/*
 * This file and its contents are supplied under the terms of the
 * Common Development and Distribution License ("CDDL"), version 1.0.
 * You may only use this file in accordance with the terms of version
 * 1.0 of the CDDL.
 *
 * A full copy of the text of the CDDL should have accompanied this
 * source. A copy of the CDDL is also available via the Internet at
 * http://www.illumos.org/license/CDDL.
 */

/* Copyright 2014, Richard Lowe */

#ifndef _SYS_SECFLAGS_H
#define _SYS_SECFLAGS_H

/*
 * Process security flags: the flag type, the flag-set type, the group of
 * four flag sets, the delta used to request a change, and the helpers
 * declared for working with them.  Only declarations live here; every
 * function below is defined elsewhere.
 */

#ifdef __cplusplus
extern "C" {
#endif

#include <sys/types.h>
#include <sys/procset.h>

struct proc;

/*
 * A set of security flags, held in 32 bits.  secflag_to_bit() maps a single
 * secflag_t to a value of this type.
 */
typedef uint32_t secflagset_t;

/*
 * The four flag sets kept together; psecflagwhich_t names the same four.
 *
 * NOTE(review): going by the field names, psf_effective is presumably the
 * set currently in force, psf_inherit the set handed on (see
 * secflags_promote()), and psf_lower / psf_upper bounds on what the other
 * two may contain.  Confirm against the definitions of
 * psecflags_validate() and psecflags_validate_delta().
 */
typedef struct psecflags {
	secflagset_t psf_effective;
	secflagset_t psf_inherit;
	secflagset_t psf_lower;
	secflagset_t psf_upper;
} psecflags_t;

/*
 * A requested change to one flag set: either flags to add and flags to
 * remove, or, when psd_ass_active is set, a value to assign.
 *
 * NOTE(review): secflags_apply_delta() takes only the raw set and the
 * delta, so any policy check presumably has to happen first through
 * psecflags_validate_delta() -- confirm at the call sites.
 */
typedef struct secflagdelta {
	secflagset_t psd_add;		/* Flags to add */
	secflagset_t psd_rem;		/* Flags to remove */
	secflagset_t psd_assign;	/* Flags to assign */
	boolean_t psd_ass_active;	/* Need to assign */
} secflagdelta_t;

/* Selects one of the four sets in a psecflags_t. */
typedef enum {
	PSF_EFFECTIVE = 0,
	PSF_INHERIT,
	PSF_LOWER,
	PSF_UPPER
} psecflagwhich_t;


/*
 * p_secflags codes
 *
 * These flags indicate the extra security-related features enabled for a
 * given process.
 *
 * The enumerators are consecutive indexes starting at 0, not masks:
 * PROC_SEC_ASLR is 0 and would contribute nothing if OR-ed into a
 * secflagset_t directly.  Go through secflag_to_bit() (as PROC_SEC_MASK
 * does) or the secflag_set() / secflag_isset() helpers instead.
 */
typedef enum {
	PROC_SEC_ASLR = 0,
	PROC_SEC_FORBIDNULLMAP,
	PROC_SEC_NOEXECSTACK
} secflag_t;

/* Operations on a single flag within a set. */
extern secflagset_t secflag_to_bit(secflag_t);
extern boolean_t secflag_isset(secflagset_t, secflag_t);
extern void secflag_clear(secflagset_t *, secflag_t);
extern void secflag_set(secflagset_t *, secflag_t);

/*
 * Operations on whole sets.
 *
 * NOTE(review): the prototypes carry no parameter names, so the direction
 * of secflags_issubset() / secflags_issuperset() cannot be read off this
 * header; check the definitions before relying on the argument order.
 * secflags_intersection() returns boolean_t rather than a set, so it
 * presumably reports whether the two sets share a flag -- confirm.
 */
extern boolean_t secflags_isempty(secflagset_t);
extern void secflags_zero(secflagset_t *);
extern void secflags_fullset(secflagset_t *);
extern void secflags_copy(secflagset_t *, const secflagset_t *);
extern boolean_t secflags_issubset(secflagset_t, secflagset_t);
extern boolean_t secflags_issuperset(secflagset_t, secflagset_t);
extern boolean_t secflags_intersection(secflagset_t, secflagset_t);
extern void secflags_union(secflagset_t *, const secflagset_t *);
extern void secflags_difference(secflagset_t *, const secflagset_t *);

/* Checks on, and defaults for, a whole psecflags_t. */
extern boolean_t psecflags_validate_delta(const psecflags_t *,
    const secflagdelta_t *);
extern boolean_t psecflags_validate(const psecflags_t *);
extern void psecflags_default(psecflags_t *sf);

/*
 * Conversions between flags and text.
 *
 * NOTE(review): secflags_to_str() takes a char pointer and a size_t,
 * presumably the output buffer and its size; what happens when the buffer
 * is too small is not visible from this header.  secflag_by_name() returns
 * boolean_t, so callers presumably must test it before reading the
 * secflag_t it writes through its second argument -- confirm.
 */
extern const char *secflag_to_str(secflag_t);
extern boolean_t secflag_by_name(const char *, secflag_t *);
extern void secflags_to_str(secflagset_t, char *, size_t);

/*
 * All valid bits.
 *
 * Each flag is listed by hand, so a flag added to secflag_t has to be added
 * here too or it will fall outside the mask.  The expansion calls
 * secflag_to_bit(), declared above as a function, so as far as this header
 * shows it is not an integer constant expression.
 */
#define PROC_SEC_MASK	(secflag_to_bit(PROC_SEC_ASLR) | \
    secflag_to_bit(PROC_SEC_FORBIDNULLMAP) | \
    secflag_to_bit(PROC_SEC_NOEXECSTACK))

#if defined(_KERNEL)
/* Declared only when _KERNEL is defined. */
extern boolean_t secflag_enabled(struct proc *, secflag_t);
extern void secflags_promote(struct proc *);
extern void secflags_apply_delta(secflagset_t *, const secflagdelta_t *);
#else
/* Declared only when _KERNEL is not defined. */
extern int secflags_parse(const secflagset_t *, const char *, secflagdelta_t *);
extern int psecflags(idtype_t, id_t, psecflagwhich_t, secflagdelta_t *);
#endif /* _KERNEL */

#ifdef __cplusplus
}
#endif

#endif /* _SYS_SECFLAGS_H */