X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/0a7de7458d150b5d4dffc935ba399be265ef0a1a..HEAD:/bsd/security/audit/audit_session.c
diff --git a/bsd/security/audit/audit_session.c b/bsd/security/audit/audit_session.c
index d99b186fa..f9345c4e6 100644
--- a/bsd/security/audit/audit_session.c
+++ b/bsd/security/audit/audit_session.c
@@ -34,6 +34,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -98,10 +99,12 @@ static au_sentry_t audit_default_se = {
 .se_procnt = 1,
 };
-struct auditinfo_addr *audit_default_aia_p = &audit_default_se.se_auinfo;
+struct auditinfo_addr * const audit_default_aia_p = &audit_default_se.se_auinfo;
+/* Copied from */
+#define IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_SEND 0x1
 kern_return_t ipc_object_copyin(ipc_space_t, mach_port_name_t,
- mach_msg_type_name_t, ipc_port_t *);
+ mach_msg_type_name_t, ipc_port_t *, mach_port_context_t, mach_msg_guard_flags_t *, uint32_t);
 void ipc_port_release_send(ipc_port_t);
 #if CONFIG_AUDIT
@@ -334,7 +337,7 @@ static read_write_fcn_t audit_sdev_read;
 static ioctl_fcn_t audit_sdev_ioctl;
 static select_fcn_t audit_sdev_poll;
-static struct cdevsw audit_sdev_cdevsw = {
+static const struct cdevsw audit_sdev_cdevsw = {
 .d_open = audit_sdev_open,
 .d_close = audit_sdev_close,
 .d_read = audit_sdev_read,
@@ -523,13 +526,12 @@ audit_sysctl_session_debug(__unused struct sysctl_oid *oidp,
 * We hold the lock over the alloc since we don't want the table to
 * grow on us. Therefore, use the non-blocking version of kalloc().
 */
- sed_tab = (au_sentry_debug_t *)kalloc_noblock(entry_cnt *
- sizeof(au_sentry_debug_t));
+ sed_tab = (au_sentry_debug_t *)kheap_alloc(KHEAP_TEMP,
+ entry_cnt * sizeof(au_sentry_debug_t), Z_NOWAIT | Z_ZERO);
 if (sed_tab == NULL) {
 AUDIT_SENTRY_RUNLOCK();
 return ENOMEM;
 }
- bzero(sed_tab, entry_cnt * sizeof(au_sentry_debug_t));
 /*
 * Walk the audit session hash table and build the record array.
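Review bot: The flag value `#define IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_SEND 0x1` and the seven-parameter `ipc_object_copyin` prototype in the `@@ -98,10 +99,12 @@` hunk are hand-copied into this .c file instead of coming from the Mach header that owns them, so a later change to the flag bit or the signature on the Mach side is not caught by the compiler here — a stale flag value would silently change which rights the copyin in the `audit_session_join` hunk accepts, and a mismatched prototype is undefined behaviour at that call. The `/* Copied from */` comment has lost the header name in this rendering and gives no reason for the copy; if the owning header cannot be included from the BSD layer, say so and name it, e.g. `/* Copied from <OWNING_MACH_HEADER>: that header is not visible to the BSD layer, so keep this value and prototype in sync by hand. */`. A single declaration in a header both layers include would remove the drift hazard altogether.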
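Review bot: In the `@@ -523,13 +526,12 @@` hunk the comment kept above the allocation still says "use the non-blocking version of kalloc()", but the call is now `kheap_alloc(KHEAP_TEMP, ..., Z_NOWAIT | Z_ZERO)` and the zeroing that used to be an explicit `bzero()` is now carried by a flag; the comment should name the flags that express the intent, e.g. `* grow on us. Therefore, allocate with Z_NOWAIT; Z_ZERO replaces the former bzero().` The `(au_sentry_debug_t *)` cast is unnecessary in C if kheap_alloc returns `void *` (to confirm) and only hides a future type change on `sed_tab`. The enclosing audit_sysctl_session_debug starts before this hunk and its cleanup path follows in the next one.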
@@ -556,14 +558,14 @@ audit_sysctl_session_debug(__unused struct sysctl_oid *oidp,
 AUDIT_SENTRY_RUNLOCK();
 /* Reconcile with the process table. */
- (void) proc_iterate(PROC_ALLPROCLIST | PROC_ZOMBPROCLIST,
+ proc_iterate(PROC_ALLPROCLIST | PROC_ZOMBPROCLIST,
 audit_session_debug_callout, NULL, audit_session_debug_filterfn,
 (void *)&sed_tab[0]);
 req->oldlen = sz;
 err = SYSCTL_OUT(req, sed_tab, sz);
- kfree(sed_tab, entry_cnt * sizeof(au_sentry_debug_t));
+ kheap_free(KHEAP_TEMP, sed_tab, entry_cnt * sizeof(au_sentry_debug_t));
 return err;
 }
@@ -1350,10 +1352,15 @@ audit_session_port(proc_t p, struct audit_session_port_args *uap,
 */
 se = AU_SENTRY_PTR(aia_p);
 audit_ref_session(se);
- } else if (kauth_cred_issuser(cred)) {
- /* The superuser may obtain a port for any existing
- * session.
+ } else {
+ /*
+ * Only privileged processes may obtain a port for
+ * any existing session.
 */
+ err = priv_check_cred(cred, PRIV_AUDIT_SESSION_PORT, 0);
+ if (err != 0) {
+ goto done;
+ }
 AUDIT_SENTRY_RLOCK();
 se = audit_session_find(uap->asid);
 AUDIT_SENTRY_RUNLOCK();
@@ -1362,9 +1369,6 @@ audit_session_port(proc_t p, struct audit_session_port_args *uap,
 goto done;
 }
 aia_p = &se->se_auinfo;
- } else {
- err = EPERM;
- goto done;
 }
 /*
@@ -1513,7 +1517,7 @@ audit_session_join(proc_t p, struct audit_session_join_args *uap,
 if (ipc_object_copyin(get_task_ipcspace(p->task), send,
- MACH_MSG_TYPE_COPY_SEND, &port) != KERN_SUCCESS) {
+ MACH_MSG_TYPE_COPY_SEND, &port, 0, NULL, IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_SEND) != KERN_SUCCESS) {
 *ret_asid = AU_DEFAUDITSID;
 err = EINVAL;
 } else {
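Review bot: In the `@@ -1350,10 +1352,15 @@` hunk the privilege check now runs before `audit_session_find`, which is the right order — a caller without the privilege no longer reaches the lookup, so it cannot learn whether an arbitrary asid is live — but the error returned to userspace changes from the fixed `EPERM` of the branch deleted in the `@@ -1362,9 +1369,6 @@` hunk to whatever `priv_check_cred` returns, and the new comment does not say which privilege gates the path or that `err` is the raw check result. Suggest `* Only processes holding PRIV_AUDIT_SESSION_PORT may obtain a port for any existing session; err carries priv_check_cred's result unchanged.` in place of the two-line comment. The trailing `0` passed to priv_check_cred is an unnamed flags argument; a short comment naming its meaning, if it is one, would help the next reader. audit_session_port continues outside both hunks.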
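Review bot: In the `@@ -1513,7 +1517,7 @@` hunk the two new literal arguments `0, NULL` (the `mach_port_context_t` and `mach_msg_guard_flags_t *` parameters of the prototype declared earlier in this diff) and the `IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_SEND` flag are unexplained at the call site, and the unchanged `err = EINVAL` below still folds every copyin failure — whatever its KERN_* reason — into one errno. Add a comment above the `if` stating why an immovable send right is acceptable for this lookup and what the unused context/guard parameters are, e.g. `/* No port context and no guard flags; immovable send rights are accepted here because <REASON — fill in> */`. Ownership of `port` on the success path (ipc_port_release_send is declared in this diff) is outside the hunk, so confirm it is released on every path after a successful copyin. audit_session_join continues outside this hunk.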