X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/e3d460c9de4426da6c630c3ae3f46173a99f82d8..0d4552ce43ff8bf2e8666a9c5c44c3590eb117a8:/OSX/libsecurity_codesigning/lib/Code.cpp

diff --git a/OSX/libsecurity_codesigning/lib/Code.cpp b/OSX/libsecurity_codesigning/lib/Code.cpp
index 3194bf3d..712b2ff4 100644
--- a/OSX/libsecurity_codesigning/lib/Code.cpp
+++ b/OSX/libsecurity_codesigning/lib/Code.cpp
@@ -26,10 +26,10 @@
 //
 #include "Code.h"
 #include "StaticCode.h"
-#include <Security/SecCodeHost.h>
 #include "cskernel.h"
 #include <security_utilities/cfmunge.h>
 #include <security_utilities/debugging.h>
+#include "SecInternalReleasePriv.h"
 
 namespace Security {
 namespace CodeSigning {
@@ -206,13 +206,27 @@ void SecCode::checkValidity(SecCSFlags flags)
 
 	// check my static state
 	myDisk->validateNonResourceComponents();	// also validates the CodeDirectory
-	if (flags & kSecCSStrictValidate)
+	if (flags & kSecCSStrictValidate) {
 		myDisk->diskRep()->strictValidate(myDisk->codeDirectory(), DiskRep::ToleratedErrors(), flags);
+	} else if (flags & kSecCSStrictValidateStructure) {
+		myDisk->diskRep()->strictValidateStructure(myDisk->codeDirectory(), DiskRep::ToleratedErrors(), flags);
+	}
 
 	// check my own dynamic state
-	if (!(this->host()->getGuestStatus(this) & kSecCodeStatusValid))
-		MacOSError::throwMe(errSecCSGuestInvalid);
-	
+	SecCodeStatus dynamic_status = this->host()->getGuestStatus(this);
+	bool isValid = (dynamic_status & kSecCodeStatusValid) != 0;
+	if (!isValid) {
+		bool isDebugged = (dynamic_status & kSecCodeStatusDebugged) != 0;
+		bool isPlatform = (dynamic_status & kSecCodeStatusPlatform) != 0;
+		bool isInternal = SecIsInternalRelease();
+
+		if (!isDebugged || (isPlatform && !isInternal)) {
+			// fatal if the code is invalid and not being debugged, but
+			// never let platform code be debugged except on internal systems.
+			MacOSError::throwMe(errSecCSGuestInvalid);
+		}
+	}
+
 	// check that static and dynamic views are consistent
 	if (this->cdHash() && !CFEqual(this->cdHash(), myDisk->cdHash()))
 		MacOSError::throwMe(errSecCSStaticCodeChanged);
@@ -255,13 +269,14 @@ void SecCode::changeGuestStatus(SecCode *guest, SecCodeStatusOperation operation
 //
 SecCode *SecCode::autoLocateGuest(CFDictionaryRef attributes, SecCSFlags flags)
 {
+#if TARGET_OS_OSX
 	// special case: with no attributes at all, return the root of trust
 	if (CFDictionaryGetCount(attributes) == 0)
 		return KernelCode::active()->retain();
 	
-	// main logic: we need a pid, and we'll take a canonical guest id as an option
-	int pid = 0;
-	if (!cfscan(attributes, "{%O=%d}", kSecGuestAttributePid, &pid))
+	// main logic: we need a pid or audit trailer; everything else goes to the guests
+	if (CFDictionaryGetValue(attributes, kSecGuestAttributePid) == NULL
+		&& CFDictionaryGetValue(attributes, kSecGuestAttributeAudit) == NULL)
 		CSError::throwMe(errSecCSUnsupportedGuestAttributes, kSecCFErrorGuestAttributes, attributes);
 	if (SecCode *process =
 			KernelCode::active()->locateGuest(attributes)) {
@@ -271,6 +286,7 @@ SecCode *SecCode::autoLocateGuest(CFDictionaryRef attributes, SecCSFlags flags)
 			// might be a code host. Let's find out
 			CFRef<CFMutableDictionaryRef> rest = makeCFMutableDictionary(attributes);
 			CFDictionaryRemoveValue(rest, kSecGuestAttributePid);
+			CFDictionaryRemoveValue(rest, kSecGuestAttributeAudit);
 			if (SecCode *guest = code->locateGuest(rest))
 				return guest;
 		}
@@ -279,6 +295,7 @@ SecCode *SecCode::autoLocateGuest(CFDictionaryRef attributes, SecCSFlags flags)
 			return code.yield();
 		}
 	}
+#endif // TARGET_OS_OSX
 	MacOSError::throwMe(errSecCSNoSuchCode);
 }