xref: /illumos-gate/usr/src/uts/common/sys/secflags.h (revision 8c69cc8fbe729fa7b091e901c4b50508ccc6bb33)
1 /*
2  * This file and its contents are supplied under the terms of the
3  * Common Development and Distribution License ("CDDL"), version 1.0.
4  * You may only use this file in accordance with the terms of version
5  * 1.0 of the CDDL.
6  *
7  * A full copy of the text of the CDDL should have accompanied this
8  * source.  A copy of the CDDL is also available via the Internet at
9  * http://www.illumos.org/license/CDDL.
10  */
11 
12 /* Copyright 2014, Richard Lowe */
13 
14 #ifndef _SYS_SECFLAGS_H
15 #define	_SYS_SECFLAGS_H
16 
17 #ifdef __cplusplus
18 extern "C" {
19 #endif
20 
21 #include <sys/types.h>
22 #include <sys/procset.h>
23 
24 struct proc;
25 typedef uint64_t secflagset_t;
26 
27 typedef struct psecflags {
28 	secflagset_t psf_effective;
29 	secflagset_t psf_inherit;
30 	secflagset_t psf_lower;
31 	secflagset_t psf_upper;
32 } psecflags_t;
33 
34 typedef struct secflagdelta {
35 	secflagset_t psd_add;		/* Flags to add */
36 	secflagset_t psd_rem;		/* Flags to remove */
37 	secflagset_t psd_assign;	/* Flags to assign */
38 	boolean_t psd_ass_active;	/* Need to assign */
39 } secflagdelta_t;
40 
41 typedef enum {
42 	PSF_EFFECTIVE = 0,
43 	PSF_INHERIT,
44 	PSF_LOWER,
45 	PSF_UPPER
46 } psecflagwhich_t;
47 
48 
49 /*
50  * p_secflags codes
51  *
52  * These flags indicate the extra security-related features enabled for a
53  * given process.
54  */
55 typedef enum {
56 	PROC_SEC_ASLR = 0,
57 	PROC_SEC_FORBIDNULLMAP,
58 	PROC_SEC_NOEXECSTACK
59 } secflag_t;
60 
61 extern secflagset_t secflag_to_bit(secflag_t);
62 extern boolean_t secflag_isset(secflagset_t, secflag_t);
63 extern void secflag_clear(secflagset_t *, secflag_t);
64 extern void secflag_set(secflagset_t *, secflag_t);
65 extern boolean_t secflags_isempty(secflagset_t);
66 extern void secflags_zero(secflagset_t *);
67 extern void secflags_fullset(secflagset_t *);
68 extern void secflags_copy(secflagset_t *, const secflagset_t *);
69 extern boolean_t secflags_issubset(secflagset_t, secflagset_t);
70 extern boolean_t secflags_issuperset(secflagset_t, secflagset_t);
71 extern boolean_t secflags_intersection(secflagset_t, secflagset_t);
72 extern void secflags_union(secflagset_t *, const secflagset_t *);
73 extern void secflags_difference(secflagset_t *, const secflagset_t *);
74 extern boolean_t psecflags_validate_delta(const psecflags_t *,
75     const secflagdelta_t *);
76 extern boolean_t psecflags_validate(const psecflags_t *);
77 extern void psecflags_default(psecflags_t *sf);
78 extern const char *secflag_to_str(secflag_t);
79 extern boolean_t secflag_by_name(const char *, secflag_t *);
80 extern void secflags_to_str(secflagset_t, char *, size_t);
81 
82 /* All valid bits */
83 #define	PROC_SEC_MASK	(secflag_to_bit(PROC_SEC_ASLR) |	\
84     secflag_to_bit(PROC_SEC_FORBIDNULLMAP) |			\
85     secflag_to_bit(PROC_SEC_NOEXECSTACK))
86 
87 #if !defined(_KERNEL)
88 extern int secflags_parse(const secflagset_t *, const char *, secflagdelta_t *);
89 extern int psecflags(idtype_t, id_t, psecflagwhich_t, secflagdelta_t *);
90 #endif
91 
92 #if defined(_KERNEL)
93 extern boolean_t secflag_enabled(struct proc *, secflag_t);
94 extern void secflags_promote(struct proc *);
95 extern void secflags_apply_delta(secflagset_t *, const secflagdelta_t *);
96 #endif
97 
98 #ifdef __cplusplus
99 }
100 #endif
101 
102 #endif /* _SYS_SECFLAGS_H */
103