--- /dev/null
+$(DERIVED_SRC)/securityd_dtrace.h: $(SRCROOT)/src/securityd.d
+ /usr/sbin/dtrace -h -C -s $(SRCROOT)/src/securityd.d -o $(DERIVED_SRC)/securityd_dtrace.h
--- /dev/null
+#!/usr/sbin/dtrace -q -s
+
+
+/*
+ * Tracking state
+ */
+typedef uint32_t DTPort;
+typedef uint64_t DTHandle;
+
+DTHandle portmap[DTPort]; /* map client reply ports to connections */
+
+struct connection {
+ DTPort replyport; /* reply port for client thread */
+ uint32_t client; /* client object for this connection */
+};
+struct connection connection[DTHandle]; /* indexed by connection handle */
+
+/* should be a single self struct, but that doesn't work right... */
+self string reqName; /* request name */
+self DTHandle reqConnection; /* associated connection */
+self DTHandle reqClient; /* associated client */
+
+struct client {
+ pid_t pid; /* original client pid */
+ DTHandle session; /* session handle */
+ string name; /* abbreviated name */
+ string path; /* path to client process (regardless of guests) */
+ DTPort taskport; /* process task port */
+};
+struct client client[DTHandle]; /* indexed by client handle */
+
+struct keychain {
+ string name; /* keychain path */
+};
+struct keychain keychain[DTHandle]; /* indexed by DbCommon handle */
+
+
+/*
+ * Script management
+ */
+:::BEGIN
+{
+ /* fake data for unknown processes */
+ client[0].pid = 0;
+ client[0].session = 0;
+ client[0].name = "*UNKNOWN*";
+ client[0].path = "*UNKNOWN*";
+
+ printf("Ready...\n");
+}
+
+
+/*
+ * Translate thread id
+ */
+uint32_t threads[DTHandle]; /* map tids to simple thread numbers */
+uint32_t nextThread; /* next unused thread number */
+self uint32_t mytid; /* translated tid */
+
+securityd*::: /!threads[tid]/ { threads[tid] = ++nextThread; }
+security_debug*::: /!threads[tid]/ { threads[tid] = ++nextThread; }
+
+securityd*::: { self->mytid = threads[tid]; }
+security_debug*::: { self->mytid = threads[tid]; }
+
+
+/*
+ * Principal events
+ */
+securityd*:::installmode
+{
+ printf("%u SYSTEM INSTALLATION MODE SELECTED\n", timestamp);
+}
+
+securityd*:::initialized
+{
+ printf("%u COMMENCING SERVICE as %s\n", timestamp, copyinstr(arg0));
+}
+
+
+/*
+ * Client management
+ */
+securityd*:::client-connection-new
+{
+ replymap[arg1] = arg0;
+ self->reqClient = arg2;
+ connection[arg0].client = self->reqClient;
+ self->reqConnection = arg0;
+ @total["Connections"] = count();
+ printf("%u T%d:connection-new(<%x>,port=%d,client=<%x>/%s(%d))\n",
+ timestamp, self->mytid, arg0, arg1,
+ arg2, client[arg2].name, client[arg2].pid);
+}
+
+securityd*:::client-connection-release
+/connection[arg0].client/
+{
+ printf("%u T%d:connection-release(<%x>,client=<%x>/%s(%d))\n",
+ timestamp, self->mytid, arg0,
+ connection[arg0].client,
+ client[connection[arg0].client].name,
+ client[connection[arg0].client].pid);
+ replymap[connection[arg0].replyport] = 0; /* clear from port map */
+ connection[arg0].replyport = 0;
+ connection[arg0].client = 0;
+}
+
+securityd*:::client-new
+{
+ client[arg0].pid = arg1;
+ client[arg0].session = arg2;
+ client[arg0].path = copyinstr(arg3);
+ client[arg0].name = basename(client[arg0].path);
+ client[arg0].taskport = arg4;
+ self->reqClient = arg0;
+ @total["Processes"] = count();
+ printf("%u T%d:client-new(<%x>,%s(%d),session=<%x>,task=%d)\n",
+ timestamp, self->mytid, arg0,
+ client[arg0].path, client[arg0].pid,
+ client[arg0].session, client[arg0].taskport);
+}
+
+securityd*:::client-release
+{
+ printf("%u T%d:client-release(<%x>,%s(%d))\n",
+ timestamp, self->mytid, arg0, client[arg0].path, arg1);
+ client[arg0].pid = 0;
+}
+
+securityd*:::client-change_session
+{
+ printf("%u T%d:client-change_session(<%x>,new session=<%x>)\n",
+ timestamp, self->mytid, arg0, arg1);
+ client[arg0].pid = 0;
+}
+
+
+/*
+ * Client requests
+ */
+uint32_t connections[DTHandle];
+uint32_t nextConnection;
+self uint32_t myConnection;
+
+securityd*:::request-entry
+/!connections[arg1]/
+{ connections[arg1] = ++nextConnection; }
+
+securityd*:::request-entry
+{
+ self->reqName = copyinstr(arg0);
+ self->reqConnection = arg1;
+ self->myConnection = connections[arg1];
+ self->reqClient = arg2;
+ this->client = client[self->reqClient];
+}
+
+securityd*:::request-entry
+/this->client.pid/
+{
+ printf("%u T%d:C%d:%s(%d)%s\n",
+ timestamp, self->mytid, self->myConnection, this->client.name, this->client.pid, self->reqName);
+ @request[client[self->reqClient].name, self->reqName] = count();
+}
+
+securityd*:::request-entry
+/!this->client.pid/
+{
+ printf("%u T%d:C%d:%s\n",
+ timestamp, self->mytid, self->myConnection, self->reqName);
+}
+
+securityd*:::request-entry
+{
+ @requests[self->reqName] = count();
+ @total["Requests"] = count();
+}
+
+securityd*:::request-return
+/self->reqConnection && arg0 == 0/
+{
+ printf("%u T%d:C%d:return\n",
+ timestamp, self->mytid, self->myConnection);
+}
+
+securityd*:::request-return
+/self->reqConnection && arg0 != 0/
+{
+ printf("%u T%d:C%d:FAIL(%d)\n",
+ timestamp, self->mytid, self->myConnection, arg0);
+}
+
+securityd*:::request-return
+{
+ self->reqConnection = 0;
+ self->reqClient = 0;
+}
+
+
+/*
+ * Sessions
+ */
+securityd*:::session-*
+{
+ printf("%u T%d:%s(<%x>,0x%x)\n", timestamp, self->mytid, probename, arg0, arg1);
+}
+
+
+/*
+ * Keychains
+ */
+securityd*:::keychain-*
+{
+ this->path = copyinstr(arg1);
+ printf("%u T%d:%s(<%x>,%s)\n", timestamp, self->mytid, probename, arg0, this->path);
+ @keychain[this->path, probename] = count();
+}
+
+
+/*
+ * Low-level port events
+ */
+securityd*:::ports-*
+{
+ printf("%u T%d:%s(%d)\n", timestamp, self->mytid, probename, arg0);
+}
+
+
+/*
+ * Code signing
+ */
+securityd*:::guest-create
+{
+ printf("%u T%d:guest-create(<%x>,host=<%x>,guest=<%x>,status=0x%x,flags=0x%x,path=%s)\n",
+ timestamp, self->mytid, arg0, arg1, arg2, arg3, arg4, copyinstr(arg5));
+ @total["Guests"] = count();
+}
+
+securityd*:::guest-change
+{
+ printf("%u T%d:guest-change(<%x>,<%x>,status=0x%x)\n", timestamp, self->mytid, arg0, arg1, arg2);
+}
+
+securityd*:::guest-destroy
+{
+ printf("%u T%d:guest-destroy(<%x>,<%x>)\n", timestamp, self->mytid, arg0, arg1);
+}
+
+securityd*:::host-register,
+securityd*:::host-proxy
+{
+ printf("%u T%d:%s(<%x>,port=%d)\n", timestamp, self->mytid, probename, arg0, arg1);
+ @total["Hosts"] = count();
+}
+
+securityd*:::host-unregister
+{
+ printf("%u T%d:host-unregister(<%x>)\n", timestamp, self->mytid, arg0);
+}
+
+
+/*
+ * Child management
+ */
+securityd*:::child-*
+{
+ printf("%u T%d:%s(%d,%d)\n", timestamp, self->mytid, probename, arg0, arg1);
+}
+
+
+/*
+ * Power events
+ */
+securityd*:::power-*
+{
+ printf("%u T%d:POWER(%s)\n", timestamp, self->mytid, probename);
+}
+
+
+/*
+ * Authorization
+ */
+securityd*:::auth-create
+{
+ printf("%u T%d:%s ref(%#x) session(%#x)\n", timestamp, self->mytid, probename, arg1, arg0);
+}
+
+securityd*:::auth-allow,
+securityd*:::auth-deny,
+securityd*:::auth-user,
+securityd*:::auth-rules,
+securityd*:::auth-kofn,
+securityd*:::auth-mechrule
+{
+ printf("%u T%d:%s ref(%#x) rule(%s)\n", timestamp, self->mytid, probename, arg0, copyinstr(arg1));
+}
+
+securityd*:::auth-mech
+{
+ printf("%u T%d:%s ref(%#x) (%s)\n", timestamp, self->mytid, probename, arg0, copyinstr(arg1));
+}
+
+securityd*:::auth-user-allowroot,
+securityd*:::auth-user-allowsessionowner
+{
+ printf("%u T%d:%s ref(%#x)\n", timestamp, self->mytid, probename, arg0);
+}
+
+securityd*:::auth-evalright
+{
+ printf("%u T%d:%s ref(%#x) %s (%d)\n", timestamp, self->mytid, probename, arg0, copyinstr(arg1), arg2);
+}
+
+
+/*
+ * Miscellanea
+ */
+securityd*:::entropy-collect
+{
+ printf("%u T%d:entropy-collect()\n", timestamp, tid);
+}
+
+securityd*:::entropy-seed
+{
+ printf("%u T%d:entropy-seed(%d)\n", timestamp, self->mytid, arg0);
+}
+
+securityd*:::entropy-save
+{
+ printf("%u T%d:entropy-save(%s)\n", timestamp, self->mytid, copyinstr(arg0));
+}
+
+securityd*:::signal-*
+{
+ printf("%u T%d:%s(%d)\n", timestamp, self->mytid, probename, arg0);
+}
+
+
+/*
+ * Integrate secdebug logs
+ */
+security_debug*:::log
+/execname == "securityd"/
+{
+ printf("%u T%d:[%s]%s\n", timestamp, threads[tid],
+ copyinstr(arg0), copyinstr(arg1));
+}
+
+security_exception*:::throw-*
+/execname == "securityd"/
+{
+ printf("%u T%d:EXCEPTION(%p) THROWN %s(%d)\n", timestamp, threads[tid],
+ arg0, probename, arg1);
+}
+
+
+/*
+ * Wrapup
+ */
+:::END
+{
+ printa("%@8u %s\n", @total);
+ printf("\n Requests:\n");
+ printa("%@8u %s\n", @requests);
+ printf("\n Requests by client:\n");
+ printa("%@8u %s:%s\n", @request);
+ printf("\n Keychains by path and operation:\n");
+ printa("%@8u %s(%s)\n", @keychain);
+}
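Review bot: `connection[arg0].replyport` is never assigned in the `client-connection-new` clause, so the `client-connection-release` clause clears `replymap[0]` rather than the entry stored under the real reply port, and stale port-to-connection entries stay in the map. Adding `connection[arg0].replyport = arg1;` next to `replymap[arg1] = arg0;` would make the release path undo what the new path recorded. The map is declared as `portmap` under "Tracking state" but only ever used as `replymap`, so the declaration is dead; pick one name. Separately, the `client-change_session` clause sets `client[arg0].pid = 0`, which looks copied from `client-release` and makes later requests from that client take the unknown-client print path; `client[arg0].session = arg1;` is probably what was meant. The `entropy-collect` clause also prints the raw `tid` where every other clause prints `self->mytid`.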
<string>builtin:reset-password,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string>
+ <string>loginwindow:success</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
- <string>loginwindow:success</string>
<string>loginwindow:done</string>
</array>
</dict>
<key>group</key>
<string>admin</string>
<key>shared</key>
- <false/>
+ <true/>
<key>timeout</key>
- <integer>300</integer>
+ <integer>30</integer>
</dict>
<key>system.preferences</key>
<dict>
<key>timeout</key>
<integer>0</integer>
</dict>
+ <key>system.preferences.security</key>
+ <dict>
+ <key>allow-root</key>
+ <true/>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Checked by the Admin framework when making changes to the Security preference pane.</string>
+ <key>group</key>
+ <string>admin</string>
+ <key>shared</key>
+ <false/>
+ </dict>
<key>system.printingmanager</key>
<dict>
<key>class</key>
<key>class</key>
<string>user</string>
<key>group</key>
- <string>_lpadmin</string>
+ <string>lpadmin</string>
+ <key>shared</key>
+ <true/>
+ </dict>
+ <key>system.print.operator</key>
+ <dict>
+ <key>allow-root</key>
+ <true/>
+ <key>class</key>
+ <string>user</string>
+ <key>group</key>
+ <string>_lpoperator</string>
<key>shared</key>
<true/>
</dict>
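Review bot: The group for the existing right changes from `_lpadmin` to `lpadmin`, while the `system.print.operator` right added directly below it uses the underscore-prefixed `_lpoperator`, so the two print rights in this hunk follow different group-naming conventions. If no group named `lpadmin` exists on the target system, the group membership check for this right cannot succeed, so it is worth confirming which spelling is intended and saying so in the change description. The key of the right being edited lies above the hunk, so its name is not visible here.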
<key>shared</key>
<false/>
</dict>
+ <key>com.apple.DiskManagement.</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>comment</key>
+ <string>Used by diskmanagementd to allow access to its privileged functions</string>
+ <key>k-of-n</key>
+ <integer>1</integer>
+ <key>rule</key>
+ <array>
+ <string>is-root</string>
+ <string>is-admin</string>
+ <string>default</string>
+ </array>
+ <key>shared</key>
+ <true/>
+ </dict>
<key>system.privilege.admin</key>
<dict>
<key>allow-root</key>
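Review bot: The `com.apple.DiskManagement.` entry is a prefix right covering every privileged diskmanagementd function, and with `k-of-n` set to 1 the `is-admin` entry is enough on its own to satisfy it. The `is-admin` rule is not visible on this page; if it is defined like the `is-developer` rule added later in this diff, with `authenticate-user` false, then any process running as an admin user passes without a prompt and `default` is reached only for non-admin requesters. The `comment` string should state that, for example `Used by diskmanagementd to allow access to its privileged functions; granted to root and to admin users without authentication, otherwise falls back to the default rule.` The `com.apple.ZFSManager.` entry added further down uses the same three-rule list for functions its own comment calls destructive, so the same question applies there, and dropping `is-admin` from that list may be the safer choice.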
Task_for_pid is called by programs requesting full control over another program
for things like debugging or performance analysis. This authorization only applies
if the requesting and target programs are run by the same user; it will never
- authorize access to the program of another user.</string>
+ authorize access to the program of another user. WARNING: administrators are advised not to modify this right.</string>
<key>group</key>
- <string>admin</string>
+ <string>_developer</string>
+ <key>shared</key>
+ <true/>
+ <key>timeout</key>
+ <integer>36000</integer>
+ </dict>
+ <key>system.privilege.taskport.safe</key>
+ <dict>
+ <key>class</key>
+ <string>allow</string>
+ <key>comment</key>
+ <string>For use by Apple.</string>
+ </dict>
+ <key>system.privilege.taskport.debug</key>
+ <dict>
+ <key>allow-root</key>
+ <false/>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>For use by Apple. WARNING: administrators are advised
+ not to modify this right.</string>
+ <key>group</key>
+ <string>_developer</string>
<key>shared</key>
<true/>
+ <key>timeout</key>
+ <integer>36000</integer>
</dict>
<key>system.restart</key>
<dict>
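Review bot: The right whose comment describes task_for_pid (its key is above the hunk) now pairs `shared` true with a `timeout` of 36000, so one successful `_developer` authentication stays valid for ten hours and, going by the wording of the `authenticate-admin-30` comment later in this diff, is usable by all clients rather than only the one that prompted. For a right that grants full control over another process, that is a wide reuse window, and neither the comment nor the added WARNING sentence explains why it was chosen. Either set `<key>shared</key>` to `<false/>` or use a much shorter timeout, or extend the comment with the reason for the ten-hour shared credential so that administrators auditing the policy can judge it. The same `shared`/`timeout` pair is repeated on `system.privilege.taskport.debug` in this hunk and on the `authenticate-developer` rule further down. The new `system.privilege.taskport.safe` right is class `allow` with only `For use by Apple.` as its comment; a sentence saying which callers are expected to request it would help reviewers confirm that unconditional allow is intended.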
<string>Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching.</string>
<key>mechanisms</key>
<array>
+ <string>builtin:smartcard-sniffer,privileged</string>
<string>RestartAuthorization:restart</string>
- <string>RestartAuthorization:authenticate</string>
+ <string>builtin:authenticate,privileged</string>
<string>RestartAuthorization:success</string>
</array>
</dict>
<string>Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching.</string>
<key>mechanisms</key>
<array>
+ <string>builtin:smartcard-sniffer,privileged</string>
<string>RestartAuthorization:shutdown</string>
- <string>RestartAuthorization:authenticate</string>
+ <string>builtin:authenticate,privileged</string>
<string>RestartAuthorization:success</string>
</array>
</dict>
<string>builtin:confirm-access-password</string>
</array>
</dict>
+ <key>com.apple.ZFSManager.</key>
+ <dict>
+ <key>class</key>
+ <string>rule</string>
+ <key>comment</key>
+ <string>Used by zfsmanager to allow access to destructive zfs functions</string>
+ <key>k-of-n</key>
+ <integer>1</integer>
+ <key>rule</key>
+ <array>
+ <string>is-root</string>
+ <string>is-admin</string>
+ <string>default</string>
+ </array>
+ <key>shared</key>
+ <true/>
+ </dict>
+ <key>com.apple.ServiceManagement.blesshelper</key>
+ <dict>
+ <key>comment</key>
+ <string>Used by the ServiceManagement framework to add a privileged helper tool to the system launchd.</string>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>1</integer>
+ <key>rule</key>
+ <array>
+ <string>is-root</string>
+ <string>authenticate-admin-30</string>
+ </array>
+ </dict>
+ <key>com.apple.ServiceManagement.daemons.modify</key>
+ <dict>
+ <key>comment</key>
+ <string>Used by the ServiceManagement framework to make changes to the system launchd's set of daemons.</string>
+ <key>class</key>
+ <string>rule</string>
+ <key>k-of-n</key>
+ <integer>1</integer>
+ <key>rule</key>
+ <array>
+ <string>is-root</string>
+ <string>authenticate-admin-30</string>
+ </array>
+ </dict>
+ <key>com.apple.pcastagentconfigd.</key>
+ <dict>
+ <key>comment</key>
+ <string>Wildcard for rights checked by Podcast Producer when making changes to your camera binding.</string>
+ <key>class</key>
+ <string>user</string>
+ <key>group</key>
+ <string>admin</string>
+ <key>allow-root</key>
+ <true/>
+ <key>shared</key>
+ <false/>
+ </dict>
</dict>
<key>rules</key>
<dict>
<key>timeout</key>
<integer>0</integer>
</dict>
+ <key>authenticate-admin-30</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Like the default rule, but
+ credentials remain valid for only 30 seconds after they've
+ been obtained. An acquired credential is shared by all clients.
+ </string>
+ <key>group</key>
+ <string>admin</string>
+ <key>shared</key>
+ <true/>
+ <key>timeout</key>
+ <integer>30</integer>
+ </dict>
+ <key>authenticate-developer</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Authenticate as a developer.</string>
+ <key>group</key>
+ <string>_developer</string>
+ <key>shared</key>
+ <true/>
+ <key>timeout</key>
+ <integer>36000</integer>
+ </dict>
<key>authenticate-session-owner</key>
<dict>
<key>class</key>
<key>session-owner</key>
<true/>
</dict>
+ <key>authenticate-session-user</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Same as authenticate-session-owner.</string>
+ <key>session-owner</key>
+ <true/>
+ </dict>
<key>authenticate-session-owner-or-admin</key>
<dict>
<key>allow-root</key>
<key>shared</key>
<string>true</string>
</dict>
+ <key>is-developer</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>comment</key>
+ <string>Verify that the user asking for authorization is a developer.</string>
+ <key>group</key>
+ <string>_developer</string>
+ <key>authenticate-user</key>
+ <false/>
+ </dict>
<key>is-root</key>
<dict>
<key>allow-root</key>
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
- <string>com.apple.SecurityServer</string>
+ <string>com.apple.securityd</string>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/securityd</string>
<true/>
<key>LaunchOnlyOnce</key>
<true/>
+ <key>HopefullyExitsLast</key>
+ <true/>
+ <key>EnableTransactions</key>
+ <true/>
</dict>
</plist>
archiveVersion = 1;
classes = {
};
- objectVersion = 42;
+ objectVersion = 45;
objects = {
/* Begin PBXAggregateTarget section */
- C209B3A506ADBCAC007B9E6D /* mig */ = {
+ AA6D4B7A0E6F3A910050206D /* mig */ = {
isa = PBXAggregateTarget;
- buildConfigurationList = C27AD4990987FCF4001272E0 /* Build configuration list for PBXAggregateTarget "mig" */;
+ buildConfigurationList = AA6D4B7F0E6F3AE50050206D /* Build configuration list for PBXAggregateTarget "mig" */;
buildPhases = (
- C209B3A406ADBCAC007B9E6D /* ShellScript */,
+ AA6D4B790E6F3A910050206D /* ShellScript */,
);
dependencies = (
);
name = mig;
- productName = generate;
+ productName = mig_native;
+ };
+ AA6D4B810E6F3B210050206D /* startup */ = {
+ isa = PBXAggregateTarget;
+ buildConfigurationList = AA6D4B860E6F3B8D0050206D /* Build configuration list for PBXAggregateTarget "startup" */;
+ buildPhases = (
+ AA6D4B800E6F3B210050206D /* ShellScript */,
+ );
+ dependencies = (
+ );
+ name = startup;
+ productName = startup_native;
+ };
+ C26CF02C0CD934260094DD9D /* DTrace */ = {
+ isa = PBXAggregateTarget;
+ buildConfigurationList = C26CF03B0CD934420094DD9D /* Build configuration list for PBXAggregateTarget "DTrace" */;
+ buildPhases = (
+ C26CF0360CD9343A0094DD9D /* ShellScript */,
+ );
+ dependencies = (
+ );
+ name = DTrace;
+ productName = DTrace;
};
/* End PBXAggregateTarget section */
/* Begin PBXBuildFile section */
- 405845670663B2010083E58C /* AuthorizationMechEval.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 405845650663B2010083E58C /* AuthorizationMechEval.cpp */; };
- 405845680663B2010083E58C /* AuthorizationMechEval.h in Headers */ = {isa = PBXBuildFile; fileRef = 405845660663B2010083E58C /* AuthorizationMechEval.h */; };
- 40689F860725DCE00021A502 /* authhost.h in Headers */ = {isa = PBXBuildFile; fileRef = 40689F840725DCE00021A502 /* authhost.h */; };
- 40689F870725DCE00021A502 /* authhost.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 40689F850725DCE00021A502 /* authhost.cpp */; };
- 407ACD080AE5B57700A9DA90 /* credential.h in Headers */ = {isa = PBXBuildFile; fileRef = 407ACD060AE5B57700A9DA90 /* credential.h */; };
- 407ACD090AE5B57700A9DA90 /* credential.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 407ACD070AE5B57700A9DA90 /* credential.cpp */; };
- 4C01B3DA06FFC640004B3A01 /* securityd.1 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4CE1878706FFC5D60079D235 /* securityd.1 */; };
- 4C9264C80534866F004B0E72 /* acl_keychain.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264980534866F004B0E72 /* acl_keychain.cpp */; };
- 4C9264C90534866F004B0E72 /* acl_keychain.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264990534866F004B0E72 /* acl_keychain.h */; };
- 4C9264CA0534866F004B0E72 /* acls.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C92649A0534866F004B0E72 /* acls.cpp */; };
- 4C9264CB0534866F004B0E72 /* acls.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C92649B0534866F004B0E72 /* acls.h */; };
- 4C9264CC0534866F004B0E72 /* agentquery.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C92649C0534866F004B0E72 /* agentquery.cpp */; };
- 4C9264CD0534866F004B0E72 /* agentquery.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C92649D0534866F004B0E72 /* agentquery.h */; };
- 4C9264CE0534866F004B0E72 /* authority.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C92649E0534866F004B0E72 /* authority.cpp */; };
- 4C9264CF0534866F004B0E72 /* authority.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C92649F0534866F004B0E72 /* authority.h */; };
- 4C9264D00534866F004B0E72 /* AuthorizationDBPlist.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264A00534866F004B0E72 /* AuthorizationDBPlist.cpp */; };
- 4C9264D10534866F004B0E72 /* AuthorizationDBPlist.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264A10534866F004B0E72 /* AuthorizationDBPlist.h */; };
- 4C9264D20534866F004B0E72 /* AuthorizationEngine.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264A20534866F004B0E72 /* AuthorizationEngine.cpp */; };
- 4C9264D30534866F004B0E72 /* AuthorizationEngine.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264A30534866F004B0E72 /* AuthorizationEngine.h */; };
- 4C9264D40534866F004B0E72 /* AuthorizationRule.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264A40534866F004B0E72 /* AuthorizationRule.cpp */; };
- 4C9264D50534866F004B0E72 /* AuthorizationRule.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264A50534866F004B0E72 /* AuthorizationRule.h */; };
- 4C9264D80534866F004B0E72 /* codesigdb.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264A80534866F004B0E72 /* codesigdb.cpp */; };
- 4C9264D90534866F004B0E72 /* codesigdb.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264A90534866F004B0E72 /* codesigdb.h */; };
- 4C9264DA0534866F004B0E72 /* connection.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264AA0534866F004B0E72 /* connection.cpp */; };
- 4C9264DB0534866F004B0E72 /* connection.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264AB0534866F004B0E72 /* connection.h */; };
- 4C9264DC0534866F004B0E72 /* dbcrypto.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264AC0534866F004B0E72 /* dbcrypto.cpp */; };
- 4C9264DD0534866F004B0E72 /* dbcrypto.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264AD0534866F004B0E72 /* dbcrypto.h */; };
- 4C9264DE0534866F004B0E72 /* entropy.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264AE0534866F004B0E72 /* entropy.cpp */; };
- 4C9264DF0534866F004B0E72 /* entropy.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264AF0534866F004B0E72 /* entropy.h */; };
- 4C9264E20534866F004B0E72 /* key.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264B50534866F004B0E72 /* key.cpp */; };
- 4C9264E30534866F004B0E72 /* key.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264B60534866F004B0E72 /* key.h */; };
- 4C9264E40534866F004B0E72 /* main.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264B70534866F004B0E72 /* main.cpp */; };
- 4C9264E50534866F004B0E72 /* notifications.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264B80534866F004B0E72 /* notifications.cpp */; };
- 4C9264E60534866F004B0E72 /* notifications.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264B90534866F004B0E72 /* notifications.h */; };
- 4C9264E70534866F004B0E72 /* process.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264BA0534866F004B0E72 /* process.cpp */; };
- 4C9264E80534866F004B0E72 /* process.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264BB0534866F004B0E72 /* process.h */; };
- 4C9264EA0534866F004B0E72 /* server.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264BE0534866F004B0E72 /* server.cpp */; };
- 4C9264EB0534866F004B0E72 /* server.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264BF0534866F004B0E72 /* server.h */; };
- 4C9264EC0534866F004B0E72 /* session.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264C00534866F004B0E72 /* session.cpp */; };
- 4C9264ED0534866F004B0E72 /* session.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264C10534866F004B0E72 /* session.h */; };
- 4C9264EE0534866F004B0E72 /* transition.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264C20534866F004B0E72 /* transition.cpp */; };
- 4CB5ACBB06680AE000F359A9 /* child.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CB5ACB906680AE000F359A9 /* child.cpp */; };
- 4CB5ACBC06680AE000F359A9 /* child.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CB5ACBA06680AE000F359A9 /* child.h */; };
- C207646505EAD713004FEEDA /* kckey.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C207646305EAD713004FEEDA /* kckey.cpp */; };
- C207646605EAD713004FEEDA /* kckey.h in Headers */ = {isa = PBXBuildFile; fileRef = C207646405EAD713004FEEDA /* kckey.h */; };
- C20764E805ED250F004FEEDA /* localdatabase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C20764E405ED250F004FEEDA /* localdatabase.cpp */; };
- C20764E905ED250F004FEEDA /* localdatabase.h in Headers */ = {isa = PBXBuildFile; fileRef = C20764E505ED250F004FEEDA /* localdatabase.h */; };
- C20764EA05ED250F004FEEDA /* localkey.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C20764E605ED250F004FEEDA /* localkey.cpp */; };
- C20764EB05ED250F004FEEDA /* localkey.h in Headers */ = {isa = PBXBuildFile; fileRef = C20764E705ED250F004FEEDA /* localkey.h */; };
- C209B3B506ADBE64007B9E6D /* self.h in Headers */ = {isa = PBXBuildFile; fileRef = C209B3B206ADBE64007B9E6D /* self.h */; };
- C209B3B606ADBE64007B9E6D /* selfServer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C209B3B306ADBE64007B9E6D /* selfServer.cpp */; settings = {COMPILER_FLAGS = "-D__MigTypeCheck=1"; }; };
- C209B3B706ADBE64007B9E6D /* selfUser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C209B3B406ADBE64007B9E6D /* selfUser.cpp */; };
- C20AF37E05F689540055732C /* tempdatabase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C20AF37C05F689540055732C /* tempdatabase.cpp */; };
- C20AF37F05F689540055732C /* tempdatabase.h in Headers */ = {isa = PBXBuildFile; fileRef = C20AF37D05F689540055732C /* tempdatabase.h */; };
- C22A7F8E06AF06D9006087B7 /* tokend.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C22A7F8C06AF06D9006087B7 /* tokend.cpp */; };
- C22A7F8F06AF06D9006087B7 /* tokend.h in Headers */ = {isa = PBXBuildFile; fileRef = C22A7F8D06AF06D9006087B7 /* tokend.h */; };
- C22C344E0B278E770009368E /* osxcodewrap.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C22C344C0B278E770009368E /* osxcodewrap.cpp */; };
- C22C344F0B278E770009368E /* osxcodewrap.h in Headers */ = {isa = PBXBuildFile; fileRef = C22C344D0B278E770009368E /* osxcodewrap.h */; };
- C22C34540B278EB60009368E /* clientid.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C22C34520B278EB60009368E /* clientid.cpp */; };
- C22C34550B278EB60009368E /* clientid.h in Headers */ = {isa = PBXBuildFile; fileRef = C22C34530B278EB60009368E /* clientid.h */; };
- C26D533906C1E70A00062E1E /* tokenkey.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C26D533706C1E70A00062E1E /* tokenkey.cpp */; };
- C26D533A06C1E70A00062E1E /* tokenkey.h in Headers */ = {isa = PBXBuildFile; fileRef = C26D533806C1E70A00062E1E /* tokenkey.h */; };
- C26EA9530688CF34007CE21D /* tokencache.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C26EA9510688CF34007CE21D /* tokencache.cpp */; };
- C26EA9540688CF34007CE21D /* tokencache.h in Headers */ = {isa = PBXBuildFile; fileRef = C26EA9520688CF34007CE21D /* tokencache.h */; };
- C2813C810730534A00E243E8 /* tokenaccess.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2813C7F0730534A00E243E8 /* tokenaccess.cpp */; };
- C2813C820730534A00E243E8 /* tokenaccess.h in Headers */ = {isa = PBXBuildFile; fileRef = C2813C800730534A00E243E8 /* tokenaccess.h */; };
- C28654B206DBC2A30021E6E5 /* tokenacl.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C28654B006DBC2A30021E6E5 /* tokenacl.cpp */; };
- C28654B306DBC2A30021E6E5 /* tokenacl.h in Headers */ = {isa = PBXBuildFile; fileRef = C28654B106DBC2A30021E6E5 /* tokenacl.h */; };
- C28ACF9C05C9940B00447176 /* structure.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C28ACF9A05C9940B00447176 /* structure.cpp */; };
- C28ACF9D05C9940B00447176 /* structure.h in Headers */ = {isa = PBXBuildFile; fileRef = C28ACF9B05C9940B00447176 /* structure.h */; };
- C2B8DBCB05E6C3CE00E6E67C /* database.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2B8DBC705E6C3CE00E6E67C /* database.cpp */; };
- C2B8DBCC05E6C3CE00E6E67C /* database.h in Headers */ = {isa = PBXBuildFile; fileRef = C2B8DBC805E6C3CE00E6E67C /* database.h */; };
- C2B8DBCD05E6C3CE00E6E67C /* kcdatabase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2B8DBC905E6C3CE00E6E67C /* kcdatabase.cpp */; };
- C2B8DBCE05E6C3CE00E6E67C /* kcdatabase.h in Headers */ = {isa = PBXBuildFile; fileRef = C2B8DBCA05E6C3CE00E6E67C /* kcdatabase.h */; };
- C2BD5FDC0AC47E850057FD3D /* csproxy.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2BD5FDA0AC47E850057FD3D /* csproxy.cpp */; };
- C2BD5FDD0AC47E850057FD3D /* csproxy.h in Headers */ = {isa = PBXBuildFile; fileRef = C2BD5FDB0AC47E850057FD3D /* csproxy.h */; };
- C2D425F305F3C07400CB11F8 /* tokendatabase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2D425F105F3C07400CB11F8 /* tokendatabase.cpp */; };
- C2D425F405F3C07400CB11F8 /* tokendatabase.h in Headers */ = {isa = PBXBuildFile; fileRef = C2D425F205F3C07400CB11F8 /* tokendatabase.h */; };
- C2FDCAC50663CD5B0013F64C /* pcscmonitor.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2FDCABD0663CD5B0013F64C /* pcscmonitor.cpp */; };
- C2FDCAC60663CD5B0013F64C /* pcscmonitor.h in Headers */ = {isa = PBXBuildFile; fileRef = C2FDCABE0663CD5B0013F64C /* pcscmonitor.h */; };
- C2FDCAC70663CD5B0013F64C /* reader.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2FDCABF0663CD5B0013F64C /* reader.cpp */; };
- C2FDCAC80663CD5B0013F64C /* reader.h in Headers */ = {isa = PBXBuildFile; fileRef = C2FDCAC00663CD5B0013F64C /* reader.h */; };
- C2FDCAC90663CD5B0013F64C /* token.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2FDCAC10663CD5B0013F64C /* token.cpp */; };
- C2FDCACA0663CD5B0013F64C /* token.h in Headers */ = {isa = PBXBuildFile; fileRef = C2FDCAC20663CD5B0013F64C /* token.h */; };
- D6C887F00A55B6220044DFD2 /* SharedMemoryServer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = D6C887ED0A55B6220044DFD2 /* SharedMemoryServer.cpp */; };
- D6C887F10A55B6220044DFD2 /* SharedMemoryServer.h in Headers */ = {isa = PBXBuildFile; fileRef = D6C887EE0A55B6220044DFD2 /* SharedMemoryServer.h */; };
+ 4E0BB2B40F79590300BBFEFA /* ccaudit_extensions.h in Headers */ = {isa = PBXBuildFile; fileRef = 4E0BB2B20F79590300BBFEFA /* ccaudit_extensions.h */; };
+ 4E0BB2B50F79590300BBFEFA /* ccaudit_extensions.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4E0BB2B30F79590300BBFEFA /* ccaudit_extensions.cpp */; };
+ AAC707230E6F4335003CC2B2 /* acl_keychain.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264990534866F004B0E72 /* acl_keychain.h */; };
+ AAC707240E6F4335003CC2B2 /* acls.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C92649B0534866F004B0E72 /* acls.h */; };
+ AAC707250E6F4335003CC2B2 /* agentquery.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C92649D0534866F004B0E72 /* agentquery.h */; };
+ AAC707260E6F4335003CC2B2 /* authority.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C92649F0534866F004B0E72 /* authority.h */; };
+ AAC707270E6F4335003CC2B2 /* AuthorizationDBPlist.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264A10534866F004B0E72 /* AuthorizationDBPlist.h */; };
+ AAC707280E6F4335003CC2B2 /* AuthorizationEngine.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264A30534866F004B0E72 /* AuthorizationEngine.h */; };
+ AAC707290E6F4335003CC2B2 /* AuthorizationMechEval.h in Headers */ = {isa = PBXBuildFile; fileRef = 405845660663B2010083E58C /* AuthorizationMechEval.h */; };
+ AAC7072A0E6F4335003CC2B2 /* AuthorizationRule.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264A50534866F004B0E72 /* AuthorizationRule.h */; };
+ AAC7072B0E6F4335003CC2B2 /* child.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CB5ACBA06680AE000F359A9 /* child.h */; };
+ AAC7072C0E6F4335003CC2B2 /* codesigdb.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264A90534866F004B0E72 /* codesigdb.h */; };
+ AAC7072D0E6F4335003CC2B2 /* connection.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264AB0534866F004B0E72 /* connection.h */; };
+ AAC7072E0E6F4335003CC2B2 /* database.h in Headers */ = {isa = PBXBuildFile; fileRef = C2B8DBC805E6C3CE00E6E67C /* database.h */; };
+ AAC7072F0E6F4335003CC2B2 /* dbcrypto.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264AD0534866F004B0E72 /* dbcrypto.h */; };
+ AAC707300E6F4335003CC2B2 /* entropy.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264AF0534866F004B0E72 /* entropy.h */; };
+ AAC707310E6F4335003CC2B2 /* kcdatabase.h in Headers */ = {isa = PBXBuildFile; fileRef = C2B8DBCA05E6C3CE00E6E67C /* kcdatabase.h */; };
+ AAC707320E6F4335003CC2B2 /* kckey.h in Headers */ = {isa = PBXBuildFile; fileRef = C207646405EAD713004FEEDA /* kckey.h */; };
+ AAC707330E6F4335003CC2B2 /* key.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264B60534866F004B0E72 /* key.h */; };
+ AAC707340E6F4335003CC2B2 /* localdatabase.h in Headers */ = {isa = PBXBuildFile; fileRef = C20764E505ED250F004FEEDA /* localdatabase.h */; };
+ AAC707350E6F4335003CC2B2 /* localkey.h in Headers */ = {isa = PBXBuildFile; fileRef = C20764E705ED250F004FEEDA /* localkey.h */; };
+ AAC707360E6F4335003CC2B2 /* notifications.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264B90534866F004B0E72 /* notifications.h */; };
+ AAC707370E6F4335003CC2B2 /* pcscmonitor.h in Headers */ = {isa = PBXBuildFile; fileRef = C2FDCABE0663CD5B0013F64C /* pcscmonitor.h */; };
+ AAC707380E6F4335003CC2B2 /* process.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264BB0534866F004B0E72 /* process.h */; };
+ AAC707390E6F4335003CC2B2 /* reader.h in Headers */ = {isa = PBXBuildFile; fileRef = C2FDCAC00663CD5B0013F64C /* reader.h */; };
+ AAC7073A0E6F4335003CC2B2 /* server.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264BF0534866F004B0E72 /* server.h */; };
+ AAC7073B0E6F4335003CC2B2 /* session.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C9264C10534866F004B0E72 /* session.h */; };
+ AAC7073C0E6F4335003CC2B2 /* structure.h in Headers */ = {isa = PBXBuildFile; fileRef = C28ACF9B05C9940B00447176 /* structure.h */; };
+ AAC7073D0E6F4335003CC2B2 /* tempdatabase.h in Headers */ = {isa = PBXBuildFile; fileRef = C20AF37D05F689540055732C /* tempdatabase.h */; };
+ AAC7073E0E6F4335003CC2B2 /* token.h in Headers */ = {isa = PBXBuildFile; fileRef = C2FDCAC20663CD5B0013F64C /* token.h */; };
+ AAC7073F0E6F4335003CC2B2 /* tokendatabase.h in Headers */ = {isa = PBXBuildFile; fileRef = C2D425F205F3C07400CB11F8 /* tokendatabase.h */; };
+ AAC707400E6F4335003CC2B2 /* tokencache.h in Headers */ = {isa = PBXBuildFile; fileRef = C26EA9520688CF34007CE21D /* tokencache.h */; };
+ AAC707410E6F4335003CC2B2 /* self.h in Headers */ = {isa = PBXBuildFile; fileRef = C209B3B206ADBE64007B9E6D /* self.h */; };
+ AAC707420E6F4335003CC2B2 /* tokend.h in Headers */ = {isa = PBXBuildFile; fileRef = C22A7F8D06AF06D9006087B7 /* tokend.h */; };
+ AAC707430E6F4335003CC2B2 /* tokenkey.h in Headers */ = {isa = PBXBuildFile; fileRef = C26D533806C1E70A00062E1E /* tokenkey.h */; };
+ AAC707440E6F4335003CC2B2 /* tokenacl.h in Headers */ = {isa = PBXBuildFile; fileRef = C28654B106DBC2A30021E6E5 /* tokenacl.h */; };
+ AAC707450E6F4335003CC2B2 /* tokenaccess.h in Headers */ = {isa = PBXBuildFile; fileRef = C2813C800730534A00E243E8 /* tokenaccess.h */; };
+ AAC707460E6F4335003CC2B2 /* authhost.h in Headers */ = {isa = PBXBuildFile; fileRef = 40689F840725DCE00021A502 /* authhost.h */; };
+ AAC707470E6F4335003CC2B2 /* SharedMemoryServer.h in Headers */ = {isa = PBXBuildFile; fileRef = D6C887EE0A55B6220044DFD2 /* SharedMemoryServer.h */; };
+ AAC707480E6F4335003CC2B2 /* csproxy.h in Headers */ = {isa = PBXBuildFile; fileRef = C2BD5FDB0AC47E850057FD3D /* csproxy.h */; };
+ AAC707490E6F4335003CC2B2 /* credential.h in Headers */ = {isa = PBXBuildFile; fileRef = 407ACD060AE5B57700A9DA90 /* credential.h */; };
+ AAC7074B0E6F4335003CC2B2 /* clientid.h in Headers */ = {isa = PBXBuildFile; fileRef = C22C34530B278EB60009368E /* clientid.h */; };
+ AAC7074C0E6F4335003CC2B2 /* dtrace.h in Headers */ = {isa = PBXBuildFile; fileRef = C26CF0880CDFE1180094DD9D /* dtrace.h */; };
+ AAC7074D0E6F4352003CC2B2 /* acl_keychain.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264980534866F004B0E72 /* acl_keychain.cpp */; };
+ AAC7074E0E6F4352003CC2B2 /* acls.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C92649A0534866F004B0E72 /* acls.cpp */; };
+ AAC7074F0E6F4352003CC2B2 /* agentquery.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C92649C0534866F004B0E72 /* agentquery.cpp */; };
+ AAC707500E6F4352003CC2B2 /* authority.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C92649E0534866F004B0E72 /* authority.cpp */; };
+ AAC707510E6F4352003CC2B2 /* AuthorizationDBPlist.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264A00534866F004B0E72 /* AuthorizationDBPlist.cpp */; };
+ AAC707520E6F4352003CC2B2 /* AuthorizationEngine.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264A20534866F004B0E72 /* AuthorizationEngine.cpp */; };
+ AAC707530E6F4352003CC2B2 /* AuthorizationMechEval.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 405845650663B2010083E58C /* AuthorizationMechEval.cpp */; };
+ AAC707540E6F4352003CC2B2 /* AuthorizationRule.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264A40534866F004B0E72 /* AuthorizationRule.cpp */; };
+ AAC707550E6F4352003CC2B2 /* child.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CB5ACB906680AE000F359A9 /* child.cpp */; };
+ AAC707560E6F4352003CC2B2 /* codesigdb.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264A80534866F004B0E72 /* codesigdb.cpp */; };
+ AAC707570E6F4352003CC2B2 /* connection.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264AA0534866F004B0E72 /* connection.cpp */; };
+ AAC707580E6F4352003CC2B2 /* database.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2B8DBC705E6C3CE00E6E67C /* database.cpp */; };
+ AAC707590E6F4352003CC2B2 /* dbcrypto.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264AC0534866F004B0E72 /* dbcrypto.cpp */; };
+ AAC7075A0E6F4352003CC2B2 /* entropy.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264AE0534866F004B0E72 /* entropy.cpp */; };
+ AAC7075B0E6F4352003CC2B2 /* kcdatabase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2B8DBC905E6C3CE00E6E67C /* kcdatabase.cpp */; };
+ AAC7075C0E6F4352003CC2B2 /* kckey.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C207646305EAD713004FEEDA /* kckey.cpp */; };
+ AAC7075D0E6F4352003CC2B2 /* key.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264B50534866F004B0E72 /* key.cpp */; };
+ AAC7075E0E6F4352003CC2B2 /* localdatabase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C20764E405ED250F004FEEDA /* localdatabase.cpp */; };
+ AAC7075F0E6F4352003CC2B2 /* localkey.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C20764E605ED250F004FEEDA /* localkey.cpp */; };
+ AAC707600E6F4352003CC2B2 /* main.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264B70534866F004B0E72 /* main.cpp */; };
+ AAC707610E6F4352003CC2B2 /* notifications.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264B80534866F004B0E72 /* notifications.cpp */; };
+ AAC707620E6F4352003CC2B2 /* pcscmonitor.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2FDCABD0663CD5B0013F64C /* pcscmonitor.cpp */; };
+ AAC707630E6F4352003CC2B2 /* process.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264BA0534866F004B0E72 /* process.cpp */; };
+ AAC707640E6F4352003CC2B2 /* reader.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2FDCABF0663CD5B0013F64C /* reader.cpp */; };
+ AAC707650E6F4352003CC2B2 /* server.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264BE0534866F004B0E72 /* server.cpp */; };
+ AAC707660E6F4352003CC2B2 /* session.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264C00534866F004B0E72 /* session.cpp */; };
+ AAC707670E6F4352003CC2B2 /* structure.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C28ACF9A05C9940B00447176 /* structure.cpp */; };
+ AAC707680E6F4352003CC2B2 /* tempdatabase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C20AF37C05F689540055732C /* tempdatabase.cpp */; };
+ AAC707690E6F4352003CC2B2 /* token.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2FDCAC10663CD5B0013F64C /* token.cpp */; };
+ AAC7076A0E6F4352003CC2B2 /* tokendatabase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2D425F105F3C07400CB11F8 /* tokendatabase.cpp */; };
+ AAC7076B0E6F4352003CC2B2 /* transition.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4C9264C20534866F004B0E72 /* transition.cpp */; };
+ AAC7076C0E6F4352003CC2B2 /* tokencache.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C26EA9510688CF34007CE21D /* tokencache.cpp */; };
+ AAC7076D0E6F4352003CC2B2 /* selfServer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C209B3B306ADBE64007B9E6D /* selfServer.cpp */; };
+ AAC7076E0E6F4352003CC2B2 /* selfUser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C209B3B406ADBE64007B9E6D /* selfUser.cpp */; };
+ AAC7076F0E6F4352003CC2B2 /* tokend.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C22A7F8C06AF06D9006087B7 /* tokend.cpp */; };
+ AAC707700E6F4352003CC2B2 /* tokenkey.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C26D533706C1E70A00062E1E /* tokenkey.cpp */; };
+ AAC707710E6F4352003CC2B2 /* tokenacl.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C28654B006DBC2A30021E6E5 /* tokenacl.cpp */; };
+ AAC707720E6F4352003CC2B2 /* tokenaccess.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2813C7F0730534A00E243E8 /* tokenaccess.cpp */; };
+ AAC707730E6F4352003CC2B2 /* authhost.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 40689F850725DCE00021A502 /* authhost.cpp */; };
+ AAC707740E6F4352003CC2B2 /* SharedMemoryServer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = D6C887ED0A55B6220044DFD2 /* SharedMemoryServer.cpp */; };
+ AAC707750E6F4352003CC2B2 /* csproxy.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2BD5FDA0AC47E850057FD3D /* csproxy.cpp */; };
+ AAC707760E6F4352003CC2B2 /* credential.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 407ACD070AE5B57700A9DA90 /* credential.cpp */; };
+ AAC707780E6F4352003CC2B2 /* clientid.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C22C34520B278EB60009368E /* clientid.cpp */; };
+ ED5130690E7F1259002A3749 /* securityd.1 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4CE1878706FFC5D60079D235 /* securityd.1 */; };
/* End PBXBuildFile section */
/* Begin PBXContainerItemProxy section */
- 4CD8CCB5055884BD006B3584 /* PBXContainerItemProxy */ = {
+ AA1A9FF80E71EF08003D0309 /* PBXContainerItemProxy */ = {
+ isa = PBXContainerItemProxy;
+ containerPortal = 4CA1FEB0052A3C5800F22E42 /* Project object */;
+ proxyType = 1;
+ remoteGlobalIDString = C26CF02C0CD934260094DD9D;
+ remoteInfo = DTrace;
+ };
+ AA1AA00E0E71F2ED003D0309 /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 4CA1FEB0052A3C5800F22E42 /* Project object */;
proxyType = 1;
- remoteGlobalIDString = 4CA4EB2C0558848900CF7791;
+ remoteGlobalIDString = AA6D4B810E6F3B210050206D;
remoteInfo = startup;
};
- C209B3A906ADBD6D007B9E6D /* PBXContainerItemProxy */ = {
+ AA1AA0100E71F2F7003D0309 /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
containerPortal = 4CA1FEB0052A3C5800F22E42 /* Project object */;
proxyType = 1;
- remoteGlobalIDString = C209B3A506ADBCAC007B9E6D;
+ remoteGlobalIDString = AA6D4B7A0E6F3A910050206D;
remoteInfo = mig;
};
/* End PBXContainerItemProxy section */
/* Begin PBXCopyFilesBuildPhase section */
- 4C01B3D706FFC621004B3A01 /* CopyFiles */ = {
+ ED51306A0E7F1277002A3749 /* CopyFiles */ = {
isa = PBXCopyFilesBuildPhase;
buildActionMask = 8;
- dstPath = /usr/share/man/man1/;
+ dstPath = /usr/share/man/man1;
dstSubfolderSpec = 0;
files = (
- 4C01B3DA06FFC640004B3A01 /* securityd.1 in CopyFiles */,
+ ED5130690E7F1259002A3749 /* securityd.1 in CopyFiles */,
);
runOnlyForDeploymentPostprocessing = 1;
};
4C9264C00534866F004B0E72 /* session.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = session.cpp; sourceTree = "<group>"; };
4C9264C10534866F004B0E72 /* session.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = session.h; sourceTree = "<group>"; };
4C9264C20534866F004B0E72 /* transition.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = transition.cpp; sourceTree = "<group>"; };
- 4CA1FEB6052A3C6D00F22E42 /* securityd */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; path = securityd; sourceTree = BUILT_PRODUCTS_DIR; };
4CB5ACB906680AE000F359A9 /* child.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = child.cpp; sourceTree = "<group>"; };
4CB5ACBA06680AE000F359A9 /* child.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = child.h; sourceTree = "<group>"; };
4CD8CCBC055884E0006B3584 /* authorization.plist */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text.plist; path = authorization.plist; sourceTree = "<group>"; };
4CDD506B0537666500FEC36D /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = /System/Library/Frameworks/IOKit.framework; sourceTree = "<absolute>"; };
4CE1878606FFC5D60079D235 /* BLOBFORMAT */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text; path = BLOBFORMAT; sourceTree = "<group>"; };
4CE1878706FFC5D60079D235 /* securityd.1 */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text.man; path = securityd.1; sourceTree = "<group>"; };
+ 4E0BB2B20F79590300BBFEFA /* ccaudit_extensions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ccaudit_extensions.h; sourceTree = "<group>"; };
+ 4E0BB2B30F79590300BBFEFA /* ccaudit_extensions.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ccaudit_extensions.cpp; sourceTree = "<group>"; };
+ AA6D4B8A0E6F3BB80050206D /* securityd */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = securityd; sourceTree = BUILT_PRODUCTS_DIR; };
+ AAA020B10E367BB000A6F842 /* dtrace.mk */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = dtrace.mk; path = dtrace/dtrace.mk; sourceTree = "<group>"; };
C207646305EAD713004FEEDA /* kckey.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = kckey.cpp; sourceTree = "<group>"; };
C207646405EAD713004FEEDA /* kckey.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = kckey.h; sourceTree = "<group>"; };
C20764E405ED250F004FEEDA /* localdatabase.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = localdatabase.cpp; sourceTree = "<group>"; };
C20AF37D05F689540055732C /* tempdatabase.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = tempdatabase.h; sourceTree = "<group>"; };
C22A7F8C06AF06D9006087B7 /* tokend.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = tokend.cpp; sourceTree = "<group>"; };
C22A7F8D06AF06D9006087B7 /* tokend.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = tokend.h; sourceTree = "<group>"; };
- C22C344C0B278E770009368E /* osxcodewrap.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = osxcodewrap.cpp; sourceTree = "<group>"; };
- C22C344D0B278E770009368E /* osxcodewrap.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = osxcodewrap.h; sourceTree = "<group>"; };
C22C34520B278EB60009368E /* clientid.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = clientid.cpp; sourceTree = "<group>"; };
C22C34530B278EB60009368E /* clientid.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = clientid.h; sourceTree = "<group>"; };
+ C26CF0230CD933AE0094DD9D /* securityd.d */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.dtrace; name = securityd.d; path = src/securityd.d; sourceTree = "<group>"; };
+ C26CF0880CDFE1180094DD9D /* dtrace.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = dtrace.h; path = src/dtrace.h; sourceTree = "<group>"; };
C26D533706C1E70A00062E1E /* tokenkey.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = tokenkey.cpp; sourceTree = "<group>"; };
C26D533806C1E70A00062E1E /* tokenkey.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = tokenkey.h; sourceTree = "<group>"; };
C26EA9510688CF34007CE21D /* tokencache.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = tokencache.cpp; sourceTree = "<group>"; };
C2B8DBCA05E6C3CE00E6E67C /* kcdatabase.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = kcdatabase.h; sourceTree = "<group>"; };
C2BD5FDA0AC47E850057FD3D /* csproxy.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = csproxy.cpp; sourceTree = "<group>"; };
C2BD5FDB0AC47E850057FD3D /* csproxy.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = csproxy.h; sourceTree = "<group>"; };
+ C2CB75A90CE26A3600727A2B /* securityd-watch.d */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.dtrace; name = "securityd-watch.d"; path = "dtrace/securityd-watch.d"; sourceTree = "<group>"; };
C2D425F105F3C07400CB11F8 /* tokendatabase.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = tokendatabase.cpp; sourceTree = "<group>"; };
C2D425F205F3C07400CB11F8 /* tokendatabase.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = tokendatabase.h; sourceTree = "<group>"; };
C2FDCABD0663CD5B0013F64C /* pcscmonitor.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = pcscmonitor.cpp; sourceTree = "<group>"; };
/* End PBXFileReference section */
/* Begin PBXFrameworksBuildPhase section */
- 4CA1FEB3052A3C6D00F22E42 /* Frameworks */ = {
+ AA6D4B880E6F3BB80050206D /* Frameworks */ = {
isa = PBXFrameworksBuildPhase;
buildActionMask = 2147483647;
files = (
C28AE82606CD7E4700BE0061 /* ACLs */,
C28AE81106CD7D7800BE0061 /* Authorization */,
C22C34510B278E950009368E /* Client Identification */,
+ C26AC79D0DAED222005BFB40 /* Code Signing */,
C28AE83906CD7EE900BE0061 /* Support */,
);
path = src;
children = (
4C9264970534866F004B0E72 /* src */,
C209B39106ADBB19007B9E6D /* mig */,
+ C26CF0290CD933D60094DD9D /* DTrace */,
4CE1878506FFC5D60079D235 /* doc */,
C209B39406ADBB2B007B9E6D /* derived_src */,
C28AE82006CD7DF500BE0061 /* Build Stuff */,
4CA1FEB7052A3C6D00F22E42 /* Products */ = {
isa = PBXGroup;
children = (
- 4CA1FEB6052A3C6D00F22E42 /* securityd */,
+ AA6D4B8A0E6F3BB80050206D /* securityd */,
);
name = Products;
sourceTree = "<group>";
children = (
C22C34530B278EB60009368E /* clientid.h */,
C22C34520B278EB60009368E /* clientid.cpp */,
- C2BD5FDB0AC47E850057FD3D /* csproxy.h */,
- C2BD5FDA0AC47E850057FD3D /* csproxy.cpp */,
4C9264A90534866F004B0E72 /* codesigdb.h */,
4C9264A80534866F004B0E72 /* codesigdb.cpp */,
);
name = "Client Identification";
sourceTree = "<group>";
};
+ C26AC79D0DAED222005BFB40 /* Code Signing */ = {
+ isa = PBXGroup;
+ children = (
+ C2BD5FDB0AC47E850057FD3D /* csproxy.h */,
+ C2BD5FDA0AC47E850057FD3D /* csproxy.cpp */,
+ );
+ name = "Code Signing";
+ sourceTree = "<group>";
+ };
+ C26CF0290CD933D60094DD9D /* DTrace */ = {
+ isa = PBXGroup;
+ children = (
+ C26CF0230CD933AE0094DD9D /* securityd.d */,
+ C26CF0880CDFE1180094DD9D /* dtrace.h */,
+ C2CB75A90CE26A3600727A2B /* securityd-watch.d */,
+ AAA020B10E367BB000A6F842 /* dtrace.mk */,
+ );
+ name = DTrace;
+ sourceTree = "<group>";
+ };
C28AE7FE06CD7CFF00BE0061 /* Token */ = {
isa = PBXGroup;
children = (
children = (
4C92649D0534866F004B0E72 /* agentquery.h */,
4C92649C0534866F004B0E72 /* agentquery.cpp */,
+ 4E0BB2B20F79590300BBFEFA /* ccaudit_extensions.h */,
+ 4E0BB2B30F79590300BBFEFA /* ccaudit_extensions.cpp */,
4CB5ACBA06680AE000F359A9 /* child.h */,
4CB5ACB906680AE000F359A9 /* child.cpp */,
4C9264AF0534866F004B0E72 /* entropy.h */,
4C9264AE0534866F004B0E72 /* entropy.cpp */,
4C9264B90534866F004B0E72 /* notifications.h */,
4C9264B80534866F004B0E72 /* notifications.cpp */,
- C22C344D0B278E770009368E /* osxcodewrap.h */,
- C22C344C0B278E770009368E /* osxcodewrap.cpp */,
D6C887EE0A55B6220044DFD2 /* SharedMemoryServer.h */,
D6C887ED0A55B6220044DFD2 /* SharedMemoryServer.cpp */,
);
/* End PBXGroup section */
/* Begin PBXHeadersBuildPhase section */
- 4CA1FEB1052A3C6D00F22E42 /* Headers */ = {
+ AAC7077A0E6F437A003CC2B2 /* Headers */ = {
isa = PBXHeadersBuildPhase;
buildActionMask = 2147483647;
files = (
- 4C9264C90534866F004B0E72 /* acl_keychain.h in Headers */,
- 4C9264CB0534866F004B0E72 /* acls.h in Headers */,
- 4C9264CD0534866F004B0E72 /* agentquery.h in Headers */,
- 4C9264CF0534866F004B0E72 /* authority.h in Headers */,
- 4C9264D10534866F004B0E72 /* AuthorizationDBPlist.h in Headers */,
- 4C9264D30534866F004B0E72 /* AuthorizationEngine.h in Headers */,
- 405845680663B2010083E58C /* AuthorizationMechEval.h in Headers */,
- 4C9264D50534866F004B0E72 /* AuthorizationRule.h in Headers */,
- 4CB5ACBC06680AE000F359A9 /* child.h in Headers */,
- 4C9264D90534866F004B0E72 /* codesigdb.h in Headers */,
- 4C9264DB0534866F004B0E72 /* connection.h in Headers */,
- C2B8DBCC05E6C3CE00E6E67C /* database.h in Headers */,
- 4C9264DD0534866F004B0E72 /* dbcrypto.h in Headers */,
- 4C9264DF0534866F004B0E72 /* entropy.h in Headers */,
- C2B8DBCE05E6C3CE00E6E67C /* kcdatabase.h in Headers */,
- C207646605EAD713004FEEDA /* kckey.h in Headers */,
- 4C9264E30534866F004B0E72 /* key.h in Headers */,
- C20764E905ED250F004FEEDA /* localdatabase.h in Headers */,
- C20764EB05ED250F004FEEDA /* localkey.h in Headers */,
- 4C9264E60534866F004B0E72 /* notifications.h in Headers */,
- C2FDCAC60663CD5B0013F64C /* pcscmonitor.h in Headers */,
- 4C9264E80534866F004B0E72 /* process.h in Headers */,
- C2FDCAC80663CD5B0013F64C /* reader.h in Headers */,
- 4C9264EB0534866F004B0E72 /* server.h in Headers */,
- 4C9264ED0534866F004B0E72 /* session.h in Headers */,
- C28ACF9D05C9940B00447176 /* structure.h in Headers */,
- C20AF37F05F689540055732C /* tempdatabase.h in Headers */,
- C2FDCACA0663CD5B0013F64C /* token.h in Headers */,
- C2D425F405F3C07400CB11F8 /* tokendatabase.h in Headers */,
- C26EA9540688CF34007CE21D /* tokencache.h in Headers */,
- C209B3B506ADBE64007B9E6D /* self.h in Headers */,
- C22A7F8F06AF06D9006087B7 /* tokend.h in Headers */,
- C26D533A06C1E70A00062E1E /* tokenkey.h in Headers */,
- C28654B306DBC2A30021E6E5 /* tokenacl.h in Headers */,
- C2813C820730534A00E243E8 /* tokenaccess.h in Headers */,
- 40689F860725DCE00021A502 /* authhost.h in Headers */,
- D6C887F10A55B6220044DFD2 /* SharedMemoryServer.h in Headers */,
- C2BD5FDD0AC47E850057FD3D /* csproxy.h in Headers */,
- 407ACD080AE5B57700A9DA90 /* credential.h in Headers */,
- C22C344F0B278E770009368E /* osxcodewrap.h in Headers */,
- C22C34550B278EB60009368E /* clientid.h in Headers */,
+ AAC707230E6F4335003CC2B2 /* acl_keychain.h in Headers */,
+ AAC707240E6F4335003CC2B2 /* acls.h in Headers */,
+ AAC707250E6F4335003CC2B2 /* agentquery.h in Headers */,
+ AAC707260E6F4335003CC2B2 /* authority.h in Headers */,
+ AAC707270E6F4335003CC2B2 /* AuthorizationDBPlist.h in Headers */,
+ AAC707280E6F4335003CC2B2 /* AuthorizationEngine.h in Headers */,
+ AAC707290E6F4335003CC2B2 /* AuthorizationMechEval.h in Headers */,
+ AAC7072A0E6F4335003CC2B2 /* AuthorizationRule.h in Headers */,
+ AAC7072B0E6F4335003CC2B2 /* child.h in Headers */,
+ AAC7072C0E6F4335003CC2B2 /* codesigdb.h in Headers */,
+ AAC7072D0E6F4335003CC2B2 /* connection.h in Headers */,
+ AAC7072E0E6F4335003CC2B2 /* database.h in Headers */,
+ AAC7072F0E6F4335003CC2B2 /* dbcrypto.h in Headers */,
+ AAC707300E6F4335003CC2B2 /* entropy.h in Headers */,
+ AAC707310E6F4335003CC2B2 /* kcdatabase.h in Headers */,
+ AAC707320E6F4335003CC2B2 /* kckey.h in Headers */,
+ AAC707330E6F4335003CC2B2 /* key.h in Headers */,
+ AAC707340E6F4335003CC2B2 /* localdatabase.h in Headers */,
+ AAC707350E6F4335003CC2B2 /* localkey.h in Headers */,
+ AAC707360E6F4335003CC2B2 /* notifications.h in Headers */,
+ AAC707370E6F4335003CC2B2 /* pcscmonitor.h in Headers */,
+ AAC707380E6F4335003CC2B2 /* process.h in Headers */,
+ AAC707390E6F4335003CC2B2 /* reader.h in Headers */,
+ AAC7073A0E6F4335003CC2B2 /* server.h in Headers */,
+ AAC7073B0E6F4335003CC2B2 /* session.h in Headers */,
+ AAC7073C0E6F4335003CC2B2 /* structure.h in Headers */,
+ AAC7073D0E6F4335003CC2B2 /* tempdatabase.h in Headers */,
+ AAC7073E0E6F4335003CC2B2 /* token.h in Headers */,
+ AAC7073F0E6F4335003CC2B2 /* tokendatabase.h in Headers */,
+ AAC707400E6F4335003CC2B2 /* tokencache.h in Headers */,
+ AAC707410E6F4335003CC2B2 /* self.h in Headers */,
+ AAC707420E6F4335003CC2B2 /* tokend.h in Headers */,
+ AAC707430E6F4335003CC2B2 /* tokenkey.h in Headers */,
+ AAC707440E6F4335003CC2B2 /* tokenacl.h in Headers */,
+ AAC707450E6F4335003CC2B2 /* tokenaccess.h in Headers */,
+ AAC707460E6F4335003CC2B2 /* authhost.h in Headers */,
+ AAC707470E6F4335003CC2B2 /* SharedMemoryServer.h in Headers */,
+ AAC707480E6F4335003CC2B2 /* csproxy.h in Headers */,
+ AAC707490E6F4335003CC2B2 /* credential.h in Headers */,
+ AAC7074B0E6F4335003CC2B2 /* clientid.h in Headers */,
+ AAC7074C0E6F4335003CC2B2 /* dtrace.h in Headers */,
+ 4E0BB2B40F79590300BBFEFA /* ccaudit_extensions.h in Headers */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXHeadersBuildPhase section */
-/* Begin PBXLegacyTarget section */
- 4CA4EB2C0558848900CF7791 /* startup */ = {
- isa = PBXLegacyTarget;
- buildArgumentsString = "-f $(SRCROOT)/etc/startup.mk $(ACTION)";
- buildConfigurationList = C27AD4A30987FCF4001272E0 /* Build configuration list for PBXLegacyTarget "startup" */;
+/* Begin PBXNativeTarget section */
+ AA6D4B890E6F3BB80050206D /* securityd */ = {
+ isa = PBXNativeTarget;
+ buildConfigurationList = AA6D4B900E6F3BE80050206D /* Build configuration list for PBXNativeTarget "securityd" */;
buildPhases = (
+ AAC7077A0E6F437A003CC2B2 /* Headers */,
+ AA6D4B870E6F3BB80050206D /* Sources */,
+ AA6D4B880E6F3BB80050206D /* Frameworks */,
+ ED51306A0E7F1277002A3749 /* CopyFiles */,
+ );
+ buildRules = (
);
- buildToolPath = /usr/bin/gnumake;
- buildWorkingDirectory = "";
dependencies = (
+ AA1AA00F0E71F2ED003D0309 /* PBXTargetDependency */,
+ AA1AA0110E71F2F7003D0309 /* PBXTargetDependency */,
+ AA1A9FF90E71EF08003D0309 /* PBXTargetDependency */,
);
- name = startup;
- passBuildSettingsInEnvironment = 1;
- productName = startup;
+ name = securityd;
+ productName = securityd_native;
+ productReference = AA6D4B8A0E6F3BB80050206D /* securityd */;
+ productType = "com.apple.product-type.tool";
};
-/* End PBXLegacyTarget section */
+/* End PBXNativeTarget section */
/* Begin PBXProject section */
4CA1FEB0052A3C5800F22E42 /* Project object */ = {
isa = PBXProject;
buildConfigurationList = C27AD4AD0987FCF4001272E0 /* Build configuration list for PBXProject "securityd" */;
- compatibilityVersion = "Xcode 2.4";
+ compatibilityVersion = "Xcode 3.1";
hasScannedForEncodings = 1;
mainGroup = 4CA1FEAC052A3C5800F22E42;
productRefGroup = 4CA1FEB7052A3C6D00F22E42 /* Products */;
projectDirPath = "";
projectRoot = "";
targets = (
- 4CA1FEB5052A3C6D00F22E42 /* securityd */,
- 4CA4EB2C0558848900CF7791 /* startup */,
- C209B3A506ADBCAC007B9E6D /* mig */,
+ AA6D4B890E6F3BB80050206D /* securityd */,
+ C26CF02C0CD934260094DD9D /* DTrace */,
+ AA6D4B7A0E6F3A910050206D /* mig */,
+ AA6D4B810E6F3B210050206D /* startup */,
);
};
/* End PBXProject section */
/* Begin PBXShellScriptBuildPhase section */
- C209B3A406ADBCAC007B9E6D /* ShellScript */ = {
+ AA6D4B790E6F3A910050206D /* ShellScript */ = {
isa = PBXShellScriptBuildPhase;
buildActionMask = 2147483647;
files = (
outputPaths = (
);
runOnlyForDeploymentPostprocessing = 0;
- shellPath = /bin/bash;
+ shellPath = /bin/sh;
shellScript = "make -f mig/mig.mk\n";
};
+ AA6D4B800E6F3B210050206D /* ShellScript */ = {
+ isa = PBXShellScriptBuildPhase;
+ buildActionMask = 2147483647;
+ files = (
+ );
+ inputPaths = (
+ );
+ outputPaths = (
+ );
+ runOnlyForDeploymentPostprocessing = 0;
+ shellPath = /bin/sh;
+ shellScript = "/usr/bin/gnumake -f $SRCROOT/etc/startup.mk $ACTION\n\n";
+ };
+ C26CF0360CD9343A0094DD9D /* ShellScript */ = {
+ isa = PBXShellScriptBuildPhase;
+ buildActionMask = 2147483647;
+ files = (
+ );
+ inputPaths = (
+ );
+ outputPaths = (
+ );
+ runOnlyForDeploymentPostprocessing = 0;
+ shellPath = /bin/bash;
+ shellScript = "export DERIVED_SRC=$BUILT_PRODUCTS_DIR/derived_src\nmkdir -p $DERIVED_SRC\nmake -f $SRCROOT/dtrace/dtrace.mk\n";
+ };
/* End PBXShellScriptBuildPhase section */
/* Begin PBXSourcesBuildPhase section */
- 4CA1FEB2052A3C6D00F22E42 /* Sources */ = {
+ AA6D4B870E6F3BB80050206D /* Sources */ = {
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
- 4C9264C80534866F004B0E72 /* acl_keychain.cpp in Sources */,
- 4C9264CA0534866F004B0E72 /* acls.cpp in Sources */,
- 4C9264CC0534866F004B0E72 /* agentquery.cpp in Sources */,
- 4C9264CE0534866F004B0E72 /* authority.cpp in Sources */,
- 4C9264D00534866F004B0E72 /* AuthorizationDBPlist.cpp in Sources */,
- 4C9264D20534866F004B0E72 /* AuthorizationEngine.cpp in Sources */,
- 405845670663B2010083E58C /* AuthorizationMechEval.cpp in Sources */,
- 4C9264D40534866F004B0E72 /* AuthorizationRule.cpp in Sources */,
- 4CB5ACBB06680AE000F359A9 /* child.cpp in Sources */,
- 4C9264D80534866F004B0E72 /* codesigdb.cpp in Sources */,
- 4C9264DA0534866F004B0E72 /* connection.cpp in Sources */,
- C2B8DBCB05E6C3CE00E6E67C /* database.cpp in Sources */,
- 4C9264DC0534866F004B0E72 /* dbcrypto.cpp in Sources */,
- 4C9264DE0534866F004B0E72 /* entropy.cpp in Sources */,
- C2B8DBCD05E6C3CE00E6E67C /* kcdatabase.cpp in Sources */,
- C207646505EAD713004FEEDA /* kckey.cpp in Sources */,
- 4C9264E20534866F004B0E72 /* key.cpp in Sources */,
- C20764E805ED250F004FEEDA /* localdatabase.cpp in Sources */,
- C20764EA05ED250F004FEEDA /* localkey.cpp in Sources */,
- 4C9264E40534866F004B0E72 /* main.cpp in Sources */,
- 4C9264E50534866F004B0E72 /* notifications.cpp in Sources */,
- C2FDCAC50663CD5B0013F64C /* pcscmonitor.cpp in Sources */,
- 4C9264E70534866F004B0E72 /* process.cpp in Sources */,
- C2FDCAC70663CD5B0013F64C /* reader.cpp in Sources */,
- 4C9264EA0534866F004B0E72 /* server.cpp in Sources */,
- 4C9264EC0534866F004B0E72 /* session.cpp in Sources */,
- C28ACF9C05C9940B00447176 /* structure.cpp in Sources */,
- C20AF37E05F689540055732C /* tempdatabase.cpp in Sources */,
- C2FDCAC90663CD5B0013F64C /* token.cpp in Sources */,
- C2D425F305F3C07400CB11F8 /* tokendatabase.cpp in Sources */,
- 4C9264EE0534866F004B0E72 /* transition.cpp in Sources */,
- C26EA9530688CF34007CE21D /* tokencache.cpp in Sources */,
- C209B3B606ADBE64007B9E6D /* selfServer.cpp in Sources */,
- C209B3B706ADBE64007B9E6D /* selfUser.cpp in Sources */,
- C22A7F8E06AF06D9006087B7 /* tokend.cpp in Sources */,
- C26D533906C1E70A00062E1E /* tokenkey.cpp in Sources */,
- C28654B206DBC2A30021E6E5 /* tokenacl.cpp in Sources */,
- C2813C810730534A00E243E8 /* tokenaccess.cpp in Sources */,
- 40689F870725DCE00021A502 /* authhost.cpp in Sources */,
- D6C887F00A55B6220044DFD2 /* SharedMemoryServer.cpp in Sources */,
- C2BD5FDC0AC47E850057FD3D /* csproxy.cpp in Sources */,
- 407ACD090AE5B57700A9DA90 /* credential.cpp in Sources */,
- C22C344E0B278E770009368E /* osxcodewrap.cpp in Sources */,
- C22C34540B278EB60009368E /* clientid.cpp in Sources */,
+ AAC7074D0E6F4352003CC2B2 /* acl_keychain.cpp in Sources */,
+ AAC7074E0E6F4352003CC2B2 /* acls.cpp in Sources */,
+ AAC7074F0E6F4352003CC2B2 /* agentquery.cpp in Sources */,
+ AAC707500E6F4352003CC2B2 /* authority.cpp in Sources */,
+ AAC707510E6F4352003CC2B2 /* AuthorizationDBPlist.cpp in Sources */,
+ AAC707520E6F4352003CC2B2 /* AuthorizationEngine.cpp in Sources */,
+ AAC707530E6F4352003CC2B2 /* AuthorizationMechEval.cpp in Sources */,
+ AAC707540E6F4352003CC2B2 /* AuthorizationRule.cpp in Sources */,
+ AAC707550E6F4352003CC2B2 /* child.cpp in Sources */,
+ AAC707560E6F4352003CC2B2 /* codesigdb.cpp in Sources */,
+ AAC707570E6F4352003CC2B2 /* connection.cpp in Sources */,
+ AAC707580E6F4352003CC2B2 /* database.cpp in Sources */,
+ AAC707590E6F4352003CC2B2 /* dbcrypto.cpp in Sources */,
+ AAC7075A0E6F4352003CC2B2 /* entropy.cpp in Sources */,
+ AAC7075B0E6F4352003CC2B2 /* kcdatabase.cpp in Sources */,
+ AAC7075C0E6F4352003CC2B2 /* kckey.cpp in Sources */,
+ AAC7075D0E6F4352003CC2B2 /* key.cpp in Sources */,
+ AAC7075E0E6F4352003CC2B2 /* localdatabase.cpp in Sources */,
+ AAC7075F0E6F4352003CC2B2 /* localkey.cpp in Sources */,
+ AAC707600E6F4352003CC2B2 /* main.cpp in Sources */,
+ AAC707610E6F4352003CC2B2 /* notifications.cpp in Sources */,
+ AAC707620E6F4352003CC2B2 /* pcscmonitor.cpp in Sources */,
+ AAC707630E6F4352003CC2B2 /* process.cpp in Sources */,
+ AAC707640E6F4352003CC2B2 /* reader.cpp in Sources */,
+ AAC707650E6F4352003CC2B2 /* server.cpp in Sources */,
+ AAC707660E6F4352003CC2B2 /* session.cpp in Sources */,
+ AAC707670E6F4352003CC2B2 /* structure.cpp in Sources */,
+ AAC707680E6F4352003CC2B2 /* tempdatabase.cpp in Sources */,
+ AAC707690E6F4352003CC2B2 /* token.cpp in Sources */,
+ AAC7076A0E6F4352003CC2B2 /* tokendatabase.cpp in Sources */,
+ AAC7076B0E6F4352003CC2B2 /* transition.cpp in Sources */,
+ AAC7076C0E6F4352003CC2B2 /* tokencache.cpp in Sources */,
+ AAC7076D0E6F4352003CC2B2 /* selfServer.cpp in Sources */,
+ AAC7076E0E6F4352003CC2B2 /* selfUser.cpp in Sources */,
+ AAC7076F0E6F4352003CC2B2 /* tokend.cpp in Sources */,
+ AAC707700E6F4352003CC2B2 /* tokenkey.cpp in Sources */,
+ AAC707710E6F4352003CC2B2 /* tokenacl.cpp in Sources */,
+ AAC707720E6F4352003CC2B2 /* tokenaccess.cpp in Sources */,
+ AAC707730E6F4352003CC2B2 /* authhost.cpp in Sources */,
+ AAC707740E6F4352003CC2B2 /* SharedMemoryServer.cpp in Sources */,
+ AAC707750E6F4352003CC2B2 /* csproxy.cpp in Sources */,
+ AAC707760E6F4352003CC2B2 /* credential.cpp in Sources */,
+ AAC707780E6F4352003CC2B2 /* clientid.cpp in Sources */,
+ 4E0BB2B50F79590300BBFEFA /* ccaudit_extensions.cpp in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
/* End PBXSourcesBuildPhase section */
/* Begin PBXTargetDependency section */
- 4CD8CCB6055884BD006B3584 /* PBXTargetDependency */ = {
+ AA1A9FF90E71EF08003D0309 /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
- target = 4CA4EB2C0558848900CF7791 /* startup */;
- targetProxy = 4CD8CCB5055884BD006B3584 /* PBXContainerItemProxy */;
+ target = C26CF02C0CD934260094DD9D /* DTrace */;
+ targetProxy = AA1A9FF80E71EF08003D0309 /* PBXContainerItemProxy */;
};
- C209B3AA06ADBD6D007B9E6D /* PBXTargetDependency */ = {
+ AA1AA00F0E71F2ED003D0309 /* PBXTargetDependency */ = {
isa = PBXTargetDependency;
- target = C209B3A506ADBCAC007B9E6D /* mig */;
- targetProxy = C209B3A906ADBD6D007B9E6D /* PBXContainerItemProxy */;
+ target = AA6D4B810E6F3B210050206D /* startup */;
+ targetProxy = AA1AA00E0E71F2ED003D0309 /* PBXContainerItemProxy */;
};
-/* End PBXTargetDependency section */
-
-/* Begin PBXToolTarget section */
- 4CA1FEB5052A3C6D00F22E42 /* securityd */ = {
- isa = PBXToolTarget;
- buildConfigurationList = C27AD4A80987FCF4001272E0 /* Build configuration list for PBXToolTarget "securityd" */;
- buildPhases = (
- 4CA1FEB1052A3C6D00F22E42 /* Headers */,
- 4CA1FEB2052A3C6D00F22E42 /* Sources */,
- 4CA1FEB3052A3C6D00F22E42 /* Frameworks */,
- 4C01B3D706FFC621004B3A01 /* CopyFiles */,
- );
- dependencies = (
- C209B3AA06ADBD6D007B9E6D /* PBXTargetDependency */,
- 4CD8CCB6055884BD006B3584 /* PBXTargetDependency */,
- );
- name = securityd;
- productInstallPath = /usr/sbin;
- productName = securityd;
- productReference = 4CA1FEB6052A3C6D00F22E42 /* securityd */;
+ AA1AA0110E71F2F7003D0309 /* PBXTargetDependency */ = {
+ isa = PBXTargetDependency;
+ target = AA6D4B7A0E6F3A910050206D /* mig */;
+ targetProxy = AA1AA0100E71F2F7003D0309 /* PBXContainerItemProxy */;
};
-/* End PBXToolTarget section */
+/* End PBXTargetDependency section */
/* Begin XCBuildConfiguration section */
- C27AD49A0987FCF4001272E0 /* Development */ = {
+ AA6D4B7B0E6F3A910050206D /* Development */ = {
isa = XCBuildConfiguration;
buildSettings = {
BUILD_VARIANTS = debug;
+ CONFIGURATION_BUILD_DIR = "$(BUILD_DIR)";
+ CONFIGURATION_TEMP_DIR = "$(PROJECT_TEMP_DIR)";
COPY_PHASE_STRIP = NO;
CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
GCC_DYNAMIC_NO_PIC = NO;
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_OPTIMIZATION_LEVEL = 0;
+ HEADER_SEARCH_PATHS = (
+ "$(BUILT_PRODUCTS_DIR)/SecurityPieces/Headers",
+ "$(BUILT_PRODUCTS_DIR)/SecurityPieces/PrivateHeaders",
+ );
OTHER_CFLAGS = "";
OTHER_LDFLAGS = "";
OTHER_REZFLAGS = "";
};
name = Development;
};
- C27AD49B0987FCF4001272E0 /* Deployment */ = {
+ AA6D4B7C0E6F3A910050206D /* Deployment */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ CONFIGURATION_BUILD_DIR = "$(BUILD_DIR)";
+ CONFIGURATION_TEMP_DIR = "$(PROJECT_TEMP_DIR)";
+ COPY_PHASE_STRIP = YES;
CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
DEAD_CODE_STRIPPING = YES;
+ DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
GCC_DYNAMIC_NO_PIC = NO;
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
GCC_GENERATE_DEBUGGING_SYMBOLS = NO;
OTHER_CFLAGS = "";
OTHER_LDFLAGS = "";
};
name = Deployment;
};
- C27AD49C0987FCF4001272E0 /* normal with debug */ = {
+ AA6D4B7D0E6F3A910050206D /* normal with debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
BUILD_VARIANTS = normal;
+ CONFIGURATION_BUILD_DIR = "$(BUILD_DIR)";
+ CONFIGURATION_TEMP_DIR = "$(PROJECT_TEMP_DIR)";
COPY_PHASE_STRIP = NO;
OPT_LDFLAGS = "";
OPT_LDXFLAGS = "";
};
name = "normal with debug";
};
- C27AD49D0987FCF4001272E0 /* Default */ = {
+ AA6D4B7E0E6F3A910050206D /* Default */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ CONFIGURATION_BUILD_DIR = "$(BUILD_DIR)";
+ CONFIGURATION_TEMP_DIR = "$(PROJECT_TEMP_DIR)";
OTHER_CFLAGS = "";
OTHER_LDFLAGS = "";
OTHER_REZFLAGS = "";
};
name = Default;
};
- C27AD4A40987FCF4001272E0 /* Development */ = {
+ AA6D4B820E6F3B210050206D /* Development */ = {
isa = XCBuildConfiguration;
buildSettings = {
BUILD_VARIANTS = debug;
COPY_PHASE_STRIP = NO;
CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
GCC_DYNAMIC_NO_PIC = NO;
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_OPTIMIZATION_LEVEL = 0;
OTHER_CFLAGS = "";
};
name = Development;
};
- C27AD4A50987FCF4001272E0 /* Deployment */ = {
+ AA6D4B830E6F3B210050206D /* Deployment */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ COPY_PHASE_STRIP = YES;
CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
DEAD_CODE_STRIPPING = YES;
+ DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
GCC_DYNAMIC_NO_PIC = NO;
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
GCC_GENERATE_DEBUGGING_SYMBOLS = NO;
OTHER_CFLAGS = "";
OTHER_LDFLAGS = "";
};
name = Deployment;
};
- C27AD4A60987FCF4001272E0 /* normal with debug */ = {
+ AA6D4B840E6F3B210050206D /* normal with debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
- BUILD_VARIANTS = normal;
- COPY_PHASE_STRIP = NO;
- OPT_LDFLAGS = "";
- OPT_LDXFLAGS = "";
- OPT_LDXNOPIC = "";
- OTHER_CFLAGS = "";
- OTHER_CFLAGS_normal = "$(OTHER_CFLAGS) -O1 -fno-inline";
- OTHER_CPLUSPLUSFLAGS_normal = "$(OTHER_CPLUSPLUSFLAGS) -O1 -fno-inline";
- OTHER_LDFLAGS = "";
- OTHER_REZFLAGS = "";
- PRODUCT_NAME = startup;
- SECTORDER_FLAGS = "";
- WARNING_CFLAGS = (
- "-Wmost",
- "-Wno-four-char-constants",
- "-Wno-unknown-pragmas",
- );
+ PRODUCT_NAME = startup_native;
};
name = "normal with debug";
};
- C27AD4A70987FCF4001272E0 /* Default */ = {
+ AA6D4B850E6F3B210050206D /* Default */ = {
isa = XCBuildConfiguration;
buildSettings = {
- OTHER_CFLAGS = "";
- OTHER_LDFLAGS = "";
- OTHER_REZFLAGS = "";
- PRODUCT_NAME = startup;
- SECTORDER_FLAGS = "";
- WARNING_CFLAGS = (
- "-Wmost",
- "-Wno-four-char-constants",
- "-Wno-unknown-pragmas",
- );
+ PRODUCT_NAME = startup_native;
};
name = Default;
};
- C27AD4A90987FCF4001272E0 /* Development */ = {
+ AA6D4B8C0E6F3BB80050206D /* Development */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ ALWAYS_SEARCH_USER_PATHS = NO;
+ ARCHS = "$(NATIVE_ARCH)";
BUILD_VARIANTS = debug;
COPY_PHASE_STRIP = NO;
CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
- CURRENT_PROJECT_VERSION = 36489;
+ CURRENT_PROJECT_VERSION = 36975;
FRAMEWORK_SEARCH_PATHS = (
/usr/local/SecurityPieces/Frameworks,
/usr/local/SecurityPieces/Components/securityd,
"$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
);
GCC_DYNAMIC_NO_PIC = NO;
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
GCC_GENERATE_DEBUGGING_SYMBOLS = YES;
GCC_OPTIMIZATION_LEVEL = 0;
+ HEADER_SEARCH_PATHS = "\"$(BUILT_PRODUCTS_DIR)/derived_src\"";
INSTALL_PATH = /usr/sbin;
- OPTIMIZATION_CFLAGS = "-O0";
OPT_CPPXFLAGS = "$(OPT_CXFLAGS)";
OPT_CXFLAGS = "-DNDEBUG $(OPT_INLINEXFLAGS)";
OPT_INLINEXFLAGS = "-finline-functions";
OPT_LDXFLAGS = "-dead_strip";
OPT_LDXNOPIC = ",_nopic";
+ ORDER_FILE = "$(SRCROOT)/src/securityd.order";
OTHER_ASFLAGS_debug = "$(OTHER_CFLAGS)";
OTHER_ASFLAGS_normal = "-DNDEBUG $(OTHER_CFLAGS)";
OTHER_ASFLAGS_profile = "-DNDEBUG $(OTHER_CFLAGS) -pg";
- OTHER_CFLAGS_debug = "$(OTHER_CFLAGS) -fno-inline";
+ OTHER_CFLAGS_debug = "$(OTHER_CFLAGS) -O0 -fno-inline";
OTHER_CFLAGS_normal = "$(OPT_CXFLAGS) $(OTHER_CFLAGS)";
OTHER_CFLAGS_profile = "$(OPT_CXFLAGS) $(OTHER_CFLAGS) -pg";
- OTHER_CPLUSPLUSFLAGS_debug = "$(OTHER_CPLUSPLUSFLAGS) -fno-inline";
+ OTHER_CPLUSPLUSFLAGS_debug = "$(OTHER_CPLUSPLUSFLAGS) -O0 -fno-inline -gdwarf-2";
OTHER_CPLUSPLUSFLAGS_normal = "$(OPT_CPPXFLAGS) $(OTHER_CPLUSPLUSFLAGS)";
OTHER_CPLUSPLUSFLAGS_profile = "$(OPT_CPPXFLAGS) $(OTHER_CPLUSPLUSFLAGS) -pg";
- OTHER_LDFLAGS = (
- "-lbsm",
- "-exported_symbols_list",
- "$(SRCROOT)/src/securityd.exp",
- );
- OTHER_LDFLAGS_debug = "$(OTHER_LDFLAGS) \"-framework\" \"Security,_debug\" \"-framework\" \"PCSC,_debug\" \"-framework\" \"IOKit\" \"-framework\" \"CoreFoundation\" \"-framework\" \"security_agent_client,_debug\" \"-framework\" \"security_tokend_client,_debug\" \"-framework\" \"security_cdsa_client,_debug\" \"-framework\" \"securityd_server,_debug\" \"-framework\" \"securityd_client,_debug\" \"-framework\" \"security_cdsa_utilities,_debug\" \"-framework\" \"security_utilities,_debug\" \"-framework\" \"security_codesigning,_debug\"";
+ OTHER_LDFLAGS = "-lbsm";
+ OTHER_LDFLAGS_debug = "$(OTHER_LDFLAGS) \"-framework\" \"Security,_debug\" \"-framework\" \"PCSC,_debug\" \"-framework\" \"IOKit\" \"-framework\" \"CoreFoundation\" \"-framework\" \"security_agent_client,_debug\" \"-framework\" \"security_tokend_client,_debug\" \"-framework\" \"security_cdsa_client,_debug\" \"-framework\" \"securityd_server,_debug\" \"-framework\" \"securityd_client,_debug\" \"-framework\" \"security_cdsa_utilities,_debug\" \"-framework\" \"security_utilities,_debug\" \"-framework\" \"security_codesigning,_debug\" -gdwarf-2";
OTHER_LDFLAGS_normal = "$(OPT_LDXFLAGS) $(OTHER_LDFLAGS) \"-framework\" \"Security\" \"-framework\" \"PCSC\" \"-framework\" \"IOKit\" \"-framework\" \"CoreFoundation\" \"-framework\" \"security_agent_client$(OPT_LDXNOPIC)\" \"-framework\" \"security_tokend_client$(OPT_LDXNOPIC)\" \"-framework\" \"security_cdsa_client$(OPT_LDXNOPIC)\" \"-framework\" \"securityd_server$(OPT_LDXNOPIC)\" \"-framework\" \"securityd_client$(OPT_LDXNOPIC)\" \"-framework\" \"security_cdsa_utilities$(OPT_LDXNOPIC)\" \"-framework\" \"security_utilities$(OPT_LDXNOPIC)\"";
OTHER_LDFLAGS_profile = "$(OPT_LDXFLAGS) $(OTHER_LDFLAGS) -pg \"-framework\" \"Security,_profile\" \"-framework\" \"PCSC,_profile\" \"-framework\" \"IOKit\" \"-framework\" \"CoreFoundation\" \"-framework\" \"security_agent_client,_profile\" \"-framework\" \"security_tokend_client,_profile\" \"-framework\" \"security_cdsa_client,_profile\" \"-framework\" \"securityd_server,_profile\" \"-framework\" \"securityd_client,_profile\" \"-framework\" \"security_cdsa_utilities,_profile\" \"-framework\" \"security_utilities,_profile\"";
+ PREBINDING = NO;
PRODUCT_NAME = securityd;
- SECTORDER_FLAGS = (
- "-sectorder",
- __TEXT,
- __text,
- src/securityd.order,
- "-e",
- start,
- );
VERSIONING_SYSTEM = "apple-generic";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
"-Wno-unknown-pragmas",
);
- ZERO_LINK = YES;
+ ZERO_LINK = NO;
};
name = Development;
};
- C27AD4AA0987FCF4001272E0 /* Deployment */ = {
+ AA6D4B8D0E6F3BB80050206D /* Deployment */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ ALWAYS_SEARCH_USER_PATHS = NO;
BUILD_VARIANTS = (
normal,
debug,
);
+ COPY_PHASE_STRIP = "(null)";
CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
- CURRENT_PROJECT_VERSION = 36489;
- DEAD_CODE_STRIPPING = YES;
- EXPORTED_SYMBOLS_FILE = "$(SRCROOT)/src/securityd.exp";
+ CURRENT_PROJECT_VERSION = 36975;
+ DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
FRAMEWORK_SEARCH_PATHS = (
/usr/local/SecurityPieces/Frameworks,
/usr/local/SecurityPieces/Components/securityd,
"$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
);
GCC_DYNAMIC_NO_PIC = NO;
- GCC_ENABLE_FIX_AND_CONTINUE = YES;
GCC_GENERATE_DEBUGGING_SYMBOLS = NO;
+ GCC_OPTIMIZATION_LEVEL = s;
+ HEADER_SEARCH_PATHS = "\"$(BUILT_PRODUCTS_DIR)/derived_src\"";
INSTALL_PATH = /usr/sbin;
OPT_CPPXFLAGS = "$(OPT_CXFLAGS)";
OPT_CXFLAGS = "-DNDEBUG $(OPT_INLINEXFLAGS)";
OPT_INLINEXFLAGS = "-finline-functions";
OPT_LDXFLAGS = "-dead_strip";
OPT_LDXNOPIC = ",_nopic";
- OTHER_ASFLAGS_debug = "$(OTHER_CFLAGS)";
+ ORDER_FILE = "$(SRCROOT)/src/securityd.order";
+ OTHER_ASFLAGS_debug = "\"$(OTHER_CFLAGS)\"";
OTHER_ASFLAGS_normal = "-DNDEBUG $(OTHER_CFLAGS)";
OTHER_ASFLAGS_profile = "-DNDEBUG $(OTHER_CFLAGS) -pg";
- OTHER_CFLAGS_debug = "$(OTHER_CFLAGS) -O1 -fno-inline";
+ OTHER_CFLAGS_debug = "$(OTHER_CFLAGS) -O0 -fno-inline";
OTHER_CFLAGS_normal = "$(OPT_CXFLAGS) $(OTHER_CFLAGS)";
OTHER_CFLAGS_profile = "$(OPT_CXFLAGS) $(OTHER_CFLAGS) -pg";
- OTHER_CPLUSPLUSFLAGS_debug = "$(OTHER_CPLUSPLUSFLAGS) -O1 -fno-inline";
+ OTHER_CPLUSPLUSFLAGS_debug = "$(OTHER_CPLUSPLUSFLAGS) -O0 -fno-inline -gdwarf-2";
OTHER_CPLUSPLUSFLAGS_normal = "$(OPT_CPPXFLAGS) $(OTHER_CPLUSPLUSFLAGS)";
OTHER_CPLUSPLUSFLAGS_profile = "$(OPT_CPPXFLAGS) $(OTHER_CPLUSPLUSFLAGS) -pg";
- OTHER_LDFLAGS = (
- "-lbsm",
- "-exported_symbols_list",
- "$(SRCROOT)/src/securityd.exp",
- );
+ OTHER_LDFLAGS = "-lbsm";
OTHER_LDFLAGS_debug = "$(OTHER_LDFLAGS) \"-framework\" \"Security,_debug\" \"-framework\" \"PCSC,_debug\" \"-framework\" \"IOKit\" \"-framework\" \"CoreFoundation\" \"-framework\" \"security_agent_client,_debug\" \"-framework\" \"security_tokend_client,_debug\" \"-framework\" \"security_cdsa_client,_debug\" \"-framework\" \"securityd_server,_debug\" \"-framework\" \"securityd_client,_debug\" \"-framework\" \"security_cdsa_utilities,_debug\" \"-framework\" \"security_utilities,_debug\" \"-framework\" \"security_codesigning,_debug\"";
OTHER_LDFLAGS_normal = "$(OPT_LDXFLAGS) $(OTHER_LDFLAGS) \"-framework\" \"Security\" \"-framework\" \"PCSC\" \"-framework\" \"IOKit\" \"-framework\" \"CoreFoundation\" \"-framework\" \"security_agent_client$(OPT_LDXNOPIC)\" \"-framework\" \"security_tokend_client$(OPT_LDXNOPIC)\" \"-framework\" \"security_cdsa_client$(OPT_LDXNOPIC)\" \"-framework\" \"securityd_server$(OPT_LDXNOPIC)\" \"-framework\" \"securityd_client$(OPT_LDXNOPIC)\" \"-framework\" \"security_cdsa_utilities$(OPT_LDXNOPIC)\" \"-framework\" \"security_utilities$(OPT_LDXNOPIC)\"";
OTHER_LDFLAGS_profile = "$(OPT_LDXFLAGS) $(OTHER_LDFLAGS) -pg \"-framework\" \"Security,_profile\" \"-framework\" \"PCSC,_profile\" \"-framework\" \"IOKit\" \"-framework\" \"CoreFoundation\" \"-framework\" \"security_agent_client,_profile\" \"-framework\" \"security_tokend_client,_profile\" \"-framework\" \"security_cdsa_client,_profile\" \"-framework\" \"securityd_server,_profile\" \"-framework\" \"securityd_client,_profile\" \"-framework\" \"security_cdsa_utilities,_profile\" \"-framework\" \"security_utilities,_profile\"";
+ PREBINDING = NO;
PRODUCT_NAME = securityd;
- SECTORDER_FLAGS = (
- "-sectorder",
- __TEXT,
- __text,
- src/securityd.order,
- "-e",
- start,
- );
VERSIONING_SYSTEM = "apple-generic";
WARNING_CFLAGS = (
"-Wmost",
};
name = Deployment;
};
- C27AD4AB0987FCF4001272E0 /* normal with debug */ = {
+ AA6D4B8E0E6F3BB80050206D /* normal with debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ ALWAYS_SEARCH_USER_PATHS = NO;
BUILD_VARIANTS = normal;
COPY_PHASE_STRIP = NO;
- CURRENT_PROJECT_VERSION = 36489;
- EXPORTED_SYMBOLS_FILE = "$(SRCROOT)/src/securityd.exp";
+ CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
+ CURRENT_PROJECT_VERSION = 36975;
FRAMEWORK_SEARCH_PATHS = (
/usr/local/SecurityPieces/Frameworks,
/usr/local/SecurityPieces/Components/securityd,
/usr/local/SecurityPieces/Components/Security,
"$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
);
+ GCC_DYNAMIC_NO_PIC = "";
+ GCC_GENERATE_DEBUGGING_SYMBOLS = "";
+ GCC_MODEL_TUNING = G5;
+ GCC_OPTIMIZATION_LEVEL = "";
+ HEADER_SEARCH_PATHS = "\"$(BUILT_PRODUCTS_DIR)/derived_src\"";
INSTALL_PATH = /usr/sbin;
OPT_CPPXFLAGS = "$(OPT_CXFLAGS)";
OPT_CXFLAGS = "-DNDEBUG $(OPT_INLINEXFLAGS)";
OPT_INLINEXFLAGS = "-finline-functions";
- OPT_LDFLAGS = "";
OPT_LDXFLAGS = "";
OPT_LDXNOPIC = "";
- OTHER_ASFLAGS_debug = "$(OTHER_CFLAGS)";
+ ORDER_FILE = "$(SRCROOT)/src/securityd.order";
+ OTHER_ASFLAGS_debug = "\"$(OTHER_CFLAGS)\"";
OTHER_ASFLAGS_normal = "-DNDEBUG $(OTHER_CFLAGS)";
OTHER_ASFLAGS_profile = "-DNDEBUG $(OTHER_CFLAGS) -pg";
- OTHER_CFLAGS_debug = "$(OTHER_CFLAGS) -O1 -fno-inline";
+ OTHER_CFLAGS_debug = "$(OTHER_CFLAGS) -O0 -fno-inline";
OTHER_CFLAGS_normal = "$(OTHER_CFLAGS) -O1 -fno-inline";
OTHER_CFLAGS_profile = "$(OPT_CXFLAGS) $(OTHER_CFLAGS) -pg";
- OTHER_CPLUSPLUSFLAGS_debug = "$(OTHER_CPLUSPLUSFLAGS) -O1 -fno-inline";
- OTHER_CPLUSPLUSFLAGS_normal = "$(OTHER_CPLUSPLUSFLAGS) -O1 -fno-inline";
+ OTHER_CPLUSPLUSFLAGS_debug = "$(OTHER_CPLUSPLUSFLAGS) -O0 -fno-inline -gdwarf-2";
+ OTHER_CPLUSPLUSFLAGS_normal = "$(OTHER_CPLUSPLUSFLAGS) -fno-inline";
OTHER_CPLUSPLUSFLAGS_profile = "$(OPT_CPPXFLAGS) $(OTHER_CPLUSPLUSFLAGS) -pg";
- OTHER_LDFLAGS = (
- "-lbsm",
- "-exported_symbols_list",
- "$(SRCROOT)/src/securityd.exp",
- );
+ OTHER_LDFLAGS = "-lbsm";
OTHER_LDFLAGS_debug = "$(OTHER_LDFLAGS) \"-framework\" \"Security,_debug\" \"-framework\" \"PCSC,_debug\" \"-framework\" \"IOKit\" \"-framework\" \"CoreFoundation\" \"-framework\" \"security_agent_client,_debug\" \"-framework\" \"security_tokend_client,_debug\" \"-framework\" \"security_cdsa_client,_debug\" \"-framework\" \"securityd_server,_debug\" \"-framework\" \"securityd_client,_debug\" \"-framework\" \"security_cdsa_utilities,_debug\" \"-framework\" \"security_utilities,_debug\" \"-framework\" \"security_codesigning,_debug\"";
OTHER_LDFLAGS_normal = "$(OPT_LDXFLAGS) $(OTHER_LDFLAGS) \"-framework\" \"Security\" \"-framework\" \"PCSC\" \"-framework\" \"IOKit\" \"-framework\" \"CoreFoundation\" \"-framework\" \"security_agent_client$(OPT_LDXNOPIC)\" \"-framework\" \"security_tokend_client$(OPT_LDXNOPIC)\" \"-framework\" \"security_cdsa_client$(OPT_LDXNOPIC)\" \"-framework\" \"securityd_server$(OPT_LDXNOPIC)\" \"-framework\" \"securityd_client$(OPT_LDXNOPIC)\" \"-framework\" \"security_cdsa_utilities$(OPT_LDXNOPIC)\" \"-framework\" \"security_utilities$(OPT_LDXNOPIC)\"";
OTHER_LDFLAGS_profile = "$(OPT_LDXFLAGS) $(OTHER_LDFLAGS) -pg \"-framework\" \"Security,_profile\" \"-framework\" \"PCSC,_profile\" \"-framework\" \"IOKit\" \"-framework\" \"CoreFoundation\" \"-framework\" \"security_agent_client,_profile\" \"-framework\" \"security_tokend_client,_profile\" \"-framework\" \"security_cdsa_client,_profile\" \"-framework\" \"securityd_server,_profile\" \"-framework\" \"securityd_client,_profile\" \"-framework\" \"security_cdsa_utilities,_profile\" \"-framework\" \"security_utilities,_profile\"";
+ PREBINDING = NO;
PRODUCT_NAME = securityd;
- SECTORDER_FLAGS = (
- "-sectorder",
- __TEXT,
- __text,
- src/securityd.order,
- "-e",
- start,
- );
VERSIONING_SYSTEM = "apple-generic";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
"-Wno-unknown-pragmas",
);
+ ZERO_LINK = NO;
};
name = "normal with debug";
};
- C27AD4AC0987FCF4001272E0 /* Default */ = {
+ AA6D4B8F0E6F3BB80050206D /* Default */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ ALWAYS_SEARCH_USER_PATHS = NO;
BUILD_VARIANTS = (
normal,
debug,
);
- CURRENT_PROJECT_VERSION = 36489;
- EXPORTED_SYMBOLS_FILE = "$(SRCROOT)/src/securityd.exp";
+ COPY_PHASE_STRIP = "(null)";
+ CSSM_HEADERS = "";
+ CURRENT_PROJECT_VERSION = 36975;
FRAMEWORK_SEARCH_PATHS = (
/usr/local/SecurityPieces/Frameworks,
/usr/local/SecurityPieces/Components/securityd,
/usr/local/SecurityPieces/Components/Security,
"$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks",
);
+ GCC_DYNAMIC_NO_PIC = "";
+ GCC_GENERATE_DEBUGGING_SYMBOLS = "";
+ GCC_MODEL_TUNING = G5;
+ HEADER_SEARCH_PATHS = "$(BUILT_PRODUCTS_DIR)/derived_src";
INSTALL_PATH = /usr/sbin;
OPT_CPPXFLAGS = "$(OPT_CXFLAGS)";
OPT_CXFLAGS = "-DNDEBUG $(OPT_INLINEXFLAGS)";
OPT_INLINEXFLAGS = "-finline-functions";
OPT_LDXFLAGS = "-dead_strip";
OPT_LDXNOPIC = ",_nopic";
+ ORDER_FILE = "$(SRCROOT)/src/securityd.order";
OTHER_ASFLAGS_debug = "$(OTHER_CFLAGS)";
OTHER_ASFLAGS_normal = "-DNDEBUG $(OTHER_CFLAGS)";
OTHER_ASFLAGS_profile = "-DNDEBUG $(OTHER_CFLAGS) -pg";
- OTHER_CFLAGS_debug = "$(OTHER_CFLAGS) -O1 -fno-inline";
+ OTHER_CFLAGS_debug = "$(OTHER_CFLAGS) -O0 -fno-inline -gdwarf-2";
OTHER_CFLAGS_normal = "$(OPT_CXFLAGS) $(OTHER_CFLAGS)";
OTHER_CFLAGS_profile = "$(OPT_CXFLAGS) $(OTHER_CFLAGS) -pg";
- OTHER_CPLUSPLUSFLAGS_debug = "$(OTHER_CPLUSPLUSFLAGS) -O1 -fno-inline";
+ OTHER_CPLUSPLUSFLAGS_debug = "$(OTHER_CPLUSPLUSFLAGS) -O0 -fno-inline -gdwarf-2 ";
OTHER_CPLUSPLUSFLAGS_normal = "$(OPT_CPPXFLAGS) $(OTHER_CPLUSPLUSFLAGS)";
OTHER_CPLUSPLUSFLAGS_profile = "$(OPT_CPPXFLAGS) $(OTHER_CPLUSPLUSFLAGS) -pg";
- OTHER_LDFLAGS = (
- "-lbsm",
- "-exported_symbols_list",
- "$(SRCROOT)/src/securityd.exp",
- );
+ OTHER_LDFLAGS = "-lbsm";
OTHER_LDFLAGS_debug = "$(OTHER_LDFLAGS) \"-framework\" \"Security,_debug\" \"-framework\" \"PCSC,_debug\" \"-framework\" \"IOKit\" \"-framework\" \"CoreFoundation\" \"-framework\" \"security_agent_client,_debug\" \"-framework\" \"security_tokend_client,_debug\" \"-framework\" \"security_cdsa_client,_debug\" \"-framework\" \"securityd_server,_debug\" \"-framework\" \"securityd_client,_debug\" \"-framework\" \"security_cdsa_utilities,_debug\" \"-framework\" \"security_utilities,_debug\" \"-framework\" \"security_codesigning,_debug\"";
OTHER_LDFLAGS_normal = "$(OPT_LDXFLAGS) $(OTHER_LDFLAGS) \"-framework\" \"Security\" \"-framework\" \"PCSC\" \"-framework\" \"IOKit\" \"-framework\" \"CoreFoundation\" \"-framework\" \"security_agent_client$(OPT_LDXNOPIC)\" \"-framework\" \"security_tokend_client$(OPT_LDXNOPIC)\" \"-framework\" \"security_cdsa_client$(OPT_LDXNOPIC)\" \"-framework\" \"securityd_server$(OPT_LDXNOPIC)\" \"-framework\" \"securityd_client$(OPT_LDXNOPIC)\" \"-framework\" \"security_cdsa_utilities$(OPT_LDXNOPIC)\" \"-framework\" \"security_utilities$(OPT_LDXNOPIC)\"";
OTHER_LDFLAGS_profile = "$(OPT_LDXFLAGS) $(OTHER_LDFLAGS) -pg \"-framework\" \"Security,_profile\" \"-framework\" \"PCSC,_profile\" \"-framework\" \"IOKit\" \"-framework\" \"CoreFoundation\" \"-framework\" \"security_agent_client,_profile\" \"-framework\" \"security_tokend_client,_profile\" \"-framework\" \"security_cdsa_client,_profile\" \"-framework\" \"securityd_server,_profile\" \"-framework\" \"securityd_client,_profile\" \"-framework\" \"security_cdsa_utilities,_profile\" \"-framework\" \"security_utilities,_profile\"";
+ PREBINDING = NO;
PRODUCT_NAME = securityd;
- SECTORDER_FLAGS = (
- "-sectorder",
- __TEXT,
- __text,
- src/securityd.order,
- "-e",
- start,
- );
VERSIONING_SYSTEM = "apple-generic";
WARNING_CFLAGS = (
"-Wmost",
"-Wno-four-char-constants",
"-Wno-unknown-pragmas",
);
+ ZERO_LINK = NO;
+ };
+ name = Default;
+ };
+ C26CF02D0CD934260094DD9D /* Development */ = {
+ isa = XCBuildConfiguration;
+ buildSettings = {
+ COPY_PHASE_STRIP = NO;
+ GCC_DYNAMIC_NO_PIC = NO;
+ GCC_OPTIMIZATION_LEVEL = 0;
+ INSTALLHDRS_SCRIPT_PHASE = YES;
+ PRODUCT_NAME = DTrace;
+ };
+ name = Development;
+ };
+ C26CF02E0CD934260094DD9D /* Deployment */ = {
+ isa = XCBuildConfiguration;
+ buildSettings = {
+ COPY_PHASE_STRIP = YES;
+ DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
+ INSTALLHDRS_SCRIPT_PHASE = YES;
+ PRODUCT_NAME = DTrace;
+ ZERO_LINK = NO;
+ };
+ name = Deployment;
+ };
+ C26CF02F0CD934260094DD9D /* normal with debug */ = {
+ isa = XCBuildConfiguration;
+ buildSettings = {
+ INSTALLHDRS_SCRIPT_PHASE = YES;
+ PRODUCT_NAME = DTrace;
+ };
+ name = "normal with debug";
+ };
+ C26CF0300CD934260094DD9D /* Default */ = {
+ isa = XCBuildConfiguration;
+ buildSettings = {
+ INSTALLHDRS_SCRIPT_PHASE = YES;
+ PRODUCT_NAME = DTrace;
};
name = Default;
};
C27AD4AE0987FCF4001272E0 /* Development */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ CODE_SIGN_IDENTITY = "-";
CONFIGURATION_BUILD_DIR = "$(BUILD_DIR)";
CONFIGURATION_TEMP_DIR = "$(PROJECT_TEMP_DIR)";
+ GCC_OPTIMIZATION_LEVEL = 0;
HEADER_SEARCH_PATHS = (
"$(BUILT_PRODUCTS_DIR)/SecurityPieces/Headers",
"$(BUILT_PRODUCTS_DIR)/SecurityPieces/PrivateHeaders",
C27AD4AF0987FCF4001272E0 /* Deployment */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ CODE_SIGN_IDENTITY = "-";
CONFIGURATION_BUILD_DIR = "$(BUILD_DIR)";
CONFIGURATION_TEMP_DIR = "$(PROJECT_TEMP_DIR)";
};
C27AD4B00987FCF4001272E0 /* normal with debug */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ CODE_SIGN_IDENTITY = "-";
CONFIGURATION_BUILD_DIR = "$(BUILD_DIR)";
CONFIGURATION_TEMP_DIR = "$(PROJECT_TEMP_DIR)";
+ GCC_OPTIMIZATION_LEVEL = 0;
};
name = "normal with debug";
};
C27AD4B10987FCF4001272E0 /* Default */ = {
isa = XCBuildConfiguration;
buildSettings = {
+ CODE_SIGN_IDENTITY = "-";
CONFIGURATION_BUILD_DIR = "$(BUILD_DIR)";
CONFIGURATION_TEMP_DIR = "$(PROJECT_TEMP_DIR)";
};
/* End XCBuildConfiguration section */
/* Begin XCConfigurationList section */
- C27AD4990987FCF4001272E0 /* Build configuration list for PBXAggregateTarget "mig" */ = {
+ AA6D4B7F0E6F3AE50050206D /* Build configuration list for PBXAggregateTarget "mig" */ = {
+ isa = XCConfigurationList;
+ buildConfigurations = (
+ AA6D4B7B0E6F3A910050206D /* Development */,
+ AA6D4B7C0E6F3A910050206D /* Deployment */,
+ AA6D4B7D0E6F3A910050206D /* normal with debug */,
+ AA6D4B7E0E6F3A910050206D /* Default */,
+ );
+ defaultConfigurationIsVisible = 0;
+ defaultConfigurationName = Default;
+ };
+ AA6D4B860E6F3B8D0050206D /* Build configuration list for PBXAggregateTarget "startup" */ = {
isa = XCConfigurationList;
buildConfigurations = (
- C27AD49A0987FCF4001272E0 /* Development */,
- C27AD49B0987FCF4001272E0 /* Deployment */,
- C27AD49C0987FCF4001272E0 /* normal with debug */,
- C27AD49D0987FCF4001272E0 /* Default */,
+ AA6D4B820E6F3B210050206D /* Development */,
+ AA6D4B830E6F3B210050206D /* Deployment */,
+ AA6D4B840E6F3B210050206D /* normal with debug */,
+ AA6D4B850E6F3B210050206D /* Default */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Default;
};
- C27AD4A30987FCF4001272E0 /* Build configuration list for PBXLegacyTarget "startup" */ = {
+ AA6D4B900E6F3BE80050206D /* Build configuration list for PBXNativeTarget "securityd" */ = {
isa = XCConfigurationList;
buildConfigurations = (
- C27AD4A40987FCF4001272E0 /* Development */,
- C27AD4A50987FCF4001272E0 /* Deployment */,
- C27AD4A60987FCF4001272E0 /* normal with debug */,
- C27AD4A70987FCF4001272E0 /* Default */,
+ AA6D4B8C0E6F3BB80050206D /* Development */,
+ AA6D4B8D0E6F3BB80050206D /* Deployment */,
+ AA6D4B8E0E6F3BB80050206D /* normal with debug */,
+ AA6D4B8F0E6F3BB80050206D /* Default */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Default;
};
- C27AD4A80987FCF4001272E0 /* Build configuration list for PBXToolTarget "securityd" */ = {
+ C26CF03B0CD934420094DD9D /* Build configuration list for PBXAggregateTarget "DTrace" */ = {
isa = XCConfigurationList;
buildConfigurations = (
- C27AD4A90987FCF4001272E0 /* Development */,
- C27AD4AA0987FCF4001272E0 /* Deployment */,
- C27AD4AB0987FCF4001272E0 /* normal with debug */,
- C27AD4AC0987FCF4001272E0 /* Default */,
+ C26CF02D0CD934260094DD9D /* Development */,
+ C26CF02E0CD934260094DD9D /* Deployment */,
+ C26CF02F0CD934260094DD9D /* normal with debug */,
+ C26CF0300CD934260094DD9D /* Default */,
);
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Default;
return;
CFIndex configSize = CFDataGetLength(configXML);
- size_t bytesWritten = write(fd, CFDataGetBytePtr(configXML), configSize);
+ ssize_t bytesWritten = write(fd, CFDataGetBytePtr(configXML), configSize);
CFRelease(configXML);
if (bytesWritten != configSize) {
- if (bytesWritten == static_cast<size_t>(-1))
+ if (bytesWritten == -1)
Syslog::error("Problem writing rules file \"%s\": (errno=%s)",
tempFile.c_str(), strerror(errno));
else
CFMutableDataRef xmlData = CFDataCreateMutable(NULL, fileSize);
CFDataSetLength(xmlData, fileSize);
void *buffer = CFDataGetMutableBytePtr(xmlData);
- size_t bytesRead = read(fd, buffer, fileSize);
+ ssize_t bytesRead = read(fd, buffer, fileSize);
if (bytesRead != fileSize) {
- if (bytesRead == static_cast<size_t>(-1)) {
+ if (bytesRead == -1) {
Syslog::error("Problem reading rules file \"%s\": %s",
mFileName.c_str(), strerror(errno));
CFRelease(xmlData);
CFMutableDictionaryRef newRules = NULL;
if (!config)
+ {
+ Syslog::alert("Failed to parse config, no config");
MacOSError::throwMe(errAuthorizationInternal);
+ }
if (CFDictionaryContainsKey(config, rulesKey))
newRules = reinterpret_cast<CFMutableDictionaryRef>(const_cast<void*>(CFDictionaryGetValue(config, rulesKey)));
try {
CFDictionaryApplyFunction(newRights, parseRule, this);
} catch (...) {
+ Syslog::alert("Failed to parse config and apply dictionary function");
MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule file
}
mConfig = config;
}
else
+ {
+ Syslog::alert("Failed to parse config, invalid rule file");
MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule file
+ }
}
void AuthorizationDBPlist::parseRule(const void *key, const void *value, void *context)
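Review bot: The `Syslog::alert` added inside `catch (...)` discards whatever `parseRule` threw and does not name the file being loaded, so the log records only that loading failed. The read-error path earlier in this diff logs `mFileName.c_str()`; assuming that member is reachable in this method, the same could be done here, e.g. `Syslog::alert("Failed to parse config \"%s\": a rule could not be applied", mFileName.c_str());`. Catching a typed exception ahead of `catch (...)` would also let the original error code be logged before it is replaced by `errAuthorizationInternal`, though the exception types involved are not visible in this hunk. The enclosing function begins outside the hunk.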
bool
AuthorizationDBPlist::validateRule(string inRightName, CFDictionaryRef inRightDefinition) const
{
+ if (!mConfigRules ||
+ 0 == CFDictionaryGetCount(mConfigRules)) {
+ Syslog::error("No rule definitions!");
+ MacOSError::throwMe(errAuthorizationInternal);
+ }
try {
Rule newRule(inRightName, inRightDefinition, mConfigRules);
if (newRule->name() == inRightName)
CFDictionaryRef
AuthorizationDBPlist::getRuleDefinition(string &key)
{
+ if (!mConfigRights ||
+ 0 == CFDictionaryGetCount(mConfigRights)) {
+ Syslog::error("No rule definitions!");
+ MacOSError::throwMe(errAuthorizationInternal);
+ }
CFStringRef cfKey = makeCFString(key);
StLock<Mutex> _(mLock);
if (CFDictionaryContainsKey(mConfigRights, cfKey)) {
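Review bot: The new guard reads `mConfigRights` and calls `CFDictionaryGetCount` on it before `StLock<Mutex> _(mLock);` is taken two lines later, so the check is not covered by the lock that protects the lookup that follows. If a reload can replace or empty the dictionary under `mLock` (not visible here), the guard may inspect a stale object; moving `StLock<Mutex> _(mLock);` to the first statement of the function, above `if (!mConfigRights || ...)`, closes that window. The message is also copied from the `validateRule` hunk: this guard tests the rights dictionary, so `Syslog::error("No rights definitions!");` would match what was checked. The `validateRule` hunk adds the same guard on `mConfigRules` with no lock in view, so whether it needs one depends on code outside that hunk. The function body continues past the end of this hunk.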
{
// if mConfig is now a reasonable guard
if (!inRuleDefinition || !mConfigRights)
- MacOSError::throwMe(errAuthorizationDenied); // errInvalidRule
+ {
+ Syslog::alert("Failed to set rule, no definition or rights");
+ MacOSError::throwMe(errAuthorizationDenied); // ???/gh errAuthorizationInternal instead?
+ }
CFRef<CFStringRef> keyRef(CFStringCreateWithCString(NULL, inRightName,
kCFStringEncodingASCII));
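Review bot: The guard still folds two different failures into one branch, and the added `// ???/gh errAuthorizationInternal instead?` comment leaves the status question open instead of settling it. A null `inRuleDefinition` is a bad argument from the caller, while a null `mConfigRights` means the rights database is not loaded. Testing them separately lets only the second be logged with `Syslog::alert` and, if callers do not depend on the current code, be reported as `errAuthorizationInternal`, with `if (!inRuleDefinition) MacOSError::throwMe(errAuthorizationDenied);` kept for the first. If the definition can be null on a client-driven request (not visible here), keeping that case out of the alert path also prevents a client from generating alert-priority log entries at will. The remove-rule hunk that follows carries the same open `???/gh` comment, and both functions start outside their hunks.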
{
// if mConfig is now a reasonable guard
if (!mConfigRights)
- MacOSError::throwMe(errAuthorizationDenied);
+ {
+ Syslog::alert("Failed to remove rule, no rights");
+ MacOSError::throwMe(errAuthorizationDenied); // ???/gh errAuthorizationInternal instead?
+ }
CFRef<CFStringRef> keyRef(CFStringCreateWithCString(NULL, inRightName,
kCFStringEncodingASCII));
/*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004,2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#include <Security/AuthorizationPriv.h>
#include <Security/AuthorizationDB.h>
-
#include "authority.h"
#include <Security/AuthorizationTags.h>
#include <security_utilities/logging.h>
#include <security_utilities/cfutilities.h>
#include <security_utilities/debugging.h>
-//#include "session.h"
#include "server.h"
#include <CoreFoundation/CFData.h>
#include <fcntl.h>
#include <float.h>
-#include <bsm/audit_uevents.h>
+#include <bsm/audit_uevents.h> // AUE_ssauth*
+#include "ccaudit_extensions.h"
namespace Authorization {
+using namespace CommonCriteria::Securityd;
+
//
// Errors to be thrown
{
CredentialSet credentials;
OSStatus status = errAuthorizationSuccess;
+ SecurityAgent::Reason reason = SecurityAgent::noReason;
// Get current time of day.
CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
// generate hints for every authorization
AuthItemSet environmentToClient = environment;
+ RightAuthenticationLogger logger(auth.creatorAuditToken(), AUE_ssauthorize);
+
AuthItemSet::const_iterator end = inRights.end();
for (AuthItemSet::const_iterator it = inRights.begin(); it != end; ++it)
{
// Get the rule for each right we are trying to obtain.
const Rule &toplevelRule = mAuthdb.getRule(*it);
- OSStatus result = toplevelRule->evaluate(*it, toplevelRule, environmentToClient, flags, now, inCredentials, credentials, auth);
- secdebug("autheval", "evaluate rule %s for right %s returned %ld.", toplevelRule->name().c_str(), (*it)->name(), result);
-
- {
- string processName = "unknown";
- if (SecCodeRef code = Server::process().currentGuest()) {
- CFRef<CFURLRef> path;
- if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
- processName = cfString(path);
- }
- string authCreatorName = "unknown";
- if (SecStaticCodeRef code = auth.creatorCode()) {
- CFRef<CFURLRef> path;
- if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
- authCreatorName = cfString(path);
- }
+ OSStatus result = toplevelRule->evaluate(*it, toplevelRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason);
+ secdebug("autheval", "evaluate rule %s for right %s returned %d.", toplevelRule->name().c_str(), (*it)->name(), int(result));
+ SECURITYD_AUTH_EVALRIGHT(&auth, (char *)(*it)->name(), result);
+
+ string processName = "unknown";
+ string authCreatorName = "unknown";
+ if (SecCodeRef code = Server::process().currentGuest()) {
+ CFRef<CFURLRef> path;
+ if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
+ processName = cfString(path);
+ }
+ if (SecStaticCodeRef code = auth.creatorCode()) {
+ CFRef<CFURLRef> path;
+ if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
+ authCreatorName = cfString(path);
+ }
+
+ logger.setRight((*it)->name());
+ logger.logAuthorizationResult(processName.c_str(), authCreatorName.c_str(), result);
- if (result == errAuthorizationSuccess) {
- Syslog::info("Succeeded authorizing right %s by client %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str());
- CommonCriteria::AuditRecord auditrec(auth.creatorAuditToken());
- auditrec.submit(AUE_ssauthorize, CommonCriteria::errNone, (*it)->name());
- } else if (result == errAuthorizationDenied) {
- Syslog::notice("Failed to authorize right %s by client %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str());
- }
- }
-
- if (result == errAuthorizationSuccess)
- outRights.insert(*it);
- else if (result == errAuthorizationDenied || result == errAuthorizationInteractionNotAllowed)
- {
- // add creator pid to authorization token
- if (!(flags & kAuthorizationFlagPartialRights))
- {
- status = result;
- break;
- }
- }
+ if (result == errAuthorizationSuccess)
+ {
+ outRights.insert(*it);
+ Syslog::info("Succeeded authorizing right '%s' by client '%s' for authorization created by '%s'", (*it)->name(), processName.c_str(), authCreatorName.c_str());
+ }
+ else if (result == errAuthorizationDenied || result == errAuthorizationInteractionNotAllowed)
+ {
+ if (result == errAuthorizationDenied)
+ {
+ Syslog::notice("Failed to authorize right '%s' by client '%s' for authorization created by '%s'", (*it)->name(), processName.c_str(), authCreatorName.c_str());
+ }
+
+ // add creator pid to authorization token
+ if (!(flags & kAuthorizationFlagPartialRights))
+ {
+ status = result;
+ break;
+ }
+ }
else if (result == errAuthorizationCanceled)
{
status = result;
break;
- }
- else
- {
- Syslog::error("Engine::authorize: Rule::evaluate returned %ld returning errAuthorizationInternal", result);
- status = errAuthorizationInternal;
- break;
+ }
+ else
+ {
+ Syslog::error("Engine::authorize: Rule::evaluate returned %ld returning errAuthorizationInternal", result);
+ status = errAuthorizationInternal;
+ break;
}
}
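Review bot: The re-added `Syslog::error` in the final `else` still formats `result` with `%ld`, while the `secdebug` call earlier in this hunk was changed to `%d` with `int(result)` for the same `OSStatus` value. If `OSStatus` is 32 bits on this build, as that change suggests, the conversion and the argument no longer match, and the logged code on this internal-error path can be wrong. I would write it as `Syslog::error("Engine::authorize: Rule::evaluate returned %d returning errAuthorizationInternal", int(result));`. The same kind of mismatch is introduced in the `getVector` hunk of the rule file, where a `CFIndex` is passed for `%u` in `"... for item %u in array", index`; `%ld` with `long(index)` would match.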
virtual int unixError() const throw();
virtual OSStatus osStatus() const throw();
virtual const char *what () const throw();
- // @@@ Default value should be internal error.
- static void throwMe(int err = -1) __attribute((noreturn));
+ static void throwMe(int err) __attribute((noreturn));
};
/*
- * Copyright (c) 2003-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2003-2004,2008-2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#include "AuthorizationMechEval.h"
#include <security_utilities/logging.h>
#include <bsm/audit_uevents.h>
-#include <security_utilities/ccaudit.h>
+#include "ccaudit_extensions.h"
namespace Authorization {
+using namespace CommonCriteria::Securityd;
+
AgentMechanismRef::AgentMechanismRef(const AuthHostType type, Session &session) :
RefPointer<QueryInvokeMechanism>(new QueryInvokeMechanism(type, session)) {}
OSStatus
AgentMechanismEvaluator::run(const AuthValueVector &inArguments, const AuthItemSet &inHints, const AuthorizationToken &auth)
{
+ AuthMechLogger logger(auth.creatorAuditToken(), AUE_ssauthmech);
+ string rightName = "<unknown right>"; // for syslog
+
+ // as of 10.6, the first item in inArguments should be the name of the
+ // requested right, for auditing
+ try
+ {
+ AuthorizationValue val = inArguments.at(0)->value();
+ string tmpstr(static_cast<const char *>(val.data), val.length);
+ logger.setRight(tmpstr);
+ rightName.clear();
+ rightName = tmpstr;
+ }
+ catch (...) { }
+
const AuthItemSet &inContext = const_cast<AuthorizationToken &>(auth).infoSet();
// add process specifics to context?
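Review bot: The empty `catch (...) { }` around `inArguments.at(0)` silently covers the case of an empty argument vector, and a caller in this same patch still takes that path. The too-many-tries branch of `RuleImpl::evaluateAuthentication` calls `eval.run(AuthValueVector(), ...)`, so mechanism audit records for that run carry no right name and syslog falls back to `<unknown right>`. An explicit `if (!inArguments.empty())` in place of the try block would show that the omission is expected rather than an error, and passing `authValueVector` at that call site would keep the right in the audit trail. A short comment that `val.data` is caller-supplied and copied by `val.length`, not assumed to be NUL-terminated, would also help the next reader. The body of `run()` continues outside this hunk.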
AuthItemSet context = inContext;
// add saved-off sticky context values to context for evaluation
context.insert(mStickyContext.begin(), mStickyContext.end());
-
+
while ( (result == kAuthorizationResultAllow) &&
(currentMechanism != mMechanisms.end()) ) // iterate mechanisms
{
+ SECURITYD_AUTH_MECH(&auth, (char *)(*currentMechanism).c_str());
+
+ // set up the audit message
+ logger.setCurrentMechanism(*currentMechanism);
+
+ // do the real work
ClientMap::iterator iter = mClients.find(*currentMechanism);
if (iter == mClients.end())
{
if (extMechanism != string::npos)
{
if (extMechanism < extPlugin)
+ {
+ string auditMsg = "badly formed mechanism name; ending rule evaluation";
+ Syslog::alert("Right '%s', mech '%s': %s", rightName.c_str(), (*currentMechanism).c_str(), auditMsg.c_str());
+ logger.logFailure(auditMsg);
return errAuthorizationInternal;
+ }
mechanismIn = currentMechanism->substr(extPlugin + 1, extMechanism - extPlugin - 1);
authhostIn = currentMechanism->substr(extMechanism + 1);
secdebug("AuthEvalMech", "performing authentication");
result = authinternal(context);
- AuthItem *rightItem = hints.find(AGENT_HINT_AUTHORIZE_RIGHT);
- string right = (rightItem == NULL) ? string("<unknown right>") : rightItem->stringValue();
- CommonCriteria::AuditRecord auditrec(auth.creatorAuditToken());
if (kAuthorizationResultAllow == result)
- auditrec.submit(AUE_ssauthint, CommonCriteria::errNone, right.c_str());
+ {
+ logger.logSuccess();
+ }
else // kAuthorizationResultDeny
- auditrec.submit(AUE_ssauthint, CommonCriteria::errInvalidCredential, right.c_str());
+ {
+ logger.logFailure();
+ }
}
else if (*currentMechanism == "push_hints_to_context")
{
secdebug("AuthEvalMech", "evaluate push_hints_to_context");
+ logger.logSuccess();
// doesn't block evaluation, ever
result = kAuthorizationResultAllow;
context = hints;
}
else
+ {
+ string auditMsg = "unknown mechanism; ending rule evaluation";
+ Syslog::alert("Right '%s', mech '%s': %s", rightName.c_str(), (*currentMechanism).c_str(), auditMsg.c_str());
+ logger.logFailure(auditMsg);
return errAuthorizationInternal;
+ }
}
iter = mClients.find(*currentMechanism);
while (client->state() == client->deactivating)
client->receive();
- secdebug("AuthEvalMech", "evaluate(%s) interrupted by %s.", (iter->first).c_str(), (iter2->first).c_str());
+ string auditMsg = "evaluation interrupted by ";
+ auditMsg += (iter2->first).c_str();
+ auditMsg += "; restarting evaluation there";
+ secdebug("AuthEvalMech", "%s", auditMsg.c_str());
+ logger.logInterrupt(auditMsg);
interrupted = true;
hints = iter2->second->inHints();
continue;
}
else
- secdebug("AuthEvalMech", "evaluate(%s) with result: %lu.", (iter->first).c_str(), result);
+ secdebug("AuthEvalMech", "evaluate(%s) with result: %u.", (iter->first).c_str(), (uint32_t)result);
}
catch (...) {
- secdebug("AuthEvalMech", "exception during evaluate(%s).", (iter->first).c_str());
+ string auditMsg = "exception during evaluation of ";
+ auditMsg += (iter->first).c_str();
+ secdebug("AuthEvalMech", "%s", auditMsg.c_str());
+ logger.logFailure(auditMsg);
result = kAuthorizationResultUndefined;
}
}
if (result == kAuthorizationResultAllow)
+ {
+ logger.logSuccess();
currentMechanism++;
+ }
}
-
+
if ((result == kAuthorizationResultUserCanceled) ||
(result == kAuthorizationResultAllow))
{
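Review bot: The `logger.logSuccess()` added under `if (result == kAuthorizationResultAllow)` appears to produce a second success record for the built-in mechanisms. The `authinternal` branch and the `push_hints_to_context` branch each call `logger.logSuccess()` already, and, as far as the visible lines show, control then falls through to this block before `currentMechanism++`. The code between those branches and this block is outside the hunk, so this needs confirming. If it holds, every built-in mechanism is audited twice, which inflates counts for anyone correlating on these events. Either drop the per-branch calls and keep this one, or add a comment here stating that built-ins have already been logged and guard the call accordingly.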
if (item->flags() != kAuthorizationContextFlagSticky)
mContext.insert(item);
}
+ if (result == kAuthorizationResultUserCanceled)
+ logger.logFailure(NULL, errAuthorizationCanceled);
}
else if (result == kAuthorizationResultDeny)
{
if (item->flags() == kAuthorizationContextFlagSticky)
mStickyContext.insert(item);
}
+ logger.logFailure();
}
// convert AuthorizationResult to OSStatus
return errAuthorizationCanceled;
case kAuthorizationResultAllow:
return errAuthorizationSuccess;
+ case kAuthorizationResultUndefined:
+ return errAuthorizationInternal;
default:
+ {
+ Syslog::alert("Right '%s': unexpected error result (%u)", rightName.c_str(), result);
+ logger.logFailure("unexpected error result", result);
return errAuthorizationInternal;
+ }
}
}
/*
- * Copyright (c) 2003-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2003-2004,2008 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
AgentMechanismEvaluator(uid_t uid, Session &session, const vector<string>& inMechanisms);
OSStatus run(const AuthValueVector &inArguments, const AuthItemSet &inHints, const AuthorizationToken &auth);
- AuthorizationResult AgentMechanismEvaluator::authinternal(AuthItemSet &context);
+ AuthorizationResult authinternal(AuthItemSet &context);
AuthItemSet &hints() { return mHints; }
AuthItemSet &context() { return mContext; }
/*
- * Copyright (c) 2003-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2003-2004,2008-2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#include <Security/AuthorizationDB.h>
#include <Security/AuthorizationPriv.h>
#include <security_utilities/logging.h>
-#include <security_utilities/ccaudit.h>
#include <bsm/audit_uevents.h>
+#include "ccaudit_extensions.h"
#include "authority.h"
#include "server.h"
#include "process.h"
#include <membershipPriv.h>
}
+using namespace CommonCriteria::Securityd;
+
//
// Rule class
//
string
-RuleImpl::Attribute::getString(CFDictionaryRef config, CFStringRef key, bool required = false, char *defaultValue = "")
+RuleImpl::Attribute::getString(CFDictionaryRef config, CFStringRef key, bool required = false, const char *defaultValue = "")
{
CFTypeRef value = CFDictionaryGetValue(config, key);
if (value && (CFGetTypeID(value) == CFStringGetTypeID()))
if (CFStringGetCString(stringValue, buffer, sizeof(buffer), kCFStringEncodingUTF8))
ptr = buffer;
else
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+ {
+ Syslog::alert("Could not convert CFString to C string");
+ MacOSError::throwMe(errAuthorizationInternal);
+ }
}
return string(ptr);
if (!required)
return string(defaultValue);
else
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+ {
+ Syslog::alert("Failed to get rule string");
+ MacOSError::throwMe(errAuthorizationInternal);
+ }
}
double
if (!required)
return defaultValue;
else
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+ {
+ Syslog::alert("Failed to get rule double value");
+ MacOSError::throwMe(errAuthorizationInternal);
+ }
return doubleValue;
}
if (!required)
return defaultValue;
else
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+ {
+ Syslog::alert("Failed to get rule bool value");
+ MacOSError::throwMe(errAuthorizationInternal);
+ }
return boolValue;
}
{
CFArrayRef evalArray = reinterpret_cast<CFArrayRef>(value);
- for (int index=0; index < CFArrayGetCount(evalArray); index++)
+ CFIndex numItems = CFArrayGetCount(evalArray);
+ for (CFIndex index=0; index < numItems; index++)
{
CFTypeRef arrayValue = CFArrayGetValueAtIndex(evalArray, index);
if (arrayValue && (CFGetTypeID(arrayValue) == CFStringGetTypeID()))
if (CFStringGetCString(stringValue, buffer, sizeof(buffer), kCFStringEncodingUTF8))
ptr = buffer;
else
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+ {
+ Syslog::alert("Failed to convert CFString to C string for item %u in array", index);
+ MacOSError::throwMe(errAuthorizationInternal);
+ }
}
valueArray.push_back(string(ptr));
}
}
else
if (required)
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+ {
+ Syslog::alert("Value for key either not present or not a CFArray");
+ MacOSError::throwMe(errAuthorizationInternal);
+ }
return valueArray;
}
// @@@ make sure cfRight is non mutable and never used that way
if (CFGetTypeID(cfRight) != CFDictionaryGetTypeID())
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+ {
+ Syslog::alert("Invalid rights set");
+ MacOSError::throwMe(errAuthorizationInternal);
+ }
mTries = 0;
if (cfRuleDef && CFGetTypeID(cfRuleDef) == CFDictionaryGetTypeID())
mEvalDef = Attribute::getVector(cfRuleDef, kMechanismsID);
}
- mTries = int(Attribute::getDouble(cfRight, kTriesID, false, 3.0)); // XXX/cs double(kAuthorizationMaxTries)
+ mTries = int(Attribute::getDouble(cfRight, kTriesID, false, double(kMaximumAuthorizationTries)));
mAuthenticateUser = Attribute::getBool(cfRight, kRuleAuthenticateUserID, false, true);
secdebug("authrule", "%s : rule user in group \"%s\" timeout %g%s%s",
if (ruleDefRef)
CFRelease(ruleDefRef);
if (!cfRuleDef || CFGetTypeID(cfRuleDef) != CFDictionaryGetTypeID())
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+ {
+ Syslog::alert("'%s' does not name a built-in rule", ruleDefString.c_str());
+ MacOSError::throwMe(errAuthorizationInternal);
+ }
mRuleDef.push_back(Rule(ruleDefString, cfRuleDef, cfRules));
}
else // array
if (ruleNameRef)
CFRelease(ruleNameRef);
if (!cfRuleDef || (CFGetTypeID(cfRuleDef) != CFDictionaryGetTypeID()))
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+ {
+ Syslog::alert("Invalid rule '%s'in rule set", it->c_str());
+ MacOSError::throwMe(errAuthorizationInternal);
+ }
mRuleDef.push_back(Rule(*it, cfRuleDef, cfRules));
}
}
}
else
{
- secdebug("authrule", "%s : rule class unknown %s.", inRightName.c_str(), classTag.c_str());
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+ secdebug("authrule", "%s : rule class '%s' unknown.", inRightName.c_str(), classTag.c_str());
+ Syslog::alert("%s : rule class '%s' unknown", inRightName.c_str(), classTag.c_str());
+ MacOSError::throwMe(errAuthorizationInternal);
}
}
else
if (ruleNameRef)
CFRelease(ruleNameRef);
if (!cfRuleDef || CFGetTypeID(cfRuleDef) != CFDictionaryGetTypeID())
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+ {
+ Syslog::alert("Rule '%s' for right '%s' does not exist or is not properly formed", ruleName.c_str(), inRightName.c_str());
+ MacOSError::throwMe(errAuthorizationInternal);
+ }
mRuleDef.push_back(Rule(ruleName, cfRuleDef, cfRules));
}
// we'll run that and validate the credentials from there.
// we fall back on a default configuration from the authenticate rule
OSStatus
-RuleImpl::evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule,AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth) const
+RuleImpl::evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule,AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason) const
{
OSStatus status = errAuthorizationDenied;
Credential hintCredential;
- if (errAuthorizationSuccess == evaluateSessionOwner(inRight, inRule, environmentToClient, now, auth, hintCredential)) {
- if (hintCredential->name().length())
- environmentToClient.insert(AuthItemRef(AGENT_HINT_SUGGESTED_USER, AuthValueOverlay(hintCredential->name())));
+ if (errAuthorizationSuccess == evaluateSessionOwner(inRight, inRule, environmentToClient, now, auth, hintCredential, reason)) {
+ if (hintCredential->username().length())
+ environmentToClient.insert(AuthItemRef(AGENT_HINT_SUGGESTED_USER, AuthValueOverlay(hintCredential->username())));
if (hintCredential->realname().length())
environmentToClient.insert(AuthItemRef(AGENT_HINT_SUGGESTED_USER_LONG, AuthValueOverlay(hintCredential->realname())));
}
environmentToClient.insert(AuthItemRef(AGENT_HINT_REQUIRE_USER_IN_GROUP, AuthValueOverlay(mGroupName)));
uint32 tries;
- SecurityAgent::Reason reason = SecurityAgent::noReason;
+ reason = SecurityAgent::noReason;
Process &cltProc = Server::process();
// Authorization preserves creator's UID in setuid processes
+ // (which is nice, but cltUid ends up being unused except by the debug
+ // message -- AgentMechanismEvaluator ignores it)
uid_t cltUid = (cltProc.uid() != 0) ? cltProc.uid() : auth.creatorUid();
secdebug("AuthEvalMech", "Mechanism invocation by process %d (UID %d)", cltProc.pid(), cltUid);
+ // For auditing within AuthorizationMechEval, pass the right name.
+ size_t rightNameSize = inRight->name() ? strlen(inRight->name()) : 0;
+ AuthorizationString rightName = inRight->name() ? inRight->name() : "";
+ // @@@ AuthValueRef's ctor ought to take a const void *
+ AuthValueRef rightValue(rightNameSize, const_cast<char *>(rightName));
+ AuthValueVector authValueVector;
+ authValueVector.push_back(rightValue);
+
+ RightAuthenticationLogger rightAuthLogger(auth.creatorAuditToken(), AUE_ssauthint);
+ rightAuthLogger.setRight(rightName);
+
AgentMechanismEvaluator eval(cltUid, auth.session(), mEvalDef);
for (tries = 0; tries < mTries; tries++)
AuthItemRef triesHint(AGENT_HINT_TRIES, AuthValueOverlay(sizeof(tries), &tries));
environmentToClient.erase(triesHint); environmentToClient.insert(triesHint); // replace
- status = eval.run(AuthValueVector(), environmentToClient, auth);
-
- if ((status == errAuthorizationSuccess) ||
- (status == errAuthorizationCanceled)) // @@@ can only pass back sideband through context
- {
- secdebug("AuthEvalMech", "storing new context for authorization");
- auth.setInfoSet(eval.context());
- }
-
- // successfully ran mechanisms to obtain credential
- if (status == errAuthorizationSuccess)
- {
- // deny is the default
- status = errAuthorizationDenied;
-
- CredentialSet newCredentials = makeCredentials(auth);
- // clear context after extracting credentials
- auth.scrubInfoSet();
-
- CommonCriteria::AuditRecord auditrec(auth.creatorAuditToken());
- for (CredentialSet::const_iterator it = newCredentials.begin(); it != newCredentials.end(); ++it)
- {
- const Credential& newCredential = *it;
-
- // @@@ we log the uid a process was running under when it created the authref, which is misleading in the case of loginwindow
- if (newCredential->isValid()) {
- Syslog::info("uid %lu succeeded authenticating as user %s (uid %lu) for right %s.", auth.creatorUid(), newCredential->name().c_str(), newCredential->uid(), inRight->name());
- auditrec.submit(AUE_ssauthint, CommonCriteria::errNone, inRight->name());
- } else {
- // we can't be sure that the user actually exists so inhibit logging of uid
- Syslog::error("uid %lu failed to authenticate as user %s for right %s.", auth.creatorUid(), newCredential->name().c_str(), inRight->name());
- auditrec.submit(AUE_ssauthint, CommonCriteria::errInvalidCredential, inRight->name());
- }
-
- if (!newCredential->isValid())
- {
- reason = SecurityAgent::invalidPassphrase; //invalidPassphrase;
- continue;
- }
-
- // verify that this credential authorizes right
- status = evaluateUserCredentialForRight(auth, inRight, inRule, environmentToClient, now, newCredential, true);
-
- if (status == errAuthorizationSuccess)
- {
- if (auth.operatesAsLeastPrivileged()) {
- Credential rightCredential(inRight->name(), mShared);
- credentials.erase(rightCredential); credentials.insert(rightCredential);
- if (mShared)
- credentials.insert(Credential(inRight->name(), false));
- } else {
- // whack an equivalent credential, so it gets updated to a later achieved credential which must have been more stringent
- credentials.erase(newCredential); credentials.insert(newCredential);
- // just got a new credential - if it's shared also add a non-shared one that to stick in the authorizationref local cache
- if (mShared)
- credentials.insert(Credential(newCredential->uid(), newCredential->name(), newCredential->realname(), false));
- }
-
- // use valid credential to set context info
- // XXX/cs keeping this for now, such that the uid is passed back
- auth.setCredentialInfo(newCredential);
- secdebug("SSevalMech", "added valid credential for user %s", newCredential->name().c_str());
- status = errAuthorizationSuccess;
- break;
- }
- else
- reason = SecurityAgent::userNotInGroup; //unacceptableUser; // userNotInGroup
- }
+ status = eval.run(authValueVector, environmentToClient, auth);
+
+ if ((status == errAuthorizationSuccess) ||
+ (status == errAuthorizationCanceled)) // @@@ can only pass back sideband through context
+ {
+ secdebug("AuthEvalMech", "storing new context for authorization");
+ auth.setInfoSet(eval.context());
+ }
+
+ // successfully ran mechanisms to obtain credential
+ if (status == errAuthorizationSuccess)
+ {
+ // deny is the default
+ status = errAuthorizationDenied;
+
+ CredentialSet newCredentials = makeCredentials(auth);
+ // clear context after extracting credentials
+ auth.scrubInfoSet();
+
+ for (CredentialSet::const_iterator it = newCredentials.begin(); it != newCredentials.end(); ++it)
+ {
+ const Credential& newCredential = *it;
+
+ // @@@ we log the uid a process was running under when it created the authref, which is misleading in the case of loginwindow
+ if (newCredential->isValid()) {
+ Syslog::info("UID %u authenticated as user %s (UID %u) for right '%s'", auth.creatorUid(), newCredential->username().c_str(), newCredential->uid(), rightName);
+ rightAuthLogger.logSuccess(auth.creatorUid(), newCredential->uid(), newCredential->username().c_str());
+ } else {
+ // we can't be sure that the user actually exists so inhibit logging of uid
+ Syslog::error("UID %u failed to authenticate as user '%s' for right '%s'", auth.creatorUid(), newCredential->username().c_str(), rightName);
+ rightAuthLogger.logFailure(auth.creatorUid(), newCredential->username().c_str());
+ }
+
+ if (!newCredential->isValid())
+ {
+ reason = SecurityAgent::invalidPassphrase;
+ continue;
+ }
+
+ // verify that this credential authorizes right
+ status = evaluateUserCredentialForRight(auth, inRight, inRule, environmentToClient, now, newCredential, true, reason);
+
+ if (status == errAuthorizationSuccess)
+ {
+ if (auth.operatesAsLeastPrivileged()) {
+ Credential rightCredential(rightName, newCredential->uid(), mShared);
+ credentials.erase(rightCredential); credentials.insert(rightCredential);
+ if (mShared)
+ credentials.insert(Credential(rightName, newCredential->uid(), false));
+ } else {
+ // whack an equivalent credential, so it gets updated to a later achieved credential which must have been more stringent
+ credentials.erase(newCredential); credentials.insert(newCredential);
+ // just got a new credential - if it's shared also add a non-shared one that to stick in the authorizationref local cache
+ if (mShared)
+ credentials.insert(Credential(newCredential->uid(), newCredential->username(), newCredential->realname(), newCredential->groupname(), false));
+ }
+
+ // use valid credential to set context info
+ // XXX/cs keeping this for now, such that the uid is passed back
+ auth.setCredentialInfo(newCredential);
+ secdebug("SSevalMech", "added valid credential for user %s", newCredential->username().c_str());
+ status = errAuthorizationSuccess;
+ break;
+ }
+ }
if (status == errAuthorizationSuccess)
break;
}
else
- if ((status == errAuthorizationCanceled) ||
- (status == errAuthorizationInternal))
+ if ((status == errAuthorizationCanceled) || (status == errAuthorizationInternal))
{
auth.scrubInfoSet();
break;
else // last mechanism is now authentication - fail
if (status == errAuthorizationDenied)
reason = SecurityAgent::invalidPassphrase;
-}
+ }
// If we fell out of the loop because of too many tries, notify user
if (tries == mTries)
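Review bot: The failure branch records the attempted account name verbatim, in `Syslog::error("UID %u failed to authenticate as user '%s' for right '%s'", ...)` and in `rightAuthLogger.logFailure(auth.creatorUid(), newCredential->username().c_str())`. For an invalid credential that string is whatever was entered at the prompt, which is sometimes a password typed into the name field, so it can end up in syslog and the audit trail. The comment just above already withholds the uid because the user may not exist; the same reasoning applies to the name. I would log the name only when it resolves to a known account, or else add a comment such as `// NOTE: username is unverified input here; logged deliberately for audit` so the decision is explicit. `evaluateAuthentication` starts before this hunk and continues after it.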
environmentToClient.erase(retryHint); environmentToClient.insert(retryHint); // replace
AuthItemRef triesHint(AGENT_HINT_TRIES, AuthValueOverlay(sizeof(tries), &tries));
environmentToClient.erase(triesHint); environmentToClient.insert(triesHint); // replace
- eval.run(AuthValueVector(), environmentToClient, auth);
+ eval.run(AuthValueVector(), environmentToClient, auth);
// XXX/cs is this still necessary?
auth.scrubInfoSet();
- CommonCriteria::AuditRecord auditrec(auth.creatorAuditToken());
- auditrec.submit(AUE_ssauthorize, CommonCriteria::errTooManyTries, inRight->name());
+ rightAuthLogger.logFailure(NULL, CommonCriteria::errTooManyTries);
}
return status;
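Review bot: The too-many-tries record appears to change audit event type in this hunk. The removed code submitted `AUE_ssauthorize` with `CommonCriteria::errTooManyTries` and the right name, while the replacement calls `rightAuthLogger.logFailure(NULL, CommonCriteria::errTooManyTries)` on a logger constructed earlier in the function with `AUE_ssauthint`. The logger's implementation is not visible here, so this needs confirming, but if the event type follows the constructor argument, any audit filter or detection keyed on `AUE_ssauthorize` for lockout-style failures will stop matching. If the change is intended, a comment at this call such as `// audited as AUE_ssauthint since 10.6; was AUE_ssauthorize` would document it for whoever maintains the audit consumers.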
if (username.length() && uid)
{
// credential is valid because mechanism says so
- newCredentials.insert(Credential(*uid, username, "", mShared));
+ newCredentials.insert(Credential(*uid, username, "", "", mShared));
}
} while(0);
// evaluate whether a good credential of the current session owner would authorize a right
OSStatus
-RuleImpl::evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential) const
+RuleImpl::evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential, SecurityAgent::Reason &reason) const
{
// username hint is taken from the user who created the authorization, unless it's clearly ineligible
// @@@ we have no access to current requester uid here and the process uid is only taken when the authorization is created
if (session.haveOriginatorUid()) {
// preflight session credential as if it were a fresh copy
const Credential &cred = session.originatorCredential();
- sessionCredential = Credential(cred->uid(), cred->name(), cred->realname(), mShared/*ignored*/);
+ sessionCredential = Credential(cred->uid(), cred->username(), cred->realname(), cred->groupname(), mShared/*ignored*/);
} else {
uid = auth.creatorUid();
Server::active().longTermActivity();
// Check if username will authorize the request and set username to
// be used as a hint to the user if so
secdebug("AuthEvalMech", "preflight credential from current user, result follows:");
- sessionCredential = Credential(pw->pw_uid, pw->pw_name, pw->pw_gecos, mShared/*ignored*/);
+ sessionCredential = Credential(pw->pw_uid, pw->pw_name, pw->pw_gecos, "", mShared/*ignored*/);
} //fi
endpwent();
}
}
- OSStatus status = evaluateUserCredentialForRight(auth, inRight, inRule, environment, now, sessionCredential, true);
+ OSStatus status = evaluateUserCredentialForRight(auth, inRight, inRule, environment, now, sessionCredential, true, reason);
if (errAuthorizationSuccess == status)
credential = sessionCredential;
OSStatus
-RuleImpl::evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared) const
+RuleImpl::evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const
{
if (auth.operatesAsLeastPrivileged()) {
- if (credential->isRight() && credential->isValid() && (inRight->name() == credential->name()))
+ if (credential->isRight() && credential->isValid() && (inRight->name() == credential->rightname()))
return errAuthorizationSuccess;
else
+ {
+ // @@@ no proper SA::Reason
+ reason = SecurityAgent::unknownReason;
return errAuthorizationDenied;
+ }
} else
- return evaluateUserCredentialForRight(auth, inRight, inRule, environment, now, credential, false);
+ return evaluateUserCredentialForRight(auth, inRight, inRule, environment, now, credential, false, reason);
}
// Return errAuthorizationSuccess if this rule allows access based on the specified credential,
// return errAuthorizationDenied otherwise.
OSStatus
-RuleImpl::evaluateUserCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared) const
+RuleImpl::evaluateUserCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const
{
assert(mType == kUser);
+ // Ideally we'd set the AGENT_HINT_RETRY_REASON hint in this method, but
+ // evaluateAuthentication() overwrites it before
+ // AgentMechanismEvaluator::run(). That's what led to passing "reason"
+ // everywhere, from RuleImpl::evaluate() on down.
+
// Get the username from the credential
- const char *user = credential->name().c_str();
+ const char *user = credential->username().c_str();
- // If the credential is not valid or it's age is more than the allowed maximum age
+ // If the credential is not valid or its age is more than the allowed maximum age
// for a credential, deny.
if (!credential->isValid())
{
+ // @@@ it could be the username, not password, was invalid
+ reason = SecurityAgent::invalidPassphrase;
secdebug("autheval", "credential for user %s is invalid, denying right %s", user, inRight->name());
return errAuthorizationDenied;
}
if (now - credential->creationTime() > mMaxCredentialAge)
{
+ // @@@ no proper SA::Reason
+ reason = SecurityAgent::unknownReason;
secdebug("autheval", "credential for user %s has expired, denying right %s", user, inRight->name());
return errAuthorizationDenied;
}
if (!ignoreShared && !mShared && credential->isShared())
{
+ // @@@ no proper SA::Reason
+ reason = SecurityAgent::unknownReason;
secdebug("autheval", "shared credential for user %s cannot be used, denying right %s", user, inRight->name());
return errAuthorizationDenied;
}
secdebug("autheval", "user %s is session-owner(uid: %d), granting right %s", user, console_user, inRight->name());
return errAuthorizationSuccess;
}
+ // set "reason" in this case? not that a proper SA::Reason exists
}
else
+ {
+ // @@@ no proper SA::Reason
+ reason = SecurityAgent::unknownReason;
secdebug("autheval", "session-owner check failed.");
+ }
}
if (mGroupName.length())
{
uuid_t group_uuid, user_uuid;
int is_member;
-
+
+ // @@@ it'd be nice to have SA::Reason codes for the failures
+ // associated with the pre-check-membership mbr_*() functions,
+ // but userNotInGroup will do
if (mbr_group_name_to_uuid(groupname, group_uuid))
break;
if (is_member)
{
+ credential->setGroupname(mGroupName);
secdebug("autheval", "user %s is a member of group %s, granting right %s",
user, groupname, inRight->name());
return errAuthorizationSuccess;
}
while (0);
-
+
+ reason = SecurityAgent::userNotInGroup;
secdebug("autheval", "user %s is not a member of group %s, denying right %s",
user, groupname, inRight->name());
}
+ else if (mSessionOwner) // rule asks only if user is the session owner
+ {
+ reason = SecurityAgent::unacceptableUser;
+ }
return errAuthorizationDenied;
}
OSStatus
-RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth) const
+RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason) const
{
- // If we got here, this is a kUser type rule, let's start looking for a
+ // If we got here, this is a kUser type rule, let's start looking for a
// credential that is satisfactory
// Zeroth -- Here is an extra special saucy ugly hack to allow authorizations
// created by a proccess running as root to automatically get a right.
if (mAllowRoot && auth.creatorUid() == 0)
{
+ SECURITYD_AUTH_USER_ALLOWROOT(&auth);
+
secdebug("autheval", "creator of authorization has uid == 0 granting right %s",
inRight->name());
return errAuthorizationSuccess;
if (!mAuthenticateUser)
{
Credential hintCredential;
- OSStatus status = evaluateSessionOwner(inRight, inRule, environmentToClient, now, auth, hintCredential);
+ OSStatus status = evaluateSessionOwner(inRight, inRule, environmentToClient, now, auth, hintCredential, reason);
if (!status)
+ {
+ SECURITYD_AUTH_USER_ALLOWSESSIONOWNER(&auth);
return errAuthorizationSuccess;
+ }
return errAuthorizationDenied;
}
// First -- go though the credentials we either already used or obtained during this authorize operation.
for (CredentialSet::const_iterator it = credentials.begin(); it != credentials.end(); ++it)
{
- // Passed in user credentials are allowed for least privileged mode
+ // Passed-in user credentials are allowed for least-privileged mode
if (auth.operatesAsLeastPrivileged() && !(*it)->isRight() && (*it)->isValid())
{
- OSStatus status = evaluateUserCredentialForRight(auth, inRight, inRule, environmentToClient, now, *it, false);
+ OSStatus status = evaluateUserCredentialForRight(auth, inRight, inRule, environmentToClient, now, *it, false, reason);
if (errAuthorizationSuccess == status) {
- Credential rightCredential(inRight->name(), mShared);
+ Credential rightCredential(inRight->name(), (*it)->uid(), mShared);
credentials.erase(rightCredential); credentials.insert(rightCredential);
if (mShared)
- credentials.insert(Credential(inRight->name(), false));
+ credentials.insert(Credential(inRight->name(), (*it)->uid(), false));
return status;
}
}
// if this is least privileged, this will function differently: match credential to requested right
- OSStatus status = evaluateCredentialForRight(auth, inRight, inRule, environmentToClient, now, *it, false);
+ OSStatus status = evaluateCredentialForRight(auth, inRight, inRule, environmentToClient, now, *it, false, reason);
if (status != errAuthorizationDenied) {
// add credential to authinfo
for (CredentialSet::const_iterator it = inCredentials->begin(); it != inCredentials->end(); ++it)
{
// if this is least privileged, this will function differently: match credential to requested right
- OSStatus status = evaluateCredentialForRight(auth, inRight, inRule, environmentToClient, now, *it, false);
+ OSStatus status = evaluateCredentialForRight(auth, inRight, inRule, environmentToClient, now, *it, false, reason);
if (status == errAuthorizationSuccess)
{
setAgentHints(inRight, inRule, environmentToClient, auth);
- return evaluateAuthentication(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth);
+ return evaluateAuthentication(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason);
}
OSStatus
{
AgentMechanismEvaluator eval(cltUid, auth.session(), mEvalDef);
-
+ // For auditing within AuthorizationMechEval, pass the right name.
+ size_t rightNameSize = inRight->name() ? strlen(inRight->name()) : 0;
+ AuthorizationString rightName = inRight->name() ? inRight->name() : "";
+ // @@@ AuthValueRef's ctor ought to take a const void *
+ AuthValueRef rightValue(rightNameSize, const_cast<char *>(rightName));
+ AuthValueVector authValueVector;
+ authValueVector.push_back(rightValue);
+
do
{
setAgentHints(inRight, inRule, environmentToClient, auth);
AuthItemRef triesHint(AGENT_HINT_TRIES, AuthValueOverlay(sizeof(tries), &tries));
environmentToClient.erase(triesHint); environmentToClient.insert(triesHint); // replace
-
- status = eval.run(AuthValueVector(), environmentToClient, auth);
-
+
+ status = eval.run(authValueVector, environmentToClient, auth);
if ((status == errAuthorizationSuccess) ||
(status == errAuthorizationCanceled)) // @@@ can only pass back sideband through context
{
auth.setInfoSet(eval.context());
if (status == errAuthorizationSuccess)
{
+ // (try to) attach the authorizing UID to the least-priv cred
if (auth.operatesAsLeastPrivileged())
- outCredentials.insert(Credential(inRight->name(), mShared));
+ {
+ RightAuthenticationLogger logger(auth.creatorAuditToken(), AUE_ssauthint);
+ logger.setRight(rightName);
+
+ AuthItem *uidItem = eval.context().find(AGENT_CONTEXT_UID);
+ if (uidItem)
+ {
+ uid_t authorizedUid;
+ memcpy(&authorizedUid, uidItem->value().data, sizeof(authorizedUid));
+ secdebug("AuthEvalMech", "generating least-privilege cred for '%s' authorized by UID %u", inRight->name(), authorizedUid);
+ outCredentials.insert(Credential(rightName, authorizedUid, mShared));
+ logger.logLeastPrivilege(authorizedUid, true);
+ }
+ else // cltUid is better than nothing
+ {
+ secdebug("AuthEvalMech", "generating least-privilege cred for '%s' with process- or auth-UID %u", inRight->name(), cltUid);
+ outCredentials.insert(Credential(rightName, cltUid, mShared));
+ logger.logLeastPrivilege(cltUid, false);
+ }
+ }
else
outCredentials = makeCredentials(auth);
}
}
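Review bot: The `memcpy(&authorizedUid, uidItem->value().data, sizeof(authorizedUid))` in the least-privilege branch copies a fixed `sizeof(uid_t)` bytes without checking the item's length. The value comes out of `eval.context()`, which appears to be filled by the mechanism evaluator rather than by securityd itself. A short or empty AGENT_CONTEXT_UID item would be read past its end, and the resulting UID is then attached to the credential and written to the audit record. Guard it with `if (uidItem && uidItem->value().data && uidItem->value().length >= sizeof(authorizedUid))` and let everything else fall through to the existing `cltUid` branch. The enclosing function starts and ends outside this hunk.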
// HACK kill all hosts to free pages for low memory systems
+ // (XXX/gh there should be a #define for this right)
if (name() == "system.login.done")
{
+ // one case where we don't want to mark the agents as "busy"
QueryInvokeMechanism query(securityAgent, auth.session());
query.terminateAgent();
QueryInvokeMechanism query2(privilegedAuthHost, auth.session());
}
OSStatus
-RuleImpl::evaluateRules(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth) const
+RuleImpl::evaluateRules(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason) const
{
// line up the rules to try
if (!mRuleDef.size())
return errAuthorizationSuccess;
// get a rule and try it
- status = (*it)->evaluate(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth);
+ status = (*it)->evaluate(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason);
// if status is cancel/internal error abort
if ((status == errAuthorizationCanceled) || (status == errAuthorizationInternal))
OSStatus
-RuleImpl::evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth) const
+RuleImpl::evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason) const
{
switch (mType)
{
case kAllow:
- secdebug("autheval", "rule is always allow");
+ SECURITYD_AUTH_ALLOW(&auth, (char *)name().c_str());
return errAuthorizationSuccess;
case kDeny:
- secdebug("autheval", "rule is always deny");
+ SECURITYD_AUTH_DENY(&auth, (char *)name().c_str());
return errAuthorizationDenied;
case kUser:
- secdebug("autheval", "rule is user");
- return evaluateUser(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth);
+ SECURITYD_AUTH_USER(&auth, (char *)name().c_str());
+ return evaluateUser(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason);
case kRuleDelegation:
- secdebug("autheval", "rule evaluates rules");
- return evaluateRules(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth);
+ SECURITYD_AUTH_RULES(&auth, (char *)name().c_str());
+ return evaluateRules(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason);
case kKofN:
- secdebug("autheval", "rule evaluates k-of-n rules");
- return evaluateRules(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth);
+ SECURITYD_AUTH_KOFN(&auth, (char *)name().c_str());
+ return evaluateRules(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason);
case kEvaluateMechanisms:
- secdebug("autheval", "rule evaluates mechanisms");
+ SECURITYD_AUTH_MECHRULE(&auth, (char *)name().c_str());
+ // if we had a SecurityAgent::Reason code for "mechanism denied,"
+ // it would make sense to pass down "reason"
return evaluateMechanismOnly(inRight, inRule, environmentToClient, auth, credentials);
default:
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule
+ Syslog::alert("Unrecognized rule type %d", mType);
+ MacOSError::throwMe(errAuthorizationInternal); // invalid rule
}
}
OSStatus evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient,
AuthorizationFlags flags, CFAbsoluteTime now,
const CredentialSet *inCredentials, CredentialSet &credentials,
- AuthorizationToken &auth) const;
+ AuthorizationToken &auth, SecurityAgent::Reason &reason) const;
string name() const { return mRightName; }
// evaluate credential for right
OSStatus evaluateCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule,
- const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared) const;
+ const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const;
// evaluate user credential (authentication) for right
- OSStatus evaluateUserCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared) const;
+ OSStatus evaluateUserCredentialForRight(const AuthorizationToken &auth, const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, CFAbsoluteTime now, const Credential &credential, bool ignoreShared, SecurityAgent::Reason &reason) const;
OSStatus evaluateRules(const AuthItemRef &inRight, const Rule &inRule,
AuthItemSet &environmentToClient, AuthorizationFlags flags,
CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
- AuthorizationToken &auth) const;
+ AuthorizationToken &auth, SecurityAgent::Reason &reason) const;
void setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const;
// perform authorization based on running specified mechanisms (see evaluateMechanism)
- OSStatus evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth) const;
+ OSStatus evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason) const;
OSStatus evaluateUser(const AuthItemRef &inRight, const Rule &inRule,
AuthItemSet &environmentToClient, AuthorizationFlags flags,
CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials,
- AuthorizationToken &auth) const;
+ AuthorizationToken &auth, SecurityAgent::Reason &reason) const;
OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials) const;
// find username hint based on session owner
- OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential) const;
+ OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential, SecurityAgent::Reason &reason) const;
CredentialSet makeCredentials(const AuthorizationToken &auth) const;
public:
static bool getBool(CFDictionaryRef config, CFStringRef key, bool required, bool defaultValue);
static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue);
- static string getString(CFDictionaryRef config, CFStringRef key, bool required, char *defaultValue);
+ static string getString(CFDictionaryRef config, CFStringRef key, bool required, const char *defaultValue);
static vector<string> getVector(CFDictionaryRef config, CFStringRef key, bool required);
static bool getLocalizedPrompts(CFDictionaryRef config, map<string,string> &localizedPrompts);
};
#include <sys/stat.h>
#include <security_utilities/crc.h>
-static const char* kPrefix = "/private/var/tmp/mds/messages/se_";
+static const char* kPrefix = "/private/var/db/mds/messages/se_";
SharedMemoryServer::SharedMemoryServer (const char* segmentName, SegmentOffsetType segmentSize) :
mSegmentName (segmentName), mSegmentSize (segmentSize)
mFileName += segmentName;
// make the mds directory, just in case it doesn't exist
- mkdir("/var/tmp/mds/messages", 0755);
+ mkdir("/var/db/mds", 1777);
+ mkdir("/var/db/mds/messages", 0755);
// make the file name
// clean any old file away
/*
- * Copyright (c) 2000-2004,2007 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004,2007-2008 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#include "connection.h"
#include "database.h"
#include "server.h"
-#include "osxcodewrap.h"
#include <security_utilities/debugging.h>
#include <security_utilities/logging.h>
#include <security_cdsa_utilities/osxverifier.h>
process.getPath().c_str(), process.pid());
break;
default: // something else went wrong
- secdebug("kcacl", "client validation failed rc=%ld, suppressing prompt", validation);
+ secdebug("kcacl", "client validation failed rc=%d, suppressing prompt", int32_t(validation));
return false;
}
bool needPassphrase = db && (selector.flags & CSSM_ACL_KEYCHAIN_PROMPT_REQUIRE_PASSPHRASE);
// an application (i.e. Keychain Access.app :-) can force this option
- if (clientCode) {
+ if (clientCode && validation == noErr) {
CFRef<CFDictionaryRef> dict;
- if (!SecCodeCopySigningInformation(clientCode, kSecCSDefaultFlags, &dict.aref()))
+ if (SecCodeCopySigningInformation(clientCode, kSecCSDefaultFlags, &dict.aref()) == noErr)
if (CFDictionaryRef info = CFDictionaryRef(CFDictionaryGetValue(dict, kSecCodeInfoPList)))
needPassphrase |=
(CFDictionaryGetValue(info, CFSTR("SecForcePassphrasePrompt")) != NULL);
}
// pop The Question
- QueryKeychainUse query(needPassphrase, db);
- query.inferHints(Server::process());
- query.addHint(AGENT_HINT_CLIENT_VALIDITY, &validation, sizeof(validation));
- if (query.queryUser(db ? db->dbName() : NULL,
- description.c_str(), context.authorization()) != SecurityAgent::noReason)
- return false;
+ if (db && db->belongsToSystem() && !hasAuthorizedForSystemKeychain()) {
+ QueryKeychainAuth query;
+ query.inferHints(Server::process());
+ if (query(db ? db->dbName() : NULL, description.c_str(), context.authorization(), NULL) != SecurityAgent::noReason)
+ return false;
+ return true;
+ } else {
+ QueryKeychainUse query(needPassphrase, db);
+ query.inferHints(Server::process());
+ query.addHint(AGENT_HINT_CLIENT_VALIDITY, &validation, sizeof(validation));
+ if (query.queryUser(db ? db->dbName() : NULL,
+ description.c_str(), context.authorization()) != SecurityAgent::noReason)
+ return false;
- // process an "always allow..." response
- if (query.remember && clientCode) {
- RefPointer<OSXCode> clientXCode = new OSXCodeWrap(clientCode);
- RefPointer<AclSubject> subject = new CodeSignatureAclSubject(OSXVerifier(clientXCode));
- SecurityServerAcl::addToStandardACL(context, subject);
- }
+ // process an "always allow..." response
+ if (query.remember && clientCode) {
+ RefPointer<OSXCode> clientXCode = new OSXCodeWrap(clientCode);
+ RefPointer<AclSubject> subject = new CodeSignatureAclSubject(OSXVerifier(clientXCode));
+ SecurityServerAcl::addToStandardACL(context, subject);
+ }
- // finally, return the actual user response
- return query.allow;
+ // finally, return the actual user response
+ return query.allow;
+ }
}
return false; // default to deny without prejudice
}
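Review bot: The new system-keychain branch (`if (db && db->belongsToSystem() && !hasAuthorizedForSystemKeychain())`) never hands `validation` to the agent, while the `else` branch still adds `AGENT_HINT_CLIENT_VALIDITY`. It also returns `true` without looking at `needPassphrase` or `query.remember`. If that is deliberate, say so where the branch starts, e.g. `// system keychain: user/password authentication replaces the allow/deny prompt; no "always allow", no client-validity hint`; otherwise add the hint before invoking `query(...)`. Inside the branch `db` is already known to be non-null, so `db ? db->dbName() : NULL` can be `db->dbName()`. The function begins outside this hunk.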
new(alloc) ListElement(alloc, description));
}
+//
+// Has the caller recently authorized in such a way as to render unnecessary
+// the usual QueryKeychainAuth dialog? (The right is specific to Keychain
+// Access' way of editing a system keychain.)
+//
+bool KeychainPromptAclSubject::hasAuthorizedForSystemKeychain() const
+{
+ string rightString = "system.keychain.modify";
+ return Server::session().isRightAuthorized(rightString, Server::connection(), false/*no UI*/);
+}
+
+
//
// Create a KeychainPromptAclSubject
public:
bool validate(const AclValidationContext &baseCtx, const TypedList &sample) const;
CssmList toList(Allocator &alloc) const;
+ bool hasAuthorizedForSystemKeychain() const;
KeychainPromptAclSubject(string description, const CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR &selector);
/*
- * Copyright (c) 2000-2007 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2000-2008 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
/*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004,2008-2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
//
#include "agentquery.h"
#include "authority.h"
+#include "ccaudit_extensions.h"
#include <Security/AuthorizationTags.h>
#include <Security/AuthorizationTagsPriv.h>
+#include <Security/checkpw.h>
+#include <bsm/audit_uevents.h> // AUE_ssauthint
//
// NOSA support functions. This is a test mode where the SecurityAgent
#endif //NOSA
-using SecurityAgent::Reason;
-using namespace Authorization;
+// SecurityAgentConnection
-SecurityAgentQuery::SecurityAgentQuery(const AuthHostType type, Session &session) : mAuthHostType(type), mHostInstance(session.authhost(mAuthHostType)), mConnection(&Server::connection())
+SecurityAgentConnection::SecurityAgentConnection(const AuthHostType type, Session &session)
+ : mAuthHostType(type),
+ mHostInstance(session.authhost(mAuthHostType)),
+ mConnection(&Server::connection()),
+ mAuditToken(Server::connection().auditToken())
{
// this may take a while
Server::active().longTermActivity();
+ secdebug("SecurityAgentConnection", "new SecurityAgentConnection(%p)", this);
+}
+
+SecurityAgentConnection::~SecurityAgentConnection()
+{
+ secdebug("SecurityAgentConnection", "SecurityAgentConnection(%p) dying", this);
+ mConnection->useAgent(NULL);
+}
+
+void
+SecurityAgentConnection::activate()
+{
+ secdebug("SecurityAgentConnection", "activate(%p)", this);
+ mConnection->useAgent(this);
+ try {
+ mPort = mHostInstance->activate();
+ secdebug("SecurityAgentConnection", "%p activated", this);
+ } catch (...) {
+ mConnection->useAgent(NULL); // guess not
+ secdebug("SecurityAgentConnection", "error activating %p", this);
+ throw;
+ }
+}
+
+void
+SecurityAgentConnection::reconnect()
+{
+ // if !mHostInstance throw()?
+ if (mHostInstance)
+ {
+ Session &session = mHostInstance->session();
+ mHostInstance = session.authhost(mAuthHostType, true);
+ activate();
+ }
+}
+
+void
+SecurityAgentConnection::terminate()
+{
+ activate();
+
+ // @@@ This happens already in the destructor; presumably we do this to tear things down orderly
+ mConnection->useAgent(NULL);
+}
+
+
+// SecurityAgentTransaction
+
+SecurityAgentTransaction::SecurityAgentTransaction(const AuthHostType type, Session &session, bool startNow)
+ : SecurityAgentConnection(type, session),
+ mStarted(false)
+{
+ secdebug("SecurityAgentTransaction", "New SecurityAgentTransaction(%p)", this);
+ activate(); // start agent now, or other SAConnections will kill and spawn new agents
+ if (startNow)
+ start();
+}
+
+SecurityAgentTransaction::~SecurityAgentTransaction()
+{
+ try { end(); } catch(...) {}
+ secdebug("SecurityAgentTransaction", "Destroying %p", this);
+}
+
+void
+SecurityAgentTransaction::start()
+{
+ secdebug("SecurityAgentTransaction", "start(%p)", this);
+ MacOSError::check(SecurityAgentQuery::Client::startTransaction(mPort));
+ mStarted = true;
+ secdebug("SecurityAgentTransaction", "started(%p)", this);
+}
+
+void
+SecurityAgentTransaction::end()
+{
+ if (started())
+ {
+ MacOSError::check(SecurityAgentQuery::Client::endTransaction(mPort));
+ mStarted = false;
+ }
+ secdebug("SecurityAgentTransaction", "End SecurityAgentTransaction(%p)", this);
+}
+
+using SecurityAgent::Reason;
+using namespace Authorization;
+
+SecurityAgentQuery::SecurityAgentQuery(const AuthHostType type, Session &session)
+ : SecurityAgentConnection(type, session)
+{
secdebug("SecurityAgentQuery", "new SecurityAgentQuery(%p)", this);
}
SecurityAgentQuery::~SecurityAgentQuery()
{
secdebug("SecurityAgentQuery", "SecurityAgentQuery(%p) dying", this);
- mConnection->useAgent(NULL);
#if defined(NOSA)
if (getenv("NOSA")) {
destroy();
}
-void
+void
SecurityAgentQuery::activate()
{
- mConnection->useAgent(this);
+ SecurityAgentConnection::activate();
+ SecurityAgent::Client::activate(mPort);
+ secdebug("SecurityAgentQuery", "activate(%p)", this);
+}
- try {
- SecurityAgent::Client::activate(mHostInstance->activate());
- } catch (...) {
- mConnection->useAgent(NULL); // guess not
- throw;
- }
+void
+SecurityAgentQuery::reconnect()
+{
+ SecurityAgentConnection::reconnect();
+ SecurityAgent::Client::activate(mPort);
+ secdebug("SecurityAgentQuery", "reconnect(%p)", this);
}
void
}
void
-SecurityAgentQuery::terminate()
+SecurityAgentQuery::disconnect()
{
- activate();
-
- // @@@ This happens already in the destructor; presumably we do this to tear things down orderly
- mConnection->useAgent(NULL);
+ SecurityAgent::Client::destroy();
+}
+void
+SecurityAgentQuery::terminate()
+{
+ // you might think these are called in the wrong order, but you'd be wrong
+ SecurityAgentConnection::terminate();
SecurityAgent::Client::terminate();
}
if (status)
{
secdebug("SecurityAgentQuery", "agent went walkabout, restarting");
- Session &session = mHostInstance->session();
- mHostInstance = session.authhost(mAuthHostType, true);
- activate();
+ reconnect();
status = SecurityAgent::Client::create(pluginId, mechanismId, inSessionId);
}
if (status) MacOSError::throwMe(status);
//
// Get a DB blob's passphrase--keychain synchronization
//
-Reason QueryDBBlobSecret::operator () (DatabaseCryptoCore &dbCore, const DbBlob *secretsBlob)
+Reason QueryDBBlobSecret::operator () (DbHandle *dbHandleArray, uint8 dbHandleArrayCount, DbHandle *dbHandleAuthenticated)
{
- return query(dbCore, secretsBlob);
+ return query(dbHandleArray, dbHandleArrayCount, dbHandleAuthenticated);
}
-Reason QueryDBBlobSecret::query(DatabaseCryptoCore &dbCore, const DbBlob *secretsBlob)
+Reason QueryDBBlobSecret::query(DbHandle *dbHandleArray, uint8 dbHandleArrayCount, DbHandle *dbHandleAuthenticated)
{
Reason reason = SecurityAgent::noReason;
CssmAutoData passphrase(Allocator::standard(Allocator::sensitive));
return SecurityAgent::noReason;
}
#endif
-
- hints.insert(mClientHints.begin(), mClientHints.end());
+
+ hints.insert(mClientHints.begin(), mClientHints.end());
create("builtin", "generic-unlock-kcblob", noSecuritySession);
continue;
secretItem->getCssmData(passphrase);
- } while (reason = accept(passphrase, dbCore, secretsBlob));
+ } while (reason = accept(passphrase, dbHandleArray, dbHandleArrayCount, dbHandleAuthenticated));
return reason;
}
Reason QueryDBBlobSecret::accept(CssmManagedData &passphrase,
- DatabaseCryptoCore &dbCore,
- const DbBlob *secretsBlob)
+ DbHandle *dbHandlesToAuthenticate, uint8 dbHandleCount, DbHandle *dbHandleAuthenticated)
{
- try {
- dbCore.setup(secretsBlob, passphrase);
- dbCore.decodeCore(secretsBlob, NULL);
- } catch (const CommonError &err) {
- // XXX/gh Are there errors other than this?
- return SecurityAgent::invalidPassphrase;
+ DbHandle *currHdl = dbHandlesToAuthenticate;
+ short index;
+ Boolean authenticated = false;
+ for (index=0; index < dbHandleCount && !authenticated; index++)
+ {
+ try
+ {
+ RefPointer<KeychainDatabase> dbToUnlock = Server::keychain(*currHdl);
+ dbToUnlock->unlockDb(passphrase);
+ authenticated = true;
+ *dbHandleAuthenticated = *currHdl; // return the DbHandle that 'passphrase' authenticated with.
+ }
+ catch (const CommonError &err)
+ {
+ currHdl++; // we failed to authenticate with this one, onto the next one.
+ }
}
+ if ( !authenticated )
+ return SecurityAgent::invalidPassphrase;
+
return SecurityAgent::noReason;
}
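Review bot: The `catch (const CommonError &err)` in the loop treats every failure as a wrong passphrase, including a throw from `Server::keychain(*currHdl)` for a bad handle. The removed code's `XXX/gh Are there errors other than this?` question was dropped rather than answered, so at least keep a comment such as `// any CommonError (bad handle, wrong passphrase, ...) means "not this one"; try the next handle`. `*dbHandleAuthenticated = *currHdl` dereferences the out-parameter without a null check. `short index` is compared against a `uint8` count and only serves to step `currHdl`, so using `dbHandlesToAuthenticate[index]` would remove the second cursor; `err` is unused.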
{
terminate();
}
+
+// @@@ no pluggable authentication possible!
+Reason
+QueryKeychainAuth::operator () (const char *database, const char *description, AclAuthorization action, const char *prompt)
+{
+ Reason reason = SecurityAgent::noReason;
+ AuthItemSet hints, context;
+ AuthValueVector arguments;
+ int retryCount = 0;
+ string username;
+ string password;
+
+ using CommonCriteria::Securityd::KeychainAuthLogger;
+ KeychainAuthLogger logger(mAuditToken, AUE_ssauthint, database, description);
+
+#if defined(NOSA)
+ /* XXX/gh probably not complete; stolen verbatim from rogue-app query */
+ if (getenv("NOSA")) {
+ char answer[maxPassphraseLength+10];
+
+ string applicationPath;
+ AuthItem *applicationPathItem = mClientHints.find(AGENT_HINT_APPLICATION_PATH);
+ if (applicationPathItem)
+ applicationPathItem->getString(applicationPath);
+
+ getNoSA(answer, sizeof(answer), "Allow %s to do %d on %s in %s? [yn][g]%s ",
+ applicationPath.c_str(), int(action), (description ? description : "[NULL item]"),
+ (database ? database : "[NULL database]"),
+ mPassphraseCheck ? ":passphrase" : "");
+ // turn passphrase (no ':') into y:passphrase
+ if (mPassphraseCheck && !strchr(answer, ':')) {
+ memmove(answer+2, answer, strlen(answer)+1);
+ memcpy(answer, "y:", 2);
+ }
+
+ allow = answer[0] == 'y';
+ remember = answer[1] == 'g';
+ return SecurityAgent::noReason;
+ }
+#endif
+
+ hints.insert(mClientHints.begin(), mClientHints.end());
+
+ // put action/operation (sint32) into hints
+ hints.insert(AuthItemRef(AGENT_HINT_ACL_TAG, AuthValueOverlay(sizeof(action), static_cast<sint32*>(&action))));
+
+ hints.insert(AuthItemRef(AGENT_HINT_CUSTOM_PROMPT, AuthValueOverlay(prompt ? strlen(prompt) : 0, const_cast<char*>(prompt))));
+
+ // item name into hints
+ hints.insert(AuthItemRef(AGENT_HINT_KEYCHAIN_ITEM_NAME, AuthValueOverlay(description ? strlen(description) : 0, const_cast<char*>(description))));
+
+ // keychain name into hints
+ hints.insert(AuthItemRef(AGENT_HINT_KEYCHAIN_PATH, AuthValueOverlay(database ? strlen(database) : 0, const_cast<char*>(database))));
+
+ create("builtin", "confirm-access-user-password", noSecuritySession);
+
+ AuthItem *usernameItem;
+ AuthItem *passwordItem;
+
+ do {
+
+ AuthItemRef triesHint(AGENT_HINT_TRIES, AuthValueOverlay(sizeof(retryCount), &retryCount));
+ hints.erase(triesHint); hints.insert(triesHint); // replace
+
+ if (++retryCount > maxTries)
+ reason = SecurityAgent::tooManyTries;
+
+ if (SecurityAgent::noReason != reason)
+ {
+ if (SecurityAgent::tooManyTries == reason)
+ logger.logFailure(NULL, CommonCriteria::errTooManyTries);
+ else
+ logger.logFailure();
+ }
+
+ AuthItemRef retryHint(AGENT_HINT_RETRY_REASON, AuthValueOverlay(sizeof(reason), &reason));
+ hints.erase(retryHint); hints.insert(retryHint); // replace
+
+ setInput(hints, context);
+ try
+ {
+ invoke();
+ checkResult();
+ }
+ catch (...) // user probably clicked "deny"
+ {
+ logger.logFailure();
+ throw;
+ }
+ usernameItem = outContext().find(AGENT_USERNAME);
+ passwordItem = outContext().find(AGENT_PASSWORD);
+ if (!usernameItem || !passwordItem)
+ continue;
+ usernameItem->getString(username);
+ passwordItem->getString(password);
+ } while (reason = accept(username, password));
+
+ if (SecurityAgent::noReason == reason)
+ logger.logSuccess();
+ // else we logged the denial in the loop
+
+ return reason;
+}
+
+Reason
+QueryKeychainAuth::accept(string &username, string &passphrase)
+{
+ const char *user = username.c_str();
+ const char *passwd = passphrase.c_str();
+ int checkpw_status = checkpw(user, passwd);
+
+ if (checkpw_status != CHECKPW_SUCCESS)
+ return SecurityAgent::invalidPassphrase;
+
+ return SecurityAgent::noReason;
+}
+
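Review bot: `QueryKeychainAuth::accept()` returns `noReason` for any username/password pair that `checkpw()` validates, so as far as this hunk shows the system-keychain prompt is satisfied by any account with a valid password, not specifically an administrator. If that is not the intent, a group or right check belongs after the `CHECKPW_SUCCESS` test; if it is, state it in a comment next to `// @@@ no pluggable authentication possible!`. In `operator()`, the `continue` taken when `usernameItem` or `passwordItem` is missing jumps to the `while (reason = accept(username, password))` condition, which calls `checkpw()` with empty strings on the first pass or the previous attempt's values later; clear both strings and set `reason` explicitly before continuing. `username` and `password` are plain `string`s that are never wiped after use, whereas `QueryDBBlobSecret::query` keeps its passphrase in `CssmAutoData passphrase(Allocator::standard(Allocator::sensitive))`.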
/*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004,2008-2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#include <security_agent_client/agentclient.h>
#include <security_cdsa_utilities/AuthorizationData.h>
+#include <security_utilities/ccaudit.h> // some queries do their own authentication
#include <Security/AuthorizationPlugin.h>
#include "kcdatabase.h"
#include "AuthorizationEngine.h"
using Authorization::AuthValueVector;
using Security::OSXCode;
-class SecurityAgentQuery : public SecurityAgent::Client {
+//
+// base for classes talking to SecurityAgent and authorizationhost
+//
+class SecurityAgentConnection : public SecurityAgentConnectionInterface
+{
+public:
+ SecurityAgentConnection(const AuthHostType type = securityAgent, Session &session = Server::session());
+ virtual ~SecurityAgentConnection();
+ virtual void activate();
+ virtual void reconnect();
+ virtual void disconnect() { };
+ virtual void terminate();
+
+ AuthHostType hostType() { return mAuthHostType; }
+
+protected:
+ AuthHostType mAuthHostType;
+ RefPointer<AuthHostInstance> mHostInstance;
+ Port mPort;
+ const RefPointer<Connection> mConnection;
+ audit_token_t *mAuditToken;
+};
+
+//
+// Special wrapper around SecurityAgent::Client transaction interfaces.
+// Not currently used because this was intended to support
+// SecurityAgent's/authorizationhost's use of Foundation's enable/disable-sudden-
+// termination APIs, but the latter don't work for non-direct children of
+// launchd. Kept around because securityd might need its own child-transaction
+// semantics one day.
+//
+class SecurityAgentTransaction : public SecurityAgentConnection
+{
+public:
+ SecurityAgentTransaction(const AuthHostType type = securityAgent, Session &session = Server::session(), bool startNow = true);
+ ~SecurityAgentTransaction();
+
+ void start();
+ void end();
+ bool started() { return mStarted; }
+
+private:
+ bool mStarted;
+};
+
+//
+// The main SecurityAgent/authorizationhost interaction base class
+//
+class SecurityAgentQuery : public SecurityAgent::Client,
+ public SecurityAgentConnection
+{
public:
typedef SecurityAgent::Reason Reason;
SecurityAgentQuery(const AuthHostType type = securityAgent, Session &session = Server::session());
+
void inferHints(Process &thisProcess);
void addHint(const char *name, const void *value = NULL, UInt32 valueLen = 0, UInt32 flags = 0);
virtual ~SecurityAgentQuery();
virtual void activate();
+ virtual void reconnect();
+ virtual void disconnect();
virtual void terminate();
void create(const char *pluginId, const char *mechanismId, const SessionId inSessionId);
-public:
void readChoice();
bool allow;
bool remember;
- AuthHostType mAuthHostType;
- RefPointer<AuthHostInstance> mHostInstance;
protected:
AuthItemSet mClientHints;
-private:
- Port mPort;
- const RefPointer<Connection> mConnection;
};
//
static const int maxTries = kMaximumAuthorizationTries;
public:
QueryDBBlobSecret() { }
- Reason operator () (DatabaseCryptoCore &dbCore, const DbBlob *secretsBlob);
+ Reason operator () (DbHandle *dbHandleArray, uint8 dbHandleArrayCount, DbHandle *dbHandleAuthenticated);
protected:
- Reason query(DatabaseCryptoCore &dbCore, const DbBlob *secretsBlob);
- Reason accept(CssmManagedData &passphrase, DatabaseCryptoCore &dbCore, const DbBlob *secretsBlob);
+ Reason query(DbHandle *dbHandleArray, uint8 dbHandleArrayCount, DbHandle *dbHandleAuthenticated);
+ Reason accept(CssmManagedData &passphrase, DbHandle *dbHandlesToAuthenticate, uint8 dbHandleCount, DbHandle *dbHandleAuthenticated);
};
class QueryInvokeMechanism : public SecurityAgentQuery, public RefCount {
AuthValueVector mArguments;
};
+// hybrid of confirm-access and generic authentication queries, for
+// securityd's use; keep the Frankenstein references to yourself
+// (the alternative is to ask the user to unlock the system keychain,
+// and you don't want that, do you?)
+class QueryKeychainAuth : public SecurityAgentQuery {
+ static const int maxTries = kMaximumAuthorizationTries;
+public:
+ QueryKeychainAuth() { }
+ // "prompt" can be NULL
+ Reason operator () (const char *database, const char *description, AclAuthorization action, const char *prompt);
+ Reason accept(string &username, string &passphrase);
+};
+
#endif //_H_AGENTQUERY
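Review bot: `QueryKeychainAuth::accept(string &username, string &passphrase)` carries the passphrase in a `std::string`, while the sibling `QueryDBBlobSecret::accept` takes it as `CssmManagedData &`. A `std::string` does not clear its buffer when it is destroyed or reassigned, so the secret can stay in freed heap memory longer than needed; whether the caller wipes it is not visible in this hunk. I would keep the secret in the same managed type, or document on `accept` who is responsible for clearing it. If `accept` does not modify its arguments, both should be `const string &`.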
/*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004,2008-2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
if (snprintf(uid_string, sizeof(uid_string), "%u", inCred->uid()) >=
int(sizeof(uid_string)))
uid_string[0] = '\0';
- AuthItemRef uidHint("uid", AuthValueOverlay(uid_string ? strlen(uid_string) + 1 : 0, uid_string), 0);
+ AuthItemRef uidHint("uid", AuthValueOverlay(uid_string[0] ? strlen(uid_string) + 1 : 0, uid_string), 0);
dstInfoSet.insert(uidHint);
- AuthItemRef userHint("username", AuthValueOverlay(inCred->name()), 0);
+ AuthItemRef userHint("username", AuthValueOverlay(inCred->username()), 0);
dstInfoSet.insert(userHint);
setInfoSet(dstInfoSet);
--- /dev/null
+/*
+ * ccaudit_extensions.cpp
+ * securityd
+ *
+ * Created by G H on 3/24/09.
+ * Copyright 2009 Apple Inc. All rights reserved.
+ *
+ */
+
+#include <errno.h>
+#include <assert.h>
+#include <stdio.h> // vsnprintf()
+#include <stdarg.h> // va_start(), et al.
+#include <syslog.h>
+#include <string.h> // memcpy()
+#include <bsm/audit_uevents.h> // AUE_ssauth*
+#include <bsm/libbsm.h>
+#include <security_utilities/errors.h>
+#include <security_utilities/ccaudit.h>
+#include "ccaudit_extensions.h"
+
+namespace Security
+{
+
+namespace CommonCriteria
+{
+
+namespace Securityd
+{
+
+//
+// AuditLogger
+//
+AuditLogger::AuditLogger(const audit_token_t *srcToken, short auEvent)
+ : mAuditFd(-1), mEvent(auEvent), mClientInfoSet(false)
+{
+ setClientInfo(srcToken);
+}
+
+AuditLogger::AuditLogger(const AuditToken &srcToken, short auEvent)
+ : mAuditFd(-1), mEvent(auEvent), mClientInfoSet(false)
+{
+ setClientInfo(srcToken);
+}
+
+AuditLogger::~AuditLogger()
+{
+ close();
+}
+
+bool
+AuditLogger::open()
+{
+ if (-1 != mAuditFd)
+ return true;
+
+ // @@@ use audit_get_cond() when it's available
+ int acond = au_get_state();
+ switch (acond)
+ {
+ case AUC_NOAUDIT:
+ return false;
+ case AUC_AUDITING:
+ break;
+ default:
+ logInternalError("error checking auditing status (%d)", acond);
+ UnixError::throwMe(acond); // assume it's a Unix error
+ }
+ if ((mAuditFd = au_open()) < 0)
+ {
+ logInternalError("au_open() failed (%s)", strerror(errno));
+ UnixError::throwMe(errno);
+ }
+ return true;
+}
+
+void
+AuditLogger::close(bool writeLog/* = true*/)
+{
+ if (-1 != mAuditFd)
+ {
+ int keep = writeLog == true ? AU_TO_WRITE : AU_TO_NO_WRITE;
+ int error = au_close(mAuditFd, keep, mEvent);
+ mAuditFd = -1;
+ if (writeLog == true && error < 0)
+ {
+ logInternalError("au_close() failed; record not committed");
+ UnixError::throwMe(error);
+ }
+ }
+}
+
+void
+AuditLogger::setClientInfo(const audit_token_t *srcToken)
+{
+ assert(srcToken);
+ audit_token_to_au32(*srcToken, &mAuditId, &mEuid, &mEgid, &mRuid, &mRgid, &mPid, &mAuditSessionId, &mOldTerminalId);
+
+ mTerminalId.at_type = AU_IPv4;
+ mTerminalId.at_addr[0] = mOldTerminalId.machine;
+ mTerminalId.at_port = mOldTerminalId.port;
+
+ mClientInfoSet = true;
+}
+
+void
+AuditLogger::setClientInfo(const AuditToken &srcToken)
+{
+ mAuditId = srcToken.auditId();
+ mEuid = srcToken.euid();
+ mEgid = srcToken.egid();
+ mRuid = srcToken.ruid();
+ mRgid = srcToken.rgid();
+ mPid = srcToken.pid();
+ mAuditSessionId = srcToken.auditSession();
+ memcpy(&mOldTerminalId, &(srcToken.terminalId()), sizeof(mOldTerminalId));
+
+ mTerminalId.at_type = AU_IPv4;
+ mTerminalId.at_addr[0] = mOldTerminalId.machine;
+ mTerminalId.at_port = mOldTerminalId.port;
+
+ mClientInfoSet = true;
+}
+
+void
+AuditLogger::writeToken(token_t *token, const char *name)
+{
+ const char *tokenName = name ? name : "<unidentified>";
+ if (NULL == token)
+ {
+ logInternalError("Invalid '%s' token", tokenName);
+ close();
+ UnixError::throwMe(EPERM); // per audit_submit()
+ }
+ if (au_write(mAuditFd, token) < 0)
+ {
+ logInternalError("Error writing '%s' token (%s)", tokenName, strerror(errno));
+ close();
+ UnixError::throwMe(errno);
+ }
+}
+
+void
+AuditLogger::writeSubject()
+{
+ assert(mClientInfoSet);
+
+ token_t *token;
+
+ // @@@ terminal ID is not carried in the audit trailer nowadays, but
+ // this code should be harmless: it replicates the current logic in
+ // audit_submit()
+ if (AU_IPv4 == mTerminalId.at_type)
+ token = au_to_subject32(mAuditId, mEuid, mEgid, mRuid, mRgid, mPid, mAuditSessionId, &mOldTerminalId);
+ else
+ token = au_to_subject_ex(mAuditId, mEuid, mEgid, mRuid, mRgid, mPid, mAuditSessionId, &mTerminalId);
+ writeToken(token, "subject");
+}
+
+void
+AuditLogger::writeReturn(char status, int reterr)
+{
+ writeToken(au_to_return32(status, reterr), "return");
+}
+
+void
+AuditLogger::logSuccess()
+{
+ if (false == open())
+ return;
+ writeCommon();
+ writeReturn(0, 0);
+ close();
+}
+
+void
+AuditLogger::logFailure(const char *errMsg, int errcode)
+{
+ if (false == open())
+ return;
+ writeCommon();
+ if (errMsg)
+ writeToken(au_to_text(errMsg), "evaluation error");
+ writeReturn(EPERM, errcode);
+ close();
+}
+
+// cribbed from audit_submit()
+void
+AuditLogger::logInternalError(const char *fmt, ...)
+{
+ va_list ap;
+ char text[MAX_AUDITSTRING_LEN];
+
+ if (fmt != NULL)
+ {
+ int error = errno;
+ va_start(ap, fmt);
+ (void)vsnprintf(text, MAX_AUDITSTRING_LEN, fmt, ap);
+ va_end(ap);
+ syslog(LOG_AUTH | LOG_ERR, "%s", text);
+ errno = error;
+ }
+}
+
+//
+// KeychainAuthLogger
+//
+const char *KeychainAuthLogger::sysKCAuthStr = "System keychain authorization";
+const char *KeychainAuthLogger::unknownKCStr = "<unknown keychain>";
+const char *KeychainAuthLogger::unknownItemStr = "<unknown item>";
+
+KeychainAuthLogger::KeychainAuthLogger(const audit_token_t *srcToken, short auEvent)
+ : AuditLogger(srcToken, auEvent), mDatabase(unknownKCStr),
+ mItem(unknownItemStr)
+{
+}
+
+KeychainAuthLogger::KeychainAuthLogger(const AuditToken &srcToken, short auEvent)
+ : AuditLogger(srcToken, auEvent), mDatabase(unknownKCStr),
+ mItem(unknownItemStr)
+{
+}
+
+KeychainAuthLogger::KeychainAuthLogger(const audit_token_t *srcToken, short auEvent, const char *database, const char *item)
+ : AuditLogger(srcToken, auEvent)
+{
+ setDbName(database);
+ setItemName(item);
+}
+
+KeychainAuthLogger::KeychainAuthLogger(const AuditToken &srcToken, short auEvent, const char *database, const char *item)
+ : AuditLogger(srcToken, auEvent)
+{
+ setDbName(database);
+ setItemName(item);
+}
+
+void
+KeychainAuthLogger::setDbName(const char *database)
+{
+ mDatabase = database ? database : unknownKCStr;
+}
+
+void
+KeychainAuthLogger::setItemName(const char *item)
+{
+ mItem = item ? item : unknownItemStr;
+}
+
+void
+KeychainAuthLogger::writeCommon()
+{
+ writeSubject();
+ writeToken(au_to_text(sysKCAuthStr), sysKCAuthStr);
+ writeToken(au_to_text(mDatabase.c_str()), "keychain");
+ writeToken(au_to_text(mItem.c_str()), "keychain item");
+}
+
+
+//
+// RightLogger
+//
+const char *RightLogger::unknownRightStr = "<unknown right>";
+
+void
+RightLogger::setRight(const string &rightName)
+{
+ mRight.clear();
+ mRight = rightName;
+}
+
+void
+RightLogger::setRight(const char *rightName)
+{
+ if (rightName) // NULL bad for string class and au_to_text()
+ {
+ string tmpStr(rightName); // setRight() takes a string&
+ setRight(tmpStr);
+ }
+}
+
+
+//
+// AuthMechLogger
+//
+const char *AuthMechLogger::unknownMechStr = "<unknown mechanism>";
+const char *AuthMechLogger::mechStr = "mechanism ";
+
+AuthMechLogger::AuthMechLogger(const AuditToken &srcToken, short auEvent)
+ : AuditLogger(srcToken, auEvent), RightLogger(),
+ mEvaluatingMechanism(false), mCurrentMechanism(unknownMechStr)
+{
+}
+
+AuthMechLogger::AuthMechLogger(const audit_token_t *srcToken, short auEvent)
+ : AuditLogger(srcToken, auEvent), RightLogger(),
+ mEvaluatingMechanism(false), mCurrentMechanism(unknownMechStr)
+{
+}
+
+void
+AuthMechLogger::setCurrentMechanism(const char *mech)
+{
+ mCurrentMechanism.clear();
+ if (NULL == mech)
+ {
+ mEvaluatingMechanism = false;
+ }
+ else
+ {
+ mCurrentMechanism = mech;
+ mEvaluatingMechanism = true;
+ }
+}
+
+void
+AuthMechLogger::writeCommon()
+{
+ writeSubject();
+ writeToken(au_to_text(mRight.c_str()), "right");
+ if (true == mEvaluatingMechanism)
+ {
+ string tmpStr = mechStr; // mechStr includes a trailing space
+ tmpStr += mCurrentMechanism;
+ writeToken(au_to_text(tmpStr.c_str()), "mechanism");
+ }
+}
+
+void
+AuthMechLogger::logInterrupt(const char *msg)
+{
+ if (false == open())
+ return;
+ writeCommon();
+ if (msg)
+ writeToken(au_to_text(msg), "interrupt");
+ writeReturn(0, 0);
+ close();
+}
+
+//
+// RightAuthenticationLogger
+//
+const char *RightAuthenticationLogger::unknownUserStr = "<unknown user>";
+const char *RightAuthenticationLogger::unknownClientStr = "<unknown client>";
+const char *RightAuthenticationLogger::unknownAuthCreatorStr = "<unknown creator>";
+const char *RightAuthenticationLogger::authenticatorStr = "known UID ";
+const char *RightAuthenticationLogger::clientStr = "client ";
+const char *RightAuthenticationLogger::authCreatorStr = "creator ";
+const char *RightAuthenticationLogger::authenticatedAsStr = "authenticated as ";
+const char *RightAuthenticationLogger::leastPrivStr = "least-privilege";
+
+RightAuthenticationLogger::RightAuthenticationLogger(const AuditToken &srcToken, short auEvent)
+ : AuditLogger(srcToken, auEvent), RightLogger()
+{
+}
+
+RightAuthenticationLogger::RightAuthenticationLogger(const audit_token_t *srcToken, short auEvent)
+ : AuditLogger(srcToken, auEvent), RightLogger()
+{
+}
+
+void
+RightAuthenticationLogger::writeCommon()
+{
+ writeSubject();
+ writeToken(au_to_text(mRight.c_str()), "right");
+}
+
+void
+RightAuthenticationLogger::logSuccess(uid_t authenticator, uid_t target, const char *targetName)
+{
+ if (false == open())
+ return;
+ writeCommon();
+
+ // au_to_arg32() is really meant for auditing syscall arguments;
+ // we're slightly abusing it to get descriptive strings for free.
+ writeToken(au_to_arg32(1, authenticatorStr, authenticator), "authenticator");
+ string tmpStr(authenticatedAsStr);
+ // targetName shouldn't be NULL on a successful authentication, but allow
+ // for programmer screwups
+ tmpStr += targetName ? targetName : unknownUserStr;
+ writeToken(au_to_arg32(2, tmpStr.c_str(), target), "target");
+ writeReturn(0, 0);
+ close();
+}
+
+void
+RightAuthenticationLogger::logAuthorizationResult(const char *client, const char *authCreator, int errcode)
+{
+ if (false == open())
+ return;
+ writeCommon();
+ string tmpStr(clientStr);
+ tmpStr += client ? client : unknownClientStr;
+ writeToken(au_to_text(tmpStr.c_str()), "Authorization client");
+ tmpStr.clear();
+ tmpStr = authCreatorStr;
+ tmpStr += authCreator ? authCreator : unknownAuthCreatorStr;
+ writeToken(au_to_text(tmpStr.c_str()), "Authorization creator");
+ if (errAuthorizationSuccess == errcode)
+ writeReturn(0, 0);
+ else
+ writeReturn(EPERM, errcode);
+ close();
+}
+
+void
+RightAuthenticationLogger::logLeastPrivilege(uid_t userId, bool isAuthorizingUser)
+{
+ if (false == open())
+ return;
+ writeCommon();
+ writeToken(au_to_text(leastPrivStr), leastPrivStr);
+ writeReturn(0, 0);
+ close();
+}
+
+void
+RightAuthenticationLogger::logFailure(uid_t authenticator, const char *targetName)
+{
+ if (false == open())
+ return;
+ writeCommon();
+ writeToken(au_to_arg32(1, authenticatorStr, authenticator), "authenticator");
+ if (NULL == targetName)
+ writeToken(au_to_text(unknownUserStr), "target username");
+ else
+ writeToken(au_to_text(targetName), "target username");
+ // @@@ EAUTH more appropriate, but !defined for _POSIX_C_SOURCE
+ writeReturn(EPERM, errAuthorizationDenied);
+ close();
+}
+
+} // namespace Securityd
+
+} // namespace CommonCriteria
+
+} // namespace Security
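Review bot: In `AuditLogger::writeToken`, both error paths call `close()` with its default `writeLog = true` before throwing, so a record that is missing a token is still handed to `au_close()` for commit, and `au_close()` may overwrite `errno` before `UnixError::throwMe(errno)` reads it. `close()` can itself throw in that state, which would replace the original error, and the same throwing `close()` is what `~AuditLogger()` calls. I would save the error and discard the partial record, e.g. `int err = errno; close(false); UnixError::throwMe(err);`, and make the destructor catch whatever `close()` throws. Separately, `close()` passes the `au_close()` return value rather than `errno` to `UnixError::throwMe`.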
--- /dev/null
+/*
+ * ccaudit_extensions.h
+ * securityd
+ *
+ * Created by G H on 3/24/09.
+ * Copyright 2009 Apple Inc. All rights reserved.
+ *
+ * Extensions to utility classes in Security::CommonCriteria
+ * (libsecurity_utilities). Not clear that these are useful enough to be
+ * added there, so for now, they're here.
+ */
+
+#include <string>
+#include <stdint.h>
+#include <Security/Authorization.h>
+#include <bsm/audit_kevents.h> // AUE_NULL
+#include <bsm/libbsm.h>
+
+//
+// Regarding message formats in comments, below:
+//
+// <> denotes a string with the indicated information
+// '' denotes a literal string
+//
+// Message info is in text tokens unless otherwise indicated.
+//
+
+namespace Security
+{
+
+namespace CommonCriteria
+{
+
+namespace Securityd
+{
+
+//
+// Pure virtual class from which audit log writers should be derived.
+// The assumption about logging is that a "success" case logs certain
+// data about what succeeded, while a "failure" case logs that same data
+// plus some indication as to why the failure occurred.
+//
+// Subclasses minimally need to provide a writeCommon() method. They may
+// override logSuccess(); q.v.
+//
+// An AuditLogger is intended to live no longer than the audit trailer of a
+// securityd IPC.
+//
+// setClientInfo() must be called before logging, or at best, gibberish
+// will be logged.
+//
+// Nomenclature:
+// "write" methods only au_write()
+// "log" methods open, write, and close the log
+//
+class AuditLogger
+{
+public:
+ AuditLogger() : mAuditFd(-1), mEvent(AUE_NULL), mClientInfoSet(false) { }
+ AuditLogger(const audit_token_t *srcToken, short auEvent = AUE_NULL);
+ AuditLogger(const AuditToken &srcToken, short auEvent = AUE_NULL);
+ virtual ~AuditLogger();
+
+ bool open(); // false if auditing disabled; throws on real errors
+ void close(bool writeLog = true); // throws if writeLog true but au_close() failed
+
+ void setClientInfo(const audit_token_t *srcToken);
+ void setClientInfo(const AuditToken &srcToken);
+ void setEvent(short auEvent) { mEvent = auEvent; }
+ short event() const { return mEvent; }
+
+ // common log-writing activities
+ void writeToken(token_t *token, const char *name);
+ void writeSubject();
+ void writeReturn(char status, int reterr);
+ virtual void writeCommon() = 0; // should not open or close log
+
+ // logSuccess() assumes that all the ancillary information you need is
+ // written by writeCommon(). If that's not true, you can either
+ // override logSuccess() in your subclass, or use a different method
+ // altogether. Do not call AuditLogger::logSuccess() from the subclass
+ // in eiher case.
+ virtual void logSuccess();
+
+ virtual void logFailure(const char *errMsg = NULL, int errcode = errAuthorizationDenied);
+ virtual void logFailure(string &errMsg, int errcode = errAuthorizationDenied) { logFailure(errMsg.c_str(), errcode); }
+
+ // @@@ Extra credit: let callers add arbitrary tokens. Tokens added
+ // before a log*() call would be appended to the end of writeCommon()'s
+ // standard set.
+
+protected:
+ void logInternalError(const char *fmt, ...);
+
+private:
+ int mAuditFd;
+ short mEvent;
+ bool mClientInfoSet; // disallow resetting client info
+
+ uid_t mAuditId;
+ uid_t mEuid;
+ gid_t mEgid;
+ uid_t mRuid;
+ gid_t mRgid;
+ pid_t mPid;
+ au_asid_t mAuditSessionId;
+ au_tid_t mOldTerminalId; // to cache audit_token_to_au32() result
+ au_tid_addr_t mTerminalId; // @@@ AuditInfo still uses ai_tid_t
+};
+
+//
+// KeychainAuthLogger format:
+// 'System keychain authorization'
+// <keychain name>
+// <keychain item name>
+// [optional] <more failure info>
+//
+// For QueryKeychainAuth audit logging
+//
+class KeychainAuthLogger : public AuditLogger
+{
+ static const char *sysKCAuthStr;
+ static const char *unknownKCStr;
+ static const char *unknownItemStr;
+
+public:
+ KeychainAuthLogger() : AuditLogger(), mDatabase(unknownKCStr), mItem(unknownItemStr) { }
+ KeychainAuthLogger(const audit_token_t *srcToken, short auEvent);
+ KeychainAuthLogger(const audit_token_t *srcToken, short auEvent, const char *database, const char *item);
+ KeychainAuthLogger(const AuditToken &srcToken, short auEvent);
+ KeychainAuthLogger(const AuditToken &srcToken, short auEvent, const char *database, const char *item);
+ void setDbName(const char *database);
+ void setItemName(const char *item);
+ virtual void writeCommon();
+
+private:
+ string mDatabase;
+ string mItem;
+};
+
+//
+// RightLogger provides basic common data and behavior for rights-based
+// logging classes. @@@ "RightLogger" is a lousy name
+//
+class RightLogger
+{
+protected:
+ static const char *unknownRightStr;
+
+public:
+ RightLogger() : mRight(unknownRightStr) { }
+ virtual ~RightLogger() { }
+
+ void setRight(const string &rightName);
+ void setRight(const char *rightName);
+
+protected:
+ string mRight;
+};
+
+//
+// Basic (per-mechanism) AuthMechLogger format:
+// <right name>
+// [optional] 'mechanism' <mechanism name>
+// [optional] <more info>
+//
+// e.g.:
+// com.foo.bar
+// mechanism FooPlugin:SomeMechanism
+// unknown mechanism; ending rule evaluation
+//
+class AuthMechLogger : public AuditLogger, public RightLogger
+{
+ static const char *unknownMechStr;
+ static const char *mechStr;
+
+public:
+ AuthMechLogger() : AuditLogger(), RightLogger(), mEvaluatingMechanism(false), mCurrentMechanism(unknownMechStr) { }
+ AuthMechLogger(const AuditToken &srcToken, short auEvent);
+ AuthMechLogger(const audit_token_t *srcToken, short auEvent);
+
+ void setCurrentMechanism(const char *mech); // pass NULL if not running mechs.
+ void setCurrentMechanism(const string &mech) { setCurrentMechanism(mech.c_str()); }
+ virtual void writeCommon();
+
+ // Authorization mechanism-evaluation interrupts need to be logged since
+ // they cause evaluation to restart, possibly at a different point in the
+ // mechanism chain.
+ void logInterrupt(const char *msg); // NULL msg okay
+ void logInterrupt(string &msg) { logInterrupt(msg.c_str()); }
+
+private:
+ bool mEvaluatingMechanism;
+ string mCurrentMechanism;
+};
+
+//
+// Basic RightAuthenticationLogger formats:
+//
+// Per-credential (newly granted during an evaluation):
+// <right name>
+// UID of user performing the authentication [arg32 token]
+// UID and username of the successfully authenticated user [arg32 token]
+// or:
+// <right name>
+// UID of user performing the authentication [arg32 token]
+// Name of the user as whom the first UID was attempting to authenticate
+//
+// Final (i.e., after all mechanisms) right-granting decision format:
+// <right name>
+// name of process requesting authorization
+// name of process that created the Authorization handle
+//
+// Least-privilege credential-generating event format:
+// <right name>
+// 'least-privilege'
+//
+// @@@ each format should be its own class
+//
+class RightAuthenticationLogger : public AuditLogger, public RightLogger
+{
+ static const char *unknownUserStr;
+ static const char *unknownClientStr;
+ static const char *unknownAuthCreatorStr;
+ static const char *authenticatorStr;
+ static const char *clientStr;
+ static const char *authCreatorStr;
+ static const char *authenticatedAsStr;
+ static const char *leastPrivStr;
+
+public:
+ RightAuthenticationLogger() : AuditLogger(), RightLogger() { }
+ RightAuthenticationLogger(const AuditToken &srcToken, short auEvent);
+ RightAuthenticationLogger(const audit_token_t *srcToken, short auEvent);
+ virtual ~RightAuthenticationLogger() { }
+
+ virtual void writeCommon();
+
+ virtual void logSuccess() { } // throw? in any case, don't allow the usual logSuccess() to work
+ // @@@ clean up, consolidate Success and AuthorizationResult
+ void logSuccess(uid_t authenticator, uid_t target, const char *targetName);
+ void logAuthorizationResult(const char *client, const char *authCreator, int errcode);
+ void logLeastPrivilege(uid_t userId, bool isAuthorizingUser);
+ virtual void logFailure(const char *errMsg, int errcode) { AuditLogger::logFailure(errMsg, errcode); }
+ void logFailure(uid_t authenticator, const char *targetName);
+};
+
+
+} // namespace Securityd
+
+} // namespace CommonCriteria
+
+} // namespace Security
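Review bot: The default constructors (`AuditLogger()` and the derived ones) leave `mAuditId`, `mEuid`, `mPid` and the other subject fields unset, and the only check that `setClientInfo()` ran is `assert(mClientInfoSet)` in `writeSubject()` in ccaudit_extensions.cpp. If assertions are compiled out in release builds, a logger used without client info would write a subject token built from indeterminate values into the audit trail. I would fail closed there, e.g. `if (!mClientInfoSet) UnixError::throwMe(EINVAL);`, or zero the members in the default constructor. The member comment `// disallow resetting client info` also does not match the code, since neither `setClientInfo()` overload checks the flag. As far as this section shows, the header also has no include guard.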
// child - track a single child process and its belongings
//
#include "child.h"
+#include "dtrace.h"
#include <security_utilities/debugging.h>
//
// If the ServerChild is destroyed, kill its process, nice or hard.
//
-// In case you wonder about the tango below, it's making sure we
+// In case you wonder about the tango below, it's making sure we
// get to "It's dead, Jim" with the minimum number of checkChildren()
// calls while still working correctly if this is the only thread alive.
//
if (state() == dead) {
// our child died
secdebug("serverchild", "%p (pid %d) died before checking in", this, pid());
+ SECURITYD_CHILD_STILLBORN(this->pid());
} else if (ready()) {
// child has checked in and is ready for service
secdebug("serverchild", "%p (pid %d) ready for service on port %d",
this, pid(), mServicePort.port());
+ SECURITYD_CHILD_READY(this->pid());
} else
assert(false); // how did we ever get here?!
}
//
void ServerChild::dying()
{
+ SECURITYD_CHILD_DYING(this->pid());
secdebug("serverchild", "%p is dead; resuming parent thread (if any)", this);
mCheckinCond.signal();
}
secdebug("serverchild", "%p (pid %d) checking in; resuming parent thread",
child, pid);
}
+ SECURITYD_CHILD_CHECKIN(pid, servicePort);
child->mCheckinCond.signal();
} else {
// Child has died; is wrong kind; or spurious checkin.
// If it was a proper child, death notifications will wake up the parent thread
secdebug("serverchild", "pid %d not in child set; checkin ignored", pid);
+ SECURITYD_CHILD_CHECKIN(pid, 0);
}
}
//
#include "clientid.h"
#include "server.h"
-#include "osxcodewrap.h"
+#include <Security/SecCodePriv.h>
//
//
void ClientIdentification::setup(pid_t pid)
{
- if (IFDEBUG(OSStatus rc =)SecCodeCreateWithPID(pid, kSecCSDefaultFlags,
+ StLock<Mutex> _(mLock);
+ if (OSStatus rc = SecCodeCreateWithPID(pid, kSecCSDefaultFlags,
&mClientProcess.aref()))
- secdebug("clientid", "could not get code for process %d: OSStatus=%ld",
- pid, rc);
+ secdebug("clientid", "could not get code for process %d: OSStatus=%d",
+ pid, int32_t(rc));
+ mGuests.erase(mGuests.begin(), mGuests.end());
}
{
CFRef<CFURLRef> path;
if (OSStatus rc = SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
- Debug::dump("unknown(rc=%ld)", rc);
+ Debug::dump("unknown(rc=%d)", int32_t(rc));
else
Debug::dump("%s", cfString(path).c_str());
}
/*
- * Copyright (c) 2003-2007 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2003-2008 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#include "codesigdb.h"
#include "process.h"
#include "server.h"
-#include "osxcodewrap.h"
#include "agentquery.h"
#include <security_utilities/memutils.h>
#include <security_utilities/logging.h>
+#include <Security/SecRequirementPriv.h>
//
// The legacy hash is ignored (it's for use by pre-Leopard systems).
secdebug("codesign", "CS requirement present; ignoring legacy hashes");
Server::active().longTermActivity();
- switch (IFDEBUG(OSStatus rc =) SecCodeCheckValidity(code, kSecCSDefaultFlags, requirement)) {
+ switch (OSStatus rc = SecCodeCheckValidity(code, kSecCSDefaultFlags, requirement)) {
case noErr:
secdebug("codesign", "CS verify passed");
return true;
secdebug("codesign", "CS verify against unsigned binary failed");
return false;
default:
- secdebug("codesign", "CS verify failed OSStatus=%ld", rc);
+ secdebug("codesign", "CS verify failed OSStatus=%d", int32_t(rc));
return false;
}
}
return noErr;
}
default:
- secdebug("codesign", "validation fails with rc=%ld, rejecting", rc);
+ secdebug("codesign", "validation fails with rc=%d, rejecting", int32_t(rc));
return rc;
}
secdebug("codesign", "does not withstand strict scrutiny; ask the user");
return false;
}
+#if CONSULT_LEGACY_CODE_EQUIVALENCE_DATABASE
+
// Ah well. Establish mediator objects for database signature links
AclIdentity aclIdentity(signature, path);
mDb.flush();
secdebug("codesign", "new linkages established: pass");
return true;
+
+#else /* ignore Code Equivalence Database */
+
+ return false;
+
+#endif
}
/*
- * Copyright (c) 2000-2007 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2000-2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
// bump the send-rights count on the reply port so we keep the right after replying
mClientPort.modRefs(MACH_PORT_RIGHT_SEND, +1);
- secdebug("SS", "New connection %p for process %d clientport=%d",
- this, process().pid(), int(rPort));
+ SECURITYD_CLIENT_CONNECTION_NEW(this, rPort, &proc);
}
//
Connection::~Connection()
{
- secdebug("SS", "Connection %p destroyed", this);
+ SECURITYD_CLIENT_CONNECTION_RELEASE(this);
assert(!agentWait);
}
case busy:
state = dying; // shoot me soon, please
if (agentWait)
- agentWait->destroy();
+ agentWait->disconnect();
secdebug("SS", "Connection %p abort deferred (busy)", this);
break;
default:
// into the Big Bad Void as Connections and processes drop out from
// under them.
//
-void Connection::beginWork()
+void Connection::beginWork(audit_token_t &auditToken)
{
+ // assume the audit token will be valid for the Connection's lifetime
+ // (but no longer)
+ mAuditToken = &auditToken;
switch (state) {
case idle:
state = busy;
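Review bot: `beginWork` stores the address of its reference parameter in `mAuditToken`, and the added comment says the token is valid for the Connection's lifetime, but `endWork` resets the pointer to NULL, so it is really valid for one work frame only. I would reword the comment to `// borrowed pointer: valid only between beginWork() and endWork(), NULL otherwise`. Callers of `auditToken()` (declared in connection.h) then have to handle NULL, which `AuditLogger::setClientInfo(const audit_token_t *)` guards only with `assert(srcToken)`. The body of `beginWork` continues outside the hunk, so it is not visible whether an early exit from the `switch` leaves the pointer set.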
void Connection::endWork(CSSM_RETURN &rcode)
{
+ mAuditToken = NULL;
+
switch (state) {
case busy:
if (mOverrideReturn && rcode == CSSM_OK)
/*
- * Copyright (c) 2000-2007 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2000-2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#ifndef _H_CONNECTION
#define _H_CONNECTION
-#include <security_agent_client/agentclient.h>
#include "process.h"
#include "session.h"
#include "notifications.h"
+#include <bsm/libbsm.h> // audit_token_t
#include <string>
using MachPlusPlus::Port;
class Session;
+// define the minimum interface Connection requires for classes wanting to
+// participate in SecurityAgent/authorizationhost IPCs (defined here rather
+// than agentquery.h to avoid circularity in headers)
+class SecurityAgentConnectionInterface
+{
+public:
+ virtual void disconnect() = 0;
+};
//
// A Connection object represents an established connection between a client
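Review bot: `SecurityAgentConnectionInterface` is a polymorphic base with a pure virtual `disconnect()` but no virtual destructor. In the lines shown `Connection` appears to keep only an observing `agentWait` pointer, so nothing deletes through this type today, but a later `delete` through it would be undefined behavior. Adding `virtual ~SecurityAgentConnectionInterface() { }` costs nothing and matches `SecurityAgentConnection`, which already declares a virtual destructor.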
// Code Signing guest management - tracks current guest id in client
SecGuestRef guestRef() const { return mGuestRef; }
void guestRef(SecGuestRef newGuest, SecCSFlags flags = 0);
+
+ audit_token_t *auditToken() const { return mAuditToken; }
// work framing - called as work threads pick up connection work
- void beginWork(); // I've got it
+ void beginWork(audit_token_t &auditToken); // I've got it
void checkWork(); // everything still okay?
void endWork(CSSM_RETURN &rcode); // Done with this
// notify that a SecurityAgent call may hang the active worker thread for a while
- void useAgent(SecurityAgent::Client *client)
+ void useAgent(SecurityAgentConnectionInterface *client)
{ StLock<Mutex> _(*this); agentWait = client; }
// set an overriding CSSM_RETURN to return instead of success
// peer state: established during connection startup; fixed thereafter
Port mClientPort; // client's Mach reply port
SecGuestRef mGuestRef; // last known Code Signing guest reference for this client thread
+ audit_token_t *mAuditToken; // in case auditing is required
CSSM_RETURN mOverrideReturn; // override successful return code (only)
// transient state (altered as we go)
busy, // a thread is busy servicing us
dying // busy and scheduled to die as soon as possible
} state;
- SecurityAgent::Client *agentWait; // SA client session we may be waiting on
+ SecurityAgentConnectionInterface *agentWait; // SA connection we may be waiting on
};
/*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004,2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
namespace Authorization {
// default credential: invalid for everything, needed as a default session credential
-CredentialImpl::CredentialImpl() : mUid(0), mShared(false), mName(""), mRealname(""), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(false), mRight(false)
+CredentialImpl::CredentialImpl() : mShared(false), mRight(false), mRightName(""), mGroupName(""), mUid(0), mUserName(""), mRealName(""), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(false)
{
}
// only for testing whether this credential is usable
-CredentialImpl::CredentialImpl(const uid_t uid, const string &username, const string &realname, bool shared) : mUid(uid), mShared(shared), mName(username), mRealname(realname), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(true), mRight(false)
+CredentialImpl::CredentialImpl(const uid_t uid, const string &username, const string &realname, const string &groupname, bool shared) : mShared(shared), mRight(false), mRightName(""), mGroupName(groupname), mUid(uid), mUserName(username), mRealName(realname), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(true)
{
}
-CredentialImpl::CredentialImpl(const string &username, const string &password, bool shared) : mShared(shared), mName(username), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(false), mRight(false)
+CredentialImpl::CredentialImpl(const string &username, const string &password, bool shared) : mShared(shared), mRight(false), mRightName(""), mGroupName(""), mUserName(username), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(false)
{
Server::active().longTermActivity();
const char *user = username.c_str();
}
mUid = pw->pw_uid;
- mName = pw->pw_name;
- mRealname = pw->pw_gecos;
+ mUserName = pw->pw_name;
+ mRealName = pw->pw_gecos;
const char *passwd = password.c_str();
int checkpw_status = checkpw_internal(pw, passwd);
} while (0);
}
-CredentialImpl::CredentialImpl(const string &right, bool shared) : mUid(-2), mShared(shared), mName(right), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(true), mRight(true)
+// least-privilege
+ // @@@ arguably we don't care about the UID any more and should not
+ // require it in this ctor
+CredentialImpl::CredentialImpl(const string &right, const uid_t uid, bool shared) : mShared(shared), mRight(true), mRightName(right), mGroupName(""), mUid(uid), mUserName(""), mRealName(""), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(true)
{
}
bool
CredentialImpl::operator < (const CredentialImpl &other) const
{
- if (!mShared && other.mShared)
- return true;
- if (!other.mShared && mShared)
- return false;
-
- return mUid < other.mUid;
+ // Desired ordering characteristics:
+ //
+ // - unshared before shared
+ // - least privilege before non-least privilege
+ // - for least privilege credentials with the same sharing characteristics,
+ // order on the basis of right strings
+ // - orthographic order of group names
+ //
+ // UID used to be the primary distinguishing element, but it can't be
+ // trusted--it's gathered as a side effect, potentially by an external
+ // process.
+ //
+ // Nothing is sacred about this ordering; we just had to pick something.
+
+ if (!mShared && other.mShared)
+ return true;
+ if (!other.mShared && mShared)
+ return false;
+ if (mRight && !other.mRight)
+ return true;
+ if (!mRight && other.mRight)
+ return false;
+ if (mRight && other.mRight)
+ return mRightName < other.mRightName;
+ else
+ return mGroupName < other.mGroupName;
}
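Review bot: In `operator <`, two non-right credentials with the same sharing flag now compare equivalent whenever their `mGroupName` strings match, and the username/password constructor in this file sets `mGroupName("")`. Credentials for different users would therefore collapse to a single entry in a set or map ordered by this operator, at least until `setGroupname()` is called. If that is intended (the comment says the UID can't be trusted), the comment block should say so, e.g. `// NOTE: credentials that differ only in user compare equal`. Otherwise add a tie-breaker after the group-name comparison on a field the daemon established itself.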
// Returns true if this CredentialImpl should be shared.
void
CredentialImpl::merge(const CredentialImpl &other)
{
- assert(mUid == other.mUid);
+ // try to ensure that the credentials are the same type
+ assert(mRight == other.mRight);
+ if (mRight)
+ assert(mRightName == other.mRightName);
+ else
+ assert(mGroupName == other.mGroupName);
- if (other.mValid && (!mValid || mCreationTime < other.mCreationTime))
- {
- mCreationTime = other.mCreationTime;
- mValid = true;
- }
+ if (other.mValid && (!mValid || mCreationTime < other.mCreationTime))
+ {
+ mCreationTime = other.mCreationTime;
+ mValid = true;
+ }
}
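Review bot: The type checks at the top of `merge` are `assert`s only, so in a build with NDEBUG nothing stops a credential from being refreshed (`mValid = true`, newer `mCreationTime`) by one for a different right or group. Because this decides whether a credential is still usable, a check that survives release builds would be safer, for example returning early when `mRight != other.mRight` or the relevant name differs. Whether the project ships with assertions enabled is not visible here.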
// The time at which this credential was obtained.
{
}
-Credential::Credential(const uid_t uid, const string &username, const string &realname, bool shared) :
-RefPointer<CredentialImpl>(new CredentialImpl(uid, username, realname, shared))
+Credential::Credential(const uid_t uid, const string &username, const string &realname, const string &groupname, bool shared) :
+RefPointer<CredentialImpl>(new CredentialImpl(uid, username, realname, groupname, shared))
{
}
{
}
-Credential::Credential(const string &right, bool shared) : RefPointer<CredentialImpl>(new CredentialImpl(right, shared))
+Credential::Credential(const string &right, const uid_t uid, bool shared) : RefPointer<CredentialImpl>(new CredentialImpl(right, uid, shared))
{
}
/*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004,2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#include <set>
namespace Authorization {
+
+ // There should be an abstract base class for Credential so we can have
+ // different kinds, e.g., those associated with smart-card auth, or those
+ // not requiring authentication as such at all. (<rdar://problem/6556724>)
/* Credentials are less than comparable so they can be put in sets or maps. */
class CredentialImpl : public RefCount
{
public:
CredentialImpl();
- CredentialImpl(const uid_t uid, const string &username, const string &realname, bool shared);
+ CredentialImpl(const uid_t uid, const string &username, const string &realname, const string &groupname, bool shared);
CredentialImpl(const string &username, const string &password, bool shared);
- CredentialImpl(const string &right, bool shared);
+ CredentialImpl(const string &right, const uid_t uid, bool shared);
~CredentialImpl();
bool operator < (const CredentialImpl &other) const;
// We could make Rule a friend but instead we just expose this for now
inline const uid_t uid() const { return mUid; }
- inline const string& name() const { return mName; }
- inline const string& realname() const { return mRealname; }
+ inline const string& username() const { return mUserName; }
+ inline const string& realname() const { return mRealName; }
inline const bool isRight() const { return mRight; }
+ inline const string &rightname() const { return mRightName; }
+ inline const string &groupname() const { return mGroupName; }
+
+ // sometimes the Credential exists before we've validated it, so we need
+ // a setter for group name
+ inline void setGroupname(const string &group) { mGroupName = group; }
+
private:
- // Key
- uid_t mUid;
-
- // True iff this credential is shared.
- bool mShared;
+ bool mShared; // credential is shared
+ bool mRight; // is least-privilege credential
+ string mRightName; // least-privilege name
+ string mGroupName; // if it's not least-priv, it boils down to
+ // user-in-group
- // Fields below are not used by less than operator
+ // Fields below are not used by less-than operator
- // The username of the user that provided his password.
- string mName;
- string mRealname;
+ // The user that provided his password.
+ uid_t mUid;
+ string mUserName;
+ string mRealName;
CFAbsoluteTime mCreationTime;
bool mValid;
- bool mRight;
};
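Review bot: `setGroupname()` changes `mGroupName`, which the new `operator <` uses as an ordering key, and the class comment says these objects are meant to be put in sets or maps. Changing the key of an element that is already stored in an ordered container breaks the container's invariant, so later lookups can miss it or insert a duplicate. The setter should carry a comment such as `// must only be called before the credential is inserted into any set or map`, or callers should remove, update and re-insert.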
/* Credentials are less than comparable so they can be put in sets or maps. */
public:
Credential();
Credential(CredentialImpl *impl);
- Credential(const uid_t uid, const string &username, const string &realname, bool shared);
+ Credential(const uid_t uid, const string &username, const string &realname, const string &groupname, bool shared);
Credential(const string &username, const string &password, bool shared);
- Credential(const string &right, bool shared);
+ Credential(const string &right, const uid_t uid, bool shared);
~Credential();
bool operator < (const Credential &other) const;
//
#include "csproxy.h"
#include "server.h"
+#include <Security/SecStaticCode.h>
#include <securityd_client/cshosting.h>
+#include <security_utilities/cfmunge.h>
//
case dynamicHosting:
mHostingPort.destroy();
mHostingPort = MACH_PORT_NULL;
+ SECURITYD_HOST_UNREGISTER(DTSELF);
break;
case proxyHosting:
Server::active().remove(*this); // unhook service handler
mHostingState = noHosting;
mHostingPort = MACH_PORT_NULL;
mGuests.erase(mGuests.begin(), mGuests.end());
+ SECURITYD_HOST_UNREGISTER(DTSELF);
break;
}
}
for (;;) {
if (Guest *guest = findGuest(host))
if (guest->dedicated) {
- secdebug("hosting", "%p selecting dedicated guest %p of %p", this, guest, host);
host = guest;
continue;
}
if (CFNumberRef canonical = attrs.get<CFNumberRef>(kSecGuestAttributeCanonical)) {
// direct lookup by SecGuestRef (canonical guest handle)
SecGuestRef guestRef = cfNumber<SecGuestRef>(canonical);
- secdebug("hosting", "host %p looking for guest handle 0x%x", host, guestRef);
if (Guest *guest = findGuest(guestRef, true)) // found guest handle
- if (guest->isGuestOf(host, loose)) {
- secdebug("hosting", "found guest %p, continuing search", guest);
+ if (guest->isGuestOf(host, loose))
host = guest; // new starting point
- } else
+ else
MacOSError::throwMe(errSecCSNoSuchCode); // not a guest of given host
else
MacOSError::throwMe(errSecCSNoSuchCode); // not there at all
CFTypeRef keys[count], values[count];
CFDictionaryGetKeysAndValues(attrs, keys, values);
for (;;) {
- secdebug("hosting", "searching host %p by attributes", host);
Guest *match = NULL; // previous match found
for (GuestMap::const_iterator it = mGuests.begin(); it != mGuests.end(); ++it)
if (it->second->isGuestOf(host, strict))
MacOSError::throwMe(errSecCSMultipleGuests); // ambiguous
else
match = it->second;
- if (!match) { // nothing found
- secdebug("hosting", "nothing found, returning %p", host);
+ if (!match) // nothing found
return host;
- } else {
- secdebug("hosting", "found guest %p, continuing", match);
+ else
host = match; // and repeat
- }
}
}
{
switch (mHostingState) {
case noHosting:
- secdebug("hosting", "%p registering for dynamic hosting on port %d",
- this, hostingPort);
mHostingPort = hostingPort;
mHostingState = dynamicHosting;
+ SECURITYD_HOST_REGISTER(DTSELF, mHostingPort);
break;
default:
MacOSError::throwMe(errSecCSHostProtocolContradiction);
// This engages proxy hosting mode, and is incompatible with dynamic hosting mode.
//
SecGuestRef CodeSigningHost::createGuest(SecGuestRef hostRef,
- uint32_t status, const char *path, const CssmData &attributes, SecCSFlags flags)
+ uint32_t status, const char *path,
+ const CssmData &cdhash, const CssmData &attributes, SecCSFlags flags)
{
- secdebug("hosting", "%p create guest from host %d", this, hostRef);
-
if (path[0] != '/') // relative path (relative to what? :-)
MacOSError::throwMe(errSecCSHostProtocolRelativePath);
+ if (cdhash.length() > maxUcspHashLength)
+ MacOSError::throwMe(errSecCSHostProtocolInvalidHash);
// set up for hosting proxy services if nothing's there yet
switch (mHostingState) {
- case noHosting:
+ case noHosting: // first hosting call, this host
// set up proxy hosting
- mHostingPort.allocate();
- MachServer::Handler::port(mHostingPort);
- MachServer::active().add(*this);
- mHostingState = proxyHosting;
- secdebug("hosting", "%p created hosting port %d for proxy hosting", this, mHostingPort.port());
+ mHostingPort.allocate(); // allocate service port
+ MachServer::Handler::port(mHostingPort); // put into Handler
+ MachServer::active().add(*this); // start listening
+ mHostingState = proxyHosting; // now proxying for this host
+ SECURITYD_HOST_PROXY(DTSELF, mHostingPort);
break;
- case proxyHosting:
- break; // all set
- case dynamicHosting:
+ case proxyHosting: // already proxying
+ break;
+ case dynamicHosting: // in dynamic mode, can't switch
MacOSError::throwMe(errSecCSHostProtocolContradiction);
}
RefPointer<Guest> host = findHost(hostRef);
- RefPointer<Guest> knownGuest = findGuest(host);
- if ((flags & kSecCSDedicatedHost) && knownGuest)
- MacOSError::throwMe(errSecCSHostProtocolDedicationError); // can't dedicate with other guests
- else if (knownGuest && knownGuest->dedicated)
- MacOSError::throwMe(errSecCSHostProtocolDedicationError); // other guest is already dedicated
+ if (RefPointer<Guest> knownGuest = findGuest(host)) // got a guest already
+ if (flags & kSecCSDedicatedHost)
+ MacOSError::throwMe(errSecCSHostProtocolDedicationError); // can't dedicate with other guests
+ else if (knownGuest->dedicated)
+ MacOSError::throwMe(errSecCSHostProtocolDedicationError); // other guest is already dedicated
// create the new guest
RefPointer<Guest> guest = new Guest;
guest->status = status;
guest->path = path;
guest->setAttributes(attributes);
+ guest->setHash(cdhash, flags & kSecCSGenerateGuestHash);
guest->dedicated = (flags & kSecCSDedicatedHost);
mGuests[guest->guestRef()] = guest;
- secdebug("hosting", "guest 0x%x created %sstatus=0x%x path=%s",
- guest->guestRef(), guest->dedicated ? "dedicated " : "", guest->status, guest->path.c_str());
+ SECURITYD_GUEST_CREATE(DTSELF, hostRef, guest->guestRef(), guest->status, flags, (char *)guest->path.c_str());
+ if (SECURITYD_GUEST_CDHASH_ENABLED())
+ SECURITYD_GUEST_CDHASH(DTSELF, guest->guestRef(),
+ (void*)CFDataGetBytePtr(guest->cdhash), CFDataGetLength(guest->cdhash));
return guest->guestRef();
}
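Review bot: The `SECURITYD_GUEST_CDHASH` probe at the end of `createGuest` passes `guest->cdhash` to `CFDataGetBytePtr` and `CFDataGetLength` without checking it. `setHash` leaves `cdhash` unset when no hash is given, none is in the attributes and `kSecCSGenerateGuestHash` is not set, and `cshosting_server_identifyGuest` does test `if (guest->cdhash)` for that reason. With the probe enabled, a null reference would be handed to CoreFoundation. Guard it: `if (SECURITYD_GUEST_CDHASH_ENABLED() && guest->cdhash)`.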
void CodeSigningHost::setGuestStatus(SecGuestRef guestRef, uint32_t status, const CssmData &attributes)
{
- secdebug("hosting", "%p set guest 0x%x", this, guestRef);
if (mHostingState != proxyHosting)
MacOSError::throwMe(errSecCSHostProtocolNotProxy);
Guest *guest = findGuest(guestRef);
// state modification machine
- if ((status & ~guest->status) & CS_VALID)
+ if ((status & ~guest->status) & kSecCodeStatusValid)
MacOSError::throwMe(errSecCSHostProtocolStateError); // can't set
- if ((~status & guest->status) & (CS_HARD | CS_KILL))
+ if ((~status & guest->status) & (kSecCodeStatusHard | kSecCodeStatusKill))
MacOSError::throwMe(errSecCSHostProtocolStateError); // can't clear
guest->status = status;
+ SECURITYD_GUEST_CHANGE(DTSELF, guestRef, status);
// replace attributes if requested
if (attributes)
//
void CodeSigningHost::removeGuest(SecGuestRef hostRef, SecGuestRef guestRef)
{
- secdebug("hosting", "%p removes guest %d from host %d", this, guestRef, hostRef);
if (mHostingState != proxyHosting)
MacOSError::throwMe(errSecCSHostProtocolNotProxy);
RefPointer<Guest> host = findHost(hostRef);
if (!guest->isGuestOf(host, strict))
MacOSError::throwMe(errSecCSHostProtocolUnrelated);
for (GuestMap::iterator it = mGuests.begin(); it != mGuests.end(); ++it)
- if (it->second->isGuestOf(guest, loose))
+ if (it->second->isGuestOf(guest, loose)) {
+ SECURITYD_GUEST_DESTROY(DTSELF, it->first);
mGuests.erase(it);
+ }
}
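Review bot: The loop in `removeGuest` still calls `mGuests.erase(it)` and then lets the `for` header run `++it` on the erased iterator. If `GuestMap` is a `std::map` (its declaration is not in this hunk) that is undefined behaviour, and adding the braces was a good moment to fix it. Move the increment into the body: `mGuests.erase(it++);` in the matching branch and `++it;` otherwise, with an empty increment clause in the `for`. The start of the function is outside this hunk.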
// The internal Guest object
//
CodeSigningHost::Guest::~Guest()
-{
- secdebug("hosting", "guest %ld destroyed", handle());
-}
+{ }
void CodeSigningHost::Guest::setAttributes(const CssmData &attrData)
{
CFRef<CFNumberRef> guest = makeCFNumber(guestRef());
if (attrData) {
- CFRef<CFDictionaryRef> inputDict = makeCFDictionaryFrom(attrData.data(), attrData.length());
- CFRef<CFMutableDictionaryRef> dict = CFDictionaryCreateMutableCopy(NULL, 0, inputDict);
- CFDictionaryAddValue(dict, kSecGuestAttributeCanonical, guest);
- attributes.take(dict);
+ attributes.take(cfmake<CFDictionaryRef>("{+%O,%O=%O}",
+ makeCFDictionaryFrom(attrData.data(), attrData.length()), kSecGuestAttributeCanonical, guest.get()));
} else {
attributes.take(makeCFDictionary(1, kSecGuestAttributeCanonical, guest.get()));
}
}
+CFDataRef CodeSigningHost::Guest::attrData() const
+{
+ if (!mAttrData)
+ mAttrData = makeCFData(this->attributes.get());
+ return mAttrData;
+}
+
+
+void CodeSigningHost::Guest::setHash(const CssmData &given, bool generate)
+{
+ if (given.length()) // explicitly given
+ this->cdhash.take(makeCFData(given));
+ else if (CFTypeRef hash = CFDictionaryGetValue(this->attributes, kSecGuestAttributeHash))
+ if (CFGetTypeID(hash) == CFDataGetTypeID())
+ this->cdhash = CFDataRef(hash);
+ else
+ MacOSError::throwMe(errSecCSHostProtocolInvalidHash);
+ else if (generate) { // generate from path (well, try)
+ CFRef<SecStaticCodeRef> code;
+ MacOSError::check(SecStaticCodeCreateWithPath(CFTempURL(this->path), kSecCSDefaultFlags, &code.aref()));
+ CFRef<CFDictionaryRef> info;
+ MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
+ this->cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
+ }
+}
+
bool CodeSigningHost::Guest::isGuestOf(Guest *host, GuestCheck check) const
{
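Review bot: `setHash` bounds the hash length only for the explicitly given value, through the `maxUcspHashLength` check in `createGuest`. A `kSecGuestAttributeHash` entry taken from the host-supplied attribute dictionary, or a value generated from the path, is stored at whatever length it has. `cshosting_server_identifyGuest` later copies `cdhash` into the caller's `hash` buffer with only `assert(*hashLength <= maxUcspHashLength)` in front of the `memcpy`, and that check disappears in a build without assertions. Reject oversized data where it is stored, e.g. after the type check: `if (CFDataGetLength(CFDataRef(hash)) > maxUcspHashLength) MacOSError::throwMe(errSecCSHostProtocolInvalidHash);`, and turn the assert in identifyGuest into a real check. The unbraced nested `if`/`else` chain would also be easier to audit with braces.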
//
// Retrieve the path to a guest specified by canonical reference.
//
-kern_return_t cshosting_server_guestPath(CSH_ARGS, SecGuestRef guestRef, char *path)
+kern_return_t cshosting_server_identifyGuest(CSH_ARGS, SecGuestRef guestRef,
+ char *path, char *hash, uint32_t *hashLength, DATA_OUT(attributes))
{
BEGIN_IPC
- strncpy(path, context()->findGuest(guestRef)->path.c_str(), MAXPATHLEN);
+ CodeSigningHost::Guest *guest = context()->findGuest(guestRef);
+ strncpy(path, guest->path.c_str(), MAXPATHLEN);
+
+ // canonical cdhash
+ if (guest->cdhash) {
+ *hashLength = CFDataGetLength(guest->cdhash);
+ assert(*hashLength <= maxUcspHashLength);
+ memcpy(hash, CFDataGetBytePtr(guest->cdhash), *hashLength);
+ } else
+ *hashLength = 0; // unavailable
+
+ // visible attributes. This proxy returns all attributes set by the host
+ CFDataRef attrData = guest->attrData(); // (the guest will cache this until it dies)
+ *attributes = (void *)CFDataGetBytePtr(attrData); // MIG botch (it doesn't need a writable pointer)
+ *attributesLength = CFDataGetLength(attrData);
+
END_IPC
}
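Review bot: `strncpy(path, guest->path.c_str(), MAXPATHLEN)` leaves `path` without a terminating NUL when the stored path is MAXPATHLEN bytes or longer, and `createGuest` only checks that the path starts with '/', not its length. A client that treats the reply as a C string would then read past the buffer. Use `strlcpy(path, guest->path.c_str(), MAXPATHLEN);` or reject over-long paths in `createGuest`. The size of the MIG buffer behind `path` is not visible in this hunk, so confirm it is MAXPATHLEN.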
uint32_t status; // dynamic status
std::string path; // canonical code path
CFRef<CFDictionaryRef> attributes; // matching attributes set
+ CFRef<CFDataRef> cdhash; // hash of CodeDirectory as specified by host
bool dedicated; // host is dedicated (and this is the only guest)
operator bool() const { return attributes; } // exists
SecGuestRef guestRef() const { return handle(); }
void setAttributes(const CssmData &attrData);
+ CFDataRef attrData() const;
+ void setHash(const CssmData &given, bool generate);
bool isGuestOf(Guest *host, GuestCheck check) const;
bool matches(CFIndex count, CFTypeRef keys[], CFTypeRef values[]) const;
IFDUMP(void dump() const);
+
+ private:
+ mutable CFRef<CFDataRef> mAttrData; // XML form of attributes (must live until guest destruction)
};
void registerCodeSigning(mach_port_t hostingPort, SecCSFlags flags);
Port hostingPort() const { return mHostingPort; }
SecGuestRef createGuest(SecGuestRef guest,
- uint32_t status, const char *path, const CssmData &attributes, SecCSFlags flags);
+ uint32_t status, const char *path,
+ const CssmData &cdhash, const CssmData &attributes, SecCSFlags flags);
void setGuestStatus(SecGuestRef guest, uint32_t status, const CssmData &attributes);
void removeGuest(SecGuestRef host, SecGuestRef guest);
// nothing
}
+bool DbCommon::belongsToSystem() const
+{
+ return false;
+}
+
void Database::releaseKey(Key &key)
{
return dbAcl;
}
-GenericHandle Database::aclHandle() const
-{
- return HandleObject::handle();
-}
-
//
// Remote validation is not, by default, supported
#include "dbcrypto.h"
#include "notifications.h"
#include <security_utilities/utilities.h>
-#include <security_cdsa_utilities/handleobject.h>
+#include <security_cdsa_utilities/u32handleobject.h>
#include <security_cdsa_utilities/cssmdb.h>
#include <security_utilities/machserver.h>
#include <security_agent_client/agentclient.h>
virtual void sleepProcessing(); // generic action on system sleep
virtual void lockProcessing(); // generic action on "lock" requests
+
+ virtual bool belongsToSystem() const; // belongs to system (root) security domain
protected:
void notify(NotificationEvent event, const DLDbIdentifier &ident);
public:
// SecurityServerAcl personality
AclKind aclKind() const;
- GenericHandle aclHandle() const;
Database *relatedDatabase();
+ bool belongsToSystem() const { return common().belongsToSystem(); }
+
public:
// support ACL remote secret validation (default is no support)
virtual bool validateSecret(const AclSubject *subject, const AccessCredentials *cred);
--- /dev/null
+/*
+ * Copyright (c) 2007 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+//
+// dtrace - dtrace support in securityd
+//
+#ifndef _H_DTRACE
+#define _H_DTRACE
+
+
+//
+// Typedefs used in the DTrace static probe interface
+//
+typedef const void *DTHandle;
+typedef uint32_t DTPort;
+typedef uint32_t DTGuest;
+
+
+#define DTHANDLE(it) (dynamic_cast<const void *>((it)))
+#define DTSELF DTHANDLE(this)
+
+
+#include "securityd_dtrace.h"
+
+
+
+#endif //_H_DTRACE
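Review bot: `DTHANDLE` has no comment explaining why it uses `dynamic_cast<const void *>`, which is not obvious to a reader. I would add `// dynamic_cast to void* yields the address of the most-derived object, so probes fired from base and derived classes report the same handle; the operand must point to a polymorphic type`. The header also uses `uint32_t` without including `<stdint.h>`, so it relies on every includer having pulled that in first.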
// file that some fool administrator removed yesterday.
//
#include "entropy.h"
+#include "dtrace.h"
#include <sys/sysctl.h>
#include <mach/clock_types.h>
#include <errno.h>
//
void EntropyManager::collectEntropy()
{
+ SECURITYD_ENTROPY_COLLECT();
int mib[4];
mib[0] = CTL_KERN;
mib[1] = KERN_KDEBUG;
mib[3] = 1; // milliseconds maximum delay
mach_timespec_t timings[timingsToCollect];
size_t size = sizeof(timings);
- int ret = sysctl(mib, 4, timings, &size, NULL, 0);
- if (ret == -1) {
+ if (sysctl(mib, 4, timings, &size, NULL, 0)) {
Syslog::alert("entropy collection failed (errno=%d)", errno);
return;
}
+ size /= sizeof(mach_timespec_t); // convert to element count
+ if (size > timingsToCollect)
+ size = timingsToCollect; // pure paranoia
char buffer[timingsToCollect];
+ size /= sizeof(mach_timespec_t); // convert to element count
+ if (size > timingsToCollect)
+ size = timingsToCollect; // pure paranoia
for (unsigned n = 0; n < size; n++)
buffer[n] = timings[n].tv_nsec; // truncating to LSB
secdebug("entropy", "Entropy size %d: %02x %02x %02x %02x %02x %02x %02x %02x...",
(unsigned char)buffer[0], (unsigned char)buffer[1], (unsigned char)buffer[2],
(unsigned char)buffer[3], (unsigned char)buffer[4], (unsigned char)buffer[5],
(unsigned char)buffer[6], (unsigned char)buffer[7]);
+ SECURITYD_ENTROPY_SEED((void *)buffer, size);
addEntropy(buffer, size);
}
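Review bot: As shown, the three added lines that convert `size` to an element count (`size /= sizeof(mach_timespec_t);` plus the clamp) appear twice, once before and once after `char buffer[timingsToCollect];`. If both copies are in the new file, `size` is divided twice and only a fraction of the collected timings reaches `SECURITYD_ENTROPY_SEED` and `addEntropy`, which silently reduces the entropy fed to the pool. Keep a single copy. If the repetition is an artefact of how this diff was assembled, no change is needed.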
{
if (Time::now() >= mNextUpdate) {
try {
+ SECURITYD_ENTROPY_SAVE((char *)mEntropyFilePath.c_str());
mNextUpdate = Time::now() + Time::Interval(updateInterval);
secdebug("entropy", "updating %s", mEntropyFilePath.c_str());
char buffer[entropyFileSize];
/*
- * Copyright (c) 2000-2007 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2000-2008 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
// this new keychain is unlocked; make it so
activity();
- secdebug("KCdb", "database %s(%p) created, common at %p",
- common().dbName(), this, &common());
+ SECURITYD_KEYCHAIN_CREATE(&common(), (char*)this->dbName(), this);
}
session.findFirst<KeychainDbCommon, const DbIdentifier &>(&KeychainDbCommon::identifier, ident)) {
parent(*dbcom);
//@@@ arbitrate sequence number here, perhaps update common().mParams
- secdebug("KCdb",
- "open database %s(%p) version %x at known common %p",
- common().dbName(), this, blob->version(), &common());
+ SECURITYD_KEYCHAIN_JOIN(&common(), (char*)this->dbName(), this);
} else {
// DbCommon not present; make a new one
parent(*new KeychainDbCommon(proc.session(), ident));
common().mParams = blob->params;
- secdebug("KCdb", "open database %s(%p) version %x with new common %p",
- common().dbName(), this, blob->version(), &common());
+ SECURITYD_KEYCHAIN_MAKE(&common(), (char*)this->dbName(), this);
// this DbCommon is locked; no timer or reference setting
}
proc.addReference(*this);
}
-//
+// recode/clone:
+//
// Special-purpose constructor for keychain synchronization. Copies an
// existing keychain but uses the operational keys from secretsBlob. The
// new KeychainDatabase will silently replace the existing KeychainDatabase
// securityd state, but we try to ensure that only the client that started
// the re-encoding can declare it done.
//
-KeychainDatabase::KeychainDatabase(KeychainDatabase &src, Process &proc,
- const DbBlob *secretsBlob, const CssmData &agentData)
+KeychainDatabase::KeychainDatabase(KeychainDatabase &src, Process &proc, DbHandle dbToClone)
: LocalDatabase(proc), mValidData(false), version(0), mBlob(NULL)
{
- validateBlob(secretsBlob);
-
- // get the passphrase to unlock secretsBlob
- QueryDBBlobSecret query;
- query.inferHints(proc);
- query.addHint(AGENT_HINT_KCSYNC_DICT, agentData.data(), agentData.length());
- DatabaseCryptoCore keysCore;
- if (query(keysCore, secretsBlob) != SecurityAgent::noReason)
- CssmError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED);
- // keysCore is now ready to yield its secrets to us
-
mCred = DataWalkers::copy(src.mCred, Allocator::standard());
// Give this KeychainDatabase a temporary name
common().setup(src.blob(), src.common().masterKey());
// import the operational secrets
- common().importSecrets(keysCore);
+ RefPointer<KeychainDatabase> srcKC = Server::keychain(dbToClone);
+ common().importSecrets(srcKC->common());
// import source keychain's ACL
CssmData pubAcl, privAcl;
common().dbName(), this, &common());
}
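Review bot: This constructor no longer asks for the passphrase of the secrets blob (the removed `QueryDBBlobSecret` block) and instead copies operational secrets from whatever keychain the `dbToClone` handle resolves to. Nothing visible in the hunk checks that the source keychain is unlocked or that `proc` is entitled to it. That may be enforced inside `Server::keychain()` or `importSecrets()`, but neither is shown. Please state the precondition in the header comment, for example `// dbToClone must refer to an unlocked keychain the calling process already has open; its secrets are copied without further authentication`, and confirm the callees enforce it.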
-
//
// Destroy a Database
//
// items until after this call.
//
// @@@ This specific implementation is a workaround for 4003540.
- std::vector<CSSM_HANDLE> handleList;
- HandleObject::findAllRefs<KeychainKey>(handleList);
+ std::vector<U32HandleObject::Handle> handleList;
+ U32HandleObject::findAllRefs<KeychainKey>(handleList);
size_t count = handleList.size();
if (count > 0) {
for (unsigned int n = 0; n < count; ++n) {
RefPointer<KeychainKey> kckey =
- HandleObject::findRefAndLock<KeychainKey>(handleList[n], CSSMERR_CSP_INVALID_KEY_REFERENCE);
+ U32HandleObject::findRefAndLock<KeychainKey>(handleList[n], CSSMERR_CSP_INVALID_KEY_REFERENCE);
StLock<Mutex> _(*kckey/*, true*/);
if (kckey->database().global().identifier() == identifier()) {
kckey->key(); // force decode
//
void KeychainDatabase::establishOldSecrets(const AccessCredentials *creds)
{
+ bool forSystem = this->belongsToSystem(); // this keychain belongs to the system security domain
+
+ // attempt system-keychain unlock
+ if (forSystem) {
+ SystemKeychainKey systemKeychain(kSystemUnlockFile);
+ if (systemKeychain.matches(mBlob->randomSignature)) {
+ secdebug("KCdb", "%p attempting system unlock", this);
+ common().setup(mBlob, CssmClient::Key(Server::csp(), systemKeychain.key(), true));
+ if (decode())
+ return;
+ }
+ }
+
list<CssmSample> samples;
if (creds && creds->samples().collect(CSSM_SAMPLE_TYPE_KEYCHAIN_LOCK, samples)) {
for (list<CssmSample>::iterator it = samples.begin(); it != samples.end(); it++) {
switch (sample.type()) {
// interactively prompt the user - no additional data
case CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT:
- if (interactiveUnlock())
- return;
- break;
+ if (!forSystem) {
+ if (interactiveUnlock())
+ return;
+ }
+ break;
// try to use an explicitly given passphrase - Data:passphrase
case CSSM_SAMPLE_TYPE_PASSWORD:
if (sample.length() != 2)
} else {
// default action
assert(mBlob);
-
- // attempt system-keychain unlock
- SystemKeychainKey systemKeychain(kSystemUnlockFile);
- if (systemKeychain.matches(mBlob->randomSignature)) {
- secdebug("KCdb", "%p attempting system unlock", this);
- common().setup(mBlob, CssmClient::Key(Server::csp(), systemKeychain.key(), true));
- if (decode())
+
+ if (!forSystem) {
+ if (interactiveUnlock())
return;
}
-
- if (interactiveUnlock())
- return;
}
// out of options - no secret obtained
switch (sample.type()) {
// interactively prompt the user
case CSSM_SAMPLE_TYPE_KEYCHAIN_PROMPT:
- {
+ {
secdebug("KCdb", "%p specified interactive passphrase", this);
QueryNewPassphrase query(*this, reason);
StSyncLock<Mutex, Mutex> uisync(common().uiLock(), common());
common().setup(NULL, passphrase);
return;
}
- }
+ }
break;
// try to use an explicitly given passphrase
case CSSM_SAMPLE_TYPE_PASSWORD:
|| sample[2].type() != CSSM_LIST_ELEMENT_DATUM
|| (requiredLength == 4 && sample[3].type() != CSSM_LIST_ELEMENT_DATUM))
CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
- CSSM_CSP_HANDLE &handle = *sample[1].data().interpretedAs<CSSM_CSP_HANDLE>(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
- CssmKey &key = *sample[2].data().interpretedAs<CssmKey>(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
+ KeyHandle &handle = *sample[1].data().interpretedAs<KeyHandle>(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
+ // We used to be able to check the length but supporting multiple client
+ // architectures dishes that (sizeof(CSSM_KEY) varies due to alignment and
+ // field-size differences). The decoding in the transition layer should
+ // serve as a sufficient garbling check anyway.
+ if (sample[2].data().data() == NULL)
+ CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);
+ CssmKey &key = *sample[2].data().interpretedAs<CssmKey>();
if (key.header().cspGuid() == gGuidAppleCSPDL) {
// handleOrKey is a SecurityServer KeyHandle; ignore key argument
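Review bot: With the length check dropped, `sample[2]` is only tested for a null data pointer before `key.header().cspGuid()` reads from it, so a client-supplied datum shorter than the key header would be read past its end. The comment explains why `sizeof(CSSM_KEY)` can't be compared, but a lower bound is still possible if the header layout is the same on all client architectures (to be confirmed): `if (sample[2].data().data() == NULL || sample[2].data().length() < sizeof(CssmKey::Header))`. The enclosing function starts outside this hunk.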
KeyBlob *KeychainDatabase::encodeKey(const CssmKey &key, const CssmData &pubAcl, const CssmData &privAcl)
{
bool inTheClear = false;
-
if((key.keyClass() == CSSM_KEYCLASS_PUBLIC_KEY) &&
!(key.attribute(CSSM_KEYATTR_PUBLIC_KEY_ENCRYPT))) {
inTheClear = true;
}
- if(!inTheClear) {
+ StLock<Mutex> _(common());
+ if(!inTheClear)
unlockDb();
- }
// tell the cryptocore to form the key blob
return common().encodeKeyCore(key, pubAcl, privAcl, inTheClear);
//
void KeychainDatabase::decodeKey(KeyBlob *blob, CssmKey &key, void * &pubAcl, void * &privAcl)
{
- if(!blob->isClearText()) {
+ StLock<Mutex> _(common());
+
+ if(!blob->isClearText())
unlockDb(); // we need our keys
- }
-
- common().decodeKeyCore(blob, key, pubAcl, privAcl);
- // memory protocol: pubAcl points into blob; privAcl was allocated
+
+ common().decodeKeyCore(blob, key, pubAcl, privAcl);
+ // memory protocol: pubAcl points into blob; privAcl was allocated
activity();
}
KeychainDbCommon::~KeychainDbCommon()
{
- secdebug("KCdb", "DbCommon %p destroyed", this);
+ SECURITYD_KEYCHAIN_RELEASE(this, (char*)this->dbName());
// explicitly unschedule ourselves
Server::active().clearTimer(this);
if (isLocked) {
// broadcast unlock notification, but only if we were previously locked
notify(kNotificationEventUnlocked);
+ SECURITYD_KEYCHAIN_UNLOCK(this, (char*)this->dbName());
}
return true;
}
{
StLock<Mutex> _(*this);
if (!isLocked()) {
- secdebug("KCdb", "common %s(%p) locking", dbName(), this);
DatabaseCryptoCore::invalidate();
notify(kNotificationEventLocked);
+ SECURITYD_KEYCHAIN_LOCK(this, (char*)this->dbName());
Server::active().clearTimer(this);
mIsLocked = true; // mark locked
}
+//
+// We consider a keychain to belong to the system domain if it resides
+// in /Library/Keychains. That's not exactly fool-proof, but we don't
+// currently have any internal markers to interrogate.
+//
+bool KeychainDbCommon::belongsToSystem() const
+{
+ if (const char *name = this->dbName())
+ return !strncmp(name, "/Library/Keychains/", 19);
+ return false;
+}
+
+
//
// Keychain global objects
//
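Review bot: `belongsToSystem` compares the raw database name against the prefix with a hand-counted length of 19, and the result now decides whether `establishOldSecrets` tries the system unlock key and suppresses the interactive prompt. A name containing `..` components after the prefix would still match, and it is not visible here whether `dbName()` is canonicalised before it reaches this point. Consider normalising the path first, and derive the length from the literal: `static const char prefix[] = "/Library/Keychains/"; return !strncmp(name, prefix, sizeof(prefix) - 1);`.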
#define _H_KCDATABASE
#include "localdatabase.h"
+#include <securityd_client/ss_types.h>
class KeychainDatabase;
class KeychainDbCommon;
void sleepProcessing();
void lockProcessing();
+
+ bool belongsToSystem() const;
public:
// debugging
const AccessCredentials *cred, const AclEntryPrototype *owner);
KeychainDatabase(const DLDbIdentifier &id, const DbBlob *blob, Process &proc,
const AccessCredentials *cred);
- // keychain synchronization
- KeychainDatabase(KeychainDatabase &src, Process &proc, const DbBlob *secretsBlob, const CssmData &agentData);
+
+ // keychain synchronization recode to a specfic blob:
+ KeychainDatabase(KeychainDatabase &src, Process &proc, DbHandle dbToClone);
virtual ~KeychainDatabase();
KeychainDbCommon &common() const;
#include "server.h"
#include "database.h"
#include <security_cdsa_utilities/acl_any.h>
+#include <security_cdsa_utilities/cssmendian.h>
//
mBlob = blob->copy(Allocator::standard());
mValidBlob = true;
db.addReference(*this);
- secdebug("SSkey", "%p (handle 0x%lx) created from blob version %x",
+ secdebug("SSkey", "%p (handle %#x) created from blob version %x",
this, handle(), blob->version());
}
//
// Ensure that a key is fully decoded.
// This makes the mKey key value available for use, as well as its ACL.
+// Caller must hold the key object lock.
//
void KeychainKey::decode()
{
//
void KeychainKey::instantiateAcl()
{
+ StLock<Mutex> _(*this);
decode();
}
/*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004,2008 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#include "structure.h"
#include "database.h"
#include "acls.h"
-#include <security_cdsa_utilities/handleobject.h>
+#include <security_cdsa_utilities/u32handleobject.h>
#include <security_cdsa_client/keyclient.h>
virtual CSSM_KEYATTR_FLAGS attributes() = 0;
bool attribute(CSSM_KEYATTR_FLAGS f) { return attributes() & f; }
- virtual void returnKey(Handle &h, CssmKey::Header &hdr) = 0;
+ virtual void returnKey(U32HandleObject::Handle &h, CssmKey::Header &hdr) = 0;
};
CssmData *param, uint32 usage, uint32 attrs, RefPointer<Key> &derivedKey)
{
if (key) {
- key->validate(CSSM_ACL_AUTHORIZATION_DERIVE, cred);
+ key->validate(CSSM_ACL_AUTHORIZATION_DERIVE, context);
context.replace(CSSM_ATTRIBUTE_KEY, myKey(*key).cssmKey());
}
CssmClient::DeriveKey derive(Server::csp(), context.algorithm(), CSSM_ALGID_NONE);
{
mValidKey = true;
setup(newKey, moreAttributes);
- secdebug("SSkey", "%p (handle 0x%lx) created from key alg=%u use=0x%x attr=0x%x db=%p",
+ secdebug("SSkey", "%p (handle %#x) created from key alg=%u use=0x%x attr=0x%x db=%p",
this, handle(), mKey.header().algorithm(), mKey.header().usage(), mAttributes, &db);
}
//
// Return a key's handle and header in external form
//
-void LocalKey::returnKey(Handle &h, CssmKey::Header &hdr)
+void LocalKey::returnKey(U32HandleObject::Handle &h, CssmKey::Header &hdr)
{
StLock<Mutex> _(*this);
/*
- * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2001,2008 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#define _H_LOCALKEY
#include "key.h"
-#include <security_cdsa_utilities/handleobject.h>
#include <security_cdsa_client/keyclient.h>
operator const CSSM_KEY & () { return keyValue(); }
// yield the approximate external key header -- external attributes
- void returnKey(Handle &h, CssmKey::Header &hdr);
+ void returnKey(U32HandleObject::Handle &h, CssmKey::Header &hdr);
// generate the canonical key digest
const CssmData &canonicalDigest();
#include <security_utilities/daemon.h>
#include <security_utilities/machserver.h>
#include <security_utilities/logging.h>
-#include <security_utilities/ktracecodes.h>
#include <Security/SecKeychainPriv.h>
#include <signal.h>
#include <syslog.h>
-
-// #define PERFORMANCE_MEASUREMENT 1
-
-#ifdef PERFORMANCE_MEASUREMENT
-#include <mach/mach_time.h>
-#endif
-
// ACL subject types (their makers are instantiated here)
#include <security_cdsa_utilities/acl_any.h>
#include <security_cdsa_utilities/acl_password.h>
//
int main(int argc, char *argv[])
{
- #ifdef PERFORMANCE_MEASUREMENT
- // needed for automated timing of securityd startup
- uint64_t startTime = mach_absolute_time ();
- #endif
-
- Debug::trace (kSecTraceSecurityServerStart);
-
// clear the umask - we know what we're doing
secdebug("SS", "starting umask was 0%o", ::umask(0));
::umask(0);
bool reExecute = false;
int workerTimeout = 0;
int maxThreads = 0;
- bool waitForClients = false;
+ bool waitForClients = true;
+ bool mdsIsInstalled = false;
const char *authorizationConfig = "/etc/authorization";
const char *tokenCacheDir = "/var/db/TokenCache";
const char *entropyFile = "/var/db/SystemEntropyCache";
const char *equivDbFile = EQUIVALENCEDBPATH;
const char *smartCardOptions = getenv("SMARTCARDS");
uint32_t keychainAclDefault = CSSM_ACL_KEYCHAIN_PROMPT_INVALID | CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED;
+ unsigned int verbose = 0;
// check for the Installation-DVD environment and modify some default arguments if found
if (access("/etc/rc.cdrom", F_OK) == 0) { // /etc/rc.cdrom exists
- secdebug("SS", "configuring for installation");
+ SECURITYD_INSTALLMODE();
smartCardOptions = "off"; // needs writable directories that aren't
}
extern char *optarg;
extern int optind;
int arg;
- while ((arg = getopt(argc, argv, "a:c:de:E:fiN:s:t:T:Xuw")) != -1) {
+ while ((arg = getopt(argc, argv, "a:c:de:E:fimN:s:t:T:uvWX")) != -1) {
switch (arg) {
case 'a':
authorizationConfig = optarg;
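Review bot: Dropping `w` from the `getopt` option string while flipping the `waitForClients` default to `true` changes what existing command lines mean. A launch configuration that still passes `-w` now reaches the unknown-option branch of the switch, which is outside this hunk. If that branch prints usage and exits, the daemon would fail to start with an old configuration. Consider keeping `w` in the string as an accepted no-op, `case 'w': break; // accepted for compatibility; waiting is now the default`, next to the new `case 'W'` further down.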
case 'i':
keychainAclDefault &= ~CSSM_ACL_KEYCHAIN_PROMPT_INVALID;
break;
+ case 'm':
+ mdsIsInstalled = true;
+ break;
case 'N':
bootstrapName = optarg;
break;
if ((workerTimeout = atoi(optarg)) < 0)
workerTimeout = 0;
break;
- case 'w':
- waitForClients = true;
+ case 'W':
+ waitForClients = false;
break;
case 'u':
keychainAclDefault &= ~CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED;
break;
+ case 'v':
+ verbose++;
+ break;
case 'X':
doFork = true;
reExecute = true;
fprintf(stderr, "You are not allowed to run securityd\n");
exit(1);
#else
- fprintf(stderr, "securityd is unprivileged; some features may not work.\n");
- secdebug("SS", "Running as user %d (you have been warned)", uid);
+ fprintf(stderr, "securityd is unprivileged (uid=%d); some features may not work.\n", uid);
#endif //NDEBUG
}
}
// arm signal handlers; code below may generate signals we want to see
- if (signal(SIGCHLD, handleSignals) == SIG_ERR)
- secdebug("SS", "Cannot handle SIGCHLD: errno=%d", errno);
- if (signal(SIGINT, handleSignals) == SIG_ERR)
- secdebug("SS", "Cannot handle SIGINT: errno=%d", errno);
- if (signal(SIGTERM, handleSignals) == SIG_ERR)
- secdebug("SS", "Cannot handle SIGTERM: errno=%d", errno);
- if (signal(SIGPIPE, handleSignals) == SIG_ERR)
- secdebug("SS", "Cannot handle SIGPIPE: errno=%d", errno);
+ if (signal(SIGCHLD, handleSignals) == SIG_ERR
+ || signal(SIGINT, handleSignals) == SIG_ERR
+ || signal(SIGTERM, handleSignals) == SIG_ERR
+ || signal(SIGPIPE, handleSignals) == SIG_ERR
#if !defined(NDEBUG)
- if (signal(SIGUSR1, handleSignals) == SIG_ERR)
- secdebug("SS", "Cannot handle SIGUSR1: errno=%d", errno);
+ || signal(SIGUSR1, handleSignals) == SIG_ERR
#endif //NDEBUG
- if (signal(SIGUSR2, handleSignals) == SIG_ERR)
- secdebug("SS", "Cannot handle SIGUSR2: errno=%d", errno);
+ || signal(SIGUSR2, handleSignals) == SIG_ERR) {
+ perror("signal");
+ exit(1);
+ }
// create an Authorization engine
Authority authority(authorizationConfig);
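Review bot: The new fatal path reports only through `perror("signal")`, which goes to stderr and, because the six `signal()` calls are chained with `||`, cannot say which handler failed. For a daemon, stderr is often not captured, so this startup failure may leave no trace. The file already logs through `Syslog` elsewhere in `main`, so consider adding `Syslog::error("cannot install signal handlers: %s", strerror(errno));` before `exit(1)`; whether Syslog is already open at this point is not visible in the hunk.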
server.maxThreads(maxThreads);
server.floatingThread(true);
server.waitForClients(waitForClients);
+ server.verbosity(verbose);
// add the RNG seed timer
# if defined(NDEBUG)
# else
if (getuid() == 0) new EntropyManager(server, entropyFile);
# endif
-
- // create a token-cache interface
-#if !defined(NDEBUG)
- if (const char *s = getenv("TOKENCACHE"))
- tokenCacheDir = s;
-#endif //NDEBUG
// create a smartcard monitor to manage external token devices
gPCSC = new PCSCMonitor(server, tokenCacheDir, scOptions(smartCardOptions));
RootSession rootSession(server,
debugMode ? (sessionHasGraphicAccess | sessionHasTTY) : 0);
- // install MDS and initialize the local CSSM
- server.loadCssm();
+ // install MDS (if needed) and initialize the local CSSM
+ server.loadCssm(mdsIsInstalled);
// create the shared memory notification hub
new SharedMemoryListener(messagingName, kSharedMemoryPoolSize);
// okay, we're ready to roll
+ SECURITYD_INITIALIZED((char*)bootstrapName);
Syslog::notice("Entering service");
- secdebug("SS", "%s initialized", bootstrapName);
- Debug::trace (kSecTraceSecurityServerInitialized);
- #ifdef PERFORMANCE_MEASUREMENT
- // needed for automated timing of securityd startup
- uint64_t endTime = mach_absolute_time ();
-
- // compute how long it took to initialize
- uint64_t elapsedTime = endTime - startTime;
- mach_timebase_info_data_t multiplier;
- mach_timebase_info (&multiplier);
-
- elapsedTime = elapsedTime * multiplier.numer / multiplier.denom;
-
- FILE* f = fopen ("/var/log/startuptime.txt", "a");
- if (f == NULL)
- {
- // probably not running as root.
- f = fopen ("/tmp/startuptime.txt", "a");
- }
-
- fprintf (f, "%lld\n", elapsedTime);
- fclose (f);
- #endif
-
// go
server.run();
//
static void handleSignals(int sig)
{
+ SECURITYD_SIGNAL_RECEIVED(sig);
if (kern_return_t rc = self_client_handleSignal(gMainServerPort, mach_task_self(), sig))
Syslog::error("self-send failed (mach error %d)", rc);
}
#include <securityd_client/ucspNotify.h>
-Listener::ListenerMap Listener::listeners;
+Listener::ListenerMap& Listener::listeners = *(new Listener::ListenerMap);
Mutex Listener::setLock(Mutex::recursive);
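Review bot: The definition `Listener::listeners = *(new Listener::ListenerMap)` replaces a static object with a heap allocation that is never freed, and nothing says why. Presumably the goal is to keep the map alive through static destruction at exit; if so, a comment such as `// deliberately leaked so the map outlives static destruction at process exit` would stop a later cleanup from "fixing" the leak. Note that `setLock`, which guards the map, is still an ordinary static and is still destroyed at exit, so a notification sent during shutdown could find the map intact but the lock gone.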
};
private:
- static void Listener::sendNotification(Notification *message);
+ static void sendNotification(Notification *message);
private:
typedef multimap<mach_port_t, RefPointer<Listener> > ListenerMap;
- static ListenerMap listeners;
+ static ListenerMap& listeners;
static Mutex setLock;
};
+++ /dev/null
-/*
- * Copyright (c) 2006 Apple Computer, Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-//
-// osxcodewrap - wrap an OSXCode around a SecCodeRef
-//
-#include "osxcodewrap.h"
-#include <Security/SecCode.h>
-
-
-//
-// We don't really HAVE a canonical encoding, in the sense that
-// the matching OSXCode::decode function won't recognize us.
-// That's not the point; if you want use the old transmission logic,
-// use the canonical OSXCode subclasses.
-//
-string OSXCodeWrap::encode() const
-{
- return "?:unsupported";
-}
-
-
-//
-// Canonical path directly from the SecCode's mouth
-//
-string OSXCodeWrap::canonicalPath() const
-{
- CFURLRef path;
- MacOSError::check(SecCodeCopyPath(mCode, kSecCSDefaultFlags, &path));
- return cfString(path, true);
-}
-
-
-//
-// The executable path is a bit annoying to get, but not quite
-// annoying enough to cache the result.
-//
-string OSXCodeWrap::executablePath() const
-{
- CFRef<CFDictionaryRef> info;
- MacOSError::check(SecCodeCopySigningInformation(mCode, kSecCSDefaultFlags, &info.aref()));
- return cfString(CFURLRef(CFDictionaryGetValue(info, kSecCodeInfoMainExecutable)));
-}
+++ /dev/null
-/*
- * Copyright (c) 2006 Apple Computer, Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-//
-// osxcodewrap - wrap an OSXCode around a SecCodeRef
-//
-#ifndef _H_OSXCODEWRAP
-#define _H_OSXCODEWRAP
-
-#include <security_utilities/osxcode.h>
-#include <Security/SecCode.h>
-#include <string>
-#include <map>
-
-
-//
-// OSXCodeWrap is a partial OSXCode implementation that gets all its information
-// from a SecStaticCodeRef API object. OSXCode and SecStaticCode are in many ways
-// twin brothers, and this class allows the use of a SecStaticCode in places where
-// an OSXCode is required.
-// Note that OSXCodeWrap will not provide the capabilities of the canonical
-// OSXCode subclasses (such as Bundle). its encodings will always specify a type
-// code of '?' (unknown).
-//
-class OSXCodeWrap : public OSXCode {
-public:
- OSXCodeWrap(SecStaticCodeRef code) : mCode(code) { }
-
- string encode() const;
-
- string canonicalPath() const;
- string executablePath() const;
-
-private:
- CFCopyRef<SecStaticCodeRef> mCode;
-};
-
-
-#endif //_H_OSXCODEWRAP
static const uint32_t kVendorIDApple = 0x05AC;
static const uint16_t kProductIDBuiltInISight = 0x8501;
+/*
+ Copied from USBVideoClass-230.2.3/Digitizers/USBVDC/Camera/USBClient/APW_VDO_USBVDC_USBClient.h
+*/
+
+enum {
+ kBuiltIniSightProductID = 0x8501,
+ kBuiltIniSightWave2ProductID = 0x8502,
+ kBuiltIniSightWave3ProductID = 0x8505,
+ kUSBWave4ProductID = 0x8507,
+ kUSBWave2InK29ProductID = 0x8508,
+ kUSBWaveReserved1ProductID = 0x8509,
+ kUSBWaveReserved2ProductID = 0x850a,
+ kExternaliSightProductID = 0x1111,
+ kLogitechVendorID = 0x046d
+};
+
//
// Construct a PCSCMonitor.
// We strongly assume there's only one of us around here.
// composite USB device with interface class
if (CFRef<CFNumberRef> cfInterface = dev.property<CFNumberRef>("bInterfaceClass"))
- switch (IFDEBUG(uint32 clas =) cfNumber(cfInterface)) {
+ switch (uint32 clas = cfNumber(cfInterface)) {
case kUSBChipSmartCardInterfaceClass: // CCID smartcard reader - go
secdebug("scsel", " CCID smartcard reader recognized");
return definite;
productID = cfNumber(cfProductID);
secdebug("scsel", " checking device for possible exclusion [vendor id: 0x%08X, product id: 0x%08X]", vendorID, productID);
- return ((vendorID & kVendorProductMask) == kVendorIDApple && (productID & kVendorProductMask) == kProductIDBuiltInISight);
+
+ if ((vendorID & kVendorProductMask) != kVendorIDApple)
+ return false; // i.e. it is not an excluded device
+
+ // Since Apple does not manufacture smartcard readers, just exclude
+ // If we even start making them, we should make it a CCID reader anyway
+
+ return true;
}
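Review bot: The exclusion test now returns `true` for every device whose masked vendor ID equals `kVendorIDApple`, so `productID` is still read and logged but no longer influences the result. The product-ID enum added in the earlier hunk (`kBuiltIniSightProductID` and the rest) and the existing `kProductIDBuiltInISight` appear unused in the visible hunks. Either drop the copied enum or mark it as reference-only, e.g. `// kept for reference; exclusion is by vendor ID only`. The new comment also has a typo: `If we even start making them` should read `If we ever start making them`. The function begins outside the hunk.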
//
#include "session.h"
#include "tempdatabase.h"
#include "authority.h"
+#include "child.h" // ServerChild (really UnixPlusPlus::Child)::find()
#include <security_utilities/logging.h> //@@@ debug only
#include "agentquery.h"
setup(info);
ClientIdentification::setup(this->pid());
- secdebug("SS", "New process %p(%d) uid=%d gid=%d session=%p TP=%d %sfor %s",
- this, mPid, mUid, mGid, &session(),
- mTaskPort.port(),
- mByteFlipped ? "FLIP " : "",
- (identity && identity[0]) ? identity : "(unknown)");
+ // NB: ServerChild::find() should only be used to determine
+ // *existence*. Don't use the returned Child object for anything else,
+ // as it is not protected against its underlying process's destruction.
+ if (this->pid() == getpid() // called ourselves (through some API). Do NOT record this as a "dirty" transaction
+ || ServerChild::find<ServerChild>(this->pid())) // securityd's child; do not mark this txn dirty
+ VProc::Transaction::deactivate();
+
+ if (SECURITYD_CLIENT_NEW_ENABLED())
+ SECURITYD_CLIENT_NEW(this, this->pid(), &this->session(),
+ (char *)codePath(this->processCode()).c_str(), taskPort, mUid, mGid, mByteFlipped);
}
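Review bot: The decision to call `VProc::Transaction::deactivate()` rests on a pid comparison alone, either `this->pid() == getpid()` or a hit in `ServerChild::find<ServerChild>(this->pid())`. If a child record can outlive its process, a later unrelated client that receives the recycled pid would be treated as securityd's own child and would not be counted as a dirty transaction; whether records are always reaped before the pid can be reused is not visible here. The comment above the test should state that assumption. The two-line condition with trailing comments is also easy to misread, so braces around the `deactivate()` call would help. The constructor begins outside the hunk.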
(identity && identity[0]) ? identity : "(unknown)");
//CssmError::throwMe(CSSM_ERRCODE_VERIFICATION_FAILURE); // liar
}
-
- string oldPath = codePath(processCode());
setup(info);
- ClientIdentification::setup(this->pid());
- if (codePath(processCode()) == oldPath) {
- secdebug("SS", "process %p(%d) path unchanged; assuming client-side reset", this, mPid);
+ CFRef<SecCodeRef> oldCode; // DO NOT MAKE THE ASSIGNMENT HERE. If you do, you will invoke the copy constructor, not the assignment operator. For the CFRef
+ // template, they have very different meanings (assignment retains the CFRef, copy does not).
+ oldCode = processCode(); // This is the right place to do the assignment.
+
+ ClientIdentification::setup(this->pid()); // re-constructs processCode()
+ if (CFEqual(oldCode, processCode())) {
+ secdebug("SS", "process %p(%d) unchanged; assuming client-side reset", this, mPid);
} else {
- secdebug("SS", "process %p(%d) path changed; assuming exec with full reset", this, mPid);
+ secdebug("SS", "process %p(%d) changed; assuming exec with full reset", this, mPid);
CodeSigningHost::reset();
}
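Review bot: `CFEqual(oldCode, processCode())` is called without checking either operand, and `CFEqual` does not accept NULL arguments. If `processCode()` can be NULL before or after `ClientIdentification::setup()`, for instance when the client's code identity could not be established (not visible in this hunk), a client-initiated reset would crash the daemon. A guard such as `if (oldCode && processCode() && CFEqual(oldCode, processCode())) {` treats an unknown identity as changed and falls through to the full `CodeSigningHost::reset()`, which is the safer default. The function begins outside the hunk.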
pversion = info->version;
mByteFlipped = false;
} else if (info->order == 0x34120000) { // flip side up
- pversion = ntohl(info->version);
+ pversion = flip(info->version);
mByteFlipped = true;
} else // non comprende
CssmError::throwMe(CSSM_ERRCODE_INCOMPATIBLE_VERSION);
//
Process::~Process()
{
+ SECURITYD_CLIENT_RELEASE(this, this->pid());
+
// tell all our authorizations that we're gone
IFDEBUG(if (!mAuthorizations.empty())
secdebug("SS", "Process %p(%d) clearing %d authorizations",
if (auth->endProcess(*this))
delete auth;
}
-
- // no need to lock here; the client process has no more active threads
- secdebug("SS", "Process %p(%d) has died", this, mPid);
// release our name for the process's task port
if (mTaskPort)
{
// re-parent
parent(Session::find(servicePort));
-
- secdebug("SS", "process %p(%d) changed session to %p", this, pid(), &session());
+ SECURITYD_CLIENT_CHANGE_SESSION(this, &this->session());
}
#include <security_agent_client/agentclient.h>
#include <security_utilities/refcount.h>
#include <security_utilities/ccaudit.h>
+#include <security_utilities/vproc++.h>
#include "clientid.h"
#include "csproxy.h"
#include "localkey.h"
// but there's no evidence (yet) that this is worth the trouble.
//
class Process : public PerProcess,
- public CodeSigningHost, public ClientIdentification {
+ public CodeSigningHost,
+ public ClientIdentification,
+ private VProc::Transaction {
public:
Process(Port servicePort, TaskPort tPort,
const ClientSetupInfo *info, const char *identity,
void Reader::update(const PCSC::ReaderState &state)
{
// set new state
- IFDEBUG(unsigned long oldState = mState.state());
+ unsigned long oldState = mState.state();
mState = state;
mState.name(mName.c_str()); // (fix name pointer, unchanged)
--- /dev/null
+/*
+ * DTrace provider for securityd
+ */
+
+
+/*
+ * Work around 5194316
+ */
+#define uint32_t unsigned
+
+
+/*
+ * Types
+ */
+typedef const void *DTHandle;
+typedef uint32_t DTPort;
+typedef uint32_t DTGuest;
+
+
+/*
+ * The main static provider for securityd
+ */
+provider securityd {
+ /*
+ * Overall operational events
+ */
+ probe installmode(); // configuring for system installation scenario
+ probe initialized(const char *bootstrapName);
+
+
+ /*
+ * Keychain activity (DbCommon status change)
+ */
+ probe keychain__create(DTHandle common, const char *name, DTHandle db);
+ probe keychain__make(DTHandle common, const char *name, DTHandle db);
+ probe keychain__join(DTHandle common, const char *name, DTHandle db);
+ probe keychain__unlock(DTHandle id, const char *name);
+ probe keychain__lock(DTHandle id, const char *name);
+ probe keychain__release(DTHandle id, const char *name);
+
+ /*
+ * Client management
+ */
+ probe client__new(DTHandle id, int pid, DTHandle session, const char *path, DTPort taskport, int uid, int gid, bool flipped);
+ probe client__release(DTHandle id, int pid);
+ probe client__connection__new(DTHandle id, DTPort port, DTHandle client);
+ probe client__connection__release(DTHandle id);
+
+ probe client__change_session(DTHandle id, DTHandle session);
+
+ probe request__entry(const char *name, DTHandle connection, DTHandle process);
+ probe request__return(uint32_t osstatus);
+
+ /*
+ * Session management
+ */
+ probe session__create(DTHandle id, uint32_t attributes, DTPort port);
+ probe session__setattr(DTHandle id, uint32_t attributes);
+ probe session__destroy(DTHandle id);
+
+ /*
+ * Port-related events (internal interest only)
+ */
+ probe ports__dead__connection(DTPort port);
+ probe ports__dead__process(DTPort port);
+ probe ports__dead__session(DTPort port);
+ probe ports__dead__orphan(DTPort port);
+
+ /*
+ * Power management and tracking
+ */
+ probe power__sleep();
+ probe power__wake();
+ probe power__on();
+
+ /*
+ * Code Signing related
+ */
+ probe host__register(DTHandle proc, DTPort port);
+ probe host__proxy(DTHandle proc, DTPort port);
+ probe host__unregister(DTHandle proc);
+ probe guest__create(DTHandle proc, DTGuest host, DTGuest guest, uint32_t status, uint32_t flags, const char *path);
+ probe guest__cdhash(DTHandle proc, DTGuest guest, const void *hash, uint32_t length);
+ probe guest__destroy(DTHandle proc, DTGuest guest);
+ probe guest__change(DTHandle proc, DTGuest guest, uint32_t status);
+
+ /*
+ * Child management
+ */
+ probe child__dying(int pid);
+ probe child__checkin(int pid, DTPort servicePort);
+ probe child__stillborn(int pid);
+ probe child__ready(int pid);
+
+ /*
+ * Authorization
+ */
+ /* creation */
+ probe auth__create(DTHandle session, void *authref);
+ /* rule evaluation types */
+ probe auth__allow(DTHandle authref, const char *rule);
+ probe auth__deny(DTHandle authref, const char *rule);
+ probe auth__user(DTHandle authref, const char *rule);
+ probe auth__rules(DTHandle authref, const char *rule);
+ probe auth__kofn(DTHandle authref, const char *rule);
+ probe auth__mechrule(DTHandle authref, const char *rule);
+ probe auth__mech(DTHandle authref, const char *mechanism);
+ /* evaluation intermediate results */
+ probe auth__user__allowroot(DTHandle authref);
+ probe auth__user__allowsessionowner(DTHandle authref);
+ /* evaluation final result */
+ probe auth__evalright(DTHandle authref, const char *right, int32_t status);
+
+ /*
+ * Miscellaneous activity
+ */
+ probe shutdown__begin();
+ probe shutdown__count(int processesLeft, int dirtyCountLeft);
+ probe shutdown__now();
+
+ probe entropy__collect();
+ probe entropy__seed(const void *data, uint32_t count);
+ probe entropy__save(const char *path);
+
+ probe signal__received(int signal);
+ probe signal__handled(int signal);
+};
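Review bot: `probe client__change_session(...)` separates `change` and `session` with a single underscore while every other probe uses `__`. DTrace turns `__` into `-`, so this probe is published as `client-change_session` rather than `client-change-session`; renaming it to `client__change__session` should leave the generated `SECURITYD_CLIENT_CHANGE_SESSION` macro name as it is, but confirm that against the generated header. `auth__create` declares `void *authref` where the other auth probes take `DTHandle authref`, and the two should agree. `entropy__seed(const void *data, uint32_t count)` hands the address of seed material to any consumer, so a comment such as `/* data points at seed bytes; consumers are assumed to be privileged tracers */` would record that expectation.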
-__Znwm
-dyld_stub_binding_helper
-__ZNSt24__default_alloc_templateILb1ELi0EE8allocateEm
-__ZNSt24__default_alloc_templateILb1ELi0EE5_LockC4Ev
-__ZNSt24__default_alloc_templateILb1ELi0EE9_S_refillEm
-__ZNSt24__default_alloc_templateILb1ELi0EE14_S_chunk_allocEmRi
-__ZNSt24__default_alloc_templateILb1ELi0EE5_LockD4Ev
-__ZN8Security5MutexC1Eb
-__ZN8Security5MutexC4Eb
-__ZN8Security5MutexC2Eb
-__ZN8Security15ThreadStoreSlotC2EPFvPvE
-__ZN8Security15ThreadStoreSlotC4EPFvPvE
-__call_mod_init_funcs
-__start
-__call_objcInit
-__dyld_func_lookup
-_crt_basename
-_crt_strbeginswith
-_main
-__ZN8Security6Syslog4openEPKcii
-__ZN8Security11CodeSigning9OSXSignerC1Ev
-__ZN8Security11CodeSigning9OSXSignerC4Ev
-__ZN8Security10CssmClient7CSPImplC1ERKNS_4GuidE
-__ZN8Security10CssmClient7CSPImplC4ERKNS_4GuidE
-__ZN8Security10CssmClient14AttachmentImplC2ERKNS_4GuidEm
-__ZN8Security10CssmClient14AttachmentImplC4ERKNS_4GuidEm
-__ZN8Security10CssmClient8CssmImpl8standardEv
+__ZN8Security5MutexC1Ev
+__ZN8Security5MutexC2Ev
+__ZN8Security5MutexC1ENS0_4TypeE
+__ZN8Security5MutexC2ENS0_4TypeE
+__ZN8Security11ModuleNexusI15MutexAttributesEclEv
__ZN8Security17ModuleNexusCommon6createEPFPvvE
__ZN8Security5Mutex4lockEv
+__ZN8Security11ModuleNexusI15MutexAttributesE4makeEv
+__ZN15MutexAttributesC2Ev
__ZN8Security5Mutex6unlockEv
__ZN8Security5MutexD1Ev
-__ZN8Security5MutexD4Ev
-__ZdlPv
-__ZN8Security10CssmClient8CssmImpl12StandardCssm3getEv
-__ZN8Security10CssmClient8CssmImplC4Eb
-__ZN8Security10CssmClient10ObjectImplC4Ev
-__ZN8Security10CssmClient8CssmImpl5setupEv
-___dynamic_cast
-__ZNK10__cxxabiv120__si_class_type_info12__do_dyncastEiNS_17__class_type_info10__sub_kindEPKS1_PKvS4_S6_RNS1_16__dyncast_resultE
-__ZNKSt9type_infoeqERKS_
-__ZN8Security10CssmClient8CssmImpl10autoModuleERKNS_4GuidE
-__ZN8Security10CssmClient10ModuleImplC1ERKNS_4GuidERKNS0_4CssmE
-__ZN8Security10CssmClient10ModuleImplC4ERKNS_4GuidERKNS0_4CssmE
-__ZN8Security10CssmClient10ObjectImplC4ERKNS0_6ObjectE
-__ZN8Security10CssmClient10ObjectImpl8addChildEv
-__ZN8Security10CssmClient14AttachmentImpl4makeEm
+__ZN8Security5MutexD2Ev
+__ZN7PortMapI7SessionEC2Ev
+__ZN8Security15ThreadStoreSlotC2EPFvPvE
+start
+_main
+__ZN8Security6Syslog4openEPKcii
__ZN9AuthorityC1EPKc
-__ZN9AuthorityC4EPKc
__ZN13Authorization6EngineC2EPKc
-__ZN13Authorization6EngineC4EPKc
__ZN13Authorization20AuthorizationDBPlistC1EPKc
-__ZN13Authorization20AuthorizationDBPlistC4EPKc
-__ZNSsC1EPKcRKSaIcE
-__ZNSsC4EPKcRKSaIcE
-__ZNSs12_S_constructIPKcEEPcT_S3_RKSaIcESt20forward_iterator_tag
-__ZNSs4_Rep9_S_createEmRKSaIcE
-__ZNSs12_Alloc_hiderC4EPcRKSaIcE
-__ZN8Security10AclSubject5MakerC2El
-__ZN8Security10AclSubject5MakerC4El
+__ZN13Authorization20AuthorizationDBPlistC2EPKc
+__ZN8Security10AclSubject5MakerC2Ei
+__ZN8Security11ModuleNexusISt3mapIiPNS_10AclSubject5MakerESt4lessIiESaISt4pairIKiS4_EEEEclEv
+__ZN8Security11ModuleNexusISt3mapIiPNS_10AclSubject5MakerESt4lessIiESaISt4pairIKiS4_EEEE4makeEv
+__ZNSt3mapIiPN8Security10AclSubject5MakerESt4lessIiESaISt4pairIKiS3_EEEixERS7_
+__ZNSt8_Rb_treeIiSt4pairIKiPN8Security10AclSubject5MakerEESt10_Select1stIS6_ESt4lessIiESaIS6_EE16_M_insert_uniqueESt17_Rb_tree_
+__ZNSt8_Rb_treeIiSt4pairIKiPN8Security10AclSubject5MakerEESt10_Select1stIS6_ESt4lessIiESaIS6_EE16_M_insert_uniqueERKS6_
+__ZNSt8_Rb_treeIiSt4pairIKiPN8Security10AclSubject5MakerEESt10_Select1stIS6_ESt4lessIiESaIS6_EE9_M_insertEPSt18_Rb_tree_node_ba
+__ZNSt8_Rb_treeIiSt4pairIKiPN8Security10AclSubject5MakerEESt10_Select1stIS6_ESt4lessIiESaIS6_EE14_M_create_nodeERKS6_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKiPN8Security10AclSubject5MakerEEEE8allocateEmPKv
__ZN14CodeSignaturesC1EPKc
-__ZN14CodeSignaturesC4EPKc
+__ZN14CodeSignaturesC2EPKc
__ZN8Security12UnixPlusPlus6UnixDbC1Ev
-__ZN8Security12UnixPlusPlus6UnixDbC4Ev
__ZN8Security12UnixPlusPlus6UnixDb4openEPKcii6DBTYPE
__ZN8Security12UnixPlusPlus6UnixDb5closeEv
__ZN8Security12UnixPlusPlus6UnixDb5flushEi
+__ZN8Security12UnixPlusPlus10checkErrorIiEET_S2_
__ZN6ServerC1ER9AuthorityR14CodeSignaturesPKc
-__ZN6ServerC4ER9AuthorityR14CodeSignaturesPKc
-__ZN8Security5MutexC2ENS0_4TypeEb
-__ZN8Security5MutexC4ENS0_4TypeEb
+__ZN6ServerC2ER9AuthorityR14CodeSignaturesPKc
+__ZN8NodeCoreC2Ev
__ZN8Security12MachPlusPlus10MachServerC2EPKc
-__ZN8Security12MachPlusPlus10MachServerC4EPKc
+__ZN8Security12MachPlusPlus9BootstrapC2Ev
__ZN8Security12MachPlusPlus5Error5checkEi
-__ZN8Security12MachPlusPlus11ReceivePortC1EPKcRKNS0_9BootstrapE
-__ZN8Security12MachPlusPlus11ReceivePortC4EPKcRKNS0_9BootstrapE
+__ZN8Security12MachPlusPlus11ReceivePortC1EPKcRKNS0_9BootstrapEb
+__ZN8Security12MachPlusPlus11ReceivePortC2EPKcRKNS0_9BootstrapEb
__ZNK8Security12MachPlusPlus9Bootstrap15checkInOptionalEPKc
-__ZNK8Security12MachPlusPlus9Bootstrap10registerAsEjPKc
-__ZN8Security12MachPlusPlus10MachServer5setupEPKc
+__ZN8Security12MachPlusPlus4Port8allocateEj
+__ZN8Security12MachPlusPlus7PortSetpLERKNS0_4PortE
__ZN8Security18DevRandomGeneratorC2Eb
-__ZN8Security18DevRandomGeneratorC4Eb
+__ZN6Server12SleepWatcherC2Ev
__ZN8Security12MachPlusPlus16PortPowerWatcherC2Ev
-__ZN8Security12MachPlusPlus16PortPowerWatcherC4Ev
-__ZN8Security12MachPlusPlus14IOPowerWatcherC4Ev
+__ZN8Security12MachPlusPlus14IOPowerWatcherC2Ev
+__ZN7PortMapI10ConnectionEC2Ev
+__ZN7PortMapI7ProcessEC2Ev
+__ZN8Security10CssmClient4CssmC2Ev
__ZN8Security10CssmClient8CssmImplC1Ev
-__ZN8Security10CssmClient8CssmImplC4Ev
+__ZN8Security11ModuleNexusINS_10CssmClient8CssmImpl12StandardCssmEEclEv
+__ZN8Security11ModuleNexusINS_10CssmClient8CssmImpl12StandardCssmEE4makeEv
__ZN8Security10CssmClient8CssmImpl12StandardCssm7setCssmEPS1_
+__ZNK8Security8RefCount3refEv
+__ZN8Security10CssmClient6ModuleC2ERKNS_4GuidERKNS0_4CssmE
+__ZN8Security10CssmClient10ModuleImplC1ERKNS_4GuidERKNS0_4CssmE
+__ZN8Security10CssmClient10ObjectImplC2ERKNS0_6ObjectE
+__ZN8Security10CssmClient3CSPC2ERKNS0_6ModuleE
__ZN8Security10CssmClient7CSPImplC1ERKNS0_6ModuleE
-__ZN8Security10CssmClient7CSPImplC4ERKNS0_6ModuleE
-__ZN8Security10CssmClient14AttachmentImplC2ERKNS0_6ModuleEm
-__ZN8Security10CssmClient14AttachmentImplC4ERKNS0_6ModuleEm
+__ZN8Security10CssmClient14AttachmentImplC2ERKNS0_6ModuleEj
__ZN8Security14CommonCriteria10TerminalIdC1Ev
-__ZN8Security14CommonCriteria10TerminalIdC4Ev
+__ZN8Security14CommonCriteria10TerminalIdC2Ev
__ZN8Security14CommonCriteria12AuditSession15registerSessionEv
__ZN8Security12MachPlusPlus10MachServer3addERNS1_7HandlerE
+__ZNSt8_Rb_treeIPN8Security12MachPlusPlus10MachServer7HandlerES4_St9_IdentityIS4_ESt4lessIS4_ESaIS4_EE16_M_insert_uniqueERKS4_
+__ZNSt8_Rb_treeIPN8Security12MachPlusPlus10MachServer7HandlerES4_St9_IdentityIS4_ESt4lessIS4_ESaIS4_EE9_M_insertEPSt18_Rb_tree_
+__ZNSt8_Rb_treeIPN8Security12MachPlusPlus10MachServer7HandlerES4_St9_IdentityIS4_ESt4lessIS4_ESaIS4_EE14_M_create_nodeERKS4_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIPN8Security12MachPlusPlus10MachServer7HandlerEEE8allocateEmPKv
+__ZN6Server14waitForClientsEb
__ZN14EntropyManagerC1ERN8Security12MachPlusPlus10MachServerEPKc
-__ZN14EntropyManagerC4ERN8Security12MachPlusPlus10MachServerEPKc
+__ZN14EntropyManagerC2ERN8Security12MachPlusPlus10MachServerEPKc
__ZN8Security4Time3nowEv
__ZN8Security12UnixPlusPlus8FileDesc4openEPKcit
__ZN8Security12UnixPlusPlus8FileDesc4readEPvm
__ZN8Security18DevRandomGenerator10addEntropyEPKvm
+__ZN8Security11ModuleNexusINS_18DevRandomGenerator8WritableEEclEv
+__ZN8Security11ModuleNexusINS_18DevRandomGenerator8WritableEE4makeEv
__ZN8Security12UnixPlusPlus8FileDesc5writeEPKvm
__ZN8Security12UnixPlusPlus8FileDesc5closeEv
__ZN14EntropyManager6actionEv
__ZN14EntropyManager14collectEntropyEv
__ZN14EntropyManager17updateEntropyFileEv
__ZN8Security18DevRandomGenerator6randomEPvm
+__ZN8Security11ModuleNexusINS_18DevRandomGenerator8ReadonlyEEclEv
+__ZN8Security11ModuleNexusINS_18DevRandomGenerator8ReadonlyEE4makeEv
+__ZN8Security12MachPlusPlus10MachServer8setTimerEPNS1_5TimerENS_4Time8IntervalE
__ZN8Security12MachPlusPlus10MachServer8setTimerEPNS1_5TimerENS_4Time8AbsoluteE
-__ZN10TokenCacheC1EPKc
-__ZN10TokenCacheC4EPKc
-__ZNSsC1ERKSs
-__ZNSsC4ERKSs
-__ZNKSs13get_allocatorEv
-__ZN10TokenCache7makedirEPKcitNS_5OwnerE
-__ZN8Security12UnixPlusPlus7makedirEPKcit
-__ZNSsD4Ev
-__ZNK6Rooted4pathEPKc
-__ZNSs6appendEPKcm
-__ZNSs7reserveEm
-__ZNSs4_Rep8_M_cloneERKSaIcEm
-__ZNKSs7_M_iendEv
-__ZNSs15_M_replace_safeIPKcEERSsN9__gnu_cxx17__normal_iteratorIPcSsEES6_T_S7_
-__ZNKSs9_M_ibeginEv
-__ZNSs9_M_mutateEmmm
-__ZNSs4_Rep10_M_destroyERKSaIcE
-__Z9scOptionsPKc
-__ZN11PCSCMonitorC1ER6ServerR10TokenCacheNS_12ServiceLevelE
-__ZN11PCSCMonitorC4ER6ServerR10TokenCacheNS_12ServiceLevelE
-__ZN8ListenerC2Emm
-__ZN8ListenerC4Emm
-__ZN8Listener5setupEv
+__ZN8Security13ScheduleQueueINS_4Time8AbsoluteEE8scheduleEPNS3_5EventES2_
+__ZN11PCSCMonitorC1ER6ServerPKcNS_12ServiceLevelE
+__ZN11PCSCMonitorC2ER6ServerPKcNS_12ServiceLevelE
+__ZN8ListenerC2Ejjj
+__ZNSt8_Rb_treeIjSt4pairIKjN8Security10RefPointerI8ListenerEEESt10_Select1stIS6_ESt4lessIjESaIS6_EE9_M_insertEPSt18_Rb_tree_nod
+__ZNSt8_Rb_treeIjSt4pairIKjN8Security10RefPointerI8ListenerEEESt10_Select1stIS6_ESt4lessIjESaIS6_EE14_M_create_nodeERKS6_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKjN8Security10RefPointerI8ListenerEEEEE8allocateEmPKv
+__ZN8Security10RefPointerI8ListenerE7releaseEv
+__ZNK8Security8RefCount5unrefEv
__ZN8Security12UnixPlusPlus5ChildC2Ev
-__ZN8Security12UnixPlusPlus5ChildC4Ev
__ZN8Security4PCSC7SessionC1Ev
-__ZN8Security4PCSC7SessionC4Ev
-__ZNSaIcED4Ev
__ZN8Security5IOKit24MachPortNotificationPortC1Ev
-__ZN8Security5IOKit24MachPortNotificationPortC4Ev
-__ZN8Security5IOKit16NotificationPortC4Ev
-__ZN8Security5IOKit10MasterPortC4Ev
-__ZN11RootSessionC1ER6Serverm
-__ZN11RootSessionC4ER6Serverm
-__ZN7SessionC4EN8Security12MachPlusPlus9BootstrapENS1_4PortEm
-__ZN8Security12HandleObject5StateC1Ev
-__ZN8Security12HandleObject5StateC4Ev
-__ZN8Security12HandleObject5State4makeEPS0_
+__ZN8Security5IOKit24MachPortNotificationPortC2Ev
+__ZN8Security5IOKit16NotificationPortC2Ev
+__ZN8Security5IOKit10MasterPortC2Ev
+__ZN8Security12MachPlusPlus4Port10deallocateEv
+__ZNK8Security5IOKit16NotificationPort4portEv
+__ZN11RootSessionC1ER6Serverj
+__ZN11RootSessionC2ER6Serverj
+__ZN7SessionC2EN8Security12MachPlusPlus9BootstrapENS1_4PortEj
+__ZN8Security13MappingHandleIjE4makeEv
+__ZN8Security11ModuleNexusINS_13MappingHandleIjE5StateEEclEv
+__ZN8Security11ModuleNexusINS_13MappingHandleIjE5StateEE4makeEv
+__ZN8Security13MappingHandleIjE5StateC2Ev
+__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EEC2EmRKS
+__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE21_M_in
+__ZSt11lower_boundIPKmmET_S2_S2_RKT0_
+__ZNSt6vectorIPN9__gnu_cxx15_Hashtable_nodeISt4pairIKjPN8Security13MappingHandleIjEEEEESaISA_EE7reserveEm
+__ZNSt6vectorIPN9__gnu_cxx15_Hashtable_nodeISt4pairIKjPN8Security13MappingHandleIjEEEEESaISA_EE20_M_allocate_and_copyIPSA_EESE_
+__ZN9__gnu_cxx13new_allocatorIPNS_15_Hashtable_nodeISt4pairIKjPN8Security13MappingHandleIjEEEEEE8allocateEmPKv
+__ZSt18uninitialized_copyIPPN9__gnu_cxx15_Hashtable_nodeISt4pairIKjPN8Security13MappingHandleIjEEEEESB_ET0_T_SD_SC_
+__ZNSt6vectorIPN9__gnu_cxx15_Hashtable_nodeISt4pairIKjPN8Security13MappingHandleIjEEEEESaISA_EE14_M_fill_insertENS0_17__normal_
+__ZN8Security13MappingHandleIjE5State11handleInUseEj
+__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE4findER
+__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE14find_
+__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE6resize
+__ZN9__gnu_cxx13new_allocatorINS_15_Hashtable_nodeISt4pairIKjPN8Security13MappingHandleIjEEEEEE8allocateEmPKv
+__ZN13Authorization10CredentialC1Ev
+__ZN13Authorization10CredentialC2Ev
+__ZN13Authorization14CredentialImplC2Ev
+__ZN8Security6Syslog6noticeEPKcz
__ZN8NodeCore6parentERS_
-__ZN6Server8loadCssmEv
+__ZN8Security10RefPointerI8NodeCoreE10setPointerEPS1_
+__ZN8Security10RefPointerI8NodeCoreE7releaseEv
+__ZNSt3mapIN8Security12MachPlusPlus4PortENS0_10RefPointerI7SessionEESt4lessIS2_ESaISt4pairIKS2_S5_EEEixERS9_
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7SessionEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE16
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7SessionEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE9_
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7SessionEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE14
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKN8Security12MachPlusPlus4PortENS3_10RefPointerI7SessionEEEEE8allocateE
+__ZN8Security10RefPointerI7SessionE7releaseEv
+__ZN8Security10RefPointerI7SessionE10setPointerEPS1_
+__ZN6Server8loadCssmEb
+__ZNK8Security10CssmClient6Object4implINS0_8CssmImplEEERT_v
+__ZN8Security11ModuleNexusINS_9MDSClient9DirectoryEEclEv
+__ZN8Security11ModuleNexusINS_9MDSClient9DirectoryEE4makeEv
__ZN8Security9MDSClient9DirectoryC1Ev
-__ZN8Security9MDSClient9DirectoryC4Ev
-__ZN8Security9Allocator8standardEm
+__ZN8Security9MDSClient9DirectoryC2Ev
+__ZN8Security9Allocator8standardEj
+__ZN8Security11ModuleNexusI17DefaultAllocatorsEclEv
+__ZN8Security11ModuleNexusI17DefaultAllocatorsE4makeEv
__ZN8Security28CssmAllocatorMemoryFunctionsC1ERNS_9AllocatorE
-__ZN8Security28CssmAllocatorMemoryFunctionsC4ERNS_9AllocatorE
+__ZN8Security9MDSClient9Directory7installEv
__ZN8Security28CssmAllocatorMemoryFunctions11relayMallocEmPv
__ZN16DefaultAllocator6mallocEm
__ZN8Security28CssmAllocatorMemoryFunctions9relayFreeEPvS1_
__ZN16DefaultAllocator4freeEPv
-__ZN8Security9MDSClient9Directory7installEv
__ZN8Security10CssmClient8CssmImpl8activateEv
+__ZNK8Security10CssmClient6Object4implINS0_7CSPImplEEERT_v
__ZN8Security10CssmClient14AttachmentImpl8activateEv
-__ZNK8Security10CssmClient14AttachmentImpl6moduleEv
-__ZNK10__cxxabiv121__vmi_class_type_info12__do_dyncastEiNS_17__class_type_info10__sub_kindEPKS1_PKvS4_S6_RNS1_16__dyncast_resultE
+__ZNK8Security10CssmClient6Object4implINS0_10ModuleImplEEERT_v
__ZN8Security10CssmClient10ModuleImpl8activateEv
-__ZNK8Security10CssmClient10ModuleImpl7sessionEv
+__ZN8Security10RefPointerINS_10CssmClient10ObjectImplEE7releaseEv
__ZNK8Security10CssmClient10ObjectImpl9allocatorEv
-__ZN8Security6Syslog6noticeEPKcz
+__ZNK8Security10CssmClient14AttachmentImpl4guidEv
+__ZNK8Security10CssmClient14AttachmentImpl6moduleEv
+__ZN20SharedMemoryListenerC1EPKcj
+__ZN20SharedMemoryListenerC2EPKcj
+__ZN18SharedMemoryServerC2EPKcj
__ZN6Server3runEv
__ZN8Security12MachPlusPlus10MachServer3runEmi
__ZN8Security12MachPlusPlus10MachServer15runServerThreadEb
__ZN8Security12MachPlusPlus7MessageC1Em
-__ZN8Security12MachPlusPlus7MessageC4Em
__ZN8Security12MachPlusPlus7Message9setBufferEm
-__ZN8Security12MachPlusPlus7Message7releaseEv
-__Znam
+__ZN8Security12MachPlusPlus10MachServer9perThreadEv
+__ZN8Security11ModuleNexusINS_11ThreadNexusINS_12MachPlusPlus10MachServer9PerThreadEEEEclEv
+__ZN8Security11ModuleNexusINS_11ThreadNexusINS_12MachPlusPlus10MachServer9PerThreadEEEE4makeEv
+__ZN8Security11ThreadNexusINS_12MachPlusPlus10MachServer9PerThreadEEclEv
+__ZNK8Security15ThreadStoreSlotaSEPv
+__ZN8Security11ModuleNexusINS_5MutexEEclEv
+__ZN8Security11ModuleNexusINS_5MutexEE4makeEv
+__ZN8Security11ModuleNexusISt3setIPvSt4lessIS2_ESaIS2_EEEclEv
+__ZN8Security11ModuleNexusISt3setIPvSt4lessIS2_ESaIS2_EEE4makeEv
+__ZNSt8_Rb_treeIPvS0_St9_IdentityIS0_ESt4lessIS0_ESaIS0_EE16_M_insert_uniqueERKS0_
+__ZNSt8_Rb_treeIPvS0_St9_IdentityIS0_ESt4lessIS0_ESaIS0_EE9_M_insertEPSt18_Rb_tree_node_baseS8_RKS0_
+__ZNSt8_Rb_treeIPvS0_St9_IdentityIS0_ESt4lessIS0_ESaIS0_EE14_M_create_nodeERKS0_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIPvEE8allocateEmPKv
+__ZThn144_N6Server9eventDoneEv
+__ZN6Server9eventDoneEv
__ZN8Security12MachPlusPlus10MachServer12processTimerEv
+__ZN8Security13ScheduleQueueINS_4Time8AbsoluteEE3popES2_
+__ZN8Security13ScheduleQueueINS_4Time8AbsoluteEE5Event10unscheduleEv
+__ZN8Security12MachPlusPlus10MachServer5Timer6selectEv
+__ZN8Security12MachPlusPlus10MachServer4busyEv
+__ZN8Security12MachPlusPlus10MachServer17ensureReadyThreadEv
+__ZN8Security6Thread3runEv
+__ZThn24_N11PCSCMonitor6actionEv
__ZN11PCSCMonitor6actionEv
__ZN11PCSCMonitor12initialSetupEv
+__ZN6Server3addEPN8Security12MachPlusPlus12PowerWatcherE
__ZN6Server12SleepWatcher3addEPN8Security12MachPlusPlus12PowerWatcherE
+__ZN8Security6Thread6runnerEPv
+__ZN8Security12MachPlusPlus10MachServer10LoadThread6actionEv
+__ZNSt8_Rb_treeIPN8Security12MachPlusPlus12PowerWatcherES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE16_M_insert_uniqueERKS3_
+__ZN8Security12MachPlusPlus10MachServer9addThreadEPNS_6ThreadE
+__ZNSt8_Rb_treeIPN8Security12MachPlusPlus12PowerWatcherES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE9_M_insertEPSt18_Rb_tree_node_b
+__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE16_M_insert_uniqueERKS2_
+__ZNSt8_Rb_treeIPN8Security12MachPlusPlus12PowerWatcherES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE14_M_create_nodeERKS3_
+__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE9_M_insertEPSt18_Rb_tree_node_baseSA_RKS2_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIPN8Security12MachPlusPlus12PowerWatcherEEE8allocateEmPKv
+__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE14_M_create_nodeERKS2_
__ZN8Security5IOKit11DeviceMatchC1EPKc
-__ZN8Security5IOKit11DeviceMatchC4EPKc
-__ZN8Security5IOKit16NotificationPort3addENS0_11DeviceMatchERNS1_8ReceiverEPKc
-__ZN11PCSCMonitor8ioChangeERN8Security5IOKit14DeviceIteratorE
-__ZN8Security5IOKit14DeviceIteratorclEv
-__ZN11PCSCMonitor13deviceSupportERKN8Security5IOKit6DeviceE
-__ZNK8Security5IOKit6Device8propertyEPKc
-__ZN8Security8cfNumberEPK10__CFNumber
-__ZN8Security5IOKit6DeviceD1Ev
-__ZN8Security5IOKit6DeviceD4Ev
-__ZN8Security5IOKit14DeviceIteratorD4Ev
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIPN8Security6ThreadEEE8allocateEmPKv
+__ZN8Security5IOKit11DeviceMatchC2EPKc
__ZN8Security12MachPlusPlus10MachServer26releaseDeferredAllocationsEv
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus10MachServer10AllocationES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE8_M_eraseEPSt13_Rb_tre
+__ZN8Security5IOKit16NotificationPort3addERKNS0_11DeviceMatchERNS1_8ReceiverEPKc
+__ZThn144_N6Server6handleEP17mach_msg_header_tS1_
__ZN6Server6handleEP17mach_msg_header_tS1_
__Z11ucsp_serverP17mach_msg_header_tS0_
-__Z7_XsetupP17mach_msg_header_tS0_
-__Z29__MIG_check__Request__setup_tP18__Request__setup_t
-__Z17ucsp_server_setupjj13audit_token_tPljN8Security14SecurityServer15ClientSetupInfoEPKc
-__ZN6Server15setupConnectionENS_12ConnectLevelEN8Security12MachPlusPlus4PortES3_S3_RK13audit_token_tPKNS1_14SecurityServer15ClientSetupInfoEPKc
+__ZL18_XverifyPrivilegedP17mach_msg_header_tS0_
+__Z28ucsp_server_verifyPrivilegedjj13audit_token_tPi
+__ZN8Security12MachPlusPlus10MachServer4idleEv
+__ZL7_XsetupP17mach_msg_header_tS0_
+__Z17ucsp_server_setupjj13audit_token_tPijN8Security14SecurityServer15ClientSetupInfoEPKc
+__ZN6Server15setupConnectionENS_12ConnectLevelEN8Security12MachPlusPlus4PortES3_S3_RK13audit_token_tPKNS1_14SecurityServer15Cli
+__ZNSt3mapIN8Security12MachPlusPlus4PortENS0_10RefPointerI7ProcessEESt4lessIS2_ESaISt4pairIKS2_S5_EEEixERS9_
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7ProcessEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE16
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7ProcessEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE9_
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7ProcessEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE14
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKN8Security12MachPlusPlus4PortENS3_10RefPointerI7ProcessEEEEE8allocateE
+__ZN8Security10RefPointerI7ProcessE7releaseEv
__ZN8Security14CommonCriteria10AuditTokenC1ERK13audit_token_t
-__ZN8Security14CommonCriteria10AuditTokenC4ERK13audit_token_t
-__ZN7ProcessC1EN8Security12MachPlusPlus4PortENS1_8TaskPortEPKNS0_14SecurityServer15ClientSetupInfoEPKcjj
-__ZN7ProcessC4EN8Security12MachPlusPlus4PortENS1_8TaskPortEPKNS0_14SecurityServer15ClientSetupInfoEPKcjj
+__ZN8Security14CommonCriteria10AuditTokenC2ERK13audit_token_t
+__ZN7ProcessC1EN8Security12MachPlusPlus4PortENS1_8TaskPortEPKNS0_14SecurityServer15ClientSetupInfoEPKcRKNS0_14CommonCriteria10A
+__ZN7ProcessC2EN8Security12MachPlusPlus4PortENS1_8TaskPortEPKNS0_14SecurityServer15ClientSetupInfoEPKcRKNS0_14CommonCriteria10A
+__ZN10PerProcessC2Ev
+__ZN15CodeSigningHostC2Ev
+__ZN20ClientIdentificationC2Ev
__ZN14CodeSignatures8IdentityC2Ev
-__ZN14CodeSignatures8IdentityC4Ev
__ZN7Session4findEN8Security12MachPlusPlus4PortE
__ZNK8Security12MachPlusPlus8TaskPort3pidEv
-__ZN8Security7OSXCode6decodeEPKc
+__ZN7Process5setupEPKN8Security14SecurityServer15ClientSetupInfoE
+__ZN20ClientIdentification5setupEi
+__ZThn72_N11PCSCMonitor8ioChangeERN8Security5IOKit14DeviceIteratorE
+__ZN11PCSCMonitor8ioChangeERN8Security5IOKit14DeviceIteratorE
+__ZN8Security5IOKit14DeviceIteratorclEv
+__ZN11PCSCMonitor13deviceSupportERKN8Security5IOKit6DeviceE
+__ZNK8Security5IOKit6Device8propertyEPKc
+__ZN8Security8cfNumberIjEET_PK10__CFNumber
+__ZN8Security5IOKit6DeviceD1Ev
+__ZN11PCSCMonitor16isExcludedDeviceERKN8Security5IOKit6DeviceE
+__ZN8Security5IOKit14DeviceIteratorD2Ev
+__ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE8_M_eraseEPSt13_Rb_tree_no
+__ZN8Security12UnixPlusPlus5Child4findI11ServerChildEEPT_i
+__ZN8Security12UnixPlusPlus5Child11findGenericEi
+__ZN8Security11ModuleNexusINS_12UnixPlusPlus5Child8ChildrenEEclEv
+__ZN8Security11ModuleNexusINS_12UnixPlusPlus5Child8ChildrenEE4makeEv
+__ZN8Security12UnixPlusPlus5Child8ChildrenC2Ev
+__ZN8Security10RefPointerI7ProcessE10setPointerEPS1_
__ZNK8Security12MachPlusPlus10MachServer12notifyIfDeadENS0_4PortEb
__ZN8Security12MachPlusPlus4Port13requestNotifyEjij
+__ZNSt3mapIiP7ProcessSt4lessIiESaISt4pairIKiS1_EEEixERS5_
+__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE16_M_insert_uniqueESt17_Rb_tree_iteratorIS4_ERKS4_
+__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE16_M_insert_uniqueERKS4_
+__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE9_M_insertEPSt18_Rb_tree_node_baseSC_RKS4_
+__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE14_M_create_nodeERKS4_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKiP7ProcessEEE8allocateEmPKv
__ZN10ConnectionC1ER7ProcessN8Security12MachPlusPlus4PortE
-__ZN10ConnectionC4ER7ProcessN8Security12MachPlusPlus4PortE
-__Z21_XauthorizationCreateP17mach_msg_header_tS0_
-__Z43__MIG_check__Request__authorizationCreate_tP32__Request__authorizationCreate_t
-__Z31ucsp_server_authorizationCreatejj13audit_token_tPlP20AuthorizationItemSetjS2_mS2_jS2_PN8Security14SecurityServer17AuthorizationBlobE
-__ZN6Server10connectionEj
-__ZN10Connection9beginWorkEv
-__ZN13Authorization11AuthItemSetC1EPK20AuthorizationItemSet
-__ZN13Authorization11AuthItemSetC4EPK20AuthorizationItemSet
-__ZNK7Process7sessionEv
-__ZN7Session10authCreateERKN13Authorization11AuthItemSetES3_mRN8Security14SecurityServer17AuthorizationBlobERK13audit_token_t
-__ZN18AuthorizationTokenC1ER7SessionRKSt3setIN13Authorization10CredentialESt4lessIS4_ESaIS4_EERK13audit_token_t
-__ZN18AuthorizationTokenC4ER7SessionRKSt3setIN13Authorization10CredentialESt4lessIS4_ESaIS4_EERK13audit_token_t
-__ZN6Server7processEv
+__ZN10ConnectionC2ER7ProcessN8Security12MachPlusPlus4PortE
+__ZN8Security12MachPlusPlus4Port7modRefsEji
+__ZNK7PortMapI10ConnectionE8containsEj
+__ZNSt3mapIN8Security12MachPlusPlus4PortENS0_10RefPointerI10ConnectionEESt4lessIS2_ESaISt4pairIKS2_S5_EEEixERS9_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKN8Security12MachPlusPlus4PortENS3_10RefPointerI10ConnectionEEEEE8alloc
+__ZN8Security10RefPointerI10ConnectionE7releaseEv
+__ZN8Security10RefPointerI10ConnectionE10setPointerEPS1_
+__ZL16_XgetSessionInfoP17mach_msg_header_tS0_
+__Z26ucsp_server_getSessionInfojj13audit_token_tPiPjS1_
+__ZN6Server10connectionEjR13audit_token_t
+__ZNK7PortMapI10ConnectionE3getEji
+__ZN8Security11ThreadNexusINS_10RefPointerI10ConnectionEEEclEv
+__ZN10Connection9beginWorkER13audit_token_t
+__ZN7Session4findEj
+__ZN6Server7sessionEv
__ZN6Server10connectionEb
__ZN10Connection9checkWorkEv
-__ZN13Authorization11AuthItemSetC1Ev
-__ZN13Authorization11AuthItemSetC4Ev
+__ZNK7Process7sessionEv
+__ZN6Server15requestCompleteERi
+__ZN10Connection7endWorkERi
+__ZN11PCSCMonitor15startSoftTokensEv
+__ZN11PCSCMonitor12clearReadersEN6Reader4TypeE
+__ZN8Security14CodeRepositoryINS_6BundleEEC2ERKSsPKcS6_b
+__ZN8Security8PathListC2ERKSsPKcS4_b
+__ZStplIcSt11char_traitsIcESaIcEESbIT_T0_T1_EPKS3_RKS6_
+__ZNSt6vectorISsSaISsEE9push_backERKSs
+__ZNSt6vectorISsSaISsEE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPSsS1_EERKSs
+__ZN9__gnu_cxx13new_allocatorISsE8allocateEmPKv
+__ZSt24__uninitialized_copy_auxIPSsS0_ET0_T_S2_S1_St12__false_type
+__ZN8Security14CodeRepositoryINS_6BundleEE6updateEv
+__ZN8Security9makeCFURLEPKcbPK7__CFURL
+__ZN8Security6BundleC1EP10__CFBundlePKc
+__ZN8Security6BundleC2EP10__CFBundlePKc
+__ZN8Security8cfStringEPK7__CFURLb
+__ZNSt6vectorIN8Security10RefPointerINS0_6BundleEEESaIS3_EE9push_backERKS3_
+__ZNSt6vectorIN8Security10RefPointerINS0_6BundleEEESaIS3_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS3_S5_EERKS3_
+__ZN9__gnu_cxx13new_allocatorIN8Security10RefPointerINS1_6BundleEEEE8allocateEmPKv
+__ZSt24__uninitialized_copy_auxIPN8Security10RefPointerINS0_6BundleEEES4_ET0_T_S6_S5_St12__false_type
+__ZN8Security10RefPointerINS_6BundleEE7releaseEv
+__ZNSt6vectorIN8Security10RefPointerINS0_6BundleEEESaIS3_EED2Ev
+__ZNSt12_Vector_baseIN8Security10RefPointerINS0_6BundleEEESaIS3_EED2Ev
+__ZNK8Security6Bundle13infoPlistItemEPKc
+__ZNK8Security6Bundle8cfBundleEv
+__ZN8Security14CodeRepositoryINS_6BundleEED2Ev
+__ZN8Security8PathListD2Ev
+__ZNSt6vectorISsSaISsEED2Ev
+__ZNSt12_Vector_baseISsSaISsEED2Ev
+__ZN8Security6BundleD0Ev
+__ZN8Security12MachPlusPlus10MachServer5Timer8unselectEv
+__ZL10_XdecodeDbP17mach_msg_header_tS0_
+__Z20ucsp_server_decodeDbjj13audit_token_tPiPjPvjS2_jS2_j
+__ZN7CopyOutC2EPvmPFiP9__rpc_xdrzEbP9cssm_data
+_copyout
+_sec_xdrmem_create
+_sec_xdr_sizeof_out
+_sec_xdr_arena_init_size_alloc
+__Z25xdr_DLDbFlatIdentifierRefP9__rpc_xdrPPN8Security11DataWalkers18DLDbFlatIdentifierE
+_sec_xdr_reference
+_sec_xdr_arena_size_allocator
+_sec_mem_alloc
+__Z22xdr_DLDbFlatIdentifierP9__rpc_xdrPN8Security11DataWalkers18DLDbFlatIdentifierE
+_sec_xdr_pointer
+_sec_xdrmem_getlong_aligned
+_xdr_CSSM_SUBSERVICE_UID
+_sec_xdrmem_getbytes
+_xdr_CSSM_VERSION
+_sec_xdr_charp
+_sec_xdr_bytes
+_sec_xdr_arena_init
+__ZN8Security14DLDbIdentifierC2ERK19cssm_subservice_uidPKcPK16cssm_net_address
+__ZN8Security14DLDbIdentifier4ImplC2ERK19cssm_subservice_uidPKcPK16cssm_net_address
+__ZN8Security6DbNameC1EPKcPK16cssm_net_address
+__ZN8Security6DbNameC2EPKcPK16cssm_net_address
+__Z8makeBlobIN8Security14SecurityServer6DbBlobEEPKT_RKNS0_8CssmDataEi
+__ZN16KeychainDatabaseC1ERKN8Security14DLDbIdentifierEPKNS0_14SecurityServer6DbBlobER7ProcessPKNS0_17AccessCredentialsE
+__ZN17SecurityServerAclC2Ev
+__ZN8Security9ObjectAclC2ERNS_9AllocatorE
+__ZN13LocalDatabaseC2ER7Process
+__ZN8DatabaseC2ER7Process
__ZN8NodeCore8referentERS_
-__ZN13Authorization6Engine9authorizeERKNS_11AuthItemSetES3_mPKSt3setINS_10CredentialESt4lessIS5_ESaIS5_EEPS9_RS1_R18AuthorizationToken
+__ZN16KeychainDatabase12validateBlobEPKN8Security14SecurityServer6DbBlobE
+__ZNK8Security14SecurityServer10CommonBlob8validateEi
+__ZN8Security11DataWalkers4copyINS_17AccessCredentialsEEEPT_PKS3_RNS_9AllocatorE
+__ZNK8Security14SecurityServer6DbBlob4copyERNS_9AllocatorE
+__ZN8Security9Allocator6mallocINS_14SecurityServer6DbBlobEEEPT_m
+__ZNK8Database7processEv
+__ZN8NodeCore9findFirstI16KeychainDbCommonRK12DbIdentifierEEN8Security10RefPointerIT_EEMS7_KFT0_vES9_
+__ZN8Security10RefPointerI16KeychainDbCommonE7releaseEv
+__ZN16KeychainDbCommonC2ER7SessionRK12DbIdentifier
+__ZN13LocalDbCommonC2ER7Session
+__ZN8DbCommonC2ER7Session
+__ZN18DatabaseCryptoCoreC2Ev
+__ZN8NodeCore9findFirstI16KeychainDbGlobalRK12DbIdentifierEEN8Security10RefPointerIT_EEMS7_KFT0_vES9_
+__ZN8Security10RefPointerI16KeychainDbGlobalE7releaseEv
+__ZN16KeychainDbGlobalC2ERK12DbIdentifier
+__ZNK8DbCommon7sessionEv
+__ZN8NodeCore12addReferenceERS_
+__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE16_M_insert_uniqueERKS3_
+__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE9_M_insertEPSt18_Rb_tree_node_baseSB_
+__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE14_M_create_nodeERKS3_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIN8Security10RefPointerI8NodeCoreEEEE8allocateEmPKv
+__ZN8Security10RefPointerINS_14DLDbIdentifier4ImplEE7releaseEv
+__ZN7CopyOutD1Ev
+__ZN7CopyOutD2Ev
+__ZL16_XauthenticateDbP17mach_msg_header_tS0_
+__Z26ucsp_server_authenticateDbjj13audit_token_tPijjPvj
+_xdr_CSSM_ACCESS_CREDENTIALS_PTR
+_xdr_CSSM_ACCESS_CREDENTIALS
+_xdr_CSSM_BASE_CERTS
+_xdr_CSSM_CERTGROUP
+_sec_xdr_array
+_xdr_CSSM_SAMPLE
+_xdr_CSSM_LIST
+_xdr_CSSM_LIST_ELEMENT
+__ZN6Server8databaseEj
+__ZN6Server4findI8DatabaseEEN8Security10RefPointerIT_EEji
+__ZN8Security13MappingHandleIjE7findRefI8DatabaseEENS_10RefPointerIT_EEji
+__ZN8Security13MappingHandleIjE5State6locateEji
+__ZN16KeychainDatabase12authenticateEjPKN8Security17AccessCredentialsE
+__ZN8Security11DataWalkers4sizeIPNS_17AccessCredentialsEEEmT_
+__ZN8Security11DataWalkers14enumerateArrayINS0_10SizeWalkerENS_11SampleGroupENS_10CssmSampleEEEvRT_RT0_MS7_FRPT1_vE
+__ZN8Security11SampleGroup7samplesEv
+__ZN8Security11DataWalkers4walkINS0_10SizeWalkerEEEPNS_11ListElementERT_RS4_
+__ZN8Security11DataWalkers4copyINS_17AccessCredentialsEEEPT_PKS3_RNS_9AllocatorEm
+__ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEPNS_17AccessCredentialsERT_RS4_
+__ZN8Security11DataWalkers14enumerateArrayINS0_10CopyWalkerENS_11SampleGroupENS_10CssmSampleEEEvRT_RT0_MS7_FRPT1_vE
+__ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEvRT_RNS_10CssmSampleE
+__ZN8Security11DataWalkers9enumerateINS0_10CopyWalkerEEEvRT_RNS_8CssmListE
+__ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEPNS_11ListElementERT_RS4_
+__ZN8Security11ListElement4lastEv
+__ZN8Security10RefPointerI8DatabaseE7releaseEv
+__ZL11_XdecodeKeyP17mach_msg_header_tS0_
+__Z21ucsp_server_decodeKeyjj13audit_token_tPiPjPPvS1_jS2_j
+__ZN6Server8keychainEj
+__ZN6Server4findI16KeychainDatabaseEEN8Security10RefPointerIT_EEji
+__ZN8Security13MappingHandleIjE7findRefI16KeychainDatabaseEENS_10RefPointerIT_EEji
+__Z8makeBlobIN8Security14SecurityServer7KeyBlobEEPKT_RKNS0_8CssmDataEi
+__ZN11KeychainKeyC1ER8DatabasePKN8Security14SecurityServer7KeyBlobE
+__ZN11KeychainKeyC2ER8DatabasePKN8Security14SecurityServer7KeyBlobE
+__ZN8LocalKeyC2ER8Databasej
+__ZN3KeyC2ER8Database
+__ZN8Database10SubsidiaryC2ERS_
+__ZNK8Security14SecurityServer7KeyBlob4copyERNS_9AllocatorE
+__ZN8Security9Allocator6mallocINS_14SecurityServer7KeyBlobEEEPT_m
+__ZN8Security10RefPointerI16KeychainDatabaseE7releaseEv
+__ZN8LocalKey9returnKeyERjRN8Security7CssmKey6HeaderE
+__ZN11KeychainKey9getHeaderERN8Security7CssmKey6HeaderE
+__ZN8Security4n2hiERNS_7CssmKey6HeaderE
+_copyin
+_sec_xdr_sizeof_in
+_xdr_CSSM_KEYHEADER
+_sec_x_putlong
+_sec_x_putbytes
+_sec_xdrmem_putlong_aligned
+_sec_xdrmem_putbytes
+__ZN6Server15releaseWhenDoneEPv
+__ZN6Server15releaseWhenDoneERN8Security9AllocatorEPv
+__ZN8Security12MachPlusPlus10MachServer15releaseWhenDoneERNS_9AllocatorEPv
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus10MachServer10AllocationES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE16_M_insert_uniqueERKS
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus10MachServer10AllocationES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE9_M_insertEPSt18_Rb_tr
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus10MachServer10AllocationES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE14_M_create_nodeERKS3_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIN8Security12MachPlusPlus10MachServer10AllocationEEE8allocateEmPKv
+__ZN8Security10RefPointerI3KeyE7releaseEv
+__ZL9_XdecryptP17mach_msg_header_tS0_
+__Z19ucsp_server_decryptjj13audit_token_tPiPvjjS1_jPS1_Pj
+_xdr_CSSM_CONTEXT_PTR
+_xdr_CSSM_CONTEXT
+_xdr_CSSM_CONTEXT_ATTRIBUTE
+_xdr_CSSM_KEY
+_xdr_CSSM_DATA
+__ZN6Server3keyEj
+__ZN8Security13MappingHandleIjE7findRefI3KeyEENS_10RefPointerIT_EEji
+__ZN13LocalDatabase7decryptERKN8Security7ContextER3KeyRKNS0_8CssmDataERS6_
+__ZN8LocalKey7cssmKeyEv
+__ZN8LocalKey8keyValueEv
+__ZN11KeychainKey6getKeyEv
+__ZN11KeychainKey6decodeEv
+__ZN16KeychainDatabase9decodeKeyEPN8Security14SecurityServer7KeyBlobERNS0_7CssmKeyERPvS7_
+__ZN8Security14SecurityServer7KeyBlob11isClearTextEv
+__ZN16KeychainDatabase8unlockDbEv
+__ZN16KeychainDatabase12makeUnlockedEPKN8Security17AccessCredentialsE
+__ZN16KeychainDatabase8isLockedEv
+__ZN16KeychainDatabase19establishOldSecretsEPKN8Security17AccessCredentialsE
+__ZNK16KeychainDbCommon15belongsToSystemEv
+__ZN17SystemKeychainKeyC1EPKc
+__ZN17SystemKeychainKeyC2EPKc
+__ZN17SystemKeychainKey7matchesERKN8Security14SecurityServer6DbBlob9SignatureE
+__ZN17SystemKeychainKey6updateEv
+__ZNK8Security14SecurityServer10CommonBlob7isValidEv
+__ZN8Security4Time8AbsoluteC1ERK8timespec
+__ZN8Security10CssmClient3KeyC2ERKNS0_3CSPERK8cssm_keyb
+__ZN8Security10CssmClient7KeyImplC1ERKNS0_3CSPERK8cssm_keyb
+__ZN8Security7CssmKeyC2ERK8cssm_key
+__ZN8Security12CssmAutoDataC2INS_8CssmDataEEERNS_9AllocatorERKT_
+__ZN8Security13CssmOwnedData4copyIvEEvPKT_m
+__ZN8Security12CssmAutoData5resetEv
+__ZN8Security7destroyEPvRNS_9AllocatorE
+__ZN8Security12CssmAutoData7releaseEv
+__ZN8Security12CssmAutoDataD2Ev
+__ZN8Security13CssmOwnedDataD2Ev
+__ZN8Security15CssmManagedDataD2Ev
+__ZN18DatabaseCryptoCore5setupEPKN8Security14SecurityServer6DbBlobENS0_10CssmClient3KeyE
+__ZNK8Security10CssmClient6Object4implINS0_7KeyImplEEERT_v
+__ZN8Security10RefPointerINS_10CssmClient10ObjectImplEE10setPointerEPS2_
+__ZN16KeychainDatabase6decodeEv
+__ZN16KeychainDbCommon8unlockDbEPN8Security14SecurityServer6DbBlobEPPv
+__ZN18DatabaseCryptoCore10decodeCoreEPKN8Security14SecurityServer6DbBlobEPPv
+__ZN8Security10CssmClient7DecryptC1ERKNS0_3CSPEj
+__ZN8Security10CssmClient5CryptC2ERKNS0_3CSPEj
+__ZN8Security10CssmClient7ContextC2ERKNS0_3CSPEj
+__ZN8Security10CssmClient7Context3setEjj
+__ZN8Security10CssmClient5Crypt3keyERKNS0_3KeyE
+__ZN8Security10CssmClient7Context3setINS_7CssmKeyEEEvjRKT_
+__ZN8Security10CssmClient7Context3setINS_8CssmDataEEEvjRKT_
+__ZN8Security10CssmClient7Decrypt7decryptEPKNS_8CssmDataEjPS2_jRS2_
+__ZN8Security10CssmClient7Context8unstagedEv
+__ZN8Security10CssmClient5Crypt8activateEv
+__ZN8Security10CssmClient10ObjectImpl5checkEi
+__ZN18DatabaseCryptoCore10makeRawKeyEPvmjj
+__ZN8Security10CssmClient9UnwrapKeyC1ERKNS0_3CSPEj
+__ZN8Security10CssmClient9RccBearerC2Ev
+__ZN8Security10CssmClient9UnwrapKeyclERKNS_7CssmKeyERKNS0_7KeySpecERS2_PNS_8CssmDataEPS3_
+__ZNK8Security10CssmClient9RccBearer12compositeRccEv
+__ZN8Security10CssmClient9UnwrapKeyD1Ev
+__ZN8Security10CssmClient5CryptD2Ev
+__ZN8Security10CssmClient7ContextD2Ev
+__ZN8Security10CssmClient7Context10deactivateEv
+__ZN8Security10CssmClient10ObjectImplD2Ev
+__ZN8Security10CssmClient9VerifyMacC1ERKNS0_3CSPEj
+__ZN8Security10CssmClient10MacContextC2ERKNS0_3CSPEj
+__ZN8Security10CssmClient10MacContext3keyERKNS0_3KeyE
+__ZN8Security10CssmClient7Context3setINS0_3KeyEEEvjRKT_
+__ZN8Security10CssmClient9VerifyMac6verifyEPKNS_8CssmDataEjRS3_
+__ZN8Security10CssmClient10MacContext8activateEv
+__ZN8Security10CssmClient9VerifyMacD1Ev
+__ZN8Security10CssmClient10MacContextD2Ev
+__ZN8Security10CssmClient7DecryptD1Ev
+__ZN16KeychainDbCommon11setUnlockedEv
+__ZN16KeychainDbCommon8activityEv
+__ZN8DbCommon6notifyEjRKN8Security14DLDbIdentifierE
+__ZN8Security19NameValueDictionaryC1Ev
+__ZN8Security19NameValueDictionary41MakeNameValueDictionaryFromDLDbIdentifierERKNS_14DLDbIdentifierERS0_
+__ZN8Security13NameValuePair9CloneDataERKNS_8CssmDataE
+__ZNSt6vectorIPN8Security13NameValuePairESaIS2_EE9push_backERKS2_
+__ZNSt6vectorIPN8Security13NameValuePairESaIS2_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS2_S4_EERKS2_
+__ZN9__gnu_cxx13new_allocatorIPN8Security13NameValuePairEE8allocateEmPKv
+__ZN8Security19NameValueDictionary6ExportERNS_8CssmDataE
+__ZNK8Security13NameValuePair6ExportERNS_8CssmDataE
+__ZN8Listener6notifyEjjRKN8Security8CssmDataE
+__ZN8Listener12NotificationC2EjjjRKN8Security8CssmDataE
+__ZN8Listener16sendNotificationEPNS_12NotificationE
+__ZN20SharedMemoryListener8notifyMeEPN8Listener12NotificationE
+__ZNK8Security13CssmOwnedData3getEv
+__ZN18SharedMemoryServer12WriteMessageEjjPKvj
+_CalculateCRC
+__ZN18SharedMemoryServer11WriteOffsetEj
+__ZN18SharedMemoryServer9WriteDataEPKvj
+__ZN8Security10RefPointerIN8Listener12NotificationEE7releaseEv
+__ZN8Listener12NotificationD0Ev
+__ZN8Security19NameValueDictionaryD1Ev
+__ZN8Security19NameValueDictionaryD2Ev
+__ZNSt6vectorIPN8Security13NameValuePairESaIS2_EE5eraseEN9__gnu_cxx17__normal_iteratorIPS2_S4_EE
+__ZNSt6vectorIPN8Security13NameValuePairESaIS2_EED2Ev
+__ZNSt12_Vector_baseIPN8Security13NameValuePairESaIS2_EED2Ev
+__ZN16KeychainDatabase3aclEv
+__ZN8Security9ObjectAcl10importBlobEPKvS2_
+__ZN8Security9ObjectAcl5Entry10importBlobERNS_23LowLevelMemoryUtilities6ReaderES4_
+__ZN8Security9ObjectAcl13importSubjectERNS_23LowLevelMemoryUtilities6ReaderES3_
+__ZN8Security9ObjectAcl4makeEjRNS_23LowLevelMemoryUtilities6ReaderES3_
+__ZN8Security9ObjectAcl8makerForEi
+__ZNK8Security13AnyAclSubject5Maker4makeEhRNS_23LowLevelMemoryUtilities6ReaderES4_
+__ZN8Security10AclSubjectC2Ejh
+__ZN8Security10RefPointerINS_10AclSubjectEE10setPointerEPS1_
+__ZN8Security10RefPointerINS_10AclSubjectEE7releaseEv
+__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE8_M_eraseEPSt13_Rb_tree_nodeI
+__ZN8Security9ObjectAcl8AclEntryC2Ev
+__ZN8Security9ObjectAcl8AclEntry10importBlobERNS_23LowLevelMemoryUtilities6ReaderES4_
+__ZN8Security23LowLevelMemoryUtilities6ReaderclERPKc
+__ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEE5eraseESt23_Rb_tree_const_iteratorIiES7_
+__ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEE8_M_eraseEPSt13_Rb_tree_nodeIiE
+__ZN8Security9ObjectAcl3addERKSsRKNS0_8AclEntryE
+__ZN8Security9ObjectAcl8AclEntryC2ERKS1_
+__ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEEC2ERKS5_
+__ZN8Security9ObjectAcl3addERKSsNS0_8AclEntryEl
+__ZNSt4pairISsN8Security9ObjectAcl8AclEntryEEC2ERKSsRKS2_
+__ZNSt4pairIKSsN8Security9ObjectAcl8AclEntryEEC2ISsS3_EERKS_IT_T0_E
+__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE15_M_insert_equalERKS5_
+__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE9_M_insertEPSt18_Rb_tree_node
+__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE14_M_create_nodeERKS5_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKSsN8Security9ObjectAcl8AclEntryEEEE8allocateEmPKv
+__ZNSt4pairIKSsN8Security9ObjectAcl8AclEntryEEC2ERKS4_
+__ZNSt4pairIKSsN8Security9ObjectAcl8AclEntryEED2Ev
+__ZN8Security9ObjectAcl8AclEntryD2Ev
+__ZN8Security9ObjectAcl5EntryD2Ev
+__ZNSt4pairISsN8Security9ObjectAcl8AclEntryEED2Ev
+__ZN17SystemKeychainKeyD1Ev
+__ZNK18DatabaseCryptoCore13decodeKeyCoreEPN8Security14SecurityServer7KeyBlobERNS0_7CssmKeyERPvS7_
+__ZN8Security4h2niERNS_7CssmKey6HeaderE
+__ZN8Security10CssmClient7Context3addEjj
+__ZN8Security10CssmClient9UnwrapKeyclERKNS_7CssmKeyERKNS0_7KeySpecERS2_PNS_8CssmDataE
+__ZN11KeychainKey3aclEv
+__ZNK8Security17ProcessAclSubject5Maker4makeEhRNS_23LowLevelMemoryUtilities6ReaderES4_
+__ZNK8Security7Context7replaceINS_7CssmKeyEEEvjRKT_
+__ZN8Security7Context4findEjPK22cssm_context_attributej
+__ZN9AclSource8validateEiRKN8Security7ContextE
+__ZThn160_N11KeychainKey15relatedDatabaseEv
+__ZN11KeychainKey15relatedDatabaseEv
+__ZThn160_N11KeychainKey3aclEv
+__ZN17SecurityServerAcl8validateEiRKN8Security7ContextEP8Database
+__ZThn232_N11KeychainKey8validateEiPKN8Security17AccessCredentialsEP8Database
+__ZN11KeychainKey8validateEiPKN8Security17AccessCredentialsEP8Database
+__ZN17SecurityServerAcl8validateEiPKN8Security17AccessCredentialsEP8Database
+__ZN25SecurityServerEnvironmentC1ER17SecurityServerAclP8Database
+__ZN6Server7processEv
+__ZN8Security9ObjectAcl8validateEiPKNS_17AccessCredentialsEPNS_24AclValidationEnvironmentE
+__ZN8Security9ObjectAcl9validatesEiPKNS_17AccessCredentialsEPNS_24AclValidationEnvironmentE
+__ZN8Security9ObjectAcl9validatesERNS_20AclValidationContextE
+__ZThn232_N11KeychainKey14instantiateAclEv
+__ZN11KeychainKey14instantiateAclEv
+__ZNK8Security20AclValidationContext9s_credTagEv
+__ZNK8Security20AclValidationContext7credTagEv
+__ZNK8Security9ObjectAcl8getRangeERKSsRSt4pairISt23_Rb_tree_const_iteratorIS3_IS1_NS0_8AclEntryEEES7_E
+__ZNK8Security9ObjectAcl8AclEntry10authorizesEi
+__ZN8Security20AclValidationContext4initEPNS_9ObjectAclEPNS_10AclSubjectE
+__ZN8Security20AclValidationContext8entryTagERKSs
+__ZNK8Security17ProcessAclSubject8validateERKNS_20AclValidationContextE
+__ZNK25SecurityServerEnvironment6getuidEv
+__ZN21BaseValidationContextD2Ev
+__ZN8Security20AclValidationContextD2Ev
+__ZN25SecurityServerEnvironmentD1Ev
+__ZN8Security20PreAuthorizationAcls11EnvironmentD2Ev
+__ZN8Security18PromptedAclSubject11EnvironmentD2Ev
+__ZN8Security16SecretAclSubject11EnvironmentD2Ev
+__ZN8Security23CodeSignatureAclSubject11EnvironmentD2Ev
+__ZN8Security17ProcessAclSubject11EnvironmentD2Ev
+__ZN8Security24AclValidationEnvironmentD2Ev
+__ZNK16KeychainDatabase8activityEv
+__ZNK16KeychainDatabase6commonEv
+__ZN8Security10CssmClient7Context8overrideERKNS_7ContextE
+__ZL12_XreleaseKeyP17mach_msg_header_tS0_
+__Z22ucsp_server_releaseKeyjj13audit_token_tPij
+__ZN8Database10releaseKeyER3Key
+__ZN8NodeCore4killERS_
+__ZN8NodeCore4killEv
+__ZN8NodeCore15clearReferencesEv
+__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE8_M_eraseEPSt13_Rb_tree_nodeIS3_E
+__ZN8NodeCore15removeReferenceERS_
+__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE5eraseERKS3_
+__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE11equal_rangeERKS3_
+__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE5eraseESt17_Rb_tree_iteratorIS3_ESB_
+__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE15_M_destroy_nodeEPSt13_Rb_tree_nodeI
+__ZN11KeychainKeyD0Ev
+__ZN17SecurityServerAclD2Ev
+__ZN8Security9ObjectAclD2Ev
+__ZN8Security9ObjectAcl10OwnerEntryD2Ev
+__ZN8Security17ProcessAclSubjectD0Ev
+__ZN8Security10AclSubjectD2Ev
+__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE15_M_destroy_nodeEPSt13_Rb_tr
+__ZN8LocalKeyD2Ev
+__ZN8Security10CssmClient7KeyImplD0Ev
+__ZN8Security10CssmClient7KeyImpl10deactivateEv
+__ZN8Security10CssmClient9AclBearerD2Ev
+__ZN3KeyD2Ev
+__ZN9AclSourceD2Ev
+__ZN8Database10SubsidiaryD2Ev
+__ZN10PerProcessD2Ev
+__ZN4NodeI10PerProcess10PerSessionED2Ev
+__ZN8NodeCoreD2Ev
+__ZN8Security13MappingHandleIjED2Ev
+__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE5eraseE
+__ZL18_XpostNotificationP17mach_msg_header_tS0_
+__Z28ucsp_server_postNotificationjj13audit_token_tPijjPvjj
+__ZN8Listener6notifyEjjjRKN8Security8CssmDataE
+__ZN8Listener12JitterBuffer10inSequenceEPNS_12NotificationE
+__ZN8Listener12JitterBuffer15popNotificationEv
+__ZThn88_N20SharedMemoryListener6actionEv
+__ZN20SharedMemoryListener6actionEv
+__ZL21_XauthorizationCreateP17mach_msg_header_tS0_
+__Z31ucsp_server_authorizationCreatejj13audit_token_tPiPvjjS1_jPN8Security14SecurityServer17AuthorizationBlobE
+__ZN13Authorization11AuthItemSetC1EPK20AuthorizationItemSet
+__ZN13Authorization11AuthItemSetC2EPK20AuthorizationItemSet
+__ZN7Session10authCreateERKN13Authorization11AuthItemSetES3_jRN8Security14SecurityServer17AuthorizationBlobERK13audit_token_t
+__ZN18AuthorizationTokenC1ER7SessionRKSt3setIN13Authorization10CredentialESt4lessIS4_ESaIS4_EERK13audit_token_tb
+__ZN18AuthorizationTokenC2ER7SessionRKSt3setIN13Authorization10CredentialESt4lessIS4_ESaIS4_EERK13audit_token_tb
+__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EEC2ERKS7_
+__ZN13Authorization11AuthItemSetC1Ev
+__ZNK20ClientIdentification12currentGuestEv
+__ZNK20ClientIdentification7currentEv
+__ZN8Security12MachPlusPlus10MachServer16longTermActivityEv
+__ZN8Security5CFRefIP9__SecCodeEaSERKS3_
+__ZNSt3mapIjN20ClientIdentification10GuestStateESt4lessIjESaISt4pairIKjS1_EEEixERS5_
+__ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE16_M_insert_uniqueESt17_Rb
+__ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE16_M_insert_uniqueERKS4_
+__ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE9_M_insertEPSt18_Rb_tree_n
+__ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE14_M_create_nodeERKS4_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKjN20ClientIdentification10GuestStateEEEE8allocateEmPKv
+__ZNSt3mapIN8Security14SecurityServer17AuthorizationBlobENS0_10RefPointerI18AuthorizationTokenEESt4lessIS2_ESaISt4pairIKS2_S5_E
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKN8Security14SecurityServer17AuthorizationBlobENS3_10RefPointerI18Autho
+__ZN8Security10RefPointerI18AuthorizationTokenE7releaseEv
+__ZN8Security10RefPointerI18AuthorizationTokenE10setPointerEPS1_
+__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EEaSERKS7_
+__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE8_M_eraseEPSt13_Rb_tree_nodeIS1_E
+__ZN13Authorization6Engine9authorizeERKNS_11AuthItemSetES3_jPKSt3setINS_10CredentialESt4lessIS5_ESaIS5_EEPS9_RS1_R18Authorizati
__ZN13Authorization20AuthorizationDBPlist4syncEd
-__ZN13Authorization20AuthorizationDBPlist4loadEd
+__ZN13Authorization20AuthorizationDBPlist4loadEv
__ZN13Authorization20AuthorizationDBPlist11parseConfigEPK14__CFDictionary
+__ZN8Security5CFRefIP14__CFDictionaryEaSES2_
+__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE8_M_eraseEPSt13_Rb_tree_nodeIS4_E
__ZN13Authorization20AuthorizationDBPlist9parseRuleEPKvS2_Pv
__ZN13Authorization20AuthorizationDBPlist8addRightEPK10__CFStringPK14__CFDictionary
__ZN8Security8cfStringEPK10__CFStringb
-__ZNSsC4Ev
-__ZNSs6assignEPKcm
-__ZdaPv
-__ZN13Authorization4RuleC1Ev
-__ZN13Authorization4RuleC4Ev
-__ZN13Authorization8RuleImplC4Ev
__ZN13Authorization4RuleC1ERKSsPK14__CFDictionaryS5_
-__ZN13Authorization4RuleC4ERKSsPK14__CFDictionaryS5_
-__ZN13Authorization8RuleImplC4ERKSsPK14__CFDictionaryS5_
-__ZN13Authorization8RuleImpl9Attribute9getStringEPK14__CFDictionaryPK10__CFStringbPc
-__ZNKSs7compareEPKc
-__ZNSs6assignERKSs
-__ZNSs4_Rep7_M_grabERKSaIcES2_
+__ZN13Authorization4RuleC2ERKSsPK14__CFDictionaryS5_
+__ZN13Authorization8RuleImplC2ERKSsPK14__CFDictionaryS5_
+__ZN13Authorization8RuleImpl9Attribute9getStringEPK14__CFDictionaryPK10__CFStringbPKc
__ZN13Authorization8RuleImpl9Attribute9getDoubleEPK14__CFDictionaryPK10__CFStringbd
__ZN13Authorization8RuleImpl9Attribute7getBoolEPK14__CFDictionaryPK10__CFStringbb
__ZN13Authorization8RuleImpl9Attribute9getVectorEPK14__CFDictionaryPK10__CFStringb
-__ZSt13__destroy_auxIPSsEvT_S1_12__false_type
-__ZNSt24__default_alloc_templateILb1ELi0EE10deallocateEPvm
+__ZNSt6vectorISsSaISsEEaSERKS1_
+__ZNSt6__copyILb0ESt26random_access_iterator_tagE4copyIPKSsPSsEET0_T_S7_S6_
+__ZNSt6vectorISsSaISsEE20_M_allocate_and_copyIN9__gnu_cxx17__normal_iteratorIPKSsS1_EEEEPSsmT_S9_
+__ZSt24__uninitialized_copy_auxIN9__gnu_cxx17__normal_iteratorIPKSsSt6vectorISsSaISsEEEEPSsET0_T_SA_S9_St12__false_type
__ZN13Authorization8RuleImpl9Attribute19getLocalizedPromptsEPK14__CFDictionaryRSt3mapISsSsSt4lessISsESaISt4pairIKSsSsEEE
-__ZNKSs7compareERKSs
+__ZNSt6vectorIN13Authorization4RuleESaIS1_EE9push_backERKS1_
+__ZNSt6vectorIN13Authorization4RuleESaIS1_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS1_S3_EERKS1_
+__ZN9__gnu_cxx13new_allocatorIN13Authorization4RuleEE8allocateEmPKv
+__ZSt24__uninitialized_copy_auxIPN13Authorization4RuleES2_ET0_T_S4_S3_St12__false_type
+__ZN8Security10RefPointerIN13Authorization8RuleImplEE7releaseEv
+__ZNSt3mapISsN13Authorization4RuleESt4lessISsESaISt4pairIKSsS1_EEEixERS5_
+__ZN13Authorization4RuleC1Ev
+__ZN13Authorization4RuleC2Ev
+__ZN13Authorization8RuleImplC2Ev
+__ZNSt4pairIKSsN13Authorization4RuleEEC2ERS0_RKS2_
+__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE16_M_insert_uniqueESt17_Rb_tree_itera
+__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE16_M_insert_uniqueERKS4_
+__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE9_M_insertEPSt18_Rb_tree_node_baseSC_
+__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE14_M_create_nodeERKS4_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKSsN13Authorization4RuleEEEE8allocateEmPKv
+__ZNSt4pairIKSsN13Authorization4RuleEEC2ERKS3_
+__ZNSt4pairIKSsN13Authorization4RuleEED2Ev
+__ZN8Security10RefPointerIN13Authorization8RuleImplEE10setPointerEPS2_
+__ZN13Authorization8RuleImplD2Ev
+__ZNSt8_Rb_treeISsSt4pairIKSsSsESt10_Select1stIS2_ESt4lessISsESaIS2_EE8_M_eraseEPSt13_Rb_tree_nodeIS2_E
+__ZNSt6vectorIN13Authorization4RuleESaIS1_EED2Ev
+__ZNSt12_Vector_baseIN13Authorization4RuleESaIS1_EED2Ev
+__ZN8Security5CFRefIPK14__CFDictionaryEaSES3_
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EEC2ERKS7_
+__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLoggerC1ERKNS0_10AuditTokenEs
+__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLoggerC2ERKNS0_10AuditTokenEs
+__ZN8Security14CommonCriteria9Securityd11AuditLogger13setClientInfoERKNS0_10AuditTokenE
+__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE4swapERS7_
+__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLoggerD2Ev
+__ZN8Security14CommonCriteria9Securityd11RightLoggerD2Ev
+__ZN8Security14CommonCriteria9Securityd11AuditLoggerD2Ev
+__ZN8Security14CommonCriteria9Securityd11AuditLogger5closeEb
__ZN13Authorization11AuthItemSetD1Ev
-__ZN13Authorization11AuthItemSetD4Ev
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE8_M_eraseEPSt13_Rb_tree_nodeIS1_E
__ZN7Process16addAuthorizationEP18AuthorizationToken
+__ZNSt8_Rb_treeIP18AuthorizationTokenS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE9_M_insertEPSt18_Rb_tree_node_baseS9_RKS1_
+__ZNSt8_Rb_treeIP18AuthorizationTokenS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE14_M_create_nodeERKS1_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIP18AuthorizationTokenEE8allocateEmPKv
__ZN18AuthorizationToken10addProcessER7Process
-__ZN6Server15requestCompleteEv
-__ZN10Connection7endWorkEv
-__Z26_XauthorizationInternalizeP17mach_msg_header_tS0_
-__Z36ucsp_server_authorizationInternalizejj13audit_token_tPl25AuthorizationExternalFormPN8Security14SecurityServer17AuthorizationBlobE
-__ZN7Session15authInternalizeERK25AuthorizationExternalFormRN8Security14SecurityServer17AuthorizationBlobE
-__ZN18AuthorizationToken4findERKN8Security14SecurityServer17AuthorizationBlobE
-__ZN13Authorization5Error7throwMeEi
-___cxa_allocate_exception
-__ZN13Authorization5ErrorC4Ei
-__ZN8Security11CommonErrorC2Ev
-__ZN8Security11CommonErrorC4Ev
-___cxa_throw
-___cxa_get_globals
-__Z21get_globals_init_oncev
-__Unwind_RaiseException
-save_world
-_uw_init_context_1
-_uw_frame_state_for
-__Unwind_Find_FDE
-__Unwind_Find_registered_FDE
-_examine_objects
-_search_object
-_init_object
-_classify_object_over_fdes
-_get_cie_encoding
-_read_uleb128
-_read_sleb128
-_base_from_object
-_read_encoded_value_with_base
-_size_of_encoded_value
-_add_fdes
-_fde_split
-_fde_single_encoding_compare
-_frame_heapsort
-_extract_cie_info
-_read_uleb128
-_read_sleb128
-_execute_cfa_program
-_size_of_encoded_value
-_uw_update_context_1
-_base_of_encoded_value
-_read_encoded_value_with_base
-___gxx_personality_v0
-__Unwind_GetLanguageSpecificData
-_uw_update_context
-__Z17parse_lsda_headerP15_Unwind_ContextPKhP16lsda_header_info
-__Unwind_GetRegionStart
-__Z12read_uleb128PKhPj
-__Z21base_of_encoded_valuehP15_Unwind_Context
-__Unwind_GetIP
-__Z28read_encoded_value_with_basehjPKhPj
-__Z12read_sleb128PKhPi
-__Z15get_ttype_entryP16lsda_header_infoj
-__Z21size_of_encoded_valueh
-__Z16get_adjusted_ptrPKSt9type_infoS1_PPv
-__ZNKSt9type_info14__is_pointer_pEv
-__ZNK10__cxxabiv117__class_type_info10__do_catchEPKSt9type_infoPPvj
-__ZNK10__cxxabiv117__class_type_info11__do_upcastEPKS0_PPv
-__ZNK10__cxxabiv120__si_class_type_info11__do_upcastEPKNS_17__class_type_infoEPKvRNS1_15__upcast_resultE
-__ZNK10__cxxabiv117__class_type_info11__do_upcastEPKS0_PKvRNS0_15__upcast_resultE
-__Unwind_RaiseException_Phase2
-__Unwind_SetGR
-__Unwind_SetIP
-_uw_install_context_1
-_init_dwarf_reg_size_table
-eh_rest_world_r10
-rest_world_eh_r7r8
-___cxa_begin_catch
-__ZN8Security9CssmError9cssmErrorERKNS_11CommonErrorEl
-__ZNK13Authorization5Error8osStatusEv
-___cxa_end_catch
-___cxa_get_globals_fast
-__Unwind_DeleteException
-__Z23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception
-__ZN8Security11CommonErrorD2Ev
-__ZN8Security11CommonErrorD4Ev
-__ZNSt9exceptionD2Ev
-__ZNSt9exceptionD4Ev
-___cxa_free_exception
-__Z26_XauthorizationExternalizeP17mach_msg_header_tS0_
-__Z36ucsp_server_authorizationExternalizejj13audit_token_tPlN8Security14SecurityServer17AuthorizationBlobEP25AuthorizationExternalForm
-__ZN7Session15authExternalizeERKN8Security14SecurityServer17AuthorizationBlobER25AuthorizationExternalForm
+__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueERKS1_
+__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE9_M_insertEPSt18_Rb_tree_node_baseS9_RKS1_
+__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE14_M_create_nodeERKS1_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIP7ProcessEE8allocateEmPKv
+__ZL20_XauthorizationdbGetP17mach_msg_header_tS0_
+__Z30ucsp_server_authorizationdbGetjj13audit_token_tPiPKcPPvPj
+__ZN7Session18authorizationdbGetEPKcPPK14__CFDictionary
+__ZN13Authorization6Engine7getRuleERSsPPK14__CFDictionary
+__ZN13Authorization20AuthorizationDBPlist17getRuleDefinitionERSs
+__ZL20_XauthorizationdbSetP17mach_msg_header_tS0_
+__Z30ucsp_server_authorizationdbSetjj13audit_token_tPiN8Security14SecurityServer17AuthorizationBlobEPKcPvj
+__ZN7Session18authorizationdbSetERKN8Security14SecurityServer17AuthorizationBlobEPKcPK14__CFDictionary
__ZN7Session13authorizationERKN8Security14SecurityServer17AuthorizationBlobE
+__ZN18AuthorizationToken4findERKN8Security14SecurityServer17AuthorizationBlobE
__ZN7Process18checkAuthorizationEP18AuthorizationToken
-__ZNK18AuthorizationToken14mayExternalizeER7Process
-__ZN18AuthorizationToken14mayInternalizeER7Processb
-__Z16_XgetSessionInfoP17mach_msg_header_tS0_
-__Z38__MIG_check__Request__getSessionInfo_tP27__Request__getSessionInfo_t
-__Z26ucsp_server_getSessionInfojj13audit_token_tPlPmS1_
-__ZN7Session4findEm
-__ZN6Server7sessionEv
+__ZNK18AuthorizationToken14effectiveCredsEv
+__ZN13Authorization6Engine7setRuleEPKcPK14__CFDictionaryPKSt3setINS_10CredentialESt4lessIS7_ESaIS7_EEPSB_R18AuthorizationToken
+__ZNK13Authorization20AuthorizationDBPlist12validateRuleESsPK14__CFDictionary
+__ZN13Authorization6Engine18verifyModificationESsbPKSt3setINS_10CredentialESt4lessIS2_ESaIS2_EEPS6_R18AuthorizationToken
+__ZNK13Authorization20AuthorizationDBPlist9existRuleERSs
+__ZN13Authorization11AuthItemRefC1EPKc
+__ZN13Authorization11AuthItemRefC2EPKc
+__ZNK13Authorization20AuthorizationDBPlist7getRuleERKNS_11AuthItemRefE
+__ZNKSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE4findERS1_
+__ZN8Security10RefPointerIN13Authorization8AuthItemEE7releaseEv
+__ZN13Authorization8AuthItemD1Ev
+__ZN13Authorization8AuthItemD2Ev
+__ZStplIcSt11char_traitsIcESaIcEESbIT_T0_T1_ERKS6_S8_
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueERKS1_
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE9_M_insertEPSt18_Rb_tree_node_baseS9_RKS1
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE14_M_create_nodeERKS1_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIN13Authorization11AuthItemRefEEE8allocateEmPKv
+__ZNK13Authorization8RuleImpl8evaluateERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEjdPKSt3setINS_10CredentialESt4lessISA_ES
+__ZNK13Authorization8RuleImpl13evaluateRulesERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEjdPKSt3setINS_10CredentialESt4less
+__ZNK13Authorization8RuleImpl12evaluateUserERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEjdPKSt3setINS_10CredentialESt4lessI
+__ZN8Security14CommonCriteria9Securityd11RightLogger8setRightEPKc
+__ZN8Security14CommonCriteria9Securityd11RightLogger8setRightERKSs
+__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLogger22logAuthorizationResultEPKcS4_i
+__ZN8Security14CommonCriteria9Securityd11AuditLogger4openEv
+__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLogger11writeCommonEv
+__ZN8Security14CommonCriteria9Securityd11AuditLogger12writeSubjectEv
+__ZN8Security14CommonCriteria9Securityd11AuditLogger10writeTokenEP8au_tokenPKc
+__ZN8Security14CommonCriteria9Securityd11AuditLogger11writeReturnEci
+__ZN8Security6Syslog4infoEPKcz
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE15_M_destroy_nodeEPSt13_Rb_tree_nodeIS1_E
+__ZN13Authorization20AuthorizationDBPlist7setRuleEPKcPK14__CFDictionary
+__ZN13Authorization20AuthorizationDBPlist4saveEv
+__ZStplIcSt11char_traitsIcESaIcEESbIT_T0_T1_ERKS6_PKS3_
+__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE15_M_destroy_nodeEPSt13_Rb_tree_nodeI
+__ZN7Session16mergeCredentialsERSt3setIN13Authorization10CredentialESt4lessIS2_ESaIS2_EE
+__ZN18AuthorizationToken16mergeCredentialsERKSt3setIN13Authorization10CredentialESt4lessIS2_ESaIS2_EE
+__ZL22_XauthorizationReleaseP17mach_msg_header_tS0_
+__Z32ucsp_server_authorizationReleasejj13audit_token_tPiN8Security14SecurityServer17AuthorizationBlobEj
+__ZN7Session8authFreeERKN8Security14SecurityServer17AuthorizationBlobEj
+__ZN18AuthorizationToken7DeleterC1ERKN8Security14SecurityServer17AuthorizationBlobE
+__ZN18AuthorizationToken7DeleterC2ERKN8Security14SecurityServer17AuthorizationBlobE
+__ZN7Process19removeAuthorizationEP18AuthorizationToken
+__ZNSt8_Rb_treeIP18AuthorizationTokenS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseESt23_Rb_tree_const_iteratorIS1_E
+__ZN18AuthorizationToken10endProcessER7Process
+__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseERKS1_
+__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseESt17_Rb_tree_iteratorIS1_ES9_
+__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE8_M_eraseEPSt13_Rb_tree_nodeIS1_E
+__ZN18AuthorizationToken7Deleter6removeEv
+__ZNSt8_Rb_treeIN8Security14SecurityServer17AuthorizationBlobESt4pairIKS2_NS0_10RefPointerI18AuthorizationTokenEEESt10_Select1s
+__ZN18AuthorizationTokenD0Ev
+__ZN10PerSessionD2Ev
+__ZN4NodeI10PerSession9PerGlobalED2Ev
_cdsa_notify_server
__Xmach_notify_dead_name
_cdsa_mach_notify_dead_name
+__ZThn144_N6Server14notifyDeadNameEN8Security12MachPlusPlus4PortE
__ZN6Server14notifyDeadNameEN8Security12MachPlusPlus4PortE
__ZN10Connection5abortEb
+__ZN8Security12MachPlusPlus4Port7destroyEv
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI10ConnectionEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_
__ZN10ConnectionD0Ev
-__ZN10ConnectionD4Ev
-__ZN8NodeCoreD2Ev
-__ZN8NodeCoreD4Ev
-__ZN8Security5MutexD2Ev
-__Z22_XauthorizationReleaseP17mach_msg_header_tS0_
-__Z44__MIG_check__Request__authorizationRelease_tP33__Request__authorizationRelease_t
-__Z32ucsp_server_authorizationReleasejj13audit_token_tPlN8Security14SecurityServer17AuthorizationBlobEm
-__ZN7Session8authFreeERKN8Security14SecurityServer17AuthorizationBlobEm
-__ZN18AuthorizationToken7DeleterC1ERKN8Security14SecurityServer17AuthorizationBlobE
-__ZN18AuthorizationToken7DeleterC4ERKN8Security14SecurityServer17AuthorizationBlobE
-__ZN7Process19removeAuthorizationEP18AuthorizationToken
-__ZN18AuthorizationToken10endProcessER7Process
+__ZNSt8_Rb_treeIjSt4pairIKjN8Security10RefPointerIN8Listener12NotificationEEEESt10_Select1stIS7_ESt4lessIjESaIS7_EE8_M_eraseEPS
+__ZN13PerConnectionD2Ev
+__ZN4NodeI13PerConnection10PerProcessED2Ev
__ZN7Process4killEv
-__ZN8NodeCore4killEv
-__ZN8NodeCore15clearReferencesEv
+__ZN8Security10RefPointerI13LocalDatabaseE10setPointerEPS1_
+__ZN8Security10RefPointerI13LocalDatabaseE7releaseEv
+__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE5eraseERS1_
+__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE5eraseESt17_Rb_tree_iteratorIS4_ESC_
+__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE5eraseESt17_Rb_tree_iteratorIS4_E
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7ProcessEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE5e
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7ProcessEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE15
__ZN7ProcessD0Ev
-__ZN7ProcessD4Ev
-__ZN18AuthorizationTokenD0Ev
-__ZN18AuthorizationTokenD4Ev
+__ZNSt8_Rb_treeIP18AuthorizationTokenS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE8_M_eraseEPSt13_Rb_tree_nodeIS1_E
+__ZN20ClientIdentificationD2Ev
+__ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE15_M_destroy_nodeEPSt13_Rb
__ZN14CodeSignatures8IdentityD2Ev
-__ZN14CodeSignatures8IdentityD4Ev
-__ZN8Security12HandleObjectD2Ev
-__ZN8Security12HandleObjectD4Ev
-__ZN8Security12HandleObject5State5eraseEPS0_
-__ZN18AuthorizationToken7Deleter6removeEv
-__ZN8Security13GenericBundleC1EPKcS2_
-__ZN8Security13GenericBundleC4EPKcS2_
-__Z10_XsetupNewP17mach_msg_header_tS0_
-__Z32__MIG_check__Request__setupNew_tP21__Request__setupNew_t
-__Z20ucsp_server_setupNewjj13audit_token_tPljN8Security14SecurityServer15ClientSetupInfoEPKcPj
+__ZN15CodeSigningHostD2Ev
+__ZN15CodeSigningHost5resetEv
+__ZNSt8_Rb_treeIjSt4pairIKjN8Security10RefPointerIN15CodeSigningHost5GuestEEEESt10_Select1stIS7_ESt4lessIjESaIS7_EE8_M_eraseEPS
+__ZN8Security12MachPlusPlus10MachServer7HandlerD2Ev
+__ZNK16KeychainDbCommon10identifierEv
+__ZNK12DbIdentifiereqERKS_
+__ZNK8Security14DLDbIdentifier4ImpleqERKS1_
+__ZNK8Security17CssmSubserviceUideqERK19cssm_subservice_uid
+__ZNK8Security6DbNameeqERKS0_
+__ZNK8Security6DbNameltERKS0_
+__ZN8Security6DbNameD1Ev
+__ZN8Security6DbNameD2Ev
+__ZL17_XgetDbParametersP17mach_msg_header_tS0_
+__Z27ucsp_server_getDbParametersjj13audit_token_tPijPN8Security14SecurityServer12DBParametersE
+__ZN16KeychainDatabase13getParametersERN8Security14SecurityServer12DBParametersE
+__ZThn16_N16KeychainDatabaseD0Ev
+__ZN16KeychainDatabaseD0Ev
+__ZN13LocalDatabaseD2Ev
+__ZN8DatabaseD2Ev
+__ZN8Security13AnyAclSubjectD0Ev
+__ZN8Security13MappingHandleIjE4findI7SessionEERT_ji
+__ZN8Security13MappingHandleIjE5State4findEji
+__ZL13_XsetupThreadP17mach_msg_header_tS0_
+__Z23ucsp_server_setupThreadjj13audit_token_tPij
+__ZL10_XsetupNewP17mach_msg_header_tS0_
+__Z20ucsp_server_setupNewjj13audit_token_tPijN8Security14SecurityServer15ClientSetupInfoEPKcPj
__ZN14DynamicSessionC1EN8Security12MachPlusPlus8TaskPortE
-__ZN14DynamicSessionC4EN8Security12MachPlusPlus8TaskPortE
-__ZN8Security12MachPlusPlus11ReceivePortC2EPKcRKNS0_9BootstrapE
+__ZN14DynamicSessionC2EN8Security12MachPlusPlus8TaskPortE
+__ZNK8Security12MachPlusPlus8TaskPort9bootstrapEv
+__ZN8Security12MachPlusPlus4Port11insertRightEj
+__ZNK8Security12MachPlusPlus9Bootstrap10registerAsEjPKc
__ZN8Security12MachPlusPlus10MachServer3addENS0_4PortE
__ZNK8Security12MachPlusPlus10MachServer14notifyIfUnusedENS0_4PortEb
__ZN7Process13changeSessionEN8Security12MachPlusPlus4PortE
-__Z14_XsetupSessionP17mach_msg_header_tS0_
-__Z36__MIG_check__Request__setupSession_tP25__Request__setupSession_t
-__Z24ucsp_server_setupSessionjj13audit_token_tPlmm
-__ZN14DynamicSession15setupAttributesEmm
+__ZL14_XsetupSessionP17mach_msg_header_tS0_
+__Z24ucsp_server_setupSessionjj13audit_token_tPijj
+__ZN14DynamicSession15setupAttributesEjj
__ZN14DynamicSession15checkOriginatorEv
-__Z13_XsetupThreadP17mach_msg_header_tS0_
-__Z23ucsp_server_setupThreadjj13audit_token_tPlj
-__Z25_XauthorizationCopyRightsP17mach_msg_header_tS0_
-__Z47__MIG_check__Request__authorizationCopyRights_tP36__Request__authorizationCopyRights_t
-__Z35ucsp_server_authorizationCopyRightsjj13audit_token_tPlN8Security14SecurityServer17AuthorizationBlobEP20AuthorizationItemSetjS5_mS5_jS5_PS5_PjS6_
-__ZN26CheckingReconstituteWalkerC1EPvS0_mb
-__ZN26CheckingReconstituteWalkerC4EPvS0_mb
-__ZN13Authorization11AuthItemRefC4ERK17AuthorizationItem
-__ZN13Authorization8AuthItemC4ERK17AuthorizationItem
-__ZN7Session13authGetRightsERKN8Security14SecurityServer17AuthorizationBlobERKN13Authorization11AuthItemSetES8_mRS6_
-__ZNK18AuthorizationToken14effectiveCredsEv
+__ZL25_XauthorizationCopyRightsP17mach_msg_header_tS0_
+__Z35ucsp_server_authorizationCopyRightsjj13audit_token_tPiN8Security14SecurityServer17AuthorizationBlobEPvjjS4_jPS4_Pj
+_copyout_AuthorizationItemSet
+_xdr_AuthorizationItemSetPtr
+_xdr_AuthorizationItemSet
+_xdr_AuthorizationItem
+__ZN13Authorization11AuthItemRefC2ERK17AuthorizationItem
+__ZN13Authorization8AuthItemC2ERK17AuthorizationItem
+__ZN7Session13authGetRightsERKN8Security14SecurityServer17AuthorizationBlobERKN13Authorization11AuthItemSetES8_jRS6_
__ZNK18AuthorizationToken7sessionEv
-__ZNK13Authorization20AuthorizationDBPlist7getRuleERKNS_11AuthItemRefE
-__ZNK13Authorization8RuleImpl8evaluateERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEmdPKSt3setINS_10CredentialESt4lessISA_ESaISA_EERSE_R18AuthorizationToken
-__ZNK13Authorization8RuleImpl21evaluateMechanismOnlyERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetER18AuthorizationTokenRSt3setINS_10CredentialESt4lessISC_ESaISC_EE
-__ZN13Authorization23AgentMechanismEvaluatorC1EjRK7SessionRKSt6vectorISsSaISsEE
-__ZN13Authorization23AgentMechanismEvaluatorC4EjRK7SessionRKSt6vectorISsSaISsEE
+__ZN7Session13authGetRightsER18AuthorizationTokenRKN13Authorization11AuthItemSetES5_jRS3_
+__ZNK13Authorization8RuleImpl21evaluateMechanismOnlyERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetER18AuthorizationTokenRSt3s
+__ZN13Authorization23AgentMechanismEvaluatorC1EjR7SessionRKSt6vectorISsSaISsEE
+__ZN13Authorization23AgentMechanismEvaluatorC2EjR7SessionRKSt6vectorISsSaISsEE
+__ZNSt6vectorISsSaISsEEC2ERKS1_
+__ZNSt12_Vector_baseISsSaISsEEC2EmRKS0_
+__ZN13Authorization12AuthValueRefC1EjPv
+__ZN13Authorization12AuthValueRefC2EjPv
+__ZN13Authorization9AuthValueC2EjPv
+__ZNSt6vectorIN13Authorization12AuthValueRefESaIS1_EE9push_backERKS1_
+__ZNSt6vectorIN13Authorization12AuthValueRefESaIS1_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS1_S3_EERKS1_
+__ZN9__gnu_cxx13new_allocatorIN13Authorization12AuthValueRefEE8allocateEmPKv
+__ZSt24__uninitialized_copy_auxIPN13Authorization12AuthValueRefES2_ET0_T_S4_S3_St12__false_type
__ZNK13Authorization8RuleImpl13setAgentHintsERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetER18AuthorizationToken
-__ZN13Authorization11AuthItemRefC1EPKc
-__ZN13Authorization11AuthItemRefC4EPKc
-__ZN13Authorization8AuthItemC4EPKc
-__ZN13Authorization8AuthItemD1Ev
-__ZN13Authorization8AuthItemD4Ev
-__ZN13Authorization11AuthItemRefC1EPKc18AuthorizationValuem
-__ZN13Authorization11AuthItemRefC4EPKc18AuthorizationValuem
-__ZN13Authorization8AuthItemC4EPKc18AuthorizationValuem
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseERKS1_
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE11equal_rangeERKS1_
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseESt17_Rb_tree_iteratorIS1_ES9_
+__ZN13Authorization11AuthItemRefC1EPKc18AuthorizationValuej
+__ZN13Authorization11AuthItemRefC2EPKc18AuthorizationValuej
+__ZN13Authorization8AuthItemC2EPKc18AuthorizationValuej
__ZNK13Authorization8AuthItemltERKS0_
-__ZNK8Security13GenericBundle6encodeEv
-__ZStplIcSt11char_traitsIcESaIcEESbIT_T0_T1_EPKS3_RKS6_
-__ZNSs7replaceEN9__gnu_cxx17__normal_iteratorIPcSsEES2_PKcS4_
-__ZNSs7replaceEmmPKcm
-__ZNSs6appendERKSs
-__ZNSs15_M_replace_safeIN9__gnu_cxx17__normal_iteratorIPcSsEEEERSsS3_S3_T_S5_
-__ZNSs13_S_copy_charsEPcN9__gnu_cxx17__normal_iteratorIS_SsEES2_
-__ZNK8Security13GenericBundle13canonicalPathEv
+__Z8codePathPK9__SecCode
__ZN13SecurityAgent6Client11clientHintsENS_13RequestorTypeERSsij
-__ZNKSs5c_strEv
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueISt23_Rb_tree_const_ite
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueESt17_Rb_tree_iteratorI
+__ZNSt8_Rb_treeISsSt4pairIKSsSsESt10_Select1stIS2_ESt4lessISsESaIS2_EEC2ERKS8_
+__ZNSt8_Rb_treeISsSt4pairIKSsSsESt10_Select1stIS2_ESt4lessISsESaIS2_EEaSERKS8_
__ZN13Authorization23AgentMechanismEvaluator3runERKNS_15AuthValueVectorERKNS_11AuthItemSetERK18AuthorizationToken
+__ZN8Security14CommonCriteria9Securityd14AuthMechLoggerC1ERKNS0_10AuditTokenEs
+__ZN8Security14CommonCriteria9Securityd14AuthMechLoggerC2ERKNS0_10AuditTokenEs
+__ZNKSt6vectorIN13Authorization12AuthValueRefESaIS1_EE14_M_range_checkEm
__ZN18AuthorizationToken7infoSetEPKc
-__ZNKSs4findEcm
-__ZNKSs6substrEmm
-__ZNSsC1ERKSsmm
-__ZNSsC4ERKSsmm
-__ZNKSs8_M_checkEm
-__ZNKSs7_M_foldEmm
-__ZNSs12_S_constructIN9__gnu_cxx17__normal_iteratorIPcSsEEEES2_T_S4_RKSaIcESt20forward_iterator_tag
-__ZNKSs5rfindEcm
-__ZN13Authorization17AgentMechanismRefC4E12AuthHostType
-__ZN20QueryInvokeMechanismC1E12AuthHostType
-__ZN20QueryInvokeMechanismC4E12AuthHostType
-__ZN18SecurityAgentQueryC4E12AuthHostType
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EEaSERKS7_
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE7_M_copyEPKSt13_Rb_tree_nodeIS1_EPS9_
+__ZN8Security14CommonCriteria9Securityd14AuthMechLogger19setCurrentMechanismEPKc
+__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization17AgentMechanismRefEESt10_Select1stIS4_ESt4lessISsESaIS4_EE4findERS1_
+__ZN13Authorization17AgentMechanismRefC2E12AuthHostTypeR7Session
+__ZN20QueryInvokeMechanismC1E12AuthHostTypeR7Session
+__ZN20QueryInvokeMechanismC2E12AuthHostTypeR7Session
+__ZN18SecurityAgentQueryC2E12AuthHostTypeR7Session
__ZN13SecurityAgent6ClientC2Ev
-__ZN13SecurityAgent6ClientC4Ev
+__ZN8Security11ThreadNexusIN13SecurityAgent7ClientsEEclEv
+__ZN13SecurityAgent7ClientsC2Ev
+__ZN13SecurityAgent7Clients6insertEPNS_6ClientE
+__ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE16_M_insert_uniqueERKS2_
+__ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE9_M_insertEPSt18_Rb_tree_node_baseSA_RKS2_
+__ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE14_M_create_nodeERKS2_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIPN13SecurityAgent6ClientEEE8allocateEmPKv
+__ZN23SecurityAgentConnectionC2E12AuthHostTypeR7Session
__ZN7Session8authhostE12AuthHostTypeb
__ZN16AuthHostInstanceC1ER7Session12AuthHostType
-__ZN16AuthHostInstanceC4ER7Session12AuthHostType
+__ZN16AuthHostInstanceC2ER7Session12AuthHostType
__ZN11ServerChildC2Ev
-__ZN11ServerChildC4Ev
__ZN8Security9ConditionC1ERNS_5MutexE
-__ZN8Security9ConditionC4ERNS_5MutexE
-__ZN8NodeCore12addReferenceERS_
+__ZN8Security9ConditionC2ERNS_5MutexE
__ZN20QueryInvokeMechanism10initializeERKSsS1_RKN13Authorization15AuthValueVectorEj
__ZN18SecurityAgentQuery6createEPKcS1_j
__ZN18SecurityAgentQuery8activateEv
-__ZN8Security12MachPlusPlus10MachServer16longTermActivityEv
-__ZN8Security6Thread3runEv
+__ZN23SecurityAgentConnection8activateEv
+__ZN10Connection8useAgentEP32SecurityAgentConnectionInterface
__ZN16AuthHostInstance8activateEv
-__ZN8Security6Thread6runnerEPv
-__ZNK16AuthHostInstance7sessionEv
-__ZN8Security12MachPlusPlus10MachServer10LoadThread6actionEv
__ZN8Security12MachPlusPlus11StBootstrapC1ERKNS0_9BootstrapERKNS0_8TaskPortE
-__ZN8Security12MachPlusPlus10MachServer9addThreadEPNS_6ThreadE
-__ZN8Security12MachPlusPlus11StBootstrapC4ERKNS0_9BootstrapERKNS0_8TaskPortE
+__ZN8Security12MachPlusPlus11StBootstrapC2ERKNS0_9BootstrapERKNS0_8TaskPortE
+__ZN8Security12MachPlusPlus8TaskPort9bootstrapENS0_9BootstrapE
__ZN8Security12UnixPlusPlus5Child4forkEv
+__ZNSt8_Rb_treeIiSt4pairIKiPN8Security12UnixPlusPlus5ChildEESt10_Select1stIS6_ESt4lessIiESaIS6_EE16_M_insert_uniqueERKS6_
+__ZNSt8_Rb_treeIiSt4pairIKiPN8Security12UnixPlusPlus5ChildEESt10_Select1stIS6_ESt4lessIiESaIS6_EE9_M_insertEPSt18_Rb_tree_node_
+__ZNSt8_Rb_treeIiSt4pairIKiPN8Security12UnixPlusPlus5ChildEESt10_Select1stIS6_ESt4lessIiESaIS6_EE14_M_create_nodeERKS6_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKiPN8Security12UnixPlusPlus5ChildEEEE8allocateEmPKv
__ZN11ServerChild12parentActionEv
__ZN8Security9Condition4waitEv
-__Z14_XchildCheckInP17mach_msg_header_tS0_
+__ZL14_XchildCheckInP17mach_msg_header_tS0_
__Z24ucsp_server_childCheckInjjj
__ZN11ServerChild7checkInEN8Security12MachPlusPlus4PortEi
-__ZN8Security12UnixPlusPlus5Child11findGenericEi
__ZN8Security9Condition6signalEv
__ZN8Security12MachPlusPlus11StBootstrapD1Ev
-__ZN8Security12MachPlusPlus11StBootstrapD4Ev
+__ZN8Security12MachPlusPlus11StBootstrapD2Ev
__ZN13SecurityAgent6Client8activateEN8Security12MachPlusPlus4PortE
__ZN13SecurityAgent6Client6createEPKcS2_j
_sa_request_client_create
__ZN13SecurityAgent6Client7receiveEv
__ZN13SecurityAgent7Clients7receiveEv
__ZN8Security12MachPlusPlus7Message7receiveEjijj
-__ZN8Security12MachPlusPlus7Message5checkEi
_secagentreply_server
-__XdidCreate
-_sa_reply_server_didCreate
+__ZL11_XdidCreateP17mach_msg_header_tS0_
+__Z25sa_reply_server_didCreatejj
__ZNK13SecurityAgent7Clients4findEj
-__ZN13SecurityAgent6Client12setStagePortEj
__ZN8Security12MachPlusPlus7MessageD1Ev
-__ZN8Security12MachPlusPlus7MessageD4Ev
-__ZN20QueryInvokeMechanism3runERKN13Authorization15AuthValueVectorERNS0_11AuthItemSetES5_Pm
+__ZN8Security12MachPlusPlus7MessageD2Ev
+__ZNSt6vectorIN13Authorization12AuthValueRefESaIS1_EEaSERKS3_
+__ZNSt6vectorIN13Authorization12AuthValueRefESaIS1_EE20_M_allocate_and_copyIN9__gnu_cxx17__normal_iteratorIPKS1_S3_EEEEPS1_mT_S
+__ZSt24__uninitialized_copy_auxIN9__gnu_cxx17__normal_iteratorIPKN13Authorization12AuthValueRefESt6vectorIS3_SaIS3_EEEEPS3_ET0_
+__ZNSt4pairIKSsN13Authorization17AgentMechanismRefEEC2ERS0_RKS2_
+__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization17AgentMechanismRefEESt10_Select1stIS4_ESt4lessISsESaIS4_EE16_M_insert_uniqueERKS4
+__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization17AgentMechanismRefEESt10_Select1stIS4_ESt4lessISsESaIS4_EE9_M_insertEPSt18_Rb_tre
+__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization17AgentMechanismRefEESt10_Select1stIS4_ESt4lessISsESaIS4_EE14_M_create_nodeERKS4_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKSsN13Authorization17AgentMechanismRefEEEE8allocateEmPKv
+__ZNSt4pairIKSsN13Authorization17AgentMechanismRefEEC2ERKS3_
+__ZNSt4pairIKSsN13Authorization17AgentMechanismRefEED2Ev
+__ZN8Security10RefPointerI20QueryInvokeMechanismE7releaseEv
+__ZN20QueryInvokeMechanism3runERKN13Authorization15AuthValueVectorERNS0_11AuthItemSetES5_Pj
+__ZN13SecurityAgent6Client8setInputERKN13Authorization11AuthItemSetES4_
__ZN13SecurityAgent6Client6invokeEv
__ZNK13Authorization11AuthItemSet4copyERP20AuthorizationItemSetRmRN8Security9AllocatorE
+__ZN8Security11DataWalkers6CopierI20AuthorizationItemSetEC2EPKS2_RNS_9AllocatorE
+__ZN8Security11DataWalkers4walkINS0_10SizeWalkerEEEP20AuthorizationItemSetRT_RS4_
+__ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEP20AuthorizationItemSetRT_RS4_
+__ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEvRT_R17AuthorizationItem
+__ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEPcRT_RS3_
__ZNK13Authorization15AuthValueVector4copyEPP24AuthorizationValueVectorPm
+__ZN8Security11DataWalkers6CopierI24AuthorizationValueVectorEC2EPKS2_RNS_9AllocatorE
+__ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEP24AuthorizationValueVectorRT_RS4_
_sa_request_client_invoke
__ZN13SecurityAgent6Client5checkEi
-__XsetResult
-___MIG_check__Request__setResult_t
-_sa_reply_server_setResult
+__ZL11_XsetResultP17mach_msg_header_tS0_
+__Z25sa_reply_server_setResultjjP20AuthorizationItemSetjS0_S0_jS0_
+__ZN8Security11DataWalkers4walkIN13SecurityAgent26CheckingReconstituteWalkerEEEP20AuthorizationItemSetRT_RS5_
+__ZN13SecurityAgent26CheckingReconstituteWalker4blobI20AuthorizationItemSetEEvRPT_m
+__ZN13SecurityAgent26CheckingReconstituteWalker4blobI17AuthorizationItemEEvRPT_m
+__ZN8Security11DataWalkers4walkIN13SecurityAgent26CheckingReconstituteWalkerEEEvRT_R17AuthorizationItem
+__ZN13SecurityAgent26CheckingReconstituteWalker4blobIcEEvRPT_m
+__ZN13SecurityAgent26CheckingReconstituteWalker4blobIvEEvRPT_m
+__ZN13SecurityAgent6Client9setResultEjPK20AuthorizationItemSetS3_
__ZN13Authorization11AuthItemSetaSERK20AuthorizationItemSet
-__ZN8Security12MachPlusPlus10deallocateEjm
-__ZN13Authorization23AgentMechanismEvaluator12authinternalERNS_11AuthItemSetE
-__ZNSsC1EPKcmRKSaIcE
-__ZNSsC4EPKcmRKSaIcE
-__ZN13Authorization10CredentialC1ERKSsS2_b
-__ZN13Authorization10CredentialC4ERKSsS2_b
-__ZN13Authorization14CredentialImplC4ERKSsS2_b
-__ZNK13Authorization14CredentialImpl7isValidEv
-__ZN8Security6Syslog4infoEPKcz
-__ZN13Authorization10CredentialD1Ev
-__ZN13Authorization10CredentialD4Ev
-__ZN13Authorization14CredentialImplD4Ev
-__ZN13Authorization11AuthItemSet4findEPKc
-__ZN8Security14CommonCriteria11AuditRecord6submitEsiPKc
+__ZN8Security14CommonCriteria9Securityd11AuditLogger10logSuccessEv
+__ZN8Security14CommonCriteria9Securityd14AuthMechLogger11writeCommonEv
+__Z22initialize_agent_credsv
+__ZN8Security14CommonCriteria9Securityd11AuditLogger10logFailureEPKci
+__ZN8Security14CommonCriteria9Securityd14AuthMechLoggerD2Ev
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseESt17_Rb_tree_iteratorIS1_E
+__ZNSt6__copyILb0ESt26random_access_iterator_tagE4copyIPKN13Authorization12AuthValueRefEPS4_EET0_T_S9_S8_
+__ZN8Security10RefPointerIN13Authorization9AuthValueEE10setPointerEPS2_
+__ZN8Security10RefPointerIN13Authorization9AuthValueEE7releaseEv
__ZN18AuthorizationToken10setInfoSetERN13Authorization11AuthItemSetE
__ZNK13Authorization8RuleImpl15makeCredentialsERK18AuthorizationToken
-__ZN13Authorization10CredentialC1ERKSsjjb
-__ZN13Authorization10CredentialC4ERKSsjjb
-__ZN13Authorization14CredentialImplC4ERKSsjjb
-__ZN18SecurityAgentQueryD4Ev
+__ZSt7find_ifISt23_Rb_tree_const_iteratorIN13Authorization11AuthItemRefEENS1_23FindAuthItemByRightNameEET_S5_S5_T0_
+__ZSt9__find_ifISt23_Rb_tree_const_iteratorIN13Authorization11AuthItemRefEENS1_23FindAuthItemByRightNameEET_S5_S5_T0_St18input_
+__ZN13Authorization10CredentialC1EjRKSsS2_S2_b
+__ZN13Authorization10CredentialC2EjRKSsS2_S2_b
+__ZN13Authorization14CredentialImplC2EjRKSsS2_S2_b
+__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueERKS1_
+__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE9_M_insertEPSt18_Rb_tree_node_baseS9_RKS1_
+__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE14_M_create_nodeERKS1_
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIN13Authorization10CredentialEEE8allocateEmPKv
+__ZN13Authorization10CredentialD1Ev
+__ZN8Security10RefPointerIN13Authorization14CredentialImplEE7releaseEv
+__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE7_M_copyEPKSt13_Rb_tree_nodeIS1_EPS9_
+__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE15_M_destroy_nodeEPSt13_Rb_tree_nodeIS1_E
+__ZNSt6vectorIN13Authorization12AuthValueRefESaIS1_EED2Ev
+__ZNSt12_Vector_baseIN13Authorization12AuthValueRefESaIS1_EED2Ev
+__ZN13Authorization23AgentMechanismEvaluatorD2Ev
+__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization17AgentMechanismRefEESt10_Select1stIS4_ESt4lessISsESaIS4_EE8_M_eraseEPSt13_Rb_tree
+__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization17AgentMechanismRefEESt10_Select1stIS4_ESt4lessISsESaIS4_EE15_M_destroy_nodeEPSt13
+__ZN20QueryInvokeMechanismD0Ev
+__ZN18SecurityAgentQueryD2Ev
__ZN13SecurityAgent6Client7destroyEv
_sa_request_client_destroy
+__ZN23SecurityAgentConnectionD2Ev
+__ZN8Security10RefPointerI16AuthHostInstanceE7releaseEv
__ZN13SecurityAgent6ClientD2Ev
-__ZN13SecurityAgent6ClientD4Ev
__ZN13SecurityAgent6Client8teardownEv
-__ZN20QueryInvokeMechanism14terminateAgentEv
-__ZN18SecurityAgentQuery9terminateEv
-__ZN13SecurityAgent6Client9terminateEv
-_sa_request_client_terminate
-__ZN7Session16mergeCredentialsERSt3setIN13Authorization10CredentialESt4lessIS2_ESaIS2_EE
+__ZN13SecurityAgent7Clients6removeEPNS_6ClientE
+__ZN8Security12MachPlusPlus7PortSetmIERKNS0_4PortE
+__ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE5eraseERKS2_
+__ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE5eraseESt17_Rb_tree_iteratorIS2_ESA_
+__ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE5eraseESt17_Rb_tree_iteratorIS2_E
+__ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE8_M_eraseEPSt13_Rb_tree_nodeIS2_E
+__ZN13Authorization9AuthValueD1Ev
+__ZN13Authorization9AuthValueD2Ev
__ZNK13Authorization14CredentialImpl8isSharedEv
-__ZN18AuthorizationToken16mergeCredentialsERKSt3setIN13Authorization10CredentialESt4lessIS2_ESaIS2_EE
-__Z10flipClientv
-__ZN8Security12MachPlusPlus10MachServer15releaseWhenDoneERNS_9AllocatorEPv
-__Z13handleSignalsi
-__ZN8Security13GenericBundleD0Ev
+__ZNK13Authorization14CredentialImpl7isValidEv
+__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE4findERKS1_
+__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseERKS1_
+__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE11equal_rangeERKS1_
+__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseESt17_Rb_tree_iteratorIS1_ES9_
+__ZNK13Authorization11AuthItemSet4copyEv
+_copyin_AuthorizationItemSet
+__ZL23_XauthorizationCopyInfoP17mach_msg_header_tS0_
+__Z33ucsp_server_authorizationCopyInfojj13audit_token_tPiN8Security14SecurityServer17AuthorizationBlobEPKcPPvPj
+__ZN7Session11authGetInfoERKN8Security14SecurityServer17AuthorizationBlobEPKcRN13Authorization11AuthItemSetE
+__ZL24_XunlockDbWithPassphraseP17mach_msg_header_tS0_
+__Z34ucsp_server_unlockDbWithPassphrasejj13audit_token_tPijPvj
+__ZN16KeychainDatabase8unlockDbERKN8Security8CssmDataE
+__ZN16KeychainDatabase12makeUnlockedERKN8Security8CssmDataE
+__ZN16KeychainDatabase6decodeERKN8Security8CssmDataE
+__ZN18DatabaseCryptoCore5setupEPKN8Security14SecurityServer6DbBlobERKNS0_8CssmDataE
+__ZNK18DatabaseCryptoCore17deriveDbMasterKeyERKN8Security8CssmDataE
+__ZN8Security10CssmClient9DeriveKeyC1ERKNS0_3CSPEjjj
+__ZN8Security10CssmClient9DeriveKeyclEPNS_8CssmDataERKNS0_7KeySpecE
+__ZN8Security10CssmClient3Key10makeNewKeyERKNS0_3CSPE
+__ZN8Security10CssmClient3KeyC2ERKNS0_3CSPE
+__ZN8Security10CssmClient7KeyImplC1ERKNS0_3CSPE
+__ZN8Security10CssmClient9DeriveKey8activateEv
+__ZN8Security10CssmClient7KeyImpl8activateEv
+__ZN8Security10CssmClient9DeriveKeyD1Ev
+__ZL13handleSignalsi
_self_client_handleSignal
-__ZN8Security13GenericBundleD4Ev
__Z11self_serverP17mach_msg_header_tS0_
-__Z14_XhandleSignalP17mach_msg_header_tS0_
-__Z36__MIG_check__Request__handleSignal_tP25__Request__handleSignal_t
+__ZL14_XhandleSignalP17mach_msg_header_tS0_
__Z24self_server_handleSignaljji
__ZN8Security12UnixPlusPlus5Child13checkChildrenEv
+__ZNSt3mapIiPN8Security12UnixPlusPlus5ChildESt4lessIiESaISt4pairIKiS3_EEEixERS7_
__ZN8Security12UnixPlusPlus5Child4buryEi
+__ZNSt8_Rb_treeIiSt4pairIKiPN8Security12UnixPlusPlus5ChildEESt10_Select1stIS6_ESt4lessIiESaIS6_EE5eraseERS1_
+__ZNSt8_Rb_treeIiSt4pairIKiPN8Security12UnixPlusPlus5ChildEESt10_Select1stIS6_ESt4lessIiESaIS6_EE5eraseESt17_Rb_tree_iteratorIS
+__ZNSt4listIPN8Security12UnixPlusPlus5ChildESaIS3_EE9_M_insertESt14_List_iteratorIS3_ERKS3_
+__ZNSt4listIPN8Security12UnixPlusPlus5ChildESaIS3_EE14_M_create_nodeERKS3_
+__ZN9__gnu_cxx13new_allocatorISt10_List_nodeIPN8Security12UnixPlusPlus5ChildEEE8allocateEmPKv
+__ZN8Security12UnixPlusPlus5Child4Bier6notifyEv
__ZN11ServerChild5dyingEv
-__Z23_XauthorizationCopyInfoP17mach_msg_header_tS0_
-__Z45__MIG_check__Request__authorizationCopyInfo_tP34__Request__authorizationCopyInfo_t
-__Z33ucsp_server_authorizationCopyInfojj13audit_token_tPlN8Security14SecurityServer17AuthorizationBlobEPKcPP20AuthorizationItemSetPjS8_
-__ZN7Session11authGetInfoERKN8Security14SecurityServer17AuthorizationBlobEPKcRN13Authorization11AuthItemSetE
-__Z28_XsetSessionDistinguishedUidP17mach_msg_header_tS0_
-__Z50__MIG_check__Request__setSessionDistinguishedUid_tP39__Request__setSessionDistinguishedUid_t
-__Z38ucsp_server_setSessionDistinguishedUidjj13audit_token_tPlmj
+__ZL28_XsetSessionDistinguishedUidP17mach_msg_header_tS0_
+__Z38ucsp_server_setSessionDistinguishedUidjj13audit_token_tPijj
+__ZN7Session4findI14DynamicSessionEERT_j
__ZN14DynamicSession13originatorUidEj
-__Z21_XsetSessionUserPrefsP17mach_msg_header_tS0_
-__Z43__MIG_check__Request__setSessionUserPrefs_tP32__Request__setSessionUserPrefs_t
-__Z31ucsp_server_setSessionUserPrefsjj13audit_token_tPlmPvj
+__ZN8Security10RefPointerIN13Authorization14CredentialImplEE10setPointerEPS2_
+__ZN13Authorization14CredentialImplD1Ev
+__ZN13Authorization14CredentialImplD2Ev
+__ZL21_XsetSessionUserPrefsP17mach_msg_header_tS0_
+__Z31ucsp_server_setSessionUserPrefsjj13audit_token_tPijPvj
__ZN14DynamicSession12setUserPrefsEPK8__CFData
+__ZN8Security5CFRefIPK8__CFDataEaSES3_
+__ZN20QueryInvokeMechanism14terminateAgentEv
+__ZN18SecurityAgentQuery9terminateEv
+__ZN23SecurityAgentConnection9terminateEv
+__ZThn256_N18SecurityAgentQuery8activateEv
+__ZN13SecurityAgent6Client9terminateEv
+_sa_request_client_terminate
+__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE5eraseESt17_Rb_tree_iteratorIS3_E
+__ZN16AuthHostInstanceD0Ev
+__ZN11ServerChildD2Ev
+__ZN8Security9ConditionD1Ev
+__ZN8Security9ConditionD2Ev
+__ZN8Security12UnixPlusPlus5ChildD2Ev
+__ZN20QueryInvokeMechanismD2Ev
__ZNK13Authorization10CredentialltERKS0_
__ZNK13Authorization14CredentialImplltERKS0_
__ZN13Authorization14CredentialImpl5mergeERKS0_
-__Z10_XdecodeDbP17mach_msg_header_tS0_
-__Z32__MIG_check__Request__decodeDb_tP21__Request__decodeDb_t
-__Z20ucsp_server_decodeDbjj13audit_token_tPlPmPN8Security11DataWalkers18DLDbFlatIdentifierEjS5_PNS2_17AccessCredentialsEjS7_Pvj
-__ZN8Security6DbNameC1EPKcPK16cssm_net_address
-__ZN8Security6DbNameC4EPKcPK16cssm_net_address
-__ZN16KeychainDatabaseC1ERKN8Security14DLDbIdentifierEPKNS0_14SecurityServer6DbBlobER7ProcessPKNS0_17AccessCredentialsE
-__ZN16KeychainDatabaseC4ERKN8Security14DLDbIdentifierEPKNS0_14SecurityServer6DbBlobER7ProcessPKNS0_17AccessCredentialsE
-__ZN8Security9ObjectAclC2ERNS_9AllocatorE
-__ZN8Security9ObjectAclC4ERNS_9AllocatorE
-__ZN13LocalDatabaseC2ER7Process
-__ZN13LocalDatabaseC4ER7Process
-__ZN8DatabaseC2ER7Process
-__ZN8DatabaseC4ER7Process
-__ZN16KeychainDatabase12validateBlobEPKN8Security14SecurityServer6DbBlobE
-__ZNK8Security14SecurityServer10CommonBlob8validateEl
-__ZNK8Security14SecurityServer10CommonBlob7isValidEv
-__ZNK8Database7processEv
-__ZNK10__cxxabiv117__class_type_info12__do_dyncastEiNS0_10__sub_kindEPKS0_PKvS3_S5_RNS0_16__dyncast_resultE
-__ZN16KeychainDbCommonC1ER7SessionRK12DbIdentifier
-__ZN16KeychainDbCommonC4ER7SessionRK12DbIdentifier
-__ZN8DbCommonC2ER7Session
-__ZN8DbCommonC4ER7Session
-__ZN18DatabaseCryptoCoreC2Ev
-__ZN18DatabaseCryptoCoreC4Ev
-__ZN16KeychainDbGlobalC1ERK12DbIdentifier
-__ZN16KeychainDbGlobalC4ERK12DbIdentifier
-__ZNK8DbCommon7sessionEv
-__ZNK16KeychainDatabase6commonEv
-__Z16_XauthenticateDbP17mach_msg_header_tS0_
-__Z38__MIG_check__Request__authenticateDb_tP27__Request__authenticateDb_t
-__Z26ucsp_server_authenticateDbjj13audit_token_tPlmmPN8Security17AccessCredentialsEjS3_
-__ZN8Security11ListElement4lastEv
-__ZN8Security11ListElement4listEv
-__ZN8Security11ListElement4dataEv
-__ZN6Server8databaseEm
-__ZN8Security12HandleObject5State6locateEml
-__ZN16KeychainDatabase12authenticateEmPKN8Security17AccessCredentialsE
-__Z24_XunlockDbWithPassphraseP17mach_msg_header_tS0_
-__Z46__MIG_check__Request__unlockDbWithPassphrase_tP35__Request__unlockDbWithPassphrase_t
-__Z34ucsp_server_unlockDbWithPassphrasejj13audit_token_tPlmPvj
-__ZN6Server8keychainEm
-__ZN16KeychainDatabase8unlockDbERKN8Security8CssmDataE
-__ZN16KeychainDatabase12makeUnlockedERKN8Security8CssmDataE
-__ZN16KeychainDatabase6decodeERKN8Security8CssmDataE
-__ZN18DatabaseCryptoCore5setupEPKN8Security14SecurityServer6DbBlobERKNS0_8CssmDataE
-__ZNK18DatabaseCryptoCore17deriveDbMasterKeyERKN8Security8CssmDataE
-__ZN8Security10CssmClient5CryptC2ERKNS0_3CSPEm
-__ZN8Security10CssmClient5CryptC4ERKNS0_3CSPEm
-__ZN8Security10CssmClient7ContextC2ERKNS0_3CSPEm
-__ZN8Security10CssmClient7ContextC4ERKNS0_3CSPEm
-__ZN8Security10CssmClient10ObjectImplC2ERKNS0_6ObjectE
-__ZN8Security10CssmClient9DeriveKeyclEPNS_8CssmDataERKNS0_7KeySpecE
-__ZN8Security10CssmClient9DeriveKey8activateEv
-__ZN8Security10CssmClient10ObjectImpl5checkEl
-__ZNK8Security10CssmClient9RccBearer12compositeRccEv
-__ZN8Security10CssmClient7KeyImplC1ERKNS0_3CSPE
-__ZN8Security10CssmClient7KeyImplC4ERKNS0_3CSPE
-__ZN8Security10CssmClient7KeyImpl8activateEv
-__ZN8Security10CssmClient7ContextD2Ev
-__ZN8Security10CssmClient7ContextD4Ev
-__ZN8Security10CssmClient7Context10deactivateEv
-__ZN8Security10CssmClient10ObjectImplD2Ev
-__ZN8Security10CssmClient10ObjectImplD4Ev
-__ZN8Security10CssmClient10ObjectImpl11removeChildEv
-__ZN16KeychainDatabase6decodeEv
-__ZN16KeychainDbCommon8unlockDbEPN8Security14SecurityServer6DbBlobEPPv
-__ZN18DatabaseCryptoCore10decodeCoreEPN8Security14SecurityServer6DbBlobEPPv
-__ZN8Security10CssmClient5Crypt3keyERKNS0_3KeyE
-__ZN8Security10CssmClient7Decrypt7decryptEPKNS_8CssmDataEmPS2_mRS2_
-__ZN8Security10CssmClient5Crypt8activateEv
-__ZN18DatabaseCryptoCore10makeRawKeyEPvmmm
-__ZN8Security10CssmClient9UnwrapKeyclERKNS_7CssmKeyERKNS0_7KeySpecERS2_PNS_8CssmDataEPS3_
-__ZN8Security10CssmClient7KeyImplC1ERKNS0_3CSPERK8cssm_keyb
-__ZN8Security10CssmClient7KeyImplC4ERKNS0_3CSPERK8cssm_keyb
-__ZN8Security7CssmKeyC2ERK8cssm_key
-__ZN8Security7CssmKeyC4ERK8cssm_key
-__ZN8Security10CssmClient9VerifyMac6verifyEPKNS_8CssmDataEmRS3_
-__ZN8Security10CssmClient10MacContext8activateEv
-__ZN16KeychainDbCommon11setUnlockedEv
-__ZN16KeychainDbCommon8activityEv
-__ZN16KeychainDbCommon6notifyEm
-__ZN8Security19NameValueDictionaryC1Ev
-__ZN8Security19NameValueDictionaryC4Ev
-__ZN8Security19NameValueDictionary41MakeNameValueDictionaryFromDLDbIdentifierERKNS_14DLDbIdentifierERS0_
-__ZN8Security13NameValuePairC4EmRKNS_8CssmDataE
-__ZN8Security13NameValuePair9CloneDataERKNS_8CssmDataE
-__ZN8Security19NameValueDictionary6InsertEPNS_13NameValuePairE
-__ZN8Security19NameValueDictionary6ExportERNS_8CssmDataE
-__ZNK8Security19NameValueDictionary13CountElementsEv
-__ZN8Security19NameValueDictionary10GetElementEi
-__ZNK8Security13NameValuePair6ExportERNS_8CssmDataE
-__ZN8Listener6notifyEmmRKN8Security8CssmDataE
-__ZN8Security19NameValueDictionaryD1Ev
-__ZN8Security19NameValueDictionaryD4Ev
-__ZN8Security13NameValuePairD4Ev
-__ZN16KeychainDatabase3aclEv
-__ZN8Security9ObjectAcl10importBlobEPKvS2_
-__ZN8Security9ObjectAcl5Entry10importBlobERNS_23LowLevelMemoryUtilities6ReaderES4_
-__ZN8Security9ObjectAcl13importSubjectERNS_23LowLevelMemoryUtilities6ReaderES3_
-__ZN8Security9ObjectAcl4makeEmRNS_23LowLevelMemoryUtilities6ReaderES3_
-__ZN8Security9ObjectAcl8makerForEl
-__ZNK8Security13AnyAclSubject5Maker4makeEhRNS_23LowLevelMemoryUtilities6ReaderES4_
-__ZN8Security10AclSubjectC2Emh
-__ZN8Security10AclSubjectC4Emh
-__ZN8Security9ObjectAcl8AclEntry10importBlobERNS_23LowLevelMemoryUtilities6ReaderES4_
-__ZN8Security9ObjectAcl3addERKSsRKNS0_8AclEntryE
-__ZN8Security9ObjectAcl3addERKSsNS0_8AclEntryEm
-__ZN8Security9ObjectAcl5EntryD2Ev
-__ZN8Security9ObjectAcl5EntryD4Ev
-__Z11_XreleaseDbP17mach_msg_header_tS0_
-__Z33__MIG_check__Request__releaseDb_tP22__Request__releaseDb_t
-__Z21ucsp_server_releaseDbjj13audit_token_tPlm
-__ZN8NodeCore4killERS_
-__ZN8NodeCore15removeReferenceERS_
-__ZN16KeychainDatabaseD0Ev
-__ZN16KeychainDatabaseD4Ev
-__ZN17SecurityServerAclD2Ev
-__ZN17SecurityServerAclD4Ev
-__ZN8Security9ObjectAclD2Ev
-__ZN8Security9ObjectAclD4Ev
-__ZN8Security10AclSubjectD2Ev
-__ZN8Security10AclSubjectD4Ev
-__Z21_XrequestNotificationP17mach_msg_header_tS0_
-__Z43__MIG_check__Request__requestNotification_tP32__Request__requestNotification_t
-__Z31ucsp_server_requestNotificationjj13audit_token_tPljmm
-__ZN7Process20requestNotificationsEN8Security12MachPlusPlus4PortEmm
-__ZN15ProcessListenerC1ER7ProcessN8Security12MachPlusPlus4PortEmm
-__ZN15ProcessListenerC4ER7ProcessN8Security12MachPlusPlus4PortEmm
-__ZN8ListenerC4EN8Security12MachPlusPlus4PortEmm
-__ZNK8Security17CssmSubserviceUideqERK19cssm_subservice_uid
-__ZN8Security6DbNameD1Ev
-__ZN8Security6DbNameD4Ev
-__Z10_XisLockedP17mach_msg_header_tS0_
-__Z32__MIG_check__Request__isLocked_tP21__Request__isLocked_t
-__Z20ucsp_server_isLockedjj13audit_token_tPlmPi
-__Z11_XdecodeKeyP17mach_msg_header_tS0_
-__Z33__MIG_check__Request__decodeKey_tP22__Request__decodeKey_t
-__Z21ucsp_server_decodeKeyjj13audit_token_tPlPmPN8Security7CssmKey6HeaderEmPvj
-__ZN11KeychainKeyC1ER8DatabasePKN8Security14SecurityServer7KeyBlobE
-__ZN11KeychainKeyC4ER8DatabasePKN8Security14SecurityServer7KeyBlobE
-__ZN8LocalKeyC2ER8Databasem
-__ZN8LocalKeyC4ER8Databasem
-__ZN3KeyC2ER8Database
-__ZN3KeyC4ER8Database
-__ZN8LocalKey9returnKeyERmRN8Security7CssmKey6HeaderE
-__ZN11KeychainKey9getHeaderERN8Security7CssmKey6HeaderE
-__Z9_XdecryptP17mach_msg_header_tS0_
-__Z31__MIG_check__Request__decrypt_tP20__Request__decrypt_t
-__Z19ucsp_server_decryptjj13audit_token_tPlN8Security7ContextEPvPNS2_4AttrEjmS3_jPS3_Pj
-__Z8relocateRN8Security7ContextEPvPNS0_4AttrEm
-__ZN6Server3keyEm
-__ZN13LocalDatabase7decryptERKN8Security7ContextER3KeyRKNS0_8CssmDataERS6_
-__ZN8LocalKey8keyValueEv
-__ZN11KeychainKey6getKeyEv
-__ZN11KeychainKey6decodeEv
-__ZNK11KeychainKey8databaseEv
-__ZN16KeychainDatabase9decodeKeyEPN8Security14SecurityServer7KeyBlobERNS0_7CssmKeyERPvS7_
-__ZN16KeychainDatabase8unlockDbEv
-__ZN16KeychainDatabase12makeUnlockedEv
-__ZN16KeychainDatabase12makeUnlockedEPKN8Security17AccessCredentialsE
-__ZN8Security10CssmClient7KeyImplD0Ev
-__ZN8Security10CssmClient7KeyImplD4Ev
-__ZN8Security10CssmClient7KeyImpl10deactivateEv
-__ZN8Security10CssmClient9AclBearerD2Ev
-__ZN8Security10CssmClient9AclBearerD4Ev
-__ZN15ProcessListener8notifyMeEmmRKN8Security8CssmDataE
-_ucsp_notify_sender_notify
-__ZNK18DatabaseCryptoCore13decodeKeyCoreEPN8Security14SecurityServer7KeyBlobERNS0_7CssmKeyERPvS7_
-__ZN8Security4h2niERNS_7CssmKey6HeaderE
-__ZN8Security4n2hiERNS_7CssmKey6HeaderE
-__ZN8Security10CssmClient9UnwrapKeyclERKNS_7CssmKeyERKNS0_7KeySpecERS2_PNS_8CssmDataE
-__ZN11KeychainKey3aclEv
+__ZNSt8_Rb_treeIiSt4pairIKiPN8Security12UnixPlusPlus5ChildEESt10_Select1stIS6_ESt4lessIiESaIS6_EE8_M_eraseEPSt13_Rb_tree_nodeIS
+__ZL26_XauthorizationExternalizeP17mach_msg_header_tS0_
+__Z36ucsp_server_authorizationExternalizejj13audit_token_tPiN8Security14SecurityServer17AuthorizationBlobEP25AuthorizationExter
+__ZN7Session15authExternalizeERKN8Security14SecurityServer17AuthorizationBlobER25AuthorizationExternalForm
+__ZNK18AuthorizationToken14mayExternalizeER7Process
+__ZL26_XauthorizationInternalizeP17mach_msg_header_tS0_
+__Z36ucsp_server_authorizationInternalizejj13audit_token_tPi25AuthorizationExternalFormPN8Security14SecurityServer17Authorizati
+__ZN7Session15authInternalizeERK25AuthorizationExternalFormRN8Security14SecurityServer17AuthorizationBlobE
+__ZN18AuthorizationToken14mayInternalizeER7Processb
+__ZL11_XreleaseDbP17mach_msg_header_tS0_
+__Z21ucsp_server_releaseDbjj13audit_token_tPij
+__ZL10_XisLockedP17mach_msg_header_tS0_
+__Z20ucsp_server_isLockedjj13audit_token_tPijPj
+__ZNK13Authorization8RuleImpl26evaluateCredentialForRightERK18AuthorizationTokenRKNS_11AuthItemRefERKNS_4RuleERKNS_11AuthItemSe
+__ZNK13Authorization8RuleImpl30evaluateUserCredentialForRightERK18AuthorizationTokenRKNS_11AuthItemRefERKNS_4RuleERKNS_11AuthIt
+__ZNK13Authorization14CredentialImpl12creationTimeEv
+__ZNK13Authorization8RuleImpl22evaluateAuthenticationERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEjdPKSt3setINS_10Credentia
+__ZNK13Authorization8RuleImpl20evaluateSessionOwnerERKNS_11AuthItemRefERKNS_4RuleERKNS_11AuthItemSetEdRK18AuthorizationTokenRNS
+__ZNK14DynamicSession17haveOriginatorUidEv
+__ZN18AuthorizationToken12scrubInfoSetEv
+__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLogger10logSuccessEjjPKc
+__ZN18AuthorizationToken17setCredentialInfoERKN13Authorization10CredentialE
+__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseESt17_Rb_tree_iteratorIS1_E
+__ZThn272_N16KeychainDbCommon6selectEv
+__ZN16KeychainDbCommon6selectEv
+__ZThn272_N16KeychainDbCommon6actionEv
+__ZN16KeychainDbCommon6actionEv
+__ZN16KeychainDbCommon6lockDbEv
+__ZN18DatabaseCryptoCore10invalidateEv
+__ZN8Security12MachPlusPlus10MachServer10clearTimerEPNS1_5TimerE
+__ZThn272_N16KeychainDbCommon8unselectEv
+__ZN16KeychainDbCommon8unselectEv
+__ZN8Security12MachPlusPlus10MachServer12removeThreadEPNS_6ThreadE
+__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE5eraseERKS2_
+__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE5eraseESt17_Rb_tree_iteratorIS2_ESA_
+__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE5eraseESt17_Rb_tree_iteratorIS2_E
+__ZN8Security12MachPlusPlus10MachServer10LoadThreadD0Ev
+__ZN8Security6ThreadD2Ev
+__ZN8Security16PerThreadPointerIN13SecurityAgent7ClientsEE10destructorEPv
+__ZN13SecurityAgent7ClientsD2Ev
+__ZN8Security16PerThreadPointerINS_10RefPointerI10ConnectionEEE10destructorEPv
+__ZN8Security16PerThreadPointerINS_12MachPlusPlus10MachServer9PerThreadEE10destructorEPv
+__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE8_M_eraseEPSt13_Rb_tree_nodeIS2_E
__ZNK8Security19ThresholdAclSubject5Maker4makeEhRNS_23LowLevelMemoryUtilities6ReaderES4_
+__ZNSt6vectorIN8Security10RefPointerINS0_10AclSubjectEEESaIS3_EEC2EmRKS3_RKS4_
+__ZNSt12_Vector_baseIN8Security10RefPointerINS0_10AclSubjectEEESaIS3_EEC2EmRKS4_
+__ZN9__gnu_cxx13new_allocatorIN8Security10RefPointerINS1_10AclSubjectEEEE8allocateEmPKv
+__ZSt26__uninitialized_fill_n_auxIPN8Security10RefPointerINS0_10AclSubjectEEEmS3_EvT_T0_RKT1_St12__false_type
__ZNK24KeychainPromptAclSubject5Maker4makeEhRN8Security23LowLevelMemoryUtilities6ReaderES4_
-__ZN24KeychainPromptAclSubjectC1ESsRK33cssm_acl_keychain_prompt_selector
-__ZN24KeychainPromptAclSubjectC4ESsRK33cssm_acl_keychain_prompt_selector
-__ZN8Security19ThresholdAclSubjectC1EmmRKSt6vectorINS_10RefPointerINS_10AclSubjectEEESaIS4_EE
-__ZN8Security19ThresholdAclSubjectC4EmmRKSt6vectorINS_10RefPointerINS_10AclSubjectEEESaIS4_EE
+__ZN24KeychainPromptAclSubjectC2ESsRK33cssm_acl_keychain_prompt_selector
+__ZN8Security19ThresholdAclSubjectC2EjjRKSt6vectorINS_10RefPointerINS_10AclSubjectEEESaIS4_EE
+__ZNSt6vectorIN8Security10RefPointerINS0_10AclSubjectEEESaIS3_EEC2ERKS5_
+__ZSt24__uninitialized_copy_auxIN9__gnu_cxx17__normal_iteratorIPKN8Security10RefPointerINS2_10AclSubjectEEESt6vectorIS5_SaIS5_E
+__ZNSt6vectorIN8Security10RefPointerINS0_10AclSubjectEEESaIS3_EED2Ev
+__ZNSt12_Vector_baseIN8Security10RefPointerINS0_10AclSubjectEEESaIS3_EED2Ev
__ZNK8Security23CodeSignatureAclSubject5Maker4makeEhRNS_23LowLevelMemoryUtilities6ReaderES4_
-__ZN8Security11CodeSigning9OSXSigner7restoreEjPKvm
-__ZN8Security23CodeSignatureAclSubjectC4ERNS_9AllocatorEPKNS_11CodeSigning9SignatureEPKvm
-__ZN8Security12CssmAutoData5resetEv
-__ZN8Security7Context4findEmPK22cssm_context_attributej
-__ZN11KeychainKey15relatedDatabaseEv
-__ZN17SecurityServerAcl8validateElRKN8Security7ContextEP8Database
-__ZN17SecurityServerAcl8validateElPKN8Security17AccessCredentialsEP8Database
-__ZN8Security9ObjectAcl8validateElPKNS_17AccessCredentialsEPNS_24AclValidationEnvironmentE
-__ZN8Security9ObjectAcl9validatesElPKNS_17AccessCredentialsEPNS_24AclValidationEnvironmentE
-__ZN8Security9ObjectAcl9validatesERNS_20AclValidationContextE
-__ZN11KeychainKey14instantiateAclEv
-__ZNK8Security20AclValidationContext9s_credTagEv
-__ZNK8Security20AclValidationContext7credTagEv
-__ZNK8Security9ObjectAcl8getRangeERKSsRSt4pairISt17_Rb_tree_iteratorIS3_IS1_NS0_8AclEntryEERKS6_PS7_ESA_E
-__ZNK8Security9ObjectAcl8AclEntry10authorizesEl
-__ZN8Security20AclValidationContext8entryTagERKSs
-__ZNK8Security9ObjectAcl8AclEntry8validateERKNS_20AclValidationContextE
+__ZN8Security23LowLevelMemoryUtilities6Reader11countedDataERPKvRm
+__ZNK8Security23CodeSignatureAclSubject5Maker4makeEPKhRKNS_8CssmDataE
+__ZN8Security23CodeSignatureAclSubjectC2EPKhRKSs
+__ZN8Security11OSXVerifierC2EPKhRKSs
+__ZN8Security11OSXVerifier3addEPKNS_8BlobCoreE
+__ZN8Security10CFTempDataC2INS_8BlobCoreEEERKT_
+__ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEE16_M_insert_uniqueERKi
+__ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEE9_M_insertEPSt18_Rb_tree_node_baseS7_RKi
+__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIiEE8allocateEmPKv
+__ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEE7_M_copyEPKSt13_Rb_tree_nodeIiEPS7_
__ZNK8Security16SimpleAclSubject8validateERKNS_20AclValidationContextE
+__ZNK21BaseValidationContext5countEv
+__ZNK21BaseValidationContext6sampleEj
__ZNK8Security9TypedList8isProperEv
__ZNK8Security11ListElement4wordEv
__ZNK8Security19ThresholdAclSubject8validateERKNS_20AclValidationContextERKNS_9TypedListE
__ZNK8Security23CodeSignatureAclSubject8validateERKNS_20AclValidationContextE
-__ZNK8Security13CssmOwnedData3getEv
-__ZN25SecurityServerEnvironment19verifyCodeSignatureEPKN8Security11CodeSigning9SignatureEPKNS0_8CssmDataE
-__ZN14CodeSignatures6verifyER7ProcessPKN8Security11CodeSigning9SignatureEPKNS2_8CssmDataE
-__ZNK7Process7getHashERN8Security11CodeSigning9OSXSignerE
-__ZN8Security11CodeSigning9OSXSigner4signERKNS0_8SignableE
-__ZNK8Security13GenericBundle12scanContentsERNS_11CodeSigning6Signer5StateE
-__ZNK8Security13GenericBundle14executablePathEv
-__ZNK8Security13GenericBundle8cfBundleEv
-__ZN8Security8cfStringEPK7__CFURLb
-__ZN8Security7OSXCode8scanFileEPKcRNS_11CodeSigning6Signer5StateE
-__ZN8Security11CodeSigning9OSXSigner8Digester17enumerateContentsEPKvm
-__ZN8Security10CssmClient6Digest6digestEPKNS_8CssmDataEm
-__ZN8Security10CssmClient6Digest8activateEv
-__ZN8Security10CssmClient6DigestclERNS_8CssmDataE
-__ZN14CodeSignatures4findERNS_8IdentityEj
-__ZN5DbKeyC4EcRKN8Security8CssmDataEbj
-__ZNK8Security12UnixPlusPlus6UnixDb3getERKNS_8CssmDataERS2_i
-__ZN8Security15CssmManagedDataD2Ev
-__ZN8Security15CssmManagedDataD4Ev
-__ZN14CodeSignatures8Identity13canonicalNameERKSs
-__ZNK7Process7getPathEv
-__ZNK8Security8CssmList6lengthEv
-__ZNK8Security8CssmListixEj
-__ZNK24KeychainPromptAclSubject8validateERKN8Security20AclValidationContextERKNS0_9TypedListE
-__ZNK10__cxxabiv121__vmi_class_type_info20__do_find_public_srcEiPKvPKNS_17__class_type_infoES2_
-__ZNK10__cxxabiv117__class_type_info20__do_find_public_srcEiPKvPKS0_S2_
-__ZN16QueryKeychainUseC1EbPK8Database
-__ZN16QueryKeychainUseC4EbPK8Database
-__ZN16AuthHostInstanceD0Ev
-__ZN16AuthHostInstanceD4Ev
-__ZN11ServerChildD2Ev
-__ZN11ServerChildD4Ev
-__ZN8Security9ConditionD1Ev
-__ZN8Security9ConditionD4Ev
-__ZN8Security12UnixPlusPlus5ChildD2Ev
-__ZN8Security12UnixPlusPlus5ChildD4Ev
-__ZN18SecurityAgentQuery10inferHintsER7Process
-__ZNK16KeychainDatabase6dbNameEv
-__ZN16QueryKeychainUse9queryUserEPKcS1_l
-__ZN13SecurityAgent6Client11checkResultEv
-__ZN13Authorization8AuthItem11getCssmDataERN8Security12CssmAutoDataE
-__ZN18SensitiveAllocator4freeEPv
-__ZN18SecurityAgentQuery10readChoiceEv
-__ZN13Authorization8AuthItem9getStringERSs
-__ZN18SecurityAgentQueryD2Ev
-__ZN8Security20AclValidationContextD2Ev
-__ZN8Security20AclValidationContextD4Ev
-__ZN8Security24AclValidationEnvironmentD2Ev
-__ZN8Security24AclValidationEnvironmentD4Ev
-__ZN8Security10CssmClient7Context8overrideERKNS_7ContextE
-__Z12_XreleaseKeyP17mach_msg_header_tS0_
-__Z34__MIG_check__Request__releaseKey_tP23__Request__releaseKey_t
-__Z22ucsp_server_releaseKeyjj13audit_token_tPlm
-__ZN8Database10releaseKeyER3Key
-__ZN11KeychainKeyD0Ev
-__ZN11KeychainKeyD4Ev
+__ZTv0_n48_N25SecurityServerEnvironment19verifyCodeSignatureERKN8Security11OSXVerifierERKNS0_20AclValidationContextE
+__ZN25SecurityServerEnvironment19verifyCodeSignatureERKN8Security11OSXVerifierERKNS0_20AclValidationContextE
+__ZN14CodeSignatures6verifyER7ProcessRKN8Security11OSXVerifierERKNS2_20AclValidationContextE
+__ZN24SublistValidationContextD2Ev
+__ZNK21BaseValidationContext7matchedEPKN8Security9TypedListE
+__ZN8Security19ThresholdAclSubjectD0Ev
+__ZN24KeychainPromptAclSubjectD0Ev
+__ZN8Security16SimpleAclSubjectD2Ev
__ZN8Security23CodeSignatureAclSubjectD0Ev
-__ZN8Security23CodeSignatureAclSubjectD4Ev
-__ZN8LocalKeyD2Ev
-__ZN8LocalKeyD4Ev
-__Z18_XpostNotificationP17mach_msg_header_tS0_
-__Z40__MIG_check__Request__postNotification_tP29__Request__postNotification_t
-__Z28ucsp_server_postNotificationjmmPvj
-__ZN8Listener6removeEN8Security12MachPlusPlus4PortE
-__ZN8ListenerD4Ev
-__ZNK13Authorization8RuleImpl12evaluateUserERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEmdPKSt3setINS_10CredentialESt4lessISA_ESaISA_EERSE_R18AuthorizationToken
-__ZNK13Authorization8RuleImpl26evaluateCredentialForRightERKNS_11AuthItemRefERKNS_4RuleERKNS_11AuthItemSetEdRKNS_10CredentialEb
-__ZNK13Authorization14CredentialImpl12creationTimeEv
-__ZN18AuthorizationToken17setCredentialInfoERKN13Authorization10CredentialE
-__ZNK8Security14ExecutableTool13canonicalPathEv
-__ZN13Authorization14CredentialImpl10invalidateEv
-__ZNK13Authorization8RuleImpl21evaluateAuthorizationERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEmdPKSt3setINS_10CredentialESt4lessISA_ESaISA_EERSE_R18AuthorizationToken
-__ZNK13Authorization8RuleImpl20evaluateSessionOwnerERKNS_11AuthItemRefERKNS_4RuleERKNS_11AuthItemSetEdRK18AuthorizationTokenRSs
-__ZNK14DynamicSession13originatorUidEv
-__ZN18AuthorizationToken12scrubInfoSetEv
-__ZNK8Security14ExecutableTool6encodeEv
+__ZN8Security11OSXVerifierD2Ev
+__ZN8Security11OSXVerifier6AuxMapD2Ev
+__ZNSt8_Rb_treeIjSt4pairIKjPN8Security8BlobCoreEESt10_Select1stIS5_ESt4lessIjESaIS5_EE8_M_eraseEPSt13_Rb_tree_nodeIS5_E
+__ZThn16_N7ProcessD0Ev
/*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004,2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
{
}
+
//
// Construct the server object
//
Server::Server(Authority &authority, CodeSignatures &signatures, const char *bootstrapName)
: MachServer(bootstrapName),
mBootstrapName(bootstrapName),
- mShutdown(shutdownImmediately),
mCSPModule(gGuidAppleCSP, mCssm), mCSP(mCSPModule),
mAuthority(authority),
mCodeSignatures(signatures),
- mAudit(geteuid(), getpid())
+ mAudit(geteuid(), getpid()),
+ mVerbosity(0),
+ mWaitForClients(true), mShuttingDown(false)
{
// make me eternal (in the object mesh)
ref();
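Review bot: The default shutdown behaviour is inverted in this initializer list without a comment: the removed initializer was `mShutdown(shutdownImmediately)` and the new one is `mWaitForClients(true)`. Going by beginShutdown() later in this diff, which only calls `_exit(0)` when `mWaitForClients` is false, a server whose caller never invokes waitForClients() now lingers on SIGTERM instead of terminating. If that is intended, a comment on the initializer such as `// default: stay alive for existing clients after SIGTERM` would record it. The constructor body continues past the end of the hunk.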
// by calling Server::connection() [no argument] until it is released by
// calling Connection::endWork().
//
-Connection &Server::connection(mach_port_t port)
+Connection &Server::connection(mach_port_t port, audit_token_t &auditToken)
{
Server &server = active();
StLock<Mutex> _(server);
Connection *conn = server.mConnections.get(port, CSSM_ERRCODE_INVALID_CONTEXT_HANDLE);
active().mCurrentConnection() = conn;
- conn->beginWork();
+ conn->beginWork(auditToken);
return *conn;
}
RefPointer<Key> Server::key(KeyHandle key)
{
- return HandleObject::findRef<Key>(key, CSSMERR_CSP_INVALID_KEY_REFERENCE);
+ return U32HandleObject::findRef<Key>(key, CSSMERR_CSP_INVALID_KEY_REFERENCE);
}
RefPointer<Database> Server::database(DbHandle db)
//
// Locate an ACL bearer (database or key) by handle
+// The handle might be used across IPC, so we clamp it accordingly
//
-AclSource &Server::aclBearer(AclKind kind, CSSM_HANDLE handle)
+AclSource &Server::aclBearer(AclKind kind, U32HandleObject::Handle handle)
{
- AclSource &bearer = HandleObject::find<AclSource>(handle, CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
+ AclSource &bearer = U32HandleObject::find<AclSource>(handle, CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
if (kind != bearer.acl().aclKind())
CssmError::throwMe(CSSMERR_CSSM_INVALID_HANDLE_USAGE);
return bearer;
boolean_t self_server(mach_msg_header_t *, mach_msg_header_t *);
-#if !defined(NDEBUG)
-
-struct IPCName { const char *name; int ipc; };
-static IPCName ucspNames[] = { subsystem_to_name_map_ucsp }; // generated by MIG
-static IPCName selfNames[] = { subsystem_to_name_map_self }; // generated by MIG
-
-#endif //NDEBUG
-
boolean_t Server::handle(mach_msg_header_t *in, mach_msg_header_t *out)
{
-#if !defined(NDEBUG)
- const int id = in->msgh_id;
- const int ucspBase = ucspNames[0].ipc;
- const int selfBase = selfNames[0].ipc;
- const char *name =
- (id >= ucspBase && id < ucspBase + ucsp_MSG_COUNT) ? ucspNames[id - ucspBase].name :
- (id >= selfBase && id < selfBase + self_MSG_COUNT) ? selfNames[id - selfBase].name :
- "OUT OF BOUNDS";
- secdebug("SSreq", "begin %s (%d)", name, in->msgh_id);
-#endif //NDEBUG
-
- boolean_t result = ucsp_server(in, out) || self_server(in, out);
- IFDEBUG(secdebug("SSreq", "end %s (%d)", name, in->msgh_id));
-
- return result;
+ return ucsp_server(in, out) || self_server(in, out);
}
// is it a connection?
PortMap<Connection>::iterator conIt = mConnections.find(port);
if (conIt != mConnections.end()) {
+ SECURITYD_PORTS_DEAD_CONNECTION(port);
conIt->second->abort();
mConnections.erase(conIt);
return;
// is it a process?
PortMap<Process>::iterator procIt = mProcesses.find(port);
if (procIt != mProcesses.end()) {
+ SECURITYD_PORTS_DEAD_PROCESS(port);
Process *proc = procIt->second;
proc->kill();
mPids.erase(proc->pid());
}
// well, what IS IT?!
+ SECURITYD_PORTS_DEAD_ORPHAN(port);
secdebug("server", "spurious dead port notification for port %d", port.port());
}
//
void Server::notifyNoSenders(Port port, mach_port_mscount_t)
{
+ SECURITYD_PORTS_DEAD_SESSION(port);
secdebug("SSports", "port %d no senders", port.port());
Session::destroy(port);
}
mach_port_t taskPort, int sig)
{
try {
+ SECURITYD_SIGNAL_HANDLED(sig);
if (taskPort != mach_task_self()) {
Syslog::error("handleSignal: received from someone other than myself");
- secdebug("SS", "unauthorized handleSignal");
return KERN_SUCCESS;
}
- secdebug("SS", "dispatching indirect signal %d", sig);
switch (sig) {
case SIGCHLD:
ServerChild::checkChildren();
break;
case SIGINT:
- secdebug("SS", "SIGINT received: terminating immediately");
+ SECURITYD_SHUTDOWN_NOW();
Syslog::notice("securityd terminated due to SIGINT");
- exit(0);
+ _exit(0);
case SIGTERM:
- if (Server::active().beginShutdown()) {
- Syslog::notice("securityd shutting down; lingering for remaining clients");
- } else {
- secdebug("SS", "SIGTERM received: terminating immediately");
- Syslog::notice("securityd terminated due to SIGTERM");
- exit(0);
- }
+ Server::active().beginShutdown();
break;
case SIGPIPE:
- secdebug("SS", "SIGPIPE received: ignoring");
- Syslog::notice("securityd ignoring SIGPIPE received");
+ fprintf(stderr, "securityd ignoring SIGPIPE received");
break;
#if defined(DEBUGDUMP)
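Review bot: The SIGPIPE case now reports through `fprintf(stderr, "securityd ignoring SIGPIPE received");`, which has no trailing newline and leaves no record in the system log the way the removed Syslog::notice() did. For a daemon, stderr is often closed or redirected, so the event may simply vanish. If stderr is itself the pipe whose reader went away, the write could raise the signal again. At minimum terminate the line, `fprintf(stderr, "securityd ignoring SIGPIPE received\n");`, and add a comment saying why syslog is avoided here. handleSignal() begins before the hunk and continues after it.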
//
void Server::SleepWatcher::systemWillSleep()
{
- secdebug("SS", "sleep notification received");
+ SECURITYD_POWER_SLEEP();
Session::processSystemSleep();
- secdebug("server", "distributing sleep event to %ld clients", mPowerClients.size());
for (set<PowerWatcher *>::const_iterator it = mPowerClients.begin(); it != mPowerClients.end(); it++)
(*it)->systemWillSleep();
}
void Server::SleepWatcher::systemIsWaking()
{
- secdebug("server", "distributing wakeup event to %ld clients", mPowerClients.size());
+ SECURITYD_POWER_WAKE();
for (set<PowerWatcher *>::const_iterator it = mPowerClients.begin(); it != mPowerClients.end(); it++)
(*it)->systemIsWaking();
}
+void Server::SleepWatcher::systemWillPowerOn()
+{
+ SECURITYD_POWER_ON();
+ Server::active().longTermActivity();
+ for (set<PowerWatcher *>::const_iterator it = mPowerClients.begin(); it != mPowerClients.end(); it++)
+ (*it)->systemWillPowerOn();
+}
+
void Server::SleepWatcher::add(PowerWatcher *client)
{
assert(mPowerClients.find(client) == mPowerClients.end());
//
void Server::waitForClients(bool waiting)
{
- if (mShutdown == shuttingDown) // too late to change your mind now
- return;
- if (waiting)
- mShutdown = shutdownDelayed;
- else
- mShutdown = shutdownImmediately;
+ mWaitForClients = waiting;
}
//
-// Shutdown processing
+// Begin shutdown processing.
+// We relinquish our primary state authority. From now on, we'll be
+// kept alive (only) by our current clients.
//
-bool Server::beginShutdown()
-{
- if (mShutdown != shutdownDelayed)
- return false;
+static FILE *reportFile;
- secdebug("server", "beginning shutdown with %d client(s)", int(mProcesses.size()));
- mShutdown = shuttingDown;
-
-#if defined(SHUTDOWN_SNITCH)
- struct Snitch : public MachServer::Timer {
- void action() { Server::active().shutdownSnitch(); }
- };
- setTimer(new Snitch, Time::Interval(29)); // right before we get SIGKILLed
-#endif
-
- return true;
+void Server::beginShutdown()
+{
+ StLock<Mutex> _(*this);
+ if (!mWaitForClients) {
+ SECURITYD_SHUTDOWN_NOW();
+ _exit(0);
+ } else {
+ if (!mShuttingDown) {
+ mShuttingDown = true;
+ Session::invalidateAuthHosts();
+ SECURITYD_SHUTDOWN_BEGIN();
+ if (verbosity() >= 2) {
+ reportFile = fopen("/var/log/securityd-shutdown.log", "w");
+ shutdownSnitch();
+ }
+ }
+ }
}
+//
+// During shutdown, we report residual clients to dtrace, and allow a state dump
+// for debugging.
+// We don't bother locking for the shuttingDown() check; it's a latching boolean
+// and we'll be good enough without a lock.
+//
void Server::eventDone()
{
- if (mShutdown == shuttingDown) {
- if (mProcesses.empty()) {
- secdebug("SS", "out of clients - shutdown complete");
- Syslog::notice("securityd has finished serving its clients - terminating now");
- exit(0);
- } else {
- secdebug("SS", "shutdown in progress - %d process(es) left", int(mProcesses.size()));
- IFDUMPING("shutdown", NodeCore::dumpAll());
+ if (this->shuttingDown()) {
+ StLock<Mutex> lazy(*this, false); // lazy lock acquisition
+ if (SECURITYD_SHUTDOWN_COUNT_ENABLED()) {
+ lazy.lock();
+ SECURITYD_SHUTDOWN_COUNT(mProcesses.size(), VProc::Transaction::debugCount());
}
+ if (verbosity() >= 2) {
+ lazy.lock();
+ shutdownSnitch();
+ }
+ IFDUMPING("shutdown", NodeCore::dumpAll());
}
}
-#if defined(SHUTDOWN_SNITCH)
void Server::shutdownSnitch()
{
- Syslog::notice("29 seconds after shutdown began, securityd still has %d clients:", int(mPids.size()));
+ time_t now;
+ time(&now);
+ fprintf(reportFile, "%.24s %d residual clients:\n", ctime(&now), int(mPids.size()));
for (PidMap::const_iterator it = mPids.begin(); it != mPids.end(); ++it)
if (SecCodeRef clientCode = it->second->processCode()) {
CFRef<CFURLRef> path;
- SecCodeCopyPath(clientCode, kSecCSDefaultFlags, &path.aref());
+ OSStatus rc = SecCodeCopyPath(clientCode, kSecCSDefaultFlags, &path.aref());
if (path)
- Syslog::notice(" %s (%d)", cfString(path).c_str(), it->first);
+ fprintf(reportFile, " %s (%d)\n", cfString(path).c_str(), it->first);
else
- Syslog::notice(" pid=%d", it->first);
+ fprintf(reportFile, "pid=%d (error %d)\n", it->first, int32_t(rc));
}
+ fprintf(reportFile, "\n");
+ fflush(reportFile);
}
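Review bot: The result of `fopen("/var/log/securityd-shutdown.log", "w")` in beginShutdown() is never checked, yet shutdownSnitch() passes `reportFile` straight to fprintf() and fflush(), so a failed open becomes a null FILE pointer dereference in the middle of shutdown. eventDone() also calls shutdownSnitch() whenever `verbosity() >= 2`, so the guard belongs in shutdownSnitch() itself: `if (reportFile == NULL) return;` as its first statement. Separately, "w" truncates and follows whatever already exists at that fixed path; that is only safe as long as the directory is writable by root alone, which is worth stating in a comment next to the fopen().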
-#endif //SHUTDOWN_SNITCH
-
//
// Initialize the CSSM/MDS subsystem.
// system MDS here, and CSSM is pretty much always needed, so this is called
// early during program startup. Do note that the server may not (yet) be running.
//
-void Server::loadCssm()
+void Server::loadCssm(bool mdsIsInstalled)
{
if (!mCssm->isActive()) {
StLock<Mutex> _(*this);
+ VProc::Transaction xact;
if (!mCssm->isActive()) {
- secdebug("SS", "Installing MDS");
- IFDEBUG(if (geteuid() == 0))
+ if (!mdsIsInstalled) { // non-system securityd instance should not reinitialize MDS
+ secdebug("SS", "Installing MDS");
+ IFDEBUG(if (geteuid() == 0))
MDSClient::mds().install();
+ }
secdebug("SS", "CSSM initializing");
mCssm->init();
mCSP->attach();
/*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004,2008-2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
*
* @APPLE_LICENSE_HEADER_END@
*/
-#define SHUTDOWN_SNITCH
//
#include <security_cdsa_client/cspclient.h>
#include <security_utilities/devrandom.h>
#include <security_cdsa_utilities/uniformrandom.h>
+#include <security_utilities/vproc++.h>
#include "codesigdb.h"
#include "connection.h"
#include "key.h"
//
static Server &active() { return safer_cast<Server &>(MachServer::active()); }
static const char *bootstrapName() { return active().mBootstrapName.c_str(); }
+ static unsigned int verbosity() { return active().mVerbosity; }
//
// Each thread has at most one "active connection". If the server is currently
// servicing a request received through a Connection, that's it. Otherwise
// there is none.
//
- static Connection &connection(mach_port_t replyPort); // find by reply port and make active
+ static Connection &connection(mach_port_t replyPort, audit_token_t &auditToken); // find by reply port and make active
static Connection &connection(bool tolerant = false); // return active (or fail unless tolerant)
static void requestComplete(CSSM_RETURN &rcode); // de-activate active connection
static RefPointer<Database> database(DbHandle db);
static RefPointer<KeychainDatabase> keychain(DbHandle db);
static RefPointer<Database> optionalDatabase(DbHandle db, bool persistent = true);
- static AclSource &aclBearer(AclKind kind, CSSM_HANDLE handle);
+ static AclSource &aclBearer(AclKind kind, U32HandleObject::Handle handle);
// Generic version of handle lookup
template <class ProcessBearer>
- static RefPointer<ProcessBearer> find(CSSM_HANDLE handle, CSSM_RETURN notFoundError)
+ static RefPointer<ProcessBearer> find(uint32_t handle, CSSM_RETURN notFoundError)
{
RefPointer<ProcessBearer> object =
- HandleObject::findRef<ProcessBearer>(handle, notFoundError);
+ U32HandleObject::findRef<ProcessBearer>(handle, notFoundError);
if (object->process() != Server::process())
CssmError::throwMe(notFoundError);
return object;
//
// Initialize CSSM and MDS
//
- void loadCssm();
+ void loadCssm(bool mdsIsInstalled);
public:
// set up a new connection
public:
void systemWillSleep();
void systemIsWaking();
+ void systemWillPowerOn();
void add(PowerWatcher *client);
void remove(PowerWatcher *client);
public:
Process *findPid(pid_t pid) const;
+ void verbosity(unsigned int v) { mVerbosity = v; }
void waitForClients(bool waiting); // set waiting behavior
- bool beginShutdown(); // start delayed shutdown if configured
+ void beginShutdown(); // start delayed shutdown if configured
+ bool shuttingDown() const { return mShuttingDown; }
+ void shutdownSnitch(); // report lingering clients
private:
// mach bootstrap registration name
PortMap<Process> mProcesses; // strong reference
PidMap mPids; // weak reference (subsidiary to mProcesses)
- enum ShutdownMode {
- shutdownImmediately, // shut down immediately on SIGTERM
- shutdownDelayed, // wait for clients on SIGTERM
- shuttingDown // delayed shutdown in progress
- } mShutdown; // shutdown mode
- void shutdownSnitch(); // rat out lingering clients (to syslog)
-
// Current connection, if any (per thread).
// Set as a side effect of calling connection(mach_port_t)
// and returned by connection(bool).
// Per-process audit initialization
CommonCriteria::AuditSession mAudit;
+
+ // busy state for primary state authority
+ unsigned int mVerbosity;
+ bool mWaitForClients;
+ bool mShuttingDown;
};
/*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004,2008-2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
// Sessions are multi-threaded objects.
//
#include <pwd.h>
+#include <signal.h> // SIGTERM
#include <Security/AuthorizationPriv.h> // kAuthorizationFlagLeastPrivileged
-
#include "session.h"
#include "connection.h"
#include "database.h"
#include "server.h"
+#include <security_utilities/logging.h>
//
// The static session map
: mBootstrap(bootstrap), mServicePort(servicePort),
mAttributes(attrs), mSecurityAgent(NULL), mAuthHost(NULL)
{
- secdebug("SSsession", "%p CREATED: handle=0x%lx bootstrap=%d service=%d attrs=0x%lx",
- this, handle(), mBootstrap.port(), mServicePort.port(), mAttributes);
+ secdebug("SSsession", "%p CREATED: handle=%#x bootstrap=%d service=%d attrs=%#x",
+ this, handle(), mBootstrap.port(), mServicePort.port(), uint32_t(mAttributes));
+ SECURITYD_SESSION_CREATE(this, attrs, servicePort);
+ Syslog::notice("Session 0x%lx created", this->handle());
}
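Review bot: The added `Syslog::notice("Session 0x%lx created", this->handle());` formats handle() with `%lx`, while the secdebug call just above it was changed in this same commit to `%#x` for the same value. That suggests handle() is now 32 bits wide, in which case a `%lx` conversion reads more than was passed on LP64 targets. The same format string is added in the destructor (`Session 0x%lx destroyed`), in Session::destroy() (`Session 0x%lx dead`) and in DynamicSession::setupAttributes(). Suggest `Syslog::notice("Session %#x created", this->handle());` and the matching change in the other three places. The constructor begins before the hunk.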
//
Session::~Session()
{
- secdebug("SSsession", "%p DESTROYED: handle=0x%lx bootstrap=%d",
+ secdebug("SSsession", "%p DESTROYED: handle=%#x bootstrap=%d",
this, handle(), mBootstrap.port());
+ Syslog::notice("Session 0x%lx destroyed", this->handle());
}
case callerSecuritySession:
return Server::session();
default:
- return HandleObject::find<Session>(id, CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
+ try {
+ return U32HandleObject::find<Session>(id, CSSMERR_CSSM_INVALID_ADDIN_HANDLE);
+ } catch (const CommonError &err) {
+ Syslog::warning("Session::find(%#x) failed rcode=%d", id, err.osStatus());
+ for (PortMap<Session>::const_iterator it = mSessions.begin(); it != mSessions.end(); ++it)
+ Syslog::notice(" Valid sessions include %#x attrs=%#x",
+ it->second->handle(), it->second->attributes());
+ throw;
+ }
}
}
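Review bot: The new catch block iterates mSessions without taking its lock, whereas Session::invalidateAuthHosts() added in this commit guards the same map with `StLock<Mutex> _(mSessions);`. Unless a lock is already held earlier in this function, which starts outside the hunk, a concurrent session create or destroy can invalidate the iterator. The loop also emits one syslog line per live session every time a caller supplies an unknown id, so any client able to reach this path can multiply log volume and gets every valid session handle written to the log. Suggest holding the lock around the loop and either logging only the failed id or capping the listing.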
PortMap<Session>::iterator it = mSessions.find(servPort);
assert(it != mSessions.end());
RefPointer<Session> session = it->second;
+ SECURITYD_SESSION_DESTROY(session);
+ Syslog::notice("Session 0x%lx dead", session->handle());
mSessions.erase(it);
session->kill();
}
void Session::kill()
{
- StLock<Mutex> _(*this);
+ StLock<Mutex> _(*this); // do we need to take this so early?
- // release authorization host objects
- {
- StLock<Mutex> _(mAuthHostLock);
- mSecurityAgent = NULL;
- mAuthHost = NULL;
- }
+ invalidateSessionAuthHosts();
// invalidate shared credentials
{
PerSession::kill();
}
+void Session::invalidateSessionAuthHosts()
+{
+ StLock<Mutex> _(mAuthHostLock);
+
+ // if you got here, we don't care about pending operations: the auth hosts die
+ Syslog::warning("Killing auth hosts");
+ if (mSecurityAgent) mSecurityAgent->UnixPlusPlus::Child::kill(SIGTERM);
+ if (mAuthHost) mAuthHost->UnixPlusPlus::Child::kill(SIGTERM);
+ mSecurityAgent = NULL;
+ mAuthHost = NULL;
+}
+
+void Session::invalidateAuthHosts()
+{
+ StLock<Mutex> _(mSessions);
+ for (PortMap<Session>::const_iterator it = mSessions.begin(); it != mSessions.end(); it++)
+ it->second->invalidateSessionAuthHosts();
+}
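Review bot: `Syslog::warning("Killing auth hosts");` in invalidateSessionAuthHosts() fires on every call, including for sessions that have neither a security agent nor an auth host, and it does not say which session it refers to. Because invalidateAuthHosts() runs it once per session, and Session::kill() now calls it too, the log fills with identical warnings that cannot be tied to a process. Suggest `if (mSecurityAgent || mAuthHost) Syslog::warning("Killing auth hosts for session %#x", handle());`. The inline question on the Session::kill() lock (`// do we need to take this so early?`) should be resolved or turned into a TODO with an owner, since kill() now holds the session lock while mAuthHostLock is acquired and signals are sent.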
//
// On system sleep, call sleepProcessing on all DbCommons of all Sessions
allReferences(&DbCommon::lockProcessing);
}
-
//
// The root session inherits the startup bootstrap and service port
//
void DynamicSession::setupAttributes(SessionCreationFlags flags, SessionAttributeBits attrs)
{
StLock<Mutex> _(*this);
- secdebug("SSsession", "%p setup flags=0x%lx attrs=0x%lx", this, flags, attrs);
+ SECURITYD_SESSION_SETATTR(this, attrs);
+ Syslog::notice("Session 0x%lx attributes 0x%x", this->handle(), attrs);
+ secdebug("SSsession", "%p setup flags=%#x attrs=%#x", this, uint32_t(flags), uint32_t(attrs));
if (attrs & ~settableAttributes)
MacOSError::throwMe(errSessionInvalidAttributes);
checkOriginator();
if (pw != NULL) {
- mOriginatorCredential = Credential(uid, pw->pw_name ? pw->pw_name : "", pw->pw_gecos ? pw->pw_gecos : "", true/*shared*/);
+ mOriginatorCredential = Credential(uid, pw->pw_name ? pw->pw_name : "", pw->pw_gecos ? pw->pw_gecos : "", "", true/*shared*/);
endpwent();
}
// this will acquire the object lock, so we delay acquiring it (@@@ no longer needed)
auto_ptr<AuthorizationToken> auth(new AuthorizationToken(*this, resultCreds, auditToken, (flags&kAuthorizationFlagLeastPrivileged)));
+ SECURITYD_AUTH_CREATE(this, auth.get());
+
// Make a copy of the mSessionCreds
CredentialSet sessionCreds;
{
auth.mergeCredentials(resultCreds);
}
- secdebug("SSauth", "Authorization %p authorizationdbSet %s (result=%ld)",
- &authorization(authBlob), inRightName, result);
+ secdebug("SSauth", "Authorization %p authorizationdbSet %s (result=%d)",
+ &authorization(authBlob), inRightName, int32_t(result));
return result;
}
auth.mergeCredentials(resultCreds);
}
- secdebug("SSauth", "Authorization %p authorizationdbRemove %s (result=%ld)",
- &authorization(authBlob), inRightName, result);
+ secdebug("SSauth", "Authorization %p authorizationdbRemove %s (result=%d)",
+ &authorization(authBlob), inRightName, int32_t(result));
return result;
}
return auth;
}
+//
+// Run the Authorization engine to check if a given right has been authorized,
+// independent of an external client request.
+//
+OSStatus Session::authCheckRight(string &rightName, Connection &connection, bool allowUI)
+{
+ // dummy up the arguments for authCreate()
+ AuthorizationItem rightItem = { rightName.c_str(), 0, NULL, 0 };
+ AuthorizationItemSet rightItemSet = { 1, &rightItem };
+ AuthItemSet rightAuthItemSet(&rightItemSet);
+ AuthItemSet envAuthItemSet(kAuthorizationEmptyEnvironment);
+ AuthorizationFlags flags = kAuthorizationFlagDefaults | kAuthorizationFlagExtendRights;
+ if (true == allowUI)
+ flags |= kAuthorizationFlagInteractionAllowed;
+ AuthorizationBlob dummyHandle;
+ const audit_token_t *at = connection.auditToken();
+
+ return authCreate(rightAuthItemSet, envAuthItemSet, flags, dummyHandle, *at);
+}
+
+// for places within securityd that don't want to #include
+// <libsecurity_authorization/Authorization.h> or to fuss about exceptions
+bool Session::isRightAuthorized(string &rightName, Connection &connection, bool allowUI)
+{
+ bool isAuthorized = false;
+
+ try {
+ OSStatus status = authCheckRight(rightName, connection, allowUI);
+ if (errAuthorizationSuccess == status)
+ isAuthorized = true;
+ }
+ catch (...) {
+ }
+ return isAuthorized;
+}
+
RefPointer<AuthHostInstance>
Session::authhost(const AuthHostType hostType, const bool restart)
{
void Session::dumpNode()
{
PerSession::dumpNode();
- Debug::dump(" boot=%d service=%d attrs=0x%lx authhost=%p securityagent=%p",
- mBootstrap.port(), mServicePort.port(), mAttributes, mAuthHost, mSecurityAgent);
+ Debug::dump(" boot=%d service=%d attrs=%#x authhost=%p securityagent=%p",
+ mBootstrap.port(), mServicePort.port(), uint32_t(mAttributes), mAuthHost, mSecurityAgent);
}
#endif //DEBUGDUMP
/*
- * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004,2008 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#include "authority.h"
#include "authhost.h"
#include <Security/AuthSession.h>
-#include <security_cdsa_utilities/handleobject.h>
+#include <security_cdsa_utilities/handletemplates_defs.h>
+#include <security_cdsa_utilities/u32handleobject.h>
#include <security_cdsa_utilities/cssmdb.h>
#if __GNUC__ > 2
// with a modicum of security, and so Sessions are the natural nexus of
// single-sign-on functionality.
//
-class Session : public HandleObject, public PerSession {
+class Session : public U32HandleObject, public PerSession {
public:
typedef MachPlusPlus::Bootstrap Bootstrap;
public:
const CredentialSet &authCredentials() const { return mSessionCreds; }
+ //
+ // For external Authorization clients
+ //
OSStatus authCreate(const AuthItemSet &rights, const AuthItemSet &environment,
AuthorizationFlags flags, AuthorizationBlob &newHandle, const audit_token_t &auditToken);
void authFree(const AuthorizationBlob &auth, AuthorizationFlags flags);
OSStatus authorizationdbGet(AuthorizationString inRightName, CFDictionaryRef *rightDict);
OSStatus authorizationdbSet(const AuthorizationBlob &authBlob, AuthorizationString inRightName, CFDictionaryRef rightDict);
OSStatus authorizationdbRemove(const AuthorizationBlob &authBlob, AuthorizationString inRightName);
+
+ //
+ // Authorization methods for securityd's internal use
+ //
+ OSStatus authCheckRight(string &rightName, Connection &connection, bool allowUI);
+ // authCheckRight() with exception-handling and Boolean return semantics
+ bool isRightAuthorized(string &rightName, Connection &connection, bool allowUI);
private:
struct AuthorizationExternalBlob {
static Session &find(SecuritySessionId id);
template <class SessionType> static SessionType &find(SecuritySessionId id);
static void destroy(Port servPort);
+ void invalidateSessionAuthHosts(); // invalidate auth hosts in this session
+ static void invalidateAuthHosts(); // invalidate auth hosts in all sessions
static void processSystemSleep();
void processLockAll();
// override this to add text to your Node type's state dump output
void NodeCore::dumpNode()
{
- Debug::dump("%s@%p rc=%u", Debug::typeName(*this).c_str(), this, unsigned(refCountForDebuggingOnly()));
+ Debug::dump("%s@%p rc=%u", Debug::typeName(*this).c_str(), this, unsigned(refCountForDebuggingOnly()));
if (mParent)
Debug::dump(" parent=%p", mParent.get());
if (mReferent)
// override this to completely re-implement the dump format for your Node type
void NodeCore::dump()
{
- dumpNode();
+ dumpNode();
if (!mReferences.empty()) {
Debug::dump(" {");
for (ReferenceSet::const_iterator it = mReferences.begin(); it != mReferences.end(); it++) {
// dump all known nodes
void NodeCore::dumpAll()
{
- StLock<Mutex> _(mCoreLock);
+ StLock<Mutex> _(mCoreLock);
time_t now; time(&now);
Debug::dump("\nNODE DUMP (%24.24s)\n", ctime(&now));
for (set<NodeCore *>::const_iterator it = mCoreNodes.begin(); it != mCoreNodes.end(); it++)
/*
- * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2001,2008 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#include <security_utilities/refcount.h>
#include <security_utilities/mach++.h>
-#include <security_cdsa_utilities/handleobject.h>
+#include <security_cdsa_utilities/u32handleobject.h>
#include <map>
+#include "dtrace.h"
using MachPlusPlus::Port;
//
// Process (client process) layer nodes
//
-class PerProcess : public HandleObject, public Node<PerProcess, PerSession> {
+class PerProcess : public U32HandleObject, public Node<PerProcess, PerSession> {
public:
};
/*
- * Copyright (c) 2004 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2004,2008 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
// Note that the defaulted read functions do NOT write the default
// to disk; they work fine in read-only disk areas.
//
-static uint32 getFile(const string &path, uint32 defaultValue)
+static unsigned long getFile(const string &path, unsigned long defaultValue)
{
try {
- AutoFileDesc fd(path);
- string s; fd.readAll(s);
- uint32 value; sscanf(s.c_str(), "%ld", &value);
- return value;
+ AutoFileDesc fd(path, O_RDONLY, FileDesc::modeMissingOk);
+ if (fd) {
+ string s; fd.readAll(s);
+ unsigned long value; sscanf(s.c_str(), "%lu", &value);
+ return value;
+ }
} catch (...) {
- return defaultValue;
}
+ return defaultValue;
}
static string getFile(const string &path, const string &defaultValue)
{
try {
- AutoFileDesc fd(path);
- string s; fd.readAll(s);
- return s;
+ AutoFileDesc fd(path, O_RDONLY, FileDesc::modeMissingOk);
+ if (fd) {
+ string s; fd.readAll(s);
+ return s;
+ }
} catch (...) {
- return defaultValue;
}
+ return defaultValue;
}
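Review bot: In the numeric getFile() overload, `value` is returned uninitialized whenever sscanf() converts nothing, for example when the file exists but is empty or does not start with digits. The commit corrects the format and type mismatch but still ignores sscanf()'s return value. Suggest `unsigned long value; if (sscanf(s.c_str(), "%lu", &value) == 1) return value;` so that a malformed file falls through to `return defaultValue;`. The result feeds `mLastSubservice = getFile(path(lastSSIDFile), 1);` in the following hunk, so a truncated file would otherwise seed that counter with an indeterminate value.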
makedir(path(configDir), O_CREAT, 0700, securityd);
makedir(path(tokensDir), O_CREAT, 0711, securityd);
- // get the path for the SSID file. Don't call getFile unless the file exists (avoids exception overhead)
- string idFilePath = path (lastSSIDFile);
- struct stat st;
- if (stat (idFilePath.c_str (), &st) == -1) {
- mLastSubservice = 1;
- } else {
- mLastSubservice = getFile(idFilePath, 1);
- }
+ mLastSubservice = getFile(path(lastSSIDFile), 1);
// identify uid/gid for token daemons
struct passwd *pw = getpwnam(TOKEND_UID);
try {
database().token().tokend().Tokend::ClientSession::releaseSearch(mHandle);
} catch (...) {
- secdebug("tokendb", "%p release search handle %ld threw (ignored)",
+ secdebug("tokendb", "%p release search handle %u threw (ignored)",
this, mHandle);
}
}
try {
database().token().tokend().Tokend::ClientSession::releaseRecord(mHandle);
} catch (...) {
- secdebug("tokendb", "%p release record handle %ld threw (ignored)",
+ secdebug("tokendb", "%p release record handle %u threw (ignored)",
this, mHandle);
}
}
class Handler {
public:
Handler() : mHandle(0) { }
- CSSM_HANDLE &tokenHandle() { return mHandle; }
- CSSM_HANDLE tokenHandle() const { return mHandle; }
+ GenericHandle &tokenHandle() { return mHandle; }
+ GenericHandle tokenHandle() const { return mHandle; }
protected:
- CSSM_HANDLE mHandle;
+ GenericHandle mHandle;
};
// CSSM-style search handles (returned by findFirst)
try {
database().token().tokend().releaseKey(mKey);
} catch (...) {
- secdebug("tokendb", "%p release key handle %ld threw (ignored)",
+ secdebug("tokendb", "%p release key handle %u threw (ignored)",
this, mKey);
}
}
/*
- * Copyright (c) 2000-2007 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2000-2009 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
#include <securityd_client/ucsp.h>
#include "server.h"
#include "session.h"
+#include "agentquery.h"
#include "database.h"
#include "kcdatabase.h"
#include "tokendatabase.h"
#include "kckey.h"
#include "child.h"
+#include <syslog.h>
#include <mach/mach_error.h>
#include <securityd_client/xdr_cssm.h>
#include <securityd_client/xdr_auth.h>
#include <securityd_client/xdr_dldb.h>
+#include <security_utilities/logging.h>
#include <CoreFoundation/CFDictionary.h>
#include <CoreFoundation/CFPropertyList.h>
audit_token_t auditToken, CSSM_RETURN *rcode
#define BEGIN_IPCN *rcode = CSSM_OK; try {
-#define BEGIN_IPC BEGIN_IPCN RefPointer<Connection> connRef(&Server::connection(replyPort)); \
- Connection &connection __attribute__((unused)) = *connRef;
+#define BEGIN_IPC(name) BEGIN_IPCN RefPointer<Connection> connRef(&Server::connection(replyPort, auditToken)); \
+ Connection &connection __attribute__((unused)) = *connRef; \
+ if (SECURITYD_REQUEST_ENTRY_ENABLED()) { \
+ const char * volatile s = #name; volatile char __attribute__((unused)) pagein = s[0]; \
+ SECURITYD_REQUEST_ENTRY((char *)s, &connection, &connection.process()); \
+ }
#define END_IPC(base) END_IPCN(base) Server::requestComplete(*rcode); return KERN_SUCCESS;
-#define END_IPCN(base) } \
+#define END_IPCN(base) SECURITYD_REQUEST_RETURN(*rcode); \
+ } \
catch (const CommonError &err) { *rcode = CssmError::cssmError(err, CSSM_ ## base ## _BASE_ERROR); } \
catch (const std::bad_alloc &) { *rcode = CssmError::merge(CSSM_ERRCODE_MEMORY_ERROR, CSSM_ ## base ## _BASE_ERROR); } \
catch (Connection *conn) { *rcode = 0; } \
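Review bot: `SECURITYD_REQUEST_RETURN(*rcode);` is placed inside the try block in END_IPCN, so it fires only when the request body finished without throwing, and it always sees the value `*rcode` had before any catch clause ran. A request that fails through one of the catch clauses therefore produces an entry probe with no matching return, and the error code never reaches the trace, unless the part of the macro beyond this hunk fires the probe again. Moving the probe after the last catch clause would report both outcomes. The `const char * volatile s = #name; volatile char ... pagein = s[0];` sequence in BEGIN_IPC also needs a comment, e.g. `// touch the string so it is resident before the probe reads it`, if that is the intent.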
kern_return_t ucsp_server_setup(UCSP_ARGS, mach_port_t taskPort, ClientSetupInfo info, const char *identity)
{
BEGIN_IPCN
+ SECURITYD_REQUEST_ENTRY((char*)"setup", NULL, NULL);
Server::active().setupConnection(Server::connectNewProcess, servicePort, replyPort,
taskPort, auditToken, &info, identity);
END_IPCN(CSSM)
+ if (*rcode)
+ Syslog::notice("setup(%s) failed rcode=%d", identity ? identity : "<NULL>", *rcode);
return KERN_SUCCESS;
}
mach_port_t *newServicePort)
{
BEGIN_IPCN
+ SECURITYD_REQUEST_ENTRY((char*)"setupNew", NULL, NULL);
try {
RefPointer<Session> session = new DynamicSession(taskPort);
Server::active().setupConnection(Server::connectNewSession, session->servicePort(), replyPort,
}
}
END_IPCN(CSSM)
+ if (*rcode)
+ Syslog::notice("setupNew(%s) failed rcode=%d", identity ? identity : "<NULL>", *rcode);
return KERN_SUCCESS;
}
kern_return_t ucsp_server_setupThread(UCSP_ARGS, mach_port_t taskPort)
{
+ SECURITYD_REQUEST_ENTRY((char*)"setupThread", NULL, NULL);
BEGIN_IPCN
Server::active().setupConnection(Server::connectNewThread, servicePort, replyPort,
taskPort, auditToken);
END_IPCN(CSSM)
+ if (*rcode)
+ Syslog::notice("setupThread failed rcode=%d", *rcode);
return KERN_SUCCESS;
}
kern_return_t ucsp_server_teardown(UCSP_ARGS)
{
BEGIN_IPCN
+ SECURITYD_REQUEST_ENTRY((char*)"teardown", NULL, NULL);
Server::active().endConnection(replyPort);
END_IPCN(CSSM)
return KERN_SUCCESS;
kern_return_t ucsp_server_verifyPrivileged(UCSP_ARGS)
{
BEGIN_IPCN
- // This line intentionally left blank.
+ SECURITYD_REQUEST_ENTRY((char*)"verifyPrivileged", NULL, NULL);
+ // doing nothing (we just want securityd's audit credentials returned)
END_IPCN(CSSM)
return KERN_SUCCESS;
}
//
// Common database operations
//
-kern_return_t ucsp_server_authenticateDb(UCSP_ARGS, IPCDbHandle db,
+kern_return_t ucsp_server_authenticateDb(UCSP_ARGS, DbHandle db,
CSSM_DB_ACCESS_TYPE accessType, DATA_IN(cred))
{
- BEGIN_IPC
+ BEGIN_IPC(authenticateDb)
secdebug("dl", "authenticateDb");
CopyOutAccessCredentials creds(cred, credLength);
// ignoring accessType
END_IPC(DL)
}
-kern_return_t ucsp_server_releaseDb(UCSP_ARGS, IPCDbHandle db)
+kern_return_t ucsp_server_releaseDb(UCSP_ARGS, DbHandle db)
{
- BEGIN_IPC
+ BEGIN_IPC(releaseDb)
connection.process().kill(*Server::database(db));
END_IPC(DL)
}
-kern_return_t ucsp_server_getDbName(UCSP_ARGS, IPCDbHandle db, char name[PATH_MAX])
+kern_return_t ucsp_server_getDbName(UCSP_ARGS, DbHandle db, char name[PATH_MAX])
{
- BEGIN_IPC
+ BEGIN_IPC(getDbName)
string result = Server::database(db)->dbName();
assert(result.length() < PATH_MAX);
memcpy(name, result.c_str(), result.length() + 1);
END_IPC(DL)
}
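Review bot: The only bound on the copy into `name[PATH_MAX]` in ucsp_server_getDbName() is `assert(result.length() < PATH_MAX);`, which compiles to nothing when NDEBUG is defined, so release builds run the memcpy() with no length check. The stored name can be replaced through ucsp_server_setDbName() just below, so its length is presumably client-influenced up to whatever the IPC layer permits. Suggest a runtime check that raises instead of the assert, e.g. `if (result.length() >= PATH_MAX) CssmError::throwMe(CSSMERR_DL_INVALID_DB_NAME);`, which the END_IPC(DL) catch clauses turn into an error return for the caller.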
-kern_return_t ucsp_server_setDbName(UCSP_ARGS, IPCDbHandle db, const char *name)
+kern_return_t ucsp_server_setDbName(UCSP_ARGS, DbHandle db, const char *name)
{
- BEGIN_IPC
+ BEGIN_IPC(setDbName)
Server::database(db)->dbName(name);
END_IPC(DL)
}
// External database interface
//
kern_return_t ucsp_server_openToken(UCSP_ARGS, uint32 ssid, FilePath name,
- DATA_IN(accessCredentials), IPCDbHandle *db)
+ DATA_IN(accessCredentials), DbHandle *db)
{
- BEGIN_IPC
+ BEGIN_IPC(openToken)
CopyOutAccessCredentials creds(accessCredentials, accessCredentialsLength);
*db = (new TokenDatabase(ssid, connection.process(), name, creds))->handle();
END_IPC(DL)
}
-kern_return_t ucsp_server_findFirst(UCSP_ARGS, IPCDbHandle db,
+kern_return_t ucsp_server_findFirst(UCSP_ARGS, DbHandle db,
DATA_IN(inQuery), DATA_IN(inAttributes), DATA_OUT(outAttributes),
boolean_t getData, DATA_OUT(data),
- IPCKeyHandle *hKey, IPCSearchHandle *hSearch, IPCRecordHandle *hRecord)
+ KeyHandle *hKey, SearchHandle *hSearch, IPCRecordHandle *hRecord)
{
- BEGIN_IPC
+ BEGIN_IPC(findFirst)
CopyOutQuery query(inQuery, inQueryLength);
CopyOutDbRecordAttributes attrs(inAttributes, inAttributesLength);
}
-kern_return_t ucsp_server_findNext(UCSP_ARGS, IPCSearchHandle hSearch,
+kern_return_t ucsp_server_findNext(UCSP_ARGS, SearchHandle hSearch,
DATA_IN(inAttributes),
DATA_OUT(outAttributes),
- boolean_t getData, DATA_OUT(data), IPCKeyHandle *hKey,
+ boolean_t getData, DATA_OUT(data), KeyHandle *hKey,
IPCRecordHandle *hRecord)
{
- BEGIN_IPC
+ BEGIN_IPC(findNext)
CopyOutDbRecordAttributes attrs(inAttributes, inAttributesLength);
RefPointer<Database::Search> search =
Server::find<Database::Search>(hSearch, CSSMERR_DL_INVALID_RESULTS_HANDLE);
kern_return_t ucsp_server_findRecordHandle(UCSP_ARGS, IPCRecordHandle hRecord,
DATA_IN(inAttributes), DATA_OUT(outAttributes),
- boolean_t getData, DATA_OUT(data), IPCKeyHandle *hKey)
+ boolean_t getData, DATA_OUT(data), KeyHandle *hKey)
{
- BEGIN_IPC
+ BEGIN_IPC(findRecordHandle)
CopyOutDbRecordAttributes attrs(inAttributes, inAttributesLength);
RefPointer<Database::Record> record =
Server::find<Database::Record>(hRecord, CSSMERR_DL_INVALID_RECORD_UID);
// return data (temporary fix)
if (getData) {
+ /*
+ We can't release this with the usual allocator (which calls free(), since
+ it was VM allocated. Part of the fix for:
+ <rdar://problem/6738709> securityd leaks VM memory during certain smartcard operations
+ will be to call Server::releaseWhenDone below with a new vm allocator param
+ */
Server::releaseWhenDone(outData.data());
xdrproc_t encode_proc = reinterpret_cast<xdrproc_t>(xdr_CSSM_NO_KEY_IN_DATA);
if (key)
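Review bot: The comment added above `Server::releaseWhenDone(outData.data())` says the buffer was VM allocated and cannot be released by the usual allocator, yet the call it annotates is unchanged and still takes that path. Until the vm-allocator parameter it mentions exists, mark the line so it is not read as correct code, e.g. `// FIXME(rdar://problem/6738709): outData is VM allocated; this release path is wrong`. The parenthesis opened at `(which calls free(),` is also never closed. The rest of ucsp_server_findRecordHandle lies outside the hunk.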
END_IPC(DL)
}
-kern_return_t ucsp_server_insertRecord(UCSP_ARGS, IPCDbHandle db, CSSM_DB_RECORDTYPE recordType,
+kern_return_t ucsp_server_insertRecord(UCSP_ARGS, DbHandle db, CSSM_DB_RECORDTYPE recordType,
DATA_IN(inAttributes), DATA_IN(data), IPCRecordHandle *record)
{
- BEGIN_IPC
+ BEGIN_IPC(insertRecord)
RecordHandle recordHandle;
CopyOutDbRecordAttributes attrs(inAttributes, inAttributesLength);
Server::database(db)->insertRecord(recordType, attrs.attribute_data(), attrs.length(),
END_IPC(DL)
}
-kern_return_t ucsp_server_modifyRecord(UCSP_ARGS, IPCDbHandle db, IPCRecordHandle *hRecord,
+kern_return_t ucsp_server_modifyRecord(UCSP_ARGS, DbHandle db, IPCRecordHandle *hRecord,
CSSM_DB_RECORDTYPE recordType, DATA_IN(attributes),
boolean_t setData, DATA_IN(data), CSSM_DB_MODIFY_MODE modifyMode)
{
- BEGIN_IPC
+ BEGIN_IPC(modifyRecord)
CopyOutDbRecordAttributes attrs(attributes, attributesLength);
CssmData newData(DATA(data));
RefPointer<Database::Record> record =
END_IPC(DL)
}
-kern_return_t ucsp_server_deleteRecord(UCSP_ARGS, IPCDbHandle db, IPCRecordHandle hRecord)
+kern_return_t ucsp_server_deleteRecord(UCSP_ARGS, DbHandle db, IPCRecordHandle hRecord)
{
- BEGIN_IPC
+ BEGIN_IPC(deleteRecord)
Server::database(db)->deleteRecord(
Server::find<Database::Record>(hRecord, CSSMERR_DL_INVALID_RECORD_UID));
END_IPC(DL)
}
-kern_return_t ucsp_server_releaseSearch(UCSP_ARGS, IPCSearchHandle hSearch)
+kern_return_t ucsp_server_releaseSearch(UCSP_ARGS, SearchHandle hSearch)
{
- BEGIN_IPC
+ BEGIN_IPC(releaseSearch)
RefPointer<Database::Search> search = Server::find<Database::Search>(hSearch, 0);
search->database().releaseSearch(*search);
END_IPC(DL)
kern_return_t ucsp_server_releaseRecord(UCSP_ARGS, IPCRecordHandle hRecord)
{
- BEGIN_IPC
+ BEGIN_IPC(releaseRecord)
RefPointer<Database::Record> record = Server::find<Database::Record>(hRecord, 0);
record->database().releaseRecord(*record);
END_IPC(DL)
//
// Internal database management
//
-kern_return_t ucsp_server_createDb(UCSP_ARGS, IPCDbHandle *db,
+kern_return_t ucsp_server_createDb(UCSP_ARGS, DbHandle *db,
DATA_IN(ident), DATA_IN(cred), DATA_IN(owner),
DBParameters params)
{
- BEGIN_IPC
+ BEGIN_IPC(createDb)
CopyOutAccessCredentials creds(cred, credLength);
CopyOutEntryAcl owneracl(owner, ownerLength);
CopyOut flatident(ident, identLength, reinterpret_cast<xdrproc_t>(xdr_DLDbFlatIdentifierRef));
END_IPC(DL)
}
-// keychain synchronization
-// @@@ caller should be required to call decodeDb() to get a DbHandle
-// instead of passing the blob itself
-kern_return_t ucsp_server_cloneDbForSync(UCSP_ARGS, DATA_IN(blob),
- IPCDbHandle srcDb, DATA_IN(agentData), IPCDbHandle *newDb)
+kern_return_t ucsp_server_recodeDbForSync(UCSP_ARGS, DbHandle dbToClone,
+ DbHandle srcDb, DbHandle *newDb)
{
- BEGIN_IPC
+ BEGIN_IPC(recodeDbForSync)
RefPointer<KeychainDatabase> srcKC = Server::keychain(srcDb);
- *newDb = (new KeychainDatabase(*srcKC, connection.process(),
- SSBLOB(DbBlob, blob), DATA(agentData)))->handle();
+ *newDb = (new KeychainDatabase(*srcKC, connection.process(), dbToClone))->handle();
+ END_IPC(DL)
+}
+
+kern_return_t ucsp_server_authenticateDbsForSync(UCSP_ARGS, DATA_IN(dbHandleArray),
+ DATA_IN(agentData), DbHandle* authenticatedDBHandle)
+{
+ BEGIN_IPC(authenticateDbsForSync)
+ QueryDBBlobSecret query;
+ query.inferHints(connection.process());
+ query.addHint(AGENT_HINT_KCSYNC_DICT, agentData, agentDataLength);
+ CSSM_DATA dbData = DATA(dbHandleArray);
+ uint8 ipcDbHandleArrayCount = *(dbData.Data);
+ DbHandle *ipcDbHandleArray = (DbHandle *)Allocator::standard().malloc(ipcDbHandleArrayCount * sizeof(DbHandle));
+ if ( ipcDbHandleArray == 0 )
+ CssmError::throwMe(CSSMERR_CSSM_MEMORY_ERROR);
+ DbHandle *currIPCDbHandleArrayPtr = ipcDbHandleArray;
+ DbHandle *dbHandleArrayPtr = (DbHandle *)(dbData.Data+1);
+ int index;
+ for (index=0; index < ipcDbHandleArrayCount; index++)
+ {
+ *currIPCDbHandleArrayPtr = *dbHandleArrayPtr;
+ Server::keychain(*currIPCDbHandleArrayPtr)->lockDb(); // lock this db if it was unlocked in the past (user could have deleted the kc, resetLogin, etc.)
+ currIPCDbHandleArrayPtr++;
+ dbHandleArrayPtr++;
+ }
+ Server::releaseWhenDone(ipcDbHandleArray);
+ if (query(ipcDbHandleArray, ipcDbHandleArrayCount, authenticatedDBHandle) != SecurityAgent::noReason)
+ CssmError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED);
END_IPC(DL)
}
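Review bot: `ucsp_server_authenticateDbsForSync` takes the first byte of the client-supplied `dbHandleArray` as an element count and reads that many `DbHandle` values from `dbData.Data+1` without ever consulting `dbData.Length`, so an empty or short message makes the loop read past the received buffer. The handles are also read through a `DbHandle *` at an odd offset, which is a misaligned access. In addition, `ipcDbHandleArray` reaches `Server::releaseWhenDone` only after the loop, so it leaks if `Server::keychain()` throws for an unknown handle (presumably it does; its definition is not shown here). Check the length before dereferencing, register the buffer for release before the loop, and copy the handles with `memcpy`.

```cpp
	CSSM_DATA dbData = DATA(dbHandleArray);
	// the count byte must be present before it is read
	if (dbData.Data == NULL || dbData.Length < 1)
		CssmError::throwMe(CSSM_ERRCODE_INVALID_DATA);
	uint8 ipcDbHandleArrayCount = *(dbData.Data);
	// the message must actually carry that many handles
	if (dbData.Length - 1 < ipcDbHandleArrayCount * sizeof(DbHandle))
		CssmError::throwMe(CSSM_ERRCODE_INVALID_DATA);
	// ... unchanged: malloc of ipcDbHandleArray and its NULL check ...
	Server::releaseWhenDone(ipcDbHandleArray);	// register before anything below can throw
	// bytewise copy: Data+1 is not aligned for DbHandle
	memcpy(ipcDbHandleArray, dbData.Data + 1, ipcDbHandleArrayCount * sizeof(DbHandle));
	for (int index = 0; index < ipcDbHandleArrayCount; index++)
		Server::keychain(ipcDbHandleArray[index])->lockDb();	// lock this db if it was unlocked in the past
	// ... unchanged: query(...) call and the auth-denied throw ...
```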
-kern_return_t ucsp_server_commitDbForSync(UCSP_ARGS, IPCDbHandle srcDb,
- IPCDbHandle cloneDb, DATA_OUT(blob))
+kern_return_t ucsp_server_commitDbForSync(UCSP_ARGS, DbHandle srcDb,
+ DbHandle cloneDb, DATA_OUT(blob))
{
- BEGIN_IPC
+ BEGIN_IPC(commitDbForSync)
RefPointer<KeychainDatabase> srcKC = Server::keychain(srcDb);
RefPointer<KeychainDatabase> cloneKC = Server::keychain(cloneDb);
srcKC->commitSecretsForSync(*cloneKC);
END_IPC(DL)
}
-kern_return_t ucsp_server_decodeDb(UCSP_ARGS, IPCDbHandle *db,
+kern_return_t ucsp_server_decodeDb(UCSP_ARGS, DbHandle *db,
DATA_IN(ident), DATA_IN(cred), DATA_IN(blob))
{
- BEGIN_IPC
+ BEGIN_IPC(decodeDb)
CopyOutAccessCredentials creds(cred, credLength);
CopyOut flatident(ident, identLength, reinterpret_cast<xdrproc_t>(xdr_DLDbFlatIdentifierRef));
- *db = (new KeychainDatabase(*reinterpret_cast<DLDbFlatIdentifier*>(flatident.data()), SSBLOB(DbBlob, blob),
+ DLDbFlatIdentifier* flatID = (DLDbFlatIdentifier*) flatident.data();
+ DLDbIdentifier id = *flatID; // invokes a casting operator
+
+ *db = (new KeychainDatabase(id, SSBLOB(DbBlob, blob),
connection.process(), creds))->handle();
END_IPC(DL)
}
-kern_return_t ucsp_server_encodeDb(UCSP_ARGS, IPCDbHandle db, DATA_OUT(blob))
+kern_return_t ucsp_server_encodeDb(UCSP_ARGS, DbHandle db, DATA_OUT(blob))
{
- BEGIN_IPC
+ BEGIN_IPC(encodeDb)
DbBlob *dbBlob = Server::keychain(db)->blob(); // memory owned by database
*blob = dbBlob;
*blobLength = dbBlob->length();
END_IPC(DL)
}
-kern_return_t ucsp_server_setDbParameters(UCSP_ARGS, IPCDbHandle db, DBParameters params)
+kern_return_t ucsp_server_setDbParameters(UCSP_ARGS, DbHandle db, DBParameters params)
{
- BEGIN_IPC
+ BEGIN_IPC(setDbParameters)
Server::keychain(db)->setParameters(params);
END_IPC(DL)
}
-kern_return_t ucsp_server_getDbParameters(UCSP_ARGS, IPCDbHandle db, DBParameters *params)
+kern_return_t ucsp_server_getDbParameters(UCSP_ARGS, DbHandle db, DBParameters *params)
{
- BEGIN_IPC
+ BEGIN_IPC(getDbParameters)
Server::keychain(db)->getParameters(*params);
END_IPC(DL)
}
-kern_return_t ucsp_server_changePassphrase(UCSP_ARGS, IPCDbHandle db,
+kern_return_t ucsp_server_changePassphrase(UCSP_ARGS, DbHandle db,
DATA_IN(cred))
{
- BEGIN_IPC
+ BEGIN_IPC(changePassphrase)
CopyOutAccessCredentials creds(cred, credLength);
Server::keychain(db)->changePassphrase(creds);
END_IPC(DL)
kern_return_t ucsp_server_lockAll (UCSP_ARGS, boolean_t)
{
- BEGIN_IPC
+ BEGIN_IPC(lockAll)
connection.session().processLockAll();
END_IPC(DL)
}
-kern_return_t ucsp_server_unlockDb(UCSP_ARGS, IPCDbHandle db)
+kern_return_t ucsp_server_unlockDb(UCSP_ARGS, DbHandle db)
{
- BEGIN_IPC
+ BEGIN_IPC(unlockDb)
Server::keychain(db)->unlockDb();
END_IPC(DL)
}
-kern_return_t ucsp_server_unlockDbWithPassphrase(UCSP_ARGS, IPCDbHandle db, DATA_IN(passphrase))
+kern_return_t ucsp_server_unlockDbWithPassphrase(UCSP_ARGS, DbHandle db, DATA_IN(passphrase))
{
- BEGIN_IPC
+ BEGIN_IPC(unlockDbWithPassphrase)
Server::keychain(db)->unlockDb(DATA(passphrase));
END_IPC(DL)
}
-kern_return_t ucsp_server_isLocked(UCSP_ARGS, IPCDbHandle db, boolean_t *locked)
+kern_return_t ucsp_server_isLocked(UCSP_ARGS, DbHandle db, boolean_t *locked)
{
- BEGIN_IPC
+ BEGIN_IPC(isLocked)
*locked = Server::database(db)->isLocked();
END_IPC(DL)
}
//
// Key management
//
-kern_return_t ucsp_server_encodeKey(UCSP_ARGS, IPCKeyHandle keyh, DATA_OUT(blob),
+kern_return_t ucsp_server_encodeKey(UCSP_ARGS, KeyHandle keyh, DATA_OUT(blob),
boolean_t wantUid, DATA_OUT(uid))
{
- BEGIN_IPC
+ BEGIN_IPC(encodeKey)
RefPointer<Key> gKey = Server::key(keyh);
if (KeychainKey *key = dynamic_cast<KeychainKey *>(gKey.get())) {
KeyBlob *keyBlob = key->blob(); // still owned by key
END_IPC(CSP)
}
-kern_return_t ucsp_server_decodeKey(UCSP_ARGS, IPCKeyHandle *keyh, DATA_OUT(keyHeader),
- IPCDbHandle db, DATA_IN(blob))
+kern_return_t ucsp_server_decodeKey(UCSP_ARGS, KeyHandle *keyh, DATA_OUT(keyHeader),
+ DbHandle db, DATA_IN(blob))
{
- BEGIN_IPC
+ BEGIN_IPC(decodeKey)
RefPointer<Key> key = new KeychainKey(*Server::keychain(db), SSBLOB(KeyBlob, blob));
CssmKey::Header header;
- KeyHandle keyHandle;
- key->returnKey(keyHandle, header);
- *keyh = keyHandle;
+ key->returnKey(*keyh, header);
if (!copyin(&header, reinterpret_cast<xdrproc_t> (xdr_CSSM_KEYHEADER), keyHeader, keyHeaderLength))
CssmError::throwMe(CSSMERR_CSSM_MEMORY_ERROR);
Server::releaseWhenDone(*keyHeader);
}
// keychain synchronization
-kern_return_t ucsp_server_recodeKey(UCSP_ARGS, IPCDbHandle oldDb, IPCKeyHandle keyh,
- IPCDbHandle newDb, DATA_OUT(newBlob))
+kern_return_t ucsp_server_recodeKey(UCSP_ARGS, DbHandle oldDb, KeyHandle keyh,
+ DbHandle newDb, DATA_OUT(newBlob))
{
- BEGIN_IPC
+ BEGIN_IPC(recodeKey)
// If the old key is passed in as DATA_IN(oldBlob):
// RefPointer<KeychainKey> key = new KeychainKey(*Server::keychain(oldDb), SSBLOB(KeyBlob, oldBlob));
RefPointer<Key> key = Server::key(keyh);
END_IPC(CSP)
}
-kern_return_t ucsp_server_releaseKey(UCSP_ARGS, IPCKeyHandle keyh)
+kern_return_t ucsp_server_releaseKey(UCSP_ARGS, KeyHandle keyh)
{
- BEGIN_IPC
+ BEGIN_IPC(releaseKey)
RefPointer<Key> key = Server::key(keyh);
key->database().releaseKey(*key);
END_IPC(CSP)
}
-kern_return_t ucsp_server_queryKeySizeInBits(UCSP_ARGS, IPCKeyHandle keyh, CSSM_KEY_SIZE *length)
+kern_return_t ucsp_server_queryKeySizeInBits(UCSP_ARGS, KeyHandle keyh, CSSM_KEY_SIZE *length)
{
- BEGIN_IPC
+ BEGIN_IPC(queryKeySizeInBits)
RefPointer<Key> key = Server::key(keyh);
key->database().queryKeySizeInBits(*key, CssmKeySize::overlay(*length));
END_IPC(CSP)
}
-kern_return_t ucsp_server_getOutputSize(UCSP_ARGS, DATA_IN(context), IPCKeyHandle keyh,
+kern_return_t ucsp_server_getOutputSize(UCSP_ARGS, DATA_IN(context), KeyHandle keyh,
uint32 inputSize, boolean_t encrypt, uint32 *outputSize)
{
- BEGIN_IPC
+ BEGIN_IPC(getOutputSize)
CopyOutContext ctx(context, contextLength);
RefPointer<Key> key = Server::key(keyh);
key->database().getOutputSize(*ctx, *key, inputSize, encrypt, *outputSize);
END_IPC(CSP)
}
-kern_return_t ucsp_server_getKeyDigest(UCSP_ARGS, IPCKeyHandle key, DATA_OUT(digest))
+kern_return_t ucsp_server_getKeyDigest(UCSP_ARGS, KeyHandle key, DATA_OUT(digest))
{
- BEGIN_IPC
+ BEGIN_IPC(getKeyDigest)
CssmData digestData = Server::key(key)->canonicalDigest();
*digest = digestData.data();
*digestLength = digestData.length();
//
// Signatures and MACs
//
-kern_return_t ucsp_server_generateSignature(UCSP_ARGS, DATA_IN(context), IPCKeyHandle keyh,
+kern_return_t ucsp_server_generateSignature(UCSP_ARGS, DATA_IN(context), KeyHandle keyh,
CSSM_ALGORITHMS signOnlyAlgorithm, DATA_IN(data), DATA_OUT(signature))
{
- BEGIN_IPC
+ BEGIN_IPC(generateSignature)
CopyOutContext ctx(context, contextLength);
RefPointer<Key> key = Server::key(keyh);
OutputData sigData(signature, signatureLength);
END_IPC(CSP)
}
-kern_return_t ucsp_server_verifySignature(UCSP_ARGS, DATA_IN(context), IPCKeyHandle keyh,
+kern_return_t ucsp_server_verifySignature(UCSP_ARGS, DATA_IN(context), KeyHandle keyh,
CSSM_ALGORITHMS verifyOnlyAlgorithm, DATA_IN(data), DATA_IN(signature))
{
- BEGIN_IPC
+ BEGIN_IPC(verifySignature)
CopyOutContext ctx(context, contextLength);
RefPointer<Key> key = Server::key(keyh);
key->database().verifySignature(*ctx, *key, verifyOnlyAlgorithm,
END_IPC(CSP)
}
-kern_return_t ucsp_server_generateMac(UCSP_ARGS, DATA_IN(context), IPCKeyHandle keyh,
+kern_return_t ucsp_server_generateMac(UCSP_ARGS, DATA_IN(context), KeyHandle keyh,
DATA_IN(data), DATA_OUT(mac))
{
- BEGIN_IPC
+ BEGIN_IPC(generateMac)
CopyOutContext ctx(context, contextLength);
RefPointer<Key> key = Server::key(keyh);
OutputData macData(mac, macLength);
END_IPC(CSP)
}
-kern_return_t ucsp_server_verifyMac(UCSP_ARGS, DATA_IN(context), IPCKeyHandle keyh,
+kern_return_t ucsp_server_verifyMac(UCSP_ARGS, DATA_IN(context), KeyHandle keyh,
DATA_IN(data), DATA_IN(mac))
{
- BEGIN_IPC
+ BEGIN_IPC(verifyMac)
CopyOutContext ctx(context, contextLength);
RefPointer<Key> key = Server::key(keyh);
key->database().verifyMac(*ctx, *key, DATA(data), DATA(mac));
//
// Encryption/Decryption
//
-kern_return_t ucsp_server_encrypt(UCSP_ARGS, DATA_IN(context), IPCKeyHandle keyh,
+kern_return_t ucsp_server_encrypt(UCSP_ARGS, DATA_IN(context), KeyHandle keyh,
DATA_IN(clear), DATA_OUT(cipher))
{
- BEGIN_IPC
+ BEGIN_IPC(encrypt)
CopyOutContext ctx(context, contextLength);
RefPointer<Key> key = Server::key(keyh);
OutputData cipherOut(cipher, cipherLength);
END_IPC(CSP)
}
-kern_return_t ucsp_server_decrypt(UCSP_ARGS, DATA_IN(context), IPCKeyHandle keyh,
+kern_return_t ucsp_server_decrypt(UCSP_ARGS, DATA_IN(context), KeyHandle keyh,
DATA_IN(cipher), DATA_OUT(clear))
{
- BEGIN_IPC
+ BEGIN_IPC(decrypt)
CopyOutContext ctx(context, contextLength);
RefPointer<Key> key = Server::key(keyh);
OutputData clearOut(clear, clearLength);
//
// Key generation
//
-kern_return_t ucsp_server_generateKey(UCSP_ARGS, IPCDbHandle db, DATA_IN(context),
+kern_return_t ucsp_server_generateKey(UCSP_ARGS, DbHandle db, DATA_IN(context),
DATA_IN(cred), DATA_IN(owner),
- uint32 usage, uint32 attrs, IPCKeyHandle *newKey, DATA_OUT(keyHeader))
+ uint32 usage, uint32 attrs, KeyHandle *newKey, DATA_OUT(keyHeader))
{
- BEGIN_IPC
+ BEGIN_IPC(generateKey)
CopyOutContext ctx(context, contextLength);
CopyOutAccessCredentials creds(cred, credLength);
RefPointer<Key> key;
database->generateKey(*ctx, creds, owneracl, usage, attrs, key);
CssmKey::Header newHeader;
- KeyHandle keyHandle;
- key->returnKey(keyHandle, newHeader);
- *newKey = keyHandle;
+ key->returnKey(*newKey, newHeader);
if (!copyin(&newHeader, reinterpret_cast<xdrproc_t> (xdr_CSSM_KEYHEADER), keyHeader, keyHeaderLength))
CssmError::throwMe(CSSMERR_CSSM_MEMORY_ERROR);
END_IPC(CSP)
}
-kern_return_t ucsp_server_generateKeyPair(UCSP_ARGS, IPCDbHandle db, DATA_IN(context),
+kern_return_t ucsp_server_generateKeyPair(UCSP_ARGS, DbHandle db, DATA_IN(context),
DATA_IN(cred), DATA_IN(owner),
uint32 pubUsage, uint32 pubAttrs, uint32 privUsage, uint32 privAttrs,
- IPCKeyHandle *pubKey, DATA_OUT(pubHeader), IPCKeyHandle *privKey, DATA_OUT(privHeader))
+ KeyHandle *pubKey, DATA_OUT(pubHeader), KeyHandle *privKey, DATA_OUT(privHeader))
{
- BEGIN_IPC
+ BEGIN_IPC(generateKeyPair)
CopyOutContext ctx(context, contextLength);
CopyOutAccessCredentials creds(cred, credLength);
CopyOutEntryAcl owneracl(owner, ownerLength);
database->generateKey(*ctx, creds, owneracl,
pubUsage, pubAttrs, privUsage, privAttrs, pub, priv);
CssmKey::Header tmpPubHeader, tmpPrivHeader;
- KeyHandle pubKeyHandle, privKeyHandle;
- pub->returnKey(pubKeyHandle, tmpPubHeader);
- *pubKey = pubKeyHandle;
+ pub->returnKey(*pubKey, tmpPubHeader);
if (!copyin(&tmpPubHeader, reinterpret_cast<xdrproc_t> (xdr_CSSM_KEYHEADER), pubHeader, pubHeaderLength))
CssmError::throwMe(CSSMERR_CSSM_MEMORY_ERROR);
Server::releaseWhenDone(*pubHeader);
- priv->returnKey(privKeyHandle, tmpPrivHeader);
- *privKey = privKeyHandle;
+ priv->returnKey(*privKey, tmpPrivHeader);
if (!copyin(&tmpPrivHeader, reinterpret_cast<xdrproc_t> (xdr_CSSM_KEYHEADER), privHeader, privHeaderLength))
CssmError::throwMe(CSSMERR_CSSM_MEMORY_ERROR);
Server::releaseWhenDone(*privHeader);
//
// Key wrapping and unwrapping
//
-kern_return_t ucsp_server_wrapKey(UCSP_ARGS, DATA_IN(context), IPCKeyHandle hWrappingKey,
- DATA_IN(cred), IPCKeyHandle hKeyToBeWrapped,
+kern_return_t ucsp_server_wrapKey(UCSP_ARGS, DATA_IN(context), KeyHandle hWrappingKey,
+ DATA_IN(cred), KeyHandle hKeyToBeWrapped,
DATA_IN(descriptiveData), DATA_OUT(wrappedKeyData))
{
- BEGIN_IPC
+ BEGIN_IPC(wrapKey)
CssmKey wrappedKey;
CopyOutContext ctx(context, contextLength);
CopyOutAccessCredentials creds(cred, credLength);
END_IPC(CSP)
}
-kern_return_t ucsp_server_unwrapKey(UCSP_ARGS, IPCDbHandle db, DATA_IN(context),
- IPCKeyHandle hWrappingKey, DATA_IN(cred), DATA_IN(owner),
- IPCKeyHandle hPublicKey, DATA_IN(wrappedKeyData),
+kern_return_t ucsp_server_unwrapKey(UCSP_ARGS, DbHandle db, DATA_IN(context),
+ KeyHandle hWrappingKey, DATA_IN(cred), DATA_IN(owner),
+ KeyHandle hPublicKey, DATA_IN(wrappedKeyData),
CSSM_KEYUSE usage, CSSM_KEYATTR_FLAGS attrs, DATA_OUT(descriptiveData),
- IPCKeyHandle *newKey, DATA_OUT(keyHeader)/*CssmKey::Header *newHeader*/)
+ KeyHandle *newKey, DATA_OUT(keyHeader)/*CssmKey::Header *newHeader*/)
{
- BEGIN_IPC
+ BEGIN_IPC(unwrapKey)
CopyOutContext ctx(context, contextLength);
CopyOutKey wrappedKey(wrappedKeyData, wrappedKeyDataLength);
CopyOutAccessCredentials creds(cred, credLength);
usage, attrs, wrappedKey.key(), unwrappedKey, descriptiveDatas);
CssmKey::Header newHeader;
- KeyHandle keyHandle;
- unwrappedKey->returnKey(keyHandle, newHeader);
- *newKey = keyHandle;
+ unwrappedKey->returnKey(*newKey, newHeader);
if (!copyin(&newHeader, reinterpret_cast<xdrproc_t> (xdr_CSSM_KEYHEADER), keyHeader, keyHeaderLength))
CssmError::throwMe(CSSMERR_CSSM_MEMORY_ERROR);
Server::releaseWhenDone(*keyHeader);
// (artificial) POD CssmDeriveData handles those that are known; if you add
// an algorithm with structured param, you need to add a case there.
//
-kern_return_t ucsp_server_deriveKey(UCSP_ARGS, IPCDbHandle db, DATA_IN(context), IPCKeyHandle hKey,
+kern_return_t ucsp_server_deriveKey(UCSP_ARGS, DbHandle db, DATA_IN(context), KeyHandle hKey,
DATA_IN(cred), DATA_IN(owner),
DATA_IN(paramInput), DATA_OUT(paramOutput),
- uint32 usage, uint32 attrs, IPCKeyHandle *newKey, DATA_OUT(keyHeader))
+ uint32 usage, uint32 attrs, KeyHandle *newKey, DATA_OUT(keyHeader))
{
- BEGIN_IPC
+ BEGIN_IPC(deriveKey)
CopyOutContext ctx(context, contextLength);
CopyOutAccessCredentials creds(cred, credLength);
CopyOutEntryAcl owneracl(owner, ownerLength);
key)->deriveKey(*ctx, key, creds, owneracl, static_cast<CssmData*>(¶m), usage, attrs, derivedKey);
CssmKey::Header newHeader;
- KeyHandle keyHandle;
- derivedKey->returnKey(keyHandle, newHeader);
- *newKey = keyHandle;
+ derivedKey->returnKey(*newKey, newHeader);
if (!copyin(&newHeader, reinterpret_cast<xdrproc_t> (xdr_CSSM_KEYHEADER), keyHeader, keyHeaderLength))
CssmError::throwMe(CSSMERR_CSSM_MEMORY_ERROR);
//
kern_return_t ucsp_server_generateRandom(UCSP_ARGS, uint32 ssid, DATA_IN(context), DATA_OUT(data))
{
- BEGIN_IPC
+ BEGIN_IPC(generateRandom)
CopyOutContext ctx(context, contextLength);
if (ssid)
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
// ACL management.
// Watch out for the memory-management tap-dance.
//
-kern_return_t ucsp_server_getOwner(UCSP_ARGS, AclKind kind, IPCKeyHandle key,
+kern_return_t ucsp_server_getOwner(UCSP_ARGS, AclKind kind, KeyHandle key,
DATA_OUT(ownerOut))
{
- BEGIN_IPC
+ BEGIN_IPC(getOwner)
AclOwnerPrototype owner;
Server::aclBearer(kind, key).getOwner(owner); // allocates memory in owner
void *owners_data; u_int owners_length;
END_IPC(CSP)
}
-kern_return_t ucsp_server_setOwner(UCSP_ARGS, AclKind kind, IPCKeyHandle key,
+kern_return_t ucsp_server_setOwner(UCSP_ARGS, AclKind kind, KeyHandle key,
DATA_IN(cred), DATA_IN(owner))
{
- BEGIN_IPC
+ BEGIN_IPC(setOwner)
CopyOutAccessCredentials creds(cred, credLength);
CopyOutOwnerAcl owneracl(owner, ownerLength);
Server::aclBearer(kind, key).changeOwner(*owneracl, creds);
END_IPC(CSP)
}
-kern_return_t ucsp_server_getAcl(UCSP_ARGS, AclKind kind, IPCKeyHandle key,
+kern_return_t ucsp_server_getAcl(UCSP_ARGS, AclKind kind, KeyHandle key,
boolean_t haveTag, const char *tag,
uint32 *countp, DATA_OUT(acls))
{
- BEGIN_IPC
+ BEGIN_IPC(getAcl)
uint32 count;
AclEntryInfo *aclList;
Server::aclBearer(kind, key).getAcl(haveTag ? tag : NULL, count, aclList);
END_IPC(CSP)
}
-kern_return_t ucsp_server_changeAcl(UCSP_ARGS, AclKind kind, IPCKeyHandle key,
- DATA_IN(cred), CSSM_ACL_EDIT_MODE mode, IPCGenericHandle handle,
+kern_return_t ucsp_server_changeAcl(UCSP_ARGS, AclKind kind, KeyHandle key,
+ DATA_IN(cred), CSSM_ACL_EDIT_MODE mode, GenericHandle handle,
DATA_IN(acl))
{
- BEGIN_IPC
+ BEGIN_IPC(changeAcl)
CopyOutAccessCredentials creds(cred, credLength);
CopyOutAclEntryInput entryacl(acl, aclLength);
//
kern_return_t ucsp_server_login(UCSP_ARGS, DATA_IN(cred), DATA_IN(name))
{
- BEGIN_IPC
+ BEGIN_IPC(login)
CopyOutAccessCredentials creds(cred, credLength);
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END_IPC(CSP)
kern_return_t ucsp_server_logout(UCSP_ARGS)
{
- BEGIN_IPC
+ BEGIN_IPC(logout)
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END_IPC(CSP)
}
//
kern_return_t ucsp_server_getStatistics(UCSP_ARGS, uint32 ssid, CSSM_CSP_OPERATIONAL_STATISTICS *statistics)
{
- BEGIN_IPC
+ BEGIN_IPC(getStatistics)
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END_IPC(CSP)
}
kern_return_t ucsp_server_getTime(UCSP_ARGS, uint32 ssid, CSSM_ALGORITHMS algorithm, DATA_OUT(data))
{
- BEGIN_IPC
+ BEGIN_IPC(getTime)
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END_IPC(CSP)
}
kern_return_t ucsp_server_getCounter(UCSP_ARGS, uint32 ssid, DATA_OUT(data))
{
- BEGIN_IPC
+ BEGIN_IPC(getCounter)
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END_IPC(CSP)
}
kern_return_t ucsp_server_selfVerify(UCSP_ARGS, uint32 ssid)
{
- BEGIN_IPC
+ BEGIN_IPC(selfVerify)
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END_IPC(CSP)
}
// Passthrough calls (separate for CSP and DL passthroughs)
//
kern_return_t ucsp_server_cspPassThrough(UCSP_ARGS, uint32 ssid, uint32 id, DATA_IN(context),
- IPCKeyHandle hKey, DATA_IN(inData), DATA_OUT(outData))
+ KeyHandle hKey, DATA_IN(inData), DATA_OUT(outData))
{
- BEGIN_IPC
+ BEGIN_IPC(cspPassThrough)
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END_IPC(CSP)
}
kern_return_t ucsp_server_dlPassThrough(UCSP_ARGS, uint32 ssid, uint32 id,
DATA_IN(inData), DATA_OUT(outData))
{
- BEGIN_IPC
+ BEGIN_IPC(dlPassThrough)
CssmError::throwMe(CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED);
END_IPC(DL)
}
// ExtractMasterKey looks vaguely like a key derivation operation, and is in fact
// presented by the CSPDL's CSSM layer as such.
//
-kern_return_t ucsp_server_extractMasterKey(UCSP_ARGS, IPCDbHandle db, DATA_IN(context), IPCDbHandle sourceDb,
+kern_return_t ucsp_server_extractMasterKey(UCSP_ARGS, DbHandle db, DATA_IN(context), DbHandle sourceDb,
DATA_IN(cred), DATA_IN(owner),
- uint32 usage, uint32 attrs, IPCKeyHandle *newKey, DATA_OUT(keyHeader))
+ uint32 usage, uint32 attrs, KeyHandle *newKey, DATA_OUT(keyHeader))
{
- BEGIN_IPC
+ BEGIN_IPC(extractMasterKey)
CopyOutAccessCredentials creds(cred, credLength);
CopyOutEntryAcl owneracl(owner, ownerLength);
CopyOutContext ctx(context, contextLength);
RefPointer<Key> masterKey = keychain->extractMasterKey(
*Server::optionalDatabase(db, attrs & CSSM_KEYATTR_PERMANENT),
creds, owneracl, usage, attrs);
- KeyHandle keyHandle;
CssmKey::Header header;
- masterKey->returnKey(keyHandle, header);
- *newKey = keyHandle;
+ masterKey->returnKey(*newKey, header);
if (!copyin(&header, reinterpret_cast<xdrproc_t> (xdr_CSSM_KEYHEADER), keyHeader, keyHeaderLength))
CssmError::throwMe(CSSMERR_CSSM_MEMORY_ERROR);
Server::releaseWhenDone(*keyHeader);
void *inEnvironment, mach_msg_type_number_t inEnvironmentLength,
AuthorizationBlob *authorization)
{
- BEGIN_IPC
+ BEGIN_IPC(authorizationCreate)
AuthorizationItemSet *authrights = NULL, *authenvironment = NULL;
if (inRights && !copyout_AuthorizationItemSet(inRights, inRightsLength, &authrights))
+ {
+ Syslog::alert("ucsp_server_authorizationCreate(): error converting 'rights' input");
CssmError::throwMe(errAuthorizationInternal); // allocation error probably
+ }
if (inEnvironment && !copyout_AuthorizationItemSet(inEnvironment, inEnvironmentLength, &authenvironment))
{
free(authrights);
+ Syslog::alert("ucsp_server_authorizationCreate(): error converting 'environment' input");
CssmError::throwMe(errAuthorizationInternal); // allocation error probably
}
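Review bot: The two `Syslog::alert` calls added on the `copyout_AuthorizationItemSet` failure paths fire on input the client controls (`inRights`, `inEnvironment`), so any caller that sends a malformed item set can produce alert-priority log entries at will. The same applies to the alerts added in ucsp_server_authorizationCopyRights. A lower priority such as `Syslog::notice`, which this change already uses for the setupThread failure, would keep the diagnostic without letting clients raise alerts. Identifying the calling process in the message would also make the entries attributable. The function's signature and the rest of its body lie outside the hunk.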
kern_return_t ucsp_server_authorizationRelease(UCSP_ARGS,
AuthorizationBlob authorization, uint32 flags)
{
- BEGIN_IPC
+ BEGIN_IPC(authorizationRelease)
connection.process().session().authFree(authorization, flags);
END_IPC(CSSM)
}
void *inEnvironment, mach_msg_type_number_t inEnvironmentLength,
void **result, mach_msg_type_number_t *resultLength)
{
- BEGIN_IPC
+ BEGIN_IPC(authorizationCopyRights)
AuthorizationItemSet *authrights = NULL, *authenvironment = NULL;
if (inRights && !copyout_AuthorizationItemSet(inRights, inRightsLength, &authrights))
+ {
+ Syslog::alert("ucsp_server_authorizationCopyRights(): error converting 'rights' input");
CssmError::throwMe(errAuthorizationInternal); // allocation error probably
-
+ }
if (inEnvironment && !copyout_AuthorizationItemSet(inEnvironment, inEnvironmentLength, &authenvironment))
{
free(authrights);
+ Syslog::alert("ucsp_server_authorizationCopyRights(): error converting 'environment' input");
CssmError::throwMe(errAuthorizationInternal); // allocation error probably
}
if (!copyin_AuthorizationItemSet(copyout, result, resultLength))
{
free(copyout);
+ Syslog::alert("ucsp_server_authorizationCopyRights(): error packaging return information");
CssmError::throwMe(errAuthorizationInternal);
}
free(copyout);
AuthorizationString tag,
void **info, mach_msg_type_number_t *infoLength)
{
- BEGIN_IPC
+ BEGIN_IPC(authorizationCopyInfo)
Authorization::AuthItemSet infoSet;
*info = NULL;
*infoLength = 0;
if (!copyin_AuthorizationItemSet(copyout, info, infoLength))
{
free(copyout);
+ Syslog::alert("ucsp_server_authorizationCopyInfo(): error packaging return information");
CssmError::throwMe(errAuthorizationInternal);
}
free(copyout);
kern_return_t ucsp_server_authorizationExternalize(UCSP_ARGS,
AuthorizationBlob authorization, AuthorizationExternalForm *extForm)
{
- BEGIN_IPC
+ BEGIN_IPC(authorizationExternalize)
*rcode = connection.process().session().authExternalize(authorization, *extForm);
END_IPC(CSSM)
}
kern_return_t ucsp_server_authorizationInternalize(UCSP_ARGS,
AuthorizationExternalForm extForm, AuthorizationBlob *authorization)
{
- BEGIN_IPC
+ BEGIN_IPC(authorizationInternalize)
*rcode = connection.process().session().authInternalize(extForm, *authorization);
END_IPC(CSSM)
}
kern_return_t ucsp_server_getSessionInfo(UCSP_ARGS,
SecuritySessionId *sessionId, SessionAttributeBits *attrs)
{
- BEGIN_IPC
- Session &session = Session::find(*sessionId);
- *sessionId = session.handle();
- *attrs = session.attributes();
+ BEGIN_IPC(getSessionInfo)
+ Session &session = Session::find(*sessionId);
+ *sessionId = session.handle();
+ *attrs = session.attributes();
END_IPC(CSSM)
}
kern_return_t ucsp_server_setupSession(UCSP_ARGS,
SessionCreationFlags flags, SessionAttributeBits attrs)
{
- BEGIN_IPC
+ BEGIN_IPC(setupSession)
Server::process().session().setupAttributes(flags, attrs);
END_IPC(CSSM)
}
kern_return_t ucsp_server_setSessionDistinguishedUid(UCSP_ARGS,
SecuritySessionId sessionId, uid_t user)
{
- BEGIN_IPC
+ BEGIN_IPC(setSessionDistinguishedUid)
Session::find<DynamicSession>(sessionId).originatorUid(user);
END_IPC(CSSM)
}
kern_return_t ucsp_server_getSessionDistinguishedUid(UCSP_ARGS,
SecuritySessionId sessionId, uid_t *user)
{
- BEGIN_IPC
+ BEGIN_IPC(getSessionDistinguishedUid)
*user = Session::find(sessionId).originatorUid();
END_IPC(CSSM)
}
kern_return_t ucsp_server_setSessionUserPrefs(UCSP_ARGS, SecuritySessionId sessionId, DATA_IN(userPrefs))
{
- BEGIN_IPC
+ BEGIN_IPC(setSessionuserPrefs)
CFRef<CFDataRef> data(CFDataCreate(NULL, (UInt8 *)userPrefs, userPrefsLength));
if (!data)
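Review bot: `BEGIN_IPC(setSessionuserPrefs)` spells the request name with a lower-case `u`, unlike the function name `ucsp_server_setSessionUserPrefs` and the other `BEGIN_IPC(...)` arguments in this change, which match their function names exactly. If the macro argument becomes the request name reported to tracing, as the string passed to `SECURITYD_REQUEST_ENTRY` in setupThread suggests, anything filtering on the name will miss this call. Use `BEGIN_IPC(setSessionUserPrefs)`. The body continues outside the hunk.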
kern_return_t ucsp_server_postNotification(UCSP_ARGS, uint32 domain, uint32 event,
DATA_IN(data), uint32 sequence)
{
- BEGIN_IPC
+ BEGIN_IPC(postNotification)
Listener::notify(domain, event, sequence, DATA(data));
END_IPC(CSSM)
}
//
kern_return_t ucsp_server_authorizationdbGet(UCSP_ARGS, const char *rightname, DATA_OUT(rightDefinition))
{
- BEGIN_IPC
+ BEGIN_IPC(authorizationdbGet)
CFDictionaryRef rightDict;
*rcode = connection.process().session().authorizationdbGet(rightname, &rightDict);
CFRef<CFDataRef> data(CFPropertyListCreateXMLData (NULL, rightDict));
CFRelease(rightDict);
if (!data)
+ {
+ Syslog::alert("ucsp_server_authorizationGet(): unable to make XML version of right definition for '%s'", rightname);
return errAuthorizationInternal;
+ }
// @@@ copy data to avoid having to do a delayed cfrelease
mach_msg_type_number_t length = CFDataGetLength(data);
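Review bot: The alert added in ucsp_server_authorizationdbGet names `ucsp_server_authorizationGet()`, and the two added in ucsp_server_authorizationdbSet name `ucsp_server_authorizationSet()`. Neither matches its handler's name, so a log search for the real function will not find these entries. Use the actual names, e.g. `"ucsp_server_authorizationdbGet(): unable to make XML version of right definition for '%s'"`. Note also that `rightname` is client-supplied and is written to the log verbatim. Both bodies continue outside the hunk.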
kern_return_t ucsp_server_authorizationdbSet(UCSP_ARGS, AuthorizationBlob authorization, const char *rightname, DATA_IN(rightDefinition))
{
- BEGIN_IPC
+ BEGIN_IPC(authorizationdbSet)
CFRef<CFDataRef> data(CFDataCreate(NULL, (UInt8 *)rightDefinition, rightDefinitionLength));
if (!data)
+ {
+ Syslog::alert("ucsp_server_authorizationSet(): CFDataCreate() error");
return errAuthorizationInternal;
+ }
CFRef<CFDictionaryRef> rightDefinition(static_cast<CFDictionaryRef>(CFPropertyListCreateFromXMLData(NULL, data, kCFPropertyListImmutable, NULL)));
if (!rightDefinition || (CFGetTypeID(rightDefinition) != CFDictionaryGetTypeID()))
+ {
+ Syslog::alert("ucsp_server_authorizationSet(): error converting XML right definition for '%s' to property list", rightname);
return errAuthorizationInternal;
+ }
*rcode = connection.process().session().authorizationdbSet(authorization, rightname, rightDefinition);
kern_return_t ucsp_server_authorizationdbRemove(UCSP_ARGS, AuthorizationBlob authorization, const char *rightname)
{
- BEGIN_IPC
+ BEGIN_IPC(authorizationdbRemove)
*rcode = connection.process().session().authorizationdbRemove(authorization, rightname);
END_IPC(CSSM)
}
kern_return_t ucsp_server_addCodeEquivalence(UCSP_ARGS, DATA_IN(oldHash), DATA_IN(newHash),
const char *name, boolean_t forSystem)
{
- BEGIN_IPC
+ BEGIN_IPC(addCodeEquivalence)
Server::codeSignatures().addLink(DATA(oldHash), DATA(newHash), name, forSystem);
END_IPC(CSSM)
}
kern_return_t ucsp_server_removeCodeEquivalence(UCSP_ARGS, DATA_IN(hash),
const char *name, boolean_t forSystem)
{
- BEGIN_IPC
+ BEGIN_IPC(removeCodeEquivalence)
Server::codeSignatures().removeLink(DATA(hash), name, forSystem);
END_IPC(CSSM)
}
kern_return_t ucsp_server_setAlternateSystemRoot(UCSP_ARGS, const char *root)
{
- BEGIN_IPC
+ BEGIN_IPC(setAlternateSystemRoot)
#if defined(NDEBUG)
if (connection.process().uid() != 0)
CssmError::throwMe(CSSM_ERRCODE_OS_ACCESS_DENIED);
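Review bot: The uid check in `ucsp_server_setAlternateSystemRoot` sits under `#if defined(NDEBUG)`, so the only caller restriction visible here exists in release builds. The matching `#endif` and the rest of the body are outside the hunk, so this is read from the three lines shown. Since the commit touches the handler anyway, a comment recording the intent would help, for example `// root-only in release builds; debug builds skip this check, do not ship without NDEBUG`, provided the omission in debug builds is deliberate. If it is not, the check should move out of the conditional.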
mach_port_t servicePort, mach_port_t taskPort)
{
BEGIN_IPCS
- ServerChild::checkIn(servicePort, TaskPort(taskPort).pid());
+ ServerChild::checkIn(servicePort, TaskPort(taskPort).pid());
END_IPCS(mach_port_deallocate(mach_task_self(), taskPort))
}
//
kern_return_t ucsp_server_registerHosting(UCSP_ARGS, mach_port_t hostingPort, uint32 flags)
{
- BEGIN_IPC
+ BEGIN_IPC(registerHosting)
connection.process().registerCodeSigning(hostingPort, flags);
END_IPC(CSSM)
}
kern_return_t ucsp_server_hostingPort(UCSP_ARGS, pid_t hostPid, mach_port_t *hostingPort)
{
- BEGIN_IPC
+ BEGIN_IPC(hostingPort)
if (RefPointer<Process> process = Server::active().findPid(hostPid))
*hostingPort = process->hostingPort();
else
kern_return_t ucsp_server_setGuest(UCSP_ARGS, SecGuestRef guest, SecCSFlags flags)
{
- BEGIN_IPC
+ BEGIN_IPC(setGuest)
connection.guestRef(guest, flags);
END_IPC(CSSM)
}
kern_return_t ucsp_server_createGuest(UCSP_ARGS, SecGuestRef host,
- uint32_t status, const char *path, DATA_IN(attributes), SecCSFlags flags, SecGuestRef *newGuest)
+ uint32_t status, const char *path, DATA_IN(cdhash), DATA_IN(attributes),
+ SecCSFlags flags, SecGuestRef *newGuest)
{
- BEGIN_IPC
- *newGuest = connection.process().createGuest(host, status, path, DATA(attributes), flags);
+ BEGIN_IPC(createGuest)
+ *newGuest = connection.process().createGuest(host, status, path, DATA(cdhash), DATA(attributes), flags);
END_IPC(CSSM)
}
kern_return_t ucsp_server_setGuestStatus(UCSP_ARGS, SecGuestRef guest,
uint32_t status, DATA_IN(attributes))
{
- BEGIN_IPC
+ BEGIN_IPC(setGuestStatus)
connection.process().setGuestStatus(guest, status, DATA(attributes));
END_IPC(CSSM)
}
kern_return_t ucsp_server_removeGuest(UCSP_ARGS, SecGuestRef host, SecGuestRef guest)
{
- BEGIN_IPC
+ BEGIN_IPC(removeGuest)
connection.process().removeGuest(host, guest);
END_IPC(CSSM)
}
+
+kern_return_t ucsp_server_helpCheckLoad(UCSP_ARGS, const char path[PATH_MAX], uint32_t type)
+{
+ BEGIN_IPC(helpCheckLoad)
+ END_IPC(CSSM)
+}