From a4c2b42a1d48559c73e7dd3ba50aee71b0c6d123 Mon Sep 17 00:00:00 2001
From: Apple <opensource@apple.com>
Date: Thu, 12 Jul 2012 22:14:41 +0000
Subject: [PATCH] securityd-55126.5.tar.gz

---
 etc/authorization.merge             | 378 ++++++++++++++++++++++++++++
 securityd.xcodeproj/project.pbxproj |   8 +-
 src/session.cpp                     |   9 +-
 3 files changed, 390 insertions(+), 5 deletions(-)

diff --git a/etc/authorization.merge b/etc/authorization.merge
index b7b0367..8d59456 100644
--- a/etc/authorization.merge
+++ b/etc/authorization.merge
@@ -7979,6 +7979,371 @@
 	</dict>
 	<key>rules</key>
 	<dict>
+		<key>admin</key>
+		<dict>
+			<key>class</key>
+			<string>user</string>
+			<key>group</key>
+			<string>admin</string>
+			<key>shared</key>
+			<true/>
+		</dict>
+		<key>allow</key>
+		<dict>
+			<key>class</key>
+			<string>allow</string>
+			<key>comment</key>
+			<string>Allow anyone.</string>
+		</dict>
+		<key>appserver-admin</key>
+		<dict>
+			<key>class</key>
+			<string>user</string>
+			<key>group</key>
+			<string>appserveradm</string>
+		</dict>
+		<key>appserver-user</key>
+		<dict>
+			<key>class</key>
+			<string>user</string>
+			<key>group</key>
+			<string>appserverusr</string>
+		</dict>
+		<key>authenticate</key>
+		<dict>
+			<key>class</key>
+			<string>evaluate-mechanisms</string>
+			<key>mechanisms</key>
+			<array>
+				<string>builtin:authenticate</string>
+				<string>builtin:reset-password,privileged</string>
+				<string>builtin:authenticate,privileged</string>
+				<string>PKINITMechanism:auth,privileged</string>
+			</array>
+		</dict>
+		<key>authenticate-admin</key>
+		<dict>
+			<key>class</key>
+			<string>user</string>
+			<key>comment</key>
+			<string>Authenticate as an administrator.</string>
+			<key>group</key>
+			<string>admin</string>
+			<key>shared</key>
+			<true/>
+			<key>timeout</key>
+			<integer>0</integer>
+		</dict>
+		<key>authenticate-admin-30</key>
+		<dict>
+			<key>class</key>
+			<string>user</string>
+			<key>comment</key>
+			<string>Like the default rule, but 
+            credentials remain valid for only 30 seconds after they've 
+            been obtained.  An acquired credential is shared by all clients.
+			</string>
+			<key>group</key>
+			<string>admin</string>
+			<key>shared</key>
+			<true/>
+			<key>timeout</key>
+			<integer>30</integer>
+		</dict>
+		<key>authenticate-appstore-30</key>
+		<dict>
+			<key>class</key>
+			<string>user</string>
+			<key>group</key>
+			<string>_appstore</string>
+			<key>shared</key>
+			<true/>
+			<key>timeout</key>
+			<integer>30</integer>
+		</dict>
+		<key>authenticate-developer</key>
+		<dict>
+			<key>class</key>
+			<string>user</string>
+			<key>comment</key>
+			<string>Authenticate as a developer.</string>
+			<key>group</key>
+			<string>_developer</string>
+			<key>shared</key>
+			<true/>
+			<key>timeout</key>
+			<integer>36000</integer>
+		</dict>
+		<key>authenticate-session-owner</key>
+		<dict>
+			<key>class</key>
+			<string>user</string>
+			<key>comment</key>
+			<string>Authenticate as the session owner.</string>
+			<key>session-owner</key>
+			<true/>
+		</dict>
+		<key>authenticate-session-owner-or-admin</key>
+		<dict>
+			<key>allow-root</key>
+			<false/>
+			<key>class</key>
+			<string>user</string>
+			<key>comment</key>
+			<string>Authenticate either as the owner or as an administrator.</string>
+			<key>group</key>
+			<string>admin</string>
+			<key>session-owner</key>
+			<true/>
+			<key>shared</key>
+			<false/>
+		</dict>
+		<key>authenticate-session-user</key>
+		<dict>
+			<key>class</key>
+			<string>user</string>
+			<key>comment</key>
+			<string>Same as authenticate-session-owner.</string>
+			<key>session-owner</key>
+			<true/>
+		</dict>
+		<key>default</key>
+		<dict>
+			<key>class</key>
+			<string>user</string>
+			<key>comment</key>
+			<string>Default rule.	
+            Credentials remain valid for 5 minutes after they've been obtained. 
+            An acquired credential is shared by all clients.
+			</string>
+			<key>group</key>
+			<string>admin</string>
+			<key>shared</key>
+			<true/>
+			<key>timeout</key>
+			<integer>300</integer>
+		</dict>
+		<key>entitled</key>
+		<dict>
+			<key>class</key>
+			<string>evaluate-mechanisms</string>
+			<key>mechanisms</key>
+			<array>
+				<string>builtin:entitled,privileged</string>
+			</array>
+			<key>tries</key>
+			<integer>1</integer>
+		</dict>
+		<key>entitled-admin</key>
+		<dict>
+			<key>class</key>
+			<string>rule</string>
+			<key>k-of-n</key>
+			<integer>2</integer>
+			<key>rule</key>
+			<array>
+				<string>is-admin</string>
+				<string>entitled</string>
+			</array>
+		</dict>
+		<key>entitled-admin-or-authenticate-admin</key>
+		<dict>
+			<key>class</key>
+			<string>rule</string>
+			<key>k-of-n</key>
+			<integer>1</integer>
+			<key>rule</key>
+			<array>
+				<string>entitled-admin</string>
+				<string>authenticate-admin-30</string>
+			</array>
+		</dict>
+		<key>entitled-appstore</key>
+		<dict>
+			<key>class</key>
+			<string>rule</string>
+			<key>k-of-n</key>
+			<integer>2</integer>
+			<key>rule</key>
+			<array>
+				<string>is-appstore</string>
+				<string>entitled</string>
+			</array>
+		</dict>
+		<key>entitled-appstore-or-entitled-authenticate-appstore</key>
+		<dict>
+			<key>class</key>
+			<string>rule</string>
+			<key>k-of-n</key>
+			<integer>1</integer>
+			<key>rule</key>
+			<array>
+				<string>entitled-appstore</string>
+				<string>entitled-authenticate-appstore</string>
+			</array>
+		</dict>
+		<key>entitled-authenticate-admin</key>
+		<dict>
+			<key>class</key>
+			<string>rule</string>
+			<key>k-of-n</key>
+			<integer>2</integer>
+			<key>rule</key>
+			<array>
+				<string>entitled</string>
+				<string>authenticate-admin-30</string>
+			</array>
+		</dict>
+		<key>entitled-authenticate-appstore</key>
+		<dict>
+			<key>class</key>
+			<string>rule</string>
+			<key>k-of-n</key>
+			<integer>2</integer>
+			<key>rule</key>
+			<array>
+				<string>entitled</string>
+				<string>authenticate-appstore-30</string>
+			</array>
+		</dict>
+		<key>entitled-session-owner</key>
+		<dict>
+			<key>class</key>
+			<string>rule</string>
+			<key>k-of-n</key>
+			<integer>2</integer>
+			<key>rule</key>
+			<array>
+				<string>is-session-owner</string>
+				<string>entitled</string>
+			</array>
+		</dict>
+		<key>entitled-session-owner-or-authenticate-session-owner</key>
+		<dict>
+			<key>class</key>
+			<string>rule</string>
+			<key>k-of-n</key>
+			<integer>1</integer>
+			<key>rule</key>
+			<array>
+				<string>entitled-session-owner</string>
+				<string>authenticate-session-owner</string>
+			</array>
+		</dict>
+		<key>is-admin</key>
+		<dict>
+			<key>authenticate-user</key>
+			<false/>
+			<key>class</key>
+			<string>user</string>
+			<key>comment</key>
+			<string>Verify that the user asking for authorization is an administrator.</string>
+			<key>group</key>
+			<string>admin</string>
+			<key>shared</key>
+			<string>true</string>
+		</dict>
+		<key>is-appstore</key>
+		<dict>
+			<key>authenticate-user</key>
+			<false/>
+			<key>class</key>
+			<string>user</string>
+			<key>group</key>
+			<string>_appstore</string>
+			<key>shared</key>
+			<string>true</string>
+		</dict>
+		<key>is-developer</key>
+		<dict>
+			<key>authenticate-user</key>
+			<false/>
+			<key>class</key>
+			<string>user</string>
+			<key>comment</key>
+			<string>Verify that the user asking for authorization is a developer.</string>
+			<key>group</key>
+			<string>_developer</string>
+		</dict>
+		<key>is-lpadmin</key>
+		<dict>
+			<key>authenticate-user</key>
+			<false/>
+			<key>class</key>
+			<string>user</string>
+			<key>group</key>
+			<string>_lpadmin</string>
+		</dict>
+		<key>is-root</key>
+		<dict>
+			<key>allow-root</key>
+			<true/>
+			<key>authenticate-user</key>
+			<false/>
+			<key>class</key>
+			<string>user</string>
+			<key>comment</key>
+			<string>Verify that the process that created this AuthorizationRef is running as root.</string>
+		</dict>
+		<key>is-session-owner</key>
+		<dict>
+			<key>allow-root</key>
+			<false/>
+			<key>authenticate-user</key>
+			<false/>
+			<key>class</key>
+			<string>user</string>
+			<key>comment</key>
+			<string>Verify that the requesting process is running as the session owner.</string>
+			<key>session-owner</key>
+			<true/>
+		</dict>
+		<key>lpadmin</key>
+		<dict>
+			<key>class</key>
+			<string>user</string>
+			<key>group</key>
+			<string>_lpadmin</string>
+			<key>shared</key>
+			<true/>
+		</dict>
+		<key>on-console</key>
+		<dict>
+			<key>class</key>
+			<string>evaluate-mechanisms</string>
+			<key>mechanisms</key>
+			<array>
+				<string>builtin:on-console</string>
+			</array>
+			<key>tries</key>
+			<integer>1</integer>
+		</dict>
+		<key>root-or-admin-or-authenticate-admin</key>
+		<dict>
+			<key>class</key>
+			<string>rule</string>
+			<key>k-of-n</key>
+			<integer>1</integer>
+			<key>rule</key>
+			<array>
+				<string>is-root</string>
+				<string>is-admin</string>
+				<string>authenticate-admin-30</string>
+			</array>
+		</dict>
+		<key>root-or-entitled-admin-or-admin</key>
+		<dict>
+			<key>class</key>
+			<string>rule</string>
+			<key>k-of-n</key>
+			<integer>1</integer>
+			<key>rule</key>
+			<array>
+				<string>is-root</string>
+				<string>entitled-admin</string>
+				<string>admin</string>
+			</array>
+		</dict>
 		<key>root-or-entitled-admin-or-authenticate-admin</key>
 		<dict>
 			<key>class</key>
@@ -7991,6 +8356,19 @@
 				<string>entitled-admin-or-authenticate-admin</string>
 			</array>
 		</dict>
+		<key>root-or-lpadmin</key>
+		<dict>
+			<key>class</key>
+			<string>rule</string>
+			<key>k-of-n</key>
+			<integer>1</integer>
+			<key>rule</key>
+			<array>
+				<string>is-root</string>
+				<string>is-lpadmin</string>
+				<string>lpadmin</string>
+			</array>
+		</dict>
 	</dict>
 </dict>
 </plist>
diff --git a/securityd.xcodeproj/project.pbxproj b/securityd.xcodeproj/project.pbxproj
index 0615462..77e908b 100644
--- a/securityd.xcodeproj/project.pbxproj
+++ b/securityd.xcodeproj/project.pbxproj
@@ -991,7 +991,7 @@
 				BUILD_VARIANTS = debug;
 				COPY_PHASE_STRIP = NO;
 				CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
-				CURRENT_PROJECT_VERSION = 55126.2;
+				CURRENT_PROJECT_VERSION = 55126.5;
 				FRAMEWORK_SEARCH_PATHS = (
 					/usr/local/SecurityPieces/Frameworks,
 					/usr/local/SecurityPieces/Components/securityd,
@@ -1044,7 +1044,7 @@
 				);
 				COPY_PHASE_STRIP = "(null)";
 				CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
-				CURRENT_PROJECT_VERSION = 55126.2;
+				CURRENT_PROJECT_VERSION = 55126.5;
 				DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
 				FRAMEWORK_SEARCH_PATHS = (
 					/usr/local/SecurityPieces/Frameworks,
@@ -1095,7 +1095,7 @@
 				BUILD_VARIANTS = normal;
 				COPY_PHASE_STRIP = NO;
 				CSSM_HEADERS = "$(BUILT_PRODUCTS_DIR)/Security.framework/Headers:$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Headers";
-				CURRENT_PROJECT_VERSION = 55126.2;
+				CURRENT_PROJECT_VERSION = 55126.5;
 				FRAMEWORK_SEARCH_PATHS = (
 					/usr/local/SecurityPieces/Frameworks,
 					/usr/local/SecurityPieces/Components/securityd,
@@ -1148,7 +1148,7 @@
 				);
 				COPY_PHASE_STRIP = "(null)";
 				CSSM_HEADERS = "";
-				CURRENT_PROJECT_VERSION = 55126.2;
+				CURRENT_PROJECT_VERSION = 55126.5;
 				FRAMEWORK_SEARCH_PATHS = (
 					/usr/local/SecurityPieces/Frameworks,
 					/usr/local/SecurityPieces/Components/securityd,
diff --git a/src/session.cpp b/src/session.cpp
index 42d51c4..08127db 100644
--- a/src/session.cpp
+++ b/src/session.cpp
@@ -172,7 +172,14 @@ void Session::kill()
 //
 void Session::updateAudit() const
 {
-	mAudit.get(mAudit.sessionId());
+    CommonCriteria::AuditInfo info;
+	StLock<Mutex> _(mSessionLock);
+    try {
+        info.get(mAudit.sessionId());
+    } catch (...) {
+        return;
+    }
+    mAudit = info;
 }
 
 
-- 
2.45.2