/*
 * Copyright (c) 2020-2025 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */

#ifndef _KERN_EXEC_INTERNAL_H_
#define _KERN_EXEC_INTERNAL_H_

#include <sys/imgact.h>
#include <sys/kernel_types.h>
#include <kern/mach_loader.h>

/*
 * Set p->p_comm and p->p_name to the name passed to exec.
 *
 * imgp - parameters of the exec in progress (presumably where the exec'd
 *        name is read from; confirm in the implementation)
 * p    - the process whose p_comm and p_name are overwritten
 */
extern void
set_proc_name(struct image_params *imgp, proc_t p);

/*
 * Runtime security mitigations in production are primarily controlled by
 * entitlements. Third party processes/daemons on MacOS aren't allowed to use
 * the com.apple.developer entitlement without a profile, whereby a special carve out
 * exists for com.apple.security.
 *
 * Progressively we expect internal first party software to shift towards the com.apple.security
 * format, but until then we support both cases, with a strict rule that only one can
 * be present. A binary that violates that rule is reported by
 * exec_check_security_entitlement() below as EXEC_SECURITY_INVALID_CONFIG.
 *
 * The enumerators are backed by uint8_t and take their values positionally, and the
 * CHECKED_ALLOCATIONS_* entries exist only when HAS_MTE is set, so the numeric value
 * of an entitlement is a build-local detail: do not persist it or pass it across a
 * configuration boundary, and append new entries rather than inserting them.
 */
__enum_decl(exec_security_mitigation_entitlement_t, uint8_t, {
	/*
	 * Hardened-process.
	 *
	 * Security mitigations follow the notion of "hardened-process": binaries that we
	 * have identified as being security critical. They are identified by the
	 * com.apple.{developer|security}.hardened-process entitlement, which is required to further
	 * configure the other security mitigations.
	 */
	HARDENED_PROCESS = 0,
	/*
	 * Hardened-Heap.
	 *
	 * This mitigation extends libmalloc xzone with a number of security features,
	 * most notably increasing the number of buckets and adding guard pages.
	 * The presence of the entitlement opts the binary into the feature.
	 */
	HARDENED_HEAP,
	/*
	 * TPRO - Trusted-Path Read-Only
	 *
	 * The TPRO mitigation allows creating memory regions that are read-only
	 * but that can be rapidly, locally, modified by trusted-paths to be temporarily
	 * read-write. TPRO is "enabled by default" (with the caveats in exec_setup_tpro())
	 * starting with the SDK versions below.
	 */
	TPRO,
#if HAS_MTE
	/*
	 * Checked-Allocations (MTE).
	 *
	 * NOTE(review): this entry carries no description. From the entries that follow
	 * it looks like the base opt-in for tag-checked allocations, which the remaining
	 * CHECKED_ALLOCATIONS_* entitlements refine — confirm against the exec/AMFI code
	 * that consumes it.
	 */
	CHECKED_ALLOCATIONS,
	/*
	 * For performance reasons, userland allocators are not required to tag pure data regions. This is
	 * mostly a libmalloc xzone concept, which has separated zones for pointer-containing vs pure-data
	 * allocations. We consider the former more "security-interesting" and therefore focus our
	 * protection on them. This allows saving on performance, although for certain processes we
	 * can swallow the trade-off (both in stability and perf) and enable the extra feature.
	 */
	CHECKED_ALLOCATIONS_PURE_DATA,
	/*
	 * Certain first-party actors (such as WCP and BlastDoor) are modeled untrustworthy, and should never
	 * be allowed to receive untagged aliases to tagged memory from other actors. This entitlement (and a
	 * corresponding hard-coded bundle ID list in AMFI, for secrecy) expresses this constraint.
	 */
	CHECKED_ALLOCATIONS_NO_TAGGED_RECEIVE,
	/*
	 * First and third party processes may want to have a form of "soaking time" where their process
	 * is battle-tested with MTE without crashing on tag check faults. We call this mode soft-mode.
	 * Note that after the first tag check fault, tag checking is completely disabled on the process,
	 * so soft-mode trades detection strength for stability and is not a substitute for the
	 * enforcing mode.
	 */
	CHECKED_ALLOCATIONS_SOFT_MODE,
#endif /* HAS_MTE */
});

/*
 * exec_check_security_entitlement verifies whether a given entitlement is
 * associated to the to-be-run process. It verifies both legacy and current
 * format and returns:
 *   EXEC_SECURITY_NOT_ENTITLED   - if no entitlement is present
 *   EXEC_SECURITY_ENTITLED       - if the entitlement is present
 *   EXEC_SECURITY_INVALID_CONFIG - if _both_ entitlements are present (fatal condition)
 *
 * Callers must keep EXEC_SECURITY_INVALID_CONFIG distinct from
 * EXEC_SECURITY_NOT_ENTITLED: a binary carrying both forms is a misconfiguration
 * to be treated as fatal, not a process that merely did not opt into the mitigation.
 */
__enum_decl(exec_security_err_t, uint8_t, {
	EXEC_SECURITY_NOT_ENTITLED,
	EXEC_SECURITY_ENTITLED,
	EXEC_SECURITY_INVALID_CONFIG
});

/*
 * imgp        - parameters of the exec being set up; the entitlement lookup is
 *               made for the image described here
 * entitlement - which mitigation entitlement to test for
 *
 * Returns one of exec_security_err_t as described above.
 */
extern exec_security_err_t exec_check_security_entitlement(struct image_params *imgp,
    exec_security_mitigation_entitlement_t entitlement);

#endif /* _KERN_EXEC_INTERNAL_H_ */