#ifndef _H_POLICYDB
#define _H_POLICYDB
#include "SecAssessment.h"
#include <security_utilities/globalizer.h>
#include <security_utilities/hashing.h>
#include <security_utilities/sqlite++.h>
#include <CoreFoundation/CoreFoundation.h>
namespace Security {
namespace CodeSigning {
namespace SQLite = SQLite3;
//
// On-disk locations used by the system policy (Gatekeeper) machinery.
// Everything lives under /var/db; the database itself is opened read-only by
// default (see the PolicyDatabase constructor), so writers must ask for it.
//
static const char defaultDatabase[] = "/var/db/SystemPolicy";
static const char visibleSecurityFlagFile[] = "/var/db/.sp_visible";
static const char prefsFile[] = "/var/db/SystemPolicy-prefs.plist";
static const char lastRejectFile[] = "/var/db/.LastGKReject";
static const char lastApprovedFile[] = "/var/db/.LastGKApp";
static const char rearmTimerFile[] = "/var/db/.GKRearmTimer";

// Explicit ("gke") authorization and signature sets. The *_old names are the
// pre-bundle locations; the current files live inside gke.bundle.
static const char gkeAuthFile_old[] = "/var/db/gke.auth";
static const char gkeSigsFile_old[] = "/var/db/gke.sigs";
static const char gkeAuthFile[] = "/var/db/gke.bundle/Contents/Resources/gke.auth";
static const char gkeSigsFile[] = "/var/db/gke.bundle/Contents/Resources/gke.sigs";

// Minimum spacing between re-checks of the gke files. Unit is not stated here;
// PolicyDatabase::mLastExplicitCheck is a time_t, so presumably seconds -- confirm.
static const unsigned int gkeCheckInterval = 60;

// Julian Day representation used by dateToJulian/julianToDate below.
// julianBase is the Julian Day of the CFAbsoluteTime epoch (2001-01-01 00:00 UTC),
// so the conversion is a plain scale (seconds -> days) plus offset.
// 'never' is a Julian Day far in the future; presumably a "does not expire"
// sentinel -- confirm at the use sites.
static const double never = 5000000;
static const double julianBase = 2451910.5;
//
// Convert a CFDate to a fractional Julian Day number.
// CFAbsoluteTime counts seconds from the 2001 epoch; dividing by the seconds
// in a day and adding julianBase (the Julian Day of that epoch) yields the JD.
//
static inline double dateToJulian(CFDateRef time)
{
	CFAbsoluteTime seconds = CFDateGetAbsoluteTime(time);
	return julianBase + seconds / 86400.0;
}
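//
// Inverse of dateToJulian: build a CFDate from a Julian Day number.
//
// Returns a +1 retained object (CFDateCreate follows the CF Create rule), so
// the caller owns it and must CFRelease it. Because this function's name does
// not follow the Create/Copy naming convention, the static analyzer cannot
// infer that ownership on its own; the attribute states it explicitly, matching
// typeNameFor() in this header.
//
static inline CF_RETURNS_RETAINED CFDateRef julianToDate(double julian)
{
	// days -> seconds relative to the CFAbsoluteTime epoch
	return CFDateCreate(NULL, (julian - julianBase) * 86400.0);
}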
//
// Object identity and authority classification.
//
// ObjectHash is a SHA-1 digest. NOTE(review): kAuthorityFlagWhitelistSHA256
// below indicates SHA-256 material exists elsewhere in the schema; confirm
// which digest is actually consulted for whitelist matching before relying on
// this type for identity decisions.
//
typedef SHA1::SDigest ObjectHash;

// Which kind of operation an authority record governs (stored as a plain integer).
typedef uint AuthorityType;
enum {
	kAuthorityInvalid = 0,
	kAuthorityExecute = 1,
	kAuthorityInstall = 2,
	kAuthorityOpenDoc = 3,
};

// Per-record flag bits (combinable).
enum {
	kAuthorityFlagVirtual          = 0x0001,
	kAuthorityFlagDefault          = 0x0002,
	kAuthorityFlagInhibitCache     = 0x0004,
	kAuthorityFlagWhitelist        = 0x1000,
	kAuthorityFlagWhitelistV2      = 0x2000,
	kAuthorityFlagWhitelistSHA256  = 0x4000,
};

// Derive the AuthorityType for an assessment context dictionary. The 'type'
// argument defaults to kAuthorityInvalid; how it interacts with the context
// (override vs. fallback) is defined in the implementation -- confirm there.
AuthorityType typeFor(CFDictionaryRef context, AuthorityType type = kAuthorityInvalid);

// Human-readable name for an AuthorityType. Returns a +1 retained CFString;
// the caller must CFRelease it.
CFStringRef typeNameFor(AuthorityType type)
	CF_RETURNS_RETAINED;
//
// PolicyDatabase is the SQLite-backed store behind SecAssessment decisions.
// It is a thin specialization of SQLite::Database adding the policy-specific
// lookup and maintenance operations declared here; the SQL lives in the .cpp.
//
class PolicyDatabase : public SQLite::Database {
public:
	// Open the database at 'path'. Passing NULL presumably selects
	// defaultDatabase -- confirm in the implementation. The connection is
	// read-only by default; callers that intend to use the mutating members
	// below must pass write-enabled SQLite open flags explicitly.
	PolicyDatabase(const char *path = NULL, int flags = SQLITE_OPEN_READONLY);
	virtual ~PolicyDatabase();

public:
	// Consult previously recorded assessment state for 'path' under 'type'.
	// Hit/miss semantics and what gets stored into 'result' are defined in
	// the .cpp (inferred from the name only).
	bool checkCache(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFMutableDictionaryRef result);

public:
	// Maintenance: remove stored authority and object records.
	void purgeAuthority();
	void purgeObjects();
	void purgeObjects(double priority);

	// Schema and feature bookkeeping. A feature is identified by name and has
	// a string "level"; hasFeature treats an empty level as "not present".
	void upgradeDatabase();
	std::string featureLevel(const char *feature);
	bool hasFeature(const char *feature)
	{
		std::string level = featureLevel(feature);
		return level.size() != 0;
	}
	void addFeature(const char *feature, const char *value, const char *remarks);
	void simpleFeature(const char *feature, const char *sql);		// SQL-driven variant
	void simpleFeature(const char *feature, void (^perform)());		// block-driven variant

	// Load an explicit (gke) authority/signature set from the given files.
	void installExplicitSet(const char *auth, const char *sigs);

private:
	// Presumably the last time the gke files were checked, paced by
	// gkeCheckInterval -- confirm in the implementation.
	time_t mLastExplicitCheck;
};
//
// Global assessment switch and re-arm timer.
// The exact persistence and semantics are defined in the .cpp; the comments
// below are name-derived and should be confirmed there.
//

// Whether the assessment outcome should be overridden for a request carrying
// the given flags (0 = no flags).
bool overrideAssessment(SecAssessmentFlags flags = 0);

// Turn system-wide assessment on (true) or off (false).
void setAssessment(bool masterSwitch);

// Restart the re-arm timer, attributing the reset to 'event'.
void resetRearmTimer(const char *event);

// Report whether a re-arm timer is active; on success 'delta' receives the
// associated time interval (direction -- elapsed vs. remaining -- not stated here).
bool queryRearmTimer(CFTimeInterval &delta);
} }
#endif //_H_POLICYDB