X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/b0d623f7f2ae71ed96e60569f61f9a9a27016e80..a991bd8d3e7fe02dbca0644054bab73c5b75324a:/bsd/kern/kern_authorization.c diff --git a/bsd/kern/kern_authorization.c b/bsd/kern/kern_authorization.c index 263fc28b4..0181ee93d 100644 --- a/bsd/kern/kern_authorization.c +++ b/bsd/kern/kern_authorization.c @@ -1,8 +1,8 @@ /* - * Copyright (c) 2004-2007 Apple Inc. All rights reserved. + * Copyright (c) 2004-2016 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in @@ -11,10 +11,10 @@ * unlawful or unlicensed copies of an Apple operating system, or to * circumvent, violate, or enable the circumvention or violation of, any * terms of an Apple operating system software license agreement. - * + * * Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -22,7 +22,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ */ @@ -31,7 +31,7 @@ */ #include -#include /* XXX trim includes */ +#include /* XXX trim includes */ #include #include #include @@ -59,8 +59,8 @@ lck_grp_t *kauth_lck_grp; static lck_mtx_t *kauth_scope_mtx; -#define KAUTH_SCOPELOCK() lck_mtx_lock(kauth_scope_mtx); -#define KAUTH_SCOPEUNLOCK() lck_mtx_unlock(kauth_scope_mtx); +#define KAUTH_SCOPELOCK() lck_mtx_lock(kauth_scope_mtx); +#define KAUTH_SCOPEUNLOCK() lck_mtx_unlock(kauth_scope_mtx); /* * We support listeners for scopes that have not been registered yet. @@ -69,72 +69,72 @@ static lck_mtx_t *kauth_scope_mtx; * remove it from kauth_dangling_listeners and add it to the active scope. */ struct kauth_listener { - TAILQ_ENTRY(kauth_listener) kl_link; - const char * kl_identifier; - kauth_scope_callback_t kl_callback; - void * kl_idata; + TAILQ_ENTRY(kauth_listener) kl_link; + const char * kl_identifier; + kauth_scope_callback_t kl_callback; + void * kl_idata; }; /* XXX - kauth_todo - there is a race if a scope listener is removed while we * we are in the kauth_authorize_action code path. We intentionally do not take - * a scope lock in order to get the best possible performance. we will fix this - * post Tiger. - * Until the race is fixed our kext clients are responsible for all active + * a scope lock in order to get the best possible performance. we will fix this + * post Tiger. + * Until the race is fixed our kext clients are responsible for all active * requests that may be in their callback code or on the way to their callback * code before they free kauth_listener.kl_callback or kauth_listener.kl_idata. - * We keep copies of these in our kauth_local_listener in an attempt to limit - * our expose to unlisten race. + * We keep copies of these in our kauth_local_listener in an attempt to limit + * our expose to unlisten race. */ struct kauth_local_listener { - kauth_listener_t kll_listenerp; - kauth_scope_callback_t kll_callback; - void * kll_idata; + kauth_listener_t kll_listenerp; + kauth_scope_callback_t kll_callback; + void * kll_idata; }; typedef struct kauth_local_listener *kauth_local_listener_t; -static TAILQ_HEAD(,kauth_listener) kauth_dangling_listeners; +static TAILQ_HEAD(, kauth_listener) kauth_dangling_listeners; -/* +/* * Scope listeners need to be reworked to be dynamic. - * We intentionally used a static table to avoid locking issues with linked + * We intentionally used a static table to avoid locking issues with linked * lists. The listeners may be called quite often. * XXX - kauth_todo */ #define KAUTH_SCOPE_MAX_LISTENERS 15 struct kauth_scope { - TAILQ_ENTRY(kauth_scope) ks_link; + TAILQ_ENTRY(kauth_scope) ks_link; volatile struct kauth_local_listener ks_listeners[KAUTH_SCOPE_MAX_LISTENERS]; - const char * ks_identifier; - kauth_scope_callback_t ks_callback; - void * ks_idata; - u_int ks_flags; + const char * ks_identifier; + kauth_scope_callback_t ks_callback; + void * ks_idata; + u_int ks_flags; }; /* values for kauth_scope.ks_flags */ -#define KS_F_HAS_LISTENERS (1 << 0) +#define KS_F_HAS_LISTENERS (1 << 0) -static TAILQ_HEAD(,kauth_scope) kauth_scopes; +static TAILQ_HEAD(, kauth_scope) kauth_scopes; static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp); -static void kauth_scope_init(void) __attribute__((section("__TEXT, initcode"))); +static void kauth_scope_init(void); static kauth_scope_t kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata); static kauth_listener_t kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata); #if 0 -static int kauth_scope_valid(kauth_scope_t scope); +static int kauth_scope_valid(kauth_scope_t scope); #endif -kauth_scope_t kauth_scope_process; -static int kauth_authorize_process_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action, +kauth_scope_t kauth_scope_process; +static int kauth_authorize_process_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action, uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3); -kauth_scope_t kauth_scope_generic; -static int kauth_authorize_generic_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action, +kauth_scope_t kauth_scope_generic; +static int kauth_authorize_generic_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action, uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3); -kauth_scope_t kauth_scope_fileop; +kauth_scope_t kauth_scope_fileop; -extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int, int); -extern char * get_pathbuff(void); -extern void release_pathbuff(char *path); +extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int); +extern char * get_pathbuff(void); +extern void release_pathbuff(char *path); /* * Initialization. @@ -142,7 +142,7 @@ extern void release_pathbuff(char *path); void kauth_init(void) { - lck_grp_attr_t *grp_attributes; + lck_grp_attr_t *grp_attributes; TAILQ_INIT(&kauth_scopes); TAILQ_INIT(&kauth_dangling_listeners); @@ -154,11 +154,14 @@ kauth_init(void) /* bring up kauth subsystem components */ kauth_cred_init(); +#if CONFIG_EXT_RESOLVER kauth_identity_init(); kauth_groups_init(); +#endif kauth_scope_init(); +#if CONFIG_EXT_RESOLVER kauth_resolver_init(); - +#endif /* can't alloc locks after this */ lck_grp_free(kauth_lck_grp); kauth_lck_grp = NULL; @@ -180,20 +183,20 @@ kauth_scope_init(void) static kauth_scope_t kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata) { - kauth_scope_t sp; + kauth_scope_t sp; /* * Allocate and populate the scope structure. */ - MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK); - if (sp == NULL) - return(NULL); - bzero(&sp->ks_listeners, sizeof(sp->ks_listeners)); + MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK | M_ZERO); + if (sp == NULL) { + return NULL; + } sp->ks_flags = 0; sp->ks_identifier = identifier; sp->ks_idata = idata; sp->ks_callback = callback; - return(sp); + return sp; } static kauth_listener_t @@ -205,22 +208,24 @@ kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, vo * Allocate and populate the listener structure. */ MALLOC(lsp, kauth_listener_t, sizeof(*lsp), M_KAUTH, M_WAITOK); - if (lsp == NULL) - return(NULL); + if (lsp == NULL) { + return NULL; + } lsp->kl_identifier = identifier; lsp->kl_idata = idata; lsp->kl_callback = callback; - return(lsp); + return lsp; } kauth_scope_t kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, void *idata) { - kauth_scope_t sp, tsp; - kauth_listener_t klp; + kauth_scope_t sp, tsp; + kauth_listener_t klp; - if ((sp = kauth_alloc_scope(identifier, callback, idata)) == NULL) - return(NULL); + if ((sp = kauth_alloc_scope(identifier, callback, idata)) == NULL) { + return NULL; + } /* * Lock the list and insert. @@ -228,11 +233,11 @@ kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, vo KAUTH_SCOPELOCK(); TAILQ_FOREACH(tsp, &kauth_scopes, ks_link) { /* duplicate! */ - if (strncmp(tsp->ks_identifier, identifier, - strlen(tsp->ks_identifier) + 1) == 0) { + if (strncmp(tsp->ks_identifier, identifier, + strlen(tsp->ks_identifier) + 1) == 0) { KAUTH_SCOPEUNLOCK(); FREE(sp, M_KAUTH); - return(NULL); + return NULL; } } TAILQ_INSERT_TAIL(&kauth_scopes, sp, ks_link); @@ -246,14 +251,13 @@ kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, vo restart: TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) { if (strncmp(klp->kl_identifier, sp->ks_identifier, - strlen(klp->kl_identifier) + 1) == 0) { + strlen(klp->kl_identifier) + 1) == 0) { /* found a match on the dangling listener list. add it to the * the active scope. */ if (kauth_add_callback_to_scope(sp, klp) == 0) { TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link); - } - else { + } else { #if 0 printf("%s - failed to add listener to scope \"%s\" \n", __FUNCTION__, sp->ks_identifier); #endif @@ -264,7 +268,7 @@ restart: } KAUTH_SCOPEUNLOCK(); - return(sp); + return sp; } @@ -272,18 +276,18 @@ restart: void kauth_deregister_scope(kauth_scope_t scope) { - int i; + int i; KAUTH_SCOPELOCK(); TAILQ_REMOVE(&kauth_scopes, scope, ks_link); - + /* relocate listeners back to the waiting list */ for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) { if (scope->ks_listeners[i].kll_listenerp != NULL) { TAILQ_INSERT_TAIL(&kauth_dangling_listeners, scope->ks_listeners[i].kll_listenerp, kl_link); scope->ks_listeners[i].kll_listenerp = NULL; - /* + /* * XXX - kauth_todo - WARNING, do not clear kll_callback or * kll_idata here. they are part of our scope unlisten race hack */ @@ -291,7 +295,7 @@ kauth_deregister_scope(kauth_scope_t scope) } KAUTH_SCOPEUNLOCK(); FREE(scope, M_KAUTH); - + return; } @@ -299,10 +303,11 @@ kauth_listener_t kauth_listen_scope(const char *identifier, kauth_scope_callback_t callback, void *idata) { kauth_listener_t klp; - kauth_scope_t sp; + kauth_scope_t sp; - if ((klp = kauth_alloc_listener(identifier, callback, idata)) == NULL) - return(NULL); + if ((klp = kauth_alloc_listener(identifier, callback, idata)) == NULL) { + return NULL; + } /* * Lock the scope list and check to see whether this scope already exists. @@ -310,34 +315,34 @@ kauth_listen_scope(const char *identifier, kauth_scope_callback_t callback, void KAUTH_SCOPELOCK(); TAILQ_FOREACH(sp, &kauth_scopes, ks_link) { if (strncmp(sp->ks_identifier, identifier, - strlen(sp->ks_identifier) + 1) == 0) { + strlen(sp->ks_identifier) + 1) == 0) { /* scope exists, add it to scope listener table */ if (kauth_add_callback_to_scope(sp, klp) == 0) { KAUTH_SCOPEUNLOCK(); - return(klp); + return klp; } /* table already full */ KAUTH_SCOPEUNLOCK(); FREE(klp, M_KAUTH); - return(NULL); + return NULL; } } - + /* scope doesn't exist, put on waiting list. */ TAILQ_INSERT_TAIL(&kauth_dangling_listeners, klp, kl_link); KAUTH_SCOPEUNLOCK(); - return(klp); + return klp; } void kauth_unlisten_scope(kauth_listener_t listener) { - kauth_scope_t sp; - kauth_listener_t klp; - int i, listener_count, do_free; - + kauth_scope_t sp; + kauth_listener_t klp; + int i, listener_count, do_free; + KAUTH_SCOPELOCK(); /* search the active scope for this listener */ @@ -349,12 +354,11 @@ kauth_unlisten_scope(kauth_listener_t listener) if (sp->ks_listeners[i].kll_listenerp == listener) { sp->ks_listeners[i].kll_listenerp = NULL; do_free = 1; - /* + /* * XXX - kauth_todo - WARNING, do not clear kll_callback or * kll_idata here. they are part of our scope unlisten race hack */ - } - else if (sp->ks_listeners[i].kll_listenerp != NULL) { + } else if (sp->ks_listeners[i].kll_listenerp != NULL) { listener_count++; } } @@ -399,36 +403,39 @@ kauth_authorize_action(kauth_scope_t scope, kauth_cred_t credential, kauth_actio int result, ret, i; /* ask the scope */ - if (scope->ks_callback != NULL) + if (scope->ks_callback != NULL) { result = scope->ks_callback(credential, scope->ks_idata, action, arg0, arg1, arg2, arg3); - else + } else { result = KAUTH_RESULT_DEFER; + } /* check with listeners */ if ((scope->ks_flags & KS_F_HAS_LISTENERS) != 0) { for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) { - /* XXX - kauth_todo - there is a race here if listener is removed - we will fix this post Tiger. + /* XXX - kauth_todo - there is a race here if listener is removed - we will fix this post Tiger. * Until the race is fixed our kext clients are responsible for all active requests that may * be in their callbacks or on the way to their callbacks before they free kl_callback or kl_idata. - * We keep copies of these in our kauth_local_listener in an attempt to limit our expose to - * unlisten race. + * We keep copies of these in our kauth_local_listener in an attempt to limit our expose to + * unlisten race. */ - if (scope->ks_listeners[i].kll_listenerp == NULL || - scope->ks_listeners[i].kll_callback == NULL) + if (scope->ks_listeners[i].kll_listenerp == NULL || + scope->ks_listeners[i].kll_callback == NULL) { continue; + } ret = scope->ks_listeners[i].kll_callback( - credential, scope->ks_listeners[i].kll_idata, - action, arg0, arg1, arg2, arg3); + credential, scope->ks_listeners[i].kll_idata, + action, arg0, arg1, arg2, arg3); if ((ret == KAUTH_RESULT_DENY) || - (result == KAUTH_RESULT_DEFER)) + (result == KAUTH_RESULT_DEFER)) { result = ret; + } } } /* we need an explicit allow, or the auth fails */ - /* XXX need a mechanism for auth failure to be signalled vs. denial */ - return(result == KAUTH_RESULT_ALLOW ? 0 : EPERM); + /* XXX need a mechanism for auth failure to be signalled vs. denial */ + return result == KAUTH_RESULT_ALLOW ? 0 : EPERM; } /* @@ -436,10 +443,9 @@ kauth_authorize_action(kauth_scope_t scope, kauth_cred_t credential, kauth_actio */ int kauth_authorize_allow(__unused kauth_cred_t credential, __unused void *idata, __unused kauth_action_t action, - __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3) + __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3) { - - return(KAUTH_RESULT_ALLOW); + return KAUTH_RESULT_ALLOW; } #if 0 @@ -449,15 +455,16 @@ kauth_authorize_allow(__unused kauth_cred_t credential, __unused void *idata, __ static int kauth_scope_valid(kauth_scope_t scope) { - kauth_scope_t sp; + kauth_scope_t sp; KAUTH_SCOPELOCK(); TAILQ_FOREACH(sp, &kauth_scopes, ks_link) { - if (sp == scope) + if (sp == scope) { break; + } } KAUTH_SCOPEUNLOCK(); - return((sp == NULL) ? 0 : 1); + return (sp == NULL) ? 0 : 1; } #endif @@ -468,35 +475,37 @@ kauth_scope_valid(kauth_scope_t scope) int kauth_authorize_process(kauth_cred_t credential, kauth_action_t action, struct proc *process, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) { - return(kauth_authorize_action(kauth_scope_process, credential, action, (uintptr_t)process, arg1, arg2, arg3)); + return kauth_authorize_action(kauth_scope_process, credential, action, (uintptr_t)process, arg1, arg2, arg3); } static int kauth_authorize_process_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action, uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3) { - switch(action) { + switch (action) { case KAUTH_PROCESS_CANSIGNAL: panic("KAUTH_PROCESS_CANSIGNAL not implemented"); /* XXX credential wrong here */ /* arg0 - process to signal * arg1 - signal to send the process */ - if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1, 0)) - return(KAUTH_RESULT_ALLOW); + if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1)) { + return KAUTH_RESULT_ALLOW; + } break; case KAUTH_PROCESS_CANTRACE: - /* current_proc() - process that will do the tracing - * arg0 - process to be traced - * arg1 - pointer to int - reason (errno) for denial + /* current_proc() - process that will do the tracing + * arg0 - process to be traced + * arg1 - pointer to int - reason (errno) for denial */ - if (cantrace(current_proc(), credential, (proc_t)arg0, (int *)arg1)) - return(KAUTH_RESULT_ALLOW); + if (cantrace(current_proc(), credential, (proc_t)arg0, (int *)arg1)) { + return KAUTH_RESULT_ALLOW; + } break; } /* no explicit result, so defer to others in the chain */ - return(KAUTH_RESULT_DEFER); + return KAUTH_RESULT_DEFER; } /* @@ -510,6 +519,10 @@ kauth_authorize_process_callback(kauth_cred_t credential, __unused void *idata, * arg0 is pointer to vnode (vnode *) for file to be closed. * arg1 is pointer to path (char *) of file to be closed. * arg2 is close flags. + * arguments passed to KAUTH_FILEOP_WILL_RENAME listeners + * arg0 is pointer to vnode (vnode *) of the file being renamed + * arg1 is pointer to the "from" path (char *) + * arg2 is pointer to the "to" path (char *) * arguments passed to KAUTH_FILEOP_RENAME listeners * arg0 is pointer to "from" path (char *). * arg1 is pointer to "to" path (char *). @@ -529,46 +542,56 @@ kauth_authorize_fileop_has_listeners(void) * otherwize return 0 */ if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) != 0) { - return(1); + return 1; } - return (0); + return 0; } int kauth_authorize_fileop(kauth_cred_t credential, kauth_action_t action, uintptr_t arg0, uintptr_t arg1) { - char *namep = NULL; - int name_len; - uintptr_t arg2 = 0; - - /* we do not have a primary handler for the fileop scope so bail out if + char *namep = NULL; + int name_len; + uintptr_t arg2 = 0; + + /* we do not have a primary handler for the fileop scope so bail out if * there are no listeners. */ if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) == 0) { - return(0); + return 0; } - if (action == KAUTH_FILEOP_OPEN || action == KAUTH_FILEOP_CLOSE || action == KAUTH_FILEOP_EXEC) { + if (action == KAUTH_FILEOP_OPEN || + action == KAUTH_FILEOP_CLOSE || + action == KAUTH_FILEOP_EXEC || + action == KAUTH_FILEOP_WILL_RENAME) { /* get path to the given vnode as a convenience to our listeners. */ namep = get_pathbuff(); name_len = MAXPATHLEN; if (vn_getpath((vnode_t)arg0, namep, &name_len) != 0) { release_pathbuff(namep); - return(0); + return 0; } - if (action == KAUTH_FILEOP_CLOSE) { - arg2 = arg1; /* close has some flags that come in via arg1 */ + if (action == KAUTH_FILEOP_CLOSE || + action == KAUTH_FILEOP_WILL_RENAME) { + /* + * - Close has some flags that come in via arg1. + * - Will-rename wants to pass the vnode and + * both paths to the listeners ("to" path + * starts in arg1, moves to arg2). + */ + arg2 = arg1; } arg1 = (uintptr_t)namep; - } + } kauth_authorize_action(kauth_scope_fileop, credential, action, arg0, arg1, arg2, 0); - + if (namep != NULL) { release_pathbuff(namep); } - - return(0); + + return 0; } /* @@ -578,27 +601,26 @@ kauth_authorize_fileop(kauth_cred_t credential, kauth_action_t action, uintptr_t int kauth_authorize_generic(kauth_cred_t credential, kauth_action_t action) { - if (credential == NULL) + if (credential == NULL) { panic("auth against NULL credential"); + } - return(kauth_authorize_action(kauth_scope_generic, credential, action, 0, 0, 0, 0)); - + return kauth_authorize_action(kauth_scope_generic, credential, action, 0, 0, 0, 0); } static int kauth_authorize_generic_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action, - __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3) + __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3) { - switch(action) { + switch (action) { case KAUTH_GENERIC_ISSUSER: /* XXX == 0 ? */ - return((kauth_cred_getuid(credential) == 0) ? - KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY); - break; + return (kauth_cred_getuid(credential) == 0) ? + KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY; } /* no explicit result, so defer to others in the chain */ - return(KAUTH_RESULT_DEFER); + return KAUTH_RESULT_DEFER; } /* @@ -613,7 +635,7 @@ kauth_authorize_generic_callback(kauth_cred_t credential, __unused void *idata, int kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) { - int applies, error, i; + int applies, error, i, gotguid; kauth_ace_t ace; guid_t guid; uint32_t rights; @@ -622,7 +644,7 @@ kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) /* always allowed to do nothing */ if (eval->ae_requested == 0) { eval->ae_result = KAUTH_RESULT_ALLOW; - return(0); + return 0; } eval->ae_residual = eval->ae_requested; @@ -632,63 +654,75 @@ kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) * Get our guid for comparison purposes. */ if ((error = kauth_cred_getguid(cred, &guid)) != 0) { - eval->ae_result = KAUTH_RESULT_DENY; - KAUTH_DEBUG(" ACL - can't get credential GUID (%d), ACL denied", error); - return(error); + KAUTH_DEBUG(" ACL - can't get credential GUID (%d)", error); + error = 0; + gotguid = 0; + } else { + gotguid = 1; } KAUTH_DEBUG(" ACL - %d entries, initial residual %x", eval->ae_count, eval->ae_residual); for (i = 0, ace = eval->ae_acl; i < eval->ae_count; i++, ace++) { - /* * Skip inherit-only entries. */ - if (ace->ace_flags & KAUTH_ACE_ONLY_INHERIT) + if (ace->ace_flags & KAUTH_ACE_ONLY_INHERIT) { continue; + } /* * Expand generic rights, if appropriate. */ rights = ace->ace_rights; - if (rights & KAUTH_ACE_GENERIC_ALL) + if (rights & KAUTH_ACE_GENERIC_ALL) { rights |= eval->ae_exp_gall; - if (rights & KAUTH_ACE_GENERIC_READ) + } + if (rights & KAUTH_ACE_GENERIC_READ) { rights |= eval->ae_exp_gread; - if (rights & KAUTH_ACE_GENERIC_WRITE) + } + if (rights & KAUTH_ACE_GENERIC_WRITE) { rights |= eval->ae_exp_gwrite; - if (rights & KAUTH_ACE_GENERIC_EXECUTE) + } + if (rights & KAUTH_ACE_GENERIC_EXECUTE) { rights |= eval->ae_exp_gexec; + } /* * Determine whether this entry applies to the current request. This * saves us checking the GUID if the entry has nothing to do with what * we're currently doing. */ - switch(ace->ace_flags & KAUTH_ACE_KINDMASK) { + switch (ace->ace_flags & KAUTH_ACE_KINDMASK) { case KAUTH_ACE_PERMIT: - if (!(eval->ae_residual & rights)) + if (!(eval->ae_residual & rights)) { continue; + } break; case KAUTH_ACE_DENY: - if (!(eval->ae_requested & rights)) + if (!(eval->ae_requested & rights)) { continue; + } eval->ae_found_deny = TRUE; break; default: /* we don't recognise this ACE, skip it */ continue; } - + /* * Verify whether this entry applies to the credential. */ wkguid = kauth_wellknown_guid(&ace->ace_applicable); - switch(wkguid) { + switch (wkguid) { case KAUTH_WKG_OWNER: applies = eval->ae_options & KAUTH_AEVAL_IS_OWNER; break; case KAUTH_WKG_GROUP: - applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP; + if (!gotguid || (eval->ae_options & KAUTH_AEVAL_IN_GROUP_UNKNOWN)) { + applies = ((ace->ace_flags & KAUTH_ACE_KINDMASK) == KAUTH_ACE_DENY); + } else { + applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP; + } break; /* we short-circuit these here rather than wasting time calling the group membership code */ case KAUTH_WKG_EVERYBODY: @@ -700,12 +734,12 @@ kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) default: /* check to see whether it's exactly us, or a group we are a member of */ - applies = kauth_guid_equal(&guid, &ace->ace_applicable); + applies = !gotguid ? 0 : kauth_guid_equal(&guid, &ace->ace_applicable); KAUTH_DEBUG(" ACL - ACE applicable " K_UUID_FMT " caller " K_UUID_FMT " %smatched", K_UUID_ARG(ace->ace_applicable), K_UUID_ARG(guid), applies ? "" : "not "); - + if (!applies) { - error = kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies); + error = !gotguid ? ENOENT : kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies); /* * If we can't resolve group membership, we have to limit misbehaviour. * If the ACE is an 'allow' ACE, assume the cred is not a member (avoid @@ -714,7 +748,7 @@ kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) */ if (error != 0) { KAUTH_DEBUG(" ACL[%d] - can't get membership, making pessimistic assumption", i); - switch(ace->ace_flags & KAUTH_ACE_KINDMASK) { + switch (ace->ace_flags & KAUTH_ACE_KINDMASK) { case KAUTH_ACE_PERMIT: applies = 0; break; @@ -729,13 +763,14 @@ kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) KAUTH_DEBUG(" ACL - entry matches caller"); } } - if (!applies) + if (!applies) { continue; + } /* * Apply ACE to outstanding rights. */ - switch(ace->ace_flags & KAUTH_ACE_KINDMASK) { + switch (ace->ace_flags & KAUTH_ACE_KINDMASK) { case KAUTH_ACE_PERMIT: /* satisfy any rights that this ACE grants */ eval->ae_residual = eval->ae_residual & ~rights; @@ -743,7 +778,7 @@ kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) /* all rights satisfied? */ if (eval->ae_residual == 0) { eval->ae_result = KAUTH_RESULT_ALLOW; - return(0); + return 0; } break; case KAUTH_ACE_DENY: @@ -751,7 +786,7 @@ kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) if (eval->ae_requested & rights) { KAUTH_DEBUG(" ACL[%d] - denying based on %x", i, rights); eval->ae_result = KAUTH_RESULT_DENY; - return(0); + return 0; } break; default: @@ -761,7 +796,7 @@ kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) } /* if not permitted, defer to other modes of authorisation */ eval->ae_result = KAUTH_RESULT_DEFER; - return(0); + return 0; } /* @@ -776,7 +811,7 @@ kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) int kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int isdir, vfs_context_t ctx) { - int entries, error, index; + int entries, error, index; unsigned int i; struct vnode_attr dva; kauth_acl_t inherit, result; @@ -791,15 +826,25 @@ kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int is * XXX TODO: wants a "umask ACL" from the process. */ inherit = NULL; - if ((dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) { + /* + * If there is no initial ACL, or there is, and the initial ACLs + * flags do not request "no inheritance", then we inherit. This allows + * initial object creation via open_extended() and mkdir_extended() + * to reject inheritance for themselves and for inferior nodes by + * specifying a non-NULL inital ACL which has the KAUTH_ACL_NO_INHERIT + * flag set in the flags field. + */ + if ((initial == NULL || !(initial->acl_flags & KAUTH_ACL_NO_INHERIT)) && + (dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) { VATTR_INIT(&dva); VATTR_WANTED(&dva, va_acl); if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) { KAUTH_DEBUG(" ERROR - could not get parent directory ACL for inheritance"); - return(error); + return error; } - if (VATTR_IS_SUPPORTED(&dva, va_acl)) + if (VATTR_IS_SUPPORTED(&dva, va_acl)) { inherit = dva.va_acl; + } } /* @@ -809,8 +854,9 @@ kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int is entries = 0; if (inherit != NULL) { for (i = 0; i < inherit->acl_entrycount; i++) { - if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) + if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) { entries++; + } } } @@ -823,10 +869,11 @@ kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int is } if (initial != NULL) { - if (initial->acl_entrycount != KAUTH_FILESEC_NOACL) + if (initial->acl_entrycount != KAUTH_FILESEC_NOACL) { entries += initial->acl_entrycount; - else + } else { initial = NULL; + } } /* @@ -840,7 +887,7 @@ kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int is error = 0; goto out; } - + /* * Allocate the result buffer. */ @@ -852,14 +899,17 @@ kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int is /* * Composition is simply: - * - initial - * - inherited + * - initial direct ACEs + * - inherited ACEs from new parent */ index = 0; if (initial != NULL) { - for (i = 0; i < initial->acl_entrycount; i++) - result->acl_ace[index++] = initial->acl_ace[i]; - KAUTH_DEBUG(" INHERIT - applied %d initial entries", index); + for (i = 0; i < initial->acl_entrycount; i++) { + if (!(initial->acl_ace[i].ace_flags & KAUTH_ACE_INHERITED)) { + result->acl_ace[index++] = initial->acl_ace[i]; + } + } + KAUTH_DEBUG(" INHERIT - applied %d of %d initial entries", index, initial->acl_entrycount); } if (inherit != NULL) { for (i = 0; i < inherit->acl_entrycount; i++) { @@ -894,9 +944,10 @@ kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int is KAUTH_DEBUG(" INHERIT - product ACL has %d entries", index); error = 0; out: - if (inherit != NULL) + if (inherit != NULL) { kauth_acl_free(inherit); - return(error); + } + return error; } /* @@ -930,12 +981,11 @@ out: int kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp) { - user_addr_t uaddr, known_bound; int error; kauth_filesec_t fsec; - u_int32_t count; + size_t count; size_t copysize; - + error = 0; fsec = NULL; @@ -947,20 +997,30 @@ kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp) * * The upper bound must be less than KAUTH_ACL_MAX_ENTRIES. The * value here is fairly arbitrary. It's ok to have a zero count. + * + * Because we're just using these values to make a guess about the + * number of entries, the actual address doesn't matter, only their + * relative offsets into the page. We take advantage of this to + * avoid an overflow in the rounding step (this is a user-provided + * parameter, so caution pays off). */ - known_bound = xsecurity + KAUTH_FILESEC_SIZE(0); - uaddr = mach_vm_round_page(known_bound); - count = (uaddr - known_bound) / sizeof(struct kauth_ace); - if (count > 32) + { + user_addr_t known_bound = (xsecurity & PAGE_MASK) + KAUTH_FILESEC_SIZE(0); + user_addr_t uaddr = (user_addr_t)mach_vm_round_page(known_bound); + count = (uaddr - known_bound) / sizeof(struct kauth_ace); + } + if (count > 32) { count = 32; + } restart: - if ((fsec = kauth_filesec_alloc(count)) == NULL) { + if ((fsec = kauth_filesec_alloc((int)count)) == NULL) { error = ENOMEM; goto out; } copysize = KAUTH_FILESEC_SIZE(count); - if ((error = copyin(xsecurity, (caddr_t)fsec, copysize)) != 0) + if ((error = copyin(xsecurity, (caddr_t)fsec, copysize)) != 0) { goto out; + } /* validate the filesec header */ if (fsec->fsec_magic != KAUTH_FILESEC_MAGIC) { @@ -982,16 +1042,17 @@ restart: kauth_filesec_free(fsec); goto restart; } - + out: if (error) { - if (fsec) + if (fsec) { kauth_filesec_free(fsec); + } } else { *xsecdestpp = fsec; AUDIT_ARG(opaque, fsec, copysize); } - return(error); + return error; } /* @@ -1016,11 +1077,12 @@ out: kauth_filesec_t kauth_filesec_alloc(int count) { - kauth_filesec_t fsp; - + kauth_filesec_t fsp; + /* if the caller hasn't given us a valid size hint, assume the worst */ - if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES)) - return(NULL); + if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES)) { + return NULL; + } MALLOC(fsp, kauth_filesec_t, KAUTH_FILESEC_SIZE(count), M_KAUTH, M_WAITOK); if (fsp != NULL) { @@ -1030,8 +1092,8 @@ kauth_filesec_alloc(int count) fsp->fsec_entrycount = KAUTH_FILESEC_NOACL; fsp->fsec_flags = 0; } - return(fsp); -} + return fsp; +} /* * Free a kauth_filesec_t that was previous allocated, either by a direct @@ -1049,16 +1111,18 @@ void kauth_filesec_free(kauth_filesec_t fsp) { #ifdef KAUTH_DEBUG_ENABLE - if (fsp == KAUTH_FILESEC_NONE) + if (fsp == KAUTH_FILESEC_NONE) { panic("freeing KAUTH_FILESEC_NONE"); - if (fsp == KAUTH_FILESEC_WANTED) + } + if (fsp == KAUTH_FILESEC_WANTED) { panic("freeing KAUTH_FILESEC_WANTED"); + } #endif FREE(fsp, M_KAUTH); } /* - * Set the endianness of a filesec and an ACL; if 'acl' is NULL, use the + * Set the endianness of a filesec and an ACL; if 'acl' is NULL, use the * ACL interior to 'fsec' instead. If the endianness doesn't change, then * this function will have no effect. * @@ -1076,17 +1140,19 @@ kauth_filesec_free(kauth_filesec_t fsp) void kauth_filesec_acl_setendian(int kendian, kauth_filesec_t fsec, kauth_acl_t acl) { - uint32_t compare_magic = KAUTH_FILESEC_MAGIC; - uint32_t invert_magic = ntohl(KAUTH_FILESEC_MAGIC); - uint32_t compare_acl_entrycount; - uint32_t i; + uint32_t compare_magic = KAUTH_FILESEC_MAGIC; + uint32_t invert_magic = ntohl(KAUTH_FILESEC_MAGIC); + uint32_t compare_acl_entrycount; + uint32_t i; - if (compare_magic == invert_magic) + if (compare_magic == invert_magic) { return; + } /* If no ACL, use ACL interior to 'fsec' instead */ - if (acl == NULL) + if (acl == NULL) { acl = &fsec->fsec_acl; + } compare_acl_entrycount = acl->acl_entrycount; @@ -1095,21 +1161,23 @@ kauth_filesec_acl_setendian(int kendian, kauth_filesec_t fsec, kauth_acl_t acl) * are valid. The following switch and tests effectively reject * conversions on invalid magic numbers as a desirable side effect. */ - switch(kendian) { - case KAUTH_ENDIAN_HOST: /* not in host, convert to host */ - if (fsec->fsec_magic != invert_magic) + switch (kendian) { + case KAUTH_ENDIAN_HOST: /* not in host, convert to host */ + if (fsec->fsec_magic != invert_magic) { return; + } /* acl_entrycount is byteswapped */ compare_acl_entrycount = ntohl(acl->acl_entrycount); break; - case KAUTH_ENDIAN_DISK: /* not in disk, convert to disk */ - if (fsec->fsec_magic != compare_magic) + case KAUTH_ENDIAN_DISK: /* not in disk, convert to disk */ + if (fsec->fsec_magic != compare_magic) { return; + } break; - default: /* bad argument */ + default: /* bad argument */ return; } - + /* We are go for conversion */ fsec->fsec_magic = ntohl(fsec->fsec_magic); acl->acl_entrycount = ntohl(acl->acl_entrycount); @@ -1122,7 +1190,7 @@ kauth_filesec_acl_setendian(int kendian, kauth_filesec_t fsec, kauth_acl_t acl) acl->acl_ace[i].ace_rights = ntohl(acl->acl_ace[i].ace_rights); } } - } +} /* @@ -1131,33 +1199,39 @@ kauth_filesec_acl_setendian(int kendian, kauth_filesec_t fsec, kauth_acl_t acl) kauth_acl_t kauth_acl_alloc(int count) { - kauth_acl_t aclp; - + kauth_acl_t aclp; + /* if the caller hasn't given us a valid size hint, assume the worst */ - if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES)) - return(NULL); + if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES)) { + return NULL; + } MALLOC(aclp, kauth_acl_t, KAUTH_ACL_SIZE(count), M_KAUTH, M_WAITOK); if (aclp != NULL) { aclp->acl_entrycount = 0; aclp->acl_flags = 0; } - return(aclp); -} + return aclp; +} void kauth_acl_free(kauth_acl_t aclp) { - FREE(aclp, M_KAUTH); + /* + * It's possible this may have have been allocated in a kext using + * MALLOC. Using KHEAP_ANY will allow us to free it here. + */ + kheap_free_addr(KHEAP_ANY, aclp); } /* * WARNING - caller must hold KAUTH_SCOPELOCK */ -static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp) +static int +kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp) { - int i; + int i; for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) { if (sp->ks_listeners[i].kll_listenerp == NULL) { @@ -1165,8 +1239,8 @@ static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp) sp->ks_listeners[i].kll_idata = klp->kl_idata; sp->ks_listeners[i].kll_listenerp = klp; sp->ks_flags |= KS_F_HAS_LISTENERS; - return(0); + return 0; } } - return(ENOSPC); + return ENOSPC; }