OSX/libsecurity_codesigning/gke/gkclear

   1 #!/usr/bin/python
   2 #
   3 # gkclear - clear system state for Gatekeeper recording sessions
   4 #
   5 # This removes DetachedSignatures, resets SystemPolicy, and removes existing gke files.
   6 #
   7 import sys
   8 import os
   9 import signal
  10 import errno
  11 import subprocess
  12 import shutil
  13
  14
  15 #
  16 # Usage and fail
  17 #
  18 def usage():
  19         print >>sys.stderr, "Usage: %s" % sys.argv[0]
  20         sys.exit(2)
  21
  22 def fail(whatever):
  23         print >>sys.stderr, "%s: %s" % (sys.argv[0], whatever)
  24         sys.exit(1)
  25
  26
  27 #
  28 # Argument processing
  29 #
  30 if len(sys.argv) != 1:
  31         usage()
  32
  33
  34 #
  35 # Places and things
  36 #
  37 db = "/var/db/"
  38 detachedsignatures = db + "DetachedSignatures"
  39 gkeauth = db + "gke.auth"
  40 gkesigs = db + "gke.sigs"
  41 policydb = db + "SystemPolicy"
  42 policydb_default = db + ".SystemPolicy-default"
  43
  44
  45 # must be root
  46 if os.getuid() != 0:
  47         fail("Must have root privileges")
  48
  49
  50 #
  51 # Make sure Gatekeeper is disabled
  52 #
  53 subprocess.check_call(["/usr/sbin/spctl", "--master-disable"])
  54
  55
  56 #
  57 # Clear detached signatures database
  58 #
  59 for file in [detachedsignatures, gkeauth, gkesigs]:
  60         try:
  61                 os.remove(file)
  62         except OSError, e:
  63                 if e[0] != errno.ENOENT:
  64                         raise
  65
  66
  67 #
  68 # Reset system policy to default values
  69 #
  70 shutil.copyfile(policydb_default, policydb)
  71
  72
  73 #
  74 # Kill any extant syspolicyd to flush state
  75 #
  76 null = open("/dev/null", "w")
  77 subprocess.call(["/usr/bin/killall", "syspolicyd"], stderr=null)
  78
  79
  80 #
  81 # Done
  82 #
  83 print "System state has been reset."
  84 sys.exit(0)