summaryrefslogtreecommitdiff
path: root/sys/sys/tame.h
blob: 8cfbd036b6a6ed2e2ab8a0b8ca963260f7cd1956 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
/*	$OpenBSD: tame.h,v 1.10 2015/10/06 15:21:26 deraadt Exp $	*/

/*
 * Copyright (c) 2015 Nicholas Marriott <nicm@openbsd.org>
 * Copyright (c) 2015 Theo de Raadt <deraadt@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef _SYS_TAME_H_
#define _SYS_TAME_H_

#ifdef _KERNEL

#include <sys/cdefs.h>

#define TAME_SELF	0x00000001	/* operate on own pid */
#define TAME_RW		0x00000002	/* basic io operations */
#define TAME_MALLOC	0x00000004	/* enough for malloc */
#define TAME_DNSPATH	0x00000008	/* access to DNS pathnames */
#define TAME_RPATH	0x00000010	/* allow open for read */
#define TAME_WPATH	0x00000020	/* allow open for write */
#define TAME_TMPPATH	0x00000040	/* for mk*temp() */
#define TAME_INET	0x00000080	/* AF_INET/AF_INET6 sockets */
#define TAME_UNIX	0x00000100	/* AF_UNIX sockets */
// reuse, old CMSG	0x00000200
#define TAME_IOCTL	0x00000400	/* Select ioctl */
#define TAME_GETPW	0x00000800	/* YP enables if ypbind.lock */
#define TAME_PROC	0x00001000	/* fork, waitpid, etc */
#define TAME_CPATH	0x00002000	/* allow creat, mkdir, path creations */
#define TAME_FATTR	0x00004000	/* allow explicit file st_* mods */
#define TAME_PROTEXEC	0x00008000	/* allow use of PROT_EXEC */
#define TAME_TTY	0x00010000	/* tty setting */
#define TAME_SENDFD	0x00020000	/* AF_UNIX CMSG fd sending */
#define TAME_RECVFD	0x00040000	/* AF_UNIX CMSG fd receiving */

#define TAME_ABORT	0x08000000	/* SIGABRT instead of SIGKILL */

/* Following flags are set by kernel, as it learns things.
 * Not user settable. Should be moved to a seperate variable */
#define TAME_USERSET	0x0fffffff
#define TAME_YP_ACTIVE	0x10000000	/* YP use detected and allowed */
#define TAME_DNS_ACTIVE	0x20000000	/* DNS use detected and allowed */

int	tame_check(struct proc *, int);
int	tame_fail(struct proc *, int, int);
int	tame_namei(struct proc *, char *);
void	tame_aftersyscall(struct proc *, int, int);

struct mbuf;
int	tame_cmsg_send(struct proc *p, struct mbuf *control);
int	tame_cmsg_recv(struct proc *p, struct mbuf *control);
int	tame_sysctl_check(struct proc *p, int namelen, int *name, void *new);
int	tame_adjtime_check(struct proc *p, const void *v);
int	tame_recvfrom_check(struct proc *p, void *from);
int	tame_sendto_check(struct proc *p, const void *to);
int	tame_bind_check(struct proc *p, const void *v);
int	tame_connect_check(struct proc *p);
int	tame_socket_check(struct proc *p, int domain);
int	tame_setsockopt_check(struct proc *p, int level, int optname);
int	tame_dns_check(struct proc *p, in_port_t port);
int	tame_ioctl_check(struct proc *p, long com, void *);

#define TAME_MAXPATHS	8192

struct whitepaths {
	size_t	wl_size;
	int	wl_count;
	int	wl_ref;
	struct whitepath {
		char		*name;
		size_t		len;
	} wl_paths[0];
};

#endif /* _KERNEL */

#endif /* _SYS_TAME_H_ */