syspolicy.sql   [plain text]


--
-- Copyright (c) 2011 Apple Inc. All Rights Reserved.
-- 
-- @APPLE_LICENSE_HEADER_START@
-- 
-- This file contains Original Code and/or Modifications of Original Code
-- as defined in and that are subject to the Apple Public Source License
-- Version 2.0 (the 'License'). You may not use this file except in
-- compliance with the License. Please obtain a copy of the License at
-- http://www.opensource.apple.com/apsl/ and read it before using this
-- file.
--
-- The Original Code and all software distributed under the License are
-- distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
-- EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
-- INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
-- FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
-- Please see the License for the specific language governing rights and
-- limitations under the License.
-- 
-- @APPLE_LICENSE_HEADER_END@
--
--
-- System Policy master database - file format and initial contents
--
-- This is currently for sqlite3
--
PRAGMA foreign_keys = true;



--
-- The primary authority. This table is conceptually scanned
-- in priority order, with the highest-priority matching record
-- determining the outcome.
-- 
CREATE TABLE authority (
	id INTEGER PRIMARY KEY,
	type INTEGER NOT NULL,
	requirement TEXT NOT NULL,
	allow INTEGER NOT NULL,
	expires INTEGER NULL,
	priority REAL NOT NULL DEFAULT (0),
	label TEXT NULL,
	inhibit_cache INTEGER NULL,
	flags INTEGER NOT NULL DEFAULT (0),
	-- following fields are for documentation only
	remarks TEXT NULL
);

-- any Apple-signed installers of any kind
insert into authority (type, allow, priority, label, requirement)
	values (2, 1, -1, 'Apple Installer', 'anchor apple generic');

-- Apple code signing
insert into authority (type, allow, label, requirement)
	values (1, 1, 'Apple', 'anchor apple');

-- Mac App Store signing
insert into authority (type, allow, label, requirement)
	values (1, 1, 'Mac App Store', 'anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] exists');

insert into authority (type, allow, label, requirement)
	values (1, 1, 'Developer Seed', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists');
insert into authority (type, allow, label, requirement)
	values (2, 1, 'Developer Seed', 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.14] exists');


--
-- The cache table lists previously determined outcomes
-- for individual objects (by object hash). Entries come from
-- full evaluations of authority records, or by explicitly inserting
-- override rules that preempt the normal authority.
--
CREATE TABLE object (
	id INTEGER PRIMARY KEY,
	type INTEGER NOT NULL,
	hash CDHASH NOT NULL UNIQUE,
	allow INTEGER NOT NULL,
	expires INTEGER NULL,
	label TEXT NULL,
	authority INTEGER NULL REFERENCES authority(id),
	-- following fields are for documentation only
	path TEXT NULL,
	created INTEGER NOT NULL default (strftime('%s','now')),
	remarks TEXT NULL
);