Revision: 23863
http://trac.macosforge.org/projects/launchd/changeset/23863
Author: dsorresso@apple.com
Date: 2009-03-17 18:41:53 -0700 (Tue, 17 Mar 2009)
Log Message:
-----------
Embedded security fixes.
Modified Paths:
--------------
trunk/launchd/src/launchd_core_logic.c
trunk/launchd/src/liblaunch.c
Modified: trunk/launchd/src/launchd_core_logic.c
===================================================================
--- trunk/launchd/src/launchd_core_logic.c 2009-03-17 22:24:19 UTC (rev 23862)
+++ trunk/launchd/src/launchd_core_logic.c 2009-03-18 01:41:53 UTC (rev 23863)
@@ -3507,16 +3507,16 @@
 pid_t c;
 bool sipc = false;
 u_int proc_fflags = NOTE_EXIT|NOTE_FORK|NOTE_EXEC|NOTE_REAP;
-
+
 if (!job_assumes(j, j->mgr != NULL)) {
 return;
 }
-
+
 if (unlikely(job_active(j))) {
 job_log(j, LOG_DEBUG, "Already started");
 return;
 }
-
+
 /*
 * Some users adjust the wall-clock and then expect software to not notice.
 * Therefore, launchd must use an absolute clock instead of the wall clock
@@ -3524,31 +3524,31 @@
 */
 td = runtime_get_nanoseconds_since(j->start_time);
 td /= NSEC_PER_SEC;
-
+
 if (j->start_time && (td < j->min_run_time) && !j->legacy_mach_job && !j->inetcompat) {
 time_t respawn_delta = j->min_run_time - (uint32_t)td;
-
+
 /*
 * We technically should ref-count throttled jobs to prevent idle exit,
 * but we're not directly tracking the 'throttled' state at the moment.
 */
-
+
 job_log(j, LOG_WARNING, "Throttling respawn: Will start in %ld seconds", respawn_delta);
 job_assumes(j, kevent_mod((uintptr_t)j, EVFILT_TIMER, EV_ADD|EV_ONESHOT, NOTE_SECONDS, respawn_delta, j) != -1);
 job_ignore(j);
 return;
 }
-
+
 if (likely(!j->legacy_mach_job)) {
- sipc = (!SLIST_EMPTY(&j->sockets) || !SLIST_EMPTY(&j->machservices));
+ sipc = ( !SLIST_EMPTY(&j->sockets) || !SLIST_EMPTY(&j->machservices) ) && !j->deny_job_creation;
 }
 if (sipc) {
 job_assumes(j, socketpair(AF_UNIX, SOCK_STREAM, 0, spair) != -1);
 }
-
+
 job_assumes(j, socketpair(AF_UNIX, SOCK_STREAM, 0, execspair) != -1);
-
+
 if (likely(!j->legacy_mach_job) && job_assumes(j, pipe(oepair) != -1)) {
 j->log_redirect_fd = _fd(oepair[0]);
 job_assumes(j, fcntl(j->log_redirect_fd, F_SETFL, O_NONBLOCK) != -1);
@@ -3584,7 +3584,7 @@
 job_assumes(j, runtime_close(execspair[0]) == 0);
 /* wait for our parent to say they've attached a kevent to us */
 read(_fd(execspair[1]), &c, sizeof(c));
-
+
 if (sipc) {
 job_assumes(j, runtime_close(spair[0]) == 0);
 snprintf(nbuf, sizeof(nbuf), "%d", spair[1]);
@@ -3594,9 +3594,9 @@
 break;
 default:
 j->start_time = runtime_get_opaque_time();
-
+
 job_log(j, LOG_DEBUG, "Started as PID: %u", c);
-
+
 j->checkedin = false;
 j->start_pending = false;
 j->reaped = false;
@@ -3617,7 +3617,7 @@
 runtime_add_ref();
 total_children++;
 LIST_INSERT_HEAD(&j->mgr->active_jobs[ACTIVE_JOB_HASH(c)], j, pid_hash_sle);
-
+
 if (likely(!j->legacy_mach_job)) {
 job_assumes(j, runtime_close(oepair[1]) != -1);
 }
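Review bot: The added `&& !j->deny_job_creation` on the `sipc` assignment does more than its name suggests and should carry a comment: when the flag is set the job gets no `spair` socket at all (the `if (sipc)` setup in this hunk and in the 3584 hunk is skipped), so it presumably loses every launchd IPC channel, not just the ability to submit jobs; if that is the intent, say so, e.g. `/* Jobs denied job creation get no launchd IPC socket at all, so they cannot reach the job-submission interface. */` above `if (likely(!j->legacy_mach_job))`. The padded parentheses in `( !SLIST_EMPTY(...) || ... )` also differ from the `(!SLIST_EMPTY(...) || ...)` form used on the removed line and elsewhere in this function. The enclosing function begins and ends outside this hunk.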
@@ -3638,7 +3638,7 @@
 } else {
 job_reap(j);
 }
-
+
 if (likely(!j->stall_before_exec)) {
 job_uncork_fork(j);
 }
@@ -6676,7 +6676,7 @@
 return BOOTSTRAP_NO_MEMORY;
 }
- if (unlikely(ldc->euid != 0 && ldc->euid != getuid())) {
+ if( unlikely(ldc->euid != 0 && ldc->euid != getuid()) || j->deny_job_creation ) {
 return BOOTSTRAP_NOT_PRIVILEGED;
 }
@@ -7221,6 +7221,10 @@
 return BOOTSTRAP_NO_MEMORY;
 }
+ if( j->deny_job_creation ) {
+ return BOOTSTRAP_NOT_PRIVILEGED;
+ }
+
 ipc_server_init();
 if (unlikely(!sockpath)) {
@@ -7329,6 +7333,11 @@
 struct ldcred *ldc = runtime_get_caller_creds();
 job_t jpu;
+#if TARGET_OS_EMBEDDED
+ /* There is no need for per-user launchd's on embedded. */
+ return BOOTSTRAP_NOT_PRIVILEGED;
+#endif
+
 if (!launchd_assumes(j != NULL)) {
 return BOOTSTRAP_NO_MEMORY;
 }
@@ -7839,7 +7848,7 @@
 kern_return_t kr = BOOTSTRAP_NOT_PRIVILEGED;
 mach_port_t _mp = MACH_PORT_NULL;
- if( ldc->euid == 0 || ldc->euid == geteuid() ) {
+ if( !j->deny_job_creation && (ldc->euid == 0 || ldc->euid == geteuid()) ) {
 job_t target_j = job_find(label);
 if( jobmgr_assumes(root_jobmgr, target_j != NULL) ) {
 if( target_j->j_port == MACH_PORT_NULL ) {
Modified: trunk/launchd/src/liblaunch.c
===================================================================
--- trunk/launchd/src/liblaunch.c 2009-03-17 22:24:19 UTC (rev 23862)
+++ trunk/launchd/src/liblaunch.c 2009-03-18 01:41:53 UTC (rev 23863)
@@ -190,12 +190,12 @@
 name_t spath;
 _lc = calloc(1, sizeof(struct _launch_client));
-
+
 if (!_lc) return;
-
+
 pthread_mutex_init(&_lc->mtx, NULL);
-
+
 if (_launchd_fd) {
 lfd = strtol(_launchd_fd, NULL, 10);
 if ((dfd = dup(lfd)) >= 0) {
@@ -248,7 +248,7 @@
 if (!(_lc->async_resp = launch_data_alloc(LAUNCH_DATA_ARRAY))) {
 goto out_bad;
 }
-
+
 return;
 out_bad:
 if (_lc->l)
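Review bot: The `j->deny_job_creation` policy is now written out inline at three separate sites — here in the 6676 hunk, in the 7221 hunk and in the 7839 hunk — each formatted differently (`if(` with padded parentheses against the file's `if (`, and here the `unlikely()` hint covers only the euid half of the condition). A single named predicate, e.g. a `static inline bool` helper along the lines of `job_may_create_jobs(j)`, would keep the policy in one place and make the 7839 form `!j->deny_job_creation && (...)` read the same as the other two; at minimum this line would be clearer as `if (j->deny_job_creation || unlikely(ldc->euid != 0 && ldc->euid != getuid())) {`. If other privilege refusals in this file are logged, consider a `job_log(j, LOG_WARNING, ...)` on the deny path as well, since a refusal caused by the flag is otherwise indistinguishable from an ordinary unprivileged caller when diagnosing a failing job. The enclosing functions of all three hunks start and end outside them.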
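Review bot: In the 7329 hunk the `#if TARGET_OS_EMBEDDED` early `return` sits after `ldc` and `jpu` are declared, so on embedded builds `runtime_get_caller_creds()` is still called for nothing and the entire remainder of the function is unreachable, which is likely to draw unused-variable and unreachable-code warnings for `ldc`, `jpu` and whatever follows. Either move the block above those declarations or, cleaner, make the whole body conditional so the function is a one-line stub on embedded: open with `#if TARGET_OS_EMBEDDED` and `return BOOTSTRAP_NOT_PRIVILEGED;`, put the existing body under `#else`, and close with `#endif`. The function's signature and the end of its body are outside this hunk.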