src/acls.cpp

   1 /*
   2  * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * Copyright (c) 1999-2003 Apple Computer, Inc.  All Rights Reserved.
   7  *
   8  * This file contains Original Code and/or Modifications of Original Code
   9  * as defined in and that are subject to the Apple Public Source License
  10  * Version 2.0 (the 'License'). You may not use this file except in
  11  * compliance with the License. Please obtain a copy of the License at
  12  * http://www.opensource.apple.com/apsl/ and read it before using this
  13  * file.
  14  *
  15  * The Original Code and all software distributed under the License are
  16  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  17  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  18  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  19  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  20  * Please see the License for the specific language governing rights and
  21  * limitations under the License.
  22  *
  23  * @APPLE_LICENSE_HEADER_END@
  24  */
  25
  26
  27 //
  28 // acls - SecurityServer ACL implementation
  29 //
  30 #include "acls.h"
  31 #include "connection.h"
  32 #include "server.h"
  33 #include <security_agent_client/agentclient.h>
  34 #include <security_cdsa_utilities/acl_any.h>
  35 #include <security_cdsa_utilities/acl_password.h>
  36 #include <security_cdsa_utilities/acl_threshold.h>
  37
  38
  39 //
  40 // SecurityServerAcl is virtual
  41 //
  42 SecurityServerAcl::~SecurityServerAcl()
  43 { }
  44
  45
  46 //
  47 // Each SecurityServerAcl type must provide some indication of a database
  48 // it is associated with. The default, naturally, is "none".
  49 //
  50 const Database *SecurityServerAcl::relatedDatabase() const
  51 { return NULL; }
  52
  53
  54 //
  55 // Provide environmental information to get/change-ACL calls.
  56 // Also make them virtual so our children can override them.
  57 //
  58 void SecurityServerAcl::cssmChangeAcl(const AclEdit &edit, const AccessCredentials *cred)
  59 {
  60         SecurityServerEnvironment env(*this);
  61         ObjectAcl::cssmChangeAcl(edit, cred, &env);
  62 }
  63
  64 void SecurityServerAcl::cssmChangeOwner(const AclOwnerPrototype &newOwner,
  65         const AccessCredentials *cred)
  66 {
  67         SecurityServerEnvironment env(*this);
  68         ObjectAcl::cssmChangeOwner(newOwner, cred, &env);
  69 }
  70
  71
  72 //
  73 // Modified validate() methods to connect all the conduits...
  74 //
  75 void SecurityServerAcl::validate(AclAuthorization auth, const AccessCredentials *cred)
  76 {
  77     SecurityServerEnvironment env(*this);
  78         StLock<Mutex> objectSequence(aclSequence);
  79         StLock<Mutex> processSequence(Server::process().aclSequence);
  80     ObjectAcl::validate(auth, cred, &env);
  81 }
  82
  83 void SecurityServerAcl::validate(AclAuthorization auth, const Context &context)
  84 {
  85         validate(auth,
  86                 context.get<AccessCredentials>(CSSM_ATTRIBUTE_ACCESS_CREDENTIALS));
  87 }
  88
  89
  90 //
  91 // Implement our environment object
  92 //
  93 uid_t SecurityServerEnvironment::getuid() const
  94 {
  95     return Server::process().uid();
  96 }
  97
  98 gid_t SecurityServerEnvironment::getgid() const
  99 {
 100     return Server::process().gid();
 101 }
 102
 103 pid_t SecurityServerEnvironment::getpid() const
 104 {
 105     return Server::process().pid();
 106 }
 107
 108 bool SecurityServerEnvironment::verifyCodeSignature(const CodeSigning::Signature *signature,
 109         const CssmData *comment)
 110 {
 111         return Server::codeSignatures().verify(Server::process(), signature, comment);
 112 }