--- /dev/null
+/*
+ * Copyright (c) 2011-2013 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+#ifndef _H_POLICYDB
+#define _H_POLICYDB
+
+#include "SecAssessment.h"
+#include <security_utilities/globalizer.h>
+#include <security_utilities/hashing.h>
+#include <security_utilities/sqlite++.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+namespace Security {
+namespace CodeSigning {
+
+
+namespace SQLite = SQLite3;
+
+
+static const char defaultDatabase[] = "/var/db/SystemPolicy";
+static const char visibleSecurityFlagFile[] = "/var/db/.sp_visible"; /* old duchess/emir style configration */
+static const char prefsFile[] = "/var/db/SystemPolicy-prefs.plist";
+static const char lastRejectFile[] = "/var/db/.LastGKReject";
+static const char lastApprovedFile[] = "/var/db/.LastGKApp";
+static const char rearmTimerFile[] = "/var/db/.GKRearmTimer";
+
+static const char gkeAuthFile[] = "/var/db/gke.auth";
+static const char gkeSigsFile[] = "/var/db/gke.sigs";
+static const unsigned int gkeCheckInterval = 60; // seconds
+
+
+//
+// We use Julian dates in the database, because SQLite understands them well and they convert easily to/from CFAbsoluteTime
+//
+static const double never = 5000000; // canonical "never" julian date (an arbitrary point in the year 8977)
+static const double julianBase = 2451910.5; // julian date of CFAbsoluteTime epoch
+
+static inline double dateToJulian(CFDateRef time)
+{ return CFDateGetAbsoluteTime(time) / 86400.0 + julianBase; }
+
+static inline CFDateRef julianToDate(double julian)
+{ return CFDateCreate(NULL, (julian - julianBase) * 86400); }
+
+
+typedef SHA1::SDigest ObjectHash;
+
+
+typedef uint AuthorityType;
+enum {
+ kAuthorityInvalid = 0, // not a valid authority type
+ kAuthorityExecute = 1, // authorizes launch and execution
+ kAuthorityInstall = 2, // authorizes installation
+ kAuthorityOpenDoc = 3, // authorizes opening of documents
+};
+
+
+//
+// Defined flags for authority flags column
+//
+enum {
+ kAuthorityFlagVirtual = 0x0001, // virtual rule (anchoring object records)
+ kAuthorityFlagDefault = 0x0002, // rule is part of the original default set
+ kAuthorityFlagInhibitCache = 0x0004, // never cache outcome of this rule
+ kAuthorityFlagWhitelist = 0x1000, // whitelist override
+ kAuthorityFlagWhitelistV2 = 0x2000, // apply "deep" signature to this record
+};
+
+
+//
+// Mapping/translation to/from API space
+//
+AuthorityType typeFor(CFDictionaryRef context, AuthorityType type = kAuthorityInvalid);
+CFStringRef typeNameFor(AuthorityType type)
+ CF_RETURNS_RETAINED;
+
+
+//
+// An open policy database.
+// Usually read-only, but can be opened for write by privileged callers.
+// This is a translucent wrapper around SQLite::Database; the caller
+// is expected to work with statement rows.
+//
+class PolicyDatabase : public SQLite::Database {
+public:
+ PolicyDatabase(const char *path = NULL, int flags = SQLITE_OPEN_READONLY);
+ virtual ~PolicyDatabase();
+
+public:
+ bool checkCache(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFMutableDictionaryRef result);
+
+public:
+ void purgeAuthority();
+ void purgeObjects();
+ void purgeObjects(double priority);//
+
+ void upgradeDatabase();
+ std::string featureLevel(const char *feature);
+ bool hasFeature(const char *feature) { return !featureLevel(feature).empty(); }
+ void addFeature(const char *feature, const char *value, const char *remarks);
+ void simpleFeature(const char *feature, const char *sql);
+ void simpleFeature(const char *feature, void (^perform)());
+
+ void installExplicitSet(const char *auth, const char *sigs);
+
+private:
+ time_t mLastExplicitCheck;
+};
+
+
+//
+// Check the system-wide overriding flag file
+//
+bool overrideAssessment(SecAssessmentFlags flags = 0);
+void setAssessment(bool masterSwitch);
+
+
+//
+// Reset or query the automatic rearm timer
+//
+void resetRearmTimer(const char *event);
+bool queryRearmTimer(CFTimeInterval &delta);
+
+} // end namespace CodeSigning
+} // end namespace Security
+
+#endif //_H_POLICYDB
projects / apple / security.git / blobdiff