[apple/security.git] / securityd / src / acls.cpp

/*
 * Copyright (c) 2000-2009,2012-2013 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


//
// acls - securityd ACL implementation
//
#include "acls.h"
#include "connection.h"
#include "server.h"
#include "agentquery.h"
#include "tokendatabase.h"
#include "acl_keychain.h"

// ACL subjects whose Environments we implement
#include <security_cdsa_utilities/acl_any.h>
#include <security_cdsa_utilities/acl_password.h>
#include <security_cdsa_utilities/acl_threshold.h>

#include <sys/sysctl.h>
#include <security_utilities/logging.h>

//
// SecurityServerAcl is virtual
//
SecurityServerAcl::~SecurityServerAcl()
{ }


//
// The default implementation of the ACL interface simply uses the local ObjectAcl
// data. You can customize this by implementing instantiateAcl() [from ObjectAcl]
// or by overriding these methods as desired.
// Note: While you can completely ignore the ObjectAcl personality if you wish, it's
// usually smarter to adapt it.
//
void SecurityServerAcl::getOwner(AclOwnerPrototype &owner)
{
	StLock<Mutex> _(aclSequence);
	ObjectAcl::cssmGetOwner(owner);
}

void SecurityServerAcl::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
{
	StLock<Mutex> _(aclSequence);
	ObjectAcl::cssmGetAcl(tag, count, acls);
}

void SecurityServerAcl::changeAcl(const AclEdit &edit, const AccessCredentials *cred,
	Database *db)
{
	StLock<Mutex> _(aclSequence);
	SecurityServerEnvironment env(*this, db);
	ObjectAcl::cssmChangeAcl(edit, cred, &env);
}

void SecurityServerAcl::changeOwner(const AclOwnerPrototype &newOwner,
	const AccessCredentials *cred, Database *db)
{
	StLock<Mutex> _(aclSequence);
	SecurityServerEnvironment env(*this, db);
	ObjectAcl::cssmChangeOwner(newOwner, cred, &env);
}


//
// Modified validate() methods to connect all the conduits...
//
void SecurityServerAcl::validate(AclAuthorization auth, const AccessCredentials *cred, Database *db)
{
    SecurityServerEnvironment env(*this, db);
	
	StLock<Mutex> objectSequence(aclSequence);
	StLock<Mutex> processSequence(Server::process().aclSequence);
    ObjectAcl::validate(auth, cred, &env);
}

void SecurityServerAcl::validate(AclAuthorization auth, const Context &context, Database *db)
{
	validate(auth,
		context.get<AccessCredentials>(CSSM_ATTRIBUTE_ACCESS_CREDENTIALS), db);
}


//
// This helper tries to add the (new) subject given to the ACL
// whose validation is currently proceeding through context.
// This will succeed if the ACL is in standard form, which means
// a ThresholdAclSubject.
// The new subject will be added at the front (so it is checked first
// from now on), and as a side effect we'll notify the client side to
// re-encode the object.
// Returns true if the edit could be done, or false if the ACL wasn't
// standard enough. May throw if the ACL is malformed or otherwise messed up.
//
// This is a self-contained helper that is here merely because it's "about"
// ACLs and has no better home.
//
bool SecurityServerAcl::addToStandardACL(const AclValidationContext &context, AclSubject *subject)
{
	if (SecurityServerEnvironment *env = context.environment<SecurityServerEnvironment>())
		if (ThresholdAclSubject *threshold = env->standardSubject(context)) {
			unsigned size = threshold->count();
			if (dynamic_cast<KeychainPromptAclSubject *>(threshold->subject(size-1))) {
				// looks standard enough
				secdebug("acl", "adding new subject %p to from of threshold ACL", subject);
				threshold->add(subject, 0);
				
				// tell the ACL it's been modified
				context.acl()->changedAcl();

				// trigger a special notification code on (otherwise successful) return
				Server::connection().overrideReturn(CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT);
				return true;
			}
		}
	secdebug("acl", "ACL is not standard form; cannot edit");
	return false;
}


//
// Look at the ACL whose validation is currently proceeding through context.
// If it LOOKS like a plausible version of a legacy "dot mac item" ACL.
// We don't have access to the database attributes of the item up here in the
// securityd sky, so we have to apply a heuristic based on which applications (by path)
// are given access to the item.
// So this is strictly a heuristic. The potential downside is that we may inadvertently
// give access to new .Mac authorized Apple (only) applications when the user only intended
// a limited set of extremely popular Apple (only) applications that just happen to all be
// .Mac authorized today. We can live with that.
//
bool SecurityServerAcl::looksLikeLegacyDotMac(const AclValidationContext &context)
{
	static const char * const prototypicalDotMacPath[] = {
		"/Applications/Mail.app",
		"/Applications/Safari.app",
		"/Applications/iSync.app",
		"/Applications/System Preferences.app",
		"/Applications/iCal.app",
		"/Applications/iChat.app",
		"/Applications/iTunes.app",
		"/Applications/Address Book.app",
		"/Applications/iSync.app",
		NULL	// sentinel
	};
	
	static const unsigned threshold = 6;
	
	if (SecurityServerEnvironment *env = context.environment<SecurityServerEnvironment>()) {
		if (ThresholdAclSubject *list = env->standardSubject(context)) {
			unsigned count = list->count();
			unsigned matches = 0;
			for (unsigned n = 0; n < count; ++n) {
				if (CodeSignatureAclSubject *app = dynamic_cast<CodeSignatureAclSubject *>(list->subject(n))) {
					for (const char * const *p = prototypicalDotMacPath; *p; p++)
						if (app->path() == *p)
							matches++;
				}
			}
			secdebug("codesign", "matched %d of %zd candididates (threshold=%d)",
				matches, sizeof(prototypicalDotMacPath) / sizeof(char *) - 1, threshold);
			return matches >= threshold;
		}
	}
	return false;
}


//
// External storage interface
//
Adornable &SecurityServerEnvironment::store(const AclSubject *subject)
{
	switch (subject->type()) {
	case CSSM_ACL_SUBJECT_TYPE_PREAUTH:
		{
			if (TokenDatabase *tokenDb = dynamic_cast<TokenDatabase *>(database))
				return tokenDb->common().store();
		}
		break;
	default:
		break;
	}
	CssmError::throwMe(CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED);
}


//
// ProcessAclSubject personality: uid/gid/pid come from the active Process object
//
uid_t SecurityServerEnvironment::getuid() const
{
    return Server::process().uid();
}

gid_t SecurityServerEnvironment::getgid() const
{
    return Server::process().gid();
}

pid_t SecurityServerEnvironment::getpid() const
{
    return Server::process().pid();
}


//
// CodeSignatureAclSubject personality: take code signature from active Process object
//
bool SecurityServerEnvironment::verifyCodeSignature(const OSXVerifier &verifier,
	const AclValidationContext &context)
{
	return Server::codeSignatures().verify(Server::process(), verifier, context);
}


//
// PromptedAclSubject personality: Get a secret by prompting through SecurityAgent
//
bool SecurityServerEnvironment::getSecret(CssmOwnedData &secret, const CssmData &prompt) const
{
	//@@@ ignoring prompt - not used right now
	if (database) {
		QueryPIN query(*database);
		query.inferHints(Server::process());
		if (!query()) {	// success
			secret = query.pin();
			return true;
		}
	}
	return false;
}


//
// SecretAclSubject personality: externally validate a secret (passphrase etc.)
// Right now, this always goes to the (Token)Database object, because that's where
// the PIN ACL entries are. We could direct this at the ObjectAcl (database or key)
// instead and rely on tokend to perform the PIN mapping, but the generic tokend
// wrappers do not (currently) perform any ACL validation, so every tokend would have
// to re-implement that. Perhaps in the next ACL revamp cycle...
//
bool SecurityServerEnvironment::validateSecret(const SecretAclSubject *me,
	const AccessCredentials *cred)
{
	return database && database->validateSecret(me, cred);
}


//
// PreAuthenticationAclSubject personality - refer to database (ObjectAcl)
//
ObjectAcl *SecurityServerEnvironment::preAuthSource()
{
	return database ? &database->acl() : NULL;
}


//
// Autonomous ACL editing support
//
ThresholdAclSubject *SecurityServerEnvironment::standardSubject(const AclValidationContext &context)
{
	return dynamic_cast<ThresholdAclSubject *>(context.subject());
}


//
// The default AclSource denies having an ACL at all
//
AclSource::~AclSource()
{ /* virtual */ }

SecurityServerAcl &AclSource::acl()
{
	CssmError::throwMe(CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED);
}

Database *AclSource::relatedDatabase()
{
	return NULL;
}
Commit	Line	Data
d8f41ccd A	1	/*
	2	* Copyright (c) 2000-2009,2012-2013 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	//
	26	// acls - securityd ACL implementation
	27	//
	28	#include "acls.h"
	29	#include "connection.h"
	30	#include "server.h"
	31	#include "agentquery.h"
	32	#include "tokendatabase.h"
	33	#include "acl_keychain.h"
	34
	35	// ACL subjects whose Environments we implement
	36	#include <security_cdsa_utilities/acl_any.h>
	37	#include <security_cdsa_utilities/acl_password.h>
	38	#include <security_cdsa_utilities/acl_threshold.h>
	39
	40	#include <sys/sysctl.h>
	41	#include <security_utilities/logging.h>
	42
	43	//
	44	// SecurityServerAcl is virtual
	45	//
	46	SecurityServerAcl::~SecurityServerAcl()
	47	{ }
	48
	49
	50	//
	51	// The default implementation of the ACL interface simply uses the local ObjectAcl
	52	// data. You can customize this by implementing instantiateAcl() [from ObjectAcl]
	53	// or by overriding these methods as desired.
	54	// Note: While you can completely ignore the ObjectAcl personality if you wish, it's
	55	// usually smarter to adapt it.
	56	//
	57	void SecurityServerAcl::getOwner(AclOwnerPrototype &owner)
	58	{
	59	StLock<Mutex> _(aclSequence);
	60	ObjectAcl::cssmGetOwner(owner);
	61	}
	62
	63	void SecurityServerAcl::getAcl(const char tag, uint32 &count, AclEntryInfo &acls)
	64	{
65	StLock<Mutex> _(aclSequence);
66	ObjectAcl::cssmGetAcl(tag, count, acls);
67	}
68
69	void SecurityServerAcl::changeAcl(const AclEdit &edit, const AccessCredentials *cred,
70	Database *db)
71	{
72	StLock<Mutex> _(aclSequence);
73	SecurityServerEnvironment env(*this, db);
74	ObjectAcl::cssmChangeAcl(edit, cred, &env);
75	}
76
77	void SecurityServerAcl::changeOwner(const AclOwnerPrototype &newOwner,
78	const AccessCredentials cred, Database db)
79	{
80	StLock<Mutex> _(aclSequence);
81	SecurityServerEnvironment env(*this, db);
82	ObjectAcl::cssmChangeOwner(newOwner, cred, &env);
83	}
84
85
86	//
87	// Modified validate() methods to connect all the conduits...
88	//
89	void SecurityServerAcl::validate(AclAuthorization auth, const AccessCredentials cred, Database db)
90	{
91	SecurityServerEnvironment env(*this, db);
92
93	StLock<Mutex> objectSequence(aclSequence);
94	StLock<Mutex> processSequence(Server::process().aclSequence);
95	ObjectAcl::validate(auth, cred, &env);
96	}
97
98	void SecurityServerAcl::validate(AclAuthorization auth, const Context &context, Database *db)
99	{
100	validate(auth,
101	context.get<AccessCredentials>(CSSM_ATTRIBUTE_ACCESS_CREDENTIALS), db);
102	}
103
104
105	//
106	// This helper tries to add the (new) subject given to the ACL
107	// whose validation is currently proceeding through context.
108	// This will succeed if the ACL is in standard form, which means
109	// a ThresholdAclSubject.
110	// The new subject will be added at the front (so it is checked first
111	// from now on), and as a side effect we'll notify the client side to
112	// re-encode the object.
113	// Returns true if the edit could be done, or false if the ACL wasn't
114	// standard enough. May throw if the ACL is malformed or otherwise messed up.
115	//
116	// This is a self-contained helper that is here merely because it's "about"
117	// ACLs and has no better home.
118	//
119	bool SecurityServerAcl::addToStandardACL(const AclValidationContext &context, AclSubject *subject)
120	{
121	if (SecurityServerEnvironment *env = context.environment<SecurityServerEnvironment>())
122	if (ThresholdAclSubject *threshold = env->standardSubject(context)) {
123	unsigned size = threshold->count();
124	if (dynamic_cast<KeychainPromptAclSubject *>(threshold->subject(size-1))) {
125	// looks standard enough
126	secdebug("acl", "adding new subject %p to from of threshold ACL", subject);
127	threshold->add(subject, 0);
128
129	// tell the ACL it's been modified
130	context.acl()->changedAcl();
131
132	// trigger a special notification code on (otherwise successful) return
133	Server::connection().overrideReturn(CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT);
134	return true;
135	}
136	}
137	secdebug("acl", "ACL is not standard form; cannot edit");
138	return false;
139	}
140
141
142	//
143	// Look at the ACL whose validation is currently proceeding through context.
144	// If it LOOKS like a plausible version of a legacy "dot mac item" ACL.
145	// We don't have access to the database attributes of the item up here in the
146	// securityd sky, so we have to apply a heuristic based on which applications (by path)
147	// are given access to the item.
148	// So this is strictly a heuristic. The potential downside is that we may inadvertently
149	// give access to new .Mac authorized Apple (only) applications when the user only intended
150	// a limited set of extremely popular Apple (only) applications that just happen to all be
151	// .Mac authorized today. We can live with that.
152	//
153	bool SecurityServerAcl::looksLikeLegacyDotMac(const AclValidationContext &context)
154	{
155	static const char * const prototypicalDotMacPath[] = {
156	"/Applications/Mail.app",
157	"/Applications/Safari.app",
158	"/Applications/iSync.app",
159	"/Applications/System Preferences.app",
160	"/Applications/iCal.app",
161	"/Applications/iChat.app",
162	"/Applications/iTunes.app",
163	"/Applications/Address Book.app",
164	"/Applications/iSync.app",
165	NULL // sentinel
166	};
167
168	static const unsigned threshold = 6;
169
170	if (SecurityServerEnvironment *env = context.environment<SecurityServerEnvironment>()) {
171	if (ThresholdAclSubject *list = env->standardSubject(context)) {
172	unsigned count = list->count();
173	unsigned matches = 0;
174	for (unsigned n = 0; n < count; ++n) {
175	if (CodeSignatureAclSubject app = dynamic_cast<CodeSignatureAclSubject >(list->subject(n))) {
176	for (const char * const p = prototypicalDotMacPath; p; p++)
177	if (app->path() == *p)
178	matches++;
179	}
180	}
181	secdebug("codesign", "matched %d of %zd candididates (threshold=%d)",
182	matches, sizeof(prototypicalDotMacPath) / sizeof(char *) - 1, threshold);
183	return matches >= threshold;
184	}
185	}
186	return false;
187	}
188
189
190	//
191	// External storage interface
192	//
193	Adornable &SecurityServerEnvironment::store(const AclSubject *subject)
194	{
195	switch (subject->type()) {
196	case CSSM_ACL_SUBJECT_TYPE_PREAUTH:
197	{
198	if (TokenDatabase tokenDb = dynamic_cast<TokenDatabase >(database))
199	return tokenDb->common().store();
200	}
201	break;
202	default:
203	break;
204	}
205	CssmError::throwMe(CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED);
206	}
207
208
209	//
210	// ProcessAclSubject personality: uid/gid/pid come from the active Process object
211	//
212	uid_t SecurityServerEnvironment::getuid() const
213	{
214	return Server::process().uid();
215	}
216
217	gid_t SecurityServerEnvironment::getgid() const
218	{
219	return Server::process().gid();
220	}
221
222	pid_t SecurityServerEnvironment::getpid() const
223	{
224	return Server::process().pid();
225	}
226
227
228	//
229	// CodeSignatureAclSubject personality: take code signature from active Process object
230	//
231	bool SecurityServerEnvironment::verifyCodeSignature(const OSXVerifier &verifier,
232	const AclValidationContext &context)
233	{
234	return Server::codeSignatures().verify(Server::process(), verifier, context);
235	}
236
237
238	//
239	// PromptedAclSubject personality: Get a secret by prompting through SecurityAgent
240	//
241	bool SecurityServerEnvironment::getSecret(CssmOwnedData &secret, const CssmData &prompt) const
242	{
243	//@@@ ignoring prompt - not used right now
244	if (database) {
245	QueryPIN query(*database);
246	query.inferHints(Server::process());
247	if (!query()) { // success
248	secret = query.pin();
249	return true;
250	}
251	}
252	return false;
253	}
254
255
256	//
257	// SecretAclSubject personality: externally validate a secret (passphrase etc.)
258	// Right now, this always goes to the (Token)Database object, because that's where
259	// the PIN ACL entries are. We could direct this at the ObjectAcl (database or key)
260	// instead and rely on tokend to perform the PIN mapping, but the generic tokend
261	// wrappers do not (currently) perform any ACL validation, so every tokend would have
262	// to re-implement that. Perhaps in the next ACL revamp cycle...
263	//
264	bool SecurityServerEnvironment::validateSecret(const SecretAclSubject *me,
265	const AccessCredentials *cred)
266	{
267	return database && database->validateSecret(me, cred);
268	}
269
270
271	//
272	// PreAuthenticationAclSubject personality - refer to database (ObjectAcl)
273	//
274	ObjectAcl *SecurityServerEnvironment::preAuthSource()
275	{
276	return database ? &database->acl() : NULL;
277	}
278
279
280	//
281	// Autonomous ACL editing support
282	//
283	ThresholdAclSubject *SecurityServerEnvironment::standardSubject(const AclValidationContext &context)
284	{
285	return dynamic_cast<ThresholdAclSubject *>(context.subject());
286	}
287
288
289	//
290	// The default AclSource denies having an ACL at all
291	//
292	AclSource::~AclSource()
293	{ /* virtual */ }
294
295	SecurityServerAcl &AclSource::acl()
296	{
297	CssmError::throwMe(CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED);
298	}
299
300	Database *AclSource::relatedDatabase()
301	{
302	return NULL;
303	}