SecurityServer/Authorization/AuthorizationPriv.h

   1 /*
   2  * Copyright (c) 2003 Apple Computer, Inc. All Rights Reserved.
   3  *
   4  * The contents of this file constitute Original Code as defined in and are
   5  * subject to the Apple Public Source License Version 1.2 (the 'License').
   6  * You may not use this file except in compliance with the License. Please obtain
   7  * a copy of the License at http://www.apple.com/publicsource and read it before
   8  * using this file.
   9  *
  10  * This Original Code and all software distributed under the License are
  11  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
  12  * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
  13  * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
  14  * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
  15  * specific language governing rights and limitations under the License.
  16  */
  17
  18
  19 /*
  20  *  AuthorizationPriv.h -- Authorization SPIs
  21  *  Private APIs for implementing access control in applications and daemons.
  22  *
  23  */
  24
  25 #ifndef _SECURITY_AUTHORIZATIONPRIV_H_
  26 #define _SECURITY_AUTHORIZATIONPRIV_H_
  27
  28 #include <Security/Authorization.h>
  29
  30 #if defined(__cplusplus)
  31 extern "C" {
  32 #endif
  33
  34
  35 /*!
  36         @header AuthorizationPriv
  37         Version 1.1 04/2003
  38
  39         This header contains private APIs for authorization services.
  40         This is the private extension of <Security/Authorization.h>, a public header file.
  41 */
  42
  43
  44 /* meta-rightname prefixes that configure authorization for policy changes */
  45
  46 /*!
  47         @defined kConfigRightAdd
  48         meta-rightname for prefix adding rights.
  49 */
  50 #define kAuthorizationConfigRightAdd    "config.add."
  51 /*!
  52         @defined kConfigRightModify
  53         meta-rightname prefix for modifying rights.
  54 */
  55 #define kAuthorizationConfigRightModify "config.modify."
  56 /*!
  57         @defined kConfigRightRemove
  58         meta-rightname prefix for removing rights.
  59 */
  60 #define kAuthorizationConfigRightRemove "config.remove."
  61 /*!
  62         @defined kConfigRight
  63         meta-rightname prefix.
  64 */
  65 #define kConfigRight                                    "config."
  66
  67 /*!
  68         @defined kRuleIsRoot
  69         canned rule for daemon to daemon convincing (see AuthorizationDB.h for public ones)
  70 */
  71 #define kAuthorizationRuleIsRoot                                "is-root"
  72
  73 /* rule classes the specify behavior */
  74
  75 /*!     @defined kAuthorizationRuleClass
  76         Specifying rule class
  77 */
  78 #define kAuthorizationRuleClass                                 "class"
  79
  80 /*! @defined kAuthorizationRuleClassUser
  81         Specifying user class
  82 */
  83 #define kAuthorizationRuleClassUser                             "user"
  84
  85 /*! @defined kAuthorizationRuleClassMechanisms
  86         Specifying evaluate-mechanisms class
  87 */
  88 #define kAuthorizationRuleClassMechanisms               "evaluate-mechanisms"
  89
  90 /* rule attributes to specify above classes */
  91
  92 /*! @defined kAuthorizationRuleParameterGroup
  93         string, group specification for user rules.
  94 */
  95 #define kAuthorizationRuleParameterGroup                "group"
  96
  97 /*! @defined kAuthorizationRuleParameterKofN
  98         number, k specification for k-of-n
  99 */
 100 #define kAuthorizationRuleParameterKofN                 "k-of-n"
 101
 102 /*! @defined kAuthorizationRuleParameterRules
 103         rules specification for rule delegation (incl. k-of-n)
 104 */
 105 #define kAuthorizationRuleParameterRules                "rules"
 106
 107 /*! @defined kAuthorizationRuleParameterMechanisms
 108         mechanism specification, a sequence of mechanisms to be evaluated */
 109 #define kAuthorizationRuleParameterMechanisms   "mechanisms"
 110
 111 /*! @defined kAuthorizationRightParameterTimeout
 112         timeout if any when a remembered right expires.
 113         special values:
 114         - not specified retains previous behavior: most privileged, credential based.
 115         - zero grants the right once
 116 (can be achieved with zero credential timeout, needed?)
 117         - all other values are interpreted as number of seconds since granted.
 118 */
 119 #define kAuthorizationRightParameterTimeout     "timeout-right"
 120
 121 /*! @defined kAuthorizationRuleParameterCredentialTimeout
 122         timeout if any for the use of cached credentials when authorizing rights.
 123         - not specified allows for any credentials regardless of age; rights will be remembered in authorizations, removing a credential does not stop it from granting this right, specifying a zero timeout for the right will delegate it back to requiring a credential.
 124         - all other values are interpreted as number of seconds since the credential was created
 125         - zero only allows for the use of credentials created "now" // This is deprecated by means of specifying zero for kRightTimeout
 126 */
 127 #define kAuthorizationRuleParameterCredentialTimeout            "timeout"
 128
 129 /*!     @defined kAuthorizationRuleParameterCredentialShared
 130         boolean that indicates whether credentials acquired during authorization are added to the shared pool.
 131 */
 132 #define kAuthorizationRuleParameterCredentialShared             "shared"
 133
 134 /*! @defined kAuthorizationRuleParameterAllowRoot
 135         boolean that indicates whether to grant a right purely because the caller is root */
 136 #define kAuthorizationRuleParameterAllowRoot            "allow-root"
 137
 138 /*! @defined kAuthorizationRuleParameterCredentialSessionOwner
 139         boolean that indicates whether to grant a right based on a valid session-owner credential */
 140 #define kAuthorizationRuleParameterCredentialSessionOwner               "session-owner"
 141
 142 /*! @defined kRuleDefaultPrompt
 143         dictionary of localization-name and localized prompt pairs */
 144 #define kAuthorizationRuleParameterDefaultPrompt        "default-prompt"
 145
 146 /*!
 147     @function AuthorizationBindPrivilegedPort
 148
 149     @param fileDescriptor (input)
 150
 151         @param name (input)
 152
 153     @param authorization (input) The authorization object on which this operation is performed.
 154
 155         @param flags (input) Bit mask of option flags to this call.
 156
 157     @result errAuthorizationSuccess 0 No error.
 158 */
 159 OSStatus AuthorizationBindPrivilegedPort(int fileDescriptor,
 160         const struct sockaddr_in *name,
 161         AuthorizationRef authorization,
 162         AuthorizationFlags flags);
 163
 164 int __authorization_bind(int s, const struct sockaddr_in *name);
 165
 166
 167 #if defined(__cplusplus)
 168 }
 169 #endif
 170
 171 #endif /* !_SECURITY_AUTHORIZATIONPRIV_H_ */