2 * Copyright (c) 1999 Ilmar S. Habibulin
3 * Copyright (c) 2000-2001 Robert N. M. Watson
4 * Copyright (c) 2001 Thomas Moestl
7 * This software was developed by Robert Watson, Thomas Moestl, and Ilmar
8 * Habibulin for the TrustedBSD Project.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * Developed by the TrustedBSD Project.
35 * Support for POSIX.1e process capabilities.
38 #ifndef _SYS_CAPABILITY_H
39 #define _SYS_CAPABILITY_H
41 #define POSIX1E_CAPABILITY_EXTATTR_NAMESPACE EXTATTR_NAMESPACE_SYSTEM
42 #define POSIX1E_CAPABILITY_EXTATTR_NAME "posix1e.cap"
44 typedef int cap_flag_t;
45 typedef int cap_flag_value_t;
46 typedef u_int64_t cap_value_t;
49 u_int64_t c_effective;
50 u_int64_t c_permitted;
51 u_int64_t c_inheritable;
53 typedef struct cap *cap_t;
55 #if defined(_KERNEL) | defined(_CAPABILITY_NEEDMACROS)
56 #define SET_CAPABILITY(mask, cap) do { \
60 #define UNSET_CAPABILITY(mask, cap) do { \
64 #define IS_CAP_SET(mask, cap) \
/*
 * Is (tcap) a logical subset of (scap)?
 *
 * True only when every bit set in each of tcap's three sets (permitted,
 * effective, inheritable) is also set in the corresponding set of scap,
 * i.e. no bit of tcap falls outside scap.  Both arguments are struct cap
 * lvalues; neither is modified.
 */
#define CAP_SUBSET(scap, tcap) \
	((((tcap).c_permitted & ~(scap).c_permitted) == 0) && \
	 (((tcap).c_effective & ~(scap).c_effective) == 0) && \
	 (((tcap).c_inheritable & ~(scap).c_inheritable) == 0))
76 * Put the union of the capability sets c1 and c2 into c1; c2 is left unchanged.
78 #define CAP_UNITE(c1, c2) do { \
79 (c1).c_permitted |= (c2).c_permitted; \
80 (c1).c_effective |= (c2).c_effective; \
81 (c1).c_inheritable |= (c2).c_inheritable; \
/*
 * Test whether any bits in a cap set are set: true when at least one bit
 * is set in any of the permitted, effective or inheritable sets of (c).
 *
 * XXX: due to capability setting constraints, it should actually be
 * sufficient to check c_permitted; all three sets are still examined here.
 */
#define CAP_NONZERO(c) \
	(((c).c_permitted | (c).c_effective | (c).c_inheritable) != 0)
96 * Possible flags for a particular capability.
98 #define CAP_EFFECTIVE 0x01
99 #define CAP_INHERITABLE 0x02
100 #define CAP_PERMITTED 0x04
103 * Possible values for each capability flag.
109 * Possible capability values, both BSD/LINUX and POSIX.1e.
111 #define CAP_CHOWN (0x0000000000000001)
112 #define CAP_DAC_EXECUTE (0x0000000000000002)
113 #define CAP_DAC_WRITE (0x0000000000000004)
114 #define CAP_DAC_READ_SEARCH (0x0000000000000008)
115 #define CAP_FOWNER (0x0000000000000010)
116 #define CAP_FSETID (0x0000000000000020)
117 #define CAP_KILL (0x0000000000000040)
118 #define CAP_LINK_DIR (0x0000000000000080)
119 #define CAP_SETFCAP (0x0000000000000100)
120 #define CAP_SETGID (0x0000000000000200)
121 #define CAP_SETUID (0x0000000000000400)
122 #define CAP_MAC_DOWNGRADE (0x0000000000000800)
123 #define CAP_MAC_READ (0x0000000000001000)
124 #define CAP_MAC_RELABEL_SUBJ (0x0000000000002000)
125 #define CAP_MAC_UPGRADE (0x0000000000004000)
126 #define CAP_MAC_WRITE (0x0000000000008000)
127 #define CAP_INF_NOFLOAT_OBJ (0x0000000000010000)
128 #define CAP_INF_NOFLOAT_SUBJ (0x0000000000020000)
129 #define CAP_INF_RELABEL_OBJ (0x0000000000040000)
130 #define CAP_INF_RELABEL_SUBJ (0x0000000000080000)
131 #define CAP_AUDIT_CONTROL (0x0000000000100000)
132 #define CAP_AUDIT_WRITE (0x0000000000200000)
135 * The following is no longer functional.
136 * With our capability model, this serves no useful purpose. A process just
137 * has all the capabilities it needs, and if they are to be temporarily given
138 * up, they can be removed from the effective set.
139 * We do not support modifying the capabilities of other processes, as Linux
140 * (from which this one originated) does.
142 #define CAP_SETPCAP (0x0000000000400000)
143 /* This is unallocated: */
144 #define CAP_XXX_INVALID1 (0x0000000000800000)
145 #define CAP_SYS_SETFFLAG (0x0000000001000000)
147 * The CAP_LINUX_IMMUTABLE flag approximately maps into the
148 * general file flag setting capability in BSD. Therefore, for
149 * compatibility, map the constants.
151 #define CAP_LINUX_IMMUTABLE CAP_SYS_SETFFLAG
152 #define CAP_NET_BIND_SERVICE (0x0000000002000000)
153 #define CAP_NET_BROADCAST (0x0000000004000000)
154 #define CAP_NET_ADMIN (0x0000000008000000)
155 #define CAP_NET_RAW (0x0000000010000000)
156 #define CAP_IPC_LOCK (0x0000000020000000)
157 #define CAP_IPC_OWNER (0x0000000040000000)
159 * The following capabilities, borrowed from Linux, are unsafe in a
160 * secure environment.
162 #define CAP_SYS_MODULE (0x0000000080000000)
163 #define CAP_SYS_RAWIO (0x0000000100000000)
164 #define CAP_SYS_CHROOT (0x0000000200000000)
165 #define CAP_SYS_PTRACE (0x0000000400000000)
166 #define CAP_SYS_PACCT (0x0000000800000000)
167 #define CAP_SYS_ADMIN (0x0000001000000000)
169 * Back to the safe ones, again.
171 #define CAP_SYS_BOOT (0x0000002000000000)
172 #define CAP_SYS_NICE (0x0000004000000000)
173 #define CAP_SYS_RESOURCE (0x0000008000000000)
174 #define CAP_SYS_TIME (0x0000010000000000)
175 #define CAP_SYS_TTY_CONFIG (0x0000020000000000)
176 #define CAP_MKNOD (0x0000040000000000)
177 #define CAP_MAX_ID CAP_MKNOD
179 #define CAP_ALL_ON (CAP_CHOWN | CAP_DAC_EXECUTE | CAP_DAC_WRITE | \
180 CAP_DAC_READ_SEARCH | CAP_FOWNER | CAP_FSETID | CAP_KILL | CAP_LINK_DIR | \
181 CAP_SETFCAP | CAP_SETGID | CAP_SETUID | CAP_MAC_DOWNGRADE | \
182 CAP_MAC_READ | CAP_MAC_RELABEL_SUBJ | CAP_MAC_UPGRADE | \
183 CAP_MAC_WRITE | CAP_INF_NOFLOAT_OBJ | CAP_INF_NOFLOAT_SUBJ | \
184 CAP_INF_RELABEL_OBJ | CAP_INF_RELABEL_SUBJ | CAP_AUDIT_CONTROL | \
185 CAP_AUDIT_WRITE | CAP_SYS_SETFFLAG | CAP_NET_BIND_SERVICE | \
186 CAP_NET_BROADCAST | CAP_NET_ADMIN | CAP_NET_RAW | CAP_IPC_LOCK | \
187 CAP_IPC_OWNER | CAP_SYS_MODULE | CAP_SYS_RAWIO | CAP_SYS_CHROOT | \
188 CAP_SYS_PTRACE | CAP_SYS_PACCT | CAP_SYS_ADMIN | CAP_SYS_BOOT | \
189 CAP_SYS_NICE | CAP_SYS_RESOURCE | CAP_SYS_TIME | CAP_SYS_TTY_CONFIG | \
191 #define CAP_ALL_OFF (0)
199 int cap_check(struct ucred *, struct proc *, cap_value_t, int);
200 int cap_check_td(struct ucred *, struct thread *, cap_value_t, int);
201 int cap_change_on_inherit(struct cap *cap_p);
202 int cap_inherit(struct vnode *vp, struct proc *p);
203 void cap_init_proc0(struct cap *);
204 void cap_init_proc1(struct cap *);
211 typedef _BSD_SSIZE_T_ ssize_t;
215 int __cap_get_proc(struct cap *);
216 int __cap_set_proc(struct cap *);
217 int __cap_get_fd(int, struct cap *);
218 int __cap_get_file(const char *, struct cap *);
219 int __cap_set_fd(int, struct cap *);
220 int __cap_set_file(const char *, struct cap *);
222 int cap_clear(cap_t);
223 ssize_t cap_copy_ext(void *, cap_t, ssize_t);
224 cap_t cap_copy_int(const void *);
225 cap_t cap_dup(cap_t);
226 int cap_free(void *);
227 cap_t cap_from_text(const char *);
228 cap_t cap_get_fd(int);
229 cap_t cap_get_file(const char *);
230 int cap_get_flag(cap_t, cap_value_t, cap_flag_t, cap_flag_value_t *);
231 cap_t cap_get_proc(void);
232 cap_t cap_init(void);
233 int cap_set_fd(int, cap_t);
234 int cap_set_file(const char *, cap_t);
235 int cap_set_flag(cap_t, cap_flag_t, int, cap_value_t[] , cap_flag_value_t);
236 int cap_set_proc(cap_t);
237 ssize_t cap_size(cap_t);
238 char *cap_to_text(cap_t, ssize_t *);
241 * Non-POSIX.1e functions
243 * Do the two cap_t's represent equal capability sets?
245 int cap_equal_np(cap_t, cap_t);
247 /* Interpret the text relative to an existing cap_t. */
248 cap_t cap_from_text2_np(const char *, cap_t);
250 /* Is the first cap set a subset of the second? */
251 int cap_subset_np(cap_t, cap_t);
254 * Like cap_to_text, takes an additional flags argument. Flags are defined
257 char *cap_to_text2_np(cap_t, ssize_t *, int);
259 #define CTT_NOE 1 /* Do not output caps with only E flag set */
260 #define CTT_NOI 2 /* Do not output caps with only I flag set */
261 #define CTT_NOP 4 /* Do not output caps with only P flag set */
262 #define CTT_ALL 8 /* Do output caps with no flags set */
264 #define CTT_NOMSK (CTT_NOE | CTT_NOI | CTT_NOP)
266 #define CAP_MAX_BUF_LEN 1024 /* Maximum cap text buffer length */
268 #endif /* !_KERNEL */
270 #endif /* !_SYS_CAPABILITY_H */