1 /* $NetBSD: kauth.h,v 1.52 2008/02/28 17:07:49 elad Exp $ */
2
3 /*-
4 * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. The name of the author may not be used to endorse or promote products
16 * derived from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 /*
31 * This is based on Apple TN2127, available online at
32 * http://developer.apple.com/technotes/tn2005/tn2127.html
33 */
34
35 #ifndef _SYS_KAUTH_H_
36 #define _SYS_KAUTH_H_
37
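/*
 * Opaque forward declarations.  This header only ever names these types
 * through pointers (see the prototypes below), so their definitions are
 * not needed here and are deliberately not included.
 *
 * struct lwp is declared as well: kauth_proc_setgroups() takes a
 * struct lwp *, and without a file-scope declaration that parameter
 * would introduce a prototype-scoped struct type that is incompatible
 * with the real one when sys/lwp.h has not been included first.
 */
struct uucred;
struct ki_ucred;
struct ki_pcred;
struct lwp;
struct proc;
struct tty;
struct vnode;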
44
45 /* Types. */
typedef struct kauth_scope *kauth_scope_t;		/* opaque; see kauth_register_scope() */
typedef struct kauth_listener *kauth_listener_t;	/* opaque; see kauth_listen_scope() */
typedef uint32_t kauth_action_t;			/* one of the per-scope action enums below */
/*
 * Scope callback (listener).  Invoked with the requesting credential, the
 * action, and five opaque arguments; must return one of KAUTH_RESULT_*.
 * kauth_authorize_action() carries only four void * arguments, so the
 * fifth is presumably the cookie given to kauth_register_scope() /
 * kauth_listen_scope() at registration time — confirm against the
 * implementation.
 *
 * kauth_cred_t itself is not declared in this header; it must be provided
 * by a header included before this one.
 */
typedef int (*kauth_scope_callback_t)(kauth_cred_t, kauth_action_t,
	void *, void *, void *, void *, void *);
typedef struct kauth_key *kauth_key_t;			/* opaque; see kauth_register_key() */
52
53 /*
54 * Possible return values for a listener.
55 */
/*
 * Note that ALLOW is 0: a listener that returns a zero-initialized or
 * otherwise forgotten result grants access.  A listener that has no
 * opinion on a request must return KAUTH_RESULT_DEFER explicitly.  How the
 * results of several listeners on one scope are combined is decided by the
 * implementation, not by this header.
 */
#define KAUTH_RESULT_ALLOW	0	/* allow access */
#define KAUTH_RESULT_DENY	1	/* deny access */
#define KAUTH_RESULT_DEFER	2	/* let others decide */
59
60 /*
61 * Scopes.
62 */
/*
 * Scope identifiers.  These are the const char * names accepted by
 * kauth_register_scope() and kauth_listen_scope(); each scope has its own
 * action enum (and, for some, a sub-action enum) declared below, and a
 * matching kauth_authorize_<scope>() wrapper in the prototypes section.
 */
#define KAUTH_SCOPE_GENERIC	"org.netbsd.kauth.generic"
#define KAUTH_SCOPE_SYSTEM	"org.netbsd.kauth.system"
#define KAUTH_SCOPE_PROCESS	"org.netbsd.kauth.process"
#define KAUTH_SCOPE_NETWORK	"org.netbsd.kauth.network"
#define KAUTH_SCOPE_MACHDEP	"org.netbsd.kauth.machdep"
#define KAUTH_SCOPE_DEVICE	"org.netbsd.kauth.device"
#define KAUTH_SCOPE_CRED	"org.netbsd.kauth.cred"
70
71 /*
72 * Generic scope - actions.
73 */
/*
 * Values start at 1, so 0 is never a valid action in this scope.  Passed
 * as the kauth_action_t argument of kauth_authorize_generic().
 */
enum {
	KAUTH_GENERIC_CANSEE=1,
	KAUTH_GENERIC_ISSUSER		/* presumably "is superuser"; confirm */
};
78
79 /*
80 * System scope - actions.
81 */
/*
 * Values start at 1, so 0 is never a valid action in this scope.  Passed
 * as the kauth_action_t argument of kauth_authorize_system(), which also
 * takes an enum kauth_system_req sub-action (below) that qualifies some of
 * these actions.
 */
enum {
	KAUTH_SYSTEM_ACCOUNTING=1,
	KAUTH_SYSTEM_CHROOT,
	KAUTH_SYSTEM_CHSYSFLAGS,
	KAUTH_SYSTEM_CPU,
	KAUTH_SYSTEM_DEBUG,
	KAUTH_SYSTEM_FILEHANDLE,
	KAUTH_SYSTEM_LKM,
	KAUTH_SYSTEM_MKNOD,
	KAUTH_SYSTEM_MOUNT,
	KAUTH_SYSTEM_PSET,
	KAUTH_SYSTEM_REBOOT,
	KAUTH_SYSTEM_SETIDCORE,
	KAUTH_SYSTEM_SWAPCTL,
	KAUTH_SYSTEM_SYSCTL,
	KAUTH_SYSTEM_TIME,
	KAUTH_SYSTEM_MODULE
};
100
101 /*
102 * System scope - sub-actions.
103 */
/*
 * Sub-actions for the system scope, passed as the third argument of
 * kauth_authorize_system().  The enumerator prefix names the
 * KAUTH_SYSTEM_* action each one refines (KAUTH_REQ_SYSTEM_MOUNT_* with
 * KAUTH_SYSTEM_MOUNT, and so on).  No enumerator has the value 0; what is
 * passed for actions that have no sub-action is decided by the callers —
 * confirm before relying on it.
 */
enum kauth_system_req {
	KAUTH_REQ_SYSTEM_CHROOT_CHROOT=1,
	KAUTH_REQ_SYSTEM_CHROOT_FCHROOT,
	KAUTH_REQ_SYSTEM_CPU_SETSTATE,
	KAUTH_REQ_SYSTEM_DEBUG_IPKDB,
	KAUTH_REQ_SYSTEM_MOUNT_GET,
	KAUTH_REQ_SYSTEM_MOUNT_NEW,
	KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT,
	KAUTH_REQ_SYSTEM_MOUNT_UPDATE,
	KAUTH_REQ_SYSTEM_PSET_ASSIGN,
	KAUTH_REQ_SYSTEM_PSET_BIND,
	KAUTH_REQ_SYSTEM_PSET_CREATE,
	KAUTH_REQ_SYSTEM_PSET_DESTROY,
	KAUTH_REQ_SYSTEM_SYSCTL_ADD,
	KAUTH_REQ_SYSTEM_SYSCTL_DELETE,
	KAUTH_REQ_SYSTEM_SYSCTL_DESC,
	KAUTH_REQ_SYSTEM_SYSCTL_PRVT,
	KAUTH_REQ_SYSTEM_TIME_ADJTIME,
	KAUTH_REQ_SYSTEM_TIME_NTPADJTIME,
	KAUTH_REQ_SYSTEM_TIME_RTCOFFSET,
	KAUTH_REQ_SYSTEM_TIME_SYSTEM,
	KAUTH_REQ_SYSTEM_TIME_TIMECOUNTERS
};
127
128 /*
129 * Process scope - actions.
130 */
/*
 * Values start at 1, so 0 is never a valid action in this scope.  Passed
 * as the kauth_action_t argument of kauth_authorize_process(), whose third
 * argument is the target struct proc * the action is asked about.
 */
enum {
	KAUTH_PROCESS_CANSEE=1,
	KAUTH_PROCESS_CORENAME,
	KAUTH_PROCESS_FORK,
	KAUTH_PROCESS_KEVENT_FILTER,
	KAUTH_PROCESS_KTRACE,
	KAUTH_PROCESS_NICE,
	KAUTH_PROCESS_PROCFS,
	KAUTH_PROCESS_PTRACE,
	KAUTH_PROCESS_RLIMIT,
	KAUTH_PROCESS_SCHEDULER_GETAFFINITY,
	KAUTH_PROCESS_SCHEDULER_SETAFFINITY,
	KAUTH_PROCESS_SCHEDULER_GETPARAM,
	KAUTH_PROCESS_SCHEDULER_SETPARAM,
	KAUTH_PROCESS_SETID,
	KAUTH_PROCESS_SIGNAL,
	KAUTH_PROCESS_STOPFLAG
};
149
150 /*
151 * Process scope - sub-actions.
152 */
/*
 * Sub-actions for the process scope.  Unlike the system and network
 * scopes, this enum is not a typed parameter of kauth_authorize_process()
 * (that wrapper takes a struct proc * and three void *); it is presumably
 * passed through one of the void * slots via KAUTH_ARG() — confirm against
 * the callers.  The prefix names the KAUTH_PROCESS_* action each refines.
 */
enum kauth_process_req {
	KAUTH_REQ_PROCESS_CANSEE_ARGS=1,
	KAUTH_REQ_PROCESS_CANSEE_ENTRY,
	KAUTH_REQ_PROCESS_CANSEE_ENV,
	KAUTH_REQ_PROCESS_CANSEE_OPENFILES,
	KAUTH_REQ_PROCESS_CORENAME_GET,
	KAUTH_REQ_PROCESS_CORENAME_SET,
	KAUTH_REQ_PROCESS_KTRACE_PERSISTENT,
	KAUTH_REQ_PROCESS_PROCFS_CTL,
	KAUTH_REQ_PROCESS_PROCFS_READ,
	KAUTH_REQ_PROCESS_PROCFS_RW,
	KAUTH_REQ_PROCESS_PROCFS_WRITE,
	KAUTH_REQ_PROCESS_RLIMIT_GET,
	KAUTH_REQ_PROCESS_RLIMIT_SET
};
168
169 /*
170 * Network scope - actions.
171 */
/*
 * Values start at 1, so 0 is never a valid action in this scope.  Passed
 * as the kauth_action_t argument of kauth_authorize_network(), which also
 * takes an enum kauth_network_req sub-action (below).
 */
enum {
	KAUTH_NETWORK_ALTQ=1,
	KAUTH_NETWORK_BIND,
	KAUTH_NETWORK_FIREWALL,
	KAUTH_NETWORK_INTERFACE,
	KAUTH_NETWORK_FORWSRCRT,
	KAUTH_NETWORK_NFS,
	KAUTH_NETWORK_ROUTE,
	KAUTH_NETWORK_SOCKET
};
182
183 /*
184 * Network scope - sub-actions.
185 */
/*
 * Sub-actions for the network scope, passed as the third argument of
 * kauth_authorize_network().  The prefix names the KAUTH_NETWORK_* action
 * each one refines.  No enumerator has the value 0; what callers pass for
 * actions without a sub-action (FORWSRCRT, ROUTE) is not defined here.
 */
enum kauth_network_req {
	KAUTH_REQ_NETWORK_ALTQ_AFMAP=1,
	KAUTH_REQ_NETWORK_ALTQ_BLUE,
	KAUTH_REQ_NETWORK_ALTQ_CBQ,
	KAUTH_REQ_NETWORK_ALTQ_CDNR,
	KAUTH_REQ_NETWORK_ALTQ_CONF,
	KAUTH_REQ_NETWORK_ALTQ_FIFOQ,
	KAUTH_REQ_NETWORK_ALTQ_HFSC,
	KAUTH_REQ_NETWORK_ALTQ_JOBS,
	KAUTH_REQ_NETWORK_ALTQ_PRIQ,
	KAUTH_REQ_NETWORK_ALTQ_RED,
	KAUTH_REQ_NETWORK_ALTQ_RIO,
	KAUTH_REQ_NETWORK_ALTQ_WFQ,
	KAUTH_REQ_NETWORK_BIND_PORT,
	KAUTH_REQ_NETWORK_BIND_PRIVPORT,
	KAUTH_REQ_NETWORK_FIREWALL_FW,
	KAUTH_REQ_NETWORK_FIREWALL_NAT,
	KAUTH_REQ_NETWORK_INTERFACE_GET,
	KAUTH_REQ_NETWORK_INTERFACE_GETPRIV,
	KAUTH_REQ_NETWORK_INTERFACE_SET,
	KAUTH_REQ_NETWORK_INTERFACE_SETPRIV,
	KAUTH_REQ_NETWORK_NFS_EXPORT,
	KAUTH_REQ_NETWORK_NFS_SVC,
	KAUTH_REQ_NETWORK_SOCKET_OPEN,
	KAUTH_REQ_NETWORK_SOCKET_RAWSOCK,
	KAUTH_REQ_NETWORK_SOCKET_CANSEE
};
213
214 /*
215 * Machdep scope - actions.
216 */
/*
 * Values start at 1, so 0 is never a valid action in this scope.  Passed
 * as the kauth_action_t argument of kauth_authorize_machdep().  There is
 * no sub-action enum for this scope; any per-action data travels in the
 * wrapper's four void * arguments.
 */
enum {
	KAUTH_MACHDEP_IOPERM_GET=1,
	KAUTH_MACHDEP_IOPERM_SET,
	KAUTH_MACHDEP_IOPL,
	KAUTH_MACHDEP_LDT_GET,
	KAUTH_MACHDEP_LDT_SET,
	KAUTH_MACHDEP_MTRR_GET,
	KAUTH_MACHDEP_MTRR_SET,
	KAUTH_MACHDEP_UNMANAGEDMEM
};
227
228 /*
229 * Device scope - actions.
230 */
/*
 * Values start at 1, so 0 is never a valid action in this scope.  Passed
 * as the kauth_action_t argument of kauth_authorize_device() or, judging
 * by name, of the more specific wrappers: the TTY_* actions fit
 * kauth_authorize_device_tty(); RAWIO_SPEC and RAWIO_PASSTHRU fit
 * kauth_authorize_device_spec() / kauth_authorize_device_passthru(), which
 * take no action argument of their own — confirm against the callers.
 */
enum {
	KAUTH_DEVICE_TTY_OPEN=1,
	KAUTH_DEVICE_TTY_PRIVSET,
	KAUTH_DEVICE_TTY_STI,
	KAUTH_DEVICE_RAWIO_SPEC,
	KAUTH_DEVICE_RAWIO_PASSTHRU
};
238
239 /*
240 * Device scope - sub-actions.
241 */
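/*
 * Sub-actions for the device scope, passed as the second argument of
 * kauth_authorize_device_spec() together with the struct vnode * being
 * accessed.  Values start at 1, so 0 is never a valid sub-action.
 *
 * The trailing comma after the last enumerator is dropped to match every
 * other enum in this header (it is also not valid C89).
 */
enum kauth_device_req {
	KAUTH_REQ_DEVICE_RAWIO_SPEC_READ=1,
	KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE,
	KAUTH_REQ_DEVICE_RAWIO_SPEC_RW
};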
247
248 /*
249 * Credentials scope - actions.
250 */
/*
 * Values start at 1, so 0 is never a valid action in this scope.  No
 * kauth_authorize_cred() wrapper is declared in this header; by name these
 * correspond to the credential lifecycle routines below (alloc, fork,
 * copy, free) and are presumably raised through kauth_authorize_action()
 * on KAUTH_SCOPE_CRED from inside them — confirm against the implementation.
 */
enum {
	KAUTH_CRED_INIT=1,
	KAUTH_CRED_FORK,
	KAUTH_CRED_COPY,
	KAUTH_CRED_FREE
};
257
258 /*
259 * Device scope, passthru request - identifiers.
260 */
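/*
 * Bit flags, presumably OR'd into the u_long argument of
 * kauth_authorize_device_passthru() — confirm against the callers.
 */
#define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READ		0x00000001
#define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITE		0x00000002
#define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF	0x00000004
#define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITECONF	0x00000008
/*
 * _ALL is the union of the individual bits above (0x0000000F), spelled as
 * such so it cannot silently drift if a flag is added or renumbered.
 */
#define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL \
	(KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READ | \
	 KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITE | \
	 KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF | \
	 KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITECONF)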
266
/*
 * Sentinel credentials.  These are integer constants cast to the pointer
 * type, not pointers to real credential objects: they are only meaningful
 * in equality tests (cred == NOCRED) and must never be dereferenced.
 * Whether any kauth_cred_*() routine below accepts them is decided by the
 * implementation, not this header — treat them as comparison-only unless
 * the implementation documents otherwise.
 */
#define NOCRED ((kauth_cred_t)-1)	/* no credential available */
#define FSCRED ((kauth_cred_t)-2)	/* filesystem credential */
269
270 /* Macro to help passing arguments to authorization wrappers. */
/*
 * Turns an integer or enum argument into one of the void * slots of the
 * kauth_authorize_*() wrappers by widening through unsigned long first,
 * so the value survives on platforms where sizeof(int) < sizeof(void *).
 * A negative int is sign-extended by the unsigned long conversion; the
 * receiving listener must cast back through the same (unsigned long) type
 * to recover the original value.
 */
#define KAUTH_ARG(arg)	((void *)(unsigned long)(arg))
272
273 /*
274 * Prototypes.
275 */
/* One-time initialization of the kauth subsystem. */
void kauth_init(void);
/*
 * Scope registration.  kauth_register_scope() creates a scope named by one
 * of the KAUTH_SCOPE_* strings with a default callback and an opaque cookie;
 * kauth_listen_scope() attaches an additional callback to an existing scope.
 * Both return an opaque handle used to undo the operation; a NULL return
 * presumably signals failure — confirm against the implementation.
 */
kauth_scope_t kauth_register_scope(const char *, kauth_scope_callback_t, void *);
void kauth_deregister_scope(kauth_scope_t);
kauth_listener_t kauth_listen_scope(const char *, kauth_scope_callback_t, void *);
void kauth_unlisten_scope(kauth_listener_t);
/*
 * Generic authorization entry point: asks the scope whether the credential
 * may perform the action, with four opaque arguments handed to the
 * listeners.  The kauth_authorize_<scope>() wrappers below are typed
 * conveniences over this.  The int result convention is not documented in
 * this header; treat any non-zero return as denial — TODO confirm.
 */
int kauth_authorize_action(kauth_scope_t, kauth_cred_t, kauth_action_t, void *,
	void *, void *, void *);
283
284 /* Authorization wrappers. */
/*
 * Per-scope typed wrappers.  Each takes the requesting credential and a
 * kauth_action_t from the matching scope's action enum; the remaining
 * arguments are scope-specific (a typed sub-action for the system and
 * network scopes, a target object for process/tty/spec) plus opaque void *
 * slots that are normally filled with KAUTH_ARG().  dev_t and u_long are
 * expected to come from a header included before this one.
 */
int kauth_authorize_generic(kauth_cred_t, kauth_action_t, void *);
int kauth_authorize_system(kauth_cred_t, kauth_action_t, enum kauth_system_req,
	void *, void *, void *);
int kauth_authorize_process(kauth_cred_t, kauth_action_t, struct proc *,
	void *, void *, void *);
int kauth_authorize_network(kauth_cred_t, kauth_action_t,
	enum kauth_network_req, void *, void *, void *);
int kauth_authorize_machdep(kauth_cred_t, kauth_action_t,
	void *, void *, void *, void *);
int kauth_authorize_device(kauth_cred_t, kauth_action_t,
	void *, void *, void *, void *);
int kauth_authorize_device_tty(kauth_cred_t, kauth_action_t, struct tty *);
/* Raw I/O on a device special file; the sub-action says read/write/both. */
int kauth_authorize_device_spec(kauth_cred_t, enum kauth_device_req,
	struct vnode *);
/*
 * Passthru access to a device; the u_long presumably carries the
 * KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_* bits — confirm against the callers.
 */
int kauth_authorize_device_passthru(kauth_cred_t, dev_t, u_long, void *);
300
301 /* Kauth credentials management routines. */
/*
 * Credential lifecycle.  kauth_cred_alloc(), kauth_cred_dup() and
 * kauth_cred_copy() each return a credential the caller is responsible
 * for releasing with kauth_cred_free(); the difference between dup and
 * copy is not expressed by the prototypes — confirm against the
 * implementation.  kauth_cred_clone() copies between two existing
 * credentials; the prototype does not say which argument is the source
 * and which the destination, so check before use.
 */
kauth_cred_t kauth_cred_alloc(void);
void kauth_cred_free(kauth_cred_t);
void kauth_cred_clone(kauth_cred_t, kauth_cred_t);
kauth_cred_t kauth_cred_dup(kauth_cred_t);
kauth_cred_t kauth_cred_copy(kauth_cred_t);
307
/*
 * Identity accessors: real, effective and saved uid/gid.  uid_t, gid_t and
 * u_int are expected to come from a header included before this one.
 */
uid_t kauth_cred_getuid(kauth_cred_t);
uid_t kauth_cred_geteuid(kauth_cred_t);
uid_t kauth_cred_getsvuid(kauth_cred_t);
gid_t kauth_cred_getgid(kauth_cred_t);
gid_t kauth_cred_getegid(kauth_cred_t);
gid_t kauth_cred_getsvgid(kauth_cred_t);
/*
 * Group membership test; the result is written through the int * (the
 * int return is presumably an error code) — confirm the convention
 * against the implementation.
 */
int kauth_cred_ismember_gid(kauth_cred_t, gid_t, int *);
/* Supplementary group list: count, and the group at a given index. */
u_int kauth_cred_ngroups(kauth_cred_t);
gid_t kauth_cred_group(kauth_cred_t, u_int);
317
/*
 * Identity mutators.  These change the credential in place and return
 * nothing, so no authorization decision is made here; callers must obtain
 * a decision (e.g. KAUTH_PROCESS_SETID) before calling them.
 */
void kauth_cred_setuid(kauth_cred_t, uid_t);
void kauth_cred_seteuid(kauth_cred_t, uid_t);
void kauth_cred_setsvuid(kauth_cred_t, uid_t);
void kauth_cred_setgid(kauth_cred_t, gid_t);
void kauth_cred_setegid(kauth_cred_t, gid_t);
void kauth_cred_setsvgid(kauth_cred_t, gid_t);

/*
 * Reference counting.  kauth_cred_hold() presumably takes a reference that
 * is later dropped with kauth_cred_free() — confirm against the
 * implementation.  kauth_cred_getrefcnt() reports the current count.
 */
void kauth_cred_hold(kauth_cred_t);
u_int kauth_cred_getrefcnt(kauth_cred_t);
327
/*
 * Bulk supplementary-group access.  The gid_t array and its element count
 * are given explicitly; enum uio_seg is not declared in this header and
 * presumably tells the implementation whether the array lives in user or
 * kernel space — confirm.  The maximum count accepted, and the meaning of
 * the uid_t argument to kauth_cred_setgroups(), are not stated here;
 * check the implementation before relying on either.
 */
int kauth_cred_setgroups(kauth_cred_t, const gid_t *, size_t, uid_t,
	enum uio_seg);
int kauth_cred_getgroups(kauth_cred_t, gid_t *, size_t, enum uio_seg);

/* This is for sys_setgroups(): installs the credential's groups on an lwp. */
int kauth_proc_setgroups(struct lwp *, kauth_cred_t);
334
/*
 * Per-credential private data.  A key is registered by name and returned
 * through the kauth_key_t *; data is then attached to or read from a
 * credential under that key.  Ownership and lifetime of the attached
 * void * are not expressed by these prototypes — confirm against the
 * implementation before storing anything that must be freed.
 */
int kauth_register_key(const char *, kauth_key_t *);
int kauth_deregister_key(kauth_key_t);
void kauth_cred_setdata(kauth_cred_t, kauth_key_t, void *);
void *kauth_cred_getdata(kauth_cred_t, kauth_key_t);
339
/* Compares the uids of two credentials; the int convention is not documented here. */
int kauth_cred_uidmatch(kauth_cred_t, kauth_cred_t);
/*
 * Conversions between a kauth credential and the legacy/exported forms:
 * struct uucred (both directions plus a comparison), and the ki_ucred /
 * ki_pcred structures exported to userland.  The first argument of each
 * *_to_* routine is the destination.
 */
void kauth_uucred_to_cred(kauth_cred_t, const struct uucred *);
void kauth_cred_to_uucred(struct uucred *, const kauth_cred_t);
int kauth_cred_uucmp(kauth_cred_t, const struct uucred *);
void kauth_cred_toucred(kauth_cred_t, struct ki_ucred *);
void kauth_cred_topcred(kauth_cred_t, struct ki_pcred *);
346
/* Returns the credential of the current context (no argument, so "current" is implicit). */
kauth_cred_t kauth_cred_get(void);

/* Credential handling at fork time, parent first then child. */
void kauth_proc_fork(struct proc *, struct proc *);

/*
 * Security model hooks.  Neither takes an argument, so which model is
 * registered is decided at build/link time, not by the caller.
 */
void secmodel_register(void);
void secmodel_deregister(void);
353
354 #endif /* !_SYS_KAUTH_H_ */