OSX/libsecurity_codesigning/CodeSigningHelper/main.cpp

   1 /*
   2  * Copyright (c) 2016 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23 #include <Security/CodeSigning.h>
  24 #include <Security/SecCodePriv.h>
  25 #include <xpc/xpc.h>
  26 #include <sandbox.h>
  27 #include <security_utilities/cfutilities.h>
  28 #include <security_utilities/cfmunge.h>
  29 #include <security_utilities/logging.h>
  30 #include "codedirectory.h"
  31
  32
  33
  34 static void
  35 request(xpc_connection_t peer, xpc_object_t event)
  36 {
  37         OSStatus rc;
  38
  39         pid_t pid = (pid_t)xpc_dictionary_get_int64(event, "pid");
  40         if (pid <= 0)
  41                 return;
  42
  43         size_t audit_size;
  44         audit_token_t const *audit =
  45                 (audit_token_t const *)xpc_dictionary_get_data(event, "audit", &audit_size);
  46
  47         if (audit != NULL && audit_size != sizeof(audit_token_t)) {
  48                 Syslog::error("audit token has unexpected size %zu", audit_size);
  49                 return;
  50         }
  51
  52         xpc_object_t reply = xpc_dictionary_create_reply(event);
  53         if (reply == NULL)
  54                 return;
  55
  56         CFTemp<CFMutableDictionaryRef> attributes("{%O=%d}", kSecGuestAttributePid, pid);
  57
  58         if (audit != NULL) {
  59                 CFRef<CFDataRef> auditData = makeCFData(audit, audit_size);
  60                 CFDictionaryAddValue(attributes.get(), kSecGuestAttributeAudit,
  61                                                          auditData);
  62         }
  63         CFRef<SecCodeRef> code;
  64         if ((rc = SecCodeCopyGuestWithAttributes(NULL, attributes, kSecCSDefaultFlags, &code.aref())) == noErr) {
  65
  66                 // path to base of client code
  67                 CFRef<CFURLRef> codePath;
  68                 if ((rc = SecCodeCopyPath(code, kSecCSDefaultFlags, &codePath.aref())) == noErr) {
  69                         CFRef<CFDataRef> data = CFURLCreateData(NULL, codePath, kCFStringEncodingUTF8, true);
  70                         xpc_dictionary_set_data(reply, "bundleURL", CFDataGetBytePtr(data), CFDataGetLength(data));
  71                 }
  72
  73                 // if the caller wants the Info.plist, get it and verify the hash passed by the caller
  74                 size_t iphLength;
  75                 if (const void *iphash = xpc_dictionary_get_data(event, "infohash", &iphLength)) {
  76                         if (CFRef<CFDataRef> data = SecCodeCopyComponent(code, Security::CodeSigning::cdInfoSlot, CFTempData(iphash, iphLength))) {
  77                                 xpc_dictionary_set_data(reply, "infoPlist", CFDataGetBytePtr(data), CFDataGetLength(data));
  78                         }
  79                 }
  80         }
  81         xpc_connection_send_message(peer, reply);
  82         xpc_release(reply);
  83 }
  84
  85
  86 static void CodeSigningHelper_peer_event_handler(xpc_connection_t peer, xpc_object_t event)
  87 {
  88         xpc_type_t type = xpc_get_type(event);
  89         if (type == XPC_TYPE_ERROR)
  90                 return;
  91
  92         assert(type == XPC_TYPE_DICTIONARY);
  93
  94         const char *cmd = xpc_dictionary_get_string(event, "command");
  95         if (cmd == NULL) {
  96                 xpc_connection_cancel(peer);
  97         } else if (strcmp(cmd, "fetchData") == 0)
  98                 request(peer, event);
  99         else {
 100                 Syslog::error("peer sent invalid command %s", cmd);
 101                 xpc_connection_cancel(peer);
 102         }
 103 }
 104
 105
 106 static void CodeSigningHelper_event_handler(xpc_connection_t peer)
 107 {
 108         xpc_connection_set_event_handler(peer, ^(xpc_object_t event) {
 109                 CodeSigningHelper_peer_event_handler(peer, event);
 110         });
 111         xpc_connection_resume(peer);
 112 }
 113
 114 int main(int argc, const char *argv[])
 115 {
 116         char *error = NULL;
 117         if (sandbox_init("com.apple.CodeSigningHelper", SANDBOX_NAMED, &error)) {
 118                 Syslog::error("failed to enter sandbox: %s", error);
 119                 exit(EXIT_FAILURE);
 120         }
 121         xpc_main(CodeSigningHelper_event_handler);
 122         return 0;
 123 }