1 --
2 -- Copyright (c) 2011 Apple Inc. All Rights Reserved.
3 --
4 -- @APPLE_LICENSE_HEADER_START@
5 --
6 -- This file contains Original Code and/or Modifications of Original Code
7 -- as defined in and that are subject to the Apple Public Source License
8 -- Version 2.0 (the 'License'). You may not use this file except in
9 -- compliance with the License. Please obtain a copy of the License at
10 -- http://www.opensource.apple.com/apsl/ and read it before using this
11 -- file.
12 --
13 -- The Original Code and all software distributed under the License are
14 -- distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 -- EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 -- INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 -- FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 -- Please see the License for the specific language governing rights and
19 -- limitations under the License.
20 --
21 -- @APPLE_LICENSE_HEADER_END@
22 --
23 --
24 -- System Policy master database - file format and initial contents
25 --
26 -- This is currently for sqlite3
27 --
-- Enforce the REFERENCES clauses declared below. SQLite keeps this
-- setting per connection rather than in the database file, so every
-- connection that writes these tables must enable it as well.
PRAGMA foreign_keys = ON;
29
30
31
--
-- The primary authority. This table is conceptually scanned
-- in priority order, with the highest-priority matching record
-- determining the outcome.
--
-- Each row is one trust rule: `requirement` is a code-signing
-- requirement expression and `allow` is the outcome applied to
-- objects matching it. Initial rows are seeded by the INSERT
-- statements that follow this definition.
--
CREATE TABLE authority (
    id              INTEGER PRIMARY KEY,             -- rule identifier; object.authority points here
    type            INTEGER NOT NULL,                -- kind of operation governed (seed rows use 1 and 2)
    requirement     TEXT    NOT NULL,                -- matching expression, e.g. 'anchor apple'
    allow           INTEGER NOT NULL,                -- outcome for matching objects (every seed row sets 1)
    expires         INTEGER NULL,                    -- NOTE(review): presumably an expiry time; NULL appears to mean none -- confirm against the reader
    priority        REAL    NOT NULL DEFAULT 0,      -- higher wins; seed rows use the default 0 and -1
    label           TEXT    NULL,                    -- human-readable name of the rule
    inhibit_cache   INTEGER NULL,                    -- NOTE(review): presumably suppresses caching of this rule's outcome in `object` -- confirm
    flags           INTEGER NOT NULL DEFAULT 0,      -- bit flags; meanings are not defined in this file
    -- following fields are for documentation only
    remarks         TEXT    NULL
);
50
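-- Seed rules. Every row grants (allow = 1) and none sets an expiry.
-- The requirement strings use the code-signing requirement language;
-- the bracketed dotted values appear to be certificate field OIDs and
-- are not decoded here.

-- any Apple-signed installers of any kind
-- priority -1 sorts below the default (0), so the more specific
-- type-2 rule further down takes precedence when both match.
INSERT INTO authority (type, allow, priority, label, requirement)
VALUES (2, 1, -1, 'Apple Installer', 'anchor apple generic');

-- Apple code signing
INSERT INTO authority (type, allow, label, requirement)
VALUES (1, 1, 'Apple', 'anchor apple');

-- Mac App Store signing
INSERT INTO authority (type, allow, label, requirement)
VALUES (1, 1, 'Mac App Store', 'anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] exists');

-- Developer Seed signing (type 1) and installers (type 2); the two rows
-- differ only in type and in the leaf certificate field they require
INSERT INTO authority (type, allow, label, requirement)
VALUES (1, 1, 'Developer Seed', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists');
INSERT INTO authority (type, allow, label, requirement)
VALUES (2, 1, 'Developer Seed', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.14] exists');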
67
68
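--
-- The cache table lists previously determined outcomes
-- for individual objects (by object hash). Entries come from
-- full evaluations of authority records, or by explicitly inserting
-- override rules that preempt the normal authority.
--
-- Because a row here preempts the authority scan, a stale or tampered
-- cache entry carries the same weight as an authority rule; the UNIQUE
-- hash and the foreign key are the only integrity checks this schema
-- provides for it.
--
CREATE TABLE object (
    id          INTEGER PRIMARY KEY,
    type        INTEGER NOT NULL,                        -- presumably the same domain as authority.type -- confirm
    -- CDHASH is not a SQLite storage class. Under SQLite's affinity rules a
    -- declared type containing none of INT/CHAR/CLOB/TEXT/BLOB/REAL/FLOA/DOUB
    -- gets NUMERIC affinity: BLOB values are stored unchanged, but a
    -- numeric-looking TEXT value would be coerced. NOTE(review): confirm the
    -- writer binds the hash as a BLOB.
    hash        CDHASH  NOT NULL UNIQUE,                 -- one cached outcome per object
    allow       INTEGER NOT NULL,                        -- cached outcome
    expires     INTEGER NULL,                            -- NOTE(review): presumably an expiry time; NULL appears to mean none -- confirm
    label       TEXT    NULL,
    -- Rule that produced this entry; presumably NULL for rows inserted as
    -- overrides (see header comment). With foreign_keys enabled, SQLite's
    -- default NO ACTION refuses to delete an authority row still referenced
    -- here, so cache rows must be cleared before their rule is removed.
    authority   INTEGER NULL REFERENCES authority(id),
    -- following fields are for documentation only
    path        TEXT    NULL,
    created     INTEGER NOT NULL DEFAULT (strftime('%s','now')),  -- Unix time (seconds) at insert
    remarks     TEXT    NULL
);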