1*4d495c6eSApple OSS Distributions /*
2*4d495c6eSApple OSS Distributions * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
3*4d495c6eSApple OSS Distributions *
4*4d495c6eSApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5*4d495c6eSApple OSS Distributions *
6*4d495c6eSApple OSS Distributions * This file contains Original Code and/or Modifications of Original Code
7*4d495c6eSApple OSS Distributions * as defined in and that are subject to the Apple Public Source License
8*4d495c6eSApple OSS Distributions * Version 2.0 (the 'License'). You may not use this file except in
9*4d495c6eSApple OSS Distributions * compliance with the License. The rights granted to you under the License
10*4d495c6eSApple OSS Distributions * may not be used to create, or enable the creation or redistribution of,
11*4d495c6eSApple OSS Distributions * unlawful or unlicensed copies of an Apple operating system, or to
12*4d495c6eSApple OSS Distributions * circumvent, violate, or enable the circumvention or violation of, any
13*4d495c6eSApple OSS Distributions * terms of an Apple operating system software license agreement.
14*4d495c6eSApple OSS Distributions *
15*4d495c6eSApple OSS Distributions * Please obtain a copy of the License at
16*4d495c6eSApple OSS Distributions * http://www.opensource.apple.com/apsl/ and read it before using this file.
17*4d495c6eSApple OSS Distributions *
18*4d495c6eSApple OSS Distributions * The Original Code and all software distributed under the License are
19*4d495c6eSApple OSS Distributions * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20*4d495c6eSApple OSS Distributions * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21*4d495c6eSApple OSS Distributions * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22*4d495c6eSApple OSS Distributions * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23*4d495c6eSApple OSS Distributions * Please see the License for the specific language governing rights and
24*4d495c6eSApple OSS Distributions * limitations under the License.
25*4d495c6eSApple OSS Distributions *
26*4d495c6eSApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27*4d495c6eSApple OSS Distributions */
28*4d495c6eSApple OSS Distributions
29*4d495c6eSApple OSS Distributions /*-
30*4d495c6eSApple OSS Distributions * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
31*4d495c6eSApple OSS Distributions * Copyright (c) 2001 Ilmar S. Habibulin
32*4d495c6eSApple OSS Distributions * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc.
33*4d495c6eSApple OSS Distributions *
34*4d495c6eSApple OSS Distributions * This software was developed by Robert Watson and Ilmar Habibulin for the
35*4d495c6eSApple OSS Distributions * TrustedBSD Project.
36*4d495c6eSApple OSS Distributions *
37*4d495c6eSApple OSS Distributions * This software was developed for the FreeBSD Project in part by Network
38*4d495c6eSApple OSS Distributions * Associates Laboratories, the Security Research Division of Network
39*4d495c6eSApple OSS Distributions * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
40*4d495c6eSApple OSS Distributions * as part of the DARPA CHATS research program.
41*4d495c6eSApple OSS Distributions *
42*4d495c6eSApple OSS Distributions * Redistribution and use in source and binary forms, with or without
43*4d495c6eSApple OSS Distributions * modification, are permitted provided that the following conditions
44*4d495c6eSApple OSS Distributions * are met:
45*4d495c6eSApple OSS Distributions * 1. Redistributions of source code must retain the above copyright
46*4d495c6eSApple OSS Distributions * notice, this list of conditions and the following disclaimer.
47*4d495c6eSApple OSS Distributions * 2. Redistributions in binary form must reproduce the above copyright
48*4d495c6eSApple OSS Distributions * notice, this list of conditions and the following disclaimer in the
49*4d495c6eSApple OSS Distributions * documentation and/or other materials provided with the distribution.
50*4d495c6eSApple OSS Distributions *
51*4d495c6eSApple OSS Distributions * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
52*4d495c6eSApple OSS Distributions * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
53*4d495c6eSApple OSS Distributions * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54*4d495c6eSApple OSS Distributions * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
55*4d495c6eSApple OSS Distributions * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
56*4d495c6eSApple OSS Distributions * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
57*4d495c6eSApple OSS Distributions * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58*4d495c6eSApple OSS Distributions * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
59*4d495c6eSApple OSS Distributions * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
60*4d495c6eSApple OSS Distributions * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
61*4d495c6eSApple OSS Distributions * SUCH DAMAGE.
62*4d495c6eSApple OSS Distributions *
63*4d495c6eSApple OSS Distributions */
64*4d495c6eSApple OSS Distributions
65*4d495c6eSApple OSS Distributions #include <string.h>
66*4d495c6eSApple OSS Distributions #include <sys/param.h>
67*4d495c6eSApple OSS Distributions #include <sys/ucred.h>
68*4d495c6eSApple OSS Distributions #include <sys/malloc.h>
69*4d495c6eSApple OSS Distributions #include <sys/sbuf.h>
70*4d495c6eSApple OSS Distributions #include <sys/vnode.h>
71*4d495c6eSApple OSS Distributions #include <sys/proc.h>
72*4d495c6eSApple OSS Distributions #include <sys/proc_internal.h>
73*4d495c6eSApple OSS Distributions #include <sys/kauth.h>
74*4d495c6eSApple OSS Distributions #include <sys/imgact.h>
75*4d495c6eSApple OSS Distributions #include <sys/reason.h>
76*4d495c6eSApple OSS Distributions #include <sys/vnode_internal.h>
77*4d495c6eSApple OSS Distributions #include <mach/mach_types.h>
78*4d495c6eSApple OSS Distributions #include <kern/task.h>
79*4d495c6eSApple OSS Distributions #include <kern/zalloc.h>
80*4d495c6eSApple OSS Distributions
81*4d495c6eSApple OSS Distributions #include <os/hash.h>
82*4d495c6eSApple OSS Distributions
83*4d495c6eSApple OSS Distributions #include <security/mac_internal.h>
84*4d495c6eSApple OSS Distributions #include <security/mac_mach_internal.h>
85*4d495c6eSApple OSS Distributions
86*4d495c6eSApple OSS Distributions #include <bsd/security/audit/audit.h>
87*4d495c6eSApple OSS Distributions
88*4d495c6eSApple OSS Distributions #include <os/log.h>
89*4d495c6eSApple OSS Distributions #include <kern/cs_blobs.h>
90*4d495c6eSApple OSS Distributions #include <sys/spawn.h>
91*4d495c6eSApple OSS Distributions #include <sys/spawn_internal.h>
92*4d495c6eSApple OSS Distributions
/*
 * Allocate a fresh credential label from the MAC label zone and let every
 * registered policy initialize its slot in it.
 *
 * Returns the new label, or NULL if the zone allocation failed.  The caller
 * owns the result and releases it with mac_cred_label_free().
 */
struct label *
mac_cred_label_alloc(void)
{
	struct label *lbl = mac_labelzone_alloc(MAC_WAITOK);

	if (lbl != NULL) {
		/* Policies are only told about labels that were actually allocated. */
		MAC_PERFORM(cred_label_init, lbl);
	}
	return lbl;
}
105*4d495c6eSApple OSS Distributions
/*
 * Attach a newly allocated MAC label to a credential.
 *
 * The allocation result is not checked here: cr_label receives whatever
 * mac_cred_label_alloc() returned, including NULL on allocation failure.
 */
void
mac_cred_label_init(struct ucred *cred)
{
	struct label *fresh = mac_cred_label_alloc();

	cred->cr_label = fresh;
}
111*4d495c6eSApple OSS Distributions
/*
 * Mark a credential's label as sealed (DEVELOPMENT/DEBUG builds only).
 *
 * The label appears to live in a read-only zone (zalloc_ro), so its owner
 * field is only writable through zalloc_ro_update_field().  An all-ones
 * pointer is stored as the "sealed" marker; mac_cred_label_free()
 * recognizes that marker and clears it before destroying the label.
 * Release builds compile this to a no-op.
 */
void
mac_cred_label_seal(struct ucred *cred)
{
#if DEVELOPMENT || DEBUG
	/* Sentinel, never a real pointer. */
	struct label **seal = (struct label **)-1;

	zalloc_ro_update_field(ZONE_ID_MAC_LABEL, cred->cr_label, l_owner, &seal);
#else
	(void)cred;
#endif
}
123*4d495c6eSApple OSS Distributions
/*
 * Tear down a credential label: let every policy destroy its per-policy
 * state, then return the label to the MAC label zone.
 *
 * On DEVELOPMENT/DEBUG builds the seal marker written by
 * mac_cred_label_seal() is cleared first, through the same read-only-zone
 * update path.
 *
 * @param label  label to destroy; must be non-NULL (it is dereferenced
 *               on debug builds and handed to the policies unconditionally).
 */
void
mac_cred_label_free(struct label *label)
{
#if DEVELOPMENT || DEBUG
	struct label **seal = (struct label **)-1;

	if (label->l_owner == seal) {
		/* Reuse the local as the value to write: NULL clears the seal. */
		seal = NULL;
		zalloc_ro_update_field(ZONE_ID_MAC_LABEL, label, l_owner, &seal);
	}
#endif

	MAC_PERFORM(cred_label_destroy, label);
	mac_labelzone_free(label);
}
139*4d495c6eSApple OSS Distributions
/*
 * Return the MAC label currently attached to a credential.
 *
 * This is a plain accessor: no reference is taken on the label and the
 * credential is not modified.
 */
struct label *
mac_cred_label(struct ucred *cred)
{
	struct label *current = cred->cr_label;

	return current;
}
145*4d495c6eSApple OSS Distributions
/*
 * Compare two credential labels for equality.
 *
 * Equality is a byte-wise comparison of the per-policy slot arrays, so two
 * labels compare equal exactly when every policy stored identical slot
 * values in both.
 */
bool
mac_cred_label_is_equal(const struct label *a, const struct label *b)
{
	int difference = memcmp(a->l_perpolicy, b->l_perpolicy,
	    sizeof(a->l_perpolicy));

	return difference == 0;
}
151*4d495c6eSApple OSS Distributions
/*
 * Fold a credential label's per-policy slots into a running Jenkins hash.
 *
 * @param a     label to hash
 * @param hash  hash accumulated so far
 * @return      updated hash.  Covers exactly the same bytes that
 *              mac_cred_label_is_equal() compares, so equal labels hash
 *              identically.
 */
uint32_t
mac_cred_label_hash_update(const struct label *a, uint32_t hash)
{
	const void *slots = a->l_perpolicy;
	size_t slots_len = sizeof(a->l_perpolicy);

	return os_hash_jenkins_update(slots, slots_len, hash);
}
157*4d495c6eSApple OSS Distributions
/*
 * Externalize the label of process p's credential into the audit buffer
 * described by mac (m_string / m_buflen).
 *
 * A reference on the process credential is held for the duration of the
 * externalize call and dropped before returning.
 *
 * @return 0 on success, or the error reported by the externalize step.
 */
int
mac_cred_label_externalize_audit(struct proc *p, struct mac *mac)
{
	kauth_cred_t cred_ref = kauth_cred_proc_ref(p);
	int result = MAC_EXTERNALIZE_AUDIT(cred, mac_cred_label(cred_ref),
	    mac->m_string, mac->m_buflen);

	kauth_cred_unref(&cred_ref);
	return result;
}
172*4d495c6eSApple OSS Distributions
/*
 * Detach and destroy the label of a credential that is being torn down.
 *
 * cr_label is cleared before the label is freed, so the credential never
 * points at an already-destroyed label.
 */
void
mac_cred_label_destroy(kauth_cred_t cred)
{
	struct label *doomed;

	doomed = mac_cred_label(cred);
	cred->cr_label = NULL;
	mac_cred_label_free(doomed);
}
180*4d495c6eSApple OSS Distributions
/*
 * Externalize a credential label into its text representation.
 *
 * @param label      label to format
 * @param elements   list of label elements requested by the caller
 * @param outbuf     destination buffer
 * @param outbuflen  size of outbuf in bytes
 * @param flags      unused
 * @return 0 on success, or the error reported by the policies.
 */
int
mac_cred_label_externalize(struct label *label, char *elements,
    char *outbuf, size_t outbuflen, int flags __unused)
{
	return MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
}
191*4d495c6eSApple OSS Distributions
/*
 * Internalize a text representation into a credential label.
 *
 * Callers such as mac_execve_enter() hand user-supplied text to this
 * function, so the policies' internalize hooks are where that input gets
 * validated.
 *
 * @param label   label to fill in
 * @param string  text to parse
 * @return 0 on success, or the error reported by the policies.
 */
int
mac_cred_label_internalize(struct label *label, char *string)
{
	return MAC_INTERNALIZE(cred, label, string);
}
201*4d495c6eSApple OSS Distributions
/*
 * By default, fork just adds a reference to the parent
 * credential. Policies may need to know about this reference
 * if they are tracking exit calls to know when to free the
 * label.
 *
 * Notifies every registered policy that cred is now shared with the
 * newly forked process proc; no label data is copied here.
 */
void
mac_cred_label_associate_fork(kauth_cred_t cred, proc_t proc)
{
	MAC_PERFORM(cred_label_associate_fork, cred, proc);
}
213*4d495c6eSApple OSS Distributions
/*
 * Initialize MAC label for the first kernel process, from which other
 * kernel processes and threads are spawned.
 *
 * Each registered policy gets to set up its slot of cred's label.
 */
void
mac_cred_label_associate_kernel(kauth_cred_t cred)
{
	MAC_PERFORM(cred_label_associate_kernel, cred);
}
223*4d495c6eSApple OSS Distributions
/*
 * Initialize MAC label for the first userland process, from which other
 * userland processes and threads are spawned.
 *
 * Each registered policy gets to set up its slot of cred's label.
 */
void
mac_cred_label_associate_user(kauth_cred_t cred)
{
	MAC_PERFORM(cred_label_associate_user, cred);
}
233*4d495c6eSApple OSS Distributions
/*
 * When a new process is created, its label must be initialized. Generally,
 * this involves inheritance from the parent process, modulo possible
 * deltas. This function allows that processing to take place.
 *
 * Each policy sees both credentials and derives child_cred's label slot
 * from parent_cred's as it sees fit.
 */
void
mac_cred_label_associate(struct ucred *parent_cred, struct ucred *child_cred)
{
	MAC_PERFORM(cred_label_associate, parent_cred, child_cred);
}
244*4d495c6eSApple OSS Distributions
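/*
 * Handle the optional MAC label argument supplied to the exec path.
 *
 * mac_p is a user-space pointer; USER_ADDR_NULL means no label was
 * requested and the call succeeds without touching imgp.  Otherwise
 * mac_do_set() copies the label text in and the block below internalizes
 * it into a freshly allocated label, which is stored in
 * imgp->ip_execlabelp for the exec path to consume.  The text is untrusted
 * user input; the policies' internalize hooks are what validate it.
 *
 * @return 0 on success; ENOMEM if no label could be allocated; otherwise
 *         the error from copy-in or internalization.  On any failure inside
 *         the block, ip_execlabelp is left NULL and no label is leaked.
 */
int
mac_execve_enter(user_addr_t mac_p, struct image_params *imgp)
{
	if (mac_p == USER_ADDR_NULL) {
		return 0;
	}

	return mac_do_set(current_proc(), mac_p,
	           ^(char *input, __unused size_t len) {
		struct label *execlabel;
		int error;

		execlabel = mac_cred_label_alloc();
		if (execlabel == NULL) {
			/* mac_cred_label_alloc() reports zone exhaustion as NULL. */
			imgp->ip_execlabelp = NULL;
			return ENOMEM;
		}
		if ((error = mac_cred_label_internalize(execlabel, input))) {
			mac_cred_label_free(execlabel);
			execlabel = NULL;
		}

		imgp->ip_execlabelp = execlabel;
		return error;
	});
}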
267*4d495c6eSApple OSS Distributions
/*
 * Install a new label on a credential.
 *
 * When the subject's label changes, it may require revocation of privilege
 * to mapped objects. This can't be done on-the-fly later with a unified
 * buffer cache.
 *
 * CRF_MAC_ENFORCE is set on the posix credential so that the label takes
 * part in credential "matching" from now on; the policies are then told
 * about the new label.
 *
 * XXX: CRF_MAC_ENFORCE should be in a kauth_cred_t field, rather
 * XXX: than a posix_cred_t field.
 */
void
mac_cred_label_update(kauth_cred_t cred, struct label *newlabel)
{
	posix_cred_t pc = posix_cred_get(cred);

	pc->cr_flags |= CRF_MAC_ENFORCE;
	MAC_PERFORM(cred_label_update, cred, newlabel);
}
287*4d495c6eSApple OSS Distributions
/*
 * Ask the policies whether cred's label may be replaced by newlabel.
 *
 * MAC_CHECK expands to code that sets the local `error` from the
 * registered policies' hooks (`error` is deliberately left uninitialized
 * here and only read after the macro).
 *
 * @return 0 to allow, or an errno value from the policies.  Also 0 when
 *         the global mac_proc_enforce toggle is off on builds with
 *         SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_cred_check_label_update(kauth_cred_t cred, struct label *newlabel)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif

	MAC_CHECK(cred_check_label_update, cred, newlabel);

	return error;
}
304*4d495c6eSApple OSS Distributions
/*
 * Ask the policies whether a subject with credential u1 may see (learn of)
 * a subject with credential u2.
 *
 * MAC_CHECK assigns the local `error` from the policies' hooks.
 *
 * @return 0 to allow, or an errno value from the policies.  Also 0 when
 *         the global mac_proc_enforce toggle is off on builds with
 *         SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif

	MAC_CHECK(cred_check_visible, u1, u2);

	return error;
}
321*4d495c6eSApple OSS Distributions
/*
 * Ask the policies whether the process identified by tracing_ident, acting
 * with tracing_cred, may debug the process identified by traced_ident.
 *
 * The per-process enforcement decision is made for the *tracing* process:
 * it is looked up by identity, consulted, and released again before the
 * hooks run.  MAC_CHECK assigns the local `error`.
 *
 * @return 0 to allow; ESRCH if the tracing process no longer exists;
 *         otherwise an errno value from the policies.  Also 0 when
 *         enforcement is disabled globally or for the tracing process.
 */
int
mac_proc_check_debug(proc_ident_t tracing_ident, kauth_cred_t tracing_cred, proc_ident_t traced_ident)
{
	int error;
	bool enforce;
	proc_t tracingp;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	/*
	 * Once all mac hooks adopt proc_ident_t, finding proc_t and releasing
	 * it below should go to mac_proc_check_enforce().
	 */
	if ((tracingp = proc_find_ident(tracing_ident)) == PROC_NULL) {
		return ESRCH;
	}
	enforce = mac_proc_check_enforce(tracingp);
	/* Drop the reference taken by proc_find_ident() before calling out. */
	proc_rele(tracingp);

	if (!enforce) {
		return 0;
	}
	MAC_CHECK(proc_check_debug, tracing_cred, traced_ident);

	return error;
}
352*4d495c6eSApple OSS Distributions
/*
 * Ask the policies whether proc may have a core dump written for it.
 *
 * MAC_CHECK assigns the local `error` from the policies' hooks.
 *
 * @return 0 to allow, or an errno value from the policies.  Also 0 when
 *         enforcement is disabled globally (mac_proc_enforce, on builds
 *         with SECURITY_MAC_CHECK_ENFORCE) or for this process
 *         (mac_proc_check_enforce()).
 */
int
mac_proc_check_dump_core(struct proc *proc)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(proc)) {
		return 0;
	}

	MAC_CHECK(proc_check_dump_core, proc);

	return error;
}
372*4d495c6eSApple OSS Distributions
/*
 * Ask the policies whether the current process may create a thread in
 * another task with the given initial register state.
 *
 * Enforcement is decided for the calling process (current_proc()).  The
 * target task is mapped to its proc via task_pid()/proc_find(); the
 * reference taken by proc_find() is held across the hooks and released
 * afterwards.  MAC_CHECK assigns the local `error`.
 *
 * @param task             target task
 * @param flavor           thread state flavor of new_state
 * @param new_state        initial thread state, passed through to policies
 * @param new_state_count  element count of new_state
 * @return 0 to allow; ESRCH if the target task has no live proc; otherwise
 *         an errno value from the policies.  Also 0 when enforcement is
 *         disabled globally or for the calling process.
 */
int
mac_proc_check_remote_thread_create(struct task *task, int flavor, thread_state_t new_state, mach_msg_type_number_t new_state_count)
{
	proc_t curp = current_proc();
	proc_t proc;
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(curp)) {
		return 0;
	}

	proc = proc_find(task_pid(task));
	if (proc == PROC_NULL) {
		return ESRCH;
	}

	MAC_CHECK(proc_check_remote_thread_create, current_cached_proc_cred(curp),
	    proc, flavor, new_state, new_state_count);
	/* Balances proc_find() above; proc stays valid through the hooks. */
	proc_rele(proc);

	return error;
}
401*4d495c6eSApple OSS Distributions
/*
 * Notify the policies that a service port is being derived.
 *
 * The credential handed to the hooks is the cached credential of the
 * current process (current_cached_proc_cred(PROC_NULL)).  This is a
 * notification only: no decision is returned.
 */
void
mac_proc_notify_service_port_derive(struct mach_service_port_info *sp_info)
{
	kauth_cred_t cur_cred = current_cached_proc_cred(PROC_NULL);

	MAC_PERFORM(proc_notify_service_port_derive, cur_cred, sp_info);
}
408*4d495c6eSApple OSS Distributions
/*
 * Ask the policies whether curp may fork.
 *
 * The hooks receive curp's cached credential and curp itself.  MAC_CHECK
 * assigns the local `error` from the policies' hooks.
 *
 * @return 0 to allow, or an errno value from the policies.  Also 0 when
 *         enforcement is disabled globally (mac_proc_enforce, on builds
 *         with SECURITY_MAC_CHECK_ENFORCE) or for curp
 *         (mac_proc_check_enforce()).
 */
int
mac_proc_check_fork(proc_t curp)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(curp)) {
		return 0;
	}

	MAC_CHECK(proc_check_fork, current_cached_proc_cred(curp), curp);

	return error;
}
428*4d495c6eSApple OSS Distributions
/*
 * Ask the policies whether cred may obtain a task port of the given flavor
 * for the process identified by pident.
 *
 * Unlike the proc hooks above, this check is not gated on mac_proc_enforce
 * or mac_proc_check_enforce(): the policies are always consulted.
 * MAC_CHECK assigns the local `error`.
 *
 * @param flavor  task port flavor; asserted to be at most TASK_FLAVOR_NAME
 * @return 0 to allow, or an errno value from the policies.
 */
int
mac_proc_check_get_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
{
	int error;

	assert(flavor <= TASK_FLAVOR_NAME);

	MAC_CHECK(proc_check_get_task_with_flavor, cred, pident, flavor);

	return error;
}
440*4d495c6eSApple OSS Distributions
/*
 * Ask the policies whether cred may expose a task port of the given flavor
 * for the process identified by pident (e.g. hand it to another task).
 *
 * Like mac_proc_check_get_task(), this is not gated on any enforcement
 * toggle: the policies are always consulted.  MAC_CHECK assigns the
 * local `error`.
 *
 * @param flavor  task port flavor; asserted to be at most TASK_FLAVOR_NAME
 * @return 0 to allow, or an errno value from the policies.
 */
int
mac_proc_check_expose_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
{
	int error;

	assert(flavor <= TASK_FLAVOR_NAME);

	MAC_CHECK(proc_check_expose_task_with_flavor, cred, pident, flavor);

	return error;
}
452*4d495c6eSApple OSS Distributions
/*
 * Ask the policies whether process p, executing a new image, may keep its
 * existing IPC ports across the exec.
 *
 * The current and new images are identified by vnode plus offset (for
 * images embedded in a larger file); scriptvp names the interpreter
 * script, if any.  No enforcement toggle is consulted here: the policies
 * always see this check.  MAC_CHECK assigns the local `error`.
 *
 * @param p           process performing the exec
 * @param cur_vp      vnode of the currently running image
 * @param cur_offset  offset of the current image within cur_vp
 * @param img_vp      vnode of the image being exec'd
 * @param img_offset  offset of the new image within img_vp
 * @param scriptvp    script vnode, presumably NULL when not a script exec
 *                    — confirm against callers
 * @return 0 to allow, or an errno value from the policies.
 */
int
mac_proc_check_inherit_ipc_ports(
	struct proc *p,
	struct vnode *cur_vp,
	off_t cur_offset,
	struct vnode *img_vp,
	off_t img_offset,
	struct vnode *scriptvp)
{
	int error;

	MAC_CHECK(proc_check_inherit_ipc_ports, p, cur_vp, cur_offset, img_vp, img_offset, scriptvp);

	return error;
}
468*4d495c6eSApple OSS Distributions
/*
 * Ask the policies whether p, with credential cred, may perform the
 * iopolicysys() operation (cmd, type, scope, policy).
 *
 * Note that the global gate here is mac_system_enforce, not
 * mac_proc_enforce as in the other proc hooks, and that no per-process
 * mac_proc_check_enforce() test is applied.  MAC_CHECK assigns the local
 * `error`.
 *
 * @return 0 to allow, or an errno value from the policies.  Also 0 when
 *         mac_system_enforce is off on builds with
 *         SECURITY_MAC_CHECK_ENFORCE.
 */
int
mac_proc_check_iopolicysys(struct proc *p, kauth_cred_t cred, int cmd, int type, int scope, int policy)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_system_enforce) {
		return 0;
	}
#endif

	MAC_CHECK(proc_check_iopolicysys, p, cred, cmd, type, scope, policy);

	return error;
}
485*4d495c6eSApple OSS Distributions
/*
 * The type of maxprot in proc_check_map_anon must be equivalent to vm_prot_t
 * (defined in <mach/vm_prot.h>). mac_policy.h does not include any header
 * files, so cannot use the typedef itself.
 */
/*
 * Ask the policies whether proc (credential cred) may create an anonymous
 * mapping at u_addr of u_size bytes with protection prot and mmap flags.
 *
 * maxprot is passed by pointer, so policies may clamp the maximum
 * protection the mapping can ever be granted.  The global gate here is
 * mac_vm_enforce (not mac_proc_enforce), followed by the per-process
 * mac_proc_check_enforce() test.  MAC_CHECK assigns the local `error`.
 *
 * @return 0 to allow, or an errno value from the policies.  Also 0 when
 *         enforcement is disabled globally or for proc.
 */
int
mac_proc_check_map_anon(proc_t proc, kauth_cred_t cred, user_addr_t u_addr,
    user_size_t u_size, int prot, int flags, int *maxprot)
{
	int error;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_vm_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(proc)) {
		return 0;
	}

	MAC_CHECK(proc_check_map_anon, proc, cred, u_addr, u_size, prot, flags, maxprot);

	return error;
}
511*4d495c6eSApple OSS Distributions
512*4d495c6eSApple OSS Distributions
/*
 * MAC hook for memorystatus_control(2).
 *
 * proc:    calling process; its cached credential is the subject of the check
 * command: memorystatus command being issued
 * pid:     pid argument of the call (presumably the target process — confirm
 *          against the caller)
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on the per-process enforce flag.
 */
int
mac_proc_check_memorystatus_control(proc_t proc, uint32_t command, pid_t pid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - policies are consulted only when proc enforcement is on */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	/* Per-process opt-out: exempt processes skip the policy walk */
	if (!mac_proc_check_enforce(proc)) {
		return 0;
	}

	kauth_cred_t subject = current_cached_proc_cred(proc);
	MAC_CHECK(proc_check_memorystatus_control, subject, command, pid);

	return error;
}
533*4d495c6eSApple OSS Distributions
/*
 * MAC hook for mprotect(2).
 *
 * proc:  process whose address space is being changed; its cached credential
 *        is handed to the policies as the subject, followed by proc itself
 * addr, size: the user range being re-protected
 * prot:  the requested protection
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_vm_enforce and on the per-process enforce flag.
 */
int
mac_proc_check_mprotect(proc_t proc,
    user_addr_t addr, user_size_t size, int prot)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - nothing to check while VM enforcement is off */
	if (mac_vm_enforce == 0) {
		return 0;
	}
#endif
	if (mac_proc_check_enforce(proc) == 0) {
		/* This process is exempt from MAC checks */
		return 0;
	}

	kauth_cred_t subject = current_cached_proc_cred(proc);
	MAC_CHECK(proc_check_mprotect, subject, proc, addr, size, prot);

	return error;
}
555*4d495c6eSApple OSS Distributions
/*
 * Ask the policies whether proc may keep running after its code signature
 * became invalid.
 *
 * proc: the process whose signature is no longer valid
 *
 * Returns 0 to allow it to continue, otherwise the selected policy error.
 * Gated on mac_vm_enforce only: there is deliberately no per-process
 * mac_proc_check_enforce() opt-out here, so every process is subject to
 * the decision.
 */
int
mac_proc_check_run_cs_invalid(proc_t proc)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - consult policies only while VM enforcement is on */
	if (!mac_vm_enforce) {
		return 0;
	}
#endif

	MAC_CHECK(proc_check_run_cs_invalid, proc);
	return error;
}
572*4d495c6eSApple OSS Distributions
/*
 * Notify every policy that proc's code signature has been invalidated.
 * This is a fire-and-forget notification (MAC_PERFORM): policies cannot
 * veto it and no result is returned. Not gated on any enforce flag.
 */
void
mac_proc_notify_cs_invalidated(proc_t proc)
{
	MAC_PERFORM(proc_notify_cs_invalidated, proc);
}
578*4d495c6eSApple OSS Distributions
/*
 * MAC hook for scheduler manipulation of another process.
 *
 * curp: calling process; its cached credential is the subject
 * proc: the process whose scheduling is being changed
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_sched(proc_t curp, struct proc *proc)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only consult policies when proc enforcement is on */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif
	/* Exempt callers bypass the policy walk */
	if (mac_proc_check_enforce(curp) == 0) {
		return 0;
	}

	kauth_cred_t subject = current_cached_proc_cred(curp);
	MAC_CHECK(proc_check_sched, subject, proc);

	return error;
}
598*4d495c6eSApple OSS Distributions
/*
 * MAC hook for signal delivery.
 *
 * curp:       calling process; its cached credential is the subject
 * instigator: identity of the process sending the signal
 * target:     identity of the process receiving it
 * signum:     the signal number
 *
 * instigator and target are proc_ident_t values rather than proc_t, so the
 * policy walk runs without holding any proc references.
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_signal(proc_t curp, proc_ident_t instigator, proc_ident_t target, int signum)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - nothing to check while proc enforcement is off */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(curp)) {
		/* Caller is exempt from MAC checks */
		return 0;
	}

	/* Check policy without holding any proc refs */
	kauth_cred_t subject = current_cached_proc_cred(curp);
	MAC_CHECK(proc_check_signal, subject, instigator, target, signum);

	return error;
}
618*4d495c6eSApple OSS Distributions
/*
 * MAC hook consulted on entry to a BSD system call.
 *
 * curp:  the calling process (passed to the policies directly; no credential
 *        is derived here)
 * scnum: the system call number
 *
 * Returns 0 to allow the call, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_syscall_unix(proc_t curp, int scnum)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - consult policies only while proc enforcement is on */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif
	/* Exempt processes skip the per-syscall policy walk */
	if (mac_proc_check_enforce(curp) == 0) {
		return 0;
	}

	MAC_CHECK(proc_check_syscall_unix, curp, scnum);
	return error;
}
638*4d495c6eSApple OSS Distributions
/*
 * MAC hook for wait-family calls.
 *
 * curp: calling process; its cached credential is the subject
 * proc: the process being waited on
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_wait(proc_t curp, struct proc *proc)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - nothing to check while proc enforcement is off */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(curp)) {
		/* Caller is exempt from MAC checks */
		return 0;
	}

	kauth_cred_t subject = current_cached_proc_cred(curp);
	MAC_CHECK(proc_check_wait, subject, proc);

	return error;
}
658*4d495c6eSApple OSS Distributions
/*
 * Notify every policy that proc is exiting. A fire-and-forget MAC_PERFORM
 * notification: policies cannot veto it and nothing is returned. Not gated
 * on any enforce flag.
 */
void
mac_proc_notify_exit(struct proc *proc)
{
	MAC_PERFORM(proc_notify_exit, proc);
}
664*4d495c6eSApple OSS Distributions
/*
 * MAC hook for suspending or resuming a process.
 *
 * proc: the process being suspended/resumed (the object of the check)
 * sr:   suspend/resume selector passed through to the policies
 *
 * Note that the subject is the *current* process, not proc: both the
 * per-process enforce gate and the credential handed to the policies come
 * from current_proc().
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on the current process's enforce flag.
 */
int
mac_proc_check_suspend_resume(proc_t proc, int sr)
{
	proc_t self = current_proc();
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - consult policies only while proc enforcement is on */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif
	/* The caller, not the target, decides whether MAC checks apply */
	if (mac_proc_check_enforce(self) == 0) {
		return 0;
	}

	kauth_cred_t subject = current_cached_proc_cred(self);
	MAC_CHECK(proc_check_suspend_resume, subject, proc, sr);

	return error;
}
686*4d495c6eSApple OSS Distributions
/*
 * MAC hook for ledger operations on a process.
 *
 * curp:      calling process; its cached credential is the subject
 * proc:      the process whose ledger is being operated on
 * ledger_op: the ledger operation code, passed through unchanged
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_ledger(proc_t curp, proc_t proc, int ledger_op)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - nothing to check while proc enforcement is off */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(curp)) {
		/* Caller is exempt from MAC checks */
		return 0;
	}

	kauth_cred_t subject = current_cached_proc_cred(curp);
	MAC_CHECK(proc_check_ledger, subject, proc, ledger_op);

	return error;
}
707*4d495c6eSApple OSS Distributions
/*
 * MAC hook for proc_info(2).
 *
 * curp:    calling process; its cached credential is the subject
 * target:  the process being inspected
 * callnum: proc_info call number
 * flavor:  flavor argument of that call
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - consult policies only while proc enforcement is on */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif
	/* Exempt callers bypass the policy walk */
	if (mac_proc_check_enforce(curp) == 0) {
		return 0;
	}

	kauth_cred_t subject = current_cached_proc_cred(curp);
	MAC_CHECK(proc_check_proc_info, subject, target, callnum, flavor);

	return error;
}
728*4d495c6eSApple OSS Distributions
/*
 * MAC hook for reading code-signing information about a process.
 *
 * curp:   calling process; its cached credential is the subject
 * target: the process whose code-signing state is being queried
 * op:     csops-style operation code
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - nothing to check while proc enforcement is off */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(curp)) {
		/* Caller is exempt from MAC checks */
		return 0;
	}

	kauth_cred_t subject = current_cached_proc_cred(curp);
	MAC_CHECK(proc_check_get_cs_info, subject, target, op);

	return error;
}
749*4d495c6eSApple OSS Distributions
/*
 * MAC hook for modifying code-signing state of a process.
 *
 * curp:   calling process; its cached credential is the subject
 * target: the process whose code-signing state is being changed
 * op:     csops-style operation code
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_set_cs_info(proc_t curp, proc_t target, unsigned int op)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - consult policies only while proc enforcement is on */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif
	/* Exempt callers bypass the policy walk */
	if (mac_proc_check_enforce(curp) == 0) {
		return 0;
	}

	kauth_cred_t subject = current_cached_proc_cred(curp);
	MAC_CHECK(proc_check_set_cs_info, subject, target, op);

	return error;
}
770*4d495c6eSApple OSS Distributions
/*
 * MAC hook for setuid(2).
 *
 * curp: calling process; used only for the per-process enforce gate
 * cred: credential supplied by the caller and handed to the policies
 *       unchanged (not derived from curp here)
 * uid:  the uid being requested
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_setuid(proc_t curp, kauth_cred_t cred, uid_t uid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - nothing to check while proc enforcement is off */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(curp)) {
		/* Caller is exempt from MAC checks */
		return 0;
	}

	MAC_CHECK(proc_check_setuid, cred, uid);
	return error;
}
790*4d495c6eSApple OSS Distributions
/*
 * MAC hook for seteuid(2).
 *
 * curp: calling process; used only for the per-process enforce gate
 * cred: caller-supplied credential handed to the policies unchanged
 * euid: the effective uid being requested
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_seteuid(proc_t curp, kauth_cred_t cred, uid_t euid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - consult policies only while proc enforcement is on */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif
	/* Exempt callers bypass the policy walk */
	if (mac_proc_check_enforce(curp) == 0) {
		return 0;
	}

	MAC_CHECK(proc_check_seteuid, cred, euid);
	return error;
}
810*4d495c6eSApple OSS Distributions
/*
 * MAC hook for setreuid(2).
 *
 * curp: calling process; used only for the per-process enforce gate
 * cred: caller-supplied credential handed to the policies unchanged
 * ruid, euid: the real and effective uids being requested
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_setreuid(proc_t curp, kauth_cred_t cred, uid_t ruid, uid_t euid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - nothing to check while proc enforcement is off */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(curp)) {
		/* Caller is exempt from MAC checks */
		return 0;
	}

	MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
	return error;
}
830*4d495c6eSApple OSS Distributions
/*
 * MAC hook for setgid(2).
 *
 * curp: calling process; used only for the per-process enforce gate
 * cred: caller-supplied credential handed to the policies unchanged
 * gid:  the gid being requested
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_setgid(proc_t curp, kauth_cred_t cred, gid_t gid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - consult policies only while proc enforcement is on */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif
	/* Exempt callers bypass the policy walk */
	if (mac_proc_check_enforce(curp) == 0) {
		return 0;
	}

	MAC_CHECK(proc_check_setgid, cred, gid);
	return error;
}
850*4d495c6eSApple OSS Distributions
/*
 * MAC hook for setegid(2).
 *
 * curp: calling process; used only for the per-process enforce gate
 * cred: caller-supplied credential handed to the policies unchanged
 * egid: the effective gid being requested
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_setegid(proc_t curp, kauth_cred_t cred, gid_t egid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - nothing to check while proc enforcement is off */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(curp)) {
		/* Caller is exempt from MAC checks */
		return 0;
	}

	MAC_CHECK(proc_check_setegid, cred, egid);
	return error;
}
870*4d495c6eSApple OSS Distributions
/*
 * MAC hook for setregid(2).
 *
 * curp: calling process; used only for the per-process enforce gate
 * cred: caller-supplied credential handed to the policies unchanged
 * rgid, egid: the real and effective gids being requested
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_setregid(proc_t curp, kauth_cred_t cred, gid_t rgid, gid_t egid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - consult policies only while proc enforcement is on */
	if (mac_proc_enforce == 0) {
		return 0;
	}
#endif
	/* Exempt callers bypass the policy walk */
	if (mac_proc_check_enforce(curp) == 0) {
		return 0;
	}

	MAC_CHECK(proc_check_setregid, cred, rgid, egid);
	return error;
}
890*4d495c6eSApple OSS Distributions
/*
 * MAC hook for settid(2), which assumes a per-thread identity.
 *
 * curp: calling process; its cached credential is the first subject handed
 *       to the policies
 * uid, gid: the identity being requested for the thread
 *
 * Unlike the set*uid/set*gid hooks above, no caller-supplied credential is
 * taken here: the policies receive both the process's cached credential and
 * kauth_cred_get() — the calling thread's credential, which may differ from
 * the process credential once a thread identity is in effect.
 *
 * Returns 0 to allow, otherwise the selected policy error. Gated on
 * mac_proc_enforce and on curp's per-process enforce flag.
 */
int
mac_proc_check_settid(proc_t curp, uid_t uid, gid_t gid)
{
	int error = 0;

#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - nothing to check while proc enforcement is off */
	if (!mac_proc_enforce) {
		return 0;
	}
#endif
	if (!mac_proc_check_enforce(curp)) {
		/* Caller is exempt from MAC checks */
		return 0;
	}

	kauth_cred_t proc_cred = current_cached_proc_cred(curp);
	kauth_cred_t thread_cred = kauth_cred_get();
	MAC_CHECK(proc_check_settid, proc_cred, thread_cred, uid, gid);

	return error;
}
911*4d495c6eSApple OSS Distributions
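/*
 * Evaluate launch-constraint policies for the image being exec'd / spawned.
 *
 * curp:    the process performing the exec; its original parent pid and
 *          responsible pid are handed to each policy
 * imgp:    exec image parameters — ip_vp is the executable's vnode,
 *          ip_px_sa / ip_px_smpx carry the posix_spawn attributes
 * reasonp: on a fatal failure receives a newly created os_reason describing
 *          the violation (ownership passes to the caller); left untouched
 *          otherwise
 *
 * Returns 0 when every policy allows the launch, otherwise the error
 * selected across policies. A policy signals a fatal, crash-report-worthy
 * violation by filling in fatal_failure_desc / fatal_failure_desc_len; that
 * description is copied into the exit reason and then freed here.
 */
int
mac_proc_check_launch_constraints(proc_t curp, struct image_params *imgp, os_reason_t *reasonp)
{
	char *fatal_failure_desc = NULL;
	size_t fatal_failure_desc_len = 0;

	pid_t original_parent_id = proc_original_ppid(curp);

	pid_t responsible_pid = curp->p_responsible_pid;

	int error = 0;

	/* Vnode of the file */
	struct vnode *vp = imgp->ip_vp;

	char *vn_path = NULL;
	/*
	 * vn_getpath() takes an int in/out length. Declare it as such instead
	 * of casting a pointer to a wider vm_size_t, which only aliased part of
	 * the variable.
	 */
	int vn_pathlen = MAXPATHLEN;
#if SECURITY_MAC_CHECK_ENFORCE
	/* 21167099 - only check if we allow write */
	if (!mac_proc_enforce || !mac_vnode_enforce) {
		return 0;
	}
#endif

	MAC_POLICY_ITERATE({
		mpo_proc_check_launch_constraints_t *hook = mpc->mpc_ops->mpo_proc_check_launch_constraints;
		if (hook == NULL) {
		        continue;
		}

		size_t spawnattrlen = 0;
		/* Per-policy attribute blob from the spawn attributes, keyed by policy name */
		void *spawnattr = exec_spawnattr_getmacpolicyinfo(&imgp->ip_px_smpx, mpc->mpc_name, &spawnattrlen);
		struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
		struct launch_constraint_data lcd;
		lcd.launch_type = CS_LAUNCH_TYPE_NONE;

		/* Check to see if psa_launch_type was initialized */
		if (psa != (struct _posix_spawnattr*)NULL) {
		        lcd.launch_type = psa->psa_launch_type;
		}

		error = mac_error_select(
			hook(curp, original_parent_id, responsible_pid,
			spawnattr, spawnattrlen, &lcd, &fatal_failure_desc, &fatal_failure_desc_len), error);

		/*
		 * Early exit in case of failure in case we have multiple registered callers.
		 * This is to avoid other MACF policies from stomping on each other's failure description.
		 *
		 * NOTE(review): this goto leaves MAC_POLICY_ITERATE from inside its
		 * body. If the iteration marks the dynamic policy list busy, confirm
		 * the macro does not rely on reaching its end to release that state.
		 */
		if (fatal_failure_desc_len) {
		        goto policy_fail;
		}
	});

policy_fail:
	if (fatal_failure_desc_len) {
		/*
		 * A fatal code signature validation failure occurred, formulate a crash
		 * reason.
		 */

		char const *path = NULL;

		vn_path = zalloc(ZV_NAMEI);
		if (vn_getpath(vp, vn_path, &vn_pathlen) == 0) {
			path = vn_path;
		} else {
			path = "(get vnode path failed)";
		}

		/* A fatal description with no error is a policy bug; fail loudly rather than launch. */
		if (error == 0) {
			panic("%s: MAC hook returned no error, but status is claimed to be fatal? "
			    "path: '%s', fatal_failure_desc_len: %zu, fatal_failure_desc:\n%s\n",
			    __func__, path, fatal_failure_desc_len, fatal_failure_desc);
		}

		/* NOTE(review): the os_reason_create() result is not NULL-checked — confirm it cannot fail. */
		os_reason_t reason = os_reason_create(OS_REASON_CODESIGNING,
		    CODESIGNING_EXIT_REASON_LAUNCH_CONSTRAINT_VIOLATION);

		*reasonp = reason;

		reason->osr_flags = (OS_REASON_FLAG_GENERATE_CRASH_REPORT |
		    OS_REASON_FLAG_CONSISTENT_FAILURE);

		if (fatal_failure_desc != NULL) {
			mach_vm_address_t data_addr = 0;

			/*
			 * Best effort: a failure here only means the crash report lacks
			 * the description. The error codes are kept (presumably for
			 * debugger inspection) even though nothing reads them.
			 */
			int reason_error = 0;
			int kcdata_error = 0;

			if ((reason_error = os_reason_alloc_buffer_noblock(reason,
			    kcdata_estimate_required_buffer_size(1,
			    (uint32_t)fatal_failure_desc_len))) == 0) {
				if ((kcdata_error = kcdata_get_memory_addr(&reason->osr_kcd_descriptor,
				    EXIT_REASON_USER_DESC, (uint32_t)fatal_failure_desc_len,
				    &data_addr)) == KERN_SUCCESS) {
					kcdata_memcpy(&reason->osr_kcd_descriptor, (mach_vm_address_t)data_addr,
					    fatal_failure_desc, (uint32_t)fatal_failure_desc_len);
				}
			}
		}
	}

	if (vn_path) {
		zfree(ZV_NAMEI, vn_path);
	}

	/* The description buffer belongs to us once a policy hands it back */
	if (fatal_failure_desc_len > 0 && fatal_failure_desc != NULL) {
		kfree_data(fatal_failure_desc, fatal_failure_desc_len);
	}

	return error;
}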
1025