#ifndef __RSBAC_RC_TYPES_H
#define __RSBAC_RC_TYPES_H

/*
 * Types and constants of the RSBAC RC (Role Compatibility) module. This is a
 * pure declarations header: the identifiers it references but does not
 * declare itself (rsbac_request_vector_t, rsbac_boolean_t, the R_* request
 * ids and the RSBAC_*_REQUEST_VECTOR masks) come from the generic RSBAC
 * headers.
 */

#include <linux/types.h>    /* __u32 / __u64 for the id and vector types below */

/*
 * Predefined role ids. Only the names are fixed here; what each role may do
 * is given by the *_COMP_SCD tables and rights vectors further down (and by
 * the RC decision code outside this header).
 */
#define RSBAC_RC_GENERAL_ROLE 0
#define RSBAC_RC_ROLE_ADMIN_ROLE 1
#define RSBAC_RC_SYSTEM_ADMIN_ROLE 2
#define RSBAC_RC_AUDITOR_ROLE 3
/* Still an ordinary-range id (well below RC_role_max_value); presumably chosen to stay clear of administratively created roles. */
#define RSBAC_RC_BOOT_ROLE 999999
/* Predefined type ids, same scheme as the roles. */
#define RSBAC_RC_GENERAL_TYPE 0
#define RSBAC_RC_SEC_TYPE 1
#define RSBAC_RC_SYS_TYPE 2
#define RSBAC_RC_KERNEL_P_TYPE 999999

/* Size of the fixed name buffer in union rsbac_rc_item_value_t; a stored name must fit in it including its terminating NUL. */
#define RSBAC_RC_NAME_LEN 16
/*
 * Request vector with every bit set. Relies on rsbac_rc_request_vector_t
 * (declared later in this header) being an unsigned integer type, so that
 * the cast of -1 yields an all-ones mask. Macro expansion is deferred until
 * use, which is why the typedef may follow this line.
 */
#define RSBAC_RC_ALL_REQUESTS ((rsbac_rc_request_vector_t) -1)

/*
 * First bit position of the RC special rights (enum rsbac_rc_special_rights_t)
 * inside the 64-bit rights vector; the generic request bits presumably occupy
 * the positions below it. The OLD base is not referenced anywhere in this
 * header.
 */
#define RSBAC_RC_OLD_SPECIAL_RIGHT_BASE 48
#define RSBAC_RC_SPECIAL_RIGHT_BASE 56

/*
 * RC-specific "special rights". Each value is a bit position in
 * rsbac_rc_rights_vector_t (see RSBAC_RC_RIGHTS_VECTOR), starting at
 * RSBAC_RC_SPECIAL_RIGHT_BASE (56). RCR_NONE is the end marker, not a right:
 * RSBAC_RC_SPECIAL_RIGHTS_VECTOR deliberately leaves it out. The vector is
 * 64 bits wide, so at most eight values (positions 56..63, RCR_NONE
 * included) fit; a new right must be inserted before RCR_NONE and must not
 * push it past position 63.
 */
enum rsbac_rc_special_rights_t {
    RCR_ADMIN = RSBAC_RC_SPECIAL_RIGHT_BASE, /* 56 */
    RCR_ASSIGN,                              /* 57 */
    RCR_ACCESS_CONTROL,                      /* 58 */
    RCR_SUPERVISOR,                          /* 59 */
    RCR_MODIFY_AUTH,                         /* 60 */
    RCR_CHANGE_AUTHED_OWNER,                 /* 61 */
    RCR_SELECT,                              /* 62 */
    RCR_NONE                                 /* 63, sentinel */
};

/* Rights granted on a target: the generic request bits plus the RCR_* special-right bits, one bit each. */
typedef __u64 rsbac_rc_rights_vector_t;

/* Set of roles, one bit per role id; consequently only role ids below 64 can be represented in it. */
typedef __u64 rsbac_rc_role_vector_t;

/*
 * Single-bit masks. The cast binds tighter than the shift, so the constant
 * is widened to the 64-bit vector type *before* shifting — required for bit
 * positions >= 32. A shift count of 64 or more is undefined behaviour in C,
 * so x must be range-checked by the caller before it reaches these macros.
 * rsbac_rc_type_vector_t is not declared in this header; presumably it is
 * provided by another RC header.
 */
#define RSBAC_RC_RIGHTS_VECTOR(x) ((rsbac_rc_rights_vector_t) 1 << (x))
#define RSBAC_RC_ROLE_VECTOR(x) ((rsbac_rc_role_vector_t) 1 << (x))
#define RSBAC_RC_TYPE_VECTOR(x) ((rsbac_rc_type_vector_t) 1 << (x))

/* Mask of all seven special rights (bits 56..62). RCR_NONE is intentionally not part of it. */
#define RSBAC_RC_SPECIAL_RIGHTS_VECTOR (\
    RSBAC_RC_RIGHTS_VECTOR(RCR_ADMIN) | \
    RSBAC_RC_RIGHTS_VECTOR(RCR_ASSIGN) | \
    RSBAC_RC_RIGHTS_VECTOR(RCR_ACCESS_CONTROL) | \
    RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR) | \
    RSBAC_RC_RIGHTS_VECTOR(RCR_MODIFY_AUTH) | \
    RSBAC_RC_RIGHTS_VECTOR(RCR_CHANGE_AUTHED_OWNER) | \
    RSBAC_RC_RIGHTS_VECTOR(RCR_SELECT) \
    )

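/*
 * Mask holding only the RCR_SUPERVISOR bit (bit 59).
 *
 * The expansion must be a complete expression: a trailing "|" before the
 * closing parenthesis would turn every use of this macro into a syntax error,
 * so the single operand stands alone.
 */
#define RSBAC_RC_SUPERVISOR_RIGHT_VECTOR ( \
    RSBAC_RC_RIGHTS_VECTOR(RCR_SUPERVISOR) \
    )
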
/* Every right a role can hold: all generic request bits (RSBAC_ALL_REQUEST_VECTOR, declared elsewhere) plus all RC special rights. */
#define RSBAC_RC_ALL_RIGHTS_VECTOR (RSBAC_ALL_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR)

/*
 * Rights applicable to process targets: the generic process request mask
 * plus the bits of the four request ids R_CONNECT, R_ACCEPT, R_SEND and
 * R_RECEIVE (all declared in the generic RSBAC headers).
 */
#define RSBAC_RC_PROCESS_RIGHTS_VECTOR (RSBAC_PROCESS_REQUEST_VECTOR | \
    RSBAC_RC_RIGHTS_VECTOR(R_CONNECT) | \
    RSBAC_RC_RIGHTS_VECTOR(R_ACCEPT) | \
    RSBAC_RC_RIGHTS_VECTOR(R_SEND) | \
    RSBAC_RC_RIGHTS_VECTOR(R_RECEIVE) \
    )

/* The empty vector: no rights at all. Used as the default, so anything not explicitly granted stays denied. */
#define RSBAC_RC_DEFAULT_RIGHTS_VECTOR 0

/* Alias of the default; kept as a separate name so the general role's default can diverge later without touching callers. */
#define RSBAC_RC_GEN_RIGHTS_VECTOR RSBAC_RC_DEFAULT_RIGHTS_VECTOR

/*
 * Role and type ids are unsigned 32-bit values. The top of the range is
 * reserved for the RC_role_* / RC_type_* special values defined below, so
 * range checks must compare against RC_role_max_value / RC_type_max_value
 * (a "< 0" test can never fire on an unsigned id).
 */
typedef __u32 rsbac_rc_role_id_t;
typedef __u32 rsbac_rc_type_id_t;
/* RC request vectors are the generic RSBAC request vector type. */
typedef rsbac_request_vector_t rsbac_rc_request_vector_t;

/*
 * Administrative level of a role: none, role administration, or system
 * administration. RC_none is the end marker, following the *_none / *_NONE
 * convention used by the other enums in this header.
 */
enum rsbac_rc_admin_type_t {
    RC_no_admin,     /* 0 */
    RC_role_admin,   /* 1 */
    RC_system_admin, /* 2 */
    RC_none          /* 3, sentinel */
};

/*
 * RC-specific system-control-data (SCD) targets. They start at RST_min so
 * they sit above the generic SCD ids declared elsewhere (presumably 0..31).
 * The ROLEADM and SYSADM *_COMP_SCD tables below carry 34 entries, which is
 * exactly RST_none + 1, consistent with those tables being indexed by SCD id.
 */
#define RST_min 32
enum rsbac_rc_scd_type_t {
    RST_auth_administration = RST_min, /* 32 */
    RST_none                           /* 33, sentinel */
};

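/*
 * Default SCD compatibility of the general role (RSBAC_RC_GENERAL_ROLE).
 *
 * Positional array initializer, one rights vector per SCD target, presumably
 * indexed by the generic SCD type id (declared elsewhere). Slots not listed
 * are zero-initialised by C, i.e. carry no rights. Only slots 4 (IOPERM
 * builds only), 5, 10 and 12 are non-zero. Both variants are written with
 * the same 16 entries so they can be compared slot by slot; the only
 * difference between them is slot 4 (R_MODIFY_PERMISSIONS_DATA). Slot 5 uses
 * the RSBAC_REQUEST_VECTOR() notation while the other slots shift manually;
 * both forms are presumably equivalent.
 */
#ifdef CONFIG_RSBAC_USER_MOD_IOPERM
#define RSBAC_RC_GENERAL_COMP_SCD { \
    /*  0 */ 0, \
    /*  1 */ 0, \
    /*  2 */ 0, \
    /*  3 */ 0, \
    /*  4 */ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA), \
    /*  5 */ RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \
    /*  6 */ 0, \
    /*  7 */ 0, \
    /*  8 */ 0, \
    /*  9 */ 0, \
    /* 10 */ ( \
    ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
    ), \
    /* 11 */ 0, \
    /* 12 */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \
    /* 13 */ 0, \
    /* 14 */ 0, \
    /* 15 */ 0 \
}
#else
#define RSBAC_RC_GENERAL_COMP_SCD { \
    /*  0 */ 0, \
    /*  1 */ 0, \
    /*  2 */ 0, \
    /*  3 */ 0, \
    /*  4 */ 0, \
    /*  5 */ RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \
    /*  6 */ 0, \
    /*  7 */ 0, \
    /*  8 */ 0, \
    /*  9 */ 0, \
    /* 10 */ ( \
    ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
    ), \
    /* 11 */ 0, \
    /* 12 */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \
    /* 13 */ 0, \
    /* 14 */ 0, \
    /* 15 */ 0 \
}
#endif
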
/*
 * Default SCD compatibility of the role-admin role (RSBAC_RC_ROLE_ADMIN_ROLE).
 *
 * Positional initializer with 34 entries, one per SCD target; the slot index
 * is presumably the SCD type id (slot 32 lines up with RST_auth_administration
 * and slot 33 with RST_none). Non-zero slots:
 *   5, 8, 9, 32 : all SCD requests plus every RC special right
 *   10          : MAP_EXEC, GET_STATUS_DATA, MODIFY_PERMISSIONS_DATA,
 *                 SWITCH_LOG, SWITCH_MODULE plus every RC special right
 *   12, 13      : GET_STATUS_DATA plus every RC special right
 * Every granted slot also carries RSBAC_RC_SPECIAL_RIGHTS_VECTOR, so widening
 * any entry here directly widens the role-admin role's default privileges.
 */
#define RSBAC_RC_ROLEADM_COMP_SCD { \
    /*  0 */ 0, \
    /*  1 */ 0, \
    /*  2 */ 0, \
    /*  3 */ 0, \
    /*  4 */ 0, \
    /*  5 */ RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
    /*  6 */ 0, \
    /*  7 */ 0, \
    /*  8 */ RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
    /*  9 */ RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
    /* 10 */ ( \
    ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
    | ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \
    | ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA) \
    | ((rsbac_request_vector_t) 1 << R_SWITCH_LOG) \
    | ((rsbac_request_vector_t) 1 << R_SWITCH_MODULE) \
    ) | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
    /* 11 */ 0, \
    /* 12 */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
    /* 13 */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
    /* 14 */ 0, \
    /* 15 */ 0, \
    /* 16 */ 0, \
    /* 17 */ 0, \
    /* 18 */ 0, \
    /* 19 */ 0, \
    /* 20 */ 0, \
    /* 21 */ 0, \
    /* 22 */ 0, \
    /* 23 */ 0, \
    /* 24 */ 0, \
    /* 25 */ 0, \
    /* 26 */ 0, \
    /* 27 */ 0, \
    /* 28 */ 0, \
    /* 29 */ 0, \
    /* 30 */ 0, \
    /* 31 */ 0, \
    /* 32 */ RSBAC_SCD_REQUEST_VECTOR | RSBAC_RC_SPECIAL_RIGHTS_VECTOR, \
    /* 33 */ 0 \
}

/*
 * Default SCD compatibility of the system-admin role
 * (RSBAC_RC_SYSTEM_ADMIN_ROLE); same 34-slot layout as
 * RSBAC_RC_ROLEADM_COMP_SCD.
 *   0..8, 11..14 : SCD requests restricted to the system request set
 *                  (RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR)
 *   10           : explicit list — ADD_TO_KERNEL, GET_STATUS_DATA, MAP_EXEC,
 *                  MOUNT, REMOVE_FROM_KERNEL, UMOUNT, SHUTDOWN
 *   9, 15..33    : nothing
 * Unlike the role-admin table, no RC special right is granted anywhere, and
 * slot 32 (RST_auth_administration) is empty.
 */
#define RSBAC_RC_SYSADM_COMP_SCD { \
    /*  0 */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
    /*  1 */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
    /*  2 */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
    /*  3 */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
    /*  4 */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
    /*  5 */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
    /*  6 */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
    /*  7 */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
    /*  8 */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
    /*  9 */ 0, \
    /* 10 */ ( \
    ((rsbac_request_vector_t) 1 << R_ADD_TO_KERNEL) \
    | ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) \
    | ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
    | ((rsbac_request_vector_t) 1 << R_MOUNT) \
    | ((rsbac_request_vector_t) 1 << R_REMOVE_FROM_KERNEL) \
    | ((rsbac_request_vector_t) 1 << R_UMOUNT) \
    | ((rsbac_request_vector_t) 1 << R_SHUTDOWN) \
    ), \
    /* 11 */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
    /* 12 */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
    /* 13 */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
    /* 14 */ RSBAC_SCD_REQUEST_VECTOR & RSBAC_SYSTEM_REQUEST_VECTOR, \
    /* 15 */ 0, \
    /* 16 */ 0, \
    /* 17 */ 0, \
    /* 18 */ 0, \
    /* 19 */ 0, \
    /* 20 */ 0, \
    /* 21 */ 0, \
    /* 22 */ 0, \
    /* 23 */ 0, \
    /* 24 */ 0, \
    /* 25 */ 0, \
    /* 26 */ 0, \
    /* 27 */ 0, \
    /* 28 */ 0, \
    /* 29 */ 0, \
    /* 30 */ 0, \
    /* 31 */ 0, \
    /* 32 */ 0, \
    /* 33 */ 0 \
}
/*
 * Default SCD compatibility of the auditor role (RSBAC_RC_AUDITOR_ROLE);
 * same layout as the tables above, 16 explicit entries (the remaining slots
 * are zero-initialised). Non-zero slots:
 *   4      : MODIFY_PERMISSIONS_DATA (IOPERM builds only)
 *   5, 9   : GET_STATUS_DATA | MODIFY_SYSTEM_DATA (slot 5 written with the
 *            RSBAC_REQUEST_VECTOR() notation, slot 9 with explicit shifts;
 *            presumably equivalent)
 *   10     : MAP_EXEC
 *   12     : GET_STATUS_DATA
 * Compared with RSBAC_RC_GENERAL_COMP_SCD, slot 9 is the only addition.
 */
#ifdef CONFIG_RSBAC_USER_MOD_IOPERM
#define RSBAC_RC_AUDITOR_COMP_SCD { \
    /*  0 */ 0, \
    /*  1 */ 0, \
    /*  2 */ 0, \
    /*  3 */ 0, \
    /*  4 */ ((rsbac_request_vector_t) 1 << R_MODIFY_PERMISSIONS_DATA), \
    /*  5 */ RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \
    /*  6 */ 0, \
    /*  7 */ 0, \
    /*  8 */ 0, \
    /*  9 */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA), \
    /* 10 */ ( \
    ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
    ), \
    /* 11 */ 0, \
    /* 12 */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \
    /* 13 */ 0, \
    /* 14 */ 0, \
    /* 15 */ 0 \
}
#else
#define RSBAC_RC_AUDITOR_COMP_SCD { \
    /*  0 */ 0, \
    /*  1 */ 0, \
    /*  2 */ 0, \
    /*  3 */ 0, \
    /*  4 */ 0, \
    /*  5 */ RSBAC_REQUEST_VECTOR(GET_STATUS_DATA) | RSBAC_REQUEST_VECTOR(MODIFY_SYSTEM_DATA), \
    /*  6 */ 0, \
    /*  7 */ 0, \
    /*  8 */ 0, \
    /*  9 */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA) | ((rsbac_request_vector_t) 1 << R_MODIFY_SYSTEM_DATA), \
    /* 10 */ ( \
    ((rsbac_request_vector_t) 1 << R_MAP_EXEC) \
    ), \
    /* 11 */ 0, \
    /* 12 */ ((rsbac_request_vector_t) 1 << R_GET_STATUS_DATA), \
    /* 13 */ 0, \
    /* 14 */ 0, \
    /* 15 */ 0 \
}
#endif


/*
 * Reserved type ids, encoded at the top of the unsigned 32-bit range
 * (-1 == 0xffffffff, -2 == 0xfffffffe, ...). RC_type_min_special equals the
 * lowest special value defined so far (RC_type_use_fd); RC_type_max_value
 * (-32 == 0xffffffe0) is the highest id an ordinary type may use, so the
 * values between -31 and -8 remain free for future special ids. Because the
 * id type is unsigned, a check like "id < 0" never fires — validation must
 * compare against RC_type_max_value / RC_type_min_special.
 */
#define RC_type_inherit_process ((rsbac_rc_type_id_t) -1)
#define RC_type_inherit_parent ((rsbac_rc_type_id_t) -2)
#define RC_type_no_create ((rsbac_rc_type_id_t) -3)
#define RC_type_no_execute ((rsbac_rc_type_id_t) -4)
#define RC_type_use_new_role_def_create ((rsbac_rc_type_id_t) -5)
#define RC_type_no_chown ((rsbac_rc_type_id_t) -6)
#define RC_type_use_fd ((rsbac_rc_type_id_t) -7)
#define RC_type_min_special ((rsbac_rc_type_id_t) -7) /* == RC_type_use_fd; keep in step when adding special ids */
#define RC_type_max_value ((rsbac_rc_type_id_t) -32)

/* Reserved role ids, same scheme as the types. RSBAC_RC_BOOT_ROLE (999999) is far below RC_role_max_value and therefore an ordinary id. */
#define RC_role_inherit_user ((rsbac_rc_role_id_t) -1)
#define RC_role_inherit_process ((rsbac_rc_role_id_t) -2)
#define RC_role_inherit_parent ((rsbac_rc_role_id_t) -3)
#define RC_role_inherit_up_mixed ((rsbac_rc_role_id_t) -4)
#define RC_role_use_force_role ((rsbac_rc_role_id_t) -5)
#define RC_role_min_special ((rsbac_rc_role_id_t) -5) /* == RC_role_use_force_role; keep in step when adding special ids */
#define RC_role_max_value ((rsbac_rc_role_id_t) -32)

/* Built-in defaults, all expressed through the reserved "inherit"/"use" role ids above rather than a concrete role. */
#define RC_default_force_role RC_role_inherit_parent
#define RC_default_root_dir_force_role RC_role_inherit_up_mixed
#define RC_default_init_force_role RC_role_inherit_user
#define RC_default_initial_role RC_role_inherit_parent
#define RC_default_root_dir_initial_role RC_role_use_force_role


/* Kind of object an RC item refers to (selects the member of union rsbac_rc_target_id_t); RT_NONE is the end marker. */
enum rsbac_rc_target_t { RT_ROLE, RT_TYPE, RT_NONE };

/* Id of the object selected by enum rsbac_rc_target_t: role for RT_ROLE, type for RT_TYPE. */
union rsbac_rc_target_id_t {
    rsbac_rc_role_id_t role;
    rsbac_rc_type_id_t type;
};

/*
 * Attributes ("items") of a role or type that can be read or written; the
 * value travels in union rsbac_rc_item_value_t, whose valid member depends on
 * the item. The numeric order is part of the interface if these values are
 * exchanged with user space (presumably the case for a types header), so new
 * items go immediately before RI_none, never in the middle. The empty
 * "#ifdef __KERNEL__ ... #endif" pair is a leftover and has no effect.
 * Group comments below are by name only.
 */
enum rsbac_rc_item_t {
    /* compatibility vectors */
    RI_role_comp,
    RI_admin_roles,
    RI_assign_roles,
    /* type compatibility per target class */
    RI_type_comp_fd,
    RI_type_comp_dev,
    RI_type_comp_user,
    RI_type_comp_process,
    RI_type_comp_ipc,
    RI_type_comp_scd,
    RI_type_comp_group,
    RI_type_comp_netdev,
    RI_type_comp_nettemp,
    RI_type_comp_netobj,
    /* administration level, name, default create/chown/execute types */
    RI_admin_type,
    RI_name,
    RI_def_fd_create_type,
    RI_def_fd_ind_create_type,
    RI_def_user_create_type,
    RI_def_process_create_type,
    RI_def_process_chown_type,
    RI_def_process_execute_type,
    RI_def_ipc_create_type,
    RI_def_group_create_type,
    RI_def_unixsock_create_type,
    RI_boot_role,
    RI_req_reauth,
    /* type names per target class (plus the fd secure-delete flag) */
    RI_type_fd_name,
    RI_type_dev_name,
    RI_type_ipc_name,
    RI_type_user_name,
    RI_type_process_name,
    RI_type_group_name,
    RI_type_netdev_name,
    RI_type_nettemp_name,
    RI_type_netobj_name,
    RI_type_fd_need_secdel,
    RI_type_scd_name,
    /* removal requests */
    RI_remove_role,
    RI_def_fd_ind_create_type_remove,
    RI_type_fd_remove,
    RI_type_dev_remove,
    RI_type_ipc_remove,
    RI_type_user_remove,
    RI_type_process_remove,
    RI_type_group_remove,
    RI_type_netdev_remove,
    RI_type_nettemp_remove,
    RI_type_netobj_remove,
#ifdef __KERNEL__
#endif
    RI_none /* sentinel */
};

/*
 * Value carried by an RC item. Which member is valid depends on the
 * enum rsbac_rc_item_t being used (by name: *_comp items -> rights,
 * RI_admin_type -> admin_type, *_name items -> name, *_role items -> role_id,
 * *_type items -> type_id, the flag items -> the rsbac_boolean_t members;
 * rsbac_boolean_t is declared elsewhere). The *_dummy members carry no data
 * and presumably exist only to pin the union's minimum size. The empty
 * "#ifdef __KERNEL__ ... #endif" pair is a leftover with no effect.
 */
union rsbac_rc_item_value_t {
    rsbac_rc_rights_vector_t rights;
    enum rsbac_rc_admin_type_t admin_type;
    /*
     * Fixed-size name buffer. Whatever copies into it — in particular data
     * arriving from user space — must bound the copy to RSBAC_RC_NAME_LEN
     * and guarantee a terminating NUL before the buffer is used as a C
     * string; the union itself offers no protection.
     */
    char name[RSBAC_RC_NAME_LEN];
    rsbac_rc_role_id_t role_id;
    rsbac_rc_type_id_t type_id;
    rsbac_boolean_t need_secdel;
    rsbac_boolean_t comp;
    rsbac_boolean_t boot_role;
    rsbac_boolean_t req_reauth;
#ifdef __KERNEL__
#endif
    u_char u_char_dummy;
    int dummy;
    u_int u_dummy;
    long long_dummy;
    long long long_long_dummy;
};

#endif /* __RSBAC_RC_TYPES_H */