2 * Copyright (c) 2000-2004,2006,2011,2014 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 // acl_process - Process-attribute ACL subject type.
28 #include <security_cdsa_utilities/acl_process.h>
29 #include <security_utilities/endian.h>
34 // Validate a credential set against this subject.
35 // No credential is required for this match.
37 bool ProcessAclSubject::validates(const AclValidationContext
&context
) const
39 // reality check (internal structure was validated when created)
40 assert(select
.uses(CSSM_ACL_MATCH_BITS
));
42 // access the environment
43 Environment
*env
= context
.environment
<Environment
>();
45 static Environment localEnvironment
;
46 env
= &localEnvironment
;
50 if (select
.uses(CSSM_ACL_MATCH_UID
)) {
51 uid_t uid
= env
->getuid();
52 if (!(uid
== select
.uid
|| (select
.uses(CSSM_ACL_MATCH_HONOR_ROOT
) && uid
== 0)))
57 if (select
.uses(CSSM_ACL_MATCH_GID
) && select
.gid
!= env
->getgid())
65 // Make a copy of this subject in CSSM_LIST form
67 CssmList
ProcessAclSubject::toList(Allocator
&alloc
) const
69 // all associated data is public (no secrets)
70 //@@@ ownership of selector data is murky; revisit after leak-plugging pass
71 CssmData
sData(memcpy(alloc
.alloc
<CSSM_ACL_PROCESS_SUBJECT_SELECTOR
>(),
72 &select
, sizeof(select
)), sizeof(select
));
73 return TypedList(alloc
, CSSM_ACL_SUBJECT_TYPE_PROCESS
,
74 new(alloc
) ListElement(sData
));
79 // Create a ProcessAclSubject
81 ProcessAclSubject
*ProcessAclSubject::Maker::make(const TypedList
&list
) const
84 ListElement
*selectorData
;
85 crack(list
, 1, &selectorData
, CSSM_LIST_ELEMENT_DATUM
);
86 AclProcessSubjectSelector selector
;
87 selectorData
->extract(selector
);
90 if (selector
.version
!= CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION
)
91 CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE
);
92 if (!selector
.uses(CSSM_ACL_MATCH_BITS
)) {
93 CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE
);
97 return new ProcessAclSubject(selector
);
100 ProcessAclSubject
*ProcessAclSubject::Maker::make(Version
, Reader
&pub
, Reader
&priv
) const
102 AclProcessSubjectSelector selector
; pub(selector
);
103 n2hi(selector
.version
);
107 return new ProcessAclSubject(selector
);
112 // Export the subject to a memory blob
114 void ProcessAclSubject::exportBlob(Writer::Counter
&pub
, Writer::Counter
&priv
)
119 void ProcessAclSubject::exportBlob(Writer
&pub
, Writer
&priv
)
121 AclProcessSubjectSelector temp
;
122 temp
.version
= h2n (select
.version
);
123 temp
.mask
= h2n (select
.mask
);
124 temp
.uid
= h2n (select
.uid
);
125 temp
.gid
= h2n (select
.gid
);
131 // Implement the default methods of a ProcessEnvironment
133 uid_t
ProcessAclSubject::Environment::getuid() const
138 gid_t
ProcessAclSubject::Environment::getgid() const
146 void ProcessAclSubject::debugDump() const
148 Debug::dump("Process ");
149 if (select
.uses(CSSM_ACL_MATCH_UID
)) {
150 Debug::dump("uid=%d", int(select
.uid
));
151 if (select
.uses(CSSM_ACL_MATCH_HONOR_ROOT
))
152 Debug::dump("+root");
154 if (select
.uses(CSSM_ACL_MATCH_GID
))
155 Debug::dump("gid=%d", int(select
.gid
));