1 /* @(#)priv.h 1.5 13/05/28 Copyright 2009-2013 J. Schilling */ 2 /* 3 * Abstraction code for fine grained process privileges 4 * 5 * Copyright (c) 2009-2013 J. Schilling 6 */ 7 /* 8 * The contents of this file are subject to the terms of the 9 * Common Development and Distribution License, Version 1.0 only 10 * (the "License"). You may not use this file except in compliance 11 * with the License. 12 * 13 * See the file CDDL.Schily.txt in this distribution for details. 14 * A copy of the CDDL is also available via the Internet at 15 * http://www.opensource.org/licenses/cddl1.txt 16 * 17 * When distributing Covered Code, include this CDDL HEADER in each 18 * file and include the License file CDDL.Schily.txt from this distribution. 19 */ 20 21 #ifndef _SCHILY_PRIV_H 22 #define _SCHILY_PRIV_H 23 24 #ifndef _SCHILY_MCONFIG_H 25 #include <schily/mconfig.h> 26 #endif 27 28 /* 29 * The Solaris process privileges interface. 30 */ 31 #if defined(HAVE_PRIV_H) && \ 32 defined(HAVE_GETPPRIV) && defined(HAVE_SETPPRIV) && \ 33 defined(HAVE_PRIV_SET) 34 35 #define HAVE_SOLARIS_PPRIV 36 #endif 37 38 #ifdef NO_SOLARIS_PPRIV 39 #undef HAVE_SOLARIS_PPRIV 40 #endif 41 42 #ifdef HAVE_SOLARIS_PPRIV 43 #ifndef _INCL_PRIV_H 44 #define _INCL_PRIV_H 45 #include <priv.h> 46 #endif 47 #endif 48 49 /* 50 * AIX implements an incompatible process privileges interface. 51 * On AIX, we have sys/priv.h, getppriv(), setppriv() but no priv_set(). 52 */ 53 #if defined(HAVE_SYS_PRIV_H) && \ 54 defined(HAVE_GETPPRIV) && defined(HAVE_SETPPRIV) && \ 55 defined(HAVE_PRIVBIT_SET) 56 57 #define HAVE_AIX_PPRIV 58 #endif 59 60 #ifdef NO_AIX_PPRIV 61 #undef HAVE_AIX_PPRIV 62 #endif 63 64 #ifdef HAVE_AIX_PPRIV 65 #ifndef _INCL_SYS_PRIV_H 66 #define _INCL_SYS_PRIV_H 67 #include <sys/priv.h> 68 #endif 69 #endif 70 71 /* 72 * The POSIX.1e draft has been withdrawn in 1997. 73 * Linux started to implement this outdated concept in 1997. 74 * On Linux, we have sys/capability.h, cap_get_proc(), cap_set_proc(), 75 * cap_set_flag() cap_clear_flag() 76 */ 77 #if defined(HAVE_SYS_CAPABILITY_H) && \ 78 defined(HAVE_CAP_GET_PROC) && defined(HAVE_CAP_SET_PROC) && \ 79 defined(HAVE_CAP_SET_FLAG) && defined(HAVE_CAP_CLEAR_FLAG) 80 81 #define HAVE_LINUX_CAPS 82 #endif 83 84 #ifdef NO_LINUX_CAPS 85 #undef HAVE_LINUX_CAPS 86 #endif 87 88 #ifdef HAVE_LINUX_CAPS 89 #ifndef _INCL_SYS_CAPABILITY_H 90 #define _INCL_SYS_CAPABILITY_H 91 #include <sys/capability.h> 92 #endif 93 #endif 94 95 /* 96 * Privileges abstraction layer definitions 97 */ 98 #define SCHILY_PRIV_FILE_CHOWN 10 /* Allow to chown any file */ 99 #define SCHILY_PRIV_FILE_CHOWN_SELF 11 /* Allow to chown own files */ 100 #define SCHILY_PRIV_FILE_DAC_EXECUTE 12 /* Overwrite execute permission */ 101 #define SCHILY_PRIV_FILE_DAC_READ 13 /* Overwrite read permission */ 102 #define SCHILY_PRIV_FILE_DAC_SEARCH 14 /* Overwrite dir search permission */ 103 #define SCHILY_PRIV_FILE_DAC_WRITE 15 /* Overwrite write permission */ 104 #define SCHILY_PRIV_FILE_DOWNGRADE_SL 16 /* Downgrade sensivity label */ 105 #define SCHILY_PRIV_FILE_LINK_ANY 17 /* Hard-link files not owned */ 106 #define SCHILY_PRIV_FILE_OWNER 18 /* Allow chmod ... to unowned files */ 107 #define SCHILY_PRIV_FILE_SETID 19 /* Allow chown or suid/sgid without being owner */ 108 #define SCHILY_PRIV_FILE_UPGRADE_SL 20 /* Upgrade sensivity label */ 109 #define SCHILY_PRIV_FILE_FLAG_SET 22 /* Allow set file attributes as "immutable" */ 110 111 #define SCHILY_PRIV_IPC_DAC_READ 40 /* Overwrite read permission */ 112 #define SCHILY_PRIV_IPC_DAC_WRITE 41 /* Overwrite write permission */ 113 #define SCHILY_PRIV_IPC_OWNER 42 /* Allow chmod ... to unowned files */ 114 115 #define SCHILY_PRIV_NET_BINDMLP 50 /* Allow to bind multi-level ports */ 116 #define SCHILY_PRIV_NET_ICMPACCESS 51 /* Allow to send/receive ICMP packets */ 117 #define SCHILY_PRIV_NET_MAC_AWARE 52 /* Allow to set NET_MAC_AWARE flag */ 118 #define SCHILY_PRIV_NET_OBSERVABILITY 53 /* Allow tp access network device for receiving traffic */ 119 #define SCHILY_PRIV_NET_PRIVADDR 54 /* Allow to bind priv ports */ 120 #define SCHILY_PRIV_NET_RAWACCESS 55 /* Allow raw network access */ 121 122 #define SCHILY_PRIV_PROC_AUDIT 60 /* Allow to create audit records */ 123 #define SCHILY_PRIV_PROC_CHROOT 61 /* Allow chroot */ 124 #define SCHILY_PRIV_PROC_CLOCK_HIGHRES 62 /* Allow to use high resulution timers */ 125 #define SCHILY_PRIV_PROC_EXEC 63 /* Allow to call exec*() */ 126 #define SCHILY_PRIV_PROC_FORK 64 /* Allow to call fork*()/vfork*() */ 127 #define SCHILY_PRIV_PROC_INFO 65 /* Allow to examine /proc status without sendsig priv */ 128 #define SCHILY_PRIV_PROC_LOCK_MEMORY 66 /* Allow to lock pages into physical memory */ 129 #define SCHILY_PRIV_PROC_OWNER 67 /* Allow sendsig and /proc to other procs */ 130 #define SCHILY_PRIV_PROC_PRIOCNTL 68 /* Allow to send sognals or trace outside session */ 131 #define SCHILY_PRIV_PROC_SESSION 68 /* Allow to send sognals or trace outside session */ 132 #define SCHILY_PRIV_PROC_SETID 69 /* Allow set proc's UID/GID */ 133 134 #define SCHILY_PRIV_SYS_ACCT 80 /* Allow process accounting */ 135 #define SCHILY_PRIV_SYS_ADMIN 81 /* Allow system administration */ 136 #define SCHILY_PRIV_SYS_AUDIT 82 /* Allow so start kernel auditing */ 137 #define SCHILY_PRIV_SYS_CONFIG 83 /* Allow various system config tasks */ 138 #define SCHILY_PRIV_SYS_DEVICES 84 /* Allow device specific stuff */ 139 #define SCHILY_PRIV_SYS_DL_CONFIG 85 /* Allow tp configure datalink interfaces */ 140 #define SCHILY_PRIV_SYS_IP_CONFIG 86 /* Allow to configure IP interfaces */ 141 #define SCHILY_PRIV_SYS_LINKDIR 87 /* Allow to link/unlink directories */ 142 #define SCHILY_PRIV_SYS_MOUNT 88 /* Allow file-system administration */ 143 #define SCHILY_PRIV_SYS_NET_CONFIG 89 /* Allow to configure the network */ 144 #define SCHILY_PRIV_SYS_NFS 90 /* Allow to configure NFS */ 145 #define SCHILY_PRIV_SYS_PPP_CONFIG 91 /* Allow to configure PPP */ 146 #define SCHILY_PRIV_SYS_RES_CONFIG 92 /* Allow to configure system resources */ 147 #define SCHILY_PRIV_SYS_RESOURCE 93 /* Allow setrlimit */ 148 #define SCHILY_PRIV_SYS_SMB 94 /* Allow to configure SMB */ 149 #define SCHILY_PRIV_SYS_SUSER_COMPAT 95 /* Allow to load modules that call suser() */ 150 #define SCHILY_PRIV_SYS_TIME 96 /* Allow to set time */ 151 #define SCHILY_PRIV_SYS_TRANS_LABEL 97 /* Allow to translate labels in trusted extensions */ 152 153 #endif /* _SCHILY_PRIV_H */ 154