src/authority.h

   1 /*
   2  * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24
  25 //
  26 // authority - authorization manager
  27 //
  28 #ifndef _H_AUTHORITY
  29 #define _H_AUTHORITY
  30
  31 #include <security_utilities/osxcode.h>
  32 #include <security_utilities/ccaudit.h>
  33 #include "database.h"
  34 #include "credential.h"
  35 #include <security_cdsa_utilities/AuthorizationData.h>
  36
  37 using Authorization::AuthItemSet;
  38 using Authorization::Credential;
  39 using Authorization::CredentialSet;
  40 using Security::CommonCriteria::AuditToken;
  41
  42 class Process;
  43 class Session;
  44
  45 class AuthorizationToken : public PerSession {
  46 public:
  47         AuthorizationToken(Session &ssn, const CredentialSet &base, const audit_token_t &auditToken, bool operateAsLeastPrivileged = false);
  48         ~AuthorizationToken();
  49
  50     Session &session() const;
  51
  52         const AuthorizationBlob &handle() const         { return mHandle; }
  53         const CredentialSet &baseCreds() const          { return mBaseCreds; }
  54         CredentialSet effectiveCreds() const;
  55
  56         typedef CredentialSet::iterator iterator;
  57         iterator begin()                { return mBaseCreds.begin(); }
  58         iterator end()                  { return mBaseCreds.end(); }
  59
  60         // add more credential dependencies
  61         void mergeCredentials(const CredentialSet &more);
  62
  63         // maintain process-owning links
  64         void addProcess(Process &proc);
  65         bool endProcess(Process &proc);
  66
  67         // access control for external representations
  68         bool mayExternalize(Process &proc) const;
  69         bool mayInternalize(Process &proc, bool countIt = true);
  70
  71         uid_t creatorUid() const        { return mCreatorUid; }
  72         gid_t creatorGid() const        { return mCreatorGid; }
  73     SecStaticCodeRef creatorCode() const { return mCreatorCode; }
  74         pid_t creatorPid() const        { return mCreatorPid; }
  75         bool creatorSandboxed() const { return mCreatorSandboxed; }
  76
  77         const AuditToken &creatorAuditToken() const { return mCreatorAuditToken; }
  78
  79         AuthItemSet infoSet(AuthorizationString tag = NULL);
  80     void setInfoSet(AuthItemSet &newInfoSet, bool savePassword);
  81     void setCredentialInfo(const Credential &inCred, bool savePassword);
  82     void clearInfoSet();
  83         void scrubInfoSet(bool savePassword);
  84         bool operatesAsLeastPrivileged() const { return mOperatesAsLeastPrivileged; }
  85
  86 public:
  87         static AuthorizationToken &find(const AuthorizationBlob &blob);
  88
  89     class Deleter {
  90     public:
  91         Deleter(const AuthorizationBlob &blob);
  92
  93         void remove();
  94         operator AuthorizationToken &() const   { return *mAuth; }
  95
  96     private:
  97         AuthorizationToken *mAuth;
  98         StLock<Mutex> lock;
  99     };
 100
 101 private:
 102         Mutex mLock;                                    // object lock
 103         AuthorizationBlob mHandle;              // official randomized blob marker
 104         CredentialSet mBaseCreds;               // credentials we're based on
 105
 106         unsigned int mTransferCount;    // number of internalizations remaining
 107
 108         typedef set<Process *> ProcessSet;
 109         ProcessSet mUsingProcesses;             // set of process objects using this token
 110
 111         uid_t mCreatorUid;                              // Uid of process that created this authorization
 112         gid_t mCreatorGid;                              // Gid of process that created this authorization
 113         CFCopyRef<SecStaticCodeRef> mCreatorCode; // code reference to creator
 114         pid_t mCreatorPid;                              // Pid of processs that created this authorization
 115         bool mCreatorSandboxed;         // A record of whether or not the creator was Sandboxed
 116
 117         AuditToken mCreatorAuditToken;  // Audit token of the process that created this authorization
 118
 119     AuthItemSet mInfoSet;                       // Side band info gathered from evaluations in this session
 120
 121         bool mOperatesAsLeastPrivileged;
 122
 123         AuthItemSet mSavedPassword;
 124
 125 private:
 126         typedef map<AuthorizationBlob, RefPointer<AuthorizationToken> > AuthMap;
 127         static AuthMap &authMap;                        // set of extant authorizations
 128     static Mutex authMapLock;           // lock for mAuthorizations (only)
 129 };
 130
 131 #endif //_H_AUTHORITY