X-Git-Url: https://git.saurik.com/apple/securityd.git/blobdiff_plain/eeadf2e6470f45ea0275a6019635573f2a7b5a2c..f7aa9f666a1c7ab343b4ce8f1677ea253c4e126e:/src/AuthorizationEngine.cpp diff --git a/src/AuthorizationEngine.cpp b/src/AuthorizationEngine.cpp index a2d0f6e..cd05764 100644 --- a/src/AuthorizationEngine.cpp +++ b/src/AuthorizationEngine.cpp @@ -3,8 +3,6 @@ * * @APPLE_LICENSE_HEADER_START@ * - * Copyright (c) 1999-2003 Apple Computer, Inc. All Rights Reserved. - * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in @@ -23,14 +21,6 @@ * @APPLE_LICENSE_HEADER_END@ */ - -/* - * AuthorizationEngine.cpp - * Authorization - * - * Created by Michael Brouwer on Thu Oct 12 2000. - * - */ #include "AuthorizationEngine.h" #include #include @@ -55,6 +45,8 @@ #include #include +#include + namespace Authorization { @@ -155,15 +147,26 @@ Engine::authorize(const AuthItemSet &inRights, const AuthItemSet &environment, secdebug("autheval", "evaluate rule %s for right %s returned %ld.", toplevelRule->name().c_str(), (*it)->name(), result); { - CodeSigning::OSXCode *processCode = Server::process().clientCode(); - string processName = processCode ? processCode->canonicalPath() : "unknown"; - CodeSigning::OSXCode *authCreatorCode = auth.creatorCode(); - string authCreatorName = authCreatorCode ? authCreatorCode->canonicalPath() : "unknown"; - - if (result == errAuthorizationSuccess) - Syslog::info("Succeeded authorizing right %s by process %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str()); - else if (result == errAuthorizationDenied) - Syslog::notice("Failed to authorize right %s by process %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str()); + string processName = "unknown"; + if (SecCodeRef code = Server::process().currentGuest()) { + CFRef path; + if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref())) + processName = cfString(path); + } + string authCreatorName = "unknown"; + if (SecStaticCodeRef code = auth.creatorCode()) { + CFRef path; + if (!SecCodeCopyPath(code, kSecCSDefaultFlags, &path.aref())) + authCreatorName = cfString(path); + } + + if (result == errAuthorizationSuccess) { + Syslog::info("Succeeded authorizing right %s by client %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str()); + CommonCriteria::AuditRecord auditrec(auth.creatorAuditToken()); + auditrec.submit(AUE_ssauthorize, CommonCriteria::errNone, (*it)->name()); + } else if (result == errAuthorizationDenied) { + Syslog::notice("Failed to authorize right %s by client %s for authorization created by %s.", (*it)->name(), processName.c_str(), authCreatorName.c_str()); + } } if (result == errAuthorizationSuccess) @@ -287,12 +290,6 @@ Engine::getRule(string &inRightName, CFDictionaryRef *outRuleDefinition) OSStatus Engine::setRule(const char *inRightName, CFDictionaryRef inRuleDefinition, const CredentialSet *inCredentials, CredentialSet *outCredentials, AuthorizationToken &auth) { - // Get current time of day. - CFAbsoluteTime now = CFAbsoluteTimeGetCurrent(); - - // Update rules from database if needed - mAuthdb.sync(now); - // Validate rule by constructing it from the passed dictionary if (!mAuthdb.validateRule(inRightName, inRuleDefinition)) return errAuthorizationDenied; // @@@ separate error for this?