securityd/src/clientid.h

   1 /*
   2  * Copyright (c) 2000-2004,2006-2007,2012 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23 //
  24 // clientid - track and manage identity of securityd clients
  25 //
  26 #ifndef _H_CLIENTID
  27 #define _H_CLIENTID
  28
  29 #include "codesigdb.h"
  30 #include <Security/SecCode.h>
  31 #include <security_utilities/ccaudit.h>
  32 #include <security_utilities/cfutilities.h>
  33 #include <string>
  34
  35
  36 //
  37 // A ClientIdentification object is a mix-in class that tracks
  38 // the identity of associated client processes and their sub-entities
  39 // (aka Code Signing Guest objects).
  40 //
  41 class ClientIdentification : public CodeSignatures::Identity {
  42 public:
  43         ClientIdentification();
  44
  45         std::string partitionId() const;
  46         AclSubject* copyAclSubject() const;
  47
  48         // CodeSignatures::Identity personality
  49         string getPath() const;
  50         const CssmData getHash() const;
  51         OSStatus checkValidity(SecCSFlags flags, SecRequirementRef requirement) const;
  52         OSStatus copySigningInfo(SecCSFlags flags, CFDictionaryRef *info) const;
  53     bool checkAppleSigned() const;
  54         bool hasEntitlement(const char *name) const;
  55
  56 protected:
  57         //
  58         // Access to the underlying SecCodeRef should only be made from methods of
  59         // this class, which must take the appropriate mutex when accessing them.
  60         //
  61         SecCodeRef processCode() const;
  62         SecCodeRef currentGuest() const;
  63
  64         void setup(Security::CommonCriteria::AuditToken const &audit);
  65
  66 public:
  67         IFDUMP(void dump());
  68
  69 private:
  70         CFRef<SecCodeRef> mClientProcess;       // process-level client object
  71
  72         mutable RecursiveMutex mValidityCheckLock; // protects validity check
  73
  74         mutable Mutex mLock;                            // protects everything below
  75
  76         struct GuestState {
  77                 GuestState() : gotHash(false) { }
  78                 CFRef<SecCodeRef> code;
  79                 mutable bool gotHash;
  80                 mutable SHA1::Digest legacyHash;
  81         };
  82         typedef std::map<SecGuestRef, GuestState> GuestMap;
  83         mutable GuestMap mGuests;
  84
  85         mutable std::string mClientPartitionId;
  86         mutable bool mGotPartitionId;
  87
  88         GuestState *current() const;
  89         static std::string partitionIdForProcess(SecStaticCodeRef code);
  90 };
  91
  92
  93 //
  94 // Bonus function
  95 //
  96 std::string codePath(SecStaticCodeRef code);
  97
  98
  99 #endif //_H_CLIENTID