* @APPLE_LICENSE_HEADER_END@
*/
-
-/*
- * AuthorizationEngine.cpp
- * Authorization
- *
- * Created by Michael Brouwer on Thu Oct 12 2000.
- *
- */
#include "AuthorizationEngine.h"
#include <security_cdsa_utilities/AuthorizationWalkers.h>
#include <Security/AuthorizationPriv.h>
#include <fcntl.h>
#include <float.h>
+#include <bsm/audit_uevents.h>
+
namespace Authorization {
secdebug("autheval", "evaluate rule %s for right %s returned %ld.", toplevelRule->name().c_str(), (*it)->name(), result);
{
- RefPointer<OSXCode> processCode = Server::process().clientCode();
- string processName = processCode ? processCode->canonicalPath() : "unknown";
- RefPointer<OSXCode> authCreatorCode = auth.creatorCode();
- string authCreatorName = authCreatorCode ? authCreatorCode->canonicalPath() : "unknown";
-
- if (result == errAuthorizationSuccess)
- Syslog::info("Succeeded authorizing right %s by process %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str());
- else if (result == errAuthorizationDenied)
- Syslog::notice("Failed to authorize right %s by process %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str());
+ string processName = "unknown";
+ if (SecCodeRef code = Server::process().currentGuest()) {
+ CFRef<CFURLRef> path;
+ if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
+ processName = cfString(path);
+ }
+ string authCreatorName = "unknown";
+ if (SecStaticCodeRef code = auth.creatorCode()) {
+ CFRef<CFURLRef> path;
+ if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
+ authCreatorName = cfString(path);
+ }
+
+ if (result == errAuthorizationSuccess) {
+ Syslog::info("Succeeded authorizing right %s by client %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str());
+ CommonCriteria::AuditRecord auditrec(auth.creatorAuditToken());
+ auditrec.submit(AUE_ssauthorize, CommonCriteria::errNone, (*it)->name());
+ } else if (result == errAuthorizationDenied) {
+ Syslog::notice("Failed to authorize right %s by client %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str());
+ }
}
if (result == errAuthorizationSuccess)
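Review bot: Only the success branch submits a Common Criteria audit record; the denied branch (the `else if (result == errAuthorizationDenied)` block) now logs a syslog notice but no audit event, so a failed authorization attempt leaves no entry in the audit trail even though `AUE_ssauthorize` was introduced for exactly this path. The denied branch should mirror the success branch, `CommonCriteria::AuditRecord auditrec(auth.creatorAuditToken()); auditrec.submit(AUE_ssauthorize, <denial status>, (*it)->name());`, using whatever non-`errNone` status the `CommonCriteria` enum provides for a refused right (I can't see its definition here). Note also that the record is attributed to `auth.creatorAuditToken()`, i.e. the authorization's creator, not the client process that is logged in the same message; if that is intentional a one-line comment saying so would keep the two from being confused. The enclosing function starts before and ends after this hunk.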
OSStatus
Engine::setRule(const char *inRightName, CFDictionaryRef inRuleDefinition, const CredentialSet *inCredentials, CredentialSet *outCredentials, AuthorizationToken &auth)
{
- // Get current time of day.
- CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
-
- // Update rules from database if needed
- mAuthdb.sync(now);
-
// Validate rule by constructing it from the passed dictionary
if (!mAuthdb.validateRule(inRightName, inRuleDefinition))
return errAuthorizationDenied; // @@@ separate error for this?
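Review bot: The `mAuthdb.sync(now)` call that preceded `mAuthdb.validateRule(...)` is removed, so the rule definition is now validated against whatever rule set was last loaded rather than the current on-disk database; if `validateRule` resolves references to other rule names, a stale view could accept or reject a definition incorrectly. Presumably the sync now happens inside `validateRule` or later in `setRule`, but nothing in this hunk shows that, so either confirm it or keep a `mAuthdb.sync(CFAbsoluteTimeGetCurrent());` ahead of the validation. The body of `setRule` continues past the end of this hunk.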