xref: /illumos-gate/usr/src/uts/common/smbsrv/smb_privilege.h (revision bb57d1f5164aca913cbd286ae1b61c896167cfa7) 
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef _SMB_PRIVILEGE_H
27 #define	_SMB_PRIVILEGE_H
28 
29 #pragma ident	"%Z%%M%	%I%	%E% SMI"
30 
31 #include <smbsrv/smb_xdr.h>
32 
33 #ifdef __cplusplus
34 extern "C" {
35 #endif
36 
37 /*
38  * Privileges
39  *
40  * Privileges apply to all objects and over-ride the access controls
41  * in an object's security descriptor in a manner specific to each
42  * privilege. Privileges are still not full defined. Privileges are
43  * defined in a set structure (LUID = Locally Unique Identifier).
44  *
45  * The default LUID, name and display names defined on NT 4.0 are:
46  * LUID Privilege Name                Display Name
47  * ---- --------------                ------------
48  * 0:2  SeCreateTokenPrivilege        Create a token object
49  * 0:3  SeAssignPrimaryTokenPrivilege Replace a process level token
50  * 0:4  SeLockMemoryPrivilege         Lock pages in memory
51  * 0:5  SeIncreaseQuotaPrivilege      Increase quotas
52  * 0:6  SeMachineAccountPrivilege     Add workstations to domain
53  * 0:7  SeTcbPrivilege                Act as part of the operating system
54  * 0:8  SeSecurityPrivilege           Manage auditing and security log
55  * 0:9  SeTakeOwnershipPrivilege      Take ownership of files or other objects
56  * 0:10 SeLoadDriverPrivilege         Load and unload device drivers
57  * 0:11 SeSystemProfilePrivilege      Profile system performance
58  * 0:12 SeSystemtimePrivilege         Change the system time
59  * 0:13 SeProfileSingleProcessPrivilege  Profile single process
60  * 0:14 SeIncreaseBasePriorityPrivilege  Increase scheduling priority
61  * 0:15 SeCreatePagefilePrivilege     Create a pagefile
62  * 0:16 SeCreatePermanentPrivilege    Create permanent shared objects
63  * 0:17 SeBackupPrivilege             Back up files and directories
64  * 0:18 SeRestorePrivilege            Restore files and directories
65  * 0:19 SeShutdownPrivilege           Shut down the system
66  * 0:20 SeDebugPrivilege              Debug programs
67  * 0:21 SeAuditPrivilege              Generate security audits
68  * 0:22 SeSystemEnvironmentPrivilege  Modify firmware environment values
69  * 0:23 SeChangeNotifyPrivilege       Bypass traverse checking
70  * 0:24 SeRemoteShutdownPrivilege     Force shutdown from a remote system
71  */
72 
73 /*
74  * Privilege names
75  */
76 #define	SE_CREATE_TOKEN_NAME		"SeCreateTokenPrivilege"
77 #define	SE_ASSIGNPRIMARYTOKEN_NAME	"SeAssignPrimaryTokenPrivilege"
78 #define	SE_LOCK_MEMORY_NAME		"SeLockMemoryPrivilege"
79 #define	SE_INCREASE_QUOTA_NAME		"SeIncreaseQuotaPrivilege"
80 #define	SE_UNSOLICITED_INPUT_NAME	"SeUnsolicitedInputPrivilege"
81 #define	SE_MACHINE_ACCOUNT_NAME		"SeMachineAccountPrivilege"
82 #define	SE_TCB_NAME			"SeTcbPrivilege"
83 #define	SE_SECURITY_NAME		"SeSecurityPrivilege"
84 #define	SE_TAKE_OWNERSHIP_NAME		"SeTakeOwnershipPrivilege"
85 #define	SE_LOAD_DRIVER_NAME		"SeLoadDriverPrivilege"
86 #define	SE_SYSTEM_PROFILE_NAME		"SeSystemProfilePrivilege"
87 #define	SE_SYSTEMTIME_NAME		"SeSystemtimePrivilege"
88 #define	SE_PROF_SINGLE_PROCESS_NAME	"SeProfileSingleProcessPrivilege"
89 #define	SE_INC_BASE_PRIORITY_NAME	"SeIncreaseBasePriorityPrivilege"
90 #define	SE_CREATE_PAGEFILE_NAME		"SeCreatePagefilePrivilege"
91 #define	SE_CREATE_PERMANENT_NAME	"SeCreatePermanentPrivilege"
92 #define	SE_BACKUP_NAME			"SeBackupPrivilege"
93 #define	SE_RESTORE_NAME			"SeRestorePrivilege"
94 #define	SE_SHUTDOWN_NAME		"SeShutdownPrivilege"
95 #define	SE_DEBUG_NAME			"SeDebugPrivilege"
96 #define	SE_AUDIT_NAME			"SeAuditPrivilege"
97 #define	SE_SYSTEM_ENVIRONMENT_NAME	"SeSystemEnvironmentPrivilege"
98 #define	SE_CHANGE_NOTIFY_NAME		"SeChangeNotifyPrivilege"
99 #define	SE_REMOTE_SHUTDOWN_NAME		"SeRemoteShutdownPrivilege"
100 
101 #define	SE_CREATE_TOKEN_LUID		2
102 #define	SE_ASSIGNPRIMARYTOKEN_LUID	3
103 #define	SE_LOCK_MEMORY_LUID		4
104 #define	SE_INCREASE_QUOTA_LUID		5
105 #define	SE_MACHINE_ACCOUNT_LUID		6
106 #define	SE_TCB_LUID			7
107 #define	SE_SECURITY_LUID		8
108 #define	SE_TAKE_OWNERSHIP_LUID		9
109 #define	SE_LOAD_DRIVER_LUID		10
110 #define	SE_SYSTEM_PROFILE_LUID		11
111 #define	SE_SYSTEMTIME_LUID		12
112 #define	SE_PROF_SINGLE_PROCESS_LUID	13
113 #define	SE_INC_BASE_PRIORITY_LUID	14
114 #define	SE_CREATE_PAGEFILE_LUID		15
115 #define	SE_CREATE_PERMANENT_LUID	16
116 #define	SE_BACKUP_LUID			17
117 #define	SE_RESTORE_LUID			18
118 #define	SE_SHUTDOWN_LUID		19
119 #define	SE_DEBUG_LUID			20
120 #define	SE_AUDIT_LUID			21
121 #define	SE_SYSTEM_ENVIRONMENT_LUID	22
122 #define	SE_CHANGE_NOTIFY_LUID		23
123 #define	SE_REMOTE_SHUTDOWN_LUID		24
124 
125 /*
126  * Privilege attributes
127  */
128 #define	SE_PRIVILEGE_DISABLED			0x00000000
129 #define	SE_PRIVILEGE_ENABLED_BY_DEFAULT		0x00000001
130 #define	SE_PRIVILEGE_ENABLED			0x00000002
131 #define	SE_PRIVILEGE_USED_FOR_ACCESS		0x80000000
132 
133 /*
134  * Privilege Set Control flags
135  */
136 #define	PRIVILEGE_SET_ALL_NECESSARY		1
137 
138 typedef struct smb_luid {
139 	uint32_t lo_part;
140 	uint32_t hi_part;
141 } smb_luid_t;
142 
143 
144 typedef struct smb_luid_attrs {
145 	smb_luid_t luid;
146 	uint32_t attrs;
147 } smb_luid_attrs_t;
148 
149 
150 typedef struct smb_privset {
151 	uint32_t priv_cnt;
152 	uint32_t control;
153 	smb_luid_attrs_t priv[ANY_SIZE_ARRAY];
154 } smb_privset_t;
155 
156 /*
157  * These are possible value for smb_privinfo_t.flags
158  *
159  * PF_PRESENTABLE	Privilege is user visible
160  */
161 #define	PF_PRESENTABLE	0x1
162 
163 /*
164  * Structure for passing privilege name and id information around within
165  * the system. Note that we are only storing the low uint32_t of the LUID;
166  * the high part is always zero here.
167  */
168 typedef struct smb_privinfo {
169 	uint32_t id;
170 	char *name;
171 	char *display_name;
172 	uint16_t flags;
173 } smb_privinfo_t;
174 
175 smb_privinfo_t *smb_priv_getbyvalue(uint32_t id);
176 smb_privinfo_t *smb_priv_getbyname(char *name);
177 int smb_priv_presentable_num(void);
178 int smb_priv_presentable_ids(uint32_t *ids, int num);
179 smb_privset_t *smb_privset_new();
180 int smb_privset_size();
181 void smb_privset_init(smb_privset_t *privset);
182 void smb_privset_free(smb_privset_t *privset);
183 void smb_privset_copy(smb_privset_t *dst, smb_privset_t *src);
184 void smb_privset_enable(smb_privset_t *privset, uint32_t id);
185 int smb_privset_query(smb_privset_t *privset, uint32_t id);
186 void smb_privset_log(smb_privset_t *privset);
187 
188 /* XDR routines */
189 extern bool_t xdr_smb_luid_t();
190 extern bool_t xdr_smb_luid_attrs_t();
191 extern bool_t xdr_smb_privset_t();
192 
193 #ifdef __cplusplus
194 }
195 #endif
196 
197 #endif /* _SMB_PRIVILEGE_H */
198