1 /* 2 * Copyright (c) 2007-2016 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28 /*- 29 * Copyright (c) 1999-2002 Robert N. M. Watson 30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 31 * Copyright (c) 2005-2007 SPARTA, Inc. 32 * All rights reserved. 33 * 34 * This software was developed by Robert Watson for the TrustedBSD Project. 35 * 36 * This software was developed for the FreeBSD Project in part by Network 37 * Associates Laboratories, the Security Research Division of Network 38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 39 * as part of the DARPA CHATS research program. 40 * 41 * This software was enhanced by SPARTA ISSO under SPAWAR contract 42 * N66001-04-C-6019 ("SEFOS"). 43 * 44 * Redistribution and use in source and binary forms, with or without 45 * modification, are permitted provided that the following conditions 46 * are met: 47 * 1. Redistributions of source code must retain the above copyright 48 * notice, this list of conditions and the following disclaimer. 49 * 2. Redistributions in binary form must reproduce the above copyright 50 * notice, this list of conditions and the following disclaimer in the 51 * documentation and/or other materials provided with the distribution. 52 * 53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 63 * SUCH DAMAGE. 64 * 65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $ 66 */ 67 68 /** 69 * @file mac_policy.h 70 * @brief Kernel Interfaces for MAC policy modules 71 * 72 * This header defines the list of operations that are defined by the 73 * TrustedBSD MAC Framwork on Darwin. MAC Policy modules register 74 * with the framework to declare interest in a specific set of 75 * operations. If interest in an entry point is not declared, then 76 * the policy will be ignored when the Framework evaluates that entry 77 * point. 78 */ 79 80 #ifndef _SECURITY_MAC_POLICY_H_ 81 #define _SECURITY_MAC_POLICY_H_ 82 83 #ifndef PRIVATE 84 #warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version" 85 #endif 86 87 #include <security/_label.h> 88 #include <kern/cs_blobs.h> 89 90 struct attrlist; 91 struct auditinfo; 92 struct bpf_d; 93 struct cs_blob; 94 struct devnode; 95 struct exception_action; 96 struct fileglob; 97 struct ifnet; 98 struct inpcb; 99 struct ipq; 100 struct label; 101 struct mac_policy_conf; 102 struct mbuf; 103 struct mount; 104 struct msg; 105 struct msqid_kernel; 106 struct pipe; 107 struct pseminfo; 108 struct pshminfo; 109 struct sbuf; 110 struct semid_kernel; 111 struct shmid_kernel; 112 struct socket; 113 struct sockopt; 114 struct task; 115 struct thread; 116 struct tty; 117 struct ucred; 118 struct vfs_attr; 119 struct vnode; 120 struct sockaddr; 121 /** @struct dummy */ 122 123 124 /* 125 * proc_ident_t support, see: rdar://problem/58928152 126 * Should be removed once all dependent parties adopt 127 * proc_ident_t. 128 */ 129 #define MAC_PROC_IDENT_SUPPORT 130 131 #ifndef _KAUTH_CRED_T 132 #define _KAUTH_CRED_T 133 typedef struct ucred *kauth_cred_t; 134 #endif /* !_KAUTH_CRED_T */ 135 136 #ifndef __IOKIT_PORTS_DEFINED__ 137 #define __IOKIT_PORTS_DEFINED__ 138 #ifdef __cplusplus 139 class OSObject; 140 typedef OSObject *io_object_t; 141 #else 142 struct OSObject; 143 typedef struct OSObject *io_object_t; 144 #endif 145 #endif /* __IOKIT_PORTS_DEFINED__ */ 146 147 /*- 148 * MAC entry points are generally named using the following template: 149 * 150 * mpo_<object>_<operation>() 151 * 152 * or: 153 * 154 * mpo_<object>_check_<operation>() 155 * 156 * Entry points are sorted by object type. 157 * 158 * It may be desirable also to consider some subsystems as "objects", such 159 * as system, iokit, etc. 160 */ 161 162 /** 163 * @name Entry Points for Label Management 164 * 165 * These are the entry points corresponding to the life cycle events for 166 * kernel objects, such as initialization, creation, and destruction. 167 * 168 * Most policies (that use labels) will initialize labels by allocating 169 * space for policy-specific data. In most cases, it is permitted to 170 * sleep during label initialization operations; it will be noted when 171 * it is not permitted. 172 * 173 * Initialization usually will not require doing more than allocating a 174 * generic label for the given object. What follows initialization is 175 * creation, where a label is made specific to the object it is associated 176 * with. Destruction occurs when the label is no longer needed, such as 177 * when the corresponding object is destroyed. All necessary cleanup should 178 * be performed in label destroy operations. 179 * 180 * Where possible, the label entry points have identical parameters. If 181 * the policy module does not require structure-specific label 182 * information, the same function may be registered in the policy 183 * operation vector. Many policies will implement two such generic 184 * allocation calls: one to handle sleepable requests, and one to handle 185 * potentially non-sleepable requests. 186 */ 187 188 189 /** 190 * @brief Audit event postselection 191 * @param cred Subject credential 192 * @param syscode Syscall number 193 * @param args Syscall arguments 194 * @param error Syscall errno 195 * @param retval Syscall return value 196 * 197 * This is the MAC Framework audit postselect, which is called before 198 * exiting a syscall to determine if an audit event should be committed. 199 * A return value of MAC_AUDIT_NO forces the audit record to be suppressed. 200 * Any other return value results in the audit record being committed. 201 * 202 * @warning The suppression behavior will probably go away in Apple's 203 * future version of the audit implementation. 204 * 205 * @return Return MAC_AUDIT_NO to force suppression of the audit record. 206 * Any other value results in the audit record being committed. 207 * 208 */ 209 typedef int mpo_audit_check_postselect_t( 210 kauth_cred_t cred, 211 unsigned short syscode, 212 void *args, 213 int error, 214 int retval 215 ); 216 /** 217 * @brief Audit event preselection 218 * @param cred Subject credential 219 * @param syscode Syscall number 220 * @param args Syscall arguments 221 * 222 * This is the MAC Framework audit preselect, which is called before a 223 * syscall is entered to determine if an audit event should be created. 224 * If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be 225 * returned. A return value of MAC_AUDIT_NO causes the audit record to 226 * be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants 227 * to defer to the system's existing preselection mechanism. 228 * 229 * When policies return different preferences, the Framework decides what action 230 * to take based on the following policy. If any policy returns MAC_AUDIT_YES, 231 * then create an audit record, else if any policy returns MAC_AUDIT_NO, then 232 * suppress the creations of an audit record, else defer to the system's 233 * existing preselection mechanism. 234 * 235 * @warning The audit implementation in Apple's current version is 236 * incomplete, so the MAC policies have priority over the system's existing 237 * mechanisms. This will probably change in the future version where 238 * the audit implementation is more complete. 239 * 240 * @return Return MAC_AUDIT_YES to force auditing of the syscall, 241 * MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT 242 * to allow auditing mechanisms to determine if the syscall is audited. 243 * 244 */ 245 typedef int mpo_audit_check_preselect_t( 246 kauth_cred_t cred, 247 unsigned short syscode, 248 void *args 249 ); 250 /** 251 * @brief Indicate desire to change the process label at exec time 252 * @param old Existing subject credential 253 * @param vp File being executed 254 * @param offset Offset of binary within file being executed 255 * @param scriptvp Script being executed by interpreter, if any. 256 * @param vnodelabel Label corresponding to vp 257 * @param scriptvnodelabel Script vnode label 258 * @param execlabel Userspace provided execution label 259 * @param p Object process 260 * @param macpolicyattr MAC policy-specific spawn attribute data 261 * @param macpolicyattrlen Length of policy-specific spawn attribute data 262 * @see mac_execve 263 * @see mpo_cred_label_update_execve_t 264 * @see mpo_vnode_check_exec_t 265 * 266 * Indicate whether this policy intends to update the label of a newly 267 * created credential from the existing subject credential (old). This 268 * call occurs when a process executes the passed vnode. If a policy 269 * returns success from this entry point, the mpo_cred_label_update_execve 270 * entry point will later be called with the same parameters. Access 271 * has already been checked via the mpo_vnode_check_exec entry point, 272 * this entry point is necessary to preserve kernel locking constraints 273 * during program execution. 274 * 275 * The supplied vnode and vnodelabel correspond with the file actually 276 * being executed; in the case that the file is interpreted (for 277 * example, a script), the label of the original exec-time vnode has 278 * been preserved in scriptvnodelabel. 279 * 280 * The final label, execlabel, corresponds to a label supplied by a 281 * user space application through the use of the mac_execve system call. 282 * 283 * The vnode lock is held during this operation. No changes should be 284 * made to the old credential structure. 285 * 286 * @warning Even if a policy returns 0, it should behave correctly in 287 * the presence of an invocation of mpo_cred_label_update_execve, as that 288 * call may happen as a result of another policy requesting a transition. 289 * 290 * @return Non-zero if a transition is required, 0 otherwise. 291 */ 292 typedef int mpo_cred_check_label_update_execve_t( 293 kauth_cred_t old, 294 struct vnode *vp, 295 off_t offset, 296 struct vnode *scriptvp, 297 struct label *vnodelabel, 298 struct label *scriptvnodelabel, 299 struct label *execlabel, 300 struct proc *p, 301 void *macpolicyattr, 302 size_t macpolicyattrlen 303 ); 304 /** 305 * @brief Access control check for relabelling processes 306 * @param cred Subject credential 307 * @param newlabel New label to apply to the user credential 308 * @see mpo_cred_label_update_t 309 * @see mac_set_proc 310 * 311 * Determine whether the subject identified by the credential can relabel 312 * itself to the supplied new label (newlabel). This access control check 313 * is called when the mac_set_proc system call is invoked. A user space 314 * application will supply a new value, the value will be internalized 315 * and provided in newlabel. 316 * 317 * @return Return 0 if access is granted, otherwise an appropriate value for 318 * errno should be returned. 319 */ 320 typedef int mpo_cred_check_label_update_t( 321 kauth_cred_t cred, 322 struct label *newlabel 323 ); 324 /** 325 * @brief Access control check for visibility of other subjects 326 * @param u1 Subject credential 327 * @param u2 Object credential 328 * 329 * Determine whether the subject identified by the credential u1 can 330 * "see" other subjects with the passed subject credential u2. This call 331 * may be made in a number of situations, including inter-process status 332 * sysctls used by ps, and in procfs lookups. 333 * 334 * @return Return 0 if access is granted, otherwise an appropriate value for 335 * errno should be returned. Suggested failure: EACCES for label mismatch, 336 * EPERM for lack of privilege, or ESRCH to hide visibility. 337 */ 338 typedef int mpo_cred_check_visible_t( 339 kauth_cred_t u1, 340 kauth_cred_t u2 341 ); 342 /** 343 * @brief Associate a credential with a new process at fork 344 * @param cred credential to inherited by new process 345 * @param proc the new process 346 * 347 * Allow a process to associate the credential with a new 348 * process for reference countng purposes. 349 * NOTE: the credential can be dis-associated in ways other 350 * than exit - so this strategy is flawed - should just 351 * catch label destroy callback. 352 */ 353 typedef void mpo_cred_label_associate_fork_t( 354 kauth_cred_t cred, 355 proc_t proc 356 ); 357 /** 358 * @brief Create the first process 359 * @param cred Subject credential to be labeled 360 * 361 * Create the subject credential of process 0, the parent of all BSD 362 * kernel processes. Policies should update the label in the 363 * previously initialized credential structure. 364 */ 365 typedef void mpo_cred_label_associate_kernel_t( 366 kauth_cred_t cred 367 ); 368 /** 369 * @brief Create a credential label 370 * @param parent_cred Parent credential 371 * @param child_cred Child credential 372 * 373 * Set the label of a newly created credential, most likely using the 374 * information in the supplied parent credential. 375 * 376 * @warning This call is made when crcopy or crdup is invoked on a 377 * newly created struct ucred, and should not be confused with a 378 * process fork or creation event. 379 */ 380 typedef void mpo_cred_label_associate_t( 381 kauth_cred_t parent_cred, 382 kauth_cred_t child_cred 383 ); 384 /** 385 * @brief Create the first process 386 * @param cred Subject credential to be labeled 387 * 388 * Create the subject credential of process 1, the parent of all BSD 389 * user processes. Policies should update the label in the previously 390 * initialized credential structure. This is the 'init' process. 391 */ 392 typedef void mpo_cred_label_associate_user_t( 393 kauth_cred_t cred 394 ); 395 /** 396 * @brief Destroy credential label 397 * @param label The label to be destroyed 398 * 399 * Destroy a user credential label. Since the user credential 400 * is going out of scope, policy modules should free any internal 401 * storage associated with the label so that it may be destroyed. 402 */ 403 typedef void mpo_cred_label_destroy_t( 404 struct label *label 405 ); 406 /** 407 * @brief Externalize a user credential label for auditing 408 * @param label Label to be externalized 409 * @param element_name Name of the label namespace for which labels should be 410 * externalized 411 * @param sb String buffer to be filled with a text representation of the label 412 * 413 * Produce an external representation of the label on a user credential for 414 * inclusion in an audit record. An externalized label consists of a text 415 * representation of the label contents that will be added to the audit record 416 * as part of a text token. Policy-agnostic user space tools will display 417 * this externalized version. 418 * 419 * @return 0 on success, return non-zero if an error occurs while 420 * externalizing the label data. 421 * 422 */ 423 typedef int mpo_cred_label_externalize_audit_t( 424 struct label *label, 425 char *element_name, 426 struct sbuf *sb 427 ); 428 /** 429 * @brief Externalize a user credential label 430 * @param label Label to be externalized 431 * @param element_name Name of the label namespace for which labels should be 432 * externalized 433 * @param sb String buffer to be filled with a text representation of the label 434 * 435 * Produce an external representation of the label on a user 436 * credential. An externalized label consists of a text representation 437 * of the label contents that can be used with user applications. 438 * Policy-agnostic user space tools will display this externalized 439 * version. 440 * 441 * @return 0 on success, return non-zero if an error occurs while 442 * externalizing the label data. 443 * 444 */ 445 typedef int mpo_cred_label_externalize_t( 446 struct label *label, 447 char *element_name, 448 struct sbuf *sb 449 ); 450 /** 451 * @brief Initialize user credential label 452 * @param label New label to initialize 453 * 454 * Initialize the label for a newly instantiated user credential. 455 * Sleeping is permitted. 456 */ 457 typedef void mpo_cred_label_init_t( 458 struct label *label 459 ); 460 /** 461 * @brief Internalize a user credential label 462 * @param label Label to be internalized 463 * @param element_name Name of the label namespace for which the label should 464 * be internalized 465 * @param element_data Text data to be internalized 466 * 467 * Produce a user credential label from an external representation. An 468 * externalized label consists of a text representation of the label 469 * contents that can be used with user applications. Policy-agnostic 470 * user space tools will forward text version to the kernel for 471 * processing by individual policy modules. 472 * 473 * The policy's internalize entry points will be called only if the 474 * policy has registered interest in the label namespace. 475 * 476 * @return 0 on success, Otherwise, return non-zero if an error occurs 477 * while internalizing the label data. 478 * 479 */ 480 typedef int mpo_cred_label_internalize_t( 481 struct label *label, 482 char *element_name, 483 char *element_data 484 ); 485 /** 486 * @brief Update credential at exec time 487 * @param old_cred Existing subject credential 488 * @param new_cred New subject credential to be labeled 489 * @param p Object process. 490 * @param vp File being executed 491 * @param offset Offset of binary within file being executed 492 * @param scriptvp Script being executed by interpreter, if any. 493 * @param vnodelabel Label corresponding to vp 494 * @param scriptvnodelabel Script vnode label 495 * @param execlabel Userspace provided execution label 496 * @param csflags Code signing flags to be set after exec 497 * @param macpolicyattr MAC policy-specific spawn attribute data. 498 * @param macpolicyattrlen Length of policy-specific spawn attribute data. 499 * @see mac_execve 500 * @see mpo_cred_check_label_update_execve_t 501 * @see mpo_vnode_check_exec_t 502 * 503 * Update the label of a newly created credential (new) from the 504 * existing subject credential (old). This call occurs when a process 505 * executes the passed vnode and one of the loaded policy modules has 506 * returned success from the mpo_cred_check_label_update_execve entry point. 507 * Access has already been checked via the mpo_vnode_check_exec entry 508 * point, this entry point is only used to update any policy state. 509 * 510 * The supplied vnode and vnodelabel correspond with the file actually 511 * being executed; in the case that the file is interpreted (for 512 * example, a script), the label of the original exec-time vnode has 513 * been preserved in scriptvnodelabel. 514 * 515 * The final label, execlabel, corresponds to a label supplied by a 516 * user space application through the use of the mac_execve system call. 517 * 518 * If non-NULL, the value pointed to by disjointp will be set to 0 to 519 * indicate that the old and new credentials are not disjoint, or 1 to 520 * indicate that they are. 521 * 522 * The vnode lock is held during this operation. No changes should be 523 * made to the old credential structure. 524 * @return 0 on success, Otherwise, return non-zero if update results in 525 * termination of child. 526 */ 527 typedef int mpo_cred_label_update_execve_t( 528 kauth_cred_t old_cred, 529 kauth_cred_t new_cred, 530 struct proc *p, 531 struct vnode *vp, 532 off_t offset, 533 struct vnode *scriptvp, 534 struct label *vnodelabel, 535 struct label *scriptvnodelabel, 536 struct label *execlabel, 537 u_int *csflags, 538 void *macpolicyattr, 539 size_t macpolicyattrlen, 540 int *disjointp 541 ); 542 /** 543 * @brief Update a credential label 544 * @param cred The existing credential 545 * @param newlabel A new label to apply to the credential 546 * @see mpo_cred_check_label_update_t 547 * @see mac_set_proc 548 * 549 * Update the label on a user credential, using the supplied new label. 550 * This is called as a result of a process relabel operation. Access 551 * control was already confirmed by mpo_cred_check_label_update. 552 */ 553 typedef void mpo_cred_label_update_t( 554 kauth_cred_t cred, 555 struct label *newlabel 556 ); 557 /** 558 * @brief Access control for launching a process with constraints 559 * @param curr_p The new process 560 * @param original_parent_id The pid of the original parent that spawned this process 561 * @param responsible_pid The pid of the responsible process that spawned this process 562 * @param macpolicyattr MAC policy-specific spawn attribute data 563 * @param macpolicyattrlen Length of policy-specific spawn attribute data 564 * @param fatal_failure_desc Description of fatal failure 565 * @param fatal_failure_desc_len Failure description len, failure is fatal if non-0 566 * 567 * Detemine whether the process being spawned adheres to the launch 568 * constraints (e.g. whether the process is spawned by launchd) and should 569 * be allowed to execute. This call occurs during execve or posix_spawn. 570 * 571 * @return Return 0 if process can be created, otherwise an appropriate value for 572 * errno should be returned. 573 */ 574 typedef int mpo_proc_check_launch_constraints_t( 575 proc_t curr_p, 576 pid_t original_parent_id, 577 pid_t responsible_pid, 578 void *macpolicyattr, 579 size_t macpolicyattrlen, 580 launch_constraint_data_t lcd, 581 char **fatal_failure_desc, size_t *fatal_failure_desc_len 582 ); 583 /** 584 * @brief Create a new devfs device 585 * @param dev Major and minor numbers of special file 586 * @param de "inode" of new device file 587 * @param label Destination label 588 * @param fullpath Path relative to mount (e.g. /dev) of new device file 589 * 590 * This entry point labels a new devfs device. The label will likely be based 591 * on the path to the device, or the major and minor numbers. 592 * The policy should store an appropriate label into 'label'. 593 */ 594 typedef void mpo_devfs_label_associate_device_t( 595 dev_t dev, 596 struct devnode *de, 597 struct label *label, 598 const char *fullpath 599 ); 600 /** 601 * @brief Create a new devfs directory 602 * @param dirname Name of new directory 603 * @param dirnamelen Length of 'dirname' 604 * @param de "inode" of new directory 605 * @param label Destination label 606 * @param fullpath Path relative to mount (e.g. /dev) of new directory 607 * 608 * This entry point labels a new devfs directory. The label will likely be 609 * based on the path of the new directory. The policy should store an appropriate 610 * label into 'label'. The devfs root directory is labelled in this way. 611 */ 612 typedef void mpo_devfs_label_associate_directory_t( 613 const char *dirname, 614 int dirnamelen, 615 struct devnode *de, 616 struct label *label, 617 const char *fullpath 618 ); 619 /** 620 * @brief Copy a devfs label 621 * @param src Source devfs label 622 * @param dest Destination devfs label 623 * 624 * Copy the label information from src to dest. The devfs file system 625 * often duplicates (splits) existing device nodes rather than creating 626 * new ones. 627 */ 628 typedef void mpo_devfs_label_copy_t( 629 struct label *src, 630 struct label *dest 631 ); 632 /** 633 * @brief Destroy devfs label 634 * @param label The label to be destroyed 635 * 636 * Destroy a devfs entry label. Since the object is going out 637 * of scope, policy modules should free any internal storage associated 638 * with the label so that it may be destroyed. 639 */ 640 typedef void mpo_devfs_label_destroy_t( 641 struct label *label 642 ); 643 /** 644 * @brief Initialize devfs label 645 * @param label New label to initialize 646 * 647 * Initialize the label for a newly instantiated devfs entry. Sleeping 648 * is permitted. 649 */ 650 typedef void mpo_devfs_label_init_t( 651 struct label *label 652 ); 653 /** 654 * @brief Update a devfs label after relabelling its vnode 655 * @param mp Devfs mount point 656 * @param de Affected devfs directory entry 657 * @param delabel Label of devfs directory entry 658 * @param vp Vnode associated with de 659 * @param vnodelabel New label of vnode 660 * 661 * Update a devfs label when its vnode is manually relabelled, 662 * for example with setfmac(1). Typically, this will simply copy 663 * the vnode label into the devfs label. 664 */ 665 typedef void mpo_devfs_label_update_t( 666 struct mount *mp, 667 struct devnode *de, 668 struct label *delabel, 669 struct vnode *vp, 670 struct label *vnodelabel 671 ); 672 /** 673 * @brief Access control for sending an exception to an exception action 674 * @param crashlabel The crashing process's label 675 * @param action Exception action 676 * @param exclabel Policy label for exception action 677 * 678 * Determine whether the the exception message caused by the victim 679 * process can be sent to the exception action. The policy may compare 680 * credentials in the crashlabel, which are derived from the process at 681 * the time the exception occurs, with the credentials in the exclabel, 682 * which was set at the time the exception port was set, to determine 683 * its decision. Note that any process from which the policy derived 684 * any credentials may not exist anymore at the time of this policy 685 * operation. Sleeping is permitted. 686 * 687 * @return Return 0 if the message can be sent, otherwise an 688 * appropriate value for errno should be returned. 689 */ 690 typedef int mpo_exc_action_check_exception_send_t( 691 struct label *crashlabel, 692 struct exception_action *action, 693 struct label *exclabel 694 ); 695 /** 696 * @brief Associate an exception action label 697 * @param action Exception action to label 698 * @param exclabel Policy label to be filled in for exception action 699 * 700 * Set the label on an exception action. 701 */ 702 typedef void mpo_exc_action_label_associate_t( 703 struct exception_action *action, 704 struct label *exclabel 705 ); 706 /** 707 * @brief Destroy exception action label 708 * @param label The label to be destroyed 709 * 710 * Destroy the label on an exception action. Since the object is going 711 * out of scope, policy modules should free any internal storage 712 * associated with the label so that it may be destroyed. Sleeping is 713 * permitted. 714 */ 715 typedef void mpo_exc_action_label_destroy_t( 716 struct label *label 717 ); 718 /** 719 * @brief Populate an exception action label with process credentials 720 * @param label The label to be populated 721 * @param proc Process to derive credentials from 722 * 723 * Populate a label with credentials derived from a process. At 724 * exception delivery time, the policy should compare credentials of the 725 * process that set an exception ports with the credentials of the 726 * process or corpse that experienced the exception. Note that the 727 * process that set the port may not exist at that time anymore, so 728 * labels should carry copies of live credentials if necessary. 729 */ 730 typedef void mpo_exc_action_label_populate_t( 731 struct label *label, 732 struct proc *proc 733 ); 734 /** 735 * @brief Initialize exception action label 736 * @param label New label to initialize 737 * 738 * Initialize a label for an exception action. Usually performs 739 * policy specific allocations. Sleeping is permitted. 740 */ 741 typedef int mpo_exc_action_label_init_t( 742 struct label *label 743 ); 744 /** 745 * @brief Update the label on an exception action 746 * @param action Exception action that the label belongs to (may be 747 * NULL if none) 748 * @param label Policy label to update 749 * @param newlabel New label for update 750 * 751 * Update the credentials of an exception action from the given 752 * label. The policy should copy over any credentials (process and 753 * otherwise) from the new label into the label to update. Must not 754 * sleep, must be quick and can be called with locks held. 755 */ 756 typedef int mpo_exc_action_label_update_t( 757 struct exception_action *action, 758 struct label *label, 759 struct label *newlabel 760 ); 761 /** 762 * @brief Access control for changing the offset of a file descriptor 763 * @param cred Subject credential 764 * @param fg Fileglob structure 765 * @param label Policy label for fg 766 * 767 * Determine whether the subject identified by the credential can 768 * change the offset of the file represented by fg. 769 * 770 * @return Return 0 if access if granted, otherwise an appropriate 771 * value for errno should be returned. 772 */ 773 typedef int mpo_file_check_change_offset_t( 774 kauth_cred_t cred, 775 struct fileglob *fg, 776 struct label *label 777 ); 778 /** 779 * @brief Access control for creating a file descriptor 780 * @param cred Subject credential 781 * 782 * Determine whether the subject identified by the credential can 783 * allocate a new file descriptor. 784 * 785 * @return Return 0 if access if granted, otherwise an appropriate 786 * value for errno should be returned. 787 */ 788 typedef int mpo_file_check_create_t( 789 kauth_cred_t cred 790 ); 791 /** 792 * @brief Access control for duplicating a file descriptor 793 * @param cred Subject credential 794 * @param fg Fileglob structure 795 * @param label Policy label for fg 796 * @param newfd New file descriptor number 797 * 798 * Determine whether the subject identified by the credential can 799 * duplicate the fileglob structure represented by fg and as file 800 * descriptor number newfd. 801 * 802 * @return Return 0 if access if granted, otherwise an appropriate 803 * value for errno should be returned. 804 */ 805 typedef int mpo_file_check_dup_t( 806 kauth_cred_t cred, 807 struct fileglob *fg, 808 struct label *label, 809 int newfd 810 ); 811 /** 812 * @brief Access control check for fcntl 813 * @param cred Subject credential 814 * @param fg Fileglob structure 815 * @param label Policy label for fg 816 * @param cmd Control operation to be performed; see fcntl(2) 817 * @param arg fcnt arguments; see fcntl(2) 818 * 819 * Determine whether the subject identified by the credential can perform 820 * the file control operation indicated by cmd. 821 * 822 * @return Return 0 if access is granted, otherwise an appropriate value for 823 * errno should be returned. 824 */ 825 typedef int mpo_file_check_fcntl_t( 826 kauth_cred_t cred, 827 struct fileglob *fg, 828 struct label *label, 829 int cmd, 830 user_long_t arg 831 ); 832 /** 833 * @brief Access control check for mac_get_fd 834 * @param cred Subject credential 835 * @param fg Fileglob structure 836 * @param elements Element buffer 837 * @param len Length of buffer 838 * 839 * Determine whether the subject identified by the credential should be allowed 840 * to get an externalized version of the label on the object indicated by fd. 841 * 842 * @return Return 0 if access is granted, otherwise an appropriate value for 843 * errno should be returned. 844 */ 845 typedef int mpo_file_check_get_t( 846 kauth_cred_t cred, 847 struct fileglob *fg, 848 char *elements, 849 size_t len 850 ); 851 /** 852 * @brief Access control for getting the offset of a file descriptor 853 * @param cred Subject credential 854 * @param fg Fileglob structure 855 * @param label Policy label for fg 856 * 857 * Determine whether the subject identified by the credential can 858 * get the offset of the file represented by fg. 859 * 860 * @return Return 0 if access if granted, otherwise an appropriate 861 * value for errno should be returned. 862 */ 863 typedef int mpo_file_check_get_offset_t( 864 kauth_cred_t cred, 865 struct fileglob *fg, 866 struct label *label 867 ); 868 /** 869 * @brief Access control for inheriting a file descriptor 870 * @param cred Subject credential 871 * @param fg Fileglob structure 872 * @param label Policy label for fg 873 * 874 * Determine whether the subject identified by the credential can 875 * inherit the fileglob structure represented by fg. 876 * 877 * @return Return 0 if access if granted, otherwise an appropriate 878 * value for errno should be returned. 879 */ 880 typedef int mpo_file_check_inherit_t( 881 kauth_cred_t cred, 882 struct fileglob *fg, 883 struct label *label 884 ); 885 /** 886 * @brief Access control check for file ioctl 887 * @param cred Subject credential 888 * @param fg Fileglob structure 889 * @param label Policy label for fg 890 * @param cmd The ioctl command; see ioctl(2) 891 * 892 * Determine whether the subject identified by the credential can perform 893 * the ioctl operation indicated by cmd. 894 * 895 * @warning Since ioctl data is opaque from the standpoint of the MAC 896 * framework, policies must exercise extreme care when implementing 897 * access control checks. 898 * 899 * @return Return 0 if access is granted, otherwise an appropriate value for 900 * errno should be returned. 901 * 902 */ 903 typedef int mpo_file_check_ioctl_t( 904 kauth_cred_t cred, 905 struct fileglob *fg, 906 struct label *label, 907 unsigned long cmd 908 ); 909 /** 910 * @brief Access control check for file locking 911 * @param cred Subject credential 912 * @param fg Fileglob structure 913 * @param label Policy label for fg 914 * @param op The lock operation (F_GETLK, F_SETLK, F_UNLK) 915 * @param fl The flock structure 916 * 917 * Determine whether the subject identified by the credential can perform 918 * the lock operation indicated by op and fl on the file represented by fg. 919 * 920 * @return Return 0 if access is granted, otherwise an appropriate value for 921 * errno should be returned. 922 * 923 */ 924 typedef int mpo_file_check_lock_t( 925 kauth_cred_t cred, 926 struct fileglob *fg, 927 struct label *label, 928 int op, 929 struct flock *fl 930 ); 931 /** 932 * @brief Check with library validation if a Mach-O slice is allowed to be combined into a proc. 933 * @param p Subject process 934 * @param fg Fileglob structure 935 * @param slice_offset offset of the code slice 936 * @param error_message error message returned to user-space in case of error (userspace pointer) 937 * @param error_message_size error message size 938 * 939 * It's a little odd that the MAC/kext writes into userspace since this 940 * implies there is only one MAC module that implements this, however 941 * the alternative is to allocate memory in xnu, in the hope that 942 * the MAC module will use it, or allocate in the MAC module and then 943 * free it in xnu. Neither of these is very appealing, so let's go with 944 * the slightly more hacky way. 945 * 946 * @return Return 0 if access is granted, otherwise an appropriate value for 947 * errno should be returned. 948 */ 949 typedef int mpo_file_check_library_validation_t( 950 struct proc *p, 951 struct fileglob *fg, 952 off_t slice_offset, 953 user_long_t error_message, 954 size_t error_message_size 955 ); 956 /** 957 * @brief Access control check for mapping a file 958 * @param cred Subject credential 959 * @param fg fileglob representing file to map 960 * @param label Policy label associated with vp 961 * @param prot mmap protections; see mmap(2) 962 * @param flags Type of mapped object; see mmap(2) 963 * @param maxprot Maximum rights 964 * 965 * Determine whether the subject identified by the credential should be 966 * allowed to map the file represented by fg with the protections specified 967 * in prot. The maxprot field holds the maximum permissions on the new 968 * mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. 969 * To avoid overriding prior access control checks, a policy should only 970 * remove flags from maxprot. 971 * 972 * @return Return 0 if access is granted, otherwise an appropriate value for 973 * errno should be returned. Suggested failure: EACCES for label mismatch or 974 * EPERM for lack of privilege. 975 */ 976 typedef int mpo_file_check_mmap_t( 977 kauth_cred_t cred, 978 struct fileglob *fg, 979 struct label *label, 980 int prot, 981 int flags, 982 uint64_t file_pos, 983 int *maxprot 984 ); 985 /** 986 * @brief Downgrade the mmap protections 987 * @param cred Subject credential 988 * @param fg file to map 989 * @param label Policy label associated with vp 990 * @param prot mmap protections to be downgraded 991 * 992 * Downgrade the mmap protections based on the subject and object labels. 993 */ 994 typedef void mpo_file_check_mmap_downgrade_t( 995 kauth_cred_t cred, 996 struct fileglob *fg, 997 struct label *label, 998 int *prot 999 ); 1000 /** 1001 * @brief Access control for receiving a file descriptor 1002 * @param cred Subject credential 1003 * @param fg Fileglob structure 1004 * @param label Policy label for fg 1005 * 1006 * Determine whether the subject identified by the credential can 1007 * receive the fileglob structure represented by fg. 1008 * 1009 * @return Return 0 if access if granted, otherwise an appropriate 1010 * value for errno should be returned. 1011 */ 1012 typedef int mpo_file_check_receive_t( 1013 kauth_cred_t cred, 1014 struct fileglob *fg, 1015 struct label *label 1016 ); 1017 /** 1018 * @brief Access control check for mac_set_fd 1019 * @param cred Subject credential 1020 * @param fg Fileglob structure 1021 * @param elements Elements buffer 1022 * @param len Length of elements buffer 1023 * 1024 * Determine whether the subject identified by the credential can 1025 * perform the mac_set_fd operation. The mac_set_fd operation is used 1026 * to associate a MAC label with a file. 1027 * 1028 * @return Return 0 if access is granted, otherwise an appropriate value for 1029 * errno should be returned. 1030 */ 1031 typedef int mpo_file_check_set_t( 1032 kauth_cred_t cred, 1033 struct fileglob *fg, 1034 char *elements, 1035 size_t len 1036 ); 1037 /** 1038 * @brief Inform MAC policies that file is being closed 1039 * @param cred Subject credential 1040 * @param fg Fileglob structure 1041 * @param label Policy label for fg 1042 * @param modified Boolean; 1 if file was modified, 0 otherwise 1043 * 1044 * Called when an open file is being closed, as a result of a call to 1045 * close(2), the process exiting, or exec(2) w/O_CLOEXEC set. 1046 */ 1047 typedef void mpo_file_notify_close_t( 1048 kauth_cred_t cred, 1049 struct fileglob *fg, 1050 struct label *label, 1051 int modified 1052 ); 1053 /** 1054 * @brief Create file label 1055 * @param cred Subject credential 1056 * @param fg Fileglob structure 1057 * @param label Policy label for fg 1058 */ 1059 typedef void mpo_file_label_associate_t( 1060 kauth_cred_t cred, 1061 struct fileglob *fg, 1062 struct label *label 1063 ); 1064 /** 1065 * @brief Destroy file label 1066 * @param label The label to be destroyed 1067 * 1068 * Destroy the label on a file descriptor. In this entry point, a 1069 * policy module should free any internal storage associated with 1070 * label so that it may be destroyed. 1071 */ 1072 typedef void mpo_file_label_destroy_t( 1073 struct label *label 1074 ); 1075 /** 1076 * @brief Initialize file label 1077 * @param label New label to initialize 1078 */ 1079 typedef void mpo_file_label_init_t( 1080 struct label *label 1081 ); 1082 /** 1083 * @brief Access control check for opening an I/O Kit device 1084 * @param cred Subject credential 1085 * @param user_client User client instance 1086 * @param user_client_type User client type 1087 * 1088 * Determine whether the subject identified by the credential can open an 1089 * I/O Kit device at the passed path of the passed user client class and 1090 * type. This check is performed after instantiating the user client. 1091 * See also mpo_iokit_check_open_service_t. 1092 * 1093 * @return Return 0 if access is granted, or an appropriate value for 1094 * errno should be returned. 1095 */ 1096 typedef int mpo_iokit_check_open_t( 1097 kauth_cred_t cred, 1098 io_object_t user_client, 1099 unsigned int user_client_type 1100 ); 1101 /** 1102 * @brief Access control check for opening an I/O Kit device 1103 * @param cred Subject credential 1104 * @param service Service instance 1105 * @param user_client_type User client type 1106 * 1107 * Determine whether the subject identified by the credential can open a 1108 * I/O Kit user client of the passed service and user client type. 1109 * This check is performed before instantiating the user client. See also 1110 * mpo_iokit_check_open_t. 1111 * 1112 * @return Return 0 if access is granted, or an appropriate value for 1113 * errno should be returned. 1114 */ 1115 typedef int mpo_iokit_check_open_service_t( 1116 kauth_cred_t cred, 1117 io_object_t service, 1118 unsigned int user_client_type 1119 ); 1120 /** 1121 * @brief Access control check for setting I/O Kit device properties 1122 * @param cred Subject credential 1123 * @param entry Target device 1124 * @param properties Property list 1125 * 1126 * Determine whether the subject identified by the credential can set 1127 * properties on an I/O Kit device. 1128 * 1129 * @return Return 0 if access is granted, or an appropriate value for 1130 * errno should be returned. 1131 */ 1132 typedef int mpo_iokit_check_set_properties_t( 1133 kauth_cred_t cred, 1134 io_object_t entry, 1135 io_object_t properties 1136 ); 1137 /** 1138 * @brief Indicate desire to filter I/O Kit devices properties 1139 * @param cred Subject credential 1140 * @param entry Target device 1141 * @see mpo_iokit_check_get_property_t 1142 * 1143 * Indicate whether this policy may restrict the subject credential 1144 * from reading properties of the target device. 1145 * If a policy returns success from this entry point, the 1146 * mpo_iokit_check_get_property entry point will later be called 1147 * for each property that the subject credential tries to read from 1148 * the target device. 1149 * 1150 * This entry point is primarilly to optimize bulk property reads 1151 * by skipping calls to the mpo_iokit_check_get_property entry point 1152 * for credentials / devices no MAC policy is interested in. 1153 * 1154 * @warning Even if a policy returns 0, it should behave correctly in 1155 * the presence of an invocation of mpo_iokit_check_get_property, as that 1156 * call may happen as a result of another policy requesting a transition. 1157 * 1158 * @return Non-zero if a transition is required, 0 otherwise. 1159 */ 1160 typedef int mpo_iokit_check_filter_properties_t( 1161 kauth_cred_t cred, 1162 io_object_t entry 1163 ); 1164 /** 1165 * @brief Access control check for getting I/O Kit device properties 1166 * @param cred Subject credential 1167 * @param entry Target device 1168 * @param name Property name 1169 * 1170 * Determine whether the subject identified by the credential can get 1171 * properties on an I/O Kit device. 1172 * 1173 * @return Return 0 if access is granted, or an appropriate value for 1174 * errno. 1175 */ 1176 typedef int mpo_iokit_check_get_property_t( 1177 kauth_cred_t cred, 1178 io_object_t entry, 1179 const char *name 1180 ); 1181 /** 1182 * @brief Access control check for software HID control 1183 * @param cred Subject credential 1184 * 1185 * Determine whether the subject identified by the credential can 1186 * control the HID (Human Interface Device) subsystem, such as to 1187 * post synthetic keypresses, pointer movement and clicks. 1188 * 1189 * @return Return 0 if access is granted, or an appropriate value for 1190 * errno. 1191 */ 1192 typedef int mpo_iokit_check_hid_control_t( 1193 kauth_cred_t cred 1194 ); 1195 /** 1196 * @brief Access control check for fsctl 1197 * @param cred Subject credential 1198 * @param mp The mount point 1199 * @param label Label associated with the mount point 1200 * @param cmd Filesystem-dependent request code; see fsctl(2) 1201 * 1202 * Determine whether the subject identified by the credential can perform 1203 * the volume operation indicated by com. 1204 * 1205 * @warning The fsctl() system call is directly analogous to ioctl(); since 1206 * the associated data is opaque from the standpoint of the MAC framework 1207 * and since these operations can affect many aspects of system operation, 1208 * policies must exercise extreme care when implementing access control checks. 1209 * 1210 * @return Return 0 if access is granted, otherwise an appropriate value for 1211 * errno should be returned. 1212 */ 1213 typedef int mpo_mount_check_fsctl_t( 1214 kauth_cred_t cred, 1215 struct mount *mp, 1216 struct label *label, 1217 unsigned long cmd 1218 ); 1219 /** 1220 * @brief Access control check for the retrieval of file system attributes 1221 * @param cred Subject credential 1222 * @param mp The mount structure of the file system 1223 * @param vfa The attributes requested 1224 * 1225 * This entry point determines whether given subject can get information 1226 * about the given file system. This check happens during statfs() syscalls, 1227 * but is also used by other parts within the kernel such as the audit system. 1228 * 1229 * @return Return 0 if access is granted, otherwise an appropriate value for 1230 * errno should be returned. 1231 * 1232 * @note Policies may change the contents of vfa to alter the list of 1233 * file system attributes returned. 1234 */ 1235 1236 typedef int mpo_mount_check_getattr_t( 1237 kauth_cred_t cred, 1238 struct mount *mp, 1239 struct label *mp_label, 1240 struct vfs_attr *vfa 1241 ); 1242 /** 1243 * @brief Access control check for mount point relabeling 1244 * @param cred Subject credential 1245 * @param mp Object file system mount point 1246 * @param mntlabel Policy label for fle system mount point 1247 * 1248 * Determine whether the subject identified by the credential can relabel 1249 * the mount point. This call is made when a file system mount is updated. 1250 * 1251 * @return Return 0 if access is granted, otherwise an appropriate value for 1252 * errno should be returned. Suggested failure: EACCES for label mismatch 1253 * or EPERM for lack of privilege. 1254 */ 1255 typedef int mpo_mount_check_label_update_t( 1256 kauth_cred_t cred, 1257 struct mount *mp, 1258 struct label *mntlabel 1259 ); 1260 /** 1261 * @brief Access control check for mounting a file system 1262 * @param cred Subject credential 1263 * @param vp Vnode that is to be the mount point 1264 * @param vlabel Label associated with the vnode 1265 * @param cnp Component name for vp 1266 * @param vfc_name Filesystem type name 1267 * 1268 * Determine whether the subject identified by the credential can perform 1269 * the mount operation on the target vnode. 1270 * 1271 * @return Return 0 if access is granted, otherwise an appropriate value for 1272 * errno should be returned. 1273 */ 1274 typedef int mpo_mount_check_mount_t( 1275 kauth_cred_t cred, 1276 struct vnode *vp, 1277 struct label *vlabel, 1278 struct componentname *cnp, 1279 const char *vfc_name 1280 ); 1281 /** 1282 * @brief Access control check for mounting a file system (late) 1283 * @param cred Subject credential 1284 * @param mp Mount point 1285 * 1286 * Similar to mpo_mount_check_mount, but occurs after VFS_MOUNT has been 1287 * called, making it possible to access mnt_vfsstat.f_mntfromname and other 1288 * fields. 1289 * 1290 * @return Return 0 if access is granted, otherwise an appropriate value for 1291 * errno should be returned. 1292 */ 1293 typedef int mpo_mount_check_mount_late_t( 1294 kauth_cred_t cred, 1295 struct mount *mp 1296 ); 1297 1298 /** 1299 * @brief Access control check for quotactl 1300 * @param cred Subject credential 1301 * @param cmd The quotactl command and subcommand; see quotactl(2) 1302 * @param id The user or group ID on which cmd will operate 1303 * 1304 * Determine whether the subject identified by the credential can perform 1305 * the quotactl operation indicated by cmd. 1306 * 1307 * @return Return 0 if access is granted, otherwise an appropriate value for 1308 * errno should be returned. 1309 */ 1310 typedef int mpo_mount_check_quotactl_t( 1311 kauth_cred_t cred, 1312 struct mount *mp, 1313 int cmd, 1314 int id 1315 ); 1316 /** 1317 * @brief Access control check for fs_snapshot_create 1318 * @param cred Subject credential 1319 * @mp Filesystem mount point to create snapshot of 1320 * @name Name of snapshot to create 1321 * 1322 * Determine whether the subject identified by the credential can 1323 * create a snapshot of the filesystem at the given mount point. 1324 * 1325 * @return Return 0 if access is granted, otherwise an appropriate value 1326 * for errno should be returned. 1327 */ 1328 typedef int mpo_mount_check_snapshot_create_t( 1329 kauth_cred_t cred, 1330 struct mount *mp, 1331 const char *name 1332 ); 1333 /** 1334 * @brief Access control check for fs_snapshot_delete 1335 * @param cred Subject credential 1336 * @mp Filesystem mount point to delete snapshot of 1337 * @name Name of snapshot to delete 1338 * 1339 * Determine whether the subject identified by the credential can 1340 * delete the named snapshot from the filesystem at the given 1341 * mount point. 1342 * 1343 * @return Return 0 if access is granted, otherwise an appropriate value 1344 * for errno should be returned. 1345 */ 1346 typedef int mpo_mount_check_snapshot_delete_t( 1347 kauth_cred_t cred, 1348 struct mount *mp, 1349 const char *name 1350 ); 1351 /** 1352 * @brief Access control check for fs_snapshot_mount 1353 * @param cred Subject credential 1354 * @param rvp Vnode of either the root directory of the 1355 * filesystem to mount snapshot of, or the device from 1356 * which to mount the snapshot. 1357 * @param vp Vnode that is to be the mount point 1358 * @param cnp Component name for vp 1359 * @param name Name of snapshot to mount 1360 * @param vfc_name Filesystem type name 1361 * 1362 * Determine whether the subject identified by the credential can 1363 * mount the named snapshot from the filesystem at the given 1364 * directory. 1365 * 1366 * @return Return 0 if access is granted, otherwise an appropriate value 1367 * for errno should be returned. 1368 */ 1369 typedef int mpo_mount_check_snapshot_mount_t( 1370 kauth_cred_t cred, 1371 struct vnode *rvp, 1372 struct vnode *vp, 1373 struct componentname *cnp, 1374 const char *name, 1375 const char *vfc_name 1376 ); 1377 /** 1378 * @brief Access control check for fs_snapshot_revert 1379 * @param cred Subject credential 1380 * @mp Filesystem mount point to revert to snapshot 1381 * @name Name of snapshot to revert to 1382 * 1383 * Determine whether the subject identified by the credential can 1384 * revert the filesystem at the given mount point to the named snapshot. 1385 * 1386 * @return Return 0 if access is granted, otherwise an appropriate value 1387 * for errno should be returned. 1388 */ 1389 typedef int mpo_mount_check_snapshot_revert_t( 1390 kauth_cred_t cred, 1391 struct mount *mp, 1392 const char *name 1393 ); 1394 /** 1395 * @brief Access control check remounting a filesystem 1396 * @param cred Subject credential 1397 * @param mp The mount point 1398 * @param mlabel Label currently associated with the mount point 1399 * 1400 * Determine whether the subject identified by the credential can perform 1401 * the remount operation on the target vnode. 1402 * 1403 * @return Return 0 if access is granted, otherwise an appropriate value for 1404 * errno should be returned. 1405 */ 1406 typedef int mpo_mount_check_remount_t( 1407 kauth_cred_t cred, 1408 struct mount *mp, 1409 struct label *mlabel 1410 ); 1411 /** 1412 * @brief Access control check for the settting of file system attributes 1413 * @param cred Subject credential 1414 * @param mp The mount structure of the file system 1415 * @param vfa The attributes requested 1416 * 1417 * This entry point determines whether given subject can set information 1418 * about the given file system, for example the volume name. 1419 * 1420 * @return Return 0 if access is granted, otherwise an appropriate value for 1421 * errno should be returned. 1422 */ 1423 1424 typedef int mpo_mount_check_setattr_t( 1425 kauth_cred_t cred, 1426 struct mount *mp, 1427 struct label *mp_label, 1428 struct vfs_attr *vfa 1429 ); 1430 /** 1431 * @brief Access control check for file system statistics 1432 * @param cred Subject credential 1433 * @param mp Object file system mount 1434 * @param mntlabel Policy label for mp 1435 * 1436 * Determine whether the subject identified by the credential can see 1437 * the results of a statfs performed on the file system. This call may 1438 * be made in a number of situations, including during invocations of 1439 * statfs(2) and related calls, as well as to determine what file systems 1440 * to exclude from listings of file systems, such as when getfsstat(2) 1441 * is invoked. 1442 * 1443 * @return Return 0 if access is granted, otherwise an appropriate value for 1444 * errno should be returned. Suggested failure: EACCES for label mismatch 1445 * or EPERM for lack of privilege. 1446 */ 1447 typedef int mpo_mount_check_stat_t( 1448 kauth_cred_t cred, 1449 struct mount *mp, 1450 struct label *mntlabel 1451 ); 1452 /** 1453 * @brief Access control check for unmounting a filesystem 1454 * @param cred Subject credential 1455 * @param mp The mount point 1456 * @param mlabel Label associated with the mount point 1457 * 1458 * Determine whether the subject identified by the credential can perform 1459 * the unmount operation on the target vnode. 1460 * 1461 * @return Return 0 if access is granted, otherwise an appropriate value for 1462 * errno should be returned. 1463 */ 1464 typedef int mpo_mount_check_umount_t( 1465 kauth_cred_t cred, 1466 struct mount *mp, 1467 struct label *mlabel 1468 ); 1469 /** 1470 * @brief Create mount labels 1471 * @param cred Subject credential 1472 * @param mp Mount point of file system being mounted 1473 * @param mntlabel Label to associate with the new mount point 1474 * @see mpo_mount_label_init_t 1475 * 1476 * Fill out the labels on the mount point being created by the supplied 1477 * user credential. This call is made when file systems are first mounted. 1478 */ 1479 typedef void mpo_mount_label_associate_t( 1480 kauth_cred_t cred, 1481 struct mount *mp, 1482 struct label *mntlabel 1483 ); 1484 /** 1485 * @brief Destroy mount label 1486 * @param label The label to be destroyed 1487 * 1488 * Destroy a file system mount label. Since the 1489 * object is going out of scope, policy modules should free any 1490 * internal storage associated with the label so that it may be 1491 * destroyed. 1492 */ 1493 typedef void mpo_mount_label_destroy_t( 1494 struct label *label 1495 ); 1496 /** 1497 * @brief Externalize a mount point label 1498 * @param label Label to be externalized 1499 * @param element_name Name of the label namespace for which labels should be 1500 * externalized 1501 * @param sb String buffer to be filled with a text representation of the label 1502 * 1503 * Produce an external representation of the mount point label. An 1504 * externalized label consists of a text representation of the label 1505 * contents that can be used with user applications. Policy-agnostic 1506 * user space tools will display this externalized version. 1507 * 1508 * The policy's externalize entry points will be called only if the 1509 * policy has registered interest in the label namespace. 1510 * 1511 * @return 0 on success, return non-zero if an error occurs while 1512 * externalizing the label data. 1513 * 1514 */ 1515 typedef int mpo_mount_label_externalize_t( 1516 struct label *label, 1517 char *element_name, 1518 struct sbuf *sb 1519 ); 1520 /** 1521 * @brief Initialize mount point label 1522 * @param label New label to initialize 1523 * 1524 * Initialize the label for a newly instantiated mount structure. 1525 * This label is typically used to store a default label in the case 1526 * that the file system has been mounted singlelabel. Since some 1527 * file systems do not support persistent labels (extended attributes) 1528 * or are read-only (such as CD-ROMs), it is often necessary to store 1529 * a default label separately from the label of the mount point 1530 * itself. Sleeping is permitted. 1531 */ 1532 typedef void mpo_mount_label_init_t( 1533 struct label *label 1534 ); 1535 /** 1536 * @brief Internalize a mount point label 1537 * @param label Label to be internalized 1538 * @param element_name Name of the label namespace for which the label should 1539 * be internalized 1540 * @param element_data Text data to be internalized 1541 * 1542 * Produce a mount point file system label from an external representation. 1543 * An externalized label consists of a text representation of the label 1544 * contents that can be used with user applications. Policy-agnostic 1545 * user space tools will forward text version to the kernel for 1546 * processing by individual policy modules. 1547 * 1548 * The policy's internalize entry points will be called only if the 1549 * policy has registered interest in the label namespace. 1550 * 1551 * @return 0 on success, Otherwise, return non-zero if an error occurs 1552 * while internalizing the label data. 1553 * 1554 */ 1555 typedef int mpo_mount_label_internalize_t( 1556 struct label *label, 1557 char *element_name, 1558 char *element_data 1559 ); 1560 /** 1561 * @brief Access control check for opening an NECP file descriptor 1562 * @param cred Subject credential 1563 * @param flags Open flags 1564 * 1565 * Determine whether the subject identified by the credential can open 1566 * an NECP file descriptor. 1567 * 1568 * @return Return 0 if access is granted, otherwise an appropriate value for 1569 * errno should be returned. 1570 * 1571 */ 1572 typedef int mpo_necp_check_open_t( 1573 kauth_cred_t cred, 1574 int flags 1575 ); 1576 /** 1577 * @brief Access control check for necp_client_action(2) 1578 * @param cred Subject credential 1579 * @param fg NECP fileglob 1580 * @param action NECP client action 1581 * 1582 * Determine whether the subject identified by the credential can open 1583 * an NECP socket. 1584 * 1585 * @return Return 0 if access is granted, otherwise an appropriate value for 1586 * errno should be returned. 1587 * 1588 */ 1589 typedef int mpo_necp_check_client_action_t( 1590 kauth_cred_t cred, 1591 struct fileglob *fg, 1592 uint32_t action 1593 ); 1594 /** 1595 * @brief Access control check for pipe ioctl 1596 * @param cred Subject credential 1597 * @param cpipe Object to be accessed 1598 * @param pipelabel The label on the pipe 1599 * @param cmd The ioctl command; see ioctl(2) 1600 * 1601 * Determine whether the subject identified by the credential can perform 1602 * the ioctl operation indicated by cmd. 1603 * 1604 * @warning Since ioctl data is opaque from the standpoint of the MAC 1605 * framework, policies must exercise extreme care when implementing 1606 * access control checks. 1607 * 1608 * @return Return 0 if access is granted, otherwise an appropriate value for 1609 * errno should be returned. 1610 * 1611 */ 1612 typedef int mpo_pipe_check_ioctl_t( 1613 kauth_cred_t cred, 1614 struct pipe *cpipe, 1615 struct label *pipelabel, 1616 unsigned long cmd 1617 ); 1618 /** 1619 * @brief Access control check for pipe kqfilter 1620 * @param cred Subject credential 1621 * @param kn Object knote 1622 * @param cpipe Object to be accessed 1623 * @param pipelabel Policy label for the pipe 1624 * 1625 * Determine whether the subject identified by the credential can 1626 * receive the knote on the passed pipe. 1627 * 1628 * @return Return 0 if access if granted, otherwise an appropriate 1629 * value for errno should be returned. 1630 */ 1631 typedef int mpo_pipe_check_kqfilter_t( 1632 kauth_cred_t cred, 1633 struct knote *kn, 1634 struct pipe *cpipe, 1635 struct label *pipelabel 1636 ); 1637 /** 1638 * @brief Access control check for pipe read 1639 * @param cred Subject credential 1640 * @param cpipe Object to be accessed 1641 * @param pipelabel The label on the pipe 1642 * 1643 * Determine whether the subject identified by the credential can 1644 * perform a read operation on the passed pipe. The cred object holds 1645 * the credentials of the subject performing the operation. 1646 * 1647 * @return Return 0 if access is granted, otherwise an appropriate value for 1648 * errno should be returned. 1649 * 1650 */ 1651 typedef int mpo_pipe_check_read_t( 1652 kauth_cred_t cred, 1653 struct pipe *cpipe, 1654 struct label *pipelabel 1655 ); 1656 /** 1657 * @brief Access control check for pipe select 1658 * @param cred Subject credential 1659 * @param cpipe Object to be accessed 1660 * @param pipelabel The label on the pipe 1661 * @param which The operation selected on: FREAD or FWRITE 1662 * 1663 * Determine whether the subject identified by the credential can 1664 * perform a select operation on the passed pipe. The cred object holds 1665 * the credentials of the subject performing the operation. 1666 * 1667 * @return Return 0 if access is granted, otherwise an appropriate value for 1668 * errno should be returned. 1669 * 1670 */ 1671 typedef int mpo_pipe_check_select_t( 1672 kauth_cred_t cred, 1673 struct pipe *cpipe, 1674 struct label *pipelabel, 1675 int which 1676 ); 1677 /** 1678 * @brief Access control check for pipe stat 1679 * @param cred Subject credential 1680 * @param cpipe Object to be accessed 1681 * @param pipelabel The label on the pipe 1682 * 1683 * Determine whether the subject identified by the credential can 1684 * perform a stat operation on the passed pipe. The cred object holds 1685 * the credentials of the subject performing the operation. 1686 * 1687 * @return Return 0 if access is granted, otherwise an appropriate value for 1688 * errno should be returned. 1689 * 1690 */ 1691 typedef int mpo_pipe_check_stat_t( 1692 kauth_cred_t cred, 1693 struct pipe *cpipe, 1694 struct label *pipelabel 1695 ); 1696 /** 1697 * @brief Access control check for pipe write 1698 * @param cred Subject credential 1699 * @param cpipe Object to be accessed 1700 * @param pipelabel The label on the pipe 1701 * 1702 * Determine whether the subject identified by the credential can 1703 * perform a write operation on the passed pipe. The cred object holds 1704 * the credentials of the subject performing the operation. 1705 * 1706 * @return Return 0 if access is granted, otherwise an appropriate value for 1707 * errno should be returned. 1708 * 1709 */ 1710 typedef int mpo_pipe_check_write_t( 1711 kauth_cred_t cred, 1712 struct pipe *cpipe, 1713 struct label *pipelabel 1714 ); 1715 /** 1716 * @brief Create a pipe label 1717 * @param cred Subject credential 1718 * @param cpipe object to be labeled 1719 * @param pipelabel Label for the pipe object 1720 * 1721 * Create a label for the pipe object being created by the supplied 1722 * user credential. This call is made when a pipe pair is being created. 1723 * The label is shared by both ends of the pipe. 1724 */ 1725 typedef void mpo_pipe_label_associate_t( 1726 kauth_cred_t cred, 1727 struct pipe *cpipe, 1728 struct label *pipelabel 1729 ); 1730 /** 1731 * @brief Destroy pipe label 1732 * @param label The label to be destroyed 1733 * 1734 * Destroy a pipe label. Since the object is going out of scope, 1735 * policy modules should free any internal storage associated with the 1736 * label so that it may be destroyed. 1737 */ 1738 typedef void mpo_pipe_label_destroy_t( 1739 struct label *label 1740 ); 1741 /** 1742 * @brief Initialize pipe label 1743 * @param label New label to initialize 1744 * 1745 * Initialize label storage for use with a newly instantiated pipe object. 1746 * Sleeping is permitted. 1747 */ 1748 typedef void mpo_pipe_label_init_t( 1749 struct label *label 1750 ); 1751 /** 1752 * @brief Policy unload event 1753 * @param mpc MAC policy configuration 1754 * 1755 * This is the MAC Framework policy unload event. This entry point will 1756 * only be called if the module's policy configuration allows unload (if 1757 * the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't 1758 * want to be unloaded; they should set their flags to prevent this 1759 * entry point from being called. 1760 * 1761 * @warning During this call, the mac policy list mutex is held, so 1762 * sleep operations cannot be performed, and calls out to other kernel 1763 * subsystems must be made with caution. 1764 * 1765 * @see MPC_LOADTIME_FLAG_UNLOADOK 1766 */ 1767 typedef void mpo_policy_destroy_t( 1768 struct mac_policy_conf *mpc 1769 ); 1770 /** 1771 * @brief Policy initialization event 1772 * @param mpc MAC policy configuration 1773 * @see mac_policy_register 1774 * @see mpo_policy_initbsd_t 1775 * 1776 * This is the MAC Framework policy initialization event. This entry 1777 * point is called during mac_policy_register, when the policy module 1778 * is first registered with the MAC Framework. This is often done very 1779 * early in the boot process, after the kernel Mach subsystem has been 1780 * initialized, but prior to the BSD subsystem being initialized. 1781 * Since the kernel BSD services are not yet available, it is possible 1782 * that some initialization must occur later, possibly in the 1783 * mpo_policy_initbsd_t policy entry point, such as registering BSD system 1784 * controls (sysctls). Policy modules loaded at boot time will be 1785 * registered and initialized before labeled Mach objects are created. 1786 * 1787 * @warning During this call, the mac policy list mutex is held, so 1788 * sleep operations cannot be performed, and calls out to other kernel 1789 * subsystems must be made with caution. 1790 */ 1791 typedef void mpo_policy_init_t( 1792 struct mac_policy_conf *mpc 1793 ); 1794 /** 1795 * @brief Policy BSD initialization event 1796 * @param mpc MAC policy configuration 1797 * @see mpo_policy_init_t 1798 * 1799 * This entry point is called after the kernel BSD subsystem has been 1800 * initialized. By this point, the module should already be loaded, 1801 * registered, and initialized. Since policy modules are initialized 1802 * before kernel BSD services are available, this second initialization 1803 * phase is necessary. At this point, BSD services (memory management, 1804 * synchronization primitives, vfs, etc.) are available, but the first 1805 * process has not yet been created. Mach-related objects and tasks 1806 * will already be fully initialized and may be in use--policies requiring 1807 * ubiquitous labeling may also want to implement mpo_policy_init_t. 1808 * 1809 * @warning During this call, the mac policy list mutex is held, so 1810 * sleep operations cannot be performed, and calls out to other kernel 1811 * subsystems must be made with caution. 1812 */ 1813 typedef void mpo_policy_initbsd_t( 1814 struct mac_policy_conf *mpc 1815 ); 1816 /** 1817 * @brief Policy extension service 1818 * @param p Calling process 1819 * @param call Policy-specific syscall number 1820 * @param arg Pointer to syscall arguments 1821 * 1822 * This entry point provides a policy-multiplexed system call so that 1823 * policies may provide additional services to user processes without 1824 * registering specific system calls. The policy name provided during 1825 * registration is used to demux calls from userland, and the arguments 1826 * will be forwarded to this entry point. When implementing new 1827 * services, security modules should be sure to invoke appropriate 1828 * access control checks from the MAC framework as needed. For 1829 * example, if a policy implements an augmented signal functionality, 1830 * it should call the necessary signal access control checks to invoke 1831 * the MAC framework and other registered policies. 1832 * 1833 * @warning Since the format and contents of the policy-specific 1834 * arguments are unknown to the MAC Framework, modules must perform the 1835 * required copyin() of the syscall data on their own. No policy 1836 * mediation is performed, so policies must perform any necessary 1837 * access control checks themselves. If multiple policies are loaded, 1838 * they will currently be unable to mediate calls to other policies. 1839 * 1840 * @return In the event of an error, an appropriate value for errno 1841 * should be returned, otherwise return 0 upon success. 1842 */ 1843 typedef int mpo_policy_syscall_t( 1844 struct proc *p, 1845 int call, 1846 user_addr_t arg 1847 ); 1848 /** 1849 * @brief Access control check for POSIX semaphore create 1850 * @param cred Subject credential 1851 * @param name String name of the semaphore 1852 * 1853 * Determine whether the subject identified by the credential can create 1854 * a POSIX semaphore specified by name. 1855 * 1856 * @return Return 0 if access is granted, otherwise an appropriate value for 1857 * errno should be returned. 1858 */ 1859 typedef int mpo_posixsem_check_create_t( 1860 kauth_cred_t cred, 1861 const char *name 1862 ); 1863 /** 1864 * @brief Access control check for POSIX semaphore open 1865 * @param cred Subject credential 1866 * @param ps Pointer to semaphore information structure 1867 * @param semlabel Label associated with the semaphore 1868 * 1869 * Determine whether the subject identified by the credential can open 1870 * the named POSIX semaphore with label semlabel. 1871 * 1872 * @return Return 0 if access is granted, otherwise an appropriate value for 1873 * errno should be returned. 1874 */ 1875 typedef int mpo_posixsem_check_open_t( 1876 kauth_cred_t cred, 1877 struct pseminfo *ps, 1878 struct label *semlabel 1879 ); 1880 /** 1881 * @brief Access control check for POSIX semaphore post 1882 * @param cred Subject credential 1883 * @param ps Pointer to semaphore information structure 1884 * @param semlabel Label associated with the semaphore 1885 * 1886 * Determine whether the subject identified by the credential can unlock 1887 * the named POSIX semaphore with label semlabel. 1888 * 1889 * @return Return 0 if access is granted, otherwise an appropriate value for 1890 * errno should be returned. 1891 */ 1892 typedef int mpo_posixsem_check_post_t( 1893 kauth_cred_t cred, 1894 struct pseminfo *ps, 1895 struct label *semlabel 1896 ); 1897 /** 1898 * @brief Access control check for POSIX semaphore unlink 1899 * @param cred Subject credential 1900 * @param ps Pointer to semaphore information structure 1901 * @param semlabel Label associated with the semaphore 1902 * @param name String name of the semaphore 1903 * 1904 * Determine whether the subject identified by the credential can remove 1905 * the named POSIX semaphore with label semlabel. 1906 * 1907 * @return Return 0 if access is granted, otherwise an appropriate value for 1908 * errno should be returned. 1909 */ 1910 typedef int mpo_posixsem_check_unlink_t( 1911 kauth_cred_t cred, 1912 struct pseminfo *ps, 1913 struct label *semlabel, 1914 const char *name 1915 ); 1916 /** 1917 * @brief Access control check for POSIX semaphore wait 1918 * @param cred Subject credential 1919 * @param ps Pointer to semaphore information structure 1920 * @param semlabel Label associated with the semaphore 1921 * 1922 * Determine whether the subject identified by the credential can lock 1923 * the named POSIX semaphore with label semlabel. 1924 * 1925 * @return Return 0 if access is granted, otherwise an appropriate value for 1926 * errno should be returned. 1927 */ 1928 typedef int mpo_posixsem_check_wait_t( 1929 kauth_cred_t cred, 1930 struct pseminfo *ps, 1931 struct label *semlabel 1932 ); 1933 /** 1934 * @brief Create a POSIX semaphore label 1935 * @param cred Subject credential 1936 * @param ps Pointer to semaphore information structure 1937 * @param semlabel Label to associate with the new semaphore 1938 * @param name String name of the semaphore 1939 * 1940 * Label a new POSIX semaphore. The label was previously 1941 * initialized and associated with the semaphore. At this time, an 1942 * appropriate initial label value should be assigned to the object and 1943 * stored in semalabel. 1944 */ 1945 typedef void mpo_posixsem_label_associate_t( 1946 kauth_cred_t cred, 1947 struct pseminfo *ps, 1948 struct label *semlabel, 1949 const char *name 1950 ); 1951 /** 1952 * @brief Destroy POSIX semaphore label 1953 * @param label The label to be destroyed 1954 * 1955 * Destroy a POSIX semaphore label. Since the object is 1956 * going out of scope, policy modules should free any internal storage 1957 * associated with the label so that it may be destroyed. 1958 */ 1959 typedef void mpo_posixsem_label_destroy_t( 1960 struct label *label 1961 ); 1962 /** 1963 * @brief Initialize POSIX semaphore label 1964 * @param label New label to initialize 1965 * 1966 * Initialize the label for a newly instantiated POSIX semaphore. Sleeping 1967 * is permitted. 1968 */ 1969 typedef void mpo_posixsem_label_init_t( 1970 struct label *label 1971 ); 1972 /** 1973 * @brief Access control check for POSIX shared memory region create 1974 * @param cred Subject credential 1975 * @param name String name of the shared memory region 1976 * 1977 * Determine whether the subject identified by the credential can create 1978 * the POSIX shared memory region referenced by name. 1979 * 1980 * @return Return 0 if access is granted, otherwise an appropriate value for 1981 * errno should be returned. 1982 */ 1983 typedef int mpo_posixshm_check_create_t( 1984 kauth_cred_t cred, 1985 const char *name 1986 ); 1987 /** 1988 * @brief Access control check for mapping POSIX shared memory 1989 * @param cred Subject credential 1990 * @param ps Pointer to shared memory information structure 1991 * @param shmlabel Label associated with the shared memory region 1992 * @param prot mmap protections; see mmap(2) 1993 * @param flags shmat flags; see shmat(2) 1994 * 1995 * Determine whether the subject identified by the credential can map 1996 * the POSIX shared memory segment associated with shmlabel. 1997 * 1998 * @return Return 0 if access is granted, otherwise an appropriate value for 1999 * errno should be returned. 2000 */ 2001 typedef int mpo_posixshm_check_mmap_t( 2002 kauth_cred_t cred, 2003 struct pshminfo *ps, 2004 struct label *shmlabel, 2005 int prot, 2006 int flags 2007 ); 2008 /** 2009 * @brief Access control check for POSIX shared memory region open 2010 * @param cred Subject credential 2011 * @param ps Pointer to shared memory information structure 2012 * @param shmlabel Label associated with the shared memory region 2013 * @param fflags shm_open(2) open flags ('fflags' encoded) 2014 * 2015 * Determine whether the subject identified by the credential can open 2016 * the POSIX shared memory region. 2017 * 2018 * @return Return 0 if access is granted, otherwise an appropriate value for 2019 * errno should be returned. 2020 */ 2021 typedef int mpo_posixshm_check_open_t( 2022 kauth_cred_t cred, 2023 struct pshminfo *ps, 2024 struct label *shmlabel, 2025 int fflags 2026 ); 2027 /** 2028 * @brief Access control check for POSIX shared memory stat 2029 * @param cred Subject credential 2030 * @param ps Pointer to shared memory information structure 2031 * @param shmlabel Label associated with the shared memory region 2032 * 2033 * Determine whether the subject identified by the credential can obtain 2034 * status for the POSIX shared memory segment associated with shmlabel. 2035 * 2036 * @return Return 0 if access is granted, otherwise an appropriate value for 2037 * errno should be returned. 2038 */ 2039 typedef int mpo_posixshm_check_stat_t( 2040 kauth_cred_t cred, 2041 struct pshminfo *ps, 2042 struct label *shmlabel 2043 ); 2044 /** 2045 * @brief Access control check for POSIX shared memory truncate 2046 * @param cred Subject credential 2047 * @param ps Pointer to shared memory information structure 2048 * @param shmlabel Label associated with the shared memory region 2049 * @param len Length to truncate or extend shared memory segment 2050 * 2051 * Determine whether the subject identified by the credential can truncate 2052 * or extend (to len) the POSIX shared memory segment associated with shmlabel. 2053 * 2054 * @return Return 0 if access is granted, otherwise an appropriate value for 2055 * errno should be returned. 2056 */ 2057 typedef int mpo_posixshm_check_truncate_t( 2058 kauth_cred_t cred, 2059 struct pshminfo *ps, 2060 struct label *shmlabel, 2061 off_t len 2062 ); 2063 /** 2064 * @brief Access control check for POSIX shared memory unlink 2065 * @param cred Subject credential 2066 * @param ps Pointer to shared memory information structure 2067 * @param shmlabel Label associated with the shared memory region 2068 * @param name String name of the shared memory region 2069 * 2070 * Determine whether the subject identified by the credential can delete 2071 * the POSIX shared memory segment associated with shmlabel. 2072 * 2073 * @return Return 0 if access is granted, otherwise an appropriate value for 2074 * errno should be returned. 2075 */ 2076 typedef int mpo_posixshm_check_unlink_t( 2077 kauth_cred_t cred, 2078 struct pshminfo *ps, 2079 struct label *shmlabel, 2080 const char *name 2081 ); 2082 /** 2083 * @brief Create a POSIX shared memory region label 2084 * @param cred Subject credential 2085 * @param ps Pointer to shared memory information structure 2086 * @param shmlabel Label to associate with the new shared memory region 2087 * @param name String name of the shared memory region 2088 * 2089 * Label a new POSIX shared memory region. The label was previously 2090 * initialized and associated with the shared memory region. At this 2091 * time, an appropriate initial label value should be assigned to the 2092 * object and stored in shmlabel. 2093 */ 2094 typedef void mpo_posixshm_label_associate_t( 2095 kauth_cred_t cred, 2096 struct pshminfo *ps, 2097 struct label *shmlabel, 2098 const char *name 2099 ); 2100 /** 2101 * @brief Destroy POSIX shared memory label 2102 * @param label The label to be destroyed 2103 * 2104 * Destroy a POSIX shared memory region label. Since the 2105 * object is going out of scope, policy modules should free any 2106 * internal storage associated with the label so that it may be 2107 * destroyed. 2108 */ 2109 typedef void mpo_posixshm_label_destroy_t( 2110 struct label *label 2111 ); 2112 /** 2113 * @brief Initialize POSIX Shared Memory region label 2114 * @param label New label to initialize 2115 * 2116 * Initialize the label for newly a instantiated POSIX Shared Memory 2117 * region. Sleeping is permitted. 2118 */ 2119 typedef void mpo_posixshm_label_init_t( 2120 struct label *label 2121 ); 2122 /** 2123 * @brief Access control check for privileged operations 2124 * @param cred Subject credential 2125 * @param priv Requested privilege (see sys/priv.h) 2126 * 2127 * Determine whether the subject identified by the credential can perform 2128 * a privileged operation. Privileged operations are allowed if the cred 2129 * is the superuser or any policy returns zero for mpo_priv_grant, unless 2130 * any policy returns nonzero for mpo_priv_check. 2131 * 2132 * @return Return 0 if access is granted, otherwise EPERM should be returned. 2133 */ 2134 typedef int mpo_priv_check_t( 2135 kauth_cred_t cred, 2136 int priv 2137 ); 2138 /** 2139 * @brief Grant regular users the ability to perform privileged operations 2140 * @param cred Subject credential 2141 * @param priv Requested privilege (see sys/priv.h) 2142 * 2143 * Determine whether the subject identified by the credential should be 2144 * allowed to perform a privileged operation that in the absense of any 2145 * MAC policy it would not be able to perform. Privileged operations are 2146 * allowed if the cred is the superuser or any policy returns zero for 2147 * mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check. 2148 * 2149 * Unlike other MAC hooks which can only reduce the privilege of a 2150 * credential, this hook raises the privilege of a credential when it 2151 * returns 0. Extreme care must be taken when implementing this hook to 2152 * avoid undermining the security of the system. 2153 * 2154 * @return Return 0 if additional privilege is granted, otherwise EPERM 2155 * should be returned. 2156 */ 2157 typedef int mpo_priv_grant_t( 2158 kauth_cred_t cred, 2159 int priv 2160 ); 2161 /** 2162 * @brief Access control over process core dumps 2163 * @param proc Subject process 2164 * 2165 * Determine whether a core dump may be written to disk for the subject 2166 * identified. 2167 * 2168 * @return Return 0 if access is granted, otherwise an appropriate value for 2169 * errno should be returned. 2170 */ 2171 typedef int mpo_proc_check_dump_core_t( 2172 struct proc *proc 2173 ); 2174 /** 2175 * @brief Access control over remote thread creation 2176 * @param cred Subject credential 2177 * @param proc Object process 2178 * @param flavor Flavor of thread state passed in new_state, or -1 2179 * @param new_state Thread state to be set on the created thread, or NULL 2180 * @param new_state_count Size of thread state, in natural_t units, or 0 2181 * 2182 * Determine whether the subject can create a thread in the object process 2183 * by calling the thread_create or thread_create_running MIG routines on 2184 * another process' task port. For thread_create_running, the flavor, 2185 * new_state and new_state_count arguments are passed here before they are 2186 * converted and checked by machine-dependent code. 2187 * 2188 * @return Return 0 if access is granted, otherwise an appropriate value for 2189 * errno should be returned. 2190 */ 2191 typedef int mpo_proc_check_remote_thread_create_t( 2192 kauth_cred_t cred, 2193 struct proc *proc, 2194 int flavor, 2195 thread_state_t new_state, 2196 mach_msg_type_number_t new_state_count 2197 ); 2198 /** 2199 * @brief Access control check for debugging process 2200 * @param cred Subject credential 2201 * @param pident Object unique process identifier 2202 * 2203 * Determine whether the subject identified by the credential can debug 2204 * the passed process. This call may be made in a number of situations, 2205 * including use of the ptrace(2) and ktrace(2) APIs, as well as for some 2206 * types of procfs operations. 2207 * 2208 * @return Return 0 if access is granted, otherwise an appropriate value for 2209 * errno should be returned. Suggested failure: EACCES for label mismatch, 2210 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 2211 */ 2212 typedef int mpo_proc_check_debug_t( 2213 kauth_cred_t cred, 2214 struct proc_ident *pident 2215 ); 2216 /** 2217 * @brief Access control over fork 2218 * @param cred Subject credential 2219 * @param proc Subject process trying to fork 2220 * 2221 * Determine whether the subject identified is allowed to fork. 2222 * 2223 * @return Return 0 if access is granted, otherwise an appropriate value for 2224 * errno should be returned. 2225 */ 2226 typedef int mpo_proc_check_fork_t( 2227 kauth_cred_t cred, 2228 struct proc *proc 2229 ); 2230 /** 2231 * @brief Access control check for setting host special ports. 2232 * @param cred Subject credential 2233 * @param id The host special port to set 2234 * @param port The new value to set for the special port 2235 * 2236 * @return Return 0 if access is granted, otherwise an appropriate value for 2237 * errno should be returned. 2238 */ 2239 typedef int mpo_proc_check_set_host_special_port_t( 2240 kauth_cred_t cred, 2241 int id, 2242 struct ipc_port *port 2243 ); 2244 /** 2245 * @brief Access control check for setting host exception ports. 2246 * @param cred Subject credential 2247 * @param exception Exception port to set 2248 * 2249 * @return Return 0 if access is granted, otherwise an appropriate value for 2250 * errno should be returned. 2251 */ 2252 typedef int mpo_proc_check_set_host_exception_port_t( 2253 kauth_cred_t cred, 2254 unsigned int exception 2255 ); 2256 /** 2257 * @brief Access control check for getting task special ports. 2258 * @param cred Subject credential 2259 * @param pident Object unique process identifier, NULL if target is a corpse task 2260 * @param which The task special port to get 2261 * 2262 * @return Return 0 if access is granted, otherwise an appropriate value for 2263 * errno should be returned. 2264 */ 2265 typedef int mpo_proc_check_get_task_special_port_t( 2266 kauth_cred_t cred, 2267 struct proc_ident *pident, 2268 int which 2269 ); 2270 /** 2271 * @brief Access control check for setting task special ports. 2272 * @param cred Subject credential 2273 * @param pident Object unique process identifier 2274 * @param which The task special port to set 2275 * @param port The new value to set for the special port 2276 * 2277 * @return Return 0 if access is granted, otherwise an appropriate value for 2278 * errno should be returned. 2279 */ 2280 typedef int mpo_proc_check_set_task_special_port_t( 2281 kauth_cred_t cred, 2282 struct proc_ident *pident, 2283 int which, 2284 struct ipc_port *port 2285 ); 2286 /** 2287 * @brief Access control check for getting movable task/thread control port for current task. 2288 * @param cred Subject credential 2289 * 2290 * @return Return 0 if access is granted, otherwise an appropriate value for 2291 * errno should be returned. 2292 */ 2293 typedef int mpo_proc_check_get_movable_control_port_t( 2294 kauth_cred_t cred 2295 ); 2296 /** 2297 * @brief Access control check for calling task_dyld_process_info_notify_register 2298 * and task_dyld_process_info_notify_deregister. 2299 * @param cred Subject credential 2300 * 2301 * @return Return 0 if access is granted, otherwise an appropriate value for 2302 * errno should be returned. 2303 */ 2304 typedef int mpo_proc_check_dyld_process_info_notify_register_t( 2305 kauth_cred_t cred 2306 ); 2307 /** 2308 * @brief Access control over pid_suspend, pid_resume and family 2309 * @param cred Subject credential 2310 * @param proc Object process 2311 * @param sr Type of call; one of MAC_PROC_CHECK_SUSPEND, 2312 * MAC_PROC_CHECK_RESUME, MAC_PROC_CHECK_HIBERNATE, 2313 * MAC_PROC_CHECK_SHUTDOWN_SOCKETS or MAC_PROC_CHECK_PIDBIND. 2314 * 2315 * Determine whether the subject identified is allowed to call pid_suspend, 2316 * pid_resume, pid_hibernate, pid_shutdown_sockets, 2317 * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_DEVSTATUS) or 2318 * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_PIDBIND) on 2319 * the object process. 2320 * 2321 * @return Return 0 if access is granted, otherwise an appropriate value for 2322 * errno should be returned. 2323 */ 2324 typedef int mpo_proc_check_suspend_resume_t( 2325 kauth_cred_t cred, 2326 struct proc *proc, 2327 int sr 2328 ); 2329 /** 2330 * @brief Access control check for retrieving audit information 2331 * @param cred Subject credential 2332 * 2333 * Determine whether the subject identified by the credential can get 2334 * audit information such as the audit user ID, the preselection mask, 2335 * the terminal ID and the audit session ID, using the getaudit() system call. 2336 * 2337 * @return Return 0 if access is granted, otherwise an appropriate value for 2338 * errno should be returned. 2339 */ 2340 typedef int mpo_proc_check_getaudit_t( 2341 kauth_cred_t cred 2342 ); 2343 /** 2344 * @brief Access control check for retrieving audit user ID 2345 * @param cred Subject credential 2346 * 2347 * Determine whether the subject identified by the credential can get 2348 * the user identity being used by the auditing system, using the getauid() 2349 * system call. 2350 * 2351 * @return Return 0 if access is granted, otherwise an appropriate value for 2352 * errno should be returned. 2353 */ 2354 typedef int mpo_proc_check_getauid_t( 2355 kauth_cred_t cred 2356 ); 2357 /** 2358 * @brief Access control check for retrieving ledger information 2359 * @param cred Subject credential 2360 * @param target Object process 2361 * @param op ledger operation 2362 * 2363 * Determine if ledger(2) system call is permitted. 2364 * 2365 * Information returned by this system call is similar to that returned via 2366 * process listings etc. 2367 * 2368 * @return Return 0 if access is granted, otherwise an appropriate value for 2369 * errno should be returned. 2370 */ 2371 typedef int mpo_proc_check_ledger_t( 2372 kauth_cred_t cred, 2373 struct proc *target, 2374 int op 2375 ); 2376 /** 2377 * @brief Access control check for retrieving process information. 2378 * @param cred Subject credential 2379 * @param target Target process (may be null, may be zombie) 2380 * 2381 * Determine if a credential has permission to access process information as defined 2382 * by call number and flavor on target process 2383 * 2384 * @return Return 0 if access is granted, otherwise an appropriate value for 2385 * errno should be returned. 2386 */ 2387 typedef int mpo_proc_check_proc_info_t( 2388 kauth_cred_t cred, 2389 struct proc *target, 2390 int callnum, 2391 int flavor 2392 ); 2393 /** 2394 * @brief Access control check for retrieving code signing information. 2395 * @param cred Subject credential 2396 * @param target Target process 2397 * @param op Code signing operation being performed 2398 * 2399 * Determine whether the subject identified by the credential should be 2400 * allowed to get code signing information about the target process. 2401 * 2402 * @return Return 0 if access is granted, otherwise an appropriate value for 2403 * errno should be returned. 2404 */ 2405 typedef int mpo_proc_check_get_cs_info_t( 2406 kauth_cred_t cred, 2407 struct proc *target, 2408 unsigned int op 2409 ); 2410 /** 2411 * @brief Access control check for setting code signing information. 2412 * @param cred Subject credential 2413 * @param target Target process 2414 * @param op Code signing operation being performed. 2415 * 2416 * Determine whether the subject identified by the credential should be 2417 * allowed to set code signing information about the target process. 2418 * 2419 * @return Return 0 if permission is granted, otherwise an appropriate 2420 * value of errno should be returned. 2421 */ 2422 typedef int mpo_proc_check_set_cs_info_t( 2423 kauth_cred_t cred, 2424 struct proc *target, 2425 unsigned int op 2426 ); 2427 /** 2428 * @brief Access control check for mmap MAP_ANON 2429 * @param proc User process requesting the memory 2430 * @param cred Subject credential 2431 * @param u_addr Start address of the memory range 2432 * @param u_size Length address of the memory range 2433 * @param prot mmap protections; see mmap(2) 2434 * @param flags Type of mapped object; see mmap(2) 2435 * @param maxprot Maximum rights 2436 * 2437 * Determine whether the subject identified by the credential should be 2438 * allowed to obtain anonymous memory using the specified flags and 2439 * protections on the new mapping. MAP_ANON will always be present in the 2440 * flags. Certain combinations of flags with a non-NULL addr may 2441 * cause a mapping to be rejected before this hook is called. The maxprot field 2442 * holds the maximum permissions on the new mapping, a combination of 2443 * VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior 2444 * access control checks, a policy should only remove flags from maxprot. 2445 * 2446 * @return Return 0 if access is granted, otherwise an appropriate value for 2447 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2448 */ 2449 typedef int mpo_proc_check_map_anon_t( 2450 struct proc *proc, 2451 kauth_cred_t cred, 2452 user_addr_t u_addr, 2453 user_size_t u_size, 2454 int prot, 2455 int flags, 2456 int *maxprot 2457 ); 2458 /** 2459 * @brief Access control check for memorystatus_control(2) 2460 * @param cred Subject credential 2461 * @param command Memory status control command 2462 * @param pid Target process id, or 0 2463 * 2464 * Determine whether the subject identified by the credential should 2465 * be allowed to issue the specified memorystatus control command. 2466 * 2467 * @return Return 0 if access is granted, otherwise an appropriate value for 2468 * errno should be returned. 2469 */ 2470 typedef int mpo_proc_check_memorystatus_control_t( 2471 kauth_cred_t cred, 2472 int32_t command, 2473 pid_t pid 2474 ); 2475 /** 2476 * @brief Access control check for setting memory protections 2477 * @param cred Subject credential 2478 * @param proc User process requesting the change 2479 * @param addr Start address of the memory range 2480 * @param size Length address of the memory range 2481 * @param prot Memory protections, see mmap(2) 2482 * 2483 * Determine whether the subject identified by the credential should 2484 * be allowed to set the specified memory protections on memory mapped 2485 * in the process proc. 2486 * 2487 * @return Return 0 if access is granted, otherwise an appropriate value for 2488 * errno should be returned. 2489 */ 2490 typedef int mpo_proc_check_mprotect_t( 2491 kauth_cred_t cred, 2492 struct proc *proc, 2493 user_addr_t addr, 2494 user_size_t size, 2495 int prot 2496 ); 2497 /** 2498 * @brief Access control check for changing scheduling parameters 2499 * @param cred Subject credential 2500 * @param proc Object process 2501 * 2502 * Determine whether the subject identified by the credential can change 2503 * the scheduling parameters of the passed process. 2504 * 2505 * @return Return 0 if access is granted, otherwise an appropriate value for 2506 * errno should be returned. Suggested failure: EACCES for label mismatch, 2507 * EPERM for lack of privilege, or ESRCH to limit visibility. 2508 */ 2509 typedef int mpo_proc_check_sched_t( 2510 kauth_cred_t cred, 2511 struct proc *proc 2512 ); 2513 /** 2514 * @brief Access control check for setting audit information 2515 * @param cred Subject credential 2516 * @param ai Audit information 2517 * 2518 * Determine whether the subject identified by the credential can set 2519 * audit information such as the the preselection mask, the terminal ID 2520 * and the audit session ID, using the setaudit() system call. 2521 * 2522 * @return Return 0 if access is granted, otherwise an appropriate value for 2523 * errno should be returned. 2524 */ 2525 typedef int mpo_proc_check_setaudit_t( 2526 kauth_cred_t cred, 2527 struct auditinfo_addr *ai 2528 ); 2529 /** 2530 * @brief Access control check for setting audit user ID 2531 * @param cred Subject credential 2532 * @param auid Audit user ID 2533 * 2534 * Determine whether the subject identified by the credential can set 2535 * the user identity used by the auditing system, using the setauid() 2536 * system call. 2537 * 2538 * @return Return 0 if access is granted, otherwise an appropriate value for 2539 * errno should be returned. 2540 */ 2541 typedef int mpo_proc_check_setauid_t( 2542 kauth_cred_t cred, 2543 uid_t auid 2544 ); 2545 /** 2546 * @brief Access control check for delivering signal 2547 * @param cred Subject credential 2548 * @param proc Object process 2549 * @param signum Signal number; see kill(2) 2550 * 2551 * Determine whether the subject identified by the credential can deliver 2552 * the passed signal to the passed process. 2553 * 2554 * @warning Programs typically expect to be able to send and receive 2555 * signals as part or their normal process lifecycle; caution should be 2556 * exercised when implementing access controls over signal events. 2557 * 2558 * @return Return 0 if access is granted, otherwise an appropriate value for 2559 * errno should be returned. Suggested failure: EACCES for label mismatch, 2560 * EPERM for lack of privilege, or ESRCH to limit visibility. 2561 */ 2562 typedef int mpo_proc_check_signal_t( 2563 kauth_cred_t cred, 2564 struct proc *proc, 2565 int signum 2566 ); 2567 /** 2568 * @brief Access control check for MAC syscalls. 2569 * @param proc Subject process 2570 * @param policy MAC policy name 2571 * @param callnum MAC policy-specific syscall number 2572 * 2573 * Determine whether the subject process can perform the passed MAC syscall. 2574 * 2575 * @return Return 0 if access is granted, otherwise an appropriate value for 2576 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2577 */ 2578 typedef int mpo_proc_check_syscall_mac_t( 2579 struct proc *proc, 2580 const char *policy, 2581 int callnum 2582 ); 2583 /** 2584 * @brief Access control check for Unix syscalls. 2585 * @param proc Subject process 2586 * @param scnum Syscall number; see bsd/kern/syscalls.master. 2587 * 2588 * Determine whether the subject process can perform the passed syscall (number). 2589 * 2590 * @warning Programs typically expect to be able to make syscalls as part of 2591 * their normal process lifecycle; caution should be exercised when restricting 2592 * which syscalls a process can perform. 2593 * 2594 * @return Return 0 if access is granted, otherwise an appropriate value for 2595 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2596 */ 2597 typedef int mpo_proc_check_syscall_unix_t( 2598 struct proc *proc, 2599 int scnum 2600 ); 2601 /** 2602 * @brief Access control check for wait 2603 * @param cred Subject credential 2604 * @param proc Object process 2605 * 2606 * Determine whether the subject identified by the credential can wait 2607 * for process termination. 2608 * 2609 * @warning Caution should be exercised when implementing access 2610 * controls for wait, since programs often wait for child processes to 2611 * exit. Failure to be notified of a child process terminating may 2612 * cause the parent process to hang, or may produce zombie processes. 2613 * 2614 * @return Return 0 if access is granted, otherwise an appropriate value for 2615 * errno should be returned. 2616 */ 2617 typedef int mpo_proc_check_wait_t( 2618 kauth_cred_t cred, 2619 struct proc *proc 2620 ); 2621 /** 2622 * @brief Inform MAC policies that a process has exited. 2623 * @param proc Object process 2624 * 2625 * Called after all of the process's threads have terminated and 2626 * it has been removed from the process list. KPI that identifies 2627 * the process by pid will fail to find the process; KPI that 2628 * identifies the process by the object process pointer functions 2629 * normally. proc_exiting() returns true for the object process. 2630 */ 2631 typedef void mpo_proc_notify_exit_t( 2632 struct proc *proc 2633 ); 2634 /** 2635 * @brief Access control check for skywalk flow connect 2636 * @param cred Subject credential 2637 * @param flow Flow object 2638 * @param addr Remote address for flow to send data to 2639 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) 2640 * @param protocol Network protocol (e.g. IPPROTO_TCP) 2641 * 2642 * Determine whether the subject identified by the credential can 2643 * create a flow for sending data to the remote host specified by 2644 * addr. 2645 * 2646 * @return Return 0 if access if granted, otherwise an appropriate 2647 * value for errno should be returned. 2648 */ 2649 typedef int mpo_skywalk_flow_check_connect_t( 2650 kauth_cred_t cred, 2651 void *flow, 2652 const struct sockaddr *addr, 2653 int type, 2654 int protocol 2655 ); 2656 /** 2657 * @brief Access control check for skywalk flow listen 2658 * @param cred Subject credential 2659 * @param flow Flow object 2660 * @param addr Local address for flow to listen on 2661 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) 2662 * @param protocol Network protocol (e.g. IPPROTO_TCP) 2663 * 2664 * Determine whether the subject identified by the credential can 2665 * create a flow for receiving data on the local address specified 2666 * by addr. 2667 * 2668 * @return Return 0 if access if granted, otherwise an appropriate 2669 * value for errno should be returned. 2670 */ 2671 typedef int mpo_skywalk_flow_check_listen_t( 2672 kauth_cred_t cred, 2673 void *flow, 2674 const struct sockaddr *addr, 2675 int type, 2676 int protocol 2677 ); 2678 /** 2679 * @brief Access control check for socket accept 2680 * @param cred Subject credential 2681 * @param so Object socket 2682 * @param socklabel Policy label for socket 2683 * 2684 * Determine whether the subject identified by the credential can accept() 2685 * a new connection on the socket from the host specified by addr. 2686 * 2687 * @return Return 0 if access if granted, otherwise an appropriate 2688 * value for errno should be returned. 2689 */ 2690 typedef int mpo_socket_check_accept_t( 2691 kauth_cred_t cred, 2692 socket_t so, 2693 struct label *socklabel 2694 ); 2695 /** 2696 * @brief Access control check for a pending socket accept 2697 * @param cred Subject credential 2698 * @param so Object socket 2699 * @param socklabel Policy label for socket 2700 * @param addr Address of the listening socket (coming soon) 2701 * 2702 * Determine whether the subject identified by the credential can accept() 2703 * a pending connection on the socket from the host specified by addr. 2704 * 2705 * @return Return 0 if access if granted, otherwise an appropriate 2706 * value for errno should be returned. 2707 */ 2708 typedef int mpo_socket_check_accepted_t( 2709 kauth_cred_t cred, 2710 socket_t so, 2711 struct label *socklabel, 2712 struct sockaddr *addr 2713 ); 2714 /** 2715 * @brief Access control check for socket bind 2716 * @param cred Subject credential 2717 * @param so Object socket 2718 * @param socklabel Policy label for socket 2719 * @param addr Name to assign to the socket 2720 * 2721 * Determine whether the subject identified by the credential can bind() 2722 * the name (addr) to the socket. 2723 * 2724 * @return Return 0 if access if granted, otherwise an appropriate 2725 * value for errno should be returned. 2726 */ 2727 typedef int mpo_socket_check_bind_t( 2728 kauth_cred_t cred, 2729 socket_t so, 2730 struct label *socklabel, 2731 struct sockaddr *addr 2732 ); 2733 /** 2734 * @brief Access control check for socket connect 2735 * @param cred Subject credential 2736 * @param so Object socket 2737 * @param socklabel Policy label for socket 2738 * @param addr Name to assign to the socket 2739 * 2740 * Determine whether the subject identified by the credential can 2741 * connect() the passed socket to the remote host specified by addr. 2742 * 2743 * @return Return 0 if access if granted, otherwise an appropriate 2744 * value for errno should be returned. 2745 */ 2746 typedef int mpo_socket_check_connect_t( 2747 kauth_cred_t cred, 2748 socket_t so, 2749 struct label *socklabel, 2750 struct sockaddr *addr 2751 ); 2752 /** 2753 * @brief Access control check for socket() system call. 2754 * @param cred Subject credential 2755 * @param domain communication domain 2756 * @param type socket type 2757 * @param protocol socket protocol 2758 * 2759 * Determine whether the subject identified by the credential can 2760 * make the socket() call. 2761 * 2762 * @return Return 0 if access if granted, otherwise an appropriate 2763 * value for errno should be returned. 2764 */ 2765 typedef int mpo_socket_check_create_t( 2766 kauth_cred_t cred, 2767 int domain, 2768 int type, 2769 int protocol 2770 ); 2771 /** 2772 * @brief Access control check for socket ioctl. 2773 * @param cred Subject credential 2774 * @param so Object socket 2775 * @param cmd The ioctl command; see ioctl(2) 2776 * @param socklabel Policy label for socket 2777 * 2778 * Determine whether the subject identified by the credential can perform 2779 * the ioctl operation indicated by cmd on the given socket. 2780 * 2781 * @warning Since ioctl data is opaque from the standpoint of the MAC 2782 * framework, and since ioctls can affect many aspects of system 2783 * operation, policies must exercise extreme care when implementing 2784 * access control checks. 2785 * 2786 * @return Return 0 if access is granted, otherwise an appropriate value for 2787 * errno should be returned. 2788 */ 2789 typedef int mpo_socket_check_ioctl_t( 2790 kauth_cred_t cred, 2791 socket_t so, 2792 unsigned long cmd, 2793 struct label *socklabel 2794 ); 2795 /** 2796 * @brief Access control check for socket listen 2797 * @param cred Subject credential 2798 * @param so Object socket 2799 * @param socklabel Policy label for socket 2800 * 2801 * Determine whether the subject identified by the credential can 2802 * listen() on the passed socket. 2803 * 2804 * @return Return 0 if access if granted, otherwise an appropriate 2805 * value for errno should be returned. 2806 */ 2807 typedef int mpo_socket_check_listen_t( 2808 kauth_cred_t cred, 2809 socket_t so, 2810 struct label *socklabel 2811 ); 2812 /** 2813 * @brief Access control check for socket receive 2814 * @param cred Subject credential 2815 * @param so Object socket 2816 * @param socklabel Policy label for socket 2817 * 2818 * Determine whether the subject identified by the credential can 2819 * receive data from the socket. 2820 * 2821 * @return Return 0 if access if granted, otherwise an appropriate 2822 * value for errno should be returned. 2823 */ 2824 typedef int mpo_socket_check_receive_t( 2825 kauth_cred_t cred, 2826 socket_t so, 2827 struct label *socklabel 2828 ); 2829 2830 /** 2831 * @brief Access control check for socket receive 2832 * @param cred Subject credential 2833 * @param sock Object socket 2834 * @param socklabel Policy label for socket 2835 * @param saddr Name of the remote socket 2836 * 2837 * Determine whether the subject identified by the credential can 2838 * receive data from the remote host specified by addr. 2839 * 2840 * @return Return 0 if access if granted, otherwise an appropriate 2841 * value for errno should be returned. 2842 */ 2843 typedef int mpo_socket_check_received_t( 2844 kauth_cred_t cred, 2845 struct socket *sock, 2846 struct label *socklabel, 2847 struct sockaddr *saddr 2848 ); 2849 2850 /** 2851 * @brief Access control check for socket send 2852 * @param cred Subject credential 2853 * @param so Object socket 2854 * @param socklabel Policy label for socket 2855 * @param addr Address being sent to 2856 * 2857 * Determine whether the subject identified by the credential can send 2858 * data to the socket. 2859 * 2860 * @return Return 0 if access if granted, otherwise an appropriate 2861 * value for errno should be returned. 2862 */ 2863 typedef int mpo_socket_check_send_t( 2864 kauth_cred_t cred, 2865 socket_t so, 2866 struct label *socklabel, 2867 struct sockaddr *addr 2868 ); 2869 /** 2870 * @brief Access control check for retrieving socket status 2871 * @param cred Subject credential 2872 * @param so Object socket 2873 * @param socklabel Policy label for so 2874 * 2875 * Determine whether the subject identified by the credential can 2876 * execute the stat() system call on the given socket. 2877 * 2878 * @return Return 0 if access if granted, otherwise an appropriate 2879 * value for errno should be returned. 2880 */ 2881 typedef int mpo_socket_check_stat_t( 2882 kauth_cred_t cred, 2883 socket_t so, 2884 struct label *socklabel 2885 ); 2886 /** 2887 * @brief Access control check for setting socket options 2888 * @param cred Subject credential 2889 * @param so Object socket 2890 * @param socklabel Policy label for so 2891 * @param sopt The options being set 2892 * 2893 * Determine whether the subject identified by the credential can 2894 * execute the setsockopt system call on the given socket. 2895 * 2896 * @return Return 0 if access if granted, otherwise an appropriate 2897 * value for errno should be returned. 2898 */ 2899 typedef int mpo_socket_check_setsockopt_t( 2900 kauth_cred_t cred, 2901 socket_t so, 2902 struct label *socklabel, 2903 struct sockopt *sopt 2904 ); 2905 /** 2906 * @brief Access control check for getting socket options 2907 * @param cred Subject credential 2908 * @param so Object socket 2909 * @param socklabel Policy label for so 2910 * @param sopt The options to get 2911 * 2912 * Determine whether the subject identified by the credential can 2913 * execute the getsockopt system call on the given socket. 2914 * 2915 * @return Return 0 if access if granted, otherwise an appropriate 2916 * value for errno should be returned. 2917 */ 2918 typedef int mpo_socket_check_getsockopt_t( 2919 kauth_cred_t cred, 2920 socket_t so, 2921 struct label *socklabel, 2922 struct sockopt *sopt 2923 ); 2924 /** 2925 * @brief Access control check for enabling accounting 2926 * @param cred Subject credential 2927 * @param vp Accounting file 2928 * @param vlabel Label associated with vp 2929 * 2930 * Determine whether the subject should be allowed to enable accounting, 2931 * based on its label and the label of the accounting log file. See 2932 * acct(5) for more information. 2933 * 2934 * As accounting is disabled by passing NULL to the acct(2) system call, 2935 * the policy should be prepared for both 'vp' and 'vlabel' to be NULL. 2936 * 2937 * @return Return 0 if access is granted, otherwise an appropriate value for 2938 * errno should be returned. 2939 */ 2940 typedef int mpo_system_check_acct_t( 2941 kauth_cred_t cred, 2942 struct vnode *vp, 2943 struct label *vlabel 2944 ); 2945 /** 2946 * @brief Access control check for audit 2947 * @param cred Subject credential 2948 * @param record Audit record 2949 * @param length Audit record length 2950 * 2951 * Determine whether the subject identified by the credential can submit 2952 * an audit record for inclusion in the audit log via the audit() system call. 2953 * 2954 * @return Return 0 if access is granted, otherwise an appropriate value for 2955 * errno should be returned. 2956 */ 2957 typedef int mpo_system_check_audit_t( 2958 kauth_cred_t cred, 2959 void *record, 2960 int length 2961 ); 2962 /** 2963 * @brief Access control check for controlling audit 2964 * @param cred Subject credential 2965 * @param vp Audit file 2966 * @param vl Label associated with vp 2967 * 2968 * Determine whether the subject should be allowed to enable auditing using 2969 * the auditctl() system call, based on its label and the label of the proposed 2970 * audit file. 2971 * 2972 * @return Return 0 if access is granted, otherwise an appropriate value for 2973 * errno should be returned. 2974 */ 2975 typedef int mpo_system_check_auditctl_t( 2976 kauth_cred_t cred, 2977 struct vnode *vp, 2978 struct label *vl 2979 ); 2980 /** 2981 * @brief Access control check for manipulating auditing 2982 * @param cred Subject credential 2983 * @param cmd Audit control command 2984 * 2985 * Determine whether the subject identified by the credential can perform 2986 * the audit subsystem control operation cmd via the auditon() system call. 2987 * 2988 * @return Return 0 if access is granted, otherwise an appropriate value for 2989 * errno should be returned. 2990 */ 2991 typedef int mpo_system_check_auditon_t( 2992 kauth_cred_t cred, 2993 int cmd 2994 ); 2995 /** 2996 * @brief Access control check for obtaining the host control port 2997 * @param cred Subject credential 2998 * 2999 * Determine whether the subject identified by the credential can 3000 * obtain the host control port. 3001 * 3002 * @return Return 0 if access is granted, or non-zero otherwise. 3003 */ 3004 typedef int mpo_system_check_host_priv_t( 3005 kauth_cred_t cred 3006 ); 3007 /** 3008 * @brief Access control check for obtaining system information 3009 * @param cred Subject credential 3010 * @param info_type A description of the information requested 3011 * 3012 * Determine whether the subject identified by the credential should be 3013 * allowed to obtain information about the system. 3014 * 3015 * This is a generic hook that can be used in a variety of situations where 3016 * information is being returned that might be considered sensitive. 3017 * Rather than adding a new MAC hook for every such interface, this hook can 3018 * be called with a string identifying the type of information requested. 3019 * 3020 * @return Return 0 if access is granted, otherwise an appropriate value for 3021 * errno should be returned. 3022 */ 3023 typedef int mpo_system_check_info_t( 3024 kauth_cred_t cred, 3025 const char *info_type 3026 ); 3027 /** 3028 * @brief Access control check for calling NFS services 3029 * @param cred Subject credential 3030 * 3031 * Determine whether the subject identified by the credential should be 3032 * allowed to call nfssrv(2). 3033 * 3034 * @return Return 0 if access is granted, otherwise an appropriate value for 3035 * errno should be returned. 3036 */ 3037 typedef int mpo_system_check_nfsd_t( 3038 kauth_cred_t cred 3039 ); 3040 /** 3041 * @brief Access control check for reboot 3042 * @param cred Subject credential 3043 * @param howto howto parameter from reboot(2) 3044 * 3045 * Determine whether the subject identified by the credential should be 3046 * allowed to reboot the system in the specified manner. 3047 * 3048 * @return Return 0 if access is granted, otherwise an appropriate value for 3049 * errno should be returned. 3050 */ 3051 typedef int mpo_system_check_reboot_t( 3052 kauth_cred_t cred, 3053 int howto 3054 ); 3055 /** 3056 * @brief Access control check for setting system clock 3057 * @param cred Subject credential 3058 * 3059 * Determine whether the subject identified by the credential should be 3060 * allowed to set the system clock. 3061 * 3062 * @return Return 0 if access is granted, otherwise an appropriate value for 3063 * errno should be returned. 3064 */ 3065 typedef int mpo_system_check_settime_t( 3066 kauth_cred_t cred 3067 ); 3068 /** 3069 * @brief Access control check for removing swap devices 3070 * @param cred Subject credential 3071 * @param vp Swap device 3072 * @param label Label associated with vp 3073 * 3074 * Determine whether the subject identified by the credential should be 3075 * allowed to remove vp as a swap device. 3076 * 3077 * @return Return 0 if access is granted, otherwise an appropriate value for 3078 * errno should be returned. 3079 */ 3080 typedef int mpo_system_check_swapoff_t( 3081 kauth_cred_t cred, 3082 struct vnode *vp, 3083 struct label *label 3084 ); 3085 /** 3086 * @brief Access control check for adding swap devices 3087 * @param cred Subject credential 3088 * @param vp Swap device 3089 * @param label Label associated with vp 3090 * 3091 * Determine whether the subject identified by the credential should be 3092 * allowed to add vp as a swap device. 3093 * 3094 * @return Return 0 if access is granted, otherwise an appropriate value for 3095 * errno should be returned. 3096 */ 3097 typedef int mpo_system_check_swapon_t( 3098 kauth_cred_t cred, 3099 struct vnode *vp, 3100 struct label *label 3101 ); 3102 /** 3103 * @brief Access control check for sysctl 3104 * @param cred Subject credential 3105 * @param namestring String representation of sysctl name. 3106 * @param name Integer name; see sysctl(3) 3107 * @param namelen Length of name array of integers; see sysctl(3) 3108 * @param old 0 or address where to store old value; see sysctl(3) 3109 * @param oldlen Length of old buffer; see sysctl(3) 3110 * @param newvalue 0 or address of new value; see sysctl(3) 3111 * @param newlen Length of new buffer; see sysctl(3) 3112 * 3113 * Determine whether the subject identified by the credential should be 3114 * allowed to make the specified sysctl(3) transaction. 3115 * 3116 * The sysctl(3) call specifies that if the old value is not desired, 3117 * oldp and oldlenp should be set to NULL. Likewise, if a new value is 3118 * not to be set, newp should be set to NULL and newlen set to 0. 3119 * 3120 * @return Return 0 if access is granted, otherwise an appropriate value for 3121 * errno should be returned. 3122 */ 3123 typedef int mpo_system_check_sysctlbyname_t( 3124 kauth_cred_t cred, 3125 const char *namestring, 3126 int *name, 3127 size_t namelen, 3128 user_addr_t old, /* NULLOK */ 3129 size_t oldlen, 3130 user_addr_t newvalue, /* NULLOK */ 3131 size_t newlen 3132 ); 3133 /** 3134 * @brief Access control check for kas_info 3135 * @param cred Subject credential 3136 * @param selector Category of information to return. See kas_info.h 3137 * 3138 * Determine whether the subject identified by the credential can perform 3139 * introspection of the kernel address space layout for 3140 * debugging/performance analysis. 3141 * 3142 * @return Return 0 if access is granted, otherwise an appropriate value for 3143 * errno should be returned. 3144 */ 3145 typedef int mpo_system_check_kas_info_t( 3146 kauth_cred_t cred, 3147 int selector 3148 ); 3149 /** 3150 * @brief Create a System V message label 3151 * @param cred Subject credential 3152 * @param msqptr The message queue the message will be placed in 3153 * @param msqlabel The label of the message queue 3154 * @param msgptr The message 3155 * @param msglabel The label of the message 3156 * 3157 * Label the message as its placed in the message queue. 3158 */ 3159 typedef void mpo_sysvmsg_label_associate_t( 3160 kauth_cred_t cred, 3161 struct msqid_kernel *msqptr, 3162 struct label *msqlabel, 3163 struct msg *msgptr, 3164 struct label *msglabel 3165 ); 3166 /** 3167 * @brief Destroy System V message label 3168 * @param label The label to be destroyed 3169 * 3170 * Destroy a System V message label. Since the object is 3171 * going out of scope, policy modules should free any internal storage 3172 * associated with the label so that it may be destroyed. 3173 */ 3174 typedef void mpo_sysvmsg_label_destroy_t( 3175 struct label *label 3176 ); 3177 /** 3178 * @brief Initialize System V message label 3179 * @param label New label to initialize 3180 * 3181 * Initialize the label for a newly instantiated System V message. 3182 */ 3183 typedef void mpo_sysvmsg_label_init_t( 3184 struct label *label 3185 ); 3186 /** 3187 * @brief Clean up a System V message label 3188 * @param label The label to be destroyed 3189 * 3190 * Clean up a System V message label. Darwin pre-allocates 3191 * messages at system boot time and re-uses them rather than 3192 * allocating new ones. Before messages are returned to the "free 3193 * pool", policies can cleanup or overwrite any information present in 3194 * the label. 3195 */ 3196 typedef void mpo_sysvmsg_label_recycle_t( 3197 struct label *label 3198 ); 3199 /** 3200 * @brief Access control check for System V message enqueuing 3201 * @param cred Subject credential 3202 * @param msgptr The message 3203 * @param msglabel The message's label 3204 * @param msqptr The message queue 3205 * @param msqlabel The message queue's label 3206 * 3207 * Determine whether the subject identified by the credential can add the 3208 * given message to the given message queue. 3209 * 3210 * @return Return 0 if access is granted, otherwise an appropriate value for 3211 * errno should be returned. 3212 */ 3213 typedef int mpo_sysvmsq_check_enqueue_t( 3214 kauth_cred_t cred, 3215 struct msg *msgptr, 3216 struct label *msglabel, 3217 struct msqid_kernel *msqptr, 3218 struct label *msqlabel 3219 ); 3220 /** 3221 * @brief Access control check for System V message reception 3222 * @param cred The credential of the intended recipient 3223 * @param msgptr The message 3224 * @param msglabel The message's label 3225 * 3226 * Determine whether the subject identified by the credential can receive 3227 * the given message. 3228 * 3229 * @return Return 0 if access is granted, otherwise an appropriate value for 3230 * errno should be returned. 3231 */ 3232 typedef int mpo_sysvmsq_check_msgrcv_t( 3233 kauth_cred_t cred, 3234 struct msg *msgptr, 3235 struct label *msglabel 3236 ); 3237 /** 3238 * @brief Access control check for System V message queue removal 3239 * @param cred The credential of the caller 3240 * @param msgptr The message 3241 * @param msglabel The message's label 3242 * 3243 * System V message queues are removed using the msgctl() system call. 3244 * The system will iterate over each message in the queue, calling this 3245 * function for each, to determine whether the caller has the appropriate 3246 * credentials. 3247 * 3248 * @return Return 0 if access is granted, otherwise an appropriate value for 3249 * errno should be returned. 3250 */ 3251 typedef int mpo_sysvmsq_check_msgrmid_t( 3252 kauth_cred_t cred, 3253 struct msg *msgptr, 3254 struct label *msglabel 3255 ); 3256 /** 3257 * @brief Access control check for msgctl() 3258 * @param cred The credential of the caller 3259 * @param msqptr The message queue 3260 * @param msqlabel The message queue's label 3261 * 3262 * This access check is performed to validate calls to msgctl(). 3263 * 3264 * @return Return 0 if access is granted, otherwise an appropriate value for 3265 * errno should be returned. 3266 */ 3267 typedef int mpo_sysvmsq_check_msqctl_t( 3268 kauth_cred_t cred, 3269 struct msqid_kernel *msqptr, 3270 struct label *msqlabel, 3271 int cmd 3272 ); 3273 /** 3274 * @brief Access control check to get a System V message queue 3275 * @param cred The credential of the caller 3276 * @param msqptr The message queue requested 3277 * @param msqlabel The message queue's label 3278 * 3279 * On a call to msgget(), if the queue requested already exists, 3280 * and it is a public queue, this check will be performed before the 3281 * queue's ID is returned to the user. 3282 * 3283 * @return Return 0 if access is granted, otherwise an appropriate value for 3284 * errno should be returned. 3285 */ 3286 typedef int mpo_sysvmsq_check_msqget_t( 3287 kauth_cred_t cred, 3288 struct msqid_kernel *msqptr, 3289 struct label *msqlabel 3290 ); 3291 /** 3292 * @brief Access control check to receive a System V message from the given queue 3293 * @param cred The credential of the caller 3294 * @param msqptr The message queue to receive from 3295 * @param msqlabel The message queue's label 3296 * 3297 * On a call to msgrcv(), this check is performed to determine whether the 3298 * caller has receive rights on the given queue. 3299 * 3300 * @return Return 0 if access is granted, otherwise an appropriate value for 3301 * errno should be returned. 3302 */ 3303 typedef int mpo_sysvmsq_check_msqrcv_t( 3304 kauth_cred_t cred, 3305 struct msqid_kernel *msqptr, 3306 struct label *msqlabel 3307 ); 3308 /** 3309 * @brief Access control check to send a System V message to the given queue 3310 * @param cred The credential of the caller 3311 * @param msqptr The message queue to send to 3312 * @param msqlabel The message queue's label 3313 * 3314 * On a call to msgsnd(), this check is performed to determine whether the 3315 * caller has send rights on the given queue. 3316 * 3317 * @return Return 0 if access is granted, otherwise an appropriate value for 3318 * errno should be returned. 3319 */ 3320 typedef int mpo_sysvmsq_check_msqsnd_t( 3321 kauth_cred_t cred, 3322 struct msqid_kernel *msqptr, 3323 struct label *msqlabel 3324 ); 3325 /** 3326 * @brief Create a System V message queue label 3327 * @param cred Subject credential 3328 * @param msqptr The message queue 3329 * @param msqlabel The label of the message queue 3330 * 3331 */ 3332 typedef void mpo_sysvmsq_label_associate_t( 3333 kauth_cred_t cred, 3334 struct msqid_kernel *msqptr, 3335 struct label *msqlabel 3336 ); 3337 /** 3338 * @brief Destroy System V message queue label 3339 * @param label The label to be destroyed 3340 * 3341 * Destroy a System V message queue label. Since the object is 3342 * going out of scope, policy modules should free any internal storage 3343 * associated with the label so that it may be destroyed. 3344 */ 3345 typedef void mpo_sysvmsq_label_destroy_t( 3346 struct label *label 3347 ); 3348 /** 3349 * @brief Initialize System V message queue label 3350 * @param label New label to initialize 3351 * 3352 * Initialize the label for a newly instantiated System V message queue. 3353 */ 3354 typedef void mpo_sysvmsq_label_init_t( 3355 struct label *label 3356 ); 3357 /** 3358 * @brief Clean up a System V message queue label 3359 * @param label The label to be destroyed 3360 * 3361 * Clean up a System V message queue label. Darwin pre-allocates 3362 * message queues at system boot time and re-uses them rather than 3363 * allocating new ones. Before message queues are returned to the "free 3364 * pool", policies can cleanup or overwrite any information present in 3365 * the label. 3366 */ 3367 typedef void mpo_sysvmsq_label_recycle_t( 3368 struct label *label 3369 ); 3370 /** 3371 * @brief Access control check for System V semaphore control operation 3372 * @param cred Subject credential 3373 * @param semakptr Pointer to semaphore identifier 3374 * @param semaklabel Label associated with semaphore 3375 * @param cmd Control operation to be performed; see semctl(2) 3376 * 3377 * Determine whether the subject identified by the credential can perform 3378 * the operation indicated by cmd on the System V semaphore semakptr. 3379 * 3380 * @return Return 0 if access is granted, otherwise an appropriate value for 3381 * errno should be returned. 3382 */ 3383 typedef int mpo_sysvsem_check_semctl_t( 3384 kauth_cred_t cred, 3385 struct semid_kernel *semakptr, 3386 struct label *semaklabel, 3387 int cmd 3388 ); 3389 /** 3390 * @brief Access control check for obtaining a System V semaphore 3391 * @param cred Subject credential 3392 * @param semakptr Pointer to semaphore identifier 3393 * @param semaklabel Label to associate with the semaphore 3394 * 3395 * Determine whether the subject identified by the credential can 3396 * obtain a System V semaphore. 3397 * 3398 * @return Return 0 if access is granted, otherwise an appropriate value for 3399 * errno should be returned. 3400 */ 3401 typedef int mpo_sysvsem_check_semget_t( 3402 kauth_cred_t cred, 3403 struct semid_kernel *semakptr, 3404 struct label *semaklabel 3405 ); 3406 /** 3407 * @brief Access control check for System V semaphore operations 3408 * @param cred Subject credential 3409 * @param semakptr Pointer to semaphore identifier 3410 * @param semaklabel Label associated with the semaphore 3411 * @param accesstype Flags to indicate access (read and/or write) 3412 * 3413 * Determine whether the subject identified by the credential can 3414 * perform the operations on the System V semaphore indicated by 3415 * semakptr. The accesstype flags hold the maximum set of permissions 3416 * from the sem_op array passed to the semop system call. It may 3417 * contain SEM_R for read-only operations or SEM_A for read/write 3418 * operations. 3419 * 3420 * @return Return 0 if access is granted, otherwise an appropriate value for 3421 * errno should be returned. 3422 */ 3423 typedef int mpo_sysvsem_check_semop_t( 3424 kauth_cred_t cred, 3425 struct semid_kernel *semakptr, 3426 struct label *semaklabel, 3427 size_t accesstype 3428 ); 3429 /** 3430 * @brief Create a System V semaphore label 3431 * @param cred Subject credential 3432 * @param semakptr The semaphore being created 3433 * @param semalabel Label to associate with the new semaphore 3434 * 3435 * Label a new System V semaphore. The label was previously 3436 * initialized and associated with the semaphore. At this time, an 3437 * appropriate initial label value should be assigned to the object and 3438 * stored in semalabel. 3439 */ 3440 typedef void mpo_sysvsem_label_associate_t( 3441 kauth_cred_t cred, 3442 struct semid_kernel *semakptr, 3443 struct label *semalabel 3444 ); 3445 /** 3446 * @brief Destroy System V semaphore label 3447 * @param label The label to be destroyed 3448 * 3449 * Destroy a System V semaphore label. Since the object is 3450 * going out of scope, policy modules should free any internal storage 3451 * associated with the label so that it may be destroyed. 3452 */ 3453 typedef void mpo_sysvsem_label_destroy_t( 3454 struct label *label 3455 ); 3456 /** 3457 * @brief Initialize System V semaphore label 3458 * @param label New label to initialize 3459 * 3460 * Initialize the label for a newly instantiated System V semaphore. Sleeping 3461 * is permitted. 3462 */ 3463 typedef void mpo_sysvsem_label_init_t( 3464 struct label *label 3465 ); 3466 /** 3467 * @brief Clean up a System V semaphore label 3468 * @param label The label to be cleaned 3469 * 3470 * Clean up a System V semaphore label. Darwin pre-allocates 3471 * semaphores at system boot time and re-uses them rather than 3472 * allocating new ones. Before semaphores are returned to the "free 3473 * pool", policies can cleanup or overwrite any information present in 3474 * the label. 3475 */ 3476 typedef void mpo_sysvsem_label_recycle_t( 3477 struct label *label 3478 ); 3479 /** 3480 * @brief Access control check for mapping System V shared memory 3481 * @param cred Subject credential 3482 * @param shmsegptr Pointer to shared memory segment identifier 3483 * @param shmseglabel Label associated with the shared memory segment 3484 * @param shmflg shmat flags; see shmat(2) 3485 * 3486 * Determine whether the subject identified by the credential can map 3487 * the System V shared memory segment associated with shmsegptr. 3488 * 3489 * @return Return 0 if access is granted, otherwise an appropriate value for 3490 * errno should be returned. 3491 */ 3492 typedef int mpo_sysvshm_check_shmat_t( 3493 kauth_cred_t cred, 3494 struct shmid_kernel *shmsegptr, 3495 struct label *shmseglabel, 3496 int shmflg 3497 ); 3498 /** 3499 * @brief Access control check for System V shared memory control operation 3500 * @param cred Subject credential 3501 * @param shmsegptr Pointer to shared memory segment identifier 3502 * @param shmseglabel Label associated with the shared memory segment 3503 * @param cmd Control operation to be performed; see shmctl(2) 3504 * 3505 * Determine whether the subject identified by the credential can perform 3506 * the operation indicated by cmd on the System V shared memory segment 3507 * shmsegptr. 3508 * 3509 * @return Return 0 if access is granted, otherwise an appropriate value for 3510 * errno should be returned. 3511 */ 3512 typedef int mpo_sysvshm_check_shmctl_t( 3513 kauth_cred_t cred, 3514 struct shmid_kernel *shmsegptr, 3515 struct label *shmseglabel, 3516 int cmd 3517 ); 3518 /** 3519 * @brief Access control check for unmapping System V shared memory 3520 * @param cred Subject credential 3521 * @param shmsegptr Pointer to shared memory segment identifier 3522 * @param shmseglabel Label associated with the shared memory segment 3523 * 3524 * Determine whether the subject identified by the credential can unmap 3525 * the System V shared memory segment associated with shmsegptr. 3526 * 3527 * @return Return 0 if access is granted, otherwise an appropriate value for 3528 * errno should be returned. 3529 */ 3530 typedef int mpo_sysvshm_check_shmdt_t( 3531 kauth_cred_t cred, 3532 struct shmid_kernel *shmsegptr, 3533 struct label *shmseglabel 3534 ); 3535 /** 3536 * @brief Access control check obtaining System V shared memory identifier 3537 * @param cred Subject credential 3538 * @param shmsegptr Pointer to shared memory segment identifier 3539 * @param shmseglabel Label associated with the shared memory segment 3540 * @param shmflg shmget flags; see shmget(2) 3541 * 3542 * Determine whether the subject identified by the credential can get 3543 * the System V shared memory segment address. 3544 * 3545 * @return Return 0 if access is granted, otherwise an appropriate value for 3546 * errno should be returned. 3547 */ 3548 typedef int mpo_sysvshm_check_shmget_t( 3549 kauth_cred_t cred, 3550 struct shmid_kernel *shmsegptr, 3551 struct label *shmseglabel, 3552 int shmflg 3553 ); 3554 /** 3555 * @brief Create a System V shared memory region label 3556 * @param cred Subject credential 3557 * @param shmsegptr The shared memory region being created 3558 * @param shmlabel Label to associate with the new shared memory region 3559 * 3560 * Label a new System V shared memory region. The label was previously 3561 * initialized and associated with the shared memory region. At this 3562 * time, an appropriate initial label value should be assigned to the 3563 * object and stored in shmlabel. 3564 */ 3565 typedef void mpo_sysvshm_label_associate_t( 3566 kauth_cred_t cred, 3567 struct shmid_kernel *shmsegptr, 3568 struct label *shmlabel 3569 ); 3570 /** 3571 * @brief Destroy System V shared memory label 3572 * @param label The label to be destroyed 3573 * 3574 * Destroy a System V shared memory region label. Since the 3575 * object is going out of scope, policy modules should free any 3576 * internal storage associated with the label so that it may be 3577 * destroyed. 3578 */ 3579 typedef void mpo_sysvshm_label_destroy_t( 3580 struct label *label 3581 ); 3582 /** 3583 * @brief Initialize System V Shared Memory region label 3584 * @param label New label to initialize 3585 * 3586 * Initialize the label for a newly instantiated System V Shared Memory 3587 * region. Sleeping is permitted. 3588 */ 3589 typedef void mpo_sysvshm_label_init_t( 3590 struct label *label 3591 ); 3592 /** 3593 * @brief Clean up a System V Share Memory Region label 3594 * @param shmlabel The label to be cleaned 3595 * 3596 * Clean up a System V Shared Memory Region label. Darwin 3597 * pre-allocates these objects at system boot time and re-uses them 3598 * rather than allocating new ones. Before the memory regions are 3599 * returned to the "free pool", policies can cleanup or overwrite any 3600 * information present in the label. 3601 */ 3602 typedef void mpo_sysvshm_label_recycle_t( 3603 struct label *shmlabel 3604 ); 3605 3606 /** 3607 * @brief Access control check for getting a process's task ports of different flavors 3608 * @param cred Subject credential 3609 * @param pident Object unique process identifier 3610 * @param flavor Requested task port flavor 3611 * 3612 * Determine whether the subject identified by the credential can get 3613 * the passed process's task port of given flavor. 3614 * This call is used by the task_{,read,inspect,name}_for_pid(2) API. 3615 * 3616 * @return Return 0 if access is granted, otherwise an appropriate value for 3617 * errno should be returned. Suggested failure: EACCES for label mismatch, 3618 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3619 */ 3620 typedef int mpo_proc_check_get_task_with_flavor_t( 3621 kauth_cred_t cred, 3622 struct proc_ident *pident, 3623 mach_task_flavor_t flavor 3624 ); 3625 3626 /** 3627 * @brief Access control check for exposing a process's task ports of different flavors 3628 * @param cred Subject credential 3629 * @param pident Object unique process identifier 3630 * @param flavor Requested task port flavor 3631 * 3632 * Determine whether the subject identified by the credential can expose 3633 * the passed process's task port of given flavor. 3634 * This call is used by the accessor APIs like processor_set_tasks() and 3635 * processor_set_threads(). 3636 * 3637 * @return Return 0 if access is granted, otherwise an appropriate value for 3638 * errno should be returned. Suggested failure: EACCES for label mismatch, 3639 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3640 */ 3641 typedef int mpo_proc_check_expose_task_with_flavor_t( 3642 kauth_cred_t cred, 3643 struct proc_ident *pident, 3644 mach_task_flavor_t flavor 3645 ); 3646 3647 /** 3648 * @brief Access control check for upgrading to task port with a task identity token 3649 * @param cred Subject credential 3650 * @param pident Object unique process identifier, NULL if token represents a corpse task 3651 * @param flavor Requested task port flavor 3652 * 3653 * Determine whether the subject identified by the credential can upgrade to task port 3654 * of given flavor with a task identity token of the passed process. 3655 * This call is used by task_identity_token_get_task_port(). 3656 * 3657 * @return Return 0 if access is granted, otherwise an appropriate value for 3658 * errno should be returned. Suggested failure: EACCES for label mismatch, 3659 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3660 */ 3661 typedef int mpo_proc_check_task_id_token_get_task_t( 3662 kauth_cred_t cred, 3663 struct proc_ident *pident, /* Nullable */ 3664 mach_task_flavor_t flavor 3665 ); 3666 3667 /** 3668 * @brief Check whether task's IPC may inherit across process exec 3669 * @param p current process instance 3670 * @param cur_vp vnode pointer to current instance 3671 * @param cur_offset offset of binary of currently executing image 3672 * @param img_vp vnode pointer to to be exec'ed image 3673 * @param img_offset offset into file which is selected for execution 3674 * @param scriptvp vnode pointer of script file if any. 3675 * @return Return 0 if access is granted. 3676 * EPERM if parent does not have any entitlements. 3677 * EACCESS if mismatch in entitlements 3678 */ 3679 typedef int mpo_proc_check_inherit_ipc_ports_t( 3680 struct proc *p, 3681 struct vnode *cur_vp, 3682 off_t cur_offset, 3683 struct vnode *img_vp, 3684 off_t img_offset, 3685 struct vnode *scriptvp 3686 ); 3687 3688 /** 3689 * @brief Privilege check for a process to run invalid 3690 * @param p Object process 3691 * 3692 * Determine whether the process may execute even though the system determined 3693 * that it is untrusted (eg unidentified / modified code). 3694 * 3695 * @return Return 0 if access is granted, otherwise an appropriate value for 3696 * errno should be returned. 3697 */ 3698 typedef int mpo_proc_check_run_cs_invalid_t( 3699 struct proc *p 3700 ); 3701 3702 /** 3703 * @brief Notification a process was invalidated 3704 * @param p Object process 3705 * 3706 * Notifies that the CS_VALID bit was removed from a process' csflags. This 3707 * either indicates that a validly code-signed process has encountered an 3708 * invalidly code-signed page for the first time, or that it was explicitly 3709 * marked invalid via a csops(CS_OPS_MARKINVALID) syscall. 3710 * 3711 * @warning This hook can be called from the page fault handler; it should not 3712 * perform any operations that may result in paging, and stack space is extremely 3713 * limited. Furthermore, the hook is called with proc lock held, and if called 3714 * from the fault handler, with vm object lock held. Consumers reacting to this 3715 * hook being called are expected to defer processing to a userret, possibly 3716 * after suspending the task. 3717 */ 3718 typedef void mpo_proc_notify_cs_invalidated_t( 3719 struct proc *p 3720 ); 3721 3722 /** 3723 * @brief Notification a process is finished with exec and will jump to userspace 3724 * @param p Object process 3725 * 3726 * Notifies all MAC policies that a process has completed an exec and is about to 3727 * jump to userspace to continue execution. This may result in process termination 3728 * via signals. Hook is designed to hold no/minimal locks so it can be used for any 3729 * necessary upcalls. 3730 */ 3731 typedef void mpo_proc_notify_exec_complete_t( 3732 struct proc *p 3733 ); 3734 3735 /** 3736 * @brief Access control check for setting user ID 3737 * @param cred Subject credential 3738 * @param uid Requested user ID 3739 * 3740 * Determine whether the subject identified by the credential can set the 3741 * real and effective user ID and the saved set-user-ID of the current 3742 * process, using the setuid() system call. 3743 * 3744 * @return Return 0 if access is granted, otherwise an appropriate value for 3745 * errno should be returned. 3746 */ 3747 typedef int mpo_proc_check_setuid_t( 3748 kauth_cred_t cred, 3749 uid_t uid 3750 ); 3751 3752 /** 3753 * @brief Access control check for setting effective user ID 3754 * @param cred Subject credential 3755 * @param euid Requested effective user ID 3756 * 3757 * Determine whether the subject identified by the credential can set the 3758 * effective user ID of the current process, using the seteuid() system call. 3759 * 3760 * @return Return 0 if access is granted, otherwise an appropriate value for 3761 * errno should be returned. 3762 */ 3763 typedef int mpo_proc_check_seteuid_t( 3764 kauth_cred_t cred, 3765 uid_t euid 3766 ); 3767 3768 /** 3769 * @brief Access control check for setting real and effective user ID 3770 * @param cred Subject credential 3771 * @param ruid Requested real user ID 3772 * @param euid Requested effective user ID 3773 * 3774 * Determine whether the subject identified by the credential can set the 3775 * real and effective user ID of the current process, using the setreuid() 3776 * system call. 3777 * 3778 * @return Return 0 if access is granted, otherwise an appropriate value for 3779 * errno should be returned. 3780 */ 3781 typedef int mpo_proc_check_setreuid_t( 3782 kauth_cred_t cred, 3783 uid_t ruid, 3784 uid_t euid 3785 ); 3786 3787 /** 3788 * @brief Access control check for setting group ID 3789 * @param cred Subject credential 3790 * @param gid Requested group ID 3791 * 3792 * Determine whether the subject identified by the credential can set the 3793 * real and effective group IDs and the saved set-group-ID of the current 3794 * process, using the setgid() system call. 3795 * 3796 * @return Return 0 if access is granted, otherwise an appropriate value for 3797 * errno should be returned. 3798 */ 3799 typedef int mpo_proc_check_setgid_t( 3800 kauth_cred_t cred, 3801 gid_t gid 3802 ); 3803 3804 /** 3805 * @brief Access control check for setting effective group ID 3806 * @param cred Subject credential 3807 * @param egid Requested effective group ID 3808 * 3809 * Determine whether the subject identified by the credential can set the 3810 * effective group ID of the current process, using the setegid() system call. 3811 * 3812 * @return Return 0 if access is granted, otherwise an appropriate value for 3813 * errno should be returned. 3814 */ 3815 typedef int mpo_proc_check_setegid_t( 3816 kauth_cred_t cred, 3817 gid_t egid 3818 ); 3819 3820 /** 3821 * @brief Access control check for setting real and effective group ID 3822 * @param cred Subject credential 3823 * @param rgid Requested real group ID or KAUTH_UID_NONE for none 3824 * @param egid Requested effective group ID or KAUTH_GID_NONE for none 3825 * 3826 * Determine whether the subject identified by the credential can set the 3827 * real and effective group ID of the current process, using the setregid() 3828 * system call. 3829 * 3830 * @return Return 0 if access is granted, otherwise an appropriate value for 3831 * errno should be returned. 3832 */ 3833 typedef int mpo_proc_check_setregid_t( 3834 kauth_cred_t cred, 3835 gid_t rgid, 3836 gid_t egid 3837 ); 3838 3839 /** 3840 * @brief Access control check for setting thread assumed identity 3841 * @param pcred Subject process credential 3842 * @param tcred Subject thread credential 3843 * @param uid Requested user ID or KAUTH_UID_NONE for none 3844 * @param gid Requested group ID or KAUTH_GID_NONE for none 3845 * 3846 * Determine whether the subject identified by the credential can set the 3847 * user and group ID of the current thread, using the settid() or 3848 * settid_with_pid() system call. 3849 * 3850 * @return Return 0 if access is granted, otherwise an appropriate value for 3851 * errno should be returned. 3852 */ 3853 typedef int mpo_proc_check_settid_t( 3854 kauth_cred_t pcred, 3855 kauth_cred_t tcred, 3856 uid_t uid, 3857 gid_t gid 3858 ); 3859 3860 /** 3861 * @brief Notification of connection port derivation from service port 3862 * @param cred Subject process credential 3863 * @param sp_info Service port info 3864 * 3865 * Called when a process derives a connection port from a service port. 3866 * 3867 * Notes: 3868 * - Port derivation is only mandatory if the receiving end of the 3869 * connection performs validation of that fact. 3870 * - MAC policies should not perform upcalls or expensive operations in 3871 * this hook. 3872 * - Only called on macOS. 3873 */ 3874 typedef void mpo_proc_notify_service_port_derive_t( 3875 kauth_cred_t cred, 3876 struct mach_service_port_info *sp_info 3877 ); 3878 3879 /** 3880 * @brief Perform MAC-related analysis of telemetry data. 3881 * @param thread The Mach thread that was sampled. 3882 * 3883 * Notifies MAC policies that telemetry data was just collected from a 3884 * process's user thread and that it is ready to be analyzed. The analysis is 3885 * performed shortly before a thread is about to return to userspace via a 3886 * syscall or mach trap. 3887 * 3888 * Note that sometimes the scheduled telemetry can fail. In the case of 3889 * failure, the function will be called with a non-zero `err` value, in which 3890 * case it is expected that the client will cleanup any necessary state 3891 * recorded back when the telemetry was first scheduled. 3892 */ 3893 typedef void mpo_thread_telemetry_t( 3894 struct thread *thread, 3895 int err, 3896 const void *data, 3897 size_t length 3898 ); 3899 3900 /** 3901 * @brief Perform MAC-related events when a thread returns to user space 3902 * @param thread Mach (not BSD) thread that is returning 3903 * 3904 * This entry point permits policy modules to perform MAC-related 3905 * events when a thread returns to user space, via a system call 3906 * return or trap return. 3907 */ 3908 typedef void mpo_thread_userret_t( 3909 struct thread *thread 3910 ); 3911 3912 /** 3913 * @brief Check vnode access 3914 * @param cred Subject credential 3915 * @param vp Object vnode 3916 * @param label Label for vp 3917 * @param acc_mode access(2) flags 3918 * 3919 * Determine how invocations of access(2) and related calls by the 3920 * subject identified by the credential should return when performed 3921 * on the passed vnode using the passed access flags. This should 3922 * generally be implemented using the same semantics used in 3923 * mpo_vnode_check_open. 3924 * 3925 * @return Return 0 if access is granted, otherwise an appropriate value for 3926 * errno should be returned. Suggested failure: EACCES for label mismatch or 3927 * EPERM for lack of privilege. 3928 */ 3929 typedef int mpo_vnode_check_access_t( 3930 kauth_cred_t cred, 3931 struct vnode *vp, 3932 struct label *label, 3933 int acc_mode 3934 ); 3935 /** 3936 * @brief Access control check for changing working directory 3937 * @param cred Subject credential 3938 * @param dvp Object; vnode to chdir(2) into 3939 * @param dlabel Policy label for dvp 3940 * 3941 * Determine whether the subject identified by the credential can change 3942 * the process working directory to the passed vnode. 3943 * 3944 * @return Return 0 if access is granted, otherwise an appropriate value for 3945 * errno should be returned. Suggested failure: EACCES for label mismatch or 3946 * EPERM for lack of privilege. 3947 */ 3948 typedef int mpo_vnode_check_chdir_t( 3949 kauth_cred_t cred, 3950 struct vnode *dvp, 3951 struct label *dlabel 3952 ); 3953 /** 3954 * @brief Access control check for changing root directory 3955 * @param cred Subject credential 3956 * @param dvp Directory vnode 3957 * @param dlabel Policy label associated with dvp 3958 * @param cnp Component name for dvp 3959 * 3960 * Determine whether the subject identified by the credential should be 3961 * allowed to chroot(2) into the specified directory (dvp). 3962 * 3963 * @return In the event of an error, an appropriate value for errno 3964 * should be returned, otherwise return 0 upon success. 3965 */ 3966 typedef int mpo_vnode_check_chroot_t( 3967 kauth_cred_t cred, 3968 struct vnode *dvp, 3969 struct label *dlabel, 3970 struct componentname *cnp 3971 ); 3972 /** 3973 * @brief Access control check for creating clone 3974 * @param cred Subject credential 3975 * @param dvp Vnode of directory to create the clone in 3976 * @param dlabel Policy label associated with dvp 3977 * @param vp Vnode of the file to clone from 3978 * @param label Policy label associated with vp 3979 * @param cnp Component name for the clone being created 3980 * 3981 * Determine whether the subject identified by the credential should be 3982 * allowed to create a clone of the vnode vp with the name specified by cnp. 3983 * 3984 * @return Return 0 if access is granted, otherwise an appropriate value for 3985 * errno should be returned. 3986 */ 3987 typedef int mpo_vnode_check_clone_t( 3988 kauth_cred_t cred, 3989 struct vnode *dvp, 3990 struct label *dlabel, 3991 struct vnode *vp, 3992 struct label *label, 3993 struct componentname *cnp 3994 ); 3995 /** 3996 * @brief Access control check for creating vnode 3997 * @param cred Subject credential 3998 * @param dvp Directory vnode 3999 * @param dlabel Policy label for dvp 4000 * @param cnp Component name for dvp 4001 * @param vap vnode attributes for vap 4002 * 4003 * Determine whether the subject identified by the credential can create 4004 * a vnode with the passed parent directory, passed name information, 4005 * and passed attribute information. This call may be made in a number of 4006 * situations, including as a result of calls to open(2) with O_CREAT, 4007 * mknod(2), mkfifo(2), and others. 4008 * 4009 * @return Return 0 if access is granted, otherwise an appropriate value for 4010 * errno should be returned. Suggested failure: EACCES for label mismatch or 4011 * EPERM for lack of privilege. 4012 */ 4013 typedef int mpo_vnode_check_create_t( 4014 kauth_cred_t cred, 4015 struct vnode *dvp, 4016 struct label *dlabel, 4017 struct componentname *cnp, 4018 struct vnode_attr *vap 4019 ); 4020 /** 4021 * @brief Access control check for deleting extended attribute 4022 * @param cred Subject credential 4023 * @param vp Object vnode 4024 * @param vlabel Label associated with vp 4025 * @param name Extended attribute name 4026 * 4027 * Determine whether the subject identified by the credential can delete 4028 * the extended attribute from the passed vnode. 4029 * 4030 * @return Return 0 if access is granted, otherwise an appropriate value for 4031 * errno should be returned. Suggested failure: EACCES for label mismatch or 4032 * EPERM for lack of privilege. 4033 */ 4034 typedef int mpo_vnode_check_deleteextattr_t( 4035 kauth_cred_t cred, 4036 struct vnode *vp, 4037 struct label *vlabel, 4038 const char *name 4039 ); 4040 /** 4041 * @brief Access control check for exchanging file data 4042 * @param cred Subject credential 4043 * @param v1 vnode 1 to swap 4044 * @param vl1 Policy label for v1 4045 * @param v2 vnode 2 to swap 4046 * @param vl2 Policy label for v2 4047 * 4048 * Determine whether the subject identified by the credential can swap the data 4049 * in the two supplied vnodes. 4050 * 4051 * @return Return 0 if access is granted, otherwise an appropriate value for 4052 * errno should be returned. Suggested failure: EACCES for label mismatch or 4053 * EPERM for lack of privilege. 4054 */ 4055 typedef int mpo_vnode_check_exchangedata_t( 4056 kauth_cred_t cred, 4057 struct vnode *v1, 4058 struct label *vl1, 4059 struct vnode *v2, 4060 struct label *vl2 4061 ); 4062 /** 4063 * @brief Access control check for executing the vnode 4064 * @param cred Subject credential 4065 * @param vp Object vnode to execute 4066 * @param scriptvp Script being executed by interpreter, if any. 4067 * @param vnodelabel Label corresponding to vp 4068 * @param scriptlabel Script vnode label 4069 * @param execlabel Userspace provided execution label 4070 * @param cnp Component name for file being executed 4071 * @param macpolicyattr MAC policy-specific spawn attribute data. 4072 * @param macpolicyattrlen Length of policy-specific spawn attribute data. 4073 * 4074 * Determine whether the subject identified by the credential can execute 4075 * the passed vnode. Determination of execute privilege is made separately 4076 * from decisions about any process label transitioning event. 4077 * 4078 * The final label, execlabel, corresponds to a label supplied by a 4079 * user space application through the use of the mac_execve system call. 4080 * This label will be NULL if the user application uses the the vendor 4081 * execve(2) call instead of the MAC Framework mac_execve() call. 4082 * 4083 * @return Return 0 if access is granted, otherwise an appropriate value for 4084 * errno should be returned. Suggested failure: EACCES for label mismatch or 4085 * EPERM for lack of privilege. 4086 */ 4087 typedef int mpo_vnode_check_exec_t( 4088 kauth_cred_t cred, 4089 struct vnode *vp, 4090 struct vnode *scriptvp, 4091 struct label *vnodelabel, 4092 struct label *scriptlabel, 4093 struct label *execlabel, /* NULLOK */ 4094 struct componentname *cnp, 4095 u_int *csflags, 4096 void *macpolicyattr, 4097 size_t macpolicyattrlen 4098 ); 4099 /** 4100 * @brief Access control check for fsgetpath 4101 * @param cred Subject credential 4102 * @param vp Vnode for which a path will be returned 4103 * @param label Label associated with the vnode 4104 * 4105 * Determine whether the subject identified by the credential can get the path 4106 * of the given vnode with fsgetpath. 4107 * 4108 * @return Return 0 if access is granted, otherwise an appropriate value for 4109 * errno should be returned. 4110 */ 4111 typedef int mpo_vnode_check_fsgetpath_t( 4112 kauth_cred_t cred, 4113 struct vnode *vp, 4114 struct label *label 4115 ); 4116 /** 4117 * @brief Access control check for retrieving file attributes 4118 * @param active_cred Subject credential 4119 * @param file_cred Credential associated with the struct fileproc 4120 * @param vp Object vnode 4121 * @param vlabel Policy label for vp 4122 * @param va Vnode attributes to retrieve 4123 * 4124 * Determine whether the subject identified by the credential can 4125 * get information about the passed vnode. The active_cred hold 4126 * the credentials of the subject performing the operation, and 4127 * file_cred holds the credentials of the subject that originally 4128 * opened the file. This check happens during stat(), lstat(), 4129 * fstat(), and getattrlist() syscalls. See <sys/vnode.h> for 4130 * definitions of the attributes. 4131 * 4132 * @return Return 0 if access is granted, otherwise an appropriate value for 4133 * errno should be returned. 4134 * 4135 * @note Policies may change the contents of va to alter the list of 4136 * file attributes returned. 4137 */ 4138 typedef int mpo_vnode_check_getattr_t( 4139 kauth_cred_t active_cred, 4140 kauth_cred_t file_cred, /* NULLOK */ 4141 struct vnode *vp, 4142 struct label *vlabel, 4143 struct vnode_attr *va 4144 ); 4145 /** 4146 * @brief Access control check for retrieving file attributes 4147 * @param cred Subject credential 4148 * @param vp Object vnode 4149 * @param vlabel Policy label for vp 4150 * @param alist List of attributes to retrieve 4151 * @param options Option flags for alist 4152 * 4153 * Determine whether the subject identified by the credential can read 4154 * various attributes of the specified vnode, or the filesystem or volume on 4155 * which that vnode resides. See <sys/attr.h> for definitions of the 4156 * attributes and flags. 4157 * 4158 * @return Return 0 if access is granted, otherwise an appropriate value for 4159 * errno should be returned. Suggested failure: EACCES for label mismatch or 4160 * EPERM for lack of privilege. Access control covers all attributes requested 4161 * with this call; the security policy is not permitted to change the set of 4162 * attributes requested. 4163 */ 4164 typedef int mpo_vnode_check_getattrlist_t( 4165 kauth_cred_t cred, 4166 struct vnode *vp, 4167 struct label *vlabel, 4168 struct attrlist *alist, 4169 uint64_t options 4170 ); 4171 /** 4172 * @brief Access control check for retrieving file attributes for multiple directory entries 4173 * @param cred Subject credential 4174 * @param dvp Directory vnode 4175 * @param alist List of attributes to retrieve 4176 * @param options Option flags for alist 4177 * 4178 * Determine whether the subject identified by the credential can read 4179 * various attributes of the specified vnode, or the filesystem or volume on 4180 * which that vnode resides. See <sys/attr.h> for definitions of the 4181 * attributes and flags. 4182 * 4183 * @return Return 0 if access is granted, otherwise an appropriate value for 4184 * errno should be returned. Suggested failure: EACCES for label mismatch or 4185 * EPERM for lack of privilege. Access control covers all attributes requested 4186 * with this call; the security policy is not permitted to change the set of 4187 * attributes requested. 4188 */ 4189 typedef int mpo_vnode_check_getattrlistbulk_t( 4190 kauth_cred_t cred, 4191 struct vnode *dvp, 4192 struct attrlist *alist, 4193 uint64_t options 4194 ); 4195 /** 4196 * @brief Access control check for retrieving an extended attribute 4197 * @param cred Subject credential 4198 * @param vp Object vnode 4199 * @param label Policy label for vp 4200 * @param name Extended attribute name 4201 * @param uio I/O structure pointer 4202 * 4203 * Determine whether the subject identified by the credential can retrieve 4204 * the extended attribute from the passed vnode. The uio parameter 4205 * will be NULL when the getxattr(2) call has been made with a NULL data 4206 * value; this is done to request the size of the data only. 4207 * 4208 * @return Return 0 if access is granted, otherwise an appropriate value for 4209 * errno should be returned. Suggested failure: EACCES for label mismatch or 4210 * EPERM for lack of privilege. 4211 */ 4212 typedef int mpo_vnode_check_getextattr_t( 4213 kauth_cred_t cred, 4214 struct vnode *vp, 4215 struct label *label, /* NULLOK */ 4216 const char *name, 4217 struct uio *uio /* NULLOK */ 4218 ); 4219 /** 4220 * @brief Access control check for ioctl 4221 * @param cred Subject credential 4222 * @param vp Object vnode 4223 * @param label Policy label for vp 4224 * @param cmd Device-dependent request code; see ioctl(2) 4225 * 4226 * Determine whether the subject identified by the credential can perform 4227 * the ioctl operation indicated by com. 4228 * 4229 * @warning Since ioctl data is opaque from the standpoint of the MAC 4230 * framework, and since ioctls can affect many aspects of system 4231 * operation, policies must exercise extreme care when implementing 4232 * access control checks. 4233 * 4234 * @return Return 0 if access is granted, otherwise an appropriate value for 4235 * errno should be returned. 4236 */ 4237 typedef int mpo_vnode_check_ioctl_t( 4238 kauth_cred_t cred, 4239 struct vnode *vp, 4240 struct label *label, 4241 unsigned long cmd 4242 ); 4243 /** 4244 * @brief Access control check for vnode kqfilter 4245 * @param active_cred Subject credential 4246 * @param kn Object knote 4247 * @param vp Object vnode 4248 * @param label Policy label for vp 4249 * 4250 * Determine whether the subject identified by the credential can 4251 * receive the knote on the passed vnode. 4252 * 4253 * @return Return 0 if access if granted, otherwise an appropriate 4254 * value for errno should be returned. 4255 */ 4256 typedef int mpo_vnode_check_kqfilter_t( 4257 kauth_cred_t active_cred, 4258 kauth_cred_t file_cred, /* NULLOK */ 4259 struct knote *kn, 4260 struct vnode *vp, 4261 struct label *label 4262 ); 4263 /** 4264 * @brief Access control check for relabel 4265 * @param cred Subject credential 4266 * @param vp Object vnode 4267 * @param vnodelabel Existing policy label for vp 4268 * @param newlabel Policy label update to later be applied to vp 4269 * @see mpo_relable_vnode_t 4270 * 4271 * Determine whether the subject identified by the credential can relabel 4272 * the passed vnode to the passed label update. If all policies permit 4273 * the label change, the actual relabel entry point (mpo_vnode_label_update) 4274 * will follow. 4275 * 4276 * @return Return 0 if access is granted, otherwise an appropriate value for 4277 * errno should be returned. 4278 */ 4279 typedef int mpo_vnode_check_label_update_t( 4280 struct ucred *cred, 4281 struct vnode *vp, 4282 struct label *vnodelabel, 4283 struct label *newlabel 4284 ); 4285 /** 4286 * @brief Access control check for creating link 4287 * @param cred Subject credential 4288 * @param dvp Directory vnode 4289 * @param dlabel Policy label associated with dvp 4290 * @param vp Link destination vnode 4291 * @param label Policy label associated with vp 4292 * @param cnp Component name for the link being created 4293 * 4294 * Determine whether the subject identified by the credential should be 4295 * allowed to create a link to the vnode vp with the name specified by cnp. 4296 * 4297 * @return Return 0 if access is granted, otherwise an appropriate value for 4298 * errno should be returned. 4299 */ 4300 typedef int mpo_vnode_check_link_t( 4301 kauth_cred_t cred, 4302 struct vnode *dvp, 4303 struct label *dlabel, 4304 struct vnode *vp, 4305 struct label *label, 4306 struct componentname *cnp 4307 ); 4308 /** 4309 * @brief Access control check for listing extended attributes 4310 * @param cred Subject credential 4311 * @param vp Object vnode 4312 * @param vlabel Policy label associated with vp 4313 * 4314 * Determine whether the subject identified by the credential can retrieve 4315 * a list of named extended attributes from a vnode. 4316 * 4317 * @return Return 0 if access is granted, otherwise an appropriate value for 4318 * errno should be returned. 4319 */ 4320 typedef int mpo_vnode_check_listextattr_t( 4321 kauth_cred_t cred, 4322 struct vnode *vp, 4323 struct label *vlabel 4324 ); 4325 /** 4326 * @brief Access control check for lookup 4327 * @param cred Subject credential 4328 * @param dvp Directory vnode 4329 * @param dlabel Policy label for dvp 4330 * @param path Path being looked up 4331 * @param pathlen Length of path in bytes 4332 * 4333 * Determine whether the subject identified by the credential can perform 4334 * a lookup of the passed path relative to the passed directory vnode. 4335 * 4336 * @return Return 0 if access is granted, otherwise an appropriate value for 4337 * errno should be returned. Suggested failure: EACCES for label mismatch or 4338 * EPERM for lack of privilege. 4339 * 4340 * @note The path may contain untrusted input. If approved, lookup proceeds 4341 * on the path; if a component is found to be a symlink then this hook is 4342 * called again with the updated path. 4343 */ 4344 typedef int mpo_vnode_check_lookup_preflight_t( 4345 kauth_cred_t cred, 4346 struct vnode *dvp, 4347 struct label *dlabel, 4348 const char *path, 4349 size_t pathlen 4350 ); 4351 /** 4352 * @brief Access control check for lookup 4353 * @param cred Subject credential 4354 * @param dvp Object vnode 4355 * @param dlabel Policy label for dvp 4356 * @param cnp Component name being looked up 4357 * 4358 * Determine whether the subject identified by the credential can perform 4359 * a lookup in the passed directory vnode for the passed name (cnp). 4360 * 4361 * @return Return 0 if access is granted, otherwise an appropriate value for 4362 * errno should be returned. Suggested failure: EACCES for label mismatch or 4363 * EPERM for lack of privilege. 4364 */ 4365 typedef int mpo_vnode_check_lookup_t( 4366 kauth_cred_t cred, 4367 struct vnode *dvp, 4368 struct label *dlabel, 4369 struct componentname *cnp 4370 ); 4371 /** 4372 * @brief Access control check for open 4373 * @param cred Subject credential 4374 * @param vp Object vnode 4375 * @param label Policy label associated with vp 4376 * @param acc_mode open(2) access mode 4377 * 4378 * Determine whether the subject identified by the credential can perform 4379 * an open operation on the passed vnode with the passed access mode. 4380 * 4381 * @return Return 0 if access is granted, otherwise an appropriate value for 4382 * errno should be returned. Suggested failure: EACCES for label mismatch or 4383 * EPERM for lack of privilege. 4384 */ 4385 typedef int mpo_vnode_check_open_t( 4386 kauth_cred_t cred, 4387 struct vnode *vp, 4388 struct label *label, 4389 int acc_mode 4390 ); 4391 /** 4392 * @brief Access control check for read 4393 * @param active_cred Subject credential 4394 * @param file_cred Credential associated with the struct fileproc 4395 * @param vp Object vnode 4396 * @param label Policy label for vp 4397 * 4398 * Determine whether the subject identified by the credential can perform 4399 * a read operation on the passed vnode. The active_cred hold the credentials 4400 * of the subject performing the operation, and file_cred holds the 4401 * credentials of the subject that originally opened the file. 4402 * 4403 * @return Return 0 if access is granted, otherwise an appropriate value for 4404 * errno should be returned. Suggested failure: EACCES for label mismatch or 4405 * EPERM for lack of privilege. 4406 */ 4407 typedef int mpo_vnode_check_read_t( 4408 kauth_cred_t active_cred, /* SUBJECT */ 4409 kauth_cred_t file_cred, /* NULLOK */ 4410 struct vnode *vp, /* OBJECT */ 4411 struct label *label /* LABEL */ 4412 ); 4413 /** 4414 * @brief Access control check for read directory 4415 * @param cred Subject credential 4416 * @param dvp Object directory vnode 4417 * @param dlabel Policy label for dvp 4418 * 4419 * Determine whether the subject identified by the credential can 4420 * perform a readdir operation on the passed directory vnode. 4421 * 4422 * @return Return 0 if access is granted, otherwise an appropriate value for 4423 * errno should be returned. Suggested failure: EACCES for label mismatch or 4424 * EPERM for lack of privilege. 4425 */ 4426 typedef int mpo_vnode_check_readdir_t( 4427 kauth_cred_t cred, /* SUBJECT */ 4428 struct vnode *dvp, /* OBJECT */ 4429 struct label *dlabel /* LABEL */ 4430 ); 4431 /** 4432 * @brief Access control check for read link 4433 * @param cred Subject credential 4434 * @param vp Object vnode 4435 * @param label Policy label for vp 4436 * 4437 * Determine whether the subject identified by the credential can perform 4438 * a readlink operation on the passed symlink vnode. This call can be made 4439 * in a number of situations, including an explicit readlink call by the 4440 * user process, or as a result of an implicit readlink during a name 4441 * lookup by the process. 4442 * 4443 * @return Return 0 if access is granted, otherwise an appropriate value for 4444 * errno should be returned. Suggested failure: EACCES for label mismatch or 4445 * EPERM for lack of privilege. 4446 */ 4447 typedef int mpo_vnode_check_readlink_t( 4448 kauth_cred_t cred, 4449 struct vnode *vp, 4450 struct label *label 4451 ); 4452 /** 4453 * @brief Access control check for rename 4454 * @param cred Subject credential 4455 * @param dvp Directory vnode 4456 * @param dlabel Policy label associated with dvp 4457 * @param vp vnode to be renamed 4458 * @param label Policy label associated with vp 4459 * @param cnp Component name for vp 4460 * @param tdvp Destination directory vnode 4461 * @param tdlabel Policy label associated with tdvp 4462 * @param tvp Overwritten vnode 4463 * @param tlabel Policy label associated with tvp 4464 * @param tcnp Destination component name 4465 * 4466 * Determine whether the subject identified by the credential should be allowed 4467 * to rename the vnode vp to something else. 4468 * 4469 * @return Return 0 if access is granted, otherwise an appropriate value for 4470 * errno should be returned. 4471 */ 4472 typedef int mpo_vnode_check_rename_t( 4473 kauth_cred_t cred, 4474 struct vnode *dvp, 4475 struct label *dlabel, 4476 struct vnode *vp, 4477 struct label *label, 4478 struct componentname *cnp, 4479 struct vnode *tdvp, 4480 struct label *tdlabel, 4481 struct vnode *tvp, 4482 struct label *tlabel, 4483 struct componentname *tcnp 4484 ); 4485 /** 4486 * @brief Access control check for rename from 4487 * @param cred Subject credential 4488 * @param dvp Directory vnode 4489 * @param dlabel Policy label associated with dvp 4490 * @param vp vnode to be renamed 4491 * @param label Policy label associated with vp 4492 * @param cnp Component name for vp 4493 * @see mpo_vnode_check_rename_t 4494 * @see mpo_vnode_check_rename_to_t 4495 * 4496 * Determine whether the subject identified by the credential should be 4497 * allowed to rename the vnode vp to something else. 4498 * 4499 * Due to VFS locking constraints (to make sure proper vnode locks are 4500 * held during this entry point), the vnode relabel checks had to be 4501 * split into two parts: relabel_from and relabel to. 4502 * 4503 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead. 4504 * 4505 * @return Return 0 if access is granted, otherwise an appropriate value for 4506 * errno should be returned. 4507 */ 4508 typedef int mpo_vnode_check_rename_from_t( 4509 kauth_cred_t cred, 4510 struct vnode *dvp, 4511 struct label *dlabel, 4512 struct vnode *vp, 4513 struct label *label, 4514 struct componentname *cnp 4515 ); 4516 /** 4517 * @brief Access control check for rename to 4518 * @param cred Subject credential 4519 * @param dvp Directory vnode 4520 * @param dlabel Policy label associated with dvp 4521 * @param vp Overwritten vnode 4522 * @param label Policy label associated with vp 4523 * @param samedir Boolean; 1 if the source and destination directories are the same 4524 * @param cnp Destination component name 4525 * @see mpo_vnode_check_rename_t 4526 * @see mpo_vnode_check_rename_from_t 4527 * 4528 * Determine whether the subject identified by the credential should be 4529 * allowed to rename to the vnode vp, into the directory dvp, or to the 4530 * name represented by cnp. If there is no existing file to overwrite, 4531 * vp and label will be NULL. 4532 * 4533 * Due to VFS locking constraints (to make sure proper vnode locks are 4534 * held during this entry point), the vnode relabel checks had to be 4535 * split into two parts: relabel_from and relabel to. 4536 * 4537 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead. 4538 * 4539 * @return Return 0 if access is granted, otherwise an appropriate value for 4540 * errno should be returned. 4541 */ 4542 typedef int mpo_vnode_check_rename_to_t( 4543 kauth_cred_t cred, 4544 struct vnode *dvp, 4545 struct label *dlabel, 4546 struct vnode *vp, /* NULLOK */ 4547 struct label *label, /* NULLOK */ 4548 int samedir, 4549 struct componentname *cnp 4550 ); 4551 /** 4552 * @brief Access control check for revoke 4553 * @param cred Subject credential 4554 * @param vp Object vnode 4555 * @param label Policy label for vp 4556 * 4557 * Determine whether the subject identified by the credential can revoke 4558 * access to the passed vnode. 4559 * 4560 * @return Return 0 if access is granted, otherwise an appropriate value for 4561 * errno should be returned. Suggested failure: EACCES for label mismatch or 4562 * EPERM for lack of privilege. 4563 */ 4564 typedef int mpo_vnode_check_revoke_t( 4565 kauth_cred_t cred, 4566 struct vnode *vp, 4567 struct label *label 4568 ); 4569 /** 4570 * @brief Access control check for searchfs 4571 * @param cred Subject credential 4572 * @param vp Object vnode 4573 * @param vlabel Policy label for vp 4574 * @param returnattrs List of attributes to be returned 4575 * @param searchattrs List of attributes used as search criteria 4576 * 4577 * Determine whether the subject identified by the credential can search the 4578 * vnode using the searchfs system call. 4579 * 4580 * @return Return 0 if access is granted, otherwise an appropriate value for 4581 * errno should be returned. 4582 */ 4583 typedef int mpo_vnode_check_searchfs_t( 4584 kauth_cred_t cred, 4585 struct vnode *vp, 4586 struct label *vlabel, 4587 struct attrlist *returnattrs, 4588 struct attrlist *searchattrs 4589 ); 4590 /** 4591 * @brief Access control check for select 4592 * @param cred Subject credential 4593 * @param vp Object vnode 4594 * @param label Policy label for vp 4595 * @param which The operation selected on: FREAD or FWRITE 4596 * 4597 * Determine whether the subject identified by the credential can select 4598 * the vnode. 4599 * 4600 * @return Return 0 if access is granted, otherwise an appropriate value for 4601 * errno should be returned. 4602 */ 4603 typedef int mpo_vnode_check_select_t( 4604 kauth_cred_t cred, 4605 struct vnode *vp, 4606 struct label *label, 4607 int which 4608 ); 4609 /** 4610 * @brief Access control check for setting ACL 4611 * @param cred Subject credential 4612 * @param vp Object node 4613 * @param label Policy label for vp 4614 * @param acl ACL structure pointer 4615 * 4616 * Determine whether the subject identified by the credential can set an ACL 4617 * on the specified vnode. The ACL pointer will be NULL when removing an ACL. 4618 * 4619 * @return Return 0 if access is granted, otherwise an appropriate value for 4620 * errno should be returned. Suggested failure: EACCES for label mismatch or 4621 * EPERM for lack of privilege. 4622 */ 4623 typedef int mpo_vnode_check_setacl_t( 4624 kauth_cred_t cred, 4625 struct vnode *vp, 4626 struct label *label, 4627 struct kauth_acl *acl 4628 ); 4629 /** 4630 * @brief Access control check for setting file attributes 4631 * @param cred Subject credential 4632 * @param vp Object vnode 4633 * @param vlabel Policy label for vp 4634 * @param alist List of attributes to set 4635 * 4636 * Determine whether the subject identified by the credential can set 4637 * various attributes of the specified vnode, or the filesystem or volume on 4638 * which that vnode resides. See <sys/attr.h> for definitions of the 4639 * attributes. 4640 * 4641 * @return Return 0 if access is granted, otherwise an appropriate value for 4642 * errno should be returned. Suggested failure: EACCES for label mismatch or 4643 * EPERM for lack of privilege. Access control covers all attributes requested 4644 * with this call. 4645 */ 4646 typedef int mpo_vnode_check_setattrlist_t( 4647 kauth_cred_t cred, 4648 struct vnode *vp, 4649 struct label *vlabel, 4650 struct attrlist *alist 4651 ); 4652 /** 4653 * @brief Access control check for setting extended attribute 4654 * @param cred Subject credential 4655 * @param vp Object vnode 4656 * @param label Policy label for vp 4657 * @param name Extended attribute name 4658 * @param uio I/O structure pointer 4659 * 4660 * Determine whether the subject identified by the credential can set the 4661 * extended attribute of passed name and passed namespace on the passed 4662 * vnode. Policies implementing security labels backed into extended 4663 * attributes may want to provide additional protections for those 4664 * attributes. Additionally, policies should avoid making decisions based 4665 * on the data referenced from uio, as there is a potential race condition 4666 * between this check and the actual operation. The uio may also be NULL 4667 * if a delete operation is being performed. 4668 * 4669 * @return Return 0 if access is granted, otherwise an appropriate value for 4670 * errno should be returned. Suggested failure: EACCES for label mismatch or 4671 * EPERM for lack of privilege. 4672 */ 4673 typedef int mpo_vnode_check_setextattr_t( 4674 kauth_cred_t cred, 4675 struct vnode *vp, 4676 struct label *label, 4677 const char *name, 4678 struct uio *uio 4679 ); 4680 /** 4681 * @brief Access control check for setting flags 4682 * @param cred Subject credential 4683 * @param vp Object vnode 4684 * @param label Policy label for vp 4685 * @param flags File flags; see chflags(2) 4686 * 4687 * Determine whether the subject identified by the credential can set 4688 * the passed flags on the passed vnode. 4689 * 4690 * @return Return 0 if access is granted, otherwise an appropriate value for 4691 * errno should be returned. Suggested failure: EACCES for label mismatch or 4692 * EPERM for lack of privilege. 4693 */ 4694 typedef int mpo_vnode_check_setflags_t( 4695 kauth_cred_t cred, 4696 struct vnode *vp, 4697 struct label *label, 4698 u_long flags 4699 ); 4700 /** 4701 * @brief Access control check for setting mode 4702 * @param cred Subject credential 4703 * @param vp Object vnode 4704 * @param label Policy label for vp 4705 * @param mode File mode; see chmod(2) 4706 * 4707 * Determine whether the subject identified by the credential can set 4708 * the passed mode on the passed vnode. 4709 * 4710 * @return Return 0 if access is granted, otherwise an appropriate value for 4711 * errno should be returned. Suggested failure: EACCES for label mismatch or 4712 * EPERM for lack of privilege. 4713 */ 4714 typedef int mpo_vnode_check_setmode_t( 4715 kauth_cred_t cred, 4716 struct vnode *vp, 4717 struct label *label, 4718 mode_t mode 4719 ); 4720 /** 4721 * @brief Access control check for setting uid and gid 4722 * @param cred Subject credential 4723 * @param vp Object vnode 4724 * @param label Policy label for vp 4725 * @param uid User ID 4726 * @param gid Group ID 4727 * 4728 * Determine whether the subject identified by the credential can set 4729 * the passed uid and passed gid as file uid and file gid on the passed 4730 * vnode. The IDs may be set to (-1) to request no update. 4731 * 4732 * @return Return 0 if access is granted, otherwise an appropriate value for 4733 * errno should be returned. Suggested failure: EACCES for label mismatch or 4734 * EPERM for lack of privilege. 4735 */ 4736 typedef int mpo_vnode_check_setowner_t( 4737 kauth_cred_t cred, 4738 struct vnode *vp, 4739 struct label *label, 4740 uid_t uid, 4741 gid_t gid 4742 ); 4743 /** 4744 * @brief Access control check for setting timestamps 4745 * @param cred Subject credential 4746 * @param vp Object vnode 4747 * @param label Policy label for vp 4748 * @param atime Access time; see utimes(2) 4749 * @param mtime Modification time; see utimes(2) 4750 * 4751 * Determine whether the subject identified by the credential can set 4752 * the passed access timestamps on the passed vnode. 4753 * 4754 * @return Return 0 if access is granted, otherwise an appropriate value for 4755 * errno should be returned. Suggested failure: EACCES for label mismatch or 4756 * EPERM for lack of privilege. 4757 */ 4758 typedef int mpo_vnode_check_setutimes_t( 4759 kauth_cred_t cred, 4760 struct vnode *vp, 4761 struct label *label, 4762 struct timespec atime, 4763 struct timespec mtime 4764 ); 4765 /** 4766 * @brief Access control check after determining the code directory hash 4767 * @param vp vnode vnode to combine into proc 4768 * @param label label associated with the vnode 4769 * @param cpu_type cpu type of the signature being checked 4770 * @param cs_blob the code signature to check 4771 * @param cs_flags update code signing flags if needed 4772 * @param signer_type output parameter for the code signature's signer type 4773 * @param flags operational flag to mpo_vnode_check_signature 4774 * @param platform platform of the signature being checked 4775 * @param fatal_failure_desc description of fatal failure 4776 * @param fatal_failure_desc_len failure description len, failure is fatal if non-0 4777 * 4778 * @return Return 0 if access is granted, otherwise an appropriate value for 4779 * errno should be returned. 4780 */ 4781 typedef int mpo_vnode_check_signature_t( 4782 struct vnode *vp, 4783 struct label *label, 4784 cpu_type_t cpu_type, 4785 struct cs_blob *cs_blob, 4786 unsigned int *cs_flags, 4787 unsigned int *signer_type, 4788 int flags, 4789 unsigned int platform, 4790 char **fatal_failure_desc, size_t *fatal_failure_desc_len 4791 ); 4792 4793 /** 4794 * @brief Access control check for supplemental signature attachement 4795 * @param vp the vnode to which the signature will be attached 4796 * @param label label associated with the vnode 4797 * @param cs_blob the code signature to check 4798 * @param linked_vp vnode to which this new vp is related 4799 * @param linked_cs_blob the code signature of the linked vnode 4800 * @param signer_type output parameter for the signer type of the code signature being checked. 4801 * 4802 * @return Return 0 if access is granted, otherwise an appropriate value for 4803 * errno should be returned. 4804 */ 4805 typedef int mpo_vnode_check_supplemental_signature_t( 4806 struct vnode *vp, 4807 struct label *label, 4808 struct cs_blob *cs_blob, 4809 struct vnode *linked_vp, 4810 struct cs_blob *linked_cs_blob, 4811 unsigned int *signer_type 4812 ); 4813 4814 /** 4815 * @brief Access control check for stat 4816 * @param active_cred Subject credential 4817 * @param file_cred Credential associated with the struct fileproc 4818 * @param vp Object vnode 4819 * @param label Policy label for vp 4820 * 4821 * Determine whether the subject identified by the credential can stat 4822 * the passed vnode. See stat(2) for more information. The active_cred 4823 * hold the credentials of the subject performing the operation, and 4824 * file_cred holds the credentials of the subject that originally 4825 * opened the file. 4826 * 4827 * @return Return 0 if access is granted, otherwise an appropriate value for 4828 * errno should be returned. Suggested failure: EACCES for label mismatch or 4829 * EPERM for lack of privilege. 4830 */ 4831 typedef int mpo_vnode_check_stat_t( 4832 struct ucred *active_cred, 4833 struct ucred *file_cred, /* NULLOK */ 4834 struct vnode *vp, 4835 struct label *label 4836 ); 4837 /** 4838 * @brief Access control check for vnode trigger resolution 4839 * @param cred Subject credential 4840 * @param dvp Object vnode 4841 * @param dlabel Policy label for dvp 4842 * @param cnp Component name that triggered resolution 4843 * 4844 * Determine whether the subject identified by the credential can trigger 4845 * resolution of the passed name (cnp) in the passed directory vnode 4846 * via an external trigger resolver. 4847 * 4848 * @return Return 0 if access is granted, otherwise an appropriate value for 4849 * errno should be returned. Suggested failure: EACCES for label mismatch or 4850 * EPERM for lack of privilege. 4851 */ 4852 typedef int mpo_vnode_check_trigger_resolve_t( 4853 kauth_cred_t cred, 4854 struct vnode *dvp, 4855 struct label *dlabel, 4856 struct componentname *cnp 4857 ); 4858 /** 4859 * @brief Access control check for truncate/ftruncate 4860 * @param active_cred Subject credential 4861 * @param file_cred Credential associated with the struct fileproc 4862 * @param vp Object vnode 4863 * @param label Policy label for vp 4864 * 4865 * Determine whether the subject identified by the credential can 4866 * perform a truncate operation on the passed vnode. The active_cred hold 4867 * the credentials of the subject performing the operation, and 4868 * file_cred holds the credentials of the subject that originally 4869 * opened the file. 4870 * 4871 * @return Return 0 if access is granted, otherwise an appropriate value for 4872 * errno should be returned. Suggested failure: EACCES for label mismatch or 4873 * EPERM for lack of privilege. 4874 */ 4875 typedef int mpo_vnode_check_truncate_t( 4876 kauth_cred_t active_cred, 4877 kauth_cred_t file_cred, /* NULLOK */ 4878 struct vnode *vp, 4879 struct label *label 4880 ); 4881 /** 4882 * @brief Access control check for binding UNIX domain socket 4883 * @param cred Subject credential 4884 * @param dvp Directory vnode 4885 * @param dlabel Policy label for dvp 4886 * @param cnp Component name for dvp 4887 * @param vap vnode attributes for vap 4888 * 4889 * Determine whether the subject identified by the credential can perform a 4890 * bind operation on a UNIX domain socket with the passed parent directory, 4891 * passed name information, and passed attribute information. 4892 * 4893 * @return Return 0 if access is granted, otherwise an appropriate value for 4894 * errno should be returned. Suggested failure: EACCES for label mismatch or 4895 * EPERM for lack of privilege. 4896 */ 4897 typedef int mpo_vnode_check_uipc_bind_t( 4898 kauth_cred_t cred, 4899 struct vnode *dvp, 4900 struct label *dlabel, 4901 struct componentname *cnp, 4902 struct vnode_attr *vap 4903 ); 4904 /** 4905 * @brief Access control check for connecting UNIX domain socket 4906 * @param cred Subject credential 4907 * @param vp Object vnode 4908 * @param label Policy label associated with vp 4909 * @param so Socket 4910 * 4911 * Determine whether the subject identified by the credential can perform a 4912 * connect operation on the passed UNIX domain socket vnode. 4913 * 4914 * @return Return 0 if access is granted, otherwise an appropriate value for 4915 * errno should be returned. Suggested failure: EACCES for label mismatch or 4916 * EPERM for lack of privilege. 4917 */ 4918 typedef int mpo_vnode_check_uipc_connect_t( 4919 kauth_cred_t cred, 4920 struct vnode *vp, 4921 struct label *label, 4922 socket_t so 4923 ); 4924 /** 4925 * @brief Access control check for deleting vnode 4926 * @param cred Subject credential 4927 * @param dvp Parent directory vnode 4928 * @param dlabel Policy label for dvp 4929 * @param vp Object vnode to delete 4930 * @param label Policy label for vp 4931 * @param cnp Component name for vp 4932 * @see mpo_check_rename_to_t 4933 * 4934 * Determine whether the subject identified by the credential can delete 4935 * a vnode from the passed parent directory and passed name information. 4936 * This call may be made in a number of situations, including as a 4937 * results of calls to unlink(2) and rmdir(2). Policies implementing 4938 * this entry point should also implement mpo_check_rename_to to 4939 * authorize deletion of objects as a result of being the target of a rename. 4940 * 4941 * @return Return 0 if access is granted, otherwise an appropriate value for 4942 * errno should be returned. Suggested failure: EACCES for label mismatch or 4943 * EPERM for lack of privilege. 4944 */ 4945 typedef int mpo_vnode_check_unlink_t( 4946 kauth_cred_t cred, 4947 struct vnode *dvp, 4948 struct label *dlabel, 4949 struct vnode *vp, 4950 struct label *label, 4951 struct componentname *cnp 4952 ); 4953 /** 4954 * @brief Access control check for write 4955 * @param active_cred Subject credential 4956 * @param file_cred Credential associated with the struct fileproc 4957 * @param vp Object vnode 4958 * @param label Policy label for vp 4959 * 4960 * Determine whether the subject identified by the credential can 4961 * perform a write operation on the passed vnode. The active_cred hold 4962 * the credentials of the subject performing the operation, and 4963 * file_cred holds the credentials of the subject that originally 4964 * opened the file. 4965 * 4966 * @return Return 0 if access is granted, otherwise an appropriate value for 4967 * errno should be returned. Suggested failure: EACCES for label mismatch or 4968 * EPERM for lack of privilege. 4969 */ 4970 typedef int mpo_vnode_check_write_t( 4971 kauth_cred_t active_cred, 4972 kauth_cred_t file_cred, /* NULLOK */ 4973 struct vnode *vp, 4974 struct label *label 4975 ); 4976 /** 4977 * @brief Access control check for copyfile 4978 * @param cred Subject credential 4979 * @param dvp Vnode of directory to create the copy in 4980 * @param dlabel Policy label associated with dvp 4981 * @param tvp Vnode of the file at the target path that will be unlinked to 4982 * make room for the copy being created, if file exists 4983 * @param tlabel Policy label associated with tvp 4984 * @param fvp Vnode of the file to copy from 4985 * @param flabel Policy label associated with fvp 4986 * @param cnp Component name for the copy being created 4987 * @param mode Corresponds to mode argument to the copyfile syscall 4988 * @param flags Corresponds to flags argument to the copyfile syscall 4989 * 4990 * Determine whether the subject identified by the credential should be 4991 * allowed to create a copy of the vnode fvp with the name specified by cnp. 4992 * 4993 * @return Return 0 if access is granted, otherwise an appropriate value for 4994 * errno should be returned. 4995 */ 4996 typedef int mpo_vnode_check_copyfile_t( 4997 kauth_cred_t cred, 4998 struct vnode *dvp, 4999 struct label *dlabel, 5000 struct vnode *tvp, /* NULLOK */ 5001 struct label *tlabel, /* NULLOK */ 5002 struct vnode *fvp, 5003 struct label *flabel, 5004 struct componentname *cnp, 5005 mode_t mode, 5006 int flags 5007 ); 5008 /** 5009 * @brief Associate a vnode with a devfs entry 5010 * @param mp Devfs mount point 5011 * @param mntlabel Devfs mount point label 5012 * @param de Devfs directory entry 5013 * @param delabel Label associated with de 5014 * @param vp vnode associated with de 5015 * @param vlabel Label associated with vp 5016 * 5017 * Fill in the label (vlabel) for a newly created devfs vnode. The 5018 * label is typically derived from the label on the devfs directory 5019 * entry or the label on the filesystem, supplied as parameters. 5020 */ 5021 typedef void mpo_vnode_label_associate_devfs_t( 5022 struct mount *mp, 5023 struct label *mntlabel, 5024 struct devnode *de, 5025 struct label *delabel, 5026 struct vnode *vp, 5027 struct label *vlabel 5028 ); 5029 /** 5030 * @brief Associate a label with a vnode 5031 * @param mp File system mount point 5032 * @param mntlabel File system mount point label 5033 * @param vp Vnode to label 5034 * @param vlabel Label associated with vp 5035 * 5036 * Attempt to retrieve label information for the vnode, vp, from the 5037 * file system extended attribute store. The label should be stored in 5038 * the supplied vlabel parameter. If a policy cannot retrieve an 5039 * extended attribute, sometimes it is acceptible to fallback to using 5040 * the mntlabel. 5041 * 5042 * If the policy requires vnodes to have a valid label elsewhere it 5043 * MUST NOT return other than temporary errors, and must always provide 5044 * a valid label of some sort. Returning an error will cause vnode 5045 * labeling to be retried at a later access. Failure to handle policy 5046 * centric errors internally (corrupt labels etc.) will result in 5047 * inaccessible files. 5048 * 5049 * @return In the event of an error, an appropriate value for errno 5050 * should be returned, otherwise return 0 upon success. 5051 */ 5052 typedef int mpo_vnode_label_associate_extattr_t( 5053 struct mount *mp, 5054 struct label *mntlabel, 5055 struct vnode *vp, 5056 struct label *vlabel 5057 ); 5058 /** 5059 * @brief Associate a file label with a vnode 5060 * @param cred User credential 5061 * @param mp Fdesc mount point 5062 * @param mntlabel Fdesc mount point label 5063 * @param fg Fileglob structure 5064 * @param label Policy label for fg 5065 * @param vp Vnode to label 5066 * @param vlabel Label associated with vp 5067 * 5068 * Associate label information for the vnode, vp, with the label of 5069 * the open file descriptor described by fg. 5070 * The label should be stored in the supplied vlabel parameter. 5071 */ 5072 typedef void mpo_vnode_label_associate_file_t( 5073 struct ucred *cred, 5074 struct mount *mp, 5075 struct label *mntlabel, 5076 struct fileglob *fg, 5077 struct label *label, 5078 struct vnode *vp, 5079 struct label *vlabel 5080 ); 5081 /** 5082 * @brief Associate a pipe label with a vnode 5083 * @param cred User credential for the process that opened the pipe 5084 * @param cpipe Pipe structure 5085 * @param pipelabel Label associated with pipe 5086 * @param vp Vnode to label 5087 * @param vlabel Label associated with vp 5088 * 5089 * Associate label information for the vnode, vp, with the label of 5090 * the pipe described by the pipe structure cpipe. 5091 * The label should be stored in the supplied vlabel parameter. 5092 */ 5093 typedef void mpo_vnode_label_associate_pipe_t( 5094 struct ucred *cred, 5095 struct pipe *cpipe, 5096 struct label *pipelabel, 5097 struct vnode *vp, 5098 struct label *vlabel 5099 ); 5100 /** 5101 * @brief Associate a POSIX semaphore label with a vnode 5102 * @param cred User credential for the process that create psem 5103 * @param psem POSIX semaphore structure 5104 * @param psemlabel Label associated with psem 5105 * @param vp Vnode to label 5106 * @param vlabel Label associated with vp 5107 * 5108 * Associate label information for the vnode, vp, with the label of 5109 * the POSIX semaphore described by psem. 5110 * The label should be stored in the supplied vlabel parameter. 5111 */ 5112 typedef void mpo_vnode_label_associate_posixsem_t( 5113 struct ucred *cred, 5114 struct pseminfo *psem, 5115 struct label *psemlabel, 5116 struct vnode *vp, 5117 struct label *vlabel 5118 ); 5119 /** 5120 * @brief Associate a POSIX shared memory label with a vnode 5121 * @param cred User credential for the process that created pshm 5122 * @param pshm POSIX shared memory structure 5123 * @param pshmlabel Label associated with pshm 5124 * @param vp Vnode to label 5125 * @param vlabel Label associated with vp 5126 * 5127 * Associate label information for the vnode, vp, with the label of 5128 * the POSIX shared memory region described by pshm. 5129 * The label should be stored in the supplied vlabel parameter. 5130 */ 5131 typedef void mpo_vnode_label_associate_posixshm_t( 5132 struct ucred *cred, 5133 struct pshminfo *pshm, 5134 struct label *pshmlabel, 5135 struct vnode *vp, 5136 struct label *vlabel 5137 ); 5138 /** 5139 * @brief Associate a label with a vnode 5140 * @param mp File system mount point 5141 * @param mntlabel File system mount point label 5142 * @param vp Vnode to label 5143 * @param vlabel Label associated with vp 5144 * 5145 * On non-multilabel file systems, set the label for a vnode. The 5146 * label will most likely be based on the file system label. 5147 */ 5148 typedef void mpo_vnode_label_associate_singlelabel_t( 5149 struct mount *mp, 5150 struct label *mntlabel, 5151 struct vnode *vp, 5152 struct label *vlabel 5153 ); 5154 /** 5155 * @brief Associate a socket label with a vnode 5156 * @param cred User credential for the process that opened the socket 5157 * @param so Socket structure 5158 * @param solabel Label associated with so 5159 * @param vp Vnode to label 5160 * @param vlabel Label associated with vp 5161 * 5162 * Associate label information for the vnode, vp, with the label of 5163 * the open socket described by the socket structure so. 5164 * The label should be stored in the supplied vlabel parameter. 5165 */ 5166 typedef void mpo_vnode_label_associate_socket_t( 5167 kauth_cred_t cred, 5168 socket_t so, 5169 struct label *solabel, 5170 struct vnode *vp, 5171 struct label *vlabel 5172 ); 5173 /** 5174 * @brief Copy a vnode label 5175 * @param src Source vnode label 5176 * @param dest Destination vnode label 5177 * 5178 * Copy the vnode label information from src to dest. On Darwin, this 5179 * is currently only necessary when executing interpreted scripts, but 5180 * will later be used if vnode label externalization cannot be an 5181 * atomic operation. 5182 */ 5183 typedef void mpo_vnode_label_copy_t( 5184 struct label *src, 5185 struct label *dest 5186 ); 5187 /** 5188 * @brief Destroy vnode label 5189 * @param label The label to be destroyed 5190 * 5191 * Destroy a vnode label. Since the object is going out of scope, 5192 * policy modules should free any internal storage associated with the 5193 * label so that it may be destroyed. 5194 */ 5195 typedef void mpo_vnode_label_destroy_t( 5196 struct label *label 5197 ); 5198 /** 5199 * @brief Externalize a vnode label for auditing 5200 * @param label Label to be externalized 5201 * @param element_name Name of the label namespace for which labels should be 5202 * externalized 5203 * @param sb String buffer to be filled with a text representation of the label 5204 * 5205 * Produce an external representation of the label on a vnode suitable for 5206 * inclusion in an audit record. An externalized label consists of a text 5207 * representation of the label contents that will be added to the audit record 5208 * as part of a text token. Policy-agnostic user space tools will display 5209 * this externalized version. 5210 * 5211 * @return 0 on success, return non-zero if an error occurs while 5212 * externalizing the label data. 5213 * 5214 */ 5215 typedef int mpo_vnode_label_externalize_audit_t( 5216 struct label *label, 5217 char *element_name, 5218 struct sbuf *sb 5219 ); 5220 /** 5221 * @brief Externalize a vnode label 5222 * @param label Label to be externalized 5223 * @param element_name Name of the label namespace for which labels should be 5224 * externalized 5225 * @param sb String buffer to be filled with a text representation of the label 5226 * 5227 * Produce an external representation of the label on a vnode. An 5228 * externalized label consists of a text representation of the label 5229 * contents that can be used with user applications. Policy-agnostic 5230 * user space tools will display this externalized version. 5231 * 5232 * @return 0 on success, return non-zero if an error occurs while 5233 * externalizing the label data. 5234 * 5235 */ 5236 typedef int mpo_vnode_label_externalize_t( 5237 struct label *label, 5238 char *element_name, 5239 struct sbuf *sb 5240 ); 5241 /** 5242 * @brief Initialize vnode label 5243 * @param label New label to initialize 5244 * 5245 * Initialize label storage for use with a newly instantiated vnode, or 5246 * for temporary storage associated with the copying in or out of a 5247 * vnode label. While it is necessary to allocate space for a 5248 * kernel-resident vnode label, it is not yet necessary to link this vnode 5249 * with persistent label storage facilities, such as extended attributes. 5250 * Sleeping is permitted. 5251 */ 5252 typedef void mpo_vnode_label_init_t( 5253 struct label *label 5254 ); 5255 /** 5256 * @brief Internalize a vnode label 5257 * @param label Label to be internalized 5258 * @param element_name Name of the label namespace for which the label should 5259 * be internalized 5260 * @param element_data Text data to be internalized 5261 * 5262 * Produce a vnode label from an external representation. An 5263 * externalized label consists of a text representation of the label 5264 * contents that can be used with user applications. Policy-agnostic 5265 * user space tools will forward text version to the kernel for 5266 * processing by individual policy modules. 5267 * 5268 * The policy's internalize entry points will be called only if the 5269 * policy has registered interest in the label namespace. 5270 * 5271 * @return 0 on success, Otherwise, return non-zero if an error occurs 5272 * while internalizing the label data. 5273 */ 5274 typedef int mpo_vnode_label_internalize_t( 5275 struct label *label, 5276 char *element_name, 5277 char *element_data 5278 ); 5279 /** 5280 * @brief Clean up a vnode label 5281 * @param label The label to be cleaned or purged 5282 * 5283 * Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but 5284 * typically never frees them. Before vnodes are placed back on free lists for 5285 * re-use, policies can cleanup or overwrite any information present in the label, 5286 * or free any internal resources used for the label. 5287 */ 5288 typedef void mpo_vnode_label_recycle_t( 5289 struct label *label 5290 ); 5291 /** 5292 * @brief Write a label to a extended attribute 5293 * @param cred Subject credential 5294 * @param vp The vnode for which the label is being stored 5295 * @param vlabel Label associated with vp 5296 * @param intlabel The new label to store 5297 * 5298 * Store a new label in the extended attribute corresponding to the 5299 * supplied vnode. The policy has already authorized the operation; 5300 * this call must be implemented in order to perform the actual 5301 * operation. 5302 * 5303 * @return In the event of an error, an appropriate value for errno 5304 * should be returned, otherwise return 0 upon success. 5305 * 5306 * @warning XXX After examining the extended attribute implementation on 5307 * Apple's future release, this entry point may be changed. 5308 */ 5309 typedef int mpo_vnode_label_store_t( 5310 kauth_cred_t cred, 5311 struct vnode *vp, 5312 struct label *vlabel, 5313 struct label *intlabel 5314 ); 5315 /** 5316 * @brief Update vnode label from extended attributes 5317 * @param mp File system mount point 5318 * @param mntlabel Mount point label 5319 * @param vp Vnode to label 5320 * @param vlabel Label associated with vp 5321 * @param name Name of the xattr 5322 * @see mpo_vnode_check_setextattr_t 5323 * 5324 * When an extended attribute is updated via the Vendor attribute management 5325 * functions, the MAC vnode label might also require an update. 5326 * Policies should first determine if 'name' matches their xattr label 5327 * name. If it does, the kernel is has either replaced or removed the 5328 * named extended attribute that was previously associated with the 5329 * vnode. Normally labels should only be modified via MAC Framework label 5330 * management calls, but sometimes the user space components will directly 5331 * modify extended attributes. For example, 'cp', 'tar', etc. manage 5332 * extended attributes in userspace, not the kernel. 5333 * 5334 * This entry point is called after the label update has occurred, so 5335 * it cannot return a failure. However, the operation is preceded by 5336 * the mpo_vnode_check_setextattr() access control check. 5337 * 5338 * If the vnode label needs to be updated the policy should return 5339 * a non-zero value. The vnode label will be marked for re-association 5340 * by the framework. 5341 */ 5342 typedef int mpo_vnode_label_update_extattr_t( 5343 struct mount *mp, 5344 struct label *mntlabel, 5345 struct vnode *vp, 5346 struct label *vlabel, 5347 const char *name 5348 ); 5349 /** 5350 * @brief Update a vnode label 5351 * @param cred Subject credential 5352 * @param vp The vnode to relabel 5353 * @param vnodelabel Existing vnode label 5354 * @param label New label to replace existing label 5355 * @see mpo_vnode_check_label_update_t 5356 * 5357 * The subject identified by the credential has previously requested 5358 * and was authorized to relabel the vnode; this entry point allows 5359 * policies to perform the actual relabel operation. Policies should 5360 * update vnodelabel using the label stored in the label parameter. 5361 */ 5362 typedef void mpo_vnode_label_update_t( 5363 kauth_cred_t cred, 5364 struct vnode *vp, 5365 struct label *vnodelabel, 5366 struct label *label 5367 ); 5368 /** 5369 * @brief Find deatched signatures for a shared library 5370 * @param p file trying to find the signature 5371 * @param vp The vnode to relabel 5372 * @param offset offset in the Mach-O that the signature is requested for (for fat binaries) 5373 * @param label Existing vnode label 5374 * 5375 */ 5376 typedef int mpo_vnode_find_sigs_t( 5377 struct proc *p, 5378 struct vnode *vp, 5379 off_t offset, 5380 struct label *label 5381 ); 5382 /** 5383 * @brief Create a new vnode, backed by extended attributes 5384 * @param cred User credential for the creating process 5385 * @param mp File system mount point 5386 * @param mntlabel File system mount point label 5387 * @param dvp Parent directory vnode 5388 * @param dlabel Parent directory vnode label 5389 * @param vp Newly created vnode 5390 * @param vlabel Label to associate with the new vnode 5391 * @param cnp Component name for vp 5392 * 5393 * Write out the label for the newly created vnode, most likely storing 5394 * the results in a file system extended attribute. Most policies will 5395 * derive the new vnode label using information from a combination 5396 * of the subject (user) credential, the file system label, the parent 5397 * directory label, and potentially the path name component. 5398 * 5399 * @return If the operation succeeds, store the new label in vlabel and 5400 * return 0. Otherwise, return an appropriate errno value. 5401 */ 5402 typedef int mpo_vnode_notify_create_t( 5403 kauth_cred_t cred, 5404 struct mount *mp, 5405 struct label *mntlabel, 5406 struct vnode *dvp, 5407 struct label *dlabel, 5408 struct vnode *vp, 5409 struct label *vlabel, 5410 struct componentname *cnp 5411 ); 5412 5413 /** 5414 * @brief Inform MAC policies that a vnode has been opened 5415 * @param cred User credential for the creating process 5416 * @param vp vnode opened 5417 * @param label Policy label for the vp 5418 * @param acc_mode open(2) access mode used 5419 * 5420 * Inform Mac policies that a vnode have been successfully opened 5421 * (passing all MAC polices and DAC). 5422 */ 5423 typedef void mpo_vnode_notify_open_t( 5424 kauth_cred_t cred, 5425 struct vnode *vp, 5426 struct label *label, 5427 int acc_mode 5428 ); 5429 5430 /** 5431 * @brief Inform MAC policies that a vnode has been renamed 5432 * @param cred User credential for the renaming process 5433 * @param vp Vnode that's being renamed 5434 * @param label Policy label for vp 5435 * @param dvp Parent directory for the destination 5436 * @param dlabel Policy label for dvp 5437 * @param cnp Component name for the destination 5438 * 5439 * Inform MAC policies that a vnode has been renamed. 5440 */ 5441 typedef void mpo_vnode_notify_rename_t( 5442 kauth_cred_t cred, 5443 struct vnode *vp, 5444 struct label *label, 5445 struct vnode *dvp, 5446 struct label *dlabel, 5447 struct componentname *cnp 5448 ); 5449 5450 /** 5451 * @brief Inform MAC policies that two vnodes were atomically swapped. 5452 * @param cred User credential for the renaming process 5453 * @param v1 vnode 1 to swap 5454 * @param vl1 Policy label for v1 5455 * @param v2 vnode 2 to swap 5456 * @param vl2 Policy label for v2 5457 * 5458 * Inform MAC policies that two vnodes were atomically swapped. 5459 * NOTE: If a policy implements this notify hook, then this hook will be 5460 * called instead of two calls to the vnode_notify_rename hook (one for each 5461 * member of the swap). 5462 */ 5463 typedef void mpo_vnode_notify_swap_t( 5464 kauth_cred_t cred, 5465 struct vnode *v1, 5466 struct label *vl1, 5467 struct vnode *v2, 5468 struct label *vl2 5469 ); 5470 5471 /** 5472 * @brief Inform MAC policies that a vnode has been linked 5473 * @param cred User credential for the renaming process 5474 * @param dvp Parent directory for the destination 5475 * @param dlabel Policy label for dvp 5476 * @param vp Vnode that's being linked 5477 * @param vlabel Policy label for vp 5478 * @param cnp Component name for the destination 5479 * 5480 * Inform MAC policies that a vnode has been linked. 5481 */ 5482 typedef void mpo_vnode_notify_link_t( 5483 kauth_cred_t cred, 5484 struct vnode *dvp, 5485 struct label *dlabel, 5486 struct vnode *vp, 5487 struct label *vlabel, 5488 struct componentname *cnp 5489 ); 5490 5491 /** 5492 * @brief Inform MAC policies that an extended attribute has been removed from a vnode 5493 * @param cred Subject credential 5494 * @param vp Object node 5495 * @param label Policy label for vp 5496 * @param name Extended attribute name 5497 * 5498 * Inform MAC policies that an extended attribute has been removed from a vnode. 5499 */ 5500 typedef void mpo_vnode_notify_deleteextattr_t( 5501 kauth_cred_t cred, 5502 struct vnode *vp, 5503 struct label *label, 5504 const char *name 5505 ); 5506 5507 5508 /** 5509 * @brief Inform MAC policies that an ACL has been set on a vnode 5510 * @param cred Subject credential 5511 * @param vp Object node 5512 * @param label Policy label for vp 5513 * @param acl ACL structure pointer 5514 * 5515 * Inform MAC policies that an ACL has been set on a vnode. 5516 */ 5517 typedef void mpo_vnode_notify_setacl_t( 5518 kauth_cred_t cred, 5519 struct vnode *vp, 5520 struct label *label, 5521 struct kauth_acl *acl 5522 ); 5523 5524 /** 5525 * @brief Inform MAC policies that an attributes have been set on a vnode 5526 * @param cred Subject credential 5527 * @param vp Object vnode 5528 * @param label Policy label for vp 5529 * @param alist List of attributes to set 5530 * 5531 * Inform MAC policies that an attributes have been set on a vnode. 5532 */ 5533 typedef void mpo_vnode_notify_setattrlist_t( 5534 kauth_cred_t cred, 5535 struct vnode *vp, 5536 struct label *label, 5537 struct attrlist *alist 5538 ); 5539 5540 /** 5541 * @brief Inform MAC policies that an extended attribute has been set on a vnode 5542 * @param cred Subject credential 5543 * @param vp Object vnode 5544 * @param label Policy label for vp 5545 * @param name Extended attribute name 5546 * @param uio I/O structure pointer 5547 * 5548 * Inform MAC policies that an extended attribute has been set on a vnode. 5549 */ 5550 typedef void mpo_vnode_notify_setextattr_t( 5551 kauth_cred_t cred, 5552 struct vnode *vp, 5553 struct label *label, 5554 const char *name, 5555 struct uio *uio 5556 ); 5557 5558 /** 5559 * @brief Inform MAC policies that flags have been set on a vnode 5560 * @param cred Subject credential 5561 * @param vp Object vnode 5562 * @param label Policy label for vp 5563 * @param flags File flags; see chflags(2) 5564 * 5565 * Inform MAC policies that flags have been set on a vnode. 5566 */ 5567 typedef void mpo_vnode_notify_setflags_t( 5568 kauth_cred_t cred, 5569 struct vnode *vp, 5570 struct label *label, 5571 u_long flags 5572 ); 5573 5574 /** 5575 * @brief Inform MAC policies that a new mode has been set on a vnode 5576 * @param cred Subject credential 5577 * @param vp Object vnode 5578 * @param label Policy label for vp 5579 * @param mode File mode; see chmod(2) 5580 * 5581 * Inform MAC policies that a new mode has been set on a vnode. 5582 */ 5583 typedef void mpo_vnode_notify_setmode_t( 5584 kauth_cred_t cred, 5585 struct vnode *vp, 5586 struct label *label, 5587 mode_t mode 5588 ); 5589 5590 /** 5591 * @brief Inform MAC policies that new uid/gid have been set on a vnode 5592 * @param cred Subject credential 5593 * @param vp Object vnode 5594 * @param label Policy label for vp 5595 * @param uid User ID 5596 * @param gid Group ID 5597 * 5598 * Inform MAC policies that new uid/gid have been set on a vnode. 5599 */ 5600 typedef void mpo_vnode_notify_setowner_t( 5601 kauth_cred_t cred, 5602 struct vnode *vp, 5603 struct label *label, 5604 uid_t uid, 5605 gid_t gid 5606 ); 5607 5608 /** 5609 * @brief Inform MAC policies that new timestamps have been set on a vnode 5610 * @param cred Subject credential 5611 * @param vp Object vnode 5612 * @param label Policy label for vp 5613 * @param atime Access time; see utimes(2) 5614 * @param mtime Modification time; see utimes(2) 5615 * 5616 * Inform MAC policies that new timestamps have been set on a vnode. 5617 */ 5618 typedef void mpo_vnode_notify_setutimes_t( 5619 kauth_cred_t cred, 5620 struct vnode *vp, 5621 struct label *label, 5622 struct timespec atime, 5623 struct timespec mtime 5624 ); 5625 5626 /** 5627 * @brief Inform MAC policies that a vnode has been truncated 5628 * @param cred Subject credential 5629 * @param file_cred Credential associated with the struct fileproc 5630 * @param vp Object vnode 5631 * @param label Policy label for vp 5632 * 5633 * Inform MAC policies that a vnode has been truncated. 5634 */ 5635 typedef void mpo_vnode_notify_truncate_t( 5636 kauth_cred_t cred, 5637 kauth_cred_t file_cred, 5638 struct vnode *vp, 5639 struct label *label 5640 ); 5641 5642 5643 /** 5644 * @brief Inform MAC policies that a pty slave has been granted 5645 * @param p Responsible process 5646 * @param tp tty data structure 5647 * @param dev Major and minor numbers of device 5648 * @param label Policy label for tp 5649 * 5650 * Inform MAC policies that a pty slave has been granted. 5651 */ 5652 typedef void mpo_pty_notify_grant_t( 5653 proc_t p, 5654 struct tty *tp, 5655 dev_t dev, 5656 struct label *label 5657 ); 5658 5659 /** 5660 * @brief Inform MAC policies that a pty master has been closed 5661 * @param p Responsible process 5662 * @param tp tty data structure 5663 * @param dev Major and minor numbers of device 5664 * @param label Policy label for tp 5665 * 5666 * Inform MAC policies that a pty master has been closed. 5667 */ 5668 typedef void mpo_pty_notify_close_t( 5669 proc_t p, 5670 struct tty *tp, 5671 dev_t dev, 5672 struct label *label 5673 ); 5674 5675 /** 5676 * @brief Access control check for kext loading 5677 * @param cred Subject credential 5678 * @param identifier Kext identifier 5679 * 5680 * Determine whether the subject identified by the credential can load the 5681 * specified kext. 5682 * 5683 * @return Return 0 if access is granted, otherwise an appropriate value for 5684 * errno should be returned. Suggested failure: EPERM for lack of privilege. 5685 */ 5686 typedef int mpo_kext_check_load_t( 5687 kauth_cred_t cred, 5688 const char *identifier 5689 ); 5690 5691 /** 5692 * @brief Access control check for kext unloading 5693 * @param cred Subject credential 5694 * @param identifier Kext identifier 5695 * 5696 * Determine whether the subject identified by the credential can unload the 5697 * specified kext. 5698 * 5699 * @return Return 0 if access is granted, otherwise an appropriate value for 5700 * errno should be returned. Suggested failure: EPERM for lack of privilege. 5701 */ 5702 typedef int mpo_kext_check_unload_t( 5703 kauth_cred_t cred, 5704 const char *identifier 5705 ); 5706 5707 /** 5708 * @brief Access control check for querying information about loaded kexts 5709 * @param cred Subject credential 5710 * 5711 * Determine whether the subject identified by the credential can query 5712 * information about loaded kexts. 5713 * 5714 * @return Return 0 if access is granted, otherwise an appropriate value for 5715 * errno should be returned. Suggested failure: EPERM for lack of privilege. 5716 */ 5717 typedef int mpo_kext_check_query_t( 5718 kauth_cred_t cred 5719 ); 5720 5721 /** 5722 * @brief Inform MAC policies that a vnode is being reclaimed 5723 * @param vp Object vnode 5724 * 5725 * Any external accounting tracking this vnode must consider it to be no longer valid. 5726 */ 5727 typedef void mpo_vnode_notify_reclaim_t( 5728 struct vnode *vp 5729 ); 5730 5731 /** 5732 * @brief Inform MAC policies that a vnode has been deleted 5733 * @param cred Subject credential 5734 * @param dvp Parent directory vnode 5735 * @param dlabel Policy label for dvp 5736 * @param vp Object vnode to delete 5737 * @param label Policy label for vp 5738 * @param cnp Component name for vp 5739 * 5740 * Inform Mac policies that a vnode have been successfully deleted 5741 * (passing all MAC polices and DAC). 5742 */ 5743 typedef void mpo_vnode_notify_unlink_t( 5744 kauth_cred_t cred, 5745 struct vnode *dvp, 5746 struct label *dlabel, 5747 struct vnode *vp, 5748 struct label *label, 5749 struct componentname *cnp 5750 ); 5751 5752 /* 5753 * Placeholder for future events that may need mac hooks. 5754 */ 5755 typedef void mpo_reserved_hook_t(void); 5756 5757 /* 5758 * Policy module operations. 5759 * 5760 * Please note that this should be kept in sync with the check assumptions 5761 * policy in bsd/kern/policy_check.c (policy_ops struct). 5762 */ 5763 #define MAC_POLICY_OPS_VERSION 84 /* inc when new reserved slots are taken */ 5764 struct mac_policy_ops { 5765 mpo_audit_check_postselect_t *mpo_audit_check_postselect; 5766 mpo_audit_check_preselect_t *mpo_audit_check_preselect; 5767 5768 mpo_reserved_hook_t *mpo_reserved01; 5769 mpo_reserved_hook_t *mpo_reserved02; 5770 mpo_reserved_hook_t *mpo_reserved03; 5771 mpo_reserved_hook_t *mpo_reserved04; 5772 5773 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; 5774 mpo_cred_check_label_update_t *mpo_cred_check_label_update; 5775 mpo_cred_check_visible_t *mpo_cred_check_visible; 5776 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork; 5777 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel; 5778 mpo_cred_label_associate_t *mpo_cred_label_associate; 5779 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user; 5780 mpo_cred_label_destroy_t *mpo_cred_label_destroy; 5781 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit; 5782 mpo_cred_label_externalize_t *mpo_cred_label_externalize; 5783 mpo_cred_label_init_t *mpo_cred_label_init; 5784 mpo_cred_label_internalize_t *mpo_cred_label_internalize; 5785 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve; 5786 mpo_cred_label_update_t *mpo_cred_label_update; 5787 5788 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device; 5789 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory; 5790 mpo_devfs_label_copy_t *mpo_devfs_label_copy; 5791 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; 5792 mpo_devfs_label_init_t *mpo_devfs_label_init; 5793 mpo_devfs_label_update_t *mpo_devfs_label_update; 5794 5795 mpo_file_check_change_offset_t *mpo_file_check_change_offset; 5796 mpo_file_check_create_t *mpo_file_check_create; 5797 mpo_file_check_dup_t *mpo_file_check_dup; 5798 mpo_file_check_fcntl_t *mpo_file_check_fcntl; 5799 mpo_file_check_get_offset_t *mpo_file_check_get_offset; 5800 mpo_file_check_get_t *mpo_file_check_get; 5801 mpo_file_check_inherit_t *mpo_file_check_inherit; 5802 mpo_file_check_ioctl_t *mpo_file_check_ioctl; 5803 mpo_file_check_lock_t *mpo_file_check_lock; 5804 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade; 5805 mpo_file_check_mmap_t *mpo_file_check_mmap; 5806 mpo_file_check_receive_t *mpo_file_check_receive; 5807 mpo_file_check_set_t *mpo_file_check_set; 5808 mpo_file_label_init_t *mpo_file_label_init; /* deprecated not called anymore */ 5809 mpo_file_label_destroy_t *mpo_file_label_destroy; /* deprecated not called anymore */ 5810 mpo_file_label_associate_t *mpo_file_label_associate; /* deprecated not called anymore */ 5811 mpo_file_notify_close_t *mpo_file_notify_close; 5812 mpo_proc_check_launch_constraints_t *mpo_proc_check_launch_constraints; 5813 mpo_proc_notify_service_port_derive_t *mpo_proc_notify_service_port_derive; 5814 5815 mpo_reserved_hook_t *mpo_reserved08; 5816 mpo_reserved_hook_t *mpo_reserved09; 5817 mpo_reserved_hook_t *mpo_reserved10; 5818 mpo_reserved_hook_t *mpo_reserved11; 5819 mpo_reserved_hook_t *mpo_reserved12; 5820 mpo_reserved_hook_t *mpo_reserved13; 5821 mpo_reserved_hook_t *mpo_reserved14; 5822 mpo_reserved_hook_t *mpo_reserved15; 5823 mpo_reserved_hook_t *mpo_reserved16; 5824 mpo_reserved_hook_t *mpo_reserved17; 5825 mpo_reserved_hook_t *mpo_reserved18; 5826 mpo_reserved_hook_t *mpo_reserved19; 5827 mpo_reserved_hook_t *mpo_reserved20; 5828 mpo_reserved_hook_t *mpo_reserved21; 5829 mpo_reserved_hook_t *mpo_reserved22; 5830 mpo_reserved_hook_t *mpo_reserved23; 5831 mpo_reserved_hook_t *mpo_reserved24; 5832 5833 mpo_necp_check_open_t *mpo_necp_check_open; 5834 mpo_necp_check_client_action_t *mpo_necp_check_client_action; 5835 5836 mpo_file_check_library_validation_t *mpo_file_check_library_validation; 5837 5838 mpo_vnode_notify_setacl_t *mpo_vnode_notify_setacl; 5839 mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist; 5840 mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr; 5841 mpo_vnode_notify_setflags_t *mpo_vnode_notify_setflags; 5842 mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode; 5843 mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner; 5844 mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes; 5845 mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate; 5846 mpo_vnode_check_getattrlistbulk_t *mpo_vnode_check_getattrlistbulk; 5847 5848 mpo_proc_check_get_task_special_port_t *mpo_proc_check_get_task_special_port; 5849 mpo_proc_check_set_task_special_port_t *mpo_proc_check_set_task_special_port; 5850 5851 mpo_vnode_notify_swap_t *mpo_vnode_notify_swap; 5852 mpo_vnode_notify_unlink_t *mpo_vnode_notify_unlink; 5853 mpo_reserved_hook_t *mpo_reserved32; 5854 mpo_reserved_hook_t *mpo_reserved33; 5855 mpo_reserved_hook_t *mpo_reserved34; 5856 mpo_reserved_hook_t *mpo_reserved35; 5857 mpo_vnode_check_copyfile_t *mpo_vnode_check_copyfile; 5858 5859 mpo_mount_check_quotactl_t *mpo_mount_check_quotactl; 5860 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl; 5861 mpo_mount_check_getattr_t *mpo_mount_check_getattr; 5862 mpo_mount_check_label_update_t *mpo_mount_check_label_update; 5863 mpo_mount_check_mount_t *mpo_mount_check_mount; 5864 mpo_mount_check_remount_t *mpo_mount_check_remount; 5865 mpo_mount_check_setattr_t *mpo_mount_check_setattr; 5866 mpo_mount_check_stat_t *mpo_mount_check_stat; 5867 mpo_mount_check_umount_t *mpo_mount_check_umount; 5868 mpo_mount_label_associate_t *mpo_mount_label_associate; 5869 mpo_mount_label_destroy_t *mpo_mount_label_destroy; 5870 mpo_mount_label_externalize_t *mpo_mount_label_externalize; 5871 mpo_mount_label_init_t *mpo_mount_label_init; 5872 mpo_mount_label_internalize_t *mpo_mount_label_internalize; 5873 5874 mpo_proc_check_expose_task_with_flavor_t *mpo_proc_check_expose_task_with_flavor; 5875 mpo_proc_check_get_task_with_flavor_t *mpo_proc_check_get_task_with_flavor; 5876 mpo_proc_check_task_id_token_get_task_t *mpo_proc_check_task_id_token_get_task; 5877 5878 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; 5879 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; 5880 mpo_reserved_hook_t *mpo_reserved41; 5881 mpo_pipe_check_read_t *mpo_pipe_check_read; 5882 mpo_pipe_check_select_t *mpo_pipe_check_select; 5883 mpo_pipe_check_stat_t *mpo_pipe_check_stat; 5884 mpo_pipe_check_write_t *mpo_pipe_check_write; 5885 mpo_pipe_label_associate_t *mpo_pipe_label_associate; 5886 mpo_reserved_hook_t *mpo_reserved42; 5887 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy; 5888 mpo_reserved_hook_t *mpo_reserved43; 5889 mpo_pipe_label_init_t *mpo_pipe_label_init; 5890 mpo_reserved_hook_t *mpo_reserved44; 5891 mpo_proc_check_syscall_mac_t *mpo_proc_check_syscall_mac; 5892 5893 mpo_policy_destroy_t *mpo_policy_destroy; 5894 mpo_policy_init_t *mpo_policy_init; 5895 mpo_policy_initbsd_t *mpo_policy_initbsd; 5896 mpo_policy_syscall_t *mpo_policy_syscall; 5897 5898 mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname; 5899 mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports; 5900 mpo_vnode_check_rename_t *mpo_vnode_check_rename; 5901 mpo_kext_check_query_t *mpo_kext_check_query; 5902 mpo_proc_notify_exec_complete_t *mpo_proc_notify_exec_complete; 5903 mpo_proc_notify_cs_invalidated_t *mpo_proc_notify_cs_invalidated; 5904 mpo_proc_check_syscall_unix_t *mpo_proc_check_syscall_unix; 5905 mpo_reserved_hook_t *mpo_reserved45; 5906 mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port; 5907 mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port; 5908 mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send; 5909 mpo_exc_action_label_associate_t *mpo_exc_action_label_associate; 5910 mpo_exc_action_label_populate_t *mpo_exc_action_label_populate; 5911 mpo_exc_action_label_destroy_t *mpo_exc_action_label_destroy; 5912 mpo_exc_action_label_init_t *mpo_exc_action_label_init; 5913 mpo_exc_action_label_update_t *mpo_exc_action_label_update; 5914 5915 mpo_vnode_check_trigger_resolve_t *mpo_vnode_check_trigger_resolve; 5916 mpo_mount_check_mount_late_t *mpo_mount_check_mount_late; 5917 mpo_mount_check_snapshot_mount_t *mpo_mount_check_snapshot_mount; 5918 mpo_vnode_notify_reclaim_t *mpo_vnode_notify_reclaim; 5919 mpo_skywalk_flow_check_connect_t *mpo_skywalk_flow_check_connect; 5920 mpo_skywalk_flow_check_listen_t *mpo_skywalk_flow_check_listen; 5921 5922 mpo_posixsem_check_create_t *mpo_posixsem_check_create; 5923 mpo_posixsem_check_open_t *mpo_posixsem_check_open; 5924 mpo_posixsem_check_post_t *mpo_posixsem_check_post; 5925 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink; 5926 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait; 5927 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate; 5928 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy; 5929 mpo_posixsem_label_init_t *mpo_posixsem_label_init; 5930 mpo_posixshm_check_create_t *mpo_posixshm_check_create; 5931 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap; 5932 mpo_posixshm_check_open_t *mpo_posixshm_check_open; 5933 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat; 5934 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate; 5935 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink; 5936 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate; 5937 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy; 5938 mpo_posixshm_label_init_t *mpo_posixshm_label_init; 5939 5940 mpo_proc_check_debug_t *mpo_proc_check_debug; 5941 mpo_proc_check_fork_t *mpo_proc_check_fork; 5942 mpo_reserved_hook_t *mpo_reserved61; 5943 mpo_reserved_hook_t *mpo_reserved62; 5944 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; 5945 mpo_proc_check_getauid_t *mpo_proc_check_getauid; 5946 mpo_reserved_hook_t *mpo_reserved63; 5947 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; 5948 mpo_proc_check_sched_t *mpo_proc_check_sched; 5949 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; 5950 mpo_proc_check_setauid_t *mpo_proc_check_setauid; 5951 mpo_reserved_hook_t *mpo_reserved64; 5952 mpo_proc_check_signal_t *mpo_proc_check_signal; 5953 mpo_proc_check_wait_t *mpo_proc_check_wait; 5954 mpo_proc_check_dump_core_t *mpo_proc_check_dump_core; 5955 mpo_proc_check_remote_thread_create_t *mpo_proc_check_remote_thread_create; 5956 5957 mpo_socket_check_accept_t *mpo_socket_check_accept; 5958 mpo_socket_check_accepted_t *mpo_socket_check_accepted; 5959 mpo_socket_check_bind_t *mpo_socket_check_bind; 5960 mpo_socket_check_connect_t *mpo_socket_check_connect; 5961 mpo_socket_check_create_t *mpo_socket_check_create; 5962 mpo_reserved_hook_t *mpo_reserved46; 5963 mpo_reserved_hook_t *mpo_reserved47; 5964 mpo_reserved_hook_t *mpo_reserved48; 5965 mpo_socket_check_listen_t *mpo_socket_check_listen; 5966 mpo_socket_check_receive_t *mpo_socket_check_receive; 5967 mpo_socket_check_received_t *mpo_socket_check_received; 5968 mpo_reserved_hook_t *mpo_reserved49; 5969 mpo_socket_check_send_t *mpo_socket_check_send; 5970 mpo_socket_check_stat_t *mpo_socket_check_stat; 5971 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt; 5972 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt; 5973 5974 mpo_proc_check_get_movable_control_port_t *mpo_proc_check_get_movable_control_port; 5975 mpo_proc_check_dyld_process_info_notify_register_t *mpo_proc_check_dyld_process_info_notify_register; 5976 mpo_proc_check_setuid_t *mpo_proc_check_setuid; 5977 mpo_proc_check_seteuid_t *mpo_proc_check_seteuid; 5978 mpo_proc_check_setreuid_t *mpo_proc_check_setreuid; 5979 mpo_proc_check_setgid_t *mpo_proc_check_setgid; 5980 mpo_proc_check_setegid_t *mpo_proc_check_setegid; 5981 mpo_proc_check_setregid_t *mpo_proc_check_setregid; 5982 mpo_proc_check_settid_t *mpo_proc_check_settid; 5983 mpo_proc_check_memorystatus_control_t *mpo_proc_check_memorystatus_control; 5984 mpo_reserved_hook_t *mpo_reserved60; 5985 5986 mpo_thread_telemetry_t *mpo_thread_telemetry; 5987 5988 mpo_iokit_check_open_service_t *mpo_iokit_check_open_service; 5989 5990 mpo_system_check_acct_t *mpo_system_check_acct; 5991 mpo_system_check_audit_t *mpo_system_check_audit; 5992 mpo_system_check_auditctl_t *mpo_system_check_auditctl; 5993 mpo_system_check_auditon_t *mpo_system_check_auditon; 5994 mpo_system_check_host_priv_t *mpo_system_check_host_priv; 5995 mpo_system_check_nfsd_t *mpo_system_check_nfsd; 5996 mpo_system_check_reboot_t *mpo_system_check_reboot; 5997 mpo_system_check_settime_t *mpo_system_check_settime; 5998 mpo_system_check_swapoff_t *mpo_system_check_swapoff; 5999 mpo_system_check_swapon_t *mpo_system_check_swapon; 6000 mpo_socket_check_ioctl_t *mpo_socket_check_ioctl; 6001 6002 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate; 6003 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy; 6004 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init; 6005 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle; 6006 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue; 6007 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv; 6008 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid; 6009 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl; 6010 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget; 6011 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv; 6012 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd; 6013 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate; 6014 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy; 6015 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init; 6016 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle; 6017 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl; 6018 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget; 6019 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop; 6020 mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate; 6021 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy; 6022 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init; 6023 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle; 6024 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat; 6025 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl; 6026 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt; 6027 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget; 6028 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate; 6029 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy; 6030 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init; 6031 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle; 6032 6033 mpo_proc_notify_exit_t *mpo_proc_notify_exit; 6034 mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert; 6035 mpo_vnode_check_getattr_t *mpo_vnode_check_getattr; 6036 mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create; 6037 mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete; 6038 mpo_vnode_check_clone_t *mpo_vnode_check_clone; 6039 mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info; 6040 mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info; 6041 6042 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control; 6043 6044 mpo_vnode_check_access_t *mpo_vnode_check_access; 6045 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; 6046 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; 6047 mpo_vnode_check_create_t *mpo_vnode_check_create; 6048 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr; 6049 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata; 6050 mpo_vnode_check_exec_t *mpo_vnode_check_exec; 6051 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist; 6052 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr; 6053 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl; 6054 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter; 6055 mpo_vnode_check_label_update_t *mpo_vnode_check_label_update; 6056 mpo_vnode_check_link_t *mpo_vnode_check_link; 6057 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; 6058 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; 6059 mpo_vnode_check_open_t *mpo_vnode_check_open; 6060 mpo_vnode_check_read_t *mpo_vnode_check_read; 6061 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; 6062 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink; 6063 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from; 6064 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to; 6065 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke; 6066 mpo_vnode_check_select_t *mpo_vnode_check_select; 6067 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist; 6068 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr; 6069 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags; 6070 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode; 6071 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; 6072 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; 6073 mpo_vnode_check_stat_t *mpo_vnode_check_stat; 6074 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; 6075 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink; 6076 mpo_vnode_check_write_t *mpo_vnode_check_write; 6077 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs; 6078 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr; 6079 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file; 6080 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe; 6081 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem; 6082 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm; 6083 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel; 6084 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket; 6085 mpo_vnode_label_copy_t *mpo_vnode_label_copy; 6086 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy; 6087 mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit; 6088 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize; 6089 mpo_vnode_label_init_t *mpo_vnode_label_init; 6090 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize; 6091 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle; 6092 mpo_vnode_label_store_t *mpo_vnode_label_store; 6093 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr; 6094 mpo_vnode_label_update_t *mpo_vnode_label_update; 6095 mpo_vnode_notify_create_t *mpo_vnode_notify_create; 6096 mpo_vnode_check_signature_t *mpo_vnode_check_signature; 6097 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind; 6098 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect; 6099 6100 mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid; 6101 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume; 6102 6103 mpo_thread_userret_t *mpo_thread_userret; 6104 6105 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties; 6106 6107 mpo_vnode_check_supplemental_signature_t *mpo_vnode_check_supplemental_signature; 6108 6109 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs; 6110 6111 mpo_priv_check_t *mpo_priv_check; 6112 mpo_priv_grant_t *mpo_priv_grant; 6113 6114 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon; 6115 6116 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath; 6117 6118 mpo_iokit_check_open_t *mpo_iokit_check_open; 6119 6120 mpo_proc_check_ledger_t *mpo_proc_check_ledger; 6121 6122 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename; 6123 6124 mpo_vnode_check_setacl_t *mpo_vnode_check_setacl; 6125 6126 mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr; 6127 6128 mpo_system_check_kas_info_t *mpo_system_check_kas_info; 6129 6130 mpo_vnode_check_lookup_preflight_t *mpo_vnode_check_lookup_preflight; 6131 6132 mpo_vnode_notify_open_t *mpo_vnode_notify_open; 6133 6134 mpo_system_check_info_t *mpo_system_check_info; 6135 6136 mpo_pty_notify_grant_t *mpo_pty_notify_grant; 6137 mpo_pty_notify_close_t *mpo_pty_notify_close; 6138 6139 mpo_vnode_find_sigs_t *mpo_vnode_find_sigs; 6140 6141 mpo_kext_check_load_t *mpo_kext_check_load; 6142 mpo_kext_check_unload_t *mpo_kext_check_unload; 6143 6144 mpo_proc_check_proc_info_t *mpo_proc_check_proc_info; 6145 mpo_vnode_notify_link_t *mpo_vnode_notify_link; 6146 mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties; 6147 mpo_iokit_check_get_property_t *mpo_iokit_check_get_property; 6148 }; 6149 6150 /** 6151 * @brief MAC policy handle type 6152 * 6153 * The MAC handle is used to uniquely identify a loaded policy within 6154 * the MAC Framework. 6155 * 6156 * A variable of this type is set by mac_policy_register(). 6157 */ 6158 typedef unsigned int mac_policy_handle_t; 6159 6160 #define mpc_t struct mac_policy_conf * 6161 6162 /** 6163 * @brief Mac policy configuration 6164 * 6165 * This structure specifies the configuration information for a 6166 * MAC policy module. A policy module developer must supply 6167 * a short unique policy name, a more descriptive full name, a list of label 6168 * namespaces and count, a pointer to the registered enty point operations, 6169 * any load time flags, and optionally, a pointer to a label slot identifier. 6170 * 6171 * The Framework will update the runtime flags (mpc_runtime_flags) to 6172 * indicate that the module has been registered. 6173 * 6174 * If the label slot identifier (mpc_field_off) is NULL, the Framework 6175 * will not provide label storage for the policy. Otherwise, the 6176 * Framework will store the label location (slot) in this field. 6177 * 6178 * The mpc_list field is used by the Framework and should not be 6179 * modified by policies. 6180 */ 6181 /* XXX - reorder these for better alignment on 64bit platforms */ 6182 struct mac_policy_conf { 6183 const char *mpc_name; /** policy name */ 6184 const char *mpc_fullname; /** full name */ 6185 char const * const *mpc_labelnames; /** managed label namespaces */ 6186 unsigned int mpc_labelname_count; /** number of managed label namespaces */ 6187 const struct mac_policy_ops *mpc_ops; /** operation vector */ 6188 int mpc_loadtime_flags; /** load time flags */ 6189 int *mpc_field_off; /** label slot */ 6190 int mpc_runtime_flags; /** run time flags */ 6191 mpc_t mpc_list; /** List reference */ 6192 void *mpc_data; /** module data */ 6193 }; 6194 6195 /** 6196 * @brief MAC policy module registration routine 6197 * 6198 * This function is called to register a policy with the 6199 * MAC framework. A policy module will typically call this from the 6200 * Darwin KEXT registration routine. 6201 */ 6202 int mac_policy_register(struct mac_policy_conf *mpc, 6203 mac_policy_handle_t *handlep, void *xd); 6204 6205 /** 6206 * @brief MAC policy module de-registration routine 6207 * 6208 * This function is called to de-register a policy with the 6209 * MAC framework. A policy module will typically call this from the 6210 * Darwin KEXT de-registration routine. 6211 */ 6212 int mac_policy_unregister(mac_policy_handle_t handle); 6213 6214 /* 6215 * Framework entry points for the policies to add audit data. 6216 */ 6217 int mac_audit_text(char *text, mac_policy_handle_t handle); 6218 6219 /* 6220 * Calls to assist with use of Apple XATTRs within policy modules. 6221 */ 6222 int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t); 6223 int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t, 6224 size_t *); 6225 int mac_vnop_removexattr(struct vnode *, const char *); 6226 6227 /** 6228 * @brief Set an extended attribute on a vnode-based fileglob. 6229 * @param fg fileglob representing file to attach the extended attribute 6230 * @param name extended attribute name 6231 * @param buf buffer of data to use as the extended attribute value 6232 * @param len size of buffer 6233 * 6234 * Sets the value of an extended attribute on a file. 6235 * 6236 * Caller must hold an iocount on the vnode represented by the fileglob. 6237 */ 6238 #ifdef KERNEL_PRIVATE 6239 int mac_file_setxattr(struct fileglob *fg, const char *name, char *buf, size_t len); 6240 #endif 6241 6242 /** 6243 * @brief Get an extended attribute from a vnode-based fileglob. 6244 * @param fg fileglob representing file to read the extended attribute 6245 * @param name extended attribute name 6246 * @param buf buffer of data to hold the extended attribute value 6247 * @param len size of buffer 6248 * @param attrlen size of full extended attribute value 6249 * 6250 * Gets the value of an extended attribute on a file. 6251 * 6252 * Caller must hold an iocount on the vnode represented by the fileglob. 6253 */ 6254 #ifdef KERNEL_PRIVATE 6255 int mac_file_getxattr(struct fileglob *fg, const char *name, char *buf, size_t len, 6256 size_t *attrlen); 6257 #endif 6258 6259 /** 6260 * @brief Remove an extended attribute from a vnode-based fileglob. 6261 * @param fg fileglob representing file to remove the extended attribute 6262 * @param name extended attribute name 6263 * 6264 * Removes the named extended attribute from the file. 6265 * 6266 * Caller must hold an iocount on the vnode represented by the fileglob. 6267 */ 6268 #ifdef KERNEL_PRIVATE 6269 int mac_file_removexattr(struct fileglob *fg, const char *name); 6270 #endif 6271 6272 /* 6273 * Arbitrary limit on how much data will be logged by the audit 6274 * entry points above. 6275 */ 6276 #define MAC_AUDIT_DATA_LIMIT 1024 6277 6278 /* 6279 * Values returned by mac_audit_{pre,post}select. To combine the responses 6280 * of the security policies into a single decision, 6281 * mac_audit_{pre,post}select() choose the greatest value returned. 6282 */ 6283 #define MAC_AUDIT_DEFAULT 0 /* use system behavior */ 6284 #define MAC_AUDIT_NO 1 /* force not auditing this event */ 6285 #define MAC_AUDIT_YES 2 /* force auditing this event */ 6286 6287 // \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field 6288 6289 /** 6290 * @name Flags for the mpc_loadtime_flags field 6291 * @see mac_policy_conf 6292 * 6293 * This is the complete list of flags that are supported by the 6294 * mpc_loadtime_flags field of the mac_policy_conf structure. These 6295 * flags specify the load time behavior of MAC Framework policy 6296 * modules. 6297 */ 6298 6299 /*@{*/ 6300 6301 /** 6302 * @brief Flag to indicate registration preference 6303 * 6304 * This flag indicates that the policy module must be loaded and 6305 * initialized early in the boot process. If the flag is specified, 6306 * attempts to register the module following boot will be rejected. The 6307 * flag may be used by policies that require pervasive labeling of all 6308 * system objects, and cannot handle objects that have not been 6309 * properly initialized by the policy. 6310 */ 6311 #define MPC_LOADTIME_FLAG_NOTLATE 0x00000001 6312 6313 /** 6314 * @brief Flag to indicate unload preference 6315 * 6316 * This flag indicates that the policy module may be unloaded. If this 6317 * flag is not set, then the policy framework will reject requests to 6318 * unload the module. This flag might be used by modules that allocate 6319 * label state and are unable to free that state at runtime, or for 6320 * modules that simply do not want to permit unload operations. 6321 */ 6322 #define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002 6323 6324 /** 6325 * @brief Unsupported 6326 * 6327 * XXX This flag is not yet supported. 6328 */ 6329 #define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004 6330 6331 /** 6332 * @brief Flag to indicate a base policy 6333 * 6334 * This flag indicates that the policy module is a base policy. Only 6335 * one module can declare itself as base, otherwise the boot process 6336 * will be halted. 6337 */ 6338 #define MPC_LOADTIME_BASE_POLICY 0x00000008 6339 6340 /*@}*/ 6341 6342 /** 6343 * @brief Policy registration flag 6344 * @see mac_policy_conf 6345 * 6346 * This flag indicates that the policy module has been successfully 6347 * registered with the TrustedBSD MAC Framework. The Framework will 6348 * set this flag in the mpc_runtime_flags field of the policy's 6349 * mac_policy_conf structure after registering the policy. 6350 */ 6351 #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 6352 6353 /* 6354 * Depends on POLICY_VER 6355 */ 6356 6357 #ifndef POLICY_VER 6358 #define POLICY_VER 1.0 6359 #endif 6360 6361 #define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \ 6362 static struct mac_policy_conf mpname##_mac_policy_conf = { \ 6363 .mpc_name = #mpname, \ 6364 .mpc_fullname = mpfullname, \ 6365 .mpc_labelnames = lnames, \ 6366 .mpc_labelname_count = lcount, \ 6367 .mpc_ops = mpops, \ 6368 .mpc_loadtime_flags = lflags, \ 6369 .mpc_field_off = slot, \ 6370 .mpc_runtime_flags = rflags \ 6371 }; \ 6372 \ 6373 static kern_return_t \ 6374 kmod_start(kmod_info_t *ki, void *xd) \ 6375 { \ 6376 return mac_policy_register(&mpname##_mac_policy_conf, \ 6377 &handle, xd); \ 6378 } \ 6379 \ 6380 static kern_return_t \ 6381 kmod_stop(kmod_info_t *ki, void *xd) \ 6382 { \ 6383 return mac_policy_unregister(handle); \ 6384 } \ 6385 \ 6386 extern kern_return_t _start(kmod_info_t *ki, void *data); \ 6387 extern kern_return_t _stop(kmod_info_t *ki, void *data); \ 6388 \ 6389 KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \ 6390 kmod_start_func_t *_realmain = kmod_start; \ 6391 kmod_stop_func_t *_antimain = kmod_stop; \ 6392 int _kext_apple_cc = __APPLE_CC__ 6393 6394 /* 6395 * Policy interface to map a struct label pointer to per-policy data. 6396 * Typically, policies wrap this in their own accessor macro that casts an 6397 * intptr_t to a policy-specific data type. 6398 */ 6399 #ifdef KERNEL_PRIVATE 6400 struct label * mac_label_verify(struct label **labelp); 6401 intptr_t mac_label_get(struct label *l, int slot); 6402 /* 6403 * Sets a label slot to the given pointer value, `v`. `v` cannot be `~0ULL`. 6404 */ 6405 void mac_label_set(struct label *l, int slot, intptr_t v); 6406 struct label * mac_labelzone_alloc(int flags); 6407 struct label * mac_labelzone_alloc_for_owner(struct label **labelp, int flags, 6408 void (^extra_setup)(struct label *)); 6409 struct label * mac_labelzone_alloc_owned(struct label **labelp, int flags, 6410 void (^extra_setup)(struct label *)); 6411 void mac_labelzone_free(struct label *l); 6412 void mac_labelzone_free_owned(struct label **labelp, 6413 void (^extra_deinit)(struct label *)); 6414 intptr_t mac_vnode_label_get(struct vnode *vp, int slot, intptr_t sentinel); 6415 void mac_vnode_label_set(struct vnode *vp, int slot, intptr_t v); 6416 #endif 6417 6418 #define mac_get_mpc(h) (mac_policy_list.entries[h].mpc) 6419 6420 /** 6421 * @name Flags for MAC allocator interfaces 6422 * 6423 * These flags are passed to the Darwin kernel allocator routines to 6424 * indicate whether the allocation is permitted to block or not. 6425 * Caution should be taken; some operations are not permitted to sleep, 6426 * and some types of locks cannot be held when sleeping. 6427 */ 6428 6429 /*@{*/ 6430 6431 /** 6432 * @brief Allocation operations may block 6433 * 6434 * If memory is not immediately available, the allocation routine 6435 * will block (typically sleeping) until memory is available. 6436 * 6437 * @warning Inappropriate use of this flag may cause kernel panics. 6438 */ 6439 #define MAC_WAITOK 0 6440 6441 /** 6442 * @brief Allocation operations may not block 6443 * 6444 * Rather than blocking, the allocator may return an error if memory 6445 * is not immediately available. This type of allocation will not 6446 * sleep, preserving locking semantics. 6447 */ 6448 #define MAC_NOWAIT 1 6449 6450 /*@}*/ 6451 6452 #endif /* !_SECURITY_MAC_POLICY_H_ */ 6453