]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_codesigning/lib/xpcengine.cpp
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Security-58286.270.3.0.1.tar.gz
[apple/security.git] / OSX / libsecurity_codesigning / lib / xpcengine.cpp
1 /*
2 * Copyright (c) 2011-2016 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23 #include "xpcengine.h"
24 #include <xpc/connection.h>
25 #include <syslog.h>
26 #include <CoreFoundation/CoreFoundation.h>
27 #include <security_utilities/cfutilities.h>
28 #include <security_utilities/logging.h>
29 #include <security_utilities/cfmunge.h>
30
31
32 namespace Security {
33 namespace CodeSigning {
34
35
36 static void doProgress(xpc_object_t msg);
37
38
39 static const char serviceName[] = "com.apple.security.syspolicy";
40
41
42 static dispatch_once_t dispatchInit; // one-time init marker
43 static xpc_connection_t service; // connection to spd
44 static dispatch_queue_t queue; // dispatch queue for service
45
46 static void init()
47 {
48 dispatch_once(&dispatchInit, ^void(void) {
49 const char *name = serviceName;
50 if (const char *env = getenv("SYSPOLICYNAME"))
51 name = env;
52 queue = dispatch_queue_create("spd-client", 0);
53 service = xpc_connection_create_mach_service(name, queue, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
54 xpc_connection_set_event_handler(service, ^(xpc_object_t msg) {
55 if (xpc_get_type(msg) == XPC_TYPE_DICTIONARY) {
56 const char *function = xpc_dictionary_get_string(msg, "function");
57 if (!strcmp(function, "progress")) {
58 doProgress(msg);
59 }
60 }
61 });
62 xpc_connection_resume(service);
63 });
64 }
65
66
67 //
68 // Your standard XPC client-side machinery
69 //
70 class Message {
71 public:
72 xpc_object_t obj;
73
74 Message(const char *function)
75 {
76 init();
77 obj = xpc_dictionary_create(NULL, NULL, 0);
78 xpc_dictionary_set_string(obj, "function", function);
79 }
80 ~Message()
81 {
82 if (obj)
83 xpc_release(obj);
84 }
85 operator xpc_object_t () { return obj; }
86
87 void send()
88 {
89 xpc_object_t reply = xpc_connection_send_message_with_reply_sync(service, obj);
90 xpc_release(obj);
91 obj = NULL;
92 xpc_type_t type = xpc_get_type(reply);
93 if (type == XPC_TYPE_DICTIONARY) {
94 obj = reply;
95 if (int64_t error = xpc_dictionary_get_int64(obj, "error"))
96 MacOSError::throwMe((int)error);
97 } else if (type == XPC_TYPE_ERROR) {
98 const char *s = xpc_copy_description(reply);
99 printf("Error returned: %s\n", s);
100 Syslog::notice("code signing internal problem: unexpected error from xpc: %s", s);
101 free((char*)s);
102 MacOSError::throwMe(errSecCSInternalError);
103 } else {
104 const char *s = xpc_copy_description(reply);
105 printf("Unexpected type of return object: %s\n", s);
106 free((char*)s);
107 }
108 }
109 };
110
111
112
113 static void copyCFDictionary(const void *key, const void *value, void *ctx)
114 {
115 CFMutableDictionaryRef target = CFMutableDictionaryRef(ctx);
116 if (CFGetTypeID(value) == CFURLGetTypeID()) {
117 CFRef<CFStringRef> path = CFURLCopyFileSystemPath(CFURLRef(value), kCFURLPOSIXPathStyle);
118 CFDictionaryAddValue(target, key, path);
119 } else if (CFEqual(key, kSecAssessmentContextKeyFeedback)) {
120 CFDictionaryAddValue(target, key, CFTempNumber(uint64_t(value)));
121 } else {
122 CFDictionaryAddValue(target, key, value);
123 }
124 }
125
126
127 static bool precheckAccess(CFURLRef path, CFDictionaryRef context)
128 {
129 CFTypeRef type = CFDictionaryGetValue(context, kSecAssessmentContextKeyOperation);
130 if (type == NULL || CFEqual(type, kSecAssessmentOperationTypeExecute)) {
131 CFRef<SecStaticCodeRef> code;
132 OSStatus rc = SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref());
133 if (rc == errSecCSBadBundleFormat) // work around <rdar://problem/26075034>
134 return false;
135 CFRef<CFURLRef> exec;
136 MacOSError::check(SecCodeCopyPath(code, kSecCSDefaultFlags, &exec.aref()));
137 UnixError::check(::access(cfString(exec).c_str(), R_OK));
138 } else {
139 UnixError::check(access(cfString(path).c_str(), R_OK));
140 }
141 return true;
142 }
143
144
145 void xpcEngineAssess(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result)
146 {
147 precheckAccess(path, context);
148 Message msg("assess");
149 xpc_dictionary_set_string(msg, "path", cfString(path).c_str());
150 xpc_dictionary_set_uint64(msg, "flags", flags);
151 CFRef<CFMutableDictionaryRef> ctx = makeCFMutableDictionary();
152 if (context)
153 CFDictionaryApplyFunction(context, copyCFDictionary, ctx);
154 CFRef<CFDataRef> contextData = makeCFData(CFDictionaryRef(ctx));
155 xpc_dictionary_set_data(msg, "context", CFDataGetBytePtr(contextData), CFDataGetLength(contextData));
156
157 msg.send();
158
159 if (int64_t error = xpc_dictionary_get_int64(msg, "error"))
160 MacOSError::throwMe((int)error);
161
162 size_t resultLength;
163 const void *resultData = xpc_dictionary_get_data(msg, "result", &resultLength);
164 CFRef<CFDictionaryRef> resultDict = makeCFDictionaryFrom(resultData, resultLength);
165 CFDictionaryApplyFunction(resultDict, copyCFDictionary, result);
166 CFDictionaryAddValue(result, CFSTR("assessment:remote"), kCFBooleanTrue);
167 }
168
169 static void doProgress(xpc_object_t msg)
170 {
171 uint64_t current = xpc_dictionary_get_uint64(msg, "current");
172 uint64_t total = xpc_dictionary_get_uint64(msg, "total");
173 uint64_t ref = xpc_dictionary_get_uint64(msg, "ref");
174 const char *token = xpc_dictionary_get_string(msg, "token");
175 SecAssessmentFeedback feedback = SecAssessmentFeedback(ref);
176 CFTemp<CFDictionaryRef> info("{current=%d,total=%d}", current, total);
177 Boolean proceed = feedback(kSecAssessmentFeedbackProgress, info);
178 if (!proceed) {
179 xpc_connection_t connection = xpc_dictionary_get_remote_connection(msg);
180 xpc_object_t cancelRequest = xpc_dictionary_create(NULL, NULL, 0);
181 xpc_dictionary_set_string(cancelRequest, "function", "cancel");
182 xpc_dictionary_set_string(cancelRequest, "token", token);
183 xpc_connection_send_message(connection, cancelRequest);
184 xpc_release(cancelRequest);
185 }
186 }
187
188
189 CFDictionaryRef xpcEngineUpdate(CFTypeRef target, SecAssessmentFlags flags, CFDictionaryRef context)
190 {
191 Message msg("update");
192 // target can be NULL, a CFURLRef, a SecRequirementRef, or a CFNumberRef
193 if (target) {
194 if (CFGetTypeID(target) == CFNumberGetTypeID())
195 xpc_dictionary_set_uint64(msg, "rule", cfNumber<int64_t>(CFNumberRef(target)));
196 else if (CFGetTypeID(target) == CFURLGetTypeID()) {
197 bool good = precheckAccess(CFURLRef(target), context);
198 if (!good) // work around <rdar://problem/26075034>
199 return makeCFDictionary(0); // pretend this worked
200 xpc_dictionary_set_string(msg, "url", cfString(CFURLRef(target)).c_str());
201 } else if (CFGetTypeID(target) == SecRequirementGetTypeID()) {
202 CFRef<CFDataRef> data;
203 MacOSError::check(SecRequirementCopyData(SecRequirementRef(target), kSecCSDefaultFlags, &data.aref()));
204 xpc_dictionary_set_data(msg, "requirement", CFDataGetBytePtr(data), CFDataGetLength(data));
205 } else
206 MacOSError::throwMe(errSecCSInvalidObjectRef);
207 }
208 xpc_dictionary_set_uint64(msg, "flags", flags);
209 CFRef<CFMutableDictionaryRef> ctx = makeCFMutableDictionary();
210 if (context)
211 CFDictionaryApplyFunction(context, copyCFDictionary, ctx);
212 AuthorizationRef localAuthorization = NULL;
213 if (CFDictionaryGetValue(ctx, kSecAssessmentUpdateKeyAuthorization) == NULL) { // no caller-provided authorization
214 MacOSError::check(AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &localAuthorization));
215 AuthorizationExternalForm extForm;
216 MacOSError::check(AuthorizationMakeExternalForm(localAuthorization, &extForm));
217 CFDictionaryAddValue(ctx, kSecAssessmentUpdateKeyAuthorization, CFTempData(&extForm, sizeof(extForm)));
218 }
219 CFRef<CFDataRef> contextData = makeCFData(CFDictionaryRef(ctx));
220 xpc_dictionary_set_data(msg, "context", CFDataGetBytePtr(contextData), CFDataGetLength(contextData));
221
222 msg.send();
223
224 if (localAuthorization)
225 AuthorizationFree(localAuthorization, kAuthorizationFlagDefaults);
226
227 if (int64_t error = xpc_dictionary_get_int64(msg, "error"))
228 MacOSError::throwMe((int)error);
229
230 size_t resultLength;
231 const void *resultData = xpc_dictionary_get_data(msg, "result", &resultLength);
232 return makeCFDictionaryFrom(resultData, resultLength);
233 }
234
235
236 bool xpcEngineControl(const char *control)
237 {
238 Message msg("control");
239 xpc_dictionary_set_string(msg, "control", control);
240 msg.send();
241 return true;
242 }
243
244
245 void xpcEngineRecord(CFDictionaryRef info)
246 {
247 Message msg("record");
248 CFRef<CFDataRef> infoData = makeCFData(CFDictionaryRef(info));
249 xpc_dictionary_set_data(msg, "info", CFDataGetBytePtr(infoData), CFDataGetLength(infoData));
250
251 msg.send();
252 }
253
254 void xpcEngineCheckDevID(CFBooleanRef* result)
255 {
256 Message msg("check-dev-id");
257
258 msg.send();
259
260 if (int64_t error = xpc_dictionary_get_int64(msg, "error")) {
261 MacOSError::throwMe((int)error);
262 }
263
264 *result = xpc_dictionary_get_bool(msg,"result") ? kCFBooleanTrue : kCFBooleanFalse;
265 }
266
267 void xpcEngineCheckNotarized(CFBooleanRef* result)
268 {
269 Message msg("check-notarized");
270
271 msg.send();
272
273 if (int64_t error = xpc_dictionary_get_int64(msg, "error")) {
274 MacOSError::throwMe((int)error);
275 }
276
277 *result = xpc_dictionary_get_bool(msg,"result") ? kCFBooleanTrue : kCFBooleanFalse;
278 }
279
280 void xpcEngineTicketRegister(CFDataRef ticketData)
281 {
282 Message msg("ticket-register");
283 xpc_dictionary_set_data(msg, "ticketData", CFDataGetBytePtr(ticketData), CFDataGetLength(ticketData));
284
285 msg.send();
286
287 if (int64_t error = xpc_dictionary_get_int64(msg, "error")) {
288 MacOSError::throwMe((int)error);
289 }
290 }
291
292 void xpcEngineTicketLookup(CFDataRef hashData, SecCSDigestAlgorithm hashType, SecAssessmentTicketFlags flags, double *date)
293 {
294 Message msg("ticket-lookup");
295 xpc_dictionary_set_data(msg, "hashData", CFDataGetBytePtr(hashData), CFDataGetLength(hashData));
296 xpc_dictionary_set_uint64(msg, "hashType", hashType);
297 xpc_dictionary_set_uint64(msg, "flags", flags);
298
299 msg.send();
300
301 if (int64_t error = xpc_dictionary_get_int64(msg, "error")) {
302 MacOSError::throwMe((int)error);
303 }
304
305 double local_date = xpc_dictionary_get_double(msg, "date");
306 if (date && !isnan(local_date)) {
307 *date = local_date;
308 }
309 }
310
311
312 } // end namespace CodeSigning
313 } // end namespace Security
mirror of Security