From 0f639b0d1698752a3436fe8deb5f289876c3e95b Mon Sep 17 00:00:00 2001 From: Paul Mabileau Date: Wed, 30 Oct 2024 11:39:41 +0100 Subject: [PATCH 1/5] Chore: Bump libc requirement So the LOCAL_PEERTOKEN it adds may be guaranteed to be available. Signed-off-by: Paul Mabileau --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 98894a57bd..0665795ed2 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -28,7 +28,7 @@ targets = [ ] [dependencies] -libc = { version = "0.2.158", features = ["extra_traits"] } +libc = { version = "0.2.160", features = ["extra_traits"] } bitflags = "2.3.3" cfg-if = "1.0" pin-utils = { version = "0.1.0", optional = true } From b97a9a79579e32e3d9b8d72127caf508cf77ccd7 Mon Sep 17 00:00:00 2001 From: Paul Mabileau Date: Wed, 30 Oct 2024 11:59:41 +0100 Subject: [PATCH 2/5] Refactor(sockopt): Use libc::SOL_LOCAL for LOCAL_PEER* options instead of 0 Should be more readable. Signed-off-by: Paul Mabileau --- src/sys/socket/sockopt.rs | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/sys/socket/sockopt.rs b/src/sys/socket/sockopt.rs index e2f9f10b08..969b62c015 100644 --- a/src/sys/socket/sockopt.rs +++ b/src/sys/socket/sockopt.rs @@ -563,7 +563,7 @@ sockopt_impl!( libc::SO_KEEPALIVE, bool ); -#[cfg(any(freebsdlike, apple_targets))] +#[cfg(freebsdlike)] sockopt_impl!( /// Get the credentials of the peer process of a connected unix domain /// socket. @@ -574,11 +574,21 @@ sockopt_impl!( super::XuCred ); #[cfg(apple_targets)] +sockopt_impl!( + /// Get the credentials of the peer process of a connected unix domain + /// socket. + LocalPeerCred, + GetOnly, + libc::SOL_LOCAL, + libc::LOCAL_PEERCRED, + super::XuCred +); +#[cfg(apple_targets)] sockopt_impl!( /// Get the PID of the peer process of a connected unix domain socket. LocalPeerPid, GetOnly, - 0, + libc::SOL_LOCAL, libc::LOCAL_PEERPID, libc::c_int ); From e83e7150d87427fa93e48647618b58fea21acbb0 Mon Sep 17 00:00:00 2001 From: Paul Mabileau Date: Wed, 30 Oct 2024 12:07:57 +0100 Subject: [PATCH 3/5] Feat(sockopt): Add new wrapper around libc::LOCAL_PEERTOKEN audit_token_t is taken from endpoint-sec-sys. Signed-off-by: Paul Mabileau --- src/sys/socket/mod.rs | 57 +++++++++++++++++++++++++++++++++++++++ src/sys/socket/sockopt.rs | 10 +++++++ 2 files changed, 67 insertions(+) diff --git a/src/sys/socket/mod.rs b/src/sys/socket/mod.rs index 9777aa6b9d..dd74013c64 100644 --- a/src/sys/socket/mod.rs +++ b/src/sys/socket/mod.rs @@ -499,6 +499,63 @@ cfg_if! { } } +cfg_if! { + if #[cfg(apple_targets)] { + use std::fmt; + + /// Return type of [`LocalPeerToken`]. + /// + /// The audit token is an opaque token which identifies Mach tasks and + /// senders of Mach messages as subjects to the BSM audit system. Only + /// the appropriate BSM library routines should be used to interpret + /// the contents of the audit token as the representation of the + /// subject identity within the token may change over time. + /// + /// Starting with macOS 11, almost all audit functions have been + /// deprecated (see the system header `bsm/libbsm.h`), do not use them + /// if your program target more recent versions of macOS. + /// + /// [`LocalPeerToken`]: crate::sys::socket::sockopt::LocalPeerToken + #[repr(C)] + #[derive(Default, Copy, Clone, PartialEq, Eq, Hash)] + pub struct audit_token_t { + /// Value of the token. + /// + /// This is considered an opaque value, do not rely on its format. + pub val: [libc::c_uint; 8], + } + + // Make the debug representation a hex string to make it shorter and clearer. + impl fmt::Debug for audit_token_t { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + f.debug_tuple("audit_token_t") + .field(&format!("0x{:08X}", self)) + .finish() + } + } + + impl fmt::LowerHex for audit_token_t { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + for v in self.val { + fmt::LowerHex::fmt(&v, f)?; + } + + Ok(()) + } + } + + impl fmt::UpperHex for audit_token_t { + fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + for v in self.val { + fmt::UpperHex::fmt(&v, f)?; + } + + Ok(()) + } + } + } +} + feature! { #![feature = "net"] /// Request for multicast socket operations diff --git a/src/sys/socket/sockopt.rs b/src/sys/socket/sockopt.rs index 969b62c015..408f8acb65 100644 --- a/src/sys/socket/sockopt.rs +++ b/src/sys/socket/sockopt.rs @@ -592,6 +592,16 @@ sockopt_impl!( libc::LOCAL_PEERPID, libc::c_int ); +#[cfg(apple_targets)] +sockopt_impl!( + /// Get the audit token of the peer process of a connected unix domain + /// socket. + LocalPeerToken, + GetOnly, + libc::SOL_LOCAL, + libc::LOCAL_PEERTOKEN, + super::audit_token_t +); #[cfg(linux_android)] sockopt_impl!( /// Return the credentials of the foreign process connected to this socket. From e7cd5e811afd73931ff41d6ecbfb253249eb42bc Mon Sep 17 00:00:00 2001 From: Paul Mabileau Date: Wed, 30 Oct 2024 12:16:58 +0100 Subject: [PATCH 4/5] Test(socket): Add small test for LocalPeerToken Signed-off-by: Paul Mabileau --- test/sys/test_sockopt.rs | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/test/sys/test_sockopt.rs b/test/sys/test_sockopt.rs index fd055ef3dd..3cecbf7d7f 100644 --- a/test/sys/test_sockopt.rs +++ b/test/sys/test_sockopt.rs @@ -66,6 +66,36 @@ pub fn test_local_peer_pid() { assert_eq!(pid, std::process::id() as _); } +#[cfg(apple_targets)] +#[test] +pub fn test_local_peer_token() { + use nix::sys::socket::{audit_token_t, socketpair}; + + #[link(name = "bsm", kind = "dylib")] + extern "C" { + /// Extract the process ID from an `audit_token_t`, used to identify + /// Mach tasks and senders of Mach messages as subjects of the audit + /// system. + /// + /// - `atoken`: The Mach audit token. + /// - Returns: The process ID extracted from the Mach audit token. + fn audit_token_to_pid(atoken: audit_token_t) -> libc::pid_t; + } + + let (fd1, _fd2) = socketpair( + AddressFamily::Unix, + SockType::Stream, + None, + SockFlag::empty(), + ) + .unwrap(); + let audit_token = getsockopt(&fd1, sockopt::LocalPeerToken).unwrap(); + assert_eq!( + unsafe { audit_token_to_pid(audit_token) }, + std::process::id() as _ + ); +} + #[cfg(target_os = "linux")] #[test] fn is_so_mark_functional() { From c5d6f2b6e58768388559b31e4c603de58ea8989d Mon Sep 17 00:00:00 2001 From: Paul Mabileau Date: Wed, 30 Oct 2024 12:33:42 +0100 Subject: [PATCH 5/5] Docs: Add changelog entry Signed-off-by: Paul Mabileau --- changelog/2529.added.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog/2529.added.md diff --git a/changelog/2529.added.md b/changelog/2529.added.md new file mode 100644 index 0000000000..23bc985692 --- /dev/null +++ b/changelog/2529.added.md @@ -0,0 +1 @@ +Add support for `libc::LOCAL_PEERTOKEN` in `getsockopt`.