1/*
2 * Copyright (c) 2000-2006 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
29/*-
30 * Copyright (c) 1982, 1986, 1989, 1993
31 * The Regents of the University of California. All rights reserved.
32 * (c) UNIX System Laboratories, Inc.
33 * All or some portions of this file are derived from material licensed
34 * to the University of California by American Telephone and Telegraph
35 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
36 * the permission of UNIX System Laboratories, Inc.
37 *
38 * Redistribution and use in source and binary forms, with or without
39 * modification, are permitted provided that the following conditions
40 * are met:
41 * 1. Redistributions of source code must retain the above copyright
42 * notice, this list of conditions and the following disclaimer.
43 * 2. Redistributions in binary form must reproduce the above copyright
44 * notice, this list of conditions and the following disclaimer in the
45 * documentation and/or other materials provided with the distribution.
46 * 3. All advertising materials mentioning features or use of this software
47 * must display the following acknowledgement:
48 * This product includes software developed by the University of
49 * California, Berkeley and its contributors.
50 * 4. Neither the name of the University nor the names of its contributors
51 * may be used to endorse or promote products derived from this software
52 * without specific prior written permission.
53 *
54 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
55 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
56 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
57 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
58 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
59 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
60 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
61 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
62 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
63 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
64 * SUCH DAMAGE.
65 *
66 * from: @(#)sys_process.c 8.1 (Berkeley) 6/10/93
67 */
68
69#include <machine/reg.h>
70#include <machine/psl.h>
71
72#include <sys/param.h>
73#include <sys/systm.h>
74#include <sys/proc_internal.h>
75#include <sys/kauth.h>
76#include <sys/errno.h>
77#include <sys/ptrace.h>
78#include <sys/uio.h>
79#include <sys/user.h>
80#include <sys/sysctl.h>
81#include <sys/wait.h>
82
83#include <sys/mount_internal.h>
84#include <sys/sysproto.h>
85#include <sys/kdebug.h>
86#include <sys/codesign.h> /* cs_allow_invalid() */
87
88#include <security/audit/audit.h>
89
90#include <kern/task.h>
91#include <kern/thread.h>
92
93#include <mach/task.h> /* for task_resume() */
94#include <kern/sched_prim.h> /* for thread_exception_return() */
95
96#include <pexpert/pexpert.h>
97
98#if CONFIG_MACF
99#include <security/mac_framework.h>
100#endif
101
102/* XXX ken/bsd_kern.c - prototype should be in common header */
103int get_task_userstop(task_t);
104
105/* Macros to clear/set/test flags. */
106#define SET(t, f) (t) |= (f)
107#define CLR(t, f) (t) &= ~(f)
108#define ISSET(t, f) ((t) & (f))
109
110extern thread_t port_name_to_thread(mach_port_name_t port_name);
111extern thread_t get_firstthread(task_t);
112
113
114/*
115 * sys-trace system call.
116 */
117
118int
119ptrace(struct proc *p, struct ptrace_args *uap, int32_t *retval)
120{
121 struct proc *t = current_proc(); /* target process */
122 task_t task;
123 thread_t th_act;
124 struct uthread *ut;
125 int tr_sigexc = 0;
126 int error = 0;
127 int stopped = 0;
128
129 AUDIT_ARG(cmd, uap->req);
130 AUDIT_ARG(pid, uap->pid);
131 AUDIT_ARG(addr, uap->addr);
132 AUDIT_ARG(value32, uap->data);
133
134 if (uap->req == PT_DENY_ATTACH) {
135#if (DEVELOPMENT || DEBUG) && CONFIG_EMBEDDED
136 if (PE_i_can_has_debugger(NULL))
137 return(0);
138#endif
139 proc_lock(p);
140 if (ISSET(p->p_lflag, P_LTRACED)) {
141 proc_unlock(p);
142 KERNEL_DEBUG_CONSTANT(BSDDBG_CODE(DBG_BSD_PROC, BSD_PROC_FRCEXIT) | DBG_FUNC_NONE,
143 p->p_pid, W_EXITCODE(ENOTSUP, 0), 4, 0, 0);
144 exit1(p, W_EXITCODE(ENOTSUP, 0), retval);
145
146 thread_exception_return();
147 /* NOTREACHED */
148 }
149 SET(p->p_lflag, P_LNOATTACH);
150 proc_unlock(p);
151
152 return(0);
153 }
154
155 if (uap->req == PT_FORCEQUOTA) {
156 if (kauth_cred_issuser(kauth_cred_get())) {
157 OSBitOrAtomic(P_FORCEQUOTA, &t->p_flag);
158 return (0);
159 } else
160 return (EPERM);
161 }
162
163 /*
164 * Intercept and deal with "please trace me" request.
165 */
166 if (uap->req == PT_TRACE_ME) {
167retry_trace_me:;
168 proc_t pproc = proc_parent(p);
169 if (pproc == NULL)
170 return (EINVAL);
171#if CONFIG_MACF
172 /*
173 * NB: Cannot call kauth_authorize_process(..., KAUTH_PROCESS_CANTRACE, ...)
174 * since that assumes the process being checked is the current process
175 * when, in this case, it is the current process's parent.
176 * Most of the other checks in cantrace() don't apply either.
177 */
178 if ((error = mac_proc_check_debug(pproc, p)) == 0) {
179#endif
180 proc_lock(p);
181 /* Make sure the process wasn't re-parented. */
182 if (p->p_ppid != pproc->p_pid) {
183 proc_unlock(p);
184 proc_rele(pproc);
185 goto retry_trace_me;
186 }
187 SET(p->p_lflag, P_LTRACED);
188 /* Non-attached case, our tracer is our parent. */
189 p->p_oppid = p->p_ppid;
190 proc_unlock(p);
191 /* Child and parent will have to be able to run modified code. */
192 cs_allow_invalid(p);
193 cs_allow_invalid(pproc);
194#if CONFIG_MACF
195 }
196#endif
197 proc_rele(pproc);
198 return (error);
199 }
200 if (uap->req == PT_SIGEXC) {
201 proc_lock(p);
202 if (ISSET(p->p_lflag, P_LTRACED)) {
203 SET(p->p_lflag, P_LSIGEXC);
204 proc_unlock(p);
205 return(0);
206 } else {
207 proc_unlock(p);
208 return(EINVAL);
209 }
210 }
211
212 /*
213 * We do not want ptrace to do anything with kernel or launchd
214 */
215 if (uap->pid < 2) {
216 return(EPERM);
217 }
218
219 /*
220 * Locate victim, and make sure it is traceable.
221 */
222 if ((t = proc_find(uap->pid)) == NULL)
223 return (ESRCH);
224
225 AUDIT_ARG(process, t);
226
227 task = t->task;
228 if (uap->req == PT_ATTACHEXC) {
229#pragma clang diagnostic push
230#pragma clang diagnostic ignored "-Wdeprecated-declarations"
231 uap->req = PT_ATTACH;
232 tr_sigexc = 1;
233 }
234 if (uap->req == PT_ATTACH) {
235#pragma clang diagnostic pop
236 int err;
237
238#if CONFIG_EMBEDDED
239 if (tr_sigexc == 0) {
240 error = ENOTSUP;
241 goto out;
242 }
243#endif
244
245 if ( kauth_authorize_process(proc_ucred(p), KAUTH_PROCESS_CANTRACE,
246 t, (uintptr_t)&err, 0, 0) == 0 ) {
247 /* it's OK to attach */
248 proc_lock(t);
249 SET(t->p_lflag, P_LTRACED);
250 if (tr_sigexc)
251 SET(t->p_lflag, P_LSIGEXC);
252
253 t->p_oppid = t->p_ppid;
254 /* Check whether child and parent are allowed to run modified
255 * code (they'll have to) */
256 proc_unlock(t);
257 cs_allow_invalid(t);
258 cs_allow_invalid(p);
259 if (t->p_pptr != p)
260 proc_reparentlocked(t, p, 1, 0);
261
262 proc_lock(t);
263 if (get_task_userstop(task) > 0 ) {
264 stopped = 1;
265 }
266 t->p_xstat = 0;
267 proc_unlock(t);
268 psignal(t, SIGSTOP);
269 /*
270 * If the process was stopped, wake up and run through
271 * issignal() again to properly connect to the tracing
272 * process.
273 */
274 if (stopped)
275 task_resume(task);
276 error = 0;
277 goto out;
278 }
279 else {
280 /* not allowed to attach, proper error code returned by kauth_authorize_process */
281 if (ISSET(t->p_lflag, P_LNOATTACH)) {
282 psignal(p, SIGSEGV);
283 }
284
285 error = err;
286 goto out;
287 }
288 }
289
290 /*
291 * You can't do what you want to the process if:
292 * (1) It's not being traced at all,
293 */
294 proc_lock(t);
295 if (!ISSET(t->p_lflag, P_LTRACED)) {
296 proc_unlock(t);
297 error = EPERM;
298 goto out;
299 }
300
301 /*
302 * (2) it's not being traced by _you_, or
303 */
304 if (t->p_pptr != p) {
305 proc_unlock(t);
306 error = EBUSY;
307 goto out;
308 }
309
310 /*
311 * (3) it's not currently stopped.
312 */
313 if (t->p_stat != SSTOP) {
314 proc_unlock(t);
315 error = EBUSY;
316 goto out;
317 }
318
319 /*
320 * Mach version of ptrace executes request directly here,
321 * thus simplifying the interaction of ptrace and signals.
322 */
323 /* proc lock is held here */
324 switch (uap->req) {
325
326 case PT_DETACH:
327 if (t->p_oppid != t->p_ppid) {
328 struct proc *pp;
329
330 proc_unlock(t);
331 pp = proc_find(t->p_oppid);
332 if (pp != PROC_NULL) {
333 proc_reparentlocked(t, pp, 1, 0);
334 proc_rele(pp);
335 } else {
336 /* original parent exited while traced */
337 proc_list_lock();
338 t->p_listflag |= P_LIST_DEADPARENT;
339 proc_list_unlock();
340 proc_reparentlocked(t, initproc, 1, 0);
341 }
342 proc_lock(t);
343 }
344
345 t->p_oppid = 0;
346 CLR(t->p_lflag, P_LTRACED);
347 CLR(t->p_lflag, P_LSIGEXC);
348 proc_unlock(t);
349 goto resume;
350
351 case PT_KILL:
352 /*
353 * Tell child process to kill itself after it
354 * is resumed by adding NSIG to p_cursig. [see issig]
355 */
356 proc_unlock(t);
357#if CONFIG_MACF
358 error = mac_proc_check_signal(p, t, SIGKILL);
359 if (0 != error)
360 goto resume;
361#endif
362 psignal(t, SIGKILL);
363 goto resume;
364
365 case PT_STEP: /* single step the child */
366 case PT_CONTINUE: /* continue the child */
367 proc_unlock(t);
368 th_act = (thread_t)get_firstthread(task);
369 if (th_act == THREAD_NULL) {
370 error = EINVAL;
371 goto out;
372 }
373
374 /* force use of Mach SPIs (and task_for_pid security checks) to adjust PC */
375 if (uap->addr != (user_addr_t)1) {
376 error = ENOTSUP;
377 goto out;
378 }
379
380 if ((unsigned)uap->data >= NSIG) {
381 error = EINVAL;
382 goto out;
383 }
384
385 if (uap->data != 0) {
386#if CONFIG_MACF
387 error = mac_proc_check_signal(p, t, uap->data);
388 if (0 != error)
389 goto out;
390#endif
391 psignal(t, uap->data);
392 }
393
394 if (uap->req == PT_STEP) {
395 /*
396 * set trace bit
397 * we use sending SIGSTOP as a comparable security check.
398 */
399#if CONFIG_MACF
400 error = mac_proc_check_signal(p, t, SIGSTOP);
401 if (0 != error) {
402 goto out;
403 }
404#endif
405 if (thread_setsinglestep(th_act, 1) != KERN_SUCCESS) {
406 error = ENOTSUP;
407 goto out;
408 }
409 } else {
410 /*
411 * clear trace bit if on
412 * we use sending SIGCONT as a comparable security check.
413 */
414#if CONFIG_MACF
415 error = mac_proc_check_signal(p, t, SIGCONT);
416 if (0 != error) {
417 goto out;
418 }
419#endif
420 if (thread_setsinglestep(th_act, 0) != KERN_SUCCESS) {
421 error = ENOTSUP;
422 goto out;
423 }
424 }
425 resume:
426 proc_lock(t);
427 t->p_xstat = uap->data;
428 t->p_stat = SRUN;
429 if (t->sigwait) {
430 wakeup((caddr_t)&(t->sigwait));
431 proc_unlock(t);
432 if ((t->p_lflag & P_LSIGEXC) == 0) {
433 task_resume(task);
434 }
435 } else
436 proc_unlock(t);
437
438 break;
439
440 case PT_THUPDATE: {
441 proc_unlock(t);
442 if ((unsigned)uap->data >= NSIG) {
443 error = EINVAL;
444 goto out;
445 }
446 th_act = port_name_to_thread(CAST_MACH_PORT_TO_NAME(uap->addr));
447 if (th_act == THREAD_NULL) {
448 error = ESRCH;
449 goto out;
450 }
451 ut = (uthread_t)get_bsdthread_info(th_act);
452 if (uap->data)
453 ut->uu_siglist |= sigmask(uap->data);
454 proc_lock(t);
455 t->p_xstat = uap->data;
456 t->p_stat = SRUN;
457 proc_unlock(t);
458 thread_deallocate(th_act);
459 error = 0;
460 }
461 break;
462 default:
463 proc_unlock(t);
464 error = EINVAL;
465 goto out;
466 }
467
468 error = 0;
469out:
470 proc_rele(t);
471 return(error);
472}
473
474
475/*
476 * determine if one process (cur_procp) can trace another process (traced_procp).
477 */
478
479int
480cantrace(proc_t cur_procp, kauth_cred_t creds, proc_t traced_procp, int *errp)
481{
482 int my_err;
483 /*
484 * You can't trace a process if:
485 * (1) it's the process that's doing the tracing,
486 */
487 if (traced_procp->p_pid == cur_procp->p_pid) {
488 *errp = EINVAL;
489 return (0);
490 }
491
492 /*
493 * (2) it's already being traced, or
494 */
495 if (ISSET(traced_procp->p_lflag, P_LTRACED)) {
496 *errp = EBUSY;
497 return (0);
498 }
499
500 /*
501 * (3) it's not owned by you, or is set-id on exec
502 * (unless you're root).
503 */
504 if ((kauth_cred_getruid(creds) != kauth_cred_getruid(proc_ucred(traced_procp)) ||
505 ISSET(traced_procp->p_flag, P_SUGID)) &&
506 (my_err = suser(creds, &cur_procp->p_acflag)) != 0) {
507 *errp = my_err;
508 return (0);
509 }
510
511 if ((cur_procp->p_lflag & P_LTRACED) && isinferior(cur_procp, traced_procp)) {
512 *errp = EPERM;
513 return (0);
514 }
515
516 if (ISSET(traced_procp->p_lflag, P_LNOATTACH)) {
517 *errp = EBUSY;
518 return (0);
519 }
520
521#if CONFIG_MACF
522 if ((my_err = mac_proc_check_debug(cur_procp, traced_procp)) != 0) {
523 *errp = my_err;
524 return (0);
525 }
526#endif
527
528 return(1);
529}
530