X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/5c19dc3ae3bd8e40a9c028b0deddd50ff337692c..7e6b461318c8a779d91381531435a68ee4e8b6ed:/OSX/libsecurity_codesigning/lib/piddiskrep.cpp?ds=inline

diff --git a/OSX/libsecurity_codesigning/lib/piddiskrep.cpp b/OSX/libsecurity_codesigning/lib/piddiskrep.cpp
index f3488088..0aeeb81e 100644
--- a/OSX/libsecurity_codesigning/lib/piddiskrep.cpp
+++ b/OSX/libsecurity_codesigning/lib/piddiskrep.cpp
@@ -32,10 +32,23 @@ namespace Security {
 namespace CodeSigning {
                 
 using namespace UnixPlusPlus;
-        
+
+
+void
+PidDiskRep::setCredentials(const Security::CodeSigning::CodeDirectory *cd)
+{
+	// save the Info.plist slot
+	if (cd->slotIsPresent(cdInfoSlot)) {
+		mInfoPlistHash.take(makeCFData(cd->getSlot(cdInfoSlot, false), cd->hashSize));
+	}
+}
+
 void
 PidDiskRep::fetchData(void)
 {
+	if (mDataFetched)	// once
+		return;
+	
 	xpc_connection_t conn = xpc_connection_create("com.apple.CodeSigningHelper",
 						      dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0));
 	xpc_connection_set_event_handler(conn, ^(xpc_object_t object){ });
@@ -45,7 +58,12 @@ PidDiskRep::fetchData(void)
 	assert(request != NULL);
 	xpc_dictionary_set_string(request, "command", "fetchData");
 	xpc_dictionary_set_int64(request, "pid", mPid);
-        
+	
+	if (mAudit) {
+		xpc_dictionary_set_data(request, "audit", mAudit.get(), sizeof(audit_token_t));
+	}
+	xpc_dictionary_set_data(request, "infohash", CFDataGetBytePtr(mInfoPlistHash), CFDataGetLength(mInfoPlistHash));
+	
 	xpc_object_t reply = xpc_connection_send_message_with_reply_sync(conn, request);
 	if (reply && xpc_get_type(reply) == XPC_TYPE_DICTIONARY) {
 		const void *data;
@@ -70,22 +88,35 @@ PidDiskRep::fetchData(void)
     
     if (!mBundleURL)
         MacOSError::throwMe(errSecCSNoSuchCode);
+	
+	mDataFetched = true;
 }
 
 
-PidDiskRep::PidDiskRep(pid_t pid, CFDataRef infoPlist)
+PidDiskRep::PidDiskRep(pid_t pid, audit_token_t *audit, CFDataRef infoPlist)
+	: mDataFetched(false)
 {
         BlobCore header;
-        CODESIGN_DISKREP_CREATE_KERNEL(this);
-        
+	
         mPid = pid;
         mInfoPlist = infoPlist;
-
-        fetchData();
     
-        int rcent = ::csops(pid, CS_OPS_BLOB, &header, sizeof(header));
+        if (audit != NULL) {
+            mAudit.reset(new audit_token_t);
+            memcpy(mAudit.get(), audit, sizeof(audit_token_t));
+        }
+    
+        //        fetchData();
+    
+        int rcent = EINVAL;
+	
+        if (audit != NULL) {
+            rcent = ::csops_audittoken(pid, CS_OPS_BLOB, &header, sizeof(header), mAudit.get());
+        } else {
+            rcent = ::csops(pid, CS_OPS_BLOB, &header, sizeof(header));
+        }
         if (rcent == 0)
-                MacOSError::throwMe(errSecCSNoSuchCode);
+            MacOSError::throwMe(errSecCSNoSuchCode);
         
         if (errno != ERANGE)
                 UnixError::throwMe(errno);
@@ -95,8 +126,12 @@ PidDiskRep::PidDiskRep(pid_t pid, CFDataRef infoPlist)
         
         uint32_t bufferLen = (uint32_t)header.length();
         mBuffer = new uint8_t [bufferLen];
-        
-        UnixError::check(::csops(pid, CS_OPS_BLOB, mBuffer, bufferLen));
+    
+        if (audit != NULL) {
+            UnixError::check(::csops_audittoken(pid, CS_OPS_BLOB, mBuffer, bufferLen, mAudit.get()));
+        } else {
+            UnixError::check(::csops(pid, CS_OPS_BLOB, mBuffer, bufferLen));
+        }
 
         const EmbeddedSignatureBlob *b = (const EmbeddedSignatureBlob *)mBuffer;
         if (!b->validateBlob(bufferLen))
@@ -112,17 +147,20 @@ PidDiskRep::~PidDiskRep()
 
 bool PidDiskRep::supportInfoPlist()
 {
+		fetchData();
         return mInfoPlist;
 }
 
 
 CFDataRef PidDiskRep::component(CodeDirectory::SpecialSlot slot)
 {
-	if (slot == cdInfoSlot)
-                return mInfoPlist.retain();
+	if (slot == cdInfoSlot) {
+		fetchData();
+		return mInfoPlist.retain();
+	}
 
-        EmbeddedSignatureBlob *b = (EmbeddedSignatureBlob *)this->blob();
-        return b->component(slot);
+	EmbeddedSignatureBlob *b = (EmbeddedSignatureBlob *)this->blob();
+	return b->component(slot);
 }
 
 CFDataRef PidDiskRep::identification()
@@ -133,7 +171,8 @@ CFDataRef PidDiskRep::identification()
 
 CFURLRef PidDiskRep::copyCanonicalPath()
 {
-        return mBundleURL.retain();
+	fetchData();
+	return mBundleURL.retain();
 }
 
 string PidDiskRep::recommendedIdentifier(const SigningContext &)
@@ -146,6 +185,11 @@ size_t PidDiskRep::signingLimit()
         return 0;
 }
 
+size_t PidDiskRep::execSegLimit(const Architecture *)
+{
+		return 0;
+}
+    
 string PidDiskRep::format()
 {
         return "pid diskrep";
@@ -159,12 +203,31 @@ UnixPlusPlus::FileDesc &PidDiskRep::fd()
 string PidDiskRep::mainExecutablePath()
 {
         char path[MAXPATHLEN * 2];
+        // This is unsafe by pid only, but so is using that path in general.
         if(::proc_pidpath(mPid, path, sizeof(path)) == 0)
 		UnixError::throwMe(errno);
 
         return path;
 }
-                
+
+bool PidDiskRep::appleInternalForcePlatform() const
+{
+	uint32_t flags = 0;
+	int rcent = EINVAL;
+	
+	if (mAudit != NULL) {
+		rcent = ::csops_audittoken(mPid, CS_OPS_STATUS, &flags, sizeof(flags),
+								   mAudit.get());
+	} else {
+		rcent = ::csops(mPid, CS_OPS_STATUS, &flags, sizeof(flags));
+	}
+	
+	if (rcent != 0) {
+		MacOSError::throwMe(errSecCSNoSuchCode);
+	}
+	
+	return (flags & CS_PLATFORM_BINARY) == CS_PLATFORM_BINARY;
+}
                 
 } // end namespace CodeSigning
 } // end namespace Security