Main Page | Modules | Namespace List | Class Hierarchy | Data Structures | Directories | File List | Namespace Members | Data Fields | Globals

lsm_cmd.h

Go to the documentation of this file.
00001 /* lsm_cmd.h
00002 
00003 Copyright 2006, ACCESS Systems Americas, Inc. All rights reserved.
00004 
00005 The contents of this file are subject to the Mozilla Public License Version
00006 1.1 (the "License"); you may not use this file except in compliance with
00007 the License. You may obtain a copy of the License at
00008 http://www.mozilla.org/MPL/
00009 
00010 Software distributed under the License is distributed on an "AS IS" basis,
00011 WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00012 for the specific language governing rights and limitations under the
00013 License.
00014 
00015 The Original Code is the entire contents of this file.
00016 
00017 The Initial Developer of the Original Code is ACCESS Systems Americas, Inc.
00018 
00019 Portions created by ACCESS Systems Americas, Inc. are Copyright © 2006. All
00020 Rights Reserved.
00021 
00022 Contributor(s): none.
00023 
00024  * This header file contains #defines and structures common to both
00025  * kernel and user space SPF functions.
00026  */
00027 
00028 #ifndef _LSM_CMD_H_
00029 #define _LSM_CMD_H_
00030 
00031 #ifdef __cplusplus
00032 extern "C" {
00033 #endif /* __cplusplus */
00034 
00035 #define SPF_LSM_DEV_IN              "/dev/security_in"
00036 #define LSMSPF_PRIMARY_INIT_FILE    "/var/opt/alp/data/lib/security/LSMSPF_init"
00037 
00038 /* standard Input Command message structure */
00039 typedef struct Alp_lsmCmd_unit {
00040     u_int32_t   command;        /* LSM_SPF command number */
00041     u_int32_t   subject_id;     /* Subject identifier */
00042     u_int32_t   object_id1;     /* (first) object identifier */
00043     u_int32_t   object_id2;     /* (second) object identifier */
00044     u_int32_t   object_id3;     /* (third) object identifier */
00045     u_int32_t   process_id;     /* thread identifier */
00046     u_int32_t   bit_flag;       /* Permission Field */
00047     int32_t     status;         /* return status for 'command' */        
00048 } Alp_lsmCmd_unit;
00049 
00050 
00051 /* SPF-LSM Command definitions */
00052 /* ACL Set commands */
00053 #define ALP_LSMCMD_SET_CREATE           1   /* Create New (but empty) ACL Set Container */
00054 #define ALP_LSMCMD_SET_MODIFY           2   /* Modify bit_flag of existing ACL Set container */
00055 #define ALP_LSMCMD_SET_DELETE           3   /* Delete an existing ACL Set container */
00056 #define ALP_LSMCMD_SET_RESET_ALL        4   /* Removes ALL existing ACL sets AND D-Cache objs */
00057 /* ACL Unit commands */
00058 #define ALP_LSMCMD_ACL_INODE_ADD        5   /* Add Inode ACL to a Policy Set */
00059 #define ALP_LSMCMD_ACL_INODE_MODIFY     6   /* Modify bit flag of a inode ACL */
00060 #define ALP_LSMCMD_ACL_INODE_DELETE     7   /* Delete Inode ACL from Policy Set */
00061 #define ALP_LSMCMD_ACL_INODE_RESET      8   /* remove ALL Inode ACL Set entries */
00062 #define ALP_LSMCMD_ACL_NET_ADD          9   /* Add Net (IP) ACL to policy set */
00063 #define ALP_LSMCMD_ACL_NET_MODIFY       10  /* Modify bit_flag of Net (IP) Perm Unit ACL */
00064 #define ALP_LSMCMD_ACL_NET_DELETE       11  /* Delete ACL Net (IP) from Set */
00065 #define ALP_LSMCMD_ACL_NET_RESET        12  /* remove ALL Dev ACL set entries */
00066 #define ALP_LSMCMD_ACL_RESET_ALL        13  /* remove ALL Dev AND Inode ACL entries */
00067 /* D-Cache commands */
00068 #define ALP_LSMCMD_DCACHE_ADD           14  /* Add new App/Policy mapping */
00069 #define ALP_LSMCMD_DCACHE_MODIFY        15  /* Modify App/Policy mapping */
00070 #define ALP_LSMCMD_DCACHE_ALL_MOD       16  /* Change all matching Policy ID to new mapping */
00071 #define ALP_LSMCMD_DCACHE_DELETE        17  /* Delete App/Policy mapping */
00072 #define ALP_LSMCMD_DCACHE_RESET_ALL     18  /* Removes ALL EXISTING D-CACHE objects */
00073 /* D-Cache Signal/Socket flag commands */
00074 #define ALP_LSMCMD_DSIG_ADD             19  /* Add a bit mask bit to the D-Cache sig_field */
00075 #define ALP_LSMCMD_DSIG_DEL             20  /* Delete a bit mask from the D-Cache sig_field */
00076 #define ALP_LSMCMD_DSIG_RESET           21  /* Wipe the D-Cache sig_field */
00077 /* DCL Unit commands */
00078 #define ALP_LSMCMD_DCL_INODE_ADD        22  /* Add Inode DCL to a D-Cache */
00079 #define ALP_LSMCMD_DCL_INODE_MODIFY     23  /* Modify bit flag of a inode DCL */
00080 #define ALP_LSMCMD_DCL_INODE_DELETE     24  /* Delete Inode DCL from D-Cache */
00081 #define ALP_LSMCMD_DCL_INODE_RESET      25  /* remove ALL Inode DCL from D-Cache */
00082 #define ALP_LSMCMD_DCL_NET_ADD          26  /* Add Net (IP) DCL to D-Cache */
00083 #define ALP_LSMCMD_DCL_NET_MODIFY       27  /* Modify bit_flag of Net DCL */
00084 #define ALP_LSMCMD_DCL_NET_DELETE       28  /* Delete Net (IP) DCL from D-Cache */
00085 #define ALP_LSMCMD_DCL_NET_RESET        29  /* remove ALL Net (IP) DCL D cache */
00086 #define ALP_LSMCMD_DCL_RESET_ALL        30  /* remove ALL Dev & Inode DCL from D-Cache */
00087 /* SPF-LSM PID commands */
00088 #define ALP_LSMCMD_PID_MAP              31  /* Map a PID to a App Pkg ID (D-Cache) obj */
00089 #define ALP_LSMCMD_PID_STAT             32  /* Get Security Properties of PID */
00090 /* SPF-LSM Module commands */
00091 #define ALP_LSMCMD_LSM_ENABLE           33  /* Enable LSM security functionality */
00092 #define ALP_LSMCMD_LSM_DISABLE          34  /* Disable LSM security functionality */
00093 #define ALP_LSMCMD_LSM_DUMP_META        35  /* (Reserved) Create Metadata file from LSM data */
00094 #define ALP_LSMCMD_LSM_LOAD_META        36  /* Load Metadata file (alternate initialization) */
00095 
00096 /* Security Properties Bit-Mask fields */
00097 /* ACL Set Bit-Flags */
00098 #define ALP_LSMSET_BFLAG_EXCLUSIVE  0   /* anything not denied is permitted */
00099 #define ALP_LSMSET_BFLAG_INET_INCL  1   /* any IP addr not permitted is denied */
00100 #define ALP_LSMSET_BFLAG_INET_ASK   2   /* any IP addr not permitted is asked */
00101 #define ALP_LSMSET_BFLAG_INO_INCL   4   /* inode access not permitted is denied */
00102 #define ALP_LSMSET_BFLAG_INO_ASK    8   /* inode access not permitted is asked */
00103 #define ALP_LSMSET_BFLAG_SOCK_INCL  16  /* Socket access not permitted is denied */
00104 #define ALP_LSMSET_BFLAG_SOCK_ASK   32  /* Socket access not permitted is asked */
00105 /* ACL Set Sig-Flags */
00106 #define ALP_LSMSET_SFLAG_BLOCK_ALL_SOCKET       0x00000001      /* Block all socket create */
00107 #define ALP_LSMSET_SFLAG_PERMIT_SOCKET          0x00000002      /* Permit all sockets create */
00108 #define ALP_LSMSET_SFLAG_BLOCK_INET             0x00000004      /* Block all IPv4 Sockets */
00109 #define ALP_LSMSET_SFLAG_PERMIT_INET            0x00000008      /* Permit all IPv4 sockets */
00110 #define ALP_LSMSET_SFLAG_BLOCK_IRDA             0x00000010      /* Block all IRDA Sockets */
00111 #define ALP_LSMSET_SFLAG_PERMIT_IRDA            0x00000020      /* Permit IRDA Sockets */
00112 #define ALP_LSMSET_SFLAG_BLOCK_BLUETOOTH        0x00000040      /* Block all Bluetooth Sockets */
00113 #define ALP_LSMSET_SFLAG_PERMIT_BLUE            0x00000080      /* Permit all Bluetooth Sockets */
00114 #define ALP_LSMSET_SFLAG_BLOCK_UNIX             0x00000100      /* Block all IPC Sockets */
00115 #define ALP_LSMSET_SFLAG_PERMIT_UNIX            0x00000200      /* Permit all IPC sockets */
00116 #define ALP_LSMSET_SFLAG_BLOCK_FD_RECEIVE       0x00000400      /* Block receiving File Desc via IPC */
00117 #define ALP_LSMSET_SFLAG_PERMIT_FD_RECEIVE      0x00000800      /* Allow receiving file Desc via IPC */
00118 #define ALP_LSMSET_SFLAG_NO_CONNECT             0x00001000      /* Block socket connect */
00119 #define ALP_LSMSET_SFLAG_ASK_CONNECT            0x00002000      /* Ask for socket connect */
00120 #define ALP_LSMSET_SFLAG_PERMIT_CONNECT         0x00004000      /* Permit Socket connect */
00121 #define ALP_LSMSET_SFLAG_NO_LISTEN              0x00008000      /* Block socket listen */
00122 #define ALP_LSMSET_SFLAG_ASK_LISTEN             0x00010000      /* Ask for socket listen */
00123 #define ALP_LSMSET_SFLAG_PERMIT_LISTEN          0x00020000      /* Permit Socket listen */
00124 /* D-Cache Obj Sig-Flags */
00125 #define ALP_LSMDCH_SFLAG_CONNECT_INET_DENY          0x00000001  /* Deny ALL IPv4 Connect */
00126 #define ALP_LSMDCH_SFLAG_CONNECT_INET_BLOCK         0x00000002  /* Block once IPv4 Connect */
00127 #define ALP_LSMDCH_SFLAG_CONNECT_INET_ALLOW         0x00000004  /* Allow once IPv4 Connect */
00128 #define ALP_LSMDCH_SFLAG_CONNECT_INET_PERMIT        0x00000008  /* Permit ALL IPv4 Connect */
00129 #define ALP_LSMDCH_SFLAG_CONNECT_IRDA_DENY          0x00000010  /* Deny ALL IRDA Connect */
00130 #define ALP_LSMDCH_SFLAG_CONNECT_IRDA_BLOCK         0x00000020  /* Block once IRDA Connect */
00131 #define ALP_LSMDCH_SFLAG_CONNECT_IRDA_ALLOW         0x00000040  /* Allow Once IRDA Connect */
00132 #define ALP_LSMDCH_SFLAG_CONNECT_IRDA_PERMIT        0x00000080  /* Permit ALL IRDA Connect */
00133 #define ALP_LSMDCH_SFLAG_CONNECT_BLUETOOTH_DENY     0x00000100  /* Deny ALL BLUETOOTH Connect */
00134 #define ALP_LSMDCH_SFLAG_CONNECT_BLUETOOTH_BLOCK    0x00000200  /* Block once BLUETOOTH Connect */
00135 #define ALP_LSMDCH_SFLAG_CONNECT_BLUETOOTH_ALLOW    0x00000400  /* Allow Once BLUETOOTH Connect */
00136 #define ALP_LSMDCH_SFLAG_CONNECT_BLUETOOTH_PERMIT   0x00000800  /* Permit BLUETOOTH Connect */
00137 #define ALP_LSMDCH_SFLAG_CONNECT_UNIX_DENY          0x00001000  /* Deny ALL IPC Connect */
00138 #define ALP_LSMDCH_SFLAG_CONNECT_UNIX_BLOCK         0x00002000  /* Block once IPC Connect */
00139 #define ALP_LSMDCH_SFLAG_CONNECT_UNIX_ALLOW         0x00004000  /* Allow Once IPC Connect */
00140 #define ALP_LSMDCH_SFLAG_CONNECT_UNIX_PERMIT        0x00008000  /* Permit IPC Connect */
00141 #define ALP_LSMDCH_SFLAG_LISTEN_INET_DENY           0x00010000  /* Deny all IPv4 Listen */
00142 #define ALP_LSMDCH_SFLAG_LISTEN_INET_BLOCK          0x00020000  /* Block once IPv4 Listen */
00143 #define ALP_LSMDCH_SFLAG_LISTEN_INET_ALLOW          0x00040000  /* Allow once IPv4 Listen */
00144 #define ALP_LSMDCH_SFLAG_LISTEN_INET_PERMIT         0x00080000  /* Permit all IPv4 Listen */
00145 #define ALP_LSMDCH_SFLAG_LISTEN_IRDA_DENY           0x00100000  /* Deny all IRDA Listen */
00146 #define ALP_LSMDCH_SFLAG_LISTEN_IRDA_BLOCK          0x00200000  /* Block once IRDA Listen */
00147 #define ALP_LSMDCH_SFLAG_LISTEN_IRDA_ALLOW          0x00400000  /* Allow once IRDA Listen */
00148 #define ALP_LSMDCH_SFLAG_LISTEN_IRDA_PERMIT         0x00800000  /* Permit all IRDA Listen */
00149 #define ALP_LSMDCH_SFLAG_LISTEN_BLUETOOTH_DENY      0x01000000  /* Deny all BLUETOOTH Listen */
00150 #define ALP_LSMDCH_SFLAG_LISTEN_BLUETOOTH_BLOCK     0x02000000  /* Block once BLUETOOTH Listen */
00151 #define ALP_LSMDCH_SFLAG_LISTEN_BLUETOOTH_ALLOW     0x04000000  /* Allow once all BLUETOOTH Listen */
00152 #define ALP_LSMDCH_SFLAG_LISTEN_BLUETOOTH_PERMIT    0x08000000  /* Permit all BLUETOOTH Listen */
00153 #define ALP_LSMDCH_SFLAG_LISTEN_UNIX_DENY           0x10000000  /* Deny all IPC Listen */
00154 #define ALP_LSMDCH_SFLAG_LISTEN_UNIX_BLOCK          0x20000000  /* Block once IPC Listen */
00155 #define ALP_LSMDCH_SFLAG_LISTEN_UNIX_ALLOW          0x40000000  /* Allow Once all IPC Listen */
00156 #define ALP_LSMDCH_SFLAG_LISTEN_UNIX_PERMIT         0x80000000  /* Permit all IPC Listen */
00157 /* ACL Unit Bit-flags */
00158 #define ALP_LSMACL_BFLAG_DENY       1   /* Default Deny */
00159 #define ALP_LSMACL_BFLAG_PERMIT     2   /* Default Permit */
00160 #define ALP_LSMACL_BFLAG_ASK        4   /* Default Ask */
00161 /* DCL Unit Bit-Flags */
00162 #define ALP_LSMDCL_BFLAG_DENY       1   /* unconditional deny */
00163 #define ALP_LSMDCL_BFLAG_PERMIT     2   /* unconditional permit */
00164 #define ALP_LSMDCL_BFLAG_BLOCK      4   /* block once only */
00165 #define ALP_LSMDCL_BFLAG_ALLOW      8   /* allow ONCE ONLY */
00166 
00167 /* Acknowledgement Message Error codes */
00168 #ifndef ALP_CLASS_LSM
00169 #define ALP_CLASS_LSM 0x1F000000
00170 #endif /* ALP_CLASS_LSM */
00171 
00172 #define ALP_STATUS_LSM_NO_SUB       (ALP_CLASS_LSM | 1 )    /* subject_id does not exist */
00173 #define ALP_STATUS_LSM_DUP_SUB      (ALP_CLASS_LSM | 2 )    /* duplicate subject_id */
00174 #define ALP_STATUS_LSM_INUSE_SUB    (ALP_CLASS_LSM | 3 )    /* subject_id in use, can't be deleted */
00175 #define ALP_STATUS_LSM_NO_OBJ       (ALP_CLASS_LSM | 4 )    /* object_id does not exist */
00176 #define ALP_STATUS_LSM_DUP_OBJ      (ALP_CLASS_LSM | 5 )    /* duplicate object_id */
00177 #define ALP_STATUS_LSM_DCACHE_BUSY  (ALP_CLASS_LSM | 6 )    /* D-Cache in use by App */
00178 #define ALP_STATUS_LSM_NO_THREAD    (ALP_CLASS_LSM | 7 )    /* Can't find thread from pid */
00179 #define ALP_STATUS_LSM_FOPEN_FAIL   (ALP_CLASS_LSM | 8 )    /* Kernel File Open error */
00180 #define ALP_STATUS_LSM_FWRITE_FAIL  (ALP_CLASS_LSM | 9 )    /* Kernel File Write error */
00181 #define ALP_STATUS_LSM_BAD_INIT_CMD (ALP_CLASS_LSM | 10 )   /* Unexpected Init Cmd */
00182 
00183 /* Kernel LSM Specific data structures, global variables and function declarations */
00184 #ifdef __KERNEL__
00185 
00186 /* Global ACL Set Linked List structures */
00187 extern struct list_head         glsmList_ACLset_anchor; /* global ACL Set linked list anchor */
00188 extern struct rw_semaphore      glsmList_ACLset_flag;   /* ACL Set linked list R/W Semaphore */
00189 
00190 /* Global D-Cache Set Linked List structures */
00191 extern struct list_head glsmList_DCACH_anchor;      /* global D-Cache linked list anchor */
00192 extern struct rw_semaphore glsmList_DCACH_flag;     /* D-Cache list R/W Semaphore */
00193 
00194 /* enable/disable LSM enforcement functionality */
00195 extern atomic_t glsmCmd_LSM_toggle;
00196 
00197 
00198 /* prv_lsmCmd_process_command
00199  * This function interpets and implements the SPF-LSM command interface.
00200  * 
00201  * Inputs:
00202  * Alp_lsmCmd_unit* cmd_unit_ptr: Ptr to Command structure for input
00203  *
00204  * Implied Inputs (Global Variables)
00205  * struct list_head glsmList_ACLset_anchor;     * global ACL Set linked list anchor *
00206  * struct rw_semaphore glsmList_ACLset_flag;    * ACL Set linked list R/W Semaphore *
00207  * struct list_head glsmList_DCACH_anchor;      * global D-Cache linked list anchor *
00208  * struct rw_semaphore glsmList_DCACH_flag;     * ACL Set/D-Cache list R/W Semaphore *
00209  * atomic_t glsmCmd_Msg_toggle;                 * Message Acknowledement toggle *
00210  * atomic_t glsmCmd_LSM_toggle;                 * LSM enforcement toggle *
00211  *
00212  * Side-Effects:
00213  * Depending on the Command, Kernel Memory may be allocated/deallocated.
00214  * Module global variables may be modified
00215  *
00216  * Outputs:
00217  * Alp_lsmCmd_unit::command: Value is set to 0 (SUCCESS) or error code.
00218  *
00219  * Returns int:
00220  * 0 = Success: Command successful
00221  * Anything else: error response of command/sys call
00222  */
00223 int prv_lsmCmd_process_command(
00224         Alp_lsmCmd_unit* cmd_unit_ptr);/* Pointer to command unit buffer */
00225 
00226 
00227 /* prv_lsmCmd_init()
00228  * Initializes static global structures 
00229  */
00230 int prv_lsmCmd_init(void);
00231 
00232 
00233 /* prv_lsmCmd_cleanup()
00234  * Cleanup static global structures
00235  */
00236 int prv_lsmCmd_cleanup(void);
00237 
00238 
00239 #endif /* __KERNEL__ */
00240 
00241 
00242 #ifdef __cplusplus
00243 }
00244 #endif /* __cplusplus */
00245 
00246 #endif /* LSM_CMD */

Generated on Sat Dec 16 20:29:47 2006 for hiker-0.9 by  doxygen 1.4.4