1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  23  */
  24 
  25 #ifndef _SYS_PRIV_H
  26 #define _SYS_PRIV_H
  27 
  28 #include <sys/types.h>
  29 #include <sys/cred.h>
  30 #include <sys/priv_names.h>
  31 
  32 #ifdef  __cplusplus
  33 extern "C" {
  34 #endif
  35 
  36 typedef uint32_t priv_chunk_t;
  37 typedef struct priv_set priv_set_t;
  38 
  39 #ifdef _KERNEL
  40 
  41 /*
  42  * Kernel type definitions.
  43  */
  44 typedef int priv_ptype_t;
  45 typedef int priv_t;
  46 
  47 #else /* _KERNEL */
  48 
  49 /*
  50  * Userland type definitions.
  51  */
  52 
  53 #ifdef __STDC__
  54 typedef const char *priv_ptype_t;
  55 typedef const char *priv_t;
  56 #else
  57 typedef char *priv_ptype_t;
  58 typedef char *priv_t;
  59 #endif
  60 
  61 #endif /* _KERNEL */
  62 
  63 /*
  64  * priv_op_t indicates a privilege operation type
  65  */
  66 typedef enum priv_op {
  67         PRIV_ON,
  68         PRIV_OFF,
  69         PRIV_SET
  70 } priv_op_t;
  71 
  72 /*
  73  * Privilege system call subcodes.
  74  */
  75 
  76 #define PRIVSYS_SETPPRIV        0
  77 #define PRIVSYS_GETPPRIV        1
  78 #define PRIVSYS_GETIMPLINFO     2
  79 #define PRIVSYS_SETPFLAGS       3
  80 #define PRIVSYS_GETPFLAGS       4
  81 #define PRIVSYS_ISSETUGID       5
  82 #define PRIVSYS_KLPD_REG        6
  83 #define PRIVSYS_KLPD_UNREG      7
  84 #define PRIVSYS_PFEXEC_REG      8
  85 #define PRIVSYS_PFEXEC_UNREG    9
  86 
  87 
  88 /*
  89  * Maximum length of a user defined privilege name.
  90  */
  91 #define PRIVNAME_MAX            32
  92 
  93 /*
  94  * Privilege interface functions for those parts of the kernel that
  95  * know nothing of the privilege internals.
  96  *
  97  * A privilege implementation can have a varying number of sets; sets
  98  * consist of a number of priv_chunk_t's and the size is expressed as such.
  99  * The privileges can be represented as
 100  *
 101  *              priv_chunk_t privs[info.priv_nsets][info.priv_setsize]
 102  *              ... priv_infosize of extra information ...
 103  *
 104  * Extra data contained in the privilege information consists of chunks
 105  * of data with specified size and type all headed by a priv_info_t header
 106  * which defines both the type of information as well as the size of the
 107  * information.  ((char*)&info)+info->priv_info_size should be rounded up
 108  * to point to the next piece of information.
 109  */
 110 
 111 typedef struct priv_impl_info {
 112         uint32_t        priv_headersize;        /* sizeof (priv_impl_info) */
 113         uint32_t        priv_flags;             /* additional flags */
 114         uint32_t        priv_nsets;             /* number of priv sets */
 115         uint32_t        priv_setsize;           /* size in priv_chunk_t */
 116         uint32_t        priv_max;               /* highest actual valid priv */
 117         uint32_t        priv_infosize;          /* Per proc. additional info */
 118         uint32_t        priv_globalinfosize;    /* Per system info */
 119 } priv_impl_info_t;
 120 
 121 #define PRIV_IMPL_INFO_SIZE(p) \
 122                         ((p)->priv_headersize + (p)->priv_globalinfosize)
 123 
 124 #define PRIV_PRPRIV_INFO_OFFSET(p) \
 125                 (sizeof (*(p)) + \
 126                 ((p)->pr_nsets * (p)->pr_setsize - 1) * sizeof (priv_chunk_t))
 127 
 128 #define PRIV_PRPRIV_SIZE(p) \
 129                 (PRIV_PRPRIV_INFO_OFFSET(p) + (p)->pr_infosize)
 130 
 131 /*
 132  * Per credential flags.
 133  */
 134 #define PRIV_DEBUG                      0x0001          /* User debugging */
 135 #define PRIV_AWARE                      0x0002          /* Is privilege aware */
 136 #define PRIV_AWARE_INHERIT              0x0004          /* Inherit awareness */
 137 #define __PROC_PROTECT                  0x0008          /* Private */
 138 #define NET_MAC_AWARE                   0x0010          /* Is MAC aware */
 139 #define NET_MAC_AWARE_INHERIT           0x0020          /* Inherit MAC aware */
 140 #define PRIV_AWARE_RESET                0x0040          /* Reset on setuid() */
 141 #define PRIV_XPOLICY                    0x0080          /* Extended policy */
 142 #define PRIV_PFEXEC                     0x0100          /* As if pfexec'ed */
 143 
 144 /* user-settable flags: */
 145 #define PRIV_USER       (PRIV_DEBUG | NET_MAC_AWARE | NET_MAC_AWARE_INHERIT |\
 146                             PRIV_XPOLICY | PRIV_AWARE_RESET | PRIV_PFEXEC)
 147 
 148 /*
 149  * Header of the privilege info data structure; multiple structures can
 150  * follow the privilege sets and priv_impl_info structures.
 151  */
 152 typedef struct priv_info {
 153         uint32_t        priv_info_type;
 154         uint32_t        priv_info_size;
 155 } priv_info_t;
 156 
 157 typedef struct priv_info_uint {
 158         priv_info_t     info;
 159         uint_t          val;
 160 } priv_info_uint_t;
 161 
 162 /*
 163  * Global privilege set information item; the actual size of the array is
 164  * {priv_setsize}.
 165  */
 166 typedef struct priv_info_set {
 167         priv_info_t     info;
 168         priv_chunk_t    set[1];
 169 } priv_info_set_t;
 170 
 171 /*
 172  * names[1] is a place holder which can contain multiple NUL terminated,
 173  * non-empty strings.
 174  */
 175 
 176 typedef struct priv_info_names {
 177         priv_info_t     info;
 178         int             cnt;            /* number of strings */
 179         char            names[1];       /* "string1\0string2\0 ..stringN\0" */
 180 } priv_info_names_t;
 181 
 182 /*
 183  * Privilege information types.
 184  */
 185 #define PRIV_INFO_SETNAMES              0x0001
 186 #define PRIV_INFO_PRIVNAMES             0x0002
 187 #define PRIV_INFO_BASICPRIVS            0x0003
 188 #define PRIV_INFO_FLAGS                 0x0004
 189 
 190 /*
 191  * Special "privileges" used to indicate special conditions in privilege
 192  * debugging/tracing code.
 193  */
 194 #define PRIV_ALL                        (-1)    /* All privileges required */
 195 #define PRIV_MULTIPLE                   (-2)    /* More than one */
 196 #define PRIV_NONE                       (-3)    /* No value */
 197 #define PRIV_ALLZONE                    (-4)    /* All privileges in zone */
 198 #define PRIV_GLOBAL                     (-5)    /* Must be in global zone */
 199 
 200 #ifdef _KERNEL
 201 
 202 #define PRIV_ALLOC                      0x1
 203 
 204 extern int priv_debug;
 205 extern int priv_basic_test;
 206 
 207 struct proc;
 208 struct prpriv;
 209 struct cred;
 210 
 211 extern int priv_prgetprivsize(struct prpriv *);
 212 extern void cred2prpriv(const struct cred *, struct prpriv *);
 213 extern int priv_pr_spriv(struct proc *, struct prpriv *, const struct cred *);
 214 
 215 extern priv_impl_info_t *priv_hold_implinfo(void);
 216 extern void priv_release_implinfo(void);
 217 extern size_t priv_get_implinfo_size(void);
 218 extern const priv_set_t *priv_getset(const struct cred *, int);
 219 extern void priv_getinfo(const struct cred *, void *);
 220 extern int priv_getbyname(const char *, uint_t);
 221 extern int priv_getsetbyname(const char *, int);
 222 extern const char *priv_getbynum(int);
 223 extern const char *priv_getsetbynum(int);
 224 
 225 extern void priv_emptyset(priv_set_t *);
 226 extern void priv_fillset(priv_set_t *);
 227 extern void priv_addset(priv_set_t *, int);
 228 extern void priv_delset(priv_set_t *, int);
 229 extern boolean_t priv_ismember(const priv_set_t *, int);
 230 extern boolean_t priv_isemptyset(const priv_set_t *);
 231 extern boolean_t priv_isfullset(const priv_set_t *);
 232 extern boolean_t priv_isequalset(const priv_set_t *, const priv_set_t *);
 233 extern boolean_t priv_issubset(const priv_set_t *, const priv_set_t *);
 234 extern int priv_proc_cred_perm(const struct cred *, struct proc *,
 235         struct cred **, int);
 236 extern void priv_intersect(const priv_set_t *, priv_set_t *);
 237 extern void priv_union(const priv_set_t *, priv_set_t *);
 238 extern void priv_inverse(priv_set_t *);
 239 
 240 extern void priv_set_PA(cred_t *);
 241 extern void priv_adjust_PA(cred_t *);
 242 extern void priv_reset_PA(cred_t *, boolean_t);
 243 extern boolean_t priv_can_clear_PA(const cred_t *);
 244 
 245 extern int setpflags(uint_t, uint_t, cred_t *);
 246 extern uint_t getpflags(uint_t, const cred_t *);
 247 
 248 #endif /* _KERNEL */
 249 
 250 #ifdef  __cplusplus
 251 }
 252 #endif
 253 
 254 #endif  /* _SYS_PRIV_H */