// static
void Sandbox::initialize(const QString& permissionsFile) {
QMutexLocker locker(&s_mutex);
s_pSandboxPermissions = new ConfigObject<ConfigValue>(permissionsFile);
#ifdef Q_OS_MAC
#if __MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_7
// If we are running on at least 10.7.0 and have the com.apple.security.app-sandbox
// entitlement, we are in a sandbox
SInt32 version = 0;
Gestalt(gestaltSystemVersion, &version);
SecCodeRef secCodeSelf;
if (version >= 0x1070 && SecCodeCopySelf(kSecCSDefaultFlags, &secCodeSelf) == errSecSuccess) {
SecRequirementRef sandboxReq;
CFStringRef entitlement = CFSTR("entitlement [\"com.apple.security.app-sandbox\"]");
if (SecRequirementCreateWithString(entitlement, kSecCSDefaultFlags,
&sandboxReq) == errSecSuccess) {
if (SecCodeCheckValidity(secCodeSelf, kSecCSDefaultFlags,
sandboxReq) == errSecSuccess) {
s_bInSandbox = true;
}
CFRelease(sandboxReq);
}
CFRelease(secCodeSelf);
}
#endif
#endif
}
/*
* Determine if the given task meets a specified requirement.
*/
OSStatus
SecTaskValidateForRequirement(SecTaskRef task, CFStringRef requirement)
{
OSStatus status;
SecCodeRef code = NULL;
SecRequirementRef req = NULL;
pid_t pid = task->pid;
if (pid <= 0) {
return errSecParam;
}
status = SecCodeCreateWithPID(pid, kSecCSDefaultFlags, &code);
//syslog(LOG_NOTICE, "SecTaskValidateForRequirement: SecCodeCreateWithPID=%d", status);
if (!status) {
status = SecRequirementCreateWithString(requirement,
kSecCSDefaultFlags, &req);
//syslog(LOG_NOTICE, "SecTaskValidateForRequirement: SecRequirementCreateWithString=%d", status);
}
if (!status) {
status = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
//syslog(LOG_NOTICE, "SecTaskValidateForRequirement: SecCodeCheckValidity=%d", status);
}
if (req)
CFRelease(req);
if (code)
CFRelease(code);
return status;
}
const bool ClientIdentification::checkAppleSigned() const
{
if (GuestState *guest = current()) {
if (!guest->checkedSignature) {
// This is the clownfish supported way to check for a Mac App Store or B&I signed build
CFStringRef requirementString = CFSTR("(anchor apple) or (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9])");
SecRequirementRef secRequirementRef = NULL;
OSStatus status = SecRequirementCreateWithString(requirementString, kSecCSDefaultFlags, &secRequirementRef);
if (status == errSecSuccess) {
OSStatus status = SecCodeCheckValidity(guest->code, kSecCSDefaultFlags, secRequirementRef);
if (status != errSecSuccess) {
secdebug("SecurityAgentXPCQuery", "code requirement check failed (%d)", (int32_t)status);
} else {
guest->appleSigned = true;
}
guest->checkedSignature = true;
}
CFRelease(secRequirementRef);
}
return guest->appleSigned;
} else
return false;
}
QSettingsPrivate *QSettingsPrivate::create(QSettings::Format format,
QSettings::Scope scope,
const QString &organization,
const QString &application)
{
#ifndef QT_BOOTSTRAPPED
static bool useAppLocalStorage = false;
static bool initialized = false;
if (!initialized) {
bool inSandbox = false;
#if __MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_6
// If we are running on at least 10.7.0 and have the com.apple.security.app-sandbox
// entitlement, we are in a sandbox
SInt32 version = 0;
Gestalt(gestaltSystemVersion, &version);
SecCodeRef secCodeSelf;
if (version >= 0x1070 && SecCodeCopySelf(kSecCSDefaultFlags, &secCodeSelf) == errSecSuccess) {
SecRequirementRef sandboxReq;
CFStringRef entitlement = CFSTR("entitlement [\"com.apple.security.app-sandbox\"]");
if (SecRequirementCreateWithString(entitlement, kSecCSDefaultFlags, &sandboxReq) == errSecSuccess) {
if (SecCodeCheckValidity(secCodeSelf, kSecCSDefaultFlags, sandboxReq) == errSecSuccess)
inSandbox = true;
CFRelease(sandboxReq);
}
CFRelease(secCodeSelf);
}
#endif
bool forAppStore = false;
if (!inSandbox) {
CFTypeRef val = CFBundleGetValueForInfoDictionaryKey(CFBundleGetMainBundle(), CFSTR("ForAppStore"));
forAppStore = (val &&
CFGetTypeID(val) == CFStringGetTypeID() &&
CFStringCompare(CFStringRef(val), CFSTR("yes"), kCFCompareCaseInsensitive) == 0);
}
useAppLocalStorage = inSandbox || forAppStore;
initialized = true;
}
if (useAppLocalStorage) {
// Ensure that the global and app-local settings go to the same file, since that's
// what we really want
if (organization == QLatin1String("Trolltech") ||
organization.isEmpty() ||
(organization == qApp->organizationDomain() && application == qApp->applicationName()) ||
(organization == qApp->organizationName()) && application == qApp->applicationName())
{
CFStringRef bundleIdentifier = CFBundleGetIdentifier(CFBundleGetMainBundle());
if (!bundleIdentifier) {
qWarning("QSettingsPrivate::create: You must set the bundle identifier when using ForAppStore");
} else {
QSettingsPrivate* settings = new QMacSettingsPrivate(bundleIdentifier);
if (organization == QLatin1String("Trolltech"))
settings->beginGroupOrArray(QSettingsGroup("QtLibrarySettings"));
return settings;
}
}
}
#endif
if (format == QSettings::NativeFormat) {
return new QMacSettingsPrivate(scope, organization, application);
} else {
return new QConfFileSettingsPrivate(format, scope, organization, application);
}
}
