/* IBM_PROLOG_BEGIN_TAG */ /* This is an automatically generated prolog. */ /* */ /* bos720 src/bos/kernel/sys/secattr.h 1.12.1.4 */ /* */ /* Licensed Materials - Property of IBM */ /* */ /* Restricted Materials of IBM */ /* */ /* COPYRIGHT International Business Machines Corp. 2006,2012 */ /* All Rights Reserved */ /* */ /* US Government Users Restricted Rights - Use, duplication or */ /* disclosure restricted by GSA ADP Schedule Contract with IBM Corp. */ /* */ /* IBM_PROLOG_END_TAG */ /* @(#)05 1.12.1.4 src/bos/kernel/sys/secattr.h, syssrbac, bos720 10/1/12 15:12:16 */ /* * COMPONENT_NAME: SYSSRBAC * * ORIGINS: 27 * * * (C) COPYRIGHT International Business Machines Corp. 1988,2000 * All Rights Reserved * Licensed Materials - Property of IBM * US Government Users Restricted Rights - Use, duplication or * disclosure restricted by GSA ADP Schedule Contract with IBM Corp. * */ #ifndef _H_SECATTR #define _H_SECATTR #include #include #include #ifdef __cplusplus extern "C" { #endif #define MAX_ROLES 8 /* Maximum no. of supported Roles */ #define MAX_AAS_SIZ 16 /* Maximum size of Access Authorization set */ #define MAX_APS_SIZ 16 /* Maximum size of Privileged Auth set */ #define MAX_AROLES_SIZ 16 /* Maximum size of authroles roles */ /* Security attributes for subjects (process) */ struct subsec_attr { rid_t roles[MAX_ROLES]; /* Maximum no. of supported roles */ short nroles; /* Number of roles */ short ntrauths; /* Number of traced auths */ uint32_t flags; /* Flags */ privg_t effpriv; /* Effective privilege vector */ privg_t maxpriv; /* Maximum privilege vector */ privg_t inhpriv; /* Inheritable privilege vector */ privg_t limpriv; /* Limited privilege vector */ privg_t usedpriv; /* Used privilege vector */ #ifdef _KERNEL authnum_t *trauths; /* Buffer for tracing authorizations */ #else int reserved[2]; /* Reserved */ #endif sec_labels_t labels; /* All Labels */ }; typedef struct subsec_attr subsec_attr_t; /* Security attributes for objects (File System, Privcmd) */ struct fsobjsec_attr { authnum_t accessAuths[MAX_AAS_SIZ]; /* Access Authorizations */ authnum_t privAuths[MAX_APS_SIZ]; /* Privileged Authorizations */ privg_t authPrivs[MAX_APS_SIZ]; /* Authorized Privileges */ privg_t innatePrivs; /* Innate Privileges */ privg_t inheritPrivs; /* Inheritable Privileges */ uint32_t secFlags; /* File Security Flag */ rid_t aroles[MAX_AROLES_SIZ]; /* Authenticated Roles */ }; typedef struct fsobjsec_attr fsobjsec_attr_t; /* Special auth ids for accessAuths */ #define ALLOW_OWNER 1 /* Allow file owner to execute */ #define ALLOW_GROUP 2 /* Allow file group member to execute */ #define ALLOW_ALL 3 /* Allow everyone to execute */ #define BYPASS_AUTH 4 /* Not to assign in privcmd, for traceauth only */ /* File Security Flags (secFlags). More flags are defined in sys/secconf.h */ #define FSF_EPS 0x1000 /* EPS will be same as MPS */ #define FSF_SETEUID 0x2000 /* euid field is set (for privcmd) */ #define FSF_SETEGID 0x4000 /* egid field is set (for privcmd) */ #define FSF_SETRUID 0x8000 /* ruid field is set (for privcmd) */ #define FSF_DOM_ALL 0x0100 /* used for object domains */ #define FSF_DOM_ANY 0x0200 /* used for object domains */ /* cred SECflags */ #define SEC_PRIVCMD 0x01 /* privileged command */ #define SEC_P_PDMODE 0x02 /* PDIR REAL Mode */ #define SEC_P_TLIBPROC 0x04 /* TLIB process */ #define SEC_RBACAWARE 0x08 /* RBAC-aware program */ #define SEC_NOEXEC 0x10 /* exec allowed */ #define SEC_INIT 0x20 /* pass privs to init */ #define SEC_PRIVSCR 0x40 /* privileged symlink script*/ #define SEC_TRAUTHS 0x80 /* trace authorizations */ #define SEC_AROLES 0x100 /* Authenticated Roles */ #define SEC_RBACPATH 0x200 /* used for NFS when uid switched to 0 */ #define NUM_TRAUTHS 64 /* no. of auths in a traced buffer */ /* * This is the security relevant attributes of a process which can be * used in user space. */ #define SC_NGROUPS 32 /* No of supported groups for sec_cred */ struct sec_attr { uid_t sc_uid; /* effective uid */ uid_t sc_ruid; /* real uid */ uid_t sc_luid; /* login uid */ uid_t sc_gid; /* effective gid */ uid_t sc_rgid; /* real gid */ short sc_ngrps; /* no of groups */ short sc_pad; /* pad */ gid_t sc_groups[SC_NGROUPS]; /* groups */ subsec_attr_t sc_attr; /* security attributes */ }; typedef struct sec_attr secattr_t; /* shortcuts */ #define sc_roles sc_attr.roles #define sc_nroles sc_attr.nroles #define sc_ntrauths sc_attr.ntrauths #define sc_SECflags sc_attr.flags #define sc_effpriv sc_attr.effpriv #define sc_maxpriv sc_attr.maxpriv #define sc_inhpriv sc_attr.inhriv #define sc_limpriv sc_attr.limpriv #define sc_usedpriv sc_attr.usedpriv #define sc_sl sc_attr.labels.sl #define sc_sl_cl_min sc_attr.labels.sl_cl_min #define sc_sl_cl_max sc_attr.labels.sl_cl_max #define sc_tl sc_attr.labels.tl #define sc_tl_cl_min sc_attr.labels.tl_cl_min #define sc_tl_cl_max sc_attr.labels.tl_cl_max #ifdef __64BIT_KERNEL #include extern struct ucred *kcred; extern Simple_lock kcred_lock; #endif /* * This structure contains all the security attributes asociated * with a extended read/write object. */ struct file_secattr { sec_labels_t labels; int refcount; }; typedef struct file_secattr file_secattr_t; #ifdef __cplusplus } #endif #endif /* _H_SECATTR */