src/acls.cpp

   1 /*
   2  * Copyright (c) 2000-2008 Apple Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24
  25 //
  26 // acls - securityd ACL implementation
  27 //
  28 #include "acls.h"
  29 #include "connection.h"
  30 #include "server.h"
  31 #include "agentquery.h"
  32 #include "tokendatabase.h"
  33 #include "acl_keychain.h"
  34
  35 // ACL subjects whose Environments we implement
  36 #include <security_cdsa_utilities/acl_any.h>
  37 #include <security_cdsa_utilities/acl_password.h>
  38 #include <security_cdsa_utilities/acl_threshold.h>
  39
  40
  41 //
  42 // SecurityServerAcl is virtual
  43 //
  44 SecurityServerAcl::~SecurityServerAcl()
  45 { }
  46
  47
  48 //
  49 // The default implementation of the ACL interface simply uses the local ObjectAcl
  50 // data. You can customize this by implementing instantiateAcl() [from ObjectAcl]
  51 // or by overriding these methods as desired.
  52 // Note: While you can completely ignore the ObjectAcl personality if you wish, it's
  53 // usually smarter to adapt it.
  54 //
  55 void SecurityServerAcl::getOwner(AclOwnerPrototype &owner)
  56 {
  57         StLock<Mutex> _(aclSequence);
  58         ObjectAcl::cssmGetOwner(owner);
  59 }
  60
  61 void SecurityServerAcl::getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
  62 {
  63         StLock<Mutex> _(aclSequence);
  64         ObjectAcl::cssmGetAcl(tag, count, acls);
  65 }
  66
  67 void SecurityServerAcl::changeAcl(const AclEdit &edit, const AccessCredentials *cred,
  68         Database *db)
  69 {
  70         StLock<Mutex> _(aclSequence);
  71         SecurityServerEnvironment env(*this, db);
  72         ObjectAcl::cssmChangeAcl(edit, cred, &env);
  73 }
  74
  75 void SecurityServerAcl::changeOwner(const AclOwnerPrototype &newOwner,
  76         const AccessCredentials *cred, Database *db)
  77 {
  78         StLock<Mutex> _(aclSequence);
  79         SecurityServerEnvironment env(*this, db);
  80         ObjectAcl::cssmChangeOwner(newOwner, cred, &env);
  81 }
  82
  83
  84 //
  85 // Modified validate() methods to connect all the conduits...
  86 //
  87 void SecurityServerAcl::validate(AclAuthorization auth, const AccessCredentials *cred, Database *db)
  88 {
  89     SecurityServerEnvironment env(*this, db);
  90         StLock<Mutex> objectSequence(aclSequence);
  91         StLock<Mutex> processSequence(Server::process().aclSequence);
  92     ObjectAcl::validate(auth, cred, &env);
  93 }
  94
  95 void SecurityServerAcl::validate(AclAuthorization auth, const Context &context, Database *db)
  96 {
  97         validate(auth,
  98                 context.get<AccessCredentials>(CSSM_ATTRIBUTE_ACCESS_CREDENTIALS), db);
  99 }
 100
 101
 102 //
 103 // This helper tries to add the (new) subject given to the ACL
 104 // whose validation is currently proceeding through context.
 105 // This will succeed if the ACL is in standard form, which means
 106 // a ThresholdAclSubject.
 107 // The new subject will be added at the front (so it is checked first
 108 // from now on), and as a side effect we'll notify the client side to
 109 // re-encode the object.
 110 // Returns true if the edit could be done, or false if the ACL wasn't
 111 // standard enough. May throw if the ACL is malformed or otherwise messed up.
 112 //
 113 // This is a self-contained helper that is here merely because it's "about"
 114 // ACLs and has no better home.
 115 //
 116 bool SecurityServerAcl::addToStandardACL(const AclValidationContext &context, AclSubject *subject)
 117 {
 118         if (SecurityServerEnvironment *env = context.environment<SecurityServerEnvironment>())
 119                 if (ThresholdAclSubject *threshold = env->standardSubject(context)) {
 120                         unsigned size = threshold->count();
 121                         if (dynamic_cast<KeychainPromptAclSubject *>(threshold->subject(size-1))) {
 122                                 // looks standard enough
 123                                 secdebug("acl", "adding new subject %p to from of threshold ACL", subject);
 124                                 threshold->add(subject, 0);
 125
 126                                 // tell the ACL it's been modified
 127                                 context.acl()->changedAcl();
 128
 129                                 // trigger a special notification code on (otherwise successful) return
 130                                 Server::connection().overrideReturn(CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT);
 131                                 return true;
 132                         }
 133                 }
 134         secdebug("acl", "ACL is not standard form; cannot edit");
 135         return false;
 136 }
 137
 138
 139 //
 140 // Look at the ACL whose validation is currently proceeding through context.
 141 // If it LOOKS like a plausible version of a legacy "dot mac item" ACL.
 142 // We don't have access to the database attributes of the item up here in the
 143 // securityd sky, so we have to apply a heuristic based on which applications (by path)
 144 // are given access to the item.
 145 // So this is strictly a heuristic. The potential downside is that we may inadvertently
 146 // give access to new .Mac authorized Apple (only) applications when the user only intended
 147 // a limited set of extremely popular Apple (only) applications that just happen to all be
 148 // .Mac authorized today. We can live with that.
 149 //
 150 bool SecurityServerAcl::looksLikeLegacyDotMac(const AclValidationContext &context)
 151 {
 152         static const char * const prototypicalDotMacPath[] = {
 153                 "/Applications/Mail.app",
 154                 "/Applications/Safari.app",
 155                 "/Applications/iSync.app",
 156                 "/Applications/System Preferences.app",
 157                 "/Applications/iCal.app",
 158                 "/Applications/iChat.app",
 159                 "/Applications/iTunes.app",
 160                 "/Applications/Address Book.app",
 161                 "/Applications/iSync.app",
 162                 NULL    // sentinel
 163         };
 164
 165         static const unsigned threshold = 6;
 166
 167         if (SecurityServerEnvironment *env = context.environment<SecurityServerEnvironment>()) {
 168                 if (ThresholdAclSubject *list = env->standardSubject(context)) {
 169                         unsigned count = list->count();
 170                         unsigned matches = 0;
 171                         for (unsigned n = 0; n < count; ++n) {
 172                                 if (CodeSignatureAclSubject *app = dynamic_cast<CodeSignatureAclSubject *>(list->subject(n))) {
 173                                         for (const char * const *p = prototypicalDotMacPath; *p; p++)
 174                                                 if (app->path() == *p)
 175                                                         matches++;
 176                                 }
 177                         }
 178                         secdebug("codesign", "matched %d of %zd candididates (threshold=%d)",
 179                                 matches, sizeof(prototypicalDotMacPath) / sizeof(char *) - 1, threshold);
 180                         return matches >= threshold;
 181                 }
 182         }
 183         return false;
 184 }
 185
 186
 187 //
 188 // External storage interface
 189 //
 190 Adornable &SecurityServerEnvironment::store(const AclSubject *subject)
 191 {
 192         switch (subject->type()) {
 193         case CSSM_ACL_SUBJECT_TYPE_PREAUTH:
 194                 {
 195                         if (TokenDatabase *tokenDb = dynamic_cast<TokenDatabase *>(database))
 196                                 return tokenDb->common().store();
 197                 }
 198                 break;
 199         default:
 200                 break;
 201         }
 202         CssmError::throwMe(CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED);
 203 }
 204
 205
 206 //
 207 // ProcessAclSubject personality: uid/gid/pid come from the active Process object
 208 //
 209 uid_t SecurityServerEnvironment::getuid() const
 210 {
 211     return Server::process().uid();
 212 }
 213
 214 gid_t SecurityServerEnvironment::getgid() const
 215 {
 216     return Server::process().gid();
 217 }
 218
 219 pid_t SecurityServerEnvironment::getpid() const
 220 {
 221     return Server::process().pid();
 222 }
 223
 224
 225 //
 226 // CodeSignatureAclSubject personality: take code signature from active Process object
 227 //
 228 bool SecurityServerEnvironment::verifyCodeSignature(const OSXVerifier &verifier,
 229         const AclValidationContext &context)
 230 {
 231         return Server::codeSignatures().verify(Server::process(), verifier, context);
 232 }
 233
 234
 235 //
 236 // PromptedAclSubject personality: Get a secret by prompting through SecurityAgent
 237 //
 238 bool SecurityServerEnvironment::getSecret(CssmOwnedData &secret, const CssmData &prompt) const
 239 {
 240         //@@@ ignoring prompt - not used right now
 241         if (database) {
 242                 QueryPIN query(*database);
 243                 query.inferHints(Server::process());
 244                 if (!query()) { // success
 245                         secret = query.pin();
 246                         return true;
 247                 }
 248         }
 249         return false;
 250 }
 251
 252
 253 //
 254 // SecretAclSubject personality: externally validate a secret (passphrase etc.)
 255 // Right now, this always goes to the (Token)Database object, because that's where
 256 // the PIN ACL entries are. We could direct this at the ObjectAcl (database or key)
 257 // instead and rely on tokend to perform the PIN mapping, but the generic tokend
 258 // wrappers do not (currently) perform any ACL validation, so every tokend would have
 259 // to re-implement that. Perhaps in the next ACL revamp cycle...
 260 //
 261 bool SecurityServerEnvironment::validateSecret(const SecretAclSubject *me,
 262         const AccessCredentials *cred)
 263 {
 264         return database && database->validateSecret(me, cred);
 265 }
 266
 267
 268 //
 269 // PreAuthenticationAclSubject personality - refer to database (ObjectAcl)
 270 //
 271 ObjectAcl *SecurityServerEnvironment::preAuthSource()
 272 {
 273         return database ? &database->acl() : NULL;
 274 }
 275
 276
 277 //
 278 // Autonomous ACL editing support
 279 //
 280 ThresholdAclSubject *SecurityServerEnvironment::standardSubject(const AclValidationContext &context)
 281 {
 282         return dynamic_cast<ThresholdAclSubject *>(context.subject());
 283 }
 284
 285
 286 //
 287 // The default AclSource denies having an ACL at all
 288 //
 289 AclSource::~AclSource()
 290 { /* virtual */ }
 291
 292 SecurityServerAcl &AclSource::acl()
 293 {
 294         CssmError::throwMe(CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED);
 295 }
 296
 297 Database *AclSource::relatedDatabase()
 298 {
 299         return NULL;
 300 }