1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // acls - SecurityServer ACL implementation
21 //
22 #ifndef _H_ACLS
23 #define _H_ACLS
24
25 #include "securityserver.h"
26 #include <Security/cssmacl.h>
27 #include <Security/acl_process.h>
28 #include <Security/acl_codesigning.h>
29
30
31 class Connection;
32 class Database;
33
34
35 //
36 // ACL implementation as used by the SecurityServer
37 //
//
// SecurityServerAcl - ObjectAcl specialization used for SecurityServer objects.
// Each instance remembers the AclKind it was created for and carries the
// mutex that serializes validations against it.
//
class SecurityServerAcl : public ObjectAcl {
public:
    // Record the kind and pass the allocator through to ObjectAcl unchanged.
    SecurityServerAcl(AclKind k, CssmAllocator &alloc)
        : ObjectAcl(alloc),
          mKind(k)
    {
    }

    virtual ~SecurityServerAcl();

    // The AclKind supplied at construction; never changes afterwards.
    AclKind kind() const
    {
        return mKind;
    }

    // Validation entry points, redeclared here for SecurityServer callers.
    // NOTE(review): the definitions are outside this header. Presumably they
    // run ObjectAcl's validation inside a SecurityServerEnvironment while
    // holding aclSequence -- confirm in the implementation file.
    void validate(AclAuthorization auth, const AccessCredentials *cred);
    void validate(AclAuthorization auth, const Context &context);

    // CSSM-level requests to edit the ACL entries or replace the owner.
    // NOTE(review): both alter who may use the object, so each needs to
    // authorize `cred` against the *current* ACL/owner before applying the
    // change. That check is not visible here -- verify in the definitions.
    void cssmChangeAcl(const AclEdit &edit, const AccessCredentials *cred);
    void cssmChangeOwner(const AclOwnerPrototype &newOwner, const AccessCredentials *cred);

    // Database associated with this ACL. Virtual, so subclasses can supply
    // their own answer; what the base version returns (possibly a null
    // pointer) is defined outside this header.
    virtual const Database *relatedDatabase() const;

    // Taken to serialize ACL validations so that they pick up mutual changes.
    // NOTE(review): the mutex is a public member, so the locking discipline is
    // a caller convention; nothing in this header enforces it.
    Mutex aclSequence;

private:
    AclKind mKind;      // set once by the constructor
};
60
61
62 //
63 // Our implementation of an ACL validation environment uses information
64 // derived from a Connection object. It implements context for
65 // -- ProcessAclSubjects (getuid/getgid)
66 // -- KeychainPromptAclSubjects (connection link)
67 //
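//
// SecurityServerEnvironment - the validation environment handed to ACL
// subjects while one SecurityServerAcl is being evaluated. It satisfies the
// generic AclValidationEnvironment interface plus the Environment interfaces
// of ProcessAclSubject and CodeSignatureAclSubject.
//
class SecurityServerEnvironment : public virtual AclValidationEnvironment,
    public virtual ProcessAclSubject::Environment,
    public virtual CodeSignatureAclSubject::Environment {
public:
    // explicit: an environment only borrows the ACL it is built from, so a
    // SecurityServerAcl must never convert into one silently (an implicit
    // temporary would hold a reference nobody is tracking). Direct
    // initialization, e.g. `SecurityServerEnvironment env(acl);`, is unaffected.
    explicit SecurityServerEnvironment(const SecurityServerAcl &baseAcl)
        : acl(baseAcl) { }

    // Borrowed, not owned: the environment must not outlive this ACL.
    const SecurityServerAcl &acl;

    // Forwards to the ACL's relatedDatabase().
    const Database *database() const { return acl.relatedDatabase(); }

    // Process identity used when matching process-based ACL subjects.
    // NOTE(review): the definitions are outside this header. Because these
    // values drive access decisions, they need to be the peer's identity as
    // reported by the connection/kernel, not anything the client asserts
    // about itself -- confirm in the implementation file.
    uid_t getuid() const;
    gid_t getgid() const;
    pid_t getpid() const;

    // Presumably the hook CodeSignatureAclSubject uses to check the
    // requesting code against `signature`; the meaning of `comment` and
    // whether either pointer may be null are not stated here -- verify
    // against the definition.
    bool verifyCodeSignature(const CodeSigning::Signature *signature, const CssmData *comment);
};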
83
84
85 #endif //_H_ACLS