-- -- Copyright (c) 2011-2012 Apple Inc. All Rights Reserved. -- -- @APPLE_LICENSE_HEADER_START@ -- -- This file contains Original Code and/or Modifications of Original Code -- as defined in and that are subject to the Apple Public Source License -- Version 2.0 (the 'License'). You may not use this file except in -- compliance with the License. Please obtain a copy of the License at -- http://www.opensource.apple.com/apsl/ and read it before using this -- file. -- -- The Original Code and all software distributed under the License are -- distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER -- EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, -- INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, -- FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. -- Please see the License for the specific language governing rights and -- limitations under the License. -- -- @APPLE_LICENSE_HEADER_END@ -- -- -- System Policy master database - file format and initial contents -- -- This is currently for sqlite3 -- -- NOTES: -- Dates are uniformly in julian form. We use 5000000 as the canonical "never" expiration -- value; that's a day in the year 8977. -- PRAGMA user_version = 1; PRAGMA foreign_keys = true; PRAGMA legacy_file_format = false; PRAGMA recursive_triggers = true; -- -- The feature table hold configuration features and options -- CREATE TABLE feature ( id INTEGER PRIMARY KEY, -- canononical name TEXT NOT NULL UNIQUE, -- name of option value TEXT NULL, -- value of option, if any remarks TEXT NULL -- optional remarks string ); -- -- The primary authority. This table is conceptually scanned -- in priority order, with the highest-priority matching enabled record -- determining the outcome. -- CREATE TABLE authority ( id INTEGER PRIMARY KEY AUTOINCREMENT, -- canonical version INTEGER NOT NULL DEFAULT (1) -- semantic version of this rule CHECK (version > 0), type INTEGER NOT NULL, -- operation type requirement TEXT NULL -- code requirement CHECK ((requirement IS NULL) = ((flags & 1) != 0)), allow INTEGER NOT NULL DEFAULT (1) -- allow (1) or deny (0) CHECK (allow = 0 OR allow = 1), disabled INTEGER NOT NULL DEFAULT (0) -- disable count (stacks; enabled if zero) CHECK (disabled >= 0), expires FLOAT NOT NULL DEFAULT (5000000), -- expiration of rule authority (Julian date) priority REAL NOT NULL DEFAULT (0), -- rule priority (full float) label TEXT NULL, -- text label for authority rule filter_unsigned TEXT NULL, -- prescreen for handling unsigned code flags INTEGER NOT NULL DEFAULT (0), -- amalgamated binary flags -- following fields are for documentation only ctime FLOAT NOT NULL DEFAULT (JULIANDAY('now')), -- rule creation time (Julian) mtime FLOAT NOT NULL DEFAULT (JULIANDAY('now')), -- time rule was last changed (Julian) user TEXT NULL, -- user requesting this rule (NULL if unknown) remarks TEXT NULL -- optional remarks string ); -- index CREATE INDEX authority_type ON authority (type); CREATE INDEX authority_priority ON authority (priority); CREATE INDEX authority_expires ON authority (expires); -- update mtime if a record is changed CREATE TRIGGER authority_update AFTER UPDATE ON authority BEGIN UPDATE authority SET mtime = JULIANDAY('now') WHERE id = old.id; END; -- rules that are actively considered CREATE VIEW active_authority AS SELECT * from authority WHERE disabled = 0 AND JULIANDAY('now') < expires AND (flags & 1) = 0; -- rules subject to priority scan: active_authority but including disabled rules CREATE VIEW scan_authority AS SELECT * from authority WHERE JULIANDAY('now') < expires AND (flags & 1) = 0; -- -- A table to carry (potentially large-ish) filesystem data stored as a bookmark blob. -- CREATE TABLE bookmarkhints ( id INTEGER PRIMARY KEY AUTOINCREMENT, bookmark BLOB NOT NULL, authority INTEGER NOT NULL REFERENCES authority(id) ON DELETE CASCADE ); -- -- Upgradable features already contained in this baseline. -- See policydatabase.cpp for upgrade code. -- INSERT INTO feature (name, value, remarks) VALUES ('bookmarkhints', 'present', 'builtin'); INSERT INTO feature (name, value, remarks) VALUES ('codesignedpackages', 'present', 'builtin'); INSERT INTO feature (name, value, remarks) VALUES ('filter_unsigned', 'present', 'builtin'); -- -- Initial canonical contents of a fresh database -- -- virtual rule anchoring negative cache entries (no rule found) insert into authority (type, allow, priority, flags, label) values (1, 0, -1.0E100, 1, 'No Matching Rule'); -- any "genuine Apple-signed" installers insert into authority (type, allow, priority, flags, label, requirement) values (2, 1, -1, 2, 'Apple Installer', 'anchor apple generic and certificate 1[subject.CN] = "Apple Software Update Certification Authority"'); -- Apple code signing insert into authority (type, allow, flags, label, requirement) values (1, 1, 2, 'Apple System', 'anchor apple'); -- Mac App Store code signing insert into authority (type, allow, flags, label, requirement) values (1, 1, 2, 'Mac App Store', 'anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] exists'); -- Mac App Store installer signing insert into authority (type, allow, flags, label, requirement) values (2, 1, 2, 'Mac App Store', 'anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.10] exists'); -- Caspian code and archive signing insert into authority (type, allow, flags, label, requirement) values (1, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists'); insert into authority (type, allow, flags, label, requirement) values (2, 1, 2, 'Developer ID', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])'); -- -- The cache table lists previously determined outcomes -- for individual objects (by object hash). Entries come from -- full evaluations of authority records, or by explicitly inserting -- override rules that preempt the normal authority. -- EACH object record must have a parent authority record from which it is derived; -- this may be a normal authority rule or an override rule. If the parent rule is deleted, -- all objects created from it are automatically removed (by sqlite itself). -- CREATE TABLE object ( id INTEGER PRIMARY KEY, -- canonical type INTEGER NOT NULL, -- operation type hash CDHASH NOT NULL, -- canonical hash of object allow INTEGER NOT NULL, -- allow (1) or deny (0) expires FLOAT NOT NULL DEFAULT (5000000), -- expiration of object entry authority INTEGER NOT NULL -- governing authority rule REFERENCES authority(id) ON DELETE CASCADE, -- following fields are for documentation only path TEXT NULL, -- path of object at record creation time ctime FLOAT NOT NULL DEFAULT (JULIANDAY('now')), -- record creation time mtime FLOAT NOT NULL DEFAULT (JULIANDAY('now')), -- record modification time remarks TEXT NULL -- optional remarks string ); -- index CREATE INDEX object_type ON object (type); CREATE INDEX object_expires ON object (expires); CREATE UNIQUE INDEX object_hash ON object (hash); -- update mtime if a record is changed CREATE TRIGGER object_update AFTER UPDATE ON object BEGIN UPDATE object SET mtime = JULIANDAY('now') WHERE id = old.id; END; -- -- Some useful views on objects. These are for administration; they are not used by the assessor. -- CREATE VIEW object_state AS SELECT object.id, object.type, object.allow, CASE object.expires WHEN 5000000 THEN NULL ELSE STRFTIME('%Y-%m-%d %H:%M:%f', object.expires, 'localtime') END AS expiration, (object.expires - JULIANDAY('now')) * 86400 as remaining, authority.label, object.authority, object.path, object.ctime, authority.requirement, authority.disabled, object.remarks FROM object, authority WHERE object.authority = authority.id;