X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/fa7225c82381bac4432a6edf16f53b5370238d85..7e6b461318c8a779d91381531435a68ee4e8b6ed:/OSX/libsecurity_codesigning/lib/piddiskrep.cpp?ds=sidebyside diff --git a/OSX/libsecurity_codesigning/lib/piddiskrep.cpp b/OSX/libsecurity_codesigning/lib/piddiskrep.cpp index 3b54434a..0aeeb81e 100644 --- a/OSX/libsecurity_codesigning/lib/piddiskrep.cpp +++ b/OSX/libsecurity_codesigning/lib/piddiskrep.cpp @@ -39,7 +39,7 @@ PidDiskRep::setCredentials(const Security::CodeSigning::CodeDirectory *cd) { // save the Info.plist slot if (cd->slotIsPresent(cdInfoSlot)) { - mInfoPlistHash.take(makeCFData((*cd)[cdInfoSlot], cd->hashSize)); + mInfoPlistHash.take(makeCFData(cd->getSlot(cdInfoSlot, false), cd->hashSize)); } } @@ -58,8 +58,12 @@ PidDiskRep::fetchData(void) assert(request != NULL); xpc_dictionary_set_string(request, "command", "fetchData"); xpc_dictionary_set_int64(request, "pid", mPid); + + if (mAudit) { + xpc_dictionary_set_data(request, "audit", mAudit.get(), sizeof(audit_token_t)); + } xpc_dictionary_set_data(request, "infohash", CFDataGetBytePtr(mInfoPlistHash), CFDataGetLength(mInfoPlistHash)); - + xpc_object_t reply = xpc_connection_send_message_with_reply_sync(conn, request); if (reply && xpc_get_type(reply) == XPC_TYPE_DICTIONARY) { const void *data; @@ -89,20 +93,30 @@ PidDiskRep::fetchData(void) } -PidDiskRep::PidDiskRep(pid_t pid, CFDataRef infoPlist) +PidDiskRep::PidDiskRep(pid_t pid, audit_token_t *audit, CFDataRef infoPlist) : mDataFetched(false) { BlobCore header; - CODESIGN_DISKREP_CREATE_KERNEL(this); - + mPid = pid; mInfoPlist = infoPlist; - -// fetchData(); - int rcent = ::csops(pid, CS_OPS_BLOB, &header, sizeof(header)); + if (audit != NULL) { + mAudit.reset(new audit_token_t); + memcpy(mAudit.get(), audit, sizeof(audit_token_t)); + } + + // fetchData(); + + int rcent = EINVAL; + + if (audit != NULL) { + rcent = ::csops_audittoken(pid, CS_OPS_BLOB, &header, sizeof(header), mAudit.get()); + } else { + rcent = ::csops(pid, CS_OPS_BLOB, &header, sizeof(header)); + } if (rcent == 0) - MacOSError::throwMe(errSecCSNoSuchCode); + MacOSError::throwMe(errSecCSNoSuchCode); if (errno != ERANGE) UnixError::throwMe(errno); @@ -112,8 +126,12 @@ PidDiskRep::PidDiskRep(pid_t pid, CFDataRef infoPlist) uint32_t bufferLen = (uint32_t)header.length(); mBuffer = new uint8_t [bufferLen]; - - UnixError::check(::csops(pid, CS_OPS_BLOB, mBuffer, bufferLen)); + + if (audit != NULL) { + UnixError::check(::csops_audittoken(pid, CS_OPS_BLOB, mBuffer, bufferLen, mAudit.get())); + } else { + UnixError::check(::csops(pid, CS_OPS_BLOB, mBuffer, bufferLen)); + } const EmbeddedSignatureBlob *b = (const EmbeddedSignatureBlob *)mBuffer; if (!b->validateBlob(bufferLen)) @@ -167,6 +185,11 @@ size_t PidDiskRep::signingLimit() return 0; } +size_t PidDiskRep::execSegLimit(const Architecture *) +{ + return 0; +} + string PidDiskRep::format() { return "pid diskrep"; @@ -180,12 +203,31 @@ UnixPlusPlus::FileDesc &PidDiskRep::fd() string PidDiskRep::mainExecutablePath() { char path[MAXPATHLEN * 2]; + // This is unsafe by pid only, but so is using that path in general. if(::proc_pidpath(mPid, path, sizeof(path)) == 0) UnixError::throwMe(errno); return path; } - + +bool PidDiskRep::appleInternalForcePlatform() const +{ + uint32_t flags = 0; + int rcent = EINVAL; + + if (mAudit != NULL) { + rcent = ::csops_audittoken(mPid, CS_OPS_STATUS, &flags, sizeof(flags), + mAudit.get()); + } else { + rcent = ::csops(mPid, CS_OPS_STATUS, &flags, sizeof(flags)); + } + + if (rcent != 0) { + MacOSError::throwMe(errSecCSNoSuchCode); + } + + return (flags & CS_PLATFORM_BINARY) == CS_PLATFORM_BINARY; +} } // end namespace CodeSigning } // end namespace Security