1/* 2 * Copyright (c) 2011-2012 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. Please obtain a copy of the License at 10 * http://www.opensource.apple.com/apsl/ and read it before using this 11 * file. 12 * 13 * The Original Code and all software distributed under the License are 14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18 * Please see the License for the specific language governing rights and 19 * limitations under the License. 20 * 21 * @APPLE_LICENSE_HEADER_END@ 22 */ 23#include "cs.h" 24#include "policydb.h" 25#include "policyengine.h" 26#include <Security/CodeSigning.h> 27#include <security_utilities/cfutilities.h> 28#include <security_utilities/cfmunge.h> 29#include <security_utilities/blob.h> 30#include <security_utilities/logging.h> 31#include <security_utilities/simpleprefs.h> 32#include <security_utilities/logging.h> 33#include "csdatabase.h" 34 35#include <dispatch/dispatch.h> 36#include <sys/types.h> 37#include <sys/stat.h> 38#include <notify.h> 39 40namespace Security { 41namespace CodeSigning { 42 43 44using namespace SQLite; 45 46 47// 48// Determine the database path 49// 50static const char *dbPath() 51{ 52 if (const char *s = getenv("SYSPOLICYDATABASE")) 53 return s; 54 return defaultDatabase; 55} 56 57 58// 59// Help mapping API-ish CFString keys to more convenient internal enumerations 60// 61typedef struct { 62 const CFStringRef &cstring; 63 uint enumeration; 64} StringMap; 65 66static uint mapEnum(CFDictionaryRef context, CFStringRef attr, const StringMap *map, uint value = 0) 67{ 68 if (context) 69 if (CFTypeRef value = CFDictionaryGetValue(context, attr)) 70 for (const StringMap *mp = map; mp->cstring; ++mp) 71 if (CFEqual(mp->cstring, value)) 72 return mp->enumeration; 73 return value; 74} 75 76static const StringMap mapType[] = { 77 { kSecAssessmentOperationTypeExecute, kAuthorityExecute }, 78 { kSecAssessmentOperationTypeInstall, kAuthorityInstall }, 79 { kSecAssessmentOperationTypeOpenDocument, kAuthorityOpenDoc }, 80 { NULL } 81}; 82 83AuthorityType typeFor(CFDictionaryRef context, AuthorityType type /* = kAuthorityInvalid */) 84{ 85 return mapEnum(context, kSecAssessmentContextKeyOperation, mapType, type); 86} 87 88CFStringRef typeNameFor(AuthorityType type) 89{ 90 for (const StringMap *mp = mapType; mp->cstring; ++mp) 91 if (type == mp->enumeration) 92 return mp->cstring; 93 return CFStringCreateWithFormat(NULL, NULL, CFSTR("type %d"), type); 94} 95 96 97// 98// Open the database 99// 100PolicyDatabase::PolicyDatabase(const char *path, int flags) 101 : SQLite::Database(path ? path : dbPath(), flags), 102 mLastExplicitCheck(0) 103{ 104 // sqlite3 doesn't do foreign key support by default, have to turn this on per connection 105 SQLite::Statement foreign(*this, "PRAGMA foreign_keys = true"); 106 foreign.execute(); 107 108 // Try upgrade processing if we may be open for write. 109 // Ignore any errors (we may have been downgraded to read-only) 110 // and try again later. 111 if (openFlags() & SQLITE_OPEN_READWRITE) 112 try { 113 upgradeDatabase(); 114 installExplicitSet(gkeAuthFile, gkeSigsFile); 115 } catch(...) { 116 } 117} 118 119PolicyDatabase::~PolicyDatabase() 120{ /* virtual */ } 121 122 123// 124// Quick-check the cache for a match. 125// Return true on a cache hit, false on failure to confirm a hit for any reason. 126// 127bool PolicyDatabase::checkCache(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFMutableDictionaryRef result) 128{ 129 // we currently don't use the cache for anything but execution rules 130 if (type != kAuthorityExecute) 131 return false; 132 133 CFRef<SecStaticCodeRef> code; 134 MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref())); 135 if (SecStaticCodeCheckValidity(code, kSecCSBasicValidateOnly, NULL) != errSecSuccess) 136 return false; // quick pass - any error is a cache miss 137 CFRef<CFDictionaryRef> info; 138 MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref())); 139 CFDataRef cdHash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique)); 140 141 // check the cache table for a fast match 142 SQLite::Statement cached(*this, "SELECT object.allow, authority.label, authority FROM object, authority" 143 " WHERE object.authority = authority.id AND object.type = :type AND object.hash = :hash AND authority.disabled = 0" 144 " AND JULIANDAY('now') < object.expires;"); 145 cached.bind(":type").integer(type); 146 cached.bind(":hash") = cdHash; 147 if (cached.nextRow()) { 148 bool allow = int(cached[0]); 149 const char *label = cached[1]; 150 SQLite::int64 auth = cached[2]; 151 SYSPOLICY_ASSESS_CACHE_HIT(); 152 153 // If its allowed, lets do a full validation unless if 154 // we are overriding the assessement, since that force 155 // the verdict to 'pass' at the end 156 157 if (allow && !overrideAssessment(flags)) 158 MacOSError::check(SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, NULL)); 159 160 cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow); 161 PolicyEngine::addAuthority(flags, result, label, auth, kCFBooleanTrue); 162 return true; 163 } 164 return false; 165} 166 167 168// 169// Purge the object cache of all expired entries. 170// These are meant to run within the caller's transaction. 171// 172void PolicyDatabase::purgeAuthority() 173{ 174 SQLite::Statement cleaner(*this, 175 "DELETE FROM authority WHERE expires <= JULIANDAY('now');"); 176 cleaner.execute(); 177} 178 179void PolicyDatabase::purgeObjects() 180{ 181 SQLite::Statement cleaner(*this, 182 "DELETE FROM object WHERE expires <= JULIANDAY('now');"); 183 cleaner.execute(); 184} 185 186void PolicyDatabase::purgeObjects(double priority) 187{ 188 SQLite::Statement cleaner(*this, 189 "DELETE FROM object WHERE expires <= JULIANDAY('now') OR (SELECT priority FROM authority WHERE id = object.authority) <= :priority;"); 190 cleaner.bind(":priority") = priority; 191 cleaner.execute(); 192} 193 194 195// 196// Database migration 197// 198std::string PolicyDatabase::featureLevel(const char *name) 199{ 200 SQLite::Statement feature(*this, "SELECT value FROM feature WHERE name=:name"); 201 feature.bind(":name") = name; 202 if (feature.nextRow()) { 203 if (const char *value = feature[0]) 204 return value; 205 else 206 return "default"; // old engineering versions may have NULL values; tolerate this 207 } 208 return ""; // new feature (no level) 209} 210 211void PolicyDatabase::addFeature(const char *name, const char *value, const char *remarks) 212{ 213 SQLite::Statement feature(*this, "INSERT OR REPLACE INTO feature (name,value,remarks) VALUES(:name, :value, :remarks)"); 214 feature.bind(":name") = name; 215 feature.bind(":value") = value; 216 feature.bind(":remarks") = remarks; 217 feature.execute(); 218} 219 220void PolicyDatabase::simpleFeature(const char *feature, void (^perform)()) 221{ 222 if (!hasFeature(feature)) { 223 SQLite::Transaction update(*this); 224 perform(); 225 addFeature(feature, "upgraded", "upgraded"); 226 update.commit(); 227 } 228} 229 230void PolicyDatabase::simpleFeature(const char *feature, const char *sql) 231{ 232 simpleFeature(feature, ^{ 233 SQLite::Statement perform(*this, sql); 234 perform.execute(); 235 }); 236} 237 238 239void PolicyDatabase::upgradeDatabase() 240{ 241 simpleFeature("bookmarkhints", 242 "CREATE TABLE bookmarkhints (" 243 " id INTEGER PRIMARY KEY AUTOINCREMENT, " 244 " bookmark BLOB," 245 " authority INTEGER NOT NULL" 246 " REFERENCES authority(id) ON DELETE CASCADE" 247 ")"); 248 249 simpleFeature("codesignedpackages", ^{ 250 SQLite::Statement update(*this, 251 "UPDATE authority" 252 " SET requirement = 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and " 253 "(certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])'" 254 " WHERE type = 2 and label = 'Developer ID' and flags & :flag"); 255 update.bind(":flag") = kAuthorityFlagDefault; 256 update.execute(); 257 }); 258 259 simpleFeature("filter_unsigned", 260 "ALTER TABLE authority ADD COLUMN filter_unsigned TEXT NULL" 261 ); 262 263 simpleFeature("strict_apple_installer", ^{ 264 SQLite::Statement update(*this, 265 "UPDATE authority" 266 " SET requirement = 'anchor apple generic and certificate 1[subject.CN] = \"Apple Software Update Certification Authority\"'" 267 " WHERE flags & :flag AND label = 'Apple Installer'"); 268 update.bind(":flag") = kAuthorityFlagDefault; 269 update.execute(); 270 SQLite::Statement add(*this, 271 "INSERT INTO authority (type, label, flags, requirement)" 272 " VALUES (2, 'Mac App Store', :flags, 'anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.10] exists')"); 273 add.bind(":flags") = kAuthorityFlagDefault; 274 add.execute(); 275 }); 276} 277 278 279// 280// Install Gatekeeper override (GKE) data. 281// The arguments are paths to the authority and signature files. 282// 283void PolicyDatabase::installExplicitSet(const char *authfile, const char *sigfile) 284{ 285 // only try this every gkeCheckInterval seconds 286 time_t now = time(NULL); 287 if (mLastExplicitCheck + gkeCheckInterval > now) 288 return; 289 mLastExplicitCheck = now; 290 291 try { 292 if (CFRef<CFDataRef> authData = cfLoadFile(authfile)) { 293 CFDictionary auth(CFRef<CFDictionaryRef>(makeCFDictionaryFrom(authData)), errSecCSDbCorrupt); 294 CFDictionaryRef content = auth.get<CFDictionaryRef>(CFSTR("authority")); 295 std::string authUUID = cfString(auth.get<CFStringRef>(CFSTR("uuid"))); 296 if (authUUID.empty()) { 297 secdebug("gkupgrade", "no uuid in auth file; ignoring gke.auth"); 298 return; 299 } 300 std::string dbUUID; 301 SQLite::Statement uuidQuery(*this, "SELECT value FROM feature WHERE name='gke'"); 302 if (uuidQuery.nextRow()) 303 dbUUID = (const char *)uuidQuery[0]; 304 if (dbUUID == authUUID) { 305 secdebug("gkupgrade", "gke.auth already present, ignoring"); 306 return; 307 } 308 Syslog::notice("loading GKE %s (replacing %s)", authUUID.c_str(), dbUUID.empty() ? "nothing" : dbUUID.c_str()); 309 310 // first, load code signatures. This is pretty much idempotent 311 if (sigfile) 312 if (FILE *sigs = fopen(sigfile, "r")) { 313 unsigned count = 0; 314 SignatureDatabaseWriter db; 315 while (const BlobCore *blob = BlobCore::readBlob(sigs)) { 316 db.storeCode(blob, "<remote>"); 317 count++; 318 } 319 secdebug("gkupgrade", "%d detached signature(s) loaded from override data", count); 320 fclose(sigs); 321 } 322 323 // start transaction (atomic from here on out) 324 SQLite::Transaction loadAuth(*this, SQLite::Transaction::exclusive, "GKE_Upgrade"); 325 326 // purge prior authority data 327 SQLite::Statement purge(*this, "DELETE FROM authority WHERE flags & :flag"); 328 purge.bind(":flag") = kAuthorityFlagWhitelist; 329 purge(); 330 331 // load new data 332 CFIndex count = CFDictionaryGetCount(content); 333 CFStringRef keys[count]; 334 CFDictionaryRef values[count]; 335 CFDictionaryGetKeysAndValues(content, (const void **)keys, (const void **)values); 336 337 SQLite::Statement insert(*this, "INSERT INTO authority (type, allow, requirement, label, filter_unsigned, flags, remarks)" 338 " VALUES (:type, 1, :requirement, 'GKE', :filter, :flags, :path)"); 339 for (CFIndex n = 0; n < count; n++) { 340 CFDictionary info(values[n], errSecCSDbCorrupt); 341 uint32_t flags = kAuthorityFlagWhitelist; 342 if (CFNumberRef versionRef = info.get<CFNumberRef>("version")) { 343 int version = cfNumber<int>(versionRef); 344 if (version >= 2) 345 flags |= kAuthorityFlagWhitelistV2; 346 } 347 insert.reset(); 348 insert.bind(":type") = cfString(info.get<CFStringRef>(CFSTR("type"))); 349 insert.bind(":path") = cfString(info.get<CFStringRef>(CFSTR("path"))); 350 insert.bind(":requirement") = "cdhash H\"" + cfString(info.get<CFStringRef>(CFSTR("cdhash"))) + "\""; 351 insert.bind(":filter") = cfString(info.get<CFStringRef>(CFSTR("screen"))); 352 insert.bind(":flags").integer(flags); 353 insert(); 354 } 355 356 // we just changed the authority configuration at priority zero 357 this->purgeObjects(0); 358 359 // update version and commit 360 addFeature("gke", authUUID.c_str(), "gke loaded"); 361 loadAuth.commit(); 362 } 363 } catch (...) { 364 secdebug("gkupgrade", "exception during GKE upgrade"); 365 } 366} 367 368 369// 370// Check the override-enable master flag 371// 372#define SP_ENABLE_KEY CFSTR("enabled") 373#define SP_ENABLED CFSTR("yes") 374#define SP_DISABLED CFSTR("no") 375 376bool overrideAssessment(SecAssessmentFlags flags /* = 0 */) 377{ 378 static bool enabled = true; 379 static dispatch_once_t once; 380 static int token = -1; 381 static int have_token = 0; 382 static dispatch_queue_t queue; 383 int check; 384 385 if (flags & kSecAssessmentFlagEnforce) // explicitly disregard disables (force on) 386 return false; 387 388 if (have_token && notify_check(token, &check) == NOTIFY_STATUS_OK && !check) 389 return !enabled; 390 391 dispatch_once(&once, ^{ 392 if (notify_register_check(kNotifySecAssessmentMasterSwitch, &token) == NOTIFY_STATUS_OK) 393 have_token = 1; 394 queue = dispatch_queue_create("com.apple.SecAssessment.assessment", NULL); 395 }); 396 397 dispatch_sync(queue, ^{ 398 /* upgrade configuration from emir, ignore all error since we might not be able to write to */ 399 if (::access(visibleSecurityFlagFile, F_OK) == 0) { 400 try { 401 setAssessment(true); 402 ::unlink(visibleSecurityFlagFile); 403 } catch (...) { 404 } 405 enabled = true; 406 return; 407 } 408 409 try { 410 Dictionary * prefsDict = Dictionary::CreateDictionary(prefsFile); 411 if (prefsDict == NULL) 412 return; 413 414 CFStringRef value = prefsDict->getStringValue(SP_ENABLE_KEY); 415 if (value && CFStringCompare(value, SP_DISABLED, 0) == 0) 416 enabled = false; 417 else 418 enabled = true; 419 delete prefsDict; 420 } catch(...) { 421 } 422 }); 423 424 return !enabled; 425} 426 427void setAssessment(bool masterSwitch) 428{ 429 MutableDictionary *prefsDict = MutableDictionary::CreateMutableDictionary(prefsFile); 430 if (prefsDict == NULL) 431 prefsDict = new MutableDictionary::MutableDictionary(); 432 prefsDict->setValue(SP_ENABLE_KEY, masterSwitch ? SP_ENABLED : SP_DISABLED); 433 prefsDict->writePlistToFile(prefsFile); 434 delete prefsDict; 435 436 /* make sure permissions is right */ 437 ::chmod(prefsFile, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); 438 439 notify_post(kNotifySecAssessmentMasterSwitch); 440} 441 442 443} // end namespace CodeSigning 444} // end namespace Security 445