[apple/security.git] / securityd / src / acls.cpp

/*
 * Copyright (c) 2000-2009,2012-2013 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */


//
// acls - securityd ACL implementation
//
#include "acls.h"
#include "connection.h"
#include "server.h"
#include "agentquery.h"
#include "tokendatabase.h"
#include "acl_keychain.h"
#include "acl_partition.h"

// ACL subjects whose Environments we implement
#include <security_cdsa_utilities/acl_any.h>
#include <security_cdsa_utilities/acl_password.h>
#include "acl_keychain.h"

#include <sys/sysctl.h>
#include <security_utilities/logging.h>
#include <security_utilities/cfmunge.h>

//
// SecurityServerAcl is virtual
//
SecurityServerAcl::~SecurityServerAcl()
{ }


//
// The default implementation of the ACL interface simply uses the local ObjectAcl
// data. You can customize this by implementing instantiateAcl() [from ObjectAcl]
// or by overriding these methods as desired.
// Note: While you can completely ignore the ObjectAcl personality if you wish, it's
// usually smarter to adapt it.
//
void SecurityServerAcl::getOwner(AclOwnerPrototype &owner)
{
	StLock<Mutex> _(aclSequence);
	ObjectAcl::cssmGetOwner(owner);
}

void SecurityServerAcl::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
{
	StLock<Mutex> _(aclSequence);
	ObjectAcl::cssmGetAcl(tag, count, acls);
}

void SecurityServerAcl::changeAcl(const AclEdit &edit, const AccessCredentials *cred,
	Database *db)
{
	StLock<Mutex> _(aclSequence);
	SecurityServerEnvironment env(*this, db);

    // if we're setting the INTEGRITY entry, check if you're in the partition list.
    if (const AclEntryInput* input = edit.newEntry()) {
        if (input->proto().authorization().containsOnly(CSSM_ACL_AUTHORIZATION_INTEGRITY)) {
            // Only prompt the user if these creds allow UI.
            bool ui = (!!cred) && cred->authorizesUI();
            validatePartition(env, ui); // throws if fail

            // If you passed partition validation, bypass the owner ACL check entirely.
            env.forceSuccess = true;
        }
    }

    // If these access credentials, by themselves, protect this database, force success and don't
    // restrict changing PARTITION_ID
    if(db && db->checkCredentials(cred)) {
        env.forceSuccess = true;
        ObjectAcl::cssmChangeAcl(edit, cred, &env, NULL);
    } else {
        ObjectAcl::cssmChangeAcl(edit, cred, &env, CSSM_APPLE_ACL_TAG_PARTITION_ID);
    }
}

void SecurityServerAcl::changeOwner(const AclOwnerPrototype &newOwner,
	const AccessCredentials *cred, Database *db)
{
	StLock<Mutex> _(aclSequence);
	SecurityServerEnvironment env(*this, db);
	ObjectAcl::cssmChangeOwner(newOwner, cred, &env);
}


//
// Modified validate() methods to connect all the conduits...
//
void SecurityServerAcl::validate(AclAuthorization auth, const AccessCredentials *cred, Database *db)
{
    SecurityServerEnvironment env(*this, db);
	
	StLock<Mutex> objectSequence(aclSequence);
	StLock<Mutex> processSequence(Server::process().aclSequence);
	ObjectAcl::validate(auth, cred, &env);

    // partition validation happens outside the normal acl validation flow, in addition
    bool ui = (!!cred) && cred->authorizesUI();

    // we should only offer the chance to extend the partition ID list on a "read" operation, so check the AclAuthorization
    bool readOperation =
        (auth == CSSM_ACL_AUTHORIZATION_CHANGE_ACL)     ||
        (auth == CSSM_ACL_AUTHORIZATION_DECRYPT)        ||
        (auth == CSSM_ACL_AUTHORIZATION_GENKEY)         ||
        (auth == CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED) ||
        (auth == CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR)   ||
        (auth == CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED) ||
        (auth == CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR)   ||
        (auth == CSSM_ACL_AUTHORIZATION_SIGN)           ||
        (auth == CSSM_ACL_AUTHORIZATION_DECRYPT)        ||
        (auth == CSSM_ACL_AUTHORIZATION_MAC)            ||
        (auth == CSSM_ACL_AUTHORIZATION_DERIVE);

    validatePartition(env, ui && readOperation);
}

void SecurityServerAcl::validate(AclAuthorization auth, const Context &context, Database *db)
{
	validate(auth,
		context.get<AccessCredentials>(CSSM_ATTRIBUTE_ACCESS_CREDENTIALS), db);
}


//
// Partitioning support
//
void SecurityServerAcl::validatePartition(SecurityServerEnvironment& env, bool prompt)
{
    // For the Keychain Migrator, don't even check the partition list
    Process &process = Server::process();
    if (process.checkAppleSigned() && process.hasEntitlement(migrationEntitlement)) {
        secdebug("integrity", "bypassing partition check for keychain migrator");
        return;   // migrator client -> automatic win
    }

	if (CFRef<CFDictionaryRef> partition = this->createPartitionPayload()) {
		CFArrayRef partitionList;
		if (cfscan(partition, "{Partitions=%AO}", &partitionList)) {
			CFRef<CFStringRef> partitionDebug = CFCopyDescription(partitionList);	// for debugging only
			secdebugfunc("integrity", "ACL partitionID = %s", cfString(partitionDebug).c_str());
			if (env.database) {
				CFRef<CFStringRef> clientPartitionID = makeCFString(env.database->process().partitionId());
				if (CFArrayContainsValue(partitionList, CFRangeMake(0, CFArrayGetCount(partitionList)), clientPartitionID)) {
					secdebugfunc("integrity", "ACL partitions match: %s", cfString(clientPartitionID).c_str());
					return;
				} else {
					secdebugfunc("integrity", "ACL partition mismatch: client %s ACL %s", cfString(clientPartitionID).c_str(), cfString(partitionDebug).c_str());
					if (prompt && extendPartition(env))
						return;
					MacOSError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED);
				}
			}
		}
		secdebugfunc("integrity", "failed to parse partition payload");
		MacOSError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
    } else {
        // There's no partition list. This is keychain is either old or recently upgraded.
        // If there's no database, let it pass.
        if((!env.database) || env.database->dbVersion() < SecurityServer::CommonBlob::version_partition) {
            secdebugfunc("integrity", "no partition ACL - legacy case");
            //@@@ I guess we let this pass...
        } else {
            secdebugfunc("integrity", "no partition ACL - adding");
            env.acl.instantiateAcl();
            this->createClientPartitionID(env.database->process());
            env.acl.changedAcl();
            Server::connection().overrideReturn(CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT);
        }
    }
}


bool SecurityServerAcl::extendPartition(SecurityServerEnvironment& env)
{
	// brute-force find the KeychainAclSubject in the ACL
	KeychainPromptAclSubject *kcSubject = NULL;
	SecurityServerAcl& acl = env.acl;
	for (EntryMap::const_iterator it = acl.begin(); it != acl.end(); ++it) {
		AclSubjectPointer subject = it->second.subject;
		if (ThresholdAclSubject *threshold = dynamic_cast<ThresholdAclSubject *>(subject.get())) {
			unsigned size = threshold->count();
			if (KeychainPromptAclSubject* last = dynamic_cast<KeychainPromptAclSubject *>(threshold->subject(size-1))) {
				// looks standard enough
				kcSubject = last;
				break;
			}
		}
	}
	
	if (kcSubject) {
		BaseValidationContext ctx(NULL, CSSM_ACL_AUTHORIZATION_PARTITION_ID, &env);
		return kcSubject->validateExplicitly(ctx, ^{
            secdebugfunc("integrity", "adding partition to list");
            env.acl.instantiateAcl();
			this->addClientPartitionID(env.database->process());
			env.acl.changedAcl();
			// trigger a special notification code on (otherwise successful) return
			Server::connection().overrideReturn(CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT);
		});
	}
    secdebugfunc("integrity", "failure extending partition");
	return false;
}


PartitionAclSubject* SecurityServerAcl::findPartitionSubject()
{
	pair<EntryMap::const_iterator, EntryMap::const_iterator> range;
	switch (this->getRange(CSSM_APPLE_ACL_TAG_PARTITION_ID, range, true)) {
		case 0:
			secdebugfunc("integrity", "no partition tag on ACL");
			return NULL;
		default:
			secdebugfunc("integrity", "multiple partition ACL entries");
			MacOSError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
		case 1:
			break;
	}
	const AclEntry& entry = range.first->second;
	if (!entry.authorizes(CSSM_ACL_AUTHORIZATION_PARTITION_ID)) {
		secdebugfunc("integrity", "partition entry does not authorize CSSM_ACL_AUTHORIZATION_PARTITION_ID");
		MacOSError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
	}
	if (PartitionAclSubject* partition = dynamic_cast<PartitionAclSubject*>(entry.subject.get())) {
		return partition;
	} else {
		secdebugfunc("integrity", "partition entry is not PartitionAclSubject");
		MacOSError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
	}
}


CFDictionaryRef SecurityServerAcl::createPartitionPayload()
{
	if (PartitionAclSubject* subject = this->findPartitionSubject()) {
		if (CFDictionaryRef result = subject->createDictionaryPayload()) {
			return result;
		} else {
			secdebugfunc("integrity", "partition entry is malformed XML");
			MacOSError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
		}
	} else {
		return NULL;
	}
}


//
// This helper tries to add the (new) subject given to the ACL
// whose validation is currently proceeding through context.
// This will succeed if the ACL is in standard form, which means
// a ThresholdAclSubject.
// The new subject will be added at the front (so it is checked first
// from now on), and as a side effect we'll notify the client side to
// re-encode the object.
// Returns true if the edit could be done, or false if the ACL wasn't
// standard enough. May throw if the ACL is malformed or otherwise messed up.
//
// This is a self-contained helper that is here merely because it's "about"
// ACLs and has no better home.
//
bool SecurityServerAcl::addToStandardACL(const AclValidationContext &context, AclSubject *subject)
{
	if (SecurityServerEnvironment *env = context.environment<SecurityServerEnvironment>())
		if (ThresholdAclSubject *threshold = env->standardSubject(context)) {
			unsigned size = threshold->count();
			if (dynamic_cast<KeychainPromptAclSubject *>(threshold->subject(size-1))) {
				// looks standard enough
				secdebug("acl", "adding new subject %p to from of threshold ACL", subject);
				threshold->add(subject, 0);
				
				// tell the ACL it's been modified
				context.acl()->changedAcl();

				// trigger a special notification code on (otherwise successful) return
				Server::connection().overrideReturn(CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT);
				return true;
			}
		}
	secdebug("acl", "ACL is not standard form; cannot edit");
	return false;
}


//
// Look at the ACL whose validation is currently proceeding through context.
// If it LOOKS like a plausible version of a legacy "dot mac item" ACL.
// We don't have access to the database attributes of the item up here in the
// securityd sky, so we have to apply a heuristic based on which applications (by path)
// are given access to the item.
// So this is strictly a heuristic. The potential downside is that we may inadvertently
// give access to new .Mac authorized Apple (only) applications when the user only intended
// a limited set of extremely popular Apple (only) applications that just happen to all be
// .Mac authorized today. We can live with that.
//
bool SecurityServerAcl::looksLikeLegacyDotMac(const AclValidationContext &context)
{
	static const char * const prototypicalDotMacPath[] = {
		"/Applications/Mail.app",
		"/Applications/Safari.app",
		"/Applications/iSync.app",
		"/Applications/System Preferences.app",
		"/Applications/iCal.app",
		"/Applications/iChat.app",
		"/Applications/iTunes.app",
		"/Applications/Address Book.app",
		"/Applications/iSync.app",
		NULL	// sentinel
	};
	
	static const unsigned threshold = 6;
	
	if (SecurityServerEnvironment *env = context.environment<SecurityServerEnvironment>()) {
		if (ThresholdAclSubject *list = env->standardSubject(context)) {
			unsigned count = list->count();
			unsigned matches = 0;
			for (unsigned n = 0; n < count; ++n) {
				if (CodeSignatureAclSubject *app = dynamic_cast<CodeSignatureAclSubject *>(list->subject(n))) {
					for (const char * const *p = prototypicalDotMacPath; *p; p++)
						if (app->path() == *p)
							matches++;
				}
			}
			secdebug("codesign", "matched %d of %zd candididates (threshold=%d)",
				matches, sizeof(prototypicalDotMacPath) / sizeof(char *) - 1, threshold);
			return matches >= threshold;
		}
	}
	return false;
}


//
// ACL manipulations related to keychain partitions
//
bool SecurityServerAcl::createClientPartitionID(Process& process)
{
    // Make sure the ACL is ready for edits
    instantiateAcl();

	// create partition payload
	std::string partitionID = process.partitionId();
	CFTemp<CFDictionaryRef> payload("{Partitions=[%s]}", partitionID.c_str());
	ObjectAcl::AclSubjectPointer subject = new PartitionAclSubject();
	static_cast<PartitionAclSubject*>(subject.get())->setDictionaryPayload(Allocator::standard(), payload);
	ObjectAcl::AclEntry partition(subject);
	partition.addAuthorization(CSSM_ACL_AUTHORIZATION_PARTITION_ID);
	this->add(CSSM_APPLE_ACL_TAG_PARTITION_ID, partition);
	secdebugfunc("integrity", "added partition %s to new key", partitionID.c_str());
	return true;
}


bool SecurityServerAcl::addClientPartitionID(Process& process)
{
	if (PartitionAclSubject* subject = this->findPartitionSubject()) {
		std::string partitionID = process.partitionId();
		if (CFRef<CFDictionaryRef> payload = subject->createDictionaryPayload()) {
			CFArrayRef partitionList;
			if (cfscan(payload, "{Partitions=%AO}", &partitionList)) {
				CFTemp<CFDictionaryRef> newPayload("{Partitions=[+%O,%s]}", partitionList, partitionID.c_str());
				subject->setDictionaryPayload(Allocator::standard(), newPayload);
			}
			return true;
		} else {
			MacOSError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
		}
	} else {
		return createClientPartitionID(process);
	}
}


//
// External storage interface
//
Adornable &SecurityServerEnvironment::store(const AclSubject *subject)
{
	switch (subject->type()) {
	case CSSM_ACL_SUBJECT_TYPE_PREAUTH:
		{
			if (TokenDatabase *tokenDb = dynamic_cast<TokenDatabase *>(database))
				return tokenDb->common().store();
		}
		break;
	default:
		break;
	}
	CssmError::throwMe(CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED);
}


//
// ProcessAclSubject personality: uid/gid/pid come from the active Process object
//
uid_t SecurityServerEnvironment::getuid() const
{
    return Server::process().uid();
}

gid_t SecurityServerEnvironment::getgid() const
{
    return Server::process().gid();
}

pid_t SecurityServerEnvironment::getpid() const
{
    return Server::process().pid();
}


//
// CodeSignatureAclSubject personality: take code signature from active Process object
//
bool SecurityServerEnvironment::verifyCodeSignature(const OSXVerifier &verifier,
	const AclValidationContext &context)
{
	return Server::codeSignatures().verify(Server::process(), verifier, context);
}


//
// PromptedAclSubject personality: Get a secret by prompting through SecurityAgent
//
bool SecurityServerEnvironment::getSecret(CssmOwnedData &secret, const CssmData &prompt) const
{
	//@@@ ignoring prompt - not used right now
	if (database) {
		QueryPIN query(*database);
		query.inferHints(Server::process());
		if (!query()) {	// success
			secret = query.pin();
			return true;
		}
	}
	return false;
}


//
// SecretAclSubject personality: externally validate a secret (passphrase etc.)
// Right now, this always goes to the (Token)Database object, because that's where
// the PIN ACL entries are. We could direct this at the ObjectAcl (database or key)
// instead and rely on tokend to perform the PIN mapping, but the generic tokend
// wrappers do not (currently) perform any ACL validation, so every tokend would have
// to re-implement that. Perhaps in the next ACL revamp cycle...
//
bool SecurityServerEnvironment::validateSecret(const SecretAclSubject *me,
	const AccessCredentials *cred)
{
	return database && database->validateSecret(me, cred);
}


//
// PreAuthenticationAclSubject personality - refer to database (ObjectAcl)
//
ObjectAcl *SecurityServerEnvironment::preAuthSource()
{
	return database ? &database->acl() : NULL;
}


//
// Autonomous ACL editing support
//
ThresholdAclSubject *SecurityServerEnvironment::standardSubject(const AclValidationContext &context)
{
	return dynamic_cast<ThresholdAclSubject *>(context.subject());
}


//
// The default AclSource denies having an ACL at all
//
AclSource::~AclSource()
{ /* virtual */ }

SecurityServerAcl &AclSource::acl()
{
	CssmError::throwMe(CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED);
}

Database *AclSource::relatedDatabase()
{
	return NULL;
}
Commit	Line	Data
d8f41ccd A	1	/*
	2	* Copyright (c) 2000-2009,2012-2013 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	//
	26	// acls - securityd ACL implementation
	27	//
	28	#include "acls.h"
	29	#include "connection.h"
	30	#include "server.h"
	31	#include "agentquery.h"
	32	#include "tokendatabase.h"
	33	#include "acl_keychain.h"
e3d460c9	34	#include "acl_partition.h"
d8f41ccd A	35
	36	// ACL subjects whose Environments we implement
	37	#include <security_cdsa_utilities/acl_any.h>
	38	#include <security_cdsa_utilities/acl_password.h>
e3d460c9	39	#include "acl_keychain.h"
d8f41ccd A	40
	41	#include <sys/sysctl.h>
	42	#include <security_utilities/logging.h>
e3d460c9	43	#include <security_utilities/cfmunge.h>
d8f41ccd A	44
	45	//
	46	// SecurityServerAcl is virtual
	47	//
	48	SecurityServerAcl::~SecurityServerAcl()
	49	{ }
	50
	51
	52	//
	53	// The default implementation of the ACL interface simply uses the local ObjectAcl
	54	// data. You can customize this by implementing instantiateAcl() [from ObjectAcl]
	55	// or by overriding these methods as desired.
	56	// Note: While you can completely ignore the ObjectAcl personality if you wish, it's
	57	// usually smarter to adapt it.
	58	//
	59	void SecurityServerAcl::getOwner(AclOwnerPrototype &owner)
	60	{
	61	StLock<Mutex> _(aclSequence);
	62	ObjectAcl::cssmGetOwner(owner);
	63	}
	64
	65	void SecurityServerAcl::getAcl(const char tag, uint32 &count, AclEntryInfo &acls)
	66	{
	67	StLock<Mutex> _(aclSequence);
	68	ObjectAcl::cssmGetAcl(tag, count, acls);
	69	}
	70
	71	void SecurityServerAcl::changeAcl(const AclEdit &edit, const AccessCredentials *cred,
	72	Database *db)
	73	{
	74	StLock<Mutex> _(aclSequence);
	75	SecurityServerEnvironment env(*this, db);
e3d460c9 A	76
	77	// if we're setting the INTEGRITY entry, check if you're in the partition list.
	78	if (const AclEntryInput* input = edit.newEntry()) {
	79	if (input->proto().authorization().containsOnly(CSSM_ACL_AUTHORIZATION_INTEGRITY)) {
	80	// Only prompt the user if these creds allow UI.
	81	bool ui = (!!cred) && cred->authorizesUI();
	82	validatePartition(env, ui); // throws if fail
	83
	84	// If you passed partition validation, bypass the owner ACL check entirely.
	85	env.forceSuccess = true;
	86	}
	87	}
	88
	89	// If these access credentials, by themselves, protect this database, force success and don't
	90	// restrict changing PARTITION_ID
	91	if(db && db->checkCredentials(cred)) {
	92	env.forceSuccess = true;
	93	ObjectAcl::cssmChangeAcl(edit, cred, &env, NULL);
	94	} else {
	95	ObjectAcl::cssmChangeAcl(edit, cred, &env, CSSM_APPLE_ACL_TAG_PARTITION_ID);
	96	}
d8f41ccd A	97	}
	98
	99	void SecurityServerAcl::changeOwner(const AclOwnerPrototype &newOwner,
	100	const AccessCredentials cred, Database db)
	101	{
	102	StLock<Mutex> _(aclSequence);
	103	SecurityServerEnvironment env(*this, db);
	104	ObjectAcl::cssmChangeOwner(newOwner, cred, &env);
	105	}
	106
	107
	108	//
	109	// Modified validate() methods to connect all the conduits...
	110	//
	111	void SecurityServerAcl::validate(AclAuthorization auth, const AccessCredentials cred, Database db)
	112	{
	113	SecurityServerEnvironment env(*this, db);
	114
	115	StLock<Mutex> objectSequence(aclSequence);
	116	StLock<Mutex> processSequence(Server::process().aclSequence);
e3d460c9 A	117	ObjectAcl::validate(auth, cred, &env);
	118
	119	// partition validation happens outside the normal acl validation flow, in addition
	120	bool ui = (!!cred) && cred->authorizesUI();
	121
	122	// we should only offer the chance to extend the partition ID list on a "read" operation, so check the AclAuthorization
	123	bool readOperation =
	124	(auth == CSSM_ACL_AUTHORIZATION_CHANGE_ACL) \|\|
	125	(auth == CSSM_ACL_AUTHORIZATION_DECRYPT) \|\|
	126	(auth == CSSM_ACL_AUTHORIZATION_GENKEY) \|\|
	127	(auth == CSSM_ACL_AUTHORIZATION_EXPORT_WRAPPED) \|\|
	128	(auth == CSSM_ACL_AUTHORIZATION_EXPORT_CLEAR) \|\|
	129	(auth == CSSM_ACL_AUTHORIZATION_IMPORT_WRAPPED) \|\|
	130	(auth == CSSM_ACL_AUTHORIZATION_IMPORT_CLEAR) \|\|
	131	(auth == CSSM_ACL_AUTHORIZATION_SIGN) \|\|
	132	(auth == CSSM_ACL_AUTHORIZATION_DECRYPT) \|\|
	133	(auth == CSSM_ACL_AUTHORIZATION_MAC) \|\|
	134	(auth == CSSM_ACL_AUTHORIZATION_DERIVE);
	135
	136	validatePartition(env, ui && readOperation);
d8f41ccd A	137	}
	138
	139	void SecurityServerAcl::validate(AclAuthorization auth, const Context &context, Database *db)
	140	{
	141	validate(auth,
	142	context.get<AccessCredentials>(CSSM_ATTRIBUTE_ACCESS_CREDENTIALS), db);
	143	}
	144
	145
e3d460c9 A	146	//
	147	// Partitioning support
	148	//
	149	void SecurityServerAcl::validatePartition(SecurityServerEnvironment& env, bool prompt)
	150	{
	151	// For the Keychain Migrator, don't even check the partition list
	152	Process &process = Server::process();
	153	if (process.checkAppleSigned() && process.hasEntitlement(migrationEntitlement)) {
	154	secdebug("integrity", "bypassing partition check for keychain migrator");
	155	return; // migrator client -> automatic win
	156	}
	157
	158	if (CFRef<CFDictionaryRef> partition = this->createPartitionPayload()) {
	159	CFArrayRef partitionList;
	160	if (cfscan(partition, "{Partitions=%AO}", &partitionList)) {
	161	CFRef<CFStringRef> partitionDebug = CFCopyDescription(partitionList); // for debugging only
	162	secdebugfunc("integrity", "ACL partitionID = %s", cfString(partitionDebug).c_str());
	163	if (env.database) {
	164	CFRef<CFStringRef> clientPartitionID = makeCFString(env.database->process().partitionId());
	165	if (CFArrayContainsValue(partitionList, CFRangeMake(0, CFArrayGetCount(partitionList)), clientPartitionID)) {
	166	secdebugfunc("integrity", "ACL partitions match: %s", cfString(clientPartitionID).c_str());
	167	return;
	168	} else {
	169	secdebugfunc("integrity", "ACL partition mismatch: client %s ACL %s", cfString(clientPartitionID).c_str(), cfString(partitionDebug).c_str());
	170	if (prompt && extendPartition(env))
	171	return;
	172	MacOSError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED);
	173	}
	174	}
	175	}
	176	secdebugfunc("integrity", "failed to parse partition payload");
	177	MacOSError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
	178	} else {
	179	// There's no partition list. This is keychain is either old or recently upgraded.
	180	// If there's no database, let it pass.
	181	if((!env.database) \|\| env.database->dbVersion() < SecurityServer::CommonBlob::version_partition) {
	182	secdebugfunc("integrity", "no partition ACL - legacy case");
	183	//@@@ I guess we let this pass...
	184	} else {
	185	secdebugfunc("integrity", "no partition ACL - adding");
	186	env.acl.instantiateAcl();
	187	this->createClientPartitionID(env.database->process());
	188	env.acl.changedAcl();
	189	Server::connection().overrideReturn(CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT);
	190	}
	191	}
	192	}
	193
	194
	195	bool SecurityServerAcl::extendPartition(SecurityServerEnvironment& env)
	196	{
	197	// brute-force find the KeychainAclSubject in the ACL
	198	KeychainPromptAclSubject *kcSubject = NULL;
	199	SecurityServerAcl& acl = env.acl;
	200	for (EntryMap::const_iterator it = acl.begin(); it != acl.end(); ++it) {
	201	AclSubjectPointer subject = it->second.subject;
	202	if (ThresholdAclSubject threshold = dynamic_cast<ThresholdAclSubject >(subject.get())) {
	203	unsigned size = threshold->count();
	204	if (KeychainPromptAclSubject* last = dynamic_cast<KeychainPromptAclSubject *>(threshold->subject(size-1))) {
	205	// looks standard enough
	206	kcSubject = last;
	207	break;
	208	}
	209	}
210	}
211
212	if (kcSubject) {
213	BaseValidationContext ctx(NULL, CSSM_ACL_AUTHORIZATION_PARTITION_ID, &env);
214	return kcSubject->validateExplicitly(ctx, ^{
215	secdebugfunc("integrity", "adding partition to list");
216	env.acl.instantiateAcl();
217	this->addClientPartitionID(env.database->process());
218	env.acl.changedAcl();
219	// trigger a special notification code on (otherwise successful) return
220	Server::connection().overrideReturn(CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT);
221	});
222	}
223	secdebugfunc("integrity", "failure extending partition");
224	return false;
225	}
226
227
228	PartitionAclSubject* SecurityServerAcl::findPartitionSubject()
229	{
230	pair<EntryMap::const_iterator, EntryMap::const_iterator> range;
231	switch (this->getRange(CSSM_APPLE_ACL_TAG_PARTITION_ID, range, true)) {
232	case 0:
233	secdebugfunc("integrity", "no partition tag on ACL");
234	return NULL;
235	default:
236	secdebugfunc("integrity", "multiple partition ACL entries");
237	MacOSError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
238	case 1:
239	break;
240	}
241	const AclEntry& entry = range.first->second;
242	if (!entry.authorizes(CSSM_ACL_AUTHORIZATION_PARTITION_ID)) {
243	secdebugfunc("integrity", "partition entry does not authorize CSSM_ACL_AUTHORIZATION_PARTITION_ID");
244	MacOSError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
245	}
246	if (PartitionAclSubject* partition = dynamic_cast<PartitionAclSubject*>(entry.subject.get())) {
247	return partition;
248	} else {
249	secdebugfunc("integrity", "partition entry is not PartitionAclSubject");
250	MacOSError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
251	}
252	}
253
254
255	CFDictionaryRef SecurityServerAcl::createPartitionPayload()
256	{
257	if (PartitionAclSubject* subject = this->findPartitionSubject()) {
258	if (CFDictionaryRef result = subject->createDictionaryPayload()) {
259	return result;
260	} else {
261	secdebugfunc("integrity", "partition entry is malformed XML");
262	MacOSError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
263	}
264	} else {
265	return NULL;
266	}
267	}
268
269
d8f41ccd A	270	//
	271	// This helper tries to add the (new) subject given to the ACL
	272	// whose validation is currently proceeding through context.
	273	// This will succeed if the ACL is in standard form, which means
	274	// a ThresholdAclSubject.
	275	// The new subject will be added at the front (so it is checked first
	276	// from now on), and as a side effect we'll notify the client side to
	277	// re-encode the object.
	278	// Returns true if the edit could be done, or false if the ACL wasn't
	279	// standard enough. May throw if the ACL is malformed or otherwise messed up.
	280	//
	281	// This is a self-contained helper that is here merely because it's "about"
	282	// ACLs and has no better home.
	283	//
	284	bool SecurityServerAcl::addToStandardACL(const AclValidationContext &context, AclSubject *subject)
	285	{
	286	if (SecurityServerEnvironment *env = context.environment<SecurityServerEnvironment>())
	287	if (ThresholdAclSubject *threshold = env->standardSubject(context)) {
	288	unsigned size = threshold->count();
	289	if (dynamic_cast<KeychainPromptAclSubject *>(threshold->subject(size-1))) {
	290	// looks standard enough
	291	secdebug("acl", "adding new subject %p to from of threshold ACL", subject);
	292	threshold->add(subject, 0);
	293
	294	// tell the ACL it's been modified
	295	context.acl()->changedAcl();
	296
	297	// trigger a special notification code on (otherwise successful) return
	298	Server::connection().overrideReturn(CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT);
	299	return true;
	300	}
	301	}
	302	secdebug("acl", "ACL is not standard form; cannot edit");
	303	return false;
	304	}
	305
	306
	307	//
	308	// Look at the ACL whose validation is currently proceeding through context.
	309	// If it LOOKS like a plausible version of a legacy "dot mac item" ACL.
	310	// We don't have access to the database attributes of the item up here in the
	311	// securityd sky, so we have to apply a heuristic based on which applications (by path)
	312	// are given access to the item.
	313	// So this is strictly a heuristic. The potential downside is that we may inadvertently
	314	// give access to new .Mac authorized Apple (only) applications when the user only intended
	315	// a limited set of extremely popular Apple (only) applications that just happen to all be
	316	// .Mac authorized today. We can live with that.
	317	//
	318	bool SecurityServerAcl::looksLikeLegacyDotMac(const AclValidationContext &context)
	319	{
	320	static const char * const prototypicalDotMacPath[] = {
	321	"/Applications/Mail.app",
	322	"/Applications/Safari.app",
	323	"/Applications/iSync.app",
	324	"/Applications/System Preferences.app",
	325	"/Applications/iCal.app",
	326	"/Applications/iChat.app",
	327	"/Applications/iTunes.app",
	328	"/Applications/Address Book.app",
	329	"/Applications/iSync.app",
	330	NULL // sentinel
	331	};
	332
	333	static const unsigned threshold = 6;
334
335	if (SecurityServerEnvironment *env = context.environment<SecurityServerEnvironment>()) {
336	if (ThresholdAclSubject *list = env->standardSubject(context)) {
337	unsigned count = list->count();
338	unsigned matches = 0;
339	for (unsigned n = 0; n < count; ++n) {
340	if (CodeSignatureAclSubject app = dynamic_cast<CodeSignatureAclSubject >(list->subject(n))) {
341	for (const char * const p = prototypicalDotMacPath; p; p++)
342	if (app->path() == *p)
343	matches++;
344	}
345	}
346	secdebug("codesign", "matched %d of %zd candididates (threshold=%d)",
347	matches, sizeof(prototypicalDotMacPath) / sizeof(char *) - 1, threshold);
348	return matches >= threshold;
349	}
350	}
351	return false;
352	}
353
354
e3d460c9 A	355	//
	356	// ACL manipulations related to keychain partitions
	357	//
	358	bool SecurityServerAcl::createClientPartitionID(Process& process)
	359	{
	360	// Make sure the ACL is ready for edits
	361	instantiateAcl();
	362
	363	// create partition payload
	364	std::string partitionID = process.partitionId();
	365	CFTemp<CFDictionaryRef> payload("{Partitions=[%s]}", partitionID.c_str());
	366	ObjectAcl::AclSubjectPointer subject = new PartitionAclSubject();
	367	static_cast<PartitionAclSubject*>(subject.get())->setDictionaryPayload(Allocator::standard(), payload);
	368	ObjectAcl::AclEntry partition(subject);
	369	partition.addAuthorization(CSSM_ACL_AUTHORIZATION_PARTITION_ID);
	370	this->add(CSSM_APPLE_ACL_TAG_PARTITION_ID, partition);
	371	secdebugfunc("integrity", "added partition %s to new key", partitionID.c_str());
	372	return true;
	373	}
	374
	375
	376	bool SecurityServerAcl::addClientPartitionID(Process& process)
	377	{
	378	if (PartitionAclSubject* subject = this->findPartitionSubject()) {
	379	std::string partitionID = process.partitionId();
	380	if (CFRef<CFDictionaryRef> payload = subject->createDictionaryPayload()) {
	381	CFArrayRef partitionList;
	382	if (cfscan(payload, "{Partitions=%AO}", &partitionList)) {
	383	CFTemp<CFDictionaryRef> newPayload("{Partitions=[+%O,%s]}", partitionList, partitionID.c_str());
	384	subject->setDictionaryPayload(Allocator::standard(), newPayload);
	385	}
	386	return true;
	387	} else {
	388	MacOSError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);
	389	}
	390	} else {
	391	return createClientPartitionID(process);
	392	}
	393	}
	394
	395
d8f41ccd A	396	//
	397	// External storage interface
	398	//
	399	Adornable &SecurityServerEnvironment::store(const AclSubject *subject)
	400	{
	401	switch (subject->type()) {
	402	case CSSM_ACL_SUBJECT_TYPE_PREAUTH:
	403	{
	404	if (TokenDatabase tokenDb = dynamic_cast<TokenDatabase >(database))
	405	return tokenDb->common().store();
	406	}
	407	break;
	408	default:
	409	break;
	410	}
	411	CssmError::throwMe(CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED);
	412	}
	413
	414
	415	//
	416	// ProcessAclSubject personality: uid/gid/pid come from the active Process object
	417	//
	418	uid_t SecurityServerEnvironment::getuid() const
	419	{
	420	return Server::process().uid();
	421	}
	422
	423	gid_t SecurityServerEnvironment::getgid() const
	424	{
	425	return Server::process().gid();
	426	}
	427
	428	pid_t SecurityServerEnvironment::getpid() const
	429	{
	430	return Server::process().pid();
	431	}
	432
	433
	434	//
	435	// CodeSignatureAclSubject personality: take code signature from active Process object
	436	//
	437	bool SecurityServerEnvironment::verifyCodeSignature(const OSXVerifier &verifier,
	438	const AclValidationContext &context)
	439	{
	440	return Server::codeSignatures().verify(Server::process(), verifier, context);
	441	}
	442
	443
	444	//
	445	// PromptedAclSubject personality: Get a secret by prompting through SecurityAgent
	446	//
	447	bool SecurityServerEnvironment::getSecret(CssmOwnedData &secret, const CssmData &prompt) const
	448	{
	449	//@@@ ignoring prompt - not used right now
	450	if (database) {
	451	QueryPIN query(*database);
	452	query.inferHints(Server::process());
	453	if (!query()) { // success
	454	secret = query.pin();
	455	return true;
	456	}
	457	}
	458	return false;
	459	}
460
461
462	//
463	// SecretAclSubject personality: externally validate a secret (passphrase etc.)
464	// Right now, this always goes to the (Token)Database object, because that's where
465	// the PIN ACL entries are. We could direct this at the ObjectAcl (database or key)
466	// instead and rely on tokend to perform the PIN mapping, but the generic tokend
467	// wrappers do not (currently) perform any ACL validation, so every tokend would have
468	// to re-implement that. Perhaps in the next ACL revamp cycle...
469	//
470	bool SecurityServerEnvironment::validateSecret(const SecretAclSubject *me,
471	const AccessCredentials *cred)
472	{
473	return database && database->validateSecret(me, cred);
474	}
475
476
477	//
478	// PreAuthenticationAclSubject personality - refer to database (ObjectAcl)
479	//
480	ObjectAcl *SecurityServerEnvironment::preAuthSource()
481	{
482	return database ? &database->acl() : NULL;
483	}
484
485
486	//
487	// Autonomous ACL editing support
488	//
489	ThresholdAclSubject *SecurityServerEnvironment::standardSubject(const AclValidationContext &context)
490	{
491	return dynamic_cast<ThresholdAclSubject *>(context.subject());
492	}
493
494
495	//
496	// The default AclSource denies having an ACL at all
497	//
498	AclSource::~AclSource()
499	{ /* virtual */ }
500
501	SecurityServerAcl &AclSource::acl()
502	{
503	CssmError::throwMe(CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED);
504	}
505
506	Database *AclSource::relatedDatabase()
507	{
508	return NULL;
509	}