<dict>
<key>rights</key>
<dict>
- <key>system.login.console</key>
+ <key>com.apple.container-repair</key>
<dict>
<key>class</key>
- <string>evaluate-mechanisms</string>
- <key>comment</key>
- <string>Login mechanism based rule. Not for general use, yet.</string>
- <key>mechanisms</key>
- <array>
- <string>builtin:policy-banner</string>
- <string>loginwindow:login</string>
- <string>builtin:login-begin</string>
- <string>builtin:reset-password,privileged</string>
- <string>builtin:forward-login,privileged</string>
- <string>builtin:auto-login,privileged</string>
- <string>builtin:authenticate,privileged</string>
- <string>PKINITMechanism:auth,privileged</string>
- <string>builtin:login-success</string>
- <string>loginwindow:success</string>
- <string>HomeDirMechanism:login,privileged</string>
- <string>HomeDirMechanism:status</string>
- <string>MCXMechanism:login</string>
- <string>loginwindow:done</string>
- </array>
+ <string>user</string>
+ <key>default-button</key>
+ <dict>
+ <key>ar</key>
+ <string>تصليح</string>
+ <key>ca</key>
+ <string>Reparar</string>
+ <key>cs</key>
+ <string>Opravit</string>
+ <key>da</key>
+ <string>Reparer</string>
+ <key>de</key>
+ <string>Reparieren</string>
+ <key>el</key>
+ <string>Επισκευή</string>
+ <key>en</key>
+ <string>Repair</string>
+ <key>es</key>
+ <string>Reparar</string>
+ <key>fi</key>
+ <string>Korjaa</string>
+ <key>fr</key>
+ <string>Réparer</string>
+ <key>he</key>
+ <string>תקן</string>
+ <key>hr</key>
+ <string>Popravi</string>
+ <key>hu</key>
+ <string>Javítás</string>
+ <key>it</key>
+ <string>Ripara</string>
+ <key>ja</key>
+ <string>修復</string>
+ <key>ko</key>
+ <string>복구</string>
+ <key>nb</key>
+ <string>Reparer</string>
+ <key>nl</key>
+ <string>Herstel</string>
+ <key>pl</key>
+ <string>Napraw</string>
+ <key>pt</key>
+ <string>Reparar</string>
+ <key>pt-PT</key>
+ <string>Reparar</string>
+ <key>ro</key>
+ <string>Repară</string>
+ <key>ru</key>
+ <string>Исправить</string>
+ <key>sk</key>
+ <string>Opraviť</string>
+ <key>sv</key>
+ <string>Reparera</string>
+ <key>th</key>
+ <string>ซ่อมแซม</string>
+ <key>tr</key>
+ <string>Onar</string>
+ <key>uk</key>
+ <string>Полагодити</string>
+ <key>zh-Hans</key>
+ <string>修复</string>
+ <key>zh-Hant</key>
+ <string>修復</string>
+ </dict>
+ <key>default-prompt</key>
+ <dict>
+ <key>ar</key>
+ <string>يحتاج __APPNAME__ إلى إصلاح مكتبتك لتشغيل التطبيات.</string>
+ <key>ca</key>
+ <string>__APPNAME__ necessita reparar la vostra biblioteca per poder executar aplicacions.</string>
+ <key>cs</key>
+ <string>__APPNAME__ potřebuje opravit vaši knihovnu, aby bylo možné spouštět aplikace.</string>
+ <key>da</key>
+ <string>__APPNAME__ skal reparere dit bibliotek for at kunne afvikle programmer.</string>
+ <key>de</key>
+ <string>__APPNAME__ muss Ihre Library reparieren, um Programme auszuführen.</string>
+ <key>el</key>
+ <string>Η εφαρμογή «__APPNAME__» πρέπει να επισκευάσει τη Βιβλιοθήκη σας ώστε να εκτελεί εφαρμογές.</string>
+ <key>en</key>
+ <string>__APPNAME__ needs to repair your Library to run applications.</string>
+ <key>es</key>
+ <string>__APPNAME__ necesita reparar su biblioteca para poder ejecutar aplicaciones.</string>
+ <key>fi</key>
+ <string>Kohteen__APPNAME__ pitää korjata kirjastosi, jotta se voi suorittaa ohjelmia.</string>
+ <key>fr</key>
+ <string>__APPNAME__ doit réparer votre Bibliothèque pour exécuter les applications.</string>
+ <key>he</key>
+ <string>על-מנת שניתן יהיה להפעיל יישומים, על __APPNAME__ לתקן את הספריה שלך.</string>
+ <key>hr</key>
+ <string>__APPNAME__ treba popraviti vašu medijateku kako bi se mogle pokrenuti aplikacije.</string>
+ <key>hu</key>
+ <string>A(z) __APPNAME__ alkalmazásnak ki kell javítania az Ön Könyvtárát az alkalmazások futtatásához.</string>
+ <key>it</key>
+ <string>Per poter eseguire applicazioni, __APPNAME__ deve riparare la libreria.</string>
+ <key>ja</key>
+ <string>__APPNAME__ は、アプリケーションを実行するためにライブラリを修復する必要があります。</string>
+ <key>ko</key>
+ <string>응용 프로그램을 실행하려면 __APPNAME__이(가) 사용자의 라이브러리를 복구해야 합니다.</string>
+ <key>nb</key>
+ <string>__APPNAME__ må reparere biblioteket ditt for å kunne bruke programmer.</string>
+ <key>nl</key>
+ <string>__APPNAME__ moet uw Bibliotheek herstellen om programma's te kunnen uitvoeren.</string>
+ <key>pl</key>
+ <string>__APPNAME__ musi naprawić bibliotekę, aby móc uruchamiać programy.</string>
+ <key>pt</key>
+ <string>__APPNAME__ necessita reparar sua biblioteca para poder executar aplicativos.</string>
+ <key>pt-PT</key>
+ <string>__APPNAME__ tem de reparar a Biblioteca antes de poder executar aplicações.</string>
+ <key>ro</key>
+ <string>__APPNAME__ trebuie să repare biblioteca dvs. pentru a putea rula aplicații.</string>
+ <key>ru</key>
+ <string>Программе «__APPNAME__» необходимо исправить Вашу библиотеку для запуска программ.</string>
+ <key>sk</key>
+ <string>__APPNAME__ potrebuje kvôli spúšťaniu aplikácií opraviť vašu knižniciu.</string>
+ <key>sv</key>
+ <string>__APPNAME__ måste reparera ditt bibliotek för att kunna använda program.</string>
+ <key>th</key>
+ <string>__APPNAME__ จำเป็นต้องซ่อมแซมคลังของคุณเพื่อสั่งทำงานแอปพลิเคชั่น</string>
+ <key>tr</key>
+ <string>Uygulamaları çalıştırmak için Kitaplık klasörünüzün __APPNAME__ tarafından onarılması gerekiyor.</string>
+ <key>uk</key>
+ <string>Програмі __APPNAME__ потрібно полагодити вашу папку «Бібліотека», щоб мати змогу запускати програми.</string>
+ <key>zh-Hans</key>
+ <string>“__APPNAME__”需要修复您的资源库才能运行应用程序。</string>
+ <key>zh-Hant</key>
+ <string>“__APPNAME__”需要修復您的資料庫來執行應用程式。</string>
+ </dict>
+ <key>group</key>
+ <string>admin</string>
+ <key>shared</key>
+ <false/>
+ <key>timeout</key>
+ <integer>30</integer>
</dict>
</dict>
</dict>
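Review bot: The new `com.apple.container-repair` right is added without a `comment` key, so the policy database does not record what the right guards or which client is expected to request it; the `system.login.console` entry shown on the removed side carried one. Judging only from the prompt text, something like `<key>comment</key>` followed by `<string>Repair the user's Library so applications can run; requires admin group authentication.</string>` would do, with the wording confirmed by whoever owns the right. Two of the localized `default-prompt` strings also look wrong: `fi` reads `Kohteen__APPNAME__` with no space before the placeholder, and the `ar` string ends in `التطبيات`, which appears to be a misspelling of `التطبيقات`. The same block is added again in the next hunk (after `builtin:generic-unlock`) and needs the same corrections there.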
<string>builtin:generic-unlock</string>
</array>
</dict>
+ <key>com.apple.container-repair</key>
+ <dict>
+ <key>class</key>
+ <string>user</string>
+ <key>default-button</key>
+ <dict>
+ <key>ar</key>
+ <string>تصليح</string>
+ <key>ca</key>
+ <string>Reparar</string>
+ <key>cs</key>
+ <string>Opravit</string>
+ <key>da</key>
+ <string>Reparer</string>
+ <key>de</key>
+ <string>Reparieren</string>
+ <key>el</key>
+ <string>Επισκευή</string>
+ <key>en</key>
+ <string>Repair</string>
+ <key>es</key>
+ <string>Reparar</string>
+ <key>fi</key>
+ <string>Korjaa</string>
+ <key>fr</key>
+ <string>Réparer</string>
+ <key>he</key>
+ <string>תקן</string>
+ <key>hr</key>
+ <string>Popravi</string>
+ <key>hu</key>
+ <string>Javítás</string>
+ <key>it</key>
+ <string>Ripara</string>
+ <key>ja</key>
+ <string>修復</string>
+ <key>ko</key>
+ <string>복구</string>
+ <key>nb</key>
+ <string>Reparer</string>
+ <key>nl</key>
+ <string>Herstel</string>
+ <key>pl</key>
+ <string>Napraw</string>
+ <key>pt</key>
+ <string>Reparar</string>
+ <key>pt-PT</key>
+ <string>Reparar</string>
+ <key>ro</key>
+ <string>Repară</string>
+ <key>ru</key>
+ <string>Исправить</string>
+ <key>sk</key>
+ <string>Opraviť</string>
+ <key>sv</key>
+ <string>Reparera</string>
+ <key>th</key>
+ <string>ซ่อมแซม</string>
+ <key>tr</key>
+ <string>Onar</string>
+ <key>uk</key>
+ <string>Полагодити</string>
+ <key>zh-Hans</key>
+ <string>修复</string>
+ <key>zh-Hant</key>
+ <string>修復</string>
+ </dict>
+ <key>default-prompt</key>
+ <dict>
+ <key>ar</key>
+ <string>يحتاج __APPNAME__ إلى إصلاح مكتبتك لتشغيل التطبيات.</string>
+ <key>ca</key>
+ <string>__APPNAME__ necessita reparar la vostra biblioteca per poder executar aplicacions.</string>
+ <key>cs</key>
+ <string>__APPNAME__ potřebuje opravit vaši knihovnu, aby bylo možné spouštět aplikace.</string>
+ <key>da</key>
+ <string>__APPNAME__ skal reparere dit bibliotek for at kunne afvikle programmer.</string>
+ <key>de</key>
+ <string>__APPNAME__ muss Ihre Library reparieren, um Programme auszuführen.</string>
+ <key>el</key>
+ <string>Η εφαρμογή «__APPNAME__» πρέπει να επισκευάσει τη Βιβλιοθήκη σας ώστε να εκτελεί εφαρμογές.</string>
+ <key>en</key>
+ <string>__APPNAME__ needs to repair your Library to run applications.</string>
+ <key>es</key>
+ <string>__APPNAME__ necesita reparar su biblioteca para poder ejecutar aplicaciones.</string>
+ <key>fi</key>
+ <string>Kohteen__APPNAME__ pitää korjata kirjastosi, jotta se voi suorittaa ohjelmia.</string>
+ <key>fr</key>
+ <string>__APPNAME__ doit réparer votre Bibliothèque pour exécuter les applications.</string>
+ <key>he</key>
+ <string>על-מנת שניתן יהיה להפעיל יישומים, על __APPNAME__ לתקן את הספריה שלך.</string>
+ <key>hr</key>
+ <string>__APPNAME__ treba popraviti vašu medijateku kako bi se mogle pokrenuti aplikacije.</string>
+ <key>hu</key>
+ <string>A(z) __APPNAME__ alkalmazásnak ki kell javítania az Ön Könyvtárát az alkalmazások futtatásához.</string>
+ <key>it</key>
+ <string>Per poter eseguire applicazioni, __APPNAME__ deve riparare la libreria.</string>
+ <key>ja</key>
+ <string>__APPNAME__ は、アプリケーションを実行するためにライブラリを修復する必要があります。</string>
+ <key>ko</key>
+ <string>응용 프로그램을 실행하려면 __APPNAME__이(가) 사용자의 라이브러리를 복구해야 합니다.</string>
+ <key>nb</key>
+ <string>__APPNAME__ må reparere biblioteket ditt for å kunne bruke programmer.</string>
+ <key>nl</key>
+ <string>__APPNAME__ moet uw Bibliotheek herstellen om programma's te kunnen uitvoeren.</string>
+ <key>pl</key>
+ <string>__APPNAME__ musi naprawić bibliotekę, aby móc uruchamiać programy.</string>
+ <key>pt</key>
+ <string>__APPNAME__ necessita reparar sua biblioteca para poder executar aplicativos.</string>
+ <key>pt-PT</key>
+ <string>__APPNAME__ tem de reparar a Biblioteca antes de poder executar aplicações.</string>
+ <key>ro</key>
+ <string>__APPNAME__ trebuie să repare biblioteca dvs. pentru a putea rula aplicații.</string>
+ <key>ru</key>
+ <string>Программе «__APPNAME__» необходимо исправить Вашу библиотеку для запуска программ.</string>
+ <key>sk</key>
+ <string>__APPNAME__ potrebuje kvôli spúšťaniu aplikácií opraviť vašu knižniciu.</string>
+ <key>sv</key>
+ <string>__APPNAME__ måste reparera ditt bibliotek för att kunna använda program.</string>
+ <key>th</key>
+ <string>__APPNAME__ จำเป็นต้องซ่อมแซมคลังของคุณเพื่อสั่งทำงานแอปพลิเคชั่น</string>
+ <key>tr</key>
+ <string>Uygulamaları çalıştırmak için Kitaplık klasörünüzün __APPNAME__ tarafından onarılması gerekiyor.</string>
+ <key>uk</key>
+ <string>Програмі __APPNAME__ потрібно полагодити вашу папку «Бібліотека», щоб мати змогу запускати програми.</string>
+ <key>zh-Hans</key>
+ <string>“__APPNAME__”需要修复您的资源库才能运行应用程序。</string>
+ <key>zh-Hant</key>
+ <string>“__APPNAME__”需要修復您的資料庫來執行應用程式。</string>
+ </dict>
+ <key>group</key>
+ <string>admin</string>
+ <key>shared</key>
+ <false/>
+ <key>timeout</key>
+ <integer>30</integer>
+ </dict>
<key>com.apple.dashboard.advisory.allow</key>
<dict>
<key>class</key>
string processName = "unknown";
string authCreatorName = "unknown";
- if (SecCodeRef code = Server::process().currentGuest()) {
- CFRef<CFURLRef> path;
- if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
- processName = cfString(path);
- }
- if (SecStaticCodeRef code = auth.creatorCode()) {
- CFRef<CFURLRef> path;
- if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
- authCreatorName = cfString(path);
+ {
+ StLock<Mutex> _(Server::process());
+ if (SecCodeRef code = Server::process().currentGuest()) {
+ CFRef<CFURLRef> path;
+ if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
+ processName = cfString(path);
+ }
}
+ authCreatorName = auth.creatorPath();
if (sandbox_check(Server::process().pid(), "authorization-right-obtain", SANDBOX_FILTER_RIGHT_NAME, (*it)->name())) {
Syslog::error("Sandbox denied authorizing right '%s' by client '%s' [%d]", (*it)->name(), processName.c_str(), Server::process().pid());
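Review bot: `authCreatorName` is still initialised to `"unknown"` at the top of the hunk and then unconditionally overwritten by `authCreatorName = auth.creatorPath();`, which already falls back to `"unknown"` itself, so the initialiser is dead. Declaring it at the point of use, `string authCreatorName = auth.creatorPath();`, says the same thing in one line. The new locked block would also read better with one local `Process &proc = Server::process();`, which makes it visible that the object being locked, queried for `currentGuest()` and later asked for `pid()` is the same one. The enclosing function starts and ends outside this hunk.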
mode = (mode & ~CSSM_ACL_KEYCHAIN_PROMPT_INVALID) | (flags & CSSM_ACL_KEYCHAIN_PROMPT_INVALID);
// determine signed/validity status of client, without reference to any particular Code Requirement
- SecCodeRef clientCode = process.currentGuest();
- Server::active().longTermActivity();
- OSStatus validation = clientCode ? SecCodeCheckValidity(clientCode, kSecCSDefaultFlags, NULL) : errSecCSStaticCodeNotFound;
- switch (validation) {
- case noErr: // client is signed and valid
- secdebug("kcacl", "client is valid, proceeding");
- break;
- case errSecCSUnsigned: // client is not signed
- if (!(mode & CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED)) {
- secdebug("kcacl", "client is unsigned, suppressing prompt");
- return false;
- }
- break;
- case errSecCSSignatureFailed: // client signed but signature is broken
- case errSecCSGuestInvalid: // client signed but dynamically invalid
- case errSecCSStaticCodeNotFound: // client not on disk (or unreadable)
- if (!(mode & CSSM_ACL_KEYCHAIN_PROMPT_INVALID)) {
- secdebug("kcacl", "client is invalid, suppressing prompt");
- Syslog::info("suppressing keychain prompt for invalidly signed client %s(%d)",
+ SecCodeRef clientCode = NULL;
+ OSStatus validation = errSecCSStaticCodeNotFound;
+ {
+ StLock<Mutex> _(process);
+ Server::active().longTermActivity();
+ clientCode = process.currentGuest();
+ if (clientCode)
+ validation = SecCodeCheckValidity(clientCode, kSecCSDefaultFlags, NULL);
+ switch (validation) {
+ case noErr: // client is signed and valid
+ secdebug("kcacl", "client is valid, proceeding");
+ break;
+ case errSecCSUnsigned: // client is not signed
+ if (!(mode & CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED)) {
+ secdebug("kcacl", "client is unsigned, suppressing prompt");
+ return false;
+ }
+ break;
+ case errSecCSSignatureFailed: // client signed but signature is broken
+ case errSecCSGuestInvalid: // client signed but dynamically invalid
+ case errSecCSStaticCodeNotFound: // client not on disk (or unreadable)
+ if (!(mode & CSSM_ACL_KEYCHAIN_PROMPT_INVALID)) {
+ secdebug("kcacl", "client is invalid, suppressing prompt");
+ Syslog::info("suppressing keychain prompt for invalidly signed client %s(%d)",
+ process.getPath().c_str(), process.pid());
+ return false;
+ }
+ Syslog::info("attempting keychain prompt for invalidly signed client %s(%d)",
process.getPath().c_str(), process.pid());
+ break;
+ default: // something else went wrong
+ secdebug("kcacl", "client validation failed rc=%d, suppressing prompt", int32_t(validation));
return false;
}
- Syslog::info("attempting keychain prompt for invalidly signed client %s(%d)",
- process.getPath().c_str(), process.pid());
- break;
- default: // something else went wrong
- secdebug("kcacl", "client validation failed rc=%d, suppressing prompt", int32_t(validation));
- return false;
}
// At this point, we're committed to try to Pop The Question. Now, how?
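Review bot: `clientCode` is a raw `SecCodeRef` fetched under `StLock<Mutex> _(process)`, but it is used again after that scope closes, in `SecCodeCopySigningInformation(clientCode, ...)` and in `new OSXCodeWrap(clientCode)` in the two later hunks. Nothing visible retains it, so if the lock exists to stop `Process::reset` from replacing the guest (it takes the same lock in this commit), the pointer can go stale in the gaps between the three lock scopes. Re-acquiring the lock later protects the call but not the reference, so retain the code object while the first lock is held, for example in a retaining holder such as `CFCopyRef<SecCodeRef>` if that helper is available in this file, and use that copy afterwards. The first scope also keeps the per-process mutex across `SecCodeCheckValidity`, which `longTermActivity()` marks as potentially slow; a comment saying that this is intended would help the next reader.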
// an application (i.e. Keychain Access.app :-) can force this option
if (clientCode && validation == noErr) {
+ StLock<Mutex> _(process);
CFRef<CFDictionaryRef> dict;
if (SecCodeCopySigningInformation(clientCode, kSecCSDefaultFlags, &dict.aref()) == noErr)
if (CFDictionaryRef info = CFDictionaryRef(CFDictionaryGetValue(dict, kSecCodeInfoPList)))
// process an "always allow..." response
if (query.remember && clientCode) {
+ StLock<Mutex> _(process);
RefPointer<OSXCode> clientXCode = new OSXCodeWrap(clientCode);
RefPointer<AclSubject> subject = new CodeSignatureAclSubject(OSXVerifier(clientXCode));
SecurityServerAcl::addToStandardACL(context, subject);
void SecurityServerAcl::validate(AclAuthorization auth, const AccessCredentials *cred, Database *db)
{
SecurityServerEnvironment env(*this, db);
+
+ {
+ // Migrator gets a free ride
+ Process &thisProcess = Server::process();
+ StLock<Mutex> _(thisProcess);
+ SecCodeRef clientRef = thisProcess.currentGuest();
+ if (clientRef) {
+ std::string clientPath = codePath(clientRef);
+ if (clientPath == std::string("/usr/libexec/KeychainMigrator"))
+ return;
+ }
+ }
+
StLock<Mutex> objectSequence(aclSequence);
StLock<Mutex> processSequence(Server::process().aclSequence);
ObjectAcl::validate(auth, cred, &env);
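Review bot: The `Migrator gets a free ride` block returns before `ObjectAcl::validate` for any client whose `codePath()` equals `/usr/libexec/KeychainMigrator`, and that string comparison is the only identity check visible in the hunk. Because this is a complete bypass of ACL evaluation, it should be tied to the signed binary rather than its location, for example by also requiring `SecCodeCheckValidity(clientRef, kSecCSDefaultFlags, migratorRequirement) == noErr`, where `migratorRequirement` is a placeholder for a requirement pinned to the migrator's signing identity. A `Syslog::info` line on the early return would make each use of the exemption auditable. The comment should also say why the exemption exists and what bounds it, and `clientPath == "/usr/libexec/KeychainMigrator"` needs no temporary `std::string`. The body of `validate` continues past the end of the hunk.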
SecurityAgentQuery::inferHints(Process &thisProcess)
{
string guestPath;
- if (SecCodeRef clientCode = thisProcess.currentGuest())
- guestPath = codePath(clientCode);
+ {
+ StLock<Mutex> _(thisProcess);
+ if (SecCodeRef clientCode = thisProcess.currentGuest())
+ guestPath = codePath(clientCode);
+ }
AuthItemSet processHints = clientHints(SecurityAgent::bundle, guestPath,
thisProcess.pid(), thisProcess.uid());
mClientHints.insert(processHints.begin(), processHints.end());
// prepopulate with client hints
inHints.insert(mClientHints.begin(), mClientHints.end());
- if (Server::active().inDarkWake())
- CssmError::throwMe(CSSM_ERRCODE_IN_DARK_WAKE);
+ if (mAuthHostType == securityAgent) {
+ if (Server::active().inDarkWake())
+ CssmError::throwMe(CSSM_ERRCODE_IN_DARK_WAKE);
+ }
setArguments(inArguments);
setInput(inHints, inContext);
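Review bot: The new `mAuthHostType == securityAgent` guard means other host types are no longer refused with `CSSM_ERRCODE_IN_DARK_WAKE`, but nothing in the hunk says why that is safe. A one-line comment above the check, stating which host types may run during dark wake and on what grounds, would keep this from looking like an accidental relaxation. The nested `if`s can also be a single condition: `if (mAuthHostType == securityAgent && Server::active().inDarkWake())`. The enclosing function starts and ends outside the hunk.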
else
mCreatorSandboxed = false;
- if (SecCodeRef code = Server::process().currentGuest())
- MacOSError::check(SecCodeCopyStaticCode(code, kSecCSDefaultFlags, &mCreatorCode.aref()));
+ {
+ Process &thisProcess = Server::process();
+ StLock<Mutex> _(thisProcess);
+ if (SecCodeRef code = thisProcess.currentGuest())
+ MacOSError::check(SecCodeCopyStaticCode(code, kSecCSDefaultFlags, &mCreatorCode.aref()));
+ }
// link to session
referent(ssn);
}
+std::string AuthorizationToken::creatorPath() const
+{
+ if (mCreatorCode) {
+ StLock<Mutex> _(mLock);
+ CFRef<CFURLRef> path;
+ if (SecCodeCopyPath(mCreatorCode, kSecCSDefaultFlags, &path.aref()) == noErr)
+ return cfString(path);
+ }
+ return "unknown";
+}
+
+
//
// Locate an authorization given its blob.
//
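Review bot: In the new `AuthorizationToken::creatorPath()`, `mCreatorCode` is tested before `mLock` is taken, so the null check is outside the critical section. If `mLock` is what guards `mCreatorCode`, move `StLock<Mutex> _(mLock);` to the first line of the function; if the member is fixed after construction, the lock is unnecessary and a comment should say so. The function also lacks the `//` banner comment that its neighbours in this file have, for example `// Path of the code that created this authorization, or "unknown" if it cannot be determined.` It checks `== noErr` where the other `SecCodeCopyPath` call in this change uses `!SecCodeCopyPath(...)`, so pick one form.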
uid_t creatorUid() const { return mCreatorUid; }
gid_t creatorGid() const { return mCreatorGid; }
SecStaticCodeRef creatorCode() const { return mCreatorCode; }
+ std::string creatorPath() const;
pid_t creatorPid() const { return mCreatorPid; }
bool creatorSandboxed() const { return mCreatorSandboxed; }
};
private:
- Mutex mLock; // object lock
+ mutable Mutex mLock; // object lock
AuthorizationBlob mHandle; // official randomized blob marker
CredentialSet mBaseCreds; // credentials we're based on
{
secdebug("codesign", "start verify");
- // if we have no client code, we cannot possibly match this
+ StLock<Mutex> _(process);
SecCodeRef code = process.currentGuest();
if (!code) {
secdebug("codesign", "no code base: fail");
return false;
}
-
if (SecRequirementRef requirement = verifier.requirement()) {
// If the ACL contains a code signature (requirement), we won't match against unsigned code at all.
// The legacy hash is ignored (it's for use by pre-Leopard systems).
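Review bot: The comment `// if we have no client code, we cannot possibly match this` was removed when the lock line was added, although the `if (!code)` check it explained is unchanged; it should stay directly above that check. The new `StLock<Mutex> _(process);` appears to be held for the rest of the function, including the requirement check that follows, as far as the hunk shows. That deserves its own comment, for example `// hold the process lock for as long as we use its guest code reference`. The function starts before the hunk and continues after it.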
Process::Process(TaskPort taskPort, const ClientSetupInfo *info, const CommonCriteria::AuditToken &audit)
: mTaskPort(taskPort), mByteFlipped(false), mPid(audit.pid()), mUid(audit.euid()), mGid(audit.egid())
{
+ StLock<Mutex> _(*this);
+
// set parent session
parent(Session::find(audit.sessionId(), true));
//
void Process::reset(TaskPort taskPort, const ClientSetupInfo *info, const CommonCriteria::AuditToken &audit)
{
+ StLock<Mutex> _(*this);
if (taskPort != mTaskPort) {
secdebug("SS", "Process %p(%d) reset mismatch (tp %d-%d)",
this, pid(), taskPort.port(), mTaskPort.port());