/linux-2.6.21.1-rsbac-1.3.4/include/rsbac/rc_types.h

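/************************************ */
/* Rule Set Based Access Control      */
/* Author and (c) 1999-2005: Amon Ott */
/* API: Data types for                */
/*    Role Compatibility Module       */
/* Last modified: 21/Dec/2005         */
/************************************ */

#ifndef __RSBAC_RC_TYPES_H
#define __RSBAC_RC_TYPES_H

#include <linux/types.h>

/*
 * NOTE(review): this header is not self-contained.  rsbac_request_vector_t,
 * rsbac_boolean_t, RSBAC_REQUEST_VECTOR(), the RSBAC_*_REQUEST_VECTOR masks
 * and the R_* request enumerators used below are not declared here; they
 * have to come from the RSBAC core types header, included before this one.
 */

/***** RC *****/

/*
 * Predefined role and type ids.  0..3 are the built-in roles and 0..2 the
 * built-in types; RSBAC_RC_BOOT_ROLE and RSBAC_RC_KERNEL_P_TYPE use a large
 * reserved id instead of one of the out-of-band sentinel encodings defined
 * further below (RC_role_* / RC_type_*).
 */
#define RSBAC_RC_GENERAL_ROLE 0
#define RSBAC_RC_ROLE_ADMIN_ROLE 1
#define RSBAC_RC_SYSTEM_ADMIN_ROLE 2
#define RSBAC_RC_AUDITOR_ROLE 3
#define RSBAC_RC_BOOT_ROLE 999999
#define RSBAC_RC_GENERAL_TYPE 0
#define RSBAC_RC_SEC_TYPE 1
#define RSBAC_RC_SYS_TYPE 2
#define RSBAC_RC_KERNEL_P_TYPE 999999

/*
 * Size of the name[] buffer in union rsbac_rc_item_value_t.  A name that is
 * copied in from user space has to be bounded to this size and terminated
 * by the caller; nothing in this header enforces that.
 */
#define RSBAC_RC_NAME_LEN 16
/* Every request bit set.  rsbac_rc_request_vector_t is typedef'd further
 * down; that is fine because the macro is only expanded at use sites. */
#define RSBAC_RC_ALL_REQUESTS ((rsbac_rc_request_vector_t) -1)

/* Bit position of the first RC-specific right inside a rights vector.  The
 * OLD_ value is the previous layout and is not referenced in this header. */
#define RSBAC_RC_OLD_SPECIAL_RIGHT_BASE 48
#define RSBAC_RC_SPECIAL_RIGHT_BASE 56

/*
 * RC-specific rights.  They occupy bits 56..62 of the 64-bit rights vector;
 * the lower bits are the generic request bits.  RCR_NONE (63) is the end
 * marker, not a right, and is deliberately left out of
 * RSBAC_RC_SPECIAL_RIGHTS_VECTOR.
 */
enum rsbac_rc_special_rights_t {
        RCR_ADMIN = RSBAC_RC_SPECIAL_RIGHT_BASE,
        RCR_ASSIGN,
        RCR_ACCESS_CONTROL,
        RCR_SUPERVISOR,
        RCR_MODIFY_AUTH,
        RCR_CHANGE_AUTHED_OWNER,
        RCR_SELECT,
        RCR_NONE
};

typedef __u64 rsbac_rc_rights_vector_t;

/* backwards compatibility only! */
typedef __u64 rsbac_rc_role_vector_t;

/*
 * Single-bit vectors.  x must be below 64: shifting a 64-bit value by 64 or
 * more is undefined behaviour, so a right or role number that originates
 * from user space has to be range-checked (e.g. against RCR_NONE) before it
 * is used here.
 * NOTE(review): RSBAC_RC_TYPE_VECTOR casts to rsbac_rc_type_vector_t, which
 * this header does not define; it looks unused - confirm before relying on it.
 */
#define RSBAC_RC_RIGHTS_VECTOR(x) ((rsbac_rc_rights_vector_t) 1 << (x))
#define RSBAC_RC_ROLE_VECTOR(x) ((rsbac_rc_role_vector_t) 1 << (x))
#define RSBAC_RC_TYPE_VECTOR(x) ((rsbac_rc_type_vector_t) 1 << (x))

/* Mask of all RC-specific rights (RCR_NONE excluded). */
#define RSBAC_RC_SPECIAL_RIGHTS_VECTOR (\
  RSBAC_RC_RIGHTS_VECTOR(RCR_ADMIN) | \
  RSBAC_RC_RIGHTS_VECTOR(RCR_ASSIGN) | \
  RSBAC_RC_RIGHTS_VECTOR(RCR_ACCESS_CONTROL) | \
  RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR) | \
  RSBAC_RC_RIGHTS_VECTOR(RCR_MODIFY_AUTH) | \
  RSBAC_RC_RIGHTS_VECTOR(RCR_CHANGE_AUTHED_OWNER) | \
  RSBAC_RC_RIGHTS_VECTOR(RCR_SELECT) \
  )

/* Mask holding only the RCR_SUPERVISOR bit (no trailing '|' - the
 * expression must stay a valid operand on its own). */
#define RSBAC_RC_SUPERVISOR_RIGHT_VECTOR (\
    RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR) \
  )

/* Generic request bits plus the RC-specific rights. */
#define RSBAC_RC_ALL_RIGHTS_VECTOR (RSBAC_ALL_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR)

/* Rights that apply to process targets: the generic process requests plus
 * the four socket-related requests. */
#define RSBAC_RC_PROCESS_RIGHTS_VECTOR (RSBAC_PROCESS_REQUEST_VECTOR | \
  RSBAC_RC_RIGHTS_VECTOR(R_CONNECT) | \
  RSBAC_RC_RIGHTS_VECTOR(R_ACCEPT) | \
  RSBAC_RC_RIGHTS_VECTOR(R_SEND) | \
  RSBAC_RC_RIGHTS_VECTOR(R_RECEIVE) \
)

/* Empty rights vector. */
#define RSBAC_RC_DEFAULT_RIGHTS_VECTOR 0

#define RSBAC_RC_GEN_RIGHTS_VECTOR RSBAC_RC_DEFAULT_RIGHTS_VECTOR

/* Role and type ids are unsigned 32-bit; the top of the range is reserved
 * for the RC_role_* / RC_type_* sentinels below. */
typedef __u32 rsbac_rc_role_id_t;
typedef __u32 rsbac_rc_type_id_t;
typedef rsbac_request_vector_t rsbac_rc_request_vector_t;

/* Administrative flavour of a role; RC_none is the end marker. */
enum rsbac_rc_admin_type_t {
        RC_no_admin,
        RC_role_admin,
        RC_system_admin,
        RC_none
};

/*
 * System Control Types, including general SCD types
 * (start at 32 to allow future SCD types, max is 63)
 */
#define RST_min 32
enum rsbac_rc_scd_type_t {
        RST_auth_administration = RST_min,
        RST_none
};

/*
 * Default SCD (system control data) compatibility tables for the built-in
 * roles: one rights vector per SCD type index, in this order:
 *   0 = ST_time_structs, 1 = ST_clock, 2 = ST_host_id, 3 = ST_net_id,
 *   4 = ST_ioports, 5 = ST_rlimit, 6 = ST_swap, 7 = ST_syslog,
 *   8 = ST_rsbac, 9 = ST_rsbac_log, 10 = ST_other, 11 = ST_kmem,
 *   12 = ST_network, 13 = ST_firewall, 14 = ST_priority (labelled ST_nice in
 *   the role-admin table), 15 = ST_none, 32 = RST_auth_administration,
 *   33 = RST_none.
 * The index order is presumably fixed by the ST_* enum in the core types
 * header - keep these comments in sync with it.  A shorter initializer
 * leaves the remaining entries zero, i.e. without rights.  Every bit set
 * here is granted to every holder of that role, so additions widen what the
 * built-in roles may do with system control data.
 */

/* what should always be there to keep system functional */
#ifdef CONFIG_RSBAC_USER_MOD_IOPERM
/* With user-modifiable ioperm the general role additionally gets
 * MODIFY_PERMISSIONS_DATA on ST_ioports. */
#define RSBAC_RC_GENERAL_COMP_SCD { \
         /* 0 = ST_time_structs */  0, \
         /* ST_clock */             0, \
         /* ST_host_id */           0, \
         /* ST_net_id */            0, \
         /* ST_ioports */ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA), \
         /* ST_rlimit */ RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \
         /* ST_swap */              0, \
         /* ST_syslog */            0, \
         /* ST_rsbac */             0, \
         /* ST_rsbac_log */         0, \
         /* ST_other */             ( \
                                       ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
                                    ), \
         /* ST_kmem */              0, \
         /* ST_network */           ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \
         /* ST_firewall */          0, \
         /* ST_priority */          0, \
         /* 15 = ST_none */         0 \
          }
#else
#define RSBAC_RC_GENERAL_COMP_SCD { \
         /* 0 = ST_time_structs */  0, \
         /* ST_clock */             0, \
         /* ST_host_id */           0, \
         /* ST_net_id */            0, \
         /* ST_ioports */           0, \
         /* ST_rlimit */ RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \
         /* ST_swap */              0, \
         /* ST_syslog */            0, \
         /* ST_rsbac */             0, \
         /* ST_rsbac_log */         0, \
         /* ST_other */             ( \
                                       ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
                                    ), \
         /* ST_kmem */              0, \
         /* ST_network */           ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \
         /* ST_firewall */          0, \
         /* ST_priority */          0, \
         /* 15 = ST_none */         0 \
          }
#endif

/* Role-admin role: administers RSBAC's own data and the auth
 * administration SCD, each together with the RC-specific rights. */
#define RSBAC_RC_ROLEADM_COMP_SCD { \
         /* 0 = ST_time_structs */  0, \
         /* ST_clock */             0, \
         /* ST_host_id */           0, \
         /* ST_net_id */            0, \
         /* ST_ioports */           0, \
         /* ST_rlimit */            RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
         /* ST_swap */              0, \
         /* ST_syslog */            0, \
         /* ST_rsbac */             RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
         /* ST_rsbac_log */         RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
         /* ST_other */             ( \
                                       ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
                                     | ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \
                                     | ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) \
                                     | ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) \
                                     | ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) \
                                    ) | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
         /* ST_kmem */              0, \
         /* ST_network */           ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
         /* ST_firewall */          ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
         /* 14 = ST_nice (ST_priority in the other tables) */ 0, \
         /* 15 = ST_none */         0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
         /* 20 */                   0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
         /* 30 */                   0, \
                                    0, \
         /* 32 = RST_auth_admin */  RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
         /* 33 = RST_none */        0 \
          }

/* System-admin role: the generic SCD requests restricted to the system
 * request set on most SCD types, explicit kernel/mount/shutdown requests on
 * ST_other, and nothing on the RSBAC log or the auth administration SCD. */
#define RSBAC_RC_SYSADM_COMP_SCD { \
         /* 0 = ST_time_structs */  RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
         /* ST_clock */             RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
         /* ST_host_id */           RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
         /* ST_net_id */            RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
         /* ST_ioports */           RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
         /* ST_rlimit */            RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
         /* ST_swap */              RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
         /* ST_syslog */            RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
         /* ST_rsbac */             RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
         /* ST_rsbac_log */         0, \
         /* ST_other */             ( \
                                       ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) \
                                     | ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \
                                     | ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
                                     | ((rsbac_request_vector_t) 1 << R_MOUNT) \
                                     | ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) \
                                     | ((rsbac_request_vector_t) 1 << R_UMOUNT) \
                                     | ((rsbac_request_vector_t) 1 << R_SHUTDOWN) \
                                    ), \
         /* ST_kmem */              RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
         /* ST_network */           RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
         /* ST_firewall */          RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
         /* ST_priority */          RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
         /* 15 = ST_none */         0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
         /* 20 */                   0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
                                    0, \
         /* 30 */                   0, \
                                    0, \
         /* 32 = RST_auth_admin */  0, \
         /* 33 = RST_none */        0 \
          }

/* Auditor role: the general role's defaults plus read/modify access to the
 * RSBAC log (ST_rsbac_log). */
#ifdef CONFIG_RSBAC_USER_MOD_IOPERM
#define RSBAC_RC_AUDITOR_COMP_SCD { \
         /* 0 = ST_time_structs */  0, \
         /* ST_clock */             0, \
         /* ST_host_id */           0, \
         /* ST_net_id */            0, \
         /* ST_ioports */ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA), \
         /* ST_rlimit */  RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \
         /* ST_swap */              0, \
         /* ST_syslog */            0, \
         /* ST_rsbac */             0, \
         /* ST_rsbac_log */         ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA), \
         /* ST_other */             ( \
                                       ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
                                    ), \
         /* ST_kmem */              0, \
         /* ST_network */           ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \
         /* ST_firewall */          0, \
         /* ST_priority */          0, \
         /* 15 = ST_none */         0 \
          }
#else
#define RSBAC_RC_AUDITOR_COMP_SCD { \
         /* 0 = ST_time_structs */  0, \
         /* ST_clock */             0, \
         /* ST_host_id */           0, \
         /* ST_net_id */            0, \
         /* ST_ioports */           0, \
         /* ST_rlimit */  RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \
         /* ST_swap */              0, \
         /* ST_syslog */            0, \
         /* ST_rsbac */             0, \
         /* ST_rsbac_log */         ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA), \
         /* ST_other */             ( \
                                       ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
                                    ), \
         /* ST_kmem */              0, \
         /* ST_network */           ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \
         /* ST_firewall */          0, \
         /* ST_priority */          0, \
         /* 15 = ST_none */         0 \
          }
#endif


/*
 * Special type ids, encoded at the top of the unsigned 32-bit range by
 * casting small negative values: RC_type_inherit_process is 0xFFFFFFFF,
 * down to RC_type_min_special (= RC_type_use_fd) at 0xFFFFFFF9.
 * RC_type_max_value (0xFFFFFFE0) is the largest ordinary type id; ids
 * between it and RC_type_min_special are unassigned.  Code that uses a type
 * id as an array index must first check id <= RC_type_max_value - the
 * sentinels, and anything a user passes in above that bound, must never
 * reach an index.
 */
#define RC_type_inherit_process ((rsbac_rc_type_id_t) -1)
#define RC_type_inherit_parent ((rsbac_rc_type_id_t) -2)
#define RC_type_no_create ((rsbac_rc_type_id_t) -3)
#define RC_type_no_execute ((rsbac_rc_type_id_t) -4)
#define RC_type_use_new_role_def_create ((rsbac_rc_type_id_t) -5)       /* for process chown (setuid) */
#define RC_type_no_chown ((rsbac_rc_type_id_t) -6)
#define RC_type_use_fd ((rsbac_rc_type_id_t) -7)
#define RC_type_min_special ((rsbac_rc_type_id_t) -7)
#define RC_type_max_value ((rsbac_rc_type_id_t) -32)

/*
 * Special role ids, same encoding: RC_role_inherit_user is 0xFFFFFFFF,
 * RC_role_min_special (= RC_role_use_force_role) 0xFFFFFFFB, and
 * RC_role_max_value (0xFFFFFFE0) is the largest ordinary role id.  The same
 * bound check as for type ids applies before indexing.
 */
#define RC_role_inherit_user ((rsbac_rc_role_id_t) -1)
#define RC_role_inherit_process ((rsbac_rc_role_id_t) -2)
#define RC_role_inherit_parent ((rsbac_rc_role_id_t) -3)
#define RC_role_inherit_up_mixed ((rsbac_rc_role_id_t) -4)
#define RC_role_use_force_role ((rsbac_rc_role_id_t) -5)
#define RC_role_min_special ((rsbac_rc_role_id_t) -5)
#define RC_role_max_value ((rsbac_rc_role_id_t) -32)

/* Default sentinel chosen for an object without an explicit role setting
 * (presumably applied when no attribute is stored - confirm in the
 * data-structure code). */
#define RC_default_force_role RC_role_inherit_parent
#define RC_default_root_dir_force_role RC_role_inherit_up_mixed
#define RC_default_init_force_role RC_role_inherit_user
#define RC_default_initial_role RC_role_inherit_parent
#define RC_default_root_dir_initial_role RC_role_use_force_role

/****************************************************************************/
/* RC ACI types                                                             */
/****************************************************************************/

/* What an RC ACI call addresses: a role or a type; RT_NONE is the end marker. */
enum rsbac_rc_target_t { RT_ROLE, RT_TYPE, RT_NONE };

/* Id of the addressed target; which member is valid follows from the
 * enum rsbac_rc_target_t that accompanies it. */
union rsbac_rc_target_id_t {
        rsbac_rc_role_id_t role;
        rsbac_rc_type_id_t type;
};

/*
 * Attributes (items) of a role or type that the RC ACI can read or write.
 * The RI_type_*_name items carry a name[] value, the RI_*_remove items
 * delete the addressed entry, and RI_none is the end marker.  The empty
 * #ifdef __KERNEL__ block is a leftover with no kernel-only items.
 */
enum rsbac_rc_item_t {
        RI_role_comp,
        RI_admin_roles,
        RI_assign_roles,
        RI_type_comp_fd,
        RI_type_comp_dev,
        RI_type_comp_user,
        RI_type_comp_process,
        RI_type_comp_ipc,
        RI_type_comp_scd,
        RI_type_comp_group,
        RI_type_comp_netdev,
        RI_type_comp_nettemp,
        RI_type_comp_netobj,
        RI_admin_type,
        RI_name,
        RI_def_fd_create_type,
        RI_def_fd_ind_create_type,
        RI_def_user_create_type,
        RI_def_process_create_type,
        RI_def_process_chown_type,
        RI_def_process_execute_type,
        RI_def_ipc_create_type,
        RI_def_group_create_type,
        RI_def_unixsock_create_type,
        RI_boot_role,
        RI_req_reauth,
        RI_type_fd_name,
        RI_type_dev_name,
        RI_type_ipc_name,
        RI_type_user_name,
        RI_type_process_name,
        RI_type_group_name,
        RI_type_netdev_name,
        RI_type_nettemp_name,
        RI_type_netobj_name,
        RI_type_fd_need_secdel,
        RI_type_scd_name,       /* Pseudo, using get_rc_scd_name() */
        RI_remove_role,
        RI_def_fd_ind_create_type_remove,
        RI_type_fd_remove,
        RI_type_dev_remove,
        RI_type_ipc_remove,
        RI_type_user_remove,
        RI_type_process_remove,
        RI_type_group_remove,
        RI_type_netdev_remove,
        RI_type_nettemp_remove,
        RI_type_netobj_remove,
#ifdef __KERNEL__
#endif
        RI_none
};

/*
 * Value of an RI_* item; the valid member is determined by the item.
 * name is a fixed RSBAC_RC_NAME_LEN-byte buffer, so writers must bound and
 * terminate it and readers must not assume a terminator.  The *_dummy
 * members only pad the union (presumably to pin its size across the
 * user/kernel boundary - confirm); the empty #ifdef __KERNEL__ block is a
 * leftover.
 */
union rsbac_rc_item_value_t {
        rsbac_rc_rights_vector_t rights;
        enum rsbac_rc_admin_type_t admin_type;
        char name[RSBAC_RC_NAME_LEN];
        rsbac_rc_role_id_t role_id;
        rsbac_rc_type_id_t type_id;
        rsbac_boolean_t need_secdel;
        rsbac_boolean_t comp;
        rsbac_boolean_t boot_role;
        rsbac_boolean_t req_reauth;
#ifdef __KERNEL__
#endif
        u_char u_char_dummy;
        int dummy;
        u_int u_dummy;
        long long_dummy;
        long long long_long_dummy;
};

#endif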
