From: Apple Date: Thu, 3 Jan 2013 23:05:03 +0000 (+0000) Subject: securityd-55137.5.tar.gz X-Git-Tag: v55137.5^0 X-Git-Url: https://git.saurik.com/apple/securityd.git/commitdiff_plain/da3a950e50a52c2f256145fb38ea3eaabeb7ed3d securityd-55137.5.tar.gz --- diff --git a/etc/authorization.merge b/etc/authorization.merge index cf17bcc..a4a3d0a 100644 --- a/etc/authorization.merge +++ b/etc/authorization.merge 
@@ -4,29 +4,142 @@ rights - system.login.console + com.apple.container-repair class - evaluate-mechanisms - comment - Login mechanism based rule. Not for general use, yet. - mechanisms - - builtin:policy-banner - loginwindow:login - builtin:login-begin - builtin:reset-password,privileged - builtin:forward-login,privileged - builtin:auto-login,privileged - builtin:authenticate,privileged - PKINITMechanism:auth,privileged - builtin:login-success - loginwindow:success - HomeDirMechanism:login,privileged - HomeDirMechanism:status - MCXMechanism:login - loginwindow:done - + user + default-button + + ar + تصليح + ca + Reparar + cs + Opravit + da + Reparer + de + Reparieren + el + Επισκευή + en + Repair + es + Reparar + fi + Korjaa + fr + Réparer + he + תקן + hr + Popravi + hu + Javítás + it + Ripara + ja + 修復 + ko + 복구 + nb + Reparer + nl + Herstel + pl + Napraw + pt + Reparar + pt-PT + Reparar + ro + Repară + ru + Исправить + sk + Opraviť + sv + Reparera + th + ซ่อมแซม + tr + Onar + uk + Полагодити + zh-Hans + 修复 + zh-Hant + 修復 + + default-prompt + + ar + يحتاج __APPNAME__ إلى إصلاح مكتبتك لتشغيل التطبيات. + ca + __APPNAME__ necessita reparar la vostra biblioteca per poder executar aplicacions. + cs + __APPNAME__ potřebuje opravit vaši knihovnu, aby bylo možné spouštět aplikace. + da + __APPNAME__ skal reparere dit bibliotek for at kunne afvikle programmer. + de + __APPNAME__ muss Ihre Library reparieren, um Programme auszuführen. + el + Η εφαρμογή «__APPNAME__» πρέπει να επισκευάσει τη Βιβλιοθήκη σας ώστε να εκτελεί εφαρμογές. + en + __APPNAME__ needs to repair your Library to run applications. + es + __APPNAME__ necesita reparar su biblioteca para poder ejecutar aplicaciones. + fi + Kohteen__APPNAME__ pitää korjata kirjastosi, jotta se voi suorittaa ohjelmia. + fr + __APPNAME__ doit réparer votre Bibliothèque pour exécuter les applications. + he + על-מנת שניתן יהיה להפעיל יישומים, על __APPNAME__ לתקן את הספריה שלך. 
+ hr + __APPNAME__ treba popraviti vašu medijateku kako bi se mogle pokrenuti aplikacije. + hu + A(z) __APPNAME__ alkalmazásnak ki kell javítania az Ön Könyvtárát az alkalmazások futtatásához. + it + Per poter eseguire applicazioni, __APPNAME__ deve riparare la libreria. + ja + __APPNAME__ は、アプリケーションを実行するためにライブラリを修復する必要があります。 + ko + 응용 프로그램을 실행하려면 __APPNAME__이(가) 사용자의 라이브러리를 복구해야 합니다. + nb + __APPNAME__ må reparere biblioteket ditt for å kunne bruke programmer. + nl + __APPNAME__ moet uw Bibliotheek herstellen om programma's te kunnen uitvoeren. + pl + __APPNAME__ musi naprawić bibliotekę, aby móc uruchamiać programy. + pt + __APPNAME__ necessita reparar sua biblioteca para poder executar aplicativos. + pt-PT + __APPNAME__ tem de reparar a Biblioteca antes de poder executar aplicações. + ro + __APPNAME__ trebuie să repare biblioteca dvs. pentru a putea rula aplicații. + ru + Программе «__APPNAME__» необходимо исправить Вашу библиотеку для запуска программ. + sk + __APPNAME__ potrebuje kvôli spúšťaniu aplikácií opraviť vašu knižniciu. + sv + __APPNAME__ måste reparera ditt bibliotek för att kunna använda program. + th + __APPNAME__ จำเป็นต้องซ่อมแซมคลังของคุณเพื่อสั่งทำงานแอปพลิเคชั่น + tr + Uygulamaları çalıştırmak için Kitaplık klasörünüzün __APPNAME__ tarafından onarılması gerekiyor. + uk + Програмі __APPNAME__ потрібно полагодити вашу папку «Бібліотека», щоб мати змогу запускати програми. + zh-Hans + “__APPNAME__”需要修复您的资源库才能运行应用程序。 + zh-Hant + “__APPNAME__”需要修復您的資料庫來執行應用程式。 + + group + admin + shared + + timeout + 30 diff --git a/etc/authorization.plist b/etc/authorization.plist index 1a61be9..091f40f 100644 --- a/etc/authorization.plist +++ b/etc/authorization.plist 
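Review bot: The new com.apple.container-repair rule sets class user, group admin, shared true and timeout 30 but carries no comment key, so nothing records what the right gates or why a shared, cached admin credential is acceptable for it; the same applies to the copy added in the etc/authorization.plist hunk. A comment entry next to class, along the lines of `Repair of a user's Library container so applications can run; requires an admin credential.`, would match the convention the file's other rules follow (the removed system.login.console rule had one). With shared true the credential obtained here can be reused for other shared rights within the timeout window and vice versa, which is worth stating in that comment if intended. The fi default-prompt value `Kohteen__APPNAME__` is missing the space before the placeholder. This hunk also drops the system.login.console rule from the merge file; if the merge is what updates existing installs, confirm that removal is intentional.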
@@ -2439,6 +2439,143 @@ See remaining rules for examples. builtin:generic-unlock + com.apple.container-repair + + class + user + default-button + + ar + تصليح + ca + Reparar + cs + Opravit + da + Reparer + de + Reparieren + el + Επισκευή + en + Repair + es + Reparar + fi + Korjaa + fr + Réparer + he + תקן + hr + Popravi + hu + Javítás + it + Ripara + ja + 修復 + ko + 복구 + nb + Reparer + nl + Herstel + pl + Napraw + pt + Reparar + pt-PT + Reparar + ro + Repară + ru + Исправить + sk + Opraviť + sv + Reparera + th + ซ่อมแซม + tr + Onar + uk + Полагодити + zh-Hans + 修复 + zh-Hant + 修復 + + default-prompt + + ar + يحتاج __APPNAME__ إلى إصلاح مكتبتك لتشغيل التطبيات. + ca + __APPNAME__ necessita reparar la vostra biblioteca per poder executar aplicacions. + cs + __APPNAME__ potřebuje opravit vaši knihovnu, aby bylo možné spouštět aplikace. + da + __APPNAME__ skal reparere dit bibliotek for at kunne afvikle programmer. + de + __APPNAME__ muss Ihre Library reparieren, um Programme auszuführen. + el + Η εφαρμογή «__APPNAME__» πρέπει να επισκευάσει τη Βιβλιοθήκη σας ώστε να εκτελεί εφαρμογές. + en + __APPNAME__ needs to repair your Library to run applications. + es + __APPNAME__ necesita reparar su biblioteca para poder ejecutar aplicaciones. + fi + Kohteen__APPNAME__ pitää korjata kirjastosi, jotta se voi suorittaa ohjelmia. + fr + __APPNAME__ doit réparer votre Bibliothèque pour exécuter les applications. + he + על-מנת שניתן יהיה להפעיל יישומים, על __APPNAME__ לתקן את הספריה שלך. + hr + __APPNAME__ treba popraviti vašu medijateku kako bi se mogle pokrenuti aplikacije. + hu + A(z) __APPNAME__ alkalmazásnak ki kell javítania az Ön Könyvtárát az alkalmazások futtatásához. + it + Per poter eseguire applicazioni, __APPNAME__ deve riparare la libreria. + ja + __APPNAME__ は、アプリケーションを実行するためにライブラリを修復する必要があります。 + ko + 응용 프로그램을 실행하려면 __APPNAME__이(가) 사용자의 라이브러리를 복구해야 합니다. + nb + __APPNAME__ må reparere biblioteket ditt for å kunne bruke programmer. 
+ nl + __APPNAME__ moet uw Bibliotheek herstellen om programma's te kunnen uitvoeren. + pl + __APPNAME__ musi naprawić bibliotekę, aby móc uruchamiać programy. + pt + __APPNAME__ necessita reparar sua biblioteca para poder executar aplicativos. + pt-PT + __APPNAME__ tem de reparar a Biblioteca antes de poder executar aplicações. + ro + __APPNAME__ trebuie să repare biblioteca dvs. pentru a putea rula aplicații. + ru + Программе «__APPNAME__» необходимо исправить Вашу библиотеку для запуска программ. + sk + __APPNAME__ potrebuje kvôli spúšťaniu aplikácií opraviť vašu knižniciu. + sv + __APPNAME__ måste reparera ditt bibliotek för att kunna använda program. + th + __APPNAME__ จำเป็นต้องซ่อมแซมคลังของคุณเพื่อสั่งทำงานแอปพลิเคชั่น + tr + Uygulamaları çalıştırmak için Kitaplık klasörünüzün __APPNAME__ tarafından onarılması gerekiyor. + uk + Програмі __APPNAME__ потрібно полагодити вашу папку «Бібліотека», щоб мати змогу запускати програми. + zh-Hans + “__APPNAME__”需要修复您的资源库才能运行应用程序。 + zh-Hant + “__APPNAME__”需要修復您的資料庫來執行應用程式。 + + group + admin + shared + + timeout + 30 + com.apple.dashboard.advisory.allow class diff --git a/src/AuthorizationEngine.cpp b/src/AuthorizationEngine.cpp index 14a154c..b989fc3 100644 --- a/src/AuthorizationEngine.cpp +++ b/src/AuthorizationEngine.cpp 
@@ -164,16 +164,15 @@ Engine::authorize(const AuthItemSet &inRights, const AuthItemSet &environment, string processName = "unknown"; string authCreatorName = "unknown"; - if (SecCodeRef code = Server::process().currentGuest()) { - CFRef path; - if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref())) - processName = cfString(path); - } - if (SecStaticCodeRef code = auth.creatorCode()) { - CFRef path; - if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref())) - authCreatorName = cfString(path); + { + StLock _(Server::process()); + if (SecCodeRef code = Server::process().currentGuest()) { + CFRef path; + if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref())) + processName = cfString(path); + } } + authCreatorName = auth.creatorPath(); if (sandbox_check(Server::process().pid(), "authorization-right-obtain", SANDBOX_FILTER_RIGHT_NAME, (*it)->name())) { Syslog::error("Sandbox denied authorizing right '%s' by client '%s' [%d]", (*it)->name(), processName.c_str(), Server::process().pid()); diff --git a/src/acl_keychain.cpp b/src/acl_keychain.cpp index 59eb86f..e783cfa 100644 --- a/src/acl_keychain.cpp +++ b/src/acl_keychain.cpp 
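Review bot: authCreatorName is still initialized to "unknown" on the context line above and then unconditionally overwritten by `authCreatorName = auth.creatorPath();`, and creatorPath() itself returns "unknown" on failure, so the sentinel now lives in two places; `string authCreatorName = auth.creatorPath();` at the declaration would remove the dead initializer and the duplicate. The new locked block calls Server::process() again inside the if and once more for the lock argument, whereas the acls.cpp and authority.cpp hunks bind `Process &thisProcess = Server::process();` once before locking; the same shape here would keep the three sites consistent. Engine::authorize continues beyond the hunk on both sides.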
@@ -84,34 +84,40 @@ bool KeychainPromptAclSubject::validate(const AclValidationContext &context, mode = (mode & ~CSSM_ACL_KEYCHAIN_PROMPT_INVALID) | (flags & CSSM_ACL_KEYCHAIN_PROMPT_INVALID); // determine signed/validity status of client, without reference to any particular Code Requirement - SecCodeRef clientCode = process.currentGuest(); - Server::active().longTermActivity(); - OSStatus validation = clientCode ? SecCodeCheckValidity(clientCode, kSecCSDefaultFlags, NULL) : errSecCSStaticCodeNotFound; - switch (validation) { - case noErr: // client is signed and valid - secdebug("kcacl", "client is valid, proceeding"); - break; - case errSecCSUnsigned: // client is not signed - if (!(mode & CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED)) { - secdebug("kcacl", "client is unsigned, suppressing prompt"); - return false; - } - break; - case errSecCSSignatureFailed: // client signed but signature is broken - case errSecCSGuestInvalid: // client signed but dynamically invalid - case errSecCSStaticCodeNotFound: // client not on disk (or unreadable) - if (!(mode & CSSM_ACL_KEYCHAIN_PROMPT_INVALID)) { - secdebug("kcacl", "client is invalid, suppressing prompt"); - Syslog::info("suppressing keychain prompt for invalidly signed client %s(%d)", + SecCodeRef clientCode = NULL; + OSStatus validation = errSecCSStaticCodeNotFound; + { + StLock _(process); + Server::active().longTermActivity(); + clientCode = process.currentGuest(); + if (clientCode) + validation = SecCodeCheckValidity(clientCode, kSecCSDefaultFlags, NULL); + switch (validation) { + case noErr: // client is signed and valid + secdebug("kcacl", "client is valid, proceeding"); + break; + case errSecCSUnsigned: // client is not signed + if (!(mode & CSSM_ACL_KEYCHAIN_PROMPT_UNSIGNED)) { + secdebug("kcacl", "client is unsigned, suppressing prompt"); + return false; + } + break; + case errSecCSSignatureFailed: // client signed but signature is broken + case errSecCSGuestInvalid: // client signed but dynamically invalid + case 
errSecCSStaticCodeNotFound: // client not on disk (or unreadable) + if (!(mode & CSSM_ACL_KEYCHAIN_PROMPT_INVALID)) { + secdebug("kcacl", "client is invalid, suppressing prompt"); + Syslog::info("suppressing keychain prompt for invalidly signed client %s(%d)", + process.getPath().c_str(), process.pid()); + return false; + } + Syslog::info("attempting keychain prompt for invalidly signed client %s(%d)", process.getPath().c_str(), process.pid()); + break; + default: // something else went wrong + secdebug("kcacl", "client validation failed rc=%d, suppressing prompt", int32_t(validation)); return false; } - Syslog::info("attempting keychain prompt for invalidly signed client %s(%d)", - process.getPath().c_str(), process.pid()); - break; - default: // something else went wrong - secdebug("kcacl", "client validation failed rc=%d, suppressing prompt", int32_t(validation)); - return false; } // At this point, we're committed to try to Pop The Question. Now, how? @@ -122,6 +128,7 @@ bool KeychainPromptAclSubject::validate(const AclValidationContext &context, // an application (i.e. Keychain Access.app :-) can force this option if (clientCode && validation == noErr) { + StLock _(process); CFRef dict; if (SecCodeCopySigningInformation(clientCode, kSecCSDefaultFlags, &dict.aref()) == noErr) if (CFDictionaryRef info = CFDictionaryRef(CFDictionaryGetValue(dict, kSecCodeInfoPList))) @@ -146,6 +153,7 @@ bool KeychainPromptAclSubject::validate(const AclValidationContext &context, // process an "always allow..." response if (query.remember && clientCode) { + StLock _(process); RefPointer clientXCode = new OSXCodeWrap(clientCode); RefPointer subject = new CodeSignatureAclSubject(OSXVerifier(clientXCode)); SecurityServerAcl::addToStandardACL(context, subject); diff --git a/src/acls.cpp b/src/acls.cpp index ebd304d..6d885bb 100644 --- a/src/acls.cpp +++ b/src/acls.cpp 
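Review bot: clientCode is read from process.currentGuest() inside the first locked block but is used again in two later, separately locked blocks (the @@ -122 and @@ -146 hunks) with the lock released in between; unless currentGuest() hands back a retained reference, the guest can be replaced while unlocked (Process::reset in the process.cpp hunk takes the same lock), leaving clientCode stale or dangling at the later uses. Holding a `CFRef<SecCodeRef>` taken under the first lock, as CFRef is already used for dict and path, or one lock scope spanning all three uses, would close that window; I cannot see currentGuest() from here, so confirm against its definition. Separately, the first block now holds the process lock across SecCodeCheckValidity, which can run long (the hunk itself moves longTermActivity() inside the lock), so every other thread touching this process waits for it; a comment on the lock line stating that this is intended would help. validate() continues beyond the hunks on both sides.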
@@ -87,6 +87,19 @@ void SecurityServerAcl::changeOwner(const AclOwnerPrototype &newOwner, void SecurityServerAcl::validate(AclAuthorization auth, const AccessCredentials *cred, Database *db) { SecurityServerEnvironment env(*this, db); + + { + // Migrator gets a free ride + Process &thisProcess = Server::process(); + StLock _(thisProcess); + SecCodeRef clientRef = thisProcess.currentGuest(); + if (clientRef) { + std::string clientPath = codePath(clientRef); + if (clientPath == std::string("/usr/libexec/KeychainMigrator")) + return; + } + } + StLock objectSequence(aclSequence); StLock processSequence(Server::process().aclSequence); ObjectAcl::validate(auth, cred, &env); diff --git a/src/agentquery.cpp b/src/agentquery.cpp index 123dbfd..b2e25ab 100644 --- a/src/agentquery.cpp +++ b/src/agentquery.cpp @@ -262,8 +262,11 @@ void SecurityAgentQuery::inferHints(Process &thisProcess) { string guestPath; - if (SecCodeRef clientCode = thisProcess.currentGuest()) - guestPath = codePath(clientCode); + { + StLock _(thisProcess); + if (SecCodeRef clientCode = thisProcess.currentGuest()) + guestPath = codePath(clientCode); + } AuthItemSet processHints = clientHints(SecurityAgent::bundle, guestPath, thisProcess.pid(), thisProcess.uid()); mClientHints.insert(processHints.begin(), processHints.end()); @@ -870,8 +873,10 @@ void QueryInvokeMechanism::run(const AuthValueVector &inArguments, AuthItemSet & // prepopulate with client hints inHints.insert(mClientHints.begin(), mClientHints.end()); - if (Server::active().inDarkWake()) - CssmError::throwMe(CSSM_ERRCODE_IN_DARK_WAKE); + if (mAuthHostType == securityAgent) { + if (Server::active().inDarkWake()) + CssmError::throwMe(CSSM_ERRCODE_IN_DARK_WAKE); + } setArguments(inArguments); setInput(inHints, inContext); diff --git a/src/authority.cpp b/src/authority.cpp index 75221a3..f3371af 100644 --- a/src/authority.cpp +++ b/src/authority.cpp 
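Review bot: The new early return in SecurityServerAcl::validate exempts a client from every ACL check on the strength of its on-disk path alone — `codePath(clientRef)` compared with "/usr/libexec/KeychainMigrator" — with no check that the code is validly signed or matches a requirement, and no log line when the exemption is taken. This commit's other files already use stronger identity checks (SecCodeCheckValidity in acl_keychain.cpp, SecRequirementRef matching in codesigdb.cpp); gating the bypass on a validity check against a requirement for that binary rather than on the path string, and recording each bypass with Syslog::info, would keep the exemption auditable. The comment `// Migrator gets a free ride` should also say what the migrator needs and why the normal ACL path cannot serve it. `clientPath == std::string("/usr/libexec/KeychainMigrator")` builds a temporary for nothing; `clientPath == "/usr/libexec/KeychainMigrator"` compares directly. validate() continues past the hunk.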
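Review bot: In QueryInvokeMechanism::run the dark-wake refusal is now confined to `mAuthHostType == securityAgent`, so mechanisms on every other host type proceed during dark wake, and the hunk gives no reason for the distinction. A one-line comment on the new if, e.g. `// dark wake: refuse only the securityAgent host — <why other host types may run>`, would make the intent reviewable; I cannot tell from here whether the other host types are UI-free. The earlier hunk in this file (inferHints) only scopes the new lock and raises nothing. run() continues beyond the hunk.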
@@ -70,8 +70,12 @@ const audit_token_t &auditToken, bool operateAsLeastPrivileged) else mCreatorSandboxed = false; - if (SecCodeRef code = Server::process().currentGuest()) - MacOSError::check(SecCodeCopyStaticCode(code, kSecCSDefaultFlags, &mCreatorCode.aref())); + { + Process &thisProcess = Server::process(); + StLock _(thisProcess); + if (SecCodeRef code = thisProcess.currentGuest()) + MacOSError::check(SecCodeCopyStaticCode(code, kSecCSDefaultFlags, &mCreatorCode.aref())); + } // link to session referent(ssn); @@ -103,6 +107,18 @@ Session &AuthorizationToken::session() const } +std::string AuthorizationToken::creatorPath() const +{ + if (mCreatorCode) { + StLock _(mLock); + CFRef path; + if (SecCodeCopyPath(mCreatorCode, kSecCSDefaultFlags, &path.aref()) == noErr) + return cfString(path); + } + return "unknown"; +} + + // // Locate an authorization given its blob. // diff --git a/src/authority.h b/src/authority.h index d5f8ce8..c71fc46 100644 --- a/src/authority.h +++ b/src/authority.h @@ -71,6 +71,7 @@ public: uid_t creatorUid() const { return mCreatorUid; } gid_t creatorGid() const { return mCreatorGid; } SecStaticCodeRef creatorCode() const { return mCreatorCode; } + std::string creatorPath() const; pid_t creatorPid() const { return mCreatorPid; } bool creatorSandboxed() const { return mCreatorSandboxed; } @@ -99,7 +100,7 @@ public: }; private: - Mutex mLock; // object lock + mutable Mutex mLock; // object lock AuthorizationBlob mHandle; // official randomized blob marker CredentialSet mBaseCreds; // credentials we're based on diff --git a/src/codesigdb.cpp b/src/codesigdb.cpp index 8d3a425..c0b7868 100644 --- a/src/codesigdb.cpp +++ b/src/codesigdb.cpp 
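Review bot: AuthorizationToken::creatorPath() returns the same "unknown" string both when there is no creator code and when SecCodeCopyPath fails, so a caller that logs the value cannot tell an unsigned or unknown creator from a lookup error; a secdebug trace on the failing branch (as the other files in this commit do for such cases) would leave a record while keeping the sentinel for callers. The declaration added in the authority.h hunk has no comment; `std::string creatorPath() const; // path of the creator's code, or "unknown"` documents the sentinel where callers will see it. The lock on mLock around SecCodeCopyPath is presumably there for mCreatorCode's lifetime, but as far as the hunks show mCreatorCode is only assigned in the constructor, so a short comment on why the lock is needed (and hence why mLock became mutable) would help.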
@@ -228,13 +228,12 @@ bool CodeSignatures::verify(Process &process, { secdebug("codesign", "start verify"); - // if we have no client code, we cannot possibly match this + StLock _(process); SecCodeRef code = process.currentGuest(); if (!code) { secdebug("codesign", "no code base: fail"); return false; } - if (SecRequirementRef requirement = verifier.requirement()) { // If the ACL contains a code signature (requirement), we won't match against unsigned code at all. // The legacy hash is ignored (it's for use by pre-Leopard systems). diff --git a/src/process.cpp b/src/process.cpp index 868a082..606e949 100644 --- a/src/process.cpp +++ b/src/process.cpp @@ -42,6 +42,8 @@ Process::Process(TaskPort taskPort, const ClientSetupInfo *info, const CommonCriteria::AuditToken &audit) : mTaskPort(taskPort), mByteFlipped(false), mPid(audit.pid()), mUid(audit.euid()), mGid(audit.egid()) { + StLock _(*this); + // set parent session parent(Session::find(audit.sessionId(), true)); @@ -76,6 +78,7 @@ Process::Process(TaskPort taskPort, const ClientSetupInfo *info, const CommonCri // void Process::reset(TaskPort taskPort, const ClientSetupInfo *info, const CommonCriteria::AuditToken &audit) { + StLock _(*this); if (taskPort != mTaskPort) { secdebug("SS", "Process %p(%d) reset mismatch (tp %d-%d)", this, pid(), taskPort.port(), mTaskPort.port());
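Review bot: The comment `// if we have no client code, we cannot possibly match this` was replaced by the `StLock _(process);` line rather than kept above the null check that follows, so the reason for the early `return false` is lost; restore it under the lock line. Unlike the other files in this commit, which scope the lock to the currentGuest() call in a nested block, this lock is declared at function scope of CodeSignatures::verify and stays held for the rest of the function, including the requirement matching after the hunk; if that is intended, a comment saying the whole verification runs under the process lock would help, otherwise a nested block as in acls.cpp would match the rest of the change. verify() continues beyond the hunk.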
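Review bot: Process::Process now takes `StLock _(*this);` on its own mutex at the top of the constructor body, which only has an effect if other threads can reach this object before construction finishes — for instance through `parent(Session::find(...))` registering the process with its session — and nothing in the hunk says which. A comment on the lock line stating what it guards against during construction would make the intent checkable; if nothing else can see the object yet, the lock is redundant. The constructor's body continues beyond the hunk.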