security/mac_bsdextended/mac_bsdextended.h

101099Srwatson/*-
126097Srwatson * Copyright (c) 1999-2002 Robert N. M. Watson
136742Srwatson * Copyright (c) 2001-2004 Networks Associates Technology, Inc.
101099Srwatson * All rights reserved.
101099Srwatson *
101099Srwatson * This software was developed by Robert Watson for the TrustedBSD Project.
101099Srwatson *
106393Srwatson * This software was developed for the FreeBSD Project in part by Network
106393Srwatson * Associates Laboratories, the Security Research Division of Network
106393Srwatson * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
106393Srwatson * as part of the DARPA CHATS research program.
101099Srwatson *
101099Srwatson * Redistribution and use in source and binary forms, with or without
101099Srwatson * modification, are permitted provided that the following conditions
101099Srwatson * are met:
101099Srwatson * 1. Redistributions of source code must retain the above copyright
101099Srwatson *    notice, this list of conditions and the following disclaimer.
101099Srwatson * 2. Redistributions in binary form must reproduce the above copyright
101099Srwatson *    notice, this list of conditions and the following disclaimer in the
101099Srwatson *    documentation and/or other materials provided with the distribution.
101099Srwatson *
101099Srwatson * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
101099Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
101099Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
101099Srwatson * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
101099Srwatson * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
101099Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
101099Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
101099Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
101099Srwatson * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
101099Srwatson * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
101099Srwatson * SUCH DAMAGE.
101099Srwatson *
101099Srwatson * $FreeBSD$
101099Srwatson */
101099Srwatson
101099Srwatson#ifndef _SYS_SECURITY_MAC_BSDEXTENDED_H
101099Srwatson#define	_SYS_SECURITY_MAC_BSDEXTENDED_H
101099Srwatson
157986Sdwmalone#define MB_VERSION 2 /* Used to check library and kernel are the same. */
101099Srwatson
136739Srwatson/*
171253Srwatson * Rights that can be represented in mbr_mode.  These have the same values as
171253Srwatson * the V* rights in vnode.h, but in order to avoid sharing user and kernel
171253Srwatson * constants, we define them here.  That will also improve ABI stability if
171253Srwatson * the in-kernel values change.
136739Srwatson */
136739Srwatson#define	MBI_EXEC	000100
136739Srwatson#define	MBI_WRITE	000200
136739Srwatson#define	MBI_READ	000400
136739Srwatson#define	MBI_ADMIN	010000
136739Srwatson#define	MBI_STAT	020000
136739Srwatson#define	MBI_APPEND	040000
136739Srwatson#define	MBI_ALLPERM	(MBI_EXEC | MBI_WRITE | MBI_READ | MBI_ADMIN | \
136739Srwatson			    MBI_STAT | MBI_APPEND)
136739Srwatson
157986Sdwmalone#define	MBS_UID_DEFINED	0x00000001	/* uid field should be matched */
157986Sdwmalone#define	MBS_GID_DEFINED	0x00000002	/* gid field should be matched */
157986Sdwmalone#define	MBS_PRISON_DEFINED 0x00000004	/* prison field should be matched */
157986Sdwmalone
157986Sdwmalone#define MBS_ALL_FLAGS (MBS_UID_DEFINED | MBS_GID_DEFINED | MBS_PRISON_DEFINED)
157986Sdwmalone
157986Sdwmalonestruct mac_bsdextended_subject {
157986Sdwmalone	int	mbs_flags;
157986Sdwmalone	int	mbs_neg;
157986Sdwmalone	uid_t	mbs_uid_min;
157986Sdwmalone	uid_t	mbs_uid_max;
157986Sdwmalone	gid_t	mbs_gid_min;
157986Sdwmalone	gid_t	mbs_gid_max;
157986Sdwmalone	int	mbs_prison;
101099Srwatson};
101099Srwatson
157986Sdwmalone#define	MBO_UID_DEFINED	0x00000001	/* uid field should be matched */
157986Sdwmalone#define	MBO_GID_DEFINED	0x00000002	/* gid field should be matched */
157986Sdwmalone#define	MBO_FSID_DEFINED 0x00000004	/* fsid field should be matched */
157986Sdwmalone#define	MBO_SUID	0x00000008	/* object must be suid */
157986Sdwmalone#define	MBO_SGID	0x00000010	/* object must be sgid */
157986Sdwmalone#define	MBO_UID_SUBJECT	0x00000020	/* uid must match subject */
157986Sdwmalone#define	MBO_GID_SUBJECT	0x00000040	/* gid must match subject */
157986Sdwmalone#define	MBO_TYPE_DEFINED 0x00000080	/* object type should be matched */
157986Sdwmalone
157986Sdwmalone#define MBO_ALL_FLAGS (MBO_UID_DEFINED | MBO_GID_DEFINED | MBO_FSID_DEFINED | \
157986Sdwmalone	    MBO_SUID | MBO_SGID | MBO_UID_SUBJECT | MBO_GID_SUBJECT | \
157986Sdwmalone	    MBO_TYPE_DEFINED)
157986Sdwmalone
157986Sdwmalone#define MBO_TYPE_REG	0x00000001
157986Sdwmalone#define MBO_TYPE_DIR	0x00000002
157986Sdwmalone#define MBO_TYPE_BLK	0x00000004
157986Sdwmalone#define MBO_TYPE_CHR	0x00000008
157986Sdwmalone#define MBO_TYPE_LNK	0x00000010
157986Sdwmalone#define MBO_TYPE_SOCK	0x00000020
157986Sdwmalone#define MBO_TYPE_FIFO	0x00000040
157986Sdwmalone
157986Sdwmalone#define MBO_ALL_TYPE	(MBO_TYPE_REG | MBO_TYPE_DIR | MBO_TYPE_BLK | \
157986Sdwmalone	    MBO_TYPE_CHR | MBO_TYPE_LNK | MBO_TYPE_SOCK | MBO_TYPE_FIFO)
157986Sdwmalone
157986Sdwmalonestruct mac_bsdextended_object {
157986Sdwmalone	int	mbo_flags;
157986Sdwmalone	int	mbo_neg;
157986Sdwmalone	uid_t	mbo_uid_min;
157986Sdwmalone	uid_t	mbo_uid_max;
157986Sdwmalone	gid_t	mbo_gid_min;
157986Sdwmalone	gid_t	mbo_gid_max;
157986Sdwmalone	struct fsid mbo_fsid;
157986Sdwmalone	int	mbo_type;
157986Sdwmalone};
157986Sdwmalone
101099Srwatsonstruct mac_bsdextended_rule {
157986Sdwmalone	struct mac_bsdextended_subject	mbr_subject;
157986Sdwmalone	struct mac_bsdextended_object	mbr_object;
101099Srwatson	mode_t				mbr_mode;	/* maximum access */
101099Srwatson};
101099Srwatson
101099Srwatson#endif /* _SYS_SECURITY_MAC_BSDEXTENDED_H */