/* @(#)priv.h 1.5 13/05/28 Copyright 2009-2013 J. Schilling */ /* * Abstraction code for fine grained process privileges * * Copyright (c) 2009-2013 J. Schilling */ /* * The contents of this file are subject to the terms of the * Common Development and Distribution License, Version 1.0 only * (the "License"). You may not use this file except in compliance * with the License. * * See the file CDDL.Schily.txt in this distribution for details. * A copy of the CDDL is also available via the Internet at * http://www.opensource.org/licenses/cddl1.txt * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file CDDL.Schily.txt from this distribution. */ #ifndef _SCHILY_PRIV_H #define _SCHILY_PRIV_H #ifndef _SCHILY_MCONFIG_H #include #endif /* * The Solaris process privileges interface. */ #if defined(HAVE_PRIV_H) && \ defined(HAVE_GETPPRIV) && defined(HAVE_SETPPRIV) && \ defined(HAVE_PRIV_SET) #define HAVE_SOLARIS_PPRIV #endif #ifdef NO_SOLARIS_PPRIV #undef HAVE_SOLARIS_PPRIV #endif #ifdef HAVE_SOLARIS_PPRIV #ifndef _INCL_PRIV_H #define _INCL_PRIV_H #include #endif #endif /* * AIX implements an incompatible process privileges interface. * On AIX, we have sys/priv.h, getppriv(), setppriv() but no priv_set(). */ #if defined(HAVE_SYS_PRIV_H) && \ defined(HAVE_GETPPRIV) && defined(HAVE_SETPPRIV) && \ defined(HAVE_PRIVBIT_SET) #define HAVE_AIX_PPRIV #endif #ifdef NO_AIX_PPRIV #undef HAVE_AIX_PPRIV #endif #ifdef HAVE_AIX_PPRIV #ifndef _INCL_SYS_PRIV_H #define _INCL_SYS_PRIV_H #include #endif #endif /* * The POSIX.1e draft has been withdrawn in 1997. * Linux started to implement this outdated concept in 1997. * On Linux, we have sys/capability.h, cap_get_proc(), cap_set_proc(), * cap_set_flag() cap_clear_flag() */ #if defined(HAVE_SYS_CAPABILITY_H) && \ defined(HAVE_CAP_GET_PROC) && defined(HAVE_CAP_SET_PROC) && \ defined(HAVE_CAP_SET_FLAG) && defined(HAVE_CAP_CLEAR_FLAG) #define HAVE_LINUX_CAPS #endif #ifdef NO_LINUX_CAPS #undef HAVE_LINUX_CAPS #endif #ifdef HAVE_LINUX_CAPS #ifndef _INCL_SYS_CAPABILITY_H #define _INCL_SYS_CAPABILITY_H #include #endif #endif /* * Privileges abstraction layer definitions */ #define SCHILY_PRIV_FILE_CHOWN 10 /* Allow to chown any file */ #define SCHILY_PRIV_FILE_CHOWN_SELF 11 /* Allow to chown own files */ #define SCHILY_PRIV_FILE_DAC_EXECUTE 12 /* Overwrite execute permission */ #define SCHILY_PRIV_FILE_DAC_READ 13 /* Overwrite read permission */ #define SCHILY_PRIV_FILE_DAC_SEARCH 14 /* Overwrite dir search permission */ #define SCHILY_PRIV_FILE_DAC_WRITE 15 /* Overwrite write permission */ #define SCHILY_PRIV_FILE_DOWNGRADE_SL 16 /* Downgrade sensivity label */ #define SCHILY_PRIV_FILE_LINK_ANY 17 /* Hard-link files not owned */ #define SCHILY_PRIV_FILE_OWNER 18 /* Allow chmod ... to unowned files */ #define SCHILY_PRIV_FILE_SETID 19 /* Allow chown or suid/sgid without being owner */ #define SCHILY_PRIV_FILE_UPGRADE_SL 20 /* Upgrade sensivity label */ #define SCHILY_PRIV_FILE_FLAG_SET 22 /* Allow set file attributes as "immutable" */ #define SCHILY_PRIV_IPC_DAC_READ 40 /* Overwrite read permission */ #define SCHILY_PRIV_IPC_DAC_WRITE 41 /* Overwrite write permission */ #define SCHILY_PRIV_IPC_OWNER 42 /* Allow chmod ... to unowned files */ #define SCHILY_PRIV_NET_BINDMLP 50 /* Allow to bind multi-level ports */ #define SCHILY_PRIV_NET_ICMPACCESS 51 /* Allow to send/receive ICMP packets */ #define SCHILY_PRIV_NET_MAC_AWARE 52 /* Allow to set NET_MAC_AWARE flag */ #define SCHILY_PRIV_NET_OBSERVABILITY 53 /* Allow tp access network device for receiving traffic */ #define SCHILY_PRIV_NET_PRIVADDR 54 /* Allow to bind priv ports */ #define SCHILY_PRIV_NET_RAWACCESS 55 /* Allow raw network access */ #define SCHILY_PRIV_PROC_AUDIT 60 /* Allow to create audit records */ #define SCHILY_PRIV_PROC_CHROOT 61 /* Allow chroot */ #define SCHILY_PRIV_PROC_CLOCK_HIGHRES 62 /* Allow to use high resulution timers */ #define SCHILY_PRIV_PROC_EXEC 63 /* Allow to call exec*() */ #define SCHILY_PRIV_PROC_FORK 64 /* Allow to call fork*()/vfork*() */ #define SCHILY_PRIV_PROC_INFO 65 /* Allow to examine /proc status without sendsig priv */ #define SCHILY_PRIV_PROC_LOCK_MEMORY 66 /* Allow to lock pages into physical memory */ #define SCHILY_PRIV_PROC_OWNER 67 /* Allow sendsig and /proc to other procs */ #define SCHILY_PRIV_PROC_PRIOCNTL 68 /* Allow to send sognals or trace outside session */ #define SCHILY_PRIV_PROC_SESSION 68 /* Allow to send sognals or trace outside session */ #define SCHILY_PRIV_PROC_SETID 69 /* Allow set proc's UID/GID */ #define SCHILY_PRIV_SYS_ACCT 80 /* Allow process accounting */ #define SCHILY_PRIV_SYS_ADMIN 81 /* Allow system administration */ #define SCHILY_PRIV_SYS_AUDIT 82 /* Allow so start kernel auditing */ #define SCHILY_PRIV_SYS_CONFIG 83 /* Allow various system config tasks */ #define SCHILY_PRIV_SYS_DEVICES 84 /* Allow device specific stuff */ #define SCHILY_PRIV_SYS_DL_CONFIG 85 /* Allow tp configure datalink interfaces */ #define SCHILY_PRIV_SYS_IP_CONFIG 86 /* Allow to configure IP interfaces */ #define SCHILY_PRIV_SYS_LINKDIR 87 /* Allow to link/unlink directories */ #define SCHILY_PRIV_SYS_MOUNT 88 /* Allow file-system administration */ #define SCHILY_PRIV_SYS_NET_CONFIG 89 /* Allow to configure the network */ #define SCHILY_PRIV_SYS_NFS 90 /* Allow to configure NFS */ #define SCHILY_PRIV_SYS_PPP_CONFIG 91 /* Allow to configure PPP */ #define SCHILY_PRIV_SYS_RES_CONFIG 92 /* Allow to configure system resources */ #define SCHILY_PRIV_SYS_RESOURCE 93 /* Allow setrlimit */ #define SCHILY_PRIV_SYS_SMB 94 /* Allow to configure SMB */ #define SCHILY_PRIV_SYS_SUSER_COMPAT 95 /* Allow to load modules that call suser() */ #define SCHILY_PRIV_SYS_TIME 96 /* Allow to set time */ #define SCHILY_PRIV_SYS_TRANS_LABEL 97 /* Allow to translate labels in trusted extensions */ #endif /* _SCHILY_PRIV_H */