  • only in /macosx-10.10/Security-57031.1.35/Security/authd/

Lines Matching refs:auth

/* Cross-reference excerpt: only lines that mention `auth` are listed, so the
 * numbered hits below are not contiguous. The "deallocated" log line suggests
 * this is the token's teardown path. */
73     auth_token_t auth = (auth_token_t)value;
74 LOGV("authtoken: deallocated %p", auth);
/* An empty block run synchronously on the token's queue returns only after
 * the blocks submitted before it have run; presumably this is here so no
 * queued work still uses the fields released below. */
76 dispatch_barrier_sync(auth->dispatch_queue, ^{});
78 dispatch_release(auth->dispatch_queue);
79 CFReleaseSafe(auth->session);
80 CFReleaseSafe(auth->processes);
81 CFReleaseSafe(auth->context);
82 CFReleaseSafe(auth->credentials);
83 CFReleaseSafe(auth->authorized_rights);
84 free_safe(auth->code_url);
85 CFReleaseSafe(auth->credential);
/* Gives back this task's reference on the creator's bootstrap port, but only
 * when one was recorded (the field is MACH_PORT_NULL otherwise). */
87 if (auth->creator_bootstrap_port != MACH_PORT_NULL) {
88 mach_port_deallocate(mach_task_self(), auth->creator_bootstrap_port);
/* Formatting of a token for diagnostics (the format string is on line 105,
 * not shown): the arguments are the token pointer, the audit euid and pid,
 * the number of attached processes and the least_privileged flag. */
104 auth_token_t auth = (auth_token_t)value;
106 auth, auth->auditInfo.euid, auth->auditInfo.pid, CFSetGetCount(auth->processes), auth->least_privileged);
/* Hash of a token: the leading sizeof(CFHashCode) bytes of its blob, read
 * through a pointer cast rather than copied out.
 * NOTE(review): this relies on blob being at least as large and as aligned
 * as CFHashCode; the blob's declaration is not part of this listing. */
112 auth_token_t auth = (auth_token_t)value;
113 return *(CFHashCode*)&auth->blob;
/* Allocation and initialisation of a token. This looks like the body that the
 * two creators further down call as _auth_token_create; the signature line is
 * not among the hits, so confirm. */
144 auth_token_t auth = (auth_token_t)_CFRuntimeCreateInstance(kCFAllocatorDefault, auth_token_get_type_id(), AUTH_CLASS_SIZE(auth_token), NULL);
145 require(auth != NULL, done);
/* The blob is filled from the system random generator. On failure the
 * half-built token is released rather than kept with an unfilled blob. */
147 if (CCRandomCopyBytes(kCCRandomDefault, auth->blob.data, sizeof(auth->blob.data)) != kCCSuccess) {
149 CFReleaseNull(auth);
153 auth->context = auth_items_create();
/* Copied by value: later reads of euid and pid use this snapshot. */
154 auth->auditInfo = *auditInfo;
155 auth->least_privileged = operateAsLeastPrivileged;
/* Serial queue; the accessors further down use it with dispatch_sync. */
157 auth->dispatch_queue = dispatch_queue_create(NULL, DISPATCH_QUEUE_SERIAL);
158 check(auth->dispatch_queue != NULL);
160 auth->credentials = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks);
161 auth->authorized_rights = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks);
/* NULL callbacks: this set stores process pointers without retaining them. */
162 auth->processes = CFSetCreateMutable(kCFAllocatorDefault, 0, NULL);
163 auth->creator_bootstrap_port = MACH_PORT_NULL;
/* The sandbox state is evaluated once, here, against the pid from the audit
 * snapshot; a non-zero result marks the token as sandboxed.
 * NOTE(review): a pid identifies a process only while that process is alive.
 * Confirm this cannot run after the client has exited and its pid has been
 * reused, or the flag would describe a different process. */
165 if (sandbox_check(auth->auditInfo.pid, "authorization-right-obtain", SANDBOX_CHECK_NO_REPORT) != 0)
166 auth->sandboxed = true;
168 auth->sandboxed = false;
/* Self-check that hashing the blob reproduces the blob bytes. The two LOGD
 * lines follow the mismatch test.
 * NOTE(review): they write blob words to the debug log. The blob is what
 * auth_token_get_key and auth_token_get_blob hand out; if holding it is
 * enough to refer to this token, treat that log output as sensitive. */
171 CFHashCode code = AuthTokenHashCallBack(&auth->blob);
172 if (memcmp(&code, auth->blob.data, sizeof(auth->blob.data)) != 0) {
173 LOGD("authtoken[%i]: blob = %x%01x", auth->auditInfo.pid, auth->blob.data[1], auth->blob.data[0]);
174 LOGD("authtoken[%i]: hash = %lx", auth->auditInfo.pid, code);
180 return auth;
/* Creation of a token on behalf of a process_t (hits only). */
186 auth_token_t auth = NULL;
189 auth = _auth_token_create(process_get_audit_info(proc), operateAsLeastPrivileged);
190 require(auth != NULL, done);
/* creator is stored as a plain pointer: there is no CFRetain on this line,
 * unlike session on the next one. */
192 auth->creator = proc;
193 auth->session = (session_t)CFRetain(process_get_session(proc));
/* Presumably a heap copy, since the teardown path frees code_url with
 * free_safe; confirm against _copy_string. */
194 auth->code_url = _copy_string(process_get_code_url(proc));
195 auth->appleSigned = process_apple_signed(proc);
196 auth->creator_bootstrap_port = process_get_bootstrap(proc);
/* Adds one user reference to the bootstrap send right, so the token's copy
 * of the port name is counted separately from proc's. Line 204 resets the
 * field to MACH_PORT_NULL, presumably when mach_port_mod_refs fails (the test
 * on lines 202-203 is not shown). */
200 if (auth->creator_bootstrap_port != MACH_PORT_NULL) {
201 kern_return_t error_code = mach_port_mod_refs(mach_task_self(), auth->creator_bootstrap_port, MACH_PORT_RIGHT_SEND, 1);
204 auth->creator_bootstrap_port = MACH_PORT_NULL;
208 LOGV("authtoken[%i]: created %p", auth->auditInfo.pid, auth);
211 return auth;
/* Creation of a token from audit information alone, without a process_t
 * (hits only). No hit in this range assigns auth->creator, so the entitlement
 * queries that test auth->creator first would take their no-creator path for
 * tokens built here; confirm. */
221 auth_token_t auth = NULL;
224 auth = _auth_token_create(info, operateAsLeastPrivileged);
225 require(auth != NULL, done);
/* The session is looked up by audit session id; without one the token is
 * released. */
227 auth->session = server_find_copy_session(info->asid, true);
228 if (auth->session == NULL) {
229 LOGV("authtoken[%i]: failed to create session", auth->auditInfo.pid);
230 CFReleaseNull(auth);
/* The code reference is looked up by pid (codePid).
 * NOTE(review): a pid-keyed lookup can resolve to a different process if the
 * pid has been recycled. Confirm how the caller guarantees that the pid in
 * the audit snapshot still belongs to the requesting client. */
235 CFNumberRef codePid = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &auth->auditInfo.pid);
242 LOGV("authtoken[%i]: failed to create code ref (%i)", auth->auditInfo.pid, status);
243 CFReleaseNull(auth);
/* PATH_MAX+1 zeroed bytes with at most PATH_MAX written, so code_url stays
 * NUL-terminated. The Boolean result of CFURLGetFileSystemRepresentation is
 * not used on line 250; after a failed conversion code_url would presumably
 * be an empty string. Confirm that consumers treat "" as "path unknown". */
248 auth->code_url = calloc(1u, PATH_MAX+1);
249 if (auth->code_url) {
250 CFURLGetFileSystemRepresentation(code_url, true, (UInt8*)auth->code_url, PATH_MAX);
254 LOGV("authtoken[%i]: created %p for %s", auth->auditInfo.pid, auth, auth->code_url);
259 return auth;
/* Plain field accessors (return types are on the preceding, unlisted lines).
 * None of them goes through auth->dispatch_queue. Only auth_token_get_uid and
 * auth_token_get_pid accept a NULL token, returning (uid_t)-2 and -1; every
 * other accessor dereferences auth unconditionally, so callers must pass a
 * valid token. auth_token_get_key and auth_token_get_blob both return the
 * address of the same blob field. */
263 auth_token_get_sandboxed(auth_token_t auth)
265 return auth->sandboxed;
269 auth_token_get_code_url(auth_token_t auth)
271 return auth->code_url;
275 auth_token_get_key(auth_token_t auth)
277 return &auth->blob;
281 auth_token_get_context(auth_token_t auth)
283 return auth->context;
287 auth_token_least_privileged(auth_token_t auth)
289 return auth->least_privileged;
293 auth_token_get_uid(auth_token_t auth)
295 return auth ? auth->auditInfo.euid : (uid_t)-2;
299 auth_token_get_pid(auth_token_t auth)
301 return auth ? auth->auditInfo.pid : -1;
305 auth_token_get_session(auth_token_t auth)
307 return auth->session;
311 auth_token_get_blob(auth_token_t auth)
313 return &auth->blob;
317 auth_token_get_audit_info(auth_token_t auth)
319 return &auth->auditInfo;
323 auth_token_get_creator_bootstrap(auth_token_t auth)
325 return auth->creator_bootstrap_port;
/* Process bookkeeping. Every access to auth->processes and auth->creator in
 * these three functions happens inside dispatch_sync on the token's queue;
 * each block also reads the resulting set size into `count`. */
329 auth_token_add_process(auth_token_t auth, process_t proc)
332 dispatch_sync(auth->dispatch_queue, ^{
333 CFSetAddValue(auth->processes, proc);
334 count = CFSetGetCount(auth->processes);
340 auth_token_remove_process(auth_token_t auth, process_t proc)
343 dispatch_sync(auth->dispatch_queue, ^{
/* creator is stored without a retain at creation (line 192), so it is cleared
 * here when that process is removed rather than left pointing at it. */
344 if (auth->creator == proc) {
345 auth->creator = NULL;
347 CFSetRemoveValue(auth->processes, proc);
348 count = CFSetGetCount(auth->processes);
354 auth_token_get_process_count(auth_token_t auth)
357 dispatch_sync(auth->dispatch_queue, ^{
358 count = CFSetGetCount(auth->processes);
/* Credential and authorized-right sets. Insertion and enumeration both run
 * inside dispatch_sync on the token's queue. The iterate functions copy the
 * set members into `values` (its allocation is on lines not shown) before
 * the callback is used. */
364 auth_token_set_credential(auth_token_t auth, credential_t cred)
366 dispatch_sync(auth->dispatch_queue, ^{
367 CFSetSetValue(auth->credentials, cred);
372 auth_token_credentials_iterate(auth_token_t auth, credential_iterator_t iter)
376 dispatch_sync(auth->dispatch_queue, ^{
377 CFIndex count = CFSetGetCount(auth->credentials);
379 CFSetGetValues(auth->credentials, values);
393 auth_token_set_right(auth_token_t auth, credential_t right)
395 dispatch_sync(auth->dispatch_queue, ^{
396 CFSetSetValue(auth->authorized_rights, right);
401 auth_token_rights_iterate(auth_token_t auth, credential_iterator_t iter)
405 dispatch_sync(auth->dispatch_queue, ^{
406 CFIndex count = CFSetGetCount(auth->authorized_rights);
408 CFSetGetValues(auth->authorized_rights, values);
/* Entitlement queries are answered by the creator process, and only while
 * auth->creator is non-NULL; the test and the call are made together inside
 * dispatch_sync on the token's queue. With no creator the query is skipped
 * and the result keeps its initial value, which is set on a line not shown
 * here. Confirm that value denies rather than grants. */
422 auth_token_copy_entitlement_value(auth_token_t auth, const char * entitlement)
425 dispatch_sync(auth->dispatch_queue, ^{
426 if (auth->creator) {
427 value = process_copy_entitlement_value(auth->creator, entitlement);
435 auth_token_has_entitlement(auth_token_t auth, const char * entitlement)
439 dispatch_sync(auth->dispatch_queue, ^{
440 if (auth->creator) {
441 entitled = process_has_entitlement(auth->creator, entitlement);
449 auth_token_has_entitlement_for_right(auth_token_t auth, const char * right)
453 dispatch_sync(auth->dispatch_queue, ^{
454 if (auth->creator) {
455 entitled = process_has_entitlement_for_right(auth->creator, right);
/* The token's own credential is created on first use, for the euid in the
 * audit snapshot, inside dispatch_sync on the token's queue. The return on
 * line 471 reads the field again; it appears to sit after the block closes
 * (lines 468-470 are not shown). */
463 auth_token_get_credential(auth_token_t auth)
465 dispatch_sync(auth->dispatch_queue, ^{
466 if (auth->credential == NULL) {
467 auth->credential = credential_create(auth->auditInfo.euid);
471 return auth->credential;
/* appleSigned is returned directly, without the queue. */
475 auth_token_apple_signed(auth_token_t auth)
477 return auth->appleSigned;
/* Pointer comparison against the recorded creator, made on the queue. */
480 bool auth_token_is_creator(auth_token_t auth, process_t proc)
484 dispatch_sync(auth->dispatch_queue, ^{
485 if (auth->creator == proc) {
/* State flag helpers. The |= on line 495 and the &= ~ on line 500 are plain
 * read-modify-write operations on auth->state. No line in these functions
 * mentions auth->dispatch_queue (it would be listed among these hits), so
 * these updates are not serialised the way the set accessors are.
 * NOTE(review): if state can be changed from more than one thread, a
 * concurrent set and clear can lose one of the updates; confirm the callers'
 * threading. */
493 void auth_token_set_state(auth_token_t auth, auth_token_state_t state)
495 auth->state |= state;
498 void auth_token_clear_state(auth_token_t auth, auth_token_state_t state)
500 auth->state &= ~state;
503 auth_token_state_t auth_token_get_state(auth_token_t auth)
505 return auth->state;
/* Line 511 reports whether any requested bit is set. Line 513 reports whether
 * no bit is set at all, presumably on the path taken for a zero `state`
 * argument (the condition on lines 509-512 is not shown). */
508 bool auth_token_check_state(auth_token_t auth, auth_token_state_t state)
511 return (auth->state & state) != 0;
513 return auth->state == 0;