[apple/security.git] / securityd / src / process.h

/*
 * Copyright (c) 2000-2009 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


//
// process - track a single client process and its belongings
//
#ifndef _H_PROCESS
#define _H_PROCESS

#include "structure.h"
#include "session.h"
#include <security_utilities/refcount.h>
#include <security_utilities/ccaudit.h>
#include "clientid.h"
#include "localkey.h"
#include "notifications.h"
#include <string>

using MachPlusPlus::Port;
using MachPlusPlus::TaskPort;

class Session;
class LocalDatabase;
class AuthorizationToken;


//
// A Process object represents a UNIX process (and associated Mach Task) that has
// had contact with us and may have some state associated with it. It primarily tracks
// the process nature of the client. Individual threads in the client are tracked by
// Connection objects.
//
// ClientIdentification tracks the identity of guests in the client *as securityd clients*.
// It is concerned with which guest is asking for securityd services, and whether this
// should be granted.
//
class Process : public PerProcess,
				public ClientIdentification{
public:
	Process(TaskPort tPort, const ClientSetupInfo *info, const CommonCriteria::AuditToken &audit);
	virtual ~Process();
	
	void reset(TaskPort tPort, const ClientSetupInfo *info, const CommonCriteria::AuditToken &audit);
    
    uid_t uid() const			{ return mUid; }
    gid_t gid() const			{ return mGid; }
    pid_t pid() const			{ return mPid; }
    Security::CommonCriteria::AuditToken const &audit_token() const { return mAudit; }
    TaskPort taskPort() const	{ return mTaskPort; }
	bool byteFlipped() const	{ return mByteFlipped; }
	
	using PerProcess::kill;
	void kill();
	
	void changeSession(Session::SessionId sessionId);
    
	Session& session() const;
	void checkSession(const audit_token_t &auditToken);
	
	LocalDatabase &localStore();
	Key *makeTemporaryKey(const CssmKey &key, CSSM_KEYATTR_FLAGS moreAttributes,
		const AclEntryPrototype *owner);

	// aclSequence is taken to serialize ACL validations to pick up mutual changes
	Mutex aclSequence;

    // Dumping is buggy and only hurts debugging. It's dead Jim.
	//IFDUMP(void dumpNode());
	
private:
	void setup(const ClientSetupInfo *info);
	
private:
	// peer state: established during connection startup; fixed thereafter
    TaskPort mTaskPort;					// task port
	bool mByteFlipped;					// client's byte order is reverse of ours
    pid_t mPid;							// process id
    uid_t mUid;							// UNIX uid credential
    gid_t mGid;							// primary UNIX gid credential

    Security::CommonCriteria::AuditToken const mAudit; // audit token

	// canonical local (transient) key store
	RefPointer<LocalDatabase> mLocalStore;
};


//
// Convenience comparison
//
inline bool operator == (const Process &p1, const Process &p2)
{
	return &p1 == &p2;
}


#endif //_H_PROCESS
Commit	Line	Data
d8f41ccd A	1	/*
	2	* Copyright (c) 2000-2009 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	//
	26	// process - track a single client process and its belongings
	27	//
	28	#ifndef _H_PROCESS
	29	#define _H_PROCESS
	30
	31	#include "structure.h"
	32	#include "session.h"
d8f41ccd A	33	#include <security_utilities/refcount.h>
d8f41ccd A	34	#include <security_utilities/ccaudit.h>
d8f41ccd	35	#include "clientid.h"
d8f41ccd A	36	#include "localkey.h"
	37	#include "notifications.h"
	38	#include <string>
	39
	40	using MachPlusPlus::Port;
	41	using MachPlusPlus::TaskPort;
	42
	43	class Session;
	44	class LocalDatabase;
	45	class AuthorizationToken;
	46
	47
	48	//
	49	// A Process object represents a UNIX process (and associated Mach Task) that has
	50	// had contact with us and may have some state associated with it. It primarily tracks
	51	// the process nature of the client. Individual threads in the client are tracked by
	52	// Connection objects.
	53	//
b54c578e A	54	// ClientIdentification tracks the identity of guests in the client as securityd clients.
	55	// It is concerned with which guest is asking for securityd services, and whether this
	56	// should be granted.
d8f41ccd A	57	//
d8f41ccd A	58	class Process : public PerProcess,
b54c578e	59	public ClientIdentification{
d8f41ccd A	60	public:
	61	Process(TaskPort tPort, const ClientSetupInfo *info, const CommonCriteria::AuditToken &audit);
	62	virtual ~Process();
	63
	64	void reset(TaskPort tPort, const ClientSetupInfo *info, const CommonCriteria::AuditToken &audit);
	65
	66	uid_t uid() const { return mUid; }
	67	gid_t gid() const { return mGid; }
	68	pid_t pid() const { return mPid; }
dbe77505	69	Security::CommonCriteria::AuditToken const &audit_token() const { return mAudit; }
d8f41ccd A	70	TaskPort taskPort() const { return mTaskPort; }
	71	bool byteFlipped() const { return mByteFlipped; }
	72
d8f41ccd A	73	using PerProcess::kill;
	74	void kill();
	75
	76	void changeSession(Session::SessionId sessionId);
	77
	78	Session& session() const;
	79	void checkSession(const audit_token_t &auditToken);
	80
	81	LocalDatabase &localStore();
	82	Key *makeTemporaryKey(const CssmKey &key, CSSM_KEYATTR_FLAGS moreAttributes,
	83	const AclEntryPrototype *owner);
	84
	85	// aclSequence is taken to serialize ACL validations to pick up mutual changes
	86	Mutex aclSequence;
79b9da22 A	87
	88	// Dumping is buggy and only hurts debugging. It's dead Jim.
	89	//IFDUMP(void dumpNode());
d8f41ccd A	90
	91	private:
	92	void setup(const ClientSetupInfo *info);
	93
	94	private:
	95	// peer state: established during connection startup; fixed thereafter
	96	TaskPort mTaskPort; // task port
	97	bool mByteFlipped; // client's byte order is reverse of ours
	98	pid_t mPid; // process id
	99	uid_t mUid; // UNIX uid credential
	100	gid_t mGid; // primary UNIX gid credential
b54c578e	101
dbe77505	102	Security::CommonCriteria::AuditToken const mAudit; // audit token
fa7225c8	103
d8f41ccd A	104	// canonical local (transient) key store
	105	RefPointer<LocalDatabase> mLocalStore;
	106	};
	107
	108
	109	//
	110	// Convenience comparison
	111	//
	112	inline bool operator == (const Process &p1, const Process &p2)
	113	{
	114	return &p1 == &p2;
	115	}
	116
	117
	118	#endif //_H_PROCESS