1*7c478bd9Sstevel@tonic-gate /* 2*7c478bd9Sstevel@tonic-gate * CDDL HEADER START 3*7c478bd9Sstevel@tonic-gate * 4*7c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5*7c478bd9Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only 6*7c478bd9Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance 7*7c478bd9Sstevel@tonic-gate * with the License. 8*7c478bd9Sstevel@tonic-gate * 9*7c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10*7c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 11*7c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 12*7c478bd9Sstevel@tonic-gate * and limitations under the License. 13*7c478bd9Sstevel@tonic-gate * 14*7c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 15*7c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16*7c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 17*7c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 18*7c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 19*7c478bd9Sstevel@tonic-gate * 20*7c478bd9Sstevel@tonic-gate * CDDL HEADER END 21*7c478bd9Sstevel@tonic-gate */ 22*7c478bd9Sstevel@tonic-gate /* 23*7c478bd9Sstevel@tonic-gate * Copyright 2004 Sun Microsystems, Inc. All rights reserved. 24*7c478bd9Sstevel@tonic-gate * Use is subject to license terms. 25*7c478bd9Sstevel@tonic-gate */ 26*7c478bd9Sstevel@tonic-gate 27*7c478bd9Sstevel@tonic-gate #ifndef _SYS_PRIV_H 28*7c478bd9Sstevel@tonic-gate #define _SYS_PRIV_H 29*7c478bd9Sstevel@tonic-gate 30*7c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" /* from TSOL 8 */ 31*7c478bd9Sstevel@tonic-gate 32*7c478bd9Sstevel@tonic-gate #include <sys/types.h> 33*7c478bd9Sstevel@tonic-gate #include <sys/cred.h> 34*7c478bd9Sstevel@tonic-gate #include <sys/priv_names.h> 35*7c478bd9Sstevel@tonic-gate 36*7c478bd9Sstevel@tonic-gate #ifdef __cplusplus 37*7c478bd9Sstevel@tonic-gate extern "C" { 38*7c478bd9Sstevel@tonic-gate #endif 39*7c478bd9Sstevel@tonic-gate 40*7c478bd9Sstevel@tonic-gate typedef uint32_t priv_chunk_t; 41*7c478bd9Sstevel@tonic-gate typedef struct priv_set priv_set_t; 42*7c478bd9Sstevel@tonic-gate 43*7c478bd9Sstevel@tonic-gate #ifdef _KERNEL 44*7c478bd9Sstevel@tonic-gate 45*7c478bd9Sstevel@tonic-gate /* 46*7c478bd9Sstevel@tonic-gate * Kernel type definitions. 47*7c478bd9Sstevel@tonic-gate */ 48*7c478bd9Sstevel@tonic-gate typedef int priv_ptype_t; 49*7c478bd9Sstevel@tonic-gate typedef int priv_t; 50*7c478bd9Sstevel@tonic-gate 51*7c478bd9Sstevel@tonic-gate #else /* _KERNEL */ 52*7c478bd9Sstevel@tonic-gate 53*7c478bd9Sstevel@tonic-gate /* 54*7c478bd9Sstevel@tonic-gate * Userland type definitions. 55*7c478bd9Sstevel@tonic-gate */ 56*7c478bd9Sstevel@tonic-gate 57*7c478bd9Sstevel@tonic-gate #ifdef __STDC__ 58*7c478bd9Sstevel@tonic-gate typedef const char *priv_ptype_t; 59*7c478bd9Sstevel@tonic-gate typedef const char *priv_t; 60*7c478bd9Sstevel@tonic-gate #else 61*7c478bd9Sstevel@tonic-gate typedef char *priv_ptype_t; 62*7c478bd9Sstevel@tonic-gate typedef char *priv_t; 63*7c478bd9Sstevel@tonic-gate #endif 64*7c478bd9Sstevel@tonic-gate 65*7c478bd9Sstevel@tonic-gate #endif /* _KERNEL */ 66*7c478bd9Sstevel@tonic-gate 67*7c478bd9Sstevel@tonic-gate /* 68*7c478bd9Sstevel@tonic-gate * priv_op_t indicates a privilege operation type 69*7c478bd9Sstevel@tonic-gate */ 70*7c478bd9Sstevel@tonic-gate typedef enum priv_op { 71*7c478bd9Sstevel@tonic-gate PRIV_ON, 72*7c478bd9Sstevel@tonic-gate PRIV_OFF, 73*7c478bd9Sstevel@tonic-gate PRIV_SET 74*7c478bd9Sstevel@tonic-gate } priv_op_t; 75*7c478bd9Sstevel@tonic-gate 76*7c478bd9Sstevel@tonic-gate /* 77*7c478bd9Sstevel@tonic-gate * Privilege system call subcodes. 78*7c478bd9Sstevel@tonic-gate */ 79*7c478bd9Sstevel@tonic-gate 80*7c478bd9Sstevel@tonic-gate #define PRIVSYS_SETPPRIV 0 81*7c478bd9Sstevel@tonic-gate #define PRIVSYS_GETPPRIV 1 82*7c478bd9Sstevel@tonic-gate #define PRIVSYS_GETIMPLINFO 2 83*7c478bd9Sstevel@tonic-gate #define PRIVSYS_SETPFLAGS 3 84*7c478bd9Sstevel@tonic-gate #define PRIVSYS_GETPFLAGS 4 85*7c478bd9Sstevel@tonic-gate 86*7c478bd9Sstevel@tonic-gate /* 87*7c478bd9Sstevel@tonic-gate * Maximum length of a user defined privilege name. 88*7c478bd9Sstevel@tonic-gate */ 89*7c478bd9Sstevel@tonic-gate #define PRIVNAME_MAX 32 90*7c478bd9Sstevel@tonic-gate 91*7c478bd9Sstevel@tonic-gate /* 92*7c478bd9Sstevel@tonic-gate * Privilege interface functions for those parts of the kernel that 93*7c478bd9Sstevel@tonic-gate * know nothing of the privilege internals. 94*7c478bd9Sstevel@tonic-gate * 95*7c478bd9Sstevel@tonic-gate * A privilege implementation can have a varying number of sets; sets 96*7c478bd9Sstevel@tonic-gate * consist of a number of priv_chunk_t's and the size is expressed as such. 97*7c478bd9Sstevel@tonic-gate * The privileges can be represented as 98*7c478bd9Sstevel@tonic-gate * 99*7c478bd9Sstevel@tonic-gate * priv_chunk_t privs[info.priv_nsets][info.priv_setsize] 100*7c478bd9Sstevel@tonic-gate * ... priv_infosize of extra information ... 101*7c478bd9Sstevel@tonic-gate * 102*7c478bd9Sstevel@tonic-gate * Extra data contained in the privilege information consists of chunks 103*7c478bd9Sstevel@tonic-gate * of data with specified size and type all headed by a priv_info_t header 104*7c478bd9Sstevel@tonic-gate * which defines both the type of information as well as the size of the 105*7c478bd9Sstevel@tonic-gate * information. ((char*)&info)+info->priv_info_size should be rounded up 106*7c478bd9Sstevel@tonic-gate * to point to the next piece of information. 107*7c478bd9Sstevel@tonic-gate */ 108*7c478bd9Sstevel@tonic-gate 109*7c478bd9Sstevel@tonic-gate typedef struct priv_impl_info { 110*7c478bd9Sstevel@tonic-gate uint32_t priv_headersize; /* sizeof (priv_impl_info) */ 111*7c478bd9Sstevel@tonic-gate uint32_t priv_flags; /* additional flags */ 112*7c478bd9Sstevel@tonic-gate uint32_t priv_nsets; /* number of priv sets */ 113*7c478bd9Sstevel@tonic-gate uint32_t priv_setsize; /* size in priv_chunk_t */ 114*7c478bd9Sstevel@tonic-gate uint32_t priv_max; /* highest actual valid priv */ 115*7c478bd9Sstevel@tonic-gate uint32_t priv_infosize; /* Per proc. additional info */ 116*7c478bd9Sstevel@tonic-gate uint32_t priv_globalinfosize; /* Per system info */ 117*7c478bd9Sstevel@tonic-gate } priv_impl_info_t; 118*7c478bd9Sstevel@tonic-gate 119*7c478bd9Sstevel@tonic-gate #define PRIV_IMPL_INFO_SIZE(p) \ 120*7c478bd9Sstevel@tonic-gate ((p)->priv_headersize + (p)->priv_globalinfosize) 121*7c478bd9Sstevel@tonic-gate 122*7c478bd9Sstevel@tonic-gate #define PRIV_PRPRIV_INFO_OFFSET(p) \ 123*7c478bd9Sstevel@tonic-gate (sizeof (*(p)) + \ 124*7c478bd9Sstevel@tonic-gate ((p)->pr_nsets * (p)->pr_setsize - 1) * sizeof (priv_chunk_t)) 125*7c478bd9Sstevel@tonic-gate 126*7c478bd9Sstevel@tonic-gate #define PRIV_PRPRIV_SIZE(p) \ 127*7c478bd9Sstevel@tonic-gate (PRIV_PRPRIV_INFO_OFFSET(p) + (p)->pr_infosize) 128*7c478bd9Sstevel@tonic-gate 129*7c478bd9Sstevel@tonic-gate /* 130*7c478bd9Sstevel@tonic-gate * Per credential flags. 131*7c478bd9Sstevel@tonic-gate */ 132*7c478bd9Sstevel@tonic-gate #define PRIV_DEBUG 0x0001 /* User debugging */ 133*7c478bd9Sstevel@tonic-gate #define PRIV_AWARE 0x0002 /* Is privilege aware */ 134*7c478bd9Sstevel@tonic-gate #define PRIV_AWARE_INHERIT 0x0004 /* Inherit awareness */ 135*7c478bd9Sstevel@tonic-gate #define __PROC_PROTECT 0x0008 /* Private */ 136*7c478bd9Sstevel@tonic-gate #define PRIV_USER (PRIV_DEBUG) /* User settable */ 137*7c478bd9Sstevel@tonic-gate 138*7c478bd9Sstevel@tonic-gate /* 139*7c478bd9Sstevel@tonic-gate * Header of the privilege info data structure; multiple structures can 140*7c478bd9Sstevel@tonic-gate * follow the privilege sets and priv_impl_info structures. 141*7c478bd9Sstevel@tonic-gate */ 142*7c478bd9Sstevel@tonic-gate typedef struct priv_info { 143*7c478bd9Sstevel@tonic-gate uint32_t priv_info_type; 144*7c478bd9Sstevel@tonic-gate uint32_t priv_info_size; 145*7c478bd9Sstevel@tonic-gate } priv_info_t; 146*7c478bd9Sstevel@tonic-gate 147*7c478bd9Sstevel@tonic-gate typedef struct priv_info_uint { 148*7c478bd9Sstevel@tonic-gate priv_info_t info; 149*7c478bd9Sstevel@tonic-gate uint_t val; 150*7c478bd9Sstevel@tonic-gate } priv_info_uint_t; 151*7c478bd9Sstevel@tonic-gate 152*7c478bd9Sstevel@tonic-gate /* 153*7c478bd9Sstevel@tonic-gate * Global privilege set information item; the actual size of the array is 154*7c478bd9Sstevel@tonic-gate * {priv_setsize}. 155*7c478bd9Sstevel@tonic-gate */ 156*7c478bd9Sstevel@tonic-gate typedef struct priv_info_set { 157*7c478bd9Sstevel@tonic-gate priv_info_t info; 158*7c478bd9Sstevel@tonic-gate priv_chunk_t set[1]; 159*7c478bd9Sstevel@tonic-gate } priv_info_set_t; 160*7c478bd9Sstevel@tonic-gate 161*7c478bd9Sstevel@tonic-gate /* 162*7c478bd9Sstevel@tonic-gate * names[1] is a place holder which can contain multiple NUL terminated, 163*7c478bd9Sstevel@tonic-gate * non-empty strings. 164*7c478bd9Sstevel@tonic-gate */ 165*7c478bd9Sstevel@tonic-gate 166*7c478bd9Sstevel@tonic-gate typedef struct priv_info_names { 167*7c478bd9Sstevel@tonic-gate priv_info_t info; 168*7c478bd9Sstevel@tonic-gate int cnt; /* number of strings */ 169*7c478bd9Sstevel@tonic-gate char names[1]; /* "string1\0string2\0 ..stringN\0" */ 170*7c478bd9Sstevel@tonic-gate } priv_info_names_t; 171*7c478bd9Sstevel@tonic-gate 172*7c478bd9Sstevel@tonic-gate /* 173*7c478bd9Sstevel@tonic-gate * Privilege information types. 174*7c478bd9Sstevel@tonic-gate */ 175*7c478bd9Sstevel@tonic-gate #define PRIV_INFO_SETNAMES 0x0001 176*7c478bd9Sstevel@tonic-gate #define PRIV_INFO_PRIVNAMES 0x0002 177*7c478bd9Sstevel@tonic-gate #define PRIV_INFO_BASICPRIVS 0x0003 178*7c478bd9Sstevel@tonic-gate #define PRIV_INFO_FLAGS 0x0004 179*7c478bd9Sstevel@tonic-gate 180*7c478bd9Sstevel@tonic-gate /* 181*7c478bd9Sstevel@tonic-gate * Special "privileges" used to indicate special conditions in privilege 182*7c478bd9Sstevel@tonic-gate * debugging/tracing code. 183*7c478bd9Sstevel@tonic-gate */ 184*7c478bd9Sstevel@tonic-gate #define PRIV_ALL (-1) /* All privileges required */ 185*7c478bd9Sstevel@tonic-gate #define PRIV_MULTIPLE (-2) /* More than one */ 186*7c478bd9Sstevel@tonic-gate #define PRIV_NONE (-3) /* No value */ 187*7c478bd9Sstevel@tonic-gate #define PRIV_ALLZONE (-4) /* All privileges in zone */ 188*7c478bd9Sstevel@tonic-gate #define PRIV_GLOBAL (-5) /* Must be in global zone */ 189*7c478bd9Sstevel@tonic-gate 190*7c478bd9Sstevel@tonic-gate #ifdef _KERNEL 191*7c478bd9Sstevel@tonic-gate 192*7c478bd9Sstevel@tonic-gate #define PRIV_ALLOC 0x1 193*7c478bd9Sstevel@tonic-gate 194*7c478bd9Sstevel@tonic-gate struct proc; 195*7c478bd9Sstevel@tonic-gate struct prpriv; 196*7c478bd9Sstevel@tonic-gate struct cred; 197*7c478bd9Sstevel@tonic-gate 198*7c478bd9Sstevel@tonic-gate extern int priv_prgetprivsize(struct prpriv *); 199*7c478bd9Sstevel@tonic-gate extern void cred2prpriv(const struct cred *, struct prpriv *); 200*7c478bd9Sstevel@tonic-gate extern int priv_pr_spriv(struct proc *, struct prpriv *, const struct cred *); 201*7c478bd9Sstevel@tonic-gate 202*7c478bd9Sstevel@tonic-gate extern priv_impl_info_t *priv_hold_implinfo(void); 203*7c478bd9Sstevel@tonic-gate extern void priv_release_implinfo(void); 204*7c478bd9Sstevel@tonic-gate extern size_t priv_get_implinfo_size(void); 205*7c478bd9Sstevel@tonic-gate extern const priv_set_t *priv_getset(const struct cred *, int); 206*7c478bd9Sstevel@tonic-gate extern void priv_getinfo(const struct cred *, void *); 207*7c478bd9Sstevel@tonic-gate extern int priv_getbyname(const char *, uint_t); 208*7c478bd9Sstevel@tonic-gate extern int priv_getsetbyname(const char *, int); 209*7c478bd9Sstevel@tonic-gate extern const char *priv_getbynum(int); 210*7c478bd9Sstevel@tonic-gate extern const char *priv_getsetbynum(int); 211*7c478bd9Sstevel@tonic-gate 212*7c478bd9Sstevel@tonic-gate extern void priv_emptyset(priv_set_t *); 213*7c478bd9Sstevel@tonic-gate extern void priv_fillset(priv_set_t *); 214*7c478bd9Sstevel@tonic-gate extern void priv_addset(priv_set_t *, int); 215*7c478bd9Sstevel@tonic-gate extern void priv_delset(priv_set_t *, int); 216*7c478bd9Sstevel@tonic-gate extern boolean_t priv_ismember(const priv_set_t *, int); 217*7c478bd9Sstevel@tonic-gate extern boolean_t priv_isemptyset(const priv_set_t *); 218*7c478bd9Sstevel@tonic-gate extern boolean_t priv_isfullset(const priv_set_t *); 219*7c478bd9Sstevel@tonic-gate extern boolean_t priv_isequalset(const priv_set_t *, const priv_set_t *); 220*7c478bd9Sstevel@tonic-gate extern boolean_t priv_issubset(const priv_set_t *, const priv_set_t *); 221*7c478bd9Sstevel@tonic-gate extern int priv_proc_cred_perm(const struct cred *, struct proc *, 222*7c478bd9Sstevel@tonic-gate struct cred **, int); 223*7c478bd9Sstevel@tonic-gate extern void priv_intersect(const priv_set_t *, priv_set_t *); 224*7c478bd9Sstevel@tonic-gate extern void priv_union(const priv_set_t *, priv_set_t *); 225*7c478bd9Sstevel@tonic-gate extern void priv_inverse(priv_set_t *); 226*7c478bd9Sstevel@tonic-gate 227*7c478bd9Sstevel@tonic-gate extern void priv_set_PA(cred_t *); 228*7c478bd9Sstevel@tonic-gate extern void priv_adjust_PA(cred_t *); 229*7c478bd9Sstevel@tonic-gate extern boolean_t priv_can_clear_PA(const cred_t *); 230*7c478bd9Sstevel@tonic-gate 231*7c478bd9Sstevel@tonic-gate #endif /* _KERNEL */ 232*7c478bd9Sstevel@tonic-gate 233*7c478bd9Sstevel@tonic-gate #ifdef __cplusplus 234*7c478bd9Sstevel@tonic-gate } 235*7c478bd9Sstevel@tonic-gate #endif 236*7c478bd9Sstevel@tonic-gate 237*7c478bd9Sstevel@tonic-gate #endif /* _SYS_PRIV_H */ 238