--- /dev/null
+/*
+ * Copyright (c) 2000-2007,2010-2012 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+
+//
+// authority - authorization manager
+//
+#ifndef _H_AUTHORITY
+#define _H_AUTHORITY
+
+#include <security_utilities/osxcode.h>
+#include <security_utilities/ccaudit.h>
+#include "database.h"
+#include "credential.h"
+#include <security_cdsa_utilities/AuthorizationData.h>
+
+using Authorization::AuthItemSet;
+using Authorization::Credential;
+using Authorization::CredentialSet;
+using Security::CommonCriteria::AuditToken;
+
+class Process;
+class Session;
+
+class AuthorizationToken : public PerSession {
+public:
+ AuthorizationToken(Session &ssn, const CredentialSet &base, const audit_token_t &auditToken, bool operateAsLeastPrivileged = false);
+ ~AuthorizationToken();
+
+ Session &session() const;
+
+ const AuthorizationBlob &handle() const { return mHandle; }
+ const CredentialSet &baseCreds() const { return mBaseCreds; }
+ CredentialSet effectiveCreds() const;
+
+ typedef CredentialSet::iterator iterator;
+ iterator begin() { return mBaseCreds.begin(); }
+ iterator end() { return mBaseCreds.end(); }
+
+ // add more credential dependencies
+ void mergeCredentials(const CredentialSet &more);
+
+ // maintain process-owning links
+ void addProcess(Process &proc);
+ bool endProcess(Process &proc);
+
+ // access control for external representations
+ bool mayExternalize(Process &proc) const;
+ bool mayInternalize(Process &proc, bool countIt = true);
+
+ uid_t creatorUid() const { return mCreatorUid; }
+ gid_t creatorGid() const { return mCreatorGid; }
+ SecStaticCodeRef creatorCode() const { return mCreatorCode; }
+ std::string creatorPath() const;
+ pid_t creatorPid() const { return mCreatorPid; }
+ bool creatorSandboxed() const { return mCreatorSandboxed; }
+
+ const AuditToken &creatorAuditToken() const { return mCreatorAuditToken; }
+
+ AuthItemSet infoSet(AuthorizationString tag = NULL);
+ void setInfoSet(AuthItemSet &newInfoSet, bool savePassword);
+ void setCredentialInfo(const Credential &inCred, bool savePassword);
+ void clearInfoSet();
+ void scrubInfoSet(bool savePassword);
+ bool operatesAsLeastPrivileged() const { return mOperatesAsLeastPrivileged; }
+
+public:
+ static AuthorizationToken &find(const AuthorizationBlob &blob);
+
+ class Deleter {
+ public:
+ Deleter(const AuthorizationBlob &blob);
+
+ void remove();
+ operator AuthorizationToken &() const { return *mAuth; }
+
+ private:
+ RefPointer<AuthorizationToken> mAuth;
+ StLock<Mutex> lock;
+ };
+
+private:
+ mutable Mutex mLock; // object lock
+ AuthorizationBlob mHandle; // official randomized blob marker
+ CredentialSet mBaseCreds; // credentials we're based on
+
+ unsigned int mTransferCount; // number of internalizations remaining
+
+ typedef set<Process *> ProcessSet;
+ ProcessSet mUsingProcesses; // set of process objects using this token
+
+ uid_t mCreatorUid; // Uid of process that created this authorization
+ gid_t mCreatorGid; // Gid of process that created this authorization
+ CFCopyRef<SecStaticCodeRef> mCreatorCode; // code reference to creator
+ pid_t mCreatorPid; // Pid of processs that created this authorization
+ bool mCreatorSandboxed; // A record of whether or not the creator was Sandboxed
+
+ AuditToken mCreatorAuditToken; // Audit token of the process that created this authorization
+
+ AuthItemSet mInfoSet; // Side band info gathered from evaluations in this session
+
+ bool mOperatesAsLeastPrivileged;
+
+ AuthItemSet mSavedPassword;
+
+private:
+ typedef map<AuthorizationBlob, RefPointer<AuthorizationToken> > AuthMap;
+ static AuthMap &authMap; // set of extant authorizations
+ static Mutex authMapLock; // lock for mAuthorizations (only)
+};
+
+#endif //_H_AUTHORITY
projects / apple / security.git / blobdiff