include/xfs_cred.h

   1 /*
   2  * Copyright (c) 2000-2002 Silicon Graphics, Inc.  All Rights Reserved.
   3  *
   4  * This program is free software; you can redistribute it and/or modify it
   5  * under the terms of version 2 of the GNU General Public License as
   6  * published by the Free Software Foundation.
   7  *
   8  * This program is distributed in the hope that it would be useful, but
   9  * WITHOUT ANY WARRANTY; without even the implied warranty of
  10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  11  *
  12  * Further, this software is distributed without any warranty that it is
  13  * free of the rightful claim of any third person regarding infringement
  14  * or the like.  Any license provided herein, whether implied or
  15  * otherwise, applies only to this software file.  Patent licenses, if
  16  * any, provided herein do not apply to combinations of this program with
  17  * other software, or any other product whatsoever.
  18  *
  19  * You should have received a copy of the GNU General Public License along
  20  * with this program; if not, write the Free Software Foundation, Inc., 59
  21  * Temple Place - Suite 330, Boston MA 02111-1307, USA.
  22  *
  23  * Contact information: Silicon Graphics, Inc., 1600 Amphitheatre Pkwy,
  24  * Mountain View, CA  94043, or:
  25  *
  26  * http://www.sgi.com
  27  *
  28  * For further information regarding this notice, see:
  29  *
  30  * http://oss.sgi.com/projects/GenInfo/SGIGPLNoticeExplan/
  31  */
  32 #ifndef __XFS_CRED_H__
  33 #define __XFS_CRED_H__
  34
  35 /*
  36  * Access Control Lists
  37  */
  38 typedef __uint16_t      xfs_acl_perm_t;
  39 typedef __int32_t       xfs_acl_type_t;
  40 typedef __int32_t       xfs_acl_tag_t;
  41 typedef __int32_t       xfs_acl_id_t;
  42
  43 #define XFS_ACL_MAX_ENTRIES 25
  44 #define XFS_ACL_NOT_PRESENT (-1)
  45
  46 typedef struct xfs_acl_entry {
  47         xfs_acl_tag_t   ae_tag;
  48         xfs_acl_id_t    ae_id;
  49         xfs_acl_perm_t  ae_perm;
  50 } xfs_acl_entry_t;
  51
  52 typedef struct xfs_acl {
  53         __int32_t       acl_cnt;
  54         xfs_acl_entry_t acl_entry[XFS_ACL_MAX_ENTRIES];
  55 } xfs_acl_t;
  56
  57 /*
  58  * Capabilities
  59  */
  60 typedef __uint64_t xfs_cap_value_t;
  61
  62 typedef struct xfs_cap_set {
  63         xfs_cap_value_t cap_effective;  /* use in capability checks */
  64         xfs_cap_value_t cap_permitted;  /* combined with file attrs */
  65         xfs_cap_value_t cap_inheritable;/* pass through exec */
  66 } xfs_cap_set_t;
  67
  68
  69 /*
  70  * Mandatory Access Control
  71  *
  72  * Layout of a composite MAC label:
  73  * ml_list contains the list of categories (MSEN) followed by the list of
  74  * divisions (MINT). This is actually a header for the data structure which
  75  * will have an ml_list with more than one element.
  76  *
  77  *      -------------------------------
  78  *      | ml_msen_type | ml_mint_type |
  79  *      -------------------------------
  80  *      | ml_level     | ml_grade     |
  81  *      -------------------------------
  82  *      | ml_catcount                 |
  83  *      -------------------------------
  84  *      | ml_divcount                 |
  85  *      -------------------------------
  86  *      | category 1                  |
  87  *      | . . .                       |
  88  *      | category N                  | (where N = ml_catcount)
  89  *      -------------------------------
  90  *      | division 1                  |
  91  *      | . . .                       |
  92  *      | division M                  | (where M = ml_divcount)
  93  *      -------------------------------
  94  */
  95 #define XFS_MAC_MAX_SETS        250
  96 typedef struct xfs_mac_label {
  97         __uint8_t       ml_msen_type;   /* MSEN label type */
  98         __uint8_t       ml_mint_type;   /* MINT label type */
  99         __uint8_t       ml_level;       /* Hierarchical level  */
 100         __uint8_t       ml_grade;       /* Hierarchical grade  */
 101         __uint16_t      ml_catcount;    /* Category count */
 102         __uint16_t      ml_divcount;    /* Division count */
 103                                         /* Category set, then Division set */
 104         __uint16_t      ml_list[XFS_MAC_MAX_SETS];
 105 } xfs_mac_label_t;
 106
 107 /* On-disk XFS extended attribute names (access control lists) */
 108 #define SGI_ACL_FILE    "SGI_ACL_FILE"
 109 #define SGI_ACL_DEFAULT "SGI_ACL_DEFAULT"
 110 #define SGI_ACL_FILE_SIZE       (sizeof(SGI_ACL_FILE)-1)
 111 #define SGI_ACL_DEFAULT_SIZE    (sizeof(SGI_ACL_DEFAULT)-1)
 112
 113 /* On-disk XFS extended attribute names (mandatory access control) */
 114 #define SGI_MAC_FILE    "SGI_MAC_FILE"
 115 #define SGI_MAC_FILE_SIZE       (sizeof(SGI_MAC_FILE)-1)
 116
 117 /* On-disk XFS extended attribute names (capabilities) */
 118 #define SGI_CAP_FILE    "SGI_CAP_FILE"
 119 #define SGI_CAP_FILE_SIZE       (sizeof(SGI_CAP_FILE)-1)
 120
 121 /* MSEN label type names. Choose an upper case ASCII character.  */
 122 #define MSEN_ADMIN_LABEL        'A'     /* Admin: low<admin != tcsec<high */
 123 #define MSEN_EQUAL_LABEL        'E'     /* Wildcard - always equal */
 124 #define MSEN_HIGH_LABEL         'H'     /* System High - always dominates */
 125 #define MSEN_MLD_HIGH_LABEL     'I'     /* System High, multi-level dir */
 126 #define MSEN_LOW_LABEL          'L'     /* System Low - always dominated */
 127 #define MSEN_MLD_LABEL          'M'     /* TCSEC label on a multi-level dir */
 128 #define MSEN_MLD_LOW_LABEL      'N'     /* System Low, multi-level dir */
 129 #define MSEN_TCSEC_LABEL        'T'     /* TCSEC label */
 130 #define MSEN_UNKNOWN_LABEL      'U'     /* unknown label */
 131
 132 /* MINT label type names. Choose a lower case ASCII character.  */
 133 #define MINT_BIBA_LABEL         'b'     /* Dual of a TCSEC label */
 134 #define MINT_EQUAL_LABEL        'e'     /* Wildcard - always equal */
 135 #define MINT_HIGH_LABEL         'h'     /* High Grade - always dominates */
 136 #define MINT_LOW_LABEL          'l'     /* Low Grade - always dominated */
 137
 138
 139 #ifdef __KERNEL__
 140
 141 #include <asm/param.h>          /* For NGROUPS */
 142 #include <linux/capability.h>
 143 #include <linux/sched.h>
 144
 145 /*
 146  * Credentials
 147  */
 148 typedef struct cred {
 149         int     cr_ref;                 /* reference count */
 150         ushort  cr_ngroups;             /* number of groups in cr_groups */
 151         uid_t   cr_uid;                 /* effective user id */
 152         gid_t   cr_gid;                 /* effective group id */
 153         uid_t   cr_ruid;                /* real user id */
 154         gid_t   cr_rgid;                /* real group id */
 155         uid_t   cr_suid;                /* "saved" user id (from exec) */
 156         gid_t   cr_sgid;                /* "saved" group id (from exec) */
 157         xfs_mac_label_t *cr_mac;        /* MAC label for B1 and beyond */
 158         xfs_cap_set_t   cr_cap;         /* capability (privilege) sets */
 159         gid_t   cr_groups[NGROUPS];     /* supplementary group list */
 160 } cred_t;
 161
 162 #define VREAD           00400
 163 #define VWRITE          00200
 164 #define VEXEC           00100
 165 #define MACEXEC         00100
 166 #define MACWRITE        00200
 167 #define MACREAD         00400
 168
 169 extern void cred_init(void);
 170 static __inline cred_t *get_current_cred(void) { return NULL; }
 171 /*
 172  * XXX: tes
 173  * This is a hack.
 174  * It assumes that if cred is not null then it is sys_cred which
 175  * has all capabilities.
 176  * One solution may be to implement capable_cred based on linux' capable()
 177  * and initialize all credentials in our xfs linvfs layer.
 178  */
 179 static __inline int capable_cred(cred_t *cr, int cid) { return (cr==NULL) ? capable(cid) : 1; }
 180 extern struct cred *sys_cred;
 181 #endif  /* __KERNEL__ */
 182
 183 #endif  /* __XFS_CRED_H__ */