[apple/security.git] / OSX / libsecurity_codesigning / lib / syspolicy.sql

--
-- Copyright (c) 2011-2012 Apple Inc. All Rights Reserved.
-- 
-- @APPLE_LICENSE_HEADER_START@
-- 
-- This file contains Original Code and/or Modifications of Original Code
-- as defined in and that are subject to the Apple Public Source License
-- Version 2.0 (the 'License'). You may not use this file except in
-- compliance with the License. Please obtain a copy of the License at
-- http://www.opensource.apple.com/apsl/ and read it before using this
-- file.
--
-- The Original Code and all software distributed under the License are
-- distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
-- EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
-- INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
-- FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
-- Please see the License for the specific language governing rights and
-- limitations under the License.
-- 
-- @APPLE_LICENSE_HEADER_END@
--
--
-- System Policy master database - file format and initial contents
--
-- This is currently for sqlite3
--
-- NOTES:
-- Dates are uniformly in julian form. We use 5000000 as the canonical "never" expiration
-- value; that's a day in the year 8977.
--
PRAGMA user_version = 1;
PRAGMA foreign_keys = true;
PRAGMA legacy_file_format = false;
PRAGMA recursive_triggers = true;


--
-- The feature table hold configuration features and options
--
CREATE TABLE feature (
	id INTEGER PRIMARY KEY,				-- canononical
	name TEXT NOT NULL UNIQUE,			-- name of option
	value TEXT NULL,					-- value of option, if any
	remarks TEXT NULL					-- optional remarks string
);


--
-- The primary authority. This table is conceptually scanned
-- in priority order, with the highest-priority matching enabled record
-- determining the outcome.
-- 
CREATE TABLE authority (
	id INTEGER PRIMARY KEY AUTOINCREMENT,				-- canonical
	version INTEGER NOT NULL DEFAULT (1)				-- semantic version of this rule
		CHECK (version > 0),
	type INTEGER NOT NULL,								-- operation type
	requirement TEXT NULL								-- code requirement
		CHECK ((requirement IS NULL) = ((flags & 1) != 0)),
	allow INTEGER NOT NULL DEFAULT (1)					-- allow (1) or deny (0)
		CHECK (allow = 0 OR allow = 1),
	disabled INTEGER NOT NULL DEFAULT (0)				-- disable count (stacks; enabled if zero)
		CHECK (disabled >= 0),
	expires FLOAT NOT NULL DEFAULT (5000000),			-- expiration of rule authority (Julian date)
	priority REAL NOT NULL DEFAULT (0),					-- rule priority (full float)
	label TEXT NULL,									-- text label for authority rule
	filter_unsigned TEXT NULL,							-- prescreen for handling unsigned code
	flags INTEGER NOT NULL DEFAULT (0),					-- amalgamated binary flags
	-- following fields are for documentation only
	ctime FLOAT NOT NULL DEFAULT (JULIANDAY('now')),	-- rule creation time (Julian)
	mtime FLOAT NOT NULL DEFAULT (JULIANDAY('now')),	-- time rule was last changed (Julian)
	user TEXT NULL,										-- user requesting this rule (NULL if unknown)
	remarks TEXT NULL									-- optional remarks string
);

-- index
CREATE INDEX authority_type ON authority (type);
CREATE INDEX authority_priority ON authority (priority);
CREATE INDEX authority_expires ON authority (expires);

-- update mtime if a record is changed
CREATE TRIGGER authority_update AFTER UPDATE ON authority
BEGIN
	UPDATE authority SET mtime = JULIANDAY('now') WHERE id = old.id;
END;

-- rules that are actively considered
CREATE VIEW active_authority AS
SELECT * from authority
WHERE disabled = 0 AND JULIANDAY('now') < expires AND (flags & 1) = 0;

-- rules subject to priority scan: active_authority but including disabled rules
CREATE VIEW scan_authority AS
SELECT * from authority
WHERE JULIANDAY('now') < expires AND (flags & 1) = 0;


--
-- A table to carry (potentially large-ish) filesystem data stored as a bookmark blob.
--
CREATE TABLE bookmarkhints (
	id INTEGER PRIMARY KEY AUTOINCREMENT,
	bookmark BLOB NOT NULL,
	authority INTEGER NOT NULL
		REFERENCES authority(id) ON DELETE CASCADE
);


--
-- Upgradable features already contained in this baseline.
-- See policydatabase.cpp for upgrade code.
--
INSERT INTO feature (name, value, remarks)
	VALUES ('bookmarkhints', 'present', 'builtin');
INSERT INTO feature (name, value, remarks)
	VALUES ('codesignedpackages', 'present', 'builtin');
INSERT INTO feature (name, value, remarks)
	VALUES ('filter_unsigned', 'present', 'builtin');
INSERT INTO feature (name, value, remarks)
	VALUES ('document rules', 'present', 'builtin');
INSERT INTO feature (name, value, remarks)
VALUES ('root_only', 'present', 'builtin');


--
-- Initial canonical contents of a fresh database
--

-- virtual rule anchoring negative cache entries (no rule found)
insert into authority (type, allow, priority, flags, label)
	values (1, 0, -1.0E100, 1, 'No Matching Rule');

-- any "genuine Apple-signed" installers
insert into authority (type, allow, priority, flags, label, requirement)
	values (2, 1, -1, 2, 'Apple Installer', 'anchor apple generic and certificate 1[subject.CN] = "Apple Software Update Certification Authority"');

-- Apple code signing
insert into authority (type, allow, flags, label, requirement)
	values (1, 1, 2, 'Apple System', 'anchor apple');

-- Mac App Store code signing
insert into authority (type, allow, flags, label, requirement)
	values (1, 1, 2, 'Mac App Store', 'anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] exists');

-- Mac App Store installer signing
insert into authority (type, allow, flags, label, requirement)
	values (2, 1, 2, 'Mac App Store', 'anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.10] exists');

-- Caspian code and archive signing
insert into authority (type, allow, flags, label, requirement)
	values (1, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists');
insert into authority (type, allow, flags, label, requirement)
	values (2, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])');

-- Document signing
insert into authority (type, allow, flags, label, requirement)
	values (3, 1, 2, 'Apple System', 'anchor apple');
insert into authority (type, allow, flags, label, requirement)
values (3, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists');


--
-- The cache table lists previously determined outcomes
-- for individual objects (by object hash). Entries come from
-- full evaluations of authority records, or by explicitly inserting
-- override rules that preempt the normal authority.
-- EACH object record must have a parent authority record from which it is derived;
-- this may be a normal authority rule or an override rule. If the parent rule is deleted,
-- all objects created from it are automatically removed (by sqlite itself).
--
CREATE TABLE object (
	id INTEGER PRIMARY KEY,								-- canonical
	type INTEGER NOT NULL,									-- operation type
	hash CDHASH NOT NULL,									-- canonical hash of object
	allow INTEGER NOT NULL,								-- allow (1) or deny (0)
	expires FLOAT NOT NULL DEFAULT (5000000),				-- expiration of object entry
	authority INTEGER NOT NULL								-- governing authority rule
		REFERENCES authority(id) ON DELETE CASCADE,
	-- following fields are for documentation only
	path TEXT NULL,											-- path of object at record creation time
	ctime FLOAT NOT NULL DEFAULT (JULIANDAY('now')),		-- record creation time
	mtime FLOAT NOT NULL DEFAULT (JULIANDAY('now')),		-- record modification time
	remarks TEXT NULL										-- optional remarks string
);

-- index
CREATE INDEX object_type ON object (type);
CREATE INDEX object_expires ON object (expires);
CREATE UNIQUE INDEX object_hash ON object (hash);

-- update mtime if a record is changed
CREATE TRIGGER object_update AFTER UPDATE ON object
BEGIN
	UPDATE object SET mtime = JULIANDAY('now') WHERE id = old.id;
END;


--
-- Some useful views on objects. These are for administration; they are not used by the assessor.
--
CREATE VIEW object_state AS
SELECT object.id, object.type, object.allow,
	CASE object.expires WHEN 5000000 THEN NULL ELSE STRFTIME('%Y-%m-%d %H:%M:%f', object.expires, 'localtime') END AS expiration,
	(object.expires - JULIANDAY('now')) * 86400 as remaining,
	authority.label,
	object.authority,
	object.path,
	object.ctime,
	authority.requirement,
	authority.disabled,
	object.remarks
FROM object, authority
WHERE object.authority = authority.id;
Commit	Line	Data
b1ab9ed8 A	1	--
	2	-- Copyright (c) 2011-2012 Apple Inc. All Rights Reserved.
	3	--
	4	-- @APPLE_LICENSE_HEADER_START@
	5	--
	6	-- This file contains Original Code and/or Modifications of Original Code
	7	-- as defined in and that are subject to the Apple Public Source License
	8	-- Version 2.0 (the 'License'). You may not use this file except in
	9	-- compliance with the License. Please obtain a copy of the License at
	10	-- http://www.opensource.apple.com/apsl/ and read it before using this
	11	-- file.
	12	--
	13	-- The Original Code and all software distributed under the License are
	14	-- distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	-- EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	-- INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	-- FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	-- Please see the License for the specific language governing rights and
	19	-- limitations under the License.
	20	--
	21	-- @APPLE_LICENSE_HEADER_END@
	22	--
	23	--
	24	-- System Policy master database - file format and initial contents
	25	--
	26	-- This is currently for sqlite3
	27	--
	28	-- NOTES:
	29	-- Dates are uniformly in julian form. We use 5000000 as the canonical "never" expiration
	30	-- value; that's a day in the year 8977.
	31	--
	32	PRAGMA user_version = 1;
	33	PRAGMA foreign_keys = true;
	34	PRAGMA legacy_file_format = false;
	35	PRAGMA recursive_triggers = true;
	36
	37
	38	--
	39	-- The feature table hold configuration features and options
	40	--
	41	CREATE TABLE feature (
	42	id INTEGER PRIMARY KEY, -- canononical
	43	name TEXT NOT NULL UNIQUE, -- name of option
	44	value TEXT NULL, -- value of option, if any
	45	remarks TEXT NULL -- optional remarks string
	46	);
	47
	48
	49	--
	50	-- The primary authority. This table is conceptually scanned
	51	-- in priority order, with the highest-priority matching enabled record
	52	-- determining the outcome.
	53	--
	54	CREATE TABLE authority (
	55	id INTEGER PRIMARY KEY AUTOINCREMENT, -- canonical
	56	version INTEGER NOT NULL DEFAULT (1) -- semantic version of this rule
	57	CHECK (version > 0),
	58	type INTEGER NOT NULL, -- operation type
	59	requirement TEXT NULL -- code requirement
	60	CHECK ((requirement IS NULL) = ((flags & 1) != 0)),
	61	allow INTEGER NOT NULL DEFAULT (1) -- allow (1) or deny (0)
	62	CHECK (allow = 0 OR allow = 1),
	63	disabled INTEGER NOT NULL DEFAULT (0) -- disable count (stacks; enabled if zero)
	64	CHECK (disabled >= 0),
65	expires FLOAT NOT NULL DEFAULT (5000000), -- expiration of rule authority (Julian date)
66	priority REAL NOT NULL DEFAULT (0), -- rule priority (full float)
67	label TEXT NULL, -- text label for authority rule
313fa17b	68	filter_unsigned TEXT NULL, -- prescreen for handling unsigned code
b1ab9ed8 A	69	flags INTEGER NOT NULL DEFAULT (0), -- amalgamated binary flags
	70	-- following fields are for documentation only
	71	ctime FLOAT NOT NULL DEFAULT (JULIANDAY('now')), -- rule creation time (Julian)
	72	mtime FLOAT NOT NULL DEFAULT (JULIANDAY('now')), -- time rule was last changed (Julian)
	73	user TEXT NULL, -- user requesting this rule (NULL if unknown)
	74	remarks TEXT NULL -- optional remarks string
	75	);
	76
	77	-- index
	78	CREATE INDEX authority_type ON authority (type);
	79	CREATE INDEX authority_priority ON authority (priority);
	80	CREATE INDEX authority_expires ON authority (expires);
	81
	82	-- update mtime if a record is changed
	83	CREATE TRIGGER authority_update AFTER UPDATE ON authority
	84	BEGIN
	85	UPDATE authority SET mtime = JULIANDAY('now') WHERE id = old.id;
	86	END;
	87
	88	-- rules that are actively considered
	89	CREATE VIEW active_authority AS
	90	SELECT * from authority
	91	WHERE disabled = 0 AND JULIANDAY('now') < expires AND (flags & 1) = 0;
	92
	93	-- rules subject to priority scan: active_authority but including disabled rules
	94	CREATE VIEW scan_authority AS
	95	SELECT * from authority
	96	WHERE JULIANDAY('now') < expires AND (flags & 1) = 0;
	97
	98
	99	--
	100	-- A table to carry (potentially large-ish) filesystem data stored as a bookmark blob.
	101	--
	102	CREATE TABLE bookmarkhints (
	103	id INTEGER PRIMARY KEY AUTOINCREMENT,
	104	bookmark BLOB NOT NULL,
	105	authority INTEGER NOT NULL
	106	REFERENCES authority(id) ON DELETE CASCADE
	107	);
	108
	109
	110	--
	111	-- Upgradable features already contained in this baseline.
	112	-- See policydatabase.cpp for upgrade code.
	113	--
	114	INSERT INTO feature (name, value, remarks)
313fa17b	115	VALUES ('bookmarkhints', 'present', 'builtin');
b1ab9ed8	116	INSERT INTO feature (name, value, remarks)
313fa17b A	117	VALUES ('codesignedpackages', 'present', 'builtin');
	118	INSERT INTO feature (name, value, remarks)
	119	VALUES ('filter_unsigned', 'present', 'builtin');
641423b6 A	120	INSERT INTO feature (name, value, remarks)
641423b6 A	121	VALUES ('document rules', 'present', 'builtin');
fa7225c8 A	122	INSERT INTO feature (name, value, remarks)
fa7225c8 A	123	VALUES ('root_only', 'present', 'builtin');
b1ab9ed8 A	124
	125
	126	--
	127	-- Initial canonical contents of a fresh database
	128	--
	129
	130	-- virtual rule anchoring negative cache entries (no rule found)
	131	insert into authority (type, allow, priority, flags, label)
	132	values (1, 0, -1.0E100, 1, 'No Matching Rule');
	133
c2a06e24	134	-- any "genuine Apple-signed" installers
b1ab9ed8	135	insert into authority (type, allow, priority, flags, label, requirement)
c2a06e24	136	values (2, 1, -1, 2, 'Apple Installer', 'anchor apple generic and certificate 1[subject.CN] = "Apple Software Update Certification Authority"');
b1ab9ed8 A	137
	138	-- Apple code signing
	139	insert into authority (type, allow, flags, label, requirement)
	140	values (1, 1, 2, 'Apple System', 'anchor apple');
	141
c2a06e24	142	-- Mac App Store code signing
b1ab9ed8 A	143	insert into authority (type, allow, flags, label, requirement)
	144	values (1, 1, 2, 'Mac App Store', 'anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] exists');
	145
c2a06e24 A	146	-- Mac App Store installer signing
	147	insert into authority (type, allow, flags, label, requirement)
	148	values (2, 1, 2, 'Mac App Store', 'anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.10] exists');
	149
b1ab9ed8 A	150	-- Caspian code and archive signing
	151	insert into authority (type, allow, flags, label, requirement)
	152	values (1, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists');
	153	insert into authority (type, allow, flags, label, requirement)
	154	values (2, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])');
	155
641423b6 A	156	-- Document signing
	157	insert into authority (type, allow, flags, label, requirement)
	158	values (3, 1, 2, 'Apple System', 'anchor apple');
	159	insert into authority (type, allow, flags, label, requirement)
	160	values (3, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists');
	161
b1ab9ed8 A	162
	163	--
	164	-- The cache table lists previously determined outcomes
	165	-- for individual objects (by object hash). Entries come from
	166	-- full evaluations of authority records, or by explicitly inserting
	167	-- override rules that preempt the normal authority.
	168	-- EACH object record must have a parent authority record from which it is derived;
	169	-- this may be a normal authority rule or an override rule. If the parent rule is deleted,
	170	-- all objects created from it are automatically removed (by sqlite itself).
	171	--
	172	CREATE TABLE object (
	173	id INTEGER PRIMARY KEY, -- canonical
	174	type INTEGER NOT NULL, -- operation type
	175	hash CDHASH NOT NULL, -- canonical hash of object
	176	allow INTEGER NOT NULL, -- allow (1) or deny (0)
	177	expires FLOAT NOT NULL DEFAULT (5000000), -- expiration of object entry
	178	authority INTEGER NOT NULL -- governing authority rule
	179	REFERENCES authority(id) ON DELETE CASCADE,
	180	-- following fields are for documentation only
	181	path TEXT NULL, -- path of object at record creation time
	182	ctime FLOAT NOT NULL DEFAULT (JULIANDAY('now')), -- record creation time
	183	mtime FLOAT NOT NULL DEFAULT (JULIANDAY('now')), -- record modification time
	184	remarks TEXT NULL -- optional remarks string
	185	);
	186
	187	-- index
	188	CREATE INDEX object_type ON object (type);
	189	CREATE INDEX object_expires ON object (expires);
	190	CREATE UNIQUE INDEX object_hash ON object (hash);
	191
	192	-- update mtime if a record is changed
	193	CREATE TRIGGER object_update AFTER UPDATE ON object
	194	BEGIN
	195	UPDATE object SET mtime = JULIANDAY('now') WHERE id = old.id;
	196	END;
	197
	198
	199	--
	200	-- Some useful views on objects. These are for administration; they are not used by the assessor.
	201	--
	202	CREATE VIEW object_state AS
	203	SELECT object.id, object.type, object.allow,
	204	CASE object.expires WHEN 5000000 THEN NULL ELSE STRFTIME('%Y-%m-%d %H:%M:%f', object.expires, 'localtime') END AS expiration,
	205	(object.expires - JULIANDAY('now')) * 86400 as remaining,
	206	authority.label,
	207	object.authority,
	208	object.path,
	209	object.ctime,
	210	authority.requirement,
	211	authority.disabled,
	212	object.remarks
	213	FROM object, authority
	214	WHERE object.authority = authority.id;