[apple/security.git] / sectask / SecTask.c

/*
 * Copyright (c) 2008,2010-2013 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

#include "SecTask.h"

#include <utilities/debugging.h>

#include <AssertMacros.h>
#include <CoreFoundation/CFRuntime.h>
#include <IOKit/IOKitLib.h>
#include <IOKit/IOCFUnserialize.h>
#include <System/sys/codesign.h>
#include <bsm/libbsm.h>
#include <inttypes.h>
#include <syslog.h>
#include <utilities/SecCFWrappers.h>

#define USE_LIBPROC  0
#if USE_LIBPROC
#include <libproc.h>
#else
#include <sys/sysctl.h>
#endif

struct __SecTask {
    CFRuntimeBase base;
    
    pid_t pid_self;
    audit_token_t token;
    
    /* Track whether we've loaded entitlements independently since after the
     * load, entitlements may legitimately be NULL */
    Boolean entitlementsLoaded;
    CFDictionaryRef entitlements;
	
	/* for debugging only, shown by debugDescription */
	int lastFailure;
};

static bool check_task(SecTaskRef task) {
    return SecTaskGetTypeID() == CFGetTypeID(task);
}

static void SecTaskFinalize(CFTypeRef cfTask)
{
    SecTaskRef task = (SecTaskRef) cfTask;
    
    if (task->entitlements != NULL) {
        CFRelease(task->entitlements);
        task->entitlements = NULL;
    }
}


// Define PRIdPID (proper printf format string for pid_t)
#define PRIdPID PRId32

static CFStringRef SecTaskCopyDebugDescription(CFTypeRef cfTask)
{
    SecTaskRef task = (SecTaskRef) cfTask;
    pid_t pid;
    if (task->pid_self==-1) {
        audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
    } else {
        pid = task->pid_self;
    }

#if USE_LIBPROC
#define MAX_PROCNAME 32
    char task_name[MAX_PROCNAME + 1] = {};
    proc_name(pid, task_name, MAX_PROCNAME);
#else
    const char *task_name;
    int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, pid};
    struct kinfo_proc kp;
    size_t len = sizeof(kp);
    if (sysctl(mib, 4, &kp, &len, NULL, 0) == -1 || len == 0)
        task_name = strerror(errno);
    else
        task_name = kp.kp_proc.p_comm;
#endif

    return CFStringCreateWithFormat(CFGetAllocator(task), NULL, CFSTR("%s[%" PRIdPID "]/%d#%d LF=%d"), task_name, pid,
									task->entitlementsLoaded, task->entitlements ? (int)CFDictionaryGetCount(task->entitlements) : -1, task->lastFailure);
}

CFGiblisWithFunctions(SecTask, NULL, NULL, SecTaskFinalize, NULL, NULL, NULL, SecTaskCopyDebugDescription, NULL, NULL, NULL)

static SecTaskRef init_task_ref(CFAllocatorRef allocator)
{
    CFIndex extra = sizeof(struct __SecTask) - sizeof(CFRuntimeBase);
    return (SecTaskRef) _CFRuntimeCreateInstance(allocator, SecTaskGetTypeID(), extra, NULL);
}

SecTaskRef SecTaskCreateFromSelf(CFAllocatorRef allocator)
{
    SecTaskRef task = init_task_ref(allocator);
    if (task != NULL) {

        memset(&task->token, 0, sizeof(task->token));
        task->entitlementsLoaded = false;
        task->entitlements = NULL;
        task->pid_self = getpid();
    }

    return task;
}

SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef allocator, audit_token_t token)
{
    SecTaskRef task = init_task_ref(allocator);
    if (task != NULL) {
        
        memcpy(&task->token, &token, sizeof(token));
        task->entitlementsLoaded = false;
        task->entitlements = NULL;
        task->pid_self = -1;
    }
    
    return task;
}

struct csheader {
        uint32_t magic;
        uint32_t length;
};

static int
csops_task(SecTaskRef task, int ops, void *blob, size_t size)
{
	int rc;
    if (task->pid_self==-1) {
        pid_t pid;
        audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
        rc = csops_audittoken(pid, ops, blob, size, &task->token);
    }
    else
        rc = csops(task->pid_self, ops, blob, size);
	task->lastFailure = (rc == -1) ? errno : 0;
	return rc;
}

CFStringRef
SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
{
        CFStringRef signingId = NULL;
        char *data = NULL;
        struct csheader header;
        uint32_t bufferlen;
        int ret;

        ret = csops_task(task, CS_OPS_IDENTITY, &header, sizeof(header));
        if (ret != -1 || errno != ERANGE)
                return NULL;

        bufferlen = ntohl(header.length);
        /* check for insane values */
        if (bufferlen > 1024 * 1024 || bufferlen < 8) {
                ret = EINVAL;
                goto out;
        }
        data = malloc(bufferlen + 1);
        if (data == NULL) {
                ret = ENOMEM;
                goto out;
        }
        ret = csops_task(task, CS_OPS_IDENTITY, data, bufferlen);
        if (ret) {
                ret = errno;
                goto out;
        }
        data[bufferlen] = '\0';

        signingId = CFStringCreateWithCString(NULL, data + 8, kCFStringEncodingUTF8);

 out:
        if (data)
                free(data);
        if (ret && error)
                *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ret, NULL);

        return signingId;
}

uint32_t
SecTaskGetCodeSignStatus(SecTaskRef task)
{
    uint32_t flags = 0;
    if (csops_task(task, CS_OPS_STATUS, &flags, sizeof(flags)) != 0)
        return 0;
    return flags;
}

static bool SecTaskLoadEntitlements(SecTaskRef task, CFErrorRef *error)
{
    CFMutableDictionaryRef entitlements = NULL;
    struct csheader header;
    uint8_t *buffer = NULL;
    uint32_t bufferlen;
    int ret;

    
    ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, &header, sizeof(header));
    /* Any other combination means no entitlements */
	if (ret == -1) {
		if (errno != ERANGE) {
            int entitlementErrno = errno;

			uint32_t cs_flags = -1;
            if (-1 == csops_task(task, CS_OPS_STATUS, &cs_flags, sizeof(cs_flags))) {
                syslog(LOG_NOTICE, "Failed to get cs_flags, error=%d", errno);
            }

			if (cs_flags != 0) {	// was signed
	            syslog(LOG_NOTICE, "SecTaskLoadEntitlements failed error=%d cs_flags=%x, task->pid_self=%d", entitlementErrno, cs_flags, task->pid_self);	// to ease diagnostics

				CFStringRef description = SecTaskCopyDebugDescription(task);
				char *descriptionBuf = NULL;
				CFIndex descriptionSize = CFStringGetLength(description) * 4;
				descriptionBuf = (char *)malloc(descriptionSize);
				if (!CFStringGetCString(description, descriptionBuf, descriptionSize, kCFStringEncodingUTF8)) {
					descriptionBuf[0] = 0;
				}

				syslog(LOG_NOTICE, "SecTaskCopyDebugDescription: %s", descriptionBuf);
				CFRelease(description);
				free(descriptionBuf);
			}
			task->lastFailure = entitlementErrno;	// was overwritten by csops_task(CS_OPS_STATUS) above

			// EINVAL is what the kernel says for unsigned code, so we'll have to let that pass
			if (entitlementErrno == EINVAL) {
				task->entitlementsLoaded = true;
				return true;
			}
			ret = entitlementErrno;	// what really went wrong
			goto out;		// bail out
		}
        bufferlen = ntohl(header.length);
        /* check for insane values */
        if (bufferlen > 1024 * 1024 || bufferlen < 8) {
            ret = E2BIG;
            goto out;
        }
        buffer = malloc(bufferlen);
        if (buffer == NULL) {
            ret = ENOMEM;
            goto out;
        }
        ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, buffer, bufferlen);
        if (ret) {
            ret = errno;
            goto out;
        }

        CFDataRef data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, buffer+8, bufferlen-8, kCFAllocatorNull);
        entitlements = (CFMutableDictionaryRef) CFPropertyListCreateWithData(kCFAllocatorDefault, data, kCFPropertyListMutableContainers, NULL, error);
        CFRelease(data);

        if((entitlements==NULL) || (CFGetTypeID(entitlements)!=CFDictionaryGetTypeID())){
            ret = EDOM;	// don't use EINVAL here; it conflates problems with syscall error returns
            goto out;
        }
    }

    task->entitlements = entitlements ? CFRetain(entitlements) : NULL;
    task->entitlementsLoaded = true;

out:
    if(entitlements)
        CFRelease(entitlements);
    if(buffer)
        free(buffer);
    if (ret && error && *error==NULL)
        *error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ret, NULL);
    return ret == 0;
}


CFTypeRef SecTaskCopyValueForEntitlement(SecTaskRef task, CFStringRef entitlement, CFErrorRef *error)
{
    CFTypeRef value = NULL;
    require(check_task(task), out);

    /* Load entitlements if necessary */
    if (task->entitlementsLoaded == false) {
        require_quiet(SecTaskLoadEntitlements(task, error), out);
    }

    if (task->entitlements != NULL) {
        value = CFDictionaryGetValue(task->entitlements, entitlement);
        
        /* Return something the caller must release */
        if (value != NULL) {
            CFRetain(value);
        }
    }
out:
    return value;
}

CFDictionaryRef SecTaskCopyValuesForEntitlements(SecTaskRef task, CFArrayRef entitlements, CFErrorRef *error)
{
    CFMutableDictionaryRef values = NULL;
    require(check_task(task), out);

    /* Load entitlements if necessary */
    if (task->entitlementsLoaded == false) {
        SecTaskLoadEntitlements(task, error);
    }
    
    /* Iterate over the passed in entitlements, populating the dictionary
     * If entitlements were loaded but none were present, return an empty
     * dictionary */
    if (task->entitlementsLoaded == true) {
        
        CFIndex i, count = CFArrayGetCount(entitlements);
        values = CFDictionaryCreateMutable(CFGetAllocator(task), count, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
        if (task->entitlements != NULL) {
            for (i = 0; i < count; i++) {
                CFStringRef entitlement = CFArrayGetValueAtIndex(entitlements, i);
                CFTypeRef value = CFDictionaryGetValue(task->entitlements, entitlement);
                if (value != NULL) {
                    CFDictionarySetValue(values, entitlement, value);
                }
            }
        }
    }
out:
    return values;
}
Commit	Line	Data
d8f41ccd A	1	/*
	2	* Copyright (c) 2008,2010-2013 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	#include "SecTask.h"
	25
	26	#include <utilities/debugging.h>
	27
	28	#include <AssertMacros.h>
	29	#include <CoreFoundation/CFRuntime.h>
	30	#include <IOKit/IOKitLib.h>
	31	#include <IOKit/IOCFUnserialize.h>
	32	#include <System/sys/codesign.h>
	33	#include <bsm/libbsm.h>
	34	#include <inttypes.h>
5c19dc3a	35	#include <syslog.h>
d8f41ccd A	36	#include <utilities/SecCFWrappers.h>
	37
	38	#define USE_LIBPROC 0
	39	#if USE_LIBPROC
	40	#include <libproc.h>
	41	#else
	42	#include <sys/sysctl.h>
	43	#endif
	44
	45	struct __SecTask {
	46	CFRuntimeBase base;
	47
	48	pid_t pid_self;
	49	audit_token_t token;
	50
	51	/* Track whether we've loaded entitlements independently since after the
	52	* load, entitlements may legitimately be NULL */
	53	Boolean entitlementsLoaded;
	54	CFDictionaryRef entitlements;
fa7225c8 A	55
	56	/* for debugging only, shown by debugDescription */
	57	int lastFailure;
d8f41ccd A	58	};
	59
	60	static bool check_task(SecTaskRef task) {
	61	return SecTaskGetTypeID() == CFGetTypeID(task);
	62	}
	63
	64	static void SecTaskFinalize(CFTypeRef cfTask)
	65	{
	66	SecTaskRef task = (SecTaskRef) cfTask;
	67
	68	if (task->entitlements != NULL) {
	69	CFRelease(task->entitlements);
	70	task->entitlements = NULL;
	71	}
	72	}
	73
	74
	75	// Define PRIdPID (proper printf format string for pid_t)
	76	#define PRIdPID PRId32
	77
	78	static CFStringRef SecTaskCopyDebugDescription(CFTypeRef cfTask)
	79	{
	80	SecTaskRef task = (SecTaskRef) cfTask;
	81	pid_t pid;
	82	if (task->pid_self==-1) {
	83	audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
	84	} else {
	85	pid = task->pid_self;
	86	}
	87
	88	#if USE_LIBPROC
	89	#define MAX_PROCNAME 32
	90	char task_name[MAX_PROCNAME + 1] = {};
	91	proc_name(pid, task_name, MAX_PROCNAME);
	92	#else
	93	const char *task_name;
	94	int mib[] = {CTL_KERN, KERN_PROC, KERN_PROC_PID, pid};
	95	struct kinfo_proc kp;
	96	size_t len = sizeof(kp);
	97	if (sysctl(mib, 4, &kp, &len, NULL, 0) == -1 \|\| len == 0)
	98	task_name = strerror(errno);
	99	else
	100	task_name = kp.kp_proc.p_comm;
	101	#endif
	102
fa7225c8 A	103	return CFStringCreateWithFormat(CFGetAllocator(task), NULL, CFSTR("%s[%" PRIdPID "]/%d#%d LF=%d"), task_name, pid,
fa7225c8 A	104	task->entitlementsLoaded, task->entitlements ? (int)CFDictionaryGetCount(task->entitlements) : -1, task->lastFailure);
d8f41ccd A	105	}
	106
	107	CFGiblisWithFunctions(SecTask, NULL, NULL, SecTaskFinalize, NULL, NULL, NULL, SecTaskCopyDebugDescription, NULL, NULL, NULL)
	108
	109	static SecTaskRef init_task_ref(CFAllocatorRef allocator)
	110	{
	111	CFIndex extra = sizeof(struct __SecTask) - sizeof(CFRuntimeBase);
	112	return (SecTaskRef) _CFRuntimeCreateInstance(allocator, SecTaskGetTypeID(), extra, NULL);
	113	}
	114
	115	SecTaskRef SecTaskCreateFromSelf(CFAllocatorRef allocator)
	116	{
	117	SecTaskRef task = init_task_ref(allocator);
	118	if (task != NULL) {
	119
	120	memset(&task->token, 0, sizeof(task->token));
	121	task->entitlementsLoaded = false;
	122	task->entitlements = NULL;
	123	task->pid_self = getpid();
	124	}
	125
	126	return task;
	127	}
	128
	129	SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef allocator, audit_token_t token)
	130	{
	131	SecTaskRef task = init_task_ref(allocator);
	132	if (task != NULL) {
	133
	134	memcpy(&task->token, &token, sizeof(token));
	135	task->entitlementsLoaded = false;
	136	task->entitlements = NULL;
	137	task->pid_self = -1;
	138	}
	139
	140	return task;
	141	}
	142
	143	struct csheader {
	144	uint32_t magic;
	145	uint32_t length;
	146	};
	147
	148	static int
	149	csops_task(SecTaskRef task, int ops, void *blob, size_t size)
	150	{
fa7225c8	151	int rc;
d8f41ccd A	152	if (task->pid_self==-1) {
	153	pid_t pid;
	154	audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
fa7225c8	155	rc = csops_audittoken(pid, ops, blob, size, &task->token);
d8f41ccd A	156	}
d8f41ccd A	157	else
fa7225c8 A	158	rc = csops(task->pid_self, ops, blob, size);
	159	task->lastFailure = (rc == -1) ? errno : 0;
	160	return rc;
d8f41ccd A	161	}
d8f41ccd A	162
d8f41ccd A	163	CFStringRef
	164	SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
	165	{
	166	CFStringRef signingId = NULL;
	167	char *data = NULL;
	168	struct csheader header;
	169	uint32_t bufferlen;
	170	int ret;
	171
	172	ret = csops_task(task, CS_OPS_IDENTITY, &header, sizeof(header));
	173	if (ret != -1 \|\| errno != ERANGE)
	174	return NULL;
	175
	176	bufferlen = ntohl(header.length);
	177	/* check for insane values */
	178	if (bufferlen > 1024 * 1024 \|\| bufferlen < 8) {
	179	ret = EINVAL;
	180	goto out;
	181	}
	182	data = malloc(bufferlen + 1);
	183	if (data == NULL) {
	184	ret = ENOMEM;
	185	goto out;
	186	}
	187	ret = csops_task(task, CS_OPS_IDENTITY, data, bufferlen);
	188	if (ret) {
	189	ret = errno;
	190	goto out;
	191	}
	192	data[bufferlen] = '\0';
	193
	194	signingId = CFStringCreateWithCString(NULL, data + 8, kCFStringEncodingUTF8);
	195
	196	out:
	197	if (data)
	198	free(data);
	199	if (ret && error)
	200	*error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ret, NULL);
	201
	202	return signingId;
	203	}
	204
fa7225c8 A	205	uint32_t
	206	SecTaskGetCodeSignStatus(SecTaskRef task)
	207	{
	208	uint32_t flags = 0;
	209	if (csops_task(task, CS_OPS_STATUS, &flags, sizeof(flags)) != 0)
	210	return 0;
	211	return flags;
	212	}
d8f41ccd A	213
	214	static bool SecTaskLoadEntitlements(SecTaskRef task, CFErrorRef *error)
	215	{
	216	CFMutableDictionaryRef entitlements = NULL;
	217	struct csheader header;
	218	uint8_t *buffer = NULL;
	219	uint32_t bufferlen;
	220	int ret;
	221
	222
	223	ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, &header, sizeof(header));
	224	/* Any other combination means no entitlements */
5c19dc3a A	225	if (ret == -1) {
5c19dc3a A	226	if (errno != ERANGE) {
e0e0d90e A	227	int entitlementErrno = errno;
	228
	229	uint32_t cs_flags = -1;
	230	if (-1 == csops_task(task, CS_OPS_STATUS, &cs_flags, sizeof(cs_flags))) {
	231	syslog(LOG_NOTICE, "Failed to get cs_flags, error=%d", errno);
	232	}
	233
fa7225c8 A	234	if (cs_flags != 0) { // was signed
fa7225c8 A	235	syslog(LOG_NOTICE, "SecTaskLoadEntitlements failed error=%d cs_flags=%x, task->pid_self=%d", entitlementErrno, cs_flags, task->pid_self); // to ease diagnostics
e0e0d90e	236
fa7225c8 A	237	CFStringRef description = SecTaskCopyDebugDescription(task);
	238	char *descriptionBuf = NULL;
	239	CFIndex descriptionSize = CFStringGetLength(description) * 4;
	240	descriptionBuf = (char *)malloc(descriptionSize);
	241	if (!CFStringGetCString(description, descriptionBuf, descriptionSize, kCFStringEncodingUTF8)) {
	242	descriptionBuf[0] = 0;
	243	}
e0e0d90e	244
fa7225c8 A	245	syslog(LOG_NOTICE, "SecTaskCopyDebugDescription: %s", descriptionBuf);
	246	CFRelease(description);
	247	free(descriptionBuf);
	248	}
	249	task->lastFailure = entitlementErrno; // was overwritten by csops_task(CS_OPS_STATUS) above
e0e0d90e	250
5c19dc3a	251	// EINVAL is what the kernel says for unsigned code, so we'll have to let that pass
e0e0d90e	252	if (entitlementErrno == EINVAL) {
5c19dc3a A	253	task->entitlementsLoaded = true;
	254	return true;
	255	}
e0e0d90e	256	ret = entitlementErrno; // what really went wrong
5c19dc3a A	257	goto out; // bail out
5c19dc3a A	258	}
d8f41ccd A	259	bufferlen = ntohl(header.length);
	260	/* check for insane values */
	261	if (bufferlen > 1024 * 1024 \|\| bufferlen < 8) {
fa7225c8	262	ret = E2BIG;
d8f41ccd A	263	goto out;
	264	}
	265	buffer = malloc(bufferlen);
	266	if (buffer == NULL) {
	267	ret = ENOMEM;
	268	goto out;
	269	}
	270	ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, buffer, bufferlen);
	271	if (ret) {
	272	ret = errno;
	273	goto out;
	274	}
	275
	276	CFDataRef data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, buffer+8, bufferlen-8, kCFAllocatorNull);
	277	entitlements = (CFMutableDictionaryRef) CFPropertyListCreateWithData(kCFAllocatorDefault, data, kCFPropertyListMutableContainers, NULL, error);
	278	CFRelease(data);
	279
	280	if((entitlements==NULL) \|\| (CFGetTypeID(entitlements)!=CFDictionaryGetTypeID())){
fa7225c8	281	ret = EDOM; // don't use EINVAL here; it conflates problems with syscall error returns
d8f41ccd A	282	goto out;
	283	}
	284	}
	285
	286	task->entitlements = entitlements ? CFRetain(entitlements) : NULL;
	287	task->entitlementsLoaded = true;
	288
	289	out:
	290	if(entitlements)
	291	CFRelease(entitlements);
	292	if(buffer)
	293	free(buffer);
	294	if (ret && error && *error==NULL)
	295	*error = CFErrorCreate(NULL, kCFErrorDomainPOSIX, ret, NULL);
	296	return ret == 0;
	297	}
	298
	299
	300	CFTypeRef SecTaskCopyValueForEntitlement(SecTaskRef task, CFStringRef entitlement, CFErrorRef *error)
	301	{
	302	CFTypeRef value = NULL;
	303	require(check_task(task), out);
	304
	305	/* Load entitlements if necessary */
	306	if (task->entitlementsLoaded == false) {
	307	require_quiet(SecTaskLoadEntitlements(task, error), out);
	308	}
	309
	310	if (task->entitlements != NULL) {
	311	value = CFDictionaryGetValue(task->entitlements, entitlement);
	312
	313	/* Return something the caller must release */
	314	if (value != NULL) {
	315	CFRetain(value);
	316	}
	317	}
	318	out:
	319	return value;
	320	}
	321
	322	CFDictionaryRef SecTaskCopyValuesForEntitlements(SecTaskRef task, CFArrayRef entitlements, CFErrorRef *error)
	323	{
	324	CFMutableDictionaryRef values = NULL;
	325	require(check_task(task), out);
	326
	327	/* Load entitlements if necessary */
	328	if (task->entitlementsLoaded == false) {
	329	SecTaskLoadEntitlements(task, error);
	330	}
	331
	332	/* Iterate over the passed in entitlements, populating the dictionary
	333	* If entitlements were loaded but none were present, return an empty
	334	* dictionary */
	335	if (task->entitlementsLoaded == true) {
	336
	337	CFIndex i, count = CFArrayGetCount(entitlements);
	338	values = CFDictionaryCreateMutable(CFGetAllocator(task), count, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
	339	if (task->entitlements != NULL) {
	340	for (i = 0; i < count; i++) {
	341	CFStringRef entitlement = CFArrayGetValueAtIndex(entitlements, i);
	342	CFTypeRef value = CFDictionaryGetValue(task->entitlements, entitlement);
	343	if (value != NULL) {
	344	CFDictionarySetValue(values, entitlement, value);
	345	}
346	}
347	}
348	}
349	out:
350	return values;
351	}