//
// Collect the file-system paths of every resource of the given type
// (optionally restricted to one subdirectory) of this bundle, appending
// them to `paths`.
//
void Bundle::resources(vector<string> &paths, const char *type, const char *subdir)
{
    // Create rule: CFRef owns the returned array and releases it on scope exit.
    CFRef<CFArrayRef> urls = CFBundleCopyResourceURLsOfType(cfBundle(),
        CFTempString(type), CFTempString(subdir));
    // NOTE(review): assumes the copy call never yields NULL — confirm, since
    // CFArrayGetCount(NULL) would not be survivable.
    const CFIndex count = CFArrayGetCount(urls);
    paths.reserve(count);
    for (CFIndex ix = 0; ix < count; ++ix) {
        CFURLRef url = CFURLRef(CFArrayGetValueAtIndex(urls, ix));
        paths.push_back(cfString(url));
    }
}
//
// CFDictionaryApplyFunction callback: copy one (key, value) pair from a
// caller-supplied context dictionary into the mutable dictionary passed
// as `ctx`. CFURL values are flattened to their POSIX path string so the
// receiver never has to deal with URL objects; the obsolete certificates
// key is dropped on the floor.
//
static void copyCFDictionary(const void *key, const void *value, void *ctx)
{
    if (CFEqual(key, kSecAssessmentContextKeyCertificates))
        return;     // obsolete key, intentionally not forwarded
    CFMutableDictionaryRef dest = CFMutableDictionaryRef(ctx);
    const bool isURL = CFGetTypeID(value) == CFURLGetTypeID();
    if (!isURL) {
        CFDictionaryAddValue(dest, key, value);
        return;
    }
    // CFRef releases our reference to the created string on exit; the
    // dictionary keeps whatever reference its value callbacks take.
    CFRef<CFStringRef> posixPath = CFURLCopyFileSystemPath(CFURLRef(value), kCFURLPOSIXPathStyle);
    CFDictionaryAddValue(dest, key, posixPath);
}
//
// Convert an arbitrary CF object to a std::string, dispatching on its
// runtime type. Strings, URLs and bundles go through their dedicated
// overloads; anything else is rendered via CFCopyDescription.
// A NULL input raises `err` as a MacOSError.
//
string cfString(CFTypeRef it, OSStatus err)
{
    if (it == NULL)
        MacOSError::throwMe(err);
    const CFTypeID typeId = CFGetTypeID(it);
    if (typeId == CFStringGetTypeID())
        return cfString(CFStringRef(it));
    if (typeId == CFURLGetTypeID())
        return cfString(CFURLRef(it));
    if (typeId == CFBundleGetTypeID())
        return cfString(CFBundleRef(it));
    // Fallback: CFCopyDescription creates a new string; the `true` argument
    // presumably asks the overload to release it — confirm against its declaration.
    return cfString(CFCopyDescription(it), true);
}
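//
// Remove authority for `target`. For rule-backed authority types this is a
// delete against the authority table via manipulateRules. Document-open
// authority is not stored as rules: whitelisting lives in the file's
// quarantine flags, so for kAuthorityOpenDoc the "assessment OK" flag is
// cleared on the file instead.
//
// Returns the manipulateRules result, or NULL for kAuthorityOpenDoc.
// Throws errSecCSInvalidObjectRef if an open-doc target is not a CFURL.
//
CFDictionaryRef PolicyEngine::remove(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context)
{
    if (type != kAuthorityOpenDoc)
        return manipulateRules("DELETE FROM authority", target, type, flags, context);

    // document-open: use quarantine flags for whitelisting rather than the rule database.
    // authorizeUpdate presumably checks the caller's right to update; it runs before
    // anything on disk is touched.
    authorizeUpdate(flags, context);
    if (!target || CFGetTypeID(target) != CFURLGetTypeID())
        MacOSError::throwMe(errSecCSInvalidObjectRef);
    // Hold the std::string directly (the original re-copied it through .c_str(),
    // a needless strlen+copy that would also truncate at an embedded NUL).
    const std::string path = cfString(CFURLRef(target));
    FileQuarantine qtn(path.c_str());
    qtn.clearFlag(QTN_FLAG_ASSESSMENT_OK);
    qtn.applyTo(path.c_str());
    return NULL;
}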
// // Process special overrides for invalidly signed code. // This is the (hopefully minimal) concessions we make to keep hurting our customers // for our own prior mistakes... // static bool codeInvalidityExceptions(SecStaticCodeRef code, CFMutableDictionaryRef result) { if (OSAIsRecognizedExecutableURL) { CFRef<CFDictionaryRef> info; MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref())); if (CFURLRef executable = CFURLRef(CFDictionaryGetValue(info, kSecCodeInfoMainExecutable))) { SInt32 error; if (OSAIsRecognizedExecutableURL(executable, &error)) { if (result) CFDictionaryAddValue(result, kSecAssessmentAssessmentAuthorityOverride, CFSTR("ignoring known invalid applet signature")); return true; } } } return false; }
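//
// Client side of the "update" XPC request: encode the target, flags and
// context into an XPC message, send it, and hand back the reply's result
// dictionary.
//
// target   NULL, a CFURLRef, a SecRequirementRef, or a CFNumberRef (sent as
//          "rule"); any other type throws errSecCSInvalidObjectRef.
// flags    forwarded verbatim under "flags".
// context  optional; copied into the outgoing context via copyCFDictionary.
//          If it carries no kSecAssessmentUpdateKeyAuthorization, an
//          AuthorizationRef is created here and its external form is sent
//          under that key.
// Throws MacOSError with the reply's "error" code when it is non-zero.
//
CFDictionaryRef xpcEngineUpdate(CFTypeRef target, uint flags, CFDictionaryRef context)
{
    // Owns the locally created AuthorizationRef so it is released even when
    // makeCFData(), msg.send() or MacOSError::throwMe() unwinds past it;
    // previously it was freed only on the non-throwing path and leaked otherwise.
    // It must stay alive until msg.send() returns, since the external form we
    // ship refers to it.
    struct LocalAuthorization {
        AuthorizationRef ref;
        LocalAuthorization() : ref(NULL) { }
        ~LocalAuthorization() { if (ref) AuthorizationFree(ref, kAuthorizationFlagDefaults); }
    };

    Message msg("update");
    // target can be NULL, a CFURLRef, a SecRequirementRef, or a CFNumberRef
    if (target) {
        const CFTypeID targetType = CFGetTypeID(target);
        if (targetType == CFNumberGetTypeID()) {
            xpc_dictionary_set_uint64(msg, "rule", cfNumber<int64_t>(CFNumberRef(target)));
        } else if (targetType == CFURLGetTypeID()) {
            xpc_dictionary_set_string(msg, "url", cfString(CFURLRef(target)).c_str());
        } else if (targetType == SecRequirementGetTypeID()) {
            CFRef<CFDataRef> data;
            MacOSError::check(SecRequirementCopyData(SecRequirementRef(target), kSecCSDefaultFlags, &data.aref()));
            xpc_dictionary_set_data(msg, "requirement", CFDataGetBytePtr(data), CFDataGetLength(data));
        } else {
            MacOSError::throwMe(errSecCSInvalidObjectRef);
        }
    }
    xpc_dictionary_set_int64(msg, "flags", flags);

    CFRef<CFMutableDictionaryRef> ctx = makeCFMutableDictionary();
    if (context)
        CFDictionaryApplyFunction(context, copyCFDictionary, ctx);

    LocalAuthorization localAuthorization;
    if (CFDictionaryGetValue(ctx, kSecAssessmentUpdateKeyAuthorization) == NULL) {
        // no caller-provided authorization: create one here and ship its external form
        MacOSError::check(AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &localAuthorization.ref));
        AuthorizationExternalForm extForm;
        MacOSError::check(AuthorizationMakeExternalForm(localAuthorization.ref, &extForm));
        CFDictionaryAddValue(ctx, kSecAssessmentUpdateKeyAuthorization, CFTempData(&extForm, sizeof(extForm)));
    }
    CFRef<CFDataRef> contextData = makeCFData(CFDictionaryRef(ctx));
    xpc_dictionary_set_data(msg, "context", CFDataGetBytePtr(contextData), CFDataGetLength(contextData));

    msg.send();

    if (int64_t error = xpc_dictionary_get_int64(msg, "error"))
        MacOSError::throwMe(error);
    size_t resultLength;
    const void *resultData = xpc_dictionary_get_data(msg, "result", &resultLength);
    return makeCFDictionaryFrom(resultData, resultLength);
}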
// // The executable path is a bit annoying to get, but not quite // annoying enough to cache the result. // string OSXCodeWrap::executablePath() const { CFRef<CFDictionaryRef> info; MacOSError::check(SecCodeCopySigningInformation(mCode, kSecCSDefaultFlags, &info.aref())); return cfString(CFURLRef(CFDictionaryGetValue(info, kSecCodeInfoMainExecutable))); }