2 * Copyright (c) 2000-2004 Apple Computer, Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 // authority - authorization manager
31 #include <security_cdsa_utilities/AuthorizationData.h>
32 #include <security_utilities/osxcode.h>
33 #include <security_utilities/ccaudit.h>
36 using Authorization::Credential
;
37 using Authorization::CredentialSet
;
38 using Authorization::AuthItemSet
;
39 using Security::CommonCriteria::AuditToken
;
44 class AuthorizationToken
: public PerSession
{
46 AuthorizationToken(Session
&ssn
, const CredentialSet
&base
, const audit_token_t
&auditToken
);
47 ~AuthorizationToken();
49 Session
&session() const;
51 const AuthorizationBlob
&handle() const { return mHandle
; }
52 const CredentialSet
&baseCreds() const { return mBaseCreds
; }
53 CredentialSet
effectiveCreds() const;
55 typedef CredentialSet::iterator iterator
;
56 iterator
begin() { return mBaseCreds
.begin(); }
57 iterator
end() { return mBaseCreds
.end(); }
59 // add more credential dependencies
60 void mergeCredentials(const CredentialSet
&more
);
62 // maintain process-owning links
63 void addProcess(Process
&proc
);
64 bool endProcess(Process
&proc
);
66 // access control for external representations
67 bool mayExternalize(Process
&proc
) const;
68 bool mayInternalize(Process
&proc
, bool countIt
= true);
70 uid_t
creatorUid() const { return mCreatorUid
; }
71 gid_t
creatorGid() const { return mCreatorGid
; }
72 OSXCode
*creatorCode() const { return mCreatorCode
; }
73 pid_t
creatorPid() const { return mCreatorPid
; }
75 const AuditToken
&creatorAuditToken() const { return mCreatorAuditToken
; }
77 AuthItemSet
infoSet(AuthorizationString tag
= NULL
);
78 void setInfoSet(AuthItemSet
&newInfoSet
);
79 void setCredentialInfo(const Credential
&inCred
);
84 static AuthorizationToken
&find(const AuthorizationBlob
&blob
);
88 Deleter(const AuthorizationBlob
&blob
);
91 operator AuthorizationToken
&() const { return *mAuth
; }
94 AuthorizationToken
*mAuth
;
99 Mutex mLock
; // object lock
100 AuthorizationBlob mHandle
; // official randomized blob marker
101 CredentialSet mBaseCreds
; // credentials we're based on
103 unsigned int mTransferCount
; // number of internalizations remaining
105 typedef set
<Process
*> ProcessSet
;
106 ProcessSet mUsingProcesses
; // set of process objects using this token
108 uid_t mCreatorUid
; // Uid of process that created this authorization
109 gid_t mCreatorGid
; // Gid of process that created this authorization
110 RefPointer
<OSXCode
> mCreatorCode
; // code id of creator
111 pid_t mCreatorPid
; // Pid of processs that created this authorization
113 AuditToken mCreatorAuditToken
; // Audit token of the process that created this authorization
115 AuthItemSet mInfoSet
; // Side band info gathered from evaluations in this session
118 typedef map
<AuthorizationBlob
, RefPointer
<AuthorizationToken
> > AuthMap
;
119 static AuthMap
&authMap
; // set of extant authorizations
120 static Mutex authMapLock
; // lock for mAuthorizations (only)
126 #endif //_H_AUTHORITY
projects / apple / securityd.git / blob