index c7f386a478b1cd7898416af4172c865d67481e73..d7cef74ff50243ccb8437ab346802c1dcc818200 100644 (file)
@@ -206,6 +206,39 @@ See remaining rules for examples.
                        <key>timeout</key>
                        <integer>0</integer>
                </dict>
+        <key>com.apple.Safari.allow-apple-events-to-run-javascript</key>
+        <dict>
+            <key>class</key>
+            <string>user</string>
+            <key>comment</key>
+            <string>This right is used by Safari to allow Apple Events to run JavaScript on web pages.</string>
+            <key>session-owner</key>
+            <true/>
+            <key>shared</key>
+            <false/>
+        </dict>
+        <key>com.apple.Safari.allow-unsigned-app-extensions</key>
+        <dict>
+            <key>class</key>
+            <string>user</string>
+            <key>comment</key>
+            <string>This right is used by Safari to allow unsigned extensions in the Develop Menu.</string>
+            <key>session-owner</key>
+            <true/>
+            <key>shared</key>
+            <false/>
+        </dict>
+        <key>com.apple.Safari.allow-javascript-in-smart-search-field</key>
+        <dict>
+            <key>class</key>
+            <string>user</string>
+            <key>comment</key>
+            <string>This right is used by Safari to allow JavaScript to be used in the Smart Search Field.</string>
+            <key>session-owner</key>
+            <true/>
+            <key>shared</key>
+            <false/>
+        </dict>
                <key>com.apple.ServiceManagement.blesshelper</key>
                <dict>
                        <key>allow-root</key>
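Review bot: The three new Safari rights (L9–L41) carry no `timeout`, so the lifetime of the cached credential falls back to authd's default rather than being stated; if I read the file's header conventions correctly that default is not the 0-second "always prompt" that most sensitive rights here set explicitly (compare the `timeout`/`0` at L6–L7 just above). For `com.apple.Safari.allow-unsigned-app-extensions`, which gates loading code that bypasses signature checks, an explicit `<key>timeout</key><integer>0</integer>` (or a comment justifying caching) would make the intent auditable. Separately, these entries are indented with spaces while the rest of the plist uses tabs, and they are the only new rights without a `version` key.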
@@ -232,8 +265,10 @@ See remaining rules for examples.
                        <key>rule</key>
                        <array>
                                <string>is-root</string>
-                               <string>entitled-admin-or-authenticate-admin</string>
+                               <string>entitled-admin-or-authenticate-admin-nonshared</string>
                        </array>
+                       <key>version</key>
+                       <integer>1</integer>
                </dict>
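Review bot: Swapping `entitled-admin-or-authenticate-admin` for the `-nonshared` variant changes more than credential sharing: the new `authenticate-admin-nonshared` rule (L237–L249) uses `timeout` 30 where `authenticate-admin` uses 0 (L234–L235), so this right now accepts a 30-second-old admin authentication from the same client. If that is intended, a `comment` on the enclosing right saying so would save the next reader a cross-reference; the right's key and the start of its dict are outside this hunk.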
                <key>com.apple.SoftwareUpdate.modify-settings</key>
                <dict>
@@ -360,6 +395,15 @@ See remaining rules for examples.
                                <string>builtin:generic-unlock</string>
                        </array>
                </dict>
+               <key>com.apple.builtin.sc-kc-new-passphrase</key>
+               <dict>
+                       <key>class</key>
+                       <string>evaluate-mechanisms</string>
+                       <key>mechanisms</key>
+                       <array>
+                               <string>builtin:generic-new-passphrase</string>
+                       </array>
+               </dict>
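Review bot: `com.apple.builtin.sc-kc-new-passphrase` has no `comment`, unlike most rights in this file, and the abbreviation in the name is not self-explanatory. Something like `<key>comment</key><string>Prompt for a new keychain passphrase via builtin:generic-new-passphrase (smart-card keychain flow).</string>` would help, with "smart-card" confirmed against the caller since "sc-kc" is only inferred here.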
                <key>com.apple.container-repair</key>
                <dict>
                        <key>class</key>
@@ -430,17 +474,21 @@ See remaining rules for examples.
                        <key>shared</key>
                        <false/>
                </dict>
-               <key>com.apple.iCloud.passwordReset</key>
-                <dict>
-                        <key>class</key>
-                        <string>user</string>
-                        <key>comment</key>
-                        <string>Authenticate as the session owner to reset iCloud password</string>
-                        <key>session-owner</key>
-                        <true/>
+               <key>com.apple.icloud.passwordreset</key>
+               <dict>
+                       <key>class</key>
+                       <string>user</string>
+                       <key>comment</key>
+                       <string>Authenticate as the session owner to reset iCloud password</string>
+                       <key>session-owner</key>
+                       <true/>
                        <key>timeout</key>
                        <integer>0</integer>
-                </dict>
+                       <key>password-only</key>
+                       <true/>
+                       <key>version</key>
+                       <integer>1</integer>
+               </dict>
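Review bot: The right is renamed from `com.apple.iCloud.passwordReset` to all-lowercase `com.apple.icloud.passwordreset` with no alias kept; plist dictionary keys are exact-match strings, so any client still requesting the old spelling will no longer hit this entry and will be handled by whatever authd applies to unknown rights (the `default` rule, if I recall the file correctly). Either confirm every caller was updated in the same release or keep the old key pointing at the same dict until they are. The added `password-only` flag also deserves a word in the `comment`, e.g. `Authenticate as the session owner (password only, no alternate mechanisms) to reset iCloud password`, since its effect is not obvious from the name.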
                <key>com.apple.library-repair</key>
                <dict>
                        <key>class</key>
@@ -462,6 +510,22 @@ See remaining rules for examples.
                        <key>rule</key>
                        <string>entitled-session-owner-or-authenticate-session-owner</string>
                </dict>
+               <key>com.apple.ctk.pair</key>
+               <dict>
+                       <key>class</key>
+                       <string>rule</string>
+                       <key>rule</key>
+                       <string>kcunlock</string>
+               </dict>
+               <key>com.apple.ctkbind.admin</key>
+               <dict>
+                       <key>class</key>
+                       <string>user</string>
+                       <key>group</key>
+                       <string>admin</string>
+                       <key>shared</key>
+                       <false/>
+               </dict>
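Review bot: `com.apple.ctkbind.admin` (L115–L123) sets neither `timeout` nor `comment`, while the other admin rules in this diff set `timeout` explicitly (L234–L235, L263–L264); an explicit `<key>timeout</key><integer>0</integer>` would avoid relying on the default for an admin-gated binding operation. `com.apple.ctk.pair` delegates to `kcunlock` (defined at L216–L229 with `extract-password` true), so a comment such as `<key>comment</key><string>Pair a token; delegates to kcunlock, which makes the entered password available to the unlock mechanisms.</string>` would document that consequence where the right is declared.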
                <key>com.apple.pf.rule</key>
                <dict>
                        <key>authenticate-user</key>
@@ -795,8 +859,9 @@ See remaining rules for examples.
                        <array>
                                <string>loginKC:queryCreate</string>
                                <string>loginKC:showPasswordUI</string>
-                               <string>authinternal</string>
                        </array>
+                       <key>version</key>
+                       <integer>1</integer>
                        <key>session-owner</key>
                        <true/>
                        <key>shared</key>
@@ -837,10 +902,11 @@ See remaining rules for examples.
                                <string>HomeDirMechanism:login,privileged</string>
                                <string>HomeDirMechanism:status</string>
                                <string>MCXMechanism:login</string>
+                               <string>CryptoTokenKit:login</string>
                                <string>loginwindow:done</string>
                        </array>
                        <key>version</key>
-                       <integer>3</integer>
+                       <integer>6</integer>
                </dict>
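Review bot: `CryptoTokenKit:login` is added without a `,privileged` suffix, unlike `HomeDirMechanism:login,privileged` two lines above, and the surrounding dict has no comment explaining its ordering after `MCXMechanism:login`; if this is the console login chain (the next key is `system.login.fus`, so that is an inference), a one-line comment on what the mechanism does at login and why it runs unprivileged would help. The `version` jump from 3 to 6 skips two numbers; fine if intermediate versions shipped elsewhere, but worth a note in the commit.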
                <key>system.login.fus</key>
                <dict>
@@ -1428,6 +1494,60 @@ See remaining rules for examples.
                                <string>authenticate-admin-30</string>
                        </array>
                </dict>
+               <key>com.apple.security.syntheticinput</key>
+               <dict>
+                   <key>class</key>
+                   <string>rule</string>
+                   <key>rule</key>
+                   <string>authenticate-session-owner</string>
+               </dict>         
+               <key>com.apple.security.sudo</key>
+               <dict>
+                       <key>class</key>
+                       <string>rule</string>
+                       <key>k-of-n</key>
+                       <integer>2</integer>
+                       <key>rule</key>
+                       <array>
+                               <string>entitled</string>
+                               <string>authenticate-session-owner</string>
+                       </array>
+               </dict>         
+               <key>system.localauthentication.ui</key>
+               <dict>
+                       <key>class</key>
+                       <string>evaluate-mechanisms</string>
+                       <key>comment</key>
+                       <string>Used by LocalAuthentication to display its UI.</string>
+                       <key>mechanisms</key>
+                       <array>
+                               <string>LocalAuthentication:UI</string>
+                       </array>
+               </dict>
+               <key>system.preferences.continuity</key>
+               <dict>
+                       <key>class</key>
+                       <string>rule</string>
+                       <key>comment</key>
+                       <string>Used by Password And Continuity PrefPane to request the user's password.</string>
+                       <key>rule</key>
+                       <array>
+                               <string>authenticate-staff-extract-context</string>
+                       </array>
+               </dict>
+               <key>com.apple.safaridriver.allow</key>
+               <dict>
+                       <key>comment</key>
+                       <string>This right is used by safaridriver to allow running it.</string>
+                       <key>class</key>
+                       <string>user</string>
+                       <key>group</key>
+                       <string>admin</string>
+                       <key>allow-root</key>
+                       <true/>
+                       <key>shared</key>
+                       <true/>
+               </dict>
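Review bot: `com.apple.safaridriver.allow` (L196–L208) sets `shared` true with no `timeout`, whereas the Safari rights added earlier in this diff set `shared` false; with a shared credential, an admin authentication cached for some other shared right can satisfy this one without a fresh prompt. Unless that is deliberate, `<key>shared</key><false/>` plus an explicit `timeout` would be safer for a right that enables remote browser automation. Style: L157–L160 are space-indented and L161/L173 carry trailing whitespace, and `com.apple.security.sudo` would benefit from a `comment` stating that `k-of-n` 2 means the entitlement and the session-owner authentication are both required.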
        </dict>
        <key>rules</key>
        <dict>
@@ -1480,6 +1600,20 @@ See remaining rules for examples.
                                <string>PKINITMechanism:auth,privileged</string>
                        </array>
                </dict>
+               <key>kcunlock</key>
+               <dict>
+                       <key>class</key>
+                       <string>evaluate-mechanisms</string>
+                       <key>extract-password</key>
+                       <true/>
+                       <key>mechanisms</key>
+                       <array>
+                               <string>builtin:unlock-keychain</string>
+                               <string>builtin:kc-verify,privileged</string>
+                       </array>
+                       <key>version</key>
+                       <integer>1</integer>
+               </dict>             
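Review bot: `kcunlock` sets `extract-password` true but omits `require-apple-signed`, while the other `extract-password` rules in this file pair the two (L255–L262, L272–L279); if the extracted password can reach the requesting client's context as it can for those rules, adding `<key>require-apple-signed</key><true/>` keeps the same bar here. If the password is only meant for the two listed mechanisms and never returned, a `comment` saying so would justify the omission. L229 also has trailing whitespace.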
                <key>authenticate-admin</key>
                <dict>
                        <key>class</key>
@@ -1493,6 +1627,19 @@ See remaining rules for examples.
                        <key>timeout</key>
                        <integer>0</integer>
                </dict>
+               <key>authenticate-admin-nonshared</key>
+               <dict>
+                       <key>class</key>
+                       <string>user</string>
+                       <key>comment</key>
+                       <string>Authenticate as an administrator.</string>
+                       <key>group</key>
+                       <string>admin</string>
+                       <key>timeout</key>
+                       <integer>30</integer>
+                       <key>version</key>
+                       <integer>1</integer>
+               </dict>
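Review bot: `authenticate-admin-nonshared` is named for non-sharing but never sets `shared`, so the behavior depends on authd's default rather than the rule; `<key>shared</key><false/>` would make the name true by construction. Its `timeout` of 30 also differs from `authenticate-admin`'s 0 (L234–L235), which the comment `Authenticate as an administrator.` does not mention; `Authenticate as an administrator; credential is not shared and is reusable by the same client for 30 seconds.` would document both.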
                <key>authenticate-admin-30</key>
                <dict>
                        <key>class</key>
@@ -1517,12 +1664,16 @@ See remaining rules for examples.
                        <string>Authenticate as an administrator + allow password extraction.</string>
                        <key>extract-password</key>
                        <true/>
+                       <key>password-only</key>
+                       <true/>
                        <key>group</key>
                        <string>admin</string>
                        <key>require-apple-signed</key>
                        <true/>
                        <key>timeout</key>
                        <integer>0</integer>
+                       <key>version</key>
+                       <integer>1</integer>
                </dict>
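Review bot: `password-only` is inserted between `extract-password` and `group` (L257–L258), breaking the alphabetical key order the rest of this dict follows, and the rule's comment still reads `Authenticate as an administrator + allow password extraction.` without mentioning it. Moving the key after `group` and extending the comment with `; password mechanisms only` would keep the rule self-describing.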
                <key>authenticate-staff-extract</key>
                <dict>
@@ -1532,12 +1683,28 @@ See remaining rules for examples.
                        <string>Authenticate as group staff + allow password to be extracted.</string>
                        <key>extract-password</key>
                        <true/>
+                       <key>password-only</key>
+                       <true/>
                        <key>group</key>
                        <string>staff</string>
                        <key>require-apple-signed</key>
                        <true/>
                        <key>timeout</key>
                        <integer>0</integer>
+                       <key>version</key>
+                       <integer>1</integer>
+               </dict>
+               <key>authenticate-staff-extract-context</key>
+               <dict>
+                       <key>class</key>
+                       <string>rule</string>
+                       <key>k-of-n</key>
+                       <integer>2</integer>
+                       <key>rule</key>
+                       <array>
+                               <string>authenticate-staff-extract</string>
+                               <string>localauthentication-context</string>
+                       </array>
                </dict>
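Review bot: `authenticate-staff-extract-context` (L285–L296) has no `comment`, unlike its sibling rules, and `k-of-n` 2 over two rules means both must succeed, which is easy to misread as "either". Suggest `<key>comment</key><string>Authenticate as staff with password extraction AND accept a LocalAuthentication externalized context (both required).</string>`; `localauthentication-context` itself is defined later in this diff (L352–L362).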
                <key>authenticate-admin-or-staff-extract</key>
                <dict>
@@ -1647,6 +1814,30 @@ See remaining rules for examples.
                                <string>entitled</string>
                        </array>
                </dict>
+               <key>entitled-admin-nonshared</key>
+               <dict>
+                       <key>class</key>
+                       <string>rule</string>
+                       <key>k-of-n</key>
+                       <integer>2</integer>
+                       <key>rule</key>
+                       <array>
+                               <string>is-admin-nonshared</string>
+                               <string>entitled</string>
+                       </array>
+               </dict>
+               <key>entitled-admin-or-authenticate-admin-nonshared</key>
+               <dict>
+                       <key>class</key>
+                       <string>rule</string>
+                       <key>k-of-n</key>
+                       <integer>1</integer>
+                       <key>rule</key>
+                       <array>
+                               <string>entitled-admin-nonshared</string>
+                               <string>authenticate-admin-nonshared</string>
+                       </array>
+               </dict>
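Review bot: Neither `entitled-admin-nonshared` nor `entitled-admin-or-authenticate-admin-nonshared` carries a `comment`, and the two `k-of-n` values (2 = both required, 1 = either suffices) are the whole meaning of the rules. Comments such as `Caller is an admin (nonshared check) AND holds the entitlement` and `Entitled admin, or prompt for admin password (nonshared, 30s)` would make the pair readable without chasing `is-admin-nonshared` and `authenticate-admin-nonshared`.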
                <key>entitled-admin-or-authenticate-admin</key>
                <dict>
                        <key>class</key>
@@ -1744,6 +1935,17 @@ See remaining rules for examples.
                        <key>shared</key>
                        <true/>
                </dict>
+               <key>is-admin-nonshared</key>
+               <dict>
+                       <key>authenticate-user</key>
+                       <false/>
+                       <key>class</key>
+                       <string>user</string>
+                       <key>comment</key>
+                       <string>Verify that the user asking for authorization is an administrator - nonshared right.</string>
+                       <key>group</key>
+                       <string>admin</string>
+               </dict>
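Review bot: `is-admin-nonshared` omits the `shared` key entirely, while the rule immediately above it sets `shared` true explicitly (L331–L332); a rule whose name and comment promise "nonshared" should state `<key>shared</key><false/>` rather than rely on the default. The comment could then drop the trailing `- nonshared right` qualifier, since the key says it.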
                <key>is-appstore</key>
                <dict>
                        <key>authenticate-user</key>
@@ -1885,6 +2087,17 @@ See remaining rules for examples.
                        <key>shared</key>
                        <false/>
                </dict>
+               <key>localauthentication-context</key>
+               <dict>
+                       <key>class</key>
+                       <string>evaluate-mechanisms</string>
+                       <key>comment</key>
+                       <string>Used by LocalAuthentication to pass externalized context.</string>
+                       <key>mechanisms</key>
+                       <array>
+                               <string>LocalAuthentication:context</string>
+                       </array>
+               </dict>
        </dict>
 </dict>
 </plist>