/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
 */

#ifndef _SECURITY_NDL_
#define	_SECURITY_NDL_

/*
 * NDL definitions of the Windows-style security descriptor, ACL, ACE,
 * SID and access-mask types.
 *
 * Every enum in this file is wrapped in "#ifndef USE_UINT_ENUMS"; with
 * the macro defined here the enum forms are skipped and the plain
 * #define constants in the matching #else branches are used instead.
 */
#define	USE_UINT_ENUMS 1
29
/*
 * 128-bit GUID split into its time, clock-sequence and node fields
 * (4 + 2 + 2 + 2 + 6 bytes).  Used for the object-type identifiers in
 * the security_ace_object_* unions further down.
 */
struct GUID {
	DWORD time_low;
	WORD time_mid;
	WORD time_hi_and_version;
	BYTE clock_seq[2];	/* two raw bytes, not a WORD */
	BYTE node[6];
};
37
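/*
 * Access-mask layout (see the SEC_MASK_* constants): generic rights in
 * the top nibble, flag bits below them, standard rights in the next
 * byte and object-specific rights in the low 16 bits.
 *
 * The composite SEC_RIGHTS_* masks are fully parenthesised so that an
 * expression such as "mask & SEC_RIGHTS_FILE_READ" binds as a whole
 * rather than as "(mask & SEC_STD_READ_CONTROL) | ...".
 */
#define	SEC_MASK_GENERIC	0xF0000000
#define	SEC_MASK_FLAGS		0x0F000000
#define	SEC_MASK_STANDARD	0x00FF0000
#define	SEC_MASK_SPECIFIC	0x0000FFFF

/* Generic rights (SEC_MASK_GENERIC) */
#define	SEC_GENERIC_ALL		0x10000000
#define	SEC_GENERIC_EXECUTE	0x20000000
#define	SEC_GENERIC_WRITE	0x40000000
#define	SEC_GENERIC_READ	0x80000000

/* Access flags (SEC_MASK_FLAGS) */
#define	SEC_FLAG_SYSTEM_SECURITY 0x01000000
#define	SEC_FLAG_MAXIMUM_ALLOWED 0x02000000

/* Standard rights (SEC_MASK_STANDARD) */
#define	SEC_STD_DELETE		0x00010000
#define	SEC_STD_READ_CONTROL	0x00020000
#define	SEC_STD_WRITE_DAC	0x00040000
#define	SEC_STD_WRITE_OWNER	0x00080000
#define	SEC_STD_SYNCHRONIZE	0x00100000
#define	SEC_STD_REQUIRED	0x000F0000
#define	SEC_STD_ALL		0x001F0000

/* Object-specific rights (SEC_MASK_SPECIFIC): files */
#define	SEC_FILE_READ_DATA	0x00000001
#define	SEC_FILE_WRITE_DATA	0x00000002
#define	SEC_FILE_APPEND_DATA	0x00000004
#define	SEC_FILE_READ_EA	0x00000008
#define	SEC_FILE_WRITE_EA	0x00000010
#define	SEC_FILE_EXECUTE	0x00000020
#define	SEC_FILE_READ_ATTRIBUTE	0x00000080
#define	SEC_FILE_WRITE_ATTRIBUTE 0x00000100
#define	SEC_FILE_ALL		0x000001ff

/* Object-specific rights: directories */
#define	SEC_DIR_LIST		0x00000001
#define	SEC_DIR_ADD_FILE	0x00000002
#define	SEC_DIR_ADD_SUBDIR	0x00000004
#define	SEC_DIR_READ_EA		0x00000008
#define	SEC_DIR_WRITE_EA	0x00000010
#define	SEC_DIR_TRAVERSE	0x00000020
#define	SEC_DIR_DELETE_CHILD	0x00000040
#define	SEC_DIR_READ_ATTRIBUTE	0x00000080
#define	SEC_DIR_WRITE_ATTRIBUTE	0x00000100

/* Object-specific rights: registry keys */
#define	SEC_REG_QUERY_VALUE	0x00000001
#define	SEC_REG_SET_VALUE	0x00000002
#define	SEC_REG_CREATE_SUBKEY	0x00000004
#define	SEC_REG_ENUM_SUBKEYS	0x00000008
#define	SEC_REG_NOTIFY		0x00000010
#define	SEC_REG_CREATE_LINK	0x00000020

/* Object-specific rights: directory-service objects */
#define	SEC_ADS_CREATE_CHILD	0x00000001
#define	SEC_ADS_DELETE_CHILD	0x00000002
#define	SEC_ADS_LIST		0x00000004
#define	SEC_ADS_SELF_WRITE	0x00000008
#define	SEC_ADS_READ_PROP	0x00000010
#define	SEC_ADS_WRITE_PROP	0x00000020
#define	SEC_ADS_DELETE_TREE	0x00000040
#define	SEC_ADS_LIST_OBJECT	0x00000080
#define	SEC_ADS_CONTROL_ACCESS	0x00000100

/* Composite file/directory rights; parenthesised, see header comment */
#define	SEC_RIGHTS_FILE_READ	(SEC_STD_READ_CONTROL|SEC_STD_SYNCHRONIZE|SEC_FILE_READ_DATA|SEC_FILE_READ_ATTRIBUTE|SEC_FILE_READ_EA)
#define	SEC_RIGHTS_FILE_WRITE	(SEC_STD_READ_CONTROL|SEC_STD_SYNCHRONIZE|SEC_FILE_WRITE_DATA|SEC_FILE_WRITE_ATTRIBUTE|SEC_FILE_WRITE_EA|SEC_FILE_APPEND_DATA)
#define	SEC_RIGHTS_FILE_EXECUTE	(SEC_STD_SYNCHRONIZE|SEC_STD_READ_CONTROL|SEC_FILE_READ_ATTRIBUTE|SEC_FILE_EXECUTE)
#define	SEC_RIGHTS_FILE_ALL	(SEC_STD_ALL|SEC_FILE_ALL)
#define	SEC_RIGHTS_DIR_READ	SEC_RIGHTS_FILE_READ
#define	SEC_RIGHTS_DIR_WRITE	SEC_RIGHTS_FILE_WRITE
#define	SEC_RIGHTS_DIR_EXECUTE	SEC_RIGHTS_FILE_EXECUTE
#define	SEC_RIGHTS_DIR_ALL	SEC_RIGHTS_FILE_ALL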
/*
 * Well-known SIDs in their string form, "S-<revision>-<authority>-<rids>".
 * These are string literals, so they must be compared with a string
 * comparison, never with ==.
 */
#define	SID_NULL		"S-1-0-0"
#define	SID_WORLD_DOMAIN	"S-1-1"
#define	SID_WORLD		"S-1-1-0"
#define	SID_CREATOR_OWNER_DOMAIN "S-1-3"
#define	SID_CREATOR_OWNER	"S-1-3-0"
#define	SID_CREATOR_GROUP	"S-1-3-1"
#define	SID_NT_AUTHORITY	"S-1-5"
#define	SID_NT_DIALUP		"S-1-5-1"
#define	SID_NT_NETWORK		"S-1-5-2"
#define	SID_NT_BATCH		"S-1-5-3"
#define	SID_NT_INTERACTIVE	"S-1-5-4"
#define	SID_NT_SERVICE		"S-1-5-6"
#define	SID_NT_ANONYMOUS	"S-1-5-7"
#define	SID_NT_PROXY		"S-1-5-8"
#define	SID_NT_ENTERPRISE_DCS	"S-1-5-9"
#define	SID_NT_SELF		"S-1-5-10"
#define	SID_NT_AUTHENTICATED_USERS "S-1-5-11"
#define	SID_NT_RESTRICTED	"S-1-5-12"
#define	SID_NT_TERMINAL_SERVER_USERS "S-1-5-13"
#define	SID_NT_REMOTE_INTERACTIVE "S-1-5-14"
#define	SID_NT_THIS_ORGANISATION  "S-1-5-15"
#define	SID_NT_SYSTEM		"S-1-5-18"
#define	SID_NT_LOCAL_SERVICE	"S-1-5-19"
#define	SID_NT_NETWORK_SERVICE	"S-1-5-20"
/* Built-in domain (S-1-5-32) and its well-known local groups */
#define	SID_BUILTIN		"S-1-5-32"
#define	SID_BUILTIN_ADMINISTRATORS "S-1-5-32-544"
#define	SID_BUILTIN_USERS	"S-1-5-32-545"
#define	SID_BUILTIN_GUESTS	"S-1-5-32-546"
#define	SID_BUILTIN_POWER_USERS	"S-1-5-32-547"
#define	SID_BUILTIN_ACCOUNT_OPERATORS	"S-1-5-32-548"
#define	SID_BUILTIN_SERVER_OPERATORS	"S-1-5-32-549"
#define	SID_BUILTIN_PRINT_OPERATORS	"S-1-5-32-550"
#define	SID_BUILTIN_BACKUP_OPERATORS	"S-1-5-32-551"
#define	SID_BUILTIN_REPLICATOR	"S-1-5-32-552"
#define	SID_BUILTIN_RAS_SERVERS	"S-1-5-32-553"
#define	SID_BUILTIN_PREW2K	"S-1-5-32-554"
/*
 * Well-known relative identifiers (the final sub-authority) within a
 * domain.  Numeric, unlike the SID_* strings above.
 */
#define	DOMAIN_RID_LOGON	9
#define	DOMAIN_RID_ADMINISTRATOR 500
#define	DOMAIN_RID_GUEST	501
#define	DOMAIN_RID_ADMINS	512
#define	DOMAIN_RID_USERS	513
#define	DOMAIN_RID_DCS		516
#define	DOMAIN_RID_CERT_ADMINS	517
#define	DOMAIN_RID_SCHEMA_ADMINS 518
#define	DOMAIN_RID_ENTERPRISE_ADMINS 519
/*
 * Revision aliases.  The underlying constants are defined later in this
 * file (SECURITY_ACL_REVISION_NT4 and SECURITY_DESCRIPTOR_REVISION_1),
 * which is fine for macros as they expand only at the point of use.
 */
#define	NT4_ACL_REVISION	SECURITY_ACL_REVISION_NT4
#define	SD_REVISION		SECURITY_DESCRIPTOR_REVISION_1
143
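/*
 * Privilege identifiers (SEC_PRIV_*).  The enum and the #define forms
 * carry identical values; USE_UINT_ENUMS selects which one is compiled.
 * The enum is indented like the other enums in this file.
 */
#ifndef USE_UINT_ENUMS
enum sec_privilege {
	SEC_PRIV_SECURITY=1,
	SEC_PRIV_BACKUP=2,
	SEC_PRIV_RESTORE=3,
	SEC_PRIV_SYSTEMTIME=4,
	SEC_PRIV_SHUTDOWN=5,
	SEC_PRIV_REMOTE_SHUTDOWN=6,
	SEC_PRIV_TAKE_OWNERSHIP=7,
	SEC_PRIV_DEBUG=8,
	SEC_PRIV_SYSTEM_ENVIRONMENT=9,
	SEC_PRIV_SYSTEM_PROFILE=10,
	SEC_PRIV_PROFILE_SINGLE_PROCESS=11,
	SEC_PRIV_INCREASE_BASE_PRIORITY=12,
	SEC_PRIV_LOAD_DRIVER=13,
	SEC_PRIV_CREATE_PAGEFILE=14,
	SEC_PRIV_INCREASE_QUOTA=15,
	SEC_PRIV_CHANGE_NOTIFY=16,
	SEC_PRIV_UNDOCK=17,
	SEC_PRIV_MANAGE_VOLUME=18,
	SEC_PRIV_IMPERSONATE=19,
	SEC_PRIV_CREATE_GLOBAL=20,
	SEC_PRIV_ENABLE_DELEGATION=21,
	SEC_PRIV_INTERACTIVE_LOGON=22,
	SEC_PRIV_NETWORK_LOGON=23,
	SEC_PRIV_REMOTE_INTERACTIVE_LOGON=24
};
#else

#define	SEC_PRIV_SECURITY			1
#define	SEC_PRIV_BACKUP				2
#define	SEC_PRIV_RESTORE			3
#define	SEC_PRIV_SYSTEMTIME			4
#define	SEC_PRIV_SHUTDOWN			5
#define	SEC_PRIV_REMOTE_SHUTDOWN		6
#define	SEC_PRIV_TAKE_OWNERSHIP			7
#define	SEC_PRIV_DEBUG				8
#define	SEC_PRIV_SYSTEM_ENVIRONMENT		9
#define	SEC_PRIV_SYSTEM_PROFILE			10
#define	SEC_PRIV_PROFILE_SINGLE_PROCESS		11
#define	SEC_PRIV_INCREASE_BASE_PRIORITY		12
#define	SEC_PRIV_LOAD_DRIVER			13
#define	SEC_PRIV_CREATE_PAGEFILE		14
#define	SEC_PRIV_INCREASE_QUOTA			15
#define	SEC_PRIV_CHANGE_NOTIFY			16
#define	SEC_PRIV_UNDOCK				17
#define	SEC_PRIV_MANAGE_VOLUME			18
#define	SEC_PRIV_IMPERSONATE			19
#define	SEC_PRIV_CREATE_GLOBAL			20
#define	SEC_PRIV_ENABLE_DELEGATION		21
#define	SEC_PRIV_INTERACTIVE_LOGON		22
#define	SEC_PRIV_NETWORK_LOGON			23
#define	SEC_PRIV_REMOTE_INTERACTIVE_LOGON	24
#endif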
198
/*
 * Security identifier.  Going by the field names, sub_auths points at
 * num_auths DWORD relative identifiers.  NOTE(review): a decoder must
 * bound num_auths before allocating or walking sub_auths (Windows SIDs
 * carry at most 15 sub-authorities) — confirm where that is enforced.
 */
struct dom_sid {
	BYTE sid_rev_num;	/* SID revision */
	BYTE num_auths;		/* number of entries at sub_auths */
	BYTE id_auth[6];	/* 6-byte identifier authority */
	DWORD *sub_auths;	/* relative identifiers */
};
205
/*
 * bitmap security_ace_flags
 *
 * Values for security_ace.flags.  SEC_ACE_FLAG_VALID_INHERIT (0x0f) is
 * the OR of the four inheritance bits (0x01|0x02|0x04|0x08); the two
 * high bits are audit-ACE options.
 */
#define	SEC_ACE_FLAG_OBJECT_INHERIT		0x01
#define	SEC_ACE_FLAG_CONTAINER_INHERIT		0x02
#define	SEC_ACE_FLAG_NO_PROPAGATE_INHERIT	0x04
#define	SEC_ACE_FLAG_INHERIT_ONLY		0x08
#define	SEC_ACE_FLAG_INHERITED_ACE		0x10
#define	SEC_ACE_FLAG_VALID_INHERIT		0x0f
#define	SEC_ACE_FLAG_SUCCESSFUL_ACCESS		0x40
#define	SEC_ACE_FLAG_FAILED_ACCESS		0x80
217
/*
 * ACE type codes, used in security_ace.security_ace_type.  Same values
 * in the enum and #define forms; USE_UINT_ENUMS selects which compiles.
 * Types 5 through 8 are the object-ACE variants that carry the GUIDs
 * from the security_ace_object_* unions.
 */
#ifndef USE_UINT_ENUMS
enum security_ace_type {
	SEC_ACE_TYPE_ACCESS_ALLOWED=0,
	SEC_ACE_TYPE_ACCESS_DENIED=1,
	SEC_ACE_TYPE_SYSTEM_AUDIT=2,
	SEC_ACE_TYPE_SYSTEM_ALARM=3,
	SEC_ACE_TYPE_ALLOWED_COMPOUND=4,
	SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT=5,
	SEC_ACE_TYPE_ACCESS_DENIED_OBJECT=6,
	SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT=7,
	SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT=8
};
#else
#define	SEC_ACE_TYPE_ACCESS_ALLOWED		0
#define	SEC_ACE_TYPE_ACCESS_DENIED		1
#define	SEC_ACE_TYPE_SYSTEM_AUDIT		2
#define	SEC_ACE_TYPE_SYSTEM_ALARM		3
#define	SEC_ACE_TYPE_ALLOWED_COMPOUND		4
#define	SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT	5
#define	SEC_ACE_TYPE_ACCESS_DENIED_OBJECT	6
#define	SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT	7
#define	SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT	8
#endif
241
/*
 * bitmap security_ace_object_flags
 *
 * Values for security_ace_object.flags; each bit presumably indicates
 * that the corresponding GUID union arm is present — confirm against
 * the marshalling code.
 */
#define	SEC_ACE_OBJECT_TYPE_PRESENT		0x00000001
#define	SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT	0x00000002
247
/*
 * Discriminated union holding the object-type GUID of an object ACE.
 * CASE(0) presumably selects this arm for discriminator value 0 —
 * confirm the NDL union semantics in the generator.
 */
union security_ace_object_type {
	CASE(0) struct GUID type;
};
251
/*
 * Discriminated union holding the inherited-object-type GUID of an
 * object ACE; same CASE(0) arm structure as security_ace_object_type.
 */
union security_ace_object_inherited_type {
	CASE(0) struct GUID inherited_type;
};
255
/*
 * Object-ACE header: flags is the SEC_ACE_OBJECT_* bitmap saying which
 * of the GUID unions follow.  Only the flags word is declared here.
 */
struct security_ace_object {
	DWORD flags;	/* SEC_ACE_OBJECT_TYPE_PRESENT | ..._INHERITED_... */
};
259
/*
 * Discriminated union wrapping security_ace_object; arm 0 carries the
 * object-ACE header.
 */
union security_ace_object_ctr {
	CASE(0) struct security_ace_object object;
};
263
/*
 * Access control entry.  security_ace_type takes SEC_ACE_TYPE_*, flags
 * is the SEC_ACE_FLAG_* bitmap, access_mask is built from the SEC_*
 * rights and trustee is the SID the entry applies to.
 *
 * NOTE(review): size is presumably the byte length of the whole ACE
 * including the variable-length trustee SID; a decoder should check it
 * against the trustee's actual length and the enclosing ACL size before
 * advancing to the next entry — confirm in the marshalling code.
 * NOTE(review): the ACE type is declared DWORD here although the on-wire
 * field is a single byte; confirm how the generator packs it.
 */
struct security_ace {
	DWORD security_ace_type;	/* SEC_ACE_TYPE_* */
	BYTE flags;			/* SEC_ACE_FLAG_* bitmap */
	WORD size;			/* ACE length in bytes (presumed) */
	DWORD access_mask;		/* SEC_* access rights */
	struct dom_sid trustee;		/* subject of the entry */
};
271
/*
 * ACL revision numbers, used in security_acl.security_acl_revision.
 * NT4_ACL_REVISION above aliases SECURITY_ACL_REVISION_NT4.
 */
#ifndef USE_UINT_ENUMS
enum security_acl_revision {
	SECURITY_ACL_REVISION_NT4=2,
	SECURITY_ACL_REVISION_ADS=4
};
#else
#define	SECURITY_ACL_REVISION_NT4	2
#define	SECURITY_ACL_REVISION_ADS	4
#endif
281
/*
 * Access control list: num_aces entries at aces, preceded by the
 * revision (SECURITY_ACL_REVISION_*) and size.
 *
 * NOTE(review): num_aces and size both come from the peer when this is
 * decoded; the decoder should validate num_aces against size and the
 * available buffer before walking aces — confirm where that happens.
 */
struct security_acl {
	DWORD security_acl_revision;	/* SECURITY_ACL_REVISION_* */
	WORD size;			/* ACL length in bytes (presumed) */
	DWORD num_aces;			/* number of entries at aces */
	struct security_ace *aces;
};
288
/*
 * Security descriptor revision, used in security_descriptor.revision.
 * SD_REVISION above aliases SECURITY_DESCRIPTOR_REVISION_1.
 */
#ifndef USE_UINT_ENUMS
enum security_descriptor_revision {
	SECURITY_DESCRIPTOR_REVISION_1=1
};
#else
#define	SECURITY_DESCRIPTOR_REVISION_1	1
#endif
296
/*
 * bitmap security_descriptor_type
 *
 * Control bits for security_descriptor.type.  The *_PRESENT bits say
 * whether the matching dacl / sacl field carries anything; the
 * *_PROTECTED bits block inheritance; SEC_DESC_SELF_RELATIVE marks the
 * offset-based layout.
 */
#define	SEC_DESC_OWNER_DEFAULTED	0x0001
#define	SEC_DESC_GROUP_DEFAULTED	0x0002
#define	SEC_DESC_DACL_PRESENT		0x0004
#define	SEC_DESC_DACL_DEFAULTED		0x0008
#define	SEC_DESC_SACL_PRESENT		0x0010
#define	SEC_DESC_SACL_DEFAULTED		0x0020
#define	SEC_DESC_DACL_TRUSTED		0x0040
#define	SEC_DESC_SERVER_SECURITY	0x0080
#define	SEC_DESC_DACL_AUTO_INHERIT_REQ	0x0100
#define	SEC_DESC_SACL_AUTO_INHERIT_REQ	0x0200
#define	SEC_DESC_DACL_AUTO_INHERITED	0x0400
#define	SEC_DESC_SACL_AUTO_INHERITED	0x0800
#define	SEC_DESC_DACL_PROTECTED		0x1000
#define	SEC_DESC_SACL_PROTECTED		0x2000
#define	SEC_DESC_RM_CONTROL_VALID	0x4000
#define	SEC_DESC_SELF_RELATIVE		0x8000
316
/*
 * Security descriptor header.  revision is SECURITY_DESCRIPTOR_REVISION_1
 * (SD_REVISION) and type is the SEC_DESC_* bitmap.
 *
 * The four DWORD fields are presumably byte offsets from the start of a
 * self-relative descriptor (SEC_DESC_SELF_RELATIVE) rather than
 * pointers — confirm against the marshalling code.  If so, a decoder
 * must range-check each offset against the buffer length before
 * following it.
 * NOTE(review): only treat dacl / sacl as meaningful when the matching
 * SEC_DESC_DACL_PRESENT / SEC_DESC_SACL_PRESENT bit is set in type; in
 * Windows semantics a descriptor with no DACL grants everyone access.
 */
struct security_descriptor {
	WORD revision;		/* SECURITY_DESCRIPTOR_REVISION_* */
	WORD type;		/* SEC_DESC_* control bits */
	DWORD ownersid;		/* owner SID (offset, presumed) */
	DWORD groupsid;		/* primary group SID (offset, presumed) */
	DWORD sacl;		/* system ACL (offset, presumed) */
	DWORD dacl;		/* discretionary ACL (offset, presumed) */
};
325
/*
 * Sized buffer wrapper for a security descriptor.  sd_size is presumably
 * the byte length of the data at sd; whoever builds one must keep the
 * two consistent, and a decoder should trust sd_size only after checking
 * it against the received buffer.
 */
struct sec_desc_buf {
	DWORD sd_size;			/* length of *sd in bytes (presumed) */
	struct security_descriptor *sd;
};
330
/*
 * Security token: the user and primary group SIDs plus two DWORD
 * privilege bitmasks (bit positions presumably follow SEC_PRIV_*).
 * num_sids is a count, but no SID array is declared in this struct —
 * presumably the group SIDs travel separately; confirm with the caller.
 */
struct security_token {
	struct dom_sid *user_sid;
	struct dom_sid *group_sid;
	DWORD num_sids;
	DWORD privilege_mask1;
	DWORD privilege_mask2;
};
338
/*
 * bitmap security_secinfo
 *
 * Selector bits naming which parts of a security descriptor (owner,
 * group, DACL, SACL) a query or update applies to.
 */
#define	SECINFO_OWNER		0x00000001
#define	SECINFO_GROUP		0x00000002
#define	SECINFO_DACL		0x00000004
#define	SECINFO_SACL		0x00000008
346
347#endif /* _SECURITY_NDL_ */
348