/* IBM_PROLOG_BEGIN_TAG */ /* This is an automatically generated prolog. */ /* */ /* bos72Q src/bos/kernel/sys/secconf.h 1.11.1.1 */ /* */ /* Licensed Materials - Property of IBM */ /* */ /* Restricted Materials of IBM */ /* */ /* COPYRIGHT International Business Machines Corp. 2006,2019 */ /* All Rights Reserved */ /* */ /* US Government Users Restricted Rights - Use, duplication or */ /* disclosure restricted by GSA ADP Schedule Contract with IBM Corp. */ /* */ /* IBM_PROLOG_END_TAG */ /* @(#)01 1.11.1.1 src/bos/kernel/sys/secconf.h, syssmls, bos72Q, q2019_13A4 2/6/19 00:41:32 */ /* * COMPONENT_NAME: SYSSMLS * * ORIGINS: 27 * * * (C) COPYRIGHT International Business Machines Corp. 1988,2006 * All Rights Reserved * Licensed Materials - Property of IBM * US Government Users Restricted Rights - Use, duplication or * disclosure restricted by GSA ADP Schedule Contract with IBM Corp. * */ #ifndef _H_SECCONF #define _H_SECCONF #include <sys/types.h> #include <sys/param.h> #include <sys/cred.h> #ifdef __cplusplus extern "C" { #endif /* File security flags (FSF) */ #define FSF_DIR 0x0 #define FSF_PDIR 0x1 /* Partitioned directory */ #define FSF_PSDIR 0x2 /* Partitioned subdirectory */ #define FSF_PSSDIR 0x4 /* Partitioned sub-subdirectory */ #define FSF_PDIRMASK 0x7 /* Mask for all above */ #define FSF_APPEND 0x10 /* File can only be appended */ #define FSF_AUDIT 0x20 /* Audit privilege required */ #define FSF_MAC_EXMPT 0x40 /* Exempt MAC along with proper privilege */ #define FSF_TLIB 0x100 /* object is marked as part of the TLIB */ #define FSF_TLIB_PROC 0x200 /* TLIB process */ #define FSF_VALID_MASK 0x377 /* Mask representing valid FSF's */ #define FSF_MIN_INDEX 1 /* Minimum bit index used by FSF */ #define FSF_MAX_INDEX 8 /* Maximum bit index used by FSF */ /* File Security Flag String definitions */ #define FSF_STRINGS \ "FSF_PDIR" /* 0 */\ ,"FSF_PSDIR" /* 1 */\ ,"FSF_PSSDIR" /* 2 */\ ,"FSF_RESERVED_3" /* 3 */\ ,"FSF_APPEND" /* 4 */\ ,"FSF_AUDIT" /* 5 */\ ,"FSF_MAC_EXMPT" /* 6 */\ ,"FSF_RESERVED_7" /* 7 */\ ,"FSF_TLIB" /* 8 */\ ,"FSF_TLIB_PROC" /* 9 */ /* * Determines whether the FSF flag given by offset i is turned on in FSF x. */ #define FSF_TST(x,i) ((x) & 1<<(i)) /* Kernel security flags (KSF) */ #define SEC_TNET 0x1 /* Trusted networking */ #define SEC_ROOT 0x2 /* root powers enabled */ #define SEC_SL 0x10 /* MAC enforced */ #define SEC_TL_WRITE 0x20 /* MIC enforced on write, delete and rename */ #define SEC_TL_READ 0x40 /* MIC enforced on read */ #define SEC_STRPUSH 0x100 /* bypass STRPUSH privilege */ #define SEC_TLIB 0x200 /* TLIB flag is honored */ #define SEC_TLIBPATH 0x400 /* Trusted library path */ #define SEC_TRACEAUTH 0x800 /* Tracing used authorization */ /* System Runtime Modes */ #define CONFIGURATION_MODE 0x1 #define OPERATIONAL_MODE 0x2 /* mode for the system call setptcbmode. */ #define NONTLIB_PROC 1 #define TLIB_PROC 2 /* mode for the system call setppdmode. */ #define PD_REAL 1 #define PD_VIRTUAL 2 /* commands for the pdmkdir syscall. */ #define MKPDIR 1 #define MKPSDIR 2 #define MKPSSDIR 3 #define SETDIR 4 #define SETPDIR 5 #define SETPSDIR 6 #define SETPSSDIR 7 #if defined (_KERNEL) || defined(__KDB) /* Security Flag Definition */ typedef struct _secconfig_t { uint32_t conf_flags; uint32_t oper_flags; uint32_t runtime_mode; uint32_t mode_status; } secconfig_t; extern secconfig_t system_security; extern int get_secflags(void); /* Macros for determining Security Settings */ #define IS_OPERATIONAL_MODE(_x) \ ( (fetch_and_nop((atomic_p)&((_x).runtime_mode)) & OPERATIONAL_MODE) \ == OPERATIONAL_MODE) /* this needs to be updated if secconfig_t is modified */ #define MODE_FLAGS(x) (fetch_and_nop((atomic_p) &(x)+IS_OPERATIONAL_MODE(x))) #define TNET_ENABLED(x) (MODE_FLAGS(x) & SEC_ASN) #define ROOT_ENABLED(x) (KCID_CORRALED(KCID_CURPROC()) ? \ (curpvproc->pv_secflag & SROOT) : (MODE_FLAGS(x) & SEC_ROOT)) #define SL_ENFORCED(x) (MODE_FLAGS(x) & SEC_SL) #define TL_WRITE_ENFORCED(x) (MODE_FLAGS(x) & SEC_TL_WRITE) #define TL_READ_ENFORCED(x) (MODE_FLAGS(x) & SEC_TL_READ) #define STRPUSH_ENABLED(x) (MODE_FLAGS(x) & SEC_STRPUSH) #define TRUSTEDLIB_ENABLED(x) (MODE_FLAGS(x) & SEC_TLIB) #define TLIBPATH_ENABLED(x) (MODE_FLAGS(x) & SEC_TLIBPATH) #define TRAUTH_ENABLED(x) (KCID_CORRALED(KCID_CURPROC()) ? \ (curpvproc->pv_secflag & STRAUTH) : (MODE_FLAGS(x) & SEC_TRACEAUTH)) #define MODES_ALL_ENABLED(x, y) ((MODE_FLAGS(x) & (y)) == (y)) #define MODES_ENABLED(x, y) ((MODE_FLAGS(x) & (y)) != 0) #define VIRTUALMODE(cr) ( ((cr)->cr_SECflags & SEC_P_PDMODE) != SEC_P_PDMODE ) #define TLIB_PROCESS(cr) ( ((cr)->cr_SECflags & SEC_P_TLIBPROC)==SEC_P_TLIBPROC ) struct tlib_path_entry { char name[MAXPATHLEN + 4]; }; /* Global Kernel tlib Variables */ extern struct tlib_path_entry *tlib_path; /* library path table */ extern int tlib_path_entries; /* entries in table */ extern Complex_lock tlib_lock; /* lock for tlib variables */ /* Kernel Label Functions */ extern int sl_dom(sl_t *, sl_t *); extern int sl_eq(sl_t *, sl_t *); extern int tl_dom(tl_t *, tl_t *); extern int tl_eq(tl_t *, tl_t *); #endif /* _KERNEL */ /* system calls */ extern int sec_getsyslab(sl_t *, sl_t *, tl_t *, tl_t *); extern int sec_setsyslab(sl_t *, sl_t *, tl_t *, tl_t *); extern int sec_getpsec(pid_t, secattr_t *); extern int sec_getsecconf(uint32_t *, uint32_t *); extern int sec_setsecconf(uint32_t *, uint32_t *); extern int sec_getrunmode(ushort *); extern int sec_setrunmode(ushort); extern int sec_setptlibmode(int); extern int sec_gettlibbufsize(int *); extern int sec_gettlibpath(int, char *); extern int sec_settlibpath(int, char *[]); extern int sec_setplab(pid_t, sl_t *, sl_t *, sl_t *, tl_t *, tl_t *, tl_t *); extern int pdmkdir(char *, mode_t, int); extern int setppdmode(int); #ifdef __cplusplus } #endif #endif /* _H_SECCONF */