#include <asl.h>
#include <IOKit/kext/OSKext.h>
#include <IOKit/kext/OSKextPrivate.h>
#include <IOKit/IOKitLib.h>
#include <Security/Security.h>
#include <sys/sysctl.h>
#include <sys/csr.h>
#include <sys/xattr.h>
#include <syslog.h>
#include <servers/bootstrap.h>
#include <IOKit/kext/kextmanager_types.h>
#include <os/feature_private.h>
#include "kext_tools_util.h"
#include "security.h"
#include "signposts.h"
#include "staging.h"
#include "syspolicy.h"
#include "driverkit.h"
#if HAVE_DANGERZONE
#include <dz/dz.h>
extern void __attribute__((weak_import))
dz_notify_kext_load_v2(dz_kext_load_t type, const char *kextpath,
dz_kext_load_flags_t flags, bool allowed);
extern void __attribute__((weak_import))
dz_notify_kextcache_update_v2(const char *kextpath, bool allowed);
#endif // HAVE_DANGERZONE
static OSStatus checkRootCertificateIsApple(OSKextRef aKext);
static CFStringRef copyCDHash(SecStaticCodeRef code);
static CFStringRef copyIssuerCN(SecCertificateRef certificate);
static CFArrayRef copySubjectCNArray(CFURLRef kextURL);
static CFStringRef copyTeamID(SecCertificateRef certificate);
static CFStringRef createArchitectureList(OSKextRef aKext, CFBooleanRef *isFat);
static void filterKextLoadForMT(OSKextRef aKext, CFMutableArrayRef kextList, Boolean userLoad);
static Boolean hashIsInExceptionList(CFURLRef theKextURL, CFDictionaryRef theDict, CFDictionaryRef codesignAttributes);
static uint32_t getKextDevModeFlags(void);
Boolean
authenticateKext(OSKextRef theKext, void *context)
{
Boolean result = false;
OSStatus sigResult = 0;
const AuthOptions_t *authOptions = (const AuthOptions_t*)context;
if (authOptions == NULL) {
OSKextLogCFString(NULL,
kOSKextLogErrorLevel | kOSKextLogValidationFlag,
CFSTR("Kext rejected due to invalid authentication params: %@"),
theKext);
result = false;
goto finish;
}
if (OSKextIsInExcludeList(theKext, true)) {
OSKextLogCFString(NULL,
kOSKextLogErrorLevel | kOSKextLogValidationFlag,
CFSTR("Kext rejected due to presence on exclude list: %@"),
theKext);
messageTraceExcludedKext(theKext);
result = false;
goto finish;
}
if (authOptions->performFilesystemValidation &&
!_OSKextBasicFilesystemAuthentication(theKext, NULL)) {
OSKextLogCFString(NULL,
kOSKextLogErrorLevel | kOSKextLogValidationFlag,
CFSTR("Kext rejected due to improper filesystem permissions: %@"),
theKext);
result = false;
goto finish;
}
if (authOptions->performSignatureValidation) {
sigResult = checkKextSignature(theKext, true, authOptions->allowNetwork);
if (sigResult != 0) {
if (isInvalidSignatureAllowed()) {
OSKextLogCFString(NULL,
kOSKextLogErrorLevel | kOSKextLogValidationFlag,
CFSTR("Kext with invalid signature (%ld) allowed: %@"),
(long)sigResult, theKext);
}
else {
OSKextLogCFString(NULL,
kOSKextLogErrorLevel | kOSKextLogValidationFlag,
CFSTR("Kext rejected due to invalid signature: %@"),
theKext);
result = false;
goto finish;
}
}
}
if (authOptions->requireSecureLocation) {
if (!kextIsInSecureLocation(theKext)) {
OSKextLogCFString(NULL,
kOSKextLogErrorLevel | kOSKextLogValidationFlag,
CFSTR("Kext rejected due to insecure location: %@"),
theKext);
result = false;
goto finish;
}
}
if (authOptions->checkDextApproval && OSKextDeclaresUserExecutable(theKext)) {
if (!isDextAllowed(theKext)) {
result = false;
OSKextLogCFString(NULL,
kOSKextLogErrorLevel | kOSKextLogValidationFlag,
CFSTR("Driver Extension is not approved to run: %@"),
theKext);
result = false;
goto finish;
}
} else if (authOptions->respectSystemPolicy && !OSKextDeclaresUserExecutable(theKext)) {
Boolean allowed = false;
if (authOptions->isCacheLoad) {
allowed = SPAllowKextLoadCache(theKext);
} else {
allowed = SPAllowKextLoad(theKext);
}
#if 0
if (!authOptions->is_kextcache) {
allowed = allowed && isAllowedToLoadThirdPartyKext(theKext);
}
#endif
if (!allowed) {
OSKextLogCFString(NULL,
kOSKextLogErrorLevel | kOSKextLogValidationFlag,
CFSTR("Kext rejected due to system policy: %@"),
theKext);
result = false;
goto finish;
}
}
result = true;
finish:
return result;
}
Boolean checkEntitlementAtURL(CFURLRef anURL, CFStringRef entitlementString, Boolean allowNetwork)
{
SecRequirementRef entitlementRef = NULL;
SecStaticCodeRef staticCodeRef = NULL;
CFStringRef entitlementReq = NULL;
SecCSFlags flags = kSecCSCheckAllArchitectures |
kSecCSStrictValidate;
bool result = false;
if (!anURL || !entitlementString) {
goto finish;
}
flags |= allowNetwork ? kSecCSEnforceRevocationChecks : kSecCSNoNetworkAccess;
if (SecStaticCodeCreateWithPath(anURL,
kSecCSDefaultFlags,
&staticCodeRef) != errSecSuccess ||
(staticCodeRef == NULL)) {
OSKextLogMemError();
goto finish;
}
entitlementReq = CFStringCreateWithFormat(
kCFAllocatorDefault,
NULL,
CFSTR("entitlement[\"%@\"] exists"),
entitlementString);
if (!entitlementReq) {
OSKextLogMemError();
goto finish;
}
if (SecRequirementCreateWithString(entitlementReq,
kSecCSDefaultFlags,
&entitlementRef) != errSecSuccess ||
(entitlementRef == NULL)) {
OSKextLogMemError();
goto finish;
}
result = (SecStaticCodeCheckValidity(staticCodeRef, flags, entitlementRef) == 0);
finish:
SAFE_RELEASE(entitlementRef);
SAFE_RELEASE(staticCodeRef);
SAFE_RELEASE(entitlementReq);
return result;
}
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations" // needed for asl_*
void messageTraceExcludedKext(OSKextRef theKext)
{
CFStringRef versionString;
CFStringRef bundleIDString;
CFURLRef kextURL = NULL; CFStringRef filename = NULL; aslmsg amsg = NULL; char *versionCString = NULL; char *bundleIDCString = NULL; char *filenameCString = NULL;
kextURL = CFURLCopyAbsoluteURL(OSKextGetURL(theKext));
if (!kextURL) {
OSKextLogMemError();
goto finish;
}
versionString = OSKextGetValueForInfoDictionaryKey(theKext,
kCFBundleVersionKey);
if (versionString) {
versionCString = createUTF8CStringForCFString(versionString);
}
bundleIDString = OSKextGetValueForInfoDictionaryKey(theKext,
kCFBundleIdentifierKey);
if (bundleIDString) {
bundleIDCString = createUTF8CStringForCFString(bundleIDString);
}
filename = CFURLCopyLastPathComponent(kextURL);
if (filename) {
filenameCString = createUTF8CStringForCFString(filename);
}
SAFE_RELEASE(filename);
amsg = asl_new(ASL_TYPE_MSG);
if (!amsg) {
OSKextLogMemError();
goto finish;
}
asl_set(amsg, kMessageTracerDomainKey, kMTKextBlockedDomain);
asl_set(amsg, kMessageTracerBundleIDKey,
bundleIDCString ? bundleIDCString : "");
asl_set(amsg, kMessageTracerVersionKey,
versionCString ? versionCString : "");
asl_set(amsg, kMessageTracerKextNameKey,
filenameCString ? filenameCString : "");
asl_log(NULL, amsg, ASL_LEVEL_NOTICE, "");
finish:
SAFE_FREE(versionCString);
SAFE_FREE(bundleIDCString);
SAFE_FREE(filenameCString);
SAFE_RELEASE(kextURL);
if (amsg) {
asl_free(amsg);
}
return;
}
#pragma clang diagnostic pop
static OSStatus checkRootCertificateIsApple(OSKextRef aKext)
{
OSStatus result = -1;
CFURLRef kextURL = NULL; SecStaticCodeRef staticCodeRef = NULL; SecRequirementRef requirementRef = NULL; CFStringRef myCFString;
CFStringRef requirementsString;
if (aKext == NULL) {
return result;
}
kextURL = CFURLCopyAbsoluteURL(OSKextGetURL(aKext));
if (!kextURL) {
OSKextLogMemError();
goto finish;
}
if (SecStaticCodeCreateWithPath(kextURL,
kSecCSDefaultFlags,
&staticCodeRef) != errSecSuccess ||
(staticCodeRef == NULL)) {
OSKextLogMemError();
goto finish;
}
myCFString = OSKextGetIdentifier(aKext);
if (_OSKextIdentifierHasApplePrefix(aKext)) {
requirementsString = CFSTR("anchor apple");
}
else {
requirementsString = CFSTR("anchor apple generic");
}
if (SecRequirementCreateWithString(requirementsString,
kSecCSDefaultFlags,
&requirementRef) != errSecSuccess ||
(requirementRef == NULL)) {
OSKextLogMemError();
goto finish;
}
result = SecStaticCodeCheckValidity(staticCodeRef,
kSecCSDefaultFlags,
requirementRef);
if (result != 0) {
OSKextLogCFString(NULL,
kOSKextLogErrorLevel | kOSKextLogLoadFlag,
CFSTR("Invalid signature %ld for kext %@"),
(long)result, aKext);
}
finish:
SAFE_RELEASE(kextURL);
SAFE_RELEASE(staticCodeRef);
SAFE_RELEASE(requirementRef);
return result;
}
void getAdhocSignatureHash(CFURLRef kextURL, char ** signatureBuffer, CFDictionaryRef codesignAttributes)
{
OSStatus status = errSecSuccess;
CFMutableDictionaryRef signdict = NULL; SecCodeSignerRef signerRef = NULL; SecStaticCodeRef staticCodeRef = NULL; CFDataRef signature = NULL; CFDictionaryRef signingDict = NULL; CFDataRef cdhash = NULL; CFMutableDictionaryRef resourceRules = NULL; CFMutableDictionaryRef rules = NULL; CFMutableDictionaryRef rules2 = NULL; CFMutableDictionaryRef omitPlugins = NULL; CFMutableDictionaryRef frameworksDict = NULL; CFMutableDictionaryRef topDict = NULL; char * tempBufPtr = NULL; CFNumberRef myNumValue = NULL; CFNumberRef myRealValue = NULL; CFNumberRef myHashNumValue = NULL;
if (codesignAttributes) {
status = SecStaticCodeCreateWithPathAndAttributes(kextURL,
kSecCSDefaultFlags,
codesignAttributes,
&staticCodeRef);
}
else {
status = SecStaticCodeCreateWithPath(kextURL,
kSecCSDefaultFlags,
&staticCodeRef);
}
if (status != errSecSuccess || staticCodeRef == NULL) {
OSKextLogMemError();
goto finish;
}
signature = CFDataCreateMutable(NULL, 0);
if (signature == NULL) {
OSKextLogMemError();
goto finish;
}
signdict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if (signdict == NULL) {
OSKextLogMemError();
goto finish;
}
CFDictionarySetValue(signdict, kSecCodeSignerIdentity, kCFNull);
CFDictionarySetValue(signdict, kSecCodeSignerDetached, signature);
int myHashNum = kSecCodeSignatureHashSHA1;
myHashNumValue = CFNumberCreate(kCFAllocatorDefault,
kCFNumberIntType, &myHashNum);
if (myHashNumValue == NULL) {
OSKextLogMemError();
goto finish;
}
CFDictionarySetValue(signdict, kSecCodeSignerDigestAlgorithm, myHashNumValue);
resourceRules = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if (resourceRules == NULL) {
OSKextLogMemError();
goto finish;
}
rules = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if (rules == NULL) {
OSKextLogMemError();
goto finish;
}
rules2 = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if (rules2 == NULL) {
OSKextLogMemError();
goto finish;
}
omitPlugins = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if (omitPlugins == NULL) {
OSKextLogMemError();
goto finish;
}
frameworksDict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if (frameworksDict == NULL) {
OSKextLogMemError();
goto finish;
}
topDict = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if (topDict == NULL) {
OSKextLogMemError();
goto finish;
}
int myNum = 100;
myNumValue = CFNumberCreate(kCFAllocatorDefault,
kCFNumberIntType, &myNum);
if (myNumValue == NULL) {
OSKextLogMemError();
goto finish;
}
CFDictionarySetValue(omitPlugins, CFSTR("omit"), kCFBooleanTrue);
CFDictionarySetValue(omitPlugins, CFSTR("weight"), myNumValue);
CFDictionarySetValue(rules, CFSTR("^.*"), kCFBooleanTrue);
CFDictionarySetValue(rules, CFSTR("^PlugIns/"), omitPlugins);
CFDictionarySetValue(resourceRules, CFSTR("rules"), rules);
float myRealNum = 0.0;
myRealValue = CFNumberCreate(kCFAllocatorDefault,
kCFNumberFloatType, &myRealNum);
if (myRealValue == NULL) {
OSKextLogMemError();
goto finish;
}
CFDictionarySetValue(frameworksDict, CFSTR("nested"), kCFBooleanTrue);
CFDictionarySetValue(frameworksDict, CFSTR("weight"), myRealValue);
CFDictionarySetValue(rules2,
CFSTR("^(Frameworks|SharedFrameworks|Plugins|Plug-ins|XPCServices|Helpers|MacOS)/"),
frameworksDict);
CFDictionarySetValue(rules2, CFSTR("^.*"), kCFBooleanTrue);
CFDictionarySetValue(rules2, CFSTR("^PlugIns/"), omitPlugins);
CFDictionarySetValue(topDict, CFSTR("top"), kCFBooleanTrue);
CFDictionarySetValue(topDict, CFSTR("weight"), myRealValue);
CFDictionarySetValue(rules2,
CFSTR("^[^/]+$"),
topDict);
CFDictionarySetValue(resourceRules, CFSTR("rules2"), rules2);
CFDictionarySetValue(signdict, kSecCodeSignerResourceRules, resourceRules);
if (SecCodeSignerCreate(signdict, kSecCSDefaultFlags | kSecCSSignOpaque, &signerRef) != 0) {
OSKextLog(NULL, kOSKextLogDebugLevel | kOSKextLogGeneralFlag,
"%s - SecCodeSignerCreate failed", __func__);
goto finish;
}
if (SecCodeSignerAddSignature(signerRef, staticCodeRef, kSecCSDefaultFlags) != 0) {
OSKextLog(NULL, kOSKextLogDebugLevel | kOSKextLogGeneralFlag,
"%s - SecCodeSignerAddSignature failed", __func__);
goto finish;
}
if (SecCodeSetDetachedSignature(staticCodeRef, signature, kSecCSDefaultFlags) != 0) {
OSKextLog(NULL, kOSKextLogDebugLevel | kOSKextLogGeneralFlag,
"%s - SecCodeSetDetachedSignature failed", __func__);
goto finish;
}
if (SecCodeCopySigningInformation(staticCodeRef, kSecCSDefaultFlags, &signingDict) != 0
|| signingDict == NULL) {
OSKextLog(NULL, kOSKextLogDebugLevel | kOSKextLogGeneralFlag,
"%s - SecCodeCopySigningInformation failed", __func__);
goto finish;
}
cdhash = (CFDataRef) CFDictionaryGetValue(signingDict, kSecCodeInfoUnique);
if (cdhash && CFGetTypeID(cdhash) == CFDataGetTypeID()) {
CFRetain(cdhash);
const UInt8 * hashDataPtr = NULL; CFIndex hashDataLen = 0;
hashDataPtr = CFDataGetBytePtr(cdhash);
hashDataLen = CFDataGetLength(cdhash);
tempBufPtr = (char *) malloc((hashDataLen + 1) * 2);
if (tempBufPtr == NULL) {
OSKextLogMemError();
goto finish;
}
#if 0
OSKextLogCFString( NULL,
kOSKextLogErrorLevel | kOSKextLogGeneralFlag,
CFSTR("%s - kextURL %@"),
__func__,
kextURL);
OSKextLogCFString( NULL,
kOSKextLogErrorLevel | kOSKextLogGeneralFlag,
CFSTR("%s - cdhash %@"),
__func__,
cdhash);
#endif
bzero(tempBufPtr, ((hashDataLen + 1) * 2));
for (int i = 0; i < hashDataLen; i++) {
sprintf(tempBufPtr + (i * 2), "%02.2x", *(hashDataPtr + i));
}
}
finish:
SAFE_RELEASE(signdict);
SAFE_RELEASE(signerRef);
SAFE_RELEASE(staticCodeRef);
SAFE_RELEASE(signature);
SAFE_RELEASE(signingDict);
SAFE_RELEASE(cdhash);
SAFE_RELEASE(resourceRules);
SAFE_RELEASE(rules);
SAFE_RELEASE(rules2);
SAFE_RELEASE(omitPlugins);
SAFE_RELEASE(frameworksDict);
SAFE_RELEASE(topDict);
SAFE_RELEASE(myNumValue);
SAFE_RELEASE(myRealValue);
SAFE_RELEASE(myHashNumValue);
*signatureBuffer = tempBufPtr;
}
static CFStringRef createArchitectureList(OSKextRef aKext, CFBooleanRef *isFat)
{
if (aKext == NULL || isFat == NULL) {
return NULL;
}
*isFat = kCFBooleanFalse;
const NXArchInfo ** archList = NULL; CFMutableArrayRef archNamesList = NULL; CFStringRef archNames = NULL; const char * archNameCString = NULL; int index = 0;
archList = OSKextCopyArchitectures(aKext);
if (!archList) {
goto finish;
}
archNamesList = CFArrayCreateMutable(kCFAllocatorDefault,
0,
&kCFTypeArrayCallBacks);
if (!archNamesList) {
goto finish;
}
for (index=0; archList[index]; index++) {
archNameCString = archList[index]->name;
if (archNameCString) {
CFStringRef archName = NULL;
archName = CFStringCreateWithCString(kCFAllocatorDefault,
archNameCString,
kCFStringEncodingUTF8);
if (archName) {
CFArrayAppendValue(archNamesList, archName);
SAFE_RELEASE_NULL(archName);
}
}
}
if (index>1) {
*isFat = kCFBooleanTrue;
}
archNames = CFStringCreateByCombiningStrings(kCFAllocatorDefault,
archNamesList,
CFSTR(" "));
if (!archNames) {
goto finish;
}
finish:
SAFE_RELEASE(archNamesList);
SAFE_FREE(archList);
return archNames;
}
static CFStringRef copyTeamID(SecCertificateRef certificate)
{
if (!certificate ||
CFGetTypeID(certificate) !=SecCertificateGetTypeID()) {
return NULL;
}
CFDictionaryRef subjectDict = NULL; CFArrayRef subjectArray = NULL; CFDictionaryRef subjectInfo = NULL; CFStringRef teamID = NULL; CFErrorRef error = NULL;
CFMutableArrayRef certificateKeys = NULL; CFDictionaryRef certificateDict = NULL;
certificateKeys = CFArrayCreateMutable(kCFAllocatorDefault,
1,
&kCFTypeArrayCallBacks);
if (!certificateKeys) {
goto finish;
}
CFArrayAppendValue(certificateKeys, kSecOIDX509V1SubjectName);
certificateDict = SecCertificateCopyValues(certificate,
certificateKeys,
&error);
if (error != errSecSuccess ||
!certificateDict ||
CFGetTypeID(certificateDict) != CFDictionaryGetTypeID()) {
goto finish;
}
subjectDict = (CFDictionaryRef) CFDictionaryGetValue(certificateDict,
kSecOIDX509V1SubjectName);
if (!subjectDict ||
CFGetTypeID(subjectDict) != CFDictionaryGetTypeID()) {
goto finish;
}
subjectArray = (CFArrayRef) CFDictionaryGetValue(subjectDict,
kSecPropertyKeyValue);
if (!subjectArray ||
CFGetTypeID(subjectArray) != CFArrayGetTypeID()) {
goto finish;
}
for (int index=0; index<CFArrayGetCount(subjectArray); index++) {
subjectInfo = (CFDictionaryRef) CFArrayGetValueAtIndex(subjectArray,
index);
if (!subjectInfo ||
CFGetTypeID(subjectInfo) != CFDictionaryGetTypeID()) {
continue;
}
CFStringRef label = NULL; label = CFDictionaryGetValue(subjectInfo,
kSecPropertyKeyLabel);
if (kCFCompareEqualTo == CFStringCompare(label,
CFSTR("0.9.2342.19200300.100.1.1"),
0)) {
teamID = CFDictionaryGetValue(subjectInfo,
kSecPropertyKeyValue);
if (teamID &&
CFGetTypeID(teamID) == CFStringGetTypeID()) {
CFRetain(teamID);
goto finish;
}
else {
teamID = NULL;
}
}
}
if (!teamID) {
for (int index=0; index<CFArrayGetCount(subjectArray); index++) {
subjectInfo = (CFDictionaryRef) CFArrayGetValueAtIndex(subjectArray,
index);
if (!subjectInfo ||
CFGetTypeID(subjectInfo) != CFDictionaryGetTypeID()) {
continue;
}
CFStringRef label = NULL; label = CFDictionaryGetValue(subjectInfo,
kSecPropertyKeyLabel);
if (kCFCompareEqualTo == CFStringCompare(label,
CFSTR("2.5.4.11"),
0)) {
teamID = CFDictionaryGetValue(subjectInfo,
kSecPropertyKeyValue);
if (teamID &&
CFGetTypeID(teamID) == CFStringGetTypeID()) {
CFRetain(teamID);
goto finish;
}
else {
teamID = NULL;
}
}
}
}
finish:
if (!teamID && subjectArray) {
CFShow(subjectArray);
}
SAFE_RELEASE(certificateKeys);
SAFE_RELEASE(certificateDict);
return teamID;
}
static CFStringRef copyIssuerCN(SecCertificateRef certificate)
{
if (!certificate ||
CFGetTypeID(certificate) !=SecCertificateGetTypeID()) {
return NULL;
}
CFStringRef issuerCN = NULL; CFDictionaryRef issuerDict = NULL; CFArrayRef issuerArray = NULL; CFDictionaryRef issuerInfo = NULL; CFErrorRef error = NULL;
CFMutableArrayRef certificateKeys = NULL; CFDictionaryRef certificateDict = NULL;
certificateKeys = CFArrayCreateMutable(kCFAllocatorDefault,
1,
&kCFTypeArrayCallBacks);
if (!certificateKeys) {
goto finish;
}
CFArrayAppendValue(certificateKeys, kSecOIDX509V1IssuerName);
certificateDict = SecCertificateCopyValues(certificate,
certificateKeys,
&error);
if (error != errSecSuccess ||
!certificateDict ||
CFGetTypeID(certificateDict) != CFDictionaryGetTypeID()) {
goto finish;
}
issuerDict = (CFDictionaryRef) CFDictionaryGetValue(certificateDict,
kSecOIDX509V1IssuerName);
if (!issuerDict ||
CFGetTypeID(issuerDict) != CFDictionaryGetTypeID()) {
goto finish;
}
issuerArray = (CFArrayRef) CFDictionaryGetValue(issuerDict,
kSecPropertyKeyValue);
if (!issuerArray ||
CFGetTypeID(issuerArray) != CFArrayGetTypeID()) {
goto finish;
}
for (int index=0; index<CFArrayGetCount(issuerArray); index++) {
issuerInfo = (CFDictionaryRef) CFArrayGetValueAtIndex(issuerArray,
index);
if (!issuerInfo ||
CFGetTypeID(issuerInfo) != CFDictionaryGetTypeID()) {
continue;
}
CFStringRef label = NULL; label = CFDictionaryGetValue(issuerInfo,
kSecPropertyKeyLabel);
if (kCFCompareEqualTo == CFStringCompare(label,
CFSTR("2.5.4.3"),
0)) {
issuerCN = CFDictionaryGetValue(issuerInfo,
kSecPropertyKeyValue);
if (issuerCN &&
CFGetTypeID(issuerCN) == CFStringGetTypeID()) {
CFRetain(issuerCN);
goto finish;
}
else {
issuerCN = NULL;
}
}
}
finish:
SAFE_RELEASE(certificateDict);
SAFE_RELEASE(certificateKeys);
return issuerCN;
}
static CFStringRef copyCDHash(SecStaticCodeRef code)
{
CFDictionaryRef signingInfo = NULL; char * tempBufPtr = NULL; const UInt8 * hashDataPtr = NULL; CFDataRef cdhash = NULL; CFStringRef hash = NULL; CFIndex hashDataLen = 0;
SecCodeCopySigningInformation(code,
kSecCSDefaultFlags,
&signingInfo);
if (!signingInfo) {
goto finish;
}
cdhash = CFDictionaryGetValue(signingInfo, kSecCodeInfoUnique);
if (!cdhash ||
CFGetTypeID(cdhash) != CFDataGetTypeID()) {
goto finish;
}
hashDataPtr = CFDataGetBytePtr(cdhash);
hashDataLen = CFDataGetLength(cdhash);
tempBufPtr = (char *) malloc((hashDataLen + 1) * 2);
if (tempBufPtr == NULL) {
OSKextLogMemError();
goto finish;
}
bzero(tempBufPtr, ((hashDataLen + 1) * 2));
for (int i = 0; i < hashDataLen; i++) {
sprintf(tempBufPtr + (i * 2), "%02.2x", *(hashDataPtr + i));
}
if (tempBufPtr) {
hash = CFStringCreateWithCString(kCFAllocatorDefault,
tempBufPtr,
kCFStringEncodingUTF8);
}
finish:
SAFE_FREE(tempBufPtr);
SAFE_RELEASE(signingInfo);
return hash;
}
CFStringRef copyCDHashFromURL(CFURLRef anURL)
{
SecStaticCodeRef code = NULL; CFStringRef cdHash = NULL;
if (!anURL) {
goto finish;
}
if (SecStaticCodeCreateWithPath(anURL,
kSecCSDefaultFlags,
&code) != 0
|| (code == NULL)) {
OSKextLogMemError();
goto finish;
}
cdHash = copyCDHash(code);
finish:
SAFE_RELEASE(code);
return cdHash;
}
void copySigningInfo(CFURLRef kextURL,
CFStringRef* cdhash,
CFStringRef* teamId,
CFStringRef* subjectCN,
CFStringRef* issuerCN)
{
if (!kextURL) {
return;
}
SecStaticCodeRef code = NULL; CFDictionaryRef information = NULL;
SecCertificateRef issuerCertificate = NULL; CFArrayRef certificateChain = NULL; OSStatus status;
CFIndex count;
if (SecStaticCodeCreateWithPath(kextURL,
kSecCSDefaultFlags,
&code) != 0
|| (code == NULL)) {
OSKextLogMemError();
goto finish;
}
if (cdhash) {
*cdhash = copyCDHash(code);
}
status = SecCodeCopySigningInformation(code,
kSecCSSigningInformation,
&information);
if (status != noErr) {
goto finish;
}
certificateChain = (CFArrayRef) CFDictionaryGetValue(information, kSecCodeInfoCertificates);
if (!certificateChain ||
CFGetTypeID(certificateChain) != CFArrayGetTypeID()) {
goto finish;
}
count = CFArrayGetCount(certificateChain);
if (count < 1) {
goto finish;
}
issuerCertificate = (SecCertificateRef) CFArrayGetValueAtIndex(certificateChain, 0);
if (!issuerCertificate) {
goto finish;
}
if (subjectCN) {
SecCertificateCopyCommonName(issuerCertificate, subjectCN);
}
if (teamId) {
*teamId = copyTeamID(issuerCertificate);
}
if (issuerCN) {
*issuerCN = copyIssuerCN(issuerCertificate);
}
finish:
SAFE_RELEASE(code);
SAFE_RELEASE(information);
return;
}
static CFArrayRef copySubjectCNArray(CFURLRef kextURL)
{
if (!kextURL) {
return NULL;
}
CFMutableArrayRef subjectCNArray = NULL; CFArrayRef certificateChain = NULL; SecCertificateRef certificate = NULL;
SecStaticCodeRef code = NULL; CFDictionaryRef information = NULL;
OSStatus status;
CFIndex count;
subjectCNArray = CFArrayCreateMutable(kCFAllocatorDefault,
0,
&kCFTypeArrayCallBacks);
if (!subjectCNArray) {
goto finish;
}
if (SecStaticCodeCreateWithPath(kextURL,
kSecCSDefaultFlags,
&code) != 0
|| (code == NULL)) {
OSKextLogMemError();
goto finish;
}
status = SecCodeCopySigningInformation(code,
kSecCSSigningInformation,
&information);
if (status != noErr) {
goto finish;
}
certificateChain = (CFArrayRef) CFDictionaryGetValue(information, kSecCodeInfoCertificates);
if (!certificateChain ||
CFGetTypeID(certificateChain) != CFArrayGetTypeID()) {
goto finish;
}
count = CFArrayGetCount(certificateChain);
if (count < 1) {
goto finish;
}
for (CFIndex i=0; i<count; i++) {
certificate = (SecCertificateRef) CFArrayGetValueAtIndex(certificateChain, i);
CFStringRef subjectCN = NULL; SecCertificateCopyCommonName(certificate, &subjectCN);
if (subjectCN) {
CFArrayAppendValue(subjectCNArray, subjectCN);
SAFE_RELEASE(subjectCN);
}
}
finish:
SAFE_RELEASE(code);
SAFE_RELEASE(information);
return subjectCNArray;
}
typedef struct {
CFMutableArrayRef personalities;
} __OSKextPersonalityBundleIdentifierContext;
static void __OSKextPersonalityBundleIdentifierApplierFunction(
const void * vKey,
const void * vValue,
void * vContext)
{
CFStringRef personalityName = (CFStringRef)vKey;
CFMutableDictionaryRef personality = (CFMutableDictionaryRef)vValue;
__OSKextPersonalityBundleIdentifierContext * context =
(__OSKextPersonalityBundleIdentifierContext *)vContext;
CFMutableArrayRef personalities = context->personalities;
io_service_t match;
if (!personalities) return;
CFRetain(personality);
match = IOServiceGetMatchingService(kIOMasterPortDefault, personality);
if (MACH_PORT_NULL != match) {
IOObjectRelease(match);
CFArrayAppendValue(personalities, personalityName);
}
}
static void filterKextLoadForMT(OSKextRef aKext, CFMutableArrayRef kextList, Boolean userLoad)
{
if (aKext == NULL || kextList == NULL)
return;
CFStringRef versionString; CFStringRef bundleIDString; CFStringRef kextSigningCategory = NULL; CFDateRef timestamp = NULL; CFBooleanRef isFat = kCFBooleanFalse; CFBooleanRef isSigned = kCFBooleanFalse; CFURLRef kextURL = NULL; CFURLRef kextExecURL = NULL; CFStringRef kextPath = NULL; CFStringRef kextExecPath = NULL; CFStringRef filename = NULL; CFStringRef hashString = NULL; CFStringRef archString = NULL; CFStringRef teamId = NULL; CFStringRef subjectCN = NULL; CFStringRef issuerCN = NULL; CFBooleanRef codeless = kCFBooleanFalse;
SecStaticCodeRef code = NULL; CFDictionaryRef information = NULL; CFDictionaryRef personalities = NULL; CFMutableDictionaryRef kextDict = NULL; char * hashCString = NULL; OSStatus status = noErr;
__OSKextPersonalityBundleIdentifierContext context = { 0 };
kextURL = CFURLCopyAbsoluteURL(OSKextGetURL(aKext));
if (!kextURL) {
OSKextLogMemError();
goto finish;
}
kextPath = CFURLCopyFileSystemPath(kextURL, kCFURLPOSIXPathStyle);
if (!kextPath) {
OSKextLogMemError();
goto finish;
}
versionString = OSKextGetValueForInfoDictionaryKey(aKext,
kCFBundleVersionKey);
bundleIDString = OSKextGetValueForInfoDictionaryKey(aKext,
kCFBundleIdentifierKey);
filename = CFURLCopyLastPathComponent(kextURL);
archString = createArchitectureList(aKext, &isFat);
if (OSKextDeclaresExecutable(aKext)) {
kextExecURL = CFURLCopyAbsoluteURL(OSKextGetKernelExecutableURL(aKext));
if (kextExecURL) kextExecPath = CFURLCopyFileSystemPath(kextExecURL, kCFURLPOSIXPathStyle);
} else {
codeless = kCFBooleanTrue;
}
if (SecStaticCodeCreateWithPath(kextURL,
kSecCSDefaultFlags,
&code) != 0
|| (code == NULL)) {
OSKextLogMemError();
goto finish;
}
status = SecCodeCopySigningInformation(code,
kSecCSSigningInformation,
&information);
if (status != noErr) {
goto finish;
}
isSigned = CFDictionaryContainsKey(information, kSecCodeInfoIdentifier);
if (!isSigned) {
kextSigningCategory = CFSTR(kUnsignedKext);
getAdhocSignatureHash(kextURL, &hashCString, NULL);
if (hashCString) {
hashString = CFStringCreateWithCString(kCFAllocatorDefault,
hashCString,
kCFStringEncodingUTF8);
}
}
else {
CFStringRef myCFString = NULL; myCFString = OSKextGetIdentifier(aKext);
timestamp = CFDictionaryGetValue(information, kSecCodeInfoTimestamp);
if (timestamp && (CFDateGetTypeID() != CFGetTypeID(timestamp))) {
timestamp = NULL;
}
status = checkKextSignature(aKext, true, true);
if (_OSKextIdentifierHasApplePrefix(aKext)) {
if (status == noErr) {
goto finish;
}
else {
kextSigningCategory = CFSTR(kUnsignedKext);
copySigningInfo(kextURL,
&hashString,
&teamId,
NULL,
&issuerCN);
CFArrayRef subjectCNArray = NULL; subjectCNArray = copySubjectCNArray(kextURL);
if (subjectCNArray) {
subjectCN = CFStringCreateByCombiningStrings(kCFAllocatorDefault,
subjectCNArray,
CFSTR(";"));
SAFE_RELEASE(subjectCNArray);
}
}
}
else {
if (status == noErr) {
kextSigningCategory = CFSTR(k3rdPartyKextWithDevIdPlus);
copySigningInfo(kextURL,
&hashString,
&teamId,
&subjectCN,
&issuerCN);
}
else if (status == CSSMERR_TP_CERT_REVOKED) {
kextSigningCategory = CFSTR(k3rdPartyKextWithRevokedDevIdPlus);
copySigningInfo(kextURL,
&hashString,
&teamId,
&subjectCN,
&issuerCN);
}
else {
status = checkRootCertificateIsApple(aKext);
if (status == noErr) {
kextSigningCategory = CFSTR(k3rdPartyKextWithAppleRoot);
copySigningInfo(kextURL,
&hashString,
&teamId,
NULL,
&issuerCN);
CFArrayRef subjectCNArray = NULL; subjectCNArray = copySubjectCNArray(kextURL);
if (subjectCNArray) {
subjectCN = CFStringCreateByCombiningStrings(kCFAllocatorDefault,
subjectCNArray,
CFSTR(";"));
SAFE_RELEASE(subjectCNArray);
}
}
else {
kextSigningCategory = CFSTR(k3rdPartyKextWithoutAppleRoot);
copySigningInfo(kextURL,
&hashString,
NULL,
NULL,
NULL);
}
}
}
}
personalities = OSKextGetValueForInfoDictionaryKey(aKext,
CFSTR(kIOKitPersonalitiesKey));
if (personalities
&& (CFGetTypeID(personalities) == CFDictionaryGetTypeID())
&& (CFDictionaryGetCount(personalities) > 1))
{
context.personalities = CFArrayCreateMutable(kCFAllocatorDefault,
0,
&kCFTypeArrayCallBacks);
CFDictionaryApplyFunction(personalities,
__OSKextPersonalityBundleIdentifierApplierFunction,
&context);
}
kextDict = CFDictionaryCreateMutable(kCFAllocatorDefault,
0,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if (!kextDict) {
OSKextLogMemError();
goto finish;
}
if (bundleIDString) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerBundleIDKey),
bundleIDString);
}
if (versionString) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerVersionKey),
versionString);
}
if (filename) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerKextNameKey),
filename);
}
if (isFat != NULL) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerFatKey),
isFat);
}
if (archString) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerArchKey),
archString);
}
if (kextSigningCategory) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerSignatureTypeKey),
kextSigningCategory);
}
if (hashString) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerHashKey),
hashString);
}
if (teamId) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerTeamIdKey),
teamId);
}
if (subjectCN) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerSubjectCNKey),
subjectCN);
}
if (issuerCN) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerIssuerCNKey),
issuerCN);
}
if (kextPath) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerPathKey),
kextPath);
}
if (kextExecPath) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerExecPathKey),
kextExecPath);
}
if (timestamp) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerSigningTimeKey),
timestamp);
}
CFDictionaryAddValue(kextDict, CFSTR(kMessageTracerCodelessKey), codeless);
if (userLoad) {
CFDictionaryAddValue(kextDict, CFSTR(kMessageTracerUserLoadKey), kCFBooleanTrue);
}
if (context.personalities && CFArrayGetCount(context.personalities)) {
CFDictionaryAddValue(kextDict,
CFSTR(kMessageTracerPersonalityNamesKey),
context.personalities);
}
CFArrayAppendValue(kextList, kextDict);
finish:
SAFE_FREE(hashCString);
SAFE_RELEASE(kextURL);
SAFE_RELEASE(kextExecURL);
SAFE_RELEASE(kextPath);
SAFE_RELEASE(kextExecPath);
SAFE_RELEASE(filename);
SAFE_RELEASE(hashString);
SAFE_RELEASE(kextDict);
SAFE_RELEASE(archString);
SAFE_RELEASE(teamId);
SAFE_RELEASE(subjectCN);
SAFE_RELEASE(issuerCN);
SAFE_RELEASE(code);
SAFE_RELEASE(information);
SAFE_RELEASE(context.personalities);
return;
}
void
recordKextLoadListForMT(CFArrayRef kextList, Boolean userLoad)
{
CFIndex count, i;
CFMutableArrayRef kextsToMessageTrace = NULL; OSKextRef aKext;
if (kextList && (count = CFArrayGetCount(kextList))) {
kextsToMessageTrace = CFArrayCreateMutable(kCFAllocatorDefault,
CFArrayGetCount(kextList),
&kCFTypeArrayCallBacks);
if (kextsToMessageTrace) {
for (i = 0; i < count; i ++) {
aKext = (OSKextRef)CFArrayGetValueAtIndex(kextList, i);
filterKextLoadForMT(aKext, kextsToMessageTrace, userLoad);
}
if (CFArrayGetCount(kextsToMessageTrace)) {
postNoteAboutKextLoadsMT(CFSTR("Loaded Kext Notification"),
kextsToMessageTrace);
}
SAFE_RELEASE(kextsToMessageTrace);
}
}
}
void recordKextLoadForMT(OSKextRef aKext, Boolean userLoad)
{
CFMutableArrayRef myArray = NULL;
if (!aKext)
return;
myArray = CFArrayCreateMutable(kCFAllocatorDefault,
1,
&kCFTypeArrayCallBacks);
if (myArray) {
CFArrayAppendValue(myArray, aKext);
recordKextLoadListForMT(myArray, userLoad);
SAFE_RELEASE(myArray);
}
}
OSStatus checkKextSignature(OSKextRef aKext,
Boolean checkExceptionList,
Boolean allowNetwork)
{
OSStatus result = errSecCSSignatureFailed;
CFURLRef kextURL = NULL; SecStaticCodeRef staticCodeRef = NULL; SecRequirementRef requirementRef = NULL; CFStringRef myCFString;
CFStringRef requirementsString;
SecCSFlags flags = 0;
if (aKext == NULL) {
return result;
}
kextURL = CFURLCopyAbsoluteURL(OSKextGetURL(aKext));
if (!kextURL) {
OSKextLogMemError();
goto finish;
}
if (SecStaticCodeCreateWithPath(kextURL,
kSecCSDefaultFlags,
&staticCodeRef) != errSecSuccess ||
(staticCodeRef == NULL)) {
OSKextLogMemError();
goto finish;
}
myCFString = OSKextGetIdentifier(aKext);
if (_OSKextIdentifierHasApplePrefix(aKext)) {
requirementsString = CFSTR("anchor apple");
} else if (OSKextDeclaresUserExecutable(aKext)) {
requirementsString = CFSTR("(anchor apple "
"or (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] exists) "
"or (anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists "
"and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and notarized) "
"or (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9.1] exists) "
"or (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.12] exists)) "
"and entitlement[" DEXT_LAUNCH_ENTITLEMENT "] exists");
} else {
requirementsString =
CFSTR("anchor apple generic "
"and certificate 1[field.1.2.840.113635.100.6.2.6] "
"and certificate leaf[field.1.2.840.113635.100.6.1.13] "
"and certificate leaf[field.1.2.840.113635.100.6.1.18]" );
}
if (SecRequirementCreateWithString(requirementsString,
kSecCSDefaultFlags,
&requirementRef) != errSecSuccess ||
(requirementRef == NULL)) {
OSKextLogMemError();
goto finish;
}
flags = kSecCSCheckAllArchitectures | kSecCSStrictValidate;
flags |= allowNetwork ? kSecCSEnforceRevocationChecks : kSecCSNoNetworkAccess;
result = SecStaticCodeCheckValidity(staticCodeRef, flags, requirementRef);
if ( result != 0 &&
checkExceptionList ) {
if (errSecCSWeakResourceEnvelope == result ||
errSecCSBadObjectFormat == result ||
errSecCSBadMainExecutable == result) {
if (isInStrictExceptionList(aKext, kextURL, true)) {
result = 0;
}
}
else {
if (isInExceptionList(aKext, kextURL, true)) {
result = 0;
}
}
}
finish:
SAFE_RELEASE(kextURL);
SAFE_RELEASE(staticCodeRef);
SAFE_RELEASE(requirementRef);
return result;
}
Boolean isAllowedToLoadThirdPartyKext(OSKextRef theKext)
{
static CFArrayRef sValidThirdPartyHashes = NULL;
static CFArrayRef sValidThirdPartyBundles = NULL;
static CFArrayRef sExceptionListBundles = NULL;
static bool sLoadedThirdPartyKextList = false;
Boolean result = FALSE;
CFStringRef myCFString;
CFDataRef cdhash = NULL; CFStringRef theKextBundleID = NULL; CFURLRef theKextURL = NULL; SecStaticCodeRef staticCodeRef = NULL; CFDictionaryRef signingInfo = NULL; bool kextIsDarwinupInstalled = false;
myCFString = OSKextGetIdentifier(theKext);
if (_OSKextIdentifierHasApplePrefix(theKext)) {
return TRUE;
}
if (!OSKextDeclaresExecutable(theKext) || OSKextDeclaresUserExecutable(theKext)) {
return TRUE;
}
if (!sLoadedThirdPartyKextList) {
bool rc = readKextHashAllowList(true, NULL, &sValidThirdPartyHashes, &sValidThirdPartyBundles, &sExceptionListBundles);
if (!rc) {
sValidThirdPartyHashes = CFArrayCreate(kCFAllocatorDefault, NULL, 0, &kCFTypeArrayCallBacks);
sValidThirdPartyBundles = CFArrayCreate(kCFAllocatorDefault, NULL, 0, &kCFTypeArrayCallBacks);
sExceptionListBundles = CFArrayCreate(kCFAllocatorDefault, NULL, 0, &kCFTypeArrayCallBacks);
}
sLoadedThirdPartyKextList = true;
}
if (!sValidThirdPartyHashes || !sValidThirdPartyBundles || !sExceptionListBundles) {
OSKextLogCFString(theKext,
kOSKextLogErrorLevel | kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
CFSTR("Cannot evaluate third party kext loads to to error reading allowed list."));
goto out;
}
theKextURL = CFURLCopyAbsoluteURL(OSKextGetURL(theKext));
if (!theKextURL) {
OSKextLogMemError();
goto out;
}
if (csr_check(CSR_ALLOW_APPLE_INTERNAL) == 0) {
ssize_t ret;
char buf[32] = {};
char kextPath[PATH_MAX] = {};
CFURLRef unstagedURL = copyUnstagedKextURL(theKextURL);
if (!CFURLGetFileSystemRepresentation(unstagedURL, true,
(UInt8 *)kextPath, sizeof(kextPath))) {
OSKextLogMemError();
goto out;
}
SAFE_RELEASE(unstagedURL);
ret = getxattr(kextPath, "com.apple.root.installed", buf, sizeof(buf), 0, 0);
if (ret > 0) {
kextIsDarwinupInstalled = true;
}
}
if (SecStaticCodeCreateWithPath(theKextURL,
kSecCSDefaultFlags,
&staticCodeRef) != errSecSuccess ||
(staticCodeRef == NULL)) {
OSKextLogMemError();
goto out;
}
SecCodeCopySigningInformation(staticCodeRef,
kSecCSDefaultFlags,
&signingInfo);
if (!signingInfo) {
OSKextLogMemError();
goto out;
}
theKextBundleID = OSKextGetValueForInfoDictionaryKey(theKext,
kCFBundleIdentifierKey);
cdhash = CFDictionaryGetValue(signingInfo, kSecCodeInfoUnique);
if (!cdhash || (CFGetTypeID(cdhash) != CFDataGetTypeID())) {
for (int idx = 0; idx < CFArrayGetCount(sExceptionListBundles); idx++) {
CFStringRef validBundle = (CFStringRef)CFArrayGetValueAtIndex(sExceptionListBundles, idx);
if (CFStringCompare(validBundle, theKextBundleID, kCFCompareCaseInsensitive) == kCFCompareEqualTo) {
result = TRUE;
OSKextLogCFString(theKext,
kOSKextLogBasicLevel | kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
CFSTR("kext: %@ is in explicit exception list: allowing load"), theKext);
goto out;
}
}
if (isInExceptionList(theKext, theKextURL, TRUE)) {
OSKextLogCFString(theKext,
kOSKextLogErrorLevel | kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
CFSTR("%@ is in the exception list, but requires a reboot before loading."), theKext);
} else {
OSKextLogCFString(theKext,
kOSKextLogErrorLevel | kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
CFSTR("%@ is missing or has an invalid CDHash. Disallowing load."), theKext);
}
goto out;
}
const UInt8 *cdhash_ptr = CFDataGetBytePtr(cdhash);
const CFIndex cdhash_len = CFDataGetLength(cdhash);
for (int idx = 0; idx < CFArrayGetCount(sValidThirdPartyHashes); idx++) {
CFDataRef validhash = (CFDataRef)CFArrayGetValueAtIndex(sValidThirdPartyHashes, idx);
if (cdhash_len != CFDataGetLength(validhash)) {
continue;
}
const UInt8 *vptr = CFDataGetBytePtr(validhash);
if (memcmp(cdhash_ptr, vptr, (size_t)cdhash_len) == 0) {
result = TRUE;
OSKextLogCFString(theKext,
kOSKextLogBasicLevel | kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
CFSTR("kext: %@ is in allowed list of cdhashes"), theKext);
goto out;
}
}
for (int idx = 0; idx < CFArrayGetCount(sValidThirdPartyBundles); idx++) {
CFStringRef validBundle = (CFStringRef)CFArrayGetValueAtIndex(sValidThirdPartyBundles, idx);
if (CFStringCompare(validBundle, theKextBundleID, kCFCompareCaseInsensitive) == kCFCompareEqualTo) {
result = TRUE;
OSKextLogCFString(theKext,
kOSKextLogBasicLevel | kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
CFSTR("kext: %@ is in allowed list of bundleIDs"), theKext);
goto out;
}
}
OSKextLogCFString(theKext,
kOSKextLogErrorLevel | kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
CFSTR("Could not find %@ (bundleID:%@ cdhash:%@) in list of %lu/%lu allowed 3rd party kexts."),
theKext, theKextBundleID, cdhash,
CFArrayGetCount(sValidThirdPartyHashes),
CFArrayGetCount(sValidThirdPartyBundles));
OSKextLogCFString(theKext,
kOSKextLogErrorLevel | kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
CFSTR("If this kext was just installed, a reboot is required to allow it to load."));
out:
if (result != TRUE && (kextIsDarwinupInstalled || (csr_check(CSR_ALLOW_UNTRUSTED_KEXTS) == 0))) {
if (kextIsDarwinupInstalled) {
OSKextLogCFString(theKext,
kOSKextLogBasicLevel | kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
CFSTR("Allowing 3rd party / unsigned kext installed via darwinup: %@"), theKext);
} else {
OSKextLogCFString(theKext,
kOSKextLogBasicLevel | kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
CFSTR("Allowing 3rd party kext w/o reboot: %@"), theKext);
}
result = TRUE;
}
SAFE_RELEASE(theKextURL);
SAFE_RELEASE(signingInfo);
SAFE_RELEASE(staticCodeRef);
return result;
}
Boolean isInExceptionList(OSKextRef theKext,
CFURLRef theKextURL,
Boolean useCache)
{
Boolean result = false;
CFURLRef kextURL = NULL; CFStringRef kextID = NULL; OSKextRef excludelistKext = NULL; CFDictionaryRef tempDict = NULL; static CFDictionaryRef sExceptionHashListDict = NULL;
if (useCache == false || sExceptionHashListDict == NULL) {
if (sExceptionHashListDict) {
SAFE_RELEASE_NULL(sExceptionHashListDict);
}
kextID = CFStringCreateWithCString(kCFAllocatorDefault,
"com.apple.driver.KextExcludeList",
kCFStringEncodingUTF8);
if (kextID == NULL) {
OSKextLogStringError( NULL);
goto finish;
}
excludelistKext = OSKextCreateWithIdentifier(kCFAllocatorDefault,
kextID);
if (excludelistKext == NULL) {
goto finish;
}
if (csr_check(CSR_ALLOW_UNTRUSTED_KEXTS) != 0) {
if (checkKextSignature(excludelistKext, false, false) != 0) {
char kextPath[PATH_MAX];
if (!CFURLGetFileSystemRepresentation(OSKextGetURL(excludelistKext),
false,
(UInt8 *)kextPath,
sizeof(kextPath))) {
strlcpy(kextPath, "(unknown)", sizeof(kextPath));
}
OSKextLog( NULL,
kOSKextLogErrorLevel | kOSKextLogArchiveFlag |
kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
"%s has invalid signature; Trust cache is disabled.",
kextPath);
goto finish;
}
}
tempDict = OSKextGetValueForInfoDictionaryKey(
excludelistKext,
CFSTR("OSKextSigExceptionHashList") );
if (tempDict) {
if ((unsigned int)CFDictionaryGetCount(tempDict) > 0) {
sExceptionHashListDict = CFDictionaryCreateCopy(NULL, tempDict);
}
}
}
if (theKext == NULL && theKextURL == NULL) {
goto finish;
}
if (sExceptionHashListDict) {
if (theKextURL == NULL) {
kextURL = CFURLCopyAbsoluteURL(OSKextGetURL(theKext));
if (kextURL == NULL) {
OSKextLogMemError();
goto finish;
}
theKextURL = kextURL;
}
if (hashIsInExceptionList(theKextURL, sExceptionHashListDict, NULL)) {
result = true;
goto finish;
}
}
finish:
SAFE_RELEASE(kextURL);
SAFE_RELEASE(kextID);
SAFE_RELEASE(excludelistKext);
return result;
}
Boolean isInStrictExceptionList(OSKextRef theKext,
CFURLRef theKextURL,
Boolean useCache)
{
Boolean result = false;
CFURLRef kextURL = NULL; CFStringRef kextID = NULL; OSKextRef excludelistKext = NULL; CFDictionaryRef tempDict = NULL; CFMutableDictionaryRef attributes = NULL; static CFDictionaryRef sStrictExceptionHashListDict = NULL; const NXArchInfo *targetArch = NULL; CFStringRef archName = NULL;
attributes = CFDictionaryCreateMutable(kCFAllocatorDefault,
1,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if (!attributes) {
OSKextLogMemError();
goto finish;
}
targetArch = OSKextGetRunningKernelArchitecture();
if (!targetArch) {
OSKextLogCFString(theKext,
kOSKextLogErrorLevel | kOSKextLogArchiveFlag |
kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
CFSTR("Loading kext with identifier %@ failed retrieving running kernel architecture."),
OSKextGetIdentifier(theKext));
goto finish;
}
archName = CFStringCreateWithCString(NULL, targetArch->name, kCFStringEncodingASCII);
if (!archName) {
OSKextLogMemError();
goto finish;
}
CFDictionaryAddValue(attributes, kSecCodeAttributeArchitecture, archName);
if (useCache == false || sStrictExceptionHashListDict == NULL) {
if (sStrictExceptionHashListDict) {
SAFE_RELEASE_NULL(sStrictExceptionHashListDict);
}
kextID = CFStringCreateWithCString(kCFAllocatorDefault,
"com.apple.driver.KextExcludeList",
kCFStringEncodingUTF8);
if (kextID == NULL) {
OSKextLogStringError( NULL);
goto finish;
}
excludelistKext = OSKextCreateWithIdentifier(kCFAllocatorDefault,
kextID);
if (excludelistKext == NULL) {
goto finish;
}
if (csr_check(CSR_ALLOW_UNTRUSTED_KEXTS) != 0) {
if (checkKextSignature(excludelistKext, false, false) != 0) {
char kextPath[PATH_MAX];
if (!CFURLGetFileSystemRepresentation(OSKextGetURL(excludelistKext),
false,
(UInt8 *)kextPath,
sizeof(kextPath))) {
strlcpy(kextPath, "(unknown)", sizeof(kextPath));
}
OSKextLog( NULL,
kOSKextLogErrorLevel | kOSKextLogArchiveFlag |
kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
"%s has invalid signature; Trust cache is disabled.",
kextPath);
goto finish;
}
}
tempDict = OSKextGetValueForInfoDictionaryKey(
excludelistKext,
CFSTR("OSKextStrictExceptionHashList") );
if (tempDict) {
if ((unsigned int)CFDictionaryGetCount(tempDict) > 0) {
sStrictExceptionHashListDict = CFDictionaryCreateCopy(NULL, tempDict);
}
}
}
if (theKext == NULL && theKextURL == NULL) {
goto finish;
}
if (sStrictExceptionHashListDict) {
if (theKextURL == NULL) {
kextURL = CFURLCopyAbsoluteURL(OSKextGetURL(theKext));
if (kextURL == NULL) {
OSKextLogMemError();
goto finish;
}
theKextURL = kextURL;
}
if (hashIsInExceptionList(theKextURL, sStrictExceptionHashListDict, attributes)) {
result = true;
goto finish;
} else {
char kextPath[PATH_MAX];
if (!CFURLGetFileSystemRepresentation(OSKextGetURL(theKext),
false, (UInt8 *)kextPath, sizeof(kextPath))) {
strlcpy(kextPath, "(unknown)", sizeof(kextPath));
}
OSKextLog(theKext,
kOSKextLogErrorLevel | kOSKextLogArchiveFlag |
kOSKextLogAuthenticationFlag | kOSKextLogGeneralFlag,
"%s does not appear in strict exception list for architecture: %s",
kextPath, targetArch->name);
}
}
finish:
SAFE_RELEASE(archName);
SAFE_RELEASE(attributes);
SAFE_RELEASE(kextURL);
SAFE_RELEASE(kextID);
SAFE_RELEASE(excludelistKext);
return result;
}
static Boolean hashIsInExceptionList(CFURLRef theKextURL,
CFDictionaryRef theDict,
CFDictionaryRef codesignAttributes)
{
Boolean result = false;
char * hashCString = NULL; CFStringRef hashString = NULL; CFStringRef kextInfoString = NULL;
if (theKextURL == NULL) {
goto finish;
}
getAdhocSignatureHash(theKextURL, &hashCString, codesignAttributes);
if (hashCString == NULL) {
goto finish;
}
hashString = CFStringCreateWithCString(kCFAllocatorDefault,
hashCString,
kCFStringEncodingUTF8);
if (hashString == NULL) {
OSKextLogMemError();
goto finish;
}
kextInfoString = CFDictionaryGetValue(theDict, hashString);
if (kextInfoString == NULL ||
CFGetTypeID(kextInfoString) != CFStringGetTypeID()) {
goto finish;
}
OSKextLogCFString(NULL,
kOSKextLogGeneralFlag | kOSKextLogErrorLevel,
CFSTR("kext %@ is in hash exception list, allowing to load"),
theKextURL);
result = true;
finish:
SAFE_RELEASE(hashString);
SAFE_FREE(hashCString);
return result;
}
#define KEXT_DEV_MODE_STRING "kext-dev-mode"
enum {
kKextDevModeFlagsIgnoreKextSigFailures = 0x00000001ULL,
kKextDevModeFlagsDisableAutoRebuild = 0x00000002ULL,
};
#if 0 // obsolete with 19635687
Boolean isDevMode(void)
{
uint64_t kextDevModeFlags;
kextDevModeFlags = getKextDevModeFlags();
return(kextDevModeFlags & kKextDevModeFlagsIgnoreKextSigFailures);
}
#endif
Boolean isPrelinkedKernelAutoRebuildDisabled(void)
{
uint32_t kextDevModeFlags = 0x00;
if (csr_check(CSR_ALLOW_UNTRUSTED_KEXTS) == 0) {
kextDevModeFlags = getKextDevModeFlags();
}
return(kextDevModeFlags & kKextDevModeFlagsDisableAutoRebuild);
}
static uint32_t getKextDevModeFlags(void)
{
uint32_t kext_dev_mode = 0;
(void)get_bootarg_int(KEXT_DEV_MODE_STRING, &kext_dev_mode);
return kext_dev_mode;
}
Boolean isInLibraryExtensionsFolder(OSKextRef theKext)
{
CFStringRef myKextPath = NULL; Boolean myResult = false;
myKextPath = copyKextPath(theKext);
if ( myKextPath ) {
if ( CFStringHasPrefix(myKextPath,
CFSTR(_kOSKextLibraryExtensionsFolder)) ) {
myResult = true;
}
}
SAFE_RELEASE(myKextPath);
return(myResult);
}
Boolean isInSystemLibraryExtensionsFolder(OSKextRef theKext)
{
CFStringRef myKextPath = NULL; Boolean myResult = false;
myKextPath = copyKextPath(theKext);
if ( myKextPath ) {
if ( CFStringHasPrefix(myKextPath,
CFSTR(_kOSKextSystemLibraryExtensionsFolder)) ) {
myResult = true;
}
}
SAFE_RELEASE(myKextPath);
return(myResult);
}
Boolean isInvalidSignatureAllowed(void)
{
Boolean result = false;
if (csr_check(CSR_ALLOW_UNTRUSTED_KEXTS) == 0 || csr_check(CSR_ALLOW_APPLE_INTERNAL) == 0) {
result = true;
}
else {
OSKextLog( NULL,
kOSKextLogErrorLevel | kOSKextLogGeneralFlag,
"Untrusted kexts are not allowed");
}
return(result);
}
#include <Security/SecKeychainPriv.h>
int callSecKeychainMDSInstall( void )
{
static int calledOnce = 0;
static int result = 0;
if (calledOnce) return(result);
calledOnce++;
if (isKextdRunning() == FALSE) {
OSStatus err;
err = SecKeychainMDSInstall();
if (err != errSecSuccess) {
OSKextLog( NULL,
kOSKextLogErrorLevel | kOSKextLogGeneralFlag,
"Error in security framework, error %d.", (int) err);
result = err;
}
}
return(result);
}
#include <servers/bootstrap.h> // bootstrap mach ports
Boolean isKextdRunning(void)
{
mach_port_t kextd_port = MACH_PORT_NULL;
kern_return_t kern_result = 0;
kern_result = bootstrap_look_up(bootstrap_port,
(char *)KEXTD_SERVER_NAME,
&kextd_port);
if (kern_result == kOSReturnSuccess && kextd_port != MACH_PORT_NULL) {
return( TRUE );
}
return( FALSE );
}
Boolean isNetBooted(void)
{
Boolean isNetBooted = FALSE;
uint32_t isNetBootInt = 0;
size_t size = sizeof(isNetBootInt);
int error = 0;
error = sysctlbyname("kern.netboot", (void*)&isNetBootInt, &size, NULL, 0);
if (error != 0)
{
OSKextLog( NULL,
kOSKextLogErrorLevel | kOSKextLogGeneralFlag,
"Unable to read netboot sysctl: %d", error);
isNetBooted = FALSE;
goto __out;
}
isNetBooted = isNetBootInt != 0;
__out:
return isNetBooted;
}
#if HAVE_DANGERZONE
void copyKextPathToBuffer(OSKextRef kext, char *buffer, size_t buffer_size) {
CFStringRef kextPath = copyKextPath(kext);
if (!kextPath) {
goto __out;
}
if (!CFStringGetCString(kextPath, buffer, buffer_size, kCFStringEncodingUTF8)) {
OSKextLog( NULL,
kOSKextLogErrorLevel | kOSKextLogGeneralFlag,
"failed to copy kext path");
goto __out;
}
__out:
SAFE_RELEASE(kextPath);
}
void dzRecordKextLoadUser(OSKextRef kext, bool allowed) {
if (dz_notify_kext_load_v2 == NULL) {
return;
}
char localKextPath[PATH_MAX] = {0};
copyKextPathToBuffer(kext, localKextPath, sizeof(localKextPath));
dz_notify_kext_load_v2(DZ_KEXT_LOAD_KEXTD_USER, localKextPath, DZ_KEXT_LOAD_FLAG_NONE, allowed);
}
void dzRecordKextLoadKernel(OSKextRef kext, bool allowed) {
if (dz_notify_kext_load_v2 == NULL) {
return;
}
char localKextPath[PATH_MAX] = {0};
copyKextPathToBuffer(kext, localKextPath, sizeof(localKextPath));
dz_notify_kext_load_v2(DZ_KEXT_LOAD_KEXTD_KERNEL, localKextPath, DZ_KEXT_LOAD_FLAG_NONE, allowed);
}
void dzRecordKextLoadBypass(OSKextRef kext, bool allowed) {
if (dz_notify_kext_load_v2 == NULL) {
return;
}
char localKextPath[PATH_MAX] = {0};
copyKextPathToBuffer(kext, localKextPath, sizeof(localKextPath));
dz_notify_kext_load_v2(DZ_KEXT_LOAD_KEXTD_BYPASS, localKextPath, DZ_KEXT_LOAD_FLAG_NONE, allowed);
}
void dzRecordKextCacheAdd(OSKextRef kext, bool allowed) {
if (dz_notify_kextcache_update_v2 == NULL) {
return;
}
char localKextPath[PATH_MAX] = {0};
copyKextPathToBuffer(kext, localKextPath, sizeof(localKextPath));
dz_notify_kextcache_update_v2(localKextPath, allowed);
}
#endif // HAVE_DANGERZONE