xref: /illumos-gate/usr/src/uts/common/smbsrv/smb_privilege.h (revision 8b80e8cb6855118d46f605e91b5ed4ce83417395) 
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef _SMB_PRIVILEGE_H
27 #define	_SMB_PRIVILEGE_H
28 
29 #pragma ident	"%Z%%M%	%I%	%E% SMI"
30 
31 #include <smbsrv/smb_xdr.h>
32 
33 #ifdef __cplusplus
34 extern "C" {
35 #endif
36 
37 /*
38  * Privileges
39  *
40  * Privileges apply to all objects and over-ride the access controls
41  * in an object's security descriptor in a manner specific to each
42  * privilege. Privileges are still not full defined. Privileges are
43  * defined in a set structure (LUID = Locally Unique Identifier).
44  *
45  * The default LUID, name and display names defined on NT 4.0 are:
46  * LUID Privilege Name                Display Name
47  * ---- --------------                ------------
48  * 0:2  SeCreateTokenPrivilege        Create a token object
49  * 0:3  SeAssignPrimaryTokenPrivilege Replace a process level token
50  * 0:4  SeLockMemoryPrivilege         Lock pages in memory
51  * 0:5  SeIncreaseQuotaPrivilege      Increase quotas
52  * 0:6  SeMachineAccountPrivilege     Add workstations to domain
53  * 0:7  SeTcbPrivilege                Act as part of the operating system
54  * 0:8  SeSecurityPrivilege           Manage auditing and security log
55  * 0:9  SeTakeOwnershipPrivilege      Take ownership of files or other objects
56  * 0:10 SeLoadDriverPrivilege         Load and unload device drivers
57  * 0:11 SeSystemProfilePrivilege      Profile system performance
58  * 0:12 SeSystemtimePrivilege         Change the system time
59  * 0:13 SeProfileSingleProcessPrivilege  Profile single process
60  * 0:14 SeIncreaseBasePriorityPrivilege  Increase scheduling priority
61  * 0:15 SeCreatePagefilePrivilege     Create a pagefile
62  * 0:16 SeCreatePermanentPrivilege    Create permanent shared objects
63  * 0:17 SeBackupPrivilege             Back up files and directories
64  * 0:18 SeRestorePrivilege            Restore files and directories
65  * 0:19 SeShutdownPrivilege           Shut down the system
66  * 0:20 SeDebugPrivilege              Debug programs
67  * 0:21 SeAuditPrivilege              Generate security audits
68  * 0:22 SeSystemEnvironmentPrivilege  Modify firmware environment values
69  * 0:23 SeChangeNotifyPrivilege       Bypass traverse checking
70  * 0:24 SeRemoteShutdownPrivilege     Force shutdown from a remote system
71  */
72 
73 /*
74  * Privilege names
75  */
76 #define	SE_CREATE_TOKEN_NAME		"SeCreateTokenPrivilege"
77 #define	SE_ASSIGNPRIMARYTOKEN_NAME	"SeAssignPrimaryTokenPrivilege"
78 #define	SE_LOCK_MEMORY_NAME		"SeLockMemoryPrivilege"
79 #define	SE_INCREASE_QUOTA_NAME		"SeIncreaseQuotaPrivilege"
80 #define	SE_UNSOLICITED_INPUT_NAME	"SeUnsolicitedInputPrivilege"
81 #define	SE_MACHINE_ACCOUNT_NAME		"SeMachineAccountPrivilege"
82 #define	SE_TCB_NAME			"SeTcbPrivilege"
83 #define	SE_SECURITY_NAME		"SeSecurityPrivilege"
84 #define	SE_TAKE_OWNERSHIP_NAME		"SeTakeOwnershipPrivilege"
85 #define	SE_LOAD_DRIVER_NAME		"SeLoadDriverPrivilege"
86 #define	SE_SYSTEM_PROFILE_NAME		"SeSystemProfilePrivilege"
87 #define	SE_SYSTEMTIME_NAME		"SeSystemtimePrivilege"
88 #define	SE_PROF_SINGLE_PROCESS_NAME	"SeProfileSingleProcessPrivilege"
89 #define	SE_INC_BASE_PRIORITY_NAME	"SeIncreaseBasePriorityPrivilege"
90 #define	SE_CREATE_PAGEFILE_NAME		"SeCreatePagefilePrivilege"
91 #define	SE_CREATE_PERMANENT_NAME	"SeCreatePermanentPrivilege"
92 #define	SE_BACKUP_NAME			"SeBackupPrivilege"
93 #define	SE_RESTORE_NAME			"SeRestorePrivilege"
94 #define	SE_SHUTDOWN_NAME		"SeShutdownPrivilege"
95 #define	SE_DEBUG_NAME			"SeDebugPrivilege"
96 #define	SE_AUDIT_NAME			"SeAuditPrivilege"
97 #define	SE_SYSTEM_ENVIRONMENT_NAME	"SeSystemEnvironmentPrivilege"
98 #define	SE_CHANGE_NOTIFY_NAME		"SeChangeNotifyPrivilege"
99 #define	SE_REMOTE_SHUTDOWN_NAME		"SeRemoteShutdownPrivilege"
100 
101 #define	SE_MIN_LUID			2
102 #define	SE_CREATE_TOKEN_LUID		2
103 #define	SE_ASSIGNPRIMARYTOKEN_LUID	3
104 #define	SE_LOCK_MEMORY_LUID		4
105 #define	SE_INCREASE_QUOTA_LUID		5
106 #define	SE_MACHINE_ACCOUNT_LUID		6
107 #define	SE_TCB_LUID			7
108 #define	SE_SECURITY_LUID		8
109 #define	SE_TAKE_OWNERSHIP_LUID		9
110 #define	SE_LOAD_DRIVER_LUID		10
111 #define	SE_SYSTEM_PROFILE_LUID		11
112 #define	SE_SYSTEMTIME_LUID		12
113 #define	SE_PROF_SINGLE_PROCESS_LUID	13
114 #define	SE_INC_BASE_PRIORITY_LUID	14
115 #define	SE_CREATE_PAGEFILE_LUID		15
116 #define	SE_CREATE_PERMANENT_LUID	16
117 #define	SE_BACKUP_LUID			17
118 #define	SE_RESTORE_LUID			18
119 #define	SE_SHUTDOWN_LUID		19
120 #define	SE_DEBUG_LUID			20
121 #define	SE_AUDIT_LUID			21
122 #define	SE_SYSTEM_ENVIRONMENT_LUID	22
123 #define	SE_CHANGE_NOTIFY_LUID		23
124 #define	SE_REMOTE_SHUTDOWN_LUID		24
125 #define	SE_MAX_LUID			24
126 
127 /*
128  * Privilege attributes
129  */
130 #define	SE_PRIVILEGE_DISABLED			0x00000000
131 #define	SE_PRIVILEGE_ENABLED_BY_DEFAULT		0x00000001
132 #define	SE_PRIVILEGE_ENABLED			0x00000002
133 #define	SE_PRIVILEGE_USED_FOR_ACCESS		0x80000000
134 
135 /*
136  * Privilege Set Control flags
137  */
138 #define	PRIVILEGE_SET_ALL_NECESSARY		1
139 
140 typedef struct smb_luid {
141 	uint32_t lo_part;
142 	uint32_t hi_part;
143 } smb_luid_t;
144 
145 
146 typedef struct smb_luid_attrs {
147 	smb_luid_t luid;
148 	uint32_t attrs;
149 } smb_luid_attrs_t;
150 
151 
152 typedef struct smb_privset {
153 	uint32_t priv_cnt;
154 	uint32_t control;
155 	smb_luid_attrs_t priv[ANY_SIZE_ARRAY];
156 } smb_privset_t;
157 
158 /*
159  * These are possible value for smb_privinfo_t.flags
160  *
161  * PF_PRESENTABLE	Privilege is user visible
162  */
163 #define	PF_PRESENTABLE	0x1
164 
165 /*
166  * Structure for passing privilege name and id information around within
167  * the system. Note that we are only storing the low uint32_t of the LUID;
168  * the high part is always zero here.
169  */
170 typedef struct smb_privinfo {
171 	uint32_t id;
172 	char *name;
173 	char *display_name;
174 	uint16_t flags;
175 } smb_privinfo_t;
176 
177 smb_privinfo_t *smb_priv_getbyvalue(uint32_t id);
178 smb_privinfo_t *smb_priv_getbyname(char *name);
179 int smb_priv_presentable_num(void);
180 int smb_priv_presentable_ids(uint32_t *ids, int num);
181 smb_privset_t *smb_privset_new();
182 int smb_privset_size();
183 void smb_privset_init(smb_privset_t *privset);
184 void smb_privset_free(smb_privset_t *privset);
185 void smb_privset_copy(smb_privset_t *dst, smb_privset_t *src);
186 void smb_privset_merge(smb_privset_t *dst, smb_privset_t *src);
187 void smb_privset_enable(smb_privset_t *privset, uint32_t id);
188 int smb_privset_query(smb_privset_t *privset, uint32_t id);
189 void smb_privset_log(smb_privset_t *privset);
190 
191 /* XDR routines */
192 extern bool_t xdr_smb_luid_t();
193 extern bool_t xdr_smb_luid_attrs_t();
194 extern bool_t xdr_smb_privset_t();
195 
196 #ifdef __cplusplus
197 }
198 #endif
199 
200 #endif /* _SMB_PRIVILEGE_H */
201