xref: /titanic_41/usr/src/uts/common/smbsrv/smb_privilege.h (revision 7f667e74610492ddbce8ce60f52ece95d2401949) 
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef _SMB_PRIVILEGE_H
27 #define	_SMB_PRIVILEGE_H
28 
29 #ifdef __cplusplus
30 extern "C" {
31 #endif
32 
33 /*
34  * Privileges
35  *
36  * Privileges apply to all objects and over-ride the access controls
37  * in an object's security descriptor in a manner specific to each
38  * privilege. Privileges are still not full defined. Privileges are
39  * defined in a set structure (LUID = Locally Unique Identifier).
40  *
41  * The default LUID, name and display names defined on NT 4.0 are:
42  * LUID Privilege Name                Display Name
43  * ---- --------------                ------------
44  * 0:2  SeCreateTokenPrivilege        Create a token object
45  * 0:3  SeAssignPrimaryTokenPrivilege Replace a process level token
46  * 0:4  SeLockMemoryPrivilege         Lock pages in memory
47  * 0:5  SeIncreaseQuotaPrivilege      Increase quotas
48  * 0:6  SeMachineAccountPrivilege     Add workstations to domain
49  * 0:7  SeTcbPrivilege                Act as part of the operating system
50  * 0:8  SeSecurityPrivilege           Manage auditing and security log
51  * 0:9  SeTakeOwnershipPrivilege      Take ownership of files or other objects
52  * 0:10 SeLoadDriverPrivilege         Load and unload device drivers
53  * 0:11 SeSystemProfilePrivilege      Profile system performance
54  * 0:12 SeSystemtimePrivilege         Change the system time
55  * 0:13 SeProfileSingleProcessPrivilege  Profile single process
56  * 0:14 SeIncreaseBasePriorityPrivilege  Increase scheduling priority
57  * 0:15 SeCreatePagefilePrivilege     Create a pagefile
58  * 0:16 SeCreatePermanentPrivilege    Create permanent shared objects
59  * 0:17 SeBackupPrivilege             Back up files and directories
60  * 0:18 SeRestorePrivilege            Restore files and directories
61  * 0:19 SeShutdownPrivilege           Shut down the system
62  * 0:20 SeDebugPrivilege              Debug programs
63  * 0:21 SeAuditPrivilege              Generate security audits
64  * 0:22 SeSystemEnvironmentPrivilege  Modify firmware environment values
65  * 0:23 SeChangeNotifyPrivilege       Bypass traverse checking
66  * 0:24 SeRemoteShutdownPrivilege     Force shutdown from a remote system
67  */
68 
69 /*
70  * Privilege names
71  */
72 #define	SE_CREATE_TOKEN_NAME		"SeCreateTokenPrivilege"
73 #define	SE_ASSIGNPRIMARYTOKEN_NAME	"SeAssignPrimaryTokenPrivilege"
74 #define	SE_LOCK_MEMORY_NAME		"SeLockMemoryPrivilege"
75 #define	SE_INCREASE_QUOTA_NAME		"SeIncreaseQuotaPrivilege"
76 #define	SE_UNSOLICITED_INPUT_NAME	"SeUnsolicitedInputPrivilege"
77 #define	SE_MACHINE_ACCOUNT_NAME		"SeMachineAccountPrivilege"
78 #define	SE_TCB_NAME			"SeTcbPrivilege"
79 #define	SE_SECURITY_NAME		"SeSecurityPrivilege"
80 #define	SE_TAKE_OWNERSHIP_NAME		"SeTakeOwnershipPrivilege"
81 #define	SE_LOAD_DRIVER_NAME		"SeLoadDriverPrivilege"
82 #define	SE_SYSTEM_PROFILE_NAME		"SeSystemProfilePrivilege"
83 #define	SE_SYSTEMTIME_NAME		"SeSystemtimePrivilege"
84 #define	SE_PROF_SINGLE_PROCESS_NAME	"SeProfileSingleProcessPrivilege"
85 #define	SE_INC_BASE_PRIORITY_NAME	"SeIncreaseBasePriorityPrivilege"
86 #define	SE_CREATE_PAGEFILE_NAME		"SeCreatePagefilePrivilege"
87 #define	SE_CREATE_PERMANENT_NAME	"SeCreatePermanentPrivilege"
88 #define	SE_BACKUP_NAME			"SeBackupPrivilege"
89 #define	SE_RESTORE_NAME			"SeRestorePrivilege"
90 #define	SE_SHUTDOWN_NAME		"SeShutdownPrivilege"
91 #define	SE_DEBUG_NAME			"SeDebugPrivilege"
92 #define	SE_AUDIT_NAME			"SeAuditPrivilege"
93 #define	SE_SYSTEM_ENVIRONMENT_NAME	"SeSystemEnvironmentPrivilege"
94 #define	SE_CHANGE_NOTIFY_NAME		"SeChangeNotifyPrivilege"
95 #define	SE_REMOTE_SHUTDOWN_NAME		"SeRemoteShutdownPrivilege"
96 
97 #define	SE_MIN_LUID			2
98 #define	SE_CREATE_TOKEN_LUID		2
99 #define	SE_ASSIGNPRIMARYTOKEN_LUID	3
100 #define	SE_LOCK_MEMORY_LUID		4
101 #define	SE_INCREASE_QUOTA_LUID		5
102 #define	SE_MACHINE_ACCOUNT_LUID		6
103 #define	SE_TCB_LUID			7
104 #define	SE_SECURITY_LUID		8
105 #define	SE_TAKE_OWNERSHIP_LUID		9
106 #define	SE_LOAD_DRIVER_LUID		10
107 #define	SE_SYSTEM_PROFILE_LUID		11
108 #define	SE_SYSTEMTIME_LUID		12
109 #define	SE_PROF_SINGLE_PROCESS_LUID	13
110 #define	SE_INC_BASE_PRIORITY_LUID	14
111 #define	SE_CREATE_PAGEFILE_LUID		15
112 #define	SE_CREATE_PERMANENT_LUID	16
113 #define	SE_BACKUP_LUID			17
114 #define	SE_RESTORE_LUID			18
115 #define	SE_SHUTDOWN_LUID		19
116 #define	SE_DEBUG_LUID			20
117 #define	SE_AUDIT_LUID			21
118 #define	SE_SYSTEM_ENVIRONMENT_LUID	22
119 #define	SE_CHANGE_NOTIFY_LUID		23
120 #define	SE_REMOTE_SHUTDOWN_LUID		24
121 #define	SE_MAX_LUID			24
122 
123 /*
124  * Privilege attributes
125  */
126 #define	SE_PRIVILEGE_DISABLED			0x00000000
127 #define	SE_PRIVILEGE_ENABLED_BY_DEFAULT		0x00000001
128 #define	SE_PRIVILEGE_ENABLED			0x00000002
129 #define	SE_PRIVILEGE_USED_FOR_ACCESS		0x80000000
130 
131 /*
132  * Privilege Set Control flags
133  */
134 #define	PRIVILEGE_SET_ALL_NECESSARY		1
135 
136 typedef struct smb_luid {
137 	uint32_t lo_part;
138 	uint32_t hi_part;
139 } smb_luid_t;
140 
141 
142 typedef struct smb_luid_attrs {
143 	smb_luid_t luid;
144 	uint32_t attrs;
145 } smb_luid_attrs_t;
146 
147 
148 typedef struct smb_privset {
149 	uint32_t priv_cnt;
150 	uint32_t control;
151 	smb_luid_attrs_t priv[ANY_SIZE_ARRAY];
152 } smb_privset_t;
153 
154 /*
155  * These are possible value for smb_privinfo_t.flags
156  *
157  * PF_PRESENTABLE	Privilege is user visible
158  */
159 #define	PF_PRESENTABLE	0x1
160 
161 /*
162  * Structure for passing privilege name and id information around within
163  * the system. Note that we are only storing the low uint32_t of the LUID;
164  * the high part is always zero here.
165  */
166 typedef struct smb_privinfo {
167 	uint32_t id;
168 	char *name;
169 	char *display_name;
170 	uint16_t flags;
171 } smb_privinfo_t;
172 
173 smb_privinfo_t *smb_priv_getbyvalue(uint32_t id);
174 smb_privinfo_t *smb_priv_getbyname(char *name);
175 int smb_priv_presentable_num(void);
176 int smb_priv_presentable_ids(uint32_t *ids, int num);
177 smb_privset_t *smb_privset_new();
178 int smb_privset_size();
179 void smb_privset_init(smb_privset_t *privset);
180 void smb_privset_free(smb_privset_t *privset);
181 void smb_privset_copy(smb_privset_t *dst, smb_privset_t *src);
182 void smb_privset_merge(smb_privset_t *dst, smb_privset_t *src);
183 void smb_privset_enable(smb_privset_t *privset, uint32_t id);
184 int smb_privset_query(smb_privset_t *privset, uint32_t id);
185 void smb_privset_log(smb_privset_t *privset);
186 
187 #ifdef __cplusplus
188 }
189 #endif
190 
191 #endif /* _SMB_PRIVILEGE_H */
192