[apple/security.git] / OSX / libsecurity_codesigning / lib / policydb.cpp

/*
 * Copyright (c) 2011-2013 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */
#include "cs.h"
#include "policydb.h"
#include "policyengine.h"
#include <Security/CodeSigning.h>
#include <security_utilities/cfutilities.h>
#include <security_utilities/cfmunge.h>
#include <security_utilities/blob.h>
#include <security_utilities/logging.h>
#include <security_utilities/simpleprefs.h>
#include <security_utilities/logging.h>
#include "csdatabase.h"

#include <dispatch/dispatch.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <notify.h>

namespace Security {
namespace CodeSigning {


using namespace SQLite;


//
// Determine the database path
//
static const char *dbPath()
{
	if (const char *s = getenv("SYSPOLICYDATABASE"))
		return s;
	return defaultDatabase;
}


//
// Help mapping API-ish CFString keys to more convenient internal enumerations
//
typedef struct {
	const CFStringRef &cstring;
	uint enumeration;
} StringMap;

static uint mapEnum(CFDictionaryRef context, CFStringRef attr, const StringMap *map, uint value = 0)
{
	if (context)
		if (CFTypeRef value = CFDictionaryGetValue(context, attr))
			for (const StringMap *mp = map; mp->cstring; ++mp)
				if (CFEqual(mp->cstring, value))
					return mp->enumeration;
	return value;
}

static const StringMap mapType[] = {
	{ kSecAssessmentOperationTypeExecute, kAuthorityExecute },
	{ kSecAssessmentOperationTypeInstall, kAuthorityInstall },
	{ kSecAssessmentOperationTypeOpenDocument, kAuthorityOpenDoc },
	{ NULL }
};

AuthorityType typeFor(CFDictionaryRef context, AuthorityType type /* = kAuthorityInvalid */)
{
	return mapEnum(context, kSecAssessmentContextKeyOperation, mapType, type);
}

CFStringRef typeNameFor(AuthorityType type)
{
	for (const StringMap *mp = mapType; mp->cstring; ++mp)
		if (type == mp->enumeration)
			return mp->cstring;
	return CFStringCreateWithFormat(NULL, NULL, CFSTR("type %d"), type);
}


//
// Open the database
//
PolicyDatabase::PolicyDatabase(const char *path, int flags)
	: SQLite::Database(path ? path : dbPath(), flags),
	  mLastExplicitCheck(0)
{
	// sqlite3 doesn't do foreign key support by default, have to turn this on per connection
	SQLite::Statement foreign(*this, "PRAGMA foreign_keys = true");
	foreign.execute();
	
	// Try upgrade processing if we may be open for write.
	// Ignore any errors (we may have been downgraded to read-only)
	// and try again later.
	if (openFlags() & SQLITE_OPEN_READWRITE)
		try {
			upgradeDatabase();
			installExplicitSet(gkeAuthFile, gkeSigsFile);
		} catch(...) {
		}
}

PolicyDatabase::~PolicyDatabase()
{ /* virtual */ }


//
// Quick-check the cache for a match.
// Return true on a cache hit, false on failure to confirm a hit for any reason.
//
bool PolicyDatabase::checkCache(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFMutableDictionaryRef result)
{
	// we currently don't use the cache for anything but execution rules
	if (type != kAuthorityExecute)
		return false;
	
	CFRef<SecStaticCodeRef> code;
	MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref()));
	if (SecStaticCodeCheckValidity(code, kSecCSBasicValidateOnly, NULL) != errSecSuccess)
		return false;	// quick pass - any error is a cache miss
	CFRef<CFDictionaryRef> info;
	MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
	CFDataRef cdHash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
	
	// check the cache table for a fast match
	SQLite::Statement cached(*this, "SELECT object.allow, authority.label, authority FROM object, authority"
		" WHERE object.authority = authority.id AND object.type = :type AND object.hash = :hash AND authority.disabled = 0"
		" AND JULIANDAY('now') < object.expires;");
	cached.bind(":type").integer(type);
	cached.bind(":hash") = cdHash;
	if (cached.nextRow()) {
		bool allow = int(cached[0]);
		const char *label = cached[1];
		SQLite::int64 auth = cached[2];
		SYSPOLICY_ASSESS_CACHE_HIT();

		// If its allowed, lets do a full validation unless if
		// we are overriding the assessement, since that force
		// the verdict to 'pass' at the end

		if (allow && !overrideAssessment(flags))
		    MacOSError::check(SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, NULL));

		cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow);
		PolicyEngine::addAuthority(flags, result, label, auth, kCFBooleanTrue);
		return true;
	}
	return false;
}


//
// Purge the object cache of all expired entries.
// These are meant to run within the caller's transaction.
//
void PolicyDatabase::purgeAuthority()
{
	SQLite::Statement cleaner(*this,
		"DELETE FROM authority WHERE expires <= JULIANDAY('now');");
	cleaner.execute();
}

void PolicyDatabase::purgeObjects()
{
	SQLite::Statement cleaner(*this,
		"DELETE FROM object WHERE expires <= JULIANDAY('now');");
	cleaner.execute();
}

void PolicyDatabase::purgeObjects(double priority)
{
	SQLite::Statement cleaner(*this,
		"DELETE FROM object WHERE expires <= JULIANDAY('now') OR (SELECT priority FROM authority WHERE id = object.authority) <= :priority;");
	cleaner.bind(":priority") = priority;
	cleaner.execute();
}

    
//
// Database migration
//
std::string PolicyDatabase::featureLevel(const char *name)
{
	SQLite::Statement feature(*this, "SELECT value FROM feature WHERE name=:name");
	feature.bind(":name") = name;
	if (feature.nextRow()) {
		if (const char *value = feature[0])
			return value;
		else
			return "default";	// old engineering versions may have NULL values; tolerate this
	}
	return "";		// new feature (no level)
}

void PolicyDatabase::addFeature(const char *name, const char *value, const char *remarks)
{
	SQLite::Statement feature(*this, "INSERT OR REPLACE INTO feature (name,value,remarks) VALUES(:name, :value, :remarks)");
	feature.bind(":name") = name;
	feature.bind(":value") = value;
	feature.bind(":remarks") = remarks;
	feature.execute();
}

void PolicyDatabase::simpleFeature(const char *feature, void (^perform)())
{
	if (!hasFeature(feature)) {
		SQLite::Transaction update(*this);
		perform();
		addFeature(feature, "upgraded", "upgraded");
		update.commit();
	}
}

void PolicyDatabase::simpleFeature(const char *feature, const char *sql)
{
	simpleFeature(feature, ^{
		SQLite::Statement perform(*this, sql);
		perform.execute();
	});
}


void PolicyDatabase::upgradeDatabase()
{
	simpleFeature("bookmarkhints",
		"CREATE TABLE bookmarkhints ("
			"  id INTEGER PRIMARY KEY AUTOINCREMENT, "
			"  bookmark BLOB,"
			"  authority INTEGER NOT NULL"
			"     REFERENCES authority(id) ON DELETE CASCADE"
			")");

	simpleFeature("codesignedpackages", ^{
		SQLite::Statement update(*this,
			"UPDATE authority"
			" SET requirement = 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and "
				"(certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])'"
			" WHERE type = 2 and label = 'Developer ID' and flags & :flag");
		update.bind(":flag") = kAuthorityFlagDefault;
		update.execute();
	});
	
	simpleFeature("filter_unsigned",
		"ALTER TABLE authority ADD COLUMN filter_unsigned TEXT NULL"
		);
	
	simpleFeature("strict_apple_installer", ^{
		SQLite::Statement update(*this,
			"UPDATE authority"
			" SET requirement = 'anchor apple generic and certificate 1[subject.CN] = \"Apple Software Update Certification Authority\"'"
			" WHERE flags & :flag AND label = 'Apple Installer'");
		update.bind(":flag") = kAuthorityFlagDefault;
		update.execute();
		SQLite::Statement add(*this,
			"INSERT INTO authority (type, label, flags, requirement)"
			" VALUES (2, 'Mac App Store', :flags, 'anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.10] exists')");
		add.bind(":flags") = kAuthorityFlagDefault;
		add.execute();
	});
	
	simpleFeature("document rules", ^{
		SQLite::Statement addApple(*this,
			"INSERT INTO authority (type, allow, flags, label, requirement) VALUES (3, 1, 2, 'Apple System', 'anchor apple')");
		addApple.execute();
		SQLite::Statement addDevID(*this,
			"INSERT INTO authority (type, allow, flags, label, requirement)	VALUES (3, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists')");
		addDevID.execute();
	});
    
    simpleFeature("root_only", ^{
        UnixError::check(::chmod(dbPath(), S_IRUSR | S_IWUSR));
    });
}


//
// Install Gatekeeper override (GKE) data.
// The arguments are paths to the authority and signature files.
//
void PolicyDatabase::installExplicitSet(const char *authfile, const char *sigfile)
{
	// only try this every gkeCheckInterval seconds
	time_t now = time(NULL);
	if (mLastExplicitCheck + gkeCheckInterval > now)
		return;
	mLastExplicitCheck = now;

	try {
		if (CFRef<CFDataRef> authData = cfLoadFile(authfile)) {
			CFDictionary auth(CFRef<CFDictionaryRef>(makeCFDictionaryFrom(authData)), errSecCSDbCorrupt);
			CFDictionaryRef content = auth.get<CFDictionaryRef>(CFSTR("authority"));
			std::string authUUID = cfString(auth.get<CFStringRef>(CFSTR("uuid")));
			if (authUUID.empty()) {
				secinfo("gkupgrade", "no uuid in auth file; ignoring gke.auth");
				return;
			}
			std::string dbUUID;
			SQLite::Statement uuidQuery(*this, "SELECT value FROM feature WHERE name='gke'");
			if (uuidQuery.nextRow())
				dbUUID = (const char *)uuidQuery[0];
			if (dbUUID == authUUID) {
				secinfo("gkupgrade", "gke.auth already present, ignoring");
				return;
			}
			Syslog::notice("loading GKE %s (replacing %s)", authUUID.c_str(), dbUUID.empty() ? "nothing" : dbUUID.c_str());

			// first, load code signatures. This is pretty much idempotent
			if (sigfile)
				if (FILE *sigs = fopen(sigfile, "r")) {
					unsigned count = 0;
				    SignatureDatabaseWriter db;
					while (const BlobCore *blob = BlobCore::readBlob(sigs)) {
						db.storeCode(blob, "<remote>");
						count++;
					}
					secinfo("gkupgrade", "%d detached signature(s) loaded from override data", count);
					fclose(sigs);
				}
			
			// start transaction (atomic from here on out)
			SQLite::Transaction loadAuth(*this, SQLite::Transaction::exclusive, "GKE_Upgrade");
			
			// purge prior authority data
			SQLite::Statement purge(*this, "DELETE FROM authority WHERE flags & :flag");
			purge.bind(":flag") = kAuthorityFlagWhitelist;
			purge();
			
			// load new data
			CFIndex count = CFDictionaryGetCount(content);
			CFStringRef keys[count];
			CFDictionaryRef values[count];
			CFDictionaryGetKeysAndValues(content, (const void **)keys, (const void **)values);
			
			SQLite::Statement insert(*this, "INSERT INTO authority (type, allow, requirement, label, filter_unsigned, flags, remarks)"
				" VALUES (:type, 1, :requirement, 'GKE', :filter, :flags, :path)");
			for (CFIndex n = 0; n < count; n++) {
				CFDictionary info(values[n], errSecCSDbCorrupt);
				uint32_t flags = kAuthorityFlagWhitelist;
				if (CFNumberRef versionRef = info.get<CFNumberRef>("version")) {
					int version = cfNumber<int>(versionRef);
					if (version >= 2) {
						flags |= kAuthorityFlagWhitelistV2;
						if (version >= 3) {
							flags |= kAuthorityFlagWhitelistSHA256;
						}
					}
				}
				insert.reset();
				insert.bind(":type") = cfString(info.get<CFStringRef>(CFSTR("type")));
				insert.bind(":path") = cfString(info.get<CFStringRef>(CFSTR("path")));
				insert.bind(":requirement") = "cdhash H\"" + cfString(info.get<CFStringRef>(CFSTR("cdhash"))) + "\"";
				insert.bind(":filter") = cfString(info.get<CFStringRef>(CFSTR("screen")));
				insert.bind(":flags").integer(flags);
				insert();
			}
			
			// we just changed the authority configuration at priority zero
			this->purgeObjects(0);
			
			// update version and commit
			addFeature("gke", authUUID.c_str(), "gke loaded");
			loadAuth.commit();
            /* now that we have moved to a bundle for gke files, delete any old style files we find
               This is really just a best effort cleanup, so we don't care about errors. */
            if (access(gkeAuthFile_old, F_OK) == 0)
            {
                if (unlink(gkeAuthFile_old) == 0)
                {
                    Syslog::notice("Deleted old style gke file (%s)", gkeAuthFile_old);
                }
            }
            if (access(gkeSigsFile_old, F_OK) == 0)
            {
                if (unlink(gkeSigsFile_old) == 0)
                {
                    Syslog::notice("Deleted old style gke file (%s)", gkeSigsFile_old);
                }
            }
		}
	} catch (...) {
		secinfo("gkupgrade", "exception during GKE upgrade");
	}
}


//
// Check the override-enable master flag
//
#define SP_ENABLE_KEY CFSTR("enabled")
#define SP_ENABLED CFSTR("yes")
#define SP_DISABLED CFSTR("no")

bool overrideAssessment(SecAssessmentFlags flags /* = 0 */)
{
	static bool enabled = true;
	static dispatch_once_t once;
	static int token = -1;
	static int have_token = 0;
	static dispatch_queue_t queue;
	int check;

	if (flags & kSecAssessmentFlagEnforce)	// explicitly disregard disables (force on)
		return false;

	if (have_token && notify_check(token, &check) == NOTIFY_STATUS_OK && !check)
		return !enabled;

	dispatch_once(&once, ^{
		if (notify_register_check(kNotifySecAssessmentMasterSwitch, &token) == NOTIFY_STATUS_OK)
			have_token = 1;
		queue = dispatch_queue_create("com.apple.SecAssessment.assessment", NULL);
             });

	dispatch_sync(queue, ^{
		/* upgrade configuration from emir, ignore all error since we might not be able to write to */
		if (::access(visibleSecurityFlagFile, F_OK) == 0) {
			try {
				setAssessment(true);
				::unlink(visibleSecurityFlagFile);
			} catch (...) {
			}
			enabled = true;
			return;
		}

		try {
			Dictionary * prefsDict = Dictionary::CreateDictionary(prefsFile);
			if (prefsDict == NULL)
				return;
			
			CFStringRef value = prefsDict->getStringValue(SP_ENABLE_KEY);
			if (value && CFStringCompare(value, SP_DISABLED, 0) == 0)
				enabled = false;
			else
				enabled = true;
			delete prefsDict;
		} catch(...) {
		}
	});

	return !enabled;
}

void setAssessment(bool masterSwitch)
{
	MutableDictionary *prefsDict = MutableDictionary::CreateMutableDictionary(prefsFile);
	if (prefsDict == NULL)
		prefsDict = new MutableDictionary::MutableDictionary();
	prefsDict->setValue(SP_ENABLE_KEY, masterSwitch ? SP_ENABLED : SP_DISABLED);
	prefsDict->writePlistToFile(prefsFile);
	delete prefsDict;

	/* make sure permissions is right */
	::chmod(prefsFile, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);

	notify_post(kNotifySecAssessmentMasterSwitch);

	/* reset the automatic rearm timer */
	resetRearmTimer("masterswitch");
}


//
// Reset or query the automatic rearm timer
//
void resetRearmTimer(const char *event)
{
	CFRef<CFDateRef> now = CFDateCreate(NULL, CFAbsoluteTimeGetCurrent());
	CFTemp<CFDictionaryRef> info("{event=%s, timestamp=%O}", event, now.get());
	CFRef<CFDataRef> infoData = makeCFData(info.get());
	UnixPlusPlus::AutoFileDesc fd(rearmTimerFile, O_WRONLY | O_CREAT | O_TRUNC, 0644);
	fd.write(CFDataGetBytePtr(infoData), CFDataGetLength(infoData));
}

bool queryRearmTimer(CFTimeInterval &delta)
{
	if (CFRef<CFDataRef> infoData = cfLoadFile(rearmTimerFile)) {
		if (CFRef<CFDictionaryRef> info = makeCFDictionaryFrom(infoData)) {
			CFDateRef timestamp = (CFDateRef)CFDictionaryGetValue(info, CFSTR("timestamp"));
			if (timestamp && CFGetTypeID(timestamp) == CFDateGetTypeID()) {
				delta = CFAbsoluteTimeGetCurrent() - CFDateGetAbsoluteTime(timestamp);
				return true;
			}
		}
		MacOSError::throwMe(errSecCSDbCorrupt);
	}
	return false;
}


} // end namespace CodeSigning
} // end namespace Security
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2011-2013 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23	#include "cs.h"
	24	#include "policydb.h"
	25	#include "policyengine.h"
	26	#include <Security/CodeSigning.h>
	27	#include <security_utilities/cfutilities.h>
	28	#include <security_utilities/cfmunge.h>
	29	#include <security_utilities/blob.h>
	30	#include <security_utilities/logging.h>
	31	#include <security_utilities/simpleprefs.h>
	32	#include <security_utilities/logging.h>
	33	#include "csdatabase.h"
	34
	35	#include <dispatch/dispatch.h>
	36	#include <sys/types.h>
	37	#include <sys/stat.h>
	38	#include <notify.h>
	39
	40	namespace Security {
	41	namespace CodeSigning {
	42
	43
	44	using namespace SQLite;
	45
	46
	47	//
	48	// Determine the database path
	49	//
	50	static const char *dbPath()
	51	{
	52	if (const char *s = getenv("SYSPOLICYDATABASE"))
	53	return s;
	54	return defaultDatabase;
	55	}
	56
	57
	58	//
	59	// Help mapping API-ish CFString keys to more convenient internal enumerations
	60	//
	61	typedef struct {
	62	const CFStringRef &cstring;
	63	uint enumeration;
	64	} StringMap;
	65
	66	static uint mapEnum(CFDictionaryRef context, CFStringRef attr, const StringMap *map, uint value = 0)
67	{
68	if (context)
69	if (CFTypeRef value = CFDictionaryGetValue(context, attr))
70	for (const StringMap *mp = map; mp->cstring; ++mp)
71	if (CFEqual(mp->cstring, value))
72	return mp->enumeration;
73	return value;
74	}
75
76	static const StringMap mapType[] = {
77	{ kSecAssessmentOperationTypeExecute, kAuthorityExecute },
78	{ kSecAssessmentOperationTypeInstall, kAuthorityInstall },
79	{ kSecAssessmentOperationTypeOpenDocument, kAuthorityOpenDoc },
80	{ NULL }
81	};
82
83	AuthorityType typeFor(CFDictionaryRef context, AuthorityType type /* = kAuthorityInvalid */)
84	{
85	return mapEnum(context, kSecAssessmentContextKeyOperation, mapType, type);
86	}
87
88	CFStringRef typeNameFor(AuthorityType type)
89	{
90	for (const StringMap *mp = mapType; mp->cstring; ++mp)
91	if (type == mp->enumeration)
92	return mp->cstring;
93	return CFStringCreateWithFormat(NULL, NULL, CFSTR("type %d"), type);
94	}
95
96
97	//
98	// Open the database
99	//
100	PolicyDatabase::PolicyDatabase(const char *path, int flags)
101	: SQLite::Database(path ? path : dbPath(), flags),
102	mLastExplicitCheck(0)
103	{
104	// sqlite3 doesn't do foreign key support by default, have to turn this on per connection
105	SQLite::Statement foreign(*this, "PRAGMA foreign_keys = true");
106	foreign.execute();
107
108	// Try upgrade processing if we may be open for write.
109	// Ignore any errors (we may have been downgraded to read-only)
110	// and try again later.
111	if (openFlags() & SQLITE_OPEN_READWRITE)
112	try {
113	upgradeDatabase();
114	installExplicitSet(gkeAuthFile, gkeSigsFile);
115	} catch(...) {
116	}
117	}
118
119	PolicyDatabase::~PolicyDatabase()
120	{ /* virtual */ }
121
122
123	//
124	// Quick-check the cache for a match.
125	// Return true on a cache hit, false on failure to confirm a hit for any reason.
126	//
427c49bc	127	bool PolicyDatabase::checkCache(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFMutableDictionaryRef result)
b1ab9ed8 A	128	{
	129	// we currently don't use the cache for anything but execution rules
	130	if (type != kAuthorityExecute)
	131	return false;
	132
	133	CFRef<SecStaticCodeRef> code;
	134	MacOSError::check(SecStaticCodeCreateWithPath(path, kSecCSDefaultFlags, &code.aref()));
427c49bc	135	if (SecStaticCodeCheckValidity(code, kSecCSBasicValidateOnly, NULL) != errSecSuccess)
b1ab9ed8 A	136	return false; // quick pass - any error is a cache miss
	137	CFRef<CFDictionaryRef> info;
	138	MacOSError::check(SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info.aref()));
	139	CFDataRef cdHash = CFDataRef(CFDictionaryGetValue(info, kSecCodeInfoUnique));
	140
	141	// check the cache table for a fast match
	142	SQLite::Statement cached(*this, "SELECT object.allow, authority.label, authority FROM object, authority"
	143	" WHERE object.authority = authority.id AND object.type = :type AND object.hash = :hash AND authority.disabled = 0"
	144	" AND JULIANDAY('now') < object.expires;");
	145	cached.bind(":type").integer(type);
	146	cached.bind(":hash") = cdHash;
	147	if (cached.nextRow()) {
	148	bool allow = int(cached[0]);
	149	const char *label = cached[1];
	150	SQLite::int64 auth = cached[2];
	151	SYSPOLICY_ASSESS_CACHE_HIT();
	152
	153	// If its allowed, lets do a full validation unless if
	154	// we are overriding the assessement, since that force
	155	// the verdict to 'pass' at the end
	156
427c49bc	157	if (allow && !overrideAssessment(flags))
b1ab9ed8 A	158	MacOSError::check(SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, NULL));
	159
	160	cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, allow);
427c49bc	161	PolicyEngine::addAuthority(flags, result, label, auth, kCFBooleanTrue);
b1ab9ed8 A	162	return true;
	163	}
	164	return false;
	165	}
	166
	167
	168	//
	169	// Purge the object cache of all expired entries.
	170	// These are meant to run within the caller's transaction.
	171	//
	172	void PolicyDatabase::purgeAuthority()
	173	{
	174	SQLite::Statement cleaner(*this,
	175	"DELETE FROM authority WHERE expires <= JULIANDAY('now');");
	176	cleaner.execute();
	177	}
	178
	179	void PolicyDatabase::purgeObjects()
	180	{
	181	SQLite::Statement cleaner(*this,
	182	"DELETE FROM object WHERE expires <= JULIANDAY('now');");
	183	cleaner.execute();
	184	}
	185
	186	void PolicyDatabase::purgeObjects(double priority)
	187	{
	188	SQLite::Statement cleaner(*this,
	189	"DELETE FROM object WHERE expires <= JULIANDAY('now') OR (SELECT priority FROM authority WHERE id = object.authority) <= :priority;");
	190	cleaner.bind(":priority") = priority;
	191	cleaner.execute();
	192	}
	193
	194
	195	//
	196	// Database migration
	197	//
	198	std::string PolicyDatabase::featureLevel(const char *name)
	199	{
	200	SQLite::Statement feature(*this, "SELECT value FROM feature WHERE name=:name");
	201	feature.bind(":name") = name;
427c49bc A	202	if (feature.nextRow()) {
	203	if (const char *value = feature[0])
	204	return value;
	205	else
	206	return "default"; // old engineering versions may have NULL values; tolerate this
	207	}
	208	return ""; // new feature (no level)
b1ab9ed8	209	}
427c49bc	210
b1ab9ed8 A	211	void PolicyDatabase::addFeature(const char name, const char value, const char *remarks)
	212	{
	213	SQLite::Statement feature(*this, "INSERT OR REPLACE INTO feature (name,value,remarks) VALUES(:name, :value, :remarks)");
	214	feature.bind(":name") = name;
	215	feature.bind(":value") = value;
	216	feature.bind(":remarks") = remarks;
	217	feature.execute();
	218	}
	219
	220	void PolicyDatabase::simpleFeature(const char *feature, void (^perform)())
	221	{
	222	if (!hasFeature(feature)) {
b1ab9ed8 A	223	SQLite::Transaction update(*this);
b1ab9ed8 A	224	perform();
427c49bc	225	addFeature(feature, "upgraded", "upgraded");
b1ab9ed8 A	226	update.commit();
	227	}
	228	}
	229
	230	void PolicyDatabase::simpleFeature(const char feature, const char sql)
	231	{
	232	simpleFeature(feature, ^{
	233	SQLite::Statement perform(*this, sql);
b1ab9ed8 A	234	perform.execute();
	235	});
	236	}
	237
	238
	239	void PolicyDatabase::upgradeDatabase()
	240	{
	241	simpleFeature("bookmarkhints",
	242	"CREATE TABLE bookmarkhints ("
	243	" id INTEGER PRIMARY KEY AUTOINCREMENT, "
	244	" bookmark BLOB,"
	245	" authority INTEGER NOT NULL"
	246	" REFERENCES authority(id) ON DELETE CASCADE"
	247	")");
	248
	249	simpleFeature("codesignedpackages", ^{
	250	SQLite::Statement update(*this,
	251	"UPDATE authority"
	252	" SET requirement = 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and "
	253	"(certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])'"
	254	" WHERE type = 2 and label = 'Developer ID' and flags & :flag");
	255	update.bind(":flag") = kAuthorityFlagDefault;
	256	update.execute();
	257	});
313fa17b A	258
	259	simpleFeature("filter_unsigned",
	260	"ALTER TABLE authority ADD COLUMN filter_unsigned TEXT NULL"
	261	);
c2a06e24 A	262
	263	simpleFeature("strict_apple_installer", ^{
	264	SQLite::Statement update(*this,
	265	"UPDATE authority"
	266	" SET requirement = 'anchor apple generic and certificate 1[subject.CN] = \"Apple Software Update Certification Authority\"'"
	267	" WHERE flags & :flag AND label = 'Apple Installer'");
	268	update.bind(":flag") = kAuthorityFlagDefault;
	269	update.execute();
	270	SQLite::Statement add(*this,
	271	"INSERT INTO authority (type, label, flags, requirement)"
	272	" VALUES (2, 'Mac App Store', :flags, 'anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.10] exists')");
	273	add.bind(":flags") = kAuthorityFlagDefault;
	274	add.execute();
	275	});
641423b6 A	276
	277	simpleFeature("document rules", ^{
	278	SQLite::Statement addApple(*this,
	279	"INSERT INTO authority (type, allow, flags, label, requirement) VALUES (3, 1, 2, 'Apple System', 'anchor apple')");
	280	addApple.execute();
	281	SQLite::Statement addDevID(*this,
	282	"INSERT INTO authority (type, allow, flags, label, requirement) VALUES (3, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists')");
	283	addDevID.execute();
	284	});
fa7225c8 A	285
	286	simpleFeature("root_only", ^{
	287	UnixError::check(::chmod(dbPath(), S_IRUSR \| S_IWUSR));
	288	});
b1ab9ed8 A	289	}
	290
	291
	292	//
	293	// Install Gatekeeper override (GKE) data.
	294	// The arguments are paths to the authority and signature files.
	295	//
	296	void PolicyDatabase::installExplicitSet(const char authfile, const char sigfile)
	297	{
	298	// only try this every gkeCheckInterval seconds
	299	time_t now = time(NULL);
	300	if (mLastExplicitCheck + gkeCheckInterval > now)
	301	return;
	302	mLastExplicitCheck = now;
	303
	304	try {
	305	if (CFRef<CFDataRef> authData = cfLoadFile(authfile)) {
	306	CFDictionary auth(CFRef<CFDictionaryRef>(makeCFDictionaryFrom(authData)), errSecCSDbCorrupt);
	307	CFDictionaryRef content = auth.get<CFDictionaryRef>(CFSTR("authority"));
	308	std::string authUUID = cfString(auth.get<CFStringRef>(CFSTR("uuid")));
	309	if (authUUID.empty()) {
fa7225c8	310	secinfo("gkupgrade", "no uuid in auth file; ignoring gke.auth");
b1ab9ed8 A	311	return;
	312	}
	313	std::string dbUUID;
	314	SQLite::Statement uuidQuery(*this, "SELECT value FROM feature WHERE name='gke'");
	315	if (uuidQuery.nextRow())
	316	dbUUID = (const char *)uuidQuery[0];
	317	if (dbUUID == authUUID) {
fa7225c8	318	secinfo("gkupgrade", "gke.auth already present, ignoring");
b1ab9ed8 A	319	return;
	320	}
	321	Syslog::notice("loading GKE %s (replacing %s)", authUUID.c_str(), dbUUID.empty() ? "nothing" : dbUUID.c_str());
	322
	323	// first, load code signatures. This is pretty much idempotent
	324	if (sigfile)
	325	if (FILE *sigs = fopen(sigfile, "r")) {
	326	unsigned count = 0;
427c49bc	327	SignatureDatabaseWriter db;
b1ab9ed8	328	while (const BlobCore *blob = BlobCore::readBlob(sigs)) {
427c49bc	329	db.storeCode(blob, "<remote>");
b1ab9ed8 A	330	count++;
b1ab9ed8 A	331	}
fa7225c8	332	secinfo("gkupgrade", "%d detached signature(s) loaded from override data", count);
b1ab9ed8 A	333	fclose(sigs);
	334	}
	335
	336	// start transaction (atomic from here on out)
	337	SQLite::Transaction loadAuth(*this, SQLite::Transaction::exclusive, "GKE_Upgrade");
	338
	339	// purge prior authority data
	340	SQLite::Statement purge(*this, "DELETE FROM authority WHERE flags & :flag");
	341	purge.bind(":flag") = kAuthorityFlagWhitelist;
	342	purge();
	343
	344	// load new data
	345	CFIndex count = CFDictionaryGetCount(content);
	346	CFStringRef keys[count];
	347	CFDictionaryRef values[count];
	348	CFDictionaryGetKeysAndValues(content, (const void )keys, (const void )values);
	349
313fa17b A	350	SQLite::Statement insert(*this, "INSERT INTO authority (type, allow, requirement, label, filter_unsigned, flags, remarks)"
313fa17b A	351	" VALUES (:type, 1, :requirement, 'GKE', :filter, :flags, :path)");
b1ab9ed8 A	352	for (CFIndex n = 0; n < count; n++) {
b1ab9ed8 A	353	CFDictionary info(values[n], errSecCSDbCorrupt);
427c49bc A	354	uint32_t flags = kAuthorityFlagWhitelist;
	355	if (CFNumberRef versionRef = info.get<CFNumberRef>("version")) {
	356	int version = cfNumber<int>(versionRef);
fa7225c8	357	if (version >= 2) {
427c49bc	358	flags \|= kAuthorityFlagWhitelistV2;
fa7225c8 A	359	if (version >= 3) {
	360	flags \|= kAuthorityFlagWhitelistSHA256;
	361	}
	362	}
427c49bc	363	}
b1ab9ed8 A	364	insert.reset();
	365	insert.bind(":type") = cfString(info.get<CFStringRef>(CFSTR("type")));
	366	insert.bind(":path") = cfString(info.get<CFStringRef>(CFSTR("path")));
	367	insert.bind(":requirement") = "cdhash H\"" + cfString(info.get<CFStringRef>(CFSTR("cdhash"))) + "\"";
313fa17b	368	insert.bind(":filter") = cfString(info.get<CFStringRef>(CFSTR("screen")));
427c49bc	369	insert.bind(":flags").integer(flags);
b1ab9ed8 A	370	insert();
	371	}
	372
427c49bc A	373	// we just changed the authority configuration at priority zero
	374	this->purgeObjects(0);
	375
b1ab9ed8 A	376	// update version and commit
	377	addFeature("gke", authUUID.c_str(), "gke loaded");
	378	loadAuth.commit();
fa7225c8 A	379	/* now that we have moved to a bundle for gke files, delete any old style files we find
	380	This is really just a best effort cleanup, so we don't care about errors. */
	381	if (access(gkeAuthFile_old, F_OK) == 0)
	382	{
	383	if (unlink(gkeAuthFile_old) == 0)
	384	{
	385	Syslog::notice("Deleted old style gke file (%s)", gkeAuthFile_old);
	386	}
	387	}
	388	if (access(gkeSigsFile_old, F_OK) == 0)
	389	{
	390	if (unlink(gkeSigsFile_old) == 0)
	391	{
	392	Syslog::notice("Deleted old style gke file (%s)", gkeSigsFile_old);
	393	}
	394	}
b1ab9ed8 A	395	}
b1ab9ed8 A	396	} catch (...) {
fa7225c8	397	secinfo("gkupgrade", "exception during GKE upgrade");
b1ab9ed8 A	398	}
	399	}
	400
	401
	402	//
	403	// Check the override-enable master flag
	404	//
	405	#define SP_ENABLE_KEY CFSTR("enabled")
	406	#define SP_ENABLED CFSTR("yes")
	407	#define SP_DISABLED CFSTR("no")
	408
427c49bc	409	bool overrideAssessment(SecAssessmentFlags flags /* = 0 */)
b1ab9ed8 A	410	{
	411	static bool enabled = true;
	412	static dispatch_once_t once;
	413	static int token = -1;
	414	static int have_token = 0;
	415	static dispatch_queue_t queue;
	416	int check;
	417
427c49bc A	418	if (flags & kSecAssessmentFlagEnforce) // explicitly disregard disables (force on)
	419	return false;
	420
b1ab9ed8 A	421	if (have_token && notify_check(token, &check) == NOTIFY_STATUS_OK && !check)
	422	return !enabled;
	423
	424	dispatch_once(&once, ^{
	425	if (notify_register_check(kNotifySecAssessmentMasterSwitch, &token) == NOTIFY_STATUS_OK)
	426	have_token = 1;
	427	queue = dispatch_queue_create("com.apple.SecAssessment.assessment", NULL);
	428	});
	429
	430	dispatch_sync(queue, ^{
	431	/* upgrade configuration from emir, ignore all error since we might not be able to write to */
	432	if (::access(visibleSecurityFlagFile, F_OK) == 0) {
	433	try {
	434	setAssessment(true);
	435	::unlink(visibleSecurityFlagFile);
	436	} catch (...) {
	437	}
	438	enabled = true;
	439	return;
	440	}
	441
	442	try {
	443	Dictionary * prefsDict = Dictionary::CreateDictionary(prefsFile);
	444	if (prefsDict == NULL)
	445	return;
	446
	447	CFStringRef value = prefsDict->getStringValue(SP_ENABLE_KEY);
	448	if (value && CFStringCompare(value, SP_DISABLED, 0) == 0)
	449	enabled = false;
	450	else
	451	enabled = true;
	452	delete prefsDict;
	453	} catch(...) {
	454	}
	455	});
	456
	457	return !enabled;
	458	}
	459
	460	void setAssessment(bool masterSwitch)
	461	{
	462	MutableDictionary *prefsDict = MutableDictionary::CreateMutableDictionary(prefsFile);
	463	if (prefsDict == NULL)
	464	prefsDict = new MutableDictionary::MutableDictionary();
	465	prefsDict->setValue(SP_ENABLE_KEY, masterSwitch ? SP_ENABLED : SP_DISABLED);
	466	prefsDict->writePlistToFile(prefsFile);
	467	delete prefsDict;
	468
	469	/* make sure permissions is right */
	470	::chmod(prefsFile, S_IRUSR \| S_IWUSR \| S_IRGRP \| S_IROTH);
	471
	472	notify_post(kNotifySecAssessmentMasterSwitch);
d8f41ccd A	473
	474	/* reset the automatic rearm timer */
	475	resetRearmTimer("masterswitch");
	476	}
	477
	478
	479	//
	480	// Reset or query the automatic rearm timer
	481	//
	482	void resetRearmTimer(const char *event)
	483	{
	484	CFRef<CFDateRef> now = CFDateCreate(NULL, CFAbsoluteTimeGetCurrent());
	485	CFTemp<CFDictionaryRef> info("{event=%s, timestamp=%O}", event, now.get());
	486	CFRef<CFDataRef> infoData = makeCFData(info.get());
	487	UnixPlusPlus::AutoFileDesc fd(rearmTimerFile, O_WRONLY \| O_CREAT \| O_TRUNC, 0644);
	488	fd.write(CFDataGetBytePtr(infoData), CFDataGetLength(infoData));
	489	}
	490
	491	bool queryRearmTimer(CFTimeInterval &delta)
	492	{
	493	if (CFRef<CFDataRef> infoData = cfLoadFile(rearmTimerFile)) {
	494	if (CFRef<CFDictionaryRef> info = makeCFDictionaryFrom(infoData)) {
	495	CFDateRef timestamp = (CFDateRef)CFDictionaryGetValue(info, CFSTR("timestamp"));
	496	if (timestamp && CFGetTypeID(timestamp) == CFDateGetTypeID()) {
	497	delta = CFAbsoluteTimeGetCurrent() - CFDateGetAbsoluteTime(timestamp);
	498	return true;
	499	}
	500	}
	501	MacOSError::throwMe(errSecCSDbCorrupt);
	502	}
	503	return false;
b1ab9ed8 A	504	}
	505
	506
	507	} // end namespace CodeSigning
	508	} // end namespace Security