2 * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
23 #ifndef _H_POLICYENGINE
24 #define _H_POLICYENGINE
26 #include "SecAssessment.h"
27 #include "opaquewhitelist.h"
28 #include "evaluationmanager.h"
30 #include <security_utilities/globalizer.h>
31 #include <security_utilities/cfutilities.h>
32 #include <security_utilities/hashing.h>
33 #include <security_utilities/sqlite++.h>
34 #include <CoreFoundation/CoreFoundation.h>
35 #include <Security/CodeSigning.h>
38 namespace CodeSigning
{
41 typedef uint EngineOperation
;
50 class PolicyEngine
: public PolicyDatabase
{
53 virtual ~PolicyEngine();
56 void evaluate(CFURLRef path
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
, CFMutableDictionaryRef result
);
58 CFDictionaryRef
update(CFTypeRef target
, SecAssessmentFlags flags
, CFDictionaryRef context
);
59 CFDictionaryRef
add(CFTypeRef target
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
);
60 CFDictionaryRef
remove(CFTypeRef target
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
);
61 CFDictionaryRef
enable(CFTypeRef target
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
, bool authorize
);
62 CFDictionaryRef
disable(CFTypeRef target
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
, bool authorize
);
63 CFDictionaryRef
find(CFTypeRef target
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
);
65 void recordFailure(CFDictionaryRef info
);
68 static void addAuthority(SecAssessmentFlags flags
, CFMutableDictionaryRef parent
, const char *label
, SQLite::int64 row
= 0, CFTypeRef cacheInfo
= NULL
, bool weak
= false, uint64_t ruleFlags
= 0);
69 static void addToAuthority(CFMutableDictionaryRef parent
, CFStringRef key
, CFTypeRef value
);
72 void evaluateCode(CFURLRef path
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
, CFMutableDictionaryRef result
, bool handleUnsigned
);
73 void evaluateInstall(CFURLRef path
, SecAssessmentFlags flags
, CFDictionaryRef context
, CFMutableDictionaryRef result
);
74 void evaluateDocOpen(CFURLRef path
, SecAssessmentFlags flags
, CFDictionaryRef context
, CFMutableDictionaryRef result
);
76 void evaluateCodeItem(SecStaticCodeRef code
, CFURLRef path
, AuthorityType type
, SecAssessmentFlags flags
, bool nested
, CFMutableDictionaryRef result
);
77 void adjustValidation(SecStaticCodeRef code
);
78 bool temporarySigning(SecStaticCodeRef code
, AuthorityType type
, CFURLRef path
, SecAssessmentFlags matchFlags
);
79 void normalizeTarget(CFRef
<CFTypeRef
> &target
, AuthorityType type
, CFDictionary
&context
, std::string
*signUnsigned
);
81 void selectRules(SQLite::Statement
&action
, std::string stanza
, std::string table
,
82 CFTypeRef inTarget
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
, std::string suffix
= "");
83 CFDictionaryRef
manipulateRules(const std::string
&stanza
,
84 CFTypeRef target
, AuthorityType type
, SecAssessmentFlags flags
, CFDictionaryRef context
, bool authorize
);
86 void setOrigin(CFArrayRef chain
, CFMutableDictionaryRef result
);
88 void recordOutcome(SecStaticCodeRef code
, bool allow
, AuthorityType type
, double expires
, SQLite::int64 authority
);
91 OpaqueWhitelist
* mOpaqueWhitelist
;
92 CFDictionaryRef
opaqueWhitelistValidationConditionsFor(SecStaticCodeRef code
);
93 bool opaqueWhiteListContains(SecStaticCodeRef code
, SecAssessmentFeedback feedback
, OSStatus reason
);
94 void opaqueWhitelistAdd(SecStaticCodeRef code
);
96 friend class EvaluationManager
;
97 friend class EvaluationTask
;
101 } // end namespace CodeSigning
102 } // end namespace Security
104 #endif //_H_POLICYENGINE