/*
 * Copyright (c) 2000-2007,2010-2012 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */


//
// authority - authorization manager
//
// AuthorizationToken is one live authorization: it is created by a process
// within a Session, rests on a set of Credentials, and is identified to
// clients by an AuthorizationBlob (its "handle"), which is also the key
// under which find() locates it in the global registry.  The token records
// who created it (uid/gid/pid, code reference, audit token, sandbox state),
// which processes currently use it, and the side-band information gathered
// while it was evaluated.  Everything not defined inline here lives in the
// corresponding implementation file.
//
#ifndef _H_AUTHORITY
#define _H_AUTHORITY

#include <security_utilities/osxcode.h>
#include <security_utilities/ccaudit.h>
#include "database.h"
#include "credential.h"
#include <security_cdsa_utilities/AuthorizationData.h>

using Authorization::AuthItemSet;
using Authorization::Credential;
using Authorization::CredentialSet;
using Security::CommonCriteria::AuditToken;

class Process;
class Session;

class AuthorizationToken : public PerSession {
public:
    // ssn: the session this token belongs to.
    // base: the credentials the token starts out with (see baseCreds()).
    // auditToken: audit token of the creating process (see creatorAuditToken()).
    // operateAsLeastPrivileged: presumably recorded in mOperatesAsLeastPrivileged
    //   and reported by operatesAsLeastPrivileged() - confirm in the implementation.
    AuthorizationToken(Session &ssn, const CredentialSet &base, const audit_token_t &auditToken, bool operateAsLeastPrivileged = false);
    ~AuthorizationToken();

    // The session this token was created in.
    Session &session() const;

    // The blob handed to clients as this token's handle.  The author's note on
    // mHandle says it is randomized, i.e. not derivable from other token state.
    const AuthorizationBlob &handle() const { return mHandle; }
    // The credentials this token was built on (mBaseCreds, also exposed by
    // begin()/end()).
    const CredentialSet &baseCreds() const { return mBaseCreds; }
    // The credentials currently in force; computed out of line - how it
    // differs from baseCreds() is not visible here.
    CredentialSet effectiveCreds() const;

    // Iteration over the base credential set (not over effectiveCreds()).
    typedef CredentialSet::iterator iterator;
    iterator begin() { return mBaseCreds.begin(); }
    iterator end() { return mBaseCreds.end(); }

    // add more credential dependencies
    void mergeCredentials(const CredentialSet &more);

    // maintain process-owning links (mUsingProcesses); endProcess returns a
    // bool whose meaning is defined in the implementation
    void addProcess(Process &proc);
    bool endProcess(Process &proc);

    // access control for external representations: whether 'proc' may export
    // this token (mayExternalize) or import one (mayInternalize).  countIt
    // presumably charges the internalization against mTransferCount, the
    // "number of internalizations remaining" - confirm in the implementation.
    bool mayExternalize(Process &proc) const;
    bool mayInternalize(Process &proc, bool countIt = true);

    // Identity of the creating process, captured at construction.
    uid_t creatorUid() const { return mCreatorUid; }
    gid_t creatorGid() const { return mCreatorGid; }
    // Converts the CFCopyRef member to the bare ref; presumably no ownership
    // is transferred to the caller - verify against CFCopyRef before releasing.
    SecStaticCodeRef creatorCode() const { return mCreatorCode; }
    std::string creatorPath() const;
    pid_t creatorPid() const { return mCreatorPid; }
    bool creatorSandboxed() const { return mCreatorSandboxed; }

    const AuditToken &creatorAuditToken() const { return mCreatorAuditToken; }

    // Side-band information gathered during evaluation (mInfoSet).  The role of
    // 'tag' and of the savePassword flags (presumably tied to mSavedPassword)
    // is defined in the implementation.
    AuthItemSet infoSet(AuthorizationString tag = NULL);
    void setInfoSet(AuthItemSet &newInfoSet, bool savePassword);
    void setCredentialInfo(const Credential &inCred, bool savePassword);
    void clearInfoSet();
    void scrubInfoSet(bool savePassword);
    bool operatesAsLeastPrivileged() const { return mOperatesAsLeastPrivileged; }

public:
    // Look up an extant token by its handle blob (the AuthMap key).
    static AuthorizationToken &find(const AuthorizationBlob &blob);

    // Scoped helper for removing a token from the registry: it keeps the
    // token alive through mAuth and holds 'lock' (an StLock<Mutex>, presumably
    // a scoped lock released when the Deleter is destroyed; which mutex it
    // takes is decided by the out-of-line constructor).  remove() performs the
    // deletion; the conversion operator gives access to the token while the
    // Deleter lives.
    class Deleter {
    public:
        Deleter(const AuthorizationBlob &blob);

        void remove();
        operator AuthorizationToken &() const { return *mAuth; }

    private:
        RefPointer<AuthorizationToken> mAuth;
        StLock<Mutex> lock;
    };

private:
    mutable Mutex mLock;                // object lock (mutable: takeable from const members)
    AuthorizationBlob mHandle;          // official randomized blob marker
    CredentialSet mBaseCreds;           // credentials we're based on

    unsigned int mTransferCount;        // number of internalizations remaining

    typedef set<Process *> ProcessSet;
    ProcessSet mUsingProcesses;         // set of process objects using this token

    uid_t mCreatorUid;                  // Uid of process that created this authorization
    gid_t mCreatorGid;                  // Gid of process that created this authorization
    CFCopyRef<SecStaticCodeRef> mCreatorCode; // code reference to creator
    pid_t mCreatorPid;                  // Pid of process that created this authorization
    bool mCreatorSandboxed;             // A record of whether or not the creator was Sandboxed

    AuditToken mCreatorAuditToken;      // Audit token of the process that created this authorization

    AuthItemSet mInfoSet;               // Side-band info gathered from evaluations in this session

    bool mOperatesAsLeastPrivileged;    // reported by operatesAsLeastPrivileged()

    AuthItemSet mSavedPassword;         // presumably populated when savePassword is set - see implementation

private:
    typedef map<AuthorizationBlob, RefPointer<AuthorizationToken> > AuthMap;
    static AuthMap &authMap;            // set of extant authorizations, keyed by handle blob
    static Mutex authMapLock;           // lock for authMap (only); per-token state is under mLock
};

#endif //_H_AUTHORITY