]> git.saurik.com Git - apple/xnu.git/blobdiff - bsd/kern/ubc_subr.c
xnu-2422.115.4.tar.gz
[apple/xnu.git] / bsd / kern / ubc_subr.c
index 1f1f99d3ef6bbd2d8691692bd0bf4e2895da7bb3..2916f3e08b3546f6fc770034999b9d780cbea371 100644 (file)
 #include <vm/vm_protos.h> /* last */
 
 #include <libkern/crypto/sha1.h>
+#include <libkern/libkern.h>
+
+#include <sys/kasl.h>
+#include <sys/syslog.h>
 
 #include <security/mac_framework.h>
 
@@ -74,6 +78,9 @@ extern kern_return_t memory_object_pages_resident(memory_object_control_t,
                                                        boolean_t *);
 extern kern_return_t   memory_object_signed(memory_object_control_t control,
                                             boolean_t is_signed);
+extern boolean_t       memory_object_is_slid(memory_object_control_t   control);
+extern boolean_t       memory_object_is_signed(memory_object_control_t);
+
 extern void Debugger(const char *message);
 
 
@@ -131,67 +138,16 @@ cs_valid_range(
        return TRUE;
 }
 
-/*
- * Magic numbers used by Code Signing
- */
-enum {
-       CSMAGIC_REQUIREMENT = 0xfade0c00,               /* single Requirement blob */
-       CSMAGIC_REQUIREMENTS = 0xfade0c01,              /* Requirements vector (internal requirements) */
-       CSMAGIC_CODEDIRECTORY = 0xfade0c02,             /* CodeDirectory blob */
-       CSMAGIC_EMBEDDED_SIGNATURE = 0xfade0cc0, /* embedded form of signature data */
-       CSMAGIC_EMBEDDED_SIGNATURE_OLD = 0xfade0b02,    /* XXX */
-       CSMAGIC_DETACHED_SIGNATURE = 0xfade0cc1, /* multi-arch collection of embedded signatures */
-       
-       CSSLOT_CODEDIRECTORY = 0,                               /* slot index for CodeDirectory */
-};
-
-static const uint32_t supportsScatter = 0x20100;       // first version to support scatter option
-
-/*
- * Structure of an embedded-signature SuperBlob
- */
-typedef struct __BlobIndex {
-       uint32_t type;                                  /* type of entry */
-       uint32_t offset;                                /* offset of entry */
-} CS_BlobIndex;
-
-typedef struct __SuperBlob {
-       uint32_t magic;                                 /* magic number */
-       uint32_t length;                                /* total length of SuperBlob */
-       uint32_t count;                                 /* number of index entries following */
-       CS_BlobIndex index[];                   /* (count) entries */
-       /* followed by Blobs in no particular order as indicated by offsets in index */
-} CS_SuperBlob;
-
-struct Scatter {
-       uint32_t count;                 // number of pages; zero for sentinel (only)
-       uint32_t base;                  // first page number
-       uint64_t targetOffset;          // offset in target
-       uint64_t spare;                 // reserved
-};
-
-/*
- * C form of a CodeDirectory.
- */
-typedef struct __CodeDirectory {
-       uint32_t magic;                                 /* magic number (CSMAGIC_CODEDIRECTORY) */
-       uint32_t length;                                /* total length of CodeDirectory blob */
-       uint32_t version;                               /* compatibility version */
-       uint32_t flags;                                 /* setup and mode flags */
-       uint32_t hashOffset;                    /* offset of hash slot element at index zero */
-       uint32_t identOffset;                   /* offset of identifier string */
-       uint32_t nSpecialSlots;                 /* number of special hash slots */
-       uint32_t nCodeSlots;                    /* number of ordinary (code) hash slots */
-       uint32_t codeLimit;                             /* limit to main image signature range */
-       uint8_t hashSize;                               /* size of each hash in bytes */
-       uint8_t hashType;                               /* type of hash (cdHashType* constants) */
-       uint8_t spare1;                                 /* unused (must be zero) */
-       uint8_t pageSize;                               /* log2(page size in bytes); 0 => infinite */
-       uint32_t spare2;                                /* unused (must be zero) */
-       /* Version 0x20100 */
-       uint32_t scatterOffset;                         /* offset of optional scatter vector */
-       /* followed by dynamic content as located by offset fields above */
-} CS_CodeDirectory;
+static void
+hex_str(
+       const unsigned char *hash,
+       size_t len,
+       char *buf)
+{
+       unsigned int n;
+       for (n = 0; n < len; n++)
+               snprintf(buf + 2*n, 3, "%02.2x", hash[n]);
+}
 
 
 /*
@@ -268,9 +224,9 @@ hashes(
 
        assert(cs_valid_range(cd, cd + 1, lower_bound, upper_bound));
 
-       if((ntohl(cd->version) >= supportsScatter) && (ntohl(cd->scatterOffset))) {
+       if((ntohl(cd->version) >= CS_SUPPORTSSCATTER) && (ntohl(cd->scatterOffset))) {
                /* Get first scatter struct */
-               const struct Scatter *scatter = (const struct Scatter*)
+               const SC_Scatter *scatter = (const SC_Scatter*)
                        ((const char*)cd + ntohl(cd->scatterOffset));
                uint32_t hashindex=0, scount, sbase=0;
                /* iterate all scatter structs */
@@ -348,11 +304,400 @@ hashes(
 
        return hash;
 }
+
+/*
+ * cs_validate_codedirectory
+ *
+ * Validate that pointers inside the code directory to make sure that
+ * all offsets and lengths are constrained within the buffer.
+ *
+ * Parameters: cd                      Pointer to code directory buffer
+ *             length                  Length of buffer
+ *
+ * Returns:    0                       Success
+ *             EBADEXEC                Invalid code signature
+ */
+
+static int
+cs_validate_codedirectory(const CS_CodeDirectory *cd, size_t length)
+{
+
+       if (length < sizeof(*cd))
+               return EBADEXEC;
+       if (ntohl(cd->magic) != CSMAGIC_CODEDIRECTORY)
+               return EBADEXEC;
+       if (cd->hashSize != SHA1_RESULTLEN)
+               return EBADEXEC;
+       if (cd->pageSize != PAGE_SHIFT)
+               return EBADEXEC;
+       if (cd->hashType != CS_HASHTYPE_SHA1)
+               return EBADEXEC;
+
+       if (length < ntohl(cd->hashOffset))
+               return EBADEXEC;
+
+       /* check that nSpecialSlots fits in the buffer in front of hashOffset */
+       if (ntohl(cd->hashOffset) / SHA1_RESULTLEN < ntohl(cd->nSpecialSlots))
+               return EBADEXEC;
+
+       /* check that codeslots fits in the buffer */
+       if ((length - ntohl(cd->hashOffset)) / SHA1_RESULTLEN <  ntohl(cd->nCodeSlots))
+               return EBADEXEC;
+       
+       if (ntohl(cd->version) >= CS_SUPPORTSSCATTER && cd->scatterOffset) {
+
+               if (length < ntohl(cd->scatterOffset))
+                       return EBADEXEC;
+
+               SC_Scatter *scatter = (SC_Scatter *)
+                       (((uint8_t *)cd) + ntohl(cd->scatterOffset));
+               uint32_t nPages = 0;
+
+               /*
+                * Check each scatter buffer, since we don't know the
+                * length of the scatter buffer array, we have to
+                * check each entry.
+                */
+               while(1) {
+                       /* check that the end of each scatter buffer in within the length */
+                       if (((const uint8_t *)scatter) + sizeof(scatter[0]) > (const uint8_t *)cd + length)
+                               return EBADEXEC;
+                       uint32_t scount = ntohl(scatter->count);
+                       if (scount == 0)
+                               break;
+                       if (nPages + scount < nPages)
+                               return EBADEXEC;
+                       nPages += scount;
+                       scatter++;
+
+                       /* XXX check that basees doesn't overlap */
+                       /* XXX check that targetOffset doesn't overlap */
+               }
+#if 0 /* rdar://12579439 */
+               if (nPages != ntohl(cd->nCodeSlots))
+                       return EBADEXEC;
+#endif
+       }
+
+       if (length < ntohl(cd->identOffset))
+               return EBADEXEC;
+
+       /* identifier is NUL terminated string */
+       if (cd->identOffset) {
+               uint8_t *ptr = (uint8_t *)cd + ntohl(cd->identOffset);
+               if (memchr(ptr, 0, length - ntohl(cd->identOffset)) == NULL)
+                       return EBADEXEC;
+       }
+
+       return 0;
+}
+
+/*
+ *
+ */
+
+static int
+cs_validate_blob(const CS_GenericBlob *blob, size_t length)
+{
+       if (length < sizeof(CS_GenericBlob) || length < ntohl(blob->length))
+               return EBADEXEC;
+       return 0;
+}
+
+/*
+ * cs_validate_csblob
+ *
+ * Validate that superblob/embedded code directory to make sure that
+ * all internal pointers are valid.
+ *
+ * Will validate both a superblob csblob and a "raw" code directory.
+ *
+ *
+ * Parameters: buffer                  Pointer to code signature
+ *             length                  Length of buffer
+ *             rcd                     returns pointer to code directory
+ *
+ * Returns:    0                       Success
+ *             EBADEXEC                Invalid code signature
+ */
+
+static int
+cs_validate_csblob(const uint8_t *addr, size_t length,
+                  const CS_CodeDirectory **rcd)
+{
+       const CS_GenericBlob *blob = (const CS_GenericBlob *)(void *)addr;
+       int error;
+
+       *rcd = NULL;
+
+       error = cs_validate_blob(blob, length);
+       if (error)
+               return error;
+
+       length = ntohl(blob->length);
+
+       if (ntohl(blob->magic) == CSMAGIC_EMBEDDED_SIGNATURE) {
+               const CS_SuperBlob *sb = (const CS_SuperBlob *)blob;
+               uint32_t n, count = ntohl(sb->count);
+
+               if (length < sizeof(CS_SuperBlob))
+                       return EBADEXEC;
+
+               /* check that the array of BlobIndex fits in the rest of the data */
+               if ((length - sizeof(CS_SuperBlob)) / sizeof(CS_BlobIndex) < count)
+                       return EBADEXEC;
+
+               /* now check each BlobIndex */
+               for (n = 0; n < count; n++) {
+                       const CS_BlobIndex *blobIndex = &sb->index[n];
+                       if (length < ntohl(blobIndex->offset))
+                               return EBADEXEC;
+
+                       const CS_GenericBlob *subBlob =
+                               (const CS_GenericBlob *)(void *)(addr + ntohl(blobIndex->offset));
+
+                       size_t subLength = length - ntohl(blobIndex->offset);
+
+                       if ((error = cs_validate_blob(subBlob, subLength)) != 0)
+                               return error;
+                       subLength = ntohl(subBlob->length);
+
+                       /* extra validation for CDs, that is also returned */
+                       if (ntohl(blobIndex->type) == CSSLOT_CODEDIRECTORY) {
+                               const CS_CodeDirectory *cd = (const CS_CodeDirectory *)subBlob;
+                               if ((error = cs_validate_codedirectory(cd, subLength)) != 0)
+                                       return error;
+                               *rcd = cd;
+                       }
+               }
+
+       } else if (ntohl(blob->magic) == CSMAGIC_CODEDIRECTORY) {
+
+               if ((error = cs_validate_codedirectory((const CS_CodeDirectory *)(void *)addr, length)) != 0)
+                       return error;
+               *rcd = (const CS_CodeDirectory *)blob;
+       } else {
+               return EBADEXEC;
+       }
+
+       if (*rcd == NULL)
+               return EBADEXEC;
+
+       return 0;
+}
+
+/*
+ * cs_find_blob_bytes
+ *
+ * Find an blob from the superblob/code directory. The blob must have
+ * been been validated by cs_validate_csblob() before calling
+ * this. Use cs_find_blob() instead.
+ * 
+ * Will also find a "raw" code directory if its stored as well as
+ * searching the superblob.
+ *
+ * Parameters: buffer                  Pointer to code signature
+ *             length                  Length of buffer
+ *             type                    type of blob to find
+ *             magic                   the magic number for that blob
+ *
+ * Returns:    pointer                 Success
+ *             NULL                    Buffer not found
+ */
+
+static const CS_GenericBlob *
+cs_find_blob_bytes(const uint8_t *addr, size_t length, uint32_t type, uint32_t magic)
+{
+       const CS_GenericBlob *blob = (const CS_GenericBlob *)(void *)addr;
+
+       if (ntohl(blob->magic) == CSMAGIC_EMBEDDED_SIGNATURE) {
+               const CS_SuperBlob *sb = (const CS_SuperBlob *)blob;
+               size_t n, count = ntohl(sb->count);
+
+               for (n = 0; n < count; n++) {
+                       if (ntohl(sb->index[n].type) != type)
+                               continue;
+                       uint32_t offset = ntohl(sb->index[n].offset);
+                       if (length - sizeof(const CS_GenericBlob) < offset)
+                               return NULL;
+                       blob = (const CS_GenericBlob *)(void *)(addr + offset);
+                       if (ntohl(blob->magic) != magic)
+                               continue;
+                       return blob;
+               }
+       } else if (type == CSSLOT_CODEDIRECTORY
+                  && ntohl(blob->magic) == CSMAGIC_CODEDIRECTORY
+                  && magic == CSMAGIC_CODEDIRECTORY)
+               return blob;
+       return NULL;
+}
+
+
+static const CS_GenericBlob *
+cs_find_blob(struct cs_blob *csblob, uint32_t type, uint32_t magic)
+{
+       if ((csblob->csb_flags & CS_VALID) == 0)
+               return NULL;
+       return cs_find_blob_bytes((const uint8_t *)csblob->csb_mem_kaddr, csblob->csb_mem_size, type, magic);
+}
+
+static const uint8_t *
+cs_find_special_slot(const CS_CodeDirectory *cd, uint32_t slot)
+{
+       /* there is no zero special slot since that is the first code slot */
+       if (ntohl(cd->nSpecialSlots) < slot || slot == 0)
+               return NULL;
+
+       return ((const uint8_t *)cd + ntohl(cd->hashOffset) - (SHA1_RESULTLEN * slot));
+}
+
 /*
  * CODESIGNING
  * End of routines to navigate code signing data structures in the kernel.
  */
 
+/*
+ * ENTITLEMENTS
+ * Routines to navigate entitlements in the kernel.
+ */
+
+/* Retrieve the entitlements blob for a process.
+ * Returns:
+ *   EINVAL    no text vnode associated with the process
+ *   EBADEXEC   invalid code signing data
+ *   0         no error occurred
+ *
+ * On success, out_start and out_length will point to the
+ * entitlements blob if found; or will be set to NULL/zero
+ * if there were no entitlements.
+ */
+
+static uint8_t sha1_zero[SHA1_RESULTLEN] = { 0 };
+
+int
+cs_entitlements_blob_get(proc_t p, void **out_start, size_t *out_length)
+{
+       uint8_t computed_hash[SHA1_RESULTLEN];
+       const CS_GenericBlob *entitlements;
+       const CS_CodeDirectory *code_dir;
+       struct cs_blob *csblob;
+       const uint8_t *embedded_hash;
+       SHA1_CTX context;
+
+       *out_start = NULL;
+       *out_length = 0;
+
+       if (NULL == p->p_textvp)
+               return EINVAL;
+
+       if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL)
+               return 0;
+
+       if ((code_dir = (const CS_CodeDirectory *)cs_find_blob(csblob, CSSLOT_CODEDIRECTORY, CSMAGIC_CODEDIRECTORY)) == NULL)
+               return 0;
+
+       entitlements = cs_find_blob(csblob, CSSLOT_ENTITLEMENTS, CSMAGIC_EMBEDDED_ENTITLEMENTS);
+       embedded_hash = cs_find_special_slot(code_dir, CSSLOT_ENTITLEMENTS);
+
+       if (embedded_hash == NULL) {
+               if (entitlements)
+                       return EBADEXEC;
+               return 0;
+       } else if (entitlements == NULL && memcmp(embedded_hash, sha1_zero, SHA1_RESULTLEN) != 0) {
+               return EBADEXEC;
+       }
+
+       SHA1Init(&context);
+       SHA1Update(&context, entitlements, ntohl(entitlements->length));
+       SHA1Final(computed_hash, &context);
+       if (memcmp(computed_hash, embedded_hash, SHA1_RESULTLEN) != 0)
+               return EBADEXEC;
+
+       *out_start = (void *)entitlements;
+       *out_length = ntohl(entitlements->length);
+
+       return 0;
+}
+
+/* Retrieve the codesign identity for a process.
+ * Returns:
+ *   NULL      an error occured
+ *   string    the cs_identity
+ */
+
+const char *
+cs_identity_get(proc_t p)
+{
+       const CS_CodeDirectory *code_dir;
+       struct cs_blob *csblob;
+
+       if (NULL == p->p_textvp)
+               return NULL;
+
+       if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL)
+               return NULL;
+
+       if ((code_dir = (const CS_CodeDirectory *)cs_find_blob(csblob, CSSLOT_CODEDIRECTORY, CSMAGIC_CODEDIRECTORY)) == NULL)
+               return NULL;
+
+       if (code_dir->identOffset == 0)
+               return NULL;
+
+       return ((const char *)code_dir) + ntohl(code_dir->identOffset);
+}
+
+
+
+/* Retrieve the codesign blob for a process.
+ * Returns:
+ *   EINVAL    no text vnode associated with the process
+ *   0         no error occurred
+ *
+ * On success, out_start and out_length will point to the
+ * cms blob if found; or will be set to NULL/zero
+ * if there were no blob.
+ */
+
+int
+cs_blob_get(proc_t p, void **out_start, size_t *out_length)
+{
+       struct cs_blob *csblob;
+
+       *out_start = NULL;
+       *out_length = 0;
+
+       if (NULL == p->p_textvp)
+               return EINVAL;
+
+       if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL)
+               return 0;
+
+       *out_start = (void *)csblob->csb_mem_kaddr;
+       *out_length = csblob->csb_mem_size;
+
+       return 0;
+}
+
+uint8_t *
+cs_get_cdhash(struct proc *p)
+{
+       struct cs_blob *csblob;
+
+       if (NULL == p->p_textvp)
+               return NULL;
+
+       if ((csblob = ubc_cs_blob_get(p->p_textvp, -1, p->p_textoff)) == NULL)
+               return NULL;
+
+       return csblob->csb_sha1;
+}
+
+/*
+ * ENTITLEMENTS
+ * End of routines to navigate entitlements in the kernel.
+ */
+
+
 
 /*
  * ubc_init
@@ -374,6 +719,8 @@ ubc_init(void)
        i = (vm_size_t) sizeof (struct ubc_info);
 
        ubc_info_zone = zinit (i, 10000*i, 8192, "ubc_info zone");
+
+       zone_change(ubc_info_zone, Z_NOENCRYPT, TRUE);
 }
 
 
@@ -624,7 +971,10 @@ ubc_setsize(struct vnode *vp, off_t nsize)
        uip->ui_size = nsize;
 
        if (nsize >= osize) {   /* Nothing more to do */
-               lock_vnode_and_post(vp, NOTE_EXTEND);
+               if (nsize > osize) {
+                       lock_vnode_and_post(vp, NOTE_EXTEND);
+               }
+
                return (1);             /* return success */
        }
 
@@ -984,6 +1334,16 @@ ubc_getobject(struct vnode *vp, __unused int flags)
        return (MEMORY_OBJECT_CONTROL_NULL);
 }
 
+boolean_t
+ubc_strict_uncached_IO(struct vnode *vp)
+{
+        boolean_t result = FALSE;
+
+       if (UBCINFOEXISTS(vp)) {
+               result = memory_object_is_slid(vp->v_ubcinfo->ui_control);
+       }
+       return result;
+}
 
 /*
  * ubc_blktooff
@@ -1384,6 +1744,9 @@ ubc_map(vnode_t vp, int flags)
                        if ( !ISSET(uip->ui_flags, UI_ISMAPPED))
                                need_ref = 1;
                        SET(uip->ui_flags, (UI_WASMAPPED | UI_ISMAPPED));
+                       if (flags & PROT_WRITE) {
+                               SET(uip->ui_flags, UI_MAPPEDWRITE);
+                       }
                }
                CLR(uip->ui_flags, UI_MAPBUSY);
 
@@ -1832,6 +2195,9 @@ ubc_create_upl(
        if (bufsize & 0xfff)
                return KERN_INVALID_ARGUMENT;
 
+       if (bufsize > MAX_UPL_SIZE * PAGE_SIZE)
+               return KERN_INVALID_ARGUMENT;
+
        if (uplflags & (UPL_UBC_MSYNC | UPL_UBC_PAGEOUT | UPL_UBC_PAGEIN)) {
 
                if (uplflags & UPL_UBC_MSYNC) {
@@ -1849,9 +2215,20 @@ ubc_create_upl(
                        uplflags |= UPL_FOR_PAGEOUT | UPL_CLEAN_IN_PLACE |
                                     UPL_COPYOUT_FROM | UPL_SET_INTERNAL | UPL_SET_LITE;
                } else {
-                       uplflags |= UPL_RET_ONLY_ABSENT | UPL_NOBLOCK |
+                       uplflags |= UPL_RET_ONLY_ABSENT |
                                    UPL_NO_SYNC | UPL_CLEAN_IN_PLACE |
                                    UPL_SET_INTERNAL | UPL_SET_LITE;
+
+                       /*
+                        * if the requested size == PAGE_SIZE, we don't want to set
+                        * the UPL_NOBLOCK since we may be trying to recover from a
+                        * previous partial pagein I/O that occurred because we were low
+                        * on memory and bailed early in order to honor the UPL_NOBLOCK...
+                        * since we're only asking for a single page, we can block w/o fear
+                        * of tying up pages while waiting for more to become available
+                        */
+                       if (bufsize > PAGE_SIZE)
+                               uplflags |= UPL_NOBLOCK;
                }
        } else {
                uplflags &= ~UPL_FOR_PAGEOUT;
@@ -2209,6 +2586,16 @@ UBCINFOEXISTS(struct vnode * vp)
 }
 
 
+void
+ubc_upl_range_needed(
+       upl_t           upl,
+       int             index,
+       int             count)
+{
+       upl_range_needed(upl, index, count);
+}
+
+
 /*
  * CODE SIGNING
  */
@@ -2221,12 +2608,15 @@ static SInt32 cs_blob_count_peak = 0;
 
 int cs_validation = 1;
 
-SYSCTL_INT(_vm, OID_AUTO, cs_validation, CTLFLAG_RW, &cs_validation, 0, "Do validate code signatures");
-SYSCTL_INT(_vm, OID_AUTO, cs_blob_count, CTLFLAG_RD, &cs_blob_count, 0, "Current number of code signature blobs");
-SYSCTL_INT(_vm, OID_AUTO, cs_blob_size, CTLFLAG_RD, &cs_blob_size, 0, "Current size of all code signature blobs");
-SYSCTL_INT(_vm, OID_AUTO, cs_blob_count_peak, CTLFLAG_RD, &cs_blob_count_peak, 0, "Peak number of code signature blobs");
-SYSCTL_INT(_vm, OID_AUTO, cs_blob_size_peak, CTLFLAG_RD, &cs_blob_size_peak, 0, "Peak size of code signature blobs");
-SYSCTL_INT(_vm, OID_AUTO, cs_blob_size_max, CTLFLAG_RD, &cs_blob_size_max, 0, "Size of biggest code signature blob");
+#ifndef SECURE_KERNEL
+SYSCTL_INT(_vm, OID_AUTO, cs_validation, CTLFLAG_RW | CTLFLAG_LOCKED, &cs_validation, 0, "Do validate code signatures");
+#endif
+SYSCTL_INT(_vm, OID_AUTO, cs_blob_count, CTLFLAG_RD | CTLFLAG_LOCKED, (int *)(uintptr_t)&cs_blob_count, 0, "Current number of code signature blobs");
+SYSCTL_INT(_vm, OID_AUTO, cs_blob_size, CTLFLAG_RD | CTLFLAG_LOCKED, (int *)(uintptr_t)&cs_blob_size, 0, "Current size of all code signature blobs");
+SYSCTL_INT(_vm, OID_AUTO, cs_blob_count_peak, CTLFLAG_RD | CTLFLAG_LOCKED, &cs_blob_count_peak, 0, "Peak number of code signature blobs");
+SYSCTL_INT(_vm, OID_AUTO, cs_blob_size_peak, CTLFLAG_RD | CTLFLAG_LOCKED, &cs_blob_size_peak, 0, "Peak size of code signature blobs");
+SYSCTL_INT(_vm, OID_AUTO, cs_blob_size_max, CTLFLAG_RD | CTLFLAG_LOCKED, &cs_blob_size_max, 0, "Size of biggest code signature blob");
+
 
 kern_return_t
 ubc_cs_blob_allocate(
@@ -2261,12 +2651,125 @@ ubc_cs_blob_deallocate(
 #endif /* CS_BLOB_PAGEABLE */
 }
        
+int
+ubc_cs_sigpup_add(
+       struct vnode    *vp,
+       vm_address_t    address,
+       vm_size_t       size)
+{
+       kern_return_t           kr;
+       struct ubc_info         *uip;
+       struct cs_blob          *blob;
+       memory_object_control_t control;
+       const CS_CodeDirectory *cd;
+       int                     error;
+
+       control = ubc_getobject(vp, UBC_FLAGS_NONE);
+       if (control == MEMORY_OBJECT_CONTROL_NULL)
+               return KERN_INVALID_ARGUMENT;
+
+       if (memory_object_is_signed(control))
+               return 0;
+
+       blob = (struct cs_blob *) kalloc(sizeof (struct cs_blob));
+       if (blob == NULL)
+               return ENOMEM;
+
+       /* fill in the new blob */
+       blob->csb_cpu_type = CPU_TYPE_ANY;
+       blob->csb_base_offset = 0;
+       blob->csb_mem_size = size;
+       blob->csb_mem_offset = 0;
+       blob->csb_mem_handle = IPC_PORT_NULL;
+       blob->csb_mem_kaddr = address;
+       blob->csb_sigpup = 1;
+       
+       /*
+        * Validate the blob's contents
+        */
+       cd = findCodeDirectory(
+               (const CS_SuperBlob *) address, 
+               (char *) address, 
+               (char *) address + blob->csb_mem_size);
+       if (cd == NULL) {
+               /* no code directory => useless blob ! */
+               error = EINVAL;
+               goto out;
+       }
+
+       blob->csb_flags = ntohl(cd->flags) | CS_VALID;
+       blob->csb_end_offset = round_page(ntohl(cd->codeLimit));
+       if((ntohl(cd->version) >= CS_SUPPORTSSCATTER) && (ntohl(cd->scatterOffset))) {
+               const SC_Scatter *scatter = (const SC_Scatter*)
+                   ((const char*)cd + ntohl(cd->scatterOffset));
+               blob->csb_start_offset = ntohl(scatter->base) * PAGE_SIZE;
+       } else {
+               blob->csb_start_offset = (blob->csb_end_offset - (ntohl(cd->nCodeSlots) * PAGE_SIZE));
+       }
+
+       /* 
+        * We don't need to check with the policy module, since the input data is supposed to be already checked
+        */
+       
+       vnode_lock(vp);
+       if (! UBCINFOEXISTS(vp)) {
+               vnode_unlock(vp);
+               if (cs_debug)
+                       printf("out ubc object\n");
+               error = ENOENT;
+               goto out;
+       }
+       uip = vp->v_ubcinfo;
+
+       /* someone raced us to adding the code directory */
+       if (uip->cs_blobs != NULL) {
+               if (cs_debug)
+                       printf("sigpup: vnode already have CD ?\n");
+               vnode_unlock(vp);
+               error = EEXIST;
+               goto out;
+       }
+
+       blob->csb_next = uip->cs_blobs;
+       uip->cs_blobs = blob;
+
+       OSAddAtomic(+1, &cs_blob_count);
+       OSAddAtomic((SInt32) +blob->csb_mem_size, &cs_blob_size);
+
+       /* mark this vnode's VM object as having "signed pages" */
+       kr = memory_object_signed(uip->ui_control, TRUE);
+       if (kr != KERN_SUCCESS) {
+               vnode_unlock(vp);
+               if (cs_debug)
+                       printf("sigpup: not signable ?\n");
+               error = ENOENT;
+               goto out;
+       }
+
+       vnode_unlock(vp);
+
+       error = 0;
+out:
+       if (error) {
+               if (cs_debug)
+                       printf("sigpup: not signable ?\n");
+               /* we failed; release what we allocated */
+               if (blob) {
+                       kfree(blob, sizeof (*blob));
+                       blob = NULL;
+               }
+       }
+
+       return error;
+}
+
 int
 ubc_cs_blob_add(
        struct vnode    *vp,
        cpu_type_t      cputype,
        off_t           base_offset,
        vm_address_t    addr,
+       off_t           blob_offset,
        vm_size_t       size)
 {
        kern_return_t           kr;
@@ -2278,6 +2781,9 @@ ubc_cs_blob_add(
        const CS_CodeDirectory *cd;
        off_t                   blob_start_offset, blob_end_offset;
        SHA1_CTX                sha1ctxt;
+       boolean_t               record_mtime;
+
+       record_mtime = FALSE;
 
        blob_handle = IPC_PORT_NULL;
 
@@ -2314,32 +2820,36 @@ ubc_cs_blob_add(
 
        /* fill in the new blob */
        blob->csb_cpu_type = cputype;
+       blob->csb_sigpup = 0;
        blob->csb_base_offset = base_offset;
+       blob->csb_blob_offset = blob_offset;
        blob->csb_mem_size = size;
        blob->csb_mem_offset = 0;
        blob->csb_mem_handle = blob_handle;
        blob->csb_mem_kaddr = addr;
+       blob->csb_flags = 0;
        
        /*
         * Validate the blob's contents
         */
-       cd = findCodeDirectory(
-               (const CS_SuperBlob *) addr, 
-               (char *) addr, 
-               (char *) addr + blob->csb_mem_size);
-       if (cd == NULL) {
-               /* no code directory => useless blob ! */
+
+       error = cs_validate_csblob((const uint8_t *)addr, size, &cd);
+       if (error) {
+               if (cs_debug)
+                       printf("CODESIGNING: csblob invalid: %d\n", error);
                blob->csb_flags = 0;
                blob->csb_start_offset = 0;
                blob->csb_end_offset = 0;
+               memset(blob->csb_sha1, 0, SHA1_RESULTLEN);
+               /* let the vnode checker determine if the signature is valid or not */
        } else {
-               unsigned char *sha1_base;
+               const unsigned char *sha1_base;
                int sha1_size;
 
-               blob->csb_flags = ntohl(cd->flags) | CS_VALID;
+               blob->csb_flags = (ntohl(cd->flags) & CS_ALLOWED_MACHO) | CS_VALID;
                blob->csb_end_offset = round_page(ntohl(cd->codeLimit));
-               if((ntohl(cd->version) >= supportsScatter) && (ntohl(cd->scatterOffset))) {
-                       const struct Scatter *scatter = (const struct Scatter*)
+               if((ntohl(cd->version) >= CS_SUPPORTSSCATTER) && (ntohl(cd->scatterOffset))) {
+                       const SC_Scatter *scatter = (const SC_Scatter*)
                                ((const char*)cd + ntohl(cd->scatterOffset));
                        blob->csb_start_offset = ntohl(scatter->base) * PAGE_SIZE;
                } else {
@@ -2358,7 +2868,7 @@ ubc_cs_blob_add(
         * Let policy module check whether the blob's signature is accepted.
         */
 #if CONFIG_MACF
-       error = mac_vnode_check_signature(vp, blob->csb_sha1, (void*)addr, size);
+       error = mac_vnode_check_signature(vp, base_offset, blob->csb_sha1, (void*)addr, size);
        if (error) 
                goto out;
 #endif 
@@ -2424,11 +2934,43 @@ ubc_cs_blob_add(
                                          */
                                         oblob->csb_cpu_type = cputype;
                                 }
+                                /* 
+                                 * If the same blob moved around in the Mach-O, we
+                                 * want to remember the new blob offset to avoid
+                                 * coming back here again and again.
+                                 */
+                                oblob->csb_blob_offset = blob_offset;
+
                                 vnode_unlock(vp);
                                 error = EAGAIN;
                                 goto out;
                         } else {
                                 /* different blob: reject the new one */
+                                char pathbuf[MAXPATHLEN];
+                                char new_sha1_str[2*SHA1_RESULTLEN+1];
+                                char old_sha1_str[2*SHA1_RESULTLEN+1];
+                                char arch_str[20];
+                                const char *pathp = "?unknown";
+                                int pblen = sizeof(pathbuf);
+                                if (vn_getpath(vp, pathbuf, &pblen) == 0) {
+                                       /* pblen == strlen(pathbuf) + 1. Assume strlen(pathbuf) > 0 */
+                                       for (pathp = pathbuf + pblen - 2; pathp > pathbuf && pathp[-1] != '/'; pathp--) ;
+                                }
+                                snprintf(arch_str, sizeof(arch_str), "%x", cputype);
+                                hex_str(oblob->csb_sha1, SHA1_RESULTLEN, old_sha1_str);
+                                hex_str(blob->csb_sha1, SHA1_RESULTLEN, new_sha1_str);
+                                kern_asl_msg(LOG_NOTICE, "messagetracer",
+                                       6,
+                                       "com.apple.message.domain", "com.apple.kernel.cs.replace",
+                                       "com.apple.message.signature", pathp,
+                                       "com.apple.message.signature2", arch_str,
+                                       "com.apple.message.signature3", old_sha1_str,
+                                       "com.apple.message.result", new_sha1_str,
+                                       "com.apple.message.summarize", "YES",
+                                       NULL
+                                );
+                                printf("CODESIGNING: rejected new signature for architecture %d of file %s\n",
+                                       cputype, pathbuf);
                                 vnode_unlock(vp);
                                 error = EALREADY;
                                 goto out;
@@ -2437,7 +2979,6 @@ ubc_cs_blob_add(
 
        }
 
-
        /* mark this vnode's VM object as having "signed pages" */
        kr = memory_object_signed(uip->ui_control, TRUE);
        if (kr != KERN_SUCCESS) {
@@ -2446,6 +2987,11 @@ ubc_cs_blob_add(
                goto out;
        }
 
+       if (uip->cs_blobs == NULL) {
+               /* loading 1st blob: record the file's current "modify time" */
+               record_mtime = TRUE;
+       }
+
        /*
         * Add this blob to the list of blobs for this vnode.
         * We always add at the front of the list and we never remove a
@@ -2468,23 +3014,28 @@ ubc_cs_blob_add(
                cs_blob_size_max = (UInt32) blob->csb_mem_size;
        }
 
-       if (cs_debug) {
+       if (cs_debug > 1) {
                proc_t p;
-
+               const char *name = vnode_getname_printable(vp);
                p = current_proc();
                printf("CODE SIGNING: proc %d(%s) "
                       "loaded %s signatures for file (%s) "
                       "range 0x%llx:0x%llx flags 0x%x\n",
                       p->p_pid, p->p_comm,
                       blob->csb_cpu_type == -1 ? "detached" : "embedded",
-                      vnode_name(vp),
+                      name,
                       blob->csb_base_offset + blob->csb_start_offset,
                       blob->csb_base_offset + blob->csb_end_offset,
                       blob->csb_flags);
+               vnode_putname_printable(name);
        }
 
        vnode_unlock(vp);
 
+       if (record_mtime) {
+               vnode_mtime(vp, &uip->cs_mtime, vfs_context_current());
+       }
+
        error = 0;      /* success ! */
 
 out:
@@ -2551,6 +3102,8 @@ ubc_cs_blob_get(
                }
        }
 
+       if (cs_debug && blob != NULL && blob->csb_sigpup)
+               printf("found sig pup blob\n");
 out:
        vnode_unlock(vp);
 
@@ -2567,7 +3120,7 @@ ubc_cs_free(
             blob != NULL;
             blob = next_blob) {
                next_blob = blob->csb_next;
-               if (blob->csb_mem_kaddr != 0) {
+               if (blob->csb_mem_kaddr != 0 && !blob->csb_sigpup) {
                        ubc_cs_blob_deallocate(blob->csb_mem_kaddr,
                                               blob->csb_mem_size);
                        blob->csb_mem_kaddr = 0;
@@ -2580,6 +3133,9 @@ ubc_cs_free(
                OSAddAtomic((SInt32) -blob->csb_mem_size, &cs_blob_size);
                kfree(blob, sizeof (*blob));
        }
+#if CHECK_CS_VALIDATION_BITMAP
+       ubc_cs_validation_bitmap_deallocate( uip->ui_vnode );
+#endif
        uip->cs_blobs = NULL;
 }
 
@@ -2617,11 +3173,30 @@ out:
        return blobs;
 }
 
+void
+ubc_get_cs_mtime(
+       struct vnode    *vp,
+       struct timespec *cs_mtime)
+{
+       struct ubc_info *uip;
+
+       if (! UBCINFOEXISTS(vp)) {
+               cs_mtime->tv_sec = 0;
+               cs_mtime->tv_nsec = 0;
+               return;
+       }
+
+       uip = vp->v_ubcinfo;
+       cs_mtime->tv_sec = uip->cs_mtime.tv_sec;
+       cs_mtime->tv_nsec = uip->cs_mtime.tv_nsec;
+}
+
 unsigned long cs_validate_page_no_hash = 0;
 unsigned long cs_validate_page_bad_hash = 0;
 boolean_t
 cs_validate_page(
        void                    *_blobs,
+       memory_object_t         pager,
        memory_object_offset_t  page_offset,
        const void              *data,
        boolean_t               *tainted)
@@ -2683,6 +3258,9 @@ cs_validate_page(
                                break;
                        }
                }
+               if (blob->csb_sigpup && cs_debug)
+                       printf("checking for a sigpup CD\n");
+
                blob_addr = kaddr + blob->csb_mem_offset;
                
                lower_bound = CAST_DOWN(char *, blob_addr);
@@ -2692,9 +3270,11 @@ cs_validate_page(
                cd = findCodeDirectory(embedded, lower_bound, upper_bound);
                if (cd != NULL) {
                        if (cd->pageSize != PAGE_SHIFT ||
-                           cd->hashType != 0x1 ||
+                           cd->hashType != CS_HASHTYPE_SHA1 ||
                            cd->hashSize != SHA1_RESULTLEN) {
                                /* bogus blob ? */
+                               if (blob->csb_sigpup && cs_debug)
+                                       printf("page foo bogus sigpup CD\n");
                                continue;
                        }
 
@@ -2702,19 +3282,30 @@ cs_validate_page(
                        if (offset < blob->csb_start_offset ||
                            offset >= blob->csb_end_offset) {
                                /* our page is not covered by this blob */
+                               if (blob->csb_sigpup && cs_debug)
+                                       printf("OOB sigpup CD\n");
                                continue;
                        }
 
                        codeLimit = ntohl(cd->codeLimit);
-                       hash = hashes(cd, atop(offset),
+                       if (blob->csb_sigpup && cs_debug)
+                               printf("sigpup codesize %d\n", (int)codeLimit);
+
+                       hash = hashes(cd, (unsigned)atop(offset),
                                      lower_bound, upper_bound);
                        if (hash != NULL) {
                                bcopy(hash, expected_hash,
                                      sizeof (expected_hash));
                                found_hash = TRUE;
+                               if (blob->csb_sigpup && cs_debug)
+                                       printf("sigpup hash\n");
                        }
 
                        break;
+               } else {
+                       if (blob->csb_sigpup && cs_debug)
+                               printf("sig pup had no valid CD\n");
+
                }
        }
 
@@ -2730,15 +3321,14 @@ cs_validate_page(
                cs_validate_page_no_hash++;
                if (cs_debug > 1) {
                        printf("CODE SIGNING: cs_validate_page: "
-                              "off 0x%llx: no hash to validate !?\n",
-                              page_offset);
+                              "mobj %p off 0x%llx: no hash to validate !?\n",
+                              pager, page_offset);
                }
                validated = FALSE;
                *tainted = FALSE;
        } else {
 
                size = PAGE_SIZE;
-               const uint32_t *asha1, *esha1;
                if ((off_t)(offset + size) > codeLimit) {
                        /* partial page at end of segment */
                        assert(offset < codeLimit);
@@ -2749,28 +3339,37 @@ cs_validate_page(
                SHA1UpdateUsePhysicalAddress(&sha1ctxt, data, size);
                SHA1Final(actual_hash, &sha1ctxt);
 
-               asha1 = (const uint32_t *) actual_hash;
-               esha1 = (const uint32_t *) expected_hash;
-
                if (bcmp(expected_hash, actual_hash, SHA1_RESULTLEN) != 0) {
+                       char asha1_str[2*SHA1_RESULTLEN+1];
+                       char esha1_str[2*SHA1_RESULTLEN+1];
+                       hex_str(actual_hash, SHA1_RESULTLEN, asha1_str);
+                       hex_str(expected_hash, SHA1_RESULTLEN, esha1_str);
                        if (cs_debug) {
                                printf("CODE SIGNING: cs_validate_page: "
-                                      "off 0x%llx size 0x%lx: "
-                                      "actual [0x%x 0x%x 0x%x 0x%x 0x%x] != "
-                                      "expected [0x%x 0x%x 0x%x 0x%x 0x%x]\n",
-                                      page_offset, size,
-                                      asha1[0], asha1[1], asha1[2],
-                                      asha1[3], asha1[4],
-                                      esha1[0], esha1[1], esha1[2],
-                                      esha1[3], esha1[4]);
+                                      "mobj %p off 0x%llx size 0x%lx: actual %s expected %s\n",
+                                      pager, page_offset, size, asha1_str, esha1_str);
                        }
                        cs_validate_page_bad_hash++;
+                       if (!*tainted) {
+                               char page_offset_str[20];
+                               snprintf(page_offset_str, sizeof(page_offset_str), "%llx", page_offset);
+                                kern_asl_msg(LOG_NOTICE, "messagetracer",
+                                       5,
+                                       "com.apple.message.domain", "com.apple.kernel.cs.mismatch",
+                                       "com.apple.message.signature", page_offset_str,
+                                       "com.apple.message.signature2", asha1_str,
+                                       "com.apple.message.signature3", esha1_str,
+                                       "com.apple.message.summarize", "YES",
+                                       NULL
+                                );
+                       }
                        *tainted = TRUE;
                } else {
-                       if (cs_debug > 1) {
+                       if (cs_debug > 10) {
                                printf("CODE SIGNING: cs_validate_page: "
-                                      "off 0x%llx size 0x%lx: SHA1 OK\n",
-                                      page_offset, size);
+                                      "mobj %p off 0x%llx size 0x%lx: "
+                                      "SHA1 OK\n",
+                                      pager, page_offset, size);
                        }
                        *tainted = FALSE;
                }
@@ -2818,3 +3417,127 @@ ubc_cs_getcdhash(
 
        return ret;
 }
+
+#if CHECK_CS_VALIDATION_BITMAP
+#define stob(s)        ((atop_64((s)) + 07) >> 3)
+extern boolean_t       root_fs_upgrade_try;
+
+/*
+ * Should we use the code-sign bitmap to avoid repeated code-sign validation?
+ * Depends:
+ * a) Is the target vnode on the root filesystem?
+ * b) Has someone tried to mount the root filesystem read-write?
+ * If answers are (a) yes AND (b) no, then we can use the bitmap.
+ */
+#define USE_CODE_SIGN_BITMAP(vp)       ( (vp != NULL) && (vp->v_mount != NULL) && (vp->v_mount->mnt_flag & MNT_ROOTFS) && !root_fs_upgrade_try) 
+kern_return_t
+ubc_cs_validation_bitmap_allocate(
+       vnode_t         vp)
+{
+       kern_return_t   kr = KERN_SUCCESS;
+       struct ubc_info *uip;
+       char            *target_bitmap;
+       vm_object_size_t        bitmap_size;
+
+       if ( ! USE_CODE_SIGN_BITMAP(vp) || (! UBCINFOEXISTS(vp))) {
+               kr = KERN_INVALID_ARGUMENT;
+       } else {
+               uip = vp->v_ubcinfo;
+
+               if ( uip->cs_valid_bitmap == NULL ) {
+                       bitmap_size = stob(uip->ui_size);
+                       target_bitmap = (char*) kalloc( (vm_size_t)bitmap_size );
+                       if (target_bitmap == 0) {
+                               kr = KERN_NO_SPACE;
+                       } else {
+                               kr = KERN_SUCCESS;
+                       }
+                       if( kr == KERN_SUCCESS ) {
+                               memset( target_bitmap, 0, (size_t)bitmap_size);
+                               uip->cs_valid_bitmap = (void*)target_bitmap;
+                               uip->cs_valid_bitmap_size = bitmap_size;
+                       }
+               }
+       }
+       return kr;
+}
+
+kern_return_t
+ubc_cs_check_validation_bitmap (
+       vnode_t                 vp,
+       memory_object_offset_t          offset,
+       int                     optype)
+{
+       kern_return_t   kr = KERN_SUCCESS;
+
+       if ( ! USE_CODE_SIGN_BITMAP(vp) || ! UBCINFOEXISTS(vp)) {
+               kr = KERN_INVALID_ARGUMENT;
+       } else {
+               struct ubc_info *uip = vp->v_ubcinfo;
+               char            *target_bitmap = uip->cs_valid_bitmap;
+
+               if ( target_bitmap == NULL ) {
+                      kr = KERN_INVALID_ARGUMENT;
+               } else {
+                       uint64_t        bit, byte;
+                       bit = atop_64( offset );
+                       byte = bit >> 3;
+
+                       if ( byte > uip->cs_valid_bitmap_size ) {
+                              kr = KERN_INVALID_ARGUMENT;
+                       } else {
+
+                               if (optype == CS_BITMAP_SET) {
+                                       target_bitmap[byte] |= (1 << (bit & 07));
+                                       kr = KERN_SUCCESS;
+                               } else if (optype == CS_BITMAP_CLEAR) {
+                                       target_bitmap[byte] &= ~(1 << (bit & 07));
+                                       kr = KERN_SUCCESS;
+                               } else if (optype == CS_BITMAP_CHECK) {
+                                       if ( target_bitmap[byte] & (1 << (bit & 07))) {
+                                               kr = KERN_SUCCESS;
+                                       } else {
+                                               kr = KERN_FAILURE;
+                                       }
+                               }
+                       }
+               }
+       }
+       return kr;
+}
+
+void
+ubc_cs_validation_bitmap_deallocate(
+       vnode_t         vp)
+{
+       struct ubc_info *uip;
+       void            *target_bitmap;
+       vm_object_size_t        bitmap_size;
+
+       if ( UBCINFOEXISTS(vp)) {
+               uip = vp->v_ubcinfo;
+
+               if ( (target_bitmap = uip->cs_valid_bitmap) != NULL ) {
+                       bitmap_size = uip->cs_valid_bitmap_size;
+                       kfree( target_bitmap, (vm_size_t) bitmap_size );
+                       uip->cs_valid_bitmap = NULL;
+               }
+       }
+}
+#else
+kern_return_t  ubc_cs_validation_bitmap_allocate(__unused vnode_t vp){
+       return KERN_INVALID_ARGUMENT;
+}
+
+kern_return_t ubc_cs_check_validation_bitmap(
+       __unused struct vnode *vp, 
+       __unused memory_object_offset_t offset,
+       __unused int optype){
+
+       return KERN_INVALID_ARGUMENT;
+}
+
+void   ubc_cs_validation_bitmap_deallocate(__unused vnode_t vp){
+       return;
+}
+#endif /* CHECK_CS_VALIDATION_BITMAP */