xref: /xnu-10063.121.3/security/mac_process.c (revision 2c2f96dc2b9a4408a43d3150ae9c105355ca3daa)
1*2c2f96dcSApple OSS Distributions /*
2*2c2f96dcSApple OSS Distributions  * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
3*2c2f96dcSApple OSS Distributions  *
4*2c2f96dcSApple OSS Distributions  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5*2c2f96dcSApple OSS Distributions  *
6*2c2f96dcSApple OSS Distributions  * This file contains Original Code and/or Modifications of Original Code
7*2c2f96dcSApple OSS Distributions  * as defined in and that are subject to the Apple Public Source License
8*2c2f96dcSApple OSS Distributions  * Version 2.0 (the 'License'). You may not use this file except in
9*2c2f96dcSApple OSS Distributions  * compliance with the License. The rights granted to you under the License
10*2c2f96dcSApple OSS Distributions  * may not be used to create, or enable the creation or redistribution of,
11*2c2f96dcSApple OSS Distributions  * unlawful or unlicensed copies of an Apple operating system, or to
12*2c2f96dcSApple OSS Distributions  * circumvent, violate, or enable the circumvention or violation of, any
13*2c2f96dcSApple OSS Distributions  * terms of an Apple operating system software license agreement.
14*2c2f96dcSApple OSS Distributions  *
15*2c2f96dcSApple OSS Distributions  * Please obtain a copy of the License at
16*2c2f96dcSApple OSS Distributions  * http://www.opensource.apple.com/apsl/ and read it before using this file.
17*2c2f96dcSApple OSS Distributions  *
18*2c2f96dcSApple OSS Distributions  * The Original Code and all software distributed under the License are
19*2c2f96dcSApple OSS Distributions  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20*2c2f96dcSApple OSS Distributions  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21*2c2f96dcSApple OSS Distributions  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22*2c2f96dcSApple OSS Distributions  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23*2c2f96dcSApple OSS Distributions  * Please see the License for the specific language governing rights and
24*2c2f96dcSApple OSS Distributions  * limitations under the License.
25*2c2f96dcSApple OSS Distributions  *
26*2c2f96dcSApple OSS Distributions  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27*2c2f96dcSApple OSS Distributions  */
28*2c2f96dcSApple OSS Distributions 
29*2c2f96dcSApple OSS Distributions /*-
30*2c2f96dcSApple OSS Distributions  * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
31*2c2f96dcSApple OSS Distributions  * Copyright (c) 2001 Ilmar S. Habibulin
32*2c2f96dcSApple OSS Distributions  * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc.
33*2c2f96dcSApple OSS Distributions  *
34*2c2f96dcSApple OSS Distributions  * This software was developed by Robert Watson and Ilmar Habibulin for the
35*2c2f96dcSApple OSS Distributions  * TrustedBSD Project.
36*2c2f96dcSApple OSS Distributions  *
37*2c2f96dcSApple OSS Distributions  * This software was developed for the FreeBSD Project in part by Network
38*2c2f96dcSApple OSS Distributions  * Associates Laboratories, the Security Research Division of Network
39*2c2f96dcSApple OSS Distributions  * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
40*2c2f96dcSApple OSS Distributions  * as part of the DARPA CHATS research program.
41*2c2f96dcSApple OSS Distributions  *
42*2c2f96dcSApple OSS Distributions  * Redistribution and use in source and binary forms, with or without
43*2c2f96dcSApple OSS Distributions  * modification, are permitted provided that the following conditions
44*2c2f96dcSApple OSS Distributions  * are met:
45*2c2f96dcSApple OSS Distributions  * 1. Redistributions of source code must retain the above copyright
46*2c2f96dcSApple OSS Distributions  *    notice, this list of conditions and the following disclaimer.
47*2c2f96dcSApple OSS Distributions  * 2. Redistributions in binary form must reproduce the above copyright
48*2c2f96dcSApple OSS Distributions  *    notice, this list of conditions and the following disclaimer in the
49*2c2f96dcSApple OSS Distributions  *    documentation and/or other materials provided with the distribution.
50*2c2f96dcSApple OSS Distributions  *
51*2c2f96dcSApple OSS Distributions  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
52*2c2f96dcSApple OSS Distributions  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
53*2c2f96dcSApple OSS Distributions  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54*2c2f96dcSApple OSS Distributions  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
55*2c2f96dcSApple OSS Distributions  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
56*2c2f96dcSApple OSS Distributions  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
57*2c2f96dcSApple OSS Distributions  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58*2c2f96dcSApple OSS Distributions  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
59*2c2f96dcSApple OSS Distributions  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
60*2c2f96dcSApple OSS Distributions  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
61*2c2f96dcSApple OSS Distributions  * SUCH DAMAGE.
62*2c2f96dcSApple OSS Distributions  *
63*2c2f96dcSApple OSS Distributions  */
64*2c2f96dcSApple OSS Distributions 
65*2c2f96dcSApple OSS Distributions #include <string.h>
66*2c2f96dcSApple OSS Distributions #include <sys/param.h>
67*2c2f96dcSApple OSS Distributions #include <sys/ucred.h>
68*2c2f96dcSApple OSS Distributions #include <sys/malloc.h>
69*2c2f96dcSApple OSS Distributions #include <sys/sbuf.h>
70*2c2f96dcSApple OSS Distributions #include <sys/vnode.h>
71*2c2f96dcSApple OSS Distributions #include <sys/proc.h>
72*2c2f96dcSApple OSS Distributions #include <sys/proc_internal.h>
73*2c2f96dcSApple OSS Distributions #include <sys/kauth.h>
74*2c2f96dcSApple OSS Distributions #include <sys/imgact.h>
75*2c2f96dcSApple OSS Distributions #include <sys/reason.h>
76*2c2f96dcSApple OSS Distributions #include <sys/vnode_internal.h>
77*2c2f96dcSApple OSS Distributions #include <mach/mach_types.h>
78*2c2f96dcSApple OSS Distributions #include <kern/task.h>
79*2c2f96dcSApple OSS Distributions #include <kern/zalloc.h>
80*2c2f96dcSApple OSS Distributions 
81*2c2f96dcSApple OSS Distributions #include <os/hash.h>
82*2c2f96dcSApple OSS Distributions 
83*2c2f96dcSApple OSS Distributions #include <security/mac_internal.h>
84*2c2f96dcSApple OSS Distributions #include <security/mac_mach_internal.h>
85*2c2f96dcSApple OSS Distributions 
86*2c2f96dcSApple OSS Distributions #include <bsd/security/audit/audit.h>
87*2c2f96dcSApple OSS Distributions 
88*2c2f96dcSApple OSS Distributions #include <os/log.h>
89*2c2f96dcSApple OSS Distributions #include <kern/cs_blobs.h>
90*2c2f96dcSApple OSS Distributions #include <sys/spawn.h>
91*2c2f96dcSApple OSS Distributions #include <sys/spawn_internal.h>
92*2c2f96dcSApple OSS Distributions 
/*
 * Allocate a credential label from the MAC label zone and run the
 * cred_label_init policy hook on it through MAC_PERFORM.
 *
 * Returns the new label, or NULL when mac_labelzone_alloc() returns NULL
 * (in which case the hook is not run).  The label is released with
 * mac_cred_label_free().
 */
struct label *
mac_cred_label_alloc(void)
{
	struct label *new_label = mac_labelzone_alloc(MAC_WAITOK);

	/* Only hand a real label to the policy hook. */
	if (new_label != NULL) {
		MAC_PERFORM(cred_label_init, new_label);
	}
	return new_label;
}
105*2c2f96dcSApple OSS Distributions 
/*
 * Give a credential a freshly allocated MAC label.
 *
 * NOTE(review): mac_cred_label_alloc() can return NULL and this function has
 * no way to report it, so cr_label may end up NULL -- confirm callers cope.
 */
void
mac_cred_label_init(struct ucred *cred)
{
	struct label *fresh_label = mac_cred_label_alloc();

	cred->cr_label = fresh_label;
}
111*2c2f96dcSApple OSS Distributions 
/*
 * Mark a credential's label as sealed.
 *
 * On DEVELOPMENT and DEBUG kernels the label's l_owner field is overwritten
 * with the all-ones sentinel pointer through zalloc_ro_update_field();
 * mac_cred_label_free() tests for the same sentinel.  On other builds this
 * function does nothing.
 */
void
mac_cred_label_seal(struct ucred *cred)
{
#if !(DEVELOPMENT || DEBUG)
	(void)cred;
#else
	struct label **sealed_owner = (struct label **)-1;

	zalloc_ro_update_field(ZONE_ID_MAC_LABEL, cred->cr_label, l_owner, &sealed_owner);
#endif
}
123*2c2f96dcSApple OSS Distributions 
/*
 * Tear down a credential label: run the cred_label_destroy policy hook and
 * return the label to the label zone.
 *
 * On DEVELOPMENT and DEBUG kernels a label whose l_owner carries the
 * all-ones seal sentinel has l_owner reset to NULL first.  The label is
 * dereferenced there, so it must not be NULL on those builds.
 */
void
mac_cred_label_free(struct label *label)
{
#if DEVELOPMENT || DEBUG
	struct label **sealed_owner = (struct label **)-1;
	struct label **cleared_owner = NULL;

	/* Undo the seal before the label is destroyed. */
	if (label->l_owner == sealed_owner) {
		zalloc_ro_update_field(ZONE_ID_MAC_LABEL, label, l_owner, &cleared_owner);
	}
#endif

	MAC_PERFORM(cred_label_destroy, label);
	mac_labelzone_free(label);
}
139*2c2f96dcSApple OSS Distributions 
/*
 * Accessor: return the MAC label currently attached to cred (cr_label).
 * No reference is taken and the value may be NULL.
 */
struct label *
mac_cred_label(struct ucred *cred)
{
	struct label *current_label = cred->cr_label;

	return current_label;
}
145*2c2f96dcSApple OSS Distributions 
/*
 * Compare two labels by the raw bytes of their l_perpolicy arrays.
 *
 * Returns true when the arrays are byte-for-byte identical.  No other label
 * field takes part in the comparison, and both pointers must be non-NULL.
 */
bool
mac_cred_label_is_equal(const struct label *a, const struct label *b)
{
	const size_t slots_size = sizeof(a->l_perpolicy);
	const int diff = memcmp(a->l_perpolicy, b->l_perpolicy, slots_size);

	return diff == 0;
}
151*2c2f96dcSApple OSS Distributions 
/*
 * Fold a label into a running Jenkins hash.
 *
 * The bytes hashed are the label's l_perpolicy array, the same bytes that
 * mac_cred_label_is_equal() compares.  `hash` is the value accumulated so
 * far; the updated value is returned.
 */
uint32_t
mac_cred_label_hash_update(const struct label *a, uint32_t hash)
{
	const size_t slots_size = sizeof(a->l_perpolicy);

	return os_hash_jenkins_update(a->l_perpolicy, slots_size, hash);
}
157*2c2f96dcSApple OSS Distributions 
/*
 * Externalize the MAC label of process p's credential for audit purposes.
 *
 * The output goes to mac->m_string, bounded by mac->m_buflen.  A credential
 * reference is taken with kauth_cred_proc_ref() and dropped again before
 * returning.  Returns the result of MAC_EXTERNALIZE_AUDIT.
 */
int
mac_cred_label_externalize_audit(struct proc *p, struct mac *mac)
{
	/* Hold a credential reference for the duration of the policy call. */
	kauth_cred_t proc_cred = kauth_cred_proc_ref(p);
	int error = MAC_EXTERNALIZE_AUDIT(cred, mac_cred_label(proc_cred),
	    mac->m_string, mac->m_buflen);

	kauth_cred_unref(&proc_cred);
	return error;
}
172*2c2f96dcSApple OSS Distributions 
/*
 * Detach and free the MAC label of a credential.
 *
 * cr_label is cleared before the label is handed to mac_cred_label_free(),
 * so the credential does not keep pointing at the label being freed.
 */
void
mac_cred_label_destroy(kauth_cred_t cred)
{
	struct label *doomed = cred->cr_label;

	cred->cr_label = NULL;
	mac_cred_label_free(doomed);
}
180*2c2f96dcSApple OSS Distributions 
/*
 * Externalize a credential label into outbuf, which holds outbuflen bytes.
 *
 * `elements` is passed through to MAC_EXTERNALIZE unchanged; `flags` is
 * unused.  Returns the result of MAC_EXTERNALIZE.
 */
int
mac_cred_label_externalize(struct label *label, char *elements,
    char *outbuf, size_t outbuflen, int flags __unused)
{
	return MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
}
191*2c2f96dcSApple OSS Distributions 
/*
 * Internalize the textual label in `string` into `label`.
 *
 * Returns the result of MAC_INTERNALIZE.  mac_execve_enter() frees the label
 * when that result is non-zero.
 */
int
mac_cred_label_internalize(struct label *label, char *string)
{
	return MAC_INTERNALIZE(cred, label, string);
}
201*2c2f96dcSApple OSS Distributions 
/*
 * By default, fork just adds a reference to the parent
 * credential.  Policies may need to know about this reference
 * if they are tracking exit calls to know when to free the
 * label.
 *
 * This wrapper only forwards cred and proc to the
 * cred_label_associate_fork policy hook; it returns nothing.
 */
void
mac_cred_label_associate_fork(kauth_cred_t cred, proc_t proc)
{
	MAC_PERFORM(cred_label_associate_fork, cred, proc);
}
213*2c2f96dcSApple OSS Distributions 
/*
 * Initialize MAC label for the first kernel process, from which other
 * kernel processes and threads are spawned.
 *
 * The work is delegated to the cred_label_associate_kernel policy hook.
 */
void
mac_cred_label_associate_kernel(kauth_cred_t cred)
{
	MAC_PERFORM(cred_label_associate_kernel, cred);
}
223*2c2f96dcSApple OSS Distributions 
/*
 * Initialize MAC label for the first userland process, from which other
 * userland processes and threads are spawned.
 *
 * The work is delegated to the cred_label_associate_user policy hook.
 */
void
mac_cred_label_associate_user(kauth_cred_t cred)
{
	MAC_PERFORM(cred_label_associate_user, cred);
}
233*2c2f96dcSApple OSS Distributions 
/*
 * When a new process is created, its label must be initialized.  Generally,
 * this involves inheritance from the parent process, modulo possible
 * deltas.  This function allows that processing to take place by passing
 * both credentials to the cred_label_associate policy hook.
 */
void
mac_cred_label_associate(struct ucred *parent_cred, struct ucred *child_cred)
{
	MAC_PERFORM(cred_label_associate, parent_cred, child_cred);
}
244*2c2f96dcSApple OSS Distributions 
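/*
 * Attach a caller-requested MAC label to an exec in progress.
 *
 * mac_p is a user-space address.  USER_ADDR_NULL means no label was
 * requested, and the function returns 0 without touching imgp.  Otherwise
 * mac_do_set() is given a block that receives the label string (presumably
 * copied in from mac_p by mac_do_set() -- confirm), internalizes it into a
 * newly allocated credential label and stores the result in
 * imgp->ip_execlabelp.
 *
 * Returns 0 on success, ENOMEM when no label could be allocated, or the
 * error from mac_do_set() / mac_cred_label_internalize().  Whenever the block
 * fails, ip_execlabelp is set to NULL and the label is not leaked.
 */
int
mac_execve_enter(user_addr_t mac_p, struct image_params *imgp)
{
	if (mac_p == USER_ADDR_NULL) {
		return 0;
	}

	return mac_do_set(current_proc(), mac_p,
	           ^(char *input, __unused size_t len) {
		struct label *execlabel;
		int error;

		execlabel = mac_cred_label_alloc();
		if (execlabel == NULL) {
			/*
			 * mac_cred_label_alloc() has a NULL return path; never
			 * hand a NULL label to the internalize hooks.
			 */
			imgp->ip_execlabelp = NULL;
			return ENOMEM;
		}

		error = mac_cred_label_internalize(execlabel, input);
		if (error != 0) {
			/* The label string was rejected: drop the label. */
			mac_cred_label_free(execlabel);
			execlabel = NULL;
		}

		imgp->ip_execlabelp = execlabel;
		return error;
	});
}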
267*2c2f96dcSApple OSS Distributions 
/*
 * When the subject's label changes, it may require revocation of privilege
 * to mapped objects.  This can't be done on-the-fly later with a unified
 * buffer cache.
 *
 * XXX:		CRF_MAC_ENFORCE should be in a kauth_cred_t field, rather
 * XXX:		than a posix_cred_t field.
 *
 * Sets CRF_MAC_ENFORCE on the credential's posix_cred and then notifies the
 * policies through the cred_label_update hook.  No permission check happens
 * here; mac_cred_check_label_update() is the corresponding check entry point.
 */
void
mac_cred_label_update(kauth_cred_t cred, struct label *newlabel)
{
	/* force label to be part of "matching" for credential */
	posix_cred_get(cred)->cr_flags |= CRF_MAC_ENFORCE;

	/* inform the policies of the update */
	MAC_PERFORM(cred_label_update, cred, newlabel);
}
287*2c2f96dcSApple OSS Distributions 
/*
 * Ask the MAC policies whether cred may be relabeled to newlabel.
 *
 * Returns 0 (allow) without consulting any policy when the kernel is built
 * with SECURITY_MAC_CHECK_ENFORCE and mac_proc_enforce is clear.  Otherwise
 * returns `error`, which is presumably set by MAC_CHECK from the
 * cred_check_label_update hooks.
 */
int
mac_cred_check_label_update(kauth_cred_t cred, struct label *newlabel)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif

	MAC_CHECK(cred_check_label_update, cred, newlabel);

	return error;
}
304*2c2f96dcSApple OSS Distributions 
/*
 * Ask the MAC policies about visibility between credentials u1 and u2.
 * Both are passed to the cred_check_visible hook in that order.
 *
 * Returns 0 (allow) without consulting any policy when the kernel is built
 * with SECURITY_MAC_CHECK_ENFORCE and mac_proc_enforce is clear.  Otherwise
 * returns `error`, which is presumably set by MAC_CHECK.
 */
int
mac_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif

	MAC_CHECK(cred_check_visible, u1, u2);

	return error;
}
321*2c2f96dcSApple OSS Distributions 
/*
 * Ask the MAC policies whether the tracing process may debug the traced one.
 *
 * tracing_ident is resolved only to decide whether enforcement applies to
 * the tracer, and the proc reference is released before the hook runs.  The
 * hook itself receives tracing_cred and traced_ident.
 *
 * Returns 0 (allow) when enforcement is off globally (SECURITY_MAC_CHECK_ENFORCE
 * builds with mac_proc_enforce clear) or mac_proc_check_enforce() is false for
 * the tracer, ESRCH when the tracer cannot be found, and otherwise `error`,
 * which is presumably set by MAC_CHECK.
 */
int
mac_proc_check_debug(proc_ident_t tracing_ident, kauth_cred_t tracing_cred, proc_ident_t traced_ident)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	/*
	 * Once all mac hooks adopt proc_ident_t, finding proc_t and releasing
	 * it below should go to mac_proc_check_enforce().
	 */
	proc_t tracingp = proc_find_ident(tracing_ident);
	if (tracingp == PROC_NULL) {
		return ESRCH;
	}

	/* Sample the enforcement decision, then drop the reference at once. */
	const bool enforce = mac_proc_check_enforce(tracingp);
	proc_rele(tracingp);

	if (!enforce) {
		return 0;
	}
	MAC_CHECK(proc_check_debug, tracing_cred, traced_ident);

	return error;
}
352*2c2f96dcSApple OSS Distributions 
/*
 * Ask the MAC policies whether a core dump of proc is permitted.
 *
 * Returns 0 (allow) without consulting any policy when enforcement is off
 * globally (SECURITY_MAC_CHECK_ENFORCE builds with mac_proc_enforce clear) or
 * when mac_proc_check_enforce(proc) is false.  Otherwise returns `error`,
 * which is presumably set by MAC_CHECK.
 */
int
mac_proc_check_dump_core(struct proc *proc)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(proc)) {
		return 0;
	}

	MAC_CHECK(proc_check_dump_core, proc);

	return error;
}
372*2c2f96dcSApple OSS Distributions 
/*
 * Ask the MAC policies whether the current process may create a thread in
 * another task with the given thread state.
 *
 * The enforcement decision is taken for the calling process (current_proc()),
 * while the hook receives the caller's cached credential and the proc found
 * for task_pid(task).  The proc reference taken by proc_find() is held across
 * the hook call and released afterwards.
 *
 * Returns 0 (allow) when enforcement is off globally or for the caller, ESRCH
 * when no proc exists for the task's pid, and otherwise `error`, which is
 * presumably set by MAC_CHECK.
 */
int
mac_proc_check_remote_thread_create(struct task *task, int flavor, thread_state_t new_state, mach_msg_type_number_t new_state_count)
{
	proc_t curp = current_proc();
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(curp)) {
		return 0;
	}

	proc_t target = proc_find(task_pid(task));
	if (target == PROC_NULL) {
		return ESRCH;
	}

	MAC_CHECK(proc_check_remote_thread_create, current_cached_proc_cred(curp),
	    target, flavor, new_state, new_state_count);
	proc_rele(target);

	return error;
}
401*2c2f96dcSApple OSS Distributions 
/*
 * Notify the MAC policies that a service port is being derived.
 *
 * The proc_notify_service_port_derive hook receives the credential returned
 * by current_cached_proc_cred(PROC_NULL) together with sp_info.  This is a
 * notification only: nothing is returned and the operation cannot be vetoed
 * from here.
 */
void
mac_proc_notify_service_port_derive(struct mach_service_port_info *sp_info)
{
	MAC_PERFORM(proc_notify_service_port_derive,
	    current_cached_proc_cred(PROC_NULL), sp_info);
}
408*2c2f96dcSApple OSS Distributions 
/*
 * Ask the MAC policies whether curp may fork.
 *
 * The proc_check_fork hook receives curp's cached credential and curp itself.
 * Returns 0 (allow) without consulting any policy when enforcement is off
 * globally (SECURITY_MAC_CHECK_ENFORCE builds with mac_proc_enforce clear) or
 * when mac_proc_check_enforce(curp) is false.  Otherwise returns `error`,
 * which is presumably set by MAC_CHECK.
 */
int
mac_proc_check_fork(proc_t curp)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(curp)) {
		return 0;
	}

	MAC_CHECK(proc_check_fork, current_cached_proc_cred(curp), curp);

	return error;
}
428*2c2f96dcSApple OSS Distributions 
/*
 * Ask the MAC policies whether cred may obtain a task port of the given
 * flavor for the process identified by pident.
 *
 * Unlike most checks in this file there is no mac_proc_enforce or
 * mac_proc_check_enforce() short-circuit here: the
 * proc_check_get_task_with_flavor hook is always invoked.
 *
 * NOTE(review): the flavor bound is only an assert(); if assertions are
 * compiled out on release kernels, policies receive the flavor unchecked --
 * confirm callers validate it.
 *
 * Returns `error`, which is presumably set by MAC_CHECK.
 */
int
mac_proc_check_get_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
{
	int error;

	assert(flavor <= TASK_FLAVOR_NAME);

	MAC_CHECK(proc_check_get_task_with_flavor, cred, pident, flavor);

	return error;
}
440*2c2f96dcSApple OSS Distributions 
/*
 * Ask the MAC policies whether a task port of the given flavor for the
 * process identified by pident may be exposed to cred.
 *
 * There is no mac_proc_enforce or mac_proc_check_enforce() short-circuit
 * here: the proc_check_expose_task_with_flavor hook is always invoked.
 *
 * NOTE(review): the flavor bound is only an assert(); if assertions are
 * compiled out on release kernels, policies receive the flavor unchecked --
 * confirm callers validate it.
 *
 * Returns `error`, which is presumably set by MAC_CHECK.
 */
int
mac_proc_check_expose_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
{
	int error;

	assert(flavor <= TASK_FLAVOR_NAME);

	MAC_CHECK(proc_check_expose_task_with_flavor, cred, pident, flavor);

	return error;
}
452*2c2f96dcSApple OSS Distributions 
/*
 * Ask the MAC policies whether process p may keep its IPC ports across a
 * change of executable image.
 *
 * All arguments are forwarded unchanged to the proc_check_inherit_ipc_ports
 * hook: the current vnode and offset, the new image vnode and offset, and
 * the script vnode.  There is no enforcement short-circuit in this function;
 * the hook is always invoked.
 *
 * Returns `error`, which is presumably set by MAC_CHECK.
 */
int
mac_proc_check_inherit_ipc_ports(
	struct proc *p,
	struct vnode *cur_vp,
	off_t cur_offset,
	struct vnode *img_vp,
	off_t img_offset,
	struct vnode *scriptvp)
{
	int error;

	MAC_CHECK(proc_check_inherit_ipc_ports, p, cur_vp, cur_offset, img_vp, img_offset, scriptvp);

	return error;
}
468*2c2f96dcSApple OSS Distributions 
/*
 * The type of maxprot in proc_check_map_anon must be equivalent to vm_prot_t
 * (defined in <mach/vm_prot.h>). mac_policy.h does not include any header
 * files, so cannot use the typedef itself.
 *
 * Asks the MAC policies about an anonymous mapping requested by proc.
 * maxprot is passed by pointer to the proc_check_map_anon hook.
 *
 * This check is gated by mac_vm_enforce, not mac_proc_enforce, on
 * SECURITY_MAC_CHECK_ENFORCE builds.  It returns 0 (allow) without
 * consulting any policy when that flag is clear or when
 * mac_proc_check_enforce(proc) is false.  Otherwise it returns `error`,
 * which is presumably set by MAC_CHECK.
 */
int
mac_proc_check_map_anon(proc_t proc, kauth_cred_t cred, user_addr_t u_addr,
    user_size_t u_size, int prot, int flags, int *maxprot)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_vm_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(proc)) {
		return 0;
	}

	MAC_CHECK(proc_check_map_anon, proc, cred, u_addr, u_size, prot, flags, maxprot);

	return error;
}
494*2c2f96dcSApple OSS Distributions 
495*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_memorystatus_control MAC check, passing the credential
 * from current_cached_proc_cred(proc) together with command and pid.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(proc) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_memorystatus_control(proc_t proc, uint32_t command, pid_t pid)
{
	int error;      /* assigned by MAC_CHECK; not initialised here */

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(proc)) {
		MAC_CHECK(proc_check_memorystatus_control,
		    current_cached_proc_cred(proc), command, pid);
		return error;
	}

	/* Enforcement does not apply to proc: the policies are never asked. */
	return 0;
}
516*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_mprotect MAC check for a protection change on
 * [addr, addr + size) to prot. The policies receive the credential from
 * current_cached_proc_cred(proc) followed by proc, addr, size and prot.
 *
 * Note that the global gate here is mac_vm_enforce, not mac_proc_enforce.
 *
 * Returns 0 without consulting any policy when VM enforcement is switched
 * off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(proc) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_mprotect(proc_t proc, user_addr_t addr, user_size_t size,
    int prot)
{
	int error;      /* assigned by MAC_CHECK; not initialised here */

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_vm_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(proc)) {
		MAC_CHECK(proc_check_mprotect, current_cached_proc_cred(proc),
		    proc, addr, size, prot);
		return error;
	}

	/* Enforcement does not apply to proc: the policies are never asked. */
	return 0;
}
538*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_run_cs_invalid MAC check for proc.
 *
 * Only the global mac_vm_enforce switch gates this check (and only in
 * SECURITY_MAC_CHECK_ENFORCE builds). Unlike most checks in this file there
 * is no per-process mac_proc_check_enforce() gate, so the policies are
 * consulted for every process once the global switch is on.
 *
 * Returns 0 when VM enforcement is switched off; otherwise returns the value
 * that MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_run_cs_invalid(proc_t proc)
{
	int error;      /* assigned by MAC_CHECK; not initialised here */

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_vm_enforce == 0) {
		return 0;
	}
#endif

	MAC_CHECK(proc_check_run_cs_invalid, proc);
	return error;
}
555*2c2f96dcSApple OSS Distributions 
/*
 * Delivers the proc_notify_cs_invalidated notification for proc through
 * MAC_PERFORM. Nothing is returned and no enforcement switch is consulted
 * here, so the macro runs unconditionally.
 */
void
mac_proc_notify_cs_invalidated(proc_t proc)
{
	MAC_PERFORM(proc_notify_cs_invalidated, proc);
}
561*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_sched MAC check. curp is the subject: its cached
 * credential (current_cached_proc_cred) is passed to the policies together
 * with the target proc.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_sched(proc_t curp, struct proc *proc)
{
	int error;      /* assigned by MAC_CHECK; not initialised here */

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_sched, current_cached_proc_cred(curp), proc);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
581*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_signal MAC check. The policies receive curp's cached
 * credential, the target proc and signum.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_signal(proc_t curp, struct proc *proc, int signum)
{
	int error;      /* assigned by MAC_CHECK; not initialised here */

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_signal, current_cached_proc_cred(curp),
		    proc, signum);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
601*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_syscall_unix MAC check for system call number scnum.
 * The policies receive curp itself (not a credential) and scnum.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_syscall_unix(proc_t curp, int scnum)
{
	int error;      /* assigned by MAC_CHECK; not initialised here */

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_syscall_unix, curp, scnum);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
621*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_wait MAC check. The policies receive curp's cached
 * credential and the target proc.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_wait(proc_t curp, struct proc *proc)
{
	int error;      /* assigned by MAC_CHECK; not initialised here */

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_wait, current_cached_proc_cred(curp), proc);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
641*2c2f96dcSApple OSS Distributions 
/*
 * Delivers the proc_notify_exit notification for proc through MAC_PERFORM.
 * Nothing is returned and no enforcement switch is consulted here, so the
 * macro runs unconditionally.
 */
void
mac_proc_notify_exit(struct proc *proc)
{
	MAC_PERFORM(proc_notify_exit, proc);
}
647*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_suspend_resume MAC check against the target proc with
 * the operation selector sr.
 *
 * The subject is not a parameter: it is taken from current_proc(), and both
 * the per-process enforcement gate and the credential passed to the policies
 * come from that process.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce() is false for the current process; otherwise
 * returns the value that MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_suspend_resume(proc_t proc, int sr)
{
	proc_t caller = current_proc();
	int error;      /* assigned by MAC_CHECK; not initialised here */

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(caller)) {
		MAC_CHECK(proc_check_suspend_resume,
		    current_cached_proc_cred(caller), proc, sr);
		return error;
	}

	/* Enforcement does not apply to the caller: the policies are never asked. */
	return 0;
}
669*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_ledger MAC check. The policies receive curp's cached
 * credential, the target proc and ledger_op.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_ledger(proc_t curp, proc_t proc, int ledger_op)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_ledger, current_cached_proc_cred(curp),
		    proc, ledger_op);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
690*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_proc_info MAC check. The policies receive curp's
 * cached credential, the target process, callnum and flavor.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_proc_info, current_cached_proc_cred(curp),
		    target, callnum, flavor);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
711*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_get_cs_info MAC check. The policies receive curp's
 * cached credential, the target process and op.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_get_cs_info, current_cached_proc_cred(curp),
		    target, op);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
732*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_set_cs_info MAC check. The policies receive curp's
 * cached credential, the target process and op.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_set_cs_info(proc_t curp, proc_t target, unsigned int op)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_set_cs_info, current_cached_proc_cred(curp),
		    target, op);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
753*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_setuid MAC check. curp is used only for the
 * per-process enforcement gate; the policies receive the caller-supplied
 * cred and the requested uid.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_setuid(proc_t curp, kauth_cred_t cred, uid_t uid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_setuid, cred, uid);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
773*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_seteuid MAC check. curp is used only for the
 * per-process enforcement gate; the policies receive the caller-supplied
 * cred and the requested euid.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_seteuid(proc_t curp, kauth_cred_t cred, uid_t euid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_seteuid, cred, euid);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
793*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_setreuid MAC check. curp is used only for the
 * per-process enforcement gate; the policies receive the caller-supplied
 * cred and the requested ruid and euid.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_setreuid(proc_t curp, kauth_cred_t cred, uid_t ruid, uid_t euid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
813*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_setgid MAC check. curp is used only for the
 * per-process enforcement gate; the policies receive the caller-supplied
 * cred and the requested gid.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_setgid(proc_t curp, kauth_cred_t cred, gid_t gid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_setgid, cred, gid);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
833*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_setegid MAC check. curp is used only for the
 * per-process enforcement gate; the policies receive the caller-supplied
 * cred and the requested egid.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_setegid(proc_t curp, kauth_cred_t cred, gid_t egid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_setegid, cred, egid);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
853*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_setregid MAC check. curp is used only for the
 * per-process enforcement gate; the policies receive the caller-supplied
 * cred and the requested rgid and egid.
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_setregid(proc_t curp, kauth_cred_t cred, gid_t rgid, gid_t egid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_setregid, cred, rgid, egid);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
873*2c2f96dcSApple OSS Distributions 
/*
 * Runs the proc_check_settid MAC check for the requested uid and gid.
 *
 * Two credentials are passed to the policies: curp's cached credential
 * (current_cached_proc_cred) and the result of kauth_cred_get(), which is
 * presumably the calling thread's own credential (confirm against the hook
 * declaration).
 *
 * Returns 0 without consulting any policy when process enforcement is
 * switched off (SECURITY_MAC_CHECK_ENFORCE builds only) or when
 * mac_proc_check_enforce(curp) is false; otherwise returns the value that
 * MAC_CHECK leaves in `error`.
 */
int
mac_proc_check_settid(proc_t curp, uid_t uid, gid_t gid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switch, compiled in only when this macro is set */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif

	if (mac_proc_check_enforce(curp)) {
		MAC_CHECK(proc_check_settid, current_cached_proc_cred(curp),
		    kauth_cred_get(), uid, gid);
		return error;
	}

	/* Enforcement does not apply to curp: the policies are never asked. */
	return 0;
}
894*2c2f96dcSApple OSS Distributions 
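/*
 * Ask every registered MAC policy that implements
 * mpo_proc_check_launch_constraints whether the image described by imgp may
 * be launched, and build an exit reason when a policy reports a fatal
 * failure.
 *
 * curp     process performing the launch; proc_original_ppid(curp) and
 *          curp->p_responsible_pid are passed to each hook.
 * imgp     image parameters; ip_vp, ip_px_smpx and ip_px_sa are read.
 * reasonp  out: receives a newly created OS_REASON_CODESIGNING reason when a
 *          hook set a non-zero fatal_failure_desc_len; left untouched
 *          otherwise.
 *
 * Returns the hook results folded through mac_error_select(), or 0 without
 * consulting any policy when mac_proc_enforce or mac_vnode_enforce is off
 * (SECURITY_MAC_CHECK_ENFORCE builds only). Unlike most checks in this file
 * there is no per-process mac_proc_check_enforce() gate.
 *
 * Ownership: a description buffer handed back by a hook is released here
 * with kfree_data(), so the hook presumably has to allocate it with the
 * matching data allocator and report its exact size (confirm against the
 * hook contract).
 */
int
mac_proc_check_launch_constraints(proc_t curp, struct image_params *imgp, os_reason_t *reasonp)
{
	char *fatal_failure_desc = NULL;
	size_t fatal_failure_desc_len = 0;

	pid_t original_parent_id = proc_original_ppid(curp);

	pid_t responsible_pid = curp->p_responsible_pid;

	int error = 0;

	/* Vnode of the file */
	struct vnode *vp = imgp->ip_vp;

	char *vn_path = NULL;
	/*
	 * vn_getpath() takes an int * length. Keep the length in an int instead
	 * of casting the address of a wider vm_size_t, which only produced the
	 * right value on little-endian targets.
	 */
	int vn_pathlen = MAXPATHLEN;
#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099: global switches, compiled in only when this macro is set */
	if (!mac_proc_enforce || !mac_vnode_enforce) {
		return 0;
	}
#endif

	MAC_POLICY_ITERATE({
		mpo_proc_check_launch_constraints_t *hook = mpc->mpc_ops->mpo_proc_check_launch_constraints;
		if (hook == NULL) {
			continue;
		}

		size_t spawnattrlen = 0;
		void *spawnattr = exec_spawnattr_getmacpolicyinfo(&imgp->ip_px_smpx, mpc->mpc_name, &spawnattrlen);
		struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
		struct launch_constraint_data lcd;
		lcd.launch_type = CS_LAUNCH_TYPE_NONE;

		/* Only read psa_launch_type when spawn attributes were supplied */
		if (psa != NULL) {
			lcd.launch_type = psa->psa_launch_type;
		}

		error = mac_error_select(
			hook(curp, original_parent_id, responsible_pid,
			spawnattr, spawnattrlen, &lcd, &fatal_failure_desc, &fatal_failure_desc_len), error);

		/*
		 * Stop at the first policy that reports a fatal failure, so that a
		 * later policy cannot overwrite its failure description.
		 *
		 * NOTE(review): this goto leaves MAC_POLICY_ITERATE from inside its
		 * body. The macro is defined elsewhere; if it takes a busy count or
		 * lock around part of the iteration, confirm that leaving this way
		 * still releases it.
		 */
		if (fatal_failure_desc_len) {
			goto policy_fail;
		}
	});

policy_fail:
	if (fatal_failure_desc_len) {
		/*
		 * A fatal code signature validation failure occurred, formulate a
		 * crash reason.
		 */

		char const *path = NULL;

		vn_path = zalloc(ZV_NAMEI);
		if (vn_getpath(vp, vn_path, &vn_pathlen) == 0) {
			path = vn_path;
		} else {
			path = "(get vnode path failed)";
		}

		/*
		 * A hook that claims a fatal failure must also have produced an
		 * error; anything else is treated as a policy bug.
		 * NOTE(review): fatal_failure_desc is printed with %s, which assumes
		 * the hook returned a NUL-terminated, non-NULL string - confirm.
		 */
		if (error == 0) {
			panic("%s: MAC hook returned no error, but status is claimed to be fatal? "
			    "path: '%s', fatal_failure_desc_len: %ld, fatal_failure_desc:\n%s\n",
			    __func__, path, fatal_failure_desc_len, fatal_failure_desc);
		}

		os_reason_t reason = os_reason_create(OS_REASON_CODESIGNING,
		    CODESIGNING_EXIT_REASON_LAUNCH_CONSTRAINT_VIOLATION);

		*reasonp = reason;

		reason->osr_flags = (OS_REASON_FLAG_GENERATE_CRASH_REPORT |
		    OS_REASON_FLAG_CONSISTENT_FAILURE);

		if (fatal_failure_desc != NULL) {
			mach_vm_address_t data_addr = 0;

			/*
			 * Attaching the description is best effort: if either the
			 * buffer allocation or the kcdata slot lookup fails, the
			 * reason is still returned, just without the text.
			 *
			 * NOTE(review): the length is narrowed to uint32_t for the
			 * kcdata calls while kfree_data() below receives the full
			 * size_t; presumably hooks never return a description longer
			 * than UINT32_MAX - confirm.
			 */
			if (os_reason_alloc_buffer_noblock(reason,
			    kcdata_estimate_required_buffer_size(1,
			    (uint32_t)fatal_failure_desc_len)) == 0 &&
			    kcdata_get_memory_addr(&reason->osr_kcd_descriptor,
			    EXIT_REASON_USER_DESC, (uint32_t)fatal_failure_desc_len,
			    &data_addr) == KERN_SUCCESS) {
				kcdata_memcpy(&reason->osr_kcd_descriptor, data_addr,
				    fatal_failure_desc, (uint32_t)fatal_failure_desc_len);
			}
		}
	}

	if (vn_path) {
		zfree(ZV_NAMEI, vn_path);
	}

	/* The hook's description buffer is owned, and released, by this function. */
	if (fatal_failure_desc_len > 0 && fatal_failure_desc != NULL) {
		kfree_data(fatal_failure_desc, fatal_failure_desc_len);
	}

	return error;
}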