| 1 | /* |
|---|---|
| 2 | * Copyright (c) 2015-2020 Apple Inc. All rights reserved. |
| 3 | * |
| 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
| 5 | * |
| 6 | * This file contains Original Code and/or Modifications of Original Code |
| 7 | * as defined in and that are subject to the Apple Public Source License |
| 8 | * Version 2.0 (the 'License'). You may not use this file except in |
| 9 | * compliance with the License. The rights granted to you under the License |
| 10 | * may not be used to create, or enable the creation or redistribution of, |
| 11 | * unlawful or unlicensed copies of an Apple operating system, or to |
| 12 | * circumvent, violate, or enable the circumvention or violation of, any |
| 13 | * terms of an Apple operating system software license agreement. |
| 14 | * |
| 15 | * Please obtain a copy of the License at |
| 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
| 17 | * |
| 18 | * The Original Code and all software distributed under the License are |
| 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
| 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
| 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
| 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
| 23 | * Please see the License for the specific language governing rights and |
| 24 | * limitations under the License. |
| 25 | * |
| 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
| 27 | */ |
| 28 | |
| 29 | #include <sys/kernel.h> |
| 30 | #include <sys/commpage.h> |
| 31 | #include <sys/kernel_types.h> |
| 32 | #include <sys/persona.h> |
| 33 | #include <pexpert/pexpert.h> |
| 34 | #include <machine/cpu_capabilities.h> |
| 35 | |
| 36 | #if CONFIG_PERSONAS |
| 37 | #include <machine/atomic.h> |
| 38 | |
| 39 | #include <kern/assert.h> |
| 40 | #include <kern/simple_lock.h> |
| 41 | #include <kern/task.h> |
| 42 | #include <kern/zalloc.h> |
| 43 | #include <mach/thread_act.h> |
| 44 | #include <kern/thread.h> |
| 45 | |
| 46 | #include <sys/param.h> |
| 47 | #include <sys/proc_internal.h> |
| 48 | #include <sys/kauth.h> |
| 49 | #include <sys/proc_info.h> |
| 50 | #include <sys/resourcevar.h> |
| 51 | |
| 52 | #include <security/audit/audit.h> |
| 53 | |
| 54 | #include <os/log.h> |
| 55 | #define pna_err(fmt, ...) \ |
| 56 | os_log_error(OS_LOG_DEFAULT, "ERROR: " fmt, ## __VA_ARGS__) |
| 57 | |
| 58 | #define MAX_PERSONAS 512 |
| 59 | |
| 60 | #define TEMP_PERSONA_ID 499 |
| 61 | |
| 62 | #define FIRST_PERSONA_ID 501 |
| 63 | #define PERSONA_ID_STEP 10 |
| 64 | |
| 65 | #define PERSONA_ALLOC_TOKEN (0x7a0000ae) |
| 66 | #define PERSONA_INIT_TOKEN (0x7500005e) |
| 67 | #define PERSONA_MAGIC (0x0aa55aa0) |
| 68 | #define persona_initialized(p) ((p)->pna_valid == PERSONA_MAGIC || (p)->pna_valid == PERSONA_INIT_TOKEN) |
| 69 | #define persona_valid(p) ((p)->pna_valid == PERSONA_MAGIC) |
| 70 | #define persona_mkinvalid(p) ((p)->pna_valid = ~(PERSONA_MAGIC)) |
| 71 | |
| 72 | static LIST_HEAD(personalist, persona) all_personas = LIST_HEAD_INITIALIZER(all_personas); |
| 73 | static uint32_t g_total_personas; |
| 74 | const uint32_t g_max_personas = MAX_PERSONAS; |
| 75 | static uid_t g_next_persona_id = FIRST_PERSONA_ID; |
| 76 | |
| 77 | LCK_GRP_DECLARE(persona_lck_grp, "personas"); |
| 78 | LCK_MTX_DECLARE(all_personas_lock, &persona_lck_grp); |
| 79 | |
| 80 | os_refgrp_decl(static, persona_refgrp, "persona", NULL); |
| 81 | |
| 82 | static KALLOC_TYPE_DEFINE(persona_zone, struct persona, KT_DEFAULT); |
| 83 | |
| 84 | #define lock_personas() lck_mtx_lock(&all_personas_lock) |
| 85 | #define unlock_personas() lck_mtx_unlock(&all_personas_lock) |
| 86 | |
| 87 | extern kern_return_t bank_get_bank_ledger_thread_group_and_persona(void *voucher, |
| 88 | void *bankledger, void **banktg, uint32_t *persona_id); |
| 89 | void |
| 90 | ipc_voucher_release(void *voucher); |
| 91 | |
| 92 | struct persona * |
| 93 | persona_alloc(uid_t id, const char *login, persona_type_t type, char *path, uid_t uid, int *error) |
| 94 | { |
| 95 | struct persona *persona; |
| 96 | int err = 0; |
| 97 | |
| 98 | if (!login) { |
| 99 | pna_err("Must provide a login name for a new persona!"); |
| 100 | if (error) { |
| 101 | *error = EINVAL; |
| 102 | } |
| 103 | return NULL; |
| 104 | } |
| 105 | |
| 106 | if (type <= PERSONA_INVALID || type > PERSONA_TYPE_MAX) { |
| 107 | pna_err("Invalid type: %d", type); |
| 108 | if (error) { |
| 109 | *error = EINVAL; |
| 110 | } |
| 111 | return NULL; |
| 112 | } |
| 113 | |
| 114 | persona = zalloc_flags(persona_zone, Z_WAITOK | Z_ZERO | Z_NOFAIL); |
| 115 | |
| 116 | if (os_atomic_inc(&g_total_personas, relaxed) > MAX_PERSONAS) { |
| 117 | /* too many personas! */ |
| 118 | pna_err("too many active personas!"); |
| 119 | err = EBUSY; |
| 120 | goto out_error; |
| 121 | } |
| 122 | |
| 123 | strncpy(persona->pna_login, login, sizeof(persona->pna_login) - 1); |
| 124 | persona_dbg("Starting persona allocation for: '%s'", persona->pna_login); |
| 125 | |
| 126 | LIST_INIT(&persona->pna_members); |
| 127 | lck_mtx_init(lck: &persona->pna_lock, grp: &persona_lck_grp, LCK_ATTR_NULL); |
| 128 | os_ref_init(&persona->pna_refcount, &persona_refgrp); |
| 129 | |
| 130 | persona->pna_type = type; |
| 131 | persona->pna_id = id; |
| 132 | persona->pna_valid = PERSONA_ALLOC_TOKEN; |
| 133 | persona->pna_path = path; |
| 134 | persona->pna_uid = uid; |
| 135 | |
| 136 | /* |
| 137 | * NOTE: this persona has not been fully initialized. A subsequent |
| 138 | * call to persona_init_begin() followed by persona_init_end() will make |
| 139 | * the persona visible to the rest of the system. |
| 140 | */ |
| 141 | if (error) { |
| 142 | *error = 0; |
| 143 | } |
| 144 | return persona; |
| 145 | |
| 146 | out_error: |
| 147 | os_atomic_dec(&g_total_personas, relaxed); |
| 148 | zfree(persona_zone, persona); |
| 149 | if (error) { |
| 150 | *error = err; |
| 151 | } |
| 152 | return NULL; |
| 153 | } |
| 154 | |
| 155 | /** |
| 156 | * persona_init_begin |
| 157 | * |
| 158 | * This function begins initialization of a persona. It first acquires the |
| 159 | * global persona list lock via lock_personas(), then selects an appropriate |
| 160 | * persona ID and sets up the persona's credentials. This function *must* be |
| 161 | * followed by a call to persona_init_end() which will mark the persona |
| 162 | * structure as valid |
| 163 | * |
| 164 | * Conditions: |
| 165 | * persona has been allocated via persona_alloc() |
| 166 | * nothing locked |
| 167 | * |
| 168 | * Returns: |
| 169 | * global persona list is locked (even on error) |
| 170 | */ |
| 171 | int |
| 172 | persona_init_begin(struct persona *persona) |
| 173 | { |
| 174 | struct persona *tmp; |
| 175 | int err = 0; |
| 176 | uid_t id; |
| 177 | |
| 178 | if (!persona || (persona->pna_valid != PERSONA_ALLOC_TOKEN)) { |
| 179 | return EINVAL; |
| 180 | } |
| 181 | |
| 182 | id = persona->pna_id; |
| 183 | |
| 184 | lock_personas(); |
| 185 | try_again: |
| 186 | if (id == PERSONA_ID_NONE) { |
| 187 | persona->pna_id = g_next_persona_id; |
| 188 | } |
| 189 | |
| 190 | persona_dbg("Beginning Initialization of %d:%d (%s)...", id, persona->pna_id, persona->pna_login); |
| 191 | |
| 192 | err = 0; |
| 193 | LIST_FOREACH(tmp, &all_personas, pna_list) { |
| 194 | persona_lock(tmp); |
| 195 | if (id == PERSONA_ID_NONE && tmp->pna_id == persona->pna_id) { |
| 196 | persona_unlock(tmp); |
| 197 | /* |
| 198 | * someone else manually claimed this ID, and we're |
| 199 | * trying to allocate an ID for the caller: try again |
| 200 | */ |
| 201 | g_next_persona_id += PERSONA_ID_STEP; |
| 202 | goto try_again; |
| 203 | } |
| 204 | if (strncmp(s1: tmp->pna_login, s2: persona->pna_login, n: sizeof(tmp->pna_login)) == 0 || |
| 205 | tmp->pna_id == persona->pna_id) { |
| 206 | persona_unlock(tmp); |
| 207 | /* |
| 208 | * Disallow use of identical login names and re-use |
| 209 | * of previously allocated persona IDs |
| 210 | */ |
| 211 | err = EEXIST; |
| 212 | break; |
| 213 | } |
| 214 | persona_unlock(tmp); |
| 215 | } |
| 216 | if (err) { |
| 217 | goto out; |
| 218 | } |
| 219 | |
| 220 | /* if the kernel supplied the persona ID, increment for next time */ |
| 221 | if (id == PERSONA_ID_NONE) { |
| 222 | g_next_persona_id += PERSONA_ID_STEP; |
| 223 | } |
| 224 | |
| 225 | persona->pna_valid = PERSONA_INIT_TOKEN; |
| 226 | |
| 227 | out: |
| 228 | if (err != 0) { |
| 229 | persona_dbg("ERROR:%d while initializing %d:%d (%s)...", err, id, persona->pna_id, persona->pna_login); |
| 230 | /* |
| 231 | * mark the persona with an error so that persona_init_end() |
| 232 | * will *not* add it to the global list. |
| 233 | */ |
| 234 | persona->pna_id = PERSONA_ID_NONE; |
| 235 | } |
| 236 | |
| 237 | /* |
| 238 | * leave the global persona list locked: it will be |
| 239 | * unlocked in a call to persona_init_end() |
| 240 | */ |
| 241 | return err; |
| 242 | } |
| 243 | |
| 244 | /** |
| 245 | * persona_init_end |
| 246 | * |
| 247 | * This function finalizes the persona initialization by marking it valid and |
| 248 | * adding it to the global list of personas. After unlocking the global list, |
| 249 | * the persona will be visible to the reset of the system. The function will |
| 250 | * only mark the persona valid if the input parameter 'error' is 0. |
| 251 | * |
| 252 | * Conditions: |
| 253 | * persona is initialized via persona_init_begin() |
| 254 | * global persona list is locked via lock_personas() |
| 255 | * |
| 256 | * Returns: |
| 257 | * global persona list is unlocked |
| 258 | */ |
| 259 | void |
| 260 | persona_init_end(struct persona *persona, int error) |
| 261 | { |
| 262 | if (persona == NULL) { |
| 263 | return; |
| 264 | } |
| 265 | |
| 266 | /* |
| 267 | * If the pna_valid member is set to the INIT_TOKEN value, then it has |
| 268 | * successfully gone through persona_init_begin(), and we can mark it |
| 269 | * valid and make it visible to the rest of the system. However, if |
| 270 | * there was an error either during initialization or otherwise, we |
| 271 | * need to decrement the global count of personas because this one |
| 272 | * will be disposed-of by the callers invocation of persona_put(). |
| 273 | */ |
| 274 | if (error != 0 || persona->pna_valid == PERSONA_ALLOC_TOKEN) { |
| 275 | persona_dbg("ERROR:%d after initialization of %d (%s)", error, persona->pna_id, persona->pna_login); |
| 276 | /* remove this persona from the global count */ |
| 277 | os_atomic_dec(&g_total_personas, relaxed); |
| 278 | } else if (error == 0 && |
| 279 | persona->pna_valid == PERSONA_INIT_TOKEN) { |
| 280 | persona->pna_valid = PERSONA_MAGIC; |
| 281 | LIST_INSERT_HEAD(&all_personas, persona, pna_list); |
| 282 | persona_dbg("Initialization of %d (%s) Complete.", persona->pna_id, persona->pna_login); |
| 283 | } |
| 284 | |
| 285 | unlock_personas(); |
| 286 | } |
| 287 | |
| 288 | static struct persona * |
| 289 | persona_get_locked(struct persona *persona) |
| 290 | { |
| 291 | os_ref_retain_locked(rc: &persona->pna_refcount); |
| 292 | return persona; |
| 293 | } |
| 294 | |
| 295 | struct persona * |
| 296 | persona_get(struct persona *persona) |
| 297 | { |
| 298 | struct persona *ret; |
| 299 | if (!persona) { |
| 300 | return NULL; |
| 301 | } |
| 302 | persona_lock(persona); |
| 303 | ret = persona_get_locked(persona); |
| 304 | persona_unlock(persona); |
| 305 | |
| 306 | return ret; |
| 307 | } |
| 308 | |
| 309 | struct persona * |
| 310 | proc_persona_get(proc_t p) |
| 311 | { |
| 312 | proc_lock(p); |
| 313 | struct persona *persona = persona_get(persona: p->p_persona); |
| 314 | proc_unlock(p); |
| 315 | |
| 316 | return persona; |
| 317 | } |
| 318 | |
| 319 | static void |
| 320 | persona_put_and_unlock(struct persona *persona) |
| 321 | { |
| 322 | int destroy = 0; |
| 323 | |
| 324 | if (os_ref_release_locked(rc: &persona->pna_refcount) == 0) { |
| 325 | destroy = 1; |
| 326 | } |
| 327 | persona_unlock(persona); |
| 328 | |
| 329 | if (!destroy) { |
| 330 | return; |
| 331 | } |
| 332 | |
| 333 | persona_dbg("Destroying persona %s", persona_desc(persona, 0)); |
| 334 | |
| 335 | /* remove it from the global list and decrement the count */ |
| 336 | lock_personas(); |
| 337 | persona_lock(persona); |
| 338 | if (persona_valid(persona)) { |
| 339 | LIST_REMOVE(persona, pna_list); |
| 340 | if (os_atomic_dec_orig(&g_total_personas, relaxed) == 0) { |
| 341 | panic("persona count underflow!"); |
| 342 | } |
| 343 | persona_mkinvalid(persona); |
| 344 | } |
| 345 | if (persona->pna_path != NULL) { |
| 346 | zfree(ZV_NAMEI, persona->pna_path); |
| 347 | } |
| 348 | persona_unlock(persona); |
| 349 | unlock_personas(); |
| 350 | |
| 351 | assert(LIST_EMPTY(&persona->pna_members)); |
| 352 | memset(s: persona, c: 0, n: sizeof(*persona)); |
| 353 | zfree(persona_zone, persona); |
| 354 | } |
| 355 | |
| 356 | void |
| 357 | persona_put(struct persona *persona) |
| 358 | { |
| 359 | if (persona) { |
| 360 | persona_lock(persona); |
| 361 | persona_put_and_unlock(persona); |
| 362 | } |
| 363 | } |
| 364 | |
| 365 | uid_t |
| 366 | persona_get_id(struct persona *persona) |
| 367 | { |
| 368 | if (persona) { |
| 369 | return persona->pna_id; |
| 370 | } |
| 371 | return PERSONA_ID_NONE; |
| 372 | } |
| 373 | |
| 374 | struct persona * |
| 375 | persona_lookup(uid_t id) |
| 376 | { |
| 377 | struct persona *persona, *tmp; |
| 378 | |
| 379 | persona = NULL; |
| 380 | |
| 381 | /* |
| 382 | * simple, linear lookup for now: there shouldn't be too many |
| 383 | * of these in memory at any given time. |
| 384 | */ |
| 385 | lock_personas(); |
| 386 | LIST_FOREACH(tmp, &all_personas, pna_list) { |
| 387 | persona_lock(tmp); |
| 388 | if (tmp->pna_id == id && persona_valid(tmp)) { |
| 389 | persona = persona_get_locked(persona: tmp); |
| 390 | persona_unlock(tmp); |
| 391 | break; |
| 392 | } |
| 393 | persona_unlock(tmp); |
| 394 | } |
| 395 | unlock_personas(); |
| 396 | |
| 397 | return persona; |
| 398 | } |
| 399 | |
| 400 | struct persona * |
| 401 | persona_lookup_and_invalidate(uid_t id) |
| 402 | { |
| 403 | struct persona *persona, *entry, *tmp; |
| 404 | |
| 405 | persona = NULL; |
| 406 | |
| 407 | lock_personas(); |
| 408 | LIST_FOREACH_SAFE(entry, &all_personas, pna_list, tmp) { |
| 409 | persona_lock(entry); |
| 410 | if (entry->pna_id == id) { |
| 411 | if (persona_valid(entry)) { |
| 412 | persona = persona_get_locked(persona: entry); |
| 413 | assert(persona != NULL); |
| 414 | LIST_REMOVE(persona, pna_list); |
| 415 | if (os_atomic_dec_orig(&g_total_personas, relaxed) == 0) { |
| 416 | panic("persona ref count underflow!"); |
| 417 | } |
| 418 | persona_mkinvalid(persona); |
| 419 | } |
| 420 | persona_unlock(entry); |
| 421 | break; |
| 422 | } |
| 423 | persona_unlock(entry); |
| 424 | } |
| 425 | unlock_personas(); |
| 426 | |
| 427 | return persona; |
| 428 | } |
| 429 | |
| 430 | int |
| 431 | persona_find_by_type(persona_type_t persona_type, struct persona **persona, size_t *plen) |
| 432 | { |
| 433 | return persona_find_all(NULL, PERSONA_ID_NONE, persona_type, persona, plen); |
| 434 | } |
| 435 | |
| 436 | int |
| 437 | persona_find(const char *login, uid_t uid, |
| 438 | struct persona **persona, size_t *plen) |
| 439 | { |
| 440 | return persona_find_all(login, uid, persona_type: PERSONA_INVALID, persona, plen); |
| 441 | } |
| 442 | |
| 443 | int |
| 444 | persona_find_all(const char *login, uid_t uid, persona_type_t persona_type, |
| 445 | struct persona **persona, size_t *plen) |
| 446 | { |
| 447 | struct persona *tmp; |
| 448 | int match = 0; |
| 449 | size_t found = 0; |
| 450 | |
| 451 | if (login) { |
| 452 | match++; |
| 453 | } |
| 454 | if (uid != PERSONA_ID_NONE) { |
| 455 | match++; |
| 456 | } |
| 457 | if ((persona_type > PERSONA_INVALID) && (persona_type <= PERSONA_TYPE_MAX)) { |
| 458 | match++; |
| 459 | } else if (persona_type != PERSONA_INVALID) { |
| 460 | return EINVAL; |
| 461 | } |
| 462 | |
| 463 | if (match == 0) { |
| 464 | return EINVAL; |
| 465 | } |
| 466 | |
| 467 | persona_dbg("Searching with %d parameters (l:\"%s\", u:%d)", |
| 468 | match, login, uid); |
| 469 | |
| 470 | lock_personas(); |
| 471 | LIST_FOREACH(tmp, &all_personas, pna_list) { |
| 472 | int m = 0; |
| 473 | persona_lock(tmp); |
| 474 | if (login && strncmp(s1: tmp->pna_login, s2: login, n: sizeof(tmp->pna_login)) == 0) { |
| 475 | m++; |
| 476 | } |
| 477 | if (uid != PERSONA_ID_NONE && uid == tmp->pna_id) { |
| 478 | m++; |
| 479 | } |
| 480 | if (persona_type != PERSONA_INVALID && persona_type == tmp->pna_type) { |
| 481 | m++; |
| 482 | } |
| 483 | if (m == match) { |
| 484 | if (persona && *plen > found) { |
| 485 | persona[found] = persona_get_locked(persona: tmp); |
| 486 | } |
| 487 | found++; |
| 488 | } |
| 489 | #ifdef PERSONA_DEBUG |
| 490 | if (m > 0) { |
| 491 | persona_dbg("ID:%d Matched %d/%d, found:%d, *plen:%d", |
| 492 | tmp->pna_id, m, match, (int)found, (int)*plen); |
| 493 | } |
| 494 | #endif |
| 495 | persona_unlock(tmp); |
| 496 | } |
| 497 | unlock_personas(); |
| 498 | |
| 499 | *plen = found; |
| 500 | if (!found) { |
| 501 | return ESRCH; |
| 502 | } |
| 503 | return 0; |
| 504 | } |
| 505 | |
| 506 | struct persona * |
| 507 | persona_proc_get(pid_t pid) |
| 508 | { |
| 509 | proc_t p = proc_find(pid); |
| 510 | if (!p) { |
| 511 | return NULL; |
| 512 | } |
| 513 | |
| 514 | struct persona *persona = proc_persona_get(p); |
| 515 | |
| 516 | proc_rele(p); |
| 517 | |
| 518 | return persona; |
| 519 | } |
| 520 | |
| 521 | uid_t |
| 522 | current_persona_get_id(void) |
| 523 | { |
| 524 | uid_t current_persona_id = PERSONA_ID_NONE; |
| 525 | ipc_voucher_t voucher; |
| 526 | |
| 527 | thread_get_mach_voucher(thr_act: current_thread(), which: 0, voucher: &voucher); |
| 528 | /* returns a voucher ref */ |
| 529 | if (voucher != IPC_VOUCHER_NULL) { |
| 530 | /* |
| 531 | * If the voucher doesn't contain a bank attribute, it uses |
| 532 | * the default bank task value to determine the persona id |
| 533 | * which is the same as the proc's persona id |
| 534 | */ |
| 535 | bank_get_bank_ledger_thread_group_and_persona(voucher, NULL, |
| 536 | NULL, persona_id: ¤t_persona_id); |
| 537 | ipc_voucher_release(voucher); |
| 538 | } else { |
| 539 | /* Fallback - get the proc's persona */ |
| 540 | current_persona_id = proc_persona_id(current_proc()); |
| 541 | } |
| 542 | return current_persona_id; |
| 543 | } |
| 544 | |
| 545 | struct persona * |
| 546 | current_persona_get(void) |
| 547 | { |
| 548 | struct persona *persona = NULL; |
| 549 | uid_t current_persona_id = PERSONA_ID_NONE; |
| 550 | |
| 551 | current_persona_id = current_persona_get_id(); |
| 552 | persona = persona_lookup(id: current_persona_id); |
| 553 | return persona; |
| 554 | } |
| 555 | |
| 556 | typedef enum e_persona_reset_op { |
| 557 | PROC_REMOVE_PERSONA = 1, |
| 558 | PROC_RESET_OLD_PERSONA = 2, |
| 559 | } persona_reset_op_t; |
| 560 | |
| 561 | /* |
| 562 | * internal cleanup routine for proc_set_persona_internal |
| 563 | * |
| 564 | */ |
| 565 | static struct persona * |
| 566 | proc_reset_persona_internal(proc_t p, persona_reset_op_t op, |
| 567 | struct persona *old_persona, |
| 568 | struct persona *new_persona) |
| 569 | { |
| 570 | #if (DEVELOPMENT || DEBUG) |
| 571 | persona_lock_assert_held(new_persona); |
| 572 | #endif |
| 573 | |
| 574 | switch (op) { |
| 575 | case PROC_REMOVE_PERSONA: |
| 576 | old_persona = p->p_persona; |
| 577 | OS_FALLTHROUGH; |
| 578 | case PROC_RESET_OLD_PERSONA: |
| 579 | break; |
| 580 | default: |
| 581 | /* invalid arguments */ |
| 582 | return NULL; |
| 583 | } |
| 584 | |
| 585 | /* unlock the new persona (locked on entry) */ |
| 586 | persona_unlock(new_persona); |
| 587 | /* lock the old persona and the process */ |
| 588 | assert(old_persona != NULL); |
| 589 | persona_lock(old_persona); |
| 590 | proc_lock(p); |
| 591 | |
| 592 | switch (op) { |
| 593 | case PROC_REMOVE_PERSONA: |
| 594 | LIST_REMOVE(p, p_persona_list); |
| 595 | p->p_persona = NULL; |
| 596 | break; |
| 597 | case PROC_RESET_OLD_PERSONA: |
| 598 | p->p_persona = old_persona; |
| 599 | LIST_INSERT_HEAD(&old_persona->pna_members, p, p_persona_list); |
| 600 | break; |
| 601 | } |
| 602 | |
| 603 | proc_unlock(p); |
| 604 | persona_unlock(old_persona); |
| 605 | |
| 606 | /* re-lock the new persona */ |
| 607 | persona_lock(new_persona); |
| 608 | return old_persona; |
| 609 | } |
| 610 | |
| 611 | /* |
| 612 | * Assumes persona is locked. |
| 613 | * On success, takes a reference to 'persona' and returns the |
| 614 | * previous persona the process had adopted. The caller is |
| 615 | * responsible to release the reference. |
| 616 | */ |
| 617 | static struct persona * |
| 618 | proc_set_persona_internal( |
| 619 | proc_t p, |
| 620 | struct persona *persona, |
| 621 | kauth_cred_derive_t derive_fn, |
| 622 | int *rlim_error) |
| 623 | { |
| 624 | struct persona *old_persona = NULL; |
| 625 | uid_t old_uid, new_uid; |
| 626 | size_t count; |
| 627 | rlim_t nproc = proc_limitgetcur(p, RLIMIT_NPROC); |
| 628 | |
| 629 | /* |
| 630 | * This operation must be done under the proc trans lock |
| 631 | * by the thread which took the trans lock! |
| 632 | */ |
| 633 | assert(((p->p_lflag & P_LINTRANSIT) == P_LINTRANSIT) && |
| 634 | p->p_transholder == current_thread()); |
| 635 | assert(persona != NULL); |
| 636 | |
| 637 | /* no work to do if we "re-adopt" the same persona */ |
| 638 | if (p->p_persona == persona) { |
| 639 | return NULL; |
| 640 | } |
| 641 | |
| 642 | /* |
| 643 | * If p is in a persona, then we need to remove 'p' from the list of |
| 644 | * processes in that persona. To do this, we need to drop the lock |
| 645 | * held on the incoming (new) persona and lock the old one. |
| 646 | */ |
| 647 | if (p->p_persona) { |
| 648 | old_persona = proc_reset_persona_internal(p, op: PROC_REMOVE_PERSONA, |
| 649 | NULL, new_persona: persona); |
| 650 | } |
| 651 | |
| 652 | /* |
| 653 | * Check to see if we will hit a proc rlimit by moving the process |
| 654 | * into the persona. If so, we'll bail early before actually moving |
| 655 | * the process or changing its credentials. |
| 656 | */ |
| 657 | new_uid = persona->pna_id; |
| 658 | |
| 659 | if (new_uid != 0 && |
| 660 | (rlim_t)chgproccnt(uid: new_uid, diff: 0) > nproc) { |
| 661 | pna_err("PID:%d hit proc rlimit in new persona(%d): %s", |
| 662 | proc_getpid(p), new_uid, persona_desc(persona, 1)); |
| 663 | |
| 664 | *rlim_error = EACCES; |
| 665 | |
| 666 | if (old_persona) { |
| 667 | (void)proc_reset_persona_internal(p, op: PROC_RESET_OLD_PERSONA, |
| 668 | old_persona, new_persona: persona); |
| 669 | } |
| 670 | |
| 671 | return NULL; |
| 672 | } |
| 673 | |
| 674 | *rlim_error = 0; |
| 675 | |
| 676 | if (old_persona) { |
| 677 | old_uid = old_persona->pna_id; |
| 678 | } else { |
| 679 | /* proc_ucred_unsafe() is OK because p is a fork/exec/... child */ |
| 680 | old_uid = kauth_cred_getruid(cred: proc_ucred_unsafe(p)); |
| 681 | } |
| 682 | |
| 683 | if (derive_fn) { |
| 684 | kauth_cred_proc_update(p, action: PROC_SETTOKEN_SETUGID, fn: derive_fn); |
| 685 | } |
| 686 | |
| 687 | if (new_uid != old_uid) { |
| 688 | count = chgproccnt(uid: old_uid, diff: -1); |
| 689 | persona_dbg("Decrement %s:%d proc_count to: %lu", |
| 690 | old_persona ? "Persona": "UID", old_uid, count); |
| 691 | |
| 692 | /* |
| 693 | * Increment the proc count on the UID associated with |
| 694 | * the new persona. Enforce the resource limit just |
| 695 | * as in fork1() |
| 696 | */ |
| 697 | count = chgproccnt(uid: new_uid, diff: 1); |
| 698 | persona_dbg("Increment Persona:%d proc_count to: %lu", |
| 699 | new_uid, count); |
| 700 | } |
| 701 | |
| 702 | OSBitOrAtomic(P_ADOPTPERSONA, &p->p_flag); |
| 703 | |
| 704 | proc_lock(p); |
| 705 | p->p_persona = persona_get_locked(persona); |
| 706 | LIST_INSERT_HEAD(&persona->pna_members, p, p_persona_list); |
| 707 | proc_unlock(p); |
| 708 | |
| 709 | return old_persona; |
| 710 | } |
| 711 | |
| 712 | /* only called during fork or exec: child's ucred is stable */ |
| 713 | int |
| 714 | persona_proc_adopt( |
| 715 | proc_t p, |
| 716 | struct persona *persona, /* consumed */ |
| 717 | kauth_cred_derive_t derive_fn) |
| 718 | { |
| 719 | int error; |
| 720 | struct persona *old_persona; |
| 721 | |
| 722 | if (!persona) { |
| 723 | return EINVAL; |
| 724 | } |
| 725 | |
| 726 | persona_dbg("%d adopting Persona %d (%s)", proc_pid(p), |
| 727 | persona->pna_id, persona_desc(persona, 0)); |
| 728 | |
| 729 | persona_lock(persona); |
| 730 | if (!persona_valid(persona)) { |
| 731 | persona_dbg("Invalid persona (%s)!", persona_desc(persona, 1)); |
| 732 | persona_put_and_unlock(persona); |
| 733 | return EINVAL; |
| 734 | } |
| 735 | |
| 736 | /* |
| 737 | * assume the persona: this may drop and re-acquire the persona lock! |
| 738 | */ |
| 739 | error = 0; |
| 740 | old_persona = proc_set_persona_internal(p, persona, derive_fn, rlim_error: &error); |
| 741 | |
| 742 | /* Only Multiuser Mode needs to update the session login name to the persona name */ |
| 743 | #if XNU_TARGET_OS_IOS |
| 744 | uint32_t multiuser_flags = COMM_PAGE_READ(uint32_t, MULTIUSER_CONFIG); |
| 745 | /* set the login name of the session */ |
| 746 | if (multiuser_flags & kIsMultiUserDevice) { |
| 747 | struct pgrp *pg; |
| 748 | struct session *sessp; |
| 749 | |
| 750 | if ((pg = proc_pgrp(p, &sessp)) != PGRP_NULL) { |
| 751 | session_lock(sessp); |
| 752 | bcopy(persona->pna_login, sessp->s_login, MAXLOGNAME); |
| 753 | session_unlock(sessp); |
| 754 | pgrp_rele(pg); |
| 755 | } |
| 756 | } |
| 757 | #endif |
| 758 | persona_put_and_unlock(persona); |
| 759 | |
| 760 | /* |
| 761 | * Drop the reference to the old persona. |
| 762 | */ |
| 763 | if (old_persona) { |
| 764 | persona_put(persona: old_persona); |
| 765 | } |
| 766 | |
| 767 | persona_dbg("%s", error == 0 ? "SUCCESS": "FAILED"); |
| 768 | return error; |
| 769 | } |
| 770 | |
| 771 | int |
| 772 | persona_proc_drop(proc_t p) |
| 773 | { |
| 774 | struct persona *persona = NULL; |
| 775 | |
| 776 | persona_dbg("PID:%d, %s -> <none>", proc_getpid(p), persona_desc(p->p_persona, 0)); |
| 777 | |
| 778 | /* |
| 779 | * There are really no other credentials for us to assume, |
| 780 | * so we'll just continue running with the credentials |
| 781 | * we got from the persona. |
| 782 | */ |
| 783 | |
| 784 | /* |
| 785 | * the locks must be taken in reverse order here, so |
| 786 | * we have to be careful not to cause deadlock |
| 787 | */ |
| 788 | try_again: |
| 789 | proc_lock(p); |
| 790 | if (p->p_persona) { |
| 791 | uid_t puid, ruid; |
| 792 | if (!persona_try_lock(p->p_persona)) { |
| 793 | proc_unlock(p); |
| 794 | mutex_pause(0); /* back-off time */ |
| 795 | goto try_again; |
| 796 | } |
| 797 | persona = p->p_persona; |
| 798 | LIST_REMOVE(p, p_persona_list); |
| 799 | p->p_persona = NULL; |
| 800 | |
| 801 | smr_proc_task_enter(); |
| 802 | ruid = kauth_cred_getruid(cred: proc_ucred_smr(p)); |
| 803 | smr_proc_task_leave(); |
| 804 | |
| 805 | puid = persona->pna_id; |
| 806 | proc_unlock(p); |
| 807 | (void)chgproccnt(uid: ruid, diff: 1); |
| 808 | (void)chgproccnt(uid: puid, diff: -1); |
| 809 | } else { |
| 810 | proc_unlock(p); |
| 811 | } |
| 812 | |
| 813 | /* |
| 814 | * if the proc had a persona, then it is still locked here |
| 815 | * (preserving proper lock ordering) |
| 816 | */ |
| 817 | |
| 818 | if (persona) { |
| 819 | persona_unlock(persona); |
| 820 | persona_put(persona); |
| 821 | } |
| 822 | |
| 823 | return 0; |
| 824 | } |
| 825 | |
| 826 | int |
| 827 | persona_get_type(struct persona *persona) |
| 828 | { |
| 829 | int type; |
| 830 | |
| 831 | if (!persona) { |
| 832 | return PERSONA_INVALID; |
| 833 | } |
| 834 | |
| 835 | persona_lock(persona); |
| 836 | if (!persona_valid(persona)) { |
| 837 | persona_unlock(persona); |
| 838 | return PERSONA_INVALID; |
| 839 | } |
| 840 | type = persona->pna_type; |
| 841 | persona_unlock(persona); |
| 842 | |
| 843 | return type; |
| 844 | } |
| 845 | |
| 846 | uid_t |
| 847 | persona_get_uid(struct persona *persona) |
| 848 | { |
| 849 | uid_t uid = KAUTH_UID_NONE; |
| 850 | |
| 851 | if (!persona) { |
| 852 | return KAUTH_UID_NONE; |
| 853 | } |
| 854 | |
| 855 | persona_lock(persona); |
| 856 | if (persona_valid(persona)) { |
| 857 | uid = persona->pna_uid; |
| 858 | } |
| 859 | persona_unlock(persona); |
| 860 | |
| 861 | return uid; |
| 862 | } |
| 863 | |
| 864 | boolean_t |
| 865 | persona_is_adoption_allowed(struct persona *persona) |
| 866 | { |
| 867 | if (!persona) { |
| 868 | return FALSE; |
| 869 | } |
| 870 | int type = persona->pna_type; |
| 871 | return type == PERSONA_SYSTEM || type == PERSONA_SYSTEM_PROXY; |
| 872 | } |
| 873 | |
| 874 | #else /* !CONFIG_PERSONAS */ |
| 875 | |
| 876 | /* |
| 877 | * symbol exports for kext compatibility |
| 878 | */ |
| 879 | |
| 880 | uid_t |
| 881 | persona_get_id(__unused struct persona *persona) |
| 882 | { |
| 883 | return PERSONA_ID_NONE; |
| 884 | } |
| 885 | |
| 886 | uid_t |
| 887 | persona_get_uid(__unused struct persona *persona) |
| 888 | { |
| 889 | return KAUTH_UID_NONE; |
| 890 | } |
| 891 | |
| 892 | int |
| 893 | persona_get_type(__unused struct persona *persona) |
| 894 | { |
| 895 | return PERSONA_INVALID; |
| 896 | } |
| 897 | |
| 898 | struct persona * |
| 899 | persona_lookup(__unused uid_t id) |
| 900 | { |
| 901 | return NULL; |
| 902 | } |
| 903 | |
| 904 | int |
| 905 | persona_find(__unused const char *login, |
| 906 | __unused uid_t uid, |
| 907 | __unused struct persona **persona, |
| 908 | __unused size_t *plen) |
| 909 | { |
| 910 | return ENOTSUP; |
| 911 | } |
| 912 | |
| 913 | int |
| 914 | persona_find_by_type(__unused int persona_type, |
| 915 | __unused struct persona **persona, |
| 916 | __unused size_t *plen) |
| 917 | { |
| 918 | return ENOTSUP; |
| 919 | } |
| 920 | |
| 921 | struct persona * |
| 922 | persona_proc_get(__unused pid_t pid) |
| 923 | { |
| 924 | return NULL; |
| 925 | } |
| 926 | |
| 927 | uid_t |
| 928 | current_persona_get_id(void) |
| 929 | { |
| 930 | return PERSONA_ID_NONE; |
| 931 | } |
| 932 | |
| 933 | struct persona * |
| 934 | current_persona_get(void) |
| 935 | { |
| 936 | return NULL; |
| 937 | } |
| 938 | |
| 939 | struct persona * |
| 940 | persona_get(struct persona *persona) |
| 941 | { |
| 942 | return persona; |
| 943 | } |
| 944 | |
| 945 | struct persona * |
| 946 | proc_persona_get(__unused proc_t p) |
| 947 | { |
| 948 | return NULL; |
| 949 | } |
| 950 | |
| 951 | void |
| 952 | persona_put(__unused struct persona *persona) |
| 953 | { |
| 954 | return; |
| 955 | } |
| 956 | |
| 957 | boolean_t |
| 958 | persona_is_adoption_allowed(__unused struct persona *persona) |
| 959 | { |
| 960 | return FALSE; |
| 961 | } |
| 962 | #endif |
| 963 |
Generated on 2024-Jun-06 from project xnu revision 10063.121.3
Powered by 
Code Browser 2.1
Generator usage only permitted with license.