1*bbb1b6f9SApple OSS Distributions /*
2*bbb1b6f9SApple OSS Distributions * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
3*bbb1b6f9SApple OSS Distributions *
4*bbb1b6f9SApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5*bbb1b6f9SApple OSS Distributions *
6*bbb1b6f9SApple OSS Distributions * This file contains Original Code and/or Modifications of Original Code
7*bbb1b6f9SApple OSS Distributions * as defined in and that are subject to the Apple Public Source License
8*bbb1b6f9SApple OSS Distributions * Version 2.0 (the 'License'). You may not use this file except in
9*bbb1b6f9SApple OSS Distributions * compliance with the License. The rights granted to you under the License
10*bbb1b6f9SApple OSS Distributions * may not be used to create, or enable the creation or redistribution of,
11*bbb1b6f9SApple OSS Distributions * unlawful or unlicensed copies of an Apple operating system, or to
12*bbb1b6f9SApple OSS Distributions * circumvent, violate, or enable the circumvention or violation of, any
13*bbb1b6f9SApple OSS Distributions * terms of an Apple operating system software license agreement.
14*bbb1b6f9SApple OSS Distributions *
15*bbb1b6f9SApple OSS Distributions * Please obtain a copy of the License at
16*bbb1b6f9SApple OSS Distributions * http://www.opensource.apple.com/apsl/ and read it before using this file.
17*bbb1b6f9SApple OSS Distributions *
18*bbb1b6f9SApple OSS Distributions * The Original Code and all software distributed under the License are
19*bbb1b6f9SApple OSS Distributions * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20*bbb1b6f9SApple OSS Distributions * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21*bbb1b6f9SApple OSS Distributions * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22*bbb1b6f9SApple OSS Distributions * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23*bbb1b6f9SApple OSS Distributions * Please see the License for the specific language governing rights and
24*bbb1b6f9SApple OSS Distributions * limitations under the License.
25*bbb1b6f9SApple OSS Distributions *
26*bbb1b6f9SApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27*bbb1b6f9SApple OSS Distributions */
28*bbb1b6f9SApple OSS Distributions
29*bbb1b6f9SApple OSS Distributions /*-
30*bbb1b6f9SApple OSS Distributions * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
31*bbb1b6f9SApple OSS Distributions * Copyright (c) 2001 Ilmar S. Habibulin
32*bbb1b6f9SApple OSS Distributions * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc.
33*bbb1b6f9SApple OSS Distributions *
34*bbb1b6f9SApple OSS Distributions * This software was developed by Robert Watson and Ilmar Habibulin for the
35*bbb1b6f9SApple OSS Distributions * TrustedBSD Project.
36*bbb1b6f9SApple OSS Distributions *
37*bbb1b6f9SApple OSS Distributions * This software was developed for the FreeBSD Project in part by Network
38*bbb1b6f9SApple OSS Distributions * Associates Laboratories, the Security Research Division of Network
39*bbb1b6f9SApple OSS Distributions * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
40*bbb1b6f9SApple OSS Distributions * as part of the DARPA CHATS research program.
41*bbb1b6f9SApple OSS Distributions *
42*bbb1b6f9SApple OSS Distributions * Redistribution and use in source and binary forms, with or without
43*bbb1b6f9SApple OSS Distributions * modification, are permitted provided that the following conditions
44*bbb1b6f9SApple OSS Distributions * are met:
45*bbb1b6f9SApple OSS Distributions * 1. Redistributions of source code must retain the above copyright
46*bbb1b6f9SApple OSS Distributions * notice, this list of conditions and the following disclaimer.
47*bbb1b6f9SApple OSS Distributions * 2. Redistributions in binary form must reproduce the above copyright
48*bbb1b6f9SApple OSS Distributions * notice, this list of conditions and the following disclaimer in the
49*bbb1b6f9SApple OSS Distributions * documentation and/or other materials provided with the distribution.
50*bbb1b6f9SApple OSS Distributions *
51*bbb1b6f9SApple OSS Distributions * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
52*bbb1b6f9SApple OSS Distributions * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
53*bbb1b6f9SApple OSS Distributions * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54*bbb1b6f9SApple OSS Distributions * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
55*bbb1b6f9SApple OSS Distributions * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
56*bbb1b6f9SApple OSS Distributions * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
57*bbb1b6f9SApple OSS Distributions * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58*bbb1b6f9SApple OSS Distributions * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
59*bbb1b6f9SApple OSS Distributions * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
60*bbb1b6f9SApple OSS Distributions * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
61*bbb1b6f9SApple OSS Distributions * SUCH DAMAGE.
62*bbb1b6f9SApple OSS Distributions *
63*bbb1b6f9SApple OSS Distributions */
64*bbb1b6f9SApple OSS Distributions
65*bbb1b6f9SApple OSS Distributions #include <string.h>
66*bbb1b6f9SApple OSS Distributions #include <sys/param.h>
67*bbb1b6f9SApple OSS Distributions #include <sys/ucred.h>
68*bbb1b6f9SApple OSS Distributions #include <sys/malloc.h>
69*bbb1b6f9SApple OSS Distributions #include <sys/sbuf.h>
70*bbb1b6f9SApple OSS Distributions #include <sys/vnode.h>
71*bbb1b6f9SApple OSS Distributions #include <sys/proc.h>
72*bbb1b6f9SApple OSS Distributions #include <sys/proc_internal.h>
73*bbb1b6f9SApple OSS Distributions #include <sys/kauth.h>
74*bbb1b6f9SApple OSS Distributions #include <sys/imgact.h>
75*bbb1b6f9SApple OSS Distributions #include <sys/reason.h>
76*bbb1b6f9SApple OSS Distributions #include <sys/vnode_internal.h>
77*bbb1b6f9SApple OSS Distributions #include <mach/mach_types.h>
78*bbb1b6f9SApple OSS Distributions #include <kern/task.h>
79*bbb1b6f9SApple OSS Distributions #include <kern/zalloc.h>
80*bbb1b6f9SApple OSS Distributions
81*bbb1b6f9SApple OSS Distributions #include <os/hash.h>
82*bbb1b6f9SApple OSS Distributions
83*bbb1b6f9SApple OSS Distributions #include <security/mac_internal.h>
84*bbb1b6f9SApple OSS Distributions #include <security/mac_mach_internal.h>
85*bbb1b6f9SApple OSS Distributions
86*bbb1b6f9SApple OSS Distributions #include <bsd/security/audit/audit.h>
87*bbb1b6f9SApple OSS Distributions
88*bbb1b6f9SApple OSS Distributions #include <os/log.h>
89*bbb1b6f9SApple OSS Distributions #include <kern/cs_blobs.h>
90*bbb1b6f9SApple OSS Distributions #include <sys/spawn.h>
91*bbb1b6f9SApple OSS Distributions #include <sys/spawn_internal.h>
92*bbb1b6f9SApple OSS Distributions
93*bbb1b6f9SApple OSS Distributions struct label *
mac_cred_label_alloc(void)94*bbb1b6f9SApple OSS Distributions mac_cred_label_alloc(void)
95*bbb1b6f9SApple OSS Distributions {
96*bbb1b6f9SApple OSS Distributions struct label *label;
97*bbb1b6f9SApple OSS Distributions
98*bbb1b6f9SApple OSS Distributions label = mac_labelzone_alloc(MAC_WAITOK);
99*bbb1b6f9SApple OSS Distributions if (label == NULL) {
100*bbb1b6f9SApple OSS Distributions return NULL;
101*bbb1b6f9SApple OSS Distributions }
102*bbb1b6f9SApple OSS Distributions MAC_PERFORM(cred_label_init, label);
103*bbb1b6f9SApple OSS Distributions return label;
104*bbb1b6f9SApple OSS Distributions }
105*bbb1b6f9SApple OSS Distributions
106*bbb1b6f9SApple OSS Distributions void
mac_cred_label_init(struct ucred * cred)107*bbb1b6f9SApple OSS Distributions mac_cred_label_init(struct ucred *cred)
108*bbb1b6f9SApple OSS Distributions {
109*bbb1b6f9SApple OSS Distributions cred->cr_label = mac_cred_label_alloc();
110*bbb1b6f9SApple OSS Distributions }
111*bbb1b6f9SApple OSS Distributions
112*bbb1b6f9SApple OSS Distributions void
mac_cred_label_seal(struct ucred * cred)113*bbb1b6f9SApple OSS Distributions mac_cred_label_seal(struct ucred *cred)
114*bbb1b6f9SApple OSS Distributions {
115*bbb1b6f9SApple OSS Distributions #if DEVELOPMENT || DEBUG
116*bbb1b6f9SApple OSS Distributions struct label **seal = (struct label **)-1;
117*bbb1b6f9SApple OSS Distributions
118*bbb1b6f9SApple OSS Distributions zalloc_ro_update_field(ZONE_ID_MAC_LABEL, cred->cr_label, l_owner, &seal);
119*bbb1b6f9SApple OSS Distributions #else
120*bbb1b6f9SApple OSS Distributions (void)cred;
121*bbb1b6f9SApple OSS Distributions #endif
122*bbb1b6f9SApple OSS Distributions }
123*bbb1b6f9SApple OSS Distributions
124*bbb1b6f9SApple OSS Distributions void
mac_cred_label_free(struct label * label)125*bbb1b6f9SApple OSS Distributions mac_cred_label_free(struct label *label)
126*bbb1b6f9SApple OSS Distributions {
127*bbb1b6f9SApple OSS Distributions #if DEVELOPMENT || DEBUG
128*bbb1b6f9SApple OSS Distributions struct label **seal = (struct label **)-1;
129*bbb1b6f9SApple OSS Distributions
130*bbb1b6f9SApple OSS Distributions if (label->l_owner == seal) {
131*bbb1b6f9SApple OSS Distributions seal = NULL;
132*bbb1b6f9SApple OSS Distributions zalloc_ro_update_field(ZONE_ID_MAC_LABEL, label, l_owner, &seal);
133*bbb1b6f9SApple OSS Distributions }
134*bbb1b6f9SApple OSS Distributions #endif
135*bbb1b6f9SApple OSS Distributions
136*bbb1b6f9SApple OSS Distributions MAC_PERFORM(cred_label_destroy, label);
137*bbb1b6f9SApple OSS Distributions mac_labelzone_free(label);
138*bbb1b6f9SApple OSS Distributions }
139*bbb1b6f9SApple OSS Distributions
140*bbb1b6f9SApple OSS Distributions struct label *
mac_cred_label(struct ucred * cred)141*bbb1b6f9SApple OSS Distributions mac_cred_label(struct ucred *cred)
142*bbb1b6f9SApple OSS Distributions {
143*bbb1b6f9SApple OSS Distributions return cred->cr_label;
144*bbb1b6f9SApple OSS Distributions }
145*bbb1b6f9SApple OSS Distributions
146*bbb1b6f9SApple OSS Distributions bool
mac_cred_label_is_equal(const struct label * a,const struct label * b)147*bbb1b6f9SApple OSS Distributions mac_cred_label_is_equal(const struct label *a, const struct label *b)
148*bbb1b6f9SApple OSS Distributions {
149*bbb1b6f9SApple OSS Distributions return memcmp(a->l_perpolicy, b->l_perpolicy, sizeof(a->l_perpolicy)) == 0;
150*bbb1b6f9SApple OSS Distributions }
151*bbb1b6f9SApple OSS Distributions
152*bbb1b6f9SApple OSS Distributions uint32_t
mac_cred_label_hash_update(const struct label * a,uint32_t hash)153*bbb1b6f9SApple OSS Distributions mac_cred_label_hash_update(const struct label *a, uint32_t hash)
154*bbb1b6f9SApple OSS Distributions {
155*bbb1b6f9SApple OSS Distributions return os_hash_jenkins_update(a->l_perpolicy, sizeof(a->l_perpolicy), hash);
156*bbb1b6f9SApple OSS Distributions }
157*bbb1b6f9SApple OSS Distributions
158*bbb1b6f9SApple OSS Distributions int
mac_cred_label_externalize_audit(struct proc * p,struct mac * mac)159*bbb1b6f9SApple OSS Distributions mac_cred_label_externalize_audit(struct proc *p, struct mac *mac)
160*bbb1b6f9SApple OSS Distributions {
161*bbb1b6f9SApple OSS Distributions kauth_cred_t cr;
162*bbb1b6f9SApple OSS Distributions int error;
163*bbb1b6f9SApple OSS Distributions
164*bbb1b6f9SApple OSS Distributions cr = kauth_cred_proc_ref(p);
165*bbb1b6f9SApple OSS Distributions
166*bbb1b6f9SApple OSS Distributions error = MAC_EXTERNALIZE_AUDIT(cred, mac_cred_label(cr),
167*bbb1b6f9SApple OSS Distributions mac->m_string, mac->m_buflen);
168*bbb1b6f9SApple OSS Distributions
169*bbb1b6f9SApple OSS Distributions kauth_cred_unref(&cr);
170*bbb1b6f9SApple OSS Distributions return error;
171*bbb1b6f9SApple OSS Distributions }
172*bbb1b6f9SApple OSS Distributions
173*bbb1b6f9SApple OSS Distributions void
mac_cred_label_destroy(kauth_cred_t cred)174*bbb1b6f9SApple OSS Distributions mac_cred_label_destroy(kauth_cred_t cred)
175*bbb1b6f9SApple OSS Distributions {
176*bbb1b6f9SApple OSS Distributions struct label *label = mac_cred_label(cred);
177*bbb1b6f9SApple OSS Distributions cred->cr_label = NULL;
178*bbb1b6f9SApple OSS Distributions mac_cred_label_free(label);
179*bbb1b6f9SApple OSS Distributions }
180*bbb1b6f9SApple OSS Distributions
181*bbb1b6f9SApple OSS Distributions int
mac_cred_label_externalize(struct label * label,char * elements,char * outbuf,size_t outbuflen,int flags __unused)182*bbb1b6f9SApple OSS Distributions mac_cred_label_externalize(struct label *label, char *elements,
183*bbb1b6f9SApple OSS Distributions char *outbuf, size_t outbuflen, int flags __unused)
184*bbb1b6f9SApple OSS Distributions {
185*bbb1b6f9SApple OSS Distributions int error = 0;
186*bbb1b6f9SApple OSS Distributions
187*bbb1b6f9SApple OSS Distributions error = MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
188*bbb1b6f9SApple OSS Distributions
189*bbb1b6f9SApple OSS Distributions return error;
190*bbb1b6f9SApple OSS Distributions }
191*bbb1b6f9SApple OSS Distributions
192*bbb1b6f9SApple OSS Distributions int
mac_cred_label_internalize(struct label * label,char * string)193*bbb1b6f9SApple OSS Distributions mac_cred_label_internalize(struct label *label, char *string)
194*bbb1b6f9SApple OSS Distributions {
195*bbb1b6f9SApple OSS Distributions int error;
196*bbb1b6f9SApple OSS Distributions
197*bbb1b6f9SApple OSS Distributions error = MAC_INTERNALIZE(cred, label, string);
198*bbb1b6f9SApple OSS Distributions
199*bbb1b6f9SApple OSS Distributions return error;
200*bbb1b6f9SApple OSS Distributions }
201*bbb1b6f9SApple OSS Distributions
202*bbb1b6f9SApple OSS Distributions /*
203*bbb1b6f9SApple OSS Distributions * By default, fork just adds a reference to the parent
204*bbb1b6f9SApple OSS Distributions * credential. Policies may need to know about this reference
205*bbb1b6f9SApple OSS Distributions * if they are tracking exit calls to know when to free the
206*bbb1b6f9SApple OSS Distributions * label.
207*bbb1b6f9SApple OSS Distributions */
208*bbb1b6f9SApple OSS Distributions void
mac_cred_label_associate_fork(kauth_cred_t cred,proc_t proc)209*bbb1b6f9SApple OSS Distributions mac_cred_label_associate_fork(kauth_cred_t cred, proc_t proc)
210*bbb1b6f9SApple OSS Distributions {
211*bbb1b6f9SApple OSS Distributions MAC_PERFORM(cred_label_associate_fork, cred, proc);
212*bbb1b6f9SApple OSS Distributions }
213*bbb1b6f9SApple OSS Distributions
214*bbb1b6f9SApple OSS Distributions /*
215*bbb1b6f9SApple OSS Distributions * Initialize MAC label for the first kernel process, from which other
216*bbb1b6f9SApple OSS Distributions * kernel processes and threads are spawned.
217*bbb1b6f9SApple OSS Distributions */
218*bbb1b6f9SApple OSS Distributions void
mac_cred_label_associate_kernel(kauth_cred_t cred)219*bbb1b6f9SApple OSS Distributions mac_cred_label_associate_kernel(kauth_cred_t cred)
220*bbb1b6f9SApple OSS Distributions {
221*bbb1b6f9SApple OSS Distributions MAC_PERFORM(cred_label_associate_kernel, cred);
222*bbb1b6f9SApple OSS Distributions }
223*bbb1b6f9SApple OSS Distributions
224*bbb1b6f9SApple OSS Distributions /*
225*bbb1b6f9SApple OSS Distributions * Initialize MAC label for the first userland process, from which other
226*bbb1b6f9SApple OSS Distributions * userland processes and threads are spawned.
227*bbb1b6f9SApple OSS Distributions */
228*bbb1b6f9SApple OSS Distributions void
mac_cred_label_associate_user(kauth_cred_t cred)229*bbb1b6f9SApple OSS Distributions mac_cred_label_associate_user(kauth_cred_t cred)
230*bbb1b6f9SApple OSS Distributions {
231*bbb1b6f9SApple OSS Distributions MAC_PERFORM(cred_label_associate_user, cred);
232*bbb1b6f9SApple OSS Distributions }
233*bbb1b6f9SApple OSS Distributions
234*bbb1b6f9SApple OSS Distributions /*
235*bbb1b6f9SApple OSS Distributions * When a new process is created, its label must be initialized. Generally,
236*bbb1b6f9SApple OSS Distributions * this involves inheritence from the parent process, modulo possible
237*bbb1b6f9SApple OSS Distributions * deltas. This function allows that processing to take place.
238*bbb1b6f9SApple OSS Distributions */
239*bbb1b6f9SApple OSS Distributions void
mac_cred_label_associate(struct ucred * parent_cred,struct ucred * child_cred)240*bbb1b6f9SApple OSS Distributions mac_cred_label_associate(struct ucred *parent_cred, struct ucred *child_cred)
241*bbb1b6f9SApple OSS Distributions {
242*bbb1b6f9SApple OSS Distributions MAC_PERFORM(cred_label_associate, parent_cred, child_cred);
243*bbb1b6f9SApple OSS Distributions }
244*bbb1b6f9SApple OSS Distributions
245*bbb1b6f9SApple OSS Distributions int
mac_execve_enter(user_addr_t mac_p,struct image_params * imgp)246*bbb1b6f9SApple OSS Distributions mac_execve_enter(user_addr_t mac_p, struct image_params *imgp)
247*bbb1b6f9SApple OSS Distributions {
248*bbb1b6f9SApple OSS Distributions if (mac_p == USER_ADDR_NULL) {
249*bbb1b6f9SApple OSS Distributions return 0;
250*bbb1b6f9SApple OSS Distributions }
251*bbb1b6f9SApple OSS Distributions
252*bbb1b6f9SApple OSS Distributions return mac_do_set(current_proc(), mac_p,
253*bbb1b6f9SApple OSS Distributions ^(char *input, __unused size_t len) {
254*bbb1b6f9SApple OSS Distributions struct label *execlabel;
255*bbb1b6f9SApple OSS Distributions int error;
256*bbb1b6f9SApple OSS Distributions
257*bbb1b6f9SApple OSS Distributions execlabel = mac_cred_label_alloc();
258*bbb1b6f9SApple OSS Distributions if ((error = mac_cred_label_internalize(execlabel, input))) {
259*bbb1b6f9SApple OSS Distributions mac_cred_label_free(execlabel);
260*bbb1b6f9SApple OSS Distributions execlabel = NULL;
261*bbb1b6f9SApple OSS Distributions }
262*bbb1b6f9SApple OSS Distributions
263*bbb1b6f9SApple OSS Distributions imgp->ip_execlabelp = execlabel;
264*bbb1b6f9SApple OSS Distributions return error;
265*bbb1b6f9SApple OSS Distributions });
266*bbb1b6f9SApple OSS Distributions }
267*bbb1b6f9SApple OSS Distributions
268*bbb1b6f9SApple OSS Distributions /*
269*bbb1b6f9SApple OSS Distributions * When the subject's label changes, it may require revocation of privilege
270*bbb1b6f9SApple OSS Distributions * to mapped objects. This can't be done on-the-fly later with a unified
271*bbb1b6f9SApple OSS Distributions * buffer cache.
272*bbb1b6f9SApple OSS Distributions *
273*bbb1b6f9SApple OSS Distributions * XXX: CRF_MAC_ENFORCE should be in a kauth_cred_t field, rather
274*bbb1b6f9SApple OSS Distributions * XXX: than a posix_cred_t field.
275*bbb1b6f9SApple OSS Distributions */
276*bbb1b6f9SApple OSS Distributions void
mac_cred_label_update(kauth_cred_t cred,struct label * newlabel)277*bbb1b6f9SApple OSS Distributions mac_cred_label_update(kauth_cred_t cred, struct label *newlabel)
278*bbb1b6f9SApple OSS Distributions {
279*bbb1b6f9SApple OSS Distributions posix_cred_t pcred = posix_cred_get(cred);
280*bbb1b6f9SApple OSS Distributions
281*bbb1b6f9SApple OSS Distributions /* force label to be part of "matching" for credential */
282*bbb1b6f9SApple OSS Distributions pcred->cr_flags |= CRF_MAC_ENFORCE;
283*bbb1b6f9SApple OSS Distributions
284*bbb1b6f9SApple OSS Distributions /* inform the policies of the update */
285*bbb1b6f9SApple OSS Distributions MAC_PERFORM(cred_label_update, cred, newlabel);
286*bbb1b6f9SApple OSS Distributions }
287*bbb1b6f9SApple OSS Distributions
288*bbb1b6f9SApple OSS Distributions int
mac_cred_check_label_update(kauth_cred_t cred,struct label * newlabel)289*bbb1b6f9SApple OSS Distributions mac_cred_check_label_update(kauth_cred_t cred, struct label *newlabel)
290*bbb1b6f9SApple OSS Distributions {
291*bbb1b6f9SApple OSS Distributions int error;
292*bbb1b6f9SApple OSS Distributions
293*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
294*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
295*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
296*bbb1b6f9SApple OSS Distributions return 0;
297*bbb1b6f9SApple OSS Distributions }
298*bbb1b6f9SApple OSS Distributions #endif
299*bbb1b6f9SApple OSS Distributions
300*bbb1b6f9SApple OSS Distributions MAC_CHECK(cred_check_label_update, cred, newlabel);
301*bbb1b6f9SApple OSS Distributions
302*bbb1b6f9SApple OSS Distributions return error;
303*bbb1b6f9SApple OSS Distributions }
304*bbb1b6f9SApple OSS Distributions
305*bbb1b6f9SApple OSS Distributions int
mac_cred_check_visible(kauth_cred_t u1,kauth_cred_t u2)306*bbb1b6f9SApple OSS Distributions mac_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2)
307*bbb1b6f9SApple OSS Distributions {
308*bbb1b6f9SApple OSS Distributions int error;
309*bbb1b6f9SApple OSS Distributions
310*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
311*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
312*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
313*bbb1b6f9SApple OSS Distributions return 0;
314*bbb1b6f9SApple OSS Distributions }
315*bbb1b6f9SApple OSS Distributions #endif
316*bbb1b6f9SApple OSS Distributions
317*bbb1b6f9SApple OSS Distributions MAC_CHECK(cred_check_visible, u1, u2);
318*bbb1b6f9SApple OSS Distributions
319*bbb1b6f9SApple OSS Distributions return error;
320*bbb1b6f9SApple OSS Distributions }
321*bbb1b6f9SApple OSS Distributions
322*bbb1b6f9SApple OSS Distributions int
mac_proc_check_debug(proc_ident_t tracing_ident,kauth_cred_t tracing_cred,proc_ident_t traced_ident)323*bbb1b6f9SApple OSS Distributions mac_proc_check_debug(proc_ident_t tracing_ident, kauth_cred_t tracing_cred, proc_ident_t traced_ident)
324*bbb1b6f9SApple OSS Distributions {
325*bbb1b6f9SApple OSS Distributions int error;
326*bbb1b6f9SApple OSS Distributions bool enforce;
327*bbb1b6f9SApple OSS Distributions proc_t tracingp;
328*bbb1b6f9SApple OSS Distributions
329*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
330*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
331*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
332*bbb1b6f9SApple OSS Distributions return 0;
333*bbb1b6f9SApple OSS Distributions }
334*bbb1b6f9SApple OSS Distributions #endif
335*bbb1b6f9SApple OSS Distributions /*
336*bbb1b6f9SApple OSS Distributions * Once all mac hooks adopt proc_ident_t, finding proc_t and releasing
337*bbb1b6f9SApple OSS Distributions * it below should go to mac_proc_check_enforce().
338*bbb1b6f9SApple OSS Distributions */
339*bbb1b6f9SApple OSS Distributions if ((tracingp = proc_find_ident(tracing_ident)) == PROC_NULL) {
340*bbb1b6f9SApple OSS Distributions return ESRCH;
341*bbb1b6f9SApple OSS Distributions }
342*bbb1b6f9SApple OSS Distributions enforce = mac_proc_check_enforce(tracingp);
343*bbb1b6f9SApple OSS Distributions proc_rele(tracingp);
344*bbb1b6f9SApple OSS Distributions
345*bbb1b6f9SApple OSS Distributions if (!enforce) {
346*bbb1b6f9SApple OSS Distributions return 0;
347*bbb1b6f9SApple OSS Distributions }
348*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_debug, tracing_cred, traced_ident);
349*bbb1b6f9SApple OSS Distributions
350*bbb1b6f9SApple OSS Distributions return error;
351*bbb1b6f9SApple OSS Distributions }
352*bbb1b6f9SApple OSS Distributions
353*bbb1b6f9SApple OSS Distributions int
mac_proc_check_dump_core(struct proc * proc)354*bbb1b6f9SApple OSS Distributions mac_proc_check_dump_core(struct proc *proc)
355*bbb1b6f9SApple OSS Distributions {
356*bbb1b6f9SApple OSS Distributions int error;
357*bbb1b6f9SApple OSS Distributions
358*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
359*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
360*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
361*bbb1b6f9SApple OSS Distributions return 0;
362*bbb1b6f9SApple OSS Distributions }
363*bbb1b6f9SApple OSS Distributions #endif
364*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(proc)) {
365*bbb1b6f9SApple OSS Distributions return 0;
366*bbb1b6f9SApple OSS Distributions }
367*bbb1b6f9SApple OSS Distributions
368*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_dump_core, proc);
369*bbb1b6f9SApple OSS Distributions
370*bbb1b6f9SApple OSS Distributions return error;
371*bbb1b6f9SApple OSS Distributions }
372*bbb1b6f9SApple OSS Distributions
373*bbb1b6f9SApple OSS Distributions int
mac_proc_check_remote_thread_create(struct task * task,int flavor,thread_state_t new_state,mach_msg_type_number_t new_state_count)374*bbb1b6f9SApple OSS Distributions mac_proc_check_remote_thread_create(struct task *task, int flavor, thread_state_t new_state, mach_msg_type_number_t new_state_count)
375*bbb1b6f9SApple OSS Distributions {
376*bbb1b6f9SApple OSS Distributions proc_t curp = current_proc();
377*bbb1b6f9SApple OSS Distributions proc_t proc;
378*bbb1b6f9SApple OSS Distributions int error;
379*bbb1b6f9SApple OSS Distributions
380*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
381*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
382*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
383*bbb1b6f9SApple OSS Distributions return 0;
384*bbb1b6f9SApple OSS Distributions }
385*bbb1b6f9SApple OSS Distributions #endif
386*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
387*bbb1b6f9SApple OSS Distributions return 0;
388*bbb1b6f9SApple OSS Distributions }
389*bbb1b6f9SApple OSS Distributions
390*bbb1b6f9SApple OSS Distributions proc = proc_find(task_pid(task));
391*bbb1b6f9SApple OSS Distributions if (proc == PROC_NULL) {
392*bbb1b6f9SApple OSS Distributions return ESRCH;
393*bbb1b6f9SApple OSS Distributions }
394*bbb1b6f9SApple OSS Distributions
395*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_remote_thread_create, current_cached_proc_cred(curp),
396*bbb1b6f9SApple OSS Distributions proc, flavor, new_state, new_state_count);
397*bbb1b6f9SApple OSS Distributions proc_rele(proc);
398*bbb1b6f9SApple OSS Distributions
399*bbb1b6f9SApple OSS Distributions return error;
400*bbb1b6f9SApple OSS Distributions }
401*bbb1b6f9SApple OSS Distributions
402*bbb1b6f9SApple OSS Distributions void
mac_proc_notify_service_port_derive(struct mach_service_port_info * sp_info)403*bbb1b6f9SApple OSS Distributions mac_proc_notify_service_port_derive(struct mach_service_port_info *sp_info)
404*bbb1b6f9SApple OSS Distributions {
405*bbb1b6f9SApple OSS Distributions MAC_PERFORM(proc_notify_service_port_derive,
406*bbb1b6f9SApple OSS Distributions current_cached_proc_cred(PROC_NULL), sp_info);
407*bbb1b6f9SApple OSS Distributions }
408*bbb1b6f9SApple OSS Distributions
409*bbb1b6f9SApple OSS Distributions int
mac_proc_check_fork(proc_t curp)410*bbb1b6f9SApple OSS Distributions mac_proc_check_fork(proc_t curp)
411*bbb1b6f9SApple OSS Distributions {
412*bbb1b6f9SApple OSS Distributions int error;
413*bbb1b6f9SApple OSS Distributions
414*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
415*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
416*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
417*bbb1b6f9SApple OSS Distributions return 0;
418*bbb1b6f9SApple OSS Distributions }
419*bbb1b6f9SApple OSS Distributions #endif
420*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
421*bbb1b6f9SApple OSS Distributions return 0;
422*bbb1b6f9SApple OSS Distributions }
423*bbb1b6f9SApple OSS Distributions
424*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_fork, current_cached_proc_cred(curp), curp);
425*bbb1b6f9SApple OSS Distributions
426*bbb1b6f9SApple OSS Distributions return error;
427*bbb1b6f9SApple OSS Distributions }
428*bbb1b6f9SApple OSS Distributions
429*bbb1b6f9SApple OSS Distributions int
mac_proc_check_get_task(struct ucred * cred,proc_ident_t pident,mach_task_flavor_t flavor)430*bbb1b6f9SApple OSS Distributions mac_proc_check_get_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
431*bbb1b6f9SApple OSS Distributions {
432*bbb1b6f9SApple OSS Distributions int error;
433*bbb1b6f9SApple OSS Distributions
434*bbb1b6f9SApple OSS Distributions assert(flavor <= TASK_FLAVOR_NAME);
435*bbb1b6f9SApple OSS Distributions
436*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_get_task_with_flavor, cred, pident, flavor);
437*bbb1b6f9SApple OSS Distributions
438*bbb1b6f9SApple OSS Distributions return error;
439*bbb1b6f9SApple OSS Distributions }
440*bbb1b6f9SApple OSS Distributions
441*bbb1b6f9SApple OSS Distributions int
mac_proc_check_expose_task(struct ucred * cred,proc_ident_t pident,mach_task_flavor_t flavor)442*bbb1b6f9SApple OSS Distributions mac_proc_check_expose_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
443*bbb1b6f9SApple OSS Distributions {
444*bbb1b6f9SApple OSS Distributions int error;
445*bbb1b6f9SApple OSS Distributions
446*bbb1b6f9SApple OSS Distributions assert(flavor <= TASK_FLAVOR_NAME);
447*bbb1b6f9SApple OSS Distributions
448*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_expose_task_with_flavor, cred, pident, flavor);
449*bbb1b6f9SApple OSS Distributions
450*bbb1b6f9SApple OSS Distributions return error;
451*bbb1b6f9SApple OSS Distributions }
452*bbb1b6f9SApple OSS Distributions
453*bbb1b6f9SApple OSS Distributions int
mac_proc_check_inherit_ipc_ports(struct proc * p,struct vnode * cur_vp,off_t cur_offset,struct vnode * img_vp,off_t img_offset,struct vnode * scriptvp)454*bbb1b6f9SApple OSS Distributions mac_proc_check_inherit_ipc_ports(
455*bbb1b6f9SApple OSS Distributions struct proc *p,
456*bbb1b6f9SApple OSS Distributions struct vnode *cur_vp,
457*bbb1b6f9SApple OSS Distributions off_t cur_offset,
458*bbb1b6f9SApple OSS Distributions struct vnode *img_vp,
459*bbb1b6f9SApple OSS Distributions off_t img_offset,
460*bbb1b6f9SApple OSS Distributions struct vnode *scriptvp)
461*bbb1b6f9SApple OSS Distributions {
462*bbb1b6f9SApple OSS Distributions int error;
463*bbb1b6f9SApple OSS Distributions
464*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_inherit_ipc_ports, p, cur_vp, cur_offset, img_vp, img_offset, scriptvp);
465*bbb1b6f9SApple OSS Distributions
466*bbb1b6f9SApple OSS Distributions return error;
467*bbb1b6f9SApple OSS Distributions }
468*bbb1b6f9SApple OSS Distributions
469*bbb1b6f9SApple OSS Distributions int
mac_proc_check_iopolicysys(struct proc * p,kauth_cred_t cred,int cmd,int type,int scope,int policy)470*bbb1b6f9SApple OSS Distributions mac_proc_check_iopolicysys(struct proc *p, kauth_cred_t cred, int cmd, int type, int scope, int policy)
471*bbb1b6f9SApple OSS Distributions {
472*bbb1b6f9SApple OSS Distributions int error;
473*bbb1b6f9SApple OSS Distributions
474*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
475*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
476*bbb1b6f9SApple OSS Distributions if (!mac_system_enforce) {
477*bbb1b6f9SApple OSS Distributions return 0;
478*bbb1b6f9SApple OSS Distributions }
479*bbb1b6f9SApple OSS Distributions #endif
480*bbb1b6f9SApple OSS Distributions
481*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_iopolicysys, p, cred, cmd, type, scope, policy);
482*bbb1b6f9SApple OSS Distributions
483*bbb1b6f9SApple OSS Distributions return error;
484*bbb1b6f9SApple OSS Distributions }
485*bbb1b6f9SApple OSS Distributions
486*bbb1b6f9SApple OSS Distributions /*
487*bbb1b6f9SApple OSS Distributions * The type of maxprot in proc_check_map_anon must be equivalent to vm_prot_t
488*bbb1b6f9SApple OSS Distributions * (defined in <mach/vm_prot.h>). mac_policy.h does not include any header
489*bbb1b6f9SApple OSS Distributions * files, so cannot use the typedef itself.
490*bbb1b6f9SApple OSS Distributions */
491*bbb1b6f9SApple OSS Distributions int
mac_proc_check_map_anon(proc_t proc,kauth_cred_t cred,user_addr_t u_addr,user_size_t u_size,int prot,int flags,int * maxprot)492*bbb1b6f9SApple OSS Distributions mac_proc_check_map_anon(proc_t proc, kauth_cred_t cred, user_addr_t u_addr,
493*bbb1b6f9SApple OSS Distributions user_size_t u_size, int prot, int flags, int *maxprot)
494*bbb1b6f9SApple OSS Distributions {
495*bbb1b6f9SApple OSS Distributions int error;
496*bbb1b6f9SApple OSS Distributions
497*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
498*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
499*bbb1b6f9SApple OSS Distributions if (!mac_vm_enforce) {
500*bbb1b6f9SApple OSS Distributions return 0;
501*bbb1b6f9SApple OSS Distributions }
502*bbb1b6f9SApple OSS Distributions #endif
503*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(proc)) {
504*bbb1b6f9SApple OSS Distributions return 0;
505*bbb1b6f9SApple OSS Distributions }
506*bbb1b6f9SApple OSS Distributions
507*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_map_anon, proc, cred, u_addr, u_size, prot, flags, maxprot);
508*bbb1b6f9SApple OSS Distributions
509*bbb1b6f9SApple OSS Distributions return error;
510*bbb1b6f9SApple OSS Distributions }
511*bbb1b6f9SApple OSS Distributions
512*bbb1b6f9SApple OSS Distributions
513*bbb1b6f9SApple OSS Distributions int
mac_proc_check_memorystatus_control(proc_t proc,uint32_t command,pid_t pid)514*bbb1b6f9SApple OSS Distributions mac_proc_check_memorystatus_control(proc_t proc, uint32_t command, pid_t pid)
515*bbb1b6f9SApple OSS Distributions {
516*bbb1b6f9SApple OSS Distributions int error;
517*bbb1b6f9SApple OSS Distributions
518*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
519*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
520*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
521*bbb1b6f9SApple OSS Distributions return 0;
522*bbb1b6f9SApple OSS Distributions }
523*bbb1b6f9SApple OSS Distributions #endif
524*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(proc)) {
525*bbb1b6f9SApple OSS Distributions return 0;
526*bbb1b6f9SApple OSS Distributions }
527*bbb1b6f9SApple OSS Distributions
528*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_memorystatus_control, current_cached_proc_cred(proc),
529*bbb1b6f9SApple OSS Distributions command, pid);
530*bbb1b6f9SApple OSS Distributions
531*bbb1b6f9SApple OSS Distributions return error;
532*bbb1b6f9SApple OSS Distributions }
533*bbb1b6f9SApple OSS Distributions
534*bbb1b6f9SApple OSS Distributions int
mac_proc_check_mprotect(proc_t proc,user_addr_t addr,user_size_t size,int prot)535*bbb1b6f9SApple OSS Distributions mac_proc_check_mprotect(proc_t proc,
536*bbb1b6f9SApple OSS Distributions user_addr_t addr, user_size_t size, int prot)
537*bbb1b6f9SApple OSS Distributions {
538*bbb1b6f9SApple OSS Distributions int error;
539*bbb1b6f9SApple OSS Distributions
540*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
541*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
542*bbb1b6f9SApple OSS Distributions if (!mac_vm_enforce) {
543*bbb1b6f9SApple OSS Distributions return 0;
544*bbb1b6f9SApple OSS Distributions }
545*bbb1b6f9SApple OSS Distributions #endif
546*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(proc)) {
547*bbb1b6f9SApple OSS Distributions return 0;
548*bbb1b6f9SApple OSS Distributions }
549*bbb1b6f9SApple OSS Distributions
550*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_mprotect, current_cached_proc_cred(proc),
551*bbb1b6f9SApple OSS Distributions proc, addr, size, prot);
552*bbb1b6f9SApple OSS Distributions
553*bbb1b6f9SApple OSS Distributions return error;
554*bbb1b6f9SApple OSS Distributions }
555*bbb1b6f9SApple OSS Distributions
556*bbb1b6f9SApple OSS Distributions int
mac_proc_check_run_cs_invalid(proc_t proc)557*bbb1b6f9SApple OSS Distributions mac_proc_check_run_cs_invalid(proc_t proc)
558*bbb1b6f9SApple OSS Distributions {
559*bbb1b6f9SApple OSS Distributions int error;
560*bbb1b6f9SApple OSS Distributions
561*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
562*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
563*bbb1b6f9SApple OSS Distributions if (!mac_vm_enforce) {
564*bbb1b6f9SApple OSS Distributions return 0;
565*bbb1b6f9SApple OSS Distributions }
566*bbb1b6f9SApple OSS Distributions #endif
567*bbb1b6f9SApple OSS Distributions
568*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_run_cs_invalid, proc);
569*bbb1b6f9SApple OSS Distributions
570*bbb1b6f9SApple OSS Distributions return error;
571*bbb1b6f9SApple OSS Distributions }
572*bbb1b6f9SApple OSS Distributions
573*bbb1b6f9SApple OSS Distributions void
mac_proc_notify_cs_invalidated(proc_t proc)574*bbb1b6f9SApple OSS Distributions mac_proc_notify_cs_invalidated(proc_t proc)
575*bbb1b6f9SApple OSS Distributions {
576*bbb1b6f9SApple OSS Distributions MAC_PERFORM(proc_notify_cs_invalidated, proc);
577*bbb1b6f9SApple OSS Distributions }
578*bbb1b6f9SApple OSS Distributions
579*bbb1b6f9SApple OSS Distributions int
mac_proc_check_sched(proc_t curp,struct proc * proc)580*bbb1b6f9SApple OSS Distributions mac_proc_check_sched(proc_t curp, struct proc *proc)
581*bbb1b6f9SApple OSS Distributions {
582*bbb1b6f9SApple OSS Distributions int error;
583*bbb1b6f9SApple OSS Distributions
584*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
585*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
586*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
587*bbb1b6f9SApple OSS Distributions return 0;
588*bbb1b6f9SApple OSS Distributions }
589*bbb1b6f9SApple OSS Distributions #endif
590*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
591*bbb1b6f9SApple OSS Distributions return 0;
592*bbb1b6f9SApple OSS Distributions }
593*bbb1b6f9SApple OSS Distributions
594*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_sched, current_cached_proc_cred(curp), proc);
595*bbb1b6f9SApple OSS Distributions
596*bbb1b6f9SApple OSS Distributions return error;
597*bbb1b6f9SApple OSS Distributions }
598*bbb1b6f9SApple OSS Distributions
599*bbb1b6f9SApple OSS Distributions int
mac_proc_check_signal(proc_t curp,proc_ident_t instigator,proc_ident_t target,int signum)600*bbb1b6f9SApple OSS Distributions mac_proc_check_signal(proc_t curp, proc_ident_t instigator, proc_ident_t target, int signum)
601*bbb1b6f9SApple OSS Distributions {
602*bbb1b6f9SApple OSS Distributions int error;
603*bbb1b6f9SApple OSS Distributions
604*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
605*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
606*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
607*bbb1b6f9SApple OSS Distributions return 0;
608*bbb1b6f9SApple OSS Distributions }
609*bbb1b6f9SApple OSS Distributions #endif
610*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
611*bbb1b6f9SApple OSS Distributions return 0;
612*bbb1b6f9SApple OSS Distributions }
613*bbb1b6f9SApple OSS Distributions
614*bbb1b6f9SApple OSS Distributions /* Check policy without holding any proc refs */
615*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_signal, current_cached_proc_cred(curp), instigator, target, signum);
616*bbb1b6f9SApple OSS Distributions return error;
617*bbb1b6f9SApple OSS Distributions }
618*bbb1b6f9SApple OSS Distributions
619*bbb1b6f9SApple OSS Distributions int
mac_proc_check_syscall_unix(proc_t curp,int scnum)620*bbb1b6f9SApple OSS Distributions mac_proc_check_syscall_unix(proc_t curp, int scnum)
621*bbb1b6f9SApple OSS Distributions {
622*bbb1b6f9SApple OSS Distributions int error;
623*bbb1b6f9SApple OSS Distributions
624*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
625*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
626*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
627*bbb1b6f9SApple OSS Distributions return 0;
628*bbb1b6f9SApple OSS Distributions }
629*bbb1b6f9SApple OSS Distributions #endif
630*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
631*bbb1b6f9SApple OSS Distributions return 0;
632*bbb1b6f9SApple OSS Distributions }
633*bbb1b6f9SApple OSS Distributions
634*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_syscall_unix, curp, scnum);
635*bbb1b6f9SApple OSS Distributions
636*bbb1b6f9SApple OSS Distributions return error;
637*bbb1b6f9SApple OSS Distributions }
638*bbb1b6f9SApple OSS Distributions
639*bbb1b6f9SApple OSS Distributions int
mac_proc_check_wait(proc_t curp,struct proc * proc)640*bbb1b6f9SApple OSS Distributions mac_proc_check_wait(proc_t curp, struct proc *proc)
641*bbb1b6f9SApple OSS Distributions {
642*bbb1b6f9SApple OSS Distributions int error;
643*bbb1b6f9SApple OSS Distributions
644*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
645*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
646*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
647*bbb1b6f9SApple OSS Distributions return 0;
648*bbb1b6f9SApple OSS Distributions }
649*bbb1b6f9SApple OSS Distributions #endif
650*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
651*bbb1b6f9SApple OSS Distributions return 0;
652*bbb1b6f9SApple OSS Distributions }
653*bbb1b6f9SApple OSS Distributions
654*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_wait, current_cached_proc_cred(curp), proc);
655*bbb1b6f9SApple OSS Distributions
656*bbb1b6f9SApple OSS Distributions return error;
657*bbb1b6f9SApple OSS Distributions }
658*bbb1b6f9SApple OSS Distributions
659*bbb1b6f9SApple OSS Distributions void
mac_proc_notify_exit(struct proc * proc)660*bbb1b6f9SApple OSS Distributions mac_proc_notify_exit(struct proc *proc)
661*bbb1b6f9SApple OSS Distributions {
662*bbb1b6f9SApple OSS Distributions MAC_PERFORM(proc_notify_exit, proc);
663*bbb1b6f9SApple OSS Distributions }
664*bbb1b6f9SApple OSS Distributions
665*bbb1b6f9SApple OSS Distributions int
mac_proc_check_suspend_resume(proc_t proc,int sr)666*bbb1b6f9SApple OSS Distributions mac_proc_check_suspend_resume(proc_t proc, int sr)
667*bbb1b6f9SApple OSS Distributions {
668*bbb1b6f9SApple OSS Distributions proc_t curp = current_proc();
669*bbb1b6f9SApple OSS Distributions int error;
670*bbb1b6f9SApple OSS Distributions
671*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
672*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
673*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
674*bbb1b6f9SApple OSS Distributions return 0;
675*bbb1b6f9SApple OSS Distributions }
676*bbb1b6f9SApple OSS Distributions #endif
677*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
678*bbb1b6f9SApple OSS Distributions return 0;
679*bbb1b6f9SApple OSS Distributions }
680*bbb1b6f9SApple OSS Distributions
681*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_suspend_resume, current_cached_proc_cred(curp),
682*bbb1b6f9SApple OSS Distributions proc, sr);
683*bbb1b6f9SApple OSS Distributions
684*bbb1b6f9SApple OSS Distributions return error;
685*bbb1b6f9SApple OSS Distributions }
686*bbb1b6f9SApple OSS Distributions
687*bbb1b6f9SApple OSS Distributions int
mac_proc_check_ledger(proc_t curp,proc_t proc,int ledger_op)688*bbb1b6f9SApple OSS Distributions mac_proc_check_ledger(proc_t curp, proc_t proc, int ledger_op)
689*bbb1b6f9SApple OSS Distributions {
690*bbb1b6f9SApple OSS Distributions int error = 0;
691*bbb1b6f9SApple OSS Distributions
692*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
693*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
694*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
695*bbb1b6f9SApple OSS Distributions return 0;
696*bbb1b6f9SApple OSS Distributions }
697*bbb1b6f9SApple OSS Distributions #endif
698*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
699*bbb1b6f9SApple OSS Distributions return 0;
700*bbb1b6f9SApple OSS Distributions }
701*bbb1b6f9SApple OSS Distributions
702*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_ledger, current_cached_proc_cred(curp),
703*bbb1b6f9SApple OSS Distributions proc, ledger_op);
704*bbb1b6f9SApple OSS Distributions
705*bbb1b6f9SApple OSS Distributions return error;
706*bbb1b6f9SApple OSS Distributions }
707*bbb1b6f9SApple OSS Distributions
708*bbb1b6f9SApple OSS Distributions int
mac_proc_check_proc_info(proc_t curp,proc_t target,int callnum,int flavor)709*bbb1b6f9SApple OSS Distributions mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor)
710*bbb1b6f9SApple OSS Distributions {
711*bbb1b6f9SApple OSS Distributions int error = 0;
712*bbb1b6f9SApple OSS Distributions
713*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
714*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
715*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
716*bbb1b6f9SApple OSS Distributions return 0;
717*bbb1b6f9SApple OSS Distributions }
718*bbb1b6f9SApple OSS Distributions #endif
719*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
720*bbb1b6f9SApple OSS Distributions return 0;
721*bbb1b6f9SApple OSS Distributions }
722*bbb1b6f9SApple OSS Distributions
723*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_proc_info, current_cached_proc_cred(curp),
724*bbb1b6f9SApple OSS Distributions target, callnum, flavor);
725*bbb1b6f9SApple OSS Distributions
726*bbb1b6f9SApple OSS Distributions return error;
727*bbb1b6f9SApple OSS Distributions }
728*bbb1b6f9SApple OSS Distributions
729*bbb1b6f9SApple OSS Distributions int
mac_proc_check_get_cs_info(proc_t curp,proc_t target,unsigned int op)730*bbb1b6f9SApple OSS Distributions mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op)
731*bbb1b6f9SApple OSS Distributions {
732*bbb1b6f9SApple OSS Distributions int error = 0;
733*bbb1b6f9SApple OSS Distributions
734*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
735*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
736*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
737*bbb1b6f9SApple OSS Distributions return 0;
738*bbb1b6f9SApple OSS Distributions }
739*bbb1b6f9SApple OSS Distributions #endif
740*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
741*bbb1b6f9SApple OSS Distributions return 0;
742*bbb1b6f9SApple OSS Distributions }
743*bbb1b6f9SApple OSS Distributions
744*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_get_cs_info, current_cached_proc_cred(curp),
745*bbb1b6f9SApple OSS Distributions target, op);
746*bbb1b6f9SApple OSS Distributions
747*bbb1b6f9SApple OSS Distributions return error;
748*bbb1b6f9SApple OSS Distributions }
749*bbb1b6f9SApple OSS Distributions
750*bbb1b6f9SApple OSS Distributions int
mac_proc_check_set_cs_info(proc_t curp,proc_t target,unsigned int op)751*bbb1b6f9SApple OSS Distributions mac_proc_check_set_cs_info(proc_t curp, proc_t target, unsigned int op)
752*bbb1b6f9SApple OSS Distributions {
753*bbb1b6f9SApple OSS Distributions int error = 0;
754*bbb1b6f9SApple OSS Distributions
755*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
756*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
757*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
758*bbb1b6f9SApple OSS Distributions return 0;
759*bbb1b6f9SApple OSS Distributions }
760*bbb1b6f9SApple OSS Distributions #endif
761*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
762*bbb1b6f9SApple OSS Distributions return 0;
763*bbb1b6f9SApple OSS Distributions }
764*bbb1b6f9SApple OSS Distributions
765*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_set_cs_info, current_cached_proc_cred(curp),
766*bbb1b6f9SApple OSS Distributions target, op);
767*bbb1b6f9SApple OSS Distributions
768*bbb1b6f9SApple OSS Distributions return error;
769*bbb1b6f9SApple OSS Distributions }
770*bbb1b6f9SApple OSS Distributions
771*bbb1b6f9SApple OSS Distributions int
mac_proc_check_setuid(proc_t curp,kauth_cred_t cred,uid_t uid)772*bbb1b6f9SApple OSS Distributions mac_proc_check_setuid(proc_t curp, kauth_cred_t cred, uid_t uid)
773*bbb1b6f9SApple OSS Distributions {
774*bbb1b6f9SApple OSS Distributions int error = 0;
775*bbb1b6f9SApple OSS Distributions
776*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
777*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
778*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
779*bbb1b6f9SApple OSS Distributions return 0;
780*bbb1b6f9SApple OSS Distributions }
781*bbb1b6f9SApple OSS Distributions #endif
782*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
783*bbb1b6f9SApple OSS Distributions return 0;
784*bbb1b6f9SApple OSS Distributions }
785*bbb1b6f9SApple OSS Distributions
786*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_setuid, cred, uid);
787*bbb1b6f9SApple OSS Distributions
788*bbb1b6f9SApple OSS Distributions return error;
789*bbb1b6f9SApple OSS Distributions }
790*bbb1b6f9SApple OSS Distributions
791*bbb1b6f9SApple OSS Distributions int
mac_proc_check_seteuid(proc_t curp,kauth_cred_t cred,uid_t euid)792*bbb1b6f9SApple OSS Distributions mac_proc_check_seteuid(proc_t curp, kauth_cred_t cred, uid_t euid)
793*bbb1b6f9SApple OSS Distributions {
794*bbb1b6f9SApple OSS Distributions int error = 0;
795*bbb1b6f9SApple OSS Distributions
796*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
797*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
798*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
799*bbb1b6f9SApple OSS Distributions return 0;
800*bbb1b6f9SApple OSS Distributions }
801*bbb1b6f9SApple OSS Distributions #endif
802*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
803*bbb1b6f9SApple OSS Distributions return 0;
804*bbb1b6f9SApple OSS Distributions }
805*bbb1b6f9SApple OSS Distributions
806*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_seteuid, cred, euid);
807*bbb1b6f9SApple OSS Distributions
808*bbb1b6f9SApple OSS Distributions return error;
809*bbb1b6f9SApple OSS Distributions }
810*bbb1b6f9SApple OSS Distributions
811*bbb1b6f9SApple OSS Distributions int
mac_proc_check_setreuid(proc_t curp,kauth_cred_t cred,uid_t ruid,uid_t euid)812*bbb1b6f9SApple OSS Distributions mac_proc_check_setreuid(proc_t curp, kauth_cred_t cred, uid_t ruid, uid_t euid)
813*bbb1b6f9SApple OSS Distributions {
814*bbb1b6f9SApple OSS Distributions int error = 0;
815*bbb1b6f9SApple OSS Distributions
816*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
817*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
818*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
819*bbb1b6f9SApple OSS Distributions return 0;
820*bbb1b6f9SApple OSS Distributions }
821*bbb1b6f9SApple OSS Distributions #endif
822*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
823*bbb1b6f9SApple OSS Distributions return 0;
824*bbb1b6f9SApple OSS Distributions }
825*bbb1b6f9SApple OSS Distributions
826*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
827*bbb1b6f9SApple OSS Distributions
828*bbb1b6f9SApple OSS Distributions return error;
829*bbb1b6f9SApple OSS Distributions }
830*bbb1b6f9SApple OSS Distributions
831*bbb1b6f9SApple OSS Distributions int
mac_proc_check_setgid(proc_t curp,kauth_cred_t cred,gid_t gid)832*bbb1b6f9SApple OSS Distributions mac_proc_check_setgid(proc_t curp, kauth_cred_t cred, gid_t gid)
833*bbb1b6f9SApple OSS Distributions {
834*bbb1b6f9SApple OSS Distributions int error = 0;
835*bbb1b6f9SApple OSS Distributions
836*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
837*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
838*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
839*bbb1b6f9SApple OSS Distributions return 0;
840*bbb1b6f9SApple OSS Distributions }
841*bbb1b6f9SApple OSS Distributions #endif
842*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
843*bbb1b6f9SApple OSS Distributions return 0;
844*bbb1b6f9SApple OSS Distributions }
845*bbb1b6f9SApple OSS Distributions
846*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_setgid, cred, gid);
847*bbb1b6f9SApple OSS Distributions
848*bbb1b6f9SApple OSS Distributions return error;
849*bbb1b6f9SApple OSS Distributions }
850*bbb1b6f9SApple OSS Distributions
851*bbb1b6f9SApple OSS Distributions int
mac_proc_check_setegid(proc_t curp,kauth_cred_t cred,gid_t egid)852*bbb1b6f9SApple OSS Distributions mac_proc_check_setegid(proc_t curp, kauth_cred_t cred, gid_t egid)
853*bbb1b6f9SApple OSS Distributions {
854*bbb1b6f9SApple OSS Distributions int error = 0;
855*bbb1b6f9SApple OSS Distributions
856*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
857*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
858*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
859*bbb1b6f9SApple OSS Distributions return 0;
860*bbb1b6f9SApple OSS Distributions }
861*bbb1b6f9SApple OSS Distributions #endif
862*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
863*bbb1b6f9SApple OSS Distributions return 0;
864*bbb1b6f9SApple OSS Distributions }
865*bbb1b6f9SApple OSS Distributions
866*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_setegid, cred, egid);
867*bbb1b6f9SApple OSS Distributions
868*bbb1b6f9SApple OSS Distributions return error;
869*bbb1b6f9SApple OSS Distributions }
870*bbb1b6f9SApple OSS Distributions
871*bbb1b6f9SApple OSS Distributions int
mac_proc_check_setregid(proc_t curp,kauth_cred_t cred,gid_t rgid,gid_t egid)872*bbb1b6f9SApple OSS Distributions mac_proc_check_setregid(proc_t curp, kauth_cred_t cred, gid_t rgid, gid_t egid)
873*bbb1b6f9SApple OSS Distributions {
874*bbb1b6f9SApple OSS Distributions int error = 0;
875*bbb1b6f9SApple OSS Distributions
876*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
877*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
878*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
879*bbb1b6f9SApple OSS Distributions return 0;
880*bbb1b6f9SApple OSS Distributions }
881*bbb1b6f9SApple OSS Distributions #endif
882*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
883*bbb1b6f9SApple OSS Distributions return 0;
884*bbb1b6f9SApple OSS Distributions }
885*bbb1b6f9SApple OSS Distributions
886*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_setregid, cred, rgid, egid);
887*bbb1b6f9SApple OSS Distributions
888*bbb1b6f9SApple OSS Distributions return error;
889*bbb1b6f9SApple OSS Distributions }
890*bbb1b6f9SApple OSS Distributions
891*bbb1b6f9SApple OSS Distributions int
mac_proc_check_settid(proc_t curp,uid_t uid,gid_t gid)892*bbb1b6f9SApple OSS Distributions mac_proc_check_settid(proc_t curp, uid_t uid, gid_t gid)
893*bbb1b6f9SApple OSS Distributions {
894*bbb1b6f9SApple OSS Distributions int error = 0;
895*bbb1b6f9SApple OSS Distributions
896*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
897*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
898*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce) {
899*bbb1b6f9SApple OSS Distributions return 0;
900*bbb1b6f9SApple OSS Distributions }
901*bbb1b6f9SApple OSS Distributions #endif
902*bbb1b6f9SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
903*bbb1b6f9SApple OSS Distributions return 0;
904*bbb1b6f9SApple OSS Distributions }
905*bbb1b6f9SApple OSS Distributions
906*bbb1b6f9SApple OSS Distributions MAC_CHECK(proc_check_settid, current_cached_proc_cred(curp),
907*bbb1b6f9SApple OSS Distributions kauth_cred_get(), uid, gid);
908*bbb1b6f9SApple OSS Distributions
909*bbb1b6f9SApple OSS Distributions return error;
910*bbb1b6f9SApple OSS Distributions }
911*bbb1b6f9SApple OSS Distributions
912*bbb1b6f9SApple OSS Distributions int
mac_proc_check_launch_constraints(proc_t curp,struct image_params * imgp,os_reason_t * reasonp)913*bbb1b6f9SApple OSS Distributions mac_proc_check_launch_constraints(proc_t curp, struct image_params *imgp, os_reason_t *reasonp)
914*bbb1b6f9SApple OSS Distributions {
915*bbb1b6f9SApple OSS Distributions char *fatal_failure_desc = NULL;
916*bbb1b6f9SApple OSS Distributions size_t fatal_failure_desc_len = 0;
917*bbb1b6f9SApple OSS Distributions
918*bbb1b6f9SApple OSS Distributions pid_t original_parent_id = proc_original_ppid(curp);
919*bbb1b6f9SApple OSS Distributions
920*bbb1b6f9SApple OSS Distributions pid_t responsible_pid = curp->p_responsible_pid;
921*bbb1b6f9SApple OSS Distributions
922*bbb1b6f9SApple OSS Distributions int error = 0;
923*bbb1b6f9SApple OSS Distributions
924*bbb1b6f9SApple OSS Distributions /* Vnode of the file */
925*bbb1b6f9SApple OSS Distributions struct vnode *vp = imgp->ip_vp;
926*bbb1b6f9SApple OSS Distributions
927*bbb1b6f9SApple OSS Distributions char *vn_path = NULL;
928*bbb1b6f9SApple OSS Distributions vm_size_t vn_pathlen = MAXPATHLEN;
929*bbb1b6f9SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
930*bbb1b6f9SApple OSS Distributions /* 21167099 - only check if we allow write */
931*bbb1b6f9SApple OSS Distributions if (!mac_proc_enforce || !mac_vnode_enforce) {
932*bbb1b6f9SApple OSS Distributions return 0;
933*bbb1b6f9SApple OSS Distributions }
934*bbb1b6f9SApple OSS Distributions #endif
935*bbb1b6f9SApple OSS Distributions
936*bbb1b6f9SApple OSS Distributions MAC_POLICY_ITERATE({
937*bbb1b6f9SApple OSS Distributions mpo_proc_check_launch_constraints_t *hook = mpc->mpc_ops->mpo_proc_check_launch_constraints;
938*bbb1b6f9SApple OSS Distributions if (hook == NULL) {
939*bbb1b6f9SApple OSS Distributions continue;
940*bbb1b6f9SApple OSS Distributions }
941*bbb1b6f9SApple OSS Distributions
942*bbb1b6f9SApple OSS Distributions size_t spawnattrlen = 0;
943*bbb1b6f9SApple OSS Distributions void *spawnattr = exec_spawnattr_getmacpolicyinfo(&imgp->ip_px_smpx, mpc->mpc_name, &spawnattrlen);
944*bbb1b6f9SApple OSS Distributions struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
945*bbb1b6f9SApple OSS Distributions struct launch_constraint_data lcd;
946*bbb1b6f9SApple OSS Distributions lcd.launch_type = CS_LAUNCH_TYPE_NONE;
947*bbb1b6f9SApple OSS Distributions
948*bbb1b6f9SApple OSS Distributions /* Check to see if psa_launch_type was initalized */
949*bbb1b6f9SApple OSS Distributions if (psa != (struct _posix_spawnattr*)NULL) {
950*bbb1b6f9SApple OSS Distributions lcd.launch_type = psa->psa_launch_type;
951*bbb1b6f9SApple OSS Distributions }
952*bbb1b6f9SApple OSS Distributions
953*bbb1b6f9SApple OSS Distributions error = mac_error_select(
954*bbb1b6f9SApple OSS Distributions hook(curp, original_parent_id, responsible_pid,
955*bbb1b6f9SApple OSS Distributions spawnattr, spawnattrlen, &lcd, &fatal_failure_desc, &fatal_failure_desc_len), error);
956*bbb1b6f9SApple OSS Distributions
957*bbb1b6f9SApple OSS Distributions /*
958*bbb1b6f9SApple OSS Distributions * Early exit in case of failure in case we have multiple registered callers.
959*bbb1b6f9SApple OSS Distributions * This is to avoid other MACF policies from stomping on each other's failure description
960*bbb1b6f9SApple OSS Distributions */
961*bbb1b6f9SApple OSS Distributions if (fatal_failure_desc_len) {
962*bbb1b6f9SApple OSS Distributions goto policy_fail;
963*bbb1b6f9SApple OSS Distributions }
964*bbb1b6f9SApple OSS Distributions });
965*bbb1b6f9SApple OSS Distributions
966*bbb1b6f9SApple OSS Distributions policy_fail:
967*bbb1b6f9SApple OSS Distributions if (fatal_failure_desc_len) {
968*bbb1b6f9SApple OSS Distributions /*
969*bbb1b6f9SApple OSS Distributions * A fatal code signature validation failure occured, formulate a crash
970*bbb1b6f9SApple OSS Distributions * reason.
971*bbb1b6f9SApple OSS Distributions */
972*bbb1b6f9SApple OSS Distributions
973*bbb1b6f9SApple OSS Distributions char const *path = NULL;
974*bbb1b6f9SApple OSS Distributions
975*bbb1b6f9SApple OSS Distributions vn_path = zalloc(ZV_NAMEI);
976*bbb1b6f9SApple OSS Distributions if (vn_getpath(vp, vn_path, (int*)&vn_pathlen) == 0) {
977*bbb1b6f9SApple OSS Distributions path = vn_path;
978*bbb1b6f9SApple OSS Distributions } else {
979*bbb1b6f9SApple OSS Distributions path = "(get vnode path failed)";
980*bbb1b6f9SApple OSS Distributions }
981*bbb1b6f9SApple OSS Distributions
982*bbb1b6f9SApple OSS Distributions if (error == 0) {
983*bbb1b6f9SApple OSS Distributions panic("%s: MAC hook returned no error, but status is claimed to be fatal? "
984*bbb1b6f9SApple OSS Distributions "path: '%s', fatal_failure_desc_len: %ld, fatal_failure_desc:\n%s\n",
985*bbb1b6f9SApple OSS Distributions __func__, path, fatal_failure_desc_len, fatal_failure_desc);
986*bbb1b6f9SApple OSS Distributions }
987*bbb1b6f9SApple OSS Distributions
988*bbb1b6f9SApple OSS Distributions os_reason_t reason = os_reason_create(OS_REASON_CODESIGNING,
989*bbb1b6f9SApple OSS Distributions CODESIGNING_EXIT_REASON_LAUNCH_CONSTRAINT_VIOLATION);
990*bbb1b6f9SApple OSS Distributions
991*bbb1b6f9SApple OSS Distributions *reasonp = reason;
992*bbb1b6f9SApple OSS Distributions
993*bbb1b6f9SApple OSS Distributions reason->osr_flags = (OS_REASON_FLAG_GENERATE_CRASH_REPORT |
994*bbb1b6f9SApple OSS Distributions OS_REASON_FLAG_CONSISTENT_FAILURE);
995*bbb1b6f9SApple OSS Distributions
996*bbb1b6f9SApple OSS Distributions if (fatal_failure_desc != NULL) {
997*bbb1b6f9SApple OSS Distributions mach_vm_address_t data_addr = 0;
998*bbb1b6f9SApple OSS Distributions
999*bbb1b6f9SApple OSS Distributions int reason_error = 0;
1000*bbb1b6f9SApple OSS Distributions int kcdata_error = 0;
1001*bbb1b6f9SApple OSS Distributions
1002*bbb1b6f9SApple OSS Distributions if ((reason_error = os_reason_alloc_buffer_noblock(reason,
1003*bbb1b6f9SApple OSS Distributions kcdata_estimate_required_buffer_size(1,
1004*bbb1b6f9SApple OSS Distributions (uint32_t)fatal_failure_desc_len))) == 0) {
1005*bbb1b6f9SApple OSS Distributions if ((kcdata_error = kcdata_get_memory_addr(&reason->osr_kcd_descriptor,
1006*bbb1b6f9SApple OSS Distributions EXIT_REASON_USER_DESC, (uint32_t)fatal_failure_desc_len,
1007*bbb1b6f9SApple OSS Distributions &data_addr)) == KERN_SUCCESS) {
1008*bbb1b6f9SApple OSS Distributions kcdata_memcpy(&reason->osr_kcd_descriptor, (mach_vm_address_t)data_addr,
1009*bbb1b6f9SApple OSS Distributions fatal_failure_desc, (uint32_t)fatal_failure_desc_len);
1010*bbb1b6f9SApple OSS Distributions }
1011*bbb1b6f9SApple OSS Distributions }
1012*bbb1b6f9SApple OSS Distributions }
1013*bbb1b6f9SApple OSS Distributions }
1014*bbb1b6f9SApple OSS Distributions
1015*bbb1b6f9SApple OSS Distributions if (vn_path) {
1016*bbb1b6f9SApple OSS Distributions zfree(ZV_NAMEI, vn_path);
1017*bbb1b6f9SApple OSS Distributions }
1018*bbb1b6f9SApple OSS Distributions
1019*bbb1b6f9SApple OSS Distributions if (fatal_failure_desc_len > 0 && fatal_failure_desc != NULL) {
1020*bbb1b6f9SApple OSS Distributions kfree_data(fatal_failure_desc, fatal_failure_desc_len);
1021*bbb1b6f9SApple OSS Distributions }
1022*bbb1b6f9SApple OSS Distributions
1023*bbb1b6f9SApple OSS Distributions return error;
1024*bbb1b6f9SApple OSS Distributions }
1025