2
* Copyright (c) 1999, 2000, 2001, 2002, 2004, 2005, 2006, 2007
3
* NOVELL (All rights reserved)
7
* This program is free software; you can redistribute it and/or
8
* modify it under the terms of the GNU General Public License as
9
* published by the Free Software Foundation, version 2 of the
12
* This program is distributed in the hope that it will be useful,
13
* but WITHOUT ANY WARRANTY; without even the implied warranty of
14
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
* GNU General Public License for more details.
17
* You should have received a copy of the GNU General Public License
18
* along with this program; if not, contact Novell, Inc.
25
* Modeled after MAY_READ, MAY_WRITE, MAY_EXEC in the kernel. The value of
26
* AA_MAY_EXEC must be identical to MAY_EXEC, etc.
28
#define AA_MAY_EXEC (1 << 0)
29
#define AA_MAY_WRITE (1 << 1)
30
#define AA_MAY_READ (1 << 2)
31
#define AA_MAY_APPEND (1 << 3)
32
#define AA_MAY_LINK (1 << 4)
33
#define AA_MAY_LOCK (1 << 5)
34
#define AA_EXEC_MMAP (1 << 6)
35
#define AA_EXEC_PUX (1 << 7)
36
#define AA_EXEC_UNSAFE (1 << 8)
37
#define AA_EXEC_INHERIT (1 << 9)
38
#define AA_EXEC_MOD_0 (1 << 10)
39
#define AA_EXEC_MOD_1 (1 << 11)
40
#define AA_EXEC_MOD_2 (1 << 12)
41
#define AA_EXEC_MOD_3 (1 << 13)
43
#define AA_BASE_PERMS (AA_MAY_EXEC | AA_MAY_WRITE | \
44
AA_MAY_READ | AA_MAY_APPEND | \
45
AA_MAY_LINK | AA_MAY_LOCK | \
46
AA_EXEC_PUX | AA_EXEC_MMAP | \
47
AA_EXEC_UNSAFE | AA_EXEC_INHERIT | \
48
AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
49
AA_EXEC_MOD_2 | AA_EXEC_MOD_3)
51
#define AA_USER_SHIFT 0
52
#define AA_OTHER_SHIFT 14
54
#define AA_USER_PERMS (AA_BASE_PERMS << AA_USER_SHIFT)
55
#define AA_OTHER_PERMS (AA_BASE_PERMS << AA_OTHER_SHIFT)
57
#define AA_FILE_PERMS (AA_USER_PERMS | AA_OTHER_PERMS )
59
#define AA_USER_PTRACE (1 << 28)
60
#define AA_OTHER_PTRACE (1 << 29)
61
#define AA_PTRACE_PERMS (AA_USER_PTRACE | AA_OTHER_PTRACE)
63
#define AA_CHANGE_HAT (1 << 30)
64
#define AA_ONEXEC (1 << 30)
65
#define AA_CHANGE_PROFILE (1 << 31)
66
#define AA_SHARED_PERMS (AA_CHANGE_HAT | AA_CHANGE_PROFILE)
68
#define AA_EXEC_MODIFIERS (AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
69
AA_EXEC_MOD_2 | AA_EXEC_MOD_3)
70
#define AA_EXEC_COUNT 16
72
#define AA_USER_EXEC_MODIFIERS (AA_EXEC_MODIFIERS << AA_USER_SHIFT)
73
#define AA_OTHER_EXEC_MODIFIERS (AA_EXEC_MODIFIERS << AA_OTHER_SHIFT)
74
#define AA_ALL_EXEC_MODIFIERS (AA_USER_EXEC_MODIFIERS | \
75
AA_OTHER_EXEC_MODIFIERS)
77
#define AA_EXEC_TYPE (AA_EXEC_UNSAFE | AA_EXEC_INHERIT | \
78
AA_EXEC_PUX | AA_EXEC_MODIFIERS)
80
#define AA_EXEC_UNCONFINED (AA_EXEC_MOD_0)
81
#define AA_EXEC_PROFILE (AA_EXEC_MOD_1)
82
#define AA_EXEC_LOCAL (AA_EXEC_MOD_0 | AA_EXEC_MOD_1)
84
#define AA_VALID_PERMS (AA_FILE_PERMS | AA_PTRACE_PERMS | \
87
#define AA_USER_EXEC (AA_MAY_EXEC << AA_USER_SHIFT)
88
#define AA_OTHER_EXEC (AA_MAY_EXEC << AA_OTHER_SHIFT)
90
#define AA_EXEC_BITS (AA_USER_EXEC | AA_OTHER_EXEC)
92
#define ALL_AA_EXEC_UNSAFE ((AA_EXEC_UNSAFE << AA_USER_SHIFT) | \
93
(AA_EXEC_UNSAFE << AA_OTHER_SHIFT))
95
#define AA_USER_EXEC_TYPE (AA_EXEC_TYPE << AA_USER_SHIFT)
96
#define AA_OTHER_EXEC_TYPE (AA_EXEC_TYPE << AA_OTHER_SHIFT)
98
#define ALL_AA_EXEC_TYPE (AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE)
100
#define ALL_USER_EXEC (AA_USER_EXEC | AA_USER_EXEC_TYPE)
101
#define ALL_OTHER_EXEC (AA_OTHER_EXEC | AA_OTHER_EXEC_TYPE)
103
#define AA_LINK_BITS ((AA_MAY_LINK << AA_USER_SHIFT) | \
104
(AA_MAY_LINK << AA_OTHER_SHIFT))
106
#define SHIFT_MODE(MODE, SHIFT) ((((MODE) & AA_BASE_PERMS) << (SHIFT))\
107
| ((MODE) & ~AA_FILE_PERMS))
108
#define SHIFT_TO_BASE(MODE, SHIFT) ((((MODE) & AA_FILE_PERMS) >> (SHIFT))\
109
| ((MODE) & ~AA_FILE_PERMS))
112
#define AA_LINK_SUBSET_TEST (AA_MAY_LINK << 1)
113
#define LINK_SUBSET_BITS ((AA_LINK_SUBSET_TEST << AA_USER_SHIFT) | \
114
(AA_LINK_SUBSET_TEST << AA_OTHER_SHIFT))
115
#define LINK_TO_LINK_SUBSET(X) (((X) << 1) & AA_LINK_SUBSET_TEST)
118
/* Pack the audit, and quiet masks into a single 28 bit field in the
121
#define PACK_AUDIT_CTL(audit, quiet) (((audit) & 0x1fc07f) | \
122
(((quiet) & 0x1fc07f) << 7))
124
#define AA_HAT_SIZE 975 /* Maximum size of a subdomain
126
#define AA_IP_TCP 0x0001
127
#define AA_IP_UDP 0x0002
128
#define AA_IP_RDP 0x0004
129
#define AA_IP_RAW 0x0008
130
#define AA_IPV6_TCP 0x0010
131
#define AA_IPV6_UDP 0x0020
132
#define AA_NETLINK 0x0040
141
#define HAS_MAY_READ(mode) ((mode) & AA_MAY_READ)
142
#define HAS_MAY_WRITE(mode) ((mode) & AA_MAY_WRITE)
143
#define HAS_MAY_APPEND(mode) ((mode) & AA_MAY_APPEND)
144
#define HAS_MAY_EXEC(mode) ((mode) & AA_MAY_EXEC)
145
#define HAS_MAY_LINK(mode) ((mode) & AA_MAY_LINK)
146
#define HAS_MAY_LOCK(mode) ((mode) & AA_MAY_LOCK)
147
#define HAS_EXEC_MMAP(mode) ((mode) & AA_EXEC_MMAP)
149
#define HAS_EXEC_UNSAFE(mode) ((mode) & AA_EXEC_UNSAFE)
150
#define HAS_CHANGE_PROFILE(mode) ((mode) & AA_CHANGE_PROFILE)
153
static inline int is_merged_x_consistent(int a, int b)
155
if ((a & AA_USER_EXEC) && (b & AA_USER_EXEC) &&
156
((a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)))
157
{ //fprintf(stderr, "failed user merge 0x%x 0x%x\n", a, b);
160
if ((a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC) &&
161
((a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)))
162
{ //fprintf(stderr, "failed other merge 0x%x 0x%x\n", a, b);
168
#endif /* ! _IMMUNIX_H */