[apple/security.git] / OSX / libsecurity_codesigning / lib / policyengine.h

/*
 * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */
#ifndef _H_POLICYENGINE
#define _H_POLICYENGINE

#include "SecAssessment.h"
#include "opaquewhitelist.h"
#include "evaluationmanager.h"
#include "policydb.h"
#include <security_utilities/globalizer.h>
#include <security_utilities/cfutilities.h>
#include <security_utilities/hashing.h>
#include <security_utilities/sqlite++.h>
#include <CoreFoundation/CoreFoundation.h>
#include <Security/CodeSigning.h>

namespace Security {
namespace CodeSigning {


typedef uint EngineOperation;
enum {
	opInvalid = 0,
	opEvaluate,
	opAddAuthority,
	opRemoveAuthority,
};


class PolicyEngine : public PolicyDatabase {
public:
	PolicyEngine();
	virtual ~PolicyEngine();

public:
	void evaluate(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result);

	CFDictionaryRef update(CFTypeRef target, SecAssessmentFlags flags, CFDictionaryRef context);
	CFDictionaryRef add(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context);
	CFDictionaryRef remove(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context);
	CFDictionaryRef enable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize);
	CFDictionaryRef disable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize);
	CFDictionaryRef find(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context);

	void recordFailure(CFDictionaryRef info);

public:
	static void addAuthority(SecAssessmentFlags flags, CFMutableDictionaryRef parent, const char *label, SQLite::int64 row = 0, CFTypeRef cacheInfo = NULL, bool weak = false, uint64_t ruleFlags = 0);
	static void addToAuthority(CFMutableDictionaryRef parent, CFStringRef key, CFTypeRef value);

private:
	void evaluateCode(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result, bool handleUnsigned);
	void evaluateInstall(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result);
	void evaluateDocOpen(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result);
	
	void evaluateCodeItem(SecStaticCodeRef code, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, bool nested, CFMutableDictionaryRef result);
	void adjustValidation(SecStaticCodeRef code);
	bool temporarySigning(SecStaticCodeRef code, AuthorityType type, CFURLRef path, SecAssessmentFlags matchFlags);
	void normalizeTarget(CFRef<CFTypeRef> &target, AuthorityType type, CFDictionary &context, std::string *signUnsigned);
	
	void selectRules(SQLite::Statement &action, std::string stanza, std::string table,
		CFTypeRef inTarget, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, std::string suffix = "");
	CFDictionaryRef manipulateRules(const std::string &stanza,
		CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize);

	void setOrigin(CFArrayRef chain, CFMutableDictionaryRef result);

	void recordOutcome(SecStaticCodeRef code, bool allow, AuthorityType type, double expires, SQLite::int64 authority);

private:
	OpaqueWhitelist* mOpaqueWhitelist;
	CFDictionaryRef opaqueWhitelistValidationConditionsFor(SecStaticCodeRef code);
	bool opaqueWhiteListContains(SecStaticCodeRef code, SecAssessmentFeedback feedback, OSStatus reason);
	void opaqueWhitelistAdd(SecStaticCodeRef code);

    friend class EvaluationManager;
    friend class EvaluationTask;
};


} // end namespace CodeSigning
} // end namespace Security

#endif //_H_POLICYENGINE
Commit	Line	Data
b1ab9ed8	1	/*
d8f41ccd	2	* Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
b1ab9ed8 A	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23	#ifndef _H_POLICYENGINE
	24	#define _H_POLICYENGINE
	25
	26	#include "SecAssessment.h"
80e23899	27	#include "opaquewhitelist.h"
5c19dc3a	28	#include "evaluationmanager.h"
b1ab9ed8 A	29	#include "policydb.h"
	30	#include <security_utilities/globalizer.h>
	31	#include <security_utilities/cfutilities.h>
	32	#include <security_utilities/hashing.h>
	33	#include <security_utilities/sqlite++.h>
	34	#include <CoreFoundation/CoreFoundation.h>
	35	#include <Security/CodeSigning.h>
	36
	37	namespace Security {
	38	namespace CodeSigning {
	39
	40
	41	typedef uint EngineOperation;
	42	enum {
	43	opInvalid = 0,
	44	opEvaluate,
	45	opAddAuthority,
	46	opRemoveAuthority,
	47	};
	48
	49
	50	class PolicyEngine : public PolicyDatabase {
	51	public:
	52	PolicyEngine();
	53	virtual ~PolicyEngine();
	54
	55	public:
	56	void evaluate(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result);
	57
	58	CFDictionaryRef update(CFTypeRef target, SecAssessmentFlags flags, CFDictionaryRef context);
	59	CFDictionaryRef add(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context);
	60	CFDictionaryRef remove(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context);
5c19dc3a A	61	CFDictionaryRef enable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize);
5c19dc3a A	62	CFDictionaryRef disable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize);
b1ab9ed8 A	63	CFDictionaryRef find(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context);
b1ab9ed8 A	64
427c49bc A	65	void recordFailure(CFDictionaryRef info);
427c49bc A	66
b1ab9ed8	67	public:
fa7225c8	68	static void addAuthority(SecAssessmentFlags flags, CFMutableDictionaryRef parent, const char *label, SQLite::int64 row = 0, CFTypeRef cacheInfo = NULL, bool weak = false, uint64_t ruleFlags = 0);
b1ab9ed8 A	69	static void addToAuthority(CFMutableDictionaryRef parent, CFStringRef key, CFTypeRef value);
	70
	71	private:
427c49bc	72	void evaluateCode(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result, bool handleUnsigned);
b1ab9ed8 A	73	void evaluateInstall(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result);
	74	void evaluateDocOpen(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result);
	75
427c49bc	76	void evaluateCodeItem(SecStaticCodeRef code, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, bool nested, CFMutableDictionaryRef result);
80e23899	77	void adjustValidation(SecStaticCodeRef code);
427c49bc A	78	bool temporarySigning(SecStaticCodeRef code, AuthorityType type, CFURLRef path, SecAssessmentFlags matchFlags);
	79	void normalizeTarget(CFRef<CFTypeRef> &target, AuthorityType type, CFDictionary &context, std::string *signUnsigned);
	80
b1ab9ed8 A	81	void selectRules(SQLite::Statement &action, std::string stanza, std::string table,
	82	CFTypeRef inTarget, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, std::string suffix = "");
	83	CFDictionaryRef manipulateRules(const std::string &stanza,
5c19dc3a	84	CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize);
b1ab9ed8 A	85
	86	void setOrigin(CFArrayRef chain, CFMutableDictionaryRef result);
	87
	88	void recordOutcome(SecStaticCodeRef code, bool allow, AuthorityType type, double expires, SQLite::int64 authority);
80e23899 A	89
80e23899 A	90	private:
ecaf5866 A	91	OpaqueWhitelist* mOpaqueWhitelist;
	92	CFDictionaryRef opaqueWhitelistValidationConditionsFor(SecStaticCodeRef code);
	93	bool opaqueWhiteListContains(SecStaticCodeRef code, SecAssessmentFeedback feedback, OSStatus reason);
	94	void opaqueWhitelistAdd(SecStaticCodeRef code);
5c19dc3a A	95
	96	friend class EvaluationManager;
	97	friend class EvaluationTask;
b1ab9ed8 A	98	};
	99
	100
	101	} // end namespace CodeSigning
	102	} // end namespace Security
	103
	104	#endif //_H_POLICYENGINE