kern_persona.c   [plain text]

/*
 * Copyright (c) 2015 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 * 
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */
#include <sys/kernel.h>
#include <sys/kernel_types.h>
#include <sys/persona.h>

#if CONFIG_PERSONAS
#include <kern/assert.h>
#include <kern/simple_lock.h>
#include <kern/task.h>
#include <kern/zalloc.h>

#include <sys/param.h>
#include <sys/proc_internal.h>
#include <sys/kauth.h>
#include <sys/proc_info.h>
#include <sys/resourcevar.h>

#define pna_info(fmt, ...) \
	printf("%s:  " fmt "\n", __func__, ## __VA_ARGS__)

#define pna_err(fmt, ...) \
	printf("ERROR[%s]:  " fmt "\n", __func__, ## __VA_ARGS__)

#define MAX_PERSONAS     512

#define TEMP_PERSONA_ID  499

#define FIRST_PERSONA_ID 501
#define PERSONA_ID_STEP   10

#define PERSONA_SYSTEM_UID    ((uid_t)99)
#define PERSONA_SYSTEM_LOGIN  "system"

#define PERSONA_MAGIC         (0x0aa55aa0)
#define persona_valid(p)      ((p)->pna_valid == PERSONA_MAGIC)
#define persona_mkinvalid(p)  ((p)->pna_valid = ~(PERSONA_MAGIC))

static LIST_HEAD(personalist, persona) all_personas;
static uint32_t g_total_personas;
uint32_t g_max_personas = MAX_PERSONAS;

struct persona *g_system_persona = NULL;

static uid_t g_next_persona_id;

lck_mtx_t all_personas_lock;
lck_attr_t *persona_lck_attr;
lck_grp_t *persona_lck_grp;
lck_grp_attr_t *persona_lck_grp_attr;

static zone_t persona_zone;

kauth_cred_t g_default_persona_cred;

#define lock_personas()    lck_mtx_lock(&all_personas_lock)
#define unlock_personas()  lck_mtx_unlock(&all_personas_lock)


extern void mach_kauth_cred_uthread_update(void);

void personas_bootstrap(void)
{
	struct posix_cred pcred;

	persona_dbg("Initializing persona subsystem");
	LIST_INIT(&all_personas);
	g_total_personas = 0;

	g_next_persona_id = FIRST_PERSONA_ID;

	persona_lck_grp_attr = lck_grp_attr_alloc_init();
	lck_grp_attr_setstat(persona_lck_grp_attr);

	persona_lck_grp = lck_grp_alloc_init("personas", persona_lck_grp_attr);
	persona_lck_attr = lck_attr_alloc_init();

	lck_mtx_init(&all_personas_lock, persona_lck_grp, persona_lck_attr);

	persona_zone = zinit(sizeof(struct persona),
			     MAX_PERSONAS * sizeof(struct persona),
			     MAX_PERSONAS, "personas");
	assert(persona_zone != NULL);

	/*
	 * setup the default credentials that a persona temporarily
	 * inherits (to work around kauth APIs)
	 */
	bzero(&pcred, sizeof(pcred));
	pcred.cr_uid = pcred.cr_ruid = pcred.cr_svuid = TEMP_PERSONA_ID;
	pcred.cr_rgid = pcred.cr_svgid = TEMP_PERSONA_ID;
	pcred.cr_groups[0] = TEMP_PERSONA_ID;
	pcred.cr_ngroups = 1;
	pcred.cr_flags = CRF_NOMEMBERD;
	pcred.cr_gmuid = KAUTH_UID_NONE;

	g_default_persona_cred = posix_cred_create(&pcred);
	if (!g_default_persona_cred)
		panic("couldn't create default persona credentials!");

	g_system_persona = persona_alloc(PERSONA_SYSTEM_UID,
					 PERSONA_SYSTEM_LOGIN,
					 PERSONA_SYSTEM, NULL);
	assert(g_system_persona != NULL);
}

struct persona *persona_alloc(uid_t id, const char *login, int type, int *error)
{
	struct persona *persona, *tmp;
	int err = 0;
	kauth_cred_t tmp_cred;
	gid_t new_group;

	if (!login) {
		pna_err("Must provide a login name for a new persona!");
		if (error)
			*error = EINVAL;
		return NULL;
	}

	if (type <= PERSONA_INVALID || type > PERSONA_TYPE_MAX) {
		pna_err("Invalid type: %d", type);
		if (error)
			*error = EINVAL;
		return NULL;
	}

	persona = (struct persona *)zalloc(persona_zone);
	if (!persona) {
		if (error)
			*error = ENOMEM;
		return NULL;
	}

	bzero(persona, sizeof(*persona));

	if (hw_atomic_add(&g_total_personas, 1) > MAX_PERSONAS) {
		/* too many personas! */
		pna_err("too many active personas!");
		err = EBUSY;
		goto out_error;
	}

	strncpy(persona->pna_login, login, sizeof(persona->pna_login)-1);

	LIST_INIT(&persona->pna_members);
	lck_mtx_init(&persona->pna_lock, persona_lck_grp, persona_lck_attr);
	persona->pna_refcount = 1;

	/*
	 * Setup initial (temporary) kauth_cred structure
	 * We need to do this here because all kauth calls require
	 * an existing cred structure.
	 */
	persona->pna_cred = kauth_cred_create(g_default_persona_cred);
	if (!persona->pna_cred) {
		pna_err("could not copy initial credentials!");
		err = EIO;
		goto out_error;
	}

	lock_personas();
try_again:
	if (id != PERSONA_ID_NONE)
		persona->pna_id = id;
	else
		persona->pna_id = g_next_persona_id;

	persona_dbg("Adding %d (%s) to global list...", persona->pna_id, persona->pna_login);

	err = 0;
	LIST_FOREACH(tmp, &all_personas, pna_list) {
		if (id == PERSONA_ID_NONE && tmp->pna_id == id) {
			/*
			 * someone else manually claimed this ID, and we're
			 * trying to allocate an ID for the caller: try again
			 */
			g_next_persona_id += PERSONA_ID_STEP;
			goto try_again;
		}
		if (strncmp(tmp->pna_login, login, sizeof(tmp->pna_login)) == 0
		    || tmp->pna_id == id) {
			/*
			 * Disallow use of identical login names and re-use
			 * of previously allocated persona IDs
			 */
			err = EEXIST;
			break;
		}
	}
	if (err)
		goto out_unlock;

	/* ensure the cred has proper UID/GID defaults */
	kauth_cred_ref(persona->pna_cred);
	tmp_cred = kauth_cred_setuidgid(persona->pna_cred,
					persona->pna_id,
					persona->pna_id);
	kauth_cred_unref(&persona->pna_cred);
	if (tmp_cred != persona->pna_cred)
		persona->pna_cred = tmp_cred;

	if (!persona->pna_cred) {
		err = EACCES;
		goto out_unlock;
	}

	/* it should be a member of exactly 1 group (equal to its UID) */
	new_group = (gid_t)persona->pna_id;

	kauth_cred_ref(persona->pna_cred);
	/* opt _out_ of memberd as a default */
	tmp_cred = kauth_cred_setgroups(persona->pna_cred,
					&new_group, 1, KAUTH_UID_NONE);
	kauth_cred_unref(&persona->pna_cred);
	if (tmp_cred != persona->pna_cred)
		persona->pna_cred = tmp_cred;

	if (!persona->pna_cred) {
		err = EACCES;
		goto out_unlock;
	}

	persona->pna_type = type;

	/* insert the, now valid, persona into the global list! */
	persona->pna_valid = PERSONA_MAGIC;
	LIST_INSERT_HEAD(&all_personas, persona, pna_list);

	/* if the kernel supplied the persona ID, increment for next time */
	if (id == PERSONA_ID_NONE)
		g_next_persona_id += PERSONA_ID_STEP;

out_unlock:
	unlock_personas();

	if (err) {
		switch (err) {
		case EEXIST:
			persona_dbg("Login '%s' (%d) already exists",
				    login, persona->pna_id);
			break;
		case EACCES:
			persona_dbg("kauth_error for persona:%d", persona->pna_id);
			break;
		default:
			persona_dbg("Unknown error:%d", err);
		}
		goto out_error;
	}

	return persona;

out_error:
	(void)hw_atomic_add(&g_total_personas, -1);
	zfree(persona_zone, persona);
	if (error)
		*error = err;
	return NULL;
}

int persona_invalidate(struct persona *persona)
{
	int error = 0;
	if (!persona)
		return EINVAL;

	lock_personas();
	persona_lock(persona);

	if (!persona_valid(persona))
		panic("Double-invalidation of persona %p", persona);

	LIST_REMOVE(persona, pna_list);
	if (hw_atomic_add(&g_total_personas, -1) == UINT_MAX)
		panic("persona ref count underflow!\n");
	persona_mkinvalid(persona);

	persona_unlock(persona);
	unlock_personas();

	return error;
}

static struct persona *persona_get_locked(struct persona *persona)
{
	if (persona->pna_refcount) {
		persona->pna_refcount++;
		return persona;
	}
	return NULL;
}

struct persona *persona_get(struct persona *persona)
{
	struct persona *ret;
	if (!persona)
		return NULL;
	persona_lock(persona);
	ret = persona_get_locked(persona);
	persona_unlock(persona);

	return ret;
}

void persona_put(struct persona *persona)
{
	int destroy = 0;

	if (!persona)
		return;

	persona_lock(persona);
	if (persona->pna_refcount >= 0) {
		if (--(persona->pna_refcount) == 0)
			destroy = 1;
	}
	persona_unlock(persona);

	if (!destroy)
		return;

	persona_dbg("Destroying persona %s", persona_desc(persona, 0));

	/* release our credential reference */
	if (persona->pna_cred)
		kauth_cred_unref(&persona->pna_cred);

	/* remove it from the global list and decrement the count */
	lock_personas();
	if (persona_valid(persona)) {
		LIST_REMOVE(persona, pna_list);
		if (hw_atomic_add(&g_total_personas, -1) == UINT_MAX)
			panic("persona count underflow!\n");
		persona_mkinvalid(persona);
	}
	unlock_personas();

	assert(LIST_EMPTY(&persona->pna_members));
	memset(persona, 0, sizeof(*persona));
	zfree(persona_zone, persona);
}

uid_t persona_get_id(struct persona *persona)
{
	if (persona)
		return persona->pna_id;
	return PERSONA_ID_NONE;
}

struct persona *persona_lookup(uid_t id)
{
	struct persona *persona, *tmp;

	persona = NULL;

	/*
	 * simple, linear lookup for now: there shouldn't be too many
	 * of these in memory at any given time.
	 */
	lock_personas();
	LIST_FOREACH(tmp, &all_personas, pna_list) {
		persona_lock(tmp);
		if (tmp->pna_id == id && persona_valid(tmp)) {
			persona = persona_get_locked(tmp);
			persona_unlock(tmp);
			break;
		}
		persona_unlock(tmp);
	}
	unlock_personas();

	return persona;
}

int persona_find(const char *login, uid_t uid,
		 struct persona **persona, size_t *plen)
{
	struct persona *tmp;
	int match = 0;
	size_t found = 0;

	if (login)
		match++;
	if (uid != PERSONA_ID_NONE)
		match++;

	if (match == 0)
		return EINVAL;

	persona_dbg("Searching with %d parameters (l:\"%s\", u:%d)",
		    match, login, uid);

	lock_personas();
	LIST_FOREACH(tmp, &all_personas, pna_list) {
		int m = 0;
		persona_lock(tmp);
		if (login && strncmp(tmp->pna_login, login, sizeof(tmp->pna_login)) == 0)
			m++;
		if (uid != PERSONA_ID_NONE && uid == tmp->pna_id)
			m++;
		if (m == match) {
			if (persona && *plen > found)
				persona[found] = persona_get_locked(tmp);
			found++;
		}
#ifdef PERSONA_DEBUG
		if (m > 0)
			persona_dbg("ID:%d Matched %d/%d, found:%d, *plen:%d",
				    tmp->pna_id, m, match, (int)found, (int)*plen);
#endif
		persona_unlock(tmp);
	}
	unlock_personas();

	*plen = found;
	if (!found)
		return ESRCH;
	return 0;
}

struct persona *persona_proc_get(pid_t pid)
{
	struct persona *persona;
	proc_t p = proc_find(pid);

	if (!p)
		return NULL;

	proc_lock(p);
	persona = persona_get(p->p_persona);
	proc_unlock(p);

	proc_rele(p);

	return persona;
}

struct persona *current_persona_get(void)
{
	proc_t p = current_proc();
	struct persona *persona;

	proc_lock(p);
	persona = persona_get(p->p_persona);
	proc_unlock(p);

	return persona;
}

/**
 * inherit a persona from parent to child
 */
int persona_proc_inherit(proc_t child, proc_t parent)
{
	if (child->p_persona != NULL) {
		persona_dbg("proc_inherit: child already in persona: %s",
			    persona_desc(child->p_persona, 0));
		return -1;
	}

	/* no persona to inherit */
	if (parent->p_persona == NULL)
		return 0;

	return persona_proc_adopt(child, parent->p_persona, parent->p_ucred);
}

int persona_proc_adopt_id(proc_t p, uid_t id, kauth_cred_t auth_override)
{
	int ret;
	struct persona *persona;

	persona = persona_lookup(id);
	if (!persona)
		return ESRCH;

	ret = persona_proc_adopt(p, persona, auth_override);

	/* put the reference from the lookup() */
	persona_put(persona);

	return ret;
}


typedef enum e_persona_reset_op {
	PROC_REMOVE_PERSONA = 1,
	PROC_RESET_OLD_PERSONA = 2,
} persona_reset_op_t;

/*
 * internal cleanup routine for proc_set_cred_internal
 *
 */
static struct persona *proc_reset_persona_internal(proc_t p, persona_reset_op_t op,
						   struct persona *old_persona,
						   struct persona *new_persona)
{
#if (DEVELOPMENT || DEBUG)
	persona_lock_assert_held(new_persona);
#endif

	switch (op) {
	case PROC_REMOVE_PERSONA:
		old_persona = p->p_persona;
		/* fall through */
	case PROC_RESET_OLD_PERSONA:
		break;
	default:
		/* invalid arguments */
		return NULL;
	}

	/* unlock the new persona (locked on entry) */
	persona_unlock(new_persona);
	/* lock the old persona and the process */
	persona_lock(old_persona);
	proc_lock(p);

	switch (op) {
	case PROC_REMOVE_PERSONA:
		LIST_REMOVE(p, p_persona_list);
		p->p_persona = NULL;
		break;
	case PROC_RESET_OLD_PERSONA:
		p->p_persona = old_persona;
		LIST_INSERT_HEAD(&old_persona->pna_members, p, p_persona_list);
		break;
	}

	proc_unlock(p);
	persona_unlock(old_persona);

	/* re-lock the new persona */
	persona_lock(new_persona);
	return old_persona;
}

/*
 * Assumes persona is locked.
 * On success, takes a reference to 'persona' and returns the
 * previous persona the process had adopted. The caller is
 * responsible to release the reference.
 */
static struct persona *proc_set_cred_internal(proc_t p, struct persona *persona,
					      kauth_cred_t auth_override, int *rlim_error)
{
	struct persona *old_persona = NULL;
	kauth_cred_t my_cred, my_new_cred;
	uid_t old_uid, new_uid;
	int count;

	/*
	 * This operation must be done under the proc trans lock
	 * by the thread which took the trans lock!
	 */
	assert(((p->p_lflag & P_LINTRANSIT) == P_LINTRANSIT) &&
	       p->p_transholder == current_thread());
	assert(persona != NULL);

	/* no work to do if we "re-adopt" the same persona */
	if (p->p_persona == persona)
		return NULL;

	/*
	 * If p is in a persona, then we need to remove 'p' from the list of
	 * processes in that persona. To do this, we need to drop the lock
	 * held on the incoming (new) persona and lock the old one.
	 */
	if (p->p_persona) {
		old_persona = proc_reset_persona_internal(p, PROC_REMOVE_PERSONA,
							  NULL, persona);
	}

	if (auth_override)
		my_new_cred = auth_override;
	else
		my_new_cred = persona->pna_cred;

	if (!my_new_cred)
		panic("NULL credentials (persona:%p)", persona);

	*rlim_error = 0;

	kauth_cred_ref(my_new_cred);

	new_uid = persona->pna_id;

	/*
	 * Check to see if we will hit a proc rlimit by moving the process
	 * into the persona. If so, we'll bail early before actually moving
	 * the process or changing its credentials.
	 */
	if (new_uid != 0 &&
	    (rlim_t)chgproccnt(new_uid, 0) > p->p_rlimit[RLIMIT_NPROC].rlim_cur) {
		pna_err("PID:%d hit proc rlimit in new persona(%d): %s",
			p->p_pid, new_uid, persona_desc(persona, 1));
		*rlim_error = EACCES;
		(void)proc_reset_persona_internal(p, PROC_RESET_OLD_PERSONA,
						  old_persona, persona);
		kauth_cred_unref(&my_new_cred);
		return NULL;
	}

	/*
	 * Set the new credentials on the proc
	 */
set_proc_cred:
	my_cred = kauth_cred_proc_ref(p);
	persona_dbg("proc_adopt PID:%d, %s -> %s",
		    p->p_pid,
		    persona_desc(old_persona, 1),
		    persona_desc(persona, 1));

	old_uid = kauth_cred_getruid(my_cred);

	if (my_cred != my_new_cred) {
		kauth_cred_t old_cred = my_cred;

		proc_ucred_lock(p);
		/*
		 * We need to protect against a race where another thread
		 * also changed the credential after we took our
		 * reference.  If p_ucred has changed then we should
		 * restart this again with the new cred.
		 */
		if (p->p_ucred != my_cred) {
			proc_ucred_unlock(p);
			kauth_cred_unref(&my_cred);
			/* try again */
			goto set_proc_cred;
		}

		/* update the credential and take a ref for the proc */
		kauth_cred_ref(my_new_cred);
		p->p_ucred = my_new_cred;

		/* update cred on proc (and current thread) */
		mach_kauth_cred_uthread_update();
		PROC_UPDATE_CREDS_ONPROC(p);

		/* drop the proc's old ref on the credential */
		kauth_cred_unref(&old_cred);
		proc_ucred_unlock(p);
	}

	/* drop this function's reference to the old cred */
	kauth_cred_unref(&my_cred);

	/*
	 * Update the proc count.
	 * If the UIDs are the same, then there is no work to do.
	 */
	if (old_persona)
		old_uid = old_persona->pna_id;

	if (new_uid != old_uid) {
		count = chgproccnt(old_uid, -1);
		persona_dbg("Decrement %s:%d proc_count to: %d",
			    old_persona ? "Persona" : "UID", old_uid, count);

		/*
		 * Increment the proc count on the UID associated with
		 * the new persona. Enforce the resource limit just
		 * as in fork1()
		 */
		count = chgproccnt(new_uid, 1);
		persona_dbg("Increment Persona:%d (UID:%d) proc_count to: %d",
			    new_uid, kauth_cred_getuid(my_new_cred), count);
	}

	OSBitOrAtomic(P_ADOPTPERSONA, &p->p_flag);

	proc_lock(p);
	p->p_persona = persona_get_locked(persona);
	LIST_INSERT_HEAD(&persona->pna_members, p, p_persona_list);
	proc_unlock(p);

	kauth_cred_unref(&my_new_cred);

	return old_persona;
}

int persona_proc_adopt(proc_t p, struct persona *persona, kauth_cred_t auth_override)
{
	int error;
	struct persona *old_persona;
	struct session * sessp;

	if (!persona)
		return EINVAL;

	persona_dbg("%d adopting Persona %d (%s)", proc_pid(p),
		    persona->pna_id, persona_desc(persona, 0));

	persona_lock(persona);
	if (!persona->pna_cred || !persona_valid(persona)) {
		persona_dbg("Invalid persona (%s): NULL credentials!", persona_desc(persona, 1));
		persona_unlock(persona);
		return EINVAL;
	}

	/* the persona credentials can no longer be adjusted */
	persona->pna_cred_locked = 1;

	/*
	 * assume the persona: this may drop and re-acquire the persona lock!
	 */
	error = 0;
	old_persona = proc_set_cred_internal(p, persona, auth_override, &error);

	/* join the process group associated with the persona */
	if (persona->pna_pgid) {
		uid_t uid = kauth_cred_getuid(persona->pna_cred);
		persona_dbg(" PID:%d, pgid:%d%s",
			    p->p_pid, persona->pna_pgid,
			    persona->pna_pgid == uid ? ", new_session" : ".");
		enterpgrp(p, persona->pna_pgid, persona->pna_pgid == uid);
	}

	/* set the login name of the session */
	sessp = proc_session(p);
	if (sessp != SESSION_NULL) {
		session_lock(sessp);
		bcopy(persona->pna_login, sessp->s_login, MAXLOGNAME);
		session_unlock(sessp);
		session_rele(sessp);
	}

	persona_unlock(persona);

	set_security_token(p);

	/*
	 * Drop the reference to the old persona.
	 */
	if (old_persona)
		persona_put(old_persona);

	persona_dbg("%s", error == 0 ? "SUCCESS" : "FAILED");
	return error;
}

int persona_proc_drop(proc_t p)
{
	struct persona *persona = NULL;

	persona_dbg("PID:%d, %s -> <none>", p->p_pid, persona_desc(p->p_persona, 0));

	/*
	 * There are really no other credentials for us to assume,
	 * so we'll just continue running with the credentials
	 * we got from the persona.
	 */

	/*
	 * the locks must be taken in reverse order here, so
	 * we have to be careful not to cause deadlock
	 */
try_again:
	proc_lock(p);
	if (p->p_persona) {
		uid_t puid, ruid;
		if (!persona_try_lock(p->p_persona)) {
			proc_unlock(p);
			mutex_pause(0); /* back-off time */
			goto try_again;
		}
		persona = p->p_persona;
		LIST_REMOVE(p, p_persona_list);
		p->p_persona = NULL;

		ruid = kauth_cred_getruid(p->p_ucred);
		puid = kauth_cred_getuid(persona->pna_cred);
		proc_unlock(p);
		(void)chgproccnt(ruid, 1);
		(void)chgproccnt(puid, -1);
	} else {
		proc_unlock(p);
	}

	/*
	 * if the proc had a persona, then it is still locked here
	 * (preserving proper lock ordering)
	 */

	if (persona) {
		persona_unlock(persona);
		persona_put(persona);
	}

	return 0;
}

int persona_get_type(struct persona *persona)
{
	int type;

	if (!persona)
		return PERSONA_INVALID;

	persona_lock(persona);
	if (!persona_valid(persona)) {
		persona_unlock(persona);
		return PERSONA_INVALID;
	}
	type = persona->pna_type;
	persona_unlock(persona);

	return type;
}

int persona_set_cred(struct persona *persona, kauth_cred_t cred)
{
	int ret = 0;
	kauth_cred_t my_cred;
	if (!persona || !cred)
		return EINVAL;

	persona_lock(persona);
	if (!persona_valid(persona)) {
		ret = EINVAL;
		goto out_unlock;
	}
	if (persona->pna_cred_locked) {
		ret = EPERM;
		goto out_unlock;
	}

	/* create a new cred from the passed-in cred */
	my_cred = kauth_cred_create(cred);

	/* ensure that the UID matches the persona ID */
	my_cred = kauth_cred_setresuid(my_cred, persona->pna_id,
				       persona->pna_id, persona->pna_id,
				       KAUTH_UID_NONE);

	/* TODO: clear the saved GID?! */

	/* replace the persona's cred with the new one */
	if (persona->pna_cred)
		kauth_cred_unref(&persona->pna_cred);
	persona->pna_cred = my_cred;

out_unlock:
	persona_unlock(persona);
	return ret;
}

int persona_set_cred_from_proc(struct persona *persona, proc_t proc)
{
	int ret = 0;
	kauth_cred_t parent_cred, my_cred;
	if (!persona || !proc)
		return EINVAL;

	persona_lock(persona);
	if (!persona_valid(persona)) {
		ret = EINVAL;
		goto out_unlock;
	}
	if (persona->pna_cred_locked) {
		ret = EPERM;
		goto out_unlock;
	}

	parent_cred = kauth_cred_proc_ref(proc);

	/* TODO: clear the saved UID/GID! */

	/* create a new cred from the proc's cred */
	my_cred = kauth_cred_create(parent_cred);

	/* ensure that the UID matches the persona ID */
	my_cred = kauth_cred_setresuid(my_cred, persona->pna_id,
				       persona->pna_id, persona->pna_id,
				       KAUTH_UID_NONE);

	/* replace the persona's cred with the new one */
	if (persona->pna_cred)
		kauth_cred_unref(&persona->pna_cred);
	persona->pna_cred = my_cred;

	kauth_cred_unref(&parent_cred);

out_unlock:
	persona_unlock(persona);
	return ret;
}

kauth_cred_t persona_get_cred(struct persona *persona)
{
	kauth_cred_t cred = NULL;

	if (!persona)
		return NULL;

	persona_lock(persona);
	if (!persona_valid(persona))
		goto out_unlock;

	if (persona->pna_cred) {
		kauth_cred_ref(persona->pna_cred);
		cred = persona->pna_cred;
	}

out_unlock:
	persona_unlock(persona);

	return cred;
}

uid_t persona_get_uid(struct persona *persona)
{
	uid_t uid = UID_MAX;

	if (!persona || !persona->pna_cred)
		return UID_MAX;

	persona_lock(persona);
	if (persona_valid(persona)) {
		uid = kauth_cred_getuid(persona->pna_cred);
		assert(uid == persona->pna_id);
	}
	persona_unlock(persona);

	return uid;
}

int persona_set_gid(struct persona *persona, gid_t gid)
{
	int ret = 0;
	kauth_cred_t my_cred, new_cred;

	if (!persona || !persona->pna_cred)
		return EINVAL;

	persona_lock(persona);
	if (!persona_valid(persona)) {
		ret = EINVAL;
		goto out_unlock;
	}
	if (persona->pna_cred_locked) {
		ret = EPERM;
		goto out_unlock;
	}

	my_cred = persona->pna_cred;
	kauth_cred_ref(my_cred);
	new_cred = kauth_cred_setresgid(my_cred, gid, gid, gid);
	if (new_cred != my_cred)
		persona->pna_cred = new_cred;
	kauth_cred_unref(&my_cred);

out_unlock:
	persona_unlock(persona);
	return ret;
}

gid_t persona_get_gid(struct persona *persona)
{
	gid_t gid = GID_MAX;

	if (!persona || !persona->pna_cred)
		return GID_MAX;

	persona_lock(persona);
	if (persona_valid(persona))
		gid = kauth_cred_getgid(persona->pna_cred);
	persona_unlock(persona);

	return gid;
}

int persona_set_groups(struct persona *persona, gid_t *groups, int ngroups, uid_t gmuid)
{
	int ret = 0;
	kauth_cred_t my_cred, new_cred;

	if (!persona || !persona->pna_cred)
		return EINVAL;
	if (ngroups > NGROUPS_MAX)
		return EINVAL;

	persona_lock(persona);
	if (!persona_valid(persona)) {
		ret = EINVAL;
		goto out_unlock;
	}
	if (persona->pna_cred_locked) {
		ret = EPERM;
		goto out_unlock;
	}

	my_cred = persona->pna_cred;
	kauth_cred_ref(my_cred);
	new_cred = kauth_cred_setgroups(my_cred, groups, ngroups, gmuid);
	if (new_cred != my_cred)
		persona->pna_cred = new_cred;
	kauth_cred_unref(&my_cred);

out_unlock:
	persona_unlock(persona);
	return ret;
}

int persona_get_groups(struct persona *persona, int *ngroups, gid_t *groups, int groups_sz)
{
	int ret = EINVAL;
	if (!persona || !persona->pna_cred || !groups || !ngroups)
		return EINVAL;

	*ngroups = groups_sz;

	persona_lock(persona);
	if (persona_valid(persona)) {
		kauth_cred_getgroups(persona->pna_cred, groups, ngroups);
		ret = 0;
	}
	persona_unlock(persona);

	return ret;
}

uid_t persona_get_gmuid(struct persona *persona)
{
	uid_t gmuid = KAUTH_UID_NONE;

	if (!persona || !persona->pna_cred)
		return gmuid;

	persona_lock(persona);
	if (!persona_valid(persona))
		goto out_unlock;

	posix_cred_t pcred = posix_cred_get(persona->pna_cred);
	gmuid = pcred->cr_gmuid;

out_unlock:
	persona_unlock(persona);
	return gmuid;
}

int persona_get_login(struct persona *persona, char login[MAXLOGNAME+1])
{
	int ret = EINVAL;
	if (!persona || !persona->pna_cred)
		return EINVAL;

	persona_lock(persona);
	if (!persona_valid(persona))
		goto out_unlock;

	strlcpy(login, persona->pna_login, MAXLOGNAME);
	ret = 0;

out_unlock:
	persona_unlock(persona);
	login[MAXLOGNAME] = 0;

	return ret;
}

#else /* !CONFIG_PERSONAS */

/*
 * symbol exports for kext compatibility
 */

uid_t persona_get_id(__unused struct persona *persona)
{
	return PERSONA_ID_NONE;
}

int persona_get_type(__unused struct persona *persona)
{
	return PERSONA_INVALID;
}

kauth_cred_t persona_get_cred(__unused struct persona *persona)
{
	return NULL;
}

struct persona *persona_lookup(__unused uid_t id)
{
	return NULL;
}

int persona_find(__unused const char *login,
		 __unused uid_t uid,
		 __unused struct persona **persona,
		 __unused size_t *plen)
{
	return ENOTSUP;
}

struct persona *current_persona_get(void)
{
	return NULL;
}

struct persona *persona_get(struct persona *persona)
{
	return persona;
}

void persona_put(__unused struct persona *persona)
{
	return;
}
#endif