[launchd-changes] [23863] trunk/launchd/src

source_changes at macosforge.org source_changes at macosforge.org
Tue Mar 17 18:41:55 PDT 2009


Revision: 23863
          http://trac.macosforge.org/projects/launchd/changeset/23863
Author:   dsorresso at apple.com
Date:     2009-03-17 18:41:53 -0700 (Tue, 17 Mar 2009)
Log Message:
-----------
Embedded security fixes.

Modified Paths:
--------------
    trunk/launchd/src/launchd_core_logic.c
    trunk/launchd/src/liblaunch.c

Modified: trunk/launchd/src/launchd_core_logic.c
===================================================================
--- trunk/launchd/src/launchd_core_logic.c	2009-03-17 22:24:19 UTC (rev 23862)
+++ trunk/launchd/src/launchd_core_logic.c	2009-03-18 01:41:53 UTC (rev 23863)
@@ -3507,16 +3507,16 @@
 	pid_t c;
 	bool sipc = false;
 	u_int proc_fflags = NOTE_EXIT|NOTE_FORK|NOTE_EXEC|NOTE_REAP;
-
+	
 	if (!job_assumes(j, j->mgr != NULL)) {
 		return;
 	}
-
+	
 	if (unlikely(job_active(j))) {
 		job_log(j, LOG_DEBUG, "Already started");
 		return;
 	}
-
+	
 	/*
 	 * Some users adjust the wall-clock and then expect software to not notice.
 	 * Therefore, launchd must use an absolute clock instead of the wall clock
@@ -3524,31 +3524,31 @@
 	 */
 	td = runtime_get_nanoseconds_since(j->start_time);
 	td /= NSEC_PER_SEC;
-
+	
 	if (j->start_time && (td < j->min_run_time) && !j->legacy_mach_job && !j->inetcompat) {
 		time_t respawn_delta = j->min_run_time - (uint32_t)td;
-
+		
 		/*
 		 * We technically should ref-count throttled jobs to prevent idle exit,
 		 * but we're not directly tracking the 'throttled' state at the moment.
 		 */
-
+		
 		job_log(j, LOG_WARNING, "Throttling respawn: Will start in %ld seconds", respawn_delta);
 		job_assumes(j, kevent_mod((uintptr_t)j, EVFILT_TIMER, EV_ADD|EV_ONESHOT, NOTE_SECONDS, respawn_delta, j) != -1);
 		job_ignore(j);
 		return;
 	}
-
+	
 	if (likely(!j->legacy_mach_job)) {
-		sipc = (!SLIST_EMPTY(&j->sockets) || !SLIST_EMPTY(&j->machservices));
+		sipc = ( !SLIST_EMPTY(&j->sockets) || !SLIST_EMPTY(&j->machservices) ) && !j->deny_job_creation;
 	}
 
 	if (sipc) {
 		job_assumes(j, socketpair(AF_UNIX, SOCK_STREAM, 0, spair) != -1);
 	}
-
+	
 	job_assumes(j, socketpair(AF_UNIX, SOCK_STREAM, 0, execspair) != -1);
-
+	
 	if (likely(!j->legacy_mach_job) && job_assumes(j, pipe(oepair) != -1)) {
 		j->log_redirect_fd = _fd(oepair[0]);
 		job_assumes(j, fcntl(j->log_redirect_fd, F_SETFL, O_NONBLOCK) != -1);
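Review bot: The new `&& !j->deny_job_creation` on the sipc assignment means a job that declares Sockets or MachServices but carries deny_job_creation no longer gets the spair socketpair, so the trusted-fd handoff in the @@ -3584 hunk (`snprintf(nbuf, sizeof(nbuf), "%d", spair[1]);`) is skipped for it too; if such a job still has to check in to receive its descriptors, it will have to reach launchd by another route, which is worth confirming and stating on the line, e.g. `/* Jobs forbidden from creating jobs get no trusted IPC socketpair to launchd. */`. The padded form `( !SLIST_EMPTY(...) || ... )` also departs from the `(a || b)` style of the line it replaces and of the surrounding `if (` statements. Separately, the blank-line edits in this hunk and in the whitespace-only hunks of both files replace empty lines with a lone tab, adding trailing whitespace that looks like editor noise and could be dropped from the commit. The enclosing function (presumably job_start) begins and ends outside this hunk.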
@@ -3584,7 +3584,7 @@
 		job_assumes(j, runtime_close(execspair[0]) == 0);
 		/* wait for our parent to say they've attached a kevent to us */
 		read(_fd(execspair[1]), &c, sizeof(c));
-
+		
 		if (sipc) {
 			job_assumes(j, runtime_close(spair[0]) == 0);
 			snprintf(nbuf, sizeof(nbuf), "%d", spair[1]);
@@ -3594,9 +3594,9 @@
 		break;
 	default:
 		j->start_time = runtime_get_opaque_time();
-
+		
 		job_log(j, LOG_DEBUG, "Started as PID: %u", c);
-
+		
 		j->checkedin = false;
 		j->start_pending = false;
 		j->reaped = false;
@@ -3617,7 +3617,7 @@
 		runtime_add_ref();
 		total_children++;
 		LIST_INSERT_HEAD(&j->mgr->active_jobs[ACTIVE_JOB_HASH(c)], j, pid_hash_sle);
-
+		
 		if (likely(!j->legacy_mach_job)) {
 			job_assumes(j, runtime_close(oepair[1]) != -1);
 		}
@@ -3638,7 +3638,7 @@
 		} else {
 			job_reap(j);
 		}
-
+		
 		if (likely(!j->stall_before_exec)) {
 			job_uncork_fork(j);
 		}
@@ -6676,7 +6676,7 @@
 		return BOOTSTRAP_NO_MEMORY;
 	}
 
-	if (unlikely(ldc->euid != 0 && ldc->euid != getuid())) {
+	if( unlikely(ldc->euid != 0 && ldc->euid != getuid()) || j->deny_job_creation ) {
 		return BOOTSTRAP_NOT_PRIVILEGED;
 	}
 
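Review bot: The added `|| j->deny_job_creation` is written as `if( ... )` with padding inside the parentheses, while the replaced line and the rest of the file use `if (unlikely(...))`; the new checks in the @@ -7221 and @@ -7839 hunks follow the same padded style. Keeping the file's form and the branch hint, `if (unlikely((ldc->euid != 0 && ldc->euid != getuid()) || j->deny_job_creation)) {`, reads consistently with its neighbours. A refusal on this path returns BOOTSTRAP_NOT_PRIVILEGED with no log, so a per-job lockdown denial is indistinguishable from a plain uid mismatch when debugging; assuming j has already been validated (the preceding NO_MEMORY return suggests so), a `job_log(j, LOG_DEBUG, "Job creation denied by policy");` before the return would make the new policy visible. The enclosing MIG handler starts outside this hunk.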
@@ -7221,6 +7221,10 @@
 		return BOOTSTRAP_NO_MEMORY;
 	}
 
+	if( j->deny_job_creation ) {
+		return BOOTSTRAP_NOT_PRIVILEGED;
+	}
+
 	ipc_server_init();
 
 	if (unlikely(!sockpath)) {
@@ -7329,6 +7333,11 @@
 	struct ldcred *ldc = runtime_get_caller_creds();
 	job_t jpu;
 	
+#if TARGET_OS_EMBEDDED
+	/* There is no need for per-user launchd's on embedded. */
+	return BOOTSTRAP_NOT_PRIVILEGED;
+#endif
+	
 	if (!launchd_assumes(j != NULL)) {
 		return BOOTSTRAP_NO_MEMORY;
 	}
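Review bot: The unconditional `return BOOTSTRAP_NOT_PRIVILEGED;` under TARGET_OS_EMBEDDED makes everything after it unreachable on that target, and `jpu`, declared two lines above the guard, is then never used, which -Wunused-variable will report (and `ldc`, assigned from `runtime_get_caller_creds()` but never read, may trip set-but-unused warnings on newer compilers); if embedded builds use -Werror this will not compile. Wrapping the declarations and the rest of the body in the `#else` branch of this `#if`, or placing the guard before the two declarations and marking them unused there, avoids the dead code and the warnings. The enclosing handler starts outside this hunk, so the body that becomes dead is not visible here.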
@@ -7839,7 +7848,7 @@
 	kern_return_t kr = BOOTSTRAP_NOT_PRIVILEGED;
 	
 	mach_port_t _mp = MACH_PORT_NULL;
-	if( ldc->euid == 0 || ldc->euid == geteuid() ) {
+	if( !j->deny_job_creation && (ldc->euid == 0 || ldc->euid == geteuid()) ) {
 		job_t target_j = job_find(label);
 		if( jobmgr_assumes(root_jobmgr, target_j != NULL) ) {
 			if( target_j->j_port == MACH_PORT_NULL ) {

Modified: trunk/launchd/src/liblaunch.c
===================================================================
--- trunk/launchd/src/liblaunch.c	2009-03-17 22:24:19 UTC (rev 23862)
+++ trunk/launchd/src/liblaunch.c	2009-03-18 01:41:53 UTC (rev 23863)
@@ -190,12 +190,12 @@
 	name_t spath;
 	
 	_lc = calloc(1, sizeof(struct _launch_client));
-
+	
 	if (!_lc)
 		return;
-
+	
 	pthread_mutex_init(&_lc->mtx, NULL);
-
+	
 	if (_launchd_fd) {
 		lfd = strtol(_launchd_fd, NULL, 10);
 		if ((dfd = dup(lfd)) >= 0) {
@@ -248,7 +248,7 @@
 	if (!(_lc->async_resp = launch_data_alloc(LAUNCH_DATA_ARRAY))) {
 		goto out_bad;
 	}
-
+	
 	return;
 out_bad:
 	if (_lc->l)

