]> git.saurik.com Git - apple/security.git/blob - OSX/libsecurity_codesigning/lib/dirscanner.cpp
projects / apple / security.git / blob
? search:


a0cb6361b8a0b7fb959fe6ea2090d36c0ed910f1
[apple/security.git] / OSX / libsecurity_codesigning / lib / dirscanner.cpp
1 /*
2 * Copyright (c) 2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include <dirent.h>
25 #include <unistd.h>
26 #include <security_utilities/cfutilities.h>
27 #include <security_utilities/debugging.h>
28 #include <security_utilities/logging.h>
29 #include "dirscanner.h"
30
31 namespace Security {
32 namespace CodeSigning {
33
34
35 DirScanner::DirScanner(const char *path)
36 : init(false)
37 {
38 this->path = std::string(path);
39 this->initialize();
40 }
41
42 DirScanner::DirScanner(string path)
43 : init(false)
44 {
45 this->path = path;
46 this->initialize();
47 }
48
49 DirScanner::~DirScanner()
50 {
51 if (this->dp != NULL)
52 (void) closedir(this->dp);
53 }
54
55 void DirScanner::initialize()
56 {
57 if (this->dp == NULL) {
58 errno = 0;
59 if ((this->dp = opendir(this->path.c_str())) == NULL) {
60 if (errno == ENOENT) {
61 init = false;
62 } else {
63 UnixError::check(-1);
64 }
65 } else
66 init = true;
67 } else
68 MacOSError::throwMe(errSecInternalError);
69 }
70
71 struct dirent * DirScanner::getNext()
72 {
73 struct dirent* ent;
74 do {
75 int rc = readdir_r(this->dp, &this->entBuffer, &ent);
76 if (rc)
77 UnixError::throwMe(rc);
78 } while (ent && (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0));
79 return ent;
80 }
81
82 bool DirScanner::initialized()
83 {
84 return this->init;
85 }
86
87 void DirScanner::unlink(const struct dirent* ent, int flags)
88 {
89 UnixError::check(::unlinkat(dirfd(this->dp), ent->d_name, flags));
90 }
91
92 bool DirScanner::isRegularFile(dirent* dp)
93 {
94 switch (dp->d_type) {
95 case DT_REG:
96 return true;
97 default:
98 return false;
99 case DT_UNKNOWN:
100 {
101 struct stat st;
102 MacOSError::check(::stat((this->path + "/" + dp->d_name).c_str(), &st));
103 return S_ISREG(st.st_mode);
104 }
105 }
106 }
107
108
109
110 DirValidator::~DirValidator()
111 {
112 for (Rules::iterator it = mRules.begin(); it != mRules.end(); ++it)
113 delete *it;
114 }
115
116 void DirValidator::validate(const string &root, OSStatus error)
117 {
118 std::set<Rule *> reqMatched;
119 FTS fts(root);
120 while (FTSENT *ent = fts_read(fts)) {
121 const char *relpath = ent->fts_path + root.size() + 1; // skip prefix + "/"
122 bool executable = ent->fts_statp->st_mode & (S_IXUSR | S_IXGRP | S_IXOTH);
123 Rule *rule = NULL;
124 switch (ent->fts_info) {
125 case FTS_F:
126 secinfo("dirval", "file %s", ent->fts_path);
127 rule = match(relpath, file, executable);
128 break;
129 case FTS_SL: {
130 secinfo("dirval", "symlink %s", ent->fts_path);
131 char target[PATH_MAX];
132 ssize_t len = ::readlink(ent->fts_accpath, target, sizeof(target)-1);
133 if (len < 0)
134 UnixError::throwMe();
135 target[len] = '\0';
136 rule = match(relpath, symlink, executable, target);
137 break;
138 }
139 case FTS_D:
140 secinfo("dirval", "entering %s", ent->fts_path);
141 if (ent->fts_level == FTS_ROOTLEVEL)
142 continue; // skip root directory
143 rule = match(relpath, directory, executable);
144 if (!rule || !(rule->flags & descend))
145 fts_set(fts, ent, FTS_SKIP); // do not descend
146 break;
147 case FTS_DP:
148 secinfo("dirval", "leaving %s", ent->fts_path);
149 continue;
150 default:
151 secinfo("dirval", "type %d (errno %d): %s", ent->fts_info, ent->fts_errno, ent->fts_path);
152 MacOSError::throwMe(error); // not a file, symlink, or directory
153 }
154 if (!rule)
155 MacOSError::throwMe(error); // no match
156 else if (rule->flags & required)
157 reqMatched.insert(rule);
158 }
159 if (reqMatched.size() != mRequireCount) {
160 secinfo("dirval", "matched %lu of %d required rules", reqMatched.size(), mRequireCount);
161 MacOSError::throwMe(error); // not all required rules were matched
162 }
163 }
164
165 DirValidator::Rule * DirValidator::match(const char *path, uint32_t flags, bool executable, const char *target)
166 {
167 for (Rules::iterator it = mRules.begin(); it != mRules.end(); ++it) {
168 Rule *rule = *it;
169 if ((rule->flags & flags)
170 && !(executable && (rule->flags & noexec))
171 && rule->match(path)
172 && (!target || rule->matchTarget(path, target)))
173 return rule;
174 }
175 return NULL;
176 }
177
178 DirValidator::FTS::FTS(const string &path, int options)
179 {
180 const char * paths[2] = { path.c_str(), NULL };
181 mFTS = fts_open((char * const *)paths, options, NULL);
182 if (!mFTS)
183 UnixError::throwMe();
184 }
185
186 DirValidator::FTS::~FTS()
187 {
188 fts_close(mFTS);
189 }
190
191 DirValidator::Rule::Rule(const string &pattern, uint32_t flags, TargetPatternBuilder targetBlock)
192 : ResourceBuilder::Rule(pattern, 0, flags), mTargetBlock(NULL)
193 {
194 if (targetBlock)
195 mTargetBlock = Block_copy(targetBlock);
196 }
197
198 DirValidator::Rule::~Rule()
199 {
200 if (mTargetBlock)
201 Block_release(mTargetBlock);
202 }
203
204 bool DirValidator::Rule::matchTarget(const char *path, const char *target) const
205 {
206 if (!mTargetBlock) {
207 Syslog::notice("code signing internal problem: !mTargetBlock");
208 MacOSError::throwMe(errSecCSInternalError);
209 }
210 string pattern = mTargetBlock(path, target);
211 if (pattern.empty())
212 return true; // always match empty pattern
213 secinfo("dirval", "%s: match target %s against %s", path, target, pattern.c_str());
214 regex_t re;
215 if (::regcomp(&re, pattern.c_str(), REG_EXTENDED | REG_NOSUB)) {
216 Syslog::notice("code signing internal problem: failed to compile internal RE");
217 MacOSError::throwMe(errSecCSInternalError);
218 }
219 int rv = ::regexec(&re, target, 0, NULL, 0);
220 ::regfree(&re);
221 switch (rv) {
222 case 0:
223 return true;
224 case REG_NOMATCH:
225 return false;
226 default:
227 Syslog::notice("code signing internal error: regexec failed error=%d", rv);
228 MacOSError::throwMe(errSecCSInternalError);
229 }
230 }
231
232
233 } // end namespace CodeSigning
234 } // end namespace Security
mirror of Security