Security-58286.20.16.tar.gz

[apple/security.git] / OSX / libsecurity_keychain / lib / SecAccess.cpp

diff --git a/OSX/libsecurity_keychain/lib/SecAccess.cpp b/OSX/libsecurity_keychain/lib/SecAccess.cpp
index 9491f85c7f9d05a9a793e8a209af46a78c9c8e40..bb3adfc6712bd6dae0801072eaca95785c41a9f6 100644 (file)
--- a/OSX/libsecurity_keychain/lib/SecAccess.cpp
+++ b/OSX/libsecurity_keychain/lib/SecAccess.cpp
@@ -27,10 +27,11 @@
 #include <Security/SecTrustedApplication.h>
 #include <Security/SecTrustedApplicationPriv.h>
 #include <security_keychain/Access.h>
 #include <Security/SecTrustedApplication.h>
 #include <Security/SecTrustedApplicationPriv.h>
 #include <security_keychain/Access.h>

+#include <security_utilities/casts.h>
+#include <utilities/SecCFRelease.h>

 #include "SecBridge.h"
 #include <sys/param.h>
 
 #include "SecBridge.h"
 #include <sys/param.h>
 

-#undef secdebug

 #include <utilities/SecCFWrappers.h>
 
 
 #include <utilities/SecCFWrappers.h>
 
 


@@ -66,6 +67,8 @@ const CFStringRef kSecACLAuthorizationKeychainItemDelete = CFSTR("ACLAuthorizati
 
 const CFStringRef kSecACLAuthorizationChangeACL = CFSTR("ACLAuthorizationChangeACL");
 const CFStringRef kSecACLAuthorizationChangeOwner = CFSTR("ACLAuthorizationChangeOwner");
 
 const CFStringRef kSecACLAuthorizationChangeACL = CFSTR("ACLAuthorizationChangeACL");
 const CFStringRef kSecACLAuthorizationChangeOwner = CFSTR("ACLAuthorizationChangeOwner");

+const CFStringRef kSecACLAuthorizationPartitionID = CFSTR("ACLAuthorizationPartitionID");
+const CFStringRef kSecACLAuthorizationIntegrity = CFSTR("ACLAuthorizationIntegrity");

 
 
 static CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName);
 
 
 static CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName);


@@ -95,8 +98,9 @@ static CFStringRef gKeys[] =
        kSecACLAuthorizationKeychainItemDelete,
 
        kSecACLAuthorizationChangeACL,
        kSecACLAuthorizationKeychainItemDelete,
 
        kSecACLAuthorizationChangeACL,

-       kSecACLAuthorizationChangeOwner
-
+       kSecACLAuthorizationChangeOwner,
+    kSecACLAuthorizationPartitionID,
+    kSecACLAuthorizationIntegrity

 };
 
 static sint32 gValues[] =
 };
 
 static sint32 gValues[] =


@@ -121,7 +125,9 @@ static sint32 gValues[] =
        CSSM_ACL_AUTHORIZATION_DB_MODIFY,
        CSSM_ACL_AUTHORIZATION_DB_DELETE,
        CSSM_ACL_AUTHORIZATION_CHANGE_ACL,
        CSSM_ACL_AUTHORIZATION_DB_MODIFY,
        CSSM_ACL_AUTHORIZATION_DB_DELETE,
        CSSM_ACL_AUTHORIZATION_CHANGE_ACL,

-       CSSM_ACL_AUTHORIZATION_CHANGE_OWNER
+       CSSM_ACL_AUTHORIZATION_CHANGE_OWNER,
+    CSSM_ACL_AUTHORIZATION_PARTITION_ID,
+    CSSM_ACL_AUTHORIZATION_INTEGRITY

 };
 
 static
 };
 
 static


@@ -226,6 +232,7 @@ CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag)
        {
                result = (CFStringRef)CFDictionaryGetValue(gTagMapping, aNum);
        }
        {
                result = (CFStringRef)CFDictionaryGetValue(gTagMapping, aNum);
        }

+    CFReleaseSafe(aNum);

        return result;
 }
 
        return result;
 }
 


@@ -287,7 +294,7 @@ SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAcce
        CSSM_ACL_PROCESS_SUBJECT_SELECTOR selector =
        {
                CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION,      // selector version
        CSSM_ACL_PROCESS_SUBJECT_SELECTOR selector =
        {
                CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION,      // selector version

-               ownerType,
+               int_cast<UInt32, uint16>(ownerType),

                userId,
                groupId
        };
                userId,
                groupId
        };


@@ -314,7 +321,9 @@ SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAcce
        CFRelease(debugStr);
 #endif
 
        CFRelease(debugStr);
 #endif
 

-       CSSM_ACL_AUTHORIZATION_TAG rights[numAcls];
+    CFIndex rightsSize = numAcls > 0 ? numAcls : 1;
+
+       CSSM_ACL_AUTHORIZATION_TAG rights[rightsSize];

        memset(rights, 0, sizeof(rights));
 
        for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
        memset(rights, 0, sizeof(rights));
 
        for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)


@@ -375,7 +384,7 @@ SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAcce
                                { CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
                                false,  // Delegate
                                // rights for this entry
                                { CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
                                false,  // Delegate
                                // rights for this entry

-                               { (uint32)(sizeof(rights) / sizeof(rights[0])), rights },
+                               { (uint32)numAcls, rights },

                                // rest is defaulted
                        }
                }
                                // rest is defaulted
                        }
                }


@@ -572,9 +581,6 @@ CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trus
     if (!trustedAppsURL)
         goto xit;
 
     if (!trustedAppsURL)
         goto xit;
 

-    if ( trustedAppListFileNameWithoutExtension )
-               CFRelease(trustedAppListFileNameWithoutExtension);
-

        if (!CFURLCreateDataAndPropertiesFromResource(kCFAllocatorDefault,trustedAppsURL,&xmlDataRef,NULL,NULL,&errorCode))
         goto xit;
 
        if (!CFURLCreateDataAndPropertiesFromResource(kCFAllocatorDefault,trustedAppsURL,&xmlDataRef,NULL,NULL,&errorCode))
         goto xit;
 


@@ -582,6 +588,7 @@ CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trus
     trustedAppList = (CFArrayRef)trustedAppsPlist;
 
 xit:
     trustedAppList = (CFArrayRef)trustedAppsPlist;
 
 xit:

+    CFReleaseNull(trustedAppListFileNameWithoutExtension);

     if (bundleURL)
         CFRelease(bundleURL);
     if (secBundle)
     if (bundleURL)
         CFRelease(bundleURL);
     if (secBundle)