1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. 23 */ 24 25 #ifndef _SYS_PRIV_H 26 #define _SYS_PRIV_H 27 28 #include <sys/types.h> 29 #include <sys/cred.h> 30 #include <sys/priv_names.h> 31 32 #ifdef __cplusplus 33 extern "C" { 34 #endif 35 36 typedef uint32_t priv_chunk_t; 37 typedef struct priv_set priv_set_t; 38 39 #ifdef _KERNEL 40 41 /* 42 * Kernel type definitions. 43 */ 44 typedef int priv_ptype_t; 45 typedef int priv_t; 46 47 #else /* _KERNEL */ 48 49 /* 50 * Userland type definitions. 51 */ 52 53 #ifdef __STDC__ 54 typedef const char *priv_ptype_t; 55 typedef const char *priv_t; 56 #else 57 typedef char *priv_ptype_t; 58 typedef char *priv_t; 59 #endif 60 61 #endif /* _KERNEL */ 62 63 /* 64 * priv_op_t indicates a privilege operation type 65 */ 66 typedef enum priv_op { 67 PRIV_ON, 68 PRIV_OFF, 69 PRIV_SET 70 } priv_op_t; 71 72 /* 73 * Privilege system call subcodes. 74 */ 75 76 #define PRIVSYS_SETPPRIV 0 77 #define PRIVSYS_GETPPRIV 1 78 #define PRIVSYS_GETIMPLINFO 2 79 #define PRIVSYS_SETPFLAGS 3 80 #define PRIVSYS_GETPFLAGS 4 81 #define PRIVSYS_ISSETUGID 5 82 #define PRIVSYS_KLPD_REG 6 83 #define PRIVSYS_KLPD_UNREG 7 84 #define PRIVSYS_PFEXEC_REG 8 85 #define PRIVSYS_PFEXEC_UNREG 9 86 87 88 /* 89 * Maximum length of a user defined privilege name. 90 */ 91 #define PRIVNAME_MAX 32 92 93 /* 94 * Privilege interface functions for those parts of the kernel that 95 * know nothing of the privilege internals. 96 * 97 * A privilege implementation can have a varying number of sets; sets 98 * consist of a number of priv_chunk_t's and the size is expressed as such. 99 * The privileges can be represented as 100 * 101 * priv_chunk_t privs[info.priv_nsets][info.priv_setsize] 102 * ... priv_infosize of extra information ... 103 * 104 * Extra data contained in the privilege information consists of chunks 105 * of data with specified size and type all headed by a priv_info_t header 106 * which defines both the type of information as well as the size of the 107 * information. ((char*)&info)+info->priv_info_size should be rounded up 108 * to point to the next piece of information. 109 */ 110 111 typedef struct priv_impl_info { 112 uint32_t priv_headersize; /* sizeof (priv_impl_info) */ 113 uint32_t priv_flags; /* additional flags */ 114 uint32_t priv_nsets; /* number of priv sets */ 115 uint32_t priv_setsize; /* size in priv_chunk_t */ 116 uint32_t priv_max; /* highest actual valid priv */ 117 uint32_t priv_infosize; /* Per proc. additional info */ 118 uint32_t priv_globalinfosize; /* Per system info */ 119 } priv_impl_info_t; 120 121 #define PRIV_IMPL_INFO_SIZE(p) \ 122 ((p)->priv_headersize + (p)->priv_globalinfosize) 123 124 #define PRIV_PRPRIV_INFO_OFFSET(p) \ 125 (sizeof (*(p)) + \ 126 ((p)->pr_nsets * (p)->pr_setsize - 1) * sizeof (priv_chunk_t)) 127 128 #define PRIV_PRPRIV_SIZE(p) \ 129 (PRIV_PRPRIV_INFO_OFFSET(p) + (p)->pr_infosize) 130 131 /* 132 * Per credential flags. 133 */ 134 #define PRIV_DEBUG 0x0001 /* User debugging */ 135 #define PRIV_AWARE 0x0002 /* Is privilege aware */ 136 #define PRIV_AWARE_INHERIT 0x0004 /* Inherit awareness */ 137 #define __PROC_PROTECT 0x0008 /* Private */ 138 #define NET_MAC_AWARE 0x0010 /* Is MAC aware */ 139 #define NET_MAC_AWARE_INHERIT 0x0020 /* Inherit MAC aware */ 140 #define PRIV_AWARE_RESET 0x0040 /* Reset on setuid() */ 141 #define PRIV_XPOLICY 0x0080 /* Extended policy */ 142 #define PRIV_PFEXEC 0x0100 /* As if pfexec'ed */ 143 144 /* user-settable flags: */ 145 #define PRIV_USER (PRIV_DEBUG | NET_MAC_AWARE | NET_MAC_AWARE_INHERIT |\ 146 PRIV_XPOLICY | PRIV_AWARE_RESET | PRIV_PFEXEC) 147 148 /* 149 * Header of the privilege info data structure; multiple structures can 150 * follow the privilege sets and priv_impl_info structures. 151 */ 152 typedef struct priv_info { 153 uint32_t priv_info_type; 154 uint32_t priv_info_size; 155 } priv_info_t; 156 157 typedef struct priv_info_uint { 158 priv_info_t info; 159 uint_t val; 160 } priv_info_uint_t; 161 162 /* 163 * Global privilege set information item; the actual size of the array is 164 * {priv_setsize}. 165 */ 166 typedef struct priv_info_set { 167 priv_info_t info; 168 priv_chunk_t set[1]; 169 } priv_info_set_t; 170 171 /* 172 * names[1] is a place holder which can contain multiple NUL terminated, 173 * non-empty strings. 174 */ 175 176 typedef struct priv_info_names { 177 priv_info_t info; 178 int cnt; /* number of strings */ 179 char names[1]; /* "string1\0string2\0 ..stringN\0" */ 180 } priv_info_names_t; 181 182 /* 183 * Privilege information types. 184 */ 185 #define PRIV_INFO_SETNAMES 0x0001 186 #define PRIV_INFO_PRIVNAMES 0x0002 187 #define PRIV_INFO_BASICPRIVS 0x0003 188 #define PRIV_INFO_FLAGS 0x0004 189 190 /* 191 * Special "privileges" used to indicate special conditions in privilege 192 * debugging/tracing code. 193 */ 194 #define PRIV_ALL (-1) /* All privileges required */ 195 #define PRIV_MULTIPLE (-2) /* More than one */ 196 #define PRIV_NONE (-3) /* No value */ 197 #define PRIV_ALLZONE (-4) /* All privileges in zone */ 198 #define PRIV_GLOBAL (-5) /* Must be in global zone */ 199 200 #ifdef _KERNEL 201 202 #define PRIV_ALLOC 0x1 203 204 extern int priv_debug; 205 extern int priv_basic_test; 206 207 struct proc; 208 struct prpriv; 209 struct cred; 210 211 extern int priv_prgetprivsize(struct prpriv *); 212 extern void cred2prpriv(const struct cred *, struct prpriv *); 213 extern int priv_pr_spriv(struct proc *, struct prpriv *, const struct cred *); 214 215 extern priv_impl_info_t *priv_hold_implinfo(void); 216 extern void priv_release_implinfo(void); 217 extern size_t priv_get_implinfo_size(void); 218 extern const priv_set_t *priv_getset(const struct cred *, int); 219 extern void priv_getinfo(const struct cred *, void *); 220 extern int priv_getbyname(const char *, uint_t); 221 extern int priv_getsetbyname(const char *, int); 222 extern const char *priv_getbynum(int); 223 extern const char *priv_getsetbynum(int); 224 225 extern void priv_emptyset(priv_set_t *); 226 extern void priv_fillset(priv_set_t *); 227 extern void priv_addset(priv_set_t *, int); 228 extern void priv_delset(priv_set_t *, int); 229 extern boolean_t priv_ismember(const priv_set_t *, int); 230 extern boolean_t priv_isemptyset(const priv_set_t *); 231 extern boolean_t priv_isfullset(const priv_set_t *); 232 extern boolean_t priv_isequalset(const priv_set_t *, const priv_set_t *); 233 extern boolean_t priv_issubset(const priv_set_t *, const priv_set_t *); 234 extern int priv_proc_cred_perm(const struct cred *, struct proc *, 235 struct cred **, int); 236 extern void priv_intersect(const priv_set_t *, priv_set_t *); 237 extern void priv_union(const priv_set_t *, priv_set_t *); 238 extern void priv_inverse(priv_set_t *); 239 240 extern void priv_set_PA(cred_t *); 241 extern void priv_adjust_PA(cred_t *); 242 extern void priv_reset_PA(cred_t *, boolean_t); 243 extern boolean_t priv_can_clear_PA(const cred_t *); 244 245 extern int setpflags(uint_t, uint_t, cred_t *); 246 extern uint_t getpflags(uint_t, const cred_t *); 247 248 #endif /* _KERNEL */ 249 250 #ifdef __cplusplus 251 } 252 #endif 253 254 #endif /* _SYS_PRIV_H */