/* * Copyright (c) 2002-2004 Apple Computer, Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. * * @APPLE_LICENSE_HEADER_END@ */ /*! @header SecAccess SecAccess implements a way to set and manipulate access control rules and restrictions on SecKeychainItems. */ #ifndef _SECURITY_SECACCESS_H_ #define _SECURITY_SECACCESS_H_ #include <Security/SecBase.h> #include <Security/cssmtype.h> #include <CoreFoundation/CFArray.h> #include <CoreFoundation/CFError.h> #include <sys/types.h> #include <unistd.h> #if defined(__cplusplus) extern "C" { #endif typedef UInt32 SecAccessOwnerType; enum { kSecUseOnlyUID = 1, kSecUseOnlyGID = 2, kSecHonorRoot = 0x100, kSecMatchBits = (kSecUseOnlyUID | kSecUseOnlyGID) }; /* No restrictions. Permission to perform all operations on the resource or available to an ACL owner. */ extern CFTypeRef kSecACLAuthorizationAny __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationLogin __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationGenKey __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationDelete __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationExportWrapped __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationExportClear __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationImportWrapped __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationImportClear __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationSign __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationEncrypt __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationDecrypt __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationMAC __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationDerive __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); /* Defined authorization tag values for Keychain */ extern CFTypeRef kSecACLAuthorizationKeychainCreate __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationKeychainDelete __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationKeychainItemRead __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationKeychainItemInsert __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationKeychainItemModify __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationKeychainItemDelete __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationChangeACL __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); extern CFTypeRef kSecACLAuthorizationChangeOwner __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); /*! @function SecAccessGetTypeID @abstract Returns the type identifier of SecAccess instances. @result The CFTypeID of SecAccess instances. */ CFTypeID SecAccessGetTypeID(void); /*! @function SecAccessCreate @abstract Creates a new SecAccessRef that is set to the currently designated system default configuration of a (newly created) security object. Note that the precise nature of this default may change between releases. @param descriptor The name of the item as it should appear in security dialogs @param trustedlist A CFArray of TrustedApplicationRefs, specifying which applications should be allowed to access an item without triggering confirmation dialogs. If NULL, defaults to (just) the application creating the item. To set no applications, pass a CFArray with no elements. @param accessRef On return, a pointer to the new access reference. @result A result code. See "Security Error Codes" (SecBase.h). */ OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef trustedlist, SecAccessRef *accessRef); /*! @function SecAccessCreateFromOwnerAndACL @abstract Creates a new SecAccessRef using the owner and access control list you provide. @param owner A pointer to a CSSM access control list owner. @param aclCount An unsigned 32-bit integer representing the number of items in the access control list. @param acls A pointer to the access control list. @param On return, a pointer to the new access reference. @result A result code. See "Security Error Codes" (SecBase.h). @discussion For 10.7 and later please use the SecAccessCreateWithOwnerAndACL API */ OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner, uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls, SecAccessRef *accessRef) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; /*! @function SecAccessCreateWithOwnerAndACL @abstract Creates a new SecAccessRef using either for a user or a group with a list of ACLs @param userId An user id that specifies the user to associate with this SecAccessRef. @param groupId A group id that specifies the group to associate with this SecAccessRef. @param ownerType Specifies the how the ownership of the new SecAccessRef is defined. @param acls A CFArrayRef of the ACLs to associate with this SecAccessRef @param error Optionally a pointer to a CFErrorRef to return any errors with may have occured @result A pointer to the new access reference. */ SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef acls, CFErrorRef *error) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); /*! @function SecAccessGetOwnerAndACL @abstract Retrieves the owner and the access control list of a given access. @param accessRef A reference to the access from which to retrieve the information. @param owner On return, a pointer to the access control list owner. @param aclCount On return, a pointer to an unsigned 32-bit integer representing the number of items in the access control list. @param acls On return, a pointer to the access control list. @result A result code. See "Security Error Codes" (SecBase.h). @discussion For 10.7 and later please use the SecAccessCopyOwnerAndACL API */ OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef, CSSM_ACL_OWNER_PROTOTYPE_PTR *owner, uint32 *aclCount, CSSM_ACL_ENTRY_INFO_PTR *acls) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; /*! @function SecAccessCopyOwnerAndACL @abstract Retrieves the owner and the access control list of a given access. @param accessRef A reference to the access from which to retrieve the information. @param userId On return, the user id of the owner @param groupId On return, the group id of the owner @param ownerType On return, the type of owner for this AccessRef @param aclCount On return, a Boolean that if true specifies that the ownerId is a uid_t else it is a gid_t. @param aclList On return, a pointer to a new created CFArray of SecACL instances. The caller is responsible for calling CFRelease on this array. @result A result code. See "Security Error Codes" (SecBase.h). */ OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t* userId, gid_t* groupId, SecAccessOwnerType* ownerType, CFArrayRef* aclList) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); /*! @function SecAccessCopyACLList @abstract Copies all the access control lists of a given access. @param accessRef A reference to the access from which to retrieve the information. @param aclList On return, a pointer to a new created CFArray of SecACL instances. The caller is responsible for calling CFRelease on this array. @result A result code. See "Security Error Codes" (SecBase.h). */ OSStatus SecAccessCopyACLList(SecAccessRef accessRef, CFArrayRef *aclList); /*! @function SecAccessCopySelectedACLList @abstract Copies selected access control lists from a given access. @param accessRef A reference to the access from which to retrieve the information. @param action An authorization tag specifying what action with which to select the action control lists. @param aclList On return, a pointer to the selected access control lists. @result A result code. See "Security Error Codes" (SecBase.h). @discussion For 10.7 and later please use the SecAccessCopyMatchingACLList API */ OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef, CSSM_ACL_AUTHORIZATION_TAG action, CFArrayRef *aclList) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; /*! @function SecAccessCopyMatchingACLList @abstract Copies selected access control lists from a given access. @param accessRef A reference to the access from which to retrieve the information. @param authorizationTag An authorization tag specifying what action with which to select the action control lists. @result A pointer to the selected access control lists. */ CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag) __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); #if defined(__cplusplus) } #endif #endif /* !_SECURITY_SECACCESS_H_ */