2  * Copyright (c) 2000-2008 Apple Inc. All Rights Reserved. 
   4  * @APPLE_LICENSE_HEADER_START@ 
   6  * This file contains Original Code and/or Modifications of Original Code 
   7  * as defined in and that are subject to the Apple Public Source License 
   8  * Version 2.0 (the 'License'). You may not use this file except in 
   9  * compliance with the License. Please obtain a copy of the License at 
  10  * http://www.opensource.apple.com/apsl/ and read it before using this 
  13  * The Original Code and all software distributed under the License are 
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 
  18  * Please see the License for the specific language governing rights and 
  19  * limitations under the License. 
  21  * @APPLE_LICENSE_HEADER_END@ 
  26 // acls - securityd ACL implementation 
  29 #include "connection.h" 
  31 #include "agentquery.h" 
  32 #include "tokendatabase.h" 
  33 #include "acl_keychain.h" 
  35 // ACL subjects whose Environments we implement 
  36 #include <security_cdsa_utilities/acl_any.h> 
  37 #include <security_cdsa_utilities/acl_password.h> 
  38 #include <security_cdsa_utilities/acl_threshold.h> 
  42 // SecurityServerAcl is virtual 
  44 SecurityServerAcl::~SecurityServerAcl() 
  49 // The default implementation of the ACL interface simply uses the local ObjectAcl 
  50 // data. You can customize this by implementing instantiateAcl() [from ObjectAcl] 
  51 // or by overriding these methods as desired. 
  52 // Note: While you can completely ignore the ObjectAcl personality if you wish, it's 
  53 // usually smarter to adapt it. 
  55 void SecurityServerAcl::getOwner(AclOwnerPrototype 
&owner
) 
  57         StLock
<Mutex
> _(aclSequence
); 
  58         ObjectAcl::cssmGetOwner(owner
); 
  61 void SecurityServerAcl::getAcl(const char *tag
, uint32 
&count
, AclEntryInfo 
*&acls
) 
  63         StLock
<Mutex
> _(aclSequence
); 
  64         ObjectAcl::cssmGetAcl(tag
, count
, acls
); 
  67 void SecurityServerAcl::changeAcl(const AclEdit 
&edit
, const AccessCredentials 
*cred
, 
  70         StLock
<Mutex
> _(aclSequence
); 
  71         SecurityServerEnvironment 
env(*this, db
); 
  72         ObjectAcl::cssmChangeAcl(edit
, cred
, &env
); 
  75 void SecurityServerAcl::changeOwner(const AclOwnerPrototype 
&newOwner
, 
  76         const AccessCredentials 
*cred
, Database 
*db
) 
  78         StLock
<Mutex
> _(aclSequence
); 
  79         SecurityServerEnvironment 
env(*this, db
); 
  80         ObjectAcl::cssmChangeOwner(newOwner
, cred
, &env
); 
  85 // Modified validate() methods to connect all the conduits... 
  87 void SecurityServerAcl::validate(AclAuthorization auth
, const AccessCredentials 
*cred
, Database 
*db
) 
  89     SecurityServerEnvironment 
env(*this, db
); 
  90         StLock
<Mutex
> objectSequence(aclSequence
); 
  91         StLock
<Mutex
> processSequence(Server::process().aclSequence
); 
  92     ObjectAcl::validate(auth
, cred
, &env
); 
  95 void SecurityServerAcl::validate(AclAuthorization auth
, const Context 
&context
, Database 
*db
) 
  98                 context
.get
<AccessCredentials
>(CSSM_ATTRIBUTE_ACCESS_CREDENTIALS
), db
); 
 103 // This helper tries to add the (new) subject given to the ACL 
 104 // whose validation is currently proceeding through context. 
 105 // This will succeed if the ACL is in standard form, which means 
 106 // a ThresholdAclSubject. 
 107 // The new subject will be added at the front (so it is checked first 
 108 // from now on), and as a side effect we'll notify the client side to 
 109 // re-encode the object. 
 110 // Returns true if the edit could be done, or false if the ACL wasn't 
 111 // standard enough. May throw if the ACL is malformed or otherwise messed up. 
 113 // This is a self-contained helper that is here merely because it's "about" 
 114 // ACLs and has no better home. 
 116 bool SecurityServerAcl::addToStandardACL(const AclValidationContext 
&context
, AclSubject 
*subject
) 
 118         if (SecurityServerEnvironment 
*env 
= context
.environment
<SecurityServerEnvironment
>()) 
 119                 if (ThresholdAclSubject 
*threshold 
= env
->standardSubject(context
)) { 
 120                         unsigned size 
= threshold
->count(); 
 121                         if (dynamic_cast<KeychainPromptAclSubject 
*>(threshold
->subject(size
-1))) { 
 122                                 // looks standard enough 
 123                                 secdebug("acl", "adding new subject %p to from of threshold ACL", subject
); 
 124                                 threshold
->add(subject
, 0); 
 126                                 // tell the ACL it's been modified 
 127                                 context
.acl()->changedAcl(); 
 129                                 // trigger a special notification code on (otherwise successful) return 
 130                                 Server::connection().overrideReturn(CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT
); 
 134         secdebug("acl", "ACL is not standard form; cannot edit"); 
 140 // Look at the ACL whose validation is currently proceeding through context. 
 141 // If it LOOKS like a plausible version of a legacy "dot mac item" ACL. 
 142 // We don't have access to the database attributes of the item up here in the 
 143 // securityd sky, so we have to apply a heuristic based on which applications (by path) 
 144 // are given access to the item. 
 145 // So this is strictly a heuristic. The potential downside is that we may inadvertently 
 146 // give access to new .Mac authorized Apple (only) applications when the user only intended 
 147 // a limited set of extremely popular Apple (only) applications that just happen to all be 
 148 // .Mac authorized today. We can live with that. 
 150 bool SecurityServerAcl::looksLikeLegacyDotMac(const AclValidationContext 
&context
) 
 152         static const char * const prototypicalDotMacPath
[] = { 
 153                 "/Applications/Mail.app", 
 154                 "/Applications/Safari.app", 
 155                 "/Applications/iSync.app", 
 156                 "/Applications/System Preferences.app", 
 157                 "/Applications/iCal.app", 
 158                 "/Applications/iChat.app", 
 159                 "/Applications/iTunes.app", 
 160                 "/Applications/Address Book.app", 
 161                 "/Applications/iSync.app", 
 165         static const unsigned threshold 
= 6; 
 167         if (SecurityServerEnvironment 
*env 
= context
.environment
<SecurityServerEnvironment
>()) { 
 168                 if (ThresholdAclSubject 
*list 
= env
->standardSubject(context
)) { 
 169                         unsigned count 
= list
->count(); 
 170                         unsigned matches 
= 0; 
 171                         for (unsigned n 
= 0; n 
< count
; ++n
) { 
 172                                 if (CodeSignatureAclSubject 
*app 
= dynamic_cast<CodeSignatureAclSubject 
*>(list
->subject(n
))) { 
 173                                         for (const char * const *p 
= prototypicalDotMacPath
; *p
; p
++) 
 174                                                 if (app
->path() == *p
) 
 178                         secdebug("codesign", "matched %d of %zd candididates (threshold=%d)", 
 179                                 matches
, sizeof(prototypicalDotMacPath
) / sizeof(char *) - 1, threshold
); 
 180                         return matches 
>= threshold
; 
 188 // External storage interface 
 190 Adornable 
&SecurityServerEnvironment::store(const AclSubject 
*subject
) 
 192         switch (subject
->type()) { 
 193         case CSSM_ACL_SUBJECT_TYPE_PREAUTH
: 
 195                         if (TokenDatabase 
*tokenDb 
= dynamic_cast<TokenDatabase 
*>(database
)) 
 196                                 return tokenDb
->common().store(); 
 202         CssmError::throwMe(CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED
); 
 207 // ProcessAclSubject personality: uid/gid/pid come from the active Process object 
 209 uid_t 
SecurityServerEnvironment::getuid() const 
 211     return Server::process().uid(); 
 214 gid_t 
SecurityServerEnvironment::getgid() const 
 216     return Server::process().gid(); 
 219 pid_t 
SecurityServerEnvironment::getpid() const 
 221     return Server::process().pid(); 
 226 // CodeSignatureAclSubject personality: take code signature from active Process object 
 228 bool SecurityServerEnvironment::verifyCodeSignature(const OSXVerifier 
&verifier
, 
 229         const AclValidationContext 
&context
) 
 231         return Server::codeSignatures().verify(Server::process(), verifier
, context
); 
 236 // PromptedAclSubject personality: Get a secret by prompting through SecurityAgent 
 238 bool SecurityServerEnvironment::getSecret(CssmOwnedData 
&secret
, const CssmData 
&prompt
) const 
 240         //@@@ ignoring prompt - not used right now 
 242                 QueryPIN 
query(*database
); 
 243                 query
.inferHints(Server::process()); 
 244                 if (!query()) { // success 
 245                         secret 
= query
.pin(); 
 254 // SecretAclSubject personality: externally validate a secret (passphrase etc.) 
 255 // Right now, this always goes to the (Token)Database object, because that's where 
 256 // the PIN ACL entries are. We could direct this at the ObjectAcl (database or key) 
 257 // instead and rely on tokend to perform the PIN mapping, but the generic tokend 
 258 // wrappers do not (currently) perform any ACL validation, so every tokend would have 
 259 // to re-implement that. Perhaps in the next ACL revamp cycle... 
 261 bool SecurityServerEnvironment::validateSecret(const SecretAclSubject 
*me
, 
 262         const AccessCredentials 
*cred
) 
 264         return database 
&& database
->validateSecret(me
, cred
); 
 269 // PreAuthenticationAclSubject personality - refer to database (ObjectAcl) 
 271 ObjectAcl 
*SecurityServerEnvironment::preAuthSource() 
 273         return database 
? &database
->acl() : NULL
; 
 278 // Autonomous ACL editing support 
 280 ThresholdAclSubject 
*SecurityServerEnvironment::standardSubject(const AclValidationContext 
&context
) 
 282         return dynamic_cast<ThresholdAclSubject 
*>(context
.subject()); 
 287 // The default AclSource denies having an ACL at all 
 289 AclSource::~AclSource() 
 292 SecurityServerAcl 
&AclSource::acl() 
 294         CssmError::throwMe(CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED
); 
 297 Database 
*AclSource::relatedDatabase()