1*d2a70789SRichard Lowe /* 2*d2a70789SRichard Lowe * This file and its contents are supplied under the terms of the 3*d2a70789SRichard Lowe * Common Development and Distribution License ("CDDL"), version 1.0. 4*d2a70789SRichard Lowe * You may only use this file in accordance with the terms of version 5*d2a70789SRichard Lowe * 1.0 of the CDDL. 6*d2a70789SRichard Lowe * 7*d2a70789SRichard Lowe * A full copy of the text of the CDDL should have accompanied this 8*d2a70789SRichard Lowe * source. A copy of the CDDL is also available via the Internet at 9*d2a70789SRichard Lowe * http://www.illumos.org/license/CDDL. 10*d2a70789SRichard Lowe */ 11*d2a70789SRichard Lowe 12*d2a70789SRichard Lowe /* Copyright 2014, Richard Lowe */ 13*d2a70789SRichard Lowe 14*d2a70789SRichard Lowe #ifndef _SYS_SECFLAGS_H 15*d2a70789SRichard Lowe #define _SYS_SECFLAGS_H 16*d2a70789SRichard Lowe 17*d2a70789SRichard Lowe #ifdef __cplusplus 18*d2a70789SRichard Lowe extern "C" { 19*d2a70789SRichard Lowe #endif 20*d2a70789SRichard Lowe 21*d2a70789SRichard Lowe #include <sys/types.h> 22*d2a70789SRichard Lowe #include <sys/procset.h> 23*d2a70789SRichard Lowe 24*d2a70789SRichard Lowe struct proc; 25*d2a70789SRichard Lowe typedef uint64_t secflagset_t; 26*d2a70789SRichard Lowe 27*d2a70789SRichard Lowe typedef struct psecflags { 28*d2a70789SRichard Lowe secflagset_t psf_effective; 29*d2a70789SRichard Lowe secflagset_t psf_inherit; 30*d2a70789SRichard Lowe secflagset_t psf_lower; 31*d2a70789SRichard Lowe secflagset_t psf_upper; 32*d2a70789SRichard Lowe } psecflags_t; 33*d2a70789SRichard Lowe 34*d2a70789SRichard Lowe typedef struct secflagdelta { 35*d2a70789SRichard Lowe secflagset_t psd_add; /* Flags to add */ 36*d2a70789SRichard Lowe secflagset_t psd_rem; /* Flags to remove */ 37*d2a70789SRichard Lowe secflagset_t psd_assign; /* Flags to assign */ 38*d2a70789SRichard Lowe boolean_t psd_ass_active; /* Need to assign */ 39*d2a70789SRichard Lowe } secflagdelta_t; 40*d2a70789SRichard Lowe 41*d2a70789SRichard Lowe typedef enum { 42*d2a70789SRichard Lowe PSF_EFFECTIVE = 0, 43*d2a70789SRichard Lowe PSF_INHERIT, 44*d2a70789SRichard Lowe PSF_LOWER, 45*d2a70789SRichard Lowe PSF_UPPER 46*d2a70789SRichard Lowe } psecflagwhich_t; 47*d2a70789SRichard Lowe 48*d2a70789SRichard Lowe 49*d2a70789SRichard Lowe /* 50*d2a70789SRichard Lowe * p_secflags codes 51*d2a70789SRichard Lowe * 52*d2a70789SRichard Lowe * These flags indicate the extra security-related features enabled for a 53*d2a70789SRichard Lowe * given process. 54*d2a70789SRichard Lowe */ 55*d2a70789SRichard Lowe typedef enum { 56*d2a70789SRichard Lowe PROC_SEC_ASLR = 0, 57*d2a70789SRichard Lowe PROC_SEC_FORBIDNULLMAP, 58*d2a70789SRichard Lowe PROC_SEC_NOEXECSTACK 59*d2a70789SRichard Lowe } secflag_t; 60*d2a70789SRichard Lowe 61*d2a70789SRichard Lowe extern secflagset_t secflag_to_bit(secflag_t); 62*d2a70789SRichard Lowe extern boolean_t secflag_isset(secflagset_t, secflag_t); 63*d2a70789SRichard Lowe extern void secflag_clear(secflagset_t *, secflag_t); 64*d2a70789SRichard Lowe extern void secflag_set(secflagset_t *, secflag_t); 65*d2a70789SRichard Lowe extern boolean_t secflags_isempty(secflagset_t); 66*d2a70789SRichard Lowe extern void secflags_zero(secflagset_t *); 67*d2a70789SRichard Lowe extern void secflags_fullset(secflagset_t *); 68*d2a70789SRichard Lowe extern void secflags_copy(secflagset_t *, const secflagset_t *); 69*d2a70789SRichard Lowe extern boolean_t secflags_issubset(secflagset_t, secflagset_t); 70*d2a70789SRichard Lowe extern boolean_t secflags_issuperset(secflagset_t, secflagset_t); 71*d2a70789SRichard Lowe extern boolean_t secflags_intersection(secflagset_t, secflagset_t); 72*d2a70789SRichard Lowe extern void secflags_union(secflagset_t *, const secflagset_t *); 73*d2a70789SRichard Lowe extern void secflags_difference(secflagset_t *, const secflagset_t *); 74*d2a70789SRichard Lowe extern boolean_t psecflags_validate_delta(const psecflags_t *, 75*d2a70789SRichard Lowe const secflagdelta_t *); 76*d2a70789SRichard Lowe extern boolean_t psecflags_validate(const psecflags_t *); 77*d2a70789SRichard Lowe extern void psecflags_default(psecflags_t *sf); 78*d2a70789SRichard Lowe extern const char *secflag_to_str(secflag_t); 79*d2a70789SRichard Lowe extern boolean_t secflag_by_name(const char *, secflag_t *); 80*d2a70789SRichard Lowe extern void secflags_to_str(secflagset_t, char *, size_t); 81*d2a70789SRichard Lowe 82*d2a70789SRichard Lowe /* All valid bits */ 83*d2a70789SRichard Lowe #define PROC_SEC_MASK (secflag_to_bit(PROC_SEC_ASLR) | \ 84*d2a70789SRichard Lowe secflag_to_bit(PROC_SEC_FORBIDNULLMAP) | \ 85*d2a70789SRichard Lowe secflag_to_bit(PROC_SEC_NOEXECSTACK)) 86*d2a70789SRichard Lowe 87*d2a70789SRichard Lowe #if !defined(_KERNEL) 88*d2a70789SRichard Lowe extern int secflags_parse(const secflagset_t *, const char *, secflagdelta_t *); 89*d2a70789SRichard Lowe extern int psecflags(idtype_t, id_t, psecflagwhich_t, secflagdelta_t *); 90*d2a70789SRichard Lowe #endif 91*d2a70789SRichard Lowe 92*d2a70789SRichard Lowe #if defined(_KERNEL) 93*d2a70789SRichard Lowe extern boolean_t secflag_enabled(struct proc *, secflag_t); 94*d2a70789SRichard Lowe extern void secflags_promote(struct proc *); 95*d2a70789SRichard Lowe extern void secflags_apply_delta(secflagset_t *, const secflagdelta_t *); 96*d2a70789SRichard Lowe #endif 97*d2a70789SRichard Lowe 98*d2a70789SRichard Lowe #ifdef __cplusplus 99*d2a70789SRichard Lowe } 100*d2a70789SRichard Lowe #endif 101*d2a70789SRichard Lowe 102*d2a70789SRichard Lowe #endif /* _SYS_SECFLAGS_H */ 103