]> git.saurik.com Git - apple/security.git/blob - OSX/sec/ipc/server_endpoint.m
projects / apple / security.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Security-58286.1.32.tar.gz
[apple/security.git] / OSX / sec / ipc / server_endpoint.m
1 /*
2 * Copyright (c) 2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #import <Foundation/Foundation.h>
25 #import <Foundation/NSXPCConnection.h>
26 #import <Foundation/NSXPCConnection_Private.h>
27 #include <xpc/private.h>
28 #include <xpc/xpc.h>
29
30 #include <ipc/securityd_client.h>
31 #include <ipc/server_security_helpers.h>
32 #include <ipc/server_entitlement_helpers.h>
33 #include <ipc/server_endpoint.h>
34
35 #include <securityd/SecItemServer.h>
36 #include <Security/SecEntitlements.h>
37
38 #pragma mark - Securityd Server
39
40 @implementation SecuritydXPCServer
41 @synthesize connection = _connection;
42
43 - (instancetype)initWithConnection:(NSXPCConnection *)connection
44 {
45 if ((self = [super init])) {
46 _connection = connection;
47
48 fill_security_client(&self->_client, connection.effectiveUserIdentifier, connection.auditToken);
49 }
50 return self;
51 }
52
53 - (instancetype)initWithSecurityClient:(SecurityClient*) existingClient
54 {
55 if(!existingClient) {
56 return nil;
57 }
58 if((self = [super init])) {
59 _connection = nil;
60
61 self->_client.task = CFRetainSafe(existingClient->task);
62 self->_client.accessGroups = CFRetainSafe(existingClient->accessGroups);
63 self->_client.allowSystemKeychain = existingClient->allowSystemKeychain;
64 self->_client.allowSyncBubbleKeychain = existingClient->allowSyncBubbleKeychain;
65 self->_client.isNetworkExtension = existingClient->isNetworkExtension;
66 self->_client.canAccessNetworkExtensionAccessGroups = existingClient->canAccessNetworkExtensionAccessGroups;
67 self->_client.uid = existingClient->uid;
68 self->_client.musr = CFRetainSafe(existingClient->musr);
69 #if TARGET_OS_EMBEDDED && TARGET_HAS_KEYSTORE
70 self->_client.keybag = existingClient->keybag;
71 #endif
72 #if TARGET_OS_IPHONE
73 self->_client.inMultiUser = existingClient->inMultiUser;
74 self->_client.activeUser = existingClient->activeUser;
75 #endif
76 }
77 return self;
78 }
79
80
81 - (bool)clientHasBooleanEntitlement: (NSString*) entitlement {
82 return SecTaskGetBooleanValueForEntitlement(self->_client.task, (__bridge CFStringRef) entitlement);
83 }
84
85 -(void)dealloc {
86 CFReleaseNull(self->_client.task);
87 CFReleaseNull(self->_client.accessGroups);
88 CFReleaseNull(self->_client.musr);
89 }
90 @end
91
92
93 // Class to use for local dispatching of securityd xpcs. Adds capability of fake entitlements, because you don't have a real task on the other end.
94 @interface LocalSecuritydXPCServer : SecuritydXPCServer
95 @property NSMutableDictionary<NSString*, id>* fakeEntitlements;
96 - (instancetype)initWithSecurityClient:(SecurityClient*) existingClient fakeEntitlements:(NSDictionary<NSString*, id>*)fakeEntitlements;
97 @end
98
99 @implementation LocalSecuritydXPCServer
100 - (instancetype)initWithSecurityClient:(SecurityClient*) existingClient fakeEntitlements:(NSDictionary<NSString*, id>*)fakeEntitlements {
101 if((self = [super initWithSecurityClient: existingClient])) {
102 _fakeEntitlements = [fakeEntitlements mutableCopy];
103 }
104 return self;
105 }
106
107 - (bool)clientHasBooleanEntitlement: (NSString*) entitlement {
108 if(self.fakeEntitlements) {
109 return [self.fakeEntitlements[entitlement] isEqual: @YES];
110 } else {
111 return false;
112 }
113 }
114 @end
115
116
117 #pragma mark - SecuritydXPCServerListener
118
119 // Responsible for bringing up new SecuritydXPCServer objects, and configuring them with their remote connection
120 @interface SecuritydXPCServerListener : NSObject <NSXPCListenerDelegate>
121 @property (retain,nonnull) NSXPCListener *listener;
122 - (xpc_endpoint_t)xpcControlEndpoint;
123 @end
124
125 @implementation SecuritydXPCServerListener
126 -(instancetype)init
127 {
128 if((self = [super init])){
129 self.listener = [NSXPCListener anonymousListener];
130 self.listener.delegate = self;
131 [self.listener resume];
132 }
133 return self;
134 }
135
136 - (xpc_endpoint_t)xpcControlEndpoint {
137 return [self.listener.endpoint _endpoint];
138 }
139
140 - (BOOL)listener:(__unused NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection
141 {
142 // Anyone is allowed to get a connection to securityd, except if you have kSecEntitlementKeychainDeny entitlement
143 // The SecuritydClient class _must_ check for required entitlements in each XPC handler.
144
145 if([newConnection valueForEntitlement: (__bridge NSString*) kSecEntitlementKeychainDeny]) {
146 return NO;
147 }
148
149 newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(SecuritydXPCProtocol)];
150 // Configure the interface on the server side, too
151 [SecuritydXPCClient configureSecuritydXPCProtocol: newConnection.exportedInterface];
152
153 newConnection.exportedObject = [[SecuritydXPCServer alloc] initWithConnection:newConnection];
154 [newConnection resume];
155
156 return YES;
157 }
158 @end
159
160 XPC_RETURNS_RETAINED xpc_endpoint_t SecCreateSecuritydXPCServerEndpoint(CFErrorRef *error)
161 {
162 static SecuritydXPCServerListener* listener = NULL;
163 static dispatch_once_t onceToken;
164 dispatch_once(&onceToken, ^{
165 listener = [[SecuritydXPCServerListener alloc] init];
166 });
167 return [listener xpcControlEndpoint];
168 }
169
170 id<SecuritydXPCProtocol> SecCreateLocalSecuritydXPCServer(void) {
171 // Create a fake securitydxpcserver using the access groups of securityd and some number of fake entitlements
172 SecurityClient* client = SecSecurityClientGet();
173
174 // We know that SecuritydXPCServerListener will comply with SecuritydXPCProtocol via category, so help the compiler out
175 return (id<SecuritydXPCProtocol>) [[LocalSecuritydXPCServer alloc] initWithSecurityClient: client fakeEntitlements: @{}];
176 }
177
178 CFTypeRef SecCreateLocalCFSecuritydXPCServer(void) {
179 return (CFTypeRef) CFBridgingRetain(SecCreateLocalSecuritydXPCServer());
180 }
181
182 void SecResetLocalSecuritydXPCFakeEntitlements(void) {
183 if([(__bridge id) gSecurityd->secd_xpc_server isKindOfClass: [LocalSecuritydXPCServer class]]) {
184 LocalSecuritydXPCServer* server = (__bridge LocalSecuritydXPCServer*)gSecurityd->secd_xpc_server;
185 server.fakeEntitlements = [[NSMutableDictionary alloc] init];
186 }
187 }
188
189 void SecAddLocalSecuritydXPCFakeEntitlement(CFStringRef entitlement, CFTypeRef value) {
190 if([(__bridge id) gSecurityd->secd_xpc_server isKindOfClass: [LocalSecuritydXPCServer class]]) {
191 LocalSecuritydXPCServer* server = (__bridge LocalSecuritydXPCServer*)gSecurityd->secd_xpc_server;
192 server.fakeEntitlements[(__bridge NSString*)entitlement] = (__bridge id)value;
193 }
194 }
mirror of Security