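/*
 * Copyright (c) 2008-2010,2012,2014 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */


/* This file contains the names of all known entitlements currently
   in use on the system.

   Every macro below expands to a constant CFString holding an entitlement
   key. Code that makes an authorization decision should reference these
   macros rather than repeating the string, so that a misspelled key cannot
   silently turn into a lookup that never matches. */

#ifndef _SECURITY_SECENTITLEMENTS_H_
#define _SECURITY_SECENTITLEMENTS_H_

/* TARGET_OS_IPHONE is tested below. An undefined macro evaluates to 0 in
   #if, which would silently select the Mac identifier key, so the defining
   header is included explicitly instead of relying on a transitive include. */
#include <TargetConditionals.h>
#include <CoreFoundation/CFString.h>

__BEGIN_DECLS

/* Allow other tasks to get this task's name port.  This is needed so the app
   can be debugged.
   NOTE(review): because it lets another process attach to this task, it is a
   debugging aid; confirm that release-signed builds do not carry it. */
#define kSecEntitlementGetTaskAllow CFSTR("get-task-allow")

#if TARGET_OS_IPHONE
/* The identifier of this application, typically the same as the
   CFBundleIdentifier.  Used as the default access group for any keychain
   items this application creates and accesses. */
#define kSecEntitlementApplicationIdentifier CFSTR("application-identifier")
#else
/* The identifier of this application, for Mac App Store applications.
   kSecEntitlementApplicationIdentifier is an alias for it on this platform,
   so callers can use one name on both platforms. */
#define kSecEntitlementAppleApplicationIdentifier CFSTR("com.apple.application-identifier")
#define kSecEntitlementApplicationIdentifier kSecEntitlementAppleApplicationIdentifier
#endif

/* The value should be an array of strings.  Each string is the name of an
   access group that the application has access to.  The
   application-identifier is implicitly added to this list.  When creating
   a new keychain item use the kSecAttrAccessGroup attribute (defined in
   <Security/SecItem.h>) to specify its access group.  If omitted, the
   access group defaults to the first access group in this list or the
   application-identifier if there is no keychain-access-groups entitlement. */
#define kSecEntitlementKeychainAccessGroups CFSTR("keychain-access-groups")

/* The value should be an array of strings.  Each string is the name of an
   access group that the application has access to.  The first of
   kSecEntitlementKeychainAccessGroups,
   kSecEntitlementApplicationIdentifier or
   kSecEntitlementAppleSecurityApplicationGroups to have a value becomes the
   default application group for keychain clients that don't specify an
   explicit one. */
#define kSecEntitlementAppleSecurityApplicationGroups CFSTR("com.apple.security.application-groups")

/* Boolean entitlement, if present the application with the entitlement is
   allowed to modify which certificates are trusted as anchors using
   the SecTrustStoreSetTrustSettings() and SecTrustStoreRemoveCertificate()
   SPIs. */
#define kSecEntitlementModifyAnchorCertificates CFSTR("modify-anchor-certificates")

/* NOTE(review): not documented in this header.  The com.apple.springboard
   prefix suggests a SpringBoard-scoped entitlement -- confirm its exact
   meaning with the code that checks it. */
#define kSecEntitlementDebugApplications CFSTR("com.apple.springboard.debugapplications")

/* NOTE(review): not documented in this header; confirm its meaning with the
   code that checks it. */
#define kSecEntitlementOpenSensitiveURL CFSTR("com.apple.springboard.opensensitiveurl")

/* Boolean entitlement, if present allows the application to wipe the keychain
   and truststore. */
#define kSecEntitlementWipeDevice CFSTR("com.apple.springboard.wipedevice")

/* NOTE(review): not documented in this header; confirm its meaning with the
   code that checks it. */
#define kSecEntitlementRemoteNotificationConfigure CFSTR("com.apple.remotenotification.configure")

/* NOTE(review): not documented in this header.  Presumably gates keychain
   migration -- confirm with the code that checks it. */
#define kSecEntitlementMigrateKeychain CFSTR("migrate-keychain")

/* NOTE(review): not documented in this header.  Presumably gates keychain
   restore -- confirm with the code that checks it. */
#define kSecEntitlementRestoreKeychain CFSTR("restore-keychain")

/* Entitlement needed to call SecKeychainSyncUpdate SPI. */
#define kSecEntitlementKeychainSyncUpdates CFSTR("keychain-sync-updates")

/* Boolean entitlement, if present you get access to the SPIs for keychain
   sync circle manipulation. */
#define kSecEntitlementKeychainCloudCircle CFSTR("keychain-cloud-circle")

/* Associated Domains entitlement (contains array of fully-qualified domain
   names). */
#define kSecEntitlementAssociatedDomains CFSTR("com.apple.developer.associated-domains")

/* Entitlement needed to call swcd and swcagent processes. */
#define kSecEntitlementPrivateAssociatedDomains CFSTR("com.apple.private.associated-domains")

__END_DECLS

#endif /* !_SECURITY_SECENTITLEMENTS_H_ */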