Cradicle Explorer
darling-security
/ OSX / libsecurity_codesigning / lib / policyengine.h
policyengine.h
  1  /*
  2   * Copyright (c) 2011-2014 Apple Inc. All Rights Reserved.
  3   * 
  4   * @APPLE_LICENSE_HEADER_START@
  5   * 
  6   * This file contains Original Code and/or Modifications of Original Code
  7   * as defined in and that are subject to the Apple Public Source License
  8   * Version 2.0 (the 'License'). You may not use this file except in
  9   * compliance with the License. Please obtain a copy of the License at
 10   * http://www.opensource.apple.com/apsl/ and read it before using this
 11   * file.
 12   * 
 13   * The Original Code and all software distributed under the License are
 14   * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 15   * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 16   * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 17   * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 18   * Please see the License for the specific language governing rights and
 19   * limitations under the License.
 20   * 
 21   * @APPLE_LICENSE_HEADER_END@
 22   */
 23  #ifndef _H_POLICYENGINE
 24  #define _H_POLICYENGINE
 25  
 26  #include "SecAssessment.h"
 27  #include "opaquewhitelist.h"
 28  #include "evaluationmanager.h"
 29  #include "policydb.h"
 30  #include <security_utilities/globalizer.h>
 31  #include <security_utilities/cfutilities.h>
 32  #include <security_utilities/hashing.h>
 33  #include <security_utilities/sqlite++.h>
 34  #include <CoreFoundation/CoreFoundation.h>
 35  #include <Security/CodeSigning.h>
 36  
 37  namespace Security {
 38  namespace CodeSigning {
 39  
 40  
 41  typedef uint EngineOperation;
 42  enum {
 43  	opInvalid = 0,
 44  	opEvaluate,
 45  	opAddAuthority,
 46  	opRemoveAuthority,
 47  };
 48  
 49  
 50  class PolicyEngine : public PolicyDatabase {
 51  public:
 52  	PolicyEngine();
 53  	virtual ~PolicyEngine();
 54  
 55  public:
 56  	void evaluate(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result);
 57  
 58  	CFDictionaryRef update(CFTypeRef target, SecAssessmentFlags flags, CFDictionaryRef context);
 59  	CFDictionaryRef add(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context);
 60  	CFDictionaryRef remove(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context);
 61  	CFDictionaryRef enable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize);
 62  	CFDictionaryRef disable(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize);
 63  	CFDictionaryRef find(CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context);
 64  
 65  	void recordFailure(CFDictionaryRef info);
 66  
 67  public:
 68  	static void addAuthority(SecAssessmentFlags flags, CFMutableDictionaryRef parent, const char *label, SQLite::int64 row = 0, CFTypeRef cacheInfo = NULL, bool weak = false, uint64_t ruleFlags = 0);
 69  	static void addToAuthority(CFMutableDictionaryRef parent, CFStringRef key, CFTypeRef value);
 70  
 71  private:
 72  	void evaluateCode(CFURLRef path, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result, bool handleUnsigned);
 73  	void evaluateInstall(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result);
 74  	void evaluateDocOpen(CFURLRef path, SecAssessmentFlags flags, CFDictionaryRef context, CFMutableDictionaryRef result);
 75  	
 76  	void evaluateCodeItem(SecStaticCodeRef code, CFURLRef path, AuthorityType type, SecAssessmentFlags flags, bool nested, CFMutableDictionaryRef result);
 77  	void adjustValidation(SecStaticCodeRef code);
 78  	bool temporarySigning(SecStaticCodeRef code, AuthorityType type, CFURLRef path, SecAssessmentFlags matchFlags);
 79  	void normalizeTarget(CFRef<CFTypeRef> &target, AuthorityType type, CFDictionary &context, std::string *signUnsigned);
 80  	
 81  	void selectRules(SQLite::Statement &action, std::string stanza, std::string table,
 82  		CFTypeRef inTarget, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, std::string suffix = "");
 83  	CFDictionaryRef manipulateRules(const std::string &stanza,
 84  		CFTypeRef target, AuthorityType type, SecAssessmentFlags flags, CFDictionaryRef context, bool authorize);
 85  
 86  	void setOrigin(CFArrayRef chain, CFMutableDictionaryRef result);
 87  
 88  	void recordOutcome(SecStaticCodeRef code, bool allow, AuthorityType type, double expires, SQLite::int64 authority);
 89  
 90  private:
 91  	OpaqueWhitelist* mOpaqueWhitelist;
 92  	CFDictionaryRef opaqueWhitelistValidationConditionsFor(SecStaticCodeRef code);
 93  	bool opaqueWhiteListContains(SecStaticCodeRef code, SecAssessmentFeedback feedback, OSStatus reason);
 94  	void opaqueWhitelistAdd(SecStaticCodeRef code);
 95  
 96      friend class EvaluationManager;
 97      friend class EvaluationTask;
 98  };
 99  
100  
101  } // end namespace CodeSigning
102  } // end namespace Security
103  
104  #endif //_H_POLICYENGINE