xref: /illumos-gate/usr/src/uts/common/sys/priv.h (revision 7c478bd95313f5f23a4c958a745db2134aa0324)

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef	_SYS_PRIV_H
#define	_SYS_PRIV_H

#pragma ident	"%Z%%M%	%I%	%E% SMI"	/* from TSOL 8 */

#include <sys/types.h>
#include <sys/cred.h>
#include <sys/priv_names.h>

#ifdef	__cplusplus
extern "C" {
#endif

typedef uint32_t priv_chunk_t;
typedef struct priv_set priv_set_t;

#ifdef _KERNEL

/*
 * Kernel type definitions.
 */
typedef int priv_ptype_t;
typedef int priv_t;

#else /* _KERNEL */

/*
 * Userland type definitions.
 */

#ifdef __STDC__
typedef const char *priv_ptype_t;
typedef const char *priv_t;
#else
typedef char *priv_ptype_t;
typedef char *priv_t;
#endif

#endif /* _KERNEL */

/*
 * priv_op_t indicates a privilege operation type
 */
typedef enum priv_op {
	PRIV_ON,
	PRIV_OFF,
	PRIV_SET
} priv_op_t;

/*
 * Privilege system call subcodes.
 */

#define	PRIVSYS_SETPPRIV	0
#define	PRIVSYS_GETPPRIV	1
#define	PRIVSYS_GETIMPLINFO	2
#define	PRIVSYS_SETPFLAGS	3
#define	PRIVSYS_GETPFLAGS	4

/*
 * Maximum length of a user defined privilege name.
 */
#define	PRIVNAME_MAX		32

/*
 * Privilege interface functions for those parts of the kernel that
 * know nothing of the privilege internals.
 *
 * A privilege implementation can have a varying number of sets; sets
 * consist of a number of priv_chunk_t's and the size is expressed as such.
 * The privileges can be represented as
 *
 *		priv_chunk_t privs[info.priv_nsets][info.priv_setsize]
 *		... priv_infosize of extra information ...
 *
 * Extra data contained in the privilege information consists of chunks
 * of data with specified size and type all headed by a priv_info_t header
 * which defines both the type of information as well as the size of the
 * information.  ((char*)&info)+info->priv_info_size should be rounded up
 * to point to the next piece of information.
 */

typedef struct priv_impl_info {
	uint32_t	priv_headersize;	/* sizeof (priv_impl_info) */
	uint32_t	priv_flags;		/* additional flags */
	uint32_t	priv_nsets;		/* number of priv sets */
	uint32_t	priv_setsize;		/* size in priv_chunk_t */
	uint32_t	priv_max;		/* highest actual valid priv */
	uint32_t	priv_infosize;		/* Per proc. additional info */
	uint32_t	priv_globalinfosize;	/* Per system info */
} priv_impl_info_t;

#define	PRIV_IMPL_INFO_SIZE(p) \
			((p)->priv_headersize + (p)->priv_globalinfosize)

#define	PRIV_PRPRIV_INFO_OFFSET(p) \
		(sizeof (*(p)) + \
		((p)->pr_nsets * (p)->pr_setsize - 1) * sizeof (priv_chunk_t))

#define	PRIV_PRPRIV_SIZE(p) \
		(PRIV_PRPRIV_INFO_OFFSET(p) + (p)->pr_infosize)

/*
 * Per credential flags.
 */
#define	PRIV_DEBUG			0x0001		/* User debugging */
#define	PRIV_AWARE			0x0002		/* Is privilege aware */
#define	PRIV_AWARE_INHERIT		0x0004		/* Inherit awareness */
#define	__PROC_PROTECT			0x0008		/* Private */
#define	PRIV_USER			(PRIV_DEBUG)	/* User settable */

/*
 * Header of the privilege info data structure; multiple structures can
 * follow the privilege sets and priv_impl_info structures.
 */
typedef struct priv_info {
	uint32_t	priv_info_type;
	uint32_t	priv_info_size;
} priv_info_t;

typedef struct priv_info_uint {
	priv_info_t	info;
	uint_t		val;
} priv_info_uint_t;

/*
 * Global privilege set information item; the actual size of the array is
 * {priv_setsize}.
 */
typedef struct priv_info_set {
	priv_info_t	info;
	priv_chunk_t	set[1];
} priv_info_set_t;

/*
 * names[1] is a place holder which can contain multiple NUL terminated,
 * non-empty strings.
 */

typedef struct priv_info_names {
	priv_info_t	info;
	int		cnt;		/* number of strings */
	char		names[1];	/* "string1\0string2\0 ..stringN\0" */
} priv_info_names_t;

/*
 * Privilege information types.
 */
#define	PRIV_INFO_SETNAMES		0x0001
#define	PRIV_INFO_PRIVNAMES		0x0002
#define	PRIV_INFO_BASICPRIVS		0x0003
#define	PRIV_INFO_FLAGS			0x0004

/*
 * Special "privileges" used to indicate special conditions in privilege
 * debugging/tracing code.
 */
#define	PRIV_ALL			(-1)	/* All privileges required */
#define	PRIV_MULTIPLE			(-2)	/* More than one */
#define	PRIV_NONE			(-3)	/* No value */
#define	PRIV_ALLZONE			(-4)	/* All privileges in zone */
#define	PRIV_GLOBAL			(-5)	/* Must be in global zone */

#ifdef _KERNEL

#define	PRIV_ALLOC			0x1

struct proc;
struct prpriv;
struct cred;

extern int priv_prgetprivsize(struct prpriv *);
extern void cred2prpriv(const struct cred *, struct prpriv *);
extern int priv_pr_spriv(struct proc *, struct prpriv *, const struct cred *);

extern priv_impl_info_t *priv_hold_implinfo(void);
extern void priv_release_implinfo(void);
extern size_t priv_get_implinfo_size(void);
extern const priv_set_t *priv_getset(const struct cred *, int);
extern void priv_getinfo(const struct cred *, void *);
extern int priv_getbyname(const char *, uint_t);
extern int priv_getsetbyname(const char *, int);
extern const char *priv_getbynum(int);
extern const char *priv_getsetbynum(int);

extern void priv_emptyset(priv_set_t *);
extern void priv_fillset(priv_set_t *);
extern void priv_addset(priv_set_t *, int);
extern void priv_delset(priv_set_t *, int);
extern boolean_t priv_ismember(const priv_set_t *, int);
extern boolean_t priv_isemptyset(const priv_set_t *);
extern boolean_t priv_isfullset(const priv_set_t *);
extern boolean_t priv_isequalset(const priv_set_t *, const priv_set_t *);
extern boolean_t priv_issubset(const priv_set_t *, const priv_set_t *);
extern int priv_proc_cred_perm(const struct cred *, struct proc *,
	struct cred **, int);
extern void priv_intersect(const priv_set_t *, priv_set_t *);
extern void priv_union(const priv_set_t *, priv_set_t *);
extern void priv_inverse(priv_set_t *);

extern void priv_set_PA(cred_t *);
extern void priv_adjust_PA(cred_t *);
extern boolean_t priv_can_clear_PA(const cred_t *);

#endif /* _KERNEL */

#ifdef	__cplusplus
}
#endif

#endif	/* _SYS_PRIV_H */