FreeBSD/Linux Kernel Cross Reference
sys/sys/kauth.h
1 /* $NetBSD: kauth.h,v 1.89 2023/01/05 18:29:45 jakllsch Exp $ */
2
3 /*-
4 * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. The name of the author may not be used to endorse or promote products
16 * derived from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 /*
31 * This is based on Apple TN2127, available online at
32 * http://developer.apple.com/technotes/tn2005/tn2127.html
33 */
34
35 #ifndef _SYS_KAUTH_H_
36 #define _SYS_KAUTH_H_
37
38 #include <secmodel/secmodel.h> /* for secmodel_t type */
39 #include <sys/stat.h> /* for modes */
40
41 struct uucred;
42 struct ki_ucred;
43 struct ki_pcred;
44 struct proc;
45 struct tty;
46 struct vnode;
47 struct cwdinfo;
48
49 enum uio_seg;
50
51 /* Types. */
52 typedef struct kauth_scope *kauth_scope_t;
53 typedef struct kauth_listener *kauth_listener_t;
54 typedef uint64_t kauth_action_t;
55 typedef int (*kauth_scope_callback_t)(kauth_cred_t, kauth_action_t,
56 void *, void *, void *, void *, void *);
57 typedef struct kauth_key *kauth_key_t;
58
59 #ifdef __KAUTH_PRIVATE /* For the debugger */
60
61 #include <sys/types.h>
62 #include <sys/specificdata.h>
63
64 /*
65 * Credentials.
66 *
67 * A subset of this structure is used in kvm(3) (src/lib/libkvm/kvm_proc.c)
68 * and should be synchronized with this structure when the update is
69 * relevant.
70 */
71 struct kauth_cred {
72 /*
73 * Ensure that the first part of the credential resides in its own
74 * cache line. Due to sharing there aren't many kauth_creds in a
75 * typical system, but the reference counts change very often.
76 * Keeping it separate from the rest of the data prevents false
77 * sharing between CPUs.
78 */
79 u_int cr_refcnt; /* reference count */
80 #if COHERENCY_UNIT > 4
81 uint8_t cr_pad[COHERENCY_UNIT - 4];
82 #endif
83 uid_t cr_uid; /* user id */
84 uid_t cr_euid; /* effective user id */
85 uid_t cr_svuid; /* saved effective user id */
86 gid_t cr_gid; /* group id */
87 gid_t cr_egid; /* effective group id */
88 gid_t cr_svgid; /* saved effective group id */
89 u_int cr_ngroups; /* number of groups */
90 gid_t cr_groups[NGROUPS]; /* group memberships */
91 specificdata_reference cr_sd; /* specific data */
92 };
93
94 #endif
95
96 /*
97 * Possible return values for a listener.
98 */
99 #define KAUTH_RESULT_ALLOW 0 /* allow access */
100 #define KAUTH_RESULT_DENY 1 /* deny access */
101 #define KAUTH_RESULT_DEFER 2 /* let others decide */
102
103 /*
104 * Scopes.
105 */
106 #define KAUTH_SCOPE_GENERIC "org.netbsd.kauth.generic"
107 #define KAUTH_SCOPE_SYSTEM "org.netbsd.kauth.system"
108 #define KAUTH_SCOPE_PROCESS "org.netbsd.kauth.process"
109 #define KAUTH_SCOPE_NETWORK "org.netbsd.kauth.network"
110 #define KAUTH_SCOPE_MACHDEP "org.netbsd.kauth.machdep"
111 #define KAUTH_SCOPE_DEVICE "org.netbsd.kauth.device"
112 #define KAUTH_SCOPE_CRED "org.netbsd.kauth.cred"
113 #define KAUTH_SCOPE_VNODE "org.netbsd.kauth.vnode"
114
115 /*
116 * Generic scope - actions.
117 */
118 enum {
119 KAUTH_GENERIC_UNUSED1=1,
120 KAUTH_GENERIC_ISSUSER,
121 };
122
123 /*
124 * System scope - actions.
125 */
126 enum {
127 KAUTH_SYSTEM_ACCOUNTING=1,
128 KAUTH_SYSTEM_CHROOT,
129 KAUTH_SYSTEM_CHSYSFLAGS,
130 KAUTH_SYSTEM_CPU,
131 KAUTH_SYSTEM_DEBUG,
132 KAUTH_SYSTEM_FILEHANDLE,
133 KAUTH_SYSTEM_MKNOD,
134 KAUTH_SYSTEM_MOUNT,
135 KAUTH_SYSTEM_PSET,
136 KAUTH_SYSTEM_REBOOT,
137 KAUTH_SYSTEM_SETIDCORE,
138 KAUTH_SYSTEM_SWAPCTL,
139 KAUTH_SYSTEM_SYSCTL,
140 KAUTH_SYSTEM_TIME,
141 KAUTH_SYSTEM_MODULE,
142 KAUTH_SYSTEM_FS_RESERVEDSPACE,
143 KAUTH_SYSTEM_FS_QUOTA,
144 KAUTH_SYSTEM_SEMAPHORE,
145 KAUTH_SYSTEM_SYSVIPC,
146 KAUTH_SYSTEM_MQUEUE,
147 KAUTH_SYSTEM_VERIEXEC,
148 KAUTH_SYSTEM_DEVMAPPER,
149 KAUTH_SYSTEM_MAP_VA_ZERO,
150 KAUTH_SYSTEM_LFS,
151 KAUTH_SYSTEM_FS_EXTATTR,
152 KAUTH_SYSTEM_FS_SNAPSHOT,
153 KAUTH_SYSTEM_INTR,
154 KAUTH_SYSTEM_KERNADDR,
155 };
156
157 /*
158 * System scope - sub-actions.
159 */
160 enum kauth_system_req {
161 KAUTH_REQ_SYSTEM_CHROOT_CHROOT=1,
162 KAUTH_REQ_SYSTEM_CHROOT_FCHROOT,
163 KAUTH_REQ_SYSTEM_CPU_SETSTATE,
164 KAUTH_REQ_SYSTEM_MOUNT_GET,
165 KAUTH_REQ_SYSTEM_MOUNT_NEW,
166 KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT,
167 KAUTH_REQ_SYSTEM_MOUNT_UPDATE,
168 KAUTH_REQ_SYSTEM_PSET_ASSIGN,
169 KAUTH_REQ_SYSTEM_PSET_BIND,
170 KAUTH_REQ_SYSTEM_PSET_CREATE,
171 KAUTH_REQ_SYSTEM_PSET_DESTROY,
172 KAUTH_REQ_SYSTEM_SYSCTL_ADD,
173 KAUTH_REQ_SYSTEM_SYSCTL_DELETE,
174 KAUTH_REQ_SYSTEM_SYSCTL_DESC,
175 KAUTH_REQ_SYSTEM_SYSCTL_MODIFY,
176 KAUTH_REQ_SYSTEM_SYSCTL_PRVT,
177 KAUTH_REQ_SYSTEM_TIME_ADJTIME,
178 KAUTH_REQ_SYSTEM_TIME_NTPADJTIME,
179 KAUTH_REQ_SYSTEM_TIME_RTCOFFSET,
180 KAUTH_REQ_SYSTEM_TIME_SYSTEM,
181 KAUTH_REQ_SYSTEM_TIME_TIMECOUNTERS,
182 KAUTH_REQ_SYSTEM_FS_QUOTA_GET,
183 KAUTH_REQ_SYSTEM_FS_QUOTA_MANAGE,
184 KAUTH_REQ_SYSTEM_FS_QUOTA_NOLIMIT,
185 KAUTH_REQ_SYSTEM_FS_QUOTA_ONOFF,
186 KAUTH_REQ_SYSTEM_SYSVIPC_BYPASS,
187 KAUTH_REQ_SYSTEM_SYSVIPC_SHM_LOCK,
188 KAUTH_REQ_SYSTEM_SYSVIPC_SHM_UNLOCK,
189 KAUTH_REQ_SYSTEM_SYSVIPC_MSGQ_OVERSIZE,
190 KAUTH_REQ_SYSTEM_VERIEXEC_ACCESS,
191 KAUTH_REQ_SYSTEM_VERIEXEC_MODIFY,
192 KAUTH_REQ_SYSTEM_LFS_MARKV,
193 KAUTH_REQ_SYSTEM_LFS_BMAPV,
194 KAUTH_REQ_SYSTEM_LFS_SEGCLEAN,
195 KAUTH_REQ_SYSTEM_LFS_SEGWAIT,
196 KAUTH_REQ_SYSTEM_LFS_FCNTL,
197 KAUTH_REQ_SYSTEM_MOUNT_UMAP,
198 KAUTH_REQ_SYSTEM_MOUNT_DEVICE,
199 KAUTH_REQ_SYSTEM_INTR_AFFINITY,
200 };
201
202 /*
203 * Process scope - actions.
204 */
205 enum {
206 KAUTH_PROCESS_CANSEE=1,
207 KAUTH_PROCESS_CORENAME,
208 KAUTH_PROCESS_FORK,
209 KAUTH_PROCESS_KEVENT_FILTER,
210 KAUTH_PROCESS_KTRACE,
211 KAUTH_PROCESS_NICE,
212 KAUTH_PROCESS_PROCFS,
213 KAUTH_PROCESS_PTRACE,
214 KAUTH_PROCESS_RLIMIT,
215 KAUTH_PROCESS_SCHEDULER_GETAFFINITY,
216 KAUTH_PROCESS_SCHEDULER_SETAFFINITY,
217 KAUTH_PROCESS_SCHEDULER_GETPARAM,
218 KAUTH_PROCESS_SCHEDULER_SETPARAM,
219 KAUTH_PROCESS_SETID,
220 KAUTH_PROCESS_SIGNAL,
221 KAUTH_PROCESS_STOPFLAG
222 };
223
224 /*
225 * Process scope - sub-actions.
226 */
227 enum kauth_process_req {
228 KAUTH_REQ_PROCESS_CANSEE_ARGS=1,
229 KAUTH_REQ_PROCESS_CANSEE_ENTRY,
230 KAUTH_REQ_PROCESS_CANSEE_ENV,
231 KAUTH_REQ_PROCESS_CANSEE_OPENFILES,
232 KAUTH_REQ_PROCESS_CORENAME_GET,
233 KAUTH_REQ_PROCESS_CORENAME_SET,
234 KAUTH_REQ_PROCESS_KTRACE_PERSISTENT,
235 KAUTH_REQ_PROCESS_PROCFS_READ,
236 KAUTH_REQ_PROCESS_PROCFS_RW,
237 KAUTH_REQ_PROCESS_PROCFS_WRITE,
238 KAUTH_REQ_PROCESS_RLIMIT_GET,
239 KAUTH_REQ_PROCESS_RLIMIT_SET,
240 KAUTH_REQ_PROCESS_RLIMIT_BYPASS,
241 KAUTH_REQ_PROCESS_CANSEE_EPROC,
242 KAUTH_REQ_PROCESS_CANSEE_KPTR
243 };
244
245 /*
246 * Network scope - actions.
247 */
248 enum {
249 KAUTH_NETWORK_ALTQ=1,
250 KAUTH_NETWORK_BIND,
251 KAUTH_NETWORK_FIREWALL,
252 KAUTH_NETWORK_INTERFACE,
253 KAUTH_NETWORK_FORWSRCRT,
254 KAUTH_NETWORK_NFS,
255 KAUTH_NETWORK_ROUTE,
256 KAUTH_NETWORK_SOCKET,
257 KAUTH_NETWORK_INTERFACE_PPP,
258 KAUTH_NETWORK_INTERFACE_SLIP,
259 KAUTH_NETWORK_INTERFACE_STRIP, /* obsolete */
260 KAUTH_NETWORK_INTERFACE_TUN,
261 KAUTH_NETWORK_INTERFACE_BRIDGE,
262 KAUTH_NETWORK_IPSEC,
263 KAUTH_NETWORK_INTERFACE_PVC,
264 KAUTH_NETWORK_IPV6,
265 KAUTH_NETWORK_SMB,
266 KAUTH_NETWORK_INTERFACE_WG,
267 };
268
269 /*
270 * Network scope - sub-actions.
271 */
272 enum kauth_network_req {
273 KAUTH_REQ_NETWORK_ALTQ_AFMAP=1,
274 KAUTH_REQ_NETWORK_ALTQ_BLUE,
275 KAUTH_REQ_NETWORK_ALTQ_CBQ,
276 KAUTH_REQ_NETWORK_ALTQ_CDNR,
277 KAUTH_REQ_NETWORK_ALTQ_CONF,
278 KAUTH_REQ_NETWORK_ALTQ_FIFOQ,
279 KAUTH_REQ_NETWORK_ALTQ_HFSC,
280 KAUTH_REQ_NETWORK_ALTQ_JOBS,
281 KAUTH_REQ_NETWORK_ALTQ_PRIQ,
282 KAUTH_REQ_NETWORK_ALTQ_RED,
283 KAUTH_REQ_NETWORK_ALTQ_RIO,
284 KAUTH_REQ_NETWORK_ALTQ_WFQ,
285 KAUTH_REQ_NETWORK_BIND_PORT,
286 KAUTH_REQ_NETWORK_BIND_PRIVPORT,
287 KAUTH_REQ_NETWORK_FIREWALL_FW,
288 KAUTH_REQ_NETWORK_FIREWALL_NAT,
289 KAUTH_REQ_NETWORK_INTERFACE_GET,
290 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV,
291 KAUTH_REQ_NETWORK_INTERFACE_SET,
292 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV,
293 KAUTH_REQ_NETWORK_NFS_EXPORT,
294 KAUTH_REQ_NETWORK_NFS_SVC,
295 KAUTH_REQ_NETWORK_SOCKET_OPEN,
296 KAUTH_REQ_NETWORK_SOCKET_RAWSOCK,
297 KAUTH_REQ_NETWORK_SOCKET_CANSEE,
298 KAUTH_REQ_NETWORK_SOCKET_DROP,
299 KAUTH_REQ_NETWORK_SOCKET_SETPRIV,
300 KAUTH_REQ_NETWORK_INTERFACE_PPP_ADD,
301 KAUTH_REQ_NETWORK_INTERFACE_SLIP_ADD,
302 KAUTH_REQ_NETWORK_INTERFACE_STRIP_ADD, /* obsolete */
303 KAUTH_REQ_NETWORK_INTERFACE_TUN_ADD,
304 KAUTH_REQ_NETWORK_IPV6_HOPBYHOP,
305 KAUTH_REQ_NETWORK_INTERFACE_BRIDGE_GETPRIV,
306 KAUTH_REQ_NETWORK_INTERFACE_BRIDGE_SETPRIV,
307 KAUTH_REQ_NETWORK_IPSEC_BYPASS,
308 KAUTH_REQ_NETWORK_IPV6_JOIN_MULTICAST,
309 KAUTH_REQ_NETWORK_INTERFACE_PVC_ADD,
310 KAUTH_REQ_NETWORK_SMB_SHARE_ACCESS,
311 KAUTH_REQ_NETWORK_SMB_SHARE_CREATE,
312 KAUTH_REQ_NETWORK_SMB_VC_ACCESS,
313 KAUTH_REQ_NETWORK_SMB_VC_CREATE,
314 KAUTH_REQ_NETWORK_INTERFACE_FIRMWARE,
315 KAUTH_REQ_NETWORK_BIND_ANYADDR,
316 KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV,
317 KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV,
318 };
319
320 /*
321 * Machdep scope - actions.
322 */
323 enum {
324 KAUTH_MACHDEP_CACHEFLUSH=1,
325 KAUTH_MACHDEP_CPU_UCODE_APPLY,
326 KAUTH_MACHDEP_IOPERM_GET,
327 KAUTH_MACHDEP_IOPERM_SET,
328 KAUTH_MACHDEP_IOPL,
329 KAUTH_MACHDEP_LDT_GET,
330 KAUTH_MACHDEP_LDT_SET,
331 KAUTH_MACHDEP_MTRR_GET,
332 KAUTH_MACHDEP_MTRR_SET,
333 KAUTH_MACHDEP_NVRAM,
334 KAUTH_MACHDEP_UNMANAGEDMEM,
335 KAUTH_MACHDEP_PXG,
336 KAUTH_MACHDEP_SVS_DISABLE
337 };
338
339 /*
340 * Device scope - actions.
341 */
342 enum {
343 KAUTH_DEVICE_TTY_OPEN=1,
344 KAUTH_DEVICE_TTY_PRIVSET,
345 KAUTH_DEVICE_TTY_STI,
346 KAUTH_DEVICE_RAWIO_SPEC,
347 KAUTH_DEVICE_RAWIO_PASSTHRU,
348 KAUTH_DEVICE_BLUETOOTH_SETPRIV,
349 KAUTH_DEVICE_RND_ADDDATA,
350 KAUTH_DEVICE_RND_ADDDATA_ESTIMATE,
351 KAUTH_DEVICE_RND_GETPRIV,
352 KAUTH_DEVICE_RND_SETPRIV,
353 KAUTH_DEVICE_BLUETOOTH_BCSP,
354 KAUTH_DEVICE_BLUETOOTH_BTUART,
355 KAUTH_DEVICE_GPIO_PINSET,
356 KAUTH_DEVICE_BLUETOOTH_SEND,
357 KAUTH_DEVICE_BLUETOOTH_RECV,
358 KAUTH_DEVICE_TTY_VIRTUAL,
359 KAUTH_DEVICE_WSCONS_KEYBOARD_BELL,
360 KAUTH_DEVICE_WSCONS_KEYBOARD_KEYREPEAT,
361 KAUTH_DEVICE_NVMM_CTL,
362 };
363
364 /*
365 * Device scope - sub-actions.
366 */
367 enum kauth_device_req {
368 KAUTH_REQ_DEVICE_RAWIO_SPEC_READ=1,
369 KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE,
370 KAUTH_REQ_DEVICE_RAWIO_SPEC_RW,
371 KAUTH_REQ_DEVICE_BLUETOOTH_BCSP_ADD,
372 KAUTH_REQ_DEVICE_BLUETOOTH_BTUART_ADD,
373 };
374
375 /*
376 * Credentials scope - actions.
377 */
378 enum {
379 KAUTH_CRED_INIT=1,
380 KAUTH_CRED_FORK,
381 KAUTH_CRED_COPY,
382 KAUTH_CRED_FREE,
383 KAUTH_CRED_CHROOT
384 };
385
386 /*
387 * Vnode scope - action bits.
388 */
389 #define KAUTH_VNODE_READ_DATA (1ULL << 0)
390 #define KAUTH_VNODE_LIST_DIRECTORY KAUTH_VNODE_READ_DATA
391 #define KAUTH_VNODE_WRITE_DATA (1ULL << 1)
392 #define KAUTH_VNODE_ADD_FILE KAUTH_VNODE_WRITE_DATA
393 #define KAUTH_VNODE_EXECUTE (1ULL << 2)
394 #define KAUTH_VNODE_SEARCH KAUTH_VNODE_EXECUTE
395 #define KAUTH_VNODE_DELETE (1ULL << 3)
396 #define KAUTH_VNODE_APPEND_DATA (1ULL << 4)
397 #define KAUTH_VNODE_ADD_SUBDIRECTORY KAUTH_VNODE_APPEND_DATA
398 #define KAUTH_VNODE_READ_TIMES (1ULL << 5)
399 #define KAUTH_VNODE_WRITE_TIMES (1ULL << 6)
400 #define KAUTH_VNODE_READ_FLAGS (1ULL << 7)
401 #define KAUTH_VNODE_WRITE_FLAGS (1ULL << 8)
402 #define KAUTH_VNODE_READ_SYSFLAGS (1ULL << 9)
403 #define KAUTH_VNODE_WRITE_SYSFLAGS (1ULL << 10)
404 #define KAUTH_VNODE_RENAME (1ULL << 11)
405 #define KAUTH_VNODE_CHANGE_OWNERSHIP (1ULL << 12)
406 #define KAUTH_VNODE_READ_SECURITY (1ULL << 13)
407 #define KAUTH_VNODE_WRITE_SECURITY (1ULL << 14)
408 #define KAUTH_VNODE_READ_ATTRIBUTES (1ULL << 15)
409 #define KAUTH_VNODE_WRITE_ATTRIBUTES (1ULL << 16)
410 #define KAUTH_VNODE_READ_EXTATTRIBUTES (1ULL << 17)
411 #define KAUTH_VNODE_WRITE_EXTATTRIBUTES (1ULL << 18)
412 #define KAUTH_VNODE_RETAIN_SUID (1ULL << 19)
413 #define KAUTH_VNODE_RETAIN_SGID (1ULL << 20)
414 #define KAUTH_VNODE_REVOKE (1ULL << 21)
415
416 #define KAUTH_VNODE_IS_EXEC (1ULL << 29)
417 #define KAUTH_VNODE_HAS_SYSFLAGS (1ULL << 30)
418 #define KAUTH_VNODE_ACCESS (1ULL << 31)
419 #define KAUTH_VNODE_ADD_LINK (1ULL << 32)
420
421 /*
422 * This is a special fs_decision indication that can be used by file-systems
423 * that don't support decision-before-action to tell kauth(9) it can only
424 * short-circuit the operation beforehand.
425 */
426 #define KAUTH_VNODE_REMOTEFS (-1)
427
428 /*
429 * Device scope, passthru request - identifiers.
430 */
431 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READ 0x00000001
432 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITE 0x00000002
433 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF 0x00000004
434 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITECONF 0x00000008
435 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL 0x0000000F
436
437 #define NOCRED ((kauth_cred_t)-1) /* no credential available */
438 #define FSCRED ((kauth_cred_t)-2) /* filesystem credential */
439
440 /* Macro to help passing arguments to authorization wrappers. */
441 #define KAUTH_ARG(arg) ((void *)(unsigned long)(arg))
442
443 /*
444 * A file-system object is determined to be able to execute if it's a
445 * directory or if the execute bit is present in any of the
446 * owner/group/other modes.
447 *
448 * This helper macro is intended to be used in order to implement a
449 * policy that maintains the semantics of "a privileged user can enter
450 * directory, and can execute any file, but only if the file is actually
451 * executable."
452 */
453 #define FS_OBJECT_CAN_EXEC(vtype, mode) (((vtype) == VDIR) || \
454 ((mode) & \
455 (S_IXUSR|S_IXGRP|S_IXOTH)))
456
457 /*
458 * Prototypes.
459 */
460 void kauth_init(void);
461 kauth_scope_t kauth_register_scope(const char *, kauth_scope_callback_t, void *);
462 void kauth_deregister_scope(kauth_scope_t);
463 kauth_listener_t kauth_listen_scope(const char *, kauth_scope_callback_t, void *);
464 void kauth_unlisten_scope(kauth_listener_t);
465 int kauth_authorize_action(kauth_scope_t, kauth_cred_t, kauth_action_t, void *,
466 void *, void *, void *);
467
468 /* Authorization wrappers. */
469 int kauth_authorize_generic(kauth_cred_t, kauth_action_t, void *);
470 int kauth_authorize_system(kauth_cred_t, kauth_action_t, enum kauth_system_req,
471 void *, void *, void *);
472 int kauth_authorize_process(kauth_cred_t, kauth_action_t, struct proc *,
473 void *, void *, void *);
474 int kauth_authorize_network(kauth_cred_t, kauth_action_t,
475 enum kauth_network_req, void *, void *, void *);
476 int kauth_authorize_machdep(kauth_cred_t, kauth_action_t,
477 void *, void *, void *, void *);
478 int kauth_authorize_device(kauth_cred_t, kauth_action_t,
479 void *, void *, void *, void *);
480 int kauth_authorize_device_tty(kauth_cred_t, kauth_action_t, struct tty *);
481 int kauth_authorize_device_spec(kauth_cred_t, enum kauth_device_req,
482 struct vnode *);
483 int kauth_authorize_device_passthru(kauth_cred_t, dev_t, u_long, void *);
484 int kauth_authorize_vnode(kauth_cred_t, kauth_action_t, struct vnode *,
485 struct vnode *, int);
486
487 /* Kauth credentials management routines. */
488 kauth_cred_t kauth_cred_alloc(void);
489 void kauth_cred_free(kauth_cred_t);
490 void kauth_cred_clone(kauth_cred_t, kauth_cred_t);
491 kauth_cred_t kauth_cred_dup(kauth_cred_t);
492 kauth_cred_t kauth_cred_copy(kauth_cred_t);
493
494 uid_t kauth_cred_getuid(kauth_cred_t);
495 uid_t kauth_cred_geteuid(kauth_cred_t);
496 uid_t kauth_cred_getsvuid(kauth_cred_t);
497 gid_t kauth_cred_getgid(kauth_cred_t);
498 gid_t kauth_cred_getegid(kauth_cred_t);
499 gid_t kauth_cred_getsvgid(kauth_cred_t);
500 int kauth_cred_ismember_gid(kauth_cred_t, gid_t, int *);
501 int kauth_cred_groupmember(kauth_cred_t, gid_t);
502 u_int kauth_cred_ngroups(kauth_cred_t);
503 gid_t kauth_cred_group(kauth_cred_t, u_int);
504
505 void kauth_cred_setuid(kauth_cred_t, uid_t);
506 void kauth_cred_seteuid(kauth_cred_t, uid_t);
507 void kauth_cred_setsvuid(kauth_cred_t, uid_t);
508 void kauth_cred_setgid(kauth_cred_t, gid_t);
509 void kauth_cred_setegid(kauth_cred_t, gid_t);
510 void kauth_cred_setsvgid(kauth_cred_t, gid_t);
511
512 void kauth_cred_hold(kauth_cred_t);
513 u_int kauth_cred_getrefcnt(kauth_cred_t);
514
515 int kauth_cred_setgroups(kauth_cred_t, const gid_t *, size_t, uid_t,
516 enum uio_seg);
517 int kauth_cred_getgroups(kauth_cred_t, gid_t *, size_t, enum uio_seg);
518
519 /* This is for sys_setgroups() */
520 int kauth_proc_setgroups(struct lwp *, kauth_cred_t);
521
522 int kauth_register_key(secmodel_t, kauth_key_t *);
523 int kauth_deregister_key(kauth_key_t);
524 void kauth_cred_setdata(kauth_cred_t, kauth_key_t, void *);
525 void *kauth_cred_getdata(kauth_cred_t, kauth_key_t);
526
527 int kauth_cred_uidmatch(kauth_cred_t, kauth_cred_t);
528 void kauth_uucred_to_cred(kauth_cred_t, const struct uucred *);
529 void kauth_cred_to_uucred(struct uucred *, const kauth_cred_t);
530 int kauth_cred_uucmp(kauth_cred_t, const struct uucred *);
531 void kauth_cred_toucred(kauth_cred_t, struct ki_ucred *);
532 void kauth_cred_topcred(kauth_cred_t, struct ki_pcred *);
533
534 kauth_action_t kauth_accmode_to_action(accmode_t);
535 kauth_action_t kauth_extattr_action(mode_t);
536
537 #define KAUTH_ACCESS_ACTION(access_mode, vn_vtype, file_mode) \
538 (kauth_accmode_to_action(access_mode) | \
539 (FS_OBJECT_CAN_EXEC(vn_vtype, file_mode) ? KAUTH_VNODE_IS_EXEC : 0))
540
541 kauth_cred_t kauth_cred_get(void);
542
543 void kauth_proc_fork(struct proc *, struct proc *);
544 void kauth_proc_chroot(kauth_cred_t cred, struct cwdinfo *cwdi);
545
546 #endif /* !_SYS_KAUTH_H_ */
Cache object: 09396981144cea1fbc0aeca216f33e0a
|