#include <securityd_client/xdr_auth.h>
#include <securityd_client/xdr_dldb.h>
#include <security_utilities/logging.h>
+#include <AssertMacros.h>
+#include <CoreFoundation/CFNumber.h>
#include <CoreFoundation/CFDictionary.h>
#include <CoreFoundation/CFPropertyList.h>
#define BEGIN_IPCS try {
#define END_IPCS(more) } catch (...) { } \
- mach_port_deallocate(mach_task_self(), serverPort); more; return KERN_SUCCESS;
+ mach_port_deallocate(mach_task_self(), servicePort); more; return KERN_SUCCESS;
#define DATA_IN(base) void *base, mach_msg_type_number_t base##Length
#define DATA_OUT(base) void **base, mach_msg_type_number_t *base##Length
{
BEGIN_IPCN
SECURITYD_REQUEST_ENTRY((char*)"setup", NULL, NULL);
- Server::active().setupConnection(Server::connectNewProcess, servicePort, replyPort,
- taskPort, auditToken, &info, identity);
+ Server::active().setupConnection(Server::connectNewProcess, replyPort,
+ taskPort, auditToken, &info);
END_IPCN(CSSM)
if (*rcode)
Syslog::notice("setup(%s) failed rcode=%d", identity ? identity : "<NULL>", *rcode);
return KERN_SUCCESS;
}
-kern_return_t ucsp_server_setupNew(UCSP_ARGS, mach_port_t taskPort,
- ClientSetupInfo info, const char *identity,
- mach_port_t *newServicePort)
-{
- BEGIN_IPCN
- SECURITYD_REQUEST_ENTRY((char*)"setupNew", NULL, NULL);
- try {
- RefPointer<Session> session = new DynamicSession(taskPort);
- Server::active().setupConnection(Server::connectNewSession, session->servicePort(), replyPort,
- taskPort, auditToken, &info, identity);
- *newServicePort = session->servicePort();
- } catch (const MachPlusPlus::Error &err) {
- switch (err.error) {
- case BOOTSTRAP_SERVICE_ACTIVE:
- MacOSError::throwMe(errSessionAuthorizationDenied); // translate
- default:
- throw;
- }
- }
- END_IPCN(CSSM)
- if (*rcode)
- Syslog::notice("setupNew(%s) failed rcode=%d", identity ? identity : "<NULL>", *rcode);
- return KERN_SUCCESS;
-}
kern_return_t ucsp_server_setupThread(UCSP_ARGS, mach_port_t taskPort)
{
SECURITYD_REQUEST_ENTRY((char*)"setupThread", NULL, NULL);
BEGIN_IPCN
- Server::active().setupConnection(Server::connectNewThread, servicePort, replyPort,
- taskPort, auditToken);
+ Server::active().setupConnection(Server::connectNewThread, replyPort, taskPort, auditToken);
END_IPCN(CSSM)
if (*rcode)
Syslog::notice("setupThread failed rcode=%d", *rcode);
END_IPC(DL)
}
+static void check_stash_entitlement(Process & proc)
+{
+ OSStatus status = noErr;
+ CFDictionaryRef code_info = NULL;
+ CFDictionaryRef entitlements = NULL;
+ CFTypeRef value = NULL;
+ bool entitled = false;
+
+ status = SecCodeCopySigningInformation(proc.processCode(), kSecCSRequirementInformation, &code_info);
+ require_noerr(status, done);
+
+ if (CFDictionaryGetValueIfPresent(code_info, kSecCodeInfoEntitlementsDict, &value)) {
+ if (CFGetTypeID(value) == CFDictionaryGetTypeID()) {
+ entitlements = (CFDictionaryRef)value;
+ }
+ }
+ require(entitlements != NULL, done);
+
+ if (CFDictionaryGetValueIfPresent(entitlements, CFSTR("com.apple.private.securityd.stash"), &value)) {
+ if (CFGetTypeID(value) && CFBooleanGetTypeID()) {
+ entitled = CFBooleanGetValue((CFBooleanRef)value);
+ }
+ }
+
+done:
+ if (code_info) {
+ CFRelease(code_info);
+ }
+
+ if (!entitled) {
+ CssmError::throwMe(CSSM_ERRCODE_OS_ACCESS_DENIED);
+ }
+}
+
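Review bot: The type check on the entitlement value in check_stash_entitlement uses `&&` where `==` is intended: `CFGetTypeID(value) && CFBooleanGetTypeID()` is true for every CF type, so a non-boolean entitlement value (a string or number, say) reaches `CFBooleanGetValue` and is read as a CFBoolean. The line should be `if (CFGetTypeID(value) == CFBooleanGetTypeID()) {`, which also gives the safe outcome for a mistyped value — `entitled` stays false and the handler throws CSSM_ERRCODE_OS_ACCESS_DENIED. The earlier check on the entitlements dictionary a few lines above uses `==` correctly, so this looks like a typo rather than a deliberate choice. A one-line comment above the lookup, `// Only a CFBoolean true grants access; any other type or absence denies.`, would make the intended fail-closed behavior explicit for the next reader.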
kern_return_t ucsp_server_unlockDbWithPassphrase(UCSP_ARGS, DbHandle db, DATA_IN(passphrase))
{
BEGIN_IPC(unlockDbWithPassphrase)
- Server::keychain(db)->unlockDb(DATA(passphrase));
+ Server::keychain(db)->unlockDb(DATA(passphrase));
END_IPC(DL)
}
+kern_return_t ucsp_server_stashDb(UCSP_ARGS, DbHandle db)
+{
+ BEGIN_IPC(stashDb)
+ check_stash_entitlement(connection.process());
+ Server::keychain(db)->stashDb();
+ END_IPC(DL)
+}
+
+kern_return_t ucsp_server_stashDbCheck(UCSP_ARGS, DbHandle db)
+{
+ BEGIN_IPC(stashDbCheck)
+ check_stash_entitlement(connection.process());
+ Server::keychain(db)->stashDbCheck();
+ END_IPC(DL)
+}
+
kern_return_t ucsp_server_isLocked(UCSP_ARGS, DbHandle db, boolean_t *locked)
{
BEGIN_IPC(isLocked)
END_IPC(DL)
}
+kern_return_t ucsp_server_verifyKeyStorePassphrase(UCSP_ARGS, uint32_t retries)
+{
+ BEGIN_IPC(verifyKeyStorePassphrase)
+ connection.process().session().verifyKeyStorePassphrase(retries);
+ END_IPC(DL)
+}
+
+kern_return_t ucsp_server_changeKeyStorePassphrase(UCSP_ARGS)
+{
+ BEGIN_IPC(verifyKeyStorePassphrase)
+ connection.process().session().changeKeyStorePassphrase();
+ END_IPC(DL)
+}
+
+kern_return_t ucsp_server_resetKeyStorePassphrase(UCSP_ARGS, DATA_IN(passphrase))
+{
+ BEGIN_IPC(verifyKeyStorePassphrase)
+ connection.process().session().resetKeyStorePassphrase(DATA(passphrase));
+ END_IPC(DL)
+}
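Review bot: ucsp_server_changeKeyStorePassphrase and ucsp_server_resetKeyStorePassphrase both open with `BEGIN_IPC(verifyKeyStorePassphrase)`, copied from the handler above them. BEGIN_IPC's definition is not in this hunk, but if its argument names the request for tracing or logging (as the SECURITYD_REQUEST_ENTRY strings in the setup handlers do), these two passphrase operations will be recorded under the wrong name, which matters for anyone auditing key-store passphrase changes from the logs. The fix is `BEGIN_IPC(changeKeyStorePassphrase)` and `BEGIN_IPC(resetKeyStorePassphrase)` respectively.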
//
// Key management
//
// Session management subsystem
//
-kern_return_t ucsp_server_getSessionInfo(UCSP_ARGS,
- SecuritySessionId *sessionId, SessionAttributeBits *attrs)
-{
- BEGIN_IPC(getSessionInfo)
- Session &session = Session::find(*sessionId);
- *sessionId = session.handle();
- *attrs = session.attributes();
- END_IPC(CSSM)
-}
-
-kern_return_t ucsp_server_setupSession(UCSP_ARGS,
- SessionCreationFlags flags, SessionAttributeBits attrs)
-{
- BEGIN_IPC(setupSession)
- Server::process().session().setupAttributes(flags, attrs);
- END_IPC(CSSM)
-}
-
-kern_return_t ucsp_server_setSessionDistinguishedUid(UCSP_ARGS,
- SecuritySessionId sessionId, uid_t user)
-{
- BEGIN_IPC(setSessionDistinguishedUid)
- Session::find<DynamicSession>(sessionId).originatorUid(user);
- END_IPC(CSSM)
-}
-
-kern_return_t ucsp_server_getSessionDistinguishedUid(UCSP_ARGS,
- SecuritySessionId sessionId, uid_t *user)
-{
- BEGIN_IPC(getSessionDistinguishedUid)
- *user = Session::find(sessionId).originatorUid();
- END_IPC(CSSM)
-}
-
kern_return_t ucsp_server_setSessionUserPrefs(UCSP_ARGS, SecuritySessionId sessionId, DATA_IN(userPrefs))
{
BEGIN_IPC(setSessionuserPrefs)
}
-
//
// Notification core subsystem
//