/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
 */

#ifndef _SECURITY_NDL_
#define	_SECURITY_NDL_

/*
 * Always defined here, so every "#ifndef USE_UINT_ENUMS" branch below is
 * compiled out: the constants are plain #define'd integers rather than
 * enum members.
 */
#define	USE_UINT_ENUMS 1

/*
 * 128-bit GUID/UUID; the field names follow the RFC 4122 layout.  Used by
 * the object-ACE unions further down to identify an object type.
 */
struct GUID {
	DWORD time_low;
	WORD time_mid;
	WORD time_hi_and_version;
	BYTE clock_seq[2];
	BYTE node[6];
};

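/*
 * Access-mask layout.  The four SEC_MASK_* values are disjoint and together
 * cover all 32 bits: generic rights in the top nibble, the SYSTEM_SECURITY
 * and MAXIMUM_ALLOWED request flags in bits 24-27, the standard rights
 * common to every object type in bits 16-23, and object-specific rights in
 * the low 16 bits.
 */
#define	SEC_MASK_GENERIC	0xF0000000
#define	SEC_MASK_FLAGS		0x0F000000
#define	SEC_MASK_STANDARD	0x00FF0000
#define	SEC_MASK_SPECIFIC	0x0000FFFF
#define	SEC_GENERIC_ALL		0x10000000
#define	SEC_GENERIC_EXECUTE	0x20000000
#define	SEC_GENERIC_WRITE	0x40000000
#define	SEC_GENERIC_READ	0x80000000
#define	SEC_FLAG_SYSTEM_SECURITY 0x01000000
#define	SEC_FLAG_MAXIMUM_ALLOWED 0x02000000
/*
 * Standard rights.  SEC_STD_REQUIRED is DELETE|READ_CONTROL|WRITE_DAC|
 * WRITE_OWNER; SEC_STD_ALL adds SYNCHRONIZE.
 */
#define	SEC_STD_DELETE		0x00010000
#define	SEC_STD_READ_CONTROL	0x00020000
#define	SEC_STD_WRITE_DAC	0x00040000
#define	SEC_STD_WRITE_OWNER	0x00080000
#define	SEC_STD_SYNCHRONIZE	0x00100000
#define	SEC_STD_REQUIRED	0x000F0000
#define	SEC_STD_ALL		0x001F0000
/*
 * Object-specific rights.  The SEC_FILE_*, SEC_DIR_*, SEC_REG_* and
 * SEC_ADS_* sets reuse the same low bits, so a raw mask value cannot be
 * interpreted without knowing what kind of object the ACE guards.  Note
 * that SEC_FILE_ALL (0x1ff) includes bit 0x40, which has no SEC_FILE_ name
 * here and is SEC_DIR_DELETE_CHILD in the directory set.
 */
#define	SEC_FILE_READ_DATA	0x00000001
#define	SEC_FILE_WRITE_DATA	0x00000002
#define	SEC_FILE_APPEND_DATA	0x00000004
#define	SEC_FILE_READ_EA	0x00000008
#define	SEC_FILE_WRITE_EA	0x00000010
#define	SEC_FILE_EXECUTE	0x00000020
#define	SEC_FILE_READ_ATTRIBUTE	0x00000080
#define	SEC_FILE_WRITE_ATTRIBUTE 0x00000100
#define	SEC_FILE_ALL		0x000001ff
#define	SEC_DIR_LIST		0x00000001
#define	SEC_DIR_ADD_FILE	0x00000002
#define	SEC_DIR_ADD_SUBDIR	0x00000004
#define	SEC_DIR_READ_EA		0x00000008
#define	SEC_DIR_WRITE_EA	0x00000010
#define	SEC_DIR_TRAVERSE	0x00000020
#define	SEC_DIR_DELETE_CHILD	0x00000040
#define	SEC_DIR_READ_ATTRIBUTE	0x00000080
#define	SEC_DIR_WRITE_ATTRIBUTE	0x00000100
#define	SEC_REG_QUERY_VALUE	0x00000001
#define	SEC_REG_SET_VALUE	0x00000002
#define	SEC_REG_CREATE_SUBKEY	0x00000004
#define	SEC_REG_ENUM_SUBKEYS	0x00000008
#define	SEC_REG_NOTIFY		0x00000010
#define	SEC_REG_CREATE_LINK	0x00000020
#define	SEC_ADS_CREATE_CHILD	0x00000001
#define	SEC_ADS_DELETE_CHILD	0x00000002
#define	SEC_ADS_LIST		0x00000004
#define	SEC_ADS_SELF_WRITE	0x00000008
#define	SEC_ADS_READ_PROP	0x00000010
#define	SEC_ADS_WRITE_PROP	0x00000020
#define	SEC_ADS_DELETE_TREE	0x00000040
#define	SEC_ADS_LIST_OBJECT	0x00000080
#define	SEC_ADS_CONTROL_ACCESS	0x00000100
/*
 * Composite rights.  Each expansion is parenthesized so that it behaves as
 * a single operand: left unparenthesized, "mask & SEC_RIGHTS_FILE_READ"
 * parses as "(mask & SEC_STD_READ_CONTROL) | SEC_STD_SYNCHRONIZE | ..."
 * and reports read access as granted for any mask value at all.
 */
#define	SEC_RIGHTS_FILE_READ	(SEC_STD_READ_CONTROL|SEC_STD_SYNCHRONIZE|SEC_FILE_READ_DATA|SEC_FILE_READ_ATTRIBUTE|SEC_FILE_READ_EA)
#define	SEC_RIGHTS_FILE_WRITE	(SEC_STD_READ_CONTROL|SEC_STD_SYNCHRONIZE|SEC_FILE_WRITE_DATA|SEC_FILE_WRITE_ATTRIBUTE|SEC_FILE_WRITE_EA|SEC_FILE_APPEND_DATA)
#define	SEC_RIGHTS_FILE_EXECUTE	(SEC_STD_SYNCHRONIZE|SEC_STD_READ_CONTROL|SEC_FILE_READ_ATTRIBUTE|SEC_FILE_EXECUTE)
#define	SEC_RIGHTS_FILE_ALL	(SEC_STD_ALL|SEC_FILE_ALL)
#define	SEC_RIGHTS_DIR_READ	SEC_RIGHTS_FILE_READ
#define	SEC_RIGHTS_DIR_WRITE	SEC_RIGHTS_FILE_WRITE
#define	SEC_RIGHTS_DIR_EXECUTE	SEC_RIGHTS_FILE_EXECUTE
#define	SEC_RIGHTS_DIR_ALL	SEC_RIGHTS_FILE_ALL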
/*
 * Well-known SIDs in textual "S-1-<authority>-<rid>..." form.  These are
 * string literals, not struct dom_sid values, so they have to be parsed
 * before they can be compared with a decoded SID.  SID_WORLD_DOMAIN,
 * SID_CREATOR_OWNER_DOMAIN, SID_NT_AUTHORITY and SID_BUILTIN are the
 * authority prefixes of the entries that follow each of them.
 */
#define	SID_NULL		"S-1-0-0"
#define	SID_WORLD_DOMAIN	"S-1-1"
#define	SID_WORLD		"S-1-1-0"
#define	SID_CREATOR_OWNER_DOMAIN "S-1-3"
#define	SID_CREATOR_OWNER	"S-1-3-0"
#define	SID_CREATOR_GROUP	"S-1-3-1"
#define	SID_NT_AUTHORITY	"S-1-5"
#define	SID_NT_DIALUP		"S-1-5-1"
#define	SID_NT_NETWORK		"S-1-5-2"
#define	SID_NT_BATCH		"S-1-5-3"
#define	SID_NT_INTERACTIVE	"S-1-5-4"
#define	SID_NT_SERVICE		"S-1-5-6"
#define	SID_NT_ANONYMOUS	"S-1-5-7"
#define	SID_NT_PROXY		"S-1-5-8"
#define	SID_NT_ENTERPRISE_DCS	"S-1-5-9"
#define	SID_NT_SELF		"S-1-5-10"
#define	SID_NT_AUTHENTICATED_USERS "S-1-5-11"
#define	SID_NT_RESTRICTED	"S-1-5-12"
#define	SID_NT_TERMINAL_SERVER_USERS "S-1-5-13"
#define	SID_NT_REMOTE_INTERACTIVE "S-1-5-14"
#define	SID_NT_THIS_ORGANISATION  "S-1-5-15"
#define	SID_NT_SYSTEM		"S-1-5-18"
#define	SID_NT_LOCAL_SERVICE	"S-1-5-19"
#define	SID_NT_NETWORK_SERVICE	"S-1-5-20"
#define	SID_BUILTIN		"S-1-5-32"
#define	SID_BUILTIN_ADMINISTRATORS "S-1-5-32-544"
#define	SID_BUILTIN_USERS	"S-1-5-32-545"
#define	SID_BUILTIN_GUESTS	"S-1-5-32-546"
#define	SID_BUILTIN_POWER_USERS	"S-1-5-32-547"
#define	SID_BUILTIN_ACCOUNT_OPERATORS	"S-1-5-32-548"
#define	SID_BUILTIN_SERVER_OPERATORS	"S-1-5-32-549"
#define	SID_BUILTIN_PRINT_OPERATORS	"S-1-5-32-550"
#define	SID_BUILTIN_BACKUP_OPERATORS	"S-1-5-32-551"
#define	SID_BUILTIN_REPLICATOR	"S-1-5-32-552"
#define	SID_BUILTIN_RAS_SERVERS	"S-1-5-32-553"
#define	SID_BUILTIN_PREW2K	"S-1-5-32-554"
/*
 * Relative identifiers (the final sub-authority) of well-known domain
 * accounts and groups; they only identify something once appended to a
 * specific domain SID.  NT4_ACL_REVISION and SD_REVISION are aliases for
 * SECURITY_ACL_REVISION_NT4 and SECURITY_DESCRIPTOR_REVISION_1, which are
 * #define'd later in this file; the preprocessor expands the alias where
 * it is used, so the forward reference is harmless.
 */
#define	DOMAIN_RID_LOGON	9
#define	DOMAIN_RID_ADMINISTRATOR 500
#define	DOMAIN_RID_GUEST	501
#define	DOMAIN_RID_ADMINS	512
#define	DOMAIN_RID_USERS	513
#define	DOMAIN_RID_DCS		516
#define	DOMAIN_RID_CERT_ADMINS	517
#define	DOMAIN_RID_SCHEMA_ADMINS 518
#define	DOMAIN_RID_ENTERPRISE_ADMINS 519
#define	NT4_ACL_REVISION	SECURITY_ACL_REVISION_NT4
#define	SD_REVISION		SECURITY_DESCRIPTOR_REVISION_1

/*
 * Privilege ordinals.  USE_UINT_ENUMS is defined at the top of this file,
 * so the enum branch is never compiled and the #define branch below is the
 * live one; both list the same values 1..24 and must be kept in sync.
 * NOTE(review): nothing here relates these numbers to a Windows LUID or to
 * a wire encoding, so treat them as local identifiers unless a consumer
 * shows otherwise.  The two DWORD masks in security_token presumably
 * index them by bit -- confirm.
 */
#ifndef USE_UINT_ENUMS
	enum sec_privilege {
	SEC_PRIV_SECURITY=1,
	SEC_PRIV_BACKUP=2,
	SEC_PRIV_RESTORE=3,
	SEC_PRIV_SYSTEMTIME=4,
	SEC_PRIV_SHUTDOWN=5,
	SEC_PRIV_REMOTE_SHUTDOWN=6,
	SEC_PRIV_TAKE_OWNERSHIP=7,
	SEC_PRIV_DEBUG=8,
	SEC_PRIV_SYSTEM_ENVIRONMENT=9,
	SEC_PRIV_SYSTEM_PROFILE=10,
	SEC_PRIV_PROFILE_SINGLE_PROCESS=11,
	SEC_PRIV_INCREASE_BASE_PRIORITY=12,
	SEC_PRIV_LOAD_DRIVER=13,
	SEC_PRIV_CREATE_PAGEFILE=14,
	SEC_PRIV_INCREASE_QUOTA=15,
	SEC_PRIV_CHANGE_NOTIFY=16,
	SEC_PRIV_UNDOCK=17,
	SEC_PRIV_MANAGE_VOLUME=18,
	SEC_PRIV_IMPERSONATE=19,
	SEC_PRIV_CREATE_GLOBAL=20,
	SEC_PRIV_ENABLE_DELEGATION=21,
	SEC_PRIV_INTERACTIVE_LOGON=22,
	SEC_PRIV_NETWORK_LOGON=23,
	SEC_PRIV_REMOTE_INTERACTIVE_LOGON=24
};
#else

#define	SEC_PRIV_SECURITY			1
#define	SEC_PRIV_BACKUP				2
#define	SEC_PRIV_RESTORE			3
#define	SEC_PRIV_SYSTEMTIME			4
#define	SEC_PRIV_SHUTDOWN			5
#define	SEC_PRIV_REMOTE_SHUTDOWN		6
#define	SEC_PRIV_TAKE_OWNERSHIP			7
#define	SEC_PRIV_DEBUG				8
#define	SEC_PRIV_SYSTEM_ENVIRONMENT		9
#define	SEC_PRIV_SYSTEM_PROFILE			10
#define	SEC_PRIV_PROFILE_SINGLE_PROCESS		11
#define	SEC_PRIV_INCREASE_BASE_PRIORITY		12
#define	SEC_PRIV_LOAD_DRIVER			13
#define	SEC_PRIV_CREATE_PAGEFILE		14
#define	SEC_PRIV_INCREASE_QUOTA			15
#define	SEC_PRIV_CHANGE_NOTIFY			16
#define	SEC_PRIV_UNDOCK				17
#define	SEC_PRIV_MANAGE_VOLUME			18
#define	SEC_PRIV_IMPERSONATE			19
#define	SEC_PRIV_CREATE_GLOBAL			20
#define	SEC_PRIV_ENABLE_DELEGATION		21
#define	SEC_PRIV_INTERACTIVE_LOGON		22
#define	SEC_PRIV_NETWORK_LOGON			23
#define	SEC_PRIV_REMOTE_INTERACTIVE_LOGON	24
#endif

/*
 * Security identifier (SID) in structured form.  sid_rev_num is the SID
 * revision, id_auth the 6-byte identifier authority and sub_auths the
 * sub-authority list; num_auths is presumably its element count, but no
 * size annotation ties the two together here.
 * NOTE(review): if this is decoded from client data, num_auths must be
 * bounded (MS-DTYP allows at most 15 sub-authorities) before sub_auths is
 * allocated or walked -- confirm the decoder does so.
 */
struct dom_sid {
	BYTE sid_rev_num;
	BYTE num_auths;
	BYTE id_auth[6];
	DWORD *sub_auths;
};

/*
 * bitmap security_ace_flags, carried in security_ace.flags.  The low four
 * bits control inheritance and SEC_ACE_FLAG_VALID_INHERIT (0x0f) is their
 * combined mask; INHERITED_ACE marks an entry that was inherited rather
 * than set directly; the top two bits select auditing of successful and
 * failed access and presumably only apply to the audit/alarm ACE types.
 * Bit 0x20 is not defined here.
 */
#define	SEC_ACE_FLAG_OBJECT_INHERIT		0x01
#define	SEC_ACE_FLAG_CONTAINER_INHERIT		0x02
#define	SEC_ACE_FLAG_NO_PROPAGATE_INHERIT	0x04
#define	SEC_ACE_FLAG_INHERIT_ONLY		0x08
#define	SEC_ACE_FLAG_INHERITED_ACE		0x10
#define	SEC_ACE_FLAG_VALID_INHERIT		0x0f
#define	SEC_ACE_FLAG_SUCCESSFUL_ACCESS		0x40
#define	SEC_ACE_FLAG_FAILED_ACCESS		0x80

/*
 * ACE types, stored in security_ace.security_ace_type.  0-3 are the plain
 * allow/deny/audit/alarm entries, 4 the compound form and 5-8 the object
 * variants that presumably carry the GUIDs declared below.  USE_UINT_ENUMS
 * is defined at the top of this file, so the enum branch is never compiled
 * and only the #define branch is live; keep the two value lists in sync.
 */
#ifndef USE_UINT_ENUMS
enum security_ace_type {
	SEC_ACE_TYPE_ACCESS_ALLOWED=0,
	SEC_ACE_TYPE_ACCESS_DENIED=1,
	SEC_ACE_TYPE_SYSTEM_AUDIT=2,
	SEC_ACE_TYPE_SYSTEM_ALARM=3,
	SEC_ACE_TYPE_ALLOWED_COMPOUND=4,
	SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT=5,
	SEC_ACE_TYPE_ACCESS_DENIED_OBJECT=6,
	SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT=7,
	SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT=8
};
#else
#define	SEC_ACE_TYPE_ACCESS_ALLOWED		0
#define	SEC_ACE_TYPE_ACCESS_DENIED		1
#define	SEC_ACE_TYPE_SYSTEM_AUDIT		2
#define	SEC_ACE_TYPE_SYSTEM_ALARM		3
#define	SEC_ACE_TYPE_ALLOWED_COMPOUND		4
#define	SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT	5
#define	SEC_ACE_TYPE_ACCESS_DENIED_OBJECT	6
#define	SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT	7
#define	SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT	8
#endif

/*
 * bitmap security_ace_object_flags, for security_ace_object.flags.  Each
 * bit presumably announces whether the corresponding GUID (object type or
 * inherited object type, the unions below) is present in an object ACE.
 */
#define	SEC_ACE_OBJECT_TYPE_PRESENT		0x00000001
#define	SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT	0x00000002

/*
 * Object-type GUID of an object ACE, written as a single-arm NDL union:
 * only discriminator value 0 carries the GUID and no other arm is declared.
 * Not a member of struct security_ace_object below, which holds only flags.
 */
union security_ace_object_type {
	CASE(0) struct GUID type;
};

/*
 * Inherited-object-type GUID of an object ACE; same single-arm NDL union
 * shape as security_ace_object_type, with only discriminator 0 declared.
 * Not a member of struct security_ace_object below, which holds only flags.
 */
union security_ace_object_inherited_type {
	CASE(0) struct GUID inherited_type;
};

/*
 * Object-ACE extension: holds the SEC_ACE_OBJECT_* flag bitmap only.  The
 * GUID unions declared above are not members here, so whichever GUIDs the
 * flags announce must be carried elsewhere -- NOTE(review): confirm how
 * the consumer pairs them with these flags.
 */
struct security_ace_object {
	DWORD flags;
};

/*
 * Single-arm NDL union wrapping security_ace_object under discriminator 0;
 * no arm is declared for any other value.
 */
union security_ace_object_ctr {
	CASE(0) struct security_ace_object object;
};

/*
 * One access-control entry.  security_ace_type takes a SEC_ACE_TYPE_*
 * value, flags a SEC_ACE_FLAG_* bitmap, access_mask a SEC_* rights mask
 * and trustee the SID the entry applies to.  size is presumably the
 * encoded length of the entry.
 * NOTE(review): security_ace_type is a DWORD here although it sits next
 * to a BYTE flags field -- confirm this matches the encoding the decoder
 * expects.  Nothing here ties size to what was actually decoded, so a
 * decoder must validate it against the remaining buffer rather than trust
 * it when stepping to the next entry.
 */
struct security_ace {
	DWORD security_ace_type;
	BYTE flags;
	WORD size;
	DWORD access_mask;
	struct dom_sid trustee;
};

/*
 * ACL revision numbers for security_acl.security_acl_revision.  NT4 (2) is
 * aliased above as NT4_ACL_REVISION; ADS (4) presumably marks lists that may
 * contain object ACEs.  USE_UINT_ENUMS is defined at the top of the file,
 * so only the #define branch is compiled; keep the two in sync.
 */
#ifndef USE_UINT_ENUMS
enum security_acl_revision {
	SECURITY_ACL_REVISION_NT4=2,
	SECURITY_ACL_REVISION_ADS=4
};
#else
#define	SECURITY_ACL_REVISION_NT4	2
#define	SECURITY_ACL_REVISION_ADS	4
#endif

/*
 * Access-control list: a SECURITY_ACL_REVISION_* value, a size, and
 * num_aces entries reachable through aces.  As with dom_sid, no size
 * annotation binds num_aces to aces here.
 * NOTE(review): when decoding untrusted data, num_aces must be checked
 * against size and the remaining buffer before aces is allocated or walked.
 */
struct security_acl {
	DWORD security_acl_revision;
	WORD size;
	DWORD num_aces;
	struct security_ace *aces;
};

/*
 * Security-descriptor revision for security_descriptor.revision; aliased
 * above as SD_REVISION.  USE_UINT_ENUMS is defined at the top of the file,
 * so only the #define branch is compiled; keep the two in sync.
 */
#ifndef USE_UINT_ENUMS
enum security_descriptor_revision {
	SECURITY_DESCRIPTOR_REVISION_1=1
};
#else
#define	SECURITY_DESCRIPTOR_REVISION_1	1
#endif

/*
 * bitmap security_descriptor_type: the control bits carried in
 * security_descriptor.type.  *_PRESENT say whether the DACL/SACL exists,
 * *_DEFAULTED, *_AUTO_INHERIT_REQ, *_AUTO_INHERITED and *_PROTECTED
 * describe how it was derived, SELF_RELATIVE marks the offset-based layout.
 * NOTE(review): in the Windows model a descriptor with DACL_PRESENT clear
 * has no DACL and grants everyone access, whereas a present DACL with zero
 * ACEs grants nobody access; consumers must keep those two cases distinct.
 */
#define	SEC_DESC_OWNER_DEFAULTED	0x0001
#define	SEC_DESC_GROUP_DEFAULTED	0x0002
#define	SEC_DESC_DACL_PRESENT		0x0004
#define	SEC_DESC_DACL_DEFAULTED		0x0008
#define	SEC_DESC_SACL_PRESENT		0x0010
#define	SEC_DESC_SACL_DEFAULTED		0x0020
#define	SEC_DESC_DACL_TRUSTED		0x0040
#define	SEC_DESC_SERVER_SECURITY	0x0080
#define	SEC_DESC_DACL_AUTO_INHERIT_REQ	0x0100
#define	SEC_DESC_SACL_AUTO_INHERIT_REQ	0x0200
#define	SEC_DESC_DACL_AUTO_INHERITED	0x0400
#define	SEC_DESC_SACL_AUTO_INHERITED	0x0800
#define	SEC_DESC_DACL_PROTECTED		0x1000
#define	SEC_DESC_SACL_PROTECTED		0x2000
#define	SEC_DESC_RM_CONTROL_VALID	0x4000
#define	SEC_DESC_SELF_RELATIVE		0x8000

/*
 * Security descriptor header.  revision holds SECURITY_DESCRIPTOR_REVISION_1
 * and type a SEC_DESC_* bitmap.  The owner, group, SACL and DACL fields are
 * DWORDs rather than pointers, so this presumably describes the
 * self-relative layout (SEC_DESC_SELF_RELATIVE) in which each is a byte
 * offset from the start of the descriptor, 0 meaning absent -- confirm.
 * NOTE(review): each offset must be range-checked against the enclosing
 * buffer (sec_desc_buf.sd_size) before it is followed.
 */
struct security_descriptor {
	WORD revision;
	WORD type;
	DWORD ownersid;
	DWORD groupsid;
	DWORD sacl;
	DWORD dacl;
};

/*
 * Sized security-descriptor buffer: sd_size bytes described by sd.
 * NOTE(review): sd_size is the only bound available for the data behind
 * sd; anything that follows the offsets inside sd should check them
 * against it.
 */
struct sec_desc_buf {
	DWORD sd_size;
	struct security_descriptor *sd;
};

/*
 * Security token: a user SID, a group SID and two 32-bit privilege masks.
 * NOTE(review): num_sids has no accompanying SID array in this struct, so
 * the list it counts must live elsewhere -- confirm where.  The two masks
 * presumably hold one bit per SEC_PRIV_* ordinal (1..24 all fit in
 * privilege_mask1, leaving privilege_mask2 spare) -- confirm.
 */
struct security_token {
	struct dom_sid *user_sid;
	struct dom_sid *group_sid;
	DWORD num_sids;
	DWORD privilege_mask1;
	DWORD privilege_mask2;
};

/*
 * bitmap security_secinfo: selects which parts of a security descriptor a
 * query or update applies to (owner, group, DACL, SACL).
 * NOTE(review): the SACL is the audit-control path; in the Windows model
 * reading or writing it requires SEC_FLAG_SYSTEM_SECURITY / SEC_PRIV_SECURITY
 * rather than ordinary DACL rights -- confirm callers enforce that.
 */
#define	SECINFO_OWNER		0x00000001
#define	SECINFO_GROUP		0x00000002
#define	SECINFO_DACL		0x00000004
#define	SECINFO_SACL		0x00000008

#endif /* _SECURITY_NDL_ */