1 | /* |
2 | * Copyright (c) 2015-2023 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | |
29 | #include <string.h> |
30 | |
31 | #include <kern/thread_call.h> |
32 | #include <kern/zalloc.h> |
33 | |
34 | #include <net/if.h> |
35 | #include <net/if_var.h> |
36 | #include <net/net_api_stats.h> |
37 | #include <net/necp.h> |
38 | #include <net/network_agent.h> |
39 | #include <net/ntstat.h> |
40 | |
41 | #include <netinet/in_pcb.h> |
42 | #include <netinet/in_var.h> |
43 | #include <netinet/ip.h> |
44 | #include <netinet/ip6.h> |
45 | #include <netinet/mp_pcb.h> |
46 | #include <netinet/tcp_cc.h> |
47 | #include <netinet/tcp_fsm.h> |
48 | #include <netinet/tcp_cache.h> |
49 | #include <netinet6/in6_var.h> |
50 | |
51 | #include <sys/domain.h> |
52 | #include <sys/file_internal.h> |
53 | #include <sys/kauth.h> |
54 | #include <sys/kernel.h> |
55 | #include <sys/malloc.h> |
56 | #include <sys/poll.h> |
57 | #include <sys/priv.h> |
58 | #include <sys/protosw.h> |
59 | #include <sys/queue.h> |
60 | #include <sys/socket.h> |
61 | #include <sys/socketvar.h> |
62 | #include <sys/sysproto.h> |
63 | #include <sys/systm.h> |
64 | #include <sys/types.h> |
65 | #include <sys/codesign.h> |
66 | #include <libkern/section_keywords.h> |
67 | #include <IOKit/IOBSD.h> |
68 | |
69 | #include <os/refcnt.h> |
70 | |
71 | #include <CoreEntitlements/CoreEntitlements.h> |
72 | |
73 | #if SKYWALK |
74 | #include <skywalk/os_skywalk_private.h> |
75 | #include <skywalk/nexus/flowswitch/flow/flow_var.h> |
76 | #include <skywalk/nexus/flowswitch/nx_flowswitch.h> |
77 | #endif /* SKYWALK */ |
78 | |
79 | #if CONFIG_MACF |
80 | #include <security/mac_framework.h> |
81 | #endif |
82 | |
83 | /* |
84 | * NECP Client Architecture |
85 | * ------------------------------------------------ |
86 | * See <net/necp.c> for a discussion on NECP database architecture. |
87 | * |
88 | * Each client of NECP provides a set of parameters for a connection or network state |
89 | * evaluation, on which NECP policy evaluation is run. This produces a policy result |
90 | * which can be accessed by the originating process, along with events for when policies |
91 | * results have changed. |
92 | * |
93 | * ------------------------------------------------ |
94 | * NECP Client FD |
95 | * ------------------------------------------------ |
96 | * A process opens an NECP file descriptor using necp_open(). This is a very simple |
97 | * file descriptor, upon which the process may do the following operations: |
98 | * - necp_client_action(...), to add/remove/query clients |
99 | * - kqueue, to watch for readable events |
100 | * - close(), to close the client session and release all clients |
101 | * |
102 | * Client objects are allocated structures that hang off of the file descriptor. Each |
103 | * client contains: |
104 | * - Client ID, a UUID that references the client across the system |
105 | * - Parameters, a buffer of TLVs that describe the client's connection parameters, |
106 | * such as the remote and local endpoints, interface requirements, etc. |
107 | * - Result, a buffer of TLVs containing the current policy evaluation for the client. |
108 | * This result will be updated whenever a network change occurs that impacts the |
109 | * policy result for that client. |
110 | * |
111 | * +--------------+ |
112 | * | NECP fd | |
113 | * +--------------+ |
114 | * || |
115 | * ================================== |
116 | * || || || |
117 | * +--------------+ +--------------+ +--------------+ |
118 | * | Client ID | | Client ID | | Client ID | |
119 | * | ---- | | ---- | | ---- | |
120 | * | Parameters | | Parameters | | Parameters | |
121 | * | ---- | | ---- | | ---- | |
122 | * | Result | | Result | | Result | |
123 | * +--------------+ +--------------+ +--------------+ |
124 | * |
125 | * ------------------------------------------------ |
126 | * Client Actions |
127 | * ------------------------------------------------ |
128 | * - Add. Input parameters as a buffer of TLVs, and output a client ID. Allocates a |
129 | * new client structure on the file descriptor. |
130 | * - Remove. Input a client ID. Removes a client structure from the file descriptor. |
131 | * - Copy Parameters. Input a client ID, and output parameter TLVs. |
132 | * - Copy Result. Input a client ID, and output result TLVs. Alternatively, input empty |
133 | * client ID and get next unread client result. |
134 | * - Copy List. List all client IDs. |
135 | * |
136 | * ------------------------------------------------ |
137 | * Client Policy Evaluation |
138 | * ------------------------------------------------ |
139 | * Policies are evaluated for clients upon client creation, and upon update events, |
140 | * which are network/agent/policy changes coalesced by a timer. |
141 | * |
142 | * The policy evaluation goes through the following steps: |
143 | * 1. Parse client parameters. |
144 | * 2. Select a scoped interface if applicable. This involves using require/prohibit |
145 | * parameters, along with the local address, to select the most appropriate interface |
146 | * if not explicitly set by the client parameters. |
147 | * 3. Run NECP application-level policy evalution |
148 | * 4. Set policy result into client result buffer. |
149 | * |
150 | * ------------------------------------------------ |
151 | * Client Observers |
152 | * ------------------------------------------------ |
153 | * If necp_open() is called with the NECP_OPEN_FLAG_OBSERVER flag, and the process |
154 | * passes the necessary privilege check, the fd is allowed to use necp_client_action() |
155 | * to copy client state attached to the file descriptors of other processes, and to |
156 | * list all client IDs on the system. |
157 | */ |
158 | |
159 | extern u_int32_t necp_debug; |
160 | |
161 | static int necpop_select(struct fileproc *, int, void *, vfs_context_t); |
162 | static int necpop_close(struct fileglob *, vfs_context_t); |
163 | static int necpop_kqfilter(struct fileproc *, struct knote *, struct kevent_qos_s *); |
164 | |
165 | // Timer functions |
166 | static int necp_timeout_microseconds = 1000 * 100; // 100ms |
167 | static int necp_timeout_leeway_microseconds = 1000 * 50; // 50ms |
168 | #if SKYWALK |
169 | static int necp_collect_stats_timeout_microseconds = 1000 * 1000 * 1; // 1s |
170 | static int necp_collect_stats_timeout_leeway_microseconds = 1000 * 500; // 500ms |
171 | static int necp_close_arenas_timeout_microseconds = 1000 * 1000 * 10; // 10s |
172 | static int necp_close_arenas_timeout_leeway_microseconds = 1000 * 1000 * 1; // 1s |
173 | #endif /* SKYWALK */ |
174 | |
175 | static int necp_client_fd_count = 0; |
176 | static int necp_observer_fd_count = 0; |
177 | static int necp_client_count = 0; |
178 | static int necp_socket_flow_count = 0; |
179 | static int necp_if_flow_count = 0; |
180 | static int necp_observer_message_limit = 256; |
181 | |
182 | /* |
183 | * NECP client tracing control - |
184 | * |
185 | * necp_client_tracing_level : 1 for client trace, 2 for flow trace, 3 for parameter details |
186 | * necp_client_tracing_pid : match client with pid |
187 | */ |
188 | static int necp_client_tracing_level = 0; |
189 | static int necp_client_tracing_pid = 0; |
190 | |
191 | #define NECP_CLIENT_TRACE_LEVEL_CLIENT 1 |
192 | #define NECP_CLIENT_TRACE_LEVEL_FLOW 2 |
193 | #define NECP_CLIENT_TRACE_LEVEL_PARAMS 3 |
194 | |
195 | #define NECP_CLIENT_TRACE_PID_MATCHED(pid) \ |
196 | (pid == necp_client_tracing_pid) |
197 | |
198 | #define NECP_ENABLE_CLIENT_TRACE(level) \ |
199 | ((necp_client_tracing_level >= level && \ |
200 | (!necp_client_tracing_pid || NECP_CLIENT_TRACE_PID_MATCHED(client->proc_pid))) ? necp_client_tracing_level : 0) |
201 | |
202 | #define NECP_CLIENT_LOG(client, fmt, ...) \ |
203 | if (client && NECP_ENABLE_CLIENT_TRACE(NECP_CLIENT_TRACE_LEVEL_CLIENT)) { \ |
204 | uuid_string_t client_uuid_str = { }; \ |
205 | uuid_unparse_lower(client->client_id, client_uuid_str); \ |
206 | NECPLOG(LOG_NOTICE, "NECP_CLIENT_LOG <pid %d %s>: " fmt "\n", client ? client->proc_pid : 0, client_uuid_str, ##__VA_ARGS__); \ |
207 | } |
208 | |
209 | #define NECP_CLIENT_FLOW_LOG(client, flow, fmt, ...) \ |
210 | if (client && flow && NECP_ENABLE_CLIENT_TRACE(NECP_CLIENT_TRACE_LEVEL_FLOW)) { \ |
211 | uuid_string_t client_uuid_str = { }; \ |
212 | uuid_unparse_lower(client->client_id, client_uuid_str); \ |
213 | uuid_string_t flow_uuid_str = { }; \ |
214 | uuid_unparse_lower(flow->registration_id, flow_uuid_str); \ |
215 | NECPLOG(LOG_NOTICE, "NECP CLIENT FLOW TRACE <pid %d %s> <flow %s>: " fmt "\n", client ? client->proc_pid : 0, client_uuid_str, flow_uuid_str, ##__VA_ARGS__); \ |
216 | } |
217 | |
218 | #define NECP_CLIENT_PARAMS_LOG(client, fmt, ...) \ |
219 | if (client && NECP_ENABLE_CLIENT_TRACE(NECP_CLIENT_TRACE_LEVEL_PARAMS)) { \ |
220 | uuid_string_t client_uuid_str = { }; \ |
221 | uuid_unparse_lower(client->client_id, client_uuid_str); \ |
222 | NECPLOG(LOG_NOTICE, "NECP_CLIENT_PARAMS_LOG <pid %d %s>: " fmt "\n", client ? client->proc_pid : 0, client_uuid_str, ##__VA_ARGS__); \ |
223 | } |
224 | |
225 | #define NECP_SOCKET_PID(so) \ |
226 | ((so->so_flags & SOF_DELEGATED) ? so->e_pid : so->last_pid) |
227 | |
228 | #define NECP_ENABLE_SOCKET_TRACE(level) \ |
229 | ((necp_client_tracing_level >= level && \ |
230 | (!necp_client_tracing_pid || NECP_CLIENT_TRACE_PID_MATCHED(NECP_SOCKET_PID(so)))) ? necp_client_tracing_level : 0) |
231 | |
232 | #define NECP_SOCKET_PARAMS_LOG(so, fmt, ...) \ |
233 | if (so && NECP_ENABLE_SOCKET_TRACE(NECP_CLIENT_TRACE_LEVEL_PARAMS)) { \ |
234 | NECPLOG(LOG_NOTICE, "NECP_SOCKET_PARAMS_LOG <pid %d>: " fmt "\n", NECP_SOCKET_PID(so), ##__VA_ARGS__); \ |
235 | } |
236 | |
237 | #define NECP_SOCKET_ATTRIBUTE_LOG(fmt, ...) \ |
238 | if (necp_client_tracing_level >= NECP_CLIENT_TRACE_LEVEL_PARAMS) { \ |
239 | NECPLOG(LOG_NOTICE, "NECP_SOCKET_ATTRIBUTE_LOG: " fmt "\n", ##__VA_ARGS__); \ |
240 | } |
241 | |
242 | #define NECP_CLIENT_TRACKER_LOG(pid, fmt, ...) \ |
243 | if (pid) { \ |
244 | NECPLOG(LOG_NOTICE, "NECP_CLIENT_TRACKER_LOG <pid %d>: " fmt "\n", pid, ##__VA_ARGS__); \ |
245 | } |
246 | |
247 | #if SKYWALK |
248 | static int necp_arena_count = 0; |
249 | static int necp_sysctl_arena_count = 0; |
250 | static int necp_nexus_flow_count = 0; |
251 | |
252 | /* userspace stats sanity check range, same unit as TCP (see TCP_RTT_SCALE) */ |
253 | static uint32_t necp_client_stats_rtt_floor = 1; // 32us |
254 | static uint32_t necp_client_stats_rtt_ceiling = 1920000; // 60s |
255 | const static struct sk_stats_flow ntstat_sk_stats_zero; |
256 | #endif /* SKYWALK */ |
257 | |
258 | /* |
259 | * Global lock to protect socket inp_necp_attributes across updates. |
260 | * NECP updating these attributes and clients accessing these attributes |
261 | * must take this lock. |
262 | */ |
263 | static LCK_GRP_DECLARE(necp_socket_attr_lock_grp, "necpSocketAttrGroup" ); |
264 | LCK_MTX_DECLARE(necp_socket_attr_lock, &necp_socket_attr_lock_grp); |
265 | |
266 | os_refgrp_decl(static, necp_client_refgrp, "NECPClientRefGroup" , NULL); |
267 | |
268 | SYSCTL_INT(_net_necp, NECPCTL_CLIENT_FD_COUNT, client_fd_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_client_fd_count, 0, "" ); |
269 | SYSCTL_INT(_net_necp, NECPCTL_OBSERVER_FD_COUNT, observer_fd_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_observer_fd_count, 0, "" ); |
270 | SYSCTL_INT(_net_necp, NECPCTL_CLIENT_COUNT, client_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_client_count, 0, "" ); |
271 | SYSCTL_INT(_net_necp, NECPCTL_SOCKET_FLOW_COUNT, socket_flow_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_socket_flow_count, 0, "" ); |
272 | SYSCTL_INT(_net_necp, NECPCTL_IF_FLOW_COUNT, if_flow_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_if_flow_count, 0, "" ); |
273 | SYSCTL_INT(_net_necp, NECPCTL_OBSERVER_MESSAGE_LIMIT, observer_message_limit, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_observer_message_limit, 256, "" ); |
274 | SYSCTL_INT(_net_necp, NECPCTL_CLIENT_TRACING_LEVEL, necp_client_tracing_level, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_client_tracing_level, 0, "" ); |
275 | SYSCTL_INT(_net_necp, NECPCTL_CLIENT_TRACING_PID, necp_client_tracing_pid, CTLFLAG_LOCKED | CTLFLAG_RW, &necp_client_tracing_pid, 0, "" ); |
276 | |
277 | #if SKYWALK |
278 | SYSCTL_INT(_net_necp, NECPCTL_ARENA_COUNT, arena_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_arena_count, 0, "" ); |
279 | SYSCTL_INT(_net_necp, NECPCTL_SYSCTL_ARENA_COUNT, sysctl_arena_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_sysctl_arena_count, 0, "" ); |
280 | SYSCTL_INT(_net_necp, NECPCTL_NEXUS_FLOW_COUNT, nexus_flow_count, CTLFLAG_LOCKED | CTLFLAG_RD, &necp_nexus_flow_count, 0, "" ); |
281 | #if (DEVELOPMENT || DEBUG) |
282 | SYSCTL_UINT(_net_necp, OID_AUTO, collect_stats_interval_us, CTLFLAG_RW | CTLFLAG_LOCKED, &necp_collect_stats_timeout_microseconds, 0, "" ); |
283 | SYSCTL_UINT(_net_necp, OID_AUTO, necp_client_stats_rtt_floor, CTLFLAG_RW | CTLFLAG_LOCKED, &necp_client_stats_rtt_floor, 0, "" ); |
284 | SYSCTL_UINT(_net_necp, OID_AUTO, necp_client_stats_rtt_ceiling, CTLFLAG_RW | CTLFLAG_LOCKED, &necp_client_stats_rtt_ceiling, 0, "" ); |
285 | #endif /* (DEVELOPMENT || DEBUG) */ |
286 | #endif /* SKYWALK */ |
287 | |
288 | #define NECP_MAX_CLIENT_LIST_SIZE 1024 * 1024 // 1MB |
289 | #define NECP_MAX_AGENT_ACTION_SIZE 10 * 1024 // 10K |
290 | |
291 | extern int tvtohz(struct timeval *); |
292 | extern unsigned int get_maxmtu(struct rtentry *); |
293 | |
294 | // Parsed parameters |
295 | #define NECP_PARSED_PARAMETERS_FIELD_LOCAL_ADDR 0x00001 |
296 | #define NECP_PARSED_PARAMETERS_FIELD_REMOTE_ADDR 0x00002 |
297 | #define NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IF 0x00004 |
298 | #define NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_IF 0x00008 |
299 | #define NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IFTYPE 0x00010 |
300 | #define NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_IFTYPE 0x00020 |
301 | #define NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT 0x00040 |
302 | #define NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_AGENT 0x00080 |
303 | #define NECP_PARSED_PARAMETERS_FIELD_PREFERRED_AGENT 0x00100 |
304 | #define NECP_PARSED_PARAMETERS_FIELD_AVOIDED_AGENT 0x00200 |
305 | #define NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT_TYPE 0x00400 |
306 | #define NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_AGENT_TYPE 0x00800 |
307 | #define NECP_PARSED_PARAMETERS_FIELD_PREFERRED_AGENT_TYPE 0x01000 |
308 | #define NECP_PARSED_PARAMETERS_FIELD_AVOIDED_AGENT_TYPE 0x02000 |
309 | #define NECP_PARSED_PARAMETERS_FIELD_FLAGS 0x04000 |
310 | #define NECP_PARSED_PARAMETERS_FIELD_IP_PROTOCOL 0x08000 |
311 | #define NECP_PARSED_PARAMETERS_FIELD_EFFECTIVE_PID 0x10000 |
312 | #define NECP_PARSED_PARAMETERS_FIELD_EFFECTIVE_UUID 0x20000 |
313 | #define NECP_PARSED_PARAMETERS_FIELD_TRAFFIC_CLASS 0x40000 |
314 | #define NECP_PARSED_PARAMETERS_FIELD_LOCAL_PORT 0x80000 |
315 | #define NECP_PARSED_PARAMETERS_FIELD_DELEGATED_UPID 0x100000 |
316 | #define NECP_PARSED_PARAMETERS_FIELD_ETHERTYPE 0x200000 |
317 | #define NECP_PARSED_PARAMETERS_FIELD_TRANSPORT_PROTOCOL 0x400000 |
318 | #define NECP_PARSED_PARAMETERS_FIELD_LOCAL_ADDR_PREFERENCE 0x800000 |
319 | #define NECP_PARSED_PARAMETERS_FIELD_ATTRIBUTED_BUNDLE_IDENTIFIER 0x1000000 |
320 | #define NECP_PARSED_PARAMETERS_FIELD_PARENT_UUID 0x2000000 |
321 | #define NECP_PARSED_PARAMETERS_FIELD_FLOW_DEMUX_PATTERN 0x4000000 |
322 | #define NECP_PARSED_PARAMETERS_FIELD_UID 0x8000000 |
323 | #define NECP_PARSED_PARAMETERS_FIELD_PERSONA_ID 0x10000000 |
324 | |
325 | |
326 | #define NECP_MAX_INTERFACE_PARAMETERS 16 |
327 | #define NECP_MAX_AGENT_PARAMETERS 4 |
328 | struct necp_client_parsed_parameters { |
329 | u_int32_t valid_fields; |
330 | u_int32_t flags; |
331 | u_int64_t delegated_upid; |
332 | union necp_sockaddr_union local_addr; |
333 | union necp_sockaddr_union remote_addr; |
334 | u_int32_t required_interface_index; |
335 | char prohibited_interfaces[NECP_MAX_INTERFACE_PARAMETERS][IFXNAMSIZ]; |
336 | u_int8_t required_interface_type; |
337 | u_int8_t local_address_preference; |
338 | u_int8_t prohibited_interface_types[NECP_MAX_INTERFACE_PARAMETERS]; |
339 | struct necp_client_parameter_netagent_type required_netagent_types[NECP_MAX_AGENT_PARAMETERS]; |
340 | struct necp_client_parameter_netagent_type prohibited_netagent_types[NECP_MAX_AGENT_PARAMETERS]; |
341 | struct necp_client_parameter_netagent_type preferred_netagent_types[NECP_MAX_AGENT_PARAMETERS]; |
342 | struct necp_client_parameter_netagent_type avoided_netagent_types[NECP_MAX_AGENT_PARAMETERS]; |
343 | uuid_t required_netagents[NECP_MAX_AGENT_PARAMETERS]; |
344 | uuid_t prohibited_netagents[NECP_MAX_AGENT_PARAMETERS]; |
345 | uuid_t preferred_netagents[NECP_MAX_AGENT_PARAMETERS]; |
346 | uuid_t avoided_netagents[NECP_MAX_AGENT_PARAMETERS]; |
347 | u_int8_t ip_protocol; |
348 | u_int8_t transport_protocol; |
349 | u_int16_t ethertype; |
350 | pid_t effective_pid; |
351 | uuid_t effective_uuid; |
352 | uuid_t parent_uuid; |
353 | u_int32_t traffic_class; |
354 | struct necp_demux_pattern demux_patterns[NECP_MAX_DEMUX_PATTERNS]; |
355 | u_int8_t demux_pattern_count; |
356 | uid_t uid; |
357 | uid_t persona_id; |
358 | }; |
359 | |
360 | static bool |
361 | necp_find_matching_interface_index(struct necp_client_parsed_parameters *parsed_parameters, |
362 | u_int *return_ifindex, bool *validate_agents); |
363 | |
364 | static bool |
365 | necp_ifnet_matches_local_address(struct ifnet *ifp, struct sockaddr *sa); |
366 | |
367 | static bool |
368 | necp_ifnet_matches_parameters(struct ifnet *ifp, |
369 | struct necp_client_parsed_parameters *parsed_parameters, |
370 | u_int32_t override_flags, |
371 | u_int32_t *preferred_count, |
372 | bool secondary_interface, |
373 | bool require_scoped_field); |
374 | |
375 | static const struct fileops necp_fd_ops = { |
376 | .fo_type = DTYPE_NETPOLICY, |
377 | .fo_read = fo_no_read, |
378 | .fo_write = fo_no_write, |
379 | .fo_ioctl = fo_no_ioctl, |
380 | .fo_select = necpop_select, |
381 | .fo_close = necpop_close, |
382 | .fo_drain = fo_no_drain, |
383 | .fo_kqfilter = necpop_kqfilter, |
384 | }; |
385 | |
386 | struct necp_client_assertion { |
387 | LIST_ENTRY(necp_client_assertion) assertion_chain; |
388 | uuid_t asserted_netagent; |
389 | }; |
390 | |
391 | struct { |
392 | struct necp_tlv_header ; |
393 | struct necp_tlv_header ; |
394 | uuid_t ; |
395 | struct necp_tlv_header ; |
396 | u_int32_t ; |
397 | struct necp_tlv_header ; |
398 | struct necp_client_result_interface ; |
399 | } __attribute__((__packed__)); |
400 | |
401 | struct { |
402 | struct necp_tlv_header ; |
403 | struct necp_client_flow_protoctl_event ; |
404 | } __attribute__((__packed__)); |
405 | |
406 | struct { |
407 | struct necp_client_flow_header ; |
408 | struct necp_tlv_header ; |
409 | struct necp_client_result_netagent ; |
410 | struct necp_tlv_header ; |
411 | u_int8_t [NECP_TFO_COOKIE_LEN_MAX]; |
412 | } __attribute__((__packed__)); |
413 | |
414 | #if SKYWALK |
415 | struct necp_arena_info; |
416 | #endif |
417 | |
418 | struct necp_client_flow { |
419 | LIST_ENTRY(necp_client_flow) flow_chain; |
420 | unsigned invalid : 1; |
421 | unsigned nexus : 1; // If true, flow is a nexus; if false, flow is attached to socket |
422 | unsigned socket : 1; |
423 | unsigned viable : 1; |
424 | unsigned assigned : 1; |
425 | unsigned has_protoctl_event : 1; |
426 | unsigned check_tcp_heuristics : 1; |
427 | unsigned _reserved : 1; |
428 | union { |
429 | uuid_t nexus_agent; |
430 | struct { |
431 | void *socket_handle; |
432 | necp_client_flow_cb cb; |
433 | }; |
434 | } u; |
435 | uint32_t interface_index; |
436 | u_short delegated_interface_index; |
437 | uint32_t interface_flags; |
438 | uint32_t necp_flow_flags; |
439 | struct necp_client_flow_protoctl_event protoctl_event; |
440 | union necp_sockaddr_union local_addr; |
441 | union necp_sockaddr_union remote_addr; |
442 | |
443 | size_t assigned_results_length; |
444 | u_int8_t *assigned_results; |
445 | }; |
446 | |
447 | struct necp_client_flow_registration { |
448 | RB_ENTRY(necp_client_flow_registration) fd_link; |
449 | RB_ENTRY(necp_client_flow_registration) global_link; |
450 | RB_ENTRY(necp_client_flow_registration) client_link; |
451 | LIST_ENTRY(necp_client_flow_registration) collect_stats_chain; |
452 | uuid_t registration_id; |
453 | u_int32_t flags; |
454 | unsigned flow_result_read : 1; |
455 | unsigned defunct : 1; |
456 | void *interface_handle; |
457 | necp_client_flow_cb interface_cb; |
458 | struct necp_client *client; |
459 | LIST_HEAD(_necp_registration_flow_list, necp_client_flow) flow_list; |
460 | #if SKYWALK |
461 | struct necp_arena_info *stats_arena; /* arena where the stats objects came from */ |
462 | void * kstats_kaddr; /* kernel snapshot of untrusted userspace stats, for calculating delta */ |
463 | mach_vm_address_t ustats_uaddr; /* userspace stats (untrusted) */ |
464 | nstat_userland_context stats_handler_context; |
465 | struct flow_stats *nexus_stats; /* shared stats objects between necp_client and skywalk */ |
466 | #endif /* !SKYWALK */ |
467 | u_int64_t last_interface_details __attribute__((aligned(sizeof(u_int64_t)))); |
468 | }; |
469 | |
470 | static int necp_client_flow_id_cmp(struct necp_client_flow_registration *flow0, struct necp_client_flow_registration *flow1); |
471 | |
472 | RB_HEAD(_necp_client_flow_tree, necp_client_flow_registration); |
473 | RB_PROTOTYPE_PREV(_necp_client_flow_tree, necp_client_flow_registration, client_link, necp_client_flow_id_cmp); |
474 | RB_GENERATE_PREV(_necp_client_flow_tree, necp_client_flow_registration, client_link, necp_client_flow_id_cmp); |
475 | |
476 | #define NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT 4 |
477 | #define NECP_CLIENT_MAX_INTERFACE_OPTIONS 32 |
478 | |
479 | #define (NECP_CLIENT_MAX_INTERFACE_OPTIONS - NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT) |
480 | |
481 | struct necp_client { |
482 | RB_ENTRY(necp_client) link; |
483 | RB_ENTRY(necp_client) global_link; |
484 | |
485 | decl_lck_mtx_data(, lock); |
486 | decl_lck_mtx_data(, route_lock); |
487 | os_refcnt_t reference_count; |
488 | |
489 | uuid_t client_id; |
490 | unsigned result_read : 1; |
491 | unsigned group_members_read : 1; |
492 | unsigned allow_multiple_flows : 1; |
493 | unsigned legacy_client_is_flow : 1; |
494 | |
495 | unsigned platform_binary : 1; |
496 | unsigned validated_parent : 1; |
497 | |
498 | size_t result_length; |
499 | u_int8_t result[NECP_BASE_CLIENT_RESULT_SIZE]; |
500 | |
501 | necp_policy_id policy_id; |
502 | necp_policy_id skip_policy_id; |
503 | |
504 | u_int8_t ip_protocol; |
505 | int proc_pid; |
506 | |
507 | u_int64_t delegated_upid; |
508 | |
509 | struct _necp_client_flow_tree flow_registrations; |
510 | LIST_HEAD(_necp_client_assertion_list, necp_client_assertion) assertion_list; |
511 | |
512 | size_t assigned_group_members_length; |
513 | u_int8_t *assigned_group_members; |
514 | |
515 | struct rtentry *current_route; |
516 | |
517 | struct necp_client_interface_option interface_options[NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT]; |
518 | struct necp_client_interface_option *; |
519 | u_int8_t interface_option_count; // Number in interface_options + extra_interface_options |
520 | |
521 | struct necp_client_result_netagent failed_trigger_agent; |
522 | |
523 | void *agent_handle; |
524 | |
525 | uuid_t override_euuid; |
526 | |
527 | #if SKYWALK |
528 | netns_token port_reservation; |
529 | nstat_context nstat_context; |
530 | uuid_t latest_flow_registration_id; |
531 | uuid_t parent_client_id; |
532 | struct necp_client *original_parameters_source; |
533 | #endif /* !SKYWALK */ |
534 | |
535 | size_t parameters_length; |
536 | u_int8_t *parameters; |
537 | }; |
538 | |
539 | #define NECP_CLIENT_LOCK(_c) lck_mtx_lock(&_c->lock) |
540 | #define NECP_CLIENT_UNLOCK(_c) lck_mtx_unlock(&_c->lock) |
541 | #define NECP_CLIENT_ASSERT_LOCKED(_c) LCK_MTX_ASSERT(&_c->lock, LCK_MTX_ASSERT_OWNED) |
542 | #define NECP_CLIENT_ASSERT_UNLOCKED(_c) LCK_MTX_ASSERT(&_c->lock, LCK_MTX_ASSERT_NOTOWNED) |
543 | |
544 | #define NECP_CLIENT_ROUTE_LOCK(_c) lck_mtx_lock(&_c->route_lock) |
545 | #define NECP_CLIENT_ROUTE_UNLOCK(_c) lck_mtx_unlock(&_c->route_lock) |
546 | |
547 | static void necp_client_retain_locked(struct necp_client *client); |
548 | static void necp_client_retain(struct necp_client *client); |
549 | |
550 | static bool necp_client_release_locked(struct necp_client *client); |
551 | static bool necp_client_release(struct necp_client *client); |
552 | |
553 | static void |
554 | necp_client_add_assertion(struct necp_client *client, uuid_t netagent_uuid); |
555 | |
556 | static bool |
557 | necp_client_remove_assertion(struct necp_client *client, uuid_t netagent_uuid); |
558 | |
559 | static int |
560 | necp_client_copy_parameters_locked(struct necp_client *client, |
561 | struct necp_client_nexus_parameters *parameters); |
562 | |
563 | LIST_HEAD(_necp_flow_registration_list, necp_client_flow_registration); |
564 | static struct _necp_flow_registration_list necp_collect_stats_flow_list; |
565 | |
566 | struct necp_flow_defunct { |
567 | LIST_ENTRY(necp_flow_defunct) chain; |
568 | |
569 | uuid_t flow_id; |
570 | uuid_t nexus_agent; |
571 | void *agent_handle; |
572 | int proc_pid; |
573 | u_int32_t flags; |
574 | struct necp_client_agent_parameters close_parameters; |
575 | bool has_close_parameters; |
576 | }; |
577 | |
578 | LIST_HEAD(_necp_flow_defunct_list, necp_flow_defunct); |
579 | |
580 | static int necp_client_id_cmp(struct necp_client *client0, struct necp_client *client1); |
581 | |
582 | RB_HEAD(_necp_client_tree, necp_client); |
583 | RB_PROTOTYPE_PREV(_necp_client_tree, necp_client, link, necp_client_id_cmp); |
584 | RB_GENERATE_PREV(_necp_client_tree, necp_client, link, necp_client_id_cmp); |
585 | |
586 | RB_HEAD(_necp_client_global_tree, necp_client); |
587 | RB_PROTOTYPE_PREV(_necp_client_global_tree, necp_client, global_link, necp_client_id_cmp); |
588 | RB_GENERATE_PREV(_necp_client_global_tree, necp_client, global_link, necp_client_id_cmp); |
589 | |
590 | RB_HEAD(_necp_fd_flow_tree, necp_client_flow_registration); |
591 | RB_PROTOTYPE_PREV(_necp_fd_flow_tree, necp_client_flow_registration, fd_link, necp_client_flow_id_cmp); |
592 | RB_GENERATE_PREV(_necp_fd_flow_tree, necp_client_flow_registration, fd_link, necp_client_flow_id_cmp); |
593 | |
594 | RB_HEAD(_necp_client_flow_global_tree, necp_client_flow_registration); |
595 | RB_PROTOTYPE_PREV(_necp_client_flow_global_tree, necp_client_flow_registration, global_link, necp_client_flow_id_cmp); |
596 | RB_GENERATE_PREV(_necp_client_flow_global_tree, necp_client_flow_registration, global_link, necp_client_flow_id_cmp); |
597 | |
598 | static struct _necp_client_global_tree necp_client_global_tree; |
599 | static struct _necp_client_flow_global_tree necp_client_flow_global_tree; |
600 | |
601 | struct necp_client_update { |
602 | TAILQ_ENTRY(necp_client_update) chain; |
603 | |
604 | uuid_t client_id; |
605 | |
606 | size_t update_length; |
607 | struct necp_client_observer_update *update; |
608 | }; |
609 | |
610 | #if SKYWALK |
611 | struct necp_arena_info { |
612 | LIST_ENTRY(necp_arena_info) nai_chain; |
613 | u_int32_t nai_flags; |
614 | pid_t nai_proc_pid; |
615 | struct skmem_arena *nai_arena; |
616 | struct skmem_arena_mmap_info nai_mmap; |
617 | mach_vm_offset_t nai_roff; |
618 | u_int32_t nai_use_count; |
619 | }; |
620 | #endif /* !SKYWALK */ |
621 | |
622 | #define NAIF_ATTACHED 0x1 // arena is attached to list |
623 | #define NAIF_REDIRECT 0x2 // arena mmap has been redirected |
624 | #define NAIF_DEFUNCT 0x4 // arena is now defunct |
625 | |
626 | #define NECP_FD_REPORTED_AGENT_COUNT 2 |
627 | |
628 | struct necp_fd_reported_agents { |
629 | uuid_t agent_uuid[NECP_FD_REPORTED_AGENT_COUNT]; |
630 | }; |
631 | |
632 | struct necp_fd_data { |
633 | u_int8_t necp_fd_type; |
634 | LIST_ENTRY(necp_fd_data) chain; |
635 | struct _necp_client_tree clients; |
636 | struct _necp_fd_flow_tree flows; |
637 | TAILQ_HEAD(_necp_client_update_list, necp_client_update) update_list; |
638 | int update_count; |
639 | int flags; |
640 | |
641 | unsigned background : 1; |
642 | unsigned request_in_process_flow_divert : 1; |
643 | |
644 | int proc_pid; |
645 | decl_lck_mtx_data(, fd_lock); |
646 | struct selinfo si; |
647 | |
648 | struct necp_fd_reported_agents reported_agents; |
649 | #if SKYWALK |
650 | // Arenas and their mmap info for per-process stats. Stats objects are allocated from an active arena |
651 | // that is not redirected/defunct. The stats_arena_active keeps track of such an arena, and it also |
652 | // holds a reference count on the object. Each flow allocating a stats object also holds a reference |
653 | // the necp_arena_info (where the object got allocated from). During defunct, we redirect the mapping |
654 | // of the arena such that any attempt to access (read/write) will result in getting zero-filled pages. |
655 | // We then go thru all of the flows for the process and free the stats objects associated with them, |
656 | // followed by destroying the skmem region(s) associated with the arena. The stats_arena_list keeps |
657 | // track of all current and defunct stats arenas; there could be more than one arena created for the |
658 | // process as the arena destruction happens when its reference count drops to 0. |
659 | struct necp_arena_info *stats_arena_active; |
660 | LIST_HEAD(_necp_arena_info_list, necp_arena_info) stats_arena_list; |
661 | u_int32_t stats_arena_gencnt; |
662 | |
663 | struct skmem_arena *sysctl_arena; |
664 | struct skmem_arena_mmap_info sysctl_mmap; |
665 | mach_vm_offset_t system_sysctls_roff; |
666 | #endif /* !SKYWALK */ |
667 | }; |
668 | |
669 | #define NECP_FD_LOCK(_f) lck_mtx_lock(&_f->fd_lock) |
670 | #define NECP_FD_UNLOCK(_f) lck_mtx_unlock(&_f->fd_lock) |
671 | #define NECP_FD_ASSERT_LOCKED(_f) LCK_MTX_ASSERT(&_f->fd_lock, LCK_MTX_ASSERT_OWNED) |
672 | #define NECP_FD_ASSERT_UNLOCKED(_f) LCK_MTX_ASSERT(&_f->fd_lock, LCK_MTX_ASSERT_NOTOWNED) |
673 | |
674 | static LIST_HEAD(_necp_fd_list, necp_fd_data) necp_fd_list; |
675 | static LIST_HEAD(_necp_fd_observer_list, necp_fd_data) necp_fd_observer_list; |
676 | |
677 | #if SKYWALK |
678 | static KALLOC_TYPE_DEFINE(necp_arena_info_zone, struct necp_arena_info, NET_KT_DEFAULT); |
679 | #endif /* !SKYWALK */ |
680 | |
681 | static LCK_ATTR_DECLARE(necp_fd_mtx_attr, 0, 0); |
682 | static LCK_GRP_DECLARE(necp_fd_mtx_grp, "necp_fd" ); |
683 | |
684 | static LCK_RW_DECLARE_ATTR(necp_fd_lock, &necp_fd_mtx_grp, &necp_fd_mtx_attr); |
685 | static LCK_RW_DECLARE_ATTR(necp_observer_lock, &necp_fd_mtx_grp, &necp_fd_mtx_attr); |
686 | static LCK_RW_DECLARE_ATTR(necp_client_tree_lock, &necp_fd_mtx_grp, &necp_fd_mtx_attr); |
687 | static LCK_RW_DECLARE_ATTR(necp_flow_tree_lock, &necp_fd_mtx_grp, &necp_fd_mtx_attr); |
688 | static LCK_RW_DECLARE_ATTR(necp_collect_stats_list_lock, &necp_fd_mtx_grp, &necp_fd_mtx_attr); |
689 | |
690 | |
691 | #define NECP_STATS_LIST_LOCK_EXCLUSIVE() lck_rw_lock_exclusive(&necp_collect_stats_list_lock) |
692 | #define NECP_STATS_LIST_LOCK_SHARED() lck_rw_lock_shared(&necp_collect_stats_list_lock) |
693 | #define NECP_STATS_LIST_UNLOCK() lck_rw_done(&necp_collect_stats_list_lock) |
694 | |
695 | #define NECP_CLIENT_TREE_LOCK_EXCLUSIVE() lck_rw_lock_exclusive(&necp_client_tree_lock) |
696 | #define NECP_CLIENT_TREE_LOCK_SHARED() lck_rw_lock_shared(&necp_client_tree_lock) |
697 | #define NECP_CLIENT_TREE_UNLOCK() lck_rw_done(&necp_client_tree_lock) |
698 | #define NECP_CLIENT_TREE_ASSERT_LOCKED() LCK_RW_ASSERT(&necp_client_tree_lock, LCK_RW_ASSERT_HELD) |
699 | |
700 | #define NECP_FLOW_TREE_LOCK_EXCLUSIVE() lck_rw_lock_exclusive(&necp_flow_tree_lock) |
701 | #define NECP_FLOW_TREE_LOCK_SHARED() lck_rw_lock_shared(&necp_flow_tree_lock) |
702 | #define NECP_FLOW_TREE_UNLOCK() lck_rw_done(&necp_flow_tree_lock) |
703 | #define NECP_FLOW_TREE_ASSERT_LOCKED() LCK_RW_ASSERT(&necp_flow_tree_lock, LCK_RW_ASSERT_HELD) |
704 | |
705 | #define NECP_FD_LIST_LOCK_EXCLUSIVE() lck_rw_lock_exclusive(&necp_fd_lock) |
706 | #define NECP_FD_LIST_LOCK_SHARED() lck_rw_lock_shared(&necp_fd_lock) |
707 | #define NECP_FD_LIST_UNLOCK() lck_rw_done(&necp_fd_lock) |
708 | #define NECP_FD_LIST_ASSERT_LOCKED() LCK_RW_ASSERT(&necp_fd_lock, LCK_RW_ASSERT_HELD) |
709 | |
710 | #define NECP_OBSERVER_LIST_LOCK_EXCLUSIVE() lck_rw_lock_exclusive(&necp_observer_lock) |
711 | #define NECP_OBSERVER_LIST_LOCK_SHARED() lck_rw_lock_shared(&necp_observer_lock) |
712 | #define NECP_OBSERVER_LIST_UNLOCK() lck_rw_done(&necp_observer_lock) |
713 | |
714 | // Locking Notes |
715 | |
716 | // Take NECP_FD_LIST_LOCK when accessing or modifying the necp_fd_list |
717 | // Take NECP_CLIENT_TREE_LOCK when accessing or modifying the necp_client_global_tree |
718 | // Take NECP_FLOW_TREE_LOCK when accessing or modifying the necp_client_flow_global_tree |
719 | // Take NECP_STATS_LIST_LOCK when accessing or modifying the necp_collect_stats_flow_list |
720 | // Take NECP_FD_LOCK when accessing or modifying an necp_fd_data entry |
721 | // Take NECP_CLIENT_LOCK when accessing or modifying a single necp_client |
722 | // Take NECP_CLIENT_ROUTE_LOCK when accessing or modifying a client's route |
723 | |
724 | // Precedence, where 1 is the first lock that must be taken |
725 | // 1. NECP_FD_LIST_LOCK |
726 | // 2. NECP_FD_LOCK (any) |
727 | // 3. NECP_CLIENT_TREE_LOCK |
728 | // 4. NECP_CLIENT_LOCK (any) |
729 | // 5. NECP_FLOW_TREE_LOCK |
730 | // 6. NECP_STATS_LIST_LOCK |
731 | // 7. NECP_CLIENT_ROUTE_LOCK (any) |
732 | |
733 | static thread_call_t necp_client_update_tcall; |
734 | static uint32_t necp_update_all_clients_sched_cnt = 0; |
735 | static uint64_t necp_update_all_clients_sched_abstime = 0; |
736 | static LCK_RW_DECLARE_ATTR(necp_update_all_clients_lock, &necp_fd_mtx_grp, &necp_fd_mtx_attr); |
737 | #define NECP_UPDATE_ALL_CLIENTS_LOCK_EXCLUSIVE() lck_rw_lock_exclusive(&necp_update_all_clients_lock) |
738 | #define NECP_UPDATE_ALL_CLIENTS_SHARED_TO_EXCLUSIVE() lck_rw_lock_shared_to_exclusive(&necp_update_all_clients_lock) |
739 | #define NECP_UPDATE_ALL_CLIENTS_SHARED() lck_rw_lock_shared(&necp_update_all_clients_lock) |
740 | #define NECP_UPDATE_ALL_CLIENTS_UNLOCK() lck_rw_done(&necp_update_all_clients_lock) |
741 | |
742 | // Array of PIDs that will trigger in-process flow divert, protected by NECP_FD_LIST_LOCK |
743 | #define NECP_MAX_FLOW_DIVERT_NEEDED_PIDS 4 |
744 | static pid_t necp_flow_divert_needed_pids[NECP_MAX_FLOW_DIVERT_NEEDED_PIDS]; |
745 | |
746 | #if SKYWALK |
747 | static thread_call_t necp_client_collect_stats_tcall; |
748 | static thread_call_t necp_close_empty_arenas_tcall; |
749 | |
750 | static void necp_fd_insert_stats_arena(struct necp_fd_data *fd_data, struct necp_arena_info *nai); |
751 | static void necp_fd_remove_stats_arena(struct necp_fd_data *fd_data, struct necp_arena_info *nai); |
752 | static struct necp_arena_info *necp_fd_mredirect_stats_arena(struct necp_fd_data *fd_data, struct proc *proc); |
753 | |
754 | static void necp_arena_info_retain(struct necp_arena_info *nai); |
755 | static void necp_arena_info_release(struct necp_arena_info *nai); |
756 | static struct necp_arena_info *necp_arena_info_alloc(void); |
757 | static void necp_arena_info_free(struct necp_arena_info *nai); |
758 | |
759 | static int necp_arena_initialize(struct necp_fd_data *fd_data, bool locked); |
760 | static int necp_stats_initialize(struct necp_fd_data *fd_data, struct necp_client *client, |
761 | struct necp_client_flow_registration *flow_registration, struct necp_stats_bufreq *bufreq); |
762 | static int necp_arena_create(struct necp_fd_data *fd_data, size_t obj_size, size_t obj_cnt, struct proc *p); |
763 | static int necp_arena_stats_obj_alloc(struct necp_fd_data *fd_data, mach_vm_offset_t *off, struct necp_arena_info **stats_arena, void **kstats_kaddr, boolean_t cansleep); |
764 | static void necp_arena_stats_obj_free(struct necp_fd_data *fd_data, struct necp_arena_info *stats_arena, void **kstats_kaddr, mach_vm_address_t *ustats_uaddr); |
765 | static void necp_stats_arenas_destroy(struct necp_fd_data *fd_data, boolean_t closing); |
766 | |
767 | static int necp_sysctl_arena_initialize(struct necp_fd_data *fd_data, bool locked); |
768 | static void necp_sysctl_arena_destroy(struct necp_fd_data *fd_data); |
769 | static void *necp_arena_sysctls_obj(struct necp_fd_data *fd_data, mach_vm_offset_t *off, size_t *size); |
770 | #endif /* !SKYWALK */ |
771 | |
772 | void necp_copy_inp_domain_info(struct inpcb *, struct socket *, nstat_domain_info *); |
773 | void necp_with_inp_domain_name(struct socket *so, void *ctx, void (*with_func)(char *domain_name, void *ctx)); |
774 | |
775 | static void |
776 | necp_lock_socket_attributes(void) |
777 | { |
778 | lck_mtx_lock(lck: &necp_socket_attr_lock); |
779 | } |
780 | |
781 | static void |
782 | necp_unlock_socket_attributes(void) |
783 | { |
784 | lck_mtx_unlock(lck: &necp_socket_attr_lock); |
785 | } |
786 | |
787 | /// NECP file descriptor functions |
788 | |
789 | static void |
790 | necp_fd_notify(struct necp_fd_data *fd_data, bool locked) |
791 | { |
792 | struct selinfo *si = &fd_data->si; |
793 | |
794 | if (!locked) { |
795 | NECP_FD_LOCK(fd_data); |
796 | } |
797 | |
798 | selwakeup(si); |
799 | |
800 | // use a non-zero hint to tell the notification from the |
801 | // call done in kqueue_scan() which uses 0 |
802 | KNOTE(&si->si_note, 1); // notification |
803 | |
804 | if (!locked) { |
805 | NECP_FD_UNLOCK(fd_data); |
806 | } |
807 | } |
808 | |
809 | static inline bool |
810 | necp_client_has_unread_flows(struct necp_client *client) |
811 | { |
812 | NECP_CLIENT_ASSERT_LOCKED(client); |
813 | struct necp_client_flow_registration *flow_registration = NULL; |
814 | RB_FOREACH(flow_registration, _necp_client_flow_tree, &client->flow_registrations) { |
815 | if (!flow_registration->flow_result_read) { |
816 | return true; |
817 | } |
818 | } |
819 | return false; |
820 | } |
821 | |
822 | static int |
823 | necp_fd_poll(struct necp_fd_data *fd_data, int events, void *wql, struct proc *p, int is_kevent) |
824 | { |
825 | #pragma unused(wql, p, is_kevent) |
826 | u_int revents = 0; |
827 | |
828 | u_int want_rx = events & (POLLIN | POLLRDNORM); |
829 | if (want_rx) { |
830 | if (fd_data->flags & NECP_OPEN_FLAG_PUSH_OBSERVER) { |
831 | // Push-mode observers are readable when they have a new update |
832 | if (!TAILQ_EMPTY(&fd_data->update_list)) { |
833 | revents |= want_rx; |
834 | } |
835 | } else { |
836 | // Standard fds are readable when some client is unread |
837 | struct necp_client *client = NULL; |
838 | bool has_unread_clients = FALSE; |
839 | RB_FOREACH(client, _necp_client_tree, &fd_data->clients) { |
840 | NECP_CLIENT_LOCK(client); |
841 | if (!client->result_read || !client->group_members_read || necp_client_has_unread_flows(client)) { |
842 | has_unread_clients = TRUE; |
843 | } |
844 | NECP_CLIENT_UNLOCK(client); |
845 | if (has_unread_clients) { |
846 | break; |
847 | } |
848 | } |
849 | |
850 | if (has_unread_clients || fd_data->request_in_process_flow_divert) { |
851 | revents |= want_rx; |
852 | } |
853 | } |
854 | } |
855 | |
856 | return revents; |
857 | } |
858 | |
859 | static inline void |
860 | necp_generate_client_id(uuid_t client_id, bool is_flow) |
861 | { |
862 | uuid_generate_random(out: client_id); |
863 | |
864 | if (is_flow) { |
865 | client_id[9] |= 0x01; |
866 | } else { |
867 | client_id[9] &= ~0x01; |
868 | } |
869 | } |
870 | |
871 | static inline bool |
872 | necp_client_id_is_flow(uuid_t client_id) |
873 | { |
874 | return client_id[9] & 0x01; |
875 | } |
876 | |
877 | static struct necp_client * |
878 | necp_find_client_and_lock(uuid_t client_id) |
879 | { |
880 | NECP_CLIENT_TREE_ASSERT_LOCKED(); |
881 | |
882 | struct necp_client *client = NULL; |
883 | |
884 | if (necp_client_id_is_flow(client_id)) { |
885 | NECP_FLOW_TREE_LOCK_SHARED(); |
886 | struct necp_client_flow_registration find; |
887 | uuid_copy(dst: find.registration_id, src: client_id); |
888 | struct necp_client_flow_registration *flow = RB_FIND(_necp_client_flow_global_tree, &necp_client_flow_global_tree, &find); |
889 | if (flow != NULL) { |
890 | client = flow->client; |
891 | } |
892 | NECP_FLOW_TREE_UNLOCK(); |
893 | } else { |
894 | struct necp_client find; |
895 | uuid_copy(dst: find.client_id, src: client_id); |
896 | client = RB_FIND(_necp_client_global_tree, &necp_client_global_tree, &find); |
897 | } |
898 | |
899 | if (client != NULL) { |
900 | NECP_CLIENT_LOCK(client); |
901 | } |
902 | |
903 | return client; |
904 | } |
905 | |
906 | static struct necp_client_flow_registration * |
907 | necp_client_find_flow(struct necp_client *client, uuid_t flow_id) |
908 | { |
909 | NECP_CLIENT_ASSERT_LOCKED(client); |
910 | struct necp_client_flow_registration *flow = NULL; |
911 | |
912 | if (necp_client_id_is_flow(client_id: flow_id)) { |
913 | struct necp_client_flow_registration find; |
914 | uuid_copy(dst: find.registration_id, src: flow_id); |
915 | flow = RB_FIND(_necp_client_flow_tree, &client->flow_registrations, &find); |
916 | } else { |
917 | flow = RB_ROOT(&client->flow_registrations); |
918 | } |
919 | |
920 | return flow; |
921 | } |
922 | |
923 | static struct necp_client * |
924 | necp_client_fd_find_client_unlocked(struct necp_fd_data *client_fd, uuid_t client_id) |
925 | { |
926 | NECP_FD_ASSERT_LOCKED(client_fd); |
927 | struct necp_client *client = NULL; |
928 | |
929 | if (necp_client_id_is_flow(client_id)) { |
930 | struct necp_client_flow_registration find; |
931 | uuid_copy(dst: find.registration_id, src: client_id); |
932 | struct necp_client_flow_registration *flow = RB_FIND(_necp_fd_flow_tree, &client_fd->flows, &find); |
933 | if (flow != NULL) { |
934 | client = flow->client; |
935 | } |
936 | } else { |
937 | struct necp_client find; |
938 | uuid_copy(dst: find.client_id, src: client_id); |
939 | client = RB_FIND(_necp_client_tree, &client_fd->clients, &find); |
940 | } |
941 | |
942 | return client; |
943 | } |
944 | |
945 | static struct necp_client * |
946 | necp_client_fd_find_client_and_lock(struct necp_fd_data *client_fd, uuid_t client_id) |
947 | { |
948 | struct necp_client *client = necp_client_fd_find_client_unlocked(client_fd, client_id); |
949 | if (client != NULL) { |
950 | NECP_CLIENT_LOCK(client); |
951 | } |
952 | |
953 | return client; |
954 | } |
955 | |
956 | static inline int |
957 | necp_client_id_cmp(struct necp_client *client0, struct necp_client *client1) |
958 | { |
959 | return uuid_compare(uu1: client0->client_id, uu2: client1->client_id); |
960 | } |
961 | |
962 | static inline int |
963 | necp_client_flow_id_cmp(struct necp_client_flow_registration *flow0, struct necp_client_flow_registration *flow1) |
964 | { |
965 | return uuid_compare(uu1: flow0->registration_id, uu2: flow1->registration_id); |
966 | } |
967 | |
968 | static int |
969 | necpop_select(struct fileproc *fp, int which, void *wql, vfs_context_t ctx) |
970 | { |
971 | #pragma unused(fp, which, wql, ctx) |
972 | return 0; |
973 | struct necp_fd_data *fd_data = NULL; |
974 | int revents = 0; |
975 | int events = 0; |
976 | proc_t procp; |
977 | |
978 | fd_data = (struct necp_fd_data *)fp_get_data(fp); |
979 | if (fd_data == NULL) { |
980 | return 0; |
981 | } |
982 | |
983 | procp = vfs_context_proc(ctx); |
984 | |
985 | switch (which) { |
986 | case FREAD: { |
987 | events = POLLIN; |
988 | break; |
989 | } |
990 | |
991 | default: { |
992 | return 1; |
993 | } |
994 | } |
995 | |
996 | NECP_FD_LOCK(fd_data); |
997 | revents = necp_fd_poll(fd_data, events, wql, p: procp, is_kevent: 0); |
998 | NECP_FD_UNLOCK(fd_data); |
999 | |
1000 | return (events & revents) ? 1 : 0; |
1001 | } |
1002 | |
1003 | static void |
1004 | necp_fd_knrdetach(struct knote *kn) |
1005 | { |
1006 | struct necp_fd_data *fd_data = (struct necp_fd_data *)knote_kn_hook_get_raw(kn); |
1007 | struct selinfo *si = &fd_data->si; |
1008 | |
1009 | NECP_FD_LOCK(fd_data); |
1010 | KNOTE_DETACH(&si->si_note, kn); |
1011 | NECP_FD_UNLOCK(fd_data); |
1012 | } |
1013 | |
1014 | static int |
1015 | necp_fd_knread(struct knote *kn, long hint) |
1016 | { |
1017 | #pragma unused(kn, hint) |
1018 | return 1; /* assume we are ready */ |
1019 | } |
1020 | |
1021 | static int |
1022 | necp_fd_knrprocess(struct knote *kn, struct kevent_qos_s *kev) |
1023 | { |
1024 | struct necp_fd_data *fd_data; |
1025 | int revents; |
1026 | int res; |
1027 | |
1028 | fd_data = (struct necp_fd_data *)knote_kn_hook_get_raw(kn); |
1029 | |
1030 | NECP_FD_LOCK(fd_data); |
1031 | revents = necp_fd_poll(fd_data, POLLIN, NULL, p: current_proc(), is_kevent: 1); |
1032 | res = ((revents & POLLIN) != 0); |
1033 | if (res) { |
1034 | knote_fill_kevent(kn, kev, data: 0); |
1035 | } |
1036 | NECP_FD_UNLOCK(fd_data); |
1037 | return res; |
1038 | } |
1039 | |
1040 | static int |
1041 | necp_fd_knrtouch(struct knote *kn, struct kevent_qos_s *kev) |
1042 | { |
1043 | #pragma unused(kev) |
1044 | struct necp_fd_data *fd_data; |
1045 | int revents; |
1046 | |
1047 | fd_data = (struct necp_fd_data *)knote_kn_hook_get_raw(kn); |
1048 | |
1049 | NECP_FD_LOCK(fd_data); |
1050 | revents = necp_fd_poll(fd_data, POLLIN, NULL, p: current_proc(), is_kevent: 1); |
1051 | NECP_FD_UNLOCK(fd_data); |
1052 | |
1053 | return (revents & POLLIN) != 0; |
1054 | } |
1055 | |
1056 | SECURITY_READ_ONLY_EARLY(struct filterops) necp_fd_rfiltops = { |
1057 | .f_isfd = 1, |
1058 | .f_detach = necp_fd_knrdetach, |
1059 | .f_event = necp_fd_knread, |
1060 | .f_touch = necp_fd_knrtouch, |
1061 | .f_process = necp_fd_knrprocess, |
1062 | }; |
1063 | |
1064 | static int |
1065 | necpop_kqfilter(struct fileproc *fp, struct knote *kn, |
1066 | __unused struct kevent_qos_s *kev) |
1067 | { |
1068 | struct necp_fd_data *fd_data = NULL; |
1069 | int revents; |
1070 | |
1071 | if (kn->kn_filter != EVFILT_READ) { |
1072 | NECPLOG(LOG_ERR, "bad filter request %d" , kn->kn_filter); |
1073 | knote_set_error(kn, EINVAL); |
1074 | return 0; |
1075 | } |
1076 | |
1077 | fd_data = (struct necp_fd_data *)fp_get_data(fp); |
1078 | if (fd_data == NULL) { |
1079 | NECPLOG0(LOG_ERR, "No channel for kqfilter" ); |
1080 | knote_set_error(kn, ENOENT); |
1081 | return 0; |
1082 | } |
1083 | |
1084 | NECP_FD_LOCK(fd_data); |
1085 | kn->kn_filtid = EVFILTID_NECP_FD; |
1086 | knote_kn_hook_set_raw(kn, kn_hook: fd_data); |
1087 | KNOTE_ATTACH(&fd_data->si.si_note, kn); |
1088 | |
1089 | revents = necp_fd_poll(fd_data, POLLIN, NULL, p: current_proc(), is_kevent: 1); |
1090 | |
1091 | NECP_FD_UNLOCK(fd_data); |
1092 | |
1093 | return (revents & POLLIN) != 0; |
1094 | } |
1095 | |
1096 | #define INTERFACE_FLAGS_SHIFT 32 |
1097 | #define INTERFACE_FLAGS_MASK 0xffffffff |
1098 | #define INTERFACE_INDEX_SHIFT 0 |
1099 | #define INTERFACE_INDEX_MASK 0xffffffff |
1100 | |
1101 | static uint64_t |
1102 | combine_interface_details(uint32_t interface_index, uint32_t interface_flags) |
1103 | { |
1104 | return ((uint64_t)interface_flags & INTERFACE_FLAGS_MASK) << INTERFACE_FLAGS_SHIFT | |
1105 | ((uint64_t)interface_index & INTERFACE_INDEX_MASK) << INTERFACE_INDEX_SHIFT; |
1106 | } |
1107 | |
1108 | #if SKYWALK |
1109 | |
1110 | static void |
1111 | split_interface_details(uint64_t combined_details, uint32_t *interface_index, uint32_t *interface_flags) |
1112 | { |
1113 | *interface_index = (combined_details >> INTERFACE_INDEX_SHIFT) & INTERFACE_INDEX_MASK; |
1114 | *interface_flags = (combined_details >> INTERFACE_FLAGS_SHIFT) & INTERFACE_FLAGS_MASK; |
1115 | } |
1116 | |
1117 | static void |
1118 | necp_flow_save_current_interface_details(struct necp_client_flow_registration *flow_registration) |
1119 | { |
1120 | struct necp_client_flow *flow = NULL; |
1121 | LIST_FOREACH(flow, &flow_registration->flow_list, flow_chain) { |
1122 | if (flow->nexus) { |
1123 | uint64_t combined_details = combine_interface_details(interface_index: flow->interface_index, interface_flags: flow->interface_flags); |
1124 | os_atomic_store(&flow_registration->last_interface_details, combined_details, release); |
1125 | break; |
1126 | } |
1127 | } |
1128 | } |
1129 | |
1130 | static void |
1131 | necp_client_collect_interface_stats(struct necp_client_flow_registration *flow_registration, struct ifnet_stats_per_flow *ifs) |
1132 | { |
1133 | struct necp_client_flow *flow = NULL; |
1134 | |
1135 | if (ifs == NULL || ifs->txpackets == 0 || ifs->rxpackets == 0) { |
1136 | return; // App might have crashed without publishing ifs |
1137 | } |
1138 | |
1139 | // Do malicious stats detection here |
1140 | |
1141 | // Fold userspace stats into (trusted) kernel stats (stored in ifp). |
1142 | LIST_FOREACH(flow, &flow_registration->flow_list, flow_chain) { |
1143 | uint32_t if_idx = flow->interface_index; |
1144 | ifnet_t ifp = NULL; |
1145 | ifnet_head_lock_shared(); |
1146 | if (if_idx != IFSCOPE_NONE && if_idx <= (uint32_t)if_index) { |
1147 | ifp = ifindex2ifnet[if_idx]; |
1148 | ifnet_update_stats_per_flow(ifs, ifp); |
1149 | } |
1150 | ifnet_head_done(); |
1151 | |
1152 | // Currently there is only one flow that uses the shared necp |
1153 | // stats region, so this loop should exit after updating an ifp |
1154 | break; |
1155 | } |
1156 | } |
1157 | |
1158 | static void |
1159 | necp_client_collect_stats(struct necp_client_flow_registration *flow_registration) |
1160 | { |
1161 | struct necp_all_kstats *kstats = (struct necp_all_kstats *)flow_registration->kstats_kaddr; |
1162 | if (kstats == NULL) { |
1163 | return; |
1164 | } |
1165 | |
1166 | // Grab userspace stats delta (untrusted). |
1167 | struct necp_tcp_stats *curr_tcpstats = (struct necp_tcp_stats *)kstats->necp_stats_ustats; |
1168 | struct necp_tcp_stats *prev_tcpstats = (struct necp_tcp_stats *)&kstats->necp_stats_comm; |
1169 | #define diff_n_update(field) \ |
1170 | u_int32_t d_##field = (curr_tcpstats->necp_tcp_counts.necp_stat_##field - prev_tcpstats->necp_tcp_counts.necp_stat_##field); \ |
1171 | prev_tcpstats->necp_tcp_counts.necp_stat_##field += d_##field; |
1172 | diff_n_update(rxpackets); |
1173 | diff_n_update(txpackets); |
1174 | if (d_rxpackets == 0 && d_txpackets == 0) { |
1175 | return; // no activity since last collection, stop here |
1176 | } |
1177 | diff_n_update(rxbytes); |
1178 | diff_n_update(txbytes); |
1179 | diff_n_update(rxduplicatebytes); |
1180 | diff_n_update(rxoutoforderbytes); |
1181 | diff_n_update(txretransmit); |
1182 | diff_n_update(connectattempts); |
1183 | diff_n_update(connectsuccesses); |
1184 | uint32_t rtt = prev_tcpstats->necp_tcp_counts.necp_stat_avg_rtt = curr_tcpstats->necp_tcp_counts.necp_stat_avg_rtt; |
1185 | uint32_t rtt_var = prev_tcpstats->necp_tcp_counts.necp_stat_var_rtt = curr_tcpstats->necp_tcp_counts.necp_stat_var_rtt; |
1186 | #undef diff_n_update |
1187 | |
1188 | // Do malicious stats detection with the deltas here. |
1189 | // RTT check (not necessarily attacks, might just be not measured since we report stats async periodically). |
1190 | if (rtt < necp_client_stats_rtt_floor || rtt > necp_client_stats_rtt_ceiling) { |
1191 | rtt = rtt_var = 0; // nstat_route_update to skip 0 rtt |
1192 | } |
1193 | |
1194 | // Fold userspace stats into (trusted) kernel stats (stored in route). |
1195 | NECP_CLIENT_ROUTE_LOCK(flow_registration->client); |
1196 | struct rtentry *route = flow_registration->client->current_route; |
1197 | if (route != NULL) { |
1198 | nstat_route_update(rte: route, connect_attempts: d_connectattempts, connect_successes: d_connectsuccesses, rx_packets: d_rxpackets, rx_bytes: d_rxbytes, rx_duplicatebytes: d_rxduplicatebytes, |
1199 | rx_outoforderbytes: d_rxoutoforderbytes, tx_packets: d_txpackets, tx_bytes: d_txbytes, tx_retransmit: d_txretransmit, rtt, rtt_var); |
1200 | } |
1201 | NECP_CLIENT_ROUTE_UNLOCK(flow_registration->client); |
1202 | } |
1203 | |
1204 | // This is called from various places; "closing" here implies the client being closed/removed if true, otherwise being |
1205 | // defunct. In the former, we expect the caller to not hold the lock; for the latter it must have acquired it. |
1206 | static void |
1207 | necp_destroy_flow_stats(struct necp_fd_data *fd_data, |
1208 | struct necp_client_flow_registration *flow_registration, |
1209 | struct ifnet_stats_per_flow *flow_ifnet_stats, |
1210 | boolean_t closing) |
1211 | { |
1212 | NECP_FD_ASSERT_LOCKED(fd_data); |
1213 | |
1214 | struct necp_client *client = flow_registration->client; |
1215 | |
1216 | if (closing) { |
1217 | NECP_CLIENT_ASSERT_UNLOCKED(client); |
1218 | NECP_CLIENT_LOCK(client); |
1219 | } else { |
1220 | NECP_CLIENT_ASSERT_LOCKED(client); |
1221 | } |
1222 | |
1223 | // the interface stats are independent of the flow stats, hence we check here |
1224 | if (flow_ifnet_stats != NULL) { |
1225 | necp_client_collect_interface_stats(flow_registration, ifs: flow_ifnet_stats); |
1226 | } |
1227 | |
1228 | if (flow_registration->kstats_kaddr != NULL) { |
1229 | NECP_STATS_LIST_LOCK_EXCLUSIVE(); |
1230 | necp_client_collect_stats(flow_registration); |
1231 | const bool destroyed = necp_client_release_locked(client); // Drop the reference held by the stats list |
1232 | ASSERT(!destroyed); |
1233 | (void)destroyed; |
1234 | LIST_REMOVE(flow_registration, collect_stats_chain); |
1235 | NECP_STATS_LIST_UNLOCK(); |
1236 | if (flow_registration->stats_handler_context != NULL) { |
1237 | ntstat_userland_stats_close(nstat_ctx: flow_registration->stats_handler_context); |
1238 | flow_registration->stats_handler_context = NULL; |
1239 | } |
1240 | necp_arena_stats_obj_free(fd_data, stats_arena: flow_registration->stats_arena, kstats_kaddr: &flow_registration->kstats_kaddr, ustats_uaddr: &flow_registration->ustats_uaddr); |
1241 | ASSERT(flow_registration->kstats_kaddr == NULL); |
1242 | ASSERT(flow_registration->ustats_uaddr == 0); |
1243 | } |
1244 | |
1245 | if (flow_registration->nexus_stats != NULL) { |
1246 | flow_stats_release(fs: flow_registration->nexus_stats); |
1247 | flow_registration->nexus_stats = NULL; |
1248 | } |
1249 | |
1250 | if (closing) { |
1251 | NECP_CLIENT_UNLOCK(client); |
1252 | } |
1253 | } |
1254 | |
1255 | static void |
1256 | necp_schedule_collect_stats_clients(bool recur) |
1257 | { |
1258 | if (necp_client_collect_stats_tcall == NULL || |
1259 | (!recur && thread_call_isactive(call: necp_client_collect_stats_tcall))) { |
1260 | return; |
1261 | } |
1262 | |
1263 | uint64_t deadline = 0; |
1264 | uint64_t leeway = 0; |
1265 | clock_interval_to_deadline(interval: necp_collect_stats_timeout_microseconds, NSEC_PER_USEC, result: &deadline); |
1266 | clock_interval_to_absolutetime_interval(interval: necp_collect_stats_timeout_leeway_microseconds, NSEC_PER_USEC, result: &leeway); |
1267 | |
1268 | thread_call_enter_delayed_with_leeway(call: necp_client_collect_stats_tcall, NULL, |
1269 | deadline, leeway, THREAD_CALL_DELAY_LEEWAY); |
1270 | } |
1271 | |
1272 | static void |
1273 | necp_collect_stats_client_callout(__unused thread_call_param_t dummy, |
1274 | __unused thread_call_param_t arg) |
1275 | { |
1276 | struct necp_client_flow_registration *flow_registration; |
1277 | |
1278 | net_update_uptime(); |
1279 | NECP_STATS_LIST_LOCK_SHARED(); |
1280 | if (LIST_EMPTY(&necp_collect_stats_flow_list)) { |
1281 | NECP_STATS_LIST_UNLOCK(); |
1282 | return; |
1283 | } |
1284 | LIST_FOREACH(flow_registration, &necp_collect_stats_flow_list, collect_stats_chain) { |
1285 | // Collecting stats should be cheap (atomic increments) |
1286 | // Values like flow_registration->kstats_kaddr are guaranteed to be valid |
1287 | // as long as the flow_registration is in the stats list |
1288 | necp_client_collect_stats(flow_registration); |
1289 | } |
1290 | NECP_STATS_LIST_UNLOCK(); |
1291 | |
1292 | necp_schedule_collect_stats_clients(TRUE); // recurring collection |
1293 | } |
1294 | |
1295 | #endif /* !SKYWALK */ |
1296 | |
1297 | static void |
1298 | necp_defunct_flow_registration(struct necp_client *client, |
1299 | struct necp_client_flow_registration *flow_registration, |
1300 | struct _necp_flow_defunct_list *defunct_list) |
1301 | { |
1302 | NECP_CLIENT_ASSERT_LOCKED(client); |
1303 | |
1304 | if (!flow_registration->defunct) { |
1305 | bool needs_defunct = false; |
1306 | struct necp_client_flow *search_flow = NULL; |
1307 | LIST_FOREACH(search_flow, &flow_registration->flow_list, flow_chain) { |
1308 | if (search_flow->nexus && |
1309 | !uuid_is_null(uu: search_flow->u.nexus_agent)) { |
1310 | // Save defunct values for the nexus |
1311 | if (defunct_list != NULL) { |
1312 | // Sleeping alloc won't fail; copy only what's necessary |
1313 | struct necp_flow_defunct *flow_defunct = kalloc_type(struct necp_flow_defunct, |
1314 | Z_WAITOK | Z_ZERO); |
1315 | uuid_copy(dst: flow_defunct->nexus_agent, src: search_flow->u.nexus_agent); |
1316 | uuid_copy(dst: flow_defunct->flow_id, src: ((flow_registration->flags & NECP_CLIENT_FLOW_FLAGS_USE_CLIENT_ID) ? |
1317 | client->client_id : |
1318 | flow_registration->registration_id)); |
1319 | flow_defunct->proc_pid = client->proc_pid; |
1320 | flow_defunct->agent_handle = client->agent_handle; |
1321 | flow_defunct->flags = flow_registration->flags; |
1322 | #if SKYWALK |
1323 | if (flow_registration->kstats_kaddr != NULL) { |
1324 | struct necp_all_stats *ustats_kaddr = ((struct necp_all_kstats *)flow_registration->kstats_kaddr)->necp_stats_ustats; |
1325 | struct necp_quic_stats *quicstats = (struct necp_quic_stats *)ustats_kaddr; |
1326 | if (quicstats != NULL) { |
1327 | memcpy(dst: flow_defunct->close_parameters.u.close_token, src: quicstats->necp_quic_extra.ssr_token, n: sizeof(flow_defunct->close_parameters.u.close_token)); |
1328 | flow_defunct->has_close_parameters = true; |
1329 | } |
1330 | } |
1331 | #endif /* SKYWALK */ |
1332 | // Add to the list provided by caller |
1333 | LIST_INSERT_HEAD(defunct_list, flow_defunct, chain); |
1334 | } |
1335 | |
1336 | needs_defunct = true; |
1337 | } |
1338 | } |
1339 | |
1340 | if (needs_defunct) { |
1341 | #if SKYWALK |
1342 | // Close the stats early |
1343 | if (flow_registration->stats_handler_context != NULL) { |
1344 | ntstat_userland_stats_event(nstat_ctx: flow_registration->stats_handler_context, |
1345 | NECP_CLIENT_STATISTICS_EVENT_TIME_WAIT); |
1346 | } |
1347 | #endif /* SKYWALK */ |
1348 | |
1349 | // Only set defunct if there was some assigned flow |
1350 | flow_registration->defunct = true; |
1351 | } |
1352 | } |
1353 | } |
1354 | |
1355 | static void |
1356 | necp_defunct_client_for_policy(struct necp_client *client, |
1357 | struct _necp_flow_defunct_list *defunct_list) |
1358 | { |
1359 | NECP_CLIENT_ASSERT_LOCKED(client); |
1360 | |
1361 | struct necp_client_flow_registration *flow_registration = NULL; |
1362 | RB_FOREACH(flow_registration, _necp_client_flow_tree, &client->flow_registrations) { |
1363 | necp_defunct_flow_registration(client, flow_registration, defunct_list); |
1364 | } |
1365 | } |
1366 | |
1367 | static void |
1368 | necp_client_free(struct necp_client *client) |
1369 | { |
1370 | NECP_CLIENT_ASSERT_UNLOCKED(client); |
1371 | |
1372 | kfree_data(client->extra_interface_options, |
1373 | sizeof(struct necp_client_interface_option) * NECP_CLIENT_INTERFACE_OPTION_EXTRA_COUNT); |
1374 | client->extra_interface_options = NULL; |
1375 | |
1376 | kfree_data(client->parameters, client->parameters_length); |
1377 | client->parameters = NULL; |
1378 | |
1379 | kfree_data(client->assigned_group_members, client->assigned_group_members_length); |
1380 | client->assigned_group_members = NULL; |
1381 | |
1382 | lck_mtx_destroy(lck: &client->route_lock, grp: &necp_fd_mtx_grp); |
1383 | lck_mtx_destroy(lck: &client->lock, grp: &necp_fd_mtx_grp); |
1384 | |
1385 | kfree_type(struct necp_client, client); |
1386 | } |
1387 | |
1388 | static void |
1389 | necp_client_retain_locked(struct necp_client *client) |
1390 | { |
1391 | NECP_CLIENT_ASSERT_LOCKED(client); |
1392 | |
1393 | os_ref_retain_locked(rc: &client->reference_count); |
1394 | } |
1395 | |
1396 | static void |
1397 | necp_client_retain(struct necp_client *client) |
1398 | { |
1399 | NECP_CLIENT_LOCK(client); |
1400 | necp_client_retain_locked(client); |
1401 | NECP_CLIENT_UNLOCK(client); |
1402 | } |
1403 | |
1404 | static bool |
1405 | necp_client_release_locked(struct necp_client *client) |
1406 | { |
1407 | NECP_CLIENT_ASSERT_LOCKED(client); |
1408 | |
1409 | os_ref_count_t count = os_ref_release_locked(rc: &client->reference_count); |
1410 | if (count == 0) { |
1411 | NECP_CLIENT_UNLOCK(client); |
1412 | necp_client_free(client); |
1413 | } |
1414 | |
1415 | return count == 0; |
1416 | } |
1417 | |
1418 | static bool |
1419 | necp_client_release(struct necp_client *client) |
1420 | { |
1421 | bool last_ref; |
1422 | |
1423 | NECP_CLIENT_LOCK(client); |
1424 | if (!(last_ref = necp_client_release_locked(client))) { |
1425 | NECP_CLIENT_UNLOCK(client); |
1426 | } |
1427 | |
1428 | return last_ref; |
1429 | } |
1430 | |
1431 | static struct necp_client_update * |
1432 | necp_client_update_alloc(const void *data, size_t length) |
1433 | { |
1434 | struct necp_client_update *client_update; |
1435 | struct necp_client_observer_update *buffer; |
1436 | size_t alloc_size; |
1437 | |
1438 | if (os_add_overflow(length, sizeof(*buffer), &alloc_size)) { |
1439 | return NULL; |
1440 | } |
1441 | buffer = kalloc_data(alloc_size, Z_WAITOK); |
1442 | if (buffer == NULL) { |
1443 | return NULL; |
1444 | } |
1445 | |
1446 | client_update = kalloc_type(struct necp_client_update, |
1447 | Z_WAITOK | Z_ZERO | Z_NOFAIL); |
1448 | client_update->update_length = alloc_size; |
1449 | client_update->update = buffer; |
1450 | memcpy(dst: buffer->tlv_buffer, src: data, n: length); |
1451 | return client_update; |
1452 | } |
1453 | |
1454 | static void |
1455 | necp_client_update_free(struct necp_client_update *client_update) |
1456 | { |
1457 | kfree_data(client_update->update, client_update->update_length); |
1458 | kfree_type(struct necp_client_update, client_update); |
1459 | } |
1460 | |
1461 | static void |
1462 | necp_client_update_observer_add_internal(struct necp_fd_data *observer_fd, struct necp_client *client) |
1463 | { |
1464 | struct necp_client_update *client_update; |
1465 | |
1466 | NECP_FD_LOCK(observer_fd); |
1467 | |
1468 | if (observer_fd->update_count >= necp_observer_message_limit) { |
1469 | NECP_FD_UNLOCK(observer_fd); |
1470 | return; |
1471 | } |
1472 | |
1473 | client_update = necp_client_update_alloc(data: client->parameters, length: client->parameters_length); |
1474 | if (client_update != NULL) { |
1475 | uuid_copy(dst: client_update->client_id, src: client->client_id); |
1476 | client_update->update->update_type = NECP_CLIENT_UPDATE_TYPE_PARAMETERS; |
1477 | TAILQ_INSERT_TAIL(&observer_fd->update_list, client_update, chain); |
1478 | observer_fd->update_count++; |
1479 | |
1480 | necp_fd_notify(fd_data: observer_fd, true); |
1481 | } |
1482 | |
1483 | NECP_FD_UNLOCK(observer_fd); |
1484 | } |
1485 | |
1486 | static void |
1487 | necp_client_update_observer_update_internal(struct necp_fd_data *observer_fd, struct necp_client *client) |
1488 | { |
1489 | NECP_FD_LOCK(observer_fd); |
1490 | |
1491 | if (observer_fd->update_count >= necp_observer_message_limit) { |
1492 | NECP_FD_UNLOCK(observer_fd); |
1493 | return; |
1494 | } |
1495 | |
1496 | struct necp_client_update *client_update = necp_client_update_alloc(data: client->result, length: client->result_length); |
1497 | if (client_update != NULL) { |
1498 | uuid_copy(dst: client_update->client_id, src: client->client_id); |
1499 | client_update->update->update_type = NECP_CLIENT_UPDATE_TYPE_RESULT; |
1500 | TAILQ_INSERT_TAIL(&observer_fd->update_list, client_update, chain); |
1501 | observer_fd->update_count++; |
1502 | |
1503 | necp_fd_notify(fd_data: observer_fd, true); |
1504 | } |
1505 | |
1506 | NECP_FD_UNLOCK(observer_fd); |
1507 | } |
1508 | |
1509 | static void |
1510 | necp_client_update_observer_remove_internal(struct necp_fd_data *observer_fd, struct necp_client *client) |
1511 | { |
1512 | NECP_FD_LOCK(observer_fd); |
1513 | |
1514 | if (observer_fd->update_count >= necp_observer_message_limit) { |
1515 | NECP_FD_UNLOCK(observer_fd); |
1516 | return; |
1517 | } |
1518 | |
1519 | struct necp_client_update *client_update = necp_client_update_alloc(NULL, length: 0); |
1520 | if (client_update != NULL) { |
1521 | uuid_copy(dst: client_update->client_id, src: client->client_id); |
1522 | client_update->update->update_type = NECP_CLIENT_UPDATE_TYPE_REMOVE; |
1523 | TAILQ_INSERT_TAIL(&observer_fd->update_list, client_update, chain); |
1524 | observer_fd->update_count++; |
1525 | |
1526 | necp_fd_notify(fd_data: observer_fd, true); |
1527 | } |
1528 | |
1529 | NECP_FD_UNLOCK(observer_fd); |
1530 | } |
1531 | |
1532 | static void |
1533 | necp_client_update_observer_add(struct necp_client *client) |
1534 | { |
1535 | NECP_OBSERVER_LIST_LOCK_SHARED(); |
1536 | |
1537 | if (LIST_EMPTY(&necp_fd_observer_list)) { |
1538 | // No observers, bail |
1539 | NECP_OBSERVER_LIST_UNLOCK(); |
1540 | return; |
1541 | } |
1542 | |
1543 | struct necp_fd_data *observer_fd = NULL; |
1544 | LIST_FOREACH(observer_fd, &necp_fd_observer_list, chain) { |
1545 | necp_client_update_observer_add_internal(observer_fd, client); |
1546 | } |
1547 | |
1548 | NECP_OBSERVER_LIST_UNLOCK(); |
1549 | } |
1550 | |
1551 | static void |
1552 | necp_client_update_observer_update(struct necp_client *client) |
1553 | { |
1554 | NECP_OBSERVER_LIST_LOCK_SHARED(); |
1555 | |
1556 | if (LIST_EMPTY(&necp_fd_observer_list)) { |
1557 | // No observers, bail |
1558 | NECP_OBSERVER_LIST_UNLOCK(); |
1559 | return; |
1560 | } |
1561 | |
1562 | struct necp_fd_data *observer_fd = NULL; |
1563 | LIST_FOREACH(observer_fd, &necp_fd_observer_list, chain) { |
1564 | necp_client_update_observer_update_internal(observer_fd, client); |
1565 | } |
1566 | |
1567 | NECP_OBSERVER_LIST_UNLOCK(); |
1568 | } |
1569 | |
1570 | static void |
1571 | necp_client_update_observer_remove(struct necp_client *client) |
1572 | { |
1573 | NECP_OBSERVER_LIST_LOCK_SHARED(); |
1574 | |
1575 | if (LIST_EMPTY(&necp_fd_observer_list)) { |
1576 | // No observers, bail |
1577 | NECP_OBSERVER_LIST_UNLOCK(); |
1578 | return; |
1579 | } |
1580 | |
1581 | struct necp_fd_data *observer_fd = NULL; |
1582 | LIST_FOREACH(observer_fd, &necp_fd_observer_list, chain) { |
1583 | necp_client_update_observer_remove_internal(observer_fd, client); |
1584 | } |
1585 | |
1586 | NECP_OBSERVER_LIST_UNLOCK(); |
1587 | } |
1588 | |
1589 | static void |
1590 | necp_destroy_client_flow_registration(struct necp_client *client, |
1591 | struct necp_client_flow_registration *flow_registration, |
1592 | pid_t pid, bool abort) |
1593 | { |
1594 | NECP_CLIENT_ASSERT_LOCKED(client); |
1595 | |
1596 | bool has_close_parameters = false; |
1597 | struct necp_client_agent_parameters close_parameters = {}; |
1598 | memset(s: close_parameters.u.close_token, c: 0, n: sizeof(close_parameters.u.close_token)); |
1599 | #if SKYWALK |
1600 | if (flow_registration->kstats_kaddr != NULL) { |
1601 | struct necp_all_stats *ustats_kaddr = ((struct necp_all_kstats *)flow_registration->kstats_kaddr)->necp_stats_ustats; |
1602 | struct necp_quic_stats *quicstats = (struct necp_quic_stats *)ustats_kaddr; |
1603 | if (quicstats != NULL && |
1604 | quicstats->necp_quic_udp_stats.necp_udp_hdr.necp_stats_type == NECP_CLIENT_STATISTICS_TYPE_QUIC) { |
1605 | memcpy(dst: close_parameters.u.close_token, src: quicstats->necp_quic_extra.ssr_token, n: sizeof(close_parameters.u.close_token)); |
1606 | has_close_parameters = true; |
1607 | } |
1608 | } |
1609 | |
1610 | // Release reference held on the stats arena |
1611 | if (flow_registration->stats_arena != NULL) { |
1612 | necp_arena_info_release(nai: flow_registration->stats_arena); |
1613 | flow_registration->stats_arena = NULL; |
1614 | } |
1615 | #endif /* SKYWALK */ |
1616 | |
1617 | struct necp_client_flow *search_flow = NULL; |
1618 | struct necp_client_flow *temp_flow = NULL; |
1619 | LIST_FOREACH_SAFE(search_flow, &flow_registration->flow_list, flow_chain, temp_flow) { |
1620 | if (search_flow->nexus && |
1621 | !uuid_is_null(uu: search_flow->u.nexus_agent)) { |
1622 | // Don't unregister for defunct flows |
1623 | if (!flow_registration->defunct) { |
1624 | u_int8_t message_type = (abort ? NETAGENT_MESSAGE_TYPE_ABORT_NEXUS : |
1625 | NETAGENT_MESSAGE_TYPE_CLOSE_NEXUS); |
1626 | if (((flow_registration->flags & NECP_CLIENT_FLOW_FLAGS_BROWSE) || |
1627 | (flow_registration->flags & NECP_CLIENT_FLOW_FLAGS_RESOLVE)) && |
1628 | !(flow_registration->flags & NECP_CLIENT_FLOW_FLAGS_ALLOW_NEXUS)) { |
1629 | message_type = NETAGENT_MESSAGE_TYPE_CLIENT_UNASSERT; |
1630 | } |
1631 | int netagent_error = netagent_client_message_with_params(agent_uuid: search_flow->u.nexus_agent, |
1632 | necp_client_uuid: ((flow_registration->flags & NECP_CLIENT_FLOW_FLAGS_USE_CLIENT_ID) ? |
1633 | client->client_id : |
1634 | flow_registration->registration_id), |
1635 | pid, handle: client->agent_handle, |
1636 | message_type, |
1637 | parameters: has_close_parameters ? &close_parameters : NULL, |
1638 | NULL, assigned_results_length: 0); |
1639 | if (netagent_error != 0 && netagent_error != ENOENT) { |
1640 | NECPLOG(LOG_ERR, "necp_client_remove close nexus error (%d) MESSAGE TYPE %u" , netagent_error, message_type); |
1641 | } |
1642 | } |
1643 | uuid_clear(uu: search_flow->u.nexus_agent); |
1644 | } |
1645 | if (search_flow->assigned_results != NULL) { |
1646 | kfree_data(search_flow->assigned_results, search_flow->assigned_results_length); |
1647 | search_flow->assigned_results = NULL; |
1648 | } |
1649 | LIST_REMOVE(search_flow, flow_chain); |
1650 | #if SKYWALK |
1651 | if (search_flow->nexus) { |
1652 | OSDecrementAtomic(&necp_nexus_flow_count); |
1653 | } else |
1654 | #endif /* SKYWALK */ |
1655 | if (search_flow->socket) { |
1656 | OSDecrementAtomic(&necp_socket_flow_count); |
1657 | } else { |
1658 | OSDecrementAtomic(&necp_if_flow_count); |
1659 | } |
1660 | kfree_type(struct necp_client_flow, search_flow); |
1661 | } |
1662 | |
1663 | RB_REMOVE(_necp_client_flow_tree, &client->flow_registrations, flow_registration); |
1664 | flow_registration->client = NULL; |
1665 | |
1666 | kfree_type(struct necp_client_flow_registration, flow_registration); |
1667 | } |
1668 | |
1669 | static void |
1670 | necp_destroy_client(struct necp_client *client, pid_t pid, bool abort) |
1671 | { |
1672 | NECP_CLIENT_ASSERT_UNLOCKED(client); |
1673 | |
1674 | #if SKYWALK |
1675 | if (client->nstat_context != NULL) { |
1676 | // This is a catch-all that should be rarely used. |
1677 | nstat_provider_stats_close(nstat_ctx: client->nstat_context); |
1678 | client->nstat_context = NULL; |
1679 | } |
1680 | if (client->original_parameters_source != NULL) { |
1681 | necp_client_release(client: client->original_parameters_source); |
1682 | client->original_parameters_source = NULL; |
1683 | } |
1684 | #endif /* SKYWALK */ |
1685 | necp_client_update_observer_remove(client); |
1686 | |
1687 | NECP_CLIENT_LOCK(client); |
1688 | |
1689 | // Free route |
1690 | NECP_CLIENT_ROUTE_LOCK(client); |
1691 | if (client->current_route != NULL) { |
1692 | rtfree(client->current_route); |
1693 | client->current_route = NULL; |
1694 | } |
1695 | NECP_CLIENT_ROUTE_UNLOCK(client); |
1696 | |
1697 | // Remove flow assignments |
1698 | struct necp_client_flow_registration *flow_registration = NULL; |
1699 | struct necp_client_flow_registration *temp_flow_registration = NULL; |
1700 | RB_FOREACH_SAFE(flow_registration, _necp_client_flow_tree, &client->flow_registrations, temp_flow_registration) { |
1701 | necp_destroy_client_flow_registration(client, flow_registration, pid, abort); |
1702 | } |
1703 | |
1704 | #if SKYWALK |
1705 | // Remove port reservation |
1706 | if (NETNS_TOKEN_VALID(&client->port_reservation)) { |
1707 | netns_release(token: &client->port_reservation); |
1708 | } |
1709 | #endif /* !SKYWALK */ |
1710 | |
1711 | // Remove agent assertions |
1712 | struct necp_client_assertion *search_assertion = NULL; |
1713 | struct necp_client_assertion *temp_assertion = NULL; |
1714 | LIST_FOREACH_SAFE(search_assertion, &client->assertion_list, assertion_chain, temp_assertion) { |
1715 | int netagent_error = netagent_client_message(agent_uuid: search_assertion->asserted_netagent, necp_client_uuid: client->client_id, pid, |
1716 | handle: client->agent_handle, NETAGENT_MESSAGE_TYPE_CLIENT_UNASSERT); |
1717 | if (netagent_error != 0) { |
1718 | NECPLOG((netagent_error == ENOENT ? LOG_DEBUG : LOG_ERR), |
1719 | "necp_client_remove unassert agent error (%d)" , netagent_error); |
1720 | } |
1721 | LIST_REMOVE(search_assertion, assertion_chain); |
1722 | kfree_type(struct necp_client_assertion, search_assertion); |
1723 | } |
1724 | |
1725 | if (!necp_client_release_locked(client)) { |
1726 | NECP_CLIENT_UNLOCK(client); |
1727 | } |
1728 | |
1729 | OSDecrementAtomic(&necp_client_count); |
1730 | } |
1731 | |
1732 | static bool |
1733 | necp_defunct_client_fd_locked_inner(struct necp_fd_data *client_fd, struct _necp_flow_defunct_list *defunct_list, bool destroy_stats); |
1734 | |
1735 | static void |
1736 | necp_process_defunct_list(struct _necp_flow_defunct_list *defunct_list) |
1737 | { |
1738 | if (!LIST_EMPTY(defunct_list)) { |
1739 | struct necp_flow_defunct *flow_defunct = NULL; |
1740 | struct necp_flow_defunct *temp_flow_defunct = NULL; |
1741 | |
1742 | // For each newly defunct client, send a message to the nexus to remove the flow |
1743 | LIST_FOREACH_SAFE(flow_defunct, defunct_list, chain, temp_flow_defunct) { |
1744 | if (!uuid_is_null(uu: flow_defunct->nexus_agent)) { |
1745 | u_int8_t message_type = NETAGENT_MESSAGE_TYPE_ABORT_NEXUS; |
1746 | if (((flow_defunct->flags & NECP_CLIENT_FLOW_FLAGS_BROWSE) || |
1747 | (flow_defunct->flags & NECP_CLIENT_FLOW_FLAGS_RESOLVE)) && |
1748 | !(flow_defunct->flags & NECP_CLIENT_FLOW_FLAGS_ALLOW_NEXUS)) { |
1749 | message_type = NETAGENT_MESSAGE_TYPE_CLIENT_UNASSERT; |
1750 | } |
1751 | int netagent_error = netagent_client_message_with_params(agent_uuid: flow_defunct->nexus_agent, |
1752 | necp_client_uuid: flow_defunct->flow_id, |
1753 | pid: flow_defunct->proc_pid, |
1754 | handle: flow_defunct->agent_handle, |
1755 | message_type, |
1756 | parameters: flow_defunct->has_close_parameters ? &flow_defunct->close_parameters : NULL, |
1757 | NULL, assigned_results_length: 0); |
1758 | if (netagent_error != 0) { |
1759 | char namebuf[MAXCOMLEN + 1]; |
1760 | (void) strlcpy(dst: namebuf, src: "unknown" , n: sizeof(namebuf)); |
1761 | proc_name(pid: flow_defunct->proc_pid, buf: namebuf, size: sizeof(namebuf)); |
1762 | NECPLOG((netagent_error == ENOENT ? LOG_DEBUG : LOG_ERR), "necp_update_client abort nexus error (%d) for pid %d %s" , netagent_error, flow_defunct->proc_pid, namebuf); |
1763 | } |
1764 | } |
1765 | LIST_REMOVE(flow_defunct, chain); |
1766 | kfree_type(struct necp_flow_defunct, flow_defunct); |
1767 | } |
1768 | } |
1769 | ASSERT(LIST_EMPTY(defunct_list)); |
1770 | } |
1771 | |
1772 | static int |
1773 | necpop_close(struct fileglob *fg, vfs_context_t ctx) |
1774 | { |
1775 | #pragma unused(ctx) |
1776 | struct necp_fd_data *fd_data = NULL; |
1777 | int error = 0; |
1778 | |
1779 | fd_data = (struct necp_fd_data *)fg_get_data(fg); |
1780 | fg_set_data(fg, NULL); |
1781 | |
1782 | if (fd_data != NULL) { |
1783 | struct _necp_client_tree clients_to_close; |
1784 | RB_INIT(&clients_to_close); |
1785 | |
1786 | // Remove from list quickly |
1787 | if (fd_data->flags & NECP_OPEN_FLAG_PUSH_OBSERVER) { |
1788 | NECP_OBSERVER_LIST_LOCK_EXCLUSIVE(); |
1789 | LIST_REMOVE(fd_data, chain); |
1790 | NECP_OBSERVER_LIST_UNLOCK(); |
1791 | } else { |
1792 | NECP_FD_LIST_LOCK_EXCLUSIVE(); |
1793 | LIST_REMOVE(fd_data, chain); |
1794 | NECP_FD_LIST_UNLOCK(); |
1795 | } |
1796 | |
1797 | NECP_FD_LOCK(fd_data); |
1798 | pid_t pid = fd_data->proc_pid; |
1799 | |
1800 | struct _necp_flow_defunct_list defunct_list; |
1801 | LIST_INIT(&defunct_list); |
1802 | |
1803 | (void)necp_defunct_client_fd_locked_inner(client_fd: fd_data, defunct_list: &defunct_list, false); |
1804 | |
1805 | struct necp_client_flow_registration *flow_registration = NULL; |
1806 | struct necp_client_flow_registration *temp_flow_registration = NULL; |
1807 | RB_FOREACH_SAFE(flow_registration, _necp_fd_flow_tree, &fd_data->flows, temp_flow_registration) { |
1808 | #if SKYWALK |
1809 | necp_destroy_flow_stats(fd_data, flow_registration, NULL, TRUE); |
1810 | #endif /* SKYWALK */ |
1811 | NECP_FLOW_TREE_LOCK_EXCLUSIVE(); |
1812 | RB_REMOVE(_necp_client_flow_global_tree, &necp_client_flow_global_tree, flow_registration); |
1813 | NECP_FLOW_TREE_UNLOCK(); |
1814 | RB_REMOVE(_necp_fd_flow_tree, &fd_data->flows, flow_registration); |
1815 | } |
1816 | |
1817 | struct necp_client *client = NULL; |
1818 | struct necp_client *temp_client = NULL; |
1819 | RB_FOREACH_SAFE(client, _necp_client_tree, &fd_data->clients, temp_client) { |
1820 | // Clear out the agent_handle to avoid dangling pointers back to fd_data |
1821 | NECP_CLIENT_LOCK(client); |
1822 | client->agent_handle = NULL; |
1823 | NECP_CLIENT_UNLOCK(client); |
1824 | |
1825 | NECP_CLIENT_TREE_LOCK_EXCLUSIVE(); |
1826 | RB_REMOVE(_necp_client_global_tree, &necp_client_global_tree, client); |
1827 | NECP_CLIENT_TREE_UNLOCK(); |
1828 | RB_REMOVE(_necp_client_tree, &fd_data->clients, client); |
1829 | RB_INSERT(_necp_client_tree, &clients_to_close, client); |
1830 | } |
1831 | |
1832 | struct necp_client_update *client_update = NULL; |
1833 | struct necp_client_update *temp_update = NULL; |
1834 | TAILQ_FOREACH_SAFE(client_update, &fd_data->update_list, chain, temp_update) { |
1835 | // Flush pending updates |
1836 | TAILQ_REMOVE(&fd_data->update_list, client_update, chain); |
1837 | necp_client_update_free(client_update); |
1838 | } |
1839 | fd_data->update_count = 0; |
1840 | |
1841 | #if SKYWALK |
1842 | // Cleanup stats arena(s); indicate that we're closing |
1843 | necp_stats_arenas_destroy(fd_data, TRUE); |
1844 | ASSERT(fd_data->stats_arena_active == NULL); |
1845 | ASSERT(LIST_EMPTY(&fd_data->stats_arena_list)); |
1846 | |
1847 | // Cleanup systctl arena |
1848 | necp_sysctl_arena_destroy(fd_data); |
1849 | ASSERT(fd_data->sysctl_arena == NULL); |
1850 | #endif /* SKYWALK */ |
1851 | |
1852 | NECP_FD_UNLOCK(fd_data); |
1853 | |
1854 | selthreadclear(&fd_data->si); |
1855 | |
1856 | lck_mtx_destroy(lck: &fd_data->fd_lock, grp: &necp_fd_mtx_grp); |
1857 | |
1858 | if (fd_data->flags & NECP_OPEN_FLAG_PUSH_OBSERVER) { |
1859 | OSDecrementAtomic(&necp_observer_fd_count); |
1860 | } else { |
1861 | OSDecrementAtomic(&necp_client_fd_count); |
1862 | } |
1863 | |
1864 | kfree_type(struct necp_fd_data, fd_data); |
1865 | |
1866 | RB_FOREACH_SAFE(client, _necp_client_tree, &clients_to_close, temp_client) { |
1867 | RB_REMOVE(_necp_client_tree, &clients_to_close, client); |
1868 | necp_destroy_client(client, pid, true); |
1869 | } |
1870 | |
1871 | necp_process_defunct_list(defunct_list: &defunct_list); |
1872 | } |
1873 | |
1874 | return error; |
1875 | } |
1876 | |
1877 | /// NECP client utilities |
1878 | |
1879 | static inline bool |
1880 | necp_address_is_wildcard(const union necp_sockaddr_union * const addr) |
1881 | { |
1882 | return (addr->sa.sa_family == AF_INET && addr->sin.sin_addr.s_addr == INADDR_ANY) || |
1883 | (addr->sa.sa_family == AF_INET6 && IN6_IS_ADDR_UNSPECIFIED(&addr->sin6.sin6_addr)); |
1884 | } |
1885 | |
1886 | static int |
1887 | necp_find_fd_data(struct proc *p, int fd, |
1888 | struct fileproc **fpp, struct necp_fd_data **fd_data) |
1889 | { |
1890 | struct fileproc *fp; |
1891 | int error = fp_get_ftype(p, fd, ftype: DTYPE_NETPOLICY, ENODEV, fpp: &fp); |
1892 | |
1893 | if (error == 0) { |
1894 | *fd_data = (struct necp_fd_data *)fp_get_data(fp); |
1895 | *fpp = fp; |
1896 | |
1897 | if ((*fd_data)->necp_fd_type != necp_fd_type_client) { |
1898 | // Not a client fd, ignore |
1899 | fp_drop(p, fd, fp, locked: 0); |
1900 | error = EINVAL; |
1901 | } |
1902 | } |
1903 | return error; |
1904 | } |
1905 | |
1906 | static void |
1907 | necp_client_add_nexus_flow(struct necp_client_flow_registration *flow_registration, |
1908 | uuid_t nexus_agent, |
1909 | uint32_t interface_index, |
1910 | uint32_t interface_flags) |
1911 | { |
1912 | struct necp_client_flow *new_flow = kalloc_type(struct necp_client_flow, Z_WAITOK | Z_ZERO | Z_NOFAIL); |
1913 | |
1914 | new_flow->nexus = TRUE; |
1915 | uuid_copy(dst: new_flow->u.nexus_agent, src: nexus_agent); |
1916 | new_flow->interface_index = interface_index; |
1917 | new_flow->interface_flags = interface_flags; |
1918 | new_flow->check_tcp_heuristics = TRUE; |
1919 | |
1920 | #if SKYWALK |
1921 | OSIncrementAtomic(&necp_nexus_flow_count); |
1922 | #endif /* SKYWALK */ |
1923 | |
1924 | LIST_INSERT_HEAD(&flow_registration->flow_list, new_flow, flow_chain); |
1925 | |
1926 | #if SKYWALK |
1927 | necp_flow_save_current_interface_details(flow_registration); |
1928 | #endif /* SKYWALK */ |
1929 | } |
1930 | |
1931 | static void |
1932 | necp_client_add_nexus_flow_if_needed(struct necp_client_flow_registration *flow_registration, |
1933 | uuid_t nexus_agent, |
1934 | uint32_t interface_index) |
1935 | { |
1936 | struct necp_client_flow *flow = NULL; |
1937 | LIST_FOREACH(flow, &flow_registration->flow_list, flow_chain) { |
1938 | if (flow->nexus && |
1939 | uuid_compare(uu1: flow->u.nexus_agent, uu2: nexus_agent) == 0) { |
1940 | return; |
1941 | } |
1942 | } |
1943 | |
1944 | uint32_t interface_flags = 0; |
1945 | ifnet_t ifp = NULL; |
1946 | ifnet_head_lock_shared(); |
1947 | if (interface_index != IFSCOPE_NONE && interface_index <= (u_int32_t)if_index) { |
1948 | ifp = ifindex2ifnet[interface_index]; |
1949 | if (ifp != NULL) { |
1950 | ifnet_lock_shared(ifp); |
1951 | interface_flags = nstat_ifnet_to_flags(ifp); |
1952 | ifnet_lock_done(ifp); |
1953 | } |
1954 | } |
1955 | ifnet_head_done(); |
1956 | necp_client_add_nexus_flow(flow_registration, nexus_agent, interface_index, interface_flags); |
1957 | } |
1958 | |
1959 | static struct necp_client_flow * |
1960 | necp_client_add_interface_flow(struct necp_client_flow_registration *flow_registration, |
1961 | uint32_t interface_index) |
1962 | { |
1963 | struct necp_client_flow *new_flow = kalloc_type(struct necp_client_flow, Z_WAITOK | Z_ZERO | Z_NOFAIL); |
1964 | |
1965 | // Neither nexus nor socket |
1966 | new_flow->interface_index = interface_index; |
1967 | new_flow->u.socket_handle = flow_registration->interface_handle; |
1968 | new_flow->u.cb = flow_registration->interface_cb; |
1969 | |
1970 | OSIncrementAtomic(&necp_if_flow_count); |
1971 | |
1972 | LIST_INSERT_HEAD(&flow_registration->flow_list, new_flow, flow_chain); |
1973 | |
1974 | return new_flow; |
1975 | } |
1976 | |
1977 | static struct necp_client_flow * |
1978 | necp_client_add_interface_flow_if_needed(struct necp_client *client, |
1979 | struct necp_client_flow_registration *flow_registration, |
1980 | uint32_t interface_index) |
1981 | { |
1982 | if (!client->allow_multiple_flows || |
1983 | interface_index == IFSCOPE_NONE) { |
1984 | // Interface not set, or client not allowed to use this mode |
1985 | return NULL; |
1986 | } |
1987 | |
1988 | struct necp_client_flow *flow = NULL; |
1989 | LIST_FOREACH(flow, &flow_registration->flow_list, flow_chain) { |
1990 | if (!flow->nexus && !flow->socket && flow->interface_index == interface_index) { |
1991 | // Already have the flow |
1992 | flow->invalid = FALSE; |
1993 | flow->u.socket_handle = flow_registration->interface_handle; |
1994 | flow->u.cb = flow_registration->interface_cb; |
1995 | return NULL; |
1996 | } |
1997 | } |
1998 | return necp_client_add_interface_flow(flow_registration, interface_index); |
1999 | } |
2000 | |
2001 | static void |
2002 | necp_client_add_interface_option_if_needed(struct necp_client *client, |
2003 | uint32_t interface_index, |
2004 | uint32_t interface_generation, |
2005 | uuid_t *nexus_agent, |
2006 | bool network_provider) |
2007 | { |
2008 | if ((interface_index == IFSCOPE_NONE && !network_provider) || |
2009 | (client->interface_option_count != 0 && !client->allow_multiple_flows)) { |
2010 | // Interface not set, or client not allowed to use this mode |
2011 | return; |
2012 | } |
2013 | |
2014 | if (client->interface_option_count >= NECP_CLIENT_MAX_INTERFACE_OPTIONS) { |
2015 | // Cannot take any more interface options |
2016 | return; |
2017 | } |
2018 | |
2019 | // Check if already present |
2020 | for (u_int32_t option_i = 0; option_i < client->interface_option_count; option_i++) { |
2021 | if (option_i < NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT) { |
2022 | struct necp_client_interface_option *option = &client->interface_options[option_i]; |
2023 | if (option->interface_index == interface_index) { |
2024 | if (nexus_agent == NULL) { |
2025 | return; |
2026 | } |
2027 | if (uuid_compare(uu1: option->nexus_agent, uu2: *nexus_agent) == 0) { |
2028 | return; |
2029 | } |
2030 | if (uuid_is_null(uu: option->nexus_agent)) { |
2031 | uuid_copy(dst: option->nexus_agent, src: *nexus_agent); |
2032 | return; |
2033 | } |
2034 | // If we get to this point, this is a new nexus flow |
2035 | } |
2036 | } else { |
2037 | struct necp_client_interface_option *option = &client->extra_interface_options[option_i - NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT]; |
2038 | if (option->interface_index == interface_index) { |
2039 | if (nexus_agent == NULL) { |
2040 | return; |
2041 | } |
2042 | if (uuid_compare(uu1: option->nexus_agent, uu2: *nexus_agent) == 0) { |
2043 | return; |
2044 | } |
2045 | if (uuid_is_null(uu: option->nexus_agent)) { |
2046 | uuid_copy(dst: option->nexus_agent, src: *nexus_agent); |
2047 | return; |
2048 | } |
2049 | // If we get to this point, this is a new nexus flow |
2050 | } |
2051 | } |
2052 | } |
2053 | |
2054 | // Add a new entry |
2055 | if (client->interface_option_count < NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT) { |
2056 | // Add to static |
2057 | struct necp_client_interface_option *option = &client->interface_options[client->interface_option_count]; |
2058 | option->interface_index = interface_index; |
2059 | option->interface_generation = interface_generation; |
2060 | if (nexus_agent != NULL) { |
2061 | uuid_copy(dst: option->nexus_agent, src: *nexus_agent); |
2062 | } else { |
2063 | uuid_clear(uu: option->nexus_agent); |
2064 | } |
2065 | client->interface_option_count++; |
2066 | } else { |
2067 | // Add to extra |
2068 | if (client->extra_interface_options == NULL) { |
2069 | client->extra_interface_options = (struct necp_client_interface_option *)kalloc_data( |
2070 | sizeof(struct necp_client_interface_option) * NECP_CLIENT_INTERFACE_OPTION_EXTRA_COUNT, Z_WAITOK | Z_ZERO); |
2071 | } |
2072 | if (client->extra_interface_options != NULL) { |
2073 | struct necp_client_interface_option *option = &client->extra_interface_options[client->interface_option_count - NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT]; |
2074 | option->interface_index = interface_index; |
2075 | option->interface_generation = interface_generation; |
2076 | if (nexus_agent != NULL) { |
2077 | uuid_copy(dst: option->nexus_agent, src: *nexus_agent); |
2078 | } else { |
2079 | uuid_clear(uu: option->nexus_agent); |
2080 | } |
2081 | client->interface_option_count++; |
2082 | } |
2083 | } |
2084 | } |
2085 | |
2086 | static bool |
2087 | necp_client_flow_is_viable(proc_t proc, struct necp_client *client, |
2088 | struct necp_client_flow *flow) |
2089 | { |
2090 | struct necp_aggregate_result result; |
2091 | bool ignore_address = (client->allow_multiple_flows && !flow->nexus && !flow->socket); |
2092 | |
2093 | flow->necp_flow_flags = 0; |
2094 | int error = necp_application_find_policy_match_internal(proc, parameters: client->parameters, |
2095 | parameters_size: (u_int32_t)client->parameters_length, |
2096 | returned_result: &result, flags: &flow->necp_flow_flags, NULL, |
2097 | required_interface_index: flow->interface_index, |
2098 | override_local_addr: &flow->local_addr, override_remote_addr: &flow->remote_addr, NULL, NULL, |
2099 | NULL, ignore_address, true, NULL); |
2100 | |
2101 | // Check for blocking agents |
2102 | for (int i = 0; i < NECP_MAX_NETAGENTS; i++) { |
2103 | if (uuid_is_null(uu: result.netagents[i])) { |
2104 | // Passed end of valid agents |
2105 | break; |
2106 | } |
2107 | if (result.netagent_use_flags[i] & NECP_AGENT_USE_FLAG_REMOVE) { |
2108 | // A removed agent, ignore |
2109 | continue; |
2110 | } |
2111 | u_int32_t flags = netagent_get_flags(uuid: result.netagents[i]); |
2112 | if ((flags & NETAGENT_FLAG_REGISTERED) && |
2113 | !(flags & NETAGENT_FLAG_VOLUNTARY) && |
2114 | !(flags & NETAGENT_FLAG_ACTIVE) && |
2115 | !(flags & NETAGENT_FLAG_SPECIFIC_USE_ONLY)) { |
2116 | // A required agent is not active, cause the flow to be marked non-viable |
2117 | return false; |
2118 | } |
2119 | } |
2120 | |
2121 | if (flow->interface_index != IFSCOPE_NONE) { |
2122 | ifnet_head_lock_shared(); |
2123 | |
2124 | struct ifnet *ifp = ifindex2ifnet[flow->interface_index]; |
2125 | if (ifp && ifp->if_delegated.ifp != IFSCOPE_NONE) { |
2126 | flow->delegated_interface_index = ifp->if_delegated.ifp->if_index; |
2127 | } |
2128 | |
2129 | ifnet_head_done(); |
2130 | } |
2131 | |
2132 | return error == 0 && |
2133 | result.routed_interface_index != IFSCOPE_NONE && |
2134 | result.routing_result != NECP_KERNEL_POLICY_RESULT_DROP; |
2135 | } |
2136 | |
2137 | static void |
2138 | necp_flow_add_interface_flows(proc_t proc, |
2139 | struct necp_client *client, |
2140 | struct necp_client_flow_registration *flow_registration, |
2141 | bool send_initial) |
2142 | { |
2143 | // Traverse all interfaces and add a tracking flow if needed |
2144 | for (u_int32_t option_i = 0; option_i < client->interface_option_count; option_i++) { |
2145 | if (option_i < NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT) { |
2146 | struct necp_client_interface_option *option = &client->interface_options[option_i]; |
2147 | struct necp_client_flow *flow = necp_client_add_interface_flow_if_needed(client, flow_registration, interface_index: option->interface_index); |
2148 | if (flow != NULL && send_initial) { |
2149 | flow->viable = necp_client_flow_is_viable(proc, client, flow); |
2150 | if (flow->viable && flow->u.cb) { |
2151 | bool viable = flow->viable; |
2152 | flow->u.cb(flow_registration->interface_handle, NECP_CLIENT_CBACTION_INITIAL, flow->interface_index, flow->necp_flow_flags, &viable); |
2153 | flow->viable = viable; |
2154 | } |
2155 | } |
2156 | } else { |
2157 | struct necp_client_interface_option *option = &client->extra_interface_options[option_i - NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT]; |
2158 | struct necp_client_flow *flow = necp_client_add_interface_flow_if_needed(client, flow_registration, interface_index: option->interface_index); |
2159 | if (flow != NULL && send_initial) { |
2160 | flow->viable = necp_client_flow_is_viable(proc, client, flow); |
2161 | if (flow->viable && flow->u.cb) { |
2162 | bool viable = flow->viable; |
2163 | flow->u.cb(flow_registration->interface_handle, NECP_CLIENT_CBACTION_INITIAL, flow->interface_index, flow->necp_flow_flags, &viable); |
2164 | flow->viable = viable; |
2165 | } |
2166 | } |
2167 | } |
2168 | } |
2169 | } |
2170 | |
2171 | static bool |
2172 | necp_client_update_flows(proc_t proc, |
2173 | struct necp_client *client, |
2174 | struct _necp_flow_defunct_list *defunct_list) |
2175 | { |
2176 | NECP_CLIENT_ASSERT_LOCKED(client); |
2177 | |
2178 | bool any_client_updated = FALSE; |
2179 | struct necp_client_flow *flow = NULL; |
2180 | struct necp_client_flow *temp_flow = NULL; |
2181 | struct necp_client_flow_registration *flow_registration = NULL; |
2182 | RB_FOREACH(flow_registration, _necp_client_flow_tree, &client->flow_registrations) { |
2183 | if (flow_registration->interface_cb != NULL) { |
2184 | // Add any interface flows that are not already tracked |
2185 | necp_flow_add_interface_flows(proc, client, flow_registration, false); |
2186 | } |
2187 | |
2188 | LIST_FOREACH_SAFE(flow, &flow_registration->flow_list, flow_chain, temp_flow) { |
2189 | bool client_updated = FALSE; |
2190 | |
2191 | // Check policy result for flow |
2192 | u_short old_delegated_ifindex = flow->delegated_interface_index; |
2193 | |
2194 | int old_flags = flow->necp_flow_flags; |
2195 | bool viable = necp_client_flow_is_viable(proc, client, flow); |
2196 | |
2197 | // TODO: Defunct nexus flows that are blocked by policy |
2198 | |
2199 | if (flow->viable != viable) { |
2200 | flow->viable = viable; |
2201 | client_updated = TRUE; |
2202 | } |
2203 | |
2204 | if ((old_flags & NECP_CLIENT_RESULT_FLAG_FORCE_UPDATE) != |
2205 | (flow->necp_flow_flags & NECP_CLIENT_RESULT_FLAG_FORCE_UPDATE)) { |
2206 | client_updated = TRUE; |
2207 | } |
2208 | |
2209 | if (flow->delegated_interface_index != old_delegated_ifindex) { |
2210 | client_updated = TRUE; |
2211 | } |
2212 | |
2213 | if (flow->viable && client_updated && (flow->socket || (!flow->socket && !flow->nexus)) && flow->u.cb) { |
2214 | bool flow_viable = flow->viable; |
2215 | flow->u.cb(flow->u.socket_handle, NECP_CLIENT_CBACTION_VIABLE, flow->interface_index, flow->necp_flow_flags, &flow_viable); |
2216 | flow->viable = flow_viable; |
2217 | } |
2218 | |
2219 | if (!flow->viable || flow->invalid) { |
2220 | if (client_updated && (flow->socket || (!flow->socket && !flow->nexus)) && flow->u.cb) { |
2221 | bool flow_viable = flow->viable; |
2222 | flow->u.cb(flow->u.socket_handle, NECP_CLIENT_CBACTION_NONVIABLE, flow->interface_index, flow->necp_flow_flags, &flow_viable); |
2223 | flow->viable = flow_viable; |
2224 | } |
2225 | // The callback might change the viable-flag of the |
2226 | // flow depending on its policy. Thus, we need to |
2227 | // check the flags again after the callback. |
2228 | } |
2229 | |
2230 | #if SKYWALK |
2231 | if (defunct_list != NULL) { |
2232 | if (flow->invalid && flow->nexus && flow->assigned && !uuid_is_null(uu: flow->u.nexus_agent)) { |
2233 | // This is a nexus flow that was assigned, but not found on path |
2234 | u_int32_t flags = netagent_get_flags(uuid: flow->u.nexus_agent); |
2235 | if (!(flags & NETAGENT_FLAG_REGISTERED)) { |
2236 | // The agent is no longer registered! Mark defunct. |
2237 | necp_defunct_flow_registration(client, flow_registration, defunct_list); |
2238 | client_updated = TRUE; |
2239 | } |
2240 | } |
2241 | } |
2242 | #else /* !SKYWALK */ |
2243 | (void)defunct_list; |
2244 | #endif /* !SKYWALK */ |
2245 | |
2246 | // Handle flows that no longer match |
2247 | if (!flow->viable || flow->invalid) { |
2248 | // Drop them as long as they aren't assigned data |
2249 | if (!flow->nexus && !flow->assigned) { |
2250 | if (flow->assigned_results != NULL) { |
2251 | kfree_data(flow->assigned_results, flow->assigned_results_length); |
2252 | flow->assigned_results = NULL; |
2253 | client_updated = TRUE; |
2254 | } |
2255 | LIST_REMOVE(flow, flow_chain); |
2256 | #if SKYWALK |
2257 | if (flow->nexus) { |
2258 | OSDecrementAtomic(&necp_nexus_flow_count); |
2259 | } else |
2260 | #endif /* SKYWALK */ |
2261 | if (flow->socket) { |
2262 | OSDecrementAtomic(&necp_socket_flow_count); |
2263 | } else { |
2264 | OSDecrementAtomic(&necp_if_flow_count); |
2265 | } |
2266 | kfree_type(struct necp_client_flow, flow); |
2267 | } |
2268 | } |
2269 | |
2270 | any_client_updated |= client_updated; |
2271 | } |
2272 | #if SKYWALK |
2273 | necp_flow_save_current_interface_details(flow_registration); |
2274 | #endif /* SKYWALK */ |
2275 | } |
2276 | |
2277 | return any_client_updated; |
2278 | } |
2279 | |
2280 | static void |
2281 | necp_client_mark_all_nonsocket_flows_as_invalid(struct necp_client *client) |
2282 | { |
2283 | struct necp_client_flow_registration *flow_registration = NULL; |
2284 | struct necp_client_flow *flow = NULL; |
2285 | RB_FOREACH(flow_registration, _necp_client_flow_tree, &client->flow_registrations) { |
2286 | LIST_FOREACH(flow, &flow_registration->flow_list, flow_chain) { |
2287 | if (!flow->socket) { // Socket flows are not marked as invalid |
2288 | flow->invalid = TRUE; |
2289 | } |
2290 | } |
2291 | } |
2292 | |
2293 | // Reset option count every update |
2294 | client->interface_option_count = 0; |
2295 | } |
2296 | |
2297 | static inline bool |
2298 | necp_netagent_is_requested(const struct necp_client_parsed_parameters *parameters, |
2299 | uuid_t *netagent_uuid) |
2300 | { |
2301 | // Specific use agents only apply when requested |
2302 | bool requested = false; |
2303 | if (parameters != NULL) { |
2304 | // Check required agent UUIDs |
2305 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
2306 | if (uuid_is_null(uu: parameters->required_netagents[i])) { |
2307 | break; |
2308 | } |
2309 | if (uuid_compare(uu1: parameters->required_netagents[i], uu2: *netagent_uuid) == 0) { |
2310 | requested = true; |
2311 | break; |
2312 | } |
2313 | } |
2314 | |
2315 | if (!requested) { |
2316 | // Check required agent types |
2317 | bool fetched_type = false; |
2318 | char netagent_domain[NETAGENT_DOMAINSIZE]; |
2319 | char netagent_type[NETAGENT_TYPESIZE]; |
2320 | memset(s: &netagent_domain, c: 0, NETAGENT_DOMAINSIZE); |
2321 | memset(s: &netagent_type, c: 0, NETAGENT_TYPESIZE); |
2322 | |
2323 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
2324 | if (strlen(s: parameters->required_netagent_types[i].netagent_domain) == 0 || |
2325 | strlen(s: parameters->required_netagent_types[i].netagent_type) == 0) { |
2326 | break; |
2327 | } |
2328 | |
2329 | if (!fetched_type) { |
2330 | if (netagent_get_agent_domain_and_type(uuid: *netagent_uuid, domain: netagent_domain, type: netagent_type)) { |
2331 | fetched_type = TRUE; |
2332 | } else { |
2333 | break; |
2334 | } |
2335 | } |
2336 | |
2337 | if ((strlen(s: parameters->required_netagent_types[i].netagent_domain) == 0 || |
2338 | strncmp(s1: netagent_domain, s2: parameters->required_netagent_types[i].netagent_domain, NETAGENT_DOMAINSIZE) == 0) && |
2339 | (strlen(s: parameters->required_netagent_types[i].netagent_type) == 0 || |
2340 | strncmp(s1: netagent_type, s2: parameters->required_netagent_types[i].netagent_type, NETAGENT_TYPESIZE) == 0)) { |
2341 | requested = true; |
2342 | break; |
2343 | } |
2344 | } |
2345 | } |
2346 | |
2347 | // Check preferred agent UUIDs |
2348 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
2349 | if (uuid_is_null(uu: parameters->preferred_netagents[i])) { |
2350 | break; |
2351 | } |
2352 | if (uuid_compare(uu1: parameters->preferred_netagents[i], uu2: *netagent_uuid) == 0) { |
2353 | requested = true; |
2354 | break; |
2355 | } |
2356 | } |
2357 | |
2358 | if (!requested) { |
2359 | // Check preferred agent types |
2360 | bool fetched_type = false; |
2361 | char netagent_domain[NETAGENT_DOMAINSIZE]; |
2362 | char netagent_type[NETAGENT_TYPESIZE]; |
2363 | memset(s: &netagent_domain, c: 0, NETAGENT_DOMAINSIZE); |
2364 | memset(s: &netagent_type, c: 0, NETAGENT_TYPESIZE); |
2365 | |
2366 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
2367 | if (strlen(s: parameters->preferred_netagent_types[i].netagent_domain) == 0 || |
2368 | strlen(s: parameters->preferred_netagent_types[i].netagent_type) == 0) { |
2369 | break; |
2370 | } |
2371 | |
2372 | if (!fetched_type) { |
2373 | if (netagent_get_agent_domain_and_type(uuid: *netagent_uuid, domain: netagent_domain, type: netagent_type)) { |
2374 | fetched_type = TRUE; |
2375 | } else { |
2376 | break; |
2377 | } |
2378 | } |
2379 | |
2380 | if ((strlen(s: parameters->preferred_netagent_types[i].netagent_domain) == 0 || |
2381 | strncmp(s1: netagent_domain, s2: parameters->preferred_netagent_types[i].netagent_domain, NETAGENT_DOMAINSIZE) == 0) && |
2382 | (strlen(s: parameters->preferred_netagent_types[i].netagent_type) == 0 || |
2383 | strncmp(s1: netagent_type, s2: parameters->preferred_netagent_types[i].netagent_type, NETAGENT_TYPESIZE) == 0)) { |
2384 | requested = true; |
2385 | break; |
2386 | } |
2387 | } |
2388 | } |
2389 | } |
2390 | |
2391 | return requested; |
2392 | } |
2393 | |
2394 | static bool |
2395 | necp_netagent_applies_to_client(struct necp_client *client, |
2396 | const struct necp_client_parsed_parameters *parameters, |
2397 | uuid_t *netagent_uuid, bool allow_nexus, |
2398 | uint32_t interface_index, uint32_t interface_generation) |
2399 | { |
2400 | #pragma unused(interface_index, interface_generation) |
2401 | bool applies = FALSE; |
2402 | u_int32_t flags = netagent_get_flags(uuid: *netagent_uuid); |
2403 | if (!(flags & NETAGENT_FLAG_REGISTERED)) { |
2404 | // Unregistered agents never apply |
2405 | return applies; |
2406 | } |
2407 | |
2408 | const bool is_nexus_agent = ((flags & NETAGENT_FLAG_NEXUS_PROVIDER) || |
2409 | (flags & NETAGENT_FLAG_NEXUS_LISTENER) || |
2410 | (flags & NETAGENT_FLAG_CUSTOM_ETHER_NEXUS) || |
2411 | (flags & NETAGENT_FLAG_CUSTOM_IP_NEXUS) || |
2412 | (flags & NETAGENT_FLAG_INTERPOSE_NEXUS)); |
2413 | if (is_nexus_agent) { |
2414 | if (!allow_nexus) { |
2415 | // Hide nexus providers unless allowed |
2416 | // Direct interfaces and direct policies are allowed to use a nexus |
2417 | // Delegate interfaces or re-scoped interfaces are not allowed |
2418 | return applies; |
2419 | } |
2420 | |
2421 | if ((parameters->flags & NECP_CLIENT_PARAMETER_FLAG_CUSTOM_ETHER) && |
2422 | !(flags & NETAGENT_FLAG_CUSTOM_ETHER_NEXUS)) { |
2423 | // Client requested a custom ether nexus, but this nexus isn't one |
2424 | return applies; |
2425 | } |
2426 | |
2427 | if ((parameters->flags & NECP_CLIENT_PARAMETER_FLAG_CUSTOM_IP) && |
2428 | !(flags & NETAGENT_FLAG_CUSTOM_IP_NEXUS)) { |
2429 | // Client requested a custom IP nexus, but this nexus isn't one |
2430 | return applies; |
2431 | } |
2432 | |
2433 | if ((parameters->flags & NECP_CLIENT_PARAMETER_FLAG_INTERPOSE) && |
2434 | !(flags & NETAGENT_FLAG_INTERPOSE_NEXUS)) { |
2435 | // Client requested an interpose nexus, but this nexus isn't one |
2436 | return applies; |
2437 | } |
2438 | |
2439 | if (!(parameters->flags & NECP_CLIENT_PARAMETER_FLAG_CUSTOM_ETHER) && |
2440 | !(parameters->flags & NECP_CLIENT_PARAMETER_FLAG_CUSTOM_IP) && |
2441 | !(parameters->flags & NECP_CLIENT_PARAMETER_FLAG_INTERPOSE) && |
2442 | !(flags & NETAGENT_FLAG_NEXUS_PROVIDER)) { |
2443 | // Client requested default parameters, but this nexus isn't generic |
2444 | return applies; |
2445 | } |
2446 | } |
2447 | |
2448 | if (uuid_compare(uu1: client->failed_trigger_agent.netagent_uuid, uu2: *netagent_uuid) == 0) { |
2449 | if (client->failed_trigger_agent.generation == netagent_get_generation(uuid: *netagent_uuid)) { |
2450 | // If this agent was triggered, and failed, and hasn't changed, keep hiding it |
2451 | return applies; |
2452 | } else { |
2453 | // Mismatch generation, clear out old trigger |
2454 | uuid_clear(uu: client->failed_trigger_agent.netagent_uuid); |
2455 | client->failed_trigger_agent.generation = 0; |
2456 | } |
2457 | } |
2458 | |
2459 | if (flags & NETAGENT_FLAG_SPECIFIC_USE_ONLY) { |
2460 | // Specific use agents only apply when requested |
2461 | applies = necp_netagent_is_requested(parameters, netagent_uuid); |
2462 | } else { |
2463 | applies = TRUE; |
2464 | } |
2465 | |
2466 | #if SKYWALK |
2467 | // Add nexus agent if it is a nexus, and either is not a listener, or the nexus supports listeners |
2468 | if (applies && is_nexus_agent && |
2469 | !(parameters->flags & NECP_CLIENT_PARAMETER_FLAG_BROWSE) && // Don't add for browse paths |
2470 | ((flags & NETAGENT_FLAG_NEXUS_LISTENER) || !(parameters->flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER))) { |
2471 | necp_client_add_interface_option_if_needed(client, interface_index, |
2472 | interface_generation, nexus_agent: netagent_uuid, |
2473 | network_provider: (flags & NETAGENT_FLAG_NETWORK_PROVIDER)); |
2474 | } |
2475 | #endif /* SKYWALK */ |
2476 | |
2477 | return applies; |
2478 | } |
2479 | |
2480 | static void |
2481 | necp_client_add_agent_interface_options(struct necp_client *client, |
2482 | const struct necp_client_parsed_parameters *parsed_parameters, |
2483 | ifnet_t ifp) |
2484 | { |
2485 | if (ifp != NULL && ifp->if_agentids != NULL) { |
2486 | for (u_int32_t i = 0; i < ifp->if_agentcount; i++) { |
2487 | if (uuid_is_null(uu: ifp->if_agentids[i])) { |
2488 | continue; |
2489 | } |
2490 | // Relies on the side effect that nexus agents that apply will create flows |
2491 | (void)necp_netagent_applies_to_client(client, parameters: parsed_parameters, netagent_uuid: &ifp->if_agentids[i], TRUE, |
2492 | interface_index: ifp->if_index, interface_generation: ifnet_get_generation(ifp)); |
2493 | } |
2494 | } |
2495 | } |
2496 | |
2497 | static void |
2498 | necp_client_add_browse_interface_options(struct necp_client *client, |
2499 | const struct necp_client_parsed_parameters *parsed_parameters, |
2500 | ifnet_t ifp) |
2501 | { |
2502 | if (ifp != NULL && ifp->if_agentids != NULL) { |
2503 | for (u_int32_t i = 0; i < ifp->if_agentcount; i++) { |
2504 | if (uuid_is_null(uu: ifp->if_agentids[i])) { |
2505 | continue; |
2506 | } |
2507 | |
2508 | u_int32_t flags = netagent_get_flags(uuid: ifp->if_agentids[i]); |
2509 | if ((flags & NETAGENT_FLAG_REGISTERED) && |
2510 | (flags & NETAGENT_FLAG_ACTIVE) && |
2511 | (flags & NETAGENT_FLAG_SUPPORTS_BROWSE) && |
2512 | (!(flags & NETAGENT_FLAG_SPECIFIC_USE_ONLY) || |
2513 | necp_netagent_is_requested(parameters: parsed_parameters, netagent_uuid: &ifp->if_agentids[i]))) { |
2514 | necp_client_add_interface_option_if_needed(client, interface_index: ifp->if_index, interface_generation: ifnet_get_generation(ifp), nexus_agent: &ifp->if_agentids[i], network_provider: (flags & NETAGENT_FLAG_NETWORK_PROVIDER)); |
2515 | |
2516 | // Finding one is enough |
2517 | break; |
2518 | } |
2519 | } |
2520 | } |
2521 | } |
2522 | |
2523 | static inline bool |
2524 | _necp_client_address_is_valid(struct sockaddr *address) |
2525 | { |
2526 | if (address->sa_family == AF_INET) { |
2527 | return address->sa_len == sizeof(struct sockaddr_in); |
2528 | } else if (address->sa_family == AF_INET6) { |
2529 | return address->sa_len == sizeof(struct sockaddr_in6); |
2530 | } else { |
2531 | return FALSE; |
2532 | } |
2533 | } |
2534 | |
2535 | #define necp_client_address_is_valid(S) _necp_client_address_is_valid(SA(S)) |
2536 | |
2537 | static inline bool |
2538 | necp_client_endpoint_is_unspecified(struct necp_client_endpoint *endpoint) |
2539 | { |
2540 | if (necp_client_address_is_valid(&endpoint->u.sa)) { |
2541 | if (endpoint->u.sa.sa_family == AF_INET) { |
2542 | return endpoint->u.sin.sin_addr.s_addr == INADDR_ANY; |
2543 | } else if (endpoint->u.sa.sa_family == AF_INET6) { |
2544 | return IN6_IS_ADDR_UNSPECIFIED(&endpoint->u.sin6.sin6_addr); |
2545 | } else { |
2546 | return TRUE; |
2547 | } |
2548 | } else { |
2549 | return TRUE; |
2550 | } |
2551 | } |
2552 | |
2553 | #if SKYWALK |
2554 | static void |
2555 | necp_client_update_local_port_parameters(u_int8_t *parameters, |
2556 | u_int32_t parameters_size, |
2557 | uint16_t local_port) |
2558 | { |
2559 | size_t offset = 0; |
2560 | while ((offset + sizeof(struct necp_tlv_header)) <= parameters_size) { |
2561 | u_int8_t type = necp_buffer_get_tlv_type(buffer: parameters, tlv_offset: offset); |
2562 | u_int32_t length = necp_buffer_get_tlv_length(buffer: parameters, tlv_offset: offset); |
2563 | |
2564 | if (length > (parameters_size - (offset + sizeof(struct necp_tlv_header)))) { |
2565 | // If the length is larger than what can fit in the remaining parameters size, bail |
2566 | NECPLOG(LOG_ERR, "Invalid TLV length (%u)" , length); |
2567 | break; |
2568 | } |
2569 | |
2570 | if (length > 0) { |
2571 | u_int8_t *value = necp_buffer_get_tlv_value(buffer: parameters, tlv_offset: offset, NULL); |
2572 | if (value != NULL) { |
2573 | switch (type) { |
2574 | case NECP_CLIENT_PARAMETER_LOCAL_ADDRESS: { |
2575 | if (length >= sizeof(struct necp_policy_condition_addr)) { |
2576 | struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value; |
2577 | if (necp_client_address_is_valid(&address_struct->address.sa)) { |
2578 | if (address_struct->address.sa.sa_family == AF_INET) { |
2579 | address_struct->address.sin.sin_port = local_port; |
2580 | } else if (address_struct->address.sa.sa_family == AF_INET6) { |
2581 | address_struct->address.sin6.sin6_port = local_port; |
2582 | } |
2583 | } |
2584 | } |
2585 | break; |
2586 | } |
2587 | case NECP_CLIENT_PARAMETER_LOCAL_ENDPOINT: { |
2588 | if (length >= sizeof(struct necp_client_endpoint)) { |
2589 | struct necp_client_endpoint *endpoint = (struct necp_client_endpoint *)(void *)value; |
2590 | if (necp_client_address_is_valid(&endpoint->u.sa)) { |
2591 | if (endpoint->u.sa.sa_family == AF_INET) { |
2592 | endpoint->u.sin.sin_port = local_port; |
2593 | } else if (endpoint->u.sa.sa_family == AF_INET6) { |
2594 | endpoint->u.sin6.sin6_port = local_port; |
2595 | } |
2596 | } |
2597 | } |
2598 | break; |
2599 | } |
2600 | default: { |
2601 | break; |
2602 | } |
2603 | } |
2604 | } |
2605 | } |
2606 | |
2607 | offset += sizeof(struct necp_tlv_header) + length; |
2608 | } |
2609 | } |
2610 | #endif /* !SKYWALK */ |
2611 | |
2612 | #define NECP_MAX_SOCKET_ATTRIBUTE_STRING_LENGTH 253 |
2613 | |
2614 | static void |
2615 | necp_client_trace_parameter_parsing(struct necp_client *client, u_int8_t type, u_int8_t *value, u_int32_t length) |
2616 | { |
2617 | uint64_t num = 0; |
2618 | uint16_t shortBuf; |
2619 | uint32_t intBuf; |
2620 | char buffer[NECP_MAX_SOCKET_ATTRIBUTE_STRING_LENGTH + 1]; |
2621 | |
2622 | if (value != NULL && length > 0) { |
2623 | switch (length) { |
2624 | case 1: |
2625 | num = *value; |
2626 | break; |
2627 | case 2: |
2628 | memcpy(dst: &shortBuf, src: value, n: sizeof(shortBuf)); |
2629 | num = shortBuf; |
2630 | break; |
2631 | case 4: |
2632 | memcpy(dst: &intBuf, src: value, n: sizeof(intBuf)); |
2633 | num = intBuf; |
2634 | break; |
2635 | case 8: |
2636 | memcpy(dst: &num, src: value, n: sizeof(num)); |
2637 | break; |
2638 | default: |
2639 | num = 0; |
2640 | break; |
2641 | } |
2642 | int len = NECP_MAX_SOCKET_ATTRIBUTE_STRING_LENGTH < length ? NECP_MAX_SOCKET_ATTRIBUTE_STRING_LENGTH : length; |
2643 | memcpy(dst: buffer, src: value, n: len); |
2644 | buffer[len] = 0; |
2645 | NECP_CLIENT_PARAMS_LOG(client, "Parsing param - type %d length %d value <%llu (%llX)> %s" , type, length, num, num, buffer); |
2646 | } else { |
2647 | NECP_CLIENT_PARAMS_LOG(client, "Parsing param - type %d length %d" , type, length); |
2648 | } |
2649 | } |
2650 | |
2651 | static void |
2652 | necp_client_trace_parsed_parameters(struct necp_client *client, struct necp_client_parsed_parameters *parsed_parameters) |
2653 | { |
2654 | int i; |
2655 | char local_buffer[64] = { }; |
2656 | char remote_buffer[64] = { }; |
2657 | uuid_string_t uuid_str = { }; |
2658 | uuid_unparse_lower(uu: parsed_parameters->effective_uuid, out: uuid_str); |
2659 | |
2660 | switch (parsed_parameters->local_addr.sa.sa_family) { |
2661 | case AF_INET: |
2662 | if (parsed_parameters->local_addr.sa.sa_len == sizeof(struct sockaddr_in)) { |
2663 | struct sockaddr_in *addr = &parsed_parameters->local_addr.sin; |
2664 | inet_ntop(AF_INET, &(addr->sin_addr), local_buffer, sizeof(local_buffer)); |
2665 | } |
2666 | break; |
2667 | case AF_INET6: |
2668 | if (parsed_parameters->local_addr.sa.sa_len == sizeof(struct sockaddr_in6)) { |
2669 | struct sockaddr_in6 *addr6 = &parsed_parameters->local_addr.sin6; |
2670 | inet_ntop(AF_INET6, &(addr6->sin6_addr), local_buffer, sizeof(local_buffer)); |
2671 | } |
2672 | break; |
2673 | default: |
2674 | break; |
2675 | } |
2676 | |
2677 | switch (parsed_parameters->remote_addr.sa.sa_family) { |
2678 | case AF_INET: |
2679 | if (parsed_parameters->remote_addr.sa.sa_len == sizeof(struct sockaddr_in)) { |
2680 | struct sockaddr_in *addr = &parsed_parameters->remote_addr.sin; |
2681 | inet_ntop(AF_INET, &(addr->sin_addr), remote_buffer, sizeof(remote_buffer)); |
2682 | } |
2683 | break; |
2684 | case AF_INET6: |
2685 | if (parsed_parameters->remote_addr.sa.sa_len == sizeof(struct sockaddr_in6)) { |
2686 | struct sockaddr_in6 *addr6 = &parsed_parameters->remote_addr.sin6; |
2687 | inet_ntop(AF_INET6, &(addr6->sin6_addr), remote_buffer, sizeof(remote_buffer)); |
2688 | } |
2689 | break; |
2690 | default: |
2691 | break; |
2692 | } |
2693 | |
2694 | NECP_CLIENT_PARAMS_LOG(client, "Parsed params - valid_fields %X flags %X delegated_upid %llu local_addr %s remote_addr %s " |
2695 | "required_interface_index %u required_interface_type %d local_address_preference %d " |
2696 | "ip_protocol %d transport_protocol %d ethertype %d effective_pid %d effective_uuid %s uid %d persona_id %d traffic_class %d" , |
2697 | parsed_parameters->valid_fields, |
2698 | parsed_parameters->flags, |
2699 | parsed_parameters->delegated_upid, |
2700 | local_buffer, remote_buffer, |
2701 | parsed_parameters->required_interface_index, |
2702 | parsed_parameters->required_interface_type, |
2703 | parsed_parameters->local_address_preference, |
2704 | parsed_parameters->ip_protocol, |
2705 | parsed_parameters->transport_protocol, |
2706 | parsed_parameters->ethertype, |
2707 | parsed_parameters->effective_pid, |
2708 | uuid_str, |
2709 | parsed_parameters->uid, |
2710 | parsed_parameters->persona_id, |
2711 | parsed_parameters->traffic_class); |
2712 | |
2713 | NECP_CLIENT_PARAMS_LOG(client, "Parsed params - tracker flags <known-tracker %X> <non-app-initiated %X> <silent %X> <app-approved %X>" , |
2714 | parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_KNOWN_TRACKER, |
2715 | parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_NON_APP_INITIATED, |
2716 | parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_SILENT, |
2717 | parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_APPROVED_APP_DOMAIN); |
2718 | |
2719 | for (i = 0; i < NECP_MAX_INTERFACE_PARAMETERS && parsed_parameters->prohibited_interfaces[i][0]; i++) { |
2720 | NECP_CLIENT_PARAMS_LOG(client, "Parsed prohibited_interfaces[%d] <%s>" , i, parsed_parameters->prohibited_interfaces[i]); |
2721 | } |
2722 | |
2723 | for (i = 0; i < NECP_MAX_AGENT_PARAMETERS && parsed_parameters->required_netagent_types[i].netagent_domain[0]; i++) { |
2724 | NECP_CLIENT_PARAMS_LOG(client, "Parsed required_netagent_types[%d] <%s> <%s>" , i, |
2725 | parsed_parameters->required_netagent_types[i].netagent_domain, |
2726 | parsed_parameters->required_netagent_types[i].netagent_type); |
2727 | } |
2728 | for (i = 0; i < NECP_MAX_AGENT_PARAMETERS && parsed_parameters->prohibited_netagent_types[i].netagent_domain[0]; i++) { |
2729 | NECP_CLIENT_PARAMS_LOG(client, "Parsed prohibited_netagent_types[%d] <%s> <%s>" , i, |
2730 | parsed_parameters->prohibited_netagent_types[i].netagent_domain, |
2731 | parsed_parameters->prohibited_netagent_types[i].netagent_type); |
2732 | } |
2733 | for (i = 0; i < NECP_MAX_AGENT_PARAMETERS && parsed_parameters->preferred_netagent_types[i].netagent_domain[0]; i++) { |
2734 | NECP_CLIENT_PARAMS_LOG(client, "Parsed preferred_netagent_types[%d] <%s> <%s>" , i, |
2735 | parsed_parameters->preferred_netagent_types[i].netagent_domain, |
2736 | parsed_parameters->preferred_netagent_types[i].netagent_type); |
2737 | } |
2738 | for (i = 0; i < NECP_MAX_AGENT_PARAMETERS && parsed_parameters->avoided_netagent_types[i].netagent_domain[0]; i++) { |
2739 | NECP_CLIENT_PARAMS_LOG(client, "Parsed avoided_netagent_types[%d] <%s> <%s>" , i, |
2740 | parsed_parameters->avoided_netagent_types[i].netagent_domain, |
2741 | parsed_parameters->avoided_netagent_types[i].netagent_type); |
2742 | } |
2743 | |
2744 | for (i = 0; i < NECP_MAX_AGENT_PARAMETERS && !uuid_is_null(uu: parsed_parameters->required_netagents[i]); i++) { |
2745 | uuid_unparse_lower(uu: parsed_parameters->required_netagents[i], out: uuid_str); |
2746 | NECP_CLIENT_PARAMS_LOG(client, "Parsed required_netagents[%d] <%s>" , i, uuid_str); |
2747 | } |
2748 | for (i = 0; i < NECP_MAX_AGENT_PARAMETERS && !uuid_is_null(uu: parsed_parameters->prohibited_netagents[i]); i++) { |
2749 | uuid_unparse_lower(uu: parsed_parameters->prohibited_netagents[i], out: uuid_str); |
2750 | NECP_CLIENT_PARAMS_LOG(client, "Parsed prohibited_netagents[%d] <%s>" , i, uuid_str); |
2751 | } |
2752 | for (i = 0; i < NECP_MAX_AGENT_PARAMETERS && !uuid_is_null(uu: parsed_parameters->preferred_netagents[i]); i++) { |
2753 | uuid_unparse_lower(uu: parsed_parameters->preferred_netagents[i], out: uuid_str); |
2754 | NECP_CLIENT_PARAMS_LOG(client, "Parsed preferred_netagents[%d] <%s>" , i, uuid_str); |
2755 | } |
2756 | for (i = 0; i < NECP_MAX_AGENT_PARAMETERS && !uuid_is_null(uu: parsed_parameters->avoided_netagents[i]); i++) { |
2757 | uuid_unparse_lower(uu: parsed_parameters->avoided_netagents[i], out: uuid_str); |
2758 | NECP_CLIENT_PARAMS_LOG(client, "Parsed avoided_netagents[%d] <%s>" , i, uuid_str); |
2759 | } |
2760 | } |
2761 | |
2762 | static bool |
2763 | necp_client_strings_are_equal(const char *string1, size_t string1_length, |
2764 | const char *string2, size_t string2_length) |
2765 | { |
2766 | if (string1 == NULL || string2 == NULL) { |
2767 | return false; |
2768 | } |
2769 | const size_t string1_actual_length = strnlen(s: string1, n: string1_length); |
2770 | const size_t string2_actual_length = strnlen(s: string2, n: string2_length); |
2771 | if (string1_actual_length != string2_actual_length) { |
2772 | return false; |
2773 | } |
2774 | return strncmp(s1: string1, s2: string2, n: string1_actual_length) == 0; |
2775 | } |
2776 | |
2777 | static int |
2778 | necp_client_parse_parameters(struct necp_client *client, u_int8_t *parameters, |
2779 | u_int32_t parameters_size, |
2780 | struct necp_client_parsed_parameters *parsed_parameters) |
2781 | { |
2782 | int error = 0; |
2783 | size_t offset = 0; |
2784 | |
2785 | u_int32_t num_prohibited_interfaces = 0; |
2786 | u_int32_t num_prohibited_interface_types = 0; |
2787 | u_int32_t num_required_agents = 0; |
2788 | u_int32_t num_prohibited_agents = 0; |
2789 | u_int32_t num_preferred_agents = 0; |
2790 | u_int32_t num_avoided_agents = 0; |
2791 | u_int32_t num_required_agent_types = 0; |
2792 | u_int32_t num_prohibited_agent_types = 0; |
2793 | u_int32_t num_preferred_agent_types = 0; |
2794 | u_int32_t num_avoided_agent_types = 0; |
2795 | u_int8_t *resolver_tag = NULL; |
2796 | u_int32_t resolver_tag_length = 0; |
2797 | u_int8_t *client_hostname = NULL; |
2798 | u_int32_t hostname_length = 0; |
2799 | uuid_t parent_id = {}; |
2800 | |
2801 | if (parsed_parameters == NULL) { |
2802 | return EINVAL; |
2803 | } |
2804 | |
2805 | memset(s: parsed_parameters, c: 0, n: sizeof(struct necp_client_parsed_parameters)); |
2806 | |
2807 | while ((offset + sizeof(struct necp_tlv_header)) <= parameters_size) { |
2808 | u_int8_t type = necp_buffer_get_tlv_type(buffer: parameters, tlv_offset: offset); |
2809 | u_int32_t length = necp_buffer_get_tlv_length(buffer: parameters, tlv_offset: offset); |
2810 | |
2811 | if (length > (parameters_size - (offset + sizeof(struct necp_tlv_header)))) { |
2812 | // If the length is larger than what can fit in the remaining parameters size, bail |
2813 | NECPLOG(LOG_ERR, "Invalid TLV length (%u)" , length); |
2814 | break; |
2815 | } |
2816 | |
2817 | if (length > 0) { |
2818 | u_int8_t *value = necp_buffer_get_tlv_value(buffer: parameters, tlv_offset: offset, NULL); |
2819 | if (value != NULL) { |
2820 | switch (type) { |
2821 | case NECP_CLIENT_PARAMETER_BOUND_INTERFACE: { |
2822 | if (length <= IFXNAMSIZ && length > 0) { |
2823 | ifnet_t bound_interface = NULL; |
2824 | char interface_name[IFXNAMSIZ]; |
2825 | memcpy(dst: interface_name, src: value, n: length); |
2826 | interface_name[length - 1] = 0; // Make sure the string is NULL terminated |
2827 | if (ifnet_find_by_name(ifname: interface_name, interface: &bound_interface) == 0) { |
2828 | parsed_parameters->required_interface_index = bound_interface->if_index; |
2829 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IF; |
2830 | ifnet_release(interface: bound_interface); |
2831 | } |
2832 | } |
2833 | break; |
2834 | } |
2835 | case NECP_CLIENT_PARAMETER_LOCAL_ADDRESS: { |
2836 | if (length >= sizeof(struct necp_policy_condition_addr)) { |
2837 | struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value; |
2838 | if (necp_client_address_is_valid(&address_struct->address.sa)) { |
2839 | memcpy(dst: &parsed_parameters->local_addr, src: &address_struct->address, n: sizeof(address_struct->address)); |
2840 | if (!necp_address_is_wildcard(addr: &parsed_parameters->local_addr)) { |
2841 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_LOCAL_ADDR; |
2842 | } |
2843 | if ((parsed_parameters->local_addr.sa.sa_family == AF_INET && parsed_parameters->local_addr.sin.sin_port) || |
2844 | (parsed_parameters->local_addr.sa.sa_family == AF_INET6 && parsed_parameters->local_addr.sin6.sin6_port)) { |
2845 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_LOCAL_PORT; |
2846 | } |
2847 | } |
2848 | } |
2849 | break; |
2850 | } |
2851 | case NECP_CLIENT_PARAMETER_LOCAL_ENDPOINT: { |
2852 | if (length >= sizeof(struct necp_client_endpoint)) { |
2853 | struct necp_client_endpoint *endpoint = (struct necp_client_endpoint *)(void *)value; |
2854 | if (necp_client_address_is_valid(&endpoint->u.sa)) { |
2855 | memcpy(dst: &parsed_parameters->local_addr, src: &endpoint->u.sa, n: sizeof(union necp_sockaddr_union)); |
2856 | if (!necp_address_is_wildcard(addr: &parsed_parameters->local_addr)) { |
2857 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_LOCAL_ADDR; |
2858 | } |
2859 | if ((parsed_parameters->local_addr.sa.sa_family == AF_INET && parsed_parameters->local_addr.sin.sin_port) || |
2860 | (parsed_parameters->local_addr.sa.sa_family == AF_INET6 && parsed_parameters->local_addr.sin6.sin6_port)) { |
2861 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_LOCAL_PORT; |
2862 | } |
2863 | } |
2864 | } |
2865 | break; |
2866 | } |
2867 | case NECP_CLIENT_PARAMETER_REMOTE_ADDRESS: { |
2868 | if (length >= sizeof(struct necp_policy_condition_addr)) { |
2869 | struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value; |
2870 | if (necp_client_address_is_valid(&address_struct->address.sa)) { |
2871 | memcpy(dst: &parsed_parameters->remote_addr, src: &address_struct->address, n: sizeof(address_struct->address)); |
2872 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_REMOTE_ADDR; |
2873 | } |
2874 | } |
2875 | break; |
2876 | } |
2877 | case NECP_CLIENT_PARAMETER_REMOTE_ENDPOINT: { |
2878 | if (length >= sizeof(struct necp_client_endpoint)) { |
2879 | struct necp_client_endpoint *endpoint = (struct necp_client_endpoint *)(void *)value; |
2880 | if (necp_client_address_is_valid(&endpoint->u.sa)) { |
2881 | memcpy(dst: &parsed_parameters->remote_addr, src: &endpoint->u.sa, n: sizeof(union necp_sockaddr_union)); |
2882 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_REMOTE_ADDR; |
2883 | } |
2884 | } |
2885 | break; |
2886 | } |
2887 | case NECP_CLIENT_PARAMETER_PROHIBIT_INTERFACE: { |
2888 | if (num_prohibited_interfaces >= NECP_MAX_INTERFACE_PARAMETERS) { |
2889 | break; |
2890 | } |
2891 | if (length <= IFXNAMSIZ && length > 0) { |
2892 | memcpy(dst: parsed_parameters->prohibited_interfaces[num_prohibited_interfaces], src: value, n: length); |
2893 | parsed_parameters->prohibited_interfaces[num_prohibited_interfaces][length - 1] = 0; // Make sure the string is NULL terminated |
2894 | num_prohibited_interfaces++; |
2895 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_IF; |
2896 | } |
2897 | break; |
2898 | } |
2899 | case NECP_CLIENT_PARAMETER_REQUIRE_IF_TYPE: { |
2900 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IFTYPE) { |
2901 | break; |
2902 | } |
2903 | if (length >= sizeof(u_int8_t)) { |
2904 | memcpy(dst: &parsed_parameters->required_interface_type, src: value, n: sizeof(u_int8_t)); |
2905 | if (parsed_parameters->required_interface_type) { |
2906 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IFTYPE; |
2907 | } |
2908 | } |
2909 | break; |
2910 | } |
2911 | case NECP_CLIENT_PARAMETER_PROHIBIT_IF_TYPE: { |
2912 | if (num_prohibited_interface_types >= NECP_MAX_INTERFACE_PARAMETERS) { |
2913 | break; |
2914 | } |
2915 | if (length >= sizeof(u_int8_t)) { |
2916 | memcpy(dst: &parsed_parameters->prohibited_interface_types[num_prohibited_interface_types], src: value, n: sizeof(u_int8_t)); |
2917 | num_prohibited_interface_types++; |
2918 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_IFTYPE; |
2919 | } |
2920 | break; |
2921 | } |
2922 | case NECP_CLIENT_PARAMETER_REQUIRE_AGENT: { |
2923 | if (num_required_agents >= NECP_MAX_AGENT_PARAMETERS) { |
2924 | break; |
2925 | } |
2926 | if (length >= sizeof(uuid_t)) { |
2927 | memcpy(dst: &parsed_parameters->required_netagents[num_required_agents], src: value, n: sizeof(uuid_t)); |
2928 | num_required_agents++; |
2929 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT; |
2930 | } |
2931 | break; |
2932 | } |
2933 | case NECP_CLIENT_PARAMETER_PROHIBIT_AGENT: { |
2934 | if (num_prohibited_agents >= NECP_MAX_AGENT_PARAMETERS) { |
2935 | break; |
2936 | } |
2937 | if (length >= sizeof(uuid_t)) { |
2938 | memcpy(dst: &parsed_parameters->prohibited_netagents[num_prohibited_agents], src: value, n: sizeof(uuid_t)); |
2939 | num_prohibited_agents++; |
2940 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_AGENT; |
2941 | } |
2942 | break; |
2943 | } |
2944 | case NECP_CLIENT_PARAMETER_PREFER_AGENT: { |
2945 | if (num_preferred_agents >= NECP_MAX_AGENT_PARAMETERS) { |
2946 | break; |
2947 | } |
2948 | if (length >= sizeof(uuid_t)) { |
2949 | memcpy(dst: &parsed_parameters->preferred_netagents[num_preferred_agents], src: value, n: sizeof(uuid_t)); |
2950 | num_preferred_agents++; |
2951 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_PREFERRED_AGENT; |
2952 | } |
2953 | break; |
2954 | } |
2955 | case NECP_CLIENT_PARAMETER_AVOID_AGENT: { |
2956 | if (num_avoided_agents >= NECP_MAX_AGENT_PARAMETERS) { |
2957 | break; |
2958 | } |
2959 | if (length >= sizeof(uuid_t)) { |
2960 | memcpy(dst: &parsed_parameters->avoided_netagents[num_avoided_agents], src: value, n: sizeof(uuid_t)); |
2961 | num_avoided_agents++; |
2962 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_AVOIDED_AGENT; |
2963 | } |
2964 | break; |
2965 | } |
2966 | case NECP_CLIENT_PARAMETER_REQUIRE_AGENT_TYPE: { |
2967 | if (num_required_agent_types >= NECP_MAX_AGENT_PARAMETERS) { |
2968 | break; |
2969 | } |
2970 | if (length >= sizeof(struct necp_client_parameter_netagent_type)) { |
2971 | memcpy(dst: &parsed_parameters->required_netagent_types[num_required_agent_types], src: value, n: sizeof(struct necp_client_parameter_netagent_type)); |
2972 | num_required_agent_types++; |
2973 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT_TYPE; |
2974 | } |
2975 | break; |
2976 | } |
2977 | case NECP_CLIENT_PARAMETER_PROHIBIT_AGENT_TYPE: { |
2978 | if (num_prohibited_agent_types >= NECP_MAX_AGENT_PARAMETERS) { |
2979 | break; |
2980 | } |
2981 | if (length >= sizeof(struct necp_client_parameter_netagent_type)) { |
2982 | memcpy(dst: &parsed_parameters->prohibited_netagent_types[num_prohibited_agent_types], src: value, n: sizeof(struct necp_client_parameter_netagent_type)); |
2983 | num_prohibited_agent_types++; |
2984 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_AGENT_TYPE; |
2985 | } |
2986 | break; |
2987 | } |
2988 | case NECP_CLIENT_PARAMETER_PREFER_AGENT_TYPE: { |
2989 | if (num_preferred_agent_types >= NECP_MAX_AGENT_PARAMETERS) { |
2990 | break; |
2991 | } |
2992 | if (length >= sizeof(struct necp_client_parameter_netagent_type)) { |
2993 | memcpy(dst: &parsed_parameters->preferred_netagent_types[num_preferred_agent_types], src: value, n: sizeof(struct necp_client_parameter_netagent_type)); |
2994 | num_preferred_agent_types++; |
2995 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_PREFERRED_AGENT_TYPE; |
2996 | } |
2997 | break; |
2998 | } |
2999 | case NECP_CLIENT_PARAMETER_AVOID_AGENT_TYPE: { |
3000 | if (num_avoided_agent_types >= NECP_MAX_AGENT_PARAMETERS) { |
3001 | break; |
3002 | } |
3003 | if (length >= sizeof(struct necp_client_parameter_netagent_type)) { |
3004 | memcpy(dst: &parsed_parameters->avoided_netagent_types[num_avoided_agent_types], src: value, n: sizeof(struct necp_client_parameter_netagent_type)); |
3005 | num_avoided_agent_types++; |
3006 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_AVOIDED_AGENT_TYPE; |
3007 | } |
3008 | break; |
3009 | } |
3010 | case NECP_CLIENT_PARAMETER_FLAGS: { |
3011 | if (length >= sizeof(u_int32_t)) { |
3012 | memcpy(dst: &parsed_parameters->flags, src: value, n: sizeof(parsed_parameters->flags)); |
3013 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_FLAGS; |
3014 | } |
3015 | break; |
3016 | } |
3017 | case NECP_CLIENT_PARAMETER_IP_PROTOCOL: { |
3018 | if (length == sizeof(u_int16_t)) { |
3019 | u_int16_t large_ip_protocol = 0; |
3020 | memcpy(dst: &large_ip_protocol, src: value, n: sizeof(large_ip_protocol)); |
3021 | parsed_parameters->ip_protocol = (u_int8_t)large_ip_protocol; |
3022 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_IP_PROTOCOL; |
3023 | } else if (length >= sizeof(parsed_parameters->ip_protocol)) { |
3024 | memcpy(dst: &parsed_parameters->ip_protocol, src: value, n: sizeof(parsed_parameters->ip_protocol)); |
3025 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_IP_PROTOCOL; |
3026 | } |
3027 | break; |
3028 | } |
3029 | case NECP_CLIENT_PARAMETER_TRANSPORT_PROTOCOL: { |
3030 | if (length >= sizeof(parsed_parameters->transport_protocol)) { |
3031 | memcpy(dst: &parsed_parameters->transport_protocol, src: value, n: sizeof(parsed_parameters->transport_protocol)); |
3032 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_TRANSPORT_PROTOCOL; |
3033 | } |
3034 | break; |
3035 | } |
3036 | case NECP_CLIENT_PARAMETER_PID: { |
3037 | if (length >= sizeof(parsed_parameters->effective_pid)) { |
3038 | memcpy(dst: &parsed_parameters->effective_pid, src: value, n: sizeof(parsed_parameters->effective_pid)); |
3039 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_EFFECTIVE_PID; |
3040 | } |
3041 | break; |
3042 | } |
3043 | case NECP_CLIENT_PARAMETER_DELEGATED_UPID: { |
3044 | if (length >= sizeof(parsed_parameters->delegated_upid)) { |
3045 | memcpy(dst: &parsed_parameters->delegated_upid, src: value, n: sizeof(parsed_parameters->delegated_upid)); |
3046 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_DELEGATED_UPID; |
3047 | } |
3048 | break; |
3049 | } |
3050 | case NECP_CLIENT_PARAMETER_ETHERTYPE: { |
3051 | if (length >= sizeof(parsed_parameters->ethertype)) { |
3052 | memcpy(dst: &parsed_parameters->ethertype, src: value, n: sizeof(parsed_parameters->ethertype)); |
3053 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_ETHERTYPE; |
3054 | } |
3055 | break; |
3056 | } |
3057 | case NECP_CLIENT_PARAMETER_APPLICATION: { |
3058 | if (length >= sizeof(parsed_parameters->effective_uuid)) { |
3059 | memcpy(dst: &parsed_parameters->effective_uuid, src: value, n: sizeof(parsed_parameters->effective_uuid)); |
3060 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_EFFECTIVE_UUID; |
3061 | } |
3062 | break; |
3063 | } |
3064 | case NECP_CLIENT_PARAMETER_TRAFFIC_CLASS: { |
3065 | if (length >= sizeof(parsed_parameters->traffic_class)) { |
3066 | memcpy(dst: &parsed_parameters->traffic_class, src: value, n: sizeof(parsed_parameters->traffic_class)); |
3067 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_TRAFFIC_CLASS; |
3068 | } |
3069 | break; |
3070 | } |
3071 | case NECP_CLIENT_PARAMETER_RESOLVER_TAG: { |
3072 | if (length > 0) { |
3073 | if (resolver_tag != NULL) { |
3074 | // Multiple resolver tags is invalid |
3075 | NECPLOG0(LOG_ERR, "Multiple resolver tags are not supported" ); |
3076 | error = EINVAL; |
3077 | } else { |
3078 | resolver_tag = (u_int8_t *)value; |
3079 | resolver_tag_length = length; |
3080 | } |
3081 | } |
3082 | break; |
3083 | } |
3084 | case NECP_CLIENT_PARAMETER_DOMAIN: { |
3085 | if (length > 0) { |
3086 | client_hostname = (u_int8_t *)value; |
3087 | hostname_length = length; |
3088 | } |
3089 | break; |
3090 | } |
3091 | case NECP_CLIENT_PARAMETER_PARENT_ID: { |
3092 | if (length == sizeof(parent_id)) { |
3093 | uuid_copy(dst: parent_id, src: value); |
3094 | memcpy(dst: &parsed_parameters->parent_uuid, src: value, n: sizeof(parsed_parameters->parent_uuid)); |
3095 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_PARENT_UUID; |
3096 | } |
3097 | break; |
3098 | } |
3099 | case NECP_CLIENT_PARAMETER_LOCAL_ADDRESS_PREFERENCE: { |
3100 | if (length >= sizeof(parsed_parameters->local_address_preference)) { |
3101 | memcpy(dst: &parsed_parameters->local_address_preference, src: value, n: sizeof(parsed_parameters->local_address_preference)); |
3102 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_LOCAL_ADDR_PREFERENCE; |
3103 | } |
3104 | break; |
3105 | } |
3106 | case NECP_CLIENT_PARAMETER_ATTRIBUTED_BUNDLE_IDENTIFIER: { |
3107 | if (length > 0) { |
3108 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_ATTRIBUTED_BUNDLE_IDENTIFIER; |
3109 | } |
3110 | break; |
3111 | } |
3112 | case NECP_CLIENT_PARAMETER_FLOW_DEMUX_PATTERN: { |
3113 | if (parsed_parameters->demux_pattern_count >= NECP_MAX_DEMUX_PATTERNS) { |
3114 | break; |
3115 | } |
3116 | if (length >= sizeof(struct necp_demux_pattern)) { |
3117 | memcpy(dst: &parsed_parameters->demux_patterns[parsed_parameters->demux_pattern_count], src: value, n: sizeof(struct necp_demux_pattern)); |
3118 | parsed_parameters->demux_pattern_count++; |
3119 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_FLOW_DEMUX_PATTERN; |
3120 | } |
3121 | break; |
3122 | } |
3123 | case NECP_CLIENT_PARAMETER_APPLICATION_ID: { |
3124 | if (length >= sizeof(necp_application_id_t)) { |
3125 | necp_application_id_t *application_id = (necp_application_id_t *)(void *)value; |
3126 | // UID |
3127 | parsed_parameters->uid = application_id->uid; |
3128 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_UID; |
3129 | // EUUID |
3130 | uuid_copy(dst: parsed_parameters->effective_uuid, src: application_id->effective_uuid); |
3131 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_EFFECTIVE_UUID; |
3132 | // PERSONA |
3133 | parsed_parameters->persona_id = application_id->persona_id; |
3134 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_PERSONA_ID; |
3135 | } |
3136 | break; |
3137 | } |
3138 | default: { |
3139 | break; |
3140 | } |
3141 | } |
3142 | } |
3143 | |
3144 | if (NECP_ENABLE_CLIENT_TRACE(NECP_CLIENT_TRACE_LEVEL_PARAMS)) { |
3145 | necp_client_trace_parameter_parsing(client, type, value, length); |
3146 | } |
3147 | } |
3148 | |
3149 | offset += sizeof(struct necp_tlv_header) + length; |
3150 | } |
3151 | |
3152 | if (resolver_tag != NULL) { |
3153 | struct necp_client_validatable *validatable = (struct necp_client_validatable *)resolver_tag; |
3154 | if (resolver_tag_length <= sizeof(struct necp_client_validatable)) { |
3155 | error = EINVAL; |
3156 | NECPLOG(LOG_ERR, "Resolver tag length too short: %u" , resolver_tag_length); |
3157 | } else { |
3158 | bool matches = true; |
3159 | |
3160 | // Check the client UUID for client-specific results |
3161 | if (validatable->signable.sign_type == NECP_CLIENT_SIGN_TYPE_RESOLVER_ANSWER || |
3162 | validatable->signable.sign_type == NECP_CLIENT_SIGN_TYPE_BROWSE_RESULT || |
3163 | validatable->signable.sign_type == NECP_CLIENT_SIGN_TYPE_SERVICE_RESOLVER_ANSWER) { |
3164 | if (uuid_compare(uu1: parent_id, uu2: validatable->signable.client_id) != 0 && |
3165 | uuid_compare(uu1: client->client_id, uu2: validatable->signable.client_id) != 0) { |
3166 | NECPLOG0(LOG_ERR, "Resolver tag invalid client ID" ); |
3167 | matches = false; |
3168 | } |
3169 | } |
3170 | |
3171 | size_t data_length = resolver_tag_length - sizeof(struct necp_client_validatable); |
3172 | switch (validatable->signable.sign_type) { |
3173 | case NECP_CLIENT_SIGN_TYPE_RESOLVER_ANSWER: |
3174 | case NECP_CLIENT_SIGN_TYPE_SYSTEM_RESOLVER_ANSWER: { |
3175 | if (data_length < (sizeof(struct necp_client_host_resolver_answer) - sizeof(struct necp_client_signable))) { |
3176 | NECPLOG0(LOG_ERR, "Resolver tag invalid length for resolver answer" ); |
3177 | matches = false; |
3178 | } else { |
3179 | struct necp_client_host_resolver_answer *answer_struct = (struct necp_client_host_resolver_answer *)&validatable->signable; |
3180 | if (data_length != (sizeof(struct necp_client_host_resolver_answer) + answer_struct->hostname_length - sizeof(struct necp_client_signable))) { |
3181 | NECPLOG0(LOG_ERR, "Resolver tag invalid length for resolver answer" ); |
3182 | matches = false; |
3183 | } else { |
3184 | if (answer_struct->hostname_length != 0 && // If the hostname on the signed answer is empty, ignore |
3185 | !necp_client_strings_are_equal(string1: (const char *)client_hostname, string1_length: hostname_length, |
3186 | string2: answer_struct->hostname, string2_length: answer_struct->hostname_length)) { |
3187 | NECPLOG0(LOG_ERR, "Resolver tag hostname does not match" ); |
3188 | matches = false; |
3189 | } else if (answer_struct->address_answer.sa.sa_family != parsed_parameters->remote_addr.sa.sa_family || |
3190 | answer_struct->address_answer.sa.sa_len != parsed_parameters->remote_addr.sa.sa_len) { |
3191 | NECPLOG0(LOG_ERR, "Resolver tag address type does not match" ); |
3192 | matches = false; |
3193 | } else if (answer_struct->address_answer.sin.sin_port != 0 && // If the port on the signed answer is empty, ignore |
3194 | answer_struct->address_answer.sin.sin_port != parsed_parameters->remote_addr.sin.sin_port) { |
3195 | NECPLOG0(LOG_ERR, "Resolver tag port does not match" ); |
3196 | matches = false; |
3197 | } else if ((answer_struct->address_answer.sa.sa_family == AF_INET && |
3198 | answer_struct->address_answer.sin.sin_addr.s_addr != parsed_parameters->remote_addr.sin.sin_addr.s_addr) || |
3199 | (answer_struct->address_answer.sa.sa_family == AF_INET6 && |
3200 | memcmp(s1: &answer_struct->address_answer.sin6.sin6_addr, s2: &parsed_parameters->remote_addr.sin6.sin6_addr, n: sizeof(struct in6_addr)) != 0)) { |
3201 | NECPLOG0(LOG_ERR, "Resolver tag address does not match" ); |
3202 | matches = false; |
3203 | } |
3204 | } |
3205 | } |
3206 | break; |
3207 | } |
3208 | case NECP_CLIENT_SIGN_TYPE_BROWSE_RESULT: |
3209 | case NECP_CLIENT_SIGN_TYPE_SYSTEM_BROWSE_RESULT: { |
3210 | if (data_length < (sizeof(struct necp_client_browse_result) - sizeof(struct necp_client_signable))) { |
3211 | NECPLOG0(LOG_ERR, "Resolver tag invalid length for browse result" ); |
3212 | matches = false; |
3213 | } else { |
3214 | struct necp_client_browse_result *answer_struct = (struct necp_client_browse_result *)&validatable->signable; |
3215 | if (data_length != (sizeof(struct necp_client_browse_result) + answer_struct->service_length - sizeof(struct necp_client_signable))) { |
3216 | NECPLOG0(LOG_ERR, "Resolver tag invalid length for browse result" ); |
3217 | matches = false; |
3218 | } |
3219 | } |
3220 | break; |
3221 | } |
3222 | case NECP_CLIENT_SIGN_TYPE_SERVICE_RESOLVER_ANSWER: |
3223 | case NECP_CLIENT_SIGN_TYPE_SYSTEM_SERVICE_RESOLVER_ANSWER: { |
3224 | if (data_length < (sizeof(struct necp_client_service_resolver_answer) - sizeof(struct necp_client_signable))) { |
3225 | NECPLOG0(LOG_ERR, "Resolver tag invalid length for service resolver answer" ); |
3226 | matches = false; |
3227 | } else { |
3228 | struct necp_client_service_resolver_answer *answer_struct = (struct necp_client_service_resolver_answer *)&validatable->signable; |
3229 | if (data_length != (sizeof(struct necp_client_service_resolver_answer) + answer_struct->service_length + answer_struct->hostname_length - sizeof(struct necp_client_signable))) { |
3230 | NECPLOG0(LOG_ERR, "Resolver tag invalid length for service resolver answer" ); |
3231 | matches = false; |
3232 | } |
3233 | } |
3234 | break; |
3235 | } |
3236 | default: { |
3237 | NECPLOG(LOG_ERR, "Resolver tag unknown sign type: %u" , validatable->signable.sign_type); |
3238 | matches = false; |
3239 | break; |
3240 | } |
3241 | } |
3242 | if (!matches) { |
3243 | error = EAUTH; |
3244 | } else { |
3245 | const bool validated = necp_validate_resolver_answer(client_id: validatable->signable.client_id, |
3246 | sign_type: validatable->signable.sign_type, |
3247 | data: validatable->signable.signable_data, data_length, |
3248 | tag: validatable->signature.signed_tag, tag_length: sizeof(validatable->signature.signed_tag)); |
3249 | if (!validated) { |
3250 | error = EAUTH; |
3251 | NECPLOG0(LOG_ERR, "Failed to validate resolve answer" ); |
3252 | } |
3253 | } |
3254 | } |
3255 | } |
3256 | |
3257 | if (NECP_ENABLE_CLIENT_TRACE(NECP_CLIENT_TRACE_LEVEL_PARAMS)) { |
3258 | necp_client_trace_parsed_parameters(client, parsed_parameters); |
3259 | } |
3260 | |
3261 | return error; |
3262 | } |
3263 | |
3264 | static int |
3265 | necp_client_parse_result(u_int8_t *result, |
3266 | u_int32_t result_size, |
3267 | union necp_sockaddr_union *local_address, |
3268 | union necp_sockaddr_union *remote_address, |
3269 | void **flow_stats) |
3270 | { |
3271 | #pragma unused(flow_stats) |
3272 | int error = 0; |
3273 | size_t offset = 0; |
3274 | |
3275 | while ((offset + sizeof(struct necp_tlv_header)) <= result_size) { |
3276 | u_int8_t type = necp_buffer_get_tlv_type(buffer: result, tlv_offset: offset); |
3277 | u_int32_t length = necp_buffer_get_tlv_length(buffer: result, tlv_offset: offset); |
3278 | |
3279 | if (length > 0 && (offset + sizeof(struct necp_tlv_header) + length) <= result_size) { |
3280 | u_int8_t *value = necp_buffer_get_tlv_value(buffer: result, tlv_offset: offset, NULL); |
3281 | if (value != NULL) { |
3282 | switch (type) { |
3283 | case NECP_CLIENT_RESULT_LOCAL_ENDPOINT: { |
3284 | if (length >= sizeof(struct necp_client_endpoint)) { |
3285 | struct necp_client_endpoint *endpoint = (struct necp_client_endpoint *)(void *)value; |
3286 | if (local_address != NULL && necp_client_address_is_valid(&endpoint->u.sa)) { |
3287 | memcpy(dst: local_address, src: &endpoint->u.sa, n: endpoint->u.sa.sa_len); |
3288 | } |
3289 | } |
3290 | break; |
3291 | } |
3292 | case NECP_CLIENT_RESULT_REMOTE_ENDPOINT: { |
3293 | if (length >= sizeof(struct necp_client_endpoint)) { |
3294 | struct necp_client_endpoint *endpoint = (struct necp_client_endpoint *)(void *)value; |
3295 | if (remote_address != NULL && necp_client_address_is_valid(&endpoint->u.sa)) { |
3296 | memcpy(dst: remote_address, src: &endpoint->u.sa, n: endpoint->u.sa.sa_len); |
3297 | } |
3298 | } |
3299 | break; |
3300 | } |
3301 | #if SKYWALK |
3302 | case NECP_CLIENT_RESULT_NEXUS_FLOW_STATS: { |
3303 | // this TLV contains flow_stats pointer which is refcnt'ed. |
3304 | if (flow_stats != NULL && length >= sizeof(struct sk_stats_flow *)) { |
3305 | struct flow_stats *fs = *(void **)(void *)value; |
3306 | // transfer the refcnt to flow_stats pointer |
3307 | *flow_stats = fs; |
3308 | } |
3309 | memset(s: value, c: 0, n: length); // nullify TLV always |
3310 | break; |
3311 | } |
3312 | #endif /* SKYWALK */ |
3313 | default: { |
3314 | break; |
3315 | } |
3316 | } |
3317 | } |
3318 | } |
3319 | |
3320 | offset += sizeof(struct necp_tlv_header) + length; |
3321 | } |
3322 | |
3323 | return error; |
3324 | } |
3325 | |
3326 | static struct necp_client_flow_registration * |
3327 | necp_client_create_flow_registration(struct necp_fd_data *fd_data, struct necp_client *client) |
3328 | { |
3329 | NECP_FD_ASSERT_LOCKED(fd_data); |
3330 | NECP_CLIENT_ASSERT_LOCKED(client); |
3331 | |
3332 | struct necp_client_flow_registration *new_registration = kalloc_type(struct necp_client_flow_registration, Z_WAITOK | Z_ZERO | Z_NOFAIL); |
3333 | |
3334 | new_registration->last_interface_details = combine_interface_details(IFSCOPE_NONE, NSTAT_IFNET_IS_UNKNOWN_TYPE); |
3335 | |
3336 | necp_generate_client_id(client_id: new_registration->registration_id, true); |
3337 | LIST_INIT(&new_registration->flow_list); |
3338 | |
3339 | // Add registration to client list |
3340 | RB_INSERT(_necp_client_flow_tree, &client->flow_registrations, new_registration); |
3341 | |
3342 | // Add registration to fd list |
3343 | RB_INSERT(_necp_fd_flow_tree, &fd_data->flows, new_registration); |
3344 | |
3345 | // Add registration to global tree for lookup |
3346 | NECP_FLOW_TREE_LOCK_EXCLUSIVE(); |
3347 | RB_INSERT(_necp_client_flow_global_tree, &necp_client_flow_global_tree, new_registration); |
3348 | NECP_FLOW_TREE_UNLOCK(); |
3349 | |
3350 | new_registration->client = client; |
3351 | |
3352 | #if SKYWALK |
3353 | { |
3354 | // The uuid caching here is something of a hack, but saves a dynamic lookup with attendant lock hierarchy issues |
3355 | uint64_t stats_event_type = (uuid_is_null(uu: client->latest_flow_registration_id)) ? NSTAT_EVENT_SRC_FLOW_UUID_ASSIGNED : NSTAT_EVENT_SRC_FLOW_UUID_CHANGED; |
3356 | uuid_copy(dst: client->latest_flow_registration_id, src: new_registration->registration_id); |
3357 | |
3358 | // With the flow uuid known, push a new statistics update to ensure the uuid gets known by any clients before the flow can close |
3359 | if (client->nstat_context != NULL) { |
3360 | nstat_provider_stats_event(nstat_ctx: client->nstat_context, event: stats_event_type); |
3361 | } |
3362 | } |
3363 | #endif /* !SKYWALK */ |
3364 | |
3365 | // Start out assuming there is nothing to read from the flow |
3366 | new_registration->flow_result_read = true; |
3367 | |
3368 | return new_registration; |
3369 | } |
3370 | |
3371 | static void |
3372 | necp_client_add_socket_flow(struct necp_client_flow_registration *flow_registration, |
3373 | struct inpcb *inp) |
3374 | { |
3375 | struct necp_client_flow *new_flow = kalloc_type(struct necp_client_flow, Z_WAITOK | Z_ZERO | Z_NOFAIL); |
3376 | |
3377 | new_flow->socket = TRUE; |
3378 | new_flow->u.socket_handle = inp; |
3379 | new_flow->u.cb = inp->necp_cb; |
3380 | |
3381 | OSIncrementAtomic(&necp_socket_flow_count); |
3382 | |
3383 | LIST_INSERT_HEAD(&flow_registration->flow_list, new_flow, flow_chain); |
3384 | } |
3385 | |
3386 | static int |
3387 | necp_client_register_socket_inner(pid_t pid, uuid_t client_id, struct inpcb *inp, bool is_listener) |
3388 | { |
3389 | int error = 0; |
3390 | struct necp_fd_data *client_fd = NULL; |
3391 | bool found_client = FALSE; |
3392 | |
3393 | NECP_FD_LIST_LOCK_SHARED(); |
3394 | LIST_FOREACH(client_fd, &necp_fd_list, chain) { |
3395 | NECP_FD_LOCK(client_fd); |
3396 | struct necp_client *client = necp_client_fd_find_client_and_lock(client_fd, client_id); |
3397 | if (client != NULL) { |
3398 | if (!pid || client->proc_pid == pid) { |
3399 | if (is_listener) { |
3400 | found_client = TRUE; |
3401 | #if SKYWALK |
3402 | // Check netns token for registration |
3403 | if (!NETNS_TOKEN_VALID(&client->port_reservation)) { |
3404 | error = EINVAL; |
3405 | } |
3406 | #endif /* !SKYWALK */ |
3407 | } else { |
3408 | // Find client flow and assign from socket |
3409 | struct necp_client_flow_registration *flow_registration = necp_client_find_flow(client, flow_id: client_id); |
3410 | if (flow_registration != NULL) { |
3411 | // Found the right client and flow registration, add a new flow |
3412 | found_client = TRUE; |
3413 | necp_client_add_socket_flow(flow_registration, inp); |
3414 | } else if (RB_EMPTY(&client->flow_registrations) && !necp_client_id_is_flow(client_id)) { |
3415 | // No flows yet on this client, add a new registration |
3416 | flow_registration = necp_client_create_flow_registration(fd_data: client_fd, client); |
3417 | if (flow_registration == NULL) { |
3418 | error = ENOMEM; |
3419 | } else { |
3420 | // Add a new flow |
3421 | found_client = TRUE; |
3422 | necp_client_add_socket_flow(flow_registration, inp); |
3423 | } |
3424 | } |
3425 | } |
3426 | } |
3427 | |
3428 | NECP_CLIENT_UNLOCK(client); |
3429 | } |
3430 | NECP_FD_UNLOCK(client_fd); |
3431 | |
3432 | if (found_client) { |
3433 | break; |
3434 | } |
3435 | } |
3436 | NECP_FD_LIST_UNLOCK(); |
3437 | |
3438 | if (!found_client) { |
3439 | error = ENOENT; |
3440 | } else { |
3441 | // Count the sockets that have the NECP client UUID set |
3442 | struct socket *so = inp->inp_socket; |
3443 | if (!(so->so_flags1 & SOF1_HAS_NECP_CLIENT_UUID)) { |
3444 | so->so_flags1 |= SOF1_HAS_NECP_CLIENT_UUID; |
3445 | INC_ATOMIC_INT64_LIM(net_api_stats.nas_socket_necp_clientuuid_total); |
3446 | } |
3447 | } |
3448 | |
3449 | return error; |
3450 | } |
3451 | |
3452 | int |
3453 | necp_client_register_socket_flow(pid_t pid, uuid_t client_id, struct inpcb *inp) |
3454 | { |
3455 | return necp_client_register_socket_inner(pid, client_id, inp, false); |
3456 | } |
3457 | |
3458 | int |
3459 | necp_client_register_socket_listener(pid_t pid, uuid_t client_id, struct inpcb *inp) |
3460 | { |
3461 | return necp_client_register_socket_inner(pid, client_id, inp, true); |
3462 | } |
3463 | |
3464 | #if SKYWALK |
3465 | int |
3466 | necp_client_get_netns_flow_info(uuid_t client_id, struct ns_flow_info *flow_info) |
3467 | { |
3468 | int error = 0; |
3469 | struct necp_fd_data *client_fd = NULL; |
3470 | bool found_client = FALSE; |
3471 | |
3472 | NECP_FD_LIST_LOCK_SHARED(); |
3473 | LIST_FOREACH(client_fd, &necp_fd_list, chain) { |
3474 | NECP_FD_LOCK(client_fd); |
3475 | struct necp_client *client = necp_client_fd_find_client_and_lock(client_fd, client_id); |
3476 | if (client != NULL) { |
3477 | found_client = TRUE; |
3478 | if (!NETNS_TOKEN_VALID(&client->port_reservation)) { |
3479 | error = EINVAL; |
3480 | } else { |
3481 | error = netns_get_flow_info(token: &client->port_reservation, nfi: flow_info); |
3482 | } |
3483 | |
3484 | NECP_CLIENT_UNLOCK(client); |
3485 | } |
3486 | NECP_FD_UNLOCK(client_fd); |
3487 | |
3488 | if (found_client) { |
3489 | break; |
3490 | } |
3491 | } |
3492 | NECP_FD_LIST_UNLOCK(); |
3493 | |
3494 | if (!found_client) { |
3495 | error = ENOENT; |
3496 | } |
3497 | |
3498 | return error; |
3499 | } |
3500 | #endif /* !SKYWALK */ |
3501 | |
3502 | static void |
3503 | necp_client_add_multipath_interface_flows(struct necp_client_flow_registration *flow_registration, |
3504 | struct necp_client *client, |
3505 | struct mppcb *mpp) |
3506 | { |
3507 | flow_registration->interface_handle = mpp; |
3508 | flow_registration->interface_cb = mpp->necp_cb; |
3509 | |
3510 | proc_t proc = proc_find(pid: client->proc_pid); |
3511 | if (proc == PROC_NULL) { |
3512 | return; |
3513 | } |
3514 | |
3515 | // Traverse all interfaces and add a tracking flow if needed |
3516 | necp_flow_add_interface_flows(proc, client, flow_registration, true); |
3517 | |
3518 | proc_rele(p: proc); |
3519 | proc = PROC_NULL; |
3520 | } |
3521 | |
3522 | int |
3523 | necp_client_register_multipath_cb(pid_t pid, uuid_t client_id, struct mppcb *mpp) |
3524 | { |
3525 | int error = 0; |
3526 | struct necp_fd_data *client_fd = NULL; |
3527 | bool found_client = FALSE; |
3528 | |
3529 | NECP_FD_LIST_LOCK_SHARED(); |
3530 | LIST_FOREACH(client_fd, &necp_fd_list, chain) { |
3531 | NECP_FD_LOCK(client_fd); |
3532 | struct necp_client *client = necp_client_fd_find_client_and_lock(client_fd, client_id); |
3533 | if (client != NULL) { |
3534 | if (!pid || client->proc_pid == pid) { |
3535 | struct necp_client_flow_registration *flow_registration = necp_client_find_flow(client, flow_id: client_id); |
3536 | if (flow_registration != NULL) { |
3537 | // Found the right client and flow registration, add a new flow |
3538 | found_client = TRUE; |
3539 | necp_client_add_multipath_interface_flows(flow_registration, client, mpp); |
3540 | } else if (RB_EMPTY(&client->flow_registrations) && !necp_client_id_is_flow(client_id)) { |
3541 | // No flows yet on this client, add a new registration |
3542 | flow_registration = necp_client_create_flow_registration(fd_data: client_fd, client); |
3543 | if (flow_registration == NULL) { |
3544 | error = ENOMEM; |
3545 | } else { |
3546 | // Add a new flow |
3547 | found_client = TRUE; |
3548 | necp_client_add_multipath_interface_flows(flow_registration, client, mpp); |
3549 | } |
3550 | } |
3551 | } |
3552 | |
3553 | NECP_CLIENT_UNLOCK(client); |
3554 | } |
3555 | NECP_FD_UNLOCK(client_fd); |
3556 | |
3557 | if (found_client) { |
3558 | break; |
3559 | } |
3560 | } |
3561 | NECP_FD_LIST_UNLOCK(); |
3562 | |
3563 | if (!found_client && error == 0) { |
3564 | error = ENOENT; |
3565 | } |
3566 | |
3567 | return error; |
3568 | } |
3569 | |
3570 | #define NETAGENT_DOMAIN_RADIO_MANAGER "WirelessRadioManager" |
3571 | #define NETAGENT_TYPE_RADIO_MANAGER "WirelessRadioManager:BB Manager" |
3572 | |
3573 | static int |
3574 | necp_client_lookup_bb_radio_manager(struct necp_client *client, |
3575 | uuid_t netagent_uuid) |
3576 | { |
3577 | char netagent_domain[NETAGENT_DOMAINSIZE]; |
3578 | char netagent_type[NETAGENT_TYPESIZE]; |
3579 | struct necp_aggregate_result result; |
3580 | proc_t proc; |
3581 | int error; |
3582 | |
3583 | proc = proc_find(pid: client->proc_pid); |
3584 | if (proc == PROC_NULL) { |
3585 | return ESRCH; |
3586 | } |
3587 | |
3588 | error = necp_application_find_policy_match_internal(proc, parameters: client->parameters, parameters_size: (u_int32_t)client->parameters_length, |
3589 | returned_result: &result, NULL, NULL, required_interface_index: 0, NULL, NULL, NULL, NULL, NULL, true, true, NULL); |
3590 | |
3591 | proc_rele(p: proc); |
3592 | proc = PROC_NULL; |
3593 | |
3594 | if (error) { |
3595 | return error; |
3596 | } |
3597 | |
3598 | for (int i = 0; i < NECP_MAX_NETAGENTS; i++) { |
3599 | if (uuid_is_null(uu: result.netagents[i])) { |
3600 | // Passed end of valid agents |
3601 | break; |
3602 | } |
3603 | |
3604 | memset(s: &netagent_domain, c: 0, NETAGENT_DOMAINSIZE); |
3605 | memset(s: &netagent_type, c: 0, NETAGENT_TYPESIZE); |
3606 | if (netagent_get_agent_domain_and_type(uuid: result.netagents[i], domain: netagent_domain, type: netagent_type) == FALSE) { |
3607 | continue; |
3608 | } |
3609 | |
3610 | if (strncmp(s1: netagent_domain, NETAGENT_DOMAIN_RADIO_MANAGER, NETAGENT_DOMAINSIZE) != 0) { |
3611 | continue; |
3612 | } |
3613 | |
3614 | if (strncmp(s1: netagent_type, NETAGENT_TYPE_RADIO_MANAGER, NETAGENT_TYPESIZE) != 0) { |
3615 | continue; |
3616 | } |
3617 | |
3618 | uuid_copy(dst: netagent_uuid, src: result.netagents[i]); |
3619 | |
3620 | break; |
3621 | } |
3622 | |
3623 | return 0; |
3624 | } |
3625 | |
3626 | static int |
3627 | necp_client_assert_bb_radio_manager_common(struct necp_client *client, bool assert) |
3628 | { |
3629 | uuid_t netagent_uuid; |
3630 | uint8_t assert_type; |
3631 | int error; |
3632 | |
3633 | error = necp_client_lookup_bb_radio_manager(client, netagent_uuid); |
3634 | if (error) { |
3635 | NECPLOG0(LOG_ERR, "BB radio manager agent not found" ); |
3636 | return error; |
3637 | } |
3638 | |
3639 | // Before unasserting, verify that the assertion was already taken |
3640 | if (assert == FALSE) { |
3641 | assert_type = NETAGENT_MESSAGE_TYPE_CLIENT_UNASSERT; |
3642 | |
3643 | if (!necp_client_remove_assertion(client, netagent_uuid)) { |
3644 | return EINVAL; |
3645 | } |
3646 | } else { |
3647 | assert_type = NETAGENT_MESSAGE_TYPE_CLIENT_ASSERT; |
3648 | } |
3649 | |
3650 | error = netagent_client_message(agent_uuid: netagent_uuid, necp_client_uuid: client->client_id, pid: client->proc_pid, handle: client->agent_handle, message_type: assert_type); |
3651 | if (error) { |
3652 | NECPLOG0(LOG_ERR, "netagent_client_message failed" ); |
3653 | return error; |
3654 | } |
3655 | |
3656 | // Only save the assertion if the action succeeded |
3657 | if (assert == TRUE) { |
3658 | necp_client_add_assertion(client, netagent_uuid); |
3659 | } |
3660 | |
3661 | return 0; |
3662 | } |
3663 | |
3664 | int |
3665 | necp_client_assert_bb_radio_manager(uuid_t client_id, bool assert) |
3666 | { |
3667 | struct necp_client *client; |
3668 | int error = 0; |
3669 | |
3670 | NECP_CLIENT_TREE_LOCK_SHARED(); |
3671 | |
3672 | client = necp_find_client_and_lock(client_id); |
3673 | |
3674 | if (client) { |
3675 | // Found the right client! |
3676 | error = necp_client_assert_bb_radio_manager_common(client, assert); |
3677 | |
3678 | NECP_CLIENT_UNLOCK(client); |
3679 | } else { |
3680 | NECPLOG0(LOG_ERR, "Couldn't find client" ); |
3681 | error = ENOENT; |
3682 | } |
3683 | |
3684 | NECP_CLIENT_TREE_UNLOCK(); |
3685 | |
3686 | return error; |
3687 | } |
3688 | |
3689 | static int |
3690 | necp_client_unregister_socket_flow(uuid_t client_id, void *handle) |
3691 | { |
3692 | int error = 0; |
3693 | struct necp_fd_data *client_fd = NULL; |
3694 | bool found_client = FALSE; |
3695 | bool client_updated = FALSE; |
3696 | |
3697 | NECP_FD_LIST_LOCK_SHARED(); |
3698 | LIST_FOREACH(client_fd, &necp_fd_list, chain) { |
3699 | NECP_FD_LOCK(client_fd); |
3700 | |
3701 | struct necp_client *client = necp_client_fd_find_client_and_lock(client_fd, client_id); |
3702 | if (client != NULL) { |
3703 | struct necp_client_flow_registration *flow_registration = necp_client_find_flow(client, flow_id: client_id); |
3704 | if (flow_registration != NULL) { |
3705 | // Found the right client and flow! |
3706 | found_client = TRUE; |
3707 | |
3708 | // Remove flow assignment |
3709 | struct necp_client_flow *search_flow = NULL; |
3710 | struct necp_client_flow *temp_flow = NULL; |
3711 | LIST_FOREACH_SAFE(search_flow, &flow_registration->flow_list, flow_chain, temp_flow) { |
3712 | if (search_flow->socket && search_flow->u.socket_handle == handle) { |
3713 | if (search_flow->assigned_results != NULL) { |
3714 | kfree_data(search_flow->assigned_results, search_flow->assigned_results_length); |
3715 | search_flow->assigned_results = NULL; |
3716 | } |
3717 | client_updated = TRUE; |
3718 | flow_registration->flow_result_read = FALSE; |
3719 | LIST_REMOVE(search_flow, flow_chain); |
3720 | OSDecrementAtomic(&necp_socket_flow_count); |
3721 | kfree_type(struct necp_client_flow, search_flow); |
3722 | } |
3723 | } |
3724 | } |
3725 | |
3726 | NECP_CLIENT_UNLOCK(client); |
3727 | } |
3728 | |
3729 | if (client_updated) { |
3730 | necp_fd_notify(fd_data: client_fd, true); |
3731 | } |
3732 | NECP_FD_UNLOCK(client_fd); |
3733 | |
3734 | if (found_client) { |
3735 | break; |
3736 | } |
3737 | } |
3738 | NECP_FD_LIST_UNLOCK(); |
3739 | |
3740 | if (!found_client) { |
3741 | error = ENOENT; |
3742 | } |
3743 | |
3744 | return error; |
3745 | } |
3746 | |
3747 | static int |
3748 | necp_client_unregister_multipath_cb(uuid_t client_id, void *handle) |
3749 | { |
3750 | int error = 0; |
3751 | bool found_client = FALSE; |
3752 | |
3753 | NECP_CLIENT_TREE_LOCK_SHARED(); |
3754 | |
3755 | struct necp_client *client = necp_find_client_and_lock(client_id); |
3756 | if (client != NULL) { |
3757 | struct necp_client_flow_registration *flow_registration = necp_client_find_flow(client, flow_id: client_id); |
3758 | if (flow_registration != NULL) { |
3759 | // Found the right client and flow! |
3760 | found_client = TRUE; |
3761 | |
3762 | // Remove flow assignment |
3763 | struct necp_client_flow *search_flow = NULL; |
3764 | struct necp_client_flow *temp_flow = NULL; |
3765 | LIST_FOREACH_SAFE(search_flow, &flow_registration->flow_list, flow_chain, temp_flow) { |
3766 | if (!search_flow->socket && !search_flow->nexus && |
3767 | search_flow->u.socket_handle == handle) { |
3768 | search_flow->u.socket_handle = NULL; |
3769 | search_flow->u.cb = NULL; |
3770 | } |
3771 | } |
3772 | |
3773 | flow_registration->interface_handle = NULL; |
3774 | flow_registration->interface_cb = NULL; |
3775 | } |
3776 | |
3777 | NECP_CLIENT_UNLOCK(client); |
3778 | } |
3779 | |
3780 | NECP_CLIENT_TREE_UNLOCK(); |
3781 | |
3782 | if (!found_client) { |
3783 | error = ENOENT; |
3784 | } |
3785 | |
3786 | return error; |
3787 | } |
3788 | |
3789 | int |
3790 | necp_client_assign_from_socket(pid_t pid, uuid_t client_id, struct inpcb *inp) |
3791 | { |
3792 | int error = 0; |
3793 | struct necp_fd_data *client_fd = NULL; |
3794 | bool found_client = FALSE; |
3795 | bool client_updated = FALSE; |
3796 | |
3797 | NECP_FD_LIST_LOCK_SHARED(); |
3798 | LIST_FOREACH(client_fd, &necp_fd_list, chain) { |
3799 | if (pid && client_fd->proc_pid != pid) { |
3800 | continue; |
3801 | } |
3802 | |
3803 | proc_t proc = proc_find(pid: client_fd->proc_pid); |
3804 | if (proc == PROC_NULL) { |
3805 | continue; |
3806 | } |
3807 | |
3808 | NECP_FD_LOCK(client_fd); |
3809 | |
3810 | struct necp_client *client = necp_client_fd_find_client_and_lock(client_fd, client_id); |
3811 | if (client != NULL) { |
3812 | struct necp_client_flow_registration *flow_registration = necp_client_find_flow(client, flow_id: client_id); |
3813 | if (flow_registration == NULL && RB_EMPTY(&client->flow_registrations) && !necp_client_id_is_flow(client_id)) { |
3814 | // No flows yet on this client, add a new registration |
3815 | flow_registration = necp_client_create_flow_registration(fd_data: client_fd, client); |
3816 | if (flow_registration == NULL) { |
3817 | error = ENOMEM; |
3818 | } |
3819 | } |
3820 | if (flow_registration != NULL) { |
3821 | // Found the right client and flow! |
3822 | found_client = TRUE; |
3823 | |
3824 | struct necp_client_flow *flow = NULL; |
3825 | LIST_FOREACH(flow, &flow_registration->flow_list, flow_chain) { |
3826 | if (flow->socket && flow->u.socket_handle == inp) { |
3827 | // Release prior results and route |
3828 | if (flow->assigned_results != NULL) { |
3829 | kfree_data(flow->assigned_results, flow->assigned_results_length); |
3830 | flow->assigned_results = NULL; |
3831 | } |
3832 | |
3833 | ifnet_t ifp = NULL; |
3834 | if ((inp->inp_flags & INP_BOUND_IF) && inp->inp_boundifp) { |
3835 | ifp = inp->inp_boundifp; |
3836 | } else { |
3837 | ifp = inp->inp_last_outifp; |
3838 | } |
3839 | |
3840 | if (ifp != NULL) { |
3841 | flow->interface_index = ifp->if_index; |
3842 | } else { |
3843 | flow->interface_index = IFSCOPE_NONE; |
3844 | } |
3845 | |
3846 | if (inp->inp_vflag & INP_IPV4) { |
3847 | flow->local_addr.sin.sin_family = AF_INET; |
3848 | flow->local_addr.sin.sin_len = sizeof(struct sockaddr_in); |
3849 | flow->local_addr.sin.sin_port = inp->inp_lport; |
3850 | memcpy(dst: &flow->local_addr.sin.sin_addr, src: &inp->inp_laddr, n: sizeof(struct in_addr)); |
3851 | |
3852 | flow->remote_addr.sin.sin_family = AF_INET; |
3853 | flow->remote_addr.sin.sin_len = sizeof(struct sockaddr_in); |
3854 | flow->remote_addr.sin.sin_port = inp->inp_fport; |
3855 | memcpy(dst: &flow->remote_addr.sin.sin_addr, src: &inp->inp_faddr, n: sizeof(struct in_addr)); |
3856 | } else if (inp->inp_vflag & INP_IPV6) { |
3857 | in6_ip6_to_sockaddr(ip6: &inp->in6p_laddr, port: inp->inp_lport, ifscope: inp->inp_lifscope, sin6: &flow->local_addr.sin6, maxlen: sizeof(flow->local_addr)); |
3858 | in6_ip6_to_sockaddr(ip6: &inp->in6p_faddr, port: inp->inp_fport, ifscope: inp->inp_fifscope, sin6: &flow->remote_addr.sin6, maxlen: sizeof(flow->remote_addr)); |
3859 | } |
3860 | |
3861 | flow->viable = necp_client_flow_is_viable(proc, client, flow); |
3862 | |
3863 | uuid_t empty_uuid; |
3864 | uuid_clear(uu: empty_uuid); |
3865 | flow->assigned = TRUE; |
3866 | flow->assigned_results = necp_create_nexus_assign_message(nexus_instance: empty_uuid, nexus_port: 0, NULL, key_length: 0, |
3867 | local_endpoint: (struct necp_client_endpoint *)&flow->local_addr, |
3868 | remote_endpoint: (struct necp_client_endpoint *)&flow->remote_addr, |
3869 | NULL, flow_adv_index: 0, NULL, message_length: &flow->assigned_results_length); |
3870 | flow_registration->flow_result_read = FALSE; |
3871 | client_updated = TRUE; |
3872 | break; |
3873 | } |
3874 | } |
3875 | } |
3876 | |
3877 | NECP_CLIENT_UNLOCK(client); |
3878 | } |
3879 | if (client_updated) { |
3880 | necp_fd_notify(fd_data: client_fd, true); |
3881 | } |
3882 | NECP_FD_UNLOCK(client_fd); |
3883 | |
3884 | proc_rele(p: proc); |
3885 | proc = PROC_NULL; |
3886 | |
3887 | if (found_client) { |
3888 | break; |
3889 | } |
3890 | } |
3891 | NECP_FD_LIST_UNLOCK(); |
3892 | |
3893 | if (error == 0) { |
3894 | if (!found_client) { |
3895 | error = ENOENT; |
3896 | } else if (!client_updated) { |
3897 | error = EINVAL; |
3898 | } |
3899 | } |
3900 | |
3901 | return error; |
3902 | } |
3903 | |
3904 | bool |
3905 | necp_socket_is_allowed_to_recv_on_interface(struct inpcb *inp, ifnet_t interface) |
3906 | { |
3907 | if (interface == NULL || |
3908 | inp == NULL || |
3909 | !(inp->inp_flags2 & INP2_EXTERNAL_PORT) || |
3910 | uuid_is_null(uu: inp->necp_client_uuid)) { |
3911 | // If there's no interface or client ID to check, |
3912 | // or if this is not a listener, pass. |
3913 | // Outbound connections will have already been |
3914 | // validated for policy. |
3915 | return TRUE; |
3916 | } |
3917 | |
3918 | // Only filter out listener sockets (no remote address specified) |
3919 | if ((inp->inp_vflag & INP_IPV4) && |
3920 | inp->inp_faddr.s_addr != INADDR_ANY) { |
3921 | return TRUE; |
3922 | } |
3923 | if ((inp->inp_vflag & INP_IPV6) && |
3924 | !IN6_IS_ADDR_UNSPECIFIED(&inp->in6p_faddr)) { |
3925 | return TRUE; |
3926 | } |
3927 | |
3928 | bool allowed = TRUE; |
3929 | |
3930 | NECP_CLIENT_TREE_LOCK_SHARED(); |
3931 | |
3932 | struct necp_client *client = necp_find_client_and_lock(client_id: inp->necp_client_uuid); |
3933 | if (client != NULL) { |
3934 | struct necp_client_parsed_parameters *parsed_parameters = NULL; |
3935 | |
3936 | parsed_parameters = kalloc_type(struct necp_client_parsed_parameters, |
3937 | Z_WAITOK | Z_ZERO | Z_NOFAIL); |
3938 | int error = necp_client_parse_parameters(client, parameters: client->parameters, parameters_size: (u_int32_t)client->parameters_length, parsed_parameters); |
3939 | if (error == 0) { |
3940 | if (!necp_ifnet_matches_parameters(ifp: interface, parsed_parameters, override_flags: 0, NULL, true, false)) { |
3941 | allowed = FALSE; |
3942 | } |
3943 | } |
3944 | kfree_type(struct necp_client_parsed_parameters, parsed_parameters); |
3945 | |
3946 | NECP_CLIENT_UNLOCK(client); |
3947 | } |
3948 | |
3949 | NECP_CLIENT_TREE_UNLOCK(); |
3950 | |
3951 | return allowed; |
3952 | } |
3953 | |
3954 | int |
3955 | necp_update_flow_protoctl_event(uuid_t netagent_uuid, uuid_t client_id, |
3956 | uint32_t protoctl_event_code, uint32_t protoctl_event_val, |
3957 | uint32_t protoctl_event_tcp_seq_number) |
3958 | { |
3959 | int error = 0; |
3960 | struct necp_fd_data *client_fd = NULL; |
3961 | bool found_client = FALSE; |
3962 | bool client_updated = FALSE; |
3963 | |
3964 | NECP_FD_LIST_LOCK_SHARED(); |
3965 | LIST_FOREACH(client_fd, &necp_fd_list, chain) { |
3966 | proc_t proc = proc_find(pid: client_fd->proc_pid); |
3967 | if (proc == PROC_NULL) { |
3968 | continue; |
3969 | } |
3970 | |
3971 | NECP_FD_LOCK(client_fd); |
3972 | |
3973 | struct necp_client *client = necp_client_fd_find_client_and_lock(client_fd, client_id); |
3974 | if (client != NULL) { |
3975 | struct necp_client_flow_registration *flow_registration = necp_client_find_flow(client, flow_id: client_id); |
3976 | if (flow_registration != NULL) { |
3977 | // Found the right client and flow! |
3978 | found_client = TRUE; |
3979 | |
3980 | struct necp_client_flow *flow = NULL; |
3981 | LIST_FOREACH(flow, &flow_registration->flow_list, flow_chain) { |
3982 | // Verify that the client nexus agent matches |
3983 | if ((flow->nexus && uuid_compare(uu1: flow->u.nexus_agent, uu2: netagent_uuid) == 0) || |
3984 | flow->socket) { |
3985 | flow->has_protoctl_event = TRUE; |
3986 | flow->protoctl_event.protoctl_event_code = protoctl_event_code; |
3987 | flow->protoctl_event.protoctl_event_val = protoctl_event_val; |
3988 | flow->protoctl_event.protoctl_event_tcp_seq_num = protoctl_event_tcp_seq_number; |
3989 | flow_registration->flow_result_read = FALSE; |
3990 | client_updated = TRUE; |
3991 | break; |
3992 | } |
3993 | } |
3994 | } |
3995 | |
3996 | NECP_CLIENT_UNLOCK(client); |
3997 | } |
3998 | |
3999 | if (client_updated) { |
4000 | necp_fd_notify(fd_data: client_fd, true); |
4001 | } |
4002 | |
4003 | NECP_FD_UNLOCK(client_fd); |
4004 | proc_rele(p: proc); |
4005 | proc = PROC_NULL; |
4006 | |
4007 | if (found_client) { |
4008 | break; |
4009 | } |
4010 | } |
4011 | NECP_FD_LIST_UNLOCK(); |
4012 | |
4013 | if (!found_client) { |
4014 | error = ENOENT; |
4015 | } else if (!client_updated) { |
4016 | error = EINVAL; |
4017 | } |
4018 | return error; |
4019 | } |
4020 | |
4021 | static bool |
4022 | necp_assign_client_result_locked(struct proc *proc, |
4023 | struct necp_fd_data *client_fd, |
4024 | struct necp_client *client, |
4025 | struct necp_client_flow_registration *flow_registration, |
4026 | uuid_t netagent_uuid, |
4027 | u_int8_t *assigned_results, |
4028 | size_t assigned_results_length, |
4029 | bool notify_fd, |
4030 | bool assigned_from_userspace_agent) |
4031 | { |
4032 | bool client_updated = FALSE; |
4033 | |
4034 | NECP_FD_ASSERT_LOCKED(client_fd); |
4035 | NECP_CLIENT_ASSERT_LOCKED(client); |
4036 | |
4037 | struct necp_client_flow *flow = NULL; |
4038 | LIST_FOREACH(flow, &flow_registration->flow_list, flow_chain) { |
4039 | // Verify that the client nexus agent matches |
4040 | if (flow->nexus && |
4041 | uuid_compare(uu1: flow->u.nexus_agent, uu2: netagent_uuid) == 0) { |
4042 | // Release prior results and route |
4043 | if (flow->assigned_results != NULL) { |
4044 | kfree_data(flow->assigned_results, flow->assigned_results_length); |
4045 | flow->assigned_results = NULL; |
4046 | } |
4047 | |
4048 | void *nexus_stats = NULL; |
4049 | if (assigned_results != NULL && assigned_results_length > 0) { |
4050 | int error = necp_client_parse_result(result: assigned_results, result_size: (u_int32_t)assigned_results_length, |
4051 | local_address: &flow->local_addr, remote_address: &flow->remote_addr, |
4052 | flow_stats: assigned_from_userspace_agent ? NULL : &nexus_stats); // Only assign stats from kernel agents |
4053 | VERIFY(error == 0); |
4054 | } |
4055 | |
4056 | flow->viable = necp_client_flow_is_viable(proc, client, flow); |
4057 | |
4058 | flow->assigned = TRUE; |
4059 | flow->assigned_results = assigned_results; |
4060 | flow->assigned_results_length = assigned_results_length; |
4061 | flow_registration->flow_result_read = FALSE; |
4062 | #if SKYWALK |
4063 | if (nexus_stats != NULL) { |
4064 | if (flow_registration->nexus_stats != NULL) { |
4065 | flow_stats_release(fs: flow_registration->nexus_stats); |
4066 | } |
4067 | flow_registration->nexus_stats = nexus_stats; |
4068 | } |
4069 | #endif /* SKYWALK */ |
4070 | client_updated = TRUE; |
4071 | break; |
4072 | } |
4073 | } |
4074 | |
4075 | if (client_updated && notify_fd) { |
4076 | necp_fd_notify(fd_data: client_fd, true); |
4077 | } |
4078 | |
4079 | // if not updated, client must free assigned_results |
4080 | return client_updated; |
4081 | } |
4082 | |
4083 | int |
4084 | necp_assign_client_result(uuid_t netagent_uuid, uuid_t client_id, |
4085 | u_int8_t *assigned_results, size_t assigned_results_length) |
4086 | { |
4087 | int error = 0; |
4088 | struct necp_fd_data *client_fd = NULL; |
4089 | bool found_client = FALSE; |
4090 | bool client_updated = FALSE; |
4091 | |
4092 | NECP_FD_LIST_LOCK_SHARED(); |
4093 | |
4094 | LIST_FOREACH(client_fd, &necp_fd_list, chain) { |
4095 | proc_t proc = proc_find(pid: client_fd->proc_pid); |
4096 | if (proc == PROC_NULL) { |
4097 | continue; |
4098 | } |
4099 | |
4100 | NECP_FD_LOCK(client_fd); |
4101 | struct necp_client *client = necp_client_fd_find_client_and_lock(client_fd, client_id); |
4102 | if (client != NULL) { |
4103 | struct necp_client_flow_registration *flow_registration = necp_client_find_flow(client, flow_id: client_id); |
4104 | if (flow_registration != NULL) { |
4105 | // Found the right client and flow! |
4106 | found_client = TRUE; |
4107 | if (necp_assign_client_result_locked(proc, client_fd, client, flow_registration, netagent_uuid, |
4108 | assigned_results, assigned_results_length, true, true)) { |
4109 | client_updated = TRUE; |
4110 | } |
4111 | } |
4112 | |
4113 | NECP_CLIENT_UNLOCK(client); |
4114 | } |
4115 | NECP_FD_UNLOCK(client_fd); |
4116 | |
4117 | proc_rele(p: proc); |
4118 | proc = PROC_NULL; |
4119 | |
4120 | if (found_client) { |
4121 | break; |
4122 | } |
4123 | } |
4124 | |
4125 | NECP_FD_LIST_UNLOCK(); |
4126 | |
4127 | // upon error, client must free assigned_results |
4128 | if (!found_client) { |
4129 | error = ENOENT; |
4130 | } else if (!client_updated) { |
4131 | error = EINVAL; |
4132 | } |
4133 | |
4134 | return error; |
4135 | } |
4136 | |
4137 | int |
4138 | necp_assign_client_group_members(uuid_t netagent_uuid, uuid_t client_id, |
4139 | u_int8_t *assigned_group_members, size_t assigned_group_members_length) |
4140 | { |
4141 | #pragma unused(netagent_uuid) |
4142 | int error = 0; |
4143 | struct necp_fd_data *client_fd = NULL; |
4144 | bool found_client = false; |
4145 | bool client_updated = false; |
4146 | |
4147 | NECP_FD_LIST_LOCK_SHARED(); |
4148 | |
4149 | LIST_FOREACH(client_fd, &necp_fd_list, chain) { |
4150 | proc_t proc = proc_find(pid: client_fd->proc_pid); |
4151 | if (proc == PROC_NULL) { |
4152 | continue; |
4153 | } |
4154 | |
4155 | NECP_FD_LOCK(client_fd); |
4156 | struct necp_client *client = necp_client_fd_find_client_and_lock(client_fd, client_id); |
4157 | if (client != NULL) { |
4158 | found_client = true; |
4159 | // Release prior results |
4160 | if (client->assigned_group_members != NULL) { |
4161 | kfree_data(client->assigned_group_members, client->assigned_group_members_length); |
4162 | client->assigned_group_members = NULL; |
4163 | } |
4164 | |
4165 | // Save new results |
4166 | client->assigned_group_members = assigned_group_members; |
4167 | client->assigned_group_members_length = assigned_group_members_length; |
4168 | client->group_members_read = false; |
4169 | |
4170 | client_updated = true; |
4171 | necp_fd_notify(fd_data: client_fd, true); |
4172 | |
4173 | NECP_CLIENT_UNLOCK(client); |
4174 | } |
4175 | NECP_FD_UNLOCK(client_fd); |
4176 | |
4177 | proc_rele(p: proc); |
4178 | proc = PROC_NULL; |
4179 | |
4180 | if (found_client) { |
4181 | break; |
4182 | } |
4183 | } |
4184 | |
4185 | NECP_FD_LIST_UNLOCK(); |
4186 | |
4187 | // upon error, client must free assigned_results |
4188 | if (!found_client) { |
4189 | error = ENOENT; |
4190 | } else if (!client_updated) { |
4191 | error = EINVAL; |
4192 | } |
4193 | |
4194 | return error; |
4195 | } |
4196 | |
4197 | /// Client updating |
4198 | |
4199 | static bool |
4200 | necp_update_parsed_parameters(struct necp_client_parsed_parameters *parsed_parameters, |
4201 | struct necp_aggregate_result *result) |
4202 | { |
4203 | if (parsed_parameters == NULL || |
4204 | result == NULL) { |
4205 | return false; |
4206 | } |
4207 | |
4208 | bool updated = false; |
4209 | for (int i = 0; i < NECP_MAX_NETAGENTS; i++) { |
4210 | if (uuid_is_null(uu: result->netagents[i])) { |
4211 | // Passed end of valid agents |
4212 | break; |
4213 | } |
4214 | |
4215 | if (!(result->netagent_use_flags[i] & NECP_AGENT_USE_FLAG_SCOPE)) { |
4216 | // Not a scoped agent, ignore |
4217 | continue; |
4218 | } |
4219 | |
4220 | // This is a scoped agent. Add it to the required agents. |
4221 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT) { |
4222 | // Already some required agents, add this at the end |
4223 | for (int j = 0; j < NECP_MAX_AGENT_PARAMETERS; j++) { |
4224 | if (uuid_compare(uu1: parsed_parameters->required_netagents[j], uu2: result->netagents[i]) == 0) { |
4225 | // Already required, break |
4226 | break; |
4227 | } |
4228 | if (uuid_is_null(uu: parsed_parameters->required_netagents[j])) { |
4229 | // Add here |
4230 | memcpy(dst: &parsed_parameters->required_netagents[j], src: result->netagents[i], n: sizeof(uuid_t)); |
4231 | updated = true; |
4232 | break; |
4233 | } |
4234 | } |
4235 | } else { |
4236 | // No required agents yet, add this one |
4237 | parsed_parameters->valid_fields |= NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT; |
4238 | memcpy(dst: &parsed_parameters->required_netagents[0], src: result->netagents[i], n: sizeof(uuid_t)); |
4239 | updated = true; |
4240 | } |
4241 | |
4242 | // Remove requirements for agents of the same type |
4243 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT_TYPE) { |
4244 | char remove_agent_domain[NETAGENT_DOMAINSIZE] = { 0 }; |
4245 | char remove_agent_type[NETAGENT_TYPESIZE] = { 0 }; |
4246 | if (netagent_get_agent_domain_and_type(uuid: result->netagents[i], domain: remove_agent_domain, type: remove_agent_type)) { |
4247 | for (int j = 0; j < NECP_MAX_AGENT_PARAMETERS; j++) { |
4248 | if (strlen(s: parsed_parameters->required_netagent_types[j].netagent_domain) == 0 && |
4249 | strlen(s: parsed_parameters->required_netagent_types[j].netagent_type) == 0) { |
4250 | break; |
4251 | } |
4252 | |
4253 | if (strncmp(s1: parsed_parameters->required_netagent_types[j].netagent_domain, s2: remove_agent_domain, NETAGENT_DOMAINSIZE) == 0 && |
4254 | strncmp(s1: parsed_parameters->required_netagent_types[j].netagent_type, s2: remove_agent_type, NETAGENT_TYPESIZE) == 0) { |
4255 | updated = true; |
4256 | |
4257 | if (j == NECP_MAX_AGENT_PARAMETERS - 1) { |
4258 | // Last field, just clear and break |
4259 | memset(s: &parsed_parameters->required_netagent_types[NECP_MAX_AGENT_PARAMETERS - 1], c: 0, n: sizeof(struct necp_client_parameter_netagent_type)); |
4260 | break; |
4261 | } else { |
4262 | // Move the parameters down, clear the last entry |
4263 | memmove(dst: &parsed_parameters->required_netagent_types[j], |
4264 | src: &parsed_parameters->required_netagent_types[j + 1], |
4265 | n: sizeof(struct necp_client_parameter_netagent_type) * (NECP_MAX_AGENT_PARAMETERS - (j + 1))); |
4266 | memset(s: &parsed_parameters->required_netagent_types[NECP_MAX_AGENT_PARAMETERS - 1], c: 0, n: sizeof(struct necp_client_parameter_netagent_type)); |
4267 | // Continue, don't increment but look at the new shifted item instead |
4268 | continue; |
4269 | } |
4270 | } |
4271 | |
4272 | // Increment j to look at the next agent type parameter |
4273 | j++; |
4274 | } |
4275 | } |
4276 | } |
4277 | } |
4278 | |
4279 | if (updated && |
4280 | parsed_parameters->required_interface_index != IFSCOPE_NONE && |
4281 | (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IF) == 0) { |
4282 | // A required interface index was added after the fact. Clear it. |
4283 | parsed_parameters->required_interface_index = IFSCOPE_NONE; |
4284 | } |
4285 | |
4286 | |
4287 | return updated; |
4288 | } |
4289 | |
4290 | static inline bool |
4291 | necp_agent_types_match(const char *agent_domain1, const char *agent_type1, |
4292 | const char *agent_domain2, const char *agent_type2) |
4293 | { |
4294 | return (strlen(s: agent_domain1) == 0 || |
4295 | strncmp(s1: agent_domain2, s2: agent_domain1, NETAGENT_DOMAINSIZE) == 0) && |
4296 | (strlen(s: agent_type1) == 0 || |
4297 | strncmp(s1: agent_type2, s2: agent_type1, NETAGENT_TYPESIZE) == 0); |
4298 | } |
4299 | |
4300 | static inline bool |
4301 | necp_calculate_client_result(proc_t proc, |
4302 | struct necp_client *client, |
4303 | struct necp_client_parsed_parameters *parsed_parameters, |
4304 | struct necp_aggregate_result *result, |
4305 | u_int32_t *flags, |
4306 | u_int32_t *reason, |
4307 | struct necp_client_endpoint *v4_gateway, |
4308 | struct necp_client_endpoint *v6_gateway, |
4309 | uuid_t *override_euuid) |
4310 | { |
4311 | struct rtentry *route = NULL; |
4312 | |
4313 | // Check parameters to find best interface |
4314 | bool validate_agents = false; |
4315 | u_int matching_if_index = 0; |
4316 | if (necp_find_matching_interface_index(parsed_parameters, return_ifindex: &matching_if_index, validate_agents: &validate_agents)) { |
4317 | if (matching_if_index != 0) { |
4318 | parsed_parameters->required_interface_index = matching_if_index; |
4319 | } |
4320 | // Interface found or not needed, match policy. |
4321 | memset(s: result, c: 0, n: sizeof(*result)); |
4322 | int error = necp_application_find_policy_match_internal(proc, parameters: client->parameters, |
4323 | parameters_size: (u_int32_t)client->parameters_length, |
4324 | returned_result: result, flags, reason, required_interface_index: matching_if_index, |
4325 | NULL, NULL, |
4326 | returned_v4_gateway: v4_gateway, returned_v6_gateway: v6_gateway, |
4327 | returned_route: &route, false, true, |
4328 | returned_override_euuid: override_euuid); |
4329 | if (error != 0) { |
4330 | if (route != NULL) { |
4331 | rtfree(route); |
4332 | } |
4333 | return FALSE; |
4334 | } |
4335 | |
4336 | if (validate_agents) { |
4337 | bool requirement_failed = FALSE; |
4338 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT) { |
4339 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
4340 | if (uuid_is_null(uu: parsed_parameters->required_netagents[i])) { |
4341 | break; |
4342 | } |
4343 | |
4344 | bool requirement_found = FALSE; |
4345 | for (int j = 0; j < NECP_MAX_NETAGENTS; j++) { |
4346 | if (uuid_is_null(uu: result->netagents[j])) { |
4347 | break; |
4348 | } |
4349 | |
4350 | if (result->netagent_use_flags[j] & NECP_AGENT_USE_FLAG_REMOVE) { |
4351 | // A removed agent, ignore |
4352 | continue; |
4353 | } |
4354 | |
4355 | if (uuid_compare(uu1: parsed_parameters->required_netagents[i], uu2: result->netagents[j]) == 0) { |
4356 | requirement_found = TRUE; |
4357 | break; |
4358 | } |
4359 | } |
4360 | |
4361 | if (!requirement_found) { |
4362 | requirement_failed = TRUE; |
4363 | break; |
4364 | } |
4365 | } |
4366 | } |
4367 | |
4368 | if (!requirement_failed && parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT_TYPE) { |
4369 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
4370 | if (strlen(s: parsed_parameters->required_netagent_types[i].netagent_domain) == 0 && |
4371 | strlen(s: parsed_parameters->required_netagent_types[i].netagent_type) == 0) { |
4372 | break; |
4373 | } |
4374 | |
4375 | bool requirement_found = FALSE; |
4376 | for (int j = 0; j < NECP_MAX_NETAGENTS; j++) { |
4377 | if (uuid_is_null(uu: result->netagents[j])) { |
4378 | break; |
4379 | } |
4380 | |
4381 | if (result->netagent_use_flags[j] & NECP_AGENT_USE_FLAG_REMOVE) { |
4382 | // A removed agent, ignore |
4383 | continue; |
4384 | } |
4385 | |
4386 | char policy_agent_domain[NETAGENT_DOMAINSIZE] = { 0 }; |
4387 | char policy_agent_type[NETAGENT_TYPESIZE] = { 0 }; |
4388 | |
4389 | if (netagent_get_agent_domain_and_type(uuid: result->netagents[j], domain: policy_agent_domain, type: policy_agent_type)) { |
4390 | if (necp_agent_types_match(agent_domain1: parsed_parameters->required_netagent_types[i].netagent_domain, |
4391 | agent_type1: parsed_parameters->required_netagent_types[i].netagent_type, |
4392 | agent_domain2: policy_agent_domain, agent_type2: policy_agent_type)) { |
4393 | requirement_found = TRUE; |
4394 | break; |
4395 | } |
4396 | } |
4397 | } |
4398 | |
4399 | if (!requirement_found) { |
4400 | requirement_failed = TRUE; |
4401 | break; |
4402 | } |
4403 | } |
4404 | } |
4405 | |
4406 | if (requirement_failed) { |
4407 | // Agent requirement failed. Clear out the whole result, make everything fail. |
4408 | memset(s: result, c: 0, n: sizeof(*result)); |
4409 | if (route != NULL) { |
4410 | rtfree(route); |
4411 | } |
4412 | return TRUE; |
4413 | } |
4414 | } |
4415 | |
4416 | // Reset current route |
4417 | NECP_CLIENT_ROUTE_LOCK(client); |
4418 | if (client->current_route != NULL) { |
4419 | rtfree(client->current_route); |
4420 | } |
4421 | client->current_route = route; |
4422 | NECP_CLIENT_ROUTE_UNLOCK(client); |
4423 | } else { |
4424 | // Interface not found. Clear out the whole result, make everything fail. |
4425 | memset(s: result, c: 0, n: sizeof(*result)); |
4426 | } |
4427 | |
4428 | return TRUE; |
4429 | } |
4430 | |
4431 | #define NECP_PARSED_PARAMETERS_REQUIRED_FIELDS (NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IF | \ |
4432 | NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IFTYPE | \ |
4433 | NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT | \ |
4434 | NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT_TYPE) |
4435 | |
4436 | static bool |
4437 | necp_update_client_result(proc_t proc, |
4438 | struct necp_fd_data *client_fd, |
4439 | struct necp_client *client, |
4440 | struct _necp_flow_defunct_list *defunct_list) |
4441 | { |
4442 | struct necp_client_result_netagent netagent; |
4443 | struct necp_aggregate_result result; |
4444 | struct necp_client_parsed_parameters *parsed_parameters = NULL; |
4445 | u_int32_t flags = 0; |
4446 | u_int32_t reason = 0; |
4447 | |
4448 | NECP_CLIENT_ASSERT_LOCKED(client); |
4449 | |
4450 | parsed_parameters = kalloc_type(struct necp_client_parsed_parameters, |
4451 | Z_WAITOK | Z_ZERO | Z_NOFAIL); |
4452 | |
4453 | // Nexus flows will be brought back if they are still valid |
4454 | necp_client_mark_all_nonsocket_flows_as_invalid(client); |
4455 | |
4456 | int error = necp_client_parse_parameters(client, parameters: client->parameters, parameters_size: (u_int32_t)client->parameters_length, parsed_parameters); |
4457 | if (error != 0) { |
4458 | kfree_type(struct necp_client_parsed_parameters, parsed_parameters); |
4459 | return FALSE; |
4460 | } |
4461 | bool originally_scoped = (parsed_parameters->required_interface_index != IFSCOPE_NONE); |
4462 | |
4463 | // Update saved IP protocol |
4464 | client->ip_protocol = parsed_parameters->ip_protocol; |
4465 | |
4466 | // Calculate the policy result |
4467 | struct necp_client_endpoint v4_gateway = {}; |
4468 | struct necp_client_endpoint v6_gateway = {}; |
4469 | uuid_t override_euuid; |
4470 | uuid_clear(uu: override_euuid); |
4471 | if (!necp_calculate_client_result(proc, client, parsed_parameters, result: &result, flags: &flags, reason: &reason, v4_gateway: &v4_gateway, v6_gateway: &v6_gateway, override_euuid: &override_euuid)) { |
4472 | kfree_type(struct necp_client_parsed_parameters, parsed_parameters); |
4473 | return FALSE; |
4474 | } |
4475 | |
4476 | if (necp_update_parsed_parameters(parsed_parameters, result: &result)) { |
4477 | // Changed the parameters based on result, try again (only once) |
4478 | if (!necp_calculate_client_result(proc, client, parsed_parameters, result: &result, flags: &flags, reason: &reason, v4_gateway: &v4_gateway, v6_gateway: &v6_gateway, override_euuid: &override_euuid)) { |
4479 | kfree_type(struct necp_client_parsed_parameters, parsed_parameters); |
4480 | return FALSE; |
4481 | } |
4482 | } |
4483 | |
4484 | if ((parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) && |
4485 | parsed_parameters->required_interface_index != IFSCOPE_NONE && |
4486 | (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IF) == 0) { |
4487 | // Listener should not apply required interface index if |
4488 | parsed_parameters->required_interface_index = IFSCOPE_NONE; |
4489 | } |
4490 | |
4491 | // Save the last policy id on the client |
4492 | client->policy_id = result.policy_id; |
4493 | client->skip_policy_id = result.skip_policy_id; |
4494 | uuid_copy(dst: client->override_euuid, src: override_euuid); |
4495 | |
4496 | if ((parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_MULTIPATH) || |
4497 | (parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_BROWSE) || |
4498 | ((parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) && |
4499 | result.routing_result != NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED)) { |
4500 | client->allow_multiple_flows = TRUE; |
4501 | } else { |
4502 | client->allow_multiple_flows = FALSE; |
4503 | } |
4504 | |
4505 | // If the original request was scoped, and the policy result matches, make sure the result is scoped |
4506 | if ((result.routing_result == NECP_KERNEL_POLICY_RESULT_NONE || |
4507 | result.routing_result == NECP_KERNEL_POLICY_RESULT_PASS) && |
4508 | result.routed_interface_index != IFSCOPE_NONE && |
4509 | parsed_parameters->required_interface_index == result.routed_interface_index) { |
4510 | result.routing_result = NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED; |
4511 | result.routing_result_parameter.scoped_interface_index = result.routed_interface_index; |
4512 | } |
4513 | |
4514 | if (defunct_list != NULL && |
4515 | result.routing_result == NECP_KERNEL_POLICY_RESULT_DROP) { |
4516 | // If we are forced to drop the client, defunct it if it has flows |
4517 | necp_defunct_client_for_policy(client, defunct_list); |
4518 | } |
4519 | |
4520 | // Recalculate flags |
4521 | if (parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) { |
4522 | // Listeners are valid as long as they aren't dropped |
4523 | if (result.routing_result != NECP_KERNEL_POLICY_RESULT_DROP) { |
4524 | flags |= NECP_CLIENT_RESULT_FLAG_SATISFIED; |
4525 | } |
4526 | } else if (result.routed_interface_index != 0) { |
4527 | // Clients without flows determine viability based on having some routable interface |
4528 | flags |= NECP_CLIENT_RESULT_FLAG_SATISFIED; |
4529 | } |
4530 | |
4531 | bool updated = FALSE; |
4532 | u_int8_t *cursor = client->result; |
4533 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_FLAGS, length: sizeof(flags), value: &flags, updated: &updated, buffer: client->result, buffer_length: sizeof(client->result)); |
4534 | if (reason != 0) { |
4535 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_REASON, length: sizeof(reason), value: &reason, updated: &updated, buffer: client->result, buffer_length: sizeof(client->result)); |
4536 | } |
4537 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_CLIENT_ID, length: sizeof(uuid_t), value: client->client_id, updated: &updated, |
4538 | buffer: client->result, buffer_length: sizeof(client->result)); |
4539 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_POLICY_RESULT, length: sizeof(result.routing_result), value: &result.routing_result, updated: &updated, |
4540 | buffer: client->result, buffer_length: sizeof(client->result)); |
4541 | if (result.routing_result_parameter.tunnel_interface_index != 0) { |
4542 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_POLICY_RESULT_PARAMETER, |
4543 | length: sizeof(result.routing_result_parameter), value: &result.routing_result_parameter, updated: &updated, |
4544 | buffer: client->result, buffer_length: sizeof(client->result)); |
4545 | } |
4546 | if (result.filter_control_unit != 0) { |
4547 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_FILTER_CONTROL_UNIT, |
4548 | length: sizeof(result.filter_control_unit), value: &result.filter_control_unit, updated: &updated, |
4549 | buffer: client->result, buffer_length: sizeof(client->result)); |
4550 | } |
4551 | if (result.flow_divert_aggregate_unit != 0) { |
4552 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_FLOW_DIVERT_AGGREGATE_UNIT, |
4553 | length: sizeof(result.flow_divert_aggregate_unit), value: &result.flow_divert_aggregate_unit, updated: &updated, |
4554 | buffer: client->result, buffer_length: sizeof(client->result)); |
4555 | } |
4556 | if (result.routed_interface_index != 0) { |
4557 | u_int routed_interface_index = result.routed_interface_index; |
4558 | if (result.routing_result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && |
4559 | (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_REQUIRED_FIELDS) && |
4560 | parsed_parameters->required_interface_index != IFSCOPE_NONE && |
4561 | parsed_parameters->required_interface_index != result.routed_interface_index) { |
4562 | routed_interface_index = parsed_parameters->required_interface_index; |
4563 | } |
4564 | |
4565 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_INTERFACE_INDEX, |
4566 | length: sizeof(routed_interface_index), value: &routed_interface_index, updated: &updated, |
4567 | buffer: client->result, buffer_length: sizeof(client->result)); |
4568 | } |
4569 | if (client_fd && client_fd->flags & NECP_OPEN_FLAG_BACKGROUND) { |
4570 | u_int32_t effective_traffic_class = SO_TC_BK_SYS; |
4571 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_EFFECTIVE_TRAFFIC_CLASS, |
4572 | length: sizeof(effective_traffic_class), value: &effective_traffic_class, updated: &updated, |
4573 | buffer: client->result, buffer_length: sizeof(client->result)); |
4574 | } |
4575 | |
4576 | if (client_fd->background) { |
4577 | bool has_assigned_flow = FALSE; |
4578 | struct necp_client_flow_registration *flow_registration = NULL; |
4579 | struct necp_client_flow *search_flow = NULL; |
4580 | RB_FOREACH(flow_registration, _necp_client_flow_tree, &client->flow_registrations) { |
4581 | LIST_FOREACH(search_flow, &flow_registration->flow_list, flow_chain) { |
4582 | if (search_flow->assigned) { |
4583 | has_assigned_flow = TRUE; |
4584 | break; |
4585 | } |
4586 | } |
4587 | } |
4588 | |
4589 | if (has_assigned_flow) { |
4590 | u_int32_t background = client_fd->background; |
4591 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_TRAFFIC_MGMT_BG, |
4592 | length: sizeof(background), value: &background, updated: &updated, |
4593 | buffer: client->result, buffer_length: sizeof(client->result)); |
4594 | } |
4595 | } |
4596 | |
4597 | bool write_v4_gateway = !necp_client_endpoint_is_unspecified(endpoint: &v4_gateway); |
4598 | bool write_v6_gateway = !necp_client_endpoint_is_unspecified(endpoint: &v6_gateway); |
4599 | |
4600 | NECP_CLIENT_ROUTE_LOCK(client); |
4601 | if (client->current_route != NULL) { |
4602 | const u_int32_t route_mtu = get_maxmtu(client->current_route); |
4603 | if (route_mtu != 0) { |
4604 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_EFFECTIVE_MTU, |
4605 | length: sizeof(route_mtu), value: &route_mtu, updated: &updated, |
4606 | buffer: client->result, buffer_length: sizeof(client->result)); |
4607 | } |
4608 | bool has_remote_addr = parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REMOTE_ADDR; |
4609 | if (has_remote_addr && client->current_route->rt_gateway != NULL) { |
4610 | if (client->current_route->rt_gateway->sa_family == AF_INET) { |
4611 | write_v6_gateway = false; |
4612 | } else if (client->current_route->rt_gateway->sa_family == AF_INET6) { |
4613 | write_v4_gateway = false; |
4614 | } |
4615 | } |
4616 | } |
4617 | NECP_CLIENT_ROUTE_UNLOCK(client); |
4618 | |
4619 | if (write_v4_gateway) { |
4620 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_GATEWAY, |
4621 | length: sizeof(struct necp_client_endpoint), value: &v4_gateway, updated: &updated, |
4622 | buffer: client->result, buffer_length: sizeof(client->result)); |
4623 | } |
4624 | |
4625 | if (write_v6_gateway) { |
4626 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_GATEWAY, |
4627 | length: sizeof(struct necp_client_endpoint), value: &v6_gateway, updated: &updated, |
4628 | buffer: client->result, buffer_length: sizeof(client->result)); |
4629 | } |
4630 | |
4631 | for (int i = 0; i < NAT64_MAX_NUM_PREFIXES; i++) { |
4632 | if (result.nat64_prefixes[i].prefix_len != 0) { |
4633 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_NAT64, |
4634 | length: sizeof(result.nat64_prefixes), value: result.nat64_prefixes, updated: &updated, |
4635 | buffer: client->result, buffer_length: sizeof(client->result)); |
4636 | break; |
4637 | } |
4638 | } |
4639 | |
4640 | if (result.mss_recommended != 0) { |
4641 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_RECOMMENDED_MSS, |
4642 | length: sizeof(result.mss_recommended), value: &result.mss_recommended, updated: &updated, |
4643 | buffer: client->result, buffer_length: sizeof(client->result)); |
4644 | } |
4645 | |
4646 | for (int i = 0; i < NECP_MAX_NETAGENTS; i++) { |
4647 | if (uuid_is_null(uu: result.netagents[i])) { |
4648 | break; |
4649 | } |
4650 | if (result.netagent_use_flags[i] & NECP_AGENT_USE_FLAG_REMOVE) { |
4651 | // A removed agent, ignore |
4652 | continue; |
4653 | } |
4654 | uuid_copy(dst: netagent.netagent_uuid, src: result.netagents[i]); |
4655 | netagent.generation = netagent_get_generation(uuid: netagent.netagent_uuid); |
4656 | if (necp_netagent_applies_to_client(client, parameters: parsed_parameters, netagent_uuid: &netagent.netagent_uuid, TRUE, interface_index: 0, interface_generation: 0)) { |
4657 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_NETAGENT, length: sizeof(netagent), value: &netagent, updated: &updated, |
4658 | buffer: client->result, buffer_length: sizeof(client->result)); |
4659 | } |
4660 | } |
4661 | |
4662 | ifnet_head_lock_shared(); |
4663 | ifnet_t direct_interface = NULL; |
4664 | ifnet_t delegate_interface = NULL; |
4665 | ifnet_t original_scoped_interface = NULL; |
4666 | |
4667 | if (result.routed_interface_index != IFSCOPE_NONE && result.routed_interface_index <= (u_int32_t)if_index) { |
4668 | direct_interface = ifindex2ifnet[result.routed_interface_index]; |
4669 | } else if (parsed_parameters->required_interface_index != IFSCOPE_NONE && |
4670 | parsed_parameters->required_interface_index <= (u_int32_t)if_index) { |
4671 | // If the request was scoped, but the route didn't match, still grab the agents |
4672 | direct_interface = ifindex2ifnet[parsed_parameters->required_interface_index]; |
4673 | } else if (result.routed_interface_index == IFSCOPE_NONE && |
4674 | result.routing_result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED && |
4675 | result.routing_result_parameter.scoped_interface_index != IFSCOPE_NONE) { |
4676 | direct_interface = ifindex2ifnet[result.routing_result_parameter.scoped_interface_index]; |
4677 | } |
4678 | if (direct_interface != NULL) { |
4679 | delegate_interface = direct_interface->if_delegated.ifp; |
4680 | } |
4681 | if (result.routing_result == NECP_KERNEL_POLICY_RESULT_IP_TUNNEL && |
4682 | (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_REQUIRED_FIELDS) && |
4683 | parsed_parameters->required_interface_index != IFSCOPE_NONE && |
4684 | parsed_parameters->required_interface_index != result.routing_result_parameter.tunnel_interface_index && |
4685 | parsed_parameters->required_interface_index <= (u_int32_t)if_index) { |
4686 | original_scoped_interface = ifindex2ifnet[parsed_parameters->required_interface_index]; |
4687 | } |
4688 | // Add interfaces |
4689 | if (original_scoped_interface != NULL) { |
4690 | struct necp_client_result_interface interface_struct; |
4691 | interface_struct.index = original_scoped_interface->if_index; |
4692 | interface_struct.generation = ifnet_get_generation(original_scoped_interface); |
4693 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_INTERFACE, length: sizeof(interface_struct), value: &interface_struct, updated: &updated, |
4694 | buffer: client->result, buffer_length: sizeof(client->result)); |
4695 | } |
4696 | if (direct_interface != NULL) { |
4697 | struct necp_client_result_interface interface_struct; |
4698 | interface_struct.index = direct_interface->if_index; |
4699 | interface_struct.generation = ifnet_get_generation(direct_interface); |
4700 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_INTERFACE, length: sizeof(interface_struct), value: &interface_struct, updated: &updated, |
4701 | buffer: client->result, buffer_length: sizeof(client->result)); |
4702 | |
4703 | // Set the delta time since interface up/down |
4704 | struct timeval updown_delta = {}; |
4705 | if (ifnet_updown_delta(interface: direct_interface, updown_delta: &updown_delta) == 0) { |
4706 | u_int32_t delta = updown_delta.tv_sec; |
4707 | bool ignore_updated = FALSE; |
4708 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_INTERFACE_TIME_DELTA, |
4709 | length: sizeof(delta), value: &delta, updated: &ignore_updated, |
4710 | buffer: client->result, buffer_length: sizeof(client->result)); |
4711 | } |
4712 | } |
4713 | if (delegate_interface != NULL) { |
4714 | struct necp_client_result_interface interface_struct; |
4715 | interface_struct.index = delegate_interface->if_index; |
4716 | interface_struct.generation = ifnet_get_generation(delegate_interface); |
4717 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_INTERFACE, length: sizeof(interface_struct), value: &interface_struct, updated: &updated, |
4718 | buffer: client->result, buffer_length: sizeof(client->result)); |
4719 | } |
4720 | |
4721 | // Update multipath/listener interface flows |
4722 | if (parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_MULTIPATH) { |
4723 | // Add the interface option for the routed interface first |
4724 | if (direct_interface != NULL) { |
4725 | // Add nexus agent |
4726 | necp_client_add_agent_interface_options(client, parsed_parameters, ifp: direct_interface); |
4727 | |
4728 | // Add interface option in case it is not a nexus |
4729 | necp_client_add_interface_option_if_needed(client, interface_index: direct_interface->if_index, |
4730 | interface_generation: ifnet_get_generation(direct_interface), NULL, false); |
4731 | } |
4732 | if (parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_INBOUND) { |
4733 | // For inbound multipath, add from the global list (like a listener) |
4734 | struct ifnet *multi_interface = NULL; |
4735 | TAILQ_FOREACH(multi_interface, &ifnet_head, if_link) { |
4736 | if ((multi_interface->if_flags & (IFF_UP | IFF_RUNNING)) && |
4737 | necp_ifnet_matches_parameters(ifp: multi_interface, parsed_parameters, override_flags: 0, NULL, true, false)) { |
4738 | // Add nexus agents for inbound multipath |
4739 | necp_client_add_agent_interface_options(client, parsed_parameters, ifp: multi_interface); |
4740 | } |
4741 | } |
4742 | } else { |
4743 | // Get other multipath interface options from ordered list |
4744 | struct ifnet *multi_interface = NULL; |
4745 | TAILQ_FOREACH(multi_interface, &ifnet_ordered_head, if_ordered_link) { |
4746 | if (multi_interface != direct_interface && |
4747 | necp_ifnet_matches_parameters(ifp: multi_interface, parsed_parameters, override_flags: 0, NULL, true, false)) { |
4748 | // Add nexus agents for multipath |
4749 | necp_client_add_agent_interface_options(client, parsed_parameters, ifp: multi_interface); |
4750 | |
4751 | // Add multipath interface flows for kernel MPTCP |
4752 | necp_client_add_interface_option_if_needed(client, interface_index: multi_interface->if_index, |
4753 | interface_generation: ifnet_get_generation(multi_interface), NULL, false); |
4754 | } |
4755 | } |
4756 | } |
4757 | } else if (parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) { |
4758 | if (result.routing_result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED) { |
4759 | if (direct_interface != NULL) { |
4760 | // If scoped, only listen on that interface |
4761 | // Add nexus agents for listeners |
4762 | necp_client_add_agent_interface_options(client, parsed_parameters, ifp: direct_interface); |
4763 | |
4764 | // Add interface option in case it is not a nexus |
4765 | necp_client_add_interface_option_if_needed(client, interface_index: direct_interface->if_index, |
4766 | interface_generation: ifnet_get_generation(direct_interface), NULL, false); |
4767 | } |
4768 | } else { |
4769 | // Get listener interface options from global list |
4770 | struct ifnet *listen_interface = NULL; |
4771 | TAILQ_FOREACH(listen_interface, &ifnet_head, if_link) { |
4772 | if ((listen_interface->if_flags & (IFF_UP | IFF_RUNNING)) && |
4773 | necp_ifnet_matches_parameters(ifp: listen_interface, parsed_parameters, override_flags: 0, NULL, true, false)) { |
4774 | // Add nexus agents for listeners |
4775 | necp_client_add_agent_interface_options(client, parsed_parameters, ifp: listen_interface); |
4776 | } |
4777 | } |
4778 | } |
4779 | } else if (parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_BROWSE) { |
4780 | if (result.routing_result == NECP_KERNEL_POLICY_RESULT_SOCKET_SCOPED && originally_scoped) { |
4781 | if (direct_interface != NULL) { |
4782 | // Add browse option if it has an agent |
4783 | necp_client_add_browse_interface_options(client, parsed_parameters, ifp: direct_interface); |
4784 | } |
4785 | } else { |
4786 | // Get browse interface options from global list |
4787 | struct ifnet *browse_interface = NULL; |
4788 | TAILQ_FOREACH(browse_interface, &ifnet_head, if_link) { |
4789 | if (necp_ifnet_matches_parameters(ifp: browse_interface, parsed_parameters, override_flags: 0, NULL, true, false)) { |
4790 | necp_client_add_browse_interface_options(client, parsed_parameters, ifp: browse_interface); |
4791 | } |
4792 | } |
4793 | } |
4794 | } |
4795 | |
4796 | struct necp_client_result_estimated_throughput throughput = { |
4797 | .up = 0, |
4798 | .down = 0, |
4799 | }; |
4800 | |
4801 | // Add agents |
4802 | if (original_scoped_interface != NULL) { |
4803 | ifnet_lock_shared(ifp: original_scoped_interface); |
4804 | if (original_scoped_interface->if_agentids != NULL) { |
4805 | for (u_int32_t i = 0; i < original_scoped_interface->if_agentcount; i++) { |
4806 | if (uuid_is_null(uu: original_scoped_interface->if_agentids[i])) { |
4807 | continue; |
4808 | } |
4809 | bool skip_agent = false; |
4810 | for (int j = 0; j < NECP_MAX_NETAGENTS; j++) { |
4811 | if (uuid_is_null(uu: result.netagents[j])) { |
4812 | break; |
4813 | } |
4814 | if ((result.netagent_use_flags[j] & NECP_AGENT_USE_FLAG_REMOVE) && |
4815 | uuid_compare(uu1: original_scoped_interface->if_agentids[i], uu2: result.netagents[j]) == 0) { |
4816 | skip_agent = true; |
4817 | break; |
4818 | } |
4819 | } |
4820 | if (skip_agent) { |
4821 | continue; |
4822 | } |
4823 | uuid_copy(dst: netagent.netagent_uuid, src: original_scoped_interface->if_agentids[i]); |
4824 | netagent.generation = netagent_get_generation(uuid: netagent.netagent_uuid); |
4825 | if (necp_netagent_applies_to_client(client, parameters: parsed_parameters, netagent_uuid: &netagent.netagent_uuid, FALSE, |
4826 | interface_index: original_scoped_interface->if_index, interface_generation: ifnet_get_generation(original_scoped_interface))) { |
4827 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_NETAGENT, length: sizeof(netagent), value: &netagent, updated: &updated, |
4828 | buffer: client->result, buffer_length: sizeof(client->result)); |
4829 | } |
4830 | } |
4831 | } |
4832 | ifnet_lock_done(ifp: original_scoped_interface); |
4833 | } |
4834 | if (direct_interface != NULL) { |
4835 | ifnet_lock_shared(ifp: direct_interface); |
4836 | throughput.up = direct_interface->if_estimated_up_bucket; |
4837 | throughput.down = direct_interface->if_estimated_down_bucket; |
4838 | if (direct_interface->if_agentids != NULL) { |
4839 | for (u_int32_t i = 0; i < direct_interface->if_agentcount; i++) { |
4840 | if (uuid_is_null(uu: direct_interface->if_agentids[i])) { |
4841 | continue; |
4842 | } |
4843 | bool skip_agent = false; |
4844 | for (int j = 0; j < NECP_MAX_NETAGENTS; j++) { |
4845 | if (uuid_is_null(uu: result.netagents[j])) { |
4846 | break; |
4847 | } |
4848 | if ((result.netagent_use_flags[j] & NECP_AGENT_USE_FLAG_REMOVE) && |
4849 | uuid_compare(uu1: direct_interface->if_agentids[i], uu2: result.netagents[j]) == 0) { |
4850 | skip_agent = true; |
4851 | break; |
4852 | } |
4853 | } |
4854 | if (skip_agent) { |
4855 | continue; |
4856 | } |
4857 | uuid_copy(dst: netagent.netagent_uuid, src: direct_interface->if_agentids[i]); |
4858 | netagent.generation = netagent_get_generation(uuid: netagent.netagent_uuid); |
4859 | if (necp_netagent_applies_to_client(client, parameters: parsed_parameters, netagent_uuid: &netagent.netagent_uuid, TRUE, |
4860 | interface_index: direct_interface->if_index, interface_generation: ifnet_get_generation(direct_interface))) { |
4861 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_NETAGENT, length: sizeof(netagent), value: &netagent, updated: &updated, |
4862 | buffer: client->result, buffer_length: sizeof(client->result)); |
4863 | } |
4864 | } |
4865 | } |
4866 | ifnet_lock_done(ifp: direct_interface); |
4867 | } |
4868 | if (delegate_interface != NULL) { |
4869 | ifnet_lock_shared(ifp: delegate_interface); |
4870 | if (throughput.up == 0 && throughput.down == 0) { |
4871 | throughput.up = delegate_interface->if_estimated_up_bucket; |
4872 | throughput.down = delegate_interface->if_estimated_down_bucket; |
4873 | } |
4874 | if (delegate_interface->if_agentids != NULL) { |
4875 | for (u_int32_t i = 0; i < delegate_interface->if_agentcount; i++) { |
4876 | if (uuid_is_null(uu: delegate_interface->if_agentids[i])) { |
4877 | continue; |
4878 | } |
4879 | bool skip_agent = false; |
4880 | for (int j = 0; j < NECP_MAX_NETAGENTS; j++) { |
4881 | if (uuid_is_null(uu: result.netagents[j])) { |
4882 | break; |
4883 | } |
4884 | if ((result.netagent_use_flags[j] & NECP_AGENT_USE_FLAG_REMOVE) && |
4885 | uuid_compare(uu1: delegate_interface->if_agentids[i], uu2: result.netagents[j]) == 0) { |
4886 | skip_agent = true; |
4887 | break; |
4888 | } |
4889 | } |
4890 | if (skip_agent) { |
4891 | continue; |
4892 | } |
4893 | uuid_copy(dst: netagent.netagent_uuid, src: delegate_interface->if_agentids[i]); |
4894 | netagent.generation = netagent_get_generation(uuid: netagent.netagent_uuid); |
4895 | if (necp_netagent_applies_to_client(client, parameters: parsed_parameters, netagent_uuid: &netagent.netagent_uuid, FALSE, |
4896 | interface_index: delegate_interface->if_index, interface_generation: ifnet_get_generation(delegate_interface))) { |
4897 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_NETAGENT, length: sizeof(netagent), value: &netagent, updated: &updated, |
4898 | buffer: client->result, buffer_length: sizeof(client->result)); |
4899 | } |
4900 | } |
4901 | } |
4902 | ifnet_lock_done(ifp: delegate_interface); |
4903 | } |
4904 | ifnet_head_done(); |
4905 | |
4906 | if (throughput.up != 0 || throughput.down != 0) { |
4907 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_ESTIMATED_THROUGHPUT, |
4908 | length: sizeof(throughput), value: &throughput, updated: &updated, buffer: client->result, buffer_length: sizeof(client->result)); |
4909 | } |
4910 | |
4911 | // Add interface options |
4912 | for (u_int32_t option_i = 0; option_i < client->interface_option_count; option_i++) { |
4913 | if (option_i < NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT) { |
4914 | struct necp_client_interface_option *option = &client->interface_options[option_i]; |
4915 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_INTERFACE_OPTION, length: sizeof(*option), value: option, updated: &updated, |
4916 | buffer: client->result, buffer_length: sizeof(client->result)); |
4917 | } else { |
4918 | struct necp_client_interface_option *option = &client->extra_interface_options[option_i - NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT]; |
4919 | cursor = necp_buffer_write_tlv_if_different(cursor, NECP_CLIENT_RESULT_INTERFACE_OPTION, length: sizeof(*option), value: option, updated: &updated, |
4920 | buffer: client->result, buffer_length: sizeof(client->result)); |
4921 | } |
4922 | } |
4923 | |
4924 | size_t new_result_length = (cursor - client->result); |
4925 | if (new_result_length != client->result_length) { |
4926 | client->result_length = new_result_length; |
4927 | updated = TRUE; |
4928 | } |
4929 | |
4930 | // Update flow viability/flags |
4931 | if (necp_client_update_flows(proc, client, defunct_list)) { |
4932 | updated = TRUE; |
4933 | } |
4934 | |
4935 | if (updated) { |
4936 | client->result_read = FALSE; |
4937 | necp_client_update_observer_update(client); |
4938 | } |
4939 | |
4940 | kfree_type(struct necp_client_parsed_parameters, parsed_parameters); |
4941 | return updated; |
4942 | } |
4943 | |
4944 | static bool |
4945 | necp_defunct_client_fd_locked_inner(struct necp_fd_data *client_fd, struct _necp_flow_defunct_list *defunct_list, bool destroy_stats) |
4946 | { |
4947 | bool updated_result = FALSE; |
4948 | struct necp_client *client = NULL; |
4949 | |
4950 | NECP_FD_ASSERT_LOCKED(client_fd); |
4951 | |
4952 | RB_FOREACH(client, _necp_client_tree, &client_fd->clients) { |
4953 | struct necp_client_flow_registration *flow_registration = NULL; |
4954 | |
4955 | NECP_CLIENT_LOCK(client); |
4956 | |
4957 | // Prepare close events to be sent to the nexus to effectively remove the flows |
4958 | struct necp_client_flow *search_flow = NULL; |
4959 | RB_FOREACH(flow_registration, _necp_client_flow_tree, &client->flow_registrations) { |
4960 | LIST_FOREACH(search_flow, &flow_registration->flow_list, flow_chain) { |
4961 | if (search_flow->nexus && |
4962 | !uuid_is_null(uu: search_flow->u.nexus_agent)) { |
4963 | // Sleeping alloc won't fail; copy only what's necessary |
4964 | struct necp_flow_defunct *flow_defunct = kalloc_type(struct necp_flow_defunct, Z_WAITOK | Z_ZERO); |
4965 | uuid_copy(dst: flow_defunct->nexus_agent, src: search_flow->u.nexus_agent); |
4966 | uuid_copy(dst: flow_defunct->flow_id, src: ((flow_registration->flags & NECP_CLIENT_FLOW_FLAGS_USE_CLIENT_ID) ? |
4967 | client->client_id : |
4968 | flow_registration->registration_id)); |
4969 | flow_defunct->proc_pid = client->proc_pid; |
4970 | flow_defunct->agent_handle = client->agent_handle; |
4971 | flow_defunct->flags = flow_registration->flags; |
4972 | #if SKYWALK |
4973 | if (flow_registration->kstats_kaddr != NULL) { |
4974 | struct necp_all_stats *ustats_kaddr = ((struct necp_all_kstats *)flow_registration->kstats_kaddr)->necp_stats_ustats; |
4975 | struct necp_quic_stats *quicstats = (struct necp_quic_stats *)ustats_kaddr; |
4976 | if (quicstats != NULL && |
4977 | quicstats->necp_quic_udp_stats.necp_udp_hdr.necp_stats_type == NECP_CLIENT_STATISTICS_TYPE_QUIC) { |
4978 | memcpy(dst: flow_defunct->close_parameters.u.close_token, src: quicstats->necp_quic_extra.ssr_token, n: sizeof(flow_defunct->close_parameters.u.close_token)); |
4979 | flow_defunct->has_close_parameters = true; |
4980 | } |
4981 | } |
4982 | #endif /* SKYWALK */ |
4983 | // Add to the list provided by caller |
4984 | LIST_INSERT_HEAD(defunct_list, flow_defunct, chain); |
4985 | |
4986 | flow_registration->defunct = true; |
4987 | flow_registration->flow_result_read = false; |
4988 | updated_result = true; |
4989 | } |
4990 | } |
4991 | } |
4992 | if (destroy_stats) { |
4993 | #if SKYWALK |
4994 | // Free any remaining stats objects back to the arena where they came from; |
4995 | // do this independent of the above defunct check, as the client may have |
4996 | // been marked as defunct separately via necp_defunct_client_for_policy(). |
4997 | RB_FOREACH(flow_registration, _necp_client_flow_tree, &client->flow_registrations) { |
4998 | necp_destroy_flow_stats(fd_data: client_fd, flow_registration, NULL, FALSE); |
4999 | } |
5000 | #endif /* SKYWALK */ |
5001 | } |
5002 | NECP_CLIENT_UNLOCK(client); |
5003 | } |
5004 | |
5005 | return updated_result; |
5006 | } |
5007 | |
5008 | static inline void |
5009 | necp_defunct_client_fd_locked(struct necp_fd_data *client_fd, struct _necp_flow_defunct_list *defunct_list, struct proc *proc) |
5010 | { |
5011 | #pragma unused(proc) |
5012 | bool updated_result = FALSE; |
5013 | |
5014 | NECP_FD_ASSERT_LOCKED(client_fd); |
5015 | #if SKYWALK |
5016 | // redirect regions of currently-active stats arena to zero-filled pages |
5017 | struct necp_arena_info *nai = necp_fd_mredirect_stats_arena(fd_data: client_fd, proc); |
5018 | #endif /* SKYWALK */ |
5019 | |
5020 | updated_result = necp_defunct_client_fd_locked_inner(client_fd, defunct_list, true); |
5021 | |
5022 | #if SKYWALK |
5023 | // and tear down the currently-active arena's regions now that the redirection and freeing are done |
5024 | if (nai != NULL) { |
5025 | ASSERT((nai->nai_flags & (NAIF_REDIRECT | NAIF_DEFUNCT)) == NAIF_REDIRECT); |
5026 | ASSERT(nai->nai_arena != NULL); |
5027 | ASSERT(nai->nai_mmap.ami_mapref != NULL); |
5028 | |
5029 | int err = skmem_arena_defunct(nai->nai_arena); |
5030 | VERIFY(err == 0); |
5031 | |
5032 | nai->nai_flags |= NAIF_DEFUNCT; |
5033 | } |
5034 | #endif /* SKYWALK */ |
5035 | |
5036 | if (updated_result) { |
5037 | necp_fd_notify(fd_data: client_fd, true); |
5038 | } |
5039 | } |
5040 | |
5041 | static inline void |
5042 | necp_update_client_fd_locked(struct necp_fd_data *client_fd, |
5043 | proc_t proc, |
5044 | struct _necp_flow_defunct_list *defunct_list) |
5045 | { |
5046 | struct necp_client *client = NULL; |
5047 | bool updated_result = FALSE; |
5048 | NECP_FD_ASSERT_LOCKED(client_fd); |
5049 | RB_FOREACH(client, _necp_client_tree, &client_fd->clients) { |
5050 | NECP_CLIENT_LOCK(client); |
5051 | if (necp_update_client_result(proc, client_fd, client, defunct_list)) { |
5052 | updated_result = TRUE; |
5053 | } |
5054 | NECP_CLIENT_UNLOCK(client); |
5055 | } |
5056 | |
5057 | // Check if this PID needs to request in-process flow divert |
5058 | NECP_FD_LIST_ASSERT_LOCKED(); |
5059 | for (int i = 0; i < NECP_MAX_FLOW_DIVERT_NEEDED_PIDS; i++) { |
5060 | if (necp_flow_divert_needed_pids[i] == 0) { |
5061 | break; |
5062 | } |
5063 | if (necp_flow_divert_needed_pids[i] == client_fd->proc_pid) { |
5064 | client_fd->request_in_process_flow_divert = true; |
5065 | break; |
5066 | } |
5067 | } |
5068 | |
5069 | if (updated_result || client_fd->request_in_process_flow_divert) { |
5070 | necp_fd_notify(fd_data: client_fd, true); |
5071 | } |
5072 | } |
5073 | |
5074 | #if SKYWALK |
5075 | static void |
5076 | necp_close_empty_arenas_callout(__unused thread_call_param_t dummy, |
5077 | __unused thread_call_param_t arg) |
5078 | { |
5079 | struct necp_fd_data *client_fd = NULL; |
5080 | |
5081 | NECP_FD_LIST_LOCK_SHARED(); |
5082 | |
5083 | LIST_FOREACH(client_fd, &necp_fd_list, chain) { |
5084 | NECP_FD_LOCK(client_fd); |
5085 | necp_stats_arenas_destroy(fd_data: client_fd, FALSE); |
5086 | NECP_FD_UNLOCK(client_fd); |
5087 | } |
5088 | |
5089 | NECP_FD_LIST_UNLOCK(); |
5090 | } |
5091 | #endif /* SKYWALK */ |
5092 | |
5093 | static void |
5094 | necp_update_all_clients_callout(__unused thread_call_param_t dummy, |
5095 | __unused thread_call_param_t arg) |
5096 | { |
5097 | struct necp_fd_data *client_fd = NULL; |
5098 | |
5099 | NECP_UPDATE_ALL_CLIENTS_LOCK_EXCLUSIVE(); |
5100 | uint32_t count = necp_update_all_clients_sched_cnt; |
5101 | necp_update_all_clients_sched_cnt = 0; |
5102 | necp_update_all_clients_sched_abstime = 0; |
5103 | NECP_UPDATE_ALL_CLIENTS_UNLOCK(); |
5104 | |
5105 | if (necp_debug > 0) { |
5106 | NECPLOG(LOG_DEBUG, |
5107 | "necp_update_all_clients_callout running for coalesced %u updates" , |
5108 | count); |
5109 | } |
5110 | |
5111 | struct _necp_flow_defunct_list defunct_list; |
5112 | LIST_INIT(&defunct_list); |
5113 | |
5114 | NECP_FD_LIST_LOCK_SHARED(); |
5115 | |
5116 | LIST_FOREACH(client_fd, &necp_fd_list, chain) { |
5117 | proc_t proc = proc_find(pid: client_fd->proc_pid); |
5118 | if (proc == PROC_NULL) { |
5119 | continue; |
5120 | } |
5121 | |
5122 | // Update all clients on one fd |
5123 | NECP_FD_LOCK(client_fd); |
5124 | necp_update_client_fd_locked(client_fd, proc, defunct_list: &defunct_list); |
5125 | NECP_FD_UNLOCK(client_fd); |
5126 | |
5127 | proc_rele(p: proc); |
5128 | proc = PROC_NULL; |
5129 | } |
5130 | |
5131 | // Reset the necp_flow_divert_needed_pids list |
5132 | for (int i = 0; i < NECP_MAX_FLOW_DIVERT_NEEDED_PIDS; i++) { |
5133 | necp_flow_divert_needed_pids[i] = 0; |
5134 | } |
5135 | |
5136 | NECP_FD_LIST_UNLOCK(); |
5137 | |
5138 | // Handle the case in which some clients became newly defunct |
5139 | necp_process_defunct_list(defunct_list: &defunct_list); |
5140 | } |
5141 | |
5142 | void |
5143 | necp_update_all_clients(void) |
5144 | { |
5145 | necp_update_all_clients_immediately_if_needed(false); |
5146 | } |
5147 | |
5148 | void |
5149 | necp_update_all_clients_immediately_if_needed(bool should_update_immediately) |
5150 | { |
5151 | if (necp_client_update_tcall == NULL) { |
5152 | // Don't try to update clients if the module is not initialized |
5153 | return; |
5154 | } |
5155 | |
5156 | uint64_t deadline = 0; |
5157 | uint64_t leeway = 0; |
5158 | |
5159 | uint32_t timeout_to_use = necp_timeout_microseconds; |
5160 | uint32_t leeway_to_use = necp_timeout_leeway_microseconds; |
5161 | if (should_update_immediately) { |
5162 | timeout_to_use = 1000 * 10; // 10ms |
5163 | leeway_to_use = 1000 * 10; // 10ms; |
5164 | } |
5165 | |
5166 | clock_interval_to_deadline(interval: timeout_to_use, NSEC_PER_USEC, result: &deadline); |
5167 | clock_interval_to_absolutetime_interval(interval: leeway_to_use, NSEC_PER_USEC, result: &leeway); |
5168 | |
5169 | NECP_UPDATE_ALL_CLIENTS_LOCK_EXCLUSIVE(); |
5170 | bool need_cancel = false; |
5171 | bool need_schedule = true; |
5172 | uint64_t sched_abstime; |
5173 | |
5174 | clock_absolutetime_interval_to_deadline(abstime: deadline + leeway, result: &sched_abstime); |
5175 | |
5176 | /* |
5177 | * Do not push the timer if it is already scheduled |
5178 | */ |
5179 | if (necp_update_all_clients_sched_abstime != 0) { |
5180 | need_schedule = false; |
5181 | |
5182 | if (should_update_immediately) { |
5183 | /* |
5184 | * To update immediately we may have to cancel the current timer |
5185 | * if it's scheduled too far out. |
5186 | */ |
5187 | if (necp_update_all_clients_sched_abstime > sched_abstime) { |
5188 | need_cancel = true; |
5189 | need_schedule = true; |
5190 | } |
5191 | } |
5192 | } |
5193 | |
5194 | /* |
5195 | * Record the time of the deadline with leeway |
5196 | */ |
5197 | if (need_schedule) { |
5198 | necp_update_all_clients_sched_abstime = sched_abstime; |
5199 | } |
5200 | |
5201 | necp_update_all_clients_sched_cnt += 1; |
5202 | uint32_t count = necp_update_all_clients_sched_cnt; |
5203 | NECP_UPDATE_ALL_CLIENTS_UNLOCK(); |
5204 | |
5205 | if (need_schedule) { |
5206 | /* |
5207 | * Wait if the thread call is currently executing to make sure the |
5208 | * next update will be delivered to all clients |
5209 | */ |
5210 | if (need_cancel) { |
5211 | (void) thread_call_cancel_wait(call: necp_client_update_tcall); |
5212 | } |
5213 | |
5214 | (void) thread_call_enter_delayed_with_leeway(call: necp_client_update_tcall, NULL, |
5215 | deadline, leeway, THREAD_CALL_DELAY_LEEWAY); |
5216 | } |
5217 | if (necp_debug > 0) { |
5218 | NECPLOG(LOG_DEBUG, |
5219 | "necp_update_all_clients immediate %s update %u" , |
5220 | should_update_immediately ? "true" : "false" , count); |
5221 | } |
5222 | } |
5223 | |
5224 | bool |
5225 | necp_set_client_as_background(proc_t proc, |
5226 | struct fileproc *fp, |
5227 | bool background) |
5228 | { |
5229 | if (proc == PROC_NULL) { |
5230 | NECPLOG0(LOG_ERR, "NULL proc" ); |
5231 | return FALSE; |
5232 | } |
5233 | |
5234 | if (fp == NULL) { |
5235 | NECPLOG0(LOG_ERR, "NULL fp" ); |
5236 | return FALSE; |
5237 | } |
5238 | |
5239 | struct necp_fd_data *client_fd = (struct necp_fd_data *)fp_get_data(fp); |
5240 | if (client_fd == NULL) { |
5241 | NECPLOG0(LOG_ERR, "Could not find client structure for backgrounded client" ); |
5242 | return FALSE; |
5243 | } |
5244 | |
5245 | if (client_fd->necp_fd_type != necp_fd_type_client) { |
5246 | // Not a client fd, ignore |
5247 | NECPLOG0(LOG_ERR, "Not a client fd, ignore" ); |
5248 | return FALSE; |
5249 | } |
5250 | |
5251 | client_fd->background = background; |
5252 | |
5253 | return TRUE; |
5254 | } |
5255 | |
5256 | void |
5257 | necp_fd_memstatus(proc_t proc, uint32_t status, |
5258 | struct necp_fd_data *client_fd) |
5259 | { |
5260 | #pragma unused(proc, status, client_fd) |
5261 | ASSERT(proc != PROC_NULL); |
5262 | ASSERT(client_fd != NULL); |
5263 | |
5264 | // Nothing to reap for the process or client for now, |
5265 | // but this is where we would trigger that in future. |
5266 | } |
5267 | |
5268 | void |
5269 | necp_fd_defunct(proc_t proc, struct necp_fd_data *client_fd) |
5270 | { |
5271 | struct _necp_flow_defunct_list defunct_list; |
5272 | |
5273 | ASSERT(proc != PROC_NULL); |
5274 | ASSERT(client_fd != NULL); |
5275 | |
5276 | if (client_fd->necp_fd_type != necp_fd_type_client) { |
5277 | // Not a client fd, ignore |
5278 | return; |
5279 | } |
5280 | |
5281 | // Our local temporary list |
5282 | LIST_INIT(&defunct_list); |
5283 | |
5284 | // Need to hold lock so ntstats defunct the same set of clients |
5285 | NECP_FD_LOCK(client_fd); |
5286 | #if SKYWALK |
5287 | // Shut down statistics |
5288 | nstats_userland_stats_defunct_for_process(pid: proc_getpid(proc)); |
5289 | #endif /* SKYWALK */ |
5290 | necp_defunct_client_fd_locked(client_fd, defunct_list: &defunct_list, proc); |
5291 | NECP_FD_UNLOCK(client_fd); |
5292 | |
5293 | necp_process_defunct_list(defunct_list: &defunct_list); |
5294 | } |
5295 | |
5296 | void |
5297 | necp_client_request_in_process_flow_divert(pid_t pid) |
5298 | { |
5299 | if (pid == 0) { |
5300 | return; |
5301 | } |
5302 | |
5303 | // Add to the list of pids that should get an update. These will |
5304 | // get picked up on the next thread call to update client paths. |
5305 | NECP_FD_LIST_LOCK_SHARED(); |
5306 | for (int i = 0; i < NECP_MAX_FLOW_DIVERT_NEEDED_PIDS; i++) { |
5307 | if (necp_flow_divert_needed_pids[i] == 0) { |
5308 | necp_flow_divert_needed_pids[i] = pid; |
5309 | break; |
5310 | } |
5311 | } |
5312 | NECP_FD_LIST_UNLOCK(); |
5313 | } |
5314 | |
5315 | static void |
5316 | necp_client_remove_agent_from_result(struct necp_client *client, uuid_t netagent_uuid) |
5317 | { |
5318 | size_t offset = 0; |
5319 | |
5320 | u_int8_t *result_buffer = client->result; |
5321 | while ((offset + sizeof(struct necp_tlv_header)) <= client->result_length) { |
5322 | u_int8_t type = necp_buffer_get_tlv_type(buffer: result_buffer, tlv_offset: offset); |
5323 | u_int32_t length = necp_buffer_get_tlv_length(buffer: result_buffer, tlv_offset: offset); |
5324 | |
5325 | size_t tlv_total_length = (sizeof(struct necp_tlv_header) + length); |
5326 | if (type == NECP_CLIENT_RESULT_NETAGENT && |
5327 | length == sizeof(struct necp_client_result_netagent) && |
5328 | (offset + tlv_total_length) <= client->result_length) { |
5329 | struct necp_client_result_netagent *value = ((struct necp_client_result_netagent *)(void *) |
5330 | necp_buffer_get_tlv_value(buffer: result_buffer, tlv_offset: offset, NULL)); |
5331 | if (uuid_compare(uu1: value->netagent_uuid, uu2: netagent_uuid) == 0) { |
5332 | // Found a netagent to remove |
5333 | // Shift bytes down to remove the tlv, and adjust total length |
5334 | // Don't adjust the current offset |
5335 | memmove(dst: result_buffer + offset, |
5336 | src: result_buffer + offset + tlv_total_length, |
5337 | n: client->result_length - (offset + tlv_total_length)); |
5338 | client->result_length -= tlv_total_length; |
5339 | memset(s: result_buffer + client->result_length, c: 0, n: sizeof(client->result) - client->result_length); |
5340 | continue; |
5341 | } |
5342 | } |
5343 | |
5344 | offset += tlv_total_length; |
5345 | } |
5346 | } |
5347 | |
5348 | void |
5349 | necp_force_update_client(uuid_t client_id, uuid_t remove_netagent_uuid, u_int32_t agent_generation) |
5350 | { |
5351 | struct necp_fd_data *client_fd = NULL; |
5352 | |
5353 | NECP_FD_LIST_LOCK_SHARED(); |
5354 | |
5355 | LIST_FOREACH(client_fd, &necp_fd_list, chain) { |
5356 | bool updated_result = FALSE; |
5357 | NECP_FD_LOCK(client_fd); |
5358 | struct necp_client *client = necp_client_fd_find_client_and_lock(client_fd, client_id); |
5359 | if (client != NULL) { |
5360 | client->failed_trigger_agent.generation = agent_generation; |
5361 | uuid_copy(dst: client->failed_trigger_agent.netagent_uuid, src: remove_netagent_uuid); |
5362 | if (!uuid_is_null(uu: remove_netagent_uuid)) { |
5363 | necp_client_remove_agent_from_result(client, netagent_uuid: remove_netagent_uuid); |
5364 | } |
5365 | client->result_read = FALSE; |
5366 | // Found the client, break |
5367 | updated_result = TRUE; |
5368 | NECP_CLIENT_UNLOCK(client); |
5369 | } |
5370 | if (updated_result) { |
5371 | necp_fd_notify(fd_data: client_fd, true); |
5372 | } |
5373 | NECP_FD_UNLOCK(client_fd); |
5374 | if (updated_result) { |
5375 | // Found the client, break |
5376 | break; |
5377 | } |
5378 | } |
5379 | |
5380 | NECP_FD_LIST_UNLOCK(); |
5381 | } |
5382 | |
5383 | #if SKYWALK |
5384 | void |
5385 | necp_client_early_close(uuid_t client_id) |
5386 | { |
5387 | NECP_CLIENT_TREE_LOCK_SHARED(); |
5388 | |
5389 | struct necp_client *client = necp_find_client_and_lock(client_id); |
5390 | if (client != NULL) { |
5391 | struct necp_client_flow_registration *flow_registration = necp_client_find_flow(client, flow_id: client_id); |
5392 | if (flow_registration != NULL) { |
5393 | // Found the right client and flow, mark the stats as over |
5394 | if (flow_registration->stats_handler_context != NULL) { |
5395 | ntstat_userland_stats_event(nstat_ctx: flow_registration->stats_handler_context, |
5396 | NECP_CLIENT_STATISTICS_EVENT_TIME_WAIT); |
5397 | } |
5398 | } |
5399 | NECP_CLIENT_UNLOCK(client); |
5400 | } |
5401 | |
5402 | NECP_CLIENT_TREE_UNLOCK(); |
5403 | } |
5404 | #endif /* SKYWALK */ |
5405 | |
5406 | /// Interface matching |
5407 | |
5408 | #define NECP_PARSED_PARAMETERS_INTERESTING_IFNET_FIELDS (NECP_PARSED_PARAMETERS_FIELD_LOCAL_ADDR | \ |
5409 | NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_IF | \ |
5410 | NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IFTYPE | \ |
5411 | NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_IFTYPE | \ |
5412 | NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT | \ |
5413 | NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_AGENT | \ |
5414 | NECP_PARSED_PARAMETERS_FIELD_PREFERRED_AGENT | \ |
5415 | NECP_PARSED_PARAMETERS_FIELD_AVOIDED_AGENT | \ |
5416 | NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT_TYPE | \ |
5417 | NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_AGENT_TYPE | \ |
5418 | NECP_PARSED_PARAMETERS_FIELD_PREFERRED_AGENT_TYPE | \ |
5419 | NECP_PARSED_PARAMETERS_FIELD_AVOIDED_AGENT_TYPE) |
5420 | |
5421 | #define NECP_PARSED_PARAMETERS_SCOPED_FIELDS (NECP_PARSED_PARAMETERS_FIELD_LOCAL_ADDR | \ |
5422 | NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IFTYPE | \ |
5423 | NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT | \ |
5424 | NECP_PARSED_PARAMETERS_FIELD_PREFERRED_AGENT | \ |
5425 | NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT_TYPE | \ |
5426 | NECP_PARSED_PARAMETERS_FIELD_PREFERRED_AGENT_TYPE) |
5427 | |
5428 | #define NECP_PARSED_PARAMETERS_SCOPED_IFNET_FIELDS (NECP_PARSED_PARAMETERS_FIELD_LOCAL_ADDR | \ |
5429 | NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IFTYPE) |
5430 | |
5431 | #define NECP_PARSED_PARAMETERS_PREFERRED_FIELDS (NECP_PARSED_PARAMETERS_FIELD_PREFERRED_AGENT | \ |
5432 | NECP_PARSED_PARAMETERS_FIELD_AVOIDED_AGENT | \ |
5433 | NECP_PARSED_PARAMETERS_FIELD_PREFERRED_AGENT_TYPE | \ |
5434 | NECP_PARSED_PARAMETERS_FIELD_AVOIDED_AGENT_TYPE) |
5435 | |
5436 | static bool |
5437 | necp_ifnet_matches_type(struct ifnet *ifp, u_int8_t interface_type, bool check_delegates) |
5438 | { |
5439 | struct ifnet *check_ifp = ifp; |
5440 | while (check_ifp) { |
5441 | if (if_functional_type(check_ifp, TRUE) == interface_type) { |
5442 | return TRUE; |
5443 | } |
5444 | if (!check_delegates) { |
5445 | break; |
5446 | } |
5447 | check_ifp = check_ifp->if_delegated.ifp; |
5448 | } |
5449 | return FALSE; |
5450 | } |
5451 | |
5452 | static bool |
5453 | necp_ifnet_matches_name(struct ifnet *ifp, const char *interface_name, bool check_delegates) |
5454 | { |
5455 | struct ifnet *check_ifp = ifp; |
5456 | while (check_ifp) { |
5457 | if (strncmp(s1: check_ifp->if_xname, s2: interface_name, IFXNAMSIZ) == 0) { |
5458 | return TRUE; |
5459 | } |
5460 | if (!check_delegates) { |
5461 | break; |
5462 | } |
5463 | check_ifp = check_ifp->if_delegated.ifp; |
5464 | } |
5465 | return FALSE; |
5466 | } |
5467 | |
5468 | static bool |
5469 | necp_ifnet_matches_agent(struct ifnet *ifp, uuid_t *agent_uuid, bool check_delegates) |
5470 | { |
5471 | struct ifnet *check_ifp = ifp; |
5472 | |
5473 | while (check_ifp != NULL) { |
5474 | ifnet_lock_shared(ifp: check_ifp); |
5475 | if (check_ifp->if_agentids != NULL) { |
5476 | for (u_int32_t index = 0; index < check_ifp->if_agentcount; index++) { |
5477 | if (uuid_compare(uu1: check_ifp->if_agentids[index], uu2: *agent_uuid) == 0) { |
5478 | ifnet_lock_done(ifp: check_ifp); |
5479 | return TRUE; |
5480 | } |
5481 | } |
5482 | } |
5483 | ifnet_lock_done(ifp: check_ifp); |
5484 | |
5485 | if (!check_delegates) { |
5486 | break; |
5487 | } |
5488 | check_ifp = check_ifp->if_delegated.ifp; |
5489 | } |
5490 | return FALSE; |
5491 | } |
5492 | |
5493 | static bool |
5494 | necp_ifnet_matches_agent_type(struct ifnet *ifp, const char *agent_domain, const char *agent_type, bool check_delegates) |
5495 | { |
5496 | struct ifnet *check_ifp = ifp; |
5497 | |
5498 | while (check_ifp != NULL) { |
5499 | ifnet_lock_shared(ifp: check_ifp); |
5500 | if (check_ifp->if_agentids != NULL) { |
5501 | for (u_int32_t index = 0; index < check_ifp->if_agentcount; index++) { |
5502 | if (uuid_is_null(uu: check_ifp->if_agentids[index])) { |
5503 | continue; |
5504 | } |
5505 | |
5506 | char if_agent_domain[NETAGENT_DOMAINSIZE] = { 0 }; |
5507 | char if_agent_type[NETAGENT_TYPESIZE] = { 0 }; |
5508 | |
5509 | if (netagent_get_agent_domain_and_type(uuid: check_ifp->if_agentids[index], domain: if_agent_domain, type: if_agent_type)) { |
5510 | if (necp_agent_types_match(agent_domain1: agent_domain, agent_type1: agent_type, agent_domain2: if_agent_domain, agent_type2: if_agent_type)) { |
5511 | ifnet_lock_done(ifp: check_ifp); |
5512 | return TRUE; |
5513 | } |
5514 | } |
5515 | } |
5516 | } |
5517 | ifnet_lock_done(ifp: check_ifp); |
5518 | |
5519 | if (!check_delegates) { |
5520 | break; |
5521 | } |
5522 | check_ifp = check_ifp->if_delegated.ifp; |
5523 | } |
5524 | return FALSE; |
5525 | } |
5526 | |
5527 | static bool |
5528 | necp_ifnet_matches_local_address(struct ifnet *ifp, struct sockaddr *sa) |
5529 | { |
5530 | struct ifaddr *ifa = NULL; |
5531 | bool matched_local_address = FALSE; |
5532 | |
5533 | // Transform sa into the ifaddr form |
5534 | // IPv6 Scope IDs are always embedded in the ifaddr list |
5535 | struct sockaddr_storage address; |
5536 | u_int ifscope = IFSCOPE_NONE; |
5537 | (void)sa_copy(sa, &address, &ifscope); |
5538 | SIN(&address)->sin_port = 0; |
5539 | if (address.ss_family == AF_INET6) { |
5540 | if (in6_embedded_scope || |
5541 | !IN6_IS_SCOPE_EMBED(&SIN6(&address)->sin6_addr)) { |
5542 | SIN6(&address)->sin6_scope_id = 0; |
5543 | } |
5544 | } |
5545 | |
5546 | ifa = ifa_ifwithaddr_scoped_locked((struct sockaddr *)&address, ifp->if_index); |
5547 | matched_local_address = (ifa != NULL); |
5548 | |
5549 | if (ifa) { |
5550 | ifaddr_release(ifaddr: ifa); |
5551 | } |
5552 | |
5553 | return matched_local_address; |
5554 | } |
5555 | |
5556 | static bool |
5557 | necp_interface_type_should_match_unranked_interfaces(u_int8_t interface_type) |
5558 | { |
5559 | switch (interface_type) { |
5560 | // These are the interface types we allow a client to request even if the matching |
5561 | // interface isn't currently eligible to be primary (has default route, dns, etc) |
5562 | case IFRTYPE_FUNCTIONAL_WIFI_AWDL: |
5563 | case IFRTYPE_FUNCTIONAL_INTCOPROC: |
5564 | case IFRTYPE_FUNCTIONAL_COMPANIONLINK: |
5565 | return true; |
5566 | default: |
5567 | break; |
5568 | } |
5569 | return false; |
5570 | } |
5571 | |
5572 | #define NECP_IFP_IS_ON_ORDERED_LIST(_ifp) ((_ifp)->if_ordered_link.tqe_next != NULL || (_ifp)->if_ordered_link.tqe_prev != NULL) |
5573 | |
5574 | // Secondary interface flag indicates that the interface is being |
5575 | // used for multipath or a listener as an extra path |
5576 | static bool |
5577 | necp_ifnet_matches_parameters(struct ifnet *ifp, |
5578 | struct necp_client_parsed_parameters *parsed_parameters, |
5579 | u_int32_t override_flags, |
5580 | u_int32_t *preferred_count, |
5581 | bool secondary_interface, |
5582 | bool require_scoped_field) |
5583 | { |
5584 | bool matched_some_scoped_field = FALSE; |
5585 | |
5586 | if (preferred_count) { |
5587 | *preferred_count = 0; |
5588 | } |
5589 | |
5590 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IF) { |
5591 | if (parsed_parameters->required_interface_index != ifp->if_index) { |
5592 | return FALSE; |
5593 | } |
5594 | } |
5595 | #if SKYWALK |
5596 | else { |
5597 | if (ifnet_is_low_latency(ifp)) { |
5598 | return FALSE; |
5599 | } |
5600 | } |
5601 | #endif /* SKYWALK */ |
5602 | |
5603 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_LOCAL_ADDR) { |
5604 | if (!necp_ifnet_matches_local_address(ifp, SA(&parsed_parameters->local_addr.sa))) { |
5605 | return FALSE; |
5606 | } |
5607 | if (require_scoped_field) { |
5608 | matched_some_scoped_field = TRUE; |
5609 | } |
5610 | } |
5611 | |
5612 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_FLAGS) { |
5613 | if (override_flags != 0) { |
5614 | if ((override_flags & NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_EXPENSIVE) && |
5615 | IFNET_IS_EXPENSIVE(ifp)) { |
5616 | return FALSE; |
5617 | } |
5618 | if ((override_flags & NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_CONSTRAINED) && |
5619 | IFNET_IS_CONSTRAINED(ifp)) { |
5620 | return FALSE; |
5621 | } |
5622 | } else { |
5623 | if ((parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_EXPENSIVE) && |
5624 | IFNET_IS_EXPENSIVE(ifp)) { |
5625 | return FALSE; |
5626 | } |
5627 | if ((parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_CONSTRAINED) && |
5628 | IFNET_IS_CONSTRAINED(ifp)) { |
5629 | return FALSE; |
5630 | } |
5631 | } |
5632 | } |
5633 | |
5634 | if ((!secondary_interface || // Enforce interface type if this is the primary interface |
5635 | !(parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_FLAGS) || // or if there are no flags |
5636 | !(parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_ONLY_PRIMARY_REQUIRES_TYPE)) && // or if the flags don't give an exception |
5637 | (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IFTYPE) && |
5638 | !necp_ifnet_matches_type(ifp, interface_type: parsed_parameters->required_interface_type, FALSE)) { |
5639 | return FALSE; |
5640 | } |
5641 | |
5642 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IFTYPE) { |
5643 | if (require_scoped_field) { |
5644 | matched_some_scoped_field = TRUE; |
5645 | } |
5646 | } |
5647 | |
5648 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_IFTYPE) { |
5649 | for (int i = 0; i < NECP_MAX_INTERFACE_PARAMETERS; i++) { |
5650 | if (parsed_parameters->prohibited_interface_types[i] == 0) { |
5651 | break; |
5652 | } |
5653 | |
5654 | if (necp_ifnet_matches_type(ifp, interface_type: parsed_parameters->prohibited_interface_types[i], TRUE)) { |
5655 | return FALSE; |
5656 | } |
5657 | } |
5658 | } |
5659 | |
5660 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_IF) { |
5661 | for (int i = 0; i < NECP_MAX_INTERFACE_PARAMETERS; i++) { |
5662 | if (strlen(s: parsed_parameters->prohibited_interfaces[i]) == 0) { |
5663 | break; |
5664 | } |
5665 | |
5666 | if (necp_ifnet_matches_name(ifp, interface_name: parsed_parameters->prohibited_interfaces[i], TRUE)) { |
5667 | return FALSE; |
5668 | } |
5669 | } |
5670 | } |
5671 | |
5672 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT) { |
5673 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
5674 | if (uuid_is_null(uu: parsed_parameters->required_netagents[i])) { |
5675 | break; |
5676 | } |
5677 | |
5678 | if (!necp_ifnet_matches_agent(ifp, agent_uuid: &parsed_parameters->required_netagents[i], FALSE)) { |
5679 | return FALSE; |
5680 | } |
5681 | |
5682 | if (require_scoped_field) { |
5683 | matched_some_scoped_field = TRUE; |
5684 | } |
5685 | } |
5686 | } |
5687 | |
5688 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_AGENT) { |
5689 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
5690 | if (uuid_is_null(uu: parsed_parameters->prohibited_netagents[i])) { |
5691 | break; |
5692 | } |
5693 | |
5694 | if (necp_ifnet_matches_agent(ifp, agent_uuid: &parsed_parameters->prohibited_netagents[i], TRUE)) { |
5695 | return FALSE; |
5696 | } |
5697 | } |
5698 | } |
5699 | |
5700 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REQUIRED_AGENT_TYPE) { |
5701 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
5702 | if (strlen(s: parsed_parameters->required_netagent_types[i].netagent_domain) == 0 && |
5703 | strlen(s: parsed_parameters->required_netagent_types[i].netagent_type) == 0) { |
5704 | break; |
5705 | } |
5706 | |
5707 | if (!necp_ifnet_matches_agent_type(ifp, agent_domain: parsed_parameters->required_netagent_types[i].netagent_domain, agent_type: parsed_parameters->required_netagent_types[i].netagent_type, FALSE)) { |
5708 | return FALSE; |
5709 | } |
5710 | |
5711 | if (require_scoped_field) { |
5712 | matched_some_scoped_field = TRUE; |
5713 | } |
5714 | } |
5715 | } |
5716 | |
5717 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_PROHIBITED_AGENT_TYPE) { |
5718 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
5719 | if (strlen(s: parsed_parameters->prohibited_netagent_types[i].netagent_domain) == 0 && |
5720 | strlen(s: parsed_parameters->prohibited_netagent_types[i].netagent_type) == 0) { |
5721 | break; |
5722 | } |
5723 | |
5724 | if (necp_ifnet_matches_agent_type(ifp, agent_domain: parsed_parameters->prohibited_netagent_types[i].netagent_domain, agent_type: parsed_parameters->prohibited_netagent_types[i].netagent_type, TRUE)) { |
5725 | return FALSE; |
5726 | } |
5727 | } |
5728 | } |
5729 | |
5730 | // Checked preferred properties |
5731 | if (preferred_count) { |
5732 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_PREFERRED_AGENT) { |
5733 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
5734 | if (uuid_is_null(uu: parsed_parameters->preferred_netagents[i])) { |
5735 | break; |
5736 | } |
5737 | |
5738 | if (necp_ifnet_matches_agent(ifp, agent_uuid: &parsed_parameters->preferred_netagents[i], TRUE)) { |
5739 | (*preferred_count)++; |
5740 | if (require_scoped_field) { |
5741 | matched_some_scoped_field = TRUE; |
5742 | } |
5743 | } |
5744 | } |
5745 | } |
5746 | |
5747 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_PREFERRED_AGENT_TYPE) { |
5748 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
5749 | if (strlen(s: parsed_parameters->preferred_netagent_types[i].netagent_domain) == 0 && |
5750 | strlen(s: parsed_parameters->preferred_netagent_types[i].netagent_type) == 0) { |
5751 | break; |
5752 | } |
5753 | |
5754 | if (necp_ifnet_matches_agent_type(ifp, agent_domain: parsed_parameters->preferred_netagent_types[i].netagent_domain, agent_type: parsed_parameters->preferred_netagent_types[i].netagent_type, TRUE)) { |
5755 | (*preferred_count)++; |
5756 | if (require_scoped_field) { |
5757 | matched_some_scoped_field = TRUE; |
5758 | } |
5759 | } |
5760 | } |
5761 | } |
5762 | |
5763 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_AVOIDED_AGENT) { |
5764 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
5765 | if (uuid_is_null(uu: parsed_parameters->avoided_netagents[i])) { |
5766 | break; |
5767 | } |
5768 | |
5769 | if (!necp_ifnet_matches_agent(ifp, agent_uuid: &parsed_parameters->avoided_netagents[i], TRUE)) { |
5770 | (*preferred_count)++; |
5771 | } |
5772 | } |
5773 | } |
5774 | |
5775 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_AVOIDED_AGENT_TYPE) { |
5776 | for (int i = 0; i < NECP_MAX_AGENT_PARAMETERS; i++) { |
5777 | if (strlen(s: parsed_parameters->avoided_netagent_types[i].netagent_domain) == 0 && |
5778 | strlen(s: parsed_parameters->avoided_netagent_types[i].netagent_type) == 0) { |
5779 | break; |
5780 | } |
5781 | |
5782 | if (!necp_ifnet_matches_agent_type(ifp, agent_domain: parsed_parameters->avoided_netagent_types[i].netagent_domain, |
5783 | agent_type: parsed_parameters->avoided_netagent_types[i].netagent_type, TRUE)) { |
5784 | (*preferred_count)++; |
5785 | } |
5786 | } |
5787 | } |
5788 | } |
5789 | |
5790 | if (require_scoped_field) { |
5791 | return matched_some_scoped_field; |
5792 | } |
5793 | |
5794 | return TRUE; |
5795 | } |
5796 | |
5797 | static bool |
5798 | necp_find_matching_interface_index(struct necp_client_parsed_parameters *parsed_parameters, |
5799 | u_int *return_ifindex, bool *validate_agents) |
5800 | { |
5801 | struct ifnet *ifp = NULL; |
5802 | u_int32_t best_preferred_count = 0; |
5803 | bool has_preferred_fields = FALSE; |
5804 | *return_ifindex = 0; |
5805 | |
5806 | if (parsed_parameters->required_interface_index != 0) { |
5807 | *return_ifindex = parsed_parameters->required_interface_index; |
5808 | return TRUE; |
5809 | } |
5810 | |
5811 | // Check and save off flags |
5812 | u_int32_t flags = 0; |
5813 | bool has_prohibit_flags = FALSE; |
5814 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_FLAGS) { |
5815 | flags = parsed_parameters->flags; |
5816 | has_prohibit_flags = (parsed_parameters->flags & |
5817 | (NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_EXPENSIVE | |
5818 | NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_CONSTRAINED)); |
5819 | } |
5820 | |
5821 | if (!(parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_INTERESTING_IFNET_FIELDS) && |
5822 | !has_prohibit_flags) { |
5823 | return TRUE; |
5824 | } |
5825 | |
5826 | has_preferred_fields = (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_PREFERRED_FIELDS); |
5827 | |
5828 | // We have interesting parameters to parse and find a matching interface |
5829 | ifnet_head_lock_shared(); |
5830 | |
5831 | if (!(parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_SCOPED_FIELDS) && |
5832 | !has_preferred_fields) { |
5833 | // We do have fields to match, but they are only prohibitory |
5834 | // If the first interface in the list matches, or there are no ordered interfaces, we don't need to scope |
5835 | ifp = TAILQ_FIRST(&ifnet_ordered_head); |
5836 | if (ifp == NULL || necp_ifnet_matches_parameters(ifp, parsed_parameters, override_flags: 0, NULL, false, false)) { |
5837 | // Don't set return_ifindex, so the client doesn't need to scope |
5838 | ifnet_head_done(); |
5839 | return TRUE; |
5840 | } |
5841 | |
5842 | if (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REMOTE_ADDR && |
5843 | parsed_parameters->remote_addr.sin6.sin6_family == AF_INET6 && |
5844 | parsed_parameters->remote_addr.sin6.sin6_scope_id != IFSCOPE_NONE && |
5845 | parsed_parameters->remote_addr.sin6.sin6_scope_id <= (u_int32_t)if_index) { |
5846 | ifp = ifindex2ifnet[parsed_parameters->remote_addr.sin6.sin6_scope_id]; |
5847 | if (ifp != NULL && necp_ifnet_matches_parameters(ifp, parsed_parameters, override_flags: 0, NULL, false, false)) { |
5848 | // Don't set return_ifindex, so the client doesn't need to scope since the v6 scope ID will |
5849 | // already route to the correct interface |
5850 | ifnet_head_done(); |
5851 | return TRUE; |
5852 | } |
5853 | } |
5854 | } |
5855 | |
5856 | // First check the ordered interface list |
5857 | TAILQ_FOREACH(ifp, &ifnet_ordered_head, if_ordered_link) { |
5858 | u_int32_t preferred_count = 0; |
5859 | if (necp_ifnet_matches_parameters(ifp, parsed_parameters, override_flags: flags, preferred_count: &preferred_count, false, false)) { |
5860 | if (preferred_count > best_preferred_count || |
5861 | *return_ifindex == 0) { |
5862 | // Everything matched, and is most preferred. Return this interface. |
5863 | *return_ifindex = ifp->if_index; |
5864 | best_preferred_count = preferred_count; |
5865 | |
5866 | if (!has_preferred_fields) { |
5867 | break; |
5868 | } |
5869 | } |
5870 | } |
5871 | |
5872 | if (has_prohibit_flags && |
5873 | ifp == TAILQ_FIRST(&ifnet_ordered_head)) { |
5874 | // This was the first interface. From here on, if the |
5875 | // client prohibited either expensive or constrained, |
5876 | // don't allow either as a secondary interface option. |
5877 | flags |= (NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_EXPENSIVE | |
5878 | NECP_CLIENT_PARAMETER_FLAG_PROHIBIT_CONSTRAINED); |
5879 | } |
5880 | } |
5881 | |
5882 | bool is_listener = ((parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_FLAGS) && |
5883 | (parsed_parameters->flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER)); |
5884 | |
5885 | // Then check the remaining interfaces |
5886 | if ((parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_SCOPED_FIELDS) && |
5887 | ((!(parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_REQUIRED_IFTYPE)) || |
5888 | necp_interface_type_should_match_unranked_interfaces(interface_type: parsed_parameters->required_interface_type) || |
5889 | (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_FIELD_LOCAL_ADDR) || |
5890 | is_listener) && |
5891 | (*return_ifindex == 0 || has_preferred_fields)) { |
5892 | TAILQ_FOREACH(ifp, &ifnet_head, if_link) { |
5893 | u_int32_t preferred_count = 0; |
5894 | if (NECP_IFP_IS_ON_ORDERED_LIST(ifp)) { |
5895 | // This interface was in the ordered list, skip |
5896 | continue; |
5897 | } |
5898 | if (necp_ifnet_matches_parameters(ifp, parsed_parameters, override_flags: flags, preferred_count: &preferred_count, false, true)) { |
5899 | if (preferred_count > best_preferred_count || |
5900 | *return_ifindex == 0) { |
5901 | // Everything matched, and is most preferred. Return this interface. |
5902 | *return_ifindex = ifp->if_index; |
5903 | best_preferred_count = preferred_count; |
5904 | |
5905 | if (!has_preferred_fields) { |
5906 | break; |
5907 | } |
5908 | } |
5909 | } |
5910 | } |
5911 | } |
5912 | |
5913 | ifnet_head_done(); |
5914 | |
5915 | if (has_preferred_fields && best_preferred_count == 0 && |
5916 | ((parsed_parameters->valid_fields & (NECP_PARSED_PARAMETERS_SCOPED_FIELDS | NECP_PARSED_PARAMETERS_PREFERRED_FIELDS)) == |
5917 | (parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_PREFERRED_FIELDS))) { |
5918 | // If only has preferred ifnet fields, and nothing was found, clear the interface index and return TRUE |
5919 | *return_ifindex = 0; |
5920 | return TRUE; |
5921 | } |
5922 | |
5923 | if (*return_ifindex == 0 && |
5924 | !(parsed_parameters->valid_fields & NECP_PARSED_PARAMETERS_SCOPED_IFNET_FIELDS)) { |
5925 | // Has required fields, but not including specific interface fields. Pass for now, and check |
5926 | // to see if agents are satisfied by policy. |
5927 | *validate_agents = TRUE; |
5928 | return TRUE; |
5929 | } |
5930 | |
5931 | return *return_ifindex != 0; |
5932 | } |
5933 | |
5934 | void |
5935 | necp_copy_inp_domain_info(struct inpcb *inp, struct socket *so, nstat_domain_info *domain_info) |
5936 | { |
5937 | if (inp == NULL || so == NULL || domain_info == NULL) { |
5938 | return; |
5939 | } |
5940 | |
5941 | necp_lock_socket_attributes(); |
5942 | |
5943 | domain_info->is_tracker = !!(so->so_flags1 & SOF1_KNOWN_TRACKER); |
5944 | domain_info->is_non_app_initiated = !!(so->so_flags1 & SOF1_TRACKER_NON_APP_INITIATED); |
5945 | if (domain_info->is_tracker && |
5946 | inp->inp_necp_attributes.inp_tracker_domain != NULL) { |
5947 | strlcpy(dst: domain_info->domain_name, src: inp->inp_necp_attributes.inp_tracker_domain, |
5948 | n: sizeof(domain_info->domain_name)); |
5949 | } else if (inp->inp_necp_attributes.inp_domain != NULL) { |
5950 | strlcpy(dst: domain_info->domain_name, src: inp->inp_necp_attributes.inp_domain, |
5951 | n: sizeof(domain_info->domain_name)); |
5952 | } |
5953 | if (inp->inp_necp_attributes.inp_domain_owner != NULL) { |
5954 | strlcpy(dst: domain_info->domain_owner, src: inp->inp_necp_attributes.inp_domain_owner, |
5955 | n: sizeof(domain_info->domain_owner)); |
5956 | } |
5957 | if (inp->inp_necp_attributes.inp_domain_context != NULL) { |
5958 | strlcpy(dst: domain_info->domain_tracker_ctxt, src: inp->inp_necp_attributes.inp_domain_context, |
5959 | n: sizeof(domain_info->domain_tracker_ctxt)); |
5960 | } |
5961 | |
5962 | necp_unlock_socket_attributes(); |
5963 | } |
5964 | |
5965 | void |
5966 | necp_with_inp_domain_name(struct socket *so, void *ctx, void (*with_func)(char *domain_name, void *ctx)) |
5967 | { |
5968 | struct inpcb *inp = NULL; |
5969 | |
5970 | if (so == NULL || with_func == NULL) { |
5971 | return; |
5972 | } |
5973 | |
5974 | inp = (struct inpcb *)so->so_pcb; |
5975 | if (inp == NULL) { |
5976 | return; |
5977 | } |
5978 | |
5979 | necp_lock_socket_attributes(); |
5980 | with_func(inp->inp_necp_attributes.inp_domain, ctx); |
5981 | necp_unlock_socket_attributes(); |
5982 | } |
5983 | |
5984 | static size_t |
5985 | necp_find_domain_info_common(struct necp_client *client, |
5986 | u_int8_t *parameters, |
5987 | size_t parameters_size, |
5988 | struct necp_client_flow_registration *flow_registration, /* For logging purposes only */ |
5989 | nstat_domain_info *domain_info) |
5990 | { |
5991 | if (client == NULL) { |
5992 | return 0; |
5993 | } |
5994 | if (domain_info == NULL) { |
5995 | return sizeof(nstat_domain_info); |
5996 | } |
5997 | |
5998 | size_t offset = 0; |
5999 | u_int32_t flags = 0; |
6000 | u_int8_t *tracker_domain = NULL; |
6001 | u_int8_t *domain = NULL; |
6002 | size_t tracker_domain_length = 0; |
6003 | size_t domain_length = 0; |
6004 | |
6005 | NECP_CLIENT_FLOW_LOG(client, flow_registration, "Collecting stats" ); |
6006 | |
6007 | while ((offset + sizeof(struct necp_tlv_header)) <= parameters_size) { |
6008 | u_int8_t type = necp_buffer_get_tlv_type(buffer: parameters, tlv_offset: offset); |
6009 | u_int32_t length = necp_buffer_get_tlv_length(buffer: parameters, tlv_offset: offset); |
6010 | |
6011 | if (length > (parameters_size - (offset + sizeof(struct necp_tlv_header)))) { |
6012 | // If the length is larger than what can fit in the remaining parameters size, bail |
6013 | NECPLOG(LOG_ERR, "Invalid TLV length (%u)" , length); |
6014 | break; |
6015 | } |
6016 | |
6017 | if (length > 0) { |
6018 | u_int8_t *value = necp_buffer_get_tlv_value(buffer: parameters, tlv_offset: offset, NULL); |
6019 | if (value != NULL) { |
6020 | switch (type) { |
6021 | case NECP_CLIENT_PARAMETER_FLAGS: { |
6022 | if (length >= sizeof(u_int32_t)) { |
6023 | memcpy(dst: &flags, src: value, n: sizeof(u_int32_t)); |
6024 | } |
6025 | |
6026 | domain_info->is_tracker = |
6027 | !!(flags & NECP_CLIENT_PARAMETER_FLAG_KNOWN_TRACKER); |
6028 | domain_info->is_non_app_initiated = |
6029 | !!(flags & NECP_CLIENT_PARAMETER_FLAG_NON_APP_INITIATED); |
6030 | domain_info->is_silent = |
6031 | !!(flags & NECP_CLIENT_PARAMETER_FLAG_SILENT); |
6032 | break; |
6033 | } |
6034 | case NECP_CLIENT_PARAMETER_TRACKER_DOMAIN: { |
6035 | tracker_domain_length = length; |
6036 | tracker_domain = value; |
6037 | break; |
6038 | } |
6039 | case NECP_CLIENT_PARAMETER_DOMAIN: { |
6040 | domain_length = length; |
6041 | domain = value; |
6042 | break; |
6043 | } |
6044 | case NECP_CLIENT_PARAMETER_DOMAIN_OWNER: { |
6045 | size_t length_to_copy = MIN(length, sizeof(domain_info->domain_owner)); |
6046 | strlcpy(dst: domain_info->domain_owner, src: (const char *)value, n: length_to_copy); |
6047 | break; |
6048 | } |
6049 | case NECP_CLIENT_PARAMETER_DOMAIN_CONTEXT: { |
6050 | size_t length_to_copy = MIN(length, sizeof(domain_info->domain_tracker_ctxt)); |
6051 | strlcpy(dst: domain_info->domain_tracker_ctxt, src: (const char *)value, n: length_to_copy); |
6052 | break; |
6053 | } |
6054 | case NECP_CLIENT_PARAMETER_ATTRIBUTED_BUNDLE_IDENTIFIER: { |
6055 | size_t length_to_copy = MIN(length, sizeof(domain_info->domain_attributed_bundle_id)); |
6056 | strlcpy(dst: domain_info->domain_attributed_bundle_id, src: (const char *)value, n: length_to_copy); |
6057 | break; |
6058 | } |
6059 | case NECP_CLIENT_PARAMETER_REMOTE_ADDRESS: { |
6060 | if (length >= sizeof(struct necp_policy_condition_addr)) { |
6061 | struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value; |
6062 | if (necp_client_address_is_valid(&address_struct->address.sa)) { |
6063 | memcpy(dst: &domain_info->remote, src: &address_struct->address, n: sizeof(address_struct->address)); |
6064 | } |
6065 | } |
6066 | break; |
6067 | } |
6068 | default: { |
6069 | break; |
6070 | } |
6071 | } |
6072 | } |
6073 | } |
6074 | offset += sizeof(struct necp_tlv_header) + length; |
6075 | } |
6076 | |
6077 | if (domain_info->is_tracker && tracker_domain != NULL && tracker_domain_length > 0) { |
6078 | size_t length_to_copy = MIN(tracker_domain_length, sizeof(domain_info->domain_name)); |
6079 | strlcpy(dst: domain_info->domain_name, src: (const char *)tracker_domain, n: length_to_copy); |
6080 | } else if (domain != NULL && domain_length > 0) { |
6081 | size_t length_to_copy = MIN(domain_length, sizeof(domain_info->domain_name)); |
6082 | strlcpy(dst: domain_info->domain_name, src: (const char *)domain, n: length_to_copy); |
6083 | } |
6084 | |
6085 | NECP_CLIENT_FLOW_LOG(client, flow_registration, |
6086 | "Collected stats - domain <%s> owner <%s> ctxt <%s> bundle id <%s> " |
6087 | "is_tracker %d is_non_app_initiated %d is_silent %d" , |
6088 | domain_info->domain_name, |
6089 | domain_info->domain_owner, |
6090 | domain_info->domain_tracker_ctxt, |
6091 | domain_info->domain_attributed_bundle_id, |
6092 | domain_info->is_tracker, |
6093 | domain_info->is_non_app_initiated, |
6094 | domain_info->is_silent); |
6095 | |
6096 | return sizeof(nstat_domain_info); |
6097 | } |
6098 | |
6099 | static size_t |
6100 | necp_find_conn_extension_info(nstat_provider_context ctx, |
6101 | int requested_extension, /* The extension to be returned */ |
6102 | void *buf, /* If not NULL, the address for extensions to be returned in */ |
6103 | size_t buf_size) /* The size of the buffer space, typically matching the return from a previous call with a NULL buf pointer */ |
6104 | { |
6105 | // Note, the caller has guaranteed that any buffer has been zeroed, there is no need to clear it again |
6106 | |
6107 | if (ctx == NULL) { |
6108 | return 0; |
6109 | } |
6110 | struct necp_client *client = (struct necp_client *)ctx; |
6111 | switch (requested_extension) { |
6112 | case NSTAT_EXTENDED_UPDATE_TYPE_DOMAIN: |
6113 | // This is for completeness. The intent is that domain information can be extracted at user level from the TLV parameters |
6114 | if (buf == NULL) { |
6115 | return sizeof(nstat_domain_info); |
6116 | } |
6117 | if (buf_size < sizeof(nstat_domain_info)) { |
6118 | return 0; |
6119 | } |
6120 | return necp_find_domain_info_common(client, parameters: client->parameters, parameters_size: client->parameters_length, NULL, domain_info: (nstat_domain_info *)buf); |
6121 | |
6122 | case NSTAT_EXTENDED_UPDATE_TYPE_NECP_TLV: { |
6123 | size_t parameters_length = client->parameters_length; |
6124 | if (buf == NULL) { |
6125 | return parameters_length; |
6126 | } |
6127 | if (buf_size < parameters_length) { |
6128 | return 0; |
6129 | } |
6130 | memcpy(dst: buf, src: client->parameters, n: parameters_length); |
6131 | return parameters_length; |
6132 | } |
6133 | case NSTAT_EXTENDED_UPDATE_TYPE_ORIGINAL_NECP_TLV: |
6134 | if (buf == NULL) { |
6135 | return (client->original_parameters_source != NULL) ? client->original_parameters_source->parameters_length : 0; |
6136 | } |
6137 | if ((client->original_parameters_source == NULL) || (buf_size < client->original_parameters_source->parameters_length)) { |
6138 | return 0; |
6139 | } |
6140 | memcpy(dst: buf, src: client->original_parameters_source->parameters, n: client->original_parameters_source->parameters_length); |
6141 | return client->original_parameters_source->parameters_length; |
6142 | |
6143 | case NSTAT_EXTENDED_UPDATE_TYPE_ORIGINAL_DOMAIN: |
6144 | if (buf == NULL) { |
6145 | return (client->original_parameters_source != NULL) ? sizeof(nstat_domain_info) : 0; |
6146 | } |
6147 | if ((buf_size < sizeof(nstat_domain_info)) || (client->original_parameters_source == NULL)) { |
6148 | return 0; |
6149 | } |
6150 | return necp_find_domain_info_common(client, parameters: client->original_parameters_source->parameters, parameters_size: client->original_parameters_source->parameters_length, |
6151 | NULL, domain_info: (nstat_domain_info *)buf); |
6152 | |
6153 | default: |
6154 | return 0; |
6155 | } |
6156 | } |
6157 | |
6158 | #if SKYWALK |
6159 | |
6160 | static size_t |
6161 | necp_find_extension_info(userland_stats_provider_context *ctx, |
6162 | int requested_extension, /* The extension to be returned */ |
6163 | void *buf, /* If not NULL, the address for extensions to be returned in */ |
6164 | size_t buf_size) /* The size of the buffer space, typically matching the return from a previous call with a NULL buf pointer */ |
6165 | { |
6166 | if (ctx == NULL) { |
6167 | return 0; |
6168 | } |
6169 | struct necp_client_flow_registration *flow_registration = (struct necp_client_flow_registration *)(uintptr_t)ctx; |
6170 | struct necp_client *client = flow_registration->client; |
6171 | |
6172 | switch (requested_extension) { |
6173 | case NSTAT_EXTENDED_UPDATE_TYPE_DOMAIN: |
6174 | if (buf == NULL) { |
6175 | return sizeof(nstat_domain_info); |
6176 | } |
6177 | if (buf_size < sizeof(nstat_domain_info)) { |
6178 | return 0; |
6179 | } |
6180 | return necp_find_domain_info_common(client, parameters: client->parameters, parameters_size: client->parameters_length, flow_registration, domain_info: (nstat_domain_info *)buf); |
6181 | |
6182 | case NSTAT_EXTENDED_UPDATE_TYPE_NECP_TLV: |
6183 | if (buf == NULL) { |
6184 | return client->parameters_length; |
6185 | } |
6186 | if (buf_size < client->parameters_length) { |
6187 | return 0; |
6188 | } |
6189 | memcpy(dst: buf, src: client->parameters, n: client->parameters_length); |
6190 | return client->parameters_length; |
6191 | |
6192 | case NSTAT_EXTENDED_UPDATE_TYPE_FUUID: |
6193 | if (buf == NULL) { |
6194 | return sizeof(uuid_t); |
6195 | } |
6196 | if (buf_size < sizeof(uuid_t)) { |
6197 | return 0; |
6198 | } |
6199 | uuid_copy(dst: buf, src: flow_registration->registration_id); |
6200 | return sizeof(uuid_t); |
6201 | |
6202 | default: |
6203 | return 0; |
6204 | } |
6205 | } |
6206 | |
6207 | static void |
6208 | necp_find_netstat_data(struct necp_client *client, |
6209 | union necp_sockaddr_union *remote, |
6210 | pid_t *effective_pid, |
6211 | uid_t *uid, |
6212 | uuid_t euuid, |
6213 | uid_t *persona_id, |
6214 | u_int32_t *traffic_class, |
6215 | u_int8_t *fallback_mode) |
6216 | { |
6217 | bool have_set_euuid = false; |
6218 | size_t offset = 0; |
6219 | u_int8_t *parameters; |
6220 | u_int32_t parameters_size; |
6221 | |
6222 | parameters = client->parameters; |
6223 | parameters_size = (u_int32_t)client->parameters_length; |
6224 | |
6225 | while ((offset + sizeof(struct necp_tlv_header)) <= parameters_size) { |
6226 | u_int8_t type = necp_buffer_get_tlv_type(buffer: parameters, tlv_offset: offset); |
6227 | u_int32_t length = necp_buffer_get_tlv_length(buffer: parameters, tlv_offset: offset); |
6228 | |
6229 | if (length > (parameters_size - (offset + sizeof(struct necp_tlv_header)))) { |
6230 | // If the length is larger than what can fit in the remaining parameters size, bail |
6231 | NECPLOG(LOG_ERR, "Invalid TLV length (%u)" , length); |
6232 | break; |
6233 | } |
6234 | |
6235 | if (length > 0) { |
6236 | u_int8_t *value = necp_buffer_get_tlv_value(buffer: parameters, tlv_offset: offset, NULL); |
6237 | if (value != NULL) { |
6238 | switch (type) { |
6239 | case NECP_CLIENT_PARAMETER_APPLICATION: { |
6240 | if (length >= sizeof(uuid_t)) { |
6241 | uuid_copy(dst: euuid, src: value); |
6242 | } |
6243 | break; |
6244 | } |
6245 | case NECP_CLIENT_PARAMETER_PID: { |
6246 | if (length >= sizeof(pid_t)) { |
6247 | memcpy(dst: effective_pid, src: value, n: sizeof(pid_t)); |
6248 | } |
6249 | break; |
6250 | } |
6251 | case NECP_CLIENT_PARAMETER_TRAFFIC_CLASS: { |
6252 | if (length >= sizeof(u_int32_t)) { |
6253 | memcpy(dst: traffic_class, src: value, n: sizeof(u_int32_t)); |
6254 | } |
6255 | break; |
6256 | } |
6257 | case NECP_CLIENT_PARAMETER_FALLBACK_MODE: { |
6258 | if (length >= sizeof(u_int8_t)) { |
6259 | memcpy(dst: fallback_mode, src: value, n: sizeof(u_int8_t)); |
6260 | } |
6261 | break; |
6262 | } |
6263 | // It is an implementation quirk that the remote address can be found in the necp parameters |
6264 | // while the local address must be retrieved from the flowswitch |
6265 | case NECP_CLIENT_PARAMETER_REMOTE_ADDRESS: { |
6266 | if (length >= sizeof(struct necp_policy_condition_addr)) { |
6267 | struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value; |
6268 | if (necp_client_address_is_valid(&address_struct->address.sa)) { |
6269 | memcpy(dst: remote, src: &address_struct->address, n: sizeof(address_struct->address)); |
6270 | } |
6271 | } |
6272 | break; |
6273 | } |
6274 | case NECP_CLIENT_PARAMETER_APPLICATION_ID: { |
6275 | if (length >= sizeof(necp_application_id_t) && uid && persona_id) { |
6276 | necp_application_id_t *application_id = (necp_application_id_t *)(void *)value; |
6277 | memcpy(dst: uid, src: &application_id->uid, n: sizeof(uid_t)); |
6278 | uuid_copy(dst: euuid, src: application_id->effective_uuid); |
6279 | memcpy(dst: persona_id, src: &application_id->persona_id, n: sizeof(uid_t)); |
6280 | have_set_euuid = true; |
6281 | } |
6282 | break; |
6283 | } |
6284 | default: { |
6285 | break; |
6286 | } |
6287 | } |
6288 | } |
6289 | } |
6290 | offset += sizeof(struct necp_tlv_header) + length; |
6291 | } |
6292 | |
6293 | if (!have_set_euuid) { |
6294 | proc_t proc = proc_find(pid: client->proc_pid); |
6295 | if (proc != PROC_NULL) { |
6296 | uuid_t responsible_uuid = { 0 }; |
6297 | proc_getresponsibleuuid(proc, responsible_uuid, sizeof(responsible_uuid)); |
6298 | proc_rele(p: proc); |
6299 | if (!uuid_is_null(uu: responsible_uuid)) { |
6300 | uuid_copy(dst: euuid, src: responsible_uuid); |
6301 | } |
6302 | } |
6303 | } |
6304 | } |
6305 | |
6306 | static u_int64_t |
6307 | necp_find_netstat_initial_properties(struct necp_client *client) |
6308 | { |
6309 | size_t offset = 0; |
6310 | u_int64_t retval = 0; |
6311 | u_int8_t *parameters; |
6312 | u_int32_t parameters_size; |
6313 | |
6314 | parameters = client->parameters; |
6315 | parameters_size = (u_int32_t)client->parameters_length; |
6316 | |
6317 | while ((offset + sizeof(struct necp_tlv_header)) <= parameters_size) { |
6318 | u_int8_t type = necp_buffer_get_tlv_type(buffer: parameters, tlv_offset: offset); |
6319 | u_int32_t length = necp_buffer_get_tlv_length(buffer: parameters, tlv_offset: offset); |
6320 | |
6321 | if (length > (parameters_size - (offset + sizeof(struct necp_tlv_header)))) { |
6322 | // If the length is larger than what can fit in the remaining parameters size, bail |
6323 | NECPLOG(LOG_ERR, "Invalid TLV length (%u)" , length); |
6324 | break; |
6325 | } |
6326 | |
6327 | if (type == NECP_CLIENT_PARAMETER_FLAGS) { |
6328 | u_int32_t policy_condition_client_flags; |
6329 | u_int8_t *value = necp_buffer_get_tlv_value(buffer: parameters, tlv_offset: offset, NULL); |
6330 | if ((value != NULL) && (length >= sizeof(policy_condition_client_flags))) { |
6331 | memcpy(dst: &policy_condition_client_flags, src: value, n: sizeof(policy_condition_client_flags)); |
6332 | if (policy_condition_client_flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) { |
6333 | retval |= NSTAT_SOURCE_IS_LISTENER; |
6334 | } |
6335 | if (policy_condition_client_flags & NECP_CLIENT_PARAMETER_FLAG_INBOUND) { |
6336 | retval |= NSTAT_SOURCE_IS_INBOUND; |
6337 | } |
6338 | } |
6339 | break; |
6340 | } |
6341 | offset += sizeof(struct necp_tlv_header) + length; |
6342 | } |
6343 | if (retval == 0) { |
6344 | retval = NSTAT_SOURCE_IS_OUTBOUND; |
6345 | } |
6346 | return retval; |
6347 | } |
6348 | |
6349 | // Called from NetworkStatistics when it wishes to collect latest information for a TCP flow. |
6350 | // It is a responsibility of NetworkStatistics to have previously zeroed any supplied memory. |
6351 | static bool |
6352 | necp_request_tcp_netstats(userland_stats_provider_context *ctx, |
6353 | u_int32_t *ifflagsp, |
6354 | nstat_progress_digest *digestp, |
6355 | nstat_counts *countsp, |
6356 | void *metadatap) |
6357 | { |
6358 | if (ctx == NULL) { |
6359 | return false; |
6360 | } |
6361 | |
6362 | struct necp_client_flow_registration *flow_registration = (struct necp_client_flow_registration *)(uintptr_t)ctx; |
6363 | struct necp_client *client = flow_registration->client; |
6364 | struct necp_all_stats *ustats_kaddr = ((struct necp_all_kstats *)flow_registration->kstats_kaddr)->necp_stats_ustats; |
6365 | struct necp_tcp_stats *tcpstats = (struct necp_tcp_stats *)ustats_kaddr; |
6366 | ASSERT(tcpstats != NULL); |
6367 | |
6368 | u_int32_t nstat_diagnostic_flags = 0; |
6369 | |
6370 | // Retrieve details from the last time the assigned flows were updated |
6371 | u_int32_t route_ifindex = IFSCOPE_NONE; |
6372 | u_int32_t route_ifflags = NSTAT_IFNET_IS_UNKNOWN_TYPE; |
6373 | u_int64_t combined_interface_details = 0; |
6374 | |
6375 | combined_interface_details = os_atomic_load(&flow_registration->last_interface_details, relaxed); |
6376 | split_interface_details(combined_details: combined_interface_details, interface_index: &route_ifindex, interface_flags: &route_ifflags); |
6377 | |
6378 | if (route_ifindex == IFSCOPE_NONE) { |
6379 | // Mark no interface |
6380 | nstat_diagnostic_flags |= NSTAT_IFNET_ROUTE_VALUE_UNOBTAINABLE; |
6381 | route_ifflags = NSTAT_IFNET_IS_UNKNOWN_TYPE; |
6382 | NECPLOG(LOG_INFO, "req tcp stats, failed to get route details for pid %d curproc %d %s\n" , |
6383 | client->proc_pid, proc_pid(current_proc()), proc_best_name(current_proc())); |
6384 | } |
6385 | |
6386 | if (ifflagsp) { |
6387 | *ifflagsp = route_ifflags | nstat_diagnostic_flags; |
6388 | if (tcpstats->necp_tcp_extra.flags1 & SOF1_CELLFALLBACK) { |
6389 | *ifflagsp |= NSTAT_IFNET_VIA_CELLFALLBACK; |
6390 | } |
6391 | if ((digestp == NULL) && (countsp == NULL) && (metadatap == NULL)) { |
6392 | return true; |
6393 | } |
6394 | } |
6395 | |
6396 | if (digestp) { |
6397 | // The digest is intended to give information that may help give insight into the state of the link |
6398 | // while avoiding the need to do the relatively expensive flowswitch lookup |
6399 | digestp->rxbytes = tcpstats->necp_tcp_counts.necp_stat_rxbytes; |
6400 | digestp->txbytes = tcpstats->necp_tcp_counts.necp_stat_txbytes; |
6401 | digestp->rxduplicatebytes = tcpstats->necp_tcp_counts.necp_stat_rxduplicatebytes; |
6402 | digestp->rxoutoforderbytes = tcpstats->necp_tcp_counts.necp_stat_rxoutoforderbytes; |
6403 | digestp->txretransmit = tcpstats->necp_tcp_counts.necp_stat_txretransmit; |
6404 | digestp->ifindex = route_ifindex; |
6405 | digestp->state = tcpstats->necp_tcp_extra.state; |
6406 | digestp->txunacked = tcpstats->necp_tcp_extra.txunacked; |
6407 | digestp->txwindow = tcpstats->necp_tcp_extra.txwindow; |
6408 | digestp->connstatus.probe_activated = tcpstats->necp_tcp_extra.probestatus.probe_activated; |
6409 | digestp->connstatus.write_probe_failed = tcpstats->necp_tcp_extra.probestatus.write_probe_failed; |
6410 | digestp->connstatus.read_probe_failed = tcpstats->necp_tcp_extra.probestatus.read_probe_failed; |
6411 | digestp->connstatus.conn_probe_failed = tcpstats->necp_tcp_extra.probestatus.conn_probe_failed; |
6412 | |
6413 | if ((countsp == NULL) && (metadatap == NULL)) { |
6414 | return true; |
6415 | } |
6416 | } |
6417 | |
6418 | const struct sk_stats_flow *sf = &flow_registration->nexus_stats->fs_stats; |
6419 | if (sf == NULL) { |
6420 | nstat_diagnostic_flags |= NSTAT_IFNET_FLOWSWITCH_VALUE_UNOBTAINABLE; |
6421 | char namebuf[MAXCOMLEN + 1]; |
6422 | (void) strlcpy(dst: namebuf, src: "unknown" , n: sizeof(namebuf)); |
6423 | proc_name(pid: client->proc_pid, buf: namebuf, size: sizeof(namebuf)); |
6424 | NECPLOG(LOG_ERR, "req tcp stats, necp_client flow_registration flow_stats missing for pid %d %s curproc %d %s\n" , |
6425 | client->proc_pid, namebuf, proc_pid(current_proc()), proc_best_name(current_proc())); |
6426 | sf = &ntstat_sk_stats_zero; |
6427 | } |
6428 | |
6429 | if (countsp) { |
6430 | countsp->nstat_rxbytes = tcpstats->necp_tcp_counts.necp_stat_rxbytes; |
6431 | countsp->nstat_txbytes = tcpstats->necp_tcp_counts.necp_stat_txbytes; |
6432 | |
6433 | countsp->nstat_rxduplicatebytes = tcpstats->necp_tcp_counts.necp_stat_rxduplicatebytes; |
6434 | countsp->nstat_rxoutoforderbytes = tcpstats->necp_tcp_counts.necp_stat_rxoutoforderbytes; |
6435 | countsp->nstat_txretransmit = tcpstats->necp_tcp_counts.necp_stat_txretransmit; |
6436 | |
6437 | countsp->nstat_min_rtt = tcpstats->necp_tcp_counts.necp_stat_min_rtt; |
6438 | countsp->nstat_avg_rtt = tcpstats->necp_tcp_counts.necp_stat_avg_rtt; |
6439 | countsp->nstat_var_rtt = tcpstats->necp_tcp_counts.necp_stat_var_rtt; |
6440 | |
6441 | countsp->nstat_connectattempts = tcpstats->necp_tcp_extra.state >= TCPS_SYN_SENT ? 1 : 0; |
6442 | countsp->nstat_connectsuccesses = tcpstats->necp_tcp_extra.state >= TCPS_ESTABLISHED ? 1 : 0; |
6443 | |
6444 | // Supplement what the user level has told us with what we know from the flowswitch |
6445 | countsp->nstat_rxpackets = sf->sf_ipackets; |
6446 | countsp->nstat_txpackets = sf->sf_opackets; |
6447 | if (route_ifflags & NSTAT_IFNET_IS_CELLULAR) { |
6448 | countsp->nstat_cell_rxbytes = sf->sf_ibytes; |
6449 | countsp->nstat_cell_txbytes = sf->sf_obytes; |
6450 | } else if (route_ifflags & NSTAT_IFNET_IS_WIFI) { |
6451 | countsp->nstat_wifi_rxbytes = sf->sf_ibytes; |
6452 | countsp->nstat_wifi_txbytes = sf->sf_obytes; |
6453 | } else if (route_ifflags & NSTAT_IFNET_IS_WIRED) { |
6454 | countsp->nstat_wired_rxbytes = sf->sf_ibytes; |
6455 | countsp->nstat_wired_txbytes = sf->sf_obytes; |
6456 | } |
6457 | } |
6458 | |
6459 | if (metadatap) { |
6460 | nstat_tcp_descriptor *desc = (nstat_tcp_descriptor *)metadatap; |
6461 | memset(s: desc, c: 0, n: sizeof(*desc)); |
6462 | |
6463 | // Metadata from the flow registration |
6464 | uuid_copy(dst: desc->fuuid, src: flow_registration->registration_id); |
6465 | |
6466 | // Metadata that the necp client should have in TLV format. |
6467 | pid_t effective_pid = client->proc_pid; |
6468 | necp_find_netstat_data(client, remote: (union necp_sockaddr_union *)&desc->remote, effective_pid: &effective_pid, uid: &desc->uid, euuid: desc->euuid, persona_id: &desc->persona_id, traffic_class: &desc->traffic_class, fallback_mode: &desc->fallback_mode); |
6469 | desc->epid = (u_int32_t)effective_pid; |
6470 | |
6471 | // Metadata from the flow registration |
6472 | // This needs to revisited if multiple flows are created from one flow registration |
6473 | struct necp_client_flow *flow = NULL; |
6474 | LIST_FOREACH(flow, &flow_registration->flow_list, flow_chain) { |
6475 | memcpy(dst: &desc->local, src: &flow->local_addr, n: sizeof(desc->local)); |
6476 | break; |
6477 | } |
6478 | |
6479 | // Metadata from the route |
6480 | desc->ifindex = route_ifindex; |
6481 | desc->ifnet_properties = route_ifflags | nstat_diagnostic_flags; |
6482 | desc->ifnet_properties |= (sf->sf_flags & SFLOWF_ONLINK) ? NSTAT_IFNET_IS_LOCAL : NSTAT_IFNET_IS_NON_LOCAL; |
6483 | if (tcpstats->necp_tcp_extra.flags1 & SOF1_CELLFALLBACK) { |
6484 | desc->ifnet_properties |= NSTAT_IFNET_VIA_CELLFALLBACK; |
6485 | } |
6486 | |
6487 | // Basic metadata from userland |
6488 | desc->rcvbufsize = tcpstats->necp_tcp_basic.rcvbufsize; |
6489 | desc->rcvbufused = tcpstats->necp_tcp_basic.rcvbufused; |
6490 | |
6491 | // Additional TCP specific data |
6492 | desc->sndbufsize = tcpstats->necp_tcp_extra.sndbufsize; |
6493 | desc->sndbufused = tcpstats->necp_tcp_extra.sndbufused; |
6494 | desc->txunacked = tcpstats->necp_tcp_extra.txunacked; |
6495 | desc->txwindow = tcpstats->necp_tcp_extra.txwindow; |
6496 | desc->txcwindow = tcpstats->necp_tcp_extra.txcwindow; |
6497 | desc->traffic_mgt_flags = tcpstats->necp_tcp_extra.traffic_mgt_flags; |
6498 | desc->state = tcpstats->necp_tcp_extra.state; |
6499 | |
6500 | u_int32_t cc_alg_index = tcpstats->necp_tcp_extra.cc_alg_index; |
6501 | if (cc_alg_index < TCP_CC_ALGO_COUNT) { |
6502 | strlcpy(dst: desc->cc_algo, src: tcp_cc_algo_list[cc_alg_index]->name, n: sizeof(desc->cc_algo)); |
6503 | } else { |
6504 | strlcpy(dst: desc->cc_algo, src: "unknown" , n: sizeof(desc->cc_algo)); |
6505 | } |
6506 | |
6507 | desc->connstatus.probe_activated = tcpstats->necp_tcp_extra.probestatus.probe_activated; |
6508 | desc->connstatus.write_probe_failed = tcpstats->necp_tcp_extra.probestatus.write_probe_failed; |
6509 | desc->connstatus.read_probe_failed = tcpstats->necp_tcp_extra.probestatus.read_probe_failed; |
6510 | desc->connstatus.conn_probe_failed = tcpstats->necp_tcp_extra.probestatus.conn_probe_failed; |
6511 | |
6512 | memcpy(dst: &desc->activity_bitmap, src: &sf->sf_activity, n: sizeof(sf->sf_activity)); |
6513 | |
6514 | if (NECP_ENABLE_CLIENT_TRACE(NECP_CLIENT_TRACE_LEVEL_FLOW)) { |
6515 | uuid_string_t euuid_str = { 0 }; |
6516 | uuid_unparse(uu: desc->euuid, out: euuid_str); |
6517 | NECPLOG(LOG_NOTICE, "Collected stats - TCP - epid %d uid %d euuid %s persona id %d" , desc->epid, desc->uid, euuid_str, desc->persona_id); |
6518 | } |
6519 | } |
6520 | |
6521 | return true; |
6522 | } |
6523 | |
6524 | // Called from NetworkStatistics when it wishes to collect latest information for a UDP flow. |
6525 | static bool |
6526 | necp_request_udp_netstats(userland_stats_provider_context *ctx, |
6527 | u_int32_t *ifflagsp, |
6528 | nstat_progress_digest *digestp, |
6529 | nstat_counts *countsp, |
6530 | void *metadatap) |
6531 | { |
6532 | #pragma unused(digestp) |
6533 | |
6534 | if (ctx == NULL) { |
6535 | return false; |
6536 | } |
6537 | |
6538 | struct necp_client_flow_registration *flow_registration = (struct necp_client_flow_registration *)(uintptr_t)ctx; |
6539 | struct necp_client *client = flow_registration->client; |
6540 | struct necp_all_stats *ustats_kaddr = ((struct necp_all_kstats *)flow_registration->kstats_kaddr)->necp_stats_ustats; |
6541 | struct necp_udp_stats *udpstats = (struct necp_udp_stats *)ustats_kaddr; |
6542 | ASSERT(udpstats != NULL); |
6543 | |
6544 | u_int32_t nstat_diagnostic_flags = 0; |
6545 | |
6546 | // Retrieve details from the last time the assigned flows were updated |
6547 | u_int32_t route_ifindex = IFSCOPE_NONE; |
6548 | u_int32_t route_ifflags = NSTAT_IFNET_IS_UNKNOWN_TYPE; |
6549 | u_int64_t combined_interface_details = 0; |
6550 | |
6551 | combined_interface_details = os_atomic_load(&flow_registration->last_interface_details, relaxed); |
6552 | split_interface_details(combined_details: combined_interface_details, interface_index: &route_ifindex, interface_flags: &route_ifflags); |
6553 | |
6554 | if (route_ifindex == IFSCOPE_NONE) { |
6555 | // Mark no interface |
6556 | nstat_diagnostic_flags |= NSTAT_IFNET_ROUTE_VALUE_UNOBTAINABLE; |
6557 | route_ifflags = NSTAT_IFNET_IS_UNKNOWN_TYPE; |
6558 | NECPLOG(LOG_INFO, "req udp stats, failed to get route details for pid %d curproc %d %s\n" , |
6559 | client->proc_pid, proc_pid(current_proc()), proc_best_name(current_proc())); |
6560 | } |
6561 | |
6562 | if (ifflagsp) { |
6563 | *ifflagsp = route_ifflags | nstat_diagnostic_flags; |
6564 | if ((countsp == NULL) && (metadatap == NULL)) { |
6565 | return true; |
6566 | } |
6567 | } |
6568 | const struct sk_stats_flow *sf = &flow_registration->nexus_stats->fs_stats; |
6569 | if (sf == NULL) { |
6570 | nstat_diagnostic_flags |= NSTAT_IFNET_FLOWSWITCH_VALUE_UNOBTAINABLE; |
6571 | char namebuf[MAXCOMLEN + 1]; |
6572 | (void) strlcpy(dst: namebuf, src: "unknown" , n: sizeof(namebuf)); |
6573 | proc_name(pid: client->proc_pid, buf: namebuf, size: sizeof(namebuf)); |
6574 | NECPLOG(LOG_ERR, "req udp stats, necp_client flow_registration flow_stats missing for pid %d %s curproc %d %s\n" , |
6575 | client->proc_pid, namebuf, proc_pid(current_proc()), proc_best_name(current_proc())); |
6576 | sf = &ntstat_sk_stats_zero; |
6577 | } |
6578 | |
6579 | if (countsp) { |
6580 | countsp->nstat_rxbytes = udpstats->necp_udp_counts.necp_stat_rxbytes; |
6581 | countsp->nstat_txbytes = udpstats->necp_udp_counts.necp_stat_txbytes; |
6582 | |
6583 | countsp->nstat_rxduplicatebytes = udpstats->necp_udp_counts.necp_stat_rxduplicatebytes; |
6584 | countsp->nstat_rxoutoforderbytes = udpstats->necp_udp_counts.necp_stat_rxoutoforderbytes; |
6585 | countsp->nstat_txretransmit = udpstats->necp_udp_counts.necp_stat_txretransmit; |
6586 | |
6587 | countsp->nstat_min_rtt = udpstats->necp_udp_counts.necp_stat_min_rtt; |
6588 | countsp->nstat_avg_rtt = udpstats->necp_udp_counts.necp_stat_avg_rtt; |
6589 | countsp->nstat_var_rtt = udpstats->necp_udp_counts.necp_stat_var_rtt; |
6590 | |
6591 | // Supplement what the user level has told us with what we know from the flowswitch |
6592 | countsp->nstat_rxpackets = sf->sf_ipackets; |
6593 | countsp->nstat_txpackets = sf->sf_opackets; |
6594 | if (route_ifflags & NSTAT_IFNET_IS_CELLULAR) { |
6595 | countsp->nstat_cell_rxbytes = sf->sf_ibytes; |
6596 | countsp->nstat_cell_txbytes = sf->sf_obytes; |
6597 | } else if (route_ifflags & NSTAT_IFNET_IS_WIFI) { |
6598 | countsp->nstat_wifi_rxbytes = sf->sf_ibytes; |
6599 | countsp->nstat_wifi_txbytes = sf->sf_obytes; |
6600 | } else if (route_ifflags & NSTAT_IFNET_IS_WIRED) { |
6601 | countsp->nstat_wired_rxbytes = sf->sf_ibytes; |
6602 | countsp->nstat_wired_txbytes = sf->sf_obytes; |
6603 | } |
6604 | } |
6605 | |
6606 | if (metadatap) { |
6607 | nstat_udp_descriptor *desc = (nstat_udp_descriptor *)metadatap; |
6608 | memset(s: desc, c: 0, n: sizeof(*desc)); |
6609 | |
6610 | // Metadata from the flow registration |
6611 | uuid_copy(dst: desc->fuuid, src: flow_registration->registration_id); |
6612 | |
6613 | // Metadata that the necp client should have in TLV format. |
6614 | pid_t effective_pid = client->proc_pid; |
6615 | necp_find_netstat_data(client, remote: (union necp_sockaddr_union *)&desc->remote, effective_pid: &effective_pid, uid: &desc->uid, euuid: desc->euuid, persona_id: &desc->persona_id, traffic_class: &desc->traffic_class, fallback_mode: &desc->fallback_mode); |
6616 | desc->epid = (u_int32_t)effective_pid; |
6617 | |
6618 | // Metadata from the flow registration |
6619 | // This needs to revisited if multiple flows are created from one flow registration |
6620 | struct necp_client_flow *flow = NULL; |
6621 | LIST_FOREACH(flow, &flow_registration->flow_list, flow_chain) { |
6622 | memcpy(dst: &desc->local, src: &flow->local_addr, n: sizeof(desc->local)); |
6623 | break; |
6624 | } |
6625 | |
6626 | // Metadata from the route |
6627 | desc->ifindex = route_ifindex; |
6628 | desc->ifnet_properties = route_ifflags | nstat_diagnostic_flags; |
6629 | desc->ifnet_properties |= (sf->sf_flags & SFLOWF_ONLINK) ? NSTAT_IFNET_IS_LOCAL : NSTAT_IFNET_IS_NON_LOCAL; |
6630 | |
6631 | // Basic metadata is all that is required for UDP |
6632 | desc->rcvbufsize = udpstats->necp_udp_basic.rcvbufsize; |
6633 | desc->rcvbufused = udpstats->necp_udp_basic.rcvbufused; |
6634 | |
6635 | memcpy(dst: &desc->activity_bitmap, src: &sf->sf_activity, n: sizeof(sf->sf_activity)); |
6636 | |
6637 | if (NECP_ENABLE_CLIENT_TRACE(NECP_CLIENT_TRACE_LEVEL_FLOW)) { |
6638 | uuid_string_t euuid_str = { 0 }; |
6639 | uuid_unparse(uu: desc->euuid, out: euuid_str); |
6640 | NECPLOG(LOG_NOTICE, "Collected stats - UDP - epid %d uid %d euuid %s persona id %d" , desc->epid, desc->uid, euuid_str, desc->persona_id); |
6641 | } |
6642 | } |
6643 | |
6644 | return true; |
6645 | } |
6646 | |
6647 | // Called from NetworkStatistics when it wishes to collect latest information for a QUIC flow. |
6648 | // |
6649 | // TODO: For now it is an exact implementation as that of TCP. |
6650 | // Still to keep the logic separate for future divergence, keeping the routines separate. |
6651 | // It also seems there are lots of common code between existing implementations and |
6652 | // it would be good to refactor this logic at some point. |
6653 | static bool |
6654 | necp_request_quic_netstats(userland_stats_provider_context *ctx, |
6655 | u_int32_t *ifflagsp, |
6656 | nstat_progress_digest *digestp, |
6657 | nstat_counts *countsp, |
6658 | void *metadatap) |
6659 | { |
6660 | if (ctx == NULL) { |
6661 | return false; |
6662 | } |
6663 | |
6664 | struct necp_client_flow_registration *flow_registration = (struct necp_client_flow_registration *)(uintptr_t)ctx; |
6665 | struct necp_client *client = flow_registration->client; |
6666 | struct necp_all_stats *ustats_kaddr = ((struct necp_all_kstats *)flow_registration->kstats_kaddr)->necp_stats_ustats; |
6667 | struct necp_quic_stats *quicstats = (struct necp_quic_stats *)ustats_kaddr; |
6668 | ASSERT(quicstats != NULL); |
6669 | |
6670 | u_int32_t nstat_diagnostic_flags = 0; |
6671 | |
6672 | // Retrieve details from the last time the assigned flows were updated |
6673 | u_int32_t route_ifindex = IFSCOPE_NONE; |
6674 | u_int32_t route_ifflags = NSTAT_IFNET_IS_UNKNOWN_TYPE; |
6675 | u_int64_t combined_interface_details = 0; |
6676 | |
6677 | combined_interface_details = os_atomic_load(&flow_registration->last_interface_details, relaxed); |
6678 | split_interface_details(combined_details: combined_interface_details, interface_index: &route_ifindex, interface_flags: &route_ifflags); |
6679 | |
6680 | if (route_ifindex == IFSCOPE_NONE) { |
6681 | // Mark no interface |
6682 | nstat_diagnostic_flags |= NSTAT_IFNET_ROUTE_VALUE_UNOBTAINABLE; |
6683 | route_ifflags = NSTAT_IFNET_IS_UNKNOWN_TYPE; |
6684 | NECPLOG(LOG_INFO, "req quic stats, failed to get route details for pid %d curproc %d %s\n" , |
6685 | client->proc_pid, proc_pid(current_proc()), proc_best_name(current_proc())); |
6686 | } |
6687 | |
6688 | if (ifflagsp) { |
6689 | *ifflagsp = route_ifflags | nstat_diagnostic_flags; |
6690 | if ((digestp == NULL) && (countsp == NULL) && (metadatap == NULL)) { |
6691 | return true; |
6692 | } |
6693 | } |
6694 | |
6695 | if (digestp) { |
6696 | // The digest is intended to give information that may help give insight into the state of the link |
6697 | // while avoiding the need to do the relatively expensive flowswitch lookup |
6698 | digestp->rxbytes = quicstats->necp_quic_counts.necp_stat_rxbytes; |
6699 | digestp->txbytes = quicstats->necp_quic_counts.necp_stat_txbytes; |
6700 | digestp->rxduplicatebytes = quicstats->necp_quic_counts.necp_stat_rxduplicatebytes; |
6701 | digestp->rxoutoforderbytes = quicstats->necp_quic_counts.necp_stat_rxoutoforderbytes; |
6702 | digestp->txretransmit = quicstats->necp_quic_counts.necp_stat_txretransmit; |
6703 | digestp->ifindex = route_ifindex; |
6704 | digestp->state = quicstats->necp_quic_extra.state; |
6705 | digestp->txunacked = quicstats->necp_quic_extra.txunacked; |
6706 | digestp->txwindow = quicstats->necp_quic_extra.txwindow; |
6707 | digestp->connstatus.probe_activated = quicstats->necp_quic_extra.probestatus.probe_activated; |
6708 | digestp->connstatus.write_probe_failed = quicstats->necp_quic_extra.probestatus.write_probe_failed; |
6709 | digestp->connstatus.read_probe_failed = quicstats->necp_quic_extra.probestatus.read_probe_failed; |
6710 | digestp->connstatus.conn_probe_failed = quicstats->necp_quic_extra.probestatus.conn_probe_failed; |
6711 | |
6712 | if ((countsp == NULL) && (metadatap == NULL)) { |
6713 | return true; |
6714 | } |
6715 | } |
6716 | |
6717 | const struct sk_stats_flow *sf = &flow_registration->nexus_stats->fs_stats; |
6718 | if (sf == NULL) { |
6719 | nstat_diagnostic_flags |= NSTAT_IFNET_FLOWSWITCH_VALUE_UNOBTAINABLE; |
6720 | char namebuf[MAXCOMLEN + 1]; |
6721 | (void) strlcpy(dst: namebuf, src: "unknown" , n: sizeof(namebuf)); |
6722 | proc_name(pid: client->proc_pid, buf: namebuf, size: sizeof(namebuf)); |
6723 | NECPLOG(LOG_ERR, "req quic stats, necp_client flow_registration flow_stats missing for pid %d %s curproc %d %s\n" , |
6724 | client->proc_pid, namebuf, proc_pid(current_proc()), proc_best_name(current_proc())); |
6725 | sf = &ntstat_sk_stats_zero; |
6726 | } |
6727 | |
6728 | if (countsp) { |
6729 | countsp->nstat_rxbytes = quicstats->necp_quic_counts.necp_stat_rxbytes; |
6730 | countsp->nstat_txbytes = quicstats->necp_quic_counts.necp_stat_txbytes; |
6731 | |
6732 | countsp->nstat_rxduplicatebytes = quicstats->necp_quic_counts.necp_stat_rxduplicatebytes; |
6733 | countsp->nstat_rxoutoforderbytes = quicstats->necp_quic_counts.necp_stat_rxoutoforderbytes; |
6734 | countsp->nstat_txretransmit = quicstats->necp_quic_counts.necp_stat_txretransmit; |
6735 | |
6736 | countsp->nstat_min_rtt = quicstats->necp_quic_counts.necp_stat_min_rtt; |
6737 | countsp->nstat_avg_rtt = quicstats->necp_quic_counts.necp_stat_avg_rtt; |
6738 | countsp->nstat_var_rtt = quicstats->necp_quic_counts.necp_stat_var_rtt; |
6739 | |
6740 | // TODO: It would be good to expose QUIC stats for CH/SH retransmission and connection state |
6741 | // Supplement what the user level has told us with what we know from the flowswitch |
6742 | countsp->nstat_rxpackets = sf->sf_ipackets; |
6743 | countsp->nstat_txpackets = sf->sf_opackets; |
6744 | if (route_ifflags & NSTAT_IFNET_IS_CELLULAR) { |
6745 | countsp->nstat_cell_rxbytes = sf->sf_ibytes; |
6746 | countsp->nstat_cell_txbytes = sf->sf_obytes; |
6747 | } else if (route_ifflags & NSTAT_IFNET_IS_WIFI) { |
6748 | countsp->nstat_wifi_rxbytes = sf->sf_ibytes; |
6749 | countsp->nstat_wifi_txbytes = sf->sf_obytes; |
6750 | } else if (route_ifflags & NSTAT_IFNET_IS_WIRED) { |
6751 | countsp->nstat_wired_rxbytes = sf->sf_ibytes; |
6752 | countsp->nstat_wired_txbytes = sf->sf_obytes; |
6753 | } |
6754 | } |
6755 | |
6756 | if (metadatap) { |
6757 | nstat_quic_descriptor *desc = (nstat_quic_descriptor *)metadatap; |
6758 | memset(s: desc, c: 0, n: sizeof(*desc)); |
6759 | |
6760 | // Metadata from the flow registration |
6761 | uuid_copy(dst: desc->fuuid, src: flow_registration->registration_id); |
6762 | |
6763 | // Metadata, that the necp client should have, in TLV format. |
6764 | pid_t effective_pid = client->proc_pid; |
6765 | necp_find_netstat_data(client, remote: (union necp_sockaddr_union *)&desc->remote, effective_pid: &effective_pid, uid: &desc->uid, euuid: desc->euuid, persona_id: &desc->persona_id, traffic_class: &desc->traffic_class, fallback_mode: &desc->fallback_mode); |
6766 | desc->epid = (u_int32_t)effective_pid; |
6767 | |
6768 | // Metadata from the flow registration |
6769 | // This needs to revisited if multiple flows are created from one flow registration |
6770 | struct necp_client_flow *flow = NULL; |
6771 | LIST_FOREACH(flow, &flow_registration->flow_list, flow_chain) { |
6772 | memcpy(dst: &desc->local, src: &flow->local_addr, n: sizeof(desc->local)); |
6773 | break; |
6774 | } |
6775 | |
6776 | // Metadata from the route |
6777 | desc->ifindex = route_ifindex; |
6778 | desc->ifnet_properties = route_ifflags | nstat_diagnostic_flags; |
6779 | desc->ifnet_properties |= (sf->sf_flags & SFLOWF_ONLINK) ? NSTAT_IFNET_IS_LOCAL : NSTAT_IFNET_IS_NON_LOCAL; |
6780 | |
6781 | // Basic metadata from userland |
6782 | desc->rcvbufsize = quicstats->necp_quic_basic.rcvbufsize; |
6783 | desc->rcvbufused = quicstats->necp_quic_basic.rcvbufused; |
6784 | |
6785 | // Additional QUIC specific data |
6786 | desc->sndbufsize = quicstats->necp_quic_extra.sndbufsize; |
6787 | desc->sndbufused = quicstats->necp_quic_extra.sndbufused; |
6788 | desc->txunacked = quicstats->necp_quic_extra.txunacked; |
6789 | desc->txwindow = quicstats->necp_quic_extra.txwindow; |
6790 | desc->txcwindow = quicstats->necp_quic_extra.txcwindow; |
6791 | desc->traffic_mgt_flags = quicstats->necp_quic_extra.traffic_mgt_flags; |
6792 | desc->state = quicstats->necp_quic_extra.state; |
6793 | |
6794 | // TODO: CC algo defines should be named agnostic of the protocol |
6795 | u_int32_t cc_alg_index = quicstats->necp_quic_extra.cc_alg_index; |
6796 | if (cc_alg_index < TCP_CC_ALGO_COUNT) { |
6797 | strlcpy(dst: desc->cc_algo, src: tcp_cc_algo_list[cc_alg_index]->name, n: sizeof(desc->cc_algo)); |
6798 | } else { |
6799 | strlcpy(dst: desc->cc_algo, src: "unknown" , n: sizeof(desc->cc_algo)); |
6800 | } |
6801 | |
6802 | memcpy(dst: &desc->activity_bitmap, src: &sf->sf_activity, n: sizeof(sf->sf_activity)); |
6803 | |
6804 | desc->connstatus.probe_activated = quicstats->necp_quic_extra.probestatus.probe_activated; |
6805 | desc->connstatus.write_probe_failed = quicstats->necp_quic_extra.probestatus.write_probe_failed; |
6806 | desc->connstatus.read_probe_failed = quicstats->necp_quic_extra.probestatus.read_probe_failed; |
6807 | desc->connstatus.conn_probe_failed = quicstats->necp_quic_extra.probestatus.conn_probe_failed; |
6808 | |
6809 | if (NECP_ENABLE_CLIENT_TRACE(NECP_CLIENT_TRACE_LEVEL_FLOW)) { |
6810 | uuid_string_t euuid_str = { 0 }; |
6811 | uuid_unparse(uu: desc->euuid, out: euuid_str); |
6812 | NECPLOG(LOG_NOTICE, "Collected stats - QUIC - epid %d uid %d euuid %s persona id %d" , desc->epid, desc->uid, euuid_str, desc->persona_id); |
6813 | } |
6814 | } |
6815 | return true; |
6816 | } |
6817 | |
6818 | #endif /* SKYWALK */ |
6819 | |
6820 | // Support functions for NetworkStatistics support for necp_client connections |
6821 | |
6822 | static void |
6823 | necp_client_inherit_from_parent( |
6824 | struct necp_client *client, |
6825 | struct necp_client *parent) |
6826 | { |
6827 | assert(client->original_parameters_source == NULL); |
6828 | |
6829 | if (parent->original_parameters_source != NULL) { |
6830 | client->original_parameters_source = parent->original_parameters_source; |
6831 | } else { |
6832 | client->original_parameters_source = parent; |
6833 | } |
6834 | necp_client_retain(client: client->original_parameters_source); |
6835 | } |
6836 | |
6837 | static void |
6838 | necp_find_conn_netstat_data(struct necp_client *client, |
6839 | u_int32_t *ntstat_flags, |
6840 | pid_t *effective_pid, |
6841 | uuid_t puuid, |
6842 | uid_t *uid, |
6843 | uuid_t euuid, |
6844 | uid_t *persona_id) |
6845 | { |
6846 | bool has_remote_address = false; |
6847 | bool has_ip_protocol = false; |
6848 | bool has_transport_protocol = false; |
6849 | size_t offset = 0; |
6850 | u_int8_t *parameters; |
6851 | u_int32_t parameters_size; |
6852 | |
6853 | |
6854 | parameters = client->parameters; |
6855 | parameters_size = (u_int32_t)client->parameters_length; |
6856 | |
6857 | while ((offset + sizeof(struct necp_tlv_header)) <= parameters_size) { |
6858 | u_int8_t type = necp_buffer_get_tlv_type(buffer: parameters, tlv_offset: offset); |
6859 | u_int32_t length = necp_buffer_get_tlv_length(buffer: parameters, tlv_offset: offset); |
6860 | |
6861 | if (length > (parameters_size - (offset + sizeof(struct necp_tlv_header)))) { |
6862 | // If the length is larger than what can fit in the remaining parameters size, bail |
6863 | NECPLOG(LOG_ERR, "Invalid TLV length (%u)" , length); |
6864 | break; |
6865 | } |
6866 | |
6867 | if (length > 0) { |
6868 | u_int8_t *value = necp_buffer_get_tlv_value(buffer: parameters, tlv_offset: offset, NULL); |
6869 | if (value != NULL) { |
6870 | switch (type) { |
6871 | case NECP_CLIENT_PARAMETER_APPLICATION: { |
6872 | if ((euuid) && (length >= sizeof(uuid_t))) { |
6873 | uuid_copy(dst: euuid, src: value); |
6874 | } |
6875 | break; |
6876 | } |
6877 | case NECP_CLIENT_PARAMETER_IP_PROTOCOL: { |
6878 | if (length >= 1) { |
6879 | has_ip_protocol = true; |
6880 | } |
6881 | break; |
6882 | } |
6883 | case NECP_CLIENT_PARAMETER_PID: { |
6884 | if ((effective_pid) && length >= sizeof(pid_t)) { |
6885 | memcpy(dst: effective_pid, src: value, n: sizeof(pid_t)); |
6886 | } |
6887 | break; |
6888 | } |
6889 | case NECP_CLIENT_PARAMETER_PARENT_ID: { |
6890 | if ((puuid) && (length == sizeof(uuid_t))) { |
6891 | uuid_copy(dst: puuid, src: value); |
6892 | } |
6893 | break; |
6894 | } |
6895 | // It is an implementation quirk that the remote address can be found in the necp parameters |
6896 | case NECP_CLIENT_PARAMETER_REMOTE_ADDRESS: { |
6897 | if (length >= sizeof(struct necp_policy_condition_addr)) { |
6898 | struct necp_policy_condition_addr *address_struct = (struct necp_policy_condition_addr *)(void *)value; |
6899 | if (necp_client_address_is_valid(&address_struct->address.sa)) { |
6900 | has_remote_address = true; |
6901 | } |
6902 | } |
6903 | break; |
6904 | } |
6905 | case NECP_CLIENT_PARAMETER_TRANSPORT_PROTOCOL: { |
6906 | if (length >= 1) { |
6907 | has_transport_protocol = true; |
6908 | } |
6909 | break; |
6910 | } |
6911 | case NECP_CLIENT_PARAMETER_APPLICATION_ID: { |
6912 | if (length >= sizeof(necp_application_id_t) && uid && persona_id) { |
6913 | necp_application_id_t *application_id = (necp_application_id_t *)(void *)value; |
6914 | memcpy(dst: uid, src: &application_id->uid, n: sizeof(uid_t)); |
6915 | uuid_copy(dst: euuid, src: application_id->effective_uuid); |
6916 | memcpy(dst: persona_id, src: &application_id->persona_id, n: sizeof(uid_t)); |
6917 | } |
6918 | break; |
6919 | } |
6920 | default: { |
6921 | break; |
6922 | } |
6923 | } |
6924 | } |
6925 | } |
6926 | offset += sizeof(struct necp_tlv_header) + length; |
6927 | } |
6928 | if (ntstat_flags) { |
6929 | *ntstat_flags = (has_remote_address && has_ip_protocol && has_transport_protocol)? NSTAT_NECP_CONN_HAS_NET_ACCESS: 0; |
6930 | } |
6931 | } |
6932 | |
6933 | static bool |
6934 | necp_request_conn_netstats(nstat_provider_context ctx, |
6935 | u_int32_t *ifflagsp, |
6936 | nstat_counts *countsp, |
6937 | void *metadatap) |
6938 | { |
6939 | if (ctx == NULL) { |
6940 | return false; |
6941 | } |
6942 | struct necp_client *client = (struct necp_client *)(uintptr_t)ctx; |
6943 | nstat_connection_descriptor *desc = (nstat_connection_descriptor *)metadatap; |
6944 | |
6945 | if (ifflagsp) { |
6946 | necp_find_conn_netstat_data(client, ntstat_flags: ifflagsp, NULL, NULL, NULL, NULL, NULL); |
6947 | } |
6948 | if (countsp) { |
6949 | memset(s: countsp, c: 0, n: sizeof(*countsp)); |
6950 | } |
6951 | if (desc) { |
6952 | memset(s: desc, c: 0, n: sizeof(*desc)); |
6953 | // Metadata, that the necp client should have, in TLV format. |
6954 | pid_t effective_pid = client->proc_pid; |
6955 | necp_find_conn_netstat_data(client, ntstat_flags: &desc->ifnet_properties, effective_pid: &effective_pid, puuid: desc->puuid, uid: &desc->uid, euuid: desc->euuid, persona_id: &desc->persona_id); |
6956 | desc->epid = (u_int32_t)effective_pid; |
6957 | |
6958 | // User level should obtain almost all connection information from an extension |
6959 | // leaving little to do here |
6960 | uuid_copy(dst: desc->fuuid, src: client->latest_flow_registration_id); |
6961 | uuid_copy(dst: desc->cuuid, src: client->client_id); |
6962 | } |
6963 | return true; |
6964 | } |
6965 | |
6966 | static int |
6967 | necp_skywalk_priv_check_cred(proc_t p, kauth_cred_t cred) |
6968 | { |
6969 | #pragma unused(p, cred) |
6970 | #if SKYWALK |
6971 | /* This includes Nexus controller and Skywalk observer privs */ |
6972 | return skywalk_nxctl_check_privileges(p, cred); |
6973 | #else /* !SKYWALK */ |
6974 | return 0; |
6975 | #endif /* !SKYWALK */ |
6976 | } |
6977 | |
6978 | /// System calls |
6979 | |
6980 | int |
6981 | necp_open(struct proc *p, struct necp_open_args *uap, int *retval) |
6982 | { |
6983 | #pragma unused(retval) |
6984 | int error = 0; |
6985 | struct necp_fd_data *fd_data = NULL; |
6986 | struct fileproc *fp = NULL; |
6987 | int fd = -1; |
6988 | |
6989 | if (uap->flags & NECP_OPEN_FLAG_OBSERVER || |
6990 | uap->flags & NECP_OPEN_FLAG_PUSH_OBSERVER) { |
6991 | if (necp_skywalk_priv_check_cred(p, cred: kauth_cred_get()) != 0 && |
6992 | priv_check_cred(cred: kauth_cred_get(), PRIV_NET_PRIVILEGED_NETWORK_STATISTICS, flags: 0) != 0) { |
6993 | NECPLOG0(LOG_ERR, "Client does not hold necessary entitlement to observe other NECP clients" ); |
6994 | error = EACCES; |
6995 | goto done; |
6996 | } |
6997 | } |
6998 | |
6999 | #if CONFIG_MACF |
7000 | error = mac_necp_check_open(proc: p, flags: uap->flags); |
7001 | if (error) { |
7002 | goto done; |
7003 | } |
7004 | #endif /* MACF */ |
7005 | |
7006 | error = falloc(p, &fp, &fd); |
7007 | if (error != 0) { |
7008 | goto done; |
7009 | } |
7010 | |
7011 | fd_data = kalloc_type(struct necp_fd_data, Z_WAITOK | Z_ZERO | Z_NOFAIL); |
7012 | |
7013 | fd_data->necp_fd_type = necp_fd_type_client; |
7014 | fd_data->flags = uap->flags; |
7015 | RB_INIT(&fd_data->clients); |
7016 | RB_INIT(&fd_data->flows); |
7017 | TAILQ_INIT(&fd_data->update_list); |
7018 | lck_mtx_init(lck: &fd_data->fd_lock, grp: &necp_fd_mtx_grp, attr: &necp_fd_mtx_attr); |
7019 | klist_init(list: &fd_data->si.si_note); |
7020 | fd_data->proc_pid = proc_pid(p); |
7021 | #if SKYWALK |
7022 | LIST_INIT(&fd_data->stats_arena_list); |
7023 | #endif /* !SKYWALK */ |
7024 | |
7025 | fp->fp_flags |= FP_CLOEXEC | FP_CLOFORK; |
7026 | fp->fp_glob->fg_flag = FREAD; |
7027 | fp->fp_glob->fg_ops = &necp_fd_ops; |
7028 | fp_set_data(fp, fg_data: fd_data); |
7029 | |
7030 | proc_fdlock(p); |
7031 | |
7032 | procfdtbl_releasefd(p, fd, NULL); |
7033 | fp_drop(p, fd, fp, locked: 1); |
7034 | |
7035 | *retval = fd; |
7036 | |
7037 | if (fd_data->flags & NECP_OPEN_FLAG_PUSH_OBSERVER) { |
7038 | NECP_OBSERVER_LIST_LOCK_EXCLUSIVE(); |
7039 | LIST_INSERT_HEAD(&necp_fd_observer_list, fd_data, chain); |
7040 | OSIncrementAtomic(&necp_observer_fd_count); |
7041 | NECP_OBSERVER_LIST_UNLOCK(); |
7042 | |
7043 | // Walk all existing clients and add them |
7044 | NECP_CLIENT_TREE_LOCK_SHARED(); |
7045 | struct necp_client *existing_client = NULL; |
7046 | RB_FOREACH(existing_client, _necp_client_global_tree, &necp_client_global_tree) { |
7047 | NECP_CLIENT_LOCK(existing_client); |
7048 | necp_client_update_observer_add_internal(observer_fd: fd_data, client: existing_client); |
7049 | necp_client_update_observer_update_internal(observer_fd: fd_data, client: existing_client); |
7050 | NECP_CLIENT_UNLOCK(existing_client); |
7051 | } |
7052 | NECP_CLIENT_TREE_UNLOCK(); |
7053 | } else { |
7054 | NECP_FD_LIST_LOCK_EXCLUSIVE(); |
7055 | LIST_INSERT_HEAD(&necp_fd_list, fd_data, chain); |
7056 | OSIncrementAtomic(&necp_client_fd_count); |
7057 | NECP_FD_LIST_UNLOCK(); |
7058 | } |
7059 | |
7060 | proc_fdunlock(p); |
7061 | |
7062 | done: |
7063 | if (error != 0) { |
7064 | if (fp != NULL) { |
7065 | fp_free(p, fd, fp); |
7066 | fp = NULL; |
7067 | } |
7068 | if (fd_data != NULL) { |
7069 | kfree_type(struct necp_fd_data, fd_data); |
7070 | } |
7071 | } |
7072 | |
7073 | return error; |
7074 | } |
7075 | |
7076 | // All functions called directly from necp_client_action() to handle one of the |
7077 | // types should be marked with NECP_CLIENT_ACTION_FUNCTION. This ensures that |
7078 | // necp_client_action() does not inline all the actions into a single function. |
7079 | #define NECP_CLIENT_ACTION_FUNCTION __attribute__((noinline)) |
7080 | |
7081 | static NECP_CLIENT_ACTION_FUNCTION int |
7082 | necp_client_add(struct proc *p, struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
7083 | { |
7084 | int error = 0; |
7085 | struct necp_client *client = NULL; |
7086 | const size_t buffer_size = uap->buffer_size; |
7087 | |
7088 | if (fd_data->flags & NECP_OPEN_FLAG_PUSH_OBSERVER) { |
7089 | NECPLOG0(LOG_ERR, "NECP client observers with push enabled may not add their own clients" ); |
7090 | return EINVAL; |
7091 | } |
7092 | |
7093 | if (uap->client_id == 0 || uap->client_id_len != sizeof(uuid_t) || |
7094 | buffer_size == 0 || buffer_size > NECP_MAX_CLIENT_PARAMETERS_SIZE || uap->buffer == 0) { |
7095 | return EINVAL; |
7096 | } |
7097 | |
7098 | client = kalloc_type(struct necp_client, Z_WAITOK | Z_ZERO | Z_NOFAIL); |
7099 | client->parameters = kalloc_data(buffer_size, Z_WAITOK | Z_NOFAIL); |
7100 | client->parameters_length = buffer_size; |
7101 | lck_mtx_init(lck: &client->lock, grp: &necp_fd_mtx_grp, attr: &necp_fd_mtx_attr); |
7102 | lck_mtx_init(lck: &client->route_lock, grp: &necp_fd_mtx_grp, attr: &necp_fd_mtx_attr); |
7103 | |
7104 | error = copyin(uap->buffer, client->parameters, buffer_size); |
7105 | if (error) { |
7106 | NECPLOG(LOG_ERR, "necp_client_add parameters copyin error (%d)" , error); |
7107 | goto done; |
7108 | } |
7109 | |
7110 | os_ref_init(&client->reference_count, &necp_client_refgrp); // Hold our reference until close |
7111 | |
7112 | client->proc_pid = fd_data->proc_pid; // Save off proc pid in case the client will persist past fd |
7113 | client->agent_handle = (void *)fd_data; |
7114 | client->platform_binary = ((csproc_get_platform_binary(p) == 0) ? 0 : 1); |
7115 | |
7116 | necp_generate_client_id(client_id: client->client_id, false); |
7117 | LIST_INIT(&client->assertion_list); |
7118 | RB_INIT(&client->flow_registrations); |
7119 | |
7120 | NECP_CLIENT_LOG(client, "Adding client" ); |
7121 | |
7122 | error = copyout(client->client_id, uap->client_id, sizeof(uuid_t)); |
7123 | if (error) { |
7124 | NECPLOG(LOG_ERR, "necp_client_add client_id copyout error (%d)" , error); |
7125 | goto done; |
7126 | } |
7127 | |
7128 | #if SKYWALK |
7129 | struct necp_client_parsed_parameters parsed_parameters = {}; |
7130 | int parse_error = necp_client_parse_parameters(client, parameters: client->parameters, parameters_size: (u_int32_t)client->parameters_length, parsed_parameters: &parsed_parameters); |
7131 | |
7132 | if (parse_error == 0 && |
7133 | ((parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_DELEGATED_UPID) || |
7134 | (parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_ATTRIBUTED_BUNDLE_IDENTIFIER))) { |
7135 | bool has_delegation_entitlement = (priv_check_cred(cred: kauth_cred_get(), PRIV_NET_PRIVILEGED_SOCKET_DELEGATE, flags: 0) == 0); |
7136 | if (!has_delegation_entitlement) { |
7137 | if (parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_DELEGATED_UPID) { |
7138 | NECPLOG(LOG_ERR, "%s(%d) does not hold the necessary entitlement to delegate network traffic for other processes by upid" , |
7139 | proc_name_address(p), proc_pid(p)); |
7140 | } |
7141 | if (parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_ATTRIBUTED_BUNDLE_IDENTIFIER) { |
7142 | NECPLOG(LOG_ERR, "%s(%d) does not hold the necessary entitlement to set attributed bundle identifier" , |
7143 | proc_name_address(p), proc_pid(p)); |
7144 | } |
7145 | error = EPERM; |
7146 | goto done; |
7147 | } |
7148 | |
7149 | if (parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_DELEGATED_UPID) { |
7150 | // Save off delegated unique PID |
7151 | client->delegated_upid = parsed_parameters.delegated_upid; |
7152 | } |
7153 | } |
7154 | |
7155 | if (parse_error == 0 && parsed_parameters.flags & NECP_CLIENT_PARAMETER_FLAG_INTERPOSE) { |
7156 | bool has_nexus_entitlement = (necp_skywalk_priv_check_cred(p, cred: kauth_cred_get()) == 0); |
7157 | if (!has_nexus_entitlement) { |
7158 | NECPLOG(LOG_ERR, "%s(%d) does not hold the necessary entitlement to open a custom nexus client" , |
7159 | proc_name_address(p), proc_pid(p)); |
7160 | error = EPERM; |
7161 | goto done; |
7162 | } |
7163 | } |
7164 | |
7165 | if (parse_error == 0 && (parsed_parameters.flags & |
7166 | (NECP_CLIENT_PARAMETER_FLAG_CUSTOM_ETHER | NECP_CLIENT_PARAMETER_FLAG_CUSTOM_IP))) { |
7167 | bool has_custom_protocol_entitlement = (priv_check_cred(cred: kauth_cred_get(), PRIV_NET_CUSTOM_PROTOCOL, flags: 0) == 0); |
7168 | if (!has_custom_protocol_entitlement) { |
7169 | NECPLOG(LOG_ERR, "%s(%d) does not hold the necessary entitlement for custom protocol APIs" , |
7170 | proc_name_address(p), proc_pid(p)); |
7171 | error = EPERM; |
7172 | goto done; |
7173 | } |
7174 | } |
7175 | |
7176 | if (parse_error == 0 && parsed_parameters.flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER && |
7177 | (parsed_parameters.ip_protocol == IPPROTO_TCP || parsed_parameters.ip_protocol == IPPROTO_UDP)) { |
7178 | uint32_t *netns_addr = NULL; |
7179 | uint8_t netns_addr_len = 0; |
7180 | struct ns_flow_info flow_info = {}; |
7181 | uint32_t netns_flags = NETNS_LISTENER; |
7182 | uuid_copy(dst: flow_info.nfi_flow_uuid, src: client->client_id); |
7183 | flow_info.nfi_protocol = parsed_parameters.ip_protocol; |
7184 | flow_info.nfi_owner_pid = client->proc_pid; |
7185 | if (parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_EFFECTIVE_PID) { |
7186 | flow_info.nfi_effective_pid = parsed_parameters.effective_pid; |
7187 | } else { |
7188 | flow_info.nfi_effective_pid = flow_info.nfi_owner_pid; |
7189 | } |
7190 | proc_name(pid: flow_info.nfi_owner_pid, buf: flow_info.nfi_owner_name, MAXCOMLEN); |
7191 | proc_name(pid: flow_info.nfi_effective_pid, buf: flow_info.nfi_effective_name, MAXCOMLEN); |
7192 | |
7193 | if (parsed_parameters.local_addr.sa.sa_family == AF_UNSPEC) { |
7194 | // Treat no local address as a wildcard IPv6 |
7195 | // parsed_parameters is already initialized to all zeros |
7196 | parsed_parameters.local_addr.sin6.sin6_family = AF_INET6; |
7197 | parsed_parameters.local_addr.sin6.sin6_len = sizeof(struct sockaddr_in6); |
7198 | } |
7199 | |
7200 | switch (parsed_parameters.local_addr.sa.sa_family) { |
7201 | case AF_INET: { |
7202 | memcpy(dst: &flow_info.nfi_laddr, src: &parsed_parameters.local_addr.sa, n: parsed_parameters.local_addr.sa.sa_len); |
7203 | netns_addr = (uint32_t *)&parsed_parameters.local_addr.sin.sin_addr; |
7204 | netns_addr_len = 4; |
7205 | break; |
7206 | } |
7207 | case AF_INET6: { |
7208 | memcpy(dst: &flow_info.nfi_laddr, src: &parsed_parameters.local_addr.sa, n: parsed_parameters.local_addr.sa.sa_len); |
7209 | netns_addr = (uint32_t *)&parsed_parameters.local_addr.sin6.sin6_addr; |
7210 | netns_addr_len = 16; |
7211 | break; |
7212 | } |
7213 | |
7214 | default: { |
7215 | NECPLOG(LOG_ERR, "necp_client_add listener invalid address family (%d)" , parsed_parameters.local_addr.sa.sa_family); |
7216 | error = EINVAL; |
7217 | goto done; |
7218 | } |
7219 | } |
7220 | if ((parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_FLAGS) && |
7221 | (parsed_parameters.flags & NECP_CLIENT_PARAMETER_FLAG_REUSE_LOCAL)) { |
7222 | netns_flags |= NETNS_REUSEPORT; |
7223 | } |
7224 | if (parsed_parameters.local_addr.sin.sin_port == 0) { |
7225 | error = netns_reserve_ephemeral(token: &client->port_reservation, addr: netns_addr, addr_len: netns_addr_len, proto: parsed_parameters.ip_protocol, |
7226 | port: &parsed_parameters.local_addr.sin.sin_port, flags: netns_flags, nfi: &flow_info); |
7227 | if (error) { |
7228 | NECPLOG(LOG_ERR, "necp_client_add netns_reserve_ephemeral error (%d)" , error); |
7229 | goto done; |
7230 | } |
7231 | |
7232 | // Update the parameter TLVs with the assigned port |
7233 | necp_client_update_local_port_parameters(parameters: client->parameters, parameters_size: (u_int32_t)client->parameters_length, local_port: parsed_parameters.local_addr.sin.sin_port); |
7234 | } else { |
7235 | error = netns_reserve(token: &client->port_reservation, addr: netns_addr, addr_len: netns_addr_len, proto: parsed_parameters.ip_protocol, |
7236 | port: parsed_parameters.local_addr.sin.sin_port, flags: netns_flags, nfi: &flow_info); |
7237 | if (error) { |
7238 | NECPLOG(LOG_ERR, "necp_client_add netns_reserve error (%d)" , error); |
7239 | goto done; |
7240 | } |
7241 | } |
7242 | } |
7243 | |
7244 | struct necp_client *parent = NULL; |
7245 | uuid_t parent_client_id; |
7246 | uuid_clear(uu: parent_client_id); |
7247 | struct necp_client_nexus_parameters parent_parameters = {}; |
7248 | uint16_t num_flow_regs = 0; |
7249 | if (parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_PARENT_UUID) { |
7250 | // The parent "should" be found on fd_data without having to search across the whole necp_fd_list |
7251 | // It would be nice to do this a little further down where there's another instance of NECP_FD_LOCK |
7252 | // but the logic here depends on the parse paramters |
7253 | NECP_FD_LOCK(fd_data); |
7254 | parent = necp_client_fd_find_client_unlocked(client_fd: fd_data, client_id: parsed_parameters.parent_uuid); |
7255 | if (parent != NULL) { |
7256 | necp_client_inherit_from_parent(client, parent); |
7257 | necp_client_copy_parameters_locked(client, parameters: &parent_parameters); |
7258 | uuid_copy(dst: parent_client_id, src: parsed_parameters.parent_uuid); |
7259 | struct necp_client_flow_registration *flow_registration = NULL; |
7260 | RB_FOREACH(flow_registration, _necp_client_flow_tree, &parent->flow_registrations) { |
7261 | num_flow_regs++; |
7262 | } |
7263 | } |
7264 | NECP_FD_UNLOCK(fd_data); |
7265 | if (parent == NULL) { |
7266 | NECPLOG0(LOG_ERR, "necp_client_add, no necp_client_inherit_from_parent as can't find parent on fd_data" ); |
7267 | } |
7268 | } |
7269 | if (parse_error == 0 && parent != NULL && parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_FLOW_DEMUX_PATTERN) { |
7270 | do { |
7271 | if (parsed_parameters.demux_patterns[0].len == 0) { |
7272 | NECPLOG0(LOG_INFO, "necp_client_add, child does not have a demux pattern" ); |
7273 | break; |
7274 | } |
7275 | |
7276 | if (uuid_is_null(uu: parent_client_id)) { |
7277 | NECPLOG0(LOG_INFO, "necp_client_add, parent ID is null" ); |
7278 | break; |
7279 | } |
7280 | |
7281 | if (num_flow_regs > 1) { |
7282 | NECPLOG0(LOG_INFO, "necp_client_add, multiple parent flows not supported" ); |
7283 | break; |
7284 | } |
7285 | if (parsed_parameters.ip_protocol != IPPROTO_UDP) { |
7286 | NECPLOG(LOG_INFO, "necp_client_add, flow demux pattern not supported for %d protocol" , |
7287 | parsed_parameters.ip_protocol); |
7288 | break; |
7289 | } |
7290 | if (parsed_parameters.ip_protocol != parent_parameters.ip_protocol) { |
7291 | NECPLOG0(LOG_INFO, "necp_client_add, parent/child ip protocol mismatch" ); |
7292 | break; |
7293 | } |
7294 | if (parsed_parameters.local_addr.sa.sa_family != AF_INET && parsed_parameters.local_addr.sa.sa_family != AF_INET6) { |
7295 | NECPLOG(LOG_INFO, "necp_client_add, flow demux pattern not supported for %d family" , |
7296 | parsed_parameters.local_addr.sa.sa_family); |
7297 | break; |
7298 | } |
7299 | if (parsed_parameters.local_addr.sa.sa_family != parsed_parameters.remote_addr.sa.sa_family) { |
7300 | NECPLOG0(LOG_INFO, "necp_client_add, local/remote address family mismatch" ); |
7301 | break; |
7302 | } |
7303 | if (parsed_parameters.local_addr.sa.sa_family != parent_parameters.local_addr.sa.sa_family) { |
7304 | NECPLOG0(LOG_INFO, "necp_client_add, parent/child address family mismatch" ); |
7305 | break; |
7306 | } |
7307 | if (memcmp(s1: &parsed_parameters.local_addr.sa, s2: &parent_parameters.local_addr.sa, n: parsed_parameters.local_addr.sa.sa_len)) { |
7308 | NECPLOG0(LOG_INFO, "necp_client_add, parent/child local address mismatch" ); |
7309 | break; |
7310 | } |
7311 | if (memcmp(s1: &parsed_parameters.remote_addr.sa, s2: &parent_parameters.remote_addr.sa, n: parsed_parameters.remote_addr.sa.sa_len)) { |
7312 | NECPLOG0(LOG_INFO, "necp_client_add, parent/child remote address mismatch" ); |
7313 | break; |
7314 | } |
7315 | if (parsed_parameters.local_addr.sin.sin_port != parent_parameters.local_addr.sin.sin_port) { |
7316 | NECPLOG0(LOG_INFO, "necp_client_add, parent/child local port mismatch" ); |
7317 | break; |
7318 | } |
7319 | if (parsed_parameters.remote_addr.sin.sin_port != parent_parameters.remote_addr.sin.sin_port) { |
7320 | NECPLOG0(LOG_INFO, "necp_client_add, parent/child remote port mismatch" ); |
7321 | break; |
7322 | } |
7323 | client->validated_parent = 1; |
7324 | uuid_copy(dst: client->parent_client_id, src: parent_client_id); |
7325 | } while (false); |
7326 | } |
7327 | |
7328 | #endif /* !SKYWALK */ |
7329 | |
7330 | necp_client_update_observer_add(client); |
7331 | |
7332 | NECP_FD_LOCK(fd_data); |
7333 | RB_INSERT(_necp_client_tree, &fd_data->clients, client); |
7334 | OSIncrementAtomic(&necp_client_count); |
7335 | NECP_CLIENT_TREE_LOCK_EXCLUSIVE(); |
7336 | RB_INSERT(_necp_client_global_tree, &necp_client_global_tree, client); |
7337 | NECP_CLIENT_TREE_UNLOCK(); |
7338 | |
7339 | // Prime the client result |
7340 | NECP_CLIENT_LOCK(client); |
7341 | (void)necp_update_client_result(proc: current_proc(), client_fd: fd_data, client, NULL); |
7342 | necp_client_retain_locked(client); |
7343 | NECP_CLIENT_UNLOCK(client); |
7344 | NECP_FD_UNLOCK(fd_data); |
7345 | // Now everything is set, it's safe to plumb this in to NetworkStatistics |
7346 | uint32_t ntstat_properties = 0; |
7347 | necp_find_conn_netstat_data(client, ntstat_flags: &ntstat_properties, NULL, NULL, NULL, NULL, NULL); |
7348 | |
7349 | client->nstat_context = nstat_provider_stats_open(ctx: (nstat_provider_context)client, |
7350 | provider_id: NSTAT_PROVIDER_CONN_USERLAND, properties: (u_int64_t)ntstat_properties, req_fn: necp_request_conn_netstats, req_extensions_fn: necp_find_conn_extension_info); |
7351 | necp_client_release(client); |
7352 | done: |
7353 | if (error != 0 && client != NULL) { |
7354 | necp_client_free(client); |
7355 | client = NULL; |
7356 | } |
7357 | *retval = error; |
7358 | |
7359 | return error; |
7360 | } |
7361 | |
7362 | static NECP_CLIENT_ACTION_FUNCTION int |
7363 | necp_client_claim(struct proc *p, struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
7364 | { |
7365 | int error = 0; |
7366 | uuid_t client_id = {}; |
7367 | struct necp_client *client = NULL; |
7368 | |
7369 | if (uap->client_id == 0 || uap->client_id_len != sizeof(uuid_t)) { |
7370 | error = EINVAL; |
7371 | goto done; |
7372 | } |
7373 | |
7374 | error = copyin(uap->client_id, client_id, sizeof(uuid_t)); |
7375 | if (error) { |
7376 | NECPLOG(LOG_ERR, "necp_client_claim copyin client_id error (%d)" , error); |
7377 | goto done; |
7378 | } |
7379 | |
7380 | if (necp_client_id_is_flow(client_id)) { |
7381 | NECPLOG0(LOG_ERR, "necp_client_claim cannot claim from flow UUID" ); |
7382 | error = EINVAL; |
7383 | goto done; |
7384 | } |
7385 | |
7386 | u_int64_t upid = proc_uniqueid(p); |
7387 | |
7388 | NECP_FD_LIST_LOCK_SHARED(); |
7389 | |
7390 | struct necp_fd_data *find_fd = NULL; |
7391 | LIST_FOREACH(find_fd, &necp_fd_list, chain) { |
7392 | NECP_FD_LOCK(find_fd); |
7393 | struct necp_client *find_client = necp_client_fd_find_client_and_lock(client_fd: find_fd, client_id); |
7394 | if (find_client != NULL) { |
7395 | if (find_client->delegated_upid == upid && |
7396 | RB_EMPTY(&find_client->flow_registrations)) { |
7397 | // Matched the client to claim; remove from the old fd |
7398 | client = find_client; |
7399 | RB_REMOVE(_necp_client_tree, &find_fd->clients, client); |
7400 | necp_client_retain_locked(client); |
7401 | } |
7402 | NECP_CLIENT_UNLOCK(find_client); |
7403 | } |
7404 | NECP_FD_UNLOCK(find_fd); |
7405 | |
7406 | if (client != NULL) { |
7407 | break; |
7408 | } |
7409 | } |
7410 | |
7411 | NECP_FD_LIST_UNLOCK(); |
7412 | |
7413 | if (client == NULL) { |
7414 | error = ENOENT; |
7415 | goto done; |
7416 | } |
7417 | |
7418 | client->proc_pid = fd_data->proc_pid; // Transfer client to claiming pid |
7419 | client->agent_handle = (void *)fd_data; |
7420 | client->platform_binary = ((csproc_get_platform_binary(p) == 0) ? 0 : 1); |
7421 | |
7422 | NECP_CLIENT_LOG(client, "Claiming client" ); |
7423 | |
7424 | // Add matched client to our fd and re-run result |
7425 | NECP_FD_LOCK(fd_data); |
7426 | RB_INSERT(_necp_client_tree, &fd_data->clients, client); |
7427 | NECP_CLIENT_LOCK(client); |
7428 | (void)necp_update_client_result(proc: current_proc(), client_fd: fd_data, client, NULL); |
7429 | NECP_CLIENT_UNLOCK(client); |
7430 | NECP_FD_UNLOCK(fd_data); |
7431 | |
7432 | necp_client_release(client); |
7433 | |
7434 | done: |
7435 | *retval = error; |
7436 | |
7437 | return error; |
7438 | } |
7439 | |
7440 | static NECP_CLIENT_ACTION_FUNCTION int |
7441 | necp_client_remove(struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
7442 | { |
7443 | int error = 0; |
7444 | uuid_t client_id = {}; |
7445 | struct ifnet_stats_per_flow flow_ifnet_stats = {}; |
7446 | const size_t buffer_size = uap->buffer_size; |
7447 | |
7448 | if (uap->client_id == 0 || uap->client_id_len != sizeof(uuid_t)) { |
7449 | error = EINVAL; |
7450 | goto done; |
7451 | } |
7452 | |
7453 | error = copyin(uap->client_id, client_id, sizeof(uuid_t)); |
7454 | if (error) { |
7455 | NECPLOG(LOG_ERR, "necp_client_remove copyin client_id error (%d)" , error); |
7456 | goto done; |
7457 | } |
7458 | |
7459 | if (uap->buffer != 0 && buffer_size == sizeof(flow_ifnet_stats)) { |
7460 | error = copyin(uap->buffer, &flow_ifnet_stats, buffer_size); |
7461 | if (error) { |
7462 | NECPLOG(LOG_ERR, "necp_client_remove flow_ifnet_stats copyin error (%d)" , error); |
7463 | // Not fatal; make sure to zero-out stats in case of partial copy |
7464 | memset(s: &flow_ifnet_stats, c: 0, n: sizeof(flow_ifnet_stats)); |
7465 | error = 0; |
7466 | } |
7467 | } else if (uap->buffer != 0) { |
7468 | NECPLOG(LOG_ERR, "necp_client_remove unexpected parameters length (%zu)" , buffer_size); |
7469 | } |
7470 | |
7471 | NECP_FD_LOCK(fd_data); |
7472 | |
7473 | pid_t pid = fd_data->proc_pid; |
7474 | struct necp_client *client = necp_client_fd_find_client_unlocked(client_fd: fd_data, client_id); |
7475 | |
7476 | NECP_CLIENT_LOG(client, "Removing client" ); |
7477 | |
7478 | if (client != NULL) { |
7479 | // Remove any flow registrations that match |
7480 | struct necp_client_flow_registration *flow_registration = NULL; |
7481 | struct necp_client_flow_registration *temp_flow_registration = NULL; |
7482 | RB_FOREACH_SAFE(flow_registration, _necp_fd_flow_tree, &fd_data->flows, temp_flow_registration) { |
7483 | if (flow_registration->client == client) { |
7484 | #if SKYWALK |
7485 | necp_destroy_flow_stats(fd_data, flow_registration, NULL, TRUE); |
7486 | #endif /* SKYWALK */ |
7487 | NECP_FLOW_TREE_LOCK_EXCLUSIVE(); |
7488 | RB_REMOVE(_necp_client_flow_global_tree, &necp_client_flow_global_tree, flow_registration); |
7489 | NECP_FLOW_TREE_UNLOCK(); |
7490 | RB_REMOVE(_necp_fd_flow_tree, &fd_data->flows, flow_registration); |
7491 | } |
7492 | } |
7493 | #if SKYWALK |
7494 | if (client->nstat_context != NULL) { |
7495 | // Main path, we expect stats to be in existance at this point |
7496 | nstat_provider_stats_close(nstat_ctx: client->nstat_context); |
7497 | client->nstat_context = NULL; |
7498 | } else { |
7499 | NECPLOG0(LOG_ERR, "necp_client_remove ntstat shutdown finds nstat_context NULL" ); |
7500 | } |
7501 | #endif /* SKYWALK */ |
7502 | // Remove client from lists |
7503 | NECP_CLIENT_TREE_LOCK_EXCLUSIVE(); |
7504 | RB_REMOVE(_necp_client_global_tree, &necp_client_global_tree, client); |
7505 | NECP_CLIENT_TREE_UNLOCK(); |
7506 | RB_REMOVE(_necp_client_tree, &fd_data->clients, client); |
7507 | } |
7508 | |
7509 | #if SKYWALK |
7510 | // If the currently-active arena is idle (has no more flows referring to it), or if there are defunct |
7511 | // arenas lingering in the list, schedule a threadcall to do the clean up. The idle check is done |
7512 | // by checking if the reference count is 3: one held by this client (will be released below when we |
7513 | // destroy it) when it's non-NULL; the rest held by stats_arena_{active,list}. |
7514 | if ((fd_data->stats_arena_active != NULL && fd_data->stats_arena_active->nai_use_count == 3) || |
7515 | (fd_data->stats_arena_active == NULL && !LIST_EMPTY(&fd_data->stats_arena_list))) { |
7516 | uint64_t deadline = 0; |
7517 | uint64_t leeway = 0; |
7518 | clock_interval_to_deadline(interval: necp_close_arenas_timeout_microseconds, NSEC_PER_USEC, result: &deadline); |
7519 | clock_interval_to_absolutetime_interval(interval: necp_close_arenas_timeout_leeway_microseconds, NSEC_PER_USEC, result: &leeway); |
7520 | |
7521 | thread_call_enter_delayed_with_leeway(call: necp_close_empty_arenas_tcall, NULL, |
7522 | deadline, leeway, THREAD_CALL_DELAY_LEEWAY); |
7523 | } |
7524 | #endif /* SKYWALK */ |
7525 | |
7526 | NECP_FD_UNLOCK(fd_data); |
7527 | |
7528 | if (client != NULL) { |
7529 | ASSERT(error == 0); |
7530 | necp_destroy_client(client, pid, true); |
7531 | } else { |
7532 | error = ENOENT; |
7533 | NECPLOG(LOG_ERR, "necp_client_remove invalid client_id (%d)" , error); |
7534 | } |
7535 | done: |
7536 | *retval = error; |
7537 | |
7538 | return error; |
7539 | } |
7540 | |
7541 | static struct necp_client_flow_registration * |
7542 | necp_client_fd_find_flow(struct necp_fd_data *client_fd, uuid_t flow_id) |
7543 | { |
7544 | NECP_FD_ASSERT_LOCKED(client_fd); |
7545 | struct necp_client_flow_registration *flow = NULL; |
7546 | |
7547 | if (necp_client_id_is_flow(client_id: flow_id)) { |
7548 | struct necp_client_flow_registration find; |
7549 | uuid_copy(dst: find.registration_id, src: flow_id); |
7550 | flow = RB_FIND(_necp_fd_flow_tree, &client_fd->flows, &find); |
7551 | } |
7552 | |
7553 | return flow; |
7554 | } |
7555 | |
7556 | static NECP_CLIENT_ACTION_FUNCTION int |
7557 | necp_client_remove_flow(struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
7558 | { |
7559 | int error = 0; |
7560 | uuid_t flow_id = {}; |
7561 | struct ifnet_stats_per_flow flow_ifnet_stats = {}; |
7562 | const size_t buffer_size = uap->buffer_size; |
7563 | |
7564 | if (uap->client_id == 0 || uap->client_id_len != sizeof(uuid_t)) { |
7565 | error = EINVAL; |
7566 | NECPLOG(LOG_ERR, "necp_client_remove_flow invalid client_id (length %zu)" , (size_t)uap->client_id_len); |
7567 | goto done; |
7568 | } |
7569 | |
7570 | error = copyin(uap->client_id, flow_id, sizeof(uuid_t)); |
7571 | if (error) { |
7572 | NECPLOG(LOG_ERR, "necp_client_remove_flow copyin client_id error (%d)" , error); |
7573 | goto done; |
7574 | } |
7575 | |
7576 | if (uap->buffer != 0 && buffer_size == sizeof(flow_ifnet_stats)) { |
7577 | error = copyin(uap->buffer, &flow_ifnet_stats, buffer_size); |
7578 | if (error) { |
7579 | NECPLOG(LOG_ERR, "necp_client_remove flow_ifnet_stats copyin error (%d)" , error); |
7580 | // Not fatal |
7581 | } |
7582 | } else if (uap->buffer != 0) { |
7583 | NECPLOG(LOG_ERR, "necp_client_remove unexpected parameters length (%zu)" , buffer_size); |
7584 | } |
7585 | |
7586 | NECP_FD_LOCK(fd_data); |
7587 | struct necp_client *client = NULL; |
7588 | struct necp_client_flow_registration *flow_registration = necp_client_fd_find_flow(client_fd: fd_data, flow_id); |
7589 | if (flow_registration != NULL) { |
7590 | #if SKYWALK |
7591 | // Cleanup stats per flow |
7592 | necp_destroy_flow_stats(fd_data, flow_registration, flow_ifnet_stats: &flow_ifnet_stats, TRUE); |
7593 | #endif /* SKYWALK */ |
7594 | NECP_FLOW_TREE_LOCK_EXCLUSIVE(); |
7595 | RB_REMOVE(_necp_client_flow_global_tree, &necp_client_flow_global_tree, flow_registration); |
7596 | NECP_FLOW_TREE_UNLOCK(); |
7597 | RB_REMOVE(_necp_fd_flow_tree, &fd_data->flows, flow_registration); |
7598 | |
7599 | client = flow_registration->client; |
7600 | if (client != NULL) { |
7601 | necp_client_retain(client); |
7602 | } |
7603 | } |
7604 | NECP_FD_UNLOCK(fd_data); |
7605 | |
7606 | NECP_CLIENT_FLOW_LOG(client, flow_registration, "removing flow" ); |
7607 | |
7608 | if (flow_registration != NULL && client != NULL) { |
7609 | NECP_CLIENT_LOCK(client); |
7610 | if (flow_registration->client == client) { |
7611 | necp_destroy_client_flow_registration(client, flow_registration, pid: fd_data->proc_pid, false); |
7612 | } |
7613 | necp_client_release_locked(client); |
7614 | NECP_CLIENT_UNLOCK(client); |
7615 | } |
7616 | |
7617 | done: |
7618 | *retval = error; |
7619 | if (error != 0) { |
7620 | NECPLOG(LOG_ERR, "Remove flow error (%d)" , error); |
7621 | } |
7622 | |
7623 | return error; |
7624 | } |
7625 | |
7626 | // Don't inline the function since it includes necp_client_parsed_parameters on the stack |
7627 | static __attribute__((noinline)) int |
7628 | necp_client_check_tcp_heuristics(struct necp_client *client, struct necp_client_flow *flow, u_int32_t *flags, u_int8_t *tfo_cookie, u_int8_t *tfo_cookie_len) |
7629 | { |
7630 | struct necp_client_parsed_parameters parsed_parameters; |
7631 | int error = 0; |
7632 | |
7633 | error = necp_client_parse_parameters(client, parameters: client->parameters, |
7634 | parameters_size: (u_int32_t)client->parameters_length, |
7635 | parsed_parameters: &parsed_parameters); |
7636 | if (error) { |
7637 | NECPLOG(LOG_ERR, "necp_client_parse_parameters error (%d)" , error); |
7638 | return error; |
7639 | } |
7640 | |
7641 | if ((flow->remote_addr.sa.sa_family != AF_INET && |
7642 | flow->remote_addr.sa.sa_family != AF_INET6) || |
7643 | (flow->local_addr.sa.sa_family != AF_INET && |
7644 | flow->local_addr.sa.sa_family != AF_INET6)) { |
7645 | return EINVAL; |
7646 | } |
7647 | |
7648 | NECP_CLIENT_ROUTE_LOCK(client); |
7649 | |
7650 | if (client->current_route == NULL) { |
7651 | error = ENOENT; |
7652 | goto do_unlock; |
7653 | } |
7654 | |
7655 | bool check_ecn = false; |
7656 | do { |
7657 | if ((parsed_parameters.flags & NECP_CLIENT_PARAMETER_FLAG_ECN_ENABLE) == |
7658 | NECP_CLIENT_PARAMETER_FLAG_ECN_ENABLE) { |
7659 | check_ecn = true; |
7660 | break; |
7661 | } |
7662 | |
7663 | if ((parsed_parameters.flags & NECP_CLIENT_PARAMETER_FLAG_ECN_DISABLE) == |
7664 | NECP_CLIENT_PARAMETER_FLAG_ECN_DISABLE) { |
7665 | break; |
7666 | } |
7667 | |
7668 | if (client->current_route != NULL) { |
7669 | if (client->current_route->rt_ifp->if_eflags & IFEF_ECN_ENABLE) { |
7670 | check_ecn = true; |
7671 | break; |
7672 | } |
7673 | if (client->current_route->rt_ifp->if_eflags & IFEF_ECN_DISABLE) { |
7674 | break; |
7675 | } |
7676 | } |
7677 | |
7678 | bool inbound = ((parsed_parameters.flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) == 0); |
7679 | if ((inbound && tcp_ecn_inbound == 1) || |
7680 | (!inbound && tcp_ecn_outbound == 1)) { |
7681 | check_ecn = true; |
7682 | } |
7683 | } while (false); |
7684 | |
7685 | if (check_ecn) { |
7686 | if (tcp_heuristic_do_ecn_with_address(ifp: client->current_route->rt_ifp, |
7687 | local_address: (union sockaddr_in_4_6 *)&flow->local_addr)) { |
7688 | *flags |= NECP_CLIENT_RESULT_FLAG_ECN_ENABLED; |
7689 | } |
7690 | } |
7691 | |
7692 | if ((parsed_parameters.flags & NECP_CLIENT_PARAMETER_FLAG_TFO_ENABLE) == |
7693 | NECP_CLIENT_PARAMETER_FLAG_TFO_ENABLE) { |
7694 | if (!tcp_heuristic_do_tfo_with_address(ifp: client->current_route->rt_ifp, |
7695 | local_address: (union sockaddr_in_4_6 *)&flow->local_addr, |
7696 | remote_address: (union sockaddr_in_4_6 *)&flow->remote_addr, |
7697 | cookie: tfo_cookie, cookie_len: tfo_cookie_len)) { |
7698 | *flags |= NECP_CLIENT_RESULT_FLAG_FAST_OPEN_BLOCKED; |
7699 | *tfo_cookie_len = 0; |
7700 | } |
7701 | } else { |
7702 | *flags |= NECP_CLIENT_RESULT_FLAG_FAST_OPEN_BLOCKED; |
7703 | *tfo_cookie_len = 0; |
7704 | } |
7705 | do_unlock: |
7706 | NECP_CLIENT_ROUTE_UNLOCK(client); |
7707 | |
7708 | return error; |
7709 | } |
7710 | |
7711 | static size_t |
7712 | necp_client_calculate_flow_tlv_size(struct necp_client_flow_registration *flow_registration) |
7713 | { |
7714 | size_t assigned_results_size = 0; |
7715 | struct necp_client_flow *flow = NULL; |
7716 | LIST_FOREACH(flow, &flow_registration->flow_list, flow_chain) { |
7717 | if (flow->assigned || !necp_client_endpoint_is_unspecified(endpoint: (struct necp_client_endpoint *)&flow->remote_addr)) { |
7718 | size_t = 0; |
7719 | if (flow->nexus) { |
7720 | header_length = sizeof(struct necp_client_nexus_flow_header); |
7721 | } else { |
7722 | header_length = sizeof(struct necp_client_flow_header); |
7723 | } |
7724 | assigned_results_size += (header_length + flow->assigned_results_length); |
7725 | |
7726 | if (flow->has_protoctl_event) { |
7727 | assigned_results_size += sizeof(struct necp_client_flow_protoctl_event_header); |
7728 | } |
7729 | } |
7730 | } |
7731 | return assigned_results_size; |
7732 | } |
7733 | |
7734 | static int |
7735 | necp_client_fillout_flow_tlvs(struct necp_client *client, |
7736 | bool client_is_observed, |
7737 | struct necp_client_flow_registration *flow_registration, |
7738 | struct necp_client_action_args *uap, |
7739 | size_t *assigned_results_cursor) |
7740 | { |
7741 | int error = 0; |
7742 | struct necp_client_flow *flow = NULL; |
7743 | LIST_FOREACH(flow, &flow_registration->flow_list, flow_chain) { |
7744 | if (flow->assigned || !necp_client_endpoint_is_unspecified(endpoint: (struct necp_client_endpoint *)&flow->remote_addr)) { |
7745 | // Write TLV headers |
7746 | struct necp_client_nexus_flow_header = {}; |
7747 | u_int32_t length = 0; |
7748 | u_int32_t flags = 0; |
7749 | u_int8_t tfo_cookie_len = 0; |
7750 | u_int8_t type = 0; |
7751 | |
7752 | type = NECP_CLIENT_RESULT_FLOW_ID; |
7753 | length = sizeof(header.flow_header.flow_id); |
7754 | memcpy(dst: &header.flow_header.flow_id_tlv_header.type, src: &type, n: sizeof(type)); |
7755 | memcpy(dst: &header.flow_header.flow_id_tlv_header.length, src: &length, n: sizeof(length)); |
7756 | uuid_copy(dst: header.flow_header.flow_id, src: flow_registration->registration_id); |
7757 | |
7758 | if (flow->nexus) { |
7759 | if (flow->check_tcp_heuristics) { |
7760 | u_int8_t tfo_cookie[NECP_TFO_COOKIE_LEN_MAX]; |
7761 | tfo_cookie_len = NECP_TFO_COOKIE_LEN_MAX; |
7762 | |
7763 | if (necp_client_check_tcp_heuristics(client, flow, flags: &flags, |
7764 | tfo_cookie, tfo_cookie_len: &tfo_cookie_len) != 0) { |
7765 | tfo_cookie_len = 0; |
7766 | } else { |
7767 | flow->check_tcp_heuristics = FALSE; |
7768 | |
7769 | if (tfo_cookie_len != 0) { |
7770 | type = NECP_CLIENT_RESULT_TFO_COOKIE; |
7771 | length = tfo_cookie_len; |
7772 | memcpy(dst: &header.tfo_cookie_tlv_header.type, src: &type, n: sizeof(type)); |
7773 | memcpy(dst: &header.tfo_cookie_tlv_header.length, src: &length, n: sizeof(length)); |
7774 | memcpy(dst: &header.tfo_cookie_value, src: tfo_cookie, n: tfo_cookie_len); |
7775 | } |
7776 | } |
7777 | } |
7778 | } |
7779 | |
7780 | size_t = 0; |
7781 | if (flow->nexus) { |
7782 | if (tfo_cookie_len != 0) { |
7783 | header_length = sizeof(struct necp_client_nexus_flow_header) - (NECP_TFO_COOKIE_LEN_MAX - tfo_cookie_len); |
7784 | } else { |
7785 | header_length = sizeof(struct necp_client_nexus_flow_header) - sizeof(struct necp_tlv_header) - NECP_TFO_COOKIE_LEN_MAX; |
7786 | } |
7787 | } else { |
7788 | header_length = sizeof(struct necp_client_flow_header); |
7789 | } |
7790 | |
7791 | type = NECP_CLIENT_RESULT_FLAGS; |
7792 | length = sizeof(header.flow_header.flags_value); |
7793 | memcpy(dst: &header.flow_header.flags_tlv_header.type, src: &type, n: sizeof(type)); |
7794 | memcpy(dst: &header.flow_header.flags_tlv_header.length, src: &length, n: sizeof(length)); |
7795 | if (flow->assigned) { |
7796 | flags |= NECP_CLIENT_RESULT_FLAG_FLOW_ASSIGNED; |
7797 | } |
7798 | if (flow->viable) { |
7799 | flags |= NECP_CLIENT_RESULT_FLAG_FLOW_VIABLE; |
7800 | } |
7801 | if (flow_registration->defunct) { |
7802 | flags |= NECP_CLIENT_RESULT_FLAG_DEFUNCT; |
7803 | } |
7804 | flags |= flow->necp_flow_flags; |
7805 | memcpy(dst: &header.flow_header.flags_value, src: &flags, n: sizeof(flags)); |
7806 | |
7807 | type = NECP_CLIENT_RESULT_INTERFACE; |
7808 | length = sizeof(header.flow_header.interface_value); |
7809 | memcpy(dst: &header.flow_header.interface_tlv_header.type, src: &type, n: sizeof(type)); |
7810 | memcpy(dst: &header.flow_header.interface_tlv_header.length, src: &length, n: sizeof(length)); |
7811 | |
7812 | struct necp_client_result_interface interface_struct; |
7813 | interface_struct.generation = 0; |
7814 | interface_struct.index = flow->interface_index; |
7815 | |
7816 | memcpy(dst: &header.flow_header.interface_value, src: &interface_struct, n: sizeof(interface_struct)); |
7817 | if (flow->nexus) { |
7818 | type = NECP_CLIENT_RESULT_NETAGENT; |
7819 | length = sizeof(header.agent_value); |
7820 | memcpy(dst: &header.agent_tlv_header.type, src: &type, n: sizeof(type)); |
7821 | memcpy(dst: &header.agent_tlv_header.length, src: &length, n: sizeof(length)); |
7822 | |
7823 | struct necp_client_result_netagent agent_struct; |
7824 | uuid_copy(dst: agent_struct.netagent_uuid, src: flow->u.nexus_agent); |
7825 | agent_struct.generation = netagent_get_generation(uuid: agent_struct.netagent_uuid); |
7826 | |
7827 | memcpy(dst: &header.agent_value, src: &agent_struct, n: sizeof(agent_struct)); |
7828 | } |
7829 | |
7830 | // Don't include outer TLV header in length field |
7831 | type = NECP_CLIENT_RESULT_FLOW; |
7832 | length = (header_length - sizeof(struct necp_tlv_header) + flow->assigned_results_length); |
7833 | if (flow->has_protoctl_event) { |
7834 | length += sizeof(struct necp_client_flow_protoctl_event_header); |
7835 | } |
7836 | memcpy(dst: &header.flow_header.outer_header.type, src: &type, n: sizeof(type)); |
7837 | memcpy(dst: &header.flow_header.outer_header.length, src: &length, n: sizeof(length)); |
7838 | |
7839 | error = copyout(&header, uap->buffer + client->result_length + *assigned_results_cursor, header_length); |
7840 | if (error) { |
7841 | NECPLOG(LOG_ERR, "necp_client_copy assigned results tlv_header copyout error (%d)" , error); |
7842 | return error; |
7843 | } |
7844 | *assigned_results_cursor += header_length; |
7845 | |
7846 | if (flow->assigned_results && flow->assigned_results_length) { |
7847 | // Write inner TLVs |
7848 | error = copyout(flow->assigned_results, uap->buffer + client->result_length + *assigned_results_cursor, |
7849 | flow->assigned_results_length); |
7850 | if (error) { |
7851 | NECPLOG(LOG_ERR, "necp_client_copy assigned results copyout error (%d)" , error); |
7852 | return error; |
7853 | } |
7854 | } |
7855 | *assigned_results_cursor += flow->assigned_results_length; |
7856 | |
7857 | /* Read the protocol event and reset it */ |
7858 | if (flow->has_protoctl_event) { |
7859 | struct necp_client_flow_protoctl_event_header = {}; |
7860 | |
7861 | type = NECP_CLIENT_RESULT_PROTO_CTL_EVENT; |
7862 | length = sizeof(protoctl_event_header.protoctl_event); |
7863 | |
7864 | memcpy(dst: &protoctl_event_header.protoctl_tlv_header.type, src: &type, n: sizeof(type)); |
7865 | memcpy(dst: &protoctl_event_header.protoctl_tlv_header.length, src: &length, n: sizeof(length)); |
7866 | memcpy(dst: &protoctl_event_header.protoctl_event, src: &flow->protoctl_event, |
7867 | n: sizeof(flow->protoctl_event)); |
7868 | |
7869 | error = copyout(&protoctl_event_header, uap->buffer + client->result_length + *assigned_results_cursor, |
7870 | sizeof(protoctl_event_header)); |
7871 | |
7872 | if (error) { |
7873 | NECPLOG(LOG_ERR, "necp_client_copy protocol control event results" |
7874 | " tlv_header copyout error (%d)" , error); |
7875 | return error; |
7876 | } |
7877 | *assigned_results_cursor += sizeof(protoctl_event_header); |
7878 | flow->has_protoctl_event = FALSE; |
7879 | flow->protoctl_event.protoctl_event_code = 0; |
7880 | flow->protoctl_event.protoctl_event_val = 0; |
7881 | flow->protoctl_event.protoctl_event_tcp_seq_num = 0; |
7882 | } |
7883 | } |
7884 | } |
7885 | if (!client_is_observed) { |
7886 | flow_registration->flow_result_read = TRUE; |
7887 | } |
7888 | return 0; |
7889 | } |
7890 | |
7891 | static int |
7892 | necp_client_copy_internal(struct necp_client *client, uuid_t client_id, bool client_is_observed, struct necp_client_action_args *uap, int *retval) |
7893 | { |
7894 | NECP_CLIENT_ASSERT_LOCKED(client); |
7895 | int error = 0; |
7896 | // Copy results out |
7897 | if (uap->action == NECP_CLIENT_ACTION_COPY_PARAMETERS) { |
7898 | if (uap->buffer_size < client->parameters_length) { |
7899 | return EINVAL; |
7900 | } |
7901 | error = copyout(client->parameters, uap->buffer, client->parameters_length); |
7902 | if (error) { |
7903 | NECPLOG(LOG_ERR, "necp_client_copy parameters copyout error (%d)" , error); |
7904 | return error; |
7905 | } |
7906 | *retval = client->parameters_length; |
7907 | } else if (uap->action == NECP_CLIENT_ACTION_COPY_UPDATED_RESULT && |
7908 | client->result_read && client->group_members_read && !necp_client_has_unread_flows(client)) { |
7909 | // Copy updates only, but nothing to read |
7910 | // Just return 0 for bytes read |
7911 | *retval = 0; |
7912 | } else if (uap->action == NECP_CLIENT_ACTION_COPY_RESULT || |
7913 | uap->action == NECP_CLIENT_ACTION_COPY_UPDATED_RESULT) { |
7914 | size_t assigned_results_size = client->assigned_group_members_length; |
7915 | |
7916 | bool some_flow_is_defunct = false; |
7917 | struct necp_client_flow_registration *single_flow_registration = NULL; |
7918 | if (necp_client_id_is_flow(client_id)) { |
7919 | single_flow_registration = necp_client_find_flow(client, flow_id: client_id); |
7920 | if (single_flow_registration != NULL) { |
7921 | assigned_results_size += necp_client_calculate_flow_tlv_size(flow_registration: single_flow_registration); |
7922 | } |
7923 | } else { |
7924 | // This request is for the client, so copy everything |
7925 | struct necp_client_flow_registration *flow_registration = NULL; |
7926 | RB_FOREACH(flow_registration, _necp_client_flow_tree, &client->flow_registrations) { |
7927 | if (flow_registration->defunct) { |
7928 | some_flow_is_defunct = true; |
7929 | } |
7930 | assigned_results_size += necp_client_calculate_flow_tlv_size(flow_registration); |
7931 | } |
7932 | } |
7933 | if (uap->buffer_size < (client->result_length + assigned_results_size)) { |
7934 | return EINVAL; |
7935 | } |
7936 | |
7937 | u_int32_t original_flags = 0; |
7938 | bool flags_updated = false; |
7939 | if (some_flow_is_defunct && client->legacy_client_is_flow) { |
7940 | // If our client expects the defunct flag in the client, add it now |
7941 | u_int32_t client_flags = 0; |
7942 | u_int32_t value_size = 0; |
7943 | u_int8_t *flags_pointer = necp_buffer_get_tlv_value(buffer: client->result, tlv_offset: 0, value_size: &value_size); |
7944 | if (flags_pointer != NULL && value_size == sizeof(client_flags)) { |
7945 | memcpy(dst: &client_flags, src: flags_pointer, n: value_size); |
7946 | original_flags = client_flags; |
7947 | client_flags |= NECP_CLIENT_RESULT_FLAG_DEFUNCT; |
7948 | (void)necp_buffer_write_tlv_if_different(cursor: client->result, NECP_CLIENT_RESULT_FLAGS, |
7949 | length: sizeof(client_flags), value: &client_flags, updated: &flags_updated, |
7950 | buffer: client->result, buffer_length: sizeof(client->result)); |
7951 | } |
7952 | } |
7953 | |
7954 | error = copyout(client->result, uap->buffer, client->result_length); |
7955 | |
7956 | if (flags_updated) { |
7957 | // Revert stored flags |
7958 | (void)necp_buffer_write_tlv_if_different(cursor: client->result, NECP_CLIENT_RESULT_FLAGS, |
7959 | length: sizeof(original_flags), value: &original_flags, updated: &flags_updated, |
7960 | buffer: client->result, buffer_length: sizeof(client->result)); |
7961 | } |
7962 | |
7963 | if (error != 0) { |
7964 | NECPLOG(LOG_ERR, "necp_client_copy result copyout error (%d)" , error); |
7965 | return error; |
7966 | } |
7967 | |
7968 | if (client->assigned_group_members != NULL && client->assigned_group_members_length > 0) { |
7969 | error = copyout(client->assigned_group_members, uap->buffer + client->result_length, client->assigned_group_members_length); |
7970 | if (error != 0) { |
7971 | NECPLOG(LOG_ERR, "necp_client_copy group members copyout error (%d)" , error); |
7972 | return error; |
7973 | } |
7974 | } |
7975 | |
7976 | size_t assigned_results_cursor = client->assigned_group_members_length; // Start with an offset based on the group members |
7977 | if (necp_client_id_is_flow(client_id)) { |
7978 | if (single_flow_registration != NULL) { |
7979 | error = necp_client_fillout_flow_tlvs(client, client_is_observed, flow_registration: single_flow_registration, uap, assigned_results_cursor: &assigned_results_cursor); |
7980 | if (error != 0) { |
7981 | return error; |
7982 | } |
7983 | } |
7984 | } else { |
7985 | // This request is for the client, so copy everything |
7986 | struct necp_client_flow_registration *flow_registration = NULL; |
7987 | RB_FOREACH(flow_registration, _necp_client_flow_tree, &client->flow_registrations) { |
7988 | error = necp_client_fillout_flow_tlvs(client, client_is_observed, flow_registration, uap, assigned_results_cursor: &assigned_results_cursor); |
7989 | if (error != 0) { |
7990 | return error; |
7991 | } |
7992 | } |
7993 | } |
7994 | |
7995 | *retval = client->result_length + assigned_results_cursor; |
7996 | |
7997 | if (!client_is_observed) { |
7998 | client->result_read = TRUE; |
7999 | client->group_members_read = TRUE; |
8000 | } |
8001 | } |
8002 | |
8003 | return 0; |
8004 | } |
8005 | |
8006 | static NECP_CLIENT_ACTION_FUNCTION int |
8007 | necp_client_copy(struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
8008 | { |
8009 | int error = 0; |
8010 | struct necp_client *client = NULL; |
8011 | uuid_t client_id; |
8012 | uuid_clear(uu: client_id); |
8013 | |
8014 | *retval = 0; |
8015 | |
8016 | if (uap->buffer_size == 0 || uap->buffer == 0) { |
8017 | return EINVAL; |
8018 | } |
8019 | |
8020 | if (uap->action != NECP_CLIENT_ACTION_COPY_PARAMETERS && |
8021 | uap->action != NECP_CLIENT_ACTION_COPY_RESULT && |
8022 | uap->action != NECP_CLIENT_ACTION_COPY_UPDATED_RESULT) { |
8023 | return EINVAL; |
8024 | } |
8025 | |
8026 | if (uap->client_id) { |
8027 | if (uap->client_id_len != sizeof(uuid_t)) { |
8028 | NECPLOG(LOG_ERR, "Incorrect length (got %zu, expected %zu)" , (size_t)uap->client_id_len, sizeof(uuid_t)); |
8029 | return ERANGE; |
8030 | } |
8031 | |
8032 | error = copyin(uap->client_id, client_id, sizeof(uuid_t)); |
8033 | if (error) { |
8034 | NECPLOG(LOG_ERR, "necp_client_copy client_id copyin error (%d)" , error); |
8035 | return error; |
8036 | } |
8037 | } |
8038 | |
8039 | const bool is_wildcard = (bool)uuid_is_null(uu: client_id); |
8040 | |
8041 | NECP_FD_LOCK(fd_data); |
8042 | |
8043 | bool send_in_process_flow_divert_message = false; |
8044 | if (is_wildcard) { |
8045 | if (uap->action == NECP_CLIENT_ACTION_COPY_RESULT || uap->action == NECP_CLIENT_ACTION_COPY_UPDATED_RESULT) { |
8046 | struct necp_client *find_client = NULL; |
8047 | RB_FOREACH(find_client, _necp_client_tree, &fd_data->clients) { |
8048 | NECP_CLIENT_LOCK(find_client); |
8049 | if (!find_client->result_read || !find_client->group_members_read || necp_client_has_unread_flows(client: find_client)) { |
8050 | client = find_client; |
8051 | // Leave the client locked, and break |
8052 | break; |
8053 | } |
8054 | NECP_CLIENT_UNLOCK(find_client); |
8055 | } |
8056 | |
8057 | if (client == NULL && fd_data->request_in_process_flow_divert) { |
8058 | // No client found that needs update. Check for an event requesting in-process flow divert. |
8059 | send_in_process_flow_divert_message = true; |
8060 | } |
8061 | } |
8062 | } else { |
8063 | client = necp_client_fd_find_client_and_lock(client_fd: fd_data, client_id); |
8064 | } |
8065 | |
8066 | if (client != NULL) { |
8067 | if (!send_in_process_flow_divert_message) { |
8068 | // If client is set, it is locked |
8069 | error = necp_client_copy_internal(client, client_id, FALSE, uap, retval); |
8070 | } |
8071 | NECP_CLIENT_UNLOCK(client); |
8072 | } |
8073 | |
8074 | if (send_in_process_flow_divert_message) { |
8075 | fd_data->request_in_process_flow_divert = false; |
8076 | |
8077 | struct necp_tlv_header request_tlv = { |
8078 | .type = NECP_CLIENT_RESULT_REQUEST_IN_PROCESS_FLOW_DIVERT, |
8079 | .length = 0, |
8080 | }; |
8081 | if (uap->buffer_size < sizeof(request_tlv)) { |
8082 | error = EINVAL; |
8083 | } else { |
8084 | error = copyout(&request_tlv, uap->buffer, sizeof(request_tlv)); |
8085 | if (error) { |
8086 | NECPLOG(LOG_ERR, "necp_client_copy request flow divert TLV copyout error (%d)" , error); |
8087 | } else { |
8088 | *retval = sizeof(request_tlv); |
8089 | } |
8090 | } |
8091 | } |
8092 | |
8093 | // Unlock our own fd before moving on or returning |
8094 | NECP_FD_UNLOCK(fd_data); |
8095 | |
8096 | if (client == NULL && !send_in_process_flow_divert_message) { |
8097 | if (fd_data->flags & NECP_OPEN_FLAG_OBSERVER) { |
8098 | // Observers are allowed to lookup clients on other fds |
8099 | |
8100 | // Lock tree |
8101 | NECP_CLIENT_TREE_LOCK_SHARED(); |
8102 | |
8103 | bool found_client = FALSE; |
8104 | |
8105 | client = necp_find_client_and_lock(client_id); |
8106 | if (client != NULL) { |
8107 | // Matched, copy out data |
8108 | found_client = TRUE; |
8109 | error = necp_client_copy_internal(client, client_id, TRUE, uap, retval); |
8110 | NECP_CLIENT_UNLOCK(client); |
8111 | } |
8112 | |
8113 | // Unlock tree |
8114 | NECP_CLIENT_TREE_UNLOCK(); |
8115 | |
8116 | // No client found, fail |
8117 | if (!found_client) { |
8118 | return ENOENT; |
8119 | } |
8120 | } else { |
8121 | // No client found, and not allowed to search other fds, fail |
8122 | return ENOENT; |
8123 | } |
8124 | } |
8125 | |
8126 | return error; |
8127 | } |
8128 | |
8129 | static NECP_CLIENT_ACTION_FUNCTION int |
8130 | necp_client_copy_client_update(struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
8131 | { |
8132 | int error = 0; |
8133 | |
8134 | *retval = 0; |
8135 | |
8136 | if (!(fd_data->flags & NECP_OPEN_FLAG_PUSH_OBSERVER)) { |
8137 | NECPLOG0(LOG_ERR, "NECP fd is not observer, cannot copy client update" ); |
8138 | return EINVAL; |
8139 | } |
8140 | |
8141 | if (uap->client_id_len != sizeof(uuid_t) || uap->client_id == 0) { |
8142 | NECPLOG0(LOG_ERR, "Client id invalid, cannot copy client update" ); |
8143 | return EINVAL; |
8144 | } |
8145 | |
8146 | if (uap->buffer_size == 0 || uap->buffer == 0) { |
8147 | NECPLOG0(LOG_ERR, "Buffer invalid, cannot copy client update" ); |
8148 | return EINVAL; |
8149 | } |
8150 | |
8151 | NECP_FD_LOCK(fd_data); |
8152 | struct necp_client_update *client_update = TAILQ_FIRST(&fd_data->update_list); |
8153 | if (client_update != NULL) { |
8154 | TAILQ_REMOVE(&fd_data->update_list, client_update, chain); |
8155 | VERIFY(fd_data->update_count > 0); |
8156 | fd_data->update_count--; |
8157 | } |
8158 | NECP_FD_UNLOCK(fd_data); |
8159 | |
8160 | if (client_update != NULL) { |
8161 | error = copyout(client_update->client_id, uap->client_id, sizeof(uuid_t)); |
8162 | if (error) { |
8163 | NECPLOG(LOG_ERR, "Copy client update copyout client id error (%d)" , error); |
8164 | } else { |
8165 | if (uap->buffer_size < client_update->update_length) { |
8166 | NECPLOG(LOG_ERR, "Buffer size cannot hold update (%zu < %zu)" , (size_t)uap->buffer_size, client_update->update_length); |
8167 | error = EINVAL; |
8168 | } else { |
8169 | error = copyout(client_update->update, uap->buffer, client_update->update_length); |
8170 | if (error) { |
8171 | NECPLOG(LOG_ERR, "Copy client update copyout error (%d)" , error); |
8172 | } else { |
8173 | *retval = client_update->update_length; |
8174 | } |
8175 | } |
8176 | } |
8177 | |
8178 | necp_client_update_free(client_update); |
8179 | client_update = NULL; |
8180 | } else { |
8181 | error = ENOENT; |
8182 | } |
8183 | |
8184 | return error; |
8185 | } |
8186 | |
8187 | static int |
8188 | necp_client_copy_parameters_locked(struct necp_client *client, |
8189 | struct necp_client_nexus_parameters *parameters) |
8190 | { |
8191 | VERIFY(parameters != NULL); |
8192 | |
8193 | struct necp_client_parsed_parameters parsed_parameters = {}; |
8194 | int error = necp_client_parse_parameters(client, parameters: client->parameters, parameters_size: (u_int32_t)client->parameters_length, parsed_parameters: &parsed_parameters); |
8195 | |
8196 | parameters->pid = client->proc_pid; |
8197 | if (parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_EFFECTIVE_PID) { |
8198 | parameters->epid = parsed_parameters.effective_pid; |
8199 | } else { |
8200 | parameters->epid = parameters->pid; |
8201 | } |
8202 | #if SKYWALK |
8203 | parameters->port_reservation = client->port_reservation; |
8204 | #endif /* !SKYWALK */ |
8205 | memcpy(dst: ¶meters->local_addr, src: &parsed_parameters.local_addr, n: sizeof(parameters->local_addr)); |
8206 | memcpy(dst: ¶meters->remote_addr, src: &parsed_parameters.remote_addr, n: sizeof(parameters->remote_addr)); |
8207 | parameters->ip_protocol = parsed_parameters.ip_protocol; |
8208 | if (parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_TRANSPORT_PROTOCOL) { |
8209 | parameters->transport_protocol = parsed_parameters.transport_protocol; |
8210 | } else { |
8211 | parameters->transport_protocol = parsed_parameters.ip_protocol; |
8212 | } |
8213 | parameters->ethertype = parsed_parameters.ethertype; |
8214 | parameters->traffic_class = parsed_parameters.traffic_class; |
8215 | if (uuid_is_null(uu: client->override_euuid)) { |
8216 | uuid_copy(dst: parameters->euuid, src: parsed_parameters.effective_uuid); |
8217 | } else { |
8218 | uuid_copy(dst: parameters->euuid, src: client->override_euuid); |
8219 | } |
8220 | parameters->is_listener = (parsed_parameters.flags & NECP_CLIENT_PARAMETER_FLAG_LISTENER) ? 1 : 0; |
8221 | parameters->is_interpose = (parsed_parameters.flags & NECP_CLIENT_PARAMETER_FLAG_INTERPOSE) ? 1 : 0; |
8222 | parameters->is_custom_ether = (parsed_parameters.flags & NECP_CLIENT_PARAMETER_FLAG_CUSTOM_ETHER) ? 1 : 0; |
8223 | parameters->policy_id = client->policy_id; |
8224 | parameters->skip_policy_id = client->skip_policy_id; |
8225 | |
8226 | // parse client result flag |
8227 | u_int32_t client_result_flags = 0; |
8228 | u_int32_t value_size = 0; |
8229 | u_int8_t *flags_pointer = NULL; |
8230 | flags_pointer = necp_buffer_get_tlv_value(buffer: client->result, tlv_offset: 0, value_size: &value_size); |
8231 | if (flags_pointer && value_size == sizeof(client_result_flags)) { |
8232 | memcpy(dst: &client_result_flags, src: flags_pointer, n: value_size); |
8233 | } |
8234 | parameters->allow_qos_marking = (client_result_flags & NECP_CLIENT_RESULT_FLAG_ALLOW_QOS_MARKING) ? 1 : 0; |
8235 | |
8236 | if (parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_LOCAL_ADDR_PREFERENCE) { |
8237 | if (parsed_parameters.local_address_preference == NECP_CLIENT_PARAMETER_LOCAL_ADDRESS_PREFERENCE_DEFAULT) { |
8238 | parameters->override_address_selection = false; |
8239 | } else if (parsed_parameters.local_address_preference == NECP_CLIENT_PARAMETER_LOCAL_ADDRESS_PREFERENCE_TEMPORARY) { |
8240 | parameters->override_address_selection = true; |
8241 | parameters->use_stable_address = false; |
8242 | } else if (parsed_parameters.local_address_preference == NECP_CLIENT_PARAMETER_LOCAL_ADDRESS_PREFERENCE_STABLE) { |
8243 | parameters->override_address_selection = true; |
8244 | parameters->use_stable_address = true; |
8245 | } |
8246 | } else { |
8247 | parameters->override_address_selection = false; |
8248 | } |
8249 | |
8250 | if ((parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_FLAGS) && |
8251 | (parsed_parameters.flags & NECP_CLIENT_PARAMETER_FLAG_NO_WAKE_FROM_SLEEP)) { |
8252 | parameters->no_wake_from_sleep = true; |
8253 | } |
8254 | |
8255 | if ((parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_FLAGS) && |
8256 | (parsed_parameters.flags & NECP_CLIENT_PARAMETER_FLAG_REUSE_LOCAL)) { |
8257 | parameters->reuse_port = true; |
8258 | } |
8259 | |
8260 | #if SKYWALK |
8261 | if (!parameters->is_listener) { |
8262 | if (parsed_parameters.valid_fields & NECP_PARSED_PARAMETERS_FIELD_FLOW_DEMUX_PATTERN) { |
8263 | if (parsed_parameters.demux_patterns[0].len == 0) { |
8264 | parameters->is_demuxable_parent = 1; |
8265 | } else { |
8266 | if (client->validated_parent) { |
8267 | ASSERT(!uuid_is_null(client->parent_client_id)); |
8268 | |
8269 | NECP_CLIENT_TREE_LOCK_SHARED(); |
8270 | struct necp_client *parent = necp_find_client_and_lock(client_id: client->parent_client_id); |
8271 | if (parent != NULL) { |
8272 | struct necp_client_flow_registration *parent_flow_registration = NULL; |
8273 | RB_FOREACH(parent_flow_registration, _necp_client_flow_tree, &parent->flow_registrations) { |
8274 | uuid_copy(dst: parameters->parent_flow_uuid, src: parent_flow_registration->registration_id); |
8275 | break; |
8276 | } |
8277 | |
8278 | NECP_CLIENT_UNLOCK(parent); |
8279 | } |
8280 | NECP_CLIENT_TREE_UNLOCK(); |
8281 | |
8282 | if (parsed_parameters.demux_pattern_count > 0) { |
8283 | for (int i = 0; i < parsed_parameters.demux_pattern_count; i++) { |
8284 | memcpy(dst: ¶meters->demux_patterns[i], src: &parsed_parameters.demux_patterns[i], n: sizeof(struct necp_demux_pattern)); |
8285 | } |
8286 | parameters->demux_pattern_count = parsed_parameters.demux_pattern_count; |
8287 | } |
8288 | } |
8289 | } |
8290 | } |
8291 | } |
8292 | #endif // SKYWALK |
8293 | |
8294 | return error; |
8295 | } |
8296 | |
8297 | static NECP_CLIENT_ACTION_FUNCTION int |
8298 | necp_client_list(struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
8299 | { |
8300 | int error = 0; |
8301 | struct necp_client *find_client = NULL; |
8302 | uuid_t *list = NULL; |
8303 | u_int32_t requested_client_count = 0; |
8304 | u_int32_t client_count = 0; |
8305 | size_t copy_buffer_size = 0; |
8306 | |
8307 | if (uap->buffer_size < sizeof(requested_client_count) || uap->buffer == 0) { |
8308 | error = EINVAL; |
8309 | goto done; |
8310 | } |
8311 | |
8312 | if (!(fd_data->flags & NECP_OPEN_FLAG_OBSERVER)) { |
8313 | NECPLOG0(LOG_ERR, "Client does not hold necessary entitlement to list other NECP clients" ); |
8314 | error = EACCES; |
8315 | goto done; |
8316 | } |
8317 | |
8318 | error = copyin(uap->buffer, &requested_client_count, sizeof(requested_client_count)); |
8319 | if (error) { |
8320 | goto done; |
8321 | } |
8322 | |
8323 | if (os_mul_overflow(sizeof(uuid_t), requested_client_count, ©_buffer_size)) { |
8324 | error = ERANGE; |
8325 | goto done; |
8326 | } |
8327 | |
8328 | if (uap->buffer_size - sizeof(requested_client_count) != copy_buffer_size) { |
8329 | error = EINVAL; |
8330 | goto done; |
8331 | } |
8332 | |
8333 | if (copy_buffer_size > NECP_MAX_CLIENT_LIST_SIZE) { |
8334 | error = EINVAL; |
8335 | goto done; |
8336 | } |
8337 | |
8338 | if (requested_client_count > 0) { |
8339 | if ((list = (uuid_t*)kalloc_data(copy_buffer_size, Z_WAITOK | Z_ZERO)) == NULL) { |
8340 | error = ENOMEM; |
8341 | goto done; |
8342 | } |
8343 | } |
8344 | |
8345 | // Lock tree |
8346 | NECP_CLIENT_TREE_LOCK_SHARED(); |
8347 | |
8348 | find_client = NULL; |
8349 | RB_FOREACH(find_client, _necp_client_global_tree, &necp_client_global_tree) { |
8350 | NECP_CLIENT_LOCK(find_client); |
8351 | if (!uuid_is_null(uu: find_client->client_id)) { |
8352 | if (client_count < requested_client_count) { |
8353 | uuid_copy(dst: list[client_count], src: find_client->client_id); |
8354 | } |
8355 | client_count++; |
8356 | } |
8357 | NECP_CLIENT_UNLOCK(find_client); |
8358 | } |
8359 | |
8360 | // Unlock tree |
8361 | NECP_CLIENT_TREE_UNLOCK(); |
8362 | |
8363 | error = copyout(&client_count, uap->buffer, sizeof(client_count)); |
8364 | if (error) { |
8365 | NECPLOG(LOG_ERR, "necp_client_list buffer copyout error (%d)" , error); |
8366 | goto done; |
8367 | } |
8368 | |
8369 | if (requested_client_count > 0 && |
8370 | client_count > 0 && |
8371 | list != NULL) { |
8372 | error = copyout(list, uap->buffer + sizeof(client_count), copy_buffer_size); |
8373 | if (error) { |
8374 | NECPLOG(LOG_ERR, "necp_client_list client count copyout error (%d)" , error); |
8375 | goto done; |
8376 | } |
8377 | } |
8378 | done: |
8379 | if (list != NULL) { |
8380 | kfree_data(list, copy_buffer_size); |
8381 | } |
8382 | *retval = error; |
8383 | |
8384 | return error; |
8385 | } |
8386 | |
8387 | static NECP_CLIENT_ACTION_FUNCTION int |
8388 | necp_client_add_flow(struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
8389 | { |
8390 | int error = 0; |
8391 | struct necp_client *client = NULL; |
8392 | uuid_t client_id; |
8393 | struct necp_client_nexus_parameters parameters = {}; |
8394 | struct proc *proc = PROC_NULL; |
8395 | struct necp_client_add_flow *add_request = NULL; |
8396 | struct necp_client_add_flow *allocated_add_request = NULL; |
8397 | struct necp_client_add_flow_default default_add_request = {}; |
8398 | const size_t buffer_size = uap->buffer_size; |
8399 | |
8400 | if (uap->client_id == 0 || uap->client_id_len != sizeof(uuid_t)) { |
8401 | error = EINVAL; |
8402 | NECPLOG(LOG_ERR, "necp_client_add_flow invalid client_id (length %zu)" , (size_t)uap->client_id_len); |
8403 | goto done; |
8404 | } |
8405 | |
8406 | if (uap->buffer == 0 || buffer_size < sizeof(struct necp_client_add_flow) || |
8407 | buffer_size > sizeof(struct necp_client_add_flow_default) * 4) { |
8408 | error = EINVAL; |
8409 | NECPLOG(LOG_ERR, "necp_client_add_flow invalid buffer (length %zu)" , buffer_size); |
8410 | goto done; |
8411 | } |
8412 | |
8413 | error = copyin(uap->client_id, client_id, sizeof(uuid_t)); |
8414 | if (error) { |
8415 | NECPLOG(LOG_ERR, "necp_client_add_flow copyin client_id error (%d)" , error); |
8416 | goto done; |
8417 | } |
8418 | |
8419 | if (buffer_size <= sizeof(struct necp_client_add_flow_default)) { |
8420 | // Fits in default size |
8421 | error = copyin(uap->buffer, &default_add_request, buffer_size); |
8422 | if (error) { |
8423 | NECPLOG(LOG_ERR, "necp_client_add_flow copyin default_add_request error (%d)" , error); |
8424 | goto done; |
8425 | } |
8426 | |
8427 | add_request = (struct necp_client_add_flow *)&default_add_request; |
8428 | } else { |
8429 | allocated_add_request = (struct necp_client_add_flow *)kalloc_data(buffer_size, Z_WAITOK | Z_ZERO); |
8430 | if (allocated_add_request == NULL) { |
8431 | error = ENOMEM; |
8432 | goto done; |
8433 | } |
8434 | |
8435 | error = copyin(uap->buffer, allocated_add_request, buffer_size); |
8436 | if (error) { |
8437 | NECPLOG(LOG_ERR, "necp_client_add_flow copyin default_add_request error (%d)" , error); |
8438 | goto done; |
8439 | } |
8440 | |
8441 | add_request = allocated_add_request; |
8442 | } |
8443 | |
8444 | NECP_FD_LOCK(fd_data); |
8445 | pid_t pid = fd_data->proc_pid; |
8446 | proc = proc_find(pid); |
8447 | if (proc == PROC_NULL) { |
8448 | NECP_FD_UNLOCK(fd_data); |
8449 | NECPLOG(LOG_ERR, "necp_client_add_flow process not found for pid %d error (%d)" , pid, error); |
8450 | error = ESRCH; |
8451 | goto done; |
8452 | } |
8453 | |
8454 | client = necp_client_fd_find_client_and_lock(client_fd: fd_data, client_id); |
8455 | if (client == NULL) { |
8456 | error = ENOENT; |
8457 | NECP_FD_UNLOCK(fd_data); |
8458 | goto done; |
8459 | } |
8460 | |
8461 | // Using ADD_FLOW indicates that the client supports multiple flows per client |
8462 | client->legacy_client_is_flow = false; |
8463 | |
8464 | necp_client_retain_locked(client); |
8465 | necp_client_copy_parameters_locked(client, parameters: ¶meters); |
8466 | |
8467 | struct necp_client_flow_registration *new_registration = necp_client_create_flow_registration(fd_data, client); |
8468 | if (new_registration == NULL) { |
8469 | error = ENOMEM; |
8470 | NECP_CLIENT_UNLOCK(client); |
8471 | NECP_FD_UNLOCK(fd_data); |
8472 | NECPLOG0(LOG_ERR, "Failed to allocate flow registration" ); |
8473 | goto done; |
8474 | } |
8475 | |
8476 | new_registration->flags = add_request->flags; |
8477 | |
8478 | // Copy new ID out to caller |
8479 | uuid_copy(dst: add_request->registration_id, src: new_registration->registration_id); |
8480 | |
8481 | NECP_CLIENT_FLOW_LOG(client, new_registration, "adding flow" ); |
8482 | |
8483 | size_t trailer_offset = (sizeof(struct necp_client_add_flow) + |
8484 | add_request->stats_request_count * sizeof(struct necp_client_flow_stats)); |
8485 | |
8486 | // Copy override address |
8487 | struct sockaddr *override_address = NULL; |
8488 | if (add_request->flags & NECP_CLIENT_FLOW_FLAGS_OVERRIDE_ADDRESS) { |
8489 | size_t offset_of_address = trailer_offset; |
8490 | if (buffer_size >= offset_of_address + sizeof(struct sockaddr_in)) { |
8491 | override_address = (struct sockaddr *)(((uint8_t *)add_request) + offset_of_address); |
8492 | if (buffer_size >= offset_of_address + override_address->sa_len && |
8493 | override_address->sa_len <= sizeof(parameters.remote_addr)) { |
8494 | memcpy(dst: ¶meters.remote_addr, src: override_address, n: override_address->sa_len); |
8495 | trailer_offset += override_address->sa_len; |
8496 | } else { |
8497 | override_address = NULL; |
8498 | } |
8499 | } |
8500 | } |
8501 | |
8502 | // Copy override IP protocol |
8503 | if (add_request->flags & NECP_CLIENT_FLOW_FLAGS_OVERRIDE_IP_PROTOCOL) { |
8504 | size_t offset_of_ip_protocol = trailer_offset; |
8505 | if (buffer_size >= offset_of_ip_protocol + sizeof(uint8_t)) { |
8506 | uint8_t *ip_protocol_p = (uint8_t *)(((uint8_t *)add_request) + offset_of_ip_protocol); |
8507 | memcpy(dst: ¶meters.ip_protocol, src: ip_protocol_p, n: sizeof(uint8_t)); |
8508 | } |
8509 | } |
8510 | |
8511 | #if SKYWALK |
8512 | if (add_request->flags & NECP_CLIENT_FLOW_FLAGS_ALLOW_NEXUS) { |
8513 | void *assigned_results = NULL; |
8514 | size_t assigned_results_length = 0; |
8515 | uint32_t interface_index = 0; |
8516 | |
8517 | // Validate that the nexus UUID is assigned |
8518 | bool found_nexus = false; |
8519 | for (u_int32_t option_i = 0; option_i < client->interface_option_count; option_i++) { |
8520 | if (option_i < NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT) { |
8521 | struct necp_client_interface_option *option = &client->interface_options[option_i]; |
8522 | if (uuid_compare(uu1: option->nexus_agent, uu2: add_request->agent_uuid) == 0) { |
8523 | interface_index = option->interface_index; |
8524 | found_nexus = true; |
8525 | break; |
8526 | } |
8527 | } else { |
8528 | struct necp_client_interface_option *option = &client->extra_interface_options[option_i - NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT]; |
8529 | if (uuid_compare(uu1: option->nexus_agent, uu2: add_request->agent_uuid) == 0) { |
8530 | interface_index = option->interface_index; |
8531 | found_nexus = true; |
8532 | break; |
8533 | } |
8534 | } |
8535 | } |
8536 | |
8537 | if (!found_nexus) { |
8538 | NECPLOG0(LOG_ERR, "Requested nexus not found" ); |
8539 | } else { |
8540 | necp_client_add_nexus_flow_if_needed(flow_registration: new_registration, nexus_agent: add_request->agent_uuid, interface_index); |
8541 | |
8542 | error = netagent_client_message_with_params(agent_uuid: add_request->agent_uuid, |
8543 | necp_client_uuid: ((new_registration->flags & NECP_CLIENT_FLOW_FLAGS_USE_CLIENT_ID) ? |
8544 | client->client_id : |
8545 | new_registration->registration_id), |
8546 | pid, handle: client->agent_handle, |
8547 | NETAGENT_MESSAGE_TYPE_REQUEST_NEXUS, |
8548 | parameters: (struct necp_client_agent_parameters *)¶meters, |
8549 | assigned_results: &assigned_results, assigned_results_length: &assigned_results_length); |
8550 | if (error != 0) { |
8551 | VERIFY(assigned_results == NULL); |
8552 | VERIFY(assigned_results_length == 0); |
8553 | NECPLOG(LOG_ERR, "netagent_client_message error (%d)" , error); |
8554 | } else if (assigned_results != NULL) { |
8555 | if (!necp_assign_client_result_locked(proc, client_fd: fd_data, client, flow_registration: new_registration, netagent_uuid: add_request->agent_uuid, |
8556 | assigned_results, assigned_results_length, false, false)) { |
8557 | kfree_data(assigned_results, assigned_results_length); |
8558 | } |
8559 | } else if (override_address != NULL) { |
8560 | // Save the overridden address in the flow. Find the correct flow, |
8561 | // and assign just the address TLV. Don't set the assigned flag. |
8562 | struct necp_client_flow *flow = NULL; |
8563 | LIST_FOREACH(flow, &new_registration->flow_list, flow_chain) { |
8564 | if (flow->nexus && |
8565 | uuid_compare(uu1: flow->u.nexus_agent, uu2: add_request->agent_uuid) == 0) { |
8566 | if (flow->assigned_results == NULL) { |
8567 | memcpy(dst: &flow->remote_addr, src: override_address, n: override_address->sa_len); |
8568 | uuid_t empty_uuid; |
8569 | uuid_clear(uu: empty_uuid); |
8570 | flow->assigned_results = necp_create_nexus_assign_message(nexus_instance: empty_uuid, nexus_port: 0, NULL, key_length: 0, |
8571 | local_endpoint: (struct necp_client_endpoint *)&flow->local_addr, |
8572 | remote_endpoint: (struct necp_client_endpoint *)&flow->remote_addr, |
8573 | NULL, flow_adv_index: 0, NULL, message_length: &flow->assigned_results_length); |
8574 | } |
8575 | break; |
8576 | } |
8577 | } |
8578 | } |
8579 | } |
8580 | } |
8581 | |
8582 | // Don't request stats if nexus creation fails |
8583 | if (error == 0 && add_request->stats_request_count > 0 && necp_arena_initialize(fd_data, true) == 0) { |
8584 | struct necp_client_flow_stats *stats_request = (struct necp_client_flow_stats *)&add_request->stats_requests[0]; |
8585 | struct necp_stats_bufreq bufreq = {}; |
8586 | |
8587 | NECP_CLIENT_FLOW_LOG(client, new_registration, "Initializing stats" ); |
8588 | |
8589 | bufreq.necp_stats_bufreq_id = NECP_CLIENT_STATISTICS_BUFREQ_ID; |
8590 | bufreq.necp_stats_bufreq_type = stats_request->stats_type; |
8591 | bufreq.necp_stats_bufreq_ver = stats_request->stats_version; |
8592 | bufreq.necp_stats_bufreq_size = stats_request->stats_size; |
8593 | bufreq.necp_stats_bufreq_uaddr = stats_request->stats_addr; |
8594 | (void)necp_stats_initialize(fd_data, client, flow_registration: new_registration, bufreq: &bufreq); |
8595 | stats_request->stats_type = bufreq.necp_stats_bufreq_type; |
8596 | stats_request->stats_version = bufreq.necp_stats_bufreq_ver; |
8597 | stats_request->stats_size = bufreq.necp_stats_bufreq_size; |
8598 | stats_request->stats_addr = bufreq.necp_stats_bufreq_uaddr; |
8599 | } |
8600 | #endif /* !SKYWALK */ |
8601 | |
8602 | if (error == 0 && |
8603 | (add_request->flags & NECP_CLIENT_FLOW_FLAGS_BROWSE || |
8604 | add_request->flags & NECP_CLIENT_FLOW_FLAGS_RESOLVE)) { |
8605 | uint32_t interface_index = IFSCOPE_NONE; |
8606 | ifnet_head_lock_shared(); |
8607 | struct ifnet *interface = NULL; |
8608 | TAILQ_FOREACH(interface, &ifnet_head, if_link) { |
8609 | ifnet_lock_shared(ifp: interface); |
8610 | if (interface->if_agentids != NULL) { |
8611 | for (u_int32_t i = 0; i < interface->if_agentcount; i++) { |
8612 | if (uuid_compare(uu1: interface->if_agentids[i], uu2: add_request->agent_uuid) == 0) { |
8613 | interface_index = interface->if_index; |
8614 | break; |
8615 | } |
8616 | } |
8617 | } |
8618 | ifnet_lock_done(ifp: interface); |
8619 | if (interface_index != IFSCOPE_NONE) { |
8620 | break; |
8621 | } |
8622 | } |
8623 | ifnet_head_done(); |
8624 | |
8625 | necp_client_add_nexus_flow_if_needed(flow_registration: new_registration, nexus_agent: add_request->agent_uuid, interface_index); |
8626 | |
8627 | error = netagent_client_message_with_params(agent_uuid: add_request->agent_uuid, |
8628 | necp_client_uuid: ((new_registration->flags & NECP_CLIENT_FLOW_FLAGS_USE_CLIENT_ID) ? |
8629 | client->client_id : |
8630 | new_registration->registration_id), |
8631 | pid, handle: client->agent_handle, |
8632 | NETAGENT_MESSAGE_TYPE_CLIENT_ASSERT, |
8633 | parameters: (struct necp_client_agent_parameters *)¶meters, |
8634 | NULL, NULL); |
8635 | if (error != 0) { |
8636 | NECPLOG(LOG_ERR, "netagent_client_message error (%d)" , error); |
8637 | } |
8638 | } |
8639 | |
8640 | if (error != 0) { |
8641 | // Encountered an error in adding the flow, destroy the flow registration |
8642 | #if SKYWALK |
8643 | necp_destroy_flow_stats(fd_data, flow_registration: new_registration, NULL, false); |
8644 | #endif /* SKYWALK */ |
8645 | NECP_FLOW_TREE_LOCK_EXCLUSIVE(); |
8646 | RB_REMOVE(_necp_client_flow_global_tree, &necp_client_flow_global_tree, new_registration); |
8647 | NECP_FLOW_TREE_UNLOCK(); |
8648 | RB_REMOVE(_necp_fd_flow_tree, &fd_data->flows, new_registration); |
8649 | necp_destroy_client_flow_registration(client, flow_registration: new_registration, pid: fd_data->proc_pid, true); |
8650 | new_registration = NULL; |
8651 | } |
8652 | |
8653 | NECP_CLIENT_UNLOCK(client); |
8654 | NECP_FD_UNLOCK(fd_data); |
8655 | |
8656 | necp_client_release(client); |
8657 | |
8658 | if (error != 0) { |
8659 | goto done; |
8660 | } |
8661 | |
8662 | // Copy the request back out to the caller with assigned fields |
8663 | error = copyout(add_request, uap->buffer, buffer_size); |
8664 | if (error != 0) { |
8665 | NECPLOG(LOG_ERR, "necp_client_add_flow copyout add_request error (%d)" , error); |
8666 | } |
8667 | |
8668 | done: |
8669 | *retval = error; |
8670 | if (error != 0) { |
8671 | NECPLOG(LOG_ERR, "Add flow error (%d)" , error); |
8672 | } |
8673 | |
8674 | if (allocated_add_request != NULL) { |
8675 | kfree_data(allocated_add_request, buffer_size); |
8676 | } |
8677 | |
8678 | if (proc != PROC_NULL) { |
8679 | proc_rele(p: proc); |
8680 | } |
8681 | return error; |
8682 | } |
8683 | |
8684 | #if SKYWALK |
8685 | |
8686 | static NECP_CLIENT_ACTION_FUNCTION int |
8687 | necp_client_request_nexus(struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
8688 | { |
8689 | int error = 0; |
8690 | struct necp_client *client = NULL; |
8691 | uuid_t client_id; |
8692 | struct necp_client_nexus_parameters parameters = {}; |
8693 | struct proc *proc = PROC_NULL; |
8694 | const size_t buffer_size = uap->buffer_size; |
8695 | |
8696 | if (uap->client_id == 0 || uap->client_id_len != sizeof(uuid_t)) { |
8697 | error = EINVAL; |
8698 | goto done; |
8699 | } |
8700 | |
8701 | error = copyin(uap->client_id, client_id, sizeof(uuid_t)); |
8702 | if (error) { |
8703 | NECPLOG(LOG_ERR, "necp_client_request_nexus copyin client_id error (%d)" , error); |
8704 | goto done; |
8705 | } |
8706 | |
8707 | NECP_FD_LOCK(fd_data); |
8708 | pid_t pid = fd_data->proc_pid; |
8709 | proc = proc_find(pid); |
8710 | if (proc == PROC_NULL) { |
8711 | NECP_FD_UNLOCK(fd_data); |
8712 | NECPLOG(LOG_ERR, "necp_client_request_nexus process not found for pid %d error (%d)" , pid, error); |
8713 | error = ESRCH; |
8714 | goto done; |
8715 | } |
8716 | |
8717 | client = necp_client_fd_find_client_and_lock(client_fd: fd_data, client_id); |
8718 | if (client == NULL) { |
8719 | NECP_FD_UNLOCK(fd_data); |
8720 | error = ENOENT; |
8721 | goto done; |
8722 | } |
8723 | |
8724 | // Using REQUEST_NEXUS indicates that the client only supports one flow per client |
8725 | client->legacy_client_is_flow = true; |
8726 | |
8727 | necp_client_retain_locked(client); |
8728 | necp_client_copy_parameters_locked(client, parameters: ¶meters); |
8729 | |
8730 | do { |
8731 | void *assigned_results = NULL; |
8732 | size_t assigned_results_length = 0; |
8733 | uuid_t nexus_uuid; |
8734 | uint32_t interface_index = 0; |
8735 | |
8736 | // Validate that the nexus UUID is assigned |
8737 | bool found_nexus = false; |
8738 | for (u_int32_t option_i = 0; option_i < client->interface_option_count; option_i++) { |
8739 | if (option_i < NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT) { |
8740 | struct necp_client_interface_option *option = &client->interface_options[option_i]; |
8741 | if (!uuid_is_null(uu: option->nexus_agent)) { |
8742 | uuid_copy(dst: nexus_uuid, src: option->nexus_agent); |
8743 | interface_index = option->interface_index; |
8744 | found_nexus = true; |
8745 | break; |
8746 | } |
8747 | } else { |
8748 | struct necp_client_interface_option *option = &client->extra_interface_options[option_i - NECP_CLIENT_INTERFACE_OPTION_STATIC_COUNT]; |
8749 | if (!uuid_is_null(uu: option->nexus_agent)) { |
8750 | uuid_copy(dst: nexus_uuid, src: option->nexus_agent); |
8751 | interface_index = option->interface_index; |
8752 | found_nexus = true; |
8753 | break; |
8754 | } |
8755 | } |
8756 | } |
8757 | |
8758 | if (!found_nexus) { |
8759 | NECP_CLIENT_UNLOCK(client); |
8760 | NECP_FD_UNLOCK(fd_data); |
8761 | necp_client_release(client); |
8762 | // Break the loop |
8763 | error = ENETDOWN; |
8764 | goto done; |
8765 | } |
8766 | |
8767 | struct necp_client_flow_registration *new_registration = necp_client_create_flow_registration(fd_data, client); |
8768 | if (new_registration == NULL) { |
8769 | error = ENOMEM; |
8770 | NECP_CLIENT_UNLOCK(client); |
8771 | NECP_FD_UNLOCK(fd_data); |
8772 | necp_client_release(client); |
8773 | NECPLOG0(LOG_ERR, "Failed to allocate flow registration" ); |
8774 | goto done; |
8775 | } |
8776 | |
8777 | new_registration->flags = (NECP_CLIENT_FLOW_FLAGS_ALLOW_NEXUS | NECP_CLIENT_FLOW_FLAGS_USE_CLIENT_ID); |
8778 | |
8779 | necp_client_add_nexus_flow_if_needed(flow_registration: new_registration, nexus_agent: nexus_uuid, interface_index); |
8780 | |
8781 | // Note: Any clients using "request_nexus" are not flow-registration aware. |
8782 | // Register the Client ID rather than the Registration ID with the nexus, since |
8783 | // the client will send traffic based on the client ID. |
8784 | error = netagent_client_message_with_params(agent_uuid: nexus_uuid, |
8785 | necp_client_uuid: ((new_registration->flags & NECP_CLIENT_FLOW_FLAGS_USE_CLIENT_ID) ? |
8786 | client->client_id : |
8787 | new_registration->registration_id), |
8788 | pid, handle: client->agent_handle, |
8789 | NETAGENT_MESSAGE_TYPE_REQUEST_NEXUS, |
8790 | parameters: (struct necp_client_agent_parameters *)¶meters, |
8791 | assigned_results: &assigned_results, assigned_results_length: &assigned_results_length); |
8792 | if (error) { |
8793 | NECP_CLIENT_UNLOCK(client); |
8794 | NECP_FD_UNLOCK(fd_data); |
8795 | necp_client_release(client); |
8796 | VERIFY(assigned_results == NULL); |
8797 | VERIFY(assigned_results_length == 0); |
8798 | NECPLOG(LOG_ERR, "netagent_client_message error (%d)" , error); |
8799 | goto done; |
8800 | } |
8801 | |
8802 | if (assigned_results != NULL) { |
8803 | if (!necp_assign_client_result_locked(proc, client_fd: fd_data, client, flow_registration: new_registration, netagent_uuid: nexus_uuid, |
8804 | assigned_results, assigned_results_length, false, false)) { |
8805 | kfree_data(assigned_results, assigned_results_length); |
8806 | } |
8807 | } |
8808 | |
8809 | if (uap->buffer != 0 && buffer_size == sizeof(struct necp_stats_bufreq) && |
8810 | necp_arena_initialize(fd_data, true) == 0) { |
8811 | struct necp_stats_bufreq bufreq = {}; |
8812 | int copy_error = copyin(uap->buffer, &bufreq, buffer_size); |
8813 | if (copy_error) { |
8814 | NECPLOG(LOG_ERR, "necp_client_request_nexus copyin bufreq error (%d)" , copy_error); |
8815 | } else { |
8816 | (void)necp_stats_initialize(fd_data, client, flow_registration: new_registration, bufreq: &bufreq); |
8817 | copy_error = copyout(&bufreq, uap->buffer, buffer_size); |
8818 | if (copy_error != 0) { |
8819 | NECPLOG(LOG_ERR, "necp_client_request_nexus copyout bufreq error (%d)" , copy_error); |
8820 | } |
8821 | } |
8822 | } |
8823 | } while (false); |
8824 | |
8825 | NECP_CLIENT_UNLOCK(client); |
8826 | NECP_FD_UNLOCK(fd_data); |
8827 | |
8828 | necp_client_release(client); |
8829 | |
8830 | done: |
8831 | *retval = error; |
8832 | if (error != 0) { |
8833 | NECPLOG(LOG_ERR, "Request nexus error (%d)" , error); |
8834 | } |
8835 | |
8836 | if (proc != PROC_NULL) { |
8837 | proc_rele(p: proc); |
8838 | } |
8839 | return error; |
8840 | } |
8841 | #endif /* !SKYWALK */ |
8842 | |
8843 | static void |
8844 | necp_client_add_assertion(struct necp_client *client, uuid_t netagent_uuid) |
8845 | { |
8846 | struct necp_client_assertion *new_assertion = NULL; |
8847 | |
8848 | new_assertion = kalloc_type(struct necp_client_assertion, |
8849 | Z_WAITOK | Z_NOFAIL); |
8850 | |
8851 | uuid_copy(dst: new_assertion->asserted_netagent, src: netagent_uuid); |
8852 | |
8853 | LIST_INSERT_HEAD(&client->assertion_list, new_assertion, assertion_chain); |
8854 | } |
8855 | |
8856 | static bool |
8857 | necp_client_remove_assertion(struct necp_client *client, uuid_t netagent_uuid) |
8858 | { |
8859 | struct necp_client_assertion *found_assertion = NULL; |
8860 | struct necp_client_assertion *search_assertion = NULL; |
8861 | LIST_FOREACH(search_assertion, &client->assertion_list, assertion_chain) { |
8862 | if (uuid_compare(uu1: search_assertion->asserted_netagent, uu2: netagent_uuid) == 0) { |
8863 | found_assertion = search_assertion; |
8864 | break; |
8865 | } |
8866 | } |
8867 | |
8868 | if (found_assertion == NULL) { |
8869 | NECPLOG0(LOG_ERR, "Netagent uuid not previously asserted" ); |
8870 | return false; |
8871 | } |
8872 | |
8873 | LIST_REMOVE(found_assertion, assertion_chain); |
8874 | kfree_type(struct necp_client_assertion, found_assertion); |
8875 | return true; |
8876 | } |
8877 | |
8878 | static NECP_CLIENT_ACTION_FUNCTION int |
8879 | necp_client_agent_action(struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
8880 | { |
8881 | int error = 0; |
8882 | struct necp_client *client = NULL; |
8883 | uuid_t client_id; |
8884 | bool acted_on_agent = FALSE; |
8885 | u_int8_t *parameters = NULL; |
8886 | const size_t buffer_size = uap->buffer_size; |
8887 | |
8888 | if (uap->client_id == 0 || uap->client_id_len != sizeof(uuid_t) || |
8889 | buffer_size == 0 || uap->buffer == 0) { |
8890 | NECPLOG0(LOG_ERR, "necp_client_agent_action invalid parameters" ); |
8891 | error = EINVAL; |
8892 | goto done; |
8893 | } |
8894 | |
8895 | error = copyin(uap->client_id, client_id, sizeof(uuid_t)); |
8896 | if (error) { |
8897 | NECPLOG(LOG_ERR, "necp_client_agent_action copyin client_id error (%d)" , error); |
8898 | goto done; |
8899 | } |
8900 | |
8901 | if (buffer_size > NECP_MAX_AGENT_ACTION_SIZE) { |
8902 | NECPLOG(LOG_ERR, "necp_client_agent_action invalid buffer size (>%u)" , NECP_MAX_AGENT_ACTION_SIZE); |
8903 | error = EINVAL; |
8904 | goto done; |
8905 | } |
8906 | |
8907 | if ((parameters = (u_int8_t *)kalloc_data(buffer_size, Z_WAITOK | Z_ZERO)) == NULL) { |
8908 | NECPLOG0(LOG_ERR, "necp_client_agent_action malloc failed" ); |
8909 | error = ENOMEM; |
8910 | goto done; |
8911 | } |
8912 | |
8913 | error = copyin(uap->buffer, parameters, buffer_size); |
8914 | if (error) { |
8915 | NECPLOG(LOG_ERR, "necp_client_agent_action parameters copyin error (%d)" , error); |
8916 | goto done; |
8917 | } |
8918 | |
8919 | NECP_FD_LOCK(fd_data); |
8920 | client = necp_client_fd_find_client_and_lock(client_fd: fd_data, client_id); |
8921 | if (client != NULL) { |
8922 | size_t offset = 0; |
8923 | while ((offset + sizeof(struct necp_tlv_header)) <= buffer_size) { |
8924 | u_int8_t type = necp_buffer_get_tlv_type(buffer: parameters, tlv_offset: offset); |
8925 | u_int32_t length = necp_buffer_get_tlv_length(buffer: parameters, tlv_offset: offset); |
8926 | |
8927 | if (length > (buffer_size - (offset + sizeof(struct necp_tlv_header)))) { |
8928 | // If the length is larger than what can fit in the remaining parameters size, bail |
8929 | NECPLOG(LOG_ERR, "Invalid TLV length (%u)" , length); |
8930 | break; |
8931 | } |
8932 | |
8933 | if (length >= sizeof(uuid_t)) { |
8934 | u_int8_t *value = necp_buffer_get_tlv_value(buffer: parameters, tlv_offset: offset, NULL); |
8935 | if (value == NULL) { |
8936 | NECPLOG0(LOG_ERR, "Invalid TLV value" ); |
8937 | break; |
8938 | } |
8939 | if (type == NECP_CLIENT_PARAMETER_TRIGGER_AGENT || |
8940 | type == NECP_CLIENT_PARAMETER_ASSERT_AGENT || |
8941 | type == NECP_CLIENT_PARAMETER_UNASSERT_AGENT) { |
8942 | uuid_t agent_uuid; |
8943 | uuid_copy(dst: agent_uuid, src: value); |
8944 | u_int8_t netagent_message_type = 0; |
8945 | if (type == NECP_CLIENT_PARAMETER_TRIGGER_AGENT) { |
8946 | netagent_message_type = NETAGENT_MESSAGE_TYPE_CLIENT_TRIGGER; |
8947 | } else if (type == NECP_CLIENT_PARAMETER_ASSERT_AGENT) { |
8948 | netagent_message_type = NETAGENT_MESSAGE_TYPE_CLIENT_ASSERT; |
8949 | } else if (type == NECP_CLIENT_PARAMETER_UNASSERT_AGENT) { |
8950 | netagent_message_type = NETAGENT_MESSAGE_TYPE_CLIENT_UNASSERT; |
8951 | } |
8952 | |
8953 | // Before unasserting, verify that the assertion was already taken |
8954 | if (type == NECP_CLIENT_PARAMETER_UNASSERT_AGENT) { |
8955 | if (!necp_client_remove_assertion(client, netagent_uuid: agent_uuid)) { |
8956 | error = ENOENT; |
8957 | break; |
8958 | } |
8959 | } |
8960 | |
8961 | struct necp_client_nexus_parameters parsed_parameters = {}; |
8962 | necp_client_copy_parameters_locked(client, parameters: &parsed_parameters); |
8963 | |
8964 | error = netagent_client_message_with_params(agent_uuid, |
8965 | necp_client_uuid: client_id, |
8966 | pid: fd_data->proc_pid, |
8967 | handle: client->agent_handle, |
8968 | message_type: netagent_message_type, |
8969 | parameters: (struct necp_client_agent_parameters *)&parsed_parameters, |
8970 | NULL, NULL); |
8971 | if (error == 0) { |
8972 | acted_on_agent = TRUE; |
8973 | } else { |
8974 | break; |
8975 | } |
8976 | |
8977 | // Only save the assertion if the action succeeded |
8978 | if (type == NECP_CLIENT_PARAMETER_ASSERT_AGENT) { |
8979 | necp_client_add_assertion(client, netagent_uuid: agent_uuid); |
8980 | } |
8981 | } else if (type == NECP_CLIENT_PARAMETER_AGENT_ADD_GROUP_MEMBERS || |
8982 | type == NECP_CLIENT_PARAMETER_AGENT_REMOVE_GROUP_MEMBERS) { |
8983 | uuid_t agent_uuid; |
8984 | uuid_copy(dst: agent_uuid, src: value); |
8985 | u_int8_t netagent_message_type = 0; |
8986 | if (type == NECP_CLIENT_PARAMETER_AGENT_ADD_GROUP_MEMBERS) { |
8987 | netagent_message_type = NETAGENT_MESSAGE_TYPE_ADD_GROUP_MEMBERS; |
8988 | } else if (type == NECP_CLIENT_PARAMETER_AGENT_REMOVE_GROUP_MEMBERS) { |
8989 | netagent_message_type = NETAGENT_MESSAGE_TYPE_REMOVE_GROUP_MEMBERS; |
8990 | } |
8991 | |
8992 | struct necp_client_group_members group_members = {}; |
8993 | group_members.group_members_length = (length - sizeof(uuid_t)); |
8994 | group_members.group_members = (value + sizeof(uuid_t)); |
8995 | error = netagent_client_message_with_params(agent_uuid, |
8996 | necp_client_uuid: client_id, |
8997 | pid: fd_data->proc_pid, |
8998 | handle: client->agent_handle, |
8999 | message_type: netagent_message_type, |
9000 | parameters: (struct necp_client_agent_parameters *)&group_members, |
9001 | NULL, NULL); |
9002 | if (error == 0) { |
9003 | acted_on_agent = TRUE; |
9004 | } else { |
9005 | break; |
9006 | } |
9007 | } else if (type == NECP_CLIENT_PARAMETER_REPORT_AGENT_ERROR) { |
9008 | uuid_t agent_uuid; |
9009 | uuid_copy(dst: agent_uuid, src: value); |
9010 | struct necp_client_agent_parameters agent_params = {}; |
9011 | if ((length - sizeof(uuid_t)) >= sizeof(agent_params.u.error.error)) { |
9012 | memcpy(dst: &agent_params.u.error.error, |
9013 | src: (value + sizeof(uuid_t)), |
9014 | n: sizeof(agent_params.u.error.error)); |
9015 | } |
9016 | bool agent_reported = false; |
9017 | for (int agent_i = 0; agent_i < NECP_FD_REPORTED_AGENT_COUNT; agent_i++) { |
9018 | if (uuid_compare(uu1: agent_uuid, uu2: fd_data->reported_agents.agent_uuid[agent_i]) == 0) { |
9019 | // Found a match, already reported |
9020 | agent_reported = true; |
9021 | break; |
9022 | } |
9023 | } |
9024 | agent_params.u.error.force_report = !agent_reported; |
9025 | if (!agent_reported) { |
9026 | // Save this agent as having been reported |
9027 | bool saved_agent_uuid = false; |
9028 | for (int agent_i = 0; agent_i < NECP_FD_REPORTED_AGENT_COUNT; agent_i++) { |
9029 | if (uuid_is_null(uu: fd_data->reported_agents.agent_uuid[agent_i])) { |
9030 | uuid_copy(dst: fd_data->reported_agents.agent_uuid[agent_i], src: agent_uuid); |
9031 | saved_agent_uuid = true; |
9032 | break; |
9033 | } |
9034 | } |
9035 | if (!saved_agent_uuid) { |
9036 | // Reported agent UUIDs full, move over and insert at the end |
9037 | for (int agent_i = 0; agent_i < NECP_FD_REPORTED_AGENT_COUNT; agent_i++) { |
9038 | if (agent_i + 1 < NECP_FD_REPORTED_AGENT_COUNT) { |
9039 | uuid_copy(dst: fd_data->reported_agents.agent_uuid[agent_i], src: fd_data->reported_agents.agent_uuid[agent_i + 1]); |
9040 | } else { |
9041 | uuid_copy(dst: fd_data->reported_agents.agent_uuid[agent_i], src: agent_uuid); |
9042 | } |
9043 | } |
9044 | } |
9045 | } |
9046 | error = netagent_client_message_with_params(agent_uuid, |
9047 | necp_client_uuid: client_id, |
9048 | pid: fd_data->proc_pid, |
9049 | handle: client->agent_handle, |
9050 | NETAGENT_MESSAGE_TYPE_CLIENT_ERROR, |
9051 | parameters: &agent_params, |
9052 | NULL, NULL); |
9053 | if (error == 0) { |
9054 | acted_on_agent = TRUE; |
9055 | } else { |
9056 | break; |
9057 | } |
9058 | } |
9059 | } |
9060 | |
9061 | offset += sizeof(struct necp_tlv_header) + length; |
9062 | } |
9063 | |
9064 | NECP_CLIENT_UNLOCK(client); |
9065 | } |
9066 | NECP_FD_UNLOCK(fd_data); |
9067 | |
9068 | if (!acted_on_agent && |
9069 | error == 0) { |
9070 | error = ENOENT; |
9071 | } |
9072 | done: |
9073 | *retval = error; |
9074 | if (parameters != NULL) { |
9075 | kfree_data(parameters, buffer_size); |
9076 | parameters = NULL; |
9077 | } |
9078 | |
9079 | return error; |
9080 | } |
9081 | |
9082 | static NECP_CLIENT_ACTION_FUNCTION int |
9083 | necp_client_copy_agent(__unused struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
9084 | { |
9085 | int error = 0; |
9086 | uuid_t agent_uuid; |
9087 | const size_t buffer_size = uap->buffer_size; |
9088 | |
9089 | if (uap->client_id == 0 || uap->client_id_len != sizeof(uuid_t) || |
9090 | buffer_size == 0 || uap->buffer == 0) { |
9091 | NECPLOG0(LOG_ERR, "necp_client_copy_agent bad input" ); |
9092 | error = EINVAL; |
9093 | goto done; |
9094 | } |
9095 | |
9096 | error = copyin(uap->client_id, agent_uuid, sizeof(uuid_t)); |
9097 | if (error) { |
9098 | NECPLOG(LOG_ERR, "necp_client_copy_agent copyin agent_uuid error (%d)" , error); |
9099 | goto done; |
9100 | } |
9101 | |
9102 | error = netagent_copyout(uuid: agent_uuid, user_addr: uap->buffer, user_size: buffer_size); |
9103 | if (error) { |
9104 | // netagent_copyout already logs appropriate errors |
9105 | goto done; |
9106 | } |
9107 | done: |
9108 | *retval = error; |
9109 | |
9110 | return error; |
9111 | } |
9112 | |
9113 | static NECP_CLIENT_ACTION_FUNCTION int |
9114 | necp_client_agent_use(struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
9115 | { |
9116 | int error = 0; |
9117 | struct necp_client *client = NULL; |
9118 | uuid_t client_id; |
9119 | struct necp_agent_use_parameters parameters = {}; |
9120 | const size_t buffer_size = uap->buffer_size; |
9121 | |
9122 | if (uap->client_id == 0 || uap->client_id_len != sizeof(uuid_t) || |
9123 | buffer_size != sizeof(parameters) || uap->buffer == 0) { |
9124 | error = EINVAL; |
9125 | goto done; |
9126 | } |
9127 | |
9128 | error = copyin(uap->client_id, client_id, sizeof(uuid_t)); |
9129 | if (error) { |
9130 | NECPLOG(LOG_ERR, "Copyin client_id error (%d)" , error); |
9131 | goto done; |
9132 | } |
9133 | |
9134 | error = copyin(uap->buffer, ¶meters, buffer_size); |
9135 | if (error) { |
9136 | NECPLOG(LOG_ERR, "Parameters copyin error (%d)" , error); |
9137 | goto done; |
9138 | } |
9139 | |
9140 | NECP_FD_LOCK(fd_data); |
9141 | client = necp_client_fd_find_client_and_lock(client_fd: fd_data, client_id); |
9142 | if (client != NULL) { |
9143 | error = netagent_use(agent_uuid: parameters.agent_uuid, out_use_count: ¶meters.out_use_count); |
9144 | NECP_CLIENT_UNLOCK(client); |
9145 | } else { |
9146 | error = ENOENT; |
9147 | } |
9148 | |
9149 | NECP_FD_UNLOCK(fd_data); |
9150 | |
9151 | if (error == 0) { |
9152 | error = copyout(¶meters, uap->buffer, buffer_size); |
9153 | if (error) { |
9154 | NECPLOG(LOG_ERR, "Parameters copyout error (%d)" , error); |
9155 | goto done; |
9156 | } |
9157 | } |
9158 | |
9159 | done: |
9160 | *retval = error; |
9161 | |
9162 | return error; |
9163 | } |
9164 | |
9165 | static NECP_CLIENT_ACTION_FUNCTION int |
9166 | necp_client_acquire_agent_token(__unused struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
9167 | { |
9168 | int error = 0; |
9169 | uuid_t agent_uuid = {}; |
9170 | const size_t buffer_size = uap->buffer_size; |
9171 | |
9172 | *retval = 0; |
9173 | |
9174 | if (uap->client_id == 0 || uap->client_id_len != sizeof(uuid_t) || |
9175 | buffer_size == 0 || uap->buffer == 0) { |
9176 | NECPLOG0(LOG_ERR, "necp_client_copy_agent bad input" ); |
9177 | error = EINVAL; |
9178 | goto done; |
9179 | } |
9180 | |
9181 | error = copyin(uap->client_id, agent_uuid, sizeof(uuid_t)); |
9182 | if (error) { |
9183 | NECPLOG(LOG_ERR, "necp_client_copy_agent copyin agent_uuid error (%d)" , error); |
9184 | goto done; |
9185 | } |
9186 | |
9187 | error = netagent_acquire_token(uuid: agent_uuid, user_addr: uap->buffer, user_size: buffer_size, retval); |
9188 | done: |
9189 | return error; |
9190 | } |
9191 | |
9192 | static NECP_CLIENT_ACTION_FUNCTION int |
9193 | necp_client_copy_interface(__unused struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
9194 | { |
9195 | int error = 0; |
9196 | u_int32_t interface_index = 0; |
9197 | struct necp_interface_details interface_details = {}; |
9198 | |
9199 | if (uap->client_id == 0 || uap->client_id_len != sizeof(u_int32_t) || |
9200 | uap->buffer_size < sizeof(interface_details) || |
9201 | uap->buffer == 0) { |
9202 | NECPLOG0(LOG_ERR, "necp_client_copy_interface bad input" ); |
9203 | error = EINVAL; |
9204 | goto done; |
9205 | } |
9206 | |
9207 | error = copyin(uap->client_id, &interface_index, sizeof(u_int32_t)); |
9208 | if (error) { |
9209 | NECPLOG(LOG_ERR, "necp_client_copy_interface copyin interface_index error (%d)" , error); |
9210 | goto done; |
9211 | } |
9212 | |
9213 | if (interface_index == 0) { |
9214 | error = ENOENT; |
9215 | NECPLOG(LOG_ERR, "necp_client_copy_interface bad interface_index (%d)" , interface_index); |
9216 | goto done; |
9217 | } |
9218 | |
9219 | lck_mtx_lock(rnh_lock); |
9220 | ifnet_head_lock_shared(); |
9221 | ifnet_t interface = NULL; |
9222 | if (interface_index != IFSCOPE_NONE && interface_index <= (u_int32_t)if_index) { |
9223 | interface = ifindex2ifnet[interface_index]; |
9224 | } |
9225 | |
9226 | if (interface != NULL) { |
9227 | if (interface->if_xname != NULL) { |
9228 | strlcpy(dst: (char *)&interface_details.name, src: interface->if_xname, n: sizeof(interface_details.name)); |
9229 | } |
9230 | interface_details.index = interface->if_index; |
9231 | interface_details.generation = ifnet_get_generation(interface); |
9232 | if (interface->if_delegated.ifp != NULL) { |
9233 | interface_details.delegate_index = interface->if_delegated.ifp->if_index; |
9234 | } |
9235 | interface_details.functional_type = if_functional_type(interface, TRUE); |
9236 | if (IFNET_IS_EXPENSIVE(interface)) { |
9237 | interface_details.flags |= NECP_INTERFACE_FLAG_EXPENSIVE; |
9238 | } |
9239 | if (IFNET_IS_CONSTRAINED(interface)) { |
9240 | interface_details.flags |= NECP_INTERFACE_FLAG_CONSTRAINED; |
9241 | } |
9242 | if ((interface->if_eflags & IFEF_TXSTART) == IFEF_TXSTART) { |
9243 | interface_details.flags |= NECP_INTERFACE_FLAG_TXSTART; |
9244 | } |
9245 | if ((interface->if_eflags & IFEF_NOACKPRI) == IFEF_NOACKPRI) { |
9246 | interface_details.flags |= NECP_INTERFACE_FLAG_NOACKPRI; |
9247 | } |
9248 | if ((interface->if_eflags & IFEF_3CA) == IFEF_3CA) { |
9249 | interface_details.flags |= NECP_INTERFACE_FLAG_3CARRIERAGG; |
9250 | } |
9251 | if (IFNET_IS_LOW_POWER(interface)) { |
9252 | interface_details.flags |= NECP_INTERFACE_FLAG_IS_LOW_POWER; |
9253 | } |
9254 | if (interface->if_xflags & IFXF_MPK_LOG) { |
9255 | interface_details.flags |= NECP_INTERFACE_FLAG_MPK_LOG; |
9256 | } |
9257 | if (interface->if_flags & IFF_MULTICAST) { |
9258 | interface_details.flags |= NECP_INTERFACE_FLAG_SUPPORTS_MULTICAST; |
9259 | } |
9260 | if (IS_INTF_CLAT46(interface)) { |
9261 | interface_details.flags |= NECP_INTERFACE_FLAG_HAS_NAT64; |
9262 | } |
9263 | interface_details.mtu = interface->if_mtu; |
9264 | #if SKYWALK |
9265 | fsw_get_tso_capabilities(interface, &interface_details.tso_max_segment_size_v4, |
9266 | &interface_details.tso_max_segment_size_v6); |
9267 | |
9268 | interface_details.hwcsum_flags = interface->if_hwassist & IFNET_CHECKSUMF; |
9269 | #endif /* SKYWALK */ |
9270 | |
9271 | u_int8_t ipv4_signature_len = sizeof(interface_details.ipv4_signature.signature); |
9272 | u_int16_t ipv4_signature_flags; |
9273 | if (ifnet_get_netsignature(interface, AF_INET, &ipv4_signature_len, &ipv4_signature_flags, |
9274 | (u_int8_t *)&interface_details.ipv4_signature) != 0) { |
9275 | ipv4_signature_len = 0; |
9276 | } |
9277 | interface_details.ipv4_signature.signature_len = ipv4_signature_len; |
9278 | |
9279 | // Check for default scoped routes for IPv4 and IPv6 |
9280 | union necp_sockaddr_union default_address; |
9281 | struct rtentry *v4Route = NULL; |
9282 | memset(s: &default_address, c: 0, n: sizeof(default_address)); |
9283 | default_address.sa.sa_family = AF_INET; |
9284 | default_address.sa.sa_len = sizeof(struct sockaddr_in); |
9285 | v4Route = rtalloc1_scoped_locked((struct sockaddr *)&default_address, 0, 0, |
9286 | interface->if_index); |
9287 | if (v4Route != NULL) { |
9288 | if (v4Route->rt_ifp != NULL && !IS_INTF_CLAT46(v4Route->rt_ifp)) { |
9289 | interface_details.flags |= NECP_INTERFACE_FLAG_IPV4_ROUTABLE; |
9290 | } |
9291 | rtfree_locked(v4Route); |
9292 | v4Route = NULL; |
9293 | } |
9294 | |
9295 | struct rtentry *v6Route = NULL; |
9296 | memset(s: &default_address, c: 0, n: sizeof(default_address)); |
9297 | default_address.sa.sa_family = AF_INET6; |
9298 | default_address.sa.sa_len = sizeof(struct sockaddr_in6); |
9299 | v6Route = rtalloc1_scoped_locked((struct sockaddr *)&default_address, 0, 0, |
9300 | interface->if_index); |
9301 | if (v6Route != NULL) { |
9302 | if (v6Route->rt_ifp != NULL) { |
9303 | interface_details.flags |= NECP_INTERFACE_FLAG_IPV6_ROUTABLE; |
9304 | } |
9305 | rtfree_locked(v6Route); |
9306 | v6Route = NULL; |
9307 | } |
9308 | |
9309 | u_int8_t ipv6_signature_len = sizeof(interface_details.ipv6_signature.signature); |
9310 | u_int16_t ipv6_signature_flags; |
9311 | if (ifnet_get_netsignature(interface, AF_INET6, &ipv6_signature_len, &ipv6_signature_flags, |
9312 | (u_int8_t *)&interface_details.ipv6_signature) != 0) { |
9313 | ipv6_signature_len = 0; |
9314 | } |
9315 | interface_details.ipv6_signature.signature_len = ipv6_signature_len; |
9316 | |
9317 | ifnet_lock_shared(ifp: interface); |
9318 | struct ifaddr *ifa = NULL; |
9319 | TAILQ_FOREACH(ifa, &interface->if_addrhead, ifa_link) { |
9320 | IFA_LOCK(ifa); |
9321 | if (ifa->ifa_addr->sa_family == AF_INET) { |
9322 | interface_details.flags |= NECP_INTERFACE_FLAG_HAS_NETMASK; |
9323 | interface_details.ipv4_netmask = ((struct in_ifaddr *)ifa)->ia_sockmask.sin_addr.s_addr; |
9324 | if (interface->if_flags & IFF_BROADCAST) { |
9325 | interface_details.flags |= NECP_INTERFACE_FLAG_HAS_BROADCAST; |
9326 | interface_details.ipv4_broadcast = ((struct in_ifaddr *)ifa)->ia_broadaddr.sin_addr.s_addr; |
9327 | } |
9328 | } |
9329 | IFA_UNLOCK(ifa); |
9330 | } |
9331 | |
9332 | interface_details.radio_type = interface->if_radio_type; |
9333 | if (interface_details.radio_type == 0 && interface->if_delegated.ifp) { |
9334 | interface_details.radio_type = interface->if_delegated.ifp->if_radio_type; |
9335 | } |
9336 | ifnet_lock_done(ifp: interface); |
9337 | } |
9338 | |
9339 | ifnet_head_done(); |
9340 | lck_mtx_unlock(rnh_lock); |
9341 | |
9342 | // If the client is using an older version of the struct, copy that length |
9343 | error = copyout(&interface_details, uap->buffer, sizeof(interface_details)); |
9344 | if (error) { |
9345 | NECPLOG(LOG_ERR, "necp_client_copy_interface copyout error (%d)" , error); |
9346 | goto done; |
9347 | } |
9348 | done: |
9349 | *retval = error; |
9350 | |
9351 | return error; |
9352 | } |
9353 | |
9354 | #if SKYWALK |
9355 | |
9356 | static NECP_CLIENT_ACTION_FUNCTION int |
9357 | necp_client_get_interface_address(__unused struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
9358 | { |
9359 | int error = 0; |
9360 | u_int32_t interface_index = IFSCOPE_NONE; |
9361 | struct sockaddr_storage address = {}; |
9362 | const size_t buffer_size = uap->buffer_size; |
9363 | |
9364 | if (uap->client_id == 0 || uap->client_id_len != sizeof(u_int32_t) || |
9365 | buffer_size < sizeof(struct sockaddr_in) || |
9366 | buffer_size > sizeof(struct sockaddr_storage) || |
9367 | uap->buffer == 0) { |
9368 | NECPLOG0(LOG_ERR, "necp_client_get_interface_address bad input" ); |
9369 | error = EINVAL; |
9370 | goto done; |
9371 | } |
9372 | |
9373 | error = copyin(uap->client_id, &interface_index, sizeof(u_int32_t)); |
9374 | if (error) { |
9375 | NECPLOG(LOG_ERR, "necp_client_get_interface_address copyin interface_index error (%d)" , error); |
9376 | goto done; |
9377 | } |
9378 | |
9379 | if (interface_index == IFSCOPE_NONE) { |
9380 | error = ENOENT; |
9381 | NECPLOG(LOG_ERR, "necp_client_get_interface_address bad interface_index (%d)" , interface_index); |
9382 | goto done; |
9383 | } |
9384 | |
9385 | error = copyin(uap->buffer, &address, buffer_size); |
9386 | if (error) { |
9387 | NECPLOG(LOG_ERR, "necp_client_get_interface_address copyin address error (%d)" , error); |
9388 | goto done; |
9389 | } |
9390 | |
9391 | if (address.ss_family != AF_INET && address.ss_family != AF_INET6) { |
9392 | error = EINVAL; |
9393 | NECPLOG(LOG_ERR, "necp_client_get_interface_address invalid address family (%u)" , address.ss_family); |
9394 | goto done; |
9395 | } |
9396 | |
9397 | if (address.ss_len != buffer_size) { |
9398 | error = EINVAL; |
9399 | NECPLOG(LOG_ERR, "necp_client_get_interface_address invalid address length (%u)" , address.ss_len); |
9400 | goto done; |
9401 | } |
9402 | |
9403 | ifnet_head_lock_shared(); |
9404 | ifnet_t ifp = NULL; |
9405 | if (interface_index != IFSCOPE_NONE && interface_index <= (u_int32_t)if_index) { |
9406 | ifp = ifindex2ifnet[interface_index]; |
9407 | } |
9408 | ifnet_head_done(); |
9409 | if (ifp == NULL) { |
9410 | error = ENOENT; |
9411 | NECPLOG0(LOG_ERR, "necp_client_get_interface_address no matching interface found" ); |
9412 | goto done; |
9413 | } |
9414 | |
9415 | struct rtentry *rt = rtalloc1_scoped((struct sockaddr *)&address, 0, 0, interface_index); |
9416 | if (rt == NULL) { |
9417 | error = EINVAL; |
9418 | NECPLOG0(LOG_ERR, "necp_client_get_interface_address route lookup failed" ); |
9419 | goto done; |
9420 | } |
9421 | |
9422 | uint32_t gencount = 0; |
9423 | struct sockaddr_storage local_address = {}; |
9424 | error = flow_route_select_laddr((union sockaddr_in_4_6 *)&local_address, |
9425 | (union sockaddr_in_4_6 *)&address, ifp, rt, &gencount, 1); |
9426 | rtfree(rt); |
9427 | rt = NULL; |
9428 | |
9429 | if (error) { |
9430 | NECPLOG(LOG_ERR, "necp_client_get_interface_address local address selection failed (%d)" , error); |
9431 | goto done; |
9432 | } |
9433 | |
9434 | if (local_address.ss_len > buffer_size) { |
9435 | error = EMSGSIZE; |
9436 | NECPLOG(LOG_ERR, "necp_client_get_interface_address local address too long for buffer (%u)" , |
9437 | local_address.ss_len); |
9438 | goto done; |
9439 | } |
9440 | |
9441 | error = copyout(&local_address, uap->buffer, local_address.ss_len); |
9442 | if (error) { |
9443 | NECPLOG(LOG_ERR, "necp_client_get_interface_address copyout error (%d)" , error); |
9444 | goto done; |
9445 | } |
9446 | done: |
9447 | *retval = error; |
9448 | |
9449 | return error; |
9450 | } |
9451 | |
9452 | extern char *proc_name_address(void *p); |
9453 | |
9454 | int |
9455 | necp_stats_ctor(struct skmem_obj_info *oi, struct skmem_obj_info *oim, |
9456 | void *arg, uint32_t skmflag) |
9457 | { |
9458 | #pragma unused(arg, skmflag) |
9459 | struct necp_all_kstats *kstats = SKMEM_OBJ_ADDR(oi); |
9460 | |
9461 | ASSERT(oim != NULL && SKMEM_OBJ_ADDR(oim) != NULL); |
9462 | ASSERT(SKMEM_OBJ_SIZE(oi) == SKMEM_OBJ_SIZE(oim)); |
9463 | |
9464 | kstats->necp_stats_ustats = SKMEM_OBJ_ADDR(oim); |
9465 | |
9466 | return 0; |
9467 | } |
9468 | |
9469 | int |
9470 | necp_stats_dtor(void *addr, void *arg) |
9471 | { |
9472 | #pragma unused(addr, arg) |
9473 | struct necp_all_kstats *kstats = addr; |
9474 | |
9475 | kstats->necp_stats_ustats = NULL; |
9476 | |
9477 | return 0; |
9478 | } |
9479 | |
9480 | static void |
9481 | necp_fd_insert_stats_arena(struct necp_fd_data *fd_data, struct necp_arena_info *nai) |
9482 | { |
9483 | NECP_FD_ASSERT_LOCKED(fd_data); |
9484 | VERIFY(!(nai->nai_flags & NAIF_ATTACHED)); |
9485 | VERIFY(nai->nai_chain.le_next == NULL && nai->nai_chain.le_prev == NULL); |
9486 | |
9487 | LIST_INSERT_HEAD(&fd_data->stats_arena_list, nai, nai_chain); |
9488 | nai->nai_flags |= NAIF_ATTACHED; |
9489 | necp_arena_info_retain(nai); // for the list |
9490 | } |
9491 | |
9492 | static void |
9493 | necp_fd_remove_stats_arena(struct necp_fd_data *fd_data, struct necp_arena_info *nai) |
9494 | { |
9495 | #pragma unused(fd_data) |
9496 | NECP_FD_ASSERT_LOCKED(fd_data); |
9497 | VERIFY(nai->nai_flags & NAIF_ATTACHED); |
9498 | VERIFY(nai->nai_use_count >= 1); |
9499 | |
9500 | LIST_REMOVE(nai, nai_chain); |
9501 | nai->nai_flags &= ~NAIF_ATTACHED; |
9502 | nai->nai_chain.le_next = NULL; |
9503 | nai->nai_chain.le_prev = NULL; |
9504 | necp_arena_info_release(nai); // for the list |
9505 | } |
9506 | |
9507 | static struct necp_arena_info * |
9508 | necp_fd_mredirect_stats_arena(struct necp_fd_data *fd_data, struct proc *proc) |
9509 | { |
9510 | struct necp_arena_info *nai, *nai_ret = NULL; |
9511 | |
9512 | NECP_FD_ASSERT_LOCKED(fd_data); |
9513 | |
9514 | // Redirect currently-active stats arena and remove it from the active state; |
9515 | // upon process resumption, new flow request would trigger the creation of |
9516 | // another active arena. |
9517 | if ((nai = fd_data->stats_arena_active) != NULL) { |
9518 | boolean_t need_defunct = FALSE; |
9519 | |
9520 | ASSERT(!(nai->nai_flags & (NAIF_REDIRECT | NAIF_DEFUNCT))); |
9521 | VERIFY(nai->nai_use_count >= 2); |
9522 | ASSERT(nai->nai_arena != NULL); |
9523 | ASSERT(nai->nai_mmap.ami_mapref != NULL); |
9524 | |
9525 | int err = skmem_arena_mredirect(nai->nai_arena, &nai->nai_mmap, proc, &need_defunct); |
9526 | VERIFY(err == 0); |
9527 | // must be TRUE since we don't mmap the arena more than once |
9528 | VERIFY(need_defunct == TRUE); |
9529 | |
9530 | nai->nai_flags |= NAIF_REDIRECT; |
9531 | nai_ret = nai; // return to caller |
9532 | |
9533 | necp_arena_info_release(nai); // for fd_data |
9534 | fd_data->stats_arena_active = nai = NULL; |
9535 | } |
9536 | |
9537 | #if (DEVELOPMENT || DEBUG) |
9538 | // make sure this list now contains nothing but redirected/defunct arenas |
9539 | LIST_FOREACH(nai, &fd_data->stats_arena_list, nai_chain) { |
9540 | ASSERT(nai->nai_use_count >= 1); |
9541 | ASSERT(nai->nai_flags & (NAIF_REDIRECT | NAIF_DEFUNCT)); |
9542 | } |
9543 | #endif /* (DEVELOPMENT || DEBUG) */ |
9544 | |
9545 | return nai_ret; |
9546 | } |
9547 | |
9548 | static void |
9549 | necp_arena_info_retain(struct necp_arena_info *nai) |
9550 | { |
9551 | nai->nai_use_count++; |
9552 | VERIFY(nai->nai_use_count != 0); |
9553 | } |
9554 | |
9555 | static void |
9556 | necp_arena_info_release(struct necp_arena_info *nai) |
9557 | { |
9558 | VERIFY(nai->nai_use_count > 0); |
9559 | if (--nai->nai_use_count == 0) { |
9560 | necp_arena_info_free(nai); |
9561 | } |
9562 | } |
9563 | |
9564 | static struct necp_arena_info * |
9565 | necp_arena_info_alloc(void) |
9566 | { |
9567 | return zalloc_flags(necp_arena_info_zone, Z_WAITOK | Z_ZERO); |
9568 | } |
9569 | |
9570 | static void |
9571 | necp_arena_info_free(struct necp_arena_info *nai) |
9572 | { |
9573 | VERIFY(nai->nai_chain.le_next == NULL && nai->nai_chain.le_prev == NULL); |
9574 | VERIFY(nai->nai_use_count == 0); |
9575 | |
9576 | // NOTE: destroying the arena requires that all outstanding objects |
9577 | // that were allocated have been freed, else it will assert. |
9578 | if (nai->nai_arena != NULL) { |
9579 | skmem_arena_munmap(nai->nai_arena, &nai->nai_mmap); |
9580 | skmem_arena_release(nai->nai_arena); |
9581 | OSDecrementAtomic(&necp_arena_count); |
9582 | nai->nai_arena = NULL; |
9583 | nai->nai_roff = 0; |
9584 | } |
9585 | |
9586 | ASSERT(nai->nai_arena == NULL); |
9587 | ASSERT(nai->nai_mmap.ami_mapref == NULL); |
9588 | ASSERT(nai->nai_mmap.ami_arena == NULL); |
9589 | ASSERT(nai->nai_mmap.ami_maptask == TASK_NULL); |
9590 | |
9591 | zfree(necp_arena_info_zone, nai); |
9592 | } |
9593 | |
9594 | static int |
9595 | necp_arena_create(struct necp_fd_data *fd_data, size_t obj_size, size_t obj_cnt, struct proc *p) |
9596 | { |
9597 | struct skmem_region_params srp_ustats = {}; |
9598 | struct skmem_region_params srp_kstats = {}; |
9599 | struct necp_arena_info *nai; |
9600 | char name[32]; |
9601 | int error = 0; |
9602 | |
9603 | NECP_FD_ASSERT_LOCKED(fd_data); |
9604 | ASSERT(fd_data->stats_arena_active == NULL); |
9605 | ASSERT(p != PROC_NULL); |
9606 | ASSERT(proc_pid(p) == fd_data->proc_pid); |
9607 | |
9608 | // inherit the default parameters for the stats region |
9609 | srp_ustats = *skmem_get_default(SKMEM_REGION_USTATS); |
9610 | srp_kstats = *skmem_get_default(SKMEM_REGION_KSTATS); |
9611 | |
9612 | // enable multi-segment mode |
9613 | srp_ustats.srp_cflags &= ~SKMEM_REGION_CR_MONOLITHIC; |
9614 | srp_kstats.srp_cflags &= ~SKMEM_REGION_CR_MONOLITHIC; |
9615 | |
9616 | // configure and adjust the region parameters |
9617 | srp_ustats.srp_r_obj_cnt = srp_kstats.srp_r_obj_cnt = obj_cnt; |
9618 | srp_ustats.srp_r_obj_size = srp_kstats.srp_r_obj_size = obj_size; |
9619 | skmem_region_params_config(&srp_ustats); |
9620 | skmem_region_params_config(&srp_kstats); |
9621 | |
9622 | nai = necp_arena_info_alloc(); |
9623 | |
9624 | nai->nai_proc_pid = fd_data->proc_pid; |
9625 | (void) snprintf(name, count: sizeof(name), "stats-%u.%s.%d" , fd_data->stats_arena_gencnt, proc_name_address(p), fd_data->proc_pid); |
9626 | nai->nai_arena = skmem_arena_create_for_necp(name, &srp_ustats, &srp_kstats, &error); |
9627 | ASSERT(nai->nai_arena != NULL || error != 0); |
9628 | if (error != 0) { |
9629 | NECPLOG(LOG_ERR, "failed to create stats arena for pid %d\n" , fd_data->proc_pid); |
9630 | } else { |
9631 | OSIncrementAtomic(&necp_arena_count); |
9632 | |
9633 | // Get region offsets from base of mmap span; the arena |
9634 | // doesn't need to be mmap'd at this point, since we simply |
9635 | // compute the relative offset. |
9636 | nai->nai_roff = skmem_arena_get_region_offset(nai->nai_arena, SKMEM_REGION_USTATS); |
9637 | |
9638 | // map to the task/process; upon success, the base address of the region |
9639 | // will be returned in nai_mmap.ami_mapaddr; this can be communicated to |
9640 | // the process. |
9641 | error = skmem_arena_mmap(nai->nai_arena, p, &nai->nai_mmap); |
9642 | if (error != 0) { |
9643 | NECPLOG(LOG_ERR, "failed to map stats arena for pid %d\n" , fd_data->proc_pid); |
9644 | } |
9645 | } |
9646 | |
9647 | if (error == 0) { |
9648 | fd_data->stats_arena_active = nai; |
9649 | necp_arena_info_retain(nai); // for fd_data |
9650 | necp_fd_insert_stats_arena(fd_data, nai); |
9651 | ++fd_data->stats_arena_gencnt; |
9652 | } else { |
9653 | necp_arena_info_free(nai); |
9654 | } |
9655 | |
9656 | return error; |
9657 | } |
9658 | |
9659 | static int |
9660 | necp_arena_stats_obj_alloc(struct necp_fd_data *fd_data, |
9661 | mach_vm_offset_t *off, |
9662 | struct necp_arena_info **stats_arena, |
9663 | void **kstats_kaddr, |
9664 | boolean_t cansleep) |
9665 | { |
9666 | struct skmem_cache *kstats_cp = NULL; |
9667 | void *ustats_obj = NULL; |
9668 | void *kstats_obj = NULL; |
9669 | struct necp_all_kstats *kstats = NULL; |
9670 | struct skmem_obj_info kstats_oi = {}; |
9671 | |
9672 | ASSERT(off != NULL); |
9673 | ASSERT(stats_arena != NULL && *stats_arena == NULL); |
9674 | ASSERT(kstats_kaddr != NULL && *kstats_kaddr == NULL); |
9675 | |
9676 | NECP_FD_ASSERT_LOCKED(fd_data); |
9677 | ASSERT(fd_data->stats_arena_active != NULL); |
9678 | ASSERT(fd_data->stats_arena_active->nai_arena != NULL); |
9679 | |
9680 | kstats_cp = skmem_arena_necp(fd_data->stats_arena_active->nai_arena)->arc_kstats_cache; |
9681 | if ((kstats_obj = skmem_cache_alloc(kstats_cp, (cansleep ? SKMEM_SLEEP : SKMEM_NOSLEEP))) == NULL) { |
9682 | return ENOMEM; |
9683 | } |
9684 | |
9685 | kstats = (struct necp_all_kstats*)kstats_obj; |
9686 | ustats_obj = kstats->necp_stats_ustats; |
9687 | |
9688 | skmem_cache_get_obj_info(kstats_cp, kstats_obj, &kstats_oi, NULL); |
9689 | ASSERT(SKMEM_OBJ_SIZE(&kstats_oi) >= sizeof(struct necp_all_stats)); |
9690 | // reset all stats counters |
9691 | bzero(s: ustats_obj, SKMEM_OBJ_SIZE(&kstats_oi)); |
9692 | bzero(s: &kstats->necp_stats_comm, n: sizeof(struct necp_all_stats)); |
9693 | *stats_arena = fd_data->stats_arena_active; |
9694 | *kstats_kaddr = kstats_obj; |
9695 | // kstats and ustats are mirrored and have the same offset |
9696 | *off = fd_data->stats_arena_active->nai_roff + SKMEM_OBJ_ROFF(&kstats_oi); |
9697 | |
9698 | return 0; |
9699 | } |
9700 | |
9701 | static void |
9702 | necp_arena_stats_obj_free(struct necp_fd_data *fd_data, struct necp_arena_info *stats_arena, void **kstats_kaddr, mach_vm_address_t *ustats_uaddr) |
9703 | { |
9704 | #pragma unused(fd_data) |
9705 | NECP_FD_ASSERT_LOCKED(fd_data); |
9706 | |
9707 | ASSERT(stats_arena != NULL); |
9708 | ASSERT(stats_arena->nai_arena != NULL); |
9709 | ASSERT(kstats_kaddr != NULL && *kstats_kaddr != NULL); |
9710 | ASSERT(ustats_uaddr != NULL); |
9711 | |
9712 | skmem_cache_free(skmem_arena_necp(stats_arena->nai_arena)->arc_kstats_cache, *kstats_kaddr); |
9713 | *kstats_kaddr = NULL; |
9714 | *ustats_uaddr = 0; |
9715 | } |
9716 | |
9717 | // This routine returns the KVA of the sysctls object, as well as the |
9718 | // offset of that object relative to the mmap base address for the |
9719 | // task/process. |
9720 | static void * |
9721 | necp_arena_sysctls_obj(struct necp_fd_data *fd_data, mach_vm_offset_t *off, size_t *size) |
9722 | { |
9723 | void *objaddr; |
9724 | |
9725 | NECP_FD_ASSERT_LOCKED(fd_data); |
9726 | ASSERT(fd_data->sysctl_arena != NULL); |
9727 | |
9728 | // kernel virtual address of the sysctls object |
9729 | objaddr = skmem_arena_system_sysctls_obj_addr(fd_data->sysctl_arena); |
9730 | ASSERT(objaddr != NULL); |
9731 | |
9732 | // Return the relative offset of the sysctls object; there is |
9733 | // only 1 object in the entire sysctls region, and therefore the |
9734 | // object's offset is simply the region's offset in the arena. |
9735 | // (sysctl_mmap.ami_mapaddr + offset) is the address of this object |
9736 | // in the task/process. |
9737 | if (off != NULL) { |
9738 | *off = fd_data->system_sysctls_roff; |
9739 | } |
9740 | |
9741 | if (size != NULL) { |
9742 | *size = skmem_arena_system_sysctls_obj_size(fd_data->sysctl_arena); |
9743 | ASSERT(*size != 0); |
9744 | } |
9745 | |
9746 | return objaddr; |
9747 | } |
9748 | |
9749 | static void |
9750 | necp_stats_arenas_destroy(struct necp_fd_data *fd_data, boolean_t closing) |
9751 | { |
9752 | struct necp_arena_info *nai, *nai_tmp; |
9753 | |
9754 | NECP_FD_ASSERT_LOCKED(fd_data); |
9755 | |
9756 | // If reaping (not closing), release reference only for idle active arena; the reference |
9757 | // count must be 2 by now, when it's not being referred to by any clients/flows. |
9758 | if ((nai = fd_data->stats_arena_active) != NULL && (closing || nai->nai_use_count == 2)) { |
9759 | VERIFY(nai->nai_use_count >= 2); |
9760 | necp_arena_info_release(nai); // for fd_data |
9761 | fd_data->stats_arena_active = NULL; |
9762 | } |
9763 | |
9764 | // clean up any defunct arenas left in the list |
9765 | LIST_FOREACH_SAFE(nai, &fd_data->stats_arena_list, nai_chain, nai_tmp) { |
9766 | // If reaping, release reference if the list holds the last one |
9767 | if (closing || nai->nai_use_count == 1) { |
9768 | VERIFY(nai->nai_use_count >= 1); |
9769 | // callee unchains nai (and may free it) |
9770 | necp_fd_remove_stats_arena(fd_data, nai); |
9771 | } |
9772 | } |
9773 | } |
9774 | |
9775 | static void |
9776 | necp_sysctl_arena_destroy(struct necp_fd_data *fd_data) |
9777 | { |
9778 | NECP_FD_ASSERT_LOCKED(fd_data); |
9779 | |
9780 | // NOTE: destroying the arena requires that all outstanding objects |
9781 | // that were allocated have been freed, else it will assert. |
9782 | if (fd_data->sysctl_arena != NULL) { |
9783 | skmem_arena_munmap(fd_data->sysctl_arena, &fd_data->sysctl_mmap); |
9784 | skmem_arena_release(fd_data->sysctl_arena); |
9785 | OSDecrementAtomic(&necp_sysctl_arena_count); |
9786 | fd_data->sysctl_arena = NULL; |
9787 | fd_data->system_sysctls_roff = 0; |
9788 | } |
9789 | } |
9790 | |
9791 | static int |
9792 | necp_arena_initialize(struct necp_fd_data *fd_data, bool locked) |
9793 | { |
9794 | int error = 0; |
9795 | size_t stats_obj_size = MAX(sizeof(struct necp_all_stats), sizeof(struct necp_all_kstats)); |
9796 | |
9797 | if (!locked) { |
9798 | NECP_FD_LOCK(fd_data); |
9799 | } |
9800 | if (fd_data->stats_arena_active == NULL) { |
9801 | error = necp_arena_create(fd_data, obj_size: stats_obj_size, |
9802 | NECP_MAX_PER_PROCESS_CLIENT_STATISTICS_STRUCTS, |
9803 | p: current_proc()); |
9804 | } |
9805 | if (!locked) { |
9806 | NECP_FD_UNLOCK(fd_data); |
9807 | } |
9808 | |
9809 | return error; |
9810 | } |
9811 | |
9812 | static int |
9813 | necp_sysctl_arena_initialize(struct necp_fd_data *fd_data, bool locked) |
9814 | { |
9815 | int error = 0; |
9816 | |
9817 | if (!locked) { |
9818 | NECP_FD_LOCK(fd_data); |
9819 | } |
9820 | |
9821 | NECP_FD_ASSERT_LOCKED(fd_data); |
9822 | |
9823 | if (fd_data->sysctl_arena == NULL) { |
9824 | char name[32]; |
9825 | struct proc *p = current_proc(); |
9826 | |
9827 | ASSERT(p != PROC_NULL); |
9828 | ASSERT(proc_pid(p) == fd_data->proc_pid); |
9829 | |
9830 | (void) snprintf(name, count: sizeof(name), "sysctl.%s.%d" , proc_name_address(p), fd_data->proc_pid); |
9831 | fd_data->sysctl_arena = skmem_arena_create_for_system(name, &error); |
9832 | ASSERT(fd_data->sysctl_arena != NULL || error != 0); |
9833 | if (error != 0) { |
9834 | NECPLOG(LOG_ERR, "failed to create arena for pid %d\n" , fd_data->proc_pid); |
9835 | } else { |
9836 | OSIncrementAtomic(&necp_sysctl_arena_count); |
9837 | |
9838 | // Get region offsets from base of mmap span; the arena |
9839 | // doesn't need to be mmap'd at this point, since we simply |
9840 | // compute the relative offset. |
9841 | fd_data->system_sysctls_roff = skmem_arena_get_region_offset(fd_data->sysctl_arena, SKMEM_REGION_SYSCTLS); |
9842 | |
9843 | // map to the task/process; upon success, the base address of the region |
9844 | // will be returned in nai_mmap.ami_mapaddr; this can be communicated to |
9845 | // the process. |
9846 | error = skmem_arena_mmap(fd_data->sysctl_arena, p, &fd_data->sysctl_mmap); |
9847 | if (error != 0) { |
9848 | NECPLOG(LOG_ERR, "failed to map sysctl arena for pid %d\n" , fd_data->proc_pid); |
9849 | necp_sysctl_arena_destroy(fd_data); |
9850 | } |
9851 | } |
9852 | } |
9853 | |
9854 | if (!locked) { |
9855 | NECP_FD_UNLOCK(fd_data); |
9856 | } |
9857 | |
9858 | return error; |
9859 | } |
9860 | |
9861 | static int |
9862 | necp_client_stats_bufreq(struct necp_fd_data *fd_data, |
9863 | struct necp_client *client, |
9864 | struct necp_client_flow_registration *flow_registration, |
9865 | struct necp_stats_bufreq *bufreq, |
9866 | struct necp_stats_hdr *) |
9867 | { |
9868 | int error = 0; |
9869 | NECP_CLIENT_ASSERT_LOCKED(client); |
9870 | NECP_FD_ASSERT_LOCKED(fd_data); |
9871 | |
9872 | if ((bufreq->necp_stats_bufreq_id == NECP_CLIENT_STATISTICS_BUFREQ_ID) && |
9873 | ((bufreq->necp_stats_bufreq_type == NECP_CLIENT_STATISTICS_TYPE_TCP && |
9874 | bufreq->necp_stats_bufreq_ver == NECP_CLIENT_STATISTICS_TYPE_TCP_CURRENT_VER) || |
9875 | (bufreq->necp_stats_bufreq_type == NECP_CLIENT_STATISTICS_TYPE_UDP && |
9876 | bufreq->necp_stats_bufreq_ver == NECP_CLIENT_STATISTICS_TYPE_UDP_CURRENT_VER) || |
9877 | (bufreq->necp_stats_bufreq_type == NECP_CLIENT_STATISTICS_TYPE_QUIC && |
9878 | bufreq->necp_stats_bufreq_ver == NECP_CLIENT_STATISTICS_TYPE_QUIC_CURRENT_VER)) && |
9879 | (bufreq->necp_stats_bufreq_size == sizeof(struct necp_all_stats))) { |
9880 | // There should be one and only one stats allocation per client. |
9881 | // If asked more than once, we just repeat ourselves. |
9882 | if (flow_registration->ustats_uaddr == 0) { |
9883 | mach_vm_offset_t off; |
9884 | ASSERT(flow_registration->stats_arena == NULL); |
9885 | ASSERT(flow_registration->kstats_kaddr == NULL); |
9886 | ASSERT(flow_registration->ustats_uaddr == 0); |
9887 | error = necp_arena_stats_obj_alloc(fd_data, off: &off, stats_arena: &flow_registration->stats_arena, kstats_kaddr: &flow_registration->kstats_kaddr, FALSE); |
9888 | if (error == 0) { |
9889 | // upon success, hold a reference for the client; this is released when the client is removed/closed |
9890 | ASSERT(flow_registration->stats_arena != NULL); |
9891 | necp_arena_info_retain(nai: flow_registration->stats_arena); |
9892 | |
9893 | // compute user address based on mapping info and object offset |
9894 | flow_registration->ustats_uaddr = flow_registration->stats_arena->nai_mmap.ami_mapaddr + off; |
9895 | |
9896 | // add to collect_stats list |
9897 | NECP_STATS_LIST_LOCK_EXCLUSIVE(); |
9898 | necp_client_retain_locked(client); // Add a reference to the client |
9899 | LIST_INSERT_HEAD(&necp_collect_stats_flow_list, flow_registration, collect_stats_chain); |
9900 | NECP_STATS_LIST_UNLOCK(); |
9901 | necp_schedule_collect_stats_clients(FALSE); |
9902 | } else { |
9903 | ASSERT(flow_registration->stats_arena == NULL); |
9904 | ASSERT(flow_registration->kstats_kaddr == NULL); |
9905 | } |
9906 | } |
9907 | if (flow_registration->ustats_uaddr != 0) { |
9908 | ASSERT(error == 0); |
9909 | ASSERT(flow_registration->stats_arena != NULL); |
9910 | ASSERT(flow_registration->kstats_kaddr != NULL); |
9911 | |
9912 | struct necp_all_kstats *kstats = (struct necp_all_kstats *)flow_registration->kstats_kaddr; |
9913 | kstats->necp_stats_ustats->all_stats_u.tcp_stats.necp_tcp_hdr.necp_stats_type = bufreq->necp_stats_bufreq_type; |
9914 | kstats->necp_stats_ustats->all_stats_u.tcp_stats.necp_tcp_hdr.necp_stats_ver = bufreq->necp_stats_bufreq_ver; |
9915 | |
9916 | if (out_header) { |
9917 | out_header->necp_stats_type = bufreq->necp_stats_bufreq_type; |
9918 | out_header->necp_stats_ver = bufreq->necp_stats_bufreq_ver; |
9919 | } |
9920 | |
9921 | bufreq->necp_stats_bufreq_uaddr = flow_registration->ustats_uaddr; |
9922 | } |
9923 | } else { |
9924 | error = EINVAL; |
9925 | } |
9926 | |
9927 | return error; |
9928 | } |
9929 | |
9930 | static int |
9931 | necp_client_stats_initial(struct necp_client_flow_registration *flow_registration, uint32_t stats_type, uint32_t stats_ver) |
9932 | { |
9933 | // An attempted create |
9934 | assert(flow_registration->stats_handler_context == NULL); |
9935 | assert(flow_registration->stats_arena); |
9936 | assert(flow_registration->ustats_uaddr); |
9937 | assert(flow_registration->kstats_kaddr); |
9938 | |
9939 | int error = 0; |
9940 | uint64_t ntstat_properties = necp_find_netstat_initial_properties(client: flow_registration->client); |
9941 | |
9942 | switch (stats_type) { |
9943 | case NECP_CLIENT_STATISTICS_TYPE_TCP: { |
9944 | if (stats_ver == NECP_CLIENT_STATISTICS_TYPE_TCP_VER_1) { |
9945 | flow_registration->stats_handler_context = ntstat_userland_stats_open(ctx: (userland_stats_provider_context *)flow_registration, |
9946 | provider_id: NSTAT_PROVIDER_TCP_USERLAND, properties: ntstat_properties, req_fn: necp_request_tcp_netstats, req_extension_fn: necp_find_extension_info); |
9947 | if (flow_registration->stats_handler_context == NULL) { |
9948 | error = EIO; |
9949 | } |
9950 | } else { |
9951 | error = ENOTSUP; |
9952 | } |
9953 | break; |
9954 | } |
9955 | case NECP_CLIENT_STATISTICS_TYPE_UDP: { |
9956 | if (stats_ver == NECP_CLIENT_STATISTICS_TYPE_UDP_VER_1) { |
9957 | flow_registration->stats_handler_context = ntstat_userland_stats_open(ctx: (userland_stats_provider_context *)flow_registration, |
9958 | provider_id: NSTAT_PROVIDER_UDP_USERLAND, properties: ntstat_properties, req_fn: necp_request_udp_netstats, req_extension_fn: necp_find_extension_info); |
9959 | if (flow_registration->stats_handler_context == NULL) { |
9960 | error = EIO; |
9961 | } |
9962 | } else { |
9963 | error = ENOTSUP; |
9964 | } |
9965 | break; |
9966 | } |
9967 | case NECP_CLIENT_STATISTICS_TYPE_QUIC: { |
9968 | if (stats_ver == NECP_CLIENT_STATISTICS_TYPE_QUIC_VER_1 && flow_registration->flags & NECP_CLIENT_FLOW_FLAGS_ALLOW_NEXUS) { |
9969 | flow_registration->stats_handler_context = ntstat_userland_stats_open(ctx: (userland_stats_provider_context *)flow_registration, |
9970 | provider_id: NSTAT_PROVIDER_QUIC_USERLAND, properties: ntstat_properties, req_fn: necp_request_quic_netstats, req_extension_fn: necp_find_extension_info); |
9971 | if (flow_registration->stats_handler_context == NULL) { |
9972 | error = EIO; |
9973 | } |
9974 | } else { |
9975 | error = ENOTSUP; |
9976 | } |
9977 | break; |
9978 | } |
9979 | default: { |
9980 | error = ENOTSUP; |
9981 | break; |
9982 | } |
9983 | } |
9984 | return error; |
9985 | } |
9986 | |
9987 | static int |
9988 | necp_stats_initialize(struct necp_fd_data *fd_data, |
9989 | struct necp_client *client, |
9990 | struct necp_client_flow_registration *flow_registration, |
9991 | struct necp_stats_bufreq *bufreq) |
9992 | { |
9993 | int error = 0; |
9994 | struct necp_stats_hdr stats_hdr = {}; |
9995 | |
9996 | NECP_CLIENT_ASSERT_LOCKED(client); |
9997 | NECP_FD_ASSERT_LOCKED(fd_data); |
9998 | VERIFY(fd_data->stats_arena_active != NULL); |
9999 | VERIFY(fd_data->stats_arena_active->nai_arena != NULL); |
10000 | VERIFY(!(fd_data->stats_arena_active->nai_flags & (NAIF_REDIRECT | NAIF_DEFUNCT))); |
10001 | |
10002 | if (bufreq == NULL) { |
10003 | return EINVAL; |
10004 | } |
10005 | |
10006 | // Setup stats region |
10007 | error = necp_client_stats_bufreq(fd_data, client, flow_registration, bufreq, out_header: &stats_hdr); |
10008 | if (error) { |
10009 | return error; |
10010 | } |
10011 | // Notify ntstat about new flow |
10012 | if (flow_registration->stats_handler_context == NULL) { |
10013 | error = necp_client_stats_initial(flow_registration, stats_type: stats_hdr.necp_stats_type, stats_ver: stats_hdr.necp_stats_ver); |
10014 | if (flow_registration->stats_handler_context != NULL) { |
10015 | ntstat_userland_stats_event(nstat_ctx: flow_registration->stats_handler_context, NECP_CLIENT_STATISTICS_EVENT_INIT); |
10016 | } |
10017 | NECP_CLIENT_FLOW_LOG(client, flow_registration, "Initialized stats <error %d>" , error); |
10018 | } |
10019 | |
10020 | return error; |
10021 | } |
10022 | |
10023 | static NECP_CLIENT_ACTION_FUNCTION int |
10024 | necp_client_map_sysctls(__unused struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
10025 | { |
10026 | int result = 0; |
10027 | if (!retval) { |
10028 | retval = &result; |
10029 | } |
10030 | |
10031 | do { |
10032 | mach_vm_address_t uaddr = 0; |
10033 | if (uap->buffer_size != sizeof(uaddr)) { |
10034 | *retval = EINVAL; |
10035 | break; |
10036 | } |
10037 | |
10038 | *retval = necp_sysctl_arena_initialize(fd_data, false); |
10039 | if (*retval != 0) { |
10040 | break; |
10041 | } |
10042 | |
10043 | mach_vm_offset_t off = 0; |
10044 | void *location = NULL; |
10045 | NECP_FD_LOCK(fd_data); |
10046 | location = necp_arena_sysctls_obj(fd_data, off: &off, NULL); |
10047 | NECP_FD_UNLOCK(fd_data); |
10048 | |
10049 | if (location == NULL) { |
10050 | *retval = ENOENT; |
10051 | break; |
10052 | } |
10053 | |
10054 | uaddr = fd_data->sysctl_mmap.ami_mapaddr + off; |
10055 | *retval = copyout(&uaddr, uap->buffer, sizeof(uaddr)); |
10056 | } while (false); |
10057 | |
10058 | return *retval; |
10059 | } |
10060 | |
10061 | #endif /* !SKYWALK */ |
10062 | |
10063 | static NECP_CLIENT_ACTION_FUNCTION int |
10064 | necp_client_copy_route_statistics(__unused struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
10065 | { |
10066 | int error = 0; |
10067 | struct necp_client *client = NULL; |
10068 | uuid_t client_id; |
10069 | |
10070 | if (uap->client_id == 0 || uap->client_id_len != sizeof(uuid_t) || |
10071 | uap->buffer_size < sizeof(struct necp_stat_counts) || uap->buffer == 0) { |
10072 | NECPLOG0(LOG_ERR, "necp_client_copy_route_statistics bad input" ); |
10073 | error = EINVAL; |
10074 | goto done; |
10075 | } |
10076 | |
10077 | error = copyin(uap->client_id, client_id, sizeof(uuid_t)); |
10078 | if (error) { |
10079 | NECPLOG(LOG_ERR, "necp_client_copy_route_statistics copyin client_id error (%d)" , error); |
10080 | goto done; |
10081 | } |
10082 | |
10083 | // Lock |
10084 | NECP_FD_LOCK(fd_data); |
10085 | client = necp_client_fd_find_client_and_lock(client_fd: fd_data, client_id); |
10086 | if (client != NULL) { |
10087 | NECP_CLIENT_ROUTE_LOCK(client); |
10088 | struct necp_stat_counts route_stats = {}; |
10089 | if (client->current_route != NULL && client->current_route->rt_stats != NULL) { |
10090 | struct nstat_counts *rt_stats = client->current_route->rt_stats; |
10091 | route_stats.necp_stat_rxpackets = os_atomic_load(&rt_stats->nstat_rxpackets, relaxed); |
10092 | route_stats.necp_stat_rxbytes = os_atomic_load(&rt_stats->nstat_rxbytes, relaxed); |
10093 | route_stats.necp_stat_txpackets = os_atomic_load(&rt_stats->nstat_txpackets, relaxed); |
10094 | route_stats.necp_stat_txbytes = os_atomic_load(&rt_stats->nstat_txbytes, relaxed); |
10095 | route_stats.necp_stat_rxduplicatebytes = rt_stats->nstat_rxduplicatebytes; |
10096 | route_stats.necp_stat_rxoutoforderbytes = rt_stats->nstat_rxoutoforderbytes; |
10097 | route_stats.necp_stat_txretransmit = rt_stats->nstat_txretransmit; |
10098 | route_stats.necp_stat_connectattempts = rt_stats->nstat_connectattempts; |
10099 | route_stats.necp_stat_connectsuccesses = rt_stats->nstat_connectsuccesses; |
10100 | route_stats.necp_stat_min_rtt = rt_stats->nstat_min_rtt; |
10101 | route_stats.necp_stat_avg_rtt = rt_stats->nstat_avg_rtt; |
10102 | route_stats.necp_stat_var_rtt = rt_stats->nstat_var_rtt; |
10103 | route_stats.necp_stat_route_flags = client->current_route->rt_flags; |
10104 | } |
10105 | |
10106 | // Unlock before copying out |
10107 | NECP_CLIENT_ROUTE_UNLOCK(client); |
10108 | NECP_CLIENT_UNLOCK(client); |
10109 | NECP_FD_UNLOCK(fd_data); |
10110 | |
10111 | error = copyout(&route_stats, uap->buffer, sizeof(route_stats)); |
10112 | if (error) { |
10113 | NECPLOG(LOG_ERR, "necp_client_copy_route_statistics copyout error (%d)" , error); |
10114 | } |
10115 | } else { |
10116 | // Unlock |
10117 | NECP_FD_UNLOCK(fd_data); |
10118 | error = ENOENT; |
10119 | } |
10120 | |
10121 | |
10122 | done: |
10123 | *retval = error; |
10124 | return error; |
10125 | } |
10126 | |
10127 | static NECP_CLIENT_ACTION_FUNCTION int |
10128 | necp_client_update_cache(struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
10129 | { |
10130 | int error = 0; |
10131 | struct necp_client *client = NULL; |
10132 | uuid_t client_id; |
10133 | |
10134 | if (uap->client_id == 0 || uap->client_id_len != sizeof(uuid_t)) { |
10135 | error = EINVAL; |
10136 | goto done; |
10137 | } |
10138 | |
10139 | error = copyin(uap->client_id, client_id, sizeof(uuid_t)); |
10140 | if (error) { |
10141 | NECPLOG(LOG_ERR, "necp_client_update_cache copyin client_id error (%d)" , error); |
10142 | goto done; |
10143 | } |
10144 | |
10145 | NECP_FD_LOCK(fd_data); |
10146 | client = necp_client_fd_find_client_and_lock(client_fd: fd_data, client_id); |
10147 | if (client == NULL) { |
10148 | NECP_FD_UNLOCK(fd_data); |
10149 | error = ENOENT; |
10150 | goto done; |
10151 | } |
10152 | |
10153 | struct necp_client_flow_registration *flow_registration = necp_client_find_flow(client, flow_id: client_id); |
10154 | if (flow_registration == NULL) { |
10155 | NECP_CLIENT_UNLOCK(client); |
10156 | NECP_FD_UNLOCK(fd_data); |
10157 | error = ENOENT; |
10158 | goto done; |
10159 | } |
10160 | |
10161 | NECP_CLIENT_ROUTE_LOCK(client); |
10162 | // This needs to be changed when TFO/ECN is supported by multiple flows |
10163 | struct necp_client_flow *flow = LIST_FIRST(&flow_registration->flow_list); |
10164 | if (flow == NULL || |
10165 | (flow->remote_addr.sa.sa_family != AF_INET && |
10166 | flow->remote_addr.sa.sa_family != AF_INET6) || |
10167 | (flow->local_addr.sa.sa_family != AF_INET && |
10168 | flow->local_addr.sa.sa_family != AF_INET6)) { |
10169 | error = EINVAL; |
10170 | NECPLOG(LOG_ERR, "necp_client_update_cache no flow error (%d)" , error); |
10171 | goto done_unlock; |
10172 | } |
10173 | |
10174 | necp_cache_buffer cache_buffer; |
10175 | memset(s: &cache_buffer, c: 0, n: sizeof(cache_buffer)); |
10176 | |
10177 | if (uap->buffer_size != sizeof(necp_cache_buffer) || |
10178 | uap->buffer == USER_ADDR_NULL) { |
10179 | error = EINVAL; |
10180 | goto done_unlock; |
10181 | } |
10182 | |
10183 | error = copyin(uap->buffer, &cache_buffer, sizeof(cache_buffer)); |
10184 | if (error) { |
10185 | NECPLOG(LOG_ERR, "necp_client_update_cache copyin cache buffer error (%d)" , error); |
10186 | goto done_unlock; |
10187 | } |
10188 | |
10189 | if (cache_buffer.necp_cache_buf_type == NECP_CLIENT_CACHE_TYPE_ECN && |
10190 | cache_buffer.necp_cache_buf_ver == NECP_CLIENT_CACHE_TYPE_ECN_VER_1) { |
10191 | if (cache_buffer.necp_cache_buf_size != sizeof(necp_tcp_ecn_cache) || |
10192 | cache_buffer.necp_cache_buf_addr == USER_ADDR_NULL) { |
10193 | error = EINVAL; |
10194 | goto done_unlock; |
10195 | } |
10196 | |
10197 | necp_tcp_ecn_cache ecn_cache_buffer; |
10198 | memset(s: &ecn_cache_buffer, c: 0, n: sizeof(ecn_cache_buffer)); |
10199 | |
10200 | error = copyin(cache_buffer.necp_cache_buf_addr, &ecn_cache_buffer, sizeof(necp_tcp_ecn_cache)); |
10201 | if (error) { |
10202 | NECPLOG(LOG_ERR, "necp_client_update_cache copyin ecn cache buffer error (%d)" , error); |
10203 | goto done_unlock; |
10204 | } |
10205 | |
10206 | if (client->current_route != NULL && client->current_route->rt_ifp != NULL) { |
10207 | if (!client->platform_binary) { |
10208 | ecn_cache_buffer.necp_tcp_ecn_heuristics_success = 0; |
10209 | } |
10210 | tcp_heuristics_ecn_update(necp_buffer: &ecn_cache_buffer, ifp: client->current_route->rt_ifp, |
10211 | local_address: (union sockaddr_in_4_6 *)&flow->local_addr); |
10212 | } |
10213 | } else if (cache_buffer.necp_cache_buf_type == NECP_CLIENT_CACHE_TYPE_TFO && |
10214 | cache_buffer.necp_cache_buf_ver == NECP_CLIENT_CACHE_TYPE_TFO_VER_1) { |
10215 | if (cache_buffer.necp_cache_buf_size != sizeof(necp_tcp_tfo_cache) || |
10216 | cache_buffer.necp_cache_buf_addr == USER_ADDR_NULL) { |
10217 | error = EINVAL; |
10218 | goto done_unlock; |
10219 | } |
10220 | |
10221 | necp_tcp_tfo_cache tfo_cache_buffer; |
10222 | memset(s: &tfo_cache_buffer, c: 0, n: sizeof(tfo_cache_buffer)); |
10223 | |
10224 | error = copyin(cache_buffer.necp_cache_buf_addr, &tfo_cache_buffer, sizeof(necp_tcp_tfo_cache)); |
10225 | if (error) { |
10226 | NECPLOG(LOG_ERR, "necp_client_update_cache copyin tfo cache buffer error (%d)" , error); |
10227 | goto done_unlock; |
10228 | } |
10229 | |
10230 | if (client->current_route != NULL && client->current_route->rt_ifp != NULL) { |
10231 | if (!client->platform_binary) { |
10232 | tfo_cache_buffer.necp_tcp_tfo_heuristics_success = 0; |
10233 | } |
10234 | tcp_heuristics_tfo_update(necp_buffer: &tfo_cache_buffer, ifp: client->current_route->rt_ifp, |
10235 | local_address: (union sockaddr_in_4_6 *)&flow->local_addr, |
10236 | remote_address: (union sockaddr_in_4_6 *)&flow->remote_addr); |
10237 | } |
10238 | } else { |
10239 | error = EINVAL; |
10240 | } |
10241 | done_unlock: |
10242 | NECP_CLIENT_ROUTE_UNLOCK(client); |
10243 | NECP_CLIENT_UNLOCK(client); |
10244 | NECP_FD_UNLOCK(fd_data); |
10245 | done: |
10246 | *retval = error; |
10247 | return error; |
10248 | } |
10249 | |
10250 | // Most results will fit into this size |
10251 | struct necp_client_signable_default { |
10252 | uuid_t client_id; |
10253 | u_int32_t sign_type; |
10254 | u_int8_t signable_data[NECP_CLIENT_ACTION_SIGN_DEFAULT_DATA_LENGTH]; |
10255 | } __attribute__((__packed__)); |
10256 | |
10257 | static NECP_CLIENT_ACTION_FUNCTION int |
10258 | necp_client_sign(__unused struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
10259 | { |
10260 | int error = 0; |
10261 | u_int8_t tag[NECP_CLIENT_ACTION_SIGN_TAG_LENGTH] = {}; |
10262 | struct necp_client_signable *signable = NULL; |
10263 | struct necp_client_signable *allocated_signable = NULL; |
10264 | struct necp_client_signable_default default_signable = {}; |
10265 | size_t tag_size = sizeof(tag); |
10266 | |
10267 | const size_t signable_length = uap->client_id_len; |
10268 | const size_t return_tag_length = uap->buffer_size; |
10269 | |
10270 | *retval = 0; |
10271 | |
10272 | const bool has_resolver_entitlement = (priv_check_cred(cred: kauth_cred_get(), PRIV_NET_VALIDATED_RESOLVER, flags: 0) == 0); |
10273 | if (!has_resolver_entitlement) { |
10274 | NECPLOG0(LOG_ERR, "Process does not hold the necessary entitlement to sign resolver answers" ); |
10275 | error = EPERM; |
10276 | goto done; |
10277 | } |
10278 | |
10279 | if (uap->client_id == 0 || signable_length < sizeof(*signable) || signable_length > NECP_CLIENT_ACTION_SIGN_MAX_TOTAL_LENGTH) { |
10280 | error = EINVAL; |
10281 | goto done; |
10282 | } |
10283 | |
10284 | if (uap->buffer == 0 || return_tag_length != NECP_CLIENT_ACTION_SIGN_TAG_LENGTH) { |
10285 | error = EINVAL; |
10286 | goto done; |
10287 | } |
10288 | |
10289 | if (signable_length <= sizeof(default_signable)) { |
10290 | signable = (struct necp_client_signable *)&default_signable; |
10291 | } else { |
10292 | if ((allocated_signable = (struct necp_client_signable *)kalloc_data(signable_length, Z_WAITOK | Z_ZERO)) == NULL) { |
10293 | NECPLOG(LOG_ERR, "necp_client_sign allocate signable %zu failed" , signable_length); |
10294 | error = ENOMEM; |
10295 | goto done; |
10296 | } |
10297 | signable = allocated_signable; |
10298 | } |
10299 | |
10300 | error = copyin(uap->client_id, signable, signable_length); |
10301 | if (error) { |
10302 | NECPLOG(LOG_ERR, "necp_client_sign copyin signable error (%d)" , error); |
10303 | goto done; |
10304 | } |
10305 | |
10306 | size_t data_length = 0; |
10307 | switch (signable->sign_type) { |
10308 | case NECP_CLIENT_SIGN_TYPE_RESOLVER_ANSWER: |
10309 | case NECP_CLIENT_SIGN_TYPE_SYSTEM_RESOLVER_ANSWER: { |
10310 | data_length = (sizeof(struct necp_client_host_resolver_answer) - sizeof(struct necp_client_signable)); |
10311 | if (signable_length < (sizeof(struct necp_client_signable) + data_length)) { |
10312 | error = EINVAL; |
10313 | goto done; |
10314 | } |
10315 | struct necp_client_host_resolver_answer *signable_struct = (struct necp_client_host_resolver_answer *)signable; |
10316 | if (signable_struct->hostname_length > NECP_CLIENT_ACTION_SIGN_MAX_STRING_LENGTH || |
10317 | signable_length != (sizeof(struct necp_client_signable) + data_length + signable_struct->hostname_length)) { |
10318 | error = EINVAL; |
10319 | goto done; |
10320 | } |
10321 | data_length += signable_struct->hostname_length; |
10322 | break; |
10323 | } |
10324 | case NECP_CLIENT_SIGN_TYPE_BROWSE_RESULT: |
10325 | case NECP_CLIENT_SIGN_TYPE_SYSTEM_BROWSE_RESULT: { |
10326 | data_length = (sizeof(struct necp_client_browse_result) - sizeof(struct necp_client_signable)); |
10327 | if (signable_length < (sizeof(struct necp_client_signable) + data_length)) { |
10328 | error = EINVAL; |
10329 | goto done; |
10330 | } |
10331 | struct necp_client_browse_result *signable_struct = (struct necp_client_browse_result *)signable; |
10332 | if (signable_struct->service_length > NECP_CLIENT_ACTION_SIGN_MAX_STRING_LENGTH || |
10333 | signable_length != (sizeof(struct necp_client_signable) + data_length + signable_struct->service_length)) { |
10334 | error = EINVAL; |
10335 | goto done; |
10336 | } |
10337 | data_length += signable_struct->service_length; |
10338 | break; |
10339 | } |
10340 | case NECP_CLIENT_SIGN_TYPE_SERVICE_RESOLVER_ANSWER: |
10341 | case NECP_CLIENT_SIGN_TYPE_SYSTEM_SERVICE_RESOLVER_ANSWER: { |
10342 | data_length = (sizeof(struct necp_client_service_resolver_answer) - sizeof(struct necp_client_signable)); |
10343 | if (signable_length < (sizeof(struct necp_client_signable) + data_length)) { |
10344 | error = EINVAL; |
10345 | goto done; |
10346 | } |
10347 | struct necp_client_service_resolver_answer *signable_struct = (struct necp_client_service_resolver_answer *)signable; |
10348 | if (signable_struct->service_length > NECP_CLIENT_ACTION_SIGN_MAX_STRING_LENGTH || |
10349 | signable_struct->hostname_length > NECP_CLIENT_ACTION_SIGN_MAX_STRING_LENGTH || |
10350 | signable_length != (sizeof(struct necp_client_signable) + data_length + signable_struct->service_length + signable_struct->hostname_length)) { |
10351 | error = EINVAL; |
10352 | goto done; |
10353 | } |
10354 | data_length += signable_struct->service_length; |
10355 | data_length += signable_struct->hostname_length; |
10356 | break; |
10357 | } |
10358 | default: { |
10359 | NECPLOG(LOG_ERR, "necp_client_sign unknown signable type (%u)" , signable->sign_type); |
10360 | error = EINVAL; |
10361 | goto done; |
10362 | } |
10363 | } |
10364 | |
10365 | error = necp_sign_resolver_answer(client_id: signable->client_id, sign_type: signable->sign_type, |
10366 | data: signable->signable_data, data_length, |
10367 | tag, out_tag_length: &tag_size); |
10368 | if (tag_size != sizeof(tag)) { |
10369 | NECPLOG(LOG_ERR, "necp_client_sign unexpected tag size %zu" , tag_size); |
10370 | error = EINVAL; |
10371 | goto done; |
10372 | } |
10373 | error = copyout(tag, uap->buffer, tag_size); |
10374 | if (error) { |
10375 | NECPLOG(LOG_ERR, "necp_client_sign copyout error (%d)" , error); |
10376 | goto done; |
10377 | } |
10378 | |
10379 | done: |
10380 | if (allocated_signable != NULL) { |
10381 | kfree_data(allocated_signable, signable_length); |
10382 | allocated_signable = NULL; |
10383 | } |
10384 | *retval = error; |
10385 | return error; |
10386 | } |
10387 | |
10388 | // Most results will fit into this size |
10389 | struct necp_client_validatable_default { |
10390 | struct necp_client_signature signature; |
10391 | struct necp_client_signable_default signable; |
10392 | } __attribute__((__packed__)); |
10393 | |
10394 | static NECP_CLIENT_ACTION_FUNCTION int |
10395 | necp_client_validate(__unused struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
10396 | { |
10397 | int error = 0; |
10398 | struct necp_client_validatable *validatable = NULL; |
10399 | struct necp_client_validatable *allocated_validatable = NULL; |
10400 | struct necp_client_validatable_default default_validatable = {}; |
10401 | |
10402 | const size_t validatable_length = uap->client_id_len; |
10403 | |
10404 | *retval = 0; |
10405 | |
10406 | const bool has_resolver_entitlement = (priv_check_cred(cred: kauth_cred_get(), PRIV_NET_VALIDATED_RESOLVER, flags: 0) == 0); |
10407 | if (!has_resolver_entitlement) { |
10408 | NECPLOG0(LOG_ERR, "Process does not hold the necessary entitlement to directly validate resolver answers" ); |
10409 | error = EPERM; |
10410 | goto done; |
10411 | } |
10412 | |
10413 | if (uap->client_id == 0 || validatable_length < sizeof(*validatable) || |
10414 | validatable_length > (NECP_CLIENT_ACTION_SIGN_MAX_TOTAL_LENGTH + NECP_CLIENT_ACTION_SIGN_TAG_LENGTH)) { |
10415 | error = EINVAL; |
10416 | goto done; |
10417 | } |
10418 | |
10419 | if (validatable_length <= sizeof(default_validatable)) { |
10420 | validatable = (struct necp_client_validatable *)&default_validatable; |
10421 | } else { |
10422 | if ((allocated_validatable = (struct necp_client_validatable *)kalloc_data(validatable_length, Z_WAITOK | Z_ZERO)) == NULL) { |
10423 | NECPLOG(LOG_ERR, "necp_client_validate allocate struct %zu failed" , validatable_length); |
10424 | error = ENOMEM; |
10425 | goto done; |
10426 | } |
10427 | validatable = allocated_validatable; |
10428 | } |
10429 | |
10430 | error = copyin(uap->client_id, validatable, validatable_length); |
10431 | if (error) { |
10432 | NECPLOG(LOG_ERR, "necp_client_validate copyin error (%d)" , error); |
10433 | goto done; |
10434 | } |
10435 | |
10436 | const bool validated = necp_validate_resolver_answer(client_id: validatable->signable.client_id, sign_type: validatable->signable.sign_type, |
10437 | data: validatable->signable.signable_data, data_length: validatable_length - sizeof(struct necp_client_validatable), |
10438 | tag: validatable->signature.signed_tag, tag_length: sizeof(validatable->signature.signed_tag)); |
10439 | if (!validated) { |
10440 | // Return EAUTH to indicate that the signature failed |
10441 | error = EAUTH; |
10442 | } |
10443 | |
10444 | done: |
10445 | if (allocated_validatable != NULL) { |
10446 | kfree_data(allocated_validatable, validatable_length); |
10447 | allocated_validatable = NULL; |
10448 | } |
10449 | *retval = error; |
10450 | return error; |
10451 | } |
10452 | |
10453 | static NECP_CLIENT_ACTION_FUNCTION int |
10454 | necp_client_get_signed_client_id(__unused struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
10455 | { |
10456 | int error = 0; |
10457 | *retval = 0; |
10458 | u_int32_t request_type = 0; |
10459 | struct necp_client_signed_client_id_uuid client_id = { 0 }; |
10460 | const size_t buffer_size = uap->buffer_size; |
10461 | u_int8_t tag[NECP_CLIENT_ACTION_SIGN_TAG_LENGTH] = {}; |
10462 | size_t tag_size = sizeof(tag); |
10463 | |
10464 | // Only allow entitled processes to get the client ID. |
10465 | proc_t proc = current_proc(); |
10466 | task_t __single task = proc_task(proc); |
10467 | bool has_delegation_entitlement = task != NULL && IOTaskHasEntitlement(task, kCSWebBrowserHostEntitlement); |
10468 | if (!has_delegation_entitlement) { |
10469 | has_delegation_entitlement = (priv_check_cred(cred: kauth_cred_get(), PRIV_NET_PRIVILEGED_SOCKET_DELEGATE, flags: 0) == 0); |
10470 | } |
10471 | if (!has_delegation_entitlement) { |
10472 | NECPLOG0(LOG_ERR, "necp_client_get_signed_client_id client lacks the necessary entitlement" ); |
10473 | error = EAUTH; |
10474 | goto done; |
10475 | } |
10476 | |
10477 | if (uap->client_id == 0 || uap->client_id_len != sizeof(u_int32_t) || |
10478 | buffer_size < sizeof(struct necp_client_signed_client_id_uuid) || |
10479 | uap->buffer == 0) { |
10480 | NECPLOG0(LOG_ERR, "necp_client_get_signed_client_id bad input" ); |
10481 | error = EINVAL; |
10482 | goto done; |
10483 | } |
10484 | |
10485 | error = copyin(uap->client_id, &request_type, sizeof(u_int32_t)); |
10486 | if (error) { |
10487 | NECPLOG(LOG_ERR, "necp_client_get_signed_client_id copyin request_type error (%d)" , error); |
10488 | goto done; |
10489 | } |
10490 | |
10491 | if (request_type != NECP_CLIENT_SIGNED_CLIENT_ID_TYPE_UUID) { |
10492 | error = ENOENT; |
10493 | NECPLOG(LOG_ERR, "necp_client_get_signed_client_id bad request_type (%d)" , request_type); |
10494 | goto done; |
10495 | } |
10496 | |
10497 | uuid_t application_uuid; |
10498 | uuid_clear(uu: application_uuid); |
10499 | proc_getexecutableuuid(proc, application_uuid, sizeof(application_uuid)); |
10500 | |
10501 | error = necp_sign_application_id(client_id: application_uuid, |
10502 | NECP_CLIENT_SIGNED_CLIENT_ID_TYPE_UUID, |
10503 | tag, out_tag_length: &tag_size); |
10504 | if (tag_size != sizeof(tag)) { |
10505 | NECPLOG(LOG_ERR, "necp_client_get_signed_client_id unexpected tag size %zu" , tag_size); |
10506 | error = EINVAL; |
10507 | goto done; |
10508 | } |
10509 | uuid_copy(dst: client_id.client_id, src: application_uuid); |
10510 | client_id.signature_length = tag_size; |
10511 | memcpy(dst: client_id.signature_data, src: tag, n: tag_size); |
10512 | |
10513 | error = copyout(&client_id, uap->buffer, sizeof(client_id)); |
10514 | if (error != 0) { |
10515 | NECPLOG(LOG_ERR, "necp_client_get_signed_client_id copyout error (%d)" , error); |
10516 | goto done; |
10517 | } |
10518 | |
10519 | done: |
10520 | *retval = error; |
10521 | return error; |
10522 | } |
10523 | |
10524 | static NECP_CLIENT_ACTION_FUNCTION int |
10525 | necp_client_set_signed_client_id(__unused struct necp_fd_data *fd_data, struct necp_client_action_args *uap, int *retval) |
10526 | { |
10527 | int error = 0; |
10528 | *retval = 0; |
10529 | u_int32_t request_type = 0; |
10530 | struct necp_client_signed_client_id_uuid client_id = { 0 }; |
10531 | const size_t buffer_size = uap->buffer_size; |
10532 | |
10533 | // Only allow entitled processes to set the client ID. |
10534 | proc_t proc = current_proc(); |
10535 | task_t __single task = proc_task(proc); |
10536 | bool has_delegation_entitlement = task != NULL && IOTaskHasEntitlement(task, kCSWebBrowserNetworkEntitlement); |
10537 | if (!has_delegation_entitlement) { |
10538 | has_delegation_entitlement = (priv_check_cred(cred: kauth_cred_get(), PRIV_NET_PRIVILEGED_SOCKET_DELEGATE, flags: 0) == 0); |
10539 | } |
10540 | if (!has_delegation_entitlement) { |
10541 | NECPLOG0(LOG_ERR, "necp_client_set_signed_client_id client lacks the necessary entitlement" ); |
10542 | error = EAUTH; |
10543 | goto done; |
10544 | } |
10545 | |
10546 | if (uap->client_id == 0 || uap->client_id_len != sizeof(u_int32_t) || |
10547 | buffer_size < sizeof(struct necp_client_signed_client_id_uuid) || |
10548 | uap->buffer == 0) { |
10549 | NECPLOG0(LOG_ERR, "necp_client_set_signed_client_id bad input" ); |
10550 | error = EINVAL; |
10551 | goto done; |
10552 | } |
10553 | |
10554 | error = copyin(uap->client_id, &request_type, sizeof(u_int32_t)); |
10555 | if (error) { |
10556 | NECPLOG(LOG_ERR, "necp_client_set_signed_client_id copyin request_type error (%d)" , error); |
10557 | goto done; |
10558 | } |
10559 | |
10560 | if (request_type != NECP_CLIENT_SIGNED_CLIENT_ID_TYPE_UUID) { |
10561 | error = ENOENT; |
10562 | NECPLOG(LOG_ERR, "necp_client_set_signed_client_id bad request_type (%d)" , request_type); |
10563 | goto done; |
10564 | } |
10565 | |
10566 | error = copyin(uap->buffer, &client_id, sizeof(struct necp_client_signed_client_id_uuid)); |
10567 | if (error) { |
10568 | NECPLOG(LOG_ERR, "necp_client_set_signed_client_id copyin request error (%d)" , error); |
10569 | goto done; |
10570 | } |
10571 | |
10572 | const bool validated = necp_validate_application_id(client_id: client_id.client_id, |
10573 | NECP_CLIENT_SIGNED_CLIENT_ID_TYPE_UUID, |
10574 | tag: client_id.signature_data, tag_length: sizeof(client_id.signature_data)); |
10575 | if (!validated) { |
10576 | // Return EAUTH to indicate that the signature failed |
10577 | error = EAUTH; |
10578 | NECPLOG(LOG_ERR, "necp_client_set_signed_client_id signature validation failed (%d)" , error); |
10579 | goto done; |
10580 | } |
10581 | |
10582 | proc_setresponsibleuuid(target_proc: proc, responsible_uuid: client_id.client_id, size: sizeof(client_id.client_id)); |
10583 | |
10584 | done: |
10585 | *retval = error; |
10586 | return error; |
10587 | } |
10588 | |
10589 | int |
10590 | necp_client_action(struct proc *p, struct necp_client_action_args *uap, int *retval) |
10591 | { |
10592 | struct fileproc *fp; |
10593 | int error = 0; |
10594 | int return_value = 0; |
10595 | struct necp_fd_data *fd_data = NULL; |
10596 | |
10597 | error = necp_find_fd_data(p, fd: uap->necp_fd, fpp: &fp, fd_data: &fd_data); |
10598 | if (error != 0) { |
10599 | NECPLOG(LOG_ERR, "necp_client_action find fd error (%d)" , error); |
10600 | return error; |
10601 | } |
10602 | |
10603 | u_int32_t action = uap->action; |
10604 | |
10605 | #if CONFIG_MACF |
10606 | error = mac_necp_check_client_action(proc: p, fg: fp->fp_glob, action); |
10607 | if (error) { |
10608 | return_value = error; |
10609 | goto done; |
10610 | } |
10611 | #endif /* MACF */ |
10612 | |
10613 | switch (action) { |
10614 | case NECP_CLIENT_ACTION_ADD: { |
10615 | return_value = necp_client_add(p, fd_data, uap, retval); |
10616 | break; |
10617 | } |
10618 | case NECP_CLIENT_ACTION_CLAIM: { |
10619 | return_value = necp_client_claim(p, fd_data, uap, retval); |
10620 | break; |
10621 | } |
10622 | case NECP_CLIENT_ACTION_REMOVE: { |
10623 | return_value = necp_client_remove(fd_data, uap, retval); |
10624 | break; |
10625 | } |
10626 | case NECP_CLIENT_ACTION_COPY_PARAMETERS: |
10627 | case NECP_CLIENT_ACTION_COPY_RESULT: |
10628 | case NECP_CLIENT_ACTION_COPY_UPDATED_RESULT: { |
10629 | return_value = necp_client_copy(fd_data, uap, retval); |
10630 | break; |
10631 | } |
10632 | case NECP_CLIENT_ACTION_COPY_LIST: { |
10633 | return_value = necp_client_list(fd_data, uap, retval); |
10634 | break; |
10635 | } |
10636 | case NECP_CLIENT_ACTION_ADD_FLOW: { |
10637 | return_value = necp_client_add_flow(fd_data, uap, retval); |
10638 | break; |
10639 | } |
10640 | case NECP_CLIENT_ACTION_REMOVE_FLOW: { |
10641 | return_value = necp_client_remove_flow(fd_data, uap, retval); |
10642 | break; |
10643 | } |
10644 | #if SKYWALK |
10645 | case NECP_CLIENT_ACTION_REQUEST_NEXUS_INSTANCE: { |
10646 | return_value = necp_client_request_nexus(fd_data, uap, retval); |
10647 | break; |
10648 | } |
10649 | #endif /* !SKYWALK */ |
10650 | case NECP_CLIENT_ACTION_AGENT: { |
10651 | return_value = necp_client_agent_action(fd_data, uap, retval); |
10652 | break; |
10653 | } |
10654 | case NECP_CLIENT_ACTION_COPY_AGENT: { |
10655 | return_value = necp_client_copy_agent(fd_data, uap, retval); |
10656 | break; |
10657 | } |
10658 | case NECP_CLIENT_ACTION_AGENT_USE: { |
10659 | return_value = necp_client_agent_use(fd_data, uap, retval); |
10660 | break; |
10661 | } |
10662 | case NECP_CLIENT_ACTION_ACQUIRE_AGENT_TOKEN: { |
10663 | return_value = necp_client_acquire_agent_token(fd_data, uap, retval); |
10664 | break; |
10665 | } |
10666 | case NECP_CLIENT_ACTION_COPY_INTERFACE: { |
10667 | return_value = necp_client_copy_interface(fd_data, uap, retval); |
10668 | break; |
10669 | } |
10670 | #if SKYWALK |
10671 | case NECP_CLIENT_ACTION_GET_INTERFACE_ADDRESS: { |
10672 | return_value = necp_client_get_interface_address(fd_data, uap, retval); |
10673 | break; |
10674 | } |
10675 | case NECP_CLIENT_ACTION_SET_STATISTICS: { |
10676 | return_value = ENOTSUP; |
10677 | break; |
10678 | } |
10679 | case NECP_CLIENT_ACTION_MAP_SYSCTLS: { |
10680 | return_value = necp_client_map_sysctls(fd_data, uap, retval); |
10681 | break; |
10682 | } |
10683 | #endif /* !SKYWALK */ |
10684 | case NECP_CLIENT_ACTION_COPY_ROUTE_STATISTICS: { |
10685 | return_value = necp_client_copy_route_statistics(fd_data, uap, retval); |
10686 | break; |
10687 | } |
10688 | case NECP_CLIENT_ACTION_UPDATE_CACHE: { |
10689 | return_value = necp_client_update_cache(fd_data, uap, retval); |
10690 | break; |
10691 | } |
10692 | case NECP_CLIENT_ACTION_COPY_CLIENT_UPDATE: { |
10693 | return_value = necp_client_copy_client_update(fd_data, uap, retval); |
10694 | break; |
10695 | } |
10696 | case NECP_CLIENT_ACTION_SIGN: { |
10697 | return_value = necp_client_sign(fd_data, uap, retval); |
10698 | break; |
10699 | } |
10700 | case NECP_CLIENT_ACTION_VALIDATE: { |
10701 | return_value = necp_client_validate(fd_data, uap, retval); |
10702 | break; |
10703 | } |
10704 | case NECP_CLIENT_ACTION_GET_SIGNED_CLIENT_ID: { |
10705 | return_value = necp_client_get_signed_client_id(fd_data, uap, retval); |
10706 | break; |
10707 | } |
10708 | case NECP_CLIENT_ACTION_SET_SIGNED_CLIENT_ID: { |
10709 | return_value = necp_client_set_signed_client_id(fd_data, uap, retval); |
10710 | break; |
10711 | } |
10712 | default: { |
10713 | NECPLOG(LOG_ERR, "necp_client_action unknown action (%u)" , action); |
10714 | return_value = EINVAL; |
10715 | break; |
10716 | } |
10717 | } |
10718 | |
10719 | done: |
10720 | fp_drop(p, fd: uap->necp_fd, fp, locked: 0); |
10721 | return return_value; |
10722 | } |
10723 | |
10724 | #define NECP_MAX_MATCH_POLICY_PARAMETER_SIZE 1024 |
10725 | |
10726 | int |
10727 | necp_match_policy(struct proc *p, struct necp_match_policy_args *uap, int32_t *retval) |
10728 | { |
10729 | #pragma unused(retval) |
10730 | u_int8_t *parameters = NULL; |
10731 | struct necp_aggregate_result returned_result; |
10732 | int error = 0; |
10733 | |
10734 | if (uap == NULL) { |
10735 | error = EINVAL; |
10736 | goto done; |
10737 | } |
10738 | |
10739 | if (uap->parameters == 0 || uap->parameters_size == 0 || uap->parameters_size > NECP_MAX_MATCH_POLICY_PARAMETER_SIZE || uap->returned_result == 0) { |
10740 | error = EINVAL; |
10741 | goto done; |
10742 | } |
10743 | |
10744 | parameters = (u_int8_t *)kalloc_data(uap->parameters_size, Z_WAITOK | Z_ZERO); |
10745 | if (parameters == NULL) { |
10746 | error = ENOMEM; |
10747 | goto done; |
10748 | } |
10749 | // Copy parameters in |
10750 | error = copyin(uap->parameters, parameters, uap->parameters_size); |
10751 | if (error) { |
10752 | goto done; |
10753 | } |
10754 | |
10755 | error = necp_application_find_policy_match_internal(proc: p, parameters, parameters_size: uap->parameters_size, |
10756 | returned_result: &returned_result, NULL, NULL, required_interface_index: 0, NULL, NULL, NULL, NULL, NULL, false, false, NULL); |
10757 | if (error) { |
10758 | goto done; |
10759 | } |
10760 | |
10761 | // Copy return value back |
10762 | error = copyout(&returned_result, uap->returned_result, sizeof(struct necp_aggregate_result)); |
10763 | if (error) { |
10764 | goto done; |
10765 | } |
10766 | done: |
10767 | if (parameters != NULL) { |
10768 | kfree_data(parameters, uap->parameters_size); |
10769 | } |
10770 | return error; |
10771 | } |
10772 | |
10773 | /// Socket operations |
10774 | |
10775 | static errno_t |
10776 | necp_set_socket_attribute(u_int8_t *buffer, size_t buffer_length, u_int8_t type, char **buffer_p, bool *single_tlv) |
10777 | { |
10778 | int error = 0; |
10779 | int cursor = 0; |
10780 | size_t string_size = 0; |
10781 | char *local_string = NULL; |
10782 | u_int8_t *value = NULL; |
10783 | char *buffer_to_free = NULL; |
10784 | |
10785 | cursor = necp_buffer_find_tlv(buffer, buffer_length, offset: 0, type, NULL, next: 0); |
10786 | if (cursor < 0) { |
10787 | // This will clear out the parameter |
10788 | goto done; |
10789 | } |
10790 | |
10791 | string_size = necp_buffer_get_tlv_length(buffer, tlv_offset: cursor); |
10792 | if (single_tlv != NULL && (buffer_length == sizeof(struct necp_tlv_header) + string_size)) { |
10793 | *single_tlv = true; |
10794 | } |
10795 | if (string_size == 0 || string_size > NECP_MAX_SOCKET_ATTRIBUTE_STRING_LENGTH) { |
10796 | // This will clear out the parameter |
10797 | goto done; |
10798 | } |
10799 | |
10800 | local_string = (char *)kalloc_data(string_size + 1, Z_WAITOK | Z_ZERO); |
10801 | if (local_string == NULL) { |
10802 | NECPLOG(LOG_ERR, "Failed to allocate a socket attribute buffer (size %zu)" , string_size); |
10803 | goto fail; |
10804 | } |
10805 | |
10806 | value = necp_buffer_get_tlv_value(buffer, tlv_offset: cursor, NULL); |
10807 | if (value == NULL) { |
10808 | NECPLOG0(LOG_ERR, "Failed to get socket attribute" ); |
10809 | goto fail; |
10810 | } |
10811 | |
10812 | memcpy(dst: local_string, src: value, n: string_size); |
10813 | local_string[string_size] = 0; |
10814 | |
10815 | done: |
10816 | buffer_to_free = *buffer_p; |
10817 | |
10818 | // Protect switching of buffer pointer |
10819 | necp_lock_socket_attributes(); |
10820 | *buffer_p = local_string; |
10821 | necp_unlock_socket_attributes(); |
10822 | |
10823 | if (buffer_to_free != NULL) { |
10824 | kfree_data_addr(buffer_to_free); |
10825 | } |
10826 | return 0; |
10827 | fail: |
10828 | if (local_string != NULL) { |
10829 | kfree_data(local_string, string_size + 1); |
10830 | } |
10831 | return error; |
10832 | } |
10833 | |
10834 | errno_t |
10835 | necp_set_socket_attributes(struct inp_necp_attributes *attributes, struct sockopt *sopt) |
10836 | { |
10837 | int error = 0; |
10838 | u_int8_t *buffer = NULL; |
10839 | bool single_tlv = false; |
10840 | size_t valsize = sopt->sopt_valsize; |
10841 | if (valsize == 0 || |
10842 | valsize > ((sizeof(struct necp_tlv_header) + NECP_MAX_SOCKET_ATTRIBUTE_STRING_LENGTH) * 4)) { |
10843 | goto done; |
10844 | } |
10845 | |
10846 | buffer = (u_int8_t *)kalloc_data(valsize, Z_WAITOK | Z_ZERO); |
10847 | if (buffer == NULL) { |
10848 | goto done; |
10849 | } |
10850 | |
10851 | error = sooptcopyin(sopt, buffer, len: valsize, minlen: 0); |
10852 | if (error) { |
10853 | goto done; |
10854 | } |
10855 | |
10856 | // If NECP_TLV_ATTRIBUTE_DOMAIN_CONTEXT is being set/cleared separately from the other attributes, |
10857 | // do not clear other attributes. |
10858 | error = necp_set_socket_attribute(buffer, buffer_length: valsize, NECP_TLV_ATTRIBUTE_DOMAIN_CONTEXT, buffer_p: &attributes->inp_domain_context, single_tlv: &single_tlv); |
10859 | if (error) { |
10860 | NECPLOG0(LOG_ERR, "Could not set domain context TLV for socket attributes" ); |
10861 | goto done; |
10862 | } |
10863 | if (single_tlv == true) { |
10864 | goto done; |
10865 | } |
10866 | |
10867 | error = necp_set_socket_attribute(buffer, buffer_length: valsize, NECP_TLV_ATTRIBUTE_DOMAIN, buffer_p: &attributes->inp_domain, NULL); |
10868 | if (error) { |
10869 | NECPLOG0(LOG_ERR, "Could not set domain TLV for socket attributes" ); |
10870 | goto done; |
10871 | } |
10872 | |
10873 | error = necp_set_socket_attribute(buffer, buffer_length: valsize, NECP_TLV_ATTRIBUTE_DOMAIN_OWNER, buffer_p: &attributes->inp_domain_owner, NULL); |
10874 | if (error) { |
10875 | NECPLOG0(LOG_ERR, "Could not set domain owner TLV for socket attributes" ); |
10876 | goto done; |
10877 | } |
10878 | |
10879 | error = necp_set_socket_attribute(buffer, buffer_length: valsize, NECP_TLV_ATTRIBUTE_TRACKER_DOMAIN, buffer_p: &attributes->inp_tracker_domain, NULL); |
10880 | if (error) { |
10881 | NECPLOG0(LOG_ERR, "Could not set tracker domain TLV for socket attributes" ); |
10882 | goto done; |
10883 | } |
10884 | |
10885 | error = necp_set_socket_attribute(buffer, buffer_length: valsize, NECP_TLV_ATTRIBUTE_ACCOUNT, buffer_p: &attributes->inp_account, NULL); |
10886 | if (error) { |
10887 | NECPLOG0(LOG_ERR, "Could not set account TLV for socket attributes" ); |
10888 | goto done; |
10889 | } |
10890 | |
10891 | done: |
10892 | NECP_SOCKET_ATTRIBUTE_LOG("NECP ATTRIBUTES SOCKET - domain <%s> owner <%s> context <%s> tracker domain <%s> account <%s>" , |
10893 | attributes->inp_domain, |
10894 | attributes->inp_domain_owner, |
10895 | attributes->inp_domain_context, |
10896 | attributes->inp_tracker_domain, |
10897 | attributes->inp_account); |
10898 | |
10899 | if (necp_debug) { |
10900 | NECPLOG(LOG_DEBUG, "Set on socket: Domain %s, Domain owner %s, Domain context %s, Tracker domain %s, Account %s" , |
10901 | attributes->inp_domain, |
10902 | attributes->inp_domain_owner, |
10903 | attributes->inp_domain_context, |
10904 | attributes->inp_tracker_domain, |
10905 | attributes->inp_account); |
10906 | } |
10907 | |
10908 | if (buffer != NULL) { |
10909 | kfree_data(buffer, valsize); |
10910 | } |
10911 | |
10912 | return error; |
10913 | } |
10914 | |
10915 | errno_t |
10916 | necp_get_socket_attributes(struct inp_necp_attributes *attributes, struct sockopt *sopt) |
10917 | { |
10918 | int error = 0; |
10919 | u_int8_t *buffer = NULL; |
10920 | u_int8_t *cursor = NULL; |
10921 | size_t valsize = 0; |
10922 | |
10923 | if (attributes->inp_domain != NULL) { |
10924 | valsize += sizeof(struct necp_tlv_header) + strlen(s: attributes->inp_domain); |
10925 | } |
10926 | if (attributes->inp_domain_owner != NULL) { |
10927 | valsize += sizeof(struct necp_tlv_header) + strlen(s: attributes->inp_domain_owner); |
10928 | } |
10929 | if (attributes->inp_domain_context != NULL) { |
10930 | valsize += sizeof(struct necp_tlv_header) + strlen(s: attributes->inp_domain_context); |
10931 | } |
10932 | if (attributes->inp_tracker_domain != NULL) { |
10933 | valsize += sizeof(struct necp_tlv_header) + strlen(s: attributes->inp_tracker_domain); |
10934 | } |
10935 | if (attributes->inp_account != NULL) { |
10936 | valsize += sizeof(struct necp_tlv_header) + strlen(s: attributes->inp_account); |
10937 | } |
10938 | if (valsize == 0) { |
10939 | goto done; |
10940 | } |
10941 | |
10942 | buffer = (u_int8_t *)kalloc_data(valsize, Z_WAITOK | Z_ZERO); |
10943 | if (buffer == NULL) { |
10944 | goto done; |
10945 | } |
10946 | |
10947 | cursor = buffer; |
10948 | if (attributes->inp_domain != NULL) { |
10949 | cursor = necp_buffer_write_tlv(cursor, NECP_TLV_ATTRIBUTE_DOMAIN, length: strlen(s: attributes->inp_domain), value: attributes->inp_domain, |
10950 | buffer, buffer_length: valsize); |
10951 | } |
10952 | |
10953 | if (attributes->inp_domain_owner != NULL) { |
10954 | cursor = necp_buffer_write_tlv(cursor, NECP_TLV_ATTRIBUTE_DOMAIN_OWNER, length: strlen(s: attributes->inp_domain_owner), value: attributes->inp_domain_owner, |
10955 | buffer, buffer_length: valsize); |
10956 | } |
10957 | |
10958 | if (attributes->inp_domain_context != NULL) { |
10959 | cursor = necp_buffer_write_tlv(cursor, NECP_TLV_ATTRIBUTE_DOMAIN_CONTEXT, length: strlen(s: attributes->inp_domain_context), value: attributes->inp_domain_context, |
10960 | buffer, buffer_length: valsize); |
10961 | } |
10962 | |
10963 | if (attributes->inp_tracker_domain != NULL) { |
10964 | cursor = necp_buffer_write_tlv(cursor, NECP_TLV_ATTRIBUTE_TRACKER_DOMAIN, length: strlen(s: attributes->inp_tracker_domain), value: attributes->inp_tracker_domain, |
10965 | buffer, buffer_length: valsize); |
10966 | } |
10967 | |
10968 | if (attributes->inp_account != NULL) { |
10969 | cursor = necp_buffer_write_tlv(cursor, NECP_TLV_ATTRIBUTE_ACCOUNT, length: strlen(s: attributes->inp_account), value: attributes->inp_account, |
10970 | buffer, buffer_length: valsize); |
10971 | } |
10972 | |
10973 | error = sooptcopyout(sopt, data: buffer, len: valsize); |
10974 | if (error) { |
10975 | goto done; |
10976 | } |
10977 | done: |
10978 | if (buffer != NULL) { |
10979 | kfree_data(buffer, valsize); |
10980 | } |
10981 | |
10982 | return error; |
10983 | } |
10984 | |
10985 | int |
10986 | necp_set_socket_resolver_signature(struct inpcb *inp, struct sockopt *sopt) |
10987 | { |
10988 | const size_t valsize = sopt->sopt_valsize; |
10989 | if (valsize > NECP_CLIENT_ACTION_SIGN_MAX_TOTAL_LENGTH + NECP_CLIENT_ACTION_SIGN_TAG_LENGTH) { |
10990 | return EINVAL; |
10991 | } |
10992 | |
10993 | necp_lock_socket_attributes(); |
10994 | if (inp->inp_resolver_signature != NULL) { |
10995 | kfree_data(inp->inp_resolver_signature, inp->inp_resolver_signature_length); |
10996 | } |
10997 | inp->inp_resolver_signature_length = 0; |
10998 | |
10999 | int error = 0; |
11000 | if (valsize > 0) { |
11001 | inp->inp_resolver_signature = kalloc_data(valsize, Z_WAITOK | Z_ZERO); |
11002 | if ((error = sooptcopyin(sopt, inp->inp_resolver_signature, len: valsize, |
11003 | minlen: valsize)) != 0) { |
11004 | // Free the signature buffer if the copyin failed |
11005 | kfree_data(inp->inp_resolver_signature, valsize); |
11006 | } else { |
11007 | inp->inp_resolver_signature_length = valsize; |
11008 | } |
11009 | } |
11010 | necp_unlock_socket_attributes(); |
11011 | |
11012 | return error; |
11013 | } |
11014 | |
11015 | int |
11016 | necp_get_socket_resolver_signature(struct inpcb *inp, struct sockopt *sopt) |
11017 | { |
11018 | int error = 0; |
11019 | necp_lock_socket_attributes(); |
11020 | if (inp->inp_resolver_signature == NULL || |
11021 | inp->inp_resolver_signature_length == 0) { |
11022 | error = ENOENT; |
11023 | } else { |
11024 | error = sooptcopyout(sopt, data: inp->inp_resolver_signature, |
11025 | len: inp->inp_resolver_signature_length); |
11026 | } |
11027 | necp_unlock_socket_attributes(); |
11028 | return error; |
11029 | } |
11030 | |
11031 | bool |
11032 | necp_socket_has_resolver_signature(struct inpcb *inp) |
11033 | { |
11034 | necp_lock_socket_attributes(); |
11035 | bool has_signature = (inp->inp_resolver_signature != NULL && inp->inp_resolver_signature_length != 0); |
11036 | necp_unlock_socket_attributes(); |
11037 | return has_signature; |
11038 | } |
11039 | |
11040 | bool |
11041 | necp_socket_resolver_signature_matches_address(struct inpcb *inp, union necp_sockaddr_union *address) |
11042 | { |
11043 | bool matches_address = false; |
11044 | necp_lock_socket_attributes(); |
11045 | if (inp->inp_resolver_signature != NULL && inp->inp_resolver_signature_length > 0 && address->sa.sa_len > 0) { |
11046 | struct necp_client_validatable *validatable = (struct necp_client_validatable *)inp->inp_resolver_signature; |
11047 | if (inp->inp_resolver_signature_length > sizeof(struct necp_client_validatable) && |
11048 | validatable->signable.sign_type == NECP_CLIENT_SIGN_TYPE_SYSTEM_RESOLVER_ANSWER) { |
11049 | size_t data_length = inp->inp_resolver_signature_length - sizeof(struct necp_client_validatable); |
11050 | if (data_length >= (sizeof(struct necp_client_host_resolver_answer) - sizeof(struct necp_client_signable))) { |
11051 | struct necp_client_host_resolver_answer *answer_struct = (struct necp_client_host_resolver_answer *)&validatable->signable; |
11052 | if (data_length == (sizeof(struct necp_client_host_resolver_answer) + answer_struct->hostname_length - sizeof(struct necp_client_signable)) && |
11053 | answer_struct->address_answer.sa.sa_family == address->sa.sa_family && |
11054 | answer_struct->address_answer.sa.sa_len == address->sa.sa_len && |
11055 | (answer_struct->address_answer.sin.sin_port == 0 || |
11056 | answer_struct->address_answer.sin.sin_port == address->sin.sin_port) && |
11057 | ((answer_struct->address_answer.sa.sa_family == AF_INET && |
11058 | answer_struct->address_answer.sin.sin_addr.s_addr == address->sin.sin_addr.s_addr) || |
11059 | (answer_struct->address_answer.sa.sa_family == AF_INET6 && |
11060 | memcmp(s1: &answer_struct->address_answer.sin6.sin6_addr, s2: &address->sin6.sin6_addr, n: sizeof(struct in6_addr)) == 0))) { |
11061 | // Address matches |
11062 | const bool validated = necp_validate_resolver_answer(client_id: validatable->signable.client_id, |
11063 | sign_type: validatable->signable.sign_type, |
11064 | data: validatable->signable.signable_data, data_length, |
11065 | tag: validatable->signature.signed_tag, tag_length: sizeof(validatable->signature.signed_tag)); |
11066 | if (validated) { |
11067 | // Answer is validated |
11068 | matches_address = true; |
11069 | } |
11070 | } |
11071 | } |
11072 | } |
11073 | } |
11074 | necp_unlock_socket_attributes(); |
11075 | return matches_address; |
11076 | } |
11077 | |
11078 | /* |
11079 | * necp_set_socket_domain_attributes |
11080 | * Called from soconnectlock/soconnectxlock to directly set the tracker domain and owner for |
11081 | * a newly marked tracker socket. |
11082 | */ |
11083 | errno_t |
11084 | necp_set_socket_domain_attributes(struct socket *so, const char *domain, const char *domain_owner) |
11085 | { |
11086 | int error = 0; |
11087 | struct inpcb *inp = NULL; |
11088 | u_int8_t *buffer = NULL; |
11089 | size_t valsize = 0; |
11090 | char *buffer_to_free = NULL; |
11091 | |
11092 | if (SOCK_DOM(so) != PF_INET && SOCK_DOM(so) != PF_INET6) { |
11093 | error = EINVAL; |
11094 | goto fail; |
11095 | } |
11096 | |
11097 | // Set domain (required) |
11098 | |
11099 | valsize = strlen(s: domain); |
11100 | if (valsize == 0 || valsize > NECP_MAX_SOCKET_ATTRIBUTE_STRING_LENGTH) { |
11101 | error = EINVAL; |
11102 | goto fail; |
11103 | } |
11104 | |
11105 | buffer = (u_int8_t *)kalloc_data(valsize + 1, Z_WAITOK | Z_ZERO); |
11106 | if (buffer == NULL) { |
11107 | error = ENOMEM; |
11108 | goto fail; |
11109 | } |
11110 | bcopy(src: domain, dst: buffer, n: valsize); |
11111 | buffer[valsize] = 0; |
11112 | |
11113 | inp = sotoinpcb(so); |
11114 | // Do not overwrite a previously set domain if tracker domain is different. |
11115 | if (inp->inp_necp_attributes.inp_domain != NULL) { |
11116 | if (strlen(s: inp->inp_necp_attributes.inp_domain) != strlen(s: domain) || |
11117 | strncmp(s1: inp->inp_necp_attributes.inp_domain, s2: domain, n: strlen(s: domain)) != 0) { |
11118 | buffer_to_free = inp->inp_necp_attributes.inp_tracker_domain; |
11119 | // Protect switching of buffer pointer |
11120 | necp_lock_socket_attributes(); |
11121 | inp->inp_necp_attributes.inp_tracker_domain = (char *)buffer; |
11122 | necp_unlock_socket_attributes(); |
11123 | if (buffer_to_free != NULL) { |
11124 | kfree_data_addr(buffer_to_free); |
11125 | } |
11126 | } else { |
11127 | kfree_data_addr(buffer); |
11128 | } |
11129 | } else { |
11130 | // Protect switching of buffer pointer |
11131 | necp_lock_socket_attributes(); |
11132 | inp->inp_necp_attributes.inp_domain = (char *)buffer; |
11133 | necp_unlock_socket_attributes(); |
11134 | } |
11135 | buffer = NULL; |
11136 | |
11137 | // set domain_owner (required only for tracker) |
11138 | if (!(so->so_flags1 & SOF1_KNOWN_TRACKER)) { |
11139 | goto done; |
11140 | } |
11141 | |
11142 | valsize = strlen(s: domain_owner); |
11143 | if (valsize == 0 || valsize > NECP_MAX_SOCKET_ATTRIBUTE_STRING_LENGTH) { |
11144 | error = EINVAL; |
11145 | goto fail; |
11146 | } |
11147 | |
11148 | buffer = (u_int8_t *)kalloc_data(valsize + 1, Z_WAITOK | Z_ZERO); |
11149 | if (buffer == NULL) { |
11150 | error = ENOMEM; |
11151 | goto fail; |
11152 | } |
11153 | bcopy(src: domain_owner, dst: buffer, n: valsize); |
11154 | buffer[valsize] = 0; |
11155 | |
11156 | inp = sotoinpcb(so); |
11157 | |
11158 | buffer_to_free = inp->inp_necp_attributes.inp_domain_owner; |
11159 | // Protect switching of buffer pointer |
11160 | necp_lock_socket_attributes(); |
11161 | inp->inp_necp_attributes.inp_domain_owner = (char *)buffer; |
11162 | necp_unlock_socket_attributes(); |
11163 | buffer = NULL; |
11164 | |
11165 | if (buffer_to_free != NULL) { |
11166 | kfree_data_addr(buffer_to_free); |
11167 | } |
11168 | |
11169 | done: |
11170 | NECP_SOCKET_PARAMS_LOG(so, "NECP ATTRIBUTES SOCKET - domain <%s> owner <%s> context <%s> tracker domain <%s> account <%s> " |
11171 | "<so flags - is_tracker %X non-app-initiated %X app-approved-domain %X" , |
11172 | inp->inp_necp_attributes.inp_domain, |
11173 | inp->inp_necp_attributes.inp_domain_owner, |
11174 | inp->inp_necp_attributes.inp_domain_context, |
11175 | inp->inp_necp_attributes.inp_tracker_domain, |
11176 | inp->inp_necp_attributes.inp_account, |
11177 | so->so_flags1 & SOF1_KNOWN_TRACKER, |
11178 | so->so_flags1 & SOF1_TRACKER_NON_APP_INITIATED, |
11179 | so->so_flags1 & SOF1_APPROVED_APP_DOMAIN); |
11180 | |
11181 | if (necp_debug) { |
11182 | NECPLOG(LOG_DEBUG, "Set on socket: Domain <%s> Domain owner <%s> Domain context <%s> Tracker domain <%s> Account <%s> " , |
11183 | inp->inp_necp_attributes.inp_domain, |
11184 | inp->inp_necp_attributes.inp_domain_owner, |
11185 | inp->inp_necp_attributes.inp_domain_context, |
11186 | inp->inp_necp_attributes.inp_tracker_domain, |
11187 | inp->inp_necp_attributes.inp_account); |
11188 | } |
11189 | fail: |
11190 | if (buffer != NULL) { |
11191 | kfree_data(buffer, valsize + 1); |
11192 | } |
11193 | return error; |
11194 | } |
11195 | |
11196 | void * |
11197 | necp_create_nexus_assign_message(uuid_t nexus_instance, nexus_port_t nexus_port, void *key, uint32_t key_length, |
11198 | struct necp_client_endpoint *local_endpoint, struct necp_client_endpoint *remote_endpoint, struct ether_addr *local_ether_addr, |
11199 | u_int32_t flow_adv_index, void *flow_stats, size_t *message_length) |
11200 | { |
11201 | u_int8_t *buffer = NULL; |
11202 | u_int8_t *cursor = NULL; |
11203 | size_t valsize = 0; |
11204 | bool has_nexus_assignment = FALSE; |
11205 | |
11206 | if (!uuid_is_null(uu: nexus_instance)) { |
11207 | has_nexus_assignment = TRUE; |
11208 | valsize += sizeof(struct necp_tlv_header) + sizeof(uuid_t); |
11209 | valsize += sizeof(struct necp_tlv_header) + sizeof(nexus_port_t); |
11210 | } |
11211 | if (flow_adv_index != NECP_FLOWADV_IDX_INVALID) { |
11212 | valsize += sizeof(struct necp_tlv_header) + sizeof(u_int32_t); |
11213 | } |
11214 | if (key != NULL && key_length > 0) { |
11215 | valsize += sizeof(struct necp_tlv_header) + key_length; |
11216 | } |
11217 | if (local_endpoint != NULL) { |
11218 | valsize += sizeof(struct necp_tlv_header) + sizeof(struct necp_client_endpoint); |
11219 | } |
11220 | if (remote_endpoint != NULL) { |
11221 | valsize += sizeof(struct necp_tlv_header) + sizeof(struct necp_client_endpoint); |
11222 | } |
11223 | if (local_ether_addr != NULL) { |
11224 | valsize += sizeof(struct necp_tlv_header) + sizeof(struct ether_addr); |
11225 | } |
11226 | if (flow_stats != NULL) { |
11227 | valsize += sizeof(struct necp_tlv_header) + sizeof(void *); |
11228 | } |
11229 | if (valsize == 0) { |
11230 | return NULL; |
11231 | } |
11232 | |
11233 | buffer = kalloc_data(valsize, Z_WAITOK | Z_ZERO); |
11234 | if (buffer == NULL) { |
11235 | return NULL; |
11236 | } |
11237 | |
11238 | cursor = buffer; |
11239 | if (has_nexus_assignment) { |
11240 | cursor = necp_buffer_write_tlv(cursor, NECP_CLIENT_RESULT_NEXUS_INSTANCE, length: sizeof(uuid_t), value: nexus_instance, buffer, buffer_length: valsize); |
11241 | cursor = necp_buffer_write_tlv(cursor, NECP_CLIENT_RESULT_NEXUS_PORT, length: sizeof(nexus_port_t), value: &nexus_port, buffer, buffer_length: valsize); |
11242 | } |
11243 | if (flow_adv_index != NECP_FLOWADV_IDX_INVALID) { |
11244 | cursor = necp_buffer_write_tlv(cursor, NECP_CLIENT_RESULT_NEXUS_PORT_FLOW_INDEX, length: sizeof(u_int32_t), value: &flow_adv_index, buffer, buffer_length: valsize); |
11245 | } |
11246 | if (key != NULL && key_length > 0) { |
11247 | cursor = necp_buffer_write_tlv(cursor, NECP_CLIENT_PARAMETER_NEXUS_KEY, length: key_length, value: key, buffer, buffer_length: valsize); |
11248 | } |
11249 | if (local_endpoint != NULL) { |
11250 | cursor = necp_buffer_write_tlv(cursor, NECP_CLIENT_RESULT_LOCAL_ENDPOINT, length: sizeof(struct necp_client_endpoint), value: local_endpoint, buffer, buffer_length: valsize); |
11251 | } |
11252 | if (remote_endpoint != NULL) { |
11253 | cursor = necp_buffer_write_tlv(cursor, NECP_CLIENT_RESULT_REMOTE_ENDPOINT, length: sizeof(struct necp_client_endpoint), value: remote_endpoint, buffer, buffer_length: valsize); |
11254 | } |
11255 | if (local_ether_addr != NULL) { |
11256 | cursor = necp_buffer_write_tlv(cursor, NECP_CLIENT_RESULT_LOCAL_ETHER_ADDR, length: sizeof(struct ether_addr), value: local_ether_addr, buffer, buffer_length: valsize); |
11257 | } |
11258 | if (flow_stats != NULL) { |
11259 | cursor = necp_buffer_write_tlv(cursor, NECP_CLIENT_RESULT_NEXUS_FLOW_STATS, length: sizeof(void *), value: &flow_stats, buffer, buffer_length: valsize); |
11260 | } |
11261 | |
11262 | *message_length = valsize; |
11263 | |
11264 | return buffer; |
11265 | } |
11266 | |
11267 | void |
11268 | necp_inpcb_remove_cb(struct inpcb *inp) |
11269 | { |
11270 | if (!uuid_is_null(uu: inp->necp_client_uuid)) { |
11271 | necp_client_unregister_socket_flow(client_id: inp->necp_client_uuid, handle: inp); |
11272 | uuid_clear(uu: inp->necp_client_uuid); |
11273 | } |
11274 | } |
11275 | |
11276 | void |
11277 | necp_inpcb_dispose(struct inpcb *inp) |
11278 | { |
11279 | necp_inpcb_remove_cb(inp); // Clear out socket registrations if not yet done |
11280 | if (inp->inp_necp_attributes.inp_domain != NULL) { |
11281 | kfree_data_addr(inp->inp_necp_attributes.inp_domain); |
11282 | inp->inp_necp_attributes.inp_domain = NULL; |
11283 | } |
11284 | if (inp->inp_necp_attributes.inp_account != NULL) { |
11285 | kfree_data_addr(inp->inp_necp_attributes.inp_account); |
11286 | inp->inp_necp_attributes.inp_account = NULL; |
11287 | } |
11288 | if (inp->inp_necp_attributes.inp_domain_owner != NULL) { |
11289 | kfree_data_addr(inp->inp_necp_attributes.inp_domain_owner); |
11290 | inp->inp_necp_attributes.inp_domain_owner = NULL; |
11291 | } |
11292 | if (inp->inp_necp_attributes.inp_domain_context != NULL) { |
11293 | kfree_data_addr(inp->inp_necp_attributes.inp_domain_context); |
11294 | inp->inp_necp_attributes.inp_domain_context = NULL; |
11295 | } |
11296 | if (inp->inp_necp_attributes.inp_tracker_domain != NULL) { |
11297 | kfree_data_addr(inp->inp_necp_attributes.inp_tracker_domain); |
11298 | inp->inp_necp_attributes.inp_tracker_domain = NULL; |
11299 | } |
11300 | if (inp->inp_resolver_signature != NULL) { |
11301 | kfree_data(inp->inp_resolver_signature, inp->inp_resolver_signature_length); |
11302 | } |
11303 | inp->inp_resolver_signature_length = 0; |
11304 | } |
11305 | |
11306 | void |
11307 | necp_mppcb_dispose(struct mppcb *mpp) |
11308 | { |
11309 | if (!uuid_is_null(uu: mpp->necp_client_uuid)) { |
11310 | necp_client_unregister_multipath_cb(client_id: mpp->necp_client_uuid, handle: mpp); |
11311 | uuid_clear(uu: mpp->necp_client_uuid); |
11312 | } |
11313 | |
11314 | if (mpp->inp_necp_attributes.inp_domain != NULL) { |
11315 | kfree_data_addr(mpp->inp_necp_attributes.inp_domain); |
11316 | mpp->inp_necp_attributes.inp_domain = NULL; |
11317 | } |
11318 | if (mpp->inp_necp_attributes.inp_account != NULL) { |
11319 | kfree_data_addr(mpp->inp_necp_attributes.inp_account); |
11320 | mpp->inp_necp_attributes.inp_account = NULL; |
11321 | } |
11322 | if (mpp->inp_necp_attributes.inp_domain_owner != NULL) { |
11323 | kfree_data_addr(mpp->inp_necp_attributes.inp_domain_owner); |
11324 | mpp->inp_necp_attributes.inp_domain_owner = NULL; |
11325 | } |
11326 | if (mpp->inp_necp_attributes.inp_tracker_domain != NULL) { |
11327 | kfree_data_addr(mpp->inp_necp_attributes.inp_tracker_domain); |
11328 | mpp->inp_necp_attributes.inp_tracker_domain = NULL; |
11329 | } |
11330 | } |
11331 | |
11332 | /// Module init |
11333 | |
11334 | void |
11335 | necp_client_init(void) |
11336 | { |
11337 | necp_client_update_tcall = thread_call_allocate_with_options(func: necp_update_all_clients_callout, NULL, |
11338 | pri: THREAD_CALL_PRIORITY_KERNEL, options: THREAD_CALL_OPTIONS_ONCE); |
11339 | VERIFY(necp_client_update_tcall != NULL); |
11340 | #if SKYWALK |
11341 | |
11342 | necp_client_collect_stats_tcall = thread_call_allocate_with_options(func: necp_collect_stats_client_callout, NULL, |
11343 | pri: THREAD_CALL_PRIORITY_KERNEL, options: THREAD_CALL_OPTIONS_ONCE); |
11344 | VERIFY(necp_client_collect_stats_tcall != NULL); |
11345 | |
11346 | necp_close_empty_arenas_tcall = thread_call_allocate_with_options(func: necp_close_empty_arenas_callout, NULL, |
11347 | pri: THREAD_CALL_PRIORITY_KERNEL, options: THREAD_CALL_OPTIONS_ONCE); |
11348 | VERIFY(necp_close_empty_arenas_tcall != NULL); |
11349 | #endif /* SKYWALK */ |
11350 | |
11351 | LIST_INIT(&necp_fd_list); |
11352 | LIST_INIT(&necp_fd_observer_list); |
11353 | LIST_INIT(&necp_collect_stats_flow_list); |
11354 | |
11355 | RB_INIT(&necp_client_global_tree); |
11356 | RB_INIT(&necp_client_flow_global_tree); |
11357 | } |
11358 | |
11359 | #if SKYWALK |
11360 | pid_t |
11361 | necp_client_get_proc_pid_from_arena_info(struct skmem_arena_mmap_info *arena_info) |
11362 | { |
11363 | ASSERT((arena_info->ami_arena->ar_type == SKMEM_ARENA_TYPE_NECP) || (arena_info->ami_arena->ar_type == SKMEM_ARENA_TYPE_SYSTEM)); |
11364 | |
11365 | if (arena_info->ami_arena->ar_type == SKMEM_ARENA_TYPE_NECP) { |
11366 | struct necp_arena_info *nai = container_of(arena_info, struct necp_arena_info, nai_mmap); |
11367 | return nai->nai_proc_pid; |
11368 | } else { |
11369 | struct necp_fd_data *fd_data = container_of(arena_info, struct necp_fd_data, sysctl_mmap); |
11370 | return fd_data->proc_pid; |
11371 | } |
11372 | } |
11373 | #endif /* !SKYWALK */ |
11374 | |