2
* Copyright (c) 2000-2003 Apple Computer, Inc. All Rights Reserved.
4
* The contents of this file constitute Original Code as defined in and are
5
* subject to the Apple Public Source License Version 1.2 (the 'License').
6
* You may not use this file except in compliance with the License. Please obtain
7
* a copy of the License at http://www.apple.com/publicsource and read it before
10
* This Original Code and all software distributed under the License are
11
* distributed on an 'AS IS' basis, WITHOUT WARRANTY of ANY KIND, EITHER EXPRESS
12
* OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
13
* LIMITATION, ANY WARRANTIES of MERCHANTABILITY, FITNESS FOR A PARTICULAR
14
* PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
15
* specific language governing rights and limitations under the License.
17
{ Pascal Translation: Peter N Lewis, <peter@stairways.com.au>, 2004 }
22
* AuthSession - APIs for managing login, authorization, and security Sessions.
27
Modified for use with Free Pascal
29
Please report any bugs to <gpc@microbizz.nl>
40
{$setc UNIVERSAL_INTERFACES_VERSION := $0342}
41
{$setc GAP_INTERFACES_VERSION := $0200}
43
{$ifc not defined USE_CFSTR_CONSTANT_MACROS}
44
{$setc USE_CFSTR_CONSTANT_MACROS := TRUE}
47
{$ifc defined CPUPOWERPC and defined CPUI386}
48
{$error Conflicting initial definitions for CPUPOWERPC and CPUI386}
50
{$ifc defined FPC_BIG_ENDIAN and defined FPC_LITTLE_ENDIAN}
51
{$error Conflicting initial definitions for FPC_BIG_ENDIAN and FPC_LITTLE_ENDIAN}
54
{$ifc not defined __ppc__ and defined CPUPOWERPC}
59
{$ifc not defined __i386__ and defined CPUI386}
65
{$ifc defined __ppc__ and __ppc__ and defined __i386__ and __i386__}
66
{$error Conflicting definitions for __ppc__ and __i386__}
69
{$ifc defined __ppc__ and __ppc__}
70
{$setc TARGET_CPU_PPC := TRUE}
71
{$setc TARGET_CPU_X86 := FALSE}
72
{$elifc defined __i386__ and __i386__}
73
{$setc TARGET_CPU_PPC := FALSE}
74
{$setc TARGET_CPU_X86 := TRUE}
76
{$error Neither __ppc__ nor __i386__ is defined.}
78
{$setc TARGET_CPU_PPC_64 := FALSE}
80
{$ifc defined FPC_BIG_ENDIAN}
81
{$setc TARGET_RT_BIG_ENDIAN := TRUE}
82
{$setc TARGET_RT_LITTLE_ENDIAN := FALSE}
83
{$elifc defined FPC_LITTLE_ENDIAN}
84
{$setc TARGET_RT_BIG_ENDIAN := FALSE}
85
{$setc TARGET_RT_LITTLE_ENDIAN := TRUE}
87
{$error Neither FPC_BIG_ENDIAN nor FPC_LITTLE_ENDIAN are defined.}
89
{$setc ACCESSOR_CALLS_ARE_FUNCTIONS := TRUE}
90
{$setc CALL_NOT_IN_CARBON := FALSE}
91
{$setc OLDROUTINENAMES := FALSE}
92
{$setc OPAQUE_TOOLBOX_STRUCTS := TRUE}
93
{$setc OPAQUE_UPP_TYPES := TRUE}
94
{$setc OTCARBONAPPLICATION := TRUE}
95
{$setc OTKERNEL := FALSE}
96
{$setc PM_USE_SESSION_APIS := TRUE}
97
{$setc TARGET_API_MAC_CARBON := TRUE}
98
{$setc TARGET_API_MAC_OS8 := FALSE}
99
{$setc TARGET_API_MAC_OSX := TRUE}
100
{$setc TARGET_CARBON := TRUE}
101
{$setc TARGET_CPU_68K := FALSE}
102
{$setc TARGET_CPU_MIPS := FALSE}
103
{$setc TARGET_CPU_SPARC := FALSE}
104
{$setc TARGET_OS_MAC := TRUE}
105
{$setc TARGET_OS_UNIX := FALSE}
106
{$setc TARGET_OS_WIN32 := FALSE}
107
{$setc TARGET_RT_MAC_68881 := FALSE}
108
{$setc TARGET_RT_MAC_CFM := FALSE}
109
{$setc TARGET_RT_MAC_MACHO := TRUE}
110
{$setc TYPED_FUNCTION_POINTERS := TRUE}
111
{$setc TYPE_BOOL := FALSE}
112
{$setc TYPE_EXTENDED := FALSE}
113
{$setc TYPE_LONGLONG := TRUE}
114
uses MacTypes,Authorization;
119
The Session API provides specialized applications access to Session management and inquiry
120
functions. This is a specialized API that should not be of interest to most people.
122
The Security subsystem separates all processes into Security "sessions". Each process is in
123
exactly one session, and session membership inherits across fork/exec. Sessions form boundaries
124
for security-related state such as authorizations, keychain lock status, and the like.
125
Typically, each successful login (whether graphical or through ssh & friends) creates
126
a separate session. System daemons (started at system startup) belong to the "root session"
127
which has no user nor graphics access.
129
Sessions are identified with SecuritySessionIds. A session has a set of attributes
130
that are set on creation and can be retrieved with SessionGetInfo().
132
There are similar session concepts in the system, related but not necessarily
133
completely congruous. In particular, graphics sessions track security sessions
134
(but only for graphic logins).
139
@typedef SecuritySessionId
140
These are externally visible identifiers for authorization sessions.
141
Different sessions have different identifiers; beyond that, you can't
142
tell anything from these values.
143
SessionIds can be compared for equality as you'd expect, but you should be careful
144
to use attribute bits wherever appropriate.
147
SecuritySessionId = UInt32;
148
SecuritySessionIdPtr = ^SecuritySessionId;
152
@enum SecuritySessionId
153
Here are some special values for SecuritySessionId. You may specify those
154
on input to SessionAPI functions. They will never be returned from such
158
noSecuritySession = 0; { definitely not a valid SecuritySessionId }
159
callerSecuritySession = -1; { the Session I (the caller) am in }
163
@enum SessionAttributeBits
164
Each Session has a set of attribute bits. You can get those from the
165
SessionGetInfo API function.
168
SessionAttributeBits = UInt32;
169
SessionAttributeBitsPtr = ^SessionAttributeBits;
172
sessionIsRoot = $0001; { is the root session (startup/system programs) }
173
sessionHasGraphicAccess = $0010; { graphic subsystem (CoreGraphics et al) available }
174
sessionHasTTY = $0020; { /dev/tty is available }
175
sessionIsRemote = $1000; { session was established over the network }
177
// the following bits are used internally; do not try to set them
178
sessionWasInitialized = $8000; { session has been set up by its leader }
182
@enum SessionCreationFlags
183
These flags control how a new session is created by SessionCreate.
184
They have no permanent meaning beyond that.
187
SessionCreationFlags = UInt32;
188
SessionCreationFlagsPtr = ^SessionCreationFlags;
191
sessionKeepCurrentBootstrap = $8000; { caller has allocated sub-bootstrap (expert use only) }
196
Error codes returned by AuthSession API.
197
Note that the AuthSession APIs can also return Authorization API error codes.
200
errSessionSuccess = 0; { all is well }
201
errSessionInvalidId = -60500; { invalid session id specified }
202
errSessionInvalidAttributes = -60501; { invalid set of requested attribute bits }
203
errSessionAuthorizationDenied = -60502; { you are not allowed to do this }
205
errSessionInternal = errAuthorizationInternal; { internal error }
206
errSessionInvalidFlags = errAuthorizationInvalidFlags; { invalid flags/options }
210
@function SessionGetInfo
211
Obtain information about a session. You can ask about any session whose
212
identifier you know. Use the callerSecuritySession constant to ask about
213
your own session (the one your process is in).
215
@param session (input) The Session you are asking about. Can be one of the
216
special constants defined above.
218
@param sessionId (output/optional) The actual SecuritySessionId for the session you asked about.
219
Will never be one of those constants.
221
@param attributes (output/optional) Receives the attribute bits for the session.
223
@result An OSStatus indicating success (noErr) or an error cause.
225
errSessionInvalidId -60500 Invalid session id specified
228
function SessionGetInfo( session: SecuritySessionId; sessionId: SecuritySessionIdPtr; attributes: SessionAttributeBitsPtr ): OSStatus; external name '_SessionGetInfo';
232
@function SessionCreate
233
This (very specialized) function creates a security session.
234
Upon completion, the new session contains the calling process (and none other).
235
You cannot create a session for someone else, and cannot avoid being placed
236
into the new session. This is (currently) the only call that changes a process's
238
By default, a new bootstrap subset port is created for the calling process. The process
239
acquires this new port as its bootstrap port, which all its children will inherit.
240
If you happen to have created the subset port on your own, you can pass the
241
sessionKeepCurrentBootstrap flag, and SessionCreate will use it. Note however that
242
you cannot supersede a prior SessionCreate call that way; only a single SessionCreate
243
call is allowed for each Session (however made).
244
This call will discard any security information established for the calling process.
245
In particular, any authorization handles acquired will become invalid, and so will any
246
keychain related information. We recommend that you call SessionCreate before
247
making any other security-related calls that establish rights of any kind, to the
248
extent this is practical. Also, we strongly recommend that you do not perform
249
security-related calls in any other threads while calling SessionCreate.
251
@param flags Flags controlling how the session is created.
253
@param attributes The set of attribute bits to set for the new session.
254
Not all bits can be set this way.
256
@result An OSStatus indicating success (noErr) or an error cause.
258
errSessionInvalidAttributes -60501 Attempt to set invalid attribute bits
259
errSessionAuthorizationDenied -60502 Attempt to re-initialize a session
260
errSessionInvalidFlags -60011 Attempt to specify unsupported flag bits
263
function SessionCreate( flags: SessionCreationFlags; attributes: SessionAttributeBits ): OSStatus; external name '_SessionCreate';