[apple/security.git] / OSX / libsecurity_keychain / lib / SecAccess.cpp

/*
 * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */

#include <SecBase.h>
#include <Security/SecAccess.h>
#include <Security/SecAccessPriv.h>
#include <Security/SecTrustedApplication.h>
#include <Security/SecTrustedApplicationPriv.h>
#include <security_keychain/Access.h>
#include <security_utilities/casts.h>
#include <utilities/SecCFRelease.h>
#include "SecBridge.h"
#include <sys/param.h>

#include <utilities/SecCFWrappers.h>


/* No restrictions. Permission to perform all operations on
   the resource or available to an ACL owner.  */


const CFStringRef kSecACLAuthorizationAny = CFSTR("ACLAuthorizationAny");

const CFStringRef kSecACLAuthorizationLogin = CFSTR("ACLAuthorizationLogin");
const CFStringRef kSecACLAuthorizationGenKey = CFSTR("ACLAuthorizationGenKey");
const CFStringRef kSecACLAuthorizationDelete = CFSTR("ACLAuthorizationDelete");
const CFStringRef kSecACLAuthorizationExportWrapped = CFSTR("ACLAuthorizationExportWrapped");
const CFStringRef kSecACLAuthorizationExportClear = CFSTR("ACLAuthorizationExportClear");
const CFStringRef kSecACLAuthorizationImportWrapped = CFSTR("ACLAuthorizationImportWrapped");
const CFStringRef kSecACLAuthorizationImportClear = CFSTR("ACLAuthorizationImportClear");
const CFStringRef kSecACLAuthorizationSign = CFSTR("ACLAuthorizationSign");
const CFStringRef kSecACLAuthorizationEncrypt = CFSTR("ACLAuthorizationEncrypt");
const CFStringRef kSecACLAuthorizationDecrypt = CFSTR("ACLAuthorizationDecrypt");
const CFStringRef kSecACLAuthorizationMAC = CFSTR("ACLAuthorizationMAC");
const CFStringRef kSecACLAuthorizationDerive = CFSTR("ACLAuthorizationDerive");

/* Defined authorization tag values for Keychain */


const CFStringRef kSecACLAuthorizationKeychainCreate = CFSTR("ACLAuthorizationKeychainCreate");
const CFStringRef kSecACLAuthorizationKeychainDelete = CFSTR("ACLAuthorizationKeychainDelete");
const CFStringRef kSecACLAuthorizationKeychainItemRead = CFSTR("ACLAuthorizationKeychainItemRead");
const CFStringRef kSecACLAuthorizationKeychainItemInsert = CFSTR("ACLAuthorizationKeychainItemInsert");
const CFStringRef kSecACLAuthorizationKeychainItemModify = CFSTR("ACLAuthorizationKeychainItemModify");
const CFStringRef kSecACLAuthorizationKeychainItemDelete = CFSTR("ACLAuthorizationKeychainItemDelete");

const CFStringRef kSecACLAuthorizationChangeACL = CFSTR("ACLAuthorizationChangeACL");
const CFStringRef kSecACLAuthorizationChangeOwner = CFSTR("ACLAuthorizationChangeOwner");
const CFStringRef kSecACLAuthorizationPartitionID = CFSTR("ACLAuthorizationPartitionID");
const CFStringRef kSecACLAuthorizationIntegrity = CFSTR("ACLAuthorizationIntegrity");


static CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName);

static CFStringRef gKeys[] =
{
	kSecACLAuthorizationAny,
	kSecACLAuthorizationLogin,
	kSecACLAuthorizationGenKey,
	kSecACLAuthorizationDelete,
	kSecACLAuthorizationExportWrapped,
	kSecACLAuthorizationExportClear,
	kSecACLAuthorizationImportWrapped,
	kSecACLAuthorizationImportClear,
	kSecACLAuthorizationSign,
	kSecACLAuthorizationEncrypt,
	kSecACLAuthorizationDecrypt,
	kSecACLAuthorizationMAC,
	kSecACLAuthorizationDerive,

	/* Defined authorization tag values for Keychain */
	kSecACLAuthorizationKeychainCreate,
	kSecACLAuthorizationKeychainDelete,
	kSecACLAuthorizationKeychainItemRead,
	kSecACLAuthorizationKeychainItemInsert,
	kSecACLAuthorizationKeychainItemModify,
	kSecACLAuthorizationKeychainItemDelete,

	kSecACLAuthorizationChangeACL,
	kSecACLAuthorizationChangeOwner,
    kSecACLAuthorizationPartitionID,
    kSecACLAuthorizationIntegrity
};

static sint32 gValues[] =
{
	CSSM_ACL_AUTHORIZATION_ANY,
	CSSM_ACL_AUTHORIZATION_LOGIN,
	CSSM_ACL_AUTHORIZATION_GENKEY,
	CSSM_ACL_AUTHORIZATION_DELETE,
	CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED,
	CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR,
	CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED,
	CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR,
	CSSM_ACL_AUTHORIZATION_SIGN,
	CSSM_ACL_AUTHORIZATION_ENCRYPT,
	CSSM_ACL_AUTHORIZATION_DECRYPT,
	CSSM_ACL_AUTHORIZATION_MAC,
	CSSM_ACL_AUTHORIZATION_DERIVE,
	CSSM_ACL_AUTHORIZATION_DBS_CREATE,
	CSSM_ACL_AUTHORIZATION_DBS_DELETE,
	CSSM_ACL_AUTHORIZATION_DB_READ,
	CSSM_ACL_AUTHORIZATION_DB_INSERT,
	CSSM_ACL_AUTHORIZATION_DB_MODIFY,
	CSSM_ACL_AUTHORIZATION_DB_DELETE,
	CSSM_ACL_AUTHORIZATION_CHANGE_ACL,
	CSSM_ACL_AUTHORIZATION_CHANGE_OWNER,
    CSSM_ACL_AUTHORIZATION_PARTITION_ID,
    CSSM_ACL_AUTHORIZATION_INTEGRITY
};

static
CFDictionaryRef CreateStringToNumDictionary()
{
	int numItems = (sizeof(gValues) / sizeof(sint32));
	CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);

	for (int iCnt = 0; iCnt < numItems; iCnt++)
	{
		sint32 aNumber = gValues[iCnt];
		CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);

		CFStringRef aString = gKeys[iCnt];
		CFDictionaryAddValue(tempDict, aString, aNum);
		CFRelease(aNum);
	}

	CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
	CFRelease(tempDict);
	return result;

}

static
CFDictionaryRef CreateNumToStringDictionary()
{
	int numItems = (sizeof(gValues) / sizeof(sint32));

	CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);

	for (int iCnt = 0; iCnt < numItems; iCnt++)
	{
		sint32 aNumber = gValues[iCnt];
		CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);

		CFStringRef aString = gKeys[iCnt];
		CFDictionaryAddValue(tempDict, aNum, aString);
		CFRelease(aNum);

	}

	CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
	CFRelease(tempDict);
	return result;
}


/* TODO: This should be in some header */
sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr);
sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr)
{
	if (NULL == aclStr)
	{
#ifndef NDEBUG
		CFShow(CFSTR("GetACLAuthorizationTagFromString aclStr is NULL"));
#endif
		return 0;
	}

	static CFDictionaryRef gACLMapping = NULL;

	if (NULL == gACLMapping)
	{
		gACLMapping = CreateStringToNumDictionary();
	}

	sint32 result = 0;
	CFNumberRef valueResult = (CFNumberRef)CFDictionaryGetValue(gACLMapping, aclStr);
	if (NULL != valueResult)
	{
		if (!CFNumberGetValue(valueResult, kCFNumberSInt32Type, &result))
		{
			return 0;
		}

	}
	else
	{
		return 0;
	}

	return result;

}

/* TODO: This should be in some header */
CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag);
CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag)
{
	static CFDictionaryRef gTagMapping = NULL;
	CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tag);

	if (NULL == gTagMapping)
	{
		gTagMapping = CreateNumToStringDictionary();
	}

	CFStringRef result = (CFStringRef)kSecACLAuthorizationAny;

	if (NULL != gTagMapping && CFDictionaryContainsKey(gTagMapping, aNum))
	{
		result = (CFStringRef)CFDictionaryGetValue(gTagMapping, aNum);
	}
    CFReleaseSafe(aNum);
	return result;
}

//
// CF boilerplate
//
CFTypeID SecAccessGetTypeID(void)
{
	BEGIN_SECAPI
	return gTypes().Access.typeID;
	END_SECAPI1(_kCFRuntimeNotATypeID)
}


//
// API bridge calls
//
/*!
 *	Create a new SecAccessRef that is set to the default configuration
 *	of a (newly created) security object.
 */
OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef trustedList, SecAccessRef *accessRef)
{
	BEGIN_SECAPI
	Required(descriptor);
	SecPointer<Access> access;
	if (trustedList) {
		CFIndex length = CFArrayGetCount(trustedList);
		ACL::ApplicationList trusted;
		for (CFIndex n = 0; n < length; n++)
			trusted.push_back(TrustedApplication::required(
				SecTrustedApplicationRef(CFArrayGetValueAtIndex(trustedList, n))));
		access = new Access(cfString(descriptor), trusted);
	} else {
		access = new Access(cfString(descriptor));
	}
	Required(accessRef) = access->handle();
	END_SECAPI
}


/*!
 */
OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner,
	uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls,
	SecAccessRef *accessRef)
{
	BEGIN_SECAPI
	Required(accessRef);	// preflight
	SecPointer<Access> access = new Access(Required(owner), aclCount, &Required(acls));
	*accessRef = access->handle();
	END_SECAPI
}

SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef acls, CFErrorRef *error)
{
	SecAccessRef result = NULL;

	CSSM_ACL_PROCESS_SUBJECT_SELECTOR selector =
	{
		CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION,	// selector version
		int_cast<UInt32, uint16>(ownerType),
		userId,
		groupId
	};

	CSSM_LIST_ELEMENT subject2 = { NULL, 0 };
	subject2.Element.Word.Data = (UInt8 *)&selector;
	subject2.Element.Word.Length = sizeof(selector);
	CSSM_LIST_ELEMENT subject1 =
	{
		&subject2, CSSM_ACL_SUBJECT_TYPE_PROCESS, CSSM_LIST_ELEMENT_WORDID
	};

	CFIndex numAcls = 0;

	if (NULL != acls)
	{
		numAcls = CFArrayGetCount(acls);
	}

#ifndef NDEBUG
	CFStringRef debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
		CFSTR("SecAccessCreateWithOwnerAndACL: processing %d acls"), (int)numAcls);
	CFShow(debugStr);
	CFRelease(debugStr);
#endif

    CFIndex rightsSize = numAcls > 0 ? numAcls : 1;

	CSSM_ACL_AUTHORIZATION_TAG rights[rightsSize];
	memset(rights, 0, sizeof(rights));

	for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
	{
		CFStringRef aclStr = (CFStringRef)CFArrayGetValueAtIndex(acls, iCnt);

#ifndef NDEBUG
		debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
			CFSTR("SecAccessCreateWithOwnerAndACL: acls[%d] = %@"), (int)iCnt, aclStr);

		CFShow(debugStr);
		CFRelease(debugStr);
#endif

		CSSM_ACL_AUTHORIZATION_TAG aTag = GetACLAuthorizationTagFromString(aclStr);

#ifndef NDEBUG
		debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
			CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, aTag);

		CFShow(debugStr);
		CFRelease(debugStr);
#endif

		rights[iCnt] = aTag;
	}


	for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
	{
#ifndef NDEBUG
		debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
			CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d]  = %d"), (int)iCnt, rights[iCnt]);

		CFShow(debugStr);
		CFRelease(debugStr);
#endif


	}

	CSSM_ACL_OWNER_PROTOTYPE owner =
	{
		// TypedSubject
		{ CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
		// Delegate
		false
	};


	// ACL entries (any number, just one here)
	CSSM_ACL_ENTRY_INFO acl_rights[] =
	{
		{
			// prototype
			{
				// TypedSubject
				{ CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
				false,	// Delegate
				// rights for this entry
				{ (uint32)numAcls, rights },
				// rest is defaulted
			}
		}
	};

	OSStatus err = SecAccessCreateFromOwnerAndACL(&owner,
		sizeof(acl_rights) / sizeof(acl_rights[0]), acl_rights, &result);

	if (errSecSuccess != err)
	{
		result = NULL;
		if (NULL != error)
		{
			*error  = CFErrorCreate(kCFAllocatorDefault, CFSTR("FIX ME"), err, NULL);
   		}
	}
	return result;
}


/*!
 */
OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef,
	CSSM_ACL_OWNER_PROTOTYPE_PTR *owner,
	uint32 *aclCount, CSSM_ACL_ENTRY_INFO_PTR *acls)
{
	BEGIN_SECAPI
	Access::required(accessRef)->copyOwnerAndAcl(
		Required(owner), Required(aclCount), Required(acls));
	END_SECAPI
}

OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t* userId, gid_t* groupId, SecAccessOwnerType* ownerType, CFArrayRef* aclList)
{
	CSSM_ACL_OWNER_PROTOTYPE_PTR owner = NULL;
	CSSM_ACL_ENTRY_INFO_PTR acls = NULL;
	uint32 aclCount = 0;
	OSStatus result = SecAccessGetOwnerAndACL(accessRef, &owner, &aclCount, &acls);
	if (errSecSuccess != result )
	{
		return result;
	}

	if (NULL != owner)
	{
		CSSM_LIST_ELEMENT_PTR listHead = owner->TypedSubject.Head;
		if (listHead != NULL && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
		{
			CSSM_LIST_ELEMENT_PTR nextElement = listHead->NextElement;
			if (listHead->WordID == CSSM_ACL_SUBJECT_TYPE_PROCESS && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
			{
				// nextElement contains the required data
				CSSM_ACL_PROCESS_SUBJECT_SELECTOR* selectorPtr = (CSSM_ACL_PROCESS_SUBJECT_SELECTOR*)nextElement->Element.Word.Data;
				if (NULL != selectorPtr)
				{
					if (NULL != userId)
					{
						*userId = (uid_t)selectorPtr->uid;
					}

					if (NULL != groupId)
					{
						*groupId = (gid_t)selectorPtr->gid;
					}

					if (NULL != ownerType)
					{
						*ownerType = (SecAccessOwnerType)selectorPtr->mask;
					}
				}
			}

		}

	}

	if (NULL != aclList)
	{
#ifndef NDEBUG
		CFShow(CFSTR("SecAccessCopyOwnerAndACL: processing the ACL list"));
#endif

		CFMutableArrayRef stringArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
		CSSM_ACL_OWNER_PROTOTYPE_PTR protoPtr = NULL;
		uint32 numAcls = 0L;
		CSSM_ACL_ENTRY_INFO_PTR aclEntry = NULL;

		result = SecAccessGetOwnerAndACL(accessRef, &protoPtr, &numAcls, &aclEntry);
		if (errSecSuccess == result)
		{
#ifndef NDEBUG
			CFStringRef tempStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("SecAccessCopyOwnerAndACL: numAcls = %d"), numAcls);
			CFShow(tempStr);
			CFRelease(tempStr);
#endif

			for (uint32 iCnt = 0; iCnt < numAcls; iCnt++)
			{
				CSSM_ACL_ENTRY_PROTOTYPE prototype = aclEntry[iCnt].EntryPublicInfo;
				CSSM_AUTHORIZATIONGROUP authGroup = prototype.Authorization;
				int numAuthTags = (int)authGroup.NumberOfAuthTags;

				for (int jCnt = 0; jCnt < numAuthTags; jCnt++)
				{

					sint32 aTag = authGroup.AuthTags[jCnt];
					CFStringRef aString = GetAuthStringFromACLAuthorizationTag(aTag);

					CFArrayAppendValue(stringArray, aString);
				}
			}
		}

		if (NULL != stringArray)
		{
			if (0 < CFArrayGetCount(stringArray))
			{
				*aclList = CFArrayCreateCopy(kCFAllocatorDefault, stringArray);
			}
			CFRelease(stringArray);
		}
	}

	return result;
}

/*!
 */
OSStatus SecAccessCopyACLList(SecAccessRef accessRef,
	CFArrayRef *aclList)
{
	BEGIN_SECAPI
	Required(aclList) = Access::required(accessRef)->copySecACLs();
	END_SECAPI
}


/*!
 */
OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef,
	CSSM_ACL_AUTHORIZATION_TAG action,
	CFArrayRef *aclList)
{
	BEGIN_SECAPI
	Required(aclList) = Access::required(accessRef)->copySecACLs(action);
	END_SECAPI
}

CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag)
{
	CFArrayRef result = NULL;
	CSSM_ACL_AUTHORIZATION_TAG tag = GetACLAuthorizationTagFromString((CFStringRef)authorizationTag);
	OSStatus err = SecAccessCopySelectedACLList(accessRef, tag, &result);
	if (errSecSuccess != err)
	{
		result = NULL;
	}
	return result;
}

CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName)
{
	CFStringRef errorString = nil;
    CFURLRef bundleURL,trustedAppsURL = NULL;
    CFBundleRef secBundle = NULL;
	CFPropertyListRef trustedAppsPlist = NULL;
	CFDataRef xmlDataRef = NULL;
	SInt32 errorCode;
    CFArrayRef trustedAppList = NULL;
	CFMutableStringRef trustedAppListFileNameWithoutExtension = NULL;
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
427c49bc	3	*
b1ab9ed8	4	* @APPLE_LICENSE_HEADER_START@
d8f41ccd	5	*
b1ab9ed8 A	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
d8f41ccd	12	*
b1ab9ed8 A	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
d8f41ccd	20	*
b1ab9ed8 A	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
427c49bc	24	#include <SecBase.h>
b1ab9ed8 A	25	#include <Security/SecAccess.h>
b1ab9ed8 A	26	#include <Security/SecAccessPriv.h>
427c49bc A	27	#include <Security/SecTrustedApplication.h>
427c49bc A	28	#include <Security/SecTrustedApplicationPriv.h>
b1ab9ed8	29	#include <security_keychain/Access.h>
6b200bc3 A	30	#include <security_utilities/casts.h>
6b200bc3 A	31	#include <utilities/SecCFRelease.h>
b1ab9ed8 A	32	#include "SecBridge.h"
	33	#include <sys/param.h>
	34
427c49bc A	35	#include <utilities/SecCFWrappers.h>
	36
	37
b1ab9ed8 A	38	/* No restrictions. Permission to perform all operations on
	39	the resource or available to an ACL owner. */
	40
	41
5c19dc3a A	42	const CFStringRef kSecACLAuthorizationAny = CFSTR("ACLAuthorizationAny");
	43
	44	const CFStringRef kSecACLAuthorizationLogin = CFSTR("ACLAuthorizationLogin");
	45	const CFStringRef kSecACLAuthorizationGenKey = CFSTR("ACLAuthorizationGenKey");
	46	const CFStringRef kSecACLAuthorizationDelete = CFSTR("ACLAuthorizationDelete");
	47	const CFStringRef kSecACLAuthorizationExportWrapped = CFSTR("ACLAuthorizationExportWrapped");
	48	const CFStringRef kSecACLAuthorizationExportClear = CFSTR("ACLAuthorizationExportClear");
	49	const CFStringRef kSecACLAuthorizationImportWrapped = CFSTR("ACLAuthorizationImportWrapped");
	50	const CFStringRef kSecACLAuthorizationImportClear = CFSTR("ACLAuthorizationImportClear");
	51	const CFStringRef kSecACLAuthorizationSign = CFSTR("ACLAuthorizationSign");
	52	const CFStringRef kSecACLAuthorizationEncrypt = CFSTR("ACLAuthorizationEncrypt");
	53	const CFStringRef kSecACLAuthorizationDecrypt = CFSTR("ACLAuthorizationDecrypt");
	54	const CFStringRef kSecACLAuthorizationMAC = CFSTR("ACLAuthorizationMAC");
	55	const CFStringRef kSecACLAuthorizationDerive = CFSTR("ACLAuthorizationDerive");
b1ab9ed8 A	56
	57	/* Defined authorization tag values for Keychain */
	58
	59
427c49bc	60
5c19dc3a A	61	const CFStringRef kSecACLAuthorizationKeychainCreate = CFSTR("ACLAuthorizationKeychainCreate");
	62	const CFStringRef kSecACLAuthorizationKeychainDelete = CFSTR("ACLAuthorizationKeychainDelete");
	63	const CFStringRef kSecACLAuthorizationKeychainItemRead = CFSTR("ACLAuthorizationKeychainItemRead");
	64	const CFStringRef kSecACLAuthorizationKeychainItemInsert = CFSTR("ACLAuthorizationKeychainItemInsert");
	65	const CFStringRef kSecACLAuthorizationKeychainItemModify = CFSTR("ACLAuthorizationKeychainItemModify");
	66	const CFStringRef kSecACLAuthorizationKeychainItemDelete = CFSTR("ACLAuthorizationKeychainItemDelete");
b1ab9ed8	67
5c19dc3a A	68	const CFStringRef kSecACLAuthorizationChangeACL = CFSTR("ACLAuthorizationChangeACL");
5c19dc3a A	69	const CFStringRef kSecACLAuthorizationChangeOwner = CFSTR("ACLAuthorizationChangeOwner");
e3d460c9 A	70	const CFStringRef kSecACLAuthorizationPartitionID = CFSTR("ACLAuthorizationPartitionID");
e3d460c9 A	71	const CFStringRef kSecACLAuthorizationIntegrity = CFSTR("ACLAuthorizationIntegrity");
b1ab9ed8 A	72
	73
	74	static CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName);
	75
427c49bc	76	static CFStringRef gKeys[] =
b1ab9ed8	77	{
5c19dc3a A	78	kSecACLAuthorizationAny,
	79	kSecACLAuthorizationLogin,
	80	kSecACLAuthorizationGenKey,
	81	kSecACLAuthorizationDelete,
	82	kSecACLAuthorizationExportWrapped,
	83	kSecACLAuthorizationExportClear,
	84	kSecACLAuthorizationImportWrapped,
	85	kSecACLAuthorizationImportClear,
	86	kSecACLAuthorizationSign,
	87	kSecACLAuthorizationEncrypt,
	88	kSecACLAuthorizationDecrypt,
	89	kSecACLAuthorizationMAC,
	90	kSecACLAuthorizationDerive,
b1ab9ed8 A	91
b1ab9ed8 A	92	/* Defined authorization tag values for Keychain */
5c19dc3a A	93	kSecACLAuthorizationKeychainCreate,
	94	kSecACLAuthorizationKeychainDelete,
	95	kSecACLAuthorizationKeychainItemRead,
	96	kSecACLAuthorizationKeychainItemInsert,
	97	kSecACLAuthorizationKeychainItemModify,
	98	kSecACLAuthorizationKeychainItemDelete,
	99
	100	kSecACLAuthorizationChangeACL,
e3d460c9 A	101	kSecACLAuthorizationChangeOwner,
	102	kSecACLAuthorizationPartitionID,
	103	kSecACLAuthorizationIntegrity
b1ab9ed8 A	104	};
	105
	106	static sint32 gValues[] =
	107	{
	108	CSSM_ACL_AUTHORIZATION_ANY,
	109	CSSM_ACL_AUTHORIZATION_LOGIN,
	110	CSSM_ACL_AUTHORIZATION_GENKEY,
	111	CSSM_ACL_AUTHORIZATION_DELETE,
	112	CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED,
	113	CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR,
	114	CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED,
	115	CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR,
	116	CSSM_ACL_AUTHORIZATION_SIGN,
	117	CSSM_ACL_AUTHORIZATION_ENCRYPT,
	118	CSSM_ACL_AUTHORIZATION_DECRYPT,
	119	CSSM_ACL_AUTHORIZATION_MAC,
	120	CSSM_ACL_AUTHORIZATION_DERIVE,
	121	CSSM_ACL_AUTHORIZATION_DBS_CREATE,
	122	CSSM_ACL_AUTHORIZATION_DBS_DELETE,
	123	CSSM_ACL_AUTHORIZATION_DB_READ,
	124	CSSM_ACL_AUTHORIZATION_DB_INSERT,
	125	CSSM_ACL_AUTHORIZATION_DB_MODIFY,
	126	CSSM_ACL_AUTHORIZATION_DB_DELETE,
	127	CSSM_ACL_AUTHORIZATION_CHANGE_ACL,
e3d460c9 A	128	CSSM_ACL_AUTHORIZATION_CHANGE_OWNER,
	129	CSSM_ACL_AUTHORIZATION_PARTITION_ID,
	130	CSSM_ACL_AUTHORIZATION_INTEGRITY
b1ab9ed8 A	131	};
b1ab9ed8 A	132
427c49bc	133	static
b1ab9ed8 A	134	CFDictionaryRef CreateStringToNumDictionary()
	135	{
	136	int numItems = (sizeof(gValues) / sizeof(sint32));
427c49bc A	137	CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
427c49bc A	138
b1ab9ed8 A	139	for (int iCnt = 0; iCnt < numItems; iCnt++)
	140	{
	141	sint32 aNumber = gValues[iCnt];
	142	CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);
427c49bc	143
b1ab9ed8 A	144	CFStringRef aString = gKeys[iCnt];
b1ab9ed8 A	145	CFDictionaryAddValue(tempDict, aString, aNum);
427c49bc	146	CFRelease(aNum);
b1ab9ed8	147	}
427c49bc	148
b1ab9ed8 A	149	CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
	150	CFRelease(tempDict);
	151	return result;
427c49bc	152
b1ab9ed8 A	153	}
b1ab9ed8 A	154
427c49bc	155	static
b1ab9ed8 A	156	CFDictionaryRef CreateNumToStringDictionary()
	157	{
	158	int numItems = (sizeof(gValues) / sizeof(sint32));
427c49bc A	159
	160	CFMutableDictionaryRef tempDict = CFDictionaryCreateMutable(kCFAllocatorDefault, numItems, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
	161
b1ab9ed8 A	162	for (int iCnt = 0; iCnt < numItems; iCnt++)
	163	{
	164	sint32 aNumber = gValues[iCnt];
427c49bc A	165	CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &aNumber);
427c49bc A	166
b1ab9ed8 A	167	CFStringRef aString = gKeys[iCnt];
	168	CFDictionaryAddValue(tempDict, aNum, aString);
	169	CFRelease(aNum);
427c49bc	170
b1ab9ed8	171	}
427c49bc	172
b1ab9ed8 A	173	CFDictionaryRef result = CFDictionaryCreateCopy(kCFAllocatorDefault, tempDict);
	174	CFRelease(tempDict);
	175	return result;
	176	}
	177
	178
427c49bc A	179	/* TODO: This should be in some header */
427c49bc A	180	sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr);
b1ab9ed8 A	181	sint32 GetACLAuthorizationTagFromString(CFStringRef aclStr)
	182	{
	183	if (NULL == aclStr)
	184	{
	185	#ifndef NDEBUG
	186	CFShow(CFSTR("GetACLAuthorizationTagFromString aclStr is NULL"));
	187	#endif
	188	return 0;
	189	}
427c49bc	190
b1ab9ed8	191	static CFDictionaryRef gACLMapping = NULL;
427c49bc	192
b1ab9ed8 A	193	if (NULL == gACLMapping)
	194	{
	195	gACLMapping = CreateStringToNumDictionary();
	196	}
427c49bc	197
b1ab9ed8 A	198	sint32 result = 0;
	199	CFNumberRef valueResult = (CFNumberRef)CFDictionaryGetValue(gACLMapping, aclStr);
	200	if (NULL != valueResult)
	201	{
	202	if (!CFNumberGetValue(valueResult, kCFNumberSInt32Type, &result))
	203	{
	204	return 0;
	205	}
427c49bc	206
b1ab9ed8 A	207	}
	208	else
	209	{
	210	return 0;
	211	}
427c49bc	212
b1ab9ed8	213	return result;
427c49bc	214
b1ab9ed8 A	215	}
b1ab9ed8 A	216
427c49bc A	217	/* TODO: This should be in some header */
427c49bc A	218	CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag);
b1ab9ed8 A	219	CFStringRef GetAuthStringFromACLAuthorizationTag(sint32 tag)
	220	{
	221	static CFDictionaryRef gTagMapping = NULL;
	222	CFNumberRef aNum = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &tag);
427c49bc	223
b1ab9ed8 A	224	if (NULL == gTagMapping)
	225	{
	226	gTagMapping = CreateNumToStringDictionary();
	227	}
427c49bc	228
b1ab9ed8	229	CFStringRef result = (CFStringRef)kSecACLAuthorizationAny;
427c49bc	230
b1ab9ed8 A	231	if (NULL != gTagMapping && CFDictionaryContainsKey(gTagMapping, aNum))
	232	{
	233	result = (CFStringRef)CFDictionaryGetValue(gTagMapping, aNum);
	234	}
6b200bc3	235	CFReleaseSafe(aNum);
b1ab9ed8 A	236	return result;
	237	}
	238
	239	//
	240	// CF boilerplate
	241	//
	242	CFTypeID SecAccessGetTypeID(void)
	243	{
	244	BEGIN_SECAPI
	245	return gTypes().Access.typeID;
	246	END_SECAPI1(_kCFRuntimeNotATypeID)
	247	}
	248
	249
	250	//
	251	// API bridge calls
	252	//
	253	/*!
	254	* Create a new SecAccessRef that is set to the default configuration
	255	* of a (newly created) security object.
	256	*/
	257	OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef trustedList, SecAccessRef *accessRef)
	258	{
	259	BEGIN_SECAPI
	260	Required(descriptor);
	261	SecPointer<Access> access;
	262	if (trustedList) {
	263	CFIndex length = CFArrayGetCount(trustedList);
	264	ACL::ApplicationList trusted;
	265	for (CFIndex n = 0; n < length; n++)
	266	trusted.push_back(TrustedApplication::required(
	267	SecTrustedApplicationRef(CFArrayGetValueAtIndex(trustedList, n))));
	268	access = new Access(cfString(descriptor), trusted);
	269	} else {
	270	access = new Access(cfString(descriptor));
	271	}
	272	Required(accessRef) = access->handle();
	273	END_SECAPI
	274	}
	275
	276
	277	/*!
	278	*/
	279	OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner,
	280	uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls,
	281	SecAccessRef *accessRef)
	282	{
	283	BEGIN_SECAPI
	284	Required(accessRef); // preflight
	285	SecPointer<Access> access = new Access(Required(owner), aclCount, &Required(acls));
	286	*accessRef = access->handle();
	287	END_SECAPI
	288	}
	289
	290	SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef acls, CFErrorRef *error)
	291	{
	292	SecAccessRef result = NULL;
427c49bc A	293
427c49bc A	294	CSSM_ACL_PROCESS_SUBJECT_SELECTOR selector =
b1ab9ed8 A	295	{
b1ab9ed8 A	296	CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION, // selector version
6b200bc3	297	int_cast<UInt32, uint16>(ownerType),
427c49bc A	298	userId,
427c49bc A	299	groupId
b1ab9ed8	300	};
427c49bc	301
b1ab9ed8 A	302	CSSM_LIST_ELEMENT subject2 = { NULL, 0 };
	303	subject2.Element.Word.Data = (UInt8 *)&selector;
	304	subject2.Element.Word.Length = sizeof(selector);
427c49bc	305	CSSM_LIST_ELEMENT subject1 =
b1ab9ed8 A	306	{
	307	&subject2, CSSM_ACL_SUBJECT_TYPE_PROCESS, CSSM_LIST_ELEMENT_WORDID
	308	};
427c49bc	309
b1ab9ed8	310	CFIndex numAcls = 0;
427c49bc	311
b1ab9ed8 A	312	if (NULL != acls)
	313	{
	314	numAcls = CFArrayGetCount(acls);
427c49bc A	315	}
427c49bc A	316
b1ab9ed8	317	#ifndef NDEBUG
427c49bc A	318	CFStringRef debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
427c49bc A	319	CFSTR("SecAccessCreateWithOwnerAndACL: processing %d acls"), (int)numAcls);
b1ab9ed8 A	320	CFShow(debugStr);
	321	CFRelease(debugStr);
	322	#endif
427c49bc	323
866f8763 A	324	CFIndex rightsSize = numAcls > 0 ? numAcls : 1;
	325
	326	CSSM_ACL_AUTHORIZATION_TAG rights[rightsSize];
b1ab9ed8	327	memset(rights, 0, sizeof(rights));
427c49bc	328
b1ab9ed8 A	329	for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
	330	{
	331	CFStringRef aclStr = (CFStringRef)CFArrayGetValueAtIndex(acls, iCnt);
427c49bc	332
b1ab9ed8	333	#ifndef NDEBUG
427c49bc A	334	debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
	335	CFSTR("SecAccessCreateWithOwnerAndACL: acls[%d] = %@"), (int)iCnt, aclStr);
	336
b1ab9ed8 A	337	CFShow(debugStr);
	338	CFRelease(debugStr);
	339	#endif
427c49bc	340
b1ab9ed8	341	CSSM_ACL_AUTHORIZATION_TAG aTag = GetACLAuthorizationTagFromString(aclStr);
427c49bc	342
b1ab9ed8	343	#ifndef NDEBUG
427c49bc A	344	debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
	345	CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, aTag);
	346
b1ab9ed8 A	347	CFShow(debugStr);
	348	CFRelease(debugStr);
	349	#endif
427c49bc	350
b1ab9ed8 A	351	rights[iCnt] = aTag;
b1ab9ed8 A	352	}
427c49bc A	353
427c49bc A	354
b1ab9ed8 A	355	for (CFIndex iCnt = 0; iCnt < numAcls; iCnt++)
	356	{
	357	#ifndef NDEBUG
427c49bc A	358	debugStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL,
	359	CFSTR("SecAccessCreateWithOwnerAndACL: rights[%d] = %d"), (int)iCnt, rights[iCnt]);
	360
b1ab9ed8 A	361	CFShow(debugStr);
	362	CFRelease(debugStr);
	363	#endif
427c49bc	364
b1ab9ed8 A	365
b1ab9ed8 A	366	}
427c49bc A	367
427c49bc A	368	CSSM_ACL_OWNER_PROTOTYPE owner =
b1ab9ed8 A	369	{
	370	// TypedSubject
	371	{ CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
	372	// Delegate
	373	false
	374	};
427c49bc A	375
427c49bc A	376
b1ab9ed8	377	// ACL entries (any number, just one here)
427c49bc	378	CSSM_ACL_ENTRY_INFO acl_rights[] =
b1ab9ed8 A	379	{
	380	{
	381	// prototype
	382	{
	383	// TypedSubject
	384	{ CSSM_LIST_TYPE_UNKNOWN, &subject1, &subject2 },
	385	false, // Delegate
	386	// rights for this entry
866f8763	387	{ (uint32)numAcls, rights },
b1ab9ed8 A	388	// rest is defaulted
	389	}
	390	}
	391	};
427c49bc A	392
427c49bc A	393	OSStatus err = SecAccessCreateFromOwnerAndACL(&owner,
b1ab9ed8	394	sizeof(acl_rights) / sizeof(acl_rights[0]), acl_rights, &result);
427c49bc A	395
427c49bc A	396	if (errSecSuccess != err)
b1ab9ed8 A	397	{
	398	result = NULL;
	399	if (NULL != error)
	400	{
	401	*error = CFErrorCreate(kCFAllocatorDefault, CFSTR("FIX ME"), err, NULL);
	402	}
	403	}
427c49bc	404	return result;
b1ab9ed8 A	405	}
	406
	407
	408	/*!
	409	*/
	410	OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef,
	411	CSSM_ACL_OWNER_PROTOTYPE_PTR *owner,
	412	uint32 aclCount, CSSM_ACL_ENTRY_INFO_PTR acls)
	413	{
	414	BEGIN_SECAPI
	415	Access::required(accessRef)->copyOwnerAndAcl(
	416	Required(owner), Required(aclCount), Required(acls));
	417	END_SECAPI
	418	}
	419
	420	OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t* userId, gid_t* groupId, SecAccessOwnerType* ownerType, CFArrayRef* aclList)
	421	{
	422	CSSM_ACL_OWNER_PROTOTYPE_PTR owner = NULL;
	423	CSSM_ACL_ENTRY_INFO_PTR acls = NULL;
	424	uint32 aclCount = 0;
	425	OSStatus result = SecAccessGetOwnerAndACL(accessRef, &owner, &aclCount, &acls);
427c49bc	426	if (errSecSuccess != result )
b1ab9ed8 A	427	{
	428	return result;
	429	}
427c49bc	430
b1ab9ed8 A	431	if (NULL != owner)
	432	{
	433	CSSM_LIST_ELEMENT_PTR listHead = owner->TypedSubject.Head;
	434	if (listHead != NULL && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
	435	{
	436	CSSM_LIST_ELEMENT_PTR nextElement = listHead->NextElement;
	437	if (listHead->WordID == CSSM_ACL_SUBJECT_TYPE_PROCESS && listHead->ElementType == CSSM_LIST_ELEMENT_WORDID)
	438	{
	439	// nextElement contains the required data
	440	CSSM_ACL_PROCESS_SUBJECT_SELECTOR* selectorPtr = (CSSM_ACL_PROCESS_SUBJECT_SELECTOR*)nextElement->Element.Word.Data;
	441	if (NULL != selectorPtr)
	442	{
	443	if (NULL != userId)
	444	{
	445	*userId = (uid_t)selectorPtr->uid;
	446	}
427c49bc	447
b1ab9ed8 A	448	if (NULL != groupId)
	449	{
	450	*groupId = (gid_t)selectorPtr->gid;
	451	}
427c49bc	452
b1ab9ed8 A	453	if (NULL != ownerType)
	454	{
	455	*ownerType = (SecAccessOwnerType)selectorPtr->mask;
	456	}
	457	}
	458	}
427c49bc	459
b1ab9ed8	460	}
427c49bc	461
b1ab9ed8	462	}
427c49bc	463
b1ab9ed8 A	464	if (NULL != aclList)
	465	{
	466	#ifndef NDEBUG
	467	CFShow(CFSTR("SecAccessCopyOwnerAndACL: processing the ACL list"));
	468	#endif
	469
	470	CFMutableArrayRef stringArray = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
	471	CSSM_ACL_OWNER_PROTOTYPE_PTR protoPtr = NULL;
	472	uint32 numAcls = 0L;
	473	CSSM_ACL_ENTRY_INFO_PTR aclEntry = NULL;
427c49bc	474
b1ab9ed8	475	result = SecAccessGetOwnerAndACL(accessRef, &protoPtr, &numAcls, &aclEntry);
427c49bc	476	if (errSecSuccess == result)
b1ab9ed8 A	477	{
	478	#ifndef NDEBUG
	479	CFStringRef tempStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("SecAccessCopyOwnerAndACL: numAcls = %d"), numAcls);
	480	CFShow(tempStr);
	481	CFRelease(tempStr);
	482	#endif
	483
	484	for (uint32 iCnt = 0; iCnt < numAcls; iCnt++)
	485	{
	486	CSSM_ACL_ENTRY_PROTOTYPE prototype = aclEntry[iCnt].EntryPublicInfo;
	487	CSSM_AUTHORIZATIONGROUP authGroup = prototype.Authorization;
	488	int numAuthTags = (int)authGroup.NumberOfAuthTags;
427c49bc	489
b1ab9ed8 A	490	for (int jCnt = 0; jCnt < numAuthTags; jCnt++)
b1ab9ed8 A	491	{
427c49bc	492
b1ab9ed8 A	493	sint32 aTag = authGroup.AuthTags[jCnt];
b1ab9ed8 A	494	CFStringRef aString = GetAuthStringFromACLAuthorizationTag(aTag);
427c49bc	495
b1ab9ed8 A	496	CFArrayAppendValue(stringArray, aString);
	497	}
	498	}
	499	}
427c49bc	500
b1ab9ed8 A	501	if (NULL != stringArray)
	502	{
	503	if (0 < CFArrayGetCount(stringArray))
	504	{
	505	*aclList = CFArrayCreateCopy(kCFAllocatorDefault, stringArray);
	506	}
	507	CFRelease(stringArray);
	508	}
	509	}
427c49bc A	510
427c49bc A	511	return result;
b1ab9ed8 A	512	}
	513
	514	/*!
	515	*/
	516	OSStatus SecAccessCopyACLList(SecAccessRef accessRef,
	517	CFArrayRef *aclList)
	518	{
	519	BEGIN_SECAPI
	520	Required(aclList) = Access::required(accessRef)->copySecACLs();
	521	END_SECAPI
	522	}
	523
	524
	525	/*!
	526	*/
	527	OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef,
	528	CSSM_ACL_AUTHORIZATION_TAG action,
	529	CFArrayRef *aclList)
	530	{
	531	BEGIN_SECAPI
	532	Required(aclList) = Access::required(accessRef)->copySecACLs(action);
	533	END_SECAPI
	534	}
	535
	536	CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag)
	537	{
	538	CFArrayRef result = NULL;
	539	CSSM_ACL_AUTHORIZATION_TAG tag = GetACLAuthorizationTagFromString((CFStringRef)authorizationTag);
	540	OSStatus err = SecAccessCopySelectedACLList(accessRef, tag, &result);
427c49bc	541	if (errSecSuccess != err)
b1ab9ed8 A	542	{
	543	result = NULL;
	544	}
	545	return result;
	546	}
	547
	548	CFArrayRef copyTrustedAppListFromBundle(CFStringRef bundlePath, CFStringRef trustedAppListFileName)
	549	{
	550	CFStringRef errorString = nil;
	551	CFURLRef bundleURL,trustedAppsURL = NULL;
	552	CFBundleRef secBundle = NULL;
	553	CFPropertyListRef trustedAppsPlist = NULL;
	554	CFDataRef xmlDataRef = NULL;
	555	SInt32 errorCode;
	556	CFArrayRef trustedAppList = NULL;
	557	CFMutableStringRef trustedAppListFileNameWithoutExtension = NULL;
	558
	559