1/*
2 * Copyright (c) 2011-2012 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23#include "cs.h"
24#include "policydb.h"
25#include "policyengine.h"
26#include <Security/CodeSigning.h>
27#include <security_utilities/cfutilities.h>
28#include <security_utilities/cfmunge.h>
29#include <security_utilities/blob.h>
30#include <security_utilities/logging.h>
31#include <security_utilities/simpleprefs.h>
32#include <security_utilities/logging.h>
33#include "csdatabase.h"
34
35#include <dispatch/dispatch.h>
36#include <sys/types.h>
37#include <sys/stat.h>
38#include <notify.h>
39
40namespace Security {
41namespace CodeSigning {
42
43
44using namespace SQLite;
45
46
47//
48// Determine the database path
49//
50static const char *dbPath()
51{
52	if (const char *s = getenv("SYSPOLICYDATABASE"))
53		return s;
54	return defaultDatabase;
55}
56
57
58//
59// Help mapping API-ish CFString keys to more convenient internal enumerations
60//
61typedef struct {
62	const CFStringRef &cstring;
63	uint enumeration;
64} StringMap;
65
66static uint mapEnum(CFDictionaryRef context, CFStringRef attr, const StringMap *map, uint value = 0)
67{
68	if (context)
69		if (CFTypeRef value = CFDictionaryGetValue(context, attr))
70			for (const StringMap *mp = map; mp->cstring; ++mp)
71				if (CFEqual(mp->cstring, value))
72					return mp->enumeration;
73	return value;
74}
75
76static const StringMap mapType[] = {
77	{ kSecAssessmentOperationTypeExecute, kAuthorityExecute },
78	{ kSecAssessmentOperationTypeInstall, kAuthorityInstall },
79	{ kSecAssessmentOperationTypeOpenDocument, kAuthorityOpenDoc },
80	{ NULL }
81};
82
83AuthorityType typeFor(CFDictionaryRef context, AuthorityType type /* = kAuthorityInvalid */)
84{
85	return mapEnum(context, kSecAssessmentContextKeyOperation, mapType, type);
86}
87
88CFStringRef typeNameFor(AuthorityType type)
89{
90	for (const StringMap *mp = mapType; mp->cstring; ++mp)
91		if (type == mp->enumeration)
92			return mp->cstring;
93	return CFStringCreateWithFormat(NULL, NULL, CFSTR("type %d"), type);
94}
95
96
97//
98// Open the database
99//
100PolicyDatabase::PolicyDatabase(const char *path, int flags)
101	: SQLite::Database(path ? path : dbPath(), flags),
102	  mLastExplicitCheck(0)
103{
104	// sqlite3 doesn't do foreign key support by default, have to turn this on per connection
105	SQLite::Statement foreign(*this, "PRAGMA foreign_keys = true");
106	foreign.execute();
107
108	// Try upgrade processing if we may be open for write.
109	// Ignore any errors (we may have been downgraded to read-only)
110	// and try again later.
111	if (openFlags() & SQLITE_OPEN_READWRITE)
112		try {
113			upgradeDatabase();
114			installExplicitSet(gkeAuthFile, gkeSigsFile);
115		} catch(...) {
116		}
117}
118
119PolicyDatabase::~PolicyDatabase()
120{ /* virtual */ }
121
122
123//
124// Quick-check the cache for a match.
125// Return true on a cache hit, false on failure to confirm a hit for any reason.
126//
127bool PolicyDatabase::checkCache(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFMutableDictionaryRef result)
128{
129	// we currently don't use the cache for anything but execution rules
130	if (type != kAuthorityExecute)
131		return false;
132
133	CFRef<SecStaticCodeRef> code;
134	MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref()));
135	if (SecStaticCodeCheckValidity(code, kSecCSBasicValidateOnly, NULL) != errSecSuccess)
136		return false;	// quick pass - any error is a cache miss
137	CFRef<CFDictionaryRef> info;
138	MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
139	CFDataRef cdHash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
140
141	// check the cache table for a fast match
142	SQLite::Statement cached(*this, "SELECT object.allow, authority.label, authority FROM object, authority"
143		" WHERE object.authority = authority.id AND object.type = :type AND object.hash = :hash AND authority.disabled = 0"
144		" AND JULIANDAY('now') < object.expires;");
145	cached.bind(":type").integer(type);
146	cached.bind(":hash") = cdHash;
147	if (cached.nextRow()) {
148		bool allow = int(cached[0]);
149		const char *label = cached[1];
150		SQLite::int64 auth = cached[2];
151		SYSPOLICY_ASSESS_CACHE_HIT();
152
153		// If its allowed, lets do a full validation unless if
154		// we are overriding the assessement, since that force
155		// the verdict to 'pass' at the end
156
157		if (allow && !overrideAssessment(flags))
158		    MacOSError::check(SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, NULL));
159
160		cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow);
161		PolicyEngine::addAuthority(flags, result, label, auth, kCFBooleanTrue);
162		return true;
163	}
164	return false;
165}
166
167
168//
169// Purge the object cache of all expired entries.
170// These are meant to run within the caller's transaction.
171//
172void PolicyDatabase::purgeAuthority()
173{
174	SQLite::Statement cleaner(*this,
175		"DELETE FROM authority WHERE expires <= JULIANDAY('now');");
176	cleaner.execute();
177}
178
179void PolicyDatabase::purgeObjects()
180{
181	SQLite::Statement cleaner(*this,
182		"DELETE FROM object WHERE expires <= JULIANDAY('now');");
183	cleaner.execute();
184}
185
186void PolicyDatabase::purgeObjects(double priority)
187{
188	SQLite::Statement cleaner(*this,
189		"DELETE FROM object WHERE expires <= JULIANDAY('now') OR (SELECT priority FROM authority WHERE id = object.authority) <= :priority;");
190	cleaner.bind(":priority") = priority;
191	cleaner.execute();
192}
193
194
195//
196// Database migration
197//
198std::string PolicyDatabase::featureLevel(const char *name)
199{
200	SQLite::Statement feature(*this, "SELECT value FROM feature WHERE name=:name");
201	feature.bind(":name") = name;
202	if (feature.nextRow()) {
203		if (const char *value = feature[0])
204			return value;
205		else
206			return "default";	// old engineering versions may have NULL values; tolerate this
207	}
208	return "";		// new feature (no level)
209}
210
211void PolicyDatabase::addFeature(const char *name, const char *value, const char *remarks)
212{
213	SQLite::Statement feature(*this, "INSERT OR REPLACE INTO feature (name,value,remarks) VALUES(:name, :value, :remarks)");
214	feature.bind(":name") = name;
215	feature.bind(":value") = value;
216	feature.bind(":remarks") = remarks;
217	feature.execute();
218}
219
220void PolicyDatabase::simpleFeature(const char *feature, void (^perform)())
221{
222	if (!hasFeature(feature)) {
223		SQLite::Transaction update(*this);
224		perform();
225		addFeature(feature, "upgraded", "upgraded");
226		update.commit();
227	}
228}
229
230void PolicyDatabase::simpleFeature(const char *feature, const char *sql)
231{
232	simpleFeature(feature, ^{
233		SQLite::Statement perform(*this, sql);
234		perform.execute();
235	});
236}
237
238
239void PolicyDatabase::upgradeDatabase()
240{
241	simpleFeature("bookmarkhints",
242		"CREATE TABLE bookmarkhints ("
243			"  id INTEGER PRIMARY KEY AUTOINCREMENT, "
244			"  bookmark BLOB,"
245			"  authority INTEGER NOT NULL"
246			"     REFERENCES authority(id) ON DELETE CASCADE"
247			")");
248
249	simpleFeature("codesignedpackages", ^{
250		SQLite::Statement update(*this,
251			"UPDATE authority"
252			" SET requirement = 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and "
253				"(certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])'"
254			" WHERE type = 2 and label = 'Developer ID' and flags & :flag");
255		update.bind(":flag") = kAuthorityFlagDefault;
256		update.execute();
257	});
258
259	simpleFeature("filter_unsigned",
260		"ALTER TABLE authority ADD COLUMN filter_unsigned TEXT NULL"
261		);
262
263	simpleFeature("strict_apple_installer", ^{
264		SQLite::Statement update(*this,
265			"UPDATE authority"
266			" SET requirement = 'anchor apple generic and certificate 1[subject.CN] = \"Apple Software Update Certification Authority\"'"
267			" WHERE flags & :flag AND label = 'Apple Installer'");
268		update.bind(":flag") = kAuthorityFlagDefault;
269		update.execute();
270		SQLite::Statement add(*this,
271			"INSERT INTO authority (type, label, flags, requirement)"
272			" VALUES (2, 'Mac App Store', :flags, 'anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.10] exists')");
273		add.bind(":flags") = kAuthorityFlagDefault;
274		add.execute();
275	});
276}
277
278
279//
280// Install Gatekeeper override (GKE) data.
281// The arguments are paths to the authority and signature files.
282//
283void PolicyDatabase::installExplicitSet(const char *authfile, const char *sigfile)
284{
285	// only try this every gkeCheckInterval seconds
286	time_t now = time(NULL);
287	if (mLastExplicitCheck + gkeCheckInterval > now)
288		return;
289	mLastExplicitCheck = now;
290
291	try {
292		if (CFRef<CFDataRef> authData = cfLoadFile(authfile)) {
293			CFDictionary auth(CFRef<CFDictionaryRef>(makeCFDictionaryFrom(authData)), errSecCSDbCorrupt);
294			CFDictionaryRef content = auth.get<CFDictionaryRef>(CFSTR("authority"));
295			std::string authUUID = cfString(auth.get<CFStringRef>(CFSTR("uuid")));
296			if (authUUID.empty()) {
297				secdebug("gkupgrade", "no uuid in auth file; ignoring gke.auth");
298				return;
299			}
300			std::string dbUUID;
301			SQLite::Statement uuidQuery(*this, "SELECT value FROM feature WHERE name='gke'");
302			if (uuidQuery.nextRow())
303				dbUUID = (const char *)uuidQuery[0];
304			if (dbUUID == authUUID) {
305				secdebug("gkupgrade", "gke.auth already present, ignoring");
306				return;
307			}
308			Syslog::notice("loading GKE %s (replacing %s)", authUUID.c_str(), dbUUID.empty() ? "nothing" : dbUUID.c_str());
309
310			// first, load code signatures. This is pretty much idempotent
311			if (sigfile)
312				if (FILE *sigs = fopen(sigfile, "r")) {
313					unsigned count = 0;
314				    SignatureDatabaseWriter db;
315					while (const BlobCore *blob = BlobCore::readBlob(sigs)) {
316						db.storeCode(blob, "<remote>");
317						count++;
318					}
319					secdebug("gkupgrade", "%d detached signature(s) loaded from override data", count);
320					fclose(sigs);
321				}
322
323			// start transaction (atomic from here on out)
324			SQLite::Transaction loadAuth(*this, SQLite::Transaction::exclusive, "GKE_Upgrade");
325
326			// purge prior authority data
327			SQLite::Statement purge(*this, "DELETE FROM authority WHERE flags & :flag");
328			purge.bind(":flag") = kAuthorityFlagWhitelist;
329			purge();
330
331			// load new data
332			CFIndex count = CFDictionaryGetCount(content);
333			CFStringRef keys[count];
334			CFDictionaryRef values[count];
335			CFDictionaryGetKeysAndValues(content, (const void **)keys, (const void **)values);
336
337			SQLite::Statement insert(*this, "INSERT INTO authority (type, allow, requirement, label, filter_unsigned, flags, remarks)"
338				" VALUES (:type, 1, :requirement, 'GKE', :filter, :flags, :path)");
339			for (CFIndex n = 0; n < count; n++) {
340				CFDictionary info(values[n], errSecCSDbCorrupt);
341				uint32_t flags = kAuthorityFlagWhitelist;
342				if (CFNumberRef versionRef = info.get<CFNumberRef>("version")) {
343					int version = cfNumber<int>(versionRef);
344					if (version >= 2)
345						flags |= kAuthorityFlagWhitelistV2;
346				}
347				insert.reset();
348				insert.bind(":type") = cfString(info.get<CFStringRef>(CFSTR("type")));
349				insert.bind(":path") = cfString(info.get<CFStringRef>(CFSTR("path")));
350				insert.bind(":requirement") = "cdhash H\"" + cfString(info.get<CFStringRef>(CFSTR("cdhash"))) + "\"";
351				insert.bind(":filter") = cfString(info.get<CFStringRef>(CFSTR("screen")));
352				insert.bind(":flags").integer(flags);
353				insert();
354			}
355
356			// we just changed the authority configuration at priority zero
357			this->purgeObjects(0);
358
359			// update version and commit
360			addFeature("gke", authUUID.c_str(), "gke loaded");
361			loadAuth.commit();
362		}
363	} catch (...) {
364		secdebug("gkupgrade", "exception during GKE upgrade");
365	}
366}
367
368
369//
370// Check the override-enable master flag
371//
372#define SP_ENABLE_KEY CFSTR("enabled")
373#define SP_ENABLED CFSTR("yes")
374#define SP_DISABLED CFSTR("no")
375
376bool overrideAssessment(SecAssessmentFlags flags /* = 0 */)
377{
378	static bool enabled = true;
379	static dispatch_once_t once;
380	static int token = -1;
381	static int have_token = 0;
382	static dispatch_queue_t queue;
383	int check;
384
385	if (flags & kSecAssessmentFlagEnforce)	// explicitly disregard disables (force on)
386		return false;
387
388	if (have_token && notify_check(token, &check) == NOTIFY_STATUS_OK && !check)
389		return !enabled;
390
391	dispatch_once(&once, ^{
392		if (notify_register_check(kNotifySecAssessmentMasterSwitch, &token) == NOTIFY_STATUS_OK)
393			have_token = 1;
394		queue = dispatch_queue_create("com.apple.SecAssessment.assessment", NULL);
395             });
396
397	dispatch_sync(queue, ^{
398		/* upgrade configuration from emir, ignore all error since we might not be able to write to */
399		if (::access(visibleSecurityFlagFile, F_OK) == 0) {
400			try {
401				setAssessment(true);
402				::unlink(visibleSecurityFlagFile);
403			} catch (...) {
404			}
405			enabled = true;
406			return;
407		}
408
409		try {
410			Dictionary * prefsDict = Dictionary::CreateDictionary(prefsFile);
411			if (prefsDict == NULL)
412				return;
413
414			CFStringRef value = prefsDict->getStringValue(SP_ENABLE_KEY);
415			if (value && CFStringCompare(value, SP_DISABLED, 0) == 0)
416				enabled = false;
417			else
418				enabled = true;
419			delete prefsDict;
420		} catch(...) {
421		}
422	});
423
424	return !enabled;
425}
426
427void setAssessment(bool masterSwitch)
428{
429	MutableDictionary *prefsDict = MutableDictionary::CreateMutableDictionary(prefsFile);
430	if (prefsDict == NULL)
431		prefsDict = new MutableDictionary::MutableDictionary();
432	prefsDict->setValue(SP_ENABLE_KEY, masterSwitch ? SP_ENABLED : SP_DISABLED);
433	prefsDict->writePlistToFile(prefsFile);
434	delete prefsDict;
435
436	/* make sure permissions is right */
437	::chmod(prefsFile, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
438
439	notify_post(kNotifySecAssessmentMasterSwitch);
440}
441
442
443} // end namespace CodeSigning
444} // end namespace Security
445