void Bundle::resources(vector<string> &paths, const char *type, const char *subdir)
{
CFRef<CFArrayRef> cfList = CFBundleCopyResourceURLsOfType(cfBundle(),
CFTempString(type), CFTempString(subdir));
CFIndex size = CFArrayGetCount(cfList);
paths.reserve(size);
for (CFIndex n = 0; n < size; n++)
paths.push_back(cfString(CFURLRef(CFArrayGetValueAtIndex(cfList, n))));
}
static void copyCFDictionary(const void *key, const void *value, void *ctx)
{
CFMutableDictionaryRef target = CFMutableDictionaryRef(ctx);
if (CFEqual(key, kSecAssessmentContextKeyCertificates)) // obsolete
return;
if (CFGetTypeID(value) == CFURLGetTypeID()) {
CFRef<CFStringRef> path = CFURLCopyFileSystemPath(CFURLRef(value), kCFURLPOSIXPathStyle);
CFDictionaryAddValue(target, key, path);
} else {
CFDictionaryAddValue(target, key, value);
}
}
string cfString(CFTypeRef it, OSStatus err)
{
if (it == NULL)
MacOSError::throwMe(err);
CFTypeID id = CFGetTypeID(it);
if (id == CFStringGetTypeID())
return cfString(CFStringRef(it));
else if (id == CFURLGetTypeID())
return cfString(CFURLRef(it));
else if (id == CFBundleGetTypeID())
return cfString(CFBundleRef(it));
else
return cfString(CFCopyDescription(it), true);
}
CFDictionaryRef PolicyEngine::remove(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context)
{
if (type == kAuthorityOpenDoc) {
// handle document-open differently: use quarantine flags for whitelisting
authorizeUpdate(flags, context);
if (!target || CFGetTypeID(target) != CFURLGetTypeID())
MacOSError::throwMe(errSecCSInvalidObjectRef);
std::string spath = cfString(CFURLRef(target)).c_str();
FileQuarantine qtn(spath.c_str());
qtn.clearFlag(QTN_FLAG_ASSESSMENT_OK);
qtn.applyTo(spath.c_str());
return NULL;
}
return manipulateRules("DELETE FROM authority", target, type, flags, context);
}
//
// Process special overrides for invalidly signed code.
// This is the (hopefully minimal) concessions we make to keep hurting our customers
// for our own prior mistakes...
//
static bool codeInvalidityExceptions(SecStaticCodeRef code, CFMutableDictionaryRef result)
{
if (OSAIsRecognizedExecutableURL) {
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
if (CFURLRef executable = CFURLRef(CFDictionaryGetValue(info, kSecCodeInfoMainExecutable))) {
SInt32 error;
if (OSAIsRecognizedExecutableURL(executable, &error)) {
if (result)
CFDictionaryAddValue(result,
kSecAssessmentAssessmentAuthorityOverride, CFSTR("ignoring known invalid applet signature"));
return true;
}
}
}
return false;
}
CFDictionaryRef xpcEngineUpdate(CFTypeRef target, uint flags, CFDictionaryRef context)
{
Message msg("update");
// target can be NULL, a CFURLRef, a SecRequirementRef, or a CFNumberRef
if (target) {
if (CFGetTypeID(target) == CFNumberGetTypeID())
xpc_dictionary_set_uint64(msg, "rule", cfNumber<int64_t>(CFNumberRef(target)));
else if (CFGetTypeID(target) == CFURLGetTypeID())
xpc_dictionary_set_string(msg, "url", cfString(CFURLRef(target)).c_str());
else if (CFGetTypeID(target) == SecRequirementGetTypeID()) {
CFRef<CFDataRef> data;
MacOSError::check(SecRequirementCopyData(SecRequirementRef(target), kSecCSDefaultFlags, &data.aref()));
xpc_dictionary_set_data(msg, "requirement", CFDataGetBytePtr(data), CFDataGetLength(data));
} else
MacOSError::throwMe(errSecCSInvalidObjectRef);
}
xpc_dictionary_set_int64(msg, "flags", flags);
CFRef<CFMutableDictionaryRef> ctx = makeCFMutableDictionary();
if (context)
CFDictionaryApplyFunction(context, copyCFDictionary, ctx);
AuthorizationRef localAuthorization = NULL;
if (CFDictionaryGetValue(ctx, kSecAssessmentUpdateKeyAuthorization) == NULL) { // no caller-provided authorization
MacOSError::check(AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &localAuthorization));
AuthorizationExternalForm extForm;
MacOSError::check(AuthorizationMakeExternalForm(localAuthorization, &extForm));
CFDictionaryAddValue(ctx, kSecAssessmentUpdateKeyAuthorization, CFTempData(&extForm, sizeof(extForm)));
}
CFRef<CFDataRef> contextData = makeCFData(CFDictionaryRef(ctx));
xpc_dictionary_set_data(msg, "context", CFDataGetBytePtr(contextData), CFDataGetLength(contextData));
msg.send();
if (localAuthorization)
AuthorizationFree(localAuthorization, kAuthorizationFlagDefaults);
if (int64_t error = xpc_dictionary_get_int64(msg, "error"))
MacOSError::throwMe(error);
size_t resultLength;
const void *resultData = xpc_dictionary_get_data(msg, "result", &resultLength);
return makeCFDictionaryFrom(resultData, resultLength);
}
//
// The executable path is a bit annoying to get, but not quite
// annoying enough to cache the result.
//
string OSXCodeWrap::executablePath() const
{
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(mCode, kSecCSDefaultFlags, &info.aref()));
return cfString(CFURLRef(CFDictionaryGetValue(info, kSecCodeInfoMainExecutable)));
}
