]> git.saurik.com Git - apple/security.git/blob - OSX/sec/ipc/server.c
projects / apple / security.git / blob
? search:


e338b59a840b67e5a60dff4ebdbdbb9dd7a41e3c
[apple/security.git] / OSX / sec / ipc / server.c
1 /*
2 * Copyright (c) 2007-2017 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24 #include <Security/SecureObjectSync/SOSPeerInfoDER.h>
25 #include <Security/SecureObjectSync/SOSCloudCircle.h>
26 #include <Security/SecureObjectSync/SOSCloudCircleInternal.h>
27 #include <Security/SecureObjectSync/SOSInternal.h>
28 #include <Security/SecureObjectSync/SOSPeerInfoCollections.h>
29 #include <Security/SecureObjectSync/SOSControlServer.h>
30 #include <Security/SecBase.h>
31 #include <Security/SecBasePriv.h>
32 #include <Security/SecCertificatePriv.h>
33 #include <Security/SecEntitlements.h>
34 #include <Security/SecInternal.h>
35 #include <Security/SecItem.h>
36 #include <Security/SecItemPriv.h>
37 #include <Security/SecPolicy.h>
38 #include <Security/SecPolicyInternal.h>
39 #include <Security/SecTask.h>
40 #include <Security/SecTrustInternal.h>
41 #include <Security/SecuritydXPC.h>
42 #include <securityd/OTATrustUtilities.h>
43 #include <securityd/SOSCloudCircleServer.h>
44 #include <securityd/SecItemBackupServer.h>
45 #include <securityd/SecItemServer.h>
46 #include <securityd/SecLogSettingsServer.h>
47 #include <securityd/SecOTRRemote.h>
48 #include <securityd/SecTrustServer.h>
49 #include <securityd/SecTrustStoreServer.h>
50 #include <securityd/iCloudTrace.h>
51 #include <securityd/spi.h>
52 #include <utilities/SecCFError.h>
53 #include <utilities/SecCFWrappers.h>
54 #include <utilities/SecDb.h>
55 #include <utilities/SecIOFormat.h>
56 #include <utilities/SecXPCError.h>
57 #include <utilities/debugging.h>
58 #include <utilities/SecInternalReleasePriv.h>
59 #include <utilities/der_plist_internal.h>
60 #include <utilities/der_plist.h>
61 #include <securityd/personalization.h>
62 #include <securityd/SecPinningDb.h>
63 #include <securityd/SFKeychainControlManager.h>
64
65 #include <keychain/ckks/CKKS.h>
66 #include <keychain/ckks/CKKSControlServer.h>
67 #include "keychain/ot/OctagonControlServer.h"
68
69 #include <AssertMacros.h>
70 #include <CoreFoundation/CFXPCBridge.h>
71 #include <CoreFoundation/CoreFoundation.h>
72 // <rdar://problem/22425706> 13B104+Roots:Device never moved past spinner after using approval to ENABLE icdp
73
74 #if TARGET_OS_OSX
75 #include <Security/SecTaskPriv.h>
76 #include <login/SessionAgentStatusCom.h>
77 #endif
78 #include <asl.h>
79 #include <bsm/libbsm.h>
80 #include <ipc/securityd_client.h>
81 #include <libkern/OSAtomic.h>
82 #include <mach/mach.h>
83 #include <mach/message.h>
84 #include <notify.h>
85 #include <stdlib.h>
86 #include <sys/queue.h>
87 #include <sys/sysctl.h>
88 #include <syslog.h>
89 #include <xpc/private.h>
90 #include <xpc/xpc.h>
91
92 #include <ipc/server_security_helpers.h>
93 #include <ipc/server_entitlement_helpers.h>
94
95 #if TARGET_OS_OSX
96 #include <sandbox.h>
97 #include <pwd.h>
98 #include <err.h>
99 #endif
100
101 static bool accessGroupPermitted(SecurityClient* client, CFArrayRef accessGroups, CFStringRef accessGroup) {
102 /* NULL accessGroups is wildcard. */
103 if (!accessGroups)
104 return true;
105 /* Make sure we have a string. */
106 if (!isString(accessGroup))
107 return false;
108
109 /* Having the special accessGroup "*" allows access to all accessGroups. */
110 CFRange range = { 0, CFArrayGetCount(accessGroups) };
111 if (range.length &&
112 (CFArrayContainsValue(accessGroups, range, accessGroup) ||
113 CFArrayContainsValue(accessGroups, range, CFSTR("*"))))
114 return true;
115
116 return false;
117 }
118
119 static bool extractAccessGroup(SecurityClient *client, CFStringRef requestedAgrp, CFStringRef *resolvedAgrp, CFErrorRef *error) {
120 bool ok = true;
121
122 /* Access group sanity checking.
123 Similar to accessGroupsAllows, but ignores accessGroupIsNetworkExtensionAndClientIsEntitled */
124 CFArrayRef accessGroups = client->accessGroups;
125 CFStringRef agrp = requestedAgrp;
126 /* Having the special accessGroup "*" allows access to all accessGroups. */
127 if (CFArrayContainsValue(accessGroups, CFRangeMake(0,CFArrayGetCount(accessGroups)), CFSTR("*")))
128 accessGroups = NULL;
129
130 if (requestedAgrp) {
131 /* The user specified an explicit access group, validate it. */
132 if (!accessGroupPermitted(client, accessGroups, requestedAgrp))
133 ok = SecError(errSecMissingEntitlement, error, CFSTR("explicit accessGroup %@ not in client access %@"), requestedAgrp, accessGroups);
134 } else {
135 // We are using an implicit access group
136 // Add it as if the user specified it as an attribute.
137 agrp = (CFStringRef)CFArrayGetValueAtIndex(client->accessGroups, 0);
138 }
139
140 if (agrp && resolvedAgrp)
141 *resolvedAgrp = agrp;
142 return ok;
143 }
144
145 static void with_label_and_password(xpc_object_t message, void (^action)(CFStringRef label, CFDataRef password)) {
146 const char *label_utf8 = xpc_dictionary_get_string(message, kSecXPCKeyUserLabel);
147
148 if (label_utf8) { // Anything we would do here requires a user label
149 size_t password_length = 0;
150 const void *password_data = xpc_dictionary_get_data(message, kSecXPCKeyUserPassword, &password_length);
151
152 CFDataRef user_password = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, password_data, password_length, kCFAllocatorNull);
153 CFStringRef user_label = CFStringCreateWithCString(kCFAllocatorDefault, label_utf8, kCFStringEncodingUTF8);
154
155 action(user_label, user_password);
156
157 CFReleaseNull(user_password);
158 CFReleaseNull(user_label);
159 }
160 }
161
162 static void with_label_and_password_and_dsid(xpc_object_t message, void (^action)(CFStringRef label, CFDataRef password, CFStringRef dsid)) {
163 const char *label_utf8 = xpc_dictionary_get_string(message, kSecXPCKeyUserLabel);
164
165 if (label_utf8) { // Anything we would do here requires a user label
166 size_t password_length = 0;
167 const void *password_data = xpc_dictionary_get_data(message, kSecXPCKeyUserPassword, &password_length);
168 const char *xdsid = xpc_dictionary_get_string(message, kSecXPCKeyDSID);
169
170 CFDataRef user_password = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, password_data, password_length, kCFAllocatorNull);
171 CFStringRef user_label = CFStringCreateWithCString(kCFAllocatorDefault, label_utf8, kCFStringEncodingUTF8);
172 CFStringRef dsid = CFStringCreateWithCString(kCFAllocatorDefault, xdsid, kCFStringEncodingUTF8);
173
174 action(user_label, user_password, dsid);
175
176 CFReleaseNull(dsid);
177 CFReleaseNull(user_password);
178 CFReleaseNull(user_label);
179 }
180 }
181
182 static void with_label_and_number(xpc_object_t message, void (^action)(CFStringRef label, uint64_t number)) {
183 const char *label_utf8 = xpc_dictionary_get_string(message, kSecXPCKeyViewName);
184
185 if (label_utf8) { // Anything we would do here requires a user label
186 const int64_t number = xpc_dictionary_get_int64(message, kSecXPCKeyViewActionCode);
187 CFStringRef user_label = CFStringCreateWithCString(kCFAllocatorDefault, label_utf8, kCFStringEncodingUTF8);
188
189 action(user_label, number);
190 CFReleaseNull(user_label);
191 }
192 }
193
194 static CFArrayRef SecXPCDictionaryCopyPeerInfoArray(xpc_object_t dictionary, const char *key, CFErrorRef *error) {
195 return CreateArrayOfPeerInfoWithXPCObject(xpc_dictionary_get_value(dictionary, key), error);
196 }
197
198 static CFDataRef SecXPCDictionaryCopyCFDataRef(xpc_object_t message, const char *key, CFErrorRef *error) {
199 CFDataRef retval = NULL;
200 const uint8_t *bytes = NULL;
201 size_t len = 0;
202
203 bytes = xpc_dictionary_get_data(message, key, &len);
204 require_action_quiet(bytes, errOut, SOSCreateError(kSOSErrorBadKey, CFSTR("missing CFDataRef info"), NULL, error));
205 retval = CFDataCreate(NULL, bytes, len);
206 require_action_quiet(retval, errOut, SOSCreateError(kSOSErrorBadKey, CFSTR("could not allocate CFDataRef info"), NULL, error));
207 errOut:
208 return retval;
209 }
210
211 static CFSetRef CreateCFSetRefFromXPCObject(xpc_object_t xpcSetDER, CFErrorRef* error) {
212 CFSetRef retval = NULL;
213 require_action_quiet(xpcSetDER, errOut, SecCFCreateErrorWithFormat(kSecXPCErrorUnexpectedNull, sSecXPCErrorDomain, NULL, error, NULL, CFSTR("Unexpected Null Set to decode")));
214
215 require_action_quiet(xpc_get_type(xpcSetDER) == XPC_TYPE_DATA, errOut, SecCFCreateErrorWithFormat(kSecXPCErrorUnexpectedType, sSecXPCErrorDomain, NULL, error, NULL, CFSTR("xpcSetDER not data, got %@"), xpcSetDER));
216
217 const uint8_t* der = xpc_data_get_bytes_ptr(xpcSetDER);
218 const uint8_t* der_end = der + xpc_data_get_length(xpcSetDER);
219 der = der_decode_set(kCFAllocatorDefault, kCFPropertyListMutableContainersAndLeaves, &retval, error, der, der_end);
220 if (der != der_end) {
221 SecError(errSecDecode, error, CFSTR("trailing garbage at end of SecAccessControl data"));
222 goto errOut;
223 }
224 return retval;
225 errOut:
226 CFReleaseNull(retval);
227 return NULL;
228 }
229
230 static SOSPeerInfoRef SecXPCDictionaryCopyPeerInfo(xpc_object_t message, const char *key, CFErrorRef *error) {
231 size_t length = 0;
232 const uint8_t *der = xpc_dictionary_get_data(message, key, &length);
233
234 return SecRequirementError(der != NULL, error, CFSTR("No data for key %s"), key) ? SOSPeerInfoCreateFromDER(kCFAllocatorDefault, error, &der, der + length) : NULL;
235 }
236
237 static CFSetRef SecXPCSetCreateFromXPCDictionaryElement(xpc_object_t event, const char *key) {
238 CFErrorRef error = NULL;
239 xpc_object_t object = xpc_dictionary_get_value(event, key);
240 CFSetRef retval = NULL;
241 if(object) retval = CreateCFSetRefFromXPCObject(object, &error);
242 CFReleaseNull(error);
243 return retval;
244 }
245
246 static inline
247 void xpc_dictionary_set_and_consume_CFArray(xpc_object_t xdict, const char *key, CF_CONSUMED CFArrayRef cf_array) {
248 if (cf_array) {
249 xpc_object_t xpc_array = _CFXPCCreateXPCObjectFromCFObject(cf_array);
250 xpc_dictionary_set_value(xdict, key, xpc_array);
251 xpc_release(xpc_array);
252 }
253 CFReleaseNull(cf_array);
254 }
255
256 static inline
257 bool xpc_dictionary_set_and_consume_PeerInfoArray(xpc_object_t xdict, const char *key, CF_CONSUMED CFArrayRef cf_array, CFErrorRef *error) {
258 bool success = true;
259 if (cf_array) {
260 xpc_object_t xpc_array = CreateXPCObjectWithArrayOfPeerInfo(cf_array, error);
261 if (xpc_array) {
262 xpc_dictionary_set_value(xdict, key, xpc_array);
263 xpc_release(xpc_array);
264 } else {
265 success = false;
266 }
267 }
268 CFReleaseNull(cf_array);
269 return success;
270 }
271
272 static CFDataRef
273 SecDataCopyMmapFileDescriptor(int fd, void **mem, size_t *size, CFErrorRef *error)
274 {
275 struct stat sb;
276 if (fstat(fd, &sb) < 0) {
277 return NULL;
278 }
279
280 *size = (size_t)sb.st_size;
281 if ((off_t)*size != sb.st_size) {
282 return NULL;
283 }
284
285 *mem = mmap(NULL, *size, PROT_READ, MAP_SHARED, fd, 0);
286 if (*mem == MAP_FAILED) {
287 return NULL;
288 }
289
290 return CFDataCreateWithBytesNoCopy(NULL, *mem, *size, kCFAllocatorNull);
291 }
292
293 static bool
294 SecDataWriteFileDescriptor(int fd, CFDataRef data)
295 {
296 CFIndex count = CFDataGetLength(data);
297 const uint8_t *ptr = CFDataGetBytePtr(data);
298 bool writeResult = false;
299
300 while (count) {
301 ssize_t ret = write(fd, ptr, count);
302 if (ret <= 0)
303 break;
304 count -= ret;
305 ptr += ret;
306 }
307 if (count == 0)
308 writeResult = true;
309
310 return writeResult;
311 }
312
313
314 // Returns error if entitlement isn't present.
315 static bool
316 EntitlementPresentAndTrue(uint64_t op, SecTaskRef clientTask, CFStringRef entitlement, CFErrorRef *error)
317 {
318 if (!SecTaskGetBooleanValueForEntitlement(clientTask, entitlement)) {
319 SecError(errSecMissingEntitlement, error, CFSTR("%@: %@ lacks entitlement %@"), SOSCCGetOperationDescription((enum SecXPCOperation)op), clientTask, entitlement);
320 return false;
321 }
322 return true;
323 }
324
325 // Per <rdar://problem/13315020> Disable the entitlement check for "keychain-cloud-circle"
326 // we disable entitlement enforcement. However, we still log so we know who needs the entitlement
327 static bool
328 EntitlementPresentOrWhine(uint64_t op, SecTaskRef clientTask, CFStringRef entitlement, CFErrorRef *error)
329 {
330 if (!SecTaskGetBooleanValueForEntitlement(clientTask, entitlement))
331 secnotice("serverxpc", "%@: %@ lacks entitlement %@", SOSCCGetOperationDescription((enum SecXPCOperation)op), clientTask, entitlement);
332
333 return true;
334 }
335
336
337 static bool
338 EntitlementAbsentOrFalse(uint64_t op, SecTaskRef clientTask, CFStringRef entitlement, CFErrorRef *error)
339 {
340 if (SecTaskGetBooleanValueForEntitlement(clientTask, entitlement)) {
341 SecError(errSecNotAvailable, error, CFSTR("%@: %@ has entitlement %@"), SOSCCGetOperationDescription((enum SecXPCOperation) op), clientTask, entitlement);
342 return false;
343 }
344 return true;
345 }
346
347 static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, xpc_object_t event) {
348 xpc_type_t type = xpc_get_type(event);
349 __block CFErrorRef error = NULL;
350 xpc_object_t xpcError = NULL;
351 xpc_object_t replyMessage = NULL;
352 CFDataRef clientAuditToken = NULL;
353 CFArrayRef domains = NULL;
354 SecurityClient client = {
355 .task = NULL,
356 .accessGroups = NULL,
357 .musr = NULL,
358 .uid = xpc_connection_get_euid(connection),
359 .allowSystemKeychain = false,
360 .allowSyncBubbleKeychain = false,
361 .isNetworkExtension = false,
362 .canAccessNetworkExtensionAccessGroups = false,
363 };
364
365 secdebug("serverxpc", "entering");
366 if (type == XPC_TYPE_DICTIONARY) {
367 // TODO: Find out what we're dispatching.
368 replyMessage = xpc_dictionary_create_reply(event);
369
370 uint64_t operation = xpc_dictionary_get_uint64(event, kSecXPCKeyOperation);
371
372 audit_token_t auditToken = {};
373 xpc_connection_get_audit_token(connection, &auditToken);
374 clientAuditToken = CFDataCreate(kCFAllocatorDefault, (const UInt8*)&auditToken, sizeof(auditToken));
375
376 fill_security_client(&client, xpc_connection_get_euid(connection), auditToken);
377
378 #if TARGET_OS_IOS
379 if (operation == sec_add_shared_web_credential_id || operation == sec_copy_shared_web_credential_id) {
380 domains = SecTaskCopySharedWebCredentialDomains(client.task);
381 }
382 #endif
383 secinfo("serverxpc", "XPC [%@] operation: %@ (%" PRIu64 ")", client.task, SOSCCGetOperationDescription((enum SecXPCOperation)operation), operation);
384
385 switch (operation)
386 {
387 case sec_item_add_id:
388 {
389 if (EntitlementAbsentOrFalse(sec_item_add_id, client.task, kSecEntitlementKeychainDeny, &error)) {
390 CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
391 if (query) {
392 // Check for any entitlement-required attributes
393 bool entitlementsCorrect = true;
394 if(CFDictionaryGetValue(query, kSecAttrDeriveSyncIDFromItemAttributes) ||
395 CFDictionaryGetValue(query, kSecAttrPCSPlaintextServiceIdentifier) ||
396 CFDictionaryGetValue(query, kSecAttrPCSPlaintextPublicKey) ||
397 CFDictionaryGetValue(query, kSecAttrPCSPlaintextPublicIdentity)) {
398 entitlementsCorrect = EntitlementPresentAndTrue(sec_item_add_id, client.task, kSecEntitlementPrivateCKKSPlaintextFields, &error);
399 }
400 if (entitlementsCorrect && CFDictionaryGetValue(query, kSecAttrSysBound)) {
401 entitlementsCorrect = EntitlementPresentAndTrue(sec_item_add_id, client.task, kSecEntitlementPrivateSysBound, &error);
402 }
403
404 CFTypeRef result = NULL;
405 if(entitlementsCorrect) {
406 if (_SecItemAdd(query, &client, &result, &error) && result) {
407 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
408 CFReleaseNull(result);
409 }
410 }
411 CFReleaseNull(query);
412 }
413 break;
414 }
415 }
416 case sec_item_copy_matching_id:
417 {
418 if (EntitlementAbsentOrFalse(sec_item_add_id, client.task, kSecEntitlementKeychainDeny, &error)) {
419 CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
420 if (query) {
421 CFTypeRef result = NULL;
422 if (_SecItemCopyMatching(query, &client, &result, &error) && result) {
423 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
424 CFReleaseNull(result);
425 }
426 CFReleaseNull(query);
427 }
428 break;
429 }
430 }
431 case sec_item_update_id:
432 {
433 if (EntitlementAbsentOrFalse(sec_item_update_id, client.task, kSecEntitlementKeychainDeny, &error)) {
434 CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
435 if (query) {
436 CFDictionaryRef attributesToUpdate = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyAttributesToUpdate, &error);
437 if (attributesToUpdate) {
438 // Check for any entitlement-required attributes
439 bool entitlementsCorrect = true;
440 if(CFDictionaryGetValue(query, kSecAttrDeriveSyncIDFromItemAttributes) ||
441 CFDictionaryGetValue(attributesToUpdate, kSecAttrPCSPlaintextServiceIdentifier) ||
442 CFDictionaryGetValue(attributesToUpdate, kSecAttrPCSPlaintextPublicKey) ||
443 CFDictionaryGetValue(attributesToUpdate, kSecAttrPCSPlaintextPublicIdentity)) {
444 entitlementsCorrect = EntitlementPresentAndTrue(sec_item_update_id, client.task, kSecEntitlementPrivateCKKSPlaintextFields, &error);
445 }
446 if (entitlementsCorrect && CFDictionaryGetValue(query, kSecAttrSysBound)) {
447 entitlementsCorrect = EntitlementPresentAndTrue(sec_item_update_id, client.task, kSecEntitlementPrivateSysBound, &error);
448 }
449
450 if(entitlementsCorrect) {
451 bool result = _SecItemUpdate(query, attributesToUpdate, &client, &error);
452 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
453 }
454 CFReleaseNull(attributesToUpdate);
455 }
456 CFReleaseNull(query);
457 }
458 }
459 break;
460 }
461 case sec_item_delete_id:
462 {
463 if (EntitlementAbsentOrFalse(sec_item_add_id, client.task, kSecEntitlementKeychainDeny, &error)) {
464 CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
465 if (query) {
466 bool result = _SecItemDelete(query, &client, &error);
467 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
468 CFReleaseNull(query);
469 }
470 }
471 break;
472 }
473 case sec_item_update_token_items_id:
474 {
475 if (EntitlementAbsentOrFalse(sec_item_add_id, client.task, kSecEntitlementKeychainDeny, &error)) {
476 CFStringRef tokenID = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
477 CFArrayRef attributes = SecXPCDictionaryCopyArray(event, kSecXPCKeyQuery, &error);
478 if (tokenID) {
479 bool result = _SecItemUpdateTokenItems(tokenID, attributes, &client, &error);
480 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
481 }
482 CFReleaseNull(tokenID);
483 CFReleaseNull(attributes);
484 }
485 break;
486 }
487 case sec_delete_all_id:
488 {
489 bool retval = false;
490 #if TARGET_OS_IPHONE
491 /* buddy is temporary allowed to do this */
492 CFStringRef applicationIdentifier = SecTaskCopyApplicationIdentifier(client.task);
493 bool isBuddy = applicationIdentifier &&
494 CFEqual(applicationIdentifier, CFSTR("com.apple.purplebuddy"));
495
496 if (isBuddy || EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateDeleteAll, &error))
497 {
498 retval = _SecItemDeleteAll(&error);
499 }
500 #endif
501 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);
502 break;
503 }
504 case sec_keychain_backup_id:
505 {
506 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
507 CFDataRef keybag = NULL, passcode = NULL;
508 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyKeybag, &keybag, &error)) {
509 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) {
510 bool emcs = SecXPCDictionaryGetBool(event, kSecXPCKeyEMCSBackup, NULL);
511 CFDataRef backup = _SecServerKeychainCreateBackup(&client, keybag, passcode, emcs, &error);
512 if (backup) {
513 int fd = SecXPCDictionaryDupFileDescriptor(event, kSecXPCKeyFileDescriptor, NULL);
514 if (fd < 0) {
515 SecXPCDictionarySetData(replyMessage, kSecXPCKeyResult, backup, &error);
516 } else {
517 bool writeResult = SecDataWriteFileDescriptor(fd, backup);
518 if (close(fd) != 0)
519 writeResult = false;
520 if (!writeResult)
521 SecError(errSecIO, &error, CFSTR("Failed to write backup file: %d"), errno);
522 SecXPCDictionarySetBool(replyMessage, kSecXPCKeyResult, writeResult, NULL);
523 }
524 CFRelease(backup);
525 }
526 CFReleaseSafe(passcode);
527 }
528 CFReleaseSafe(keybag);
529 }
530 }
531 break;
532 }
533 case sec_keychain_restore_id:
534 {
535 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
536 CFDataRef backup = NULL;
537 void *mem = NULL;
538 size_t size = 0;
539
540 int fd = SecXPCDictionaryDupFileDescriptor(event, kSecXPCKeyFileDescriptor, NULL);
541 if (fd != -1) {
542 backup = SecDataCopyMmapFileDescriptor(fd, &mem, &size, &error);
543 } else {
544 backup = SecXPCDictionaryCopyData(event, kSecXPCKeyBackup, &error);
545 }
546 if (backup) {
547 CFDataRef keybag = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error);
548 if (keybag) {
549 CFDataRef passcode = NULL;
550 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) {
551 bool result = _SecServerKeychainRestore(backup, &client, keybag, passcode, &error);
552 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
553 CFReleaseSafe(passcode);
554 }
555 }
556 CFReleaseNull(keybag);
557 }
558 CFReleaseNull(backup);
559 if (fd != -1)
560 close(fd);
561 if (mem) {
562 munmap(mem, size);
563 }
564 }
565 break;
566 }
567 case sec_keychain_backup_keybag_uuid_id:
568 {
569 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
570 CFDataRef backup = NULL;
571 CFStringRef uuid = NULL;
572 void *mem = NULL;
573 size_t size = 0;
574
575 int fd = SecXPCDictionaryDupFileDescriptor(event, kSecXPCKeyFileDescriptor, NULL);
576 if (fd != -1) {
577 backup = SecDataCopyMmapFileDescriptor(fd, &mem, &size, &error);
578 if (backup)
579 uuid = _SecServerBackupCopyUUID(backup, &error);
580 }
581 if (uuid)
582 SecXPCDictionarySetString(replyMessage, kSecXPCKeyResult, uuid, &error);
583
584 CFReleaseNull(backup);
585 if (fd != -1)
586 close(fd);
587 if (mem) {
588 munmap(mem, size);
589 }
590 CFReleaseNull(uuid);
591 }
592 break;
593 }
594 case sec_keychain_sync_update_message_id:
595 {
596 CFDictionaryRef updates = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
597 if (updates) {
598 CFArrayRef result = _SecServerKeychainSyncUpdateMessage(updates, &error);
599 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
600 CFReleaseNull(result);
601 }
602 CFReleaseNull(updates);
603 break;
604 }
605 case sec_keychain_backup_syncable_id:
606 {
607 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
608 CFDictionaryRef oldbackup = NULL;
609 if (SecXPCDictionaryCopyDictionaryOptional(event, kSecXPCKeyBackup, &oldbackup, &error)) {
610 CFDataRef keybag = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error);
611 if (keybag) {
612 CFDataRef passcode = NULL;
613 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) {
614 CFDictionaryRef newbackup = _SecServerBackupSyncable(oldbackup, keybag, passcode, &error);
615 if (newbackup) {
616 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, newbackup, &error);
617 CFRelease(newbackup);
618 }
619 CFReleaseSafe(passcode);
620 }
621 CFReleaseNull(keybag);
622 }
623 CFReleaseSafe(oldbackup);
624 }
625 }
626 break;
627 }
628 case sec_keychain_restore_syncable_id:
629 {
630 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
631 CFDictionaryRef backup = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyBackup, &error);
632 if (backup) {
633 CFDataRef keybag = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error);
634 if (keybag) {
635 CFDataRef passcode = NULL;
636 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) {
637 bool result = _SecServerRestoreSyncable(backup, keybag, passcode, &error);
638 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
639 CFReleaseSafe(passcode);
640 }
641 CFReleaseNull(keybag);
642 }
643 CFReleaseNull(backup);
644 }
645 }
646 break;
647 }
648 case sec_item_backup_copy_names_id:
649 {
650 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
651 CFArrayRef names = SecServerItemBackupCopyNames(&error);
652 SecXPCDictionarySetPListOptional(replyMessage, kSecXPCKeyResult, names, &error);
653 CFReleaseSafe(names);
654 }
655 break;
656 }
657 case sec_item_backup_handoff_fd_id:
658 {
659 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
660 CFStringRef backupName = SecXPCDictionaryCopyString(event, kSecXPCKeyBackup, &error);
661 int fd = -1;
662 if (backupName) {
663 fd = SecServerItemBackupHandoffFD(backupName, &error);
664 CFRelease(backupName);
665 }
666 SecXPCDictionarySetFileDescriptor(replyMessage, kSecXPCKeyResult, fd, &error);
667 if (fd != -1)
668 close(fd);
669 }
670 break;
671 }
672 case sec_item_backup_set_confirmed_manifest_id:
673 {
674 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
675 CFDataRef keybagDigest = NULL;
676 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyKeybag, &keybagDigest, &error)) {
677 CFDataRef manifest = NULL;
678 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCData, &manifest, &error)) {
679 CFStringRef backupName = SecXPCDictionaryCopyString(event, kSecXPCKeyBackup, &error);
680 if (backupName) {
681 bool result = SecServerItemBackupSetConfirmedManifest(backupName, keybagDigest, manifest, &error);
682 CFRelease(backupName);
683 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
684 }
685 CFReleaseSafe(manifest);
686 }
687 }
688 CFReleaseNull(keybagDigest);
689 }
690 break;
691 }
692 case sec_item_backup_restore_id:
693 {
694 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
695 bool result = false;
696 CFStringRef backupName = SecXPCDictionaryCopyString(event, kSecXPCKeyBackup, &error);
697 if (backupName) {
698 CFStringRef peerID = NULL;
699 if (SecXPCDictionaryCopyStringOptional(event, kSecXPCKeyDigest, &peerID, &error)) {
700 CFDataRef keybag = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error);
701 if (keybag) {
702 CFDataRef secret = SecXPCDictionaryCopyData(event, kSecXPCKeyUserPassword, &error);
703 if (secret) {
704 CFDataRef backup = SecXPCDictionaryCopyData(event, kSecXPCData, &error);
705 if (backup) {
706 result = SecServerItemBackupRestore(backupName, peerID, keybag, secret, backup, &error);
707 CFRelease(backup);
708 }
709 CFRelease(secret);
710 }
711 CFRelease(keybag);
712 }
713 CFReleaseSafe(peerID);
714 }
715 CFRelease(backupName);
716 }
717 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
718 }
719 break;
720 }
721 case sec_add_shared_web_credential_id:
722 {
723 #if TARGET_OS_IOS && !TARGET_OS_BRIDGE
724 CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
725 if (query) {
726 CFTypeRef result = NULL;
727
728 CFStringRef appID = (client.task) ? SecTaskCopyApplicationIdentifier(client.task) : NULL;
729 if (_SecAddSharedWebCredential(query, &client, &auditToken, appID, domains, &result, &error) && result) {
730 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
731 CFReleaseNull(result);
732 }
733 CFReleaseSafe(appID);
734 CFReleaseNull(query);
735 }
736 #else
737 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, kCFBooleanFalse, &error);
738 #endif
739 break;
740 }
741 case sec_copy_shared_web_credential_id:
742 {
743 #if TARGET_OS_IOS && !TARGET_OS_BRIDGE
744 CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
745 if (query) {
746 CFTypeRef result = NULL;
747 CFStringRef appID = (client.task) ? SecTaskCopyApplicationIdentifier(client.task) : NULL;
748 if (_SecCopySharedWebCredential(query, &client, &auditToken, appID, domains, &result, &error) && result) {
749 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
750 CFReleaseNull(result);
751 }
752 CFReleaseSafe(appID);
753 CFReleaseNull(query);
754 }
755 #else
756 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, kCFBooleanFalse, &error);
757 #endif
758 break;
759 }
760 case sec_get_log_settings_id:
761 {
762 CFPropertyListRef currentList = SecCopyLogSettings_Server(&error);
763 if (currentList) {
764 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, currentList, &error);
765 }
766 CFReleaseSafe(currentList);
767 break;
768 }
769 case sec_set_xpc_log_settings_id:
770 {
771 CFPropertyListRef newSettings = SecXPCDictionaryCopyPList(event, kSecXPCKeyQuery, &error);
772 if (newSettings) {
773 SecSetXPCLogSettings_Server(newSettings, &error);
774 }
775 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, true);
776 CFReleaseNull(newSettings);
777 break;
778 }
779 case sec_set_circle_log_settings_id:
780 {
781 CFPropertyListRef newSettings = SecXPCDictionaryCopyPList(event, kSecXPCKeyQuery, &error);
782 if (newSettings) {
783 SecSetCircleLogSettings_Server(newSettings, &error);
784 }
785 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, true);
786 CFReleaseNull(newSettings);
787 break;
788 }
789 case sec_otr_session_create_remote_id:
790 {
791 CFDataRef publicPeerId = NULL;
792 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCPublicPeerId, &publicPeerId, &error)) {
793 CFDataRef otrSession = _SecOTRSessionCreateRemote(publicPeerId, &error);
794 if (otrSession) {
795 SecXPCDictionarySetData(replyMessage, kSecXPCKeyResult, otrSession, &error);
796 CFReleaseNull(otrSession);
797 }
798 CFReleaseSafe(publicPeerId);
799 }
800 break;
801 }
802 case sec_otr_session_process_packet_remote_id:
803 {
804 CFDataRef sessionData = NULL, inputPacket = NULL, outputSessionData = NULL, outputPacket = NULL;
805 bool readyForMessages = false;
806 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCOTRSession, &sessionData, &error)) {
807 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCData, &inputPacket, &error)) {
808 bool result = _SecOTRSessionProcessPacketRemote(sessionData, inputPacket, &outputSessionData, &outputPacket, &readyForMessages, &error);
809 if (result) {
810 SecXPCDictionarySetData(replyMessage, kSecXPCOTRSession, outputSessionData, &error);
811 SecXPCDictionarySetData(replyMessage, kSecXPCData, outputPacket, &error);
812 xpc_dictionary_set_bool(replyMessage, kSecXPCOTRReady, readyForMessages);
813 CFReleaseNull(outputSessionData);
814 CFReleaseNull(outputPacket);
815 }
816 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
817
818 CFReleaseSafe(inputPacket);
819 }
820 CFReleaseSafe(sessionData);
821 }
822 break;
823 }
824 case kSecXPCOpTryUserCredentials:
825 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
826 with_label_and_password_and_dsid(event, ^(CFStringRef label, CFDataRef password, CFStringRef dsid) {
827 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
828 SOSCCTryUserCredentials_Server(label, password, dsid, &error));
829 });
830 }
831 break;
832 case kSecXPCOpSetUserCredentials:
833 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
834 with_label_and_password(event, ^(CFStringRef label, CFDataRef password) {
835 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
836 SOSCCSetUserCredentials_Server(label, password, &error));
837 });
838 }
839 break;
840 case kSecXPCOpSetUserCredentialsAndDSID:
841 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
842 with_label_and_password_and_dsid(event, ^(CFStringRef label, CFDataRef password, CFStringRef dsid) {
843 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
844 SOSCCSetUserCredentialsAndDSID_Server(label, password, dsid, &error));
845 });
846 }
847 break;
848 case kSecXPCOpView:
849 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
850 with_label_and_number(event, ^(CFStringRef view, uint64_t actionCode) {
851 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
852 SOSCCView_Server(view, (SOSViewActionCode)actionCode, &error));
853 });
854 }
855 break;
856 case kSecXPCOpViewSet:
857 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
858 CFSetRef enabledViews = SecXPCSetCreateFromXPCDictionaryElement(event, kSecXPCKeyEnabledViewsKey);
859 CFSetRef disabledViews = SecXPCSetCreateFromXPCDictionaryElement(event, kSecXPCKeyDisabledViewsKey);
860 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCViewSet_Server(enabledViews, disabledViews));
861 CFReleaseNull(enabledViews);
862 CFReleaseNull(disabledViews);
863 }
864 break;
865 case kSecXPCOpSecurityProperty:
866 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
867 with_label_and_number(event, ^(CFStringRef property, uint64_t actionCode) {
868 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
869 SOSCCSecurityProperty_Server(property, (SOSSecurityPropertyActionCode)actionCode, &error));
870 });
871 }
872 break;
873 case kSecXPCOpCanAuthenticate:
874 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
875 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
876 SOSCCCanAuthenticate_Server(&error));
877 }
878 break;
879 case kSecXPCOpPurgeUserCredentials:
880 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
881 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
882 SOSCCPurgeUserCredentials_Server(&error));
883 }
884 break;
885 case kSecXPCOpDeviceInCircle:
886 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
887 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
888 SOSCCThisDeviceIsInCircle_Server(&error));
889 }
890 break;
891 case kSecXPCOpRequestToJoin:
892 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
893 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
894 SOSCCRequestToJoinCircle_Server(&error));
895 }
896 break;
897 case kSecXPCOpAccountHasPublicKey:
898 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
899 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
900 SOSCCAccountHasPublicKey_Server(&error));
901 }
902 break;
903 case kSecXPCOpAccountIsNew:
904 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
905 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
906 SOSCCAccountIsNew_Server(&error));
907 }
908 break;
909 case kSecXPCOpRequestToJoinAfterRestore:
910 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
911 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
912 SOSCCRequestToJoinCircleAfterRestore_Server(&error));
913 }
914 break;
915 case kSecXPCOpRequestEnsureFreshParameters:
916 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
917 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
918 SOSCCRequestEnsureFreshParameters_Server(&error));
919 }
920 break;
921 case kSecXPCOpGetAllTheRings:
922 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
923 CFStringRef ringDescriptions = SOSCCGetAllTheRings_Server(&error);
924 xpc_object_t xpc_dictionary = _CFXPCCreateXPCObjectFromCFObject(ringDescriptions);
925 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_dictionary);
926 xpc_release(xpc_dictionary);
927 }
928 break;
929 case kSecXPCOpApplyToARing:
930 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
931 CFStringRef ringName = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
932 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCApplyToARing_Server(ringName, &error));
933 CFReleaseNull(ringName);
934 }
935 break;
936 case kSecXPCOpWithdrawlFromARing:
937 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
938 CFStringRef ringName = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
939 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCWithdrawlFromARing_Server(ringName, &error));
940 CFReleaseNull(ringName);
941 }
942 break;
943 case kSecXPCOpRingStatus:
944 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
945 CFStringRef ringName = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
946 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRingStatus_Server(ringName, &error));
947 CFReleaseNull(ringName);
948 }
949 break;
950 case kSecXPCOpEnableRing:
951 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
952 CFStringRef ringName = SecXPCDictionaryCopyString(event, kSecXPCKeyString, &error);
953 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCEnableRing_Server(ringName, &error));
954 CFReleaseNull(ringName);
955 }
956 break;
957 case kSecXPCOpRequestDeviceID:
958 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
959 CFStringRef deviceID = SOSCCCopyDeviceID_Server(&error);
960 if (deviceID) {
961 SecXPCDictionarySetString(replyMessage, kSecXPCKeyResult, deviceID, &error);
962 }
963 CFReleaseNull(deviceID);
964 }
965 break;
966 case kSecXPCOpSetDeviceID:
967 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
968 CFStringRef IDS = SecXPCDictionaryCopyString(event, kSecXPCKeyDeviceID, &error);
969 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCSetDeviceID_Server(IDS, &error));
970 CFReleaseNull(IDS);
971 }
972 break;
973 case kSecXPCOpHandleIDSMessage:
974 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
975 CFDictionaryRef IDS = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyIDSMessage, &error);
976 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult, SOSCCHandleIDSMessage_Server(IDS, &error));
977 CFReleaseNull(IDS);
978 }
979 break;
980 case kSecXPCOpClearKVSPeerMessage:
981 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
982 CFStringRef peerID = SecXPCDictionaryCopyString(event, kSecXPCKeyDeviceID, &error);
983 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCClearPeerMessageKeyInKVS_Server(peerID, &error));
984 CFReleaseNull(peerID);
985 }
986 break;
987 case kSecXPCOpSendIDSMessage:
988 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
989 CFStringRef message = SecXPCDictionaryCopyString(event, kSecXPCKeySendIDSMessage, &error);
990 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCIDSServiceRegistrationTest_Server(message, &error));
991 CFReleaseNull(message);
992 }
993 break;
994 case kSecXPCOpSyncWithKVSPeer:
995 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
996 CFStringRef peerID = SecXPCDictionaryCopyString(event, kSecXPCKeyDeviceID, &error);
997 CFDataRef message = SecXPCDictionaryCopyData(event, kSecXPCKeyIDSMessage, &error);
998 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRequestSyncWithPeerOverKVS_Server(peerID, message, &error));
999 CFReleaseNull(message);
1000 CFReleaseNull(peerID);
1001 }
1002 break;
1003 case kSecXPCOpSyncWithKVSPeerIDOnly:
1004 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1005 CFStringRef peerID = SecXPCDictionaryCopyString(event, kSecXPCKeyDeviceID, &error);
1006 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRequestSyncWithPeerOverKVSUsingIDOnly_Server(peerID, &error));
1007 CFReleaseNull(peerID);
1008 }
1009 break;
1010 case kSecXPCOpPingTest:
1011 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1012 CFStringRef message = SecXPCDictionaryCopyString(event, kSecXPCKeySendIDSMessage, &error);
1013 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCIDSPingTest_Server(message, &error));
1014 CFReleaseNull(message);
1015 }
1016 break;
1017 case kSecXPCOpIDSDeviceID:
1018 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1019 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCIDSDeviceIDIsAvailableTest_Server(&error));
1020 }
1021 break;
1022 case kSecXPCOpAccountSetToNew:
1023 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1024 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCAccountSetToNew_Server(&error));
1025 }
1026 break;
1027 case kSecXPCOpResetToOffering:
1028 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1029 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1030 SOSCCResetToOffering_Server(&error));
1031 }
1032 break;
1033 case kSecXPCOpResetToEmpty:
1034 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1035 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1036 SOSCCResetToEmpty_Server(&error));
1037 }
1038 break;
1039 case kSecXPCOpRemoveThisDeviceFromCircle:
1040 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1041 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1042 SOSCCRemoveThisDeviceFromCircle_Server(&error));
1043 }
1044 break;
1045 case kSecXPCOpRemovePeersFromCircle:
1046 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1047 CFArrayRef applicants = SecXPCDictionaryCopyPeerInfoArray(event, kSecXPCKeyPeerInfoArray, &error);
1048 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1049 SOSCCRemovePeersFromCircle_Server(applicants, &error));
1050 CFReleaseNull(applicants);
1051 }
1052 break;
1053 case kSecXPCOpLoggedOutOfAccount:
1054 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1055 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1056 SOSCCLoggedOutOfAccount_Server(&error));
1057 }
1058 break;
1059 case kSecXPCOpBailFromCircle:
1060 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1061 uint64_t limit_in_seconds = xpc_dictionary_get_uint64(event, kSecXPCLimitInMinutes);
1062 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1063 SOSCCBailFromCircle_Server(limit_in_seconds, &error));
1064 }
1065 break;
1066 case kSecXPCOpAcceptApplicants:
1067 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1068 xpc_object_t xapplicants = xpc_dictionary_get_value(event, kSecXPCKeyPeerInfoArray);
1069 CFArrayRef applicants = CreateArrayOfPeerInfoWithXPCObject(xapplicants, &error); //(CFArrayRef)(_CFXPCCreateCFObjectFromXPCObject(xapplicants));
1070 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1071 (applicants && SOSCCAcceptApplicants_Server(applicants, &error)));
1072 CFReleaseSafe(applicants);
1073 }
1074 break;
1075 case kSecXPCOpRejectApplicants:
1076 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1077 xpc_object_t xapplicants = xpc_dictionary_get_value(event, kSecXPCKeyPeerInfoArray);
1078 CFArrayRef applicants = CreateArrayOfPeerInfoWithXPCObject(xapplicants, &error); //(CFArrayRef)(_CFXPCCreateCFObjectFromXPCObject(xapplicants));
1079 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1080 (applicants && SOSCCRejectApplicants_Server(applicants, &error)));
1081 CFReleaseSafe(applicants);
1082 }
1083 break;
1084 case kSecXPCOpSetNewPublicBackupKey:
1085 {
1086 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
1087 CFDataRef publicBackupKey = SecXPCDictionaryCopyData(event, kSecXPCKeyNewPublicBackupKey, &error);
1088 SOSPeerInfoRef peerInfo = SOSCCSetNewPublicBackupKey_Server(publicBackupKey, &error);
1089 CFDataRef peerInfoData = peerInfo ? SOSPeerInfoCopyEncodedData(peerInfo, kCFAllocatorDefault, &error) : NULL;
1090 CFReleaseNull(peerInfo);
1091 if (peerInfoData) {
1092 xpc_object_t xpc_object = _CFXPCCreateXPCObjectFromCFObject(peerInfoData);
1093 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_object);
1094 xpc_release(xpc_object);
1095 }
1096 CFReleaseNull(peerInfoData);
1097 CFReleaseSafe(publicBackupKey);
1098
1099 }
1100 }
1101 break;
1102 case kSecXPCOpRegisterRecoveryPublicKey:
1103 {
1104 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
1105 CFDataRef recovery_key = SecXPCDictionaryCopyData(event, kSecXPCKeyRecoveryPublicKey, &error);
1106 uint8_t zero = 0;
1107 CFDataRef nullData = CFDataCreate(kCFAllocatorDefault, &zero, 1); // token we send if we really wanted to send NULL
1108 if(CFEqual(recovery_key, nullData)) {
1109 CFReleaseNull(recovery_key);
1110 }
1111 CFReleaseNull(nullData);
1112 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRegisterRecoveryPublicKey_Server(recovery_key, &error));
1113 CFReleaseNull(recovery_key);
1114 }
1115 }
1116 break;
1117 case kSecXPCOpGetRecoveryPublicKey:
1118 {
1119 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
1120 xpc_object_t xpc_recovery_object = NULL;
1121 CFDataRef recovery = SOSCCCopyRecoveryPublicKey(&error);
1122 if(recovery)
1123 xpc_recovery_object = _CFXPCCreateXPCObjectFromCFObject(recovery);
1124
1125 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_recovery_object);
1126 CFReleaseNull(recovery);
1127 }
1128 }
1129 break;
1130 case kSecXPCOpSetBagForAllSlices:
1131 {
1132 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) {
1133 CFDataRef backupSlice = SecXPCDictionaryCopyData(event, kSecXPCKeyKeybag, &error);
1134 bool includeV0 = xpc_dictionary_get_bool(event, kSecXPCKeyIncludeV0);
1135 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, backupSlice && SOSCCRegisterSingleRecoverySecret_Server(backupSlice, includeV0, &error));
1136 CFReleaseSafe(backupSlice);
1137 }
1138 }
1139 break;
1140 case kSecXPCOpCopyApplicantPeerInfo:
1141 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1142 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1143 SOSCCCopyApplicantPeerInfo_Server(&error),
1144 &error);
1145 }
1146 break;
1147 case kSecXPCOpCopyValidPeerPeerInfo:
1148 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1149 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1150 SOSCCCopyValidPeerPeerInfo_Server(&error),
1151 &error);
1152 }
1153 break;
1154 case kSecXPCOpValidateUserPublic:
1155 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1156 bool trusted = SOSCCValidateUserPublic_Server(&error);
1157 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, trusted);
1158 }
1159 break;
1160 case kSecXPCOpCopyNotValidPeerPeerInfo:
1161 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1162 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1163 SOSCCCopyNotValidPeerPeerInfo_Server(&error),
1164 &error);
1165 }
1166 break;
1167 case kSecXPCOpCopyGenerationPeerInfo:
1168 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1169 xpc_dictionary_set_and_consume_CFArray(replyMessage, kSecXPCKeyResult,
1170 SOSCCCopyGenerationPeerInfo_Server(&error));
1171 }
1172 break;
1173 case kSecXPCOpCopyRetirementPeerInfo:
1174 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1175 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1176 SOSCCCopyRetirementPeerInfo_Server(&error),
1177 &error);
1178 }
1179 break;
1180 case kSecXPCOpCopyViewUnawarePeerInfo:
1181 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1182 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1183 SOSCCCopyViewUnawarePeerInfo_Server(&error),
1184 &error);
1185 }
1186 break;
1187 case kSecXPCOpCopyAccountData:
1188 {
1189 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1190 xpc_object_t xpc_account_object = NULL;
1191 CFDataRef accountData = SOSCCCopyAccountState_Server(&error);
1192 if(accountData)
1193 xpc_account_object = _CFXPCCreateXPCObjectFromCFObject(accountData);
1194
1195 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_account_object);
1196 CFReleaseNull(accountData);
1197 }
1198 break;
1199 }
1200 case kSecXPCOpDeleteAccountData:
1201 {
1202 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1203 bool status = SOSCCDeleteAccountState_Server(&error);
1204 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, status);
1205 }
1206 break;
1207 }
1208 case kSecXPCOpCopyEngineData:
1209 {
1210 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1211
1212 xpc_object_t xpc_engine_object = NULL;
1213 CFDataRef engineData = SOSCCCopyEngineData_Server(&error);
1214 if(engineData)
1215 xpc_engine_object = _CFXPCCreateXPCObjectFromCFObject(engineData);
1216
1217 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_engine_object);
1218 CFReleaseNull(engineData);
1219
1220 }
1221 break;
1222 }
1223 case kSecXPCOpDeleteEngineData:
1224 {
1225 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1226 bool status = SOSCCDeleteEngineState_Server(&error);
1227 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, status);
1228 }
1229 break;
1230 }
1231 case kSecXPCOpCopyEngineState:
1232 {
1233 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1234 CFArrayRef array = SOSCCCopyEngineState_Server(&error);
1235 CFDataRef derData = NULL;
1236
1237 require_quiet(array, done);
1238 derData = CFPropertyListCreateDERData(kCFAllocatorDefault, array, &error);
1239
1240 require_quiet(derData, done);
1241 xpc_dictionary_set_data(replyMessage, kSecXPCKeyResult, CFDataGetBytePtr(derData), CFDataGetLength(derData));
1242 done:
1243 CFReleaseNull(derData);
1244 CFReleaseNull(array);
1245 }
1246 }
1247 break;
1248 case kSecXPCOpCopyPeerPeerInfo:
1249 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1250 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1251 SOSCCCopyPeerPeerInfo_Server(&error),
1252 &error);
1253 }
1254 break;
1255 case kSecXPCOpCopyConcurringPeerPeerInfo:
1256 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1257 xpc_dictionary_set_and_consume_PeerInfoArray(replyMessage, kSecXPCKeyResult,
1258 SOSCCCopyConcurringPeerPeerInfo_Server(&error),
1259 &error);
1260 }
1261 break;
1262 case kSecXPCOpCopyMyPeerInfo:
1263 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1264 SOSPeerInfoRef peerInfo = SOSCCCopyMyPeerInfo_Server(&error);
1265 CFDataRef peerInfoData = peerInfo ? SOSPeerInfoCopyEncodedData(peerInfo, kCFAllocatorDefault, &error) : NULL;
1266 CFReleaseNull(peerInfo);
1267 if (peerInfoData) {
1268 xpc_object_t xpc_object = _CFXPCCreateXPCObjectFromCFObject(peerInfoData);
1269 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_object);
1270 xpc_release(xpc_object);
1271 }
1272 CFReleaseNull(peerInfoData);
1273 }
1274 break;
1275 case kSecXPCOpGetLastDepartureReason:
1276 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1277 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
1278 SOSCCGetLastDepartureReason_Server(&error));
1279 }
1280 break;
1281 case kSecXPCOpSetLastDepartureReason:
1282 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1283 int32_t reason = (int32_t) xpc_dictionary_get_int64(event, kSecXPCKeyReason);
1284 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
1285 SOSCCSetLastDepartureReason_Server(reason, &error));
1286 }
1287 break;
1288 case kSecXPCOpProcessSyncWithPeers:
1289 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainSyncUpdates, &error)) {
1290 CFSetRef peers = SecXPCDictionaryCopySet(event, kSecXPCKeySet, &error);
1291 CFSetRef backupPeers = SecXPCDictionaryCopySet(event, kSecXPCKeySet2, &error);
1292 if (peers && backupPeers) {
1293 CFSetRef result = SOSCCProcessSyncWithPeers_Server(peers, backupPeers, &error);
1294 if (result) {
1295 SecXPCDictionarySetPList(replyMessage, kSecXPCKeyResult, result, &error);
1296 }
1297 CFReleaseNull(result);
1298 }
1299 CFReleaseNull(peers);
1300 CFReleaseNull(backupPeers);
1301 }
1302 break;
1303 case kSecXPCOpProcessSyncWithAllPeers:
1304 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainSyncUpdates, &error)) {
1305 xpc_dictionary_set_int64(replyMessage, kSecXPCKeyResult,
1306 SOSCCProcessSyncWithAllPeers_Server(&error));
1307 }
1308 break;
1309 case soscc_EnsurePeerRegistration_id:
1310 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainSyncUpdates, &error)) {
1311 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1312 SOSCCProcessEnsurePeerRegistration_Server(&error));
1313 }
1314 break;
1315 case kSecXPCOpCopyIncompatibilityInfo:
1316 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1317 CFStringRef iis = SOSCCCopyIncompatibilityInfo_Server(&error);
1318 SecXPCDictionarySetString(replyMessage, kSecXPCKeyResult, iis, &error);
1319 CFReleaseSafe(iis);
1320 }
1321 break;
1322 case kSecXPCOpRollKeys:
1323 {
1324 bool force = xpc_dictionary_get_bool(event, "force");
1325 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1326 _SecServerRollKeys(force, &client, &error));
1327 }
1328 break;
1329 case kSecXPCOpWaitForInitialSync:
1330 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1331 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1332 SOSCCWaitForInitialSync_Server(&error));
1333 }
1334 break;
1335
1336 case kSecXPCOpCopyYetToSyncViews:
1337 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1338 CFArrayRef array = SOSCCCopyYetToSyncViewsList_Server(&error);
1339 if (array) {
1340 xpc_object_t xpc_array = _CFXPCCreateXPCObjectFromCFObject(array);
1341 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_array);
1342 xpc_release(xpc_array);
1343 }
1344 CFReleaseNull(array);
1345 }
1346 break;
1347 case kSecXPCOpSetEscrowRecord:
1348 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1349 CFStringRef escrow_label = SecXPCDictionaryCopyString(event, kSecXPCKeyEscrowLabel, &error);
1350 uint64_t tries = xpc_dictionary_get_int64(event, kSecXPCKeyTriesLabel);
1351
1352 bool result = SOSCCSetEscrowRecord_Server(escrow_label, tries, &error);
1353 if (result) {
1354 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
1355 }
1356 CFReleaseNull(escrow_label);
1357 }
1358 break;
1359 case kSecXPCOpGetEscrowRecord:
1360 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1361 CFDictionaryRef record = SOSCCCopyEscrowRecord_Server(&error);
1362 if (record) {
1363 xpc_object_t xpc_dictionary = _CFXPCCreateXPCObjectFromCFObject(record);
1364 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_dictionary);
1365 xpc_release(xpc_dictionary);
1366 }
1367 CFReleaseNull(record);
1368 }
1369 break;
1370 case kSecXPCOpCopyBackupInformation:
1371 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1372 CFDictionaryRef record = SOSCCCopyBackupInformation_Server(&error);
1373 if (record) {
1374 xpc_object_t xpc_dictionary = _CFXPCCreateXPCObjectFromCFObject(record);
1375 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_dictionary);
1376 xpc_release(xpc_dictionary);
1377 }
1378 CFReleaseNull(record);
1379 }
1380 break;
1381
1382 case kSecXPCOpCheckPeerAvailability:
1383 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1384 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCCheckPeerAvailability_Server(&error));
1385 }
1386 break;
1387
1388
1389 case kSecXPCOpIsThisDeviceLastBackup:
1390 if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1391 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCkSecXPCOpIsThisDeviceLastBackup_Server(&error));
1392 }
1393 break;
1394 case kSecXPCOpPeersHaveViewsEnabled:
1395 {
1396 CFArrayRef viewSet = SecXPCDictionaryCopyArray(event, kSecXPCKeyArray, &error);
1397 if (viewSet) {
1398 CFBooleanRef result = SOSCCPeersHaveViewsEnabled_Server(viewSet, &error);
1399 if (result != NULL) {
1400 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result != kCFBooleanFalse);
1401 }
1402 }
1403 CFReleaseNull(viewSet);
1404 }
1405 break;
1406
1407 case kSecXPCOpWhoAmI:
1408 {
1409 if (client.musr)
1410 xpc_dictionary_set_data(replyMessage, "musr", CFDataGetBytePtr(client.musr), CFDataGetLength(client.musr));
1411 xpc_dictionary_set_bool(replyMessage, "system-keychain", client.allowSystemKeychain);
1412 xpc_dictionary_set_bool(replyMessage, "syncbubble-keychain", client.allowSyncBubbleKeychain);
1413 xpc_dictionary_set_bool(replyMessage, "network-extension", client.isNetworkExtension);
1414 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, true);
1415 }
1416 break;
1417 case kSecXPCOpTransmogrifyToSyncBubble:
1418 {
1419 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateKeychainSyncBubble, &error)) {
1420 #if TARGET_OS_IOS
1421 uid_t uid = (uid_t)xpc_dictionary_get_int64(event, "uid");
1422 CFArrayRef services = SecXPCDictionaryCopyArray(event, "services", &error);
1423 bool res = false;
1424 if (uid && services) {
1425 res = _SecServerTransmogrifyToSyncBubble(services, uid, &client, &error);
1426 }
1427 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, res);
1428 CFReleaseNull(services);
1429 #else
1430 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false);
1431 #endif
1432 }
1433 }
1434 break;
1435 case kSecXPCOpTransmogrifyToSystemKeychain:
1436 {
1437 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateKeychainMigrateSystemKeychain, &error)) {
1438 #if TARGET_OS_IOS
1439 bool res = _SecServerTransmogrifyToSystemKeychain(&client, &error);
1440 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, res);
1441 #else
1442 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false);
1443 #endif
1444
1445 }
1446 }
1447 break;
1448 case kSecXPCOpDeleteUserView:
1449 {
1450 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateKeychainMigrateSystemKeychain, &error)) {
1451 bool res = false;
1452 #if TARGET_OS_IOS
1453 uid_t uid = (uid_t)xpc_dictionary_get_int64(event, "uid");
1454 if (uid) {
1455 res = _SecServerDeleteMUSERViews(&client, uid, &error);
1456 }
1457 #endif
1458 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, res);
1459
1460 }
1461 }
1462 break;
1463 case kSecXPCOpWrapToBackupSliceKeyBagForView:
1464 {
1465 CFStringRef viewname = SecXPCDictionaryCopyString(event, kSecXPCKeyViewName, &error);
1466 if(viewname) {
1467 CFDataRef plaintext = SecXPCDictionaryCopyData(event, kSecXPCData, &error);
1468 if (plaintext) {
1469 CFDataRef ciphertext = NULL;
1470 CFDataRef bskbEncoded = NULL;
1471
1472 bool result = SOSWrapToBackupSliceKeyBagForView_Server(viewname, plaintext, &ciphertext, &bskbEncoded, &error);
1473 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
1474
1475 if(!error && result) {
1476 if(ciphertext) {
1477 xpc_dictionary_set_data(replyMessage, kSecXPCData, CFDataGetBytePtr(ciphertext), CFDataGetLength(ciphertext));
1478 }
1479 if(bskbEncoded) {
1480 xpc_dictionary_set_data(replyMessage, kSecXPCKeyKeybag, CFDataGetBytePtr(bskbEncoded), CFDataGetLength(bskbEncoded));
1481 }
1482 }
1483 CFReleaseSafe(ciphertext);
1484 CFReleaseSafe(bskbEncoded);
1485 }
1486 CFReleaseSafe(plaintext);
1487 }
1488 CFReleaseNull(viewname);
1489 }
1490 break;
1491 case kSecXPCOpCopyApplication:
1492 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementCircleJoin, &error)) {
1493 SOSPeerInfoRef peerInfo = SOSCCCopyApplication_Server(&error);
1494 CFDataRef peerInfoData = peerInfo ? SOSPeerInfoCopyEncodedData(peerInfo, kCFAllocatorDefault, &error) : NULL;
1495 CFReleaseNull(peerInfo);
1496 if (peerInfoData) {
1497 xpc_object_t xpc_object = _CFXPCCreateXPCObjectFromCFObject(peerInfoData);
1498 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_object);
1499 xpc_release(xpc_object);
1500 }
1501 CFReleaseNull(peerInfoData);
1502 }
1503 break;
1504 case kSecXPCOpCopyCircleJoiningBlob:
1505 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementCircleJoin, &error)) {
1506 CFDataRef appBlob = SecXPCDictionaryCopyCFDataRef(event, kSecXPCData, &error);
1507 SOSPeerInfoRef applicant = SOSPeerInfoCreateFromData(kCFAllocatorDefault, &error, appBlob);
1508 CFDataRef pbblob = SOSCCCopyCircleJoiningBlob_Server(applicant, &error);
1509 if (pbblob) {
1510 xpc_object_t xpc_object = _CFXPCCreateXPCObjectFromCFObject(pbblob);
1511 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_object);
1512 xpc_release(xpc_object);
1513 }
1514 CFReleaseNull(pbblob);
1515 CFReleaseNull(applicant);
1516 CFReleaseNull(appBlob);
1517 }
1518 break;
1519 case kSecXPCOpCopyInitialSyncBlob:
1520 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementCircleJoin, &error)) {
1521 CFDataRef initialblob = SOSCCCopyInitialSyncData_Server(&error);
1522 if (initialblob) {
1523 xpc_object_t xpc_object = _CFXPCCreateXPCObjectFromCFObject(initialblob);
1524 xpc_dictionary_set_value(replyMessage, kSecXPCKeyResult, xpc_object);
1525 xpc_release(xpc_object);
1526 }
1527 CFReleaseNull(initialblob);
1528 }
1529 break;
1530 case kSecXPCOpJoinWithCircleJoiningBlob:
1531 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementCircleJoin, &error)) {
1532 CFDataRef joiningBlob = SecXPCDictionaryCopyCFDataRef(event, kSecXPCData, &error);
1533 uint64_t version = xpc_dictionary_get_uint64(event, kSecXPCVersion);
1534 bool retval = SOSCCJoinWithCircleJoiningBlob_Server(joiningBlob, (PiggyBackProtocolVersion) version, &error);
1535 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);
1536 CFReleaseNull(joiningBlob);
1537 }
1538 break;
1539
1540 case kSecXPCOpKVSKeyCleanup:
1541 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1542 bool retval = SOSCCCleanupKVSKeys_Server(&error);
1543 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);
1544 }
1545 break;
1546 case kSecXPCOpPopulateKVS:
1547 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) {
1548 bool retval = SOSCCTestPopulateKVSWithBadKeys_Server(&error);
1549 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);
1550 }
1551 break;
1552 case kSecXPCOpMessageFromPeerIsPending:
1553 {
1554 SOSPeerInfoRef peer = SecXPCDictionaryCopyPeerInfo(event, kSecXPCKeyPeerInfo, &error);
1555 if (peer) {
1556 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1557 SOSCCMessageFromPeerIsPending_Server(peer, &error));
1558 }
1559 CFReleaseNull(peer);
1560 break;
1561 }
1562 case kSecXPCOpSendToPeerIsPending:
1563 {
1564 SOSPeerInfoRef peer = SecXPCDictionaryCopyPeerInfo(event, kSecXPCKeyPeerInfo, &error);
1565 if (peer) {
1566 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult,
1567 SOSCCSendToPeerIsPending(peer, &error));
1568 }
1569 CFReleaseNull(peer);
1570 break;
1571 }
1572 case sec_delete_items_with_access_groups_id:
1573 {
1574 bool retval = false;
1575 #if TARGET_OS_IPHONE
1576 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateUninstallDeletion, &error)) {
1577 CFArrayRef accessGroups = SecXPCDictionaryCopyArray(event, kSecXPCKeyAccessGroups, &error);
1578
1579 if (accessGroups) {
1580 retval = _SecItemServerDeleteAllWithAccessGroups(accessGroups, &client, &error);
1581 }
1582 CFReleaseNull(accessGroups);
1583 }
1584 #endif
1585 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval);
1586 }
1587 break;
1588 case sec_item_copy_parent_certificates_id:
1589 {
1590 CFArrayRef results = NULL;
1591 if(EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateCertificateAllAccess, &error)) {
1592 CFDataRef issuer = SecXPCDictionaryCopyData(event, kSecXPCKeyNormalizedIssuer, &error);
1593 CFArrayRef accessGroups = SecXPCDictionaryCopyArray(event, kSecXPCKeyAccessGroups, &error);
1594 if (issuer && accessGroups) {
1595 results = _SecItemCopyParentCertificates(issuer, accessGroups, &error);
1596 }
1597 CFReleaseNull(issuer);
1598 CFReleaseNull(accessGroups);
1599 }
1600 SecXPCDictionarySetPListOptional(replyMessage, kSecXPCKeyResult, results, &error);
1601 CFReleaseNull(results);
1602 }
1603 break;
1604 case sec_item_certificate_exists_id:
1605 {
1606 bool result = false;
1607 if(EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateCertificateAllAccess, &error)) {
1608 CFDataRef issuer = SecXPCDictionaryCopyData(event, kSecXPCKeyNormalizedIssuer, &error);
1609 CFDataRef serialNum = SecXPCDictionaryCopyData(event, kSecXPCKeySerialNumber, &error);
1610 CFArrayRef accessGroups = SecXPCDictionaryCopyArray(event, kSecXPCKeyAccessGroups, &error);
1611 if (issuer && serialNum && accessGroups) {
1612 result = _SecItemCertificateExists(issuer, serialNum, accessGroups, &error);
1613 }
1614 CFReleaseNull(issuer);
1615 CFReleaseNull(serialNum);
1616 CFReleaseNull(accessGroups);
1617 }
1618 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result);
1619 }
1620 break;
1621 case kSecXPCOpBackupKeybagAdd: {
1622 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementBackupTableOperations, &error)) {
1623 CFDataRef keybag = NULL, passcode = NULL;
1624 if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) {
1625 CFDataRef identifier = NULL;
1626 CFDataRef pathinfo = NULL; // really a CFURLRef
1627 bool added = _SecServerBackupKeybagAdd(&client, passcode, &identifier, &pathinfo, &error);
1628 if (added) {
1629 added &= SecXPCDictionarySetDataOptional(replyMessage, kSecXPCKeyBackupKeybagIdentifier, identifier, &error);
1630 added &= SecXPCDictionarySetDataOptional(replyMessage, kSecXPCKeyBackupKeybagPath, pathinfo, &error);
1631 SecXPCDictionarySetBool(replyMessage, kSecXPCKeyResult, added, NULL);
1632 } else {
1633 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false);
1634 }
1635 }
1636 CFReleaseSafe(passcode);
1637 CFReleaseSafe(keybag);
1638 }
1639 break;
1640 }
1641 case kSecXPCOpBackupKeybagDelete: {
1642 // >>>
1643 if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementBackupTableOperations, &error)) {
1644 bool deleted = false;
1645 CFDictionaryRef query = SecXPCDictionaryCopyDictionary(event, kSecXPCKeyQuery, &error);
1646 if (query) {
1647 CFTypeRef matchLimit = CFDictionaryGetValue(query, kSecMatchLimit);
1648 bool deleteAll = matchLimit && CFEqualSafe(matchLimit, kSecMatchLimitAll);
1649
1650 if (deleteAll && !EntitlementPresentAndTrue(operation, client.task, kSecEntitlementBackupTableOperationsDeleteAll, &error)) {
1651 // require special entitlement to delete all backup keybags
1652 } else {
1653 CFMutableDictionaryRef attributes = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, query);
1654 CFStringRef requestedAgrp = CFDictionaryGetValue(attributes, kSecAttrAccessGroup);
1655 CFStringRef resolvedAgrp = NULL;
1656 if (client.musr) {
1657 CFDictionarySetValue(attributes, kSecAttrMultiUser, client.musr);
1658 }
1659 if (extractAccessGroup(&client, requestedAgrp, &resolvedAgrp, &error)) {
1660 if (resolvedAgrp) {
1661 CFDictionarySetValue(attributes, kSecAttrAccessGroup, resolvedAgrp);
1662 }
1663 deleted = _SecServerBackupKeybagDelete(attributes, deleteAll, &error);
1664 }
1665 CFReleaseNull(attributes);
1666 }
1667 }
1668 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, deleted);
1669 CFReleaseNull(query);
1670 }
1671 break;
1672 }
1673 case kSecXPCOpKeychainControlEndpoint: {
1674 if(EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainControl, &error)) {
1675 xpc_endpoint_t endpoint = SecServerCreateKeychainControlEndpoint();
1676 if (endpoint) {
1677 xpc_dictionary_set_value(replyMessage, kSecXPCKeyEndpoint, endpoint);
1678 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, true);
1679 xpc_release(endpoint);
1680 } else {
1681 xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false);
1682 }
1683 }
1684 break;
1685 }
1686 default:
1687 break;
1688 }
1689
1690 if (error)
1691 {
1692 if(SecErrorGetOSStatus(error) == errSecItemNotFound || isSOSErrorCoded(error, kSOSErrorPublicKeyAbsent))
1693 secdebug("ipc", "%@ %@ %@", client.task, SOSCCGetOperationDescription((enum SecXPCOperation)operation), error);
1694 else if (SecErrorGetOSStatus(error) == errSecAuthNeeded)
1695 secwarning("Authentication is needed %@ %@ %@", client.task, SOSCCGetOperationDescription((enum SecXPCOperation)operation), error);
1696 else
1697 secerror("%@ %@ %@", client.task, SOSCCGetOperationDescription((enum SecXPCOperation)operation), error);
1698
1699 xpcError = SecCreateXPCObjectWithCFError(error);
1700 if (replyMessage) {
1701 xpc_dictionary_set_value(replyMessage, kSecXPCKeyError, xpcError);
1702 }
1703 } else if (replyMessage) {
1704 secdebug("ipc", "%@ %@ responding %@", client.task, SOSCCGetOperationDescription((enum SecXPCOperation)operation), replyMessage);
1705 }
1706 } else {
1707 SecCFCreateErrorWithFormat(kSecXPCErrorUnexpectedType, sSecXPCErrorDomain, NULL, &error, 0, CFSTR("Messages expect to be xpc dictionary, got: %@"), event);
1708 secerror("%@: returning error: %@", client.task, error);
1709 xpcError = SecCreateXPCObjectWithCFError(error);
1710 replyMessage = xpc_create_reply_with_format(event, "{%string: %value}", kSecXPCKeyError, xpcError);
1711 }
1712
1713 if (replyMessage) {
1714 xpc_connection_send_message(connection, replyMessage);
1715 xpc_release(replyMessage);
1716 }
1717 if (xpcError)
1718 xpc_release(xpcError);
1719 #if TARGET_OS_IPHONE
1720 pthread_setspecific(taskThreadKey, NULL);
1721 #endif
1722 CFReleaseSafe(error);
1723 CFReleaseSafe(client.accessGroups);
1724 CFReleaseSafe(client.musr);
1725 CFReleaseSafe(client.task);
1726 CFReleaseSafe(domains);
1727 CFReleaseSafe(clientAuditToken);
1728 }
1729
1730 static void securityd_xpc_init(const char *service_name)
1731 {
1732 #if TARGET_OS_IPHONE
1733 pthread_key_create(&taskThreadKey, NULL);
1734 SecTaskDiagnoseEntitlements = secTaskDiagnoseEntitlements;
1735 #endif
1736
1737 secdebug("serverxpc", "start");
1738 xpc_connection_t listener = xpc_connection_create_mach_service(service_name, NULL, XPC_CONNECTION_MACH_SERVICE_LISTENER);
1739 if (!listener) {
1740 seccritical("security failed to register xpc listener for %s, exiting", service_name);
1741 abort();
1742 }
1743
1744 xpc_connection_set_event_handler(listener, ^(xpc_object_t connection) {
1745 if (xpc_get_type(connection) == XPC_TYPE_CONNECTION) {
1746 xpc_connection_set_event_handler(connection, ^(xpc_object_t event) {
1747 if (xpc_get_type(event) == XPC_TYPE_DICTIONARY) {
1748 xpc_retain(connection);
1749 xpc_retain(event);
1750 dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
1751 securityd_xpc_dictionary_handler(connection, event);
1752 xpc_release(event);
1753 xpc_release(connection);
1754 });
1755 }
1756 });
1757 xpc_connection_resume(connection);
1758 }
1759 });
1760 xpc_connection_resume(listener);
1761
1762 #if OCTAGON
1763 xpc_activity_register("com.apple.securityd.daily", XPC_ACTIVITY_CHECK_IN, ^(xpc_activity_t activity) {
1764 xpc_activity_state_t activityState = xpc_activity_get_state(activity);
1765 if (activityState == XPC_ACTIVITY_STATE_RUN) {
1766 SecCKKS24hrNotification();
1767 }
1768 });
1769 #endif
1770 }
1771
1772
1773 // <rdar://problem/22425706> 13B104+Roots:Device never moved past spinner after using approval to ENABLE icdp
1774
1775 #if TARGET_OS_EMBEDDED
1776 static void securityd_soscc_lock_hack() {
1777 dispatch_queue_t soscc_lock_queue = dispatch_queue_create("soscc_lock_queue", DISPATCH_QUEUE_PRIORITY_DEFAULT);
1778 int soscc_tok;
1779
1780 // <rdar://problem/22500239> Prevent securityd from quitting while holding a keychain assertion
1781 // FIXME: securityd isn't currently registering for any other notifyd events. If/when it does,
1782 // this code will need to be generalized / migrated away from just this specific purpose.
1783 xpc_set_event_stream_handler("com.apple.notifyd.matching", dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0), ^(xpc_object_t object) {
1784 char *event_description = xpc_copy_description(object);
1785 secnotice("events", "%s", event_description);
1786 free(event_description);
1787 });
1788
1789 secnotice("lockassertion", "notify_register_dispatch(kSOSCCHoldLockForInitialSync)");
1790 notify_register_dispatch(kSOSCCHoldLockForInitialSync, &soscc_tok, soscc_lock_queue, ^(int token __unused) {
1791 secnotice("lockassertion", "kSOSCCHoldLockForInitialSync: grabbing the lock");
1792 CFErrorRef error = NULL;
1793
1794 uint64_t one_minute = 60ull;
1795 if(SecAKSLockUserKeybag(one_minute, &error)){
1796 // <rdar://problem/22500239> Prevent securityd from quitting while holding a keychain assertion
1797 xpc_transaction_begin();
1798
1799 dispatch_after(dispatch_time(DISPATCH_TIME_NOW, one_minute*NSEC_PER_SEC), soscc_lock_queue, ^{
1800 CFErrorRef localError = NULL;
1801 if(!SecAKSUnLockUserKeybag(&localError))
1802 secerror("failed to unlock: %@", localError);
1803 CFReleaseNull(localError);
1804 xpc_transaction_end();
1805 });
1806 } else {
1807 secerror("Failed to take device lock assertion: %@", error);
1808 }
1809 CFReleaseNull(error);
1810 secnotice("lockassertion", "kSOSCCHoldLockForInitialSync => done");
1811 });
1812 }
1813 #endif
1814
1815 #if TARGET_OS_OSX
1816
1817 static char *
1818 homedirPath(void)
1819 {
1820 static char homeDir[PATH_MAX] = {};
1821
1822 if (homeDir[0] == '\0') {
1823 struct passwd* pwd = getpwuid(getuid());
1824 if (pwd == NULL)
1825 return NULL;
1826
1827 if (realpath(pwd->pw_dir, homeDir) == NULL) {
1828 strlcpy(homeDir, pwd->pw_dir, sizeof(homeDir));
1829 }
1830 }
1831 return homeDir;
1832 }
1833 #endif
1834
1835
1836 int main(int argc, char *argv[])
1837 {
1838 char *wait4debugger = getenv("WAIT4DEBUGGER");
1839 if (wait4debugger && !strcasecmp("YES", wait4debugger)) {
1840 seccritical("SIGSTOPing self, awaiting debugger");
1841 kill(getpid(), SIGSTOP);
1842 seccritical("Again, for good luck (or bad debuggers)");
1843 kill(getpid(), SIGSTOP);
1844 }
1845
1846 /* <rdar://problem/15792007> Users with network home folders are unable to use/save password for Mail/Cal/Contacts/websites
1847 Secd doesn't realize DB connections get invalidated when network home directory users logout
1848 and their home gets unmounted. Exit secd, start fresh when user logs back in.
1849 */
1850 #if TARGET_OS_OSX
1851 int sessionstatechanged_tok;
1852 notify_register_dispatch(kSA_SessionStateChangedNotification, &sessionstatechanged_tok, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(int token __unused) {
1853 // we could be a process running as root.
1854 // However, since root never logs out this isn't an issue.
1855 if (SASSessionStateForUser(getuid()) == kSA_state_loggingout_pointofnoreturn) {
1856 dispatch_after(dispatch_time(DISPATCH_TIME_NOW, 3ull*NSEC_PER_SEC), dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
1857 xpc_transaction_exit_clean();
1858 });
1859 }
1860 });
1861 #endif
1862
1863 #if TARGET_OS_OSX
1864 #define SECD_PROFILE_NAME "com.apple.secd"
1865 const char *homedir = homedirPath();
1866 if (homedir == NULL)
1867 errx(1, "failed to get home directory for secd");
1868
1869 char *errorbuf = NULL;
1870 const char *sandbox_params[] = {
1871 "_HOME", homedir,
1872 NULL
1873 };
1874 int32_t rc;
1875
1876 rc = sandbox_init_with_parameters(SECD_PROFILE_NAME, SANDBOX_NAMED, sandbox_params, &errorbuf);
1877 if (rc)
1878 err(1, "Failed to process in a sandbox: %d %s", rc, errorbuf);
1879 #endif /* TARGET_OS_OSX */
1880
1881 const char *serviceName = kSecuritydXPCServiceName;
1882 /* setup SQDLite before some other component have a chance to create a database connection */
1883 _SecDbServerSetup();
1884
1885 securityd_init_server();
1886 securityd_xpc_init(serviceName);
1887
1888 SecCreateSecuritydXPCServer();
1889 CKKSControlServerInitialize();
1890 SOSControlServerInitialize();
1891 OctagonControlServerInitialize();
1892
1893 // <rdar://problem/22425706> 13B104+Roots:Device never moved past spinner after using approval to ENABLE icdp
1894 #if TARGET_OS_EMBEDDED
1895 securityd_soscc_lock_hack();
1896 #endif
1897
1898 dispatch_main();
1899 }
1900
1901 /* vi:set ts=4 sw=4 et: */
mirror of Security