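Lines matching refs:kernel_policy
(Cross-reference listing, not a source file. Each row gives the source line number, the matching line, and the enclosing function; "…" marks text cut off by the listing. Only lines that reference kernel_policy appear, so the code between rows is not shown.)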
5142 struct necp_kernel_socket_policy *kernel_policy = NULL; in necp_kernel_socket_policy_find() local
5149 LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_socket_policies, chain, tmp_kernel_policy) { in necp_kernel_socket_policy_find()
5150 if (kernel_policy->id == policy_id) { in necp_kernel_socket_policy_find()
5151 return kernel_policy; in necp_kernel_socket_policy_find()
5685 struct necp_kernel_socket_policy *kernel_policy = NULL; in necp_kernel_socket_policies_reprocess() local
5717 LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) { in necp_kernel_socket_policies_reprocess()
5719 necp_kernel_application_policies_condition_mask |= kernel_policy->condition_mask; in necp_kernel_socket_policies_reprocess()
5723 if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) { in necp_kernel_socket_policies_reprocess()
5729 necp_kernel_socket_policies_condition_mask |= kernel_policy->condition_mask; in necp_kernel_socket_policies_reprocess()
5732 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) || in necp_kernel_socket_policies_reprocess()
5733 kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) { in necp_kernel_socket_policies_reprocess()
5739 …necp_kernel_socket_policies_map_counts[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id… in necp_kernel_socket_policies_reprocess()
5762 LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) { in necp_kernel_socket_policies_reprocess()
5764 …if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_s… in necp_kernel_socket_policies_reprocess()
5765 necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = kernel_policy; in necp_kernel_socket_policies_reprocess()
5770 if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) { in necp_kernel_socket_policies_reprocess()
5776 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) || in necp_kernel_socket_policies_reprocess()
5777 kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) { in necp_kernel_socket_policies_reprocess()
5779 …if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_s… in necp_kernel_socket_policies_reprocess()
5780 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy; in necp_kernel_socket_policies_reprocess()
5786 app_i = NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id); in necp_kernel_socket_policies_reprocess()
5787 …if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_s… in necp_kernel_socket_policies_reprocess()
5788 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy; in necp_kernel_socket_policies_reprocess()
7036 struct necp_kernel_ip_output_policy *kernel_policy = NULL; in necp_kernel_ip_output_policy_find() local
7043 LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_ip_output_policies, chain, tmp_kernel_policy) { in necp_kernel_ip_output_policy_find()
7044 if (kernel_policy->id == policy_id) { in necp_kernel_ip_output_policy_find()
7045 return kernel_policy; in necp_kernel_ip_output_policy_find()
7254 struct necp_kernel_ip_output_policy *kernel_policy = NULL; in necp_kernel_ip_output_policies_reprocess() local
7275 LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) { in necp_kernel_ip_output_policies_reprocess()
7277 necp_kernel_ip_output_policies_condition_mask |= kernel_policy->condition_mask; in necp_kernel_ip_output_policies_reprocess()
7284 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) || in necp_kernel_ip_output_policies_reprocess()
7285 (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) || in necp_kernel_ip_output_policies_reprocess()
7286 kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) { in necp_kernel_ip_output_policies_reprocess()
7291 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID)) { in necp_kernel_ip_output_policies_reprocess()
7294 …necp_kernel_ip_output_policies_map_counts[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_poli… in necp_kernel_ip_output_policies_reprocess()
7313 LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) { in necp_kernel_ip_output_policies_reprocess()
7317 if (current_session_order != kernel_policy->session_order) { in necp_kernel_ip_output_policies_reprocess()
7318 current_session_order = kernel_policy->session_order; in necp_kernel_ip_output_policies_reprocess()
7337 if (kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) { in necp_kernel_ip_output_policies_reprocess()
7342 if (kernel_policy->order >= current_session_last_non_skip_policy) { in necp_kernel_ip_output_policies_reprocess()
7349 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) || in necp_kernel_ip_output_policies_reprocess()
7350 (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) || in necp_kernel_ip_output_policies_reprocess()
7351 kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) { in necp_kernel_ip_output_policies_reprocess()
7353 …if (!necp_dedup_policies || !necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kerne… in necp_kernel_ip_output_policies_reprocess()
7354 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy; in necp_kernel_ip_output_policies_reprocess()
7360 i = NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id); in necp_kernel_ip_output_policies_reprocess()
7361 …if (!necp_dedup_policies || !necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kerne… in necp_kernel_ip_output_policies_reprocess()
7362 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy; in necp_kernel_ip_output_policies_reprocess()
9014 necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, in necp_socket_check_policy() argument
9051 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) { in necp_socket_check_policy()
9052 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) { in necp_socket_check_policy()
9053 …u_int32_t cond_bound_interface_index = kernel_policy->cond_bound_interface ? kernel_policy->cond_b… in necp_socket_check_policy()
9054 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9056 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) { in necp_socket_check_policy()
9068 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS) { in necp_socket_check_policy()
9069 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9070 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - flags", kernel_policy->cond_bound_interface_flags, … in necp_socket_check_policy()
9071 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9072 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - eflags", kernel_policy->cond_bound_interface_eflags… in necp_socket_check_policy()
9073 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9074 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - xflags", kernel_policy->cond_bound_interface_xflags… in necp_socket_check_policy()
9075 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS) { in necp_socket_check_policy()
9076 …if ((kernel_policy->cond_bound_interface_flags && (bound_interface_flags & kernel_policy->cond_bou… in necp_socket_check_policy()
9077 …(kernel_policy->cond_bound_interface_eflags && (bound_interface_eflags & kernel_policy->cond_bound… in necp_socket_check_policy()
9078 …(kernel_policy->cond_bound_interface_xflags && (bound_interface_xflags & kernel_policy->cond_bound… in necp_socket_check_policy()
9083 …if ((kernel_policy->cond_bound_interface_flags && !(bound_interface_flags & kernel_policy->cond_bo… in necp_socket_check_policy()
9084 …(kernel_policy->cond_bound_interface_eflags && !(bound_interface_eflags & kernel_policy->cond_boun… in necp_socket_check_policy()
9085 …(kernel_policy->cond_bound_interface_xflags && !(bound_interface_xflags & kernel_policy->cond_boun… in necp_socket_check_policy()
9091 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) && in necp_socket_check_policy()
9092 !(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS)) { in necp_socket_check_policy()
9101 if (kernel_policy->condition_mask == 0) { in necp_socket_check_policy()
9105 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) { in necp_socket_check_policy()
9106 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9107 "NECP_KERNEL_CONDITION_APP_ID", kernel_policy->cond_app_id, app_id); in necp_socket_check_policy()
9108 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) { in necp_socket_check_policy()
9109 if (app_id == kernel_policy->cond_app_id) { in necp_socket_check_policy()
9114 if (app_id != kernel_policy->cond_app_id) { in necp_socket_check_policy()
9121 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER || in necp_socket_check_policy()
9122 kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER) { in necp_socket_check_policy()
9125 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET_STR(debug, socket, "SOCKET", kernel_policy->condition_negated… in necp_socket_check_policy()
9127 kernel_policy->cond_signing_identifier ? kernel_policy->cond_signing_identifier : "<n/a>", in necp_socket_check_policy()
9130 if (strcmp(signing_id, kernel_policy->cond_signing_identifier) == 0) { in necp_socket_check_policy()
9135 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER) { in necp_socket_check_policy()
9147 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) { in necp_socket_check_policy()
9148 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9150 kernel_policy->cond_real_app_id, real_app_id); in necp_socket_check_policy()
9151 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) { in necp_socket_check_policy()
9152 if (real_app_id == kernel_policy->cond_real_app_id) { in necp_socket_check_policy()
9157 if (real_app_id != kernel_policy->cond_real_app_id) { in necp_socket_check_policy()
9164 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) { in necp_socket_check_policy()
9171 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) { in necp_socket_check_policy()
9179 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) { in necp_socket_check_policy()
9180 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9181 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) { in necp_socket_check_policy()
9194 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SYSTEM_SIGNED_RESULT) { in necp_socket_check_policy()
9202 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SDK_VERSION) { in necp_socket_check_policy()
9205 kernel_policy->cond_sdk_version.platform, in necp_socket_check_policy()
9206 kernel_policy->cond_sdk_version.min_version, in necp_socket_check_policy()
9207 kernel_policy->cond_sdk_version.version, in necp_socket_check_policy()
9211 if (kernel_policy->cond_sdk_version.platform != 0) { in necp_socket_check_policy()
9212 if (kernel_policy->cond_sdk_version.platform != proc_platform(proc)) { in necp_socket_check_policy()
9218 if (kernel_policy->cond_sdk_version.min_version != 0) { in necp_socket_check_policy()
9219 if (kernel_policy->cond_sdk_version.min_version > proc_min_sdk(proc)) { in necp_socket_check_policy()
9225 if (kernel_policy->cond_sdk_version.version != 0) { in necp_socket_check_policy()
9226 if (kernel_policy->cond_sdk_version.version > proc_sdk(proc)) { in necp_socket_check_policy()
9234 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) { in necp_socket_check_policy()
9235 …, "SOCKET", false, "NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT", "n/a", kernel_policy->cond_custom_e… in necp_socket_check_policy()
9236 if (kernel_policy->cond_custom_entitlement != NULL) { in necp_socket_check_policy()
9243 !IOTaskHasEntitlement(task, kernel_policy->cond_custom_entitlement)) { in necp_socket_check_policy()
9250 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_EXACT_DOMAIN) { in necp_socket_check_policy()
9251 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET_STR(debug, socket, "SOCKET", kernel_policy->condition_negated… in necp_socket_check_policy()
9252 "NECP_KERNEL_CONDITION_EXACT_DOMAIN", kernel_policy->cond_domain, domain.string); in necp_socket_check_policy()
9254 bool domain_matches = (domain_dot_count == kernel_policy->cond_domain_dot_count && in necp_socket_check_policy()
9255 …necp_hostname_matches_domain(domain, domain_dot_count, kernel_policy->cond_domain, kernel_policy->… in necp_socket_check_policy()
9259 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_EXACT_DOMAIN) { in necp_socket_check_policy()
9270 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN) { in necp_socket_check_policy()
9271 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET_STR(debug, socket, "SOCKET", kernel_policy->condition_negated… in necp_socket_check_policy()
9272 "NECP_KERNEL_CONDITION_DOMAIN", kernel_policy->cond_domain, domain.string); in necp_socket_check_policy()
9273 … necp_hostname_matches_domain(domain, domain_dot_count, kernel_policy->cond_domain, kernel_policy-… in necp_socket_check_policy()
9277 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DOMAIN) { in necp_socket_check_policy()
9290 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN_FILTER) { in necp_socket_check_policy()
9291 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9292 "NECP_KERNEL_CONDITION_DOMAIN_FILTER (ID)", kernel_policy->cond_domain_filter, 0); in necp_socket_check_policy()
9293 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET_STR(debug, socket, "SOCKET", kernel_policy->condition_negated… in necp_socket_check_policy()
9296 if (NECP_IS_DOMAIN_FILTER_ID(kernel_policy->cond_domain_filter)) { in necp_socket_check_policy()
9297 … *filter = necp_lookup_domain_filter(&necp_global_domain_filter_list, kernel_policy->cond_domain_f… in necp_socket_check_policy()
9302 …domain_matches = necp_match_domain_with_trie(&necp_global_domain_trie_list, kernel_policy->cond_do… in necp_socket_check_policy()
9304 …<%s %zu> with trie id %d - matched %d", domain.string, domain.length, kernel_policy->cond_domain_f… in necp_socket_check_policy()
9310 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DOMAIN_FILTER) { in necp_socket_check_policy()
9323 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_URL) { in necp_socket_check_policy()
9324 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET_STR(debug, socket, "SOCKET", kernel_policy->condition_negated… in necp_socket_check_policy()
9325 "NECP_KERNEL_CONDITION_URL", kernel_policy->cond_url, url); in necp_socket_check_policy()
9326 bool url_matches = (url ? strcasecmp(kernel_policy->cond_url, url) == 0 : false); in necp_socket_check_policy()
9327 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_URL) { in necp_socket_check_policy()
9340 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) { in necp_socket_check_policy()
9341 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9343 kernel_policy->cond_account_id, account_id); in necp_socket_check_policy()
9344 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) { in necp_socket_check_policy()
9345 if (account_id == kernel_policy->cond_account_id) { in necp_socket_check_policy()
9350 if (account_id != kernel_policy->cond_account_id) { in necp_socket_check_policy()
9357 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PID) { in necp_socket_check_policy()
9358 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9360 kernel_policy->cond_pid, pid); in necp_socket_check_policy()
9361 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PID) { in necp_socket_check_policy()
9362 if (pid == kernel_policy->cond_pid) { in necp_socket_check_policy()
9366 if (kernel_policy->cond_pid_version != 0 && pid_version == kernel_policy->cond_pid_version) { in necp_socket_check_policy()
9370 if (pid != kernel_policy->cond_pid) { in necp_socket_check_policy()
9374 if (kernel_policy->cond_pid_version != 0 && pid_version != kernel_policy->cond_pid_version) { in necp_socket_check_policy()
9380 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_UID) { in necp_socket_check_policy()
9381 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9383 kernel_policy->cond_uid, uid); in necp_socket_check_policy()
9384 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_UID) { in necp_socket_check_policy()
9385 if (uid == kernel_policy->cond_uid) { in necp_socket_check_policy()
9390 if (uid != kernel_policy->cond_uid) { in necp_socket_check_policy()
9397 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_UID) { in necp_socket_check_policy()
9398 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9400 kernel_policy->cond_real_uid, real_uid); in necp_socket_check_policy()
9401 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REAL_UID) { in necp_socket_check_policy()
9402 if (real_uid == kernel_policy->cond_real_uid) { in necp_socket_check_policy()
9407 if (real_uid != kernel_policy->cond_real_uid) { in necp_socket_check_policy()
9414 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) { in necp_socket_check_policy()
9416 kernel_policy->cond_traffic_class.start_tc, kernel_policy->cond_traffic_class.end_tc, 0, in necp_socket_check_policy()
9418 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) { in necp_socket_check_policy()
9419 if (traffic_class >= kernel_policy->cond_traffic_class.start_tc && in necp_socket_check_policy()
9420 traffic_class <= kernel_policy->cond_traffic_class.end_tc) { in necp_socket_check_policy()
9425 if (traffic_class < kernel_policy->cond_traffic_class.start_tc || in necp_socket_check_policy()
9426 traffic_class > kernel_policy->cond_traffic_class.end_tc) { in necp_socket_check_policy()
9433 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) { in necp_socket_check_policy()
9434 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9436 kernel_policy->cond_protocol, protocol); in necp_socket_check_policy()
9437 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) { in necp_socket_check_policy()
9438 if (protocol == kernel_policy->cond_protocol) { in necp_socket_check_policy()
9443 if (protocol != kernel_policy->cond_protocol) { in necp_socket_check_policy()
9450 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) { in necp_socket_check_policy()
9452 kernel_policy->cond_agent_type.agent_domain, kernel_policy->cond_agent_type.agent_type, "n/a", in necp_socket_check_policy()
9457 …if ((strbuflen(kernel_policy->cond_agent_type.agent_domain, sizeof(kernel_policy->cond_agent_type.… in necp_socket_check_policy()
9458 …zeof(required_agent_type->netagent_domain), kernel_policy->cond_agent_type.agent_domain, sizeof(ke… in necp_socket_check_policy()
9459 …(strbuflen(kernel_policy->cond_agent_type.agent_type, sizeof(kernel_policy->cond_agent_type.agent_… in necp_socket_check_policy()
9460 … sizeof(required_agent_type->netagent_type), kernel_policy->cond_agent_type.agent_type, sizeof(ker… in necp_socket_check_policy()
9471 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) { in necp_socket_check_policy()
9473 …bool include_local_addresses = (kernel_policy->cond_local_networks_flags & NECP_POLICY_LOCAL_NETWO… in necp_socket_check_policy()
9484 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9485 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) { in necp_socket_check_policy()
9498 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) { in necp_socket_check_policy()
9499 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) { in necp_socket_check_policy()
9500 …ool inRange = necp_is_addr_in_range(SA(local), SA(&kernel_policy->cond_local_start), SA(&kernel_po… in necp_socket_check_policy()
9501 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9502 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) { in necp_socket_check_policy()
9511 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) { in necp_socket_check_policy()
9512 …ool inSubnet = necp_is_addr_in_subnet(SA(local), SA(&kernel_policy->cond_local_start), kernel_poli… in necp_socket_check_policy()
9513 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9514 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) { in necp_socket_check_policy()
9526 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) { in necp_socket_check_policy()
9527 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) { in necp_socket_check_policy()
9528 …l inRange = necp_is_addr_in_range(SA(remote), SA(&kernel_policy->cond_remote_start), SA(&kernel_po… in necp_socket_check_policy()
9529 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9530 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) { in necp_socket_check_policy()
9539 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) { in necp_socket_check_policy()
9540 …l inSubnet = necp_is_addr_in_subnet(SA(remote), SA(&kernel_policy->cond_remote_start), kernel_poli… in necp_socket_check_policy()
9541 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9542 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) { in necp_socket_check_policy()
9554 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) { in necp_socket_check_policy()
9555 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9557 kernel_policy->cond_client_flags, client_flags); in necp_socket_check_policy()
9558 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) { in necp_socket_check_policy()
9559 if ((client_flags & kernel_policy->cond_client_flags) == kernel_policy->cond_client_flags) { in necp_socket_check_policy()
9564 if ((client_flags & kernel_policy->cond_client_flags) != kernel_policy->cond_client_flags) { in necp_socket_check_policy()
9571 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) { in necp_socket_check_policy()
9573 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9576 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) { in necp_socket_check_policy()
9587 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) { in necp_socket_check_policy()
9589 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9592 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) { in necp_socket_check_policy()
9603 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SCHEME_PORT) { in necp_socket_check_policy()
9608 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9611 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SCHEME_PORT) { in necp_socket_check_policy()
9612 if (kernel_policy->cond_scheme_port == scheme_port || in necp_socket_check_policy()
9613 kernel_policy->cond_scheme_port == remote_port) { in necp_socket_check_policy()
9617 if (kernel_policy->cond_scheme_port != scheme_port && in necp_socket_check_policy()
9618 kernel_policy->cond_scheme_port != remote_port) { in necp_socket_check_policy()
9624 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) { in necp_socket_check_policy()
9625 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9627 kernel_policy->cond_packet_filter_tags, in necp_socket_check_policy()
9630 if (kernel_policy->cond_packet_filter_tags & NECP_POLICY_CONDITION_PACKET_FILTER_TAG_STACK_DROP) { in necp_socket_check_policy()
9636 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) { in necp_socket_check_policy()
9647 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_IS_LOOPBACK) { in necp_socket_check_policy()
9648 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9650 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_IS_LOOPBACK) { in necp_socket_check_policy()
9661 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_DELEGATE_IS_PLATFORM_BINARY) { in necp_socket_check_policy()
9662 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9665 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DELEGATE_IS_PLATFORM_BINARY) { in necp_socket_check_policy()
9674 } else if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) && in necp_socket_check_policy()
9675 !(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PID)) { in necp_socket_check_policy()
9678 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DELEGATE_IS_PLATFORM_BINARY) { in necp_socket_check_policy()
10906 necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy, necp_kernel_policy_… in necp_ip_output_check_policy() argument
10912 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) { in necp_ip_output_check_policy()
10913 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) { in necp_ip_output_check_policy()
10914 …u_int32_t cond_bound_interface_index = kernel_policy->cond_bound_interface ? kernel_policy->cond_b… in necp_ip_output_check_policy()
10915 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
10918 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) { in necp_ip_output_check_policy()
10930 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS) { in necp_ip_output_check_policy()
10942 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
10943 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - flags", kernel_policy->cond_bound_interface_flags, … in necp_ip_output_check_policy()
10944 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
10945 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - eflags", kernel_policy->cond_bound_interface_eflags… in necp_ip_output_check_policy()
10946 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
10947 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - xflags", kernel_policy->cond_bound_interface_xflags… in necp_ip_output_check_policy()
10948 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS) { in necp_ip_output_check_policy()
10949 …if ((kernel_policy->cond_bound_interface_flags && (bound_interface_flags & kernel_policy->cond_bou… in necp_ip_output_check_policy()
10950 …(kernel_policy->cond_bound_interface_eflags && (bound_interface_eflags & kernel_policy->cond_bound… in necp_ip_output_check_policy()
10951 …(kernel_policy->cond_bound_interface_xflags && (bound_interface_xflags & kernel_policy->cond_bound… in necp_ip_output_check_policy()
10956 …if ((kernel_policy->cond_bound_interface_flags && !(bound_interface_flags & kernel_policy->cond_bo… in necp_ip_output_check_policy()
10957 …(kernel_policy->cond_bound_interface_eflags && !(bound_interface_eflags & kernel_policy->cond_boun… in necp_ip_output_check_policy()
10958 …(kernel_policy->cond_bound_interface_xflags && !(bound_interface_xflags & kernel_policy->cond_boun… in necp_ip_output_check_policy()
10964 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) && in necp_ip_output_check_policy()
10965 !(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS)) { in necp_ip_output_check_policy()
10974 if (kernel_policy->condition_mask == 0) { in necp_ip_output_check_policy()
10978 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) { in necp_ip_output_check_policy()
10980 …kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP ? socket_skip_policy_id : socket_policy_id; in necp_ip_output_check_policy()
10983 kernel_policy->cond_policy_id, 0, 0, in necp_ip_output_check_policy()
10985 if (matched_policy_id != kernel_policy->cond_policy_id) { in necp_ip_output_check_policy()
10991 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LAST_INTERFACE) { in necp_ip_output_check_policy()
10994 kernel_policy->cond_last_interface_index, last_interface_index); in necp_ip_output_check_policy()
10995 if (last_interface_index != kernel_policy->cond_last_interface_index) { in necp_ip_output_check_policy()
11000 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) { in necp_ip_output_check_policy()
11001 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11003 kernel_policy->cond_protocol, protocol); in necp_ip_output_check_policy()
11004 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) { in necp_ip_output_check_policy()
11005 if (protocol == kernel_policy->cond_protocol) { in necp_ip_output_check_policy()
11010 if (protocol != kernel_policy->cond_protocol) { in necp_ip_output_check_policy()
11017 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) { in necp_ip_output_check_policy()
11019 …bool include_local_addresses = (kernel_policy->cond_local_networks_flags & NECP_POLICY_LOCAL_NETWO… in necp_ip_output_check_policy()
11026 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11027 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) { in necp_ip_output_check_policy()
11040 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) { in necp_ip_output_check_policy()
11041 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) { in necp_ip_output_check_policy()
11042 …ool inRange = necp_is_addr_in_range(SA(local), SA(&kernel_policy->cond_local_start), SA(&kernel_po… in necp_ip_output_check_policy()
11043 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11044 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) { in necp_ip_output_check_policy()
11053 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) { in necp_ip_output_check_policy()
11054 …ool inSubnet = necp_is_addr_in_subnet(SA(local), SA(&kernel_policy->cond_local_start), kernel_poli… in necp_ip_output_check_policy()
11055 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11056 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) { in necp_ip_output_check_policy()
11068 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) { in necp_ip_output_check_policy()
11069 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) { in necp_ip_output_check_policy()
11070 …l inRange = necp_is_addr_in_range(SA(remote), SA(&kernel_policy->cond_remote_start), SA(&kernel_po… in necp_ip_output_check_policy()
11071 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11072 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) { in necp_ip_output_check_policy()
11081 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) { in necp_ip_output_check_policy()
11082 …l inSubnet = necp_is_addr_in_subnet(SA(remote), SA(&kernel_policy->cond_remote_start), kernel_poli… in necp_ip_output_check_policy()
11083 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11084 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) { in necp_ip_output_check_policy()
11096 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SCHEME_PORT) { in necp_ip_output_check_policy()
11101 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11104 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SCHEME_PORT) { in necp_ip_output_check_policy()
11105 if (kernel_policy->cond_scheme_port == remote_port) { in necp_ip_output_check_policy()
11109 if (kernel_policy->cond_scheme_port != remote_port) { in necp_ip_output_check_policy()
11115 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) { in necp_ip_output_check_policy()
11117 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11119 kernel_policy->cond_packet_filter_tags, pf_tag); in necp_ip_output_check_policy()
11120 if (kernel_policy->cond_packet_filter_tags & NECP_POLICY_CONDITION_PACKET_FILTER_TAG_STACK_DROP) { in necp_ip_output_check_policy()
11125 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) { in necp_ip_output_check_policy()