+++ /dev/null
-/*
- * Copyright (c) 2000-2004,2006-2012 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#include "AuthorizationEngine.h"
-#include <security_cdsa_utilities/AuthorizationWalkers.h>
-#include <Security/AuthorizationPriv.h>
-#include <Security/AuthorizationDB.h>
-
-#include "authority.h"
-
-#include <Security/AuthorizationTags.h>
-#include <Security/AuthorizationTagsPriv.h>
-#include <security_utilities/logging.h>
-#include <security_utilities/cfutilities.h>
-#include <security_utilities/debugging.h>
-#include "server.h"
-
-#include <CoreFoundation/CFData.h>
-#include <CoreFoundation/CFNumber.h>
-#include <CoreFoundation/CFPropertyList.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <float.h>
-#include <sandbox.h>
-
-#include <bsm/audit_uevents.h> // AUE_ssauth*
-#include "ccaudit_extensions.h"
-
-namespace Authorization {
-
-using namespace CommonCriteria::Securityd;
-
-
-//
-// Errors to be thrown
-//
-Error::Error(int err) : error(err)
-{
-}
-
-const char *Error::what() const throw()
-{ return "Authorization error"; }
-
-int Error::unixError() const throw()
-{ return error; } // @@@ eventually...
-
-OSStatus Error::osStatus() const throw()
-{ return error; }
-
-void Error::throwMe(int err) { throw Error(err); }
-
-//
-// Engine class
-//
-Engine::Engine(const char *configFile) : mAuthdb(configFile)
-{
-}
-
-Engine::~Engine()
-{
-}
-
-
-/*!
- @function AuthorizationEngine::authorize
-
- @@@.
-
- @param inRights (input) List of rights being requested for authorization.
- @param environment (optional/input) Environment containing information to be used during evaluation.
- @param flags (input) Optional flags @@@ see AuthorizationCreate for a description.
- @param inCredentials (input) Credentials already held by the caller.
- @param outCredentials (output/optional) Credentials obtained, used or refreshed during this call to authorize the requested rights.
- @param outRights (output/optional) Subset of inRights which were actually authorized.
-
- @results Returns errAuthorizationSuccess if all rights requested are authorized, or if the kAuthorizationFlagPartialRights flag was specified. Might return other status values like errAuthorizationDenied, errAuthorizationCanceled or errAuthorizationInteractionNotAllowed
-*/
-OSStatus
-Engine::authorize(const AuthItemSet &inRights, const AuthItemSet &environment,
- AuthorizationFlags flags, const CredentialSet *inCredentials, CredentialSet *outCredentials,
- AuthItemSet &outRights, AuthorizationToken &auth)
-{
- CredentialSet credentials;
- OSStatus status = errAuthorizationSuccess;
- SecurityAgent::Reason reason = SecurityAgent::noReason;
-
- // Get current time of day.
- CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
-
- // Update rules from database if needed
- mAuthdb.sync(now);
-
- // Check if a credential was passed into the environment and we were asked to extend the rights
- if (flags & kAuthorizationFlagExtendRights)
- {
- string username, password;
- bool shared = false;
- for (AuthItemSet::iterator item = environment.begin(); item != environment.end(); item ++)
- {
- if (!strcmp((*item)->name(), kAuthorizationEnvironmentUsername))
- username = (*item)->stringValue();
- else if (!strcmp((*item)->name(), kAuthorizationEnvironmentPassword))
- password = (*item)->stringValue();
- else if (!strcmp((*item)->name(), kAuthorizationEnvironmentShared))
- shared = true;
- }
-
- if (username.length())
- {
- // Let's create a credential from the passed in username and password.
- Credential newCredential(username, password, shared);
- // If it's valid insert it into the credentials list. Normally this is
- // only done if it actually authorizes a requested right, but for this
- // special case (environment) we do it even when no rights are being requested.
- if (newCredential->isValid())
- credentials.insert(newCredential);
- }
- }
-
- // generate hints for every authorization
- AuthItemSet environmentToClient = environment;
-
- RightAuthenticationLogger logger(auth.creatorAuditToken(), AUE_ssauthorize);
-
- // create a vector with the first right first
- std::vector<AuthItemRef> tempRights;
- for (AuthItemSet::const_iterator it = inRights.begin(); it != inRights.end(); ++it) {
- if (inRights.firstItemName != NULL && strcmp((*it)->name(), inRights.firstItemName) == 0)
- tempRights.insert(tempRights.begin(), *it);
- else
- tempRights.push_back(*it);
- }
-
- bool authExtractPassword = false;
- std::vector<AuthItemRef>::const_iterator end = tempRights.end();
- for (std::vector<AuthItemRef>::const_iterator it = tempRights.begin(); it != end; ++it)
- {
- // Get the rule for each right we are trying to obtain.
- const Rule &toplevelRule = mAuthdb.getRule(*it);
-
- if (false == authExtractPassword)
- authExtractPassword = toplevelRule->extractPassword();
-
- string processName = "unknown";
- string authCreatorName = "unknown";
- {
- StLock<Mutex> _(Server::process());
- if (SecCodeRef code = Server::process().currentGuest()) {
- CFRef<CFURLRef> path;
- if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
- processName = cfString(path);
- }
- }
- authCreatorName = auth.creatorPath();
-
- if (sandbox_check(Server::process().pid(), "authorization-right-obtain", SANDBOX_FILTER_RIGHT_NAME, (*it)->name())) {
- Syslog::error("Sandbox denied authorizing right '%s' by client '%s' [%d]", (*it)->name(), processName.c_str(), Server::process().pid());
- return errAuthorizationDenied;
- }
- if (auth.creatorSandboxed() && sandbox_check(auth.creatorPid(), "authorization-right-obtain", SANDBOX_FILTER_RIGHT_NAME, (*it)->name())) {
- Syslog::error("Sandbox denied authorizing right '%s' for authorization created by '%s' [%d]", (*it)->name(), authCreatorName.c_str(), auth.creatorPid());
- return errAuthorizationDenied;
- }
-
- OSStatus result = toplevelRule->evaluate(*it, toplevelRule, environmentToClient, flags, now, inCredentials, credentials, auth, reason, authExtractPassword);
- secdebug("autheval", "evaluate rule %s for right %s returned %d.", toplevelRule->name().c_str(), (*it)->name(), int(result));
- SECURITYD_AUTH_EVALRIGHT(&auth, (char *)(*it)->name(), result);
-
- logger.setRight((*it)->name());
- logger.logAuthorizationResult(processName.c_str(), authCreatorName.c_str(), result);
-
- if (result == errAuthorizationSuccess)
- {
- outRights.insert(*it);
- Syslog::info("Succeeded authorizing right '%s' by client '%s' [%d] for authorization created by '%s' [%d] (%X,%d)", (*it)->name(), processName.c_str(), Server::process().pid(), authCreatorName.c_str(), auth.creatorPid(), uint32_t(flags), auth.operatesAsLeastPrivileged());
- }
- else if (result == errAuthorizationDenied || result == errAuthorizationInteractionNotAllowed)
- {
- if (result == errAuthorizationDenied)
- {
- secdebug("autheval", "Failed to authorize right '%s' by client '%s' [%d] for authorization created by '%s' [%d] (%X,%d)", (*it)->name(), processName.c_str(), Server::process().pid(), authCreatorName.c_str(), auth.creatorPid(), uint32_t(flags), auth.operatesAsLeastPrivileged());
- }
-
- // add creator pid to authorization token
- if (!(flags & kAuthorizationFlagPartialRights))
- {
- status = result;
- break;
- }
- }
- else if (result == errAuthorizationCanceled)
- {
- status = result;
- break;
- }
- else
- {
- Syslog::error("Engine::authorize: Rule::evaluate returned %ld returning errAuthorizationInternal", result);
- status = errAuthorizationInternal;
- break;
- }
- }
-
- // purge all uid credentials from the outCredentials for least privileged mode
- if (auth.operatesAsLeastPrivileged()) {
- CredentialSet::const_iterator current, it = outCredentials->begin();
- while(it != outCredentials->end()) {
- current = it++;
- if (!(*current)->isRight()) {
- outCredentials->erase(current);
- }
- }
- }
-
- if (outCredentials)
- outCredentials->swap(credentials);
-
- return status;
-}
-
-OSStatus
-Engine::verifyModification(string inRightName, bool remove,
- const CredentialSet *inCredentials, CredentialSet *outCredentials, AuthorizationToken &auth)
-{
- // Validate right
-
- // meta rights are constructed as follows:
- // we don't allow setting of wildcard rights, so you can only be more specific
- // note that you should never restrict things with a wildcard right without disallowing
- // changes to the entire domain. ie.
- // system.privilege. -> never
- // config.add.system.privilege. -> never
- // config.modify.system.privilege. -> never
- // config.delete.system.privilege. -> never
- // For now we don't allow any configuration of configuration rules
- // config.config. -> never
-
- string rightnameToCheck;
-
- // @@@ verify right name is is not NULL or zero length
- if (inRightName.length() == 0)
- return errAuthorizationDenied;
-
- // @@@ make sure it isn't a wildcard right by checking trailing "."
- if ( *(inRightName.rbegin()) == '.')
- return errAuthorizationDenied;
-
- // @@@ make sure it isn't a configure right by checking it doesn't start with config.
- if (inRightName.find(kConfigRight, 0) != string::npos)
- {
- // special handling of meta right change:
- // config.add. config.modify. config.remove. config.{}.
- // check for config.<right> (which always starts with config.config.)
- rightnameToCheck = string(kConfigRight) + inRightName;
- }
- else
- {
- // regular check of rights
- bool existingRule = mAuthdb.existRule(inRightName);
- if (!remove)
- {
- if (existingRule)
- rightnameToCheck = string(kAuthorizationConfigRightModify) + inRightName;
- else
- rightnameToCheck = string(kAuthorizationConfigRightAdd) + inRightName;
- }
- else
- {
- if (existingRule)
- rightnameToCheck = string(kAuthorizationConfigRightRemove) + inRightName;
- else
- {
- secdebug("engine", "rule %s doesn't exist.", inRightName.c_str());
- return errAuthorizationSuccess; // doesn't exist, done
- }
- }
- }
-
-
- AuthItemSet rights, environment, outRights;
- rights.insert(AuthItemRef(rightnameToCheck.c_str()));
- secdebug("engine", "authorizing %s for db modification.", rightnameToCheck.c_str());
- return authorize(rights, environment, kAuthorizationFlagDefaults | kAuthorizationFlagInteractionAllowed | kAuthorizationFlagExtendRights, inCredentials, outCredentials, outRights, auth);
-}
-
-OSStatus
-Engine::getRule(string &inRightName, CFDictionaryRef *outRuleDefinition)
-{
- // Get current time of day.
- CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
-
- // Update rules from database if needed
- mAuthdb.sync(now);
-
- CFDictionaryRef definition = mAuthdb.getRuleDefinition(inRightName);
- if (definition)
- {
- if (outRuleDefinition)
- *outRuleDefinition = definition;
- else
- CFRelease(definition);
-
- return errAuthorizationSuccess;
- }
-
- return errAuthorizationDenied;
-}
-
-OSStatus
-Engine::setRule(const char *inRightName, CFDictionaryRef inRuleDefinition, const CredentialSet *inCredentials, CredentialSet *outCredentials, AuthorizationToken &auth)
-{
- // Validate rule by constructing it from the passed dictionary
- if (!mAuthdb.validateRule(inRightName, inRuleDefinition))
- return errAuthorizationDenied; // @@@ separate error for this?
-
- OSStatus result = verifyModification(inRightName, false /*setting, not removing*/, inCredentials, outCredentials, auth);
- if (result != errAuthorizationSuccess)
- return result;
-
- // set the rule for the right and save the database
- mAuthdb.setRule(inRightName, inRuleDefinition);
-
- return errAuthorizationSuccess;
-}
-
-OSStatus
-Engine::removeRule(const char *inRightName, const CredentialSet *inCredentials, CredentialSet *outCredentials, AuthorizationToken &auth)
-{
- // Get current time of day.
- CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
-
- // Update rules from database if needed
- mAuthdb.sync(now);
-
- OSStatus result = verifyModification(inRightName, true /*removing*/, inCredentials, outCredentials, auth);
- if (result != errAuthorizationSuccess)
- return result;
-
- // set the rule for the right and save the database
- mAuthdb.removeRule(inRightName);
-
- return errAuthorizationSuccess;
-}
-
-} // end namespace Authorization
projects / apple / security.git / blobdiff