File: LauncherRootXPCService.mm

package info (click to toggle)
llvm-toolchain-3.5 1%3A3.5-10
  • links: PTS, VCS
  • area: main
  • in suites: jessie, jessie-kfreebsd
  • size: 282,028 kB
  • ctags: 310,872
  • sloc: cpp: 1,883,926; ansic: 310,731; objc: 86,612; python: 79,565; asm: 65,844; sh: 9,829; makefile: 6,057; perl: 5,589; ml: 5,254; pascal: 3,285; lisp: 1,640; xml: 686; cs: 239; csh: 117
file content (50 lines) | stat: -rw-r--r-- 2,125 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
 
#include <AvailabilityMacros.h>

#if !defined(MAC_OS_X_VERSION_10_7) || MAC_OS_X_VERSION_MAX_ALLOWED < MAC_OS_X_VERSION_10_7
#define BUILDING_ON_SNOW_LEOPARD 1
#endif

#if !BUILDING_ON_SNOW_LEOPARD
#define __XPC_PRIVATE_H__
#include <xpc/xpc.h>
#include <Security/Security.h>
#include "LauncherXPCService.h"

// Returns 0 if successful.
int _validate_authorization(xpc_object_t message)
{
	size_t data_length = 0ul;
	const char *data_bytes = (const char *)xpc_dictionary_get_data(message, LauncherXPCServiceAuthKey, &data_length);
    
	AuthorizationExternalForm extAuth;
    if (data_length < sizeof(extAuth.bytes))
        return 1;
    
	memcpy(extAuth.bytes, data_bytes, sizeof(extAuth.bytes));
    AuthorizationRef authRef;
	if (AuthorizationCreateFromExternalForm(&extAuth, &authRef) != errAuthorizationSuccess)
        return 2;
    
    AuthorizationItem item1 = { LaunchUsingXPCRightName, 0, NULL, 0 };
    AuthorizationItem items[] = {item1};
    AuthorizationRights requestedRights = {1, items };
    AuthorizationRights *outAuthorizedRights = NULL;
	OSStatus status = AuthorizationCopyRights(authRef, &requestedRights, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &outAuthorizedRights);
	
	// Given a set of rights, return the subset that is currently authorized by the AuthorizationRef given; count(subset) > 0  -> success.
	bool auth_success = (status == errAuthorizationSuccess && outAuthorizedRights && outAuthorizedRights->count > 0) ? true : false;
	if (outAuthorizedRights) AuthorizationFreeItemSet(outAuthorizedRights);
    if (!auth_success)
        return 3;
    
    // On Lion, because the rights initially doesn't exist in /etc/authorization, if an admin user logs in and uses lldb within the first 5 minutes,
    // it is possible to do AuthorizationCopyRights on LaunchUsingXPCRightName and get the rights back.
    // As another security measure, we make sure that the LaunchUsingXPCRightName rights actually exists.
    status = AuthorizationRightGet(LaunchUsingXPCRightName, NULL);
    if (status == errAuthorizationSuccess)
        return 0;
    else
        return 4;
}

#endif