X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/d64be36ead0ce792f249208635bc8db368d6cdd2..refs/heads/master:/OSX/libsecurity_codesigning/lib/StaticCode.cpp
diff --git a/OSX/libsecurity_codesigning/lib/StaticCode.cpp b/OSX/libsecurity_codesigning/lib/StaticCode.cpp
index 033ef507..85abf01a 100644
--- a/OSX/libsecurity_codesigning/lib/StaticCode.cpp
+++ b/OSX/libsecurity_codesigning/lib/StaticCode.cpp
@@ -1227,7 +1227,6 @@ void SecStaticCode::validateExecutable()
 MacOSError::throwMe(mExecutableValidResult);
 }
-
 //
 // Perform static validation of sealed resources and nested code.
 //
@@ -1257,11 +1256,14 @@ void SecStaticCode::validateResources(SecCSFlags flags)
 if (doit) {
 string root = cfStringRelease(copyCanonicalPath());
 bool itemIsOnRootFS = isOnRootFilesystem(root.c_str());
- bool requestForcedValidation = (mValidationFlags & kSecCSSkipRootVolumeExceptions);
- bool useRootFSPolicy = itemIsOnRootFS && !requestForcedValidation;
+ bool skipRootVolumeExceptions = (mValidationFlags & kSecCSSkipRootVolumeExceptions);
+ bool useRootFSPolicy = itemIsOnRootFS && !skipRootVolumeExceptions;
+
+ bool itemMightUseXattrFiles = pathFileSystemUsesXattrFiles(root.c_str());
+ bool skipXattrFiles = itemMightUseXattrFiles && (mValidationFlags & kSecCSSkipXattrFiles);
- secinfo("staticCode", "performing resource validation for %s (%d, %d, %d)", root.c_str(),
- itemIsOnRootFS, requestForcedValidation, useRootFSPolicy);
+ secinfo("staticCode", "performing resource validation for %s (%d, %d, %d, %d, %d)", root.c_str(),
+ itemIsOnRootFS, skipRootVolumeExceptions, useRootFSPolicy, itemMightUseXattrFiles, skipXattrFiles);
 if (mLimitedAsync == NULL) {
 bool runMultiThreaded = ((flags & kSecCSSingleThreaded) == kSecCSSingleThreaded) ? false :
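Review bot: `skipXattrFiles` is computed once from the filesystem of the bundle root, yet nothing at the two new declarations records that, or that the flag later exempts individual resources from validation. A comment above them would carry it, for example `// Opt-in only: kSecCSSkipXattrFiles is honoured solely when root's filesystem reports xattr files; decided for root, not per resource.` (the filesystem meaning is inferred from the helper's name). The `secinfo` call now prints five unlabelled `%d` values, which are hard to read back when triaging a validation result; naming them in the format string, e.g. `rootFS=%d skipRootExceptions=%d ...`, would help. The body of validateResources starts and ends outside the hunk, so whether a result obtained with the skip can be reused by a later call made without the flag cannot be judged from these lines.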
@@ -1313,6 +1315,11 @@ void SecStaticCode::validateResources(SecCSFlags flags)
 void (^validate)() = ^{
 bool needsValidation = true;
+ if (skipXattrFiles && pathIsValidXattrFile(cfString(resourceBase()) + "/" + relpath, "staticCode")) {
+ secinfo("staticCode", "resource validation on xattr file skipped: %s", relpath.c_str());
+ needsValidation = false;
+ }
+
 if (useRootFSPolicy) {
 CFRef itemURL = makeCFURL(relpath, false, resourceBase());
 string itemPath = cfString(itemURL);
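Review bot: With `needsValidation = false` a resource is accepted on the sole say of `pathIsValidXattrFile`, whose checks are not visible in this hunk, so what the seal still covers now depends on how strictly that helper examines the file. The new block should state what is being trusted, e.g. `// Not checked against the seal: accepted only because pathIsValidXattrFile vouches for this file.` The path is also built here by string concatenation, while the `useRootFSPolicy` branch directly below derives it with `makeCFURL(relpath, false, resourceBase())`; deriving `itemPath` once and passing it to both checks would keep the skip decision and the later checks on the identical path. The enclosing block and the later uses of `needsValidation` lie outside the hunk.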