/* * Copyright (c) 2025 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. The rights granted to you under the License * may not be used to create, or enable the creation or redistribution of, * unlawful or unlicensed copies of an Apple operating system, or to * circumvent, violate, or enable the circumvention or violation of, any * terms of an Apple operating system software license agreement. * * Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this file. * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. * * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ */ /* test that the header doesn't implicitly depend on others */ #include #include #include #include #include #include #include #include #include #include #include #include /* TODO: this should be installed for userspace */ extern int ledger(int cmd, caddr_t arg1, caddr_t arg2, caddr_t arg3); #include extern int __microstackshot(char *tracebuf, uint32_t tracebuf_size, uint32_t flags); T_GLOBAL_META(T_META_NAMESPACE("xnu.scheduler"), T_META_RADAR_COMPONENT_NAME("xnu"), T_META_RADAR_COMPONENT_VERSION("scheduler"), T_META_OWNER("chimene"), T_META_RUN_CONCURRENTLY(false), /* because of messing with global SFI */ T_META_ASROOT(true), /* for TASK_POLICY_STATE, and setting SFI */ T_META_TAG_VM_PREFERRED); static void check_is_bg(bool wants_bg) { kern_return_t kr; struct task_policy_state policy_state; mach_msg_type_number_t count = TASK_POLICY_STATE_COUNT; boolean_t get_default = FALSE; kr = task_policy_get(mach_task_self(), TASK_POLICY_STATE, (task_policy_t)&policy_state, &count, &get_default); T_QUIET; T_ASSERT_MACH_SUCCESS(kr, "task_policy_get(TASK_POLICY_STATE)"); /* * A test reporting type=APPLICATION should have the live donor bit set. * If this fails, the test may have been launched as a daemon instead. */ T_QUIET; T_ASSERT_BITS_SET(policy_state.flags, TASK_IMP_LIVE_DONOR, "test should be live donor enabled"); /* * The BG bit is updated via task_policy_update_internal_locked, * checking this proves that the first phase update ran on this task. */ if (wants_bg) { T_ASSERT_BITS_SET(policy_state.effective, POLICY_EFF_DARWIN_BG, "%d: is BG", getpid()); } else { T_ASSERT_BITS_NOTSET(policy_state.effective, POLICY_EFF_DARWIN_BG, "%d: is not BG", getpid()); } /* * The live donor bit is updated via task_policy_update_complete_unlocked, * checking this proves that the second phase update ran on this task. */ if (wants_bg) { T_ASSERT_BITS_NOTSET(policy_state.flags, TASK_IMP_DONOR, "%d: is not live donor", getpid()); } else { T_ASSERT_BITS_SET(policy_state.flags, TASK_IMP_DONOR, "%d: is live donor", getpid()); } } static void check_runaway_mode(bool expected_mode) { int runaway_mode = getpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0); T_QUIET; T_ASSERT_POSIX_SUCCESS(runaway_mode, "getpriority(PRIO_DARWIN_RUNAWAY_MITIGATION)"); T_LOG("pid %d: runaway mitigation mode is: %d", getpid(), runaway_mode); if (expected_mode) { T_QUIET; T_ASSERT_EQ(runaway_mode, PRIO_DARWIN_RUNAWAY_MITIGATION_ON, "should be on"); check_is_bg(true); } else { T_QUIET; T_ASSERT_EQ(runaway_mode, PRIO_DARWIN_RUNAWAY_MITIGATION_OFF, "should be off"); check_is_bg(false); } } T_DECL(entitled_runaway_mode, "runaway mitigation mode should be settable while entitled") { T_LOG("uid: %d", getuid()); check_runaway_mode(false); T_ASSERT_POSIX_SUCCESS(setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_ON), "setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_ON)"); check_runaway_mode(true); T_ASSERT_POSIX_SUCCESS(setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_OFF), "setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_OFF)"); check_runaway_mode(false); } T_DECL(entitled_runaway_mode_read_root, "runaway mitigation mode should be readable as root", T_META_ASROOT(true)) { T_LOG("uid: %d", getuid()); check_runaway_mode(false); } T_DECL(entitled_runaway_mode_read_notroot, "runaway mitigation mode should be readable as not root but entitled", T_META_ASROOT(false)) { T_LOG("uid: %d", getuid()); int runaway_mode = getpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, getpid()); T_QUIET; T_ASSERT_POSIX_SUCCESS(runaway_mode, "getpriority(PRIO_DARWIN_RUNAWAY_MITIGATION)"); T_ASSERT_EQ(runaway_mode, PRIO_DARWIN_RUNAWAY_MITIGATION_OFF, "should be off"); } T_DECL(runaway_mode_child_exit, "runaway mitigation mode should disappear when child exits") { T_LOG("uid: %d", getuid()); check_runaway_mode(false); T_LOG("Spawning child"); pid_t child_pid = fork(); if (child_pid == 0) { /* child process */ check_runaway_mode(false); T_ASSERT_POSIX_SUCCESS(setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_ON), "setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_ON)"); check_runaway_mode(true); T_LOG("Exit pid %d with runaway mitigation mode on", getpid()); exit(0); } else { T_ASSERT_POSIX_SUCCESS(child_pid, "fork, pid %d", child_pid); /* wait for child process to exit */ int exit_status = 0, signum = 0; T_ASSERT_TRUE(dt_waitpid(child_pid, &exit_status, &signum, 5), "wait for child (%d) complete", child_pid); T_QUIET; T_ASSERT_EQ(exit_status, 0, "dt_waitpid: exit_status"); T_QUIET; T_ASSERT_EQ(signum, 0, "dt_waitpid: signum"); } check_runaway_mode(false); } T_DECL(runaway_mode_child_set, "runaway mitigation mode should be settable on child pid") { T_LOG("uid: %d", getuid()); check_runaway_mode(false); int fd[2]; T_QUIET; T_ASSERT_POSIX_SUCCESS(pipe(fd), "pipe()"); T_LOG("Spawning child"); pid_t child_pid = fork(); if (child_pid == 0) { char buf[10]; /* child process */ T_ASSERT_POSIX_SUCCESS(child_pid, "fork, in child with pid %d", getpid()); T_ASSERT_POSIX_SUCCESS(close(fd[1]), "close(fd[1])"); T_ASSERT_POSIX_SUCCESS(read(fd[0], buf, sizeof(buf)), "read(fd[0], buf, sizeof(buf)"); T_ASSERT_POSIX_SUCCESS(close(fd[0]), "close(fd[0])"); check_runaway_mode(true); T_LOG("Exit pid %d with runaway mitigation mode on", getpid()); exit(0); } else { T_ASSERT_POSIX_SUCCESS(child_pid, "fork parent: child pid %d", child_pid); T_ASSERT_POSIX_SUCCESS(setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, child_pid, PRIO_DARWIN_RUNAWAY_MITIGATION_ON), "setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, child_pid, PRIO_DARWIN_RUNAWAY_MITIGATION_ON)"); int runaway_mode = getpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, child_pid); T_QUIET; T_ASSERT_POSIX_SUCCESS(runaway_mode, "getpriority(PRIO_DARWIN_RUNAWAY_MITIGATION)"); T_ASSERT_EQ(runaway_mode, PRIO_DARWIN_RUNAWAY_MITIGATION_ON, "should be on"); T_QUIET; T_LOG("Signalling child to continue"); T_ASSERT_POSIX_SUCCESS(close(fd[1]), "close(fd[1])"); /* wait for child process to exit */ int exit_status = 0, signum = 0; T_ASSERT_TRUE(dt_waitpid(child_pid, &exit_status, &signum, 5), "wait for child (%d) complete", child_pid); T_QUIET; T_ASSERT_EQ(exit_status, 0, "dt_waitpid: exit_status"); T_QUIET; T_ASSERT_EQ(signum, 0, "dt_waitpid: signum"); } check_runaway_mode(false); } /* * TODO: This should be in a test utils library, * but it requires including Kernel.framework header kern/ledger.h, which is Bad */ static size_t ledger_index_for_string(size_t *num_entries, char* string) { struct ledger_info li; struct ledger_template_info *templateInfo = NULL; int ret; size_t i, footprint_index; bool found = false; ret = ledger(LEDGER_INFO, (caddr_t)(uintptr_t)getpid(), (caddr_t)&li, NULL); T_QUIET; T_ASSERT_POSIX_SUCCESS(ret, "ledger(LEDGER_INFO)"); T_QUIET; T_ASSERT_GT(li.li_entries, (int64_t) 0, "num ledger entries is valid"); *num_entries = (size_t) li.li_entries; templateInfo = malloc((size_t)li.li_entries * sizeof(struct ledger_template_info)); T_QUIET; T_ASSERT_NOTNULL(templateInfo, "malloc entries"); footprint_index = 0; ret = ledger(LEDGER_TEMPLATE_INFO, (caddr_t) templateInfo, (caddr_t) num_entries, NULL); T_QUIET; T_ASSERT_POSIX_SUCCESS(ret, "ledger(LEDGER_TEMPLATE_INFO)"); for (i = 0; i < *num_entries; i++) { if (strcmp(templateInfo[i].lti_name, string) == 0) { footprint_index = i; found = true; } } free(templateInfo); T_QUIET; T_ASSERT_TRUE(found, "found %s in ledger", string); return footprint_index; } /* * sadly there's no 'get just this one ledger index' syscall, * we have to read all ledgers and filter for the one we want */ static int64_t get_ledger_entry_for_pid(pid_t pid, size_t index, size_t num_entries) { int ret; int64_t value; struct ledger_entry_info *lei = NULL; lei = malloc(num_entries * sizeof(*lei)); ret = ledger(LEDGER_ENTRY_INFO, (caddr_t) (uintptr_t) pid, (caddr_t) lei, (caddr_t) &num_entries); T_QUIET; T_ASSERT_POSIX_SUCCESS(ret, "ledger(LEDGER_ENTRY_INFO)"); value = lei[index].lei_balance; free(lei); return value; } uint64_t initial_sfi_window = 0, initial_class_offtime = 0; static void restore_sfi_state(void) { T_LOG("Restoring initial system SFI window %lld, SFI_CLASS_RUNAWAY_MITIGATION class offtime %lld", initial_sfi_window, initial_class_offtime); /* * Setting window will fail if there is a larger offtime set, and * setting class will fail if the window is smaller. * To avoid this, disable the window, configure new values, then finally * re-enable the window. */ T_QUIET; T_ASSERT_POSIX_SUCCESS(system_set_sfi_window(0), "system_set_sfi_window(0)"); T_QUIET; T_ASSERT_POSIX_SUCCESS(sfi_set_class_offtime(SFI_CLASS_RUNAWAY_MITIGATION, initial_class_offtime), "system_set_sfi_window(%lld)", initial_class_offtime); T_QUIET; T_ASSERT_POSIX_SUCCESS(system_set_sfi_window(initial_sfi_window), "system_set_sfi_window(%lld)", initial_sfi_window); } const int spin_seconds = 1; static void * spin_thread(void *arg) { static mach_timebase_info_data_t timebase_info; mach_timebase_info(&timebase_info); uint64_t duration = spin_seconds * NSEC_PER_SEC * timebase_info.denom / timebase_info.numer; uint64_t deadline = mach_absolute_time() + duration; while (mach_absolute_time() < deadline) { ; } return NULL; } T_DECL(runaway_mode_child_sfi, "runaway mitigation mode should cause SFI") { T_LOG("uid: %d", getuid()); check_runaway_mode(false); T_QUIET; T_ASSERT_POSIX_SUCCESS(system_get_sfi_window(&initial_sfi_window), "system_get_sfi_window(&initial_sfi_window)"); T_QUIET; T_ASSERT_POSIX_SUCCESS(sfi_get_class_offtime(SFI_CLASS_RUNAWAY_MITIGATION, &initial_class_offtime), "sfi_get_class_offtime(SFI_CLASS_RUNAWAY_MITIGATION, &initial_class_offtime)"); T_LOG("Initial System SFI window %lld, SFI_CLASS_RUNAWAY_MITIGATION class offtime %lld\n", initial_sfi_window, initial_class_offtime); size_t num_ledger_entries = 0; size_t ledger_index = ledger_index_for_string(&num_ledger_entries, "SFI_CLASS_RUNAWAY_MITIGATION"); uint64_t sfi_time_before = get_ledger_entry_for_pid(getpid(), ledger_index, num_ledger_entries); T_LOG("SFI_CLASS_RUNAWAY_MITIGATION ledger index: %zu out of %zu\n", ledger_index, num_ledger_entries); T_LOG("Initial accumulated SFI time: %lld\n", sfi_time_before); T_ATEND(restore_sfi_state); uint64_t custom_sfi_window = 100000; /* microseconds */ uint64_t custom_class_offtime = 50000; T_LOG("Setting custom system SFI window %lld, SFI_CLASS_RUNAWAY_MITIGATION class offtime %lld", custom_sfi_window, custom_class_offtime); T_QUIET; T_ASSERT_POSIX_SUCCESS(system_set_sfi_window(0), "system_set_sfi_window(0)"); T_ASSERT_POSIX_SUCCESS(sfi_set_class_offtime(SFI_CLASS_RUNAWAY_MITIGATION, custom_class_offtime), "sfi_set_class_offtime(SFI_CLASS_RUNAWAY_MITIGATION, %lld)", custom_class_offtime); T_ASSERT_POSIX_SUCCESS(system_set_sfi_window(custom_sfi_window), "system_set_sfi_window(%lld)", custom_sfi_window); pthread_t thread; T_LOG("Spawning thread to spin for %d seconds\n", spin_seconds); int rv = pthread_create(&thread, NULL, spin_thread, NULL); T_QUIET; T_ASSERT_POSIX_SUCCESS(rv, "pthread_create"); T_LOG("Enable mitigation mode\n"); T_ASSERT_POSIX_SUCCESS(setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_ON), "setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_ON)"); check_runaway_mode(true); T_LOG("Wait %d seconds for spin to finish\n", spin_seconds); rv = pthread_join(thread, NULL); T_QUIET; T_ASSERT_POSIX_SUCCESS(rv, "pthread_join"); T_LOG("Thread joined, disable mitigation mode\n"); T_ASSERT_POSIX_SUCCESS(setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_OFF), "setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_OFF)"); uint64_t sfi_time_after = get_ledger_entry_for_pid(getpid(), ledger_index, num_ledger_entries); T_LOG("Ending accumulated SFI time: %lld\n", sfi_time_after); T_ASSERT_LT(sfi_time_before, sfi_time_after, "SFI_CLASS_RUNAWAY_MITIGATION SFI time must have increased"); check_runaway_mode(false); uint64_t final_sfi_window = 0, final_class_offtime = 0; T_QUIET; T_ASSERT_POSIX_SUCCESS(system_get_sfi_window(&final_sfi_window), "system_get_sfi_window(&final_sfi_window)"); T_QUIET; T_ASSERT_POSIX_SUCCESS(sfi_get_class_offtime(SFI_CLASS_RUNAWAY_MITIGATION, &final_class_offtime), "sfi_get_class_offtime(SFI_CLASS_RUNAWAY_MITIGATION, &final_class_offtime)"); /* * If the System SFI configuration was changed out from under us during the test, either us or them will be confused. */ T_QUIET; T_ASSERT_EQ(custom_sfi_window, final_sfi_window, "System SFI window should not unexpectedly change during the test"); T_QUIET; T_ASSERT_EQ(custom_class_offtime, final_class_offtime, "System SFI offtime should not unexpectedly change during the test"); } #if defined(__arm64__) static bool found_flag = false; static bool found_self = false; static const size_t microstackshot_buf_size = 16 * 1024; static bool search_for_self_microstackshot(bool log_details) { void *buf = calloc(microstackshot_buf_size, 1); T_QUIET; T_ASSERT_NOTNULL(buf, "allocate buffer"); int ret = __microstackshot(buf, microstackshot_buf_size, STACKSHOT_GET_MICROSTACKSHOT); T_QUIET; T_ASSERT_POSIX_SUCCESS(ret, "microstackshot"); if (!log_details) { T_QUIET; } T_EXPECT_EQ(*(uint32_t *)buf, (uint32_t)STACKSHOT_MICRO_SNAPSHOT_MAGIC, "magic value for microstackshot matches"); uint32_t magic = STACKSHOT_TASK_SNAPSHOT_MAGIC; void* next_tsnap = memmem(buf, microstackshot_buf_size, &magic, sizeof(magic)); void* buf_end = buf + microstackshot_buf_size; while (next_tsnap != NULL && next_tsnap + sizeof(struct task_snapshot) < buf_end) { struct task_snapshot *tsnap = (struct task_snapshot *)next_tsnap; unsigned int offset = next_tsnap - buf; if (log_details) { T_LOG("%6d: found snap pid %d name %s\n", offset, tsnap->pid, (char*)&tsnap->p_comm); } if (tsnap->pid == getpid()) { if (log_details) { T_LOG("%6d: found self snap: flags 0x%x 0x%llx\n", offset, tsnap->ss_flags, tsnap->disk_reads_count); } found_self = true; if (tsnap->disk_reads_count & kTaskRunawayMitigation) { T_LOG("%6d: found runaway flag: pid %d, name %s, flags: 0x%x 0x%llx, \n", offset, tsnap->pid, (char*)&tsnap->p_comm, tsnap->ss_flags, tsnap->disk_reads_count); found_flag = true; } } void* search_start = next_tsnap + sizeof(struct task_snapshot); size_t remaining_size = buf_end - search_start; next_tsnap = memmem(search_start, remaining_size, &magic, sizeof(magic)); } free(buf); return found_flag; } T_DECL(runaway_mode_microstackshot_flag, "check that mitigated processes show up in microstackshot", T_META_REQUIRES_SYSCTL_EQ("kern.monotonic.supported", 1), T_META_TAG_VM_NOT_ELIGIBLE, T_META_TIMEOUT(120)) { unsigned int pmi_counter; size_t sysctl_size = sizeof(pmi_counter); int ret = sysctlbyname( "kern.microstackshot.pmi_sample_counter", &pmi_counter, &sysctl_size, NULL, 0); if (ret == -1 && errno == ENOENT) { T_SKIP("no PMI support"); } else { T_QUIET; T_ASSERT_POSIX_SUCCESS(ret, "query PMI counter"); } uint64_t pmi_period; sysctl_size = sizeof(pmi_period); T_QUIET; T_ASSERT_POSIX_SUCCESS(sysctlbyname( "kern.microstackshot.pmi_sample_period", &pmi_period, &sysctl_size, NULL, 0), "query PMI period"); T_LOG("PMI counter: %u", pmi_counter); T_LOG("PMI period: %llu", pmi_period); if (pmi_period == 0) { T_SKIP("PMI microstackshots not enabled"); } T_LOG("Enable mitigation mode on self\n"); T_EXPECT_POSIX_SUCCESS(setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_ON), "setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_ON)"); uint32_t iterations = 100; /* Over-spin to make it likely we get sampled at least once before failing */ uint32_t multiplier = 10; uint64_t target_cycles = multiplier * pmi_period; T_LOG("Spinning for %d iterations or %lld*%d cycles or until self-sample is found\n", iterations, pmi_period, multiplier); struct rusage_info_v6 ru = {}; for (int i = 0; i < iterations; i++) { spin_thread(NULL); int rv = proc_pid_rusage(getpid(), RUSAGE_INFO_V6, (rusage_info_t *)&ru); T_QUIET; T_ASSERT_POSIX_SUCCESS(rv, "proc_pid_rusage"); T_LOG("iteration %3d: %14lld / %14lld cycles executed (%.2f%%)\n", i, ru.ri_cycles, target_cycles, ((double)ru.ri_cycles) * 100.0 / (double)target_cycles); T_QUIET; T_ASSERT_NE(ru.ri_cycles, (uint64_t)0, "should be able to measure cycles with proc_pid_rusage"); bool found = search_for_self_microstackshot(false); if (ru.ri_cycles > target_cycles || found) { break; } } T_LOG("Complete, executed %lld cycles. Disable mitigation mode.\n", ru.ri_cycles); T_EXPECT_POSIX_SUCCESS(setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_OFF), "setpriority(PRIO_DARWIN_RUNAWAY_MITIGATION, 0, PRIO_DARWIN_RUNAWAY_MITIGATION_OFF)"); search_for_self_microstackshot(true); T_EXPECT_EQ(found_self, true, "Should have found self in microstackshot buffer"); T_EXPECT_EQ(found_flag, true, "Should have found kTaskRunawayMitigation flag in microstackshot buffer"); } #endif // defined(__arm64__)