| 1 | /* |
|---|---|
| 2 | * Copyright (c) 2004-2016 Apple Inc. All rights reserved. |
| 3 | * |
| 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
| 5 | * |
| 6 | * This file contains Original Code and/or Modifications of Original Code |
| 7 | * as defined in and that are subject to the Apple Public Source License |
| 8 | * Version 2.0 (the 'License'). You may not use this file except in |
| 9 | * compliance with the License. The rights granted to you under the License |
| 10 | * may not be used to create, or enable the creation or redistribution of, |
| 11 | * unlawful or unlicensed copies of an Apple operating system, or to |
| 12 | * circumvent, violate, or enable the circumvention or violation of, any |
| 13 | * terms of an Apple operating system software license agreement. |
| 14 | * |
| 15 | * Please obtain a copy of the License at |
| 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
| 17 | * |
| 18 | * The Original Code and all software distributed under the License are |
| 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
| 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
| 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
| 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
| 23 | * Please see the License for the specific language governing rights and |
| 24 | * limitations under the License. |
| 25 | * |
| 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
| 27 | */ |
| 28 | |
| 29 | /* |
| 30 | * Centralized authorisation framework. |
| 31 | */ |
| 32 | |
| 33 | #include <sys/appleapiopts.h> |
| 34 | #include <sys/param.h> /* XXX trim includes */ |
| 35 | #include <sys/acct.h> |
| 36 | #include <sys/systm.h> |
| 37 | #include <sys/ucred.h> |
| 38 | #include <sys/proc_internal.h> |
| 39 | #include <sys/timeb.h> |
| 40 | #include <sys/times.h> |
| 41 | #include <sys/malloc.h> |
| 42 | #include <sys/vnode_internal.h> |
| 43 | #include <sys/kauth.h> |
| 44 | #include <sys/stat.h> |
| 45 | |
| 46 | #include <security/audit/audit.h> |
| 47 | |
| 48 | #include <sys/mount.h> |
| 49 | #include <sys/sysproto.h> |
| 50 | #include <mach/message.h> |
| 51 | #include <mach/host_security.h> |
| 52 | |
| 53 | #include <kern/locks.h> |
| 54 | |
| 55 | |
| 56 | /* |
| 57 | * Authorization scopes. |
| 58 | */ |
| 59 | |
| 60 | lck_grp_t *kauth_lck_grp; |
| 61 | static lck_mtx_t *kauth_scope_mtx; |
| 62 | #define KAUTH_SCOPELOCK() lck_mtx_lock(kauth_scope_mtx); |
| 63 | #define KAUTH_SCOPEUNLOCK() lck_mtx_unlock(kauth_scope_mtx); |
| 64 | |
| 65 | /* |
| 66 | * We support listeners for scopes that have not been registered yet. |
| 67 | * If a listener comes in for a scope that is not active we hang the listener |
| 68 | * off our kauth_dangling_listeners list and once the scope becomes active we |
| 69 | * remove it from kauth_dangling_listeners and add it to the active scope. |
| 70 | */ |
| 71 | struct kauth_listener { |
| 72 | TAILQ_ENTRY(kauth_listener) kl_link; |
| 73 | const char * kl_identifier; |
| 74 | kauth_scope_callback_t kl_callback; |
| 75 | void * kl_idata; |
| 76 | }; |
| 77 | |
| 78 | /* XXX - kauth_todo - there is a race if a scope listener is removed while we |
| 79 | * we are in the kauth_authorize_action code path. We intentionally do not take |
| 80 | * a scope lock in order to get the best possible performance. we will fix this |
| 81 | * post Tiger. |
| 82 | * Until the race is fixed our kext clients are responsible for all active |
| 83 | * requests that may be in their callback code or on the way to their callback |
| 84 | * code before they free kauth_listener.kl_callback or kauth_listener.kl_idata. |
| 85 | * We keep copies of these in our kauth_local_listener in an attempt to limit |
| 86 | * our expose to unlisten race. |
| 87 | */ |
| 88 | struct kauth_local_listener { |
| 89 | kauth_listener_t kll_listenerp; |
| 90 | kauth_scope_callback_t kll_callback; |
| 91 | void * kll_idata; |
| 92 | }; |
| 93 | typedef struct kauth_local_listener *kauth_local_listener_t; |
| 94 | |
| 95 | static TAILQ_HEAD(,kauth_listener) kauth_dangling_listeners; |
| 96 | |
| 97 | /* |
| 98 | * Scope listeners need to be reworked to be dynamic. |
| 99 | * We intentionally used a static table to avoid locking issues with linked |
| 100 | * lists. The listeners may be called quite often. |
| 101 | * XXX - kauth_todo |
| 102 | */ |
| 103 | #define KAUTH_SCOPE_MAX_LISTENERS 15 |
| 104 | |
| 105 | struct kauth_scope { |
| 106 | TAILQ_ENTRY(kauth_scope) ks_link; |
| 107 | volatile struct kauth_local_listener ks_listeners[KAUTH_SCOPE_MAX_LISTENERS]; |
| 108 | const char * ks_identifier; |
| 109 | kauth_scope_callback_t ks_callback; |
| 110 | void * ks_idata; |
| 111 | u_int ks_flags; |
| 112 | }; |
| 113 | |
| 114 | /* values for kauth_scope.ks_flags */ |
| 115 | #define KS_F_HAS_LISTENERS (1 << 0) |
| 116 | |
| 117 | static TAILQ_HEAD(,kauth_scope) kauth_scopes; |
| 118 | |
| 119 | static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp); |
| 120 | static void kauth_scope_init(void); |
| 121 | static kauth_scope_t kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata); |
| 122 | static kauth_listener_t kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata); |
| 123 | #if 0 |
| 124 | static int kauth_scope_valid(kauth_scope_t scope); |
| 125 | #endif |
| 126 | |
| 127 | kauth_scope_t kauth_scope_process; |
| 128 | static int kauth_authorize_process_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action, |
| 129 | uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3); |
| 130 | kauth_scope_t kauth_scope_generic; |
| 131 | static int kauth_authorize_generic_callback(kauth_cred_t _credential, void *_idata, kauth_action_t _action, |
| 132 | uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3); |
| 133 | kauth_scope_t kauth_scope_fileop; |
| 134 | |
| 135 | extern int cansignal(struct proc *, kauth_cred_t, struct proc *, int); |
| 136 | extern char * get_pathbuff(void); |
| 137 | extern void release_pathbuff(char *path); |
| 138 | |
| 139 | /* |
| 140 | * Initialization. |
| 141 | */ |
| 142 | void |
| 143 | kauth_init(void) |
| 144 | { |
| 145 | lck_grp_attr_t *grp_attributes; |
| 146 | |
| 147 | TAILQ_INIT(&kauth_scopes); |
| 148 | TAILQ_INIT(&kauth_dangling_listeners); |
| 149 | |
| 150 | /* set up our lock group */ |
| 151 | grp_attributes = lck_grp_attr_alloc_init(); |
| 152 | kauth_lck_grp = lck_grp_alloc_init("kauth", grp_attributes); |
| 153 | lck_grp_attr_free(grp_attributes); |
| 154 | |
| 155 | /* bring up kauth subsystem components */ |
| 156 | kauth_cred_init(); |
| 157 | #if CONFIG_EXT_RESOLVER |
| 158 | kauth_identity_init(); |
| 159 | kauth_groups_init(); |
| 160 | #endif |
| 161 | kauth_scope_init(); |
| 162 | #if CONFIG_EXT_RESOLVER |
| 163 | kauth_resolver_init(); |
| 164 | #endif |
| 165 | /* can't alloc locks after this */ |
| 166 | lck_grp_free(kauth_lck_grp); |
| 167 | kauth_lck_grp = NULL; |
| 168 | } |
| 169 | |
| 170 | static void |
| 171 | kauth_scope_init(void) |
| 172 | { |
| 173 | kauth_scope_mtx = lck_mtx_alloc_init(kauth_lck_grp, 0 /*LCK_ATTR_NULL*/); |
| 174 | kauth_scope_process = kauth_register_scope(KAUTH_SCOPE_PROCESS, kauth_authorize_process_callback, NULL); |
| 175 | kauth_scope_generic = kauth_register_scope(KAUTH_SCOPE_GENERIC, kauth_authorize_generic_callback, NULL); |
| 176 | kauth_scope_fileop = kauth_register_scope(KAUTH_SCOPE_FILEOP, NULL, NULL); |
| 177 | } |
| 178 | |
| 179 | /* |
| 180 | * Scope registration. |
| 181 | */ |
| 182 | |
| 183 | static kauth_scope_t |
| 184 | kauth_alloc_scope(const char *identifier, kauth_scope_callback_t callback, void *idata) |
| 185 | { |
| 186 | kauth_scope_t sp; |
| 187 | |
| 188 | /* |
| 189 | * Allocate and populate the scope structure. |
| 190 | */ |
| 191 | MALLOC(sp, kauth_scope_t, sizeof(*sp), M_KAUTH, M_WAITOK | M_ZERO); |
| 192 | if (sp == NULL) |
| 193 | return(NULL); |
| 194 | sp->ks_flags = 0; |
| 195 | sp->ks_identifier = identifier; |
| 196 | sp->ks_idata = idata; |
| 197 | sp->ks_callback = callback; |
| 198 | return(sp); |
| 199 | } |
| 200 | |
| 201 | static kauth_listener_t |
| 202 | kauth_alloc_listener(const char *identifier, kauth_scope_callback_t callback, void *idata) |
| 203 | { |
| 204 | kauth_listener_t lsp; |
| 205 | |
| 206 | /* |
| 207 | * Allocate and populate the listener structure. |
| 208 | */ |
| 209 | MALLOC(lsp, kauth_listener_t, sizeof(*lsp), M_KAUTH, M_WAITOK); |
| 210 | if (lsp == NULL) |
| 211 | return(NULL); |
| 212 | lsp->kl_identifier = identifier; |
| 213 | lsp->kl_idata = idata; |
| 214 | lsp->kl_callback = callback; |
| 215 | return(lsp); |
| 216 | } |
| 217 | |
| 218 | kauth_scope_t |
| 219 | kauth_register_scope(const char *identifier, kauth_scope_callback_t callback, void *idata) |
| 220 | { |
| 221 | kauth_scope_t sp, tsp; |
| 222 | kauth_listener_t klp; |
| 223 | |
| 224 | if ((sp = kauth_alloc_scope(identifier, callback, idata)) == NULL) |
| 225 | return(NULL); |
| 226 | |
| 227 | /* |
| 228 | * Lock the list and insert. |
| 229 | */ |
| 230 | KAUTH_SCOPELOCK(); |
| 231 | TAILQ_FOREACH(tsp, &kauth_scopes, ks_link) { |
| 232 | /* duplicate! */ |
| 233 | if (strncmp(tsp->ks_identifier, identifier, |
| 234 | strlen(tsp->ks_identifier) + 1) == 0) { |
| 235 | KAUTH_SCOPEUNLOCK(); |
| 236 | FREE(sp, M_KAUTH); |
| 237 | return(NULL); |
| 238 | } |
| 239 | } |
| 240 | TAILQ_INSERT_TAIL(&kauth_scopes, sp, ks_link); |
| 241 | |
| 242 | /* |
| 243 | * Look for listeners waiting for this scope, move them to the active scope |
| 244 | * listener table. |
| 245 | * Note that we have to restart the scan every time we remove an entry |
| 246 | * from the list, since we can't remove the current item from the list. |
| 247 | */ |
| 248 | restart: |
| 249 | TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) { |
| 250 | if (strncmp(klp->kl_identifier, sp->ks_identifier, |
| 251 | strlen(klp->kl_identifier) + 1) == 0) { |
| 252 | /* found a match on the dangling listener list. add it to the |
| 253 | * the active scope. |
| 254 | */ |
| 255 | if (kauth_add_callback_to_scope(sp, klp) == 0) { |
| 256 | TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link); |
| 257 | } |
| 258 | else { |
| 259 | #if 0 |
| 260 | printf("%s - failed to add listener to scope \"%s\" \n", __FUNCTION__, sp->ks_identifier); |
| 261 | #endif |
| 262 | break; |
| 263 | } |
| 264 | goto restart; |
| 265 | } |
| 266 | } |
| 267 | |
| 268 | KAUTH_SCOPEUNLOCK(); |
| 269 | return(sp); |
| 270 | } |
| 271 | |
| 272 | |
| 273 | |
| 274 | void |
| 275 | kauth_deregister_scope(kauth_scope_t scope) |
| 276 | { |
| 277 | int i; |
| 278 | |
| 279 | KAUTH_SCOPELOCK(); |
| 280 | |
| 281 | TAILQ_REMOVE(&kauth_scopes, scope, ks_link); |
| 282 | |
| 283 | /* relocate listeners back to the waiting list */ |
| 284 | for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) { |
| 285 | if (scope->ks_listeners[i].kll_listenerp != NULL) { |
| 286 | TAILQ_INSERT_TAIL(&kauth_dangling_listeners, scope->ks_listeners[i].kll_listenerp, kl_link); |
| 287 | scope->ks_listeners[i].kll_listenerp = NULL; |
| 288 | /* |
| 289 | * XXX - kauth_todo - WARNING, do not clear kll_callback or |
| 290 | * kll_idata here. they are part of our scope unlisten race hack |
| 291 | */ |
| 292 | } |
| 293 | } |
| 294 | KAUTH_SCOPEUNLOCK(); |
| 295 | FREE(scope, M_KAUTH); |
| 296 | |
| 297 | return; |
| 298 | } |
| 299 | |
| 300 | kauth_listener_t |
| 301 | kauth_listen_scope(const char *identifier, kauth_scope_callback_t callback, void *idata) |
| 302 | { |
| 303 | kauth_listener_t klp; |
| 304 | kauth_scope_t sp; |
| 305 | |
| 306 | if ((klp = kauth_alloc_listener(identifier, callback, idata)) == NULL) |
| 307 | return(NULL); |
| 308 | |
| 309 | /* |
| 310 | * Lock the scope list and check to see whether this scope already exists. |
| 311 | */ |
| 312 | KAUTH_SCOPELOCK(); |
| 313 | TAILQ_FOREACH(sp, &kauth_scopes, ks_link) { |
| 314 | if (strncmp(sp->ks_identifier, identifier, |
| 315 | strlen(sp->ks_identifier) + 1) == 0) { |
| 316 | /* scope exists, add it to scope listener table */ |
| 317 | if (kauth_add_callback_to_scope(sp, klp) == 0) { |
| 318 | KAUTH_SCOPEUNLOCK(); |
| 319 | return(klp); |
| 320 | } |
| 321 | /* table already full */ |
| 322 | KAUTH_SCOPEUNLOCK(); |
| 323 | FREE(klp, M_KAUTH); |
| 324 | return(NULL); |
| 325 | } |
| 326 | } |
| 327 | |
| 328 | /* scope doesn't exist, put on waiting list. */ |
| 329 | TAILQ_INSERT_TAIL(&kauth_dangling_listeners, klp, kl_link); |
| 330 | |
| 331 | KAUTH_SCOPEUNLOCK(); |
| 332 | |
| 333 | return(klp); |
| 334 | } |
| 335 | |
| 336 | void |
| 337 | kauth_unlisten_scope(kauth_listener_t listener) |
| 338 | { |
| 339 | kauth_scope_t sp; |
| 340 | kauth_listener_t klp; |
| 341 | int i, listener_count, do_free; |
| 342 | |
| 343 | KAUTH_SCOPELOCK(); |
| 344 | |
| 345 | /* search the active scope for this listener */ |
| 346 | TAILQ_FOREACH(sp, &kauth_scopes, ks_link) { |
| 347 | do_free = 0; |
| 348 | if ((sp->ks_flags & KS_F_HAS_LISTENERS) != 0) { |
| 349 | listener_count = 0; |
| 350 | for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) { |
| 351 | if (sp->ks_listeners[i].kll_listenerp == listener) { |
| 352 | sp->ks_listeners[i].kll_listenerp = NULL; |
| 353 | do_free = 1; |
| 354 | /* |
| 355 | * XXX - kauth_todo - WARNING, do not clear kll_callback or |
| 356 | * kll_idata here. they are part of our scope unlisten race hack |
| 357 | */ |
| 358 | } |
| 359 | else if (sp->ks_listeners[i].kll_listenerp != NULL) { |
| 360 | listener_count++; |
| 361 | } |
| 362 | } |
| 363 | if (do_free) { |
| 364 | if (listener_count == 0) { |
| 365 | sp->ks_flags &= ~KS_F_HAS_LISTENERS; |
| 366 | } |
| 367 | KAUTH_SCOPEUNLOCK(); |
| 368 | FREE(listener, M_KAUTH); |
| 369 | return; |
| 370 | } |
| 371 | } |
| 372 | } |
| 373 | |
| 374 | /* if not active, check the dangling list */ |
| 375 | TAILQ_FOREACH(klp, &kauth_dangling_listeners, kl_link) { |
| 376 | if (klp == listener) { |
| 377 | TAILQ_REMOVE(&kauth_dangling_listeners, klp, kl_link); |
| 378 | KAUTH_SCOPEUNLOCK(); |
| 379 | FREE(listener, M_KAUTH); |
| 380 | return; |
| 381 | } |
| 382 | } |
| 383 | |
| 384 | KAUTH_SCOPEUNLOCK(); |
| 385 | return; |
| 386 | } |
| 387 | |
| 388 | /* |
| 389 | * Authorization requests. |
| 390 | * |
| 391 | * Returns: 0 Success |
| 392 | * EPERM Operation not permitted |
| 393 | * |
| 394 | * Imputed: *arg3, modified Callback return - depends on callback |
| 395 | * modification of *arg3, if any |
| 396 | */ |
| 397 | int |
| 398 | kauth_authorize_action(kauth_scope_t scope, kauth_cred_t credential, kauth_action_t action, |
| 399 | uintptr_t arg0, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) |
| 400 | { |
| 401 | int result, ret, i; |
| 402 | |
| 403 | /* ask the scope */ |
| 404 | if (scope->ks_callback != NULL) |
| 405 | result = scope->ks_callback(credential, scope->ks_idata, action, arg0, arg1, arg2, arg3); |
| 406 | else |
| 407 | result = KAUTH_RESULT_DEFER; |
| 408 | |
| 409 | /* check with listeners */ |
| 410 | if ((scope->ks_flags & KS_F_HAS_LISTENERS) != 0) { |
| 411 | for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) { |
| 412 | /* XXX - kauth_todo - there is a race here if listener is removed - we will fix this post Tiger. |
| 413 | * Until the race is fixed our kext clients are responsible for all active requests that may |
| 414 | * be in their callbacks or on the way to their callbacks before they free kl_callback or kl_idata. |
| 415 | * We keep copies of these in our kauth_local_listener in an attempt to limit our expose to |
| 416 | * unlisten race. |
| 417 | */ |
| 418 | if (scope->ks_listeners[i].kll_listenerp == NULL || |
| 419 | scope->ks_listeners[i].kll_callback == NULL) |
| 420 | continue; |
| 421 | |
| 422 | ret = scope->ks_listeners[i].kll_callback( |
| 423 | credential, scope->ks_listeners[i].kll_idata, |
| 424 | action, arg0, arg1, arg2, arg3); |
| 425 | if ((ret == KAUTH_RESULT_DENY) || |
| 426 | (result == KAUTH_RESULT_DEFER)) |
| 427 | result = ret; |
| 428 | } |
| 429 | } |
| 430 | |
| 431 | /* we need an explicit allow, or the auth fails */ |
| 432 | /* XXX need a mechanism for auth failure to be signalled vs. denial */ |
| 433 | return(result == KAUTH_RESULT_ALLOW ? 0 : EPERM); |
| 434 | } |
| 435 | |
| 436 | /* |
| 437 | * Default authorization handlers. |
| 438 | */ |
| 439 | int |
| 440 | kauth_authorize_allow(__unused kauth_cred_t credential, __unused void *idata, __unused kauth_action_t action, |
| 441 | __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3) |
| 442 | { |
| 443 | |
| 444 | return(KAUTH_RESULT_ALLOW); |
| 445 | } |
| 446 | |
| 447 | #if 0 |
| 448 | /* |
| 449 | * Debugging support. |
| 450 | */ |
| 451 | static int |
| 452 | kauth_scope_valid(kauth_scope_t scope) |
| 453 | { |
| 454 | kauth_scope_t sp; |
| 455 | |
| 456 | KAUTH_SCOPELOCK(); |
| 457 | TAILQ_FOREACH(sp, &kauth_scopes, ks_link) { |
| 458 | if (sp == scope) |
| 459 | break; |
| 460 | } |
| 461 | KAUTH_SCOPEUNLOCK(); |
| 462 | return((sp == NULL) ? 0 : 1); |
| 463 | } |
| 464 | #endif |
| 465 | |
| 466 | /* |
| 467 | * Process authorization scope. |
| 468 | */ |
| 469 | |
| 470 | int |
| 471 | kauth_authorize_process(kauth_cred_t credential, kauth_action_t action, struct proc *process, uintptr_t arg1, uintptr_t arg2, uintptr_t arg3) |
| 472 | { |
| 473 | return(kauth_authorize_action(kauth_scope_process, credential, action, (uintptr_t)process, arg1, arg2, arg3)); |
| 474 | } |
| 475 | |
| 476 | static int |
| 477 | kauth_authorize_process_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action, |
| 478 | uintptr_t arg0, uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3) |
| 479 | { |
| 480 | switch(action) { |
| 481 | case KAUTH_PROCESS_CANSIGNAL: |
| 482 | panic("KAUTH_PROCESS_CANSIGNAL not implemented"); |
| 483 | /* XXX credential wrong here */ |
| 484 | /* arg0 - process to signal |
| 485 | * arg1 - signal to send the process |
| 486 | */ |
| 487 | if (cansignal(current_proc(), credential, (struct proc *)arg0, (int)arg1)) |
| 488 | return(KAUTH_RESULT_ALLOW); |
| 489 | break; |
| 490 | case KAUTH_PROCESS_CANTRACE: |
| 491 | /* current_proc() - process that will do the tracing |
| 492 | * arg0 - process to be traced |
| 493 | * arg1 - pointer to int - reason (errno) for denial |
| 494 | */ |
| 495 | if (cantrace(current_proc(), credential, (proc_t)arg0, (int *)arg1)) |
| 496 | return(KAUTH_RESULT_ALLOW); |
| 497 | break; |
| 498 | } |
| 499 | |
| 500 | /* no explicit result, so defer to others in the chain */ |
| 501 | return(KAUTH_RESULT_DEFER); |
| 502 | } |
| 503 | |
| 504 | /* |
| 505 | * File system operation authorization scope. This is really only a notification |
| 506 | * of the file system operation, not an authorization check. Thus the result is |
| 507 | * not relevant. |
| 508 | * arguments passed to KAUTH_FILEOP_OPEN listeners |
| 509 | * arg0 is pointer to vnode (vnode *) for given user path. |
| 510 | * arg1 is pointer to path (char *) passed in to open. |
| 511 | * arguments passed to KAUTH_FILEOP_CLOSE listeners |
| 512 | * arg0 is pointer to vnode (vnode *) for file to be closed. |
| 513 | * arg1 is pointer to path (char *) of file to be closed. |
| 514 | * arg2 is close flags. |
| 515 | * arguments passed to KAUTH_FILEOP_WILL_RENAME listeners |
| 516 | * arg0 is pointer to vnode (vnode *) of the file being renamed |
| 517 | * arg1 is pointer to the "from" path (char *) |
| 518 | * arg2 is pointer to the "to" path (char *) |
| 519 | * arguments passed to KAUTH_FILEOP_RENAME listeners |
| 520 | * arg0 is pointer to "from" path (char *). |
| 521 | * arg1 is pointer to "to" path (char *). |
| 522 | * arguments passed to KAUTH_FILEOP_EXCHANGE listeners |
| 523 | * arg0 is pointer to file 1 path (char *). |
| 524 | * arg1 is pointer to file 2 path (char *). |
| 525 | * arguments passed to KAUTH_FILEOP_EXEC listeners |
| 526 | * arg0 is pointer to vnode (vnode *) for executable. |
| 527 | * arg1 is pointer to path (char *) to executable. |
| 528 | */ |
| 529 | |
| 530 | int |
| 531 | kauth_authorize_fileop_has_listeners(void) |
| 532 | { |
| 533 | /* |
| 534 | * return 1 if we have any listeners for the fileop scope |
| 535 | * otherwize return 0 |
| 536 | */ |
| 537 | if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) != 0) { |
| 538 | return(1); |
| 539 | } |
| 540 | return (0); |
| 541 | } |
| 542 | |
| 543 | int |
| 544 | kauth_authorize_fileop(kauth_cred_t credential, kauth_action_t action, uintptr_t arg0, uintptr_t arg1) |
| 545 | { |
| 546 | char *namep = NULL; |
| 547 | int name_len; |
| 548 | uintptr_t arg2 = 0; |
| 549 | |
| 550 | /* we do not have a primary handler for the fileop scope so bail out if |
| 551 | * there are no listeners. |
| 552 | */ |
| 553 | if ((kauth_scope_fileop->ks_flags & KS_F_HAS_LISTENERS) == 0) { |
| 554 | return(0); |
| 555 | } |
| 556 | |
| 557 | if (action == KAUTH_FILEOP_OPEN || |
| 558 | action == KAUTH_FILEOP_CLOSE || |
| 559 | action == KAUTH_FILEOP_EXEC || |
| 560 | action == KAUTH_FILEOP_WILL_RENAME) { |
| 561 | /* get path to the given vnode as a convenience to our listeners. |
| 562 | */ |
| 563 | namep = get_pathbuff(); |
| 564 | name_len = MAXPATHLEN; |
| 565 | if (vn_getpath((vnode_t)arg0, namep, &name_len) != 0) { |
| 566 | release_pathbuff(namep); |
| 567 | return(0); |
| 568 | } |
| 569 | if (action == KAUTH_FILEOP_CLOSE || |
| 570 | action == KAUTH_FILEOP_WILL_RENAME) { |
| 571 | /* |
| 572 | * - Close has some flags that come in via arg1. |
| 573 | * - Will-rename wants to pass the vnode and |
| 574 | * both paths to the listeners ("to" path |
| 575 | * starts in arg1, moves to arg2). |
| 576 | */ |
| 577 | arg2 = arg1; |
| 578 | } |
| 579 | arg1 = (uintptr_t)namep; |
| 580 | } |
| 581 | kauth_authorize_action(kauth_scope_fileop, credential, action, arg0, arg1, arg2, 0); |
| 582 | |
| 583 | if (namep != NULL) { |
| 584 | release_pathbuff(namep); |
| 585 | } |
| 586 | |
| 587 | return(0); |
| 588 | } |
| 589 | |
| 590 | /* |
| 591 | * Generic authorization scope. |
| 592 | */ |
| 593 | |
| 594 | int |
| 595 | kauth_authorize_generic(kauth_cred_t credential, kauth_action_t action) |
| 596 | { |
| 597 | if (credential == NULL) |
| 598 | panic("auth against NULL credential"); |
| 599 | |
| 600 | return(kauth_authorize_action(kauth_scope_generic, credential, action, 0, 0, 0, 0)); |
| 601 | |
| 602 | } |
| 603 | |
| 604 | static int |
| 605 | kauth_authorize_generic_callback(kauth_cred_t credential, __unused void *idata, kauth_action_t action, |
| 606 | __unused uintptr_t arg0, __unused uintptr_t arg1, __unused uintptr_t arg2, __unused uintptr_t arg3) |
| 607 | { |
| 608 | switch(action) { |
| 609 | case KAUTH_GENERIC_ISSUSER: |
| 610 | /* XXX == 0 ? */ |
| 611 | return((kauth_cred_getuid(credential) == 0) ? |
| 612 | KAUTH_RESULT_ALLOW : KAUTH_RESULT_DENY); |
| 613 | } |
| 614 | |
| 615 | /* no explicit result, so defer to others in the chain */ |
| 616 | return(KAUTH_RESULT_DEFER); |
| 617 | } |
| 618 | |
| 619 | /* |
| 620 | * ACL evaluator. |
| 621 | * |
| 622 | * Determines whether the credential has the requested rights for an object secured by the supplied |
| 623 | * ACL. |
| 624 | * |
| 625 | * Evaluation proceeds from the top down, with access denied if any ACE denies any of the requested |
| 626 | * rights, or granted if all of the requested rights are satisfied by the ACEs so far. |
| 627 | */ |
| 628 | int |
| 629 | kauth_acl_evaluate(kauth_cred_t cred, kauth_acl_eval_t eval) |
| 630 | { |
| 631 | int applies, error, i, gotguid; |
| 632 | kauth_ace_t ace; |
| 633 | guid_t guid; |
| 634 | uint32_t rights; |
| 635 | int wkguid; |
| 636 | |
| 637 | /* always allowed to do nothing */ |
| 638 | if (eval->ae_requested == 0) { |
| 639 | eval->ae_result = KAUTH_RESULT_ALLOW; |
| 640 | return(0); |
| 641 | } |
| 642 | |
| 643 | eval->ae_residual = eval->ae_requested; |
| 644 | eval->ae_found_deny = FALSE; |
| 645 | |
| 646 | /* |
| 647 | * Get our guid for comparison purposes. |
| 648 | */ |
| 649 | if ((error = kauth_cred_getguid(cred, &guid)) != 0) { |
| 650 | KAUTH_DEBUG(" ACL - can't get credential GUID (%d)", error); |
| 651 | error = 0; |
| 652 | gotguid = 0; |
| 653 | } else { |
| 654 | gotguid = 1; |
| 655 | } |
| 656 | |
| 657 | KAUTH_DEBUG(" ACL - %d entries, initial residual %x", eval->ae_count, eval->ae_residual); |
| 658 | for (i = 0, ace = eval->ae_acl; i < eval->ae_count; i++, ace++) { |
| 659 | |
| 660 | /* |
| 661 | * Skip inherit-only entries. |
| 662 | */ |
| 663 | if (ace->ace_flags & KAUTH_ACE_ONLY_INHERIT) |
| 664 | continue; |
| 665 | |
| 666 | /* |
| 667 | * Expand generic rights, if appropriate. |
| 668 | */ |
| 669 | rights = ace->ace_rights; |
| 670 | if (rights & KAUTH_ACE_GENERIC_ALL) |
| 671 | rights |= eval->ae_exp_gall; |
| 672 | if (rights & KAUTH_ACE_GENERIC_READ) |
| 673 | rights |= eval->ae_exp_gread; |
| 674 | if (rights & KAUTH_ACE_GENERIC_WRITE) |
| 675 | rights |= eval->ae_exp_gwrite; |
| 676 | if (rights & KAUTH_ACE_GENERIC_EXECUTE) |
| 677 | rights |= eval->ae_exp_gexec; |
| 678 | |
| 679 | /* |
| 680 | * Determine whether this entry applies to the current request. This |
| 681 | * saves us checking the GUID if the entry has nothing to do with what |
| 682 | * we're currently doing. |
| 683 | */ |
| 684 | switch(ace->ace_flags & KAUTH_ACE_KINDMASK) { |
| 685 | case KAUTH_ACE_PERMIT: |
| 686 | if (!(eval->ae_residual & rights)) |
| 687 | continue; |
| 688 | break; |
| 689 | case KAUTH_ACE_DENY: |
| 690 | if (!(eval->ae_requested & rights)) |
| 691 | continue; |
| 692 | eval->ae_found_deny = TRUE; |
| 693 | break; |
| 694 | default: |
| 695 | /* we don't recognise this ACE, skip it */ |
| 696 | continue; |
| 697 | } |
| 698 | |
| 699 | /* |
| 700 | * Verify whether this entry applies to the credential. |
| 701 | */ |
| 702 | wkguid = kauth_wellknown_guid(&ace->ace_applicable); |
| 703 | switch(wkguid) { |
| 704 | case KAUTH_WKG_OWNER: |
| 705 | applies = eval->ae_options & KAUTH_AEVAL_IS_OWNER; |
| 706 | break; |
| 707 | case KAUTH_WKG_GROUP: |
| 708 | if (!gotguid || (eval->ae_options & KAUTH_AEVAL_IN_GROUP_UNKNOWN)) |
| 709 | applies = ((ace->ace_flags & KAUTH_ACE_KINDMASK) == KAUTH_ACE_DENY); |
| 710 | else |
| 711 | applies = eval->ae_options & KAUTH_AEVAL_IN_GROUP; |
| 712 | break; |
| 713 | /* we short-circuit these here rather than wasting time calling the group membership code */ |
| 714 | case KAUTH_WKG_EVERYBODY: |
| 715 | applies = 1; |
| 716 | break; |
| 717 | case KAUTH_WKG_NOBODY: |
| 718 | applies = 0; |
| 719 | break; |
| 720 | |
| 721 | default: |
| 722 | /* check to see whether it's exactly us, or a group we are a member of */ |
| 723 | applies = !gotguid ? 0 : kauth_guid_equal(&guid, &ace->ace_applicable); |
| 724 | KAUTH_DEBUG(" ACL - ACE applicable "K_UUID_FMT " caller "K_UUID_FMT " %smatched", |
| 725 | K_UUID_ARG(ace->ace_applicable), K_UUID_ARG(guid), applies ? "": "not "); |
| 726 | |
| 727 | if (!applies) { |
| 728 | error = !gotguid ? ENOENT : kauth_cred_ismember_guid(cred, &ace->ace_applicable, &applies); |
| 729 | /* |
| 730 | * If we can't resolve group membership, we have to limit misbehaviour. |
| 731 | * If the ACE is an 'allow' ACE, assume the cred is not a member (avoid |
| 732 | * granting excess access). If the ACE is a 'deny' ACE, assume the cred |
| 733 | * is a member (avoid failing to deny). |
| 734 | */ |
| 735 | if (error != 0) { |
| 736 | KAUTH_DEBUG(" ACL[%d] - can't get membership, making pessimistic assumption", i); |
| 737 | switch(ace->ace_flags & KAUTH_ACE_KINDMASK) { |
| 738 | case KAUTH_ACE_PERMIT: |
| 739 | applies = 0; |
| 740 | break; |
| 741 | case KAUTH_ACE_DENY: |
| 742 | applies = 1; |
| 743 | break; |
| 744 | } |
| 745 | } else { |
| 746 | KAUTH_DEBUG(" ACL - %s group member", applies ? "is": "not"); |
| 747 | } |
| 748 | } else { |
| 749 | KAUTH_DEBUG(" ACL - entry matches caller"); |
| 750 | } |
| 751 | } |
| 752 | if (!applies) |
| 753 | continue; |
| 754 | |
| 755 | /* |
| 756 | * Apply ACE to outstanding rights. |
| 757 | */ |
| 758 | switch(ace->ace_flags & KAUTH_ACE_KINDMASK) { |
| 759 | case KAUTH_ACE_PERMIT: |
| 760 | /* satisfy any rights that this ACE grants */ |
| 761 | eval->ae_residual = eval->ae_residual & ~rights; |
| 762 | KAUTH_DEBUG(" ACL[%d] - rights %x leave residual %x", i, rights, eval->ae_residual); |
| 763 | /* all rights satisfied? */ |
| 764 | if (eval->ae_residual == 0) { |
| 765 | eval->ae_result = KAUTH_RESULT_ALLOW; |
| 766 | return(0); |
| 767 | } |
| 768 | break; |
| 769 | case KAUTH_ACE_DENY: |
| 770 | /* deny the request if any of the requested rights is denied */ |
| 771 | if (eval->ae_requested & rights) { |
| 772 | KAUTH_DEBUG(" ACL[%d] - denying based on %x", i, rights); |
| 773 | eval->ae_result = KAUTH_RESULT_DENY; |
| 774 | return(0); |
| 775 | } |
| 776 | break; |
| 777 | default: |
| 778 | KAUTH_DEBUG(" ACL - unknown entry kind %d", ace->ace_flags & KAUTH_ACE_KINDMASK); |
| 779 | break; |
| 780 | } |
| 781 | } |
| 782 | /* if not permitted, defer to other modes of authorisation */ |
| 783 | eval->ae_result = KAUTH_RESULT_DEFER; |
| 784 | return(0); |
| 785 | } |
| 786 | |
| 787 | /* |
| 788 | * Perform ACL inheritance and umask-ACL handling. |
| 789 | * |
| 790 | * Entries are inherited from the ACL on dvp. A caller-supplied |
| 791 | * ACL is in initial, and the result is output into product. |
| 792 | * If the process has a umask ACL and one is not supplied, we use |
| 793 | * the umask ACL. |
| 794 | * If isdir is set, the resultant ACL is for a directory, otherwise it is for a file. |
| 795 | */ |
| 796 | int |
| 797 | kauth_acl_inherit(vnode_t dvp, kauth_acl_t initial, kauth_acl_t *product, int isdir, vfs_context_t ctx) |
| 798 | { |
| 799 | int entries, error, index; |
| 800 | unsigned int i; |
| 801 | struct vnode_attr dva; |
| 802 | kauth_acl_t inherit, result; |
| 803 | |
| 804 | /* |
| 805 | * Fetch the ACL from the directory. This should never fail. |
| 806 | * Note that we don't manage inheritance when the remote server is |
| 807 | * doing authorization, since this means server enforcement of |
| 808 | * inheritance semantics; we just want to compose the initial |
| 809 | * ACL and any inherited ACE entries from the container object. |
| 810 | * |
| 811 | * XXX TODO: <rdar://3634665> wants a "umask ACL" from the process. |
| 812 | */ |
| 813 | inherit = NULL; |
| 814 | /* |
| 815 | * If there is no initial ACL, or there is, and the initial ACLs |
| 816 | * flags do not request "no inheritance", then we inherit. This allows |
| 817 | * initial object creation via open_extended() and mkdir_extended() |
| 818 | * to reject inheritance for themselves and for inferior nodes by |
| 819 | * specifying a non-NULL inital ACL which has the KAUTH_ACL_NO_INHERIT |
| 820 | * flag set in the flags field. |
| 821 | */ |
| 822 | if ((initial == NULL || !(initial->acl_flags & KAUTH_ACL_NO_INHERIT)) && |
| 823 | (dvp != NULL) && !vfs_authopaque(vnode_mount(dvp))) { |
| 824 | VATTR_INIT(&dva); |
| 825 | VATTR_WANTED(&dva, va_acl); |
| 826 | if ((error = vnode_getattr(dvp, &dva, ctx)) != 0) { |
| 827 | KAUTH_DEBUG(" ERROR - could not get parent directory ACL for inheritance"); |
| 828 | return(error); |
| 829 | } |
| 830 | if (VATTR_IS_SUPPORTED(&dva, va_acl)) |
| 831 | inherit = dva.va_acl; |
| 832 | } |
| 833 | |
| 834 | /* |
| 835 | * Compute the number of entries in the result ACL by scanning the |
| 836 | * input lists. |
| 837 | */ |
| 838 | entries = 0; |
| 839 | if (inherit != NULL) { |
| 840 | for (i = 0; i < inherit->acl_entrycount; i++) { |
| 841 | if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) |
| 842 | entries++; |
| 843 | } |
| 844 | } |
| 845 | |
| 846 | if (initial == NULL) { |
| 847 | /* |
| 848 | * XXX 3634665 TODO: if the initial ACL is not specfied by |
| 849 | * XXX the caller, fetch the umask ACL from the process, |
| 850 | * and use it in place of "initial". |
| 851 | */ |
| 852 | } |
| 853 | |
| 854 | if (initial != NULL) { |
| 855 | if (initial->acl_entrycount != KAUTH_FILESEC_NOACL) |
| 856 | entries += initial->acl_entrycount; |
| 857 | else |
| 858 | initial = NULL; |
| 859 | } |
| 860 | |
| 861 | /* |
| 862 | * If there is no initial ACL, and no inheritable entries, the |
| 863 | * object should be created with no ACL at all. |
| 864 | * Note that this differs from the case where the initial ACL |
| 865 | * is empty, in which case the object must also have an empty ACL. |
| 866 | */ |
| 867 | if ((entries == 0) && (initial == NULL)) { |
| 868 | *product = NULL; |
| 869 | error = 0; |
| 870 | goto out; |
| 871 | } |
| 872 | |
| 873 | /* |
| 874 | * Allocate the result buffer. |
| 875 | */ |
| 876 | if ((result = kauth_acl_alloc(entries)) == NULL) { |
| 877 | KAUTH_DEBUG(" ERROR - could not allocate %d-entry result buffer for inherited ACL", entries); |
| 878 | error = ENOMEM; |
| 879 | goto out; |
| 880 | } |
| 881 | |
| 882 | /* |
| 883 | * Composition is simply: |
| 884 | * - initial direct ACEs |
| 885 | * - inherited ACEs from new parent |
| 886 | */ |
| 887 | index = 0; |
| 888 | if (initial != NULL) { |
| 889 | for (i = 0; i < initial->acl_entrycount; i++) { |
| 890 | if (!(initial->acl_ace[i].ace_flags & KAUTH_ACE_INHERITED)) { |
| 891 | result->acl_ace[index++] = initial->acl_ace[i]; |
| 892 | } |
| 893 | } |
| 894 | KAUTH_DEBUG(" INHERIT - applied %d of %d initial entries", index, initial->acl_entrycount); |
| 895 | } |
| 896 | if (inherit != NULL) { |
| 897 | for (i = 0; i < inherit->acl_entrycount; i++) { |
| 898 | /* |
| 899 | * Inherit onto this object? We inherit only if |
| 900 | * the target object is a container object and the |
| 901 | * KAUTH_ACE_DIRECTORY_INHERIT bit is set, OR if |
| 902 | * if the target object is not a container, and |
| 903 | * the KAUTH_ACE_FILE_INHERIT bit is set. |
| 904 | */ |
| 905 | if (inherit->acl_ace[i].ace_flags & (isdir ? KAUTH_ACE_DIRECTORY_INHERIT : KAUTH_ACE_FILE_INHERIT)) { |
| 906 | result->acl_ace[index] = inherit->acl_ace[i]; |
| 907 | result->acl_ace[index].ace_flags |= KAUTH_ACE_INHERITED; |
| 908 | result->acl_ace[index].ace_flags &= ~KAUTH_ACE_ONLY_INHERIT; |
| 909 | /* |
| 910 | * We do not re-inherit inheritance flags |
| 911 | * if the ACE from the container has a |
| 912 | * KAUTH_ACE_LIMIT_INHERIT, OR if the new |
| 913 | * object is not itself a container (since |
| 914 | * inheritance is always container-based). |
| 915 | */ |
| 916 | if ((result->acl_ace[index].ace_flags & KAUTH_ACE_LIMIT_INHERIT) || !isdir) { |
| 917 | result->acl_ace[index].ace_flags &= |
| 918 | ~(KAUTH_ACE_INHERIT_CONTROL_FLAGS); |
| 919 | } |
| 920 | index++; |
| 921 | } |
| 922 | } |
| 923 | } |
| 924 | result->acl_entrycount = index; |
| 925 | *product = result; |
| 926 | KAUTH_DEBUG(" INHERIT - product ACL has %d entries", index); |
| 927 | error = 0; |
| 928 | out: |
| 929 | if (inherit != NULL) |
| 930 | kauth_acl_free(inherit); |
| 931 | return(error); |
| 932 | } |
| 933 | |
| 934 | /* |
| 935 | * Optimistically copy in a kauth_filesec structure |
| 936 | * |
| 937 | * Parameters: xsecurity user space kauth_filesec_t |
| 938 | * xsecdstpp pointer to kauth_filesec_t to be |
| 939 | * modified to contain the contain a |
| 940 | * pointer to an allocated copy of the |
| 941 | * user space argument |
| 942 | * |
| 943 | * Returns: 0 Success |
| 944 | * ENOMEM Insufficient memory for the copy. |
| 945 | * EINVAL The user space data was invalid, or |
| 946 | * there were too many ACE entries. |
| 947 | * EFAULT The user space address was invalid; |
| 948 | * this may mean 'fsec_entrycount' in |
| 949 | * the user copy is corrupt/incorrect. |
| 950 | * |
| 951 | * Implicit returns: xsecdestpp, modified (only if successful!) |
| 952 | * |
| 953 | * Notes: The returned kauth_filesec_t is in host byte order |
| 954 | * |
| 955 | * The caller is responsible for freeing the returned |
| 956 | * kauth_filesec_t in the success case using the function |
| 957 | * kauth_filesec_free() |
| 958 | * |
| 959 | * Our largest initial guess is 32; this needs to move to |
| 960 | * a manifest constant in <sys/kauth.h>. |
| 961 | */ |
| 962 | int |
| 963 | kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp) |
| 964 | { |
| 965 | int error; |
| 966 | kauth_filesec_t fsec; |
| 967 | u_int32_t count; |
| 968 | size_t copysize; |
| 969 | |
| 970 | error = 0; |
| 971 | fsec = NULL; |
| 972 | |
| 973 | /* |
| 974 | * Make a guess at the size of the filesec. We start with the base |
| 975 | * pointer, and look at how much room is left on the page, clipped |
| 976 | * to a sensible upper bound. If it turns out this isn't enough, |
| 977 | * we'll size based on the actual ACL contents and come back again. |
| 978 | * |
| 979 | * The upper bound must be less than KAUTH_ACL_MAX_ENTRIES. The |
| 980 | * value here is fairly arbitrary. It's ok to have a zero count. |
| 981 | * |
| 982 | * Because we're just using these values to make a guess about the |
| 983 | * number of entries, the actual address doesn't matter, only their |
| 984 | * relative offsets into the page. We take advantage of this to |
| 985 | * avoid an overflow in the rounding step (this is a user-provided |
| 986 | * parameter, so caution pays off). |
| 987 | */ |
| 988 | { |
| 989 | user_addr_t known_bound = (xsecurity & PAGE_MASK) + KAUTH_FILESEC_SIZE(0); |
| 990 | user_addr_t uaddr = mach_vm_round_page(known_bound); |
| 991 | count = (uaddr - known_bound) / sizeof(struct kauth_ace); |
| 992 | } |
| 993 | if (count > 32) |
| 994 | count = 32; |
| 995 | restart: |
| 996 | if ((fsec = kauth_filesec_alloc(count)) == NULL) { |
| 997 | error = ENOMEM; |
| 998 | goto out; |
| 999 | } |
| 1000 | copysize = KAUTH_FILESEC_SIZE(count); |
| 1001 | if ((error = copyin(xsecurity, (caddr_t)fsec, copysize)) != 0) |
| 1002 | goto out; |
| 1003 | |
| 1004 | /* validate the filesec header */ |
| 1005 | if (fsec->fsec_magic != KAUTH_FILESEC_MAGIC) { |
| 1006 | error = EINVAL; |
| 1007 | goto out; |
| 1008 | } |
| 1009 | |
| 1010 | /* |
| 1011 | * Is there an ACL payload, and is it too big? |
| 1012 | */ |
| 1013 | if ((fsec->fsec_entrycount != KAUTH_FILESEC_NOACL) && |
| 1014 | (fsec->fsec_entrycount > count)) { |
| 1015 | if (fsec->fsec_entrycount > KAUTH_ACL_MAX_ENTRIES) { |
| 1016 | /* XXX This should be E2BIG */ |
| 1017 | error = EINVAL; |
| 1018 | goto out; |
| 1019 | } |
| 1020 | count = fsec->fsec_entrycount; |
| 1021 | kauth_filesec_free(fsec); |
| 1022 | goto restart; |
| 1023 | } |
| 1024 | |
| 1025 | out: |
| 1026 | if (error) { |
| 1027 | if (fsec) |
| 1028 | kauth_filesec_free(fsec); |
| 1029 | } else { |
| 1030 | *xsecdestpp = fsec; |
| 1031 | AUDIT_ARG(opaque, fsec, copysize); |
| 1032 | } |
| 1033 | return(error); |
| 1034 | } |
| 1035 | |
| 1036 | /* |
| 1037 | * Allocate a block of memory containing a filesec structure, immediately |
| 1038 | * followed by 'count' kauth_ace structures. |
| 1039 | * |
| 1040 | * Parameters: count Number of kauth_ace structures needed |
| 1041 | * |
| 1042 | * Returns: !NULL A pointer to the allocated block |
| 1043 | * NULL Invalid 'count' or insufficient memory |
| 1044 | * |
| 1045 | * Notes: Returned memory area assumes that the structures are packed |
| 1046 | * densely, so this function may only be used by code that also |
| 1047 | * assumes no padding following structures. |
| 1048 | * |
| 1049 | * The returned structure must be freed by the caller using the |
| 1050 | * function kauth_filesec_free(), in case we decide to use an |
| 1051 | * allocation mechanism that is aware of the object size at some |
| 1052 | * point, since the object size is only available by introspecting |
| 1053 | * the object itself. |
| 1054 | */ |
| 1055 | kauth_filesec_t |
| 1056 | kauth_filesec_alloc(int count) |
| 1057 | { |
| 1058 | kauth_filesec_t fsp; |
| 1059 | |
| 1060 | /* if the caller hasn't given us a valid size hint, assume the worst */ |
| 1061 | if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES)) |
| 1062 | return(NULL); |
| 1063 | |
| 1064 | MALLOC(fsp, kauth_filesec_t, KAUTH_FILESEC_SIZE(count), M_KAUTH, M_WAITOK); |
| 1065 | if (fsp != NULL) { |
| 1066 | fsp->fsec_magic = KAUTH_FILESEC_MAGIC; |
| 1067 | fsp->fsec_owner = kauth_null_guid; |
| 1068 | fsp->fsec_group = kauth_null_guid; |
| 1069 | fsp->fsec_entrycount = KAUTH_FILESEC_NOACL; |
| 1070 | fsp->fsec_flags = 0; |
| 1071 | } |
| 1072 | return(fsp); |
| 1073 | } |
| 1074 | |
| 1075 | /* |
| 1076 | * Free a kauth_filesec_t that was previous allocated, either by a direct |
| 1077 | * call to kauth_filesec_alloc() or by calling a function that calls it. |
| 1078 | * |
| 1079 | * Parameters: fsp kauth_filesec_t to free |
| 1080 | * |
| 1081 | * Returns: (void) |
| 1082 | * |
| 1083 | * Notes: The kauth_filesec_t to be freed is assumed to be in host |
| 1084 | * byte order so that this function can introspect it in the |
| 1085 | * future to determine its size, if necesssary. |
| 1086 | */ |
| 1087 | void |
| 1088 | kauth_filesec_free(kauth_filesec_t fsp) |
| 1089 | { |
| 1090 | #ifdef KAUTH_DEBUG_ENABLE |
| 1091 | if (fsp == KAUTH_FILESEC_NONE) |
| 1092 | panic("freeing KAUTH_FILESEC_NONE"); |
| 1093 | if (fsp == KAUTH_FILESEC_WANTED) |
| 1094 | panic("freeing KAUTH_FILESEC_WANTED"); |
| 1095 | #endif |
| 1096 | FREE(fsp, M_KAUTH); |
| 1097 | } |
| 1098 | |
| 1099 | /* |
| 1100 | * Set the endianness of a filesec and an ACL; if 'acl' is NULL, use the |
| 1101 | * ACL interior to 'fsec' instead. If the endianness doesn't change, then |
| 1102 | * this function will have no effect. |
| 1103 | * |
| 1104 | * Parameters: kendian The endianness to set; this is either |
| 1105 | * KAUTH_ENDIAN_HOST or KAUTH_ENDIAN_DISK. |
| 1106 | * fsec The filesec to convert. |
| 1107 | * acl The ACL to convert (optional) |
| 1108 | * |
| 1109 | * Returns: (void) |
| 1110 | * |
| 1111 | * Notes: We use ntohl() because it has a transitive property on Intel |
| 1112 | * machines and no effect on PPC mancines. This guarantees us |
| 1113 | * that the swapping only occurs if the endiannes is wrong. |
| 1114 | */ |
| 1115 | void |
| 1116 | kauth_filesec_acl_setendian(int kendian, kauth_filesec_t fsec, kauth_acl_t acl) |
| 1117 | { |
| 1118 | uint32_t compare_magic = KAUTH_FILESEC_MAGIC; |
| 1119 | uint32_t invert_magic = ntohl(KAUTH_FILESEC_MAGIC); |
| 1120 | uint32_t compare_acl_entrycount; |
| 1121 | uint32_t i; |
| 1122 | |
| 1123 | if (compare_magic == invert_magic) |
| 1124 | return; |
| 1125 | |
| 1126 | /* If no ACL, use ACL interior to 'fsec' instead */ |
| 1127 | if (acl == NULL) |
| 1128 | acl = &fsec->fsec_acl; |
| 1129 | |
| 1130 | compare_acl_entrycount = acl->acl_entrycount; |
| 1131 | |
| 1132 | /* |
| 1133 | * Only convert what needs to be converted, and only if the arguments |
| 1134 | * are valid. The following switch and tests effectively reject |
| 1135 | * conversions on invalid magic numbers as a desirable side effect. |
| 1136 | */ |
| 1137 | switch(kendian) { |
| 1138 | case KAUTH_ENDIAN_HOST: /* not in host, convert to host */ |
| 1139 | if (fsec->fsec_magic != invert_magic) |
| 1140 | return; |
| 1141 | /* acl_entrycount is byteswapped */ |
| 1142 | compare_acl_entrycount = ntohl(acl->acl_entrycount); |
| 1143 | break; |
| 1144 | case KAUTH_ENDIAN_DISK: /* not in disk, convert to disk */ |
| 1145 | if (fsec->fsec_magic != compare_magic) |
| 1146 | return; |
| 1147 | break; |
| 1148 | default: /* bad argument */ |
| 1149 | return; |
| 1150 | } |
| 1151 | |
| 1152 | /* We are go for conversion */ |
| 1153 | fsec->fsec_magic = ntohl(fsec->fsec_magic); |
| 1154 | acl->acl_entrycount = ntohl(acl->acl_entrycount); |
| 1155 | if (compare_acl_entrycount != KAUTH_FILESEC_NOACL) { |
| 1156 | acl->acl_flags = ntohl(acl->acl_flags); |
| 1157 | |
| 1158 | /* swap ACE rights and flags */ |
| 1159 | for (i = 0; i < compare_acl_entrycount; i++) { |
| 1160 | acl->acl_ace[i].ace_flags = ntohl(acl->acl_ace[i].ace_flags); |
| 1161 | acl->acl_ace[i].ace_rights = ntohl(acl->acl_ace[i].ace_rights); |
| 1162 | } |
| 1163 | } |
| 1164 | } |
| 1165 | |
| 1166 | |
| 1167 | /* |
| 1168 | * Allocate an ACL buffer. |
| 1169 | */ |
| 1170 | kauth_acl_t |
| 1171 | kauth_acl_alloc(int count) |
| 1172 | { |
| 1173 | kauth_acl_t aclp; |
| 1174 | |
| 1175 | /* if the caller hasn't given us a valid size hint, assume the worst */ |
| 1176 | if ((count < 0) || (count > KAUTH_ACL_MAX_ENTRIES)) |
| 1177 | return(NULL); |
| 1178 | |
| 1179 | MALLOC(aclp, kauth_acl_t, KAUTH_ACL_SIZE(count), M_KAUTH, M_WAITOK); |
| 1180 | if (aclp != NULL) { |
| 1181 | aclp->acl_entrycount = 0; |
| 1182 | aclp->acl_flags = 0; |
| 1183 | } |
| 1184 | return(aclp); |
| 1185 | } |
| 1186 | |
| 1187 | void |
| 1188 | kauth_acl_free(kauth_acl_t aclp) |
| 1189 | { |
| 1190 | FREE(aclp, M_KAUTH); |
| 1191 | } |
| 1192 | |
| 1193 | |
| 1194 | /* |
| 1195 | * WARNING - caller must hold KAUTH_SCOPELOCK |
| 1196 | */ |
| 1197 | static int kauth_add_callback_to_scope(kauth_scope_t sp, kauth_listener_t klp) |
| 1198 | { |
| 1199 | int i; |
| 1200 | |
| 1201 | for (i = 0; i < KAUTH_SCOPE_MAX_LISTENERS; i++) { |
| 1202 | if (sp->ks_listeners[i].kll_listenerp == NULL) { |
| 1203 | sp->ks_listeners[i].kll_callback = klp->kl_callback; |
| 1204 | sp->ks_listeners[i].kll_idata = klp->kl_idata; |
| 1205 | sp->ks_listeners[i].kll_listenerp = klp; |
| 1206 | sp->ks_flags |= KS_F_HAS_LISTENERS; |
| 1207 | return(0); |
| 1208 | } |
| 1209 | } |
| 1210 | return(ENOSPC); |
| 1211 | } |
| 1212 |
Generated on 2018-Dec-24 from project xnu revision 4903.221.2
Powered by 
Code Browser 2.1
Generator usage only permitted with license.