/* IBM_PROLOG_BEGIN_TAG                                                   */
/* This is an automatically generated prolog.                             */
/*                                                                        */
/* bos72Q src/bos/kernel/sys/secconf.h 1.11.1.1                           */
/*                                                                        */
/* Licensed Materials - Property of IBM                                   */
/*                                                                        */
/* Restricted Materials of IBM                                            */
/*                                                                        */
/* COPYRIGHT International Business Machines Corp. 2006,2019              */
/* All Rights Reserved                                                    */
/*                                                                        */
/* US Government Users Restricted Rights - Use, duplication or            */
/* disclosure restricted by GSA ADP Schedule Contract with IBM Corp.      */
/*                                                                        */
/* IBM_PROLOG_END_TAG                                                     */
/* @(#)01	1.11.1.1  src/bos/kernel/sys/secconf.h, syssmls, bos72Q, q2019_13A4 2/6/19 00:41:32 */
/*
 *   COMPONENT_NAME: SYSSMLS
 *
 *   ORIGINS: 27
 *
 *
 *   (C) COPYRIGHT International Business Machines Corp. 1988,2006
 *   All Rights Reserved
 *   Licensed Materials - Property of IBM
 *   US Government Users Restricted Rights - Use, duplication or
 *   disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
 *
 */
#ifndef _H_SECCONF
#define _H_SECCONF

#include <sys/types.h>
#include <sys/param.h>
#include <sys/cred.h>

#ifdef __cplusplus
extern "C" {
#endif

/* File security flags (FSF) */

#define	FSF_DIR		0x0	
#define	FSF_PDIR	0x1	/* Partitioned directory */
#define	FSF_PSDIR	0x2	/* Partitioned subdirectory */
#define	FSF_PSSDIR	0x4	/* Partitioned sub-subdirectory */
#define FSF_PDIRMASK	0x7	/* Mask for all above */
#define	FSF_APPEND	0x10	/* File can only be appended */
#define	FSF_AUDIT	0x20	/* Audit privilege required */
#define	FSF_MAC_EXMPT	0x40	/* Exempt MAC along with proper privilege */
#define	FSF_TLIB	0x100	/* object is marked as part of the TLIB */
#define	FSF_TLIB_PROC	0x200	/* TLIB process */

#define FSF_VALID_MASK	0x377	/* Mask representing valid FSF's */
#define FSF_MIN_INDEX	1    	/* Minimum bit index used by FSF */
#define FSF_MAX_INDEX	8    	/* Maximum bit index used by FSF */

/* File Security Flag String definitions */
#define FSF_STRINGS \
"FSF_PDIR"		/* 0 */\
,"FSF_PSDIR"		/* 1 */\
,"FSF_PSSDIR"		/* 2 */\
,"FSF_RESERVED_3"	/* 3 */\
,"FSF_APPEND"		/* 4 */\
,"FSF_AUDIT"		/* 5 */\
,"FSF_MAC_EXMPT"	/* 6 */\
,"FSF_RESERVED_7"	/* 7 */\
,"FSF_TLIB"		/* 8 */\
,"FSF_TLIB_PROC"	/* 9 */

/*
 * Determines whether the FSF flag given by offset i is turned on in FSF x.
 */
#define FSF_TST(x,i)       ((x) & 1<<(i))


/* Kernel security flags (KSF) */

#define SEC_TNET	0x1	/* Trusted networking */
#define SEC_ROOT	0x2	/* root powers enabled */
#define SEC_SL		0x10	/* MAC enforced */
#define SEC_TL_WRITE	0x20	/* MIC enforced on write, delete and rename */
#define SEC_TL_READ	0x40	/* MIC enforced on read */
#define SEC_STRPUSH	0x100	/* bypass STRPUSH privilege */
#define SEC_TLIB	0x200	/* TLIB flag is honored */
#define SEC_TLIBPATH	0x400	/* Trusted library path */
#define SEC_TRACEAUTH	0x800	/* Tracing used authorization */

/* System Runtime Modes */
#define CONFIGURATION_MODE      0x1
#define OPERATIONAL_MODE        0x2

/* mode for the system call setptcbmode.  */
#define NONTLIB_PROC             1
#define TLIB_PROC                2

/* mode for the system call setppdmode.  */
#define PD_REAL                 1
#define PD_VIRTUAL              2

/* commands for the pdmkdir syscall.  */
#define MKPDIR		1
#define MKPSDIR		2
#define MKPSSDIR	3
#define SETDIR		4
#define SETPDIR		5
#define SETPSDIR	6
#define SETPSSDIR	7

#if defined (_KERNEL) || defined(__KDB)

/* Security Flag Definition */
typedef struct _secconfig_t {
	uint32_t	conf_flags;
	uint32_t	oper_flags;
	uint32_t	runtime_mode;
	uint32_t	mode_status;
} secconfig_t;

extern secconfig_t system_security;
extern int get_secflags(void);

/* Macros for determining Security Settings */
#define IS_OPERATIONAL_MODE(_x)			\
	( (fetch_and_nop((atomic_p)&((_x).runtime_mode)) & OPERATIONAL_MODE) \
	  == OPERATIONAL_MODE)

/* this needs to be updated if secconfig_t is modified */
#define MODE_FLAGS(x)	(fetch_and_nop((atomic_p) &(x)+IS_OPERATIONAL_MODE(x)))

#define TNET_ENABLED(x)		(MODE_FLAGS(x) & SEC_ASN)
#define ROOT_ENABLED(x)		(KCID_CORRALED(KCID_CURPROC()) ? \
		(curpvproc->pv_secflag & SROOT) : (MODE_FLAGS(x) & SEC_ROOT))
#define SL_ENFORCED(x)		(MODE_FLAGS(x) & SEC_SL)
#define TL_WRITE_ENFORCED(x)	(MODE_FLAGS(x) & SEC_TL_WRITE)
#define TL_READ_ENFORCED(x)	(MODE_FLAGS(x) & SEC_TL_READ)
#define STRPUSH_ENABLED(x)	(MODE_FLAGS(x) & SEC_STRPUSH)
#define TRUSTEDLIB_ENABLED(x)	(MODE_FLAGS(x) & SEC_TLIB)
#define TLIBPATH_ENABLED(x)	(MODE_FLAGS(x) & SEC_TLIBPATH)
#define TRAUTH_ENABLED(x)	(KCID_CORRALED(KCID_CURPROC()) ? \
	(curpvproc->pv_secflag & STRAUTH) : (MODE_FLAGS(x) & SEC_TRACEAUTH))

#define MODES_ALL_ENABLED(x, y)	((MODE_FLAGS(x) & (y)) == (y))
#define MODES_ENABLED(x, y)	((MODE_FLAGS(x) & (y)) != 0)

#define VIRTUALMODE(cr)	 ( ((cr)->cr_SECflags & SEC_P_PDMODE) != SEC_P_PDMODE )
#define TLIB_PROCESS(cr) ( ((cr)->cr_SECflags & SEC_P_TLIBPROC)==SEC_P_TLIBPROC )

struct tlib_path_entry {
	char name[MAXPATHLEN + 4];
};

/* Global Kernel tlib Variables */
extern struct tlib_path_entry *tlib_path;       /* library path table */
extern int tlib_path_entries;                   /* entries in table */
extern Complex_lock tlib_lock;                  /* lock for tlib variables */

/* Kernel Label Functions */
extern int sl_dom(sl_t *, sl_t *);
extern int sl_eq(sl_t *, sl_t *);
extern int tl_dom(tl_t *, tl_t *);
extern int tl_eq(tl_t *, tl_t *);
#endif /* _KERNEL */

/* system calls */
extern int sec_getsyslab(sl_t *, sl_t *, tl_t *, tl_t *);
extern int sec_setsyslab(sl_t *, sl_t *, tl_t *, tl_t *);
extern int sec_getpsec(pid_t, secattr_t *);
extern int sec_getsecconf(uint32_t *, uint32_t *);
extern int sec_setsecconf(uint32_t *, uint32_t *);
extern int sec_getrunmode(ushort *);
extern int sec_setrunmode(ushort);
extern int sec_setptlibmode(int);
extern int sec_gettlibbufsize(int *);
extern int sec_gettlibpath(int, char *);
extern int sec_settlibpath(int, char *[]);
extern int sec_setplab(pid_t, sl_t *, sl_t *, sl_t *, tl_t *, tl_t *, tl_t *);
extern int pdmkdir(char *, mode_t, int);
extern int setppdmode(int);

#ifdef __cplusplus
}
#endif

#endif /* _H_SECCONF */