projects / apple / security.git / blame
| Commit | Line | Data |
|---|---|---|
| bac41a7b A |
1 | /* |
| 2 | * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved. | |
| 3 | * | |
| 4 | * The contents of this file constitute Original Code as defined in and are | |
| 5 | * subject to the Apple Public Source License Version 1.2 (the 'License'). | |
| 6 | * You may not use this file except in compliance with the License. Please obtain | |
| 7 | * a copy of the License at http://www.apple.com/publicsource and read it before | |
| 8 | * using this file. | |
| 9 | * | |
| 10 | * This Original Code and all software distributed under the License are | |
| 11 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS | |
| 12 | * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT | |
| 13 | * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR | |
| 14 | * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the | |
| 15 | * specific language governing rights and limitations under the License. | |
| 16 | */ | |
| 17 | ||
| 18 | ||
| 19 | // | |
| 20 | // acl_process - Process-attribute ACL subject type. | |
| 21 | // | |
| bac41a7b | 22 | #include <Security/acl_process.h> |
| df0e469f | 23 | #include <Security/endian.h> |
| bac41a7b A |
24 | #include <algorithm> |
| 25 | ||
| bac41a7b A |
26 | |
| 27 | // | |
| df0e469f A |
28 | // Validate a credential set against this subject. |
| 29 | // No credential is required for this match. | |
| bac41a7b | 30 | // |
| df0e469f | 31 | bool ProcessAclSubject::validate(const AclValidationContext &context) const |
| bac41a7b | 32 | { |
| bac41a7b A |
33 | // reality check (internal structure was validated when created) |
| 34 | assert(select.uses(CSSM_ACL_MATCH_BITS)); | |
| 35 | ||
| 36 | // access the environment | |
| 37 | Environment *env = context.environment<Environment>(); | |
| 38 | if (env == NULL) { | |
| 39 | static Environment localEnvironment; | |
| 40 | env = &localEnvironment; | |
| 41 | } | |
| 42 | ||
| 43 | // match uid | |
| 44 | if (select.uses(CSSM_ACL_MATCH_UID)) { | |
| 45 | uid_t uid = env->getuid(); | |
| 46 | if (!(uid == select.uid || (select.uses(CSSM_ACL_MATCH_HONOR_ROOT) && uid == 0))) | |
| 47 | return false; | |
| 48 | } | |
| 49 | ||
| 50 | // match gid | |
| 51 | if (select.uses(CSSM_ACL_MATCH_GID) && select.gid != env->getgid()) | |
| 52 | return false; | |
| 53 | ||
| 54 | return true; | |
| 55 | } | |
| 56 | ||
| 57 | ||
| 58 | // | |
| 59 | // Make a copy of this subject in CSSM_LIST form | |
| 60 | // | |
| 61 | CssmList ProcessAclSubject::toList(CssmAllocator &alloc) const | |
| 62 | { | |
| 63 | // all associated data is public (no secrets) | |
| 64 | //@@@ ownership of selector data is murky; revisit after leak-plugging pass | |
| 65 | CssmData sData(memcpy(alloc.alloc<CSSM_ACL_PROCESS_SUBJECT_SELECTOR>(), | |
| 66 | &select, sizeof(select)), sizeof(select)); | |
| 67 | return TypedList(alloc, CSSM_ACL_SUBJECT_TYPE_PROCESS, | |
| 68 | new(alloc) ListElement(sData)); | |
| 69 | } | |
| 70 | ||
| 71 | ||
| 72 | // | |
| 73 | // Create a ProcessAclSubject | |
| 74 | // | |
| 75 | ProcessAclSubject *ProcessAclSubject::Maker::make(const TypedList &list) const | |
| 76 | { | |
| 77 | // crack input apart | |
| 78 | ListElement *selectorData; | |
| 79 | crack(list, 1, &selectorData, CSSM_LIST_ELEMENT_DATUM); | |
| 80 | AclProcessSubjectSelector selector; | |
| 81 | selectorData->extract(selector); | |
| 82 | ||
| 83 | // validate input | |
| 84 | if (selector.version != CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION) | |
| 85 | CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE); | |
| 86 | if (!selector.uses(CSSM_ACL_MATCH_BITS)) | |
| 87 | CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE); | |
| 88 | ||
| 89 | // okay | |
| 90 | return new ProcessAclSubject(selector); | |
| 91 | } | |
| 92 | ||
| 29654253 | 93 | ProcessAclSubject *ProcessAclSubject::Maker::make(Version, Reader &pub, Reader &priv) const |
| bac41a7b A |
94 | { |
| 95 | AclProcessSubjectSelector selector; pub(selector); | |
| df0e469f A |
96 | n2hi(selector.version); |
| 97 | n2hi(selector.mask); | |
| 98 | n2hi(selector.uid); | |
| 99 | n2hi(selector.gid); | |
| bac41a7b A |
100 | return new ProcessAclSubject(selector); |
| 101 | } | |
| 102 | ||
| 103 | ||
| 104 | // | |
| 105 | // Export the subject to a memory blob | |
| 106 | // | |
| 107 | void ProcessAclSubject::exportBlob(Writer::Counter &pub, Writer::Counter &priv) | |
| 108 | { | |
| 109 | pub(select); | |
| 110 | } | |
| 111 | ||
| 112 | void ProcessAclSubject::exportBlob(Writer &pub, Writer &priv) | |
| 113 | { | |
| df0e469f A |
114 | AclProcessSubjectSelector temp; |
| 115 | temp.version = h2n (select.version); | |
| 116 | temp.mask = h2n (select.mask); | |
| 117 | temp.uid = h2n (select.uid); | |
| 118 | temp.gid = h2n (select.gid); | |
| 119 | pub(temp); | |
| bac41a7b A |
120 | } |
| 121 | ||
| 122 | ||
| 123 | // | |
| 124 | // Implement the default methods of a ProcessEnvironment | |
| 125 | // | |
| 126 | uid_t ProcessAclSubject::Environment::getuid() const | |
| 127 | { | |
| 128 | return ::getuid(); | |
| 129 | } | |
| 130 | ||
| 131 | gid_t ProcessAclSubject::Environment::getgid() const | |
| 132 | { | |
| 133 | return ::getgid(); | |
| 134 | } | |
| 135 | ||
| 136 | ||
| 137 | #ifdef DEBUGDUMP | |
| 138 | ||
| 139 | void ProcessAclSubject::debugDump() const | |
| 140 | { | |
| 141 | Debug::dump("Process "); | |
| 142 | if (select.uses(CSSM_ACL_MATCH_UID)) { | |
| 143 | Debug::dump("uid=%d", int(select.uid)); | |
| 144 | if (select.uses(CSSM_ACL_MATCH_HONOR_ROOT)) | |
| 145 | Debug::dump("+root"); | |
| 146 | } | |
| 147 | if (select.uses(CSSM_ACL_MATCH_GID)) | |
| 148 | Debug::dump("gid=%d", int(select.gid)); | |
| 149 | } | |
| 150 | ||
| 151 | #endif //DEBUGDUMP |