X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/89b3af67bb32e691275bf6fa803d1834b2284115..bb59bff194111743b33cc36712410b5656329d3c:/bsd/kern/kern_authorization.c diff --git a/bsd/kern/kern_authorization.c b/bsd/kern/kern_authorization.c index 93eebc05d..91c2305c8 100644 --- a/bsd/kern/kern_authorization.c +++ b/bsd/kern/kern_authorization.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004 Apple Computer, Inc. All rights reserved. + * Copyright (c) 2004-2011 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * @@ -43,7 +43,7 @@ #include #include -#include +#include #include #include @@ -132,7 +132,7 @@ static int kauth_authorize_generic_callback(kauth_cred_t _credential, void *_ida uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3); kauth_scope_t kauth_scope_fileop; -extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int); +extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int, int); extern char * get_pathbuff(void); extern void release_pathbuff(char *path); @@ -154,11 +154,14 @@ kauth_init(void) /* bring up kauth subsystem components */ kauth_cred_init(); +#if CONFIG_EXT_RESOLVER kauth_identity_init(); kauth_groups_init(); +#endif kauth_scope_init(); +#if CONFIG_EXT_RESOLVER kauth_resolver_init(); - +#endif /* can't alloc locks after this */ lck_grp_free(kauth_lck_grp); kauth_lck_grp = NULL; @@ -185,10 +188,9 @@ kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void /* * Allocate and populate the scope structure. */ - MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK); + MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK | M_ZERO); if (sp == NULL) return(NULL); - bzero(&sp->ks_listeners, sizeof(sp->ks_listeners)); sp->ks_flags = 0; sp->ks_identifier = identifier; sp->ks_idata = idata; @@ -228,7 +230,8 @@ kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, vo KAUTH_SCOPELOCK(); TAILQ_FOREACH(tsp, &kauth_scopes, ks_link) { /* duplicate! */ - if (strcmp(tsp->ks_identifier, identifier) == 0) { + if (strncmp(tsp->ks_identifier, identifier, + strlen(tsp->ks_identifier) + 1) == 0) { KAUTH_SCOPEUNLOCK(); FREE(sp, M_KAUTH); return(NULL); @@ -244,7 +247,8 @@ kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, vo */ restart: TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) { - if (strcmp(klp->kl_identifier, sp->ks_identifier) == 0) { + if (strncmp(klp->kl_identifier, sp->ks_identifier, + strlen(klp->kl_identifier) + 1) == 0) { /* found a match on the dangling listener list. add it to the * the active scope. */ @@ -307,7 +311,8 @@ kauth_listen_scope(const char *identifier, kauth_scope_callback_t callback, void */ KAUTH_SCOPELOCK(); TAILQ_FOREACH(sp, &kauth_scopes, ks_link) { - if (strcmp(sp->ks_identifier, identifier) == 0) { + if (strncmp(sp->ks_identifier, identifier, + strlen(sp->ks_identifier) + 1) == 0) { /* scope exists, add it to scope listener table */ if (kauth_add_callback_to_scope(sp, klp) == 0) { KAUTH_SCOPEUNLOCK(); @@ -382,6 +387,12 @@ kauth_unlisten_scope(kauth_listener_t listener) /* * Authorization requests. + * + * Returns: 0 Success + * EPERM Operation not permitted + * + * Imputed: *arg3, modified Callback return - depends on callback + * modification of *arg3, if any */ int kauth_authorize_action(kauth_scope_t scope, kauth_cred_t credential, kauth_action_t action, @@ -473,7 +484,7 @@ kauth_authorize_process_callback(kauth_cred_t credential, __unused void *idata, /* arg0 - process to signal * arg1 - signal to send the process */ - if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1)) + if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1, 0)) return(KAUTH_RESULT_ALLOW); break; case KAUTH_PROCESS_CANTRACE: @@ -604,7 +615,7 @@ kauth_authorize_generic_callback(kauth_cred_t credential, __unused void *idata, int kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) { - int applies, error, i; + int applies, error, i, gotguid; kauth_ace_t ace; guid_t guid; uint32_t rights; @@ -617,14 +628,17 @@ kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) } eval->ae_residual = eval->ae_requested; + eval->ae_found_deny = FALSE; /* * Get our guid for comparison purposes. */ if ((error = kauth_cred_getguid(cred, &guid)) != 0) { - eval->ae_result = KAUTH_RESULT_DENY; - KAUTH_DEBUG(" ACL - can't get credential GUID (%d), ACL denied", error); - return(error); + KAUTH_DEBUG(" ACL - can't get credential GUID (%d)", error); + error = 0; + gotguid = 0; + } else { + gotguid = 1; } KAUTH_DEBUG(" ACL - %d entries, initial residual %x", eval->ae_count, eval->ae_residual); @@ -662,12 +676,13 @@ kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) case KAUTH_ACE_DENY: if (!(eval->ae_requested & rights)) continue; + eval->ae_found_deny = TRUE; break; default: /* we don't recognise this ACE, skip it */ continue; } - + /* * Verify whether this entry applies to the credential. */ @@ -677,7 +692,10 @@ kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) applies = eval->ae_options & KAUTH_AEVAL_IS_OWNER; break; case KAUTH_WKG_GROUP: - applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP; + if (!gotguid || (eval->ae_options & KAUTH_AEVAL_IN_GROUP_UNKNOWN)) + applies = ((ace->ace_flags & KAUTH_ACE_KINDMASK) == KAUTH_ACE_DENY); + else + applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP; break; /* we short-circuit these here rather than wasting time calling the group membership code */ case KAUTH_WKG_EVERYBODY: @@ -689,12 +707,12 @@ kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) default: /* check to see whether it's exactly us, or a group we are a member of */ - applies = kauth_guid_equal(&guid, &ace->ace_applicable); + applies = !gotguid ? 0 : kauth_guid_equal(&guid, &ace->ace_applicable); KAUTH_DEBUG(" ACL - ACE applicable " K_UUID_FMT " caller " K_UUID_FMT " %smatched", K_UUID_ARG(ace->ace_applicable), K_UUID_ARG(guid), applies ? "" : "not "); if (!applies) { - error = kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies); + error = !gotguid ? ENOENT : kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies); /* * If we can't resolve group membership, we have to limit misbehaviour. * If the ACE is an 'allow' ACE, assume the cred is not a member (avoid @@ -771,24 +789,51 @@ kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int is kauth_acl_t inherit, result; /* - * Fetch the ACL from the directory. This should never fail. Note that we don't - * manage inheritance when the remote server is doing authorization; we just - * want to compose the umask-ACL and any initial ACL. + * Fetch the ACL from the directory. This should never fail. + * Note that we don't manage inheritance when the remote server is + * doing authorization, since this means server enforcement of + * inheritance semantics; we just want to compose the initial + * ACL and any inherited ACE entries from the container object. + * + * XXX TODO: wants a "umask ACL" from the process. */ inherit = NULL; - if ((dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) { + /* + * If there is no initial ACL, or there is, and the initial ACLs + * flags do not request "no inheritance", then we inherit. This allows + * initial object creation via open_extended() and mkdir_extended() + * to reject inheritance for themselves and for inferior nodes by + * specifying a non-NULL inital ACL which has the KAUTH_ACL_NO_INHERIT + * flag set in the flags field. + */ + if ((initial == NULL || !(initial->acl_flags & KAUTH_ACL_NO_INHERIT)) && + (dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) { VATTR_INIT(&dva); VATTR_WANTED(&dva, va_acl); if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) { KAUTH_DEBUG(" ERROR - could not get parent directory ACL for inheritance"); return(error); } - if (VATTR_IS_SUPPORTED(&dva, va_acl)) + if (VATTR_IS_SUPPORTED(&dva, va_acl)) { inherit = dva.va_acl; + /* + * If there is an ACL on the parent directory, then + * there are potentially inheritable ACE entries, but + * if the flags on the directory ACL say not to + * inherit, then we don't inherit. This allows for + * per directory rerooting of the inheritable ACL + * hierarchy. + */ + if (inherit != NULL && inherit->acl_flags & KAUTH_ACL_NO_INHERIT) { + kauth_acl_free(inherit); + inherit = NULL; + } + } } /* - * Compute the number of entries in the result ACL by scanning the input lists. + * Compute the number of entries in the result ACL by scanning the + * input lists. */ entries = 0; if (inherit != NULL) { @@ -799,16 +844,23 @@ kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int is } if (initial == NULL) { - /* XXX 3634665 TODO: fetch umask ACL from the process, set in initial */ + /* + * XXX 3634665 TODO: if the initial ACL is not specfied by + * XXX the caller, fetch the umask ACL from the process, + * and use it in place of "initial". + */ } if (initial != NULL) { - entries += initial->acl_entrycount; + if (initial->acl_entrycount != KAUTH_FILESEC_NOACL) + entries += initial->acl_entrycount; + else + initial = NULL; } /* * If there is no initial ACL, and no inheritable entries, the - * object should have no ACL at all. + * object should be created with no ACL at all. * Note that this differs from the case where the initial ACL * is empty, in which case the object must also have an empty ACL. */ @@ -822,32 +874,49 @@ kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int is * Allocate the result buffer. */ if ((result = kauth_acl_alloc(entries)) == NULL) { - KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL"); + KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL", entries); error = ENOMEM; goto out; } /* * Composition is simply: - * - initial - * - inherited + * - initial direct ACEs + * - inherited ACEs from new parent */ index = 0; if (initial != NULL) { - for (i = 0; i < initial->acl_entrycount; i++) - result->acl_ace[index++] = initial->acl_ace[i]; - KAUTH_DEBUG(" INHERIT - applied %d initial entries", index); + for (i = 0; i < initial->acl_entrycount; i++) { + if (!(initial->acl_ace[i].ace_flags & KAUTH_ACE_INHERITED)) { + result->acl_ace[index++] = initial->acl_ace[i]; + } + } + KAUTH_DEBUG(" INHERIT - applied %d of %d initial entries", index, initial->acl_entrycount); } if (inherit != NULL) { for (i = 0; i < inherit->acl_entrycount; i++) { - /* inherit onto this object? */ + /* + * Inherit onto this object? We inherit only if + * the target object is a container object and the + * KAUTH_ACE_DIRECTORY_INHERIT bit is set, OR if + * if the target object is not a container, and + * the KAUTH_ACE_FILE_INHERIT bit is set. + */ if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) { result->acl_ace[index] = inherit->acl_ace[i]; result->acl_ace[index].ace_flags |= KAUTH_ACE_INHERITED; - /* don't re-inherit? */ - if (result->acl_ace[index].ace_flags & KAUTH_ACE_LIMIT_INHERIT) + result->acl_ace[index].ace_flags &= ~KAUTH_ACE_ONLY_INHERIT; + /* + * We do not re-inherit inheritance flags + * if the ACE from the container has a + * KAUTH_ACE_LIMIT_INHERIT, OR if the new + * object is not itself a container (since + * inheritance is always container-based). + */ + if ((result->acl_ace[index].ace_flags & KAUTH_ACE_LIMIT_INHERIT) || !isdir) { result->acl_ace[index].ace_flags &= - ~(KAUTH_ACE_DIRECTORY_INHERIT | KAUTH_ACE_FILE_INHERIT | KAUTH_ACE_LIMIT_INHERIT); + ~(KAUTH_ACE_INHERIT_CONTROL_FLAGS); + } index++; } } @@ -911,7 +980,7 @@ kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp) * The upper bound must be less than KAUTH_ACL_MAX_ENTRIES. The * value here is fairly arbitrary. It's ok to have a zero count. */ - known_bound = xsecurity + sizeof(struct kauth_filesec); + known_bound = xsecurity + KAUTH_FILESEC_SIZE(0); uaddr = mach_vm_round_page(known_bound); count = (uaddr - known_bound) / sizeof(struct kauth_ace); if (count > 32) @@ -952,6 +1021,7 @@ out: kauth_filesec_free(fsec); } else { *xsecdestpp = fsec; + AUDIT_ARG(opaque, fsec, copysize); } return(error); }