X-Git-Url: https://git.saurik.com/apple/securityd.git/blobdiff_plain/73f561dd7d3848f043bdf7efcefdff031c234410..4cd1cad0dea00daa03e1b54fdf2797a02373ad5b:/src/transition.cpp
diff --git a/src/transition.cpp b/src/transition.cpp
index 09a01b8..49e31f0 100644
--- a/src/transition.cpp
+++ b/src/transition.cpp
@@ -45,7 +45,9 @@
 #include
 #include
 #include
+#include
+#include
 #include
 #include
@@ -72,7 +74,7 @@
 #define BEGIN_IPCS try {
 #define END_IPCS(more) } catch (...) { } \
- mach_port_deallocate(mach_task_self(), serverPort); more; return KERN_SUCCESS;
+ mach_port_deallocate(mach_task_self(), servicePort); more; return KERN_SUCCESS;
 #define DATA_IN(base) void *base, mach_msg_type_number_t base##Length
 #define DATA_OUT(base) void **base, mach_msg_type_number_t *base##Length
@@ -223,45 +225,20 @@ kern_return_t ucsp_server_setup(UCSP_ARGS, mach_port_t taskPort, ClientSetupInfo
 {
 BEGIN_IPCN
 SECURITYD_REQUEST_ENTRY((char*)"setup", NULL, NULL);
- Server::active().setupConnection(Server::connectNewProcess, servicePort, replyPort,
- taskPort, auditToken, &info, identity);
+ Server::active().setupConnection(Server::connectNewProcess, replyPort,
+ taskPort, auditToken, &info);
 END_IPCN(CSSM)
 if (*rcode)
 Syslog::notice("setup(%s) failed rcode=%d", identity ? identity : "", *rcode);
 return KERN_SUCCESS;
 }
-kern_return_t ucsp_server_setupNew(UCSP_ARGS, mach_port_t taskPort,
- ClientSetupInfo info, const char *identity,
- mach_port_t *newServicePort)
-{
- BEGIN_IPCN
- SECURITYD_REQUEST_ENTRY((char*)"setupNew", NULL, NULL);
- try {
- RefPointer session = new DynamicSession(taskPort);
- Server::active().setupConnection(Server::connectNewSession, session->servicePort(), replyPort,
- taskPort, auditToken, &info, identity);
- *newServicePort = session->servicePort();
- } catch (const MachPlusPlus::Error &err) {
- switch (err.error) {
- case BOOTSTRAP_SERVICE_ACTIVE:
- MacOSError::throwMe(errSessionAuthorizationDenied); // translate
- default:
- throw;
- }
- }
- END_IPCN(CSSM)
- if (*rcode)
- Syslog::notice("setupNew(%s) failed rcode=%d", identity ? identity : "", *rcode);
- return KERN_SUCCESS;
-}
 kern_return_t ucsp_server_setupThread(UCSP_ARGS, mach_port_t taskPort)
 {
 SECURITYD_REQUEST_ENTRY((char*)"setupThread", NULL, NULL);
 BEGIN_IPCN
- Server::active().setupConnection(Server::connectNewThread, servicePort, replyPort,
- taskPort, auditToken);
+ Server::active().setupConnection(Server::connectNewThread, replyPort, taskPort, auditToken);
 END_IPCN(CSSM)
 if (*rcode)
 Syslog::notice("setupThread failed rcode=%d", *rcode);
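Review bot: After the rewritten call on the `+` lines of ucsp_server_setup, `identity` is read only by the failure log two lines further down (`identity ? identity : ""`), so the client-supplied label no longer influences the connection that is set up; a reader of the interface could still assume it is checked. If the parameter stays in the MIG interface for compatibility, a comment on the call such as `// identity is no longer passed to setupConnection; it is only echoed in the failure log below` would make that explicit. The same drop of `servicePort` is applied to ucsp_server_setupThread at the end of the hunk, whose body continues past it. ucsp_server_setup's signature line lies outside the hunk (only the start is visible in the hunk header).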
@@ -675,13 +652,63 @@ kern_return_t ucsp_server_unlockDb(UCSP_ARGS, DbHandle db)
 END_IPC(DL)
 }
+static void check_stash_entitlement(Process & proc)
+{
+ OSStatus status = noErr;
+ CFDictionaryRef code_info = NULL;
+ CFDictionaryRef entitlements = NULL;
+ CFTypeRef value = NULL;
+ bool entitled = false;
+
+ status = SecCodeCopySigningInformation(proc.processCode(), kSecCSRequirementInformation, &code_info);
+ require_noerr(status, done);
+
+ if (CFDictionaryGetValueIfPresent(code_info, kSecCodeInfoEntitlementsDict, &value)) {
+ if (CFGetTypeID(value) == CFDictionaryGetTypeID()) {
+ entitlements = (CFDictionaryRef)value;
+ }
+ }
+ require(entitlements != NULL, done);
+
+ if (CFDictionaryGetValueIfPresent(entitlements, CFSTR("com.apple.private.securityd.stash"), &value)) {
+ if (CFGetTypeID(value) && CFBooleanGetTypeID()) {
+ entitled = CFBooleanGetValue((CFBooleanRef)value);
+ }
+ }
+
+done:
+ if (code_info) {
+ CFRelease(code_info);
+ }
+
+ if (!entitled) {
+ CssmError::throwMe(CSSM_ERRCODE_OS_ACCESS_DENIED);
+ }
+}
+
 kern_return_t ucsp_server_unlockDbWithPassphrase(UCSP_ARGS, DbHandle db, DATA_IN(passphrase))
 {
 BEGIN_IPC(unlockDbWithPassphrase)
- Server::keychain(db)->unlockDb(DATA(passphrase));
+ Server::keychain(db)->unlockDb(DATA(passphrase));
 END_IPC(DL)
 }
+kern_return_t ucsp_server_stashDb(UCSP_ARGS, DbHandle db)
+{
+ BEGIN_IPC(stashDb)
+ check_stash_entitlement(connection.process());
+ Server::keychain(db)->stashDb();
+ END_IPC(DL)
+}
+
+kern_return_t ucsp_server_stashDbCheck(UCSP_ARGS, DbHandle db)
+{
+ BEGIN_IPC(stashDbCheck)
+ check_stash_entitlement(connection.process());
+ Server::keychain(db)->stashDbCheck();
+ END_IPC(DL)
+}
+
 kern_return_t ucsp_server_isLocked(UCSP_ARGS, DbHandle db, boolean_t *locked)
 {
 BEGIN_IPC(isLocked)
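Review bot: In `check_stash_entitlement`, the type test on the entitlement value is `if (CFGetTypeID(value) && CFBooleanGetTypeID())`, a logical AND of two non-zero type IDs that is always true, so whatever is stored under `com.apple.private.securityd.stash` (a string, a number, a dictionary) is cast to `CFBooleanRef` and handed to `CFBooleanGetValue`; the check should read `if (CFGetTypeID(value) == CFBooleanGetTypeID()) {`. The lookup of `kSecCodeInfoEntitlementsDict` a few lines above does compare with `==`, which marks the `&&` as a typo rather than a choice. Since this helper is the only gate in front of `stashDb()` and `stashDbCheck()` further down the hunk, it also deserves a header line such as `// Throws CSSM_ERRCODE_OS_ACCESS_DENIED unless the calling process's code signature carries com.apple.private.securityd.stash set to true; guards stashDb/stashDbCheck.`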
@@ -689,6 +716,26 @@ kern_return_t ucsp_server_isLocked(UCSP_ARGS, DbHandle db, boolean_t *locked)
 END_IPC(DL)
 }
+kern_return_t ucsp_server_verifyKeyStorePassphrase(UCSP_ARGS, uint32_t retries)
+{
+ BEGIN_IPC(verifyKeyStorePassphrase)
+ connection.process().session().verifyKeyStorePassphrase(retries);
+ END_IPC(DL)
+}
+
+kern_return_t ucsp_server_changeKeyStorePassphrase(UCSP_ARGS)
+{
+ BEGIN_IPC(verifyKeyStorePassphrase)
+ connection.process().session().changeKeyStorePassphrase();
+ END_IPC(DL)
+}
+
+kern_return_t ucsp_server_resetKeyStorePassphrase(UCSP_ARGS, DATA_IN(passphrase))
+{
+ BEGIN_IPC(verifyKeyStorePassphrase)
+ connection.process().session().resetKeyStorePassphrase(DATA(passphrase));
+ END_IPC(DL)
+}
 //
 // Key management
@@ -1348,40 +1395,6 @@ kern_return_t ucsp_server_authorizationInternalize(UCSP_ARGS,
 //
 // Session management subsystem
 //
-kern_return_t ucsp_server_getSessionInfo(UCSP_ARGS,
- SecuritySessionId *sessionId, SessionAttributeBits *attrs)
-{
- BEGIN_IPC(getSessionInfo)
- Session &session = Session::find(*sessionId);
- *sessionId = session.handle();
- *attrs = session.attributes();
- END_IPC(CSSM)
-}
-
-kern_return_t ucsp_server_setupSession(UCSP_ARGS,
- SessionCreationFlags flags, SessionAttributeBits attrs)
-{
- BEGIN_IPC(setupSession)
- Server::process().session().setupAttributes(flags, attrs);
- END_IPC(CSSM)
-}
-
-kern_return_t ucsp_server_setSessionDistinguishedUid(UCSP_ARGS,
- SecuritySessionId sessionId, uid_t user)
-{
- BEGIN_IPC(setSessionDistinguishedUid)
- Session::find(sessionId).originatorUid(user);
- END_IPC(CSSM)
-}
-
-kern_return_t ucsp_server_getSessionDistinguishedUid(UCSP_ARGS,
- SecuritySessionId sessionId, uid_t *user)
-{
- BEGIN_IPC(getSessionDistinguishedUid)
- *user = Session::find(sessionId).originatorUid();
- END_IPC(CSSM)
-}
-
 kern_return_t ucsp_server_setSessionUserPrefs(UCSP_ARGS, SecuritySessionId sessionId, DATA_IN(userPrefs))
 {
 BEGIN_IPC(setSessionuserPrefs)
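Review bot: `ucsp_server_changeKeyStorePassphrase` and `ucsp_server_resetKeyStorePassphrase` both open with `BEGIN_IPC(verifyKeyStorePassphrase)`, copied from the function above them, while every other entry point in this file passes its own name. BEGIN_IPC's definition is not in this diff, but if its argument names the request for tracing or logging, passphrase changes and resets will be recorded as verifications, which gives anyone auditing key-store activity the wrong picture. Change the two lines to `BEGIN_IPC(changeKeyStorePassphrase)` and `BEGIN_IPC(resetKeyStorePassphrase)`. The second hunk on this line only deletes the four session-management entry points and needs nothing further.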
@@ -1400,7 +1413,6 @@ kern_return_t ucsp_server_setSessionUserPrefs(UCSP_ARGS, SecuritySessionId sessi
 }
-
 //
 // Notification core subsystem
 //