kern_cs.c source code [xnu/bsd/kern/kern_cs.c]

1	/*
2	* Copyright (c) 2000-2012 Apple Inc. All rights reserved.
3	*
4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5	*
6	* This file contains Original Code and/or Modifications of Original Code
7	* as defined in and that are subject to the Apple Public Source License
8	* Version 2.0 (the 'License'). You may not use this file except in
9	* compliance with the License. The rights granted to you under the License
10	* may not be used to create, or enable the creation or redistribution of,
11	* unlawful or unlicensed copies of an Apple operating system, or to
12	* circumvent, violate, or enable the circumvention or violation of, any
13	* terms of an Apple operating system software license agreement.
14	*
15	* Please obtain a copy of the License at
16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
17	*
18	* The Original Code and all software distributed under the License are
19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23	* Please see the License for the specific language governing rights and
24	* limitations under the License.
25	*
26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27	*/
28
29	#include <sys/types.h>
30	#include <sys/param.h>
31	#include <sys/systm.h>
32	#include <sys/kernel.h>
33	#include <sys/proc_internal.h>
34	#include <sys/sysctl.h>
35	#include <sys/signal.h>
36	#include <sys/signalvar.h>
37	#include <sys/codesign.h>
38	#include <sys/code_signing.h>
39
40	#include <sys/fcntl.h>
41	#include <sys/file.h>
42	#include <sys/file_internal.h>
43	#include <sys/kauth.h>
44	#include <sys/mount.h>
45	#include <sys/msg.h>
46	#include <sys/proc.h>
47	#include <sys/socketvar.h>
48	#include <sys/vnode.h>
49	#include <sys/vnode_internal.h>
50
51	#include <sys/ubc.h>
52	#include <sys/ubc_internal.h>
53
54	#include <security/mac.h>
55	#include <security/mac_policy.h>
56	#include <security/mac_framework.h>
57
58	#include <mach/mach_types.h>
59	#include <mach/vm_map.h>
60	#include <mach/mach_vm.h>
61
62	#include <kern/kern_types.h>
63	#include <kern/startup.h>
64	#include <kern/task.h>
65
66	#include <vm/vm_map.h>
67	#include <vm/pmap.h>
68	#include <vm/vm_kern.h>
69
70
71	#include <kern/assert.h>
72	#include <kern/cs_blobs.h>
73
74	#include <pexpert/pexpert.h>
75
76	#include <mach/shared_region.h>
77
78	#include <libkern/section_keywords.h>
79	#include <libkern/amfi/amfi.h>
80
81
82	unsigned long cs_procs_killed = `0`;
83	unsigned long cs_procs_invalidated = `0`;
84
85	int cs_force_kill = `0`;
86	int cs_force_hard = `0`;
87	int cs_debug = `0`;
88	// If set, AMFI will error out early on unsigned code, before evaluation the normal policy.
89	int cs_debug_fail_on_unsigned_code = `0`;
90	// If the previous mode is enabled, we count the resulting failures here.
91	unsigned int cs_debug_unsigned_exec_failures = `0`;
92	unsigned int cs_debug_unsigned_mmap_failures = `0`;
93
94	#if CONFIG_ENFORCE_SIGNED_CODE
95	#define DEFAULT_CS_SYSTEM_ENFORCEMENT_ENABLE 1
96	#define DEFAULT_CS_PROCESS_ENFORCEMENT_ENABLE 1
97	#else
98	#define DEFAULT_CS_SYSTEM_ENFORCEMENT_ENABLE 1
99	#define DEFAULT_CS_PROCESS_ENFORCEMENT_ENABLE 0
100	#endif
101
102	#if CONFIG_ENFORCE_LIBRARY_VALIDATION
103	#define DEFAULT_CS_LIBRARY_VA_ENABLE 1
104	#else
105	#define DEFAULT_CS_LIBRARY_VA_ENABLE 0
106	#endif
107
108	#if SECURE_KERNEL
109
110	/*
111	* Here we split cs_enforcement_enable into cs_system_enforcement_enable and cs_process_enforcement_enable
112	*
113	* cs_system_enforcement_enable governs whether or not system level code signing enforcement mechanisms
114	* are applied on the system. Today, the only such mechanism is code signing enforcement of the dyld shared
115	* cache.
116	*
117	* cs_process_enforcement_enable governs whether code signing enforcement mechanisms are applied to all
118	* processes or only those that opt into such enforcement.
119	*
120	* (On iOS and related, both of these are set by default. On macOS, only cs_system_enforcement_enable
121	* is set by default. Processes can then be opted into code signing enforcement on a case by case basis.)
122	*/
123	SECURITY_READ_ONLY_EARLY(int) cs_system_enforcement_enable = DEFAULT_CS_SYSTEM_ENFORCEMENT_ENABLE;
124	SECURITY_READ_ONLY_EARLY(int) cs_process_enforcement_enable = DEFAULT_CS_PROCESS_ENFORCEMENT_ENABLE;
125	SECURITY_READ_ONLY_EARLY(int) cs_library_val_enable = DEFAULT_CS_LIBRARY_VA_ENABLE;
126
127	#else /* !SECURE_KERNEL */
128	int cs_enforcement_panic = `0`;
129	int cs_relax_platform_task_ports = `0`;
130
131	SECURITY_READ_ONLY_LATE(int) cs_system_enforcement_enable = DEFAULT_CS_SYSTEM_ENFORCEMENT_ENABLE;
132	SECURITY_READ_ONLY_LATE(int) cs_process_enforcement_enable = DEFAULT_CS_PROCESS_ENFORCEMENT_ENABLE;
133
134	SECURITY_READ_ONLY_LATE(int) cs_library_val_enable = DEFAULT_CS_LIBRARY_VA_ENABLE;
135
136	#endif /* !SECURE_KERNEL */
137	int cs_all_vnodes = `0`;
138
139	SYSCTL_INT(_vm, OID_AUTO, cs_force_kill, CTLFLAG_RW \| CTLFLAG_LOCKED, &cs_force_kill, `0`, "");
140	SYSCTL_INT(_vm, OID_AUTO, cs_force_hard, CTLFLAG_RW \| CTLFLAG_LOCKED, &cs_force_hard, `0`, "");
141	SYSCTL_INT(_vm, OID_AUTO, cs_debug, CTLFLAG_RW \| CTLFLAG_LOCKED, &cs_debug, `0`, "");
142	SYSCTL_INT(_vm, OID_AUTO, cs_debug_fail_on_unsigned_code, CTLFLAG_RW \| CTLFLAG_LOCKED,
143	&cs_debug_fail_on_unsigned_code, `0`, "");
144	SYSCTL_UINT(_vm, OID_AUTO, cs_debug_unsigned_exec_failures, CTLFLAG_RD \| CTLFLAG_LOCKED,
145	&cs_debug_unsigned_exec_failures, `0`, "");
146	SYSCTL_UINT(_vm, OID_AUTO, cs_debug_unsigned_mmap_failures, CTLFLAG_RD \| CTLFLAG_LOCKED,
147	&cs_debug_unsigned_mmap_failures, `0`, "");
148
149	SYSCTL_INT(_vm, OID_AUTO, cs_all_vnodes, CTLFLAG_RW \| CTLFLAG_LOCKED, &cs_all_vnodes, `0`, "");
150
151	#if !SECURE_KERNEL
152	SYSCTL_INT(_vm, OID_AUTO, cs_system_enforcement, CTLFLAG_RD \| CTLFLAG_LOCKED, &cs_system_enforcement_enable, `0`, "");
153	SYSCTL_INT(_vm, OID_AUTO, cs_process_enforcement, CTLFLAG_RD \| CTLFLAG_LOCKED, &cs_process_enforcement_enable, `0`, "");
154	SYSCTL_INT(_vm, OID_AUTO, cs_enforcement_panic, CTLFLAG_RW \| CTLFLAG_LOCKED, &cs_enforcement_panic, `0`, "");
155
156	#if !CONFIG_ENFORCE_LIBRARY_VALIDATION
157	SYSCTL_INT(_vm, OID_AUTO, cs_library_validation, CTLFLAG_RD \| CTLFLAG_LOCKED, &cs_library_val_enable, `0`, "");
158	#endif
159	#endif /* !SECURE_KERNEL */
160
161	__startup_func
162	static void
163	cs_init(void)
164	{
165	#if !SECURE_KERNEL
166	int disable_cs_enforcement = `0`;
167	PE_parse_boot_argn(arg_string: "cs_enforcement_disable", arg_ptr: &disable_cs_enforcement,
168	max_arg: sizeof(disable_cs_enforcement));
169	if (disable_cs_enforcement && PE_i_can_has_debugger(NULL) != `0`) {
170	cs_system_enforcement_enable = `0`;
171	cs_process_enforcement_enable = `0`;
172	} else {
173	int panic = `0`;
174	PE_parse_boot_argn(arg_string: "cs_enforcement_panic", arg_ptr: &panic, max_arg: sizeof(panic));
175	cs_enforcement_panic = (panic != `0`);
176	}
177
178	PE_parse_boot_argn(arg_string: "cs_relax_platform_task_ports",
179	arg_ptr: &cs_relax_platform_task_ports,
180	max_arg: sizeof(cs_relax_platform_task_ports));
181
182	PE_parse_boot_argn(arg_string: "cs_debug", arg_ptr: &cs_debug, max_arg: sizeof(cs_debug));
183
184	#if !CONFIG_ENFORCE_LIBRARY_VALIDATION
185	PE_parse_boot_argn(arg_string: "cs_library_val_enable", arg_ptr: &cs_library_val_enable,
186	max_arg: sizeof(cs_library_val_enable));
187	#endif
188	#endif /* !SECURE_KERNEL */
189	}
190	STARTUP(CODESIGNING, STARTUP_RANK_FIRST, cs_init);
191
192	int
193	cs_allow_invalid(struct proc *p)
194	{
195	uint64_t flags;
196
197	#if MACH_ASSERT
198	lck_mtx_assert(&p->p_mlock, LCK_MTX_ASSERT_NOTOWNED);
199	#endif
200	#if CONFIG_MACF
201	/ There needs to be a MAC policy to implement this hook, or else the*
202	* kill bits will be cleared here every time. If we have
203	* CONFIG_ENFORCE_SIGNED_CODE, we can assume there is a policy
204	* implementing the hook.
205	*/
206	if (`0` != mac_proc_check_run_cs_invalid(proc: p)) {
207	if (cs_debug) {
208	printf("CODE SIGNING: cs_allow_invalid() "
209	"not allowed: pid %d\n",
210	proc_getpid(p));
211	}
212	return `0`;
213	}
214	if (cs_debug) {
215	printf("CODE SIGNING: cs_allow_invalid() "
216	"allowed: pid %d\n",
217	proc_getpid(p));
218	}
219	proc_lock(p);
220	flags = proc_getcsflags(p) & ~(CS_KILL \| CS_HARD);
221	if (flags & CS_VALID) {
222	flags \|= CS_DEBUGGED;
223	}
224	proc_csflags_update(p, flags);
225
226	task_t procTask = proc_task(p);
227	if (procTask) {
228	vm_map_t proc_map = get_task_map_reference(procTask);
229	if (proc_map) {
230	if (vm_map_cs_wx_enable(map: proc_map) != KERN_SUCCESS) {
231	printf("CODE SIGNING: cs_allow_invalid() not allowed by pmap: pid %d\n", proc_getpid(p));
232	}
233	vm_map_deallocate(map: proc_map);
234	}
235	}
236
237	proc_unlock(p);
238
239	/ allow a debugged process to hide some (debug-only!) memory /
240	task_set_memory_ownership_transfer(task: proc_task(p), TRUE);
241
242	vm_map_switch_protect(map: get_task_map(proc_task(p)), FALSE);
243	vm_map_cs_debugged_set(map: get_task_map(proc_task(p)), TRUE);
244	#endif
245	return (proc_getcsflags(p) & (CS_KILL \| CS_HARD)) == `0`;
246	}
247
248	int
249	cs_invalid_page(addr64_t vaddr, boolean_t *cs_killed)
250	{
251	struct proc *p;
252	int send_kill = `0`, retval = `0`, verbose = cs_debug;
253	uint64_t flags;
254
255	p = current_proc();
256
257	if (verbose) {
258	printf("CODE SIGNING: cs_invalid_page(0x%llx): p=%d[%s]\n",
259	vaddr, proc_getpid(p), p->p_comm);
260	}
261
262	proc_lock(p);
263
264	flags = proc_getcsflags(p);
265
266	/ XXX for testing /
267	if (cs_force_kill) {
268	flags \|= CS_KILL;
269	}
270	if (cs_force_hard) {
271	flags \|= CS_HARD;
272	}
273
274	/ CS_KILL triggers a kill signal, and no you can't have the page. Nothing else. /
275	if (flags & CS_KILL) {
276	flags \|= CS_KILLED;
277	cs_procs_killed++;
278	send_kill = `1`;
279	retval = `1`;
280	}
281
282	/ CS_HARD means fail the mapping operation so the process stays valid. /
283	if (flags & CS_HARD) {
284	retval = `1`;
285	proc_csflags_update(p, flags);
286	} else {
287	if (flags & CS_VALID) {
288	flags &= ~CS_VALID;
289	cs_procs_invalidated++;
290	verbose = `1`;
291	proc_csflags_update(p, flags);
292	cs_process_invalidated(NULL);
293	} else {
294	proc_csflags_update(p, flags);
295	}
296	}
297	proc_unlock(p);
298
299	if (verbose) {
300	printf("CODE SIGNING: cs_invalid_page(0x%llx): "
301	"p=%d[%s] final status 0x%x, %s page%s\n",
302	vaddr, proc_getpid(p), p->p_comm, (unsigned int)proc_getcsflags(p),
303	retval ? "denying" : "allowing (remove VALID)",
304	send_kill ? " sending SIGKILL" : "");
305	}
306
307	if (send_kill) {
308	/ We will set the exit reason for the thread later /
309	threadsignal(sig_actthread: current_thread(), SIGKILL, EXC_BAD_ACCESS, FALSE);
310	if (cs_killed) {
311	*cs_killed = TRUE;
312	}
313	} else if (cs_killed) {
314	*cs_killed = FALSE;
315	}
316
317	return retval;
318	}
319
320	/*
321	* Called after a process got its CS_VALID bit removed, either by
322	* a previous call to cs_invalid_page, or through other means.
323	* Called from fault handler with vm object lock held.
324	* Called with proc lock held for current_proc or, if passed in, p,
325	* to ensure MACF hook can suspend the task before other threads
326	* can access the memory that is paged in after cs_invalid_page
327	* returns 0 due to missing CS_HARD\|CS_KILL.
328	*/
329	void
330	cs_process_invalidated(struct proc * __unused p)
331	{
332	#if CONFIG_MACF
333	if (p == NULL) {
334	p = current_proc();
335	}
336	mac_proc_notify_cs_invalidated(proc: p);
337	#endif
338	}
339
340	/*
341	* Assumes p (if passed in) is locked with proc_lock().
342	*/
343
344	int
345	cs_process_enforcement(struct proc *p)
346	{
347	if (cs_process_enforcement_enable) {
348	return `1`;
349	}
350
351	if (p == NULL) {
352	p = current_proc();
353	}
354
355	if (p != NULL && (proc_getcsflags(p) & CS_ENFORCEMENT)) {
356	return `1`;
357	}
358
359	return `0`;
360	}
361
362	int
363	cs_process_global_enforcement(void)
364	{
365	return cs_process_enforcement_enable ? `1` : `0`;
366	}
367
368	int
369	cs_system_enforcement(void)
370	{
371	return cs_system_enforcement_enable ? `1` : `0`;
372	}
373
374	int
375	cs_vm_supports_4k_translations(void)
376	{
377	return `0`;
378	}
379
380
381	/*
382	* Returns whether a given process is still valid.
383	*/
384	int
385	cs_valid(struct proc *p)
386	{
387	if (p == NULL) {
388	p = current_proc();
389	}
390
391	if (p != NULL && (proc_getcsflags(p) & CS_VALID)) {
392	return `1`;
393	}
394
395	return `0`;
396	}
397
398	/*
399	* Library validation functions
400	*/
401	int
402	cs_require_lv(struct proc *p)
403	{
404	if (cs_library_val_enable) {
405	return `1`;
406	}
407
408	if (p == NULL) {
409	p = current_proc();
410	}
411
412	if (p != NULL && (proc_getcsflags(p) & CS_REQUIRE_LV)) {
413	return `1`;
414	}
415
416	return `0`;
417	}
418
419	int
420	csproc_forced_lv(struct proc* p)
421	{
422	if (p == NULL) {
423	p = current_proc();
424	}
425	if (p != NULL && (proc_getcsflags(p) & CS_FORCED_LV)) {
426	return `1`;
427	}
428	return `0`;
429	}
430
431	/*
432	* <rdar://problem/24634089> added to allow system level library
433	* validation check at mac_cred_label_update_execve time
434	*/
435	int
436	cs_system_require_lv(void)
437	{
438	return cs_library_val_enable ? `1` : `0`;
439	}
440
441	/*
442	* Function: csblob_get_base_offset
443	*
444	* Description: This function returns the base offset into the (possibly universal) binary
445	* for a given blob.
446	*/
447
448	off_t
449	csblob_get_base_offset(struct cs_blob *blob)
450	{
451	return blob->csb_base_offset;
452	}
453
454	/*
455	* Function: csblob_get_size
456	*
457	* Description: This function returns the size of a given blob.
458	*/
459
460	vm_size_t
461	csblob_get_size(struct cs_blob *blob)
462	{
463	return blob->csb_mem_size;
464	}
465
466	/*
467	* Function: csblob_get_addr
468	*
469	* Description: This function returns the address of a given blob.
470	*/
471
472	vm_address_t
473	csblob_get_addr(struct cs_blob *blob)
474	{
475	return (vm_address_t)blob->csb_mem_kaddr;
476	}
477
478	/*
479	* Function: csblob_get_platform_binary
480	*
481	* Description: This function returns true if the binary is
482	* in the trust cache.
483	*/
484
485	int
486	csblob_get_platform_binary(struct cs_blob *blob)
487	{
488	if (blob && blob->csb_platform_binary) {
489	return `1`;
490	}
491	return `0`;
492	}
493
494	/*
495	* Function: csblob_invalidate_flags
496	*
497	* Description: This function is used to clear the CS_VALID bit on a blob
498	* when a vnode may have been modified.
499	*
500	*/
501	void
502	csblob_invalidate_flags(struct cs_blob *csblob)
503	{
504	bool ro_blob = csblob == csblob->csb_ro_addr;
505	unsigned int current_flags = csblob->csb_flags;
506	unsigned int updated_flags = current_flags & (~CS_VALID);
507	if (ro_blob == true) {
508	zalloc_ro_update_field(ZONE_ID_CS_BLOB, csblob, csb_flags, &updated_flags);
509	} else {
510	csblob->csb_flags = updated_flags;
511	}
512
513	if (csblob->csb_entitlements != NULL) {
514	amfi->OSEntitlements_invalidate(csblob->csb_entitlements);
515	}
516
517	printf("Invalidated flags, old %x new %x\n", current_flags, csblob->csb_flags);
518	}
519
520	/*
521	* Function: csvnode_invalidate_flags
522	*
523	* Description: This function is used to clear the CS_VALID bit on all blobs
524	* attached to a vnode.
525	*
526	*/
527	void
528	csvnode_invalidate_flags(struct vnode *vp)
529	{
530	struct cs_blob* oblob;
531	bool mark_ubcinfo = false;
532
533	for (oblob = ubc_get_cs_blobs(vp);
534	oblob != NULL;
535	oblob = oblob->csb_next) {
536	if (!mark_ubcinfo) {
537	mark_ubcinfo = true;
538	vnode_lock(vp);
539	if (vp->v_ubcinfo) {
540	vp->v_ubcinfo->ui_flags \|= UI_CSBLOBINVALID;
541	}
542	vnode_unlock(vp);
543	}
544	csblob_invalidate_flags(csblob: oblob);
545	}
546	}
547
548	/*
549	* Function: csblob_get_flags
550	*
551	* Description: This function returns the flags for a given blob
552	*/
553
554	unsigned int
555	csblob_get_flags(struct cs_blob *blob)
556	{
557	return blob->csb_flags;
558	}
559
560	/*
561	* Function: csblob_get_hashtype
562	*
563	* Description: This function returns the hash type for a given blob
564	*/
565
566	uint8_t
567	csblob_get_hashtype(struct cs_blob const * const blob)
568	{
569	return blob->csb_hashtype != NULL ? cs_hash_type(blob->csb_hashtype) : `0`;
570	}
571
572	/*
573	* Function: csproc_get_blob
574	*
575	* Description: This function returns the cs_blob
576	* for the process p
577	*/
578	struct cs_blob *
579	csproc_get_blob(struct proc *p)
580	{
581	if (NULL == p) {
582	return NULL;
583	}
584
585	if (NULL == p->p_textvp) {
586	return NULL;
587	}
588
589	if ((proc_getcsflags(p) & CS_SIGNED) == `0`) {
590	return NULL;
591	}
592
593	return ubc_cs_blob_get(p->p_textvp, -`1`, -`1`, p->p_textoff);
594	}
595
596	/*
597	* Function: csvnode_get_blob
598	*
599	* Description: This function returns the cs_blob
600	* for the vnode vp
601	*/
602	struct cs_blob *
603	csvnode_get_blob(struct vnode *vp, off_t offset)
604	{
605	return ubc_cs_blob_get(vp, -`1`, -`1`, offset);
606	}
607
608	/*
609	* Function: csblob_get_teamid
610	*
611	* Description: This function returns a pointer to the
612	* team id of csblob
613	*/
614	const char *
615	csblob_get_teamid(struct cs_blob *csblob)
616	{
617	return csblob->csb_teamid;
618	}
619
620	/*
621	* Function: csblob_get_identity
622	*
623	* Description: This function returns a pointer to the
624	* identity string
625	*/
626	const char *
627	csblob_get_identity(struct cs_blob *csblob)
628	{
629	const CS_CodeDirectory *cd;
630
631	cd = (const CS_CodeDirectory *)csblob_find_blob(csblob, CSSLOT_CODEDIRECTORY, CSMAGIC_CODEDIRECTORY);
632	if (cd == NULL) {
633	return NULL;
634	}
635
636	if (cd->identOffset == `0`) {
637	return NULL;
638	}
639
640	return ((const char *)cd) + ntohl(cd->identOffset);
641	}
642
643	/*
644	* Function: csblob_get_cdhash
645	*
646	* Description: This function returns a pointer to the
647	* cdhash of csblob (20 byte array)
648	*/
649	const uint8_t *
650	csblob_get_cdhash(struct cs_blob *csblob)
651	{
652	return csblob->csb_cdhash;
653	}
654
655	/*
656	* Function: csblob_get_signer_type
657	*
658	* Description: This function returns the signer type
659	* as an integer
660	*/
661	unsigned int
662	csblob_get_signer_type(struct cs_blob *csblob)
663	{
664	return csblob->csb_signer_type;
665	}
666
667	/*
668	* Function: csblob_set_validation_category
669	*
670	* Description: This function is used to set the validation
671	* category on a cs_blob. Can only be set once,
672	* except when set as none.
673	*
674	* Return: 0 on success, otherwise -1.
675	*/
676	int
677	csblob_set_validation_category(struct cs_blob csblob, unsigned* int category)
678	{
679	bool ro_blob = csblob == csblob->csb_ro_addr;
680
681	if ((csblob->csb_validation_category == CS_VALIDATION_CATEGORY_INVALID) \|\|
682	(csblob->csb_validation_category == CS_VALIDATION_CATEGORY_NONE)) {
683	if (ro_blob == true) {
684	zalloc_ro_update_field(ZONE_ID_CS_BLOB, csblob, csb_validation_category, &category);
685	} else {
686	csblob->csb_validation_category = category;
687	}
688	return `0`;
689	}
690
691	/ Always allow when setting to none /
692	if (category == CS_VALIDATION_CATEGORY_NONE) {
693	if (ro_blob == true) {
694	zalloc_ro_update_field(ZONE_ID_CS_BLOB, csblob, csb_validation_category, &category);
695	} else {
696	csblob->csb_validation_category = category;
697	}
698	return `0`;
699	}
700
701	/ Allow setting to the same category /
702	if (category == csblob->csb_validation_category) {
703	return `0`;
704	}
705
706	return -`1`;
707	}
708
709	/*
710	* Function: csblob_get_validation_category
711	*
712	* Description: This function is used to get the validation
713	* category on a cs_blob.
714	*/
715	unsigned int
716	csblob_get_validation_category(struct cs_blob *csblob)
717	{
718	return csblob->csb_validation_category;
719	}
720
721	/*
722	* Function: csblob_get_code_directory
723	*
724	* Description: This function returns the best code directory
725	* as chosen by the system
726	*/
727	const CS_CodeDirectory*
728	csblob_get_code_directory(struct cs_blob *csblob)
729	{
730	return csblob->csb_cd;
731	}
732
733	void *
734	csblob_entitlements_dictionary_copy(struct cs_blob *csblob)
735	{
736	if (!csblob->csb_entitlements) {
737	return NULL;
738	}
739	if (!amfi) {
740	panic("CoreEntitlements: missing AMFI bridge\n");
741	}
742	return amfi->OSEntitlements_asdict(csblob->csb_entitlements);
743	}
744
745	OS_NORETURN
746	void
747	csblob_entitlements_dictionary_set(struct cs_blob __unused csblob, void* __unused *entitlements)
748	{
749	panic("CoreEntitlements: This API is no longer supported\n");
750	}
751
752	void
753	csblob_os_entitlements_set(struct cs_blob csblob, void* * entitlements)
754	{
755	assert(csblob->csb_entitlements == NULL);
756	if (entitlements) {
757	osobject_retain(object: entitlements);
758	}
759	csblob->csb_entitlements = entitlements;
760	}
761
762	void *
763	csblob_os_entitlements_copy(struct cs_blob *csblob)
764	{
765	if (!csblob->csb_entitlements) {
766	return NULL;
767	}
768	osobject_retain(object: csblob->csb_entitlements);
769	return csblob->csb_entitlements;
770	}
771
772	void *
773	csblob_os_entitlements_get(struct cs_blob *csblob)
774	{
775	if (!csblob->csb_entitlements) {
776	return NULL;
777	}
778	return csblob->csb_entitlements;
779	}
780
781	void *
782	csblob_get_storage_addr(struct cs_blob *csblob)
783	{
784	void *addr = csblob->csb_ro_addr;
785	cs_blob_require((struct cs_blob *)addr, NULL);
786	return addr;
787	}
788
789	/*
790	* Function: csproc_get_teamid
791	*
792	* Description: This function returns a pointer to the
793	* team id of the process p
794	*/
795	const char *
796	csproc_get_teamid(struct proc *p)
797	{
798	struct cs_blob *csblob;
799
800	csblob = csproc_get_blob(p);
801	if (csblob == NULL) {
802	return NULL;
803	}
804
805	return csblob_get_teamid(csblob);
806	}
807
808	const char *
809	csproc_get_identity(struct proc *p)
810	{
811	struct cs_blob *csblob = NULL;
812
813	csblob = csproc_get_blob(p);
814	if (csblob == NULL) {
815	return NULL;
816	}
817
818	return csblob_get_identity(csblob);
819	}
820
821	/*
822	* Function: csproc_get_signer_type
823	*
824	* Description: This function returns the signer type
825	* of the process p
826	*/
827	unsigned int
828	csproc_get_signer_type(struct proc *p)
829	{
830	struct cs_blob *csblob;
831
832	csblob = csproc_get_blob(p);
833	if (csblob == NULL) {
834	return CS_SIGNER_TYPE_UNKNOWN;
835	}
836
837	return csblob_get_signer_type(csblob);
838	}
839
840	/*
841	* Function: csvnode_get_teamid
842	*
843	* Description: This function returns a pointer to the
844	* team id of the binary at the given offset in vnode vp
845	*/
846	const char *
847	csvnode_get_teamid(struct vnode *vp, off_t offset)
848	{
849	struct cs_blob *csblob;
850
851	if (vp == NULL) {
852	return NULL;
853	}
854
855	csblob = ubc_cs_blob_get(vp, -`1`, -`1`, offset);
856	if (csblob == NULL) {
857	return NULL;
858	}
859
860	return csblob_get_teamid(csblob);
861	}
862
863	/*
864	* Function: csproc_get_platform_binary
865	*
866	* Description: This function returns the value
867	* of the platform_binary field for proc p
868	*/
869	int
870	csproc_get_platform_binary(struct proc *p)
871	{
872	struct cs_blob *csblob;
873
874	csblob = csproc_get_blob(p);
875
876	/ If there is no csblob this returns 0 because*
877	* it is true that it is not a platform binary */
878	return (csblob == NULL) ? `0` : csblob->csb_platform_binary;
879	}
880
881	int
882	csproc_get_platform_path(struct proc *p)
883	{
884	struct cs_blob *csblob;
885
886	csblob = csproc_get_blob(p);
887
888	return (csblob == NULL) ? `0` : csblob->csb_platform_path;
889	}
890
891	#if DEVELOPMENT \|\| DEBUG
892	void
893	csproc_clear_platform_binary(struct proc *p)
894	{
895	struct cs_blob *csblob = csproc_get_blob(p);
896	struct cs_blob_platform_flags platform_flags;
897
898	if (csblob == NULL) {
899	return;
900	}
901
902	if (cs_debug) {
903	printf("clearing platform binary on proc/task: pid = %d\n", proc_getpid(p));
904	}
905
906	platform_flags = csblob->csb_platform_flags;
907	platform_flags.csb_platform_binary = `0`;
908	platform_flags.csb_platform_path = `0`;
909
910	zalloc_ro_update_field(ZONE_ID_CS_BLOB, csblob, csb_platform_flags,
911	&platform_flags);
912
913	task_set_platform_binary(proc_task(p), FALSE);
914	}
915	#endif
916
917	void
918	csproc_disable_enforcement(struct proc* __unused p)
919	{
920	#if !CONFIG_ENFORCE_SIGNED_CODE
921	if (p != NULL) {
922	proc_lock(p);
923	proc_csflags_clear(p, CS_ENFORCEMENT);
924	vm_map_cs_enforcement_set(map: get_task_map(proc_task(p)), FALSE);
925	proc_unlock(p);
926	}
927	#endif
928	}
929
930	/ Function: csproc_mark_invalid_allowed*
931	*
932	* Description: Mark the process as being allowed to go invalid. Called as part of
933	* task_for_pid and ptrace policy. Note CS_INVALID_ALLOWED only matters for
934	* processes that have been opted into CS_ENFORCEMENT.
935	*/
936	void
937	csproc_mark_invalid_allowed(struct proc* __unused p)
938	{
939	#if !CONFIG_ENFORCE_SIGNED_CODE
940	if (p != NULL) {
941	proc_lock(p);
942	proc_csflags_set(p, CS_INVALID_ALLOWED);
943	proc_unlock(p);
944	}
945	#endif
946	}
947
948	/*
949	* Function: csproc_check_invalid_allowed
950	*
951	* Description: Returns 1 if the process has been marked as allowed to go invalid
952	* because it gave its task port to an allowed process.
953	*/
954	int
955	csproc_check_invalid_allowed(struct proc* __unused p)
956	{
957	#if !CONFIG_ENFORCE_SIGNED_CODE
958	if (p == NULL) {
959	p = current_proc();
960	}
961
962	if (p != NULL && (proc_getcsflags(p) & CS_INVALID_ALLOWED)) {
963	return `1`;
964	}
965	#endif
966	return `0`;
967	}
968
969	/*
970	* Function: csproc_get_prod_signed
971	*
972	* Description: Returns 1 if process is not signed with a developer identity.
973	* Note the inverted meaning from the cs_flag to make the error case safer.
974	* Will go away with rdar://problem/28322552.
975	*/
976	int
977	csproc_get_prod_signed(struct proc *p)
978	{
979	return (proc_getcsflags(p) & CS_DEV_CODE) == `0`;
980	}
981
982	int
983	csproc_get_validation_category(struct proc pt, unsigned* int *out_validation_category)
984	{
985	struct cs_blob* blob = NULL;
986	unsigned int validation_category = CS_VALIDATION_CATEGORY_INVALID;
987	int error;
988
989	proc_lock(pt);
990	if ((proc_getcsflags(pt) & (CS_VALID \| CS_DEBUGGED)) == `0`) {
991	proc_unlock(pt);
992	error = EINVAL;
993	goto out;
994	}
995	blob = csproc_get_blob(p: pt);
996	proc_unlock(pt);
997
998	if (!blob) {
999	error = EBADEXEC;
1000	goto out;
1001	}
1002
1003	validation_category = csblob_get_validation_category(csblob: blob);
1004	if (out_validation_category) {
1005	*out_validation_category = validation_category;
1006	}
1007	error = KERN_SUCCESS;
1008	out:
1009	return error;
1010	}
1011
1012
1013	/*
1014	* Function: csfg_get_platform_binary
1015	*
1016	* Description: This function returns the
1017	* platform binary field for the
1018	* fileglob fg
1019	*/
1020	int
1021	csfg_get_platform_binary(struct fileglob *fg)
1022	{
1023	int platform_binary = `0`;
1024	struct ubc_info *uip;
1025	vnode_t vp;
1026
1027	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1028	return `0`;
1029	}
1030
1031	vp = (struct vnode *)fg_get_data(fg);
1032	if (vp == NULL) {
1033	return `0`;
1034	}
1035
1036	vnode_lock(vp);
1037	if (!UBCINFOEXISTS(vp)) {
1038	goto out;
1039	}
1040
1041	uip = vp->v_ubcinfo;
1042	if (uip == NULL) {
1043	goto out;
1044	}
1045
1046	if (uip->cs_blobs == NULL) {
1047	goto out;
1048	}
1049
1050	/ It is OK to extract the teamid from the first blob*
1051	* because all blobs of a vnode must have the same teamid */
1052	platform_binary = uip->cs_blobs->csb_platform_binary;
1053	out:
1054	vnode_unlock(vp);
1055
1056	return platform_binary;
1057	}
1058
1059	int
1060	csfg_get_supplement_platform_binary(struct fileglob *fg __unused)
1061	{
1062	#if CONFIG_SUPPLEMENTAL_SIGNATURES
1063	int platform_binary = `0`;
1064	struct ubc_info *uip;
1065	vnode_t vp;
1066
1067	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1068	return `0`;
1069	}
1070
1071	vp = (struct vnode *)fg_get_data(fg);
1072	if (vp == NULL) {
1073	return `0`;
1074	}
1075
1076	vnode_lock(vp);
1077	if (!UBCINFOEXISTS(vp)) {
1078	goto out;
1079	}
1080
1081	uip = vp->v_ubcinfo;
1082	if (uip == NULL) {
1083	goto out;
1084	}
1085
1086	if (uip->cs_blob_supplement == NULL) {
1087	goto out;
1088	}
1089
1090	platform_binary = uip->cs_blob_supplement->csb_platform_binary;
1091	out:
1092	vnode_unlock(vp);
1093
1094	return platform_binary;
1095	#else
1096	// Supplemental signatures are only allowed in CONFIG_SUPPLEMENTAL_SIGNATURES
1097	// Return false if anyone asks about them
1098	return `0`;
1099	#endif
1100	}
1101
1102	uint8_t *
1103	csfg_get_cdhash(struct fileglob fg, uint64_t offset, size_t cdhash_size)
1104	{
1105	vnode_t vp;
1106
1107	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1108	return NULL;
1109	}
1110
1111	vp = (struct vnode *)fg_get_data(fg);
1112	if (vp == NULL) {
1113	return NULL;
1114	}
1115
1116	struct cs_blob *csblob = NULL;
1117	if ((csblob = ubc_cs_blob_get(vp, -`1`, -`1`, offset)) == NULL) {
1118	return NULL;
1119	}
1120
1121	if (cdhash_size) {
1122	*cdhash_size = CS_CDHASH_LEN;
1123	}
1124	return csblob->csb_cdhash;
1125	}
1126
1127	uint8_t *
1128	csfg_get_supplement_cdhash(struct fileglob fg __unused, uint64_t offset __unused, size_t cdhash_size __unused)
1129	{
1130	#if CONFIG_SUPPLEMENTAL_SIGNATURES
1131	vnode_t vp;
1132
1133	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1134	return NULL;
1135	}
1136
1137	vp = (struct vnode *)fg_get_data(fg);
1138	if (vp == NULL) {
1139	return NULL;
1140	}
1141
1142	struct cs_blob *csblob = NULL;
1143	if ((csblob = ubc_cs_blob_get_supplement(vp, offset)) == NULL) {
1144	return NULL;
1145	}
1146
1147	if (cdhash_size) {
1148	*cdhash_size = CS_CDHASH_LEN;
1149	}
1150	return csblob->csb_cdhash;
1151	#else
1152	// Supplemental signatures are only available in CONFIG_SUPPLEMENTAL_SIGNATURES
1153	// return NULL if anyone asks about them
1154	return NULL;
1155	#endif
1156	}
1157
1158	const uint8_t *
1159	csfg_get_supplement_linkage_cdhash(struct fileglob fg __unused, uint64_t offset __unused, size_t cdhash_size __unused)
1160	{
1161	#if CONFIG_SUPPLEMENTAL_SIGNATURES
1162	vnode_t vp;
1163
1164	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1165	return NULL;
1166	}
1167
1168	vp = (struct vnode *)fg_get_data(fg);
1169	if (vp == NULL) {
1170	return NULL;
1171	}
1172
1173	struct cs_blob *csblob = NULL;
1174	if ((csblob = ubc_cs_blob_get_supplement(vp, offset)) == NULL) {
1175	return NULL;
1176	}
1177
1178	if (cdhash_size) {
1179	*cdhash_size = CS_CDHASH_LEN;
1180	}
1181
1182	return csblob->csb_linkage;
1183	#else
1184	// Supplemental signatures are only available in CONFIG_SUPPLEMENTAL_SIGNATURES
1185	// return NULL if anyone asks about them
1186	return NULL;
1187	#endif
1188	}
1189
1190	/*
1191	* Function: csfg_get_signer_type
1192	*
1193	* Description: This returns the signer type
1194	* for the fileglob fg
1195	*/
1196	unsigned int
1197	csfg_get_signer_type(struct fileglob *fg)
1198	{
1199	struct ubc_info *uip;
1200	unsigned int signer_type = CS_SIGNER_TYPE_UNKNOWN;
1201	vnode_t vp;
1202
1203	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1204	return CS_SIGNER_TYPE_UNKNOWN;
1205	}
1206
1207	vp = (struct vnode *)fg_get_data(fg);
1208	if (vp == NULL) {
1209	return CS_SIGNER_TYPE_UNKNOWN;
1210	}
1211
1212	vnode_lock(vp);
1213	if (!UBCINFOEXISTS(vp)) {
1214	goto out;
1215	}
1216
1217	uip = vp->v_ubcinfo;
1218	if (uip == NULL) {
1219	goto out;
1220	}
1221
1222	if (uip->cs_blobs == NULL) {
1223	goto out;
1224	}
1225
1226	/ It is OK to extract the signer type from the first blob,*
1227	* because all blobs of a vnode must have the same signer type. */
1228	signer_type = uip->cs_blobs->csb_signer_type;
1229	out:
1230	vnode_unlock(vp);
1231
1232	return signer_type;
1233	}
1234
1235	unsigned int
1236	csfg_get_supplement_signer_type(struct fileglob *fg __unused)
1237	{
1238	#if CONFIG_SUPPLEMENTAL_SIGNATURES
1239	struct ubc_info *uip;
1240	unsigned int signer_type = CS_SIGNER_TYPE_UNKNOWN;
1241	vnode_t vp;
1242
1243	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1244	return CS_SIGNER_TYPE_UNKNOWN;
1245	}
1246
1247	vp = (struct vnode *)fg_get_data(fg);
1248	if (vp == NULL) {
1249	return CS_SIGNER_TYPE_UNKNOWN;
1250	}
1251
1252	vnode_lock(vp);
1253	if (!UBCINFOEXISTS(vp)) {
1254	goto out;
1255	}
1256
1257	uip = vp->v_ubcinfo;
1258	if (uip == NULL) {
1259	goto out;
1260	}
1261
1262	if (uip->cs_blob_supplement == NULL) {
1263	goto out;
1264	}
1265
1266	signer_type = uip->cs_blob_supplement->csb_signer_type;
1267	out:
1268	vnode_unlock(vp);
1269
1270	return signer_type;
1271	#else
1272	// Supplemental signatures are only available in CONFIG_SUPPLEMENTAL_SIGNATURES
1273	// Return unknown if anyone asks
1274	return CS_SIGNER_TYPE_UNKNOWN;
1275	#endif
1276	}
1277
1278	/*
1279	* Function: csfg_get_validation_category
1280	*
1281	* Description: This returns the validation category
1282	* for the fileglob fg
1283	*/
1284	unsigned int
1285	csfg_get_validation_category(struct fileglob *fg, uint64_t offset)
1286	{
1287	unsigned int validation_category = CS_VALIDATION_CATEGORY_INVALID;
1288	vnode_t vp;
1289
1290	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1291	return CS_VALIDATION_CATEGORY_INVALID;
1292	}
1293
1294	vp = (struct vnode *)fg_get_data(fg);
1295	if (vp == NULL) {
1296	return CS_VALIDATION_CATEGORY_INVALID;
1297	}
1298
1299	vnode_lock(vp);
1300
1301	struct cs_blob *csblob = NULL;
1302	if ((csblob = ubc_cs_blob_get(vp, -`1`, -`1`, offset)) == NULL) {
1303	goto out;
1304	}
1305
1306	validation_category = csblob->csb_validation_category;
1307	out:
1308	vnode_unlock(vp);
1309
1310	return validation_category;
1311	}
1312
1313	unsigned int
1314	csfg_get_supplement_validation_category(struct fileglob *fg __unused, uint64_t offset __unused)
1315	{
1316	#if CONFIG_SUPPLEMENTAL_SIGNATURES
1317	unsigned int validation_category = CS_VALIDATION_CATEGORY_INVALID;
1318	vnode_t vp;
1319
1320	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1321	return CS_SIGNER_TYPE_UNKNOWN;
1322	}
1323
1324	vp = (struct vnode *)fg_get_data(fg);
1325	if (vp == NULL) {
1326	return CS_SIGNER_TYPE_UNKNOWN;
1327	}
1328
1329	vnode_lock(vp);
1330
1331	struct cs_blob *csblob = NULL;
1332	if ((csblob = ubc_cs_blob_get_supplement(vp, offset)) == NULL) {
1333	goto out;
1334	}
1335
1336	validation_category = csblob->csb_validation_category;
1337	out:
1338	vnode_unlock(vp);
1339
1340	return validation_category;
1341	#else
1342	// Supplemental signatures are only available in CONFIG_SUPPLEMENTAL_SIGNATURES
1343	// Return invalid if anyone asks
1344	return CS_VALIDATION_CATEGORY_INVALID;
1345	#endif
1346	}
1347
1348	/*
1349	* Function: csfg_get_teamid
1350	*
1351	* Description: This returns a pointer to
1352	* the teamid for the fileglob fg
1353	*/
1354	const char *
1355	csfg_get_teamid(struct fileglob *fg)
1356	{
1357	struct ubc_info *uip;
1358	const char *str = NULL;
1359	vnode_t vp;
1360
1361	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1362	return NULL;
1363	}
1364
1365	vp = (struct vnode *)fg_get_data(fg);
1366	if (vp == NULL) {
1367	return NULL;
1368	}
1369
1370	vnode_lock(vp);
1371	if (!UBCINFOEXISTS(vp)) {
1372	goto out;
1373	}
1374
1375	uip = vp->v_ubcinfo;
1376	if (uip == NULL) {
1377	goto out;
1378	}
1379
1380	if (uip->cs_blobs == NULL) {
1381	goto out;
1382	}
1383
1384	/ It is OK to extract the teamid from the first blob*
1385	* because all blobs of a vnode must have the same teamid */
1386	str = uip->cs_blobs->csb_teamid;
1387	out:
1388	vnode_unlock(vp);
1389
1390	return str;
1391	}
1392
1393	const char *
1394	csfg_get_supplement_teamid(struct fileglob *fg __unused)
1395	{
1396	#if CONFIG_SUPPLEMENTAL_SIGNATURES
1397	struct ubc_info *uip;
1398	const char *str = NULL;
1399	vnode_t vp;
1400
1401	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1402	return NULL;
1403	}
1404
1405	vp = (struct vnode *)fg_get_data(fg);
1406	if (vp == NULL) {
1407	return NULL;
1408	}
1409
1410	vnode_lock(vp);
1411	if (!UBCINFOEXISTS(vp)) {
1412	goto out;
1413	}
1414
1415	uip = vp->v_ubcinfo;
1416	if (uip == NULL) {
1417	goto out;
1418	}
1419
1420	if (uip->cs_blob_supplement == NULL) {
1421	goto out;
1422	}
1423
1424	str = uip->cs_blob_supplement->csb_supplement_teamid;
1425	out:
1426	vnode_unlock(vp);
1427
1428	return str;
1429	#else
1430	// Supplemental Signatures are only available in CONFIG_SUPPLEMENTAL_SIGNATURES
1431	// Return NULL if anyone asks
1432	return NULL;
1433	#endif
1434	}
1435
1436	/*
1437	* Function: csfg_get_csblob
1438	*
1439	* Description: This returns a pointer to
1440	* the csblob for the fileglob fg
1441	*/
1442	struct cs_blob*
1443	csfg_get_csblob(struct fileglob *fg, uint64_t offset)
1444	{
1445	vnode_t vp;
1446
1447	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1448	return NULL;
1449	}
1450
1451	vp = (struct vnode *)fg_get_data(fg);
1452	if (vp == NULL) {
1453	return NULL;
1454	}
1455
1456	struct cs_blob *csblob = NULL;
1457	if ((csblob = ubc_cs_blob_get(vp, -`1`, -`1`, offset)) == NULL) {
1458	return NULL;
1459	}
1460
1461	return csblob;
1462	}
1463
1464	struct cs_blob*
1465	csfg_get_supplement_csblob(__unused struct fileglob *fg, __unused uint64_t offset)
1466	{
1467	#if CONFIG_SUPPLEMENTAL_SIGNATURES
1468	vnode_t vp;
1469
1470	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1471	return NULL;
1472	}
1473
1474	vp = (struct vnode *)fg_get_data(fg);
1475	if (vp == NULL) {
1476	return NULL;
1477	}
1478
1479	struct cs_blob *csblob = NULL;
1480	if ((csblob = ubc_cs_blob_get_supplement(vp, offset)) == NULL) {
1481	return NULL;
1482	}
1483
1484	return csblob;
1485	#else
1486	// Supplemental signatures are only available in CONFIG_SUPPLEMENTAL_SIGNATURES
1487	// return NULL if anyone asks about them
1488	return NULL;
1489	#endif
1490	}
1491
1492	/*
1493	* Function: csfg_get_prod_signed
1494	*
1495	* Description: Returns 1 if code is not signed with a developer identity.
1496	* Note the inverted meaning from the cs_flag to make the error case safer.
1497	* Will go away with rdar://problem/28322552.
1498	*/
1499	int
1500	csfg_get_prod_signed(struct fileglob *fg)
1501	{
1502	struct ubc_info *uip;
1503	vnode_t vp;
1504	int prod_signed = `0`;
1505
1506	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1507	return `0`;
1508	}
1509
1510	vp = (struct vnode *)fg_get_data(fg);
1511	if (vp == NULL) {
1512	return `0`;
1513	}
1514
1515	vnode_lock(vp);
1516	if (!UBCINFOEXISTS(vp)) {
1517	goto out;
1518	}
1519
1520	uip = vp->v_ubcinfo;
1521	if (uip == NULL) {
1522	goto out;
1523	}
1524
1525	if (uip->cs_blobs == NULL) {
1526	goto out;
1527	}
1528
1529	/ It is OK to extract the flag from the first blob*
1530	* because all blobs of a vnode must have the same cs_flags */
1531	prod_signed = (uip->cs_blobs->csb_flags & CS_DEV_CODE) == `0`;
1532	out:
1533	vnode_unlock(vp);
1534
1535	return prod_signed;
1536	}
1537
1538	int
1539	csfg_get_supplement_prod_signed(struct fileglob *fg __unused)
1540	{
1541	#if CONFIG_SUPPLEMENTAL_SIGNATURES
1542	struct ubc_info *uip;
1543	vnode_t vp;
1544	int prod_signed = `0`;
1545
1546	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1547	return `0`;
1548	}
1549
1550	vp = (struct vnode *)fg_get_data(fg);
1551	if (vp == NULL) {
1552	return `0`;
1553	}
1554
1555	vnode_lock(vp);
1556	if (!UBCINFOEXISTS(vp)) {
1557	goto out;
1558	}
1559
1560	uip = vp->v_ubcinfo;
1561	if (uip == NULL) {
1562	goto out;
1563	}
1564
1565	if (uip->cs_blob_supplement == NULL) {
1566	goto out;
1567	}
1568
1569	/ It is OK to extract the flag from the first blob*
1570	* because all blobs of a vnode must have the same cs_flags */
1571	prod_signed = (uip->cs_blob_supplement->csb_flags & CS_DEV_CODE) == `0`;
1572	out:
1573	vnode_unlock(vp);
1574
1575	return prod_signed;
1576	#else
1577	// Supplemental signatures are only available in CONFIG_SUPPLEMENTAL_SIGNATURES
1578	// Indicate development signed if anyone tries to ask about one.
1579	return `0`;
1580	#endif
1581	}
1582
1583	/*
1584	* Function: csfg_get_identity
1585	*
1586	* Description: This function returns the codesign identity
1587	* for the fileglob
1588	*/
1589	const char *
1590	csfg_get_identity(struct fileglob *fg, off_t offset)
1591	{
1592	vnode_t vp;
1593	struct cs_blob *csblob = NULL;
1594
1595	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1596	return NULL;
1597	}
1598
1599	vp = (struct vnode *)fg_get_data(fg);
1600	if (vp == NULL) {
1601	return NULL;
1602	}
1603
1604	csblob = ubc_cs_blob_get(vp, -`1`, -`1`, offset);
1605	if (csblob == NULL) {
1606	return NULL;
1607	}
1608
1609	return csblob_get_identity(csblob);
1610	}
1611
1612	/*
1613	* Function: csfg_get_platform_identifier
1614	*
1615	* Description: This function returns the codesign platform
1616	* identifier for the fileglob. Assumes the fileproc
1617	* is being held busy to keep the fileglob consistent.
1618	*/
1619	uint8_t
1620	csfg_get_platform_identifier(struct fileglob *fg, off_t offset)
1621	{
1622	vnode_t vp;
1623
1624	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1625	return `0`;
1626	}
1627
1628	vp = (struct vnode *)fg_get_data(fg);
1629	if (vp == NULL) {
1630	return `0`;
1631	}
1632
1633	return csvnode_get_platform_identifier(vp, offset);
1634	}
1635
1636	/*
1637	* Function: csvnode_get_platform_identifier
1638	*
1639	* Description: This function returns the codesign platform
1640	* identifier for the vnode. Assumes a vnode reference
1641	* is held.
1642	*/
1643	uint8_t
1644	csvnode_get_platform_identifier(struct vnode *vp, off_t offset)
1645	{
1646	struct cs_blob *csblob;
1647	const CS_CodeDirectory *code_dir;
1648
1649	csblob = ubc_cs_blob_get(vp, -`1`, -`1`, offset);
1650	if (csblob == NULL) {
1651	return `0`;
1652	}
1653
1654	code_dir = csblob->csb_cd;
1655	if (code_dir == NULL \|\| ntohl(code_dir->length) < `8`) {
1656	return `0`;
1657	}
1658
1659	return code_dir->platform;
1660	}
1661
1662	/*
1663	* Function: csproc_get_platform_identifier
1664	*
1665	* Description: This function returns the codesign platform
1666	* identifier for the proc. Assumes proc will remain
1667	* valid through call.
1668	*/
1669	uint8_t
1670	csproc_get_platform_identifier(struct proc *p)
1671	{
1672	if (NULL == p->p_textvp) {
1673	return `0`;
1674	}
1675
1676	return csvnode_get_platform_identifier(vp: p->p_textvp, offset: p->p_textoff);
1677	}
1678
1679	uint32_t
1680	cs_entitlement_flags(struct proc *p)
1681	{
1682	return proc_getcsflags(p) & CS_ENTITLEMENT_FLAGS;
1683	}
1684
1685	int
1686	cs_restricted(struct proc *p)
1687	{
1688	return (proc_getcsflags(p) & CS_RESTRICT) ? `1` : `0`;
1689	}
1690
1691	int
1692	csproc_hardened_runtime(struct proc* p)
1693	{
1694	return (proc_getcsflags(p) & CS_RUNTIME) ? `1` : `0`;
1695	}
1696
1697	/*
1698	* Function: csfg_get_path
1699	*
1700	* Description: This populates the buffer passed in
1701	* with the path of the vnode
1702	* When calling this, the fileglob
1703	* cannot go away. The caller must have a
1704	* a reference on the fileglob or fileproc
1705	*/
1706	int
1707	csfg_get_path(struct fileglob fg, char* path, int* *len)
1708	{
1709	vnode_t vp = NULL;
1710
1711	if (FILEGLOB_DTYPE(fg) != DTYPE_VNODE) {
1712	return -`1`;
1713	}
1714
1715	vp = (struct vnode *)fg_get_data(fg);
1716
1717	/ vn_getpath returns 0 for success,*
1718	* or an error code */
1719	return vn_getpath(vp, pathbuf: path, len);
1720	}
1721
1722	/*
1723	* Retrieve the entitlements blob for a vnode
1724	* Returns:
1725	* EINVAL no text vnode associated with the process
1726	* EBADEXEC invalid code signing data
1727	* 0 no error occurred
1728	*
1729	* On success, out_start and out_length will point to the
1730	* entitlements blob if found; or will be set to NULL/zero
1731	* if there were no entitlements.
1732	*/
1733	int
1734	cs_entitlements_blob_get_vnode(vnode_t vnode, off_t offset, void *out_start, size_t out_length)
1735	{
1736	struct cs_blob *csblob;
1737
1738	*out_start = NULL;
1739	*out_length = `0`;
1740
1741	if (vnode == NULL) {
1742	return EINVAL;
1743	}
1744
1745	if ((csblob = ubc_cs_blob_get(vnode, -`1`, -`1`, offset)) == NULL) {
1746	return `0`;
1747	}
1748
1749	return csblob_get_entitlements(csblob, out_start, out_length);
1750	}
1751
1752
1753	/ Retrieve the cached entitlements for a vnode*
1754	* Returns:
1755	* EINVAL no vnode
1756	* EBADEXEC invalid code signing data
1757	* 0 no error occurred
1758	*
1759	* Note: the entitlements may be NULL if there is nothing cached.
1760	*/
1761
1762	int
1763	cs_entitlements_dictionary_copy_vnode(vnode_t vnode, off_t offset, void **entitlements)
1764	{
1765	struct cs_blob *csblob;
1766
1767	*entitlements = NULL;
1768
1769	if (vnode == NULL) {
1770	return EINVAL;
1771	}
1772
1773	if ((csblob = ubc_cs_blob_get(vnode, -`1`, -`1`, offset)) == NULL) {
1774	return `0`;
1775	}
1776
1777	*entitlements = csblob_entitlements_dictionary_copy(csblob);
1778	return `0`;
1779	}
1780
1781	/*
1782	* Retrieve the entitlements blob for a process.
1783	* Returns:
1784	* EINVAL no text vnode associated with the process
1785	* EBADEXEC invalid code signing data
1786	* 0 no error occurred
1787	*
1788	* On success, out_start and out_length will point to the
1789	* entitlements blob if found; or will be set to NULL/zero
1790	* if there were no entitlements.
1791	*/
1792	int
1793	cs_entitlements_blob_get(proc_t p, void *out_start, size_t out_length)
1794	{
1795	if ((proc_getcsflags(p) & CS_SIGNED) == `0`) {
1796	return `0`;
1797	}
1798
1799	return cs_entitlements_blob_get_vnode(vnode: p->p_textvp, offset: p->p_textoff, out_start, out_length);
1800	}
1801
1802
1803	/ Retrieve the cached entitlements for a process*
1804	* Returns:
1805	* EINVAL no text vnode associated with the process
1806	* EBADEXEC invalid code signing data
1807	* 0 no error occurred
1808	*
1809	* Note: the entitlements may be NULL if there is nothing cached.
1810	*/
1811
1812	int
1813	cs_entitlements_dictionary_copy(proc_t p, void **entitlements)
1814	{
1815	struct cs_blob *csblob;
1816
1817	*entitlements = NULL;
1818
1819	if ((proc_getcsflags(p) & CS_SIGNED) == `0`) {
1820	return `0`;
1821	}
1822
1823	if (NULL == p->p_textvp) {
1824	return EINVAL;
1825	}
1826
1827	if ((csblob = ubc_cs_blob_get(p->p_textvp, -`1`, -`1`, p->p_textoff)) == NULL) {
1828	return `0`;
1829	}
1830
1831	*entitlements = csblob_entitlements_dictionary_copy(csblob);
1832	return `0`;
1833	}
1834
1835	/ Retrieve the codesign identity for a process.*
1836	* Returns:
1837	* NULL an error occured
1838	* string the cs_identity
1839	*/
1840
1841	const char *
1842	cs_identity_get(proc_t p)
1843	{
1844	struct cs_blob *csblob;
1845
1846	if ((proc_getcsflags(p) & CS_SIGNED) == `0`) {
1847	return NULL;
1848	}
1849
1850	if (NULL == p->p_textvp) {
1851	return NULL;
1852	}
1853
1854	if ((csblob = ubc_cs_blob_get(p->p_textvp, -`1`, -`1`, p->p_textoff)) == NULL) {
1855	return NULL;
1856	}
1857
1858	return csblob_get_identity(csblob);
1859	}
1860
1861	/*
1862	* DO NOT USE THIS FUNCTION!
1863	* Use the properly guarded csproc_get_blob instead.
1864	*
1865	* This is currently here to allow detached signatures to work
1866	* properly. The only user of this function is also checking
1867	* for CS_VALID.
1868	*/
1869
1870	int
1871	cs_blob_get(proc_t p, void *out_start, size_t out_length)
1872	{
1873	struct cs_blob *csblob;
1874
1875	*out_start = NULL;
1876	*out_length = `0`;
1877
1878	if (NULL == p->p_textvp) {
1879	return EINVAL;
1880	}
1881
1882	if ((csblob = ubc_cs_blob_get(p->p_textvp, -`1`, -`1`, p->p_textoff)) == NULL) {
1883	return `0`;
1884	}
1885
1886	*out_start = csblob->csb_mem_kaddr;
1887	*out_length = csblob->csb_mem_size;
1888
1889	return `0`;
1890	}
1891
1892	/*
1893	* return cshash of a process, cdhash is of size CS_CDHASH_LEN
1894	*/
1895
1896	uint8_t *
1897	cs_get_cdhash(struct proc *p)
1898	{
1899	struct cs_blob *csblob;
1900
1901	if ((proc_getcsflags(p) & CS_SIGNED) == `0`) {
1902	return NULL;
1903	}
1904
1905	if (NULL == p->p_textvp) {
1906	return NULL;
1907	}
1908
1909	if ((csblob = ubc_cs_blob_get(p->p_textvp, -`1`, -`1`, p->p_textoff)) == NULL) {
1910	return NULL;
1911	}
1912
1913	return csblob->csb_cdhash;
1914	}
1915
1916	/*
1917	* return launch type of a process being created.
1918	*/
1919	cs_launch_type_t
1920	launch_constraint_data_get_launch_type(launch_constraint_data_t lcd)
1921	{
1922	return lcd->launch_type;
1923	}
1924

Browse the source code of xnu/bsd/kern/kern_cs.c