+ }
+#endif
+ if (pgrp == PGRP_NULL) {
+ pid_t savepid = p->p_pid;
+ proc_t np = PROC_NULL;
+ /*
+ * new process group
+ */
+#if DIAGNOSTIC
+ if (p->p_pid != pgid) {
+ panic("enterpgrp: new pgrp and pid != pgid");
+ }
+#endif
+ MALLOC_ZONE(pgrp, struct pgrp *, sizeof(struct pgrp), M_PGRP,
+ M_WAITOK);
+ if (pgrp == NULL) {
+ panic("enterpgrp: M_PGRP zone depleted");
+ }
+ if ((np = proc_find(savepid)) == NULL || np != p) {
+ if (np != PROC_NULL) {
+ proc_rele(np);
+ }
+ if (mypgrp != PGRP_NULL) {
+ pg_rele(mypgrp);
+ }
+ if (procsp != SESSION_NULL) {
+ session_rele(procsp);
+ }
+ FREE_ZONE(pgrp, sizeof(struct pgrp), M_PGRP);
+ return ESRCH;
+ }
+ proc_rele(np);
+ if (mksess) {
+ struct session *sess;
+
+ /*
+ * new session
+ */
+ MALLOC_ZONE(sess, struct session *,
+ sizeof(struct session), M_SESSION, M_WAITOK);
+ if (sess == NULL) {
+ panic("enterpgrp: M_SESSION zone depleted");
+ }
+ sess->s_leader = p;
+ sess->s_sid = p->p_pid;
+ sess->s_count = 1;
+ sess->s_ttyvp = NULL;
+ sess->s_ttyp = TTY_NULL;
+ sess->s_flags = 0;
+ sess->s_listflags = 0;
+ sess->s_ttypgrpid = NO_PID;
+
+ lck_mtx_init(&sess->s_mlock, proc_mlock_grp, proc_lck_attr);
+
+ bcopy(procsp->s_login, sess->s_login,
+ sizeof(sess->s_login));
+ OSBitAndAtomic(~((uint32_t)P_CONTROLT), &p->p_flag);
+ proc_list_lock();
+ LIST_INSERT_HEAD(SESSHASH(sess->s_sid), sess, s_hash);
+ proc_list_unlock();
+ pgrp->pg_session = sess;
+#if DIAGNOSTIC
+ if (p != current_proc()) {
+ panic("enterpgrp: mksession and p != curproc");
+ }
+#endif
+ } else {
+ proc_list_lock();
+ pgrp->pg_session = procsp;
+
+ if ((pgrp->pg_session->s_listflags & (S_LIST_TERM | S_LIST_DEAD)) != 0) {
+ panic("enterpgrp: providing ref to terminating session ");
+ }
+ pgrp->pg_session->s_count++;
+ proc_list_unlock();
+ }
+ pgrp->pg_id = pgid;
+
+ lck_mtx_init(&pgrp->pg_mlock, proc_mlock_grp, proc_lck_attr);
+
+ LIST_INIT(&pgrp->pg_members);
+ pgrp->pg_membercnt = 0;
+ pgrp->pg_jobc = 0;
+ proc_list_lock();
+ pgrp->pg_refcount = 1;
+ pgrp->pg_listflags = 0;
+ LIST_INSERT_HEAD(PGRPHASH(pgid), pgrp, pg_hash);
+ proc_list_unlock();
+ } else if (pgrp == mypgrp) {
+ pg_rele(pgrp);
+ if (mypgrp != NULL) {
+ pg_rele(mypgrp);
+ }
+ if (procsp != SESSION_NULL) {
+ session_rele(procsp);
+ }
+ return 0;
+ }
+
+ if (procsp != SESSION_NULL) {
+ session_rele(procsp);
+ }
+ /*
+ * Adjust eligibility of affected pgrps to participate in job control.
+ * Increment eligibility counts before decrementing, otherwise we
+ * could reach 0 spuriously during the first call.
+ */
+ fixjobc(p, pgrp, 1);
+ fixjobc(p, mypgrp, 0);
+
+ if (mypgrp != PGRP_NULL) {
+ pg_rele(mypgrp);
+ }
+ pgrp_replace(p, pgrp);
+ pg_rele(pgrp);
+
+ return 0;
+}
+
+/*
+ * remove process from process group
+ */
+int
+leavepgrp(proc_t p)
+{
+ pgrp_remove(p);
+ return 0;
+}
+
+/*
+ * delete a process group
+ */
+static void
+pgdelete_dropref(struct pgrp *pgrp)
+{
+ struct tty *ttyp;
+ int emptypgrp = 1;
+ struct session *sessp;
+
+
+ pgrp_lock(pgrp);
+ if (pgrp->pg_membercnt != 0) {
+ emptypgrp = 0;
+ }
+ pgrp_unlock(pgrp);
+
+ proc_list_lock();
+ pgrp->pg_refcount--;
+ if ((emptypgrp == 0) || (pgrp->pg_membercnt != 0)) {
+ proc_list_unlock();
+ return;
+ }
+
+ pgrp->pg_listflags |= PGRP_FLAG_TERMINATE;
+
+ if (pgrp->pg_refcount > 0) {
+ proc_list_unlock();
+ return;
+ }
+
+ pgrp->pg_listflags |= PGRP_FLAG_DEAD;
+ LIST_REMOVE(pgrp, pg_hash);
+
+ proc_list_unlock();
+
+ ttyp = SESSION_TP(pgrp->pg_session);
+ if (ttyp != TTY_NULL) {
+ if (ttyp->t_pgrp == pgrp) {
+ tty_lock(ttyp);
+ /* Re-check after acquiring the lock */
+ if (ttyp->t_pgrp == pgrp) {
+ ttyp->t_pgrp = NULL;
+ pgrp->pg_session->s_ttypgrpid = NO_PID;
+ }
+ tty_unlock(ttyp);
+ }
+ }
+
+ proc_list_lock();
+
+ sessp = pgrp->pg_session;
+ if ((sessp->s_listflags & (S_LIST_TERM | S_LIST_DEAD)) != 0) {
+ panic("pg_deleteref: manipulating refs of already terminating session");
+ }
+ if (--sessp->s_count == 0) {
+ if ((sessp->s_listflags & (S_LIST_TERM | S_LIST_DEAD)) != 0) {
+ panic("pg_deleteref: terminating already terminated session");
+ }
+ sessp->s_listflags |= S_LIST_TERM;
+ ttyp = SESSION_TP(sessp);
+ LIST_REMOVE(sessp, s_hash);
+ proc_list_unlock();
+ if (ttyp != TTY_NULL) {
+ tty_lock(ttyp);
+ if (ttyp->t_session == sessp) {
+ ttyp->t_session = NULL;
+ }
+ tty_unlock(ttyp);
+ }
+ proc_list_lock();
+ sessp->s_listflags |= S_LIST_DEAD;
+ if (sessp->s_count != 0) {
+ panic("pg_deleteref: freeing session in use");
+ }
+ proc_list_unlock();
+ lck_mtx_destroy(&sessp->s_mlock, proc_mlock_grp);
+
+ FREE_ZONE(sessp, sizeof(struct session), M_SESSION);
+ } else {
+ proc_list_unlock();
+ }
+ lck_mtx_destroy(&pgrp->pg_mlock, proc_mlock_grp);
+ FREE_ZONE(pgrp, sizeof(*pgrp), M_PGRP);
+}
+
+
+/*
+ * Adjust pgrp jobc counters when specified process changes process group.
+ * We count the number of processes in each process group that "qualify"
+ * the group for terminal job control (those with a parent in a different
+ * process group of the same session). If that count reaches zero, the
+ * process group becomes orphaned. Check both the specified process'
+ * process group and that of its children.
+ * entering == 0 => p is leaving specified group.
+ * entering == 1 => p is entering specified group.
+ */
+int
+fixjob_callback(proc_t p, void * arg)
+{
+ struct fixjob_iterargs *fp;
+ struct pgrp * pg, *hispg;
+ struct session * mysession, *hissess;
+ int entering;
+
+ fp = (struct fixjob_iterargs *)arg;
+ pg = fp->pg;
+ mysession = fp->mysession;
+ entering = fp->entering;
+
+ hispg = proc_pgrp(p);
+ hissess = proc_session(p);
+
+ if ((hispg != pg) &&
+ (hissess == mysession)) {
+ pgrp_lock(hispg);
+ if (entering) {
+ hispg->pg_jobc++;
+ pgrp_unlock(hispg);
+ } else if (--hispg->pg_jobc == 0) {
+ pgrp_unlock(hispg);
+ orphanpg(hispg);
+ } else {
+ pgrp_unlock(hispg);
+ }
+ }
+ if (hissess != SESSION_NULL) {
+ session_rele(hissess);
+ }
+ if (hispg != PGRP_NULL) {
+ pg_rele(hispg);
+ }
+
+ return PROC_RETURNED;
+}
+
+void
+fixjobc(proc_t p, struct pgrp *pgrp, int entering)
+{
+ struct pgrp *hispgrp = PGRP_NULL;
+ struct session *hissess = SESSION_NULL;
+ struct session *mysession = pgrp->pg_session;
+ proc_t parent;
+ struct fixjob_iterargs fjarg;
+ boolean_t proc_parent_self;
+
+ /*
+ * Check if p's parent is current proc, if yes then no need to take
+ * a ref; calling proc_parent with current proc as parent may
+ * deadlock if current proc is exiting.
+ */
+ proc_parent_self = proc_parent_is_currentproc(p);
+ if (proc_parent_self) {
+ parent = current_proc();
+ } else {
+ parent = proc_parent(p);
+ }
+
+ if (parent != PROC_NULL) {
+ hispgrp = proc_pgrp(parent);
+ hissess = proc_session(parent);
+ if (!proc_parent_self) {
+ proc_rele(parent);
+ }
+ }
+
+
+ /*
+ * Check p's parent to see whether p qualifies its own process
+ * group; if so, adjust count for p's process group.
+ */
+ if ((hispgrp != pgrp) &&
+ (hissess == mysession)) {
+ pgrp_lock(pgrp);
+ if (entering) {
+ pgrp->pg_jobc++;
+ pgrp_unlock(pgrp);
+ } else if (--pgrp->pg_jobc == 0) {
+ pgrp_unlock(pgrp);
+ orphanpg(pgrp);
+ } else {
+ pgrp_unlock(pgrp);
+ }
+ }
+
+ if (hissess != SESSION_NULL) {
+ session_rele(hissess);
+ }
+ if (hispgrp != PGRP_NULL) {
+ pg_rele(hispgrp);
+ }
+
+ /*
+ * Check this process' children to see whether they qualify
+ * their process groups; if so, adjust counts for children's
+ * process groups.
+ */
+ fjarg.pg = pgrp;
+ fjarg.mysession = mysession;
+ fjarg.entering = entering;
+ proc_childrenwalk(p, fixjob_callback, &fjarg);
+}
+
+/*
+ * The pidlist_* routines support the functions in this file that
+ * walk lists of processes applying filters and callouts to the
+ * elements of the list.
+ *
+ * A prior implementation used a single linear array, which can be
+ * tricky to allocate on large systems. This implementation creates
+ * an SLIST of modestly sized arrays of PIDS_PER_ENTRY elements.
+ *
+ * The array should be sized large enough to keep the overhead of
+ * walking the list low, but small enough that blocking allocations of
+ * pidlist_entry_t structures always succeed.
+ */
+
+#define PIDS_PER_ENTRY 1021
+
+typedef struct pidlist_entry {
+ SLIST_ENTRY(pidlist_entry) pe_link;
+ u_int pe_nused;
+ pid_t pe_pid[PIDS_PER_ENTRY];
+} pidlist_entry_t;
+
+typedef struct {
+ SLIST_HEAD(, pidlist_entry) pl_head;
+ struct pidlist_entry *pl_active;
+ u_int pl_nalloc;
+} pidlist_t;
+
+static __inline__ pidlist_t *
+pidlist_init(pidlist_t *pl)
+{
+ SLIST_INIT(&pl->pl_head);
+ pl->pl_active = NULL;
+ pl->pl_nalloc = 0;
+ return pl;
+}
+
+static u_int
+pidlist_alloc(pidlist_t *pl, u_int needed)
+{
+ while (pl->pl_nalloc < needed) {
+ pidlist_entry_t *pe = kalloc(sizeof(*pe));
+ if (NULL == pe) {
+ panic("no space for pidlist entry");
+ }
+ pe->pe_nused = 0;
+ SLIST_INSERT_HEAD(&pl->pl_head, pe, pe_link);
+ pl->pl_nalloc += (sizeof(pe->pe_pid) / sizeof(pe->pe_pid[0]));
+ }
+ return pl->pl_nalloc;
+}
+
+static void
+pidlist_free(pidlist_t *pl)
+{
+ pidlist_entry_t *pe;
+ while (NULL != (pe = SLIST_FIRST(&pl->pl_head))) {
+ SLIST_FIRST(&pl->pl_head) = SLIST_NEXT(pe, pe_link);
+ kfree(pe, sizeof(*pe));
+ }
+ pl->pl_nalloc = 0;
+}
+
+static __inline__ void
+pidlist_set_active(pidlist_t *pl)
+{
+ pl->pl_active = SLIST_FIRST(&pl->pl_head);
+ assert(pl->pl_active);
+}
+
+static void
+pidlist_add_pid(pidlist_t *pl, pid_t pid)
+{
+ pidlist_entry_t *pe = pl->pl_active;
+ if (pe->pe_nused >= sizeof(pe->pe_pid) / sizeof(pe->pe_pid[0])) {
+ if (NULL == (pe = SLIST_NEXT(pe, pe_link))) {
+ panic("pidlist allocation exhausted");
+ }
+ pl->pl_active = pe;
+ }
+ pe->pe_pid[pe->pe_nused++] = pid;
+}
+
+static __inline__ u_int
+pidlist_nalloc(const pidlist_t *pl)
+{
+ return pl->pl_nalloc;
+}
+
+/*
+ * A process group has become orphaned; if there are any stopped processes in
+ * the group, hang-up all process in that group.
+ */
+static void
+orphanpg(struct pgrp *pgrp)
+{
+ pidlist_t pid_list, *pl = pidlist_init(&pid_list);
+ u_int pid_count_available = 0;
+ proc_t p;
+
+ /* allocate outside of the pgrp_lock */
+ for (;;) {
+ pgrp_lock(pgrp);
+
+ boolean_t should_iterate = FALSE;
+ pid_count_available = 0;
+
+ PGMEMBERS_FOREACH(pgrp, p) {
+ pid_count_available++;
+ if (p->p_stat == SSTOP) {
+ should_iterate = TRUE;
+ }
+ }
+ if (pid_count_available == 0 || !should_iterate) {
+ pgrp_unlock(pgrp);
+ goto out; /* no orphaned processes OR nothing stopped */
+ }
+ if (pidlist_nalloc(pl) >= pid_count_available) {
+ break;
+ }
+ pgrp_unlock(pgrp);
+
+ pidlist_alloc(pl, pid_count_available);
+ }
+ pidlist_set_active(pl);
+
+ u_int pid_count = 0;
+ PGMEMBERS_FOREACH(pgrp, p) {
+ pidlist_add_pid(pl, proc_pid(p));
+ if (++pid_count >= pid_count_available) {
+ break;
+ }
+ }
+ pgrp_unlock(pgrp);
+
+ const pidlist_entry_t *pe;
+ SLIST_FOREACH(pe, &(pl->pl_head), pe_link) {
+ for (u_int i = 0; i < pe->pe_nused; i++) {
+ const pid_t pid = pe->pe_pid[i];
+ if (0 == pid) {
+ continue; /* skip kernproc */
+ }
+ p = proc_find(pid);
+ if (!p) {
+ continue;
+ }
+ proc_transwait(p, 0);
+ pt_setrunnable(p);
+ psignal(p, SIGHUP);
+ psignal(p, SIGCONT);
+ proc_rele(p);
+ }
+ }
+out:
+ pidlist_free(pl);
+}
+
+int
+proc_is_classic(proc_t p __unused)
+{
+ return 0;
+}
+
+/* XXX Why does this function exist? Need to kill it off... */
+proc_t
+current_proc_EXTERNAL(void)
+{
+ return current_proc();
+}
+
+int
+proc_is_forcing_hfs_case_sensitivity(proc_t p)
+{
+ return (p->p_vfs_iopolicy & P_VFS_IOPOLICY_FORCE_HFS_CASE_SENSITIVITY) ? 1 : 0;
+}
+
+#if CONFIG_COREDUMP
+/*
+ * proc_core_name(name, uid, pid)
+ * Expand the name described in corefilename, using name, uid, and pid.
+ * corefilename is a printf-like string, with three format specifiers:
+ * %N name of process ("name")
+ * %P process id (pid)
+ * %U user id (uid)
+ * For example, "%N.core" is the default; they can be disabled completely
+ * by using "/dev/null", or all core files can be stored in "/cores/%U/%N-%P".
+ * This is controlled by the sysctl variable kern.corefile (see above).
+ */
+__private_extern__ int
+proc_core_name(const char *name, uid_t uid, pid_t pid, char *cf_name,
+ size_t cf_name_len)
+{
+ const char *format, *appendstr;
+ char id_buf[11]; /* Buffer for pid/uid -- max 4B */
+ size_t i, l, n;
+
+ if (cf_name == NULL) {
+ goto toolong;
+ }
+
+ format = corefilename;
+ for (i = 0, n = 0; n < cf_name_len && format[i]; i++) {
+ switch (format[i]) {
+ case '%': /* Format character */
+ i++;
+ switch (format[i]) {
+ case '%':
+ appendstr = "%";
+ break;
+ case 'N': /* process name */
+ appendstr = name;
+ break;
+ case 'P': /* process id */
+ snprintf(id_buf, sizeof(id_buf), "%u", pid);
+ appendstr = id_buf;
+ break;
+ case 'U': /* user id */
+ snprintf(id_buf, sizeof(id_buf), "%u", uid);
+ appendstr = id_buf;
+ break;
+ case '\0': /* format string ended in % symbol */
+ goto endofstring;
+ default:
+ appendstr = "";
+ log(LOG_ERR,
+ "Unknown format character %c in `%s'\n",
+ format[i], format);
+ }
+ l = strlen(appendstr);
+ if ((n + l) >= cf_name_len) {
+ goto toolong;
+ }
+ bcopy(appendstr, cf_name + n, l);
+ n += l;
+ break;
+ default:
+ cf_name[n++] = format[i];
+ }
+ }
+ if (format[i] != '\0') {
+ goto toolong;
+ }
+ return 0;
+toolong:
+ log(LOG_ERR, "pid %ld (%s), uid (%u): corename is too long\n",
+ (long)pid, name, (uint32_t)uid);
+ return 1;
+endofstring:
+ log(LOG_ERR, "pid %ld (%s), uid (%u): unexpected end of string after %% token\n",
+ (long)pid, name, (uint32_t)uid);
+ return 1;
+}
+#endif /* CONFIG_COREDUMP */
+
+/* Code Signing related routines */
+
+int
+csops(__unused proc_t p, struct csops_args *uap, __unused int32_t *retval)
+{
+ return csops_internal(uap->pid, uap->ops, uap->useraddr,
+ uap->usersize, USER_ADDR_NULL);
+}
+
+int
+csops_audittoken(__unused proc_t p, struct csops_audittoken_args *uap, __unused int32_t *retval)
+{
+ if (uap->uaudittoken == USER_ADDR_NULL) {
+ return EINVAL;
+ }
+ return csops_internal(uap->pid, uap->ops, uap->useraddr,
+ uap->usersize, uap->uaudittoken);
+}
+
+static int
+csops_copy_token(void *start, size_t length, user_size_t usize, user_addr_t uaddr)
+{
+ char fakeheader[8] = { 0 };
+ int error;
+
+ if (usize < sizeof(fakeheader)) {
+ return ERANGE;
+ }
+
+ /* if no blob, fill in zero header */
+ if (NULL == start) {
+ start = fakeheader;
+ length = sizeof(fakeheader);
+ } else if (usize < length) {
+ /* ... if input too short, copy out length of entitlement */
+ uint32_t length32 = htonl((uint32_t)length);
+ memcpy(&fakeheader[4], &length32, sizeof(length32));
+
+ error = copyout(fakeheader, uaddr, sizeof(fakeheader));
+ if (error == 0) {
+ return ERANGE; /* input buffer to short, ERANGE signals that */
+ }
+ return error;
+ }
+ return copyout(start, uaddr, length);
+}
+
+static int
+csops_internal(pid_t pid, int ops, user_addr_t uaddr, user_size_t usersize, user_addr_t uaudittoken)
+{
+ size_t usize = (size_t)CAST_DOWN(size_t, usersize);
+ proc_t pt;
+ int forself;
+ int error;
+ vnode_t tvp;
+ off_t toff;
+ unsigned char cdhash[SHA1_RESULTLEN];
+ audit_token_t token;
+ unsigned int upid = 0, uidversion = 0;
+
+ forself = error = 0;
+
+ if (pid == 0) {
+ pid = proc_selfpid();
+ }
+ if (pid == proc_selfpid()) {
+ forself = 1;
+ }
+
+
+ switch (ops) {
+ case CS_OPS_STATUS:
+ case CS_OPS_CDHASH:
+ case CS_OPS_PIDOFFSET:
+ case CS_OPS_ENTITLEMENTS_BLOB:
+ case CS_OPS_IDENTITY:
+ case CS_OPS_BLOB:
+ case CS_OPS_TEAMID:
+ case CS_OPS_CLEAR_LV:
+ break; /* not restricted to root */
+ default:
+ if (forself == 0 && kauth_cred_issuser(kauth_cred_get()) != TRUE) {
+ return EPERM;
+ }
+ break;
+ }
+
+ pt = proc_find(pid);
+ if (pt == PROC_NULL) {
+ return ESRCH;
+ }
+
+ upid = pt->p_pid;
+ uidversion = pt->p_idversion;
+ if (uaudittoken != USER_ADDR_NULL) {
+ error = copyin(uaudittoken, &token, sizeof(audit_token_t));
+ if (error != 0) {
+ goto out;
+ }
+ /* verify the audit token pid/idversion matches with proc */
+ if ((token.val[5] != upid) || (token.val[7] != uidversion)) {
+ error = ESRCH;
+ goto out;
+ }
+ }
+
+#if CONFIG_MACF
+ switch (ops) {
+ case CS_OPS_MARKINVALID:
+ case CS_OPS_MARKHARD:
+ case CS_OPS_MARKKILL:
+ case CS_OPS_MARKRESTRICT:
+ case CS_OPS_SET_STATUS:
+ case CS_OPS_CLEARINSTALLER:
+ case CS_OPS_CLEARPLATFORM:
+ case CS_OPS_CLEAR_LV:
+ if ((error = mac_proc_check_set_cs_info(current_proc(), pt, ops))) {
+ goto out;
+ }
+ break;
+ default:
+ if ((error = mac_proc_check_get_cs_info(current_proc(), pt, ops))) {
+ goto out;
+ }
+ }
+#endif
+
+ switch (ops) {
+ case CS_OPS_STATUS: {
+ uint32_t retflags;
+
+ proc_lock(pt);
+ retflags = pt->p_csflags;
+ if (cs_process_enforcement(pt)) {
+ retflags |= CS_ENFORCEMENT;
+ }
+ if (csproc_get_platform_binary(pt)) {
+ retflags |= CS_PLATFORM_BINARY;
+ }
+ if (csproc_get_platform_path(pt)) {
+ retflags |= CS_PLATFORM_PATH;
+ }
+ //Don't return CS_REQUIRE_LV if we turned it on with CS_FORCED_LV but still report CS_FORCED_LV
+ if ((pt->p_csflags & CS_FORCED_LV) == CS_FORCED_LV) {
+ retflags &= (~CS_REQUIRE_LV);
+ }
+ proc_unlock(pt);
+
+ if (uaddr != USER_ADDR_NULL) {
+ error = copyout(&retflags, uaddr, sizeof(uint32_t));
+ }
+ break;
+ }
+ case CS_OPS_MARKINVALID:
+ proc_lock(pt);
+ if ((pt->p_csflags & CS_VALID) == CS_VALID) { /* is currently valid */
+ pt->p_csflags &= ~CS_VALID; /* set invalid */
+ if ((pt->p_csflags & CS_KILL) == CS_KILL) {
+ pt->p_csflags |= CS_KILLED;
+ proc_unlock(pt);
+ if (cs_debug) {
+ printf("CODE SIGNING: marked invalid by pid %d: "
+ "p=%d[%s] honoring CS_KILL, final status 0x%x\n",
+ proc_selfpid(), pt->p_pid, pt->p_comm, pt->p_csflags);
+ }
+ psignal(pt, SIGKILL);
+ } else {
+ proc_unlock(pt);
+ }
+ } else {
+ proc_unlock(pt);
+ }
+
+ break;
+
+ case CS_OPS_MARKHARD:
+ proc_lock(pt);
+ pt->p_csflags |= CS_HARD;
+ if ((pt->p_csflags & CS_VALID) == 0) {
+ /* @@@ allow? reject? kill? @@@ */
+ proc_unlock(pt);
+ error = EINVAL;
+ goto out;
+ } else {
+ proc_unlock(pt);
+ }
+ break;
+
+ case CS_OPS_MARKKILL:
+ proc_lock(pt);
+ pt->p_csflags |= CS_KILL;
+ if ((pt->p_csflags & CS_VALID) == 0) {
+ proc_unlock(pt);
+ psignal(pt, SIGKILL);
+ } else {
+ proc_unlock(pt);
+ }
+ break;
+
+ case CS_OPS_PIDOFFSET:
+ toff = pt->p_textoff;
+ proc_rele(pt);
+ error = copyout(&toff, uaddr, sizeof(toff));
+ return error;
+
+ case CS_OPS_CDHASH:
+
+ /* pt already holds a reference on its p_textvp */
+ tvp = pt->p_textvp;
+ toff = pt->p_textoff;
+
+ if (tvp == NULLVP || usize != SHA1_RESULTLEN) {
+ proc_rele(pt);
+ return EINVAL;
+ }
+
+ error = vn_getcdhash(tvp, toff, cdhash);
+ proc_rele(pt);
+
+ if (error == 0) {
+ error = copyout(cdhash, uaddr, sizeof(cdhash));
+ }
+
+ return error;
+
+ case CS_OPS_ENTITLEMENTS_BLOB: {
+ void *start;
+ size_t length;
+
+ proc_lock(pt);
+
+ if ((pt->p_csflags & (CS_VALID | CS_DEBUGGED)) == 0) {
+ proc_unlock(pt);
+ error = EINVAL;
+ break;
+ }
+
+ error = cs_entitlements_blob_get(pt, &start, &length);
+ proc_unlock(pt);
+ if (error) {
+ break;
+ }
+
+ error = csops_copy_token(start, length, usize, uaddr);
+ break;
+ }
+ case CS_OPS_MARKRESTRICT:
+ proc_lock(pt);
+ pt->p_csflags |= CS_RESTRICT;
+ proc_unlock(pt);
+ break;
+
+ case CS_OPS_SET_STATUS: {
+ uint32_t flags;
+
+ if (usize < sizeof(flags)) {
+ error = ERANGE;
+ break;
+ }
+
+ error = copyin(uaddr, &flags, sizeof(flags));
+ if (error) {
+ break;
+ }
+
+ /* only allow setting a subset of all code sign flags */
+ flags &=
+ CS_HARD | CS_EXEC_SET_HARD |
+ CS_KILL | CS_EXEC_SET_KILL |
+ CS_RESTRICT |
+ CS_REQUIRE_LV |
+ CS_ENFORCEMENT | CS_EXEC_SET_ENFORCEMENT;
+
+ proc_lock(pt);
+ if (pt->p_csflags & CS_VALID) {
+ pt->p_csflags |= flags;
+ } else {
+ error = EINVAL;
+ }
+ proc_unlock(pt);
+
+ break;
+ }
+ case CS_OPS_CLEAR_LV: {
+ /*
+ * This option is used to remove library validation from
+ * a running process. This is used in plugin architectures
+ * when a program needs to load untrusted libraries. This
+ * allows the process to maintain library validation as
+ * long as possible, then drop it only when required.
+ * Once a process has loaded the untrusted library,
+ * relying on library validation in the future will
+ * not be effective. An alternative is to re-exec
+ * your application without library validation, or
+ * fork an untrusted child.
+ */
+#ifdef CONFIG_EMBEDDED
+ // On embedded platforms, we don't support dropping LV
+ error = ENOTSUP;
+#else
+ /*
+ * if we have the flag set, and the caller wants
+ * to remove it, and they're entitled to, then
+ * we remove it from the csflags
+ *
+ * NOTE: We are fine to poke into the task because
+ * we get a ref to pt when we do the proc_find
+ * at the beginning of this function.
+ *
+ * We also only allow altering ourselves.
+ */
+ if (forself == 1 && IOTaskHasEntitlement(pt->task, CLEAR_LV_ENTITLEMENT)) {
+ proc_lock(pt);
+ pt->p_csflags &= (~(CS_REQUIRE_LV & CS_FORCED_LV));
+ proc_unlock(pt);
+ error = 0;
+ } else {
+ error = EPERM;
+ }
+#endif
+ break;
+ }
+ case CS_OPS_BLOB: {
+ void *start;
+ size_t length;
+
+ proc_lock(pt);
+ if ((pt->p_csflags & (CS_VALID | CS_DEBUGGED)) == 0) {
+ proc_unlock(pt);
+ error = EINVAL;
+ break;
+ }
+
+ error = cs_blob_get(pt, &start, &length);
+ proc_unlock(pt);
+ if (error) {
+ break;
+ }
+
+ error = csops_copy_token(start, length, usize, uaddr);
+ break;
+ }
+ case CS_OPS_IDENTITY:
+ case CS_OPS_TEAMID: {
+ const char *identity;
+ uint8_t fakeheader[8];
+ uint32_t idlen;
+ size_t length;
+
+ /*
+ * Make identity have a blob header to make it
+ * easier on userland to guess the identity
+ * length.
+ */
+ if (usize < sizeof(fakeheader)) {
+ error = ERANGE;
+ break;
+ }
+ memset(fakeheader, 0, sizeof(fakeheader));
+
+ proc_lock(pt);
+ if ((pt->p_csflags & (CS_VALID | CS_DEBUGGED)) == 0) {
+ proc_unlock(pt);
+ error = EINVAL;
+ break;
+ }
+
+ identity = ops == CS_OPS_TEAMID ? csproc_get_teamid(pt) : cs_identity_get(pt);
+ proc_unlock(pt);
+ if (identity == NULL) {
+ error = ENOENT;
+ break;
+ }
+
+ length = strlen(identity) + 1; /* include NUL */
+ idlen = htonl(length + sizeof(fakeheader));
+ memcpy(&fakeheader[4], &idlen, sizeof(idlen));
+
+ error = copyout(fakeheader, uaddr, sizeof(fakeheader));
+ if (error) {
+ break;
+ }
+
+ if (usize < sizeof(fakeheader) + length) {
+ error = ERANGE;
+ } else if (usize > sizeof(fakeheader)) {
+ error = copyout(identity, uaddr + sizeof(fakeheader), length);
+ }
+
+ break;
+ }
+
+ case CS_OPS_CLEARINSTALLER:
+ proc_lock(pt);
+ pt->p_csflags &= ~(CS_INSTALLER | CS_DATAVAULT_CONTROLLER | CS_EXEC_INHERIT_SIP);
+ proc_unlock(pt);
+ break;
+
+ case CS_OPS_CLEARPLATFORM:
+#if DEVELOPMENT || DEBUG
+ if (cs_process_global_enforcement()) {
+ error = ENOTSUP;
+ break;
+ }
+
+#if CONFIG_CSR
+ if (csr_check(CSR_ALLOW_APPLE_INTERNAL) != 0) {
+ error = ENOTSUP;
+ break;
+ }
+#endif
+
+ proc_lock(pt);
+ pt->p_csflags &= ~(CS_PLATFORM_BINARY | CS_PLATFORM_PATH);
+ csproc_clear_platform_binary(pt);
+ proc_unlock(pt);
+ break;
+#else
+ error = ENOTSUP;
+ break;
+#endif /* !DEVELOPMENT || DEBUG */
+
+ default:
+ error = EINVAL;
+ break;
+ }
+out:
+ proc_rele(pt);
+ return error;
+}
+
+void
+proc_iterate(
+ unsigned int flags,
+ proc_iterate_fn_t callout,
+ void *arg,
+ proc_iterate_fn_t filterfn,
+ void *filterarg)
+{
+ pidlist_t pid_list, *pl = pidlist_init(&pid_list);
+ u_int pid_count_available = 0;
+
+ assert(callout != NULL);
+
+ /* allocate outside of the proc_list_lock */
+ for (;;) {
+ proc_list_lock();
+ pid_count_available = nprocs + 1; /* kernel_task not counted in nprocs */
+ assert(pid_count_available > 0);
+ if (pidlist_nalloc(pl) > pid_count_available) {
+ break;
+ }
+ proc_list_unlock();
+
+ pidlist_alloc(pl, pid_count_available);
+ }
+ pidlist_set_active(pl);
+
+ /* filter pids into the pid_list */
+
+ u_int pid_count = 0;
+ if (flags & PROC_ALLPROCLIST) {
+ proc_t p;
+ ALLPROC_FOREACH(p) {
+ /* ignore processes that are being forked */
+ if (p->p_stat == SIDL) {
+ continue;
+ }
+ if ((filterfn != NULL) && (filterfn(p, filterarg) == 0)) {
+ continue;
+ }
+ pidlist_add_pid(pl, proc_pid(p));
+ if (++pid_count >= pid_count_available) {
+ break;
+ }
+ }
+ }
+
+ if ((pid_count < pid_count_available) &&
+ (flags & PROC_ZOMBPROCLIST)) {
+ proc_t p;
+ ZOMBPROC_FOREACH(p) {
+ if ((filterfn != NULL) && (filterfn(p, filterarg) == 0)) {
+ continue;
+ }
+ pidlist_add_pid(pl, proc_pid(p));
+ if (++pid_count >= pid_count_available) {
+ break;
+ }
+ }
+ }
+
+ proc_list_unlock();
+
+ /* call callout on processes in the pid_list */
+
+ const pidlist_entry_t *pe;
+ SLIST_FOREACH(pe, &(pl->pl_head), pe_link) {
+ for (u_int i = 0; i < pe->pe_nused; i++) {
+ const pid_t pid = pe->pe_pid[i];
+ proc_t p = proc_find(pid);
+ if (p) {
+ if ((flags & PROC_NOWAITTRANS) == 0) {
+ proc_transwait(p, 0);
+ }
+ const int callout_ret = callout(p, arg);
+
+ switch (callout_ret) {
+ case PROC_RETURNED_DONE:
+ proc_rele(p);
+ /* FALLTHROUGH */
+ case PROC_CLAIMED_DONE:
+ goto out;
+
+ case PROC_RETURNED:
+ proc_rele(p);
+ /* FALLTHROUGH */
+ case PROC_CLAIMED:
+ break;
+ default:
+ panic("%s: callout =%d for pid %d",
+ __func__, callout_ret, pid);
+ break;
+ }
+ } else if (flags & PROC_ZOMBPROCLIST) {
+ p = proc_find_zombref(pid);
+ if (!p) {
+ continue;
+ }
+ const int callout_ret = callout(p, arg);
+
+ switch (callout_ret) {
+ case PROC_RETURNED_DONE:
+ proc_drop_zombref(p);
+ /* FALLTHROUGH */
+ case PROC_CLAIMED_DONE:
+ goto out;
+
+ case PROC_RETURNED:
+ proc_drop_zombref(p);
+ /* FALLTHROUGH */
+ case PROC_CLAIMED:
+ break;
+ default:
+ panic("%s: callout =%d for zombie %d",
+ __func__, callout_ret, pid);
+ break;
+ }
+ }
+ }
+ }
+out:
+ pidlist_free(pl);
+}
+
+void
+proc_rebootscan(
+ proc_iterate_fn_t callout,
+ void *arg,
+ proc_iterate_fn_t filterfn,
+ void *filterarg)
+{
+ proc_t p;
+
+ assert(callout != NULL);
+
+ proc_shutdown_exitcount = 0;
+
+restart_foreach:
+
+ proc_list_lock();
+
+ ALLPROC_FOREACH(p) {
+ if ((filterfn != NULL) && filterfn(p, filterarg) == 0) {
+ continue;
+ }
+ p = proc_ref_locked(p);
+ if (!p) {
+ continue;
+ }
+
+ proc_list_unlock();
+
+ proc_transwait(p, 0);
+ (void)callout(p, arg);
+ proc_rele(p);
+
+ goto restart_foreach;
+ }
+
+ proc_list_unlock();
+}
+
+void
+proc_childrenwalk(
+ proc_t parent,
+ proc_iterate_fn_t callout,
+ void *arg)
+{
+ pidlist_t pid_list, *pl = pidlist_init(&pid_list);
+ u_int pid_count_available = 0;
+
+ assert(parent != NULL);
+ assert(callout != NULL);
+
+ for (;;) {
+ proc_list_lock();
+ pid_count_available = parent->p_childrencnt;
+ if (pid_count_available == 0) {
+ proc_list_unlock();
+ goto out;
+ }
+ if (pidlist_nalloc(pl) > pid_count_available) {
+ break;
+ }
+ proc_list_unlock();
+
+ pidlist_alloc(pl, pid_count_available);
+ }
+ pidlist_set_active(pl);
+
+ u_int pid_count = 0;
+ proc_t p;
+ PCHILDREN_FOREACH(parent, p) {
+ if (p->p_stat == SIDL) {
+ continue;
+ }
+ pidlist_add_pid(pl, proc_pid(p));
+ if (++pid_count >= pid_count_available) {
+ break;
+ }
+ }
+
+ proc_list_unlock();
+
+ const pidlist_entry_t *pe;
+ SLIST_FOREACH(pe, &(pl->pl_head), pe_link) {
+ for (u_int i = 0; i < pe->pe_nused; i++) {
+ const pid_t pid = pe->pe_pid[i];
+ p = proc_find(pid);
+ if (!p) {
+ continue;
+ }
+ const int callout_ret = callout(p, arg);
+
+ switch (callout_ret) {
+ case PROC_RETURNED_DONE:
+ proc_rele(p);
+ /* FALLTHROUGH */
+ case PROC_CLAIMED_DONE:
+ goto out;
+
+ case PROC_RETURNED:
+ proc_rele(p);
+ /* FALLTHROUGH */
+ case PROC_CLAIMED:
+ break;
+ default:
+ panic("%s: callout =%d for pid %d",
+ __func__, callout_ret, pid);
+ break;
+ }
+ }
+ }
+out:
+ pidlist_free(pl);
+}
+
+void
+pgrp_iterate(
+ struct pgrp *pgrp,
+ unsigned int flags,
+ proc_iterate_fn_t callout,
+ void * arg,
+ proc_iterate_fn_t filterfn,
+ void * filterarg)
+{
+ pidlist_t pid_list, *pl = pidlist_init(&pid_list);
+ u_int pid_count_available = 0;
+
+ assert(pgrp != NULL);
+ assert(callout != NULL);
+
+ for (;;) {
+ pgrp_lock(pgrp);
+ pid_count_available = pgrp->pg_membercnt;
+ if (pid_count_available == 0) {
+ pgrp_unlock(pgrp);
+ if (flags & PGRP_DROPREF) {
+ pg_rele(pgrp);
+ }
+ goto out;
+ }
+ if (pidlist_nalloc(pl) > pid_count_available) {
+ break;
+ }
+ pgrp_unlock(pgrp);
+
+ pidlist_alloc(pl, pid_count_available);
+ }
+ pidlist_set_active(pl);
+
+ const pid_t pgid = pgrp->pg_id;
+ u_int pid_count = 0;
+ proc_t p;
+ PGMEMBERS_FOREACH(pgrp, p) {
+ if ((filterfn != NULL) && (filterfn(p, filterarg) == 0)) {
+ continue;;
+ }
+ pidlist_add_pid(pl, proc_pid(p));
+ if (++pid_count >= pid_count_available) {
+ break;
+ }
+ }
+
+ pgrp_unlock(pgrp);
+
+ if (flags & PGRP_DROPREF) {
+ pg_rele(pgrp);
+ }
+
+ const pidlist_entry_t *pe;
+ SLIST_FOREACH(pe, &(pl->pl_head), pe_link) {
+ for (u_int i = 0; i < pe->pe_nused; i++) {
+ const pid_t pid = pe->pe_pid[i];
+ if (0 == pid) {
+ continue; /* skip kernproc */
+ }
+ p = proc_find(pid);
+ if (!p) {
+ continue;
+ }
+ if (p->p_pgrpid != pgid) {
+ proc_rele(p);
+ continue;
+ }
+ const int callout_ret = callout(p, arg);
+
+ switch (callout_ret) {
+ case PROC_RETURNED:
+ proc_rele(p);
+ /* FALLTHROUGH */
+ case PROC_CLAIMED:
+ break;
+ case PROC_RETURNED_DONE:
+ proc_rele(p);
+ /* FALLTHROUGH */
+ case PROC_CLAIMED_DONE:
+ goto out;
+
+ default:
+ panic("%s: callout =%d for pid %d",
+ __func__, callout_ret, pid);
+ }
+ }
+ }
+
+out:
+ pidlist_free(pl);
+}
+
+static void
+pgrp_add(struct pgrp * pgrp, struct proc * parent, struct proc * child)
+{
+ proc_list_lock();
+ child->p_pgrp = pgrp;
+ child->p_pgrpid = pgrp->pg_id;
+ child->p_listflag |= P_LIST_INPGRP;
+ /*
+ * When pgrp is being freed , a process can still
+ * request addition using setpgid from bash when
+ * login is terminated (login cycler) return ESRCH
+ * Safe to hold lock due to refcount on pgrp
+ */
+ if ((pgrp->pg_listflags & (PGRP_FLAG_TERMINATE | PGRP_FLAG_DEAD)) == PGRP_FLAG_TERMINATE) {
+ pgrp->pg_listflags &= ~PGRP_FLAG_TERMINATE;
+ }
+
+ if ((pgrp->pg_listflags & PGRP_FLAG_DEAD) == PGRP_FLAG_DEAD) {
+ panic("pgrp_add : pgrp is dead adding process");
+ }
+ proc_list_unlock();
+
+ pgrp_lock(pgrp);
+ pgrp->pg_membercnt++;
+ if (parent != PROC_NULL) {
+ LIST_INSERT_AFTER(parent, child, p_pglist);
+ } else {
+ LIST_INSERT_HEAD(&pgrp->pg_members, child, p_pglist);
+ }
+ pgrp_unlock(pgrp);
+
+ proc_list_lock();
+ if (((pgrp->pg_listflags & (PGRP_FLAG_TERMINATE | PGRP_FLAG_DEAD)) == PGRP_FLAG_TERMINATE) && (pgrp->pg_membercnt != 0)) {
+ pgrp->pg_listflags &= ~PGRP_FLAG_TERMINATE;
+ }
+ proc_list_unlock();
+}
+
+static void
+pgrp_remove(struct proc * p)
+{
+ struct pgrp * pg;
+
+ pg = proc_pgrp(p);
+
+ proc_list_lock();
+#if __PROC_INTERNAL_DEBUG
+ if ((p->p_listflag & P_LIST_INPGRP) == 0) {
+ panic("removing from pglist but no named ref\n");
+ }
projects / apple / xnu.git / blobdiff