/daten/src/linux-2.4.27-rsbac-v1.2.3/include/rsbac/types.h

Go to the documentation of this file.
00001 /*********************************** */ 00002 /* Rule Set Based Access Control */ 00003 /* Author and (c)1999-2004: */ 00004 /* Amon Ott <ao@rsbac.org> */ 00005 /* API: Data types for attributes */ 00006 /* and standard module calls */ 00007 /* Last modified: 21/Jun/2004 */ 00008 /*********************************** */ 00009 00010 #ifndef __RSBAC_TYPES_H 00011 #define __RSBAC_TYPES_H 00012 00013 /* trigger module dependency for EXPORT_SYMBOL */ 00014 #ifdef CONFIG_MODULES 00015 #endif 00016 00017 #define RSBAC_VERSION "v1.2.3" 00018 #define RSBAC_VERSION_MAJOR 1 00019 #define RSBAC_VERSION_MID 2 00020 #define RSBAC_VERSION_MINOR 3 00021 #define RSBAC_VERSION_NR \ 00022 ((RSBAC_VERSION_MAJOR << 16) | (RSBAC_VERSION_MID << 8) | RSBAC_VERSION_MINOR) 00023 #define RSBAC_VERSION_MAKE_NR(x,y,z) \ 00024 ((x << 16) & (y << 8) & z) 00025 00026 #include <linux/types.h> 00027 00028 #ifdef __KERNEL__ 00029 #include <linux/fs.h> 00030 #include <linux/socket.h> 00031 #include <linux/pipe_fs_i.h> 00032 #include <linux/kdev_t.h> 00033 00034 /* version checks */ 00035 #ifndef LINUX_VERSION_CODE 00036 #include <linux/version.h> 00037 #endif 00038 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,4,19) 00039 #error "RSBAC: unsupported kernel version" 00040 #endif 00041 00042 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0) 00043 #define RSBAC_MAJOR MAJOR 00044 #define RSBAC_MINOR MINOR 00045 #define RSBAC_MKDEV(major,minor) MKDEV(major,minor) 00046 static inline u_int rsbac_current_time(void) 00047 { 00048 struct timespec ts = CURRENT_TIME; 00049 return ts.tv_sec; 00050 } 00051 #ifndef kdev_t 00052 #define kdev_t dev_t 00053 #endif 00054 #define RSBAC_CURRENT_TIME (rsbac_current_time()) 00055 #else 00056 #define RSBAC_MAJOR MAJOR 00057 #define RSBAC_MINOR MINOR 00058 #define RSBAC_MKDEV(major,minor) MKDEV(major,minor) 00059 #define RSBAC_CURRENT_TIME CURRENT_TIME 00060 #endif 00061 00062 #define RSBAC_ZERO_DEV RSBAC_MKDEV(0,0) 00063 #define RSBAC_AUTO_DEV RSBAC_MKDEV(99,99) 00064 #define RSBAC_IS_ZERO_DEV(kdev) (!RSBAC_MAJOR(kdev) && !RSBAC_MINOR(kdev)) 00065 #define RSBAC_IS_AUTO_DEV(kdev) ((RSBAC_MAJOR(kdev) == 99) && (RSBAC_MINOR(kdev) == 99)) 00066 00067 #ifdef CONFIG_RSBAC_INIT_DELAY 00068 #define R_INIT 00069 #else 00070 #define R_INIT __init 00071 #endif 00072 00073 #endif 00074 00075 /* General */ 00076 00077 #ifndef NULL 00078 #define NULL ((void *) 0) 00079 #endif 00080 00081 #define rsbac_min(a,b) (((a)<(b))?(a):(b)) 00082 #define rsbac_max(a,b) (((a)>(b))?(a):(b)) 00083 00084 #define RSBAC_OLD_NO_USER 65533 00085 #define RSBAC_OLD_ALL_USERS 65532 00086 #define RSBAC_NO_USER ((rsbac_uid_t) -3) 00087 #define RSBAC_ALL_USERS ((rsbac_uid_t) -4) 00088 00089 #ifndef __cplusplus 00090 #if defined(FALSE) || defined(TRUE) || defined(boolean) 00091 #ifndef boolean 00092 typedef int boolean; 00093 #endif 00094 #ifndef FALSE 00095 #define FALSE 0 00096 #endif 00097 #ifndef TRUE 00098 #define TRUE 1 00099 #endif 00100 #else 00101 typedef enum {FALSE, TRUE} boolean; 00102 #endif 00103 #else 00104 typedef bool boolean; 00105 #endif 00106 00107 typedef __u8 rsbac_boolean_int_t; 00108 00109 #define RSBAC_IFNAMSIZ 16 00110 typedef u_char rsbac_netdev_id_t[RSBAC_IFNAMSIZ + 1]; 00111 00112 #define RSBAC_SEC_DEL_CHUNK_SIZE 65536 00113 00114 /* Adjust these, if you have to, but if you do, adjust them all! */ 00115 /* Note: no / allowed, file must be exactly in second level! */ 00116 #define RSBAC_AUTH_LOGIN_PATH "/bin/login" 00117 #define RSBAC_AUTH_LOGIN_PATH_DIR "bin" 00118 #define RSBAC_AUTH_LOGIN_PATH_FILE "login" 00119 00120 /* These data structures work parallel to the Linux data structures, */ 00121 /* so all data for RSBAC decisions is maintained seperately. */ 00122 /* Any change to RSBAC data will NOT modify any other linux data, */ 00123 /* e.g. userlists, process lists or inodes. */ 00124 00125 typedef __u32 rsbac_version_t; 00126 typedef __u32 rsbac_uid_t; /* Same as user in Linux kernel */ 00127 typedef __u32 rsbac_gid_t; /* Same as group in Linux kernel */ 00128 typedef __u16 rsbac_old_uid_t; /* Same as user in Linux kernel */ 00129 typedef __u16 rsbac_old_gid_t; /* Same as group in Linux kernel */ 00130 typedef __u32 rsbac_time_t; /* Same as time_t in Linux kernel */ 00131 typedef __u32 rsbac_cap_vector_t; /* Same as kernel_cap_t in Linux kernel */ 00132 00133 /* Special generic lists time-to-live (ttl) value to keep old setting */ 00134 #define RSBAC_LIST_TTL_KEEP ((rsbac_time_t) -1) 00135 00136 typedef __u8 rsbac_enum_t; /* internally used for all enums */ 00137 00138 #define RSBAC_SYSADM_UID 0 00139 #define RSBAC_BIN_UID 1 00140 #ifdef CONFIG_RSBAC_SECOFF_UID 00141 #define RSBAC_SECOFF_UID CONFIG_RSBAC_SECOFF_UID 00142 #else 00143 #define RSBAC_SECOFF_UID 400 00144 #endif 00145 #define RSBAC_DATAPROT_UID (RSBAC_SECOFF_UID+1) 00146 #define RSBAC_TPMAN_UID (RSBAC_SECOFF_UID+2) 00147 #define RSBAC_AUDITOR_UID (RSBAC_SECOFF_UID+4) 00148 00149 typedef __u32 rsbac_pseudo_t; /* For Pseudonymic Logging */ 00150 typedef __u32 rsbac_pid_t; /* Same as pid in Linux */ 00151 00152 00153 typedef __u8 rsbac_security_level_t; 00154 #define SL_max 252 00155 #define SL_min 0 00156 // #define SL_rsbac_internal 253 00157 #define SL_inherit 254 00158 #define SL_none 255 00159 enum rsbac_old_security_level_t {SL_unclassified, SL_confidential, SL_secret, 00160 SL_top_secret, SL_old_rsbac_internal, 00161 SL_old_inherit, SL_old_none}; 00162 /* MAC security levels */ 00163 typedef __u64 rsbac_mac_category_vector_t; /* MAC category sets */ 00164 #define RSBAC_MAC_GENERAL_CATEGORY 0 00165 #define RSBAC_MAC_DEF_CAT_VECTOR ((rsbac_mac_category_vector_t) 1) 00166 /* 1 << GENERAL_CAT */ 00167 #define RSBAC_MAC_MAX_CAT_VECTOR ((rsbac_mac_category_vector_t) -1) 00168 /* all bits set */ 00169 #define RSBAC_MAC_MIN_CAT_VECTOR ((rsbac_mac_category_vector_t) 0) 00170 /* no bits set */ 00171 #define RSBAC_MAC_INHERIT_CAT_VECTOR ((rsbac_mac_category_vector_t) 0) 00172 /* for fd: no bits set */ 00173 #define RSBAC_MAC_NR_CATS 64 00174 #define RSBAC_MAC_MAX_CAT 63 00175 00176 #define RSBAC_MAC_CAT_VECTOR(x) ((rsbac_mac_category_vector_t) 1 << (x)) 00177 00178 typedef u_int rsbac_cwi_relation_id_t; 00179 00180 /* For MAC, FC, SIM, FF, AUTH */ 00181 enum rsbac_system_role_t {SR_user, SR_security_officer, SR_administrator, 00182 SR_auditor, SR_none}; 00183 typedef rsbac_enum_t rsbac_system_role_int_t; 00184 00185 /* For FC */ 00186 enum rsbac_object_category_t {OC_general, OC_security, OC_system, 00187 OC_inherit, OC_none}; 00188 #define RSBAC_FC_OC_DEF OC_inherit 00189 #define RSBAC_FC_OC_ROOT_DEF OC_general 00190 /* internal type */ 00191 typedef rsbac_enum_t rsbac_fc_oc_t; 00192 00193 /* For SIM */ 00194 enum rsbac_data_type_t {DT_none, DT_SI, DT_inherit}; 00195 #define RSBAC_SIM_DT_DEF DT_inherit 00196 #define RSBAC_SIM_DT_ROOT_DEF DT_none 00197 /* internal type */ 00198 typedef rsbac_enum_t rsbac_sim_dt_t; 00199 00200 /* For all models */ 00201 enum rsbac_fake_root_uid_t {FR_off, FR_uid_only, FR_euid_only, FR_both, 00202 FR_none}; 00203 typedef rsbac_enum_t rsbac_fake_root_uid_int_t; 00204 00205 enum rsbac_scd_type_t {ST_time_strucs, ST_clock, ST_host_id, 00206 ST_net_id, ST_ioports, ST_rlimit, 00207 ST_swap, ST_syslog, ST_rsbac, ST_rsbaclog, 00208 ST_other, ST_kmem, ST_network, ST_firewall, 00209 ST_priority, ST_sysfs, ST_none}; 00210 00211 enum rsbac_dev_type_t {D_block, D_char, D_none}; 00212 00213 00214 enum rsbac_ipc_type_t {I_sem, I_msg, I_shm, I_none}; 00215 union rsbac_ipc_id_t 00216 { 00217 u_long id_nr; 00218 }; 00219 00220 typedef __u32 rsbac_inode_nr_t; 00221 00222 enum rsbac_linux_dac_disable_t {LDD_false, LDD_true, LDD_inherit, LDD_none}; 00223 typedef rsbac_enum_t rsbac_linux_dac_disable_int_t; 00224 00225 #ifdef __KERNEL__ 00226 /* We need unique identifiers for each file/dir. inode means inode in */ 00227 /* the file system. */ 00228 struct rsbac_fs_file_t 00229 { 00230 kdev_t device; 00231 rsbac_inode_nr_t inode; 00232 struct dentry * dentry_p; /* used for inheritance recursion */ 00233 }; 00234 00235 /* We need unique ids for dev objects */ 00236 struct rsbac_dev_desc_t 00237 { 00238 __u32 type; 00239 __u32 major; 00240 __u32 minor; 00241 }; 00242 00243 struct rsbac_dev_t 00244 { 00245 enum rsbac_dev_type_t type; 00246 kdev_t id; 00247 }; 00248 #endif /* __KERNEL */ 00249 00250 /* And we need unique ids for ipc objects */ 00251 struct rsbac_ipc_t 00252 { 00253 enum rsbac_ipc_type_t type; 00254 union rsbac_ipc_id_t id; 00255 }; 00256 00257 /* log levels: nothing, denied requests only, all, refer to request log level */ 00258 enum rsbac_log_level_t {LL_none, LL_denied, LL_full, LL_request, LL_invalid}; 00259 typedef __u64 rsbac_log_array_t; 00260 00261 /* request bitvectors */ 00262 typedef __u64 rsbac_request_vector_t; 00263 #define RSBAC_REQUEST_VECTOR(x) ((rsbac_request_vector_t) 1 << (x)) 00264 00265 /* The max length of each filename is kept in a macro */ 00266 #define RSBAC_MAXNAMELEN 256 00267 00268 /* MAC */ 00269 00270 typedef __u8 rsbac_mac_user_flags_t; 00271 typedef __u16 rsbac_mac_process_flags_t; 00272 typedef __u8 rsbac_mac_file_flags_t; 00273 typedef struct rsbac_fs_file_t rsbac_mac_file_t; 00274 #define RSBAC_MAC_MAX_MAXNUM 1000000 00275 00276 #define MAC_override 1 00277 #define MAC_auto 2 00278 #define MAC_trusted 4 00279 #define MAC_write_up 8 00280 #define MAC_read_up 16 00281 #define MAC_write_down 32 00282 #define MAC_allow_auto 64 00283 #define MAC_prop_trusted 128 00284 #define MAC_program_auto 256 00285 00286 #define RSBAC_MAC_U_FLAGS (MAC_override | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down | MAC_allow_auto) 00287 #define RSBAC_MAC_P_FLAGS (MAC_override | MAC_auto | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down | MAC_prop_trusted | MAC_program_auto) 00288 #define RSBAC_MAC_F_FLAGS (MAC_auto | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down) 00289 00290 #define RSBAC_MAC_DEF_U_FLAGS 0 00291 #define RSBAC_MAC_DEF_SYSADM_U_FLAGS MAC_allow_auto 00292 #define RSBAC_MAC_DEF_SECOFF_U_FLAGS MAC_override 00293 00294 #define RSBAC_MAC_DEF_P_FLAGS 0 00295 #define RSBAC_MAC_DEF_INIT_P_FLAGS MAC_auto 00296 00297 typedef rsbac_enum_t rsbac_mac_auto_int_t; 00298 enum rsbac_mac_auto_t {MA_no, MA_yes, MA_inherit}; 00299 00300 /* PM */ 00301 00302 #include <rsbac/pm_types.h> 00303 00304 /* DAZ */ 00305 typedef __u8 rsbac_daz_scanned_t; 00306 #define DAZ_unscanned 0 00307 #define DAZ_infected 1 00308 #define DAZ_clean 2 00309 #define DAZ_max 2 00310 #define DEFAULT_DAZ_FD_SCANNED DAZ_unscanned 00311 typedef __u8 rsbac_daz_scanner_t; 00312 00313 /* FF */ 00314 00315 typedef __u16 rsbac_ff_flags_t; 00316 #define FF_read_only 1 00317 #define FF_execute_only 2 00318 #define FF_search_only 4 00319 #define FF_write_only 8 00320 #define FF_secure_delete 16 00321 #define FF_no_execute 32 00322 #define FF_no_delete_or_rename 64 00323 #define FF_append_only 256 00324 #define FF_no_mount 512 00325 00326 #define FF_add_inherited 128 00327 00328 #define RSBAC_FF_DEF FF_add_inherited 00329 #define RSBAC_FF_ROOT_DEF 0 00330 00331 /***** RC *****/ 00332 00333 #include <rsbac/rc_types.h> 00334 00335 /**** AUTH ****/ 00336 /* special cap value, replaced by process owner at execute time */ 00337 #define RSBAC_AUTH_MAX_MAXNUM 1000000 00338 #define RSBAC_AUTH_OLD_OWNER_F_CAP (rsbac_old_uid_t) -3 00339 #define RSBAC_AUTH_OWNER_F_CAP ((rsbac_uid_t) -3) 00340 #define RSBAC_AUTH_DAC_OWNER_F_CAP ((rsbac_uid_t) -4) 00341 #define RSBAC_AUTH_MAX_RANGE_UID ((rsbac_uid_t) -10) 00342 typedef struct rsbac_fs_file_t rsbac_auth_file_t; 00343 struct rsbac_auth_cap_range_t 00344 { 00345 rsbac_uid_t first; 00346 rsbac_uid_t last; 00347 }; 00348 enum rsbac_auth_cap_type_t {ACT_real, ACT_eff, ACT_fs, ACT_none}; 00349 typedef rsbac_enum_t rsbac_auth_cap_type_int_t; 00350 00351 /**** ACL ****/ 00352 /* include at end of types.h */ 00353 00354 /**** CAP ****/ 00355 enum rsbac_cap_process_hiding_t {PH_off, PH_from_other_users, PH_full, 00356 PH_none}; 00357 typedef rsbac_enum_t rsbac_cap_process_hiding_int_t; 00358 00359 #include <linux/capability.h> 00360 #define CAP_NONE 29 00361 #define RSBAC_CAP_MAX CAP_NONE 00362 00363 /**** JAIL ****/ 00364 00365 #define RSBAC_JAIL_VERSION 1 00366 00367 typedef __u32 rsbac_jail_id_t; 00368 #define RSBAC_JAIL_DEF_ID 0 00369 typedef __u32 rsbac_jail_ip_t; 00370 00371 typedef __u32 rsbac_jail_flags_t; 00372 #define JAIL_allow_external_ipc 1 00373 #define JAIL_allow_all_net_family 2 00374 #define JAIL_allow_rlimit 4 00375 #define JAIL_allow_inet_raw 8 00376 #define JAIL_auto_adjust_inet_any 16 00377 #define JAIL_allow_inet_localhost 32 00378 #define JAIL_allow_clock 64 00379 00380 #define RSBAC_JAIL_LOCALHOST ((1 << 24) | 127) 00381 00382 /**** PAX ****/ 00383 00384 typedef unsigned long rsbac_pax_flags_t; 00385 00386 /* for PaX defines */ 00387 #ifdef __KERNEL__ 00388 #include <linux/elf.h> 00389 #include <linux/random.h> 00390 #endif 00391 #ifndef PF_PAX_PAGEEXEC 00392 #define PF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */ 00393 #define PF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */ 00394 #define PF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */ 00395 #define PF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */ 00396 #define PF_PAX_RANDEXEC 0x10000000 /* Randomize ET_EXEC base */ 00397 #define PF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */ 00398 #endif 00399 00400 #define RSBAC_PAX_DEF_FLAGS (PF_PAX_SEGMEXEC | PF_PAX_MPROTECT | PF_PAX_RANDMMAP) 00401 #define RSBAC_PAX_ALL_FLAGS ((rsbac_pax_flags_t) 255 << 24) 00402 00403 00404 /**** RES ****/ 00405 00406 typedef __u32 rsbac_res_limit_t; 00407 #define RSBAC_RES_UNSET 0 00408 00409 #define RSBAC_RES_MAX 10 /* RLIMIT_LOCKS in 2.4.x kernels */ 00410 #define RSBAC_RES_NONE 11 00411 00412 typedef rsbac_res_limit_t rsbac_res_array_t[RSBAC_RES_MAX + 1]; 00413 00414 /**** REG ****/ 00415 typedef __s32 rsbac_reg_handle_t; 00416 00417 00418 /****************************************************************************/ 00419 /* ADF types */ 00420 /****************************************************************************/ 00421 00422 #include <rsbac/network_types.h> 00423 00424 #ifdef __KERNEL__ 00425 typedef struct socket * rsbac_net_obj_id_t; 00426 #else 00427 typedef void * rsbac_net_obj_id_t; 00428 #endif 00429 00430 struct rsbac_net_obj_desc_t 00431 { 00432 rsbac_net_obj_id_t sock_p; 00433 void * local_addr; 00434 u_int local_len; 00435 void * remote_addr; 00436 u_int remote_len; 00437 }; 00438 00439 #define RSBAC_ADF_REQUEST_ARRAY_VERSION 2 00440 00441 enum rsbac_adf_request_t { 00442 R_ADD_TO_KERNEL, 00443 R_ALTER, 00444 R_APPEND_OPEN, 00445 R_CHANGE_GROUP, 00446 R_CHANGE_OWNER, 00447 R_CHDIR, 00448 R_CLONE, 00449 R_CLOSE, 00450 R_CREATE, 00451 R_DELETE, 00452 R_EXECUTE, 00453 R_GET_PERMISSIONS_DATA, 00454 R_GET_STATUS_DATA, 00455 R_LINK_HARD, 00456 R_MODIFY_ACCESS_DATA, 00457 R_MODIFY_ATTRIBUTE, 00458 R_MODIFY_PERMISSIONS_DATA, 00459 R_MODIFY_SYSTEM_DATA, 00460 R_MOUNT, 00461 R_READ, 00462 R_READ_ATTRIBUTE, 00463 R_READ_WRITE_OPEN, 00464 R_READ_OPEN, 00465 R_REMOVE_FROM_KERNEL, 00466 R_RENAME, 00467 R_SEARCH, 00468 R_SEND_SIGNAL, 00469 R_SHUTDOWN, 00470 R_SWITCH_LOG, 00471 R_SWITCH_MODULE, 00472 R_TERMINATE, 00473 R_TRACE, 00474 R_TRUNCATE, 00475 R_UMOUNT, 00476 R_WRITE, 00477 R_WRITE_OPEN, 00478 R_MAP_EXEC, 00479 R_BIND, 00480 R_LISTEN, 00481 R_ACCEPT, 00482 R_CONNECT, 00483 R_SEND, 00484 R_RECEIVE, 00485 R_NET_SHUTDOWN, 00486 R_CHANGE_DAC_EFF_OWNER, 00487 R_CHANGE_DAC_FS_OWNER, 00488 R_NONE 00489 }; 00490 00491 typedef rsbac_enum_t rsbac_adf_request_int_t; 00492 00493 #include <rsbac/request_groups.h> 00494 00495 /* This type is returned from the rsbac_adf_request() function. Since a */ 00496 /* decision of undefined means an error, it is never returned. */ 00497 00498 enum rsbac_adf_req_ret_t {NOT_GRANTED,GRANTED,DO_NOT_CARE,UNDEFINED}; 00499 00500 /****************************************************************************/ 00501 /* ACI types */ 00502 /****************************************************************************/ 00503 00504 /* For switching adf-modules */ 00505 enum rsbac_switch_target_t {GEN,MAC,FC,SIM,PM,DAZ,FF,RC,AUTH,REG,ACL,CAP,JAIL,RES,PAX,SOFTMODE,DAC_DISABLE,SW_NONE}; 00506 #define RSBAC_MAX_MOD (SOFTMODE - 1) 00507 typedef rsbac_enum_t rsbac_switch_target_int_t; 00508 00509 /****************************************************************************/ 00510 /* For objects, users and processes all manipulation is encapsulated by the */ 00511 /* function calls rsbac_set_attr, rsbac_get_attr and rsbac_remove_target. */ 00512 00513 /* For those, we declare some extra types to specify target and attribute. */ 00514 00515 enum rsbac_target_t {T_FILE, T_DIR, T_FIFO, T_SYMLINK, T_DEV, T_IPC, T_SCD, T_USER, T_PROCESS, 00516 T_NETDEV, T_NETTEMP, T_NETOBJ, T_NETTEMP_NT, 00517 T_FD, 00518 T_NONE}; 00519 00520 union rsbac_target_id_t 00521 { 00522 #ifdef __KERNEL__ 00523 struct rsbac_fs_file_t file; 00524 struct rsbac_fs_file_t dir; 00525 struct rsbac_fs_file_t fifo; 00526 struct rsbac_fs_file_t symlink; 00527 struct rsbac_dev_t dev; 00528 #endif 00529 struct rsbac_ipc_t ipc; 00530 rsbac_enum_t scd; 00531 rsbac_uid_t user; 00532 rsbac_pid_t process; 00533 rsbac_netdev_id_t netdev; 00534 rsbac_net_temp_id_t nettemp; 00535 struct rsbac_net_obj_desc_t netobj; 00536 int dummy; 00537 }; 00538 00539 #ifdef __KERNEL__ 00540 typedef rsbac_enum_t rsbac_log_entry_t[T_NONE+1]; 00541 00542 struct rsbac_create_data_t 00543 { 00544 enum rsbac_target_t target; 00545 struct dentry * dentry_p; 00546 int mode; 00547 kdev_t device; /* for mknod etc. */ 00548 }; 00549 #endif 00550 00551 enum rsbac_attribute_t 00552 { 00553 A_pseudo, 00554 A_security_level, 00555 A_initial_security_level, 00556 A_local_sec_level, 00557 A_remote_sec_level, 00558 A_min_security_level, 00559 A_mac_categories, 00560 A_mac_initial_categories, 00561 A_local_mac_categories, 00562 A_remote_mac_categories, 00563 A_mac_min_categories, 00564 A_mac_user_flags, 00565 A_mac_process_flags, 00566 A_mac_file_flags, 00567 A_object_category, 00568 A_local_object_category, 00569 A_remote_object_category, 00570 A_data_type, 00571 A_local_data_type, 00572 A_remote_data_type, 00573 A_system_role, 00574 A_mac_role, 00575 A_fc_role, 00576 A_sim_role, 00577 A_daz_role, 00578 A_ff_role, 00579 A_auth_role, 00580 A_cap_role, 00581 A_jail_role, 00582 A_pax_role, 00583 A_current_sec_level, 00584 A_mac_curr_categories, 00585 A_min_write_open, 00586 A_min_write_categories, 00587 A_max_read_open, 00588 A_max_read_categories, 00589 A_mac_auto, 00590 A_mac_check, 00591 A_mac_prop_trusted, 00592 A_pm_role, 00593 A_pm_process_type, 00594 A_pm_current_task, 00595 A_pm_object_class, 00596 A_local_pm_object_class, 00597 A_remote_pm_object_class, 00598 A_pm_ipc_purpose, 00599 A_local_pm_ipc_purpose, 00600 A_remote_pm_ipc_purpose, 00601 A_pm_object_type, 00602 A_local_pm_object_type, 00603 A_remote_pm_object_type, 00604 A_pm_program_type, 00605 A_pm_tp, 00606 A_pm_task_set, 00607 A_daz_scanned, 00608 A_daz_scanner, 00609 A_ff_flags, 00610 A_rc_type, 00611 A_local_rc_type, 00612 A_remote_rc_type, 00613 A_rc_type_fd, 00614 A_rc_type_nt, 00615 A_rc_force_role, 00616 A_rc_initial_role, 00617 A_rc_role, 00618 A_rc_def_role, 00619 A_auth_may_setuid, 00620 A_auth_may_set_cap, 00621 A_auth_learn, 00622 A_min_caps, 00623 A_max_caps, 00624 A_jail_id, 00625 A_jail_ip, 00626 A_jail_flags, 00627 A_jail_max_caps, 00628 A_pax_flags, 00629 A_res_role, 00630 A_res_min, 00631 A_res_max, 00632 A_log_array_low, 00633 A_local_log_array_low, 00634 A_remote_log_array_low, 00635 A_log_array_high, 00636 A_local_log_array_high, 00637 A_remote_log_array_high, 00638 A_log_program_based, 00639 A_log_user_based, 00640 A_symlink_add_uid, 00641 A_symlink_add_mac_level, 00642 A_symlink_add_rc_role, 00643 A_linux_dac_disable, 00644 A_cap_process_hiding, 00645 A_fake_root_uid, 00646 #ifdef __KERNEL__ 00647 /* adf-request helpers */ 00648 A_owner, 00649 A_group, 00650 A_signal, 00651 A_mode, 00652 A_nlink, 00653 A_switch_target, 00654 A_mod_name, 00655 A_request, 00656 A_trace_request, 00657 A_auth_add_f_cap, 00658 A_auth_remove_f_cap, 00659 A_auth_get_caplist, 00660 A_prot_bits, 00661 A_internal, 00662 /* used with CREATE on DIR */ 00663 A_create_data, 00664 A_new_object, 00665 A_rlimit, 00666 A_new_dir_dentry_p, 00667 A_auth_program_file, 00668 A_auth_start_uid, 00669 A_acl_learn, 00670 A_priority, 00671 A_pgid, 00672 A_kernel_thread, 00673 #endif 00674 A_none}; 00675 00676 union rsbac_attribute_value_t 00677 { 00678 rsbac_uid_t owner; /* process owner */ 00679 rsbac_pseudo_t pseudo; 00680 rsbac_security_level_t security_level; 00681 rsbac_mac_category_vector_t mac_categories; 00682 rsbac_fc_oc_t object_category; 00683 rsbac_sim_dt_t data_type; 00684 rsbac_system_role_int_t system_role; 00685 rsbac_security_level_t current_sec_level; 00686 rsbac_security_level_t min_write_open; 00687 rsbac_security_level_t max_read_open; 00688 rsbac_mac_user_flags_t mac_user_flags; 00689 rsbac_mac_process_flags_t mac_process_flags; 00690 rsbac_mac_file_flags_t mac_file_flags; 00691 rsbac_mac_auto_int_t mac_auto; 00692 boolean mac_check; 00693 boolean mac_prop_trusted; 00694 rsbac_pm_role_int_t pm_role; 00695 rsbac_pm_process_type_int_t pm_process_type; 00696 rsbac_pm_task_id_t pm_current_task; 00697 rsbac_pm_object_class_id_t pm_object_class; 00698 rsbac_pm_purpose_id_t pm_ipc_purpose; 00699 rsbac_pm_object_type_int_t pm_object_type; 00700 rsbac_pm_program_type_int_t pm_program_type; 00701 rsbac_pm_tp_id_t pm_tp; 00702 rsbac_pm_task_set_id_t pm_task_set; 00703 rsbac_daz_scanned_t daz_scanned; 00704 rsbac_daz_scanner_t daz_scanner; 00705 rsbac_ff_flags_t ff_flags; 00706 rsbac_rc_type_id_t rc_type; 00707 rsbac_rc_type_id_t rc_type_fd; 00708 rsbac_rc_role_id_t rc_force_role; 00709 rsbac_rc_role_id_t rc_initial_role; 00710 rsbac_rc_role_id_t rc_role; 00711 rsbac_rc_role_id_t rc_def_role; 00712 boolean auth_may_setuid; 00713 boolean auth_may_set_cap; 00714 rsbac_pid_t auth_p_capset; 00715 rsbac_inode_nr_t auth_f_capset; 00716 boolean auth_learn; 00717 rsbac_cap_vector_t min_caps; 00718 rsbac_cap_vector_t max_caps; 00719 rsbac_jail_id_t jail_id; 00720 rsbac_jail_ip_t jail_ip; 00721 rsbac_jail_flags_t jail_flags; 00722 rsbac_cap_vector_t jail_max_caps; 00723 rsbac_pax_flags_t pax_flags; 00724 rsbac_res_array_t res_array; 00725 rsbac_log_array_t log_array_low; 00726 rsbac_log_array_t log_array_high; 00727 rsbac_request_vector_t log_program_based; 00728 rsbac_request_vector_t log_user_based; 00729 boolean symlink_add_uid; 00730 boolean symlink_add_mac_level; 00731 boolean symlink_add_rc_role; 00732 rsbac_linux_dac_disable_int_t linux_dac_disable; 00733 // rsbac_net_temp_id_t net_temp; 00734 rsbac_cap_process_hiding_int_t cap_process_hiding; 00735 rsbac_fake_root_uid_int_t fake_root_uid; 00736 #ifdef __KERNEL__ 00737 rsbac_gid_t group; /* process/fd group */ 00738 struct sockaddr * sockaddr_p; /* socket-ipc address */ 00739 long signal; /* signal for kill */ 00740 int mode; /* mode for create/mount */ 00741 int nlink; /* for DELETE/unlink */ 00742 enum rsbac_switch_target_t switch_target; /* for SWITCH_MODULE */ 00743 char * mod_name; /* for ADD_TO_KERNEL */ 00744 enum rsbac_adf_request_t request; /* for SWITCH_LOG */ 00745 long trace_request; /* request for sys_trace */ 00746 struct rsbac_auth_cap_range_t auth_cap_range; 00747 int prot_bits;/* prot bits for mmap()/mprotect() */ 00748 boolean internal; 00749 /* used with CREATE on DIR */ 00750 struct rsbac_create_data_t create_data; 00751 /* newly created object in OPEN requests? */ 00752 boolean new_object; 00753 u_int rlimit; 00754 struct dentry * new_dir_dentry_p; 00755 struct rsbac_fs_file_t auth_program_file; /* for learning mode */ 00756 rsbac_uid_t auth_start_uid; 00757 boolean acl_learn; 00758 int priority; 00759 rsbac_pid_t pgid; 00760 boolean kernel_thread; 00761 #endif 00762 u_char u_char_dummy; 00763 u_short u_short_dummy; 00764 int dummy; 00765 u_int u_dummy; 00766 long long_dummy; 00767 u_long u_long_dummy; 00768 }; 00769 00770 00771 /**** ACL ****/ 00772 00773 #include <rsbac/acl_types.h> 00774 00775 #endif

Generated on Tue Aug 31 10:05:22 2004 for RSBAC by doxygen 1.3.8