X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/641423b6670d8656d5daeaf988e7d307fb6c1ebc..dd5fb164cf5b32c462296bc65e289e100f74b59a:/OSX/libsecurity_codesigning/lib/policydb.cpp?ds=inline diff --git a/OSX/libsecurity_codesigning/lib/policydb.cpp b/OSX/libsecurity_codesigning/lib/policydb.cpp index af49aa9e..94d1bbc8 100644 --- a/OSX/libsecurity_codesigning/lib/policydb.cpp +++ b/OSX/libsecurity_codesigning/lib/policydb.cpp @@ -282,6 +282,10 @@ void PolicyDatabase::upgradeDatabase() "INSERT INTO authority (type, allow, flags, label, requirement) VALUES (3, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists')"); addDevID.execute(); }); + + simpleFeature("root_only", ^{ + UnixError::check(::chmod(dbPath(), S_IRUSR | S_IWUSR)); + }); } @@ -303,7 +307,7 @@ void PolicyDatabase::installExplicitSet(const char *authfile, const char *sigfil CFDictionaryRef content = auth.get(CFSTR("authority")); std::string authUUID = cfString(auth.get(CFSTR("uuid"))); if (authUUID.empty()) { - secdebug("gkupgrade", "no uuid in auth file; ignoring gke.auth"); + secinfo("gkupgrade", "no uuid in auth file; ignoring gke.auth"); return; } std::string dbUUID; @@ -311,7 +315,7 @@ void PolicyDatabase::installExplicitSet(const char *authfile, const char *sigfil if (uuidQuery.nextRow()) dbUUID = (const char *)uuidQuery[0]; if (dbUUID == authUUID) { - secdebug("gkupgrade", "gke.auth already present, ignoring"); + secinfo("gkupgrade", "gke.auth already present, ignoring"); return; } Syslog::notice("loading GKE %s (replacing %s)", authUUID.c_str(), dbUUID.empty() ? "nothing" : dbUUID.c_str()); @@ -325,7 +329,7 @@ void PolicyDatabase::installExplicitSet(const char *authfile, const char *sigfil db.storeCode(blob, ""); count++; } - secdebug("gkupgrade", "%d detached signature(s) loaded from override data", count); + secinfo("gkupgrade", "%d detached signature(s) loaded from override data", count); fclose(sigs); } @@ -350,8 +354,12 @@ void PolicyDatabase::installExplicitSet(const char *authfile, const char *sigfil uint32_t flags = kAuthorityFlagWhitelist; if (CFNumberRef versionRef = info.get("version")) { int version = cfNumber(versionRef); - if (version >= 2) + if (version >= 2) { flags |= kAuthorityFlagWhitelistV2; + if (version >= 3) { + flags |= kAuthorityFlagWhitelistSHA256; + } + } } insert.reset(); insert.bind(":type") = cfString(info.get(CFSTR("type"))); @@ -368,9 +376,25 @@ void PolicyDatabase::installExplicitSet(const char *authfile, const char *sigfil // update version and commit addFeature("gke", authUUID.c_str(), "gke loaded"); loadAuth.commit(); + /* now that we have moved to a bundle for gke files, delete any old style files we find + This is really just a best effort cleanup, so we don't care about errors. */ + if (access(gkeAuthFile_old, F_OK) == 0) + { + if (unlink(gkeAuthFile_old) == 0) + { + Syslog::notice("Deleted old style gke file (%s)", gkeAuthFile_old); + } + } + if (access(gkeSigsFile_old, F_OK) == 0) + { + if (unlink(gkeSigsFile_old) == 0) + { + Syslog::notice("Deleted old style gke file (%s)", gkeSigsFile_old); + } + } } } catch (...) { - secdebug("gkupgrade", "exception during GKE upgrade"); + secinfo("gkupgrade", "exception during GKE upgrade"); } }