+++ /dev/null
-/*
- * Copyright (c) 2003-2005,2007-2010 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- *
- * AuthorizationDBPlist.cpp
- * Security
- *
- */
-
-#include "AuthorizationDBPlist.h"
-#include <security_utilities/logging.h>
-#include <System/sys/fsctl.h>
-
-// mLock is held when the database is changed
-// mReadWriteLock is held when the file on disk is changed
-// during load(), save() and parseConfig() mLock is assumed
-
-namespace Authorization {
-
-AuthorizationDBPlist::AuthorizationDBPlist(const char *configFile) :
- mFileName(configFile), mLastChecked(DBL_MIN)
-{
- memset(&mRulesFileMtimespec, 0, sizeof(mRulesFileMtimespec));
-}
-
-void AuthorizationDBPlist::sync(CFAbsoluteTime now)
-{
- if (mRules.empty()) {
- StLock<Mutex> _(mLock);
- load();
- } else {
- // Don't do anything if we checked the timestamp less than 5 seconds ago
- if (mLastChecked > now - 5.0) {
- secdebug("authdb", "no sync: last reload %.0f + 5 > %.0f",
- mLastChecked, now);
- return;
- }
-
- {
- struct stat st;
- {
- StLock<Mutex> _(mReadWriteLock);
- if (stat(mFileName.c_str(), &st)) {
- Syslog::error("Stating rules file \"%s\": %s", mFileName.c_str(),
- strerror(errno));
- return;
- }
- }
-
- if (memcmp(&st.st_mtimespec, &mRulesFileMtimespec, sizeof(mRulesFileMtimespec))) {
- StLock<Mutex> _(mLock);
- load();
- }
- }
- }
-}
-
-void AuthorizationDBPlist::save()
-{
- if (!mConfig)
- return;
-
- StLock<Mutex> _(mReadWriteLock);
-
- secdebug("authdb", "policy db changed, saving to disk.");
- int fd = -1;
- string tempFile = mFileName + ",";
-
- for (;;) {
- fd = open(tempFile.c_str(), O_WRONLY|O_CREAT|O_EXCL, 0644);
- if (fd == -1) {
- if (errno == EEXIST) {
- unlink(tempFile.c_str());
- continue;
- }
- if (errno == EINTR)
- continue;
- else
- break;
- } else
- break;
- }
-
- if (fd == -1) {
- Syslog::error("Saving rules file \"%s\": %s", tempFile.c_str(),
- strerror(errno));
- return;
- }
-
- CFDataRef configXML = CFPropertyListCreateXMLData(NULL, mConfig);
- if (!configXML)
- return;
-
- CFIndex configSize = CFDataGetLength(configXML);
- ssize_t bytesWritten = write(fd, CFDataGetBytePtr(configXML), configSize);
- CFRelease(configXML);
-
- if (bytesWritten != configSize) {
- if (bytesWritten == -1)
- Syslog::error("Problem writing rules file \"%s\": (errno=%s)",
- tempFile.c_str(), strerror(errno));
- else
- Syslog::error("Problem writing rules file \"%s\": "
- "only wrote %lu out of %ld bytes",
- tempFile.c_str(), bytesWritten, configSize);
-
- close(fd);
- unlink(tempFile.c_str());
- }
- else
- {
- if (-1 == fcntl(fd, F_FULLFSYNC, NULL))
- fsync(fd);
-
- close(fd);
- int fd2 = open (mFileName.c_str(), O_RDONLY);
- if (rename(tempFile.c_str(), mFileName.c_str()))
- {
- close(fd2);
- unlink(tempFile.c_str());
- }
- else
- {
- /* force a sync to flush the journal */
- int flags = FSCTL_SYNC_WAIT|FSCTL_SYNC_FULLSYNC;
- ffsctl(fd2, FSCTL_SYNC_VOLUME, &flags, sizeof(flags));
- close(fd2);
- mLastChecked = CFAbsoluteTimeGetCurrent(); // we have the copy that's on disk now, so don't go loading it right away
- }
- }
-}
-
-void AuthorizationDBPlist::load()
-{
- StLock<Mutex> _(mReadWriteLock);
- CFDictionaryRef configPlist;
-
- secdebug("authdb", "(re)loading policy db from disk.");
- int fd = open(mFileName.c_str(), O_RDONLY, 0);
- if (fd == -1) {
- Syslog::error("Problem opening rules file \"%s\": %s",
- mFileName.c_str(), strerror(errno));
- return;
- }
-
- struct stat st;
- if (fstat(fd, &st)) {
- int error = errno;
- close(fd);
- UnixError::throwMe(error);
- }
-
- mRulesFileMtimespec = st.st_mtimespec;
- off_t fileSize = st.st_size;
- CFMutableDataRef xmlData = CFDataCreateMutable(NULL, fileSize);
- CFDataSetLength(xmlData, fileSize);
- void *buffer = CFDataGetMutableBytePtr(xmlData);
- ssize_t bytesRead = read(fd, buffer, fileSize);
- if (bytesRead != fileSize) {
- if (bytesRead == -1) {
- Syslog::error("Problem reading rules file \"%s\": %s",
- mFileName.c_str(), strerror(errno));
- goto cleanup;
- }
- Syslog::error("Problem reading rules file \"%s\": "
- "only read %ul out of %ul bytes",
- bytesRead, fileSize, mFileName.c_str());
- goto cleanup;
- }
-
- CFStringRef errorString;
- configPlist = reinterpret_cast<CFDictionaryRef>(CFPropertyListCreateFromXMLData(NULL, xmlData, kCFPropertyListMutableContainersAndLeaves, &errorString));
-
- if (!configPlist) {
- char buffer[512];
- const char *error = CFStringGetCStringPtr(errorString,
- kCFStringEncodingUTF8);
- if (error == NULL) {
- if (CFStringGetCString(errorString, buffer, 512,
- kCFStringEncodingUTF8))
- error = buffer;
- }
-
- Syslog::error("Parsing rules file \"%s\": %s",
- mFileName.c_str(), error);
- if (errorString)
- CFRelease(errorString);
-
- goto cleanup;
- }
-
- if (CFGetTypeID(configPlist) != CFDictionaryGetTypeID()) {
-
- Syslog::error("Rules file \"%s\": is not a dictionary",
- mFileName.c_str());
-
- goto cleanup;
- }
-
- parseConfig(configPlist);
-
-cleanup:
- if (xmlData)
- CFRelease(xmlData);
- if (configPlist)
- CFRelease(configPlist);
-
- close(fd);
-
- // If all went well, we have the copy that's on disk now, so don't go loading it right away
- mLastChecked = CFAbsoluteTimeGetCurrent();
-}
-
-void AuthorizationDBPlist::parseConfig(CFDictionaryRef config)
-{
- CFStringRef rightsKey = CFSTR("rights");
- CFStringRef rulesKey = CFSTR("rules");
- CFMutableDictionaryRef newRights = NULL;
- CFMutableDictionaryRef newRules = NULL;
-
- if (!config)
- {
- Syslog::alert("Failed to parse config, no config");
- MacOSError::throwMe(errAuthorizationInternal);
- }
-
- if (CFDictionaryContainsKey(config, rulesKey))
- newRules = reinterpret_cast<CFMutableDictionaryRef>(const_cast<void*>(CFDictionaryGetValue(config, rulesKey)));
-
- if (CFDictionaryContainsKey(config, rightsKey))
- newRights = reinterpret_cast<CFMutableDictionaryRef>(const_cast<void*>(CFDictionaryGetValue(config, rightsKey)));
-
- if (newRules && newRights
- && (CFDictionaryGetTypeID() == CFGetTypeID(newRules))
- && (CFDictionaryGetTypeID() == CFGetTypeID(newRights)))
- {
- mConfigRights = static_cast<CFMutableDictionaryRef>(newRights);
- mConfigRules = static_cast<CFMutableDictionaryRef>(newRules);
- mRules.clear();
- try {
- CFDictionaryApplyFunction(newRights, parseRule, this);
- } catch (...) {
- Syslog::alert("Failed to parse config and apply dictionary function");
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule file
- }
- mConfig = config;
- }
- else
- {
- Syslog::alert("Failed to parse config, invalid rule file");
- MacOSError::throwMe(errAuthorizationInternal); // XXX/cs invalid rule file
- }
-}
-
-void AuthorizationDBPlist::parseRule(const void *key, const void *value, void *context)
-{
- static_cast<AuthorizationDBPlist*>(context)->addRight(static_cast<CFStringRef>(key), static_cast<CFDictionaryRef>(value));
-}
-
-void AuthorizationDBPlist::addRight(CFStringRef key, CFDictionaryRef definition)
-{
- string keyString = cfString(key);
- mRules[keyString] = Rule(keyString, definition, mConfigRules);
-}
-
-bool
-AuthorizationDBPlist::validateRule(string inRightName, CFDictionaryRef inRightDefinition) const
-{
- if (!mConfigRules ||
- 0 == CFDictionaryGetCount(mConfigRules)) {
- Syslog::error("No rule definitions!");
- MacOSError::throwMe(errAuthorizationInternal);
- }
- try {
- Rule newRule(inRightName, inRightDefinition, mConfigRules);
- if (newRule->name() == inRightName)
- return true;
- } catch (...) {
- secdebug("authrule", "invalid definition for rule %s.\n",
- inRightName.c_str());
- }
- return false;
-}
-
-CFDictionaryRef
-AuthorizationDBPlist::getRuleDefinition(string &key)
-{
- if (!mConfigRights ||
- 0 == CFDictionaryGetCount(mConfigRights)) {
- Syslog::error("No rule definitions!");
- MacOSError::throwMe(errAuthorizationInternal);
- }
- CFStringRef cfKey = makeCFString(key);
- StLock<Mutex> _(mLock);
- if (CFDictionaryContainsKey(mConfigRights, cfKey)) {
- CFDictionaryRef definition = reinterpret_cast<CFMutableDictionaryRef>(const_cast<void*>(CFDictionaryGetValue(mConfigRights, cfKey)));
- CFRelease(cfKey);
- return CFDictionaryCreateCopy(NULL, definition);
- } else {
- CFRelease(cfKey);
- return NULL;
- }
-}
-
-bool
-AuthorizationDBPlist::existRule(string &ruleName) const
-{
- AuthItemRef candidateRule(ruleName.c_str());
- string ruleForCandidate = getRule(candidateRule)->name();
- // same name or covered by wildcard right -> modification.
- if ( (ruleName == ruleForCandidate) ||
- (*(ruleForCandidate.rbegin()) == '.') )
- return true;
-
- return false;
-}
-
-Rule
-AuthorizationDBPlist::getRule(const AuthItemRef &inRight) const
-{
- string key(inRight->name());
- // Lock the rulemap
- StLock<Mutex> _(mLock);
-
- secdebug("authdb", "looking up rule %s.", inRight->name());
- if (mRules.empty())
- return Rule();
-
- for (;;) {
- map<string,Rule>::const_iterator rule = mRules.find(key);
-
- if (rule != mRules.end())
- return (*rule).second;
-
- // no default rule
- assert (key.size());
-
- // any reduction of a combination of two chars is futile
- if (key.size() > 2) {
- // find last dot with exception of possible dot at end
- string::size_type index = key.rfind('.', key.size() - 2);
- // cut right after found dot, or make it match default rule
- key = key.substr(0, index == string::npos ? 0 : index + 1);
- } else
- key.erase();
- }
-}
-
-void
-AuthorizationDBPlist::setRule(const char *inRightName, CFDictionaryRef inRuleDefinition)
-{
- // if mConfig is now a reasonable guard
- if (!inRuleDefinition || !mConfigRights)
- {
- Syslog::alert("Failed to set rule, no definition or rights");
- MacOSError::throwMe(errAuthorizationDenied); // ???/gh errAuthorizationInternal instead?
- }
-
- CFRef<CFStringRef> keyRef(CFStringCreateWithCString(NULL, inRightName,
- kCFStringEncodingASCII));
- if (!keyRef)
- return;
-
- {
- StLock<Mutex> _(mLock);
- secdebug("authdb", "setting up rule %s.", inRightName);
- CFDictionarySetValue(mConfigRights, keyRef, inRuleDefinition);
- save();
- parseConfig(mConfig);
- }
-}
-
-void
-AuthorizationDBPlist::removeRule(const char *inRightName)
-{
- // if mConfig is now a reasonable guard
- if (!mConfigRights)
- {
- Syslog::alert("Failed to remove rule, no rights");
- MacOSError::throwMe(errAuthorizationDenied); // ???/gh errAuthorizationInternal instead?
- }
-
- CFRef<CFStringRef> keyRef(CFStringCreateWithCString(NULL, inRightName,
- kCFStringEncodingASCII));
- if (!keyRef)
- return;
-
- {
- StLock<Mutex> _(mLock);
- secdebug("authdb", "removing rule %s.", inRightName);
- CFDictionaryRemoveValue(mConfigRights, keyRef);
- save();
- parseConfig(mConfig);
- }
-}
-
-
-} // end namespace Authorization
projects / apple / security.git / blobdiff