Doug / smarc-fsl-linux-kernel | Embedian Git Server

Blame view

include/linux/securebits.h 2.26 KB

1da177e4c Linus Torvalds Linux-2.6.12-rc2	1 2	#ifndef _LINUX_SECUREBITS_H #define _LINUX_SECUREBITS_H 1
5975c725d Serge E. Hallyn define convenient...	3 4 5 6 7 8 9 10	/* Each securesetting is implemented using two bits. One bit specifies whether the setting is on or off. The other bit specify whether the setting is locked or not. A setting which is locked cannot be changed from user-level. */ #define issecure_mask(X) (1 << (X)) #ifdef __KERNEL__ #define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits)) #endif
1da177e4c Linus Torvalds Linux-2.6.12-rc2	11	#define SECUREBITS_DEFAULT 0x00000000
1da177e4c Linus Torvalds Linux-2.6.12-rc2	12 13 14 15	/* When set UID 0 has no special privileges. When unset, we support inheritance of root-permissions and suid-root executable under compatibility mode. We raise the effective and inheritable bitmasks of the executable file if the effective uid of the new process is
086f7316f Andrew G. Morgan security: filesys...	16	0. If the real uid is 0, we raise the effective (legacy) bit of the
1da177e4c Linus Torvalds Linux-2.6.12-rc2	17	executable file. */
3898b1b4e Andrew G. Morgan capabilities: imp...	18 19	#define SECURE_NOROOT 0 #define SECURE_NOROOT_LOCKED 1 /* make bit-0 immutable */
1da177e4c Linus Torvalds Linux-2.6.12-rc2	20
5975c725d Serge E. Hallyn define convenient...	21 22	#define SECBIT_NOROOT (issecure_mask(SECURE_NOROOT)) #define SECBIT_NOROOT_LOCKED (issecure_mask(SECURE_NOROOT_LOCKED))
086f7316f Andrew G. Morgan security: filesys...	23 24 25 26	/* When set, setuid to/from uid 0 does not trigger capability-"fixup". When unset, to provide compatiblility with old programs relying on setuid to gain/lose privilege, transitions to/from uid 0 cause capabilities to be gained/lost. /
3898b1b4e Andrew G. Morgan capabilities: imp...	27 28	#define SECURE_NO_SETUID_FIXUP 2 #define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */
5975c725d Serge E. Hallyn define convenient...	29 30 31	#define SECBIT_NO_SETUID_FIXUP (issecure_mask(SECURE_NO_SETUID_FIXUP)) #define SECBIT_NO_SETUID_FIXUP_LOCKED \ (issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED))
3898b1b4e Andrew G. Morgan capabilities: imp...	32 33 34 35 36 37 38	/* When set, a process can retain its capabilities even after transitioning to a non-root user (the set-uid fixup suppressed by bit 2). Bit-4 is cleared when a process calls exec(); setting both bit 4 and 5 will create a barrier through exec that no exec()'d child can use this feature again. / #define SECURE_KEEP_CAPS 4 #define SECURE_KEEP_CAPS_LOCKED 5 / make bit-4 immutable */
1da177e4c Linus Torvalds Linux-2.6.12-rc2	39
5975c725d Serge E. Hallyn define convenient...	40 41	#define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS)) #define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED))
1da177e4c Linus Torvalds Linux-2.6.12-rc2	42
3898b1b4e Andrew G. Morgan capabilities: imp...	43 44 45 46	#define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) \| \ issecure_mask(SECURE_NO_SETUID_FIXUP) \| \ issecure_mask(SECURE_KEEP_CAPS)) #define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)
1da177e4c Linus Torvalds Linux-2.6.12-rc2	47 48	#endif /* !_LINUX_SECUREBITS_H */