util/mach/task_for_pid.h - third_party/crashpad - Git at Google

 // Copyright 2014 The Crashpad Authors. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 #ifndef CRASHPAD_UTIL_MACH_TASK_FOR_PID_H_
 #define CRASHPAD_UTIL_MACH_TASK_FOR_PID_H_

 #include <mach/mach.h>
 #include <sys/types.h>

 namespace crashpad {

 //! \brief Wraps `task_for_pid()`.
 //!
 //! This function exists to support `task_for_pid()` access checks in a setuid
 //! environment. Normally, `task_for_pid()` can only return an arbitrary task’s
 //! port when running as root or when taskgated(8) approves. When not running as
 //! root, a series of access checks are perfomed to ensure that the running
 //! process has permission to obtain the other process’ task port.
 //!
 //! It is possible to make an executable setuid root to give it broader
 //! `task_for_pid()` access by bypassing taskgated(8) checks, but this also has
 //! the effect of bypassing the access checks, allowing any process’ task port
 //! to be obtained. In most situations, these access checks are desirable to
 //! prevent security and privacy breaches.
 //!
 //! When running as setuid root, this function wraps `task_for_pid()`,
 //! reimplementing those access checks. A process whose effective user ID is 0
 //! and whose real user ID is nonzero is understood to be running setuid root.
 //! In this case, the requested task’s real, effective, and saved set-user IDs
 //! must all equal the running process’ real user ID, the requested task must
 //! not have changed privileges, and the requested task’s set of all group IDs
 //! (including its real, effective, and saved set-group IDs and supplementary
 //! group list) must be a subset of the running process’ set of all group IDs.
 //! These access checks mimic those that the kernel performs.
 //!
 //! When not running as setuid root, `task_for_pid()` is called directly,
 //! without imposing any additional checks beyond what the kernel does.
 //!
 //! \param[in] pid The process ID of the task whose task port is desired.
 //!
 //! \return A send right to the task port if it could be obtained, or
 //!     `TASK_NULL` otherwise, with an error message logged. If a send right is
 //!     returned, the caller takes ownership of it.
 task_t TaskForPID(pid_t pid);

 }  // namespace crashpad

 #endif  // CRASHPAD_UTIL_MACH_TASK_FOR_PID_H_
	// Copyright 2014 The Crashpad Authors. All rights reserved.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	#ifndef CRASHPAD_UTIL_MACH_TASK_FOR_PID_H_
	#define CRASHPAD_UTIL_MACH_TASK_FOR_PID_H_

	#include <mach/mach.h>
	#include <sys/types.h>

	namespace crashpad {

	//! \brief Wraps `task_for_pid()`.
	//!
	//! This function exists to support `task_for_pid()` access checks in a setuid
	//! environment. Normally, `task_for_pid()` can only return an arbitrary task’s
	//! port when running as root or when taskgated(8) approves. When not running as
	//! root, a series of access checks are perfomed to ensure that the running
	//! process has permission to obtain the other process’ task port.
	//!
	//! It is possible to make an executable setuid root to give it broader
	//! `task_for_pid()` access by bypassing taskgated(8) checks, but this also has
	//! the effect of bypassing the access checks, allowing any process’ task port
	//! to be obtained. In most situations, these access checks are desirable to
	//! prevent security and privacy breaches.
	//!
	//! When running as setuid root, this function wraps `task_for_pid()`,
	//! reimplementing those access checks. A process whose effective user ID is 0
	//! and whose real user ID is nonzero is understood to be running setuid root.
	//! In this case, the requested task’s real, effective, and saved set-user IDs
	//! must all equal the running process’ real user ID, the requested task must
	//! not have changed privileges, and the requested task’s set of all group IDs
	//! (including its real, effective, and saved set-group IDs and supplementary
	//! group list) must be a subset of the running process’ set of all group IDs.
	//! These access checks mimic those that the kernel performs.
	//!
	//! When not running as setuid root, `task_for_pid()` is called directly,
	//! without imposing any additional checks beyond what the kernel does.
	//!
	//! \param[in] pid The process ID of the task whose task port is desired.
	//!
	//! \return A send right to the task port if it could be obtained, or
	//! `TASK_NULL` otherwise, with an error message logged. If a send right is
	//! returned, the caller takes ownership of it.
	task_t TaskForPID(pid_t pid);

	} // namespace crashpad

	#endif // CRASHPAD_UTIL_MACH_TASK_FOR_PID_H_