// static void Sandbox::initialize(const QString& permissionsFile) { QMutexLocker locker(&s_mutex); s_pSandboxPermissions = new ConfigObject<ConfigValue>(permissionsFile); #ifdef Q_OS_MAC #if __MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_7 // If we are running on at least 10.7.0 and have the com.apple.security.app-sandbox // entitlement, we are in a sandbox SInt32 version = 0; Gestalt(gestaltSystemVersion, &version); SecCodeRef secCodeSelf; if (version >= 0x1070 && SecCodeCopySelf(kSecCSDefaultFlags, &secCodeSelf) == errSecSuccess) { SecRequirementRef sandboxReq; CFStringRef entitlement = CFSTR("entitlement [\"com.apple.security.app-sandbox\"]"); if (SecRequirementCreateWithString(entitlement, kSecCSDefaultFlags, &sandboxReq) == errSecSuccess) { if (SecCodeCheckValidity(secCodeSelf, kSecCSDefaultFlags, sandboxReq) == errSecSuccess) { s_bInSandbox = true; } CFRelease(sandboxReq); } CFRelease(secCodeSelf); } #endif #endif }
/* * Determine if the given task meets a specified requirement. */ OSStatus SecTaskValidateForRequirement(SecTaskRef task, CFStringRef requirement) { OSStatus status; SecCodeRef code = NULL; SecRequirementRef req = NULL; pid_t pid = task->pid; if (pid <= 0) { return errSecParam; } status = SecCodeCreateWithPID(pid, kSecCSDefaultFlags, &code); //syslog(LOG_NOTICE, "SecTaskValidateForRequirement: SecCodeCreateWithPID=%d", status); if (!status) { status = SecRequirementCreateWithString(requirement, kSecCSDefaultFlags, &req); //syslog(LOG_NOTICE, "SecTaskValidateForRequirement: SecRequirementCreateWithString=%d", status); } if (!status) { status = SecCodeCheckValidity(code, kSecCSDefaultFlags, req); //syslog(LOG_NOTICE, "SecTaskValidateForRequirement: SecCodeCheckValidity=%d", status); } if (req) CFRelease(req); if (code) CFRelease(code); return status; }
const bool ClientIdentification::checkAppleSigned() const { if (GuestState *guest = current()) { if (!guest->checkedSignature) { // This is the clownfish supported way to check for a Mac App Store or B&I signed build CFStringRef requirementString = CFSTR("(anchor apple) or (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9])"); SecRequirementRef secRequirementRef = NULL; OSStatus status = SecRequirementCreateWithString(requirementString, kSecCSDefaultFlags, &secRequirementRef); if (status == errSecSuccess) { OSStatus status = SecCodeCheckValidity(guest->code, kSecCSDefaultFlags, secRequirementRef); if (status != errSecSuccess) { secdebug("SecurityAgentXPCQuery", "code requirement check failed (%d)", (int32_t)status); } else { guest->appleSigned = true; } guest->checkedSignature = true; } CFRelease(secRequirementRef); } return guest->appleSigned; } else return false; }
QSettingsPrivate *QSettingsPrivate::create(QSettings::Format format, QSettings::Scope scope, const QString &organization, const QString &application) { #ifndef QT_BOOTSTRAPPED static bool useAppLocalStorage = false; static bool initialized = false; if (!initialized) { bool inSandbox = false; #if __MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_6 // If we are running on at least 10.7.0 and have the com.apple.security.app-sandbox // entitlement, we are in a sandbox SInt32 version = 0; Gestalt(gestaltSystemVersion, &version); SecCodeRef secCodeSelf; if (version >= 0x1070 && SecCodeCopySelf(kSecCSDefaultFlags, &secCodeSelf) == errSecSuccess) { SecRequirementRef sandboxReq; CFStringRef entitlement = CFSTR("entitlement [\"com.apple.security.app-sandbox\"]"); if (SecRequirementCreateWithString(entitlement, kSecCSDefaultFlags, &sandboxReq) == errSecSuccess) { if (SecCodeCheckValidity(secCodeSelf, kSecCSDefaultFlags, sandboxReq) == errSecSuccess) inSandbox = true; CFRelease(sandboxReq); } CFRelease(secCodeSelf); } #endif bool forAppStore = false; if (!inSandbox) { CFTypeRef val = CFBundleGetValueForInfoDictionaryKey(CFBundleGetMainBundle(), CFSTR("ForAppStore")); forAppStore = (val && CFGetTypeID(val) == CFStringGetTypeID() && CFStringCompare(CFStringRef(val), CFSTR("yes"), kCFCompareCaseInsensitive) == 0); } useAppLocalStorage = inSandbox || forAppStore; initialized = true; } if (useAppLocalStorage) { // Ensure that the global and app-local settings go to the same file, since that's // what we really want if (organization == QLatin1String("Trolltech") || organization.isEmpty() || (organization == qApp->organizationDomain() && application == qApp->applicationName()) || (organization == qApp->organizationName()) && application == qApp->applicationName()) { CFStringRef bundleIdentifier = CFBundleGetIdentifier(CFBundleGetMainBundle()); if (!bundleIdentifier) { qWarning("QSettingsPrivate::create: You must set the bundle identifier when using ForAppStore"); } else { QSettingsPrivate* settings = new QMacSettingsPrivate(bundleIdentifier); if (organization == QLatin1String("Trolltech")) settings->beginGroupOrArray(QSettingsGroup("QtLibrarySettings")); return settings; } } } #endif if (format == QSettings::NativeFormat) { return new QMacSettingsPrivate(scope, organization, application); } else { return new QConfFileSettingsPrivate(format, scope, organization, application); } }