90 extern void kauth_cred_print(kauth_cred_t cred);
173 static void kauth_cred_remove(kauth_cred_t cred);
175 static u_long kauth_cred_get_hashkey(kauth_cred_t cred);
182 static void kauth_cred_print(kauth_cred_t cred);
1307  * Parameters:	cred			Pointer to the credential to modify
1323 kauth_cred_change_egid(kauth_cred_t cred, gid_t new_egid)
1330 	gid_t	old_egid = cred->cr_groups[0];
1333 	for (i = 1; i < cred->cr_ngroups; i++) {
1338 		if (cred->cr_groups[i] == new_egid) {
1339 			cred->cr_groups[i] = old_egid;
1365 	if (displaced && !(cred->cr_flags & CRF_NOMEMBERD) &&
1366 	    kauth_cred_ismember_gid(cred, new_egid, &is_member) == 0 &&
1374 	cred->cr_groups[0] = new_egid;
1385  * Parameters:	cred				Credential to examine
1390 kauth_cred_getuid(kauth_cred_t cred)
1392 	NULLCRED_CHECK(cred);
1393 	return(cred->cr_uid);
1402  * Parameters:	cred				Credential to examine
1407 kauth_cred_getgid(kauth_cred_t cred)
1409 	NULLCRED_CHECK(cred);
1410 	return(cred->cr_gid);
1545  * Parameters:	cred				Credential to examine
1555 kauth_cred_getguid(kauth_cred_t cred, guid_t *guidp)
1557 	NULLCRED_CHECK(cred);
1558 	return(kauth_cred_uid2guid(kauth_cred_getuid(cred), guidp));
1609  * Parameters:	cred				Credential to examine
1619 kauth_cred_getntsid(kauth_cred_t cred, ntsid_t *sidp)
1621 	NULLCRED_CHECK(cred);
1622 	return(kauth_cred_uid2ntsid(kauth_cred_getuid(cred), sidp));
2046  * Parameters:	cred				Credential to check in
2069 kauth_cred_ismember_gid(kauth_cred_t cred, gid_t gid, int *resultp)
2078 	 * We can conditionalise this on cred->cr_gmuid == KAUTH_UID_NONE since
2081 	for (i = 0; i < cred->cr_ngroups; i++) {
2082 		if (gid == cred->cr_groups[i]) {
2089 	 * If we don't have a UID for group membership checks, the in-cred list
2092 	if (cred->cr_gmuid == KAUTH_UID_NONE) {
2117 		if ((gm->gm_uid == cred->cr_gmuid) && (gm->gm_gid == gid) && !kauth_groups_expired(gm)) {
2134 	el.el_uid = cred->cr_gmuid;
2159  * Parameters:	cred				Credential to check in
2178 kauth_cred_ismember_guid(kauth_cred_t cred, guid_t *guidp, int *resultp)
2197 			 * thus the cred can't be a member.
2204 			error = kauth_cred_ismember_gid(cred, gid, resultp);
2283  * Parameters:	cred				Credential to check for super
2293 kauth_cred_issuser(kauth_cred_t cred)
2295 	return(cred->cr_uid == 0);
2451  *		instead, to protect against any future changes to the cred
2485  *		late-bind the uthread cred to the proc cred.
2556 		/* take reference for new cred in thread */
2597 	kauth_cred_t 	cred;
2600 	cred = proc_ucred(procp);
2601 	kauth_cred_ref(cred);
2603 	return(cred);
2656 		/* must do this, or cred has same group membership as uid 0 */
2684  * Parameters:	cred				Template for credential to
2703 kauth_cred_create(kauth_cred_t cred)
2709 	if (cred->cr_flags & CRF_NOMEMBERD)
2710 		cred->cr_gmuid = KAUTH_UID_NONE;
2712 		cred->cr_gmuid = cred->cr_uid;
2715 	if (cred->cr_ngroups < 1)
2720 		found_cred = kauth_cred_find(cred);
2739 			new_cred->cr_uid = cred->cr_uid;
2740 			new_cred->cr_ruid = cred->cr_ruid;
2741 			new_cred->cr_svuid = cred->cr_svuid;
2742 			new_cred->cr_rgid = cred->cr_rgid;
2743 			new_cred->cr_svgid = cred->cr_svgid;
2744 			new_cred->cr_gmuid = cred->cr_gmuid;
2745 			new_cred->cr_ngroups = cred->cr_ngroups;	
2746 			bcopy(&cred->cr_groups[0], &new_cred->cr_groups[0], sizeof(new_cred->cr_groups));
2747 			new_cred->cr_flags = cred->cr_flags;
2775  * Parameters:	cred				The original credential
2801 kauth_cred_setresuid(kauth_cred_t cred, uid_t ruid, uid_t euid, uid_t svuid, uid_t gmuid)
2805 	NULLCRED_CHECK(cred);
2811 	if ((euid == KAUTH_UID_NONE || cred->cr_uid == euid) &&
2812 	    (ruid == KAUTH_UID_NONE || cred->cr_ruid == ruid) &&
2813 	    (svuid == KAUTH_UID_NONE || cred->cr_svuid == svuid) &&
2814 	    (cred->cr_gmuid == gmuid)) {
2816 		return(cred);
2820 	 * Look up in cred hash table to see if we have a matching credential
2823 	bcopy(cred, &temp_cred, sizeof(temp_cred));
2843 	return(kauth_cred_update(cred, &temp_cred, TRUE));
2854  * Parameters:	cred				The original credential
2874 kauth_cred_setresgid(kauth_cred_t cred, gid_t rgid, gid_t egid, gid_t svgid)
2878 	NULLCRED_CHECK(cred);
2879 	DEBUG_CRED_ENTER("kauth_cred_setresgid %p %d %d %d\n", cred, rgid, egid, svgid);
2885 	if (cred->cr_groups[0] == egid &&
2886 	    cred->cr_rgid == rgid &&
2887 	    cred->cr_svgid == svgid) {
2889 		return(cred);
2893 	 * Look up in cred hash table to see if we have a matching credential
2896 	bcopy(cred, &temp_cred, sizeof(temp_cred));
2914 	return(kauth_cred_update(cred, &temp_cred, TRUE));
2931  * Parameters:	cred				The original credential
2968 kauth_cred_setgroups(kauth_cred_t cred, gid_t *groups, int groupcount, uid_t gmuid)
2973 	NULLCRED_CHECK(cred);
2979 	if ((cred->cr_gmuid == gmuid) && (cred->cr_ngroups == groupcount)) {
2981 			if (cred->cr_groups[i] != groups[i])
2986 			return(cred);
2991 	 * Look up in cred hash table to see if we have a matching credential
2997 	bcopy(cred, &temp_cred, sizeof(temp_cred));
3006 	return(kauth_cred_update(cred, &temp_cred, TRUE));
3018  * Parameters:	cred				The original credential
3046 kauth_cred_setuidgid(kauth_cred_t cred, uid_t uid, gid_t gid)
3050 	NULLCRED_CHECK(cred);
3056 	if (cred->cr_uid == uid && cred->cr_ruid == uid && cred->cr_svuid == uid &&
3057 		cred->cr_groups[0] == gid && cred->cr_rgid == gid && cred->cr_svgid == gid) {
3059 		return(cred);
3063 	 * Look up in cred hash table to see if we have a matching credential
3071 	if (cred->cr_flags & CRF_NOMEMBERD) {
3087 	temp_cred.cr_label = cred->cr_label;
3090 	return(kauth_cred_update(cred, &temp_cred, TRUE));
3100  * Parameters:	cred				The credential to update
3119 kauth_cred_setsvuidgid(kauth_cred_t cred, uid_t uid, gid_t gid)
3123 	NULLCRED_CHECK(cred);
3124 	DEBUG_CRED_ENTER("kauth_cred_setsvuidgid: %p u%d->%d g%d->%d\n", cred, cred->cr_svuid, uid, cred->cr_svgid, gid);
3131 	if (cred->cr_svuid == uid && cred->cr_svgid == gid) {
3133 		return(cred);
3135 	DEBUG_CRED_CHANGE("kauth_cred_setsvuidgid: cred change\n");
3137 	/* look up in cred hash table to see if we have a matching credential
3140 	bcopy(cred, &temp_cred, sizeof(temp_cred));
3144 	return(kauth_cred_update(cred, &temp_cred, TRUE));
3153  * Parameters:	cred				The original credential
3171 kauth_cred_setauditinfo(kauth_cred_t cred, auditinfo_t *auditinfo_p)
3175 	NULLCRED_CHECK(cred);
3181 	if (bcmp(&cred->cr_au, auditinfo_p, sizeof(cred->cr_au)) == 0) {
3183 		return(cred);
3186 	bcopy(cred, &temp_cred, sizeof(temp_cred));
3189 	return(kauth_cred_update(cred, &temp_cred, FALSE));
3198  * Parameters:	cred				The original credential
3216 kauth_cred_label_update(kauth_cred_t cred, struct label *label)
3221 	bcopy(cred, &temp_cred, sizeof(temp_cred));
3224 	mac_cred_label_associate(cred, &temp_cred);
3227 	newcred = kauth_cred_update(cred, &temp_cred, TRUE);
3238  * Parameters:	cred				The original credential
3265 kauth_cred_label_update_execve(kauth_cred_t cred, vfs_context_t ctx,
3272 	bcopy(cred, &temp_cred, sizeof(temp_cred));
3275 	mac_cred_label_associate(cred, &temp_cred);
3279 	newcred = kauth_cred_update(cred, &temp_cred, TRUE);
3324 			 * restart this again with the new cred.
3399 			 * restart this again with the new cred.
3424 kauth_cred_t	kauth_cred_setlabel(kauth_cred_t cred, struct label *label);
3426 kauth_cred_setlabel(kauth_cred_t cred, struct label *label)
3428 	return kauth_cred_label_update(cred, label);
3446 kauth_cred_label_update(__unused kauth_cred_t cred, __unused void *label)
3461 kauth_cred_t	kauth_cred_setlabel(kauth_cred_t cred, void *label);
3463 kauth_cred_setlabel(__unused kauth_cred_t cred, __unused void *label)
3482  * Parameters:	cred				The credential to reference
3492  *		if from the per vnode name cache cred cache, and so on).
3498  *		time it is unreferenced from the cred hash cache.
3501 kauth_cred_ref(kauth_cred_t cred)
3505 	NULLCRED_CHECK(cred);
3508 	old_value = OSAddAtomic(1, (SInt32 *)&cred->cr_ref);
3511 		panic("kauth_cred_ref: trying to take a reference on a cred with no references");
3514 	if ( is_target_cred( cred ) != 0 ) {
3564 		panic("%s:0x%08x kauth_cred_unref_hashlocked: dropping a reference on a cred with no references", current_proc()->p_comm, *credp);
3566 		panic("%s:0x%08x kauth_cred_unref_hashlocked: dropping a reference on a cred with no hash entry", current_proc()->p_comm, *credp);
3620  * Parameters:	cred				Credential to release
3630 kauth_cred_rele(kauth_cred_t cred)
3632 	kauth_cred_unref(&cred);
3642  * Parameters:	cred				The credential to duplicate
3676 kauth_cred_dup(kauth_cred_t cred)
3684 	if (cred == NOCRED || cred == FSCRED)
3692 		bcopy(cred, newcred, sizeof(*newcred));
3695 		mac_cred_label_associate(cred, newcred);
3708  * Parameters:	cred				The credential from which to
3715  *		additional reference on the passed cred (if any), and the
3720 kauth_cred_copy_real(kauth_cred_t cred)
3726 	if ((cred->cr_ruid == cred->cr_uid) &&
3727 	    (cred->cr_rgid == cred->cr_gid)) {
3728 		kauth_cred_ref(cred);
3729 		return(cred);
3733 	 * Look up in cred hash table to see if we have a matching credential
3736 	bcopy(cred, &temp_cred, sizeof(temp_cred));
3737 	temp_cred.cr_uid = cred->cr_ruid;
3739 	if (kauth_cred_change_egid(&temp_cred, cred->cr_rgid)) {
3744 	 * If the cred is not opted out, make sure we are using the r/euid
3748 		temp_cred.cr_gmuid = cred->cr_ruid;
3755 		if (found_cred == cred) {
3756 			/* same cred so just bail */
3758 			return(cred); 
3840 			/* same cred so just bail */
3887  * Parameters:	new_cred			Credential to insert into cred
3896  * Notes:	The 'new_cred' MUST NOT already be in the cred hash cache
3932  * Parameters:	cred				Credential to remove from cred
3945 kauth_cred_remove(kauth_cred_t cred)
3950 	hash_key = kauth_cred_get_hashkey(cred);
3954 	if (cred->cr_ref < 1)
3955 		panic("cred reference underflow");
3956 	if (cred->cr_ref > 1)
3959 	/* Find cred in the credential hash table */
3961 		if (found_cred == cred) {
3965 			mac_cred_label_destroy(cred);
3967 			cred->cr_ref = 0;
3968 			FREE_ZONE(cred, sizeof(*cred), M_CRED);
3977 	printf("%s:%d - %s - %s - did not find a match for %p\n", __FILE__, __LINE__, __FUNCTION__, current_proc()->p_comm, cred);
3988  * Parameters:	cred				Credential to lookup in cred
3993  *						cred hash cache
3998 kauth_cred_find(kauth_cred_t cred)
4014 	hash_key = kauth_cred_get_hashkey(cred);
4017 	/* Find cred in the credential hash table */
4026 		    (cred->cr_flags & CRF_MAC_ENFORCE) != 0) {
4028 			match = (bcmp(&found_cred->cr_uid, &cred->cr_uid,
4033 			match = (found_cred->cr_flags == cred->cr_flags &&
4034 				 bcmp(&found_cred->cr_uid, &cred->cr_uid,
4091  * Parameters:	cred				Credential for which hash is
4097 kauth_cred_get_hashkey(kauth_cred_t cred)
4101 	hash_key = kauth_cred_hash((uint8_t *)&cred->cr_uid, 
4102 			((cred->cr_flags & CRF_MAC_ENFORCE) ? 
4114  * Description:	Print out cred hash cache table information for debugging
4129 	printf("\n\t kauth credential hash table statistics - current cred count %d \n", kauth_cred_count);
4157  * Parameters:	cred				The credential to print out
4164 kauth_cred_print(kauth_cred_t cred) 
4168 	printf("%p - refs %lu flags 0x%08x uids e%d r%d sv%d gm%d ", cred, cred->cr_ref, cred->cr_flags, cred->cr_uid, cred->cr_ruid, cred->cr_svuid, cred->cr_gmuid);
4169 	printf("group count %d gids ", cred->cr_ngroups);
4173 		printf("%d ", cred->cr_groups[i]);
4175 	printf("r%d sv%d ", cred->cr_rgid, cred->cr_svgid);
4177 		cred->cr_au.ai_auid, cred->cr_au.ai_mask.am_success, cred->cr_au.ai_mask.am_failure, 
4178 		cred->cr_au.ai_termid.port, cred->cr_au.ai_termid.machine, cred->cr_au.ai_asid);
4235 	return( -1 ); // found target cred
4291     NULL, 0, sysctl_dump_creds, "S,debug_ucred", "List of credentials in the cred hash");

Indexes created Sat Jul 13 22:46:07 MDT 2024