1*c54f35caSApple OSS Distributions /*
2*c54f35caSApple OSS Distributions * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
3*c54f35caSApple OSS Distributions *
4*c54f35caSApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5*c54f35caSApple OSS Distributions *
6*c54f35caSApple OSS Distributions * This file contains Original Code and/or Modifications of Original Code
7*c54f35caSApple OSS Distributions * as defined in and that are subject to the Apple Public Source License
8*c54f35caSApple OSS Distributions * Version 2.0 (the 'License'). You may not use this file except in
9*c54f35caSApple OSS Distributions * compliance with the License. The rights granted to you under the License
10*c54f35caSApple OSS Distributions * may not be used to create, or enable the creation or redistribution of,
11*c54f35caSApple OSS Distributions * unlawful or unlicensed copies of an Apple operating system, or to
12*c54f35caSApple OSS Distributions * circumvent, violate, or enable the circumvention or violation of, any
13*c54f35caSApple OSS Distributions * terms of an Apple operating system software license agreement.
14*c54f35caSApple OSS Distributions *
15*c54f35caSApple OSS Distributions * Please obtain a copy of the License at
16*c54f35caSApple OSS Distributions * http://www.opensource.apple.com/apsl/ and read it before using this file.
17*c54f35caSApple OSS Distributions *
18*c54f35caSApple OSS Distributions * The Original Code and all software distributed under the License are
19*c54f35caSApple OSS Distributions * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20*c54f35caSApple OSS Distributions * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21*c54f35caSApple OSS Distributions * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22*c54f35caSApple OSS Distributions * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23*c54f35caSApple OSS Distributions * Please see the License for the specific language governing rights and
24*c54f35caSApple OSS Distributions * limitations under the License.
25*c54f35caSApple OSS Distributions *
26*c54f35caSApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27*c54f35caSApple OSS Distributions */
28*c54f35caSApple OSS Distributions
29*c54f35caSApple OSS Distributions /*-
30*c54f35caSApple OSS Distributions * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
31*c54f35caSApple OSS Distributions * Copyright (c) 2001 Ilmar S. Habibulin
32*c54f35caSApple OSS Distributions * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc.
33*c54f35caSApple OSS Distributions *
34*c54f35caSApple OSS Distributions * This software was developed by Robert Watson and Ilmar Habibulin for the
35*c54f35caSApple OSS Distributions * TrustedBSD Project.
36*c54f35caSApple OSS Distributions *
37*c54f35caSApple OSS Distributions * This software was developed for the FreeBSD Project in part by Network
38*c54f35caSApple OSS Distributions * Associates Laboratories, the Security Research Division of Network
39*c54f35caSApple OSS Distributions * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
40*c54f35caSApple OSS Distributions * as part of the DARPA CHATS research program.
41*c54f35caSApple OSS Distributions *
42*c54f35caSApple OSS Distributions * Redistribution and use in source and binary forms, with or without
43*c54f35caSApple OSS Distributions * modification, are permitted provided that the following conditions
44*c54f35caSApple OSS Distributions * are met:
45*c54f35caSApple OSS Distributions * 1. Redistributions of source code must retain the above copyright
46*c54f35caSApple OSS Distributions * notice, this list of conditions and the following disclaimer.
47*c54f35caSApple OSS Distributions * 2. Redistributions in binary form must reproduce the above copyright
48*c54f35caSApple OSS Distributions * notice, this list of conditions and the following disclaimer in the
49*c54f35caSApple OSS Distributions * documentation and/or other materials provided with the distribution.
50*c54f35caSApple OSS Distributions *
51*c54f35caSApple OSS Distributions * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
52*c54f35caSApple OSS Distributions * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
53*c54f35caSApple OSS Distributions * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
54*c54f35caSApple OSS Distributions * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
55*c54f35caSApple OSS Distributions * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
56*c54f35caSApple OSS Distributions * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
57*c54f35caSApple OSS Distributions * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
58*c54f35caSApple OSS Distributions * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
59*c54f35caSApple OSS Distributions * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
60*c54f35caSApple OSS Distributions * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
61*c54f35caSApple OSS Distributions * SUCH DAMAGE.
62*c54f35caSApple OSS Distributions *
63*c54f35caSApple OSS Distributions */
64*c54f35caSApple OSS Distributions
65*c54f35caSApple OSS Distributions #include <string.h>
66*c54f35caSApple OSS Distributions #include <sys/param.h>
67*c54f35caSApple OSS Distributions #include <sys/ucred.h>
68*c54f35caSApple OSS Distributions #include <sys/malloc.h>
69*c54f35caSApple OSS Distributions #include <sys/sbuf.h>
70*c54f35caSApple OSS Distributions #include <sys/vnode.h>
71*c54f35caSApple OSS Distributions #include <sys/proc.h>
72*c54f35caSApple OSS Distributions #include <sys/proc_internal.h>
73*c54f35caSApple OSS Distributions #include <sys/kauth.h>
74*c54f35caSApple OSS Distributions #include <sys/imgact.h>
75*c54f35caSApple OSS Distributions #include <sys/reason.h>
76*c54f35caSApple OSS Distributions #include <sys/vnode_internal.h>
77*c54f35caSApple OSS Distributions #include <mach/mach_types.h>
78*c54f35caSApple OSS Distributions #include <kern/task.h>
79*c54f35caSApple OSS Distributions #include <kern/zalloc.h>
80*c54f35caSApple OSS Distributions
81*c54f35caSApple OSS Distributions #include <os/hash.h>
82*c54f35caSApple OSS Distributions
83*c54f35caSApple OSS Distributions #include <security/mac_internal.h>
84*c54f35caSApple OSS Distributions #include <security/mac_mach_internal.h>
85*c54f35caSApple OSS Distributions
86*c54f35caSApple OSS Distributions #include <bsd/security/audit/audit.h>
87*c54f35caSApple OSS Distributions
88*c54f35caSApple OSS Distributions #include <os/log.h>
89*c54f35caSApple OSS Distributions #include <kern/cs_blobs.h>
90*c54f35caSApple OSS Distributions #include <sys/spawn.h>
91*c54f35caSApple OSS Distributions #include <sys/spawn_internal.h>
92*c54f35caSApple OSS Distributions
93*c54f35caSApple OSS Distributions struct label *
mac_cred_label_alloc(void)94*c54f35caSApple OSS Distributions mac_cred_label_alloc(void)
95*c54f35caSApple OSS Distributions {
96*c54f35caSApple OSS Distributions struct label *label;
97*c54f35caSApple OSS Distributions
98*c54f35caSApple OSS Distributions label = mac_labelzone_alloc(MAC_WAITOK);
99*c54f35caSApple OSS Distributions if (label == NULL) {
100*c54f35caSApple OSS Distributions return NULL;
101*c54f35caSApple OSS Distributions }
102*c54f35caSApple OSS Distributions MAC_PERFORM(cred_label_init, label);
103*c54f35caSApple OSS Distributions return label;
104*c54f35caSApple OSS Distributions }
105*c54f35caSApple OSS Distributions
106*c54f35caSApple OSS Distributions void
mac_cred_label_init(struct ucred * cred)107*c54f35caSApple OSS Distributions mac_cred_label_init(struct ucred *cred)
108*c54f35caSApple OSS Distributions {
109*c54f35caSApple OSS Distributions cred->cr_label = mac_cred_label_alloc();
110*c54f35caSApple OSS Distributions }
111*c54f35caSApple OSS Distributions
112*c54f35caSApple OSS Distributions void
mac_cred_label_free(struct label * label)113*c54f35caSApple OSS Distributions mac_cred_label_free(struct label *label)
114*c54f35caSApple OSS Distributions {
115*c54f35caSApple OSS Distributions MAC_PERFORM(cred_label_destroy, label);
116*c54f35caSApple OSS Distributions mac_labelzone_free(label);
117*c54f35caSApple OSS Distributions }
118*c54f35caSApple OSS Distributions
119*c54f35caSApple OSS Distributions struct label *
mac_cred_label(struct ucred * cred)120*c54f35caSApple OSS Distributions mac_cred_label(struct ucred *cred)
121*c54f35caSApple OSS Distributions {
122*c54f35caSApple OSS Distributions return cred->cr_label;
123*c54f35caSApple OSS Distributions }
124*c54f35caSApple OSS Distributions
125*c54f35caSApple OSS Distributions bool
mac_cred_label_is_equal(const struct label * a,const struct label * b)126*c54f35caSApple OSS Distributions mac_cred_label_is_equal(const struct label *a, const struct label *b)
127*c54f35caSApple OSS Distributions {
128*c54f35caSApple OSS Distributions return memcmp(a->l_perpolicy, b->l_perpolicy, sizeof(a->l_perpolicy)) == 0;
129*c54f35caSApple OSS Distributions }
130*c54f35caSApple OSS Distributions
131*c54f35caSApple OSS Distributions uint32_t
mac_cred_label_hash_update(const struct label * a,uint32_t hash)132*c54f35caSApple OSS Distributions mac_cred_label_hash_update(const struct label *a, uint32_t hash)
133*c54f35caSApple OSS Distributions {
134*c54f35caSApple OSS Distributions return os_hash_jenkins_update(a->l_perpolicy, sizeof(a->l_perpolicy), hash);
135*c54f35caSApple OSS Distributions }
136*c54f35caSApple OSS Distributions
137*c54f35caSApple OSS Distributions int
mac_cred_label_externalize_audit(struct proc * p,struct mac * mac)138*c54f35caSApple OSS Distributions mac_cred_label_externalize_audit(struct proc *p, struct mac *mac)
139*c54f35caSApple OSS Distributions {
140*c54f35caSApple OSS Distributions kauth_cred_t cr;
141*c54f35caSApple OSS Distributions int error;
142*c54f35caSApple OSS Distributions
143*c54f35caSApple OSS Distributions cr = kauth_cred_proc_ref(p);
144*c54f35caSApple OSS Distributions
145*c54f35caSApple OSS Distributions error = MAC_EXTERNALIZE_AUDIT(cred, mac_cred_label(cr),
146*c54f35caSApple OSS Distributions mac->m_string, mac->m_buflen);
147*c54f35caSApple OSS Distributions
148*c54f35caSApple OSS Distributions kauth_cred_unref(&cr);
149*c54f35caSApple OSS Distributions return error;
150*c54f35caSApple OSS Distributions }
151*c54f35caSApple OSS Distributions
152*c54f35caSApple OSS Distributions void
mac_cred_label_destroy(kauth_cred_t cred)153*c54f35caSApple OSS Distributions mac_cred_label_destroy(kauth_cred_t cred)
154*c54f35caSApple OSS Distributions {
155*c54f35caSApple OSS Distributions struct label *label = mac_cred_label(cred);
156*c54f35caSApple OSS Distributions cred->cr_label = NULL;
157*c54f35caSApple OSS Distributions mac_cred_label_free(label);
158*c54f35caSApple OSS Distributions }
159*c54f35caSApple OSS Distributions
160*c54f35caSApple OSS Distributions int
mac_cred_label_externalize(struct label * label,char * elements,char * outbuf,size_t outbuflen,int flags __unused)161*c54f35caSApple OSS Distributions mac_cred_label_externalize(struct label *label, char *elements,
162*c54f35caSApple OSS Distributions char *outbuf, size_t outbuflen, int flags __unused)
163*c54f35caSApple OSS Distributions {
164*c54f35caSApple OSS Distributions int error = 0;
165*c54f35caSApple OSS Distributions
166*c54f35caSApple OSS Distributions error = MAC_EXTERNALIZE(cred, label, elements, outbuf, outbuflen);
167*c54f35caSApple OSS Distributions
168*c54f35caSApple OSS Distributions return error;
169*c54f35caSApple OSS Distributions }
170*c54f35caSApple OSS Distributions
171*c54f35caSApple OSS Distributions int
mac_cred_label_internalize(struct label * label,char * string)172*c54f35caSApple OSS Distributions mac_cred_label_internalize(struct label *label, char *string)
173*c54f35caSApple OSS Distributions {
174*c54f35caSApple OSS Distributions int error;
175*c54f35caSApple OSS Distributions
176*c54f35caSApple OSS Distributions error = MAC_INTERNALIZE(cred, label, string);
177*c54f35caSApple OSS Distributions
178*c54f35caSApple OSS Distributions return error;
179*c54f35caSApple OSS Distributions }
180*c54f35caSApple OSS Distributions
181*c54f35caSApple OSS Distributions /*
182*c54f35caSApple OSS Distributions * By default, fork just adds a reference to the parent
183*c54f35caSApple OSS Distributions * credential. Policies may need to know about this reference
184*c54f35caSApple OSS Distributions * if they are tracking exit calls to know when to free the
185*c54f35caSApple OSS Distributions * label.
186*c54f35caSApple OSS Distributions */
187*c54f35caSApple OSS Distributions void
mac_cred_label_associate_fork(kauth_cred_t cred,proc_t proc)188*c54f35caSApple OSS Distributions mac_cred_label_associate_fork(kauth_cred_t cred, proc_t proc)
189*c54f35caSApple OSS Distributions {
190*c54f35caSApple OSS Distributions MAC_PERFORM(cred_label_associate_fork, cred, proc);
191*c54f35caSApple OSS Distributions }
192*c54f35caSApple OSS Distributions
193*c54f35caSApple OSS Distributions /*
194*c54f35caSApple OSS Distributions * Initialize MAC label for the first kernel process, from which other
195*c54f35caSApple OSS Distributions * kernel processes and threads are spawned.
196*c54f35caSApple OSS Distributions */
197*c54f35caSApple OSS Distributions void
mac_cred_label_associate_kernel(kauth_cred_t cred)198*c54f35caSApple OSS Distributions mac_cred_label_associate_kernel(kauth_cred_t cred)
199*c54f35caSApple OSS Distributions {
200*c54f35caSApple OSS Distributions MAC_PERFORM(cred_label_associate_kernel, cred);
201*c54f35caSApple OSS Distributions }
202*c54f35caSApple OSS Distributions
203*c54f35caSApple OSS Distributions /*
204*c54f35caSApple OSS Distributions * Initialize MAC label for the first userland process, from which other
205*c54f35caSApple OSS Distributions * userland processes and threads are spawned.
206*c54f35caSApple OSS Distributions */
207*c54f35caSApple OSS Distributions void
mac_cred_label_associate_user(kauth_cred_t cred)208*c54f35caSApple OSS Distributions mac_cred_label_associate_user(kauth_cred_t cred)
209*c54f35caSApple OSS Distributions {
210*c54f35caSApple OSS Distributions MAC_PERFORM(cred_label_associate_user, cred);
211*c54f35caSApple OSS Distributions }
212*c54f35caSApple OSS Distributions
213*c54f35caSApple OSS Distributions /*
214*c54f35caSApple OSS Distributions * When a new process is created, its label must be initialized. Generally,
215*c54f35caSApple OSS Distributions * this involves inheritence from the parent process, modulo possible
216*c54f35caSApple OSS Distributions * deltas. This function allows that processing to take place.
217*c54f35caSApple OSS Distributions */
218*c54f35caSApple OSS Distributions void
mac_cred_label_associate(struct ucred * parent_cred,struct ucred * child_cred)219*c54f35caSApple OSS Distributions mac_cred_label_associate(struct ucred *parent_cred, struct ucred *child_cred)
220*c54f35caSApple OSS Distributions {
221*c54f35caSApple OSS Distributions MAC_PERFORM(cred_label_associate, parent_cred, child_cred);
222*c54f35caSApple OSS Distributions }
223*c54f35caSApple OSS Distributions
224*c54f35caSApple OSS Distributions int
mac_execve_enter(user_addr_t mac_p,struct image_params * imgp)225*c54f35caSApple OSS Distributions mac_execve_enter(user_addr_t mac_p, struct image_params *imgp)
226*c54f35caSApple OSS Distributions {
227*c54f35caSApple OSS Distributions if (mac_p == USER_ADDR_NULL) {
228*c54f35caSApple OSS Distributions return 0;
229*c54f35caSApple OSS Distributions }
230*c54f35caSApple OSS Distributions
231*c54f35caSApple OSS Distributions return mac_do_set(current_proc(), mac_p,
232*c54f35caSApple OSS Distributions ^(char *input, __unused size_t len) {
233*c54f35caSApple OSS Distributions struct label *execlabel;
234*c54f35caSApple OSS Distributions int error;
235*c54f35caSApple OSS Distributions
236*c54f35caSApple OSS Distributions execlabel = mac_cred_label_alloc();
237*c54f35caSApple OSS Distributions if ((error = mac_cred_label_internalize(execlabel, input))) {
238*c54f35caSApple OSS Distributions mac_cred_label_free(execlabel);
239*c54f35caSApple OSS Distributions execlabel = NULL;
240*c54f35caSApple OSS Distributions }
241*c54f35caSApple OSS Distributions
242*c54f35caSApple OSS Distributions imgp->ip_execlabelp = execlabel;
243*c54f35caSApple OSS Distributions return error;
244*c54f35caSApple OSS Distributions });
245*c54f35caSApple OSS Distributions }
246*c54f35caSApple OSS Distributions
247*c54f35caSApple OSS Distributions /*
248*c54f35caSApple OSS Distributions * When the subject's label changes, it may require revocation of privilege
249*c54f35caSApple OSS Distributions * to mapped objects. This can't be done on-the-fly later with a unified
250*c54f35caSApple OSS Distributions * buffer cache.
251*c54f35caSApple OSS Distributions *
252*c54f35caSApple OSS Distributions * XXX: CRF_MAC_ENFORCE should be in a kauth_cred_t field, rather
253*c54f35caSApple OSS Distributions * XXX: than a posix_cred_t field.
254*c54f35caSApple OSS Distributions */
255*c54f35caSApple OSS Distributions void
mac_cred_label_update(kauth_cred_t cred,struct label * newlabel)256*c54f35caSApple OSS Distributions mac_cred_label_update(kauth_cred_t cred, struct label *newlabel)
257*c54f35caSApple OSS Distributions {
258*c54f35caSApple OSS Distributions posix_cred_t pcred = posix_cred_get(cred);
259*c54f35caSApple OSS Distributions
260*c54f35caSApple OSS Distributions /* force label to be part of "matching" for credential */
261*c54f35caSApple OSS Distributions pcred->cr_flags |= CRF_MAC_ENFORCE;
262*c54f35caSApple OSS Distributions
263*c54f35caSApple OSS Distributions /* inform the policies of the update */
264*c54f35caSApple OSS Distributions MAC_PERFORM(cred_label_update, cred, newlabel);
265*c54f35caSApple OSS Distributions }
266*c54f35caSApple OSS Distributions
267*c54f35caSApple OSS Distributions int
mac_cred_check_label_update(kauth_cred_t cred,struct label * newlabel)268*c54f35caSApple OSS Distributions mac_cred_check_label_update(kauth_cred_t cred, struct label *newlabel)
269*c54f35caSApple OSS Distributions {
270*c54f35caSApple OSS Distributions int error;
271*c54f35caSApple OSS Distributions
272*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
273*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
274*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
275*c54f35caSApple OSS Distributions return 0;
276*c54f35caSApple OSS Distributions }
277*c54f35caSApple OSS Distributions #endif
278*c54f35caSApple OSS Distributions
279*c54f35caSApple OSS Distributions MAC_CHECK(cred_check_label_update, cred, newlabel);
280*c54f35caSApple OSS Distributions
281*c54f35caSApple OSS Distributions return error;
282*c54f35caSApple OSS Distributions }
283*c54f35caSApple OSS Distributions
284*c54f35caSApple OSS Distributions int
mac_cred_check_visible(kauth_cred_t u1,kauth_cred_t u2)285*c54f35caSApple OSS Distributions mac_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2)
286*c54f35caSApple OSS Distributions {
287*c54f35caSApple OSS Distributions int error;
288*c54f35caSApple OSS Distributions
289*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
290*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
291*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
292*c54f35caSApple OSS Distributions return 0;
293*c54f35caSApple OSS Distributions }
294*c54f35caSApple OSS Distributions #endif
295*c54f35caSApple OSS Distributions
296*c54f35caSApple OSS Distributions MAC_CHECK(cred_check_visible, u1, u2);
297*c54f35caSApple OSS Distributions
298*c54f35caSApple OSS Distributions return error;
299*c54f35caSApple OSS Distributions }
300*c54f35caSApple OSS Distributions
301*c54f35caSApple OSS Distributions int
mac_proc_check_debug(proc_ident_t tracing_ident,kauth_cred_t tracing_cred,proc_ident_t traced_ident)302*c54f35caSApple OSS Distributions mac_proc_check_debug(proc_ident_t tracing_ident, kauth_cred_t tracing_cred, proc_ident_t traced_ident)
303*c54f35caSApple OSS Distributions {
304*c54f35caSApple OSS Distributions int error;
305*c54f35caSApple OSS Distributions bool enforce;
306*c54f35caSApple OSS Distributions proc_t tracingp;
307*c54f35caSApple OSS Distributions
308*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
309*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
310*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
311*c54f35caSApple OSS Distributions return 0;
312*c54f35caSApple OSS Distributions }
313*c54f35caSApple OSS Distributions #endif
314*c54f35caSApple OSS Distributions /*
315*c54f35caSApple OSS Distributions * Once all mac hooks adopt proc_ident_t, finding proc_t and releasing
316*c54f35caSApple OSS Distributions * it below should go to mac_proc_check_enforce().
317*c54f35caSApple OSS Distributions */
318*c54f35caSApple OSS Distributions if ((tracingp = proc_find_ident(tracing_ident)) == PROC_NULL) {
319*c54f35caSApple OSS Distributions return ESRCH;
320*c54f35caSApple OSS Distributions }
321*c54f35caSApple OSS Distributions enforce = mac_proc_check_enforce(tracingp);
322*c54f35caSApple OSS Distributions proc_rele(tracingp);
323*c54f35caSApple OSS Distributions
324*c54f35caSApple OSS Distributions if (!enforce) {
325*c54f35caSApple OSS Distributions return 0;
326*c54f35caSApple OSS Distributions }
327*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_debug, tracing_cred, traced_ident);
328*c54f35caSApple OSS Distributions
329*c54f35caSApple OSS Distributions return error;
330*c54f35caSApple OSS Distributions }
331*c54f35caSApple OSS Distributions
332*c54f35caSApple OSS Distributions int
mac_proc_check_dump_core(struct proc * proc)333*c54f35caSApple OSS Distributions mac_proc_check_dump_core(struct proc *proc)
334*c54f35caSApple OSS Distributions {
335*c54f35caSApple OSS Distributions int error;
336*c54f35caSApple OSS Distributions
337*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
338*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
339*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
340*c54f35caSApple OSS Distributions return 0;
341*c54f35caSApple OSS Distributions }
342*c54f35caSApple OSS Distributions #endif
343*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(proc)) {
344*c54f35caSApple OSS Distributions return 0;
345*c54f35caSApple OSS Distributions }
346*c54f35caSApple OSS Distributions
347*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_dump_core, proc);
348*c54f35caSApple OSS Distributions
349*c54f35caSApple OSS Distributions return error;
350*c54f35caSApple OSS Distributions }
351*c54f35caSApple OSS Distributions
352*c54f35caSApple OSS Distributions int
mac_proc_check_remote_thread_create(struct task * task,int flavor,thread_state_t new_state,mach_msg_type_number_t new_state_count)353*c54f35caSApple OSS Distributions mac_proc_check_remote_thread_create(struct task *task, int flavor, thread_state_t new_state, mach_msg_type_number_t new_state_count)
354*c54f35caSApple OSS Distributions {
355*c54f35caSApple OSS Distributions proc_t curp = current_proc();
356*c54f35caSApple OSS Distributions proc_t proc;
357*c54f35caSApple OSS Distributions kauth_cred_t cred;
358*c54f35caSApple OSS Distributions int error;
359*c54f35caSApple OSS Distributions
360*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
361*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
362*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
363*c54f35caSApple OSS Distributions return 0;
364*c54f35caSApple OSS Distributions }
365*c54f35caSApple OSS Distributions #endif
366*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
367*c54f35caSApple OSS Distributions return 0;
368*c54f35caSApple OSS Distributions }
369*c54f35caSApple OSS Distributions
370*c54f35caSApple OSS Distributions proc = proc_find(task_pid(task));
371*c54f35caSApple OSS Distributions if (proc == PROC_NULL) {
372*c54f35caSApple OSS Distributions return ESRCH;
373*c54f35caSApple OSS Distributions }
374*c54f35caSApple OSS Distributions
375*c54f35caSApple OSS Distributions cred = kauth_cred_proc_ref(curp);
376*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_remote_thread_create, cred, proc, flavor, new_state, new_state_count);
377*c54f35caSApple OSS Distributions kauth_cred_unref(&cred);
378*c54f35caSApple OSS Distributions proc_rele(proc);
379*c54f35caSApple OSS Distributions
380*c54f35caSApple OSS Distributions return error;
381*c54f35caSApple OSS Distributions }
382*c54f35caSApple OSS Distributions
383*c54f35caSApple OSS Distributions int
mac_proc_check_fork(proc_t curp)384*c54f35caSApple OSS Distributions mac_proc_check_fork(proc_t curp)
385*c54f35caSApple OSS Distributions {
386*c54f35caSApple OSS Distributions kauth_cred_t cred;
387*c54f35caSApple OSS Distributions int error;
388*c54f35caSApple OSS Distributions
389*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
390*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
391*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
392*c54f35caSApple OSS Distributions return 0;
393*c54f35caSApple OSS Distributions }
394*c54f35caSApple OSS Distributions #endif
395*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
396*c54f35caSApple OSS Distributions return 0;
397*c54f35caSApple OSS Distributions }
398*c54f35caSApple OSS Distributions
399*c54f35caSApple OSS Distributions cred = kauth_cred_proc_ref(curp);
400*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_fork, cred, curp);
401*c54f35caSApple OSS Distributions kauth_cred_unref(&cred);
402*c54f35caSApple OSS Distributions
403*c54f35caSApple OSS Distributions return error;
404*c54f35caSApple OSS Distributions }
405*c54f35caSApple OSS Distributions
406*c54f35caSApple OSS Distributions int
mac_proc_check_get_task(struct ucred * cred,proc_ident_t pident,mach_task_flavor_t flavor)407*c54f35caSApple OSS Distributions mac_proc_check_get_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
408*c54f35caSApple OSS Distributions {
409*c54f35caSApple OSS Distributions int error;
410*c54f35caSApple OSS Distributions
411*c54f35caSApple OSS Distributions assert(flavor <= TASK_FLAVOR_NAME);
412*c54f35caSApple OSS Distributions
413*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_get_task_with_flavor, cred, pident, flavor);
414*c54f35caSApple OSS Distributions
415*c54f35caSApple OSS Distributions return error;
416*c54f35caSApple OSS Distributions }
417*c54f35caSApple OSS Distributions
418*c54f35caSApple OSS Distributions int
mac_proc_check_expose_task(struct ucred * cred,proc_ident_t pident,mach_task_flavor_t flavor)419*c54f35caSApple OSS Distributions mac_proc_check_expose_task(struct ucred *cred, proc_ident_t pident, mach_task_flavor_t flavor)
420*c54f35caSApple OSS Distributions {
421*c54f35caSApple OSS Distributions int error;
422*c54f35caSApple OSS Distributions
423*c54f35caSApple OSS Distributions assert(flavor <= TASK_FLAVOR_NAME);
424*c54f35caSApple OSS Distributions
425*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_expose_task_with_flavor, cred, pident, flavor);
426*c54f35caSApple OSS Distributions
427*c54f35caSApple OSS Distributions return error;
428*c54f35caSApple OSS Distributions }
429*c54f35caSApple OSS Distributions
430*c54f35caSApple OSS Distributions int
mac_proc_check_inherit_ipc_ports(struct proc * p,struct vnode * cur_vp,off_t cur_offset,struct vnode * img_vp,off_t img_offset,struct vnode * scriptvp)431*c54f35caSApple OSS Distributions mac_proc_check_inherit_ipc_ports(
432*c54f35caSApple OSS Distributions struct proc *p,
433*c54f35caSApple OSS Distributions struct vnode *cur_vp,
434*c54f35caSApple OSS Distributions off_t cur_offset,
435*c54f35caSApple OSS Distributions struct vnode *img_vp,
436*c54f35caSApple OSS Distributions off_t img_offset,
437*c54f35caSApple OSS Distributions struct vnode *scriptvp)
438*c54f35caSApple OSS Distributions {
439*c54f35caSApple OSS Distributions int error;
440*c54f35caSApple OSS Distributions
441*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_inherit_ipc_ports, p, cur_vp, cur_offset, img_vp, img_offset, scriptvp);
442*c54f35caSApple OSS Distributions
443*c54f35caSApple OSS Distributions return error;
444*c54f35caSApple OSS Distributions }
445*c54f35caSApple OSS Distributions
446*c54f35caSApple OSS Distributions /*
447*c54f35caSApple OSS Distributions * The type of maxprot in proc_check_map_anon must be equivalent to vm_prot_t
448*c54f35caSApple OSS Distributions * (defined in <mach/vm_prot.h>). mac_policy.h does not include any header
449*c54f35caSApple OSS Distributions * files, so cannot use the typedef itself.
450*c54f35caSApple OSS Distributions */
451*c54f35caSApple OSS Distributions int
mac_proc_check_map_anon(proc_t proc,user_addr_t u_addr,user_size_t u_size,int prot,int flags,int * maxprot)452*c54f35caSApple OSS Distributions mac_proc_check_map_anon(proc_t proc, user_addr_t u_addr,
453*c54f35caSApple OSS Distributions user_size_t u_size, int prot, int flags, int *maxprot)
454*c54f35caSApple OSS Distributions {
455*c54f35caSApple OSS Distributions kauth_cred_t cred;
456*c54f35caSApple OSS Distributions int error;
457*c54f35caSApple OSS Distributions
458*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
459*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
460*c54f35caSApple OSS Distributions if (!mac_vm_enforce) {
461*c54f35caSApple OSS Distributions return 0;
462*c54f35caSApple OSS Distributions }
463*c54f35caSApple OSS Distributions #endif
464*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(proc)) {
465*c54f35caSApple OSS Distributions return 0;
466*c54f35caSApple OSS Distributions }
467*c54f35caSApple OSS Distributions
468*c54f35caSApple OSS Distributions cred = kauth_cred_proc_ref(proc);
469*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_map_anon, proc, cred, u_addr, u_size, prot, flags, maxprot);
470*c54f35caSApple OSS Distributions kauth_cred_unref(&cred);
471*c54f35caSApple OSS Distributions
472*c54f35caSApple OSS Distributions return error;
473*c54f35caSApple OSS Distributions }
474*c54f35caSApple OSS Distributions
475*c54f35caSApple OSS Distributions
476*c54f35caSApple OSS Distributions int
mac_proc_check_memorystatus_control(proc_t proc,uint32_t command,pid_t pid)477*c54f35caSApple OSS Distributions mac_proc_check_memorystatus_control(proc_t proc, uint32_t command, pid_t pid)
478*c54f35caSApple OSS Distributions {
479*c54f35caSApple OSS Distributions kauth_cred_t cred;
480*c54f35caSApple OSS Distributions int error;
481*c54f35caSApple OSS Distributions
482*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
483*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
484*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
485*c54f35caSApple OSS Distributions return 0;
486*c54f35caSApple OSS Distributions }
487*c54f35caSApple OSS Distributions #endif
488*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(proc)) {
489*c54f35caSApple OSS Distributions return 0;
490*c54f35caSApple OSS Distributions }
491*c54f35caSApple OSS Distributions
492*c54f35caSApple OSS Distributions cred = kauth_cred_proc_ref(proc);
493*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_memorystatus_control, cred, command, pid);
494*c54f35caSApple OSS Distributions kauth_cred_unref(&cred);
495*c54f35caSApple OSS Distributions
496*c54f35caSApple OSS Distributions return error;
497*c54f35caSApple OSS Distributions }
498*c54f35caSApple OSS Distributions
499*c54f35caSApple OSS Distributions int
mac_proc_check_mprotect(proc_t proc,user_addr_t addr,user_size_t size,int prot)500*c54f35caSApple OSS Distributions mac_proc_check_mprotect(proc_t proc,
501*c54f35caSApple OSS Distributions user_addr_t addr, user_size_t size, int prot)
502*c54f35caSApple OSS Distributions {
503*c54f35caSApple OSS Distributions kauth_cred_t cred;
504*c54f35caSApple OSS Distributions int error;
505*c54f35caSApple OSS Distributions
506*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
507*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
508*c54f35caSApple OSS Distributions if (!mac_vm_enforce) {
509*c54f35caSApple OSS Distributions return 0;
510*c54f35caSApple OSS Distributions }
511*c54f35caSApple OSS Distributions #endif
512*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(proc)) {
513*c54f35caSApple OSS Distributions return 0;
514*c54f35caSApple OSS Distributions }
515*c54f35caSApple OSS Distributions
516*c54f35caSApple OSS Distributions cred = kauth_cred_proc_ref(proc);
517*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_mprotect, cred, proc, addr, size, prot);
518*c54f35caSApple OSS Distributions kauth_cred_unref(&cred);
519*c54f35caSApple OSS Distributions
520*c54f35caSApple OSS Distributions return error;
521*c54f35caSApple OSS Distributions }
522*c54f35caSApple OSS Distributions
523*c54f35caSApple OSS Distributions int
mac_proc_check_run_cs_invalid(proc_t proc)524*c54f35caSApple OSS Distributions mac_proc_check_run_cs_invalid(proc_t proc)
525*c54f35caSApple OSS Distributions {
526*c54f35caSApple OSS Distributions int error;
527*c54f35caSApple OSS Distributions
528*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
529*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
530*c54f35caSApple OSS Distributions if (!mac_vm_enforce) {
531*c54f35caSApple OSS Distributions return 0;
532*c54f35caSApple OSS Distributions }
533*c54f35caSApple OSS Distributions #endif
534*c54f35caSApple OSS Distributions
535*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_run_cs_invalid, proc);
536*c54f35caSApple OSS Distributions
537*c54f35caSApple OSS Distributions return error;
538*c54f35caSApple OSS Distributions }
539*c54f35caSApple OSS Distributions
540*c54f35caSApple OSS Distributions void
mac_proc_notify_cs_invalidated(proc_t proc)541*c54f35caSApple OSS Distributions mac_proc_notify_cs_invalidated(proc_t proc)
542*c54f35caSApple OSS Distributions {
543*c54f35caSApple OSS Distributions MAC_PERFORM(proc_notify_cs_invalidated, proc);
544*c54f35caSApple OSS Distributions }
545*c54f35caSApple OSS Distributions
546*c54f35caSApple OSS Distributions int
mac_proc_check_sched(proc_t curp,struct proc * proc)547*c54f35caSApple OSS Distributions mac_proc_check_sched(proc_t curp, struct proc *proc)
548*c54f35caSApple OSS Distributions {
549*c54f35caSApple OSS Distributions kauth_cred_t cred;
550*c54f35caSApple OSS Distributions int error;
551*c54f35caSApple OSS Distributions
552*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
553*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
554*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
555*c54f35caSApple OSS Distributions return 0;
556*c54f35caSApple OSS Distributions }
557*c54f35caSApple OSS Distributions #endif
558*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
559*c54f35caSApple OSS Distributions return 0;
560*c54f35caSApple OSS Distributions }
561*c54f35caSApple OSS Distributions
562*c54f35caSApple OSS Distributions cred = kauth_cred_proc_ref(curp);
563*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_sched, cred, proc);
564*c54f35caSApple OSS Distributions kauth_cred_unref(&cred);
565*c54f35caSApple OSS Distributions
566*c54f35caSApple OSS Distributions return error;
567*c54f35caSApple OSS Distributions }
568*c54f35caSApple OSS Distributions
569*c54f35caSApple OSS Distributions int
mac_proc_check_signal(proc_t curp,struct proc * proc,int signum)570*c54f35caSApple OSS Distributions mac_proc_check_signal(proc_t curp, struct proc *proc, int signum)
571*c54f35caSApple OSS Distributions {
572*c54f35caSApple OSS Distributions kauth_cred_t cred;
573*c54f35caSApple OSS Distributions int error;
574*c54f35caSApple OSS Distributions
575*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
576*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
577*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
578*c54f35caSApple OSS Distributions return 0;
579*c54f35caSApple OSS Distributions }
580*c54f35caSApple OSS Distributions #endif
581*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
582*c54f35caSApple OSS Distributions return 0;
583*c54f35caSApple OSS Distributions }
584*c54f35caSApple OSS Distributions
585*c54f35caSApple OSS Distributions cred = kauth_cred_proc_ref(curp);
586*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_signal, cred, proc, signum);
587*c54f35caSApple OSS Distributions kauth_cred_unref(&cred);
588*c54f35caSApple OSS Distributions
589*c54f35caSApple OSS Distributions return error;
590*c54f35caSApple OSS Distributions }
591*c54f35caSApple OSS Distributions
592*c54f35caSApple OSS Distributions int
mac_proc_check_syscall_unix(proc_t curp,int scnum)593*c54f35caSApple OSS Distributions mac_proc_check_syscall_unix(proc_t curp, int scnum)
594*c54f35caSApple OSS Distributions {
595*c54f35caSApple OSS Distributions int error;
596*c54f35caSApple OSS Distributions
597*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
598*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
599*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
600*c54f35caSApple OSS Distributions return 0;
601*c54f35caSApple OSS Distributions }
602*c54f35caSApple OSS Distributions #endif
603*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
604*c54f35caSApple OSS Distributions return 0;
605*c54f35caSApple OSS Distributions }
606*c54f35caSApple OSS Distributions
607*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_syscall_unix, curp, scnum);
608*c54f35caSApple OSS Distributions
609*c54f35caSApple OSS Distributions return error;
610*c54f35caSApple OSS Distributions }
611*c54f35caSApple OSS Distributions
612*c54f35caSApple OSS Distributions int
mac_proc_check_wait(proc_t curp,struct proc * proc)613*c54f35caSApple OSS Distributions mac_proc_check_wait(proc_t curp, struct proc *proc)
614*c54f35caSApple OSS Distributions {
615*c54f35caSApple OSS Distributions kauth_cred_t cred;
616*c54f35caSApple OSS Distributions int error;
617*c54f35caSApple OSS Distributions
618*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
619*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
620*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
621*c54f35caSApple OSS Distributions return 0;
622*c54f35caSApple OSS Distributions }
623*c54f35caSApple OSS Distributions #endif
624*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
625*c54f35caSApple OSS Distributions return 0;
626*c54f35caSApple OSS Distributions }
627*c54f35caSApple OSS Distributions
628*c54f35caSApple OSS Distributions cred = kauth_cred_proc_ref(curp);
629*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_wait, cred, proc);
630*c54f35caSApple OSS Distributions kauth_cred_unref(&cred);
631*c54f35caSApple OSS Distributions
632*c54f35caSApple OSS Distributions return error;
633*c54f35caSApple OSS Distributions }
634*c54f35caSApple OSS Distributions
635*c54f35caSApple OSS Distributions void
mac_proc_notify_exit(struct proc * proc)636*c54f35caSApple OSS Distributions mac_proc_notify_exit(struct proc *proc)
637*c54f35caSApple OSS Distributions {
638*c54f35caSApple OSS Distributions MAC_PERFORM(proc_notify_exit, proc);
639*c54f35caSApple OSS Distributions }
640*c54f35caSApple OSS Distributions
641*c54f35caSApple OSS Distributions int
mac_proc_check_suspend_resume(proc_t proc,int sr)642*c54f35caSApple OSS Distributions mac_proc_check_suspend_resume(proc_t proc, int sr)
643*c54f35caSApple OSS Distributions {
644*c54f35caSApple OSS Distributions kauth_cred_t cred;
645*c54f35caSApple OSS Distributions int error;
646*c54f35caSApple OSS Distributions
647*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
648*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
649*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
650*c54f35caSApple OSS Distributions return 0;
651*c54f35caSApple OSS Distributions }
652*c54f35caSApple OSS Distributions #endif
653*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(current_proc())) {
654*c54f35caSApple OSS Distributions return 0;
655*c54f35caSApple OSS Distributions }
656*c54f35caSApple OSS Distributions
657*c54f35caSApple OSS Distributions cred = kauth_cred_proc_ref(current_proc());
658*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_suspend_resume, cred, proc, sr);
659*c54f35caSApple OSS Distributions kauth_cred_unref(&cred);
660*c54f35caSApple OSS Distributions
661*c54f35caSApple OSS Distributions return error;
662*c54f35caSApple OSS Distributions }
663*c54f35caSApple OSS Distributions
664*c54f35caSApple OSS Distributions int
mac_proc_check_ledger(proc_t curp,proc_t proc,int ledger_op)665*c54f35caSApple OSS Distributions mac_proc_check_ledger(proc_t curp, proc_t proc, int ledger_op)
666*c54f35caSApple OSS Distributions {
667*c54f35caSApple OSS Distributions kauth_cred_t cred;
668*c54f35caSApple OSS Distributions int error = 0;
669*c54f35caSApple OSS Distributions
670*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
671*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
672*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
673*c54f35caSApple OSS Distributions return 0;
674*c54f35caSApple OSS Distributions }
675*c54f35caSApple OSS Distributions #endif
676*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
677*c54f35caSApple OSS Distributions return 0;
678*c54f35caSApple OSS Distributions }
679*c54f35caSApple OSS Distributions
680*c54f35caSApple OSS Distributions cred = kauth_cred_proc_ref(curp);
681*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_ledger, cred, proc, ledger_op);
682*c54f35caSApple OSS Distributions kauth_cred_unref(&cred);
683*c54f35caSApple OSS Distributions
684*c54f35caSApple OSS Distributions return error;
685*c54f35caSApple OSS Distributions }
686*c54f35caSApple OSS Distributions
687*c54f35caSApple OSS Distributions int
mac_proc_check_proc_info(proc_t curp,proc_t target,int callnum,int flavor)688*c54f35caSApple OSS Distributions mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum, int flavor)
689*c54f35caSApple OSS Distributions {
690*c54f35caSApple OSS Distributions kauth_cred_t cred;
691*c54f35caSApple OSS Distributions int error = 0;
692*c54f35caSApple OSS Distributions
693*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
694*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
695*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
696*c54f35caSApple OSS Distributions return 0;
697*c54f35caSApple OSS Distributions }
698*c54f35caSApple OSS Distributions #endif
699*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
700*c54f35caSApple OSS Distributions return 0;
701*c54f35caSApple OSS Distributions }
702*c54f35caSApple OSS Distributions
703*c54f35caSApple OSS Distributions cred = kauth_cred_proc_ref(curp);
704*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_proc_info, cred, target, callnum, flavor);
705*c54f35caSApple OSS Distributions kauth_cred_unref(&cred);
706*c54f35caSApple OSS Distributions
707*c54f35caSApple OSS Distributions return error;
708*c54f35caSApple OSS Distributions }
709*c54f35caSApple OSS Distributions
710*c54f35caSApple OSS Distributions int
mac_proc_check_get_cs_info(proc_t curp,proc_t target,unsigned int op)711*c54f35caSApple OSS Distributions mac_proc_check_get_cs_info(proc_t curp, proc_t target, unsigned int op)
712*c54f35caSApple OSS Distributions {
713*c54f35caSApple OSS Distributions kauth_cred_t cred;
714*c54f35caSApple OSS Distributions int error = 0;
715*c54f35caSApple OSS Distributions
716*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
717*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
718*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
719*c54f35caSApple OSS Distributions return 0;
720*c54f35caSApple OSS Distributions }
721*c54f35caSApple OSS Distributions #endif
722*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
723*c54f35caSApple OSS Distributions return 0;
724*c54f35caSApple OSS Distributions }
725*c54f35caSApple OSS Distributions
726*c54f35caSApple OSS Distributions cred = kauth_cred_proc_ref(curp);
727*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_get_cs_info, cred, target, op);
728*c54f35caSApple OSS Distributions kauth_cred_unref(&cred);
729*c54f35caSApple OSS Distributions
730*c54f35caSApple OSS Distributions return error;
731*c54f35caSApple OSS Distributions }
732*c54f35caSApple OSS Distributions
733*c54f35caSApple OSS Distributions int
mac_proc_check_set_cs_info(proc_t curp,proc_t target,unsigned int op)734*c54f35caSApple OSS Distributions mac_proc_check_set_cs_info(proc_t curp, proc_t target, unsigned int op)
735*c54f35caSApple OSS Distributions {
736*c54f35caSApple OSS Distributions kauth_cred_t cred;
737*c54f35caSApple OSS Distributions int error = 0;
738*c54f35caSApple OSS Distributions
739*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
740*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
741*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
742*c54f35caSApple OSS Distributions return 0;
743*c54f35caSApple OSS Distributions }
744*c54f35caSApple OSS Distributions #endif
745*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
746*c54f35caSApple OSS Distributions return 0;
747*c54f35caSApple OSS Distributions }
748*c54f35caSApple OSS Distributions
749*c54f35caSApple OSS Distributions cred = kauth_cred_proc_ref(curp);
750*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_set_cs_info, cred, target, op);
751*c54f35caSApple OSS Distributions kauth_cred_unref(&cred);
752*c54f35caSApple OSS Distributions
753*c54f35caSApple OSS Distributions return error;
754*c54f35caSApple OSS Distributions }
755*c54f35caSApple OSS Distributions
756*c54f35caSApple OSS Distributions int
mac_proc_check_setuid(proc_t curp,kauth_cred_t cred,uid_t uid)757*c54f35caSApple OSS Distributions mac_proc_check_setuid(proc_t curp, kauth_cred_t cred, uid_t uid)
758*c54f35caSApple OSS Distributions {
759*c54f35caSApple OSS Distributions int error = 0;
760*c54f35caSApple OSS Distributions
761*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
762*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
763*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
764*c54f35caSApple OSS Distributions return 0;
765*c54f35caSApple OSS Distributions }
766*c54f35caSApple OSS Distributions #endif
767*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
768*c54f35caSApple OSS Distributions return 0;
769*c54f35caSApple OSS Distributions }
770*c54f35caSApple OSS Distributions
771*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_setuid, cred, uid);
772*c54f35caSApple OSS Distributions
773*c54f35caSApple OSS Distributions return error;
774*c54f35caSApple OSS Distributions }
775*c54f35caSApple OSS Distributions
776*c54f35caSApple OSS Distributions int
mac_proc_check_seteuid(proc_t curp,kauth_cred_t cred,uid_t euid)777*c54f35caSApple OSS Distributions mac_proc_check_seteuid(proc_t curp, kauth_cred_t cred, uid_t euid)
778*c54f35caSApple OSS Distributions {
779*c54f35caSApple OSS Distributions int error = 0;
780*c54f35caSApple OSS Distributions
781*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
782*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
783*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
784*c54f35caSApple OSS Distributions return 0;
785*c54f35caSApple OSS Distributions }
786*c54f35caSApple OSS Distributions #endif
787*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
788*c54f35caSApple OSS Distributions return 0;
789*c54f35caSApple OSS Distributions }
790*c54f35caSApple OSS Distributions
791*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_seteuid, cred, euid);
792*c54f35caSApple OSS Distributions
793*c54f35caSApple OSS Distributions return error;
794*c54f35caSApple OSS Distributions }
795*c54f35caSApple OSS Distributions
796*c54f35caSApple OSS Distributions int
mac_proc_check_setreuid(proc_t curp,kauth_cred_t cred,uid_t ruid,uid_t euid)797*c54f35caSApple OSS Distributions mac_proc_check_setreuid(proc_t curp, kauth_cred_t cred, uid_t ruid, uid_t euid)
798*c54f35caSApple OSS Distributions {
799*c54f35caSApple OSS Distributions int error = 0;
800*c54f35caSApple OSS Distributions
801*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
802*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
803*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
804*c54f35caSApple OSS Distributions return 0;
805*c54f35caSApple OSS Distributions }
806*c54f35caSApple OSS Distributions #endif
807*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
808*c54f35caSApple OSS Distributions return 0;
809*c54f35caSApple OSS Distributions }
810*c54f35caSApple OSS Distributions
811*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_setreuid, cred, ruid, euid);
812*c54f35caSApple OSS Distributions
813*c54f35caSApple OSS Distributions return error;
814*c54f35caSApple OSS Distributions }
815*c54f35caSApple OSS Distributions
816*c54f35caSApple OSS Distributions int
mac_proc_check_setgid(proc_t curp,kauth_cred_t cred,gid_t gid)817*c54f35caSApple OSS Distributions mac_proc_check_setgid(proc_t curp, kauth_cred_t cred, gid_t gid)
818*c54f35caSApple OSS Distributions {
819*c54f35caSApple OSS Distributions int error = 0;
820*c54f35caSApple OSS Distributions
821*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
822*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
823*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
824*c54f35caSApple OSS Distributions return 0;
825*c54f35caSApple OSS Distributions }
826*c54f35caSApple OSS Distributions #endif
827*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
828*c54f35caSApple OSS Distributions return 0;
829*c54f35caSApple OSS Distributions }
830*c54f35caSApple OSS Distributions
831*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_setgid, cred, gid);
832*c54f35caSApple OSS Distributions
833*c54f35caSApple OSS Distributions return error;
834*c54f35caSApple OSS Distributions }
835*c54f35caSApple OSS Distributions
836*c54f35caSApple OSS Distributions int
mac_proc_check_setegid(proc_t curp,kauth_cred_t cred,gid_t egid)837*c54f35caSApple OSS Distributions mac_proc_check_setegid(proc_t curp, kauth_cred_t cred, gid_t egid)
838*c54f35caSApple OSS Distributions {
839*c54f35caSApple OSS Distributions int error = 0;
840*c54f35caSApple OSS Distributions
841*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
842*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
843*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
844*c54f35caSApple OSS Distributions return 0;
845*c54f35caSApple OSS Distributions }
846*c54f35caSApple OSS Distributions #endif
847*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
848*c54f35caSApple OSS Distributions return 0;
849*c54f35caSApple OSS Distributions }
850*c54f35caSApple OSS Distributions
851*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_setegid, cred, egid);
852*c54f35caSApple OSS Distributions
853*c54f35caSApple OSS Distributions return error;
854*c54f35caSApple OSS Distributions }
855*c54f35caSApple OSS Distributions
856*c54f35caSApple OSS Distributions int
mac_proc_check_setregid(proc_t curp,kauth_cred_t cred,gid_t rgid,gid_t egid)857*c54f35caSApple OSS Distributions mac_proc_check_setregid(proc_t curp, kauth_cred_t cred, gid_t rgid, gid_t egid)
858*c54f35caSApple OSS Distributions {
859*c54f35caSApple OSS Distributions int error = 0;
860*c54f35caSApple OSS Distributions
861*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
862*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
863*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
864*c54f35caSApple OSS Distributions return 0;
865*c54f35caSApple OSS Distributions }
866*c54f35caSApple OSS Distributions #endif
867*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
868*c54f35caSApple OSS Distributions return 0;
869*c54f35caSApple OSS Distributions }
870*c54f35caSApple OSS Distributions
871*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_setregid, cred, rgid, egid);
872*c54f35caSApple OSS Distributions
873*c54f35caSApple OSS Distributions return error;
874*c54f35caSApple OSS Distributions }
875*c54f35caSApple OSS Distributions
876*c54f35caSApple OSS Distributions int
mac_proc_check_settid(proc_t curp,uid_t uid,gid_t gid)877*c54f35caSApple OSS Distributions mac_proc_check_settid(proc_t curp, uid_t uid, gid_t gid)
878*c54f35caSApple OSS Distributions {
879*c54f35caSApple OSS Distributions kauth_cred_t pcred, tcred;
880*c54f35caSApple OSS Distributions int error = 0;
881*c54f35caSApple OSS Distributions
882*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
883*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
884*c54f35caSApple OSS Distributions if (!mac_proc_enforce) {
885*c54f35caSApple OSS Distributions return 0;
886*c54f35caSApple OSS Distributions }
887*c54f35caSApple OSS Distributions #endif
888*c54f35caSApple OSS Distributions if (!mac_proc_check_enforce(curp)) {
889*c54f35caSApple OSS Distributions return 0;
890*c54f35caSApple OSS Distributions }
891*c54f35caSApple OSS Distributions
892*c54f35caSApple OSS Distributions pcred = kauth_cred_proc_ref(curp);
893*c54f35caSApple OSS Distributions tcred = kauth_cred_get_with_ref();
894*c54f35caSApple OSS Distributions MAC_CHECK(proc_check_settid, pcred, tcred, uid, gid);
895*c54f35caSApple OSS Distributions kauth_cred_unref(&tcred);
896*c54f35caSApple OSS Distributions kauth_cred_unref(&pcred);
897*c54f35caSApple OSS Distributions
898*c54f35caSApple OSS Distributions return error;
899*c54f35caSApple OSS Distributions }
900*c54f35caSApple OSS Distributions
901*c54f35caSApple OSS Distributions int
mac_proc_check_launch_constraints(proc_t curp,struct image_params * imgp,os_reason_t * reasonp)902*c54f35caSApple OSS Distributions mac_proc_check_launch_constraints(proc_t curp, struct image_params *imgp, os_reason_t *reasonp)
903*c54f35caSApple OSS Distributions {
904*c54f35caSApple OSS Distributions char *fatal_failure_desc = NULL;
905*c54f35caSApple OSS Distributions size_t fatal_failure_desc_len = 0;
906*c54f35caSApple OSS Distributions
907*c54f35caSApple OSS Distributions pid_t original_parent_id = proc_original_ppid(curp);
908*c54f35caSApple OSS Distributions
909*c54f35caSApple OSS Distributions pid_t responsible_pid = curp->p_responsible_pid;
910*c54f35caSApple OSS Distributions
911*c54f35caSApple OSS Distributions int error = 0;
912*c54f35caSApple OSS Distributions
913*c54f35caSApple OSS Distributions /* Vnode of the file */
914*c54f35caSApple OSS Distributions struct vnode *vp = imgp->ip_vp;
915*c54f35caSApple OSS Distributions
916*c54f35caSApple OSS Distributions char *vn_path = NULL;
917*c54f35caSApple OSS Distributions vm_size_t vn_pathlen = MAXPATHLEN;
918*c54f35caSApple OSS Distributions #if SECURITY_MAC_CHECK_ENFORCE
919*c54f35caSApple OSS Distributions /* 21167099 - only check if we allow write */
920*c54f35caSApple OSS Distributions if (!mac_proc_enforce || !mac_vnode_enforce) {
921*c54f35caSApple OSS Distributions return 0;
922*c54f35caSApple OSS Distributions }
923*c54f35caSApple OSS Distributions #endif
924*c54f35caSApple OSS Distributions
925*c54f35caSApple OSS Distributions MAC_POLICY_ITERATE({
926*c54f35caSApple OSS Distributions mpo_proc_check_launch_constraints_t *hook = mpc->mpc_ops->mpo_proc_check_launch_constraints;
927*c54f35caSApple OSS Distributions if (hook == NULL) {
928*c54f35caSApple OSS Distributions continue;
929*c54f35caSApple OSS Distributions }
930*c54f35caSApple OSS Distributions
931*c54f35caSApple OSS Distributions size_t spawnattrlen = 0;
932*c54f35caSApple OSS Distributions void *spawnattr = exec_spawnattr_getmacpolicyinfo(&imgp->ip_px_smpx, mpc->mpc_name, &spawnattrlen);
933*c54f35caSApple OSS Distributions struct _posix_spawnattr *psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
934*c54f35caSApple OSS Distributions struct launch_constraint_data lcd;
935*c54f35caSApple OSS Distributions lcd.launch_type = CS_LAUNCH_TYPE_NONE;
936*c54f35caSApple OSS Distributions
937*c54f35caSApple OSS Distributions /* Check to see if psa_launch_type was initalized */
938*c54f35caSApple OSS Distributions if (psa != (struct _posix_spawnattr*)NULL) {
939*c54f35caSApple OSS Distributions lcd.launch_type = psa->psa_launch_type;
940*c54f35caSApple OSS Distributions }
941*c54f35caSApple OSS Distributions
942*c54f35caSApple OSS Distributions error = mac_error_select(
943*c54f35caSApple OSS Distributions hook(curp, original_parent_id, responsible_pid,
944*c54f35caSApple OSS Distributions spawnattr, spawnattrlen, &lcd, &fatal_failure_desc, &fatal_failure_desc_len), error);
945*c54f35caSApple OSS Distributions
946*c54f35caSApple OSS Distributions /*
947*c54f35caSApple OSS Distributions * Early exit in case of failure in case we have multiple registered callers.
948*c54f35caSApple OSS Distributions * This is to avoid other MACF policies from stomping on each other's failure description
949*c54f35caSApple OSS Distributions */
950*c54f35caSApple OSS Distributions if (fatal_failure_desc_len) {
951*c54f35caSApple OSS Distributions goto policy_fail;
952*c54f35caSApple OSS Distributions }
953*c54f35caSApple OSS Distributions });
954*c54f35caSApple OSS Distributions
955*c54f35caSApple OSS Distributions policy_fail:
956*c54f35caSApple OSS Distributions if (fatal_failure_desc_len) {
957*c54f35caSApple OSS Distributions /*
958*c54f35caSApple OSS Distributions * A fatal code signature validation failure occured, formulate a crash
959*c54f35caSApple OSS Distributions * reason.
960*c54f35caSApple OSS Distributions */
961*c54f35caSApple OSS Distributions
962*c54f35caSApple OSS Distributions char const *path = NULL;
963*c54f35caSApple OSS Distributions
964*c54f35caSApple OSS Distributions vn_path = zalloc(ZV_NAMEI);
965*c54f35caSApple OSS Distributions if (vn_getpath(vp, vn_path, (int*)&vn_pathlen) == 0) {
966*c54f35caSApple OSS Distributions path = vn_path;
967*c54f35caSApple OSS Distributions } else {
968*c54f35caSApple OSS Distributions path = "(get vnode path failed)";
969*c54f35caSApple OSS Distributions }
970*c54f35caSApple OSS Distributions
971*c54f35caSApple OSS Distributions if (error == 0) {
972*c54f35caSApple OSS Distributions panic("%s: MAC hook returned no error, but status is claimed to be fatal? "
973*c54f35caSApple OSS Distributions "path: '%s', fatal_failure_desc_len: %ld, fatal_failure_desc:\n%s\n",
974*c54f35caSApple OSS Distributions __func__, path, fatal_failure_desc_len, fatal_failure_desc);
975*c54f35caSApple OSS Distributions }
976*c54f35caSApple OSS Distributions
977*c54f35caSApple OSS Distributions os_reason_t reason = os_reason_create(OS_REASON_CODESIGNING,
978*c54f35caSApple OSS Distributions CODESIGNING_EXIT_REASON_LAUNCH_CONSTRAINT_VIOLATION);
979*c54f35caSApple OSS Distributions
980*c54f35caSApple OSS Distributions *reasonp = reason;
981*c54f35caSApple OSS Distributions
982*c54f35caSApple OSS Distributions reason->osr_flags = (OS_REASON_FLAG_GENERATE_CRASH_REPORT |
983*c54f35caSApple OSS Distributions OS_REASON_FLAG_CONSISTENT_FAILURE);
984*c54f35caSApple OSS Distributions
985*c54f35caSApple OSS Distributions if (fatal_failure_desc != NULL) {
986*c54f35caSApple OSS Distributions mach_vm_address_t data_addr = 0;
987*c54f35caSApple OSS Distributions
988*c54f35caSApple OSS Distributions int reason_error = 0;
989*c54f35caSApple OSS Distributions int kcdata_error = 0;
990*c54f35caSApple OSS Distributions
991*c54f35caSApple OSS Distributions if ((reason_error = os_reason_alloc_buffer_noblock(reason,
992*c54f35caSApple OSS Distributions kcdata_estimate_required_buffer_size(1,
993*c54f35caSApple OSS Distributions (uint32_t)fatal_failure_desc_len))) == 0) {
994*c54f35caSApple OSS Distributions if ((kcdata_error = kcdata_get_memory_addr(&reason->osr_kcd_descriptor,
995*c54f35caSApple OSS Distributions EXIT_REASON_USER_DESC, (uint32_t)fatal_failure_desc_len,
996*c54f35caSApple OSS Distributions &data_addr)) == KERN_SUCCESS) {
997*c54f35caSApple OSS Distributions kcdata_memcpy(&reason->osr_kcd_descriptor, (mach_vm_address_t)data_addr,
998*c54f35caSApple OSS Distributions fatal_failure_desc, (uint32_t)fatal_failure_desc_len);
999*c54f35caSApple OSS Distributions }
1000*c54f35caSApple OSS Distributions }
1001*c54f35caSApple OSS Distributions }
1002*c54f35caSApple OSS Distributions }
1003*c54f35caSApple OSS Distributions
1004*c54f35caSApple OSS Distributions if (vn_path) {
1005*c54f35caSApple OSS Distributions zfree(ZV_NAMEI, vn_path);
1006*c54f35caSApple OSS Distributions }
1007*c54f35caSApple OSS Distributions
1008*c54f35caSApple OSS Distributions if (fatal_failure_desc_len > 0 && fatal_failure_desc != NULL) {
1009*c54f35caSApple OSS Distributions kfree_data(fatal_failure_desc, fatal_failure_desc_len);
1010*c54f35caSApple OSS Distributions }
1011*c54f35caSApple OSS Distributions
1012*c54f35caSApple OSS Distributions return error;
1013*c54f35caSApple OSS Distributions }
1014