xnu-1699.22.81.tar.gz

[apple/xnu.git] / bsd / sys / ucred.h

diff --git a/bsd/sys/ucred.h b/bsd/sys/ucred.h
index 6860d9214915b63e9fc98052f7ebd4dcebe9536a..6d914a4dff265cf5d6f2b90194ee7e3e04a901bc 100644 (file)
--- a/bsd/sys/ucred.h
+++ b/bsd/sys/ucred.h
@@ -60,6 +60,12 @@
  *
  *     @(#)ucred.h     8.4 (Berkeley) 1/9/95
  */
+/*
+ * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
+ * support for mandatory and extensible security protections.  This notice
+ * is included in support of clause 2.2 (b) of the Apple Public License,
+ * Version 2.0.
+ */
 
 #ifndef _SYS_UCRED_H_
 #define        _SYS_UCRED_H_
@@ -69,19 +75,26 @@
 #include <sys/param.h>
 #include <bsm/audit.h>
 
+struct label;
+
 #ifdef __APPLE_API_UNSTABLE
+#include <sys/queue.h>
 
 /*
  * In-kernel credential structure.
  *
  * Note that this structure should not be used outside the kernel, nor should
- * it or copies of it be exported outside.  
+ * it or copies of it be exported outside.
  */
 struct ucred {
        TAILQ_ENTRY(ucred)      cr_link; /* never modify this without KAUTH_CRED_HASH_LOCK */
        u_long  cr_ref;                 /* reference count */
        
-       /* credential hash depends on everything from this point on (see kauth_cred_get_hashkey) */
+struct posix_cred {
+       /*
+        * The credential hash depends on everything from this point on
+        * (see kauth_cred_get_hashkey)
+        */
        uid_t   cr_uid;                 /* effective user id */
        uid_t   cr_ruid;                /* real user id */
        uid_t   cr_svuid;               /* saved user id */
@@ -89,10 +102,29 @@ struct ucred {
        gid_t   cr_groups[NGROUPS];     /* advisory group list */
        gid_t   cr_rgid;                /* real group id */
        gid_t   cr_svgid;               /* saved group id */
-       uid_t   cr_gmuid;               /* user id for group membership purposes */
-       struct auditinfo cr_au;         /* user auditing data */
+       uid_t   cr_gmuid;               /* UID for group membership purposes */
+       int     cr_flags;               /* flags on credential */
+} cr_posix;
+       struct label    *cr_label;      /* MAC label */
+       /* 
+        * NOTE: If anything else (besides the flags)
+        * added after the label, you must change
+        * kauth_cred_find().
+        */
+       struct au_session cr_audit;             /* user auditing data */
 };
+#ifndef _KAUTH_CRED_T
+#define        _KAUTH_CRED_T
 typedef struct ucred *kauth_cred_t;
+typedef struct posix_cred *posix_cred_t;
+#endif /* !_KAUTH_CRED_T */
+
+/*
+ * Credential flags that can be set on a credential
+ */
+#define CRF_NOMEMBERD  0x00000001      /* memberd opt out by setgroups() */
+#define CRF_MAC_ENFORCE 0x00000002     /* force entry through MAC Framework */
+                                       /* also forces credential cache miss */
 
 /*
  * This is the external representation of struct ucred.
@@ -116,6 +148,8 @@ struct xucred {
 __BEGIN_DECLS
 int            crcmp(kauth_cred_t cr1, kauth_cred_t cr2);
 int            suser(kauth_cred_t cred, u_short *acflag);
+int            is_suser(void);
+int            is_suser1(void);
 int            set_security_token(struct proc * p);
 void           cru2x(kauth_cred_t cr, struct xucred *xcr);
 __END_DECLS