OSX/libsecurity_codesigning/lib/policyengine.h

   1 /*
   2  * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23 #ifndef _H_POLICYENGINE
  24 #define _H_POLICYENGINE
  25
  26 #include "SecAssessment.h"
  27 #include "opaquewhitelist.h"
  28 #include "evaluationmanager.h"
  29 #include "policydb.h"
  30 #include <security_utilities/globalizer.h>
  31 #include <security_utilities/cfutilities.h>
  32 #include <security_utilities/hashing.h>
  33 #include <security_utilities/sqlite++.h>
  34 #include <CoreFoundation/CoreFoundation.h>
  35 #include <Security/CodeSigning.h>
  36
  37 namespace Security {
  38 namespace CodeSigning {
  39
  40
  41 typedef uint EngineOperation;
  42 enum {
  43         opInvalid = 0,
  44         opEvaluate,
  45         opAddAuthority,
  46         opRemoveAuthority,
  47 };
  48
  49
  50 class PolicyEngine : public PolicyDatabase {
  51 public:
  52         PolicyEngine();
  53         virtual ~PolicyEngine();
  54
  55 public:
  56         void evaluate(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result);
  57
  58         CFDictionaryRef update(CFTypeRef target, SecAssessmentFlags flags, CFDictionaryRef context);
  59         CFDictionaryRef add(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context);
  60         CFDictionaryRef remove(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context);
  61         CFDictionaryRef enable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize);
  62         CFDictionaryRef disable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize);
  63         CFDictionaryRef find(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context);
  64
  65         void recordFailure(CFDictionaryRef info);
  66
  67 public:
  68         static void addAuthority(SecAssessmentFlags flags, CFMutableDictionaryRef parent, const char *label, SQLite::int64 row = 0, CFTypeRef cacheInfo = NULL, bool weak = false, uint64_t ruleFlags = 0);
  69         static void addToAuthority(CFMutableDictionaryRef parent, CFStringRef key, CFTypeRef value);
  70
  71 private:
  72         void evaluateCode(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result, bool handleUnsigned);
  73         void evaluateInstall(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result);
  74         void evaluateDocOpen(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result);
  75
  76         void evaluateCodeItem(SecStaticCodeRef code, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, bool nested, CFMutableDictionaryRef result);
  77         void adjustValidation(SecStaticCodeRef code);
  78         bool temporarySigning(SecStaticCodeRef code, AuthorityType type, CFURLRef path, SecAssessmentFlags matchFlags);
  79         void normalizeTarget(CFRef<CFTypeRef> &target, AuthorityType type, CFDictionary &context, std::string *signUnsigned);
  80
  81         void selectRules(SQLite::Statement &action, std::string stanza, std::string table,
  82                 CFTypeRef inTarget, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, std::string suffix = "");
  83         CFDictionaryRef manipulateRules(const std::string &stanza,
  84                 CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize);
  85
  86         void setOrigin(CFArrayRef chain, CFMutableDictionaryRef result);
  87
  88         void recordOutcome(SecStaticCodeRef code, bool allow, AuthorityType type, double expires, SQLite::int64 authority);
  89
  90 private:
  91         OpaqueWhitelist* mOpaqueWhitelist;
  92         CFDictionaryRef opaqueWhitelistValidationConditionsFor(SecStaticCodeRef code);
  93         bool opaqueWhiteListContains(SecStaticCodeRef code, SecAssessmentFeedback feedback, OSStatus reason);
  94         void opaqueWhitelistAdd(SecStaticCodeRef code);
  95
  96     friend class EvaluationManager;
  97     friend class EvaluationTask;
  98 };
  99
 100
 101 } // end namespace CodeSigning
 102 } // end namespace Security
 103
 104 #endif //_H_POLICYENGINE