VII. Antivirus/mac/apply_exec_quarantine.c

@@ -1,90 +1,107 @@
-intptr_t __fastcall apply_exec_quarantine(__int64 a1, struct vnode *a2)
+intptr_t __fastcall apply_exec_quarantine(
+        __int64 context,          // a1: context or structure with additional info
+        struct vnode *file_vnode, // a2: vnode representing the file being executed
+        __int64 reserved1,        // a3: reserved for future use
+        __int64 reserved2,        // a4: reserved for future use
+        __int64 reserved3,        // a5: reserved for future use
+        __int64 reserved4,        // a6: reserved for future use
+        __int64 reserved5,        // a7: reserved for future use
+        __int64 reserved6)        // a8: reserved for future use
 {
-  int flags; // w0
-  int v5; // w8
-  intptr_t result; // x0
-  struct mount *v7; // x0
-  char v8; // w8
-  struct label *v9; // x16
-  intptr_t v10; // x20
-  int v11; // w21
-  const char *v12; // x0
-  const char *v13; // x19
-  const char *v14; // x9
-  unsigned int v15; // [xsp+2Ch] [xbp-134h] BYREF
-  __int128 v16[16]; // [xsp+30h] [xbp-130h] BYREF
+    int quarantine_flags;             // w0: quarantine flags
+    int temp_flags;                   // w8: temporary storage for flags
+    intptr_t result;                  // x0: return value
+    struct mount *mount_info;         // x0: mount information
+    char mount_flags;                 // w8: flags from mount info
+    struct label *sec_label;          // x16: security label
+    intptr_t label_result;            // x20: temporary storage for label result
+    int label_flags;                  // w21: temporary storage for label flags
+    const char *file_path;            // x0: file path
+    const char *log_msg;              // x19: log message
+    const char *quarantine_reason;    // x9: reason for quarantine
+    __int64 reserved_context1;        // [xsp+0h] [xbp-160h]
+    __int64 reserved_context2;        // [xsp+8h] [xbp-158h]
+    unsigned int quarantine_flag_set; // [xsp+2Ch] [xbp-134h] BYREF
+    __int128 additional_info[16];     // [xsp+30h] [xbp-130h] BYREF
 
-  memset(v16, 0, sizeof(v16));
-  v15 = 0;
-  flags = quarantine_get_flags(a2, 0LL, &v15, v16);
-  if ( flags )
-  {
-    v5 = flags;
-    result = 0LL;
-    if ( v5 == 93 )
-      return result;
-    return 1LL;
-  }
-  if ( (v15 & 6) == 0 )
-    return 0LL;
-  if ( (v15 & 4) != 0 )
-  {
-LABEL_15:
-    v12 = (const char *)getpath(a2);
-    v13 = v12;
-    v14 = "created without user consent";
-    if ( (v15 & 4) == 0 )
-      v14 = "not approved by Gatekeeper";
-    _os_log_internal(
-      &dword_FFFFFE000792BD40,
-      (os_log_t)&_os_log_default,
-      OS_LOG_TYPE_ERROR,
-      "exec of %s denied since it was quarantined by %s and %s, qtn-flags was 0x%08x",
-      v12,
-      (const char *)v16,
-      v14,
-      v15);
-    kfree_data_addr_external(v13);
-    return 1LL;
-  }
-  result = 0LL;
-  if ( require_user_approved_exec )
-  {
-    if ( (v15 & 0x40) == 0 )
-    {
-      v7 = vnode_mount(a2);
-      v8 = vfs_flags(v7);
-      result = 0LL;
-      if ( a1 )
-      {
-        if ( (v8 & 1) == 0 )
-        {
-          v9 = *(struct label **)(a1 + 120);
-          if ( v9 )
-          {
-            result = mac_label_get(v9, label_slot);
-            if ( !result )
-              return result;
-            v10 = result;
-            os_ref_retain_internal((os_ref_atomic_t *)(result + 16), 0LL);
-            if ( *(_QWORD *)v10
-              && (os_ref_retain_internal((os_ref_atomic_t *)(*(_QWORD *)v10 + 60LL), 0LL), *(_QWORD *)v10) )
-            {
-              v11 = *(_DWORD *)(*(_QWORD *)v10 + 56LL);
-              qtnstate_rele();
-              cred_label_rele(v10);
-              if ( (v11 & 2) != 0 )
-                goto LABEL_15;
-            }
-            else
-            {
-              cred_label_rele(v10);
-            }
-          }
-          return 0LL;
-        }
-      }
+    // Initialize additional info buffer and quarantine flag set
+    memset(additional_info, 0, sizeof(additional_info));
+    quarantine_flag_set = 0;
+
+    // Retrieve quarantine flags for the vnode
+    quarantine_flags = quarantine_get_flags(file_vnode, 0LL, (__int64)&quarantine_flag_set, (__int64)additional_info, reserved3, reserved4, reserved5, reserved6, reserved_context1, reserved_context2);
+    
+    // Handle specific flags and return values from quarantine_get_flags
+    if (quarantine_flags) {
+        temp_flags = quarantine_flags;
+        result = 0LL;
+        if (temp_flags == 0x5D)
+            return result;
+        return 1LL;
     }
-  }
-  return result;
+
+    // Check quarantine flag set for specific conditions
+    if ((quarantine_flag_set & 6) == 0)
+        return 0LL;
+
+    if ((quarantine_flag_set & 4) != 0) {
+    LABEL_15:
+        file_path = (const char *)getpath(file_vnode);
+        log_msg = file_path;
+        quarantine_reason = "created without user consent";
+        if ((quarantine_flag_set & 4) == 0)
+            quarantine_reason = "not approved by Gatekeeper";
+
+        // Log the quarantine enforcement
+        _os_log_internal(
+            &dword_FFFFFE000792BD40,
+            (os_log_t)&_os_log_default,
+            OS_LOG_TYPE_ERROR,
+            "exec of %s denied since it was quarantined by %s and %s, qtn-flags was 0x%08x",
+            file_path,
+            (const char *)additional_info,
+            quarantine_reason,
+            quarantine_flag_set);
+        
+        // Free the file path memory and return 1
+        kfree_data_addr_external(log_msg);
+        return 1LL;
+    }
+
+    result = 0LL;
+
+    // Check if user-approved execution is required
+    if (require_user_approved_exec) {
+        if ((quarantine_flag_set & 0x40) == 0) {
+            mount_info = vnode_mount(file_vnode);
+            mount_flags = vfs_flags(mount_info);
+            result = 0LL;
+
+            if (context) {
+                if ((mount_flags & 1) == 0) {
+                    sec_label = *(struct label **)(context + 120);
+                    if (sec_label) {
+                        result = mac_label_get(sec_label, label_slot);
+                        if (!result)
+                            return result;
+                        label_result = result;
+                        os_ref_retain_internal((os_ref_atomic_t *)(result + 16), 0LL);
+                        if (*(_QWORD *)label_result
+                            && (os_ref_retain_internal((os_ref_atomic_t *)(*(_QWORD *)label_result + 60LL), 0LL), *(_QWORD *)label_result)) {
+                            label_flags = *(_DWORD *)(*(_QWORD *)label_result + 56LL);
+                            qtnstate_rele();
+                            cred_label_rele(label_result);
+                            if ((label_flags & 2) != 0)
+                                goto LABEL_15;
+                        } else {
+                            cred_label_rele(label_result);
+                        }
+                    }
+                    return 0LL;
+                }
+            }
+        }
+    }
+
+    return result;
 }