/linux-2.6.21.1-rsbac-1.3.4/include/rsbac/types.h

Go to the documentation of this file.
00001 /*********************************** */
00002 /* Rule Set Based Access Control     */
00003 /* Author and (c)1999-2007:          */
00004 /*   Amon Ott <ao@rsbac.org>         */
00005 /* API: Data types for attributes    */
00006 /*      and standard module calls    */
00007 /* Last modified: 19/Feb/2007        */
00008 /*********************************** */
00009 
00010 #ifndef __RSBAC_TYPES_H
00011 #define __RSBAC_TYPES_H
00012 
00013 /* trigger module dependency for EXPORT_SYMBOL */
00014 #ifdef CONFIG_MODULES
00015 #endif
00016 
00017 #define RSBAC_VERSION "1.3.4"
00018 #define RSBAC_VERSION_MAJOR 1
00019 #define RSBAC_VERSION_MID 3
00020 #define RSBAC_VERSION_MINOR 4
00021 #define RSBAC_VERSION_NR \
00022  ((RSBAC_VERSION_MAJOR << 16) | (RSBAC_VERSION_MID << 8) | RSBAC_VERSION_MINOR)
00023 #define RSBAC_VERSION_MAKE_NR(x,y,z) \
00024  ((x << 16) | (y << 8) | z)
00025 
00026 #ifdef __KERNEL__
00027 #include <linux/types.h>
00028 #else
00029 #include <asm/types.h>
00030 #include <sys/types.h>
00031 #endif
00032 
00033 typedef __u32 rsbac_version_t;
00034 typedef __u32 rsbac_uid_t;                   /* Same as user in Linux kernel */
00035 typedef __u32 rsbac_gid_t;                   /* Same as group in Linux kernel */
00036 typedef __u16 rsbac_old_uid_t;               /* Same as user in Linux kernel */
00037 typedef __u16 rsbac_old_gid_t;               /* Same as group in Linux kernel */
00038 typedef __u32 rsbac_time_t;                  /* Same as time_t in Linux kernel */
00039 typedef __u32 rsbac_cap_vector_t;            /* Same as kernel_cap_t in Linux kernel */
00040 
00041 typedef __u32 rsbac_list_ta_number_t;
00042 
00043 struct rsbac_nanotime_t
00044     {
00045       rsbac_time_t sec;
00046       __u32 nsec;
00047     };
00048 
00049 #ifdef __KERNEL__
00050 #include <linux/fs.h>
00051 #include <linux/socket.h>
00052 #include <linux/pipe_fs_i.h>
00053 #include <linux/kdev_t.h>
00054 
00055 /* version checks */
00056 #ifndef LINUX_VERSION_CODE
00057 #include <linux/version.h>
00058 #endif
00059 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,4,19)
00060 #error "RSBAC: unsupported kernel version"
00061 #endif
00062 
00063 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00064 #define RSBAC_MAJOR MAJOR
00065 #define RSBAC_MINOR MINOR
00066 #define RSBAC_MKDEV(major,minor) MKDEV(major,minor)
00067 static inline rsbac_time_t rsbac_current_time(void)
00068   {
00069     struct timespec ts = CURRENT_TIME;
00070     return ts.tv_sec;
00071   }
00072 static inline void rsbac_get_current_nanotime(struct rsbac_nanotime_t * nanotime)
00073   {
00074     struct timespec ts = CURRENT_TIME;
00075     nanotime->sec = ts.tv_sec;
00076     nanotime->nsec = ts.tv_nsec;
00077   }
00078 #ifndef kdev_t
00079 #define kdev_t dev_t
00080 #endif
00081 #define RSBAC_CURRENT_TIME (rsbac_current_time())
00082 #else
00083 #define RSBAC_MAJOR MAJOR
00084 #define RSBAC_MINOR MINOR
00085 #define RSBAC_MKDEV(major,minor) MKDEV(major,minor)
00086 #define RSBAC_CURRENT_TIME CURRENT_TIME
00087 #include <linux/sched.h>
00088 static inline void rsbac_get_current_nanotime(struct rsbac_nanotime_t * nanotime)
00089   {
00090     nanotime->sec = xtime.tv_sec;
00091     nanotime->nsec = xtime.tv_usec * 1000;
00092   }
00093 #endif
00094 
00095 #define RSBAC_ZERO_DEV RSBAC_MKDEV(0,0)
00096 #define RSBAC_AUTO_DEV RSBAC_MKDEV(99,99)
00097 #define RSBAC_IS_ZERO_DEV(kdev) (!RSBAC_MAJOR(kdev) && !RSBAC_MINOR(kdev))
00098 #define RSBAC_IS_AUTO_DEV(kdev) ((RSBAC_MAJOR(kdev) == 99) && (RSBAC_MINOR(kdev) == 99))
00099 
00100 #ifdef CONFIG_RSBAC_INIT_DELAY
00101 #define R_INIT
00102 #else
00103 #define R_INIT __init
00104 #endif
00105 
00106 #endif
00107 
00108 /* General */
00109 
00110 #ifndef NULL
00111 #define NULL ((void *) 0)
00112 #endif
00113 
00114 #define rsbac_min(a,b) (((a)<(b))?(a):(b))
00115 #define rsbac_max(a,b) (((a)>(b))?(a):(b))
00116 
00117 #define RSBAC_OLD_NO_USER 65533
00118 #define RSBAC_OLD_ALL_USERS 65532
00119 #define RSBAC_NO_USER ((rsbac_uid_t) -3)
00120 #define RSBAC_ALL_USERS ((rsbac_uid_t) -4)
00121 #define RSBAC_NO_GROUP ((rsbac_gid_t) -3)
00122 #define RSBAC_ALL_GROUPS ((rsbac_gid_t) -4)
00123 
00124 #ifndef FALSE
00125 #define FALSE 0
00126 #endif
00127 #ifndef TRUE
00128 #define TRUE 1
00129 #endif
00130 
00131 typedef u_int rsbac_boolean_t;
00132 
00133 typedef __u8 rsbac_boolean_int_t;
00134 
00135 #define RSBAC_IFNAMSIZ 16
00136 typedef u_char rsbac_netdev_id_t[RSBAC_IFNAMSIZ + 1];
00137 
00138 #define RSBAC_SEC_DEL_CHUNK_SIZE 65536
00139 
00140 /* Adjust these, if you have to, but if you do, adjust them all! */
00141 /* Note: no / allowed, file must be exactly in second level! */
00142 #define RSBAC_AUTH_LOGIN_PATH "/bin/login"
00143 #define RSBAC_AUTH_LOGIN_PATH_DIR "bin"
00144 #define RSBAC_AUTH_LOGIN_PATH_FILE "login"
00145 
00146 /* These data structures work parallel to the Linux data structures, */
00147 /* so all data for RSBAC decisions is maintained seperately.         */
00148 /* Any change to RSBAC data will NOT modify any other linux data,    */
00149 /* e.g. userlists, process lists or inodes.                          */
00150 
00151 /* Special generic lists time-to-live (ttl) value to keep old setting */
00152 #define RSBAC_LIST_TTL_KEEP ((rsbac_time_t) -1)
00153 
00154 typedef __u8 rsbac_enum_t; /* internally used for all enums */
00155 
00156 #define RSBAC_SYSADM_UID   0
00157 #define RSBAC_BIN_UID      1
00158 #ifdef CONFIG_RSBAC_SECOFF_UID
00159 #define RSBAC_SECOFF_UID   CONFIG_RSBAC_SECOFF_UID
00160 #else
00161 #define RSBAC_SECOFF_UID 400
00162 #endif
00163 #define RSBAC_DATAPROT_UID (RSBAC_SECOFF_UID+1)
00164 #define RSBAC_TPMAN_UID    (RSBAC_SECOFF_UID+2)
00165 #define RSBAC_AUDITOR_UID  (RSBAC_SECOFF_UID+4)
00166 
00167 typedef __u32 rsbac_pseudo_t;               /* For Pseudonymic Logging */
00168 typedef __u32 rsbac_pid_t;                   /* Same as pid in Linux  */
00169 
00170 typedef __u32 rsbac_ta_number_t;
00171 
00172 typedef __u8 rsbac_security_level_t;
00173 #define SL_max            252
00174 #define SL_min            0
00175 // #define SL_rsbac_internal 253
00176 #define SL_inherit        254
00177 #define SL_none           255
00178 enum    rsbac_old_security_level_t {SL_unclassified, SL_confidential, SL_secret,
00179                                     SL_top_secret, SL_old_rsbac_internal,
00180                                     SL_old_inherit, SL_old_none};
00181                                              /* MAC security levels   */
00182 typedef __u64 rsbac_mac_category_vector_t;   /* MAC category sets */
00183 #define RSBAC_MAC_GENERAL_CATEGORY 0
00184 #define RSBAC_MAC_DEF_CAT_VECTOR ((rsbac_mac_category_vector_t) 1)
00185   /* 1 << GENERAL_CAT */
00186 #define RSBAC_MAC_MAX_CAT_VECTOR ((rsbac_mac_category_vector_t) -1)
00187   /* all bits set */
00188 #define RSBAC_MAC_MIN_CAT_VECTOR ((rsbac_mac_category_vector_t) 0)
00189   /* no bits set */
00190 #define RSBAC_MAC_INHERIT_CAT_VECTOR ((rsbac_mac_category_vector_t) 0)
00191   /* for fd: no bits set */
00192 #define RSBAC_MAC_NR_CATS 64
00193 #define RSBAC_MAC_MAX_CAT 63
00194 
00195 #define RSBAC_MAC_CAT_VECTOR(x) ((rsbac_mac_category_vector_t) 1 << (x))
00196 
00197 typedef u_int rsbac_cwi_relation_id_t;
00198 
00199 /* For MAC, FF, AUTH */
00200 enum    rsbac_system_role_t {SR_user, SR_security_officer, SR_administrator,
00201                              SR_auditor, SR_none};
00202 typedef rsbac_enum_t rsbac_system_role_int_t;
00203 
00204 /* For all models */
00205 enum    rsbac_fake_root_uid_t {FR_off, FR_uid_only, FR_euid_only, FR_both,
00206                               FR_none};
00207 typedef rsbac_enum_t rsbac_fake_root_uid_int_t;
00208 
00209 enum    rsbac_scd_type_t {ST_time_strucs, ST_clock, ST_host_id,
00210                           ST_net_id, ST_ioports, ST_rlimit,
00211                           ST_swap, ST_syslog, ST_rsbac, ST_rsbac_log,
00212                           ST_other, ST_kmem, ST_network, ST_firewall,
00213                           ST_priority, ST_sysfs, ST_rsbac_remote_log,
00214                           ST_quota, ST_sysctl, ST_nfsd, ST_ksyms,
00215                           ST_mlock, ST_capability, ST_kexec, ST_none};
00216 
00217 typedef __u32 rsbac_scd_vector_t;
00218 #define RSBAC_SCD_VECTOR(x) ((rsbac_scd_vector_t) 1 << (x))
00219 
00220 enum    rsbac_dev_type_t {D_block, D_char, D_block_major, D_char_major, D_none};
00221 
00222 
00223 enum    rsbac_ipc_type_t {I_sem, I_msg, I_shm, I_anonpipe, I_mqueue,
00224                                 I_anonunix, I_none};
00225 union   rsbac_ipc_id_t
00226   {
00227     u_long id_nr;
00228   };
00229 
00230 typedef __u32 rsbac_inode_nr_t;
00231 
00232 enum    rsbac_linux_dac_disable_t {LDD_false, LDD_true, LDD_inherit, LDD_none};
00233 typedef rsbac_enum_t rsbac_linux_dac_disable_int_t;
00234 
00235 #ifdef __KERNEL__
00236 /* We need unique identifiers for each file/dir. inode means inode in */
00237 /* the file system.                                                   */
00238 struct rsbac_fs_file_t
00239     {
00240       kdev_t               device;
00241       rsbac_inode_nr_t     inode;
00242       struct dentry      * dentry_p;  /* used for inheritance recursion */
00243     };
00244 
00245 struct rsbac_dev_t
00246     {
00247       enum  rsbac_dev_type_t     type;
00248             kdev_t               id;
00249     };
00250 #endif /* __KERNEL */
00251 
00252 /* We need unique ids for dev objects */
00253 struct rsbac_dev_desc_t
00254     {
00255       __u32 type;
00256       __u32 major;
00257       __u32 minor;
00258     };
00259 
00260 static inline struct rsbac_dev_desc_t
00261   rsbac_mkdev_desc(__u32 type, __u32 major, __u32 minor)
00262   {
00263     struct rsbac_dev_desc_t dev_desc;
00264 
00265     dev_desc.type = type;
00266     dev_desc.major = major;
00267     dev_desc.minor = minor;
00268     return dev_desc;
00269   }
00270 
00271 #define RSBAC_ZERO_DEV_DESC rsbac_mkdev_desc(D_none, 0, 0)
00272 #define RSBAC_AUTO_DEV_DESC rsbac_mkdev_desc(D_none, 99, 99)
00273 #define RSBAC_IS_ZERO_DEV_DESC(dev) ((dev.type == D_none) && !dev.major && !dev.minor)
00274 #define RSBAC_IS_AUTO_DEV_DESC(dev) ((dev.type == D_none) && (dev.major == 99) && (dev.minor == 99))
00275 
00276 /* And we need unique ids for ipc objects */
00277 struct rsbac_ipc_t
00278     {
00279       enum  rsbac_ipc_type_t     type;
00280       union rsbac_ipc_id_t       id;
00281     };
00282 
00283 /* log levels: nothing, denied requests only, all, refer to request log level */
00284 enum    rsbac_log_level_t {LL_none, LL_denied, LL_full, LL_request, LL_invalid};
00285 typedef __u64 rsbac_log_array_t;
00286 
00287 /* request bitvectors */
00288 typedef __u64 rsbac_request_vector_t;
00289 #define RSBAC_REQUEST_VECTOR(x) ((rsbac_request_vector_t) 1 << (x))
00290 
00291 /* The max length of each filename is kept in a macro */
00292 #define RSBAC_MAXNAMELEN     256
00293 
00294 #define RSBAC_LIST_TA_MAX_PASSLEN 36
00295 
00296 /* MAC */
00297 
00298 typedef __u8 rsbac_mac_user_flags_t;
00299 typedef __u16 rsbac_mac_process_flags_t;
00300 typedef __u8 rsbac_mac_file_flags_t;
00301 typedef struct rsbac_fs_file_t rsbac_mac_file_t;
00302 #define RSBAC_MAC_MAX_MAXNUM 1000000
00303 
00304 #define MAC_override            1
00305 #define MAC_auto                2
00306 #define MAC_trusted             4
00307 #define MAC_write_up            8
00308 #define MAC_read_up             16
00309 #define MAC_write_down          32
00310 #define MAC_allow_auto          64
00311 #define MAC_prop_trusted        128
00312 #define MAC_program_auto        256
00313 
00314 #define RSBAC_MAC_U_FLAGS (MAC_override | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down | MAC_allow_auto)
00315 #define RSBAC_MAC_P_FLAGS (MAC_override | MAC_auto | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down | MAC_prop_trusted | MAC_program_auto)
00316 #define RSBAC_MAC_F_FLAGS (MAC_auto | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down)
00317 
00318 #define RSBAC_MAC_DEF_U_FLAGS 0
00319 #define RSBAC_MAC_DEF_SYSADM_U_FLAGS MAC_allow_auto
00320 #define RSBAC_MAC_DEF_SECOFF_U_FLAGS MAC_override
00321 
00322 #define RSBAC_MAC_DEF_P_FLAGS 0
00323 #define RSBAC_MAC_DEF_INIT_P_FLAGS MAC_auto
00324 
00325 typedef rsbac_enum_t rsbac_mac_auto_int_t;
00326 enum    rsbac_mac_auto_t {MA_no, MA_yes, MA_inherit};
00327 
00328 /* PM */
00329 
00330 #include <rsbac/pm_types.h>
00331 
00332 /* DAZ */
00333 typedef __u8 rsbac_daz_scanned_t;
00334 #define DAZ_unscanned 0
00335 #define DAZ_infected 1
00336 #define DAZ_clean 2
00337 #define DAZ_max 2
00338 #define DEFAULT_DAZ_FD_SCANNED DAZ_unscanned
00339 typedef __u8 rsbac_daz_scanner_t;
00340 typedef __u8 rsbac_daz_do_scan_t;
00341 #define DAZ_never 0
00342 #define DAZ_registered 1
00343 #define DAZ_always 2
00344 #define DAZ_inherit 3
00345 #define DAZ_max_do_scan 3
00346 #define DEFAULT_DAZ_FD_DO_SCAN DAZ_inherit
00347 #define DEFAULT_DAZ_FD_ROOT_DO_SCAN DAZ_registered
00348 
00349 /* FF */
00350 
00351 typedef __u16 rsbac_ff_flags_t;
00352 #define FF_read_only       1
00353 #define FF_execute_only    2
00354 #define FF_search_only     4
00355 #define FF_write_only      8
00356 #define FF_secure_delete  16
00357 #define FF_no_execute     32
00358 #define FF_no_delete_or_rename 64
00359 #define FF_append_only   256
00360 #define FF_no_mount      512
00361 #define FF_no_search     1024
00362 
00363 #define FF_add_inherited 128
00364 
00365 #define RSBAC_FF_DEF FF_add_inherited
00366 #define RSBAC_FF_ROOT_DEF 0
00367 
00368 /***** RC *****/
00369 
00370 #include <rsbac/rc_types.h>
00371 
00372 /**** AUTH ****/
00373 /* special cap value, replaced by process owner at execute time */
00374 #define RSBAC_AUTH_MAX_MAXNUM 1000000
00375 #define RSBAC_AUTH_OLD_OWNER_F_CAP (rsbac_old_uid_t) -3
00376 #define RSBAC_AUTH_OWNER_F_CAP ((rsbac_uid_t) -3)
00377 #define RSBAC_AUTH_DAC_OWNER_F_CAP ((rsbac_uid_t) -4)
00378 #define RSBAC_AUTH_MAX_RANGE_UID ((rsbac_uid_t) -10)
00379 #define RSBAC_AUTH_GROUP_F_CAP ((rsbac_gid_t) -3)
00380 #define RSBAC_AUTH_DAC_GROUP_F_CAP ((rsbac_gid_t) -4)
00381 #define RSBAC_AUTH_MAX_RANGE_GID ((rsbac_gid_t) -10)
00382 typedef struct rsbac_fs_file_t rsbac_auth_file_t;
00383 struct rsbac_auth_cap_range_t
00384   {
00385     rsbac_uid_t first;
00386     rsbac_uid_t last;
00387   };
00388 enum    rsbac_auth_cap_type_t {ACT_real, ACT_eff, ACT_fs, 
00389                                ACT_group_real, ACT_group_eff, ACT_group_fs,
00390                                ACT_none};
00391 typedef rsbac_enum_t rsbac_auth_cap_type_int_t;
00392 
00393 enum    rsbac_auth_may_setuid_t {AMS_off, AMS_full, AMS_last_auth_only, 
00394                                AMS_last_auth_and_gid, AMS_none};
00395 
00396 typedef rsbac_enum_t rsbac_auth_may_setuid_int_t;
00397 
00398 /**** ACL ****/
00399 /* include at end of types.h */
00400 
00401 /**** CAP ****/
00402 enum    rsbac_cap_process_hiding_t {PH_off, PH_from_other_users, PH_full,
00403                               PH_none};
00404 typedef rsbac_enum_t rsbac_cap_process_hiding_int_t;
00405 
00406 enum rsbac_cap_ld_env_t { LD_deny, LD_allow, LD_keep, LD_inherit };
00407 typedef rsbac_enum_t rsbac_cap_ld_env_int_t;
00408 
00409 #define RSBAC_CAP_DEFAULT_MIN ((rsbac_cap_vector_t) 0)
00410 #define RSBAC_CAP_DEFAULT_MAX ((rsbac_cap_vector_t) -1)
00411 
00412 #include <linux/capability.h>
00413 #define CAP_NONE 29
00414 #define RSBAC_CAP_MAX CAP_NONE
00415 
00416 /**** JAIL ****/
00417 
00418 #define RSBAC_JAIL_VERSION 1
00419 
00420 typedef __u32 rsbac_jail_id_t;
00421 #define RSBAC_JAIL_DEF_ID 0
00422 typedef __u32 rsbac_jail_ip_t;
00423 typedef __u32 rsbac_jail_scd_vector_t;
00424 
00425 typedef __u32 rsbac_jail_flags_t;
00426 #define JAIL_allow_external_ipc 1
00427 #define JAIL_allow_all_net_family 2
00428 #define JAIL_allow_inet_raw 8
00429 #define JAIL_auto_adjust_inet_any 16
00430 #define JAIL_allow_inet_localhost 32
00431 #define JAIL_allow_dev_get_status 128
00432 #define JAIL_allow_dev_mod_system 256
00433 #define JAIL_allow_dev_read 512
00434 #define JAIL_allow_dev_write 1024
00435 #define JAIL_allow_tty_open 2048
00436 #define JAIL_allow_parent_ipc 4096
00437 #define JAIL_allow_suid_files 8192
00438 #define JAIL_allow_mount 16384
00439 #define JAIL_this_is_syslog 32768
00440 #define JAIL_allow_ipc_to_syslog 65536
00441 
00442 #define RSBAC_JAIL_LOCALHOST ((1 << 24) | 127)
00443 
00444 /**** PAX ****/
00445 
00446 typedef unsigned long rsbac_pax_flags_t;
00447 
00448 /* for PaX defines */
00449 #ifdef __KERNEL__
00450 #include <linux/elf.h>
00451 #include <linux/random.h>
00452 #endif
00453 #ifndef PF_PAX_PAGEEXEC
00454 #define PF_PAX_PAGEEXEC 0x01000000      /* Paging based non-executable pages */
00455 #define PF_PAX_EMUTRAMP 0x02000000      /* Emulate trampolines */
00456 #define PF_PAX_MPROTECT 0x04000000      /* Restrict mprotect() */
00457 #define PF_PAX_RANDMMAP 0x08000000      /* Randomize mmap() base */
00458 #define PF_PAX_RANDEXEC 0x10000000      /* Randomize ET_EXEC base */
00459 #define PF_PAX_SEGMEXEC 0x20000000      /* Segmentation based non-executable pages */
00460 #endif
00461 
00462 #define RSBAC_PAX_DEF_FLAGS (PF_PAX_SEGMEXEC | PF_PAX_PAGEEXEC | PF_PAX_MPROTECT | PF_PAX_RANDMMAP)
00463 #define RSBAC_PAX_ALL_FLAGS ((rsbac_pax_flags_t) 255 << 24)
00464 
00465 /**** UM User management ****/
00466 /* Included from um_types.h */
00467 
00468 /**** RES ****/
00469 
00470 typedef __u32 rsbac_res_limit_t;
00471 #define RSBAC_RES_UNSET 0
00472 
00473 #define RSBAC_RES_MAX 10 /* RLIMIT_LOCKS in 2.4.x kernels */
00474 #define RSBAC_RES_NONE 11
00475 
00476 typedef rsbac_res_limit_t rsbac_res_array_t[RSBAC_RES_MAX + 1];
00477 
00478 /**** REG ****/
00479 typedef __s32 rsbac_reg_handle_t;
00480 
00481 
00482 /****************************************************************************/
00483 /* ADF types                                                                */
00484 /****************************************************************************/
00485 
00486 #include <rsbac/network_types.h>
00487 
00488 #ifdef __KERNEL__
00489     typedef struct socket * rsbac_net_obj_id_t;
00490 #else
00491     typedef void * rsbac_net_obj_id_t;
00492 #endif
00493 
00494 struct rsbac_net_obj_desc_t
00495   {
00496     rsbac_net_obj_id_t sock_p;
00497     void * local_addr;
00498     u_int  local_len;
00499     void * remote_addr;
00500     u_int  remote_len;
00501     rsbac_net_temp_id_t local_temp;
00502     rsbac_net_temp_id_t remote_temp;
00503   };
00504 
00505 #define RSBAC_ADF_REQUEST_ARRAY_VERSION 2
00506 
00507 enum  rsbac_adf_request_t {
00508                         R_ADD_TO_KERNEL,
00509                         R_ALTER,
00510                         R_APPEND_OPEN,
00511                         R_CHANGE_GROUP,
00512                         R_CHANGE_OWNER,
00513                         R_CHDIR,
00514                         R_CLONE,
00515                         R_CLOSE,
00516                         R_CREATE,
00517                         R_DELETE,
00518                         R_EXECUTE,
00519                         R_GET_PERMISSIONS_DATA,
00520                         R_GET_STATUS_DATA,
00521                         R_LINK_HARD,
00522                         R_MODIFY_ACCESS_DATA,
00523                         R_MODIFY_ATTRIBUTE,
00524                         R_MODIFY_PERMISSIONS_DATA,
00525                         R_MODIFY_SYSTEM_DATA,
00526                         R_MOUNT,
00527                         R_READ,
00528                         R_READ_ATTRIBUTE,
00529                         R_READ_WRITE_OPEN,
00530                         R_READ_OPEN,
00531                         R_REMOVE_FROM_KERNEL,
00532                         R_RENAME,
00533                         R_SEARCH,
00534                         R_SEND_SIGNAL,
00535                         R_SHUTDOWN,
00536                         R_SWITCH_LOG,
00537                         R_SWITCH_MODULE,
00538                         R_TERMINATE,
00539                         R_TRACE,
00540                         R_TRUNCATE,
00541                         R_UMOUNT,
00542                         R_WRITE,
00543                         R_WRITE_OPEN,
00544                         R_MAP_EXEC,
00545                         R_BIND,
00546                         R_LISTEN,
00547                         R_ACCEPT,
00548                         R_CONNECT,
00549                         R_SEND,
00550                         R_RECEIVE,
00551                         R_NET_SHUTDOWN,
00552                         R_CHANGE_DAC_EFF_OWNER,
00553                         R_CHANGE_DAC_FS_OWNER,
00554                         R_CHANGE_DAC_EFF_GROUP,
00555                         R_CHANGE_DAC_FS_GROUP,
00556                         R_IOCTL,
00557                         R_LOCK,
00558                         R_AUTHENTICATE,
00559                         R_NONE
00560                       };
00561 
00562 typedef rsbac_enum_t rsbac_adf_request_int_t;
00563 
00564 #include <rsbac/request_groups.h>
00565 
00566 /* This type is returned from the rsbac_adf_request() function. Since a */
00567 /* decision of undefined means an error, it is never returned.          */
00568 
00569 enum  rsbac_adf_req_ret_t {NOT_GRANTED,GRANTED,DO_NOT_CARE,UNDEFINED};
00570 
00571 /****************************************************************************/
00572 /* ACI types                                                                */
00573 /****************************************************************************/
00574 
00575 /* For switching adf-modules */
00576 enum  rsbac_switch_target_t {SW_GEN,SW_MAC,SW_PM,SW_DAZ,SW_FF,SW_RC,SW_AUTH,
00577                         SW_REG,SW_ACL,SW_CAP,SW_JAIL,SW_RES,SW_PAX,SW_SOFTMODE,
00578                         SW_DAC_DISABLE,SW_UM,SW_FREEZE,SW_NONE};
00579 #define RSBAC_MAX_MOD (SW_SOFTMODE - 1)
00580 typedef rsbac_enum_t rsbac_switch_target_int_t;
00581 
00582 /****************************************************************************/
00583 /* For objects, users and processes all manipulation is encapsulated by the */
00584 /* function calls rsbac_set_attr, rsbac_get_attr and rsbac_remove_target.   */
00585 
00586 /* For those, we declare some extra types to specify target and attribute.  */
00587 
00588 enum   rsbac_target_t {T_FILE, T_DIR, T_FIFO, T_SYMLINK, T_DEV, T_IPC, T_SCD, T_USER, T_PROCESS,
00589                        T_NETDEV, T_NETTEMP, T_NETOBJ, T_NETTEMP_NT, T_GROUP,
00590                        T_FD, T_UNIXSOCK,
00591                        T_NONE};
00592 
00593 union  rsbac_target_id_t
00594        {
00595 #ifdef __KERNEL__
00596           struct rsbac_fs_file_t    file;
00597           struct rsbac_fs_file_t    dir;
00598           struct rsbac_fs_file_t    fifo;
00599           struct rsbac_fs_file_t    symlink;
00600           struct rsbac_fs_file_t    unixsock;
00601 #endif
00602           struct rsbac_dev_desc_t   dev;
00603           struct rsbac_ipc_t        ipc;
00604           rsbac_enum_t              scd;
00605           rsbac_uid_t               user;
00606           rsbac_gid_t               group;
00607           rsbac_pid_t               process;
00608           rsbac_netdev_id_t         netdev;
00609           rsbac_net_temp_id_t       nettemp;
00610           struct rsbac_net_obj_desc_t netobj;
00611           int                       dummy;
00612        };
00613 
00614 #ifdef __KERNEL__
00615 typedef rsbac_enum_t rsbac_log_entry_t[T_NONE+1];
00616 typedef rsbac_enum_t rsbac_old_log_entry_t[T_NONE];
00617 
00618 struct rsbac_create_data_t
00619   {
00620     enum   rsbac_target_t   target;
00621     struct dentry         * dentry_p;
00622            int              mode;
00623            kdev_t           device; /* for mknod etc. */
00624   };
00625 #endif
00626 
00627 enum rsbac_attribute_t
00628   {
00629     A_pseudo,
00630     A_security_level,
00631     A_initial_security_level,
00632     A_local_sec_level,
00633     A_remote_sec_level,
00634     A_min_security_level,
00635     A_mac_categories,
00636     A_mac_initial_categories,
00637     A_local_mac_categories,
00638     A_remote_mac_categories,
00639     A_mac_min_categories,
00640     A_mac_user_flags,
00641     A_mac_process_flags,
00642     A_mac_file_flags,
00643     A_system_role,
00644     A_mac_role,
00645     A_daz_role,
00646     A_ff_role,
00647     A_auth_role,
00648     A_cap_role,
00649     A_jail_role,
00650     A_pax_role,
00651     A_current_sec_level,
00652     A_mac_curr_categories,
00653     A_min_write_open,
00654     A_min_write_categories,
00655     A_max_read_open,
00656     A_max_read_categories,
00657     A_mac_auto,
00658     A_mac_check,
00659     A_mac_prop_trusted,
00660     A_pm_role,
00661     A_pm_process_type,
00662     A_pm_current_task,
00663     A_pm_object_class,
00664     A_local_pm_object_class,
00665     A_remote_pm_object_class,
00666     A_pm_ipc_purpose,
00667     A_local_pm_ipc_purpose,
00668     A_remote_pm_ipc_purpose,
00669     A_pm_object_type,
00670     A_local_pm_object_type,
00671     A_remote_pm_object_type,
00672     A_pm_program_type,
00673     A_pm_tp,
00674     A_pm_task_set,
00675     A_daz_scanned,
00676     A_daz_scanner,
00677     A_ff_flags,
00678     A_rc_type,
00679     A_rc_select_type,
00680     A_local_rc_type,
00681     A_remote_rc_type,
00682     A_rc_type_fd,
00683     A_rc_type_nt,
00684     A_rc_force_role,
00685     A_rc_initial_role,
00686     A_rc_role,
00687     A_rc_def_role,
00688     A_auth_may_setuid,
00689     A_auth_may_set_cap,
00690     A_auth_learn,
00691     A_min_caps,
00692     A_max_caps,
00693     A_max_caps_user,
00694     A_max_caps_program,
00695     A_jail_id,
00696     A_jail_parent,
00697     A_jail_ip,
00698     A_jail_flags,
00699     A_jail_max_caps,
00700     A_jail_scd_get,
00701     A_jail_scd_modify,
00702     A_pax_flags,
00703     A_res_role,
00704     A_res_min,
00705     A_res_max,
00706     A_log_array_low,
00707     A_local_log_array_low,
00708     A_remote_log_array_low,
00709     A_log_array_high,
00710     A_local_log_array_high,
00711     A_remote_log_array_high,
00712     A_log_program_based,
00713     A_log_user_based,
00714     A_symlink_add_remote_ip,
00715     A_symlink_add_uid,
00716     A_symlink_add_mac_level,
00717     A_symlink_add_rc_role,
00718     A_linux_dac_disable,
00719     A_cap_process_hiding,
00720     A_fake_root_uid,
00721     A_audit_uid,
00722     A_auid_exempt,
00723     A_auth_last_auth,
00724     A_remote_ip,
00725     A_cap_ld_env,
00726     A_daz_do_scan,
00727 #ifdef __KERNEL__
00728     /* adf-request helpers */
00729     A_owner,
00730     A_group,
00731     A_signal,
00732     A_mode,
00733     A_nlink,
00734     A_switch_target,
00735     A_mod_name,
00736     A_request,
00737     A_trace_request,
00738     A_auth_add_f_cap,
00739     A_auth_remove_f_cap,
00740     A_auth_get_caplist,
00741     A_prot_bits,
00742     A_internal,
00743     /* used with CREATE on DIR */
00744     A_create_data,
00745     A_new_object,
00746     A_rlimit,
00747     A_new_dir_dentry_p,
00748     A_auth_program_file,
00749     A_auth_start_uid,
00750     A_auth_start_euid,
00751     A_auth_start_gid,
00752     A_auth_start_egid,
00753     A_acl_learn,
00754     A_priority,
00755     A_pgid,
00756     A_kernel_thread,
00757     A_open_flag,
00758     A_reboot_cmd,
00759     A_setsockopt_level,
00760     A_ioctl_cmd,
00761     A_f_mode,
00762     A_process,
00763     A_sock_type,
00764 #endif
00765     A_none};
00766 
00767 union rsbac_attribute_value_t
00768   {
00769          rsbac_uid_t                 owner;           /* process owner */
00770          rsbac_pseudo_t              pseudo;
00771          rsbac_system_role_int_t     system_role;
00772 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_MAC)
00773          rsbac_security_level_t      security_level;
00774          rsbac_mac_category_vector_t mac_categories;
00775          rsbac_security_level_t      current_sec_level;
00776          rsbac_security_level_t      min_write_open;
00777          rsbac_security_level_t      max_read_open;
00778          rsbac_mac_user_flags_t      mac_user_flags;
00779          rsbac_mac_process_flags_t   mac_process_flags;
00780          rsbac_mac_file_flags_t      mac_file_flags;
00781          rsbac_mac_auto_int_t        mac_auto;
00782          rsbac_boolean_t             mac_check;
00783          rsbac_boolean_t             mac_prop_trusted;
00784 #endif
00785 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_PM)
00786          rsbac_pm_role_int_t         pm_role;
00787          rsbac_pm_process_type_int_t pm_process_type;
00788          rsbac_pm_task_id_t          pm_current_task;
00789          rsbac_pm_object_class_id_t  pm_object_class;
00790          rsbac_pm_purpose_id_t       pm_ipc_purpose;
00791          rsbac_pm_object_type_int_t  pm_object_type;
00792          rsbac_pm_program_type_int_t pm_program_type;
00793          rsbac_pm_tp_id_t            pm_tp;
00794          rsbac_pm_task_set_id_t      pm_task_set;
00795 #endif
00796 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_DAZ)
00797          rsbac_daz_scanned_t         daz_scanned;
00798          rsbac_daz_scanner_t         daz_scanner;
00799          rsbac_daz_do_scan_t         daz_do_scan;
00800 #endif
00801 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_FF)
00802          rsbac_ff_flags_t            ff_flags;
00803 #endif
00804 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RC)
00805          rsbac_rc_type_id_t          rc_type;
00806          rsbac_rc_type_id_t          rc_type_fd;
00807          rsbac_rc_role_id_t          rc_force_role;
00808          rsbac_rc_role_id_t          rc_initial_role;
00809          rsbac_rc_role_id_t          rc_role;
00810          rsbac_rc_role_id_t          rc_def_role;
00811          rsbac_rc_type_id_t          rc_select_type;
00812 #endif
00813 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_AUTH)
00814          rsbac_auth_may_setuid_int_t auth_may_setuid;
00815          rsbac_boolean_t             auth_may_set_cap;
00816          rsbac_pid_t                 auth_p_capset;
00817          rsbac_inode_nr_t            auth_f_capset;
00818          rsbac_boolean_t             auth_learn;
00819          rsbac_uid_t                 auth_last_auth;
00820 #endif
00821 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_CAP)
00822          rsbac_cap_vector_t          min_caps;
00823          rsbac_cap_vector_t          max_caps;
00824          rsbac_cap_vector_t          max_caps_user;
00825          rsbac_cap_vector_t          max_caps_program;
00826          rsbac_cap_process_hiding_int_t cap_process_hiding;
00827          rsbac_cap_ld_env_int_t      cap_ld_env;
00828 #endif
00829 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_JAIL)
00830          rsbac_jail_id_t             jail_id;
00831          rsbac_jail_id_t             jail_parent;
00832          rsbac_jail_ip_t             jail_ip;
00833          rsbac_jail_flags_t          jail_flags;
00834          rsbac_jail_scd_vector_t     jail_scd_get;
00835          rsbac_jail_scd_vector_t     jail_scd_modify;
00836          rsbac_cap_vector_t          jail_max_caps;
00837 #endif
00838 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_PAX)
00839          rsbac_pax_flags_t           pax_flags;
00840 #endif
00841 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RES)
00842          rsbac_res_array_t           res_array;
00843 #endif
00844          rsbac_log_array_t           log_array_low;
00845          rsbac_log_array_t           log_array_high;
00846          rsbac_request_vector_t      log_program_based;
00847          rsbac_request_vector_t      log_user_based;
00848          rsbac_enum_t                symlink_add_remote_ip;
00849          rsbac_boolean_t             symlink_add_uid;
00850          rsbac_boolean_t             symlink_add_mac_level;
00851          rsbac_boolean_t             symlink_add_rc_role;
00852          rsbac_linux_dac_disable_int_t linux_dac_disable;
00853 //         rsbac_net_temp_id_t         net_temp;
00854          rsbac_fake_root_uid_int_t   fake_root_uid;
00855          rsbac_uid_t                 audit_uid;
00856          rsbac_uid_t                 auid_exempt;
00857          __u32                       remote_ip;
00858 #ifdef __KERNEL__
00859          rsbac_gid_t                 group;        /* process/fd group */
00860     struct sockaddr                * sockaddr_p; /* socket address */
00861          long                        signal;        /* signal for kill */
00862          int                         mode;    /* mode for create/mount */
00863          int                         nlink;       /* for DELETE/unlink */
00864     enum rsbac_switch_target_t       switch_target; /* for SWITCH_MODULE */
00865          char                      * mod_name;    /* for ADD_TO_KERNEL */
00866     enum rsbac_adf_request_t         request;        /* for SWITCH_LOG */
00867          long                        trace_request; /* request for sys_trace */
00868     struct rsbac_auth_cap_range_t    auth_cap_range;
00869          int                         prot_bits;/* prot bits for mmap()/mprotect() */
00870          rsbac_boolean_t             internal;
00871     /* used with CREATE on DIR */
00872     struct rsbac_create_data_t       create_data;
00873     /* newly created object in OPEN requests? */
00874          rsbac_boolean_t             new_object;
00875          u_int                       rlimit;
00876          struct dentry             * new_dir_dentry_p;
00877          struct rsbac_fs_file_t      auth_program_file; /* for learning mode */
00878          rsbac_uid_t                 auth_start_uid;
00879          rsbac_uid_t                 auth_start_euid;
00880          rsbac_gid_t                 auth_start_gid;
00881          rsbac_gid_t                 auth_start_egid;
00882          rsbac_boolean_t             acl_learn;
00883          int                         priority;
00884          rsbac_pid_t                 pgid;
00885          rsbac_boolean_t             kernel_thread;
00886          u_int                       open_flag;
00887          u_int                       reboot_cmd;
00888          int                         setsockopt_level;
00889          u_int                       ioctl_cmd;
00890          mode_t                      f_mode;
00891          rsbac_pid_t                 process;
00892          short                       sock_type;
00893 #endif
00894          u_char                      u_char_dummy;
00895          u_short                     u_short_dummy;
00896          int                         dummy;
00897          u_int                       u_dummy;
00898          long                        long_dummy;
00899          u_long                      u_long_dummy;
00900        };
00901 
00902 /* List all values possibly used in FD Cache to find data size */
00903 
00904 #ifdef CONFIG_RSBAC_FD_CACHE
00905 union rsbac_attribute_value_cache_t
00906   {
00907          rsbac_uid_t                 owner;           /* process owner */
00908          rsbac_pseudo_t              pseudo;
00909          rsbac_system_role_int_t     system_role;
00910 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_MAC)
00911          rsbac_security_level_t      security_level;
00912          rsbac_mac_category_vector_t mac_categories;
00913          rsbac_security_level_t      current_sec_level;
00914          rsbac_security_level_t      min_write_open;
00915          rsbac_security_level_t      max_read_open;
00916          rsbac_mac_user_flags_t      mac_user_flags;
00917          rsbac_mac_process_flags_t   mac_process_flags;
00918          rsbac_mac_file_flags_t      mac_file_flags;
00919          rsbac_mac_auto_int_t        mac_auto;
00920          rsbac_boolean_t             mac_check;
00921          rsbac_boolean_t             mac_prop_trusted;
00922 #endif
00923 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_DAZ)
00924          rsbac_daz_scanned_t         daz_scanned;
00925          rsbac_daz_scanner_t         daz_scanner;
00926          rsbac_daz_do_scan_t         daz_do_scan;
00927 #endif
00928 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_FF)
00929          rsbac_ff_flags_t            ff_flags;
00930 #endif
00931 #if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RC)
00932          rsbac_rc_type_id_t          rc_type;
00933          rsbac_rc_type_id_t          rc_type_fd;
00934          rsbac_rc_role_id_t          rc_force_role;
00935          rsbac_rc_role_id_t          rc_initial_role;
00936          rsbac_rc_role_id_t          rc_role;
00937          rsbac_rc_role_id_t          rc_def_role;
00938          rsbac_rc_type_id_t          rc_select_type;
00939 #endif
00940          rsbac_log_array_t           log_array_low;
00941          rsbac_log_array_t           log_array_high;
00942          rsbac_request_vector_t      log_program_based;
00943          rsbac_request_vector_t      log_user_based;
00944          rsbac_enum_t                symlink_add_remote_ip;
00945          rsbac_boolean_t             symlink_add_uid;
00946          rsbac_boolean_t             symlink_add_mac_level;
00947          rsbac_boolean_t             symlink_add_rc_role;
00948          rsbac_linux_dac_disable_int_t linux_dac_disable;
00949 //         rsbac_net_temp_id_t         net_temp;
00950          rsbac_fake_root_uid_int_t   fake_root_uid;
00951          rsbac_uid_t                 audit_uid;
00952          rsbac_uid_t                 auid_exempt;
00953          __u32                       remote_ip;
00954          u_char                      u_char_dummy;
00955          u_short                     u_short_dummy;
00956          int                         dummy;
00957          u_int                       u_dummy;
00958          long                        long_dummy;
00959          u_long                      u_long_dummy;
00960        };
00961 #endif
00962 
00963 /**** ACL + UM ****/
00964 
00965 #include <rsbac/acl_types.h>
00966 #include <rsbac/um_types.h>
00967 
00968 #endif

Generated on Wed May 16 11:53:28 2007 for RSBAC by  doxygen 1.5.1