securityd-32661.tar.gz

[apple/securityd.git] / src / AuthorizationEngine.cpp
diff --git a/src/AuthorizationEngine.cpp b/src/AuthorizationEngine.cpp

index a2d0f6e70709ccbaaa2843361174428770764c9c..cd057645dd25cc9a48e43b2a09e57a08bc84be2b 100644 (file)
--- a/src/AuthorizationEngine.cpp
+++ b/src/AuthorizationEngine.cpp
@@ -3,8 +3,6 @@
   * 
   * @APPLE_LICENSE_HEADER_START@
   * 
   * 
   * @APPLE_LICENSE_HEADER_START@
   * 
- * Copyright (c) 1999-2003 Apple Computer, Inc.  All Rights Reserved.
- * 
   * This file contains Original Code and/or Modifications of Original Code
   * as defined in and that are subject to the Apple Public Source License
   * Version 2.0 (the 'License'). You may not use this file except in
   * This file contains Original Code and/or Modifications of Original Code
   * as defined in and that are subject to the Apple Public Source License
   * Version 2.0 (the 'License'). You may not use this file except in
@@ -23,14 +21,6 @@
   * @APPLE_LICENSE_HEADER_END@
   */
  
   * @APPLE_LICENSE_HEADER_END@
   */
  
-
-/*
- *  AuthorizationEngine.cpp
- *  Authorization
- *
- *  Created by Michael Brouwer on Thu Oct 12 2000.
- *
- */
  #include "AuthorizationEngine.h"
  #include <security_cdsa_utilities/AuthorizationWalkers.h>
  #include <Security/AuthorizationPriv.h>
  #include "AuthorizationEngine.h"
  #include <security_cdsa_utilities/AuthorizationWalkers.h>
  #include <Security/AuthorizationPriv.h>
@@ -55,6 +45,8 @@
  #include <fcntl.h>
  #include <float.h>
  
  #include <fcntl.h>
  #include <float.h>
  
+#include <bsm/audit_uevents.h>
+
  namespace Authorization {
  
  
  namespace Authorization {
  
  
@@ -155,15 +147,26 @@ Engine::authorize(const AuthItemSet &inRights, const AuthItemSet &environment,
                 secdebug("autheval", "evaluate rule %s for right %s returned %ld.", toplevelRule->name().c_str(), (*it)->name(), result);
  
                 {
                 secdebug("autheval", "evaluate rule %s for right %s returned %ld.", toplevelRule->name().c_str(), (*it)->name(), result);
  
                 {
-                       CodeSigning::OSXCode *processCode = Server::process().clientCode();
-                       string processName = processCode ? processCode->canonicalPath() : "unknown";
-                       CodeSigning::OSXCode *authCreatorCode = auth.creatorCode();
-                       string authCreatorName = authCreatorCode ? authCreatorCode->canonicalPath() : "unknown";
-                       
-                       if (result == errAuthorizationSuccess)
-                               Syslog::info("Succeeded authorizing right %s by process %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str());
-                       else if (result == errAuthorizationDenied)
-                               Syslog::notice("Failed to authorize right %s by process %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str());
+                       string processName = "unknown";
+                       if (SecCodeRef code = Server::process().currentGuest()) {
+                               CFRef<CFURLRef> path;
+                               if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
+                                       processName = cfString(path);
+                       }
+                       string authCreatorName = "unknown";
+                       if (SecStaticCodeRef code = auth.creatorCode()) {
+                               CFRef<CFURLRef> path;
+                               if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref()))
+                                       authCreatorName = cfString(path);
+                       }
+
+                       if (result == errAuthorizationSuccess) {
+                               Syslog::info("Succeeded authorizing right %s by client %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str());
+                               CommonCriteria::AuditRecord auditrec(auth.creatorAuditToken());
+                               auditrec.submit(AUE_ssauthorize, CommonCriteria::errNone, (*it)->name());
+                       } else if (result == errAuthorizationDenied) {
+                               Syslog::notice("Failed to authorize right %s by client %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str());
+                       }
                 }
                 
                 if (result == errAuthorizationSuccess)
                 }
                 
                 if (result == errAuthorizationSuccess)
@@ -287,12 +290,6 @@ Engine::getRule(string &inRightName, CFDictionaryRef *outRuleDefinition)
  OSStatus 
  Engine::setRule(const char *inRightName, CFDictionaryRef inRuleDefinition, const CredentialSet *inCredentials, CredentialSet *outCredentials, AuthorizationToken &auth)
  {
  OSStatus 
  Engine::setRule(const char *inRightName, CFDictionaryRef inRuleDefinition, const CredentialSet *inCredentials, CredentialSet *outCredentials, AuthorizationToken &auth)
  {
-       // Get current time of day.
-       CFAbsoluteTime now = CFAbsoluteTimeGetCurrent();
-
-       // Update rules from database if needed
-       mAuthdb.sync(now);
-
         // Validate rule by constructing it from the passed dictionary
         if (!mAuthdb.validateRule(inRightName, inRuleDefinition))
                 return errAuthorizationDenied; // @@@ separate error for this?
         // Validate rule by constructing it from the passed dictionary
         if (!mAuthdb.validateRule(inRightName, inRuleDefinition))
                 return errAuthorizationDenied; // @@@ separate error for this?