/* IBM_PROLOG_BEGIN_TAG */ /* This is an automatically generated prolog. */ /* */ /* bos720 src/bos/kernel/sys/refmon.h 1.20.2.2 */ /* */ /* Licensed Materials - Property of IBM */ /* */ /* Restricted Materials of IBM */ /* */ /* COPYRIGHT International Business Machines Corp. 2006,2013 */ /* All Rights Reserved */ /* */ /* US Government Users Restricted Rights - Use, duplication or */ /* disclosure restricted by GSA ADP Schedule Contract with IBM Corp. */ /* */ /* IBM_PROLOG_END_TAG */ /* @(#)07 1.20.2.2 src/bos/kernel/sys/refmon.h, syssrefmon, bos720 1/17/13 16:19:12 */ /* * COMPONENT_NAME: SYSSREFMON * * FUNCTIONS: * * ORIGINS: 27 * * -- ( when * combined with the aggregated modules for this product) * OBJECT CODE ONLY SOURCE MATERIALS * * (C) COPYRIGHT International Business Machines Corp. 1988,1996 * All Rights Reserved * US Government Users Restricted Rights - Use, duplication or * disclosure restricted by GSA ADP Schedule Contract with IBM Corp. */ /* * Copyright (c) 1994-2004 by Innovative Security Systems, Inc. * All rights reserved. 
* */ #ifndef _H_REFMON #define _H_REFMON #include #include #ifdef __64BIT_KERNEL #define ACT_O 0x01000000 #define ACT_P 0x02000000 #define ACT_S 0x04000000 /* * The flags used in refmon */ #define REFMON_AUDIT 0x00000001 #define REFMON_NOUSED 0x00000002 #define DOMAIN_CHECK 0x00010000 /* Initialization function for refmon that will be * called by rbac_init at system startup */ extern void refmon_init(void); typedef enum rfm_action { /********* Auditing *********/ /* DESCRIPTION: * Gets or sets the auditing modes of system data objects * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_AU_ADMIN */ ACT_O_SET_AUDIT, /* DESCRIPTION: * Checks if the minimum and maximum labels of the object falls within the * system auditing range * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * None */ ACT_O_AUDIT_MACCHK, /********* Authorization *********/ /* DESCRIPTION: * Check the Access Authorization Set before executing a file * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_AZ_ROOT * * INPUT: * (authnum_t *)args[0] - access authorization set */ ACT_O_AUTH_ACCESS, /********* DAC *********/ /* DESCRIPTION: * Check if the subject uid is same as object owner id or check for * permissions that bypass DAC ownership restrictions * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_O * * INPUT: * (uid_t)args[0] - uid, against which DAC ownership is to be checked */ ACT_O_OWNER, /********* File System *********/ /* DESCRIPTION: * Set the sticky bit on a file * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_O */ ACT_O_STICKY, /* DESCRIPTION: * Set the setgid bit when not a group member * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_O */ ACT_O_SGID, /* DESCRIPTION: * Allows a process to modify * 1. file's owner ID * 2. 
file's GID to other than process' effective GID or one of the process' * supplemental GIDs. * Also, allow chown retaining setuid and setgid bits. * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_FS_CHOWN */ ACT_O_CHOWN, /* DESCRIPTION: * Change access time and/or modification time on files * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_O */ ACT_O_UTIME, /* DESCRIPTION: * Create hard links to a directory * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_FS_LINKDIR * * INPUT: * (struct vnode *)args[0] - vnode of the object * (char *)args[1] - pathname of the target object * (struct vnode *)args[2] - pointer to target directory vnode */ ACT_O_LINK, /* DESCRIPTION: * Remove or rename any file in a sticky directory * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_O, PV_DAC_W * * INPUT: * (uid_t)args[0] - uid of the parent directory * (uid_t)args[1] - uid of the object itself */ ACT_O_RMDIR_ISVTX, /* DESCRIPTION: * Unlinks a directory entry from the file system * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_FS_LINKDIR * * INPUT: * (struct vnode *)args[0] - vnode of the object * (char *)args[1] - pathname of the object * (struct vnode *)args[2] - pointer to directory vnode */ ACT_O_UNLINK, /* DESCRIPTION: * Check access on specnode w/o pfs vnode * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_R, PV_DAC_W, PV_DAC_X * * INPUT: * (mode_t)args[0] - access mode to the specnode * (struct specnode *)args[1] - attributes of the specnode */ ACT_O_SPECACCESS, /* DESCRIPTION: * Check access on a J2 inode * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_R, PV_DAC_W, PV_DAC_X * * INPUT: * (mode_t)args[0] - access mode to the inode * (mode_t)args[1] - file mode * 
(uid_t)args[2] - file uid * (gid_t)args[3] - file gid * */ ACT_O_J2DACCHK, /* DESCRIPTION: * Allows a process to set or clear TCB or TP flags * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_TCB * */ ACT_O_SET_TCBTP, /* DESCRIPTION: * Assign labels and set partitioned directory flag on newly created inodes * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * None * * INPUT: * (fs_secattr_t *)args[0] - security attribute pointer * (fs_secattr_t *)args[1] - inherited security attribute pointer * (cred_t *)args[2] - credential (NULL will set to default) * (int)args[3] - indicates if the object is a directory * (int)args[4] - directory type for partitioned directory * * OUTPUT: * (fs_secattr_t *)args[0] - security attributes are initialized */ ACT_O_ICREATE, /* DESCRIPTION: * Change the MLS EA on a JFS2 inode * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_MAC_OVRRD, PV_MAC_W_UP, PV_MAC_W_DN, PV_MAC_W, PV_MAC_CL, PV_MAC_R_CL, * PV_MAC_R, PV_MIC, PV_TCB, PV_AU_WRITE, PV_AU_READ, PV_DAC_W, PV_DAC_O, * PV_MIC_CL, PV_LAB_SL_FILE, PV_LAB_SLDG, PV_LAB_SLUG, PV_LAB_TL * * INPUT: * (fs_secattr_t *)args[0] - new MLS attributes of the object * (void *)args[1] - J2 inode */ ACT_O_SET_SECATTR, /* DESCRIPTION: * Check for MAC, MIC and FSF based on the operation code or access mode * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_MAC_OVRRD, PV_MAC_W_UP, PV_MAC_W_DN, PV_MAC_W, PV_MAC_CL, PV_MAC_R_CL, * PV_MAC_R, PV_MIC, PV_TCB, PV_AU_WRITE, PV_AU_READ * * INPUT: * (void *)args[0] - J2 inode * (int)args[1] - operation code * (int)args[2] - (read/write/execute) access mode */ ACT_O_J2_IACCESS, /* DESCRIPTION: * Allows a process to create partitioned directories * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_FS_PDMODE */ ACT_O_PDIR_MK, /* DESCRIPTION: * Allows a process to read 
Label Encodings File * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_LAB_LEF */ ACT_O_LEF_READ, /* DESCRIPTION: * Checks if the process can access the given vnode * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_MAC_OVRRD, PV_MAC_W_UP, PV_MAC_W_DN, PV_MAC_W, PV_MAC_CL, PV_MAC_R_CL, * PV_MAC_R, PV_MIC, PV_TCB, PV_AU_WRITE, PV_AU_READ */ ACT_O_VACCESS, /* DESCRIPTION: * Checks for an attempt to append to an object * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_TCB * * INPUT: * (int)args[0] - requested access mode * (uint32_t)args[1] - file security flags of the object */ ACT_O_FAPPEND, /* DESCRIPTION: * Checks for modifications to trusted files * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_LAB_LEF * * INPUT: * (char *)args[0] - file being opened * (int64_t)args[1] - open style flags * (struct vnode *)args[3] - pointer to directory vnode * * OUTPUT: * (int *)args[2] - this flag will be set if the file being opened is * label encodings file in read mode and if the process had PV_LAB_LEF privilege */ ACT_O_OPEN, /* DESCRIPTION: * Checks for modifications to trusted files * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * None * * INPUT: * (char *)args[0] - source pathname * (char *)args[1] - target pathname * (struct vnode *)args[2] - vnode of the source file * (struct vnode *)args[3] - pointer to source directory vnode * (struct vnode *)args[4] - pointer to target directory vnode */ ACT_O_RENAME, /* DESCRIPTION: * Checks if process is allowed to use library * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * None * * INPUT: * (struct vnode *)args[0] - vnode of the library */ ACT_O_LDLIB, /********* Kernel *********/ /* DESCRIPTION: * Check for DAC with tuning VFS. 
* * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_R, PV_DAC_W, PV_DAC_X * * INPUT: * (mode_t)args[0] - access mode */ ACT_O_TUNING_ACCESS, /* DESCRIPTION: * Bypass resource access controls * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_RAC */ ACT_O_BYPASS_RAC, /********* IPC *********/ /* DESCRIPTION: * Allow shmget with a range * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_IPC */ ACT_O_SHM_RANGE, /* DESCRIPTION: * Check for DAC bypass permissions when accessing an IPC object * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_MAC_OVRRD, PV_MAC_W_UP, PV_MAC_W_DN, PV_MAC_W, PV_MAC_CL, PV_MAC_R_CL, * PV_MAC_R, PV_MIC, PV_KER_IPC_W, PV_KER_IPC_R, PV_KER_IPC_O * * INPUT: * (mode_t)args[0] - access mode to the IPC object * (struct ipc_perm *)args[1] - IPC object * (ipc_sec_t *)args[2] - IPC object security attributes * (ushort)args[3] - mask to check for */ #define CHECK_UID 0x0001 #define CHECK_PRIV 0x0002 #define CHECK_MODEBITS 0x0004 #define CHECK_MAC 0x0010 #define CHECK_MIC 0x0020 #define CHECK_ALL 0xffff ACT_O_IPC_ACCESS, /* DESCRIPTION: * Bypass message queue bytes size restriction * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_IPC */ ACT_O_MSG_MOREBYTES, /* DESCRIPTION: * Lock/Unlock (pin) shared memory segments * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_IPC */ ACT_O_SHM_LOCK, /* DESCRIPTION: * Support for large pages for shared memory segments * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_RAC */ ACT_O_SHM_LGPAGE, /* DESCRIPTION: * Allow shared memory control operations * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_IPC */ ACT_O_SHMCTL, /* DESCRIPTION: * Allow to set security 
attributes on IPC object * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_MAC_OVRRD, PV_MAC_W_UP, PV_MAC_W_DN, PV_MAC_W, PV_MAC_CL, PV_MAC_R_CL, * PV_MAC_R, PV_MIC, PV_KER_IPC_W, PV_KER_IPC_O, PV_MIC_CL, PV_LAB_SL_FILE, * PV_LAB_SLDG, PV_LAB_SLUG, PV_LAB_TL * * INPUT: * (struct ipc_perm *)args[0] - IPC object permission * (ipc_sec_t *)args[1] - IPC object security attributes * (ipc_sec_t *)args[2] - new security attributes */ ACT_O_IPC_SETSEC, /********* Device *********/ /* DESCRIPTION: * Check if a kernel extension can be loaded/unloaded * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DEV_CONFIG */ ACT_O_EXT_LD_UNLD, /* DESCRIPTION: * Access check for a cdrnode (cfs) * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_R, PV_DAC_W, PV_DAC_X * * INPUT: * (mode_t)args[0] - access mode to the cdrnode * (struct cdrnode *)args[1] - cdrom object */ ACT_O_CDRACCESS, /* DESCRIPTION: * Allows a process to revoke access to the character/mpx device * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_O * * INPUT: * (uid_t)args[0] - uid of the object being revoked */ ACT_O_REVOKE, /* DESCRIPTION: * Allow to configure a device driver or kernel module * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DEV_CONFIG */ ACT_O_DEV_CONFIG, /* DESCRIPTION: * Allow to load/unload a device driver or kernel extension * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DEV_LOAD */ ACT_O_DEV_LOAD, /* DESCRIPTION: * Check the Access Privilege Set before opening a device file * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * At least one of the privileges in args[0] * * INPUT: * (privg_tp)args[0] - access privilege set */ ACT_O_PRIV_ACCESS, /* DESCRIPTION: * Check for labels when writing to FIFO device * 
REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_MAC_OVRRD, PV_MAC_W_UP, PV_MAC_W_DN, PV_MIC, PV_LAB_SLUG_STR, * PV_LAB_SLDG_STR, PV_MAC_CL, PV_MAC_R_STR, PV_MAC_R * * INPUT: * (struct specfs_secattr *)args[0] - labels associated with data being * written to FIFO device * (struct specnode *)args[1] - specnode of the FIFO device */ ACT_O_FIFO_WRITE, /* DESCRIPTION: * Check for labels when reading from FIFO device * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_LAB_SLUG_STR, PV_LAB_SLDG_STR, PV_MAC_CL, PV_MAC_R_STR, PV_MAC_R * * INPUT: * (struct specfs_attr *)args[0] - labels associated with the data being * read from FIFO device */ ACT_O_FIFO_READ, /********* Network *********/ /* DESCRIPTION: * Allows a process to perform restricted ioctl calls to drivers * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_NET_CNTL */ ACT_O_NET_CNTL, /* DESCRIPTION: * Allows a process to open a restricted port. * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_NET_PORT */ ACT_O_NET_PORT, /* DESCRIPTION: * Allows a process to access raw sockets. 
* * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_NET_RAWSOCK */ ACT_O_RAWSOCKETS, /* DESCRIPTION: * Network configuration operations * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_NET_CONFIG */ ACT_O_NETCONFIG, /* DESCRIPTION: * Checks for labels on the packet based on host and interface rules * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * None * * INPUT: * (int_rule_t *)args[0] - interface rule * (host_rule_t *)args[1] - host rule */ ACT_O_ALLOW_PKT, /* DESCRIPTION: * Checks for an attempt to read from streams * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_MAC_R_STR, PV_MAC_R, PV_MAC_CL * * INPUT: * (struct net_secattr *)args[0] - security label associated with mblks */ ACT_O_STR_READ, /* DESCRIPTION: * Checks for an attempt to write to streams * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_LAB_SLUG_STR, PV_LAB_SLDG_STR, PV_MAC_CL * * INPUT: * (struct net_secattr *)args[0] - security label associated with mblks */ ACT_O_STR_WRITE, /********* Auditing *********/ /* DESCRIPTION: * Return process' audit state * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_AU_PROC */ ACT_P_GET_AUDIT, /* DESCRIPTION: * Change process' audit state * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_AU_PROC */ ACT_P_SET_AUDIT, /* DESCRIPTION: * Checks if the process's effective SL falls within system auditing range * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * None */ ACT_P_AUDIT_MACCHK, /********* Authorization *********/ /* DESCRIPTION: * Checks if the process has privileges to bypass authorization checks * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_AZ_CHECK */ ACT_P_BYPASS_AUTH, /********* 
Privilege *********/ /* DESCRIPTION: * Change process' privilege sets * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_PRIV, PV_MAC_W_PROC, PV_MAC_W, PV_MAC_CL, PV_MIC * * INPUT: * (cred_t *)args[0] - credentials of the target process whose privilege sets * is to be modified * (privg_tp)args[1] - new effective privilege set, NULL if eps is not being * modified * (privg_tp)args[2] - new maximum privilege set, NULL if mps is not being * modified * (privg_tp)args[3] - new inheritable privilege set, NULL if hps is not being * modified * (privg_tp)args[4] - new limiting privilege set, NULL if lps is not being * modified */ ACT_P_SET_PRIV, /* DESCRIPTION: * Allows to get privilege sets of a given process * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_PRIV, PV_MAC_R_PROC, PV_MAC_R, PV_MAC_CL, PV_MIC * * INPUT: * (struct cred_t *)args[0] - target cred, whose privileges must be retrieved */ ACT_P_GET_PRIV, /* DESCRIPTION: * Allows to get roles of a given process * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_RID, PV_MAC_R_PROC, PV_MAC_R, PV_MAC_CL, PV_MIC * * INPUT: * (struct cred_t *)args[0] - target cred, whose privileges must be retrieved */ ACT_P_GET_RID, /* DESCRIPTION: * Checks if the current process has the given privilege * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * args[0] contains the privilege * * INPUT: * (int)args[0] - requested privilege */ ACT_P_PRIV_CHECK, /********* Process *********/ /* DESCRIPTION: * Allow a process to change the root directory * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_FS_CHROOT */ ACT_P_CHG_ROOT, /* DESCRIPTION: * Change process' Login/Saved/Real/Effective UID * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_AU_ADMIN, PV_DAC_UID * * INPUT: * (uid_t)args[0] - 
new uid * (int)args[1] - mask which specifies which uid is to be set: ID_LOGIN, * ID_SAVED, ID_REAL or ID_EFFECTIVE */ ACT_P_SET_UID, /* DESCRIPTION: * Change process' Real/Saved/Effective GID * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_GID * * INPUT: * (gid_t)args[0] - new gid * (int)args[1] - mask which specifies which gid is to be set: ID_SAVED, * ID_REAL or ID_EFFECTIVE */ ACT_P_SET_GID, /* DESCRIPTION: * Set user's concurrent group list * TODO: check if the new group list is a subset of existing one.. * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_GID */ ACT_P_SET_SUPPL_GROUPS, /* DESCRIPTION: * Dump core when UID/GID doesn't match * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_CORE */ ACT_P_DUMP_CORE, /* DESCRIPTION: * Use the protected environment from checkpoint file. * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_ENV */ ACT_P_SET_ENV, /* DESCRIPTION: * Check if a process can send a given signal to a given process * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_SIG * * INPUT: * (struct pvproc *)args[0] - target process to which the signal is to be sent * (int)args[1] - signal number */ ACT_P_SIGNAL, /* DESCRIPTION: * Compute new credentials during exec() * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * None * * INPUT: * (obj_sec_attrs *)args[0] - security attributes of the file being executed * (struct vnode *)args[2] - vnode of the file being execed * (struct stat *)args[3] - stat of the file being execed * * OUTPUT: * (cred_t *)args[1] - new credentials of the post exec process; Note: Only * the privilege sets will be modified in the cred */ ACT_P_NEW_CRED, /*TODO: Elaborate the description for ACT_P_SETIDQ: Change the name of the * action? 
*/ /* DESCRIPTION: * Determine if a process will be setid/setpriv * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * None * * INPUT: * (vnode_t *)args[0] - vnode of the file being executed * (struct stat *)args[1] - stat structure of the file being executed * (cred_t *)args[2] - credentials of the post exec process */ ACT_P_SETIDQ, /* DESCRIPTION: * Causes getuidx() to return 0 if the process has PV_SU_UID privilege * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_SU_UID * * OUTPUT: * args[0] - effective uid * args[1] - real uid */ ACT_P_GET_UID, /* DESCRIPTION: * Allows setting user information in user structure. * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_ENV */ ACT_P_SET_USRINFO, /* DESCRIPTION: * Allow ptrace to attach * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_UID, PV_DAC_GID * * INPUT: * (struct pvproc *)args[0] - target process to which ptrace should attach */ ACT_P_PT_ATTACH, /* DESCRIPTION: * Get a process's priority * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_PRIO * * INPUT: * (uid_t)args[0] - uid of target process */ ACT_P_GETPRI, /* DESCRIPTION: * Set a process's priority * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_PRIO */ ACT_P_SETPRI, /* DESCRIPTION: * Renice a process * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_W * * INPUT: * (uid_t)args[0] - uid of target process */ ACT_P_DONICE, /* DESCRIPTION: * Set process attributes * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_R, PV_DAC_W * * INPUT: * (struct pvproc *)args[0] - process whose attributes are * to be set/retrieved * (mode_t)args[0] - mode of access */ ACT_P_PROC_ATTR, /* DESCRIPTION: * Bind a process to a 
processor * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_RSET * * INPUT: * (struct pvproc *)args[0] - process which is to be bound to a processor */ ACT_P_BIND_PROC, /* DESCRIPTION: * Bind a thread to a processor * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_RSET * * INPUT: * (struct pvproc *)args[0] - thread which is to be bound to a processor */ ACT_P_BIND_THREAD, /* DESCRIPTION: * Access to the fine granularity timers * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_TIMER */ ACT_P_SET_INTERVAL, /* DESCRIPTION: * Add or remove a process from a crid * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_CKPT * * INPUT: * (uid_t)args[0] - owner of the crid */ ACT_P_SET_CRID, /* DESCRIPTION: * Process can be checkpoint/restarted * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_R, PV_PROC_CKPT * * INPUT: * (int)args[0] - mode which specifies whether to checkpoint or restart */ ACT_P_SEC_VERIFY, /* DESCRIPTION: * Check if a process can send any signal to any process * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_SIG */ ACT_P_SIGPRIV, /* DESCRIPTION: * Set resource access controls (quotas) on proc * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_RAC */ ACT_P_SET_RAC, /* DESCRIPTION: * Set/get realtime clock value from proc * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_RTCLK * * INPUT: * (struct pvproc *)args[0] - target process whose realtime clock value is to * be set/retrieved */ ACT_P_RT_CLOCK, /* DESCRIPTION: * Set thread level credentials * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_UID, PV_AU_ADMIN, PV_DAC_GID * * INPUT: * 
(uint)args[0] - flags which can have one or more of the following values: * INHERIT_USER_IDS, INHERIT_GROUP_IDS and INHERIT_GROUP_SETS * (struct cred_ext_t *)args[1] - To be validated thread credentials * (int)args[2] - noswitchuid value * (int)args[3] - noswitchgid value */ ACT_P_SET_THREAD_CRED, /* DESCRIPTION: * Set the process authentication group * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_CRED */ ACT_P_SET_PAG, /* DESCRIPTION: * Checks if process can call system calls related to check pointing and * restarting a WPAR * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_WPAR_CKPT */ ACT_P_WPAR_CKPT, /* DESCRIPTION: * Allows numa resource attachments * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_RSET */ ACT_P_NUMA_RSET, /* DESCRIPTION: * Checks if the effective uid is 0 or if the process has PV_ROOT privilege * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_SU_ROOT */ ACT_P_SUSER, /* DESCRIPTION: * Allows a process to change its Role ID * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DAC_RID */ ACT_P_SET_RID, /* DESCRIPTION: * Allows to update/retrieve smttune or schedtune parameters. 
* * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_VARS */ ACT_P_PROCVARS, /* DESCRIPTION: * Checks for MAC access on a target process * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_MAC_W_PROC, PV_MAC_W, PV_MAC_CL, PV_MAC_R_PROC, PV_MAC_R, PV_MAC_CL, * PV_MIC * * INPUT: * (struct pvproc *)args[0] - pvproc of the target process * (mode_t)args[1] - mode of access */ ACT_P_PROC_MAC, /* DESCRIPTION: * Allows a process to change its partitioned directory mode * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROC_PDMODE */ ACT_P_SET_PDMODE, /* DESCRIPTION: * Allows to get security attributes of a process * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_MAC_R_PROC, PV_MAC_CL, PV_MIC * * INPUT: * (cred_t *)args[0] - credentials of the target process */ ACT_P_GET_SEC_CRED, /* DESCRIPTION: * Allows to set sensitivity label in a process * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_MAC_W, PV_MAC_CL, PV_MAC_W_PROC, PV_MIC, PV_DAC_O, PV_MAC_CL, PV_MIC_CL, * PV_LAB_SL_SELF, PV_LAB_SL_PROC, PV_LAB_CL, PV_LAB_CLTL, PV_LAB_TL, * PV_LAB_SLDG, PV_LAB_SLUG * * INPUT: * (cred_t *)args[0] - credentials of the target process * (sl_t *)args[1] - effective sensitivity label * (sl_t *)args[2] - minimum sensitivity label * (sl_t *)args[3] - maximum sensitivity label */ ACT_P_SET_SL, /* DESCRIPTION: * Allows to set integrity label in a process * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_MAC_W, PV_MAC_CL, PV_MAC_W_PROC, PV_MIC, PV_DAC_O, PV_MAC_CL, PV_MIC_CL, * PV_LAB_SL_SELF, PV_LAB_SL_PROC, PV_LAB_CL, PV_LAB_CLTL, PV_LAB_TL, * PV_LAB_SLDG, PV_LAB_SLUG * * INPUT: * (cred_t *)args[0] - credentials of the target process * (tl_t *)args[1] - effective integrity label * (tl_t *)args[2] - minimum integrity label * (tl_t *)args[3] - 
maximum integrity label */ ACT_P_SET_TL, /* DESCRIPTION: * Allows to set TCB mode flag in a process * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_TCB */ ACT_P_SET_TLIBMODE, /********* Auditing *********/ /* DESCRIPTION: * Appends an audit record to the audit trail * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_AU_ADD */ ACT_S_AUDIT_LOG, /* DESCRIPTION: * Configure auditing * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_AU_ADMIN */ ACT_S_AUDIT_CFG, /* DESCRIPTION: * Get system auditing status/modes * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_AU_ADMIN */ ACT_S_GET_AUDIT_CTL, /* DESCRIPTION: * Set system auditing status/modes * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_AU_ADMIN */ ACT_S_SET_AUDIT_CTL, /********* Authorization **********/ /* DESCRIPTION: * Allows the process to read the kernel security tables * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_AZ_READ */ ACT_S_KERTABLES_READ, /* DESCRIPTION: * Allows the process to modify the kernel security tables * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_AZ_ADMIN */ ACT_S_KERTABLES_WRITE, /********* File System *********/ /* DESCRIPTION: * Administer the jfs/j2 quota system * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_FS_QUOTA */ ACT_S_QUOTA, /* DESCRIPTION: * Paging space swap on or off. 
* * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_VMM */ ACT_S_SWAPCTL, /* DESCRIPTION: * Perform control operations on a filesystem * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_FS_CNTL */ ACT_S_FS_CNTL, /* DESCRIPTION: * Allows a process to perform extend/shrink file-system operations * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_FS_RESIZE */ ACT_S_FS_RESIZE, /********* Kernel *********/ /* DESCRIPTION: * Reboot the machine * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_REBOOT */ ACT_S_REBOOT, /* DESCRIPTION: * Mount a file system * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_FS_MOUNT */ ACT_S_MOUNT, /* DESCRIPTION: * Unmount a file system * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_FS_MOUNT */ ACT_S_UMOUNT, /* DESCRIPTION: * Mount a filesystem and check for modifications to target and stub objects * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_FS_MOUNT * * INPUT: * (char *)args[0] - stub object pathname * (char *)args[1] - target object pathname */ ACT_S_NAMEFS_MOUNT, /* DESCRIPTION: * Create a special file * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_FS_MKNOD */ ACT_S_MKNOD, /* DESCRIPTION: * Allows a process to modify the system time. 
* * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_TIME */ ACT_S_ADJ_TIME, /* DESCRIPTION: * Allow setting host name * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_CONF */ ACT_S_SET_HOSTNAME, /* DESCRIPTION: * Allow setting domain name * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_CONF */ ACT_S_SET_DOMAINNAME, /* DESCRIPTION: * Enable or disable the process accounting subsystem. * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_ACCT */ ACT_S_ACCT, /* DESCRIPTION: * Allow initializing and modifying the WLM configurations. * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_WLM */ ACT_S_WLM, /* DESCRIPTION: * Allow setting the hostid * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_CONF */ ACT_S_SET_HOSTID, /* DESCRIPTION: * Configure RAS services * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_RAS */ ACT_S_RAS_CONFIG, /* DESCRIPTION: * Get/Set the kernel variables * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_VARS */ ACT_S_KERNEL_VAR, /* DESCRIPTION: * Set AIO kernel parameters. * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_VARS */ ACT_S_ASYNC_IO, /* DESCRIPTION: * Allows DLPAR reconfiguration operations * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_DR */ ACT_S_DR_CONFIG, /* DESCRIPTION: * Allows to change kernel mempool variables * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_VMM */ ACT_S_VMM_SET_VARS, /* DESCRIPTION: * Program Resource Monitor privs. 
(SRC_kex) * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_EXTCONF */ ACT_S_PROG_RSC_MON, /* DESCRIPTION: * Initialize or query eWLM environment. * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_EWLM */ ACT_S_EWLM, /* DESCRIPTION: * Allow LVM configuration * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_LVM */ ACT_S_LVM, /* DESCRIPTION: * Allows a process to configure WPAR. This will be done from a global WPAR * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_WPAR */ ACT_S_WPAR, /* DESCRIPTION: * Allows access to another tty. * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_EXTCONF */ ACT_S_TTY_CONFIG, /* DESCRIPTION: * Set the performance statistics extension configuration * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_EXTCONF */ ACT_S_PERFSTATS, /* DESCRIPTION: * Enable NFS * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_NFS */ ACT_S_NFSSYS, /* DESCRIPTION: * Query kernel modules * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_DEV_QUERY */ ACT_S_DEV_QUERY, /* DESCRIPTION: * Configure kernel parameters * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_CONF */ ACT_S_KER_CONF, /* DESCRIPTION: * Allows a process to read the Maximum System Sensitivity Label * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_SECCONFIG, PV_MAC_R */ ACT_S_GET_MAX_SL, /* DESCRIPTION: * Allows a process to read the Maximum System Integrity Label * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_SECCONFIG, PV_MIC */ ACT_S_GET_MAX_TL, /* DESCRIPTION: * Allows setting up of system labels * 
* REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_SECCONFIG */ ACT_S_SET_SLTL, /* DESCRIPTION: * Allows setting up kernel security flags * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_SECCONFIG * * INPUT: * (int)args[0] - operational flags * (int)args[1] - configuration flags */ ACT_S_SET_SECCONFIG, /* DESCRIPTION: * Allows setting up runmode * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_SECCONFIG */ ACT_S_SET_RUNMODE, /* DESCRIPTION: * Allows setting up trusted path mode * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_TP_SET */ ACT_S_SET_TPMODE, /* DESCRIPTION: * Allows setting up trusted library path * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_TCB */ ACT_S_SET_TLIBPATH, /* DESCRIPTION: * Allows configuration of streams device * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_EXTCONF */ ACT_S_STREAMS, /* DESCRIPTION: * Allows patching of kernel extensions * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_KER_PATCH */ ACT_S_KER_PATCH, /* DESCRIPTION: * Allow users to dynamically trace apps * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROBEVUE_TRC_USER */ ACT_S_PROBEVUE_TRC_USER, /* DESCRIPTION: * Allow users to dynamically trace their apps * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROBEVUE_TRC_USER_SELF */ ACT_S_PROBEVUE_TRC_USER_SELF, /* DESCRIPTION: * Allow users to dynamically trace any system call * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROBEVUE_TRC_SYSCALL */ ACT_S_PROBEVUE_TRC_SYSCALL, /* DESCRIPTION: * Allow users to dynamically trace system calls * invoked by their apps * * REQUIRED PRIVILEGES: 
* The below set of privileges may be required for this action * PV_PROBEVUE_TRC_SYSCALL_SELF */ ACT_S_PROBEVUE_TRC_SYSCALL_SELF, /* DESCRIPTION: * Allow users to dynamically trace the entire system * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROBEVUE_TRC_KERNEL */ ACT_S_PROBEVUE_TRC_KERNEL, /* DESCRIPTION: * Allow users to use the probevue ras events functions, such as * systrace record generating functions * livedump functions * abend * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROBEVUE_RASE */ ACT_S_PROBEVUE_RASE, /* DESCRIPTION: * Allow users to update probevue parameters and query all * the probevue sessions * * REQUIRED PRIVILEGES: * The below set of privileges may be required for this action * PV_PROBEVUE_MANAGE */ ACT_S_PROBEVUE_MANAGE, /* Description: * Check for Domain access * arg[0] = domain attribute structure objdom_secattr_t */ ACT_O_DOM, /* Domain Actions: * Allow user to set domains * arg[0] = target cred * arg[1] = target domain attribute structure objdom_secattr_t * PV_DOM */ ACT_P_SET_DOM, /* Domain Actions: * Validate if invoker can modify network interfaces properties * arg[0] = Network command * arg[1] = domain attribute structure objdom_secattr_t */ ACT_O_NET_IFCFG, /* Domain Actions: * Validate if invoker can modify network routes * arg[0] = Network command * arg[1] = domain attribute structure objdom_secattr_t */ ACT_O_NET_ROUTE, /* Note: * Do not add any actions beyond ACT_HIGHEST */ ACT_HIGHEST } rfm_action_t; /* * NAME: refmon * * DESCRIPTION: * Performs security checks based on the passed in subject credentials, type of * the action, and any other input parameters * * INPUT: * crp - credential, if NULL, current process credentials will be referenced * action - describes what type of security checks needs to be done * flags - possible values include REFMON_AUDIT which enables auditing of the * event * nargs - number of arguments in args[] 
array
 *      args - used to pass inputs to refmon; every slot is an untyped
 *             void *, and the layout expected for an action is the one
 *             given in that action's INPUT: section in enum rfm_action
 *             (for example ACT_S_NAMEFS_MOUNT documents two char *
 *             pathnames and ACT_S_SET_SECCONFIG documents two int values)
 *
 * OUTPUT:
 *      args - some of the actions use args to return output values
 *
 * RETURNS:
 *      0 if successful
 *      non zero error code on failure
 *
 * NOTE(review): this header does not say whether refmon checks nargs
 *      against the number of inputs the action expects, nor which actions
 *      write results back through args. Callers should presumably pass
 *      exactly the slots listed for the action and keep nargs equal to the
 *      array length - confirm against the implementation.
 * NOTE(review): "successful" presumably means the security check passed
 *      (the action is permitted); if so, any non zero return must be
 *      treated as a denial and the guarded operation must not proceed -
 *      confirm.
 * NOTE(review): only REFMON_AUDIT is described for flags. REFMON_NOUSED and
 *      DOMAIN_CHECK are also defined in this header, but their effect on
 *      the check is not documented here.
 * NOTE(review): ACT_HIGHEST is the enum's end marker ("Do not add any
 *      actions beyond ACT_HIGHEST"), so a valid action is presumably one
 *      below it - confirm that out-of-range values are rejected.
 */
extern int refmon (cred_t *crp, rfm_action_t action, uint_t flags, int nargs,
                   void *args[]);

#endif /* __64BIT_KERNEL */
#endif /* _H_REFMON */