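#include <AvailabilityMacros.h>

#if !defined(MAC_OS_X_VERSION_10_7) || MAC_OS_X_VERSION_MAX_ALLOWED < MAC_OS_X_VERSION_10_7
#define BUILDING_ON_SNOW_LEOPARD 1
#endif

#if !BUILDING_ON_SNOW_LEOPARD
#define __XPC_PRIVATE_H__
#include <xpc/xpc.h>
#include <Security/Security.h>
#include "LauncherXPCService.h"

#include <stdbool.h>
#include <stddef.h>
#include <string.h>

// Checks that the sender of `message` holds the LaunchUsingXPCRightName right.
//
// The client attaches an AuthorizationExternalForm blob under
// LauncherXPCServiceAuthKey. The blob is rehydrated into an AuthorizationRef
// and the right is queried with kAuthorizationFlagDefaults (no
// kAuthorizationFlagExtendRights), so the service never triggers a user
// prompt: only a right the client already holds counts.
//
// Returns 0 on success, otherwise a non-zero code naming the failing step:
//   1 - no auth blob in the message, or it is shorter than an external form
//   2 - the blob does not decode into an AuthorizationRef
//   3 - the AuthorizationRef does not carry the right
//   4 - the right is not defined in the authorization database
int _validate_authorization(xpc_object_t message)
{
    size_t data_length = 0;
    const void *data_bytes = xpc_dictionary_get_data(message, LauncherXPCServiceAuthKey, &data_length);

    // A missing key yields NULL/0; a short blob would leave part of extAuth
    // uninitialized. Reject both before copying. Trailing bytes beyond the
    // external-form size are ignored, as before.
    AuthorizationExternalForm extAuth;
    if (data_bytes == NULL || data_length < sizeof(extAuth.bytes))
        return 1;
    memcpy(extAuth.bytes, data_bytes, sizeof(extAuth.bytes));

    AuthorizationRef authRef = NULL;
    if (AuthorizationCreateFromExternalForm(&extAuth, &authRef) != errAuthorizationSuccess)
        return 2;

    // From here on authRef is owned by this function and is released with
    // AuthorizationFree on every exit path; the earlier version never freed it.
    int result = 3;

    AuthorizationItem items[] = { { LaunchUsingXPCRightName, 0, NULL, 0 } };
    AuthorizationRights requestedRights = { 1, items };
    AuthorizationRights *outAuthorizedRights = NULL;
    OSStatus status = AuthorizationCopyRights(authRef, &requestedRights, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &outAuthorizedRights);

    // AuthorizationCopyRights hands back the subset of the requested rights the
    // reference currently holds; a non-empty subset means the client is authorized.
    bool auth_success = status == errAuthorizationSuccess && outAuthorizedRights != NULL && outAuthorizedRights->count > 0;
    if (outAuthorizedRights)
        AuthorizationFreeItemSet(outAuthorizedRights);

    if (auth_success) {
        // On Lion the right does not initially exist in /etc/authorization. If an
        // admin user logs in and uses lldb within the first 5 minutes, it is
        // possible for AuthorizationCopyRights to grant LaunchUsingXPCRightName
        // anyway, so additionally require that the right is actually defined.
        status = AuthorizationRightGet(LaunchUsingXPCRightName, NULL);
        result = (status == errAuthorizationSuccess) ? 0 : 4;
    }

    // kAuthorizationFlagDefaults releases only our reference; the client's own
    // credentials are left untouched (kAuthorizationFlagDestroyRights would revoke them).
    AuthorizationFree(authRef, kAuthorizationFlagDefaults);
    return result;
}

#endif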