1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // acl_process - Process-attribute ACL subject type.
21 //
22 #ifdef __MWERKS__
23 #define _CPP_ACL_PROCESS
24 #endif
25
26 #include <Security/acl_process.h>
27 #include <algorithm>
28
29 #include <cstdio> // testing
30
31
32 //
33 // Validate a credential set against this subject
34 //
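// Decide whether the calling environment satisfies this process subject.
//
// context  may supply an Environment; when it supplies none, a function-local
//          default Environment is used instead.
// sample   must be a no-argument sample (length 1); any other length raises
//          CSSM_ERRCODE_INVALID_SAMPLE_VALUE.
//
// Returns true only if every attribute the selector asks for matches. Returns
// false on the first mismatch, and also when the selector has none of the
// CSSM_ACL_MATCH_BITS set.
bool ProcessAclSubject::validate(const AclValidationContext &context,
    const TypedList &sample) const
{
    if (sample.length() != 1)       // no-argument sample
        CssmError::throwMe(CSSM_ERRCODE_INVALID_SAMPLE_VALUE);

    // The selector is expected to have been checked when the subject was
    // created. assert() is compiled out under NDEBUG, so the same condition is
    // also enforced at run time and fails closed: a selector that selects no
    // match attribute could otherwise skip the tests below and reach
    // "return true" (assuming CSSM_ACL_MATCH_BITS covers the UID and GID
    // bits -- confirm against the header).
    assert(select.uses(CSSM_ACL_MATCH_BITS));
    if (!select.uses(CSSM_ACL_MATCH_BITS))
        return false;

    // access the environment; fall back to a shared default when the context
    // carries none
    Environment *env = context.environment<Environment>();
    if (env == NULL) {
        static Environment localEnvironment;
        env = &localEnvironment;
    }

    // match uid: an exact match passes; uid 0 also passes, but only when the
    // selector carries CSSM_ACL_MATCH_HONOR_ROOT
    if (select.uses(CSSM_ACL_MATCH_UID)) {
        const uid_t uid = env->getuid();
        if (uid != select.uid) {
            const bool rootAccepted =
                select.uses(CSSM_ACL_MATCH_HONOR_ROOT) && uid == 0;
            if (!rootAccepted)
                return false;
        }
    }

    // match gid: exact match only, there is no root override on this test
    if (select.uses(CSSM_ACL_MATCH_GID) && select.gid != env->getgid())
        return false;

    return true;
}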
64
65
66 //
67 // Make a copy of this subject in CSSM_LIST form
68 //
// Build the external list form of this subject: a list typed
// CSSM_ACL_SUBJECT_TYPE_PROCESS whose single argument is a byte copy of the
// selector. Both the copy and the list element come from `alloc`.
CssmList ProcessAclSubject::toList(CssmAllocator &alloc) const
{
    // all associated data is public (no secrets)
    //@@@ ownership of selector data is murky; revisit after leak-plugging pass

    // Copy the selector into allocator-owned storage. The buffer is sized for
    // CSSM_ACL_PROCESS_SUBJECT_SELECTOR while sizeof(select) bytes are copied;
    // NOTE(review): this relies on the two types having the same size --
    // confirm against the header.
    void *selectorCopy = memcpy(alloc.alloc<CSSM_ACL_PROCESS_SUBJECT_SELECTOR>(),
        &select, sizeof(select));
    CssmData sData(selectorCopy, sizeof(select));

    // Wrap the copy in a list element and attach it to the typed list.
    ListElement *selectorElement = new(alloc) ListElement(sData);
    return TypedList(alloc, CSSM_ACL_SUBJECT_TYPE_PROCESS, selectorElement);
}
78
79
80 //
81 // Create a ProcessAclSubject
82 //
// Build a ProcessAclSubject from its list form.
//
// The selector is taken from the list argument obtained through crack() and
// is accepted only if its version equals
// CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION and it uses at least one of the
// CSSM_ACL_MATCH_BITS. Either failure raises
// CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE.
//
// Returns a subject allocated with plain `new`; the caller receives the raw
// pointer.
ProcessAclSubject *ProcessAclSubject::Maker::make(const TypedList &list) const
{
    // Take the list apart; crack() is asked for one argument of type
    // CSSM_LIST_ELEMENT_DATUM (its behaviour on a malformed list is not
    // visible in this file).
    ListElement *datum;
    crack(list, 1, &datum, CSSM_LIST_ELEMENT_DATUM);

    AclProcessSubjectSelector parsed;
    datum->extract(parsed);

    // Validate before constructing. The version is tested first, so a
    // selector of the wrong version is rejected without looking at its mask.
    const bool versionOk =
        (parsed.version == CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION);
    if (!versionOk || !parsed.uses(CSSM_ACL_MATCH_BITS))
        CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);

    return new ProcessAclSubject(parsed);
}
100
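// Rebuild a ProcessAclSubject from its exported blob form.
//
// The selector is read from the public reader; the private reader is not
// touched. A selector that uses none of the CSSM_ACL_MATCH_BITS raises
// CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE, the same mask check and error code
// the TypedList overload of make() applies.
//
// Returns a subject allocated with plain `new`; the caller receives the raw
// pointer.
ProcessAclSubject *ProcessAclSubject::Maker::make(Version, Reader &pub, Reader &priv) const
{
    AclProcessSubjectSelector selector;
    pub(selector);

    // The blob is stored data and is not guaranteed to be what exportBlob()
    // wrote. validate() assumes the mask invariant holds, so enforce it here
    // rather than construct a subject that selects no attribute.
    // NOTE(review): selector.version is not compared with
    // CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION on this path, in case blobs
    // written under an earlier selector version must still load -- confirm
    // whether that check belongs here too.
    if (!selector.uses(CSSM_ACL_MATCH_BITS))
        CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);

    return new ProcessAclSubject(selector);
}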
106
107
108 //
109 // Export the subject to a memory blob
110 //
// Counting overload of the blob export: hands the selector to the public
// counter only. Nothing is passed to `priv`.
// NOTE(review): Writer::Counter presumably measures the space the Writer
// overload will need -- confirm against its declaration.
void ProcessAclSubject::exportBlob(Writer::Counter &pub, Writer::Counter &priv)
{
    (void)priv;     // this subject contributes nothing to the private part
    pub(select);
}
115
// Writing overload of the blob export: hands the selector to the public
// writer only. Nothing is passed to `priv`, so the whole selector ends up in
// the public part of the blob.
void ProcessAclSubject::exportBlob(Writer &pub, Writer &priv)
{
    (void)priv;     // this subject contributes nothing to the private part
    pub(select);
}
120
121
122 //
123 // Implement the default methods of a ProcessEnvironment
124 //
// Default user id for validation: forwards to the global ::getuid(), which
// reports the real (not effective) user id of the process running this code.
// validate() uses this implementation when its context supplies no
// Environment.
uid_t ProcessAclSubject::Environment::getuid() const
{
    const uid_t processUid = ::getuid();
    return processUid;
}
129
// Default group id for validation: forwards to the global ::getgid(), which
// reports the real (not effective) group id of the process running this code.
// validate() uses this implementation when its context supplies no
// Environment.
gid_t ProcessAclSubject::Environment::getgid() const
{
    const gid_t processGid = ::getgid();
    return processGid;
}
134
135
136 #ifdef DEBUGDUMP
137
// Debug-only rendering of the selector through Debug::dump: the text
// "Process " followed by "uid=<n>" (plus "+root" when
// CSSM_ACL_MATCH_HONOR_ROOT is used) and "gid=<n>", each only when the
// matching bit is used. The pieces are emitted back to back with no separator.
void ProcessAclSubject::debugDump() const
{
    Debug::dump("Process ");

    const bool matchesUid = select.uses(CSSM_ACL_MATCH_UID);
    if (matchesUid) {
        // ids are printed as signed int
        const int uidValue = int(select.uid);
        Debug::dump("uid=%d", uidValue);

        // the root override is shown only together with a uid match
        const bool rootHonored = select.uses(CSSM_ACL_MATCH_HONOR_ROOT);
        if (rootHonored) {
            Debug::dump("+root");
        }
    }

    const bool matchesGid = select.uses(CSSM_ACL_MATCH_GID);
    if (matchesGid) {
        const int gidValue = int(select.gid);
        Debug::dump("gid=%d", gidValue);
    }
}
149
150 #endif //DEBUGDUMP