1 /*
2 * Copyright (c) 2022 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29 #include <skywalk/os_skywalk_private.h>
30 #include <IOKit/IOBSD.h>
31
/*
 * Gate a user-originated nexus-controller ioctl on the caller's privilege.
 *
 * Returns 0 when the caller may issue @cmd, EPERM when the caller lacks
 * the required entitlement, and ENOTSUP for a command this function does
 * not know about.  The default branch fails closed: a new NXIOC_* command
 * must be added here, not just to the dispatcher, or non-root callers are
 * rejected before any handler runs.
 *
 * A superuser credential bypasses the entitlement lookup entirely; rule
 * mutation commands require the write entitlement, the read-back command
 * requires the read entitlement.
 */
static int
nxioctl_check_entitlement(u_long cmd)
{
	const char *required;

	/* root is trusted unconditionally, no entitlement consulted */
	if (kauth_cred_issuser(kauth_cred_get())) {
		return 0;
	}

	/* map the command onto the entitlement that authorises it */
	switch (cmd) {
	case NXIOC_ADD_TRAFFIC_RULE_INET:
	case NXIOC_ADD_TRAFFIC_RULE_ETH:
	case NXIOC_REMOVE_TRAFFIC_RULE:
		required = NXCTL_TRAFFIC_RULE_WRITE_ENTITLEMENT;
		break;
	case NXIOC_GET_TRAFFIC_RULES:
		required = NXCTL_TRAFFIC_RULE_READ_ENTITLEMENT;
		break;
	default:
		/* unknown command: log and refuse rather than fall through */
		SK_ERR("invalid command %lx", cmd);
		return ENOTSUP;
	}

	return IOCurrentTaskHasEntitlement(required) ? 0 : EPERM;
}
57
/*
 * Dispatch an already-authorised nexus-controller ioctl to its handler.
 *
 * This function performs no privilege check of its own; callers are
 * expected to have gated @cmd beforehand (the user path does, the kernel
 * path is trusted).  Returns the handler's result, or ENOTSUP after
 * logging when @cmd matches no known command.
 *
 * NOTE: the leading-underscore file-scope name is technically in the
 * implementation's reserved namespace; kept as-is because callers in this
 * file depend on it.
 */
static int
_nxioctl(struct nxctl *nxctl, u_long cmd, caddr_t data, proc_t procp)
{
	int err = ENOTSUP;

	switch (cmd) {
	case NXIOC_ADD_TRAFFIC_RULE_INET:
		err = nxioctl_add_traffic_rule_inet(nxctl, data, procp);
		break;
	case NXIOC_ADD_TRAFFIC_RULE_ETH:
		err = nxioctl_add_traffic_rule_eth(nxctl, data, procp);
		break;
	case NXIOC_REMOVE_TRAFFIC_RULE:
		err = nxioctl_remove_traffic_rule(nxctl, data, procp);
		break;
	case NXIOC_GET_TRAFFIC_RULES:
		err = nxioctl_get_traffic_rules(nxctl, data, procp);
		break;
	default:
		/* err already holds ENOTSUP; just record the bad command */
		SK_ERR("invalid command %lx", cmd);
		break;
	}

	return err;
}
75
/*
 * User-facing nexus-controller ioctl entry point.
 *
 * Authorises @cmd for the calling credential/task first and only then
 * hands it to the dispatcher, so an unprivileged caller never reaches a
 * handler (and @data is never interpreted) for a command it may not issue.
 * Returns the entitlement check's error, else the handler's result.
 */
int
nxioctl(struct nxctl *nxctl, u_long cmd, caddr_t data, proc_t procp)
{
	int err = nxioctl_check_entitlement(cmd);

	/* refuse before touching the request payload */
	if (err != 0) {
		return err;
	}

	return _nxioctl(nxctl, cmd, data, procp);
}
86
/*
 * In-kernel nexus-controller ioctl entry point.
 *
 * Unlike nxioctl(), this path performs no entitlement check: it resolves
 * the controller's nxctl and dispatches @cmd directly.  In-kernel callers
 * are therefore responsible for only issuing commands on behalf of
 * principals they have already vetted.
 */
int
nxioctl_kernel(nexus_controller_t ncd, u_long cmd, caddr_t data, proc_t procp)
{
	struct nxctl *nxctl = ncd->ncd_nxctl;

	return _nxioctl(nxctl, cmd, data, procp);
}
92