Security-163.tar.gz
1 /*
2 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
3 *
4 * The contents of this file constitute Original Code as defined in and are
5 * subject to the Apple Public Source License Version 1.2 (the 'License').
6 * You may not use this file except in compliance with the License. Please obtain
7 * a copy of the License at http://www.apple.com/publicsource and read it before
8 * using this file.
9 *
10 * This Original Code and all software distributed under the License are
11 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
12 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
14 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15 * specific language governing rights and limitations under the License.
16 */
17
18
19 //
20 // acl_process - Process-attribute ACL subject type.
21 //
22 #include <Security/acl_process.h>
23 #include <Security/endian.h>
24 #include <algorithm>
25
26
27 //
28 // Validate a credential set against this subject.
29 // No credential is required for this match.
30 //
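bool ProcessAclSubject::validate(const AclValidationContext &context) const
{
    // Decide whether the process described by the validation environment
    // satisfies this subject's uid/gid selector. Returns true only when every
    // attribute selected in select.mask matches; no credential is consulted.

    // A selector that names no match attribute would skip both tests below and
    // accept every caller. The list-based Maker::make rejects such selectors,
    // but the blob-based Maker::make in this file performs no such check, and
    // assert() is compiled out when NDEBUG is defined. Keep the assert for
    // debug builds and fail closed in all builds.
    const bool hasMatchBits = select.uses(CSSM_ACL_MATCH_BITS);
    assert(hasMatchBits);
    if (!hasMatchBits)
        return false;

    // Use the environment supplied by the context when there is one; otherwise
    // fall back to a shared default Environment, whose getuid()/getgid() are
    // implemented in this file as the calling process's own ::getuid()/::getgid().
    // NOTE(review): when validation runs in a server on behalf of a client, the
    // context presumably has to supply an Environment describing the client;
    // with the fallback the comparison is against the validating process
    // itself -- confirm against callers.
    Environment *env = context.environment<Environment>();
    if (env == NULL) {
        static Environment localEnvironment;
        env = &localEnvironment;
    }

    // uid test: the uid must equal the selector's uid, unless the selector
    // honors root and the environment reports uid 0.
    if (select.uses(CSSM_ACL_MATCH_UID)) {
        const uid_t uid = env->getuid();
        const bool rootOverride = select.uses(CSSM_ACL_MATCH_HONOR_ROOT) && uid == 0;
        if (uid != select.uid && !rootOverride)
            return false;
    }

    // gid test: exact match only; CSSM_ACL_MATCH_HONOR_ROOT is not consulted here.
    if (select.uses(CSSM_ACL_MATCH_GID) && select.gid != env->getgid())
        return false;

    return true;
}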
56
57
58 //
59 // Make a copy of this subject in CSSM_LIST form
60 //
CssmList ProcessAclSubject::toList(CssmAllocator &alloc) const
{
    // Build the CSSM_LIST form of this subject: a typed list tagged
    // CSSM_ACL_SUBJECT_TYPE_PROCESS whose single element is a byte copy of the
    // selector. Everything in the selector is public, so nothing is withheld.
    // The copy is a raw memcpy of the in-memory struct, so it is in host byte
    // order (exportBlob, by contrast, converts each field with h2n).

    //@@@ ownership of selector data is murky; revisit after leak-plugging pass
    void *selectorCopy = alloc.alloc<CSSM_ACL_PROCESS_SUBJECT_SELECTOR>();
    memcpy(selectorCopy, &select, sizeof(select));
    CssmData sData(selectorCopy, sizeof(select));

    // The element is allocated from the caller's allocator, like the copy above.
    ListElement *selectorElement = new(alloc) ListElement(sData);
    return TypedList(alloc, CSSM_ACL_SUBJECT_TYPE_PROCESS, selectorElement);
}
70
71
72 //
73 // Create a ProcessAclSubject
74 //
ProcessAclSubject *ProcessAclSubject::Maker::make(const TypedList &list) const
{
    // Construct a subject from its CSSM_LIST form. The list must carry one
    // datum element holding the selector; a selector with the wrong version or
    // with no match attribute selected is rejected with
    // CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE.

    // Pull the single datum element out of the list and read the selector from it.
    ListElement *selectorData;
    crack(list, 1, &selectorData, CSSM_LIST_ELEMENT_DATUM);
    AclProcessSubjectSelector selector;
    selectorData->extract(selector);

    // Both failures report the same error code, so test them together. The
    // match-bits test matters for access control: validate() returns true when
    // no selected attribute fails to match, so an empty selection must never
    // reach it.
    if (selector.version != CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION
        || !selector.uses(CSSM_ACL_MATCH_BITS))
        CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);

    // Caller receives a heap-allocated subject.
    return new ProcessAclSubject(selector);
}
92
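ProcessAclSubject *ProcessAclSubject::Maker::make(Version, Reader &pub, Reader &priv) const
{
    // Construct a subject from its exported blob form. The selector is read
    // from the public stream and each field is converted from network to host
    // byte order in place; the private stream is not read.
    AclProcessSubjectSelector selector;
    pub(selector);
    n2hi(selector.version);
    n2hi(selector.mask);
    n2hi(selector.uid);
    n2hi(selector.gid);

    // Apply the same match-bits rule as the list-based make(). A stored blob
    // is input like any other: a mask with no match attribute would produce a
    // subject whose validate() has nothing to test, so reject it here instead
    // of constructing it.
    if (!selector.uses(CSSM_ACL_MATCH_BITS))
        CssmError::throwMe(CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE);

    // NOTE(review): the list-based make() also requires
    // selector.version == CSSM_ACL_PROCESS_SELECTOR_CURRENT_VERSION. That check
    // is not added here because blobs written with another version may exist;
    // confirm and enforce it if they do not.

    return new ProcessAclSubject(selector);
}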
102
103
104 //
105 // Export the subject to a memory blob
106 //
void ProcessAclSubject::exportBlob(Writer::Counter &pub, Writer::Counter &priv)
{
    // Sizing pass for the blob export: account for one selector in the public
    // counter. Nothing is added to the private counter, matching the writing
    // overload, which emits the selector to the public stream only.
    pub(this->select);
}
111
void ProcessAclSubject::exportBlob(Writer &pub, Writer &priv)
{
    // Write this subject's selector to the public stream with every field
    // converted to network byte order; the blob-based Maker::make reverses the
    // conversion with n2hi. The private stream is left untouched.
    //
    // NOTE(review): only these four fields are assigned before the whole
    // struct is written. This assumes the selector has no other members or
    // padding (or that its default constructor clears them); otherwise
    // unassigned bytes would end up in the blob -- confirm against the header.
    AclProcessSubjectSelector wire;
    wire.version = h2n(select.version);
    wire.mask = h2n(select.mask);
    wire.uid = h2n(select.uid);
    wire.gid = h2n(select.gid);
    pub(wire);
}
121
122
123 //
124 // Implement the default methods of a ProcessEnvironment
125 //
uid_t ProcessAclSubject::Environment::getuid() const
{
    // Default environment: report the uid of the process running this code.
    // POSIX getuid() returns the real user id, not the effective one, so a
    // set-uid program is matched by the invoking user's id.
    const uid_t processUid = ::getuid();
    return processUid;
}
130
gid_t ProcessAclSubject::Environment::getgid() const
{
    // Default environment: report the gid of the process running this code.
    // POSIX getgid() returns the real group id; supplementary groups are not
    // considered.
    const gid_t processGid = ::getgid();
    return processGid;
}
135
136
137 #ifdef DEBUGDUMP
138
void ProcessAclSubject::debugDump() const
{
    // Emit a one-line description of the selector through Debug::dump:
    // "Process ", then "uid=N" (followed by "+root" when root is honored) if
    // the uid is matched, then "gid=N" if the gid is matched.
    Debug::dump("Process ");

    const bool showUid = select.uses(CSSM_ACL_MATCH_UID);
    if (showUid)
        Debug::dump("uid=%d", static_cast<int>(select.uid));
    // The root override is only meaningful, and only printed, with a uid match.
    if (showUid && select.uses(CSSM_ACL_MATCH_HONOR_ROOT))
        Debug::dump("+root");

    const bool showGid = select.uses(CSSM_ACL_MATCH_GID);
    if (showGid)
        Debug::dump("gid=%d", static_cast<int>(select.gid));
}
150
151 #endif //DEBUGDUMP