securityd-55199.3.tar.gz
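--- a/src/AuthorizationEngine.cpp
+++ b/src/AuthorizationEngine.cpp
@@ -164,16 +164,15 @@ Engine::authorize(const AuthItemSet &inRights, const AuthItemSet &environment,
 
         string processName = "unknown";
         string authCreatorName = "unknown";
-        if (SecCodeRef code = Server::process().currentGuest()) {
-            CFRef<CFURLRef> path;
-            if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
-                processName = cfString(path);
-        }
-        if (SecStaticCodeRef code = auth.creatorCode()) {
-            CFRef<CFURLRef> path;
-            if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
-                authCreatorName = cfString(path);
+               {
+                       StLock<Mutex> _(Server::process());
+               if (SecCodeRef code = Server::process().currentGuest()) {
+                   CFRef<CFURLRef> path;
+               if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
+                       processName = cfString(path);
+                       }
         }
+               authCreatorName = auth.creatorPath();
                
         if (sandbox_check(Server::process().pid(), "authorization-right-obtain", SANDBOX_FILTER_RIGHT_NAME, (*it)->name())) {
             Syslog::error("Sandbox denied authorizing right '%s' by client '%s' [%d]", (*it)->name(), processName.c_str(), Server::process().pid());
@@ -194,13 +193,13 @@ Engine::authorize(const AuthItemSet &inRights, const AuthItemSet &environment,
         if (result == errAuthorizationSuccess)
         {
             outRights.insert(*it);
-            Syslog::info("Succeeded authorizing right '%s' by client '%s' [%d] for authorization created by '%s' [%d]", (*it)->name(), processName.c_str(), Server::process().pid(), authCreatorName.c_str(), auth.creatorPid());
+            Syslog::info("Succeeded authorizing right '%s' by client '%s' [%d] for authorization created by '%s' [%d] (%X,%d)", (*it)->name(), processName.c_str(), Server::process().pid(), authCreatorName.c_str(), auth.creatorPid(), uint32_t(flags), auth.operatesAsLeastPrivileged());
         } 
         else if (result == errAuthorizationDenied || result == errAuthorizationInteractionNotAllowed) 
         {
             if (result == errAuthorizationDenied)
             {
-                 Syslog::notice("Failed to authorize right '%s' by client '%s' [%d] for authorization created by '%s' [%d]", (*it)->name(), processName.c_str(), Server::process().pid(), authCreatorName.c_str(), auth.creatorPid());
+                 secdebug("autheval", "Failed to authorize right '%s' by client '%s' [%d] for authorization created by '%s' [%d] (%X,%d)", (*it)->name(), processName.c_str(), Server::process().pid(), authCreatorName.c_str(), auth.creatorPid(), uint32_t(flags), auth.operatesAsLeastPrivileged());
             }
 
             // add creator pid to authorization token
@@ -222,6 +221,17 @@ Engine::authorize(const AuthItemSet &inRights, const AuthItemSet &environment,
             break;
                }
        }
+    
+    // purge all uid credentials from the outCredentials for least privileged mode
+    if (auth.operatesAsLeastPrivileged()) {
+        CredentialSet::const_iterator current, it = outCredentials->begin();
+        while(it != outCredentials->end()) {
+            current = it++;
+            if (!(*current)->isRight()) {
+                outCredentials->erase(current);
+            } 
+        }
+    }
 
        if (outCredentials)
                outCredentials->swap(credentials);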
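Review bot: The least-privilege purge added in the last hunk calls `outCredentials->begin()` before the `if (outCredentials)` null check that follows it, so a null `outCredentials` combined with a least-privileged authorization would be dereferenced; the guard should read `if (outCredentials && auth.operatesAsLeastPrivileged()) {`. The purge also runs on `*outCredentials` before `outCredentials->swap(credentials)`, so as far as these lines show it filters the set that is about to be replaced, and the contents of `credentials` would reach the caller unfiltered. If the intent is to strip non-right credentials from what is returned, the loop should run on `credentials` or be moved after the swap. The rest of Engine::authorize lies outside the hunk, so how `credentials` is populated needs confirming before the order is changed.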