index 033ef507f861d64fb1bbd79a1f44004b122f84a9..85abf01ac3867e0c71584636d49d4f6a773b0161 100644 (file)
@@ -1227,7 +1227,6 @@ void SecStaticCode::validateExecutable()
                MacOSError::throwMe(mExecutableValidResult);
 }
 
-
 //
 // Perform static validation of sealed resources and nested code.
 //
@@ -1257,11 +1256,14 @@ void SecStaticCode::validateResources(SecCSFlags flags)
        if (doit) {
                string root = cfStringRelease(copyCanonicalPath());
                bool itemIsOnRootFS = isOnRootFilesystem(root.c_str());
-               bool requestForcedValidation = (mValidationFlags & kSecCSSkipRootVolumeExceptions);
-               bool useRootFSPolicy = itemIsOnRootFS && !requestForcedValidation;
+               bool skipRootVolumeExceptions = (mValidationFlags & kSecCSSkipRootVolumeExceptions);
+               bool useRootFSPolicy = itemIsOnRootFS && !skipRootVolumeExceptions;
+
+               bool itemMightUseXattrFiles = pathFileSystemUsesXattrFiles(root.c_str());
+               bool skipXattrFiles = itemMightUseXattrFiles && (mValidationFlags & kSecCSSkipXattrFiles);
 
-               secinfo("staticCode", "performing resource validation for %s (%d, %d, %d)", root.c_str(),
-                               itemIsOnRootFS, requestForcedValidation, useRootFSPolicy);
+               secinfo("staticCode", "performing resource validation for %s (%d, %d, %d, %d, %d)", root.c_str(),
+                               itemIsOnRootFS, skipRootVolumeExceptions, useRootFSPolicy, itemMightUseXattrFiles, skipXattrFiles);
 
                if (mLimitedAsync == NULL) {
                        bool runMultiThreaded = ((flags & kSecCSSingleThreaded) == kSecCSSingleThreaded) ? false :
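Review bot: The new `skipXattrFiles` decision has no comment explaining why it requires both the filesystem probe and the caller's `kSecCSSkipXattrFiles` flag, even though it later exempts files from resource validation entirely. A one-line comment above `bool itemMightUseXattrFiles = pathFileSystemUsesXattrFiles(root.c_str());` such as `// Skipping xattr files is opt-in (kSecCSSkipXattrFiles) and only applies on volumes that store extended attributes as separate files; otherwise every resource is validated.` would make the intent and the narrowing of the exemption explicit to the next reader. The implicit narrowing of `(mValidationFlags & kSecCSSkipXattrFiles)` to `bool` matches the existing `skipRootVolumeExceptions` line, so no change is needed there. The enclosing `validateResources` body continues past the hunk.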
@@ -1313,6 +1315,11 @@ void SecStaticCode::validateResources(SecCSFlags flags)
                                void (^validate)() = ^{
                                        bool needsValidation = true;
 
+                                       if (skipXattrFiles && pathIsValidXattrFile(cfString(resourceBase()) + "/" + relpath, "staticCode")) {
+                                               secinfo("staticCode", "resource validation on xattr file skipped: %s", relpath.c_str());
+                                               needsValidation = false;
+                                       }
+
                                        if (useRootFSPolicy) {
                                                CFRef<CFURLRef> itemURL = makeCFURL(relpath, false, resourceBase());
                                                string itemPath = cfString(itemURL);
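Review bot: The new skip at `if (skipXattrFiles && pathIsValidXattrFile(...))` sets `needsValidation = false` but does not stop the `if (useRootFSPolicy)` branch immediately after it from running, so that branch still builds `itemURL`/`itemPath` for a file already excluded and, if its body (which continues past the hunk) assigns `needsValidation` itself, could silently overwrite the skip. Guarding it with `if (needsValidation && useRootFSPolicy) {` keeps the two decisions from interfering. The same path is also built two different ways within a few lines, `cfString(resourceBase()) + "/" + relpath` here versus `makeCFURL(relpath, false, resourceBase())` below; using one helper for both avoids the two forms disagreeing on edge cases such as a resource base that already ends in a separator. Since this branch removes a file from validation altogether, a short comment stating what `pathIsValidXattrFile` guarantees about such a file would let reviewers judge the exemption; the `validate` block itself continues outside the hunk.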