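/// @brief Generate the rows describing the System Integrity Protection state.
///
/// Emits one summary row whose config_flag is "sip", followed by one row per
/// entry of kRootlessConfigFlags. Each per-flag row reports the live answer
/// from csr_check() in "enabled" and, when the NVRAM value could be read, the
/// corresponding bit in "enabled_nvram".
///
/// @param context Query context (not read by this generator).
/// @return The generated rows; empty when the OS version cannot be
///         determined, the OS is older than 10.11, the csr symbols are not
///         available, or the active configuration cannot be read.
QueryData genSIPConfig(QueryContext& context) {
  auto os_version = SQL::selectAllFrom("os_version");
  if (os_version.size() != 1) {
    VLOG(1) << "Could not determine OS version";
    return {};
  }

  // bail out if running on OS X < 10.11
  // NOTE(review): at() and std::stoi throw when a column is missing or not
  // numeric; confirm the os_version table always provides both fields.
  if (os_version.front().at("major") == "10" &&
      std::stoi(os_version.front().at("minor")) < 11) {
    VLOG(1) << "Not running on OS X 10.11 or higher";
    return {};
  }

  QueryData results;
#if !defined(DARWIN_10_9)
  // check if weakly linked symbols exist
  if (csr_get_active_config == nullptr || csr_check == nullptr) {
    return {};
  }

  // A zero config is reported as "SIP enabled" below, so a failed read must
  // not fall through with the zero-initialised value: that would report a
  // protected host without ever having seen the real configuration.
  csr_config_t config = 0;
  if (csr_get_active_config(&config) != 0) {
    VLOG(1) << "Could not read the active CSR configuration";
    return {};
  }

  // Union of every flag bit this table knows about.
  csr_config_t valid_allowed_flags = 0;
  for (const auto& kv : kRootlessConfigFlags) {
    valid_allowed_flags |= kv.second;
  }

  Row sip_row;
  sip_row["config_flag"] = "sip";
  if (config == 0) {
    // SIP is enabled (default)
    sip_row["enabled"] = INTEGER(1);
    sip_row["enabled_nvram"] = INTEGER(1);
  } else if ((config | valid_allowed_flags) == valid_allowed_flags) {
    // Non-zero config made up only of known flag bits: report SIP as
    // NOT enabled (i.e. disabled).
    sip_row["enabled"] = INTEGER(0);
    sip_row["enabled_nvram"] = INTEGER(0);
  }
  // NOTE(review): when config carries bits outside kRootlessConfigFlags both
  // columns stay unset on the summary row; consumers should treat an empty
  // value as "not fully enabled" rather than as enabled.
  results.push_back(sip_row);

  uint32_t nvram_config = 0;
  auto nvram_status = genCsrConfigFromNvram(nvram_config);

  for (const auto& kv : kRootlessConfigFlags) {
    // Start from a fresh row for every flag. Reusing the summary row would
    // carry its enabled_nvram value into each flag row whenever the NVRAM
    // read failed, reporting a value that was never read from NVRAM.
    Row r;
    r["config_flag"] = kv.first;
    // csr_check returns zero if the config flag is allowed
    r["enabled"] = (csr_check(kv.second) == 0) ? INTEGER(1) : INTEGER(0);
    if (nvram_status.ok()) {
      r["enabled_nvram"] =
          (nvram_config & kv.second) ? INTEGER(1) : INTEGER(0);
    }
    results.push_back(r);
  }
#endif

  return results;
}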
/*
 * Service a CSR "check" request.
 *
 * Validates the caller-supplied buffer description, copies one csr_config_t
 * mask in from args->useraddr and returns the result of csr_check() for it.
 *
 * Returns EINVAL when the user address is zero or the declared size is not
 * exactly sizeof(csr_config_t), the copyin() error when the copy fails, and
 * otherwise whatever csr_check() returns.
 */
int
syscall_csr_check(struct csrctl_args *args)
{
	csr_config_t requested = 0;
	int rc;

	/* A zero user address can never hold a mask. */
	if (args->useraddr == 0) {
		return EINVAL;
	}

	/*
	 * Require an exact size match so that the copy below reads neither
	 * more nor less than one mask from the caller's buffer.
	 */
	if (args->usersize != sizeof(requested)) {
		return EINVAL;
	}

	rc = copyin(args->useraddr, &requested, sizeof(requested));
	if (rc != 0) {
		return rc;
	}

	return csr_check(requested);
}
/*
 * Dispatch a csrctl request according to uap->op.
 *
 * CSR_OP_CHECK copies a csr_config_t mask in from uap->useraddr and returns
 * the result of csr_check() for it. CSR_OP_GET_ACTIVE_CONFIG and
 * CSR_OP_GET_PENDING_CONFIG fetch the respective configuration and copy it
 * out to uap->useraddr. Any other operation yields EINVAL.
 *
 * The user buffer is validated once, before dispatch: the address must be
 * non-zero and the declared size must equal sizeof(csr_config_t), so every
 * copyin()/copyout() below moves exactly one csr_config_t.
 *
 * p and retval are not used.
 */
int
csrctl(__unused proc_t p, struct csrctl_args *uap, __unused int32_t *retval)
{
	csr_config_t value = 0;
	int rc;

	if (uap->useraddr == 0 || uap->usersize != sizeof(csr_config_t)) {
		return EINVAL;
	}

	switch (uap->op) {
	case CSR_OP_CHECK:
		/* The mask to test comes from the caller. */
		rc = copyin(uap->useraddr, &value, sizeof(csr_config_t));
		if (rc != 0) {
			return rc;
		}
		return csr_check(value);

	case CSR_OP_GET_ACTIVE_CONFIG:
		rc = csr_get_active_config(&value);
		break;

	case CSR_OP_GET_PENDING_CONFIG:
		rc = csr_get_pending_config(&value);
		break;

	default:
		return EINVAL;
	}

	/* Only a successfully fetched configuration is copied out. */
	if (rc != 0) {
		return rc;
	}
	return copyout(&value, uap->useraddr, sizeof(csr_config_t));
}
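/*
 * Translate the csr_check() result for one flag into a display string.
 *
 * aMask     - flag mask passed to csr_check().
 * aFlipflag - when non-zero, an allowed flag is shown as "enabled"; when
 *             zero, the sense is inverted and a flag that is NOT allowed is
 *             shown as "enabled".
 *
 * Returns "enabled", or "disabled" wrapped in ANSI bold escape sequences.
 * Both are string literals: the caller must not modify or free them.
 *
 * The parameters are declared as int explicitly. The previous definition
 * relied on implicit int, which C99 and later do not allow; int is the type
 * implicit declaration gave them, so existing callers are unaffected.
 */
char *
_csr_check(int aMask, int aFlipflag)
{
	/* Syscall: csr_check() returns zero when the flag is allowed. */
	bool allowed = (csr_check(aMask) == 0);
	bool stat = aFlipflag ? allowed : !allowed;

	if (stat) {
		return("enabled");
	}

	return("\33[1mdisabled\33[0m");
}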