X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/378393581903b274cb7a4d18e0d978071a6b592d..bb59bff194111743b33cc36712410b5656329d3c:/bsd/kern/mach_process.c diff --git a/bsd/kern/mach_process.c b/bsd/kern/mach_process.c index caa043027..ef8ebffcd 100644 --- a/bsd/kern/mach_process.c +++ b/bsd/kern/mach_process.c @@ -1,23 +1,29 @@ /* - * Copyright (c) 2000-2002 Apple Computer, Inc. All rights reserved. + * Copyright (c) 2000-2006 Apple Computer, Inc. All rights reserved. * - * @APPLE_LICENSE_HEADER_START@ + * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * - * The contents of this file constitute Original Code as defined in and - * are subject to the Apple Public Source License Version 1.1 (the - * "License"). You may not use this file except in compliance with the - * License. Please obtain a copy of the License at - * http://www.apple.com/publicsource and read it before using this file. + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. The rights granted to you under the License + * may not be used to create, or enable the creation or redistribution of, + * unlawful or unlicensed copies of an Apple operating system, or to + * circumvent, violate, or enable the circumvention or violation of, any + * terms of an Apple operating system software license agreement. * - * This Original Code and all software distributed under the License are - * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the - * License for the specific language governing rights and limitations - * under the License. + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. * - * @APPLE_LICENSE_HEADER_END@ + * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ */ /* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */ /*- @@ -76,13 +82,21 @@ #include <sys/mount_internal.h> #include <sys/sysproto.h> +#include <sys/kdebug.h> +#include <sys/codesign.h> /* cs_allow_invalid() */ -#include <bsm/audit_kernel.h> +#include <security/audit/audit.h> #include <kern/task.h> #include <kern/thread.h> -#include <mach/machine/thread_status.h> +#include <mach/task.h> /* for task_resume() */ +#include <kern/sched_prim.h> /* for thread_exception_return() */ + +#include <pexpert/pexpert.h> + +/* XXX ken/bsd_kern.c - prototype should be in common header */ +int get_task_userstop(task_t); /* Macros to clear/set/test flags. */ #define SET(t, f) (t) |= (f) @@ -90,59 +104,49 @@ #define ISSET(t, f) ((t) & (f)) extern thread_t port_name_to_thread(mach_port_name_t port_name); -extern kern_return_t thread_getstatus(thread_t thread, int flavor, thread_state_t tstate, mach_msg_type_number_t *count); extern thread_t get_firstthread(task_t); -#if defined (ppc) -extern kern_return_t thread_setstatus(thread_t thread, int flavor, thread_state_t tstate, mach_msg_type_number_t count); -#endif /* * sys-trace system call. */ int -ptrace(p, uap, retval) - struct proc *p; - struct ptrace_args *uap; - register_t *retval; +ptrace(struct proc *p, struct ptrace_args *uap, int32_t *retval) { struct proc *t = current_proc(); /* target process */ task_t task; thread_t th_act; struct uthread *ut; - int *locr0; -#if defined(ppc) - struct ppc_thread_state64 statep; -#elif defined(i386) - struct i386_saved_state statep; -#else -#error architecture not supported -#endif - unsigned long state_count; int tr_sigexc = 0; + int error = 0; + int stopped = 0; AUDIT_ARG(cmd, uap->req); AUDIT_ARG(pid, uap->pid); AUDIT_ARG(addr, uap->addr); - AUDIT_ARG(value, uap->data); + AUDIT_ARG(value32, uap->data); if (uap->req == PT_DENY_ATTACH) { - if (ISSET(p->p_flag, P_TRACED)) { + proc_lock(p); + if (ISSET(p->p_lflag, P_LTRACED)) { + proc_unlock(p); + KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_FRCEXIT) | DBG_FUNC_NONE, + p->p_pid, W_EXITCODE(ENOTSUP, 0), 4, 0, 0); exit1(p, W_EXITCODE(ENOTSUP, 0), retval); - /* drop funnel before we return */ - thread_funnel_set(kernel_flock, FALSE); + thread_exception_return(); /* NOTREACHED */ } - SET(p->p_flag, P_NOATTACH); + SET(p->p_lflag, P_LNOATTACH); + proc_unlock(p); return(0); } if (uap->req == PT_FORCEQUOTA) { - if (is_suser()) { - SET(t->p_flag, P_FORCEQUOTA); + if (kauth_cred_issuser(kauth_cred_get())) { + OSBitOrAtomic(P_FORCEQUOTA, &t->p_flag); return (0); } else return (EPERM); @@ -152,33 +156,48 @@ ptrace(p, uap, retval) * Intercept and deal with "please trace me" request. */ if (uap->req == PT_TRACE_ME) { - SET(p->p_flag, P_TRACED); + proc_lock(p); + SET(p->p_lflag, P_LTRACED); /* Non-attached case, our tracer is our parent. */ - t->p_oppid = t->p_pptr->p_pid; + p->p_oppid = p->p_ppid; + /* Check whether child and parent are allowed to run modified + * code (they'll have to) */ + struct proc *pproc=proc_find(p->p_oppid); + proc_unlock(p); + cs_allow_invalid(p); + if(pproc) { + cs_allow_invalid(pproc); + proc_rele(pproc); + } return(0); } if (uap->req == PT_SIGEXC) { - if (ISSET(p->p_flag, P_TRACED)) { - SET(p->p_flag, P_SIGEXC); + proc_lock(p); + if (ISSET(p->p_lflag, P_LTRACED)) { + SET(p->p_lflag, P_LSIGEXC); + proc_unlock(p); return(0); - } else + } else { + proc_unlock(p); return(EINVAL); + } + } + + /* + * We do not want ptrace to do anything with kernel or launchd + */ + if (uap->pid < 2) { + return(EPERM); } /* * Locate victim, and make sure it is traceable. */ - if ((t = pfind(uap->pid)) == NULL) + if ((t = proc_find(uap->pid)) == NULL) return (ESRCH); AUDIT_ARG(process, t); - /* We do not want ptrace to do anything with kernel, init - * and mach_init - */ - if (uap->pid <=2 ) - return (EPERM); - task = t->task; if (uap->req == PT_ATTACHEXC) { uap->req = PT_ATTACH; @@ -190,29 +209,45 @@ ptrace(p, uap, retval) if ( kauth_authorize_process(proc_ucred(p), KAUTH_PROCESS_CANTRACE, t, (uintptr_t)&err, 0, 0) == 0 ) { /* it's OK to attach */ - SET(t->p_flag, P_TRACED); + proc_lock(t); + SET(t->p_lflag, P_LTRACED); if (tr_sigexc) - SET(t->p_flag, P_SIGEXC); + SET(t->p_lflag, P_LSIGEXC); - t->p_oppid = t->p_pptr->p_pid; + t->p_oppid = t->p_ppid; + /* Check whether child and parent are allowed to run modified + * code (they'll have to) */ + proc_unlock(t); + cs_allow_invalid(t); + cs_allow_invalid(p); if (t->p_pptr != p) - proc_reparent(t, p); + proc_reparentlocked(t, p, 1, 0); - if (get_task_userstop(task) == 0 ) { - t->p_xstat = 0; - psignal(t, SIGSTOP); - } else { - t->p_xstat = SIGSTOP; - task_resume(task); + proc_lock(t); + if (get_task_userstop(task) > 0 ) { + stopped = 1; } - return(0); + t->p_xstat = 0; + proc_unlock(t); + psignal(t, SIGSTOP); + /* + * If the process was stopped, wake up and run through + * issignal() again to properly connect to the tracing + * process. + */ + if (stopped) + task_resume(task); + error = 0; + goto out; } else { /* not allowed to attach, proper error code returned by kauth_authorize_process */ - if (ISSET(t->p_flag, P_NOATTACH)) { + if (ISSET(t->p_lflag, P_LNOATTACH)) { psignal(p, SIGSEGV); } - return (err); + + error = err; + goto out; } } @@ -220,38 +255,61 @@ ptrace(p, uap, retval) * You can't do what you want to the process if: * (1) It's not being traced at all, */ - if (!ISSET(t->p_flag, P_TRACED)) - return (EPERM); + proc_lock(t); + if (!ISSET(t->p_lflag, P_LTRACED)) { + proc_unlock(t); + error = EPERM; + goto out; + } /* * (2) it's not being traced by _you_, or */ - if (t->p_pptr != p) - return (EBUSY); + if (t->p_pptr != p) { + proc_unlock(t); + error = EBUSY; + goto out; + } /* * (3) it's not currently stopped. */ - if (t->p_stat != SSTOP) - return (EBUSY); + if (t->p_stat != SSTOP) { + proc_unlock(t); + error = EBUSY; + goto out; + } /* * Mach version of ptrace executes request directly here, * thus simplifying the interaction of ptrace and signals. */ + /* proc lock is held here */ switch (uap->req) { case PT_DETACH: - if (t->p_oppid != t->p_pptr->p_pid) { + if (t->p_oppid != t->p_ppid) { struct proc *pp; - pp = pfind(t->p_oppid); - proc_reparent(t, pp ? pp : initproc); + proc_unlock(t); + pp = proc_find(t->p_oppid); + if (pp != PROC_NULL) { + proc_reparentlocked(t, pp, 1, 0); + proc_rele(pp); + } else { + /* original parent exited while traced */ + proc_list_lock(); + t->p_listflag |= P_LIST_DEADPARENT; + proc_list_unlock(); + proc_reparentlocked(t, initproc, 1, 0); + } + proc_lock(t); } t->p_oppid = 0; - CLR(t->p_flag, P_TRACED); - CLR(t->p_flag, P_SIGEXC); + CLR(t->p_lflag, P_LTRACED); + CLR(t->p_lflag, P_LSIGEXC); + proc_unlock(t); goto resume; case PT_KILL: @@ -259,116 +317,115 @@ ptrace(p, uap, retval) * Tell child process to kill itself after it * is resumed by adding NSIG to p_cursig. [see issig] */ - psignal_lock(t, SIGKILL, 0); + proc_unlock(t); +#if CONFIG_MACF + error = mac_proc_check_signal(p, t, SIGKILL); + if (0 != error) + goto resume; +#endif + psignal(t, SIGKILL); goto resume; case PT_STEP: /* single step the child */ case PT_CONTINUE: /* continue the child */ + proc_unlock(t); th_act = (thread_t)get_firstthread(task); - if (th_act == THREAD_NULL) - goto errorLabel; - ut = (uthread_t)get_bsdthread_info(th_act); - locr0 = ut->uu_ar0; -#if defined(i386) - state_count = i386_NEW_THREAD_STATE_COUNT; - if (thread_getstatus(th_act, i386_NEW_THREAD_STATE, &statep, &state_count) != KERN_SUCCESS) { - goto errorLabel; - } -#elif defined(ppc) - state_count = PPC_THREAD_STATE64_COUNT; - if (thread_getstatus(th_act, PPC_THREAD_STATE64, (thread_state_t)&statep, (mach_msg_type_number_t *)&state_count) != KERN_SUCCESS) { - goto errorLabel; - } -#else -#error architecture not supported -#endif + if (th_act == THREAD_NULL) { + error = EINVAL; + goto out; + } + + /* force use of Mach SPIs (and task_for_pid security checks) to adjust PC */ if (uap->addr != (user_addr_t)1) { -#if defined(i386) - locr0[PC] = (int)uap->addr; -#elif defined(ppc) -#define ALIGNED(addr,size) (((unsigned)(addr)&((size)-1))==0) - if (!ALIGNED((int)uap->addr, sizeof(int))) - return (ERESTART); - - statep.srr0 = uap->addr; - state_count = PPC_THREAD_STATE64_COUNT; - if (thread_setstatus(th_act, PPC_THREAD_STATE64, (thread_state_t)&statep, state_count) != KERN_SUCCESS) { - goto errorLabel; - } -#undef ALIGNED -#else -#error architecture not implemented! -#endif - } /* uap->addr != (user_addr_t)1 */ + error = ENOTSUP; + goto out; + } - if ((unsigned)uap->data >= NSIG) - goto errorLabel; + if ((unsigned)uap->data >= NSIG) { + error = EINVAL; + goto out; + } if (uap->data != 0) { - psignal_lock(t, uap->data, 0); + psignal(t, uap->data); } -#if defined(ppc) - state_count = PPC_THREAD_STATE64_COUNT; - if (thread_getstatus(th_act, PPC_THREAD_STATE64, (thread_state_t)&statep, (mach_msg_type_number_t *)&state_count) != KERN_SUCCESS) { - goto errorLabel; - } -#endif - -#define MSR_SE_BIT 21 if (uap->req == PT_STEP) { -#if defined(i386) - locr0[PS] |= PSL_T; -#elif defined(ppc) - statep.srr1 |= MASK(MSR_SE); -#else -#error architecture not implemented! + /* + * set trace bit + * we use sending SIGSTOP as a comparable security check. + */ +#if CONFIG_MACF + error = mac_proc_check_signal(p, t, SIGSTOP); + if (0 != error) { + goto out; + } #endif - } /* uap->req == PT_STEP */ - else { /* PT_CONTINUE - clear trace bit if set */ -#if defined(i386) - locr0[PS] &= ~PSL_T; -#elif defined(ppc) - statep.srr1 &= ~MASK(MSR_SE); + if (thread_setsinglestep(th_act, 1) != KERN_SUCCESS) { + error = ENOTSUP; + goto out; + } + } else { + /* + * clear trace bit if on + * we use sending SIGCONT as a comparable security check. + */ +#if CONFIG_MACF + error = mac_proc_check_signal(p, t, SIGCONT); + if (0 != error) { + goto out; + } #endif - } -#if defined (ppc) - state_count = PPC_THREAD_STATE64_COUNT; - if (thread_setstatus(th_act, PPC_THREAD_STATE64, (thread_state_t)&statep, state_count) != KERN_SUCCESS) { - goto errorLabel; + if (thread_setsinglestep(th_act, 0) != KERN_SUCCESS) { + error = ENOTSUP; + goto out; + } } -#endif resume: + proc_lock(t); t->p_xstat = uap->data; t->p_stat = SRUN; if (t->sigwait) { wakeup((caddr_t)&(t->sigwait)); - if ((t->p_flag & P_SIGEXC) == 0) - task_release(task); - } + proc_unlock(t); + if ((t->p_lflag & P_LSIGEXC) == 0) { + task_resume(task); + } + } else + proc_unlock(t); + break; case PT_THUPDATE: { - if ((unsigned)uap->data >= NSIG) - goto errorLabel; - th_act = port_name_to_thread(CAST_DOWN(mach_port_name_t, uap->addr)); + proc_unlock(t); + if ((unsigned)uap->data >= NSIG) { + error = EINVAL; + goto out; + } + th_act = port_name_to_thread(CAST_MACH_PORT_TO_NAME(uap->addr)); if (th_act == THREAD_NULL) return (ESRCH); ut = (uthread_t)get_bsdthread_info(th_act); if (uap->data) ut->uu_siglist |= sigmask(uap->data); + proc_lock(t); t->p_xstat = uap->data; t->p_stat = SRUN; + proc_unlock(t); thread_deallocate(th_act); - return(0); + error = 0; } break; -errorLabel: default: - return(EINVAL); + proc_unlock(t); + error = EINVAL; + goto out; } - return(0); + error = 0; +out: + proc_rele(t); + return(error); } @@ -392,7 +449,7 @@ cantrace(proc_t cur_procp, kauth_cred_t creds, proc_t traced_procp, int *errp) /* * (2) it's already being traced, or */ - if (ISSET(traced_procp->p_flag, P_TRACED)) { + if (ISSET(traced_procp->p_lflag, P_LTRACED)) { *errp = EBUSY; return (0); } @@ -401,21 +458,29 @@ cantrace(proc_t cur_procp, kauth_cred_t creds, proc_t traced_procp, int *errp) * (3) it's not owned by you, or is set-id on exec * (unless you're root). */ - if ((creds->cr_ruid != proc_ucred(traced_procp)->cr_ruid || + if ((kauth_cred_getruid(creds) != kauth_cred_getruid(proc_ucred(traced_procp)) || ISSET(traced_procp->p_flag, P_SUGID)) && (my_err = suser(creds, &cur_procp->p_acflag)) != 0) { *errp = my_err; return (0); } - if ((cur_procp->p_flag & P_TRACED) && isinferior(cur_procp, traced_procp)) { + if ((cur_procp->p_lflag & P_LTRACED) && isinferior(cur_procp, traced_procp)) { *errp = EPERM; return (0); } - if (ISSET(traced_procp->p_flag, P_NOATTACH)) { + if (ISSET(traced_procp->p_lflag, P_LNOATTACH)) { *errp = EBUSY; return (0); } + +#if CONFIG_MACF + if ((my_err = mac_proc_check_debug(cur_procp, traced_procp)) != 0) { + *errp = my_err; + return (0); + } +#endif + return(1); }