securityd/src/acls.h

/*
 * Copyright (c) 2000-2001,2003-2007,2011 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */


//
// acls - securityd ACL implementation
//
// These classes implement securityd's local ACL machine in terms of the generic
// ObjectAcl model. In particular, they define securityd's AclValidationEnvironment,
// which hooks the real-world state into the abstract AclSubject submachines.
//
// Note that these classes are *complete* but *extendable*. The default implementation
// uses unmodified local ObjectAcl state. Subclasses (and certain AclSubjects) may delegate
// validation to outside agents (such as a tokend) and thus act as caching forwarding agents.
// Don't assume.
//
#ifndef _H_ACLS
#define _H_ACLS

#include <securityd_client/sscommon.h>
#include <security_cdsa_utilities/cssmacl.h>
#include <security_cdsa_utilities/context.h>
#include <security_cdsa_utilities/acl_process.h>
#include <security_cdsa_utilities/acl_codesigning.h>
#include <security_cdsa_utilities/acl_secret.h>
#include <security_cdsa_utilities/acl_preauth.h>
#include <security_cdsa_utilities/acl_prompted.h>
#include <security_cdsa_utilities/acl_threshold.h>
#include "acl_partition.h"

using namespace SecurityServer;


class Connection;
class Database;
class Process;
class SecurityServerEnvironment;


//
// Interesting entitlements
//
static const char migrationEntitlement[] = "com.apple.private.security.allow-migration";


//
// ACL implementation as used by the SecurityServer
//
class SecurityServerAcl : public ObjectAcl {
public:
	SecurityServerAcl() : ObjectAcl(Allocator::standard()), aclSequence(Mutex::recursive) { }
	virtual ~SecurityServerAcl();

    // validation calls restated
	virtual void validate(AclAuthorization auth, const AccessCredentials *cred, Database *relatedDatabase);
	void validate(AclAuthorization auth, const Context &context, Database *relatedDatabase);

	// CSSM layer ACL calls
	virtual void getOwner(AclOwnerPrototype &owner);
	virtual void getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls);
    virtual void changeAcl(const AclEdit &edit, const AccessCredentials *cred,
		Database *relatedDatabase);
	virtual void changeOwner(const AclOwnerPrototype &newOwner, const AccessCredentials *cred,
		Database *relatedDatabase);

	// to be provided by implementations
	virtual AclKind aclKind() const = 0;

	// a helper to (try to) add an ACL to a "standard form" item ACL
	static bool addToStandardACL(const AclValidationContext &context, AclSubject *subject);
	static bool looksLikeLegacyDotMac(const AclValidationContext &context);

	bool createClientPartitionID(Process& process);
	bool addClientPartitionID(Process& process);

	// implicit partitioning support
	PartitionAclSubject* findPartitionSubject();
	CFDictionaryRef createPartitionPayload();

	// aclSequence is taken to serialize ACL validations to pick up mutual changes
	Mutex aclSequence;

private:
	void validatePartition(SecurityServerEnvironment& env, bool prompt);
	bool extendPartition(SecurityServerEnvironment& env);
};


//
// Our implementation of an ACL validation environment uses information
// derived from a Connection object. It implements context for a fair number
// of subject types (see the inheritance list below).
//
class SecurityServerEnvironment : public virtual AclValidationEnvironment,
    public virtual ProcessAclSubject::Environment,
	public virtual CodeSignatureAclSubject::Environment,
	public virtual SecretAclSubject::Environment,
	public virtual PromptedAclSubject::Environment,
	public virtual PreAuthorizationAcls::Environment {
public:
    SecurityServerEnvironment(SecurityServerAcl &baseAcl, Database *db)
    : acl(baseAcl), database(db) { }

	SecurityServerAcl &acl;
	Database * const database;

	// personalities
    uid_t getuid() const;
    gid_t getgid() const;
	pid_t getpid() const;
	bool verifyCodeSignature(const OSXVerifier &verifier, const AclValidationContext &context);
	bool validateSecret(const SecretAclSubject *me, const AccessCredentials *cred);
	bool getSecret(CssmOwnedData &secret, const CssmData &prompt) const;
	ObjectAcl *preAuthSource();
	Adornable &store(const AclSubject *subject);

	// subject editing
	ThresholdAclSubject *standardSubject(const AclValidationContext &context);
};


//
// An abstract source of a SecurityServerAcl.
// There is a default implementation, which throws OBJECT_ACL_NOT_SUPPORTED.
//
class AclSource {
protected:
	AclSource() { }
	virtual ~AclSource();

public:
	virtual SecurityServerAcl &acl();	// defaults to "no ACL; throw exception"
	virtual Database *relatedDatabase(); // optionally, a Database related to me

	//
    // Forward ACL calls, passing some locally obtained stuff along.
	// These are virtual so an AclSource can override them. Such overrides
	// should enhance/post-process rather than replace functionality.
	//
	virtual void getOwner(AclOwnerPrototype &owner)
	{ return acl().getOwner(owner); }
	virtual void getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
	{ return acl().getAcl(tag, count, acls); }
	virtual void changeAcl(const AclEdit &edit, const AccessCredentials *cred)
	{ return acl().changeAcl(edit, cred, relatedDatabase()); }
	virtual void changeOwner(const AclOwnerPrototype &newOwner, const AccessCredentials *cred)
	{ return acl().changeOwner(newOwner, cred, relatedDatabase()); }
	virtual void validate(AclAuthorization auth, const AccessCredentials *cred, Database* relatedDb = NULL)
    { acl().validate(auth, cred, relatedDb ? relatedDb : relatedDatabase()); }
	virtual void validate(AclAuthorization auth, const Context &context, Database* relatedDb = NULL)
	{ acl().validate(auth, context, relatedDb ? relatedDb : relatedDatabase()); }
};


#endif //_H_ACLS
Commit	Line	Data
	1	/*
	2	* Copyright (c) 2000-2001,2003-2007,2011 Apple Inc. All Rights Reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24
	25	//
	26	// acls - securityd ACL implementation
	27	//
	28	// These classes implement securityd's local ACL machine in terms of the generic
	29	// ObjectAcl model. In particular, they define securityd's AclValidationEnvironment,
	30	// which hooks the real-world state into the abstract AclSubject submachines.
	31	//
	32	// Note that these classes are complete but extendable. The default implementation
	33	// uses unmodified local ObjectAcl state. Subclasses (and certain AclSubjects) may delegate
	34	// validation to outside agents (such as a tokend) and thus act as caching forwarding agents.
	35	// Don't assume.
	36	//
	37	#ifndef _H_ACLS
	38	#define _H_ACLS
	39
	40	#include <securityd_client/sscommon.h>
	41	#include <security_cdsa_utilities/cssmacl.h>
	42	#include <security_cdsa_utilities/context.h>
	43	#include <security_cdsa_utilities/acl_process.h>
	44	#include <security_cdsa_utilities/acl_codesigning.h>
	45	#include <security_cdsa_utilities/acl_secret.h>
	46	#include <security_cdsa_utilities/acl_preauth.h>
	47	#include <security_cdsa_utilities/acl_prompted.h>
	48	#include <security_cdsa_utilities/acl_threshold.h>
	49	#include "acl_partition.h"
	50
	51	using namespace SecurityServer;
	52
	53
	54	class Connection;
	55	class Database;
	56	class Process;
	57	class SecurityServerEnvironment;
	58
	59
	60	//
	61	// Interesting entitlements
	62	//
	63	static const char migrationEntitlement[] = "com.apple.private.security.allow-migration";
	64
	65
	66	//
	67	// ACL implementation as used by the SecurityServer
	68	//
	69	class SecurityServerAcl : public ObjectAcl {
	70	public:
	71	SecurityServerAcl() : ObjectAcl(Allocator::standard()), aclSequence(Mutex::recursive) { }
	72	virtual ~SecurityServerAcl();
	73
	74	// validation calls restated
	75	virtual void validate(AclAuthorization auth, const AccessCredentials cred, Database relatedDatabase);
	76	void validate(AclAuthorization auth, const Context &context, Database *relatedDatabase);
	77
	78	// CSSM layer ACL calls
	79	virtual void getOwner(AclOwnerPrototype &owner);
	80	virtual void getAcl(const char tag, uint32 &count, AclEntryInfo &acls);
	81	virtual void changeAcl(const AclEdit &edit, const AccessCredentials *cred,
	82	Database *relatedDatabase);
	83	virtual void changeOwner(const AclOwnerPrototype &newOwner, const AccessCredentials *cred,
	84	Database *relatedDatabase);
	85
	86	// to be provided by implementations
	87	virtual AclKind aclKind() const = 0;
	88
	89	// a helper to (try to) add an ACL to a "standard form" item ACL
	90	static bool addToStandardACL(const AclValidationContext &context, AclSubject *subject);
	91	static bool looksLikeLegacyDotMac(const AclValidationContext &context);
	92
	93	bool createClientPartitionID(Process& process);
	94	bool addClientPartitionID(Process& process);
	95
	96	// implicit partitioning support
	97	PartitionAclSubject* findPartitionSubject();
	98	CFDictionaryRef createPartitionPayload();
	99
	100	// aclSequence is taken to serialize ACL validations to pick up mutual changes
	101	Mutex aclSequence;
	102
	103	private:
	104	void validatePartition(SecurityServerEnvironment& env, bool prompt);
	105	bool extendPartition(SecurityServerEnvironment& env);
	106	};
	107
	108
	109	//
	110	// Our implementation of an ACL validation environment uses information
	111	// derived from a Connection object. It implements context for a fair number
	112	// of subject types (see the inheritance list below).
	113	//
	114	class SecurityServerEnvironment : public virtual AclValidationEnvironment,
	115	public virtual ProcessAclSubject::Environment,
	116	public virtual CodeSignatureAclSubject::Environment,
	117	public virtual SecretAclSubject::Environment,
	118	public virtual PromptedAclSubject::Environment,
	119	public virtual PreAuthorizationAcls::Environment {
	120	public:
	121	SecurityServerEnvironment(SecurityServerAcl &baseAcl, Database *db)
	122	: acl(baseAcl), database(db) { }
	123
	124	SecurityServerAcl &acl;
	125	Database * const database;
	126
	127	// personalities
	128	uid_t getuid() const;
	129	gid_t getgid() const;
	130	pid_t getpid() const;
	131	bool verifyCodeSignature(const OSXVerifier &verifier, const AclValidationContext &context);
	132	bool validateSecret(const SecretAclSubject me, const AccessCredentials cred);
	133	bool getSecret(CssmOwnedData &secret, const CssmData &prompt) const;
	134	ObjectAcl *preAuthSource();
	135	Adornable &store(const AclSubject *subject);
	136
	137	// subject editing
	138	ThresholdAclSubject *standardSubject(const AclValidationContext &context);
	139	};
	140
	141
	142	//
	143	// An abstract source of a SecurityServerAcl.
	144	// There is a default implementation, which throws OBJECT_ACL_NOT_SUPPORTED.
	145	//
	146	class AclSource {
	147	protected:
	148	AclSource() { }
	149	virtual ~AclSource();
	150
	151	public:
	152	virtual SecurityServerAcl &acl(); // defaults to "no ACL; throw exception"
	153	virtual Database *relatedDatabase(); // optionally, a Database related to me
	154
	155	//
	156	// Forward ACL calls, passing some locally obtained stuff along.
	157	// These are virtual so an AclSource can override them. Such overrides
	158	// should enhance/post-process rather than replace functionality.
	159	//
	160	virtual void getOwner(AclOwnerPrototype &owner)
	161	{ return acl().getOwner(owner); }
	162	virtual void getAcl(const char tag, uint32 &count, AclEntryInfo &acls)
	163	{ return acl().getAcl(tag, count, acls); }
	164	virtual void changeAcl(const AclEdit &edit, const AccessCredentials *cred)
	165	{ return acl().changeAcl(edit, cred, relatedDatabase()); }
	166	virtual void changeOwner(const AclOwnerPrototype &newOwner, const AccessCredentials *cred)
	167	{ return acl().changeOwner(newOwner, cred, relatedDatabase()); }
	168	virtual void validate(AclAuthorization auth, const AccessCredentials cred, Database relatedDb = NULL)
	169	{ acl().validate(auth, cred, relatedDb ? relatedDb : relatedDatabase()); }
	170	virtual void validate(AclAuthorization auth, const Context &context, Database* relatedDb = NULL)
	171	{ acl().validate(auth, context, relatedDb ? relatedDb : relatedDatabase()); }
	172	};
	173
	174
	175	#endif //_H_ACLS