      1 #include <AvailabilityMacros.h>
      2 
      3 #if !defined(MAC_OS_X_VERSION_10_7) || MAC_OS_X_VERSION_MAX_ALLOWED < MAC_OS_X_VERSION_10_7
      4 #define BUILDING_ON_SNOW_LEOPARD 1
      5 #endif
      6 
      7 #if !BUILDING_ON_SNOW_LEOPARD
      8 #define __XPC_PRIVATE_H__
      9 #include <xpc/xpc.h>
     10 #include <Security/Security.h>
     11 #include "LauncherXPCService.h"
     12 
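/*
 * Validates the authorization that accompanies an incoming XPC message.
 *
 * The message is expected to carry, under LauncherXPCServiceAuthKey, a data
 * value holding the bytes of an AuthorizationExternalForm. That value is
 * supplied by the XPC peer, so it is treated as untrusted: it is length-checked
 * before it is copied, and the resulting authorization is only accepted if it
 * actually holds LaunchUsingXPCRightName.
 *
 * Returns 0 if successful, otherwise a non-zero code naming the failed step:
 *   1 - the auth value is missing or shorter than an external form
 *   2 - AuthorizationCreateFromExternalForm rejected the external form
 *   3 - AuthorizationCopyRights did not grant LaunchUsingXPCRightName
 *   4 - AuthorizationRightGet could not find LaunchUsingXPCRightName
 */
int _validate_authorization(xpc_object_t message)
{
    size_t data_length = 0ul;
    const void *data_bytes = xpc_dictionary_get_data(message, LauncherXPCServiceAuthKey, &data_length);

    // Reject a missing value explicitly instead of relying on data_length
    // having stayed 0, and never read past what the peer actually sent.
    // A longer value is still accepted; only the leading bytes are used.
    AuthorizationExternalForm extAuth;
    if (data_bytes == NULL || data_length < sizeof(extAuth.bytes))
        return 1;

    memcpy(extAuth.bytes, data_bytes, sizeof(extAuth.bytes));

    AuthorizationRef authRef = NULL;
    if (AuthorizationCreateFromExternalForm(&extAuth, &authRef) != errAuthorizationSuccess)
        return 2;

    AuthorizationItem items[] = { { LaunchUsingXPCRightName, 0, NULL, 0 } };
    AuthorizationRights requestedRights = { 1, items };
    AuthorizationRights *outAuthorizedRights = NULL;
    OSStatus status = AuthorizationCopyRights(authRef, &requestedRights, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &outAuthorizedRights);

    // Given a set of rights, AuthorizationCopyRights returns the subset that is
    // currently authorized by authRef; count(subset) > 0 -> success.
    bool auth_success = (status == errAuthorizationSuccess
                         && outAuthorizedRights != NULL
                         && outAuthorizedRights->count > 0);
    if (outAuthorizedRights != NULL)
        AuthorizationFreeItemSet(outAuthorizedRights);

    // The reference created above is only needed for the rights check. Release
    // it on every path so the service does not leak one AuthorizationRef per
    // message. kAuthorizationFlagDefaults frees the reference without
    // destroying the rights themselves.
    AuthorizationFree(authRef, kAuthorizationFlagDefaults);

    if (!auth_success)
        return 3;

    // On Lion, because the right initially does not exist in /etc/authorization,
    // if an admin user logs in and uses lldb within the first 5 minutes, it is
    // possible to call AuthorizationCopyRights on LaunchUsingXPCRightName and
    // get the right back. As another security measure, make sure that the
    // LaunchUsingXPCRightName right actually exists.
    status = AuthorizationRightGet(LaunchUsingXPCRightName, NULL);
    return (status == errAuthorizationSuccess) ? 0 : 4;
}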
     49 
     50 #endif
     51