/*
 * Include guard. NOTE(review): identifiers beginning with two
 * underscores are reserved for the C implementation (C11 7.1.3); a
 * project-prefixed name such as RSBAC_TYPES_H would avoid that. Left
 * unchanged here because other files may test this macro.
 */
#ifndef __RSBAC_TYPES_H
#define __RSBAC_TYPES_H


/* Empty conditional: it has no effect in either configuration. */
#ifdef CONFIG_MODULES
#endif
00016
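/*
 * Version identity of this header. RSBAC_VERSION_NR packs the three
 * components as (major << 16 | mid << 8 | minor), so version numbers
 * compare numerically. RSBAC_VERSION_MAKE_NR builds the same packing
 * from arbitrary expressions; each argument is parenthesised so that
 * RSBAC_VERSION_MAKE_NR(a|b, 3, 4) shifts (a|b) rather than b alone
 * (the previous form applied << to an unparenthesised argument).
 */
#define RSBAC_VERSION "1.3.4"
#define RSBAC_VERSION_MAJOR 1
#define RSBAC_VERSION_MID 3
#define RSBAC_VERSION_MINOR 4
#define RSBAC_VERSION_MAKE_NR(x,y,z) \
    (((x) << 16) | ((y) << 8) | (z))
#define RSBAC_VERSION_NR \
    RSBAC_VERSION_MAKE_NR(RSBAC_VERSION_MAJOR, RSBAC_VERSION_MID, RSBAC_VERSION_MINOR)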
00025
00026 #ifdef __KERNEL__
00027 #include <linux/types.h>
00028 #else
00029 #include <asm/types.h>
00030 #include <sys/types.h>
00031 #endif
00032
/* Packed version number in the RSBAC_VERSION_NR layout. */
typedef __u32 rsbac_version_t;
/* 32-bit user and group ids. The top of the range is used for
 * sentinels (RSBAC_NO_USER, RSBAC_ALL_USERS, ...), see below. */
typedef __u32 rsbac_uid_t;
typedef __u32 rsbac_gid_t;
/* 16-bit ids of the earlier format; RSBAC_OLD_NO_USER and
 * RSBAC_OLD_ALL_USERS are their sentinels. */
typedef __u16 rsbac_old_uid_t;
typedef __u16 rsbac_old_gid_t;
/* Seconds as an unsigned 32-bit value. The kernel helpers below assign
 * a time_t tv_sec into it, so anything above 32 bits is dropped. */
typedef __u32 rsbac_time_t;
/* 32-bit capability vector; presumably one bit per capability index
 * (RSBAC_CAP_DEFAULT_MIN is 0, RSBAC_CAP_DEFAULT_MAX all ones). */
typedef __u32 rsbac_cap_vector_t;

typedef __u32 rsbac_list_ta_number_t;
00042
/* Seconds plus nanoseconds; filled by rsbac_get_current_nanotime(). */
struct rsbac_nanotime_t
{
    rsbac_time_t sec;
    __u32 nsec;
};
00048
00049 #ifdef __KERNEL__
00050 #include <linux/fs.h>
00051 #include <linux/socket.h>
00052 #include <linux/pipe_fs_i.h>
00053 #include <linux/kdev_t.h>
00054
00055
00056 #ifndef LINUX_VERSION_CODE
00057 #include <linux/version.h>
00058 #endif
00059 #if LINUX_VERSION_CODE < KERNEL_VERSION(2,4,19)
00060 #error "RSBAC: unsupported kernel version"
00061 #endif
00062
00063 #if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,0)
00064 #define RSBAC_MAJOR MAJOR
00065 #define RSBAC_MINOR MINOR
00066 #define RSBAC_MKDEV(major,minor) MKDEV(major,minor)
/*
 * Current wall-clock time in whole seconds (2.6 kernels).
 * CURRENT_TIME yields a struct timespec here; its tv_sec is a time_t
 * and is narrowed to the 32-bit rsbac_time_t on return, so bits above
 * 32 are discarded.
 */
static inline rsbac_time_t rsbac_current_time(void)
{
    const struct timespec now = CURRENT_TIME;

    return (rsbac_time_t) now.tv_sec;
}
/*
 * Fill *nanotime with the current time split into seconds and
 * nanoseconds, taken from the kernel's CURRENT_TIME timespec
 * (2.6 kernels). tv_sec is narrowed to 32 bits like in
 * rsbac_current_time(). nanotime is not checked for NULL.
 */
static inline void rsbac_get_current_nanotime(struct rsbac_nanotime_t * nanotime)
{
    const struct timespec now = CURRENT_TIME;

    nanotime->sec = (rsbac_time_t) now.tv_sec;
    nanotime->nsec = (__u32) now.tv_nsec;
}
00078 #ifndef kdev_t
00079 #define kdev_t dev_t
00080 #endif
00081 #define RSBAC_CURRENT_TIME (rsbac_current_time())
00082 #else
00083 #define RSBAC_MAJOR MAJOR
00084 #define RSBAC_MINOR MINOR
00085 #define RSBAC_MKDEV(major,minor) MKDEV(major,minor)
00086 #define RSBAC_CURRENT_TIME CURRENT_TIME
00087 #include <linux/sched.h>
/*
 * Fill *nanotime from the 2.4 kernel's xtime, which exposes tv_sec and
 * tv_usec: seconds are copied, microseconds are scaled to nanoseconds.
 * xtime is read without locking, as before. nanotime is not checked
 * for NULL.
 */
static inline void rsbac_get_current_nanotime(struct rsbac_nanotime_t * nanotime)
{
    const rsbac_time_t secs = xtime.tv_sec;
    const __u32 usecs = xtime.tv_usec;

    nanotime->sec = secs;
    nanotime->nsec = usecs * 1000;
}
00093 #endif
00094
/*
 * Device-number sentinels: 0:0 is the "zero" device, 99:99 the "auto"
 * device. The predicates test only the numbers, so a real device with
 * major 99 and minor 99 also satisfies RSBAC_IS_AUTO_DEV. The kdev
 * argument is handed to RSBAC_MAJOR/RSBAC_MINOR without extra
 * parentheses; pass a plain identifier or a parenthesised value.
 */
#define RSBAC_ZERO_DEV RSBAC_MKDEV(0,0)
#define RSBAC_AUTO_DEV RSBAC_MKDEV(99,99)
#define RSBAC_IS_ZERO_DEV(kdev) (!RSBAC_MAJOR(kdev) && !RSBAC_MINOR(kdev))
#define RSBAC_IS_AUTO_DEV(kdev) ((RSBAC_MAJOR(kdev) == 99) && (RSBAC_MINOR(kdev) == 99))
00099
/* Section attribute for init code: with CONFIG_RSBAC_INIT_DELAY the
 * code is not placed in the discardable __init section. */
#ifdef CONFIG_RSBAC_INIT_DELAY
#define R_INIT
#else
#define R_INIT __init
#endif
00105
00106 #endif
00107
00108
00109
/* Fallback NULL for builds whose headers do not define it. */
#ifndef NULL
#define NULL ((void *) 0)
#endif

/* Classic min/max macros: each argument is expanded twice, so pass
 * side-effect-free operands (no i++, no function calls). */
#define rsbac_min(a,b) (((a)<(b))?(a):(b))
#define rsbac_max(a,b) (((a)>(b))?(a):(b))
00116
/*
 * "No user" / "all users" sentinels. The 16-bit values are
 * (rsbac_old_uid_t) -3 and -4 written out; the 32-bit ones are the
 * same offsets from the top of the range. Because they are in-band,
 * very large real ids collide with them; RSBAC_AUTH_MAX_RANGE_UID /
 * _GID ((type) -10) below presumably bound real ids for that reason —
 * confirm in the AUTH code.
 */
#define RSBAC_OLD_NO_USER 65533
#define RSBAC_OLD_ALL_USERS 65532
#define RSBAC_NO_USER ((rsbac_uid_t) -3)
#define RSBAC_ALL_USERS ((rsbac_uid_t) -4)
#define RSBAC_NO_GROUP ((rsbac_gid_t) -3)
#define RSBAC_ALL_GROUPS ((rsbac_gid_t) -4)
00123
#ifndef FALSE
#define FALSE 0
#endif
#ifndef TRUE
#define TRUE 1
#endif

/* Boolean as a native unsigned int. */
typedef u_int rsbac_boolean_t;

/* Boolean narrowed to one byte, presumably for compact storage. */
typedef __u8 rsbac_boolean_int_t;

/* Network device name: RSBAC_IFNAMSIZ characters plus one byte, which
 * leaves room for a terminating NUL when the full length is used. */
#define RSBAC_IFNAMSIZ 16
typedef u_char rsbac_netdev_id_t[RSBAC_IFNAMSIZ + 1];
00137
/* 64 KiB chunk size; per its name the granularity used for secure
 * deletion (FF_secure_delete) — confirm in the implementation. */
#define RSBAC_SEC_DEL_CHUNK_SIZE 65536



/*
 * Hard-coded path of the login program used by the AUTH module (per
 * name), plus the same path split into directory and file name. The
 * three must stay consistent with each other.
 */
#define RSBAC_AUTH_LOGIN_PATH "/bin/login"
#define RSBAC_AUTH_LOGIN_PATH_DIR "bin"
#define RSBAC_AUTH_LOGIN_PATH_FILE "login"
00145
00146
00147
00148
00149
00150
00151
/* All-ones TTL sentinel; per its name it tells list code to keep the
 * existing TTL rather than set a new one. */
#define RSBAC_LIST_TTL_KEEP ((rsbac_time_t) -1)

/* One-byte stand-in for enum values; every *_int_t typedef in this
 * header is this type, which fixes the enum's stored width. */
typedef __u8 rsbac_enum_t;

/*
 * Well-known user ids. The security officer defaults to 400 unless
 * CONFIG_RSBAC_SECOFF_UID overrides it; three further roles sit at
 * fixed offsets above it. Offset +3 is not assigned here.
 */
#define RSBAC_SYSADM_UID 0
#define RSBAC_BIN_UID 1
#ifdef CONFIG_RSBAC_SECOFF_UID
#define RSBAC_SECOFF_UID CONFIG_RSBAC_SECOFF_UID
#else
#define RSBAC_SECOFF_UID 400
#endif
#define RSBAC_DATAPROT_UID (RSBAC_SECOFF_UID+1)
#define RSBAC_TPMAN_UID (RSBAC_SECOFF_UID+2)
#define RSBAC_AUDITOR_UID (RSBAC_SECOFF_UID+4)
00166
typedef __u32 rsbac_pseudo_t;
typedef __u32 rsbac_pid_t;

typedef __u32 rsbac_ta_number_t;

/*
 * MAC security level in one byte: 0..252 are usable levels, 254 means
 * inherit and 255 means none. 253 is not given a meaning here.
 */
typedef __u8 rsbac_security_level_t;
#define SL_max 252
#define SL_min 0

#define SL_inherit 254
#define SL_none 255
/* Earlier fixed set of levels (values 0..6), presumably kept so older
 * data can still be read. */
enum rsbac_old_security_level_t {SL_unclassified, SL_confidential, SL_secret,
    SL_top_secret, SL_old_rsbac_internal,
    SL_old_inherit, SL_old_none};
00181
/*
 * MAC categories as a 64-bit set, one bit per category 0..63. The
 * default vector holds only the general category (bit 0).
 * RSBAC_MAC_CAT_VECTOR(x) is defined only for x <= RSBAC_MAC_MAX_CAT;
 * a larger shift count is undefined behaviour, so range-check x first.
 * Note that the "inherit" and "min" vectors are both 0: an empty
 * category set cannot be told apart from the inherit marker by value.
 */
typedef __u64 rsbac_mac_category_vector_t;
#define RSBAC_MAC_GENERAL_CATEGORY 0
#define RSBAC_MAC_DEF_CAT_VECTOR ((rsbac_mac_category_vector_t) 1)

#define RSBAC_MAC_MAX_CAT_VECTOR ((rsbac_mac_category_vector_t) -1)

#define RSBAC_MAC_MIN_CAT_VECTOR ((rsbac_mac_category_vector_t) 0)

#define RSBAC_MAC_INHERIT_CAT_VECTOR ((rsbac_mac_category_vector_t) 0)

#define RSBAC_MAC_NR_CATS 64
#define RSBAC_MAC_MAX_CAT 63

#define RSBAC_MAC_CAT_VECTOR(x) ((rsbac_mac_category_vector_t) 1 << (x))

typedef u_int rsbac_cwi_relation_id_t;
00198
00199
/* System roles; SR_none closes the list. Stored as one byte via
 * rsbac_system_role_int_t. */
enum rsbac_system_role_t {SR_user, SR_security_officer, SR_administrator,
    SR_auditor, SR_none};
typedef rsbac_enum_t rsbac_system_role_int_t;


/* Fake-root-uid modes: off, uid only, euid only, both, none. */
enum rsbac_fake_root_uid_t {FR_off, FR_uid_only, FR_euid_only, FR_both,
    FR_none};
typedef rsbac_enum_t rsbac_fake_root_uid_int_t;
00208
/*
 * SCD targets. Their ordinals index the 32-bit rsbac_scd_vector_t, so
 * RSBAC_SCD_VECTOR(x) needs x < 32; the 25 values here (ST_none is 24)
 * leave seven spare bits.
 */
enum rsbac_scd_type_t {ST_time_strucs, ST_clock, ST_host_id,
    ST_net_id, ST_ioports, ST_rlimit,
    ST_swap, ST_syslog, ST_rsbac, ST_rsbac_log,
    ST_other, ST_kmem, ST_network, ST_firewall,
    ST_priority, ST_sysfs, ST_rsbac_remote_log,
    ST_quota, ST_sysctl, ST_nfsd, ST_ksyms,
    ST_mlock, ST_capability, ST_kexec, ST_none};

typedef __u32 rsbac_scd_vector_t;
#define RSBAC_SCD_VECTOR(x) ((rsbac_scd_vector_t) 1 << (x))
00219
/* Device kinds: block or char, as a full number or by major only;
 * D_none (4) closes the list and marks the sentinel descriptors. */
enum rsbac_dev_type_t {D_block, D_char, D_block_major, D_char_major, D_none};


/* IPC object kinds and their id, a single number. */
enum rsbac_ipc_type_t {I_sem, I_msg, I_shm, I_anonpipe, I_mqueue,
    I_anonunix, I_none};
union rsbac_ipc_id_t
{
    u_long id_nr;
};

/* Inode numbers are stored in 32 bits. NOTE(review): where the
 * kernel's inode number type is wider, values are truncated here —
 * confirm for the target kernel. */
typedef __u32 rsbac_inode_nr_t;

/* Linux DAC disable attribute: false, true, inherit, none. */
enum rsbac_linux_dac_disable_t {LDD_false, LDD_true, LDD_inherit, LDD_none};
typedef rsbac_enum_t rsbac_linux_dac_disable_int_t;
00234
00235 #ifdef __KERNEL__
00236
00237
/* Kernel-side file identity: device, inode number and a dentry
 * pointer. Only complete in kernel builds (see the enclosing #ifdef);
 * user-space typedefs of it stay incomplete types. */
struct rsbac_fs_file_t
{
    kdev_t device;
    rsbac_inode_nr_t inode;
    struct dentry * dentry_p;
};
00244
/* Kernel-side device target: kind plus kernel device number. */
struct rsbac_dev_t
{
    enum rsbac_dev_type_t type;
    kdev_t id;
};
00250 #endif
00251
00252
/*
 * Device descriptor with three fixed 32-bit fields, defined outside
 * the __KERNEL__ section so it is shared with user space (unlike
 * struct rsbac_dev_t, which needs kdev_t). The RSBAC_*_DEV_DESC
 * macros put enum rsbac_dev_type_t values into type.
 */
struct rsbac_dev_desc_t
{
    __u32 type;
    __u32 major;
    __u32 minor;
};
00259
/*
 * Build a struct rsbac_dev_desc_t by value from its three fields.
 * The RSBAC_*_DEV_DESC macros pass an enum rsbac_dev_type_t value as
 * type; no range check is performed here.
 */
static inline struct rsbac_dev_desc_t
rsbac_mkdev_desc(__u32 type, __u32 major, __u32 minor)
{
    const struct rsbac_dev_desc_t desc = {
        .type = type,
        .major = major,
        .minor = minor,
    };

    return desc;
}
00270
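/*
 * Descriptor sentinels: type D_none with 0:0 is the "zero" descriptor
 * and type D_none with 99:99 the "auto" descriptor. The predicates test
 * exactly those values, so a descriptor built by hand with the same
 * numbers is indistinguishable from the sentinel. The dev argument is
 * parenthesised so that expressions such as *p or a.b work as well as
 * plain identifiers.
 */
#define RSBAC_ZERO_DEV_DESC rsbac_mkdev_desc(D_none, 0, 0)
#define RSBAC_AUTO_DEV_DESC rsbac_mkdev_desc(D_none, 99, 99)
#define RSBAC_IS_ZERO_DEV_DESC(dev) \
    (((dev).type == D_none) && !(dev).major && !(dev).minor)
#define RSBAC_IS_AUTO_DEV_DESC(dev) \
    (((dev).type == D_none) && ((dev).major == 99) && ((dev).minor == 99))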
00275
00276
/* IPC target: kind plus id. */
struct rsbac_ipc_t
{
    enum rsbac_ipc_type_t type;
    union rsbac_ipc_id_t id;
};


/* Log levels; LL_invalid closes the list. rsbac_log_array_t is a
 * 64-bit word used in pairs (log_array_low / log_array_high below). */
enum rsbac_log_level_t {LL_none, LL_denied, LL_full, LL_request, LL_invalid};
typedef __u64 rsbac_log_array_t;


/* 64-bit set of request types, presumably indexed by the
 * enum rsbac_adf_request_t ordinals defined below. The shift count x
 * must be below 64. */
typedef __u64 rsbac_request_vector_t;
#define RSBAC_REQUEST_VECTOR(x) ((rsbac_request_vector_t) 1 << (x))
00290
00291
#define RSBAC_MAXNAMELEN 256

#define RSBAC_LIST_TA_MAX_PASSLEN 36



/*
 * MAC flag storage. The widths match the masks below: user flags
 * (__u8) go up to MAC_allow_auto (64), process flags (__u16) up to
 * MAC_program_auto (256), file flags (__u8) up to MAC_write_down (32).
 * Adding a flag to a mask needs a width check against these typedefs.
 * rsbac_mac_file_t aliases struct rsbac_fs_file_t, which is complete
 * only in kernel builds.
 */
typedef __u8 rsbac_mac_user_flags_t;
typedef __u16 rsbac_mac_process_flags_t;
typedef __u8 rsbac_mac_file_flags_t;
typedef struct rsbac_fs_file_t rsbac_mac_file_t;
#define RSBAC_MAC_MAX_MAXNUM 1000000

#define MAC_override 1
#define MAC_auto 2
#define MAC_trusted 4
#define MAC_write_up 8
#define MAC_read_up 16
#define MAC_write_down 32
#define MAC_allow_auto 64
#define MAC_prop_trusted 128
#define MAC_program_auto 256

/* Flags valid for users, processes and files respectively. */
#define RSBAC_MAC_U_FLAGS (MAC_override | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down | MAC_allow_auto)
#define RSBAC_MAC_P_FLAGS (MAC_override | MAC_auto | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down | MAC_prop_trusted | MAC_program_auto)
#define RSBAC_MAC_F_FLAGS (MAC_auto | MAC_trusted | MAC_write_up | MAC_read_up | MAC_write_down)

/* Defaults: ordinary users none, sysadm may auto-adjust, the security
 * officer gets override. */
#define RSBAC_MAC_DEF_U_FLAGS 0
#define RSBAC_MAC_DEF_SYSADM_U_FLAGS MAC_allow_auto
#define RSBAC_MAC_DEF_SECOFF_U_FLAGS MAC_override

#define RSBAC_MAC_DEF_P_FLAGS 0
#define RSBAC_MAC_DEF_INIT_P_FLAGS MAC_auto

typedef rsbac_enum_t rsbac_mac_auto_int_t;
enum rsbac_mac_auto_t {MA_no, MA_yes, MA_inherit};
00327
00328
00329
00330 #include <rsbac/pm_types.h>
00331
00332
/*
 * DAZ scanner attributes, one byte each: scan result (unscanned /
 * infected / clean, DAZ_max 2), scanner id, and scan policy (never /
 * registered / always / inherit, DAZ_max_do_scan 3). Defaults: files
 * start unscanned, inherit the policy, and the root object uses
 * "registered".
 */
typedef __u8 rsbac_daz_scanned_t;
#define DAZ_unscanned 0
#define DAZ_infected 1
#define DAZ_clean 2
#define DAZ_max 2
#define DEFAULT_DAZ_FD_SCANNED DAZ_unscanned
typedef __u8 rsbac_daz_scanner_t;
typedef __u8 rsbac_daz_do_scan_t;
#define DAZ_never 0
#define DAZ_registered 1
#define DAZ_always 2
#define DAZ_inherit 3
#define DAZ_max_do_scan 3
#define DEFAULT_DAZ_FD_DO_SCAN DAZ_inherit
#define DEFAULT_DAZ_FD_ROOT_DO_SCAN DAZ_registered
00348
00349
00350
/*
 * FF (file flags) as a 16-bit mask. FF_add_inherited (128) is listed
 * apart but sits between FF_no_delete_or_rename (64) and
 * FF_append_only (256); it is the general default, while the root
 * object's default is 0.
 */
typedef __u16 rsbac_ff_flags_t;
#define FF_read_only 1
#define FF_execute_only 2
#define FF_search_only 4
#define FF_write_only 8
#define FF_secure_delete 16
#define FF_no_execute 32
#define FF_no_delete_or_rename 64
#define FF_append_only 256
#define FF_no_mount 512
#define FF_no_search 1024

#define FF_add_inherited 128

#define RSBAC_FF_DEF FF_add_inherited
#define RSBAC_FF_ROOT_DEF 0
00367
00368
00369
00370 #include <rsbac/rc_types.h>
00371
00372
00373
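/*
 * AUTH limits and the sentinel ids used in capability lists. The
 * *_F_CAP values sit at the top of the id range and are numerically
 * the same as RSBAC_NO_USER / RSBAC_ALL_USERS and RSBAC_NO_GROUP /
 * RSBAC_ALL_GROUPS ((type) -3 and (type) -4); ids at or above the
 * *_MAX_RANGE_* values ((type) -10) share that sentinel space. Every
 * cast is fully parenthesised so each macro behaves as one operand
 * (the old-uid one previously expanded to a bare cast, which broke
 * under e.g. sizeof).
 */
#define RSBAC_AUTH_MAX_MAXNUM 1000000
#define RSBAC_AUTH_OLD_OWNER_F_CAP ((rsbac_old_uid_t) -3)
#define RSBAC_AUTH_OWNER_F_CAP ((rsbac_uid_t) -3)
#define RSBAC_AUTH_DAC_OWNER_F_CAP ((rsbac_uid_t) -4)
#define RSBAC_AUTH_MAX_RANGE_UID ((rsbac_uid_t) -10)
#define RSBAC_AUTH_GROUP_F_CAP ((rsbac_gid_t) -3)
#define RSBAC_AUTH_DAC_GROUP_F_CAP ((rsbac_gid_t) -4)
#define RSBAC_AUTH_MAX_RANGE_GID ((rsbac_gid_t) -10)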
/* Alias of struct rsbac_fs_file_t (complete only in kernel builds). */
typedef struct rsbac_fs_file_t rsbac_auth_file_t;
/* Id range for AUTH capabilities; whether last is inclusive is decided
 * by the code using it, not here. */
struct rsbac_auth_cap_range_t
{
    rsbac_uid_t first;
    rsbac_uid_t last;
};
/* Which id a capability applies to: real/effective/fs uid, or the
 * corresponding gid; ACT_none closes the list. */
enum rsbac_auth_cap_type_t {ACT_real, ACT_eff, ACT_fs,
    ACT_group_real, ACT_group_eff, ACT_group_fs,
    ACT_none};
typedef rsbac_enum_t rsbac_auth_cap_type_int_t;

/* setuid policy: off, full, only to the last authenticated id, that id
 * plus gid, none. */
enum rsbac_auth_may_setuid_t {AMS_off, AMS_full, AMS_last_auth_only,
    AMS_last_auth_and_gid, AMS_none};

typedef rsbac_enum_t rsbac_auth_may_setuid_int_t;
00397
00398
00399
00400
00401
/* Process hiding modes: off, from other users, full, none. */
enum rsbac_cap_process_hiding_t {PH_off, PH_from_other_users, PH_full,
    PH_none};
typedef rsbac_enum_t rsbac_cap_process_hiding_int_t;

/* ld_env handling (per name): deny, allow, keep, inherit. */
enum rsbac_cap_ld_env_t { LD_deny, LD_allow, LD_keep, LD_inherit };
typedef rsbac_enum_t rsbac_cap_ld_env_int_t;

/*
 * Capability bounds as 32-bit rsbac_cap_vector_t: default minimum no
 * bits, default maximum all bits. CAP_NONE is fixed at 29 here
 * regardless of what <linux/capability.h> defines, and a 32-bit vector
 * cannot hold capability indices of 32 or more. NOTE(review): if the
 * target kernel defines more capabilities than this, they fall outside
 * what these bounds can express — confirm against CAP_LAST_CAP for
 * that kernel.
 */
#define RSBAC_CAP_DEFAULT_MIN ((rsbac_cap_vector_t) 0)
#define RSBAC_CAP_DEFAULT_MAX ((rsbac_cap_vector_t) -1)

#include <linux/capability.h>
#define CAP_NONE 29
#define RSBAC_CAP_MAX CAP_NONE
00415
00416
00417
#define RSBAC_JAIL_VERSION 1

/* Jail id (RSBAC_JAIL_DEF_ID 0 is the default), jail ip and jail scd
 * vector are all 32-bit. */
typedef __u32 rsbac_jail_id_t;
#define RSBAC_JAIL_DEF_ID 0
typedef __u32 rsbac_jail_ip_t;
typedef __u32 rsbac_jail_scd_vector_t;

/* Jail flags, 32-bit mask. Bit values 4 and 64 are not assigned here. */
typedef __u32 rsbac_jail_flags_t;
#define JAIL_allow_external_ipc 1
#define JAIL_allow_all_net_family 2
#define JAIL_allow_inet_raw 8
#define JAIL_auto_adjust_inet_any 16
#define JAIL_allow_inet_localhost 32
#define JAIL_allow_dev_get_status 128
#define JAIL_allow_dev_mod_system 256
#define JAIL_allow_dev_read 512
#define JAIL_allow_dev_write 1024
#define JAIL_allow_tty_open 2048
#define JAIL_allow_parent_ipc 4096
#define JAIL_allow_suid_files 8192
#define JAIL_allow_mount 16384
#define JAIL_this_is_syslog 32768
#define JAIL_allow_ipc_to_syslog 65536

/*
 * 127.0.0.1 as a 32-bit word with the first address byte in the low
 * byte, i.e. the network-byte-order address as read on a little-endian
 * host (0x0100007F). NOTE(review): on a big-endian host the same
 * network-order address reads as 0x7F000001, so this constant is
 * endianness-dependent — confirm how jail_ip is filled before any
 * localhost comparison relies on it.
 */
#define RSBAC_JAIL_LOCALHOST ((1 << 24) | 127)
00443
00444
00445
/* PaX flags as unsigned long: not a fixed-width type, so its size
 * differs between 32- and 64-bit builds. */
typedef unsigned long rsbac_pax_flags_t;


#ifdef __KERNEL__
#include <linux/elf.h>
#include <linux/random.h>
#endif
/* PaX flag bits (bits 24..29), supplied only when the kernel headers
 * do not define them. */
#ifndef PF_PAX_PAGEEXEC
#define PF_PAX_PAGEEXEC 0x01000000
#define PF_PAX_EMUTRAMP 0x02000000
#define PF_PAX_MPROTECT 0x04000000
#define PF_PAX_RANDMMAP 0x08000000
#define PF_PAX_RANDEXEC 0x10000000
#define PF_PAX_SEGMEXEC 0x20000000
#endif

/* Default PaX policy (SEGMEXEC, PAGEEXEC, MPROTECT, RANDMMAP) and the
 * full eight-bit window 24..31 (two bits above PF_PAX_SEGMEXEC are
 * covered but have no flag defined here). */
#define RSBAC_PAX_DEF_FLAGS (PF_PAX_SEGMEXEC | PF_PAX_PAGEEXEC | PF_PAX_MPROTECT | PF_PAX_RANDMMAP)
#define RSBAC_PAX_ALL_FLAGS ((rsbac_pax_flags_t) 255 << 24)
00464
00465
00466
00467
00468
00469
/* Resource limits: one 32-bit value per resource, 0 meaning unset.
 * Resources 0..RSBAC_RES_MAX give 11 array slots; RSBAC_RES_NONE (11)
 * closes the range. */
typedef __u32 rsbac_res_limit_t;
#define RSBAC_RES_UNSET 0

#define RSBAC_RES_MAX 10
#define RSBAC_RES_NONE 11

typedef rsbac_res_limit_t rsbac_res_array_t[RSBAC_RES_MAX + 1];


/* Signed 32-bit handle for the REG module (per name). */
typedef __s32 rsbac_reg_handle_t;
00480
00481
00482
00483
00484
00485
00486 #include <rsbac/network_types.h>
00487
/* Network object id: the kernel socket in kernel builds, an opaque
 * pointer in user space. */
#ifdef __KERNEL__
typedef struct socket * rsbac_net_obj_id_t;
#else
typedef void * rsbac_net_obj_id_t;
#endif

/*
 * Network object descriptor: the socket, local and remote address
 * buffers with their lengths, and a network template id for each side.
 * It contains pointers, so its layout depends on the pointer width of
 * the build.
 */
struct rsbac_net_obj_desc_t
{
    rsbac_net_obj_id_t sock_p;
    void * local_addr;
    u_int local_len;
    void * remote_addr;
    u_int remote_len;
    rsbac_net_temp_id_t local_temp;
    rsbac_net_temp_id_t remote_temp;
};
00504
/*
 * ADF request types. The ordinals are positional: they are stored as
 * one byte via rsbac_adf_request_int_t and, presumably, index the
 * rsbac_request_vector_t bits, so they must stay below 64 (R_NONE is
 * 51). RSBAC_ADF_REQUEST_ARRAY_VERSION presumably tracks changes to
 * this numbering; new requests belong before R_NONE with a version bump.
 */
#define RSBAC_ADF_REQUEST_ARRAY_VERSION 2

enum rsbac_adf_request_t {
    R_ADD_TO_KERNEL,
    R_ALTER,
    R_APPEND_OPEN,
    R_CHANGE_GROUP,
    R_CHANGE_OWNER,
    R_CHDIR,
    R_CLONE,
    R_CLOSE,
    R_CREATE,
    R_DELETE,
    R_EXECUTE,
    R_GET_PERMISSIONS_DATA,
    R_GET_STATUS_DATA,
    R_LINK_HARD,
    R_MODIFY_ACCESS_DATA,
    R_MODIFY_ATTRIBUTE,
    R_MODIFY_PERMISSIONS_DATA,
    R_MODIFY_SYSTEM_DATA,
    R_MOUNT,
    R_READ,
    R_READ_ATTRIBUTE,
    R_READ_WRITE_OPEN,
    R_READ_OPEN,
    R_REMOVE_FROM_KERNEL,
    R_RENAME,
    R_SEARCH,
    R_SEND_SIGNAL,
    R_SHUTDOWN,
    R_SWITCH_LOG,
    R_SWITCH_MODULE,
    R_TERMINATE,
    R_TRACE,
    R_TRUNCATE,
    R_UMOUNT,
    R_WRITE,
    R_WRITE_OPEN,
    R_MAP_EXEC,
    R_BIND,
    R_LISTEN,
    R_ACCEPT,
    R_CONNECT,
    R_SEND,
    R_RECEIVE,
    R_NET_SHUTDOWN,
    R_CHANGE_DAC_EFF_OWNER,
    R_CHANGE_DAC_FS_OWNER,
    R_CHANGE_DAC_EFF_GROUP,
    R_CHANGE_DAC_FS_GROUP,
    R_IOCTL,
    R_LOCK,
    R_AUTHENTICATE,
    R_NONE
};

typedef rsbac_enum_t rsbac_adf_request_int_t;
00563
00564 #include <rsbac/request_groups.h>
00565
00566
00567
00568
/* ADF decision results. */
enum rsbac_adf_req_ret_t {NOT_GRANTED,GRANTED,DO_NOT_CARE,UNDEFINED};


/*
 * Module switch targets. RSBAC_MAX_MOD is SW_SOFTMODE - 1, i.e. SW_PAX
 * (12), so SW_GEN..SW_PAX count as modules while SOFTMODE,
 * DAC_DISABLE, UM and FREEZE lie outside that range. Stored as one
 * byte via rsbac_switch_target_int_t.
 */
enum rsbac_switch_target_t {SW_GEN,SW_MAC,SW_PM,SW_DAZ,SW_FF,SW_RC,SW_AUTH,
    SW_REG,SW_ACL,SW_CAP,SW_JAIL,SW_RES,SW_PAX,SW_SOFTMODE,
    SW_DAC_DISABLE,SW_UM,SW_FREEZE,SW_NONE};
#define RSBAC_MAX_MOD (SW_SOFTMODE - 1)
typedef rsbac_enum_t rsbac_switch_target_int_t;
00581
00582
00583
00584
00585
00586
00587
/* Target (object) kinds. The ordinals are positional; T_NONE (16)
 * closes the list and sizes the kernel's rsbac_log_entry_t. */
enum rsbac_target_t {T_FILE, T_DIR, T_FIFO, T_SYMLINK, T_DEV, T_IPC, T_SCD, T_USER, T_PROCESS,
    T_NETDEV, T_NETTEMP, T_NETOBJ, T_NETTEMP_NT, T_GROUP,
    T_FD, T_UNIXSOCK,
    T_NONE};

/*
 * Target id, one member per target kind. The file-system members exist
 * only in kernel builds; the rest is visible to user space as well.
 * netobj holds pointers, so the union's size follows the build's
 * pointer width.
 */
union rsbac_target_id_t
{
#ifdef __KERNEL__
    struct rsbac_fs_file_t file;
    struct rsbac_fs_file_t dir;
    struct rsbac_fs_file_t fifo;
    struct rsbac_fs_file_t symlink;
    struct rsbac_fs_file_t unixsock;
#endif
    struct rsbac_dev_desc_t dev;
    struct rsbac_ipc_t ipc;
    rsbac_enum_t scd;
    rsbac_uid_t user;
    rsbac_gid_t group;
    rsbac_pid_t process;
    rsbac_netdev_id_t netdev;
    rsbac_net_temp_id_t nettemp;
    struct rsbac_net_obj_desc_t netobj;
    int dummy;
};
00613
/* Kernel-only: one rsbac_enum_t per target kind (T_NONE included),
 * presumably holding rsbac_log_level_t values, and the older array
 * without the T_NONE slot. */
#ifdef __KERNEL__
typedef rsbac_enum_t rsbac_log_entry_t[T_NONE+1];
typedef rsbac_enum_t rsbac_old_log_entry_t[T_NONE];

/* Kernel-only: data describing an object about to be created. */
struct rsbac_create_data_t
{
    enum rsbac_target_t target;
    struct dentry * dentry_p;
    int mode;
    kdev_t device;
};
#endif
00626
/*
 * Attribute names. The ordinals are positional, and the block guarded
 * by __KERNEL__ precedes A_none, so A_none has a different value in
 * kernel and user-space builds (98 names precede it in user space, 132
 * in the kernel; both fit rsbac_enum_t). Do not rely on A_none being
 * the same number on both sides of that boundary, and add new
 * user-visible attributes before the __KERNEL__ block.
 */
enum rsbac_attribute_t
{
    A_pseudo,
    A_security_level,
    A_initial_security_level,
    A_local_sec_level,
    A_remote_sec_level,
    A_min_security_level,
    A_mac_categories,
    A_mac_initial_categories,
    A_local_mac_categories,
    A_remote_mac_categories,
    A_mac_min_categories,
    A_mac_user_flags,
    A_mac_process_flags,
    A_mac_file_flags,
    A_system_role,
    A_mac_role,
    A_daz_role,
    A_ff_role,
    A_auth_role,
    A_cap_role,
    A_jail_role,
    A_pax_role,
    A_current_sec_level,
    A_mac_curr_categories,
    A_min_write_open,
    A_min_write_categories,
    A_max_read_open,
    A_max_read_categories,
    A_mac_auto,
    A_mac_check,
    A_mac_prop_trusted,
    A_pm_role,
    A_pm_process_type,
    A_pm_current_task,
    A_pm_object_class,
    A_local_pm_object_class,
    A_remote_pm_object_class,
    A_pm_ipc_purpose,
    A_local_pm_ipc_purpose,
    A_remote_pm_ipc_purpose,
    A_pm_object_type,
    A_local_pm_object_type,
    A_remote_pm_object_type,
    A_pm_program_type,
    A_pm_tp,
    A_pm_task_set,
    A_daz_scanned,
    A_daz_scanner,
    A_ff_flags,
    A_rc_type,
    A_rc_select_type,
    A_local_rc_type,
    A_remote_rc_type,
    A_rc_type_fd,
    A_rc_type_nt,
    A_rc_force_role,
    A_rc_initial_role,
    A_rc_role,
    A_rc_def_role,
    A_auth_may_setuid,
    A_auth_may_set_cap,
    A_auth_learn,
    A_min_caps,
    A_max_caps,
    A_max_caps_user,
    A_max_caps_program,
    A_jail_id,
    A_jail_parent,
    A_jail_ip,
    A_jail_flags,
    A_jail_max_caps,
    A_jail_scd_get,
    A_jail_scd_modify,
    A_pax_flags,
    A_res_role,
    A_res_min,
    A_res_max,
    A_log_array_low,
    A_local_log_array_low,
    A_remote_log_array_low,
    A_log_array_high,
    A_local_log_array_high,
    A_remote_log_array_high,
    A_log_program_based,
    A_log_user_based,
    A_symlink_add_remote_ip,
    A_symlink_add_uid,
    A_symlink_add_mac_level,
    A_symlink_add_rc_role,
    A_linux_dac_disable,
    A_cap_process_hiding,
    A_fake_root_uid,
    A_audit_uid,
    A_auid_exempt,
    A_auth_last_auth,
    A_remote_ip,
    A_cap_ld_env,
    A_daz_do_scan,
#ifdef __KERNEL__
    /* Kernel-internal attributes; not visible to user-space builds. */
    A_owner,
    A_group,
    A_signal,
    A_mode,
    A_nlink,
    A_switch_target,
    A_mod_name,
    A_request,
    A_trace_request,
    A_auth_add_f_cap,
    A_auth_remove_f_cap,
    A_auth_get_caplist,
    A_prot_bits,
    A_internal,

    A_create_data,
    A_new_object,
    A_rlimit,
    A_new_dir_dentry_p,
    A_auth_program_file,
    A_auth_start_uid,
    A_auth_start_euid,
    A_auth_start_gid,
    A_auth_start_egid,
    A_acl_learn,
    A_priority,
    A_pgid,
    A_kernel_thread,
    A_open_flag,
    A_reboot_cmd,
    A_setsockopt_level,
    A_ioctl_cmd,
    A_f_mode,
    A_process,
    A_sock_type,
#endif
    A_none};
00766
/*
 * Attribute value, one member per attribute family. In kernel builds a
 * policy family's members are present only when its CONFIG_RSBAC_*
 * option is set, while user-space builds always see all of them; the
 * kernel-only members (pointers, kernel structs) follow at the end.
 * NOTE(review): a union is as large as its largest member, so sizeof
 * this type can differ between kernel and user-space compilations when
 * e.g. CONFIG_RSBAC_RES is off (res_array, 11 x __u32, is the largest
 * user-visible member) — confirm that the copy path across that
 * boundary uses an explicit size rather than sizeof.
 */
union rsbac_attribute_value_t
{
    rsbac_uid_t owner;
    rsbac_pseudo_t pseudo;
    rsbac_system_role_int_t system_role;
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_MAC)
    rsbac_security_level_t security_level;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_security_level_t current_sec_level;
    rsbac_security_level_t min_write_open;
    rsbac_security_level_t max_read_open;
    rsbac_mac_user_flags_t mac_user_flags;
    rsbac_mac_process_flags_t mac_process_flags;
    rsbac_mac_file_flags_t mac_file_flags;
    rsbac_mac_auto_int_t mac_auto;
    rsbac_boolean_t mac_check;
    rsbac_boolean_t mac_prop_trusted;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_PM)
    rsbac_pm_role_int_t pm_role;
    rsbac_pm_process_type_int_t pm_process_type;
    rsbac_pm_task_id_t pm_current_task;
    rsbac_pm_object_class_id_t pm_object_class;
    rsbac_pm_purpose_id_t pm_ipc_purpose;
    rsbac_pm_object_type_int_t pm_object_type;
    rsbac_pm_program_type_int_t pm_program_type;
    rsbac_pm_tp_id_t pm_tp;
    rsbac_pm_task_set_id_t pm_task_set;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_DAZ)
    rsbac_daz_scanned_t daz_scanned;
    rsbac_daz_scanner_t daz_scanner;
    rsbac_daz_do_scan_t daz_do_scan;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_FF)
    rsbac_ff_flags_t ff_flags;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RC)
    rsbac_rc_type_id_t rc_type;
    rsbac_rc_type_id_t rc_type_fd;
    rsbac_rc_role_id_t rc_force_role;
    rsbac_rc_role_id_t rc_initial_role;
    rsbac_rc_role_id_t rc_role;
    rsbac_rc_role_id_t rc_def_role;
    rsbac_rc_type_id_t rc_select_type;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_AUTH)
    rsbac_auth_may_setuid_int_t auth_may_setuid;
    rsbac_boolean_t auth_may_set_cap;
    rsbac_pid_t auth_p_capset;
    rsbac_inode_nr_t auth_f_capset;
    rsbac_boolean_t auth_learn;
    rsbac_uid_t auth_last_auth;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_CAP)
    rsbac_cap_vector_t min_caps;
    rsbac_cap_vector_t max_caps;
    rsbac_cap_vector_t max_caps_user;
    rsbac_cap_vector_t max_caps_program;
    rsbac_cap_process_hiding_int_t cap_process_hiding;
    rsbac_cap_ld_env_int_t cap_ld_env;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_JAIL)
    rsbac_jail_id_t jail_id;
    rsbac_jail_id_t jail_parent;
    rsbac_jail_ip_t jail_ip;
    rsbac_jail_flags_t jail_flags;
    rsbac_jail_scd_vector_t jail_scd_get;
    rsbac_jail_scd_vector_t jail_scd_modify;
    rsbac_cap_vector_t jail_max_caps;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_PAX)
    rsbac_pax_flags_t pax_flags;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RES)
    rsbac_res_array_t res_array;
#endif
    rsbac_log_array_t log_array_low;
    rsbac_log_array_t log_array_high;
    rsbac_request_vector_t log_program_based;
    rsbac_request_vector_t log_user_based;
    rsbac_enum_t symlink_add_remote_ip;
    rsbac_boolean_t symlink_add_uid;
    rsbac_boolean_t symlink_add_mac_level;
    rsbac_boolean_t symlink_add_rc_role;
    rsbac_linux_dac_disable_int_t linux_dac_disable;

    rsbac_fake_root_uid_int_t fake_root_uid;
    rsbac_uid_t audit_uid;
    rsbac_uid_t auid_exempt;
    __u32 remote_ip;
#ifdef __KERNEL__
    /* Kernel-only members; several carry raw kernel pointers. */
    rsbac_gid_t group;
    struct sockaddr * sockaddr_p;
    long signal;
    int mode;
    int nlink;
    enum rsbac_switch_target_t switch_target;
    char * mod_name;
    enum rsbac_adf_request_t request;
    long trace_request;
    struct rsbac_auth_cap_range_t auth_cap_range;
    int prot_bits;
    rsbac_boolean_t internal;

    struct rsbac_create_data_t create_data;

    rsbac_boolean_t new_object;
    u_int rlimit;
    struct dentry * new_dir_dentry_p;
    struct rsbac_fs_file_t auth_program_file;
    rsbac_uid_t auth_start_uid;
    rsbac_uid_t auth_start_euid;
    rsbac_gid_t auth_start_gid;
    rsbac_gid_t auth_start_egid;
    rsbac_boolean_t acl_learn;
    int priority;
    rsbac_pid_t pgid;
    rsbac_boolean_t kernel_thread;
    u_int open_flag;
    u_int reboot_cmd;
    int setsockopt_level;
    u_int ioctl_cmd;
    mode_t f_mode;
    rsbac_pid_t process;
    short sock_type;
#endif
    /* Untyped access by width. */
    u_char u_char_dummy;
    u_short u_short_dummy;
    int dummy;
    u_int u_dummy;
    long long_dummy;
    u_long u_long_dummy;
};
00901
00902
00903
/*
 * Reduced attribute value for the fd cache (per CONFIG_RSBAC_FD_CACHE):
 * the same leading members as union rsbac_attribute_value_t with the
 * PM, AUTH, CAP, JAIL, PAX, RES and kernel-only members left out.
 * Keep the two unions aligned when adding members.
 */
#ifdef CONFIG_RSBAC_FD_CACHE
union rsbac_attribute_value_cache_t
{
    rsbac_uid_t owner;
    rsbac_pseudo_t pseudo;
    rsbac_system_role_int_t system_role;
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_MAC)
    rsbac_security_level_t security_level;
    rsbac_mac_category_vector_t mac_categories;
    rsbac_security_level_t current_sec_level;
    rsbac_security_level_t min_write_open;
    rsbac_security_level_t max_read_open;
    rsbac_mac_user_flags_t mac_user_flags;
    rsbac_mac_process_flags_t mac_process_flags;
    rsbac_mac_file_flags_t mac_file_flags;
    rsbac_mac_auto_int_t mac_auto;
    rsbac_boolean_t mac_check;
    rsbac_boolean_t mac_prop_trusted;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_DAZ)
    rsbac_daz_scanned_t daz_scanned;
    rsbac_daz_scanner_t daz_scanner;
    rsbac_daz_do_scan_t daz_do_scan;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_FF)
    rsbac_ff_flags_t ff_flags;
#endif
#if !defined(__KERNEL__) || defined(CONFIG_RSBAC_RC)
    rsbac_rc_type_id_t rc_type;
    rsbac_rc_type_id_t rc_type_fd;
    rsbac_rc_role_id_t rc_force_role;
    rsbac_rc_role_id_t rc_initial_role;
    rsbac_rc_role_id_t rc_role;
    rsbac_rc_role_id_t rc_def_role;
    rsbac_rc_type_id_t rc_select_type;
#endif
    rsbac_log_array_t log_array_low;
    rsbac_log_array_t log_array_high;
    rsbac_request_vector_t log_program_based;
    rsbac_request_vector_t log_user_based;
    rsbac_enum_t symlink_add_remote_ip;
    rsbac_boolean_t symlink_add_uid;
    rsbac_boolean_t symlink_add_mac_level;
    rsbac_boolean_t symlink_add_rc_role;
    rsbac_linux_dac_disable_int_t linux_dac_disable;

    rsbac_fake_root_uid_int_t fake_root_uid;
    rsbac_uid_t audit_uid;
    rsbac_uid_t auid_exempt;
    __u32 remote_ip;
    /* Untyped access by width. */
    u_char u_char_dummy;
    u_short u_short_dummy;
    int dummy;
    u_int u_dummy;
    long long_dummy;
    u_long u_long_dummy;
};
#endif
00962
00963
00964
00965 #include <rsbac/acl_types.h>
00966 #include <rsbac/um_types.h>
00967
00968 #endif