static pascal void NavEventProc(
NavEventCallbackMessage inSelector,
NavCBRecPtr ioParams,
NavCallBackUserData ioUserData )
{
OpenUserDataRec * data = ( OpenUserDataRec *) ioUserData ;
if (inSelector == kNavCBEvent)
{
}
else if ( inSelector == kNavCBStart )
{
if (data && !(data->defaultLocation).empty())
{
// Set default location for the modern Navigation APIs
// Apple Technical Q&A 1151
FSRef theFile;
wxMacPathToFSRef(data->defaultLocation, &theFile);
AEDesc theLocation = { typeNull, NULL };
if (noErr == ::AECreateDesc(typeFSRef, &theFile, sizeof(FSRef), &theLocation))
::NavCustomControl(ioParams->context, kNavCtlSetLocation, (void *) &theLocation);
}
if( data->extensions.GetCount() > 0 )
{
NavMenuItemSpec menuItem;
memset( &menuItem, 0, sizeof(menuItem) );
menuItem.version = kNavMenuItemSpecVersion;
menuItem.menuType = data->currentfilter;
::NavCustomControl(ioParams->context, kNavCtlSelectCustomType, &menuItem);
}
}
else if ( inSelector == kNavCBPopupMenuSelect )
{
NavMenuItemSpec * menu = (NavMenuItemSpec *) ioParams->eventData.eventDataParms.param ;
const size_t numFilters = data->extensions.GetCount();
if ( menu->menuType < numFilters )
{
data->currentfilter = menu->menuType ;
if ( data->saveMode )
{
int i = menu->menuType ;
wxString extension = data->extensions[i].AfterLast('.') ;
wxString sfilename ;
wxMacCFStringHolder cfString( NavDialogGetSaveFileName( ioParams->context ) , false );
sfilename = cfString.AsString() ;
int pos = sfilename.Find('.', true) ;
if ( pos != wxNOT_FOUND && extension != wxT("*") )
{
sfilename = sfilename.Left(pos+1)+extension ;
cfString.Assign( sfilename , wxFONTENCODING_DEFAULT ) ;
NavDialogSetSaveFileName( ioParams->context , cfString ) ;
}
}
}
}
}
static void dumpCode(SecCodeRef code)
{
CFRef<CFURLRef> path;
if (OSStatus rc = SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
Debug::dump("unknown(rc=%d)", int32_t(rc));
else
Debug::dump("%s", cfString(path).c_str());
}
void Bundle::resources(vector<string> &paths, const char *type, const char *subdir)
{
CFRef<CFArrayRef> cfList = CFBundleCopyResourceURLsOfType(cfBundle(),
CFTempString(type), CFTempString(subdir));
CFIndex size = CFArrayGetCount(cfList);
paths.reserve(size);
for (CFIndex n = 0; n < size; n++)
paths.push_back(cfString(CFURLRef(CFArrayGetValueAtIndex(cfList, n))));
}
/*!
* Create a new SecAccessRef that is set to the default configuration
* of a (newly created) security object.
*/
OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef trustedList, SecAccessRef *accessRef)
{
BEGIN_SECAPI
Required(descriptor);
SecPointer<Access> access;
if (trustedList) {
CFIndex length = CFArrayGetCount(trustedList);
ACL::ApplicationList trusted;
for (CFIndex n = 0; n < length; n++)
trusted.push_back(TrustedApplication::required(
SecTrustedApplicationRef(CFArrayGetValueAtIndex(trustedList, n))));
access = new Access(cfString(descriptor), trusted);
} else {
access = new Access(cfString(descriptor));
}
Required(accessRef) = access->handle();
END_SECAPI
}
//
// Perform common argument normalizations for update operations
//
static void normalizeTarget(CFRef<CFTypeRef> &target, CFDictionary &context, std::string *signUnsigned)
{
// turn CFURLs into (designated) SecRequirements
if (target && CFGetTypeID(target) == CFURLGetTypeID()) {
CFRef<SecStaticCodeRef> code;
MacOSError::check(SecStaticCodeCreateWithPath(target.as<CFURLRef>(), kSecCSDefaultFlags, &code.aref()));
switch (OSStatus rc = SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, (SecRequirementRef *)&target.aref())) {
case noErr: {
// use the *default* DR to avoid unreasonably wide DRs opening up Gatekeeper to attack
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSRequirementInformation, &info.aref()));
target = CFDictionaryGetValue(info, kSecCodeInfoImplicitDesignatedRequirement);
}
break;
case errSecCSUnsigned:
if (signUnsigned) {
// Ad-hoc sign the code temporarily so we can get its code requirement
CFRef<CFDataRef> signature = CFDataCreateMutable(NULL, 0);
CFRef<SecCodeSignerRef> signer;
CFTemp<CFDictionaryRef> arguments("{%O=%O, %O=#N}", kSecCodeSignerDetached, signature.get(), kSecCodeSignerIdentity);
MacOSError::check(SecCodeSignerCreate(arguments, kSecCSDefaultFlags, &signer.aref()));
MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags));
MacOSError::check(SecCodeSetDetachedSignature(code, signature, kSecCSDefaultFlags));
MacOSError::check(SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, (SecRequirementRef *)&target.aref()));
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSInternalInformation, &info.aref()));
if (CFDataRef cdData = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoCodeDirectory)))
*signUnsigned = ((const CodeDirectory *)CFDataGetBytePtr(cdData))->screeningCode();
break;
}
MacOSError::check(rc);
case errSecCSSignatureFailed:
// recover certain cases of broken signatures (well, try)
if (codeInvalidityExceptions(code, NULL)) {
// Ad-hoc sign the code in place (requiring a writable subject). This requires root privileges.
CFRef<SecCodeSignerRef> signer;
CFTemp<CFDictionaryRef> arguments("{%O=#N}", kSecCodeSignerIdentity);
MacOSError::check(SecCodeSignerCreate(arguments, kSecCSDefaultFlags, &signer.aref()));
MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags));
MacOSError::check(SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, (SecRequirementRef *)&target.aref()));
break;
}
MacOSError::check(rc);
default:
MacOSError::check(rc);
}
if (context.get(kSecAssessmentUpdateKeyRemarks) == NULL) {
// no explicit remarks; add one with the path
CFRef<CFURLRef> path;
MacOSError::check(SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()));
CFMutableDictionaryRef dict = makeCFMutableDictionary(context.get());
CFDictionaryAddValue(dict, kSecAssessmentUpdateKeyRemarks, CFTempString(cfString(path)));
context.take(dict);
}
}
}
//
// CFURLAccess wrappers for specific purposes
//
CFDataRef cfLoadFile(CFURLRef url)
{
assert(url);
CFDataRef data;
SInt32 error;
if (CFURLCreateDataAndPropertiesFromResource(NULL, url,
&data, NULL, NULL, &error)) {
return data;
} else {
secdebug("cfloadfile", "failed to fetch %s error=%d", cfString(url).c_str(), int(error));
return NULL;
}
}
CFDictionaryRef PolicyEngine::remove(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context)
{
if (type == kAuthorityOpenDoc) {
// handle document-open differently: use quarantine flags for whitelisting
authorizeUpdate(flags, context);
if (!target || CFGetTypeID(target) != CFURLGetTypeID())
MacOSError::throwMe(errSecCSInvalidObjectRef);
std::string spath = cfString(CFURLRef(target)).c_str();
FileQuarantine qtn(spath.c_str());
qtn.clearFlag(QTN_FLAG_ASSESSMENT_OK);
qtn.applyTo(spath.c_str());
return NULL;
}
return manipulateRules("DELETE FROM authority", target, type, flags, context);
}
//
// Process % scan forms.
// This delivers the object value, scanf-style, somehow.
//
bool CFScan::scanformat(CFTypeRef obj)
{
switch (*++format) {
case F_OBJECT:
store<CFTypeRef>(obj);
return true;
case F_ARRAY: // %a*
return typescan(obj, CFArrayGetTypeID()) == done;
case F_BOOLEAN:
if (Typescan rc = typescan(obj, CFBooleanGetTypeID()))
return rc == done;
switch (*format) {
case 'f': // %Bf - two arguments (value, &variable)
{
unsigned flag = va_arg(args, unsigned);
unsigned *value = va_arg(args, unsigned *);
if (obj == kCFBooleanTrue && !suppress)
*value |= flag;
return true;
}
default: // %b - CFBoolean as int boolean
store<int>(obj == kCFBooleanTrue);
return true;
}
case F_DICTIONARY:
return typescan(obj, CFDictionaryGetTypeID()) == done;
case 'd': // %d - int
return scannumber<int>(obj);
case F_NUMBER:
return typescan(obj, CFNumberGetTypeID()) == done;
case F_STRING:
case 's':
if (Typescan rc = typescan(obj, CFStringGetTypeID()))
return rc == done;
// %s
store<std::string>(cfString(CFStringRef(obj)));
return true;
case 'u':
return scannumber<unsigned int>(obj);
case F_DATA:
return typescan(obj, CFDataGetTypeID()) == done;
default:
assert(false);
return false;
}
}
wxString wxMacFSRefToPath( const FSRef *fsRef , CFStringRef additionalPathComponent )
{
CFURLRef fullURLRef;
fullURLRef = CFURLCreateFromFSRef(NULL, fsRef);
if ( fullURLRef == NULL)
return wxEmptyString;
if ( additionalPathComponent )
{
CFURLRef parentURLRef = fullURLRef ;
fullURLRef = CFURLCreateCopyAppendingPathComponent(NULL, parentURLRef,
additionalPathComponent,false);
CFRelease( parentURLRef ) ;
}
wxCFStringRef cfString( CFURLCopyFileSystemPath(fullURLRef, kDefaultPathStyle ));
CFRelease( fullURLRef ) ;
return wxCFStringRef::AsStringWithNormalizationFormC(cfString);
}
//
// Construct and prepare an SQL query on the authority table, operating on some set of existing authority records.
// In essence, this appends a suitable WHERE clause to the stanza passed and prepares it on the statement given.
//
void PolicyEngine::selectRules(SQLite::Statement &action, std::string phrase, std::string table,
CFTypeRef inTarget, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, std::string suffix /* = "" */)
{
CFDictionary ctx(context, errSecCSInvalidAttributeValues);
CFCopyRef<CFTypeRef> target = inTarget;
std::string filter_unsigned; // ignored; used just to trigger ad-hoc signing
normalizeTarget(target, ctx, &filter_unsigned);
string label;
if (CFStringRef lab = ctx.get<CFStringRef>(kSecAssessmentUpdateKeyLabel))
label = cfString(CFStringRef(lab));
if (!target) {
if (label.empty()) {
if (type == kAuthorityInvalid) {
action.query(phrase + suffix);
} else {
action.query(phrase + " WHERE " + table + ".type = :type" + suffix);
action.bind(":type").integer(type);
}
} else { // have label
if (type == kAuthorityInvalid) {
action.query(phrase + " WHERE " + table + ".label = :label" + suffix);
} else {
action.query(phrase + " WHERE " + table + ".type = :type AND " + table + ".label = :label" + suffix);
action.bind(":type").integer(type);
}
action.bind(":label") = label;
}
} else if (CFGetTypeID(target) == CFNumberGetTypeID()) {
action.query(phrase + " WHERE " + table + ".id = :id" + suffix);
action.bind(":id").integer(cfNumber<uint64_t>(target.as<CFNumberRef>()));
} else if (CFGetTypeID(target) == SecRequirementGetTypeID()) {
if (type == kAuthorityInvalid)
type = kAuthorityExecute;
CFRef<CFStringRef> requirementText;
MacOSError::check(SecRequirementCopyString(target.as<SecRequirementRef>(), kSecCSDefaultFlags, &requirementText.aref()));
action.query(phrase + " WHERE " + table + ".type = :type AND " + table + ".requirement = :requirement" + suffix);
action.bind(":type").integer(type);
action.bind(":requirement") = requirementText.get();
} else
MacOSError::throwMe(errSecCSInvalidObjectRef);
}
CFDictionaryRef xpcEngineUpdate(CFTypeRef target, uint flags, CFDictionaryRef context)
{
Message msg("update");
// target can be NULL, a CFURLRef, a SecRequirementRef, or a CFNumberRef
if (target) {
if (CFGetTypeID(target) == CFNumberGetTypeID())
xpc_dictionary_set_uint64(msg, "rule", cfNumber<int64_t>(CFNumberRef(target)));
else if (CFGetTypeID(target) == CFURLGetTypeID())
xpc_dictionary_set_string(msg, "url", cfString(CFURLRef(target)).c_str());
else if (CFGetTypeID(target) == SecRequirementGetTypeID()) {
CFRef<CFDataRef> data;
MacOSError::check(SecRequirementCopyData(SecRequirementRef(target), kSecCSDefaultFlags, &data.aref()));
xpc_dictionary_set_data(msg, "requirement", CFDataGetBytePtr(data), CFDataGetLength(data));
} else
MacOSError::throwMe(errSecCSInvalidObjectRef);
}
xpc_dictionary_set_int64(msg, "flags", flags);
CFRef<CFMutableDictionaryRef> ctx = makeCFMutableDictionary();
if (context)
CFDictionaryApplyFunction(context, copyCFDictionary, ctx);
AuthorizationRef localAuthorization = NULL;
if (CFDictionaryGetValue(ctx, kSecAssessmentUpdateKeyAuthorization) == NULL) { // no caller-provided authorization
MacOSError::check(AuthorizationCreate(NULL, NULL, kAuthorizationFlagDefaults, &localAuthorization));
AuthorizationExternalForm extForm;
MacOSError::check(AuthorizationMakeExternalForm(localAuthorization, &extForm));
CFDictionaryAddValue(ctx, kSecAssessmentUpdateKeyAuthorization, CFTempData(&extForm, sizeof(extForm)));
}
CFRef<CFDataRef> contextData = makeCFData(CFDictionaryRef(ctx));
xpc_dictionary_set_data(msg, "context", CFDataGetBytePtr(contextData), CFDataGetLength(contextData));
msg.send();
if (localAuthorization)
AuthorizationFree(localAuthorization, kAuthorizationFlagDefaults);
if (int64_t error = xpc_dictionary_get_int64(msg, "error"))
MacOSError::throwMe(error);
size_t resultLength;
const void *resultData = xpc_dictionary_get_data(msg, "result", &resultLength);
return makeCFDictionaryFrom(resultData, resultLength);
}
/*!
*/
OSStatus SecACLCreateFromSimpleContents(SecAccessRef accessRef,
CFArrayRef applicationList,
CFStringRef description, const CSSM_ACL_KEYCHAIN_PROMPT_SELECTOR *promptSelector,
SecACLRef *newAcl)
{
BEGIN_SECAPI
SecPointer<Access> access = Access::required(accessRef);
SecPointer<ACL> acl = new ACL(cfString(description), *promptSelector);
if (applicationList) {
// application-list + prompt
acl->form(ACL::appListForm);
setApplications(acl, applicationList);
} else {
// allow-any
acl->form(ACL::allowAllForm);
}
access->add(acl.get());
Required(newAcl) = acl->handle();
END_SECAPI
}
void xpcEngineAssess(CFURLRef path, uint flags, CFDictionaryRef context, CFMutableDictionaryRef result)
{
Message msg("assess");
xpc_dictionary_set_string(msg, "path", cfString(path).c_str());
xpc_dictionary_set_int64(msg, "flags", flags);
CFRef<CFMutableDictionaryRef> ctx = makeCFMutableDictionary();
if (context)
CFDictionaryApplyFunction(context, copyCFDictionary, ctx);
CFRef<CFDataRef> contextData = makeCFData(CFDictionaryRef(ctx));
xpc_dictionary_set_data(msg, "context", CFDataGetBytePtr(contextData), CFDataGetLength(contextData));
msg.send();
if (int64_t error = xpc_dictionary_get_int64(msg, "error"))
MacOSError::throwMe(error);
size_t resultLength;
const void *resultData = xpc_dictionary_get_data(msg, "result", &resultLength);
CFRef<CFDictionaryRef> resultDict = makeCFDictionaryFrom(resultData, resultLength);
CFDictionaryApplyFunction(resultDict, copyCFDictionary, result);
CFDictionaryAddValue(result, CFSTR("assessment:remote"), kCFBooleanTrue);
}
//
// LaunchServices-layer document open.
// We don't cache those at present. If we ever do, we need to authenticate CoreServicesUIAgent as the source of its risk assessment.
//
void PolicyEngine::evaluateDocOpen(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result)
{
if (context) {
if (CFStringRef riskCategory = CFStringRef(CFDictionaryGetValue(context, kLSDownloadRiskCategoryKey))) {
FileQuarantine qtn(cfString(path).c_str());
if (CFEqual(riskCategory, kLSRiskCategorySafe)
|| CFEqual(riskCategory, kLSRiskCategoryNeutral)
|| CFEqual(riskCategory, kLSRiskCategoryUnknown)
|| CFEqual(riskCategory, kLSRiskCategoryMayContainUnsafeExecutable)) {
cfadd(result, "{%O=#T}", kSecAssessmentAssessmentVerdict);
addAuthority(result, "_XProtect");
} else if (qtn.flag(QTN_FLAG_HARD)) {
MacOSError::throwMe(errSecCSFileHardQuarantined);
} else if (qtn.flag(QTN_FLAG_ASSESSMENT_OK)) {
cfadd(result, "{%O=#T}", kSecAssessmentAssessmentVerdict);
addAuthority(result, "Prior Assessment");
} else if (!overrideAssessment()) { // no need to do more work if we're off
try {
evaluateCode(path, kAuthorityExecute, flags, context, result, false);
} catch (...) {
// some documents can't be code signed, so this may be quite benign
}
if (CFDictionaryGetValue(result, kSecAssessmentAssessmentVerdict) == NULL) { // no code signature to help us out
cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
addAuthority(result, "_XProtect");
}
}
addToAuthority(result, kLSDownloadRiskCategoryKey, riskCategory);
return;
}
}
// insufficient information from LS - deny by default
cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
addAuthority(result, "Insufficient Context");
}
//
// Take an assessment outcome and record it in the object cache
//
void PolicyEngine::recordOutcome(SecStaticCodeRef code, bool allow, AuthorityType type, double expires, SQLite::int64 authority)
{
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
CFDataRef cdHash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
assert(cdHash); // was signed
CFRef<CFURLRef> path;
MacOSError::check(SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()));
assert(expires);
SQLite::Transaction xact(*this, SQLite3::Transaction::deferred, "caching");
SQLite::Statement insert(*this,
"INSERT OR REPLACE INTO object (type, allow, hash, expires, path, authority)"
" VALUES (:type, :allow, :hash, :expires, :path,"
" CASE :authority WHEN 0 THEN (SELECT id FROM authority WHERE label = 'No Matching Rule') ELSE :authority END"
" );");
insert.bind(":type").integer(type);
insert.bind(":allow").integer(allow);
insert.bind(":hash") = cdHash;
insert.bind(":expires") = expires;
insert.bind(":path") = cfString(path);
insert.bind(":authority").integer(authority);
insert.execute();
xact.commit();
}
string cfStringRelease(CFStringRef inStr)
{
CFRef<CFStringRef> str(inStr);
return cfString(str);
}
//
// Contemplate the object-to-be-signed and set up the Signer state accordingly.
//
void SecCodeSigner::Signer::prepare(SecCSFlags flags)
{
// get the Info.plist out of the rep for some creative defaulting
CFRef<CFDictionaryRef> infoDict;
if (CFRef<CFDataRef> infoData = rep->component(cdInfoSlot))
infoDict.take(makeCFDictionaryFrom(infoData));
// work out the canonical identifier
identifier = state.mIdentifier;
if (identifier.empty()) {
identifier = rep->recommendedIdentifier(state);
if (identifier.find('.') == string::npos)
identifier = state.mIdentifierPrefix + identifier;
if (identifier.find('.') == string::npos && state.isAdhoc())
identifier = identifier + "-" + uniqueName();
secdebug("signer", "using default identifier=%s", identifier.c_str());
} else
secdebug("signer", "using explicit identifier=%s", identifier.c_str());
// work out the CodeDirectory flags word
if (state.mCdFlagsGiven) {
cdFlags = state.mCdFlags;
secdebug("signer", "using explicit cdFlags=0x%x", cdFlags);
} else {
cdFlags = 0;
if (infoDict)
if (CFTypeRef csflags = CFDictionaryGetValue(infoDict, CFSTR("CSFlags"))) {
if (CFGetTypeID(csflags) == CFNumberGetTypeID()) {
cdFlags = cfNumber<uint32_t>(CFNumberRef(csflags));
secdebug("signer", "using numeric cdFlags=0x%x from Info.plist", cdFlags);
} else if (CFGetTypeID(csflags) == CFStringGetTypeID()) {
cdFlags = cdTextFlags(cfString(CFStringRef(csflags)));
secdebug("signer", "using text cdFlags=0x%x from Info.plist", cdFlags);
} else
MacOSError::throwMe(errSecCSBadDictionaryFormat);
}
}
if (state.mSigner == SecIdentityRef(kCFNull)) // ad-hoc signing requested...
cdFlags |= kSecCodeSignatureAdhoc; // ... so note that
// prepare the resource directory, if any
string rpath = rep->resourcesRootPath();
if (!rpath.empty()) {
// explicitly given resource rules always win
CFCopyRef<CFDictionaryRef> resourceRules = state.mResourceRules;
// embedded resource rules come next
if (!resourceRules && infoDict)
if (CFTypeRef spec = CFDictionaryGetValue(infoDict, _kCFBundleResourceSpecificationKey)) {
if (CFGetTypeID(spec) == CFStringGetTypeID())
if (CFRef<CFDataRef> data = cfLoadFile(rpath + "/" + cfString(CFStringRef(spec))))
if (CFDictionaryRef dict = makeCFDictionaryFrom(data))
resourceRules.take(dict);
if (!resourceRules) // embedded rules present but unacceptable
MacOSError::throwMe(errSecCSResourceRulesInvalid);
}
// finally, ask the DiskRep for its default
if (!resourceRules)
resourceRules.take(rep->defaultResourceRules(state));
// build the resource directory
ResourceBuilder resources(rpath, cfget<CFDictionaryRef>(resourceRules, "rules"), digestAlgorithm());
rep->adjustResources(resources); // DiskRep-specific adjustments
CFRef<CFDictionaryRef> rdir = resources.build();
resourceDirectory.take(CFPropertyListCreateXMLData(NULL, rdir));
}
// screen and set the signing time
CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
if (state.mSigningTime == CFDateRef(kCFNull)) {
signingTime = 0; // no time at all
} else if (!state.mSigningTime) {
signingTime = now; // default
} else {
CFAbsoluteTime time = CFDateGetAbsoluteTime(state.mSigningTime);
if (time > now) // not allowed to post-date a signature
MacOSError::throwMe(errSecCSBadDictionaryFormat);
signingTime = time;
}
pagesize = state.mPageSize ? cfNumber<size_t>(state.mPageSize) : rep->pageSize(state);
// Timestamping setup
CFRef<SecIdentityRef> mTSAuth; // identity for client-side authentication to the Timestamp server
}
static pascal void
NavEventProc(
NavEventCallbackMessage inSelector,
NavCBRecPtr ioParams,
NavCallBackUserData ioUserData )
{
OpenUserDataRec * data = ( OpenUserDataRec *) ioUserData ;
if (inSelector == kNavCBEvent) {
#if TARGET_CARBON
#else
wxTheApp->MacHandleOneEvent(ioParams->eventData.eventDataParms.event);
#endif
}
else if ( inSelector == kNavCBStart )
{
#if TARGET_CARBON
if (data && !(data->defaultLocation).IsEmpty())
{
// Set default location for the modern Navigation APIs
// Apple Technical Q&A 1151
FSSpec theFSSpec;
wxMacFilename2FSSpec(data->defaultLocation, &theFSSpec);
AEDesc theLocation = {typeNull, NULL};
if (noErr == ::AECreateDesc(typeFSS, &theFSSpec, sizeof(FSSpec), &theLocation))
::NavCustomControl(ioParams->context, kNavCtlSetLocation, (void *) &theLocation);
}
#else
if ( data->menuitems )
NavCustomControl(ioParams->context, kNavCtlSelectCustomType, &(*data->menuitems)[data->currentfilter]);
#endif
}
else if ( inSelector == kNavCBPopupMenuSelect )
{
NavMenuItemSpec * menu = (NavMenuItemSpec *) ioParams->eventData.eventDataParms.param ;
#if TARGET_CARBON
#else
if ( menu->menuCreator == 'WXNG' )
#endif
{
data->currentfilter = menu->menuType ;
if ( data->saveMode )
{
int i = menu->menuType ;
wxString extension = data->extensions[i].AfterLast('.') ;
extension.MakeLower() ;
wxString sfilename ;
#if TARGET_CARBON
wxMacCFStringHolder cfString( NavDialogGetSaveFileName( ioParams->context ) , false );
sfilename = cfString.AsString() ;
#else
Str255 filename ;
// get the current filename
NavCustomControl(ioParams->context, kNavCtlGetEditFileName, &filename);
sfilename = wxMacMakeStringFromPascal( filename ) ;
#endif
int pos = sfilename.Find('.', true) ;
if ( pos != wxNOT_FOUND )
{
sfilename = sfilename.Left(pos+1)+extension ;
#if TARGET_CARBON
cfString.Assign( sfilename , wxFONTENCODING_DEFAULT ) ;
NavDialogSetSaveFileName( ioParams->context , cfString ) ;
#else
wxMacStringToPascal( sfilename , filename ) ;
NavCustomControl(ioParams->context, kNavCtlSetEditFileName, &filename);
#endif
}
}
}
}
}
static void HandleCustomMouseDown(NavCBRecPtr callBackParms, CustomData *data)
{
EventRecord *evt = callBackParms->eventData.eventDataParms.event;
Point where = evt->where;
GlobalToLocal(&where);
ControlRef control = FindControlUnderMouse(where, callBackParms->window, NULL);
if (control != NULL)
{
ControlID cid;
GetControlID(control, &cid);
HandleControlClick(control, where, evt->modifiers, (ControlActionUPP)-1L);
if (cid.signature == kCustom)
{
switch (cid.id)
{
case kChoice:
{
MenuRef menu;
UInt32 v;
menu = GetControlPopupMenuRef(control);
v = GetControl32BitValue(control) - 1;
const size_t numFilters = data->extensions.GetCount();
if (v < numFilters)
{
data->currentfilter = v;
if (data->saveMode)
{
int i = data->currentfilter;
wxString extension = data->extensions[i].AfterLast('.') ;
extension.MakeLower() ;
wxString sfilename ;
wxMacCFStringHolder cfString(NavDialogGetSaveFileName(callBackParms->context), false);
sfilename = cfString.AsString() ;
#if 0
int pos = sfilename.Find('.', true) ;
if (pos != wxNOT_FOUND)
{
sfilename = sfilename.Left(pos + 1) + extension;
cfString.Assign(sfilename, wxFONTENCODING_DEFAULT);
NavDialogSetSaveFileName(callBackParms->context, cfString);
}
#endif
}
NavCustomControl(callBackParms->context, kNavCtlBrowserRedraw, NULL);
}
break;
}
case kButton:
{
data->me->ClickButton(GetControl32BitValue(data->choice) - 1);
break;
}
}
}
}
}
bool PolicyEngine::temporarySigning(SecStaticCodeRef code, AuthorityType type, CFURLRef path, SecAssessmentFlags matchFlags)
{
if (matchFlags == 0) { // playback; consult authority table for matches
DiskRep *rep = SecStaticCode::requiredStatic(code)->diskRep();
std::string screen;
if (CFRef<CFDataRef> info = rep->component(cdInfoSlot)) {
SHA1 hash;
hash.update(CFDataGetBytePtr(info), CFDataGetLength(info));
screen = createWhitelistScreen('I', hash);
} else if (rep->mainExecutableImage()) {
screen = "N";
} else {
SHA1 hash;
hashFileData(rep->mainExecutablePath().c_str(), &hash);
screen = createWhitelistScreen('M', hash);
}
SQLite::Statement query(*this,
"SELECT flags FROM authority "
"WHERE type = :type"
" AND NOT flags & :flag"
" AND CASE WHEN filter_unsigned IS NULL THEN remarks = :remarks ELSE filter_unsigned = :screen END");
query.bind(":type").integer(type);
query.bind(":flag").integer(kAuthorityFlagDefault);
query.bind(":screen") = screen;
query.bind(":remarks") = cfString(path);
if (!query.nextRow()) // guaranteed no matching rule
return false;
matchFlags = SQLite3::int64(query[0]);
}
try {
// ad-hoc sign the code and attach the signature
CFRef<CFDataRef> signature = CFDataCreateMutable(NULL, 0);
CFTemp<CFDictionaryRef> arguments("{%O=%O, %O=#N}", kSecCodeSignerDetached, signature.get(), kSecCodeSignerIdentity);
CFRef<SecCodeSignerRef> signer;
MacOSError::check(SecCodeSignerCreate(arguments, (matchFlags & kAuthorityFlagWhitelistV2) ? kSecCSSignOpaque : kSecCSSignV1, &signer.aref()));
MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags));
MacOSError::check(SecCodeSetDetachedSignature(code, signature, kSecCSDefaultFlags));
SecRequirementRef dr = NULL;
SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, &dr);
CFStringRef drs = NULL;
SecRequirementCopyString(dr, kSecCSDefaultFlags, &drs);
// if we're in GKE recording mode, save that signature and report its location
if (SYSPOLICY_RECORDER_MODE_ENABLED()) {
int status = recorder_code_unable; // ephemeral signature (not recorded)
if (geteuid() == 0) {
CFRef<CFUUIDRef> uuid = CFUUIDCreate(NULL);
std::string sigfile = RECORDER_DIR + cfStringRelease(CFUUIDCreateString(NULL, uuid)) + ".tsig";
try {
UnixPlusPlus::AutoFileDesc fd(sigfile, O_WRONLY | O_CREAT);
fd.write(CFDataGetBytePtr(signature), CFDataGetLength(signature));
status = recorder_code_adhoc; // recorded signature
SYSPOLICY_RECORDER_MODE_ADHOC_PATH(cfString(path).c_str(), type, sigfile.c_str());
} catch (...) { }
}
// now report the D probe itself
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
SYSPOLICY_RECORDER_MODE(cfString(path).c_str(), type, "",
cdhash ? CFDataGetBytePtr(cdhash) : NULL, status);
}
return true; // it worked; we're now (well) signed
} catch (...) { }
return false;
}
//
// Executable code.
// Read from disk, evaluate properly, cache as indicated. The whole thing, so far.
//
void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result,
bool handleUnsignedCode /* = true */)
{
FileQuarantine qtn(cfString(path).c_str());
if (qtn.flag(QTN_FLAG_HARD))
MacOSError::throwMe(errSecCSFileHardQuarantined);
CFRef<SecStaticCodeRef> code;
MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref()));
OSStatus rc = noErr; // last validation error
const SecCSFlags validationFlags = kSecCSEnforceRevocationChecks;
WhitelistPrescreen whitelistScreen(code); // pre-screening filter for whitelist pre-screening (only)
SQLite::Statement query(*this,
"SELECT allow, requirement, id, label, expires, flags, disabled, filter_unsigned, remarks FROM scan_authority"
" WHERE type = :type"
" ORDER BY priority DESC;");
query.bind(":type").integer(type);
SQLite3::int64 latentID = 0; // first (highest priority) disabled matching ID
std::string latentLabel; // ... and associated label, if any
while (query.nextRow()) {
bool allow = int(query[0]);
const char *reqString = query[1];
SQLite3::int64 id = query[2];
const char *label = query[3];
double expires = query[4];
sqlite3_int64 ruleFlags = query[5];
SQLite3::int64 disabled = query[6];
const char *filter = query[7];
const char *remarks = query[8];
CFRef<SecRequirementRef> requirement;
MacOSError::check(SecRequirementCreateWithString(CFTempString(reqString), kSecCSDefaultFlags, &requirement.aref()));
rc = SecStaticCodeCheckValidity(code, validationFlags, requirement);
// ad-hoc sign unsigned code, skip of Gatekeeper is off or the rule is disabled; but always do it for whitelist recording
if (rc == errSecCSUnsigned && handleUnsignedCode && (!(disabled || overrideAssessment()) || SYSPOLICY_RECORDER_MODE_ENABLED())) {
if (!SYSPOLICY_RECORDER_MODE_ENABLED()) {
// apply whitelist pre-screening to speed things up for non-matches
if (ruleFlags & kAuthorityFlagDefault) // can't ever match standard rules with unsigned code
continue;
if (whitelistScreen.reject(filter, remarks)) // apply whitelist pre-filter
continue;
}
try {
// ad-hoc sign the code and attach the signature
CFRef<CFDataRef> signature = CFDataCreateMutable(NULL, 0);
CFTemp<CFDictionaryRef> arguments("{%O=%O, %O=#N}", kSecCodeSignerDetached, signature.get(), kSecCodeSignerIdentity);
CFRef<SecCodeSignerRef> signer;
MacOSError::check(SecCodeSignerCreate(arguments, kSecCSDefaultFlags, &signer.aref()));
MacOSError::check(SecCodeSignerAddSignature(signer, code, kSecCSDefaultFlags));
MacOSError::check(SecCodeSetDetachedSignature(code, signature, kSecCSDefaultFlags));
// if we're in GKE recording mode, save that signature and report its location
if (SYSPOLICY_RECORDER_MODE_ENABLED()) {
int status = recorder_code_unable; // ephemeral signature (not recorded)
if (geteuid() == 0) {
CFRef<CFUUIDRef> uuid = CFUUIDCreate(NULL);
std::string sigfile = RECORDER_DIR + cfStringRelease(CFUUIDCreateString(NULL, uuid)) + ".tsig";
try {
UnixPlusPlus::AutoFileDesc fd(sigfile, O_WRONLY | O_CREAT);
fd.write(CFDataGetBytePtr(signature), CFDataGetLength(signature));
status = recorder_code_adhoc; // recorded signature
SYSPOLICY_RECORDER_MODE_ADHOC_PATH(cfString(path).c_str(), type, sigfile.c_str());
} catch (...) { }
}
// now report the D probe itself
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
SYSPOLICY_RECORDER_MODE(cfString(path).c_str(), type, "",
cdhash ? CFDataGetBytePtr(cdhash) : NULL, status);
}
// rerun the validation to update state
rc = SecStaticCodeCheckValidity(code, validationFlags | kSecCSBasicValidateOnly, requirement);
} catch (...) { }
}
switch (rc) {
case noErr: // well signed and satisfies requirement...
break; // ... continue below
case errSecCSSignatureFailed:
if (!codeInvalidityExceptions(code, result)) {
if (SYSPOLICY_ASSESS_OUTCOME_BROKEN_ENABLED())
SYSPOLICY_ASSESS_OUTCOME_BROKEN(cfString(path).c_str(), type, false);
MacOSError::throwMe(rc);
}
if (SYSPOLICY_ASSESS_OUTCOME_BROKEN_ENABLED())
SYSPOLICY_ASSESS_OUTCOME_BROKEN(cfString(path).c_str(), type, true);
// treat as unsigned to fix problems in the field
case errSecCSUnsigned:
if (handleUnsignedCode) {
cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
addAuthority(result, "no usable signature");
}
return;
case errSecCSReqFailed: // requirement missed, but otherwise okay
continue;
default: // broken in some way; all tests will fail like this so bail out
MacOSError::throwMe(rc);
}
if (disabled) {
if (latentID == 0) {
latentID = id;
if (label)
latentLabel = label;
}
continue; // the loop
}
CFRef<CFDictionaryRef> info; // as needed
if (flags & kSecAssessmentFlagRequestOrigin) {
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
if (CFArrayRef chain = CFArrayRef(CFDictionaryGetValue(info, kSecCodeInfoCertificates)))
setOrigin(chain, result);
}
if (!(ruleFlags & kAuthorityFlagInhibitCache) && !(flags & kSecAssessmentFlagNoCache)) { // cache inhibit
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
if (SecTrustRef trust = SecTrustRef(CFDictionaryGetValue(info, kSecCodeInfoTrust))) {
CFRef<CFDictionaryRef> xinfo;
MacOSError::check(SecTrustCopyExtendedResult(trust, &xinfo.aref()));
if (CFDateRef limit = CFDateRef(CFDictionaryGetValue(xinfo, kSecTrustExpirationDate))) {
this->recordOutcome(code, allow, type, min(expires, dateToJulian(limit)), id);
}
}
}
if (allow) {
if (SYSPOLICY_ASSESS_OUTCOME_ACCEPT_ENABLED()) {
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
SYSPOLICY_ASSESS_OUTCOME_ACCEPT(cfString(path).c_str(), type, label, cdhash ? CFDataGetBytePtr(cdhash) : NULL);
}
} else {
if (SYSPOLICY_ASSESS_OUTCOME_DENY_ENABLED() || SYSPOLICY_RECORDER_MODE_ENABLED()) {
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
std::string cpath = cfString(path);
const void *hashp = cdhash ? CFDataGetBytePtr(cdhash) : NULL;
SYSPOLICY_ASSESS_OUTCOME_DENY(cpath.c_str(), type, label, hashp);
SYSPOLICY_RECORDER_MODE(cpath.c_str(), type, label, hashp, recorder_code_untrusted);
}
}
cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow);
addAuthority(result, label, id);
return;
}
if (rc == errSecCSUnsigned) { // skipped all applicable rules due to pre-screening
cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
addAuthority(result, "no usable signature");
return;
}
// no applicable authority (but signed, perhaps temporarily). Deny by default
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
if (flags & kSecAssessmentFlagRequestOrigin) {
if (CFArrayRef chain = CFArrayRef(CFDictionaryGetValue(info, kSecCodeInfoCertificates)))
setOrigin(chain, result);
}
if (SYSPOLICY_ASSESS_OUTCOME_DEFAULT_ENABLED() || SYSPOLICY_RECORDER_MODE_ENABLED()) {
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
const void *hashp = cdhash ? CFDataGetBytePtr(cdhash) : NULL;
std::string cpath = cfString(path);
SYSPOLICY_ASSESS_OUTCOME_DEFAULT(cpath.c_str(), type, latentLabel.c_str(), hashp);
SYSPOLICY_RECORDER_MODE(cpath.c_str(), type, latentLabel.c_str(), hashp, 0);
}
if (!(flags & kSecAssessmentFlagNoCache))
this->recordOutcome(code, false, type, this->julianNow() + NEGATIVE_HOLD, latentID);
cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, false);
addAuthority(result, latentLabel.c_str(), latentID);
}
//
// Installer archive.
// Hybrid policy: If we detect an installer signature, use and validate that.
// If we don't, check for a code signature instead.
//
void PolicyEngine::evaluateInstall(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result)
{
const AuthorityType type = kAuthorityInstall;
Xar xar(cfString(path).c_str());
if (!xar) {
// follow the code signing path
evaluateCode(path, type, flags, context, result);
return;
}
SQLite3::int64 latentID = 0; // first (highest priority) disabled matching ID
std::string latentLabel; // ... and associated label, if any
if (!xar.isSigned()) {
// unsigned xar
if (SYSPOLICY_ASSESS_OUTCOME_UNSIGNED_ENABLED())
SYSPOLICY_ASSESS_OUTCOME_UNSIGNED(cfString(path).c_str(), type);
cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, false);
addAuthority(result, "no usable signature");
return;
}
if (CFRef<CFArrayRef> certs = xar.copyCertChain()) {
CFRef<CFTypeRef> policy = installerPolicy();
CFRef<SecTrustRef> trust;
MacOSError::check(SecTrustCreateWithCertificates(certs, policy, &trust.aref()));
// MacOSError::check(SecTrustSetAnchorCertificates(trust, cfEmptyArray())); // no anchors
MacOSError::check(SecTrustSetOptions(trust, kSecTrustOptionAllowExpired | kSecTrustOptionImplicitAnchors));
SecTrustResultType trustResult;
MacOSError::check(SecTrustEvaluate(trust, &trustResult));
CFRef<CFArrayRef> chain;
CSSM_TP_APPLE_EVIDENCE_INFO *info;
MacOSError::check(SecTrustGetResult(trust, &trustResult, &chain.aref(), &info));
if (flags & kSecAssessmentFlagRequestOrigin)
setOrigin(chain, result);
switch (trustResult) {
case kSecTrustResultProceed:
case kSecTrustResultUnspecified:
break;
default:
{
OSStatus rc;
MacOSError::check(SecTrustGetCssmResultCode(trust, &rc));
MacOSError::throwMe(rc);
}
}
SQLite::Statement query(*this,
"SELECT allow, requirement, id, label, flags, disabled FROM scan_authority"
" WHERE type = :type"
" ORDER BY priority DESC;");
query.bind(":type").integer(type);
while (query.nextRow()) {
bool allow = int(query[0]);
const char *reqString = query[1];
SQLite3::int64 id = query[2];
const char *label = query[3];
//sqlite_uint64 ruleFlags = query[4];
SQLite3::int64 disabled = query[5];
CFRef<SecRequirementRef> requirement;
MacOSError::check(SecRequirementCreateWithString(CFTempString(reqString), kSecCSDefaultFlags, &requirement.aref()));
switch (OSStatus rc = SecRequirementEvaluate(requirement, chain, NULL, kSecCSDefaultFlags)) {
case noErr: // success
break;
case errSecCSReqFailed: // requirement missed, but otherwise okay
continue;
default: // broken in some way; all tests will fail like this so bail out
MacOSError::throwMe(rc);
}
if (disabled) {
if (latentID == 0) {
latentID = id;
if (label)
latentLabel = label;
}
continue; // the loop
}
if (SYSPOLICY_ASSESS_OUTCOME_ACCEPT_ENABLED() || SYSPOLICY_ASSESS_OUTCOME_DENY_ENABLED()) {
if (allow)
SYSPOLICY_ASSESS_OUTCOME_ACCEPT(cfString(path).c_str(), type, label, NULL);
else
SYSPOLICY_ASSESS_OUTCOME_DENY(cfString(path).c_str(), type, label, NULL);
}
// not adding to the object cache - we could, but it's not likely to be worth it
cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow);
addAuthority(result, label, id);
return;
}
}
if (SYSPOLICY_ASSESS_OUTCOME_DEFAULT_ENABLED())
SYSPOLICY_ASSESS_OUTCOME_DEFAULT(cfString(path).c_str(), type, latentLabel.c_str(), NULL);
// no applicable authority. Deny by default
cfadd(result, "{%O=#F}", kSecAssessmentAssessmentVerdict);
addAuthority(result, latentLabel.c_str(), latentID);
}
string cfStringRelease(CFURLRef inUrl)
{
CFRef<CFURLRef> bundle(inUrl);
return cfString(bundle);
}
string cfStringRelease(CFBundleRef inBundle)
{
CFRef<CFBundleRef> bundle(inBundle);
return cfString(bundle);
}
//
// Add a rule to the policy database
//
CFDictionaryRef PolicyEngine::add(CFTypeRef inTarget, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context)
{
// default type to execution
if (type == kAuthorityInvalid)
type = kAuthorityExecute;
authorizeUpdate(flags, context);
CFDictionary ctx(context, errSecCSInvalidAttributeValues);
CFCopyRef<CFTypeRef> target = inTarget;
CFRef<CFDataRef> bookmark = NULL;
std::string filter_unsigned;
switch (type) {
case kAuthorityExecute:
normalizeTarget(target, ctx, &filter_unsigned);
// bookmarks are untrusted and just a hint to callers
bookmark = ctx.get<CFDataRef>(kSecAssessmentRuleKeyBookmark);
break;
case kAuthorityInstall:
if (inTarget && CFGetTypeID(inTarget) == CFURLGetTypeID()) {
// no good way to turn an installer file into a requirement. Pretend to succeeed so caller proceeds
return cfmake<CFDictionaryRef>("{%O=%O}", kSecAssessmentAssessmentAuthorityOverride, CFSTR("virtual install"));
}
break;
case kAuthorityOpenDoc:
// handle document-open differently: use quarantine flags for whitelisting
if (!target || CFGetTypeID(target) != CFURLGetTypeID()) // can only "add" file paths
MacOSError::throwMe(errSecCSInvalidObjectRef);
try {
std::string spath = cfString(target.as<CFURLRef>());
FileQuarantine qtn(spath.c_str());
qtn.setFlag(QTN_FLAG_ASSESSMENT_OK);
qtn.applyTo(spath.c_str());
} catch (const CommonError &error) {
// could not set quarantine flag - report qualified success
return cfmake<CFDictionaryRef>("{%O=%O,'assessment:error'=%d}",
kSecAssessmentAssessmentAuthorityOverride, CFSTR("error setting quarantine"), error.osStatus());
} catch (...) {
return cfmake<CFDictionaryRef>("{%O=%O}", kSecAssessmentAssessmentAuthorityOverride, CFSTR("unable to set quarantine"));
}
return NULL;
}
// if we now have anything else, we're busted
if (!target || CFGetTypeID(target) != SecRequirementGetTypeID())
MacOSError::throwMe(errSecCSInvalidObjectRef);
double priority = 0;
string label;
bool allow = true;
double expires = never;
string remarks;
if (CFNumberRef pri = ctx.get<CFNumberRef>(kSecAssessmentUpdateKeyPriority))
CFNumberGetValue(pri, kCFNumberDoubleType, &priority);
if (CFStringRef lab = ctx.get<CFStringRef>(kSecAssessmentUpdateKeyLabel))
label = cfString(lab);
if (CFDateRef time = ctx.get<CFDateRef>(kSecAssessmentUpdateKeyExpires))
// we're using Julian dates here; convert from CFDate
expires = dateToJulian(time);
if (CFBooleanRef allowing = ctx.get<CFBooleanRef>(kSecAssessmentUpdateKeyAllow))
allow = allowing == kCFBooleanTrue;
if (CFStringRef rem = ctx.get<CFStringRef>(kSecAssessmentUpdateKeyRemarks))
remarks = cfString(rem);
CFRef<CFStringRef> requirementText;
MacOSError::check(SecRequirementCopyString(target.as<SecRequirementRef>(), kSecCSDefaultFlags, &requirementText.aref()));
SQLite::Transaction xact(*this, SQLite3::Transaction::deferred, "add_rule");
SQLite::Statement insert(*this,
"INSERT INTO authority (type, allow, requirement, priority, label, expires, filter_unsigned, remarks)"
" VALUES (:type, :allow, :requirement, :priority, :label, :expires, :filter_unsigned, :remarks);");
insert.bind(":type").integer(type);
insert.bind(":allow").integer(allow);
insert.bind(":requirement") = requirementText.get();
insert.bind(":priority") = priority;
if (!label.empty())
insert.bind(":label") = label;
insert.bind(":expires") = expires;
insert.bind(":filter_unsigned") = filter_unsigned.empty() ? NULL : filter_unsigned.c_str();
if (!remarks.empty())
insert.bind(":remarks") = remarks;
insert.execute();
SQLite::int64 newRow = this->lastInsert();
if (bookmark) {
SQLite::Statement bi(*this, "INSERT INTO bookmarkhints (bookmark, authority) VALUES (:bookmark, :authority)");
bi.bind(":bookmark") = CFDataRef(bookmark);
bi.bind(":authority").integer(newRow);
bi.execute();
}
this->purgeObjects(priority);
xact.commit();
notify_post(kNotifySecAssessmentUpdate);
return cfmake<CFDictionaryRef>("{%O=%d}", kSecAssessmentUpdateKeyRow, newRow);
}
int FileDialog::ShowModal()
{
OSErr err;
NavDialogCreationOptions dialogCreateOptions;
// set default options
::NavGetDefaultDialogCreationOptions(&dialogCreateOptions);
// this was always unset in the old code
dialogCreateOptions.optionFlags &= ~kNavSelectDefaultLocation;
wxMacCFStringHolder message(m_message, GetFont().GetEncoding());
dialogCreateOptions.windowTitle = message;
wxMacCFStringHolder defaultFileName(m_fileName, GetFont().GetEncoding());
dialogCreateOptions.saveFileName = defaultFileName;
NavDialogRef dialog;
NavObjectFilterUPP navFilterUPP = NULL;
CustomData myData;
SetRect(&myData.bounds, 0, 0, 0, 0);
myData.me = this;
myData.window = NULL;
myData.defaultLocation = m_dir;
myData.userpane = NULL;
myData.choice = NULL;
myData.button = NULL;
myData.saveMode = false;
myData.showing = true;
Rect r;
SInt16 base;
SInt16 margin = 3;
SInt16 gap = 0;
MakeUserDataRec(&myData , m_wildCard);
myData.currentfilter = m_filterIndex;
size_t numFilters = myData.extensions.GetCount();
if (numFilters)
{
CreateNewMenu(0, 0, &myData.menu);
for ( size_t i = 0 ; i < numFilters ; ++i )
{
::AppendMenuItemTextWithCFString(myData.menu,
wxMacCFStringHolder(myData.name[i],
GetFont().GetEncoding()),
4,
i,
NULL);
}
SetRect(&r, 0, margin, 0, 0);
CreatePopupButtonControl(NULL, &r, CFSTR("Format:"), -12345, true, -1, teJustLeft, normal, &myData.choice);
SetControlID(myData.choice, &kChoiceID);
SetControlPopupMenuRef(myData.choice, myData.menu);
SetControl32BitMinimum(myData.choice, 1);
SetControl32BitMaximum(myData.choice, myData.name.GetCount());
SetControl32BitValue(myData.choice, myData.currentfilter + 1);
GetBestControlRect(myData.choice, &r, &base);
SizeControl(myData.choice, r.right - r.left, r.bottom - r.top);
UnionRect(&myData.bounds, &r, &myData.bounds);
gap = 15;
HIObjectSetAuxiliaryAccessibilityAttribute((HIObjectRef)myData.choice, 0, kAXDescriptionAttribute, CFSTR("Format"));
}
if (!m_buttonlabel.IsEmpty())
{
wxMacCFStringHolder cfString(wxStripMenuCodes(m_buttonlabel).c_str(), wxFONTENCODING_DEFAULT);
SetRect(&r, myData.bounds.right + gap, margin, 0, 0);
CreatePushButtonControl(NULL, &r, cfString, &myData.button);
SetControlID(myData.button, &kButtonID);
GetBestControlRect(myData.button, &r, &base);
SizeControl(myData.button, r.right - r.left, r.bottom - r.top);
UnionRect(&myData.bounds, &r, &myData.bounds);
}
// Expand bounding rectangle to include a top and bottom margin
myData.bounds.top -= margin;
myData.bounds.bottom += margin;
dialogCreateOptions.optionFlags |= kNavNoTypePopup;
if (m_dialogStyle & wxFD_SAVE)
{
dialogCreateOptions.modality = kWindowModalityWindowModal;
dialogCreateOptions.parentWindow = (WindowRef) GetParent()->MacGetTopLevelWindowRef();
myData.saveMode = true;
if (!numFilters)
{
dialogCreateOptions.optionFlags |= kNavNoTypePopup;
}
dialogCreateOptions.optionFlags |= kNavDontAutoTranslate;
dialogCreateOptions.optionFlags |= kNavDontAddTranslateItems;
// The extension is important
if (numFilters < 2)
dialogCreateOptions.optionFlags |= kNavPreserveSaveFileExtension;
#if TARGET_API_MAC_OSX
if (!(m_dialogStyle & wxFD_OVERWRITE_PROMPT))
{
dialogCreateOptions.optionFlags |= kNavDontConfirmReplacement;
}
#endif
err = ::NavCreatePutFileDialog(&dialogCreateOptions,
// Suppresses the 'Default' (top) menu item
kNavGenericSignature, kNavGenericSignature,
sStandardNavEventFilter,
&myData, // for defaultLocation
&dialog);
}
else
{
//let people select bundles/programs in dialogs
dialogCreateOptions.optionFlags |= kNavSupportPackages;
navFilterUPP = NewNavObjectFilterUPP(CrossPlatformFilterCallback);
err = ::NavCreateGetFileDialog(&dialogCreateOptions,
NULL, // NavTypeListHandle
sStandardNavEventFilter,
NULL, // NavPreviewUPP
navFilterUPP,
(void *) &myData, // inClientData
&dialog);
}
if (err == noErr)
err = ::NavDialogRun(dialog);
if (err == noErr)
{
myData.window = NavDialogGetWindow(dialog);
Rect r;
// This creates our "fake" dialog with the same dimensions as the sheet so
// that Options dialogs will center properly on the sheet. The "fake" dialog
// is never actually seen.
GetWindowBounds(myData.window, kWindowStructureRgn, &r);
wxDialog::Create(NULL, // no parent...otherwise strange things happen
wxID_ANY,
wxEmptyString,
wxPoint(r.left, r.top),
wxSize(r.right - r.left, r.bottom - r.top));
BeginAppModalStateForWindow(myData.window);
while (myData.showing)
{
wxTheApp->MacDoOneEvent();
}
EndAppModalStateForWindow(myData.window);
}
// clean up filter related data, etc.
if (navFilterUPP)
::DisposeNavObjectFilterUPP(navFilterUPP);
if (err != noErr)
return wxID_CANCEL;
NavReplyRecord navReply;
err = ::NavDialogGetReply(dialog, &navReply);
if (err == noErr && navReply.validRecord)
{
AEKeyword theKeyword;
DescType actualType;
Size actualSize;
FSRef theFSRef;
wxString thePath ;
m_filterIndex = myData.currentfilter;
long count;
::AECountItems(&navReply.selection , &count);
for (long i = 1; i <= count; ++i)
{
err = ::AEGetNthPtr(&(navReply.selection), i, typeFSRef, &theKeyword, &actualType,
&theFSRef, sizeof(theFSRef), &actualSize);
if (err != noErr)
break;
if (m_dialogStyle & wxFD_SAVE)
thePath = wxMacFSRefToPath( &theFSRef , navReply.saveFileName ) ;
else
thePath = wxMacFSRefToPath( &theFSRef ) ;
if (!thePath)
{
::NavDisposeReply(&navReply);
return wxID_CANCEL;
}
m_path = ConvertSlashInFileName(thePath);
m_paths.Add(m_path);
m_fileName = wxFileNameFromPath(m_path);
m_fileNames.Add(m_fileName);
}
// set these to the first hit
m_path = m_paths[0];
m_fileName = wxFileNameFromPath(m_path);
m_dir = wxPathOnly(m_path);
}
::NavDisposeReply(&navReply);
return (err == noErr) ? wxID_OK : wxID_CANCEL;
}
//
// Bonus function: get the path out of a SecCodeRef
//
std::string codePath(SecStaticCodeRef code)
{
CFRef<CFURLRef> path;
MacOSError::check(SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()));
return cfString(path);
}
//
// The executable path is a bit annoying to get, but not quite
// annoying enough to cache the result.
//
string OSXCodeWrap::executablePath() const
{
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(mCode, kSecCSDefaultFlags, &info.aref()));
return cfString(CFURLRef(CFDictionaryGetValue(info, kSecCodeInfoMainExecutable)));
}
void PolicyEngine::evaluateCodeItem(SecStaticCodeRef code, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, bool nested, CFMutableDictionaryRef result)
{
SQLite::Statement query(*this,
"SELECT allow, requirement, id, label, expires, flags, disabled, filter_unsigned, remarks FROM scan_authority"
" WHERE type = :type"
" ORDER BY priority DESC;");
query.bind(":type").integer(type);
SQLite3::int64 latentID = 0; // first (highest priority) disabled matching ID
std::string latentLabel; // ... and associated label, if any
while (query.nextRow()) {
bool allow = int(query[0]);
const char *reqString = query[1];
SQLite3::int64 id = query[2];
const char *label = query[3];
double expires = query[4];
sqlite3_int64 ruleFlags = query[5];
SQLite3::int64 disabled = query[6];
// const char *filter = query[7];
// const char *remarks = query[8];
CFRef<SecRequirementRef> requirement;
MacOSError::check(SecRequirementCreateWithString(CFTempString(reqString), kSecCSDefaultFlags, &requirement.aref()));
switch (OSStatus rc = SecStaticCodeCheckValidity(code, kSecCSBasicValidateOnly, requirement)) {
case errSecSuccess:
break; // rule match; process below
case errSecCSReqFailed:
continue; // rule does not apply
case errSecCSVetoed:
return; // nested code has failed to pass
default:
MacOSError::throwMe(rc); // general error; pass to caller
}
// if this rule is disabled, skip it but record the first matching one for posterity
if (disabled && latentID == 0) {
latentID = id;
latentLabel = label ? label : "";
continue;
}
// current rule is first rule (in priority order) that matched. Apply it
if (nested) // success, nothing to record
return;
CFRef<CFDictionaryRef> info; // as needed
if (flags & kSecAssessmentFlagRequestOrigin) {
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
if (CFArrayRef chain = CFArrayRef(CFDictionaryGetValue(info, kSecCodeInfoCertificates)))
setOrigin(chain, result);
}
if (!(ruleFlags & kAuthorityFlagInhibitCache) && !(flags & kSecAssessmentFlagNoCache)) { // cache inhibit
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
if (SecTrustRef trust = SecTrustRef(CFDictionaryGetValue(info, kSecCodeInfoTrust))) {
CFRef<CFDictionaryRef> xinfo;
MacOSError::check(SecTrustCopyExtendedResult(trust, &xinfo.aref()));
if (CFDateRef limit = CFDateRef(CFDictionaryGetValue(xinfo, kSecTrustExpirationDate))) {
this->recordOutcome(code, allow, type, min(expires, dateToJulian(limit)), id);
}
}
}
if (allow) {
if (SYSPOLICY_ASSESS_OUTCOME_ACCEPT_ENABLED()) {
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
SYSPOLICY_ASSESS_OUTCOME_ACCEPT(cfString(path).c_str(), type, label, cdhash ? CFDataGetBytePtr(cdhash) : NULL);
}
} else {
if (SYSPOLICY_ASSESS_OUTCOME_DENY_ENABLED() || SYSPOLICY_RECORDER_MODE_ENABLED()) {
if (!info)
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
std::string cpath = cfString(path);
const void *hashp = cdhash ? CFDataGetBytePtr(cdhash) : NULL;
SYSPOLICY_ASSESS_OUTCOME_DENY(cpath.c_str(), type, label, hashp);
SYSPOLICY_RECORDER_MODE(cpath.c_str(), type, label, hashp, recorder_code_untrusted);
}
}
cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow);
addAuthority(flags, result, label, id);
return;
}
// no applicable authority (but signed, perhaps temporarily). Deny by default
CFRef<CFDictionaryRef> info;
MacOSError::check(SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info.aref()));
if (flags & kSecAssessmentFlagRequestOrigin) {
if (CFArrayRef chain = CFArrayRef(CFDictionaryGetValue(info, kSecCodeInfoCertificates)))
setOrigin(chain, result);
}
if (SYSPOLICY_ASSESS_OUTCOME_DEFAULT_ENABLED() || SYSPOLICY_RECORDER_MODE_ENABLED()) {
CFDataRef cdhash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
const void *hashp = cdhash ? CFDataGetBytePtr(cdhash) : NULL;
std::string cpath = cfString(path);
SYSPOLICY_ASSESS_OUTCOME_DEFAULT(cpath.c_str(), type, latentLabel.c_str(), hashp);
SYSPOLICY_RECORDER_MODE(cpath.c_str(), type, latentLabel.c_str(), hashp, 0);
}
if (!(flags & kSecAssessmentFlagNoCache))
this->recordOutcome(code, false, type, this->julianNow() + NEGATIVE_HOLD, latentID);
cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, false);
addAuthority(flags, result, latentLabel.c_str(), latentID);
}
