You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

222 lines
10 KiB

/*
* Copyright (c) 2002-2004,2011,2014 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*!
@header SecAccess
SecAccess implements a way to set and manipulate access control rules and
restrictions on SecKeychainItems.
*/
#ifndef _SECURITY_SECACCESS_H_
#define _SECURITY_SECACCESS_H_
#include <Security/SecBase.h>
#include <Security/cssmtype.h>
#include <CoreFoundation/CFArray.h>
#include <CoreFoundation/CFError.h>
#include <sys/types.h>
#include <unistd.h>
#if defined(__cplusplus)
extern "C" {
#endif
CF_ASSUME_NONNULL_BEGIN
CF_IMPLICIT_BRIDGING_ENABLED
typedef UInt32 SecAccessOwnerType;
enum
{
kSecUseOnlyUID = 1,
kSecUseOnlyGID = 2,
kSecHonorRoot = 0x100,
kSecMatchBits = (kSecUseOnlyUID | kSecUseOnlyGID)
};
/* No restrictions. Permission to perform all operations on
the resource or available to an ACL owner. */
extern const CFStringRef kSecACLAuthorizationAny
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationLogin
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationGenKey
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationDelete
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationExportWrapped
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationExportClear
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationImportWrapped
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationImportClear
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationSign
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationEncrypt
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationDecrypt
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationMAC
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationDerive
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
/* Defined authorization tag values for Keychain */
extern const CFStringRef kSecACLAuthorizationKeychainCreate
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationKeychainDelete
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationKeychainItemRead
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationKeychainItemInsert
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationKeychainItemModify
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationKeychainItemDelete
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationChangeACL
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
extern const CFStringRef kSecACLAuthorizationChangeOwner
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
/*!
@function SecAccessGetTypeID
@abstract Returns the type identifier of SecAccess instances.
@result The CFTypeID of SecAccess instances.
*/
CFTypeID SecAccessGetTypeID(void);
/*!
@function SecAccessCreate
@abstract Creates a new SecAccessRef that is set to the currently designated system default
configuration of a (newly created) security object. Note that the precise nature of
this default may change between releases.
@param descriptor The name of the item as it should appear in security dialogs
@param trustedlist A CFArray of TrustedApplicationRefs, specifying which applications
should be allowed to access an item without triggering confirmation dialogs.
If NULL, defaults to (just) the application creating the item. To set no applications,
pass a CFArray with no elements.
@param accessRef On return, a pointer to the new access reference.
@result A result code. See "Security Error Codes" (SecBase.h).
*/
OSStatus SecAccessCreate(CFStringRef descriptor, CFArrayRef __nullable trustedlist, SecAccessRef * __nonnull CF_RETURNS_RETAINED accessRef);
/*!
@function SecAccessCreateFromOwnerAndACL
@abstract Creates a new SecAccessRef using the owner and access control list you provide.
@param owner A pointer to a CSSM access control list owner.
@param aclCount An unsigned 32-bit integer representing the number of items in the access control list.
@param acls A pointer to the access control list.
@param On return, a pointer to the new access reference.
@result A result code. See "Security Error Codes" (SecBase.h).
@discussion For 10.7 and later please use the SecAccessCreateWithOwnerAndACL API
*/
OSStatus SecAccessCreateFromOwnerAndACL(const CSSM_ACL_OWNER_PROTOTYPE *owner, uint32 aclCount, const CSSM_ACL_ENTRY_INFO *acls, SecAccessRef * __nonnull CF_RETURNS_RETAINED accessRef)
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
/*!
@function SecAccessCreateWithOwnerAndACL
@abstract Creates a new SecAccessRef using either for a user or a group with a list of ACLs
@param userId An user id that specifies the user to associate with this SecAccessRef.
@param groupId A group id that specifies the group to associate with this SecAccessRef.
@param ownerType Specifies the how the ownership of the new SecAccessRef is defined.
@param acls A CFArrayRef of the ACLs to associate with this SecAccessRef
@param error Optionally a pointer to a CFErrorRef to return any errors with may have occured
@result A pointer to the new access reference.
*/
__nullable
SecAccessRef SecAccessCreateWithOwnerAndACL(uid_t userId, gid_t groupId, SecAccessOwnerType ownerType, CFArrayRef __nullable acls, CFErrorRef *error)
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
/*!
@function SecAccessGetOwnerAndACL
@abstract Retrieves the owner and the access control list of a given access.
@param accessRef A reference to the access from which to retrieve the information.
@param owner On return, a pointer to the access control list owner.
@param aclCount On return, a pointer to an unsigned 32-bit integer representing the number of items in the access control list.
@param acls On return, a pointer to the access control list.
@result A result code. See "Security Error Codes" (SecBase.h).
@discussion For 10.7 and later please use the SecAccessCopyOwnerAndACL API
*/
OSStatus SecAccessGetOwnerAndACL(SecAccessRef accessRef, CSSM_ACL_OWNER_PROTOTYPE_PTR __nullable * __nonnull owner, uint32 *aclCount, CSSM_ACL_ENTRY_INFO_PTR __nullable * __nonnull acls)
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
/*!
@function SecAccessCopyOwnerAndACL
@abstract Retrieves the owner and the access control list of a given access.
@param accessRef A reference to the access from which to retrieve the information.
@param userId On return, the user id of the owner
@param groupId On return, the group id of the owner
@param ownerType On return, the type of owner for this AccessRef
@param aclList On return, a pointer to a new created CFArray of SecACL instances. The caller is responsible for calling CFRelease on this array.
@result A result code. See "Security Error Codes" (SecBase.h).
*/
OSStatus SecAccessCopyOwnerAndACL(SecAccessRef accessRef, uid_t * __nullable userId, gid_t * __nullable groupId, SecAccessOwnerType * __nullable ownerType, CFArrayRef * __nullable CF_RETURNS_RETAINED aclList)
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
/*!
@function SecAccessCopyACLList
@abstract Copies all the access control lists of a given access.
@param accessRef A reference to the access from which to retrieve the information.
@param aclList On return, a pointer to a new created CFArray of SecACL instances. The caller is responsible for calling CFRelease on this array.
@result A result code. See "Security Error Codes" (SecBase.h).
*/
OSStatus SecAccessCopyACLList(SecAccessRef accessRef, CFArrayRef * __nonnull CF_RETURNS_RETAINED aclList);
/*!
@function SecAccessCopySelectedACLList
@abstract Copies selected access control lists from a given access.
@param accessRef A reference to the access from which to retrieve the information.
@param action An authorization tag specifying what action with which to select the action control lists.
@param aclList On return, a pointer to the selected access control lists.
@result A result code. See "Security Error Codes" (SecBase.h).
@discussion For 10.7 and later please use the SecAccessCopyMatchingACLList API
*/
OSStatus SecAccessCopySelectedACLList(SecAccessRef accessRef, CSSM_ACL_AUTHORIZATION_TAG action, CFArrayRef * __nonnull CF_RETURNS_RETAINED aclList)
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;
/*!
@function SecAccessCopyMatchingACLList
@abstract Copies selected access control lists from a given access.
@param accessRef A reference to the access from which to retrieve the information.
@param authorizationTag An authorization tag specifying what action with which to select the action control lists.
@result A pointer to the selected access control lists.
*/
__nullable
CFArrayRef SecAccessCopyMatchingACLList(SecAccessRef accessRef, CFTypeRef authorizationTag)
__OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA);
CF_IMPLICIT_BRIDGING_DISABLED
CF_ASSUME_NONNULL_END
#if defined(__cplusplus)
}
#endif
#endif /* !_SECURITY_SECACCESS_H_ */