+/*
+ * Copyright (c) 2002-2004,2011,2014 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+/*!
+ @header SecAccess
+ SecAccess implements a way to set and manipulate access control rules and
+ restrictions on SecKeychainItems.
+*/
+
+#ifndef _SECURITY_SECACCESS_H_
+#define _SECURITY_SECACCESS_H_
+
+#include <Security/SecBase.h>
+#include <Security/cssmtype.h>
+#include <CoreFoundation/CFArray.h>
+#include <CoreFoundation/CFError.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+
+typedef UInt32 SecAccessOwnerType;
+enum
+{
+ kSecUseOnlyUID = 1,
+ kSecUseOnlyGID = 2,
+ kSecHonorRoot = 0x100,
+ kSecMatchBits = (kSecUseOnlyUID | kSecUseOnlyGID)
+};
+
+/* No restrictions. Permission to perform all operations on
+ the resource or available to an ACL owner. */
+extern CFTypeRef kSecACLAuthorizationAny
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+extern CFTypeRef kSecACLAuthorizationLogin
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationGenKey
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationDelete
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationExportWrapped
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationExportClear
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationImportWrapped
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationImportClear
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationSign
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationEncrypt
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationDecrypt
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationMAC
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationDerive
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/* Defined authorization tag values for Keychain */
+extern CFTypeRef kSecACLAuthorizationKeychainCreate
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationKeychainDelete
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationKeychainItemRead
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationKeychainItemInsert
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationKeychainItemModify
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationKeychainItemDelete
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+extern CFTypeRef kSecACLAuthorizationChangeACL
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+extern CFTypeRef kSecACLAuthorizationChangeOwner
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+
+/*!
+ @function SecAccessGetTypeID
+ @abstract Returns the type identifier of SecAccess instances.
+ @result The CFTypeID of SecAccess instances.
+*/
+CFTypeID SecAccessGetTypeID(void);
+
+/*!
+ @function SecAccessCreate
+ @abstract Creates a new SecAccessRef that is set to the currently designated system default
+ configuration of a (newly created) security object. Note that the precise nature of
+ this default may change between releases.
+ @param descriptor The name of the item as it should appear in security dialogs
+ @param trustedlist A CFArray of TrustedApplicationRefs, specifying which applications
+ should be allowed to access an item without triggering confirmation dialogs.
+ If NULL, defaults to (just) the application creating the item. To set no applications,
+ pass a CFArray with no elements.
+ @param accessRef On return, a pointer to the new access reference.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+*/
+OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef trustedlist, SecAccessRef *accessRef);
+
+/*!
+ @function SecAccessCreateFromOwnerAndACL
+ @abstract Creates a new SecAccessRef using the owner and access control list you provide.
+ @param owner A pointer to a CSSM access control list owner.
+ @param aclCount An unsigned 32-bit integer representing the number of items in the access control list.
+ @param acls A pointer to the access control list.
+ @param On return, a pointer to the new access reference.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion For 10.7 and later please use the SecAccessCreateWithOwnerAndACL API
+*/
+OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner, uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls, SecAccessRef *accessRef)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecAccessCreateWithOwnerAndACL
+ @abstract Creates a new SecAccessRef using either for a user or a group with a list of ACLs
+ @param userId An user id that specifies the user to associate with this SecAccessRef.
+ @param groupId A group id that specifies the group to associate with this SecAccessRef.
+ @param ownerType Specifies the how the ownership of the new SecAccessRef is defined.
+ @param acls A CFArrayRef of the ACLs to associate with this SecAccessRef
+ @param error Optionally a pointer to a CFErrorRef to return any errors with may have occured
+ @result A pointer to the new access reference.
+*/
+SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef acls, CFErrorRef *error)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecAccessGetOwnerAndACL
+ @abstract Retrieves the owner and the access control list of a given access.
+ @param accessRef A reference to the access from which to retrieve the information.
+ @param owner On return, a pointer to the access control list owner.
+ @param aclCount On return, a pointer to an unsigned 32-bit integer representing the number of items in the access control list.
+ @param acls On return, a pointer to the access control list.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion For 10.7 and later please use the SecAccessCopyOwnerAndACL API
+ */
+OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef, CSSM_ACL_OWNER_PROTOTYPE_PTR *owner, uint32 *aclCount, CSSM_ACL_ENTRY_INFO_PTR *acls)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+/*!
+ @function SecAccessCopyOwnerAndACL
+ @abstract Retrieves the owner and the access control list of a given access.
+ @param accessRef A reference to the access from which to retrieve the information.
+ @param userId On return, the user id of the owner
+ @param groupId On return, the group id of the owner
+ @param ownerType On return, the type of owner for this AccessRef
+ @param aclCount On return, a Boolean that if true specifies that the ownerId is a uid_t else it is a gid_t.
+ @param aclList On return, a pointer to a new created CFArray of SecACL instances. The caller is responsible for calling CFRelease on this array.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ */
+OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t* userId, gid_t* groupId, SecAccessOwnerType* ownerType, CFArrayRef* aclList)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+/*!
+ @function SecAccessCopyACLList
+ @abstract Copies all the access control lists of a given access.
+ @param accessRef A reference to the access from which to retrieve the information.
+ @param aclList On return, a pointer to a new created CFArray of SecACL instances. The caller is responsible for calling CFRelease on this array.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+*/
+OSStatus SecAccessCopyACLList(SecAccessRef accessRef, CFArrayRef *aclList);
+
+/*!
+ @function SecAccessCopySelectedACLList
+ @abstract Copies selected access control lists from a given access.
+ @param accessRef A reference to the access from which to retrieve the information.
+ @param action An authorization tag specifying what action with which to select the action control lists.
+ @param aclList On return, a pointer to the selected access control lists.
+ @result A result code. See "Security Error Codes" (SecBase.h).
+ @discussion For 10.7 and later please use the SecAccessCopyMatchingACLList API
+*/
+OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef, CSSM_ACL_AUTHORIZATION_TAG action, CFArrayRef *aclList)
+ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
+
+
+/*!
+ @function SecAccessCopyMatchingACLList
+ @abstract Copies selected access control lists from a given access.
+ @param accessRef A reference to the access from which to retrieve the information.
+ @param authorizationTag An authorization tag specifying what action with which to select the action control lists.
+ @result A pointer to the selected access control lists.
+*/
+CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag)
+ __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#endif /* !_SECURITY_SECACCESS_H_ */
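Review bot: The doc comment for `SecAccessCopyOwnerAndACL` describes an `aclCount` parameter ("a Boolean that if true specifies that the ownerId is a uid_t else it is a gid_t") that the prototype two lines below does not declare, so the comment documents a value the function never returns and that `@param` line should be dropped; in the same way the `SecAccessCreateFromOwnerAndACL` comment has a line `@param On return, a pointer to the new access reference.` with the parameter name missing, which should read `@param accessRef On return, a pointer to the new access reference.`. The anonymous `SecAccessOwnerType` enum (`kSecUseOnlyUID`, `kSecUseOnlyGID`, `kSecHonorRoot`, `kSecMatchBits`) carries no comments although it decides how ownership of a new access object is interpreted; a one-line comment per value, in particular stating what `kSecHonorRoot` does during ACL evaluation, would keep callers from guessing at a security-relevant setting (its exact effect is not visible in this header, so the wording should be taken from the implementation). The `@result` lines of `SecAccessCreateWithOwnerAndACL` and `SecAccessCopyMatchingACLList` say neither that the returned reference is owned by the caller nor what is returned on failure, unlike `SecAccessCopyACLList` which states "The caller is responsible for calling CFRelease on this array"; presumably both return NULL on failure, so after confirming that against the implementation they could read `@result A new access reference that the caller must release, or NULL on failure.` and `@result A newly created CFArray of SecACL instances that the caller must release, or NULL on failure.`. Minor wording in the same comments: "with may have occured" should be "which may have occurred", and "new created CFArray" should be "newly created CFArray".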