source/Host/macosx/launcherXPCService/LauncherRootXPCService.mm - lldb - Git at Google

 #include <AvailabilityMacros.h>

 #if !defined(MAC_OS_X_VERSION_10_7) || MAC_OS_X_VERSION_MAX_ALLOWED < MAC_OS_X_VERSION_10_7
 #define BUILDING_ON_SNOW_LEOPARD 1
 #endif

 #if !BUILDING_ON_SNOW_LEOPARD
 #define __XPC_PRIVATE_H__
 #include <xpc/xpc.h>
 #include <Security/Security.h>
 #include "LauncherXPCService.h"

 // Returns 0 if successful.
 int _validate_authorization(xpc_object_t message)
 {
 	size_t data_length = 0ul;
 	const char *data_bytes = (const char *)xpc_dictionary_get_data(message, LauncherXPCServiceAuthKey, &data_length);

 	AuthorizationExternalForm extAuth;
     if (data_length < sizeof(extAuth.bytes))
         return 1;

 	memcpy(extAuth.bytes, data_bytes, sizeof(extAuth.bytes));
     AuthorizationRef authRef;
 	if (AuthorizationCreateFromExternalForm(&extAuth, &authRef) != errAuthorizationSuccess)
         return 2;

     AuthorizationItem item1 = { LaunchUsingXPCRightName, 0, NULL, 0 };
     AuthorizationItem items[] = {item1};
     AuthorizationRights requestedRights = {1, items };
     AuthorizationRights *outAuthorizedRights = NULL;
 	OSStatus status = AuthorizationCopyRights(authRef, &requestedRights, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &outAuthorizedRights);

 	// Given a set of rights, return the subset that is currently authorized by the AuthorizationRef given; count(subset) > 0  -> success.
 	bool auth_success = (status == errAuthorizationSuccess && outAuthorizedRights && outAuthorizedRights->count > 0) ? true : false;
 	if (outAuthorizedRights) AuthorizationFreeItemSet(outAuthorizedRights);
     if (!auth_success)
         return 3;

     // On Lion, because the rights initially doesn't exist in /etc/authorization, if an admin user logs in and uses lldb within the first 5 minutes,
     // it is possible to do AuthorizationCopyRights on LaunchUsingXPCRightName and get the rights back.
     // As another security measure, we make sure that the LaunchUsingXPCRightName rights actually exists.
     status = AuthorizationRightGet(LaunchUsingXPCRightName, NULL);
     if (status == errAuthorizationSuccess)
         return 0;
     else
         return 4;
 }

 #endif
	#include <AvailabilityMacros.h>

	#if !defined(MAC_OS_X_VERSION_10_7) \|\| MAC_OS_X_VERSION_MAX_ALLOWED < MAC_OS_X_VERSION_10_7
	#define BUILDING_ON_SNOW_LEOPARD 1
	#endif

	#if !BUILDING_ON_SNOW_LEOPARD
	#define __XPC_PRIVATE_H__
	#include <xpc/xpc.h>
	#include <Security/Security.h>
	#include "LauncherXPCService.h"

	// Returns 0 if successful.
	int _validate_authorization(xpc_object_t message)
	{
	size_t data_length = 0ul;
	const char data_bytes = (const char )xpc_dictionary_get_data(message, LauncherXPCServiceAuthKey, &data_length);

	AuthorizationExternalForm extAuth;
	if (data_length < sizeof(extAuth.bytes))
	return 1;

	memcpy(extAuth.bytes, data_bytes, sizeof(extAuth.bytes));
	AuthorizationRef authRef;
	if (AuthorizationCreateFromExternalForm(&extAuth, &authRef) != errAuthorizationSuccess)
	return 2;

	AuthorizationItem item1 = { LaunchUsingXPCRightName, 0, NULL, 0 };
	AuthorizationItem items[] = {item1};
	AuthorizationRights requestedRights = {1, items };
	AuthorizationRights *outAuthorizedRights = NULL;
	OSStatus status = AuthorizationCopyRights(authRef, &requestedRights, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults, &outAuthorizedRights);

	// Given a set of rights, return the subset that is currently authorized by the AuthorizationRef given; count(subset) > 0 -> success.
	bool auth_success = (status == errAuthorizationSuccess && outAuthorizedRights && outAuthorizedRights->count > 0) ? true : false;
	if (outAuthorizedRights) AuthorizationFreeItemSet(outAuthorizedRights);
	if (!auth_success)
	return 3;

	// On Lion, because the rights initially doesn't exist in /etc/authorization, if an admin user logs in and uses lldb within the first 5 minutes,
	// it is possible to do AuthorizationCopyRights on LaunchUsingXPCRightName and get the rights back.
	// As another security measure, we make sure that the LaunchUsingXPCRightName rights actually exists.
	status = AuthorizationRightGet(LaunchUsingXPCRightName, NULL);
	if (status == errAuthorizationSuccess)
	return 0;
	else
	return 4;
	}

	#endif