X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/80e2389990082500d76eb566d4946be3e786c3ef..d8f41ccd20de16f8ebe2ccc84d47bf1cb2b26bbb:/Security/libsecurity_codesigning/lib/policyengine.h diff --git a/Security/libsecurity_codesigning/lib/policyengine.h b/Security/libsecurity_codesigning/lib/policyengine.h new file mode 100644 index 00000000..673f1e66 --- /dev/null +++ b/Security/libsecurity_codesigning/lib/policyengine.h @@ -0,0 +1,97 @@ +/* + * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#ifndef _H_POLICYENGINE +#define _H_POLICYENGINE + +#include "SecAssessment.h" +#include "opaquewhitelist.h" +#include "policydb.h" +#include +#include +#include +#include +#include +#include + +namespace Security { +namespace CodeSigning { + + +typedef uint EngineOperation; +enum { + opInvalid = 0, + opEvaluate, + opAddAuthority, + opRemoveAuthority, +}; + + +class PolicyEngine : public PolicyDatabase { +public: + PolicyEngine(); + virtual ~PolicyEngine(); + +public: + void evaluate(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result); + + CFDictionaryRef update(CFTypeRef target, SecAssessmentFlags flags, CFDictionaryRef context); + CFDictionaryRef add(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context); + CFDictionaryRef remove(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context); + CFDictionaryRef enable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context); + CFDictionaryRef disable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context); + CFDictionaryRef find(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context); + + void recordFailure(CFDictionaryRef info); + +public: + static void addAuthority(SecAssessmentFlags flags, CFMutableDictionaryRef parent, const char *label, SQLite::int64 row = 0, CFTypeRef cacheInfo = NULL, bool weak = false); + static void addToAuthority(CFMutableDictionaryRef parent, CFStringRef key, CFTypeRef value); + +private: + void evaluateCode(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result, bool handleUnsigned); + void evaluateInstall(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result); + void evaluateDocOpen(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result); + + void evaluateCodeItem(SecStaticCodeRef code, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, bool nested, CFMutableDictionaryRef result); + void adjustValidation(SecStaticCodeRef code); + bool temporarySigning(SecStaticCodeRef code, AuthorityType type, CFURLRef path, SecAssessmentFlags matchFlags); + void normalizeTarget(CFRef &target, AuthorityType type, CFDictionary &context, std::string *signUnsigned); + + void selectRules(SQLite::Statement &action, std::string stanza, std::string table, + CFTypeRef inTarget, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, std::string suffix = ""); + CFDictionaryRef manipulateRules(const std::string &stanza, + CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context); + + void setOrigin(CFArrayRef chain, CFMutableDictionaryRef result); + + void recordOutcome(SecStaticCodeRef code, bool allow, AuthorityType type, double expires, SQLite::int64 authority); + +private: + OpaqueWhitelist mOpaqueWhitelist; +}; + + +} // end namespace CodeSigning +} // end namespace Security + +#endif //_H_POLICYENGINE