1 /*
2  * Copyright (c) 2004-2010 Apple Inc. All rights reserved.
3  *
4  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5  *
6  * This file contains Original Code and/or Modifications of Original Code
7  * as defined in and that are subject to the Apple Public Source License
8  * Version 2.0 (the 'License'). You may not use this file except in
9  * compliance with the License. The rights granted to you under the License
10  * may not be used to create, or enable the creation or redistribution of,
11  * unlawful or unlicensed copies of an Apple operating system, or to
12  * circumvent, violate, or enable the circumvention or violation of, any
13  * terms of an Apple operating system software license agreement.
14  *
15  * Please obtain a copy of the License at
16  * http://www.opensource.apple.com/apsl/ and read it before using this file.
17  *
18  * The Original Code and all software distributed under the License are
19  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23  * Please see the License for the specific language governing rights and
24  * limitations under the License.
25  *
26  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27  */
28 /*
29  * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
30  * support for mandatory and extensible security protections.  This notice
31  * is included in support of clause 2.2 (b) of the Apple Public License,
32  * Version 2.0.
33  */
34 
35 #ifndef _SYS_KAUTH_H
36 #define _SYS_KAUTH_H
37 
38 #include <sys/appleapiopts.h>
39 #include <sys/cdefs.h>
40 #include <mach/boolean.h>
41 #include <machine/types.h>      /* u_int8_t, etc. */
42 #include <sys/_types.h>         /* __offsetof() */
43 #include <sys/_types/_uid_t.h>  /* uid_t */
44 #include <sys/_types/_gid_t.h>     /* gid_t */
45 #include <sys/syslimits.h>      /* NGROUPS_MAX */
46 
47 #ifdef __APPLE_API_EVOLVING
48 
49 /*
50  * Identities.
51  */
52 
/*
 * Sentinel identities.  Note that these are NOT (uid_t)-1 / (gid_t)-1 (they
 * sit 100 below the all-ones value), so code that means "no id" must compare
 * against these macros rather than against -1.
 */
#define KAUTH_UID_NONE  (~(uid_t)0 - 100)       /* not a valid UID */
#define KAUTH_GID_NONE  (~(gid_t)0 - 100)       /* not a valid GID */
55 
56 #include <sys/_types/_guid_t.h>
57 
/*
 * NT Security Identifier, structure as defined by Microsoft.
 *
 * Packed to 1 byte (no padding): an 8-byte header (kind, authority count,
 * 6-byte authority) followed by KAUTH_NTSID_MAX_AUTHORITIES 32-bit
 * sub-authorities, i.e. sizeof(ntsid_t) == 8 + 16 * 4 == 72.
 *
 * sid_authcount is a u_int8_t and can therefore encode values up to 255,
 * but sid_authorities[] only has room for 16.  Any SID that arrives from
 * outside the kernel (e.g. via the user-space resolver payload below) must
 * have sid_authcount checked against KAUTH_NTSID_MAX_AUTHORITIES before the
 * array is indexed or KAUTH_NTSID_SIZE() is trusted.
 */
#pragma pack(1)    /* push packing of 1 byte */
typedef struct {
	u_int8_t                sid_kind;
	u_int8_t                sid_authcount;  /* number of valid sid_authorities[] entries */
	u_int8_t                sid_authority[6];
#define KAUTH_NTSID_MAX_AUTHORITIES 16
	u_int32_t       sid_authorities[KAUTH_NTSID_MAX_AUTHORITIES];
} ntsid_t;
#pragma pack()    /* pop packing to previous packing level */
#define _NTSID_T
69 
/*
 * Valid byte count inside a SID structure: the 8-byte header plus one
 * u_int32_t per sub-authority.
 *
 * KAUTH_NTSID_SIZE() performs no bounds check on sid_authcount.  For a SID of
 * untrusted origin, verify sid_authcount <= KAUTH_NTSID_MAX_AUTHORITIES
 * first; otherwise the computed size can exceed sizeof(ntsid_t).
 * (_s) is evaluated once.
 */
#define KAUTH_NTSID_HDRSIZE     (8)
#define KAUTH_NTSID_SIZE(_s)    (KAUTH_NTSID_HDRSIZE + ((_s)->sid_authcount * sizeof(u_int32_t)))
73 
74 /*
75  * External lookup message payload; this structure is shared between the
76  * kernel group membership resolver, and the user space group membership
77  * resolver daemon, and is use to communicate resolution requests from the
78  * kernel to user space, and the result of that request from user space to
79  * the kernel.
80  */
81 struct kauth_identity_extlookup {
82 	u_int32_t       el_seqno;       /* request sequence number */
83 	u_int32_t       el_result;      /* lookup result */
84 #define KAUTH_EXTLOOKUP_SUCCESS         0       /* results here are good */
85 #define KAUTH_EXTLOOKUP_BADRQ           1       /* request badly formatted */
86 #define KAUTH_EXTLOOKUP_FAILURE         2       /* transient failure during lookup */
87 #define KAUTH_EXTLOOKUP_FATAL           3       /* permanent failure during lookup */
88 #define KAUTH_EXTLOOKUP_INPROG          100     /* request in progress */
89 	u_int32_t       el_flags;
90 #define KAUTH_EXTLOOKUP_VALID_UID       (1<<0)
91 #define KAUTH_EXTLOOKUP_VALID_UGUID     (1<<1)
92 #define KAUTH_EXTLOOKUP_VALID_USID      (1<<2)
93 #define KAUTH_EXTLOOKUP_VALID_GID       (1<<3)
94 #define KAUTH_EXTLOOKUP_VALID_GGUID     (1<<4)
95 #define KAUTH_EXTLOOKUP_VALID_GSID      (1<<5)
96 #define KAUTH_EXTLOOKUP_WANT_UID        (1<<6)
97 #define KAUTH_EXTLOOKUP_WANT_UGUID      (1<<7)
98 #define KAUTH_EXTLOOKUP_WANT_USID       (1<<8)
99 #define KAUTH_EXTLOOKUP_WANT_GID        (1<<9)
100 #define KAUTH_EXTLOOKUP_WANT_GGUID      (1<<10)
101 #define KAUTH_EXTLOOKUP_WANT_GSID       (1<<11)
102 #define KAUTH_EXTLOOKUP_WANT_MEMBERSHIP (1<<12)
103 #define KAUTH_EXTLOOKUP_VALID_MEMBERSHIP (1<<13)
104 #define KAUTH_EXTLOOKUP_ISMEMBER        (1<<14)
105 #define KAUTH_EXTLOOKUP_VALID_PWNAM     (1<<15)
106 #define KAUTH_EXTLOOKUP_WANT_PWNAM      (1<<16)
107 #define KAUTH_EXTLOOKUP_VALID_GRNAM     (1<<17)
108 #define KAUTH_EXTLOOKUP_WANT_GRNAM      (1<<18)
109 #define KAUTH_EXTLOOKUP_VALID_SUPGRPS   (1<<19)
110 #define KAUTH_EXTLOOKUP_WANT_SUPGRPS    (1<<20)
111 
112 	__darwin_pid_t  el_info_pid;            /* request on behalf of PID */
113 	u_int64_t       el_extend;              /* extension field */
114 	u_int32_t       el_info_reserved_1;     /* reserved (APPLE) */
115 
116 	uid_t           el_uid;         /* user ID */
117 	guid_t          el_uguid;       /* user GUID */
118 	u_int32_t       el_uguid_valid; /* TTL on translation result (seconds) */
119 	ntsid_t         el_usid;        /* user NT SID */
120 	u_int32_t       el_usid_valid;  /* TTL on translation result (seconds) */
121 	gid_t           el_gid;         /* group ID */
122 	guid_t          el_gguid;       /* group GUID */
123 	u_int32_t       el_gguid_valid; /* TTL on translation result (seconds) */
124 	ntsid_t         el_gsid;        /* group SID */
125 	u_int32_t       el_gsid_valid;  /* TTL on translation result (seconds) */
126 	u_int32_t       el_member_valid; /* TTL on group lookup result */
127 	u_int32_t       el_sup_grp_cnt;  /* count of supplemental groups up to NGROUPS */
128 	gid_t           el_sup_groups[NGROUPS_MAX];     /* supplemental group list */
129 };
130 
/*
 * Cache-size tunables exchanged with user space, presumably via the
 * KAUTH_GET_CACHE_SIZES / KAUTH_SET_CACHE_SIZES operations below (confirm
 * against the implementation).  Units are entry counts, not bytes — TODO
 * confirm.
 */
struct kauth_cache_sizes {
	u_int32_t kcs_group_size;       /* group-membership cache size */
	u_int32_t kcs_id_size;          /* identity cache size */
};
135 
/*
 * Operation selectors for the identity-service interface between the kernel
 * and the user-space resolver daemon.  REGISTER is 0; the others are
 * distinct bits, so they could in principle be combined — which
 * combinations the kernel accepts is not visible here.
 */
#define KAUTH_EXTLOOKUP_REGISTER        (0)
#define KAUTH_EXTLOOKUP_RESULT          (1<<0)
#define KAUTH_EXTLOOKUP_WORKER          (1<<1)
#define KAUTH_EXTLOOKUP_DEREGISTER      (1<<2)
#define KAUTH_GET_CACHE_SIZES           (1<<3)
#define KAUTH_SET_CACHE_SIZES           (1<<4)
#define KAUTH_CLEAR_CACHES              (1<<5)

/*
 * Entitlement name; presumably required of a process before it may act as
 * the resolver or adjust the caches above.  Confirm where it is checked.
 */
#define IDENTITYSVC_ENTITLEMENT         "com.apple.private.identitysvc"
145 
146 
147 #ifdef KERNEL
148 /*
149  * Credentials.
150  */
151 /* XXX just for now */
152 #include <sys/ucred.h>
153 
154 /* Kernel SPI for now */
155 __BEGIN_DECLS
156 /*
157  * Routines specific to credentials with POSIX credential labels attached
158  *
159  * XXX	Should be in policy_posix.h, with struct posix_cred
160  */
161 extern kauth_cred_t posix_cred_create(posix_cred_t pcred);
162 extern posix_cred_t posix_cred_get(kauth_cred_t cred);
163 extern void posix_cred_label(kauth_cred_t cred, posix_cred_t pcred);
164 extern int posix_cred_access(kauth_cred_t cred, id_t object_uid, id_t object_gid, mode_t object_mode, mode_t mode_req);
165 
/*
 * Credential accessors for the current thread.  kauth_cred_get() has a
 * _with_ref sibling, so the plain form presumably returns a borrowed
 * reference that must not be handed to kauth_cred_unref() — confirm.
 */
extern uid_t    kauth_getuid(void);
extern uid_t    kauth_getruid(void);
extern gid_t    kauth_getgid(void);
extern kauth_cred_t kauth_cred_get(void);
extern kauth_cred_t kauth_cred_get_with_ref(void);
/* By its name, takes a reference on procp's credential; release with kauth_cred_unref(). */
extern kauth_cred_t kauth_cred_proc_ref(proc_t procp);
extern kauth_cred_t kauth_cred_create(kauth_cred_t cred);
extern void     kauth_cred_ref(kauth_cred_t _cred);
#ifndef __LP64__
/* Use kauth_cred_unref(), not kauth_cred_rele() */
extern void     kauth_cred_rele(kauth_cred_t _cred) __deprecated;
#endif
/*
 * Drop a reference.  Takes the address of the caller's variable (the
 * HAS_APPLE_PAC wrapper further down writes a local back through it), so
 * assume *_cred may be modified and do not reuse the old value afterwards.
 */
extern void     kauth_cred_unref(kauth_cred_t *_cred);
179 
#if CONFIG_MACF
struct label;
/* Return a credential carrying `label`; may differ from `cred` — use the return value. */
extern kauth_cred_t     kauth_cred_label_update(kauth_cred_t cred, struct label *label);
extern int kauth_proc_label_update(struct proc *p, struct label *label);
#else
/*
 * Temporary stub declarations for kernel configurations built without MAC.
 * The export list cannot depend on the kernel configuration, so the symbols
 * must exist either way; `label` is untyped here because struct label is
 * not declared in this configuration.
 */
extern kauth_cred_t     kauth_cred_label_update(kauth_cred_t cred, void *label);
extern int kauth_proc_label_update(struct proc *p, void *label);
#endif
192 
/* Deprecated: see the attribute message; prefer the accessors below. */
__deprecated_msg("Unsafe interface: requires lock holds that aren't exposed")
extern kauth_cred_t kauth_cred_find(kauth_cred_t cred);
/*
 * Effective / real / saved ids of a credential (the naming mirrors the
 * ruid/euid/svuid parameters of kauth_cred_setresuid() below).
 */
extern uid_t    kauth_cred_getuid(kauth_cred_t _cred);
extern uid_t    kauth_cred_getruid(kauth_cred_t _cred);
extern uid_t    kauth_cred_getsvuid(kauth_cred_t _cred);
extern gid_t    kauth_cred_getgid(kauth_cred_t _cred);
extern gid_t    kauth_cred_getrgid(kauth_cred_t _cred);
extern gid_t    kauth_cred_getsvgid(kauth_cred_t _cred);
/*
 * Name <-> GUID translation.  The name buffers are bare `char *` with no
 * length parameter; the NUL-termination and maximum-length contract is not
 * visible here — confirm it before passing caller-controlled names, and
 * size the output buffers of the guid2* variants accordingly.
 */
extern int      kauth_cred_pwnam2guid(char *pwnam, guid_t *guidp);
extern int      kauth_cred_grnam2guid(char *grnam, guid_t *guidp);
extern int      kauth_cred_guid2pwnam(guid_t *guidp, char *pwnam);
extern int      kauth_cred_guid2grnam(guid_t *guidp, char *grnam);
/*
 * Identity translation between uid/gid, GUID and NT SID.  Each returns an
 * int status and writes the result through the out pointer; presumably
 * 0 == success and the out value is only valid then — confirm.
 */
extern int      kauth_cred_guid2uid(guid_t *_guid, uid_t *_uidp);
extern int      kauth_cred_guid2gid(guid_t *_guid, gid_t *_gidp);
extern int      kauth_cred_ntsid2uid(ntsid_t *_sid, uid_t *_uidp);
extern int      kauth_cred_ntsid2gid(ntsid_t *_sid, gid_t *_gidp);
extern int      kauth_cred_ntsid2guid(ntsid_t *_sid, guid_t *_guidp);
extern int      kauth_cred_uid2guid(uid_t _uid, guid_t *_guidp);
extern int      kauth_cred_getguid(kauth_cred_t _cred, guid_t *_guidp);
extern int      kauth_cred_gid2guid(gid_t _gid, guid_t *_guidp);
extern int      kauth_cred_uid2ntsid(uid_t _uid, ntsid_t *_sidp);
extern int      kauth_cred_getntsid(kauth_cred_t _cred, ntsid_t *_sidp);
extern int      kauth_cred_gid2ntsid(gid_t _gid, ntsid_t *_sidp);
extern int      kauth_cred_guid2ntsid(guid_t *_guid, ntsid_t *_sidp);
/*
 * Group membership.  The yes/no answer is written to *_resultp; the return
 * value reports whether the lookup itself succeeded.  Treat a non-zero
 * return as "unknown", not as "not a member".
 */
extern int      kauth_cred_ismember_gid(kauth_cred_t _cred, gid_t _gid, int *_resultp);
extern int      kauth_cred_ismember_guid(kauth_cred_t _cred, guid_t *_guidp, int *_resultp);
/* NFSv4 domain <-> directory-service node mapping; same bare `char *` caveat as above. */
extern int      kauth_cred_nfs4domain2dsnode(char *nfs4domain, char *dsnode);
extern int      kauth_cred_dsnode2nfs4domain(char *dsnode, char *nfs4domain);

/* Note the argument order (gid first) differs from the kauth_cred_ismember_* family. */
extern int      groupmember(gid_t gid, kauth_cred_t cred);

/* currently only exported in unsupported for use by seatbelt */
extern int      kauth_cred_issuser(kauth_cred_t _cred);
226 
227 
/* GUID, NTSID helpers */
extern guid_t   kauth_null_guid;        /* the all-zero GUID — TODO confirm its contents */
/* Non-zero when the two GUIDs are equal; both pointers must be non-NULL. */
extern int      kauth_guid_equal(guid_t *_guid1, guid_t *_guid2);
231 
232 #ifdef KERNEL_PRIVATE
/*
 * Copy the credential's group list into _groups.  _groupcount is a pointer,
 * so it is presumably in/out: capacity on entry, number written on return —
 * confirm, and size _groups for NGROUPS_MAX entries to be safe.
 */
extern int      kauth_cred_getgroups(kauth_cred_t _cred, gid_t *_groups, size_t *_groupcount);
234 
235 #endif /* KERNEL_PRIVATE */
236 
237 #ifdef XNU_KERNEL_PRIVATE
/* Non-zero when the two SIDs are equal; both pointers must be non-NULL. */
extern int      kauth_ntsid_equal(ntsid_t *_sid1, ntsid_t *_sid2);

/* Classify a GUID; returns one of the KAUTH_WKG_* values below. */
extern int      kauth_wellknown_guid(guid_t *_guid);
#define KAUTH_WKG_NOT           0       /* not a well-known GUID */
#define KAUTH_WKG_OWNER         1
#define KAUTH_WKG_GROUP         2
#define KAUTH_WKG_NOBODY        3
#define KAUTH_WKG_EVERYBODY     4
246 
extern gid_t    kauth_getrgid(void);
/*
 * May cur_procp (acting with `creds`) trace traced_procp?  Returns non-zero
 * when allowed; on refusal the reason is presumably written to *errp —
 * confirm the exact return convention in the implementation.
 */
extern int      cantrace(proc_t cur_procp, kauth_cred_t creds, proc_t traced_procp, int *errp);
/*
 * Credential mutators.  Each returns a kauth_cred_t which may be a different
 * object from the `cred` passed in, so callers must use the return value
 * rather than assume `cred` was updated in place (presumably credentials are
 * shared and copy-on-write — confirm).
 */
extern kauth_cred_t kauth_cred_copy_real(kauth_cred_t cred);
extern kauth_cred_t kauth_cred_setresuid(kauth_cred_t cred, uid_t ruid, uid_t euid, uid_t svuid, uid_t gmuid);
extern kauth_cred_t kauth_cred_setresgid(kauth_cred_t cred, gid_t rgid, gid_t egid, gid_t svgid);
extern kauth_cred_t kauth_cred_setuidgid(kauth_cred_t cred, uid_t uid, gid_t gid);
extern kauth_cred_t kauth_cred_setsvuidgid(kauth_cred_t cred, uid_t uid, gid_t gid);
/* groupcount presumably must not exceed NGROUPS_MAX — confirm where it is checked. */
extern kauth_cred_t kauth_cred_setgroups(kauth_cred_t cred, gid_t *groups, size_t groupcount, uid_t gmuid);
struct uthread;
extern void     kauth_cred_thread_update(struct thread *, proc_t);
#ifdef CONFIG_MACF
/*
 * MAC label transition at execve.  Eleven parameters; the meaning of
 * psattr, disjoint and update_return is not visible here — see the MAC
 * policy hook this forwards to.
 */
extern void kauth_proc_label_update_execve(struct proc *p, struct vfs_context *ctx, struct vnode *vp, off_t offset, struct vnode *scriptvp, struct label *scriptlabel, struct label *execlabel, unsigned int *csflags, void *psattr, int *disjoint, int *update_return);
#endif
/* *_resultp is set non-zero when _cred1's groups are a subset of _cred2's — presumably; confirm. */
extern int      kauth_cred_gid_subset(kauth_cred_t _cred1, kauth_cred_t _cred2, int *_resultp);
struct auditinfo_addr;
extern kauth_cred_t kauth_cred_setauditinfo(kauth_cred_t, au_session_t *);
/* Supplementary (opaque) credential data keyed by an ident obtained from _register. */
extern int      kauth_cred_supplementary_register(const char *name, int *ident);
extern int      kauth_cred_supplementary_add(kauth_cred_t cred, int ident, const void *data, size_t datasize);
extern int      kauth_cred_supplementary_remove(kauth_cred_t cred, int ident);

/* Declared __pure2: result depends only on `cred`; presumably asserts it is non-NULL — confirm. */
extern kauth_cred_t kauth_cred_require(kauth_cred_t cred) __pure2;

/*
 * Store new_cred into *credp, managing references.  Under HAS_APPLE_PAC these
 * two are wrapped by the function-like macros below, which is why the
 * declarations take the address of the credential variable.
 */
extern void     kauth_cred_set(kauth_cred_t *credp, kauth_cred_t new_cred);
extern void     kauth_cred_set_and_unref(kauth_cred_t *credp, kauth_cred_t *new_credp);
271 
#if HAS_APPLE_PAC
/*
 * `kauth_cred_set` and `kauth_cred_unref` take pointers to a
 * `kauth_cred_t`, which the compiler considers strictly different from a
 * pointer to a signed `kauth_cred_t` (as it should do).  These macros
 * therefore authenticate the arguments into naked locals, pass them to the
 * function and then write back the results, signing them in the process.
 *
 * The parenthesised `(kauth_cred_set)` etc. suppresses macro expansion so
 * the underlying function is called.  `credp` is expanded twice (read, then
 * written back), so it must be an expression without side effects;
 * `new_cred` / `new_credp` are expanded exactly once.
 */
#define kauth_cred_set(credp, new_cred) \
    do { \
	    kauth_cred_t _cred = *(credp); \
	    (kauth_cred_set)(&_cred, (new_cred)); \
	    *(credp) = _cred; \
    } while (0)

#define kauth_cred_set_and_unref(credp, new_credp) \
    do { \
	    kauth_cred_t _cred = *(credp); \
	    (kauth_cred_set_and_unref)(&_cred, (new_credp)); \
	    *(credp) = _cred; \
    } while (0)

#define kauth_cred_unref(credp) \
    do { \
	    kauth_cred_t _credp = *(credp); \
	    (kauth_cred_unref)(&_credp); \
	    *(credp) = _credp; \
    } while (0)
#endif /* HAS_APPLE_PAC */
301 
302 #endif /* XNU_KERNEL_PRIVATE */
303 __END_DECLS
304 
305 #endif /* KERNEL */
306 
307 /*
308  * Generic Access Control Lists.
309  */
310 #if defined(KERNEL) || defined (_SYS_ACL_H)
311 
/* Bit set of rights in an ACE; the vnode scope's KAUTH_VNODE_* bits are one such encoding. */
typedef u_int32_t kauth_ace_rights_t;
313 
/*
 * Access Control List Entry (ACE).
 *
 * ace_flags packs the entry kind into the low 4 bits (KAUTH_ACE_KINDMASK)
 * and inheritance / audit modifiers into the bits above.  AUDIT and ALARM
 * kinds, and the SUCCESS/FAILURE modifiers, are declared but marked as not
 * implemented, so an evaluator should treat them as neither permit nor deny.
 */
struct kauth_ace {
	guid_t          ace_applicable;         /* principal this entry applies to */
	u_int32_t       ace_flags;              /* kind (low 4 bits) | modifier bits */
#define KAUTH_ACE_KINDMASK              0xf
#define KAUTH_ACE_PERMIT                1
#define KAUTH_ACE_DENY                  2
#define KAUTH_ACE_AUDIT                 3       /* not implemented */
#define KAUTH_ACE_ALARM                 4       /* not implemented */
#define KAUTH_ACE_INHERITED             (1<<4)
#define KAUTH_ACE_FILE_INHERIT          (1<<5)
#define KAUTH_ACE_DIRECTORY_INHERIT     (1<<6)
#define KAUTH_ACE_LIMIT_INHERIT         (1<<7)
#define KAUTH_ACE_ONLY_INHERIT          (1<<8)
#define KAUTH_ACE_SUCCESS               (1<<9)  /* not implemented (AUDIT/ALARM) */
#define KAUTH_ACE_FAILURE               (1<<10) /* not implemented (AUDIT/ALARM) */
/* All flag bits controlling ACE inheritance */
#define KAUTH_ACE_INHERIT_CONTROL_FLAGS         \
	        (KAUTH_ACE_FILE_INHERIT |       \
	         KAUTH_ACE_DIRECTORY_INHERIT |  \
	         KAUTH_ACE_LIMIT_INHERIT |      \
	         KAUTH_ACE_ONLY_INHERIT)
	kauth_ace_rights_t ace_rights;          /* scope specific */
	/*
	 * These rights are never tested, but may be present in an ACL.  Bits
	 * 21-24 are reserved for them in the vnode scope as well (see the
	 * KAUTH_VNODE_GENERIC_*_BITS expansions further down).
	 */
#define KAUTH_ACE_GENERIC_ALL           (1<<21)
#define KAUTH_ACE_GENERIC_EXECUTE       (1<<22)
#define KAUTH_ACE_GENERIC_WRITE         (1<<23)
#define KAUTH_ACE_GENERIC_READ          (1<<24)
};

#ifndef _KAUTH_ACE
#define _KAUTH_ACE
typedef struct kauth_ace *kauth_ace_t;
#endif
348 
349 
/*
 * Access Control List.
 *
 * acl_ace[1] is a variable-length trailer: the real number of entries is
 * acl_entrycount, and the object is sized with KAUTH_ACL_SIZE(), which uses
 * __offsetof(acl_ace) rather than sizeof(struct kauth_acl).  Never allocate
 * or copy one by sizeof alone.
 */
struct kauth_acl {
	u_int32_t       acl_entrycount;         /* entries in acl_ace[], or KAUTH_FILESEC_NOACL */
	u_int32_t       acl_flags;              /* KAUTH_ACL_* flags; low 16 bits are filesystem-private */

	struct kauth_ace acl_ace[1];            /* acl_entrycount entries follow */
};
357 
358 /*
359  * XXX this value needs to be raised - 3893388
360  */
361 #define KAUTH_ACL_MAX_ENTRIES           128
362 
363 /*
364  * The low 16 bits of the flags field are reserved for filesystem
365  * internal use and must be preserved by all APIs.  This includes
366  * round-tripping flags through user-space interfaces.
367  */
368 #define KAUTH_ACL_FLAGS_PRIVATE (0xffff)
369 
370 /*
371  * The high 16 bits of the flags are used to store attributes and
372  * to request specific handling of the ACL.
373  */
374 
375 /* inheritance will be deferred until the first rename operation */
376 #define KAUTH_ACL_DEFER_INHERIT (1<<16)
377 /* this ACL must not be overwritten as part of an inheritance operation */
378 #define KAUTH_ACL_NO_INHERIT    (1<<17)
379 
380 /* acl_entrycount that tells us the ACL is not valid */
381 #define KAUTH_FILESEC_NOACL ((u_int32_t)(-1))
382 
383 /*
384  * If the acl_entrycount field is KAUTH_FILESEC_NOACL, then the size is the
385  * same as a kauth_acl structure; the intent is to put an actual entrycount of
386  * KAUTH_FILESEC_NOACL on disk to distinguish a kauth_filesec_t with an empty
387  * entry (Windows treats this as "deny all") from one that merely indicates a
388  * file group and/or owner guid values.
389  */
390 #define KAUTH_ACL_SIZE(c)       (__offsetof(struct kauth_acl, acl_ace) + ((u_int32_t)(c) != KAUTH_FILESEC_NOACL ? ((c) * sizeof(struct kauth_ace)) : 0))
391 #define KAUTH_ACL_COPYSIZE(p)   KAUTH_ACL_SIZE((p)->acl_entrycount)
392 
393 
/* Guarded so <sys/acl.h> and this header can each declare the typedef. */
#ifndef _KAUTH_ACL
#define _KAUTH_ACL
typedef struct kauth_acl *kauth_acl_t;
#endif
398 
#ifdef KERNEL
__BEGIN_DECLS
/*
 * Allocate / free an ACL.  Whether `size` is an entry count or a byte
 * count is not visible here — confirm in the implementation before
 * passing a value derived from KAUTH_ACL_SIZE().
 */
kauth_acl_t     kauth_acl_alloc(int size);
void            kauth_acl_free(kauth_acl_t fsp);
__END_DECLS
#endif
405 
406 
407 /*
408  * Extended File Security.
409  */
410 
/*
 * File Security information.
 *
 * This is the form that goes to disk (see the KAUTH_FILESEC_NOACL comment
 * above and KAUTH_FILESEC_XATTR below) and through user-space interfaces,
 * so on the way in fsec_magic should be checked against KAUTH_FILESEC_MAGIC
 * and the embedded acl_entrycount validated (KAUTH_FILESEC_VALID() checks
 * the byte size, not the magic or the KAUTH_ACL_MAX_ENTRIES bound).
 */
struct kauth_filesec {
	u_int32_t       fsec_magic;             /* must be KAUTH_FILESEC_MAGIC */
#define KAUTH_FILESEC_MAGIC     0x012cc16d
	guid_t          fsec_owner;
	guid_t          fsec_group;

	struct kauth_acl fsec_acl;              /* variable length; see KAUTH_FILESEC_SIZE() */
};
420 
/* backwards compatibility: the ACL fields used to live directly in kauth_filesec */
#define fsec_entrycount fsec_acl.acl_entrycount
#define fsec_flags      fsec_acl.acl_flags
#define fsec_ace        fsec_acl.acl_ace
#define KAUTH_FILESEC_FLAGS_PRIVATE     KAUTH_ACL_FLAGS_PRIVATE
#define KAUTH_FILESEC_DEFER_INHERIT     KAUTH_ACL_DEFER_INHERIT
#define KAUTH_FILESEC_NO_INHERIT        KAUTH_ACL_NO_INHERIT
/*
 * Sentinel pointer values, not real objects: compare a kauth_filesec_t
 * against these by identity and never dereference them.
 */
#define KAUTH_FILESEC_NONE      ((kauth_filesec_t)0)
#define KAUTH_FILESEC_WANTED    ((kauth_filesec_t)1)
430 
#ifndef _KAUTH_FILESEC
#define _KAUTH_FILESEC
typedef struct kauth_filesec *kauth_filesec_t;
#endif

/*
 * Sizing helpers for the variable-length kauth_filesec.
 *
 * SIZE(c)      bytes needed for c ACEs; (c) is not bounded or checked for
 *              NOACL here — COPYSIZE does the NOACL -> 0 mapping.
 * COUNT(s)     ACE count implied by byte size s.  The subtraction is
 *              unsigned and underflows when s < SIZE(0), so always test
 *              VALID(s) first.
 * VALID(s)     s is at least the fixed header and the remainder is a whole
 *              number of ACEs.  It does NOT check the magic or that the
 *              count is <= KAUTH_ACL_MAX_ENTRIES; do those separately for
 *              data from disk or user space.
 */
#define KAUTH_FILESEC_SIZE(c)           (__offsetof(struct kauth_filesec, fsec_acl) + __offsetof(struct kauth_acl, acl_ace) + (c) * sizeof(struct kauth_ace))
#define KAUTH_FILESEC_COPYSIZE(p)       KAUTH_FILESEC_SIZE(((p)->fsec_entrycount == KAUTH_FILESEC_NOACL) ? 0 : (p)->fsec_entrycount)
#define KAUTH_FILESEC_COUNT(s)          (((s)  - KAUTH_FILESEC_SIZE(0)) / sizeof(struct kauth_ace))
#define KAUTH_FILESEC_VALID(s)          ((s) >= KAUTH_FILESEC_SIZE(0) && (((s) - KAUTH_FILESEC_SIZE(0)) % sizeof(struct kauth_ace)) == 0)

/* Extended attribute name under which the filesec is stored on disk. */
#define KAUTH_FILESEC_XATTR     "com.apple.system.Security"

/* Allowable first arguments to kauth_filesec_acl_setendian() */
#define KAUTH_ENDIAN_HOST       0x00000001      /* set host endianness */
#define KAUTH_ENDIAN_DISK       0x00000002      /* set disk endianness */
446 
447 #endif /* KERNEL || <sys/acl.h> */
448 
449 
450 #ifdef KERNEL
451 
452 
453 /*
454  * Scope management.
455  */
/* Opaque handles; the structures are defined in the implementation. */
struct kauth_scope;
typedef struct kauth_scope *kauth_scope_t;
struct kauth_listener;
typedef struct kauth_listener *kauth_listener_t;
#ifndef _KAUTH_ACTION_T
typedef int kauth_action_t;
# define _KAUTH_ACTION_T
#endif

/*
 * Scope callback.  _idata is the cookie supplied at registration time; the
 * meaning of _arg0.._arg3 is scope specific (see the per-scope comments
 * below).  The return value is presumably one of the KAUTH_RESULT_* values
 * that follow — confirm against kauth_authorize_action().
 */
typedef int (* kauth_scope_callback_t)(kauth_cred_t _credential,
    void *_idata,
    kauth_action_t _action,
    uintptr_t _arg0,
    uintptr_t _arg1,
    uintptr_t _arg2,
    uintptr_t _arg3);

#define KAUTH_RESULT_ALLOW      (1)
#define KAUTH_RESULT_DENY       (2)
#define KAUTH_RESULT_DEFER      (3)     /* no opinion; leave the decision to others */
476 
/*
 * Input/output block for kauth_acl_evaluate().
 *
 * ae_acl / ae_count describe the ACL being evaluated (ae_count is an int,
 * so the caller is responsible for keeping it consistent with the ACL's
 * acl_entrycount).  The ae_exp_* fields tell the evaluator what the
 * GENERIC_* rights bits expand to in the caller's scope.
 */
struct kauth_acl_eval {
	kauth_ace_t             ae_acl;         /* first ACE */
	int                     ae_count;       /* number of ACEs at ae_acl */
	kauth_ace_rights_t      ae_requested;   /* rights being asked for */
	kauth_ace_rights_t      ae_residual;    /* rights left unresolved after evaluation — presumably; confirm */
	int                     ae_result;      /* KAUTH_RESULT_* — presumably; confirm */
	boolean_t               ae_found_deny;  /* a matching DENY entry was seen */
	int                     ae_options;     /* KAUTH_AEVAL_* bits */
#define KAUTH_AEVAL_IS_OWNER    (1<<0)          /* authorizing operation for owner */
#define KAUTH_AEVAL_IN_GROUP    (1<<1)          /* authorizing operation for groupmember */
#define KAUTH_AEVAL_IN_GROUP_UNKNOWN    (1<<2)          /* authorizing operation for unknown group membership */
	/* expansions for 'generic' rights bits */
	kauth_ace_rights_t      ae_exp_gall;
	kauth_ace_rights_t      ae_exp_gread;
	kauth_ace_rights_t      ae_exp_gwrite;
	kauth_ace_rights_t      ae_exp_gexec;
};

typedef struct kauth_acl_eval *kauth_acl_eval_t;
496 
497 __BEGIN_DECLS
/* Allocate / free a filesec; same `size` caveat as kauth_acl_alloc(). */
kauth_filesec_t kauth_filesec_alloc(int size);
void            kauth_filesec_free(kauth_filesec_t fsp);
/*
 * Scope registration.  _identifier is one of the KAUTH_SCOPE_* strings (or a
 * new one); _callback is invoked with _idata on each authorization.
 */
extern kauth_scope_t kauth_register_scope(const char *_identifier, kauth_scope_callback_t _callback, void *_idata);
extern void     kauth_deregister_scope(kauth_scope_t _scope);
/* Listener KPI is deprecated in favour of EndpointSecurity, as annotated. */
__kpi_deprecated("Use EndpointSecurity instead")
extern kauth_listener_t kauth_listen_scope(const char *_identifier, kauth_scope_callback_t _callback, void *_idata);
__kpi_deprecated("Use EndpointSecurity instead")
extern void     kauth_unlisten_scope(kauth_listener_t _scope);
/* Run the scope's callback (and listeners) for _action; returns 0 when allowed — presumably; confirm. */
extern int      kauth_authorize_action(kauth_scope_t _scope, kauth_cred_t _credential, kauth_action_t _action,
    uintptr_t _arg0, uintptr_t _arg1, uintptr_t _arg2, uintptr_t _arg3);

/* default scope handlers */
/* Callback that allows everything; usable as the _callback of a scope that relies on listeners only. */
extern int      kauth_authorize_allow(kauth_cred_t _credential, void *_idata, kauth_action_t _action,
    uintptr_t _arg0, uintptr_t _arg1, uintptr_t _arg2, uintptr_t _arg3);
512 
513 #ifdef KERNEL_PRIVATE
/* Evaluate _eval->ae_acl for _credential; results are written back into *_eval. */
extern int      kauth_acl_evaluate(kauth_cred_t _credential, kauth_acl_eval_t _eval);
515 
516 #endif /* KERNEL_PRIVATE */
517 
518 
519 #ifdef XNU_KERNEL_PRIVATE
/* Byte-swap a filesec / ACL between host and disk order; first arg is KAUTH_ENDIAN_HOST or KAUTH_ENDIAN_DISK. */
void            kauth_filesec_acl_setendian(int, kauth_filesec_t, kauth_acl_t);
/*
 * Copy a filesec in from the user address xsecurity into a freshly
 * allocated *xsecdestpp.  The input is untrusted, so the callee is expected
 * to validate size, magic and entry count (see KAUTH_FILESEC_VALID and
 * KAUTH_ACL_MAX_ENTRIES) — confirm that it does before relying on the result.
 */
int             kauth_copyinfilesec(user_addr_t xsecurity, kauth_filesec_t *xsecdestpp);
/* Compute the ACL a new child of _dvp inherits, starting from _initial; result in *_product. */
extern int      kauth_acl_inherit(vnode_t _dvp, kauth_acl_t _initial, kauth_acl_t *_product, int _isdir, vfs_context_t _ctx);
523 
524 #endif /* XNU_KERNEL_PRIVATE */
525 
526 
527 __END_DECLS
528 
529 /*
530  * Generic scope.
531  */
#define KAUTH_SCOPE_GENERIC     "com.apple.kauth.generic"

/* Actions */
#define KAUTH_GENERIC_ISSUSER                   1       /* is the credential the superuser? */
536 
537 #ifdef XNU_KERNEL_PRIVATE
538 __BEGIN_DECLS
/* Authorize `action` (e.g. KAUTH_GENERIC_ISSUSER) in the generic scope for `credential`. */
extern int      kauth_authorize_generic(kauth_cred_t credential, kauth_action_t action);
540 __END_DECLS
541 #endif /* XNU_KERNEL_PRIVATE */
542 
543 /*
544  * Process/task scope.
545  */
#define KAUTH_SCOPE_PROCESS     "com.apple.kauth.process"

/* Actions */
#define KAUTH_PROCESS_CANSIGNAL                 1       /* may the credential signal the target process? */
#define KAUTH_PROCESS_CANTRACE                  2       /* may the credential trace the target process? */
551 
552 __BEGIN_DECLS
/* Process-scope authorization; _process is the target, _arg1.._arg3 are action specific. */
extern int      kauth_authorize_process(kauth_cred_t _credential, kauth_action_t _action,
    struct proc *_process, uintptr_t _arg1, uintptr_t _arg2, uintptr_t _arg3);
555 __END_DECLS
556 
557 /*
558  * Vnode operation scope.
559  *
560  * Prototype for vnode_authorize is in vnode.h
561  */
/* Actions for this scope are the KAUTH_VNODE_* bits declared further down. */
#define KAUTH_SCOPE_VNODE       "com.apple.kauth.vnode"
563 
564 /*
565  * File system operation scope.
566  *
567  */
#define KAUTH_SCOPE_FILEOP      "com.apple.kauth.fileop"

/*
 * Actions.  These are ordinal values, not bit flags, and the argument
 * layout for each is documented below.
 */
#define KAUTH_FILEOP_OPEN                       1
#define KAUTH_FILEOP_CLOSE                      2
#define KAUTH_FILEOP_RENAME                     3
#define KAUTH_FILEOP_EXCHANGE                   4
#define KAUTH_FILEOP_LINK                       5
#define KAUTH_FILEOP_EXEC                       6
#define KAUTH_FILEOP_DELETE                     7
#define KAUTH_FILEOP_WILL_RENAME                8
579 
580 /*
581  * arguments passed to KAUTH_FILEOP_OPEN listeners
582  *		arg0 is pointer to vnode (vnode *) for given user path.
583  *		arg1 is pointer to path (char *) passed in to open.
584  * arguments passed to KAUTH_FILEOP_CLOSE listeners
585  *		arg0 is pointer to vnode (vnode *) for file to be closed.
586  *		arg1 is pointer to path (char *) of file to be closed.
587  *		arg2 is close flags.
588  * arguments passed to KAUTH_FILEOP_WILL_RENAME listeners
589  *		arg0 is pointer to vnode (vnode *) of the file being renamed
590  *		arg1 is pointer to the "from" path (char *)
591  *		arg2 is pointer to the "to" path (char *)
592  * arguments passed to KAUTH_FILEOP_RENAME listeners
593  *		arg0 is pointer to "from" path (char *).
594  *		arg1 is pointer to "to" path (char *).
595  * arguments passed to KAUTH_FILEOP_EXCHANGE listeners
596  *		arg0 is pointer to file 1 path (char *).
597  *		arg1 is pointer to file 2 path (char *).
598  * arguments passed to KAUTH_FILEOP_LINK listeners
599  *		arg0 is pointer to path to file we are linking to (char *).
600  *		arg1 is pointer to path to the new link file (char *).
601  * arguments passed to KAUTH_FILEOP_EXEC listeners
602  *		arg0 is pointer to vnode (vnode *) for executable.
603  *		arg1 is pointer to path (char *) to executable.
604  * arguments passed to KAUTH_FILEOP_DELETE listeners
605  *		arg0 is pointer to vnode (vnode *) of file/dir that was deleted.
606  *		arg1 is pointer to path (char *) of file/dir that was deleted.
607  */
608 
/* Flag values passed in arg2 to KAUTH_FILEOP_CLOSE listeners. */
#define KAUTH_FILEOP_CLOSE_MODIFIED                     (1<<1)
611 
612 __BEGIN_DECLS
#ifdef XNU_KERNEL_PRIVATE
/* Cheap pre-check so callers can skip building arguments when nobody listens. */
extern int      kauth_authorize_fileop_has_listeners(void);
#endif /* XNU_KERNEL_PRIVATE */
/* Notify fileop listeners of _action; see the argument table above for _arg0/_arg1. */
extern int      kauth_authorize_fileop(kauth_cred_t _credential, kauth_action_t _action,
    uintptr_t _arg0, uintptr_t _arg1);
618 __END_DECLS
619 
620 #endif /* KERNEL */
621 
622 /* Actions, also rights bits in an ACE */
623 
624 #if defined(KERNEL) || defined (_SYS_ACL_H)
/*
 * Vnode rights bits.  Unlike the int-typed (1<<n) constants elsewhere in
 * this header these are unsigned (1U<<n), which keeps the high bits (30, 31)
 * used below well-defined.  Bit 0 is unused; bits 1-13 and 20 are rights,
 * and several names alias the same bit with directory-specific meaning.
 */
#define KAUTH_VNODE_READ_DATA                   (1U<<1)
#define KAUTH_VNODE_LIST_DIRECTORY              KAUTH_VNODE_READ_DATA
#define KAUTH_VNODE_WRITE_DATA                  (1U<<2)
#define KAUTH_VNODE_ADD_FILE                    KAUTH_VNODE_WRITE_DATA
#define KAUTH_VNODE_EXECUTE                     (1U<<3)
#define KAUTH_VNODE_SEARCH                      KAUTH_VNODE_EXECUTE
#define KAUTH_VNODE_DELETE                      (1U<<4)
#define KAUTH_VNODE_APPEND_DATA                 (1U<<5)
#define KAUTH_VNODE_ADD_SUBDIRECTORY            KAUTH_VNODE_APPEND_DATA
#define KAUTH_VNODE_DELETE_CHILD                (1U<<6)
#define KAUTH_VNODE_READ_ATTRIBUTES             (1U<<7)
#define KAUTH_VNODE_WRITE_ATTRIBUTES            (1U<<8)
#define KAUTH_VNODE_READ_EXTATTRIBUTES          (1U<<9)
#define KAUTH_VNODE_WRITE_EXTATTRIBUTES         (1U<<10)
#define KAUTH_VNODE_READ_SECURITY               (1U<<11)
#define KAUTH_VNODE_WRITE_SECURITY              (1U<<12)
#define KAUTH_VNODE_TAKE_OWNERSHIP              (1U<<13)

/* backwards compatibility only */
#define KAUTH_VNODE_CHANGE_OWNER                KAUTH_VNODE_TAKE_OWNERSHIP

/* For Windows interoperability only */
#define KAUTH_VNODE_SYNCHRONIZE                 (1U<<20)
648 
649 /* (1<<21) - (1<<24) are reserved for generic rights bits */
650 
/*
 * Actions not expressed as rights bits.  These share the kauth_action_t
 * value space with the rights above but are never stored in an ACE.
 */
/*
 * Authorizes the vnode as the target of a hard link.
 */
#define KAUTH_VNODE_LINKTARGET                  (1U<<25)

/*
 * Indicates that other steps have been taken to authorise the action,
 * but authorisation should be denied for immutable objects.
 */
#define KAUTH_VNODE_CHECKIMMUTABLE              (1U<<26)

/* Action modifiers */
/*
 * The KAUTH_VNODE_ACCESS bit is passed to the callback if the authorisation
 * request in progress is advisory, rather than authoritative.  Listeners
 * performing consequential work (i.e. not strictly checking authorisation)
 * may test this flag to avoid performing unnecessary work.
 *
 * This bit will never be present in an ACE.
 */
#define KAUTH_VNODE_ACCESS                      (1U<<31)

/*
 * The KAUTH_VNODE_NOIMMUTABLE bit is passed to the callback along with the
 * KAUTH_VNODE_WRITE_SECURITY bit (and no others) to indicate that the
 * caller wishes to change one or more of the immutable flags, and the
 * state of these flags should not be considered when authorizing the request.
 * The system immutable flags are only ignored when the system securelevel
 * is low enough to allow their removal.
 */
#define KAUTH_VNODE_NOIMMUTABLE                 (1U<<30)


/*
 * Fake right composed of the following: the vnode must have SEARCH allowed
 * for owner, group and world, and there must be no DENY entries for SEARCH.
 * The fast lookup path uses this right to avoid checking for an exact match
 * on the last credential that looked up the component being acted on.
 */
#define KAUTH_VNODE_SEARCHBYANYONE              (1U<<29)


/*
 * When passed as an 'action' to "vnode_uncache_authorized_actions" it
 * indicates that all of the cached authorizations for that vnode should be
 * invalidated.  kauth_action_t is int, so this is every bit set (-1).
 */
#define KAUTH_INVALIDATE_CACHED_RIGHTS          ((kauth_action_t)~0)
702 
703 
704 
/*
 * The expansions of the GENERIC bits at evaluation time.  These are the
 * values a vnode-scope caller places in kauth_acl_eval's ae_exp_g* fields.
 */
#define KAUTH_VNODE_GENERIC_READ_BITS   (KAUTH_VNODE_READ_DATA |                \
	                                KAUTH_VNODE_READ_ATTRIBUTES |           \
	                                KAUTH_VNODE_READ_EXTATTRIBUTES |        \
	                                KAUTH_VNODE_READ_SECURITY)

#define KAUTH_VNODE_GENERIC_WRITE_BITS  (KAUTH_VNODE_WRITE_DATA |               \
	                                KAUTH_VNODE_APPEND_DATA |               \
	                                KAUTH_VNODE_DELETE |                    \
	                                KAUTH_VNODE_DELETE_CHILD |              \
	                                KAUTH_VNODE_WRITE_ATTRIBUTES |          \
	                                KAUTH_VNODE_WRITE_EXTATTRIBUTES |       \
	                                KAUTH_VNODE_WRITE_SECURITY)

#define KAUTH_VNODE_GENERIC_EXECUTE_BITS (KAUTH_VNODE_EXECUTE)

#define KAUTH_VNODE_GENERIC_ALL_BITS    (KAUTH_VNODE_GENERIC_READ_BITS |        \
	                                KAUTH_VNODE_GENERIC_WRITE_BITS |        \
	                                KAUTH_VNODE_GENERIC_EXECUTE_BITS)

/*
 * Some sets of bits, defined here for convenience.
 *
 * Note that KAUTH_VNODE_WRITE_RIGHTS is a set of *actions* that modify the
 * object: besides the write rights bits it includes TAKE_OWNERSHIP,
 * LINKTARGET and CHECKIMMUTABLE, the last two of which are declared above
 * as actions that are never expressed as ACE rights bits.  It is therefore
 * a mask for classifying requested actions, not one to store in an ACE.
 */
#define KAUTH_VNODE_WRITE_RIGHTS        (KAUTH_VNODE_ADD_FILE |                         \
	                                KAUTH_VNODE_ADD_SUBDIRECTORY |                  \
	                                KAUTH_VNODE_DELETE_CHILD |                      \
	                                KAUTH_VNODE_WRITE_DATA |                        \
	                                KAUTH_VNODE_APPEND_DATA |                       \
	                                KAUTH_VNODE_DELETE |                            \
	                                KAUTH_VNODE_WRITE_ATTRIBUTES |                  \
	                                KAUTH_VNODE_WRITE_EXTATTRIBUTES |               \
	                                KAUTH_VNODE_WRITE_SECURITY |                    \
	                                KAUTH_VNODE_TAKE_OWNERSHIP |                    \
	                                KAUTH_VNODE_LINKTARGET |                        \
	                                KAUTH_VNODE_CHECKIMMUTABLE)
740 
741 
742 #endif /* KERNEL || <sys/acl.h> */
743 
744 #ifdef KERNEL
745 #include <sys/lock.h>   /* lck_grp_t */
746 
747 /*
748  * Debugging
749  *
750  * XXX this wouldn't be necessary if we had a *real* debug-logging system.
751  */
752 #if 0
753 # ifndef _FN_KPRINTF
754 #  define       _FN_KPRINTF
755 void kprintf(const char *fmt, ...) __printflike(1, 2);
756 # endif /* !_FN_KPRINTF */
757 # define KAUTH_DEBUG_ENABLE
758 # define K_UUID_FMT "%08x:%08x:%08x:%08x"
759 # define K_UUID_ARG(_u) &_u.g_guid_asint[0],&_u.g_guid_asint[1],&_u.g_guid_asint[2],&_u.g_guid_asint[3]
760 # define KAUTH_DEBUG(fmt, args...)      do { kprintf("%s:%d: " fmt "\n", __PRETTY_FUNCTION__, __LINE__ , ##args); } while (0)
761 # define KAUTH_DEBUG_CTX(_c)            KAUTH_DEBUG("p = %p c = %p", _c->vc_proc, _c->vc_ucred)
762 # define VFS_DEBUG(_ctx, _vp, fmt, args...)                                             \
763 	do {                                                                            \
764 	        kprintf("%p '%s' %s:%d " fmt "\n",                                      \
765 	            _ctx,                                                               \
766 	            (_vp != NULL && _vp->v_name != NULL) ? _vp->v_name : "????",        \
767 	            __PRETTY_FUNCTION__, __LINE__ ,                                     \
768 	            ##args);                                                            \
769 	} while(0)
770 #else   /* !0 */
771 # define KAUTH_DEBUG(fmt, args...)              do { } while (0)
772 # define VFS_DEBUG(ctx, vp, fmt, args...)       do { } while(0)
773 #endif  /* !0 */
774 
775 /*
776  * Initialisation.
777  */
778 #ifdef XNU_KERNEL_PRIVATE
779 __BEGIN_DECLS
780 
/* Lock group shared by the kauth locks; defined in the implementation. */
extern lck_grp_t kauth_lck_grp;

/* One-time subsystem initialisation, called during kernel bootstrap. */
extern void     kauth_init(void);

#if CONFIG_EXT_RESOLVER
/* Forget the registered external resolver identity (e.g. when the daemon goes away) — presumably; confirm. */
extern void     kauth_resolver_identity_reset(void);
#endif
788 __END_DECLS
789 #endif /* XNU_KERNEL_PRIVATE */
790 
791 #endif  /* KERNEL */
792 
793 #endif /* __APPLE_API_EVOLVING */
794 #endif /* _SYS_KAUTH_H */