securityd-25481.tar.gz v25481
authorApple <opensource@apple.com>
Tue, 4 Oct 2005 18:02:03 +0000 (18:02 +0000)
committerApple <opensource@apple.com>
Tue, 4 Oct 2005 18:02:03 +0000 (18:02 +0000)
etc/authorization.plist
securityd.xcode/project.pbxproj
src/AuthorizationDBPlist.cpp
src/acls.cpp
src/agentquery.cpp
src/kcdatabase.cpp
src/main.cpp
src/pcscmonitor.cpp
src/pcscmonitor.h
src/tokenacl.cpp

index 1b1efc130bff25d6c85d11d1bb36d029b74a5fba..0dc7382e8ea665a2a53d947b6d3b5309d6c6b7fb 100644 (file)
@@ -83,6 +83,16 @@ See remaining rules for examples.
                        <key>comment</key>
                        <string>wildcard right for deleting system rights.</string>
                </dict>
                        <key>comment</key>
                        <string>wildcard right for deleting system rights.</string>
                </dict>
+               <key>com.apple.</key>
+               <dict>
+                       <key>rule</key>
+                       <string>default</string>
+               </dict>
+               <key>system.</key>
+               <dict>
+                       <key>rule</key>
+                       <string>default</string>
+               </dict>
                <key>sys.openfile.</key>
                <dict>
                        <key>class</key>
                <key>sys.openfile.</key>
                <dict>
                        <key>class</key>
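Review bot: The new wildcard entries `com.apple.` and `system.` carry no `comment` key, unlike the entry just above them, so the file does not record why these prefixes are mapped to the `default` rule. This looks tied to the existRule() change in src/AuthorizationDBPlist.cpp in the same commit, where a right covered by a rule name ending in `.` is treated as already existing, so a short note would help. For example, add `<key>comment</key>` with `<string>wildcard right reserving the com.apple. namespace; rights under it resolve to the default rule.</string>`, and the same for `system.`. Confirm the wording against the intended policy; the enclosing dictionary starts and ends outside the hunk.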
index d4df89e539d493b44c29a7a855fe59b6b347481e..a84ae96d1c428ba626eb6633849d6eb4a8ef55d6 100644 (file)
                        );
                        buildSettings = {
                                BUILD_VARIANTS = "normal debug";
                        );
                        buildSettings = {
                                BUILD_VARIANTS = "normal debug";
-                               CURRENT_PROJECT_VERSION = 67;
+                               CURRENT_PROJECT_VERSION = 25481;
                                FRAMEWORK_SEARCH_PATHS = "/usr/local/SecurityPieces/Frameworks /usr/local/SecurityPieces/Components/securityd $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks";
                                INSTALL_PATH = /usr/sbin;
                                OPT_CPPXFLAGS = "$(OPT_CXFLAGS) -fno-enforce-eh-specs -fno-implement-inlines -fcoalesce-templates";
                                FRAMEWORK_SEARCH_PATHS = "/usr/local/SecurityPieces/Frameworks /usr/local/SecurityPieces/Components/securityd $(SYSTEM_LIBRARY_DIR)/PrivateFrameworks";
                                INSTALL_PATH = /usr/sbin;
                                OPT_CPPXFLAGS = "$(OPT_CXFLAGS) -fno-enforce-eh-specs -fno-implement-inlines -fcoalesce-templates";
index ed48c3264087e56a42f7c1982a6a719e9b4b3226..29ae2cb52f0b650a31fd3d898654b801fb56c7f4 100644 (file)
@@ -311,10 +311,13 @@ AuthorizationDBPlist::getRuleDefinition(string &key)
 bool
 AuthorizationDBPlist::existRule(string &ruleName) const
 {
 bool
 AuthorizationDBPlist::existRule(string &ruleName) const
 {
-       map<string,Rule>::const_iterator rule = mRules.find(ruleName);
-       if (rule != mRules.end())
+       AuthItemRef candidateRule(ruleName.c_str());
+       string ruleForCandidate = getRule(candidateRule)->name();
+       // same name or covered by wildcard right -> modification.
+       if ( (ruleName == ruleForCandidate) ||
+                (*(ruleForCandidate.rbegin()) == '.') )
                return true;
                return true;
-               
+
        return false;
 }
 
        return false;
 }
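Review bot: `*(ruleForCandidate.rbegin())` is evaluated without checking that the name is non-empty, and dereferencing rbegin() on an empty string is undefined behaviour. If getRule() can fall back to a catch-all rule with an empty name (not visible in this hunk), a right that matches nothing specific would reach that dereference. Guard the test with `(!ruleForCandidate.empty() && *ruleForCandidate.rbegin() == '.')`. The result of getRule() is also dereferenced unchecked on the line above. existRule() now returns true for any right covered by a wildcard entry, not only for an exact name match, and the inline comment says a true result means modification, so a header comment stating this would help callers.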
 
index e2be78fe74f314eff942bfdc4927c0d8857def72..f820d00aca1d93cd7870b3497cc2b92185557c2a 100644 (file)
@@ -150,6 +150,7 @@ bool SecurityServerEnvironment::getSecret(CssmOwnedData &secret, const CssmData
        //@@@ ignoring prompt - not used right now
        if (database) {
                QueryPIN query(*database);
        //@@@ ignoring prompt - not used right now
        if (database) {
                QueryPIN query(*database);
+               query.inferHints(Server::process());
                if (!query()) { // success
                        secret = query.pin();
                        return true;
                if (!query()) { // success
                        secret = query.pin();
                        return true;
index c8118ef8cee8895f594dd31eeb4d9c468a09ea43..1876642b44ca09f84393bd500696ca22606e7893 100644 (file)
@@ -72,6 +72,8 @@ using namespace Authorization;
 
 SecurityAgentQuery::SecurityAgentQuery(const AuthHostType type, Session &session) : mAuthHostType(type), mHostInstance(session.authhost(mAuthHostType)), mConnection(&Server::connection())
 {
 
 SecurityAgentQuery::SecurityAgentQuery(const AuthHostType type, Session &session) : mAuthHostType(type), mHostInstance(session.authhost(mAuthHostType)), mConnection(&Server::connection())
 {
+       // this may take a while
+       Server::active().longTermActivity();
     secdebug("SecurityAgentQuery", "new SecurityAgentQuery(%p)", this);
 }
 
     secdebug("SecurityAgentQuery", "new SecurityAgentQuery(%p)", this);
 }
 
@@ -94,8 +96,6 @@ SecurityAgentQuery::~SecurityAgentQuery()
 void
 SecurityAgentQuery::activate()
 {
 void
 SecurityAgentQuery::activate()
 {
-       // this may take a while
-       Server::active().longTermActivity();
        mConnection->useAgent(this);
 
        try {
        mConnection->useAgent(this);
 
        try {
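Review bot: The comment moved into the constructor, `// this may take a while`, no longer explains the call, because nothing slow happens at construction; the blocking agent interaction still starts in activate(). Judging from the reordering in src/kcdatabase.cpp, the intent seems to be that longTermActivity() runs before callers take the UI lock, so say that: `// signal long-term activity at construction, before callers acquire uiLock; the agent dialog that follows may block`. Every SecurityAgentQuery now marks the server thread as long-term even if it is never activated; whether such queries exist is not visible here. The body of activate() continues past the end of the second hunk.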
index 4f1b4908a6b1c7313e4f99f55dd1320e1931dd17..8f723c5609e72c415dd913f7460c0c6629fcfe74 100644 (file)
@@ -570,9 +570,9 @@ void KeychainDatabase::establishOldSecrets(const AccessCredentials *creds)
                        case CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT:
                        {
                                secdebug("KCdb", "%p attempting interactive unlock", this);
                        case CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT:
                        {
                                secdebug("KCdb", "%p attempting interactive unlock", this);
+                               QueryUnlock query(*this);
                                // Holding DB common lock during UI will deadlock securityd
                                StSyncLock<Mutex, Mutex> uisync(common().uiLock(), common());
                                // Holding DB common lock during UI will deadlock securityd
                                StSyncLock<Mutex, Mutex> uisync(common().uiLock(), common());
-                               QueryUnlock query(*this);
                                query.inferHints(Server::process());
                                if (query() == SecurityAgent::noReason)
                                        return;
                                query.inferHints(Server::process());
                                if (query() == SecurityAgent::noReason)
                                        return;
@@ -622,9 +622,9 @@ void KeychainDatabase::establishOldSecrets(const AccessCredentials *creds)
                                return;
                }
                
                                return;
                }
                
+               QueryUnlock query(*this);
                // attempt interactive unlock
                StSyncLock<Mutex, Mutex> uisync(common().uiLock(), common());
                // attempt interactive unlock
                StSyncLock<Mutex, Mutex> uisync(common().uiLock(), common());
-               QueryUnlock query(*this);
                query.inferHints(Server::process());
                if (query() == SecurityAgent::noReason)
                        return;
                query.inferHints(Server::process());
                if (query() == SecurityAgent::noReason)
                        return;
@@ -650,8 +650,8 @@ void KeychainDatabase::establishNewSecrets(const AccessCredentials *creds, Secur
                        case CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT:
                                {
                                secdebug("KCdb", "%p specified interactive passphrase", this);
                        case CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT:
                                {
                                secdebug("KCdb", "%p specified interactive passphrase", this);
-                               StSyncLock<Mutex, Mutex> uisync(common().uiLock(), common());
                                QueryNewPassphrase query(*this, reason);
                                QueryNewPassphrase query(*this, reason);
+                               StSyncLock<Mutex, Mutex> uisync(common().uiLock(), common());
                                query.inferHints(Server::process());
                                CssmAutoData passphrase(Allocator::standard(Allocator::sensitive));
                                if (query(passphrase) == SecurityAgent::noReason) {
                                query.inferHints(Server::process());
                                CssmAutoData passphrase(Allocator::standard(Allocator::sensitive));
                                if (query(passphrase) == SecurityAgent::noReason) {
@@ -690,8 +690,8 @@ void KeychainDatabase::establishNewSecrets(const AccessCredentials *creds, Secur
                }
        } else {
                // default action -- interactive (only)
                }
        } else {
                // default action -- interactive (only)
-               StSyncLock<Mutex, Mutex> uisync(common().uiLock(), common());
                QueryNewPassphrase query(*this, reason);
                QueryNewPassphrase query(*this, reason);
+               StSyncLock<Mutex, Mutex> uisync(common().uiLock(), common());
         query.inferHints(Server::process());
                CssmAutoData passphrase(Allocator::standard(Allocator::sensitive));
                if (query(passphrase) == SecurityAgent::noReason) {
         query.inferHints(Server::process());
                CssmAutoData passphrase(Allocator::standard(Allocator::sensitive));
                if (query(passphrase) == SecurityAgent::noReason) {
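Review bot: In all four hunks of this file the query object is now declared before the `StSyncLock` on `common().uiLock()`, but no comment marks the order as deliberate, so a later cleanup could swap the lines back. Add a line at each site such as `// construct the query before taking uiLock: its constructor signals long-term activity`. That reason is inferred from the src/agentquery.cpp change in this commit and should be confirmed. The new order also means `uisync` is released before `query` is destroyed, which is worth stating if the query destructor touches state the lock protects. In the second hunk the comment `// attempt interactive unlock` now sits below the `QueryUnlock` declaration and should move above it. Both functions start and end outside the hunks.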
index ef34365ee7174ea7cadb8808a2ab681daa98175e..2208882c4b92a2d5d7d8c7808b50057b78ca7139 100644 (file)
@@ -251,10 +251,9 @@ int main(int argc, char *argv[])
        if (const char *s = getenv("TOKENCACHE"))
                tokenCacheDir = s;
 #endif //NDEBUG
        if (const char *s = getenv("TOKENCACHE"))
                tokenCacheDir = s;
 #endif //NDEBUG
-       TokenCache tokenCache(tokenCacheDir);
 
        // create a smartcard monitor to manage external token devices
 
        // create a smartcard monitor to manage external token devices
-       PCSCMonitor secureCards(server, tokenCache, scOptions(smartCardOptions));
+       PCSCMonitor secureCards(server, tokenCacheDir, scOptions(smartCardOptions));
     
     // create the RootSession object (if -d, give it graphics and tty attributes)
     RootSession rootSession(server,
     
     // create the RootSession object (if -d, give it graphics and tty attributes)
     RootSession rootSession(server,
index 9fe6a1386892ff9d20e3f351e1c43f930acabe32..63fa12b93645b9f284d6c100ac93916e3906b22a 100644 (file)
@@ -57,10 +57,12 @@ static const Time::Interval PCSCD_IDLE_SHUTDOWN(120);               // kill daemon if no devi
 // In fact, you should push all the hard work into a timer, so as not to hold up the
 // general startup process.
 //
 // In fact, you should push all the hard work into a timer, so as not to hold up the
 // general startup process.
 //
-PCSCMonitor::PCSCMonitor(Server &srv, TokenCache &tc, ServiceLevel level)
+PCSCMonitor::PCSCMonitor(Server &server, const char* pathToCache, ServiceLevel level)
        : Listener(kNotificationDomainPCSC, SecurityServer::kNotificationAllEvents),
          MachServer::Timer(true), // "heavy" timer task
        : Listener(kNotificationDomainPCSC, SecurityServer::kNotificationAllEvents),
          MachServer::Timer(true), // "heavy" timer task
-         server(srv), cache(tc),
+         server(server),
+         cache (NULL),
+         cachePath (pathToCache),
          mServiceLevel(level),
          mTimerAction(&PCSCMonitor::initialSetup),
          mGoingToSleep(false)
          mServiceLevel(level),
          mTimerAction(&PCSCMonitor::initialSetup),
          mGoingToSleep(false)
@@ -125,7 +127,7 @@ void PCSCMonitor::pollReaders()
                        // accounted for this reader
                        current.erase(reader);
                } else {
                        // accounted for this reader
                        current.erase(reader);
                } else {
-                       RefPointer<Reader> newReader = new Reader(cache, state);
+                       RefPointer<Reader> newReader = new Reader(getTokenCache (), state);
                        mReaders.insert(make_pair(state.name(), newReader));
                        Syslog::notice("Token reader %s inserted into system", state.name());
                        newReader->update(state);               // initial state setup
                        mReaders.insert(make_pair(state.name(), newReader));
                        Syslog::notice("Token reader %s inserted into system", state.name());
                        newReader->update(state);               // initial state setup
@@ -142,6 +144,17 @@ void PCSCMonitor::pollReaders()
 }
 
 
 }
 
 
+TokenCache& PCSCMonitor::getTokenCache ()
+{
+       if (cache == NULL) {
+               cache = new TokenCache(cachePath.c_str ());
+       }
+       
+       return *cache;
+}
+
+
+
 void PCSCMonitor::launchPcscd()
 {
        // launch pcscd
 void PCSCMonitor::launchPcscd()
 {
        // launch pcscd
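Review bot: getTokenCache() allocates the TokenCache with a bare `new` into a raw member, and the visible hunks neither delete it nor protect the `cache == NULL` check. If pollReaders() can run on more than one thread, two caches could be constructed; whether it can is not visible here. Document the contract on the function, e.g. `// lazily creates the token cache on first reader insertion; owned by this monitor, called only from pollReaders()`, or add a lock if that assumption does not hold. A TokenCache construction failure now surfaces inside pollReaders() instead of at startup in main(), so check that pollReaders() handles it. The constructor also builds `cachePath` from `pathToCache` without a null check; `cachePath(pathToCache ? pathToCache : "")` avoids undefined behaviour if a caller passes NULL.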
index 4163cebc469f0c9e7ce4831be288492ae7bd9502..4e48d5e444536c9eab24df7712be190fa7caee38 100644 (file)
@@ -61,14 +61,16 @@ public:
                externalDaemon                          // use externally launched daemon if present (do not manage pcscd)
        };
 
                externalDaemon                          // use externally launched daemon if present (do not manage pcscd)
        };
 
-       PCSCMonitor(Server &server, TokenCache &cache, ServiceLevel level = conservative);
+       PCSCMonitor(Server &server, const char* pathToCache, ServiceLevel level = conservative);
 
 protected:
        void pollReaders();
        
        Server &server;
 
 protected:
        void pollReaders();
        
        Server &server;
-       TokenCache &cache;
-       
+       TokenCache *cache;
+       std::string cachePath;
+       TokenCache& getTokenCache ();
+
 protected:
        // Listener
        void notifyMe(SecurityServer::NotificationDomain domain,
 protected:
        // Listener
        void notifyMe(SecurityServer::NotificationDomain domain,
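Review bot: `TokenCache *cache` and `cachePath` are declared under `protected:`, so a subclass can read `cache` while it is still NULL and bypass getTokenCache(). Consider moving the two data members to a `private:` section and leaving only `TokenCache& getTokenCache();` protected, with a comment on the pointer such as `// created on first use by getTokenCache(); do not access directly`. The class body starts and ends outside the hunk, so it cannot be checked from here whether a destructor releases `cache`.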
index efaf36af6288a3216faac48b305d63cfa8e5996f..e6a1d00a64bc2b5fa19e553fcdec2ca2bf519653 100644 (file)
@@ -182,6 +182,7 @@ SecurityAgent::Reason QueryNewPin::accept(CssmManagedData &passphrase, CssmData
 void TokenAcl::pinChange(unsigned int pin, CSSM_ACL_HANDLE handle, TokenDatabase &database)
 {
        QueryNewPin query(pin, handle, database, SecurityAgent::changePassphrase);
 void TokenAcl::pinChange(unsigned int pin, CSSM_ACL_HANDLE handle, TokenDatabase &database)
 {
        QueryNewPin query(pin, handle, database, SecurityAgent::changePassphrase);
+       query.inferHints(Server::process());
        CssmAutoData newPin(Allocator::standard(Allocator::sensitive));
        switch (query(newPin)) {
        case SecurityAgent::noReason:           // worked
        CssmAutoData newPin(Allocator::standard(Allocator::sensitive));
        switch (query(newPin)) {
        case SecurityAgent::noReason:           // worked