mirror of
https://github.com/opnsense/src.git
synced 2026-04-26 16:47:30 -04:00
70f3685105
introduce a new argument, "namespace", rather than relying on a first-
character namespace indicator. This is in line with more recent
thinking on EA interfaces on various mailing lists, including the
posix1e, Linux acl-devel, and trustedbsd-discuss forums. Two namespaces
are defined by default, EXTATTR_NAMESPACE_SYSTEM and
EXTATTR_NAMESPACE_USER, where the primary distinction lies in the
access control model: user EAs are accessible based on the normal
MAC and DAC file/directory protections, and system attributes are
limited to kernel-originated or appropriately privileged userland
requests.
o These API changes occur at several levels: the namespace argument is
introduced in the extattr_{get,set}_file() system call interfaces,
at the vnode operation level in the vop_{get,set}extattr() interfaces,
and in the UFS extended attribute implementation. Changes are also
introduced in the VFS extattrctl() interface (system call, VFS,
and UFS implementation), where the arguments are modified to include
a namespace field, as well as modified to advoid direct access to
userspace variables from below the VFS layer (in the style of recent
changes to mount by adrian@FreeBSD.org). This required some cleanup
and bug fixing regarding VFS locks and the VFS interface, as a vnode
pointer may now be optionally submitted to the VFS_EXTATTRCTL()
call. Updated documentation for the VFS interface will be committed
shortly.
o In the near future, the auto-starting feature will be updated to
search two sub-directories to the ".attribute" directory in appropriate
file systems: "user" and "system" to locate attributes intended for
those namespaces, as the single filename is no longer sufficient
to indicate what namespace the attribute is intended for. Until this
is committed, all attributes auto-started by UFS will be placed in
the EXTATTR_NAMESPACE_SYSTEM namespace.
o The default POSIX.1e attribute names for ACLs and Capabilities have
been updated to no longer include the '$' in their filename. As such,
if you're using these features, you'll need to rename the attribute
backing files to the same names without '$' symbols in front.
o Note that these changes will require changes in userland, which will
be committed shortly. These include modifications to the extended
attribute utilities, as well as to libutil for new namespace
string conversion routines. Once the matching userland changes are
committed, a buildworld is recommended to update all the necessary
include files and verify that the kernel and userland environments
are in sync. Note: If you do not use extended attributes (most people
won't), upgrading is not imperative although since the system call
API has changed, the new userland extended attribute code will no longer
compile with old include files.
o Couple of minor cleanups while I'm there: make more code compilation
conditional on FFS_EXTATTR, which should recover a bit of space on
kernels running without EA's, as well as update copyright dates.
Obtained from: TrustedBSD Project
213 lines
7.1 KiB
C
213 lines
7.1 KiB
C
/*-
|
|
* Copyright (c) 2000, 2001 Robert N. M. Watson
|
|
* All rights reserved.
|
|
*
|
|
* Copyright (c) 1999 Ilmar S. Habibulin
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*
|
|
* $FreeBSD$
|
|
*/
|
|
/*
|
|
* Developed by the TrustedBSD Project.
|
|
* Support for POSIX.1e process capabilities.
|
|
*/
|
|
|
|
#ifndef _SYS_CAPABILITY_H
|
|
#define _SYS_CAPABILITY_H
|
|
|
|
#define POSIX1E_CAPABILITY_EXTATTR_NAMESPACE EXTATTR_NAMESPACE_SYSTEM
|
|
#define POSIX1E_CAPABILITY_EXTATTR_NAME "posix1e.cap"
|
|
|
|
typedef int cap_flag_t;
|
|
typedef int cap_flag_value_t;
|
|
typedef u_int64_t cap_value_t;
|
|
|
|
struct cap {
|
|
u_int64_t c_effective;
|
|
u_int64_t c_permitted;
|
|
u_int64_t c_inheritable;
|
|
};
|
|
typedef struct cap *cap_t;
|
|
|
|
#define SET_CAPABILITY(mask, cap) do { \
|
|
(mask) |= cap; \
|
|
} while (0)
|
|
|
|
#define UNSET_CAPABILITY(mask, cap) do { \
|
|
(mask) &= ~(cap); \
|
|
} while (0)
|
|
|
|
#define IS_CAP_SET(mask, cap) \
|
|
((mask) & (cap))
|
|
|
|
/*
|
|
* Is (tcap) a logical subset of (scap)?
|
|
*/
|
|
#define CAP_SUBSET(scap,tcap) \
|
|
(((scap).c_permitted | (tcap).c_permitted == (scap).c_permitted) && \
|
|
((scap).c_effective | (tcap).c_effective == (scap).c_effective) && \
|
|
((scap).c_inheritable | (tcap).c_inheritable == (scap).c_inheritable))
|
|
|
|
/*
|
|
* Possible flags for a particular capability.
|
|
*/
|
|
#define CAP_EFFECTIVE 0x01
|
|
#define CAP_INHERITABLE 0x02
|
|
#define CAP_PERMITTED 0x04
|
|
|
|
/*
|
|
* Possible values for each capability flag.
|
|
*/
|
|
#define CAP_CLEAR 0
|
|
#define CAP_SET 1
|
|
|
|
/*
|
|
* Possible capability values, both BSD/LINUX and POSIX.1e.
|
|
*/
|
|
#define CAP_CHOWN (0x0000000000000001)
|
|
#define CAP_DAC_EXECUTE (0x0000000000000002)
|
|
#define CAP_DAC_WRITE (0x0000000000000004)
|
|
#define CAP_DAC_READ_SEARCH (0x0000000000000008)
|
|
#define CAP_FOWNER (0x0000000000000010)
|
|
#define CAP_FSETID (0x0000000000000020)
|
|
#define CAP_KILL (0x0000000000000040)
|
|
#define CAP_LINK_DIR (0x0000000000000080)
|
|
#define CAP_SETFCAP (0x0000000000000100)
|
|
#define CAP_SETGID (0x0000000000000200)
|
|
#define CAP_SETUID (0x0000000000000400)
|
|
#define CAP_MAC_DOWNGRADE (0x0000000000000800)
|
|
#define CAP_MAC_READ (0x0000000000001000)
|
|
#define CAP_MAC_RELABEL_SUBJ (0x0000000000002000)
|
|
#define CAP_MAC_UPGRADE (0x0000000000004000)
|
|
#define CAP_MAC_WRITE (0x0000000000008000)
|
|
#define CAP_INF_NOFLOAT_OBJ (0x0000000000010000)
|
|
#define CAP_INF_NOFLOAT_SUBJ (0x0000000000020000)
|
|
#define CAP_INF_RELABEL_OBJ (0x0000000000040000)
|
|
#define CAP_INF_RELABEL_SUBJ (0x0000000000080000)
|
|
#define CAP_AUDIT_CONTROL (0x0000000000100000)
|
|
#define CAP_AUDIT_WRITE (0x0000000000200000)
|
|
|
|
/*
|
|
* The following capability, borrowed from Linux, is unsafe
|
|
*/
|
|
#define CAP_SETPCAP (0x0000000000400000)
|
|
/* This is unallocated: */
|
|
#define CAP_XXX_INVALID1 (0x0000000000800000)
|
|
#define CAP_SYS_SETFFLAG (0x0000000001000000)
|
|
/*
|
|
* The CAP_LINUX_IMMUTABLE flag approximately maps into the
|
|
* general file flag setting capability in BSD. Therfore, for
|
|
* compatibility, map the constants.
|
|
*/
|
|
#define CAP_LINUX_IMMUTABLE CAP_SYS_SETFFLAG
|
|
#define CAP_NET_BIND_SERVICE (0x0000000002000000)
|
|
#define CAP_NET_BROADCAST (0x0000000004000000)
|
|
#define CAP_NET_ADMIN (0x0000000008000000)
|
|
#define CAP_NET_RAW (0x0000000010000000)
|
|
#define CAP_IPC_LOCK (0x0000000020000000)
|
|
#define CAP_IPC_OWNER (0x0000000040000000)
|
|
/*
|
|
* The following capabilities, borrowed from Linux, are unsafe in a
|
|
* secure environment.
|
|
*
|
|
*/
|
|
#define CAP_SYS_MODULE (0x0000000080000000)
|
|
#define CAP_SYS_RAWIO (0x0000000100000000)
|
|
#define CAP_SYS_CHROOT (0x0000000200000000)
|
|
#define CAP_SYS_PTRACE (0x0000000400000000)
|
|
#define CAP_SYS_PACCT (0x0000000800000000)
|
|
#define CAP_SYS_ADMIN (0x0000001000000000)
|
|
/*
|
|
* Back to the safe ones, again
|
|
*/
|
|
#define CAP_SYS_BOOT (0x0000002000000000)
|
|
#define CAP_SYS_NICE (0x0000004000000000)
|
|
#define CAP_SYS_RESOURCE (0x0000008000000000)
|
|
#define CAP_SYS_TIME (0x0000010000000000)
|
|
#define CAP_SYS_TTY_CONFIG (0x0000020000000000)
|
|
#define CAP_MKNOD (0x0000040000000000)
|
|
#define CAP_MAX_ID CAP_MKNOD
|
|
|
|
#define CAP_ALL_ON (CAP_CHOWN | CAP_DAC_EXECUTE | CAP_DAC_WRITE | \
|
|
CAP_DAC_READ_SEARCH | CAP_FOWNER | CAP_FSETID | CAP_KILL | CAP_LINK_DIR | \
|
|
CAP_SETFCAP | CAP_SETGID | CAP_SETUID | CAP_MAC_DOWNGRADE | \
|
|
CAP_MAC_READ | CAP_MAC_RELABEL_SUBJ | CAP_MAC_UPGRADE | \
|
|
CAP_MAC_WRITE | CAP_INF_NOFLOAT_OBJ | CAP_INF_NOFLOAT_SUBJ | \
|
|
CAP_INF_RELABEL_OBJ | CAP_INF_RELABEL_SUBJ | CAP_AUDIT_CONTROL | \
|
|
CAP_AUDIT_WRITE | CAP_SETPCAP | CAP_SYS_SETFFLAG | CAP_NET_BIND_SERVICE | \
|
|
CAP_NET_BROADCAST | CAP_NET_ADMIN | CAP_NET_RAW | CAP_IPC_LOCK | \
|
|
CAP_IPC_OWNER | CAP_SYS_MODULE | CAP_SYS_RAWIO | CAP_SYS_CHROOT | \
|
|
CAP_SYS_PTRACE | CAP_SYS_PACCT | CAP_SYS_ADMIN | CAP_SYS_BOOT | \
|
|
CAP_SYS_NICE | CAP_SYS_RESOURCE | CAP_SYS_TIME | CAP_SYS_TTY_CONFIG | \
|
|
CAP_MKNOD)
|
|
#define CAP_ALL_OFF (0)
|
|
|
|
#ifdef _KERNEL
|
|
|
|
struct proc;
|
|
struct ucred;
|
|
struct vnode;
|
|
int cap_check(struct ucred *, struct proc *, cap_value_t, int);
|
|
int cap_change_on_inherit(struct cap *cap_p);
|
|
int cap_inherit(struct vnode *vp, struct proc *p);
|
|
void cap_init_proc0(struct cap *);
|
|
void cap_init_proc1(struct cap *);
|
|
|
|
#else /* !_KERNEL */
|
|
|
|
#define _POSIX_CAP
|
|
|
|
#ifdef _BSD_SSIZE_T_
|
|
typedef _BSD_SSIZE_T_ ssize_t;
|
|
#undef _BSD_SSIZE_T_
|
|
#endif
|
|
|
|
int __cap_get_proc(struct cap *);
|
|
int __cap_set_proc(struct cap *);
|
|
int __cap_get_fd(int, struct cap *);
|
|
int __cap_get_file(const char *, struct cap *);
|
|
int __cap_set_fd(int, struct cap *);
|
|
int __cap_set_file(const char *, struct cap *);
|
|
|
|
int cap_clear(cap_t);
|
|
ssize_t cap_copy_ext(void *, cap_t, ssize_t);
|
|
cap_t cap_copy_int(const void *);
|
|
cap_t cap_dup(cap_t);
|
|
int cap_free(void *);
|
|
cap_t cap_from_text(const char *);
|
|
cap_t cap_get_fd(int);
|
|
cap_t cap_get_file(const char *);
|
|
int cap_get_flag(cap_t, cap_value_t, cap_flag_t, cap_flag_value_t *);
|
|
cap_t cap_get_proc(void);
|
|
cap_t cap_init(void);
|
|
int cap_set_fd(int, cap_t);
|
|
int cap_set_file(const char *, cap_t);
|
|
int cap_set_flag(cap_t, cap_flag_t, int, cap_value_t[] , cap_flag_value_t);
|
|
int cap_set_proc(cap_t);
|
|
ssize_t cap_size(cap_t);
|
|
char *cap_to_text(cap_t, ssize_t *);
|
|
|
|
#endif /* !_KERNEL */
|
|
|
|
#endif /* !_SYS_CAPABILITY_H */
|