1*043036a2SApple OSS Distributions /*
2*043036a2SApple OSS Distributions * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
3*043036a2SApple OSS Distributions *
4*043036a2SApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5*043036a2SApple OSS Distributions *
6*043036a2SApple OSS Distributions * This file contains Original Code and/or Modifications of Original Code
7*043036a2SApple OSS Distributions * as defined in and that are subject to the Apple Public Source License
8*043036a2SApple OSS Distributions * Version 2.0 (the 'License'). You may not use this file except in
9*043036a2SApple OSS Distributions * compliance with the License. The rights granted to you under the License
10*043036a2SApple OSS Distributions * may not be used to create, or enable the creation or redistribution of,
11*043036a2SApple OSS Distributions * unlawful or unlicensed copies of an Apple operating system, or to
12*043036a2SApple OSS Distributions * circumvent, violate, or enable the circumvention or violation of, any
13*043036a2SApple OSS Distributions * terms of an Apple operating system software license agreement.
14*043036a2SApple OSS Distributions *
15*043036a2SApple OSS Distributions * Please obtain a copy of the License at
16*043036a2SApple OSS Distributions * http://www.opensource.apple.com/apsl/ and read it before using this file.
17*043036a2SApple OSS Distributions *
18*043036a2SApple OSS Distributions * The Original Code and all software distributed under the License are
19*043036a2SApple OSS Distributions * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20*043036a2SApple OSS Distributions * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21*043036a2SApple OSS Distributions * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22*043036a2SApple OSS Distributions * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23*043036a2SApple OSS Distributions * Please see the License for the specific language governing rights and
24*043036a2SApple OSS Distributions * limitations under the License.
25*043036a2SApple OSS Distributions *
26*043036a2SApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27*043036a2SApple OSS Distributions */
28*043036a2SApple OSS Distributions
29*043036a2SApple OSS Distributions /*-
30*043036a2SApple OSS Distributions * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
31*043036a2SApple OSS Distributions * Copyright (c) 2001 Ilmar S. Habibulin
32*043036a2SApple OSS Distributions * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc.
33*043036a2SApple OSS Distributions *
34*043036a2SApple OSS Distributions * This software was developed by Robert Watson and Ilmar Habibulin for the
35*043036a2SApple OSS Distributions * TrustedBSD Project.
36*043036a2SApple OSS Distributions *
37*043036a2SApple OSS Distributions * This software was developed for the FreeBSD Project in part by Network
38*043036a2SApple OSS Distributions * Associates Laboratories, the Security Research Division of Network
39*043036a2SApple OSS Distributions * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
40*043036a2SApple OSS Distributions * as part of the DARPA CHATS research program.
41*043036a2SApple OSS Distributions *
42*043036a2SApple OSS Distributions * Redistribution and use in source and binary forms, with or without
43*043036a2SApple OSS Distributions * modification, are permitted provided that the following conditions
44*043036a2SApple OSS Distributions * are met:
45*043036a2SApple OSS Distributions * 1. Redistributions of source code must retain the above copyright
46*043036a2SApple OSS Distributions * notice, this list of conditions and the following disclaimer.
47*043036a2SApple OSS Distributions * 2. Redistributions in binary form must reproduce the above copyright
48*043036a2SApple OSS Distributions * notice, this list of conditions and the following disclaimer in the
49*043036a2SApple OSS Distributions * documentation and/or other materials provided with the distribution.
50*043036a2SApple OSS Distributions *
51*043036a2SApple OSS Distributions * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
52*043036a2SApple OSS Distributions * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
53*043036a2SApple OSS Distributions * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54*043036a2SApple OSS Distributions * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
55*043036a2SApple OSS Distributions * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
56*043036a2SApple OSS Distributions * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
57*043036a2SApple OSS Distributions * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58*043036a2SApple OSS Distributions * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
59*043036a2SApple OSS Distributions * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
60*043036a2SApple OSS Distributions * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
61*043036a2SApple OSS Distributions * SUCH DAMAGE.
62*043036a2SApple OSS Distributions *
63*043036a2SApple OSS Distributions */
64*043036a2SApple OSS Distributions
65*043036a2SApple OSS Distributions #include <string.h>
66*043036a2SApple OSS Distributions #include <sys/param.h>
67*043036a2SApple OSS Distributions #include <sys/ucred.h>
68*043036a2SApple OSS Distributions #include <sys/malloc.h>
69*043036a2SApple OSS Distributions #include <sys/sbuf.h>
70*043036a2SApple OSS Distributions #include <sys/vnode.h>
71*043036a2SApple OSS Distributions #include <sys/proc.h>
72*043036a2SApple OSS Distributions #include <sys/proc_internal.h>
73*043036a2SApple OSS Distributions #include <sys/kauth.h>
74*043036a2SApple OSS Distributions #include <sys/imgact.h>
75*043036a2SApple OSS Distributions #include <sys/reason.h>
76*043036a2SApple OSS Distributions #include <sys/vnode_internal.h>
77*043036a2SApple OSS Distributions #include <mach/mach_types.h>
78*043036a2SApple OSS Distributions #include <kern/task.h>
79*043036a2SApple OSS Distributions #include <kern/zalloc.h>
80*043036a2SApple OSS Distributions
81*043036a2SApple OSS Distributions #include <os/hash.h>
82*043036a2SApple OSS Distributions
83*043036a2SApple OSS Distributions #include <security/mac_internal.h>
84*043036a2SApple OSS Distributions #include <security/mac_mach_internal.h>
85*043036a2SApple OSS Distributions
86*043036a2SApple OSS Distributions #include <bsd/security/audit/audit.h>
87*043036a2SApple OSS Distributions
88*043036a2SApple OSS Distributions #include <os/log.h>
89*043036a2SApple OSS Distributions #include <kern/cs_blobs.h>
90*043036a2SApple OSS Distributions #include <sys/spawn.h>
91*043036a2SApple OSS Distributions #include <sys/spawn_internal.h>
92*043036a2SApple OSS Distributions
93*043036a2SApple OSS Distributions struct label *
mac_cred_label_alloc(void)94*043036a2SApple OSS Distributions mac_cred_label_alloc(void)
95*043036a2SApple OSS Distributions {
96*043036a2SApple OSS Distributions struct label *label;
97*043036a2SApple OSS Distributions
98*043036a2SApple OSS Distributions label = mac_labelzone_alloc(MAC_WAITOK);
99*043036a2SApple OSS Distributions if (label == NULL) {
100*043036a2SApple OSS Distributions return NULL;
101*043036a2SApple OSS Distributions }
102*043036a2SApple OSS Distributions MAC_PERFORM(cred_label_init, label);
103*043036a2SApple OSS Distributions return label;
104*043036a2SApple OSS Distributions }
105*043036a2SApple OSS Distributions
106*043036a2SApple OSS Distributions void
mac_cred_label_init(struct ucred * cred)107*043036a2SApple OSS Distributions mac_cred_label_init(struct ucred *cred)
108*043036a2SApple OSS Distributions {
109*043036a2SApple OSS Distributions cred->cr_label = mac_cred_label_alloc();
110*043036a2SApple OSS Distributions }
111*043036a2SApple OSS Distributions
112*043036a2SApple OSS Distributions void
mac_cred_label_seal(struct ucred * cred)113*043036a2SApple OSS Distributions mac_cred_label_seal(struct ucred *cred)
114*043036a2SApple OSS Distributions {
115*043036a2SApple OSS Distributions #if DEVELOPMENT || DEBUG
116*043036a2SApple OSS Distributions struct label **seal = (struct label **)-1;
117*043036a2SApple OSS Distributions
118*043036a2SApple OSS Distributions zalloc_ro_update_field(ZONE_ID_MAC_LABEL, cred->cr_label, l_owner, &seal);
119*043036a2SApple OSS Distributions #else
120*043036a2SApple OSS Distributions (void)cred;
121*043036a2SApple OSS Distributions #endif
122*043036a2SApple OSS Distributions }
123*043036a2SApple OSS Distributions
124*043036a2SApple OSS Distributions void
mac_cred_label_free(struct label * label)125*043036a2SApple OSS Distributions mac_cred_label_free(struct label *label)
126*043036a2SApple OSS Distributions {
127*043036a2SApple OSS Distributions #if DEVELOPMENT || DEBUG
128*043036a2SApple OSS Distributions struct label **seal = (struct label **)-1;
129*043036a2SApple OSS Distributions
130*043036a2SApple OSS Distributions if (label->l_owner == seal) {
131*043036a2SApple OSS Distributions seal = NULL;
132*043036a2SApple OSS Distributions zalloc_ro_update_field(ZONE_ID_MAC_LABEL, label, l_owner, &seal);
133*043036a2SApple OSS Distributions }
134*043036a2SApple OSS Distributions #endif
135*043036a2SApple OSS Distributions
136*043036a2SApple OSS Distributions MAC_PERFORM(cred_label_destroy, label);
137*043036a2SApple OSS Distributions mac_labelzone_free(label);
138*043036a2SApple OSS Distributions }
139*043036a2SApple OSS Distributions
140*043036a2SApple OSS Distributions struct label *
mac_cred_label(struct ucred * cred)141*043036a2SApple OSS Distributions mac_cred_label(struct ucred *cred)
142*043036a2SApple OSS Distributions {
143*043036a2SApple OSS Distributions return cred->cr_label;
144*043036a2SApple OSS Distributions }
145*043036a2SApple OSS Distributions
146*043036a2SApple OSS Distributions bool
mac_cred_label_is_equal(const struct label * a,const struct label * b)147*043036a2SApple OSS Distributions mac_cred_label_is_equal(const struct label *a, const struct label *b)
148*043036a2SApple OSS Distributions {
149*043036a2SApple OSS Distributions return memcmp(a->l_perpolicy, b->l_perpolicy, sizeof(a->l_perpolicy)) == 0;
150*043036a2SApple OSS Distributions }
151*043036a2SApple OSS Distributions
152*043036a2SApple OSS Distributions uint32_t
mac_cred_label_hash_update(const struct label * a,uint32_t hash)153*043036a2SApple OSS Distributions mac_cred_label_hash_update(const struct label *a, uint32_t hash)
154*043036a2SApple OSS Distributions {
155*043036a2SApple OSS Distributions return os_hash_jenkins_update(a->l_perpolicy, sizeof(a->l_perpolicy), hash);
156*043036a2SApple OSS Distributions }
157*043036a2SApple OSS Distributions
158*043036a2SApple OSS Distributions int
mac_cred_label_externalize_audit(struct proc * p,struct mac * mac)159*043036a2SApple OSS Distributions mac_cred_label_externalize_audit(struct proc *p, struct mac *mac)
160*043036a2SApple OSS Distributions {
161*043036a2SApple OSS Distributions kauth_cred_t cr;
162*043036a2SApple OSS Distributions int error;
163*043036a2SApple OSS Distributions
164*043036a2SApple OSS Distributions cr = kauth_cred_proc_ref(p);
165*043036a2SApple OSS Distributions
166*043036a2SApple OSS Distributions error = MAC_EXTERNALIZE_AUDIT(cred, mac_cred_label(cr),
167*043036a2SApple OSS Distributions mac->m_string, mac->m_buflen);
168*043036a2SApple OSS Distributions
169*043036a2SApple OSS Distributions kauth_cred_unref(&cr);
170*043036a2SApple OSS Distributions return error;
171*043036a2SApple OSS Distributions }
172*043036a2SApple OSS Distributions
173*043036a2SApple OSS Distributions void
mac_cred_label_destroy(kauth_cred_t cred)174*043036a2SApple OSS Distributions mac_cred_label_destroy(kauth_cred_t cred)
175*043036a2SApple OSS Distributions {
176*043036a2SApple OSS Distributions struct label *label = mac_cred_label(cred);
177*043036a2SApple OSS Distributions cred->cr_label = NULL;
178*043036a2SApple OSS Distributions mac_cred_label_free(label);
179*043036a2SApple OSS Distributions }
180*043036a2SApple OSS Distributions
181*043036a2SApple OSS Distributions int
mac_cred_label_externalize(struct label * label,char * elements,char * outbuf,size_t outbuflen,int flags __unused)182*043036a2SApple OSS Distributions mac_cred_label_externalize(struct label *label, char *elements,
183*043036a2SApple OSS Distributions char *outbuf, size_t outbuflen, int flags __unused)
184*043036a2SApple OSS Distributions {
185*043036a2SApple OSS Distributions int error = 0;
186*043036a2SApple OSS Distributions
187*043036a2SApple OSS Distributions error = MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
188*043036a2SApple OSS Distributions
189*043036a2SApple OSS Distributions return error;
190*043036a2SApple OSS Distributions }
191*043036a2SApple OSS Distributions
192*043036a2SApple OSS Distributions int
mac_cred_label_internalize(struct label * label,char * string)193*043036a2SApple OSS Distributions mac_cred_label_internalize(struct label *label, char *string)
194*043036a2SApple OSS Distributions {
195*043036a2SApple OSS Distributions int error;
196*043036a2SApple OSS Distributions
197*043036a2SApple OSS Distributions error = MAC_INTERNALIZE(cred, label, string);
198*043036a2SApple OSS Distributions
199*043036a2SApple OSS Distributions return error;
200*043036a2SApple OSS Distributions }
201*043036a2SApple OSS Distributions
202*043036a2SApple OSS Distributions /*
203*043036a2SApple OSS Distributions * By default, fork just adds a reference to the parent
204*043036a2SApple OSS Distributions * credential. Policies may need to know about this reference
205*043036a2SApple OSS Distributions * if they are tracking exit calls to know when to free the
206*043036a2SApple OSS Distributions * label.
207*043036a2SApple OSS Distributions */
208*043036a2SApple OSS Distributions void
mac_cred_label_associate_fork(kauth_cred_t cred,proc_t proc)209*043036a2SApple OSS Distributions mac_cred_label_associate_fork(kauth_cred_t cred, proc_t proc)
210*043036a2SApple OSS Distributions {
211*043036a2SApple OSS Distributions MAC_PERFORM(cred_label_associate_fork, cred, proc);
212*043036a2SApple OSS Distributions }
213*043036a2SApple OSS Distributions
214*043036a2SApple OSS Distributions /*
215*043036a2SApple OSS Distributions * Initialize MAC label for the first kernel process, from which other
216*043036a2SApple OSS Distributions * kernel processes and threads are spawned.
217*043036a2SApple OSS Distributions */
218*043036a2SApple OSS Distributions void
mac_cred_label_associate_kernel(kauth_cred_t cred)219*043036a2SApple OSS Distributions mac_cred_label_associate_kernel(kauth_cred_t cred)
220*043036a2SApple OSS Distributions {
221*043036a2SApple OSS Distributions MAC_PERFORM(cred_label_associate_kernel, cred);
222*043036a2SApple OSS Distributions }
223*043036a2SApple OSS Distributions
224*043036a2SApple OSS Distributions /*
225*043036a2SApple OSS Distributions * Initialize MAC label for the first userland process, from which other
226*043036a2SApple OSS Distributions * userland processes and threads are spawned.
227*043036a2SApple OSS Distributions */
228*043036a2SApple OSS Distributions void
mac_cred_label_associate_user(kauth_cred_t cred)229*043036a2SApple OSS Distributions mac_cred_label_associate_user(kauth_cred_t cred)
230*043036a2SApple OSS Distributions {
231*043036a2SApple OSS Distributions MAC_PERFORM(cred_label_associate_user, cred);
232*043036a2SApple OSS Distributions }
233*043036a2SApple OSS Distributions
234*043036a2SApple OSS Distributions /*
235*043036a2SApple OSS Distributions * When a new process is created, its label must be initialized. Generally,
236*043036a2SApple OSS Distributions * this involves inheritence from the parent process, modulo possible
237*043036a2SApple OSS Distributions * deltas. This function allows that processing to take place.
238*043036a2SApple OSS Distributions */
239*043036a2SApple OSS Distributions void
mac_cred_label_associate(struct ucred * parent_cred,struct ucred * child_cred)240*043036a2SApple OSS Distributions mac_cred_label_associate(struct ucred *parent_cred, struct ucred *child_cred)
241*043036a2SApple OSS Distributions {
242*043036a2SApple OSS Distributions MAC_PERFORM(cred_label_associate, parent_cred, child_cred);
243*043036a2SApple OSS Distributions }
244*043036a2SApple OSS Distributions
245*043036a2SApple OSS Distributions int
mac_execve_enter(user_addr_t mac_p,struct image_params * imgp)246*043036a2SApple OSS Distributions mac_execve_enter(user_addr_t mac_p, struct image_params *imgp)
247*043036a2SApple OSS Distributions {
248*043036a2SApple OSS Distributions if (mac_p == USER_ADDR_NULL) {
249*043036a2SApple OSS Distributions return 0;
250*043036a2SApple OSS Distributions }
251*043036a2SApple OSS Distributions
252*043036a2SApple OSS Distributions return mac_do_set(current_proc(), mac_p,
253*043036a2SApple OSS Distributions ^(char *input, __unused size_t len) {
254*043036a2SApple OSS Distributions struct label *execlabel;
255*043036a2SApple OSS Distributions int error;
256*043036a2SApple OSS Distributions
257*043036a2SApple OSS Distributions execlabel = mac_cred_label_alloc();
258*043036a2SApple OSS Distributions if ((error = mac_cred_label_internalize(execlabel, input))) {
259*043036a2SApple OSS Distributions mac_cred_label_free(execlabel);
260*043036a2SApple OSS Distributions execlabel = NULL;
261*043036a2SApple OSS Distributions }
262*043036a2SApple OSS Distributions
263*043036a2SApple OSS Distributions imgp->ip_execlabelp = execlabel;
264*043036a2SApple OSS Distributions return error;
265*043036a2SApple OSS Distributions });
266*043036a2SApple OSS Distributions }
267*043036a2SApple OSS Distributions
268*043036a2SApple OSS Distributions /*
269*043036a2SApple OSS Distributions * When the subject's label changes, it may require revocation of privilege
270*043036a2SApple OSS Distributions * to mapped objects. This can't be done on-the-fly later with a unified
271*043036a2SApple OSS Distributions * buffer cache.
272*043036a2SApple OSS Distributions *
273*043036a2SApple OSS Distributions * XXX: CRF_MAC_ENFORCE should be in a kauth_cred_t field, rather
274*043036a2SApple OSS Distributions * XXX: than a posix_cred_t field.
275*043036a2SApple OSS Distributions */
276*043036a2SApple OSS Distributions void
mac_cred_label_update(kauth_cred_t cred,struct label * newlabel)277*043036a2SApple OSS Distributions mac_cred_label_update(kauth_cred_t cred, struct label *newlabel)
278*043036a2SApple OSS Distributions {
279*043036a2SApple OSS Distributions posix_cred_t pcred = posix_cred_get(cred);
280*043036a2SApple OSS Distributions
281*043036a2SApple OSS Distributions /* force label to be part of "matching" for credential */
282*043036a2SApple OSS Distributions pcred->cr_flags |= CRF_MAC_ENFORCE;
283*043036a2SApple OSS Distributions
284*043036a2SApple OSS Distributions /* inform the policies of the update */
285*043036a2SApple OSS Distributions MAC_PERFORM(cred_label_update, cred, newlabel);
286*043036a2SApple OSS Distributions }
287*043036a2SApple OSS Distributions
288*043036a2SApple OSS Distributions int
mac_cred_check_label_update(kauth_cred_t cred,struct label * newlabel)289*043036a2SApple OSS Distributions mac_cred_check_label_update(kauth_cred_t cred, struct label *newlabel)
290*043036a2SApple OSS Distributions {
291*043036a2SApple OSS Distributions int error;
292*043036a2SApple OSS Distributions
293*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
294*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
295*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
296*043036a2SApple OSS Distributions return 0;
297*043036a2SApple OSS Distributions }
298*043036a2SApple OSS Distributions #endif
299*043036a2SApple OSS Distributions
300*043036a2SApple OSS Distributions MAC_CHECK(cred_check_label_update, cred, newlabel);
301*043036a2SApple OSS Distributions
302*043036a2SApple OSS Distributions return error;
303*043036a2SApple OSS Distributions }
304*043036a2SApple OSS Distributions
305*043036a2SApple OSS Distributions int
mac_cred_check_visible(kauth_cred_t u1,kauth_cred_t u2)306*043036a2SApple OSS Distributions mac_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2)
307*043036a2SApple OSS Distributions {
308*043036a2SApple OSS Distributions int error;
309*043036a2SApple OSS Distributions
310*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
311*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
312*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
313*043036a2SApple OSS Distributions return 0;
314*043036a2SApple OSS Distributions }
315*043036a2SApple OSS Distributions #endif
316*043036a2SApple OSS Distributions
317*043036a2SApple OSS Distributions MAC_CHECK(cred_check_visible, u1, u2);
318*043036a2SApple OSS Distributions
319*043036a2SApple OSS Distributions return error;
320*043036a2SApple OSS Distributions }
321*043036a2SApple OSS Distributions
322*043036a2SApple OSS Distributions int
mac_proc_check_debug(proc_ident_t tracing_ident,kauth_cred_t tracing_cred,proc_ident_t traced_ident)323*043036a2SApple OSS Distributions mac_proc_check_debug(proc_ident_t tracing_ident, kauth_cred_t tracing_cred, proc_ident_t traced_ident)
324*043036a2SApple OSS Distributions {
325*043036a2SApple OSS Distributions int error;
326*043036a2SApple OSS Distributions bool enforce;
327*043036a2SApple OSS Distributions proc_t tracingp;
328*043036a2SApple OSS Distributions
329*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
330*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
331*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
332*043036a2SApple OSS Distributions return 0;
333*043036a2SApple OSS Distributions }
334*043036a2SApple OSS Distributions #endif
335*043036a2SApple OSS Distributions /*
336*043036a2SApple OSS Distributions * Once all mac hooks adopt proc_ident_t, finding proc_t and releasing
337*043036a2SApple OSS Distributions * it below should go to mac_proc_check_enforce().
338*043036a2SApple OSS Distributions */
339*043036a2SApple OSS Distributions if ((tracingp = proc_find_ident(tracing_ident)) == PROC_NULL) {
340*043036a2SApple OSS Distributions return ESRCH;
341*043036a2SApple OSS Distributions }
342*043036a2SApple OSS Distributions enforce = mac_proc_check_enforce(tracingp);
343*043036a2SApple OSS Distributions proc_rele(tracingp);
344*043036a2SApple OSS Distributions
345*043036a2SApple OSS Distributions if (!enforce) {
346*043036a2SApple OSS Distributions return 0;
347*043036a2SApple OSS Distributions }
348*043036a2SApple OSS Distributions MAC_CHECK(proc_check_debug, tracing_cred, traced_ident);
349*043036a2SApple OSS Distributions
350*043036a2SApple OSS Distributions return error;
351*043036a2SApple OSS Distributions }
352*043036a2SApple OSS Distributions
353*043036a2SApple OSS Distributions int
mac_proc_check_dump_core(struct proc * proc)354*043036a2SApple OSS Distributions mac_proc_check_dump_core(struct proc *proc)
355*043036a2SApple OSS Distributions {
356*043036a2SApple OSS Distributions int error;
357*043036a2SApple OSS Distributions
358*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
359*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
360*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
361*043036a2SApple OSS Distributions return 0;
362*043036a2SApple OSS Distributions }
363*043036a2SApple OSS Distributions #endif
364*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(proc)) {
365*043036a2SApple OSS Distributions return 0;
366*043036a2SApple OSS Distributions }
367*043036a2SApple OSS Distributions
368*043036a2SApple OSS Distributions MAC_CHECK(proc_check_dump_core, proc);
369*043036a2SApple OSS Distributions
370*043036a2SApple OSS Distributions return error;
371*043036a2SApple OSS Distributions }
372*043036a2SApple OSS Distributions
373*043036a2SApple OSS Distributions int
mac_proc_check_remote_thread_create(struct task * task,int flavor,thread_state_t new_state,mach_msg_type_number_t new_state_count)374*043036a2SApple OSS Distributions mac_proc_check_remote_thread_create(struct task *task, int flavor, thread_state_t new_state, mach_msg_type_number_t new_state_count)
375*043036a2SApple OSS Distributions {
376*043036a2SApple OSS Distributions proc_t curp = current_proc();
377*043036a2SApple OSS Distributions proc_t proc;
378*043036a2SApple OSS Distributions int error;
379*043036a2SApple OSS Distributions
380*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
381*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
382*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
383*043036a2SApple OSS Distributions return 0;
384*043036a2SApple OSS Distributions }
385*043036a2SApple OSS Distributions #endif
386*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
387*043036a2SApple OSS Distributions return 0;
388*043036a2SApple OSS Distributions }
389*043036a2SApple OSS Distributions
390*043036a2SApple OSS Distributions proc = proc_find(task_pid(task));
391*043036a2SApple OSS Distributions if (proc == PROC_NULL) {
392*043036a2SApple OSS Distributions return ESRCH;
393*043036a2SApple OSS Distributions }
394*043036a2SApple OSS Distributions
395*043036a2SApple OSS Distributions MAC_CHECK(proc_check_remote_thread_create, current_cached_proc_cred(curp),
396*043036a2SApple OSS Distributions proc, flavor, new_state, new_state_count);
397*043036a2SApple OSS Distributions proc_rele(proc);
398*043036a2SApple OSS Distributions
399*043036a2SApple OSS Distributions return error;
400*043036a2SApple OSS Distributions }
401*043036a2SApple OSS Distributions
402*043036a2SApple OSS Distributions void
mac_proc_notify_service_port_derive(struct mach_service_port_info * sp_info)403*043036a2SApple OSS Distributions mac_proc_notify_service_port_derive(struct mach_service_port_info *sp_info)
404*043036a2SApple OSS Distributions {
405*043036a2SApple OSS Distributions MAC_PERFORM(proc_notify_service_port_derive,
406*043036a2SApple OSS Distributions current_cached_proc_cred(PROC_NULL), sp_info);
407*043036a2SApple OSS Distributions }
408*043036a2SApple OSS Distributions
409*043036a2SApple OSS Distributions int
mac_proc_check_fork(proc_t curp)410*043036a2SApple OSS Distributions mac_proc_check_fork(proc_t curp)
411*043036a2SApple OSS Distributions {
412*043036a2SApple OSS Distributions int error;
413*043036a2SApple OSS Distributions
414*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
415*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
416*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
417*043036a2SApple OSS Distributions return 0;
418*043036a2SApple OSS Distributions }
419*043036a2SApple OSS Distributions #endif
420*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
421*043036a2SApple OSS Distributions return 0;
422*043036a2SApple OSS Distributions }
423*043036a2SApple OSS Distributions
424*043036a2SApple OSS Distributions MAC_CHECK(proc_check_fork, current_cached_proc_cred(curp), curp);
425*043036a2SApple OSS Distributions
426*043036a2SApple OSS Distributions return error;
427*043036a2SApple OSS Distributions }
428*043036a2SApple OSS Distributions
429*043036a2SApple OSS Distributions int
mac_proc_check_get_task(struct ucred * cred,proc_ident_t pident,mach_task_flavor_t flavor)430*043036a2SApple OSS Distributions mac_proc_check_get_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
431*043036a2SApple OSS Distributions {
432*043036a2SApple OSS Distributions int error;
433*043036a2SApple OSS Distributions
434*043036a2SApple OSS Distributions assert(flavor <= TASK_FLAVOR_NAME);
435*043036a2SApple OSS Distributions
436*043036a2SApple OSS Distributions MAC_CHECK(proc_check_get_task_with_flavor, cred, pident, flavor);
437*043036a2SApple OSS Distributions
438*043036a2SApple OSS Distributions return error;
439*043036a2SApple OSS Distributions }
440*043036a2SApple OSS Distributions
441*043036a2SApple OSS Distributions int
mac_proc_check_expose_task(struct ucred * cred,proc_ident_t pident,mach_task_flavor_t flavor)442*043036a2SApple OSS Distributions mac_proc_check_expose_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
443*043036a2SApple OSS Distributions {
444*043036a2SApple OSS Distributions int error;
445*043036a2SApple OSS Distributions
446*043036a2SApple OSS Distributions assert(flavor <= TASK_FLAVOR_NAME);
447*043036a2SApple OSS Distributions
448*043036a2SApple OSS Distributions MAC_CHECK(proc_check_expose_task_with_flavor, cred, pident, flavor);
449*043036a2SApple OSS Distributions
450*043036a2SApple OSS Distributions return error;
451*043036a2SApple OSS Distributions }
452*043036a2SApple OSS Distributions
453*043036a2SApple OSS Distributions int
mac_proc_check_inherit_ipc_ports(struct proc * p,struct vnode * cur_vp,off_t cur_offset,struct vnode * img_vp,off_t img_offset,struct vnode * scriptvp)454*043036a2SApple OSS Distributions mac_proc_check_inherit_ipc_ports(
455*043036a2SApple OSS Distributions struct proc *p,
456*043036a2SApple OSS Distributions struct vnode *cur_vp,
457*043036a2SApple OSS Distributions off_t cur_offset,
458*043036a2SApple OSS Distributions struct vnode *img_vp,
459*043036a2SApple OSS Distributions off_t img_offset,
460*043036a2SApple OSS Distributions struct vnode *scriptvp)
461*043036a2SApple OSS Distributions {
462*043036a2SApple OSS Distributions int error;
463*043036a2SApple OSS Distributions
464*043036a2SApple OSS Distributions MAC_CHECK(proc_check_inherit_ipc_ports, p, cur_vp, cur_offset, img_vp, img_offset, scriptvp);
465*043036a2SApple OSS Distributions
466*043036a2SApple OSS Distributions return error;
467*043036a2SApple OSS Distributions }
468*043036a2SApple OSS Distributions
469*043036a2SApple OSS Distributions int
mac_proc_check_iopolicysys(struct proc * p,kauth_cred_t cred,int cmd,int type,int scope,int policy)470*043036a2SApple OSS Distributions mac_proc_check_iopolicysys(struct proc *p, kauth_cred_t cred, int cmd, int type, int scope, int policy)
471*043036a2SApple OSS Distributions {
472*043036a2SApple OSS Distributions int error;
473*043036a2SApple OSS Distributions
474*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
475*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
476*043036a2SApple OSS Distributions if (!mac_system_enforce) {
477*043036a2SApple OSS Distributions return 0;
478*043036a2SApple OSS Distributions }
479*043036a2SApple OSS Distributions #endif
480*043036a2SApple OSS Distributions
481*043036a2SApple OSS Distributions MAC_CHECK(proc_check_iopolicysys, p, cred, cmd, type, scope, policy);
482*043036a2SApple OSS Distributions
483*043036a2SApple OSS Distributions return error;
484*043036a2SApple OSS Distributions }
485*043036a2SApple OSS Distributions
486*043036a2SApple OSS Distributions /*
487*043036a2SApple OSS Distributions * The type of maxprot in proc_check_map_anon must be equivalent to vm_prot_t
488*043036a2SApple OSS Distributions * (defined in <mach/vm_prot.h>). mac_policy.h does not include any header
489*043036a2SApple OSS Distributions * files, so cannot use the typedef itself.
490*043036a2SApple OSS Distributions */
491*043036a2SApple OSS Distributions int
mac_proc_check_map_anon(proc_t proc,kauth_cred_t cred,user_addr_t u_addr,user_size_t u_size,int prot,int flags,int * maxprot)492*043036a2SApple OSS Distributions mac_proc_check_map_anon(proc_t proc, kauth_cred_t cred, user_addr_t u_addr,
493*043036a2SApple OSS Distributions user_size_t u_size, int prot, int flags, int *maxprot)
494*043036a2SApple OSS Distributions {
495*043036a2SApple OSS Distributions int error;
496*043036a2SApple OSS Distributions
497*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
498*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
499*043036a2SApple OSS Distributions if (!mac_vm_enforce) {
500*043036a2SApple OSS Distributions return 0;
501*043036a2SApple OSS Distributions }
502*043036a2SApple OSS Distributions #endif
503*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(proc)) {
504*043036a2SApple OSS Distributions return 0;
505*043036a2SApple OSS Distributions }
506*043036a2SApple OSS Distributions
507*043036a2SApple OSS Distributions MAC_CHECK(proc_check_map_anon, proc, cred, u_addr, u_size, prot, flags, maxprot);
508*043036a2SApple OSS Distributions
509*043036a2SApple OSS Distributions return error;
510*043036a2SApple OSS Distributions }
511*043036a2SApple OSS Distributions
512*043036a2SApple OSS Distributions
513*043036a2SApple OSS Distributions int
mac_proc_check_memorystatus_control(proc_t proc,uint32_t command,pid_t pid)514*043036a2SApple OSS Distributions mac_proc_check_memorystatus_control(proc_t proc, uint32_t command, pid_t pid)
515*043036a2SApple OSS Distributions {
516*043036a2SApple OSS Distributions int error;
517*043036a2SApple OSS Distributions
518*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
519*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
520*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
521*043036a2SApple OSS Distributions return 0;
522*043036a2SApple OSS Distributions }
523*043036a2SApple OSS Distributions #endif
524*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(proc)) {
525*043036a2SApple OSS Distributions return 0;
526*043036a2SApple OSS Distributions }
527*043036a2SApple OSS Distributions
528*043036a2SApple OSS Distributions MAC_CHECK(proc_check_memorystatus_control, current_cached_proc_cred(proc),
529*043036a2SApple OSS Distributions command, pid);
530*043036a2SApple OSS Distributions
531*043036a2SApple OSS Distributions return error;
532*043036a2SApple OSS Distributions }
533*043036a2SApple OSS Distributions
534*043036a2SApple OSS Distributions int
mac_proc_check_mprotect(proc_t proc,user_addr_t addr,user_size_t size,int prot)535*043036a2SApple OSS Distributions mac_proc_check_mprotect(proc_t proc,
536*043036a2SApple OSS Distributions user_addr_t addr, user_size_t size, int prot)
537*043036a2SApple OSS Distributions {
538*043036a2SApple OSS Distributions int error;
539*043036a2SApple OSS Distributions
540*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
541*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
542*043036a2SApple OSS Distributions if (!mac_vm_enforce) {
543*043036a2SApple OSS Distributions return 0;
544*043036a2SApple OSS Distributions }
545*043036a2SApple OSS Distributions #endif
546*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(proc)) {
547*043036a2SApple OSS Distributions return 0;
548*043036a2SApple OSS Distributions }
549*043036a2SApple OSS Distributions
550*043036a2SApple OSS Distributions MAC_CHECK(proc_check_mprotect, current_cached_proc_cred(proc),
551*043036a2SApple OSS Distributions proc, addr, size, prot);
552*043036a2SApple OSS Distributions
553*043036a2SApple OSS Distributions return error;
554*043036a2SApple OSS Distributions }
555*043036a2SApple OSS Distributions
556*043036a2SApple OSS Distributions int
mac_proc_check_run_cs_invalid(proc_t proc)557*043036a2SApple OSS Distributions mac_proc_check_run_cs_invalid(proc_t proc)
558*043036a2SApple OSS Distributions {
559*043036a2SApple OSS Distributions int error;
560*043036a2SApple OSS Distributions
561*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
562*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
563*043036a2SApple OSS Distributions if (!mac_vm_enforce) {
564*043036a2SApple OSS Distributions return 0;
565*043036a2SApple OSS Distributions }
566*043036a2SApple OSS Distributions #endif
567*043036a2SApple OSS Distributions
568*043036a2SApple OSS Distributions MAC_CHECK(proc_check_run_cs_invalid, proc);
569*043036a2SApple OSS Distributions
570*043036a2SApple OSS Distributions return error;
571*043036a2SApple OSS Distributions }
572*043036a2SApple OSS Distributions
573*043036a2SApple OSS Distributions void
mac_proc_notify_cs_invalidated(proc_t proc)574*043036a2SApple OSS Distributions mac_proc_notify_cs_invalidated(proc_t proc)
575*043036a2SApple OSS Distributions {
576*043036a2SApple OSS Distributions MAC_PERFORM(proc_notify_cs_invalidated, proc);
577*043036a2SApple OSS Distributions }
578*043036a2SApple OSS Distributions
579*043036a2SApple OSS Distributions int
mac_proc_check_sched(proc_t curp,struct proc * proc)580*043036a2SApple OSS Distributions mac_proc_check_sched(proc_t curp, struct proc *proc)
581*043036a2SApple OSS Distributions {
582*043036a2SApple OSS Distributions int error;
583*043036a2SApple OSS Distributions
584*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
585*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
586*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
587*043036a2SApple OSS Distributions return 0;
588*043036a2SApple OSS Distributions }
589*043036a2SApple OSS Distributions #endif
590*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
591*043036a2SApple OSS Distributions return 0;
592*043036a2SApple OSS Distributions }
593*043036a2SApple OSS Distributions
594*043036a2SApple OSS Distributions MAC_CHECK(proc_check_sched, current_cached_proc_cred(curp), proc);
595*043036a2SApple OSS Distributions
596*043036a2SApple OSS Distributions return error;
597*043036a2SApple OSS Distributions }
598*043036a2SApple OSS Distributions
599*043036a2SApple OSS Distributions int
mac_proc_check_signal(proc_t curp,proc_ident_t instigator,proc_ident_t target,int signum)600*043036a2SApple OSS Distributions mac_proc_check_signal(proc_t curp, proc_ident_t instigator, proc_ident_t target, int signum)
601*043036a2SApple OSS Distributions {
602*043036a2SApple OSS Distributions int error;
603*043036a2SApple OSS Distributions
604*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
605*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
606*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
607*043036a2SApple OSS Distributions return 0;
608*043036a2SApple OSS Distributions }
609*043036a2SApple OSS Distributions #endif
610*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
611*043036a2SApple OSS Distributions return 0;
612*043036a2SApple OSS Distributions }
613*043036a2SApple OSS Distributions
614*043036a2SApple OSS Distributions /* Check policy without holding any proc refs */
615*043036a2SApple OSS Distributions MAC_CHECK(proc_check_signal, current_cached_proc_cred(curp), instigator, target, signum);
616*043036a2SApple OSS Distributions return error;
617*043036a2SApple OSS Distributions }
618*043036a2SApple OSS Distributions
619*043036a2SApple OSS Distributions int
mac_proc_check_syscall_unix(proc_t curp,int scnum)620*043036a2SApple OSS Distributions mac_proc_check_syscall_unix(proc_t curp, int scnum)
621*043036a2SApple OSS Distributions {
622*043036a2SApple OSS Distributions int error;
623*043036a2SApple OSS Distributions
624*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
625*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
626*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
627*043036a2SApple OSS Distributions return 0;
628*043036a2SApple OSS Distributions }
629*043036a2SApple OSS Distributions #endif
630*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
631*043036a2SApple OSS Distributions return 0;
632*043036a2SApple OSS Distributions }
633*043036a2SApple OSS Distributions
634*043036a2SApple OSS Distributions MAC_CHECK(proc_check_syscall_unix, curp, scnum);
635*043036a2SApple OSS Distributions
636*043036a2SApple OSS Distributions return error;
637*043036a2SApple OSS Distributions }
638*043036a2SApple OSS Distributions
639*043036a2SApple OSS Distributions int
mac_proc_check_wait(proc_t curp,struct proc * proc)640*043036a2SApple OSS Distributions mac_proc_check_wait(proc_t curp, struct proc *proc)
641*043036a2SApple OSS Distributions {
642*043036a2SApple OSS Distributions int error;
643*043036a2SApple OSS Distributions
644*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
645*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
646*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
647*043036a2SApple OSS Distributions return 0;
648*043036a2SApple OSS Distributions }
649*043036a2SApple OSS Distributions #endif
650*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
651*043036a2SApple OSS Distributions return 0;
652*043036a2SApple OSS Distributions }
653*043036a2SApple OSS Distributions
654*043036a2SApple OSS Distributions MAC_CHECK(proc_check_wait, current_cached_proc_cred(curp), proc);
655*043036a2SApple OSS Distributions
656*043036a2SApple OSS Distributions return error;
657*043036a2SApple OSS Distributions }
658*043036a2SApple OSS Distributions
659*043036a2SApple OSS Distributions void
mac_proc_notify_exit(struct proc * proc)660*043036a2SApple OSS Distributions mac_proc_notify_exit(struct proc *proc)
661*043036a2SApple OSS Distributions {
662*043036a2SApple OSS Distributions MAC_PERFORM(proc_notify_exit, proc);
663*043036a2SApple OSS Distributions }
664*043036a2SApple OSS Distributions
665*043036a2SApple OSS Distributions int
mac_proc_check_suspend_resume(proc_t proc,int sr)666*043036a2SApple OSS Distributions mac_proc_check_suspend_resume(proc_t proc, int sr)
667*043036a2SApple OSS Distributions {
668*043036a2SApple OSS Distributions proc_t curp = current_proc();
669*043036a2SApple OSS Distributions int error;
670*043036a2SApple OSS Distributions
671*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
672*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
673*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
674*043036a2SApple OSS Distributions return 0;
675*043036a2SApple OSS Distributions }
676*043036a2SApple OSS Distributions #endif
677*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
678*043036a2SApple OSS Distributions return 0;
679*043036a2SApple OSS Distributions }
680*043036a2SApple OSS Distributions
681*043036a2SApple OSS Distributions MAC_CHECK(proc_check_suspend_resume, current_cached_proc_cred(curp),
682*043036a2SApple OSS Distributions proc, sr);
683*043036a2SApple OSS Distributions
684*043036a2SApple OSS Distributions return error;
685*043036a2SApple OSS Distributions }
686*043036a2SApple OSS Distributions
687*043036a2SApple OSS Distributions int
mac_proc_check_ledger(proc_t curp,proc_t proc,int ledger_op)688*043036a2SApple OSS Distributions mac_proc_check_ledger(proc_t curp, proc_t proc, int ledger_op)
689*043036a2SApple OSS Distributions {
690*043036a2SApple OSS Distributions int error = 0;
691*043036a2SApple OSS Distributions
692*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
693*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
694*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
695*043036a2SApple OSS Distributions return 0;
696*043036a2SApple OSS Distributions }
697*043036a2SApple OSS Distributions #endif
698*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
699*043036a2SApple OSS Distributions return 0;
700*043036a2SApple OSS Distributions }
701*043036a2SApple OSS Distributions
702*043036a2SApple OSS Distributions MAC_CHECK(proc_check_ledger, current_cached_proc_cred(curp),
703*043036a2SApple OSS Distributions proc, ledger_op);
704*043036a2SApple OSS Distributions
705*043036a2SApple OSS Distributions return error;
706*043036a2SApple OSS Distributions }
707*043036a2SApple OSS Distributions
708*043036a2SApple OSS Distributions int
mac_proc_check_proc_info(proc_t curp,proc_t target,int callnum,int flavor)709*043036a2SApple OSS Distributions mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor)
710*043036a2SApple OSS Distributions {
711*043036a2SApple OSS Distributions int error = 0;
712*043036a2SApple OSS Distributions
713*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
714*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
715*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
716*043036a2SApple OSS Distributions return 0;
717*043036a2SApple OSS Distributions }
718*043036a2SApple OSS Distributions #endif
719*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
720*043036a2SApple OSS Distributions return 0;
721*043036a2SApple OSS Distributions }
722*043036a2SApple OSS Distributions
723*043036a2SApple OSS Distributions MAC_CHECK(proc_check_proc_info, current_cached_proc_cred(curp),
724*043036a2SApple OSS Distributions target, callnum, flavor);
725*043036a2SApple OSS Distributions
726*043036a2SApple OSS Distributions return error;
727*043036a2SApple OSS Distributions }
728*043036a2SApple OSS Distributions
729*043036a2SApple OSS Distributions int
mac_proc_check_get_cs_info(proc_t curp,proc_t target,unsigned int op)730*043036a2SApple OSS Distributions mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op)
731*043036a2SApple OSS Distributions {
732*043036a2SApple OSS Distributions int error = 0;
733*043036a2SApple OSS Distributions
734*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
735*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
736*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
737*043036a2SApple OSS Distributions return 0;
738*043036a2SApple OSS Distributions }
739*043036a2SApple OSS Distributions #endif
740*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
741*043036a2SApple OSS Distributions return 0;
742*043036a2SApple OSS Distributions }
743*043036a2SApple OSS Distributions
744*043036a2SApple OSS Distributions MAC_CHECK(proc_check_get_cs_info, current_cached_proc_cred(curp),
745*043036a2SApple OSS Distributions target, op);
746*043036a2SApple OSS Distributions
747*043036a2SApple OSS Distributions return error;
748*043036a2SApple OSS Distributions }
749*043036a2SApple OSS Distributions
750*043036a2SApple OSS Distributions int
mac_proc_check_set_cs_info(proc_t curp,proc_t target,unsigned int op)751*043036a2SApple OSS Distributions mac_proc_check_set_cs_info(proc_t curp, proc_t target, unsigned int op)
752*043036a2SApple OSS Distributions {
753*043036a2SApple OSS Distributions int error = 0;
754*043036a2SApple OSS Distributions
755*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
756*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
757*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
758*043036a2SApple OSS Distributions return 0;
759*043036a2SApple OSS Distributions }
760*043036a2SApple OSS Distributions #endif
761*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
762*043036a2SApple OSS Distributions return 0;
763*043036a2SApple OSS Distributions }
764*043036a2SApple OSS Distributions
765*043036a2SApple OSS Distributions MAC_CHECK(proc_check_set_cs_info, current_cached_proc_cred(curp),
766*043036a2SApple OSS Distributions target, op);
767*043036a2SApple OSS Distributions
768*043036a2SApple OSS Distributions return error;
769*043036a2SApple OSS Distributions }
770*043036a2SApple OSS Distributions
771*043036a2SApple OSS Distributions int
mac_proc_check_setuid(proc_t curp,kauth_cred_t cred,uid_t uid)772*043036a2SApple OSS Distributions mac_proc_check_setuid(proc_t curp, kauth_cred_t cred, uid_t uid)
773*043036a2SApple OSS Distributions {
774*043036a2SApple OSS Distributions int error = 0;
775*043036a2SApple OSS Distributions
776*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
777*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
778*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
779*043036a2SApple OSS Distributions return 0;
780*043036a2SApple OSS Distributions }
781*043036a2SApple OSS Distributions #endif
782*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
783*043036a2SApple OSS Distributions return 0;
784*043036a2SApple OSS Distributions }
785*043036a2SApple OSS Distributions
786*043036a2SApple OSS Distributions MAC_CHECK(proc_check_setuid, cred, uid);
787*043036a2SApple OSS Distributions
788*043036a2SApple OSS Distributions return error;
789*043036a2SApple OSS Distributions }
790*043036a2SApple OSS Distributions
791*043036a2SApple OSS Distributions int
mac_proc_check_seteuid(proc_t curp,kauth_cred_t cred,uid_t euid)792*043036a2SApple OSS Distributions mac_proc_check_seteuid(proc_t curp, kauth_cred_t cred, uid_t euid)
793*043036a2SApple OSS Distributions {
794*043036a2SApple OSS Distributions int error = 0;
795*043036a2SApple OSS Distributions
796*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
797*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
798*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
799*043036a2SApple OSS Distributions return 0;
800*043036a2SApple OSS Distributions }
801*043036a2SApple OSS Distributions #endif
802*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
803*043036a2SApple OSS Distributions return 0;
804*043036a2SApple OSS Distributions }
805*043036a2SApple OSS Distributions
806*043036a2SApple OSS Distributions MAC_CHECK(proc_check_seteuid, cred, euid);
807*043036a2SApple OSS Distributions
808*043036a2SApple OSS Distributions return error;
809*043036a2SApple OSS Distributions }
810*043036a2SApple OSS Distributions
811*043036a2SApple OSS Distributions int
mac_proc_check_setreuid(proc_t curp,kauth_cred_t cred,uid_t ruid,uid_t euid)812*043036a2SApple OSS Distributions mac_proc_check_setreuid(proc_t curp, kauth_cred_t cred, uid_t ruid, uid_t euid)
813*043036a2SApple OSS Distributions {
814*043036a2SApple OSS Distributions int error = 0;
815*043036a2SApple OSS Distributions
816*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
817*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
818*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
819*043036a2SApple OSS Distributions return 0;
820*043036a2SApple OSS Distributions }
821*043036a2SApple OSS Distributions #endif
822*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
823*043036a2SApple OSS Distributions return 0;
824*043036a2SApple OSS Distributions }
825*043036a2SApple OSS Distributions
826*043036a2SApple OSS Distributions MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
827*043036a2SApple OSS Distributions
828*043036a2SApple OSS Distributions return error;
829*043036a2SApple OSS Distributions }
830*043036a2SApple OSS Distributions
831*043036a2SApple OSS Distributions int
mac_proc_check_setgid(proc_t curp,kauth_cred_t cred,gid_t gid)832*043036a2SApple OSS Distributions mac_proc_check_setgid(proc_t curp, kauth_cred_t cred, gid_t gid)
833*043036a2SApple OSS Distributions {
834*043036a2SApple OSS Distributions int error = 0;
835*043036a2SApple OSS Distributions
836*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
837*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
838*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
839*043036a2SApple OSS Distributions return 0;
840*043036a2SApple OSS Distributions }
841*043036a2SApple OSS Distributions #endif
842*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
843*043036a2SApple OSS Distributions return 0;
844*043036a2SApple OSS Distributions }
845*043036a2SApple OSS Distributions
846*043036a2SApple OSS Distributions MAC_CHECK(proc_check_setgid, cred, gid);
847*043036a2SApple OSS Distributions
848*043036a2SApple OSS Distributions return error;
849*043036a2SApple OSS Distributions }
850*043036a2SApple OSS Distributions
851*043036a2SApple OSS Distributions int
mac_proc_check_setegid(proc_t curp,kauth_cred_t cred,gid_t egid)852*043036a2SApple OSS Distributions mac_proc_check_setegid(proc_t curp, kauth_cred_t cred, gid_t egid)
853*043036a2SApple OSS Distributions {
854*043036a2SApple OSS Distributions int error = 0;
855*043036a2SApple OSS Distributions
856*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
857*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
858*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
859*043036a2SApple OSS Distributions return 0;
860*043036a2SApple OSS Distributions }
861*043036a2SApple OSS Distributions #endif
862*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
863*043036a2SApple OSS Distributions return 0;
864*043036a2SApple OSS Distributions }
865*043036a2SApple OSS Distributions
866*043036a2SApple OSS Distributions MAC_CHECK(proc_check_setegid, cred, egid);
867*043036a2SApple OSS Distributions
868*043036a2SApple OSS Distributions return error;
869*043036a2SApple OSS Distributions }
870*043036a2SApple OSS Distributions
871*043036a2SApple OSS Distributions int
mac_proc_check_setregid(proc_t curp,kauth_cred_t cred,gid_t rgid,gid_t egid)872*043036a2SApple OSS Distributions mac_proc_check_setregid(proc_t curp, kauth_cred_t cred, gid_t rgid, gid_t egid)
873*043036a2SApple OSS Distributions {
874*043036a2SApple OSS Distributions int error = 0;
875*043036a2SApple OSS Distributions
876*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
877*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
878*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
879*043036a2SApple OSS Distributions return 0;
880*043036a2SApple OSS Distributions }
881*043036a2SApple OSS Distributions #endif
882*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
883*043036a2SApple OSS Distributions return 0;
884*043036a2SApple OSS Distributions }
885*043036a2SApple OSS Distributions
886*043036a2SApple OSS Distributions MAC_CHECK(proc_check_setregid, cred, rgid, egid);
887*043036a2SApple OSS Distributions
888*043036a2SApple OSS Distributions return error;
889*043036a2SApple OSS Distributions }
890*043036a2SApple OSS Distributions
891*043036a2SApple OSS Distributions int
mac_proc_check_settid(proc_t curp,uid_t uid,gid_t gid)892*043036a2SApple OSS Distributions mac_proc_check_settid(proc_t curp, uid_t uid, gid_t gid)
893*043036a2SApple OSS Distributions {
894*043036a2SApple OSS Distributions int error = 0;
895*043036a2SApple OSS Distributions
896*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
897*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
898*043036a2SApple OSS Distributions if (!mac_proc_enforce) {
899*043036a2SApple OSS Distributions return 0;
900*043036a2SApple OSS Distributions }
901*043036a2SApple OSS Distributions #endif
902*043036a2SApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
903*043036a2SApple OSS Distributions return 0;
904*043036a2SApple OSS Distributions }
905*043036a2SApple OSS Distributions
906*043036a2SApple OSS Distributions MAC_CHECK(proc_check_settid, current_cached_proc_cred(curp),
907*043036a2SApple OSS Distributions kauth_cred_get(), uid, gid);
908*043036a2SApple OSS Distributions
909*043036a2SApple OSS Distributions return error;
910*043036a2SApple OSS Distributions }
911*043036a2SApple OSS Distributions
912*043036a2SApple OSS Distributions int
mac_proc_check_launch_constraints(proc_t curp,struct image_params * imgp,os_reason_t * reasonp)913*043036a2SApple OSS Distributions mac_proc_check_launch_constraints(proc_t curp, struct image_params *imgp, os_reason_t *reasonp)
914*043036a2SApple OSS Distributions {
915*043036a2SApple OSS Distributions char *fatal_failure_desc = NULL;
916*043036a2SApple OSS Distributions size_t fatal_failure_desc_len = 0;
917*043036a2SApple OSS Distributions
918*043036a2SApple OSS Distributions pid_t original_parent_id = proc_original_ppid(curp);
919*043036a2SApple OSS Distributions
920*043036a2SApple OSS Distributions pid_t responsible_pid = curp->p_responsible_pid;
921*043036a2SApple OSS Distributions
922*043036a2SApple OSS Distributions int error = 0;
923*043036a2SApple OSS Distributions
924*043036a2SApple OSS Distributions /* Vnode of the file */
925*043036a2SApple OSS Distributions struct vnode *vp = imgp->ip_vp;
926*043036a2SApple OSS Distributions
927*043036a2SApple OSS Distributions char *vn_path = NULL;
928*043036a2SApple OSS Distributions vm_size_t vn_pathlen = MAXPATHLEN;
929*043036a2SApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
930*043036a2SApple OSS Distributions /* 21167099 - only check if we allow write */
931*043036a2SApple OSS Distributions if (!mac_proc_enforce || !mac_vnode_enforce) {
932*043036a2SApple OSS Distributions return 0;
933*043036a2SApple OSS Distributions }
934*043036a2SApple OSS Distributions #endif
935*043036a2SApple OSS Distributions
936*043036a2SApple OSS Distributions MAC_POLICY_ITERATE({
937*043036a2SApple OSS Distributions mpo_proc_check_launch_constraints_t *hook = mpc->mpc_ops->mpo_proc_check_launch_constraints;
938*043036a2SApple OSS Distributions if (hook == NULL) {
939*043036a2SApple OSS Distributions continue;
940*043036a2SApple OSS Distributions }
941*043036a2SApple OSS Distributions
942*043036a2SApple OSS Distributions size_t spawnattrlen = 0;
943*043036a2SApple OSS Distributions void *spawnattr = exec_spawnattr_getmacpolicyinfo(&imgp->ip_px_smpx, mpc->mpc_name, &spawnattrlen);
944*043036a2SApple OSS Distributions struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
945*043036a2SApple OSS Distributions struct launch_constraint_data lcd;
946*043036a2SApple OSS Distributions lcd.launch_type = CS_LAUNCH_TYPE_NONE;
947*043036a2SApple OSS Distributions
948*043036a2SApple OSS Distributions /* Check to see if psa_launch_type was initalized */
949*043036a2SApple OSS Distributions if (psa != (struct _posix_spawnattr*)NULL) {
950*043036a2SApple OSS Distributions lcd.launch_type = psa->psa_launch_type;
951*043036a2SApple OSS Distributions }
952*043036a2SApple OSS Distributions
953*043036a2SApple OSS Distributions error = mac_error_select(
954*043036a2SApple OSS Distributions hook(curp, original_parent_id, responsible_pid,
955*043036a2SApple OSS Distributions spawnattr, spawnattrlen, &lcd, &fatal_failure_desc, &fatal_failure_desc_len), error);
956*043036a2SApple OSS Distributions
957*043036a2SApple OSS Distributions /*
958*043036a2SApple OSS Distributions * Early exit in case of failure in case we have multiple registered callers.
959*043036a2SApple OSS Distributions * This is to avoid other MACF policies from stomping on each other's failure description
960*043036a2SApple OSS Distributions */
961*043036a2SApple OSS Distributions if (fatal_failure_desc_len) {
962*043036a2SApple OSS Distributions goto policy_fail;
963*043036a2SApple OSS Distributions }
964*043036a2SApple OSS Distributions });
965*043036a2SApple OSS Distributions
966*043036a2SApple OSS Distributions policy_fail:
967*043036a2SApple OSS Distributions if (fatal_failure_desc_len) {
968*043036a2SApple OSS Distributions /*
969*043036a2SApple OSS Distributions * A fatal code signature validation failure occured, formulate a crash
970*043036a2SApple OSS Distributions * reason.
971*043036a2SApple OSS Distributions */
972*043036a2SApple OSS Distributions
973*043036a2SApple OSS Distributions char const *path = NULL;
974*043036a2SApple OSS Distributions
975*043036a2SApple OSS Distributions vn_path = zalloc(ZV_NAMEI);
976*043036a2SApple OSS Distributions if (vn_getpath(vp, vn_path, (int*)&vn_pathlen) == 0) {
977*043036a2SApple OSS Distributions path = vn_path;
978*043036a2SApple OSS Distributions } else {
979*043036a2SApple OSS Distributions path = "(get vnode path failed)";
980*043036a2SApple OSS Distributions }
981*043036a2SApple OSS Distributions
982*043036a2SApple OSS Distributions if (error == 0) {
983*043036a2SApple OSS Distributions panic("%s: MAC hook returned no error, but status is claimed to be fatal? "
984*043036a2SApple OSS Distributions "path: '%s', fatal_failure_desc_len: %ld, fatal_failure_desc:\n%s\n",
985*043036a2SApple OSS Distributions __func__, path, fatal_failure_desc_len, fatal_failure_desc);
986*043036a2SApple OSS Distributions }
987*043036a2SApple OSS Distributions
988*043036a2SApple OSS Distributions os_reason_t reason = os_reason_create(OS_REASON_CODESIGNING,
989*043036a2SApple OSS Distributions CODESIGNING_EXIT_REASON_LAUNCH_CONSTRAINT_VIOLATION);
990*043036a2SApple OSS Distributions
991*043036a2SApple OSS Distributions *reasonp = reason;
992*043036a2SApple OSS Distributions
993*043036a2SApple OSS Distributions reason->osr_flags = (OS_REASON_FLAG_GENERATE_CRASH_REPORT |
994*043036a2SApple OSS Distributions OS_REASON_FLAG_CONSISTENT_FAILURE);
995*043036a2SApple OSS Distributions
996*043036a2SApple OSS Distributions if (fatal_failure_desc != NULL) {
997*043036a2SApple OSS Distributions mach_vm_address_t data_addr = 0;
998*043036a2SApple OSS Distributions
999*043036a2SApple OSS Distributions int reason_error = 0;
1000*043036a2SApple OSS Distributions int kcdata_error = 0;
1001*043036a2SApple OSS Distributions
1002*043036a2SApple OSS Distributions if ((reason_error = os_reason_alloc_buffer_noblock(reason,
1003*043036a2SApple OSS Distributions kcdata_estimate_required_buffer_size(1,
1004*043036a2SApple OSS Distributions (uint32_t)fatal_failure_desc_len))) == 0) {
1005*043036a2SApple OSS Distributions if ((kcdata_error = kcdata_get_memory_addr(&reason->osr_kcd_descriptor,
1006*043036a2SApple OSS Distributions EXIT_REASON_USER_DESC, (uint32_t)fatal_failure_desc_len,
1007*043036a2SApple OSS Distributions &data_addr)) == KERN_SUCCESS) {
1008*043036a2SApple OSS Distributions kcdata_memcpy(&reason->osr_kcd_descriptor, (mach_vm_address_t)data_addr,
1009*043036a2SApple OSS Distributions fatal_failure_desc, (uint32_t)fatal_failure_desc_len);
1010*043036a2SApple OSS Distributions }
1011*043036a2SApple OSS Distributions }
1012*043036a2SApple OSS Distributions }
1013*043036a2SApple OSS Distributions }
1014*043036a2SApple OSS Distributions
1015*043036a2SApple OSS Distributions if (vn_path) {
1016*043036a2SApple OSS Distributions zfree(ZV_NAMEI, vn_path);
1017*043036a2SApple OSS Distributions }
1018*043036a2SApple OSS Distributions
1019*043036a2SApple OSS Distributions if (fatal_failure_desc_len > 0 && fatal_failure_desc != NULL) {
1020*043036a2SApple OSS Distributions kfree_data(fatal_failure_desc, fatal_failure_desc_len);
1021*043036a2SApple OSS Distributions }
1022*043036a2SApple OSS Distributions
1023*043036a2SApple OSS Distributions return error;
1024*043036a2SApple OSS Distributions }
1025