]> git.saurik.com Git - apple/securityd.git/blob - src/authority.h
securityd-55126.2.tar.gz
[apple/securityd.git] / src / authority.h
1 /*
2 * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 //
26 // authority - authorization manager
27 //
28 #ifndef _H_AUTHORITY
29 #define _H_AUTHORITY
30
31 #include <security_utilities/osxcode.h>
32 #include <security_utilities/ccaudit.h>
33 #include "database.h"
34 #include "credential.h"
35 #include <security_cdsa_utilities/AuthorizationData.h>
36
37 using Authorization::AuthItemSet;
38 using Authorization::Credential;
39 using Authorization::CredentialSet;
40 using Security::CommonCriteria::AuditToken;
41
42 class Process;
43 class Session;
44
45 class AuthorizationToken : public PerSession {
46 public:
47 AuthorizationToken(Session &ssn, const CredentialSet &base, const audit_token_t &auditToken, bool operateAsLeastPrivileged = false);
48 ~AuthorizationToken();
49
50 Session &session() const;
51
52 const AuthorizationBlob &handle() const { return mHandle; }
53 const CredentialSet &baseCreds() const { return mBaseCreds; }
54 CredentialSet effectiveCreds() const;
55
56 typedef CredentialSet::iterator iterator;
57 iterator begin() { return mBaseCreds.begin(); }
58 iterator end() { return mBaseCreds.end(); }
59
60 // add more credential dependencies
61 void mergeCredentials(const CredentialSet &more);
62
63 // maintain process-owning links
64 void addProcess(Process &proc);
65 bool endProcess(Process &proc);
66
67 // access control for external representations
68 bool mayExternalize(Process &proc) const;
69 bool mayInternalize(Process &proc, bool countIt = true);
70
71 uid_t creatorUid() const { return mCreatorUid; }
72 gid_t creatorGid() const { return mCreatorGid; }
73 SecStaticCodeRef creatorCode() const { return mCreatorCode; }
74 pid_t creatorPid() const { return mCreatorPid; }
75 bool creatorSandboxed() const { return mCreatorSandboxed; }
76
77 const AuditToken &creatorAuditToken() const { return mCreatorAuditToken; }
78
79 AuthItemSet infoSet(AuthorizationString tag = NULL);
80 void setInfoSet(AuthItemSet &newInfoSet, bool savePassword);
81 void setCredentialInfo(const Credential &inCred, bool savePassword);
82 void clearInfoSet();
83 void scrubInfoSet(bool savePassword);
84 bool operatesAsLeastPrivileged() const { return mOperatesAsLeastPrivileged; }
85
86 public:
87 static AuthorizationToken &find(const AuthorizationBlob &blob);
88
89 class Deleter {
90 public:
91 Deleter(const AuthorizationBlob &blob);
92
93 void remove();
94 operator AuthorizationToken &() const { return *mAuth; }
95
96 private:
97 AuthorizationToken *mAuth;
98 StLock<Mutex> lock;
99 };
100
101 private:
102 Mutex mLock; // object lock
103 AuthorizationBlob mHandle; // official randomized blob marker
104 CredentialSet mBaseCreds; // credentials we're based on
105
106 unsigned int mTransferCount; // number of internalizations remaining
107
108 typedef set<Process *> ProcessSet;
109 ProcessSet mUsingProcesses; // set of process objects using this token
110
111 uid_t mCreatorUid; // Uid of process that created this authorization
112 gid_t mCreatorGid; // Gid of process that created this authorization
113 CFCopyRef<SecStaticCodeRef> mCreatorCode; // code reference to creator
114 pid_t mCreatorPid; // Pid of processs that created this authorization
115 bool mCreatorSandboxed; // A record of whether or not the creator was Sandboxed
116
117 AuditToken mCreatorAuditToken; // Audit token of the process that created this authorization
118
119 AuthItemSet mInfoSet; // Side band info gathered from evaluations in this session
120
121 bool mOperatesAsLeastPrivileged;
122
123 AuthItemSet mSavedPassword;
124
125 private:
126 typedef map<AuthorizationBlob, RefPointer<AuthorizationToken> > AuthMap;
127 static AuthMap &authMap; // set of extant authorizations
128 static Mutex authMapLock; // lock for mAuthorizations (only)
129 };
130
131 #endif //_H_AUTHORITY