FreeBSD/Linux Kernel Cross Reference
sys/sys/kauth.h
1 /* $NetBSD: kauth.h,v 1.24.2.4 2007/01/21 19:12:10 bouyer Exp $ */
2
3 /*-
4 * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. All advertising materials mentioning features or use of this software
16 * must display the following acknowledgement:
17 * This product includes software developed by Elad Efrat.
18 * 4. The name of the author may not be used to endorse or promote products
19 * derived from this software without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 /*
34 * This is based on Apple TN2127, available online at
35 * http://developer.apple.com/technotes/tn2005/tn2127.html
36 */
37
38 #ifndef _SYS_KAUTH_H_
39 #define _SYS_KAUTH_H_
40
41 struct uucred;
42 struct ucred;
43 struct pcred;
44 struct proc;
45 struct tty;
46 struct vnode;
47
48 /* Types. */
49 typedef struct kauth_scope *kauth_scope_t;
50 typedef struct kauth_listener *kauth_listener_t;
51 typedef uint32_t kauth_action_t;
52 typedef int (*kauth_scope_callback_t)(kauth_cred_t, kauth_action_t,
53 void *, void *, void *, void *, void *);
54
55 /*
56 * Possible return values for a listener.
57 */
58 #define KAUTH_RESULT_ALLOW 0 /* allow access */
59 #define KAUTH_RESULT_DENY 1 /* deny access */
60 #define KAUTH_RESULT_DEFER 2 /* let others decide */
61
62 /*
63 * Scopes.
64 */
65 #define KAUTH_SCOPE_GENERIC "org.netbsd.kauth.generic"
66 #define KAUTH_SCOPE_SYSTEM "org.netbsd.kauth.system"
67 #define KAUTH_SCOPE_PROCESS "org.netbsd.kauth.process"
68 #define KAUTH_SCOPE_NETWORK "org.netbsd.kauth.network"
69 #define KAUTH_SCOPE_MACHDEP "org.netbsd.kauth.machdep"
70 #define KAUTH_SCOPE_DEVICE "org.netbsd.kauth.device"
71
72 /*
73 * Generic scope - actions.
74 */
75 enum {
76 KAUTH_GENERIC_CANSEE=1,
77 KAUTH_GENERIC_ISSUSER
78 };
79
80 /*
81 * System scope - actions.
82 */
83 enum {
84 KAUTH_SYSTEM_ACCOUNTING=1,
85 KAUTH_SYSTEM_CHROOT,
86 KAUTH_SYSTEM_DEBUG,
87 KAUTH_SYSTEM_FILEHANDLE,
88 KAUTH_SYSTEM_LKM,
89 KAUTH_SYSTEM_MKNOD,
90 KAUTH_SYSTEM_REBOOT,
91 KAUTH_SYSTEM_SETIDCORE,
92 KAUTH_SYSTEM_SWAPCTL,
93 KAUTH_SYSTEM_SYSCTL,
94 KAUTH_SYSTEM_TIME
95 };
96
97 /*
98 * System scope - sub-actions.
99 */
100 enum kauth_system_req {
101 KAUTH_REQ_SYSTEM_CHROOT_CHROOT=1,
102 KAUTH_REQ_SYSTEM_CHROOT_FCHROOT,
103 KAUTH_REQ_SYSTEM_DEBUG_IPKDB,
104 KAUTH_REQ_SYSTEM_SYSCTL_ADD,
105 KAUTH_REQ_SYSTEM_SYSCTL_DELETE,
106 KAUTH_REQ_SYSTEM_SYSCTL_DESC,
107 KAUTH_REQ_SYSTEM_SYSCTL_PRVT,
108 KAUTH_REQ_SYSTEM_TIME_ADJTIME,
109 KAUTH_REQ_SYSTEM_TIME_BACKWARDS,
110 KAUTH_REQ_SYSTEM_TIME_NTPADJTIME,
111 KAUTH_REQ_SYSTEM_TIME_RTCOFFSET,
112 KAUTH_REQ_SYSTEM_TIME_SYSTEM
113 };
114
115 /*
116 * Process scope - actions.
117 */
118 enum {
119 KAUTH_PROCESS_CANKTRACE=1,
120 KAUTH_PROCESS_CANPROCFS,
121 KAUTH_PROCESS_CANPTRACE,
122 KAUTH_PROCESS_CANSEE,
123 KAUTH_PROCESS_CANSIGNAL,
124 KAUTH_PROCESS_CANSYSTRACE,
125 KAUTH_PROCESS_CORENAME,
126 KAUTH_PROCESS_NICE,
127 KAUTH_PROCESS_RLIMIT,
128 KAUTH_PROCESS_SETID
129 };
130
131 /*
132 * Process scope - sub-actions.
133 */
134 enum kauth_process_req {
135 KAUTH_REQ_PROCESS_CANPROCFS_CTL=1,
136 KAUTH_REQ_PROCESS_CANPROCFS_READ,
137 KAUTH_REQ_PROCESS_CANPROCFS_RW,
138 KAUTH_REQ_PROCESS_CANPROCFS_WRITE
139 };
140
141 /*
142 * Network scope - actions.
143 */
144 enum {
145 KAUTH_NETWORK_ALTQ=1,
146 KAUTH_NETWORK_BIND,
147 KAUTH_NETWORK_FIREWALL,
148 KAUTH_NETWORK_INTERFACE,
149 KAUTH_NETWORK_FORWSRCRT,
150 KAUTH_NETWORK_ROUTE,
151 KAUTH_NETWORK_SOCKET
152 };
153
154 /*
155 * Network scope - sub-actions.
156 */
157 enum kauth_network_req {
158 KAUTH_REQ_NETWORK_ALTQ_AFMAP=1,
159 KAUTH_REQ_NETWORK_ALTQ_BLUE,
160 KAUTH_REQ_NETWORK_ALTQ_CBQ,
161 KAUTH_REQ_NETWORK_ALTQ_CDNR,
162 KAUTH_REQ_NETWORK_ALTQ_CONF,
163 KAUTH_REQ_NETWORK_ALTQ_FIFOQ,
164 KAUTH_REQ_NETWORK_ALTQ_HFSC,
165 KAUTH_REQ_NETWORK_ALTQ_JOBS,
166 KAUTH_REQ_NETWORK_ALTQ_PRIQ,
167 KAUTH_REQ_NETWORK_ALTQ_RED,
168 KAUTH_REQ_NETWORK_ALTQ_RIO,
169 KAUTH_REQ_NETWORK_ALTQ_WFQ,
170 KAUTH_REQ_NETWORK_BIND_PORT,
171 KAUTH_REQ_NETWORK_BIND_PRIVPORT,
172 KAUTH_REQ_NETWORK_FIREWALL_FW,
173 KAUTH_REQ_NETWORK_FIREWALL_NAT,
174 KAUTH_REQ_NETWORK_INTERFACE_GET,
175 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV,
176 KAUTH_REQ_NETWORK_INTERFACE_SET,
177 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV,
178 KAUTH_REQ_NETWORK_SOCKET_OPEN,
179 KAUTH_REQ_NETWORK_SOCKET_RAWSOCK,
180 KAUTH_REQ_NETWORK_SOCKET_CANSEE
181 };
182
183 /*
184 * Machdep scope - actions.
185 */
186 enum {
187 KAUTH_MACHDEP_IOPERM_GET=1,
188 KAUTH_MACHDEP_IOPERM_SET,
189 KAUTH_MACHDEP_IOPL,
190 KAUTH_MACHDEP_LDT_GET,
191 KAUTH_MACHDEP_LDT_SET,
192 KAUTH_MACHDEP_MTRR_GET,
193 KAUTH_MACHDEP_MTRR_SET,
194 KAUTH_MACHDEP_UNMANAGEDMEM
195 };
196
197 /*
198 * Device scope - actions.
199 */
200 enum {
201 KAUTH_DEVICE_TTY_OPEN=1,
202 KAUTH_DEVICE_TTY_PRIVSET,
203 KAUTH_DEVICE_RAWIO_SPEC,
204 KAUTH_DEVICE_RAWIO_PASSTHRU
205 };
206
207 /*
208 * Device scope - sub-actions.
209 */
210 enum kauth_device_req {
211 KAUTH_REQ_DEVICE_RAWIO_SPEC_READ=1,
212 KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE,
213 KAUTH_REQ_DEVICE_RAWIO_SPEC_RW,
214 };
215
216 /*
217 * Device scope, passthru request - identifiers.
218 */
219 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READ 0x00000001
220 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITE 0x00000002
221 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF 0x00000004
222 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITECONF 0x00000008
223 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL 0x0000000F
224
225 #define NOCRED ((kauth_cred_t)-1) /* no credential available */
226 #define FSCRED ((kauth_cred_t)-2) /* filesystem credential */
227
228 /* Macro to help passing arguments to authorization wrappers. */
229 #define KAUTH_ARG(arg) ((void *)(unsigned long)(arg))
230
231 /*
232 * Prototypes.
233 */
234 void kauth_init(void);
235 kauth_scope_t kauth_register_scope(const char *, kauth_scope_callback_t, void *);
236 void kauth_deregister_scope(kauth_scope_t);
237 kauth_listener_t kauth_listen_scope(const char *, kauth_scope_callback_t, void *);
238 void kauth_unlisten_scope(kauth_listener_t);
239 int kauth_authorize_action(kauth_scope_t, kauth_cred_t, kauth_action_t, void *,
240 void *, void *, void *);
241
242 /* Authorization wrappers. */
243 int kauth_authorize_generic(kauth_cred_t, kauth_action_t, void *);
244 int kauth_authorize_system(kauth_cred_t, kauth_action_t, enum kauth_system_req,
245 void *, void *, void *);
246 int kauth_authorize_process(kauth_cred_t, kauth_action_t, struct proc *,
247 void *, void *, void *);
248 int kauth_authorize_network(kauth_cred_t, kauth_action_t,
249 enum kauth_network_req, void *, void *, void *);
250 int kauth_authorize_machdep(kauth_cred_t, kauth_action_t,
251 void *, void *, void *, void *);
252 int kauth_authorize_device(kauth_cred_t, kauth_action_t,
253 void *, void *, void *, void *);
254 int kauth_authorize_device_tty(kauth_cred_t, kauth_action_t, struct tty *);
255 int kauth_authorize_device_spec(kauth_cred_t, enum kauth_device_req,
256 struct vnode *);
257 int kauth_authorize_device_passthru(kauth_cred_t, dev_t, u_long, void *);
258
259 /* Kauth credentials management routines. */
260 kauth_cred_t kauth_cred_alloc(void);
261 void kauth_cred_free(kauth_cred_t);
262 void kauth_cred_clone(kauth_cred_t, kauth_cred_t);
263 kauth_cred_t kauth_cred_dup(kauth_cred_t);
264 kauth_cred_t kauth_cred_copy(kauth_cred_t);
265
266 uid_t kauth_cred_getuid(kauth_cred_t);
267 uid_t kauth_cred_geteuid(kauth_cred_t);
268 uid_t kauth_cred_getsvuid(kauth_cred_t);
269 gid_t kauth_cred_getgid(kauth_cred_t);
270 gid_t kauth_cred_getegid(kauth_cred_t);
271 gid_t kauth_cred_getsvgid(kauth_cred_t);
272 int kauth_cred_ismember_gid(kauth_cred_t, gid_t, int *);
273 u_int kauth_cred_ngroups(kauth_cred_t);
274 gid_t kauth_cred_group(kauth_cred_t, u_int);
275
276 void kauth_cred_setuid(kauth_cred_t, uid_t);
277 void kauth_cred_seteuid(kauth_cred_t, uid_t);
278 void kauth_cred_setsvuid(kauth_cred_t, uid_t);
279 void kauth_cred_setgid(kauth_cred_t, gid_t);
280 void kauth_cred_setegid(kauth_cred_t, gid_t);
281 void kauth_cred_setsvgid(kauth_cred_t, gid_t);
282
283 void kauth_cred_hold(kauth_cred_t);
284 u_int kauth_cred_getrefcnt(kauth_cred_t);
285
286 int kauth_cred_setgroups(kauth_cred_t, gid_t *, size_t, uid_t);
287 int kauth_cred_getgroups(kauth_cred_t, gid_t *, size_t);
288
289 int kauth_cred_uidmatch(kauth_cred_t, kauth_cred_t);
290 void kauth_uucred_to_cred(kauth_cred_t, const struct uucred *);
291 void kauth_cred_to_uucred(struct uucred *, const kauth_cred_t);
292 int kauth_cred_uucmp(kauth_cred_t, const struct uucred *);
293 void kauth_cred_toucred(kauth_cred_t, struct ucred *);
294 void kauth_cred_topcred(kauth_cred_t, struct pcred *);
295
296 kauth_cred_t kauth_cred_get(void);
297
298 #endif /* !_SYS_KAUTH_H_ */
Cache object: 6b7ae80dc1b34a0c9fa12ab8280aba18
|