policydb.h   [plain text]


/*
 * Copyright (c) 2011 Apple Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 * 
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */
#ifndef _H_POLICYDB
#define _H_POLICYDB

#include <security_utilities/globalizer.h>
#include <security_utilities/hashing.h>
#include <security_utilities/sqlite++.h>
#include <CoreFoundation/CoreFoundation.h>

namespace Security {
namespace CodeSigning {


namespace SQLite = SQLite3;


static const char defaultDatabase[] = "/var/db/SystemPolicy";
static const char visibleSecurityFlagFile[] = "/var/db/.sp_visible";

static const double never = 5000000;	// expires never (i.e. in the year 8977)


typedef SHA1::SDigest ObjectHash;


typedef uint AuthorityType;
enum {
	kAuthorityInvalid = 0,				// not a valid authority type
	kAuthorityExecute = 1,				// authorizes launch and execution
	kAuthorityInstall = 2,				// authorizes installation
	kAuthorityOpenDoc = 3,				// authorizes opening of documents
};


//
// Defined flags for authority flags column
//
enum {
	kAuthorityFlagVirtual =	0x0001,	// virtual rule (anchoring object records)
	kAuthorityFlagDefault =	0x0002,	// rule is part of the original default set
	kAuthorityFlagInhibitCache = 0x0004, // never cache outcome of this rule
};


//
// Mapping/translation to/from API space
//
AuthorityType typeFor(CFDictionaryRef context, AuthorityType type = kAuthorityInvalid);


//
// An open policy database.
// Usually read-only, but can be opened for write by privileged callers.
// This is a translucent wrapper around SQLite::Database; the caller
// is expected to work with statement rows.
//
class PolicyDatabase : public SQLite::Database {
public:
	PolicyDatabase(const char *path = NULL,	int flags = SQLITE_OPEN_READONLY);
	virtual ~PolicyDatabase();
	
public:
	bool checkCache(CFURLRef path, AuthorityType type, CFMutableDictionaryRef result);

public:
	void purgeAuthority();
	void purgeObjects();
	void purgeObjects(double priority);
};


//
// Check the system-wide overriding flag file
//
bool overrideAssessment();


} // end namespace CodeSigning
} // end namespace Security

#endif //_H_POLICYDB