Revision: 23488
http://trac.macosforge.org/projects/launchd/changeset/23488
Author: zarzycki@apple.com
Date: 2008-01-18 13:27:01 -0800 (Fri, 18 Jan 2008)
Log Message:
-----------
<rdar://problem/5653227> work with Seatbelt to provide access control on spawn_via_launchd
Modified Paths:
--------------
trunk/launchd/src/launchd_core_logic.c
trunk/launchd/src/liblaunch_public.h
Modified: trunk/launchd/src/launchd_core_logic.c
===================================================================
--- trunk/launchd/src/launchd_core_logic.c 2008-01-18 21:24:30 UTC (rev 23487)
+++ trunk/launchd/src/launchd_core_logic.c 2008-01-18 21:27:01 UTC (rev 23488)
@@ -365,7 +365,7 @@
 currently_ignored:1, forced_peers_to_demand_mode:1, setnice:1, hopefully_exits_last:1, removal_pending:1, legacy_LS_job:1, sent_sigkill:1, debug_before_kill:1, weird_bootstrap:1, start_on_mount:1, per_user:1, hopefully_exits_first:1, deny_unknown_mslookups:1, unload_at_mig_return:1, abandon_pg:1,
- poll_for_vfs_changes:1, can_kickstart:1, __junk:11;
+ poll_for_vfs_changes:1, deny_job_creation:1, __junk:11;
 mode_t mask;
 const char label[0];
 };
@@ -1643,10 +1643,10 @@
 bool found_key = false;
 switch (key[0]) {
- case 'c':
- case 'C':
- if (strcasecmp(key, LAUNCH_JOBPOLICY_CANKICKSTARTOTHERJOBS) == 0) {
- j->can_kickstart = launch_data_get_bool(obj);
+ case 'd':
+ case 'D':
+ if (strcasecmp(key, LAUNCH_JOBPOLICY_DENYCREATINGOTHERJOBS) == 0) {
+ j->deny_job_creation = launch_data_get_bool(obj);
 found_key = true;
 }
 break;
@@ -5296,6 +5296,10 @@
 return BOOTSTRAP_NO_MEMORY;
 }
+ if (unlikely(j->deny_job_creation)) {
+ return BOOTSTRAP_NOT_PRIVILEGED;
+ }
+
 runtime_get_caller_creds(&ldc);
 job_log(j, LOG_DEBUG, "Server create attempt: %s", server_cmd);
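Review bot: The `deny_job_creation` early return added just before `runtime_get_caller_creds(&ldc)` in the @@ -5296 hunk refuses the request silently, while the path that proceeds logs the attempt on the very next context line at LOG_DEBUG; a policy refusal is the event an administrator debugging a confined job most needs to see, so log it before returning, e.g. `job_log(j, LOG_WARNING, "Denied server creation by job policy: %s", server_cmd);`. The spawn path hunk at @@ -6690 adds the same silent return and would take the same log line without the command argument. Both enclosing functions begin and end outside their hunks.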
@@ -6582,16 +6586,21 @@
 return BOOTSTRAP_NO_MEMORY;
 }
+ if (unlikely(!(otherj = job_find(targetlabel)))) {
+ return BOOTSTRAP_UNKNOWN_SERVICE;
+ }
+
 runtime_get_caller_creds(&ldc);
- if (!j->can_kickstart || (ldc.euid != 0 && ldc.euid != geteuid())) {
+ if (ldc.euid != 0 && ldc.euid != geteuid()
+#if TARGET_OS_EMBEDDED
+ && j->username && otherj->username
+ && strcmp(j->username, otherj->username) != 0
+#endif
+ ) {
 return BOOTSTRAP_NOT_PRIVILEGED;
 }
- if (unlikely(!(otherj = job_find(targetlabel)))) {
- return BOOTSTRAP_UNKNOWN_SERVICE;
- }
-
 otherj = job_dispatch(otherj, true);
 if (!job_assumes(j, otherj && otherj->p)) {
@@ -6690,6 +6699,10 @@
 return BOOTSTRAP_NO_MEMORY;
 }
+ if (unlikely(j->deny_job_creation)) {
+ return BOOTSTRAP_NOT_PRIVILEGED;
+ }
+
 if (unlikely(pid1_magic && ldc.euid && ldc.uid)) {
 job_log(j, LOG_DEBUG, "Punting spawn to per-user-context");
 return VPROC_ERR_TRY_PER_USER;
Modified: trunk/launchd/src/liblaunch_public.h
===================================================================
--- trunk/launchd/src/liblaunch_public.h 2008-01-18 21:24:30 UTC (rev 23487)
+++ trunk/launchd/src/liblaunch_public.h 2008-01-18 21:27:01 UTC (rev 23488)
@@ -102,7 +102,7 @@
 #define LAUNCH_JOBKEY_ABANDONPROCESSGROUP "AbandonProcessGroup"
 #define LAUNCH_JOBKEY_POLICIES "Policies"
-#define LAUNCH_JOBPOLICY_CANKICKSTARTOTHERJOBS "CanKickStartOtherJobs"
+#define LAUNCH_JOBPOLICY_DENYCREATINGOTHERJOBS "DenyCreatingOtherJobs"
 #define LAUNCH_JOBINETDCOMPATIBILITY_WAIT "Wait"
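Review bot: In the @@ -6582 hunk, moving `job_find(targetlabel)` ahead of the credential check lets a caller that fails that check learn whether a label is loaded, because an unknown label now returns BOOTSTRAP_UNKNOWN_SERVICE before the caller is rejected with BOOTSTRAP_NOT_PRIVILEGED, whereas the removed lines ran the privilege test first and an unprivileged caller always saw the same error. The lookup only needs to precede the test for the TARGET_OS_EMBEDDED username comparison, so keep the lookup but settle the privilege outcome before its result is disclosed, as sketched below. Separately, in the embedded branch a NULL `j->username` or `otherj->username` skips the comparison and admits a non-root caller; if that is not intended, a missing username should count as a mismatch. The enclosing function starts and ends outside the hunk.

```c
	runtime_get_caller_creds(&ldc);
	otherj = job_find(targetlabel);

	/* Decide authorization before revealing whether the label exists. */
	if (ldc.euid != 0 && ldc.euid != geteuid()
#if TARGET_OS_EMBEDDED
			&& (!otherj || (j->username && otherj->username
			&& strcmp(j->username, otherj->username) != 0))
#endif
	   ) {
		return BOOTSTRAP_NOT_PRIVILEGED;
	}

	if (unlikely(!otherj)) {
		return BOOTSTRAP_UNKNOWN_SERVICE;
	}
	/* … unchanged: job_dispatch(otherj, true) and the job_assumes check … */
```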