--- /dev/null
+/*
+ * Copyright (c) 2000-2012 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+//
+// authority - authorization manager
+//
+#include "authority.h"
+#include "server.h"
+#include "connection.h"
+#include "session.h"
+#include "process.h"
+
+#include <security_cdsa_utilities/AuthorizationWalkers.h>
+
+#include <security_utilities/ccaudit.h> // AuditToken
+
+#include <sandbox.h>
+
+using Authorization::AuthItemSet;
+using Authorization::AuthItemRef;
+using Authorization::AuthValue;
+using Authorization::AuthValueOverlay;
+
+//
+// The global dictionary of extant AuthorizationTokens
+//
+//AuthorizationToken::AuthMap AuthorizationToken::authMap; // set of extant authorizations
+//@@@ Workaround ONLY! Don't destruct this map on termination
+AuthorizationToken::AuthMap &AuthorizationToken::authMap = *new AuthMap; // set of extant authorizations
+Mutex AuthorizationToken::authMapLock; // lock for mAuthorizations (only)
+
+
+
+//
+// Create an authorization token.
+//
+AuthorizationToken::AuthorizationToken(Session &ssn, const CredentialSet &base,
+const audit_token_t &auditToken, bool operateAsLeastPrivileged)
+ : mBaseCreds(base), mTransferCount(INT_MAX),
+ mCreatorPid(Server::process().pid()),
+ mCreatorAuditToken(auditToken),
+ mOperatesAsLeastPrivileged(operateAsLeastPrivileged)
+{
+ mCreatorUid = mCreatorAuditToken.euid();
+ mCreatorGid = mCreatorAuditToken.egid();
+
+ if (sandbox_check(mCreatorPid, "authorization-right-obtain", SANDBOX_CHECK_NO_REPORT) != 0)
+ mCreatorSandboxed = true;
+ else
+ mCreatorSandboxed = false;
+
+ {
+ Process &thisProcess = Server::process();
+ StLock<Mutex> _(thisProcess);
+ if (SecCodeRef code = thisProcess.currentGuest())
+ MacOSError::check(SecCodeCopyStaticCode(code, kSecCSDefaultFlags, &mCreatorCode.aref()));
+ }
+
+ // link to session
+ referent(ssn);
+
+ // generate our (random) handle
+ Server::active().random(mHandle);
+
+ // register handle in the global map
+ StLock<Mutex> _(authMapLock);
+ authMap[mHandle] = this;
+
+ // all ready
+ secdebug("SSauth", "Authorization %p created using %d credentials; owner=%p",
+ this, int(mBaseCreds.size()), mCreatorCode.get());
+}
+
+AuthorizationToken::~AuthorizationToken()
+{
+ // we better be clean
+ assert(mUsingProcesses.empty());
+
+ secdebug("SSauth", "Authorization %p destroyed", this);
+}
+
+
+Session &AuthorizationToken::session() const
+{
+ return referent<Session>();
+}
+
+
+std::string AuthorizationToken::creatorPath() const
+{
+ if (mCreatorCode) {
+ StLock<Mutex> _(mLock);
+ CFRef<CFURLRef> path;
+ if (SecCodeCopyPath(mCreatorCode, kSecCSDefaultFlags, &path.aref()) == noErr)
+ return cfString(path);
+ }
+ return "unknown";
+}
+
+
+//
+// Locate an authorization given its blob.
+//
+AuthorizationToken &AuthorizationToken::find(const AuthorizationBlob &blob)
+{
+ StLock<Mutex> _(authMapLock);
+ AuthMap::iterator it = authMap.find(blob);
+ if (it == authMap.end())
+ Authorization::Error::throwMe(errAuthorizationInvalidRef);
+ return *it->second;
+}
+
+
+//
+// Handle atomic deletion of AuthorizationToken objects
+//
+AuthorizationToken::Deleter::Deleter(const AuthorizationBlob &blob)
+ : lock(authMapLock)
+{
+ AuthMap::iterator it = authMap.find(blob);
+ if (it == authMap.end())
+ Authorization::Error::throwMe(errAuthorizationInvalidRef);
+ mAuth = it->second;
+}
+
+void AuthorizationToken::Deleter::remove()
+{
+ if (mAuth) {
+ authMap.erase(mAuth->handle());
+ mAuth = NULL;
+ }
+}
+
+
+//
+// Given a set of credentials, add it to our private credentials and return the result
+//
+// must hold Session::mCredsLock
+CredentialSet AuthorizationToken::effectiveCreds() const
+{
+ secdebug("SSauth", "Authorization %p grabbing session %p creds %p",
+ this, &session(), &session().authCredentials());
+ CredentialSet result = session().authCredentials();
+ for (CredentialSet::const_iterator it = mBaseCreds.begin(); it != mBaseCreds.end(); it++)
+ if (!(*it)->isShared())
+ result.insert(*it);
+ return result;
+}
+
+
+//
+// Add more credential dependencies to an authorization
+//
+// must hold Session::mCredsLock
+void AuthorizationToken::mergeCredentials(const CredentialSet &add)
+{
+ secdebug("SSauth", "Authorization %p merge creds %p", this, &add);
+ for (CredentialSet::const_iterator it = add.begin(); it != add.end(); it++) {
+ mBaseCreds.erase(*it);
+ mBaseCreds.insert(*it);
+ }
+ secdebug("SSauth", "Authorization %p merged %d new credentials for %d total",
+ this, int(add.size()), int(mBaseCreds.size()));
+}
+
+
+//
+// Register a new process that uses this authorization token.
+// This is an idempotent operation.
+//
+void AuthorizationToken::addProcess(Process &proc)
+{
+ StLock<Mutex> _(mLock);
+ mUsingProcesses.insert(&proc);
+ secdebug("SSauth", "Authorization %p added process %p(%d)", this, &proc, proc.pid());
+}
+
+
+//
+// Completely unregister client process.
+// It does not matter how often it was registered with addProcess before.
+// This returns true if no more processes use this token. Presumably you
+// would then want to clean up, though that's up to you.
+//
+bool AuthorizationToken::endProcess(Process &proc)
+{
+ StLock<Mutex> _(mLock);
+ assert(mUsingProcesses.find(&proc) != mUsingProcesses.end());
+ mUsingProcesses.erase(&proc);
+ secdebug("SSauth", "Authorization %p removed process %p(%d)%s",
+ this, &proc, proc.pid(), mUsingProcesses.empty() ? " FINAL" : "");
+ return mUsingProcesses.empty();
+}
+
+
+//
+// Check whether internalization/externalization is allowed
+//
+bool AuthorizationToken::mayExternalize(Process &) const
+{
+ return mTransferCount > 0;
+}
+
+bool AuthorizationToken::mayInternalize(Process &, bool countIt)
+{
+ StLock<Mutex> _(mLock);
+ if (mTransferCount > 0) {
+ if (countIt) {
+ mTransferCount--;
+ secdebug("SSauth", "Authorization %p decrement intcount to %d", this, mTransferCount);
+ }
+ return true;
+ }
+ return false;
+}
+
+AuthItemSet
+AuthorizationToken::infoSet(AuthorizationString tag)
+{
+ StLock<Mutex> _(mLock); // consider a separate lock
+
+ AuthItemSet tempSet;
+
+ if (tag)
+ {
+ AuthItemSet::iterator found = find_if(mInfoSet.begin(), mInfoSet.end(),
+ Authorization::FindAuthItemByRightName(tag));
+ if (found != mInfoSet.end())
+ tempSet.insert(AuthItemRef(*found));
+
+ }
+ else
+ tempSet = mInfoSet;
+
+ secdebug("SSauth", "Authorization %p returning copy of context %s%s.", this, tag ? "for tag " : "", tag ? "" : tag);
+
+ return tempSet;
+}
+
+void
+AuthorizationToken::setInfoSet(AuthItemSet &newInfoSet, bool savePassword)
+{
+ StLock<Mutex> _(mLock); // consider a separate lock
+ secdebug("SSauth", "Authorization %p setting new context", this);
+
+ AuthItemSet::const_iterator end = mInfoSet.end();
+ for (AuthItemSet::const_iterator it = mInfoSet.begin(); it != end; ++it) {
+ const AuthItemRef &item = *it;
+ if (0 == strcmp(item->name(), "password")) {
+ mSavedPassword.clear();
+ mSavedPassword.insert(item);
+ }
+ }
+
+ if (true == savePassword)
+ newInfoSet.insert(mSavedPassword.begin(), mSavedPassword.end());
+
+ mInfoSet = newInfoSet;
+}
+
+// This is destructive (non-merging)
+void
+AuthorizationToken::setCredentialInfo(const Credential &inCred, bool savePassword)
+{
+ AuthItemSet dstInfoSet;
+
+ uid_t uid = inCred->uid();
+ AuthItemRef uidHint("uid", AuthValueOverlay(sizeof(uid), &uid));
+ dstInfoSet.insert(uidHint);
+
+ AuthItemRef userHint("username", AuthValueOverlay(inCred->name()), 0);
+ dstInfoSet.insert(userHint);
+
+ setInfoSet(dstInfoSet, savePassword);
+}
+
+void
+AuthorizationToken::clearInfoSet()
+{
+ AuthItemSet dstInfoSet;
+ secdebug("SSauth", "Authorization %p clearing context", this);
+ setInfoSet(dstInfoSet, false);
+}
+
+void
+AuthorizationToken::scrubInfoSet(bool savePassword)
+{
+ AuthItemSet srcInfoSet = infoSet(), dstInfoSet;
+ AuthItemSet::const_iterator end = srcInfoSet.end();
+ for (AuthItemSet::const_iterator it = srcInfoSet.begin(); it != end; ++it)
+ {
+ const AuthItemRef &item = *it;
+ if (item->flags() == kAuthorizationContextFlagExtractable)
+ dstInfoSet.insert(item);
+ }
+ secdebug("SSauth", "Authorization %p scrubbing context", this);
+ setInfoSet(dstInfoSet, savePassword);
+}
projects / apple / security.git / blobdiff