1 /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2 #ifndef _UAPI_LINUX_SECUREBITS_H 3 #define _UAPI_LINUX_SECUREBITS_H 4 5 /* Each securesetting is implemented using two bits. One bit specifies 6 whether the setting is on or off. The other bit specify whether the 7 setting is locked or not. A setting which is locked cannot be 8 changed from user-level. */ 9 #define issecure_mask(X) (1 << (X)) 10 11 #define SECUREBITS_DEFAULT 0x00000000 12 13 /* When set UID 0 has no special privileges. When unset, we support 14 inheritance of root-permissions and suid-root executable under 15 compatibility mode. We raise the effective and inheritable bitmasks 16 *of the executable file* if the effective uid of the new process is 17 0. If the real uid is 0, we raise the effective (legacy) bit of the 18 executable file. */ 19 #define SECURE_NOROOT 0 20 #define SECURE_NOROOT_LOCKED 1 /* make bit-0 immutable */ 21 22 #define SECBIT_NOROOT (issecure_mask(SECURE_NOROOT)) 23 #define SECBIT_NOROOT_LOCKED (issecure_mask(SECURE_NOROOT_LOCKED)) 24 25 /* When set, setuid to/from uid 0 does not trigger capability-"fixup". 26 When unset, to provide compatiblility with old programs relying on 27 set*uid to gain/lose privilege, transitions to/from uid 0 cause 28 capabilities to be gained/lost. */ 29 #define SECURE_NO_SETUID_FIXUP 2 30 #define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */ 31 32 #define SECBIT_NO_SETUID_FIXUP (issecure_mask(SECURE_NO_SETUID_FIXUP)) 33 #define SECBIT_NO_SETUID_FIXUP_LOCKED \ 34 (issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED)) 35 36 /* When set, a process can retain its capabilities even after 37 transitioning to a non-root user (the set-uid fixup suppressed by 38 bit 2). Bit-4 is cleared when a process calls exec(); setting both 39 bit 4 and 5 will create a barrier through exec that no exec()'d 40 child can use this feature again. */ 41 #define SECURE_KEEP_CAPS 4 42 #define SECURE_KEEP_CAPS_LOCKED 5 /* make bit-4 immutable */ 43 44 #define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS)) 45 #define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED)) 46 47 /* When set, a process cannot add new capabilities to its ambient set. */ 48 #define SECURE_NO_CAP_AMBIENT_RAISE 6 49 #define SECURE_NO_CAP_AMBIENT_RAISE_LOCKED 7 /* make bit-6 immutable */ 50 51 #define SECBIT_NO_CAP_AMBIENT_RAISE (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE)) 52 #define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED \ 53 (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED)) 54 55 #define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \ 56 issecure_mask(SECURE_NO_SETUID_FIXUP) | \ 57 issecure_mask(SECURE_KEEP_CAPS) | \ 58 issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE)) 59 #define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1) 60 61 #endif /* _UAPI_LINUX_SECUREBITS_H */ 62
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.