/* $NetBSD: kauth.h,v 1.89 2023/01/05 18:29:45 jakllsch Exp $ */

/*-
 * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This is based on Apple TN2127, available online at
 * http://developer.apple.com/technotes/tn2005/tn2127.html
 */

/*
 * Kernel authorization interface: scope names, the action and sub-action
 * identifiers of each scope, listener result codes, and the prototypes
 * for authorization requests and credential handling.
 */

#ifndef _SYS_KAUTH_H_
#define _SYS_KAUTH_H_

#include <secmodel/secmodel.h> /* for secmodel_t type */
#include <sys/stat.h> /* for modes */

struct uucred;
struct ki_ucred;
struct ki_pcred;
struct proc;
struct tty;
struct vnode;
struct cwdinfo;

enum uio_seg;

/*
 * Types.
 *
 * kauth_cred_t is used throughout this file but is not defined in it.
 *
 * kauth_action_t is 64 bits wide.  The vnode scope below uses it as a bit
 * mask and defines a bit above 31 (KAUTH_VNODE_ADD_LINK is 1ULL << 32), so
 * an action value must not be stored in, or passed through, an int.
 *
 * kauth_scope_callback_t receives the credential, the action and five
 * void * values; presumably the first is the cookie given at registration
 * and the other four are the request arguments -- confirm in kauth(9).
 */
typedef struct kauth_scope *kauth_scope_t;
typedef struct kauth_listener *kauth_listener_t;
typedef uint64_t kauth_action_t;
typedef int (*kauth_scope_callback_t)(kauth_cred_t, kauth_action_t,
    void *, void *, void *, void *, void *);
typedef struct kauth_key *kauth_key_t;

#ifdef __KAUTH_PRIVATE /* For the debugger */

#include <sys/types.h>
#include <sys/specificdata.h>

/*
 * Credentials.
 *
 * A subset of this structure is used in kvm(3) (src/lib/libkvm/kvm_proc.c)
 * and should be synchronized with this structure when the update is
 * relevant.
 *
 * NOTE(review): the layout is visible only when __KAUTH_PRIVATE is
 * defined; other code presumably goes through the kauth_cred_get and
 * kauth_cred_set accessors declared below instead of touching the fields.
 */
struct kauth_cred {
	/*
	 * Ensure that the first part of the credential resides in its own
	 * cache line.  Due to sharing there aren't many kauth_creds in a
	 * typical system, but the reference counts change very often.
	 * Keeping it separate from the rest of the data prevents false
	 * sharing between CPUs.
	 */
	u_int cr_refcnt;		/* reference count */
	/* Pads cr_refcnt to COHERENCY_UNIT bytes; the 4 presumably stands
	 * for sizeof(u_int) -- confirm. */
#if COHERENCY_UNIT > 4
	uint8_t cr_pad[COHERENCY_UNIT - 4];
#endif
	uid_t cr_uid;			/* user id */
	uid_t cr_euid;			/* effective user id */
	uid_t cr_svuid;			/* saved effective user id */
	gid_t cr_gid;			/* group id */
	gid_t cr_egid;			/* effective group id */
	gid_t cr_svgid;			/* saved effective group id */
	/*
	 * cr_groups has a fixed capacity of NGROUPS entries.  Presumably
	 * only the first cr_ngroups entries are valid, in which case
	 * cr_ngroups must never exceed NGROUPS -- verify in the code that
	 * sets it.
	 */
	u_int cr_ngroups;		/* number of groups */
	gid_t cr_groups[NGROUPS];	/* group memberships */
	specificdata_reference cr_sd;	/* specific data */
};

#endif

/*
 * Possible return values for a listener.
 *
 * KAUTH_RESULT_ALLOW is 0, so a result variable that is zero-initialised,
 * or a listener that ends with a plain "return 0", yields ALLOW.  A
 * listener should start from KAUTH_RESULT_DEFER (or DENY) and set ALLOW
 * only on the path that has positively checked the request.
 *
 * NOTE(review): how the results of several listeners are combined, and how
 * they map onto the int returned by the kauth_authorize_ functions below,
 * is not visible in this header -- see kauth(9).
 */
#define	KAUTH_RESULT_ALLOW	0	/* allow access */
#define	KAUTH_RESULT_DENY	1	/* deny access */
#define	KAUTH_RESULT_DEFER	2	/* let others decide */

/*
 * Scopes.
 *
 * Scope names are plain strings; kauth_register_scope() and
 * kauth_listen_scope() below take a const char *, presumably one of these.
 */
#define	KAUTH_SCOPE_GENERIC	"org.netbsd.kauth.generic"
#define	KAUTH_SCOPE_SYSTEM	"org.netbsd.kauth.system"
#define	KAUTH_SCOPE_PROCESS	"org.netbsd.kauth.process"
#define	KAUTH_SCOPE_NETWORK	"org.netbsd.kauth.network"
#define	KAUTH_SCOPE_MACHDEP	"org.netbsd.kauth.machdep"
#define	KAUTH_SCOPE_DEVICE	"org.netbsd.kauth.device"
#define	KAUTH_SCOPE_CRED	"org.netbsd.kauth.cred"
#define	KAUTH_SCOPE_VNODE	"org.netbsd.kauth.vnode"

/*
 * Generic scope - actions.
 *
 * Every action and sub-action enum in this file starts at 1 and relies on
 * implicit numbering, so 0 never names an action, and inserting or
 * reordering an entry renumbers every entry after it.  NOTE(review): code
 * built against the old numbering (presumably including secmodel modules)
 * would then test the wrong action; new entries belong at the end.
 */
enum {
	KAUTH_GENERIC_UNUSED1=1,
	KAUTH_GENERIC_ISSUSER,
};

/*
 * System scope - actions.
 */
enum {
	KAUTH_SYSTEM_ACCOUNTING=1,
	KAUTH_SYSTEM_CHROOT,
	KAUTH_SYSTEM_CHSYSFLAGS,
	KAUTH_SYSTEM_CPU,
	KAUTH_SYSTEM_DEBUG,
	KAUTH_SYSTEM_FILEHANDLE,
	KAUTH_SYSTEM_MKNOD,
	KAUTH_SYSTEM_MOUNT,
	KAUTH_SYSTEM_PSET,
	KAUTH_SYSTEM_REBOOT,
	KAUTH_SYSTEM_SETIDCORE,
	KAUTH_SYSTEM_SWAPCTL,
	KAUTH_SYSTEM_SYSCTL,
	KAUTH_SYSTEM_TIME,
	KAUTH_SYSTEM_MODULE,
	KAUTH_SYSTEM_FS_RESERVEDSPACE,
	KAUTH_SYSTEM_FS_QUOTA,
	KAUTH_SYSTEM_SEMAPHORE,
	KAUTH_SYSTEM_SYSVIPC,
	KAUTH_SYSTEM_MQUEUE,
	KAUTH_SYSTEM_VERIEXEC,
	KAUTH_SYSTEM_DEVMAPPER,
	KAUTH_SYSTEM_MAP_VA_ZERO,
	KAUTH_SYSTEM_LFS,
	KAUTH_SYSTEM_FS_EXTATTR,
	KAUTH_SYSTEM_FS_SNAPSHOT,
	KAUTH_SYSTEM_INTR,
	KAUTH_SYSTEM_KERNADDR,
};

/*
 * System scope - sub-actions.
 *
 * This is the type of the third parameter of kauth_authorize_system().
 * Entries are not grouped by action throughout (the MOUNT_UMAP and
 * MOUNT_DEVICE entries follow the LFS ones), so the action a sub-action
 * belongs to has to be read from its name, not from its position.
 */
enum kauth_system_req {
	KAUTH_REQ_SYSTEM_CHROOT_CHROOT=1,
	KAUTH_REQ_SYSTEM_CHROOT_FCHROOT,
	KAUTH_REQ_SYSTEM_CPU_SETSTATE,
	KAUTH_REQ_SYSTEM_MOUNT_GET,
	KAUTH_REQ_SYSTEM_MOUNT_NEW,
	KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT,
	KAUTH_REQ_SYSTEM_MOUNT_UPDATE,
	KAUTH_REQ_SYSTEM_PSET_ASSIGN,
	KAUTH_REQ_SYSTEM_PSET_BIND,
	KAUTH_REQ_SYSTEM_PSET_CREATE,
	KAUTH_REQ_SYSTEM_PSET_DESTROY,
	KAUTH_REQ_SYSTEM_SYSCTL_ADD,
	KAUTH_REQ_SYSTEM_SYSCTL_DELETE,
	KAUTH_REQ_SYSTEM_SYSCTL_DESC,
	KAUTH_REQ_SYSTEM_SYSCTL_MODIFY,
	KAUTH_REQ_SYSTEM_SYSCTL_PRVT,
	KAUTH_REQ_SYSTEM_TIME_ADJTIME,
	KAUTH_REQ_SYSTEM_TIME_NTPADJTIME,
	KAUTH_REQ_SYSTEM_TIME_RTCOFFSET,
	KAUTH_REQ_SYSTEM_TIME_SYSTEM,
	KAUTH_REQ_SYSTEM_TIME_TIMECOUNTERS,
	KAUTH_REQ_SYSTEM_FS_QUOTA_GET,
	KAUTH_REQ_SYSTEM_FS_QUOTA_MANAGE,
	KAUTH_REQ_SYSTEM_FS_QUOTA_NOLIMIT,
	KAUTH_REQ_SYSTEM_FS_QUOTA_ONOFF,
	KAUTH_REQ_SYSTEM_SYSVIPC_BYPASS,
	KAUTH_REQ_SYSTEM_SYSVIPC_SHM_LOCK,
	KAUTH_REQ_SYSTEM_SYSVIPC_SHM_UNLOCK,
	KAUTH_REQ_SYSTEM_SYSVIPC_MSGQ_OVERSIZE,
	KAUTH_REQ_SYSTEM_VERIEXEC_ACCESS,
	KAUTH_REQ_SYSTEM_VERIEXEC_MODIFY,
	KAUTH_REQ_SYSTEM_LFS_MARKV,
	KAUTH_REQ_SYSTEM_LFS_BMAPV,
	KAUTH_REQ_SYSTEM_LFS_SEGCLEAN,
	KAUTH_REQ_SYSTEM_LFS_SEGWAIT,
	KAUTH_REQ_SYSTEM_LFS_FCNTL,
	KAUTH_REQ_SYSTEM_MOUNT_UMAP,
	KAUTH_REQ_SYSTEM_MOUNT_DEVICE,
	KAUTH_REQ_SYSTEM_INTR_AFFINITY,
};

/*
 * Process scope - actions.
 */
enum {
	KAUTH_PROCESS_CANSEE=1,
	KAUTH_PROCESS_CORENAME,
	KAUTH_PROCESS_FORK,
	KAUTH_PROCESS_KEVENT_FILTER,
	KAUTH_PROCESS_KTRACE,
	KAUTH_PROCESS_NICE,
	KAUTH_PROCESS_PROCFS,
	KAUTH_PROCESS_PTRACE,
	KAUTH_PROCESS_RLIMIT,
	KAUTH_PROCESS_SCHEDULER_GETAFFINITY,
	KAUTH_PROCESS_SCHEDULER_SETAFFINITY,
	KAUTH_PROCESS_SCHEDULER_GETPARAM,
	KAUTH_PROCESS_SCHEDULER_SETPARAM,
	KAUTH_PROCESS_SETID,
	KAUTH_PROCESS_SIGNAL,
	KAUTH_PROCESS_STOPFLAG
};

/*
 * Process scope - sub-actions.
 *
 * kauth_authorize_process() has no parameter of this enum type, only
 * void * arguments; presumably the sub-action is passed in one of them
 * via KAUTH_ARG() -- confirm against the callers.
 */
enum kauth_process_req {
	KAUTH_REQ_PROCESS_CANSEE_ARGS=1,
	KAUTH_REQ_PROCESS_CANSEE_ENTRY,
	KAUTH_REQ_PROCESS_CANSEE_ENV,
	KAUTH_REQ_PROCESS_CANSEE_OPENFILES,
	KAUTH_REQ_PROCESS_CORENAME_GET,
	KAUTH_REQ_PROCESS_CORENAME_SET,
	KAUTH_REQ_PROCESS_KTRACE_PERSISTENT,
	KAUTH_REQ_PROCESS_PROCFS_READ,
	KAUTH_REQ_PROCESS_PROCFS_RW,
	KAUTH_REQ_PROCESS_PROCFS_WRITE,
	KAUTH_REQ_PROCESS_RLIMIT_GET,
	KAUTH_REQ_PROCESS_RLIMIT_SET,
	KAUTH_REQ_PROCESS_RLIMIT_BYPASS,
	KAUTH_REQ_PROCESS_CANSEE_EPROC,
	KAUTH_REQ_PROCESS_CANSEE_KPTR
};

/*
 * Network scope - actions.
 */
enum {
	KAUTH_NETWORK_ALTQ=1,
	KAUTH_NETWORK_BIND,
	KAUTH_NETWORK_FIREWALL,
	KAUTH_NETWORK_INTERFACE,
	KAUTH_NETWORK_FORWSRCRT,
	KAUTH_NETWORK_NFS,
	KAUTH_NETWORK_ROUTE,
	KAUTH_NETWORK_SOCKET,
	KAUTH_NETWORK_INTERFACE_PPP,
	KAUTH_NETWORK_INTERFACE_SLIP,
	KAUTH_NETWORK_INTERFACE_STRIP,	/* obsolete */
	KAUTH_NETWORK_INTERFACE_TUN,
	KAUTH_NETWORK_INTERFACE_BRIDGE,
	KAUTH_NETWORK_IPSEC,
	KAUTH_NETWORK_INTERFACE_PVC,
	KAUTH_NETWORK_IPV6,
	KAUTH_NETWORK_SMB,
	KAUTH_NETWORK_INTERFACE_WG,
};

/*
 * Network scope - sub-actions.
 *
 * This is the type of the third parameter of kauth_authorize_network().
 * The entries marked obsolete keep their slot, so the numbering of the
 * entries after them is unchanged.
 */
enum kauth_network_req {
	KAUTH_REQ_NETWORK_ALTQ_AFMAP=1,
	KAUTH_REQ_NETWORK_ALTQ_BLUE,
	KAUTH_REQ_NETWORK_ALTQ_CBQ,
	KAUTH_REQ_NETWORK_ALTQ_CDNR,
	KAUTH_REQ_NETWORK_ALTQ_CONF,
	KAUTH_REQ_NETWORK_ALTQ_FIFOQ,
	KAUTH_REQ_NETWORK_ALTQ_HFSC,
	KAUTH_REQ_NETWORK_ALTQ_JOBS,
	KAUTH_REQ_NETWORK_ALTQ_PRIQ,
	KAUTH_REQ_NETWORK_ALTQ_RED,
	KAUTH_REQ_NETWORK_ALTQ_RIO,
	KAUTH_REQ_NETWORK_ALTQ_WFQ,
	KAUTH_REQ_NETWORK_BIND_PORT,
	KAUTH_REQ_NETWORK_BIND_PRIVPORT,
	KAUTH_REQ_NETWORK_FIREWALL_FW,
	KAUTH_REQ_NETWORK_FIREWALL_NAT,
	KAUTH_REQ_NETWORK_INTERFACE_GET,
	KAUTH_REQ_NETWORK_INTERFACE_GETPRIV,
	KAUTH_REQ_NETWORK_INTERFACE_SET,
	KAUTH_REQ_NETWORK_INTERFACE_SETPRIV,
	KAUTH_REQ_NETWORK_NFS_EXPORT,
	KAUTH_REQ_NETWORK_NFS_SVC,
	KAUTH_REQ_NETWORK_SOCKET_OPEN,
	KAUTH_REQ_NETWORK_SOCKET_RAWSOCK,
	KAUTH_REQ_NETWORK_SOCKET_CANSEE,
	KAUTH_REQ_NETWORK_SOCKET_DROP,
	KAUTH_REQ_NETWORK_SOCKET_SETPRIV,
	KAUTH_REQ_NETWORK_INTERFACE_PPP_ADD,
	KAUTH_REQ_NETWORK_INTERFACE_SLIP_ADD,
	KAUTH_REQ_NETWORK_INTERFACE_STRIP_ADD,	/* obsolete */
	KAUTH_REQ_NETWORK_INTERFACE_TUN_ADD,
	KAUTH_REQ_NETWORK_IPV6_HOPBYHOP,
	KAUTH_REQ_NETWORK_INTERFACE_BRIDGE_GETPRIV,
	KAUTH_REQ_NETWORK_INTERFACE_BRIDGE_SETPRIV,
	KAUTH_REQ_NETWORK_IPSEC_BYPASS,
	KAUTH_REQ_NETWORK_IPV6_JOIN_MULTICAST,
	KAUTH_REQ_NETWORK_INTERFACE_PVC_ADD,
	KAUTH_REQ_NETWORK_SMB_SHARE_ACCESS,
	KAUTH_REQ_NETWORK_SMB_SHARE_CREATE,
	KAUTH_REQ_NETWORK_SMB_VC_ACCESS,
	KAUTH_REQ_NETWORK_SMB_VC_CREATE,
	KAUTH_REQ_NETWORK_INTERFACE_FIRMWARE,
	KAUTH_REQ_NETWORK_BIND_ANYADDR,
	KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV,
	KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV,
};

/*
 * Machdep scope - actions.
 */
enum {
	KAUTH_MACHDEP_CACHEFLUSH=1,
	KAUTH_MACHDEP_CPU_UCODE_APPLY,
	KAUTH_MACHDEP_IOPERM_GET,
	KAUTH_MACHDEP_IOPERM_SET,
	KAUTH_MACHDEP_IOPL,
	KAUTH_MACHDEP_LDT_GET,
	KAUTH_MACHDEP_LDT_SET,
	KAUTH_MACHDEP_MTRR_GET,
	KAUTH_MACHDEP_MTRR_SET,
	KAUTH_MACHDEP_NVRAM,
	KAUTH_MACHDEP_UNMANAGEDMEM,
	KAUTH_MACHDEP_PXG,
	KAUTH_MACHDEP_SVS_DISABLE
};

/*
 * Device scope - actions.
 */
enum {
	KAUTH_DEVICE_TTY_OPEN=1,
	KAUTH_DEVICE_TTY_PRIVSET,
	KAUTH_DEVICE_TTY_STI,
	KAUTH_DEVICE_RAWIO_SPEC,
	KAUTH_DEVICE_RAWIO_PASSTHRU,
	KAUTH_DEVICE_BLUETOOTH_SETPRIV,
	KAUTH_DEVICE_RND_ADDDATA,
	KAUTH_DEVICE_RND_ADDDATA_ESTIMATE,
	KAUTH_DEVICE_RND_GETPRIV,
	KAUTH_DEVICE_RND_SETPRIV,
	KAUTH_DEVICE_BLUETOOTH_BCSP,
	KAUTH_DEVICE_BLUETOOTH_BTUART,
	KAUTH_DEVICE_GPIO_PINSET,
	KAUTH_DEVICE_BLUETOOTH_SEND,
	KAUTH_DEVICE_BLUETOOTH_RECV,
	KAUTH_DEVICE_TTY_VIRTUAL,
	KAUTH_DEVICE_WSCONS_KEYBOARD_BELL,
	KAUTH_DEVICE_WSCONS_KEYBOARD_KEYREPEAT,
	KAUTH_DEVICE_NVMM_CTL,
};

/*
 * Device scope - sub-actions.
 *
 * This is the type of the second parameter of
 * kauth_authorize_device_spec().
 */
enum kauth_device_req {
	KAUTH_REQ_DEVICE_RAWIO_SPEC_READ=1,
	KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE,
	KAUTH_REQ_DEVICE_RAWIO_SPEC_RW,
	KAUTH_REQ_DEVICE_BLUETOOTH_BCSP_ADD,
	KAUTH_REQ_DEVICE_BLUETOOTH_BTUART_ADD,
};

/*
 * Credentials scope - actions.
 */
enum {
	KAUTH_CRED_INIT=1,
	KAUTH_CRED_FORK,
	KAUTH_CRED_COPY,
	KAUTH_CRED_FREE,
	KAUTH_CRED_CHROOT
};

/*
 * Vnode scope - action bits.
 *
 * Unlike the enums above, these are flags that are OR-ed together into
 * one kauth_action_t (KAUTH_ACCESS_ACTION() below does so).  Several names
 * share a bit: LIST_DIRECTORY with READ_DATA, ADD_FILE with WRITE_DATA,
 * SEARCH with EXECUTE, ADD_SUBDIRECTORY with APPEND_DATA.  A listener
 * therefore cannot tell the file meaning from the directory meaning by
 * the bit alone; presumably it has to look at the vnode type.
 */
#define	KAUTH_VNODE_READ_DATA		(1ULL << 0)
#define	KAUTH_VNODE_LIST_DIRECTORY	KAUTH_VNODE_READ_DATA
#define	KAUTH_VNODE_WRITE_DATA		(1ULL << 1)
#define	KAUTH_VNODE_ADD_FILE		KAUTH_VNODE_WRITE_DATA
#define	KAUTH_VNODE_EXECUTE		(1ULL << 2)
#define	KAUTH_VNODE_SEARCH		KAUTH_VNODE_EXECUTE
#define	KAUTH_VNODE_DELETE		(1ULL << 3)
#define	KAUTH_VNODE_APPEND_DATA		(1ULL << 4)
#define	KAUTH_VNODE_ADD_SUBDIRECTORY	KAUTH_VNODE_APPEND_DATA
#define	KAUTH_VNODE_READ_TIMES		(1ULL << 5)
#define	KAUTH_VNODE_WRITE_TIMES		(1ULL << 6)
#define	KAUTH_VNODE_READ_FLAGS		(1ULL << 7)
#define	KAUTH_VNODE_WRITE_FLAGS		(1ULL << 8)
#define	KAUTH_VNODE_READ_SYSFLAGS	(1ULL << 9)
#define	KAUTH_VNODE_WRITE_SYSFLAGS	(1ULL << 10)
#define	KAUTH_VNODE_RENAME		(1ULL << 11)
#define	KAUTH_VNODE_CHANGE_OWNERSHIP	(1ULL << 12)
#define	KAUTH_VNODE_READ_SECURITY	(1ULL << 13)
#define	KAUTH_VNODE_WRITE_SECURITY	(1ULL << 14)
#define	KAUTH_VNODE_READ_ATTRIBUTES	(1ULL << 15)
#define	KAUTH_VNODE_WRITE_ATTRIBUTES	(1ULL << 16)
#define	KAUTH_VNODE_READ_EXTATTRIBUTES	(1ULL << 17)
#define	KAUTH_VNODE_WRITE_EXTATTRIBUTES	(1ULL << 18)
#define	KAUTH_VNODE_RETAIN_SUID		(1ULL << 19)
#define	KAUTH_VNODE_RETAIN_SGID		(1ULL << 20)
#define	KAUTH_VNODE_REVOKE		(1ULL << 21)

/*
 * Bits 22-28 are not assigned in this file.  KAUTH_VNODE_IS_EXEC is the
 * bit KAUTH_ACCESS_ACTION() adds when FS_OBJECT_CAN_EXEC() holds.
 * KAUTH_VNODE_ADD_LINK is bit 32 and is lost if the action is ever
 * truncated to 32 bits.
 */
#define	KAUTH_VNODE_IS_EXEC		(1ULL << 29)
#define	KAUTH_VNODE_HAS_SYSFLAGS	(1ULL << 30)
#define	KAUTH_VNODE_ACCESS		(1ULL << 31)
#define	KAUTH_VNODE_ADD_LINK		(1ULL << 32)

/*
 * This is a special fs_decision indication that can be used by file-systems
 * that don't support decision-before-action to tell kauth(9) it can only
 * short-circuit the operation beforehand.
 *
 * NOTE(review): presumably passed as the trailing int argument of
 * kauth_authorize_vnode() -- confirm.
 */
#define	KAUTH_VNODE_REMOTEFS		(-1)

/*
 * Device scope, passthru request - identifiers.
 *
 * These are bit flags; _ALL is the OR of the four individual bits.
 * NOTE(review): presumably the u_long argument of
 * kauth_authorize_device_passthru() -- confirm.
 */
#define	KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READ		0x00000001
#define	KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITE		0x00000002
#define	KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF	0x00000004
#define	KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITECONF	0x00000008
#define	KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL		0x0000000F

/*
 * Sentinel credentials: integer constants cast to kauth_cred_t.  They do
 * not refer to a struct kauth_cred object, so they have to be recognised
 * by comparison and must never reach code that dereferences the
 * credential.
 *
 * NOTE(review): check in the kauth implementation how an authorization
 * request carrying NOCRED or FSCRED is decided.  If such a request is not
 * run through the listeners, neither value may be reachable on a path
 * where the caller's real credential should apply.
 */
#define NOCRED	((kauth_cred_t)-1)	/* no credential available */
#define FSCRED	((kauth_cred_t)-2)	/* filesystem credential */

/*
 * Macro to help passing arguments to authorization wrappers.
 *
 * The value goes through unsigned long before it becomes a void *, so
 * anything wider than unsigned long is truncated, and the receiving side
 * has to convert the pointer back to the same integer type.
 */
#define	KAUTH_ARG(arg)	((void *)(unsigned long)(arg))

/*
 * A file-system object is determined to be able to execute if it's a
 * directory or if the execute bit is present in any of the
 * owner/group/other modes.
 *
 * This helper macro is intended to be used in order to implement a
 * policy that maintains the semantics of "a privileged user can enter
 * directory, and can execute any file, but only if the file is actually
 * executable."
 *
 * The macro looks only at the object: it does not test whether the
 * requesting credential falls into the owner, group or other class, so it
 * is not an access check by itself.  VDIR is not defined in this header.
 */
#define	FS_OBJECT_CAN_EXEC(vtype, mode)	(((vtype) == VDIR) || \
					 ((mode) & \
					  (S_IXUSR|S_IXGRP|S_IXOTH)))

/*
 * Prototypes.
 */
void kauth_init(void);
kauth_scope_t kauth_register_scope(const char *, kauth_scope_callback_t, void *);
void kauth_deregister_scope(kauth_scope_t);
kauth_listener_t kauth_listen_scope(const char *, kauth_scope_callback_t, void *);
void kauth_unlisten_scope(kauth_listener_t);
int kauth_authorize_action(kauth_scope_t, kauth_cred_t, kauth_action_t, void *,
    void *, void *, void *);

/*
 * Authorization wrappers.
 *
 * All of them return int.  NOTE(review): the meaning of that value
 * (presumably 0 when the request is allowed and an error number
 * otherwise) is set by the implementation, not by this header; callers
 * have to check it and refuse the operation on any non-success value.
 */
int kauth_authorize_generic(kauth_cred_t, kauth_action_t, void *);
int kauth_authorize_system(kauth_cred_t, kauth_action_t, enum kauth_system_req,
    void *, void *, void *);
int kauth_authorize_process(kauth_cred_t, kauth_action_t, struct proc *,
    void *, void *, void *);
int kauth_authorize_network(kauth_cred_t, kauth_action_t,
    enum kauth_network_req, void *, void *, void *);
int kauth_authorize_machdep(kauth_cred_t, kauth_action_t,
    void *, void *, void *, void *);
int kauth_authorize_device(kauth_cred_t, kauth_action_t,
    void *, void *, void *, void *);
int kauth_authorize_device_tty(kauth_cred_t, kauth_action_t, struct tty *);
int kauth_authorize_device_spec(kauth_cred_t, enum kauth_device_req,
    struct vnode *);
int kauth_authorize_device_passthru(kauth_cred_t, dev_t, u_long, void *);
int kauth_authorize_vnode(kauth_cred_t, kauth_action_t, struct vnode *,
    struct vnode *, int);

/*
 * Kauth credentials management routines.
 *
 * NOTE(review): how kauth_cred_clone(), kauth_cred_dup() and
 * kauth_cred_copy() differ cannot be told from the prototypes; see
 * kauth(9) before choosing one.
 */
kauth_cred_t kauth_cred_alloc(void);
void kauth_cred_free(kauth_cred_t);
void kauth_cred_clone(kauth_cred_t, kauth_cred_t);
kauth_cred_t kauth_cred_dup(kauth_cred_t);
kauth_cred_t kauth_cred_copy(kauth_cred_t);

uid_t kauth_cred_getuid(kauth_cred_t);
uid_t kauth_cred_geteuid(kauth_cred_t);
uid_t kauth_cred_getsvuid(kauth_cred_t);
gid_t kauth_cred_getgid(kauth_cred_t);
gid_t kauth_cred_getegid(kauth_cred_t);
gid_t kauth_cred_getsvgid(kauth_cred_t);
int kauth_cred_ismember_gid(kauth_cred_t, gid_t, int *);
int kauth_cred_groupmember(kauth_cred_t, gid_t);
u_int kauth_cred_ngroups(kauth_cred_t);
/* NOTE(review): the u_int is presumably an index into the group list; the
 * behaviour for an out-of-range index is not visible here. */
gid_t kauth_cred_group(kauth_cred_t, u_int);

void kauth_cred_setuid(kauth_cred_t, uid_t);
void kauth_cred_seteuid(kauth_cred_t, uid_t);
void kauth_cred_setsvuid(kauth_cred_t, uid_t);
void kauth_cred_setgid(kauth_cred_t, gid_t);
void kauth_cred_setegid(kauth_cred_t, gid_t);
void kauth_cred_setsvgid(kauth_cred_t, gid_t);

/* NOTE(review): presumably these operate on cr_refcnt, with
 * kauth_cred_free() dropping what kauth_cred_hold() takes -- confirm. */
void kauth_cred_hold(kauth_cred_t);
u_int kauth_cred_getrefcnt(kauth_cred_t);

/*
 * Both take a gid array, a size_t count and an enum uio_seg.
 * NOTE(review): the enum presumably says whether the array is in user or
 * kernel space, and the count has to be bounded by NGROUPS somewhere --
 * verify both in the implementation.
 */
int kauth_cred_setgroups(kauth_cred_t, const gid_t *, size_t, uid_t,
    enum uio_seg);
int kauth_cred_getgroups(kauth_cred_t, gid_t *, size_t, enum uio_seg);

/* This is for sys_setgroups() */
int kauth_proc_setgroups(struct lwp *, kauth_cred_t);

/* Per-credential data slots: a key is registered for a secmodel_t and is
 * then used to set and get a void * on a credential. */
int kauth_register_key(secmodel_t, kauth_key_t *);
int kauth_deregister_key(kauth_key_t);
void kauth_cred_setdata(kauth_cred_t, kauth_key_t, void *);
void *kauth_cred_getdata(kauth_cred_t, kauth_key_t);

int kauth_cred_uidmatch(kauth_cred_t, kauth_cred_t);
void kauth_uucred_to_cred(kauth_cred_t, const struct uucred *);
void kauth_cred_to_uucred(struct uucred *, const kauth_cred_t);
int kauth_cred_uucmp(kauth_cred_t, const struct uucred *);
void kauth_cred_toucred(kauth_cred_t, struct ki_ucred *);
void kauth_cred_topcred(kauth_cred_t, struct ki_pcred *);

kauth_action_t kauth_accmode_to_action(accmode_t);
kauth_action_t kauth_extattr_action(mode_t);

/*
 * Builds a vnode-scope action: the result of kauth_accmode_to_action()
 * for access_mode, with KAUTH_VNODE_IS_EXEC added when
 * FS_OBJECT_CAN_EXEC(vn_vtype, file_mode) is true.
 */
#define KAUTH_ACCESS_ACTION(access_mode, vn_vtype, file_mode)	\
	(kauth_accmode_to_action(access_mode) |			\
	(FS_OBJECT_CAN_EXEC(vn_vtype, file_mode) ? KAUTH_VNODE_IS_EXEC : 0))

kauth_cred_t kauth_cred_get(void);

void kauth_proc_fork(struct proc *, struct proc *);
void kauth_proc_chroot(kauth_cred_t cred, struct cwdinfo *cwdi);

#endif /* !_SYS_KAUTH_H_ */