1 /*
   2  * CDDL HEADER START
   3  *
   4  * The contents of this file are subject to the terms of the
   5  * Common Development and Distribution License (the "License").
   6  * You may not use this file except in compliance with the License.
   7  *
   8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
   9  * or http://www.opensolaris.org/os/licensing.
  10  * See the License for the specific language governing permissions
  11  * and limitations under the License.
  12  *
  13  * When distributing Covered Code, include this CDDL HEADER in each
  14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  15  * If applicable, add the following below this CDDL HEADER, with the
  16  * fields enclosed by brackets "[]" replaced with your own identifying
  17  * information: Portions Copyright [yyyy] [name of copyright owner]
  18  *
  19  * CDDL HEADER END
  20  */
  21 /*
  22  * Copyright 2014 Garrett D'Amore <garrett@damore.org>
  23  *
  24  * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  25  */
  26 
  27 #ifndef _SYS_PRIV_H
  28 #define _SYS_PRIV_H
  29 
  30 #include <sys/types.h>
  31 #include <sys/cred.h>
  32 #include <sys/priv_names.h>
  33 
  34 #ifdef  __cplusplus
  35 extern "C" {
  36 #endif
  37 
  38 typedef uint32_t priv_chunk_t;
  39 typedef struct priv_set priv_set_t;
  40 
  41 #ifdef _KERNEL
  42 
  43 /*
  44  * Kernel type definitions.
  45  */
  46 typedef int priv_ptype_t;
  47 typedef int priv_t;
  48 
  49 #else /* _KERNEL */
  50 
  51 /*
  52  * Userland type definitions.
  53  */
  54 
  55 typedef const char *priv_ptype_t;
  56 typedef const char *priv_t;
  57 
  58 #endif /* _KERNEL */
  59 
  60 /*
  61  * priv_op_t indicates a privilege operation type
  62  */
  63 typedef enum priv_op {
  64         PRIV_ON,
  65         PRIV_OFF,
  66         PRIV_SET
  67 } priv_op_t;
  68 
  69 /*
  70  * Privilege system call subcodes.
  71  */
  72 
  73 #define PRIVSYS_SETPPRIV        0
  74 #define PRIVSYS_GETPPRIV        1
  75 #define PRIVSYS_GETIMPLINFO     2
  76 #define PRIVSYS_SETPFLAGS       3
  77 #define PRIVSYS_GETPFLAGS       4
  78 #define PRIVSYS_ISSETUGID       5
  79 #define PRIVSYS_KLPD_REG        6
  80 #define PRIVSYS_KLPD_UNREG      7
  81 #define PRIVSYS_PFEXEC_REG      8
  82 #define PRIVSYS_PFEXEC_UNREG    9
  83 
  84 
  85 /*
  86  * Maximum length of a user defined privilege name.
  87  */
  88 #define PRIVNAME_MAX            32
  89 
  90 /*
  91  * Privilege interface functions for those parts of the kernel that
  92  * know nothing of the privilege internals.
  93  *
  94  * A privilege implementation can have a varying number of sets; sets
  95  * consist of a number of priv_chunk_t's and the size is expressed as such.
  96  * The privileges can be represented as
  97  *
  98  *              priv_chunk_t privs[info.priv_nsets][info.priv_setsize]
  99  *              ... priv_infosize of extra information ...
 100  *
 101  * Extra data contained in the privilege information consists of chunks
 102  * of data with specified size and type all headed by a priv_info_t header
 103  * which defines both the type of information as well as the size of the
 104  * information.  ((char*)&info)+info->priv_info_size should be rounded up
 105  * to point to the next piece of information.
 106  */
 107 
 108 typedef struct priv_impl_info {
 109         uint32_t        priv_headersize;        /* sizeof (priv_impl_info) */
 110         uint32_t        priv_flags;             /* additional flags */
 111         uint32_t        priv_nsets;             /* number of priv sets */
 112         uint32_t        priv_setsize;           /* size in priv_chunk_t */
 113         uint32_t        priv_max;               /* highest actual valid priv */
 114         uint32_t        priv_infosize;          /* Per proc. additional info */
 115         uint32_t        priv_globalinfosize;    /* Per system info */
 116 } priv_impl_info_t;
 117 
 118 #define PRIV_IMPL_INFO_SIZE(p) \
 119                         ((p)->priv_headersize + (p)->priv_globalinfosize)
 120 
 121 #define PRIV_PRPRIV_INFO_OFFSET(p) \
 122                 (sizeof (*(p)) + \
 123                 ((p)->pr_nsets * (p)->pr_setsize - 1) * sizeof (priv_chunk_t))
 124 
 125 #define PRIV_PRPRIV_SIZE(p) \
 126                 (PRIV_PRPRIV_INFO_OFFSET(p) + (p)->pr_infosize)
 127 
 128 /*
 129  * Per credential flags.
 130  */
 131 #define PRIV_DEBUG                      0x0001          /* User debugging */
 132 #define PRIV_AWARE                      0x0002          /* Is privilege aware */
 133 #define PRIV_AWARE_INHERIT              0x0004          /* Inherit awareness */
 134 #define __PROC_PROTECT                  0x0008          /* Private */
 135 #define NET_MAC_AWARE                   0x0010          /* Is MAC aware */
 136 #define NET_MAC_AWARE_INHERIT           0x0020          /* Inherit MAC aware */
 137 #define PRIV_AWARE_RESET                0x0040          /* Reset on setuid() */
 138 #define PRIV_XPOLICY                    0x0080          /* Extended policy */
 139 #define PRIV_PFEXEC                     0x0100          /* As if pfexec'ed */
 140 
 141 /* user-settable flags: */
 142 #define PRIV_USER       (PRIV_DEBUG | NET_MAC_AWARE | NET_MAC_AWARE_INHERIT |\
 143                             PRIV_XPOLICY | PRIV_AWARE_RESET | PRIV_PFEXEC)
 144 
 145 /*
 146  * Header of the privilege info data structure; multiple structures can
 147  * follow the privilege sets and priv_impl_info structures.
 148  */
 149 typedef struct priv_info {
 150         uint32_t        priv_info_type;
 151         uint32_t        priv_info_size;
 152 } priv_info_t;
 153 
 154 typedef struct priv_info_uint {
 155         priv_info_t     info;
 156         uint_t          val;
 157 } priv_info_uint_t;
 158 
 159 /*
 160  * Global privilege set information item; the actual size of the array is
 161  * {priv_setsize}.
 162  */
 163 typedef struct priv_info_set {
 164         priv_info_t     info;
 165         priv_chunk_t    set[1];
 166 } priv_info_set_t;
 167 
 168 /*
 169  * names[1] is a place holder which can contain multiple NUL terminated,
 170  * non-empty strings.
 171  */
 172 
 173 typedef struct priv_info_names {
 174         priv_info_t     info;
 175         int             cnt;            /* number of strings */
 176         char            names[1];       /* "string1\0string2\0 ..stringN\0" */
 177 } priv_info_names_t;
 178 
 179 /*
 180  * Privilege information types.
 181  */
 182 #define PRIV_INFO_SETNAMES              0x0001
 183 #define PRIV_INFO_PRIVNAMES             0x0002
 184 #define PRIV_INFO_BASICPRIVS            0x0003
 185 #define PRIV_INFO_FLAGS                 0x0004
 186 
 187 /*
 188  * Special "privileges" used to indicate special conditions in privilege
 189  * debugging/tracing code.
 190  */
 191 #define PRIV_ALL                        (-1)    /* All privileges required */
 192 #define PRIV_MULTIPLE                   (-2)    /* More than one */
 193 #define PRIV_NONE                       (-3)    /* No value */
 194 #define PRIV_ALLZONE                    (-4)    /* All privileges in zone */
 195 #define PRIV_GLOBAL                     (-5)    /* Must be in global zone */
 196 
 197 #ifdef _KERNEL
 198 
 199 #define PRIV_ALLOC                      0x1
 200 
 201 extern int priv_debug;
 202 extern int priv_basic_test;
 203 
 204 struct proc;
 205 struct prpriv;
 206 struct cred;
 207 
 208 extern int priv_prgetprivsize(struct prpriv *);
 209 extern void cred2prpriv(const struct cred *, struct prpriv *);
 210 extern int priv_pr_spriv(struct proc *, struct prpriv *, const struct cred *);
 211 
 212 extern priv_impl_info_t *priv_hold_implinfo(void);
 213 extern void priv_release_implinfo(void);
 214 extern size_t priv_get_implinfo_size(void);
 215 extern const priv_set_t *priv_getset(const struct cred *, int);
 216 extern void priv_getinfo(const struct cred *, void *);
 217 extern int priv_getbyname(const char *, uint_t);
 218 extern int priv_getsetbyname(const char *, int);
 219 extern const char *priv_getbynum(int);
 220 extern const char *priv_getsetbynum(int);
 221 
 222 extern void priv_emptyset(priv_set_t *);
 223 extern void priv_fillset(priv_set_t *);
 224 extern void priv_addset(priv_set_t *, int);
 225 extern void priv_delset(priv_set_t *, int);
 226 extern boolean_t priv_ismember(const priv_set_t *, int);
 227 extern boolean_t priv_isemptyset(const priv_set_t *);
 228 extern boolean_t priv_isfullset(const priv_set_t *);
 229 extern boolean_t priv_isequalset(const priv_set_t *, const priv_set_t *);
 230 extern boolean_t priv_issubset(const priv_set_t *, const priv_set_t *);
 231 extern int priv_proc_cred_perm(const struct cred *, struct proc *,
 232         struct cred **, int);
 233 extern void priv_intersect(const priv_set_t *, priv_set_t *);
 234 extern void priv_union(const priv_set_t *, priv_set_t *);
 235 extern void priv_inverse(priv_set_t *);
 236 
 237 extern void priv_set_PA(cred_t *);
 238 extern void priv_adjust_PA(cred_t *);
 239 extern void priv_reset_PA(cred_t *, boolean_t);
 240 extern boolean_t priv_can_clear_PA(const cred_t *);
 241 
 242 extern int setpflags(uint_t, uint_t, cred_t *);
 243 extern uint_t getpflags(uint_t, const cred_t *);
 244 
 245 #endif /* _KERNEL */
 246 
 247 #ifdef  __cplusplus
 248 }
 249 #endif
 250 
 251 #endif  /* _SYS_PRIV_H */