1 /*
   2  * This file and its contents are supplied under the terms of the
   3  * Common Development and Distribution License ("CDDL"), version 1.0.
   4  * You may only use this file in accordance with the terms of version
   5  * 1.0 of the CDDL.
   6  *
   7  * A full copy of the text of the CDDL should have accompanied this
   8  * source.  A copy of the CDDL is also available via the Internet at
   9  * http://www.illumos.org/license/CDDL.
  10  */
  11 
  12 /* Copyright 2014, Richard Lowe */
  13 
  14 #ifndef _SYS_SECFLAGS_H
  15 #define _SYS_SECFLAGS_H
  16 
  17 #ifdef __cplusplus
  18 extern "C" {
  19 #endif
  20 
  21 #include <sys/types.h>
  22 #include <sys/procset.h>
  23 
  24 struct proc;
  25 typedef uint32_t secflagset_t;
  26 
  27 typedef struct psecflags {
  28         secflagset_t psf_effective;
  29         secflagset_t psf_inherit;
  30         secflagset_t psf_lower;
  31         secflagset_t psf_upper;
  32 } psecflags_t;
  33 
  34 typedef struct secflagdelta {
  35         secflagset_t psd_add;           /* Flags to add */
  36         secflagset_t psd_rem;           /* Flags to remove */
  37         secflagset_t psd_assign;        /* Flags to assign */
  38         boolean_t psd_ass_active;       /* Need to assign */
  39 } secflagdelta_t;
  40 
  41 typedef enum {
  42         PSF_EFFECTIVE = 0,
  43         PSF_INHERIT,
  44         PSF_LOWER,
  45         PSF_UPPER
  46 } psecflagwhich_t;
  47 
  48 
  49 /*
  50  * p_secflags codes
  51  *
  52  * These flags indicate the extra security-related features enabled for a
  53  * given process.
  54  */
  55 typedef enum {
  56         PROC_SEC_ASLR = 0,
  57         PROC_SEC_FORBIDNULLMAP,
  58         PROC_SEC_NOEXECSTACK
  59 } secflag_t;
  60 
  61 extern secflagset_t secflag_to_bit(secflag_t);
  62 extern boolean_t secflag_isset(secflagset_t, secflag_t);
  63 extern void secflag_clear(secflagset_t *, secflag_t);
  64 extern void secflag_set(secflagset_t *, secflag_t);
  65 extern boolean_t secflags_isempty(secflagset_t);
  66 extern void secflags_zero(secflagset_t *);
  67 extern void secflags_fullset(secflagset_t *);
  68 extern void secflags_copy(secflagset_t *, const secflagset_t *);
  69 extern boolean_t secflags_issubset(secflagset_t, secflagset_t);
  70 extern boolean_t secflags_issuperset(secflagset_t, secflagset_t);
  71 extern boolean_t secflags_intersection(secflagset_t, secflagset_t);
  72 extern void secflags_union(secflagset_t *, const secflagset_t *);
  73 extern void secflags_difference(secflagset_t *, const secflagset_t *);
  74 extern boolean_t psecflags_validate_delta(const psecflags_t *,
  75     const secflagdelta_t *);
  76 extern boolean_t psecflags_validate(const psecflags_t *);
  77 extern void psecflags_default(psecflags_t *sf);
  78 extern const char *secflag_to_str(secflag_t);
  79 extern boolean_t secflag_by_name(const char *, secflag_t *);
  80 extern void secflags_to_str(secflagset_t, char *, size_t);
  81 
  82 /* All valid bits */
  83 #define PROC_SEC_MASK   (secflag_to_bit(PROC_SEC_ASLR) |        \
  84     secflag_to_bit(PROC_SEC_FORBIDNULLMAP) |                    \
  85     secflag_to_bit(PROC_SEC_NOEXECSTACK))
  86 
  87 #if !defined(_KERNEL)
  88 extern int secflags_parse(const secflagset_t *, const char *, secflagdelta_t *);
  89 extern int psecflags(idtype_t, id_t, psecflagwhich_t, secflagdelta_t *);
  90 #endif
  91 
  92 #if defined(_KERNEL)
  93 extern boolean_t secflag_enabled(struct proc *, secflag_t);
  94 extern void secflags_promote(struct proc *);
  95 extern void secflags_apply_delta(secflagset_t *, const secflagdelta_t *);
  96 #endif
  97 
  98 #ifdef __cplusplus
  99 }
 100 #endif
 101 
 102 #endif /* _SYS_SECFLAGS_H */