/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef _UAPI_LINUX_SECUREBITS_H
#define _UAPI_LINUX_SECUREBITS_H

/* Each securesetting is implemented using two bits. One bit specifies
   whether the setting is on or off. The other bit specifies whether the
   setting is locked or not. A setting which is locked cannot be
   changed from user-level.

   Layout used below: the value bit of a setting sits at an even index
   N (0, 2, 4, 6) and its lock bit at N + 1. A value bit whose lock bit
   is clear is not covered by the "cannot be changed" rule above, so a
   hardening setup that needs a setting to stick has to set both bits.

   NOTE(review): the calls that read and write these bits (prctl(2)
   PR_GET_SECUREBITS / PR_SET_SECUREBITS, per capabilities(7)) and the
   privilege they require are not defined in this header - confirm
   against the kernel source before relying on them. */

/* Turn a bit index X into its single-bit mask. The literal 1 is a
   signed int, so X must stay below the sign bit of int; every index
   defined in this file is in the range 0..7. */
#define issecure_mask(X) (1 << (X))

/* All bits clear: no setting is switched on and none is locked. */
#define SECUREBITS_DEFAULT 0x00000000

/* When set, UID 0 has no special privileges. When unset, we support
   inheritance of root-permissions and suid-root executables under
   compatibility mode. We raise the effective and inheritable bitmasks
   *of the executable file* if the effective uid of the new process is
   0. If the real uid is 0, we raise the effective (legacy) bit of the
   executable file. */
#define SECURE_NOROOT 0
#define SECURE_NOROOT_LOCKED 1 /* make bit-0 immutable */

#define SECBIT_NOROOT (issecure_mask(SECURE_NOROOT))
#define SECBIT_NOROOT_LOCKED (issecure_mask(SECURE_NOROOT_LOCKED))

/* When set, setuid to/from uid 0 does not trigger capability-"fixup".
   When unset, to provide compatibility with old programs relying on
   set*uid to gain/lose privilege, transitions to/from uid 0 cause
   capabilities to be gained/lost. */
#define SECURE_NO_SETUID_FIXUP 2
#define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */

#define SECBIT_NO_SETUID_FIXUP (issecure_mask(SECURE_NO_SETUID_FIXUP))
#define SECBIT_NO_SETUID_FIXUP_LOCKED \
                        (issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED))

/* When set, a process can retain its capabilities even after
   transitioning to a non-root user (the set-uid fixup suppressed by
   bit 2). Bit-4 is cleared when a process calls exec(); setting both
   bit 4 and 5 will create a barrier through exec so that no exec()'d
   child can use this feature again. */
#define SECURE_KEEP_CAPS 4
#define SECURE_KEEP_CAPS_LOCKED 5 /* make bit-4 immutable */

#define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS))
#define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED))

/* When set, a process cannot add new capabilities to its ambient set. */
#define SECURE_NO_CAP_AMBIENT_RAISE 6
#define SECURE_NO_CAP_AMBIENT_RAISE_LOCKED 7 /* make bit-6 immutable */

#define SECBIT_NO_CAP_AMBIENT_RAISE (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE))
#define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED \
                        (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED))

/* SECURE_ALL_BITS is the OR of the four value bits (indices 0, 2, 4
   and 6, i.e. 0x55). SECURE_ALL_LOCKS shifts that mask left by one and
   so selects the four matching lock bits (indices 1, 3, 5 and 7, i.e.
   0xaa). The shift is only correct while every lock bit directly
   follows its value bit; a new setting has to keep that pairing and be
   added to SECURE_ALL_BITS. */
#define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \
                         issecure_mask(SECURE_NO_SETUID_FIXUP) | \
                         issecure_mask(SECURE_KEEP_CAPS) | \
                         issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE))
#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)

#endif /* _UAPI_LINUX_SECUREBITS_H */