1 /* $NetBSD: kauth.h,v 1.71 2013/03/18 19:35:46 plunky Exp $ */ 2 3 /*- 4 * Copyright (c) 2005, 2006 Elad Efrat <elad@NetBSD.org> 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote products 16 * derived from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 /* 31 * This is based on Apple TN2127, available online at 32 * http://developer.apple.com/technotes/tn2005/tn2127.html 33 */ 34 35 #ifndef _SYS_KAUTH_H_ 36 #define _SYS_KAUTH_H_ 37 38 #include <secmodel/secmodel.h> /* for secmodel_t type */ 39 #include <sys/stat.h> /* for modes */ 40 41 struct uucred; 42 struct ki_ucred; 43 struct ki_pcred; 44 struct proc; 45 struct tty; 46 struct vnode; 47 struct cwdinfo; 48 49 /* Types. */ 50 typedef struct kauth_scope *kauth_scope_t; 51 typedef struct kauth_listener *kauth_listener_t; 52 typedef uint32_t kauth_action_t; 53 typedef int (*kauth_scope_callback_t)(kauth_cred_t, kauth_action_t, 54 void *, void *, void *, void *, void *); 55 typedef struct kauth_key *kauth_key_t; 56 57 /* 58 * Possible return values for a listener. 59 */ 60 #define KAUTH_RESULT_ALLOW 0 /* allow access */ 61 #define KAUTH_RESULT_DENY 1 /* deny access */ 62 #define KAUTH_RESULT_DEFER 2 /* let others decide */ 63 64 /* 65 * Scopes. 66 */ 67 #define KAUTH_SCOPE_GENERIC "org.netbsd.kauth.generic" 68 #define KAUTH_SCOPE_SYSTEM "org.netbsd.kauth.system" 69 #define KAUTH_SCOPE_PROCESS "org.netbsd.kauth.process" 70 #define KAUTH_SCOPE_NETWORK "org.netbsd.kauth.network" 71 #define KAUTH_SCOPE_MACHDEP "org.netbsd.kauth.machdep" 72 #define KAUTH_SCOPE_DEVICE "org.netbsd.kauth.device" 73 #define KAUTH_SCOPE_CRED "org.netbsd.kauth.cred" 74 #define KAUTH_SCOPE_VNODE "org.netbsd.kauth.vnode" 75 76 /* 77 * Generic scope - actions. 78 */ 79 enum { 80 KAUTH_GENERIC_UNUSED1=1, 81 KAUTH_GENERIC_ISSUSER, 82 }; 83 84 /* 85 * System scope - actions. 86 */ 87 enum { 88 KAUTH_SYSTEM_ACCOUNTING=1, 89 KAUTH_SYSTEM_CHROOT, 90 KAUTH_SYSTEM_CHSYSFLAGS, 91 KAUTH_SYSTEM_CPU, 92 KAUTH_SYSTEM_DEBUG, 93 KAUTH_SYSTEM_FILEHANDLE, 94 KAUTH_SYSTEM_MKNOD, 95 KAUTH_SYSTEM_MOUNT, 96 KAUTH_SYSTEM_PSET, 97 KAUTH_SYSTEM_REBOOT, 98 KAUTH_SYSTEM_SETIDCORE, 99 KAUTH_SYSTEM_SWAPCTL, 100 KAUTH_SYSTEM_SYSCTL, 101 KAUTH_SYSTEM_TIME, 102 KAUTH_SYSTEM_MODULE, 103 KAUTH_SYSTEM_FS_RESERVEDSPACE, 104 KAUTH_SYSTEM_FS_QUOTA, 105 KAUTH_SYSTEM_SEMAPHORE, 106 KAUTH_SYSTEM_SYSVIPC, 107 KAUTH_SYSTEM_MQUEUE, 108 KAUTH_SYSTEM_VERIEXEC, 109 KAUTH_SYSTEM_DEVMAPPER, 110 KAUTH_SYSTEM_MAP_VA_ZERO, 111 KAUTH_SYSTEM_LFS, 112 KAUTH_SYSTEM_FS_EXTATTR, 113 KAUTH_SYSTEM_FS_SNAPSHOT, 114 }; 115 116 /* 117 * System scope - sub-actions. 118 */ 119 enum kauth_system_req { 120 KAUTH_REQ_SYSTEM_CHROOT_CHROOT=1, 121 KAUTH_REQ_SYSTEM_CHROOT_FCHROOT, 122 KAUTH_REQ_SYSTEM_CPU_SETSTATE, 123 KAUTH_REQ_SYSTEM_DEBUG_IPKDB, 124 KAUTH_REQ_SYSTEM_MOUNT_GET, 125 KAUTH_REQ_SYSTEM_MOUNT_NEW, 126 KAUTH_REQ_SYSTEM_MOUNT_UNMOUNT, 127 KAUTH_REQ_SYSTEM_MOUNT_UPDATE, 128 KAUTH_REQ_SYSTEM_PSET_ASSIGN, 129 KAUTH_REQ_SYSTEM_PSET_BIND, 130 KAUTH_REQ_SYSTEM_PSET_CREATE, 131 KAUTH_REQ_SYSTEM_PSET_DESTROY, 132 KAUTH_REQ_SYSTEM_SYSCTL_ADD, 133 KAUTH_REQ_SYSTEM_SYSCTL_DELETE, 134 KAUTH_REQ_SYSTEM_SYSCTL_DESC, 135 KAUTH_REQ_SYSTEM_SYSCTL_MODIFY, 136 KAUTH_REQ_SYSTEM_SYSCTL_PRVT, 137 KAUTH_REQ_SYSTEM_TIME_ADJTIME, 138 KAUTH_REQ_SYSTEM_TIME_NTPADJTIME, 139 KAUTH_REQ_SYSTEM_TIME_RTCOFFSET, 140 KAUTH_REQ_SYSTEM_TIME_SYSTEM, 141 KAUTH_REQ_SYSTEM_TIME_TIMECOUNTERS, 142 KAUTH_REQ_SYSTEM_FS_QUOTA_GET, 143 KAUTH_REQ_SYSTEM_FS_QUOTA_MANAGE, 144 KAUTH_REQ_SYSTEM_FS_QUOTA_NOLIMIT, 145 KAUTH_REQ_SYSTEM_FS_QUOTA_ONOFF, 146 KAUTH_REQ_SYSTEM_SYSVIPC_BYPASS, 147 KAUTH_REQ_SYSTEM_SYSVIPC_SHM_LOCK, 148 KAUTH_REQ_SYSTEM_SYSVIPC_SHM_UNLOCK, 149 KAUTH_REQ_SYSTEM_SYSVIPC_MSGQ_OVERSIZE, 150 KAUTH_REQ_SYSTEM_VERIEXEC_ACCESS, 151 KAUTH_REQ_SYSTEM_VERIEXEC_MODIFY, 152 KAUTH_REQ_SYSTEM_LFS_MARKV, 153 KAUTH_REQ_SYSTEM_LFS_BMAPV, 154 KAUTH_REQ_SYSTEM_LFS_SEGCLEAN, 155 KAUTH_REQ_SYSTEM_LFS_SEGWAIT, 156 KAUTH_REQ_SYSTEM_LFS_FCNTL, 157 KAUTH_REQ_SYSTEM_MOUNT_UMAP, 158 KAUTH_REQ_SYSTEM_MOUNT_DEVICE, 159 }; 160 161 /* 162 * Process scope - actions. 163 */ 164 enum { 165 KAUTH_PROCESS_CANSEE=1, 166 KAUTH_PROCESS_CORENAME, 167 KAUTH_PROCESS_FORK, 168 KAUTH_PROCESS_KEVENT_FILTER, 169 KAUTH_PROCESS_KTRACE, 170 KAUTH_PROCESS_NICE, 171 KAUTH_PROCESS_PROCFS, 172 KAUTH_PROCESS_PTRACE, 173 KAUTH_PROCESS_RLIMIT, 174 KAUTH_PROCESS_SCHEDULER_GETAFFINITY, 175 KAUTH_PROCESS_SCHEDULER_SETAFFINITY, 176 KAUTH_PROCESS_SCHEDULER_GETPARAM, 177 KAUTH_PROCESS_SCHEDULER_SETPARAM, 178 KAUTH_PROCESS_SETID, 179 KAUTH_PROCESS_SIGNAL, 180 KAUTH_PROCESS_STOPFLAG 181 }; 182 183 /* 184 * Process scope - sub-actions. 185 */ 186 enum kauth_process_req { 187 KAUTH_REQ_PROCESS_CANSEE_ARGS=1, 188 KAUTH_REQ_PROCESS_CANSEE_ENTRY, 189 KAUTH_REQ_PROCESS_CANSEE_ENV, 190 KAUTH_REQ_PROCESS_CANSEE_OPENFILES, 191 KAUTH_REQ_PROCESS_CORENAME_GET, 192 KAUTH_REQ_PROCESS_CORENAME_SET, 193 KAUTH_REQ_PROCESS_KTRACE_PERSISTENT, 194 KAUTH_REQ_PROCESS_PROCFS_CTL, 195 KAUTH_REQ_PROCESS_PROCFS_READ, 196 KAUTH_REQ_PROCESS_PROCFS_RW, 197 KAUTH_REQ_PROCESS_PROCFS_WRITE, 198 KAUTH_REQ_PROCESS_RLIMIT_GET, 199 KAUTH_REQ_PROCESS_RLIMIT_SET, 200 KAUTH_REQ_PROCESS_RLIMIT_BYPASS, 201 }; 202 203 /* 204 * Network scope - actions. 205 */ 206 enum { 207 KAUTH_NETWORK_ALTQ=1, 208 KAUTH_NETWORK_BIND, 209 KAUTH_NETWORK_FIREWALL, 210 KAUTH_NETWORK_INTERFACE, 211 KAUTH_NETWORK_FORWSRCRT, 212 KAUTH_NETWORK_NFS, 213 KAUTH_NETWORK_ROUTE, 214 KAUTH_NETWORK_SOCKET, 215 KAUTH_NETWORK_INTERFACE_PPP, 216 KAUTH_NETWORK_INTERFACE_SLIP, 217 KAUTH_NETWORK_INTERFACE_STRIP, 218 KAUTH_NETWORK_INTERFACE_TUN, 219 KAUTH_NETWORK_INTERFACE_BRIDGE, 220 KAUTH_NETWORK_IPSEC, 221 KAUTH_NETWORK_INTERFACE_PVC, 222 KAUTH_NETWORK_IPV6, 223 KAUTH_NETWORK_SMB, 224 }; 225 226 /* 227 * Network scope - sub-actions. 228 */ 229 enum kauth_network_req { 230 KAUTH_REQ_NETWORK_ALTQ_AFMAP=1, 231 KAUTH_REQ_NETWORK_ALTQ_BLUE, 232 KAUTH_REQ_NETWORK_ALTQ_CBQ, 233 KAUTH_REQ_NETWORK_ALTQ_CDNR, 234 KAUTH_REQ_NETWORK_ALTQ_CONF, 235 KAUTH_REQ_NETWORK_ALTQ_FIFOQ, 236 KAUTH_REQ_NETWORK_ALTQ_HFSC, 237 KAUTH_REQ_NETWORK_ALTQ_JOBS, 238 KAUTH_REQ_NETWORK_ALTQ_PRIQ, 239 KAUTH_REQ_NETWORK_ALTQ_RED, 240 KAUTH_REQ_NETWORK_ALTQ_RIO, 241 KAUTH_REQ_NETWORK_ALTQ_WFQ, 242 KAUTH_REQ_NETWORK_BIND_PORT, 243 KAUTH_REQ_NETWORK_BIND_PRIVPORT, 244 KAUTH_REQ_NETWORK_FIREWALL_FW, 245 KAUTH_REQ_NETWORK_FIREWALL_NAT, 246 KAUTH_REQ_NETWORK_INTERFACE_GET, 247 KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, 248 KAUTH_REQ_NETWORK_INTERFACE_SET, 249 KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, 250 KAUTH_REQ_NETWORK_NFS_EXPORT, 251 KAUTH_REQ_NETWORK_NFS_SVC, 252 KAUTH_REQ_NETWORK_SOCKET_OPEN, 253 KAUTH_REQ_NETWORK_SOCKET_RAWSOCK, 254 KAUTH_REQ_NETWORK_SOCKET_CANSEE, 255 KAUTH_REQ_NETWORK_SOCKET_DROP, 256 KAUTH_REQ_NETWORK_SOCKET_SETPRIV, 257 KAUTH_REQ_NETWORK_INTERFACE_PPP_ADD, 258 KAUTH_REQ_NETWORK_INTERFACE_SLIP_ADD, 259 KAUTH_REQ_NETWORK_INTERFACE_STRIP_ADD, 260 KAUTH_REQ_NETWORK_INTERFACE_TUN_ADD, 261 KAUTH_REQ_NETWORK_IPV6_HOPBYHOP, 262 KAUTH_REQ_NETWORK_INTERFACE_BRIDGE_GETPRIV, 263 KAUTH_REQ_NETWORK_INTERFACE_BRIDGE_SETPRIV, 264 KAUTH_REQ_NETWORK_IPSEC_BYPASS, 265 KAUTH_REQ_NETWORK_IPV6_JOIN_MULTICAST, 266 KAUTH_REQ_NETWORK_INTERFACE_PVC_ADD, 267 KAUTH_REQ_NETWORK_SMB_SHARE_ACCESS, 268 KAUTH_REQ_NETWORK_SMB_SHARE_CREATE, 269 KAUTH_REQ_NETWORK_SMB_VC_ACCESS, 270 KAUTH_REQ_NETWORK_SMB_VC_CREATE, 271 KAUTH_REQ_NETWORK_INTERFACE_FIRMWARE, 272 }; 273 274 /* 275 * Machdep scope - actions. 276 */ 277 enum { 278 KAUTH_MACHDEP_CACHEFLUSH=1, 279 KAUTH_MACHDEP_CPU_UCODE_APPLY, 280 KAUTH_MACHDEP_IOPERM_GET, 281 KAUTH_MACHDEP_IOPERM_SET, 282 KAUTH_MACHDEP_IOPL, 283 KAUTH_MACHDEP_LDT_GET, 284 KAUTH_MACHDEP_LDT_SET, 285 KAUTH_MACHDEP_MTRR_GET, 286 KAUTH_MACHDEP_MTRR_SET, 287 KAUTH_MACHDEP_NVRAM, 288 KAUTH_MACHDEP_UNMANAGEDMEM, 289 KAUTH_MACHDEP_PXG, 290 }; 291 292 /* 293 * Device scope - actions. 294 */ 295 enum { 296 KAUTH_DEVICE_TTY_OPEN=1, 297 KAUTH_DEVICE_TTY_PRIVSET, 298 KAUTH_DEVICE_TTY_STI, 299 KAUTH_DEVICE_RAWIO_SPEC, 300 KAUTH_DEVICE_RAWIO_PASSTHRU, 301 KAUTH_DEVICE_BLUETOOTH_SETPRIV, 302 KAUTH_DEVICE_RND_ADDDATA, 303 KAUTH_DEVICE_RND_ADDDATA_ESTIMATE, 304 KAUTH_DEVICE_RND_GETPRIV, 305 KAUTH_DEVICE_RND_SETPRIV, 306 KAUTH_DEVICE_BLUETOOTH_BCSP, 307 KAUTH_DEVICE_BLUETOOTH_BTUART, 308 KAUTH_DEVICE_GPIO_PINSET, 309 KAUTH_DEVICE_BLUETOOTH_SEND, 310 KAUTH_DEVICE_BLUETOOTH_RECV, 311 KAUTH_DEVICE_TTY_VIRTUAL, 312 KAUTH_DEVICE_WSCONS_KEYBOARD_BELL, 313 KAUTH_DEVICE_WSCONS_KEYBOARD_KEYREPEAT, 314 }; 315 316 /* 317 * Device scope - sub-actions. 318 */ 319 enum kauth_device_req { 320 KAUTH_REQ_DEVICE_RAWIO_SPEC_READ=1, 321 KAUTH_REQ_DEVICE_RAWIO_SPEC_WRITE, 322 KAUTH_REQ_DEVICE_RAWIO_SPEC_RW, 323 KAUTH_REQ_DEVICE_BLUETOOTH_BCSP_ADD, 324 KAUTH_REQ_DEVICE_BLUETOOTH_BTUART_ADD, 325 }; 326 327 /* 328 * Credentials scope - actions. 329 */ 330 enum { 331 KAUTH_CRED_INIT=1, 332 KAUTH_CRED_FORK, 333 KAUTH_CRED_COPY, 334 KAUTH_CRED_FREE, 335 KAUTH_CRED_CHROOT 336 }; 337 338 /* 339 * Vnode scope - action bits. 340 */ 341 #define KAUTH_VNODE_READ_DATA (1U << 0) 342 #define KAUTH_VNODE_LIST_DIRECTORY KAUTH_VNODE_READ_DATA 343 #define KAUTH_VNODE_WRITE_DATA (1U << 1) 344 #define KAUTH_VNODE_ADD_FILE KAUTH_VNODE_WRITE_DATA 345 #define KAUTH_VNODE_EXECUTE (1U << 2) 346 #define KAUTH_VNODE_SEARCH KAUTH_VNODE_EXECUTE 347 #define KAUTH_VNODE_DELETE (1U << 3) 348 #define KAUTH_VNODE_APPEND_DATA (1U << 4) 349 #define KAUTH_VNODE_ADD_SUBDIRECTORY KAUTH_VNODE_APPEND_DATA 350 #define KAUTH_VNODE_READ_TIMES (1U << 5) 351 #define KAUTH_VNODE_WRITE_TIMES (1U << 6) 352 #define KAUTH_VNODE_READ_FLAGS (1U << 7) 353 #define KAUTH_VNODE_WRITE_FLAGS (1U << 8) 354 #define KAUTH_VNODE_READ_SYSFLAGS (1U << 9) 355 #define KAUTH_VNODE_WRITE_SYSFLAGS (1U << 10) 356 #define KAUTH_VNODE_RENAME (1U << 11) 357 #define KAUTH_VNODE_CHANGE_OWNERSHIP (1U << 12) 358 #define KAUTH_VNODE_READ_SECURITY (1U << 13) 359 #define KAUTH_VNODE_WRITE_SECURITY (1U << 14) 360 #define KAUTH_VNODE_READ_ATTRIBUTES (1U << 15) 361 #define KAUTH_VNODE_WRITE_ATTRIBUTES (1U << 16) 362 #define KAUTH_VNODE_READ_EXTATTRIBUTES (1U << 17) 363 #define KAUTH_VNODE_WRITE_EXTATTRIBUTES (1U << 18) 364 #define KAUTH_VNODE_RETAIN_SUID (1U << 19) 365 #define KAUTH_VNODE_RETAIN_SGID (1U << 20) 366 #define KAUTH_VNODE_REVOKE (1U << 21) 367 368 #define KAUTH_VNODE_IS_EXEC (1U << 29) 369 #define KAUTH_VNODE_HAS_SYSFLAGS (1U << 30) 370 #define KAUTH_VNODE_ACCESS (1U << 31) 371 372 /* 373 * This is a special fs_decision indication that can be used by file-systems 374 * that don't support decision-before-action to tell kauth(9) it can only 375 * short-circuit the operation beforehand. 376 */ 377 #define KAUTH_VNODE_REMOTEFS (-1) 378 379 /* 380 * Device scope, passthru request - identifiers. 381 */ 382 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READ 0x00000001 383 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITE 0x00000002 384 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_READCONF 0x00000004 385 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_WRITECONF 0x00000008 386 #define KAUTH_REQ_DEVICE_RAWIO_PASSTHRU_ALL 0x0000000F 387 388 #define NOCRED ((kauth_cred_t)-1) /* no credential available */ 389 #define FSCRED ((kauth_cred_t)-2) /* filesystem credential */ 390 391 /* Macro to help passing arguments to authorization wrappers. */ 392 #define KAUTH_ARG(arg) ((void *)(unsigned long)(arg)) 393 394 /* 395 * A file-system object is determined to be able to execute if it's a 396 * directory or if the execute bit is present in any of the 397 * owner/group/other modes. 398 * 399 * This helper macro is intended to be used in order to implement a 400 * policy that maintains the semantics of "a privileged user can enter 401 * directory, and can execute any file, but only if the file is actually 402 * executable." 403 */ 404 #define FS_OBJECT_CAN_EXEC(vtype, mode) (((vtype) == VDIR) || \ 405 ((mode) & \ 406 (S_IXUSR|S_IXGRP|S_IXOTH))) 407 408 /* 409 * Prototypes. 410 */ 411 void kauth_init(void); 412 kauth_scope_t kauth_register_scope(const char *, kauth_scope_callback_t, void *); 413 void kauth_deregister_scope(kauth_scope_t); 414 kauth_listener_t kauth_listen_scope(const char *, kauth_scope_callback_t, void *); 415 void kauth_unlisten_scope(kauth_listener_t); 416 int kauth_authorize_action(kauth_scope_t, kauth_cred_t, kauth_action_t, void *, 417 void *, void *, void *); 418 419 /* Authorization wrappers. */ 420 int kauth_authorize_generic(kauth_cred_t, kauth_action_t, void *); 421 int kauth_authorize_system(kauth_cred_t, kauth_action_t, enum kauth_system_req, 422 void *, void *, void *); 423 int kauth_authorize_process(kauth_cred_t, kauth_action_t, struct proc *, 424 void *, void *, void *); 425 int kauth_authorize_network(kauth_cred_t, kauth_action_t, 426 enum kauth_network_req, void *, void *, void *); 427 int kauth_authorize_machdep(kauth_cred_t, kauth_action_t, 428 void *, void *, void *, void *); 429 int kauth_authorize_device(kauth_cred_t, kauth_action_t, 430 void *, void *, void *, void *); 431 int kauth_authorize_device_tty(kauth_cred_t, kauth_action_t, struct tty *); 432 int kauth_authorize_device_spec(kauth_cred_t, enum kauth_device_req, 433 struct vnode *); 434 int kauth_authorize_device_passthru(kauth_cred_t, dev_t, u_long, void *); 435 int kauth_authorize_vnode(kauth_cred_t, kauth_action_t, struct vnode *, 436 struct vnode *, int); 437 438 /* Kauth credentials management routines. */ 439 kauth_cred_t kauth_cred_alloc(void); 440 void kauth_cred_free(kauth_cred_t); 441 void kauth_cred_clone(kauth_cred_t, kauth_cred_t); 442 kauth_cred_t kauth_cred_dup(kauth_cred_t); 443 kauth_cred_t kauth_cred_copy(kauth_cred_t); 444 445 uid_t kauth_cred_getuid(kauth_cred_t); 446 uid_t kauth_cred_geteuid(kauth_cred_t); 447 uid_t kauth_cred_getsvuid(kauth_cred_t); 448 gid_t kauth_cred_getgid(kauth_cred_t); 449 gid_t kauth_cred_getegid(kauth_cred_t); 450 gid_t kauth_cred_getsvgid(kauth_cred_t); 451 int kauth_cred_ismember_gid(kauth_cred_t, gid_t, int *); 452 u_int kauth_cred_ngroups(kauth_cred_t); 453 gid_t kauth_cred_group(kauth_cred_t, u_int); 454 455 void kauth_cred_setuid(kauth_cred_t, uid_t); 456 void kauth_cred_seteuid(kauth_cred_t, uid_t); 457 void kauth_cred_setsvuid(kauth_cred_t, uid_t); 458 void kauth_cred_setgid(kauth_cred_t, gid_t); 459 void kauth_cred_setegid(kauth_cred_t, gid_t); 460 void kauth_cred_setsvgid(kauth_cred_t, gid_t); 461 462 void kauth_cred_hold(kauth_cred_t); 463 u_int kauth_cred_getrefcnt(kauth_cred_t); 464 465 int kauth_cred_setgroups(kauth_cred_t, const gid_t *, size_t, uid_t, 466 enum uio_seg); 467 int kauth_cred_getgroups(kauth_cred_t, gid_t *, size_t, enum uio_seg); 468 469 /* This is for sys_setgroups() */ 470 int kauth_proc_setgroups(struct lwp *, kauth_cred_t); 471 472 int kauth_register_key(secmodel_t, kauth_key_t *); 473 int kauth_deregister_key(kauth_key_t); 474 void kauth_cred_setdata(kauth_cred_t, kauth_key_t, void *); 475 void *kauth_cred_getdata(kauth_cred_t, kauth_key_t); 476 477 int kauth_cred_uidmatch(kauth_cred_t, kauth_cred_t); 478 void kauth_uucred_to_cred(kauth_cred_t, const struct uucred *); 479 void kauth_cred_to_uucred(struct uucred *, const kauth_cred_t); 480 int kauth_cred_uucmp(kauth_cred_t, const struct uucred *); 481 void kauth_cred_toucred(kauth_cred_t, struct ki_ucred *); 482 void kauth_cred_topcred(kauth_cred_t, struct ki_pcred *); 483 484 kauth_action_t kauth_mode_to_action(mode_t); 485 kauth_action_t kauth_extattr_action(mode_t); 486 487 #define KAUTH_ACCESS_ACTION(access_mode, vn_vtype, file_mode) \ 488 (kauth_mode_to_action(access_mode) | \ 489 (FS_OBJECT_CAN_EXEC(vn_vtype, file_mode) ? KAUTH_VNODE_IS_EXEC : 0)) 490 491 kauth_cred_t kauth_cred_get(void); 492 493 void kauth_proc_fork(struct proc *, struct proc *); 494 void kauth_proc_chroot(kauth_cred_t cred, struct cwdinfo *cwdi); 495 496 #endif /* !_SYS_KAUTH_H_ */ 497