[apple/securityd.git] / src / transition.cpp
index f97237b9f56df50cada0c774c8787ef9af9d4cb4..49e31f0725c2b14d707ed786b7f184a3bbbcb147 100644 (file)
@@ -45,7 +45,9 @@
 #include <securityd_client/xdr_auth.h>
 #include <securityd_client/xdr_dldb.h>
 #include <security_utilities/logging.h>
+#include <AssertMacros.h>
 
+#include <CoreFoundation/CFNumber.h>
 #include <CoreFoundation/CFDictionary.h>
 #include <CoreFoundation/CFPropertyList.h>
 
@@ -72,7 +74,7 @@
 
 #define BEGIN_IPCS             try {
 #define        END_IPCS(more)  } catch (...) { } \
-                                               mach_port_deallocate(mach_task_self(), serverPort); more; return KERN_SUCCESS;
+                                               mach_port_deallocate(mach_task_self(), servicePort); more; return KERN_SUCCESS;
 
 #define DATA_IN(base)  void *base, mach_msg_type_number_t base##Length
 #define DATA_OUT(base) void **base, mach_msg_type_number_t *base##Length
@@ -223,45 +225,20 @@ kern_return_t ucsp_server_setup(UCSP_ARGS, mach_port_t taskPort, ClientSetupInfo
 {
        BEGIN_IPCN
        SECURITYD_REQUEST_ENTRY((char*)"setup", NULL, NULL);
-       Server::active().setupConnection(Server::connectNewProcess, servicePort, replyPort,
-               taskPort, auditToken, &info, identity);
+       Server::active().setupConnection(Server::connectNewProcess, replyPort,
+               taskPort, auditToken, &info);
        END_IPCN(CSSM)
        if (*rcode)
                Syslog::notice("setup(%s) failed rcode=%d", identity ? identity : "<NULL>", *rcode);
        return KERN_SUCCESS;
 }
 
-kern_return_t ucsp_server_setupNew(UCSP_ARGS, mach_port_t taskPort,
-       ClientSetupInfo info, const char *identity,
-       mach_port_t *newServicePort)
-{
-       BEGIN_IPCN
-       SECURITYD_REQUEST_ENTRY((char*)"setupNew", NULL, NULL);
-       try {
-               RefPointer<Session> session = new DynamicSession(taskPort);
-               Server::active().setupConnection(Server::connectNewSession, session->servicePort(), replyPort,
-                       taskPort, auditToken, &info, identity);
-               *newServicePort = session->servicePort();
-       } catch (const MachPlusPlus::Error &err) {
-               switch (err.error) {
-               case BOOTSTRAP_SERVICE_ACTIVE:
-                       MacOSError::throwMe(errSessionAuthorizationDenied);     // translate
-               default:
-                       throw;
-               }
-       }
-       END_IPCN(CSSM)
-       if (*rcode)
-               Syslog::notice("setupNew(%s) failed rcode=%d", identity ? identity : "<NULL>", *rcode);
-       return KERN_SUCCESS;
-}
 
 kern_return_t ucsp_server_setupThread(UCSP_ARGS, mach_port_t taskPort)
 {
        SECURITYD_REQUEST_ENTRY((char*)"setupThread", NULL, NULL);
        BEGIN_IPCN
-       Server::active().setupConnection(Server::connectNewThread, servicePort, replyPort,
-               taskPort, auditToken);
+       Server::active().setupConnection(Server::connectNewThread, replyPort, taskPort, auditToken);
        END_IPCN(CSSM)
        if (*rcode)
                Syslog::notice("setupThread failed rcode=%d", *rcode);
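Review bot: `identity` is no longer forwarded to setupConnection in ucsp_server_setup (the new call drops both servicePort and identity), yet it stays in the handler's signature and in the `Syslog::notice` on failure, so the client-supplied string is now only echoed into the log. If the server no longer consumes it, a comment such as `// identity is informational only: logged on failure, never trusted or stored` above the call would make that explicit for the next reader. The removal of ucsp_server_setupNew and its BOOTSTRAP_SERVICE_ACTIVE translation is presumably matched by a .defs change that is not in this diff.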
@@ -287,6 +264,16 @@ kern_return_t ucsp_server_verifyPrivileged(UCSP_ARGS)
        return KERN_SUCCESS;
 }
 
+kern_return_t ucsp_server_verifyPrivileged2(UCSP_ARGS, mach_port_t *originPort)
+{
+       BEGIN_IPCN
+       SECURITYD_REQUEST_ENTRY((char*)"verifyPrivileged2", NULL, NULL);
+       // send the port back to the sender to check for a MitM (6986198)
+       *originPort = servicePort;
+       END_IPCN(CSSM)
+       return KERN_SUCCESS;
+}
+
 //
 // Common database operations
 //
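Review bot: ucsp_server_verifyPrivileged2 documents its contract only with a short comment and a bug number, so what the caller is expected to do with originPort has to be inferred. A header comment along the lines of `// Returns the service port this request arrived on so the caller can compare it with the port it sent to; a mismatch presumably indicates the request was relayed (6986198).` would state the check explicitly. Whether the MIG layer copies or moves a port right for the out-parameter depends on the .defs, which is not in this diff.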
@@ -665,13 +652,63 @@ kern_return_t ucsp_server_unlockDb(UCSP_ARGS, DbHandle db)
        END_IPC(DL)
 }
 
+static void check_stash_entitlement(Process & proc)
+{
+    OSStatus status = noErr;
+    CFDictionaryRef code_info = NULL;
+    CFDictionaryRef entitlements = NULL;
+    CFTypeRef value = NULL;
+    bool entitled = false;
+    
+    status = SecCodeCopySigningInformation(proc.processCode(), kSecCSRequirementInformation, &code_info);
+    require_noerr(status, done);
+    
+    if (CFDictionaryGetValueIfPresent(code_info, kSecCodeInfoEntitlementsDict, &value)) {
+        if (CFGetTypeID(value) == CFDictionaryGetTypeID()) {
+            entitlements = (CFDictionaryRef)value;
+        }
+    }
+    require(entitlements != NULL, done);
+    
+    if (CFDictionaryGetValueIfPresent(entitlements, CFSTR("com.apple.private.securityd.stash"), &value)) {
+        if (CFGetTypeID(value) && CFBooleanGetTypeID()) {
+            entitled = CFBooleanGetValue((CFBooleanRef)value);
+        }
+    }
+    
+done:
+    if (code_info) {
+        CFRelease(code_info);
+    }
+    
+    if (!entitled) {
+        CssmError::throwMe(CSSM_ERRCODE_OS_ACCESS_DENIED);
+    }
+}
+
 kern_return_t ucsp_server_unlockDbWithPassphrase(UCSP_ARGS, DbHandle db, DATA_IN(passphrase))
 {
        BEGIN_IPC(unlockDbWithPassphrase)
-       Server::keychain(db)->unlockDb(DATA(passphrase));
+    Server::keychain(db)->unlockDb(DATA(passphrase));
        END_IPC(DL)
 }
 
+kern_return_t ucsp_server_stashDb(UCSP_ARGS, DbHandle db)
+{
+    BEGIN_IPC(stashDb)
+    check_stash_entitlement(connection.process());
+    Server::keychain(db)->stashDb();
+    END_IPC(DL)
+}
+
+kern_return_t ucsp_server_stashDbCheck(UCSP_ARGS, DbHandle db)
+{
+    BEGIN_IPC(stashDbCheck)
+    check_stash_entitlement(connection.process());
+    Server::keychain(db)->stashDbCheck();
+    END_IPC(DL)
+}
+
 kern_return_t ucsp_server_isLocked(UCSP_ARGS, DbHandle db, boolean_t *locked)
 {
     BEGIN_IPC(isLocked)
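Review bot: The entitlement type check `if (CFGetTypeID(value) && CFBooleanGetTypeID())` in check_stash_entitlement uses `&&` where `==` is needed; both type IDs are non-zero, so the condition is always true and any value stored under the stash entitlement key (a string, number or array) is cast to CFBooleanRef and handed to CFBooleanGetValue, which is a type confusion on data supplied by the calling process's signer rather than a rejection. Change it to `if (CFGetTypeID(value) == CFBooleanGetTypeID()) {`. `value` is also reused between the two lookups, so after a failed second lookup it still holds the entitlements dictionary; a separate local would make the intent clearer, and `status` is never read after `require_noerr`, so it could be folded into that macro call. The body of ucsp_server_isLocked continues outside the hunk.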
@@ -679,6 +716,26 @@ kern_return_t ucsp_server_isLocked(UCSP_ARGS, DbHandle db, boolean_t *locked)
     END_IPC(DL)
 }
 
+kern_return_t ucsp_server_verifyKeyStorePassphrase(UCSP_ARGS, uint32_t retries)
+{
+    BEGIN_IPC(verifyKeyStorePassphrase)
+    connection.process().session().verifyKeyStorePassphrase(retries);
+    END_IPC(DL)
+}
+
+kern_return_t ucsp_server_changeKeyStorePassphrase(UCSP_ARGS)
+{
+    BEGIN_IPC(verifyKeyStorePassphrase)
+    connection.process().session().changeKeyStorePassphrase();
+    END_IPC(DL)
+}
+
+kern_return_t ucsp_server_resetKeyStorePassphrase(UCSP_ARGS, DATA_IN(passphrase))
+{
+    BEGIN_IPC(verifyKeyStorePassphrase)
+    connection.process().session().resetKeyStorePassphrase(DATA(passphrase));
+    END_IPC(DL)
+}
 
 //
 // Key management
@@ -1338,40 +1395,6 @@ kern_return_t ucsp_server_authorizationInternalize(UCSP_ARGS,
 //
 // Session management subsystem
 //
-kern_return_t ucsp_server_getSessionInfo(UCSP_ARGS,
-    SecuritySessionId *sessionId, SessionAttributeBits *attrs)
-{
-       BEGIN_IPC(getSessionInfo)
-       Session &session = Session::find(*sessionId);
-       *sessionId = session.handle();
-       *attrs = session.attributes();
-       END_IPC(CSSM)
-}
-
-kern_return_t ucsp_server_setupSession(UCSP_ARGS,
-    SessionCreationFlags flags, SessionAttributeBits attrs)
-{
-       BEGIN_IPC(setupSession)
-       Server::process().session().setupAttributes(flags, attrs);
-       END_IPC(CSSM)
-}
-
-kern_return_t ucsp_server_setSessionDistinguishedUid(UCSP_ARGS,
-       SecuritySessionId sessionId, uid_t user)
-{
-       BEGIN_IPC(setSessionDistinguishedUid)
-       Session::find<DynamicSession>(sessionId).originatorUid(user);
-       END_IPC(CSSM)
-}
-
-kern_return_t ucsp_server_getSessionDistinguishedUid(UCSP_ARGS,
-       SecuritySessionId sessionId, uid_t *user)
-{
-       BEGIN_IPC(getSessionDistinguishedUid)
-       *user = Session::find(sessionId).originatorUid();
-       END_IPC(CSSM)
-}
-
 kern_return_t ucsp_server_setSessionUserPrefs(UCSP_ARGS, SecuritySessionId sessionId, DATA_IN(userPrefs))
 {
        BEGIN_IPC(setSessionuserPrefs)
@@ -1390,7 +1413,6 @@ kern_return_t ucsp_server_setSessionUserPrefs(UCSP_ARGS, SecuritySessionId sessi
 }
 
 
-
 //
 // Notification core subsystem
 //