#ifndef _H_ACLS
#define _H_ACLS
#include <securityd_client/sscommon.h>
#include <security_cdsa_utilities/cssmacl.h>
#include <security_cdsa_utilities/context.h>
#include <security_cdsa_utilities/acl_process.h>
#include <security_cdsa_utilities/acl_codesigning.h>
#include <security_cdsa_utilities/acl_secret.h>
#include <security_cdsa_utilities/acl_preauth.h>
#include <security_cdsa_utilities/acl_prompted.h>
#include <security_cdsa_utilities/acl_threshold.h>
#include "acl_partition.h"
using namespace SecurityServer;
class Connection;
class Database;
class Process;
class SecurityServerEnvironment;
// Entitlement name consulted by the ACL code. Its use is not visible in this
// header; presumably it gates the migration-related validation path in the
// corresponding .cpp — confirm there before relying on its exact semantics.
// NOTE(review): as a non-inline static, every TU including this header gets
// its own copy of the string; harmless, but an inline constant would be cleaner.
static const char migrationEntitlement[] = "com.apple.private.security.allow-migration";
//
// SecurityServerAcl — the securityd-side specialisation of ObjectAcl.
//
// Every ACL-bearing securityd object (keys, databases, ...) carries one of
// these. It adds the securityd-specific validation entry points (credential-
// and Context-based), partition-ID handling, and a recursive lock that
// serialises ACL operations on the object.
//
class SecurityServerAcl : public ObjectAcl {
public:
    // Allocates with the standard allocator; aclSequence is recursive so that
    // nested ACL operations from the same thread do not self-deadlock.
    SecurityServerAcl() : ObjectAcl(Allocator::standard()), aclSequence(Mutex::recursive) { }
    virtual ~SecurityServerAcl();

    // Access-control decision points.
    //   auth            the authorization being requested
    //   cred / context  caller credentials, either directly or via a CSSM Context
    //   relatedDatabase the database this object belongs to (may be null for
    //                   free-standing objects); made available to ACL subjects
    //                   through SecurityServerEnvironment::database
    // Failure is signalled by the ObjectAcl error convention (see acls.cpp).
    virtual void validate(AclAuthorization auth, const AccessCredentials *cred, Database *relatedDatabase);
    void validate(AclAuthorization auth, const Context &context, Database *relatedDatabase);

    // ACL/owner read and edit operations (edits are themselves credential-checked).
    virtual void getOwner(AclOwnerPrototype &owner);
    virtual void getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls);
    virtual void changeAcl(const AclEdit &edit, const AccessCredentials *cred,
                           Database *relatedDatabase);
    virtual void changeOwner(const AclOwnerPrototype &newOwner, const AccessCredentials *cred,
                             Database *relatedDatabase);

    // Kind of object this ACL protects; supplied by the concrete subclass.
    virtual AclKind aclKind() const = 0;

    // Helpers used while evaluating a validation context.
    static bool addToStandardACL(const AclValidationContext &context, AclSubject *subject);
    static bool looksLikeLegacyDotMac(const AclValidationContext &context);

    // Partition-ID support: create or extend the partition subject on behalf
    // of the given client process (see acl_partition.h).
    bool createClientPartitionID(Process& process);
    bool addClientPartitionID(Process& process);
    PartitionAclSubject* findPartitionSubject();
    CFDictionaryRef createPartitionPayload();

    // Serialises ACL operations on this object. Public so callers that need to
    // hold the lock across several calls can do so.
    Mutex aclSequence;

private:
    // Partition checks run during validate(); `prompt` selects whether the
    // user may be asked (exact semantics live in acls.cpp).
    void validatePartition(SecurityServerEnvironment& env, bool prompt);
    bool extendPartition(SecurityServerEnvironment& env);
};
//
// SecurityServerEnvironment — the validation environment handed to ACL subjects.
//
// ACL subjects (process, code-signature, secret, prompted, pre-authorization)
// each declare an Environment interface they query during evaluation. This
// class implements all of them at once via virtual inheritance, so one object
// can be passed to every subject type. It is built per validation from the ACL
// being evaluated and the database the protected object lives in.
//
class SecurityServerEnvironment : public virtual AclValidationEnvironment,
                                  public virtual ProcessAclSubject::Environment,
                                  public virtual CodeSignatureAclSubject::Environment,
                                  public virtual SecretAclSubject::Environment,
                                  public virtual PromptedAclSubject::Environment,
                                  public virtual PreAuthorizationAcls::Environment {
public:
    // baseAcl  the ACL under evaluation
    // db       its related database, or null (stored as-is, never dereferenced here)
    SecurityServerEnvironment(SecurityServerAcl &baseAcl, Database *db)
        : acl(baseAcl), database(db) { }

    SecurityServerAcl &acl;
    Database * const database;

    // Identity of the requesting client as seen by the ACL subjects.
    uid_t getuid() const;
    gid_t getgid() const;
    pid_t getpid() const;

    // CodeSignatureAclSubject::Environment
    bool verifyCodeSignature(const OSXVerifier &verifier, const AclValidationContext &context);

    // SecretAclSubject::Environment
    bool validateSecret(const SecretAclSubject *me, const AccessCredentials *cred);

    // PromptedAclSubject::Environment — obtains a secret for the given prompt.
    bool getSecret(CssmOwnedData &secret, const CssmData &prompt) const;

    // PreAuthorizationAcls::Environment — the ACL that pre-authorization
    // entries are resolved against, and per-subject storage.
    ObjectAcl *preAuthSource();
    Adornable &store(const AclSubject *subject);

    // Locates the threshold subject that forms the "standard" ACL entry for
    // this context (see SecurityServerAcl::addToStandardACL).
    ThresholdAclSubject *standardSubject(const AclValidationContext &context);
};
//
// AclSource — mix-in for objects that expose an ACL through securityd.
//
// Subclasses provide acl() (and optionally relatedDatabase()); the forwarding
// methods below route every ACL operation to that ACL, supplying the related
// database where the ACL API requires one. Abstract: the constructor is
// protected and acl() has no inline definition here.
//
class AclSource {
protected:
    AclSource() { }
    virtual ~AclSource();

public:
    // The ACL this object is protected by.
    virtual SecurityServerAcl &acl();
    // The database the object belongs to; used when the caller supplies none.
    virtual Database *relatedDatabase();

    // Plain forwarders to the ACL.
    virtual void getOwner(AclOwnerPrototype &owner)
    {
        acl().getOwner(owner);
    }

    virtual void getAcl(const char *tag, uint32 &count, AclEntryInfo *&acls)
    {
        acl().getAcl(tag, count, acls);
    }

    // Edits always use this object's own related database.
    virtual void changeAcl(const AclEdit &edit, const AccessCredentials *cred)
    {
        acl().changeAcl(edit, cred, relatedDatabase());
    }

    virtual void changeOwner(const AclOwnerPrototype &newOwner, const AccessCredentials *cred)
    {
        acl().changeOwner(newOwner, cred, relatedDatabase());
    }

    // Validation: an explicitly passed relatedDb wins; otherwise fall back to
    // relatedDatabase(). Note the default argument on a virtual function is
    // bound statically to the caller's static type.
    virtual void validate(AclAuthorization auth, const AccessCredentials *cred, Database* relatedDb = NULL)
    {
        Database *db = relatedDb;
        if (db == NULL)
            db = relatedDatabase();
        acl().validate(auth, cred, db);
    }

    virtual void validate(AclAuthorization auth, const Context &context, Database* relatedDb = NULL)
    {
        Database *db = relatedDb;
        if (db == NULL)
            db = relatedDatabase();
        acl().validate(auth, context, db);
    }
};
#endif //_H_ACLS