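Lines matching refs:kernel_policy

Each entry below gives the source line number, the matching line (cut with "…" where it was too long to show in full), and the enclosing function; "local" and "argument" mark the lines where kernel_policy is declared as a local variable or as a parameter.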

5083 	struct necp_kernel_socket_policy *kernel_policy = NULL;  in necp_kernel_socket_policy_find()  local
5090 LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_socket_policies, chain, tmp_kernel_policy) { in necp_kernel_socket_policy_find()
5091 if (kernel_policy->id == policy_id) { in necp_kernel_socket_policy_find()
5092 return kernel_policy; in necp_kernel_socket_policy_find()
5639 struct necp_kernel_socket_policy *kernel_policy = NULL; in necp_kernel_socket_policies_reprocess() local
5671 LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) { in necp_kernel_socket_policies_reprocess()
5673 necp_kernel_application_policies_condition_mask |= kernel_policy->condition_mask; in necp_kernel_socket_policies_reprocess()
5677 if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) { in necp_kernel_socket_policies_reprocess()
5683 necp_kernel_socket_policies_condition_mask |= kernel_policy->condition_mask; in necp_kernel_socket_policies_reprocess()
5686 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) || in necp_kernel_socket_policies_reprocess()
5687 kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) { in necp_kernel_socket_policies_reprocess()
5693 …necp_kernel_socket_policies_map_counts[NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id… in necp_kernel_socket_policies_reprocess()
5716 LIST_FOREACH(kernel_policy, &necp_kernel_socket_policies, chain) { in necp_kernel_socket_policies_reprocess()
5718 …if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_s… in necp_kernel_socket_policies_reprocess()
5719 necp_kernel_socket_policies_app_layer_map[app_layer_current_free_index] = kernel_policy; in necp_kernel_socket_policies_reprocess()
5724 if ((kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE)) { in necp_kernel_socket_policies_reprocess()
5730 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) || in necp_kernel_socket_policies_reprocess()
5731 kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) { in necp_kernel_socket_policies_reprocess()
5733 …if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_s… in necp_kernel_socket_policies_reprocess()
5734 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy; in necp_kernel_socket_policies_reprocess()
5740 app_i = NECP_SOCKET_MAP_APP_ID_TO_BUCKET(kernel_policy->cond_app_id); in necp_kernel_socket_policies_reprocess()
5741 …if (!necp_dedup_policies || !necp_kernel_socket_policy_is_unnecessary(kernel_policy, necp_kernel_s… in necp_kernel_socket_policies_reprocess()
5742 (necp_kernel_socket_policies_map[app_i])[(bucket_current_free_index[app_i])] = kernel_policy; in necp_kernel_socket_policies_reprocess()
7112 struct necp_kernel_ip_output_policy *kernel_policy = NULL; in necp_kernel_ip_output_policy_find() local
7119 LIST_FOREACH_SAFE(kernel_policy, &necp_kernel_ip_output_policies, chain, tmp_kernel_policy) { in necp_kernel_ip_output_policy_find()
7120 if (kernel_policy->id == policy_id) { in necp_kernel_ip_output_policy_find()
7121 return kernel_policy; in necp_kernel_ip_output_policy_find()
7330 struct necp_kernel_ip_output_policy *kernel_policy = NULL; in necp_kernel_ip_output_policies_reprocess() local
7351 LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) { in necp_kernel_ip_output_policies_reprocess()
7353 necp_kernel_ip_output_policies_condition_mask |= kernel_policy->condition_mask; in necp_kernel_ip_output_policies_reprocess()
7360 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) || in necp_kernel_ip_output_policies_reprocess()
7361 (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) || in necp_kernel_ip_output_policies_reprocess()
7362 kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) { in necp_kernel_ip_output_policies_reprocess()
7367 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID)) { in necp_kernel_ip_output_policies_reprocess()
7370 …necp_kernel_ip_output_policies_map_counts[NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_poli… in necp_kernel_ip_output_policies_reprocess()
7389 LIST_FOREACH(kernel_policy, &necp_kernel_ip_output_policies, chain) { in necp_kernel_ip_output_policies_reprocess()
7393 if (current_session_order != kernel_policy->session_order) { in necp_kernel_ip_output_policies_reprocess()
7394 current_session_order = kernel_policy->session_order; in necp_kernel_ip_output_policies_reprocess()
7413 if (kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) { in necp_kernel_ip_output_policies_reprocess()
7418 if (kernel_policy->order >= current_session_last_non_skip_policy) { in necp_kernel_ip_output_policies_reprocess()
7425 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) || in necp_kernel_ip_output_policies_reprocess()
7426 (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) || in necp_kernel_ip_output_policies_reprocess()
7427 kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP) { in necp_kernel_ip_output_policies_reprocess()
7429 …if (!necp_dedup_policies || !necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kerne… in necp_kernel_ip_output_policies_reprocess()
7430 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy; in necp_kernel_ip_output_policies_reprocess()
7436 i = NECP_IP_OUTPUT_MAP_ID_TO_BUCKET(kernel_policy->cond_policy_id); in necp_kernel_ip_output_policies_reprocess()
7437 …if (!necp_dedup_policies || !necp_kernel_ip_output_policy_is_unnecessary(kernel_policy, necp_kerne… in necp_kernel_ip_output_policies_reprocess()
7438 (necp_kernel_ip_output_policies_map[i])[(bucket_current_free_index[i])] = kernel_policy; in necp_kernel_ip_output_policies_reprocess()
9106 necp_socket_check_policy(struct necp_kernel_socket_policy *kernel_policy, in necp_socket_check_policy() argument
9143 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) { in necp_socket_check_policy()
9144 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) { in necp_socket_check_policy()
9145 …u_int32_t cond_bound_interface_index = kernel_policy->cond_bound_interface ? kernel_policy->cond_b… in necp_socket_check_policy()
9146 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9148 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) { in necp_socket_check_policy()
9160 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS) { in necp_socket_check_policy()
9161 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9162 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - flags", kernel_policy->cond_bound_interface_flags, … in necp_socket_check_policy()
9163 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9164 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - eflags", kernel_policy->cond_bound_interface_eflags… in necp_socket_check_policy()
9165 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9166 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - xflags", kernel_policy->cond_bound_interface_xflags… in necp_socket_check_policy()
9167 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS) { in necp_socket_check_policy()
9168 …if ((kernel_policy->cond_bound_interface_flags && (bound_interface_flags & kernel_policy->cond_bou… in necp_socket_check_policy()
9169 …(kernel_policy->cond_bound_interface_eflags && (bound_interface_eflags & kernel_policy->cond_bound… in necp_socket_check_policy()
9170 …(kernel_policy->cond_bound_interface_xflags && (bound_interface_xflags & kernel_policy->cond_bound… in necp_socket_check_policy()
9175 …if ((kernel_policy->cond_bound_interface_flags && !(bound_interface_flags & kernel_policy->cond_bo… in necp_socket_check_policy()
9176 …(kernel_policy->cond_bound_interface_eflags && !(bound_interface_eflags & kernel_policy->cond_boun… in necp_socket_check_policy()
9177 …(kernel_policy->cond_bound_interface_xflags && !(bound_interface_xflags & kernel_policy->cond_boun… in necp_socket_check_policy()
9183 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) && in necp_socket_check_policy()
9184 !(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS)) { in necp_socket_check_policy()
9193 if (kernel_policy->condition_mask == 0) { in necp_socket_check_policy()
9197 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) { in necp_socket_check_policy()
9198 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9199 "NECP_KERNEL_CONDITION_APP_ID", kernel_policy->cond_app_id, app_id); in necp_socket_check_policy()
9200 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_APP_ID) { in necp_socket_check_policy()
9201 if (app_id == kernel_policy->cond_app_id) { in necp_socket_check_policy()
9206 if (app_id != kernel_policy->cond_app_id) { in necp_socket_check_policy()
9213 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER || in necp_socket_check_policy()
9214 kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER) { in necp_socket_check_policy()
9217 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET_STR(debug, socket, "SOCKET", kernel_policy->condition_negated… in necp_socket_check_policy()
9219 kernel_policy->cond_signing_identifier ? kernel_policy->cond_signing_identifier : "<n/a>", in necp_socket_check_policy()
9222 if (strcmp(signing_id, kernel_policy->cond_signing_identifier) == 0) { in necp_socket_check_policy()
9227 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SIGNING_IDENTIFIER) { in necp_socket_check_policy()
9239 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) { in necp_socket_check_policy()
9240 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9242 kernel_policy->cond_real_app_id, real_app_id); in necp_socket_check_policy()
9243 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REAL_APP_ID) { in necp_socket_check_policy()
9244 if (real_app_id == kernel_policy->cond_real_app_id) { in necp_socket_check_policy()
9249 if (real_app_id != kernel_policy->cond_real_app_id) { in necp_socket_check_policy()
9256 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_HAS_CLIENT) { in necp_socket_check_policy()
9263 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ENTITLEMENT) { in necp_socket_check_policy()
9271 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) { in necp_socket_check_policy()
9272 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9273 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PLATFORM_BINARY) { in necp_socket_check_policy()
9286 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SYSTEM_SIGNED_RESULT) { in necp_socket_check_policy()
9294 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SDK_VERSION) { in necp_socket_check_policy()
9297 kernel_policy->cond_sdk_version.platform, in necp_socket_check_policy()
9298 kernel_policy->cond_sdk_version.min_version, in necp_socket_check_policy()
9299 kernel_policy->cond_sdk_version.version, in necp_socket_check_policy()
9303 if (kernel_policy->cond_sdk_version.platform != 0) { in necp_socket_check_policy()
9304 if (kernel_policy->cond_sdk_version.platform != proc_platform(proc)) { in necp_socket_check_policy()
9310 if (kernel_policy->cond_sdk_version.min_version != 0) { in necp_socket_check_policy()
9311 if (kernel_policy->cond_sdk_version.min_version > proc_min_sdk(proc)) { in necp_socket_check_policy()
9317 if (kernel_policy->cond_sdk_version.version != 0) { in necp_socket_check_policy()
9318 if (kernel_policy->cond_sdk_version.version > proc_sdk(proc)) { in necp_socket_check_policy()
9326 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_EXACT_DOMAIN) { in necp_socket_check_policy()
9327 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET_STR(debug, socket, "SOCKET", kernel_policy->condition_negated… in necp_socket_check_policy()
9328 "NECP_KERNEL_CONDITION_EXACT_DOMAIN", kernel_policy->cond_domain, domain.string); in necp_socket_check_policy()
9330 bool domain_matches = (domain_dot_count == kernel_policy->cond_domain_dot_count && in necp_socket_check_policy()
9331 …necp_hostname_matches_domain(domain, domain_dot_count, kernel_policy->cond_domain, kernel_policy->… in necp_socket_check_policy()
9335 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_EXACT_DOMAIN) { in necp_socket_check_policy()
9346 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN) { in necp_socket_check_policy()
9347 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET_STR(debug, socket, "SOCKET", kernel_policy->condition_negated… in necp_socket_check_policy()
9348 "NECP_KERNEL_CONDITION_DOMAIN", kernel_policy->cond_domain, domain.string); in necp_socket_check_policy()
9349 … necp_hostname_matches_domain(domain, domain_dot_count, kernel_policy->cond_domain, kernel_policy-… in necp_socket_check_policy()
9353 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DOMAIN) { in necp_socket_check_policy()
9366 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_DOMAIN_FILTER) { in necp_socket_check_policy()
9367 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9368 "NECP_KERNEL_CONDITION_DOMAIN_FILTER (ID)", kernel_policy->cond_domain_filter, 0); in necp_socket_check_policy()
9369 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET_STR(debug, socket, "SOCKET", kernel_policy->condition_negated… in necp_socket_check_policy()
9372 if (NECP_IS_DOMAIN_FILTER_ID(kernel_policy->cond_domain_filter)) { in necp_socket_check_policy()
9373 … *filter = necp_lookup_domain_filter(&necp_global_domain_filter_list, kernel_policy->cond_domain_f… in necp_socket_check_policy()
9378 …domain_matches = necp_match_domain_with_trie(&necp_global_domain_trie_list, kernel_policy->cond_do… in necp_socket_check_policy()
9380 …<%s %zu> with trie id %d - matched %d", domain.string, domain.length, kernel_policy->cond_domain_f… in necp_socket_check_policy()
9386 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DOMAIN_FILTER) { in necp_socket_check_policy()
9399 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_URL) { in necp_socket_check_policy()
9400 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET_STR(debug, socket, "SOCKET", kernel_policy->condition_negated… in necp_socket_check_policy()
9401 "NECP_KERNEL_CONDITION_URL", kernel_policy->cond_url, url); in necp_socket_check_policy()
9402 bool url_matches = (url ? strcasecmp(kernel_policy->cond_url, url) == 0 : false); in necp_socket_check_policy()
9403 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_URL) { in necp_socket_check_policy()
9416 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) { in necp_socket_check_policy()
9417 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9419 kernel_policy->cond_account_id, account_id); in necp_socket_check_policy()
9420 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_ACCOUNT_ID) { in necp_socket_check_policy()
9421 if (account_id == kernel_policy->cond_account_id) { in necp_socket_check_policy()
9426 if (account_id != kernel_policy->cond_account_id) { in necp_socket_check_policy()
9433 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PID) { in necp_socket_check_policy()
9434 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9436 kernel_policy->cond_pid, pid); in necp_socket_check_policy()
9437 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PID) { in necp_socket_check_policy()
9438 if (pid == kernel_policy->cond_pid) { in necp_socket_check_policy()
9442 if (kernel_policy->cond_pid_version != 0 && pid_version == kernel_policy->cond_pid_version) { in necp_socket_check_policy()
9446 if (pid != kernel_policy->cond_pid) { in necp_socket_check_policy()
9450 if (kernel_policy->cond_pid_version != 0 && pid_version != kernel_policy->cond_pid_version) { in necp_socket_check_policy()
9456 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_UID) { in necp_socket_check_policy()
9457 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9459 kernel_policy->cond_uid, uid); in necp_socket_check_policy()
9460 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_UID) { in necp_socket_check_policy()
9461 if (uid == kernel_policy->cond_uid) { in necp_socket_check_policy()
9466 if (uid != kernel_policy->cond_uid) { in necp_socket_check_policy()
9473 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REAL_UID) { in necp_socket_check_policy()
9474 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9476 kernel_policy->cond_real_uid, real_uid); in necp_socket_check_policy()
9477 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REAL_UID) { in necp_socket_check_policy()
9478 if (real_uid == kernel_policy->cond_real_uid) { in necp_socket_check_policy()
9483 if (real_uid != kernel_policy->cond_real_uid) { in necp_socket_check_policy()
9490 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) { in necp_socket_check_policy()
9492 kernel_policy->cond_traffic_class.start_tc, kernel_policy->cond_traffic_class.end_tc, 0, in necp_socket_check_policy()
9494 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_TRAFFIC_CLASS) { in necp_socket_check_policy()
9495 if (traffic_class >= kernel_policy->cond_traffic_class.start_tc && in necp_socket_check_policy()
9496 traffic_class <= kernel_policy->cond_traffic_class.end_tc) { in necp_socket_check_policy()
9501 if (traffic_class < kernel_policy->cond_traffic_class.start_tc || in necp_socket_check_policy()
9502 traffic_class > kernel_policy->cond_traffic_class.end_tc) { in necp_socket_check_policy()
9509 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) { in necp_socket_check_policy()
9510 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9512 kernel_policy->cond_protocol, protocol); in necp_socket_check_policy()
9513 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) { in necp_socket_check_policy()
9514 if (protocol == kernel_policy->cond_protocol) { in necp_socket_check_policy()
9519 if (protocol != kernel_policy->cond_protocol) { in necp_socket_check_policy()
9526 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_AGENT_TYPE) { in necp_socket_check_policy()
9528 kernel_policy->cond_agent_type.agent_domain, kernel_policy->cond_agent_type.agent_type, "n/a", in necp_socket_check_policy()
9533 …if ((strbuflen(kernel_policy->cond_agent_type.agent_domain, sizeof(kernel_policy->cond_agent_type.… in necp_socket_check_policy()
9534 …zeof(required_agent_type->netagent_domain), kernel_policy->cond_agent_type.agent_domain, sizeof(ke… in necp_socket_check_policy()
9535 …(strbuflen(kernel_policy->cond_agent_type.agent_type, sizeof(kernel_policy->cond_agent_type.agent_… in necp_socket_check_policy()
9536 … sizeof(required_agent_type->netagent_type), kernel_policy->cond_agent_type.agent_type, sizeof(ker… in necp_socket_check_policy()
9547 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) { in necp_socket_check_policy()
9549 …bool include_local_addresses = (kernel_policy->cond_local_networks_flags & NECP_POLICY_LOCAL_NETWO… in necp_socket_check_policy()
9560 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9561 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) { in necp_socket_check_policy()
9574 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) { in necp_socket_check_policy()
9575 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) { in necp_socket_check_policy()
9576 …ool inRange = necp_is_addr_in_range(SA(local), SA(&kernel_policy->cond_local_start), SA(&kernel_po… in necp_socket_check_policy()
9577 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9578 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) { in necp_socket_check_policy()
9587 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) { in necp_socket_check_policy()
9588 …ool inSubnet = necp_is_addr_in_subnet(SA(local), SA(&kernel_policy->cond_local_start), kernel_poli… in necp_socket_check_policy()
9589 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9590 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) { in necp_socket_check_policy()
9602 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) { in necp_socket_check_policy()
9603 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) { in necp_socket_check_policy()
9604 …l inRange = necp_is_addr_in_range(SA(remote), SA(&kernel_policy->cond_remote_start), SA(&kernel_po… in necp_socket_check_policy()
9605 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9606 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) { in necp_socket_check_policy()
9615 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) { in necp_socket_check_policy()
9616 …l inSubnet = necp_is_addr_in_subnet(SA(remote), SA(&kernel_policy->cond_remote_start), kernel_poli… in necp_socket_check_policy()
9617 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9618 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) { in necp_socket_check_policy()
9630 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) { in necp_socket_check_policy()
9631 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9633 kernel_policy->cond_client_flags, client_flags); in necp_socket_check_policy()
9634 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_CLIENT_FLAGS) { in necp_socket_check_policy()
9635 if ((client_flags & kernel_policy->cond_client_flags) == kernel_policy->cond_client_flags) { in necp_socket_check_policy()
9640 if ((client_flags & kernel_policy->cond_client_flags) != kernel_policy->cond_client_flags) { in necp_socket_check_policy()
9647 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) { in necp_socket_check_policy()
9649 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9652 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_EMPTY) { in necp_socket_check_policy()
9663 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) { in necp_socket_check_policy()
9665 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9668 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_EMPTY) { in necp_socket_check_policy()
9679 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SCHEME_PORT) { in necp_socket_check_policy()
9684 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9687 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SCHEME_PORT) { in necp_socket_check_policy()
9688 if (kernel_policy->cond_scheme_port == scheme_port || in necp_socket_check_policy()
9689 kernel_policy->cond_scheme_port == remote_port) { in necp_socket_check_policy()
9693 if (kernel_policy->cond_scheme_port != scheme_port && in necp_socket_check_policy()
9694 kernel_policy->cond_scheme_port != remote_port) { in necp_socket_check_policy()
9700 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) { in necp_socket_check_policy()
9701 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9703 kernel_policy->cond_packet_filter_tags, in necp_socket_check_policy()
9706 if (kernel_policy->cond_packet_filter_tags & NECP_POLICY_CONDITION_PACKET_FILTER_TAG_STACK_DROP) { in necp_socket_check_policy()
9712 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) { in necp_socket_check_policy()
9723 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_IS_LOOPBACK) { in necp_socket_check_policy()
9724 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9726 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_IS_LOOPBACK) { in necp_socket_check_policy()
9737 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_DELEGATE_IS_PLATFORM_BINARY) { in necp_socket_check_policy()
9738 …NECP_DATA_TRACE_LOG_CONDITION_SOCKET(debug, socket, "SOCKET", kernel_policy->condition_negated_mas… in necp_socket_check_policy()
9741 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DELEGATE_IS_PLATFORM_BINARY) { in necp_socket_check_policy()
9750 } else if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_APP_ID) && in necp_socket_check_policy()
9751 !(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PID)) { in necp_socket_check_policy()
9754 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_DELEGATE_IS_PLATFORM_BINARY) { in necp_socket_check_policy()
9766 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT) { in necp_socket_check_policy()
9767 …, "SOCKET", false, "NECP_KERNEL_CONDITION_CUSTOM_ENTITLEMENT", "n/a", kernel_policy->cond_custom_e… in necp_socket_check_policy()
9768 if (kernel_policy->cond_custom_entitlement != NULL) { in necp_socket_check_policy()
9775 !IOTaskHasEntitlementAsBooleanOrObject(task, kernel_policy->cond_custom_entitlement)) { in necp_socket_check_policy()
11004 necp_ip_output_check_policy(struct necp_kernel_ip_output_policy *kernel_policy, necp_kernel_policy_… in necp_ip_output_check_policy() argument
11010 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_ALL_INTERFACES)) { in necp_ip_output_check_policy()
11011 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) { in necp_ip_output_check_policy()
11012 …u_int32_t cond_bound_interface_index = kernel_policy->cond_bound_interface ? kernel_policy->cond_b… in necp_ip_output_check_policy()
11013 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11016 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) { in necp_ip_output_check_policy()
11028 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS) { in necp_ip_output_check_policy()
11040 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11041 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - flags", kernel_policy->cond_bound_interface_flags, … in necp_ip_output_check_policy()
11042 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11043 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - eflags", kernel_policy->cond_bound_interface_eflags… in necp_ip_output_check_policy()
11044 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11045 …"NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS - xflags", kernel_policy->cond_bound_interface_xflags… in necp_ip_output_check_policy()
11046 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS) { in necp_ip_output_check_policy()
11047 …if ((kernel_policy->cond_bound_interface_flags && (bound_interface_flags & kernel_policy->cond_bou… in necp_ip_output_check_policy()
11048 …(kernel_policy->cond_bound_interface_eflags && (bound_interface_eflags & kernel_policy->cond_bound… in necp_ip_output_check_policy()
11049 …(kernel_policy->cond_bound_interface_xflags && (bound_interface_xflags & kernel_policy->cond_bound… in necp_ip_output_check_policy()
11054 …if ((kernel_policy->cond_bound_interface_flags && !(bound_interface_flags & kernel_policy->cond_bo… in necp_ip_output_check_policy()
11055 …(kernel_policy->cond_bound_interface_eflags && !(bound_interface_eflags & kernel_policy->cond_boun… in necp_ip_output_check_policy()
11056 …(kernel_policy->cond_bound_interface_xflags && !(bound_interface_xflags & kernel_policy->cond_boun… in necp_ip_output_check_policy()
11062 if (!(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE) && in necp_ip_output_check_policy()
11063 !(kernel_policy->condition_mask & NECP_KERNEL_CONDITION_BOUND_INTERFACE_FLAGS)) { in necp_ip_output_check_policy()
11072 if (kernel_policy->condition_mask == 0) { in necp_ip_output_check_policy()
11076 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_POLICY_ID) { in necp_ip_output_check_policy()
11078 kernel_policy->result == NECP_KERNEL_POLICY_RESULT_SKIP ? socket_skip_policy_id : socket_policy_id; in necp_ip_output_check_policy()
11081 kernel_policy->cond_policy_id, 0, 0, in necp_ip_output_check_policy()
11083 if (matched_policy_id != kernel_policy->cond_policy_id) { in necp_ip_output_check_policy()
11089 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LAST_INTERFACE) { in necp_ip_output_check_policy()
11092 kernel_policy->cond_last_interface_index, last_interface_index); in necp_ip_output_check_policy()
11093 if (last_interface_index != kernel_policy->cond_last_interface_index) { in necp_ip_output_check_policy()
11098 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PROTOCOL) { in necp_ip_output_check_policy()
11099 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11101 kernel_policy->cond_protocol, protocol); in necp_ip_output_check_policy()
11102 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PROTOCOL) { in necp_ip_output_check_policy()
11103 if (protocol == kernel_policy->cond_protocol) { in necp_ip_output_check_policy()
11108 if (protocol != kernel_policy->cond_protocol) { in necp_ip_output_check_policy()
11115 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) { in necp_ip_output_check_policy()
11117 …bool include_local_addresses = (kernel_policy->cond_local_networks_flags & NECP_POLICY_LOCAL_NETWO… in necp_ip_output_check_policy()
11124 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11125 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_NETWORKS) { in necp_ip_output_check_policy()
11138 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_START) { in necp_ip_output_check_policy()
11139 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_END) { in necp_ip_output_check_policy()
11140 …ool inRange = necp_is_addr_in_range(SA(local), SA(&kernel_policy->cond_local_start), SA(&kernel_po… in necp_ip_output_check_policy()
11141 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11142 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_END) { in necp_ip_output_check_policy()
11151 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) { in necp_ip_output_check_policy()
11152 …ool inSubnet = necp_is_addr_in_subnet(SA(local), SA(&kernel_policy->cond_local_start), kernel_poli… in necp_ip_output_check_policy()
11153 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11154 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_LOCAL_PREFIX) { in necp_ip_output_check_policy()
11166 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_START) { in necp_ip_output_check_policy()
11167 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_END) { in necp_ip_output_check_policy()
11168 …l inRange = necp_is_addr_in_range(SA(remote), SA(&kernel_policy->cond_remote_start), SA(&kernel_po… in necp_ip_output_check_policy()
11169 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11170 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_END) { in necp_ip_output_check_policy()
11179 } else if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) { in necp_ip_output_check_policy()
11180 …l inSubnet = necp_is_addr_in_subnet(SA(remote), SA(&kernel_policy->cond_remote_start), kernel_poli… in necp_ip_output_check_policy()
11181 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11182 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_REMOTE_PREFIX) { in necp_ip_output_check_policy()
11194 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_SCHEME_PORT) { in necp_ip_output_check_policy()
11199 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11202 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_SCHEME_PORT) { in necp_ip_output_check_policy()
11203 if (kernel_policy->cond_scheme_port == remote_port) { in necp_ip_output_check_policy()
11207 if (kernel_policy->cond_scheme_port != remote_port) { in necp_ip_output_check_policy()
11213 if (kernel_policy->condition_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) { in necp_ip_output_check_policy()
11215 …NECP_DATA_TRACE_LOG_CONDITION_IP(debug, "IP", kernel_policy->condition_negated_mask & NECP_KERNEL_… in necp_ip_output_check_policy()
11217 kernel_policy->cond_packet_filter_tags, pf_tag); in necp_ip_output_check_policy()
11218 if (kernel_policy->cond_packet_filter_tags & NECP_POLICY_CONDITION_PACKET_FILTER_TAG_STACK_DROP) { in necp_ip_output_check_policy()
11223 if (kernel_policy->condition_negated_mask & NECP_KERNEL_CONDITION_PACKET_FILTER_TAGS) { in necp_ip_output_check_policy()