--- /dev/null
+/*
+ * Copyright (c) 2000-2007,2009-2010,2012 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include <paths.h>
+#include <fcntl.h>
+#include "authhost.h"
+#include "server.h"
+#include <security_utilities/logging.h>
+#include <security_utilities/debugging.h>
+#include <security_agent_client/sa_request.h>
+#include <security_agent_client/utils.h>
+#include <bsm/audit.h>
+#include <bootstrap_priv.h>
+
+#include <grp.h>
+#include <pwd.h>
+#include <sys/types.h>
+#include <sys/sysctl.h>
+#include <syslog.h>
+#include <pthread.h>
+
+static pthread_once_t agent_cred_init = PTHREAD_ONCE_INIT;
+static gid_t agent_gid = 92;
+static uid_t agent_uid = 92;
+
+void initialize_agent_creds()
+{
+ struct passwd *agentUser = getpwnam("securityagent");
+ if (agentUser)
+ {
+ agent_uid = agentUser->pw_uid;
+ agent_gid = agentUser->pw_gid;
+ endpwent();
+ }
+}
+
+AuthHostInstance::AuthHostInstance(Session &session, AuthHostType host) :
+ mHostType(host)
+{
+ secdebug("authhost", "authhost born (%p)", this);
+ referent(session);
+ session.addReference(*this);
+ if (host == securityAgent)
+ pthread_once(&agent_cred_init, initialize_agent_creds);
+}
+
+AuthHostInstance::~AuthHostInstance()
+{
+ secdebug("authhost", "authhost died (%p)", this);
+}
+
+Session &AuthHostInstance::session() const
+{
+ return referent<Session>();
+}
+
+bool AuthHostInstance::inDarkWake()
+{
+ return session().server().inDarkWake();
+}
+
+void
+AuthHostInstance::childAction()
+{
+ // switch to desired session
+ CommonCriteria::AuditInfo &audit = this->session().auditInfo();
+ audit.get(audit.sessionId());
+ audit.set();
+ //this->session().auditInfo().set();
+
+ // Setup the environment for the SecurityAgent
+ unsetenv("USER");
+ unsetenv("LOGNAME");
+ unsetenv("HOME");
+
+ // close down any files that might have been open at this point
+ int maxDescriptors = getdtablesize ();
+ int i;
+
+ int devnull = open(_PATH_DEVNULL, O_RDWR, 0);
+ if (devnull >= 0) for (i = 0; i < 3; ++i)
+ {
+ dup2(devnull, i);
+ }
+
+ for (i = 3; i < maxDescriptors; ++i)
+ {
+ close (i);
+ }
+
+ // construct path to SecurityAgent
+ char agentExecutable[PATH_MAX + 1];
+ const char *path = getenv("SECURITYAGENT");
+ if (!path)
+ path = "/System/Library/CoreServices/SecurityAgent.app";
+ secdebug("adhoc", "hostType = %d", mHostType);
+
+ if ((mHostType == userAuthHost) || (mHostType == privilegedAuthHost))
+ {
+ snprintf(agentExecutable, sizeof(agentExecutable), "%s/Contents/Resources/authorizationhost", path);
+ secdebug("AuthHostInstance", "execl(%s)", agentExecutable);
+ execl(agentExecutable, agentExecutable, NULL);
+ }
+ else
+ {
+ snprintf(agentExecutable, sizeof(agentExecutable), "%s/Contents/MacOS/SecurityAgent", path);
+
+ pid_t pid = getpid();
+ if ((pid <= 0) ||
+ sysctlbyname("vfs.generic.noremotehang", NULL, NULL, &pid, sizeof(pid)))
+ syslog(LOG_ERR, "Failed to set vfs.generic.noremotehang for pid(%d)", pid);
+
+ setgroups(1, &agent_gid);
+ setgid(agent_gid);
+ setuid(agent_uid);
+
+ secdebug("AuthHostInstance", "execl(%s) as user (%d,%d)", agentExecutable, agent_uid, agent_gid);
+ execl(agentExecutable, agentExecutable, NULL);
+ }
+
+ secdebug("AuthHostInstance", "execl failed, errno=%d", errno);
+ // Unconditional suicide follows.
+ _exit(1);
+}
+
+// @@@ these definitions and the logic in lookup() should move into
+// libsecurity_agent
+#define SECURITYAGENT_BOOTSTRAP_NAME_BASE "com.apple.SecurityAgent"
+#define AUTHORIZATIONHOST_BOOTSTRAP_NAME_BASE "com.apple.authorizationhost"
+
+mach_port_t
+AuthHostInstance::lookup(SessionId jobId)
+{
+ StLock<Mutex> _(*this);
+
+ mach_port_t pluginhostPort = MACH_PORT_NULL;
+ kern_return_t result;
+ const char *serviceName;
+ /* PR-7483709 const */ uuid_t instanceId = UUID_INITIALIZER_FROM_SESSIONID(jobId);
+ uuid_string_t s;
+
+ if ((mHostType == securityAgent)) {
+ if (!(session().attributes() & sessionHasGraphicAccess))
+ CssmError::throwMe(CSSM_ERRCODE_NO_USER_INTERACTION);
+ if (inDarkWake())
+ CssmError::throwMe(CSSM_ERRCODE_IN_DARK_WAKE);
+ }
+
+ if (mHostType == securityAgent)
+ serviceName = SECURITYAGENT_BOOTSTRAP_NAME_BASE;
+ else
+ serviceName = AUTHORIZATIONHOST_BOOTSTRAP_NAME_BASE;
+
+ secdebug("AuthHostInstance", "looking up %s instance %s", serviceName,
+ uuid_to_string(instanceId, s)); // XXX/gh debugging
+ if ((result = bootstrap_look_up3(bootstrap_port, serviceName,
+ &pluginhostPort, 0, instanceId, BOOTSTRAP_SPECIFIC_INSTANCE)) != KERN_SUCCESS) {
+
+ Syslog::error("error %d looking up %s instance %s", result, serviceName,
+ uuid_to_string(instanceId, s));
+ } else
+ secdebug("AuthHostInstance", "port = %x", (unsigned int)pluginhostPort);
+
+ return pluginhostPort;
+}
+
+Port AuthHostInstance::activate()
+{
+ StLock<Mutex> _(*this);
+ if (state() != alive)
+ {
+ if ((mHostType == securityAgent)) {
+ if (!(session().attributes() & sessionHasGraphicAccess))
+ CssmError::throwMe(CSSM_ERRCODE_NO_USER_INTERACTION);
+ if (inDarkWake())
+ CssmError::throwMe(CSSM_ERRCODE_IN_DARK_WAKE);
+ }
+
+ fork();
+ switch (ServerChild::state()) {
+ case Child::alive:
+ secdebug("AuthHostInstance", "%p (pid %d) has launched", this, pid());
+ break;
+ case Child::dead:
+ secdebug("AuthHostInstance", "%p (pid %d) failed on startup", this, pid());
+ break;
+ default:
+ assert(false);
+ }
+ }
+
+ if (!ready())
+ CssmError::throwMe(CSSM_ERRCODE_NO_USER_INTERACTION);
+
+ return servicePort();
+}