]> git.saurik.com Git - apple/securityd.git/blob - src/authority.h
securityd-30544.tar.gz
[apple/securityd.git] / src / authority.h
1 /*
2 * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23
24
25 //
26 // authority - authorization manager
27 //
28 #ifndef _H_AUTHORITY
29 #define _H_AUTHORITY
30
31 #include <security_cdsa_utilities/AuthorizationData.h>
32 #include <security_utilities/osxcode.h>
33 #include <security_utilities/ccaudit.h>
34 #include "database.h"
35
36 using Authorization::Credential;
37 using Authorization::CredentialSet;
38 using Authorization::AuthItemSet;
39 using Security::CommonCriteria::AuditToken;
40
41 class Process;
42 class Session;
43
44 class AuthorizationToken : public PerSession {
45 public:
46 AuthorizationToken(Session &ssn, const CredentialSet &base, const audit_token_t &auditToken);
47 ~AuthorizationToken();
48
49 Session &session() const;
50
51 const AuthorizationBlob &handle() const { return mHandle; }
52 const CredentialSet &baseCreds() const { return mBaseCreds; }
53 CredentialSet effectiveCreds() const;
54
55 typedef CredentialSet::iterator iterator;
56 iterator begin() { return mBaseCreds.begin(); }
57 iterator end() { return mBaseCreds.end(); }
58
59 // add more credential dependencies
60 void mergeCredentials(const CredentialSet &more);
61
62 // maintain process-owning links
63 void addProcess(Process &proc);
64 bool endProcess(Process &proc);
65
66 // access control for external representations
67 bool mayExternalize(Process &proc) const;
68 bool mayInternalize(Process &proc, bool countIt = true);
69
70 uid_t creatorUid() const { return mCreatorUid; }
71 gid_t creatorGid() const { return mCreatorGid; }
72 OSXCode *creatorCode() const { return mCreatorCode; }
73 pid_t creatorPid() const { return mCreatorPid; }
74
75 const AuditToken &creatorAuditToken() const { return mCreatorAuditToken; }
76
77 AuthItemSet infoSet(AuthorizationString tag = NULL);
78 void setInfoSet(AuthItemSet &newInfoSet);
79 void setCredentialInfo(const Credential &inCred);
80 void clearInfoSet();
81 void scrubInfoSet();
82
83 public:
84 static AuthorizationToken &find(const AuthorizationBlob &blob);
85
86 class Deleter {
87 public:
88 Deleter(const AuthorizationBlob &blob);
89
90 void remove();
91 operator AuthorizationToken &() const { return *mAuth; }
92
93 private:
94 AuthorizationToken *mAuth;
95 StLock<Mutex> lock;
96 };
97
98 private:
99 Mutex mLock; // object lock
100 AuthorizationBlob mHandle; // official randomized blob marker
101 CredentialSet mBaseCreds; // credentials we're based on
102
103 unsigned int mTransferCount; // number of internalizations remaining
104
105 typedef set<Process *> ProcessSet;
106 ProcessSet mUsingProcesses; // set of process objects using this token
107
108 uid_t mCreatorUid; // Uid of process that created this authorization
109 gid_t mCreatorGid; // Gid of process that created this authorization
110 RefPointer<OSXCode> mCreatorCode; // code id of creator
111 pid_t mCreatorPid; // Pid of processs that created this authorization
112
113 AuditToken mCreatorAuditToken; // Audit token of the process that created this authorization
114
115 AuthItemSet mInfoSet; // Side band info gathered from evaluations in this session
116
117 private:
118 typedef map<AuthorizationBlob, RefPointer<AuthorizationToken> > AuthMap;
119 static AuthMap &authMap; // set of extant authorizations
120 static Mutex authMapLock; // lock for mAuthorizations (only)
121 };
122
123
124
125
126 #endif //_H_AUTHORITY