+CFStringRef
+SecTaskCopySigningIdentifier(SecTaskRef task, CFErrorRef *error)
+{
+ return SecTaskCopyIdentifier(task, CS_OPS_IDENTITY, error);
+}
+
+CFStringRef
+SecTaskCopyTeamIdentifier(SecTaskRef task, CFErrorRef *error)
+{
+ return SecTaskCopyIdentifier(task, CS_OPS_TEAMID, error);
+}
+
ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, &header, sizeof(header));
/* Any other combination means no entitlements */
ret = csops_task(task, CS_OPS_ENTITLEMENTS_BLOB, &header, sizeof(header));
/* Any other combination means no entitlements */
if (-1 == csops_task(task, CS_OPS_STATUS, &cs_flags, sizeof(cs_flags))) {
syslog(LOG_NOTICE, "Failed to get cs_flags, error=%d", errno);
}
if (-1 == csops_task(task, CS_OPS_STATUS, &cs_flags, sizeof(cs_flags))) {
syslog(LOG_NOTICE, "Failed to get cs_flags, error=%d", errno);
}
- if (cs_flags != 0) { // was signed
-
- pid_t pid;
- audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
- syslog(LOG_NOTICE, "SecTaskLoadEntitlements failed error=%d cs_flags=%x, pid=%d", entitlementErrno, cs_flags, pid); // to ease diagnostics
-
- CFStringRef description = SecTaskCopyDebugDescription(task);
- char *descriptionBuf = NULL;
- CFIndex descriptionSize = CFStringGetLength(description) * 4;
- descriptionBuf = (char *)malloc(descriptionSize);
- if (!CFStringGetCString(description, descriptionBuf, descriptionSize, kCFStringEncodingUTF8)) {
- descriptionBuf[0] = 0;
- }
-
- syslog(LOG_NOTICE, "SecTaskCopyDebugDescription: %s", descriptionBuf);
- CFReleaseNull(description);
- free(descriptionBuf);
- }
- task->lastFailure = entitlementErrno; // was overwritten by csops_task(CS_OPS_STATUS) above
-
- // EINVAL is what the kernel says for unsigned code, so we'll have to let that pass
- if (entitlementErrno == EINVAL) {
- task->entitlementsLoaded = true;
- return true;
- }
- ret = entitlementErrno; // what really went wrong
- goto out; // bail out
- }
+ if (cs_flags != 0) { // was signed
+ pid_t pid;
+ audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
+ syslog(LOG_NOTICE, "SecTaskLoadEntitlements failed error=%d cs_flags=%x, pid=%d", entitlementErrno, cs_flags, pid); // to ease diagnostics
+
+ CFStringRef description = SecTaskCopyDebugDescription(task);
+ char *descriptionBuf = NULL;
+ CFIndex descriptionSize = CFStringGetLength(description) * 4;
+ descriptionBuf = (char *)malloc(descriptionSize);
+ if (!CFStringGetCString(description, descriptionBuf, descriptionSize, kCFStringEncodingUTF8)) {
+ descriptionBuf[0] = 0;
+ }
+
+ syslog(LOG_NOTICE, "SecTaskCopyDebugDescription: %s", descriptionBuf);
+ CFReleaseNull(description);
+ free(descriptionBuf);
+ }
+ task->lastFailure = entitlementErrno; // was overwritten by csops_task(CS_OPS_STATUS) above
+
+ // EINVAL is what the kernel says for unsigned code, so we'll have to let that pass
+ if (entitlementErrno == EINVAL) {
+ task->entitlementsLoaded = true;
+ return true;
+ }
+ ret = entitlementErrno; // what really went wrong
+ goto out; // bail out
+ }
+
+ bool entitlementsModified = updateCatalystEntitlements(entitlements);
+ if (entitlementsModified) {
+ pid_t pid;
+ audit_token_to_au32(task->token, NULL, NULL, NULL, NULL, NULL, &pid, NULL, NULL);
+ secinfo("SecTask", "Fixed catalyst entitlements for process %d", pid);
+ }
projects / apple / security.git / blobdiff