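/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#ifndef _SMB_PRIVILEGE_H
#define _SMB_PRIVILEGE_H

#pragma ident   "%Z%%M% %I%     %E% SMI"

/*
 * NT-style privilege definitions for the SMB server: the well-known
 * privilege names and LUIDs, the attribute bits carried with each
 * privilege, the privilege-set container and the lookup/manipulation
 * interfaces implemented elsewhere in the server.
 *
 * smb_xdr.h is expected to supply bool_t and ANY_SIZE_ARRAY, both of
 * which are used below.
 */
#include <smbsrv/smb_xdr.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Privileges
 *
 * Privileges apply to all objects and override the access controls
 * in an object's security descriptor in a manner specific to each
 * privilege.  Because a privilege bypasses the DACL check rather than
 * being subject to it, every privilege placed in a session's token
 * widens what that user may do to every object on the server, not just
 * to objects the DACL already grants.  Grant the minimum set required;
 * in particular the backup, restore and take-ownership privileges
 * listed below amount to full control over all files.
 *
 * Privileges are still not fully defined.  Privileges are defined in a
 * set structure (LUID = Locally Unique Identifier).
 *
 * The default LUID, name and display names defined on NT 4.0 are:
 *
 * LUID  Privilege Name                    Display Name
 * ----  --------------                    ------------
 * 0:2   SeCreateTokenPrivilege            Create a token object
 * 0:3   SeAssignPrimaryTokenPrivilege     Replace a process level token
 * 0:4   SeLockMemoryPrivilege             Lock pages in memory
 * 0:5   SeIncreaseQuotaPrivilege          Increase quotas
 * 0:6   SeMachineAccountPrivilege         Add workstations to domain
 * 0:7   SeTcbPrivilege                    Act as part of the operating system
 * 0:8   SeSecurityPrivilege               Manage auditing and security log
 * 0:9   SeTakeOwnershipPrivilege          Take ownership of files or other objects
 * 0:10  SeLoadDriverPrivilege             Load and unload device drivers
 * 0:11  SeSystemProfilePrivilege          Profile system performance
 * 0:12  SeSystemtimePrivilege             Change the system time
 * 0:13  SeProfileSingleProcessPrivilege   Profile single process
 * 0:14  SeIncreaseBasePriorityPrivilege   Increase scheduling priority
 * 0:15  SeCreatePagefilePrivilege         Create a pagefile
 * 0:16  SeCreatePermanentPrivilege        Create permanent shared objects
 * 0:17  SeBackupPrivilege                 Back up files and directories
 * 0:18  SeRestorePrivilege                Restore files and directories
 * 0:19  SeShutdownPrivilege               Shut down the system
 * 0:20  SeDebugPrivilege                  Debug programs
 * 0:21  SeAuditPrivilege                  Generate security audits
 * 0:22  SeSystemEnvironmentPrivilege      Modify firmware environment values
 * 0:23  SeChangeNotifyPrivilege           Bypass traverse checking
 * 0:24  SeRemoteShutdownPrivilege         Force shutdown from a remote system
 */

/*
 * Privilege names
 *
 * These are the wire/display spellings of the privileges and must match
 * the Windows names exactly (they are compared by clients and in LSA
 * RPC).  SE_UNSOLICITED_INPUT_NAME has a name but no LUID in this
 * header; it is not part of the table above.
 */
#define SE_CREATE_TOKEN_NAME            "SeCreateTokenPrivilege"
#define SE_ASSIGNPRIMARYTOKEN_NAME      "SeAssignPrimaryTokenPrivilege"
#define SE_LOCK_MEMORY_NAME             "SeLockMemoryPrivilege"
#define SE_INCREASE_QUOTA_NAME          "SeIncreaseQuotaPrivilege"
#define SE_UNSOLICITED_INPUT_NAME       "SeUnsolicitedInputPrivilege"
#define SE_MACHINE_ACCOUNT_NAME         "SeMachineAccountPrivilege"
#define SE_TCB_NAME                     "SeTcbPrivilege"
#define SE_SECURITY_NAME                "SeSecurityPrivilege"
#define SE_TAKE_OWNERSHIP_NAME          "SeTakeOwnershipPrivilege"
#define SE_LOAD_DRIVER_NAME             "SeLoadDriverPrivilege"
#define SE_SYSTEM_PROFILE_NAME          "SeSystemProfilePrivilege"
#define SE_SYSTEMTIME_NAME              "SeSystemtimePrivilege"
#define SE_PROF_SINGLE_PROCESS_NAME     "SeProfileSingleProcessPrivilege"
#define SE_INC_BASE_PRIORITY_NAME       "SeIncreaseBasePriorityPrivilege"
#define SE_CREATE_PAGEFILE_NAME         "SeCreatePagefilePrivilege"
#define SE_CREATE_PERMANENT_NAME        "SeCreatePermanentPrivilege"
#define SE_BACKUP_NAME                  "SeBackupPrivilege"
#define SE_RESTORE_NAME                 "SeRestorePrivilege"
#define SE_SHUTDOWN_NAME                "SeShutdownPrivilege"
#define SE_DEBUG_NAME                   "SeDebugPrivilege"
#define SE_AUDIT_NAME                   "SeAuditPrivilege"
#define SE_SYSTEM_ENVIRONMENT_NAME      "SeSystemEnvironmentPrivilege"
#define SE_CHANGE_NOTIFY_NAME           "SeChangeNotifyPrivilege"
#define SE_REMOTE_SHUTDOWN_NAME         "SeRemoteShutdownPrivilege"

/*
 * Privilege LUIDs
 *
 * Low 32 bits of each privilege's LUID; the high part is zero for all
 * of the well-known privileges (see the table above).  These are the
 * values used as the "id" argument of the smb_priv_* and smb_privset_*
 * functions declared below.
 */
#define SE_CREATE_TOKEN_LUID            2
#define SE_ASSIGNPRIMARYTOKEN_LUID      3
#define SE_LOCK_MEMORY_LUID             4
#define SE_INCREASE_QUOTA_LUID          5
#define SE_MACHINE_ACCOUNT_LUID         6
#define SE_TCB_LUID                     7
#define SE_SECURITY_LUID                8
#define SE_TAKE_OWNERSHIP_LUID          9
#define SE_LOAD_DRIVER_LUID             10
#define SE_SYSTEM_PROFILE_LUID          11
#define SE_SYSTEMTIME_LUID              12
#define SE_PROF_SINGLE_PROCESS_LUID     13
#define SE_INC_BASE_PRIORITY_LUID       14
#define SE_CREATE_PAGEFILE_LUID         15
#define SE_CREATE_PERMANENT_LUID        16
#define SE_BACKUP_LUID                  17
#define SE_RESTORE_LUID                 18
#define SE_SHUTDOWN_LUID                19
#define SE_DEBUG_LUID                   20
#define SE_AUDIT_LUID                   21
#define SE_SYSTEM_ENVIRONMENT_LUID      22
#define SE_CHANGE_NOTIFY_LUID           23
#define SE_REMOTE_SHUTDOWN_LUID         24

/*
 * Privilege attributes
 *
 * Bit flags carried in smb_luid_attrs_t.attrs alongside each LUID.
 * The values follow the Windows SE_PRIVILEGE_* definitions.  A privilege
 * that is merely present in a set but lacks SE_PRIVILEGE_ENABLED is
 * expected not to take effect, as on Windows; confirm against the
 * smb_privset_query() implementation before relying on that here.
 */
#define SE_PRIVILEGE_DISABLED           0x00000000
#define SE_PRIVILEGE_ENABLED_BY_DEFAULT 0x00000001
#define SE_PRIVILEGE_ENABLED            0x00000002
#define SE_PRIVILEGE_USED_FOR_ACCESS    0x80000000

/*
 * Privilege Set Control flags
 *
 * Value of smb_privset_t.control.  On Windows this flag means that every
 * privilege in the set must be held for a privilege check to succeed;
 * how this server interprets it is not visible from this header.
 */
#define PRIVILEGE_SET_ALL_NECESSARY     1

/*
 * Locally Unique Identifier: a 64-bit value split into two 32-bit
 * halves.  For the well-known privileges hi_part is always zero.
 */
typedef struct smb_luid {
	uint32_t lo_part;
	uint32_t hi_part;
} smb_luid_t;


/*
 * One entry of a privilege set: a LUID plus its SE_PRIVILEGE_* attrs.
 */
typedef struct smb_luid_attrs {
	smb_luid_t luid;
	uint32_t attrs;
} smb_luid_attrs_t;


/*
 * Privilege set: a variable-length array of priv_cnt entries preceded by
 * the count and a PRIVILEGE_SET_* control word.  priv[] is declared with
 * ANY_SIZE_ARRAY (from smb_xdr.h) so the real element count is
 * priv_cnt, not the declared array size; use smb_privset_size() and
 * smb_privset_new() rather than sizeof (smb_privset_t) when allocating.
 *
 * NOTE(review): when a privset is decoded from the wire (see the XDR
 * routines at the end of this header) the consumer must check that
 * priv_cnt agrees with the number of elements actually received before
 * indexing priv[]; nothing in this header enforces that bound.
 */
typedef struct smb_privset {
	uint32_t priv_cnt;
	uint32_t control;
	smb_luid_attrs_t priv[ANY_SIZE_ARRAY];
} smb_privset_t;

/*
 * These are possible values for smb_privinfo_t.flags
 *
 * PF_PRESENTABLE	Privilege is user visible
 */
#define PF_PRESENTABLE 0x1

/*
 * Structure for passing privilege name and id information around within
 * the system.  Note that we are only storing the low uint32_t of the LUID;
 * the high part is always zero here.
 *
 * id		LUID low part (one of the SE_*_LUID values)
 * name		privilege name (one of the SE_*_NAME strings)
 * display_name	human-readable description
 * flags	PF_* bits
 */
typedef struct smb_privinfo {
	uint32_t id;
	char *name;
	char *display_name;
	uint16_t flags;
} smb_privinfo_t;

/*
 * Privilege table lookups.
 *
 * smb_priv_getbyvalue()	look up by LUID low part
 * smb_priv_getbyname()		look up by privilege name
 *
 * Both return a pointer to an smb_privinfo_t; whether an unknown id/name
 * yields NULL is determined by the implementation, so callers should
 * check the result.  smb_priv_presentable_num() reports how many entries
 * carry PF_PRESENTABLE and smb_priv_presentable_ids() copies up to num of
 * their ids into ids[], returning a count.
 */
smb_privinfo_t *smb_priv_getbyvalue(uint32_t id);
smb_privinfo_t *smb_priv_getbyname(char *name);
int smb_priv_presentable_num(void);
int smb_priv_presentable_ids(uint32_t *ids, int num);

/*
 * Privilege set management.
 *
 * smb_privset_new()	allocate a privset (release with smb_privset_free())
 * smb_privset_size()	size in bytes of a privset as allocated above
 * smb_privset_init()	reset a privset to its initial (empty) state
 * smb_privset_copy()	copy src into dst; dst must be large enough
 * smb_privset_enable()	mark privilege id as enabled in privset
 * smb_privset_query()	non-zero when privilege id is held in privset
 * smb_privset_log()	write the contents of privset to the log
 *
 * The zero-argument functions are declared with (void) so that calls
 * passing stray arguments are rejected by the compiler; an empty
 * parameter list would accept anything.
 */
smb_privset_t *smb_privset_new(void);
int smb_privset_size(void);
void smb_privset_init(smb_privset_t *privset);
void smb_privset_free(smb_privset_t *privset);
void smb_privset_copy(smb_privset_t *dst, smb_privset_t *src);
void smb_privset_enable(smb_privset_t *privset, uint32_t id);
int smb_privset_query(smb_privset_t *privset, uint32_t id);
void smb_privset_log(smb_privset_t *privset);

/*
 * XDR routines
 *
 * Declared without prototypes, so argument types are not checked at the
 * call sites; their parameter lists are defined in the XDR source, not
 * visible here.  Data decoded by xdr_smb_privset_t() comes from the wire
 * and must be treated as untrusted (see the note on smb_privset_t).
 */
extern bool_t xdr_smb_luid_t();
extern bool_t xdr_smb_luid_attrs_t();
extern bool_t xdr_smb_privset_t();

#ifdef __cplusplus
}
#endif

#endif /* _SMB_PRIVILEGE_H */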