X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/2d21ac55c334faf3a56e5634905ed6987fc787d4..3903760236c30e3b5ace7a4eefac3a269d68957c:/security/mac_process.c diff --git a/security/mac_process.c b/security/mac_process.c index 20ca2fb64..193507f5d 100644 --- a/security/mac_process.c +++ b/security/mac_process.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007 Apple Inc. All rights reserved. + * Copyright (c) 2007-2010 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * @@ -72,10 +72,13 @@ #include #include #include +#include +#include #include +#include -#include +#include struct label * mac_cred_label_alloc(void) @@ -102,6 +105,12 @@ mac_cred_label_free(struct label *label) mac_labelzone_free(label); } +int +mac_cred_label_compare(struct label *a, struct label *b) +{ + return (bcmp(a, b, sizeof (*a)) == 0); +} + int mac_cred_label_externalize_audit(struct proc *p, struct mac *mac) { @@ -205,12 +214,15 @@ mac_execve_enter(user_addr_t mac_p, struct image_params *imgp) return (0); if (IS_64BIT_PROCESS(current_proc())) { - error = copyin(mac_p, &mac, sizeof(mac)); + struct user64_mac mac64; + error = copyin(mac_p, &mac64, sizeof(mac64)); + mac.m_buflen = mac64.m_buflen; + mac.m_string = mac64.m_string; } else { - struct mac mac32; + struct user32_mac mac32; error = copyin(mac_p, &mac32, sizeof(mac32)); mac.m_buflen = mac32.m_buflen; - mac.m_string = CAST_USER_ADDR_T(mac32.m_string); + mac.m_string = mac32.m_string; } if (error) return (error); @@ -241,13 +253,17 @@ out: * When the subject's label changes, it may require revocation of privilege * to mapped objects. This can't be done on-the-fly later with a unified * buffer cache. + * + * XXX: CRF_MAC_ENFORCE should be in a kauth_cred_t field, rather + * XXX: than a posix_cred_t field. */ void mac_cred_label_update(kauth_cred_t cred, struct label *newlabel) { + posix_cred_t pcred = posix_cred_get(cred); /* force label to be part of "matching" for credential */ - cred->cr_flags |= CRF_MAC_ENFORCE; + pcred->cr_flags |= CRF_MAC_ENFORCE; /* inform the policies of the update */ MAC_PERFORM(cred_label_update, cred, newlabel); @@ -258,8 +274,11 @@ mac_cred_check_label_update(kauth_cred_t cred, struct label *newlabel) { int error; - if (!mac_proc_enforce) - return (0); +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; +#endif MAC_CHECK(cred_check_label_update, cred, newlabel); @@ -271,16 +290,14 @@ mac_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2) { int error; - - +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ if (!mac_proc_enforce) - return (0); - - + return 0; +#endif MAC_CHECK(cred_check_visible, u1, u2); - return (error); } @@ -298,11 +315,13 @@ mac_proc_check_debug(proc_t curp, struct proc *proc) kauth_cred_t cred; int error; - - - if (!mac_proc_enforce || - !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return (0); +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; +#endif + if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) + return 0; cred = kauth_cred_proc_ref(curp); MAC_CHECK(proc_check_debug, cred, proc); @@ -317,9 +336,13 @@ mac_proc_check_fork(proc_t curp) kauth_cred_t cred; int error; - if (!mac_proc_enforce || - !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return (0); +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; +#endif + if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) + return 0; cred = kauth_cred_proc_ref(curp); MAC_CHECK(proc_check_fork, cred, curp); @@ -348,6 +371,53 @@ mac_proc_check_get_task(struct ucred *cred, struct proc *p) return (error); } +int +mac_proc_check_expose_task(struct ucred *cred, struct proc *p) +{ + int error; + + MAC_CHECK(proc_check_expose_task, cred, p); + + return (error); +} + +int +mac_proc_check_inherit_ipc_ports(struct proc *p, struct vnode *cur_vp, off_t cur_offset, struct vnode *img_vp, off_t img_offset, struct vnode *scriptvp) +{ + int error; + + MAC_CHECK(proc_check_inherit_ipc_ports, p, cur_vp, cur_offset, img_vp, img_offset, scriptvp); + + return (error); +} + +/* + * The type of maxprot in proc_check_map_anon must be equivalent to vm_prot_t + * (defined in ). mac_policy.h does not include any header + * files, so cannot use the typedef itself. + */ +int +mac_proc_check_map_anon(proc_t proc, user_addr_t u_addr, + user_size_t u_size, int prot, int flags, int *maxprot) +{ + kauth_cred_t cred; + int error; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vm_enforce) + return 0; +#endif + if (!mac_proc_check_enforce(proc, MAC_VM_ENFORCE)) + return (0); + + cred = kauth_cred_proc_ref(proc); + MAC_CHECK(proc_check_map_anon, proc, cred, u_addr, u_size, prot, flags, maxprot); + kauth_cred_unref(&cred); + + return (error); +} + int mac_proc_check_mprotect(proc_t proc, user_addr_t addr, user_size_t size, int prot) @@ -355,8 +425,12 @@ mac_proc_check_mprotect(proc_t proc, kauth_cred_t cred; int error; - if (!mac_vm_enforce || - !mac_proc_check_enforce(proc, MAC_VM_ENFORCE)) +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vm_enforce) + return 0; +#endif + if (!mac_proc_check_enforce(proc, MAC_VM_ENFORCE)) return (0); cred = kauth_cred_proc_ref(proc); @@ -366,17 +440,35 @@ mac_proc_check_mprotect(proc_t proc, return (error); } +int +mac_proc_check_run_cs_invalid(proc_t proc) +{ + int error; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_vm_enforce) + return 0; +#endif + + MAC_CHECK(proc_check_run_cs_invalid, proc); + + return (error); +} + int mac_proc_check_sched(proc_t curp, struct proc *proc) { kauth_cred_t cred; int error; - - - if (!mac_proc_enforce || - !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return (0); +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; +#endif + if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) + return 0; cred = kauth_cred_proc_ref(curp); MAC_CHECK(proc_check_sched, cred, proc); @@ -391,11 +483,13 @@ mac_proc_check_signal(proc_t curp, struct proc *proc, int signum) kauth_cred_t cred; int error; - - - if (!mac_proc_enforce || - !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return (0); +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; +#endif + if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) + return 0; cred = kauth_cred_proc_ref(curp); MAC_CHECK(proc_check_signal, cred, proc, signum); @@ -410,11 +504,13 @@ mac_proc_check_wait(proc_t curp, struct proc *proc) kauth_cred_t cred; int error; - - - if (!mac_proc_enforce || - !mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) - return (0); +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; +#endif + if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) + return 0; cred = kauth_cred_proc_ref(curp); MAC_CHECK(proc_check_wait, cred, proc); @@ -423,120 +519,129 @@ mac_proc_check_wait(proc_t curp, struct proc *proc) return (error); } -#if CONFIG_LCTX -/* - * Login Context - */ - int -mac_proc_check_setlcid (struct proc *p0, struct proc *p, - pid_t pid, pid_t lcid) +mac_proc_check_suspend_resume(proc_t curp, int sr) { + kauth_cred_t cred; int error; - if (!mac_proc_enforce || - !mac_proc_check_enforce(p0, MAC_PROC_ENFORCE)) - return (0); +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; +#endif + if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) + return 0; + + cred = kauth_cred_proc_ref(curp); + MAC_CHECK(proc_check_suspend_resume, cred, curp, sr); + kauth_cred_unref(&cred); - MAC_CHECK(proc_check_setlcid, p0, p, pid, lcid); return (error); } int -mac_proc_check_getlcid (struct proc *p0, struct proc *p, pid_t pid) +mac_proc_check_ledger(proc_t curp, proc_t proc, int ledger_op) { - int error; - - if (!mac_proc_enforce || - !mac_proc_check_enforce(p0, MAC_PROC_ENFORCE)) - return (0); - - MAC_CHECK(proc_check_getlcid, p0, p, pid); - return (error); -} + kauth_cred_t cred; + int error = 0; -void -mac_lctx_notify_create (struct proc *p, struct lctx *l) -{ - MAC_PERFORM(lctx_notify_create, p, l); -} +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; +#endif + if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) + return 0; -void -mac_lctx_notify_join (struct proc *p, struct lctx *l) -{ - MAC_PERFORM(lctx_notify_join, p, l); -} + cred = kauth_cred_proc_ref(curp); + MAC_CHECK(proc_check_ledger, cred, proc, ledger_op); + kauth_cred_unref(&cred); -void -mac_lctx_notify_leave (struct proc *p, struct lctx *l) -{ - MAC_PERFORM(lctx_notify_leave, p, l); + return (error); } -struct label * -mac_lctx_label_alloc(void) +int +mac_proc_check_cpumon(proc_t curp) { - struct label *label; + kauth_cred_t cred; + int error = 0; - label = mac_labelzone_alloc(MAC_WAITOK); - if (label == NULL) - return (NULL); - MAC_PERFORM(lctx_label_init, label); - return (label); -} +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; +#endif + if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) + return 0; -void -mac_lctx_label_free(struct label *label) -{ + cred = kauth_cred_proc_ref(curp); + MAC_CHECK(proc_check_cpumon, cred); + kauth_cred_unref(&cred); - MAC_PERFORM(lctx_label_destroy, label); - mac_labelzone_free(label); + return (error); } int -mac_lctx_label_externalize(struct label *label, char *elements, - char *outbuf, size_t outbuflen) +mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor) { - int error; + kauth_cred_t cred; + int error = 0; + +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; +#endif + if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) + return 0; - error = MAC_EXTERNALIZE(lctx, label, elements, outbuf, outbuflen); + cred = kauth_cred_proc_ref(curp); + MAC_CHECK(proc_check_proc_info, cred, target, callnum, flavor); + kauth_cred_unref(&cred); return (error); } int -mac_lctx_label_internalize(struct label *label, char *string) +mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op) { - int error; - - error = MAC_INTERNALIZE(lctx, label, string); + kauth_cred_t cred; + int error = 0; - return (error); -} +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; +#endif + if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) + return 0; -void -mac_lctx_label_update(struct lctx *l, struct label *newlabel) -{ + cred = kauth_cred_proc_ref(curp); + MAC_CHECK(proc_check_get_cs_info, cred, target, op); + kauth_cred_unref(&cred); - MAC_PERFORM(lctx_label_update, l, newlabel); + return (error); } int -mac_lctx_check_label_update(struct lctx *l, struct label *newlabel) +mac_proc_check_set_cs_info(proc_t curp, proc_t target, unsigned int op) { - int error; + kauth_cred_t cred; + int error = 0; - MAC_CHECK(lctx_check_label_update, l, newlabel); +#if SECURITY_MAC_CHECK_ENFORCE + /* 21167099 - only check if we allow write */ + if (!mac_proc_enforce) + return 0; +#endif + if (!mac_proc_check_enforce(curp, MAC_PROC_ENFORCE)) + return 0; + + cred = kauth_cred_proc_ref(curp); + MAC_CHECK(proc_check_set_cs_info, cred, target, op); + kauth_cred_unref(&cred); return (error); } -#endif /* LCTX */ - -void -mac_thread_userret(int code, int error, struct thread *thread) -{ - - if (mac_late) - MAC_PERFORM(thread_userret, code, error, thread); -}