X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/5c19dc3ae3bd8e40a9c028b0deddd50ff337692c..dd5fb164cf5b32c462296bc65e289e100f74b59a:/OSX/libsecurity_codesigning/lib/Code.cpp diff --git a/OSX/libsecurity_codesigning/lib/Code.cpp b/OSX/libsecurity_codesigning/lib/Code.cpp index 643c4f58..d5de3047 100644 --- a/OSX/libsecurity_codesigning/lib/Code.cpp +++ b/OSX/libsecurity_codesigning/lib/Code.cpp @@ -205,7 +205,9 @@ void SecCode::checkValidity(SecCSFlags flags) SecStaticCode *hostDisk = this->host()->staticCode(); // check my static state - myDisk->validateDirectory(); + myDisk->validateNonResourceComponents(); // also validates the CodeDirectory + if (flags & kSecCSStrictValidate) + myDisk->diskRep()->strictValidate(myDisk->codeDirectory(), DiskRep::ToleratedErrors(), flags); // check my own dynamic state if (!(this->host()->getGuestStatus(this) & kSecCodeStatusValid)) @@ -257,9 +259,9 @@ SecCode *SecCode::autoLocateGuest(CFDictionaryRef attributes, SecCSFlags flags) if (CFDictionaryGetCount(attributes) == 0) return KernelCode::active()->retain(); - // main logic: we need a pid, and we'll take a canonical guest id as an option - int pid = 0; - if (!cfscan(attributes, "{%O=%d}", kSecGuestAttributePid, &pid)) + // main logic: we need a pid or audit trailer; everything else goes to the guests + if (CFDictionaryGetValue(attributes, kSecGuestAttributePid) == NULL + && CFDictionaryGetValue(attributes, kSecGuestAttributeAudit) == NULL) CSError::throwMe(errSecCSUnsupportedGuestAttributes, kSecCFErrorGuestAttributes, attributes); if (SecCode *process = KernelCode::active()->locateGuest(attributes)) { @@ -269,6 +271,7 @@ SecCode *SecCode::autoLocateGuest(CFDictionaryRef attributes, SecCSFlags flags) // might be a code host. Let's find out CFRef rest = makeCFMutableDictionary(attributes); CFDictionaryRemoveValue(rest, kSecGuestAttributePid); + CFDictionaryRemoveValue(rest, kSecGuestAttributeAudit); if (SecCode *guest = code->locateGuest(rest)) return guest; }