X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/fe8ab488e9161c46dd9885d58fc52996dc0249ff..5ba3f43ea354af8ad55bea84372a2bc834d8757c:/security/mac_base.c diff --git a/security/mac_base.c b/security/mac_base.c index c88c7e14a..ec5955df8 100644 --- a/security/mac_base.c +++ b/security/mac_base.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007-2012 Apple Inc. All rights reserved. + * Copyright (c) 2007-2016 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * @@ -105,6 +105,9 @@ #include #endif +#if CONFIG_EMBEDDED +#include +#endif /* * define MB_DEBUG to display run-time debugging information @@ -124,12 +127,6 @@ SYSCTL_NODE(, OID_AUTO, security, CTLFLAG_RW|CTLFLAG_LOCKED, 0, SYSCTL_NODE(_security, OID_AUTO, mac, CTLFLAG_RW|CTLFLAG_LOCKED, 0, "TrustedBSD MAC policy controls"); -#if DEBUG -#define SECURITY_MAC_CTLFLAGS CTLFLAG_RW | CTLFLAG_LOCKED -#else -#define SECURITY_MAC_CTLFLAGS CTLFLAG_RD | CTLFLAG_LOCKED -#endif - /* * Declare that the kernel provides MAC support, version 1. This permits * modules to refuse to be loaded if the necessary support isn't present, @@ -188,17 +185,6 @@ unsigned int mac_label_vnodes = 0; SYSCTL_UINT(_security_mac, OID_AUTO, labelvnodes, SECURITY_MAC_CTLFLAGS, &mac_label_vnodes, 0, "Label all vnodes"); - -unsigned int mac_mmap_revocation = 0; -SYSCTL_UINT(_security_mac, OID_AUTO, mmap_revocation, SECURITY_MAC_CTLFLAGS, - &mac_mmap_revocation, 0, "Revoke mmap access to files on subject " - "relabel"); - -unsigned int mac_mmap_revocation_via_cow = 0; -SYSCTL_UINT(_security_mac, OID_AUTO, mmap_revocation_via_cow, SECURITY_MAC_CTLFLAGS, - &mac_mmap_revocation_via_cow, 0, "Revoke mmap access to files via " - "copy-on-write semantics, or by removing all write access"); - unsigned int mac_device_enforce = 1; SYSCTL_UINT(_security_mac, OID_AUTO, device_enforce, SECURITY_MAC_CTLFLAGS, &mac_device_enforce, 0, "Enforce MAC policy on device operations"); @@ -282,7 +268,12 @@ static lck_mtx_t *mac_policy_mtx; static int mac_policy_busy; +#if CONFIG_EMBEDDED +SECURITY_READ_ONLY_LATE(mac_policy_list_t) mac_policy_list; +SECURITY_READ_ONLY_LATE(static struct mac_policy_list_element) mac_policy_static_entries[MAC_POLICY_LIST_CHUNKSIZE]; +#else mac_policy_list_t mac_policy_list; +#endif /* * mac_label_element_list holds the master list of label namespaces for @@ -369,7 +360,12 @@ mac_policy_init(void) mac_policy_list.freehint = 0; mac_policy_list.chunks = 1; +#if CONFIG_EMBEDDED + mac_policy_list.entries = mac_policy_static_entries; +#else mac_policy_list.entries = kalloc(sizeof(struct mac_policy_list_element) * MAC_POLICY_LIST_CHUNKSIZE); +#endif + bzero(mac_policy_list.entries, sizeof(struct mac_policy_list_element) * MAC_POLICY_LIST_CHUNKSIZE); LIST_INIT(&mac_label_element_list); @@ -645,7 +641,9 @@ int mac_policy_register(struct mac_policy_conf *mpc, mac_policy_handle_t *handlep, void *xd) { +#if !CONFIG_EMBEDDED struct mac_policy_list_element *tmac_policy_list_element; +#endif int error, slot, static_entry = 0; u_int i; @@ -677,6 +675,7 @@ mac_policy_register(struct mac_policy_conf *mpc, mac_policy_handle_t *handlep, } if (mac_policy_list.numloaded >= mac_policy_list.max) { +#if !CONFIG_EMBEDDED /* allocate new policy list array, zero new chunk */ tmac_policy_list_element = kalloc((sizeof(struct mac_policy_list_element) * @@ -700,6 +699,10 @@ mac_policy_register(struct mac_policy_conf *mpc, mac_policy_handle_t *handlep, /* Update maximums, etc */ mac_policy_list.max += MAC_POLICY_LIST_CHUNKSIZE; mac_policy_list.chunks++; +#else + printf("out of space in mac_policy_list.\n"); + return (ENOMEM); +#endif /* CONFIG_EMBEDDED */ } /* Check for policy with same name already loaded */ @@ -975,8 +978,8 @@ element_loop: mpc = mac_policy_list.entries[mll->mll_handle].mpc; if (mpc == NULL) continue; - mpo_externalize = *(typeof(mpo_externalize) *) - ((char *)mpc->mpc_ops + mpo_externalize_off); + mpo_externalize = *(const typeof(mpo_externalize) *) + ((const char *)mpc->mpc_ops + mpo_externalize_off); if (mpo_externalize == NULL) continue; error = sbuf_printf(sb, "%s/", name); @@ -1104,8 +1107,8 @@ element_loop: mpc = mac_policy_list.entries[mll->mll_handle].mpc; if (mpc == NULL) continue; - mpo_internalize = *(typeof(mpo_internalize) *) - ((char *)mpc->mpc_ops + mpo_internalize_off); + mpo_internalize = *(const typeof(mpo_internalize) *) + ((const char *)mpc->mpc_ops + mpo_internalize_off); if (mpo_internalize == NULL) continue; error = mpo_internalize(label, element_name, @@ -1311,231 +1314,6 @@ out: return (error); } -#if CONFIG_LCTX -/* - * __mac_get_lcid: - * Get login context ID. A login context associates a BSD process - * with an instance of a user. For more information see getlcid(2) man page. - * - * Parameters: p Process requesting the get - * uap User argument descriptor (see below) - * ret (ignored) - * - * Indirect: uap->lcid login context ID to search - * uap->mac_p.m_buflen MAC info buffer size - * uap->mac_p.m_string MAC info user address - * - * Returns: 0 Success - * !0 Not success - */ -int -__mac_get_lcid(proc_t p, struct __mac_get_lcid_args *uap, int *ret __unused) -{ - char *elements, *buffer; - struct user_mac mac; - struct lctx *l; - int error; - size_t ulen; - - AUDIT_ARG(value32, uap->lcid); - if (IS_64BIT_PROCESS(p)) { - struct user64_mac mac64; - error = copyin(uap->mac_p, &mac64, sizeof(mac64)); - mac.m_buflen = mac64.m_buflen; - mac.m_string = mac64.m_string; - } else { - struct user32_mac mac32; - error = copyin(uap->mac_p, &mac32, sizeof(mac32)); - mac.m_buflen = mac32.m_buflen; - mac.m_string = mac32.m_string; - } - - if (error) - return (error); - - error = mac_check_structmac_consistent(&mac); - if (error) - return (error); - - l = lcfind(uap->lcid); - if (l == NULL) - return (ESRCH); - - MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK); - error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen); - if (error) { - LCTX_UNLOCK(l); - FREE(elements, M_MACTEMP); - return (error); - } - AUDIT_ARG(mac_string, elements); - MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK); - error = mac_lctx_label_externalize(l->lc_label, elements, - buffer, mac.m_buflen); - if (error == 0) - error = copyout(buffer, mac.m_string, strlen(buffer)+1); - - LCTX_UNLOCK(l); - FREE(buffer, M_MACTEMP); - FREE(elements, M_MACTEMP); - return (error); -} - -/* - * __mac_get_lctx: - * Get login context label. A login context associates a BSD process - * associated with an instance of a user. - * - * Parameters: p Process requesting the get - * uap User argument descriptor (see below) - * ret (ignored) - * - * Indirect: uap->lcid login context ID to search - * uap->mac_p MAC info - * - * Returns: 0 Success - * !0 Not success - * - */ -int -__mac_get_lctx(proc_t p, struct __mac_get_lctx_args *uap, int *ret __unused) -{ - char *elements, *buffer; - struct user_mac mac; - int error; - size_t ulen; - - if (IS_64BIT_PROCESS(p)) { - struct user64_mac mac64; - error = copyin(uap->mac_p, &mac64, sizeof(mac64)); - mac.m_buflen = mac64.m_buflen; - mac.m_string = mac64.m_string; - } else { - struct user32_mac mac32; - error = copyin(uap->mac_p, &mac32, sizeof(mac32)); - mac.m_buflen = mac32.m_buflen; - mac.m_string = mac32.m_string; - } - - if (error) - return (error); - - error = mac_check_structmac_consistent(&mac); - if (error) - return (error); - - MALLOC(elements, char *, mac.m_buflen, M_MACTEMP, M_WAITOK); - error = copyinstr(mac.m_string, elements, mac.m_buflen, &ulen); - if (error) { - FREE(elements, M_MACTEMP); - return (error); - } - AUDIT_ARG(mac_string, elements); - MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK); - - proc_lock(p); - if (p->p_lctx == NULL) { - proc_unlock(p); - error = ENOENT; - goto out; - } - - error = mac_lctx_label_externalize(p->p_lctx->lc_label, - elements, buffer, mac.m_buflen); - proc_unlock(p); - if (error == 0) - error = copyout(buffer, mac.m_string, strlen(buffer)+1); - -out: - FREE(buffer, M_MACTEMP); - FREE(elements, M_MACTEMP); - return (error); -} - -int -__mac_set_lctx(proc_t p, struct __mac_set_lctx_args *uap, int *ret __unused) -{ - struct user_mac mac; - struct label *intlabel; - char *buffer; - int error; - size_t ulen; - - if (IS_64BIT_PROCESS(p)) { - struct user64_mac mac64; - error = copyin(uap->mac_p, &mac64, sizeof(mac64)); - mac.m_buflen = mac64.m_buflen; - mac.m_string = mac64.m_string; - } else { - struct user32_mac mac32; - error = copyin(uap->mac_p, &mac32, sizeof(mac32)); - mac.m_buflen = mac32.m_buflen; - mac.m_string = mac32.m_string; - } - if (error) - return (error); - - error = mac_check_structmac_consistent(&mac); - if (error) - return (error); - - MALLOC(buffer, char *, mac.m_buflen, M_MACTEMP, M_WAITOK); - error = copyinstr(mac.m_string, buffer, mac.m_buflen, &ulen); - if (error) { - FREE(buffer, M_MACTEMP); - return (error); - } - AUDIT_ARG(mac_string, buffer); - - intlabel = mac_lctx_label_alloc(); - error = mac_lctx_label_internalize(intlabel, buffer); - FREE(buffer, M_MACTEMP); - if (error) - goto out; - - proc_lock(p); - if (p->p_lctx == NULL) { - proc_unlock(p); - error = ENOENT; - goto out; - } - - error = mac_lctx_check_label_update(p->p_lctx, intlabel); - if (error) { - proc_unlock(p); - goto out; - } - mac_lctx_label_update(p->p_lctx, intlabel); - proc_unlock(p); -out: - mac_lctx_label_free(intlabel); - return (error); -} - -#else /* LCTX */ - -int -__mac_get_lcid(proc_t p __unused, struct __mac_get_lcid_args *uap __unused, int *ret __unused) -{ - - return (ENOSYS); -} - -int -__mac_get_lctx(proc_t p __unused, struct __mac_get_lctx_args *uap __unused, int *ret __unused) -{ - - return (ENOSYS); -} - -int -__mac_set_lctx(proc_t p __unused, struct __mac_set_lctx_args *uap __unused, int *ret __unused) -{ - - return (ENOSYS); -} -#endif /* !LCTX */ - int __mac_get_fd(proc_t p, struct __mac_get_fd_args *uap, int *ret __unused) { @@ -1632,6 +1410,8 @@ __mac_get_fd(proc_t p, struct __mac_get_fd_args *uap, int *ret __unused) case DTYPE_PIPE: case DTYPE_KQUEUE: case DTYPE_FSEVENTS: + case DTYPE_ATALK: + case DTYPE_NETPOLICY: default: error = ENOSYS; // only sockets/vnodes so far break; @@ -1838,6 +1618,8 @@ __mac_set_fd(proc_t p, struct __mac_set_fd_args *uap, int *ret __unused) case DTYPE_PIPE: case DTYPE_KQUEUE: case DTYPE_FSEVENTS: + case DTYPE_ATALK: + case DTYPE_NETPOLICY: default: error = ENOSYS; // only sockets/vnodes so far break; @@ -1852,7 +1634,7 @@ static int mac_set_filelink(proc_t p, user_addr_t mac_p, user_addr_t path_p, int follow) { - register struct vnode *vp; + struct vnode *vp; struct vfs_context *ctx = vfs_context_current(); struct label *intlabel; struct nameidata nd; @@ -2187,28 +1969,34 @@ mac_vnop_removexattr(struct vnode *vp __unused, const char *name __unused) return (ENOENT); } -intptr_t mac_label_get(struct label *l __unused, int slot __unused) +int +mac_file_setxattr(struct fileglob *fg __unused, const char *name __unused, char *buf __unused, size_t len __unused) { - return 0; + + return (ENOENT); } -void mac_label_set(struct label *l __unused, int slot __unused, intptr_t v __unused) +int +mac_file_getxattr(struct fileglob *fg __unused, const char *name __unused, + char *buf __unused, size_t len __unused, size_t *attrlen __unused) { - return; + + return (ENOENT); } -struct label *mac_thread_get_threadlabel(struct thread *thread __unused) +int +mac_file_removexattr(struct fileglob *fg __unused, const char *name __unused) { - return NULL; + + return (ENOENT); } -struct label *mac_thread_get_uthreadlabel(struct uthread *uthread __unused) +intptr_t mac_label_get(struct label *l __unused, int slot __unused) { - return NULL; + return 0; } -void mac_proc_set_enforce(proc_t p, int enforce_flags); -void mac_proc_set_enforce(proc_t p __unused, int enforce_flags __unused) +void mac_label_set(struct label *l __unused, int slot __unused, intptr_t v __unused) { return; } @@ -2219,4 +2007,23 @@ int mac_iokit_check_hid_control(kauth_cred_t cred __unused) return 0; } + +int mac_iokit_check_nvram_delete(kauth_cred_t cred __unused, const char *name __unused); +int mac_iokit_check_nvram_delete(kauth_cred_t cred __unused, const char *name __unused) +{ + return 0; +} + +int mac_iokit_check_nvram_get(kauth_cred_t cred __unused, const char *name __unused); +int mac_iokit_check_nvram_get(kauth_cred_t cred __unused, const char *name __unused) +{ + return 0; +} + +int mac_iokit_check_nvram_set(kauth_cred_t cred __unused, const char *name __unused, io_object_t value __unused); +int mac_iokit_check_nvram_set(kauth_cred_t cred __unused, const char *name __unused, io_object_t value __unused) +{ + return 0; +} + #endif /* !MAC */