2 * Copyright (c) 2011-2016 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
23 #include "policyengine.h"
25 #include "quarantine++.h"
26 #include "codesigning_dtrace.h"
27 #include <security_utilities/cfmunge.h>
28 #include <Security/Security.h>
29 #include <Security/SecCodePriv.h>
30 #include <Security/SecRequirementPriv.h>
31 #include <Security/SecPolicyPriv.h>
32 #include <Security/SecTrustPriv.h>
33 #include <Security/SecCodeSigner.h>
34 #include <Security/cssmapplePriv.h>
35 #include <security_utilities/unix++.h>
39 #include "codedirectory.h"
40 #include "csutilities.h"
41 #include "StaticCode.h"
43 #include <CoreServices/CoreServicesPriv.h>
44 #include "SecCodePriv.h"
45 #undef check // Macro! Yech.
48 #include <OpenScriptingUtilPriv.h>
53 namespace CodeSigning
{
55 static const double NEGATIVE_HOLD
= 60.0/86400; // 60 seconds to cache negative outcomes
57 static const char RECORDER_DIR
[] = "/tmp/gke-"; // recorder mode destination for detached signatures
59 recorder_code_untrusted
= 0, // signed but untrusted
60 recorder_code_adhoc
= 1, // unsigned; signature recorded
61 recorder_code_unable
= 2, // unsigned; unable to record signature
65 static void authorizeUpdate(SecAssessmentFlags flags
, CFDictionaryRef context
);
66 static bool codeInvalidityExceptions(SecStaticCodeRef code
, CFMutableDictionaryRef result
);
67 static CFTypeRef
installerPolicy() CF_RETURNS_RETAINED
;
73 PolicyEngine::PolicyEngine()
74 : PolicyDatabase(NULL
, SQLITE_OPEN_READWRITE
| SQLITE_OPEN_CREATE
)
77 mOpaqueWhitelist
= new OpaqueWhitelist();
79 mOpaqueWhitelist
= NULL
;
80 secerror("Failed opening the gkopaque database.");
84 PolicyEngine::~PolicyEngine()
86 delete mOpaqueWhitelist
;
91 // Top-level evaluation driver
93 void PolicyEngine::evaluate(CFURLRef path
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
, CFMutableDictionaryRef result
)
96 installExplicitSet(gkeAuthFile
, gkeSigsFile
);
98 // find the global evaluation manager
99 EvaluationManager
*evaluationManager
= EvaluationManager::globalManager();
101 // perform the evaluation
102 EvaluationTask
*evaluationTask
= evaluationManager
->evaluationTask(this, path
, type
, flags
, context
, result
);
103 evaluationManager
->finalizeTask(evaluationTask
, flags
, result
);
105 // if rejected, reset the automatic rearm timer
106 if (CFDictionaryGetValue(result
, kSecAssessmentAssessmentVerdict
) == kCFBooleanFalse
)
107 resetRearmTimer("reject");
112 // Create GKE whitelist filter screens.
113 // These are strings that are used to determine quickly whether unsigned code may
114 // have a GKE-style whitelist entry in the authority database. The idea is to make
115 // up a decent hash quickly.
117 // Note: We continue to use SHA1 here for compatibility of existing GKE entries.
118 // These are a prescreen, backed up by code signature checks later on. Use of SHA1 here is not a security problem.
120 static std::string
createWhitelistScreen(char type
, const Byte
*digest
, size_t length
)
122 char buffer
[2*length
+ 2];
124 for (size_t n
= 0; n
< length
; n
++)
125 sprintf(buffer
+ 1 + 2*n
, "%02.2x", digest
[n
]);
129 static std::string
createWhitelistScreen(SecStaticCodeRef code
)
131 DiskRep
*rep
= SecStaticCode::requiredStatic(code
)->diskRep();
133 if (CFRef
<CFDataRef
> info
= rep
->component(cdInfoSlot
)) {
134 // has an Info.plist - hash it
136 hash
.update(CFDataGetBytePtr(info
), CFDataGetLength(info
));
139 return createWhitelistScreen('I', digest
, sizeof(digest
));
140 } else if (CFRef
<CFDataRef
> repSpecific
= rep
->component(cdRepSpecificSlot
)) {
141 // has a rep-specific slot - hash that (this catches disk images cheaply)
142 // got invented after SHA-1 deprecation, so we'll use SHA256, which is the new default
143 CCHashInstance
hash(kCCDigestSHA256
);
144 hash
.update(CFDataGetBytePtr(repSpecific
), CFDataGetLength(repSpecific
));
147 return createWhitelistScreen('R', digest
, sizeof(digest
));
148 } else if (rep
->mainExecutableImage()) {
149 // stand-alone Mach-O executables are always candidates
152 // if everything else fails, hash the (single) file
154 hashFileData(rep
->mainExecutablePath().c_str(), &hash
);
157 return createWhitelistScreen('M', digest
, sizeof(digest
));
162 void PolicyEngine::evaluateCodeItem(SecStaticCodeRef code
, CFURLRef path
, AuthorityType type
, SecAssessmentFlags flags
, bool nested
, CFMutableDictionaryRef result
)
165 SQLite::Statement
query(*this,
166 "SELECT allow, requirement, id, label, expires, flags, disabled, filter_unsigned, remarks FROM scan_authority"
167 " WHERE type = :type"
168 " ORDER BY priority DESC;");
169 query
.bind(":type").integer(type
);
171 SQLite3::int64 latentID
= 0; // first (highest priority) disabled matching ID
172 std::string latentLabel
; // ... and associated label, if any
174 secdebug("gk", "evaluateCodeItem type=%d flags=0x%x nested=%d path=%s", type
, int(flags
), nested
, cfString(path
).c_str());
175 while (query
.nextRow()) {
176 bool allow
= int(query
[0]);
177 const char *reqString
= query
[1];
178 SQLite3::int64 id
= query
[2];
179 const char *label
= query
[3];
180 double expires
= query
[4];
181 sqlite3_int64 ruleFlags
= query
[5];
182 SQLite3::int64 disabled
= query
[6];
183 // const char *filter = query[7];
184 // const char *remarks = query[8];
186 secdebug("gk", "considering rule %d(%s) requirement %s", int(id
), label
? label
: "UNLABELED", reqString
);
187 CFRef
<SecRequirementRef
> requirement
;
188 MacOSError::check(SecRequirementCreateWithString(CFTempString(reqString
), kSecCSDefaultFlags
, &requirement
.aref()));
189 switch (OSStatus rc
= SecStaticCodeCheckValidity(code
, kSecCSBasicValidateOnly
| kSecCSCheckGatekeeperArchitectures
, requirement
)) {
191 break; // rule match; process below
192 case errSecCSReqFailed
:
193 continue; // rule does not apply
195 return; // nested code has failed to pass
197 MacOSError::throwMe(rc
); // general error; pass to caller
200 // if this rule is disabled, skip it but record the first matching one for posterity
201 if (disabled
&& latentID
== 0) {
203 latentLabel
= label
? label
: "";
207 // current rule is first rule (in priority order) that matched. Apply it
208 secnotice("gk", "rule %d applies - allow=%d", int(id
), allow
);
209 if (nested
&& allow
) // success, nothing to record
212 CFRef
<CFDictionaryRef
> info
; // as needed
213 if (flags
& kSecAssessmentFlagRequestOrigin
) {
215 MacOSError::check(SecCodeCopySigningInformation(code
, kSecCSSigningInformation
, &info
.aref()));
216 if (CFArrayRef chain
= CFArrayRef(CFDictionaryGetValue(info
, kSecCodeInfoCertificates
)))
217 setOrigin(chain
, result
);
219 if (!(ruleFlags
& kAuthorityFlagInhibitCache
) && !(flags
& kSecAssessmentFlagNoCache
)) { // cache inhibit
221 MacOSError::check(SecCodeCopySigningInformation(code
, kSecCSSigningInformation
, &info
.aref()));
222 if (SecTrustRef trust
= SecTrustRef(CFDictionaryGetValue(info
, kSecCodeInfoTrust
))) {
223 CFRef
<CFDictionaryRef
> xinfo
;
224 MacOSError::check(SecTrustCopyExtendedResult(trust
, &xinfo
.aref()));
225 if (CFDateRef limit
= CFDateRef(CFDictionaryGetValue(xinfo
, kSecTrustExpirationDate
))) {
226 this->recordOutcome(code
, allow
, type
, min(expires
, dateToJulian(limit
)), id
);
231 if (SYSPOLICY_ASSESS_OUTCOME_ACCEPT_ENABLED()) {
233 MacOSError::check(SecCodeCopySigningInformation(code
, kSecCSSigningInformation
, &info
.aref()));
234 CFDataRef cdhash
= CFDataRef(CFDictionaryGetValue(info
, kSecCodeInfoUnique
));
235 SYSPOLICY_ASSESS_OUTCOME_ACCEPT(cfString(path
).c_str(), type
, label
, cdhash
? CFDataGetBytePtr(cdhash
) : NULL
);
238 if (SYSPOLICY_ASSESS_OUTCOME_DENY_ENABLED() || SYSPOLICY_RECORDER_MODE_ENABLED()) {
240 MacOSError::check(SecCodeCopySigningInformation(code
, kSecCSSigningInformation
, &info
.aref()));
241 CFDataRef cdhash
= CFDataRef(CFDictionaryGetValue(info
, kSecCodeInfoUnique
));
242 std::string cpath
= cfString(path
);
243 const void *hashp
= cdhash
? CFDataGetBytePtr(cdhash
) : NULL
;
244 SYSPOLICY_ASSESS_OUTCOME_DENY(cpath
.c_str(), type
, label
, hashp
);
245 SYSPOLICY_RECORDER_MODE(cpath
.c_str(), type
, label
, hashp
, recorder_code_untrusted
);
248 cfadd(result
, "{%O=%B}", kSecAssessmentAssessmentVerdict
, allow
);
249 addAuthority(flags
, result
, label
, id
, NULL
, false, ruleFlags
);
253 // no applicable authority (but signed, perhaps temporarily). Deny by default
254 secnotice("gk", "rejecting due to lack of matching active rule");
255 CFRef
<CFDictionaryRef
> info
;
256 MacOSError::check(SecCodeCopySigningInformation(code
, kSecCSSigningInformation
, &info
.aref()));
257 if (flags
& kSecAssessmentFlagRequestOrigin
) {
258 if (CFArrayRef chain
= CFArrayRef(CFDictionaryGetValue(info
, kSecCodeInfoCertificates
)))
259 setOrigin(chain
, result
);
261 if (SYSPOLICY_ASSESS_OUTCOME_DEFAULT_ENABLED() || SYSPOLICY_RECORDER_MODE_ENABLED()) {
262 CFDataRef cdhash
= CFDataRef(CFDictionaryGetValue(info
, kSecCodeInfoUnique
));
263 const void *hashp
= cdhash
? CFDataGetBytePtr(cdhash
) : NULL
;
264 std::string cpath
= cfString(path
);
265 SYSPOLICY_ASSESS_OUTCOME_DEFAULT(cpath
.c_str(), type
, latentLabel
.c_str(), hashp
);
266 SYSPOLICY_RECORDER_MODE(cpath
.c_str(), type
, latentLabel
.c_str(), hashp
, 0);
268 if (!(flags
& kSecAssessmentFlagNoCache
))
269 this->recordOutcome(code
, false, type
, this->julianNow() + NEGATIVE_HOLD
, latentID
);
270 cfadd(result
, "{%O=%B}", kSecAssessmentAssessmentVerdict
, false);
271 addAuthority(flags
, result
, latentLabel
.c_str(), latentID
);
274 CFDictionaryRef
PolicyEngine::opaqueWhitelistValidationConditionsFor(SecStaticCodeRef code
)
276 return (mOpaqueWhitelist
!= NULL
) ? mOpaqueWhitelist
->validationConditionsFor(code
) : NULL
;
279 bool PolicyEngine::opaqueWhiteListContains(SecStaticCodeRef code
, SecAssessmentFeedback feedback
, OSStatus reason
)
281 return (mOpaqueWhitelist
!= NULL
) ? mOpaqueWhitelist
->contains(code
, feedback
, reason
) : false;
284 void PolicyEngine::opaqueWhitelistAdd(SecStaticCodeRef code
)
286 if (mOpaqueWhitelist
) {
287 mOpaqueWhitelist
->add(code
);
291 void PolicyEngine::adjustValidation(SecStaticCodeRef code
)
293 CFRef
<CFDictionaryRef
> conditions
= opaqueWhitelistValidationConditionsFor(code
);
294 SecStaticCodeSetValidationConditions(code
, conditions
);
298 bool PolicyEngine::temporarySigning(SecStaticCodeRef code
, AuthorityType type
, CFURLRef path
, SecAssessmentFlags matchFlags
)
300 secnotice("gk", "temporarySigning type=%d matchFlags=0x%x path=%s", type
, int(matchFlags
), cfString(path
).c_str());
302 // see if we have a screened record to take matchFlags from
303 std::string screen
= createWhitelistScreen(code
);
304 SQLite::Statement
query(*this,
305 "SELECT flags FROM authority "
307 " AND NOT flags & :flag"
308 " AND CASE WHEN filter_unsigned IS NULL THEN remarks = :remarks ELSE filter_unsigned = :screen END");
309 query
.bind(":type").integer(type
);
310 query
.bind(":flag").integer(kAuthorityFlagDefault
);
311 query
.bind(":screen") = screen
;
312 query
.bind(":remarks") = cfString(path
);
313 secdebug("gk", "match screen=%s", screen
.c_str());
314 if (query
.nextRow()) // got a matching rule
315 matchFlags
= SQLite3::int64(query
[0]);
316 else if (matchFlags
== 0) // lazy and no match
318 secdebug("gk", "matchFlags found=0x%x", int(matchFlags
));
321 // ad-hoc sign the code and attach the signature
322 CFRef
<CFDataRef
> signature
= CFDataCreateMutable(NULL
, 0);
323 CFTemp
<CFMutableDictionaryRef
> arguments("{%O=%O, %O=#N, %O=%d}", kSecCodeSignerDetached
, signature
.get(), kSecCodeSignerIdentity
,
324 kSecCodeSignerDigestAlgorithm
, (matchFlags
& kAuthorityFlagWhitelistSHA256
) ? kSecCodeSignatureHashSHA256
: kSecCodeSignatureHashSHA1
);
325 // for modern whitelist entries, neuter the identifier since it may be derived from the filename
326 if (matchFlags
& kAuthorityFlagWhitelistSHA256
)
327 CFDictionaryAddValue(arguments
, kSecCodeSignerIdentifier
, CFSTR("ADHOC"));
328 CFRef
<SecCodeSignerRef
> signer
;
329 MacOSError::check(SecCodeSignerCreate(arguments
, (matchFlags
& kAuthorityFlagWhitelistV2
) ? kSecCSSignOpaque
: kSecCSSignV1
, &signer
.aref()));
330 MacOSError::check(SecCodeSignerAddSignature(signer
, code
, kSecCSDefaultFlags
));
331 MacOSError::check(SecCodeSetDetachedSignature(code
, signature
, kSecCSDefaultFlags
));
333 SecRequirementRef dr
= NULL
;
334 SecCodeCopyDesignatedRequirement(code
, kSecCSDefaultFlags
, &dr
);
335 CFStringRef drs
= NULL
;
336 SecRequirementCopyString(dr
, kSecCSDefaultFlags
, &drs
);
337 secnotice("gk", "successfully created temporary signature - requirement=%s", cfString(drs
).c_str());
339 // if we're in GKE recording mode, save that signature and report its location
340 if (SYSPOLICY_RECORDER_MODE_ENABLED()) {
341 int status
= recorder_code_unable
; // ephemeral signature (not recorded)
342 if (geteuid() == 0) {
343 CFRef
<CFUUIDRef
> uuid
= CFUUIDCreate(NULL
);
344 std::string sigfile
= RECORDER_DIR
+ cfStringRelease(CFUUIDCreateString(NULL
, uuid
)) + ".tsig";
346 UnixPlusPlus::AutoFileDesc
fd(sigfile
, O_WRONLY
| O_CREAT
);
347 fd
.write(CFDataGetBytePtr(signature
), CFDataGetLength(signature
));
348 status
= recorder_code_adhoc
; // recorded signature
349 SYSPOLICY_RECORDER_MODE_ADHOC_PATH(cfString(path
).c_str(), type
, sigfile
.c_str());
353 // now report the D probe itself
354 CFRef
<CFDictionaryRef
> info
;
355 MacOSError::check(SecCodeCopySigningInformation(code
, kSecCSDefaultFlags
, &info
.aref()));
356 CFDataRef cdhash
= CFDataRef(CFDictionaryGetValue(info
, kSecCodeInfoUnique
));
357 SYSPOLICY_RECORDER_MODE(cfString(path
).c_str(), type
, "",
358 cdhash
? CFDataGetBytePtr(cdhash
) : NULL
, status
);
361 return true; // it worked; we're now (well) signed
370 // Read from disk, evaluate properly, cache as indicated.
372 void PolicyEngine::evaluateCode(CFURLRef path
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
, CFMutableDictionaryRef result
, bool handleUnsigned
)
374 // not really a Gatekeeper function... but reject all "hard quarantined" files because they were made from sandboxed sources without download privilege
375 if (type
== kAuthorityExecute
) {
376 FileQuarantine
qtn(cfString(path
).c_str());
377 if (qtn
.flag(QTN_FLAG_HARD
))
378 MacOSError::throwMe(errSecCSFileHardQuarantined
);
381 // hack: if caller passed a UTI, use that to turn off app-only checks for some well-known ones
383 if (CFStringRef uti
= CFStringRef(CFDictionaryGetValue(context
, kSecAssessmentContextKeyUTI
))) {
384 appOk
= CFEqual(uti
, CFSTR("com.apple.systempreference.prefpane"))
385 || CFEqual(uti
, CFSTR("com.apple.systempreference.screen-saver"))
386 || CFEqual(uti
, CFSTR("com.apple.systempreference.screen-slide-saver"))
387 || CFEqual(uti
, CFSTR("com.apple.menu-extra"));
390 CFCopyRef
<SecStaticCodeRef
> code
;
391 MacOSError::check(SecStaticCodeCreateWithPath(path
, kSecCSDefaultFlags
, &code
.aref()));
393 SecCSFlags validationFlags
= kSecCSEnforceRevocationChecks
| kSecCSCheckAllArchitectures
;
394 if (!(flags
& kSecAssessmentFlagAllowWeak
))
395 validationFlags
|= kSecCSStrictValidate
;
396 adjustValidation(code
);
398 // deal with a very special case (broken 10.6/10.7 Applet bundles)
399 OSStatus rc
= SecStaticCodeCheckValidity(code
, validationFlags
| kSecCSBasicValidateOnly
, NULL
);
400 if (rc
== errSecCSSignatureFailed
) {
401 if (!codeInvalidityExceptions(code
, result
)) { // invalidly signed, no exceptions -> error
402 if (SYSPOLICY_ASSESS_OUTCOME_BROKEN_ENABLED())
403 SYSPOLICY_ASSESS_OUTCOME_BROKEN(cfString(path
).c_str(), type
, false);
404 MacOSError::throwMe(rc
);
406 // recognized exception - treat as unsigned
407 if (SYSPOLICY_ASSESS_OUTCOME_BROKEN_ENABLED())
408 SYSPOLICY_ASSESS_OUTCOME_BROKEN(cfString(path
).c_str(), type
, true);
409 rc
= errSecCSUnsigned
;
412 // ad-hoc sign unsigned code
413 bool wasAdhocSigned
= false;
414 if (rc
== errSecCSUnsigned
&& handleUnsigned
&& (!overrideAssessment(flags
) || SYSPOLICY_RECORDER_MODE_ENABLED())) {
415 if (temporarySigning(code
, type
, path
, 0)) {
416 wasAdhocSigned
= true;
417 rc
= errSecSuccess
; // clear unsigned; we are now well-signed
418 validationFlags
|= kSecCSBasicValidateOnly
; // no need to re-validate deep contents
422 // prepare for deep traversal of (hopefully) good signatures
423 SecAssessmentFeedback feedback
= SecAssessmentFeedback(CFDictionaryGetValue(context
, kSecAssessmentContextKeyFeedback
));
424 __block CFRef
<CFMutableDictionaryRef
> nestedFailure
= NULL
; // save a nested failure for later
425 MacOSError::check(SecStaticCodeSetCallback(code
, kSecCSDefaultFlags
, NULL
, ^CFTypeRef (SecStaticCodeRef item
, CFStringRef cfStage
, CFDictionaryRef info
) {
426 string stage
= cfString(cfStage
);
427 if (stage
== "prepared") {
428 if (!CFEqual(item
, code
)) // genuine nested (not top) code
429 adjustValidation(item
);
430 } else if (stage
== "progress") {
431 if (feedback
&& CFEqual(item
, code
)) { // top level progress
432 bool proceed
= feedback(kSecAssessmentFeedbackProgress
, info
);
434 SecStaticCodeCancelValidation(code
, kSecCSDefaultFlags
);
436 } else if (stage
== "validated") {
437 SecStaticCodeSetCallback(item
, kSecCSDefaultFlags
, NULL
, NULL
); // clear callback to avoid unwanted recursion
438 evaluateCodeItem(item
, path
, type
, flags
, item
!= code
, result
);
439 if (CFTypeRef verdict
= CFDictionaryGetValue(result
, kSecAssessmentAssessmentVerdict
))
440 if (CFEqual(verdict
, kCFBooleanFalse
)) {
442 return makeCFNumber(OSStatus(errSecCSVetoed
)); // (signal nested-code policy failure, picked up below)
443 // nested code policy failure; save, reset, and continue
445 nestedFailure
= CFMutableDictionaryRef(CFDictionaryGetValue(result
, kSecAssessmentAssessmentAuthority
));
446 CFDictionaryRemoveValue(result
, kSecAssessmentAssessmentAuthority
);
447 CFDictionaryRemoveValue(result
, kSecAssessmentAssessmentVerdict
);
454 SecCSFlags topFlags
= validationFlags
| kSecCSCheckNestedCode
| kSecCSRestrictSymlinks
| kSecCSReportProgress
;
455 if (type
== kAuthorityExecute
&& !appOk
)
456 topFlags
|= kSecCSRestrictToAppLike
;
457 switch (rc
= SecStaticCodeCheckValidity(code
, topFlags
, NULL
)) {
458 case errSecSuccess
: // continue below
460 case errSecCSUnsigned
:
461 cfadd(result
, "{%O=#F}", kSecAssessmentAssessmentVerdict
);
462 addAuthority(flags
, result
, "no usable signature");
464 case errSecCSVetoed
: // nested code rejected by rule book; result was filled out there
466 addToAuthority(result
, kSecAssessmentAssessmentSource
, CFSTR("no usable signature")); // ad-hoc signature proved useless
468 case errSecCSWeakResourceRules
:
469 case errSecCSWeakResourceEnvelope
:
470 case errSecCSResourceNotSupported
:
471 case errSecCSAmbiguousBundleFormat
:
472 case errSecCSSignatureNotVerifiable
:
473 case errSecCSRegularFile
:
474 case errSecCSBadMainExecutable
:
475 case errSecCSBadFrameworkVersion
:
476 case errSecCSUnsealedAppRoot
:
477 case errSecCSUnsealedFrameworkRoot
:
478 case errSecCSInvalidSymlink
:
479 case errSecCSNotAppLike
:
481 // consult the whitelist
484 // we've bypassed evaluateCodeItem before we failed validation. Explicitly apply it now
485 SecStaticCodeSetCallback(code
, kSecCSDefaultFlags
, NULL
, NULL
);
486 evaluateCodeItem(code
, path
, type
, flags
| kSecAssessmentFlagNoCache
, false, result
);
487 if (CFTypeRef verdict
= CFDictionaryGetValue(result
, kSecAssessmentAssessmentVerdict
)) {
488 // verdict rendered from a nested component - signature not acceptable to Gatekeeper
489 if (CFEqual(verdict
, kCFBooleanFalse
)) // nested code rejected by rule book; result was filled out there
491 if (CFEqual(verdict
, kCFBooleanTrue
) && !(flags
& kSecAssessmentFlagIgnoreWhitelist
))
492 if (opaqueWhiteListContains(code
, feedback
, rc
)) {
497 label
= "allowed cdhash";
499 CFDictionaryReplaceValue(result
, kSecAssessmentAssessmentVerdict
, kCFBooleanFalse
);
500 label
= "obsolete resource envelope";
502 cfadd(result
, "{%O=%d}", kSecAssessmentAssessmentCodeSigningError
, rc
);
503 addAuthority(flags
, result
, label
, 0, NULL
, true);
507 MacOSError::throwMe(rc
);
510 if (nestedFailure
&& CFEqual(CFDictionaryGetValue(result
, kSecAssessmentAssessmentVerdict
), kCFBooleanTrue
)) {
511 // structure intact, top level approved, nested code failed policy
512 CFMutableDictionaryRef authority
= CFMutableDictionaryRef(CFDictionaryGetValue(result
, kSecAssessmentAssessmentAuthority
));
513 uint64_t ruleFlags
= cfNumber
<uint64_t>(CFNumberRef(CFDictionaryGetValue(authority
, kSecAssessmentAssessmentAuthorityFlags
)));
514 if (ruleFlags
& kAuthorityFlagDefault
) {
515 // default rule requires positive match at each nested code - reinstate failure
516 CFDictionaryReplaceValue(result
, kSecAssessmentAssessmentVerdict
, kCFBooleanFalse
);
517 CFDictionaryReplaceValue(result
, kSecAssessmentAssessmentAuthority
, nestedFailure
);
524 // Installer archive.
525 // Hybrid policy: If we detect an installer signature, use and validate that.
526 // If we don't, check for a code signature instead.
528 void PolicyEngine::evaluateInstall(CFURLRef path
, SecAssessmentFlags flags
, CFDictionaryRef context
, CFMutableDictionaryRef result
)
530 const AuthorityType type
= kAuthorityInstall
;
532 // check for recent explicit approval, using a bookmark's FileResourceIdentifierKey
533 if (CFRef
<CFDataRef
> bookmark
= cfLoadFile(lastApprovedFile
)) {
535 if (CFRef
<CFURLRef
> url
= CFURLCreateByResolvingBookmarkData(NULL
, bookmark
,
536 kCFBookmarkResolutionWithoutUIMask
| kCFBookmarkResolutionWithoutMountingMask
, NULL
, NULL
, &stale
, NULL
))
537 if (CFRef
<CFDataRef
> savedIdent
= CFDataRef(CFURLCreateResourcePropertyForKeyFromBookmarkData(NULL
, kCFURLFileResourceIdentifierKey
, bookmark
)))
538 if (CFRef
<CFDateRef
> savedMod
= CFDateRef(CFURLCreateResourcePropertyForKeyFromBookmarkData(NULL
, kCFURLContentModificationDateKey
, bookmark
))) {
539 CFRef
<CFDataRef
> currentIdent
;
540 CFRef
<CFDateRef
> currentMod
;
541 if (CFURLCopyResourcePropertyForKey(path
, kCFURLFileResourceIdentifierKey
, ¤tIdent
.aref(), NULL
))
542 if (CFURLCopyResourcePropertyForKey(path
, kCFURLContentModificationDateKey
, ¤tMod
.aref(), NULL
))
543 if (CFEqual(savedIdent
, currentIdent
) && CFEqual(savedMod
, currentMod
)) {
544 cfadd(result
, "{%O=#T}", kSecAssessmentAssessmentVerdict
);
545 addAuthority(flags
, result
, "explicit preference");
551 Xar
xar(cfString(path
).c_str());
553 // follow the code signing path
554 evaluateCode(path
, type
, flags
, context
, result
, true);
558 SQLite3::int64 latentID
= 0; // first (highest priority) disabled matching ID
559 std::string latentLabel
; // ... and associated label, if any
560 if (!xar
.isSigned()) {
562 if (SYSPOLICY_ASSESS_OUTCOME_UNSIGNED_ENABLED())
563 SYSPOLICY_ASSESS_OUTCOME_UNSIGNED(cfString(path
).c_str(), type
);
564 cfadd(result
, "{%O=#F}", kSecAssessmentAssessmentVerdict
);
565 addAuthority(flags
, result
, "no usable signature");
568 if (CFRef
<CFArrayRef
> certs
= xar
.copyCertChain()) {
569 CFRef
<CFTypeRef
> policy
= installerPolicy();
570 CFRef
<SecTrustRef
> trust
;
571 MacOSError::check(SecTrustCreateWithCertificates(certs
, policy
, &trust
.aref()));
572 // MacOSError::check(SecTrustSetAnchorCertificates(trust, cfEmptyArray())); // no anchors
573 MacOSError::check(SecTrustSetOptions(trust
, kSecTrustOptionAllowExpired
| kSecTrustOptionImplicitAnchors
));
575 SecTrustResultType trustResult
;
576 MacOSError::check(SecTrustEvaluate(trust
, &trustResult
));
577 CFRef
<CFArrayRef
> chain
;
578 CSSM_TP_APPLE_EVIDENCE_INFO
*info
;
579 MacOSError::check(SecTrustGetResult(trust
, &trustResult
, &chain
.aref(), &info
));
581 if (flags
& kSecAssessmentFlagRequestOrigin
)
582 setOrigin(chain
, result
);
584 switch (trustResult
) {
585 case kSecTrustResultProceed
:
586 case kSecTrustResultUnspecified
:
591 MacOSError::check(SecTrustGetCssmResultCode(trust
, &rc
));
592 MacOSError::throwMe(rc
);
596 SQLite::Statement
query(*this,
597 "SELECT allow, requirement, id, label, flags, disabled FROM scan_authority"
598 " WHERE type = :type"
599 " ORDER BY priority DESC;");
600 query
.bind(":type").integer(type
);
601 while (query
.nextRow()) {
602 bool allow
= int(query
[0]);
603 const char *reqString
= query
[1];
604 SQLite3::int64 id
= query
[2];
605 const char *label
= query
[3];
606 //sqlite_uint64 ruleFlags = query[4];
607 SQLite3::int64 disabled
= query
[5];
609 CFRef
<SecRequirementRef
> requirement
;
610 MacOSError::check(SecRequirementCreateWithString(CFTempString(reqString
), kSecCSDefaultFlags
, &requirement
.aref()));
611 switch (OSStatus rc
= SecRequirementEvaluate(requirement
, chain
, NULL
, kSecCSDefaultFlags
)) {
612 case errSecSuccess
: // success
614 case errSecCSReqFailed
: // requirement missed, but otherwise okay
616 default: // broken in some way; all tests will fail like this so bail out
617 MacOSError::throwMe(rc
);
625 continue; // the loop
628 if (SYSPOLICY_ASSESS_OUTCOME_ACCEPT_ENABLED() || SYSPOLICY_ASSESS_OUTCOME_DENY_ENABLED()) {
630 SYSPOLICY_ASSESS_OUTCOME_ACCEPT(cfString(path
).c_str(), type
, label
, NULL
);
632 SYSPOLICY_ASSESS_OUTCOME_DENY(cfString(path
).c_str(), type
, label
, NULL
);
635 // not adding to the object cache - we could, but it's not likely to be worth it
636 cfadd(result
, "{%O=%B}", kSecAssessmentAssessmentVerdict
, allow
);
637 addAuthority(flags
, result
, label
, id
);
641 if (SYSPOLICY_ASSESS_OUTCOME_DEFAULT_ENABLED())
642 SYSPOLICY_ASSESS_OUTCOME_DEFAULT(cfString(path
).c_str(), type
, latentLabel
.c_str(), NULL
);
644 // no applicable authority. Deny by default
645 cfadd(result
, "{%O=#F}", kSecAssessmentAssessmentVerdict
);
646 addAuthority(flags
, result
, latentLabel
.c_str(), latentID
);
651 // Create a suitable policy array for verification of installer signatures.
653 static SecPolicyRef
makeRevocationPolicy()
655 CFRef
<SecPolicyRef
> policy(SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod
));
656 return policy
.yield();
659 static CFTypeRef
installerPolicy()
661 CFRef
<SecPolicyRef
> base
= SecPolicyCreateBasicX509();
662 CFRef
<SecPolicyRef
> revoc
= makeRevocationPolicy();
663 return makeCFArray(2, base
.get(), revoc
.get());
668 // LaunchServices-layer document open.
669 // We don't cache those at present. If we ever do, we need to authenticate CoreServicesUIAgent as the source of its risk assessment.
671 void PolicyEngine::evaluateDocOpen(CFURLRef path
, SecAssessmentFlags flags
, CFDictionaryRef context
, CFMutableDictionaryRef result
)
674 FileQuarantine
qtn(cfString(path
).c_str());
675 if (CFDictionaryGetValue(context
, kSecAssessmentContextKeyPrimarySignature
) == kCFBooleanTrue
) {
676 // Client requests that we focus on the code signature on this document and report on that.
677 // On this path, we care about the (code) signature on the document, not its risk assessment,
678 // and any exception is reported as a primary error.
679 if (qtn
.flag(QTN_FLAG_ASSESSMENT_OK
)) {
680 // previously added by user - hacked to say no/no usable signature to trigger proper DMG processing in XProtect
681 cfadd(result
, "{%O=#F}", kSecAssessmentAssessmentVerdict
);
682 addAuthority(flags
, result
, "no usable signature");
685 evaluateCode(path
, kAuthorityOpenDoc
, flags
, context
, result
, true);
688 if (CFStringRef riskCategory
= CFStringRef(CFDictionaryGetValue(context
, kLSDownloadRiskCategoryKey
))) {
690 if (CFEqual(riskCategory
, kLSRiskCategorySafe
)
691 || CFEqual(riskCategory
, kLSRiskCategoryNeutral
)
692 || CFEqual(riskCategory
, kLSRiskCategoryUnknown
)
693 || CFEqual(riskCategory
, kLSRiskCategoryMayContainUnsafeExecutable
)) {
694 cfadd(result
, "{%O=#T}", kSecAssessmentAssessmentVerdict
);
695 addAuthority(flags
, result
, "_XProtect");
696 } else if (qtn
.flag(QTN_FLAG_HARD
)) {
697 MacOSError::throwMe(errSecCSFileHardQuarantined
);
698 } else if (qtn
.flag(QTN_FLAG_ASSESSMENT_OK
)) {
699 // previously added by user
700 cfadd(result
, "{%O=#T}", kSecAssessmentAssessmentVerdict
);
701 addAuthority(flags
, result
, "Prior Assessment");
702 } else if (!overrideAssessment(flags
)) { // no need to do more work if we're off
704 evaluateCode(path
, kAuthorityOpenDoc
, flags
, context
, result
, true);
706 // some documents can't be code signed, so this may be quite benign
709 if (CFDictionaryGetValue(result
, kSecAssessmentAssessmentVerdict
) == NULL
) { // no code signature to help us out
710 cfadd(result
, "{%O=#F}", kSecAssessmentAssessmentVerdict
);
711 addAuthority(flags
, result
, "_XProtect");
713 addToAuthority(result
, kLSDownloadRiskCategoryKey
, riskCategory
);
717 // insufficient information from LS - deny by default
718 cfadd(result
, "{%O=#F}", kSecAssessmentAssessmentVerdict
);
719 addAuthority(flags
, result
, "Insufficient Context");
724 // Result-creation helpers
726 void PolicyEngine::addAuthority(SecAssessmentFlags flags
, CFMutableDictionaryRef parent
, const char *label
, SQLite::int64 row
, CFTypeRef cacheInfo
, bool weak
, uint64_t ruleFlags
)
728 CFRef
<CFMutableDictionaryRef
> auth
= makeCFMutableDictionary();
729 if (label
&& label
[0])
730 cfadd(auth
, "{%O=%s}", kSecAssessmentAssessmentSource
, label
);
732 CFDictionaryAddValue(auth
, kSecAssessmentAssessmentAuthorityRow
, CFTempNumber(row
));
733 if (overrideAssessment(flags
))
734 CFDictionaryAddValue(auth
, kSecAssessmentAssessmentAuthorityOverride
, kDisabledOverride
);
736 CFDictionaryAddValue(auth
, kSecAssessmentAssessmentFromCache
, cacheInfo
);
737 CFDictionaryAddValue(auth
, kSecAssessmentAssessmentAuthorityFlags
, CFTempNumber(ruleFlags
));
739 CFDictionaryAddValue(auth
, kSecAssessmentAssessmentWeakSignature
, kCFBooleanTrue
);
740 CFDictionaryReplaceValue(parent
, kSecAssessmentAssessmentAuthority
, auth
);
742 CFDictionaryAddValue(parent
, kSecAssessmentAssessmentAuthority
, auth
);
746 void PolicyEngine::addToAuthority(CFMutableDictionaryRef parent
, CFStringRef key
, CFTypeRef value
)
748 CFMutableDictionaryRef authority
= CFMutableDictionaryRef(CFDictionaryGetValue(parent
, kSecAssessmentAssessmentAuthority
));
750 CFDictionaryAddValue(authority
, key
, value
);
755 // Add a rule to the policy database
757 CFDictionaryRef
PolicyEngine::add(CFTypeRef inTarget
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
)
759 // default type to execution
760 if (type
== kAuthorityInvalid
)
761 type
= kAuthorityExecute
;
763 authorizeUpdate(flags
, context
);
764 CFDictionary
ctx(context
, errSecCSInvalidAttributeValues
);
765 CFCopyRef
<CFTypeRef
> target
= inTarget
;
766 CFRef
<CFDataRef
> bookmark
= NULL
;
767 std::string filter_unsigned
;
770 case kAuthorityExecute
:
771 normalizeTarget(target
, type
, ctx
, &filter_unsigned
);
772 // bookmarks are untrusted and just a hint to callers
773 bookmark
= ctx
.get
<CFDataRef
>(kSecAssessmentRuleKeyBookmark
);
775 case kAuthorityInstall
:
776 if (inTarget
&& CFGetTypeID(inTarget
) == CFURLGetTypeID()) {
777 // no good way to turn an installer file into a requirement. Pretend to succeeed so caller proceeds
778 CFRef
<CFArrayRef
> properties
= makeCFArray(2, kCFURLFileResourceIdentifierKey
, kCFURLContentModificationDateKey
);
779 CFRef
<CFErrorRef
> error
;
780 CFURLBookmarkCreationOptions options
= kCFURLBookmarkCreationDoNotIncludeSandboxExtensionsMask
| kCFURLBookmarkCreationMinimalBookmarkMask
;
781 if (CFRef
<CFDataRef
> bookmark
= CFURLCreateBookmarkData(NULL
, CFURLRef(inTarget
), options
, properties
, NULL
, &error
.aref())) {
782 UnixPlusPlus::AutoFileDesc
fd(lastApprovedFile
, O_WRONLY
| O_CREAT
| O_TRUNC
);
783 fd
.write(CFDataGetBytePtr(bookmark
), CFDataGetLength(bookmark
));
788 case kAuthorityOpenDoc
:
789 // handle document-open differently: use quarantine flags for whitelisting
790 if (!target
|| CFGetTypeID(target
) != CFURLGetTypeID()) // can only "add" file paths
791 MacOSError::throwMe(errSecCSInvalidObjectRef
);
793 std::string spath
= cfString(target
.as
<CFURLRef
>());
794 FileQuarantine
qtn(spath
.c_str());
795 qtn
.setFlag(QTN_FLAG_ASSESSMENT_OK
);
796 qtn
.applyTo(spath
.c_str());
797 } catch (const CommonError
&error
) {
798 // could not set quarantine flag - report qualified success
799 return cfmake
<CFDictionaryRef
>("{%O=%O,'assessment:error'=%d}",
800 kSecAssessmentAssessmentAuthorityOverride
, CFSTR("error setting quarantine"), error
.osStatus());
802 return cfmake
<CFDictionaryRef
>("{%O=%O}", kSecAssessmentAssessmentAuthorityOverride
, CFSTR("unable to set quarantine"));
807 // if we now have anything else, we're busted
808 if (!target
|| CFGetTypeID(target
) != SecRequirementGetTypeID())
809 MacOSError::throwMe(errSecCSInvalidObjectRef
);
814 double expires
= never
;
816 SQLite::uint64 dbFlags
= kAuthorityFlagWhitelistV2
| kAuthorityFlagWhitelistSHA256
;
818 if (CFNumberRef pri
= ctx
.get
<CFNumberRef
>(kSecAssessmentUpdateKeyPriority
))
819 CFNumberGetValue(pri
, kCFNumberDoubleType
, &priority
);
820 if (CFStringRef lab
= ctx
.get
<CFStringRef
>(kSecAssessmentUpdateKeyLabel
))
821 label
= cfString(lab
);
822 if (CFDateRef time
= ctx
.get
<CFDateRef
>(kSecAssessmentUpdateKeyExpires
))
823 // we're using Julian dates here; convert from CFDate
824 expires
= dateToJulian(time
);
825 if (CFBooleanRef allowing
= ctx
.get
<CFBooleanRef
>(kSecAssessmentUpdateKeyAllow
))
826 allow
= allowing
== kCFBooleanTrue
;
827 if (CFStringRef rem
= ctx
.get
<CFStringRef
>(kSecAssessmentUpdateKeyRemarks
))
828 remarks
= cfString(rem
);
830 CFRef
<CFStringRef
> requirementText
;
831 MacOSError::check(SecRequirementCopyString(target
.as
<SecRequirementRef
>(), kSecCSDefaultFlags
, &requirementText
.aref()));
832 SQLite::Transaction
xact(*this, SQLite3::Transaction::deferred
, "add_rule");
833 SQLite::Statement
insert(*this,
834 "INSERT INTO authority (type, allow, requirement, priority, label, expires, filter_unsigned, remarks, flags)"
835 " VALUES (:type, :allow, :requirement, :priority, :label, :expires, :filter_unsigned, :remarks, :flags);");
836 insert
.bind(":type").integer(type
);
837 insert
.bind(":allow").integer(allow
);
838 insert
.bind(":requirement") = requirementText
.get();
839 insert
.bind(":priority") = priority
;
841 insert
.bind(":label") = label
;
842 insert
.bind(":expires") = expires
;
843 insert
.bind(":filter_unsigned") = filter_unsigned
.empty() ? NULL
: filter_unsigned
.c_str();
844 if (!remarks
.empty())
845 insert
.bind(":remarks") = remarks
;
846 insert
.bind(":flags").integer(dbFlags
);
848 SQLite::int64 newRow
= this->lastInsert();
850 SQLite::Statement
bi(*this, "INSERT INTO bookmarkhints (bookmark, authority) VALUES (:bookmark, :authority)");
851 bi
.bind(":bookmark") = CFDataRef(bookmark
);
852 bi
.bind(":authority").integer(newRow
);
855 this->purgeObjects(priority
);
857 notify_post(kNotifySecAssessmentUpdate
);
858 return cfmake
<CFDictionaryRef
>("{%O=%d}", kSecAssessmentUpdateKeyRow
, newRow
);
862 CFDictionaryRef
PolicyEngine::remove(CFTypeRef target
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
)
864 if (type
== kAuthorityOpenDoc
) {
865 // handle document-open differently: use quarantine flags for whitelisting
866 authorizeUpdate(flags
, context
);
867 if (!target
|| CFGetTypeID(target
) != CFURLGetTypeID())
868 MacOSError::throwMe(errSecCSInvalidObjectRef
);
869 std::string spath
= cfString(CFURLRef(target
)).c_str();
870 FileQuarantine
qtn(spath
.c_str());
871 qtn
.clearFlag(QTN_FLAG_ASSESSMENT_OK
);
872 qtn
.applyTo(spath
.c_str());
875 return manipulateRules("DELETE FROM authority", target
, type
, flags
, context
, true);
878 CFDictionaryRef
PolicyEngine::enable(CFTypeRef target
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
, bool authorize
)
880 return manipulateRules("UPDATE authority SET disabled = 0", target
, type
, flags
, context
, authorize
);
883 CFDictionaryRef
PolicyEngine::disable(CFTypeRef target
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
, bool authorize
)
885 return manipulateRules("UPDATE authority SET disabled = 1", target
, type
, flags
, context
, authorize
);
888 CFDictionaryRef
PolicyEngine::find(CFTypeRef target
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
)
890 //for privacy reasons we only want to allow the admin to list the database
891 authorizeUpdate(flags
, context
);
893 SQLite::Statement
query(*this);
894 selectRules(query
, "SELECT scan_authority.id, scan_authority.type, scan_authority.requirement, scan_authority.allow, scan_authority.label, scan_authority.priority, scan_authority.remarks, scan_authority.expires, scan_authority.disabled, bookmarkhints.bookmark FROM scan_authority LEFT OUTER JOIN bookmarkhints ON scan_authority.id = bookmarkhints.authority",
895 "scan_authority", target
, type
, flags
, context
,
896 " ORDER BY priority DESC");
897 CFRef
<CFMutableArrayRef
> found
= makeCFMutableArray(0);
898 while (query
.nextRow()) {
899 SQLite::int64 id
= query
[0];
900 int type
= int(query
[1]);
901 const char *requirement
= query
[2];
902 int allow
= int(query
[3]);
903 const char *label
= query
[4];
904 double priority
= query
[5];
905 const char *remarks
= query
[6];
906 double expires
= query
[7];
907 int disabled
= int(query
[8]);
908 CFRef
<CFDataRef
> bookmark
= query
[9].data();
909 CFRef
<CFMutableDictionaryRef
> rule
= makeCFMutableDictionary(5,
910 kSecAssessmentRuleKeyID
, CFTempNumber(id
).get(),
911 kSecAssessmentRuleKeyType
, CFRef
<CFStringRef
>(typeNameFor(type
)).get(),
912 kSecAssessmentRuleKeyRequirement
, CFTempString(requirement
).get(),
913 kSecAssessmentRuleKeyAllow
, allow
? kCFBooleanTrue
: kCFBooleanFalse
,
914 kSecAssessmentRuleKeyPriority
, CFTempNumber(priority
).get()
917 CFDictionaryAddValue(rule
, kSecAssessmentRuleKeyLabel
, CFTempString(label
));
919 CFDictionaryAddValue(rule
, kSecAssessmentRuleKeyRemarks
, CFTempString(remarks
));
920 if (expires
!= never
)
921 CFDictionaryAddValue(rule
, kSecAssessmentRuleKeyExpires
, CFRef
<CFDateRef
>(julianToDate(expires
)));
923 CFDictionaryAddValue(rule
, kSecAssessmentRuleKeyDisabled
, CFTempNumber(disabled
));
925 CFDictionaryAddValue(rule
, kSecAssessmentRuleKeyBookmark
, bookmark
);
926 CFArrayAppendValue(found
, rule
);
928 if (CFArrayGetCount(found
) == 0)
929 MacOSError::throwMe(errSecCSNoMatches
);
930 return cfmake
<CFDictionaryRef
>("{%O=%O}", kSecAssessmentUpdateKeyFound
, found
.get());
934 CFDictionaryRef
PolicyEngine::update(CFTypeRef target
, SecAssessmentFlags flags
, CFDictionaryRef context
)
937 installExplicitSet(gkeAuthFile
, gkeSigsFile
);
939 AuthorityType type
= typeFor(context
, kAuthorityInvalid
);
940 CFStringRef edit
= CFStringRef(CFDictionaryGetValue(context
, kSecAssessmentContextKeyUpdate
));
941 CFDictionaryRef result
;
942 if (CFEqual(edit
, kSecAssessmentUpdateOperationAdd
))
943 result
= this->add(target
, type
, flags
, context
);
944 else if (CFEqual(edit
, kSecAssessmentUpdateOperationRemove
))
945 result
= this->remove(target
, type
, flags
, context
);
946 else if (CFEqual(edit
, kSecAssessmentUpdateOperationEnable
))
947 result
= this->enable(target
, type
, flags
, context
, true);
948 else if (CFEqual(edit
, kSecAssessmentUpdateOperationDisable
))
949 result
= this->disable(target
, type
, flags
, context
, true);
950 else if (CFEqual(edit
, kSecAssessmentUpdateOperationFind
))
951 result
= this->find(target
, type
, flags
, context
);
953 MacOSError::throwMe(errSecCSInvalidAttributeValues
);
955 result
= makeCFDictionary(0); // success, no details
961 // Construct and prepare an SQL query on the authority table, operating on some set of existing authority records.
962 // In essence, this appends a suitable WHERE clause to the stanza passed and prepares it on the statement given.
964 void PolicyEngine::selectRules(SQLite::Statement
&action
, std::string phrase
, std::string table
,
965 CFTypeRef inTarget
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
, std::string suffix
/* = "" */)
967 CFDictionary
ctx(context
, errSecCSInvalidAttributeValues
);
968 CFCopyRef
<CFTypeRef
> target
= inTarget
;
969 std::string filter_unsigned
; // ignored; used just to trigger ad-hoc signing
970 normalizeTarget(target
, type
, ctx
, &filter_unsigned
);
973 if (CFStringRef lab
= ctx
.get
<CFStringRef
>(kSecAssessmentUpdateKeyLabel
))
974 label
= cfString(CFStringRef(lab
));
978 if (type
== kAuthorityInvalid
) {
979 action
.query(phrase
+ suffix
);
981 action
.query(phrase
+ " WHERE " + table
+ ".type = :type" + suffix
);
982 action
.bind(":type").integer(type
);
984 } else { // have label
985 if (type
== kAuthorityInvalid
) {
986 action
.query(phrase
+ " WHERE " + table
+ ".label = :label" + suffix
);
988 action
.query(phrase
+ " WHERE " + table
+ ".type = :type AND " + table
+ ".label = :label" + suffix
);
989 action
.bind(":type").integer(type
);
991 action
.bind(":label") = label
;
993 } else if (CFGetTypeID(target
) == CFNumberGetTypeID()) {
994 action
.query(phrase
+ " WHERE " + table
+ ".id = :id" + suffix
);
995 action
.bind(":id").integer(cfNumber
<uint64_t>(target
.as
<CFNumberRef
>()));
996 } else if (CFGetTypeID(target
) == SecRequirementGetTypeID()) {
997 if (type
== kAuthorityInvalid
)
998 type
= kAuthorityExecute
;
999 CFRef
<CFStringRef
> requirementText
;
1000 MacOSError::check(SecRequirementCopyString(target
.as
<SecRequirementRef
>(), kSecCSDefaultFlags
, &requirementText
.aref()));
1001 action
.query(phrase
+ " WHERE " + table
+ ".type = :type AND " + table
+ ".requirement = :requirement" + suffix
);
1002 action
.bind(":type").integer(type
);
1003 action
.bind(":requirement") = requirementText
.get();
1005 MacOSError::throwMe(errSecCSInvalidObjectRef
);
1010 // Execute an atomic change to existing records in the authority table.
1012 CFDictionaryRef
PolicyEngine::manipulateRules(const std::string
&stanza
,
1013 CFTypeRef inTarget
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
, bool authorize
)
1015 SQLite::Transaction
xact(*this, SQLite3::Transaction::deferred
, "rule_change");
1016 SQLite::Statement
action(*this);
1018 authorizeUpdate(flags
, context
);
1019 selectRules(action
, stanza
, "authority", inTarget
, type
, flags
, context
);
1021 unsigned int changes
= this->changes(); // latch change count
1022 // We MUST purge objects with priority <= MAX(priority of any changed rules);
1023 // but for now we just get lazy and purge them ALL.
1025 this->purgeObjects(1.0E100
);
1027 notify_post(kNotifySecAssessmentUpdate
);
1028 return cfmake
<CFDictionaryRef
>("{%O=%d}", kSecAssessmentUpdateKeyCount
, changes
);
1030 // no change; return an error
1031 MacOSError::throwMe(errSecCSNoMatches
);
1036 // Fill in extra information about the originator of cryptographic credentials found - if any
1038 void PolicyEngine::setOrigin(CFArrayRef chain
, CFMutableDictionaryRef result
)
1041 if (CFArrayGetCount(chain
) > 0)
1042 if (SecCertificateRef leaf
= SecCertificateRef(CFArrayGetValueAtIndex(chain
, 0)))
1043 if (CFStringRef summary
= SecCertificateCopyLongDescription(NULL
, leaf
, NULL
)) {
1044 CFDictionarySetValue(result
, kSecAssessmentAssessmentOriginator
, summary
);
1051 // Take an assessment outcome and record it in the object cache
1053 void PolicyEngine::recordOutcome(SecStaticCodeRef code
, bool allow
, AuthorityType type
, double expires
, SQLite::int64 authority
)
1055 CFRef
<CFDictionaryRef
> info
;
1056 MacOSError::check(SecCodeCopySigningInformation(code
, kSecCSDefaultFlags
, &info
.aref()));
1057 CFDataRef cdHash
= CFDataRef(CFDictionaryGetValue(info
, kSecCodeInfoUnique
));
1058 assert(cdHash
); // was signed
1059 CFRef
<CFURLRef
> path
;
1060 MacOSError::check(SecCodeCopyPath(code
, kSecCSDefaultFlags
, &path
.aref()));
1062 SQLite::Transaction
xact(*this, SQLite3::Transaction::deferred
, "caching");
1063 SQLite::Statement
insert(*this,
1064 "INSERT OR REPLACE INTO object (type, allow, hash, expires, path, authority)"
1065 " VALUES (:type, :allow, :hash, :expires, :path,"
1066 " CASE :authority WHEN 0 THEN (SELECT id FROM authority WHERE label = 'No Matching Rule') ELSE :authority END"
1068 insert
.bind(":type").integer(type
);
1069 insert
.bind(":allow").integer(allow
);
1070 insert
.bind(":hash") = cdHash
;
1071 insert
.bind(":expires") = expires
;
1072 insert
.bind(":path") = cfString(path
);
1073 insert
.bind(":authority").integer(authority
);
1080 // Record a UI failure record after proper validation of the caller
1082 void PolicyEngine::recordFailure(CFDictionaryRef info
)
1084 CFRef
<CFDataRef
> infoData
= makeCFData(info
);
1085 UnixPlusPlus::AutoFileDesc
fd(lastRejectFile
, O_WRONLY
| O_CREAT
| O_TRUNC
);
1086 fd
.write(CFDataGetBytePtr(infoData
), CFDataGetLength(infoData
));
1087 notify_post(kNotifySecAssessmentRecordingChange
);
1092 // Perform update authorization processing.
1093 // Throws an exception if authorization is denied.
1095 static void authorizeUpdate(SecAssessmentFlags flags
, CFDictionaryRef context
)
1097 AuthorizationRef authorization
= NULL
;
1100 if (CFTypeRef authkey
= CFDictionaryGetValue(context
, kSecAssessmentUpdateKeyAuthorization
))
1101 if (CFGetTypeID(authkey
) == CFDataGetTypeID()) {
1102 CFDataRef authdata
= CFDataRef(authkey
);
1103 if (CFDataGetLength(authdata
) != sizeof(AuthorizationExternalForm
))
1104 MacOSError::throwMe(errSecCSInvalidObjectRef
);
1105 MacOSError::check(AuthorizationCreateFromExternalForm((AuthorizationExternalForm
*)CFDataGetBytePtr(authdata
), &authorization
));
1107 if (authorization
== NULL
)
1108 MacOSError::throwMe(errSecCSDBDenied
);
1110 AuthorizationItem right
[] = {
1111 { "com.apple.security.assessment.update", 0, NULL
, 0 }
1113 AuthorizationRights rights
= { sizeof(right
) / sizeof(right
[0]), right
};
1114 MacOSError::check(AuthorizationCopyRights(authorization
, &rights
, NULL
,
1115 kAuthorizationFlagExtendRights
| kAuthorizationFlagInteractionAllowed
, NULL
));
1117 MacOSError::check(AuthorizationFree(authorization
, kAuthorizationFlagDefaults
));
1122 // Perform common argument normalizations for update operations
1124 void PolicyEngine::normalizeTarget(CFRef
<CFTypeRef
> &target
, AuthorityType type
, CFDictionary
&context
, std::string
*signUnsigned
)
1126 // turn CFURLs into (designated) SecRequirements
1127 if (target
&& CFGetTypeID(target
) == CFURLGetTypeID()) {
1128 CFRef
<SecStaticCodeRef
> code
;
1129 CFURLRef path
= target
.as
<CFURLRef
>();
1130 MacOSError::check(SecStaticCodeCreateWithPath(path
, kSecCSDefaultFlags
, &code
.aref()));
1131 switch (OSStatus rc
= SecCodeCopyDesignatedRequirement(code
, kSecCSDefaultFlags
, (SecRequirementRef
*)&target
.aref())) {
1132 case errSecSuccess
: {
1133 // use the *default* DR to avoid unreasonably wide DRs opening up Gatekeeper to attack
1134 CFRef
<CFDictionaryRef
> info
;
1135 MacOSError::check(SecCodeCopySigningInformation(code
, kSecCSRequirementInformation
, &info
.aref()));
1136 target
= CFDictionaryGetValue(info
, kSecCodeInfoImplicitDesignatedRequirement
);
1139 case errSecCSUnsigned
:
1140 if (signUnsigned
&& temporarySigning(code
, type
, path
, kAuthorityFlagWhitelistV2
| kAuthorityFlagWhitelistSHA256
)) { // ad-hoc sign the code temporarily
1141 MacOSError::check(SecCodeCopyDesignatedRequirement(code
, kSecCSDefaultFlags
, (SecRequirementRef
*)&target
.aref()));
1142 *signUnsigned
= createWhitelistScreen(code
);
1145 MacOSError::check(rc
);
1146 case errSecCSSignatureFailed
:
1147 // recover certain cases of broken signatures (well, try)
1148 if (codeInvalidityExceptions(code
, NULL
)) {
1149 // Ad-hoc sign the code in place (requiring a writable subject). This requires root privileges.
1150 CFRef
<SecCodeSignerRef
> signer
;
1151 CFTemp
<CFDictionaryRef
> arguments("{%O=#N}", kSecCodeSignerIdentity
);
1152 MacOSError::check(SecCodeSignerCreate(arguments
, kSecCSSignOpaque
, &signer
.aref()));
1153 MacOSError::check(SecCodeSignerAddSignature(signer
, code
, kSecCSDefaultFlags
));
1154 MacOSError::check(SecCodeCopyDesignatedRequirement(code
, kSecCSDefaultFlags
, (SecRequirementRef
*)&target
.aref()));
1157 MacOSError::check(rc
);
1159 MacOSError::check(rc
);
1161 if (context
.get(kSecAssessmentUpdateKeyRemarks
) == NULL
) {
1162 // no explicit remarks; add one with the path
1163 CFRef
<CFURLRef
> path
;
1164 MacOSError::check(SecCodeCopyPath(code
, kSecCSDefaultFlags
, &path
.aref()));
1165 CFMutableDictionaryRef dict
= makeCFMutableDictionary(context
.get());
1166 CFDictionaryAddValue(dict
, kSecAssessmentUpdateKeyRemarks
, CFTempString(cfString(path
)));
1169 CFStringRef edit
= CFStringRef(context
.get(kSecAssessmentContextKeyUpdate
));
1170 if (type
== kAuthorityExecute
&& CFEqual(edit
, kSecAssessmentUpdateOperationAdd
)) {
1171 // implicitly whitelist the code
1172 opaqueWhitelistAdd(code
);
1179 // Process special overrides for invalidly signed code.
1180 // This is the (hopefully minimal) concessions we make to keep hurting our customers
1181 // for our own prior mistakes...
1183 static bool codeInvalidityExceptions(SecStaticCodeRef code
, CFMutableDictionaryRef result
)
1185 CFRef
<CFDictionaryRef
> info
;
1186 MacOSError::check(SecCodeCopySigningInformation(code
, kSecCSDefaultFlags
, &info
.aref()));
1187 if (CFURLRef executable
= CFURLRef(CFDictionaryGetValue(info
, kSecCodeInfoMainExecutable
))) {
1189 if (OSAIsRecognizedExecutableURL(executable
, &error
)) {
1191 CFDictionaryAddValue(result
,
1192 kSecAssessmentAssessmentAuthorityOverride
, CFSTR("ignoring known invalid applet signature"));
1200 } // end namespace CodeSigning
1201 } // end namespace Security