xref: /illumos-gate/usr/src/uts/common/smbsrv/smb_privilege.h (revision 698f4ab6008be205f4362675967638572eef4f21)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  *
25  * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
26  */
27 
28 #ifndef _SMB_PRIVILEGE_H
29 #define	_SMB_PRIVILEGE_H
30 
31 #include <smb/wintypes.h>
32 
33 #ifdef __cplusplus
34 extern "C" {
35 #endif
36 
37 /*
38  * Privileges
39  *
40  * Privileges apply to all objects and over-ride the access controls
41  * in an object's security descriptor in a manner specific to each
42  * privilege. Privileges are still not fully defined. Privileges are
43  * defined in a set structure (LUID = Locally Unique Identifier).
44  *
45  * The default LUID, name and display names defined on NT 4.0 are:
46  * LUID Privilege Name                Display Name
47  * ---- --------------                ------------
48  * 0:2  SeCreateTokenPrivilege        Create a token object
49  * 0:3  SeAssignPrimaryTokenPrivilege Replace a process level token
50  * 0:4  SeLockMemoryPrivilege         Lock pages in memory
51  * 0:5  SeIncreaseQuotaPrivilege      Increase quotas
52  * 0:6  SeMachineAccountPrivilege     Add workstations to domain
53  * 0:7  SeTcbPrivilege                Act as part of the operating system
54  * 0:8  SeSecurityPrivilege           Manage auditing and security log
55  * 0:9  SeTakeOwnershipPrivilege      Take ownership of files or other objects
56  * 0:10 SeLoadDriverPrivilege         Load and unload device drivers
57  * 0:11 SeSystemProfilePrivilege      Profile system performance
58  * 0:12 SeSystemtimePrivilege         Change the system time
59  * 0:13 SeProfileSingleProcessPrivilege  Profile single process
60  * 0:14 SeIncreaseBasePriorityPrivilege  Increase scheduling priority
61  * 0:15 SeCreatePagefilePrivilege     Create a pagefile
62  * 0:16 SeCreatePermanentPrivilege    Create permanent shared objects
63  * 0:17 SeBackupPrivilege             Back up files and directories
64  * 0:18 SeRestorePrivilege            Restore files and directories
65  * 0:19 SeShutdownPrivilege           Shut down the system
66  * 0:20 SeDebugPrivilege              Debug programs
67  * 0:21 SeAuditPrivilege              Generate security audits
68  * 0:22 SeSystemEnvironmentPrivilege  Modify firmware environment values
69  * 0:23 SeChangeNotifyPrivilege       Bypass traverse checking
70  * 0:24 SeRemoteShutdownPrivilege     Force shutdown from a remote system
71  */
72 
73 /*
74  * Privilege names
    *
    * NOTE(review): the last two names (LUIDs 25 and 26) are not in the NT 4.0
    * table above; the strings suggest they override file ACL checks, so
    * confirm their semantics before granting them.
75  */
76 #define	SE_CREATE_TOKEN_NAME		"SeCreateTokenPrivilege"
77 #define	SE_ASSIGNPRIMARYTOKEN_NAME	"SeAssignPrimaryTokenPrivilege"
78 #define	SE_LOCK_MEMORY_NAME		"SeLockMemoryPrivilege"
79 #define	SE_INCREASE_QUOTA_NAME		"SeIncreaseQuotaPrivilege"
80 #define	SE_UNSOLICITED_INPUT_NAME	"SeUnsolicitedInputPrivilege"	/* no matching SE_*_LUID below */
81 #define	SE_MACHINE_ACCOUNT_NAME		"SeMachineAccountPrivilege"
82 #define	SE_TCB_NAME			"SeTcbPrivilege"
83 #define	SE_SECURITY_NAME		"SeSecurityPrivilege"
84 #define	SE_TAKE_OWNERSHIP_NAME		"SeTakeOwnershipPrivilege"
85 #define	SE_LOAD_DRIVER_NAME		"SeLoadDriverPrivilege"
86 #define	SE_SYSTEM_PROFILE_NAME		"SeSystemProfilePrivilege"
87 #define	SE_SYSTEMTIME_NAME		"SeSystemtimePrivilege"
88 #define	SE_PROF_SINGLE_PROCESS_NAME	"SeProfileSingleProcessPrivilege"
89 #define	SE_INC_BASE_PRIORITY_NAME	"SeIncreaseBasePriorityPrivilege"
90 #define	SE_CREATE_PAGEFILE_NAME		"SeCreatePagefilePrivilege"
91 #define	SE_CREATE_PERMANENT_NAME	"SeCreatePermanentPrivilege"
92 #define	SE_BACKUP_NAME			"SeBackupPrivilege"
93 #define	SE_RESTORE_NAME			"SeRestorePrivilege"
94 #define	SE_SHUTDOWN_NAME		"SeShutdownPrivilege"
95 #define	SE_DEBUG_NAME			"SeDebugPrivilege"
96 #define	SE_AUDIT_NAME			"SeAuditPrivilege"
97 #define	SE_SYSTEM_ENVIRONMENT_NAME	"SeSystemEnvironmentPrivilege"
98 #define	SE_CHANGE_NOTIFY_NAME		"SeChangeNotifyPrivilege"
99 #define	SE_REMOTE_SHUTDOWN_NAME		"SeRemoteShutdownPrivilege"
100 #define	SE_READ_FILE_NAME		"BypassAclRead"	/* LUID 25 */
101 #define	SE_WRITE_FILE_NAME		"BypassAclWrite"	/* LUID 26 */
102 
103 #define	SE_MIN_LUID			2	/* lowest id defined here */
104 #define	SE_CREATE_TOKEN_LUID		2
105 #define	SE_ASSIGNPRIMARYTOKEN_LUID	3
106 #define	SE_LOCK_MEMORY_LUID		4
107 #define	SE_INCREASE_QUOTA_LUID		5
108 #define	SE_MACHINE_ACCOUNT_LUID		6
109 #define	SE_TCB_LUID			7
110 #define	SE_SECURITY_LUID		8
111 #define	SE_TAKE_OWNERSHIP_LUID		9
112 #define	SE_LOAD_DRIVER_LUID		10
113 #define	SE_SYSTEM_PROFILE_LUID		11
114 #define	SE_SYSTEMTIME_LUID		12
115 #define	SE_PROF_SINGLE_PROCESS_LUID	13
116 #define	SE_INC_BASE_PRIORITY_LUID	14
117 #define	SE_CREATE_PAGEFILE_LUID		15
118 #define	SE_CREATE_PERMANENT_LUID	16
119 #define	SE_BACKUP_LUID			17
120 #define	SE_RESTORE_LUID			18
121 #define	SE_SHUTDOWN_LUID		19
122 #define	SE_DEBUG_LUID			20
123 #define	SE_AUDIT_LUID			21
124 #define	SE_SYSTEM_ENVIRONMENT_LUID	22
125 #define	SE_CHANGE_NOTIFY_LUID		23
126 #define	SE_REMOTE_SHUTDOWN_LUID		24
127 #define	SE_READ_FILE_LUID		25	/* beyond the NT 4.0 table (which ends at 24) */
128 #define	SE_WRITE_FILE_LUID		26	/* beyond the NT 4.0 table (which ends at 24) */
129 #define	SE_MAX_LUID			26	/* highest id defined here; update when adding an id */
130 
131 /*
132  * Privilege attributes (presumably the bits kept in smb_luid_attrs_t.attrs)
133  */
134 #define	SE_PRIVILEGE_DISABLED			0x00000000	/* zero: cannot be tested with & */
135 #define	SE_PRIVILEGE_ENABLED_BY_DEFAULT		0x00000001
136 #define	SE_PRIVILEGE_ENABLED			0x00000002
137 #define	SE_PRIVILEGE_USED_FOR_ACCESS		0x80000000
138 
139 /*
140  * Privilege Set Control flags (presumably for smb_privset_t.control)
141  */
142 #define	PRIVILEGE_SET_ALL_NECESSARY		1
143 
144 /*
145  * Locally Unique Identifier (an NT thing, not a Unix UID or a user id)
146  * See also: smb_luid_xdr()
147  */
148 typedef struct smb_luid {
149 	uint32_t lo_part;	/* low 32 bits (the part smb_privinfo_t.id carries) */
150 	uint32_t hi_part;	/* high 32 bits */
151 } smb_luid_t;
152 
153 /*
154  * Locally Unique Identifier and attributes (again, an NT thing)
155  * See also: smb_luid_attrs_xdr()
156  */
157 typedef struct smb_luid_attrs {
158 	smb_luid_t luid;	/* which privilege */
159 	uint32_t attrs;		/* presumably SE_PRIVILEGE_* bits -- confirm */
160 } smb_luid_attrs_t;
161 
162 /*
163  * An (NT-style) collection of privileges.
164  * See also: smb_privset_xdr()
     *
     * NOTE(review): priv[] is a variable-length tail (ANY_SIZE_ARRAY is
     * defined outside this header) and priv_cnt presumably gives its length.
     * Code that accepts a set from an encoded or remote source should bound
     * priv_cnt before indexing priv[] -- confirm where that check lives.
165  */
166 typedef struct smb_privset {
167 	uint32_t priv_cnt;	/* presumably the number of entries in priv[] */
168 	uint32_t control;	/* presumably PRIVILEGE_SET_* flags -- confirm */
169 	smb_luid_attrs_t priv[ANY_SIZE_ARRAY];
170 } smb_privset_t;
171 
172 /*
173  * These are the possible values for smb_privinfo_t.flags
174  *
175  * PF_PRESENTABLE	Privilege is user visible
176  */
177 #define	PF_PRESENTABLE	0x1
178 
179 /*
180  * Structure for passing privilege name and id information around within
181  * the system. Note that we are only storing the low uint32_t of the LUID;
182  * the high part is always zero here.
183  */
184 typedef struct smb_privinfo {
185 	uint32_t id;		/* low 32 bits of the LUID */
186 	char *name;		/* presumably one of the SE_*_NAME strings */
187 	char *display_name;	/* presumably the human-readable description */
188 	uint16_t flags;		/* PF_* bits */
189 } smb_privinfo_t;
190 
191 smb_privinfo_t *smb_priv_getbyvalue(uint32_t id);
192 smb_privinfo_t *smb_priv_getbyname(char *name);
193 int smb_priv_presentable_num(void);
194 int smb_priv_presentable_ids(uint32_t *ids, int num);	/* presumably num is the capacity of ids[] -- confirm */
195 smb_privset_t *smb_privset_new();	/* NOTE(review): () is not a prototype before C23; (void) enables argument checking */
196 int smb_privset_size();	/* NOTE(review): () is not a prototype before C23; (void) enables argument checking */
197 void smb_privset_init(smb_privset_t *privset);
198 void smb_privset_free(smb_privset_t *privset);
199 void smb_privset_copy(smb_privset_t *dst, smb_privset_t *src);	/* NOTE(review): no size argument; confirm how dst's capacity is guaranteed */
200 void smb_privset_merge(smb_privset_t *dst, smb_privset_t *src);	/* NOTE(review): no size argument; confirm how dst's capacity is guaranteed */
201 void smb_privset_enable(smb_privset_t *privset, uint32_t id);
202 int smb_privset_query(smb_privset_t *privset, uint32_t id);
203 void smb_privset_log(smb_privset_t *privset);
204 
205 #ifdef __cplusplus
206 }
207 #endif
208 
209 #endif /* _SMB_PRIVILEGE_H */
210