xref: /illumos-gate/usr/src/uts/common/sys/secflags.h (revision d2a70789) 
1*d2a70789SRichard Lowe /*
2*d2a70789SRichard Lowe  * This file and its contents are supplied under the terms of the
3*d2a70789SRichard Lowe  * Common Development and Distribution License ("CDDL"), version 1.0.
4*d2a70789SRichard Lowe  * You may only use this file in accordance with the terms of version
5*d2a70789SRichard Lowe  * 1.0 of the CDDL.
6*d2a70789SRichard Lowe  *
7*d2a70789SRichard Lowe  * A full copy of the text of the CDDL should have accompanied this
8*d2a70789SRichard Lowe  * source.  A copy of the CDDL is also available via the Internet at
9*d2a70789SRichard Lowe  * http://www.illumos.org/license/CDDL.
10*d2a70789SRichard Lowe  */
11*d2a70789SRichard Lowe 
12*d2a70789SRichard Lowe /* Copyright 2014, Richard Lowe */
13*d2a70789SRichard Lowe 
14*d2a70789SRichard Lowe #ifndef _SYS_SECFLAGS_H
15*d2a70789SRichard Lowe #define	_SYS_SECFLAGS_H
16*d2a70789SRichard Lowe 
17*d2a70789SRichard Lowe #ifdef __cplusplus
18*d2a70789SRichard Lowe extern "C" {
19*d2a70789SRichard Lowe #endif
20*d2a70789SRichard Lowe 
21*d2a70789SRichard Lowe #include <sys/types.h>
22*d2a70789SRichard Lowe #include <sys/procset.h>
23*d2a70789SRichard Lowe 
24*d2a70789SRichard Lowe struct proc;
25*d2a70789SRichard Lowe typedef uint64_t secflagset_t;
26*d2a70789SRichard Lowe 
27*d2a70789SRichard Lowe typedef struct psecflags {
28*d2a70789SRichard Lowe 	secflagset_t psf_effective;
29*d2a70789SRichard Lowe 	secflagset_t psf_inherit;
30*d2a70789SRichard Lowe 	secflagset_t psf_lower;
31*d2a70789SRichard Lowe 	secflagset_t psf_upper;
32*d2a70789SRichard Lowe } psecflags_t;
33*d2a70789SRichard Lowe 
34*d2a70789SRichard Lowe typedef struct secflagdelta {
35*d2a70789SRichard Lowe 	secflagset_t psd_add;		/* Flags to add */
36*d2a70789SRichard Lowe 	secflagset_t psd_rem;		/* Flags to remove */
37*d2a70789SRichard Lowe 	secflagset_t psd_assign;	/* Flags to assign */
38*d2a70789SRichard Lowe 	boolean_t psd_ass_active;	/* Need to assign */
39*d2a70789SRichard Lowe } secflagdelta_t;
40*d2a70789SRichard Lowe 
41*d2a70789SRichard Lowe typedef enum {
42*d2a70789SRichard Lowe 	PSF_EFFECTIVE = 0,
43*d2a70789SRichard Lowe 	PSF_INHERIT,
44*d2a70789SRichard Lowe 	PSF_LOWER,
45*d2a70789SRichard Lowe 	PSF_UPPER
46*d2a70789SRichard Lowe } psecflagwhich_t;
47*d2a70789SRichard Lowe 
48*d2a70789SRichard Lowe 
49*d2a70789SRichard Lowe /*
50*d2a70789SRichard Lowe  * p_secflags codes
51*d2a70789SRichard Lowe  *
52*d2a70789SRichard Lowe  * These flags indicate the extra security-related features enabled for a
53*d2a70789SRichard Lowe  * given process.
54*d2a70789SRichard Lowe  */
55*d2a70789SRichard Lowe typedef enum {
56*d2a70789SRichard Lowe 	PROC_SEC_ASLR = 0,
57*d2a70789SRichard Lowe 	PROC_SEC_FORBIDNULLMAP,
58*d2a70789SRichard Lowe 	PROC_SEC_NOEXECSTACK
59*d2a70789SRichard Lowe } secflag_t;
60*d2a70789SRichard Lowe 
61*d2a70789SRichard Lowe extern secflagset_t secflag_to_bit(secflag_t);
62*d2a70789SRichard Lowe extern boolean_t secflag_isset(secflagset_t, secflag_t);
63*d2a70789SRichard Lowe extern void secflag_clear(secflagset_t *, secflag_t);
64*d2a70789SRichard Lowe extern void secflag_set(secflagset_t *, secflag_t);
65*d2a70789SRichard Lowe extern boolean_t secflags_isempty(secflagset_t);
66*d2a70789SRichard Lowe extern void secflags_zero(secflagset_t *);
67*d2a70789SRichard Lowe extern void secflags_fullset(secflagset_t *);
68*d2a70789SRichard Lowe extern void secflags_copy(secflagset_t *, const secflagset_t *);
69*d2a70789SRichard Lowe extern boolean_t secflags_issubset(secflagset_t, secflagset_t);
70*d2a70789SRichard Lowe extern boolean_t secflags_issuperset(secflagset_t, secflagset_t);
71*d2a70789SRichard Lowe extern boolean_t secflags_intersection(secflagset_t, secflagset_t);
72*d2a70789SRichard Lowe extern void secflags_union(secflagset_t *, const secflagset_t *);
73*d2a70789SRichard Lowe extern void secflags_difference(secflagset_t *, const secflagset_t *);
74*d2a70789SRichard Lowe extern boolean_t psecflags_validate_delta(const psecflags_t *,
75*d2a70789SRichard Lowe     const secflagdelta_t *);
76*d2a70789SRichard Lowe extern boolean_t psecflags_validate(const psecflags_t *);
77*d2a70789SRichard Lowe extern void psecflags_default(psecflags_t *sf);
78*d2a70789SRichard Lowe extern const char *secflag_to_str(secflag_t);
79*d2a70789SRichard Lowe extern boolean_t secflag_by_name(const char *, secflag_t *);
80*d2a70789SRichard Lowe extern void secflags_to_str(secflagset_t, char *, size_t);
81*d2a70789SRichard Lowe 
82*d2a70789SRichard Lowe /* All valid bits */
83*d2a70789SRichard Lowe #define	PROC_SEC_MASK	(secflag_to_bit(PROC_SEC_ASLR) |	\
84*d2a70789SRichard Lowe     secflag_to_bit(PROC_SEC_FORBIDNULLMAP) |			\
85*d2a70789SRichard Lowe     secflag_to_bit(PROC_SEC_NOEXECSTACK))
86*d2a70789SRichard Lowe 
87*d2a70789SRichard Lowe #if !defined(_KERNEL)
88*d2a70789SRichard Lowe extern int secflags_parse(const secflagset_t *, const char *, secflagdelta_t *);
89*d2a70789SRichard Lowe extern int psecflags(idtype_t, id_t, psecflagwhich_t, secflagdelta_t *);
90*d2a70789SRichard Lowe #endif
91*d2a70789SRichard Lowe 
92*d2a70789SRichard Lowe #if defined(_KERNEL)
93*d2a70789SRichard Lowe extern boolean_t secflag_enabled(struct proc *, secflag_t);
94*d2a70789SRichard Lowe extern void secflags_promote(struct proc *);
95*d2a70789SRichard Lowe extern void secflags_apply_delta(secflagset_t *, const secflagdelta_t *);
96*d2a70789SRichard Lowe #endif
97*d2a70789SRichard Lowe 
98*d2a70789SRichard Lowe #ifdef __cplusplus
99*d2a70789SRichard Lowe }
100*d2a70789SRichard Lowe #endif
101*d2a70789SRichard Lowe 
102*d2a70789SRichard Lowe #endif /* _SYS_SECFLAGS_H */
103