sys/sys/kauth.h


    1 /* $NetBSD: kauth.h,v 1.89 2023/01/05 18:29:45 jakllsch Exp $ */
    2 
    3 /*-
    4  * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>  
    5  * All rights reserved.
    6  *
    7  * Redistribution and use in source and binary forms, with or without
    8  * modification, are permitted provided that the following conditions
    9  * are met:
   10  * 1. Redistributions of source code must retain the above copyright
   11  *    notice, this list of conditions and the following disclaimer.
   12  * 2. Redistributions in binary form must reproduce the above copyright
   13  *    notice, this list of conditions and the following disclaimer in the
   14  *    documentation and/or other materials provided with the distribution.
   15  * 3. The name of the author may not be used to endorse or promote products
   16  *    derived from this software without specific prior written permission.
   17  *
   18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
   19  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   20  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
   21  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
   22  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
   23  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
   24  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
   25  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   28  */
   29 
   30 /*
   31  * This is based on Apple TN2127, available online at
   32  * http://developer.apple.com/technotes/tn2005/tn2127.html
   33  */
   34 
   35 #ifndef _SYS_KAUTH_H_
   36 #define _SYS_KAUTH_H_
   37 
   38 #include <secmodel/secmodel.h> /* for secmodel_t type */
   39 #include <sys/stat.h> /* for modes */
   40 
   41 struct uucred;
   42 struct ki_ucred;
   43 struct ki_pcred;
   44 struct proc;
   45 struct tty;
   46 struct vnode;
   47 struct cwdinfo;
      /*
       * Forward declarations so the prototypes in this header can name these
       * types by pointer without pulling in their defining headers.
       * NOTE(review): struct lwp is named in the kauth_proc_setgroups()
       * prototype further down but is not in this list, so that prototype
       * relies on an earlier include having declared it -- confirm.
       */
   48 
   49 enum uio_seg;
      /*
       * NOTE(review): declaring an enum tag without its enumerator list is a
       * compiler extension rather than ISO C.  It is used here only so that
       * kauth_cred_setgroups()/kauth_cred_getgroups() can take the type.
       */
   50 
   51 /* Types. */
      /*
       * Scopes, listeners and keys are pointers to structures that this
       * header never defines, so callers can only hold them and pass them
       * back.  kauth_cred_t is used below but is not defined here; it has to
       * be visible from an earlier include.
       */
   52 typedef struct kauth_scope     *kauth_scope_t;
   53 typedef struct kauth_listener  *kauth_listener_t;
      /*
       * 64 bits wide: the KAUTH_VNODE_* action bits defined in this header go
       * up to (1ULL << 32), which does not fit a 32-bit type.
       */
   54 typedef uint64_t                kauth_action_t;
      /*
       * Callback type for scopes and listeners.  It receives the credential,
       * the action and five untyped pointers, and its int result is one of
       * the KAUTH_RESULT_* values.
       * NOTE(review): presumably the first void * is the cookie given at
       * registration and the other four are the request arguments of
       * kauth_authorize_action() -- confirm against kauth(9).
       */
   55 typedef int (*kauth_scope_callback_t)(kauth_cred_t, kauth_action_t,
   56                                       void *, void *, void *, void *, void *);
   57 typedef struct kauth_key       *kauth_key_t;
   58 
   59 #ifdef __KAUTH_PRIVATE  /* For the debugger */
   60 
   61 #include <sys/types.h>
   62 #include <sys/specificdata.h>
   63 
   64 /*
   65  * Credentials.
   66  *
   67  * A subset of this structure is used in kvm(3) (src/lib/libkvm/kvm_proc.c)
   68  * and should be synchronized with this structure when the update is
   69  * relevant.
       *
       * The definition is compiled only under __KAUTH_PRIVATE.  Code built
       * without it sees kauth_cred_t as an opaque handle and reaches the
       * identity fields through the kauth_cred_get*()/kauth_cred_set*()
       * prototypes declared later in this header.
   70  */
   71 struct kauth_cred {
   72         /*
   73          * Ensure that the first part of the credential resides in its own
   74          * cache line.  Due to sharing there aren't many kauth_creds in a
   75          * typical system, but the reference counts change very often.
   76          * Keeping it separate from the rest of the data prevents false
   77          * sharing between CPUs.
   78          */
   79         u_int cr_refcnt;                /* reference count */
   80 #if COHERENCY_UNIT > 4
              /*
               * The pad length hard-codes 4 as the size of cr_refcnt.
               * NOTE(review): that holds only where u_int is 4 bytes.
               */
   81         uint8_t cr_pad[COHERENCY_UNIT - 4];
   82 #endif
   83         uid_t cr_uid;                   /* user id */
   84         uid_t cr_euid;                  /* effective user id */
   85         uid_t cr_svuid;                 /* saved effective user id */
   86         gid_t cr_gid;                   /* group id */
   87         gid_t cr_egid;                  /* effective group id */
   88         gid_t cr_svgid;                 /* saved effective group id */
              /*
               * NOTE(review): cr_ngroups presumably counts the valid entries
               * of cr_groups[], which has room for NGROUPS of them.  Nothing
               * in this header keeps the count within that bound; confirm
               * that every writer of cr_ngroups checks it.
               */
   89         u_int cr_ngroups;               /* number of groups */
   90         gid_t cr_groups[NGROUPS];       /* group memberships */
   91         specificdata_reference cr_sd;   /* specific data */
   92 };
   93 
   94 #endif
   95 
   96 /*
   97  * Possible return values for a listener.
       *
       * KAUTH_RESULT_ALLOW is 0, so a result variable that is zero-initialised
       * and never assigned reads as "allow".  A listener that starts from
       * KAUTH_RESULT_DEFER (or KAUTH_RESULT_DENY) and sets ALLOW only on the
       * path that has actually checked the request fails closed instead.
       * How the results of several listeners are combined, and what happens
       * when all of them defer, is not defined in this header.
   98  */
   99 #define KAUTH_RESULT_ALLOW      0       /* allow access */
  100 #define KAUTH_RESULT_DENY       1       /* deny access */
  101 #define KAUTH_RESULT_DEFER      2       /* let others decide */
  102 
  103 /*
  104  * Scopes.
       *
       * One name per scope, written as a reverse-DNS style string.
       * NOTE(review): presumably these are the strings passed as the
       * const char * argument of kauth_register_scope() and
       * kauth_listen_scope() -- confirm.  Each scope has its own action
       * enumeration (or, for the vnode scope, action bits) below.
  105  */
  106 #define KAUTH_SCOPE_GENERIC     "org.netbsd.kauth.generic"
  107 #define KAUTH_SCOPE_SYSTEM      "org.netbsd.kauth.system"
  108 #define KAUTH_SCOPE_PROCESS     "org.netbsd.kauth.process"
  109 #define KAUTH_SCOPE_NETWORK     "org.netbsd.kauth.network"
  110 #define KAUTH_SCOPE_MACHDEP     "org.netbsd.kauth.machdep"
  111 #define KAUTH_SCOPE_DEVICE      "org.netbsd.kauth.device"
  112 #define KAUTH_SCOPE_CRED        "org.netbsd.kauth.cred"
  113 #define KAUTH_SCOPE_VNODE       "org.netbsd.kauth.vnode"
  114 
  115 /*
  116  * Generic scope - actions.
       *
       * Numbering starts at 1, so 0 is not an action in this scope.
       * KAUTH_GENERIC_UNUSED1 occupies value 1 and KAUTH_GENERIC_ISSUSER is
       * therefore 2.  NOTE(review): the placeholder presumably exists to keep
       * that value stable -- confirm before removing it.
  117  */
  118 enum {
  119         KAUTH_GENERIC_UNUSED1=1,
  120         KAUTH_GENERIC_ISSUSER,
  121 };
  122 
  123 /*
  124  * System scope - actions.
       *
       * Enumerators are numbered implicitly from 1 in declaration order, so 0
       * is not an action in this scope, and inserting or removing an entry
       * anywhere but at the end changes the value of every later one.
       * NOTE(review): presumably these are the kauth_action_t values given to
       * kauth_authorize_system(), refined by an enum kauth_system_req
       * sub-action -- confirm.
  125  */
  126 enum {
  127         KAUTH_SYSTEM_ACCOUNTING=1,
  128         KAUTH_SYSTEM_CHROOT,
  129         KAUTH_SYSTEM_CHSYSFLAGS,
  130         KAUTH_SYSTEM_CPU,
  131         KAUTH_SYSTEM_DEBUG,
  132         KAUTH_SYSTEM_FILEHANDLE,
  133         KAUTH_SYSTEM_MKNOD,
  134         KAUTH_SYSTEM_MOUNT,
  135         KAUTH_SYSTEM_PSET,
  136         KAUTH_SYSTEM_REBOOT,
  137         KAUTH_SYSTEM_SETIDCORE,
  138         KAUTH_SYSTEM_SWAPCTL,
  139         KAUTH_SYSTEM_SYSCTL,
  140         KAUTH_SYSTEM_TIME,
  141         KAUTH_SYSTEM_MODULE,
  142         KAUTH_SYSTEM_FS_RESERVEDSPACE,
  143         KAUTH_SYSTEM_FS_QUOTA,
  144         KAUTH_SYSTEM_SEMAPHORE,
  145         KAUTH_SYSTEM_SYSVIPC,
  146         KAUTH_SYSTEM_MQUEUE,
  147         KAUTH_SYSTEM_VERIEXEC,
  148         KAUTH_SYSTEM_DEVMAPPER,
  149         KAUTH_SYSTEM_MAP_VA_ZERO,
  150         KAUTH_SYSTEM_LFS,
  151         KAUTH_SYSTEM_FS_EXTATTR,
  152         KAUTH_SYSTEM_FS_SNAPSHOT,
  153         KAUTH_SYSTEM_INTR,
  154         KAUTH_SYSTEM_KERNADDR,
  155 };
  156 
  157 /*
  158  * System scope - sub-actions.
       *
       * This is the type of the third parameter of kauth_authorize_system().
       * Values are numbered implicitly from 1 in declaration order.
       * KAUTH_REQ_SYSTEM_MOUNT_UMAP and KAUTH_REQ_SYSTEM_MOUNT_DEVICE sit
       * after the LFS requests rather than with the other MOUNT_* entries,
       * which suggests new requests are appended so that existing values
       * stay stable (NOTE(review): confirm before reordering).
  159  */
  160 enum kauth_system_req {
  161         KAUTH_REQ_SYSTEM_CHROOT_CHROOT=1,
  162         KAUTH_REQ_SYSTEM_CHROOT_FCHROOT,
  163         KAUTH_REQ_SYSTEM_CPU_SETSTATE,
  164         KAUTH_REQ_SYSTEM_MOUNT_GET,
  165         KAUTH_REQ_SYSTEM_MOUNT_NEW,
  166         KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT,
  167         KAUTH_REQ_SYSTEM_MOUNT_UPDATE,
  168         KAUTH_REQ_SYSTEM_PSET_ASSIGN,
  169         KAUTH_REQ_SYSTEM_PSET_BIND,
  170         KAUTH_REQ_SYSTEM_PSET_CREATE,
  171         KAUTH_REQ_SYSTEM_PSET_DESTROY,
  172         KAUTH_REQ_SYSTEM_SYSCTL_ADD,
  173         KAUTH_REQ_SYSTEM_SYSCTL_DELETE,
  174         KAUTH_REQ_SYSTEM_SYSCTL_DESC,
  175         KAUTH_REQ_SYSTEM_SYSCTL_MODIFY,
  176         KAUTH_REQ_SYSTEM_SYSCTL_PRVT,
  177         KAUTH_REQ_SYSTEM_TIME_ADJTIME,
  178         KAUTH_REQ_SYSTEM_TIME_NTPADJTIME,
  179         KAUTH_REQ_SYSTEM_TIME_RTCOFFSET,
  180         KAUTH_REQ_SYSTEM_TIME_SYSTEM,
  181         KAUTH_REQ_SYSTEM_TIME_TIMECOUNTERS,
  182         KAUTH_REQ_SYSTEM_FS_QUOTA_GET,
  183         KAUTH_REQ_SYSTEM_FS_QUOTA_MANAGE,
  184         KAUTH_REQ_SYSTEM_FS_QUOTA_NOLIMIT,
  185         KAUTH_REQ_SYSTEM_FS_QUOTA_ONOFF,
  186         KAUTH_REQ_SYSTEM_SYSVIPC_BYPASS,
  187         KAUTH_REQ_SYSTEM_SYSVIPC_SHM_LOCK,
  188         KAUTH_REQ_SYSTEM_SYSVIPC_SHM_UNLOCK,
  189         KAUTH_REQ_SYSTEM_SYSVIPC_MSGQ_OVERSIZE,
  190         KAUTH_REQ_SYSTEM_VERIEXEC_ACCESS,
  191         KAUTH_REQ_SYSTEM_VERIEXEC_MODIFY,
  192         KAUTH_REQ_SYSTEM_LFS_MARKV,
  193         KAUTH_REQ_SYSTEM_LFS_BMAPV,
  194         KAUTH_REQ_SYSTEM_LFS_SEGCLEAN,
  195         KAUTH_REQ_SYSTEM_LFS_SEGWAIT,
  196         KAUTH_REQ_SYSTEM_LFS_FCNTL,
  197         KAUTH_REQ_SYSTEM_MOUNT_UMAP,
  198         KAUTH_REQ_SYSTEM_MOUNT_DEVICE,
  199         KAUTH_REQ_SYSTEM_INTR_AFFINITY,
  200 };
  201 
  202 /*
  203  * Process scope - actions.
       *
       * Numbered implicitly from 1 in declaration order; 0 is not an action
       * in this scope and the numeric values depend on the order below.
       * NOTE(review): presumably the kauth_action_t values given to
       * kauth_authorize_process(), whose struct proc * parameter names the
       * process being acted on -- confirm.
  204  */
  205 enum {
  206         KAUTH_PROCESS_CANSEE=1,
  207         KAUTH_PROCESS_CORENAME,
  208         KAUTH_PROCESS_FORK,
  209         KAUTH_PROCESS_KEVENT_FILTER,
  210         KAUTH_PROCESS_KTRACE,
  211         KAUTH_PROCESS_NICE,
  212         KAUTH_PROCESS_PROCFS,
  213         KAUTH_PROCESS_PTRACE,
  214         KAUTH_PROCESS_RLIMIT,
  215         KAUTH_PROCESS_SCHEDULER_GETAFFINITY,
  216         KAUTH_PROCESS_SCHEDULER_SETAFFINITY,
  217         KAUTH_PROCESS_SCHEDULER_GETPARAM,
  218         KAUTH_PROCESS_SCHEDULER_SETPARAM,
  219         KAUTH_PROCESS_SETID,
  220         KAUTH_PROCESS_SIGNAL,
  221         KAUTH_PROCESS_STOPFLAG
  222 };
  223 
  224 /*
  225  * Process scope - sub-actions.
       *
       * Numbered implicitly from 1 in declaration order.  Unlike the system
       * and network wrappers, kauth_authorize_process() has no parameter of
       * this enum type; its remaining arguments are void *.
       * NOTE(review): presumably a sub-action is passed through one of those
       * pointers with KAUTH_ARG(), so the listener has to cast it back to
       * enum kauth_process_req itself -- confirm.
  226  */
  227 enum kauth_process_req {
  228         KAUTH_REQ_PROCESS_CANSEE_ARGS=1,
  229         KAUTH_REQ_PROCESS_CANSEE_ENTRY,
  230         KAUTH_REQ_PROCESS_CANSEE_ENV,
  231         KAUTH_REQ_PROCESS_CANSEE_OPENFILES,
  232         KAUTH_REQ_PROCESS_CORENAME_GET,
  233         KAUTH_REQ_PROCESS_CORENAME_SET,
  234         KAUTH_REQ_PROCESS_KTRACE_PERSISTENT,
  235         KAUTH_REQ_PROCESS_PROCFS_READ,
  236         KAUTH_REQ_PROCESS_PROCFS_RW,
  237         KAUTH_REQ_PROCESS_PROCFS_WRITE,
  238         KAUTH_REQ_PROCESS_RLIMIT_GET,
  239         KAUTH_REQ_PROCESS_RLIMIT_SET,
  240         KAUTH_REQ_PROCESS_RLIMIT_BYPASS,
  241         KAUTH_REQ_PROCESS_CANSEE_EPROC,
  242         KAUTH_REQ_PROCESS_CANSEE_KPTR
  243 };
  244 
  245 /*
  246  * Network scope - actions.
       *
       * Numbered implicitly from 1 in declaration order; 0 is not an action
       * in this scope.  KAUTH_NETWORK_INTERFACE_STRIP is marked obsolete but
       * still occupies its slot, so the entries after it keep their values.
  247  */
  248 enum {
  249         KAUTH_NETWORK_ALTQ=1,
  250         KAUTH_NETWORK_BIND,
  251         KAUTH_NETWORK_FIREWALL,
  252         KAUTH_NETWORK_INTERFACE,
  253         KAUTH_NETWORK_FORWSRCRT,
  254         KAUTH_NETWORK_NFS,
  255         KAUTH_NETWORK_ROUTE,
  256         KAUTH_NETWORK_SOCKET,
  257         KAUTH_NETWORK_INTERFACE_PPP,
  258         KAUTH_NETWORK_INTERFACE_SLIP,
  259         KAUTH_NETWORK_INTERFACE_STRIP,  /* obsolete */
  260         KAUTH_NETWORK_INTERFACE_TUN,
  261         KAUTH_NETWORK_INTERFACE_BRIDGE,
  262         KAUTH_NETWORK_IPSEC,
  263         KAUTH_NETWORK_INTERFACE_PVC,
  264         KAUTH_NETWORK_IPV6,
  265         KAUTH_NETWORK_SMB,
  266         KAUTH_NETWORK_INTERFACE_WG,
  267 };
  268 
  269 /*
  270  * Network scope - sub-actions.
       *
       * This is the type of the third parameter of kauth_authorize_network().
       * Values are numbered implicitly from 1 in declaration order, and the
       * entries are not grouped by prefix (for example the INTERFACE_* and
       * BIND_* requests appear in several places), which suggests additions
       * are appended rather than inserted (NOTE(review): confirm before
       * reordering).  KAUTH_REQ_NETWORK_INTERFACE_STRIP_ADD is marked
       * obsolete but still occupies its slot.
  271  */
  272 enum kauth_network_req {
  273         KAUTH_REQ_NETWORK_ALTQ_AFMAP=1,
  274         KAUTH_REQ_NETWORK_ALTQ_BLUE,
  275         KAUTH_REQ_NETWORK_ALTQ_CBQ,
  276         KAUTH_REQ_NETWORK_ALTQ_CDNR,
  277         KAUTH_REQ_NETWORK_ALTQ_CONF,
  278         KAUTH_REQ_NETWORK_ALTQ_FIFOQ,
  279         KAUTH_REQ_NETWORK_ALTQ_HFSC,
  280         KAUTH_REQ_NETWORK_ALTQ_JOBS,
  281         KAUTH_REQ_NETWORK_ALTQ_PRIQ,
  282         KAUTH_REQ_NETWORK_ALTQ_RED,
  283         KAUTH_REQ_NETWORK_ALTQ_RIO,
  284         KAUTH_REQ_NETWORK_ALTQ_WFQ,
  285         KAUTH_REQ_NETWORK_BIND_PORT,
  286         KAUTH_REQ_NETWORK_BIND_PRIVPORT,
  287         KAUTH_REQ_NETWORK_FIREWALL_FW,
  288         KAUTH_REQ_NETWORK_FIREWALL_NAT,
  289         KAUTH_REQ_NETWORK_INTERFACE_GET,
  290         KAUTH_REQ_NETWORK_INTERFACE_GETPRIV,
  291         KAUTH_REQ_NETWORK_INTERFACE_SET,
  292         KAUTH_REQ_NETWORK_INTERFACE_SETPRIV,
  293         KAUTH_REQ_NETWORK_NFS_EXPORT,
  294         KAUTH_REQ_NETWORK_NFS_SVC,
  295         KAUTH_REQ_NETWORK_SOCKET_OPEN,
  296         KAUTH_REQ_NETWORK_SOCKET_RAWSOCK,
  297         KAUTH_REQ_NETWORK_SOCKET_CANSEE,
  298         KAUTH_REQ_NETWORK_SOCKET_DROP,
  299         KAUTH_REQ_NETWORK_SOCKET_SETPRIV,
  300         KAUTH_REQ_NETWORK_INTERFACE_PPP_ADD,
  301         KAUTH_REQ_NETWORK_INTERFACE_SLIP_ADD,
  302         KAUTH_REQ_NETWORK_INTERFACE_STRIP_ADD,  /* obsolete */
  303         KAUTH_REQ_NETWORK_INTERFACE_TUN_ADD,
  304         KAUTH_REQ_NETWORK_IPV6_HOPBYHOP,
  305         KAUTH_REQ_NETWORK_INTERFACE_BRIDGE_GETPRIV,
  306         KAUTH_REQ_NETWORK_INTERFACE_BRIDGE_SETPRIV,
  307         KAUTH_REQ_NETWORK_IPSEC_BYPASS,
  308         KAUTH_REQ_NETWORK_IPV6_JOIN_MULTICAST,
  309         KAUTH_REQ_NETWORK_INTERFACE_PVC_ADD,
  310         KAUTH_REQ_NETWORK_SMB_SHARE_ACCESS,
  311         KAUTH_REQ_NETWORK_SMB_SHARE_CREATE,
  312         KAUTH_REQ_NETWORK_SMB_VC_ACCESS,
  313         KAUTH_REQ_NETWORK_SMB_VC_CREATE,
  314         KAUTH_REQ_NETWORK_INTERFACE_FIRMWARE,
  315         KAUTH_REQ_NETWORK_BIND_ANYADDR,
  316         KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV,
  317         KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV,
  318 };
  319 
  320 /*
  321  * Machdep scope - actions.
       *
       * Numbered implicitly from 1 in declaration order; 0 is not an action
       * in this scope.  This header declares no sub-action enum for the
       * machdep scope; kauth_authorize_machdep() takes four untyped void *
       * arguments after the action.
  322  */
  323 enum {
  324         KAUTH_MACHDEP_CACHEFLUSH=1,
  325         KAUTH_MACHDEP_CPU_UCODE_APPLY,
  326         KAUTH_MACHDEP_IOPERM_GET,
  327         KAUTH_MACHDEP_IOPERM_SET,
  328         KAUTH_MACHDEP_IOPL,
  329         KAUTH_MACHDEP_LDT_GET,
  330         KAUTH_MACHDEP_LDT_SET,
  331         KAUTH_MACHDEP_MTRR_GET,
  332         KAUTH_MACHDEP_MTRR_SET,
  333         KAUTH_MACHDEP_NVRAM,
  334         KAUTH_MACHDEP_UNMANAGEDMEM,
  335         KAUTH_MACHDEP_PXG,
  336         KAUTH_MACHDEP_SVS_DISABLE
  337 };
  338 
  339 /*
  340  * Device scope - actions.
       *
       * Numbered implicitly from 1 in declaration order; 0 is not an action
       * in this scope.  The entries are not grouped by device class (the
       * BLUETOOTH_* and TTY_* actions appear in several places), which
       * suggests additions are appended rather than inserted
       * (NOTE(review): confirm before reordering).
  341  */
  342 enum {
  343         KAUTH_DEVICE_TTY_OPEN=1,
  344         KAUTH_DEVICE_TTY_PRIVSET,
  345         KAUTH_DEVICE_TTY_STI,
  346         KAUTH_DEVICE_RAWIO_SPEC,
  347         KAUTH_DEVICE_RAWIO_PASSTHRU,
  348         KAUTH_DEVICE_BLUETOOTH_SETPRIV,
  349         KAUTH_DEVICE_RND_ADDDATA,
  350         KAUTH_DEVICE_RND_ADDDATA_ESTIMATE,
  351         KAUTH_DEVICE_RND_GETPRIV,
  352         KAUTH_DEVICE_RND_SETPRIV,
  353         KAUTH_DEVICE_BLUETOOTH_BCSP,
  354         KAUTH_DEVICE_BLUETOOTH_BTUART,
  355         KAUTH_DEVICE_GPIO_PINSET,
  356         KAUTH_DEVICE_BLUETOOTH_SEND,
  357         KAUTH_DEVICE_BLUETOOTH_RECV,
  358         KAUTH_DEVICE_TTY_VIRTUAL,
  359         KAUTH_DEVICE_WSCONS_KEYBOARD_BELL,
  360         KAUTH_DEVICE_WSCONS_KEYBOARD_KEYREPEAT,
  361         KAUTH_DEVICE_NVMM_CTL,
  362 };
  363 
  364 /*
  365  * Device scope - sub-actions.
       *
       * This is the type of the second parameter of
       * kauth_authorize_device_spec().  Values are numbered implicitly from 1
       * in declaration order.  The passthru request identifiers are separate
       * bit-flag macros (KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_*), not members of
       * this enum.
  366  */
  367 enum kauth_device_req {
  368         KAUTH_REQ_DEVICE_RAWIO_SPEC_READ=1,
  369         KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE,
  370         KAUTH_REQ_DEVICE_RAWIO_SPEC_RW,
  371         KAUTH_REQ_DEVICE_BLUETOOTH_BCSP_ADD,
  372         KAUTH_REQ_DEVICE_BLUETOOTH_BTUART_ADD,
  373 };
  374 
  375 /*
  376  * Credentials scope - actions.
       *
       * Numbered implicitly from 1 in declaration order; 0 is not an action
       * in this scope.  This header declares no kauth_authorize_*() wrapper
       * for the credentials scope.
       * NOTE(review): presumably these are raised as notifications when a
       * credential is created, forked, copied, freed or chrooted, so that a
       * listener can maintain its per-credential data -- confirm.
  377  */
  378 enum {
  379         KAUTH_CRED_INIT=1,
  380         KAUTH_CRED_FORK,
  381         KAUTH_CRED_COPY,
  382         KAUTH_CRED_FREE,
  383         KAUTH_CRED_CHROOT
  384 };
  385 
  386 /*
  387  * Vnode scope - action bits.
       *
       * Unlike the other scopes, each action here is a single bit of an
       * unsigned 64-bit value.
       *
       * Several names are aliases for the same bit: LIST_DIRECTORY is
       * READ_DATA, ADD_FILE is WRITE_DATA, SEARCH is EXECUTE and
       * ADD_SUBDIRECTORY is APPEND_DATA.  The bit alone therefore does not
       * say whether the file or the directory meaning was intended.
       *
       * Bits 22 to 28 are not assigned.  KAUTH_VNODE_ADD_LINK is bit 32, so
       * an action mask stored in an int or any other 32-bit type loses it;
       * keep masks in kauth_action_t.
  388  */
  389 #define KAUTH_VNODE_READ_DATA           (1ULL << 0)
  390 #define KAUTH_VNODE_LIST_DIRECTORY      KAUTH_VNODE_READ_DATA
  391 #define KAUTH_VNODE_WRITE_DATA          (1ULL << 1)
  392 #define KAUTH_VNODE_ADD_FILE            KAUTH_VNODE_WRITE_DATA
  393 #define KAUTH_VNODE_EXECUTE             (1ULL << 2)
  394 #define KAUTH_VNODE_SEARCH              KAUTH_VNODE_EXECUTE
  395 #define KAUTH_VNODE_DELETE              (1ULL << 3)
  396 #define KAUTH_VNODE_APPEND_DATA         (1ULL << 4)
  397 #define KAUTH_VNODE_ADD_SUBDIRECTORY    KAUTH_VNODE_APPEND_DATA
  398 #define KAUTH_VNODE_READ_TIMES          (1ULL << 5)
  399 #define KAUTH_VNODE_WRITE_TIMES         (1ULL << 6)
  400 #define KAUTH_VNODE_READ_FLAGS          (1ULL << 7)
  401 #define KAUTH_VNODE_WRITE_FLAGS         (1ULL << 8)
  402 #define KAUTH_VNODE_READ_SYSFLAGS       (1ULL << 9)
  403 #define KAUTH_VNODE_WRITE_SYSFLAGS      (1ULL << 10)
  404 #define KAUTH_VNODE_RENAME              (1ULL << 11)
  405 #define KAUTH_VNODE_CHANGE_OWNERSHIP    (1ULL << 12)
  406 #define KAUTH_VNODE_READ_SECURITY       (1ULL << 13)
  407 #define KAUTH_VNODE_WRITE_SECURITY      (1ULL << 14)
  408 #define KAUTH_VNODE_READ_ATTRIBUTES     (1ULL << 15)
  409 #define KAUTH_VNODE_WRITE_ATTRIBUTES    (1ULL << 16)
  410 #define KAUTH_VNODE_READ_EXTATTRIBUTES  (1ULL << 17)
  411 #define KAUTH_VNODE_WRITE_EXTATTRIBUTES (1ULL << 18)
  412 #define KAUTH_VNODE_RETAIN_SUID         (1ULL << 19)
  413 #define KAUTH_VNODE_RETAIN_SGID         (1ULL << 20)
  414 #define KAUTH_VNODE_REVOKE              (1ULL << 21)
  415 
  416 #define KAUTH_VNODE_IS_EXEC             (1ULL << 29)
  417 #define KAUTH_VNODE_HAS_SYSFLAGS        (1ULL << 30)
  418 #define KAUTH_VNODE_ACCESS              (1ULL << 31)
  419 #define KAUTH_VNODE_ADD_LINK            (1ULL << 32)
  420 
  421 /*
  422  * This is a special fs_decision indication that can be used by file-systems
  423  * that don't support decision-before-action to tell kauth(9) it can only
  424  * short-circuit the operation beforehand.
       *
       * The value is the int -1.
       * NOTE(review): presumably it is passed as the final int argument of
       * kauth_authorize_vnode() in place of the file system's own decision;
       * how listeners treat that case is not visible in this header --
       * confirm.
  425  */
  426 #define KAUTH_VNODE_REMOTEFS            (-1)
  427 
  428 /*
  429  * Device scope, passthru request - identifiers.
       *
       * These are bit flags, one bit per kind of access;
       * KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL (0xF) is the OR of the four.
       * NOTE(review): presumably this mask is the u_long argument of
       * kauth_authorize_device_passthru() -- confirm.
  430  */
  431 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READ            0x00000001
  432 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITE           0x00000002
  433 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF        0x00000004
  434 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITECONF       0x00000008
  435 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL             0x0000000F
  436 
  437 #define NOCRED ((kauth_cred_t)-1)       /* no credential available */
  438 #define FSCRED ((kauth_cred_t)-2)       /* filesystem credential */
      /*
       * Both are the integers -1 and -2 cast to kauth_cred_t, so they are
       * marker values, not pointers to a credential object, and neither is
       * equal to NULL.  A "cred != NULL" test does not filter them out.
       * NOTE(review): whether the kauth_cred_*() accessors and the
       * kauth_authorize_*() wrappers accept these markers is not visible in
       * this header; compare against NOCRED/FSCRED explicitly before
       * handing a credential to code that dereferences it.
       */
  439 
  440 /*
       * Macro to help passing arguments to authorization wrappers.
       *
       * The argument is converted to unsigned long and then to void *, so a
       * value wider than unsigned long is truncated on the way in.  The
       * resulting pointer carries no type information: the listener that
       * receives it has to know what the caller packed and cast it back to
       * that type.
       */
  441 #define KAUTH_ARG(arg)  ((void *)(unsigned long)(arg))
  442 
  443 /*
  444  * A file-system object is determined to be able to execute if it's a
  445  * directory or if the execute bit is present in any of the
  446  * owner/group/other modes.
  447  *
  448  * This helper macro is intended to be used in order to implement a
  449  * policy that maintains the semantics of "a privileged user can enter
  450  * directory, and can execute any file, but only if the file is actually
  451  * executable."
       *
       * The result is a property of the object, not of the requester: it
       * looks only at the vnode type and the mode bits and takes no
       * credential, so it is not an access check on its own.  It evaluates
       * to 0 or 1, and each argument is expanded exactly once.  VDIR is not
       * defined in this header; the including file has to provide it.
  452  */
  453 #define FS_OBJECT_CAN_EXEC(vtype, mode) (((vtype) == VDIR) ||           \
  454                                          ((mode) &                      \
  455                                           (S_IXUSR|S_IXGRP|S_IXOTH)))
  456 
  457 /*
  458  * Prototypes.
       *
       * kauth_register_scope() and kauth_listen_scope() take a scope name, a
       * callback and a void *, and return a handle that the matching
       * kauth_deregister_scope()/kauth_unlisten_scope() call takes back.
       * kauth_authorize_action() takes the scope handle, the credential, the
       * action and four untyped request arguments.
       * NOTE(review): the void * given at registration is presumably handed
       * to the callback as its cookie, and the int result of
       * kauth_authorize_action() is presumably 0 when the request is allowed
       * and an error number otherwise -- confirm both against kauth(9).
  459  */
  460 void kauth_init(void);
  461 kauth_scope_t kauth_register_scope(const char *, kauth_scope_callback_t, void *);
  462 void kauth_deregister_scope(kauth_scope_t);
  463 kauth_listener_t kauth_listen_scope(const char *, kauth_scope_callback_t, void *);
  464 void kauth_unlisten_scope(kauth_listener_t);
  465 int kauth_authorize_action(kauth_scope_t, kauth_cred_t, kauth_action_t, void *,
  466     void *, void *, void *);
  467 
  468 /*
       * Authorization wrappers.
       *
       * One entry point per scope, each taking the credential to check
       * first.  Only the system, network and device_spec wrappers take a
       * typed sub-action enum; the process, machdep and device wrappers pass
       * their extra arguments as void *, so the compiler cannot check what a
       * caller puts there.  kauth_authorize_device_spec() and
       * kauth_authorize_device_passthru() take no kauth_action_t at all.
       * NOTE(review): the final int of kauth_authorize_vnode() is presumably
       * the file system's own decision (see KAUTH_VNODE_REMOTEFS) -- confirm.
       */
  469 int kauth_authorize_generic(kauth_cred_t, kauth_action_t, void *);
  470 int kauth_authorize_system(kauth_cred_t, kauth_action_t, enum kauth_system_req,
  471     void *, void *, void *);
  472 int kauth_authorize_process(kauth_cred_t, kauth_action_t, struct proc *,
  473     void *, void *, void *);
  474 int kauth_authorize_network(kauth_cred_t, kauth_action_t,
  475     enum kauth_network_req, void *, void *, void *);
  476 int kauth_authorize_machdep(kauth_cred_t, kauth_action_t,
  477     void *, void *, void *, void *);
  478 int kauth_authorize_device(kauth_cred_t, kauth_action_t,
  479     void *, void *, void *, void *);
  480 int kauth_authorize_device_tty(kauth_cred_t, kauth_action_t, struct tty *);
  481 int kauth_authorize_device_spec(kauth_cred_t, enum kauth_device_req,
  482     struct vnode *);
  483 int kauth_authorize_device_passthru(kauth_cred_t, dev_t, u_long, void *);
  484 int kauth_authorize_vnode(kauth_cred_t, kauth_action_t, struct vnode *,
  485     struct vnode *, int);
  486 
  487 /*
       * Kauth credentials management routines.
       *
       * Everything below takes the opaque kauth_cred_t handle.
       * NOTE(review): the prototypes do not show how kauth_cred_clone(),
       * kauth_cred_dup() and kauth_cred_copy() differ, nor whether any of
       * them tolerates the NOCRED/FSCRED markers -- confirm in the
       * implementation before relying on either.
       */
  488 kauth_cred_t kauth_cred_alloc(void);
  489 void kauth_cred_free(kauth_cred_t);
  490 void kauth_cred_clone(kauth_cred_t, kauth_cred_t);
  491 kauth_cred_t kauth_cred_dup(kauth_cred_t);
  492 kauth_cred_t kauth_cred_copy(kauth_cred_t);
  493 
      /*
       * Read accessors for the identity fields.
       * NOTE(review): kauth_cred_group() takes a u_int that is presumably an
       * index into the group list and so has to be below
       * kauth_cred_ngroups() -- confirm that the callee checks it.
       */
  494 uid_t kauth_cred_getuid(kauth_cred_t);
  495 uid_t kauth_cred_geteuid(kauth_cred_t);
  496 uid_t kauth_cred_getsvuid(kauth_cred_t);
  497 gid_t kauth_cred_getgid(kauth_cred_t);
  498 gid_t kauth_cred_getegid(kauth_cred_t);
  499 gid_t kauth_cred_getsvgid(kauth_cred_t);
  500 int kauth_cred_ismember_gid(kauth_cred_t, gid_t, int *);
  501 int kauth_cred_groupmember(kauth_cred_t, gid_t);
  502 u_int kauth_cred_ngroups(kauth_cred_t);
  503 gid_t kauth_cred_group(kauth_cred_t, u_int);
  504 
      /*
       * Write accessors.  They return void, so a caller gets no indication
       * from them of whether the change was permitted; any authorization has
       * to happen before the call.
       */
  505 void kauth_cred_setuid(kauth_cred_t, uid_t);
  506 void kauth_cred_seteuid(kauth_cred_t, uid_t);
  507 void kauth_cred_setsvuid(kauth_cred_t, uid_t);
  508 void kauth_cred_setgid(kauth_cred_t, gid_t);
  509 void kauth_cred_setegid(kauth_cred_t, gid_t);
  510 void kauth_cred_setsvgid(kauth_cred_t, gid_t);
  511 
      /*
       * NOTE(review): presumably kauth_cred_hold() takes a reference that a
       * later kauth_cred_free() drops -- confirm.
       */
  512 void kauth_cred_hold(kauth_cred_t);
  513 u_int kauth_cred_getrefcnt(kauth_cred_t);
  514 
      /*
       * Bulk group list access.
       * NOTE(review): the size_t is presumably the number of gid_t entries
       * in the buffer and the enum uio_seg presumably says whether that
       * buffer is a user-space or a kernel address; a wrong segment value
       * would make the callee treat an untrusted pointer as trusted --
       * confirm both at every call site.
       */
  515 int kauth_cred_setgroups(kauth_cred_t, const gid_t *, size_t, uid_t,
  516     enum uio_seg);
  517 int kauth_cred_getgroups(kauth_cred_t, gid_t *, size_t, enum uio_seg);
  518 
  519 /* This is for sys_setgroups() */
  520 int kauth_proc_setgroups(struct lwp *, kauth_cred_t);
  521 
      /*
       * Per-credential data slots.  A key is obtained with
       * kauth_register_key(), which takes a secmodel_t, and is then used to
       * store and fetch one void * per credential.
       */
  522 int kauth_register_key(secmodel_t, kauth_key_t *);
  523 int kauth_deregister_key(kauth_key_t);
  524 void kauth_cred_setdata(kauth_cred_t, kauth_key_t, void *);
  525 void *kauth_cred_getdata(kauth_cred_t, kauth_key_t);
  526 
      /* Comparison and conversion to and from the other credential structs. */
  527 int kauth_cred_uidmatch(kauth_cred_t, kauth_cred_t);
  528 void kauth_uucred_to_cred(kauth_cred_t, const struct uucred *);
  529 void kauth_cred_to_uucred(struct uucred *, const kauth_cred_t);
  530 int kauth_cred_uucmp(kauth_cred_t, const struct uucred *);
  531 void kauth_cred_toucred(kauth_cred_t, struct ki_ucred *);
  532 void kauth_cred_topcred(kauth_cred_t, struct ki_pcred *);
  533 
  534 kauth_action_t kauth_accmode_to_action(accmode_t);
  535 kauth_action_t kauth_extattr_action(mode_t);
  536 
      /*
       * Builds a vnode-scope action mask: the result of
       * kauth_accmode_to_action(access_mode), with KAUTH_VNODE_IS_EXEC OR-ed
       * in when FS_OBJECT_CAN_EXEC(vn_vtype, file_mode) is true.  Each macro
       * argument is expanded exactly once.
       */
  537 #define KAUTH_ACCESS_ACTION(access_mode, vn_vtype, file_mode)   \
  538         (kauth_accmode_to_action(access_mode) |                 \
  539         (FS_OBJECT_CAN_EXEC(vn_vtype, file_mode) ? KAUTH_VNODE_IS_EXEC : 0))
  540 
  541 kauth_cred_t kauth_cred_get(void);
  542 
  543 void kauth_proc_fork(struct proc *, struct proc *);
  544 void kauth_proc_chroot(kauth_cred_t cred, struct cwdinfo *cwdi);
  545 
  546 #endif  /* !_SYS_KAUTH_H_ */
