1 /*
2 * Copyright (c) 2000-2007,2010-2012 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 //
26 // authority - authorization manager
27 //
28 #ifndef _H_AUTHORITY
29 #define _H_AUTHORITY
30
31 #include <security_utilities/osxcode.h>
32 #include <security_utilities/ccaudit.h>
33 #include "database.h"
34 #include "credential.h"
35 #include <security_cdsa_utilities/AuthorizationData.h>
36
37 using Authorization::AuthItemSet;
38 using Authorization::Credential;
39 using Authorization::CredentialSet;
40 using Security::CommonCriteria::AuditToken;
41
42 class Process;
43 class Session;
44
//
// AuthorizationToken - one live authorization held by securityd on behalf of
// a session. It is a PerSession object, so its lifetime is bounded by the
// owning Session. The token is identified externally by an AuthorizationBlob
// (mHandle), which is also the key of the process-wide AuthMap below.
//
// Locking: mLock is the per-object lock; the static authMap is guarded by
// authMapLock. The inline accessors in this header take neither lock.
//
class AuthorizationToken : public PerSession {
public:
    // Create a token for session ssn, seeded with the credentials in base.
    // auditToken identifies the creating process; operateAsLeastPrivileged
    // records the least-privilege mode requested at creation (see
    // operatesAsLeastPrivileged()).
    AuthorizationToken(Session &ssn, const CredentialSet &base, const audit_token_t &auditToken, bool operateAsLeastPrivileged = false);
    ~AuthorizationToken();

    // The session this token belongs to.
    Session &session() const;

    // The blob that names this token to clients and in the AuthMap
    // ("official randomized blob marker", see mHandle).
    const AuthorizationBlob &handle() const { return mHandle; }
    // Credentials this token was built on (plus anything merged in later).
    const CredentialSet &baseCreds() const { return mBaseCreds; }
    // Credentials currently in effect; computed, not stored (defined out of line).
    CredentialSet effectiveCreds() const;

    // Mutable iteration over the base credential set. These do not take
    // mLock; NOTE(review): callers iterating concurrently with
    // mergeCredentials() presumably need to hold it themselves - confirm.
    typedef CredentialSet::iterator iterator;
    iterator begin() { return mBaseCreds.begin(); }
    iterator end() { return mBaseCreds.end(); }

    // add more credential dependencies
    void mergeCredentials(const CredentialSet &more);

    // maintain process-owning links
    // addProcess registers proc as a user of this token; endProcess drops it.
    // The meaning of endProcess's bool result is not visible in this header.
    void addProcess(Process &proc);
    bool endProcess(Process &proc);

    // access control for external representations
    // mayExternalize: may proc hand this token out as an external form?
    // mayInternalize: may proc take an external form back in? When countIt
    // is true the call presumably consumes one of mTransferCount
    // (see below) - confirm in authority.cpp.
    bool mayExternalize(Process &proc) const;
    bool mayInternalize(Process &proc, bool countIt = true);

    // Identity of the process that created this token, captured at
    // construction. These are the values used for ownership decisions, so
    // they deliberately do not track the current caller.
    uid_t creatorUid() const { return mCreatorUid; }
    gid_t creatorGid() const { return mCreatorGid; }
    SecStaticCodeRef creatorCode() const { return mCreatorCode; }
    std::string creatorPath() const;
    pid_t creatorPid() const { return mCreatorPid; }
    bool creatorSandboxed() const { return mCreatorSandboxed; }

    // Audit token of the creating process (from the constructor's auditToken).
    const AuditToken &creatorAuditToken() const { return mCreatorAuditToken; }

    // Side-band info gathered during evaluations (mInfoSet). infoSet()
    // returns the stored items, presumably filtered by tag when one is given
    // - confirm. The savePassword flags select whether password material is
    // retained in mSavedPassword or scrubbed along with the rest.
    AuthItemSet infoSet(AuthorizationString tag = NULL);
    void setInfoSet(AuthItemSet &newInfoSet, bool savePassword);
    void setCredentialInfo(const Credential &inCred, bool savePassword);
    void clearInfoSet();
    void scrubInfoSet(bool savePassword);
    // Least-privilege mode as requested at construction.
    bool operatesAsLeastPrivileged() const { return mOperatesAsLeastPrivileged; }

public:
    // Look up a token by its blob in the AuthMap. Returns a reference, so
    // the not-found behaviour (presumably an error thrown) is defined in
    // authority.cpp, not here.
    static AuthorizationToken &find(const AuthorizationBlob &blob);

    // Scoped helper for removing a token from the AuthMap: resolves blob to
    // a token, holds a reference to it and a lock for its own lifetime, and
    // removes the entry on remove(). Which mutex `lock` guards is not
    // visible in this header; presumably authMapLock - confirm.
    class Deleter {
    public:
        Deleter(const AuthorizationBlob &blob);

        void remove();
        operator AuthorizationToken &() const { return *mAuth; }

    private:
        RefPointer<AuthorizationToken> mAuth;   // keeps the token alive while deleting
        StLock<Mutex> lock;                     // held for the Deleter's lifetime
    };

private:
    mutable Mutex mLock;                    // object lock
    AuthorizationBlob mHandle;              // official randomized blob marker
    CredentialSet mBaseCreds;               // credentials we're based on

    unsigned int mTransferCount;            // number of internalizations remaining

    typedef set<Process *> ProcessSet;
    ProcessSet mUsingProcesses;             // set of process objects using this token

    uid_t mCreatorUid;                      // Uid of process that created this authorization
    gid_t mCreatorGid;                      // Gid of process that created this authorization
    CFCopyRef<SecStaticCodeRef> mCreatorCode; // code reference to creator
    pid_t mCreatorPid;                      // Pid of process that created this authorization
    bool mCreatorSandboxed;                 // A record of whether or not the creator was Sandboxed

    AuditToken mCreatorAuditToken;          // Audit token of the process that created this authorization

    AuthItemSet mInfoSet;                   // Side band info gathered from evaluations in this session

    bool mOperatesAsLeastPrivileged;        // least-privilege mode, fixed at construction

    AuthItemSet mSavedPassword;             // password material kept when savePassword was requested

private:
    // All extant authorizations, keyed by their blob; find() resolves
    // through this map.
    typedef map<AuthorizationBlob, RefPointer<AuthorizationToken> > AuthMap;
    static AuthMap &authMap;                // set of extant authorizations
    static Mutex authMapLock;               // lock for authMap (only)
};
131
132 #endif //_H_AUTHORITY