2 * Copyright (c) 2000-2007,2010-2012 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 // authority - authorization manager
31 #include <security_utilities/osxcode.h>
32 #include <security_utilities/ccaudit.h>
34 #include "credential.h"
35 #include <security_cdsa_utilities/AuthorizationData.h>
37 using Authorization::AuthItemSet
;
38 using Authorization::Credential
;
39 using Authorization::CredentialSet
;
40 using Security::CommonCriteria::AuditToken
;
45 class AuthorizationToken
: public PerSession
{
// Construct a token for session `ssn`, based on the credential set `base`.
// `auditToken` is the raw audit token passed in for the creating process.
// `operateAsLeastPrivileged` is optional and defaults to false.
// NOTE(review): presumably the creator* fields (uid, gid, pid, audit token,
// sandbox state) are derived from `auditToken` in the implementation file;
// that is not visible in this header, so confirm there.
AuthorizationToken(
	Session &ssn,
	const CredentialSet &base,
	const audit_token_t &auditToken,
	bool operateAsLeastPrivileged = false);

// Declared here, defined out of line.
~AuthorizationToken();
// Session accessor; defined out of line.
// NOTE(review): presumably the session passed to the constructor; confirm.
Session &session() const;

// The AuthorizationBlob stored in mHandle (the member comment calls it the
// "official randomized blob marker"). Returned by const reference.
const AuthorizationBlob &handle() const
{
	return mHandle;
}

// The credential set this token is based on, by const reference (no copy).
const CredentialSet &baseCreds() const
{
	return mBaseCreds;
}

// Returns a CredentialSet by value; defined out of line.
// NOTE(review): how "effective" differs from the base set is decided in the
// implementation, not in this header.
CredentialSet effectiveCreds() const;
// Iteration over the base credentials. begin()/end() return mutable
// CredentialSet iterators that point straight into mBaseCreds.
// NOTE(review): neither accessor takes mLock; presumably callers serialize
// access to the token while iterating. Verify at the call sites.
typedef CredentialSet::iterator iterator;

iterator begin()
{
	return mBaseCreds.begin();
}

iterator end()
{
	return mBaseCreds.end();
}
// Add more credential dependencies: takes the set `more` by const reference.
// Defined out of line.
// NOTE(review): presumably merges into mBaseCreds; confirm in the
// implementation, including what happens to an entry that is already present.
void mergeCredentials(const CredentialSet &more);
// Maintain the process-owning links (see mUsingProcesses, the set of Process
// objects using this token). Both functions are defined out of line.
void addProcess(Process &proc);

// NOTE(review): the meaning of the bool result is not stated in this header.
// Presumably it reports whether `proc` was the last user of the token; confirm
// before relying on it for teardown decisions.
bool endProcess(Process &proc);
// Access control for external representations of the token. Each check is
// made on behalf of the process `proc`; both are defined out of line.
bool mayExternalize(Process &proc) const;

// `countIt` defaults to true.
// NOTE(review): presumably a counted call draws down mTransferCount
// ("number of internalizations remaining"), which would bound how often an
// externalized token can be imported. Confirm in the implementation, and
// check which callers pass countIt = false.
bool mayInternalize(Process &proc, bool countIt = true);
// Identity of the process that created this authorization. Every accessor
// except creatorPath() simply returns the stored member.

// Uid of the creating process.
uid_t creatorUid() const
{
	return mCreatorUid;
}

// Gid of the creating process.
gid_t creatorGid() const
{
	return mCreatorGid;
}

// Code reference to the creator, as held in mCreatorCode.
// NOTE(review): no retain is visible in this accessor, so this looks like a
// borrowed reference; confirm against CFCopyRef's conversion semantics.
SecStaticCodeRef creatorCode() const
{
	return mCreatorCode;
}

// Path of the creator as a std::string; defined out of line.
std::string creatorPath() const;

// Pid of the creating process.
// NOTE(review): a pid by itself does not pin a process identity over time,
// because the system reuses pids. Identity-sensitive callers should presumably
// use creatorAuditToken() instead; confirm how callers use this value.
pid_t creatorPid() const
{
	return mCreatorPid;
}

// Recorded flag: whether the creator was sandboxed.
bool creatorSandboxed() const
{
	return mCreatorSandboxed;
}

// Audit token of the creating process, by const reference.
const AuditToken &creatorAuditToken() const
{
	return mCreatorAuditToken;
}
// Side-band information gathered from evaluations (held in mInfoSet).

// Returns an AuthItemSet by value. `tag` is optional and defaults to NULL.
// NOTE(review): presumably a NULL tag selects the whole set and a non-NULL
// tag filters it; confirm in the implementation.
AuthItemSet infoSet(AuthorizationString tag = NULL);

// The next three functions all take `savePassword`.
// NOTE(review): presumably the flag decides whether password items are kept
// (the class also holds mSavedPassword) or dropped. Because this is secret
// material kept in memory, confirm the exact retention and scrubbing
// behaviour in the implementation before changing any caller's argument.
void setInfoSet(AuthItemSet &newInfoSet, bool savePassword);
void setCredentialInfo(const Credential &inCred, bool savePassword);
void scrubInfoSet(bool savePassword);

// Returns the stored least-privilege flag.
bool operatesAsLeastPrivileged() const
{
	return mOperatesAsLeastPrivileged;
}
// Class-level lookup of a token by its AuthorizationBlob; defined out of line.
// NOTE(review): the result is a reference, so an unknown blob cannot be
// reported as a null result. Presumably the lookup throws on a miss; confirm.
// The lifetime of the returned reference relative to removal from the map
// also needs checking.
static AuthorizationToken &find(const AuthorizationBlob &blob);
// NOTE(review): the declaration that opens the Deleter type is not part of
// this listing, and any access specifiers are missing too. The three members
// below are presumably those of a nested helper class; confirm against the
// full header.

// Constructed from the blob that names the token.
Deleter(const AuthorizationBlob &blob);

// Implicit conversion to the token: dereferences mAuth.
operator AuthorizationToken &() const
{
	return *mAuth;
}

// Reference to the token this helper operates on.
// NOTE(review): RefPointer is presumably a counted reference that keeps the
// token alive while the helper exists; confirm.
RefPointer<AuthorizationToken> mAuth;
// object lock (mutable, so const member functions can take it)
mutable Mutex mLock;
// official randomized blob marker
AuthorizationBlob mHandle;
// credentials we're based on
CredentialSet mBaseCreds;

// number of internalizations remaining
unsigned int mTransferCount;

// set of process objects using this token
typedef set<Process *> ProcessSet;
ProcessSet mUsingProcesses;

// Uid of process that created this authorization
uid_t mCreatorUid;
// Gid of process that created this authorization
gid_t mCreatorGid;
// code reference to creator
CFCopyRef<SecStaticCodeRef> mCreatorCode;
// Pid of process that created this authorization
pid_t mCreatorPid;
// A record of whether or not the creator was sandboxed
bool mCreatorSandboxed;

// Audit token of the process that created this authorization
AuditToken mCreatorAuditToken;

// Side band info gathered from evaluations in this session
AuthItemSet mInfoSet;

// Flag returned by operatesAsLeastPrivileged().
bool mOperatesAsLeastPrivileged;

// NOTE(review): not documented in this header. Presumably this holds the
// password items kept when a caller passes savePassword = true. Confirm where
// it is filled and where it is cleared, because it is secret material held
// for the life of the token.
AuthItemSet mSavedPassword;
// Class-wide registry: maps each AuthorizationBlob to a counted reference to
// its token.
typedef map<AuthorizationBlob, RefPointer<AuthorizationToken> > AuthMap;

// set of extant authorizations (a static reference; the map object itself is
// defined elsewhere)
static AuthMap &authMap;

// lock for the authorization map only (the earlier comment named it
// mAuthorizations); per-token state is covered by each token's mLock
static Mutex authMapLock;
132 #endif //_H_AUTHORITY