X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/8f6c56a50524aa785f7e596d52dddfb331e18961..d9a64523371fa019c4575bb400cbbc3a50ac9903:/bsd/sys/ucred.h?ds=sidebyside diff --git a/bsd/sys/ucred.h b/bsd/sys/ucred.h index 0603ebab8..dae092dac 100644 --- a/bsd/sys/ucred.h +++ b/bsd/sys/ucred.h @@ -60,6 +60,12 @@ * * @(#)ucred.h 8.4 (Berkeley) 1/9/95 */ +/* + * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce + * support for mandatory and extensible security protections. This notice + * is included in support of clause 2.2 (b) of the Apple Public License, + * Version 2.0. + */ #ifndef _SYS_UCRED_H_ #define _SYS_UCRED_H_ @@ -69,19 +75,26 @@ #include #include +struct label; + #ifdef __APPLE_API_UNSTABLE +#include /* * In-kernel credential structure. * * Note that this structure should not be used outside the kernel, nor should - * it or copies of it be exported outside. + * it or copies of it be exported outside. */ struct ucred { TAILQ_ENTRY(ucred) cr_link; /* never modify this without KAUTH_CRED_HASH_LOCK */ u_long cr_ref; /* reference count */ - /* credential hash depends on everything from this point on (see kauth_cred_get_hashkey) */ +struct posix_cred { + /* + * The credential hash depends on everything from this point on + * (see kauth_cred_get_hashkey) + */ uid_t cr_uid; /* effective user id */ uid_t cr_ruid; /* real user id */ uid_t cr_svuid; /* saved user id */ @@ -89,10 +102,29 @@ struct ucred { gid_t cr_groups[NGROUPS]; /* advisory group list */ gid_t cr_rgid; /* real group id */ gid_t cr_svgid; /* saved group id */ - uid_t cr_gmuid; /* user id for group membership purposes */ - struct auditinfo cr_au; /* user auditing data */ + uid_t cr_gmuid; /* UID for group membership purposes */ + int cr_flags; /* flags on credential */ +} cr_posix; + struct label *cr_label; /* MAC label */ + /* + * NOTE: If anything else (besides the flags) + * added after the label, you must change + * kauth_cred_find(). + */ + struct au_session cr_audit; /* user auditing data */ }; +#ifndef _KAUTH_CRED_T +#define _KAUTH_CRED_T typedef struct ucred *kauth_cred_t; +typedef struct posix_cred *posix_cred_t; +#endif /* !_KAUTH_CRED_T */ + +/* + * Credential flags that can be set on a credential + */ +#define CRF_NOMEMBERD 0x00000001 /* memberd opt out by setgroups() */ +#define CRF_MAC_ENFORCE 0x00000002 /* force entry through MAC Framework */ + /* also forces credential cache miss */ /* * This is the external representation of struct ucred. @@ -109,12 +141,15 @@ struct xucred { #define NOCRED ((kauth_cred_t )0) /* no credential available */ #define FSCRED ((kauth_cred_t )-1) /* filesystem credential */ +#define IS_VALID_CRED(_cr) ((_cr) != NOCRED && (_cr) != FSCRED) + #ifdef KERNEL #ifdef __APPLE_API_OBSOLETE __BEGIN_DECLS int crcmp(kauth_cred_t cr1, kauth_cred_t cr2); int suser(kauth_cred_t cred, u_short *acflag); int set_security_token(struct proc * p); +int set_security_token_task_internal(struct proc *p, void *task); void cru2x(kauth_cred_t cr, struct xucred *xcr); __END_DECLS #endif /* __APPLE_API_OBSOLETE */