authorjpk <none@none>2006-03-24 12:29:20 -0800
committerjpk <none@none>2006-03-24 12:29:20 -0800
commit45916cd2fec6e79bca5dee0421bd39e3c2910d1e (patch)
tree6b3ea6982435d47edc8972c72c62f9d111e8bb10 /usr/src/head
parent2c9565cfcd87a2045c2e4b76f31ac4e978903589 (diff)
PSARC/2002/762 Layered Trusted Solaris
PSARC/2005/060 TSNET: Trusted Networking with Security Labels PSARC/2005/259 Layered Trusted Solaris Label Interfaces PSARC/2005/573 Solaris Trusted Extensions for Printing PSARC/2005/691 Trusted Extensions for Device Allocation PSARC/2005/723 Solaris Trusted Extensions Filesystem Labeling PSARC/2006/009 Labeled Auditing PSARC/2006/155 Trusted Extensions RBAC Changes PSARC/2006/191 is_system_labeled 6293271 Zone processes should use zone_kcred instead of kcred 6394554 integrate Solaris Trusted Extensions --HG-- rename : usr/src/cmd/dminfo/Makefile => deleted_files/usr/src/cmd/dminfo/Makefile rename : usr/src/cmd/dminfo/dminfo.c => usr/src/cmd/allocate/dminfo.c
Diffstat (limited to 'usr/src/head')
-rw-r--r--usr/src/head/auth_list.h28
-rw-r--r--usr/src/head/nss_dbdefs.h26
-rw-r--r--usr/src/head/protocols/routed.h22
-rw-r--r--usr/src/head/tar.h29
-rw-r--r--usr/src/head/ucred.h12
-rw-r--r--usr/src/head/user_attr.h22
-rw-r--r--usr/src/head/zone.h11
7 files changed, 127 insertions, 23 deletions
diff --git a/usr/src/head/auth_list.h b/usr/src/head/auth_list.h
index 4bf9c17511..d0d625bc72 100644
--- a/usr/src/head/auth_list.h
+++ b/usr/src/head/auth_list.h
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
* This is an internal header file. Not to be shipped.
@@ -50,6 +49,27 @@ extern "C" {
#define WIFI_CONFIG_AUTH "solaris.network.wifi.config"
#define WIFI_WEP_AUTH "solaris.network.wifi.wep"
+/*
+ * Authorizations used by Trusted Solaris.
+ */
+#define BYPASS_FILE_VIEW_AUTH "solaris.label.win.noview"
+#define DEVICE_CONFIG_AUTH "solaris.device.config"
+#define FILE_CHOWN_AUTH "solaris.file.chown"
+#define FILE_DOWNGRADE_SL_AUTH "solaris.label.file.downgrade"
+#define FILE_OWNER_AUTH "solaris.file.owner"
+#define FILE_UPGRADE_SL_AUTH "solaris.label.file.upgrade"
+#define PRINT_ADMIN_AUTH "solaris.print.admin"
+#define PRINT_CANCEL_AUTH "solaris.print.cancel"
+#define PRINT_LIST_AUTH "solaris.print.list"
+#define PRINT_MAC_AUTH "solaris.label.print"
+#define PRINT_NOBANNER_AUTH "solaris.print.nobanner"
+#define PRINT_POSTSCRIPT_AUTH "solaris.print.ps"
+#define PRINT_UNLABELED_AUTH "solaris.print.unlabeled"
+#define SHUTDOWN_AUTH "solaris.system.shutdown"
+#define SYS_ACCRED_SET_AUTH "solaris.label.range"
+#define WIN_DOWNGRADE_SL_AUTH "solaris.label.win.downgrade"
+#define WIN_UPGRADE_SL_AUTH "solaris.label.win.upgrade"
+
#ifdef __cplusplus
}
#endif
diff --git a/usr/src/head/nss_dbdefs.h b/usr/src/head/nss_dbdefs.h
index a427674214..dc37584a46 100644
--- a/usr/src/head/nss_dbdefs.h
+++ b/usr/src/head/nss_dbdefs.h
@@ -22,7 +22,7 @@
* Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
- * Database-speficic definitions for the getXXXbyYYY routines
+ * Database-specific definitions for the getXXXbyYYY routines
* (e.g getpwuid_r(), ether_ntohost()) that use the name-service switch.
* Database-independent definitions are in <nss_common.h>
*
@@ -80,6 +80,10 @@ extern "C" {
#define NSS_DBNAM_PROFATTR "prof_attr"
#define NSS_DBNAM_USERATTR "user_attr"
+#define NSS_DBNAM_TSOL_TP "tnrhtp"
+#define NSS_DBNAM_TSOL_RH "tnrhdb"
+#define NSS_DBNAM_TSOL_ZC "tnzonecfg"
+
/* getspnam() et al use the "passwd" config entry but the "shadow" backend */
#define NSS_DBNAM_SHADOW "shadow"
@@ -97,6 +101,7 @@ extern "C" {
#define NSS_FILES_NS "files nis"
#define NSS_NS_FALLBACK "nis [NOTFOUND=return] files"
#define NSS_NS_ONLY "nis"
+#define NSS_TSOL_FALLBACK "files ldap"
#define NSS_DEFCONF_ALIASES NSS_FILES_NS
#define NSS_DEFCONF_AUTOMOUNT NSS_FILES_NS
@@ -127,6 +132,10 @@ extern "C" {
#define NSS_DEFCONF_PROFATTR NSS_DEFCONF_ATTRDB
#define NSS_DEFCONF_EXECATTR NSS_DEFCONF_PROFATTR
+#define NSS_DEFCONF_TSOL_TP NSS_TSOL_FALLBACK
+#define NSS_DEFCONF_TSOL_RH NSS_TSOL_FALLBACK
+#define NSS_DEFCONF_TSOL_ZC NSS_TSOL_FALLBACK
+
/*
* Line-lengths that the "files" and "compat" backends will try to support.
* It may be reasonable (even advisable) to use smaller values than these.
@@ -160,6 +169,12 @@ extern "C" {
#define NSS_MMAPLEN_EXECATTR NSS_LINELEN_EXECATTR * 8
+#define NSS_LINELEN_TSOL NSS_BUFSIZ
+
+#define NSS_LINELEN_TSOL_TP NSS_LINELEN_TSOL
+#define NSS_LINELEN_TSOL_RH NSS_LINELEN_TSOL
+#define NSS_LINELEN_TSOL_ZC NSS_LINELEN_TSOL
+
/*
* Reasonable defaults for 'buflen' values passed to _r functions. The BSD
* and SunOS 4.x implementations of the getXXXbyYYY() functions used hard-
@@ -193,6 +208,11 @@ extern "C" {
#define NSS_BUFLEN_PROFATTR NSS_BUFLEN_ATTRDB
#define NSS_BUFLEN_USERATTR ((NSS_BUFLEN_ATTRDB) * 8)
+#define NSS_BUFLEN_TSOL NSS_LINELEN_TSOL
+
+#define NSS_BUFLEN_TSOL_TP NSS_BUFLEN_TSOL
+#define NSS_BUFLEN_TSOL_RH NSS_BUFLEN_TSOL
+#define NSS_BUFLEN_TSOL_ZC NSS_BUFLEN_TSOL
/*
* Arguments and results, passed between the frontends and backends for
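Review bot: The new `#define NSS_BUFLEN_TSOL_ZC NSS_BUFLEN_TSOL` runs directly into the following `/*` comment block with no separating blank line, whereas the parallel TSOL groups added in this same file (the NSS_DEFCONF_TSOL_* and NSS_LINELEN_TSOL_* blocks) each close with a blank line before the next comment. Adding one blank line after the `NSS_BUFLEN_TSOL_ZC` line keeps the three groups visually consistent.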
@@ -553,6 +573,10 @@ extern char **_nss_netdb_aliases();
#define NSS_DBOP_PROFATTR_BYNAME NSS_DBOP_ATTRDB_BYNAME
#define NSS_DBOP_USERATTR_BYNAME NSS_DBOP_ATTRDB_BYNAME
+#define NSS_DBOP_TSOL_TP_BYNAME (NSS_DBOP_next_iter)
+#define NSS_DBOP_TSOL_RH_BYADDR (NSS_DBOP_next_iter)
+#define NSS_DBOP_TSOL_ZC_BYNAME (NSS_DBOP_next_iter)
+
/*
* Used all over in the switch code. The best home for it I can think of.
* Power-of-two alignments only.
diff --git a/usr/src/head/protocols/routed.h b/usr/src/head/protocols/routed.h
index d4ca467878..db58d9a406 100644
--- a/usr/src/head/protocols/routed.h
+++ b/usr/src/head/protocols/routed.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2002 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -108,6 +108,18 @@ struct netauth {
} au;
};
+struct rip_emetric {
+ uint16_t rip_metric;
+ uint16_t rip_mask;
+ uint32_t rip_token[1];
+};
+
+struct rip_sec_entry {
+ uint32_t rip_dst;
+ uint32_t rip_count;
+ struct rip_emetric rip_emetric[1];
+};
+
struct rip {
uint8_t rip_cmd; /* request/response */
uint8_t rip_vers; /* protocol version # */
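Review bot: `struct rip_sec_entry` pairs a `rip_count` with a `[1]`-sized `rip_emetric` array, so the count presumably arrives in the RIP packet and tells a reader how many entries follow, yet neither field is commented the way the surrounding `struct rip` members are. I would annotate the `rip_count` line with `/* number of rip_emetric entries that follow; a receiver must bound it by the remaining packet length before walking them */` and mark `rip_token[1]` and `rip_emetric[1]` with `/* variable length... */` to match the `ru_nets[1]` convention used further down. Whether `rip_token[1]` is itself variable-length is inferred from the `[1]` idiom rather than stated anywhere in the hunk, so that part should be confirmed against the consumer.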
@@ -116,10 +128,15 @@ struct rip {
struct netinfo ru_nets[1]; /* variable length... */
char ru_tracefile[1]; /* ditto ... */
struct netauth ru_auth[1];
+ struct {
+ uint32_t rip_generation;
+ struct rip_sec_entry rip_sec_entry[1];
+ } ru_tsol;
} ripun;
#define rip_nets ripun.ru_nets
#define rip_tracefile ripun.ru_tracefile
#define rip_auths ripun.ru_auth
+#define rip_tsol ripun.ru_tsol
};
struct entryinfo {
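Review bot: The new `ru_tsol` arm of `ripun` is the only union member in this hunk with no trailing comment, while `ru_nets`, `ru_tracefile` and the anonymous struct's purpose are otherwise self-describing only by name. A short `/* labeled (Trusted Solaris) security response payload */` on the `struct {` line and `/* version of the sender's security configuration — confirm */` on `rip_generation` would bring it in line with the rest of the struct; the meaning of `rip_generation` is not visible in this hunk, so the wording should be checked by the author. The `struct rip` definition begins outside this hunk.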
@@ -149,6 +166,9 @@ struct entryinfo {
#define RIPCMD_POLL 5 /* like request, but anyone answers */
#define RIPCMD_POLLENTRY 6 /* like poll, but for entire entry */
+#define RIPCMD_SEC_RESPONSE 51 /* response includes E-metrics */
+#define RIPCMD_SEC_T_RESPONSE 52 /* tunneling */
+
#define RIPCMD_MAX 7
#define HOPCNT_INFINITY 16 /* per Xerox NS */
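Review bot: `RIPCMD_SEC_RESPONSE 51` and `RIPCMD_SEC_T_RESPONSE 52` are inserted above the unchanged `#define RIPCMD_MAX 7`, so any consumer that validates a command with `cmd < RIPCMD_MAX` or indexes a per-command table of size `RIPCMD_MAX` will treat the new values as out of range. If that is intentional (the 5x values are deliberately outside the standard command space), the header should say so; I would add `/* not counted in RIPCMD_MAX; these sit outside the standard RIPv2 command range */` above the two new lines so the next reader does not "fix" RIPCMD_MAX and silently widen table lookups.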
diff --git a/usr/src/head/tar.h b/usr/src/head/tar.h
index d3dcd35ab6..0510bd7a68 100644
--- a/usr/src/head/tar.h
+++ b/usr/src/head/tar.h
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -19,10 +18,13 @@
*
* CDDL HEADER END
*/
+/*
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
/* Copyright (c) 1988 AT&T */
/* All Rights Reserved */
-
#ifndef _TAR_H
#define _TAR_H
@@ -68,6 +70,25 @@ extern "C" {
#define TOWRITE 00002
#define TOEXEC 00001
+/*
+ * Types used in ancillary files
+ */
+#define ACL_HDR 'A' /* Access Control List */
+#define LBL_TYPE 'L' /* Trusted Extensions file label */
+#define DIR_TYPE 'D' /* Trusted Extensions directory label */
+/*
+ * Attribute types used in Trusted Solaris ancillary files
+ * that are interpreted for backward compatibility
+ */
+#define SLD_TYPE 'S' /* single-level directory component */
+#define PATH_TYPE 'P' /* Path component */
+#define MLD_TYPE 'M' /* multi-level directory component */
+#define FILE_TYPE 'F' /* Have to handle files differently */
+#define APRIV_TYPE 'P' /* allowed privileges data type in file */
+#define FPRIV_TYPE 'p' /* forced privileges data type in file */
+#define COMP_TYPE 'C' /* path components, use for MLD */
+#define ATTR_FLAG_TYPE 'F' /* file attribute flag bytes data type */
+#define LK_COMP_TYPE 'K' /* link data path component */
#ifdef __cplusplus
}
#endif
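Review bot: Two of the new ancillary-file type tags reuse values already defined a few lines above: `APRIV_TYPE 'P'` equals `PATH_TYPE 'P'`, and `ATTR_FLAG_TYPE 'F'` equals `FILE_TYPE 'F'`. A reader that dispatches on the type byte alone therefore cannot distinguish an allowed-privileges record from a path component, or an attribute-flag record from a file record. If the two pairs are disambiguated by position in the ancillary file or by which format version is being parsed, the `Attribute types used in Trusted Solaris ancillary files` comment should state that explicitly, e.g. `/* NOTE: 'P' and 'F' are shared with PATH_TYPE/FILE_TYPE; callers distinguish them by context — confirm */`; if the collision is accidental, one of each pair needs a distinct character before anything is written in this format.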
diff --git a/usr/src/head/ucred.h b/usr/src/head/ucred.h
index a0d4af444a..e10ab26f52 100644
--- a/usr/src/head/ucred.h
+++ b/usr/src/head/ucred.h
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -31,6 +30,7 @@
#include <sys/types.h>
#include <sys/priv.h>
+#include <sys/tsol/label.h>
#ifdef __cplusplus
extern "C" {
@@ -66,6 +66,8 @@ extern int getpeerucred(int, ucred_t **);
extern zoneid_t ucred_getzoneid(const ucred_t *);
+extern bslabel_t *ucred_getlabel(const ucred_t *);
+
extern projid_t ucred_getprojid(const ucred_t *);
#else /* Non ANSI */
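Review bot: `ucred_getlabel()` is the first accessor in this block that returns a pointer rather than a scalar, and the hunk gives no indication of who owns the returned `bslabel_t` or how long it stays valid. The declaration should carry a comment such as `/* returns a pointer into the ucred_t; valid only while that ucred_t is, and must not be freed by the caller — confirm */`, since callers of a credential API are likely to cache the label across a `ucred_free()`. The same comment belongs on the non-ANSI prototype added in the following hunk.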
@@ -93,6 +95,8 @@ extern int getpeerucred(/* int, ucred_t ** */);
extern zoneid_t ucred_getzoneid(/* ucred_t * */);
+extern bslabel_t *ucred_getlabel(/* const ucred_t * */);
+
extern projid_t ucred_getprojid(/* ucred_t * */);
#endif /* __STDC__ */
diff --git a/usr/src/head/user_attr.h b/usr/src/head/user_attr.h
index 2f79d937fd..e5e6c9329c 100644
--- a/usr/src/head/user_attr.h
+++ b/usr/src/head/user_attr.h
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -93,6 +92,21 @@ struct __FILE; /* structure tag for type FILE defined in stdio.h */
#define USERATTR_LIMPRIV_KW "limitpriv"
#define USERATTR_DFLTPRIV_KW "defaultpriv"
#define USERATTR_LOCK_AFTER_RETRIES_KW "lock_after_retries"
+#define USERATTR_CLEARANCE "clearance"
+#define USERATTR_LABELVIEW "labelview"
+#define USERATTR_LABELVIEW_EXTERNAL "external"
+#define USERATTR_LABELVIEW_HIDESL "hidesl"
+#define USERATTR_HIDESL USERATTR_LABELVIEW_HIDESL
+#define USERATTR_LABELVIEW_INTERNAL "internal"
+#define USERATTR_LABELVIEW_SHOWSL "showsl"
+#define USERATTR_LABELTRANS "labeltrans"
+#define USERATTR_LOCK_NO "no"
+#define USERATTR_LOCK_YES "yes"
+#define USERATTR_MINLABEL "min_label"
+#define USERATTR_PASSWD "password"
+#define USERATTR_PASSWD_AUTOMATIC "automatic"
+#define USERATTR_PASSWD_MANUAL "manual"
+#define USERATTR_TYPE_ROLE USERATTR_TYPE_NONADMIN_KW
/*
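Review bot: Two of the new keywords are aliases rather than literal attribute values — `USERATTR_HIDESL` expands to `USERATTR_LABELVIEW_HIDESL` and `USERATTR_TYPE_ROLE` expands to `USERATTR_TYPE_NONADMIN_KW` — but nothing in the hunk says why the second names exist or which one new code should use. A one-line comment on each, e.g. `/* alias: a "role" in user_attr(4) is recorded with type=nonadmin */` on `USERATTR_TYPE_ROLE`, would prevent callers from assuming a distinct "role" value is ever written. The enclosing group of `USERATTR_*_KW` definitions begins outside this hunk.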
diff --git a/usr/src/head/zone.h b/usr/src/head/zone.h
index 407cf5f809..c950ee5aa6 100644
--- a/usr/src/head/zone.h
+++ b/usr/src/head/zone.h
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
* CDDL HEADER END
*/
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
@@ -32,6 +31,7 @@
#include <sys/types.h>
#include <sys/zone.h>
#include <sys/priv.h>
+#include <tsol/label.h>
#ifdef __cplusplus
extern "C" {
@@ -57,7 +57,8 @@ extern int zone_get_id(const char *, zoneid_t *);
/* System call API */
extern zoneid_t zone_create(const char *, const char *,
- const struct priv_set *, const char *, size_t, const char *, size_t, int *);
+ const struct priv_set *, const char *, size_t, const char *, size_t, int *,
+ int, int, const bslabel_t *);
extern int zone_boot(zoneid_t, const char *);
extern int zone_destroy(zoneid_t);
extern ssize_t zone_getattr(zoneid_t, int, void *, size_t);
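Review bot: `zone_create()` gains three trailing parameters, `int, int, const bslabel_t *`, and the two adjacent unnamed `int`s of the same type are easy for a caller to transpose with no compiler diagnostic. The file's convention is unnamed prototypes, so rather than naming them I would add a comment above the declaration listing the argument order, e.g. `/* ..., int <flags?>, int <match?>, const bslabel_t *label — confirm names against sys/zone.h */`; the meaning of the two ints is not visible in this hunk, so the placeholders must be filled in by the author. The `const bslabel_t *` presumably depends on the `<tsol/label.h>` include added in the previous hunk.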