Modified: trunk/launchd/src/launchd_core_logic.c (23696 => 23697)
--- trunk/launchd/src/launchd_core_logic.c 2008-08-22 22:48:58 UTC (rev 23696)
+++ trunk/launchd/src/launchd_core_logic.c 2008-08-22 22:53:46 UTC (rev 23697)
@@ -6507,6 +6507,7 @@
kr = BOOTSTRAP_SUCCESS;
} else if (!per_pid_lookup && (inherited_bootstrap_port != MACH_PORT_NULL)) {
job_log(j, LOG_DEBUG, "Mach service lookup forwarded: %s", servicename);
+ /* Clients potentially check the audit token of the reply to verify that the returned send right is trustworthy. */
job_assumes(j, vproc_mig_look_up2_forward(inherited_bootstrap_port, srp, servicename, 0, 0) == 0);
/* The previous routine moved the reply port, we're forced to return MIG_NO_REPLY now */
return MIG_NO_REPLY;
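Review bot: The new comment on the forwarding path is too vague to help the next reader: "potentially check" does not say what property the client can rely on. Since the reply port is moved upstream (per the existing comment on the next line), the reply the client eventually receives is sent by the launchd that actually owned the service, so the audit token in the reply trailer identifies that launchd rather than this one; I would say so explicitly, e.g. `/* The reply comes from the upstream launchd, so a client that inspects the reply's audit token sees that launchd's credentials, not ours. */`. The enclosing function begins and ends outside this hunk.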
Modified: trunk/launchd/src/libbootstrap.c (23696 => 23697)
--- trunk/launchd/src/libbootstrap.c 2008-08-22 22:48:58 UTC (rev 23696)
+++ trunk/launchd/src/libbootstrap.c 2008-08-22 22:53:46 UTC (rev 23697)
@@ -141,6 +141,7 @@
kern_return_t
bootstrap_look_up_per_user(mach_port_t bp, name_t service_name, uid_t target_user, mach_port_t *sp)
{
+ audit_token_t au_tok;
struct stat sb;
kern_return_t kr;
mach_port_t puc;
@@ -153,7 +154,7 @@
return kr;
}
- kr = vproc_mig_look_up2(puc, service_name, sp, 0, 0);
+ kr = vproc_mig_look_up2(puc, service_name, sp, &au_tok, 0, 0);
mach_port_deallocate(mach_task_self(), puc);
return kr;
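Review bot: The audit token requested on the changed `vproc_mig_look_up2` line is never examined in `bootstrap_look_up_per_user`; `au_tok` only exists to satisfy the new MIG signature, so a reader may assume this entry point performs the same privileged-server check that `bootstrap_look_up2` now does. A one-line comment on the declaration would prevent that, e.g. `/* Required by the MIG signature; this entry point does not validate the replying server. */`. The function's closing brace lies outside the hunk.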
@@ -173,6 +174,7 @@
static mach_port_t prev_bp;
static mach_port_t prev_sp;
static name_t prev_name;
+ audit_token_t au_tok;
bool per_pid_lookup = flags & BOOTSTRAP_PER_PID_SERVICE;
kern_return_t kr = 0;
mach_port_t puc;
@@ -195,7 +197,7 @@
}
skip_cache:
- if ((kr = vproc_mig_look_up2(bp, service_name, sp, target_pid, flags)) != VPROC_ERR_TRY_PER_USER) {
+ if ((kr = vproc_mig_look_up2(bp, service_name, sp, &au_tok, target_pid, flags)) != VPROC_ERR_TRY_PER_USER) {
goto out;
}
@@ -203,7 +205,7 @@
goto out;
}
- kr = vproc_mig_look_up2(puc, service_name, sp, target_pid, flags);
+ kr = vproc_mig_look_up2(puc, service_name, sp, &au_tok, target_pid, flags);
mach_port_deallocate(mach_task_self(), puc);
out:
@@ -217,6 +219,27 @@
pthread_mutex_unlock(&bslu2_lock);
+ if ((kr == 0) && (flags & BOOTSTRAP_PRIVILEGED_SERVER)) {
+ uid_t server_euid;
+
+ /*
+ * The audit token magic is dependent on the per-user launchd
+ * forwarding MIG requests to the root launchd when it cannot
+ * find the answer locally.
+ */
+
+ /* This API should be in Libsystem, but is not */
+ //audit_token_to_au32(au_tok, NULL, &server_euid, NULL, NULL, NULL, NULL, NULL, NULL);
+
+ server_euid = au_tok.val[1];
+
+ if (server_euid) {
+ mach_port_deallocate(mach_task_self(), *sp);
+ kr = BOOTSTRAP_NOT_PRIVILEGED;
+ }
+
+ }
+
return kr;
}
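Review bot: When the privileged-server check fails, the added block deallocates `*sp` but leaves the now-dead port name in the caller's out-parameter, so a caller that ignores `BOOTSTRAP_NOT_PRIVILEGED` or logs `*sp` operates on a stale name; add `*sp = MACH_PORT_NULL;` after the `mach_port_deallocate` call. The check also reads `au_tok.val[1]` whenever `kr == 0`, yet `au_tok` is an uninitialized automatic variable that is only written by `vproc_mig_look_up2`; if any path reaches `out:` with `kr == 0` without making that call (the cache path before `skip_cache:` is outside this hunk, so I cannot confirm it does), the comparison reads indeterminate data and the outcome of the privilege check becomes arbitrary — initializing `au_tok` to a non-root value (e.g. `{ .val = { [1] = (uid_t)-1 } }`) or gating the check on the MIG call having run would make that failure closed. Finally, indexing `val[1]` directly with the real accessor commented out relies on the field layout of `audit_token_t`; at minimum name it, `server_euid = au_tok.val[1]; /* val[1] is the euid in audit_token_t */`, so the dependency is visible.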
Modified: trunk/launchd/src/libbootstrap_private.h (23696 => 23697)
--- trunk/launchd/src/libbootstrap_private.h 2008-08-22 22:48:58 UTC (rev 23696)
+++ trunk/launchd/src/libbootstrap_private.h 2008-08-22 22:53:46 UTC (rev 23697)
@@ -30,6 +30,7 @@
#define BOOTSTRAP_PER_PID_SERVICE 0x1
#define BOOTSTRAP_ALLOW_LOOKUP 0x2
#define BOOTSTRAP_DENY_JOB_CREATION 0x4
+#define BOOTSTRAP_PRIVILEGED_SERVER 0x8
kern_return_t bootstrap_register2(mach_port_t bp, name_t service_name, mach_port_t sp, uint64_t flags);
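Review bot: The new `BOOTSTRAP_PRIVILEGED_SERVER` flag is added without any comment, unlike the behaviour it triggers in `bootstrap_look_up2`, which is non-obvious: the lookup succeeds normally and is then rejected client-side unless the replying launchd's effective uid is 0. I would document that at the definition, e.g. `/* Lookup fails with BOOTSTRAP_NOT_PRIVILEGED unless the reply's audit token shows euid 0; enforced in libbootstrap, not in launchd. */`. Because the flags word is passed through to `vproc_mig_look_up2`, it is worth stating whether launchd is expected to ignore this bit, which I cannot tell from the header alone.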