From 14142b4a2e5eac6ad8fa35233ef94d6ed6f0c45f Mon Sep 17 00:00:00 2001
From: Apple
Date: Thu, 26 May 2011 22:48:18 +0000
Subject: [PATCH] securityd-55009.tar.gz
---
 doc/BLOBFORMAT | 2 +-
 dtrace/securityd-watch.d | 49 +-
 etc/authorization.plist | 6176 +++++++++++++++++++++++++--
 etc/com.apple.securityd.plist | 2 +-
 etc/startup.mk | 1 +
 mig/self.defs | 3 +
 securityd.xcodeproj/project.pbxproj | 27 +-
 src/AuthorizationDBPlist.cpp | 23 +-
 src/AuthorizationEngine.cpp | 38 +-
 src/AuthorizationRule.cpp | 198 +-
 src/AuthorizationRule.h | 18 +-
 src/agentquery.cpp | 98 +-
 src/agentquery.h | 10 +-
 src/auditevents.cpp | 72 +
 src/auditevents.h | 50 +
 src/authhost.cpp | 81 +-
 src/authhost.h | 3 +
 src/authority.cpp | 41 +-
 src/authority.h | 10 +-
 src/ccaudit_extensions.cpp | 2 +-
 src/csproxy.cpp | 20 +-
 src/csproxy.h | 12 +-
 src/main.cpp | 13 +-
 src/process.cpp | 52 +-
 src/process.h | 12 +-
 src/securityd.d | 10 +-
 src/securityd.order | 1586 +++----
 src/server.cpp | 59 +-
 src/server.h | 9 +-
 src/session.cpp | 278 +-
 src/session.h | 111 +-
 src/transition.cpp | 66 +-
 32 files changed, 7310 insertions(+), 1822 deletions(-)
 create mode 100644 src/auditevents.cpp
 create mode 100644 src/auditevents.h
diff --git a/doc/BLOBFORMAT b/doc/BLOBFORMAT
index 6e42669..a6f423d 100644
--- a/doc/BLOBFORMAT
+++ b/doc/BLOBFORMAT
@@ -58,6 +58,6 @@ Decode (input DSK, DEK, KB output PRIVATE_KEY_BYTES, PUBLIC_KEY_BYTES)
 2. Verify the 20 byte SHA1HMAC of TEMP5 using DSK against SIG if if fails the blob is invalid.
 3. Split TEMP5 in LEN(PUBLIC_KEY_BYTES) , PUBLIC_KEY_BYTES and TEMP4.
 4. Decrypt TEMP4 using DEK with an IV of 0x4adda22c79e82105 in CBC mode with PKCS1 padding call the result TEMP3.
-5. Reverse the order of the octects in TEMP3 and call the result TEMP2.
+5. Reverse the order of the octects in TEMP3 and call the result TEMP2.
 6. Split TEMP2 in IV (first 8 bytes) and TEMP1 (rest).
 7. Decrypt TEMP1 using DEK (3DES) and IV in CBC mode with PKCS1 padding. Call the plaintext PRIVATE_KEY_BYTES.
diff --git a/dtrace/securityd-watch.d b/dtrace/securityd-watch.d index 631c2fc..aa40587 100755 --- a/dtrace/securityd-watch.d +++ b/dtrace/securityd-watch.d @@ -1,6 +1,7 @@ #!/usr/sbin/dtrace -q -s + /* * Tracking state */ @@ -201,9 +202,53 @@ securityd*:::request-return /* * Sessions */ -securityd*:::session-* +typedef uint32_t SessionId; + +struct Session { + DTHandle handle; + SessionId sessionid; +}; +struct Session session[SessionId]; + +struct xauditinfo { + uint32_t ai_auid; /* audit user id */ + struct { + unsigned int low; + unsigned int high; + } ai_mask; + struct { + uint32_t dev; + uint32_t type; + uint32_t addr[4]; + } ai_termid; + au_asid_t ai_asid; /* audit session id */ + au_asflgs_t ai_flags; /* audit session flags */ +}; +self struct xauditinfo *ai; + +securityd*:::session-create +{ + session[arg1].handle = arg0; + session[arg1].sessionid = arg1; + self->ai = copyin(arg2, sizeof(struct xauditinfo)); + printf("%u T%d:%s(<%x>,id=%d,uid=%d,flags=%#x)\n", timestamp, self->mytid, probename, + arg0, arg1, self->ai->ai_auid, self->ai->ai_flags); +} + +securityd*:::session-kill +{ + printf("%u T%d:%s(<%x>,id=%d)\n", timestamp, self->mytid, probename, arg0, arg1); +} + +securityd*:::session-destroy +{ + printf("%u T%d:%s(<%x>,id=%d)\n", timestamp, self->mytid, probename, arg0, arg1); +} + +securityd*:::session-notify { - printf("%u T%d:%s(<%x>,0x%x)\n", timestamp, self->mytid, probename, arg0, arg1); + printf("%u T%d:%s(<%x>,id=%d,events=0x%x,uid=%d)\n", timestamp, self->mytid, probename, + session[arg0].handle, arg0, arg1, arg2); } diff --git a/etc/authorization.plist b/etc/authorization.plist index e1b9c04..9fc6c32 100644 --- a/etc/authorization.plist +++ b/etc/authorization.plist @@ -1,5 +1,5 @@ - + comment 
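Review bot: In the new `session-create` clause of dtrace/securityd-watch.d the `copyin()` result is stored in the thread-local `self->ai`, although it is read only by the `printf` in that same clause. The buffer `copyin()` returns is scratch memory that is valid only while the clause runs, so the thread-local keeps a stale pointer afterwards and is never set back to 0; a clause-local is enough: declare `this struct xauditinfo *ai;` and use `this->ai = copyin(arg2, sizeof(struct xauditinfo));`. Separately, `session[arg1]` is filled in `session-create` but left untouched in `session-destroy`, so `session-notify` can print the handle of a session that no longer exists (and prints 0 for sessions created before the script attached); resetting the entry's fields in the destroy clause and a short comment on that limitation would make the trace output easier to trust. `struct xauditinfo` is a hand-written copy of the record passed in `arg2`, so I would add a comment such as `/* must match the audit info structure securityd passes to session-create */` above it; the probe definitions themselves are in src/securityd.d, outside this hunk.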
@@ -34,272 +34,2764 @@ See remaining rules for examples. rule default - config.add. + com.apple. + + rule + default + + com.apple.DiskManagement. class - allow + rule comment - Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights. + Used by diskmanagementd to allow access to its privileged functions + default-button + + ar + تعديل القرص + cs + Změnit Disk + da + Juster disk + de + Volume ändern + en + Modify Disk + es + Modificar disco + fi + Muokkaa levyä + fr + Modifier le disque + hu + Lemez módosítása + it + Modifica disco + ja + ディスクを変更 + ko + 디스크 수정 + nb + Endre disk + nl + Wijzig schijf + pl + Modyfikuj dysk + pt + Modificar Disco + pt-PT + Modificar disco + ru + Модифицировать диск + sv + Ändra skiva + tr + Diski Değiştir + zh-Hans + 修改磁盘 + zh-Hant + 修改磁碟 + + default-prompt + + ar + يحاول __APPNAME__ تعديل القرص المحدد. + cs + __APPNAME__ se pokouší změnit vybraný disk. + da + __APPNAME__ forsøger at ændre den valgte disk. + de + __APPNAME__ versucht, das ausgewählte Volume zu ändern. + en + __APPNAME__ is trying to modify the selected disk. + es + __APPNAME__ está intentando modificar el disco seleccionado. + fi + __APPNAME__ yrittää muokata valittua levyä. + fr + __APPNAME__ essaye de modifier le disque sélectionné. + hu + A(z) __APPNAME__ megpróbálja módosítani a kijelölt lemezt. + it + __APPNAME__ sta cercando di modificare il disco selezionato. + ja + __APPNAME__ は、選択中のディスクを変更しようとしています。 + ko + __APPNAME__이(가) 선택한 디스크를 변경하려고 합니다. + nb + __APPNAME__ prøver å endre den markerte disken. + nl + __APPNAME__ probeert de geselecteerde schijf te wijzigen. + pl + __APPNAME__ próbuje zmodyfikować zaznaczony dysk. + pt + __APPNAME__ está tentando modificar o disco selecionado. + pt-PT + O __APPNAME__ está a tentar modificar o disco seleccionado. + ru + Программа «__APPNAME__» пытается модифицировать выбранный диск. + sv + __APPNAME__ försöker ändra den markerade skivan. + tr + __APPNAME__, seçilen diski değiştirmeye çalışıyor. 
+ zh-Hans + “__APPNAME__”正试图修改所选磁盘。 + zh-Hant + “__APPNAME__”正在嘗試修改所選磁碟。 + + k-of-n + 1 + rule + + is-root + is-admin + default + + shared + - config.config. + com.apple.DiskManagement.reserveKEK + allow-root + class - deny + user comment - Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file). + Used by diskmanagementd to allow use of the reserve KEK. + default-button + + en + Modify Disk + + default-prompt + + en + __APPNAME__ is trying to modify an encrypted disk. + + group + admin + shared + - config.modify. + com.apple.KerberosAgent + class + evaluate-mechanisms + comment + Used to acquire Kerberos credentials. + mechanisms + + KerberosAgent:kerberos-dialog + KerberosAgent:kerberos-authenticate,privileged + + + com.apple.OpenScripting.additions.send + + allow-root + + class + user + comment + Used to send restricted scripting addition commands to processes that require authorization to handle the events. + default-button + + ar + إرسال الأوامر + cs + Odeslat příkazy + da + Send kommandoer + de + Befehle senden + en + Send Commands + es + Enviar comandos + fi + Lähetä komennot + fr + Envoyer des commandes + hu + Parancsok küldése + it + Invia comandi + ja + コマンドを送信 + ko + 명령 보내기 + nb + Send kommandoer + nl + Stuur commando's + pl + Wyślij polecenia + pt + Enviar Comandos + pt-PT + Enviar comandos + ru + Отправить команды + sv + Skicka kommandon + tr + Komutları Gönder + zh-Hans + 发送命令 + zh-Hant + 傳送指令 + + default-prompt + + ar + يحاول __APPNAME__ إرسال أوامر إضافة برامج نصية محظورة إلى التطبيقات. + cs + __APPNAME__ se pokouší odeslat omezené příkazy skriptovacího doplňku jiným aplikacím. + da + __APPNAME__ forsøger at sende begrænsede instrukstilføjelseskommandoer til andre programmer. + de + __APPNAME__ versucht, Befehle für beschränkte Scripting Additions an andere Programme zu senden. + en + __APPNAME__ is trying to send restricted scripting addition commands to other applications. 
+ es + __APPNAME__ está intentando enviar comandos de adición de scripts restringidos a otras aplicaciones. + fi + __APPNAME__ yrittää lähettää rajoitettuja komentosarjalisäyskomentoja muille ohjelmille. + fr + __APPNAME__ essaye d’envoyer des commandes restreintes de compléments de pilotage vers d’autres applications. + hu + A(z) __APPNAME__ megpróbál szkripthozzáadási parancsokat küldeni más alkalmazásoknak. + it + __APPNAME__ sta cercando di inviare alle applicazioni comandi con restrizioni per estensioni AppleScript. + ja + __APPNAME__ は、制限付きスクリプティングの追加コマンドをほかのアプリケーションに送信しようとしています。 + ko + __APPNAME__이(가) 다른 응용 프로그램으로 제한된 스크립팅 추가 명령을 보내려고 합니다. + nb + __APPNAME__ prøver å sende begrensede prosedyretilleggkommandoer til andre programmer. + nl + __APPNAME__ probeert beperkte script-extracommando's naar andere programma's te sturen. + pl + __APPNAME__ próbuje wysłać zastrzeżone skryptowe polecenia dodania do innych programów. + pt + __APPNAME__ está tentando enviar comandos restringidos de adição de roteiros para outros aplicativos. + pt-PT + O __APPNAME__ está tentar enviar comandos restritos de adição a outras aplicações. + ru + Программа «__APPNAME__» пытается отправить команды дополнения к скрипту в другие программы. + sv + __APPNAME__ försöker skicka begränsade skripttilläggkommandon till andra program. + tr + __APPNAME__, diğer uygulamalara sınırlı betik yazma eki komutları göndermeye çalışıyor. + zh-Hans + “__APPNAME__”正试图给其他应用程序发送受限制的脚本添加命令。 + zh-Hant + “__APPNAME__”正在嘗試將受限的工序指令附加程式的指令傳送到其他應用程式。 + + group + admin + + com.apple.Safari.parental-controls + + allow-root + class rule comment - Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication. + Checked when changing parental controls for Safari. 
+ default-button + + ar + تعديل الإعدادات + cs + Změnit nastavení + da + Juster indstillinger + de + Einstellungen ändern + en + Modify Settings + es + Modificar ajustes + fi + Muokkaa asetuksia + fr + Modifer les réglages + hu + Beállítások módosítása + it + Modifica impostazioni + ja + 設定を変更 + ko + 설정 수정 + nb + Endre innstillinger + nl + Wijzig instellingen + pl + Zmień ustawienia + pt + Modificar Ajustes + pt-PT + Modificar definições + ru + Модифицировать настройки + sv + Ändra inställningar + tr + Ayarları Değiştir + zh-Hans + 修改设置 + zh-Hant + 修改設定 + + default-prompt + + ar + يحاول __APPNAME__ تعديل إعدادات الإشراف العائلي لـ Safari. + cs + __APPNAME__ se pokouší změnit nastavení Rodičovského dohledu pro Safari. + da + __APPNAME__ forsøger at ændre indstillingerne til børnesikring i Safari. + de + __APPNAME__ versucht, die Einstellungen für die Kindersicherheit in Safari zu ändern. + en + __APPNAME__ is trying to modify the Parental Controls settings for Safari. + es + __APPNAME__ está intentando modificar los ajustes de los controles parentales de Safari. + fi + __APPNAME__ yrittää muokata Safarin käyttörajoitusten asetuksia. + fr + __APPNAME__ essaye de modifier les réglages du contrôle parental de Safari. + hu + A(z) __APPNAME__ megpróbálja módosítani a Safari szülői felügyeleti beállításait. + it + __APPNAME__ sta cercando di modificare le impostazioni dei controlli censura di Safari. + ja + __APPNAME__ は、Safari の“ペアレンタルコントロール”環境設定を変更しようとしています。 + ko + __APPNAME__이(가) Safari에 대한 유해 콘텐츠 차단 설정을 변경하려고 합니다. + nb + __APPNAME__ prøver å endre foreldrekontrollinnstillingene for Safari. + nl + __APPNAME__ probeert de instellingen voor ouderlijk toezicht van Safari te wijzigen. + pl + __APPNAME__ próbuje zmienić ustawienia Nadzoru rodzicielskiego dla Safari. + pt + __APPNAME__ está tentando modificar os ajustes dos Controles Parentais para o Safari. + pt-PT + O __APPNAME__ está a tentar modificar as definições do Controlo Parental do Safari. 
+ ru + Программа «__APPNAME__» пытается модифицировать настройки Родительского контроля в Safari. + sv + __APPNAME__ försöker ändra Föräldrakontrolls inställningar för Safari. + tr + __APPNAME__, Safari için Ebeveyn Denetimi ayarlarını değiştirmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图修改 Safari的“家长控制”设置。 + zh-Hant + “__APPNAME__”正在嘗試修改 Safari 的“分級保護控制”設定。 + k-of-n 1 rule - is-root + is-admin authenticate-admin + shared + + timeout + 60 - config.remove. + com.apple.ServiceManagement.blesshelper class rule comment - Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication. + Used by the ServiceManagement framework to add a privileged helper tool to the system launchd. + default-button + + ar + تثبيت المساعد + cs + Instalovat nástroj + da + Installer hjælpeprogram + de + Hilfsprogramm installieren + en + Install Helper + es + Instalar asistente + fi + Asenna avustaja + fr + Installer l’utilitaire + hu + Segédeszköz telepítése + it + Installa Helper + ja + ヘルパーをインストール + ko + 보조 응용 프로그램 설치 + nb + Installer hjelper + nl + Installeer Helper + pl + Zainstaluj narzędzie pomocnicze + pt + Instalar Auxiliar + pt-PT + Instalar Ferramenta de Ajuda + ru + Установить Helper + sv + Installera hjälpprogram + tr + Yardımcıyı Yükle + zh-Hans + 安装帮助程序 + zh-Hant + 安裝輔助程式 + + default-prompt + + ar + يحاول __APPNAME__ تثبيت أداة مساعد جديدة. + cs + __APPNAME__ se pokouší nainstalovat nový pomocný nástroj. + da + __APPNAME__ forsøger at installere et nyt hjælpeværktøj. + de + __APPNAME__ versucht, ein neues Hilfsprogramm zu installieren. + en + __APPNAME__ is trying to install a new helper tool. + es + __APPNAME__ está intentando instalar una herramienta asociada. + fi + __APPNAME__ yrittää asentaa uutta avustajatyökalua. + fr + __APPNAME__ essaye d’installer un nouvel utilitaire. + hu + A(z) __APPNAME__ megpróbál telepíteni egy új segédeszközt. + it + __APPNAME__ sta cercando di installare un nuovo Helper. 
+ ja + __APPNAME__ は、新しいヘルパーツールをインストールしようとしています。 + ko + __APPNAME__이(가) 새로운 보조 도구를 설치하려고 합니다. + nb + __APPNAME__ prøver å installere et nytt hjelpeverktøy. + nl + __APPNAME__ probeert een nieuwe helpertool te installeren. + pl + __APPNAME__ próbuje zainstalować nowe narzędzie pomocnicze. + pt + __APPNAME__ está tentando instalar uma nova ferramenta auxiliar. + pt-PT + O __APPNAME__ está a tentar instalar uma nova ferramenta de ajuda. + ru + Программа «__APPNAME__» пытается установить новый инструмент справки. + sv + __APPNAME__ försöker installera ett nytt hjälpverktyg. + tr + __APPNAME__, yeni bir yardımcı araç yüklemeye çalışıyor. + zh-Hans + “__APPNAME__”正试图安装新的帮助程序工具。 + zh-Hant + “__APPNAME__”正在嘗試安裝新的輔助工具。 + k-of-n 1 rule is-root - authenticate-admin + authenticate-admin-30 - config.remove.system. + com.apple.ServiceManagement.daemons.modify class - deny + rule comment - Wildcard right for deleting system rights. - - com.apple. - + Used by the ServiceManagement framework to make changes to the system launchd's set of daemons. + default-button + + ar + إضافة مساعد + cs + Přidat nástroj + da + Tilføj hjælpeprogram + de + Hilfsprogramm hinzufügen + en + Add Helper + es + Añadir asistente + fi + Lisää avustaja + fr + Ajouter l’utilitaire + hu + Segédeszköz hozzáadása + it + Aggiungi Helper + ja + ヘルパーを追加 + ko + 보조 응용 프로그램 추가 + nb + Legg til hjelper + nl + Voeg Helper toe + pl + Dodaj narzędzie pomocnicze + pt + Adicionar Auxiliar + pt-PT + Adicionar Ferramenta de Ajuda + ru + Добавить Helper + sv + Lägg till hjälpprogram + tr + Yardımcı Ekle + zh-Hans + 添加帮助程序 + zh-Hant + 加入輔助程式 + + default-prompt + + ar + يحاول __APPNAME__ إضافة أداة مساعد جديدة. + cs + __APPNAME__ se pokouší přidat nový pomocný nástroj. + da + __APPNAME__ forsøger at tilføje et nyt hjælpeværktøj. + de + __APPNAME__ versucht, ein neues Hilfsprogramm hinzufügen. + en + __APPNAME__ is trying to add a new helper tool. + es + __APPNAME__ está intentando añadir una herramienta asociada. 
+ fi + __APPNAME__ yrittää lisätä uuden avustajatyökalun. + fr + __APPNAME__ essaye d’ajouter un nouvel utilitaire. + hu + A(z) __APPNAME__ megpróbál hozzáadni egy új segédeszközt. + it + __APPNAME__ sta cercando di aggiungere un nuovo Helper. + ja + __APPNAME__ は、新しいヘルパーツールを追加しようとしています。 + ko + __APPNAME__이(가) 새로운 보조 도구를 추가하려고 합니다. + nb + __APPNAME__ prøver å legge til et nytt hjelpeverktøy. + nl + __APPNAME__ probeert een nieuwe helpertool toe te voegen. + pl + __APPNAME__ próbuje dodać nowe narzędzie pomocnicze. + pt + __APPNAME__ está tentando adicionar uma nova ferramenta auxiliar. + pt-PT + O __APPNAME__ está a tentar adicionar uma nova ferramenta de ajuda. + ru + Программа «__APPNAME__» пытается добавить новый инструмент справки. + sv + __APPNAME__ försöker lägga till ett nytt hjälpverktyg. + tr + __APPNAME__, yeni bir yardımcı araç eklemeye çalışıyor. + zh-Hans + “__APPNAME__”正试图添加一个新的帮助程序工具。 + zh-Hant + “__APPNAME__”正在嘗試加入新的輔助工具。 + + k-of-n + 1 rule - default + + is-root + entitled-admin-or-authenticate-admin + - system. + com.apple.SoftwareUpdate.scan + class + rule + comment + Checked when user is updating software. + default-button + + ar + تحقق + cs + Ověřit + da + Søg + de + Überprüfen + en + Check + es + Comprobar + fi + Tarkista + fr + Rechercher + hu + Ellenőrzés + it + Verifica + ja + 確認 + ko + 확인 + nb + Søk + nl + Markeer + pl + Sprawdź + pt + Verificar + pt-PT + Procurar + ru + Проверить + sv + Kontrollera + tr + Denetle + zh-Hans + 检查 + zh-Hant + 檢查 + + default-prompt + + ar + يحاول __APPNAME__ التحقق من برنامج جديد موّفَر من Apple. + cs + __APPNAME__ se pokouší ověřit dostupnost nového softwaru poskytovaného společností Apple. + da + __APPNAME__ prøver at søge efter ny software leveret af Apple. + de + __APPNAME__ versucht, neue von Apple bereitgestellte Software zu finden. + en + __APPNAME__ is trying to check for new Apple-provided software. + es + __APPNAME__ está intentando comprobar si hay software nuevo proporcionado por Apple. 
+ fi + __APPNAME__ yrittää tarkistaa, onko uutta Applen ohjelmistoa saatavilla. + fr + __APPNAME__ essaie de rechercher des nouveaux logiciels fournis par Apple. + hu + A(z) __APPNAME__ megpróbál ellenőrizni egy új, Apple által szolgáltatott szoftvert. + it + __APPNAME__ sta tentando di verificare se è disponibile nuovo software fornito da Apple. + ja + __APPNAME__ は、Apple 提供の新規ソフトウェアを確認しようとしています。 + ko + __APPNAME__이(가) Apple에서 제공한 새로운 소프트웨어를 확인하려고 합니다. + nb + __APPNAME__ prøver å søke etter ny programvare som er levert av Apple. + nl + __APPNAME__ probeert te zoeken naar nieuwe van Apple afkomstige software. + pl + __APPNAME__ próbuje sprawdzić dostępność oprogramowania udostępnionego przez Apple. + pt + __APPNAME__ está tentando buscar novos softwares fornecidos pela Apple. + pt-PT + __APPNAME__ está a tentar procurar novo software da Apple. + ru + __APPNAME__ пытается проверить наличие нового ПО, предоставленного компанией Apple. + sv + __APPNAME__ försöker kontrollera om ny programvara från Apple finns tillgänglig. + tr + __APPNAME__, Apple tarafından sağlanan yeni yazılım olup olmadığını denetlemeye çalışıyor. + zh-Hans + __APPNAME__ 正在尝试检查是否存在新的 Apple 提供的软件。 + zh-Hant + __APPNAME__ 正在嘗試檢查 Apple 提供的新軟體。 + rule - default + root-or-entitled-admin-or-authenticate-admin - sys.openfile. + com.apple.XType.fontmover.install + allow-root + class user - comment - See authopen(1) for information on the use of this right. + default-button + + ar + تثبيت + cs + Instalovat + de + Installieren + en + Install + es + Instalar + fi + Asenna + fr + Install + hu + Telepítés + it + Installa + ja + インストール + ko + 설치 + nb + Installer + nl + Installeer + pl + Instaluj + pt + Instalar + pt_PT + Instalar + ru + Установить + sv + Installera + tr + Yükle + zh_CN + 安装 + zh_TW + 安裝 + + default-prompt + + ar + يحاول __APPNAME__ تثبيت خطوط النظام الجديدة. + cs + __APPNAME__ se pokouší nainstalovat nová systémová písma. + de + __APPNAME__ versucht neue Systemschriften zu installieren. 
+ en + __APPNAME__ is trying to install new system fonts. + es + __APPNAME__ está intentando instalar nuevos tipos de letra del sistema. + fi + __APPNAME__ yrittää asentaa uusia järjestelmäfontteja. + fr + __APPNAME__ essaie d’installer de nouvelles polices système. + hu + A(z) __APPNAME__ megpróbál új rendszer-betűtípust telepíteni. + it + __APPNAME__ sta tentando di installare nuovi font di sistema. + ja + __APPNAME__ は、新規システムフォントをインストールしようとしています。 + ko + __APPNAME__에서 새로운 시스템 서체를 설치하려고 합니다. + nb + __APPNAME__ prøver å installere nye systemfonter. + nl + __APPNAME__ probeert nieuwe systeemlettertypen te installeren. + pl + __APPNAME__ próbuje zainstalować nowe czcionki systemowe. + pt + __APPNAME__ está tentando instalar novas fontes do sistema. + pt_PT + __APPNAME__ está a tentar instalar novos tipos de letra do sistema. + ru + Программа «__APPNAME__» пытается установить новые системные шрифты. + sv + __APPNAME__ försöker installera nya systemtypsnitt. + tr + __APPNAME__, yeni sistem fontları yüklemeye çalışıyor. + zh_CN + “__APPNAME__”正试图安装新的系统字体。 + zh_TW + “__APPNAME__”正在嘗試安裝新的系統字體。 + group admin shared - + timeout 300 - system.device.dvd.setregion.initial + com.apple.XType.fontmover.remove + allow-root + class user - comment - Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change). + default-button + + ar + إزالة + cs + Odstranit + de + Fjern + en + Remove + es + Eliminar + fi + Poista + fr + Remove + hu + Eltávolítás + it + Rimuovi + ja + 取り除く + ko + 제거 + nb + Fjern + nl + Verwijder + pl + Usuń + pt + Remover + pt_PT + Remover + ru + Удалить + sv + Ta bort + tr + Sil + zh_CN + 移除 + zh_TW + 移除 + + default-prompt + + ar + يحاول __APPNAME__ إزالة خطوط النظام الموجودة. + cs + __APPNAME__ se pokouší odstranit existující systémová písma. + de + __APPNAME__ versucht vorhandene Systemschriften zu entfernen. 
+ en + __APPNAME__ is trying to remove existing system fonts. + es + __APPNAME__ está intentando eliminar tipos de letra del sistema. + fi + __APPNAME__ yrittää poistaa nykyistä järjestelmäfonttia. + fr + __APPNAME__ essaie de supprimer des polices système par défaut. + hu + A(z) __APPNAME__ megpróbál eltávolítani egy meglévő rendszer-betűtípust. + it + __APPNAME__ sta tentando di rimuovere i font di un sistema esistente. + ja + __APPNAME__ は、既存のシステムフォントを取り除こうとしています。 + ko + __APPNAME__에서 기존의 시스템 서체를 제거하려고 합니다. + nb + __APPNAME__ prøver å fjerne eksisterende systemfonter. + nl + __APPNAME__ probeert bestaande systeemlettertypen te verwijderen. + pl + __APPNAME__ próbuje usunąć istniejące czcionki systemowe. + pt + __APPNAME__ está tentando remover fontes existentes do sistema. + pt_PT + __APPNAME__ está a tentar remover tipos de letra do sistema. + ru + Программа «__APPNAME__» пытается удалить имеющиеся системные шрифты. + sv + __APPNAME__ försöker ta bort befintliga systemtypsnitt. + tr + __APPNAME__, var olan sistem fontlarını silmeye çalışıyor. + zh_CN + “__APPNAME__”正试图移除现有的系统字体。 + zh_TW + “__APPNAME__”正在嘗試移除現有的系統字體。 + group admin shared + timeout + 300 - system.login.console + com.apple.XType.fontmover.restore class - evaluate-mechanisms + rule + default-button + + ar + استعادة + cs + Obnovit + de + Wiederherstellen + en + Restore + es + Restaurar + fi + Palauta + fr + Restore + hu + Visszaállítás + it + Ripristina + ja + 復元 + ko + 복원 + nb + Gjenopprett + nl + Zet terug + pl + Przywróć + pt + Restaurar + pt_PT + Restaurar + ru + Восстановить + sv + Återskapa + tr + Geri Yükle + zh_CN + 恢复 + zh_TW + 回復 + + default-prompt + + ar + يحاول __APPNAME__ استعادة خطوط النظام الافتراضية. + cs + __APPNAME__ se pokouší obnovit výchozí systémová písma. + de + __APPNAME__ versucht die Standard-Systemschriften wiederherzustellen. + en + __APPNAME__ is trying to restore the default system fonts. 
+ es + __APPNAME__ está intentando restaurar los tipos de letra por omisión del sistema. + fi + __APPNAME__ yrittää palauttaa järjestelmän oletusfontteja. + fr + __APPNAME__ essaie de restaurer les polices système par défaut. + hu + A(z) __APPNAME__ megpróbálja visszaállítani az alapértelmezett rendszer-betűtípust. + it + __APPNAME__ sta tentando di ripristinare i font di default del sistema. + ja + __APPNAME__ は、デフォルトのシステムフォントを復元しようとしてします。 + ko + __APPNAME__에서 기본 시스템 서체를 복원하려고 합니다. + nb + __APPNAME__ prøver å gjenopprette standard systemfonter. + nl + __APPNAME__ probeert de standaardsysteemlettertypen terug te zetten. + pl + __APPNAME__ próbuje przywrócić domyślne czcionki systemowe. + pt + __APPNAME__ está tentando restaurar as fontes padrão do sistema. + pt_PT + __APPNAME__ está a tentar restaurar os tipos de letra predefinidos do sistema. + ru + Программа «__APPNAME__» пытается восстановить стандартные системные шрифты. + sv + __APPNAME__ försöker återskapa de förvalda systemtypsnitten. + tr + __APPNAME__, saptanmış sistem fontlarını geri yüklemeye çalışıyor. + zh_CN + “__APPNAME__”正试图恢复默认的系统字体。 + zh_TW + “__APPNAME__”正在嘗試回復預設的系統字體。 + + rule + root-or-entitled-admin-or-authenticate-admin + + com.apple.ZFSManager. + + class + rule comment - Login mechanism based rule. Not for general use, yet. - mechanisms + Used by zfsmanager to allow access to destructive zfs functions + k-of-n + 1 + rule - builtin:smartcard-sniffer,privileged - loginwindow:login - builtin:reset-password,privileged - builtin:auto-login,privileged - builtin:authenticate,privileged - loginwindow:success - HomeDirMechanism:login,privileged - HomeDirMechanism:status - MCXMechanism:login - loginwindow:done + is-root + is-admin + default + shared + - system.login.done + com.apple.activitymonitor.kill class - evaluate-mechanisms - mechanisms - - + rule + comment + Used by Activity Monitor to authorize killing processes not owned by the user. 
+ default-button + + ar + إنهاء العملية + cs + Ukončit proces + da + Slut proces + de + Vorgang beenden + en + Quit Process + es + Salir del proceso + fi + Lopeta prosessi + fr + Quitter l’opération + hu + Folyamat bezárása + it + Esci dal processo + ja + プロセスを終了 + ko + 프로세스 종료 + nb + Avslutt prosess + nl + Stop proces + pl + Zakończ proces + pt + Encerrar Processo + pt-PT + Sair do processo + ru + Завершить процесс + sv + Avsluta process + tr + İşlemden Çık + zh-Hans + 退出进程 + zh-Hant + 結束程序 + + default-prompt + + ar + يحاول __APPNAME__ إنهاء العملية المحددة. + cs + __APPNAME__ se pokouší ukončit vybraný proces. + da + __APPNAME__ forsøger at afslutte den valgte proces. + de + __APPNAME__ versucht, den ausgewählten Vorgang zu beenden. + en + __APPNAME__ is trying to quit the selected process. + es + __APPNAME__ está intentando salir del proceso seleccionado. + fi + __APPNAME__ yrittää lopettaa valittua prosessia. + fr + __APPNAME__ essaye de quitter le processus sélectionné. + hu + A(z) __APPNAME__ megpróbál kilépni a kijelölt folyamatból. + it + __APPNAME__ sta cercando di uscire dal processo selezionato. + ja + __APPNAME__ は、選択中のプロセスを終了しようとしています。 + ko + __APPNAME__이(가) 선택한 프로세스를 종료하려고 합니다. + nb + __APPNAME__ prøver å avslutte den markerte prosessen. + nl + __APPNAME__ probeert het geselecteerde proces te stoppen. + pl + __APPNAME__ próbuje zakończyć zaznaczony proces. + pt + __APPNAME__ está tentando encerrar o processo selecionado. + pt-PT + O __APPNAME__ está a tentar sair do processo seleccionado. + ru + Программа «__APPNAME__» пытается завершить выбранный процесс. + sv + __APPNAME__ försöker avsluta den markerade processen. + tr + __APPNAME__, seçilen işlemden çıkmaya çalışıyor. 
+ zh-Hans + “__APPNAME__”正试图退出所选进程。 + zh-Hant + “__APPNAME__”正在嘗試結束所選程序。 + + rule + entitled-admin-or-authenticate-admin + shared + + timeout + 0 - system.login.screensaver + com.apple.appserver.privilege.admin class rule comment - The owner or any administrator can unlock the screensaver. + For administrative access to the Application Server management tool. + default-button + + ar + تعديل الإعدادات + cs + Změnit nastavení + da + Juster indstillinger + de + Einstellungen ändern + en + Modify Settings + es + Modificar ajustes + fi + Muokkaa asetuksia + fr + Modifer les réglages + hu + Beállítások módosítása + it + Modifica impostazioni + ja + 設定を変更 + ko + 설정 수정 + nb + Endre innstillinger + nl + Wijzig instellingen + pl + Zmień ustawienia + pt + Modificar Ajustes + pt-PT + Modificar definições + ru + Модифицировать настройки + sv + Ändra inställningar + tr + Ayarları Değiştir + zh-Hans + 修改设置 + zh-Hant + 修改設定 + + default-prompt + + ar + يحاول __APPNAME__ تعديل إعدادات خادم التطبيق. + cs + __APPNAME__ se pokouší změnit nastavení serveru aplikací. + da + __APPNAME__ forsøger at ændre indstillingerne til programserveren. + de + __APPNAME__ versucht, die Einstellungen für den Anwendungsserver zu ändern. + en + __APPNAME__ is trying to modify the Application Server settings. + es + __APPNAME__ está intentando modificar los ajustes del servidor de aplicaciones. + fi + __APPNAME__ yrittää muokata ohjelmistopalvelimen asetuksia. + fr + __APPNAME__ essaye de modifier les réglages de serveur d’applications. + hu + A(z) __APPNAME__ megpróbálja módosítani az Alkalmazáskiszolgáló beállításait. + it + __APPNAME__ sta cercando di modificare le impostazioni di applicazioni per il server. + ja + __APPNAME__ は、アプリケーションサーバの設定を変更しようとしています。 + ko + __APPNAME__이(가) 응용 프로그램 서버 설정을 수정하려고 합니다. + nb + __APPNAME__ prøver å endre programtjenerinnstillingene. + nl + __APPNAME__ probeert de instellingen van de programmaserver te wijzigen. + pl + __APPNAME__ zmienić ustawienia serwera programów. 
+ pt + __APPNAME__ está tentando modificar os ajustes do Servidor de Aplicativos. + pt-PT + O __APPNAME__ está a tentar modificar as definições do servidor de aplicações. + ru + Программа «__APPNAME__» пытается модифицировать настройки сервера программ. + sv + __APPNAME__ försöker ändra inställningarna för programservern. + tr + __APPNAME__, Uygulama Sunucusu ayarlarını değiştirmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图修改“应用程序服务器”设置。 + zh-Hant + “__APPNAME__”正在嘗試修改“應用程式伺服器”設定。 + rule - authenticate-session-owner-or-admin + appserver-admin - system.login.tty + com.apple.appserver.privilege.user + + class + rule + comment + For user access to the Application Server management tool. + default-button + + ar + تعديل الإعدادات + cs + Změnit nastavení + da + Juster indstillinger + de + Einstellungen ändern + en + Modify Settings + es + Modificar ajustes + fi + Muokkaa asetuksia + fr + Modifer les réglages + hu + Beállítások módosítása + it + Modifica impostazioni + ja + 設定を変更 + ko + 설정 수정 + nb + Endre innstillinger + nl + Wijzig instellingen + pl + Zmień ustawienia + pt + Modificar Ajustes + pt-PT + Modificar definições + ru + Модифицировать настройки + sv + Ändra inställningar + tr + Ayarları Değiştir + zh-Hans + 修改设置 + zh-Hant + 修改設定 + + default-prompt + + ar + يحاول __APPNAME__ تعديل إعدادات خادم التطبيق الخاصة بك. + cs + __APPNAME__ se pokouší změnit nastavení vašeho serveru aplikací. + da + __APPNAME__ forsøger at ændre dine indstillinger til programserveren. + de + __APPNAME__ versucht, die Einstellungen für Ihren Anwendungsserver zu ändern. + en + __APPNAME__ is trying to modify your Application Server settings. + es + __APPNAME__ está intentado modificar los ajustes del servidor de aplicaciones. + fi + __APPNAME__ yrittää muokata ohjelmistopalvelimen asetuksia. + fr + __APPNAME__ essaye de modifier les réglages de votre serveur d’applications. + hu + A(z) __APPNAME__ megpróbálja módosítani az Alkalmazáskiszolgáló beállításait. 
+ it + __APPNAME__ sta cercando di modificare le impostazioni di applicazioni per il server. + ja + __APPNAME__ は、アプリケーションサーバの設定を変更しようとしています。 + ko + __APPNAME__이(가) 사용자의 응용 프로그램 서버 설정을 수정하려고 합니다. + nb + __APPNAME__ prøver å endre programtjenerinnstillingene. + nl + __APPNAME__ probeert uw instellingen voor de programmaserver te wijzigen. + pl + __APPNAME__ zmienić ustawienia serwera programów. + pt + __APPNAME__ está tentando modificar os ajustes do seu Servidor de Aplicativos. + pt-PT + O __APPNAME__ está a tentar modificar as definições do seu servidor de aplicações. + ru + Программа «__APPNAME__» пытается модифицировать Ваши настройки сервера программ. + sv + __APPNAME__ försöker ändra inställningarna för din programserver. + tr + __APPNAME__, Uygulama Sunucusu ayarlarınızı değiştirmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图修改您的“应用程序服务器”设置。 + zh-Hant + “__APPNAME__”正在嘗試修改您的“應用程式伺服器”設定。 + + k-of-n + 1 + rule + + appserver-admin + appserver-user + + + com.apple.builtin.confirm-access class evaluate-mechanisms + mechanisms + + builtin:confirm-access + tries 1 + + com.apple.builtin.confirm-access-password + + class + evaluate-mechanisms mechanisms - push_hints_to_context - authinternal + builtin:confirm-access-password - system.keychain.create.loginkc + com.apple.builtin.generic-new-passphrase - allow-root - class evaluate-mechanisms - comment - Used by the Security framework when you add an item to an unconfigured default keychain. mechanisms - loginKC:queryCreate - loginKC:showPasswordUI - authinternal + builtin:generic-new-passphrase - session-owner - - shared - - system.keychain.modify + com.apple.builtin.generic-unlock + + class + evaluate-mechanisms + mechanisms + + builtin:generic-unlock + + + com.apple.dashboard.advisory.allow class user - comment - Used by Keychain Access when editing a system keychain. 
group admin shared - + timeout - 30 + 300 - system.preferences + com.apple.desktopservices - allow-root - class user comment - Checked by the Admin framework when making changes to certain System Preferences. + For privileged file operations from within the Finder. group admin shared - + + timeout + 0 - system.preferences.accounts + com.apple.desktopservices.scripted - allow-root - class user comment - Checked by the Admin framework when making changes to the Accounts preference pane. + For scripting-initiated privileged file operations from within the Finder. group admin shared + timeout + 0 - system.preferences.parental-controls + com.apple.docset.install class user comment - Checked when making changes to the Parental Controls preference pane. + Used by Xcode to restrict access to a daemon it uses to install and update documentation sets. + default-button + + ar + تحديث الوثائق + cs + Aktualizovat dokumentaci + da + Opdater dokumentation + de + Dokumentation aktualisieren + en + Update Documentation + es + Actualizar documentación + fi + Päivitä dokumentaatio + fr + Mettre à jour la documentation + hu + Dokumentáció frissítése + it + Aggiona documentazione + ja + ドキュメントをアップデート + ko + 설명서 업데이트 + nb + Oppdater dokumentasjon + nl + Werk documentatie bij + pl + Uaktualnij dokumentację + pt + Atualizar Documentação + pt-PT + Actualizar documentação + ru + Обновить документацию + sv + Uppdatera dokumentation + tr + Belgeleri Güncelle + zh-Hans + 更新文稿 + zh-Hant + 更新說明文件 + + default-prompt + + ar + يحاول __APPNAME__ تحديث مطور الوثائق. + cs + __APPNAME__ se pokouší aktualizovat vývojářskou dokumentaci. + da + __APPNAME__ forsøger at opdatere dokumentationen til udvikling. + de + __APPNAME__ versucht, die Entwicklerdokumentation zu aktualisieren. + en + __APPNAME__ is trying to update the developer documentation. + es + __APPNAME__ está intentando actualizar la documentación para desarrolladores. + fi + __APPNAME__ yrittää päivittää kehittäjän dokumentaatiota. 
+ fr + __APPNAME__ essaye de mettre à jour la documentation de développement. + hu + A(z) __APPNAME__ megpróbálja frissíteni a fejlesztői dokumentációt. + it + __APPNAME__ sta cercando di aggiornare la documentazione sviluppatori. + ja + __APPNAME__ はデベロッパドキュメントをアップデートしようとしています。 + ko + __APPNAME__이(가) 개발자 설명서를 업데이트하려고 합니다. + nb + __APPNAME__ prøver å oppdatere utviklerdokumentasjonen. + nl + __APPNAME__ probeert de documentatie voor ontwikkelaars bij te werken. + pl + __APPNAME__ próbuje uaktualnić dokumentację dla programistów. + pt + __APPNAME__ está tentando atualizar a documentação do desenvolvedor. + pt-PT + O __APPNAME__ está a tentar actualizar a documentação de programação. + ru + Программа «__APPNAME__» пытается обновить документацию для разработчиков. + sv + __APPNAME__ försöker uppdatera dokumentationen för utvecklare. + tr + __APPNAME__, geliştirici belgelerini güncellemeye çalışıyor. + zh-Hans + “__APPNAME__”正试图更新开发者文稿。 + zh-Hant + “__APPNAME__”正在嘗試更新開發人員說明文件。 + group admin shared - system.preferences.accessibility + com.apple.pcastagentconfigd. allow-root class user comment - Checked by the Admin framework when enabling or disabling the Accessibility APIs. + Wildcard for rights checked by Podcast Producer when making changes to your camera binding. + default-button + + ar + تعديل الإعدادات + cs + Změnit nastavení + da + Juster indstillinger + de + Einstellungen ändern + en + Modify Settings + es + Modificar ajustes + fi + Muokkaa asetuksia + fr + Modifer les réglages + hu + Beállítások módosítása + it + Modifica impostazioni + ja + 設定を変更 + ko + 설정 수정 + nb + Endre innstillinger + nl + Wijzig instellingen + pl + Zmień ustawienia + pt + Modificar Ajustes + pt-PT + Modificar definições + ru + Модифицировать настройки + sv + Ändra inställningar + tr + Ayarları Değiştir + zh-Hans + 修改设置 + zh-Hant + 修改設定 + + default-prompt + + ar + يحاول __APPNAME__ تعديل إعدادات منتج البودكاست. + cs + __APPNAME__ se pokouší změnit nastavení aplikace Podcast Producer. 
+ da + __APPNAME__ forsøger at ændre indstillingerne til Podcast Producer. + de + __APPNAME__ versucht, die Einstellungen für Podcast-Produzent zu ändern. + en + __APPNAME__ is trying to modify the Podcast Producer settings. + es + __APPNAME__ está intentando modificar los ajustes de Podcast Producer. + fi + __APPNAME__ yrittää muokata Podcast Producer -asetuksia. + fr + __APPNAME__ essaye de modifier les réglages de Podcast Producer. + hu + A(z) __APPNAME__ megpróbálja módosítani a Podcast Producer beállításait. + it + __APPNAME__ sta cercando di modificare le impostazioni Podcast Producer. + ja + __APPNAME__ は、Podcast Producer の設定を変更しようとしています。 + ko + __APPNAME__이(가) Podcast Producer 설정을 수정하려고 합니다. + nb + __APPNAME__ prøver å endre Podcast Producer-innstillingene. + nl + __APPNAME__ probeert de Podcast Producer-instellingen te wijzigen. + pl + __APPNAME__ próbuje zmienić ustawienia programu Podcast Producer. + pt + __APPNAME__ está tentando modificar os ajustes do Podcast Producer. + pt-PT + O __APPNAME__ está a tentar modificar as definições do Podcast Producer. + ru + Программа «__APPNAME__» пытается модифицировать настройки Podcast Producer. + sv + __APPNAME__ försöker ändra inställningarna i Podcast Producer. + tr + __APPNAME__, Podcast Üretici ayarlarını değiştirmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图修改 Podcast Producer 的设置。 + zh-Hant + “__APPNAME__”正在嘗試修改 Podcast Producer 設定。 + group admin shared + + com.apple.server.admin.streaming + + allow-root + + class + rule + comment + For making administrative requests to the QuickTime Streaming Server. 
+ default-button + + ar + تعديل الإعدادات + cs + Změnit nastavení + da + Juster indstillinger + de + Einstellungen ändern + en + Modify Settings + es + Modificar ajustes + fi + Muokkaa asetuksia + fr + Modifer les réglages + hu + Beállítások módosítása + it + Modifica impostazioni + ja + 設定を変更 + ko + 설정 수정 + nb + Endre innstillinger + nl + Wijzig instellingen + pl + Zmień ustawienia + pt + Modificar Ajustes + pt-PT + Modificar definições + ru + Модифицировать настройки + sv + Ändra inställningar + tr + Ayarları Değiştir + zh-Hans + 修改设置 + zh-Hant + 修改設定 + + default-prompt + + ar + يحاول __APPNAME__ تعديل إعدادات خادم تدفق QuickTime. + cs + __APPNAME__ se pokouší změnit nastavení serveru QuickTime Streaming. + da + __APPNAME__ forsøger at ændre indstillingerne til QuickTime Streaming. + de + __APPNAME__ versucht, die QuickTime-Streaming-Servereinstellungen zu ändern. + en + __APPNAME__ is trying to modify the QuickTime Streaming Server settings. + es + __APPNAME__ está intentando modificar los ajustes de QuickTime Streaming Server. + fi + __APPNAME__ yrittää muokata QuickTime Streaming Server -asetuksia. + fr + __APPNAME__ essaye de modifier le réglages de QuickTime Streaming Server. + hu + A(z) __APPNAME__ megpróbálja módosítani a QuickTime Streaming kiszolgáló beállításait. + it + __APPNAME__ sta cercando di modificare le impostazioni QuickTime Streaming Server. + ja + __APPNAME__ は、QuickTime Streaming Server の設定を変更しようとしています。 + ko + __APPNAME__이(가) QuickTime Streaming Server 설정을 수정하려고 합니다. + nb + __APPNAME__ prøver å endre QuickTime Streaming Server-innstillingene. + nl + __APPNAME__ probeert de instellingen van de QuickTime-streamingserver te wijzigen. + pl + __APPNAME__ próbuje zmienić ustawienia serwera strumieniowania QuickTime. + pt + __APPNAME__ está tentando modificar os ajustes do QuickTime Streaming Server. + pt-PT + O __APPNAME__ está a tentar modificar as definições do servidor de streaming do QuickTime. 
+ ru + Программа «__APPNAME__» пытается модифицировать настройки сервера QuickTime Streaming. + sv + __APPNAME__ försöker ändra inställningarna för QuickTime Streaming Server. + tr + __APPNAME__, QuickTime Streaming Server ayarlarını değiştirmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图修改 QuickTime 流服务器的设置。 + zh-Hant + “__APPNAME__”正在嘗試修改 QuickTime Streaming Server 設定。 + + k-of-n + 1 + rule + + is-admin + authenticate-admin + + shared + timeout 0 - system.preferences.security + com.apple.trust-settings.admin allow-root class user comment - Checked by the Admin framework when making changes to the Security preference pane. + For modifying Trust Settings in the Local Admin domain. + default-button + + ar + تحديث الإعدادات + cs + Aktualizovat nastavení + da + Opdater indstillinger + de + Einstellungen aktualisieren + en + Update Settings + es + Actualizar ajustes + fi + Päivitä asetukset + fr + Mettre à jour les réglages + hu + Beállítások frissítése + it + Aggiorna impostazioni + ja + 設定をアップデート + ko + 설정 업데이트 + nb + Oppdater innstillinger + nl + Werk instellingen bij + pl + Uaktualnij ustawienia + pt + Atualizar Ajustes + pt-PT + Actualizar definições + ru + Обновить настройки + sv + Uppdatera inställningar + tr + Ayarları Güncelle + zh-Hans + 更新设置 + zh-Hant + 更新設定 + + default-prompt + + ar + أنت تقوم بإجراء تغييرات على إعدادات الثقة في شهادة النظام. + cs + Provádíte změny v systémových nastaveních důvěryhodnosti certifikátů. + da + Du foretager ændringer i systemcertifikatets godkendelsesindstillinger. + de + Sie nehmen Änderungen an Ihren Systemeinstellungen für Zertifizierungen vor. + en + You are making changes to the System Certificate Trust Settings. + es + Está modificando los ajustes de confianza en certificados del sistema. + fi + Olet muuttamassa järjestelmävarmenteiden luottoasetuksia. + fr + Vous effectuez des modifications des réglages de confiance du certificat du système. + hu + Módosítja a Rendszertanúsítványok megbízhatósági beállításait. 
+ it + Stai apportando modifiche alle impostazioni System Certificate Trust. + ja + “システム証明書の信頼性”環境設定を変更しようとしています。 + ko + 시스템 인증서 신뢰 설정을 변경하고 있습니다. + nb + Du endrer tillitsinnstillingene for systemsertifikater. + nl + U wijzigt de systeeminstellingen voor het vertrouwen van certificaten. + pl + Wprowadzasz zmiany w ustawieniach zaufania certyfikatu systemowego. + pt + Você está fazendo alterações nos Ajustes de Confiança dos Certificados do Sistema. + pt-PT + Está a alterar as definições de segurança do certificado do sistema. + ru + Вы вносите изменения в настройки доверия системы. + sv + Du gör ändringar i systemets tillförlitlighetsinställningar för certifikat. + tr + Sistem Sertifikası Güven Ayarları’nda değişiklikler yapıyorsunuz. + zh-Hans + 您正在更改“系统证书信任设置”。 + zh-Hant + 您正在更改“系統憑證信任設定”。 + group admin - shared - - system.printingmanager + com.apple.trust-settings.user - class + comment + For modifying per-user Trust Settings. + default-button + + ar + تحديث الإعدادات + cs + Aktualizovat nastavení + da + Opdater indstillinger + de + Einstellungen aktualisieren + en + Update Settings + es + Actualizar ajustes + fi + Päivitä asetukset + fr + Mettre à jour les réglages + hu + Beállítások frissítése + it + Aggiorna impostazioni + ja + 設定をアップデート + ko + 설정 업데이트 + nb + Oppdater innstillinger + nl + Werk instellingen bij + pl + Uaktualnij ustawienia + pt + Atualizar Ajustes + pt-PT + Actualizar definições + ru + Обновить настройки + sv + Uppdatera inställningar + tr + Ayarları Güncelle + zh-Hans + 更新设置 + zh-Hant + 更新設定 + + default-prompt + + ar + أنت تقوم بإجراء تغييرات على إعدادات الثقة في شهادة النظام. + cs + Provádíte změny v nastaveních důvěryhodnosti certifikátů. + da + Du foretager ændringer i systemcertifikatets godkendelsesindstillinger. + de + Sie nehmen Änderungen an Ihren Systemeinstellungen für Zertifizierungen vor. + en + You are making changes to your Certificate Trust Settings. + es + Está modificando los ajustes de confianza en certificados. 
+ fi + Olet muuttamassa varmenteiden luottoasetuksia. + fr + Vous effectuez des modifications de vos réglages de confiance du certificat. + hu + Módosítja a saját tanúsítványainak megbízhatósági beállításait. + it + Stai apportando modifiche alle impostazioni Certificate Trust. + ja + “システム証明書の信頼性”環境設定を変更しようとしています。 + ko + 사용자의 인증서 신뢰 설정을 변경하고 있습니다. + nb + Du endrer tillitsinnstillingene for sertifikater. + nl + U wijzigt uw instellingen voor het vertrouwen van certificaten. + pl + Wprowadzasz zmiany w ustawieniach zaufania swojego certyfikatu. + pt + Você está fazendo alterações nos seus Ajustes de Confiança dos Certificados. + pt-PT + Está a alterar as suas definições de segurança do certificado do sistema. + ru + Вы вносите изменения в свои настройки доверия. + sv + Du gör ändringar i dina tillförlitlighetsinställningar för certifikat. + tr + Sertifika Güven Ayarları’nızda değişiklikler yapıyorsunuz. + zh-Hans + 您正在更改您的“证书信任设置”。 + zh-Hant + 您正在更改您的“憑證信任設定”。 + + rule + entitled-session-owner-or-authenticate-session-owner + + com.apple.uninstalld.uninstall + + class rule + default-button + + cs + Smazat + en + Delete + hu + Törlés + tr + Sil + + default-prompt + + cs + __APPNAME__ se pokouší smazat aplikaci. + en + __APPNAME__ is trying to delete an application. + hu + A(z) __APPNAME__ megpróbál egy alkalmazást törölni. + tr + __APPNAME__, bir uygulamayı silmeye çalışıyor. + + rule + entitled-admin-or-authenticate-admin + + config.add. + + class + allow comment - For printing to locked printers. + Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights. + + config.config. + + class + deny + comment + Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file). + + config.modify. + + class + rule + comment + Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication. 
+ k-of-n + 1 rule - authenticate-admin + + is-root + authenticate-admin + - system.print.admin + config.remove. + + class + rule + comment + Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication. + k-of-n + 1 + rule + + is-root + authenticate-admin + + + config.remove.system. + + class + deny + comment + Wildcard right for deleting system rights. + + sys.openfile. - allow-root - class user + comment + See authopen(1) for information on the use of this right. + default-button + + ar + فتح + cs + Otevřít + da + Åben + de + Öffnen + en + Open + es + Abrir + fi + Avaa + fr + Ouvrir + hu + Megnyitás + it + Apri + ja + 開く + ko + 열기 + nb + Åpne + nl + Open + pl + Otwórz + pt + Abrir + pt-PT + Abrir + ru + Открыть + sv + Öppna + tr + Aç + zh-Hans + 打开 + zh-Hant + 打開 + + default-prompt + + ar + يحاول __APPNAME__ فتح الملف الذي تم اختياره. + cs + __APPNAME__ se pokouší otevřít vybraný soubor. + da + __APPNAME__ forsøger at åbne det valgte arkiv. + de + __APPNAME__ versucht, die gewählte Datei zu öffnen. + en + __APPNAME__ is trying to open the chosen file. + es + __APPNAME__ está intentando abrir el archivo seleccionado. + fi + __APPNAME__ yrittää avata valittua tiedostoa. + fr + __APPNAME__ essaye d'ouvrir le fichier sélectionné. + hu + A(z) __APPNAME__ megpróbálja megnyitni a kiválasztott fájlt. + it + __APPNAME__ sta cercando di aprire il documento prescelto. + ja + __APPNAME__ は、選択中のファイルを開こうとしています。 + ko + __APPNAME__이(가) 선택된 파일을 열려고 합니다. + nb + __APPNAME__ prøver å åpne den valgte filen. + nl + __APPNAME__ probeert het gekozen bestand te openen. + pl + __APPNAME__ próbuje otworzyć wybrany plik. + pt + __APPNAME__ está tentando abrir o arquivo escolhido. + pt-PT + O __APPNAME__ está a tentar abrir o ficheiro escolhido. + ru + Программа «__APPNAME__» пытается открыть новый файл. + sv + __APPNAME__ försöker öppna den valda filen. + tr + __APPNAME__, seçilen dosyayı açmaya çalışıyor. 
+ zh-Hans + “__APPNAME__”正试图打开所选文件。 + zh-Hant + “__APPNAME__”正在嘗試打開所選檔案。 + group - lpadmin + admin shared - + + timeout + 300 - system.print.operator + system. - allow-root + rule + default + + system.burn + + class + allow + comment + For burning media. + default-button + + ar + نسخ قرص + cs + Vypálit + da + Brænd + de + Brennen + en + Burn + es + Grabar + fi + Polta + fr + Graver + hu + Írás + it + Masterizza + ja + ディスクを作成 + ko + 굽기 + nb + Brenn + nl + Brand + pl + Nagraj + pt + Gravar + pt-PT + Gravar + ru + Записать + sv + Bränn + tr + Diske Bas + zh-Hans + 刻录 + zh-Hant + 燒錄 + + default-prompt + + ar + يحاول __APPNAME__ إنشاء قرص. + cs + __APPNAME__ se pokouší vypálit disk. + da + __APPNAME__ forsøger at brænde en disk. + de + __APPNAME__ versucht, eine CD/DVD zu brennen. + en + __APPNAME__ is trying to burn a disc. + es + __APPNAME__ está intentando grabar un disco. + fi + __APPNAME__ yrittää polttaa levyn. + fr + __APPNAME__ essaye de graver un disque. + hu + A(z) __APPNAME__ megpróbál egy lemezt írni. + it + __APPNAME__ sta cercando di masterizzare un disco. + ja + __APPNAME__ はディスクを作成しようとしています。 + ko + __APPNAME__이(가) 디스크를 구우려고 합니다. + nb + __APPNAME__ prøver å brenne en plate. + nl + __APPNAME__ probeert een schijf te branden. + pl + __APPNAME__ próbuje nagrać na płycie. + pt + __APPNAME__ está tentando gravar um disco. + pt-PT + O __APPNAME__ está a tentar gravar um disco. + ru + Программа «__APPNAME__» пытается записать диск. + sv + __APPNAME__ försöker bränna en skiva. + tr + __APPNAME__, diske basmaya çalışıyor. + zh-Hans + “__APPNAME__”正试图刻录光盘。 + zh-Hant + “__APPNAME__”正在嘗試燒錄光碟。 + + + system.csfde.requestpassword + + class + user + comment + Used by CoreStorage Full Disk Encryption to request the user's password. 
+ default-button + + ar + فتح القفل + cs + Odemknout + da + Lås op + de + Entsperren + en + Unlock + es + Desbloquear + fi + Avaa + fr + Déverrouiller + hu + Feloldás + it + Sblocca + ja + ロックを解除 + ko + 잠금 해제 + nb + Lås opp + nl + Ontgrendel + pl + Odblokuj + pt + Desbloquear + pt-PT + Desproteger + ru + Снять защиту + sv + Lås upp + tr + Kilidi Aç + zh-Hans + 解锁 + zh-Hant + 解鎖 + + default-prompt + + ar + ‏يلزم __APPNAME__ فك قفل القرص الخاص بك. + cs + __APPNAME__ potřebuje odemknout předvolby disku. + da + __APPNAME__ skal låse disken op. + de + __APPNAME__ muss Ihr Volume entsperren. + en + __APPNAME__ needs to unlock your disk. + es + __APPNAME__ debe desbloquear el disco. + fi + Ohjelman __APPNAME__ pitää avata levy. + fr + __APPNAME__ à besoin de déverrouiller votre disque. + hu + A(z) __APPNAME__ alkalmazásnak fel kell oldania a lemezt. + it + __APPNAME__ deve sbloccare il disco. + ja + __APPNAME__はディスクのロックを解除する必要があります。 + ko + __APPNAME__이(가) 사용자 디스크를 잠금 해제해야 합니다. + nb + __APPNAME__ må låse opp disken. + nl + __APPNAME__ moet de beveiliging van uw schijf opheffen. + pl + __APPNAME__ musi odblokować dysk. + pt + __APPNAME__ precisa desbloquear seu disco. + pt-PT + O __APPNAME__ precisa de desproteger o disco. + ru + Программе «__APPNAME__» необходимо снять защиту с Вашего диска. + sv + __APPNAME__ måste låsa upp skivan. + tr + __APPNAME__ uygulamasının diskinizin kilidini açması gerekiyor. + zh-Hans + “__APPNAME__”需要解锁您的磁盘。 + zh-Hant + “__APPNAME__”需要解鎖您的磁碟。 + + extract-password + group + staff + shared + + timeout + 0 + + system.device.dvd.setregion.initial + class user + comment + Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change). 
+ default-button + + ar + تعيين + cs + Nastavit + da + Indstil + de + Festlegen + en + Set + es + Definir + fi + Aseta + fr + Définir + hu + Beállítás + it + Imposta + ja + 設定 + ko + 설정 + nb + Angi + nl + Stel in + pl + Ustal + pt + Definir + pt-PT + Definir + ru + Установить + sv + Ställ in + tr + Ayarla + zh-Hans + Set + zh-Hant + 設定 + + default-prompt + + ar + يحاول __APPNAME__ تعيين رمز منطقة الـ DVD لأول مرة. + cs + __APPNAME__ se pokouší poprvé nastavit kód DVD regionu. + da + __APPNAME__ forsøger at indstille dvd-områdekoden for første gang. + de + __APPNAME__ versucht, den Ländercode zum ersten Mal einzustellen. + en + __APPNAME__ is trying to set the DVD region code for the first time. + es + __APPNAME__ está intentando definir el código de región del DVD por primera vez. + fi + __APPNAME__ yrittää asettaa DVD-aluekoodia ensimmäistä kertaa. + fr + __APPNAME__ essaye de régler le code de région du lecteur pour la première fois. + hu + A(z) __APPNAME__ megpróbálja először beállítani a DVD régiókódját. + it + __APPNAME__ sta cercando di impostare il codice regionale del DVD per la prima volta. + ja + __APPNAME__ は、DVD のリージョンコードをはじめて設定しようとしています。 + ko + __APPNAME__이(가) 처음으로 DVD 지역 코드를 설정하려고 합니다. + nb + __APPNAME__ prøver å angi DVD-regionkoden for første gang. + nl + __APPNAME__ probeert de dvd-regiocode voor het eerst in te stellen. + pl + __APPNAME__ próbuje ustawić kod regionu DVD po raz pierwszy. + pt + __APPNAME__ está tentando definir o código de região do DVD pela primeira vez. + pt-PT + O __APPNAME__ está a tentar definir o código regional de DVD pela primeira vez. + ru + Программа «__APPNAME__» пытается впервые установить код региона DVD. + sv + __APPNAME__ försöker ställa in DVD-spelarens regionkod för första gången. + tr + __APPNAME__, DVD bölge kodunu ilk kez ayarlamaya çalışıyor. 
+ zh-Hans + “__APPNAME__”首次试图设置 DVD 注册号。 + zh-Hant + “__APPNAME__”正在嘗試初次設定 DVD 的區域碼。 + group - _lpoperator + admin shared + system.disk.unlock + + class + evaluate-mechanisms + comment + Do not modify. + mechanisms + + DiskUnlock:prompt + DiskUnlock:unlock,privileged + + + system.global-login-items. + + class + rule + default-button + + ar + إضافة + cs + Přidat + da + Tilføj + de + Hinzufügen + en + Add + es + Añadir + fi + Lisää + fr + Ajouter + hu + Hozzáadás + it + Aggiungi + ja + 追加 + ko + 추가 + nb + Legg til + nl + Voeg toe + pl + Dodaj + pt + Adicionar + pt-PT + Adicionar + ru + Добавить + sv + Lägg till + tr + Ekle + zh-Hans + 添加 + zh-Hant + 加入 + + default-prompt + + ar + يحاول __APPNAME__ إضافة عنصر الدخول. + cs + __APPNAME__ se pokouší přidat přihlašovací položku. + da + __APPNAME__ forsøger at tilføje et log ind-emne. + de + __APPNAME__ versucht, ein neues Startobjekt hinzufügen. + en + __APPNAME__ is trying to add a login item. + es + __APPNAME__ está intentando añadir un ítem de arranque. + fi + __APPNAME__ yrittää lisätä sisäänkirjautumiskohteen. + fr + __APPNAME__ essaye d’ajouter un élément d’ouverture de session. + hu + A(z) __APPNAME__ megpróbál hozzáadni egy bejelentkezési elemet. + it + __APPNAME__ sta cercando di aggiungere un elemento di login. + ja +  __APPNAME__ はログイン項目を追加しようとしています。 + ko + __APPNAME__이(가) 로그인 항목을 추가하려고 합니다. + nb + __APPNAME__ prøver å legge til et påloggingsobjekt. + nl + __APPNAME__ probeert een inlogonderdeel toe te voegen. + pl + __APPNAME__ próbuje dodać rzecz otwieraną podczas logowania. + pt + __APPNAME__ está tentando adicionar um item de início de sessão. + pt-PT + O __APPNAME__ está a tentar adicionar um elemento de início de sessão. + ru + Программа «__APPNAME__» пытается добавить объект входа. + sv + __APPNAME__ försöker lägga till ett startobjekt. + tr + __APPNAME__, bir oturum açma öğesi eklemeye çalışıyor. 
+ zh-Hans + “__APPNAME__”正试图添加登录项。 + zh-Hant + “__APPNAME__”正在嘗試加入登入項目。 + + k-of-n + 1 + rule + + is-admin + default + + + system.hdd.smart + + class + allow + comment + For modifying SMART settings. + default-button + + ar + تعديل الإعدادات + cs + Změnit nastavení + da + Juster indstillinger + de + Einstellungen ändern + en + Modify Settings + es + Modificar ajustes + fi + Muokkaa asetuksia + fr + Modifer les réglages + hu + Beállítások módosítása + it + Modifica impostazioni + ja + 設定を変更 + ko + 설정 수정 + nb + Endre innstillinger + nl + Wijzig instellingen + pl + Zmień ustawienia + pt + Modificar Ajustes + pt-PT + Modificar definições + ru + Модифицировать настройки + sv + Ändra inställningar + tr + Ayarları Değiştir + zh-Hans + 修改设置 + zh-Hant + 修改設定 + + default-prompt + + ar + يحاول __APPNAME__ تعديل إعدادات التشخيص لمحرك الأقراص الثابتة. + cs + __APPNAME__ se pokouší změnit nastavení diagnostiky pevného disku. + da + __APPNAME__ forsøger at ændre diagnosticeringsindstillingerne til harddisken. + de + __APPNAME__ versucht, die Diagnoseeinstellungen für Ihre Festplatte zu ändern. + en + __APPNAME__ is trying to modify the diagnostic settings for your hard drive. + es + __APPNAME__ está intentando modificar los ajustes del diagnóstico del disco duro. + fi + __APPNAME__ yrittää muokata kovalevyn diagnostiikka-asetuksia. + fr + __APPNAME__ essaye de modifier les réglages de diagnostic de votre disque dur. + hu + A(z) __APPNAME__ megpróbálja módosítani a merevlemez diagnosztikai beállításait. + it + __APPNAME__ sta cercando di modificare le impostazioni di diagnostica del disco rigido. + ja + __APPNAME__ は、ハード・ドライブの診断設定を変更しようとしています。 + ko + __APPNAME__이(가) 사용자의 하드 드라이브에 대한 진단 설정을 변경하려고 합니다. + nb + __APPNAME__ prøver å endre diagnostikkinnstillingene for harddisken. + nl + __APPNAME__ probeert de diagnostische instellingen voor uw harde schijf te wijzigen. + pl + __APPNAME__ próbuje zmienić ustawienia diagnostyki dysku twardego. 
+ pt + __APPNAME__ está tentando modificar os ajustes de diagnóstico para seu disco rígido. + pt-PT + O __APPNAME__ está a tentar modificar as definições de diagnóstico do disco rígido. + ru + Программа «__APPNAME__» пытается модифицировать настройки диагностики для Вашего жесткого диска. + sv + __APPNAME__ försöker ändra de diagnostiska inställningarna för din hårddisk. + tr + __APPNAME__, sabit sürücünüzün tanı ayarlarını değiştirmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图修改硬盘的诊断设置。 + zh-Hant + “__APPNAME__”正在嘗試修改硬碟的診斷設定。 + + system.identity.write. class rule comment For creating, changing or deleting local user accounts and groups. + default-button + + ar + تحديث المستخدمين + cs + Aktualizovat uživatele + da + Opdater brugere + de + Benutzer aktualisieren + en + Update Users + es + Actualizar usuarios + fi + Päivitä käyttäjät + fr + Mettre à jour les utilisateurs + hu + Felhasználók frissítése + it + Aggiorna gli utenti + ja + ユーザをアップデート + ko + 사용자 업데이트 + nb + Oppdater brukere + nl + Werk gebruikers bij + pl + Uaktualnij użytkowników + pt + Atualizar Usuários + pt-PT + Actualizar utilizadores + ru + Обновить пользователей + sv + Uppdatera användare + tr + Kullanıcıları Güncelle + zh-Hans + 更新用户 + zh-Hant + 更新使用者 + + default-prompt + + ar + يحاول__APPNAME__ تحديث مجموعة المستخدمين المحليين. + cs + __APPNAME__ se pokouší aktualizovat sadu místních uživatelů. + da + __APPNAME__ forsøger at opdatere gruppen af lokale brugere. + de + __APPNAME__ versucht, die Gruppe der lokalen Benutzer zu aktualisieren. + en + __APPNAME__ is trying to update the set of local users. + es + __APPNAME__ está intentando actualizar el conjunto de usuarios locales. + fi + __APPNAME__ yrittää päivittää paikallisia käyttäjiä. + fr + __APPNAME__ essaye de mettre à jour le groupe d’utilisateurs locaux. + hu + A(z) __APPNAME__ megpróbálja frissíteni a helyi felhasználók csoportját. + it + __APPNAME__ sta cercando di aggiornare una serie di utenti locali. 
+ ja + __APPNAME__ は、ローカルユーザのセットをアップデートしようとしています。 + ko + __APPNAME__이(가) 로컬 사용자 모음을 업데이트하려고 합니다. + nb + __APPNAME__ prøver å oppdatere settet med lokale brukere. + nl + __APPNAME__ probeert de set met lokale gebruikers bij te werken. + pl + __APPNAME__ próbuje uaktualnić zastaw użytkowników lokalnych. + pt + __APPNAME__ está tentando atualizar o grupo de usuários locais. + pt-PT + O __APPNAME__ está a tentar actualizar o conjunto de utilizadores locais. + ru + Программа «__APPNAME__» пытается обновить набор локальных пользователей. + sv + __APPNAME__ försöker uppdatera uppsättningen lokala användare. + tr + __APPNAME__, yerel kullanıcılar kümesini güncellemeye çalışıyor. + zh-Hans + “__APPNAME__”正试图更新本地用户组。 + zh-Hant + “__APPNAME__”正在嘗試更新本機使用者群組。 + k-of-n 1 rule 
@@ -314,309 +2806,2636 @@ See remaining rules for examples. rule comment Checked when changing authentication credentials (password or certificate) for a local user account. + default-button + + ar + تحديث الاعتمادات + cs + Aktualizovat pověření + da + Opdater beviser + de + Accountdaten aktualisieren + en + Update Credentials + es + Actualizar credenciales + fi + Päivitä valtakirjat + fr + Mettre à jour les références + hu + Hitelesítés frissítése + it + Aggiorna credenziali + ja + 資格情報をアップデート + ko + 자격 증명 업데이트 + nb + Oppdater akkreditiver + nl + Werk toegangsgegevens bij + pl + Uaktualnij dane uwierzytelniania + pt + Atualizar Credenciais + pt-PT + Actualizar credenciais + ru + Обновить учетные данные + sv + Uppdatera ID-handlingar + tr + Kimlik Bilgilerini Güncelle + zh-Hans + 更新凭证 + zh-Hant + 更新憑證 + + default-prompt + + ar + يحاول __APPNAME__ تحديث بيانات المصادقة. + cs + __APPNAME__ se pokouší aktualizovat pověření pro ověření totožnosti. + da + __APPNAME__ forsøger at opdatere godkendelsesoplysningerne. + de + __APPNAME__ versucht, die Accountdaten zur Authentifizierung zu aktualisieren. + en + __APPNAME__ is trying to update the authentication credentials. + es + __APPNAME__ está intentando actualizar las credenciales de autenticación. + fi + __APPNAME__ yrittää päivittää todentamisen valtakirjoja. + fr + __APPNAME__ essaye de mettre à jour les informations d’authentification. + hu + A(z) __APPNAME__ megpróbálja frissíteni a hitelesítési adatokat. + it + __APPNAME__ sta cercando di aggiornare le credenziali di autenticazione. + ja + __APPNAME__ は認証資格情報をアップデートしようとしています。 + ko + __APPNAME__이(가) 인증 증명서를 업데이트하려고 합니다. + nb + __APPNAME__ prøver å oppdatere godkjenningsakkreditivene. + nl + __APPNAME__ probeert de gegevens voor identiteitscontrole bij te werken. + pl + __APPNAME__ próbuje uaktualnić dane uwierzytelniania. + pt + __APPNAME__ está tentando atualizar as credenciais de autenticação. 
+ pt-PT + O __APPNAME__ está a tentar actualizar as credenciais de autenticação. + ru + Программа «__APPNAME__» пытается обновить учетные данные для аутентификации. + sv + __APPNAME__ försöker uppdatera autentiseringsuppgifterna. + tr + __APPNAME__, kimlik doğrulama bilgilerini güncellemeye çalışıyor. + zh-Hans + “__APPNAME__”正试图更新鉴定凭证。 + zh-Hant + “__APPNAME__”正在嘗試更新認證憑證。 + rule default system.identity.write.self + authenticate-user + class user comment Checked when changing authentication credentials (password or certificate) for the current user's account. - authenticate-user - + default-button + + ar + تحديث الاعتمادات + cs + Aktualizovat pověření + da + Opdater beviser + de + Accountdaten aktualisieren + en + Update Credentials + es + Actualizar credenciales + fi + Päivitä valtakirjat + fr + Mettre à jour les références + hu + Hitelesítés frissítése + it + Aggiorna credenziali + ja + 資格情報をアップデート + ko + 자격 증명 업데이트 + nb + Oppdater akkreditiver + nl + Werk toegangsgegevens bij + pl + Uaktualnij dane uwierzytelniania + pt + Atualizar Credenciais + pt-PT + Actualizar credenciais + ru + Обновить учетные данные + sv + Uppdatera ID-handlingar + tr + Kimlik Bilgilerini Güncelle + zh-Hans + 更新凭证 + zh-Hant + 更新憑證 + + default-prompt + + ar + يحاول __APPNAME__ تحديث بيانات المصادقة الخاصة بك. + cs + __APPNAME__ se pokouší aktualizovat vaše pověření pro ověření totožnosti. + da + __APPNAME__ forsøger at opdatere dine godkendelsesoplysninger. + de + __APPNAME__ versucht, Ihre Accountdaten zur Authentifizierung zu aktualisieren. + en + __APPNAME__ is trying to update your authentication credentials. + es + __APPNAME__ está intentando actualizar sus credenciales de autenticación. + fi + __APPNAME__ yrittää päivittää todentamisen valtakirjoja. + fr + __APPNAME__ essaye de mettre à jour vos informations d’authentification. + hu + A(z) __APPNAME__ megpróbálja frissíteni az Ön hitelesítési adatait. + it + __APPNAME__ sta cercando di aggiornare le tue credenziali di autenticazione. 
+ ja + __APPNAME__ は、認証資格情報をアップデートしようとしています。 + ko + __APPNAME__이(가) 사용자의 인증 증명서를 업데이트하려고 합니다. + nb + __APPNAME__ prøver å oppdatere godkjenningsakkreditivene. + nl + __APPNAME__ probeert uw gegevens voor identiteitscontrole bij te werken. + pl + __APPNAME__ próbuje uaktualnić dane uwierzytelniania. + pt + __APPNAME__ está tentando atualizar suas credenciais de autenticação. + pt-PT + O __APPNAME__ está a tentar actualizar as suas credenciais de autenticação. + ru + Программа «__APPNAME__» пытается обновить Ваши учетные данные для аутентификации. + sv + __APPNAME__ försöker uppdatera dina autentiseringsuppgifter. + tr + __APPNAME__, kimlik doğrulama bilgilerinizi güncellemeye çalışıyor. + zh-Hans + “__APPNAME__”正试图更新您的鉴定凭证。 + zh-Hant + “__APPNAME__”正在嘗試更新您的認證憑證。 + session-owner - system.global-login-items. + system.install.app-store-software class rule - k-of-n - 1 + comment + Checked when user is installing software from the App Store. + default-button + + ar + تثبيت البرنامج + cs + Nainstalovat software + da + Installer software + de + Software installieren + en + Install Software + es + Instalar software + fi + Asenna ohjelmisto + fr + Installer le logiciel + hu + Szoftver telepítése + it + Installa software + ja + ソフトウェアをインストール + ko + 소프트웨어 설치 + nb + Installer programvare + nl + Installeer software + pl + Zainstaluj oprogramowanie + pt + Instalar Software + pt-PT + Instalar software + ru + Установить ПО + sv + Installera programvara + tr + Yazılımı Yükle + zh-Hans + 安装软件 + zh-Hant + 安裝軟體 + + default-prompt + + ar + يحاول __APPNAME__ تثبيت البرنامج. + cs + __APPNAME__ se pokouší nainstalovat software. + da + __APPNAME__ prøver at installere software. + de + __APPNAME__ versucht, Software zu installieren. + en + __APPNAME__ is trying to install software. + es + __APPNAME__ está intentando instalar software. + fi + __APPNAME__ yrittää asentaa ohjelmistoa. + fr + __APPNAME__ essaie d’installer un logiciel. + hu + A(z) __APPNAME__ megpróbál szoftvert telepíteni. 
+ it + __APPNAME__ sta tentando di installare il software. + ja + __APPNAME__ は、ソフトウェアをインストールしようとしています。 + ko + __APPNAME__이(가) 소프트웨어를 설치하려고 합니다. + nb + __APPNAME__ prøver å installere programvare. + nl + __APPNAME__ probeert software te installeren. + pl + __APPNAME__ próbuje zainstalować oprogramowanie. + pt + __APPNAME__está tentando instalar um software. + pt-PT + __APPNAME__ está a tentar instalar software. + ru + __APPNAME__ пытается установить ПО. + sv + __APPNAME__ försöker installera programvara. + tr + __APPNAME__, yazılım yüklemeye çalışıyor. + zh-Hans + __APPNAME__ 正在尝试安装软件。 + zh-Hant + __APPNAME__ 正在嘗試安裝軟體。 + rule - - is-admin - default - + entitled-appstore-or-entitled-authenticate-appstore - system.sharepoints. + system.install.apple-software - allow-root - class - user + rule comment - Checked when making changes to the Sharepoints. - group - admin - shared - + Checked when user is installing Apple-provided software. + default-button + + ar + تثبيت البرنامج + cs + Nainstalovat software + da + Installer software + de + Software installieren + en + Install Software + es + Instalar software + fi + Asenna ohjelmisto + fr + Installer le logiciel + hu + Szoftver telepítése + it + Installa software + ja + ソフトウェアをインストール + ko + 소프트웨어 설치 + nb + Installer programvare + nl + Installeer software + pl + Zainstaluj oprogramowanie + pt + Instalar Software + pt-PT + Instalar software + ru + Установить ПО + sv + Installera programvara + tr + Yazılımı Yükle + zh-Hans + 安装软件 + zh-Hant + 安裝軟體 + + default-prompt + + ar + يحاول __APPNAME__ تثبيت البرنامج الموّفَر من Apple. + cs + __APPNAME__ se pokouší nainstalovat software poskytovaný společností Apple. + da + __APPNAME__ prøver at installere software leveret af Apple. + de + __APPNAME__ versucht, von Apple bereitgestellte Software zu installieren. + en + __APPNAME__ is trying to install Apple-provided software. + es + __APPNAME__ está intentando instalar software proporcionado por Apple. 
+ fi + __APPNAME__ yrittää asentaa Applen ohjelmistoa. + fr + __APPNAME__ essaie d’installer un logiciel fourni par Apple. + hu + A(z) __APPNAME__ megpróbál egy Apple által szolgáltatott szoftvert telepíteni. + it + __APPNAME__ sta tentando di installare il software fornito da Apple. + ja + __APPNAME__ は、アップル提供のソフトウェアをインストールしようとしています。 + ko + __APPNAME__이(가) Apple에서 제공한 소프트웨어를 설치하려고 합니다. + nb + __APPNAME__ prøver å installere programvare som er levert av Apple. + nl + __APPNAME__ probeert van Apple afkomstige software te installeren. + pl + __APPNAME__ próbuje zainstalować oprogramowanie udostępnione przez Apple. + pt + __APPNAME__ está tentando instalar um software fornecido pela Apple. + pt-PT + __APPNAME__ está a tentar instalar software da Apple. + ru + __APPNAME__ пытается установить ПО, предоставленное компанией Apple. + sv + __APPNAME__ försöker installera programvara från Apple. + tr + __APPNAME__, Apple tarafından sağlanan yazılımı yüklemeye çalışıyor. + zh-Hans + __APPNAME__ 正在尝试安装 Apple 提供的软件。 + zh-Hant + __APPNAME__ 正在嘗試安裝 Apple 提供的軟體。 + + rule + root-or-entitled-admin-or-authenticate-admin - com.apple.activitymonitor.kill + system.install.software + allow-root + class user comment - Used by Activity Monitor to authorize killing processes not owned by the user. + Checked when user is installing new software. + default-button + + ar + تثبيت البرنامج + cs + Nainstalovat software + da + Installer software + de + Software installieren + en + Install Software + es + Instalar software + fi + Asenna ohjelmisto + fr + Installer le logiciel + hu + Szoftver telepítése + it + Installa software + ja + ソフトウェアをインストール + ko + 소프트웨어 설치 + nb + Installer programvare + nl + Installeer software + pl + Zainstaluj oprogramowanie + pt + Instalar Software + pt-PT + Instalar software + ru + Установить ПО + sv + Installera programvara + tr + Yazılımı Yükle + zh-Hans + 安装软件 + zh-Hant + 安裝軟體 + + default-prompt + + ar + يحاول __APPNAME__ تثبيت برنامج جديد. 
+ cs + __APPNAME__ se pokouší nainstalovat nový software. + da + __APPNAME__ forsøger at installere ny software. + de + __APPNAME__ versucht, neue Software zu installieren. + en + __APPNAME__ is trying to install new software. + es + __APPNAME__ está intentando instalar software nuevo. + fi + __APPNAME__ yrittää asentaa uutta ohjelmistoa. + fr + __APPNAME__ essaye d’installer un nouveau logiciel. + hu + A(z) __APPNAME__ megpróbál egy új szoftvert telepíteni. + it + __APPNAME__ sta cercando di installare nuovo software. + ja + __APPNAME__ は、新しいソフトウェアをインストールしようとしています。 + ko + __APPNAME__이(가) 새로운 소프트웨어를 설치하려고 합니다. + nb + __APPNAME__ prøver å installere ny programvare. + nl + __APPNAME__ probeert nieuwe software te installeren. + pl + __APPNAME__ próbuje zainstalować nowe oprogramowanie. + pt + __APPNAME__ está tentando instalar um novo software. + pt-PT + O __APPNAME__ está a tentar instalar software novo. + ru + Программа «__APPNAME__» пытается установить новое ПО. + sv + __APPNAME__ försöker installera ny programvara. + tr + __APPNAME__, yeni yazılım yüklemeye çalışıyor. + zh-Hans + “__APPNAME__”正试图安装新软件。 + zh-Hant + “__APPNAME__”正在嘗試安裝新的軟體。 + group admin shared timeout - 0 + 300 - com.apple.Safari.parental-controls + system.keychain.create.loginkc allow-root - + class - user + evaluate-mechanisms comment - Checked when changing parental controls for Safari. - group - admin + Used by the Security framework when you add an item to an unconfigured default keychain. + mechanisms + + loginKC:queryCreate + loginKC:showPasswordUI + authinternal + + session-owner + shared - timeout - 60 - com.apple.docset.install + system.keychain.modify class user comment - Used by Xcode to restrict access to a daemon it uses to install and update documentation sets. + Used by Keychain Access when editing a system keychain. 
+ default-button + + ar + تعديل Keychain + cs + Změnit svazek klíčů + da + Juster nøglering + de + Schlüsselbund ändern + en + Modify Keychain + es + Modificar llavero + fi + Muokkaa avainnippua + fr + Modifer le trousseau + hu + Kulcskarika módosítása + it + Modifica portachiavi + ja + キーチェーンを変更 + ko + 키체인 수정 + nb + Endre nøkkelring + nl + Wijzig sleutelhanger + pl + Zmień pęk kluczy + pt + Modificar Chaves + pt-PT + Modificar porta‑chaves + ru + Модифицировать связку ключей + sv + Ändra nyckelringen + tr + Anahtar Zincirini Değiştir + zh-Hans + 修改钥匙链 + zh-Hant + 修改鑰匙圈 + + default-prompt + + ar + يحاول __APPNAME__ تعديل سلسلة مفاتيح النظام. + cs + __APPNAME__ se pokouší změnit systémový svazek klíčů. + da + __APPNAME__ forsøger at ændre systemnøgleringen. + de + __APPNAME__ versucht, den System-Schlüsselbund zu ändern. + en + __APPNAME__ is trying to modify the system keychain. + es + __APPNAME__ está intentando modificar el llavero del sistema. + fi + __APPNAME__ yrittää muokata järjestelmän avainnippua. + fr + __APPNAME__ essaye de modifier le trousseau du système. + hu + A(z) __APPNAME__ megpróbálja módosítani a rendszer-kulcskarikát. + it + __APPNAME__ sta cercando di modificare il portachiavi di sistema. + ja + __APPNAME__ は、システムキーチェーンを変更しようとしています。 + ko + __APPNAME__이(가) 시스템 키체인을 변경하려고 합니다. + nb + __APPNAME__ prøver å endre systemnøkkelringen. + nl + __APPNAME__ probeert de systeemsleutelhanger te wijzigen. + pl + __APPNAME__ próbuje zmodyfikować systemowy pęk kluczy. + pt + __APPNAME__ está tentando modificar as chaves do sistema. + pt-PT + O __APPNAME__ está a tentar modificar o porta‑chaves do sistema. + ru + Программа «__APPNAME__» пытается модифицировать связку ключей системы. + sv + __APPNAME__ försöker ändra systemets nyckelring. + tr + __APPNAME__, sistem anahtar zincirini değiştirmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图修改系统钥匙串。 + zh-Hant + “__APPNAME__”正在嘗試修改系統鑰匙圈。 + group admin shared - + + timeout + 30 - com.apple.DiskManagement. 
+ system.login.console + + class + evaluate-mechanisms + comment + Login mechanism based rule. Not for general use, yet. + mechanisms + + builtin:policy-banner + loginwindow:login + builtin:reset-password,privileged + builtin:forward-login,privileged + builtin:auto-login,privileged + builtin:authenticate,privileged + PKINITMechanism:auth,privileged + loginwindow:success + HomeDirMechanism:login,privileged + HomeDirMechanism:status + MCXMechanism:login + loginwindow:done + + + system.login.done + + class + evaluate-mechanisms + mechanisms + + + + system.login.screensaver class rule comment - Used by diskmanagementd to allow access to its privileged functions - k-of-n - 1 + The owner or any administrator can unlock the screensaver. rule + authenticate-session-owner-or-admin + + system.login.tty + + class + evaluate-mechanisms + mechanisms - is-root - is-admin - default + push_hints_to_context + authinternal + tries + 1 + + system.preferences + + allow-root + + class + user + comment + Checked by the Admin framework when making changes to certain System Preferences. + default-button + + ar + تعديل الإعدادات + cs + Změnit nastavení + da + Juster indstillinger + de + Einstellungen ändern + en + Modify Settings + es + Modificar ajustes + fi + Muokkaa asetuksia + fr + Modifer les réglages + hu + Beállítások módosítása + it + Modifica impostazioni + ja + 設定を変更 + ko + 설정 수정 + nb + Endre innstillinger + nl + Wijzig instellingen + pl + Zmień ustawienia + pt + Modificar Ajustes + pt-PT + Modificar definições + ru + Модифицировать настройки + sv + Ändra inställningar + tr + Ayarları Değiştir + zh-Hans + 修改设置 + zh-Hant + 修改設定 + + default-prompt + + ar + يحاول __APPNAME__ تعديل إعدادات النظام الخاص بك. + cs + __APPNAME__ se pokouší změnit systémová nastavení. + da + __APPNAME__ forsøger at ændre systemindstillingerne. + de + __APPNAME__ versucht, Ihre Systemeinstellungen zu ändern. + en + __APPNAME__ is trying to modify your system settings. 
+ es + __APPNAME__ está intentando modificar los ajustes del sistema. + fi + __APPNAME__ yrittää muokata järjestelmän asetuksia. + fr + __APPNAME__ essaye de modifier vos réglages de système. + hu + A(z) __APPNAME__ megpróbálja módosítani a rendszerbeállításokat. + it + __APPNAME__ sta cercando di modificare le impostazioni del sistema. + ja + __APPNAME__ は、システムの設定を変更しようとしています。 + ko + __APPNAME__이(가) 사용자의 시스템 설정을 변경하려고 합니다. + nb + __APPNAME__ prøver å endre systeminnstillingene. + nl + __APPNAME__ probeert uw systeeminstellingen te wijzigen. + pl + __APPNAME__ próbuje zmienić ustawienia systemowe. + pt + __APPNAME__ está tentando modificar seus ajustes do sistema. + pt-PT + O __APPNAME__ está a tentar modificar as definições do sistema. + ru + Программа «__APPNAME__» пытается модифицировать Ваши системные настройки. + sv + __APPNAME__ försöker ändra systemets inställningar. + tr + __APPNAME__, sistem ayarlarınızı değiştirmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图修改您的系统设置。 + zh-Hant + “__APPNAME__”正在嘗試修改您的系統設定。 + + group + admin shared - system.privilege.admin + system.preferences.accessibility allow-root class user comment - Used by AuthorizationExecuteWithPrivileges(...). - AuthorizationExecuteWithPrivileges() is used by programs requesting - to run a tool as root (e.g., some installers). + Checked by the Admin framework when enabling or disabling the Accessibility APIs. + default-button + + ar + فتح القفل + cs + Odemknout + da + Lås op + de + Entsperren + en + Unlock + es + Desbloquear + fi + Avaa + fr + Déverrouiller + hu + Feloldás + it + Sblocca + ja + ロックを解除 + ko + 잠금 해제 + nb + Lås opp + nl + Ontgrendel + pl + Odblokuj + pt + Desbloquear + pt-PT + Desproteger + ru + Снять защиту + sv + Lås upp + tr + Kilidi Aç + zh-Hans + 解锁 + zh-Hant + 解鎖 + + default-prompt + + ar + يحاول __APPNAME__ فتح قفل تفضيلات الاحتياجات الخاصة. + cs + __APPNAME__ se pokouší odemknout předvolby Univerzální přístup. + da + __APPNAME__ forsøger at låse Universel adgang op. 
+ de + __APPNAME__ versucht, die Systemeinstellung „Bedienungshilfen“ zu entsperren. + en + __APPNAME__ is trying to unlock Universal Access preferences. + es + __APPNAME__ está intentando desbloquear el panel de preferencias Acceso Universal. + fi + __APPNAME__ yrittää avata Käyttöapu-asetuksia. + fr + __APPNAME__ essaye de déverrouiller les préférences Accès universel. + hu + A(z) __APPNAME__ megpróbálja feloldani az Univerzális hozzáférés beállításait. + it + __APPNAME__ sta cercando di sbloccare le preferenze Accesso Universale. + ja + __APPNAME__ は、“ユニバーサルアクセス”環境設定のロックを解除しようとしています。 + ko + __APPNAME__이(가) 손쉬운 사용 환경설정을 잠금 해제하려고 합니다. + nb + __APPNAME__ prøver å låse opp Særlige behov-valgpanelet. + nl + __APPNAME__ probeert het voorkeurenpaneel 'Universele toegang' te ontgrendelen. + pl + __APPNAME__ próbuje odblokować preferencje Uniwersalny dostęp. + pt + __APPNAME__ está tentando desbloquear as preferências de Acesso Universal. + pt-PT + O __APPNAME__ está a tentar desproteger as preferências do Acesso Universal. + ru + Программа «__APPNAME__» пытается снять защиту с настроек Универсального доступа. + sv + __APPNAME__ försöker låsa upp Hjälpmedelsinställningarna. + tr + __APPNAME__, Evrensel Erişim tercihlerinin kilidini açmaya çalışıyor. + zh-Hans + “__APPNAME__”正试图解锁“万能辅助”的偏好设置。 + zh-Hant + “__APPNAME__”正在嘗試解鎖“輔助使用”偏好設定。 + group admin shared timeout - 300 + 0 - system.privilege.taskport + system.preferences.accounts allow-root - + class user comment - Used by task_for_pid(...). - Task_for_pid is called by programs requesting full control over another program - for things like debugging or performance analysis. This authorization only applies - if the requesting and target programs are run by the same user; it will never - authorize access to the program of another user. WARNING: administrators are advised not to modify this right. + Checked by the Admin framework when making changes to the Users & Groups preference pane. 
+ default-button + + ar + فتح القفل + cs + Odemknout + da + Lås op + de + Entsperren + en + Unlock + es + Desbloquear + fi + Avaa + fr + Déverrouiller + hu + Feloldás + it + Sblocca + ja + ロックを解除 + ko + 잠금 해제 + nb + Lås opp + nl + Ontgrendel + pl + Odblokuj + pt + Desbloquear + pt-PT + Desproteger + ru + Снять защиту + sv + Lås upp + tr + Kilidi Aç + zh-Hans + 解锁 + zh-Hant + 解鎖 + + default-prompt + + ar + يحاول __APPNAME__ فك قفل تفضيلات المستخدمين والمجموعات. + cs + __APPNAME__ se pokouší odemknout předvolby Uživatelé a skupiny. + da + __APPNAME__ forsøger at låse Brugere & grupper op. + de + __APPNAME__ versucht, die Systemeinstellung „Benutzer & Gruppen“ zu entsperren. + en + __APPNAME__ is trying to unlock Users & Groups preferences. + es + __APPNAME__ está intentando desbloquear el panel de preferencias Usuarios y Grupos. + fi + __APPNAME__ yrittää avata Käyttäjät ja ryhmät -asetuksia. + fr + __APPNAME__ essaye de déverrouiller les préférences Utilisateurs et groupes. + hu + A(z) __APPNAME__ megpróbálja feloldani a Csoportok és felhasználók beállításait. + it + __APPNAME__ sta cercando di sbloccare le preferenze di gruppi & utenti. + ja + __APPNAME__ は、“ユーザとグループ”環境設定のロックを解除しようとしています。 + ko + __APPNAME__이(가) 사용자 및 그룹 환경설정을 잠금 해제하려고 합니다. + nb + __APPNAME__ prøver å låse opp Brukere og grupper-valgpanelet. + nl + __APPNAME__ probeert het voorkeurenpaneel 'Gebruikers en groepen' te ontgrendelen. + pl + __APPNAME__ odblokować preferencje Użytkownicy i grupy. + pt + __APPNAME__ está tentando desbloquear as preferências Usuários e Grupos. + pt-PT + O __APPNAME__ está a tentar desproteger as preferências de Utilizadores e Grupos. + ru + Программа «__APPNAME__» пытается снять защиту с настроек «Пользователи и группы». + sv + __APPNAME__ försöker låsa upp inställningarna för Användare och grupper. + tr + __APPNAME__, Kullanıcılar ve Gruplar tercihlerinin kilidini açmaya çalışıyor. 
+ zh-Hans + “__APPNAME__”正试图解锁“用户与群组”偏好设置。 + zh-Hant + “__APPNAME__”正在嘗試解鎖“使用者與群組”偏好設定。 + group - _developer + admin shared - - timeout - 36000 + - system.privilege.taskport.safe + system.preferences.datetime + allow-root + class - allow + user comment - For use by Apple. + Checked by the Admin framework when making changes to the Date & Time preference pane. + default-button + + ar + فتح القفل + cs + Odemknout + da + Lås op + de + Entsperren + en + Unlock + es + Desbloquear + fi + Avaa + fr + Déverrouiller + hu + Feloldás + it + Sblocca + ja + ロック解除 + ko + 잠금 해제 + nb + Lås opp + nl + Ontgrendel + pl + Odblokuj + pt + Desbloquear + pt-PT + Desproteger + ru + Снять защиту + sv + Lås upp + tr + Kilidi Aç + zh-Hans + 解锁 + zh-Hant + 解鎖 + + default-prompt + + ar + حاول __APPNAME__ فتح قفل تفضيلات التاريخ والوقت. + cs + __APPNAME__ se pokouší odemknout předvolby Datum a čas. + da + __APPNAME__ prøver at låse vinduet Dato & tid op. + de + __APPNAME__ versucht, die Systemeinstellung „Datum & Uhrzeit“ zu entsperren. + en + __APPNAME__ is trying to unlock the Date & Time preferences. + es + __APPNAME__ está intentando desbloquear el panel de preferencias Fecha y Hora. + fi + __APPNAME__ yrittää avata Päivämäärä ja aika -asetuksia. + fr + __APPNAME__ essaie de déverrouiller les préférences Date et heure + hu + A(z) __APPNAME__ megpróbálja feloldani a Dátum és idő beállításait. + it + __APPNAME__ sta tentando di sbloccare le preferenze di Data e ora. + ja + __APPNAME__ が“日付と時刻”環境設定のロックを解除しようとしています。 + ko + __APPNAME__이(가) 날짜와 시간 환경설정을 잠금 해제하려고 합니다. + nb + __APPNAME__ prøver å låse opp Dato og tid-valgpanelet. + nl + __APPNAME__ probeert het voorkeurenpaneel 'Datum en tijd' te ontgrendelen. + pl + __APPNAME__ próbuje odblokować preferencje daty i czasu. + pt + __APPNAME__ está tentando desbloquear as preferências Data e Hora. + pt-PT + __APPNAME__ está a tentar desproteger as preferências de Data e Hora. 
+ ru + Программа «__APPNAME__» пытается снять защиту с настроек панели «Дата и время». + sv + __APPNAME__ försöker låsa upp inställningarna för Datum och tid. + tr + __APPNAME__, Tarih ve Saat tercihlerinin kilidini açmaya çalışıyor. + zh-Hans + “__APPNAME__”正试图解锁“日期与事件”偏好设置。 + zh-Hant + “__APPNAME__”正在嘗試解鎖“日期與時間”偏好設定。 + + group + admin + shared + - system.privilege.taskport.debug + system.preferences.energysaver allow-root - + class user comment - For use by Apple. WARNING: administrators are advised - not to modify this right. + Checked by the Admin framework when making changes to the Energy Saver preference pane. + default-button + + ar + فتح القفل + cs + Odemknout + da + Lås op + de + Entsperren + en + Unlock + es + Desbloquear + fi + Avaa + fr + Déverrouiller + hu + Feloldás + it + Sblocca + ja + ロック解除 + ko + 잠금 해제 + nb + Lås opp + nl + Ontgrendel + pl + Odblokuj + pt + Desbloquear + pt-PT + Desproteger + ru + Снять защиту + sv + Lås upp + tr + Kilidi Aç + zh-Hans + 解锁 + zh-Hant + 解鎖 + + default-prompt + + ar + _يحاول __APPNAME__ فتح قفل تفضيلات موفر الطاقة. + cs + __APPNAME__ se pokouší odemknout předvolby Úspora energie. + da + __APPNAME__ prøver at låse vinduet Energibesparelse op. + de + __APPNAME__ versucht, die Systemeinstellung „Energie sparen“ zu entsperren. + en + __APPNAME__ is trying to unlock the Energy Saver preferences. + es + __APPNAME__ está intentando desbloquear el panel de preferencias Economizador. + fi + __APPNAME__ yrittää avata Energiansäästäjä-asetuksia. + fr + __APPNAME__ essaie de déverrouiller les préférences Économiseur d’énergie. + hu + A(z) __APPNAME__ megpróbálja feloldani az Energiatakarékos mód beállításait. + it + __APPNAME__ sta tentando di sbloccare le preferenze di Risparmio di energia. + ja + __APPNAME__ が“省エネルギー”環境設定のロックを解除しようとしています。 + ko + __APPNAME__이(가) 에너지 절약 환경설정을 잠금 해제하려고 합니다. + nb + __APPNAME__ prøver å låse opp Strømsparing-valgpanelet. 
+ nl + __APPNAME__ probeert het voorkeurenpaneel 'Energiestand' te ontgrendelen. + pl + __APPNAME__ próbuje odblokować preferencje oszczędzania energii. + pt + __APPNAME__ está tentando desbloquear as preferências Economizador de Energia. + pt-PT + __APPNAME__ está a tentar desproteger as preferências de Poupança de Energia. + ru + Программа «__APPNAME__» пытается снять защиту с настроек панели «Экономия энергии». + sv + __APPNAME__ försöker låsa upp inställningarna för Strömsparare. + tr + __APPNAME__, Enerji Tasarrufu tercihlerinin kilidini açmaya çalışıyor. + zh-Hans + “__APPNAME__”正试图解锁“节能器”偏好设置。 + zh-Hant + “__APPNAME__”正在嘗試解鎖“能源節約器”偏好設定。 + group - _developer + admin shared - timeout - 36000 - system.restart + system.preferences.location class - evaluate-mechanisms + rule comment - Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching. - mechanisms + For changing the network location from the Apple menu. + k-of-n + 1 + rule - builtin:smartcard-sniffer,privileged - RestartAuthorization:restart - builtin:authenticate,privileged - RestartAuthorization:success + on-console + is-admin + is-root - system.shutdown + system.preferences.network + allow-root + class - evaluate-mechanisms + user comment - Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching. - mechanisms - - builtin:smartcard-sniffer,privileged - RestartAuthorization:shutdown - builtin:authenticate,privileged - RestartAuthorization:success - + Checked by the Admin framework when making changes to the Network preference pane. 
+ default-button + + ar + فتح القفل + cs + Odemknout + da + Lås op + de + Entsperren + en + Unlock + es + Desbloquear + fi + Avaa + fr + Déverrouiller + hu + Feloldás + it + Sblocca + ja + ロックを解除 + ko + 잠금 해제 + nb + Lås opp + nl + Ontgrendel + pl + Odblokuj + pt + Desbloquear + pt-PT + Desproteger + ru + Снять защиту + sv + Lås upp + tr + Kilidi Aç + zh-Hans + 解锁 + zh-Hant + 解鎖 + + default-prompt + + ar + يحاول __APPNAME__ فك قفل تفضيلات الشبكة. + cs + __APPNAME__ se pokouší odemknout předvolby Síť. + da + __APPNAME__ forsøger at låse Netværk op. + de + __APPNAME__ versucht, die Systemeinstellung „Netzwerk“ zu entsperren. + en + __APPNAME__ is trying to unlock the Network preferences. + es + __APPNAME__ está intentando desbloquear el panel de preferencias Red. + fi + __APPNAME__ yrittää avata Verkko-asetuksia. + fr + __APPNAME__ essaye de déverrouiller les préférences Réseau. + hu + A(z) __APPNAME__ megpróbálja feloldani a Hálózat beállításait. + it + __APPNAME__ sta cercando di sbloccare le preferenze Network. + ja + __APPNAME__ は、“ネットワーク”環境設定のロックを解除しようとしています。 + ko + __APPNAME__이(가) 네트워크 환경설정을 잠금 해제하려고 합니다. + nb + __APPNAME__ prøver å låse opp Nettverk-valgpanelet. + nl + __APPNAME__ probeert het voorkeurenpaneel 'Netwerk' te ontgrendelen. + pl + __APPNAME__ próbuje odblokować preferencje Sieć. + pt + __APPNAME__ está tentando desbloquear as preferências Rede. + pt-PT + O __APPNAME__ está a tentar desproteger as preferências de Rede. + ru + Программа «__APPNAME__» пытается установить новый инструмент справки + sv + __APPNAME__ försöker låsa upp nätverksinställningarna. + tr + __APPNAME__, Ağ tercihlerinin kilidini açmaya çalışıyor. + zh-Hans + “__APPNAME__”正试图解锁“网络”偏好设置。 + zh-Hant + “__APPNAME__”正在嘗試解鎖“網路”偏好設定。 + + group + admin + shared + - system.burn + system.preferences.parental-controls class - allow + user comment - For burning media. + Checked when making changes to the Parental Controls preference pane. 
+ default-button + + ar + فتح القفل + cs + Odemknout + da + Lås op + de + Entsperren + en + Unlock + es + Desbloquear + fi + Avaa + fr + Déverrouiller + hu + Feloldás + it + Sblocca + ja + ロックを解除 + ko + 잠금 해제 + nb + Lås opp + nl + Ontgrendel + pl + Odblokuj + pt + Desbloquear + pt-PT + Desproteger + ru + Снять защиту + sv + Lås upp + tr + Kilidi Aç + zh-Hans + 解锁 + zh-Hant + 解鎖 + + default-prompt + + ar + يحاول __APPNAME__ فتح قفل تفضيلات الإشراف العائلي. + cs + __APPNAME__ se pokouší odemknout předvolby Rodičovský dohled. + da + __APPNAME__ forsøger at låse Børnesikring op. + de + __APPNAME__ versucht, die Systemeinstellung „Kindersicherung“ zu entsperren. + en + __APPNAME__ is trying to unlock Parental Controls preferences. + es + __APPNAME__ está intentando desbloquear el panel de preferencias Controles Parentales. + fi + __APPNAME__ yrittää avata Käyttörajoitukset-asetuksia. + fr + __APPNAME__ essaye de déverrouiller les préférences Contrôle parental. + hu + A(z) __APPNAME__ megpróbálja feloldani a Szülői felügyelet beállításait. + it + __APPNAME__ sta cercando di sbloccare le preferenze dei controlli censura. + ja + __APPNAME__ は、“ペアレンタルコントロール”環境設定のロックを解除しようとしています。 + ko + __APPNAME__이(가) 유해 콘텐츠 차단 환경설정을 잠금 해제하려고 합니다. + nb + __APPNAME__ prøver å låse opp Foreldrekontroll-valgpanelet. + nl + __APPNAME__ probeert het voorkeurenpaneel 'Ouderlijk toezicht' te ontgrendelen. + pl + __APPNAME__ próbuje odblokować preferencje Nadzór rodzicielski. + pt + __APPNAME__ está tentando desbloquear as preferências de Controles Parentais. + pt-PT + O __APPNAME__ está a tentar desproteger as preferências do Controlo Parental. + ru + Программа «__APPNAME__» пытается снять защиту с настроек Родительского контроля. + sv + __APPNAME__ försöker låsa upp Föräldrakontrollsinställningarna. + tr + __APPNAME__, Ebeveyn Denetimleri tercihlerinin kilidini açmaya çalışıyor. 
+ zh-Hans + “__APPNAME__”正试图解锁“家长控制”偏好设置。 + zh-Hant + “__APPNAME__”正在嘗試解鎖“分級保護控制”偏好設定。 + + group + admin + shared + - system.services.directory.configure + system.preferences.printing + allow-root + class user + comment + Checked by the Admin framework when making changes to the Printing preference pane. + default-button + + ar + فتح القفل + cs + Odemknout + da + Lås op + de + Entsperren + en + Unlock + es + Desbloquear + fi + Avaa + fr + Déverrouiller + hu + Feloldás + it + Sblocca + ja + ロック解除 + ko + 잠금 해제 + nb + Lås opp + nl + Ontgrendel + pl + Odblokuj + pt + Desbloquear + pt-PT + Desproteger + ru + Снять защиту + sv + Lås upp + tr + Kilidi Aç + zh-Hans + 解锁 + zh-Hant + 解鎖 + + default-prompt + + ar + يحاول __APPNAME__ فتح قفل تفضيلات الطباعة والمسح الضوئي. + cs + __APPNAME__ se pokouší odemknout předvolby Tisk a fax. + da + __APPNAME__ prøver at låse vinduet Udskriv & scan op. + de + __APPNAME__ versucht, die Systemeinstellung „Drucken & Scannen“ zu entsperren. + en + __APPNAME__ is trying to unlock the Print & Scan preferences. + es + __APPNAME__ está intentando desbloquear el panel de preferencias Impresión y Escaneado. + fi + __APPNAME__ yrittää avata Tulostus ja skannaus -asetuksia. + fr + __APPNAME__ essaie de déverrouiller les préférences Imprimantes et scanners. + hu + A(z) __APPNAME__ megpróbálja feloldani a Nyomtatás és szkennelés beállításait. + it + __APPNAME__ sta tentando di sbloccare le preferenze di Stampa e scansione. + ja + __APPNAME__ が“プリントとファクス”環境設定のロックを解除しようとしています。 + ko + __APPNAME__이(가) 프린트 및 스캔 환경설정을 잠금 해제하려고 합니다. + nb + __APPNAME__ prøver å låse opp Utskrift- og skanning-valgpanelet. + nl + __APPNAME__ probeert het voorkeurenpaneel 'Afdrukken en scannen' te ontgrendelen. + pl + __APPNAME__ próbuje odblokować preferencje drukarki i skanera. + pt + __APPNAME__ está tentando desbloquear as preferências Impressão e Escaneamento. + pt-PT + __APPNAME__ está a tentar desproteger as preferências de Impressão e Digitalização. 
+ ru + Программа «__APPNAME__» пытается снять защиту с настроек панели «Печать и факс». + sv + __APPNAME__ försöker låsa upp inställningarna för Skrivare och skanner. + tr + __APPNAME__, Kağıda Dökme ve Tarama tercihlerinin kilidini açmaya çalışıyor. + zh-Hans + “__APPNAME__”正试图解锁“打印与扫描”偏好设置。 + zh-Hant + “__APPNAME__”在嘗試解鎖“列印與掃描”偏好設定。 + group admin - allow-root - shared - timeout - 300 - comment - For making Directory Services changes. - com.apple.server.admin.streaming + system.preferences.security + allow-root + class - user + user comment - For making administrative requests to the QuickTime Streaming Server. + Checked by the Admin framework when making changes to the Security preference pane. + default-button + + ar + فتح القفل + cs + Odemknout + da + Lås op + de + Entsperren + en + Unlock + es + Desbloquear + fi + Avaa + fr + Déverrouiller + hu + Feloldás + it + Sblocca + ja + ロックを解除 + ko + 잠금 해제 + nb + Lås opp + nl + Ontgrendel + pl + Odblokuj + pt + Desbloquear + pt-PT + Desproteger + ru + Снять защиту + sv + Lås upp + tr + Kilidi Aç + zh-Hans + 解锁 + zh-Hant + 解鎖 + + default-prompt + + ar + يحاول __APPNAME__ إلغاء تأمين تفضيلات الأمن والخصوصية. + cs + __APPNAME__ se pokouší odemknout předvolby Zabezpečení a soukromí. + da + __APPNAME__ forsøger at låse Sikkerhed og personlige indstillinger op. + de + __APPNAME__ versucht, die Systemeinstellung „Sicherheit & Privatsphäre“ zu entsperren. + en + __APPNAME__ is trying to unlock Security & Privacy preferences. + es + __APPNAME__ está intentando desbloquear el panel de preferencias Seguridad y Privacidad. + fi + __APPNAME__ yrittää avata Suojaus ja yksityisyys -asetuksia. + fr + __APPNAME__ essaye de déverrouiller les préférences Sécurité et confidentialité. + hu + A(z) __APPNAME__ megpróbálja feloldani a Biztonság ás adatvédelem beállításait. + it + __APPNAME__ sta tentando di sbloccare le preferenze Sicurezza e Privacy. 
+ ja + “__APPNAME__”により“セキュリティとプライバシー”環境設定のロックが解除されます。 + ko + __APPNAME__ 이(가) 보안 및 개인 정보 환경설정을 잠금 해제하려고 합니다. + nb + __APPNAME__ prøver å låse opp Sikkerhet og personvern-valgpanelet. + nl + __APPNAME__ probeert het voorkeurenpaneel 'Beveiliging en privacy' te ontgrendelen. + pl + __APPNAME__ próbuje odblokować preferencje Ochrona i prywatność. + pt + __APPNAME__ está tentando desbloquear as preferências Segurança e Privacidade. + pt-PT + __APPNAME__ está a tentar desproteger as preferências de Segurança e Privacidade. + ru + Программа «__APPNAME__» пытается снять защиту с панели «Защита и безопасность». + sv + __APPNAME__ försöker låsa upp inställningarna för Säkerhet och integritet. + tr + __APPNAME__, Güvenlik ve Gizlilik tercihlerinin kilidini açmaya çalışıyor. + zh-Hans + “__APPNAME__”正试图解锁“安全性与隐私”偏好设置。 + zh-Hant + __APPNAME__ 正在嘗試解鎖“安全性與隱私”偏好設定。 + group admin shared - allow-root - - timeout - 0 - com.apple.trust-settings.admin + system.preferences.security.remotepair + class + rule comment - For modifying Trust Settings in the Local Admin domain. + Used by Bezel Services to gate IR remote pairing. + default-button + + ar + اقتران + cs + Párovat + da + Dan par + de + Koppeln + en + Pair + es + Enlazar + fi + Muodosta pari + fr + Jumeler + hu + Párosítás + it + Abbina + ja + 登録 + ko + 연결 + nb + Sammenkoble + nl + Koppel + pl + Łącz w parę + pt + Emparelhar + pt-PT + Emparelhar + ru + Создать пару + sv + Parkoppla + tr + Eşle + zh-Hans + 配对 + zh-Hant + 配對 + + default-prompt + + ar + يحاول __APPNAME__ الاقتران بوحدة التحكم عن بعد. + cs + __APPNAME__ se pokouší párovat ovladač. + da + __APPNAME__ forsøger at danne par med fjernbetjeningen. + de + __APPNAME__ versucht, die Fernbedienung zu koppeln. + en + __APPNAME__ is trying to pair the remote. + es + __APPNAME__ está intentando enlazar un mando a distancia. + fi + __APPNAME__ yrittää muodostaa paria kaukosäätimen kanssa. + fr + __APPNAME__ essaye de jumeler la télécommande. 
+ hu + A(z) __APPNAME__ megpróbálja párosítani a távvezérlőt. + it + __APPNAME__ sta cercando di abbinare il telecomando. + ja + __APPNAME__ は Remote を登録しようとしています。 + ko + __APPNAME__이(가) 리모컨을 연결하려고 합니다. + nb + __APPNAME__ prøver å sammenkoble fjernkontrollen. + nl + __APPNAME__ probeert de afstandsbediening te koppelen. + pl + __APPNAME__ próbuje połączyć pilota w parę. + pt + __APPNAME__ está tentando emparelhar o controle remoto. + pt-PT + O __APPNAME__ está a tentar emparelhar o comando. + ru + Программа «__APPNAME__» пытается создать пару с пультом ДУ. + sv + __APPNAME__ försöker parkoppla fjärrkontrollen. + tr + __APPNAME__, uzaktan kumandayı eşlemeye çalışıyor. + zh-Hans + “__APPNAME__”正试图与遥控器配对。 + zh-Hant + “__APPNAME__”正在嘗試配對遙控器。 + + rule + entitled-admin-or-authenticate-admin + + system.preferences.sharing + allow-root class user + comment + Checked by the Admin framework when making changes to the Sharing preference pane. + default-button + + ar + فتح القفل + cs + Odemknout + da + Lås op + de + Entsperren + en + Unlock + es + Desbloquear + fi + Avaa + fr + Déverrouiller + hu + Feloldás + it + Sblocca + ja + ロック解除 + ko + 잠금 해제 + nb + Lås opp + nl + Ontgrendel + pl + Odblokuj + pt + Desbloquear + pt-PT + Desproteger + ru + Снять защиту + sv + Lås upp + tr + Kilidi Aç + zh-Hans + 解锁 + zh-Hant + 解鎖 + + default-prompt + + ar + يحاول __APPNAME__ فتح قفل تفضيلات المشاركة. + cs + __APPNAME__ se pokouší odemknout předvolby Sdílení. + da + __APPNAME__ prøver at låse vinduet Deling op. + de + __APPNAME__ versucht, die Systemeinstellung „Freigaben“ zu entsperren. + en + __APPNAME__ is trying to unlock the Sharing preferences. + es + __APPNAME__ está intentando desbloquear el panel de preferencias Compartir. + fi + __APPNAME__ yrittää avata Jako-asetuksia. + fr + __APPNAME__ essaie de déverrouiller les préférences Partage. + hu + A(z) __APPNAME__ megpróbálja feloldani a Megosztás beállításait. + it + __APPNAME__ sta tentando di sbloccare le preferenze di Condivisione. 
+ ja + __APPNAME__ が“共有”環境設定のロックを解除しようとしています。 + ko + __APPNAME__이(가) 공유 환경설정을 잠금 해제하려고 합니다. + nb + __APPNAME__ prøver å låse opp Deling-valgpanelet. + nl + __APPNAME__ probeert het voorkeurenpaneel 'Delen' te ontgrendelen. + pl + __APPNAME__ próbuje odblokować preferencje udostępniania. + pt + __APPNAME__ está tentando desbloquear as preferências Compartilhamento. + pt-PT + __APPNAME__ está a tentar desproteger as preferências de Partilha. + ru + Программа «__APPNAME__» пытается снять защиту с настроек панели «Общий доступ». + sv + __APPNAME__ försöker låsa upp inställningarna för Delning. + tr + __APPNAME__, Paylaşma tercihlerinin kilidini açmaya çalışıyor. + zh-Hans + “__APPNAME__”正试图解锁“共享”偏好设置。 + zh-Hant + “__APPNAME__”正在嘗試解鎖“共享”偏好設定。 + group admin + shared + - com.apple.trust-settings.user - - rule - authenticate-session-owner - comment - For modifying per-user Trust Settings. - - system.install.admin.user + system.preferences.softwareupdate + allow-root + class - user + user comment - Checked when user is installing in admin domain (/Applications). + Checked by the Admin framework when making changes to the Software Update preference pane. + default-button + + ar + فتح القفل + cs + Odemknout + da + Lås op + de + Entsperren + en + Unlock + es + Desbloquear + fi + Avaa + fr + Déverrouiller + hu + Feloldás + it + Sblocca + ja + ロック解除 + ko + 잠금 해제 + nb + Lås opp + nl + Ontgrendel + pl + Odblokuj + pt + Desbloquear + pt-PT + Desproteger + ru + Снять защиту + sv + Lås upp + tr + Kilidi Aç + zh-Hans + 解锁 + zh-Hant + 解鎖 + + default-prompt + + ar + يحاول __APPNAME__ فتح قفل تفضيلات محدث البرامج. + cs + __APPNAME__ se pokouší odemknout předvolby Aktualizace softwaru. + da + __APPNAME__ prøver at låse vinduet Softwareopdatering op. + de + __APPNAME__ versucht, die Systemeinstellung „Softwareaktualisierung“ zu entsperren. + en + __APPNAME__ is trying to unlock the Software Update preferences. 
+ es + __APPNAME__ está intentando desbloquear el panel de preferencias Actualización de Software. + fi + __APPNAME__ yrittää avata Ohjelmiston päivitys -asetuksia. + fr + __APPNAME__ essaie de déverrouiller les préférences Mise à jour de logiciels. + hu + A(z) __APPNAME__ megpróbálja feloldani a szoftverfrissítés beállításait. + it + __APPNAME__ sta tentando di sbloccare le preferenze di Aggiornamento Software. + ja + __APPNAME__ が“ソフトウェア・アップデート”環境設定のロックを解除しようとしています。 + ko + __APPNAME__이(가) 소프트웨어 업데이트 환경설정을 잠금 해제하려고 합니다. + nb + __APPNAME__ prøver å låse opp Programvareoppdatering-valgpanelet. + nl + __APPNAME__ probeert het voorkeurenpaneel 'Software-update' te ontgrendelen. + pl + __APPNAME__ próbuje odblokować preferencje uaktualnień programów. + pt + __APPNAME__ está tentando desbloquear as preferências Atualização de Software. + pt-PT + __APPNAME__ está a tentar desproteger as preferências de Actualização de Software. + ru + Программа «__APPNAME__» пытается снять защиту с настроек панели «Обновление программ». + sv + __APPNAME__ försöker låsa upp inställningarna för Programuppdatering. + tr + __APPNAME__, Yazılım Güncelleme tercihlerinin kilidini açmaya çalışıyor. + zh-Hans + “__APPNAME__”正试图解锁“软件更新”偏好设置。 + zh-Hant + “__APPNAME__”正在嘗試解鎖“軟體更新”偏好設定。 + group admin shared - - timeout - 300 + - system.install.root.user + system.preferences.startupdisk + allow-root + class - user + user comment - Checked when user is installing in root domain (/System). + Checked by the Admin framework when making changes to the Startup Disk preference pane. 
+ default-button + + ar + فتح القفل + cs + Odemknout + da + Lås op + de + Entsperren + en + Unlock + es + Desbloquear + fi + Avaa + fr + Déverrouiller + hu + Feloldás + it + Sblocca + ja + ロック解除 + ko + 잠금 해제 + nb + Lås opp + nl + Ontgrendel + pl + Odblokuj + pt + Desbloquear + pt-PT + Desproteger + ru + Снять защиту + sv + Lås upp + tr + Kilidi Aç + zh-Hans + 解锁 + zh-Hant + 解鎖 + + default-prompt + + ar + يحاول __APPNAME__ فتح قفل تفضيلات قرص بدء التشغيل. + cs + __APPNAME__ se pokouší odemknout předvolby Startovací disk. + da + __APPNAME__ prøver at låse vinduet Startdisk op. + de + __APPNAME__ versucht, die Systemeinstellung „Startvolume“ zu entsperren. + en + __APPNAME__ is trying to unlock the Startup Disk preferences. + es + __APPNAME__ está intentando desbloquear el panel de preferencias Disco de Arranque. + fi + __APPNAME__ yrittää avata Käynnistyslevy-asetuksia. + fr + __APPNAME__ essaie de déverrouiller les préférences Démarrage. + hu + A(z) __APPNAME__ megpróbálja feloldani a Rendszerindító lemez beállításait. + it + __APPNAME__ sta tentando di sbloccare le preferenze del Disco di avvio. + ja + __APPNAME__ が“起動ディスク”環境設定のロックを解除しようとしています。 + ko + __APPNAME__이(가) 시동 디스크 환경설정을 잠금 해제하려고 합니다. + nb + __APPNAME__ prøver å låse opp Startdisk-valgpanelet. + nl + __APPNAME__ probeert het voorkeurenpaneel 'Opstartschijf' te ontgrendelen. + pl + __APPNAME__ próbuje odblokować preferencje dysku startowego. + pt + __APPNAME__ está tentando desbloquear as preferências Disco de Inicialização. + pt-PT + __APPNAME__ está a tentar desproteger as preferências de Disco de Arranque. + ru + Программа «__APPNAME__» пытается снять защиту с настроек панели «Загрузочный том». + sv + __APPNAME__ försöker låsa upp inställningarna för Startskiva. + tr + __APPNAME__, Başlangıç Diski tercihlerinin kilidini açmaya çalışıyor. 
+ zh-Hans + “__APPNAME__”正试图解锁“启动磁盘”偏好设置。 + zh-Hant + “__APPNAME__”正在嘗試解鎖“啟動磁碟”偏好設定。 + group admin shared - - timeout - 300 + - system.install.root.admin + system.preferences.timemachine + allow-root + class - user + user comment - Checked when admin is installing in root domain (/System). + Checked by the Admin framework when making changes to the Time Machine preference pane. + default-button + + ar + فتح القفل + cs + Odemknout + da + Lås op + de + Entsperren + en + Unlock + es + Desbloquear + fi + Avaa + fr + Déverrouiller + hu + Feloldás + it + Sblocca + ja + ロック解除 + ko + 잠금 해제 + nb + Lås opp + nl + Ontgrendel + pl + Odblokuj + pt + Desbloquear + pt-PT + Desproteger + ru + Снять защиту + sv + Lås upp + tr + Kilidi Aç + zh-Hans + 解锁 + zh-Hant + 解鎖 + + default-prompt + + ar + يحاول __APPNAME__ فتح قفل تفضيلات Time Machine. + cs + __APPNAME__ se pokouší odemknout předvolby Time Machine. + da + __APPNAME__ prøver at låse vinduet Time Machine op. + de + __APPNAME__ versucht, die Systemeinstellung „Time Machine“ zu entsperren. + en + __APPNAME__ is trying to unlock the Time Machine preferences. + es + __APPNAME__ está intentando desbloquear el panel de preferencias Time Machine. + fi + __APPNAME__ yrittää avata Time Machine -asetuksia. + fr + __APPNAME__ essaie de déverrouiller les préférences Time Machine. + hu + A(z) __APPNAME__ megpróbálja feloldani a Time Machine beállításait. + it + __APPNAME__ sta tentando di sbloccare le preferenze di Time Machine. + ja + __APPNAME__ が“Time Machine”環境設定のロックを解除しようとしています。 + ko + __APPNAME__이(가) Time Machine 환경설정을 잠금 해제하려고 합니다. + nb + __APPNAME__ prøver å låse opp Time Machine-valgpanelet. + nl + __APPNAME__ probeert het voorkeurenpaneel 'Time Machine' te ontgrendelen. + pl + __APPNAME__ próbuje odblokować preferencje Time Machine. + pt + __APPNAME__ está tentando desbloquear as preferências Time Machine. + pt-PT + __APPNAME__ está a tentar desproteger as preferências de Time Machine. 
+ ru + Программа «__APPNAME__» пытается снять защиту с настроек панели Time Machine. + sv + __APPNAME__ försöker låsa upp inställningarna för Time Machine. + tr + __APPNAME__, Time Machine tercihlerinin kilidini açmaya çalışıyor. + zh-Hans + “__APPNAME__”正试图解锁 Time Machine 偏好设置。 + zh-Hant + “__APPNAME__”正在嘗試解鎖 Time Machine 偏好設定。 + group admin shared - - timeout - 300 + - com.apple.appserver.privilege.admin + system.preferences.version-cue class rule comment - For administrative access to the Application Server management tool. + For gating modifications to Adobe Version Cue preferences. + default-button + + ar + تعديل التفضيلات + cs + Změnit předvolby + da + Juster indstillinger + de + Einstellungen ändern + en + Modify Preferences + es + Modificar preferencias + fi + Muokkaa asetuksia + fr + Modifier les préférences + hu + Beállítások módosítása + it + Modifica preferenze + ja + 環境設定を変更 + ko + 환경설정 수정 + nb + Endre valg + nl + Wijzig voorkeuren + pl + Zmień preferencje + pt + Modificar Preferências + pt-PT + Modificar as preferências + ru + Модифицировать настройки + sv + Ändra inställningar + tr + Tercihleri Değiştir + zh-Hans + 修改偏好设置 + zh-Hant + 修改偏好設定 + + default-prompt + + ar + يحاول __APPNAME__ تعديل تفضيلات رمز الإصدار. + cs + __APPNAME__ se pokouší změnit předvolby Version Cue. + da + __APPNAME__ forsøger at ændre indstillingerne til versionindikatoren. + de + __APPNAME__ versucht, die Systemeinstellung „Version Cue“ zu ändern. + en + __APPNAME__ is trying to modify the Version Cue preferences. + es + __APPNAME__ está intentando modificar las preferencias de la indicación de versión. + fi + __APPNAME__ yrittää muokata Version Cue -asetuksia. + fr + __APPNAME__ essaye de modifier les préférences de Version Cue. + hu + A(z) __APPNAME__ megpróbálja feloldani a Version Cue beállításait. + it + __APPNAME__ sta cercando di modificare le preferenze Version Cue. + ja + __APPNAME__ は、“Version Cue”環境設定を変更しようとしています。 + ko + __APPNAME__이(가) Version Cue 환경설정을 수정하려고 합니다. 
+ nb + __APPNAME__ prøver å endre Version Cue-valgpanelet. + nl + __APPNAME__ probeert de Version Cue-voorkeuren te wijzigen. + pl + __APPNAME__ próbuje zmienić preferencje Version Cue. + pt + __APPNAME__ está tentando modificar os ajustes do aplicativo Version Cue. + pt-PT + O __APPNAME__ está a tentar modificar as preferências de Version Cue. + ru + Программа «__APPNAME__» пытается модифицировать настройки Version Cue. + sv + __APPNAME__ försöker ändra inställningarna för Version Cue. + tr + __APPNAME__, Version Cue tercihlerini değiştirmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图修改 Version Cue 的偏好设置 + zh-Hant + “__APPNAME__”正在嘗試修改 Version Cue 偏好設定。 + rule - appserver-admin + authenticate-admin - com.apple.appserver.privilege.user + system.print.admin + + class + rule + default-button + + ar + تعديل الإعدادات + cs + Změnit nastavení + da + Juster indstillinger + de + Einstellungen ändern + en + Modify Settings + es + Modificar ajustes + fi + Muokkaa asetuksia + fr + Modifer les réglages + hu + Beállítások módosítása + it + Modifica impostazioni + ja + 設定を変更 + ko + 설정 수정 + nb + Endre innstillinger + nl + Wijzig instellingen + pl + Zmień ustawienia + pt + Modificar Ajustes + pt-PT + Modificar definições + ru + Модифицировать настройки + sv + Ändra inställningar + tr + Ayarları Değiştir + zh-Hans + 修改设置 + zh-Hant + 修改設定 + + default-prompt + + ar + يحاول __APPNAME__ تعديل إعدادات الطابعة. + cs + __APPNAME__ se pokouší změnit nastavení tiskárny. + da + __APPNAME__ forsøger at ændre printerindstillingerne. + de + __APPNAME__ versucht, die Druckereinstellungen zu ändern. + en + __APPNAME__ is trying to modify the printer settings. + es + __APPNAME__ está intentando modificar los ajustes de la impresora. + fi + __APPNAME__ yrittää muokata tulostimen asetuksia. + fr + __APPNAME__ essaye de modifier les réglages d’imprimante. + hu + A(z) __APPNAME__ megpróbálja módosítani a nyomtató beállításait. 
+ it + __APPNAME__ sta cercando di modificare le impostazioni della stampante. + ja + __APPNAME__ はプリンタの設定を変更しようとしています。 + ko + __APPNAME__이(가) 프린터 설정을 변경하려고 합니다. + nb + __APPNAME__ prøver å endre skriverinnstillingene. + nl + __APPNAME__ probeert de printerinstellingen te wijzigen. + pl + __APPNAME__ próbuje zmienić ustawienia drukarki. + pt + __APPNAME__ está tentando modificar os ajustes da impressora. + pt-PT + O __APPNAME__ está a tentar modificar as definições de impressão. + ru + Программа «__APPNAME__» пытается модифицировать настройки принтера. + sv + __APPNAME__ försöker ändra skrivarinställningarna. + tr + __APPNAME__, yazıcı ayarlarını değiştirmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图修改打印机设置。 + zh-Hant + “__APPNAME__”正在嘗試修改印表機設定。 + + rule + root-or-lpadmin + + system.print.operator + + allow-root + + class + user + default-button + + ar + السماح بالطباعة + cs + Povolit tisk + da + Tillad udskrivning + de + Drucken erlauben + en + Allow Printing + es + Permitir impresión + fi + Salli tulostus + fr + Autoriser l’impression + hu + Nyomtatás engedélyezése + it + Consenti stampa + ja + プリントを許可 + ko + 프린트 허용 + nb + Tillat utskrift + nl + Sta afdrukken toe + pl + Pozwól na drukowanie + pt + Permitir Impressão + pt-PT + Permitir imprimir + ru + Разрешить печать + sv + Tillåt utskrifter + tr + Kağıda Dökmeye İzin Ver + zh-Hans + 允许打印 + zh-Hant + 允許列印 + + default-prompt + + ar + يحاول __APPNAME__ استخدام الطابعة. + cs + __APPNAME__ se pokouší použít tiskárnu. + da + __APPNAME__ forsøger at bruge printeren. + de + __APPNAME__ versucht, den Drucker zu benutzen. + en + __APPNAME__ is trying to use the printer. + es + __APPNAME__ está intentando usar la impresora. + fi + __APPNAME__ yrittää käyttää tulostinta. + fr + __APPNAME__ essaye d’utiliser l’imprimante. + hu + A(z) __APPNAME__ megpróbálja használni a nyomtatót. + it + __APPNAME__ sta cercando di usare la stampante. + ja + __APPNAME__ はプリンタを使用しようとしています。 + ko + __APPNAME__이(가) 프린터를 사용하려고 합니다. 
+ nb + __APPNAME__ prøver å bruke skriveren. + nl + __APPNAME__ probeert de printer te gebruiken. + pl + __APPNAME__ próbuje użyć drukarki. + pt + __APPNAME__ está tentando usar a impressora. + pt-PT + O __APPNAME__ está a tentar usar a impressora. + ru + Программа «__APPNAME__» пытается использовать принтер. + sv + __APPNAME__ försöker använda skrivaren. + tr + __APPNAME__, yazıcıyı kullanmaya çalışıyor. + zh-Hans + “__APPNAME__”正试图使用打印机。 + zh-Hant + “__APPNAME__”正在嘗試使用印表機。 + + group + _lpoperator + shared + + + system.printingmanager class rule comment - For user access to the Application Server management tool. + For printing to locked printers. + default-button + + ar + طباعة + cs + Tisknout + da + Udskriv + de + Drucken + en + Print + es + Imprimir + fi + Tulosta + fr + Imprimer + hu + Nyomtatás + it + Stampa + ja + プリント + ko + 프린트 + nb + Skriv ut + nl + Druk af + pl + Drukuj + pt + Imprimir + pt-PT + Imprimir + ru + Напечатать + sv + Skriv ut + tr + Kağıda Dök + zh-Hans + 打印 + zh-Hant + 列印 + + default-prompt + + ar + يحاول __APPNAME__ الطباعة على طابعة مقفلة. + cs + __APPNAME__ se pokouší tisknout na uzamčené tiskárně. + da + __APPNAME__ forsøger at udskrive til en låst printer. + de + __APPNAME__ versucht, auf einem gesperrten Drucker zu drucken. + en + __APPNAME__ is trying to print to a locked printer. + es + __APPNAME__ está intentando imprimir en una impresora bloqueada. + fi + __APPNAME__ yrittää tulostaa lukitulle tulostimelle. + fr + __APPNAME__ essaye d’imprimer vers une imprimante verrouillée. + hu + A(z) __APPNAME__ megpróbál nyomtatni egy zárolt nyomtatóra + it + __APPNAME__ sta cercando di stampare su una stampante bloccata. + ja + __APPNAME__ は、ロック中のプリンタを使ってプリントしようとしています。 + ko + __APPNAME__이(가) 잠겨있는 프린터에서 프린트하려고 합니다. + nb + __APPNAME__ prøver å skrive ut på en låst skriver. + nl + __APPNAME__ probeert een vergrendelde printer te gebruiken. + pl + __APPNAME__ próbuje drukować na zablokowanej drukarce. 
+ pt + __APPNAME__ está tentando imprimir em uma impressora bloqueada. + pt-PT + O __APPNAME__ está a tentar imprimir através de uma impressora que se encontra bloqueada. + ru + Программа «__APPNAME__» пытается выполнить печать на защищенном принтере. + sv + __APPNAME__ försöker skriva ut på en låst skrivare. + tr + __APPNAME__, kilitli bir yazıcıda kağıda dökmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图打印到已锁定的打印机。 + zh-Hant + “__APPNAME__”正在嘗試列印至鎖定的印表機。 + k-of-n 1 rule - appserver-admin - appserver-user + is-admin + authenticate-admin - com.apple.dashboard.advisory.allow + system.privilege.admin + allow-root + class user + comment + Used by AuthorizationExecuteWithPrivileges(...). + AuthorizationExecuteWithPrivileges() is used by programs requesting + to run a tool as root (e.g., some installers). group admin shared 
@@ -624,118 +5443,578 @@ See remaining rules for examples. timeout 300 - com.apple.desktopservices + system.privilege.taskport + allow-root + class user comment - For privileged file operations from within the Finder. + Used by task_for_pid(...). + Task_for_pid is called by programs requesting full control over another program + for things like debugging or performance analysis. This authorization only applies + if the requesting and target programs are run by the same user; it will never + authorize access to the program of another user. WARNING: administrators are advised not to modify this right. + default-button + + ar + التحكم + cs + Převzít kontrolu + da + Overtag kontrol + de + Steuerung übernehmen + en + Take Control + es + Controlar + fi + Ota hallintaan + fr + Prendre le contrôle + hu + Vezérlés átvétele + it + Prendi il controllo + ja + 制御 + ko + 제어하기 + nb + Ta kontroll + nl + Beheer + pl + Przejmij kontrolę + pt + Recuperar Controle + pt-PT + Recuperar controlo + ru + Управлять + sv + Ta kontroll + tr + Yönetimi Ele Geçir + zh-Hans + 控制 + zh-Hant + 控制 + + default-prompt + + ar + يحاول __APPNAME__ أن يسيطر على عملية أخرى. + cs + __APPNAME__ se pokouší převzít kontrolu nad jiným procesem. + da + __APPNAME__ forsøger at overtage kontrollen af en anden proces. + de + __APPNAME__ versucht, die Steuerung eines anderen Vorgangs zu übernehmen. + en + __APPNAME__ is trying to take control of another process. + es + __APPNAME__ está intentando controlar otro proceso. + fi + __APPNAME__ yrittää ottaa hallintaan toista prosessia. + fr + __APPNAME__ essaye de prendre le contrôle d’un autre processus. + hu + A(z) __APPNAME__ megpróbálja átvenni egy másik folyamat vezérlését. + it + __APPNAME__ sta cercando di prendere il controllo di un altro processo. + ja + __APPNAME__ は、ほかのプロセスを制御しようとしています。 + ko + __APPNAME__이(가) 다른 프로세스를 제어하려고 합니다. + nb + __APPNAME__ prøver å styre en annen prosess. + nl + __APPNAME__ probeert het beheer van een ander proces over te nemen. 
+ pl + __APPNAME__ próbuje przejąć kontrolę nad innym procesem. + pt + __APPNAME__ está tentando assumir o controle de outro processo. + pt-PT + O __APPNAME__ está a tentar controlar outro processo. + ru + Программа «__APPNAME__» пытается взять под контроль другой процесс. + sv + __APPNAME__ försöker ta kontroll över en annan process. + tr + __APPNAME__, başka bir işlemin yönetimini ele geçirmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图控制另一进程。 + zh-Hant + “__APPNAME__”正在嘗試控制另一個程序。 + group - admin + _developer shared - + timeout - 0 - - com.apple.builtin.generic-new-passphrase - - class - evaluate-mechanisms - mechanisms - - builtin:generic-new-passphrase - + 36000 - com.apple.builtin.generic-unlock + system.privilege.taskport.debug + allow-root + class - evaluate-mechanisms - mechanisms - - builtin:generic-unlock - + user + comment + For use by Apple. WARNING: administrators are advised + not to modify this right. + default-button + + ar + متابعة + cs + Pokračovat + da + Fortsæt + de + Fortfahren + en + Continue + es + Continuar + fi + Jatka + fr + Continuer + hu + Folytatás + it + Continua + ja + 続ける + ko + 계속 + nb + Fortsett + nl + Ga door + pl + Dalej + pt + Continuar + pt-PT + Continuar + ru + Продолжить + sv + Fortsätt + tr + Sürdür + zh-Hans + 继续 + zh-Hant + 繼續 + + default-prompt + + ar + يحاول __APPNAME__ أن يسيطر على عملية أخرى لتصحيح الأخطاء للاستمرار. + cs + __APPNAME__ potřebuje pro pokračování ladění převzít kontrolu nad jiným procesem. + da + __APPNAME__ bliver nødt til at overtage kontrollen af en anden process, for at fejlfinding kan fortsætte. + de + __APPNAME__ muss zum Fortsetzen der Fehlerbehebung die Steuerung eines anderen Vorgangs übernehmen. + en + __APPNAME__ needs to take control of another process for debugging to continue. + es + Para continuar con la depuración, __APPNAME__ debe controlar otro proceso. + fi + Ohjelman __APPNAME__ pitää ottaa toinen prosessi hallintaan, jotta virheidenmääritys voi jatkua. 
+ fr + __APPNAME__ à besoin de prendre le contrôle d’un autre processus pour continuer le débogage. + hu + A(z) __APPNAME__ alkalmazásnak át kell vennie egy másik folyamat vezérlését a hibakeresés folytatásához. + it + __APPNAME__ deve prendere il controllo di un altro processo affinché possa continuare il debugging. + ja + __APPNAME__ は、デバッグを続けるためにほかのプロセスを制御する必要があります。 + ko + __APPNAME__이(가) 다른 프로세스를 제어해야 디버깅을 계속할 수 있습니다. + nb + __APPNAME__ må styre en annen prosess for at feilsøkingen skal fortsette. + nl + __APPNAME__ moet het beheer van een ander proces overnemen voordat de foutopsporing kan worden voortgezet. + pl + __APPNAME__ musi przejąć kontrolę nad innym procesem na potrzeby usuwania błędów, aby kontynuować. + pt + __APPNAME__ precisa assumir o controle de outro processo para que a depuração possa continuar. + pt-PT + Para poder continuar a depuração, o __APPNAME__ necessita de controlar outro processo. + ru + Программе «__APPNAME__» необходимо взять под контроль другой процесс, чтобы отладка могла быть продолжена. + sv + __APPNAME__ måste ta kontroll över en annan process för att kunna fortsätta felsöka. + tr + __APPNAME__, başka bir işlemin yönetimini ele geçirmeden hata ayıklama sürdürülemez. + zh-Hans + “__APPNAME__”需控制另一进程,才能继续调试。 + zh-Hant + “__APPNAME__”需要控制另一個程序才能繼續除錯。 + + group + _developer + shared + + timeout + 36000 - com.apple.builtin.confirm-access + system.privilege.taskport.safe class - evaluate-mechanisms - tries - 1 - mechanisms - - builtin:confirm-access - + allow + comment + For use by Apple. 
+ default-button + + ar + التحكم + cs + Převzít kontrolu + da + Overtag kontrol + de + Steuerung übernehmen + en + Take Control + es + Controlar + fi + Ota hallintaan + fr + Prendre le contrôle + hu + Vezérlés átvétele + it + Prendi il controllo + ja + 制御 + ko + 제어하기 + nb + Ta kontroll + nl + Beheer + pl + Przejmij kontrolę + pt + Recuperar Controle + pt-PT + Recuperar controlo + ru + Управлять + sv + Ta kontroll + tr + Yönetimi Ele Geçir + zh-Hans + 控制 + zh-Hant + 控制 + + default-prompt + + ar + يحاول __APPNAME__ أن يسيطر على عملية أخرى. + cs + __APPNAME__ se pokouší převzít kontrolu nad jiným procesem. + da + __APPNAME__ forsøger at overtage kontrollen af en anden proces. + de + __APPNAME__ versucht, die Steuerung eines anderen Vorgangs zu übernehmen. + en + __APPNAME__ is trying to take control of another process. + es + __APPNAME__ está intentando controlar otro proceso. + fi + __APPNAME__ yrittää ottaa hallintaan toista prosessia. + fr + __APPNAME__ essaye de prendre le contrôle d’un autre processus. + hu + A(z) __APPNAME__ megpróbálja átvenni egy másik folyamat vezérlését. + it + __APPNAME__ sta cercando di prendere il controllo di un altro processo. + ja + __APPNAME__ は、ほかのプロセスを制御しようとしています。 + ko + __APPNAME__이(가) 다른 프로세스를 제어하려고 합니다. + nb + __APPNAME__ prøver å styre en annen prosess. + nl + __APPNAME__ probeert het beheer van een ander proces over te nemen. + pl + __APPNAME__ próbuje przejąć kontrolę nad innym procesem. + pt + __APPNAME__ está tentando assumir o controle de outro processo. + pt-PT + O __APPNAME__ está a tentar controlar outro processo. + ru + Программа «__APPNAME__» пытается взять под контроль другой процесс. + sv + __APPNAME__ försöker ta kontroll över en annan process. + tr + __APPNAME__, başka bir işlemin yönetimini ele geçirmeye çalışıyor. 
+ zh-Hans + “__APPNAME__”正试图控制另一进程。 + zh-Hant + “__APPNAME__”正在嘗試控制另一個程序。 + - com.apple.builtin.confirm-access-password + system.restart class evaluate-mechanisms + comment + Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching. mechanisms - builtin:confirm-access-password + RestartAuthorization:restart + builtin:authenticate,privileged + RestartAuthorization:success - com.apple.ZFSManager. + system.services.directory.configure class rule comment - Used by zfsmanager to allow access to destructive zfs functions - k-of-n - 1 + For making Directory Services changes. + default-button + + ar + تعديل التكوين + cs + Změnit konfiguraci + da + Juster konfiguration + de + Konfiguration ändern + en + Modify Configuration + es + Modificar configuración + fi + Muokkaa määrittelyä + fr + Modifier la configuration + hu + Konfiguráció módosítása + it + Modifica configurazione + ja + 構成を変更 + ko + 구성 수정 + nb + Endre konfigurasjon + nl + Wijzig configuratie + pl + Zmień konfigurację + pt + Modificar Configuração + pt-PT + Modificar configuração + ru + Модифицировать конфигурацию + sv + Ändra konfiguration + tr + Konfigürasyonu Değiştir + zh-Hans + 修改配置 + zh-Hant + 修改設定 + + default-prompt + + ar + يحاول __APPNAME__ تعديل تكوين خدمات الدليل. + cs + __APPNAME__ se pokouší změnit konfiguraci Adresářových služeb. + da + __APPNAME__ forsøger at ændre konfigurationen Bibliotekstjenester. + de + __APPNAME__ versucht, die Konfiguration der Verzeichnisdienste zu ändern. + en + __APPNAME__ is trying to modify the Directory Services configuration. + es + __APPNAME__ está intentando modificar la configuración de los servicios de directorio. + fi + __APPNAME__ yrittää muokata hakemistopalvelujen määrittelyä. + fr + __APPNAME__ essaye de modifier la configuration des services d’annuaire. + hu + A(z) __APPNAME__ megpróbálja módosítani a Könyvtárszolgáltatások konfigurációját. 
+ it + __APPNAME__ sta cercando di modificare la configurazione dei Servizi di directory. + ja + __APPNAME__ は、ディレクトリサービスの構成を変更しようとしています。 + ko + __APPNAME__이(가) 디렉토리 서비스 구성을 변경하려고 합니다. + nb + __APPNAME__ prøver å endre Katalogtjenester-konfigurasjonen. + nl + __APPNAME__ probeert de configuratie van Adreslijstvoorzieningen te wijzigen. + pl + __APPNAME__ próbuje zmienić konfigurację programu Usługi katalogowe. + pt + __APPNAME__ está tentando modificar a configuração dos Serviços de Diretório. + pt-PT + O __APPNAME__ está a tentar modificar a configuração dos serviços de directório. + ru + Программа «__APPNAME__» пытается модифицировать настройку Службы каталогов. + sv + __APPNAME__ försöker ändra konfigurationen för Katalogtjänster. + tr + __APPNAME__, Dizin Servisleri konfigürasyonunu değiştirmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图修改“目录服务”的配置。 + zh-Hant + “__APPNAME__”正在嘗試修改“目錄服務”設定。 + rule - - is-root - is-admin - default - - shared - + root-or-admin-or-authenticate-admin - com.apple.ServiceManagement.blesshelper + system.sharepoints. - comment - Used by the ServiceManagement framework to add a privileged helper tool to the system launchd. + allow-root + class - rule - k-of-n - 1 - rule - - is-root - authenticate-admin-30 - + user + comment + Checked when making changes to the Sharepoints. + default-button + + ar + تعديل التفضيلات + cs + Změnit předvolby + da + Juster indstillinger + de + Einstellungen ändern + en + Modify Preferences + es + Modificar preferencias + fi + Muokkaa asetuksia + fr + Modifier les préférences + hu + Beállítások módosítása + it + Modifica preferenze + ja + 環境設定を変更 + ko + 환경설정 수정 + nb + Endre valg + nl + Wijzig voorkeuren + pl + Zmień preferencje + pt + Modificar Preferências + pt-PT + Modificar as preferências + ru + Модифицировать настройки + sv + Ändra inställningar + tr + Tercihleri Değiştir + zh-Hans + 修改偏好设置 + zh-Hant + 修改偏好設定 + + default-prompt + + ar + يحاول __APPNAME__ تعديل تفضيلات المشاركة. 
+ cs + __APPNAME__ se pokouší změnit předvolby Sdílení. + da + __APPNAME__ forsøger at ændre Deling. + de + __APPNAME__ versucht, die Systemeinstellung „Freigaben“ zu ändern. + en + __APPNAME__ is trying to modify Sharing preferences. + es + __APPNAME__ está intentando modificar las preferencias de Compartir. + fi + __APPNAME__ yrittää muokata Jako-asetuksia. + fr + __APPNAME__ essaye de modifier les préférences Partage. + hu + A(z) __APPNAME__ megpróbálja módosítani a Megosztás beállításait. + it + __APPNAME__ sta cercando di modificare le preferenze di condivisione. + ja + __APPNAME__ は、“共有”環境設定を変更しようとしています。 + ko + __APPNAME__이(가) 공유 환경설정을 변경하려고 합니다. + nb + __APPNAME__ prøver å endre Deling-valgpanelet. + nl + __APPNAME__ probeert het voorkeurenpaneel 'Delen' te wijzigen. + pl + __APPNAME__ próbuje zmienić preferencje Udostępnianie. + pt + __APPNAME__ está tentando modificar as preferências de Compartilhamento. + pt-PT + O __APPNAME__ está a tentar desproteger as preferências de Partilha. + ru + Программа «__APPNAME__» пытается модифицировать настройки Общего доступа. + sv + __APPNAME__ försöker ändra Delningsinställningarna. + tr + __APPNAME__, Paylaşma tercihlerini değiştirmeye çalışıyor. + zh-Hans + “__APPNAME__”正试图修改“共享”偏好设置。 + zh-Hant + “__APPNAME__”正在嘗試修改“共享”偏好設定。 + + group + admin + shared + - com.apple.ServiceManagement.daemons.modify + system.shutdown - comment - Used by the ServiceManagement framework to make changes to the system launchd's set of daemons. class - rule - k-of-n - 1 - rule + evaluate-mechanisms + comment + Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching. + mechanisms - is-root - authenticate-admin-30 + RestartAuthorization:shutdown + builtin:authenticate,privileged + RestartAuthorization:success - com.apple.pcastagentconfigd. + + rules + + admin - comment - Wildcard for rights checked by Podcast Producer when making changes to your camera binding. 
class user group admin - allow-root - shared - + - - rules - allow class @@ -743,6 +6022,32 @@ See remaining rules for examples. comment Allow anyone. + appserver-admin + + class + user + group + appserveradm + + appserver-user + + class + user + group + appserverusr + + authenticate + + class + evaluate-mechanisms + mechanisms + + builtin:authenticate + builtin:reset-password,privileged + builtin:authenticate,privileged + PKINITMechanism:auth,privileged + + authenticate-admin class @@ -772,6 +6077,17 @@ See remaining rules for examples. timeout 30 + authenticate-appstore-30 + + class + user + group + _appstore + shared + + timeout + 30 + authenticate-developer class @@ -794,6 +6110,21 @@ See remaining rules for examples. session-owner + authenticate-session-owner-or-admin + + allow-root + + class + user + comment + Authenticate either as the owner or as an administrator. + group + admin + session-owner + + shared + + authenticate-session-user class 
@@ -803,95 +6134,266 @@ See remaining rules for examples. session-owner - authenticate-session-owner-or-admin + default - allow-root - class user comment - Authenticate either as the owner or as an administrator. + Default rule. + Credentials remain valid for 5 minutes after they've been obtained. + An acquired credential is shared by all clients. + group admin - session-owner - shared - + + timeout + 300 + + entitled + + class + evaluate-mechanisms + mechanisms + + builtin:entitled,privileged + + tries + 1 + + entitled-admin + + class + rule + k-of-n + 2 + rule + + is-admin + entitled + + + entitled-admin-or-authenticate-admin + + class + rule + k-of-n + 1 + rule + + entitled-admin + authenticate-admin-30 + + + entitled-appstore + + class + rule + k-of-n + 2 + rule + + is-appstore + entitled + + + entitled-appstore-or-entitled-authenticate-appstore + + class + rule + k-of-n + 1 + rule + + entitled-appstore + entitled-authenticate-appstore + + + entitled-authenticate-admin + + class + rule + k-of-n + 2 + rule + + entitled + authenticate-admin-30 + + + entitled-authenticate-appstore + + class + rule + k-of-n + 2 + rule + + entitled + authenticate-appstore-30 + + + entitled-session-owner + + class + rule + k-of-n + 2 + rule + + is-session-owner + entitled + + + entitled-session-owner-or-authenticate-session-owner + + class + rule + k-of-n + 1 + rule + + entitled-session-owner + authenticate-session-owner + is-admin + authenticate-user + class user comment Verify that the user asking for authorization is an administrator. group admin + shared + true + + is-appstore + authenticate-user + class + user + group + _appstore shared true is-developer + authenticate-user + class user comment Verify that the user asking for authorization is a developer. 
group _developer + + is-lpadmin + authenticate-user + class + user + group + _lpadmin is-root allow-root - class - user authenticate-user - comment - Verify that the process that created this AuthorizationRef is running as root. - - appserver-user - class user - group - appserverusr + comment + Verify that the process that created this AuthorizationRef is running as root. - appserver-admin + is-session-owner + allow-root + + authenticate-user + class user - group - appserveradm + comment + Verify that the requesting process is running as the session owner. + session-owner + - default + lpadmin class user - comment - Default rule. - Credentials remain valid for 5 minutes after they've been obtained. - An acquired credential is shared by all clients. - group - admin + _lpadmin shared - timeout - 300 - authenticate + on-console class evaluate-mechanisms mechanisms - builtin:smartcard-sniffer,privileged - builtin:authenticate - builtin:authenticate,privileged + builtin:on-console + + tries + 1 + + root-or-admin-or-authenticate-admin + + class + rule + k-of-n + 1 + rule + + is-root + is-admin + authenticate-admin-30 + + + root-or-entitled-admin-or-admin + + class + rule + k-of-n + 1 + rule + + is-root + entitled-admin + admin + + + root-or-entitled-admin-or-authenticate-admin + + class + rule + k-of-n + 1 + rule + + is-root + entitled-admin-or-authenticate-admin + + + root-or-lpadmin + + class + rule + k-of-n + 1 + rule + + is-root + is-lpadmin + lpadmin diff --git a/etc/com.apple.securityd.plist b/etc/com.apple.securityd.plist index aae1614..0249143 100644 --- a/etc/com.apple.securityd.plist +++ b/etc/com.apple.securityd.plist @@ -20,7 +20,7 @@ RunAtLoad LaunchOnlyOnce - + HopefullyExitsLast EnableTransactions diff --git a/etc/startup.mk b/etc/startup.mk index 04c77e0..c2fd4bf 100644 --- a/etc/startup.mk +++ b/etc/startup.mk 
@@ -36,6 +36,7 @@ install: mkdir -p $(LAUNCH_DIR) cp $(SRC)/com.apple.securityd.plist $(LAUNCH_DIR) mkdir -p $(AUTHORIZATION_LOCATION) + plutil -lint $(SRC)/authorization.plist cp $(SRC)/authorization.plist $(AUTHORIZATION_PLIST) chown root:wheel $(AUTHORIZATION_PLIST) chmod 644 $(AUTHORIZATION_PLIST) diff --git a/mig/self.defs b/mig/self.defs index 4a7e3bf..99042d2 100644 --- a/mig/self.defs +++ b/mig/self.defs @@ -38,3 +38,6 @@ userprefix self_client_; // simpleroutine handleSignal(requestport sport: mach_port_make_send_once_t; in task_port: mach_port_t; in signal_number: int); + +simpleroutine handleSession(requestport sport: mach_port_make_send_once_t; + in task_port: mach_port_t; in events: uint32_t; in ident: uint64_t); diff --git a/securityd.xcodeproj/project.pbxproj b/securityd.xcodeproj/project.pbxproj index c27df0a..2c13767 100644 --- a/securityd.xcodeproj/project.pbxproj +++ b/securityd.xcodeproj/project.pbxproj @@ -129,6 +129,8 @@ AAC707750E6F4352003CC2B2 /* csproxy.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C2BD5FDA0AC47E850057FD3D /* csproxy.cpp */; }; AAC707760E6F4352003CC2B2 /* credential.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 407ACD070AE5B57700A9DA90 /* credential.cpp */; }; AAC707780E6F4352003CC2B2 /* clientid.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C22C34520B278EB60009368E /* clientid.cpp */; }; + C274C51E0F9E8E0F001ABDA3 /* auditevents.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C274C51C0F9E8E0F001ABDA3 /* auditevents.cpp */; }; + C274C51F0F9E8E0F001ABDA3 /* auditevents.h in Headers */ = {isa = PBXBuildFile; fileRef = C274C51D0F9E8E0F001ABDA3 /* auditevents.h */; }; ED5130690E7F1259002A3749 /* securityd.1 in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4CE1878706FFC5D60079D235 /* securityd.1 */; }; /* End PBXBuildFile section */ 
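Review bot: The new `handleSession` routine in mig/self.defs carries `task_port` just like `handleSignal` above it, but nothing in the file states what the receiver must do with it. If other tasks can reach this port, the server-side handler (outside this hunk) should reject any message whose `task_port` is not securityd's own task before acting on `events` and `ident`; that cannot be confirmed from this page. I would add a comment above the routine, e.g. `// handleSession: self-message only; the handler must verify task_port == mach_task_self() before trusting events/ident`.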
@@ -249,6 +251,8 @@ C26EA9510688CF34007CE21D /* tokencache.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = tokencache.cpp; sourceTree = ""; }; C26EA9520688CF34007CE21D /* tokencache.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = tokencache.h; sourceTree = ""; }; C26FB2650BC2C3A300D8EFC8 /* com.apple.securityd.plist */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = text.plist.xml; path = com.apple.securityd.plist; sourceTree = ""; }; + C274C51C0F9E8E0F001ABDA3 /* auditevents.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = auditevents.cpp; sourceTree = ""; }; + C274C51D0F9E8E0F001ABDA3 /* auditevents.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = auditevents.h; sourceTree = ""; }; C276AAD60663E7A400B57276 /* PCSC.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = PCSC.framework; path = /System/Library/Frameworks/PCSC.framework; sourceTree = ""; }; C2813C7F0730534A00E243E8 /* tokenaccess.cpp */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.cpp.cpp; path = tokenaccess.cpp; sourceTree = ""; }; C2813C800730534A00E243E8 /* tokenaccess.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; path = tokenaccess.h; sourceTree = ""; }; @@ -559,6 +563,8 @@ children = ( 4C92649D0534866F004B0E72 /* agentquery.h */, 4C92649C0534866F004B0E72 /* agentquery.cpp */, + C274C51D0F9E8E0F001ABDA3 /* auditevents.h */, + C274C51C0F9E8E0F001ABDA3 /* auditevents.cpp */, 4E0BB2B20F79590300BBFEFA /* ccaudit_extensions.h */, 4E0BB2B30F79590300BBFEFA /* ccaudit_extensions.cpp */, 4CB5ACBA06680AE000F359A9 /* child.h */, 
@@ -631,6 +637,7 @@ AAC7074B0E6F4335003CC2B2 /* clientid.h in Headers */, AAC7074C0E6F4335003CC2B2 /* dtrace.h in Headers */, 4E0BB2B40F79590300BBFEFA /* ccaudit_extensions.h in Headers */, + C274C51F0F9E8E0F001ABDA3 /* auditevents.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -665,6 +672,7 @@ isa = PBXProject; buildConfigurationList = C27AD4AD0987FCF4001272E0 /* Build configuration list for PBXProject "securityd" */; compatibilityVersion = "Xcode 3.1"; + developmentRegion = English; hasScannedForEncodings = 1; knownRegions = ( English, @@ -776,6 +784,7 @@ AAC707760E6F4352003CC2B2 /* credential.cpp in Sources */, AAC707780E6F4352003CC2B2 /* clientid.cpp in Sources */, 4E0BB2B50F79590300BBFEFA /* ccaudit_extensions.cpp in Sources */, + C274C51E0F9E8E0F001ABDA3 /* auditevents.cpp in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -961,11 +970,11 @@ isa = XCBuildConfiguration; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; - ARCHS = "$(NATIVE_ARCH)"; + ARCHS = x86_64; BUILD_VARIANTS = debug; COPY_PHASE_STRIP = NO; CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers"; - CURRENT_PROJECT_VERSION = 1; + CURRENT_PROJECT_VERSION = 55009; FRAMEWORK_SEARCH_PATHS = ( /usr/local/SecurityPieces/Frameworks, /usr/local/SecurityPieces/Components/securityd, @@ -1012,13 +1021,14 @@ isa = XCBuildConfiguration; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; + ARCHS = x86_64; BUILD_VARIANTS = ( normal, debug, ); COPY_PHASE_STRIP = "(null)"; CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers"; - CURRENT_PROJECT_VERSION = 1; + CURRENT_PROJECT_VERSION = 55009; DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; FRAMEWORK_SEARCH_PATHS = ( /usr/local/SecurityPieces/Frameworks, 
@@ -1069,7 +1079,7 @@ BUILD_VARIANTS = normal; COPY_PHASE_STRIP = NO; CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers"; - CURRENT_PROJECT_VERSION = 1; + CURRENT_PROJECT_VERSION = 55009; FRAMEWORK_SEARCH_PATHS = ( /usr/local/SecurityPieces/Frameworks, /usr/local/SecurityPieces/Components/securityd, @@ -1123,7 +1133,7 @@ ); COPY_PHASE_STRIP = "(null)"; CSSM_HEADERS = ""; - CURRENT_PROJECT_VERSION = 1; + CURRENT_PROJECT_VERSION = 55009; FRAMEWORK_SEARCH_PATHS = ( /usr/local/SecurityPieces/Frameworks, /usr/local/SecurityPieces/Components/securityd, @@ -1131,7 +1141,7 @@ "$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", ); GCC_DYNAMIC_NO_PIC = ""; - GCC_GENERATE_DEBUGGING_SYMBOLS = ""; + GCC_GENERATE_DEBUGGING_SYMBOLS = YES; GCC_MODEL_TUNING = G5; HEADER_SEARCH_PATHS = "$(BUILT_PRODUCTS_DIR)/derived_src"; INSTALL_PATH = /usr/sbin; @@ -1207,6 +1217,7 @@ C27AD4AE0987FCF4001272E0 /* Development */ = { isa = XCBuildConfiguration; buildSettings = { + ARCHS = x86_64; CODE_SIGN_IDENTITY = "-"; CONFIGURATION_BUILD_DIR = "$(BUILD_DIR)"; CONFIGURATION_TEMP_DIR = "$(PROJECT_TEMP_DIR)"; @@ -1215,6 +1226,7 @@ "$(BUILT_PRODUCTS_DIR)/SecurityPieces/Headers", "$(BUILT_PRODUCTS_DIR)/SecurityPieces/PrivateHeaders", ); + STRIP_STYLE = debugging; }; name = Development; }; @@ -1224,6 +1236,7 @@ CODE_SIGN_IDENTITY = "-"; CONFIGURATION_BUILD_DIR = "$(BUILD_DIR)"; CONFIGURATION_TEMP_DIR = "$(PROJECT_TEMP_DIR)"; + STRIP_STYLE = debugging; }; name = Deployment; }; @@ -1234,6 +1247,7 @@ CONFIGURATION_BUILD_DIR = "$(BUILD_DIR)"; CONFIGURATION_TEMP_DIR = "$(PROJECT_TEMP_DIR)"; GCC_OPTIMIZATION_LEVEL = 0; + STRIP_STYLE = debugging; }; name = "normal with debug"; }; @@ -1243,6 +1257,7 @@ CODE_SIGN_IDENTITY = "-"; CONFIGURATION_BUILD_DIR = "$(BUILD_DIR)"; CONFIGURATION_TEMP_DIR = "$(PROJECT_TEMP_DIR)"; + STRIP_STYLE = debugging; }; name = Default; }; 
diff --git a/src/AuthorizationDBPlist.cpp b/src/AuthorizationDBPlist.cpp index 2ef298e..dc2294f 100644 --- a/src/AuthorizationDBPlist.cpp +++ b/src/AuthorizationDBPlist.cpp @@ -151,6 +151,7 @@ void AuthorizationDBPlist::save() void AuthorizationDBPlist::load() { StLock _(mReadWriteLock); + CFDictionaryRef configPlist; secdebug("authdb", "(re)loading policy db from disk."); int fd = open(mFileName.c_str(), O_RDONLY, 0); @@ -177,18 +178,16 @@ void AuthorizationDBPlist::load() if (bytesRead == -1) { Syslog::error("Problem reading rules file \"%s\": %s", mFileName.c_str(), strerror(errno)); - CFRelease(xmlData); - return; + goto cleanup; } Syslog::error("Problem reading rules file \"%s\": " "only read %ul out of %ul bytes", bytesRead, fileSize, mFileName.c_str()); - CFRelease(xmlData); - return; + goto cleanup; } CFStringRef errorString; - CFDictionaryRef configPlist = reinterpret_cast(CFPropertyListCreateFromXMLData(NULL, xmlData, kCFPropertyListMutableContainersAndLeaves, &errorString)); + configPlist = reinterpret_cast(CFPropertyListCreateFromXMLData(NULL, xmlData, kCFPropertyListMutableContainersAndLeaves, &errorString)); if (!configPlist) { char buffer[512]; @@ -205,8 +204,7 @@ void AuthorizationDBPlist::load() if (errorString) CFRelease(errorString); - CFRelease(xmlData); - return; + goto cleanup; } if (CFGetTypeID(configPlist) != CFDictionaryGetTypeID()) { @@ -214,15 +212,16 @@ void AuthorizationDBPlist::load() Syslog::error("Rules file \"%s\": is not a dictionary", mFileName.c_str()); - CFRelease(xmlData); - CFRelease(configPlist); - return; + goto cleanup; } parseConfig(configPlist); - CFRelease(xmlData); - CFRelease(configPlist); +cleanup: + if (xmlData) + CFRelease(xmlData); + if (configPlist) + CFRelease(configPlist); close(fd); diff --git a/src/AuthorizationEngine.cpp b/src/AuthorizationEngine.cpp index 6b74271..c65ce84 100644 --- a/src/AuthorizationEngine.cpp +++ b/src/AuthorizationEngine.cpp 
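Review bot: `CFDictionaryRef configPlist;` is added at the top of `AuthorizationDBPlist::load()` without an initializer, yet the new `cleanup:` label tests and releases it. The two read-failure paths in the `@@ -177,18 +178,16 @@` hunk `goto cleanup` before `configPlist` is ever assigned, so `if (configPlist) CFRelease(configPlist);` reads an indeterminate pointer and can release garbage. Initialize it at the declaration: `CFDictionaryRef configPlist = NULL;`. The function body starts and ends outside these hunks, so whether `xmlData` is always initialized before the first `goto` cannot be checked here.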
@@ -42,6 +42,7 @@ #include #include #include +#include #include // AUE_ssauth* #include "ccaudit_extensions.h" @@ -142,14 +143,24 @@ Engine::authorize(const AuthItemSet &inRights, const AuthItemSet &environment, RightAuthenticationLogger logger(auth.creatorAuditToken(), AUE_ssauthorize); - AuthItemSet::const_iterator end = inRights.end(); - for (AuthItemSet::const_iterator it = inRights.begin(); it != end; ++it) + // create a vector with the first right first + std::vector tempRights; + for (AuthItemSet::const_iterator it = inRights.begin(); it != inRights.end(); ++it) { + if (inRights.firstItemName != NULL && strcmp((*it)->name(), inRights.firstItemName) == 0) + tempRights.insert(tempRights.begin(), *it); + else + tempRights.push_back(*it); + } + + bool authExtractPassword = false; + std::vector::const_iterator end = tempRights.end(); + for (std::vector::const_iterator it = tempRights.begin(); it != end; ++it) { // Get the rule for each right we are trying to obtain. const Rule &toplevelRule = mAuthdb.getRule(*it); - OSStatus result = toplevelRule->evaluate(*it, toplevelRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason); - secdebug("autheval", "evaluate rule %s for right %s returned %d.", toplevelRule->name().c_str(), (*it)->name(), int(result)); - SECURITYD_AUTH_EVALRIGHT(&auth, (char *)(*it)->name(), result); + + if (false == authExtractPassword) + authExtractPassword = toplevelRule->extractPassword(); string processName = "unknown"; string authCreatorName = "unknown"; 
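Review bot: `authExtractPassword` latches in the `@@ -142,14 +143,24 @@` hunk: once one right's rule returns true from `extractPassword()`, the `if (false == authExtractPassword)` guard keeps it true for every later right in `tempRights`, and the following hunk passes it to `evaluate()` for each of them. Rights whose own rule never asked for password extraction are therefore evaluated with the save-password flag set, which looks intentional given the first-right reordering but is stated nowhere. A comment on the declaration would make the policy reviewable, e.g. `// sticky for the whole request: any rule with extract-password enables it for all remaining rights`. The loop body continues past the end of this hunk.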
@@ -163,6 +174,19 @@ Engine::authorize(const AuthItemSet &inRights, const AuthItemSet &environment, if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref())) authCreatorName = cfString(path); } + + if (sandbox_check(Server::process().pid(), "authorization-right-obtain", SANDBOX_FILTER_RIGHT_NAME, (*it)->name())) { + Syslog::error("Sandbox denied authorizing right '%s' by client '%s' [%d]", (*it)->name(), processName.c_str(), Server::process().pid()); + return errAuthorizationDenied; + } + if (auth.creatorSandboxed() && sandbox_check(auth.creatorPid(), "authorization-right-obtain", SANDBOX_FILTER_RIGHT_NAME, (*it)->name())) { + Syslog::error("Sandbox denied authorizing right '%s' for authorization created by '%s' [%d]", (*it)->name(), authCreatorName.c_str(), auth.creatorPid()); + return errAuthorizationDenied; + } + + OSStatus result = toplevelRule->evaluate(*it, toplevelRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason, authExtractPassword); + secdebug("autheval", "evaluate rule %s for right %s returned %d.", toplevelRule->name().c_str(), (*it)->name(), int(result)); + SECURITYD_AUTH_EVALRIGHT(&auth, (char *)(*it)->name(), result); logger.setRight((*it)->name()); logger.logAuthorizationResult(processName.c_str(), authCreatorName.c_str(), result); 
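Review bot: Both new `sandbox_check` denial paths `return errAuthorizationDenied` before `logger.setRight()` and `logger.logAuthorizationResult()` run, so a sandbox denial reaches syslog but, as far as this hunk shows, never the `RightAuthenticationLogger` audit record that evaluated rights get. Emitting the record first keeps these denials visible to audit consumers: `logger.setRight((*it)->name());` followed by `logger.logAuthorizationResult(processName.c_str(), authCreatorName.c_str(), errAuthorizationDenied);` ahead of each `return`. The early return also abandons the remaining rights in the loop; if that is intended, a one-line comment saying so would help. The loop body starts and ends outside this hunk.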
@@ -170,13 +194,13 @@ Engine::authorize(const AuthItemSet &inRights, const AuthItemSet &environment, if (result == errAuthorizationSuccess) { outRights.insert(*it); - Syslog::info("Succeeded authorizing right '%s' by client '%s' for authorization created by '%s'", (*it)->name(), processName.c_str(), authCreatorName.c_str()); + Syslog::info("Succeeded authorizing right '%s' by client '%s' [%d] for authorization created by '%s' [%d]", (*it)->name(), processName.c_str(), Server::process().pid(), authCreatorName.c_str(), auth.creatorPid()); } else if (result == errAuthorizationDenied || result == errAuthorizationInteractionNotAllowed) { if (result == errAuthorizationDenied) { - Syslog::notice("Failed to authorize right '%s' by client '%s' for authorization created by '%s'", (*it)->name(), processName.c_str(), authCreatorName.c_str()); + Syslog::notice("Failed to authorize right '%s' by client '%s' [%d] for authorization created by '%s' [%d]", (*it)->name(), processName.c_str(), Server::process().pid(), authCreatorName.c_str(), auth.creatorPid()); } // add creator pid to authorization token diff --git a/src/AuthorizationRule.cpp b/src/AuthorizationRule.cpp index 61fb2c5..c560076 100644 --- a/src/AuthorizationRule.cpp +++ b/src/AuthorizationRule.cpp @@ -39,6 +39,7 @@ #include "agentquery.h" #include "AuthorizationMechEval.h" +#include #include #include #include 
@@ -63,7 +64,9 @@ CFStringRef RuleImpl::kMechanismsID = CFSTR(kAuthorizationRuleParameterMechanism CFStringRef RuleImpl::kSessionOwnerID = CFSTR(kAuthorizationRuleParameterCredentialSessionOwner); CFStringRef RuleImpl::kKofNID = CFSTR(kAuthorizationRuleParameterKofN); CFStringRef RuleImpl::kPromptID = CFSTR(kAuthorizationRuleParameterDefaultPrompt); +CFStringRef RuleImpl::kButtonID = CFSTR(kAuthorizationRuleParameterDefaultButton); CFStringRef RuleImpl::kTriesID = CFSTR("tries"); // XXX/cs move to AuthorizationTagsPriv.h +CFStringRef RuleImpl::kExtractPasswordID = CFSTR(kAuthorizationRuleParameterExtractPassword); CFStringRef RuleImpl::kRuleClassID = CFSTR(kAuthorizationRuleClass); CFStringRef RuleImpl::kRuleAllowID = CFSTR(kAuthorizationRuleClassAllow); @@ -194,13 +197,13 @@ RuleImpl::Attribute::getVector(CFDictionaryRef config, CFStringRef key, bool req } -bool RuleImpl::Attribute::getLocalizedPrompts(CFDictionaryRef config, map &localizedPrompts) +bool RuleImpl::Attribute::getLocalizedText(CFDictionaryRef config, map &localizedPrompts, CFStringRef dictKey, const char *descriptionKey) { CFIndex numberOfPrompts = 0; CFDictionaryRef promptsDict; - if (CFDictionaryContainsKey(config, kPromptID)) + if (CFDictionaryContainsKey(config, dictKey)) { - promptsDict = reinterpret_cast(CFDictionaryGetValue(config, kPromptID)); + promptsDict = reinterpret_cast(CFDictionaryGetValue(config, dictKey)); if (promptsDict && (CFGetTypeID(promptsDict) == CFDictionaryGetTypeID())) numberOfPrompts = CFDictionaryGetCount(promptsDict); } 
@@ -215,13 +218,15 @@ bool RuleImpl::Attribute::getLocalizedPrompts(CFDictionaryRef config, map(keys[numberOfPrompts]); CFStringRef valueRef = reinterpret_cast(values[numberOfPrompts]); - if (!keyRef || (CFGetTypeID(keyRef) != CFStringGetTypeID())) + if (!keyRef || (CFGetTypeID(keyRef) != CFStringGetTypeID())) { continue; - if (!valueRef || (CFGetTypeID(valueRef) != CFStringGetTypeID())) + } + if (!valueRef || (CFGetTypeID(valueRef) != CFStringGetTypeID())) { continue; + } string key = cfString(keyRef); string value = cfString(valueRef); - localizedPrompts[kAuthorizationRuleParameterDescription+key] = value; + localizedPrompts[descriptionKey + key] = value; } return true; @@ -230,14 +235,14 @@ bool RuleImpl::Attribute::getLocalizedPrompts(CFDictionaryRef config, map defaultPrompts = inTopLevelRule->localizedPrompts(); + map defaultButtons = inTopLevelRule->localizedButtons(); if (defaultPrompts.empty()) defaultPrompts = localizedPrompts(); + if (defaultButtons.empty()) + defaultButtons = localizedButtons(); if (!defaultPrompts.empty()) { @@ -417,6 +432,16 @@ RuleImpl::setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, environmentToClient.insert(AuthItemRef(key.c_str(), AuthValueOverlay(value))); } } + if (!defaultButtons.empty()) + { + map::const_iterator it; + for (it = defaultButtons.begin(); it != defaultButtons.end(); it++) + { + const string &key = it->first; + const string &value = it->second; + environmentToClient.insert(AuthItemRef(key.c_str(), AuthValueOverlay(value))); + } + } // add rulename as a hint string ruleName = name(); 
@@ -428,7 +453,7 @@ RuleImpl::setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, // we'll run that and validate the credentials from there. // we fall back on a default configuration from the authenticate rule OSStatus -RuleImpl::evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule,AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason) const +RuleImpl::evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule,AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const { OSStatus status = errAuthorizationDenied; 
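Review bot: The new `savePassword` parameter on `RuleImpl::evaluateAuthentication` is undocumented, and the later hunks forward it to `auth.setInfoSet()`, `auth.scrubInfoSet()` and `auth.setCredentialInfo()` without saying what is retained or for how long. The flag presumably decides whether a password item stays in the authorization's context after credentials are made (to be confirmed against `AuthorizationToken`, which is not shown here), so that contract belongs at the signature. Suggested comment: `// savePassword: request-level extract-password flag; when true the password item may remain in auth's info set — state where it is finally scrubbed`. The same parameter is added to `evaluateUser`, `evaluateMechanismOnly`, `evaluateRules` and `evaluate` in later hunks.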
@@ -464,6 +489,31 @@ RuleImpl::evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, RightAuthenticationLogger rightAuthLogger(auth.creatorAuditToken(), AUE_ssauthint); rightAuthLogger.setRight(rightName); + // Just succeed for a continuously active session owner. + if (auth.session().originatorUid() == auth.creatorUid() && auth.session().attributes() & AU_SESSION_FLAG_HAS_AUTHENTICATED) { + secdebug("AuthEvalMech", "We are an active session owner."); + aslmsg m = asl_new(ASL_TYPE_MSG); + asl_set(m, "com.apple.message.domain", "com.apple.securityd.UserActivity"); + asl_set(m, "com.apple.message.signature", "userIsActive"); + asl_set(m, "com.apple.message.signature2", rightName); + asl_set(m, "com.apple.message.result", "failure"); + asl_log(NULL, m, ASL_LEVEL_NOTICE, "We are an active session owner."); + asl_free(m); +// Credential rightCredential(rightName, auth.creatorUid(), mShared); +// credentials.erase(rightCredential); credentials.insert(rightCredential); +// return errAuthorizationSuccess; + } + else { + secdebug("AuthEvalMech", "We are not an active session owner."); + aslmsg m = asl_new(ASL_TYPE_MSG); + asl_set(m, "com.apple.message.domain", "com.apple.securityd.UserActivity"); + asl_set(m, "com.apple.message.signature", "userIsNotActive"); + asl_set(m, "com.apple.message.signature2", rightName); + asl_set(m, "com.apple.message.result", "success"); + asl_log(NULL, m, ASL_LEVEL_NOTICE, "We are not an active session owner."); + asl_free(m); + } + AgentMechanismEvaluator eval(cltUid, auth.session(), mEvalDef); for (tries = 0; tries < mTries; tries++) @@ -479,7 +529,7 @@ RuleImpl::evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, (status == errAuthorizationCanceled)) // @@@ can only pass back sideband through context { secdebug("AuthEvalMech", "storing new context for authorization"); - auth.setInfoSet(eval.context()); + auth.setInfoSet(eval.context(), savePassword); } // successfully ran mechanisms to obtain credential 
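Review bot: The new "active session owner" block only emits ASL messages, but it leaves a commented-out `Credential rightCredential(...)` / `return errAuthorizationSuccess;` sequence that would grant the right without running any mechanism. Dead code of that kind inside `evaluateAuthentication` is easy to re-enable by accident; I would delete the three commented lines and track the idea in an issue instead. The `com.apple.message.result` values also read inverted (`"failure"` when the owner is active, `"success"` when not) and should be swapped or explained in a comment. Parenthesising the flag test, `(auth.session().attributes() & AU_SESSION_FLAG_HAS_AUTHENTICATED)`, would make the precedence explicit.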
@@ -490,7 +540,7 @@ RuleImpl::evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, CredentialSet newCredentials = makeCredentials(auth); // clear context after extracting credentials - auth.scrubInfoSet(); + auth.scrubInfoSet(savePassword); for (CredentialSet::const_iterator it = newCredentials.begin(); it != newCredentials.end(); ++it) { @@ -532,8 +582,16 @@ RuleImpl::evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, // use valid credential to set context info // XXX/cs keeping this for now, such that the uid is passed back - auth.setCredentialInfo(newCredential); + auth.setCredentialInfo(newCredential, savePassword); secdebug("SSevalMech", "added valid credential for user %s", newCredential->username().c_str()); + // set the sessionHasAuthenticated + if (newCredential->uid() == auth.session().originatorUid()) { + secdebug("AuthEvalMech", "We authenticated as the session owner.\n"); + SessionAttributeBits flags = auth.session().attributes(); + flags |= AU_SESSION_FLAG_HAS_AUTHENTICATED; + auth.session().setAttributes(flags); + } + status = errAuthorizationSuccess; break; } @@ -545,7 +603,7 @@ RuleImpl::evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, else if ((status == errAuthorizationCanceled) || (status == errAuthorizationInternal)) { - auth.scrubInfoSet(); + auth.scrubInfoSet(false); break; } else // last mechanism is now authentication - fail @@ -563,7 +621,7 @@ RuleImpl::evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, environmentToClient.erase(triesHint); environmentToClient.insert(triesHint); // replace eval.run(AuthValueVector(), environmentToClient, auth); // XXX/cs is this still necessary? - auth.scrubInfoSet(); + auth.scrubInfoSet(false); rightAuthLogger.logFailure(NULL, CommonCriteria::errTooManyTries); } 
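Review bot: In the `@@ -532,8 +582,16 @@` hunk the local `SessionAttributeBits flags` shadows the `AuthorizationFlags flags` parameter of `evaluateAuthentication` (visible in the signature hunk above). Nothing later in this hunk uses the parameter, but any future use of `flags` inside that scope would silently pick up the session bits. Rename it, e.g. `SessionAttributeBits sessionBits = auth.session().attributes();` then `auth.session().setAttributes(sessionBits | AU_SESSION_FLAG_HAS_AUTHENTICATED);`. The read-modify-write is not shown to happen under a lock and the same sequence is repeated in `evaluateMechanismOnly`; a single `Session` helper would be the place to settle both.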
@@ -613,28 +671,20 @@ RuleImpl::evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, c // @@@ we have no access to current requester uid here and the process uid is only taken when the authorization is created // meaning that a process like loginwindow that drops privs later is screwed. - uid_t uid; - Session &session = auth.session(); Credential sessionCredential; - if (session.haveOriginatorUid()) { - // preflight session credential as if it were a fresh copy - const Credential &cred = session.originatorCredential(); - sessionCredential = Credential(cred->uid(), cred->username(), cred->realname(), cred->groupname(), mShared/*ignored*/); - } else { - uid = auth.creatorUid(); - Server::active().longTermActivity(); - struct passwd *pw = getpwuid(uid); - if (pw != NULL) { - // avoid hinting a locked account - if ( (pw->pw_passwd == NULL) || - strcmp(pw->pw_passwd, "*") ) { - // Check if username will authorize the request and set username to - // be used as a hint to the user if so - secdebug("AuthEvalMech", "preflight credential from current user, result follows:"); - sessionCredential = Credential(pw->pw_uid, pw->pw_name, pw->pw_gecos, "", mShared/*ignored*/); - } //fi - endpwent(); - } + uid_t uid = auth.session().originatorUid(); + Server::active().longTermActivity(); + struct passwd *pw = getpwuid(uid); + if (pw != NULL) { + // avoid hinting a locked account + if ( (pw->pw_passwd == NULL) || + strcmp(pw->pw_passwd, "*") ) { + // Check if username will authorize the request and set username to + // be used as a hint to the user if so + secdebug("AuthEvalMech", "preflight credential from current user, result follows:"); + sessionCredential = Credential(pw->pw_uid, pw->pw_name, pw->pw_gecos, "", mShared/*ignored*/); + } //fi + endpwent(); } OSStatus status = evaluateUserCredentialForRight(auth, inRight, inRule, environment, now, sessionCredential, true, reason); if (errAuthorizationSuccess == status) 
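Review bot: `evaluateSessionOwner` now calls `auth.session().originatorUid()` unconditionally, where the removed code first checked `session.haveOriginatorUid()` and otherwise fell back to `auth.creatorUid()`. If a session can still exist without an originator (session.cpp changes in this commit but is not shown here), `getpwuid()` would run on whatever `originatorUid()` returns in that state and the resulting account name would be offered as the credential hint. A comment stating the new invariant, e.g. `// invariant: originatorUid() is always valid for a live Session`, or an explicit guard would close the question. The `@@ -711,23 +761,20 @@` hunk drops the same check.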
@@ -711,23 +761,20 @@ RuleImpl::evaluateUserCredentialForRight(const AuthorizationToken &auth, const A if (mSessionOwner) { Session &session = auth.session(); - if (session.haveOriginatorUid()) - { - uid_t console_user = session.originatorUid(); + uid_t console_user = session.originatorUid(); - if (credential->uid() == console_user) - { - secdebug("autheval", "user %s is session-owner(uid: %d), granting right %s", user, console_user, inRight->name()); - return errAuthorizationSuccess; - } - // set "reason" in this case? not that a proper SA::Reason exists + if (credential->uid() == console_user) + { + secdebug("autheval", "user %s is session-owner(uid: %d), granting right %s", user, console_user, inRight->name()); + return errAuthorizationSuccess; } - else - { - // @@@ no proper SA::Reason - reason = SecurityAgent::unknownReason; - secdebug("autheval", "session-owner check failed."); - } + // set "reason" in this case? not that a proper SA::Reason exists + } + else + { + // @@@ no proper SA::Reason + reason = SecurityAgent::unknownReason; + secdebug("autheval", "session-owner check failed."); } if (mGroupName.length()) @@ -750,7 +797,13 @@ RuleImpl::evaluateUserCredentialForRight(const AuthorizationToken &auth, const A break; if (mbr_uid_to_uuid(credential->uid(), user_uuid)) - break; + { + struct passwd *pwd; + if (NULL == (pwd = getpwnam(user))) + break; + if (mbr_uid_to_uuid(pwd->pw_uid, user_uuid)) + break; + } if (mbr_check_membership(user_uuid, group_uuid, &is_member)) break; 
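Review bot: With the `haveOriginatorUid()` level removed, the `else` that sets `reason = SecurityAgent::unknownReason` and logs "session-owner check failed." now pairs with `if (mSessionOwner)` — judging by the braces in this hunk, since indentation is lost on this page. It would then run for every rule that is not a session-owner rule and never for an actual session-owner mismatch, overwriting the caller's `reason` and printing a misleading debug line before the group check. If the message is still wanted, drop the `else` and place `reason = SecurityAgent::unknownReason;` and `secdebug("autheval", "session-owner check failed.");` inside the `if (mSessionOwner)` block after the uid comparison; otherwise delete the branch. The function continues outside this hunk.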
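Review bot: In the `@@ -750,7 +797,13 @@` hunk, when `mbr_uid_to_uuid(credential->uid(), ...)` fails the new fallback resolves `user` with `getpwnam()` and runs the membership check for `pwd->pw_uid` instead. That fallback presumably only helps when the name resolves to a uid other than `credential->uid()`, so group membership is then decided for an identity selected by name rather than by the authenticated uid. That deserves a comment naming the case it covers and a log line recording both values, e.g. `secdebug("autheval", "no uuid for uid %d, using uid %d from name lookup", credential->uid(), pwd->pw_uid);`. `getpwnam()` also returns static storage, so `pwd` is only valid until the next passwd lookup; the enclosing block starts and ends outside this hunk.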
@@ -781,7 +834,7 @@ RuleImpl::evaluateUserCredentialForRight(const AuthorizationToken &auth, const A OSStatus -RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason) const +RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const { // If we got here, this is a kUser type rule, let's start looking for a // credential that is satisfactory @@ -833,7 +886,7 @@ RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule, AuthItemS if (status != errAuthorizationDenied) { // add credential to authinfo - auth.setCredentialInfo(*it); + auth.setCredentialInfo(*it, savePassword); return status; } @@ -853,7 +906,7 @@ RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule, AuthItemS // whack an equivalent credential, so it gets updated to a later achieved credential which must have been more stringent credentials.erase(*it); credentials.insert(*it); // add credential to authinfo - auth.setCredentialInfo(*it); + auth.setCredentialInfo(*it, savePassword); return status; } 
@@ -879,11 +932,11 @@ RuleImpl::evaluateUser(const AuthItemRef &inRight, const Rule &inRule, AuthItemS setAgentHints(inRight, inRule, environmentToClient, auth); - return evaluateAuthentication(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason); + return evaluateAuthentication(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason, savePassword); } OSStatus -RuleImpl::evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials) const +RuleImpl::evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials, bool savePassword) const { uint32 tries = 0; OSStatus status; @@ -914,7 +967,7 @@ RuleImpl::evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, (status == errAuthorizationCanceled)) // @@@ can only pass back sideband through context { secdebug("AuthEvalMech", "storing new context for authorization"); - auth.setInfoSet(eval.context()); + auth.setInfoSet(eval.context(), savePassword); if (status == errAuthorizationSuccess) { // (try to) attach the authorizing UID to the least-priv cred @@ -939,8 +992,16 @@ RuleImpl::evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, logger.logLeastPrivilege(cltUid, false); } } - else - outCredentials = makeCredentials(auth); + else { + if (0 == strcmp(rightName, "system.login.console") && NULL == eval.context().find(AGENT_CONTEXT_AUTO_LOGIN)) { + secdebug("AuthEvalMech", "We logged in as the session owner.\n"); + SessionAttributeBits flags = auth.session().attributes(); + flags |= AU_SESSION_FLAG_HAS_AUTHENTICATED; + auth.session().setAttributes(flags); + } + CredentialSet newCredentials = makeCredentials(auth); + outCredentials.insert(newCredentials.begin(), newCredentials.end()); + } } } 
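Review bot: In the `@@ -939,8 +992,16 @@` hunk the branch that sets `AU_SESSION_FLAG_HAS_AUTHENTICATED` is keyed on the literal right name `"system.login.console"` and on the absence of `AGENT_CONTEXT_AUTO_LOGIN` in the mechanism context, with no comment explaining either condition. Because the `evaluateAuthentication` hunk tests this same flag for an "active session owner", the reasoning should sit next to the test, e.g. `// an automatic login proves no user presence, so it must not mark the session authenticated` (my reading of the intent; please confirm). The secdebug text "We logged in as the session owner." does not match what is checked, since no owner comparison happens here. `evaluateMechanismOnly` starts and ends outside this hunk.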
@@ -967,7 +1028,7 @@ RuleImpl::evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, } OSStatus -RuleImpl::evaluateRules(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason) const +RuleImpl::evaluateRules(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const { // line up the rules to try if (!mRuleDef.size()) @@ -984,7 +1045,7 @@ RuleImpl::evaluateRules(const AuthItemRef &inRight, const Rule &inRule, AuthItem return errAuthorizationSuccess; // get a rule and try it - status = (*it)->evaluate(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason); + status = (*it)->evaluate(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason, savePassword); // if status is cancel/internal error abort if ((status == errAuthorizationCanceled) || (status == errAuthorizationInternal)) 
@@ -1001,13 +1062,16 @@ RuleImpl::evaluateRules(const AuthItemRef &inRight, const Rule &inRule, AuthItem else count++; } + + if ((mType == kKofN) && (status == errAuthorizationSuccess) && (count < mKofN)) + status = errAuthorizationDenied; return status; // return the last failure } OSStatus -RuleImpl::evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason) const +RuleImpl::evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const { switch (mType) { 
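Review bot: The post-loop check added to evaluateRules has no comment, although it is the line that keeps a k-of-n rule from succeeding when the rule list is exhausted with fewer than `mKofN` successes. I would put `// k-of-n: ran out of rules before reaching mKofN successes; the last rule's success alone must not grant the right` above it. The check depends on `count` being advanced only for successful rules, and the condition guarding `count++` lies outside this hunk, so that is worth confirming when the comment is written.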
@@ -1019,18 +1083,18 @@ RuleImpl::evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet & return errAuthorizationDenied; case kUser: SECURITYD_AUTH_USER(&auth, (char *)name().c_str()); - return evaluateUser(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason); + return evaluateUser(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason, savePassword); case kRuleDelegation: SECURITYD_AUTH_RULES(&auth, (char *)name().c_str()); - return evaluateRules(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason); + return evaluateRules(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason, savePassword); case kKofN: SECURITYD_AUTH_KOFN(&auth, (char *)name().c_str()); - return evaluateRules(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason); + return evaluateRules(inRight, inRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason, savePassword); case kEvaluateMechanisms: SECURITYD_AUTH_MECHRULE(&auth, (char *)name().c_str()); // if we had a SecurityAgent::Reason code for "mechanism denied," // it would make sense to pass down "reason" - return evaluateMechanismOnly(inRight, inRule, environmentToClient, auth, credentials); + return evaluateMechanismOnly(inRight, inRule, environmentToClient, auth, credentials, savePassword); default: Syslog::alert("Unrecognized rule type %d", mType); MacOSError::throwMe(errAuthorizationInternal); // invalid rule diff --git a/src/AuthorizationRule.h b/src/AuthorizationRule.h index 7a8e5bc..f6623b6 100644 --- a/src/AuthorizationRule.h +++ b/src/AuthorizationRule.h 
@@ -46,9 +46,10 @@ public: OSStatus evaluate(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, - AuthorizationToken &auth, SecurityAgent::Reason &reason) const; + AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const; string name() const { return mRightName; } + bool extractPassword() const { return mExtractPassword; } private: // internal machinery 
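Review bot: The new `savePassword` parameter on `evaluate` is undocumented in the header, even though it decides whether a password item is carried forward in the authorization context. A comment on the declaration would help, for example `// savePassword: carry a previously captured "password" context item into the replacement context (see AuthorizationToken::setInfoSet)`. The next hunk adds the same parameter to evaluateRules, evaluateAuthentication, evaluateUser and evaluateMechanismOnly, also without comment, so one shared explanation near the first declaration would cover them.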
@@ -62,19 +63,19 @@ private: OSStatus evaluateRules(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, - AuthorizationToken &auth, SecurityAgent::Reason &reason) const; + AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const; void setAgentHints(const AuthItemRef &inRight, const Rule &inTopLevelRule, AuthItemSet &environmentToClient, AuthorizationToken &auth) const; // perform authorization based on running specified mechanisms (see evaluateMechanism) - OSStatus evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason) const; + OSStatus evaluateAuthentication(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const; OSStatus evaluateUser(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationFlags flags, CFAbsoluteTime now, const CredentialSet *inCredentials, CredentialSet &credentials, - AuthorizationToken &auth, SecurityAgent::Reason &reason) const; + AuthorizationToken &auth, SecurityAgent::Reason &reason, bool savePassword) const; - OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials) const; + OSStatus evaluateMechanismOnly(const AuthItemRef &inRight, const Rule &inRule, AuthItemSet &environmentToClient, AuthorizationToken &auth, CredentialSet &outCredentials, bool savePassword) const; // find username hint based on 
session owner OSStatus evaluateSessionOwner(const AuthItemRef &inRight, const Rule &inRule, const AuthItemSet &environment, const CFAbsoluteTime now, const AuthorizationToken &auth, Credential &credential, SecurityAgent::Reason &reason) const; @@ -82,6 +83,7 @@ private: CredentialSet makeCredentials(const AuthorizationToken &auth) const; map localizedPrompts() const { return mLocalizedPrompts; } + map localizedButtons() const { return mLocalizedButtons; } // parsed attributes @@ -106,8 +108,10 @@ private: vector mRuleDef; uint32_t mKofN; mutable uint32_t mTries; + bool mExtractPassword; bool mAuthenticateUser; map mLocalizedPrompts; + map mLocalizedButtons; private: @@ -118,7 +122,7 @@ private: static double getDouble(CFDictionaryRef config, CFStringRef key, bool required, double defaultValue); static string getString(CFDictionaryRef config, CFStringRef key, bool required, const char *defaultValue); static vector getVector(CFDictionaryRef config, CFStringRef key, bool required); - static bool getLocalizedPrompts(CFDictionaryRef config, map &localizedPrompts); + static bool getLocalizedText(CFDictionaryRef config, map &localizedPrompts, CFStringRef dictKey, const char *descriptionKey); }; @@ -131,7 +135,9 @@ private: static CFStringRef kSessionOwnerID; static CFStringRef kKofNID; static CFStringRef kPromptID; + static CFStringRef kButtonID; static CFStringRef kTriesID; + static CFStringRef kExtractPasswordID; static CFStringRef kRuleClassID; static CFStringRef kRuleAllowID; diff --git a/src/agentquery.cpp b/src/agentquery.cpp index b165b4f..b929b95 100644 --- a/src/agentquery.cpp +++ b/src/agentquery.cpp @@ -31,7 +31,12 @@ #include #include #include +#include +#include #include // AUE_ssauthint +#include +#include +#include // // NOSA support functions. This is a test mode where the SecurityAgent 
@@ -93,15 +98,82 @@ void SecurityAgentConnection::activate() { secdebug("SecurityAgentConnection", "activate(%p)", this); + + Session &session = mHostInstance->session(); + SessionId targetSessionId = session.sessionId(); + MachPlusPlus::Bootstrap processBootstrap = Server::process().taskPort().bootstrap(); + fileport_t userPrefsFP = MACH_PORT_NULL; + + // send the the userPrefs to SecurityAgent + if (mAuthHostType == securityAgent || mAuthHostType == userAuthHost) { + CFRef userPrefs(mHostInstance->session().copyUserPrefs()); + if (NULL != userPrefs) + { + FILE *mbox = NULL; + int fd = 0; + mbox = tmpfile(); + if (NULL != mbox) + { + fd = dup(fileno(mbox)); + fclose(mbox); + if (fd != -1) + { + CFIndex length = CFDataGetLength(userPrefs); + if (write(fd, CFDataGetBytePtr(userPrefs), length) != length) + Syslog::error("could not write userPrefs"); + else + { + if (0 == fileport_makeport(fd, &userPrefsFP)) + secdebug("SecurityAgentConnection", "stashed the userPrefs file descriptor"); + else + Syslog::error("failed to stash the userPrefs file descriptor"); + } + close(fd); + } + } + } + if (MACH_PORT_NULL == userPrefsFP) + { + secdebug("SecurityAgentConnection", "could not read userPrefs"); + } + } + mConnection->useAgent(this); - try { - mPort = mHostInstance->activate(); + try + { + StLock _(*mHostInstance); + + mach_port_t lookupPort = mHostInstance->lookup(targetSessionId); + if (MACH_PORT_NULL == lookupPort) + { + Syslog::error("could not find real service, bailing"); + MacOSError::throwMe(CSSM_ERRCODE_SERVICE_NOT_AVAILABLE); + } + // reset Client contact info + mPort = lookupPort; + SecurityAgent::Client::activate(mPort); + secdebug("SecurityAgentConnection", "%p activated", this); - } catch (...) { + } + catch (MacOSError &err) + { mConnection->useAgent(NULL); // guess not - secdebug("SecurityAgentConnection", "error activating %p", this); + Syslog::error("SecurityAgentConnection: error activating %s instance %p", + mAuthHostType == privilegedAuthHost + ? 
"authorizationhost" + : "SecurityAgent", this); throw; } + + secdebug("SecurityAgentConnection", "contacting service (%p)", this); + mach_port_name_t jobPort; + if (0 > audit_session_port(session.sessionId(), &jobPort)) + Syslog::error("audit_session_port failed: %m"); + MacOSError::check(SecurityAgent::Client::contact(jobPort, processBootstrap, userPrefsFP)); + secdebug("SecurityAgentConnection", "contact didn't throw (%p)", this); + + if (userPrefsFP != MACH_PORT_NULL) + mach_port_deallocate(mach_task_self(), userPrefsFP); } void @@ -110,8 +182,6 @@ SecurityAgentConnection::reconnect() // if !mHostInstance throw()? if (mHostInstance) { - Session &session = mHostInstance->session(); - mHostInstance = session.authhost(mAuthHostType, true); activate(); } } @@ -188,22 +258,6 @@ SecurityAgentQuery::~SecurityAgentQuery() destroy(); } -void -SecurityAgentQuery::activate() -{ - SecurityAgentConnection::activate(); - SecurityAgent::Client::activate(mPort); - secdebug("SecurityAgentQuery", "activate(%p)", this); -} - -void -SecurityAgentQuery::reconnect() -{ - SecurityAgentConnection::reconnect(); - SecurityAgent::Client::activate(mPort); - secdebug("SecurityAgentQuery", "reconnect(%p)", this); -} - void SecurityAgentQuery::inferHints(Process &thisProcess) { diff --git a/src/agentquery.h b/src/agentquery.h index 771ee7e..ef635a3 100644 --- a/src/agentquery.h +++ b/src/agentquery.h @@ -45,7 +45,8 @@ using Security::OSXCode; // // base for classes talking to SecurityAgent and authorizationhost // -class SecurityAgentConnection : public SecurityAgentConnectionInterface +class SecurityAgentConnection : public SecurityAgent::Client, + public SecurityAgentConnectionInterface { public: SecurityAgentConnection(const AuthHostType type = securityAgent, Session &session = Server::session()); 
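Review bot: Near the end of the new SecurityAgentConnection::activate, `jobPort` is declared without an initializer, and a failing `audit_session_port()` is only logged before the indeterminate value is handed to `SecurityAgent::Client::contact()`. It should be initialised and the activation should fail instead, e.g. `mach_port_name_t jobPort = MACH_PORT_NULL;` followed by `MacOSError::throwMe(CSSM_ERRCODE_SERVICE_NOT_AVAILABLE);` in the error branch. Separately, `userPrefsFP` is deallocated only on the straight-line path, so the throw after a failed `lookup()` and a throwing `MacOSError::check(...)` both leak the send right in a long-running daemon. The `contact()` call also sits outside the `try`, so a failure there leaves `mConnection->useAgent(this)` in place.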
@@ -90,8 +91,7 @@ private: // // The main SecurityAgent/authorizationhost interaction base class // -class SecurityAgentQuery : public SecurityAgent::Client, - public SecurityAgentConnection +class SecurityAgentQuery : public SecurityAgentConnection { public: typedef SecurityAgent::Reason Reason; @@ -104,8 +104,6 @@ public: virtual ~SecurityAgentQuery(); - virtual void activate(); - virtual void reconnect(); virtual void disconnect(); virtual void terminate(); void create(const char *pluginId, const char *mechanismId, const SessionId inSessionId); @@ -190,7 +188,7 @@ private: // A query for a new passphrase // class QueryNewPassphrase : public SecurityAgentQuery { - static const int maxTries = 7; + static const int maxTries = kMaximumAuthorizationTries; public: QueryNewPassphrase(Database &db, Reason reason) : database(db), initialReason(reason), diff --git a/src/auditevents.cpp b/src/auditevents.cpp new file mode 100644 index 0000000..4654131 --- /dev/null +++ b/src/auditevents.cpp 
@@ -0,0 +1,72 @@ +/* + * Copyright (c) 2009 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +// +// auditevents - monitor and act upon audit subsystem events +// +#include "auditevents.h" +#include "dtrace.h" +#include +#include "self.h" + +using namespace UnixPlusPlus; +using namespace MachPlusPlus; + + +AuditMonitor::AuditMonitor(Port relay) + : mRelay(relay) +{ +} + +AuditMonitor::~AuditMonitor() +{ +} + + +// +// Endlessly retrieve session events and dispatch them. +// (The current version of MachServer cannot receive FileDesc-based events, +// so we need a monitor thread for this.) +// +void AuditMonitor::action() +{ + au_sdev_handle_t *dev = au_sdev_open(AU_SDEVF_ALLSESSIONS); + int event; + auditinfo_addr_t aia; + + if (NULL == dev) { + Syslog::error("This is bad, man. I've got bad vibes here. 
Could not open %s: %d", AUDIT_SDEV_PATH, errno); + return; + } + + for (;;) { + if (0 != au_sdev_read_aia(dev, &event, &aia)) { + Syslog::error("au_sdev_read_aia failed: %d\n", errno); + continue; + } + SECURITYD_SESSION_NOTIFY(aia.ai_asid, event, aia.ai_auid); + if (kern_return_t rc = self_client_handleSession(mRelay, mach_task_self(), event, aia.ai_asid)) + Syslog::error("self-send failed (mach error %d)", rc); + } +} diff --git a/src/auditevents.h b/src/auditevents.h new file mode 100644 index 0000000..4a110ba --- /dev/null +++ b/src/auditevents.h @@ -0,0 +1,50 @@ +/* + * Copyright (c) 2009 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +// +// child - track a single child process and its belongings +// +#ifndef _H_AUDITEVENTS +#define _H_AUDITEVENTS + +#include +#include +#include +#include +#include + + +class AuditMonitor : public Thread, public UnixPlusPlus::KQueue { +public: + AuditMonitor(MachPlusPlus::Port relay); + ~AuditMonitor(); + + void action(); + +private: + MachPlusPlus::Port mRelay; +}; + + +#endif //_H_AUDITEVENTS 
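Review bot: In AuditMonitor::action the `for (;;)` loop answers a failed `au_sdev_read_aia()` with a log line and `continue`, so a persistent failure (a broken device handle, for instance) spins the thread and floods syslog. Capturing the error and either backing off or leaving the loop for anything that is not transient would bound this, e.g. `int err = errno;` before the log call and `if (err != EINTR) break;` after it. The handle returned by `au_sdev_open()` is never closed on any path, which matters once the loop can exit.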
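Review bot: The banner comment in the new header reads `// child - track a single child process and its belongings`, which describes a different file. It should match the implementation file, e.g. `// auditevents - monitor and act upon audit subsystem events`. AuditMonitor also derives from `UnixPlusPlus::KQueue`, yet nothing in auditevents.cpp as shown uses a kqueue, so that base class may be a leftover worth removing or explaining.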
diff --git a/src/authhost.cpp b/src/authhost.cpp index bc3f245..3ca8f54 100644 --- a/src/authhost.cpp +++ b/src/authhost.cpp @@ -25,6 +25,12 @@ #include #include "authhost.h" #include "server.h" +#include +#include +#include +#include +#include +#include #include #include @@ -71,6 +77,12 @@ Session &AuthHostInstance::session() const void AuthHostInstance::childAction() { + // switch to desired session + CommonCriteria::AuditInfo &audit = this->session().auditInfo(); + audit.get(audit.sessionId()); + audit.set(); + //this->session().auditInfo().set(); + // Setup the environment for the SecurityAgent unsetenv("USER"); unsetenv("LOGNAME"); @@ -96,6 +108,7 @@ AuthHostInstance::childAction() const char *path = getenv("SECURITYAGENT"); if (!path) path = "/System/Library/CoreServices/SecurityAgent.app"; + secdebug("adhoc", "hostType = %d", mHostType); if ((mHostType == userAuthHost) || (mHostType == privilegedAuthHost)) { 
@@ -116,42 +129,54 @@ AuthHostInstance::childAction() setgid(agent_gid); setuid(agent_uid); - CFRef userPrefs(session().copyUserPrefs()); - - FILE *mbox = tmpfile(); - - if (userPrefs && mbox) - { - if (fwrite(CFDataGetBytePtr(userPrefs), CFDataGetLength(userPrefs), 1, mbox) != 1) - fclose(mbox); - else - { - char mboxFdString[20]; - fflush(mbox); - if ((int)sizeof(mboxFdString) > snprintf(mboxFdString, sizeof(mboxFdString), "%d", fileno(mbox))) - setenv("SECURITYAGENT_USERPREFS_FD", mboxFdString, 1); - } - } - secdebug("AuthHostInstance", "execl(%s) as user (%d,%d)", agentExecutable, agent_uid, agent_gid); execl(agentExecutable, agentExecutable, NULL); } secdebug("AuthHostInstance", "execl failed, errno=%d", errno); // Unconditional suicide follows. - // See comments below on why we can't use abort() -#if 1 _exit(1); -#else - // NOTE: OS X abort() is implemented as kill(getuid()), which fails - // for a setuid-root process that has setuid'd. Go back to root to die... - setuid(0); - abort(); -#endif } -Port -AuthHostInstance::activate() +// @@@ these definitions and the logic in lookup() should move into +// libsecurity_agent +#define SECURITYAGENT_BOOTSTRAP_NAME_BASE "com.apple.SecurityAgent" +#define AUTHORIZATIONHOST_BOOTSTRAP_NAME_BASE "com.apple.authorizationhost" + +mach_port_t +AuthHostInstance::lookup(SessionId jobId) +{ + StLock _(*this); + + mach_port_t pluginhostPort = MACH_PORT_NULL; + kern_return_t result; + const char *serviceName; + /* PR-7483709 const */ uuid_t instanceId = UUID_INITIALIZER_FROM_SESSIONID(jobId); + uuid_string_t s; + + if ((mHostType == securityAgent) && + !(session().attributes() & sessionHasGraphicAccess)) + CssmError::throwMe(CSSM_ERRCODE_NO_USER_INTERACTION); + + if (mHostType == securityAgent) + serviceName = SECURITYAGENT_BOOTSTRAP_NAME_BASE; + else + serviceName = AUTHORIZATIONHOST_BOOTSTRAP_NAME_BASE; + + secdebug("AuthHostInstance", "looking up %s instance %s", serviceName, + uuid_to_string(instanceId, s)); // XXX/gh 
debugging + if ((result = bootstrap_look_up3(bootstrap_port, serviceName, + &pluginhostPort, 0, instanceId, BOOTSTRAP_SPECIFIC_INSTANCE)) != KERN_SUCCESS) { + + Syslog::error("error %d looking up %s instance %s", result, serviceName, + uuid_to_string(instanceId, s)); + } else + secdebug("AuthHostInstance", "port = %x", (unsigned int)pluginhostPort); + + return pluginhostPort; +} + +Port AuthHostInstance::activate() { StLock _(*this); if (state() != alive) @@ -160,8 +185,6 @@ AuthHostInstance::activate() !(session().attributes() & sessionHasGraphicAccess)) CssmError::throwMe(CSSM_ERRCODE_NO_USER_INTERACTION); - Security::MachPlusPlus::StBootstrap bootSaver(session().bootstrapPort()); - fork(); switch (ServerChild::state()) { case Child::alive: diff --git a/src/authhost.h b/src/authhost.h index 5ec87e4..5e41533 100644 --- a/src/authhost.h +++ b/src/authhost.h @@ -23,6 +23,8 @@ #ifndef _H_AUTHHOST #define _H_AUTHHOST +#include + #include "structure.h" #include "child.h" @@ -40,6 +42,7 @@ public: virtual ~AuthHostInstance(); Session &session() const; + mach_port_t lookup(SessionId jobId); Port activate(); protected: diff --git a/src/authority.cpp b/src/authority.cpp index 3b910d0..5577188 100644 --- a/src/authority.cpp +++ b/src/authority.cpp @@ -35,6 +35,8 @@ #include // AuditToken +#include + using Authorization::AuthItemSet; using Authorization::AuthItemRef; using Authorization::AuthValue; @@ -62,6 +64,11 @@ const audit_token_t &auditToken, bool operateAsLeastPrivileged) { mCreatorUid = mCreatorAuditToken.euid(); mCreatorGid = mCreatorAuditToken.egid(); + + if (sandbox_check(mCreatorPid, "authorization-right-obtain", SANDBOX_FILTER_NONE) != 0) + mCreatorSandboxed = true; + else + mCreatorSandboxed = false; if (SecCodeRef code = Server::process().currentGuest()) MacOSError::check(SecCodeCopyStaticCode(code, kSecCSDefaultFlags, &mCreatorCode.aref())); 
@@ -236,30 +243,40 @@ AuthorizationToken::infoSet(AuthorizationString tag) } void -AuthorizationToken::setInfoSet(AuthItemSet &newInfoSet) +AuthorizationToken::setInfoSet(AuthItemSet &newInfoSet, bool savePassword) { StLock _(mLock); // consider a separate lock secdebug("SSauth", "Authorization %p setting new context", this); + + AuthItemSet::const_iterator end = mInfoSet.end(); + for (AuthItemSet::const_iterator it = mInfoSet.begin(); it != end; ++it) { + const AuthItemRef &item = *it; + if (0 == strcmp(item->name(), "password")) { + mSavedPassword.clear(); + mSavedPassword.insert(item); + } + } + + if (true == savePassword) + newInfoSet.insert(mSavedPassword.begin(), mSavedPassword.end()); + mInfoSet = newInfoSet; } // This is destructive (non-merging) void -AuthorizationToken::setCredentialInfo(const Credential &inCred) +AuthorizationToken::setCredentialInfo(const Credential &inCred, bool savePassword) { AuthItemSet dstInfoSet; - char uid_string[16]; // fit a uid_t(u_int32_t) - - if (snprintf(uid_string, sizeof(uid_string), "%u", inCred->uid()) >= - int(sizeof(uid_string))) - uid_string[0] = '\0'; - AuthItemRef uidHint("uid", AuthValueOverlay(uid_string[0] ? strlen(uid_string) + 1 : 0, uid_string), 0); + + uid_t uid = inCred->uid(); + AuthItemRef uidHint("uid", AuthValueOverlay(sizeof(uid), &uid)); dstInfoSet.insert(uidHint); AuthItemRef userHint("username", AuthValueOverlay(inCred->username()), 0); dstInfoSet.insert(userHint); - setInfoSet(dstInfoSet); + setInfoSet(dstInfoSet, savePassword); } void @@ -267,11 +284,11 @@ AuthorizationToken::clearInfoSet() { AuthItemSet dstInfoSet; secdebug("SSauth", "Authorization %p clearing context", this); - setInfoSet(dstInfoSet); + setInfoSet(dstInfoSet, false); } void -AuthorizationToken::scrubInfoSet() +AuthorizationToken::scrubInfoSet(bool savePassword) { AuthItemSet srcInfoSet = infoSet(), dstInfoSet; AuthItemSet::const_iterator end = srcInfoSet.end(); 
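Review bot: setInfoSet copies any `password` item from the outgoing context into `mSavedPassword` on every call, whether or not `savePassword` is set, and nothing visible ever empties it. `clearInfoSet()` in the later hunk calls `setInfoSet(dstInfoSet, false)`, which replaces `mInfoSet` but leaves the saved copy in place, so the secret appears to live as long as the token. If that is not intended, guard the stashing loop with `if (savePassword)` and add `mSavedPassword.clear();` to clearInfoSet; if it is intended, the lifetime deserves a comment on the member. `newInfoSet` is a non-const reference, so the caller's set is also modified when the password is merged in.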
@@ -282,5 +299,5 @@ AuthorizationToken::scrubInfoSet() dstInfoSet.insert(item); } secdebug("SSauth", "Authorization %p scrubbing context", this); - setInfoSet(dstInfoSet); + setInfoSet(dstInfoSet, savePassword); } diff --git a/src/authority.h b/src/authority.h index 044ffee..009d734 100644 --- a/src/authority.h +++ b/src/authority.h @@ -72,14 +72,15 @@ public: gid_t creatorGid() const { return mCreatorGid; } SecStaticCodeRef creatorCode() const { return mCreatorCode; } pid_t creatorPid() const { return mCreatorPid; } + bool creatorSandboxed() const { return mCreatorSandboxed; } const AuditToken &creatorAuditToken() const { return mCreatorAuditToken; } AuthItemSet infoSet(AuthorizationString tag = NULL); - void setInfoSet(AuthItemSet &newInfoSet); - void setCredentialInfo(const Credential &inCred); + void setInfoSet(AuthItemSet &newInfoSet, bool savePassword); + void setCredentialInfo(const Credential &inCred, bool savePassword); void clearInfoSet(); - void scrubInfoSet(); + void scrubInfoSet(bool savePassword); bool operatesAsLeastPrivileged() const { return mOperatesAsLeastPrivileged; } public: @@ -111,6 +112,7 @@ private: gid_t mCreatorGid; // Gid of process that created this authorization CFCopyRef mCreatorCode; // code reference to creator pid_t mCreatorPid; // Pid of processs that created this authorization + bool mCreatorSandboxed; // A record of whether or not the creator was Sandboxed AuditToken mCreatorAuditToken; // Audit token of the process that created this authorization @@ -118,6 +120,8 @@ private: bool mOperatesAsLeastPrivileged; + AuthItemSet mSavedPassword; + private: typedef map > AuthMap; static AuthMap &authMap; // set of extant authorizations diff --git a/src/ccaudit_extensions.cpp b/src/ccaudit_extensions.cpp index dff043a..fe43692 100644 --- a/src/ccaudit_extensions.cpp +++ b/src/ccaudit_extensions.cpp 
@@ -112,7 +112,7 @@ AuditLogger::setClientInfo(const AuditToken &srcToken) mRuid = srcToken.ruid(); mRgid = srcToken.rgid(); mPid = srcToken.pid(); - mAuditSessionId = srcToken.auditSession(); + mAuditSessionId = srcToken.sessionId(); memcpy(&mOldTerminalId, &(srcToken.terminalId()), sizeof(mOldTerminalId)); mTerminalId.at_type = AU_IPv4; diff --git a/src/csproxy.cpp b/src/csproxy.cpp index 5783e08..11af7cc 100644 --- a/src/csproxy.cpp +++ b/src/csproxy.cpp @@ -36,7 +36,7 @@ // Construct a CodeSigningHost // CodeSigningHost::CodeSigningHost() - : mHostingState(noHosting) + : mLock(Mutex::recursive), mHostingState(noHosting) { } @@ -56,6 +56,7 @@ CodeSigningHost::~CodeSigningHost() // void CodeSigningHost::reset() { + StLock _(mLock); switch (mHostingState) { case noHosting: break; // nothing to do @@ -98,7 +99,7 @@ CodeSigningHost::Guest *CodeSigningHost::findHost(SecGuestRef hostRef) // // Look up guest by guestRef. -// Throws if they we don't have a guest by that ref. +// Throws if we don't have a guest by that ref. // CodeSigningHost::Guest *CodeSigningHost::findGuest(SecGuestRef guestRef, bool hostOk /* = false */) { @@ -181,6 +182,7 @@ CodeSigningHost::Guest *CodeSigningHost::findGuest(Guest *host) // void CodeSigningHost::registerCodeSigning(mach_port_t hostingPort, SecCSFlags flags) { + StLock _(mLock); switch (mHostingState) { case noHosting: mHostingPort = hostingPort; @@ -202,6 +204,7 @@ SecGuestRef CodeSigningHost::createGuest(SecGuestRef hostRef, uint32_t status, const char *path, const CssmData &cdhash, const CssmData &attributes, SecCSFlags flags) { + StLock _(mLock); if (path[0] != '/') // relative path (relative to what? :-) MacOSError::throwMe(errSecCSHostProtocolRelativePath); if (cdhash.length() > maxUcspHashLength) 
@@ -241,7 +244,7 @@ SecGuestRef CodeSigningHost::createGuest(SecGuestRef hostRef, guest->setHash(cdhash, flags & kSecCSGenerateGuestHash); guest->dedicated = (flags & kSecCSDedicatedHost); mGuests[guest->guestRef()] = guest; - SECURITYD_GUEST_CREATE(DTSELF, hostRef, guest->guestRef(), guest->status, flags, (char *)guest->path.c_str()); + SECURITYD_GUEST_CREATE(DTSELF, hostRef, guest->guestRef(), guest->status, flags, guest->path.c_str()); if (SECURITYD_GUEST_CDHASH_ENABLED()) SECURITYD_GUEST_CDHASH(DTSELF, guest->guestRef(), (void*)CFDataGetBytePtr(guest->cdhash), CFDataGetLength(guest->cdhash)); @@ -251,6 +254,7 @@ SecGuestRef CodeSigningHost::createGuest(SecGuestRef hostRef, void CodeSigningHost::setGuestStatus(SecGuestRef guestRef, uint32_t status, const CssmData &attributes) { + StLock _(mLock); if (mHostingState != proxyHosting) MacOSError::throwMe(errSecCSHostProtocolNotProxy); Guest *guest = findGuest(guestRef); @@ -274,6 +278,7 @@ void CodeSigningHost::setGuestStatus(SecGuestRef guestRef, uint32_t status, cons // void CodeSigningHost::removeGuest(SecGuestRef hostRef, SecGuestRef guestRef) { + StLock _(mLock); if (mHostingState != proxyHosting) MacOSError::throwMe(errSecCSHostProtocolNotProxy); RefPointer host = findHost(hostRef); @@ -378,12 +383,20 @@ bool CodeSigningHost::Guest::matches(CFIndex count, CFTypeRef keys[], CFTypeRef // // The MachServer dispatch handler for proxy hosting. // + +// give MIG handlers access to the object lock +struct CodeSigningHost::Lock : private StLock { + Lock(CodeSigningHost *host) : StLock(host->mLock) { } +}; + + boolean_t cshosting_server(mach_msg_header_t *, mach_msg_header_t *); static ThreadNexus context; boolean_t CodeSigningHost::handle(mach_msg_header_t *in, mach_msg_header_t *out) { + CodeSigningHost::Lock _(this); context() = this; return cshosting_server(in, out); } 
@@ -481,6 +494,7 @@ kern_return_t cshosting_server_guestStatus(CSH_ARGS, SecGuestRef guestRef, uint3 void CodeSigningHost::dump() const { + StLock _(mLock); switch (mHostingState) { case noHosting: break; diff --git a/src/csproxy.h b/src/csproxy.h index 61dcf82..9629cca 100644 --- a/src/csproxy.h +++ b/src/csproxy.h @@ -97,19 +97,27 @@ public: const CssmData &cdhash, const CssmData &attributes, SecCSFlags flags); void setGuestStatus(SecGuestRef guest, uint32_t status, const CssmData &attributes); void removeGuest(SecGuestRef host, SecGuestRef guest); + +public: + IFDUMP(void dump() const); +public: + // internal use only (public for use by MIG handlers) Guest *findHost(SecGuestRef hostRef); // find most dedicated guest of this host Guest *findGuest(Guest *host, const CssmData &attrData); // by host and attributes Guest *findGuest(SecGuestRef guestRef, bool hostOk = false); // by guest reference Guest *findGuest(Guest *host); // any guest of this host - - IFDUMP(void dump() const); + + class Lock; + friend class Lock; private: boolean_t handle(mach_msg_header_t *in, mach_msg_header_t *out); void eraseGuest(Guest *guest); private: + mutable Mutex mLock; // protects everything below + // host port registry HostingState mHostingState; // status of hosting support Port mHostingPort; // his or ours or NULL diff --git a/src/main.cpp b/src/main.cpp index 68cfdba..8647e72 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -33,6 +33,7 @@ #include "session.h" #include "notifications.h" #include "pcscmonitor.h" +#include "auditevents.h" #include "self.h" #include @@ -111,7 +112,7 @@ int main(int argc, char *argv[]) extern char *optarg; extern int optind; int arg; - while ((arg = getopt(argc, argv, "a:c:de:E:fimN:s:t:T:uvWX")) != -1) { + while ((arg = getopt(argc, argv, "a:c:de:E:imN:s:t:T:uvWX")) != -1) { switch (arg) { case 'a': authorizationConfig = optarg; 
@@ -127,9 +128,6 @@ int main(int argc, char *argv[]) break; case 'E': entropyFile = optarg; - break; - case 'f': - fprintf(stderr, "%s: the -f option is obsolete\n", argv[0]); break; case 'i': keychainAclDefault &= ~CSSM_ACL_KEYCHAIN_PROMPT_INVALID; @@ -277,8 +275,11 @@ int main(int argc, char *argv[]) gPCSC = new PCSCMonitor(server, tokenCacheDir, scOptions(smartCardOptions)); // create the RootSession object (if -d, give it graphics and tty attributes) - RootSession rootSession(server, - debugMode ? (sessionHasGraphicAccess | sessionHasTTY) : 0); + RootSession rootSession(debugMode ? (sessionHasGraphicAccess | sessionHasTTY) : 0, server); + + // create a monitor thread to watch for audit session events + AuditMonitor audits(gMainServerPort); + audits.run(); // install MDS (if needed) and initialize the local CSSM server.loadCssm(mdsIsInstalled); diff --git a/src/process.cpp b/src/process.cpp index 3d46ae4..868a082 100644 --- a/src/process.cpp +++ b/src/process.cpp @@ -39,18 +39,16 @@ // // Construct a Process object. // -Process::Process(Port servicePort, TaskPort taskPort, - const ClientSetupInfo *info, const char *identity, const CommonCriteria::AuditToken &audit) +Process::Process(TaskPort taskPort, const ClientSetupInfo *info, const CommonCriteria::AuditToken &audit) : mTaskPort(taskPort), mByteFlipped(false), mPid(audit.pid()), mUid(audit.euid()), mGid(audit.egid()) { // set parent session - parent(Session::find(servicePort)); + parent(Session::find(audit.sessionId(), true)); // let's take a look at our wannabe client... if (mTaskPort.pid() != mPid) { - secdebug("SS", "Task/pid setup mismatch pid=%d task=%d(%d) for %s", - mPid, mTaskPort.port(), mTaskPort.pid(), - (identity && identity[0]) ? identity : "(unknown)"); + secdebug("SS", "Task/pid setup mismatch pid=%d task=%d(%d)", + mPid, mTaskPort.port(), mTaskPort.pid()); CssmError::throwMe(CSSMERR_CSSM_ADDIN_AUTHENTICATE_FAILED); // you lied! } 
@@ -76,37 +74,23 @@ Process::Process(Port servicePort, TaskPort taskPort, // talked to it in the past. This could either be an exec(2), or the client could just // have forgotten all about its securityd client state. Or it could be an attack... // -void Process::reset(Port servicePort, TaskPort taskPort, - const ClientSetupInfo *info, const char *identity, const CommonCriteria::AuditToken &audit) +void Process::reset(TaskPort taskPort, const ClientSetupInfo *info, const CommonCriteria::AuditToken &audit) { - if (servicePort != session().servicePort() || taskPort != mTaskPort) { - secdebug("SS", "Process %p(%d) reset mismatch (sp %d-%d, tp %d-%d) for %s", - this, pid(), servicePort.port(), session().servicePort().port(), taskPort.port(), mTaskPort.port(), - (identity && identity[0]) ? identity : "(unknown)"); - Session &newSession = Session::find(servicePort); - Syslog::alert("Process reset %p(%d) session %d(0x%x:0x%x)->%d(0x%x:0x%x) for %s", - this, pid(), - session().servicePort().port(), &session(), session().attributes(), - newSession.servicePort().port(), &newSession, newSession.attributes(), - (identity && identity[0]) ? identity : "(unknown)"); - //CssmError::throwMe(CSSM_ERRCODE_VERIFICATION_FAILURE); // liar + if (taskPort != mTaskPort) { + secdebug("SS", "Process %p(%d) reset mismatch (tp %d-%d)", + this, pid(), taskPort.port(), mTaskPort.port()); + //@@@ CssmError::throwMe(CSSM_ERRCODE_VERIFICATION_FAILURE); // liar } setup(info); - CFRef oldCode; // DO NOT MAKE THE ASSIGNMENT HERE. If you do, you will invoke the copy constructor, not the assignment operator. For the CFRef - // template, they have very different meanings (assignment retains the CFRef, copy does not). - oldCode = processCode(); // This is the right place to do the assignment. 
+ CFCopyRef oldCode = processCode(); ClientIdentification::setup(this->pid()); // re-constructs processCode() if (CFEqual(oldCode, processCode())) { - secdebug("SS", "process %p(%d) unchanged; assuming client-side reset", this, mPid); + SECURITYD_CLIENT_RESET_AMNESIA(this); } else { - secdebug("SS", "process %p(%d) changed; assuming exec with full reset", this, mPid); + SECURITYD_CLIENT_RESET_FULL(this); CodeSigningHost::reset(); } - - secdebug("SS", "process %p(%d) has reset; now %sfor %s", - this, mPid, mByteFlipped ? "FLIP " : "", - (identity && identity[0]) ? identity : "(unknown)"); } @@ -175,6 +159,14 @@ Session& Process::session() const } +void Process::checkSession(const audit_token_t &auditToken) +{ + AuditToken audit(auditToken); + if (audit.sessionId() != this->session().sessionId()) + this->changeSession(audit.sessionId()); +} + + LocalDatabase &Process::localStore() { StLock _(*this); @@ -194,10 +186,10 @@ Key *Process::makeTemporaryKey(const CssmKey &key, CSSM_KEYATTR_FLAGS moreAttrib // Change the session of a process. // This is the result of SessionCreate from a known process client. // -void Process::changeSession(Port servicePort) +void Process::changeSession(Session::SessionId sessionId) { // re-parent - parent(Session::find(servicePort)); + parent(Session::find(sessionId, true)); SECURITYD_CLIENT_CHANGE_SESSION(this, &this->session()); } diff --git a/src/process.h b/src/process.h index b708582..6ed890d 100644 --- a/src/process.h +++ b/src/process.h @@ -29,6 +29,7 @@ #define _H_PROCESS #include "structure.h" +#include "session.h" #include #include #include 
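Review bot: In Process::reset the `taskPort != mTaskPort` branch now only calls `secdebug` and then falls through to `setup(info)`. The throw stays commented out (`//@@@ CssmError::throwMe(CSSM_ERRCODE_VERIFICATION_FAILURE);`) and the `Syslog::alert` that the old branch emitted has been removed. The comment above the function says a reset "could be an attack", and `secdebug` output is, as far as I know, not available in release builds, so a mismatch would leave no trace in production. I would keep a syslog record in that branch, e.g. `Syslog::alert("Process reset %p(%d) task port mismatch (%d-%d)", this, pid(), taskPort.port(), mTaskPort.port());`, and decide explicitly whether the reset should be refused by enabling the throw.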
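Review bot: Process::checkSession is added without the `//` header comment that the neighbouring methods carry, although it is the place where a client is silently moved to another session. I would add something like `// Re-parent to the session named by the request's audit token if it differs from the current one.` above it. The method also reads `session()` and calls `changeSession()` without taking the process lock, whereas `localStore()` directly below begins with `StLock _(*this)`. If requests from one client can run concurrently, it is worth confirming that the re-parenting is serialized elsewhere.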
@@ -71,14 +72,10 @@ class Process : public PerProcess, public ClientIdentification, private VProc::Transaction { public: - Process(Port servicePort, TaskPort tPort, - const ClientSetupInfo *info, const char *identity, - const CommonCriteria::AuditToken &audit); + Process(TaskPort tPort, const ClientSetupInfo *info, const CommonCriteria::AuditToken &audit); virtual ~Process(); - void reset(Port servicePort, TaskPort tPort, - const ClientSetupInfo *info, const char *identity, - const CommonCriteria::AuditToken &audit); + void reset(TaskPort tPort, const ClientSetupInfo *info, const CommonCriteria::AuditToken &audit); uid_t uid() const { return mUid; } gid_t gid() const { return mGid; } @@ -93,9 +90,10 @@ public: using PerProcess::kill; void kill(); - void changeSession(Port servicePort); // very special indeed + void changeSession(Session::SessionId sessionId); Session& session() const; + void checkSession(const audit_token_t &auditToken); LocalDatabase &localStore(); Key *makeTemporaryKey(const CssmKey &key, CSSM_KEYATTR_FLAGS moreAttributes, diff --git a/src/securityd.d b/src/securityd.d index c66571e..1a711ce 100644 --- a/src/securityd.d +++ b/src/securityd.d @@ -47,6 +47,8 @@ provider securityd { probe client__connection__release(DTHandle id); probe client__change_session(DTHandle id, DTHandle session); + probe client__reset__amnesia(DTHandle id); + probe client__reset__full(DTHandle id); probe request__entry(const char *name, DTHandle connection, DTHandle process); probe request__return(uint32_t osstatus); 
@@ -54,9 +56,11 @@ provider securityd { /* * Session management */ - probe session__create(DTHandle id, uint32_t attributes, DTPort port); - probe session__setattr(DTHandle id, uint32_t attributes); - probe session__destroy(DTHandle id); + probe session__create(DTHandle id, uint32_t sessionId, const void *auditInfo, uint32_t auditInfoLength); + probe session__kill(DTHandle id, uint32_t sessionId); + probe session__destroy(DTHandle id, uint32_t sessionId); + + probe session__notify(uint64_t id, uint32_t flags, int uid); /* * Port-related events (internal interest only) diff --git a/src/securityd.order b/src/securityd.order index 8c328e2..38454ed 100644 --- a/src/securityd.order +++ b/src/securityd.order 
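Review bot: `session__notify` names its first argument `id` with type `uint64_t`, while in the three probes above it `id` is the `DTHandle` and the session identifier is a separate `uint32_t sessionId`. The watch script in this commit indexes its session table with arg0 of this probe, so the argument is a session id rather than a handle, and its width differs from the other probes. Naming it for what it carries, e.g. `probe session__notify(uint64_t sessionId, uint32_t flags, int uid);`, or adding a one-line comment that says so, would keep the provider self-describing. The provider block is not closed inside this hunk.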
@@ -1,662 +1,136 @@ -__ZN8Security5MutexC1Ev -__ZN8Security5MutexC2Ev -__ZN8Security5MutexC1ENS0_4TypeE -__ZN8Security5MutexC2ENS0_4TypeE -__ZN8Security11ModuleNexusI15MutexAttributesEclEv -__ZN8Security17ModuleNexusCommon6createEPFPvvE +_self_client_handleSession +__ZN8Security12MachPlusPlus10MachServer4busyEv __ZN8Security5Mutex4lockEv -__ZN8Security11ModuleNexusI15MutexAttributesE4makeEv -__ZN15MutexAttributesC2Ev +__ZN8Security12MachPlusPlus10MachServer17ensureReadyThreadEv __ZN8Security5Mutex6unlockEv -__ZN8Security5MutexD1Ev -__ZN8Security5MutexD2Ev -__ZN7PortMapI7SessionEC2Ev -__ZN8Security15ThreadStoreSlotC2EPFvPvE -start -_main -__ZN8Security6Syslog4openEPKcii -__ZN9AuthorityC1EPKc -__ZN13Authorization6EngineC2EPKc -__ZN13Authorization20AuthorizationDBPlistC1EPKc -__ZN13Authorization20AuthorizationDBPlistC2EPKc -__ZN8Security10AclSubject5MakerC2Ei -__ZN8Security11ModuleNexusISt3mapIiPNS_10AclSubject5MakerESt4lessIiESaISt4pairIKiS4_EEEEclEv -__ZN8Security11ModuleNexusISt3mapIiPNS_10AclSubject5MakerESt4lessIiESaISt4pairIKiS4_EEEE4makeEv -__ZNSt3mapIiPN8Security10AclSubject5MakerESt4lessIiESaISt4pairIKiS3_EEEixERS7_ -__ZNSt8_Rb_treeIiSt4pairIKiPN8Security10AclSubject5MakerEESt10_Select1stIS6_ESt4lessIiESaIS6_EE16_M_insert_uniqueESt17_Rb_tree_ -__ZNSt8_Rb_treeIiSt4pairIKiPN8Security10AclSubject5MakerEESt10_Select1stIS6_ESt4lessIiESaIS6_EE16_M_insert_uniqueERKS6_ -__ZNSt8_Rb_treeIiSt4pairIKiPN8Security10AclSubject5MakerEESt10_Select1stIS6_ESt4lessIiESaIS6_EE9_M_insertEPSt18_Rb_tree_node_ba -__ZNSt8_Rb_treeIiSt4pairIKiPN8Security10AclSubject5MakerEESt10_Select1stIS6_ESt4lessIiESaIS6_EE14_M_create_nodeERKS6_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKiPN8Security10AclSubject5MakerEEEE8allocateEmPKv -__ZN14CodeSignaturesC1EPKc -__ZN14CodeSignaturesC2EPKc -__ZN8Security12UnixPlusPlus6UnixDbC1Ev -__ZN8Security12UnixPlusPlus6UnixDb4openEPKcii6DBTYPE -__ZN8Security12UnixPlusPlus6UnixDb5closeEv -__ZN8Security12UnixPlusPlus6UnixDb5flushEi 
-__ZN8Security12UnixPlusPlus10checkErrorIiEET_S2_ -__ZN6ServerC1ER9AuthorityR14CodeSignaturesPKc -__ZN6ServerC2ER9AuthorityR14CodeSignaturesPKc -__ZN8NodeCoreC2Ev -__ZN8Security12MachPlusPlus10MachServerC2EPKc -__ZN8Security12MachPlusPlus9BootstrapC2Ev -__ZN8Security12MachPlusPlus5Error5checkEi -__ZN8Security12MachPlusPlus11ReceivePortC1EPKcRKNS0_9BootstrapEb -__ZN8Security12MachPlusPlus11ReceivePortC2EPKcRKNS0_9BootstrapEb -__ZNK8Security12MachPlusPlus9Bootstrap15checkInOptionalEPKc -__ZN8Security12MachPlusPlus4Port8allocateEj -__ZN8Security12MachPlusPlus7PortSetpLERKNS0_4PortE -__ZN8Security18DevRandomGeneratorC2Eb -__ZN6Server12SleepWatcherC2Ev -__ZN8Security12MachPlusPlus16PortPowerWatcherC2Ev -__ZN8Security12MachPlusPlus14IOPowerWatcherC2Ev -__ZN7PortMapI10ConnectionEC2Ev -__ZN7PortMapI7ProcessEC2Ev -__ZN8Security10CssmClient4CssmC2Ev -__ZN8Security10CssmClient8CssmImplC1Ev -__ZN8Security11ModuleNexusINS_10CssmClient8CssmImpl12StandardCssmEEclEv -__ZN8Security11ModuleNexusINS_10CssmClient8CssmImpl12StandardCssmEE4makeEv -__ZN8Security10CssmClient8CssmImpl12StandardCssm7setCssmEPS1_ -__ZNK8Security8RefCount3refEv -__ZN8Security10CssmClient6ModuleC2ERKNS_4GuidERKNS0_4CssmE -__ZN8Security10CssmClient10ModuleImplC1ERKNS_4GuidERKNS0_4CssmE -__ZN8Security10CssmClient10ObjectImplC2ERKNS0_6ObjectE -__ZN8Security10CssmClient3CSPC2ERKNS0_6ModuleE -__ZN8Security10CssmClient7CSPImplC1ERKNS0_6ModuleE -__ZN8Security10CssmClient14AttachmentImplC2ERKNS0_6ModuleEj -__ZN8Security14CommonCriteria10TerminalIdC1Ev -__ZN8Security14CommonCriteria10TerminalIdC2Ev -__ZN8Security14CommonCriteria12AuditSession15registerSessionEv -__ZN8Security12MachPlusPlus10MachServer3addERNS1_7HandlerE -__ZNSt8_Rb_treeIPN8Security12MachPlusPlus10MachServer7HandlerES4_St9_IdentityIS4_ESt4lessIS4_ESaIS4_EE16_M_insert_uniqueERKS4_ -__ZNSt8_Rb_treeIPN8Security12MachPlusPlus10MachServer7HandlerES4_St9_IdentityIS4_ESt4lessIS4_ESaIS4_EE9_M_insertEPSt18_Rb_tree_ 
-__ZNSt8_Rb_treeIPN8Security12MachPlusPlus10MachServer7HandlerES4_St9_IdentityIS4_ESt4lessIS4_ESaIS4_EE14_M_create_nodeERKS4_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIPN8Security12MachPlusPlus10MachServer7HandlerEEE8allocateEmPKv -__ZN6Server14waitForClientsEb -__ZN14EntropyManagerC1ERN8Security12MachPlusPlus10MachServerEPKc -__ZN14EntropyManagerC2ERN8Security12MachPlusPlus10MachServerEPKc -__ZN8Security4Time3nowEv -__ZN8Security12UnixPlusPlus8FileDesc4openEPKcit -__ZN8Security12UnixPlusPlus8FileDesc4readEPvm -__ZN8Security18DevRandomGenerator10addEntropyEPKvm -__ZN8Security11ModuleNexusINS_18DevRandomGenerator8WritableEEclEv -__ZN8Security11ModuleNexusINS_18DevRandomGenerator8WritableEE4makeEv -__ZN8Security12UnixPlusPlus8FileDesc5writeEPKvm -__ZN8Security12UnixPlusPlus8FileDesc5closeEv -__ZN14EntropyManager6actionEv -__ZN14EntropyManager14collectEntropyEv -__ZN14EntropyManager17updateEntropyFileEv -__ZN8Security18DevRandomGenerator6randomEPvm -__ZN8Security11ModuleNexusINS_18DevRandomGenerator8ReadonlyEEclEv -__ZN8Security11ModuleNexusINS_18DevRandomGenerator8ReadonlyEE4makeEv -__ZN8Security12MachPlusPlus10MachServer8setTimerEPNS1_5TimerENS_4Time8IntervalE -__ZN8Security12MachPlusPlus10MachServer8setTimerEPNS1_5TimerENS_4Time8AbsoluteE -__ZN8Security13ScheduleQueueINS_4Time8AbsoluteEE8scheduleEPNS3_5EventES2_ -__ZN11PCSCMonitorC1ER6ServerPKcNS_12ServiceLevelE -__ZN11PCSCMonitorC2ER6ServerPKcNS_12ServiceLevelE -__ZN8ListenerC2Ejjj -__ZNSt8_Rb_treeIjSt4pairIKjN8Security10RefPointerI8ListenerEEESt10_Select1stIS6_ESt4lessIjESaIS6_EE9_M_insertEPSt18_Rb_tree_nod -__ZNSt8_Rb_treeIjSt4pairIKjN8Security10RefPointerI8ListenerEEESt10_Select1stIS6_ESt4lessIjESaIS6_EE14_M_create_nodeERKS6_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKjN8Security10RefPointerI8ListenerEEEEE8allocateEmPKv -__ZN8Security10RefPointerI8ListenerE7releaseEv -__ZNK8Security8RefCount5unrefEv -__ZN8Security12UnixPlusPlus5ChildC2Ev -__ZN8Security4PCSC7SessionC1Ev 
-__ZN8Security5IOKit24MachPortNotificationPortC1Ev -__ZN8Security5IOKit24MachPortNotificationPortC2Ev -__ZN8Security5IOKit16NotificationPortC2Ev -__ZN8Security5IOKit10MasterPortC2Ev -__ZN8Security12MachPlusPlus4Port10deallocateEv -__ZNK8Security5IOKit16NotificationPort4portEv -__ZN11RootSessionC1ER6Serverj -__ZN11RootSessionC2ER6Serverj -__ZN7SessionC2EN8Security12MachPlusPlus9BootstrapENS1_4PortEj -__ZN8Security13MappingHandleIjE4makeEv -__ZN8Security11ModuleNexusINS_13MappingHandleIjE5StateEEclEv -__ZN8Security11ModuleNexusINS_13MappingHandleIjE5StateEE4makeEv -__ZN8Security13MappingHandleIjE5StateC2Ev -__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EEC2EmRKS -__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE21_M_in -__ZSt11lower_boundIPKmmET_S2_S2_RKT0_ -__ZNSt6vectorIPN9__gnu_cxx15_Hashtable_nodeISt4pairIKjPN8Security13MappingHandleIjEEEEESaISA_EE7reserveEm -__ZNSt6vectorIPN9__gnu_cxx15_Hashtable_nodeISt4pairIKjPN8Security13MappingHandleIjEEEEESaISA_EE20_M_allocate_and_copyIPSA_EESE_ -__ZN9__gnu_cxx13new_allocatorIPNS_15_Hashtable_nodeISt4pairIKjPN8Security13MappingHandleIjEEEEEE8allocateEmPKv -__ZSt18uninitialized_copyIPPN9__gnu_cxx15_Hashtable_nodeISt4pairIKjPN8Security13MappingHandleIjEEEEESB_ET0_T_SD_SC_ -__ZNSt6vectorIPN9__gnu_cxx15_Hashtable_nodeISt4pairIKjPN8Security13MappingHandleIjEEEEESaISA_EE14_M_fill_insertENS0_17__normal_ -__ZN8Security13MappingHandleIjE5State11handleInUseEj -__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE4findER -__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE14find_ -__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE6resize 
-__ZN9__gnu_cxx13new_allocatorINS_15_Hashtable_nodeISt4pairIKjPN8Security13MappingHandleIjEEEEEE8allocateEmPKv -__ZN13Authorization10CredentialC1Ev -__ZN13Authorization10CredentialC2Ev -__ZN13Authorization14CredentialImplC2Ev -__ZN8Security6Syslog6noticeEPKcz -__ZN8NodeCore6parentERS_ -__ZN8Security10RefPointerI8NodeCoreE10setPointerEPS1_ -__ZN8Security10RefPointerI8NodeCoreE7releaseEv -__ZNSt3mapIN8Security12MachPlusPlus4PortENS0_10RefPointerI7SessionEESt4lessIS2_ESaISt4pairIKS2_S5_EEEixERS9_ -__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7SessionEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE16 -__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7SessionEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE9_ -__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7SessionEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE14 -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKN8Security12MachPlusPlus4PortENS3_10RefPointerI7SessionEEEEE8allocateE -__ZN8Security10RefPointerI7SessionE7releaseEv -__ZN8Security10RefPointerI7SessionE10setPointerEPS1_ -__ZN6Server8loadCssmEb -__ZNK8Security10CssmClient6Object4implINS0_8CssmImplEEERT_v -__ZN8Security11ModuleNexusINS_9MDSClient9DirectoryEEclEv -__ZN8Security11ModuleNexusINS_9MDSClient9DirectoryEE4makeEv -__ZN8Security9MDSClient9DirectoryC1Ev -__ZN8Security9MDSClient9DirectoryC2Ev -__ZN8Security9Allocator8standardEj -__ZN8Security11ModuleNexusI17DefaultAllocatorsEclEv -__ZN8Security11ModuleNexusI17DefaultAllocatorsE4makeEv -__ZN8Security28CssmAllocatorMemoryFunctionsC1ERNS_9AllocatorE -__ZN8Security9MDSClient9Directory7installEv -__ZN8Security28CssmAllocatorMemoryFunctions11relayMallocEmPv -__ZN16DefaultAllocator6mallocEm -__ZN8Security28CssmAllocatorMemoryFunctions9relayFreeEPvS1_ -__ZN16DefaultAllocator4freeEPv -__ZN8Security10CssmClient8CssmImpl8activateEv -__ZNK8Security10CssmClient6Object4implINS0_7CSPImplEEERT_v -__ZN8Security10CssmClient14AttachmentImpl8activateEv 
-__ZNK8Security10CssmClient6Object4implINS0_10ModuleImplEEERT_v -__ZN8Security10CssmClient10ModuleImpl8activateEv -__ZN8Security10RefPointerINS_10CssmClient10ObjectImplEE7releaseEv -__ZNK8Security10CssmClient10ObjectImpl9allocatorEv -__ZNK8Security10CssmClient14AttachmentImpl4guidEv -__ZNK8Security10CssmClient14AttachmentImpl6moduleEv -__ZN20SharedMemoryListenerC1EPKcj -__ZN20SharedMemoryListenerC2EPKcj -__ZN18SharedMemoryServerC2EPKcj -__ZN6Server3runEv -__ZN8Security12MachPlusPlus10MachServer3runEmi -__ZN8Security12MachPlusPlus10MachServer15runServerThreadEb -__ZN8Security12MachPlusPlus7MessageC1Em -__ZN8Security12MachPlusPlus7Message9setBufferEm -__ZN8Security12MachPlusPlus10MachServer9perThreadEv -__ZN8Security11ModuleNexusINS_11ThreadNexusINS_12MachPlusPlus10MachServer9PerThreadEEEEclEv -__ZN8Security11ModuleNexusINS_11ThreadNexusINS_12MachPlusPlus10MachServer9PerThreadEEEE4makeEv -__ZN8Security11ThreadNexusINS_12MachPlusPlus10MachServer9PerThreadEEclEv -__ZNK8Security15ThreadStoreSlotaSEPv -__ZN8Security11ModuleNexusINS_5MutexEEclEv -__ZN8Security11ModuleNexusINS_5MutexEE4makeEv -__ZN8Security11ModuleNexusISt3setIPvSt4lessIS2_ESaIS2_EEEclEv -__ZN8Security11ModuleNexusISt3setIPvSt4lessIS2_ESaIS2_EEE4makeEv -__ZNSt8_Rb_treeIPvS0_St9_IdentityIS0_ESt4lessIS0_ESaIS0_EE16_M_insert_uniqueERKS0_ -__ZNSt8_Rb_treeIPvS0_St9_IdentityIS0_ESt4lessIS0_ESaIS0_EE9_M_insertEPSt18_Rb_tree_node_baseS8_RKS0_ -__ZNSt8_Rb_treeIPvS0_St9_IdentityIS0_ESt4lessIS0_ESaIS0_EE14_M_create_nodeERKS0_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIPvEE8allocateEmPKv +__ZThn144_N6Server6handleEP17mach_msg_header_tS1_ +__ZN6Server6handleEP17mach_msg_header_tS1_ +__Z11ucsp_serverP17mach_msg_header_tS0_ +__Z11self_serverP17mach_msg_header_tS0_ +__ZL15_XhandleSessionP17mach_msg_header_tS0_ +__Z25self_server_handleSessionjjjy +__ZN8Security6StLockINS_12MachPlusPlus10MachServerEXadL_ZNS2_4busyEvEEXadL_ZNS2_4idleEvEEED2Ev __ZThn144_N6Server9eventDoneEv __ZN6Server9eventDoneEv 
__ZN8Security12MachPlusPlus10MachServer12processTimerEv -__ZN8Security13ScheduleQueueINS_4Time8AbsoluteEE3popES2_ -__ZN8Security13ScheduleQueueINS_4Time8AbsoluteEE5Event10unscheduleEv -__ZN8Security12MachPlusPlus10MachServer5Timer6selectEv -__ZN8Security12MachPlusPlus10MachServer4busyEv -__ZN8Security12MachPlusPlus10MachServer17ensureReadyThreadEv -__ZN8Security6Thread3runEv -__ZThn24_N11PCSCMonitor6actionEv -__ZN11PCSCMonitor6actionEv -__ZN11PCSCMonitor12initialSetupEv -__ZN6Server3addEPN8Security12MachPlusPlus12PowerWatcherE -__ZN6Server12SleepWatcher3addEPN8Security12MachPlusPlus12PowerWatcherE -__ZN8Security6Thread6runnerEPv -__ZN8Security12MachPlusPlus10MachServer10LoadThread6actionEv -__ZNSt8_Rb_treeIPN8Security12MachPlusPlus12PowerWatcherES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE16_M_insert_uniqueERKS3_ -__ZN8Security12MachPlusPlus10MachServer9addThreadEPNS_6ThreadE -__ZNSt8_Rb_treeIPN8Security12MachPlusPlus12PowerWatcherES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE9_M_insertEPSt18_Rb_tree_node_b -__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE16_M_insert_uniqueERKS2_ -__ZNSt8_Rb_treeIPN8Security12MachPlusPlus12PowerWatcherES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE14_M_create_nodeERKS3_ -__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE9_M_insertEPSt18_Rb_tree_node_baseSA_RKS2_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIPN8Security12MachPlusPlus12PowerWatcherEEE8allocateEmPKv -__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE14_M_create_nodeERKS2_ -__ZN8Security5IOKit11DeviceMatchC1EPKc -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIPN8Security6ThreadEEE8allocateEmPKv -__ZN8Security5IOKit11DeviceMatchC2EPKc +__ZN8Security4Time3nowEv __ZN8Security12MachPlusPlus10MachServer26releaseDeferredAllocationsEv +__ZN8Security11ModuleNexusINS_11ThreadNexusINS_12MachPlusPlus10MachServer9PerThreadEEEEclEv +__ZN8Security11ThreadNexusINS_12MachPlusPlus10MachServer9PerThreadEEclEv 
+__ZNSt8_Rb_treeIN8Security12MachPlusPlus10MachServer10AllocationES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE5eraseESt23_Rb_tree_co __ZNSt8_Rb_treeIN8Security12MachPlusPlus10MachServer10AllocationES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE8_M_eraseEPSt13_Rb_tre -__ZN8Security5IOKit16NotificationPort3addERKNS0_11DeviceMatchERNS1_8ReceiverEPKc -__ZThn144_N6Server6handleEP17mach_msg_header_tS1_ -__ZN6Server6handleEP17mach_msg_header_tS1_ -__Z11ucsp_serverP17mach_msg_header_tS0_ -__ZL18_XverifyPrivilegedP17mach_msg_header_tS0_ -__Z28ucsp_server_verifyPrivilegedjj13audit_token_tPi -__ZN8Security12MachPlusPlus10MachServer4idleEv +_cdsa_notify_server +__Xmach_notify_dead_name +_cdsa_mach_notify_dead_name +__ZThn144_N6Server14notifyDeadNameEN8Security12MachPlusPlus4PortE +__ZN6Server14notifyDeadNameEN8Security12MachPlusPlus4PortE +__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI10ConnectionEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_ +__ZNK8Security8RefCount3refEv +__ZN8Security10RefPointerI10ConnectionE7releaseEv +__ZNK8Security8RefCount5unrefEv +__ZN10Connection5abortEb +__ZN8Security12MachPlusPlus5Error5checkEi +__ZN10ConnectionD0Ev +__ZNSt8_Rb_treeIjSt4pairIKjN8Security10RefPointerIN8Listener12NotificationEEEESt10_Select1stIS7_ESt4lessIjESaIS7_EED2Ev +__ZNSt8_Rb_treeIjSt4pairIKjN8Security10RefPointerIN8Listener12NotificationEEEESt10_Select1stIS7_ESt4lessIjESaIS7_EE8_M_eraseEPS +__ZN8NodeCoreD2Ev +__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EED2Ev +__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE8_M_eraseEPSt13_Rb_tree_nodeIS3_E +__ZN8Security10RefPointerI8NodeCoreE7releaseEv +__ZN8Security5MutexD2Ev +__ZL19_XverifyPrivileged2P17mach_msg_header_tS0_ +__Z29ucsp_server_verifyPrivileged2jj13audit_token_tPiPj __ZL7_XsetupP17mach_msg_header_tS0_ __Z17ucsp_server_setupjj13audit_token_tPijN8Security14SecurityServer15ClientSetupInfoEPKc 
-__ZN6Server15setupConnectionENS_12ConnectLevelEN8Security12MachPlusPlus4PortES3_S3_RK13audit_token_tPKNS1_14SecurityServer15Cli +__ZN6Server6activeEv +__ZN6Server15setupConnectionENS_12ConnectLevelEN8Security12MachPlusPlus4PortES3_RK13audit_token_tPKNS1_14SecurityServer15Client +__ZN8Security14CommonCriteria10AuditTokenC1ERK13audit_token_t +__ZN8Security14CommonCriteria10AuditTokenC2ERK13audit_token_t +__ZN8Security14CommonCriteria10TerminalIdC2Ev __ZNSt3mapIN8Security12MachPlusPlus4PortENS0_10RefPointerI7ProcessEESt4lessIS2_ESaISt4pairIKS2_S5_EEEixERS9_ -__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7ProcessEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE16 __ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7ProcessEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE9_ __ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7ProcessEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE14 -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKN8Security12MachPlusPlus4PortENS3_10RefPointerI7ProcessEEEEE8allocateE +__ZN9__gnu_cxx13new_allocatorISt4pairIKN8Security12MachPlusPlus4PortENS2_10RefPointerI7ProcessEEEE9constructEPS9_RKS9_ __ZN8Security10RefPointerI7ProcessE7releaseEv -__ZN8Security14CommonCriteria10AuditTokenC1ERK13audit_token_t -__ZN8Security14CommonCriteria10AuditTokenC2ERK13audit_token_t -__ZN7ProcessC1EN8Security12MachPlusPlus4PortENS1_8TaskPortEPKNS0_14SecurityServer15ClientSetupInfoEPKcRKNS0_14CommonCriteria10A -__ZN7ProcessC2EN8Security12MachPlusPlus4PortENS1_8TaskPortEPKNS0_14SecurityServer15ClientSetupInfoEPKcRKNS0_14CommonCriteria10A +__ZN7ProcessC1EN8Security12MachPlusPlus8TaskPortEPKNS0_14SecurityServer15ClientSetupInfoERKNS0_14CommonCriteria10AuditTokenE +__ZN7ProcessC2EN8Security12MachPlusPlus8TaskPortEPKNS0_14SecurityServer15ClientSetupInfoERKNS0_14CommonCriteria10AuditTokenE __ZN10PerProcessC2Ev +__ZN8Security13MappingHandleIjE4makeEv 
+__ZN8Security11ModuleNexusINS_13MappingHandleIjE5StateEEclEv +__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE4findER +__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE14find_ +__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE6resize +__ZN8NodeCoreC2Ev +__ZN8Security5MutexC2ENS0_4TypeE +__ZN8Security11ModuleNexusI15MutexAttributesEclEv __ZN15CodeSigningHostC2Ev +__ZN8Security5MutexC1ENS0_4TypeE __ZN20ClientIdentificationC2Ev __ZN14CodeSignatures8IdentityC2Ev -__ZN7Session4findEN8Security12MachPlusPlus4PortE +__ZN8Security5MutexC1Ev +__ZN8Security5MutexC2Ev +__ZN7Session4findEib +__ZNSt8_Rb_treeIiSt4pairIKiN8Security10RefPointerI7SessionEEESt10_Select1stIS6_ESt4lessIiESaIS6_EE4findERS1_ +__ZN8Security14CommonCriteria9AuditInfo3getEi +__ZN8Security9UnixError5checkEi +__ZN14DynamicSessionC2ERKN8Security14CommonCriteria9AuditInfoE +__ZN7SessionC2ERKN8Security14CommonCriteria9AuditInfoER6Server +__ZN13Authorization10CredentialC1Ev +__ZN13Authorization10CredentialC2Ev +__ZN13Authorization14CredentialImplC2Ev +__ZN8NodeCore6parentERS_ +__ZN8Security10RefPointerI8NodeCoreE10setPointerEPS1_ +__ZNSt3mapIiN8Security10RefPointerI7SessionEESt4lessIiESaISt4pairIKiS3_EEEixERS7_ +__ZNSt8_Rb_treeIiSt4pairIKiN8Security10RefPointerI7SessionEEESt10_Select1stIS6_ESt4lessIiESaIS6_EE16_M_insert_uniqueESt17_Rb_tr +__ZNSt8_Rb_treeIiSt4pairIKiN8Security10RefPointerI7SessionEEESt10_Select1stIS6_ESt4lessIiESaIS6_EE9_M_insertEPSt18_Rb_tree_node +__ZNSt8_Rb_treeIiSt4pairIKiN8Security10RefPointerI7SessionEEESt10_Select1stIS6_ESt4lessIiESaIS6_EE14_M_create_nodeERKS6_ +__ZN9__gnu_cxx13new_allocatorISt4pairIKiN8Security10RefPointerI7SessionEEEE9constructEPS7_RKS7_ +__ZN8Security10RefPointerI7SessionE7releaseEv +__ZN8Security10RefPointerI7SessionE10setPointerEPS1_ 
+__ZN8Security6Syslog6noticeEPKcz +__ZNSt8_Rb_treeIiSt4pairIKiN8Security10RefPointerI7SessionEEESt10_Select1stIS6_ESt4lessIiESaIS6_EE16_M_insert_uniqueERKS6_ __ZNK8Security12MachPlusPlus8TaskPort3pidEv __ZN7Process5setupEPKN8Security14SecurityServer15ClientSetupInfoE __ZN20ClientIdentification5setupEi -__ZThn72_N11PCSCMonitor8ioChangeERN8Security5IOKit14DeviceIteratorE -__ZN11PCSCMonitor8ioChangeERN8Security5IOKit14DeviceIteratorE -__ZN8Security5IOKit14DeviceIteratorclEv -__ZN11PCSCMonitor13deviceSupportERKN8Security5IOKit6DeviceE -__ZNK8Security5IOKit6Device8propertyEPKc -__ZN8Security8cfNumberIjEET_PK10__CFNumber -__ZN8Security5IOKit6DeviceD1Ev -__ZN11PCSCMonitor16isExcludedDeviceERKN8Security5IOKit6DeviceE -__ZN8Security5IOKit14DeviceIteratorD2Ev +__ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE5eraseESt17_Rb_tree_iterat __ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE8_M_eraseEPSt13_Rb_tree_no __ZN8Security12UnixPlusPlus5Child4findI11ServerChildEEPT_i __ZN8Security12UnixPlusPlus5Child11findGenericEi __ZN8Security11ModuleNexusINS_12UnixPlusPlus5Child8ChildrenEEclEv -__ZN8Security11ModuleNexusINS_12UnixPlusPlus5Child8ChildrenEE4makeEv -__ZN8Security12UnixPlusPlus5Child8ChildrenC2Ev +__ZNSt8_Rb_treeIiSt4pairIKiPN8Security12UnixPlusPlus5ChildEESt10_Select1stIS6_ESt4lessIiESaIS6_EE4findERS1_ __ZN8Security10RefPointerI7ProcessE10setPointerEPS1_ __ZNK8Security12MachPlusPlus10MachServer12notifyIfDeadENS0_4PortEb __ZN8Security12MachPlusPlus4Port13requestNotifyEjij __ZNSt3mapIiP7ProcessSt4lessIiESaISt4pairIKiS1_EEEixERS5_ __ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE16_M_insert_uniqueESt17_Rb_tree_iteratorIS4_ERKS4_ -__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE16_M_insert_uniqueERKS4_ __ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE9_M_insertEPSt18_Rb_tree_node_baseSC_RKS4_ 
-__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE14_M_create_nodeERKS4_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKiP7ProcessEEE8allocateEmPKv __ZN10ConnectionC1ER7ProcessN8Security12MachPlusPlus4PortE __ZN10ConnectionC2ER7ProcessN8Security12MachPlusPlus4PortE -__ZN8Security12MachPlusPlus4Port7modRefsEji -__ZNK7PortMapI10ConnectionE8containsEj +__ZNKSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI10ConnectionEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8 __ZNSt3mapIN8Security12MachPlusPlus4PortENS0_10RefPointerI10ConnectionEESt4lessIS2_ESaISt4pairIKS2_S5_EEEixERS9_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKN8Security12MachPlusPlus4PortENS3_10RefPointerI10ConnectionEEEEE8alloc -__ZN8Security10RefPointerI10ConnectionE7releaseEv +__ZN9__gnu_cxx13new_allocatorISt4pairIKN8Security12MachPlusPlus4PortENS2_10RefPointerI10ConnectionEEEE9constructEPS9_RKS9_ __ZN8Security10RefPointerI10ConnectionE10setPointerEPS1_ -__ZL16_XgetSessionInfoP17mach_msg_header_tS0_ -__Z26ucsp_server_getSessionInfojj13audit_token_tPiPjS1_ +__ZL21_XauthorizationCreateP17mach_msg_header_tS0_ +__Z31ucsp_server_authorizationCreatejj13audit_token_tPiPvjjS1_jPN8Security14SecurityServer17AuthorizationBlobE __ZN6Server10connectionEjR13audit_token_t __ZNK7PortMapI10ConnectionE3getEji +__ZN7Process12checkSessionERK13audit_token_t __ZN8Security11ThreadNexusINS_10RefPointerI10ConnectionEEEclEv __ZN10Connection9beginWorkER13audit_token_t -__ZN7Session4findEj -__ZN6Server7sessionEv -__ZN6Server10connectionEb -__ZN10Connection9checkWorkEv -__ZNK7Process7sessionEv -__ZN6Server15requestCompleteERi -__ZN10Connection7endWorkERi -__ZN11PCSCMonitor15startSoftTokensEv -__ZN11PCSCMonitor12clearReadersEN6Reader4TypeE -__ZN8Security14CodeRepositoryINS_6BundleEEC2ERKSsPKcS6_b -__ZN8Security8PathListC2ERKSsPKcS4_b -__ZStplIcSt11char_traitsIcESaIcEESbIT_T0_T1_EPKS3_RKS6_ -__ZNSt6vectorISsSaISsEE9push_backERKSs 
-__ZNSt6vectorISsSaISsEE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPSsS1_EERKSs -__ZN9__gnu_cxx13new_allocatorISsE8allocateEmPKv -__ZSt24__uninitialized_copy_auxIPSsS0_ET0_T_S2_S1_St12__false_type -__ZN8Security14CodeRepositoryINS_6BundleEE6updateEv -__ZN8Security9makeCFURLEPKcbPK7__CFURL -__ZN8Security6BundleC1EP10__CFBundlePKc -__ZN8Security6BundleC2EP10__CFBundlePKc -__ZN8Security8cfStringEPK7__CFURLb -__ZNSt6vectorIN8Security10RefPointerINS0_6BundleEEESaIS3_EE9push_backERKS3_ -__ZNSt6vectorIN8Security10RefPointerINS0_6BundleEEESaIS3_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS3_S5_EERKS3_ -__ZN9__gnu_cxx13new_allocatorIN8Security10RefPointerINS1_6BundleEEEE8allocateEmPKv -__ZSt24__uninitialized_copy_auxIPN8Security10RefPointerINS0_6BundleEEES4_ET0_T_S6_S5_St12__false_type -__ZN8Security10RefPointerINS_6BundleEE7releaseEv -__ZNSt6vectorIN8Security10RefPointerINS0_6BundleEEESaIS3_EED2Ev -__ZNSt12_Vector_baseIN8Security10RefPointerINS0_6BundleEEESaIS3_EED2Ev -__ZNK8Security6Bundle13infoPlistItemEPKc -__ZNK8Security6Bundle8cfBundleEv -__ZN8Security14CodeRepositoryINS_6BundleEED2Ev -__ZN8Security8PathListD2Ev -__ZNSt6vectorISsSaISsEED2Ev -__ZNSt12_Vector_baseISsSaISsEED2Ev -__ZN8Security6BundleD0Ev -__ZN8Security12MachPlusPlus10MachServer5Timer8unselectEv -__ZL10_XdecodeDbP17mach_msg_header_tS0_ -__Z20ucsp_server_decodeDbjj13audit_token_tPiPjPvjS2_jS2_j -__ZN7CopyOutC2EPvmPFiP9__rpc_xdrzEbP9cssm_data -_copyout -_sec_xdrmem_create -_sec_xdr_sizeof_out -_sec_xdr_arena_init_size_alloc -__Z25xdr_DLDbFlatIdentifierRefP9__rpc_xdrPPN8Security11DataWalkers18DLDbFlatIdentifierE -_sec_xdr_reference -_sec_xdr_arena_size_allocator -_sec_mem_alloc -__Z22xdr_DLDbFlatIdentifierP9__rpc_xdrPN8Security11DataWalkers18DLDbFlatIdentifierE -_sec_xdr_pointer -_sec_xdrmem_getlong_aligned -_xdr_CSSM_SUBSERVICE_UID -_sec_xdrmem_getbytes -_xdr_CSSM_VERSION -_sec_xdr_charp -_sec_xdr_bytes -_sec_xdr_arena_init 
-__ZN8Security14DLDbIdentifierC2ERK19cssm_subservice_uidPKcPK16cssm_net_address -__ZN8Security14DLDbIdentifier4ImplC2ERK19cssm_subservice_uidPKcPK16cssm_net_address -__ZN8Security6DbNameC1EPKcPK16cssm_net_address -__ZN8Security6DbNameC2EPKcPK16cssm_net_address -__Z8makeBlobIN8Security14SecurityServer6DbBlobEEPKT_RKNS0_8CssmDataEi -__ZN16KeychainDatabaseC1ERKN8Security14DLDbIdentifierEPKNS0_14SecurityServer6DbBlobER7ProcessPKNS0_17AccessCredentialsE -__ZN17SecurityServerAclC2Ev -__ZN8Security9ObjectAclC2ERNS_9AllocatorE -__ZN13LocalDatabaseC2ER7Process -__ZN8DatabaseC2ER7Process -__ZN8NodeCore8referentERS_ -__ZN16KeychainDatabase12validateBlobEPKN8Security14SecurityServer6DbBlobE -__ZNK8Security14SecurityServer10CommonBlob8validateEi -__ZN8Security11DataWalkers4copyINS_17AccessCredentialsEEEPT_PKS3_RNS_9AllocatorE -__ZNK8Security14SecurityServer6DbBlob4copyERNS_9AllocatorE -__ZN8Security9Allocator6mallocINS_14SecurityServer6DbBlobEEEPT_m -__ZNK8Database7processEv -__ZN8NodeCore9findFirstI16KeychainDbCommonRK12DbIdentifierEEN8Security10RefPointerIT_EEMS7_KFT0_vES9_ -__ZN8Security10RefPointerI16KeychainDbCommonE7releaseEv -__ZN16KeychainDbCommonC2ER7SessionRK12DbIdentifier -__ZN13LocalDbCommonC2ER7Session -__ZN8DbCommonC2ER7Session -__ZN18DatabaseCryptoCoreC2Ev -__ZN8NodeCore9findFirstI16KeychainDbGlobalRK12DbIdentifierEEN8Security10RefPointerIT_EEMS7_KFT0_vES9_ -__ZN8Security10RefPointerI16KeychainDbGlobalE7releaseEv -__ZN16KeychainDbGlobalC2ERK12DbIdentifier -__ZNK8DbCommon7sessionEv -__ZN8NodeCore12addReferenceERS_ -__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE16_M_insert_uniqueERKS3_ -__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE9_M_insertEPSt18_Rb_tree_node_baseSB_ -__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE14_M_create_nodeERKS3_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIN8Security10RefPointerI8NodeCoreEEEE8allocateEmPKv 
-__ZN8Security10RefPointerINS_14DLDbIdentifier4ImplEE7releaseEv -__ZN7CopyOutD1Ev -__ZN7CopyOutD2Ev -__ZL16_XauthenticateDbP17mach_msg_header_tS0_ -__Z26ucsp_server_authenticateDbjj13audit_token_tPijjPvj -_xdr_CSSM_ACCESS_CREDENTIALS_PTR -_xdr_CSSM_ACCESS_CREDENTIALS -_xdr_CSSM_BASE_CERTS -_xdr_CSSM_CERTGROUP -_sec_xdr_array -_xdr_CSSM_SAMPLE -_xdr_CSSM_LIST -_xdr_CSSM_LIST_ELEMENT -__ZN6Server8databaseEj -__ZN6Server4findI8DatabaseEEN8Security10RefPointerIT_EEji -__ZN8Security13MappingHandleIjE7findRefI8DatabaseEENS_10RefPointerIT_EEji -__ZN8Security13MappingHandleIjE5State6locateEji -__ZN16KeychainDatabase12authenticateEjPKN8Security17AccessCredentialsE -__ZN8Security11DataWalkers4sizeIPNS_17AccessCredentialsEEEmT_ -__ZN8Security11DataWalkers14enumerateArrayINS0_10SizeWalkerENS_11SampleGroupENS_10CssmSampleEEEvRT_RT0_MS7_FRPT1_vE -__ZN8Security11SampleGroup7samplesEv -__ZN8Security11DataWalkers4walkINS0_10SizeWalkerEEEPNS_11ListElementERT_RS4_ -__ZN8Security11DataWalkers4copyINS_17AccessCredentialsEEEPT_PKS3_RNS_9AllocatorEm -__ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEPNS_17AccessCredentialsERT_RS4_ -__ZN8Security11DataWalkers14enumerateArrayINS0_10CopyWalkerENS_11SampleGroupENS_10CssmSampleEEEvRT_RT0_MS7_FRPT1_vE -__ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEvRT_RNS_10CssmSampleE -__ZN8Security11DataWalkers9enumerateINS0_10CopyWalkerEEEvRT_RNS_8CssmListE -__ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEPNS_11ListElementERT_RS4_ -__ZN8Security11ListElement4lastEv -__ZN8Security10RefPointerI8DatabaseE7releaseEv -__ZL11_XdecodeKeyP17mach_msg_header_tS0_ -__Z21ucsp_server_decodeKeyjj13audit_token_tPiPjPPvS1_jS2_j -__ZN6Server8keychainEj -__ZN6Server4findI16KeychainDatabaseEEN8Security10RefPointerIT_EEji -__ZN8Security13MappingHandleIjE7findRefI16KeychainDatabaseEENS_10RefPointerIT_EEji -__Z8makeBlobIN8Security14SecurityServer7KeyBlobEEPKT_RKNS0_8CssmDataEi -__ZN11KeychainKeyC1ER8DatabasePKN8Security14SecurityServer7KeyBlobE 
-__ZN11KeychainKeyC2ER8DatabasePKN8Security14SecurityServer7KeyBlobE -__ZN8LocalKeyC2ER8Databasej -__ZN3KeyC2ER8Database -__ZN8Database10SubsidiaryC2ERS_ -__ZNK8Security14SecurityServer7KeyBlob4copyERNS_9AllocatorE -__ZN8Security9Allocator6mallocINS_14SecurityServer7KeyBlobEEEPT_m -__ZN8Security10RefPointerI16KeychainDatabaseE7releaseEv -__ZN8LocalKey9returnKeyERjRN8Security7CssmKey6HeaderE -__ZN11KeychainKey9getHeaderERN8Security7CssmKey6HeaderE -__ZN8Security4n2hiERNS_7CssmKey6HeaderE -_copyin -_sec_xdr_sizeof_in -_xdr_CSSM_KEYHEADER -_sec_x_putlong -_sec_x_putbytes -_sec_xdrmem_putlong_aligned -_sec_xdrmem_putbytes -__ZN6Server15releaseWhenDoneEPv -__ZN6Server15releaseWhenDoneERN8Security9AllocatorEPv -__ZN8Security12MachPlusPlus10MachServer15releaseWhenDoneERNS_9AllocatorEPv -__ZNSt8_Rb_treeIN8Security12MachPlusPlus10MachServer10AllocationES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE16_M_insert_uniqueERKS -__ZNSt8_Rb_treeIN8Security12MachPlusPlus10MachServer10AllocationES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE9_M_insertEPSt18_Rb_tr -__ZNSt8_Rb_treeIN8Security12MachPlusPlus10MachServer10AllocationES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE14_M_create_nodeERKS3_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIN8Security12MachPlusPlus10MachServer10AllocationEEE8allocateEmPKv -__ZN8Security10RefPointerI3KeyE7releaseEv -__ZL9_XdecryptP17mach_msg_header_tS0_ -__Z19ucsp_server_decryptjj13audit_token_tPiPvjjS1_jPS1_Pj -_xdr_CSSM_CONTEXT_PTR -_xdr_CSSM_CONTEXT -_xdr_CSSM_CONTEXT_ATTRIBUTE -_xdr_CSSM_KEY -_xdr_CSSM_DATA -__ZN6Server3keyEj -__ZN8Security13MappingHandleIjE7findRefI3KeyEENS_10RefPointerIT_EEji -__ZN13LocalDatabase7decryptERKN8Security7ContextER3KeyRKNS0_8CssmDataERS6_ -__ZN8LocalKey7cssmKeyEv -__ZN8LocalKey8keyValueEv -__ZN11KeychainKey6getKeyEv -__ZN11KeychainKey6decodeEv -__ZN16KeychainDatabase9decodeKeyEPN8Security14SecurityServer7KeyBlobERNS0_7CssmKeyERPvS7_ -__ZN8Security14SecurityServer7KeyBlob11isClearTextEv -__ZN16KeychainDatabase8unlockDbEv 
-__ZN16KeychainDatabase12makeUnlockedEPKN8Security17AccessCredentialsE -__ZN16KeychainDatabase8isLockedEv -__ZN16KeychainDatabase19establishOldSecretsEPKN8Security17AccessCredentialsE -__ZNK16KeychainDbCommon15belongsToSystemEv -__ZN17SystemKeychainKeyC1EPKc -__ZN17SystemKeychainKeyC2EPKc -__ZN17SystemKeychainKey7matchesERKN8Security14SecurityServer6DbBlob9SignatureE -__ZN17SystemKeychainKey6updateEv -__ZNK8Security14SecurityServer10CommonBlob7isValidEv -__ZN8Security4Time8AbsoluteC1ERK8timespec -__ZN8Security10CssmClient3KeyC2ERKNS0_3CSPERK8cssm_keyb -__ZN8Security10CssmClient7KeyImplC1ERKNS0_3CSPERK8cssm_keyb -__ZN8Security7CssmKeyC2ERK8cssm_key -__ZN8Security12CssmAutoDataC2INS_8CssmDataEEERNS_9AllocatorERKT_ -__ZN8Security13CssmOwnedData4copyIvEEvPKT_m -__ZN8Security12CssmAutoData5resetEv -__ZN8Security7destroyEPvRNS_9AllocatorE -__ZN8Security12CssmAutoData7releaseEv -__ZN8Security12CssmAutoDataD2Ev -__ZN8Security13CssmOwnedDataD2Ev -__ZN8Security15CssmManagedDataD2Ev -__ZN18DatabaseCryptoCore5setupEPKN8Security14SecurityServer6DbBlobENS0_10CssmClient3KeyE -__ZNK8Security10CssmClient6Object4implINS0_7KeyImplEEERT_v -__ZN8Security10RefPointerINS_10CssmClient10ObjectImplEE10setPointerEPS2_ -__ZN16KeychainDatabase6decodeEv -__ZN16KeychainDbCommon8unlockDbEPN8Security14SecurityServer6DbBlobEPPv -__ZN18DatabaseCryptoCore10decodeCoreEPKN8Security14SecurityServer6DbBlobEPPv -__ZN8Security10CssmClient7DecryptC1ERKNS0_3CSPEj -__ZN8Security10CssmClient5CryptC2ERKNS0_3CSPEj -__ZN8Security10CssmClient7ContextC2ERKNS0_3CSPEj -__ZN8Security10CssmClient7Context3setEjj -__ZN8Security10CssmClient5Crypt3keyERKNS0_3KeyE -__ZN8Security10CssmClient7Context3setINS_7CssmKeyEEEvjRKT_ -__ZN8Security10CssmClient7Context3setINS_8CssmDataEEEvjRKT_ -__ZN8Security10CssmClient7Decrypt7decryptEPKNS_8CssmDataEjPS2_jRS2_ -__ZN8Security10CssmClient7Context8unstagedEv -__ZN8Security10CssmClient5Crypt8activateEv -__ZN8Security10CssmClient10ObjectImpl5checkEi 
-__ZN18DatabaseCryptoCore10makeRawKeyEPvmjj -__ZN8Security10CssmClient9UnwrapKeyC1ERKNS0_3CSPEj -__ZN8Security10CssmClient9RccBearerC2Ev -__ZN8Security10CssmClient9UnwrapKeyclERKNS_7CssmKeyERKNS0_7KeySpecERS2_PNS_8CssmDataEPS3_ -__ZNK8Security10CssmClient9RccBearer12compositeRccEv -__ZN8Security10CssmClient9UnwrapKeyD1Ev -__ZN8Security10CssmClient5CryptD2Ev -__ZN8Security10CssmClient7ContextD2Ev -__ZN8Security10CssmClient7Context10deactivateEv -__ZN8Security10CssmClient10ObjectImplD2Ev -__ZN8Security10CssmClient9VerifyMacC1ERKNS0_3CSPEj -__ZN8Security10CssmClient10MacContextC2ERKNS0_3CSPEj -__ZN8Security10CssmClient10MacContext3keyERKNS0_3KeyE -__ZN8Security10CssmClient7Context3setINS0_3KeyEEEvjRKT_ -__ZN8Security10CssmClient9VerifyMac6verifyEPKNS_8CssmDataEjRS3_ -__ZN8Security10CssmClient10MacContext8activateEv -__ZN8Security10CssmClient9VerifyMacD1Ev -__ZN8Security10CssmClient10MacContextD2Ev -__ZN8Security10CssmClient7DecryptD1Ev -__ZN16KeychainDbCommon11setUnlockedEv -__ZN16KeychainDbCommon8activityEv -__ZN8DbCommon6notifyEjRKN8Security14DLDbIdentifierE -__ZN8Security19NameValueDictionaryC1Ev -__ZN8Security19NameValueDictionary41MakeNameValueDictionaryFromDLDbIdentifierERKNS_14DLDbIdentifierERS0_ -__ZN8Security13NameValuePair9CloneDataERKNS_8CssmDataE -__ZNSt6vectorIPN8Security13NameValuePairESaIS2_EE9push_backERKS2_ -__ZNSt6vectorIPN8Security13NameValuePairESaIS2_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS2_S4_EERKS2_ -__ZN9__gnu_cxx13new_allocatorIPN8Security13NameValuePairEE8allocateEmPKv -__ZN8Security19NameValueDictionary6ExportERNS_8CssmDataE -__ZNK8Security13NameValuePair6ExportERNS_8CssmDataE -__ZN8Listener6notifyEjjRKN8Security8CssmDataE -__ZN8Listener12NotificationC2EjjjRKN8Security8CssmDataE -__ZN8Listener16sendNotificationEPNS_12NotificationE -__ZN20SharedMemoryListener8notifyMeEPN8Listener12NotificationE -__ZNK8Security13CssmOwnedData3getEv -__ZN18SharedMemoryServer12WriteMessageEjjPKvj -_CalculateCRC 
-__ZN18SharedMemoryServer11WriteOffsetEj -__ZN18SharedMemoryServer9WriteDataEPKvj -__ZN8Security10RefPointerIN8Listener12NotificationEE7releaseEv -__ZN8Listener12NotificationD0Ev -__ZN8Security19NameValueDictionaryD1Ev -__ZN8Security19NameValueDictionaryD2Ev -__ZNSt6vectorIPN8Security13NameValuePairESaIS2_EE5eraseEN9__gnu_cxx17__normal_iteratorIPS2_S4_EE -__ZNSt6vectorIPN8Security13NameValuePairESaIS2_EED2Ev -__ZNSt12_Vector_baseIPN8Security13NameValuePairESaIS2_EED2Ev -__ZN16KeychainDatabase3aclEv -__ZN8Security9ObjectAcl10importBlobEPKvS2_ -__ZN8Security9ObjectAcl5Entry10importBlobERNS_23LowLevelMemoryUtilities6ReaderES4_ -__ZN8Security9ObjectAcl13importSubjectERNS_23LowLevelMemoryUtilities6ReaderES3_ -__ZN8Security9ObjectAcl4makeEjRNS_23LowLevelMemoryUtilities6ReaderES3_ -__ZN8Security9ObjectAcl8makerForEi -__ZNK8Security13AnyAclSubject5Maker4makeEhRNS_23LowLevelMemoryUtilities6ReaderES4_ -__ZN8Security10AclSubjectC2Ejh -__ZN8Security10RefPointerINS_10AclSubjectEE10setPointerEPS1_ -__ZN8Security10RefPointerINS_10AclSubjectEE7releaseEv -__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE8_M_eraseEPSt13_Rb_tree_nodeI -__ZN8Security9ObjectAcl8AclEntryC2Ev -__ZN8Security9ObjectAcl8AclEntry10importBlobERNS_23LowLevelMemoryUtilities6ReaderES4_ -__ZN8Security23LowLevelMemoryUtilities6ReaderclERPKc -__ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEE5eraseESt23_Rb_tree_const_iteratorIiES7_ -__ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEE8_M_eraseEPSt13_Rb_tree_nodeIiE -__ZN8Security9ObjectAcl3addERKSsRKNS0_8AclEntryE -__ZN8Security9ObjectAcl8AclEntryC2ERKS1_ -__ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEEC2ERKS5_ -__ZN8Security9ObjectAcl3addERKSsNS0_8AclEntryEl -__ZNSt4pairISsN8Security9ObjectAcl8AclEntryEEC2ERKSsRKS2_ -__ZNSt4pairIKSsN8Security9ObjectAcl8AclEntryEEC2ISsS3_EERKS_IT_T0_E -__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE15_M_insert_equalERKS5_ 
-__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE9_M_insertEPSt18_Rb_tree_node -__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE14_M_create_nodeERKS5_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKSsN8Security9ObjectAcl8AclEntryEEEE8allocateEmPKv -__ZNSt4pairIKSsN8Security9ObjectAcl8AclEntryEEC2ERKS4_ -__ZNSt4pairIKSsN8Security9ObjectAcl8AclEntryEED2Ev -__ZN8Security9ObjectAcl8AclEntryD2Ev -__ZN8Security9ObjectAcl5EntryD2Ev -__ZNSt4pairISsN8Security9ObjectAcl8AclEntryEED2Ev -__ZN17SystemKeychainKeyD1Ev -__ZNK18DatabaseCryptoCore13decodeKeyCoreEPN8Security14SecurityServer7KeyBlobERNS0_7CssmKeyERPvS7_ -__ZN8Security4h2niERNS_7CssmKey6HeaderE -__ZN8Security10CssmClient7Context3addEjj -__ZN8Security10CssmClient9UnwrapKeyclERKNS_7CssmKeyERKNS0_7KeySpecERS2_PNS_8CssmDataE -__ZN11KeychainKey3aclEv -__ZNK8Security17ProcessAclSubject5Maker4makeEhRNS_23LowLevelMemoryUtilities6ReaderES4_ -__ZNK8Security7Context7replaceINS_7CssmKeyEEEvjRKT_ -__ZN8Security7Context4findEjPK22cssm_context_attributej -__ZN9AclSource8validateEiRKN8Security7ContextE -__ZThn160_N11KeychainKey15relatedDatabaseEv -__ZN11KeychainKey15relatedDatabaseEv -__ZThn160_N11KeychainKey3aclEv -__ZN17SecurityServerAcl8validateEiRKN8Security7ContextEP8Database -__ZThn232_N11KeychainKey8validateEiPKN8Security17AccessCredentialsEP8Database -__ZN11KeychainKey8validateEiPKN8Security17AccessCredentialsEP8Database -__ZN17SecurityServerAcl8validateEiPKN8Security17AccessCredentialsEP8Database -__ZN25SecurityServerEnvironmentC1ER17SecurityServerAclP8Database -__ZN6Server7processEv -__ZN8Security9ObjectAcl8validateEiPKNS_17AccessCredentialsEPNS_24AclValidationEnvironmentE -__ZN8Security9ObjectAcl9validatesEiPKNS_17AccessCredentialsEPNS_24AclValidationEnvironmentE -__ZN8Security9ObjectAcl9validatesERNS_20AclValidationContextE -__ZThn232_N11KeychainKey14instantiateAclEv -__ZN11KeychainKey14instantiateAclEv 
-__ZNK8Security20AclValidationContext9s_credTagEv -__ZNK8Security20AclValidationContext7credTagEv -__ZNK8Security9ObjectAcl8getRangeERKSsRSt4pairISt23_Rb_tree_const_iteratorIS3_IS1_NS0_8AclEntryEEES7_E -__ZNK8Security9ObjectAcl8AclEntry10authorizesEi -__ZN8Security20AclValidationContext4initEPNS_9ObjectAclEPNS_10AclSubjectE -__ZN8Security20AclValidationContext8entryTagERKSs -__ZNK8Security17ProcessAclSubject8validateERKNS_20AclValidationContextE -__ZNK25SecurityServerEnvironment6getuidEv -__ZN21BaseValidationContextD2Ev -__ZN8Security20AclValidationContextD2Ev -__ZN25SecurityServerEnvironmentD1Ev -__ZN8Security20PreAuthorizationAcls11EnvironmentD2Ev -__ZN8Security18PromptedAclSubject11EnvironmentD2Ev -__ZN8Security16SecretAclSubject11EnvironmentD2Ev -__ZN8Security23CodeSignatureAclSubject11EnvironmentD2Ev -__ZN8Security17ProcessAclSubject11EnvironmentD2Ev -__ZN8Security24AclValidationEnvironmentD2Ev -__ZNK16KeychainDatabase8activityEv -__ZNK16KeychainDatabase6commonEv -__ZN8Security10CssmClient7Context8overrideERKNS_7ContextE -__ZL12_XreleaseKeyP17mach_msg_header_tS0_ -__Z22ucsp_server_releaseKeyjj13audit_token_tPij -__ZN8Database10releaseKeyER3Key -__ZN8NodeCore4killERS_ -__ZN8NodeCore4killEv -__ZN8NodeCore15clearReferencesEv -__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE8_M_eraseEPSt13_Rb_tree_nodeIS3_E -__ZN8NodeCore15removeReferenceERS_ -__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE5eraseERKS3_ -__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE11equal_rangeERKS3_ -__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE5eraseESt17_Rb_tree_iteratorIS3_ESB_ -__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE15_M_destroy_nodeEPSt13_Rb_tree_nodeI -__ZN11KeychainKeyD0Ev -__ZN17SecurityServerAclD2Ev -__ZN8Security9ObjectAclD2Ev 
-__ZN8Security9ObjectAcl10OwnerEntryD2Ev -__ZN8Security17ProcessAclSubjectD0Ev -__ZN8Security10AclSubjectD2Ev -__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE15_M_destroy_nodeEPSt13_Rb_tr -__ZN8LocalKeyD2Ev -__ZN8Security10CssmClient7KeyImplD0Ev -__ZN8Security10CssmClient7KeyImpl10deactivateEv -__ZN8Security10CssmClient9AclBearerD2Ev -__ZN3KeyD2Ev -__ZN9AclSourceD2Ev -__ZN8Database10SubsidiaryD2Ev -__ZN10PerProcessD2Ev -__ZN4NodeI10PerProcess10PerSessionED2Ev -__ZN8NodeCoreD2Ev -__ZN8Security13MappingHandleIjED2Ev -__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE5eraseE -__ZL18_XpostNotificationP17mach_msg_header_tS0_ -__Z28ucsp_server_postNotificationjj13audit_token_tPijjPvjj -__ZN8Listener6notifyEjjjRKN8Security8CssmDataE -__ZN8Listener12JitterBuffer10inSequenceEPNS_12NotificationE -__ZN8Listener12JitterBuffer15popNotificationEv -__ZThn88_N20SharedMemoryListener6actionEv -__ZN20SharedMemoryListener6actionEv -__ZL21_XauthorizationCreateP17mach_msg_header_tS0_ -__Z31ucsp_server_authorizationCreatejj13audit_token_tPiPvjjS1_jPN8Security14SecurityServer17AuthorizationBlobE __ZN13Authorization11AuthItemSetC1EPK20AuthorizationItemSet __ZN13Authorization11AuthItemSetC2EPK20AuthorizationItemSet +__ZNK7Process7sessionEv __ZN7Session10authCreateERKN13Authorization11AuthItemSetES3_jRN8Security14SecurityServer17AuthorizationBlobERK13audit_token_t __ZN18AuthorizationTokenC1ER7SessionRKSt3setIN13Authorization10CredentialESt4lessIS4_ESaIS4_EERK13audit_token_tb __ZN18AuthorizationTokenC2ER7SessionRKSt3setIN13Authorization10CredentialESt4lessIS4_ESaIS4_EERK13audit_token_tb __ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EEC2ERKS7_ +__ZN6Server7processEv +__ZN6Server10connectionEb +__ZN10Connection9checkWorkEv __ZN13Authorization11AuthItemSetC1Ev __ZNK20ClientIdentification12currentGuestEv __ZNK20ClientIdentification7currentEv 
+__ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE4findERS1_ __ZN8Security12MachPlusPlus10MachServer16longTermActivityEv __ZN8Security5CFRefIP9__SecCodeEaSERKS3_ __ZNSt3mapIjN20ClientIdentification10GuestStateESt4lessIjESaISt4pairIKjS1_EEEixERS5_ 
@@ -664,300 +138,185 @@ __ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS __ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE16_M_insert_uniqueERKS4_ __ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE9_M_insertEPSt18_Rb_tree_n __ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE14_M_create_nodeERKS4_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKjN20ClientIdentification10GuestStateEEEE8allocateEmPKv -__ZNSt3mapIN8Security14SecurityServer17AuthorizationBlobENS0_10RefPointerI18AuthorizationTokenEESt4lessIS2_ESaISt4pairIKS2_S5_E -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKN8Security14SecurityServer17AuthorizationBlobENS3_10RefPointerI18Autho -__ZN8Security10RefPointerI18AuthorizationTokenE7releaseEv -__ZN8Security10RefPointerI18AuthorizationTokenE10setPointerEPS1_ -__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EEaSERKS7_ -__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE8_M_eraseEPSt13_Rb_tree_nodeIS1_E -__ZN13Authorization6Engine9authorizeERKNS_11AuthItemSetES3_jPKSt3setINS_10CredentialESt4lessIS5_ESaIS5_EEPS9_RS1_R18Authorizati -__ZN13Authorization20AuthorizationDBPlist4syncEd -__ZN13Authorization20AuthorizationDBPlist4loadEv -__ZN13Authorization20AuthorizationDBPlist11parseConfigEPK14__CFDictionary -__ZN8Security5CFRefIP14__CFDictionaryEaSES2_ -__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE8_M_eraseEPSt13_Rb_tree_nodeIS4_E -__ZN13Authorization20AuthorizationDBPlist9parseRuleEPKvS2_Pv -__ZN13Authorization20AuthorizationDBPlist8addRightEPK10__CFStringPK14__CFDictionary -__ZN8Security8cfStringEPK10__CFStringb -__ZN13Authorization4RuleC1ERKSsPK14__CFDictionaryS5_ -__ZN13Authorization4RuleC2ERKSsPK14__CFDictionaryS5_ 
-__ZN13Authorization8RuleImplC2ERKSsPK14__CFDictionaryS5_ -__ZN13Authorization8RuleImpl9Attribute9getStringEPK14__CFDictionaryPK10__CFStringbPKc -__ZN13Authorization8RuleImpl9Attribute9getDoubleEPK14__CFDictionaryPK10__CFStringbd -__ZN13Authorization8RuleImpl9Attribute7getBoolEPK14__CFDictionaryPK10__CFStringbb -__ZN13Authorization8RuleImpl9Attribute9getVectorEPK14__CFDictionaryPK10__CFStringb -__ZNSt6vectorISsSaISsEEaSERKS1_ -__ZNSt6__copyILb0ESt26random_access_iterator_tagE4copyIPKSsPSsEET0_T_S7_S6_ -__ZNSt6vectorISsSaISsEE20_M_allocate_and_copyIN9__gnu_cxx17__normal_iteratorIPKSsS1_EEEEPSsmT_S9_ -__ZSt24__uninitialized_copy_auxIN9__gnu_cxx17__normal_iteratorIPKSsSt6vectorISsSaISsEEEEPSsET0_T_SA_S9_St12__false_type -__ZN13Authorization8RuleImpl9Attribute19getLocalizedPromptsEPK14__CFDictionaryRSt3mapISsSsSt4lessISsESaISt4pairIKSsSsEEE -__ZNSt6vectorIN13Authorization4RuleESaIS1_EE9push_backERKS1_ -__ZNSt6vectorIN13Authorization4RuleESaIS1_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS1_S3_EERKS1_ -__ZN9__gnu_cxx13new_allocatorIN13Authorization4RuleEE8allocateEmPKv -__ZSt24__uninitialized_copy_auxIPN13Authorization4RuleES2_ET0_T_S4_S3_St12__false_type -__ZN8Security10RefPointerIN13Authorization8RuleImplEE7releaseEv -__ZNSt3mapISsN13Authorization4RuleESt4lessISsESaISt4pairIKSsS1_EEEixERS5_ -__ZN13Authorization4RuleC1Ev -__ZN13Authorization4RuleC2Ev -__ZN13Authorization8RuleImplC2Ev -__ZNSt4pairIKSsN13Authorization4RuleEEC2ERS0_RKS2_ -__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE16_M_insert_uniqueESt17_Rb_tree_itera -__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE16_M_insert_uniqueERKS4_ -__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE9_M_insertEPSt18_Rb_tree_node_baseSC_ -__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE14_M_create_nodeERKS4_ 
-__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKSsN13Authorization4RuleEEEE8allocateEmPKv -__ZNSt4pairIKSsN13Authorization4RuleEEC2ERKS3_ -__ZNSt4pairIKSsN13Authorization4RuleEED2Ev -__ZN8Security10RefPointerIN13Authorization8RuleImplEE10setPointerEPS2_ -__ZN13Authorization8RuleImplD2Ev -__ZNSt8_Rb_treeISsSt4pairIKSsSsESt10_Select1stIS2_ESt4lessISsESaIS2_EE8_M_eraseEPSt13_Rb_tree_nodeIS2_E -__ZNSt6vectorIN13Authorization4RuleESaIS1_EED2Ev -__ZNSt12_Vector_baseIN13Authorization4RuleESaIS1_EED2Ev -__ZN8Security5CFRefIPK14__CFDictionaryEaSES3_ -__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EEC2ERKS7_ -__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLoggerC1ERKNS0_10AuditTokenEs -__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLoggerC2ERKNS0_10AuditTokenEs -__ZN8Security14CommonCriteria9Securityd11AuditLogger13setClientInfoERKNS0_10AuditTokenE -__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE4swapERS7_ -__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLoggerD2Ev -__ZN8Security14CommonCriteria9Securityd11RightLoggerD2Ev -__ZN8Security14CommonCriteria9Securityd11AuditLoggerD2Ev -__ZN8Security14CommonCriteria9Securityd11AuditLogger5closeEb -__ZN13Authorization11AuthItemSetD1Ev -__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE8_M_eraseEPSt13_Rb_tree_nodeIS1_E -__ZN7Process16addAuthorizationEP18AuthorizationToken -__ZNSt8_Rb_treeIP18AuthorizationTokenS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE9_M_insertEPSt18_Rb_tree_node_baseS9_RKS1_ -__ZNSt8_Rb_treeIP18AuthorizationTokenS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE14_M_create_nodeERKS1_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIP18AuthorizationTokenEE8allocateEmPKv -__ZN18AuthorizationToken10addProcessER7Process -__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueERKS1_ 
-__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE9_M_insertEPSt18_Rb_tree_node_baseS9_RKS1_ -__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE14_M_create_nodeERKS1_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIP7ProcessEE8allocateEmPKv -__ZL20_XauthorizationdbGetP17mach_msg_header_tS0_ -__Z30ucsp_server_authorizationdbGetjj13audit_token_tPiPKcPPvPj -__ZN7Session18authorizationdbGetEPKcPPK14__CFDictionary -__ZN13Authorization6Engine7getRuleERSsPPK14__CFDictionary -__ZN13Authorization20AuthorizationDBPlist17getRuleDefinitionERSs -__ZL20_XauthorizationdbSetP17mach_msg_header_tS0_ -__Z30ucsp_server_authorizationdbSetjj13audit_token_tPiN8Security14SecurityServer17AuthorizationBlobEPKcPvj -__ZN7Session18authorizationdbSetERKN8Security14SecurityServer17AuthorizationBlobEPKcPK14__CFDictionary -__ZN7Session13authorizationERKN8Security14SecurityServer17AuthorizationBlobE -__ZN18AuthorizationToken4findERKN8Security14SecurityServer17AuthorizationBlobE -__ZN7Process18checkAuthorizationEP18AuthorizationToken -__ZNK18AuthorizationToken14effectiveCredsEv -__ZN13Authorization6Engine7setRuleEPKcPK14__CFDictionaryPKSt3setINS_10CredentialESt4lessIS7_ESaIS7_EEPSB_R18AuthorizationToken -__ZNK13Authorization20AuthorizationDBPlist12validateRuleESsPK14__CFDictionary -__ZN13Authorization6Engine18verifyModificationESsbPKSt3setINS_10CredentialESt4lessIS2_ESaIS2_EEPS6_R18AuthorizationToken -__ZNK13Authorization20AuthorizationDBPlist9existRuleERSs -__ZN13Authorization11AuthItemRefC1EPKc -__ZN13Authorization11AuthItemRefC2EPKc -__ZNK13Authorization20AuthorizationDBPlist7getRuleERKNS_11AuthItemRefE -__ZNKSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE4findERS1_ -__ZN8Security10RefPointerIN13Authorization8AuthItemEE7releaseEv -__ZN13Authorization8AuthItemD1Ev -__ZN13Authorization8AuthItemD2Ev -__ZStplIcSt11char_traitsIcESaIcEESbIT_T0_T1_ERKS6_S8_ 
-__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueERKS1_ -__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE9_M_insertEPSt18_Rb_tree_node_baseS9_RKS1 -__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE14_M_create_nodeERKS1_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIN13Authorization11AuthItemRefEEE8allocateEmPKv -__ZNK13Authorization8RuleImpl8evaluateERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEjdPKSt3setINS_10CredentialESt4lessISA_ES -__ZNK13Authorization8RuleImpl13evaluateRulesERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEjdPKSt3setINS_10CredentialESt4less -__ZNK13Authorization8RuleImpl12evaluateUserERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEjdPKSt3setINS_10CredentialESt4lessI -__ZN8Security14CommonCriteria9Securityd11RightLogger8setRightEPKc -__ZN8Security14CommonCriteria9Securityd11RightLogger8setRightERKSs -__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLogger22logAuthorizationResultEPKcS4_i -__ZN8Security14CommonCriteria9Securityd11AuditLogger4openEv -__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLogger11writeCommonEv -__ZN8Security14CommonCriteria9Securityd11AuditLogger12writeSubjectEv -__ZN8Security14CommonCriteria9Securityd11AuditLogger10writeTokenEP8au_tokenPKc -__ZN8Security14CommonCriteria9Securityd11AuditLogger11writeReturnEci -__ZN8Security6Syslog4infoEPKcz -__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE15_M_destroy_nodeEPSt13_Rb_tree_nodeIS1_E -__ZN13Authorization20AuthorizationDBPlist7setRuleEPKcPK14__CFDictionary -__ZN13Authorization20AuthorizationDBPlist4saveEv -__ZStplIcSt11char_traitsIcESaIcEESbIT_T0_T1_ERKS6_PKS3_ -__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE15_M_destroy_nodeEPSt13_Rb_tree_nodeI -__ZN7Session16mergeCredentialsERSt3setIN13Authorization10CredentialESt4lessIS2_ESaIS2_EE 
-__ZN18AuthorizationToken16mergeCredentialsERKSt3setIN13Authorization10CredentialESt4lessIS2_ESaIS2_EE -__ZL22_XauthorizationReleaseP17mach_msg_header_tS0_ -__Z32ucsp_server_authorizationReleasejj13audit_token_tPiN8Security14SecurityServer17AuthorizationBlobEj -__ZN7Session8authFreeERKN8Security14SecurityServer17AuthorizationBlobEj -__ZN18AuthorizationToken7DeleterC1ERKN8Security14SecurityServer17AuthorizationBlobE -__ZN18AuthorizationToken7DeleterC2ERKN8Security14SecurityServer17AuthorizationBlobE -__ZN7Process19removeAuthorizationEP18AuthorizationToken -__ZNSt8_Rb_treeIP18AuthorizationTokenS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseESt23_Rb_tree_const_iteratorIS1_E -__ZN18AuthorizationToken10endProcessER7Process -__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseERKS1_ -__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseESt17_Rb_tree_iteratorIS1_ES9_ -__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE8_M_eraseEPSt13_Rb_tree_nodeIS1_E -__ZN18AuthorizationToken7Deleter6removeEv +__ZN8NodeCore8referentERS_ +__ZN8Security18DevRandomGenerator6randomEPvm +__ZN8Security11ModuleNexusINS_18DevRandomGenerator8ReadonlyEEclEv +__ZN8Security12UnixPlusPlus8FileDesc4readEPvm +__ZNSt3mapIN8Security14SecurityServer17AuthorizationBlobENS0_10RefPointerI18AuthorizationTokenEESt4lessIS2_ESaISt4pairIKS2_S5_E __ZNSt8_Rb_treeIN8Security14SecurityServer17AuthorizationBlobESt4pairIKS2_NS0_10RefPointerI18AuthorizationTokenEEESt10_Select1s -__ZN18AuthorizationTokenD0Ev -__ZN10PerSessionD2Ev -__ZN4NodeI10PerSession9PerGlobalED2Ev -_cdsa_notify_server -__Xmach_notify_dead_name -_cdsa_mach_notify_dead_name -__ZThn144_N6Server14notifyDeadNameEN8Security12MachPlusPlus4PortE -__ZN6Server14notifyDeadNameEN8Security12MachPlusPlus4PortE -__ZN10Connection5abortEb -__ZN8Security12MachPlusPlus4Port7destroyEv -__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI10ConnectionEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_ 
-__ZN10ConnectionD0Ev -__ZNSt8_Rb_treeIjSt4pairIKjN8Security10RefPointerIN8Listener12NotificationEEEESt10_Select1stIS7_ESt4lessIjESaIS7_EE8_M_eraseEPS -__ZN13PerConnectionD2Ev -__ZN4NodeI13PerConnection10PerProcessED2Ev -__ZN7Process4killEv -__ZN8Security10RefPointerI13LocalDatabaseE10setPointerEPS1_ -__ZN8Security10RefPointerI13LocalDatabaseE7releaseEv -__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE5eraseERS1_ -__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE5eraseESt17_Rb_tree_iteratorIS4_ESC_ -__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE5eraseESt17_Rb_tree_iteratorIS4_E -__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7ProcessEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE5e -__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7ProcessEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE15 -__ZN7ProcessD0Ev -__ZNSt8_Rb_treeIP18AuthorizationTokenS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE8_M_eraseEPSt13_Rb_tree_nodeIS1_E -__ZN20ClientIdentificationD2Ev -__ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE15_M_destroy_nodeEPSt13_Rb -__ZN14CodeSignatures8IdentityD2Ev -__ZN15CodeSigningHostD2Ev -__ZN15CodeSigningHost5resetEv -__ZNSt8_Rb_treeIjSt4pairIKjN8Security10RefPointerIN15CodeSigningHost5GuestEEEESt10_Select1stIS7_ESt4lessIjESaIS7_EE8_M_eraseEPS -__ZN8Security12MachPlusPlus10MachServer7HandlerD2Ev -__ZNK16KeychainDbCommon10identifierEv -__ZNK12DbIdentifiereqERKS_ -__ZNK8Security14DLDbIdentifier4ImpleqERKS1_ -__ZNK8Security17CssmSubserviceUideqERK19cssm_subservice_uid -__ZNK8Security6DbNameeqERKS0_ -__ZNK8Security6DbNameltERKS0_ -__ZN8Security6DbNameD1Ev -__ZN8Security6DbNameD2Ev -__ZL17_XgetDbParametersP17mach_msg_header_tS0_ -__Z27ucsp_server_getDbParametersjj13audit_token_tPijPN8Security14SecurityServer12DBParametersE 
-__ZN16KeychainDatabase13getParametersERN8Security14SecurityServer12DBParametersE -__ZThn16_N16KeychainDatabaseD0Ev -__ZN16KeychainDatabaseD0Ev -__ZN13LocalDatabaseD2Ev -__ZN8DatabaseD2Ev -__ZN8Security13AnyAclSubjectD0Ev -__ZN8Security13MappingHandleIjE4findI7SessionEERT_ji -__ZN8Security13MappingHandleIjE5State4findEji -__ZL13_XsetupThreadP17mach_msg_header_tS0_ -__Z23ucsp_server_setupThreadjj13audit_token_tPij -__ZL10_XsetupNewP17mach_msg_header_tS0_ -__Z20ucsp_server_setupNewjj13audit_token_tPijN8Security14SecurityServer15ClientSetupInfoEPKcPj -__ZN14DynamicSessionC1EN8Security12MachPlusPlus8TaskPortE -__ZN14DynamicSessionC2EN8Security12MachPlusPlus8TaskPortE -__ZNK8Security12MachPlusPlus8TaskPort9bootstrapEv -__ZN8Security12MachPlusPlus4Port11insertRightEj -__ZNK8Security12MachPlusPlus9Bootstrap10registerAsEjPKc -__ZN8Security12MachPlusPlus10MachServer3addENS0_4PortE -__ZNK8Security12MachPlusPlus10MachServer14notifyIfUnusedENS0_4PortEb -__ZN7Process13changeSessionEN8Security12MachPlusPlus4PortE -__ZL14_XsetupSessionP17mach_msg_header_tS0_ -__Z24ucsp_server_setupSessionjj13audit_token_tPijj -__ZN14DynamicSession15setupAttributesEjj -__ZN14DynamicSession15checkOriginatorEv +__ZN9__gnu_cxx13new_allocatorISt4pairIKN8Security14SecurityServer17AuthorizationBlobENS2_10RefPointerI18AuthorizationTokenEEEE9 +__ZNSt4pairIKN8Security14SecurityServer17AuthorizationBlobENS0_10RefPointerI18AuthorizationTokenEEEC2ERKS7_ +__ZN8Security10RefPointerI18AuthorizationTokenE7releaseEv +__ZN8Security10RefPointerI18AuthorizationTokenE10setPointerEPS1_ +__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EEaSERKS7_ +__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE8_M_eraseEPSt13_Rb_tree_nodeIS1_E +__ZN13Authorization6Engine9authorizeERKNS_11AuthItemSetES3_jPKSt3setINS_10CredentialESt4lessIS5_ESaIS5_EEPS9_RS1_R18Authorizati +__ZN13Authorization20AuthorizationDBPlist4syncEd +__ZN13Authorization11AuthItemSetC1ERKS0_ 
+__ZN13Authorization11AuthItemSetC2ERKS0_ +__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EEC2ERKS7_ +__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLoggerC1ERKNS0_10AuditTokenEs +__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLoggerC2ERKNS0_10AuditTokenEs +__ZN8Security14CommonCriteria9Securityd11AuditLoggerC2ERKNS0_10AuditTokenEs +__ZN8Security14CommonCriteria9Securityd11RightLoggerC2Ev +__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE4swapERS7_ +__ZNSt6vectorIN13Authorization11AuthItemRefESaIS1_EED2Ev +__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLoggerD2Ev +__ZN8Security14CommonCriteria9Securityd11AuditLoggerD2Ev +__ZN8Security14CommonCriteria9Securityd11AuditLogger5closeEb +__ZN13Authorization11AuthItemSetD1Ev +__ZN13Authorization11AuthItemSetD2Ev +__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EED2Ev +__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE8_M_eraseEPSt13_Rb_tree_nodeIS1_E +__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EED2Ev +__ZN7Process16addAuthorizationEP18AuthorizationToken +__ZNSt8_Rb_treeIP18AuthorizationTokenS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE15_M_insert_equalERKS1_ +__ZNSt8_Rb_treeIP18AuthorizationTokenS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE9_M_insertEPSt18_Rb_tree_node_baseS9_RKS1_ +__ZN18AuthorizationToken10addProcessER7Process +__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueERKS1_ +__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE9_M_insertEPSt18_Rb_tree_node_baseS9_RKS1_ +__ZN6Server15requestCompleteERi +__ZN10Connection7endWorkERi __ZL25_XauthorizationCopyRightsP17mach_msg_header_tS0_ __Z35ucsp_server_authorizationCopyRightsjj13audit_token_tPiN8Security14SecurityServer17AuthorizationBlobEPvjjS4_jPS4_Pj _copyout_AuthorizationItemSet +_copyout 
+_sec_xdrmem_create +_sec_xdr_sizeof_out +_sec_xdr_arena_init_size_alloc _xdr_AuthorizationItemSetPtr +_sec_xdr_reference +_sec_xdr_arena_size_allocator +_sec_mem_alloc _xdr_AuthorizationItemSet +_sec_xdr_array +_sec_xdrmem_getlong_aligned _xdr_AuthorizationItem +_sec_xdr_charp +_sec_xdr_bytes +_sec_xdrmem_getbytes +_sec_xdr_arena_init __ZN13Authorization11AuthItemRefC2ERK17AuthorizationItem __ZN13Authorization8AuthItemC2ERK17AuthorizationItem +__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueERKS1_ +__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE9_M_insertEPSt18_Rb_tree_node_baseS9_RKS1 +__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE14_M_create_nodeERKS1_ +__ZN9__gnu_cxx13new_allocatorIN13Authorization11AuthItemRefEE9constructEPS2_RKS2_ +__ZN8Security10RefPointerIN13Authorization8AuthItemEE7releaseEv __ZN7Session13authGetRightsERKN8Security14SecurityServer17AuthorizationBlobERKN13Authorization11AuthItemSetES8_jRS6_ +__ZN18AuthorizationToken4findERKN8Security14SecurityServer17AuthorizationBlobE +__ZN7Process18checkAuthorizationEP18AuthorizationToken +__ZNSt8_Rb_treeIP18AuthorizationTokenS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE4findERKS1_ __ZNK18AuthorizationToken7sessionEv __ZN7Session13authGetRightsER18AuthorizationTokenRKN13Authorization11AuthItemSetES5_jRS3_ +__ZNK18AuthorizationToken14effectiveCredsEv +__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE7_M_copyEPKSt13_Rb_tree_nodeIS1_EPS9_ +__ZNSt6vectorIN13Authorization11AuthItemRefESaIS1_EE6insertEN9__gnu_cxx17__normal_iteratorIPS1_S3_EERKS1_ +__ZNSt6vectorIN13Authorization11AuthItemRefESaIS1_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS1_S3_EERKS1_ +__ZNSt12_Vector_baseIN13Authorization11AuthItemRefESaIS1_EE11_M_allocateEm +__ZSt24__uninitialized_copy_auxIPN13Authorization11AuthItemRefES2_ET0_T_S4_S3_St12__false_type 
+__ZNK13Authorization20AuthorizationDBPlist7getRuleERKNS_11AuthItemRefE +__ZNKSt8_Rb_treeISsSt4pairIKSsN13Authorization4RuleEESt10_Select1stIS4_ESt4lessISsESaIS4_EE4findERS1_ +__ZN8Security8cfStringEPK7__CFURLb +__ZNK13Authorization8RuleImpl8evaluateERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEjdPKSt3setINS_10CredentialESt4lessISA_ES __ZNK13Authorization8RuleImpl21evaluateMechanismOnlyERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetER18AuthorizationTokenRSt3s __ZN13Authorization23AgentMechanismEvaluatorC1EjR7SessionRKSt6vectorISsSaISsEE __ZN13Authorization23AgentMechanismEvaluatorC2EjR7SessionRKSt6vectorISsSaISsEE __ZNSt6vectorISsSaISsEEC2ERKS1_ __ZNSt12_Vector_baseISsSaISsEEC2EmRKS0_ +__ZNSt12_Vector_baseISsSaISsEE11_M_allocateEm +__ZSt24__uninitialized_copy_auxIN9__gnu_cxx17__normal_iteratorIPKSsSt6vectorISsSaISsEEEEPSsET0_T_SA_S9_St12__false_type __ZN13Authorization12AuthValueRefC1EjPv __ZN13Authorization12AuthValueRefC2EjPv __ZN13Authorization9AuthValueC2EjPv __ZNSt6vectorIN13Authorization12AuthValueRefESaIS1_EE9push_backERKS1_ __ZNSt6vectorIN13Authorization12AuthValueRefESaIS1_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS1_S3_EERKS1_ -__ZN9__gnu_cxx13new_allocatorIN13Authorization12AuthValueRefEE8allocateEmPKv +__ZNSt12_Vector_baseIN13Authorization12AuthValueRefESaIS1_EE11_M_allocateEm __ZSt24__uninitialized_copy_auxIPN13Authorization12AuthValueRefES2_ET0_T_S4_S3_St12__false_type +__ZN9__gnu_cxx13new_allocatorIN13Authorization12AuthValueRefEE9constructEPS2_RKS2_ __ZNK13Authorization8RuleImpl13setAgentHintsERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetER18AuthorizationToken +__ZN13Authorization11AuthItemRefC1EPKc +__ZN13Authorization11AuthItemRefC2EPKc +__ZN13Authorization8AuthItemC1EPKc __ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseERKS1_ -__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE11equal_rangeERKS1_ 
+__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE11upper_boundERKS1_ +__ZNK13Authorization8AuthItemltERKS0_ +__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE11lower_boundERKS1_ __ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseESt17_Rb_tree_iteratorIS1_ES9_ +__ZN13Authorization8AuthItemD1Ev +__ZN13Authorization8AuthItemD2Ev __ZN13Authorization11AuthItemRefC1EPKc18AuthorizationValuej __ZN13Authorization11AuthItemRefC2EPKc18AuthorizationValuej __ZN13Authorization8AuthItemC2EPKc18AuthorizationValuej -__ZNK13Authorization8AuthItemltERKS0_ __Z8codePathPK9__SecCode __ZN13SecurityAgent6Client11clientHintsENS_13RequestorTypeERSsij __ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueISt23_Rb_tree_const_ite __ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueESt17_Rb_tree_iteratorI __ZNSt8_Rb_treeISsSt4pairIKSsSsESt10_Select1stIS2_ESt4lessISsESaIS2_EEC2ERKS8_ __ZNSt8_Rb_treeISsSt4pairIKSsSsESt10_Select1stIS2_ESt4lessISsESaIS2_EEaSERKS8_ +__ZNSt8_Rb_treeISsSt4pairIKSsSsESt10_Select1stIS2_ESt4lessISsESaIS2_EE8_M_eraseEPSt13_Rb_tree_nodeIS2_E +__ZNSt8_Rb_treeISsSt4pairIKSsSsESt10_Select1stIS2_ESt4lessISsESaIS2_EED2Ev +__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE15_M_destroy_nodeEPSt13_Rb_tree_nodeIS1_E __ZN13Authorization23AgentMechanismEvaluator3runERKNS_15AuthValueVectorERKNS_11AuthItemSetERK18AuthorizationToken __ZN8Security14CommonCriteria9Securityd14AuthMechLoggerC1ERKNS0_10AuditTokenEs __ZN8Security14CommonCriteria9Securityd14AuthMechLoggerC2ERKNS0_10AuditTokenEs -__ZNKSt6vectorIN13Authorization12AuthValueRefESaIS1_EE14_M_range_checkEm +__ZN8Security14CommonCriteria9Securityd11RightLogger8setRightERKSs __ZN18AuthorizationToken7infoSetEPKc +__ZN13Authorization11AuthItemSetaSERKS0_ 
__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EEaSERKS7_ -__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE7_M_copyEPKSt13_Rb_tree_nodeIS1_EPS9_ __ZN8Security14CommonCriteria9Securityd14AuthMechLogger19setCurrentMechanismEPKc __ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization17AgentMechanismRefEESt10_Select1stIS4_ESt4lessISsESaIS4_EE4findERS1_ __ZN13Authorization17AgentMechanismRefC2E12AuthHostTypeR7Session __ZN20QueryInvokeMechanismC1E12AuthHostTypeR7Session __ZN20QueryInvokeMechanismC2E12AuthHostTypeR7Session __ZN18SecurityAgentQueryC2E12AuthHostTypeR7Session +__ZN23SecurityAgentConnectionC2E12AuthHostTypeR7Session __ZN13SecurityAgent6ClientC2Ev __ZN8Security11ThreadNexusIN13SecurityAgent7ClientsEEclEv __ZN13SecurityAgent7ClientsC2Ev +__ZNK8Security15ThreadStoreSlotaSEPv +__ZN8Security11ModuleNexusINS_5MutexEEclEv +__ZN8Security11ModuleNexusISt3setIPvSt4lessIS2_ESaIS2_EEEclEv +__ZNSt8_Rb_treeIPvS0_St9_IdentityIS0_ESt4lessIS0_ESaIS0_EE16_M_insert_uniqueERKS0_ +__ZNSt8_Rb_treeIPvS0_St9_IdentityIS0_ESt4lessIS0_ESaIS0_EE9_M_insertEPSt18_Rb_tree_node_baseS8_RKS0_ __ZN13SecurityAgent7Clients6insertEPNS_6ClientE __ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE16_M_insert_uniqueERKS2_ __ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE9_M_insertEPSt18_Rb_tree_node_baseSA_RKS2_ -__ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE14_M_create_nodeERKS2_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIPN13SecurityAgent6ClientEEE8allocateEmPKv -__ZN23SecurityAgentConnectionC2E12AuthHostTypeR7Session __ZN7Session8authhostE12AuthHostTypeb __ZN16AuthHostInstanceC1ER7Session12AuthHostType __ZN16AuthHostInstanceC2ER7Session12AuthHostType __ZN11ServerChildC2Ev +__ZN8Security12UnixPlusPlus5ChildC2Ev __ZN8Security9ConditionC1ERNS_5MutexE __ZN8Security9ConditionC2ERNS_5MutexE +__ZN8NodeCore12addReferenceERS_ 
+__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE16_M_insert_uniqueERKS3_ +__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE9_M_insertEPSt18_Rb_tree_node_baseSB_ +__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE14_M_create_nodeERKS3_ +__ZN9__gnu_cxx13new_allocatorIN8Security10RefPointerI8NodeCoreEEE9constructEPS4_RKS4_ +__Z22initialize_agent_credsv __ZN20QueryInvokeMechanism10initializeERKSsS1_RKN13Authorization15AuthValueVectorEj __ZN18SecurityAgentQuery6createEPKcS1_j -__ZN18SecurityAgentQuery8activateEv __ZN23SecurityAgentConnection8activateEv -__ZN10Connection8useAgentEP32SecurityAgentConnectionInterface -__ZN16AuthHostInstance8activateEv -__ZN8Security12MachPlusPlus11StBootstrapC1ERKNS0_9BootstrapERKNS0_8TaskPortE -__ZN8Security12MachPlusPlus11StBootstrapC2ERKNS0_9BootstrapERKNS0_8TaskPortE -__ZN8Security12MachPlusPlus8TaskPort9bootstrapENS0_9BootstrapE -__ZN8Security12UnixPlusPlus5Child4forkEv -__ZNSt8_Rb_treeIiSt4pairIKiPN8Security12UnixPlusPlus5ChildEESt10_Select1stIS6_ESt4lessIiESaIS6_EE16_M_insert_uniqueERKS6_ -__ZNSt8_Rb_treeIiSt4pairIKiPN8Security12UnixPlusPlus5ChildEESt10_Select1stIS6_ESt4lessIiESaIS6_EE9_M_insertEPSt18_Rb_tree_node_ -__ZNSt8_Rb_treeIiSt4pairIKiPN8Security12UnixPlusPlus5ChildEESt10_Select1stIS6_ESt4lessIiESaIS6_EE14_M_create_nodeERKS6_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKiPN8Security12UnixPlusPlus5ChildEEEE8allocateEmPKv -__ZN11ServerChild12parentActionEv -__ZN8Security9Condition4waitEv -__ZL14_XchildCheckInP17mach_msg_header_tS0_ -__Z24ucsp_server_childCheckInjjj -__ZN11ServerChild7checkInEN8Security12MachPlusPlus4PortEi -__ZN8Security9Condition6signalEv -__ZN8Security12MachPlusPlus11StBootstrapD1Ev -__ZN8Security12MachPlusPlus11StBootstrapD2Ev +__ZNK16AuthHostInstance7sessionEv +__ZN14DynamicSession13copyUserPrefsEv +__ZN16AuthHostInstance6lookupEj +__ZNK7Session11updateAuditEv 
__ZN13SecurityAgent6Client8activateEN8Security12MachPlusPlus4PortE +__ZN13SecurityAgent6Client7contactEjN8Security12MachPlusPlus9BootstrapEj +_sa_request_client_contact __ZN13SecurityAgent6Client6createEPKcS2_j _sa_request_client_create __ZN13SecurityAgent6Client7receiveEv __ZN13SecurityAgent7Clients7receiveEv +__ZN8Security12MachPlusPlus7MessageC1Em +__ZN8Security12MachPlusPlus7Message9setBufferEm __ZN8Security12MachPlusPlus7Message7receiveEjijj _secagentreply_server __ZL11_XdidCreateP17mach_msg_header_tS0_ __Z25sa_reply_server_didCreatejj __ZNK13SecurityAgent7Clients4findEj +__ZN13SecurityAgent6Client9didCreateEj __ZN8Security12MachPlusPlus7MessageD1Ev __ZN8Security12MachPlusPlus7MessageD2Ev __ZNSt6vectorIN13Authorization12AuthValueRefESaIS1_EEaSERKS3_ 
@@ -967,26 +326,34 @@ __ZNSt4pairIKSsN13Authorization17AgentMechanismRefEEC2ERS0_RKS2_ __ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization17AgentMechanismRefEESt10_Select1stIS4_ESt4lessISsESaIS4_EE16_M_insert_uniqueERKS4 __ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization17AgentMechanismRefEESt10_Select1stIS4_ESt4lessISsESaIS4_EE9_M_insertEPSt18_Rb_tre __ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization17AgentMechanismRefEESt10_Select1stIS4_ESt4lessISsESaIS4_EE14_M_create_nodeERKS4_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeISt4pairIKSsN13Authorization17AgentMechanismRefEEEE8allocateEmPKv +__ZN9__gnu_cxx13new_allocatorISt4pairIKSsN13Authorization17AgentMechanismRefEEE9constructEPS5_RKS5_ __ZNSt4pairIKSsN13Authorization17AgentMechanismRefEEC2ERKS3_ __ZNSt4pairIKSsN13Authorization17AgentMechanismRefEED2Ev __ZN8Security10RefPointerI20QueryInvokeMechanismE7releaseEv __ZN20QueryInvokeMechanism3runERKN13Authorization15AuthValueVectorERNS0_11AuthItemSetES5_Pj -__ZN13SecurityAgent6Client8setInputERKN13Authorization11AuthItemSetES4_ __ZN13SecurityAgent6Client6invokeEv +__ZN8Security9Allocator8standardEj +__ZN8Security11ModuleNexusI17DefaultAllocatorsEclEv __ZNK13Authorization11AuthItemSet4copyERP20AuthorizationItemSetRmRN8Security9AllocatorE __ZN8Security11DataWalkers6CopierI20AuthorizationItemSetEC2EPKS2_RNS_9AllocatorE __ZN8Security11DataWalkers4walkINS0_10SizeWalkerEEEP20AuthorizationItemSetRT_RS4_ +__ZN8Security11DataWalkers4walkINS0_10SizeWalkerEEEPcRT_RS3_ +__ZN16DefaultAllocator6mallocEm +__ZN8Security11DataWalkers4copyI20AuthorizationItemSetEEPT_PKS3_Pv __ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEP20AuthorizationItemSetRT_RS4_ __ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEvRT_R17AuthorizationItem __ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEPcRT_RS3_ +__ZN16DefaultAllocator4freeEPv __ZNK13Authorization15AuthValueVector4copyEPP24AuthorizationValueVectorPm __ZN8Security11DataWalkers6CopierI24AuthorizationValueVectorEC2EPKS2_RNS_9AllocatorE 
+__ZN8Security11DataWalkers4walkINS0_10SizeWalkerEEEP24AuthorizationValueVectorRT_RS4_ +__ZN8Security11DataWalkers4copyI24AuthorizationValueVectorEEPT_PKS3_Pv __ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEP24AuthorizationValueVectorRT_RS4_ _sa_request_client_invoke __ZN13SecurityAgent6Client5checkEi __ZL11_XsetResultP17mach_msg_header_tS0_ __Z25sa_reply_server_setResultjjP20AuthorizationItemSetjS0_S0_jS0_ +__ZN13SecurityAgent8relocateI20AuthorizationItemSetEEvPT_S3_m __ZN8Security11DataWalkers4walkIN13SecurityAgent26CheckingReconstituteWalkerEEEP20AuthorizationItemSetRT_RS5_ __ZN13SecurityAgent26CheckingReconstituteWalker4blobI20AuthorizationItemSetEEvRPT_m __ZN13SecurityAgent26CheckingReconstituteWalker4blobI17AuthorizationItemEEvRPT_m 
@@ -996,32 +363,147 @@ __ZN13SecurityAgent26CheckingReconstituteWalker4blobIvEEvRPT_m __ZN13SecurityAgent6Client9setResultEjPK20AuthorizationItemSetS3_ __ZN13Authorization11AuthItemSetaSERK20AuthorizationItemSet __ZN8Security14CommonCriteria9Securityd11AuditLogger10logSuccessEv +__ZN8Security14CommonCriteria9Securityd11AuditLogger4openEv __ZN8Security14CommonCriteria9Securityd14AuthMechLogger11writeCommonEv -__Z22initialize_agent_credsv -__ZN8Security14CommonCriteria9Securityd11AuditLogger10logFailureEPKci +__ZN8Security14CommonCriteria9Securityd11AuditLogger12writeSubjectEv +__ZN8Security14CommonCriteria9Securityd11AuditLogger10writeTokenEP8au_tokenPKc +__ZN8NodeCore4killERS_ +__ZN8NodeCore4killEv +__ZN8NodeCore15clearReferencesEv +__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE5eraseESt23_Rb_tree_const_iteratorIS3 +__ZN8NodeCore15removeReferenceERS_ +__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE5eraseERKS3_ +__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE5eraseESt17_Rb_tree_iteratorIS3_ESB_ +__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE15_M_destroy_nodeEPSt13_Rb_tree_nodeI +__ZN8Security6Thread3runEv +__ZN8Security6Thread6runnerEPv +__ZN8Security12MachPlusPlus10MachServer10LoadThread6actionEv +__ZN8Security12MachPlusPlus10MachServer9addThreadEPNS_6ThreadE +__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE16_M_insert_uniqueERKS2_ +__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE9_M_insertEPSt18_Rb_tree_node_baseSA_RKS2_ +__ZN8Security12MachPlusPlus10MachServer15runServerThreadEb +__ZL10_XdecodeDbP17mach_msg_header_tS0_ +__Z20ucsp_server_decodeDbjj13audit_token_tPiPjPvjS2_jS2_j +__ZN7CopyOutC2EPvmPFiP9__rpc_xdrzEbP9cssm_data +__Z25xdr_DLDbFlatIdentifierRefP9__rpc_xdrPPN8Security11DataWalkers18DLDbFlatIdentifierE 
+__Z22xdr_DLDbFlatIdentifierP9__rpc_xdrPN8Security11DataWalkers18DLDbFlatIdentifierE +_sec_xdr_pointer +_xdr_CSSM_SUBSERVICE_UID +_xdr_CSSM_VERSION +__ZN8Security14DLDbIdentifierC2ERK19cssm_subservice_uidPKcPK16cssm_net_address +__ZN8Security14DLDbIdentifier4ImplC2ERK19cssm_subservice_uidPKcPK16cssm_net_address +__ZN8Security6DbNameC1EPKcPK16cssm_net_address +__ZN8Security6DbNameC2EPKcPK16cssm_net_address +__ZN8Security6DbName16CanonicalizeNameEv +__Z8makeBlobIN8Security14SecurityServer6DbBlobEEPKT_RKNS0_8CssmDataEi +__ZN16KeychainDatabaseC1ERKN8Security14DLDbIdentifierEPKNS0_14SecurityServer6DbBlobER7ProcessPKNS0_17AccessCredentialsE +__ZN17SecurityServerAclC2Ev +__ZN8Security9ObjectAclC2ERNS_9AllocatorE +__ZN13LocalDatabaseC2ER7Process +__ZN8DatabaseC2ER7Process +__ZN16KeychainDatabase12validateBlobEPKN8Security14SecurityServer6DbBlobE +__ZNK8Security14SecurityServer10CommonBlob8validateEi +__ZN8Security11DataWalkers4copyINS_17AccessCredentialsEEEPT_PKS3_RNS_9AllocatorE +__ZN8Security9Allocator6mallocINS_14SecurityServer6DbBlobEEEPT_m +__ZNK8Database7processEv +__ZN8NodeCore9findFirstI16KeychainDbCommonRK12DbIdentifierEEN8Security10RefPointerIT_EEMS7_KFT0_vES9_ +__ZNK16KeychainDbCommon10identifierEv +__ZNK12DbIdentifiereqERKS_ +__ZNK8Security14DLDbIdentifiereqERKS0_ +__ZNK8Security14DLDbIdentifier4ImpleqERKS1_ +__ZNK8Security17CssmSubserviceUideqERK19cssm_subservice_uid +__ZN8Security10RefPointerI16KeychainDbCommonE7releaseEv +__ZN8Security10RefPointerINS_14DLDbIdentifier4ImplEE7releaseEv +__ZN8Security6DbNameD1Ev +__ZN8Security6DbNameD2Ev +__ZN7CopyOutD1Ev +__ZN7CopyOutD2Ev +__ZL16_XauthenticateDbP17mach_msg_header_tS0_ +__Z26ucsp_server_authenticateDbjj13audit_token_tPijjPvj +_xdr_CSSM_ACCESS_CREDENTIALS_PTR +_xdr_CSSM_ACCESS_CREDENTIALS +_xdr_CSSM_BASE_CERTS +_sec_xdr_clip_long +_xdr_CSSM_CERTGROUP +_xdr_CSSM_SAMPLE +_xdr_CSSM_LIST +_xdr_CSSM_LIST_ELEMENT +__ZN6Server8databaseEj +__ZN6Server4findI8DatabaseEEN8Security10RefPointerIT_EEji 
+__ZN8Security13MappingHandleIjE7findRefI8DatabaseEENS_10RefPointerIT_EEji +__ZN8Security13MappingHandleIjE5State6locateEji +__ZN16KeychainDatabase12authenticateEjPKN8Security17AccessCredentialsE +__ZN8Security11DataWalkers14enumerateArrayINS0_10SizeWalkerENS_11SampleGroupENS_10CssmSampleEEEvRT_RT0_MS7_FRPT1_vE +__ZN8Security11SampleGroup7samplesEv +__ZN8Security11DataWalkers4walkINS0_10SizeWalkerEEEvRT_RNS_10CssmSampleE +__ZN8Security11DataWalkers4walkINS0_10SizeWalkerEEEPNS_11ListElementERT_RS4_ +__ZN8Security11DataWalkers4copyINS_17AccessCredentialsEEEPT_PKS3_RNS_9AllocatorEm +__ZN8Security11DataWalkers4copyINS_17AccessCredentialsEEEPT_PKS3_Pv +__ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEPNS_17AccessCredentialsERT_RS4_ +__ZN8Security11DataWalkers14enumerateArrayINS0_10CopyWalkerENS_11SampleGroupENS_10CssmSampleEEEvRT_RT0_MS7_FRPT1_vE +__ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEvRT_RNS_10CssmSampleE +__ZN8Security11DataWalkers9enumerateINS0_10CopyWalkerEEEvRT_RNS_8CssmListE +__ZN8Security11DataWalkers4walkINS0_10CopyWalkerEEEPNS_11ListElementERT_RS4_ +__ZN8Security11ListElement4lastEv +__ZN8Security10RefPointerI8DatabaseE7releaseEv +__ZL11_XreleaseDbP17mach_msg_header_tS0_ +__Z21ucsp_server_releaseDbjj13audit_token_tPij +__ZN16KeychainDatabaseD0Ev +__ZN8Security10RefPointerI16KeychainDatabaseE7releaseEv +__ZN8DatabaseD2Ev +__ZN9AclSourceD2Ev +__ZN10PerProcessD2Ev +__ZN8Security13MappingHandleIjED2Ev +__ZN9__gnu_cxx9hashtableISt4pairIKjPN8Security13MappingHandleIjEEEjNS_4hashIjEESt10_Select1stIS7_ESt8equal_toIjESaIS6_EE5eraseE +__ZN17SecurityServerAclD2Ev +__ZN8Security5MutexD1Ev +__ZN8Security9ObjectAclD2Ev +__ZN8Security10RefPointerINS_10AclSubjectEE7releaseEv +__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EED2Ev +__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE8_M_eraseEPSt13_Rb_tree_nodeI +__ZL13_XsetupThreadP17mach_msg_header_tS0_ 
+__Z23ucsp_server_setupThreadjj13audit_token_tPij +__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7ProcessEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE4f +__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE5eraseERS1_ +__ZNSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE5eraseESt17_Rb_tree_iteratorIS4_ESC_ +__ZNSt8_Rb_treeIN8Security12MachPlusPlus4PortESt4pairIKS2_NS0_10RefPointerI7ProcessEEESt10_Select1stIS8_ESt4lessIS2_ESaIS8_EE15 +__ZN7Process4killEv +__ZN8Security10RefPointerI13LocalDatabaseE10setPointerEPS1_ +__ZN8Security10RefPointerI13LocalDatabaseE7releaseEv +__ZN8Security12MachPlusPlus10MachServer4idleEv +__ZN7ProcessD0Ev +__ZNSt8_Rb_treeIP18AuthorizationTokenS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE8_M_eraseEPSt13_Rb_tree_nodeIS1_E +__ZN20ClientIdentificationD2Ev +__ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EED2Ev +__ZN14CodeSignatures8IdentityD2Ev +__ZN15CodeSigningHostD2Ev +__ZN15CodeSigningHost5resetEv +__ZNSt8_Rb_treeIjSt4pairIKjN8Security10RefPointerIN15CodeSigningHost5GuestEEEESt10_Select1stIS7_ESt4lessIjESaIS7_EED2Ev +__ZNSt8_Rb_treeIjSt4pairIKjN8Security10RefPointerIN15CodeSigningHost5GuestEEEESt10_Select1stIS7_ESt4lessIjESaIS7_EE8_M_eraseEPS +__ZN8Security12MachPlusPlus10MachServer7HandlerD2Ev __ZN8Security14CommonCriteria9Securityd14AuthMechLoggerD2Ev -__ZNSt8_Rb_treeIN13Authorization11AuthItemRefES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseESt17_Rb_tree_iteratorIS1_E -__ZNSt6__copyILb0ESt26random_access_iterator_tagE4copyIPKN13Authorization12AuthValueRefEPS4_EET0_T_S9_S8_ -__ZN8Security10RefPointerIN13Authorization9AuthValueEE10setPointerEPS2_ -__ZN8Security10RefPointerIN13Authorization9AuthValueEE7releaseEv -__ZN18AuthorizationToken10setInfoSetERN13Authorization11AuthItemSetE +__ZN18AuthorizationToken10setInfoSetERN13Authorization11AuthItemSetEb +__ZN13Authorization11AuthItemSet4findEPKc +__ZN7Session13setAttributesEj 
+__ZN8Security14CommonCriteria9AuditInfo3setEv __ZNK13Authorization8RuleImpl15makeCredentialsERK18AuthorizationToken -__ZSt7find_ifISt23_Rb_tree_const_iteratorIN13Authorization11AuthItemRefEENS1_23FindAuthItemByRightNameEET_S5_S5_T0_ -__ZSt9__find_ifISt23_Rb_tree_const_iteratorIN13Authorization11AuthItemRefEENS1_23FindAuthItemByRightNameEET_S5_S5_T0_St18input_ +__ZNK13Authorization8AuthItem11stringValueEv __ZN13Authorization10CredentialC1EjRKSsS2_S2_b __ZN13Authorization10CredentialC2EjRKSsS2_S2_b __ZN13Authorization14CredentialImplC2EjRKSsS2_S2_b __ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueERKS1_ __ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE9_M_insertEPSt18_Rb_tree_node_baseS9_RKS1_ __ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE14_M_create_nodeERKS1_ -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIN13Authorization10CredentialEEE8allocateEmPKv +__ZN9__gnu_cxx13new_allocatorIN13Authorization10CredentialEE9constructEPS2_RKS2_ __ZN13Authorization10CredentialD1Ev __ZN8Security10RefPointerIN13Authorization14CredentialImplEE7releaseEv -__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE7_M_copyEPKSt13_Rb_tree_nodeIS1_EPS9_ +__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueISt23_Rb_tree_const_iter +__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE16_M_insert_uniqueESt17_Rb_tree_iteratorIS __ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE15_M_destroy_nodeEPSt13_Rb_tree_nodeIS1_E __ZNSt6vectorIN13Authorization12AuthValueRefESaIS1_EED2Ev -__ZNSt12_Vector_baseIN13Authorization12AuthValueRefESaIS1_EED2Ev +__ZN8Security10RefPointerIN13Authorization9AuthValueEE7releaseEv __ZN13Authorization23AgentMechanismEvaluatorD2Ev 
+__ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization17AgentMechanismRefEESt10_Select1stIS4_ESt4lessISsESaIS4_EED2Ev __ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization17AgentMechanismRefEESt10_Select1stIS4_ESt4lessISsESaIS4_EE8_M_eraseEPSt13_Rb_tree __ZNSt8_Rb_treeISsSt4pairIKSsN13Authorization17AgentMechanismRefEESt10_Select1stIS4_ESt4lessISsESaIS4_EE15_M_destroy_nodeEPSt13 __ZN20QueryInvokeMechanismD0Ev 
@@ -1030,131 +512,240 @@ __ZN13SecurityAgent6Client7destroyEv _sa_request_client_destroy __ZN23SecurityAgentConnectionD2Ev __ZN8Security10RefPointerI16AuthHostInstanceE7releaseEv +__ZN16AuthHostInstanceD0Ev +__ZN11ServerChildD2Ev +__ZN8Security9ConditionD1Ev +__ZN8Security9ConditionD2Ev +__ZN8Security12UnixPlusPlus5ChildD2Ev __ZN13SecurityAgent6ClientD2Ev __ZN13SecurityAgent6Client8teardownEv __ZN13SecurityAgent7Clients6removeEPNS_6ClientE -__ZN8Security12MachPlusPlus7PortSetmIERKNS0_4PortE __ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE5eraseERKS2_ __ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE5eraseESt17_Rb_tree_iteratorIS2_ESA_ -__ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE5eraseESt17_Rb_tree_iteratorIS2_E __ZNSt8_Rb_treeIPN13SecurityAgent6ClientES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE8_M_eraseEPSt13_Rb_tree_nodeIS2_E __ZN13Authorization9AuthValueD1Ev __ZN13Authorization9AuthValueD2Ev +__ZNSt6vectorISsSaISsEED2Ev +__ZN8Security14CommonCriteria9Securityd11RightLogger8setRightEPKc +__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLogger22logAuthorizationResultEPKcS4_i +__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLogger11writeCommonEv +__ZN8Security6Syslog4infoEPKcz +__ZN8Security10RefPointerIN13Authorization8RuleImplEE7releaseEv +__ZN7Session16mergeCredentialsERSt3setIN13Authorization10CredentialESt4lessIS2_ESaIS2_EE +__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE7_M_copyEPKSt13_Rb_tree_nodeIS1_EPS9_ __ZNK13Authorization14CredentialImpl8isSharedEv __ZNK13Authorization14CredentialImpl7isValidEv __ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE4findERKS1_ +__ZN18AuthorizationToken16mergeCredentialsERKSt3setIN13Authorization10CredentialESt4lessIS2_ESaIS2_EE __ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseERKS1_ 
-__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE11equal_rangeERKS1_ +__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE11upper_boundERKS1_ +__ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE11lower_boundERKS1_ __ZNSt8_Rb_treeIN13Authorization10CredentialES1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseESt17_Rb_tree_iteratorIS1_ES9_ __ZNK13Authorization11AuthItemSet4copyEv _copyin_AuthorizationItemSet +_copyin +_sec_xdr_sizeof_in +_sec_x_putlong +_sec_x_putbytes +_sec_xdrmem_putlong_aligned +_sec_xdrmem_putbytes +__ZN6Server15releaseWhenDoneEPv +__ZN8Security12MachPlusPlus10MachServer15releaseWhenDoneERNS_9AllocatorEPv +__ZNSt8_Rb_treeIN8Security12MachPlusPlus10MachServer10AllocationES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE16_M_insert_uniqueERKS +__ZNSt8_Rb_treeIN8Security12MachPlusPlus10MachServer10AllocationES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE9_M_insertEPSt18_Rb_tr __ZL23_XauthorizationCopyInfoP17mach_msg_header_tS0_ __Z33ucsp_server_authorizationCopyInfojj13audit_token_tPiN8Security14SecurityServer17AuthorizationBlobEPKcPPvPj __ZN7Session11authGetInfoERKN8Security14SecurityServer17AuthorizationBlobEPKcRN13Authorization11AuthItemSetE +__ZN16KeychainDbCommonC2ER7SessionRK12DbIdentifier +__ZN13LocalDbCommonC2ER7Session +__ZN8DbCommonC2ER7Session +__ZN18DatabaseCryptoCoreC2Ev +__ZN8NodeCore9findFirstI16KeychainDbGlobalRK12DbIdentifierEEN8Security10RefPointerIT_EEMS7_KFT0_vES9_ +__ZN8Security10RefPointerI16KeychainDbGlobalE7releaseEv +__ZN16KeychainDbGlobalC2ERK12DbIdentifier +__ZNK8DbCommon7sessionEv __ZL24_XunlockDbWithPassphraseP17mach_msg_header_tS0_ __Z34ucsp_server_unlockDbWithPassphrasejj13audit_token_tPijPvj +__ZN6Server8keychainEj +__ZN6Server4findI16KeychainDatabaseEEN8Security10RefPointerIT_EEji +__ZN8Security13MappingHandleIjE7findRefI16KeychainDatabaseEENS_10RefPointerIT_EEji __ZN16KeychainDatabase8unlockDbERKN8Security8CssmDataE 
__ZN16KeychainDatabase12makeUnlockedERKN8Security8CssmDataE -__ZN16KeychainDatabase6decodeERKN8Security8CssmDataE +__ZN16KeychainDatabase8isLockedEv __ZN18DatabaseCryptoCore5setupEPKN8Security14SecurityServer6DbBlobERKNS0_8CssmDataE __ZNK18DatabaseCryptoCore17deriveDbMasterKeyERKN8Security8CssmDataE __ZN8Security10CssmClient9DeriveKeyC1ERKNS0_3CSPEjjj +__ZN8Security10CssmClient5CryptC2ERKNS0_3CSPEj +__ZN8Security10CssmClient7ContextC2ERKNS0_3CSPEj +__ZN8Security10CssmClient10ObjectImplC2ERKNS0_6ObjectE __ZN8Security10CssmClient9DeriveKeyclEPNS_8CssmDataERKNS0_7KeySpecE __ZN8Security10CssmClient3Key10makeNewKeyERKNS0_3CSPE __ZN8Security10CssmClient3KeyC2ERKNS0_3CSPE __ZN8Security10CssmClient7KeyImplC1ERKNS0_3CSPE +__ZN8Security10RefPointerINS_10CssmClient10ObjectImplEE10setPointerEPS2_ +__ZN8Security10RefPointerINS_10CssmClient10ObjectImplEE7releaseEv +__ZNK8Security10CssmClient6Object4implINS0_7KeyImplEEERT_v +__ZNK8Security10CssmClient9RccBearer12compositeRccEv __ZN8Security10CssmClient9DeriveKey8activateEv +__ZNK8Security10CssmClient6Object4implINS0_7CSPImplEEERT_v +__ZN8Security10CssmClient14AttachmentImpl8activateEv +__ZN8Security28CssmAllocatorMemoryFunctions11relayMallocEmPv +__ZN8Security28CssmAllocatorMemoryFunctions9relayFreeEPvS1_ +__ZN8Security10CssmClient10ObjectImpl5checkEi __ZN8Security10CssmClient7KeyImpl8activateEv -__ZN8Security10CssmClient9DeriveKeyD1Ev -__ZL13handleSignalsi -_self_client_handleSignal -__Z11self_serverP17mach_msg_header_tS0_ -__ZL14_XhandleSignalP17mach_msg_header_tS0_ -__Z24self_server_handleSignaljji -__ZN8Security12UnixPlusPlus5Child13checkChildrenEv -__ZNSt3mapIiPN8Security12UnixPlusPlus5ChildESt4lessIiESaISt4pairIKiS3_EEEixERS7_ -__ZN8Security12UnixPlusPlus5Child4buryEi -__ZNSt8_Rb_treeIiSt4pairIKiPN8Security12UnixPlusPlus5ChildEESt10_Select1stIS6_ESt4lessIiESaIS6_EE5eraseERS1_ -__ZNSt8_Rb_treeIiSt4pairIKiPN8Security12UnixPlusPlus5ChildEESt10_Select1stIS6_ESt4lessIiESaIS6_EE5eraseESt17_Rb_tree_iteratorIS 
-__ZNSt4listIPN8Security12UnixPlusPlus5ChildESaIS3_EE9_M_insertESt14_List_iteratorIS3_ERKS3_ -__ZNSt4listIPN8Security12UnixPlusPlus5ChildESaIS3_EE14_M_create_nodeERKS3_ -__ZN9__gnu_cxx13new_allocatorISt10_List_nodeIPN8Security12UnixPlusPlus5ChildEEE8allocateEmPKv -__ZN8Security12UnixPlusPlus5Child4Bier6notifyEv -__ZN11ServerChild5dyingEv -__ZL28_XsetSessionDistinguishedUidP17mach_msg_header_tS0_ -__Z38ucsp_server_setSessionDistinguishedUidjj13audit_token_tPijj -__ZN7Session4findI14DynamicSessionEERT_j -__ZN14DynamicSession13originatorUidEj -__ZN8Security10RefPointerIN13Authorization14CredentialImplEE10setPointerEPS2_ -__ZN13Authorization14CredentialImplD1Ev -__ZN13Authorization14CredentialImplD2Ev +__ZN8Security10CssmClient5CryptD2Ev +__ZN8Security10CssmClient7ContextD2Ev +__ZN8Security10CssmClient7Context10deactivateEv +__ZN8Security10CssmClient10ObjectImplD2Ev +__ZN16KeychainDatabase6decodeEv +__ZN16KeychainDbCommon8unlockDbEPN8Security14SecurityServer6DbBlobEPPv +__ZN18DatabaseCryptoCore10decodeCoreEPKN8Security14SecurityServer6DbBlobEPPv +__ZN8Security10CssmClient7DecryptC1ERKNS0_3CSPEj +__ZN8Security10CssmClient7Context3setEjj +__ZN8Security10CssmClient5Crypt3keyERKNS0_3KeyE +__ZN8Security10CssmClient7Context3setINS_7CssmKeyEEEvjRKT_ +__ZN8Security10CssmClient7Context3setINS_8CssmDataEEEvjRKT_ +__ZN8Security10CssmClient7Decrypt7decryptEPKNS_8CssmDataEjPS2_jRS2_ +__ZN8Security10CssmClient7Context8unstagedEv +__ZN8Security10CssmClient5Crypt8activateEv +__ZN18DatabaseCryptoCore10makeRawKeyEPvmjj +__ZN8Security10CssmClient9UnwrapKeyC1ERKNS0_3CSPEj +__ZN8Security10CssmClient9UnwrapKeyclERKNS_7CssmKeyERKNS0_7KeySpecERS2_PNS_8CssmDataEPS3_ +__ZN8Security10CssmClient3KeyC2ERKNS0_3CSPERK8cssm_keyb +__ZN8Security10CssmClient7KeyImplC1ERKNS0_3CSPERK8cssm_keyb +__ZN8Security7CssmKeyC2ERK8cssm_key +__ZN8Security10CssmClient9VerifyMacC1ERKNS0_3CSPEj +__ZN8Security10CssmClient7Context3setINS0_3KeyEEEvjRKT_ +__ZN8Security10CssmClient9VerifyMac6verifyEPKNS_8CssmDataEjRS3_ 
+__ZN8Security10CssmClient10MacContext8activateEv +__ZN8Security10CssmClient10MacContextD2Ev +__ZN16KeychainDbCommon8activityEv +__ZN8Security12MachPlusPlus10MachServer8setTimerEPNS1_5TimerENS_4Time8AbsoluteE +__ZN8Security13ScheduleQueueINS_4Time8AbsoluteEE8scheduleEPNS3_5EventES2_ +__ZN8DbCommon6notifyEjRKN8Security14DLDbIdentifierE +__ZN8Security19NameValueDictionaryC1Ev +__ZN8Security19NameValueDictionary41MakeNameValueDictionaryFromDLDbIdentifierERKNS_14DLDbIdentifierERS0_ +__ZN8Security13NameValuePair9CloneDataERKNS_8CssmDataE +__ZNSt6vectorIPN8Security13NameValuePairESaIS2_EE9push_backERKS2_ +__ZNSt6vectorIPN8Security13NameValuePairESaIS2_EE13_M_insert_auxEN9__gnu_cxx17__normal_iteratorIPS2_S4_EERKS2_ +__ZNSt12_Vector_baseIPN8Security13NameValuePairESaIS2_EE11_M_allocateEm +__ZN8Security19NameValueDictionary6ExportERNS_8CssmDataE +__ZNK8Security13NameValuePair6ExportERNS_8CssmDataE +__ZN8Listener6notifyEjjRKN8Security8CssmDataE +__ZN8Listener12NotificationC2EjjjRKN8Security8CssmDataE +__ZN8Security12CssmAutoDataC2INS_8CssmDataEEERNS_9AllocatorERKT_ +__ZN8Security13CssmOwnedData4copyIvEEvPKT_m +__ZN8Security12CssmAutoData5resetEv +__ZN8Security11CssmAutoPtrIvED1Ev +__ZN8Listener16sendNotificationEPNS_12NotificationE +__ZN20SharedMemoryListener8notifyMeEPN8Listener12NotificationE +__ZNK8Security13CssmOwnedData3getEv +__ZN18SharedMemoryServer12WriteMessageEjjPKvj +_CalculateCRC +__ZN18SharedMemoryServer9WriteDataEPKvj +__ZN8Security10RefPointerIN8Listener12NotificationEE7releaseEv +__ZN8Listener12NotificationD0Ev +__ZN8Security12CssmAutoDataD2Ev +__ZN8Security15CssmManagedDataD2Ev +__ZN8Security19NameValueDictionaryD1Ev +__ZN8Security19NameValueDictionaryD2Ev +__ZN16KeychainDatabase3aclEv +__ZN8Security9ObjectAcl10importBlobEPKvS2_ +__ZN8Security9ObjectAcl13importSubjectERNS_23LowLevelMemoryUtilities6ReaderES3_ +__ZN8Security9ObjectAcl8makerForEi +__ZN8Security11ModuleNexusISt3mapIiPNS_10AclSubject5MakerESt4lessIiESaISt4pairIKiS4_EEEEclEv 
+__ZNSt3mapIiPN8Security10AclSubject5MakerESt4lessIiESaISt4pairIKiS3_EEEixERS7_ +__ZNK8Security13AnyAclSubject5Maker4makeEhRNS_23LowLevelMemoryUtilities6ReaderES4_ +__ZN8Security10AclSubjectC2Ejh +__ZN8Security10RefPointerINS_10AclSubjectEE10setPointerEPS1_ +__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE5eraseESt17_Rb_tree_iteratorI +__ZN8Security9ObjectAcl8AclEntryC2Ev +__ZN8Security9ObjectAcl8AclEntry10importBlobERNS_23LowLevelMemoryUtilities6ReaderES4_ +__ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEE5eraseESt23_Rb_tree_const_iteratorIiES7_ +__ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEE8_M_eraseEPSt13_Rb_tree_nodeIiE +__ZN8Security9ObjectAcl3addERKSsRKNS0_8AclEntryE +__ZN8Security9ObjectAcl8AclEntryC2ERKS1_ +__ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEEC2ERKS5_ +__ZN8Security9ObjectAcl3addERKSsNS0_8AclEntryEl +__ZNSt4pairISsN8Security9ObjectAcl8AclEntryEEC2ERKSsRKS2_ +__ZNSt4pairIKSsN8Security9ObjectAcl8AclEntryEEC2ISsS3_EERKS_IT_T0_E +__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE15_M_insert_equalERKS5_ +__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE9_M_insertEPSt18_Rb_tree_node +__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE14_M_create_nodeERKS5_ +__ZN9__gnu_cxx13new_allocatorISt4pairIKSsN8Security9ObjectAcl8AclEntryEEE9constructEPS6_RKS6_ +__ZNSt4pairIKSsN8Security9ObjectAcl8AclEntryEEC2ERKS4_ +__ZNSt4pairIKSsN8Security9ObjectAcl8AclEntryEED2Ev +__ZN8Security9ObjectAcl8AclEntryD2Ev +__ZNSt4pairISsN8Security9ObjectAcl8AclEntryEED2Ev +__ZN8Security13AnyAclSubjectD0Ev +__ZN8Security10AclSubjectD2Ev +__ZNSt8_Rb_treeISsSt4pairIKSsN8Security9ObjectAcl8AclEntryEESt10_Select1stIS5_ESt4lessISsESaIS5_EE15_M_destroy_nodeEPSt13_Rb_tr +__ZN8Security13ScheduleQueueINS_4Time8AbsoluteEE5Event10unscheduleEv +__ZN8Security12MachPlusPlus10MachServer5Timer6selectEv 
+__ZThn88_N20SharedMemoryListener6actionEv +__ZN20SharedMemoryListener6actionEv +__ZN8Security12MachPlusPlus10MachServer5Timer8unselectEv __ZL21_XsetSessionUserPrefsP17mach_msg_header_tS0_ __Z31ucsp_server_setSessionUserPrefsjj13audit_token_tPijPvj +__ZN7Session4findI14DynamicSessionEERT_j +__ZN6Server7sessionEv __ZN14DynamicSession12setUserPrefsEPK8__CFData __ZN8Security5CFRefIPK8__CFDataEaSES3_ __ZN20QueryInvokeMechanism14terminateAgentEv __ZN18SecurityAgentQuery9terminateEv __ZN23SecurityAgentConnection9terminateEv -__ZThn256_N18SecurityAgentQuery8activateEv __ZN13SecurityAgent6Client9terminateEv _sa_request_client_terminate -__ZNSt8_Rb_treeIN8Security10RefPointerI8NodeCoreEES3_St9_IdentityIS3_ESt4lessIS3_ESaIS3_EE5eraseESt17_Rb_tree_iteratorIS3_E -__ZN16AuthHostInstanceD0Ev -__ZN11ServerChildD2Ev -__ZN8Security9ConditionD1Ev -__ZN8Security9ConditionD2Ev -__ZN8Security12UnixPlusPlus5ChildD2Ev __ZN20QueryInvokeMechanismD2Ev __ZNK13Authorization10CredentialltERKS0_ __ZNK13Authorization14CredentialImplltERKS0_ __ZN13Authorization14CredentialImpl5mergeERKS0_ -__ZNSt8_Rb_treeIiSt4pairIKiPN8Security12UnixPlusPlus5ChildEESt10_Select1stIS6_ESt4lessIiESaIS6_EE8_M_eraseEPSt13_Rb_tree_nodeIS -__ZL26_XauthorizationExternalizeP17mach_msg_header_tS0_ -__Z36ucsp_server_authorizationExternalizejj13audit_token_tPiN8Security14SecurityServer17AuthorizationBlobEP25AuthorizationExter -__ZN7Session15authExternalizeERKN8Security14SecurityServer17AuthorizationBlobER25AuthorizationExternalForm -__ZNK18AuthorizationToken14mayExternalizeER7Process -__ZL26_XauthorizationInternalizeP17mach_msg_header_tS0_ -__Z36ucsp_server_authorizationInternalizejj13audit_token_tPi25AuthorizationExternalFormPN8Security14SecurityServer17Authorizati -__ZN7Session15authInternalizeERK25AuthorizationExternalFormRN8Security14SecurityServer17AuthorizationBlobE -__ZN18AuthorizationToken14mayInternalizeER7Processb -__ZL11_XreleaseDbP17mach_msg_header_tS0_ -__Z21ucsp_server_releaseDbjj13audit_token_tPij 
-__ZL10_XisLockedP17mach_msg_header_tS0_ -__Z20ucsp_server_isLockedjj13audit_token_tPijPj -__ZNK13Authorization8RuleImpl26evaluateCredentialForRightERK18AuthorizationTokenRKNS_11AuthItemRefERKNS_4RuleERKNS_11AuthItemSe -__ZNK13Authorization8RuleImpl30evaluateUserCredentialForRightERK18AuthorizationTokenRKNS_11AuthItemRefERKNS_4RuleERKNS_11AuthIt -__ZNK13Authorization14CredentialImpl12creationTimeEv -__ZNK13Authorization8RuleImpl22evaluateAuthenticationERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEjdPKSt3setINS_10Credentia -__ZNK13Authorization8RuleImpl20evaluateSessionOwnerERKNS_11AuthItemRefERKNS_4RuleERKNS_11AuthItemSetEdRK18AuthorizationTokenRNS -__ZNK14DynamicSession17haveOriginatorUidEv -__ZN18AuthorizationToken12scrubInfoSetEv -__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLogger10logSuccessEjjPKc -__ZN18AuthorizationToken17setCredentialInfoERKN13Authorization10CredentialE -__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseESt17_Rb_tree_iteratorIS1_E -__ZThn272_N16KeychainDbCommon6selectEv -__ZN16KeychainDbCommon6selectEv -__ZThn272_N16KeychainDbCommon6actionEv -__ZN16KeychainDbCommon6actionEv -__ZN16KeychainDbCommon6lockDbEv -__ZN18DatabaseCryptoCore10invalidateEv -__ZN8Security12MachPlusPlus10MachServer10clearTimerEPNS1_5TimerE -__ZThn272_N16KeychainDbCommon8unselectEv -__ZN16KeychainDbCommon8unselectEv -__ZN8Security12MachPlusPlus10MachServer12removeThreadEPNS_6ThreadE -__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE5eraseERKS2_ -__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE5eraseESt17_Rb_tree_iteratorIS2_ESA_ -__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE5eraseESt17_Rb_tree_iteratorIS2_E -__ZN8Security12MachPlusPlus10MachServer10LoadThreadD0Ev -__ZN8Security6ThreadD2Ev -__ZN8Security16PerThreadPointerIN13SecurityAgent7ClientsEE10destructorEPv -__ZN13SecurityAgent7ClientsD2Ev 
-__ZN8Security16PerThreadPointerINS_10RefPointerI10ConnectionEEE10destructorEPv -__ZN8Security16PerThreadPointerINS_12MachPlusPlus10MachServer9PerThreadEE10destructorEPv -__ZNSt8_Rb_treeIPN8Security6ThreadES2_St9_IdentityIS2_ESt4lessIS2_ESaIS2_EE8_M_eraseEPSt13_Rb_tree_nodeIS2_E +__ZN13Authorization14CredentialImplD1Ev +__ZN13Authorization14CredentialImplD2Ev +__ZL11_XdecodeKeyP17mach_msg_header_tS0_ +__Z21ucsp_server_decodeKeyjj13audit_token_tPiPjPPvS1_jS2_j +__Z8makeBlobIN8Security14SecurityServer7KeyBlobEEPKT_RKNS0_8CssmDataEi +__ZN11KeychainKeyC1ER8DatabasePKN8Security14SecurityServer7KeyBlobE +__ZN11KeychainKeyC2ER8DatabasePKN8Security14SecurityServer7KeyBlobE +__ZN8LocalKeyC2ER8Databasej +__ZN3KeyC2ER8Database +__ZN8Database10SubsidiaryC2ERS_ +__ZNK8Security10CssmClient10ObjectImpl9allocatorEv +__ZN8Security9Allocator6mallocINS_14SecurityServer7KeyBlobEEEPT_m +__ZN8LocalKey9returnKeyERjRN8Security7CssmKey6HeaderE +__ZN11KeychainKey9getHeaderERN8Security7CssmKey6HeaderE +__ZN8Security4n2hiERNS_7CssmKey6HeaderE +_xdr_CSSM_KEYHEADER +__ZN8Security10RefPointerI3KeyE7releaseEv +__ZL9_XdecryptP17mach_msg_header_tS0_ +__Z19ucsp_server_decryptjj13audit_token_tPiPvjjS1_jPS1_Pj +_xdr_CSSM_CONTEXT_PTR +_xdr_CSSM_CONTEXT +_xdr_CSSM_CONTEXT_ATTRIBUTE +_xdr_CSSM_KEY +_xdr_CSSM_DATA +__ZN6Server3keyEj +__ZN8Security13MappingHandleIjE7findRefI3KeyEENS_10RefPointerIT_EEji +__ZN13LocalDatabase7decryptERKN8Security7ContextER3KeyRKNS0_8CssmDataERS6_ +__ZN8LocalKey7cssmKeyEv +__ZN8LocalKey8keyValueEv +__ZN11KeychainKey6getKeyEv +__ZN11KeychainKey6decodeEv +__ZN16KeychainDatabase9decodeKeyEPN8Security14SecurityServer7KeyBlobERNS0_7CssmKeyERPvS7_ +__ZN8Security14SecurityServer7KeyBlob11isClearTextEv +__ZN16KeychainDatabase8unlockDbEv +__ZN16KeychainDatabase12makeUnlockedEPKN8Security17AccessCredentialsE +__ZN8Security10CssmClient7KeyImplD0Ev +__ZN8Security10CssmClient7KeyImpl10deactivateEv +__ZN8Security10CssmClient9AclBearerD2Ev 
+__ZNK18DatabaseCryptoCore13decodeKeyCoreEPN8Security14SecurityServer7KeyBlobERNS0_7CssmKeyERPvS7_ +__ZN8Security4h2niERNS_7CssmKey6HeaderE +__ZN8Security10CssmClient9UnwrapKeyclERKNS_7CssmKeyERKNS0_7KeySpecERS2_PNS_8CssmDataE +__ZN11KeychainKey3aclEv __ZNK8Security19ThresholdAclSubject5Maker4makeEhRNS_23LowLevelMemoryUtilities6ReaderES4_ __ZNSt6vectorIN8Security10RefPointerINS0_10AclSubjectEEESaIS3_EEC2EmRKS3_RKS4_ __ZNSt12_Vector_baseIN8Security10RefPointerINS0_10AclSubjectEEESaIS3_EEC2EmRKS4_ -__ZN9__gnu_cxx13new_allocatorIN8Security10RefPointerINS1_10AclSubjectEEEE8allocateEmPKv +__ZNSt12_Vector_baseIN8Security10RefPointerINS0_10AclSubjectEEESaIS3_EE11_M_allocateEm __ZSt26__uninitialized_fill_n_auxIPN8Security10RefPointerINS0_10AclSubjectEEEmS3_EvT_T0_RKT1_St12__false_type __ZNK24KeychainPromptAclSubject5Maker4makeEhRN8Security23LowLevelMemoryUtilities6ReaderES4_ __ZN24KeychainPromptAclSubjectC2ESsRK33cssm_acl_keychain_prompt_selector 
@@ -1162,18 +753,35 @@ __ZN8Security19ThresholdAclSubjectC2EjjRKSt6vectorINS_10RefPointerINS_10AclSubje __ZNSt6vectorIN8Security10RefPointerINS0_10AclSubjectEEESaIS3_EEC2ERKS5_ __ZSt24__uninitialized_copy_auxIN9__gnu_cxx17__normal_iteratorIPKN8Security10RefPointerINS2_10AclSubjectEEESt6vectorIS5_SaIS5_E __ZNSt6vectorIN8Security10RefPointerINS0_10AclSubjectEEESaIS3_EED2Ev -__ZNSt12_Vector_baseIN8Security10RefPointerINS0_10AclSubjectEEESaIS3_EED2Ev __ZNK8Security23CodeSignatureAclSubject5Maker4makeEhRNS_23LowLevelMemoryUtilities6ReaderES4_ -__ZN8Security23LowLevelMemoryUtilities6Reader11countedDataERPKvRm __ZNK8Security23CodeSignatureAclSubject5Maker4makeEPKhRKNS_8CssmDataE __ZN8Security23CodeSignatureAclSubjectC2EPKhRKSs __ZN8Security11OSXVerifierC2EPKhRKSs __ZN8Security11OSXVerifier3addEPKNS_8BlobCoreE -__ZN8Security10CFTempDataC2INS_8BlobCoreEEERKT_ __ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEE16_M_insert_uniqueERKi __ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEE9_M_insertEPSt18_Rb_tree_node_baseS7_RKi -__ZN9__gnu_cxx13new_allocatorISt13_Rb_tree_nodeIiEE8allocateEmPKv __ZNSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEE7_M_copyEPKSt13_Rb_tree_nodeIiEPS7_ +__ZNK8Security7Context7replaceINS_7CssmKeyEEEvjRKT_ +__ZN8Security7Context4findEjPK22cssm_context_attributej +__ZN9AclSource8validateEiRKN8Security7ContextE +__ZThn160_N11KeychainKey15relatedDatabaseEv +__ZThn160_N11KeychainKey3aclEv +__ZN17SecurityServerAcl8validateEiRKN8Security7ContextEP8Database +__ZThn232_N11KeychainKey8validateEiPKN8Security17AccessCredentialsEP8Database +__ZN11KeychainKey8validateEiPKN8Security17AccessCredentialsEP8Database +__ZN17SecurityServerAcl8validateEiPKN8Security17AccessCredentialsEP8Database +__ZN25SecurityServerEnvironmentC1ER17SecurityServerAclP8Database +__ZN8Security9ObjectAcl8validateEiPKNS_17AccessCredentialsEPNS_24AclValidationEnvironmentE +__ZN8Security9ObjectAcl9validatesEiPKNS_17AccessCredentialsEPNS_24AclValidationEnvironmentE 
+__ZN8Security9ObjectAcl9validatesERNS_20AclValidationContextE +__ZThn232_N11KeychainKey14instantiateAclEv +__ZN11KeychainKey14instantiateAclEv +__ZNK8Security20AclValidationContext9s_credTagEv +__ZNK8Security20AclValidationContext7credTagEv +__ZNK8Security9ObjectAcl8getRangeERKSsRSt4pairISt23_Rb_tree_const_iteratorIS3_IS1_NS0_8AclEntryEEES7_E +__ZNKSt8_Rb_treeIiiSt9_IdentityIiESt4lessIiESaIiEE4findERKi +__ZN8Security20AclValidationContext4initEPNS_9ObjectAclEPNS_10AclSubjectE +__ZN8Security20AclValidationContext8entryTagERKSs __ZNK8Security16SimpleAclSubject8validateERKNS_20AclValidationContextE __ZNK21BaseValidationContext5countEv __ZNK21BaseValidationContext6sampleEj 
@@ -1182,15 +790,123 @@ __ZNK8Security11ListElement4wordEv __ZNK8Security19ThresholdAclSubject8validateERKNS_20AclValidationContextERKNS_9TypedListE __ZNK8Security23CodeSignatureAclSubject8validateERKNS_20AclValidationContextE __ZTv0_n48_N25SecurityServerEnvironment19verifyCodeSignatureERKN8Security11OSXVerifierERKNS0_20AclValidationContextE -__ZN25SecurityServerEnvironment19verifyCodeSignatureERKN8Security11OSXVerifierERKNS0_20AclValidationContextE __ZN14CodeSignatures6verifyER7ProcessRKN8Security11OSXVerifierERKNS2_20AclValidationContextE -__ZN24SublistValidationContextD2Ev +__ZN8Security20AclValidationContextD2Ev __ZNK21BaseValidationContext7matchedEPKN8Security9TypedListE +__ZN25SecurityServerEnvironmentD1Ev +__ZN8Security24AclValidationEnvironmentD2Ev +__ZNK16KeychainDatabase6commonEv +__ZN8Security10CssmClient7Context8overrideERKNS_7ContextE +__ZL12_XreleaseKeyP17mach_msg_header_tS0_ +__Z22ucsp_server_releaseKeyjj13audit_token_tPij +__ZN8Database10releaseKeyER3Key +__ZN11KeychainKeyD0Ev __ZN8Security19ThresholdAclSubjectD0Ev __ZN24KeychainPromptAclSubjectD0Ev -__ZN8Security16SimpleAclSubjectD2Ev __ZN8Security23CodeSignatureAclSubjectD0Ev __ZN8Security11OSXVerifierD2Ev __ZN8Security11OSXVerifier6AuxMapD2Ev __ZNSt8_Rb_treeIjSt4pairIKjPN8Security8BlobCoreEESt10_Select1stIS5_ESt4lessIjESaIS5_EE8_M_eraseEPSt13_Rb_tree_nodeIS5_E -__ZThn16_N7ProcessD0Ev +__ZN8LocalKeyD2Ev +__ZN3KeyD2Ev +__ZL18_XpostNotificationP17mach_msg_header_tS0_ +__Z28ucsp_server_postNotificationjj13audit_token_tPijjPvjj +__ZN8Listener6notifyEjjjRKN8Security8CssmDataE +__ZN8Listener12JitterBuffer10inSequenceEPNS_12NotificationE +__ZN8Listener12JitterBuffer15popNotificationEv +__ZNSt8_Rb_treeIjSt4pairIKjN8Security10RefPointerIN8Listener12NotificationEEEESt10_Select1stIS7_ESt4lessIjESaIS7_EE4findERS1_ +__ZL26_XauthorizationExternalizeP17mach_msg_header_tS0_ +__Z36ucsp_server_authorizationExternalizejj13audit_token_tPiN8Security14SecurityServer17AuthorizationBlobEP25AuthorizationExter 
+__ZN7Session15authExternalizeERKN8Security14SecurityServer17AuthorizationBlobER25AuthorizationExternalForm +__ZNK18AuthorizationToken14mayExternalizeER7Process +__ZL26_XauthorizationInternalizeP17mach_msg_header_tS0_ +__Z36ucsp_server_authorizationInternalizejj13audit_token_tPi25AuthorizationExternalFormPN8Security14SecurityServer17Authorizati +__ZN7Session15authInternalizeERK25AuthorizationExternalFormRN8Security14SecurityServer17AuthorizationBlobE +__ZN18AuthorizationToken14mayInternalizeER7Processb +__ZL10_XisLockedP17mach_msg_header_tS0_ +__Z20ucsp_server_isLockedjj13audit_token_tPijPj +__ZN14CodeSignatures28matchSignedClientToLegacyACLER7ProcessP9__SecCodeRKN8Security11OSXVerifierERKNS4_20AclValidationContextE +__ZN17SecurityServerAcl21looksLikeLegacyDotMacERKN8Security20AclValidationContextE +__ZN8Security8cfStringEPK10__CFStringb +__ZL4trimSsc +__ZL11_XunwrapKeyP17mach_msg_header_tS0_ +__Z21ucsp_server_unwrapKeyjj13audit_token_tPijPvjjS1_jS1_jjS1_jjjPS1_PjS3_S2_S3_ +_xdr_CSSM_KEY_PTR +__ZN6Server16optionalDatabaseEjb +__ZN7Process10localStoreEv +__ZN12TempDatabaseC1ER7Process +__ZN12TempDatabaseC2ER7Process +__Z6pickDbP8DatabaseS0_ +__ZNK12TempDatabase9transientEv +__ZN13LocalDatabase9unwrapKeyERKN8Security7ContextEPKNS0_17AccessCredentialsEPKNS0_17AclEntryPrototypeEP3KeySB_jjNS0_7CssmKeyER +__ZN8Security10CssmClient7Context4credEPK23cssm_access_credentials +__ZN8Security10CssmClient7Context3setINS_17AccessCredentialsEEEvjRKT_ +__ZN8LocalKey7KeySpecC1Ejj +__ZN12TempDatabase7makeKeyERKN8Security7CssmKeyEjPKNS0_17AclEntryPrototypeE +__ZN7TempKeyC2ER8DatabaseRKN8Security7CssmKeyEjPKNS2_17AclEntryPrototypeE +__ZN8LocalKeyC2ER8DatabaseRKN8Security7CssmKeyEj +__ZN8LocalKey5setupERKN8Security7CssmKeyEj +__ZN8LocalKey8setOwnerEPKN8Security17AclEntryPrototypeE +__ZThn160_N7TempKey3aclEv +__ZN8Security9ObjectAcl14cssmSetInitialERKNS_10RefPointerINS_10AclSubjectEEE +__ZN8Security9ObjectAcl5EntryC2ERKNS_10RefPointerINS_10AclSubjectEEE 
+__ZN8Security9ObjectAcl8AclEntryC2ERKNS_10RefPointerINS_10AclSubjectEEE +__ZN8Security10RefPointerI3KeyE10setPointerEPS1_ +__ZL17_XverifySignatureP17mach_msg_header_tS0_ +__Z27ucsp_server_verifySignaturejj13audit_token_tPiPvjjjS1_jS1_j +__ZN13LocalDatabase15verifySignatureERKN8Security7ContextER3KeyjRKNS0_8CssmDataES8_ +__ZN8Security10CssmClient6VerifyC1ERKNS0_3CSPEjj +__ZN8Security10CssmClient6Verify6verifyEPKNS_8CssmDataEjRS3_ +__ZN8Security10CssmClient14SigningContext8activateEv +__ZN8Security10CssmClient14SigningContextD2Ev +__ZThn16_N7TempKeyD0Ev +__ZN7TempKeyD0Ev +__ZThn16_N16KeychainDatabaseD0Ev +__ZThn16_N12TempDatabaseD0Ev +__ZNSt8_Rb_treeIjSt4pairIKjN20ClientIdentification10GuestStateEESt10_Select1stIS4_ESt4lessIjESaIS4_EE15_M_destroy_nodeEPSt13_Rb +__ZL13_XhostingPortP17mach_msg_header_tS0_ +__Z23ucsp_server_hostingPortjj13audit_token_tPiiPj +__ZNK6Server7findPidEi +__ZNKSt8_Rb_treeIiSt4pairIKiP7ProcessESt10_Select1stIS4_ESt4lessIiESaIS4_EE4findERS1_ +__ZNSt6vectorIN13Authorization11AuthItemRefESaIS1_EE9push_backERKS1_ +__ZNK13Authorization8RuleImpl12evaluateUserERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEjdPKSt3setINS_10CredentialESt4lessI +__ZNK13Authorization8RuleImpl26evaluateCredentialForRightERK18AuthorizationTokenRKNS_11AuthItemRefERKNS_4RuleERKNS_11AuthItemSe +__ZNK13Authorization8RuleImpl30evaluateUserCredentialForRightERK18AuthorizationTokenRKNS_11AuthItemRefERKNS_4RuleERKNS_11AuthIt +__ZNK13Authorization14CredentialImpl12creationTimeEv +__ZNSt8_Rb_treeISsSt4pairIKSsSsESt10_Select1stIS2_ESt4lessISsESaIS2_EE7_M_copyEPKSt13_Rb_tree_nodeIS2_EPSA_ +__ZNSt8_Rb_treeISsSt4pairIKSsSsESt10_Select1stIS2_ESt4lessISsESaIS2_EE14_M_create_nodeERKS2_ +__ZN9__gnu_cxx13new_allocatorISt4pairIKSsSsEE9constructEPS3_RKS3_ +__ZNSt4pairIKSsSsEC2ERKS1_ +__ZNSt8_Rb_treeISsSt4pairIKSsSsESt10_Select1stIS2_ESt4lessISsESaIS2_EE15_M_destroy_nodeEPSt13_Rb_tree_nodeIS2_E +__ZNSt4pairIKSsSsED2Ev 
+__ZNK13Authorization8RuleImpl22evaluateAuthenticationERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEjdPKSt3setINS_10Credentia +__ZNK13Authorization8RuleImpl20evaluateSessionOwnerERKNS_11AuthItemRefERKNS_4RuleERKNS_11AuthItemSetEdRK18AuthorizationTokenRNS +__ZNK7Session13originatorUidEv +__ZN8Security10RefPointerIN13Authorization14CredentialImplEE10setPointerEPS2_ +__ZN18AuthorizationToken12scrubInfoSetEb +__ZN8Security14CommonCriteria9Securityd25RightAuthenticationLogger10logSuccessEjjPKc +__ZN18AuthorizationToken17setCredentialInfoERKN13Authorization10CredentialEb +__ZNK13Authorization8RuleImpl13evaluateRulesERKNS_11AuthItemRefERKNS_4RuleERNS_11AuthItemSetEjdPKSt3setINS_10CredentialESt4less +__ZL22_XauthorizationReleaseP17mach_msg_header_tS0_ +__Z32ucsp_server_authorizationReleasejj13audit_token_tPiN8Security14SecurityServer17AuthorizationBlobEj +__ZN7Session8authFreeERKN8Security14SecurityServer17AuthorizationBlobEj +__ZN18AuthorizationToken7DeleterC1ERKN8Security14SecurityServer17AuthorizationBlobE +__ZN18AuthorizationToken7DeleterC2ERKN8Security14SecurityServer17AuthorizationBlobE +__ZN7Process19removeAuthorizationEP18AuthorizationToken +__ZN18AuthorizationToken10endProcessER7Process +__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseERKS1_ +__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE5eraseESt17_Rb_tree_iteratorIS1_ES9_ +__ZNSt8_Rb_treeIP7ProcessS1_St9_IdentityIS1_ESt4lessIS1_ESaIS1_EE8_M_eraseEPSt13_Rb_tree_nodeIS1_E +__ZN18AuthorizationToken7Deleter6removeEv +__ZN18AuthorizationTokenD0Ev +__ZN13Authorization14CredentialImpl10invalidateEv +__ZN7Session7destroyEi +__ZL13handleSignalsi +_self_client_handleSignal +__ZL14_XhandleSignalP17mach_msg_header_tS0_ +__Z24self_server_handleSignaljji +__ZN6Server13beginShutdownEv +__ZN7Session19invalidateAuthHostsEv +__ZN7Session26invalidateSessionAuthHostsEv +__ZN8Security6Syslog7warningEPKcz +__ZN8Security12UnixPlusPlus5Child4killEi 
diff --git a/src/server.cpp b/src/server.cpp index b5f2901..0177679 100644 --- a/src/server.cpp +++ b/src/server.cpp @@ -65,15 +65,12 @@ Server::Server(Authority &authority, CodeSignatures &signatures, const char *boo mCSPModule(gGuidAppleCSP, mCssm), mCSP(mCSPModule), mAuthority(authority), mCodeSignatures(signatures), - mAudit(geteuid(), getpid()), mVerbosity(0), mWaitForClients(true), mShuttingDown(false) { // make me eternal (in the object mesh) ref(); - mAudit.registerSession(); - // engage the subsidiary port handler for sleep notifications add(sleepWatcher); } @@ -99,6 +96,7 @@ Connection &Server::connection(mach_port_t port, audit_token_t &auditToken) Server &server = active(); StLock _(server); Connection *conn = server.mConnections.get(port, CSSM_ERRCODE_INVALID_CONTEXT_HANDLE); + conn->process().checkSession(auditToken); active().mCurrentConnection() = conn; conn->beginWork(auditToken); return *conn; 
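Review bot: The added `conn->process().checkSession(auditToken);` in Server::connection has no comment, although it is the line that re-derives a client's session binding from the audit token on each request. A one-line comment such as `// re-check the caller's audit session; session changes are discovered from request audit tokens` would tie it to the rationale in the new session.cpp header. The call runs with the server lock held, so the comment could also say whether checkSession may block; its body is not part of this hunk. Server::connection starts above the hunk.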
@@ -221,27 +219,27 @@ boolean_t Server::handle(mach_msg_header_t *in, mach_msg_header_t *out) // Everything at and below that level is constructed. This is straight-forward except // in the case of session re-initialization (see below). // -void Server::setupConnection(ConnectLevel type, Port servicePort, Port replyPort, Port taskPort, - const audit_token_t &auditToken, const ClientSetupInfo *info, const char *identity) +void Server::setupConnection(ConnectLevel type, Port replyPort, Port taskPort, + const audit_token_t &auditToken, const ClientSetupInfo *info) { + AuditToken audit(auditToken); + // first, make or find the process based on task port StLock _(*this); RefPointer &proc = mProcesses[taskPort]; - if (type == connectNewSession && proc) { - // The client has talked to us before and now wants to create a new session. - proc->changeSession(servicePort); - } + if (proc && proc->session().sessionId() != audit.sessionId()) + proc->changeSession(audit.sessionId()); if (proc && type == connectNewProcess) { // the client has amnesia - reset it - assert(info && identity); - proc->reset(servicePort, taskPort, info, identity, AuditToken(auditToken)); - proc->changeSession(servicePort); + assert(info); + proc->reset(taskPort, info, audit); + proc->changeSession(audit.sessionId()); } if (!proc) { if (type == connectNewThread) // client error (or attack) CssmError::throwMe(CSSM_ERRCODE_INTERNAL_ERROR); - assert(info && identity); - proc = new Process(servicePort, taskPort, info, identity, AuditToken(auditToken)); + assert(info); + proc = new Process(taskPort, info, audit); notifyIfDead(taskPort); mPids[proc->pid()] = proc; } @@ -270,6 +268,7 @@ void Server::endConnection(Port replyPort) mConnections.erase(it); } + // // Handling dead-port notifications. // This receives DPNs for all kinds of ports we're interested in. 
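Review bot: `assert(info);` is the only guard on `info` in both the reset branch and the `new Process(taskPort, info, audit)` branch of setupConnection, and an assert is compiled out when NDEBUG is defined. The server.h declaration in this commit still defaults `info` to NULL, and the neighbouring `connectNewThread` branch already treats a malformed request as "client error (or attack)" and throws. The same treatment fits here: `if (!info) CssmError::throwMe(CSSM_ERRCODE_INTERNAL_ERROR);`. Whether a client can actually arrive with a null `info` depends on the callers, which this hunk does not show.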
@@ -277,8 +276,8 @@ void Server::endConnection(Port replyPort) void Server::notifyDeadName(Port port) { // We need the lock to get a proper iterator on mConnections or mProcesses, - // but must release it before we call abort or kill, as these might also - // need the server lock + // but must release it before we call abort or kill, as these might take + // unbounded time, including calls out to token daemons etc. StLock serverLock(*this); secdebug("SSports", "port %d is dead", port.port()); @@ -288,10 +287,10 @@ void Server::notifyDeadName(Port port) if (conIt != mConnections.end()) { SECURITYD_PORTS_DEAD_CONNECTION(port); RefPointer con = conIt->second; - mConnections.erase(conIt); + mConnections.erase(conIt); serverLock.unlock(); con->abort(); - return; + return; } // is it a process? @@ -299,8 +298,8 @@ void Server::notifyDeadName(Port port) if (procIt != mProcesses.end()) { SECURITYD_PORTS_DEAD_PROCESS(port); RefPointer proc = procIt->second; - mPids.erase(proc->pid()); - mProcesses.erase(procIt); + mPids.erase(proc->pid()); + mProcesses.erase(procIt); serverLock.unlock(); // The kill may take some time; make sure there is a spare thread around // to prevent deadlocks @@ -322,8 +321,6 @@ void Server::notifyDeadName(Port port) void Server::notifyNoSenders(Port port, mach_port_mscount_t) { SECURITYD_PORTS_DEAD_SESSION(port); - secdebug("SSports", "port %d no senders", port.port()); - Session::destroy(port); } 
@@ -380,6 +377,24 @@ kern_return_t self_server_handleSignal(mach_port_t sport, } +kern_return_t self_server_handleSession(mach_port_t sport, + mach_port_t taskPort, uint32_t event, uint64_t ident) +{ + try { + if (taskPort != mach_task_self()) { + Syslog::error("handleSession: received from someone other than myself"); + return KERN_SUCCESS; + } + if (event == AUE_SESSION_CLOSE) + Session::destroy(ident); + } catch(...) { + secdebug("SS", "exception handling a signal (ignored)"); + } + mach_port_deallocate(mach_task_self(), taskPort); + return KERN_SUCCESS; +} + + // // Notifier for system sleep events // diff --git a/src/server.h b/src/server.h index f3c5b4c..2c534b0 100644 --- a/src/server.h +++ b/src/server.h @@ -141,13 +141,11 @@ public: public: // set up a new connection enum ConnectLevel { - connectNewSession, connectNewProcess, connectNewThread }; - void setupConnection(ConnectLevel type, Port servicePort, Port replyPort, Port taskPort, - const audit_token_t &auditToken, - const ClientSetupInfo *info = NULL, const char *executablePath = NULL); + void setupConnection(ConnectLevel type, Port replyPort, Port taskPort, const audit_token_t &auditToken, + const ClientSetupInfo *info = NULL); void endConnection(Port replyPort); @@ -219,9 +217,6 @@ private: Authority &mAuthority; CodeSignatures &mCodeSignatures; - - // Per-process audit initialization - CommonCriteria::AuditSession mAudit; // busy state for primary state authority unsigned int mVerbosity; diff --git a/src/session.cpp b/src/session.cpp index 704cf90..d7cecbf 100644 --- a/src/session.cpp +++ b/src/session.cpp 
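Review bot: In self_server_handleSession the early `return KERN_SUCCESS;` on the `taskPort != mach_task_self()` path skips the `mach_port_deallocate(mach_task_self(), taskPort);` at the end of the function, so each rejected message appears to leave one port reference held by the daemon. Folding the check into the event test keeps the cleanup on every path: `if (taskPort != mach_task_self()) Syslog::error("handleSession: received from someone other than myself");` followed by `else if (event == AUE_SESSION_CLOSE) Session::destroy(ident);`. The catch-all's debug text, `exception handling a signal (ignored)`, looks carried over from the signal handler and should name the session event instead.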
@@ -25,11 +25,16 @@ // // session - authentication session domains // -// A Session is defined by a mach_init bootstrap dictionary. These dictionaries are -// hierarchical and inherited, so they work well for characterization of processes -// that "belong" together. (Of course, if your mach_init is broken, you're in bad shape.) +// Security sessions are now by definition congruent to audit subsystem sessions. +// We represent these sessions within securityd as subclasses of class Session, +// but we reach for the kernel's data whenever we're not sure if our data is +// up to date. // -// Sessions are multi-threaded objects. +// Modifications to session state are made from client space using system calls. +// We discover them when we see changes in audit records as they come in with +// new requests. We cannot use system notifications for such changes because +// securityd is fully symmetrically multi-threaded, and thus may process new +// requests from clients before it gets those notifications. // #include #include // SIGTERM 
@@ -40,25 +45,37 @@ #include "server.h" #include +using namespace CommonCriteria; + + // // The static session map // -PortMap Session::mSessions; +Session::SessionMap Session::mSessions; +Mutex Session::mSessionLock(Mutex::recursive); + + +const char Session::kUsername[] = "username"; +const char Session::kRealname[] = "realname"; -std::string Session::kUsername = "username"; -std::string Session::kRealname = "realname"; // // Create a Session object from initial parameters (create) // -Session::Session(Bootstrap bootstrap, Port servicePort, SessionAttributeBits attrs) - : mBootstrap(bootstrap), mServicePort(servicePort), - mAttributes(attrs), mSecurityAgent(NULL), mAuthHost(NULL) +Session::Session(const AuditInfo &audit, Server &server) + : mAudit(audit), mSecurityAgent(NULL), mAuthHost(NULL) { - secdebug("SSsession", "%p CREATED: handle=%#x bootstrap=%d service=%d attrs=%#x", - this, handle(), mBootstrap.port(), mServicePort.port(), uint32_t(mAttributes)); - SECURITYD_SESSION_CREATE(this, attrs, servicePort); - Syslog::notice("Session 0x%lx created", this->handle()); + // link to Server as the global nexus in the object mesh + parent(server); + + // self-register + StLock _(mSessionLock); + assert(!mSessions[audit.sessionId()]); + mSessions[audit.sessionId()] = this; + + // log it + SECURITYD_SESSION_CREATE(this, this->sessionId(), &mAudit, sizeof(mAudit)); + Syslog::notice("Session %d created", this->sessionId()); } 
@@ -67,64 +84,60 @@ Session::Session(Bootstrap bootstrap, Port servicePort, SessionAttributeBits att // Session::~Session() { - secdebug("SSsession", "%p DESTROYED: handle=%#x bootstrap=%d", - this, handle(), mBootstrap.port()); - Syslog::notice("Session 0x%lx destroyed", this->handle()); + SECURITYD_SESSION_DESTROY(this, this->sessionId()); + Syslog::notice("Session %d destroyed", this->sessionId()); } // -// Locate a session object by service port or (Session API) identifier +// Locate a session object by session identifier // -Session &Session::find(Port servicePort) +Session &Session::find(pid_t id, bool create) { - StLock _(mSessions); - PortMap::const_iterator it = mSessions.find(servicePort); - assert(it != mSessions.end()); - return *it->second; -} + if (id == callerSecuritySession) + return Server::session(); + StLock _(mSessionLock); + SessionMap::iterator it = mSessions.find(id); + if (it != mSessions.end()) + return *it->second; -Session &Session::find(SecuritySessionId id) -{ - switch (id) { - case callerSecuritySession: - return Server::session(); - default: - try { - return U32HandleObject::find(id, CSSMERR_CSSM_INVALID_ADDIN_HANDLE); - } catch (const CommonError &err) { - Syslog::warning("Session::find(%#x) failed rcode=%d", id, err.osStatus()); - for (PortMap::const_iterator it = mSessions.begin(); it != mSessions.end(); ++it) - Syslog::notice(" Valid sessions include %#x attrs=%#x", - it->second->handle(), it->second->attributes()); - throw; - } - } + // new session + if (!create) + CssmError::throwMe(errSessionInvalidId); + AuditInfo info; + info.get(id); + assert(info.sessionId() == id); + RefPointer session = new DynamicSession(info); + mSessions.insert(make_pair(id, session)); + return *session; } // -// Act on a death notification for a session's (sub)bootstrap port. +// Act on a death notification for a session's underlying audit session object. 
// We may not destroy the Session outright here (due to processes that use it), // but we do clear out its accumulated wealth. +// Note that we may get spurious death notifications for audit sessions that we +// never learned about. Ignore those. // -void Session::destroy(Port servPort) +void Session::destroy(SessionId id) { // remove session from session map - StLock _(mSessions); - PortMap::iterator it = mSessions.find(servPort); - assert(it != mSessions.end()); - RefPointer session = it->second; - SECURITYD_SESSION_DESTROY(session); - Syslog::notice("Session 0x%lx dead", session->handle()); - mSessions.erase(it); - session->kill(); + StLock _(mSessionLock); + SessionMap::iterator it = mSessions.find(id); + if (it != mSessions.end()) { + RefPointer session = it->second; + assert(session->sessionId() == id); + mSessions.erase(it); + session->kill(); + } } + void Session::kill() { StLock _(*this); // do we need to take this so early? - + SECURITYD_SESSION_KILL(this, this->sessionId()); invalidateSessionAuthHosts(); // invalidate shared credentials @@ -142,6 +155,24 @@ void Session::kill() PerSession::kill(); } + +// +// Refetch audit session data for the current audit session (to catch outside updates +// to the audit record). This is the price we're paying for not requiring an IPC to +// securityd when audit session data changes (this is desirable for delayering the +// software layer cake). +// If we ever disallow changes to (parts of the) audit session record in the kernel, +// we can loosen up on this continual re-fetching. +// +void Session::updateAudit() const +{ + mAudit.get(mAudit.sessionId()); +} + + +// +// Manage authorization client processes +// void Session::invalidateSessionAuthHosts() { StLock _(mAuthHostLock); 
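Review bot: Session::find ties the requested `id` to the kernel's answer only with `assert(info.sessionId() == id);`, so a build without asserts registers whatever `info.get(id)` returned. Assuming DynamicSession goes through the Session constructor in the previous hunk, the object is already registered under `audit.sessionId()` there, and `mSessions.insert(make_pair(id, session));` then either does nothing (same key, if SessionMap is a std::map) or files the session under a second key. A runtime check, `if (info.sessionId() != id) CssmError::throwMe(errSessionInvalidId);`, together with dropping the second insert, would make the map's invariant explicit. The parameter is also typed `pid_t`, while Session::destroy in the same hunk takes `SessionId` for the same value.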
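Review bot: Session::updateAudit() rewrites `mAudit` in place from a `const` method and the hunk shows no lock around it, while the header comment added by this commit describes securityd as fully symmetrically multi-threaded. If callers are expected to hold the session lock, say so next to the function, for example `// caller holds the Session lock; mAudit is refreshed in place`. If they are not, concurrent readers of `mAudit` may see a partly updated record. The call sites are outside this hunk, so this needs confirming against them.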
@@ -156,8 +187,8 @@ void Session::invalidateSessionAuthHosts() void Session::invalidateAuthHosts() { - StLock _(mSessions); - for (PortMap::const_iterator it = mSessions.begin(); it != mSessions.end(); it++) + StLock _(mSessionLock); + for (SessionMap::const_iterator it = mSessions.begin(); it != mSessions.end(); it++) it->second->invalidateSessionAuthHosts(); } @@ -166,8 +197,8 @@ void Session::invalidateAuthHosts() // void Session::processSystemSleep() { - StLock _(mSessions); - for (PortMap::const_iterator it = mSessions.begin(); it != mSessions.end(); it++) + StLock _(mSessionLock); + for (SessionMap::const_iterator it = mSessions.begin(); it != mSessions.end(); it++) it->second->allReferences(&DbCommon::sleepProcessing); } 
@@ -180,126 +211,30 @@ void Session::processLockAll() allReferences(&DbCommon::lockProcessing); } -// -// The root session inherits the startup bootstrap and service port -// -RootSession::RootSession(Server &server, SessionAttributeBits attrs) - : Session(Bootstrap(), server.primaryServicePort(), - sessionIsRoot | sessionWasInitialized | attrs) -{ - parent(server); // the Server is our parent - ref(); // eternalize - - // self-install (no thread safety issues here) - mSessions[mServicePort] = this; -} - -// -// Dynamic sessions use the given bootstrap and re-register in it -// -DynamicSession::DynamicSession(TaskPort taskPort) - : ReceivePort(Server::active().bootstrapName(), taskPort.bootstrap(), false), - Session(taskPort.bootstrap(), *this), - mOriginatorTask(taskPort), mHaveOriginatorUid(false) -{ - // link to Server as the global nexus in the object mesh - parent(Server::active()); - - // tell the server to listen to our port - Server::active().add(*this); - - // register for port notifications - Server::active().notifyIfDead(bootstrapPort()); //@@@??? still needed? - Server::active().notifyIfUnused(*this); - - // self-register - StLock _(mSessions); - assert(!mSessions[*this]); // can't be registered already (we just made it) - mSessions[*this] = this; - - secdebug("SSsession", "%p dynamic session originator=%d (pid=%d)", - this, mOriginatorTask.port(), taskPort.pid()); -} - -DynamicSession::~DynamicSession() -{ - // remove our service port from the server - Server::active().remove(*this); -} - - -void DynamicSession::kill() -{ - StLock _(*this); - mBootstrap.destroy(); // release our bootstrap port - Session::kill(); // continue with parent kill -} - - -// -// Set up a DynamicSession. -// This call must be made from a process within the session, and it must be the first -// such process to make the call. 
-// -void DynamicSession::setupAttributes(SessionCreationFlags flags, SessionAttributeBits attrs) -{ - StLock _(*this); - SECURITYD_SESSION_SETATTR(this, attrs); - Syslog::notice("Session 0x%lx attributes 0x%x", this->handle(), attrs); - secdebug("SSsession", "%p setup flags=%#x attrs=%#x", this, uint32_t(flags), uint32_t(attrs)); - if (attrs & ~settableAttributes) - MacOSError::throwMe(errSessionInvalidAttributes); - checkOriginator(); - if (attribute(sessionWasInitialized)) - MacOSError::throwMe(errSessionAuthorizationDenied); - setAttributes(attrs | sessionWasInitialized); -} - // -// Check whether the calling process is the session originator. -// If it's not, throw. +// The root session corresponds to the audit session that security is running in. +// This is usually the initial system session; but in debug scenarios it may be +// an "ordinary" graphic login session. In such a debug case, we may add attribute +// flags to the session to make our (debugging) life easier. // -void DynamicSession::checkOriginator() +RootSession::RootSession(uint64_t attributes, Server &server) + : Session(AuditInfo::current(), server) { - if (mOriginatorTask != Server::process().taskPort()) - MacOSError::throwMe(errSessionAuthorizationDenied); + ref(); // eternalize + mAudit.ai_flags |= attributes; // merge imposed attributes } // -// The "originator uid" is a uid value that can be provided by the session originator -// and retrieved by anyone. Securityd places no semantic meaning on this value. +// Dynamic sessions use the audit session context of the first-contact client caller. 
// -uid_t DynamicSession::originatorUid() const +DynamicSession::DynamicSession(const AuditInfo &audit) + : Session(audit, Server::active()) { - if (mHaveOriginatorUid) - return mOriginatorUid; - else - MacOSError::throwMe(errSessionValueNotSet); } -void DynamicSession::originatorUid(uid_t uid) -{ - checkOriginator(); - if (mHaveOriginatorUid) // must not re-set this - MacOSError::throwMe(errSessionAuthorizationDenied); - mHaveOriginatorUid = true; - mOriginatorUid = uid; - - Server::active().longTermActivity(); - struct passwd *pw = getpwuid(uid); - - if (pw != NULL) { - - mOriginatorCredential = Credential(uid, pw->pw_name ? pw->pw_name : "", pw->pw_gecos ? pw->pw_gecos : "", "", true/*shared*/); - endpwent(); - } - - secdebug("SSsession", "%p session uid set to %d", this, uid); -} - // // Authorization operations // @@ -420,7 +355,7 @@ OSStatus Session::authExternalize(const AuthorizationBlob &authBlob, AuthorizationExternalBlob &extBlob = reinterpret_cast(extForm); extBlob.blob = auth.handle(); - extBlob.session = bootstrapPort(); + extBlob.session = this->sessionId(); secdebug("SSauth", "Authorization %p externalized", &auth); return noErr; } else @@ -449,6 +384,18 @@ OSStatus Session::authInternalize(const AuthorizationExternalForm &extForm, } +// +// Accessor method for setting audit session flags. +// +void Session::setAttributes(SessionAttributeBits bits) +{ + StLock _(*this); + updateAudit(); + assert((bits & ~settableAttributes) == 0); + mAudit.ai_flags = bits; + mAudit.set(); +} + // // The default session setup operation always fails. // Subclasses can override this to support session setup calls. @@ -618,7 +565,6 @@ Session::authhost(const AuthHostType hostType, const bool restart) void DynamicSession::setUserPrefs(CFDataRef userPrefsDict) { - checkOriginator(); if (Server::process().uid() != 0) MacOSError::throwMe(errSessionAuthorizationDenied); StLock _(*this); 
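Review bot: The flags merged in `RootSession::RootSession` with `mAudit.ai_flags |= attributes;` exist only in the in-memory copy, while `Session::attributes()` in session.h calls `updateAudit()`, which runs `mAudit.get(mAudit.sessionId())`, before every read. If that `get()` reloads `ai_flags` from the kernel record (AuditInfo is not visible here, so this is inferred from the comment on `updateAudit`), the imposed attributes are lost on the first read. Either push them with `mAudit.set();` right after the merge, as `Session::setAttributes` does, or add a comment on the merge line saying the flags are deliberately transient.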
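Review bot: In `Session::setAttributes` the only check on the incoming bits is `assert((bits & ~settableAttributes) == 0);`, which is compiled out when NDEBUG is defined, so a release build passes whatever it is given to `mAudit.set()`. The removed `DynamicSession::setupAttributes` rejected such input with an error; `if (bits & ~settableAttributes) MacOSError::throwMe(errSessionInvalidAttributes);` keeps that check in every build. The body also assigns `mAudit.ai_flags = bits;` where the old inline setter OR-ed the bits in, so any flag that `updateAudit()` has just fetched and that is not in `bits` is cleared; if that is not intended, `mAudit.ai_flags |= bits;` preserves them. The callers are outside this hunk, so how far `bits` can be trusted is not visible here.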
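Review bot: With `checkOriginator();` dropped from `DynamicSession::setUserPrefs`, the only remaining gate is `Server::process().uid() != 0`, so any root process can replace the stored preferences, not only the process that created the session. If that widening is intended because audit sessions have no originator task, record it in a comment above the uid check, for example `// any root caller may set prefs; audit sessions have no originator to check`. The rest of the function lies outside the hunk.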
@@ -642,8 +588,8 @@ CFDataRef DynamicSession::copyUserPrefs() void Session::dumpNode() { PerSession::dumpNode(); - Debug::dump(" boot=%d service=%d attrs=%#x authhost=%p securityagent=%p", - mBootstrap.port(), mServicePort.port(), uint32_t(mAttributes), mAuthHost, mSecurityAgent); + Debug::dump(" auid=%d attrs=%#x authhost=%p securityagent=%p", + this->sessionId(), uint32_t(this->attributes()), mAuthHost, mSecurityAgent); } #endif //DEBUGDUMP diff --git a/src/session.h b/src/session.h index 08042ac..fd7111c 100644 --- a/src/session.h +++ b/src/session.h @@ -33,17 +33,13 @@ #include "authority.h" #include "authhost.h" #include +#include #include #include #include - -#if __GNUC__ > 2 -#include -using __gnu_cxx::hash_map; -#else -#include -#endif - +#include +#include +#include class Key; class Connection; 
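Review bot: The new format string in `Session::dumpNode` labels the value `auid=%d`, but the argument is `this->sessionId()`, which session.h defines as the audit session id (`au_asid_t`), not the audit user id. A reader of the debug dump would take the number for a uid; `asid=%d` matches what is actually printed.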
@@ -58,38 +54,34 @@ class AuthHostInstance; // with a modicum of security, and so Sessions are the natural nexus of // single-sign-on functionality. // -class Session : public U32HandleObject, public PerSession { +class Session : public PerSession { public: - typedef MachPlusPlus::Bootstrap Bootstrap; + typedef au_asid_t SessionId; // internal session identifier (audit session id) - Session(Bootstrap bootstrap, Port servicePort, SessionAttributeBits attrs = 0); + Session(const CommonCriteria::AuditInfo &audit, Server &server); virtual ~Session(); - Bootstrap bootstrapPort() const { return mBootstrap; } - Port servicePort() const { return mServicePort; } + SessionId sessionId() const { return mAudit.sessionId(); } + CommonCriteria::AuditInfo &auditInfo() { return mAudit; } IFDUMP(virtual void dumpNode()); public: static const SessionAttributeBits settableAttributes = - sessionHasGraphicAccess | sessionHasTTY | sessionIsRemote; + sessionHasGraphicAccess | sessionHasTTY | sessionIsRemote | AU_SESSION_FLAG_HAS_AUTHENTICATED; - SessionAttributeBits attributes() const { return mAttributes; } - bool attribute(SessionAttributeBits bits) const { return mAttributes & bits; } + SessionAttributeBits attributes() const { updateAudit(); return mAudit.ai_flags; } + bool attribute(SessionAttributeBits bits) const { return attributes() & bits; } + void setAttributes(SessionAttributeBits bits); virtual void setupAttributes(SessionCreationFlags flags, SessionAttributeBits attrs); - virtual bool haveOriginatorUid() const = 0; - virtual uid_t originatorUid() const = 0; - Credential originatorCredential() const { return mOriginatorCredential; } + virtual uid_t originatorUid() const { updateAudit(); return mAudit.uid(); } virtual CFDataRef copyUserPrefs() = 0; - static std::string kUsername; - static std::string kRealname; - -protected: - void setAttributes(SessionAttributeBits attrs) { mAttributes |= attrs; } + static const char kUsername[]; + static const char kRealname[]; public: 
const CredentialSet &authCredentials() const { return mSessionCreds; } @@ -119,10 +111,13 @@ public: // authCheckRight() with exception-handling and Boolean return semantics bool isRightAuthorized(string &rightName, Connection &connection, bool allowUI); +protected: + void updateAudit() const; + private: struct AuthorizationExternalBlob { AuthorizationBlob blob; - mach_port_t session; + uint32_t session; }; protected: @@ -133,10 +128,6 @@ protected: void mergeCredentials(CredentialSet &creds); public: - static Session &find(Port servPort); - static Session &find(SecuritySessionId id); - template static SessionType &find(SecuritySessionId id); - static void destroy(Port servPort); void invalidateSessionAuthHosts(); // invalidate auth hosts in this session static void invalidateAuthHosts(); // invalidate auth hosts in all sessions @@ -146,12 +137,10 @@ public: RefPointer authhost(const AuthHostType hostType = securityAgent, const bool restart = false); protected: - Bootstrap mBootstrap; // session bootstrap port - Port mServicePort; // SecurityServer service port for this session - SessionAttributeBits mAttributes; // attribute bits (see AuthSession.h) - - mutable Mutex mCredsLock; // lock for mSessionCreds - CredentialSet mSessionCreds; // shared session authorization credentials + mutable CommonCriteria::AuditInfo mAudit; + + mutable Mutex mCredsLock; // lock for mSessionCreds + CredentialSet mSessionCreds; // shared session authorization credentials mutable Mutex mAuthHostLock; AuthHostInstance *mSecurityAgent; 
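Review bot: `attributes()` and `originatorUid()` now call `updateAudit()` on every read, and that rewrites the `mutable` member `mAudit` from a const method without taking the session lock, whereas `Session::setAttributes` in session.cpp holds `StLock _(*this)` around the same refresh. Two readers on different threads, or a reader racing `setAttributes`, would then touch `mAudit` concurrently unless every caller already holds the lock, which these lines do not show. `auditInfo()` also hands out a non-const reference to the same member. At minimum, state the requirement on the declaration, for example `void updateAudit() const; // refreshes mAudit; caller must hold the Session lock`.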
@@ -161,15 +150,23 @@ protected: Credential mOriginatorCredential; void kill(); - + +public: + static Session &find(SessionId id, bool create); // find and optionally create + template static SessionType &find(SecuritySessionId id); + static void destroy(SessionId id); + protected: - static PortMap mSessions; + typedef std::map > SessionMap; + static SessionMap mSessions; + static Mutex mSessionLock; }; + template SessionType &Session::find(SecuritySessionId id) { - if (SessionType *ssn = dynamic_cast(&find(id))) + if (SessionType *ssn = dynamic_cast(&find(id, false))) return *ssn; else MacOSError::throwMe(errSessionInvalidId); 
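Review bot: `Credential mOriginatorCredential;` stays in the class as a context line, but this commit removes its accessor `originatorCredential()` from session.h and its only visible writer, `DynamicSession::originatorUid(uid_t)`, from session.cpp. If nothing outside these hunks still uses the member, drop it so that no later code reads a credential that is never populated.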
@@ -177,49 +174,31 @@ SessionType &Session::find(SecuritySessionId id) // -// The RootSession is the session (i.e. bootstrap dictionary) of system daemons that are -// started early and don't belong to anything more restrictive. The RootSession is considered -// immortal. -// Currently, telnet sessions et al also default into this session, but this will change -// (we hope). +// The RootSession is the session of all code that originates from system startup processing +// and does not belong to any particular login origin. (Or, if you prefer, whose login origin +// is the system itself.) // class RootSession : public Session { public: - RootSession(Server &server, SessionAttributeBits attrs = 0); + RootSession(uint64_t attributes, Server &server); - bool haveOriginatorUid() const { return true; } - uid_t originatorUid() const { return 0; } CFDataRef copyUserPrefs() { return NULL; } }; // -// A DynamicSession is the default type of session object. We create one when a new -// Connection initializes whose bootstrap port we haven't seen before. These Sessions -// are torn down when their bootstrap object disappears (which happens when mach_init -// destroys it due to its requestor referent vanishing). +// A DynamicSession object represents a session that is dynamically constructed +// when we first encounter it. These sessions are actually created in client +// space using the audit session APIs. +// We tear down a DynamicSession when the system reports (via kevents) that the +// kernel audit session object has been destroyed. 
// class DynamicSession : private ReceivePort, public Session { public: - DynamicSession(TaskPort taskPort); - ~DynamicSession(); - - void setupAttributes(SessionCreationFlags flags, SessionAttributeBits attrs); + DynamicSession(const CommonCriteria::AuditInfo &audit); - bool haveOriginatorUid() const { return mHaveOriginatorUid; } - uid_t originatorUid() const; - void originatorUid(uid_t uid); void setUserPrefs(CFDataRef userPrefsDict); CFDataRef copyUserPrefs(); - -protected: - void checkOriginator(); // fail unless current process is originator - void kill(); // augment parent's kill - -private: - Port mOriginatorTask; // originating process's task port - bool mHaveOriginatorUid; // originator uid was set by session originator - uid_t mOriginatorUid; // uid as set by session originator }; diff --git a/src/transition.cpp b/src/transition.cpp index 09a01b8..65fb0b3 100644 --- a/src/transition.cpp +++ b/src/transition.cpp 
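Review bot: `class DynamicSession : private ReceivePort, public Session` keeps the `ReceivePort` base, yet the new constructor in session.cpp initialises only `Session(audit, Server::active())`, and the destructor that called `Server::active().remove(*this)` is gone. The base is therefore default-constructed for every dynamic session and never registered with the server. If the default constructor of `ReceivePort` allocates a Mach port (not visible here), each session holds an unused receive right. Declaring it as `class DynamicSession : public Session {` would match the new audit-session design.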
@@ -223,45 +223,20 @@ kern_return_t ucsp_server_setup(UCSP_ARGS, mach_port_t taskPort, ClientSetupInfo { BEGIN_IPCN SECURITYD_REQUEST_ENTRY((char*)"setup", NULL, NULL); - Server::active().setupConnection(Server::connectNewProcess, servicePort, replyPort, - taskPort, auditToken, &info, identity); + Server::active().setupConnection(Server::connectNewProcess, replyPort, + taskPort, auditToken, &info); END_IPCN(CSSM) if (*rcode) Syslog::notice("setup(%s) failed rcode=%d", identity ? identity : "", *rcode); return KERN_SUCCESS; } -kern_return_t ucsp_server_setupNew(UCSP_ARGS, mach_port_t taskPort, - ClientSetupInfo info, const char *identity, - mach_port_t *newServicePort) -{ - BEGIN_IPCN - SECURITYD_REQUEST_ENTRY((char*)"setupNew", NULL, NULL); - try { - RefPointer session = new DynamicSession(taskPort); - Server::active().setupConnection(Server::connectNewSession, session->servicePort(), replyPort, - taskPort, auditToken, &info, identity); - *newServicePort = session->servicePort(); - } catch (const MachPlusPlus::Error &err) { - switch (err.error) { - case BOOTSTRAP_SERVICE_ACTIVE: - MacOSError::throwMe(errSessionAuthorizationDenied); // translate - default: - throw; - } - } - END_IPCN(CSSM) - if (*rcode) - Syslog::notice("setupNew(%s) failed rcode=%d", identity ? identity : "", *rcode); - return KERN_SUCCESS; -} kern_return_t ucsp_server_setupThread(UCSP_ARGS, mach_port_t taskPort) { SECURITYD_REQUEST_ENTRY((char*)"setupThread", NULL, NULL); BEGIN_IPCN - Server::active().setupConnection(Server::connectNewThread, servicePort, replyPort, - taskPort, auditToken); + Server::active().setupConnection(Server::connectNewThread, replyPort, taskPort, auditToken); END_IPCN(CSSM) if (*rcode) Syslog::notice("setupThread failed rcode=%d", *rcode); 
@@ -1348,40 +1323,6 @@ kern_return_t ucsp_server_authorizationInternalize(UCSP_ARGS, // // Session management subsystem // -kern_return_t ucsp_server_getSessionInfo(UCSP_ARGS, - SecuritySessionId *sessionId, SessionAttributeBits *attrs) -{ - BEGIN_IPC(getSessionInfo) - Session &session = Session::find(*sessionId); - *sessionId = session.handle(); - *attrs = session.attributes(); - END_IPC(CSSM) -} - -kern_return_t ucsp_server_setupSession(UCSP_ARGS, - SessionCreationFlags flags, SessionAttributeBits attrs) -{ - BEGIN_IPC(setupSession) - Server::process().session().setupAttributes(flags, attrs); - END_IPC(CSSM) -} - -kern_return_t ucsp_server_setSessionDistinguishedUid(UCSP_ARGS, - SecuritySessionId sessionId, uid_t user) -{ - BEGIN_IPC(setSessionDistinguishedUid) - Session::find(sessionId).originatorUid(user); - END_IPC(CSSM) -} - -kern_return_t ucsp_server_getSessionDistinguishedUid(UCSP_ARGS, - SecuritySessionId sessionId, uid_t *user) -{ - BEGIN_IPC(getSessionDistinguishedUid) - *user = Session::find(sessionId).originatorUid(); - END_IPC(CSSM) -} - kern_return_t ucsp_server_setSessionUserPrefs(UCSP_ARGS, SecuritySessionId sessionId, DATA_IN(userPrefs)) { BEGIN_IPC(setSessionuserPrefs) @@ -1400,7 +1341,6 @@ kern_return_t ucsp_server_setSessionUserPrefs(UCSP_ARGS, SecuritySessionId sessi } - // // Notification core subsystem // -- 2.45.2