1 | /* |
2 | * Copyright (c) 2004-2010 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | /* |
29 | * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce |
30 | * support for mandatory and extensible security protections. This notice |
31 | * is included in support of clause 2.2 (b) of the Apple Public License, |
32 | * Version 2.0. |
33 | */ |
34 | |
35 | #ifndef _SYS_KAUTH_H |
36 | #define _SYS_KAUTH_H |
37 | |
38 | #include <sys/appleapiopts.h> |
39 | #include <sys/cdefs.h> |
40 | #include <mach/boolean.h> |
41 | #include <sys/_types.h> /* __offsetof() */ |
42 | #include <sys/syslimits.h> /* NGROUPS_MAX */ |
43 | |
44 | #ifdef __APPLE_API_EVOLVING |
45 | |
46 | /* |
47 | * Identities. |
48 | */ |
49 | |
50 | #define KAUTH_UID_NONE (~(uid_t)0 - 100) /* not a valid UID */ |
51 | #define KAUTH_GID_NONE (~(gid_t)0 - 100) /* not a valid GID */ |
52 | |
53 | #include <sys/_types/_guid_t.h> |
54 | |
55 | /* NT Security Identifier, structure as defined by Microsoft */ |
56 | #pragma pack(1) /* push packing of 1 byte */ |
57 | typedef struct { |
58 | u_int8_t sid_kind; |
59 | u_int8_t sid_authcount; |
60 | u_int8_t sid_authority[6]; |
61 | #define KAUTH_NTSID_MAX_AUTHORITIES 16 |
62 | u_int32_t sid_authorities[KAUTH_NTSID_MAX_AUTHORITIES]; |
63 | } ntsid_t; |
64 | #pragma pack() /* pop packing to previous packing level */ |
65 | #define _NTSID_T |
66 | |
67 | /* valid byte count inside a SID structure */ |
68 | #define KAUTH_NTSID_HDRSIZE (8) |
69 | #define KAUTH_NTSID_SIZE(_s) (KAUTH_NTSID_HDRSIZE + ((_s)->sid_authcount * sizeof(u_int32_t))) |
70 | |
71 | /* |
72 | * External lookup message payload; this structure is shared between the |
73 | * kernel group membership resolver, and the user space group membership |
74 | * resolver daemon, and is use to communicate resolution requests from the |
75 | * kernel to user space, and the result of that request from user space to |
76 | * the kernel. |
77 | */ |
78 | struct kauth_identity_extlookup { |
79 | u_int32_t el_seqno; /* request sequence number */ |
80 | u_int32_t el_result; /* lookup result */ |
81 | #define KAUTH_EXTLOOKUP_SUCCESS 0 /* results here are good */ |
82 | #define KAUTH_EXTLOOKUP_BADRQ 1 /* request badly formatted */ |
83 | #define KAUTH_EXTLOOKUP_FAILURE 2 /* transient failure during lookup */ |
84 | #define KAUTH_EXTLOOKUP_FATAL 3 /* permanent failure during lookup */ |
85 | #define KAUTH_EXTLOOKUP_INPROG 100 /* request in progress */ |
86 | u_int32_t el_flags; |
87 | #define KAUTH_EXTLOOKUP_VALID_UID (1<<0) |
88 | #define KAUTH_EXTLOOKUP_VALID_UGUID (1<<1) |
89 | #define KAUTH_EXTLOOKUP_VALID_USID (1<<2) |
90 | #define KAUTH_EXTLOOKUP_VALID_GID (1<<3) |
91 | #define KAUTH_EXTLOOKUP_VALID_GGUID (1<<4) |
92 | #define KAUTH_EXTLOOKUP_VALID_GSID (1<<5) |
93 | #define KAUTH_EXTLOOKUP_WANT_UID (1<<6) |
94 | #define KAUTH_EXTLOOKUP_WANT_UGUID (1<<7) |
95 | #define KAUTH_EXTLOOKUP_WANT_USID (1<<8) |
96 | #define KAUTH_EXTLOOKUP_WANT_GID (1<<9) |
97 | #define KAUTH_EXTLOOKUP_WANT_GGUID (1<<10) |
98 | #define KAUTH_EXTLOOKUP_WANT_GSID (1<<11) |
99 | #define KAUTH_EXTLOOKUP_WANT_MEMBERSHIP (1<<12) |
100 | #define KAUTH_EXTLOOKUP_VALID_MEMBERSHIP (1<<13) |
101 | #define KAUTH_EXTLOOKUP_ISMEMBER (1<<14) |
102 | #define KAUTH_EXTLOOKUP_VALID_PWNAM (1<<15) |
103 | #define KAUTH_EXTLOOKUP_WANT_PWNAM (1<<16) |
104 | #define KAUTH_EXTLOOKUP_VALID_GRNAM (1<<17) |
105 | #define KAUTH_EXTLOOKUP_WANT_GRNAM (1<<18) |
106 | #define KAUTH_EXTLOOKUP_VALID_SUPGRPS (1<<19) |
107 | #define KAUTH_EXTLOOKUP_WANT_SUPGRPS (1<<20) |
108 | |
109 | __darwin_pid_t el_info_pid; /* request on behalf of PID */ |
110 | u_int64_t el_extend; /* extension field */ |
111 | u_int32_t el_info_reserved_1; /* reserved (APPLE) */ |
112 | |
113 | uid_t el_uid; /* user ID */ |
114 | guid_t el_uguid; /* user GUID */ |
115 | u_int32_t el_uguid_valid; /* TTL on translation result (seconds) */ |
116 | ntsid_t el_usid; /* user NT SID */ |
117 | u_int32_t el_usid_valid; /* TTL on translation result (seconds) */ |
118 | gid_t el_gid; /* group ID */ |
119 | guid_t el_gguid; /* group GUID */ |
120 | u_int32_t el_gguid_valid; /* TTL on translation result (seconds) */ |
121 | ntsid_t el_gsid; /* group SID */ |
122 | u_int32_t el_gsid_valid; /* TTL on translation result (seconds) */ |
123 | u_int32_t el_member_valid; /* TTL on group lookup result */ |
124 | u_int32_t el_sup_grp_cnt; /* count of supplemental groups up to NGROUPS */ |
125 | gid_t el_sup_groups[NGROUPS_MAX]; /* supplemental group list */ |
126 | }; |
127 | |
128 | struct kauth_cache_sizes { |
129 | u_int32_t kcs_group_size; |
130 | u_int32_t kcs_id_size; |
131 | }; |
132 | |
133 | #define KAUTH_EXTLOOKUP_REGISTER (0) |
134 | #define KAUTH_EXTLOOKUP_RESULT (1<<0) |
135 | #define KAUTH_EXTLOOKUP_WORKER (1<<1) |
136 | #define KAUTH_EXTLOOKUP_DEREGISTER (1<<2) |
137 | #define KAUTH_GET_CACHE_SIZES (1<<3) |
138 | #define KAUTH_SET_CACHE_SIZES (1<<4) |
139 | #define KAUTH_CLEAR_CACHES (1<<5) |
140 | |
141 | #define IDENTITYSVC_ENTITLEMENT "com.apple.private.identitysvc" |
142 | |
143 | |
144 | #ifdef KERNEL |
145 | /* |
146 | * Credentials. |
147 | */ |
148 | |
149 | #if 0 |
150 | /* |
151 | * Supplemental credential data. |
152 | * |
153 | * This interface allows us to associate arbitrary data with a credential. |
154 | * As with the credential, the data is considered immutable. |
155 | */ |
156 | struct kauth_cred_supplement { |
157 | TAILQ_ENTRY(kauth_cred_supplement) kcs_link; |
158 | |
159 | int kcs_ref; /* reference count */ |
160 | int kcs_id; /* vended identifier */ |
161 | size_t kcs_size; /* size of data field */ |
162 | char kcs_data[0]; |
163 | }; |
164 | |
165 | typedef struct kauth_cred_supplement *kauth_cred_supplement_t; |
166 | |
167 | struct kauth_cred { |
168 | TAILQ_ENTRY(kauth_cred) kc_link; |
169 | |
170 | int kc_ref; /* reference count */ |
171 | uid_t kc_uid; /* effective user id */ |
172 | uid_t kc_ruid; /* real user id */ |
173 | uid_t kc_svuid; /* saved user id */ |
174 | gid_t kc_gid; /* effective group id */ |
175 | gid_t kc_rgid; /* real group id */ |
176 | gid_t kc_svgid; /* saved group id */ |
177 | |
178 | int kc_flags; |
179 | #define KAUTH_CRED_GRPOVERRIDE (1<<0) /* private group list is authoritative */ |
180 | |
181 | int kc_npvtgroups; /* private group list, advisory or authoritative */ |
182 | gid_t kc_pvtgroups[NGROUPS]; /* based on KAUTH_CRED_GRPOVERRIDE flag */ |
183 | |
184 | int kc_nsuppgroups; /* supplementary group list */ |
185 | gid_t *kc_suppgroups; |
186 | |
187 | int kc_nwhtgroups; /* whiteout group list */ |
188 | gid_t *kc_whtgroups; |
189 | |
190 | struct au_session cr_audit; /* user auditing data */ |
191 | |
192 | int kc_nsupplement; /* entry count in supplemental data pointer array */ |
193 | kauth_cred_supplement_t *kc_supplement; |
194 | }; |
195 | #else |
196 | |
197 | /* XXX just for now */ |
198 | #include <sys/ucred.h> |
199 | // typedef struct ucred *kauth_cred_t; |
200 | #endif |
201 | |
202 | /* Kernel SPI for now */ |
203 | __BEGIN_DECLS |
204 | /* |
205 | * Routines specific to credentials with POSIX credential labels attached |
206 | * |
207 | * XXX Should be in policy_posix.h, with struct posix_cred |
208 | */ |
209 | extern kauth_cred_t posix_cred_create(posix_cred_t pcred); |
210 | extern posix_cred_t posix_cred_get(kauth_cred_t cred); |
211 | extern void posix_cred_label(kauth_cred_t cred, posix_cred_t pcred); |
212 | extern int posix_cred_access(kauth_cred_t cred, id_t object_uid, id_t object_gid, mode_t object_mode, mode_t mode_req); |
213 | |
214 | extern uid_t kauth_getuid(void); |
215 | extern uid_t kauth_getruid(void); |
216 | extern gid_t kauth_getgid(void); |
217 | extern kauth_cred_t kauth_cred_get(void); |
218 | extern kauth_cred_t kauth_cred_get_with_ref(void); |
219 | extern kauth_cred_t kauth_cred_proc_ref(proc_t procp); |
220 | extern kauth_cred_t kauth_cred_create(kauth_cred_t cred); |
221 | extern void kauth_cred_ref(kauth_cred_t _cred); |
222 | #ifndef __LP64__ |
223 | /* Use kauth_cred_unref(), not kauth_cred_rele() */ |
224 | extern void kauth_cred_rele(kauth_cred_t _cred) __deprecated; |
225 | #endif |
226 | extern void kauth_cred_unref(kauth_cred_t *_cred); |
227 | |
228 | #if CONFIG_MACF |
229 | struct label; |
230 | extern kauth_cred_t kauth_cred_label_update(kauth_cred_t cred, struct label *label); |
231 | extern int kauth_proc_label_update(struct proc *p, struct label *label); |
232 | #else |
233 | /* this is a temp hack to cover us when MAC is not built in a kernel configuration. |
234 | * Since we cannot build our export list based on the kernel configuration we need |
235 | * to define a stub. |
236 | */ |
237 | extern kauth_cred_t kauth_cred_label_update(kauth_cred_t cred, void *label); |
238 | extern int kauth_proc_label_update(struct proc *p, void *label); |
239 | #endif |
240 | |
241 | extern kauth_cred_t kauth_cred_find(kauth_cred_t cred); |
242 | extern uid_t kauth_cred_getuid(kauth_cred_t _cred); |
243 | extern uid_t kauth_cred_getruid(kauth_cred_t _cred); |
244 | extern uid_t kauth_cred_getsvuid(kauth_cred_t _cred); |
245 | extern gid_t kauth_cred_getgid(kauth_cred_t _cred); |
246 | extern gid_t kauth_cred_getrgid(kauth_cred_t _cred); |
247 | extern gid_t kauth_cred_getsvgid(kauth_cred_t _cred); |
248 | extern int kauth_cred_pwnam2guid(char *pwnam, guid_t *guidp); |
249 | extern int kauth_cred_grnam2guid(char *grnam, guid_t *guidp); |
250 | extern int kauth_cred_guid2pwnam(guid_t *guidp, char *pwnam); |
251 | extern int kauth_cred_guid2grnam(guid_t *guidp, char *grnam); |
252 | extern int kauth_cred_guid2uid(guid_t *_guid, uid_t *_uidp); |
253 | extern int kauth_cred_guid2gid(guid_t *_guid, gid_t *_gidp); |
254 | extern int kauth_cred_ntsid2uid(ntsid_t *_sid, uid_t *_uidp); |
255 | extern int kauth_cred_ntsid2gid(ntsid_t *_sid, gid_t *_gidp); |
256 | extern int kauth_cred_ntsid2guid(ntsid_t *_sid, guid_t *_guidp); |
257 | extern int kauth_cred_uid2guid(uid_t _uid, guid_t *_guidp); |
258 | extern int kauth_cred_getguid(kauth_cred_t _cred, guid_t *_guidp); |
259 | extern int kauth_cred_gid2guid(gid_t _gid, guid_t *_guidp); |
260 | extern int kauth_cred_uid2ntsid(uid_t _uid, ntsid_t *_sidp); |
261 | extern int kauth_cred_getntsid(kauth_cred_t _cred, ntsid_t *_sidp); |
262 | extern int kauth_cred_gid2ntsid(gid_t _gid, ntsid_t *_sidp); |
263 | extern int kauth_cred_guid2ntsid(guid_t *_guid, ntsid_t *_sidp); |
264 | extern int kauth_cred_ismember_gid(kauth_cred_t _cred, gid_t _gid, int *_resultp); |
265 | extern int kauth_cred_ismember_guid(kauth_cred_t _cred, guid_t *_guidp, int *_resultp); |
266 | extern int kauth_cred_nfs4domain2dsnode(char *nfs4domain, char *dsnode); |
267 | extern int kauth_cred_dsnode2nfs4domain(char *dsnode, char *nfs4domain); |
268 | |
269 | extern int groupmember(gid_t gid, kauth_cred_t cred); |
270 | |
271 | /* currently only exported in unsupported for use by seatbelt */ |
272 | extern int kauth_cred_issuser(kauth_cred_t _cred); |
273 | |
274 | |
275 | /* GUID, NTSID helpers */ |
276 | extern guid_t kauth_null_guid; |
277 | extern int kauth_guid_equal(guid_t *_guid1, guid_t *_guid2); |
278 | #ifdef XNU_KERNEL_PRIVATE |
279 | extern int kauth_ntsid_equal(ntsid_t *_sid1, ntsid_t *_sid2); |
280 | #endif /* XNU_KERNEL_PRIVATE */ |
281 | |
282 | #ifdef XNU_KERNEL_PRIVATE |
283 | extern int kauth_wellknown_guid(guid_t *_guid); |
284 | #define KAUTH_WKG_NOT 0 /* not a well-known GUID */ |
285 | #define KAUTH_WKG_OWNER 1 |
286 | #define KAUTH_WKG_GROUP 2 |
287 | #define KAUTH_WKG_NOBODY 3 |
288 | #define KAUTH_WKG_EVERYBODY 4 |
289 | |
290 | extern kauth_cred_t kauth_cred_dup(kauth_cred_t cred); |
291 | extern gid_t kauth_getrgid(void); |
292 | extern kauth_cred_t kauth_cred_alloc(void); |
293 | extern int cantrace(proc_t cur_procp, kauth_cred_t creds, proc_t traced_procp, int *errp); |
294 | extern kauth_cred_t kauth_cred_copy_real(kauth_cred_t cred); |
295 | extern kauth_cred_t kauth_cred_setresuid(kauth_cred_t cred, uid_t ruid, uid_t euid, uid_t svuid, uid_t gmuid); |
296 | extern kauth_cred_t kauth_cred_setresgid(kauth_cred_t cred, gid_t rgid, gid_t egid, gid_t svgid); |
297 | extern kauth_cred_t kauth_cred_setuidgid(kauth_cred_t cred, uid_t uid, gid_t gid); |
298 | extern kauth_cred_t kauth_cred_setsvuidgid(kauth_cred_t cred, uid_t uid, gid_t gid); |
299 | extern kauth_cred_t kauth_cred_setgroups(kauth_cred_t cred, gid_t *groups, int groupcount, uid_t gmuid); |
300 | struct uthread; |
301 | extern void kauth_cred_uthread_update(struct uthread *, proc_t); |
302 | #ifdef CONFIG_MACF |
303 | extern void kauth_proc_label_update_execve(struct proc *p, struct vfs_context *ctx, struct vnode *vp, off_t offset, struct vnode *scriptvp, struct label *scriptlabel, struct label *execlabel, unsigned int *csflags, void *psattr, int *disjoint, int *update_return); |
304 | #endif |
305 | extern int kauth_cred_getgroups(kauth_cred_t _cred, gid_t *_groups, int *_groupcount); |
306 | extern int kauth_cred_assume(uid_t _uid); |
307 | extern int kauth_cred_gid_subset(kauth_cred_t _cred1, kauth_cred_t _cred2, int *_resultp); |
308 | struct auditinfo_addr; |
309 | extern kauth_cred_t kauth_cred_setauditinfo(kauth_cred_t, au_session_t *); |
310 | extern int kauth_cred_supplementary_register(const char *name, int *ident); |
311 | extern int kauth_cred_supplementary_add(kauth_cred_t cred, int ident, const void *data, size_t datasize); |
312 | extern int kauth_cred_supplementary_remove(kauth_cred_t cred, int ident); |
313 | |
314 | #endif /* XNU_KERNEL_PRIVATE */ |
315 | __END_DECLS |
316 | |
317 | #endif /* KERNEL */ |
318 | |
319 | /* |
320 | * Generic Access Control Lists. |
321 | */ |
322 | #if defined(KERNEL) || defined (_SYS_ACL_H) |
323 | |
324 | typedef u_int32_t kauth_ace_rights_t; |
325 | |
326 | /* Access Control List Entry (ACE) */ |
327 | struct kauth_ace { |
328 | guid_t ace_applicable; |
329 | u_int32_t ace_flags; |
330 | #define KAUTH_ACE_KINDMASK 0xf |
331 | #define KAUTH_ACE_PERMIT 1 |
332 | #define KAUTH_ACE_DENY 2 |
333 | #define KAUTH_ACE_AUDIT 3 /* not implemented */ |
334 | #define KAUTH_ACE_ALARM 4 /* not implemented */ |
335 | #define KAUTH_ACE_INHERITED (1<<4) |
336 | #define KAUTH_ACE_FILE_INHERIT (1<<5) |
337 | #define KAUTH_ACE_DIRECTORY_INHERIT (1<<6) |
338 | #define KAUTH_ACE_LIMIT_INHERIT (1<<7) |
339 | #define KAUTH_ACE_ONLY_INHERIT (1<<8) |
340 | #define KAUTH_ACE_SUCCESS (1<<9) /* not implemented (AUDIT/ALARM) */ |
341 | #define KAUTH_ACE_FAILURE (1<<10) /* not implemented (AUDIT/ALARM) */ |
342 | /* All flag bits controlling ACE inheritance */ |
343 | #define KAUTH_ACE_INHERIT_CONTROL_FLAGS \ |
344 | (KAUTH_ACE_FILE_INHERIT | \ |
345 | KAUTH_ACE_DIRECTORY_INHERIT | \ |
346 | KAUTH_ACE_LIMIT_INHERIT | \ |
347 | KAUTH_ACE_ONLY_INHERIT) |
348 | kauth_ace_rights_t ace_rights; /* scope specific */ |
349 | /* These rights are never tested, but may be present in an ACL */ |
350 | #define KAUTH_ACE_GENERIC_ALL (1<<21) |
351 | #define KAUTH_ACE_GENERIC_EXECUTE (1<<22) |
352 | #define KAUTH_ACE_GENERIC_WRITE (1<<23) |
353 | #define KAUTH_ACE_GENERIC_READ (1<<24) |
354 | |
355 | }; |
356 | |
357 | #ifndef _KAUTH_ACE |
358 | #define _KAUTH_ACE |
359 | typedef struct kauth_ace *kauth_ace_t; |
360 | #endif |
361 | |
362 | |
363 | /* Access Control List */ |
364 | struct kauth_acl { |
365 | u_int32_t acl_entrycount; |
366 | u_int32_t acl_flags; |
367 | |
368 | struct kauth_ace acl_ace[1]; |
369 | }; |
370 | |
371 | /* |
372 | * XXX this value needs to be raised - 3893388 |
373 | */ |
374 | #define KAUTH_ACL_MAX_ENTRIES 128 |
375 | |
376 | /* |
377 | * The low 16 bits of the flags field are reserved for filesystem |
378 | * internal use and must be preserved by all APIs. This includes |
379 | * round-tripping flags through user-space interfaces. |
380 | */ |
381 | #define KAUTH_ACL_FLAGS_PRIVATE (0xffff) |
382 | |
383 | /* |
384 | * The high 16 bits of the flags are used to store attributes and |
385 | * to request specific handling of the ACL. |
386 | */ |
387 | |
388 | /* inheritance will be deferred until the first rename operation */ |
389 | #define KAUTH_ACL_DEFER_INHERIT (1<<16) |
390 | /* this ACL must not be overwritten as part of an inheritance operation */ |
391 | #define KAUTH_ACL_NO_INHERIT (1<<17) |
392 | |
393 | /* acl_entrycount that tells us the ACL is not valid */ |
394 | #define KAUTH_FILESEC_NOACL ((u_int32_t)(-1)) |
395 | |
396 | /* |
397 | * If the acl_entrycount field is KAUTH_FILESEC_NOACL, then the size is the |
398 | * same as a kauth_acl structure; the intent is to put an actual entrycount of |
399 | * KAUTH_FILESEC_NOACL on disk to distinguish a kauth_filesec_t with an empty |
400 | * entry (Windows treats this as "deny all") from one that merely indicates a |
401 | * file group and/or owner guid values. |
402 | */ |
403 | #define KAUTH_ACL_SIZE(c) (__offsetof(struct kauth_acl, acl_ace) + ((u_int32_t)(c) != KAUTH_FILESEC_NOACL ? ((c) * sizeof(struct kauth_ace)) : 0)) |
404 | #define KAUTH_ACL_COPYSIZE(p) KAUTH_ACL_SIZE((p)->acl_entrycount) |
405 | |
406 | |
407 | #ifndef _KAUTH_ACL |
408 | #define _KAUTH_ACL |
409 | typedef struct kauth_acl *kauth_acl_t; |
410 | #endif |
411 | |
412 | #ifdef KERNEL |
413 | __BEGIN_DECLS |
414 | kauth_acl_t kauth_acl_alloc(int size); |
415 | void kauth_acl_free(kauth_acl_t fsp); |
416 | __END_DECLS |
417 | #endif |
418 | |
419 | |
420 | /* |
421 | * Extended File Security. |
422 | */ |
423 | |
424 | /* File Security information */ |
425 | struct kauth_filesec { |
426 | u_int32_t fsec_magic; |
427 | #define KAUTH_FILESEC_MAGIC 0x012cc16d |
428 | guid_t fsec_owner; |
429 | guid_t fsec_group; |
430 | |
431 | struct kauth_acl fsec_acl; |
432 | }; |
433 | |
434 | /* backwards compatibility */ |
435 | #define fsec_entrycount fsec_acl.acl_entrycount |
436 | #define fsec_flags fsec_acl.acl_flags |
437 | #define fsec_ace fsec_acl.acl_ace |
438 | #define KAUTH_FILESEC_FLAGS_PRIVATE KAUTH_ACL_FLAGS_PRIVATE |
439 | #define KAUTH_FILESEC_DEFER_INHERIT KAUTH_ACL_DEFER_INHERIT |
440 | #define KAUTH_FILESEC_NO_INHERIT KAUTH_ACL_NO_INHERIT |
441 | #define KAUTH_FILESEC_NONE ((kauth_filesec_t)0) |
442 | #define KAUTH_FILESEC_WANTED ((kauth_filesec_t)1) |
443 | |
444 | #ifndef _KAUTH_FILESEC |
445 | #define _KAUTH_FILESEC |
446 | typedef struct kauth_filesec *kauth_filesec_t; |
447 | #endif |
448 | |
449 | #define KAUTH_FILESEC_SIZE(c) (__offsetof(struct kauth_filesec, fsec_acl) + __offsetof(struct kauth_acl, acl_ace) + (c) * sizeof(struct kauth_ace)) |
450 | #define KAUTH_FILESEC_COPYSIZE(p) KAUTH_FILESEC_SIZE(((p)->fsec_entrycount == KAUTH_FILESEC_NOACL) ? 0 : (p)->fsec_entrycount) |
451 | #define KAUTH_FILESEC_COUNT(s) (((s) - KAUTH_FILESEC_SIZE(0)) / sizeof(struct kauth_ace)) |
452 | #define KAUTH_FILESEC_VALID(s) ((s) >= KAUTH_FILESEC_SIZE(0) && (((s) - KAUTH_FILESEC_SIZE(0)) % sizeof(struct kauth_ace)) == 0) |
453 | |
454 | #define KAUTH_FILESEC_XATTR "com.apple.system.Security" |
455 | |
456 | /* Allowable first arguments to kauth_filesec_acl_setendian() */ |
457 | #define KAUTH_ENDIAN_HOST 0x00000001 /* set host endianness */ |
458 | #define KAUTH_ENDIAN_DISK 0x00000002 /* set disk endianness */ |
459 | |
460 | #endif /* KERNEL || <sys/acl.h> */ |
461 | |
462 | |
463 | #ifdef KERNEL |
464 | |
465 | |
466 | /* |
467 | * Scope management. |
468 | */ |
469 | struct kauth_scope; |
470 | typedef struct kauth_scope *kauth_scope_t; |
471 | struct kauth_listener; |
472 | typedef struct kauth_listener *kauth_listener_t; |
473 | #ifndef _KAUTH_ACTION_T |
474 | typedef int kauth_action_t; |
475 | # define _KAUTH_ACTION_T |
476 | #endif |
477 | |
478 | typedef int (* kauth_scope_callback_t)(kauth_cred_t _credential, |
479 | void *_idata, |
480 | kauth_action_t _action, |
481 | uintptr_t _arg0, |
482 | uintptr_t _arg1, |
483 | uintptr_t _arg2, |
484 | uintptr_t _arg3); |
485 | |
486 | #define KAUTH_RESULT_ALLOW (1) |
487 | #define KAUTH_RESULT_DENY (2) |
488 | #define KAUTH_RESULT_DEFER (3) |
489 | |
490 | struct kauth_acl_eval { |
491 | kauth_ace_t ae_acl; |
492 | int ae_count; |
493 | kauth_ace_rights_t ae_requested; |
494 | kauth_ace_rights_t ae_residual; |
495 | int ae_result; |
496 | boolean_t ae_found_deny; |
497 | int ae_options; |
498 | #define KAUTH_AEVAL_IS_OWNER (1<<0) /* authorizing operation for owner */ |
499 | #define KAUTH_AEVAL_IN_GROUP (1<<1) /* authorizing operation for groupmember */ |
500 | #define KAUTH_AEVAL_IN_GROUP_UNKNOWN (1<<2) /* authorizing operation for unknown group membership */ |
501 | /* expansions for 'generic' rights bits */ |
502 | kauth_ace_rights_t ae_exp_gall; |
503 | kauth_ace_rights_t ae_exp_gread; |
504 | kauth_ace_rights_t ae_exp_gwrite; |
505 | kauth_ace_rights_t ae_exp_gexec; |
506 | }; |
507 | |
508 | typedef struct kauth_acl_eval *kauth_acl_eval_t; |
509 | |
510 | __BEGIN_DECLS |
511 | kauth_filesec_t kauth_filesec_alloc(int size); |
512 | void kauth_filesec_free(kauth_filesec_t fsp); |
513 | extern kauth_scope_t kauth_register_scope(const char *_identifier, kauth_scope_callback_t _callback, void *_idata); |
514 | extern void kauth_deregister_scope(kauth_scope_t _scope); |
515 | extern kauth_listener_t kauth_listen_scope(const char *_identifier, kauth_scope_callback_t _callback, void *_idata); |
516 | extern void kauth_unlisten_scope(kauth_listener_t _scope); |
517 | extern int kauth_authorize_action(kauth_scope_t _scope, kauth_cred_t _credential, kauth_action_t _action, |
518 | uintptr_t _arg0, uintptr_t _arg1, uintptr_t _arg2, uintptr_t _arg3); |
519 | |
520 | /* default scope handlers */ |
521 | extern int kauth_authorize_allow(kauth_cred_t _credential, void *_idata, kauth_action_t _action, |
522 | uintptr_t _arg0, uintptr_t _arg1, uintptr_t _arg2, uintptr_t _arg3); |
523 | |
524 | |
525 | #ifdef XNU_KERNEL_PRIVATE |
526 | void kauth_filesec_acl_setendian(int, kauth_filesec_t, kauth_acl_t); |
527 | int kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp); |
528 | extern int kauth_acl_evaluate(kauth_cred_t _credential, kauth_acl_eval_t _eval); |
529 | extern int kauth_acl_inherit(vnode_t _dvp, kauth_acl_t _initial, kauth_acl_t *_product, int _isdir, vfs_context_t _ctx); |
530 | |
531 | #endif /* XNU_KERNEL_PRIVATE */ |
532 | |
533 | |
534 | __END_DECLS |
535 | |
536 | /* |
537 | * Generic scope. |
538 | */ |
539 | #define KAUTH_SCOPE_GENERIC "com.apple.kauth.generic" |
540 | |
541 | /* Actions */ |
542 | #define KAUTH_GENERIC_ISSUSER 1 |
543 | |
544 | #ifdef XNU_KERNEL_PRIVATE |
545 | __BEGIN_DECLS |
546 | extern int kauth_authorize_generic(kauth_cred_t credential, kauth_action_t action); |
547 | __END_DECLS |
548 | #endif /* XNU_KERNEL_PRIVATE */ |
549 | |
550 | /* |
551 | * Process/task scope. |
552 | */ |
553 | #define KAUTH_SCOPE_PROCESS "com.apple.kauth.process" |
554 | |
555 | /* Actions */ |
556 | #define KAUTH_PROCESS_CANSIGNAL 1 |
557 | #define KAUTH_PROCESS_CANTRACE 2 |
558 | |
559 | __BEGIN_DECLS |
560 | extern int kauth_authorize_process(kauth_cred_t _credential, kauth_action_t _action, |
561 | struct proc *_process, uintptr_t _arg1, uintptr_t _arg2, uintptr_t _arg3); |
562 | __END_DECLS |
563 | |
564 | /* |
565 | * Vnode operation scope. |
566 | * |
567 | * Prototype for vnode_authorize is in vnode.h |
568 | */ |
569 | #define KAUTH_SCOPE_VNODE "com.apple.kauth.vnode" |
570 | |
571 | /* |
572 | * File system operation scope. |
573 | * |
574 | */ |
575 | #define KAUTH_SCOPE_FILEOP "com.apple.kauth.fileop" |
576 | |
577 | /* Actions */ |
578 | #define KAUTH_FILEOP_OPEN 1 |
579 | #define KAUTH_FILEOP_CLOSE 2 |
580 | #define KAUTH_FILEOP_RENAME 3 |
581 | #define KAUTH_FILEOP_EXCHANGE 4 |
582 | #define KAUTH_FILEOP_LINK 5 |
583 | #define KAUTH_FILEOP_EXEC 6 |
584 | #define KAUTH_FILEOP_DELETE 7 |
585 | #define KAUTH_FILEOP_WILL_RENAME 8 |
586 | |
587 | /* |
588 | * arguments passed to KAUTH_FILEOP_OPEN listeners |
589 | * arg0 is pointer to vnode (vnode *) for given user path. |
590 | * arg1 is pointer to path (char *) passed in to open. |
591 | * arguments passed to KAUTH_FILEOP_CLOSE listeners |
592 | * arg0 is pointer to vnode (vnode *) for file to be closed. |
593 | * arg1 is pointer to path (char *) of file to be closed. |
594 | * arg2 is close flags. |
595 | * arguments passed to KAUTH_FILEOP_WILL_RENAME listeners |
596 | * arg0 is pointer to vnode (vnode *) of the file being renamed |
597 | * arg1 is pointer to the "from" path (char *) |
598 | * arg2 is pointer to the "to" path (char *) |
599 | * arguments passed to KAUTH_FILEOP_RENAME listeners |
600 | * arg0 is pointer to "from" path (char *). |
601 | * arg1 is pointer to "to" path (char *). |
602 | * arguments passed to KAUTH_FILEOP_EXCHANGE listeners |
603 | * arg0 is pointer to file 1 path (char *). |
604 | * arg1 is pointer to file 2 path (char *). |
605 | * arguments passed to KAUTH_FILEOP_LINK listeners |
606 | * arg0 is pointer to path to file we are linking to (char *). |
607 | * arg1 is pointer to path to the new link file (char *). |
608 | * arguments passed to KAUTH_FILEOP_EXEC listeners |
609 | * arg0 is pointer to vnode (vnode *) for executable. |
610 | * arg1 is pointer to path (char *) to executable. |
611 | * arguments passed to KAUTH_FILEOP_DELETE listeners |
612 | * arg0 is pointer to vnode (vnode *) of file/dir that was deleted. |
613 | * arg1 is pointer to path (char *) of file/dir that was deleted. |
614 | */ |
615 | |
616 | /* Flag values returned to close listeners. */ |
617 | #define KAUTH_FILEOP_CLOSE_MODIFIED (1<<1) |
618 | |
619 | __BEGIN_DECLS |
620 | #ifdef XNU_KERNEL_PRIVATE |
621 | extern int kauth_authorize_fileop_has_listeners(void); |
622 | #endif /* XNU_KERNEL_PRIVATE */ |
623 | extern int kauth_authorize_fileop(kauth_cred_t _credential, kauth_action_t _action, |
624 | uintptr_t _arg0, uintptr_t _arg1); |
625 | __END_DECLS |
626 | |
627 | #endif /* KERNEL */ |
628 | |
629 | /* Actions, also rights bits in an ACE */ |
630 | |
631 | #if defined(KERNEL) || defined (_SYS_ACL_H) |
632 | #define KAUTH_VNODE_READ_DATA (1<<1) |
633 | #define KAUTH_VNODE_LIST_DIRECTORY KAUTH_VNODE_READ_DATA |
634 | #define KAUTH_VNODE_WRITE_DATA (1<<2) |
635 | #define KAUTH_VNODE_ADD_FILE KAUTH_VNODE_WRITE_DATA |
636 | #define KAUTH_VNODE_EXECUTE (1<<3) |
637 | #define KAUTH_VNODE_SEARCH KAUTH_VNODE_EXECUTE |
638 | #define KAUTH_VNODE_DELETE (1<<4) |
639 | #define KAUTH_VNODE_APPEND_DATA (1<<5) |
640 | #define KAUTH_VNODE_ADD_SUBDIRECTORY KAUTH_VNODE_APPEND_DATA |
641 | #define KAUTH_VNODE_DELETE_CHILD (1<<6) |
642 | #define KAUTH_VNODE_READ_ATTRIBUTES (1<<7) |
643 | #define KAUTH_VNODE_WRITE_ATTRIBUTES (1<<8) |
644 | #define KAUTH_VNODE_READ_EXTATTRIBUTES (1<<9) |
645 | #define KAUTH_VNODE_WRITE_EXTATTRIBUTES (1<<10) |
646 | #define KAUTH_VNODE_READ_SECURITY (1<<11) |
647 | #define KAUTH_VNODE_WRITE_SECURITY (1<<12) |
648 | #define KAUTH_VNODE_TAKE_OWNERSHIP (1<<13) |
649 | |
650 | /* backwards compatibility only */ |
651 | #define KAUTH_VNODE_CHANGE_OWNER KAUTH_VNODE_TAKE_OWNERSHIP |
652 | |
653 | /* For Windows interoperability only */ |
654 | #define KAUTH_VNODE_SYNCHRONIZE (1<<20) |
655 | |
656 | /* (1<<21) - (1<<24) are reserved for generic rights bits */ |
657 | |
658 | /* Actions not expressed as rights bits */ |
659 | /* |
660 | * Authorizes the vnode as the target of a hard link. |
661 | */ |
662 | #define KAUTH_VNODE_LINKTARGET (1<<25) |
663 | |
664 | /* |
665 | * Indicates that other steps have been taken to authorise the action, |
666 | * but authorisation should be denied for immutable objects. |
667 | */ |
668 | #define KAUTH_VNODE_CHECKIMMUTABLE (1<<26) |
669 | |
670 | /* Action modifiers */ |
671 | /* |
672 | * The KAUTH_VNODE_ACCESS bit is passed to the callback if the authorisation |
673 | * request in progress is advisory, rather than authoritative. Listeners |
674 | * performing consequential work (i.e. not strictly checking authorisation) |
675 | * may test this flag to avoid performing unnecessary work. |
676 | * |
677 | * This bit will never be present in an ACE. |
678 | */ |
679 | #define KAUTH_VNODE_ACCESS (1<<31) |
680 | |
681 | /* |
682 | * The KAUTH_VNODE_NOIMMUTABLE bit is passed to the callback along with the |
683 | * KAUTH_VNODE_WRITE_SECURITY bit (and no others) to indicate that the |
684 | * caller wishes to change one or more of the immutable flags, and the |
685 | * state of these flags should not be considered when authorizing the request. |
686 | * The system immutable flags are only ignored when the system securelevel |
687 | * is low enough to allow their removal. |
688 | */ |
689 | #define KAUTH_VNODE_NOIMMUTABLE (1<<30) |
690 | |
691 | |
692 | /* |
693 | * fake right that is composed by the following... |
694 | * vnode must have search for owner, group and world allowed |
695 | * plus there must be no deny modes present for SEARCH... this fake |
696 | * right is used by the fast lookup path to avoid checking |
697 | * for an exact match on the last credential to lookup |
698 | * the component being acted on |
699 | */ |
700 | #define KAUTH_VNODE_SEARCHBYANYONE (1<<29) |
701 | |
702 | |
703 | /* |
704 | * when passed as an 'action' to "vnode_uncache_authorized_actions" |
705 | * it indicates that all of the cached authorizations for that |
706 | * vnode should be invalidated |
707 | */ |
708 | #define KAUTH_INVALIDATE_CACHED_RIGHTS ((kauth_action_t)~0) |
709 | |
710 | |
711 | |
712 | /* The expansions of the GENERIC bits at evaluation time */ |
713 | #define KAUTH_VNODE_GENERIC_READ_BITS (KAUTH_VNODE_READ_DATA | \ |
714 | KAUTH_VNODE_READ_ATTRIBUTES | \ |
715 | KAUTH_VNODE_READ_EXTATTRIBUTES | \ |
716 | KAUTH_VNODE_READ_SECURITY) |
717 | |
718 | #define KAUTH_VNODE_GENERIC_WRITE_BITS (KAUTH_VNODE_WRITE_DATA | \ |
719 | KAUTH_VNODE_APPEND_DATA | \ |
720 | KAUTH_VNODE_DELETE | \ |
721 | KAUTH_VNODE_DELETE_CHILD | \ |
722 | KAUTH_VNODE_WRITE_ATTRIBUTES | \ |
723 | KAUTH_VNODE_WRITE_EXTATTRIBUTES | \ |
724 | KAUTH_VNODE_WRITE_SECURITY) |
725 | |
726 | #define KAUTH_VNODE_GENERIC_EXECUTE_BITS (KAUTH_VNODE_EXECUTE) |
727 | |
728 | #define KAUTH_VNODE_GENERIC_ALL_BITS (KAUTH_VNODE_GENERIC_READ_BITS | \ |
729 | KAUTH_VNODE_GENERIC_WRITE_BITS | \ |
730 | KAUTH_VNODE_GENERIC_EXECUTE_BITS) |
731 | |
732 | /* |
733 | * Some sets of bits, defined here for convenience. |
734 | */ |
735 | #define KAUTH_VNODE_WRITE_RIGHTS (KAUTH_VNODE_ADD_FILE | \ |
736 | KAUTH_VNODE_ADD_SUBDIRECTORY | \ |
737 | KAUTH_VNODE_DELETE_CHILD | \ |
738 | KAUTH_VNODE_WRITE_DATA | \ |
739 | KAUTH_VNODE_APPEND_DATA | \ |
740 | KAUTH_VNODE_DELETE | \ |
741 | KAUTH_VNODE_WRITE_ATTRIBUTES | \ |
742 | KAUTH_VNODE_WRITE_EXTATTRIBUTES | \ |
743 | KAUTH_VNODE_WRITE_SECURITY | \ |
744 | KAUTH_VNODE_TAKE_OWNERSHIP | \ |
745 | KAUTH_VNODE_LINKTARGET | \ |
746 | KAUTH_VNODE_CHECKIMMUTABLE) |
747 | |
748 | |
749 | #endif /* KERNEL || <sys/acl.h> */ |
750 | |
751 | #ifdef KERNEL |
752 | #include <sys/lock.h> /* lck_grp_t */ |
753 | |
754 | /* |
755 | * Debugging |
756 | * |
757 | * XXX this wouldn't be necessary if we had a *real* debug-logging system. |
758 | */ |
759 | #if 0 |
760 | # ifndef _FN_KPRINTF |
761 | # define _FN_KPRINTF |
762 | void kprintf(const char *fmt, ...); |
763 | # endif /* !_FN_KPRINTF */ |
764 | # define KAUTH_DEBUG_ENABLE |
765 | # define K_UUID_FMT "%08x:%08x:%08x:%08x" |
766 | # define K_UUID_ARG(_u) *(int *)&_u.g_guid[0],*(int *)&_u.g_guid[4],*(int *)&_u.g_guid[8],*(int *)&_u.g_guid[12] |
767 | # define KAUTH_DEBUG(fmt, args...) do { kprintf("%s:%d: " fmt "\n", __PRETTY_FUNCTION__, __LINE__ , ##args); } while (0) |
768 | # define KAUTH_DEBUG_CTX(_c) KAUTH_DEBUG("p = %p c = %p", _c->vc_proc, _c->vc_ucred) |
769 | # define VFS_DEBUG(_ctx, _vp, fmt, args...) \ |
770 | do { \ |
771 | kprintf("%p '%s' %s:%d " fmt "\n", \ |
772 | _ctx, \ |
773 | (_vp != NULL && _vp->v_name != NULL) ? _vp->v_name : "????", \ |
774 | __PRETTY_FUNCTION__, __LINE__ , \ |
775 | ##args); \ |
776 | } while(0) |
777 | #else /* !0 */ |
778 | # define KAUTH_DEBUG(fmt, args...) do { } while (0) |
779 | # define VFS_DEBUG(ctx, vp, fmt, args...) do { } while(0) |
780 | #endif /* !0 */ |
781 | |
782 | /* |
783 | * Initialisation. |
784 | */ |
785 | extern lck_grp_t *kauth_lck_grp; |
786 | #ifdef XNU_KERNEL_PRIVATE |
787 | __BEGIN_DECLS |
788 | extern void kauth_init(void); |
789 | extern void kauth_cred_init(void); |
790 | #if CONFIG_EXT_RESOLVER |
791 | extern void kauth_identity_init(void); |
792 | extern void kauth_groups_init(void); |
793 | extern void kauth_resolver_init(void); |
794 | #endif |
795 | __END_DECLS |
796 | #endif /* XNU_KERNEL_PRIVATE */ |
797 | |
798 | #endif /* KERNEL */ |
799 | |
800 | #endif /* __APPLE_API_EVOLVING */ |
801 | #endif /* _SYS_KAUTH_H */ |
802 | |