/* IBM_PROLOG_BEGIN_TAG */
/* This is an automatically generated prolog. */
/* */
/* bos72Q src/bos/kernel/sys/secconf.h 1.11.1.1 */
/* */
/* Licensed Materials - Property of IBM */
/* */
/* Restricted Materials of IBM */
/* */
/* COPYRIGHT International Business Machines Corp. 2006,2019 */
/* All Rights Reserved */
/* */
/* US Government Users Restricted Rights - Use, duplication or */
/* disclosure restricted by GSA ADP Schedule Contract with IBM Corp. */
/* */
/* IBM_PROLOG_END_TAG */
/* @(#)01 1.11.1.1 src/bos/kernel/sys/secconf.h, syssmls, bos72Q, q2019_13A4 2/6/19 00:41:32 */
/*
* COMPONENT_NAME: SYSSMLS
*
* ORIGINS: 27
*
*
* (C) COPYRIGHT International Business Machines Corp. 1988,2006
* All Rights Reserved
* Licensed Materials - Property of IBM
* US Government Users Restricted Rights - Use, duplication or
* disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
*
*/
#ifndef _H_SECCONF
#define _H_SECCONF
#include <sys/types.h>
#include <sys/param.h>
#include <sys/cred.h>
#ifdef __cplusplus
extern "C" {
#endif
/* File security flags (FSF) */
#define FSF_DIR 0x0
#define FSF_PDIR 0x1 /* Partitioned directory */
#define FSF_PSDIR 0x2 /* Partitioned subdirectory */
#define FSF_PSSDIR 0x4 /* Partitioned sub-subdirectory */
#define FSF_PDIRMASK 0x7 /* Mask for all above */
#define FSF_APPEND 0x10 /* File can only be appended */
#define FSF_AUDIT 0x20 /* Audit privilege required */
#define FSF_MAC_EXMPT 0x40 /* Exempt MAC along with proper privilege */
#define FSF_TLIB 0x100 /* object is marked as part of the TLIB */
#define FSF_TLIB_PROC 0x200 /* TLIB process */
#define FSF_VALID_MASK 0x377 /* Mask representing valid FSF's */
#define FSF_MIN_INDEX 1 /* Minimum bit index used by FSF */
#define FSF_MAX_INDEX 8 /* Maximum bit index used by FSF */
/* File Security Flag String definitions */
#define FSF_STRINGS \
"FSF_PDIR" /* 0 */\
,"FSF_PSDIR" /* 1 */\
,"FSF_PSSDIR" /* 2 */\
,"FSF_RESERVED_3" /* 3 */\
,"FSF_APPEND" /* 4 */\
,"FSF_AUDIT" /* 5 */\
,"FSF_MAC_EXMPT" /* 6 */\
,"FSF_RESERVED_7" /* 7 */\
,"FSF_TLIB" /* 8 */\
,"FSF_TLIB_PROC" /* 9 */
/*
* Determines whether the FSF flag given by offset i is turned on in FSF x.
*/
#define FSF_TST(x,i) ((x) & 1<<(i))
/* Kernel security flags (KSF) */
#define SEC_TNET 0x1 /* Trusted networking */
#define SEC_ROOT 0x2 /* root powers enabled */
#define SEC_SL 0x10 /* MAC enforced */
#define SEC_TL_WRITE 0x20 /* MIC enforced on write, delete and rename */
#define SEC_TL_READ 0x40 /* MIC enforced on read */
#define SEC_STRPUSH 0x100 /* bypass STRPUSH privilege */
#define SEC_TLIB 0x200 /* TLIB flag is honored */
#define SEC_TLIBPATH 0x400 /* Trusted library path */
#define SEC_TRACEAUTH 0x800 /* Tracing used authorization */
/* System Runtime Modes */
#define CONFIGURATION_MODE 0x1
#define OPERATIONAL_MODE 0x2
/* mode for the system call setptcbmode. */
#define NONTLIB_PROC 1
#define TLIB_PROC 2
/* mode for the system call setppdmode. */
#define PD_REAL 1
#define PD_VIRTUAL 2
/* commands for the pdmkdir syscall. */
#define MKPDIR 1
#define MKPSDIR 2
#define MKPSSDIR 3
#define SETDIR 4
#define SETPDIR 5
#define SETPSDIR 6
#define SETPSSDIR 7
#if defined (_KERNEL) || defined(__KDB)
/* Security Flag Definition */
typedef struct _secconfig_t {
uint32_t conf_flags;
uint32_t oper_flags;
uint32_t runtime_mode;
uint32_t mode_status;
} secconfig_t;
extern secconfig_t system_security;
extern int get_secflags(void);
/* Macros for determining Security Settings */
#define IS_OPERATIONAL_MODE(_x) \
( (fetch_and_nop((atomic_p)&((_x).runtime_mode)) & OPERATIONAL_MODE) \
== OPERATIONAL_MODE)
/* this needs to be updated if secconfig_t is modified */
#define MODE_FLAGS(x) (fetch_and_nop((atomic_p) &(x)+IS_OPERATIONAL_MODE(x)))
#define TNET_ENABLED(x) (MODE_FLAGS(x) & SEC_ASN)
#define ROOT_ENABLED(x) (KCID_CORRALED(KCID_CURPROC()) ? \
(curpvproc->pv_secflag & SROOT) : (MODE_FLAGS(x) & SEC_ROOT))
#define SL_ENFORCED(x) (MODE_FLAGS(x) & SEC_SL)
#define TL_WRITE_ENFORCED(x) (MODE_FLAGS(x) & SEC_TL_WRITE)
#define TL_READ_ENFORCED(x) (MODE_FLAGS(x) & SEC_TL_READ)
#define STRPUSH_ENABLED(x) (MODE_FLAGS(x) & SEC_STRPUSH)
#define TRUSTEDLIB_ENABLED(x) (MODE_FLAGS(x) & SEC_TLIB)
#define TLIBPATH_ENABLED(x) (MODE_FLAGS(x) & SEC_TLIBPATH)
#define TRAUTH_ENABLED(x) (KCID_CORRALED(KCID_CURPROC()) ? \
(curpvproc->pv_secflag & STRAUTH) : (MODE_FLAGS(x) & SEC_TRACEAUTH))
#define MODES_ALL_ENABLED(x, y) ((MODE_FLAGS(x) & (y)) == (y))
#define MODES_ENABLED(x, y) ((MODE_FLAGS(x) & (y)) != 0)
#define VIRTUALMODE(cr) ( ((cr)->cr_SECflags & SEC_P_PDMODE) != SEC_P_PDMODE )
#define TLIB_PROCESS(cr) ( ((cr)->cr_SECflags & SEC_P_TLIBPROC)==SEC_P_TLIBPROC )
struct tlib_path_entry {
char name[MAXPATHLEN + 4];
};
/* Global Kernel tlib Variables */
extern struct tlib_path_entry *tlib_path; /* library path table */
extern int tlib_path_entries; /* entries in table */
extern Complex_lock tlib_lock; /* lock for tlib variables */
/* Kernel Label Functions */
extern int sl_dom(sl_t *, sl_t *);
extern int sl_eq(sl_t *, sl_t *);
extern int tl_dom(tl_t *, tl_t *);
extern int tl_eq(tl_t *, tl_t *);
#endif /* _KERNEL */
/* system calls */
extern int sec_getsyslab(sl_t *, sl_t *, tl_t *, tl_t *);
extern int sec_setsyslab(sl_t *, sl_t *, tl_t *, tl_t *);
extern int sec_getpsec(pid_t, secattr_t *);
extern int sec_getsecconf(uint32_t *, uint32_t *);
extern int sec_setsecconf(uint32_t *, uint32_t *);
extern int sec_getrunmode(ushort *);
extern int sec_setrunmode(ushort);
extern int sec_setptlibmode(int);
extern int sec_gettlibbufsize(int *);
extern int sec_gettlibpath(int, char *);
extern int sec_settlibpath(int, char *[]);
extern int sec_setplab(pid_t, sl_t *, sl_t *, sl_t *, tl_t *, tl_t *, tl_t *);
extern int pdmkdir(char *, mode_t, int);
extern int setppdmode(int);
#ifdef __cplusplus
}
#endif
#endif /* _H_SECCONF */