securityd/src/clientid.h

   1 /*
   2  * Copyright (c) 2000-2004,2006-2007,2012 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23 //
  24 // clientid - track and manage identity of securityd clients
  25 //
  26 #ifndef _H_CLIENTID
  27 #define _H_CLIENTID
  28
  29 #include "codesigdb.h"
  30 #include <Security/SecCode.h>
  31 #include <security_utilities/cfutilities.h>
  32 #include <string>
  33
  34
  35 //
  36 // A ClientIdentification object is a mix-in class that tracks
  37 // the identity of associated client processes and their sub-entities
  38 // (aka Code Signing Guest objects).
  39 //
  40 class ClientIdentification : public CodeSignatures::Identity {
  41 public:
  42         ClientIdentification();
  43
  44         std::string partitionId() const;
  45         AclSubject* copyAclSubject() const;
  46
  47         // CodeSignatures::Identity personality
  48         string getPath() const;
  49         const CssmData getHash() const;
  50         OSStatus checkValidity(SecCSFlags flags, SecRequirementRef requirement) const;
  51         OSStatus copySigningInfo(SecCSFlags flags, CFDictionaryRef *info) const;
  52         const bool checkAppleSigned() const;
  53         bool hasEntitlement(const char *name) const;
  54
  55 protected:
  56         //
  57         // Access to the underlying SecCodeRef should only be made from methods of
  58         // this class, which must take the appropriate mutex when accessing them.
  59         //
  60         SecCodeRef processCode() const;
  61         SecCodeRef currentGuest() const;
  62
  63         void setup(pid_t pid);
  64
  65 public:
  66         IFDUMP(void dump());
  67
  68 private:
  69         CFRef<SecCodeRef> mClientProcess;       // process-level client object
  70
  71         mutable RecursiveMutex mValidityCheckLock; // protects validity check
  72
  73         mutable Mutex mLock;                            // protects everything below
  74
  75         struct GuestState {
  76                 GuestState() : gotHash(false) { }
  77                 CFRef<SecCodeRef> code;
  78                 mutable bool gotHash;
  79                 mutable SHA1::Digest legacyHash;
  80         };
  81         typedef std::map<SecGuestRef, GuestState> GuestMap;
  82         mutable GuestMap mGuests;
  83
  84         mutable std::string mClientPartitionId;
  85         mutable bool mGotPartitionId;
  86
  87         GuestState *current() const;
  88         static std::string partitionIdForProcess(SecStaticCodeRef code);
  89 };
  90
  91
  92 //
  93 // Bonus function
  94 //
  95 std::string codePath(SecStaticCodeRef code);
  96
  97
  98 #endif //_H_CLIENTID