1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #ifndef _SYS_PRIV_H
26 #define _SYS_PRIV_H
27
28 #include <sys/types.h>
29 #include <sys/cred.h>
30 #include <sys/priv_names.h>
31
32 #ifdef __cplusplus
33 extern "C" {
34 #endif
35
36 typedef uint32_t priv_chunk_t;
37 typedef struct priv_set priv_set_t;
38
39 #ifdef _KERNEL
40
41 /*
42 * Kernel type definitions.
43 */
44 typedef int priv_ptype_t;
45 typedef int priv_t;
46
47 #else /* _KERNEL */
48
49 /*
50 * Userland type definitions.
51 */
52
53 #ifdef __STDC__
54 typedef const char *priv_ptype_t;
55 typedef const char *priv_t;
56 #else
57 typedef char *priv_ptype_t;
58 typedef char *priv_t;
59 #endif
60
61 #endif /* _KERNEL */
62
63 /*
64 * priv_op_t indicates a privilege operation type
65 */
66 typedef enum priv_op {
67 PRIV_ON,
68 PRIV_OFF,
69 PRIV_SET
70 } priv_op_t;
71
72 /*
73 * Privilege system call subcodes.
74 */
75
76 #define PRIVSYS_SETPPRIV 0
77 #define PRIVSYS_GETPPRIV 1
78 #define PRIVSYS_GETIMPLINFO 2
79 #define PRIVSYS_SETPFLAGS 3
80 #define PRIVSYS_GETPFLAGS 4
81 #define PRIVSYS_ISSETUGID 5
82 #define PRIVSYS_KLPD_REG 6
83 #define PRIVSYS_KLPD_UNREG 7
84 #define PRIVSYS_PFEXEC_REG 8
85 #define PRIVSYS_PFEXEC_UNREG 9
86
87
88 /*
89 * Maximum length of a user defined privilege name.
90 */
91 #define PRIVNAME_MAX 32
92
93 /*
94 * Privilege interface functions for those parts of the kernel that
95 * know nothing of the privilege internals.
96 *
97 * A privilege implementation can have a varying number of sets; sets
98 * consist of a number of priv_chunk_t's and the size is expressed as such.
99 * The privileges can be represented as
100 *
101 * priv_chunk_t privs[info.priv_nsets][info.priv_setsize]
102 * ... priv_infosize of extra information ...
103 *
104 * Extra data contained in the privilege information consists of chunks
105 * of data with specified size and type all headed by a priv_info_t header
106 * which defines both the type of information as well as the size of the
107 * information. ((char*)&info)+info->priv_info_size should be rounded up
108 * to point to the next piece of information.
109 */
110
111 typedef struct priv_impl_info {
112 uint32_t priv_headersize; /* sizeof (priv_impl_info) */
113 uint32_t priv_flags; /* additional flags */
114 uint32_t priv_nsets; /* number of priv sets */
115 uint32_t priv_setsize; /* size in priv_chunk_t */
116 uint32_t priv_max; /* highest actual valid priv */
117 uint32_t priv_infosize; /* Per proc. additional info */
118 uint32_t priv_globalinfosize; /* Per system info */
119 } priv_impl_info_t;
120
121 #define PRIV_IMPL_INFO_SIZE(p) \
122 ((p)->priv_headersize + (p)->priv_globalinfosize)
123
124 #define PRIV_PRPRIV_INFO_OFFSET(p) \
125 (sizeof (*(p)) + \
126 ((p)->pr_nsets * (p)->pr_setsize - 1) * sizeof (priv_chunk_t))
127
128 #define PRIV_PRPRIV_SIZE(p) \
129 (PRIV_PRPRIV_INFO_OFFSET(p) + (p)->pr_infosize)
130
131 /*
132 * Per credential flags.
133 */
134 #define PRIV_DEBUG 0x0001 /* User debugging */
135 #define PRIV_AWARE 0x0002 /* Is privilege aware */
136 #define PRIV_AWARE_INHERIT 0x0004 /* Inherit awareness */
137 #define __PROC_PROTECT 0x0008 /* Private */
138 #define NET_MAC_AWARE 0x0010 /* Is MAC aware */
139 #define NET_MAC_AWARE_INHERIT 0x0020 /* Inherit MAC aware */
140 #define PRIV_AWARE_RESET 0x0040 /* Reset on setuid() */
141 #define PRIV_XPOLICY 0x0080 /* Extended policy */
142 #define PRIV_PFEXEC 0x0100 /* As if pfexec'ed */
143
144 /* user-settable flags: */
145 #define PRIV_USER (PRIV_DEBUG | NET_MAC_AWARE | NET_MAC_AWARE_INHERIT |\
146 PRIV_XPOLICY | PRIV_AWARE_RESET | PRIV_PFEXEC)
147
148 /*
149 * Header of the privilege info data structure; multiple structures can
150 * follow the privilege sets and priv_impl_info structures.
151 */
152 typedef struct priv_info {
153 uint32_t priv_info_type;
154 uint32_t priv_info_size;
155 } priv_info_t;
156
157 typedef struct priv_info_uint {
158 priv_info_t info;
159 uint_t val;
160 } priv_info_uint_t;
161
162 /*
163 * Global privilege set information item; the actual size of the array is
164 * {priv_setsize}.
165 */
166 typedef struct priv_info_set {
167 priv_info_t info;
168 priv_chunk_t set[1];
169 } priv_info_set_t;
170
171 /*
172 * names[1] is a place holder which can contain multiple NUL terminated,
173 * non-empty strings.
174 */
175
176 typedef struct priv_info_names {
177 priv_info_t info;
178 int cnt; /* number of strings */
179 char names[1]; /* "string1\0string2\0 ..stringN\0" */
180 } priv_info_names_t;
181
182 /*
183 * Privilege information types.
184 */
185 #define PRIV_INFO_SETNAMES 0x0001
186 #define PRIV_INFO_PRIVNAMES 0x0002
187 #define PRIV_INFO_BASICPRIVS 0x0003
188 #define PRIV_INFO_FLAGS 0x0004
189
190 /*
191 * Special "privileges" used to indicate special conditions in privilege
192 * debugging/tracing code.
193 */
194 #define PRIV_ALL (-1) /* All privileges required */
195 #define PRIV_MULTIPLE (-2) /* More than one */
196 #define PRIV_NONE (-3) /* No value */
197 #define PRIV_ALLZONE (-4) /* All privileges in zone */
198 #define PRIV_GLOBAL (-5) /* Must be in global zone */
199
200 #ifdef _KERNEL
201
202 #define PRIV_ALLOC 0x1
203
204 extern int priv_debug;
205 extern int priv_basic_test;
206
207 struct proc;
208 struct prpriv;
209 struct cred;
210
211 extern int priv_prgetprivsize(struct prpriv *);
212 extern void cred2prpriv(const struct cred *, struct prpriv *);
213 extern int priv_pr_spriv(struct proc *, struct prpriv *, const struct cred *);
214
215 extern priv_impl_info_t *priv_hold_implinfo(void);
216 extern void priv_release_implinfo(void);
217 extern size_t priv_get_implinfo_size(void);
218 extern const priv_set_t *priv_getset(const struct cred *, int);
219 extern void priv_getinfo(const struct cred *, void *);
220 extern int priv_getbyname(const char *, uint_t);
221 extern int priv_getsetbyname(const char *, int);
222 extern const char *priv_getbynum(int);
223 extern const char *priv_getsetbynum(int);
224
225 extern void priv_emptyset(priv_set_t *);
226 extern void priv_fillset(priv_set_t *);
227 extern void priv_addset(priv_set_t *, int);
228 extern void priv_delset(priv_set_t *, int);
229 extern boolean_t priv_ismember(const priv_set_t *, int);
230 extern boolean_t priv_isemptyset(const priv_set_t *);
231 extern boolean_t priv_isfullset(const priv_set_t *);
232 extern boolean_t priv_isequalset(const priv_set_t *, const priv_set_t *);
233 extern boolean_t priv_issubset(const priv_set_t *, const priv_set_t *);
234 extern int priv_proc_cred_perm(const struct cred *, struct proc *,
235 struct cred **, int);
236 extern void priv_intersect(const priv_set_t *, priv_set_t *);
237 extern void priv_union(const priv_set_t *, priv_set_t *);
238 extern void priv_inverse(priv_set_t *);
239
240 extern void priv_set_PA(cred_t *);
241 extern void priv_adjust_PA(cred_t *);
242 extern void priv_reset_PA(cred_t *, boolean_t);
243 extern boolean_t priv_can_clear_PA(const cred_t *);
244
245 extern int setpflags(uint_t, uint_t, cred_t *);
246 extern uint_t getpflags(uint_t, const cred_t *);
247
248 #endif /* _KERNEL */
249
250 #ifdef __cplusplus
251 }
252 #endif
253
254 #endif /* _SYS_PRIV_H */