Security-164.1.tar.gz
1 /*
2 * Copyright (c) 2003 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 /*
20 * AuthorizationPriv.h -- Authorization SPIs
21 * Private APIs for implementing access control in applications and daemons.
22 *
23 */
24
25 #ifndef _SECURITY_AUTHORIZATIONPRIV_H_
26 #define _SECURITY_AUTHORIZATIONPRIV_H_
27
28 #include <Security/Authorization.h>
29
30 #if defined(__cplusplus)
31 extern "C" {
32 #endif
33
34
35 /*!
36 @header AuthorizationPriv
37 Version 1.1 04/2003
38
39 This header contains private APIs for authorization services.
40 This is the private extension of <Security/Authorization.h>, a public header file.
41 */
42
43
44 /* Meta-right name prefixes: rights named with these prefixes configure who is authorized to make policy changes (adding, modifying or removing rights). */
45
46 /*!
47 @defined kAuthorizationConfigRightAdd
48 Meta-right name prefix for adding rights. NOTE(review): presumably the name of the right being added is appended to this prefix -- confirm against the rule evaluation code.
49 */
50 #define kAuthorizationConfigRightAdd "config.add."
51 /*!
52 @defined kAuthorizationConfigRightModify
53 Meta-right name prefix for modifying rights.
54 */
55 #define kAuthorizationConfigRightModify "config.modify."
56 /*!
57 @defined kAuthorizationConfigRightRemove
58 Meta-right name prefix for removing rights.
59 */
60 #define kAuthorizationConfigRightRemove "config.remove."
61 /*!
62 @defined kConfigRight
63 Common meta-right name prefix; the add, modify and remove prefixes above all begin with it. NOTE(review): unlike its siblings this macro has no kAuthorization prefix; renaming it would break existing includers, so the name is documented as it stands.
64 */
65 #define kConfigRight "config."
66
67 /*!
68 @defined kAuthorizationRuleIsRoot
69 Canned rule for daemon-to-daemon authorization (see AuthorizationDB.h for the public canned rules). NOTE(review): the name suggests the rule is satisfied when the requester runs as root, so rights that delegate to it are presumably root-equivalent -- confirm against the rule's definition.
70 */
71 #define kAuthorizationRuleIsRoot "is-root"
72
73 /* rule classes that specify behavior */
74
75 /*! @defined kAuthorizationRuleClass
76 Name used to specify a rule's class (presumably the key whose value is one of the class names below -- confirm).
77 */
78 #define kAuthorizationRuleClass "class"
79
80 /*! @defined kAuthorizationRuleClassUser
81 Class name specifying the user class.
82 */
83 #define kAuthorizationRuleClassUser "user"
84
85 /*! @defined kAuthorizationRuleClassMechanisms
86 Class name specifying the evaluate-mechanisms class.
87 */
88 #define kAuthorizationRuleClassMechanisms "evaluate-mechanisms"
89
90 /* rule attributes that parameterize the classes above */
91
92 /*! @defined kAuthorizationRuleParameterGroup
93 string, group specification for user rules.
94 */
95 #define kAuthorizationRuleParameterGroup "group"
96
97 /*! @defined kAuthorizationRuleParameterKofN
98 number, the k specification for k-of-n (presumably how many of the n delegated rules must be satisfied -- confirm).
99 */
100 #define kAuthorizationRuleParameterKofN "k-of-n"
101
102 /*! @defined kAuthorizationRuleParameterRules
103 rules specification for rule delegation (including k-of-n).
104 */
105 #define kAuthorizationRuleParameterRules "rules"
106
107 /*! @defined kAuthorizationRuleParameterMechanisms
108 mechanism specification, a sequence of mechanisms to be evaluated */
109 #define kAuthorizationRuleParameterMechanisms "mechanisms"
110
111 /*! @defined kAuthorizationRightParameterTimeout
112 Timeout, if any, after which a remembered right expires.
113 Special values:
114 - not specified: retains previous behavior (most privileged, credential based).
115 - zero: grants the right once
116 (can be achieved with zero credential timeout, needed?)
117 - all other values are interpreted as the number of seconds since the right was granted.
118 */
119 #define kAuthorizationRightParameterTimeout "timeout-right"
120
121 /*! @defined kAuthorizationRuleParameterCredentialTimeout
122 Timeout, if any, for the use of cached credentials when authorizing rights.
123 - not specified: credentials of any age are accepted; rights will be remembered in authorizations, and removing a credential does not stop it from granting this right. Specifying a zero timeout for the right delegates it back to requiring a credential. Because omitting the key is the most permissive setting, rules that guard sensitive rights should state an explicit timeout.
124 - all other values are interpreted as the number of seconds since the credential was created.
125 - zero: only allows the use of credentials created "now". Deprecated in favor of specifying zero for the right timeout (the original comment names it kRightTimeout; presumably kAuthorizationRightParameterTimeout -- confirm).
126 */
127 #define kAuthorizationRuleParameterCredentialTimeout "timeout"
128
129 /*! @defined kAuthorizationRuleParameterCredentialShared
130 boolean that indicates whether credentials acquired during authorization are added to the shared pool. NOTE(review): which other authorizations can reuse a credential from the shared pool is not visible in this header -- confirm before enabling it for sensitive rights.
131 */
132 #define kAuthorizationRuleParameterCredentialShared "shared"
133
134 /*! @defined kAuthorizationRuleParameterAllowRoot
135 boolean that indicates whether to grant a right purely because the caller is root. NOTE(review): how "the caller is root" is determined is not visible in this header -- confirm which identity is checked. */
136 #define kAuthorizationRuleParameterAllowRoot "allow-root"
137
138 /*! @defined kAuthorizationRuleParameterCredentialSessionOwner
139 boolean that indicates whether to grant a right based on a valid session-owner credential */
140 #define kAuthorizationRuleParameterCredentialSessionOwner "session-owner"
141
142 /*! @defined kAuthorizationRuleParameterDefaultPrompt
143 dictionary of localization-name and localized prompt pairs */
144 #define kAuthorizationRuleParameterDefaultPrompt "default-prompt"
145
146 /*!
147 @function AuthorizationBindPrivilegedPort
148 NOTE(review): the original comment gives no description. Judging by the name and parameters, this presumably binds the socket fileDescriptor to the privileged port given in name on behalf of the supplied authorization -- confirm against the implementation, including which right is checked.
149 @param fileDescriptor (input) Presumably the socket descriptor to bind -- TODO confirm.
150
151 @param name (input) Pointer to a struct sockaddr_in, presumably the address and port to bind to -- TODO confirm. NOTE(review): this header includes only <Security/Authorization.h>; unless that header declares struct sockaddr_in, includers need its declaration (e.g. from <netinet/in.h>) before including this file.
152
153 @param authorization (input) The authorization object on which this operation is performed.
154
155 @param flags (input) Bit mask of option flags to this call.
156
157 @result errAuthorizationSuccess 0 No error. NOTE(review): failure results are not listed here; callers should presumably treat every other value as a failed bind.
158 */
159 OSStatus AuthorizationBindPrivilegedPort(int fileDescriptor,
160 const struct sockaddr_in *name,
161 AuthorizationRef authorization,
162 AuthorizationFlags flags);
163 /* NOTE(review): undocumented in the original. Unlike AuthorizationBindPrivilegedPort this takes no AuthorizationRef, so how the caller is authorized cannot be seen from this header -- confirm in the implementation. The double-underscore name lies in the namespace C reserves for the implementation. */
164 int __authorization_bind(int s, const struct sockaddr_in *name);
165
166
167 #if defined(__cplusplus)
168 }
169 #endif
170
171 #endif /* !_SECURITY_AUTHORIZATIONPRIV_H_ */