Location:
e32base.h
Link against: euser.lib
class CPolicyServer : public CServer2;
A security policy framework built on top of the normal CServer2
class.
The two major functions of the Policy Server framework are to check a received message against a security policy and then
to perform an action depending on the result of this check. The exact behaviour is defined by the contents of the TPolicy
structure given in the constructor for CPolicyServer.
The processing performed when a server receives a message are describe below. This should aid understanding of the interaction
of the TPolicy
structure and virtual member functions which may be implemented by classes derived from CPolicyServer.
Checking the Security Policy
On receipt of a message, the message function number is used to search the list of ranges pointed to by TPolicy::iRanges
. This yields a range number R, which is between 0 and TPolicy::iRangeCount
-1. The policy index, X, for this range is then fetched from TPolicy::iElementsIndex
[R]. If the message is a Connect message, then X is fetched directly from TPolicy::iOnConnect
instead.
The further action taken is determined by the value of X.
If X==TSpecialCase::EAlwaysPass, the message is processed as normal; either by passing it to the ServiceL() method of a session, or, in the case of a connection message, a new session is created.
If X==TSpecialCase::ENotSupported, the message is completed with KErrNotSupported.
If X==TSpecialCase::ECustomCheck, a call to the virtual function CustomSecurityCheckL()
is made. The implementation of this method must return one of the TCustomResult enumerations which determine what further
action is to be taken:
TCustomResult::EPass The message is processed as normal; either by passing it to the ServiceL() method of a session, or, in the case of a connection message, a new session is created.
TCustomResult::EFail This causes CheckFailedL()
to be called with the action specified by the aAction reference given to CustomSecurityCheckL()
(This defaults to TFailureAction::EFailClient.)
TCustomResult::EAsync The derived class is responsible for further processing of the message, the Policy Server framework will do nothing more with it.
If X < TSpecialCase::ESpecialCaseHardLimit, X is taken as an index into the array of TPolicyElement
objects pointed to by TPolicy::iElements
. The platform security attributes of the process which sent the message being processed are checked against the security
policy specified in this TPolicyElement
. If the process possesses all of the attributes specified then the message processed as normal. Otherwise, CheckFailedL()
is called with the action value specified in the TPolicyElement
.
Handling Policy Check Failure
The CheckFailedL()
method is called when a security check has failed. It performs an action according to the aAction value given to it:
If aAction==TFailureAction::EFailClient, the message is completed with KErrPermissionDenied.
If aAction==TFailureAction::EPanicClient, the client thread is panicked.
If aAction < 0 a call to the virtual function CustomFailureActionL()
is made. The implementation of this method must return one of the TCustomResult enumerations which determine what further
action is to be taken:
TCustomResult::EPass The message is processed as normal; either by passing it to the ServiceL() method of a session, or, in the case of a connection message, a new session is created.
TCustomResult::EFail The message is completed with KErrPermissionDenied.
TCustomResult::EAsync The derived class is responsible for further processing of the message, the Policy Server framework will do nothing more with it.
CBase
- Base class for all classes to be instantiated on the heap
CActive
- The core class of the active object abstraction
CServer2
- Abstract base class for servers (version 2)
CPolicyServer
- A security policy framework built on top of the normal
Defined in CPolicyServer
:
CPolicyServer()
, CheckFailedL()
, CustomFailureActionL()
, CustomSecurityCheckL()
, EAlwaysPass
, EAsync
, ECustomCheck
, EFail
, EFailClient
, ENotSupported
, EPanicClient
, EPass
, Extension_()
, ProcessError()
, ProcessL()
, RunError()
, RunL()
, TCustomResult
, TFailureAction
, TPolicy
, TPolicyElement
, TSpecialCase
Inherited from CActive
:
Cancel()
,
Deque()
,
EPriorityHigh
,
EPriorityIdle
,
EPriorityLow
,
EPriorityStandard
,
EPriorityUserInput
,
IsActive()
,
IsAdded()
,
Priority()
,
SetActive()
,
SetPriority()
,
TPriority
,
iStatus
Inherited from CBase
:
Delete()
,
operator new()
Inherited from CServer2
:
DoCancel()
,
DoConnect()
,
EGlobalSharableSessions
,
ESharableSessions
,
EUnsharableSessions
,
Message()
,
NewSessionL()
,
ReStart()
,
Server()
,
Start()
,
StartL()
,
TServerType
,
iSessionIter
protected: IMPORT_C CPolicyServer(TInt aPriority, const TPolicy &aPolicy, TServerType aType=EUnsharableSessions);
Construct a policy server
|
IMPORT_C void ProcessL(const RMessage2 &aMsg);
Process an accepted message which has passed its policy check.
The message is either passed to the ServiceL() method of a session, or, in the case of a connection message, a new session is created.
This is called by RunL()
to process a message which has passed its security check. If the server implementation returns EAsync from either CustomSecurityCheckL()
or CustomFailureActionL()
, then it is the responsibility of the derived server implementation to call ProcessL at a later point if the messages passes
the asynchronous check.
This function should only ever be called by derived implementations if asynchronous security checks are in use.
|
IMPORT_C void CheckFailedL(const RMessage2 &aMsg, TInt aAction, const TSecurityInfo &aMissing);
Called when a security check has failed.
The aAction parameter determines the action taken:
If aAction==TFailureAction::EFailClient, the message is completed with KErrPermissionDenied.
If aAction==TFailureAction::EPanicClient, the client thread is panicked.
If aAction < 0 a call to the virtual function CustomFailureActionL()
is made.
This function should only ever be called by derived implementations if asynchronous security checks are in use.
|
IMPORT_C void ProcessError(const RMessage2 &aMsg, TInt aError);
Called if a leave occurs during processing of a message. The underlying framework ensures that leaves which occur during CSession2::ServiceL
are passed to CSession2::ServiceError
. Leaves occuring prior to this (ie. during CustomSecurityCheckL()
or CustomFailureActionL()
) are completed with the leave code.
This function should only ever be called by derived implementations if asynchronous security checks are in use. In this case
the RunError()
of that other active object must call ProcessError()
.
|
protected: virtual IMPORT_C TCustomResult CustomSecurityCheckL(const RMessage2 &aMsg, TInt &aAction, TSecurityInfo &aMissing);
Performs a custom security check. Derived server classes must implement this function if any element in iElementsIndex has
the value CPolicyServer::ECustomCheck
. Similarly, if CPolicyServer::ECustomCheck
is not used, then this function can be safely ignored.
If CPolicyServer::ECustomCheck
is used, there are two further cases to consider:
The custom security check can synchronously decide if the message should pass. In this case, the derived implementation must simply return either EPass or EFail depending on the result of the security check.
The custom security check needs to use asynchronous methods in order to determine whether the message should procceed. In this case, these asysnchronous methods should be started and then the EAsync value returned. Furthermore, implmentations returning EAsync commit to the following:
If the security check eventually passes, ProcessL()
must be called with the appropriate message.
If the security check eventually fails, CheckFailedL()
must be called with that message.
Pending messages on a given session need to be completed and discarded if the session is closed.
IMPORTANT NOTE. When processing a message asynchronously, a copy must be made of the RMessage2
object. Saving a refernece or pointer to the original message will produce unpredictable defects. This is because the object
will be reused for the next message that the server receives.
In both cases, synchronous and asynchronous, the derived implementation has the option of updating the aAction and/or aMissing parameters if that is appropriate.
|
|
|
protected: virtual IMPORT_C TCustomResult CustomFailureActionL(const RMessage2 &aMsg, TInt aAction, const TSecurityInfo &aMissing);
Performs a custom action after the failure of a security check. Derived server classes must implement this function if the
aAction value passed to CheckFailedL()
is less than zero. This can happened if the policy specified a negative number in the iAction member of any of the TPolicyElements,
or, if the derived CustomSecurityCheckL()
modified the value of aAction prior to returning.
If negative aAction values are used, there are two further cases to consider:
The custom security check can synchronously decide if the message should pass. In this case, the derived implementation must simply return either EPass or EFail depending on the result of the security check.
The custom security check needs to use asynchronous methods in order to determine whether the message should still proceed. In this case, these asysnchronous methods should be started and then the EAsync value returned. Furthermore, implmentations returning EAsync commit to the following:
If the security check eventually passes, ProcessL()
must be called with the appropriate message.
If the security check eventually fails, or if a fatal error condition occurs, including if the previously mentioned call to
ProcessL()
leaves; then CPolicyServer::ProcessError()
should be called passing the message and relevant error code.
Pending messages on a given session need to be completed and discarded if the session is closed.
IMPORTANT NOTE. When processing a message asynchronously, a copy must be made of the RMessage2
object. Saving a refernece or pointer to the original message will produce unpredictable defects. This is because the object
will be reused for the next message that the server receives.
The default implementation of this function panics the server.
|
|
|
protected: virtual IMPORT_C TInt Extension_(TUint aExtensionId, TAny *&a0, TAny *a1);
Extension function
|
|
private: virtual IMPORT_C TInt RunError(TInt aError);
Handles the situation where a call to CServer2::RunL()
, leaves.
This is the server active object's implementation of the active object framework's RunError()
function.
In practice, the leave can only be caused by a session's ServiceL() function, which is called from this RunL()
; this error is reflected back to that session by calling its ServiceError() function.
|
|
class TPolicyElement;
Class specifying a security check and the action to take
If iAction is >=0 it must be a member of TFailureAction If iAction is <0 it is assumed to specify a custom action specific to the derived implementation. In this case, CustomFailureActionL must be implemented by the derived class.
Defined in CPolicyServer::TPolicyElement
:
iAction
, iPolicy
iPolicy
TStaticSecurityPolicy iPolicy;
Security policy to check against the client which sent a message.
This class can specify a security policy consisting of either:
A check for between 0 and 7 capabilities
A check for a given Secure ID along with 0-3 capabilities
A check for a given Vendor ID along with 0-3 capabilities
This member should only be initialised by one of the following macros:
_INIT_SECURITY_POLICY_PASS
_INIT_SECURITY_POLICY_FAIL
_INIT_SECURITY_POLICY_C1
_INIT_SECURITY_POLICY_C2
_INIT_SECURITY_POLICY_C3
_INIT_SECURITY_POLICY_C4
_INIT_SECURITY_POLICY_C5
_INIT_SECURITY_POLICY_C6
_INIT_SECURITY_POLICY_C7
_INIT_SECURITY_POLICY_S0
_INIT_SECURITY_POLICY_S1
_INIT_SECURITY_POLICY_S2
_INIT_SECURITY_POLICY_S3
_INIT_SECURITY_POLICY_V0
_INIT_SECURITY_POLICY_V1
_INIT_SECURITY_POLICY_V2
_INIT_SECURITY_POLICY_V3
iAction
TInt iAction;
Action to take on failure. Either a value from TFailureAction or a negative value which has meaning to the CustomFailureActionL()
method of a derived class.
class TPolicy;
Object specifying which security checks to perform on each request number and what action to take if the check fails.
Explanations of each of the members of this class are detailed below.
As explained in CPolicyServer::CPolicyServer
, it is important that the instance of this class (CPolicyServer::TPolicy) given to the policy server constructor, exists
for the lifetime of the server. For this reason, as well as code size considerations, it is recommended that the TPolicy
instance is const static data. The following code segment shows the recommended way of doing this. Further detail on what
each of these statements means is given below.
const TUint myRangeCount = 4;
const TInt myRanges[myRangeCount] =
{
0, //range is 0-2 inclusive
3, //range is 3-6 inclusive
7, //range is 7
8, //range is 8-KMaxTInt inclusive
};
const TUint8 myElementsIndex[myRangeCount] =
{
1, //applies to 0th range (req num: 0-2)
CPolicyServer::ECustomCheck, //applies to 1st range (req num: 3-6)
0, //applies to 2nd range (req num: 7)
CPolicyServer::ENotSupported, //applies to 3rd range (req num: 8-KMaxTInt)
};
const CPolicyServer::TPolicyElement myElements[] =
{
{_INIT_SECURITY_POLICY_C1(ECapabilityDiskAdmin), CPolicyServer::EFailClient},
{_INIT_SECURITY_POLICY_C1(ECapabilityLocation), CMyPolicyServer::EQueryUser},
}
const CPolicySErver::TPolicy myPolicy =
{
CPolicyServer::EAlwaysPass, //specifies all connect attempts should pass
myRangeCount,
myRanges,
myElementsIndex,
myElements,
}
Defined in CPolicyServer::TPolicy
:
iElements
, iElementsIndex
, iOnConnect
, iRangeCount
, iRanges
iOnConnect
TUint8 iOnConnect;
The index into iElements, or an allowed value of TSpecialCase, that is used to check a connection attempt .
iRangeCount
TUint16 iRangeCount;
Number of ranges in the iRanges array.
iRanges
const TInt * iRanges;
A pointer to an array of ordered ranges of request numbers. Each element in this array refers to the starting request number of a range. The range of the previous element is up to and including the current element minus 1. Thus an array like:
const TInt myRanges[4] = {0, 3, 7, 8};
means that:
the 0th range is 0-2 (inclusive).
the 1st range is 3-6 (inclusive).
the 2nd range is solely request number 7.
the 3rd range is 8-KMaxTInt (inclusive).
Note that the all possible request numbers must be accounted for. This implies that the first element must be 0. It also implies that the last range goes from the that element to KMaxTint. Finally, each element must be strictly greater than the previous element. As the first element is 0, this clearly implies that iRanges must not contain negative elements.
iElementsIndex
const TUint8 * iElementsIndex;
A pointer to an array of TUint8 values specifying the appropriate action to take for each range in iRanges. For example, the 0th element of iElementsIndex specifies the appropriate action to take for the 0th range in iRanges. As such, iElementsIndex must have precisely the same number of elements as iRanges.
The following rules apply to the value of each element in iElementsIndex:
Each value must be a valid index into iElements (that is, less than the number of elements in iElements) OR a valid value from TSpecialCase.
Elements' values need not follow any special ordering.
Elements may repeat values.
Continuing the example from iRanges:
const TInt myRanges[4] = {0, 3, 7, 8};
const TUInt8 myElementsIndex[4] = {
1,
CPolicyServer::ECustomCheck,
0,
CPolicyServer::ENotSupported
};
This means that:
Requests within the first range of myRanges (request numbers 0-2) will be checked against the policy specified by the 1st element of iElements.
Requests with the the second range of myRanges (request numbers 3-6) require a custom check to determine if they are allowed.
This requires derived server implementations to implement CustomSecurityCheckL()
Requests within the third range of myRanges (request number 7) will be checked against the policy specified by the 0th element of iElements.
Requests within the fourth range of myRanges (request numbers 8-KMaxTInt) will automatically be completed with KErrNotSupported by the policy server framework.
iElements
const TPolicyElement * iElements;
A pointer to an array of distinct policy elements.
Continuing with the previous examples:
const TInt myRanges[4] = {0, 3, 7, 8};
const TUInt8 myElementsIndex[4] = {
1,
CPolicyServer::ECustomCheck,
0,
CPolicyServer::ENotSupported
};
const TPolicyElement iElements[] = {
{_INIT_SECURITY_POLICY_C1(ECapabilityDiskAdmin), CPolicyServer::EFailClient},
{_INIT_SECURITY_POLICY_C1(ECapabilityLocation), CMyPolicyServer::EQueryUser}
}
The instantiation of iElements specifies that:
Request numbers 0-2 require the Location capability. As the iAction member of the 1st element specifies a custom action (represented by the negative number, CMyPolicyServer::EQueryUser), requests without Location will passed to the reimplementation of CustomFailureActionL.
Request number 7 requires the DiskAdmin capability. Requestors without DiskAdmin will have their request completed with KErrPermissionDenied.
TFailureAction
Enumeration specifying action to take if a security check fails. Values >= 0 are handled by CheckFailedL()
. Values < 0 are specific to the derived implementation of the policy server and will result in a call to CustomFailureActionL()
if a security check fails. Attempts to use undefined values >= 0 will result in a panic in CheckFailedL()
.
|
TCustomResult
Enumeration of acceptable return codes from both of CustomSecurityCheckL()
and CustomFailureActionL()
. Results of EPass or EFail are handled by the CPolicyServer framework. No other action is required on the part of the derived
implementation. However, results of EAsync imply that the derived implementation will call the appropriate function once the
result is known. See CustomSecurityCheckL()
and CustomFailureActionL for more information.
|
TSpecialCase
Special case values which can be used instead of a policy element index contained in the array TPolicy::iElementsIndex
|