* Copyright (c) 2007-2010 Apple Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
- *
+ *
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
- *
+ *
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
- *
+ *
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
- *
+ *
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
#include <mach/mach_types.h>
#include <kern/task.h>
+#include <os/hash.h>
+
#include <security/mac_internal.h>
#include <security/mac_mach_internal.h>
struct label *label;
label = mac_labelzone_alloc(MAC_WAITOK);
- if (label == NULL)
- return (NULL);
+ if (label == NULL) {
+ return NULL;
+ }
MAC_PERFORM(cred_label_init, label);
- return (label);
+ return label;
}
void
mac_labelzone_free(label);
}
-int
-mac_cred_label_compare(struct label *a, struct label *b)
+bool
+mac_cred_label_is_equal(const struct label *a, const struct label *b)
{
- return (bcmp(a, b, sizeof (*a)) == 0);
+ if (a->l_flags != b->l_flags) {
+ return false;
+ }
+ for (int slot = 0; slot < MAC_MAX_SLOTS; slot++) {
+ const void *pa = a->l_perpolicy[slot].l_ptr;
+ const void *pb = b->l_perpolicy[slot].l_ptr;
+
+ if (pa != pb) {
+ return false;
+ }
+ }
+ return true;
+}
+
+uint32_t
+mac_cred_label_hash_update(const struct label *a, uint32_t hash)
+{
+ hash = os_hash_jenkins_update(&a->l_flags,
+ sizeof(a->l_flags), hash);
+#if __has_feature(ptrauth_calls)
+ for (int slot = 0; slot < MAC_MAX_SLOTS; slot++) {
+ const void *ptr = a->l_perpolicy[slot].l_ptr;
+ hash = os_hash_jenkins_update(&ptr, sizeof(ptr), hash);
+ }
+#else
+ hash = os_hash_jenkins_update(&a->l_perpolicy,
+ sizeof(a->l_perpolicy), hash);
+#endif
+ return hash;
}
int
mac->m_string, mac->m_buflen);
kauth_cred_unref(&cr);
- return (error);
+ return error;
}
void
mac_cred_label_destroy(kauth_cred_t cred)
{
-
mac_cred_label_free(cred->cr_label);
cred->cr_label = NULL;
}
error = MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
- return (error);
+ return error;
}
int
error = MAC_INTERNALIZE(cred, label, string);
- return (error);
+ return error;
}
/*
{
MAC_PERFORM(cred_label_associate_fork, cred, proc);
}
-
+
/*
* Initialize MAC label for the first kernel process, from which other
* kernel processes and threads are spawned.
void
mac_cred_label_associate_kernel(kauth_cred_t cred)
{
-
MAC_PERFORM(cred_label_associate_kernel, cred);
}
void
mac_cred_label_associate_user(kauth_cred_t cred)
{
-
MAC_PERFORM(cred_label_associate_user, cred);
}
void
mac_cred_label_associate(struct ucred *parent_cred, struct ucred *child_cred)
{
-
MAC_PERFORM(cred_label_associate, parent_cred, child_cred);
}
int error;
size_t ulen;
- if (mac_p == USER_ADDR_NULL)
- return (0);
+ if (mac_p == USER_ADDR_NULL) {
+ return 0;
+ }
if (IS_64BIT_PROCESS(current_proc())) {
struct user64_mac mac64;
mac.m_buflen = mac32.m_buflen;
mac.m_string = mac32.m_string;
}
- if (error)
- return (error);
+ if (error) {
+ return error;
+ }
error = mac_check_structmac_consistent(&mac);
- if (error)
- return (error);
+ if (error) {
+ return error;
+ }
execlabel = mac_cred_label_alloc();
MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK);
error = copyinstr(CAST_USER_ADDR_T(mac.m_string), buffer, mac.m_buflen, &ulen);
- if (error)
+ if (error) {
goto out;
+ }
AUDIT_ARG(mac_string, buffer);
error = mac_cred_label_internalize(execlabel, buffer);
}
imgp->ip_execlabelp = execlabel;
FREE(buffer, M_MACTEMP);
- return (error);
+ return error;
}
/*
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_proc_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce) {
+ return 0;
+ }
#endif
MAC_CHECK(cred_check_label_update, cred, newlabel);
- return (error);
+ return error;
}
int
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_proc_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce) {
+ return 0;
+ }
#endif
MAC_CHECK(cred_check_visible, u1, u2);
+ return error;
+}
+
+int
+mac_proc_check_debug(proc_ident_t tracing_ident, kauth_cred_t tracing_cred, proc_ident_t traced_ident)
+{
+ int error;
+ bool enforce;
+ proc_t tracingp;
+
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce) {
+ return 0;
+ }
+#endif
+ /*
+ * Once all mac hooks adopt proc_ident_t, finding proc_t and releasing
+ * it below should go to mac_proc_check_enforce().
+ */
+ if ((tracingp = proc_find_ident(tracing_ident)) == PROC_NULL) {
+ return ESRCH;
+ }
+ enforce = mac_proc_check_enforce(tracingp);
+ proc_rele(tracingp);
+
+ if (!enforce) {
+ return 0;
+ }
+ MAC_CHECK(proc_check_debug, tracing_cred, traced_ident);
- return (error);
+ return error;
}
-/*
- * called with process locked.
- */
-void mac_proc_set_enforce(proc_t p, int enforce_flags)
+int
+mac_proc_check_dump_core(struct proc *proc)
{
- p->p_mac_enforce |= enforce_flags;
+ int error;
+
+#if SECURITY_MAC_CHECK_ENFORCE
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce) {
+ return 0;
+ }
+#endif
+ if (!mac_proc_check_enforce(proc)) {
+ return 0;
+ }
+
+ MAC_CHECK(proc_check_dump_core, proc);
+
+ return error;
}
int
-mac_proc_check_debug(proc_t curp, struct proc *proc)
+mac_proc_check_remote_thread_create(struct task *task, int flavor, thread_state_t new_state, mach_msg_type_number_t new_state_count)
{
+ proc_t curp = current_proc();
+ proc_t proc;
kauth_cred_t cred;
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_proc_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce) {
+ return 0;
+ }
#endif
-
- if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
- return 0;
+ if (!mac_proc_check_enforce(curp)) {
+ return 0;
+ }
+
+ proc = proc_find(task_pid(task));
+ if (proc == PROC_NULL) {
+ return ESRCH;
+ }
cred = kauth_cred_proc_ref(curp);
- MAC_CHECK(proc_check_debug, cred, proc);
+ MAC_CHECK(proc_check_remote_thread_create, cred, proc, flavor, new_state, new_state_count);
kauth_cred_unref(&cred);
+ proc_rele(proc);
- return (error);
+ return error;
}
int
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_proc_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce) {
+ return 0;
+ }
#endif
-
- if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
- return 0;
+ if (!mac_proc_check_enforce(curp)) {
+ return 0;
+ }
cred = kauth_cred_proc_ref(curp);
MAC_CHECK(proc_check_fork, cred, curp);
kauth_cred_unref(&cred);
- return (error);
+ return error;
}
int
-mac_proc_check_get_task_name(struct ucred *cred, struct proc *p)
+mac_proc_check_get_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
{
int error;
- MAC_CHECK(proc_check_get_task_name, cred, p);
+ assert(flavor <= TASK_FLAVOR_NAME);
- return (error);
-}
+ /* Also call the old hook for compatability, deprecating in rdar://66356944. */
+ if (flavor == TASK_FLAVOR_CONTROL) {
+ MAC_CHECK(proc_check_get_task, cred, pident);
+ if (error) {
+ return error;
+ }
+ }
-int
-mac_proc_check_get_task(struct ucred *cred, struct proc *p)
-{
- int error;
+ if (flavor == TASK_FLAVOR_NAME) {
+ MAC_CHECK(proc_check_get_task_name, cred, pident);
+ if (error) {
+ return error;
+ }
+ }
- MAC_CHECK(proc_check_get_task, cred, p);
+ MAC_CHECK(proc_check_get_task_with_flavor, cred, pident, flavor);
- return (error);
+ return error;
}
int
-mac_proc_check_expose_task(struct ucred *cred, struct proc *p)
+mac_proc_check_expose_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
{
int error;
- MAC_CHECK(proc_check_expose_task, cred, p);
+ assert(flavor <= TASK_FLAVOR_NAME);
+
+ /* Also call the old hook for compatability, deprecating in rdar://66356944. */
+ if (flavor == TASK_FLAVOR_CONTROL) {
+ MAC_CHECK(proc_check_expose_task, cred, pident);
+ if (error) {
+ return error;
+ }
+ }
- return (error);
+ MAC_CHECK(proc_check_expose_task_with_flavor, cred, pident, flavor);
+
+ return error;
}
int
MAC_CHECK(proc_check_inherit_ipc_ports, p, cur_vp, cur_offset, img_vp, img_offset, scriptvp);
- return (error);
+ return error;
}
/*
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_vm_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_vm_enforce) {
+ return 0;
+ }
#endif
- if (!mac_proc_check_enforce(proc, MAC_VM_ENFORCE))
- return (0);
+ if (!mac_proc_check_enforce(proc)) {
+ return 0;
+ }
cred = kauth_cred_proc_ref(proc);
MAC_CHECK(proc_check_map_anon, proc, cred, u_addr, u_size, prot, flags, maxprot);
kauth_cred_unref(&cred);
- return (error);
+ return error;
}
int
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_vm_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_vm_enforce) {
+ return 0;
+ }
#endif
- if (!mac_proc_check_enforce(proc, MAC_VM_ENFORCE))
- return (0);
+ if (!mac_proc_check_enforce(proc)) {
+ return 0;
+ }
cred = kauth_cred_proc_ref(proc);
MAC_CHECK(proc_check_mprotect, cred, proc, addr, size, prot);
kauth_cred_unref(&cred);
- return (error);
+ return error;
}
int
mac_proc_check_run_cs_invalid(proc_t proc)
{
int error;
-
+
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_vm_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_vm_enforce) {
+ return 0;
+ }
#endif
-
+
MAC_CHECK(proc_check_run_cs_invalid, proc);
-
- return (error);
+
+ return error;
+}
+
+void
+mac_proc_notify_cs_invalidated(proc_t proc)
+{
+ MAC_PERFORM(proc_notify_cs_invalidated, proc);
}
-
+
int
mac_proc_check_sched(proc_t curp, struct proc *proc)
{
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_proc_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce) {
+ return 0;
+ }
#endif
-
- if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
- return 0;
+ if (!mac_proc_check_enforce(curp)) {
+ return 0;
+ }
cred = kauth_cred_proc_ref(curp);
MAC_CHECK(proc_check_sched, cred, proc);
kauth_cred_unref(&cred);
- return (error);
+ return error;
}
int
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_proc_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce) {
+ return 0;
+ }
#endif
-
- if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
- return 0;
+ if (!mac_proc_check_enforce(curp)) {
+ return 0;
+ }
cred = kauth_cred_proc_ref(curp);
MAC_CHECK(proc_check_signal, cred, proc, signum);
kauth_cred_unref(&cred);
- return (error);
+ return error;
}
int
-mac_proc_check_wait(proc_t curp, struct proc *proc)
+mac_proc_check_syscall_unix(proc_t curp, int scnum)
{
- kauth_cred_t cred;
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_proc_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce) {
+ return 0;
+ }
#endif
- if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
- return 0;
+ if (!mac_proc_check_enforce(curp)) {
+ return 0;
+ }
- cred = kauth_cred_proc_ref(curp);
- MAC_CHECK(proc_check_wait, cred, proc);
- kauth_cred_unref(&cred);
+ MAC_CHECK(proc_check_syscall_unix, curp, scnum);
- return (error);
+ return error;
}
int
-mac_proc_check_suspend_resume(proc_t curp, int sr)
+mac_proc_check_wait(proc_t curp, struct proc *proc)
{
kauth_cred_t cred;
int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_proc_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce) {
+ return 0;
+ }
#endif
- if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
- return 0;
+ if (!mac_proc_check_enforce(curp)) {
+ return 0;
+ }
cred = kauth_cred_proc_ref(curp);
- MAC_CHECK(proc_check_suspend_resume, cred, curp, sr);
+ MAC_CHECK(proc_check_wait, cred, proc);
kauth_cred_unref(&cred);
- return (error);
+ return error;
+}
+
+void
+mac_proc_notify_exit(struct proc *proc)
+{
+ MAC_PERFORM(proc_notify_exit, proc);
}
int
-mac_proc_check_ledger(proc_t curp, proc_t proc, int ledger_op)
+mac_proc_check_suspend_resume(proc_t proc, int sr)
{
kauth_cred_t cred;
- int error = 0;
+ int error;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_proc_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce) {
+ return 0;
+ }
#endif
- if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
- return 0;
+ if (!mac_proc_check_enforce(current_proc())) {
+ return 0;
+ }
- cred = kauth_cred_proc_ref(curp);
- MAC_CHECK(proc_check_ledger, cred, proc, ledger_op);
+ cred = kauth_cred_proc_ref(current_proc());
+ MAC_CHECK(proc_check_suspend_resume, cred, proc, sr);
kauth_cred_unref(&cred);
- return (error);
+ return error;
}
int
-mac_proc_check_cpumon(proc_t curp)
+mac_proc_check_ledger(proc_t curp, proc_t proc, int ledger_op)
{
kauth_cred_t cred;
int error = 0;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_proc_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce) {
+ return 0;
+ }
#endif
- if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
- return 0;
+ if (!mac_proc_check_enforce(curp)) {
+ return 0;
+ }
cred = kauth_cred_proc_ref(curp);
- MAC_CHECK(proc_check_cpumon, cred);
+ MAC_CHECK(proc_check_ledger, cred, proc, ledger_op);
kauth_cred_unref(&cred);
- return (error);
+ return error;
}
int
int error = 0;
#if SECURITY_MAC_CHECK_ENFORCE
- /* 21167099 - only check if we allow write */
- if (!mac_proc_enforce)
- return 0;
+ /* 21167099 - only check if we allow write */
+ if (!mac_proc_enforce) {
+ return 0;
+ }
#endif
- if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
- return 0;
+ if (!mac_proc_check_enforce(curp)) {
+ return 0;
+ }
cred = kauth_cred_proc_ref(curp);
MAC_CHECK(proc_check_proc_info, cred, target, callnum, flavor);
kauth_cred_unref(&cred);
- return (error);
+ return error;
}
-
int
mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op)
{
#if SECURITY_MAC_CHECK_ENFORCE
/* 21167099 - only check if we allow write */
- if (!mac_proc_enforce)
+ if (!mac_proc_enforce) {
return 0;
+ }
#endif
- if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
+ if (!mac_proc_check_enforce(curp)) {
return 0;
+ }
cred = kauth_cred_proc_ref(curp);
MAC_CHECK(proc_check_get_cs_info, cred, target, op);
kauth_cred_unref(&cred);
- return (error);
+ return error;
}
int
#if SECURITY_MAC_CHECK_ENFORCE
/* 21167099 - only check if we allow write */
- if (!mac_proc_enforce)
+ if (!mac_proc_enforce) {
return 0;
+ }
#endif
- if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE))
+ if (!mac_proc_check_enforce(curp)) {
return 0;
+ }
cred = kauth_cred_proc_ref(curp);
MAC_CHECK(proc_check_set_cs_info, cred, target, op);
kauth_cred_unref(&cred);
- return (error);
+ return error;
}
-
projects / apple / xnu.git / blobdiff