--- /dev/null
+/*
+ * Copyright (c) 2002-2004,2011-2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+/*
+ * AuthorizationPriv.h -- Authorization SPIs
+ * Private APIs for implementing access control in applications and daemons.
+ *
+ */
+
+#ifndef _SECURITY_AUTHORIZATIONPRIV_H_
+#define _SECURITY_AUTHORIZATIONPRIV_H_
+
+#include <Security/Authorization.h>
+#include <Security/AuthSession.h>
+#include <sys/types.h> // uid_t
+#include <mach/message.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+/*!
+ @header AuthorizationPriv
+ Version 1.1 04/2003
+
+ This header contains private APIs for authorization services.
+ This is the private extension of <Security/Authorization.h>, a public header file.
+*/
+
+/*!
+ @enum Private (for now) AuthorizationFlags
+*/
+enum {
+ kAuthorizationFlagLeastPrivileged = (1 << 5)
+};
+
+/*!
+ @function AuthorizationCreateWithAuditToken
+ @abstract Create a AuthorizationRef for the process that sent the mach message
+ represented by the audit token. Requires root.
+ @param token The audit token of a mach message
+ @param environment (input/optional) An AuthorizationItemSet containing enviroment state used when making the autorization decision. See the AuthorizationEnvironment type for details.
+ @param flags (input) options specified by the AuthorizationFlags enum. set all unused bits to zero to allow for future expansion.
+ @param authorization (output) A pointer to an AuthorizationRef to be returned. When the returned AuthorizationRef is no longer needed AuthorizationFree should be called to prevent anyone from using the aquired rights.
+
+ @result errAuthorizationSuccess 0 authorization or all requested rights succeeded.
+
+ errAuthorizationDenied -60005 The authorization for one or more of the requested rights was denied.
+*/
+
+OSStatus AuthorizationCreateWithAuditToken(audit_token_t token,
+ const AuthorizationEnvironment *environment,
+ AuthorizationFlags flags,
+ AuthorizationRef *authorization);
+
+/*!
+ @function AuthorizationExecuteWithPrivilegesExternalForm
+ Run an executable tool with enhanced privileges after passing
+ suitable authorization procedures.
+
+ @param authorization in external form that is used to authorize
+ access to the enhanced privileges. It is also passed to the tool for
+ further access control.
+ @param pathToTool Full pathname to the tool that should be executed
+ with enhanced privileges.
+ @param options Option bits (reserved). Must be zero.
+ @param arguments An argv-style vector of strings to be passed to the tool.
+ @param communicationsPipe Assigned a UNIX stdio FILE pointer for
+ a bidirectional pipe to communicate with the tool. The tool will have
+ this pipe as its standard I/O channels (stdin/stdout). If NULL, do not
+ establish a communications pipe.
+
+ @discussion This function has been deprecated and should no longer be used.
+ Use a launchd-launched helper tool and/or the Service Mangement framework
+ for this functionality.
+*/
+
+OSStatus AuthorizationExecuteWithPrivilegesExternalForm(const AuthorizationExternalForm * extForm,
+ const char *pathToTool,
+ AuthorizationFlags flags,
+ char *const *arguments,
+ FILE **communicationsPipe) __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_1,__MAC_10_7,__IPHONE_NA,__IPHONE_NA);
+
+/*
+ @function AuthorizationDismiss
+ @abstract Dismisses all Authorization dialogs associated to the calling process.
+ Any active authorization requests will be canceled and return errAuthorizationDenied
+*/
+
+OSStatus AuthorizationDismiss(void);
+
+/*!
+ @function SessionSetDistinguishedUser
+ This function allows the creator of a (new) security session to associate an arbitrary
+ UNIX user identity (uid) with the session. This uid can be retrieved with
+ SessionGetDistinguishedUser by anyone who knows the session's id, and may also
+ be used by the system for identification (but not authentication) purposes.
+
+ This call can only be made by the process that created the session, and only
+ once.
+
+ This is a private API, and is subject to change.
+
+ @param session (input) Session-id for which to set the uid. Can be one of the
+ special constants defined in AuthSession.h.
+ @param user (input) The uid to set.
+ */
+OSStatus SessionSetDistinguishedUser(SecuritySessionId session, uid_t user);
+
+
+/*!
+ @function SessionGetDistinguishedUser
+ Retrieves the distinguished uid of a session as set by the session creator
+ using the SessionSetDistinguishedUser call.
+
+ @param session (input) Session-id for which to set the uid. Can be one of the
+ special constants defined in AuthSession.h.
+ @param user (output) Will receive the uid. Unchanged on error.
+ */
+OSStatus SessionGetDistinguishedUser(SecuritySessionId session, uid_t *user);
+
+/*!
+ @function SessionSetUserPreferences
+ Set preferences from current application context for session (for use during agent interactions).
+
+ @param session (input) Session-id for which to set the user preferences. Can be one of the special constants defined in AuthSession.h.
+ */
+OSStatus SessionSetUserPreferences(SecuritySessionId session);
+
+
+/*!
+ @function AuthorizationEnableSmartCard
+ Enable or disable system login using smartcard or get current status.
+
+ @param authorization (input) The authorization object on which this operation is performed.
+ @param enable (input) desired smartcard login support state, TRUE to enable, FALSE to disable
+ */
+OSStatus AuthorizationEnableSmartCard(AuthorizationRef authRef, Boolean enable);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif /* !_SECURITY_AUTHORIZATIONPRIV_H_ */
projects / apple / security.git / blobdiff