1 /*
2 * Copyright (c) 2000-2001,2003-2004 Apple Computer, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved.
7 *
8 * This file contains Original Code and/or Modifications of Original Code
9 * as defined in and that are subject to the Apple Public Source License
10 * Version 2.0 (the 'License'). You may not use this file except in
11 * compliance with the License. Please obtain a copy of the License at
12 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * file.
14 *
15 * The Original Code and all software distributed under the License are
16 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
17 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
18 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
20 * Please see the License for the specific language governing rights and
21 * limitations under the License.
22 *
23 * @APPLE_LICENSE_HEADER_END@
24 */
25
26
27 //
28 // acls - SecurityServer ACL implementation
29 //
30 #ifndef _H_ACLS
31 #define _H_ACLS
32
33 #include "securityserver.h"
34 #include <security_cdsa_utilities/cssmacl.h>
35 #include <security_cdsa_utilities/acl_process.h>
36 #include <security_cdsa_utilities/acl_codesigning.h>
37
38
39 class Connection;
40 class Database;
41
42
//
// SecurityServerAcl - the ObjectAcl specialization used by the SecurityServer.
//
// Every instance carries an AclKind tag that is fixed at construction.
// The validation and ACL-editing members are only declared in this header;
// what they actually check is decided by their out-of-line definitions.
//
class SecurityServerAcl : public ObjectAcl {
public:
    // Initializes the ObjectAcl base with the allocator and records the kind tag.
    SecurityServerAcl(AclKind aclKind, Allocator &allocator)
        : ObjectAcl(allocator), mKind(aclKind)
    {
    }

    virtual ~SecurityServerAcl();

    // Returns the kind tag given at construction; this class declares no setter.
    AclKind kind() const
    {
        return mKind;
    }

    // Validation calls restated. One overload takes the caller's credentials
    // directly, the other takes a Context.
    // NOTE(review): whether a null `cred` is accepted, and how failure is
    // reported, is not visible in this header - confirm in the implementation.
    void validate(AclAuthorization auth, const AccessCredentials *cred);
    void validate(AclAuthorization auth, const Context &context);

    // ACL and owner edits; both take the requester's credentials.
    // NOTE(review): presumably the credentials are checked before the edit is
    // applied - confirm in the implementation.
    void cssmChangeAcl(const AclEdit &edit, const AccessCredentials *cred);
    void cssmChangeOwner(const AclOwnerPrototype &newOwner, const AccessCredentials *cred);

    // Database associated with this ACL; virtual, so derived classes can supply it.
    // NOTE(review): the return type permits a null pointer - confirm whether
    // callers must handle that.
    virtual const Database *relatedDatabase() const;

    // aclSequence is taken to serialize ACL validations so that they pick up
    // mutual changes. It is a public member: this declaration does not show
    // which code paths take it, so the locking discipline has to be verified
    // at each use.
    Mutex aclSequence;

private:
    AclKind mKind;      // kind tag, written only by the constructor
};
68
69
//
// SecurityServerEnvironment - our implementation of an ACL validation
// environment. It uses information derived from a Connection object and
// implements context for
//  -- ProcessAclSubjects (getuid/getgid)
//  -- KeychainPromptAclSubjects (connection link)
// It also derives from CodeSignatureAclSubject::Environment and declares
// verifyCodeSignature.
//
class SecurityServerEnvironment
    : public virtual AclValidationEnvironment,
      public virtual ProcessAclSubject::Environment,
      public virtual CodeSignatureAclSubject::Environment {
public:
    // Binds the environment to an existing ACL. The constructor is not marked
    // explicit, so a SecurityServerAcl converts implicitly to an environment.
    SecurityServerEnvironment(const SecurityServerAcl &sourceAcl)
        : acl(sourceAcl)
    {
    }

    // Held by reference, not copied: the ACL must outlive this environment.
    const SecurityServerAcl &acl;

    // Forwards to the bound ACL's relatedDatabase().
    const Database *database() const
    {
        return acl.relatedDatabase();
    }

    // Identity queries, defined out of line.
    // NOTE(review): per the class comment these are derived from a Connection
    // object; how the peer's uid/gid/pid are obtained is not visible here -
    // confirm, since ACL decisions rest on these values.
    uid_t getuid() const;
    gid_t getgid() const;
    pid_t getpid() const;

    // Code-signature check, defined out of line; unlike the queries above it
    // is not const.
    // NOTE(review): which code is verified against `signature` is not visible
    // in this header - confirm in the implementation.
    bool verifyCodeSignature(const CodeSigning::Signature *signature, const CssmData *comment);
};
91
92
93 #endif //_H_ACLS