lib/policydb.cpp

   1 /*
   2  * Copyright (c) 2011 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23 #include "cs.h"
  24 #include "policydb.h"
  25 #include "policyengine.h"
  26 #include <Security/CodeSigning.h>
  27 #include <security_utilities/cfutilities.h>
  28 #include <security_utilities/cfmunge.h>
  29
  30 namespace Security {
  31 namespace CodeSigning {
  32
  33
  34 using namespace SQLite;
  35
  36
  37 //
  38 // The one and only PolicyDatabase object.
  39 // It auto-adapts to readonly vs. writable use.
  40 //
  41 ModuleNexus<PolicyDatabase> PolicyDatabase;
  42
  43
  44 //
  45 // Determine the database path
  46 //
  47 static const char *dbPath()
  48 {
  49         if (const char *s = getenv("SYSPOLICYDATABASE"))
  50                 return s;
  51         return defaultDatabase;
  52 }
  53
  54
  55 //
  56 // Help mapping API-ish CFString keys to more convenient internal enumerations
  57 //
  58 typedef struct {
  59         const CFStringRef &cstring;
  60         uint enumeration;
  61 } StringMap;
  62
  63 static uint mapEnum(CFDictionaryRef context, CFStringRef attr, const StringMap *map, uint value = 0)
  64 {
  65         if (context)
  66                 if (CFTypeRef value = CFDictionaryGetValue(context, attr))
  67                         for (const StringMap *mp = map; mp->cstring; ++mp)
  68                                 if (CFEqual(mp->cstring, value))
  69                                         return mp->enumeration;
  70         return value;
  71 }
  72
  73 static const StringMap mapType[] = {
  74         { kSecAssessmentOperationTypeExecute, kAuthorityExecute },
  75         { kSecAssessmentOperationTypeInstall, kAuthorityInstall },
  76         { kSecAssessmentOperationTypeOpenDocument, kAuthorityOpenDoc },
  77         { NULL }
  78 };
  79
  80 AuthorityType typeFor(CFDictionaryRef context, AuthorityType type /* = kAuthorityInvalid */)
  81 {
  82         return mapEnum(context, kSecAssessmentContextKeyOperation, mapType, type);
  83 }
  84
  85
  86 //
  87 // Open the database (creating it if necessary and possible).
  88 // Note that this isn't creating the schema; we do that on first write.
  89 //
  90 PolicyDatabase::PolicyDatabase(const char *path, int flags)
  91         : SQLite::Database(path ? path : dbPath(), flags)
  92 {
  93 }
  94
  95 PolicyDatabase::~PolicyDatabase()
  96 { /* virtual */ }
  97
  98
  99 //
 100 // Quick-check the cache for a match.
 101 // Return true on a cache hit, false on failure to confirm a hit for any reason.
 102 //
 103 bool PolicyDatabase::checkCache(CFURLRef path, AuthorityType type, CFMutableDictionaryRef result)
 104 {
 105         // we currently don't use the cache for anything but execution rules
 106         if (type != kAuthorityExecute)
 107                 return false;
 108
 109         CFRef<SecStaticCodeRef> code;
 110         MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref()));
 111         if (SecStaticCodeCheckValidity(code, kSecCSBasicValidateOnly, NULL) != noErr)
 112                 return false;   // quick pass - any error is a cache miss
 113         CFRef<CFDictionaryRef> info;
 114         MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
 115         CFDataRef cdHash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
 116
 117         // check the cache table for a fast match
 118         SQLite::Statement cached(*this, "SELECT object.allow, authority.label, authority FROM object, authority"
 119                 " WHERE object.authority = authority.id AND object.type = :type AND object.hash = :hash AND authority.disabled = 0"
 120                 " AND JULIANDAY('now') < object.expires;");
 121         cached.bind(":type").integer(type);
 122         cached.bind(":hash") = cdHash;
 123         if (cached.nextRow()) {
 124                 bool allow = int(cached[0]);
 125                 const char *label = cached[1];
 126                 SQLite::int64 auth = cached[2];
 127                 SYSPOLICY_ASSESS_CACHE_HIT();
 128
 129                 // If its allowed, lets do a full validation unless if
 130                 // we are overriding the assessement, since that force
 131                 // the verdict to 'pass' at the end
 132
 133                 if (allow && !overrideAssessment())
 134                     MacOSError::check(SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, NULL));
 135
 136                 cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow);
 137                 PolicyEngine::addAuthority(result, label, auth, kCFBooleanTrue);
 138                 return true;
 139         }
 140         return false;
 141 }
 142
 143
 144 //
 145 // Purge the object cache of all expired entries.
 146 // These are meant to run within the caller's transaction.
 147 //
 148 void PolicyDatabase::purgeAuthority()
 149 {
 150         SQLite::Statement cleaner(*this,
 151                 "DELETE FROM authority WHERE expires <= JULIANDAY('now');");
 152         cleaner.execute();
 153 }
 154
 155 void PolicyDatabase::purgeObjects()
 156 {
 157         SQLite::Statement cleaner(*this,
 158                 "DELETE FROM object WHERE expires <= JULIANDAY('now');");
 159         cleaner.execute();
 160 }
 161
 162 void PolicyDatabase::purgeObjects(double priority)
 163 {
 164         SQLite::Statement cleaner(*this,
 165                 "DELETE FROM object WHERE expires <= JULIANDAY('now') OR (SELECT priority FROM authority WHERE id = object.authority) <= :priority;");
 166         cleaner.bind(":priority") = priority;
 167         cleaner.execute();
 168 }
 169
 170
 171 //
 172 // Check the override-enable master flag
 173 //
 174 bool overrideAssessment()
 175 {
 176         if (::access(visibleSecurityFlagFile, F_OK) == 0) {
 177                 return false;
 178         } else if (errno == ENOENT) {
 179                 return true;
 180         } else
 181                 UnixError::throwMe();
 182 }
 183
 184
 185 } // end namespace CodeSigning
 186 } // end namespace Security