Revision: 23714 http://trac.macosforge.org/projects/launchd/changeset/23714 Author: dsorresso@apple.com Date: 2008-09-19 14:55:47 -0700 (Fri, 19 Sep 2008) Log Message: ----------- <rdar://problem/6228042> SULeoZip: sandbox_init: Could not set default launchd policy, err=1100 Modified Paths: -------------- branches/SULeopard/launchd/src/launchd_core_logic.c Modified: branches/SULeopard/launchd/src/launchd_core_logic.c =================================================================== --- branches/SULeopard/launchd/src/launchd_core_logic.c 2008-09-18 00:40:51 UTC (rev 23713) +++ branches/SULeopard/launchd/src/launchd_core_logic.c 2008-09-19 21:55:47 UTC (rev 23714) @@ -6668,13 +6668,31 @@ runtime_get_caller_creds(&ldc); #if TARGET_OS_EMBEDDED - if (ldc.euid) { -#else - if (ldc.euid && (ldc.euid != getuid())) { -#endif + if( ldc.euid ) { return BOOTSTRAP_NOT_PRIVILEGED; } +#else + if( ldc.euid && (ldc.euid != getuid()) ) { + int mib[] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, target_pid }; + struct kinfo_proc kp; + size_t len = sizeof(kp); + job_assumes(j, sysctl(mib, 4, &kp, &len, NULL, 0) != -1); + job_assumes(j, len == sizeof(kp)); + + uid_t kp_euid = kp.kp_eproc.e_ucred.cr_uid; + uid_t kp_uid = kp.kp_eproc.e_pcred.p_ruid; + + if( ldc.euid == kp_euid ) { + job_log(j, LOG_DEBUG, "Working around rdar://problem/5982485 and allowing job to set policy for PID %u.", target_pid); + } else { + job_log(j, LOG_ERR, "Denied Mach service policy update requested by UID/EUID %u/%u against PID %u with UID/EUID %u/%u due to mismatched credentials.", ldc.uid, ldc.euid, target_pid, kp_uid, kp_euid); + + return BOOTSTRAP_NOT_PRIVILEGED; + } + } +#endif + if (!job_assumes(j, (target_j = jobmgr_find_by_pid(j->mgr, target_pid, true)) != NULL)) { return BOOTSTRAP_NO_MEMORY; }