1 /* 2 * Copyright (c) 2007-2016 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28 /*- 29 * Copyright (c) 1999-2002 Robert N. M. Watson 30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 31 * Copyright (c) 2005-2007 SPARTA, Inc. 32 * All rights reserved. 33 * 34 * This software was developed by Robert Watson for the TrustedBSD Project. 35 * 36 * This software was developed for the FreeBSD Project in part by Network 37 * Associates Laboratories, the Security Research Division of Network 38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 39 * as part of the DARPA CHATS research program. 40 * 41 * This software was enhanced by SPARTA ISSO under SPAWAR contract 42 * N66001-04-C-6019 ("SEFOS"). 43 * 44 * Redistribution and use in source and binary forms, with or without 45 * modification, are permitted provided that the following conditions 46 * are met: 47 * 1. Redistributions of source code must retain the above copyright 48 * notice, this list of conditions and the following disclaimer. 49 * 2. Redistributions in binary form must reproduce the above copyright 50 * notice, this list of conditions and the following disclaimer in the 51 * documentation and/or other materials provided with the distribution. 52 * 53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 63 * SUCH DAMAGE. 64 * 65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $ 66 */ 67 68 /** 69 * @file mac_policy.h 70 * @brief Kernel Interfaces for MAC policy modules 71 * 72 * This header defines the list of operations that are defined by the 73 * TrustedBSD MAC Framwork on Darwin. MAC Policy modules register 74 * with the framework to declare interest in a specific set of 75 * operations. If interest in an entry point is not declared, then 76 * the policy will be ignored when the Framework evaluates that entry 77 * point. 78 */ 79 80 #ifndef _SECURITY_MAC_POLICY_H_ 81 #define _SECURITY_MAC_POLICY_H_ 82 83 #ifndef PRIVATE 84 #warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version" 85 #endif 86 87 #include <security/_label.h> 88 #include <kern/cs_blobs.h> 89 90 struct attrlist; 91 struct auditinfo; 92 struct bpf_d; 93 struct cs_blob; 94 struct devnode; 95 struct exception_action; 96 struct fileglob; 97 struct ifnet; 98 struct inpcb; 99 struct ipq; 100 struct label; 101 struct mac_policy_conf; 102 struct mbuf; 103 struct mount; 104 struct msg; 105 struct msqid_kernel; 106 struct pipe; 107 struct pseminfo; 108 struct pshminfo; 109 struct sbuf; 110 struct semid_kernel; 111 struct shmid_kernel; 112 struct socket; 113 struct sockopt; 114 struct task; 115 struct thread; 116 struct tty; 117 struct ucred; 118 struct vfs_attr; 119 struct vnode; 120 struct sockaddr; 121 /** @struct dummy */ 122 123 124 /* 125 * proc_ident_t support, see: rdar://problem/58928152 126 * Should be removed once all dependent parties adopt 127 * proc_ident_t. 128 */ 129 #define MAC_PROC_IDENT_SUPPORT 130 131 #ifndef _KAUTH_CRED_T 132 #define _KAUTH_CRED_T 133 typedef struct ucred *kauth_cred_t; 134 #endif /* !_KAUTH_CRED_T */ 135 136 #ifndef __IOKIT_PORTS_DEFINED__ 137 #define __IOKIT_PORTS_DEFINED__ 138 #ifdef __cplusplus 139 class OSObject; 140 typedef OSObject *io_object_t; 141 #else 142 struct OSObject; 143 typedef struct OSObject *io_object_t; 144 #endif 145 #endif /* __IOKIT_PORTS_DEFINED__ */ 146 147 /*- 148 * MAC entry points are generally named using the following template: 149 * 150 * mpo_<object>_<operation>() 151 * 152 * or: 153 * 154 * mpo_<object>_check_<operation>() 155 * 156 * Entry points are sorted by object type. 157 * 158 * It may be desirable also to consider some subsystems as "objects", such 159 * as system, iokit, etc. 160 */ 161 162 /** 163 * @name Entry Points for Label Management 164 * 165 * These are the entry points corresponding to the life cycle events for 166 * kernel objects, such as initialization, creation, and destruction. 167 * 168 * Most policies (that use labels) will initialize labels by allocating 169 * space for policy-specific data. In most cases, it is permitted to 170 * sleep during label initialization operations; it will be noted when 171 * it is not permitted. 172 * 173 * Initialization usually will not require doing more than allocating a 174 * generic label for the given object. What follows initialization is 175 * creation, where a label is made specific to the object it is associated 176 * with. Destruction occurs when the label is no longer needed, such as 177 * when the corresponding object is destroyed. All necessary cleanup should 178 * be performed in label destroy operations. 179 * 180 * Where possible, the label entry points have identical parameters. If 181 * the policy module does not require structure-specific label 182 * information, the same function may be registered in the policy 183 * operation vector. Many policies will implement two such generic 184 * allocation calls: one to handle sleepable requests, and one to handle 185 * potentially non-sleepable requests. 186 */ 187 188 189 /** 190 * @brief Audit event postselection 191 * @param cred Subject credential 192 * @param syscode Syscall number 193 * @param args Syscall arguments 194 * @param error Syscall errno 195 * @param retval Syscall return value 196 * 197 * This is the MAC Framework audit postselect, which is called before 198 * exiting a syscall to determine if an audit event should be committed. 199 * A return value of MAC_AUDIT_NO forces the audit record to be suppressed. 200 * Any other return value results in the audit record being committed. 201 * 202 * @warning The suppression behavior will probably go away in Apple's 203 * future version of the audit implementation. 204 * 205 * @return Return MAC_AUDIT_NO to force suppression of the audit record. 206 * Any other value results in the audit record being committed. 207 * 208 */ 209 typedef int mpo_audit_check_postselect_t( 210 kauth_cred_t cred, 211 unsigned short syscode, 212 void *args, 213 int error, 214 int retval 215 ); 216 /** 217 * @brief Audit event preselection 218 * @param cred Subject credential 219 * @param syscode Syscall number 220 * @param args Syscall arguments 221 * 222 * This is the MAC Framework audit preselect, which is called before a 223 * syscall is entered to determine if an audit event should be created. 224 * If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be 225 * returned. A return value of MAC_AUDIT_NO causes the audit record to 226 * be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants 227 * to defer to the system's existing preselection mechanism. 228 * 229 * When policies return different preferences, the Framework decides what action 230 * to take based on the following policy. If any policy returns MAC_AUDIT_YES, 231 * then create an audit record, else if any policy returns MAC_AUDIT_NO, then 232 * suppress the creations of an audit record, else defer to the system's 233 * existing preselection mechanism. 234 * 235 * @warning The audit implementation in Apple's current version is 236 * incomplete, so the MAC policies have priority over the system's existing 237 * mechanisms. This will probably change in the future version where 238 * the audit implementation is more complete. 239 * 240 * @return Return MAC_AUDIT_YES to force auditing of the syscall, 241 * MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT 242 * to allow auditing mechanisms to determine if the syscall is audited. 243 * 244 */ 245 typedef int mpo_audit_check_preselect_t( 246 kauth_cred_t cred, 247 unsigned short syscode, 248 void *args 249 ); 250 /** 251 * @brief Indicate desire to change the process label at exec time 252 * @param old Existing subject credential 253 * @param vp File being executed 254 * @param offset Offset of binary within file being executed 255 * @param scriptvp Script being executed by interpreter, if any. 256 * @param vnodelabel Label corresponding to vp 257 * @param scriptvnodelabel Script vnode label 258 * @param execlabel Userspace provided execution label 259 * @param p Object process 260 * @param macpolicyattr MAC policy-specific spawn attribute data 261 * @param macpolicyattrlen Length of policy-specific spawn attribute data 262 * @see mac_execve 263 * @see mpo_cred_label_update_execve_t 264 * @see mpo_vnode_check_exec_t 265 * 266 * Indicate whether this policy intends to update the label of a newly 267 * created credential from the existing subject credential (old). This 268 * call occurs when a process executes the passed vnode. If a policy 269 * returns success from this entry point, the mpo_cred_label_update_execve 270 * entry point will later be called with the same parameters. Access 271 * has already been checked via the mpo_vnode_check_exec entry point, 272 * this entry point is necessary to preserve kernel locking constraints 273 * during program execution. 274 * 275 * The supplied vnode and vnodelabel correspond with the file actually 276 * being executed; in the case that the file is interpreted (for 277 * example, a script), the label of the original exec-time vnode has 278 * been preserved in scriptvnodelabel. 279 * 280 * The final label, execlabel, corresponds to a label supplied by a 281 * user space application through the use of the mac_execve system call. 282 * 283 * The vnode lock is held during this operation. No changes should be 284 * made to the old credential structure. 285 * 286 * @warning Even if a policy returns 0, it should behave correctly in 287 * the presence of an invocation of mpo_cred_label_update_execve, as that 288 * call may happen as a result of another policy requesting a transition. 289 * 290 * @return Non-zero if a transition is required, 0 otherwise. 291 */ 292 typedef int mpo_cred_check_label_update_execve_t( 293 kauth_cred_t old, 294 struct vnode *vp, 295 off_t offset, 296 struct vnode *scriptvp, 297 struct label *vnodelabel, 298 struct label *scriptvnodelabel, 299 struct label *execlabel, 300 struct proc *p, 301 void *macpolicyattr, 302 size_t macpolicyattrlen 303 ); 304 /** 305 * @brief Access control check for relabelling processes 306 * @param cred Subject credential 307 * @param newlabel New label to apply to the user credential 308 * @see mpo_cred_label_update_t 309 * @see mac_set_proc 310 * 311 * Determine whether the subject identified by the credential can relabel 312 * itself to the supplied new label (newlabel). This access control check 313 * is called when the mac_set_proc system call is invoked. A user space 314 * application will supply a new value, the value will be internalized 315 * and provided in newlabel. 316 * 317 * @return Return 0 if access is granted, otherwise an appropriate value for 318 * errno should be returned. 319 */ 320 typedef int mpo_cred_check_label_update_t( 321 kauth_cred_t cred, 322 struct label *newlabel 323 ); 324 /** 325 * @brief Access control check for visibility of other subjects 326 * @param u1 Subject credential 327 * @param u2 Object credential 328 * 329 * Determine whether the subject identified by the credential u1 can 330 * "see" other subjects with the passed subject credential u2. This call 331 * may be made in a number of situations, including inter-process status 332 * sysctls used by ps, and in procfs lookups. 333 * 334 * @return Return 0 if access is granted, otherwise an appropriate value for 335 * errno should be returned. Suggested failure: EACCES for label mismatch, 336 * EPERM for lack of privilege, or ESRCH to hide visibility. 337 */ 338 typedef int mpo_cred_check_visible_t( 339 kauth_cred_t u1, 340 kauth_cred_t u2 341 ); 342 /** 343 * @brief Associate a credential with a new process at fork 344 * @param cred credential to inherited by new process 345 * @param proc the new process 346 * 347 * Allow a process to associate the credential with a new 348 * process for reference countng purposes. 349 * NOTE: the credential can be dis-associated in ways other 350 * than exit - so this strategy is flawed - should just 351 * catch label destroy callback. 352 */ 353 typedef void mpo_cred_label_associate_fork_t( 354 kauth_cred_t cred, 355 proc_t proc 356 ); 357 /** 358 * @brief Create the first process 359 * @param cred Subject credential to be labeled 360 * 361 * Create the subject credential of process 0, the parent of all BSD 362 * kernel processes. Policies should update the label in the 363 * previously initialized credential structure. 364 */ 365 typedef void mpo_cred_label_associate_kernel_t( 366 kauth_cred_t cred 367 ); 368 /** 369 * @brief Create a credential label 370 * @param parent_cred Parent credential 371 * @param child_cred Child credential 372 * 373 * Set the label of a newly created credential, most likely using the 374 * information in the supplied parent credential. 375 * 376 * @warning This call is made when crcopy or crdup is invoked on a 377 * newly created struct ucred, and should not be confused with a 378 * process fork or creation event. 379 */ 380 typedef void mpo_cred_label_associate_t( 381 kauth_cred_t parent_cred, 382 kauth_cred_t child_cred 383 ); 384 /** 385 * @brief Create the first process 386 * @param cred Subject credential to be labeled 387 * 388 * Create the subject credential of process 1, the parent of all BSD 389 * user processes. Policies should update the label in the previously 390 * initialized credential structure. This is the 'init' process. 391 */ 392 typedef void mpo_cred_label_associate_user_t( 393 kauth_cred_t cred 394 ); 395 /** 396 * @brief Destroy credential label 397 * @param label The label to be destroyed 398 * 399 * Destroy a user credential label. Since the user credential 400 * is going out of scope, policy modules should free any internal 401 * storage associated with the label so that it may be destroyed. 402 */ 403 typedef void mpo_cred_label_destroy_t( 404 struct label *label 405 ); 406 /** 407 * @brief Externalize a user credential label for auditing 408 * @param label Label to be externalized 409 * @param element_name Name of the label namespace for which labels should be 410 * externalized 411 * @param sb String buffer to be filled with a text representation of the label 412 * 413 * Produce an external representation of the label on a user credential for 414 * inclusion in an audit record. An externalized label consists of a text 415 * representation of the label contents that will be added to the audit record 416 * as part of a text token. Policy-agnostic user space tools will display 417 * this externalized version. 418 * 419 * @return 0 on success, return non-zero if an error occurs while 420 * externalizing the label data. 421 * 422 */ 423 typedef int mpo_cred_label_externalize_audit_t( 424 struct label *label, 425 char *element_name, 426 struct sbuf *sb 427 ); 428 /** 429 * @brief Externalize a user credential label 430 * @param label Label to be externalized 431 * @param element_name Name of the label namespace for which labels should be 432 * externalized 433 * @param sb String buffer to be filled with a text representation of the label 434 * 435 * Produce an external representation of the label on a user 436 * credential. An externalized label consists of a text representation 437 * of the label contents that can be used with user applications. 438 * Policy-agnostic user space tools will display this externalized 439 * version. 440 * 441 * @return 0 on success, return non-zero if an error occurs while 442 * externalizing the label data. 443 * 444 */ 445 typedef int mpo_cred_label_externalize_t( 446 struct label *label, 447 char *element_name, 448 struct sbuf *sb 449 ); 450 /** 451 * @brief Initialize user credential label 452 * @param label New label to initialize 453 * 454 * Initialize the label for a newly instantiated user credential. 455 * Sleeping is permitted. 456 */ 457 typedef void mpo_cred_label_init_t( 458 struct label *label 459 ); 460 /** 461 * @brief Internalize a user credential label 462 * @param label Label to be internalized 463 * @param element_name Name of the label namespace for which the label should 464 * be internalized 465 * @param element_data Text data to be internalized 466 * 467 * Produce a user credential label from an external representation. An 468 * externalized label consists of a text representation of the label 469 * contents that can be used with user applications. Policy-agnostic 470 * user space tools will forward text version to the kernel for 471 * processing by individual policy modules. 472 * 473 * The policy's internalize entry points will be called only if the 474 * policy has registered interest in the label namespace. 475 * 476 * @return 0 on success, Otherwise, return non-zero if an error occurs 477 * while internalizing the label data. 478 * 479 */ 480 typedef int mpo_cred_label_internalize_t( 481 struct label *label, 482 char *element_name, 483 char *element_data 484 ); 485 /** 486 * @brief Update credential at exec time 487 * @param old_cred Existing subject credential 488 * @param new_cred New subject credential to be labeled 489 * @param p Object process. 490 * @param vp File being executed 491 * @param offset Offset of binary within file being executed 492 * @param scriptvp Script being executed by interpreter, if any. 493 * @param vnodelabel Label corresponding to vp 494 * @param scriptvnodelabel Script vnode label 495 * @param execlabel Userspace provided execution label 496 * @param csflags Code signing flags to be set after exec 497 * @param macpolicyattr MAC policy-specific spawn attribute data. 498 * @param macpolicyattrlen Length of policy-specific spawn attribute data. 499 * @see mac_execve 500 * @see mpo_cred_check_label_update_execve_t 501 * @see mpo_vnode_check_exec_t 502 * 503 * Update the label of a newly created credential (new) from the 504 * existing subject credential (old). This call occurs when a process 505 * executes the passed vnode and one of the loaded policy modules has 506 * returned success from the mpo_cred_check_label_update_execve entry point. 507 * Access has already been checked via the mpo_vnode_check_exec entry 508 * point, this entry point is only used to update any policy state. 509 * 510 * The supplied vnode and vnodelabel correspond with the file actually 511 * being executed; in the case that the file is interpreted (for 512 * example, a script), the label of the original exec-time vnode has 513 * been preserved in scriptvnodelabel. 514 * 515 * The final label, execlabel, corresponds to a label supplied by a 516 * user space application through the use of the mac_execve system call. 517 * 518 * If non-NULL, the value pointed to by disjointp will be set to 0 to 519 * indicate that the old and new credentials are not disjoint, or 1 to 520 * indicate that they are. 521 * 522 * The vnode lock is held during this operation. No changes should be 523 * made to the old credential structure. 524 * @return 0 on success, Otherwise, return non-zero if update results in 525 * termination of child. 526 */ 527 typedef int mpo_cred_label_update_execve_t( 528 kauth_cred_t old_cred, 529 kauth_cred_t new_cred, 530 struct proc *p, 531 struct vnode *vp, 532 off_t offset, 533 struct vnode *scriptvp, 534 struct label *vnodelabel, 535 struct label *scriptvnodelabel, 536 struct label *execlabel, 537 u_int *csflags, 538 void *macpolicyattr, 539 size_t macpolicyattrlen, 540 int *disjointp 541 ); 542 /** 543 * @brief Update a credential label 544 * @param cred The existing credential 545 * @param newlabel A new label to apply to the credential 546 * @see mpo_cred_check_label_update_t 547 * @see mac_set_proc 548 * 549 * Update the label on a user credential, using the supplied new label. 550 * This is called as a result of a process relabel operation. Access 551 * control was already confirmed by mpo_cred_check_label_update. 552 */ 553 typedef void mpo_cred_label_update_t( 554 kauth_cred_t cred, 555 struct label *newlabel 556 ); 557 /** 558 * @brief Access control for launching a process with constraints 559 * @param curr_p The new process 560 * @param original_parent_id The pid of the original parent that spawned this process 561 * @param responsible_pid The pid of the responsible process that spawned this process 562 * @param macpolicyattr MAC policy-specific spawn attribute data 563 * @param macpolicyattrlen Length of policy-specific spawn attribute data 564 * @param fatal_failure_desc Description of fatal failure 565 * @param fatal_failure_desc_len Failure description len, failure is fatal if non-0 566 * 567 * Detemine whether the process being spawned adheres to the launch 568 * constraints (e.g. whether the process is spawned by launchd) and should 569 * be allowed to execute. This call occurs during execve or posix_spawn. 570 * 571 * @return Return 0 if process can be created, otherwise an appropriate value for 572 * errno should be returned. 573 */ 574 typedef int mpo_proc_check_launch_constraints_t( 575 proc_t curr_p, 576 pid_t original_parent_id, 577 pid_t responsible_pid, 578 void *macpolicyattr, 579 size_t macpolicyattrlen, 580 launch_constraint_data_t lcd, 581 char **fatal_failure_desc, size_t *fatal_failure_desc_len 582 ); 583 /** 584 * @brief Create a new devfs device 585 * @param dev Major and minor numbers of special file 586 * @param de "inode" of new device file 587 * @param label Destination label 588 * @param fullpath Path relative to mount (e.g. /dev) of new device file 589 * 590 * This entry point labels a new devfs device. The label will likely be based 591 * on the path to the device, or the major and minor numbers. 592 * The policy should store an appropriate label into 'label'. 593 */ 594 typedef void mpo_devfs_label_associate_device_t( 595 dev_t dev, 596 struct devnode *de, 597 struct label *label, 598 const char *fullpath 599 ); 600 /** 601 * @brief Create a new devfs directory 602 * @param dirname Name of new directory 603 * @param dirnamelen Length of 'dirname' 604 * @param de "inode" of new directory 605 * @param label Destination label 606 * @param fullpath Path relative to mount (e.g. /dev) of new directory 607 * 608 * This entry point labels a new devfs directory. The label will likely be 609 * based on the path of the new directory. The policy should store an appropriate 610 * label into 'label'. The devfs root directory is labelled in this way. 611 */ 612 typedef void mpo_devfs_label_associate_directory_t( 613 const char *dirname, 614 int dirnamelen, 615 struct devnode *de, 616 struct label *label, 617 const char *fullpath 618 ); 619 /** 620 * @brief Copy a devfs label 621 * @param src Source devfs label 622 * @param dest Destination devfs label 623 * 624 * Copy the label information from src to dest. The devfs file system 625 * often duplicates (splits) existing device nodes rather than creating 626 * new ones. 627 */ 628 typedef void mpo_devfs_label_copy_t( 629 struct label *src, 630 struct label *dest 631 ); 632 /** 633 * @brief Destroy devfs label 634 * @param label The label to be destroyed 635 * 636 * Destroy a devfs entry label. Since the object is going out 637 * of scope, policy modules should free any internal storage associated 638 * with the label so that it may be destroyed. 639 */ 640 typedef void mpo_devfs_label_destroy_t( 641 struct label *label 642 ); 643 /** 644 * @brief Initialize devfs label 645 * @param label New label to initialize 646 * 647 * Initialize the label for a newly instantiated devfs entry. Sleeping 648 * is permitted. 649 */ 650 typedef void mpo_devfs_label_init_t( 651 struct label *label 652 ); 653 /** 654 * @brief Update a devfs label after relabelling its vnode 655 * @param mp Devfs mount point 656 * @param de Affected devfs directory entry 657 * @param delabel Label of devfs directory entry 658 * @param vp Vnode associated with de 659 * @param vnodelabel New label of vnode 660 * 661 * Update a devfs label when its vnode is manually relabelled, 662 * for example with setfmac(1). Typically, this will simply copy 663 * the vnode label into the devfs label. 664 */ 665 typedef void mpo_devfs_label_update_t( 666 struct mount *mp, 667 struct devnode *de, 668 struct label *delabel, 669 struct vnode *vp, 670 struct label *vnodelabel 671 ); 672 /** 673 * @brief Access control for sending an exception to an exception action 674 * @param crashlabel The crashing process's label 675 * @param action Exception action 676 * @param exclabel Policy label for exception action 677 * 678 * Determine whether the the exception message caused by the victim 679 * process can be sent to the exception action. The policy may compare 680 * credentials in the crashlabel, which are derived from the process at 681 * the time the exception occurs, with the credentials in the exclabel, 682 * which was set at the time the exception port was set, to determine 683 * its decision. Note that any process from which the policy derived 684 * any credentials may not exist anymore at the time of this policy 685 * operation. Sleeping is permitted. 686 * 687 * @return Return 0 if the message can be sent, otherwise an 688 * appropriate value for errno should be returned. 689 */ 690 typedef int mpo_exc_action_check_exception_send_t( 691 struct label *crashlabel, 692 struct exception_action *action, 693 struct label *exclabel 694 ); 695 /** 696 * @brief Associate an exception action label 697 * @param action Exception action to label 698 * @param exclabel Policy label to be filled in for exception action 699 * 700 * Set the label on an exception action. 701 */ 702 typedef void mpo_exc_action_label_associate_t( 703 struct exception_action *action, 704 struct label *exclabel 705 ); 706 /** 707 * @brief Destroy exception action label 708 * @param label The label to be destroyed 709 * 710 * Destroy the label on an exception action. Since the object is going 711 * out of scope, policy modules should free any internal storage 712 * associated with the label so that it may be destroyed. Sleeping is 713 * permitted. 714 */ 715 typedef void mpo_exc_action_label_destroy_t( 716 struct label *label 717 ); 718 /** 719 * @brief Populate an exception action label with process credentials 720 * @param label The label to be populated 721 * @param proc Process to derive credentials from 722 * 723 * Populate a label with credentials derived from a process. At 724 * exception delivery time, the policy should compare credentials of the 725 * process that set an exception ports with the credentials of the 726 * process or corpse that experienced the exception. Note that the 727 * process that set the port may not exist at that time anymore, so 728 * labels should carry copies of live credentials if necessary. 729 */ 730 typedef void mpo_exc_action_label_populate_t( 731 struct label *label, 732 struct proc *proc 733 ); 734 /** 735 * @brief Initialize exception action label 736 * @param label New label to initialize 737 * 738 * Initialize a label for an exception action. Usually performs 739 * policy specific allocations. Sleeping is permitted. 740 */ 741 typedef int mpo_exc_action_label_init_t( 742 struct label *label 743 ); 744 /** 745 * @brief Update the label on an exception action 746 * @param action Exception action that the label belongs to (may be 747 * NULL if none) 748 * @param label Policy label to update 749 * @param newlabel New label for update 750 * 751 * Update the credentials of an exception action from the given 752 * label. The policy should copy over any credentials (process and 753 * otherwise) from the new label into the label to update. Must not 754 * sleep, must be quick and can be called with locks held. 755 */ 756 typedef int mpo_exc_action_label_update_t( 757 struct exception_action *action, 758 struct label *label, 759 struct label *newlabel 760 ); 761 /** 762 * @brief Access control for changing the offset of a file descriptor 763 * @param cred Subject credential 764 * @param fg Fileglob structure 765 * @param label Policy label for fg 766 * 767 * Determine whether the subject identified by the credential can 768 * change the offset of the file represented by fg. 769 * 770 * @return Return 0 if access if granted, otherwise an appropriate 771 * value for errno should be returned. 772 */ 773 typedef int mpo_file_check_change_offset_t( 774 kauth_cred_t cred, 775 struct fileglob *fg, 776 struct label *label 777 ); 778 /** 779 * @brief Access control for creating a file descriptor 780 * @param cred Subject credential 781 * 782 * Determine whether the subject identified by the credential can 783 * allocate a new file descriptor. 784 * 785 * @return Return 0 if access if granted, otherwise an appropriate 786 * value for errno should be returned. 787 */ 788 typedef int mpo_file_check_create_t( 789 kauth_cred_t cred 790 ); 791 /** 792 * @brief Access control for duplicating a file descriptor 793 * @param cred Subject credential 794 * @param fg Fileglob structure 795 * @param label Policy label for fg 796 * @param newfd New file descriptor number 797 * 798 * Determine whether the subject identified by the credential can 799 * duplicate the fileglob structure represented by fg and as file 800 * descriptor number newfd. 801 * 802 * @return Return 0 if access if granted, otherwise an appropriate 803 * value for errno should be returned. 804 */ 805 typedef int mpo_file_check_dup_t( 806 kauth_cred_t cred, 807 struct fileglob *fg, 808 struct label *label, 809 int newfd 810 ); 811 /** 812 * @brief Access control check for fcntl 813 * @param cred Subject credential 814 * @param fg Fileglob structure 815 * @param label Policy label for fg 816 * @param cmd Control operation to be performed; see fcntl(2) 817 * @param arg fcnt arguments; see fcntl(2) 818 * 819 * Determine whether the subject identified by the credential can perform 820 * the file control operation indicated by cmd. 821 * 822 * @return Return 0 if access is granted, otherwise an appropriate value for 823 * errno should be returned. 824 */ 825 typedef int mpo_file_check_fcntl_t( 826 kauth_cred_t cred, 827 struct fileglob *fg, 828 struct label *label, 829 int cmd, 830 user_long_t arg 831 ); 832 /** 833 * @brief Access control check for mac_get_fd 834 * @param cred Subject credential 835 * @param fg Fileglob structure 836 * @param elements Element buffer 837 * @param len Length of buffer 838 * 839 * Determine whether the subject identified by the credential should be allowed 840 * to get an externalized version of the label on the object indicated by fd. 841 * 842 * @return Return 0 if access is granted, otherwise an appropriate value for 843 * errno should be returned. 844 */ 845 typedef int mpo_file_check_get_t( 846 kauth_cred_t cred, 847 struct fileglob *fg, 848 char *elements, 849 size_t len 850 ); 851 /** 852 * @brief Access control for getting the offset of a file descriptor 853 * @param cred Subject credential 854 * @param fg Fileglob structure 855 * @param label Policy label for fg 856 * 857 * Determine whether the subject identified by the credential can 858 * get the offset of the file represented by fg. 859 * 860 * @return Return 0 if access if granted, otherwise an appropriate 861 * value for errno should be returned. 862 */ 863 typedef int mpo_file_check_get_offset_t( 864 kauth_cred_t cred, 865 struct fileglob *fg, 866 struct label *label 867 ); 868 /** 869 * @brief Access control for inheriting a file descriptor 870 * @param cred Subject credential 871 * @param fg Fileglob structure 872 * @param label Policy label for fg 873 * 874 * Determine whether the subject identified by the credential can 875 * inherit the fileglob structure represented by fg. 876 * 877 * @return Return 0 if access if granted, otherwise an appropriate 878 * value for errno should be returned. 879 */ 880 typedef int mpo_file_check_inherit_t( 881 kauth_cred_t cred, 882 struct fileglob *fg, 883 struct label *label 884 ); 885 /** 886 * @brief Access control check for file ioctl 887 * @param cred Subject credential 888 * @param fg Fileglob structure 889 * @param label Policy label for fg 890 * @param cmd The ioctl command; see ioctl(2) 891 * 892 * Determine whether the subject identified by the credential can perform 893 * the ioctl operation indicated by cmd. 894 * 895 * @warning Since ioctl data is opaque from the standpoint of the MAC 896 * framework, policies must exercise extreme care when implementing 897 * access control checks. 898 * 899 * @return Return 0 if access is granted, otherwise an appropriate value for 900 * errno should be returned. 901 * 902 */ 903 typedef int mpo_file_check_ioctl_t( 904 kauth_cred_t cred, 905 struct fileglob *fg, 906 struct label *label, 907 unsigned long cmd 908 ); 909 /** 910 * @brief Access control check for file locking 911 * @param cred Subject credential 912 * @param fg Fileglob structure 913 * @param label Policy label for fg 914 * @param op The lock operation (F_GETLK, F_SETLK, F_UNLK) 915 * @param fl The flock structure 916 * 917 * Determine whether the subject identified by the credential can perform 918 * the lock operation indicated by op and fl on the file represented by fg. 919 * 920 * @return Return 0 if access is granted, otherwise an appropriate value for 921 * errno should be returned. 922 * 923 */ 924 typedef int mpo_file_check_lock_t( 925 kauth_cred_t cred, 926 struct fileglob *fg, 927 struct label *label, 928 int op, 929 struct flock *fl 930 ); 931 /** 932 * @brief Check with library validation if a Mach-O slice is allowed to be combined into a proc. 933 * @param p Subject process 934 * @param fg Fileglob structure 935 * @param slice_offset offset of the code slice 936 * @param error_message error message returned to user-space in case of error (userspace pointer) 937 * @param error_message_size error message size 938 * 939 * It's a little odd that the MAC/kext writes into userspace since this 940 * implies there is only one MAC module that implements this, however 941 * the alternative is to allocate memory in xnu, in the hope that 942 * the MAC module will use it, or allocate in the MAC module and then 943 * free it in xnu. Neither of these is very appealing, so let's go with 944 * the slightly more hacky way. 945 * 946 * @return Return 0 if access is granted, otherwise an appropriate value for 947 * errno should be returned. 948 */ 949 typedef int mpo_file_check_library_validation_t( 950 struct proc *p, 951 struct fileglob *fg, 952 off_t slice_offset, 953 user_long_t error_message, 954 size_t error_message_size 955 ); 956 /** 957 * @brief Access control check for mapping a file 958 * @param cred Subject credential 959 * @param fg fileglob representing file to map 960 * @param label Policy label associated with vp 961 * @param prot mmap protections; see mmap(2) 962 * @param flags Type of mapped object; see mmap(2) 963 * @param maxprot Maximum rights 964 * 965 * Determine whether the subject identified by the credential should be 966 * allowed to map the file represented by fg with the protections specified 967 * in prot. The maxprot field holds the maximum permissions on the new 968 * mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. 969 * To avoid overriding prior access control checks, a policy should only 970 * remove flags from maxprot. 971 * 972 * @return Return 0 if access is granted, otherwise an appropriate value for 973 * errno should be returned. Suggested failure: EACCES for label mismatch or 974 * EPERM for lack of privilege. 975 */ 976 typedef int mpo_file_check_mmap_t( 977 kauth_cred_t cred, 978 struct fileglob *fg, 979 struct label *label, 980 int prot, 981 int flags, 982 uint64_t file_pos, 983 int *maxprot 984 ); 985 /** 986 * @brief Downgrade the mmap protections 987 * @param cred Subject credential 988 * @param fg file to map 989 * @param label Policy label associated with vp 990 * @param prot mmap protections to be downgraded 991 * 992 * Downgrade the mmap protections based on the subject and object labels. 993 */ 994 typedef void mpo_file_check_mmap_downgrade_t( 995 kauth_cred_t cred, 996 struct fileglob *fg, 997 struct label *label, 998 int *prot 999 ); 1000 /** 1001 * @brief Access control for receiving a file descriptor 1002 * @param cred Subject credential 1003 * @param fg Fileglob structure 1004 * @param label Policy label for fg 1005 * 1006 * Determine whether the subject identified by the credential can 1007 * receive the fileglob structure represented by fg. 1008 * 1009 * @return Return 0 if access if granted, otherwise an appropriate 1010 * value for errno should be returned. 1011 */ 1012 typedef int mpo_file_check_receive_t( 1013 kauth_cred_t cred, 1014 struct fileglob *fg, 1015 struct label *label 1016 ); 1017 /** 1018 * @brief Access control check for mac_set_fd 1019 * @param cred Subject credential 1020 * @param fg Fileglob structure 1021 * @param elements Elements buffer 1022 * @param len Length of elements buffer 1023 * 1024 * Determine whether the subject identified by the credential can 1025 * perform the mac_set_fd operation. The mac_set_fd operation is used 1026 * to associate a MAC label with a file. 1027 * 1028 * @return Return 0 if access is granted, otherwise an appropriate value for 1029 * errno should be returned. 1030 */ 1031 typedef int mpo_file_check_set_t( 1032 kauth_cred_t cred, 1033 struct fileglob *fg, 1034 char *elements, 1035 size_t len 1036 ); 1037 /** 1038 * @brief Inform MAC policies that file is being closed 1039 * @param cred Subject credential 1040 * @param fg Fileglob structure 1041 * @param label Policy label for fg 1042 * @param modified Boolean; 1 if file was modified, 0 otherwise 1043 * 1044 * Called when an open file is being closed, as a result of a call to 1045 * close(2), the process exiting, or exec(2) w/O_CLOEXEC set. 1046 */ 1047 typedef void mpo_file_notify_close_t( 1048 kauth_cred_t cred, 1049 struct fileglob *fg, 1050 struct label *label, 1051 int modified 1052 ); 1053 /** 1054 * @brief Create file label 1055 * @param cred Subject credential 1056 * @param fg Fileglob structure 1057 * @param label Policy label for fg 1058 */ 1059 typedef void mpo_file_label_associate_t( 1060 kauth_cred_t cred, 1061 struct fileglob *fg, 1062 struct label *label 1063 ); 1064 /** 1065 * @brief Destroy file label 1066 * @param label The label to be destroyed 1067 * 1068 * Destroy the label on a file descriptor. In this entry point, a 1069 * policy module should free any internal storage associated with 1070 * label so that it may be destroyed. 1071 */ 1072 typedef void mpo_file_label_destroy_t( 1073 struct label *label 1074 ); 1075 /** 1076 * @brief Initialize file label 1077 * @param label New label to initialize 1078 */ 1079 typedef void mpo_file_label_init_t( 1080 struct label *label 1081 ); 1082 /** 1083 * @brief Access control check for opening an I/O Kit device 1084 * @param cred Subject credential 1085 * @param user_client User client instance 1086 * @param user_client_type User client type 1087 * 1088 * Determine whether the subject identified by the credential can open an 1089 * I/O Kit device at the passed path of the passed user client class and 1090 * type. This check is performed after instantiating the user client. 1091 * See also mpo_iokit_check_open_service_t. 1092 * 1093 * @return Return 0 if access is granted, or an appropriate value for 1094 * errno should be returned. 1095 */ 1096 typedef int mpo_iokit_check_open_t( 1097 kauth_cred_t cred, 1098 io_object_t user_client, 1099 unsigned int user_client_type 1100 ); 1101 /** 1102 * @brief Access control check for opening an I/O Kit device 1103 * @param cred Subject credential 1104 * @param service Service instance 1105 * @param user_client_type User client type 1106 * 1107 * Determine whether the subject identified by the credential can open a 1108 * I/O Kit user client of the passed service and user client type. 1109 * This check is performed before instantiating the user client. See also 1110 * mpo_iokit_check_open_t. 1111 * 1112 * @return Return 0 if access is granted, or an appropriate value for 1113 * errno should be returned. 1114 */ 1115 typedef int mpo_iokit_check_open_service_t( 1116 kauth_cred_t cred, 1117 io_object_t service, 1118 unsigned int user_client_type 1119 ); 1120 /** 1121 * @brief Access control check for setting I/O Kit device properties 1122 * @param cred Subject credential 1123 * @param entry Target device 1124 * @param properties Property list 1125 * 1126 * Determine whether the subject identified by the credential can set 1127 * properties on an I/O Kit device. 1128 * 1129 * @return Return 0 if access is granted, or an appropriate value for 1130 * errno should be returned. 1131 */ 1132 typedef int mpo_iokit_check_set_properties_t( 1133 kauth_cred_t cred, 1134 io_object_t entry, 1135 io_object_t properties 1136 ); 1137 /** 1138 * @brief Indicate desire to filter I/O Kit devices properties 1139 * @param cred Subject credential 1140 * @param entry Target device 1141 * @see mpo_iokit_check_get_property_t 1142 * 1143 * Indicate whether this policy may restrict the subject credential 1144 * from reading properties of the target device. 1145 * If a policy returns success from this entry point, the 1146 * mpo_iokit_check_get_property entry point will later be called 1147 * for each property that the subject credential tries to read from 1148 * the target device. 1149 * 1150 * This entry point is primarilly to optimize bulk property reads 1151 * by skipping calls to the mpo_iokit_check_get_property entry point 1152 * for credentials / devices no MAC policy is interested in. 1153 * 1154 * @warning Even if a policy returns 0, it should behave correctly in 1155 * the presence of an invocation of mpo_iokit_check_get_property, as that 1156 * call may happen as a result of another policy requesting a transition. 1157 * 1158 * @return Non-zero if a transition is required, 0 otherwise. 1159 */ 1160 typedef int mpo_iokit_check_filter_properties_t( 1161 kauth_cred_t cred, 1162 io_object_t entry 1163 ); 1164 /** 1165 * @brief Access control check for getting I/O Kit device properties 1166 * @param cred Subject credential 1167 * @param entry Target device 1168 * @param name Property name 1169 * 1170 * Determine whether the subject identified by the credential can get 1171 * properties on an I/O Kit device. 1172 * 1173 * @return Return 0 if access is granted, or an appropriate value for 1174 * errno. 1175 */ 1176 typedef int mpo_iokit_check_get_property_t( 1177 kauth_cred_t cred, 1178 io_object_t entry, 1179 const char *name 1180 ); 1181 /** 1182 * @brief Access control check for software HID control 1183 * @param cred Subject credential 1184 * 1185 * Determine whether the subject identified by the credential can 1186 * control the HID (Human Interface Device) subsystem, such as to 1187 * post synthetic keypresses, pointer movement and clicks. 1188 * 1189 * @return Return 0 if access is granted, or an appropriate value for 1190 * errno. 1191 */ 1192 typedef int mpo_iokit_check_hid_control_t( 1193 kauth_cred_t cred 1194 ); 1195 /** 1196 * @brief Access control check for fsctl 1197 * @param cred Subject credential 1198 * @param mp The mount point 1199 * @param label Label associated with the mount point 1200 * @param cmd Filesystem-dependent request code; see fsctl(2) 1201 * 1202 * Determine whether the subject identified by the credential can perform 1203 * the volume operation indicated by com. 1204 * 1205 * @warning The fsctl() system call is directly analogous to ioctl(); since 1206 * the associated data is opaque from the standpoint of the MAC framework 1207 * and since these operations can affect many aspects of system operation, 1208 * policies must exercise extreme care when implementing access control checks. 1209 * 1210 * @return Return 0 if access is granted, otherwise an appropriate value for 1211 * errno should be returned. 1212 */ 1213 typedef int mpo_mount_check_fsctl_t( 1214 kauth_cred_t cred, 1215 struct mount *mp, 1216 struct label *label, 1217 unsigned long cmd 1218 ); 1219 /** 1220 * @brief Access control check for the retrieval of file system attributes 1221 * @param cred Subject credential 1222 * @param mp The mount structure of the file system 1223 * @param vfa The attributes requested 1224 * 1225 * This entry point determines whether given subject can get information 1226 * about the given file system. This check happens during statfs() syscalls, 1227 * but is also used by other parts within the kernel such as the audit system. 1228 * 1229 * @return Return 0 if access is granted, otherwise an appropriate value for 1230 * errno should be returned. 1231 * 1232 * @note Policies may change the contents of vfa to alter the list of 1233 * file system attributes returned. 1234 */ 1235 1236 typedef int mpo_mount_check_getattr_t( 1237 kauth_cred_t cred, 1238 struct mount *mp, 1239 struct label *mp_label, 1240 struct vfs_attr *vfa 1241 ); 1242 /** 1243 * @brief Access control check for mount point relabeling 1244 * @param cred Subject credential 1245 * @param mp Object file system mount point 1246 * @param mntlabel Policy label for fle system mount point 1247 * 1248 * Determine whether the subject identified by the credential can relabel 1249 * the mount point. This call is made when a file system mount is updated. 1250 * 1251 * @return Return 0 if access is granted, otherwise an appropriate value for 1252 * errno should be returned. Suggested failure: EACCES for label mismatch 1253 * or EPERM for lack of privilege. 1254 */ 1255 typedef int mpo_mount_check_label_update_t( 1256 kauth_cred_t cred, 1257 struct mount *mp, 1258 struct label *mntlabel 1259 ); 1260 /** 1261 * @brief Access control check for mounting a file system 1262 * @param cred Subject credential 1263 * @param vp Vnode that is to be the mount point 1264 * @param vlabel Label associated with the vnode 1265 * @param cnp Component name for vp 1266 * @param vfc_name Filesystem type name 1267 * 1268 * Determine whether the subject identified by the credential can perform 1269 * the mount operation on the target vnode. 1270 * 1271 * @return Return 0 if access is granted, otherwise an appropriate value for 1272 * errno should be returned. 1273 */ 1274 typedef int mpo_mount_check_mount_t( 1275 kauth_cred_t cred, 1276 struct vnode *vp, 1277 struct label *vlabel, 1278 struct componentname *cnp, 1279 const char *vfc_name 1280 ); 1281 /** 1282 * @brief Access control check for mounting a file system (late) 1283 * @param cred Subject credential 1284 * @param mp Mount point 1285 * 1286 * Similar to mpo_mount_check_mount, but occurs after VFS_MOUNT has been 1287 * called, making it possible to access mnt_vfsstat.f_mntfromname and other 1288 * fields. 1289 * 1290 * @return Return 0 if access is granted, otherwise an appropriate value for 1291 * errno should be returned. 1292 */ 1293 typedef int mpo_mount_check_mount_late_t( 1294 kauth_cred_t cred, 1295 struct mount *mp 1296 ); 1297 1298 /** 1299 * @brief Access control check for quotactl 1300 * @param cred Subject credential 1301 * @param cmd The quotactl command and subcommand; see quotactl(2) 1302 * @param id The user or group ID on which cmd will operate 1303 * 1304 * Determine whether the subject identified by the credential can perform 1305 * the quotactl operation indicated by cmd. 1306 * 1307 * @return Return 0 if access is granted, otherwise an appropriate value for 1308 * errno should be returned. 1309 */ 1310 typedef int mpo_mount_check_quotactl_t( 1311 kauth_cred_t cred, 1312 struct mount *mp, 1313 int cmd, 1314 int id 1315 ); 1316 /** 1317 * @brief Access control check for fs_snapshot_create 1318 * @param cred Subject credential 1319 * @mp Filesystem mount point to create snapshot of 1320 * @name Name of snapshot to create 1321 * 1322 * Determine whether the subject identified by the credential can 1323 * create a snapshot of the filesystem at the given mount point. 1324 * 1325 * @return Return 0 if access is granted, otherwise an appropriate value 1326 * for errno should be returned. 1327 */ 1328 typedef int mpo_mount_check_snapshot_create_t( 1329 kauth_cred_t cred, 1330 struct mount *mp, 1331 const char *name 1332 ); 1333 /** 1334 * @brief Access control check for fs_snapshot_delete 1335 * @param cred Subject credential 1336 * @mp Filesystem mount point to delete snapshot of 1337 * @name Name of snapshot to delete 1338 * 1339 * Determine whether the subject identified by the credential can 1340 * delete the named snapshot from the filesystem at the given 1341 * mount point. 1342 * 1343 * @return Return 0 if access is granted, otherwise an appropriate value 1344 * for errno should be returned. 1345 */ 1346 typedef int mpo_mount_check_snapshot_delete_t( 1347 kauth_cred_t cred, 1348 struct mount *mp, 1349 const char *name 1350 ); 1351 /** 1352 * @brief Access control check for fs_snapshot_mount 1353 * @param cred Subject credential 1354 * @param rvp Vnode of either the root directory of the 1355 * filesystem to mount snapshot of, or the device from 1356 * which to mount the snapshot. 1357 * @param vp Vnode that is to be the mount point 1358 * @param cnp Component name for vp 1359 * @param name Name of snapshot to mount 1360 * @param vfc_name Filesystem type name 1361 * 1362 * Determine whether the subject identified by the credential can 1363 * mount the named snapshot from the filesystem at the given 1364 * directory. 1365 * 1366 * @return Return 0 if access is granted, otherwise an appropriate value 1367 * for errno should be returned. 1368 */ 1369 typedef int mpo_mount_check_snapshot_mount_t( 1370 kauth_cred_t cred, 1371 struct vnode *rvp, 1372 struct vnode *vp, 1373 struct componentname *cnp, 1374 const char *name, 1375 const char *vfc_name 1376 ); 1377 /** 1378 * @brief Access control check for fs_snapshot_revert 1379 * @param cred Subject credential 1380 * @mp Filesystem mount point to revert to snapshot 1381 * @name Name of snapshot to revert to 1382 * 1383 * Determine whether the subject identified by the credential can 1384 * revert the filesystem at the given mount point to the named snapshot. 1385 * 1386 * @return Return 0 if access is granted, otherwise an appropriate value 1387 * for errno should be returned. 1388 */ 1389 typedef int mpo_mount_check_snapshot_revert_t( 1390 kauth_cred_t cred, 1391 struct mount *mp, 1392 const char *name 1393 ); 1394 /** 1395 * @brief Access control check remounting a filesystem 1396 * @param cred Subject credential 1397 * @param mp The mount point 1398 * @param mlabel Label currently associated with the mount point 1399 * @param flags Requested updated flags 1400 * 1401 * Determine whether the subject identified by the credential can perform 1402 * the remount operation on the target vnode. 1403 * 1404 * @return Return 0 if access is granted, otherwise an appropriate value for 1405 * errno should be returned. 1406 */ 1407 #define NEEDS_RDAR_103115865 1 // Required until both EndpointSecurity & Sandbox are updated 1408 typedef int mpo_mount_check_remount_t( 1409 kauth_cred_t cred, 1410 struct mount *mp, 1411 struct label *mlabel, 1412 uint64_t flags 1413 ); 1414 /** 1415 * @brief Access control check for the settting of file system attributes 1416 * @param cred Subject credential 1417 * @param mp The mount structure of the file system 1418 * @param vfa The attributes requested 1419 * 1420 * This entry point determines whether given subject can set information 1421 * about the given file system, for example the volume name. 1422 * 1423 * @return Return 0 if access is granted, otherwise an appropriate value for 1424 * errno should be returned. 1425 */ 1426 1427 typedef int mpo_mount_check_setattr_t( 1428 kauth_cred_t cred, 1429 struct mount *mp, 1430 struct label *mp_label, 1431 struct vfs_attr *vfa 1432 ); 1433 /** 1434 * @brief Access control check for file system statistics 1435 * @param cred Subject credential 1436 * @param mp Object file system mount 1437 * @param mntlabel Policy label for mp 1438 * 1439 * Determine whether the subject identified by the credential can see 1440 * the results of a statfs performed on the file system. This call may 1441 * be made in a number of situations, including during invocations of 1442 * statfs(2) and related calls, as well as to determine what file systems 1443 * to exclude from listings of file systems, such as when getfsstat(2) 1444 * is invoked. 1445 * 1446 * @return Return 0 if access is granted, otherwise an appropriate value for 1447 * errno should be returned. Suggested failure: EACCES for label mismatch 1448 * or EPERM for lack of privilege. 1449 */ 1450 typedef int mpo_mount_check_stat_t( 1451 kauth_cred_t cred, 1452 struct mount *mp, 1453 struct label *mntlabel 1454 ); 1455 /** 1456 * @brief Access control check for unmounting a filesystem 1457 * @param cred Subject credential 1458 * @param mp The mount point 1459 * @param mlabel Label associated with the mount point 1460 * 1461 * Determine whether the subject identified by the credential can perform 1462 * the unmount operation on the target vnode. 1463 * 1464 * @return Return 0 if access is granted, otherwise an appropriate value for 1465 * errno should be returned. 1466 */ 1467 typedef int mpo_mount_check_umount_t( 1468 kauth_cred_t cred, 1469 struct mount *mp, 1470 struct label *mlabel 1471 ); 1472 /** 1473 * @brief Create mount labels 1474 * @param cred Subject credential 1475 * @param mp Mount point of file system being mounted 1476 * @param mntlabel Label to associate with the new mount point 1477 * @see mpo_mount_label_init_t 1478 * 1479 * Fill out the labels on the mount point being created by the supplied 1480 * user credential. This call is made when file systems are first mounted. 1481 */ 1482 typedef void mpo_mount_label_associate_t( 1483 kauth_cred_t cred, 1484 struct mount *mp, 1485 struct label *mntlabel 1486 ); 1487 /** 1488 * @brief Destroy mount label 1489 * @param label The label to be destroyed 1490 * 1491 * Destroy a file system mount label. Since the 1492 * object is going out of scope, policy modules should free any 1493 * internal storage associated with the label so that it may be 1494 * destroyed. 1495 */ 1496 typedef void mpo_mount_label_destroy_t( 1497 struct label *label 1498 ); 1499 /** 1500 * @brief Externalize a mount point label 1501 * @param label Label to be externalized 1502 * @param element_name Name of the label namespace for which labels should be 1503 * externalized 1504 * @param sb String buffer to be filled with a text representation of the label 1505 * 1506 * Produce an external representation of the mount point label. An 1507 * externalized label consists of a text representation of the label 1508 * contents that can be used with user applications. Policy-agnostic 1509 * user space tools will display this externalized version. 1510 * 1511 * The policy's externalize entry points will be called only if the 1512 * policy has registered interest in the label namespace. 1513 * 1514 * @return 0 on success, return non-zero if an error occurs while 1515 * externalizing the label data. 1516 * 1517 */ 1518 typedef int mpo_mount_label_externalize_t( 1519 struct label *label, 1520 char *element_name, 1521 struct sbuf *sb 1522 ); 1523 /** 1524 * @brief Initialize mount point label 1525 * @param label New label to initialize 1526 * 1527 * Initialize the label for a newly instantiated mount structure. 1528 * This label is typically used to store a default label in the case 1529 * that the file system has been mounted singlelabel. Since some 1530 * file systems do not support persistent labels (extended attributes) 1531 * or are read-only (such as CD-ROMs), it is often necessary to store 1532 * a default label separately from the label of the mount point 1533 * itself. Sleeping is permitted. 1534 */ 1535 typedef void mpo_mount_label_init_t( 1536 struct label *label 1537 ); 1538 /** 1539 * @brief Internalize a mount point label 1540 * @param label Label to be internalized 1541 * @param element_name Name of the label namespace for which the label should 1542 * be internalized 1543 * @param element_data Text data to be internalized 1544 * 1545 * Produce a mount point file system label from an external representation. 1546 * An externalized label consists of a text representation of the label 1547 * contents that can be used with user applications. Policy-agnostic 1548 * user space tools will forward text version to the kernel for 1549 * processing by individual policy modules. 1550 * 1551 * The policy's internalize entry points will be called only if the 1552 * policy has registered interest in the label namespace. 1553 * 1554 * @return 0 on success, Otherwise, return non-zero if an error occurs 1555 * while internalizing the label data. 1556 * 1557 */ 1558 typedef int mpo_mount_label_internalize_t( 1559 struct label *label, 1560 char *element_name, 1561 char *element_data 1562 ); 1563 /** 1564 * @brief Notify on successful filesystem mount 1565 * @param cred Subject credential 1566 * @param mp Mount point of file system being mounted 1567 * @param mntlabel Label to associate with the new mount point 1568 * @see mpo_mount_label_init_t 1569 * 1570 * Notify on successful filesystem mount. The mntlabel associated 1571 * to this mount point should be initalized with mac_mount_label_init 1572 * prior to this call. 1573 */ 1574 typedef void mpo_mount_notify_mount_t( 1575 kauth_cred_t cred, 1576 struct mount *mp, 1577 struct label *mntlabel 1578 ); 1579 /** 1580 * @brief Access control check for opening an NECP file descriptor 1581 * @param cred Subject credential 1582 * @param flags Open flags 1583 * 1584 * Determine whether the subject identified by the credential can open 1585 * an NECP file descriptor. 1586 * 1587 * @return Return 0 if access is granted, otherwise an appropriate value for 1588 * errno should be returned. 1589 * 1590 */ 1591 typedef int mpo_necp_check_open_t( 1592 kauth_cred_t cred, 1593 int flags 1594 ); 1595 /** 1596 * @brief Access control check for necp_client_action(2) 1597 * @param cred Subject credential 1598 * @param fg NECP fileglob 1599 * @param action NECP client action 1600 * 1601 * Determine whether the subject identified by the credential can open 1602 * an NECP socket. 1603 * 1604 * @return Return 0 if access is granted, otherwise an appropriate value for 1605 * errno should be returned. 1606 * 1607 */ 1608 typedef int mpo_necp_check_client_action_t( 1609 kauth_cred_t cred, 1610 struct fileglob *fg, 1611 uint32_t action 1612 ); 1613 /** 1614 * @brief Access control check for pipe ioctl 1615 * @param cred Subject credential 1616 * @param cpipe Object to be accessed 1617 * @param pipelabel The label on the pipe 1618 * @param cmd The ioctl command; see ioctl(2) 1619 * 1620 * Determine whether the subject identified by the credential can perform 1621 * the ioctl operation indicated by cmd. 1622 * 1623 * @warning Since ioctl data is opaque from the standpoint of the MAC 1624 * framework, policies must exercise extreme care when implementing 1625 * access control checks. 1626 * 1627 * @return Return 0 if access is granted, otherwise an appropriate value for 1628 * errno should be returned. 1629 * 1630 */ 1631 typedef int mpo_pipe_check_ioctl_t( 1632 kauth_cred_t cred, 1633 struct pipe *cpipe, 1634 struct label *pipelabel, 1635 unsigned long cmd 1636 ); 1637 /** 1638 * @brief Access control check for pipe kqfilter 1639 * @param cred Subject credential 1640 * @param kn Object knote 1641 * @param cpipe Object to be accessed 1642 * @param pipelabel Policy label for the pipe 1643 * 1644 * Determine whether the subject identified by the credential can 1645 * receive the knote on the passed pipe. 1646 * 1647 * @return Return 0 if access if granted, otherwise an appropriate 1648 * value for errno should be returned. 1649 */ 1650 typedef int mpo_pipe_check_kqfilter_t( 1651 kauth_cred_t cred, 1652 struct knote *kn, 1653 struct pipe *cpipe, 1654 struct label *pipelabel 1655 ); 1656 /** 1657 * @brief Access control check for pipe read 1658 * @param cred Subject credential 1659 * @param cpipe Object to be accessed 1660 * @param pipelabel The label on the pipe 1661 * 1662 * Determine whether the subject identified by the credential can 1663 * perform a read operation on the passed pipe. The cred object holds 1664 * the credentials of the subject performing the operation. 1665 * 1666 * @return Return 0 if access is granted, otherwise an appropriate value for 1667 * errno should be returned. 1668 * 1669 */ 1670 typedef int mpo_pipe_check_read_t( 1671 kauth_cred_t cred, 1672 struct pipe *cpipe, 1673 struct label *pipelabel 1674 ); 1675 /** 1676 * @brief Access control check for pipe select 1677 * @param cred Subject credential 1678 * @param cpipe Object to be accessed 1679 * @param pipelabel The label on the pipe 1680 * @param which The operation selected on: FREAD or FWRITE 1681 * 1682 * Determine whether the subject identified by the credential can 1683 * perform a select operation on the passed pipe. The cred object holds 1684 * the credentials of the subject performing the operation. 1685 * 1686 * @return Return 0 if access is granted, otherwise an appropriate value for 1687 * errno should be returned. 1688 * 1689 */ 1690 typedef int mpo_pipe_check_select_t( 1691 kauth_cred_t cred, 1692 struct pipe *cpipe, 1693 struct label *pipelabel, 1694 int which 1695 ); 1696 /** 1697 * @brief Access control check for pipe stat 1698 * @param cred Subject credential 1699 * @param cpipe Object to be accessed 1700 * @param pipelabel The label on the pipe 1701 * 1702 * Determine whether the subject identified by the credential can 1703 * perform a stat operation on the passed pipe. The cred object holds 1704 * the credentials of the subject performing the operation. 1705 * 1706 * @return Return 0 if access is granted, otherwise an appropriate value for 1707 * errno should be returned. 1708 * 1709 */ 1710 typedef int mpo_pipe_check_stat_t( 1711 kauth_cred_t cred, 1712 struct pipe *cpipe, 1713 struct label *pipelabel 1714 ); 1715 /** 1716 * @brief Access control check for pipe write 1717 * @param cred Subject credential 1718 * @param cpipe Object to be accessed 1719 * @param pipelabel The label on the pipe 1720 * 1721 * Determine whether the subject identified by the credential can 1722 * perform a write operation on the passed pipe. The cred object holds 1723 * the credentials of the subject performing the operation. 1724 * 1725 * @return Return 0 if access is granted, otherwise an appropriate value for 1726 * errno should be returned. 1727 * 1728 */ 1729 typedef int mpo_pipe_check_write_t( 1730 kauth_cred_t cred, 1731 struct pipe *cpipe, 1732 struct label *pipelabel 1733 ); 1734 /** 1735 * @brief Create a pipe label 1736 * @param cred Subject credential 1737 * @param cpipe object to be labeled 1738 * @param pipelabel Label for the pipe object 1739 * 1740 * Create a label for the pipe object being created by the supplied 1741 * user credential. This call is made when a pipe pair is being created. 1742 * The label is shared by both ends of the pipe. 1743 */ 1744 typedef void mpo_pipe_label_associate_t( 1745 kauth_cred_t cred, 1746 struct pipe *cpipe, 1747 struct label *pipelabel 1748 ); 1749 /** 1750 * @brief Destroy pipe label 1751 * @param label The label to be destroyed 1752 * 1753 * Destroy a pipe label. Since the object is going out of scope, 1754 * policy modules should free any internal storage associated with the 1755 * label so that it may be destroyed. 1756 */ 1757 typedef void mpo_pipe_label_destroy_t( 1758 struct label *label 1759 ); 1760 /** 1761 * @brief Initialize pipe label 1762 * @param label New label to initialize 1763 * 1764 * Initialize label storage for use with a newly instantiated pipe object. 1765 * Sleeping is permitted. 1766 */ 1767 typedef void mpo_pipe_label_init_t( 1768 struct label *label 1769 ); 1770 /** 1771 * @brief Policy unload event 1772 * @param mpc MAC policy configuration 1773 * 1774 * This is the MAC Framework policy unload event. This entry point will 1775 * only be called if the module's policy configuration allows unload (if 1776 * the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't 1777 * want to be unloaded; they should set their flags to prevent this 1778 * entry point from being called. 1779 * 1780 * @warning During this call, the mac policy list mutex is held, so 1781 * sleep operations cannot be performed, and calls out to other kernel 1782 * subsystems must be made with caution. 1783 * 1784 * @see MPC_LOADTIME_FLAG_UNLOADOK 1785 */ 1786 typedef void mpo_policy_destroy_t( 1787 struct mac_policy_conf *mpc 1788 ); 1789 /** 1790 * @brief Policy initialization event 1791 * @param mpc MAC policy configuration 1792 * @see mac_policy_register 1793 * @see mpo_policy_initbsd_t 1794 * 1795 * This is the MAC Framework policy initialization event. This entry 1796 * point is called during mac_policy_register, when the policy module 1797 * is first registered with the MAC Framework. This is often done very 1798 * early in the boot process, after the kernel Mach subsystem has been 1799 * initialized, but prior to the BSD subsystem being initialized. 1800 * Since the kernel BSD services are not yet available, it is possible 1801 * that some initialization must occur later, possibly in the 1802 * mpo_policy_initbsd_t policy entry point, such as registering BSD system 1803 * controls (sysctls). Policy modules loaded at boot time will be 1804 * registered and initialized before labeled Mach objects are created. 1805 * 1806 * @warning During this call, the mac policy list mutex is held, so 1807 * sleep operations cannot be performed, and calls out to other kernel 1808 * subsystems must be made with caution. 1809 */ 1810 typedef void mpo_policy_init_t( 1811 struct mac_policy_conf *mpc 1812 ); 1813 /** 1814 * @brief Policy BSD initialization event 1815 * @param mpc MAC policy configuration 1816 * @see mpo_policy_init_t 1817 * 1818 * This entry point is called after the kernel BSD subsystem has been 1819 * initialized. By this point, the module should already be loaded, 1820 * registered, and initialized. Since policy modules are initialized 1821 * before kernel BSD services are available, this second initialization 1822 * phase is necessary. At this point, BSD services (memory management, 1823 * synchronization primitives, vfs, etc.) are available, but the first 1824 * process has not yet been created. Mach-related objects and tasks 1825 * will already be fully initialized and may be in use--policies requiring 1826 * ubiquitous labeling may also want to implement mpo_policy_init_t. 1827 * 1828 * @warning During this call, the mac policy list mutex is held, so 1829 * sleep operations cannot be performed, and calls out to other kernel 1830 * subsystems must be made with caution. 1831 */ 1832 typedef void mpo_policy_initbsd_t( 1833 struct mac_policy_conf *mpc 1834 ); 1835 /** 1836 * @brief Policy extension service 1837 * @param p Calling process 1838 * @param call Policy-specific syscall number 1839 * @param arg Pointer to syscall arguments 1840 * 1841 * This entry point provides a policy-multiplexed system call so that 1842 * policies may provide additional services to user processes without 1843 * registering specific system calls. The policy name provided during 1844 * registration is used to demux calls from userland, and the arguments 1845 * will be forwarded to this entry point. When implementing new 1846 * services, security modules should be sure to invoke appropriate 1847 * access control checks from the MAC framework as needed. For 1848 * example, if a policy implements an augmented signal functionality, 1849 * it should call the necessary signal access control checks to invoke 1850 * the MAC framework and other registered policies. 1851 * 1852 * @warning Since the format and contents of the policy-specific 1853 * arguments are unknown to the MAC Framework, modules must perform the 1854 * required copyin() of the syscall data on their own. No policy 1855 * mediation is performed, so policies must perform any necessary 1856 * access control checks themselves. If multiple policies are loaded, 1857 * they will currently be unable to mediate calls to other policies. 1858 * 1859 * @return In the event of an error, an appropriate value for errno 1860 * should be returned, otherwise return 0 upon success. 1861 */ 1862 typedef int mpo_policy_syscall_t( 1863 struct proc *p, 1864 int call, 1865 user_addr_t arg 1866 ); 1867 /** 1868 * @brief Access control check for POSIX semaphore create 1869 * @param cred Subject credential 1870 * @param name String name of the semaphore 1871 * 1872 * Determine whether the subject identified by the credential can create 1873 * a POSIX semaphore specified by name. 1874 * 1875 * @return Return 0 if access is granted, otherwise an appropriate value for 1876 * errno should be returned. 1877 */ 1878 typedef int mpo_posixsem_check_create_t( 1879 kauth_cred_t cred, 1880 const char *name 1881 ); 1882 /** 1883 * @brief Access control check for POSIX semaphore open 1884 * @param cred Subject credential 1885 * @param ps Pointer to semaphore information structure 1886 * @param semlabel Label associated with the semaphore 1887 * 1888 * Determine whether the subject identified by the credential can open 1889 * the named POSIX semaphore with label semlabel. 1890 * 1891 * @return Return 0 if access is granted, otherwise an appropriate value for 1892 * errno should be returned. 1893 */ 1894 typedef int mpo_posixsem_check_open_t( 1895 kauth_cred_t cred, 1896 struct pseminfo *ps, 1897 struct label *semlabel 1898 ); 1899 /** 1900 * @brief Access control check for POSIX semaphore post 1901 * @param cred Subject credential 1902 * @param ps Pointer to semaphore information structure 1903 * @param semlabel Label associated with the semaphore 1904 * 1905 * Determine whether the subject identified by the credential can unlock 1906 * the named POSIX semaphore with label semlabel. 1907 * 1908 * @return Return 0 if access is granted, otherwise an appropriate value for 1909 * errno should be returned. 1910 */ 1911 typedef int mpo_posixsem_check_post_t( 1912 kauth_cred_t cred, 1913 struct pseminfo *ps, 1914 struct label *semlabel 1915 ); 1916 /** 1917 * @brief Access control check for POSIX semaphore unlink 1918 * @param cred Subject credential 1919 * @param ps Pointer to semaphore information structure 1920 * @param semlabel Label associated with the semaphore 1921 * @param name String name of the semaphore 1922 * 1923 * Determine whether the subject identified by the credential can remove 1924 * the named POSIX semaphore with label semlabel. 1925 * 1926 * @return Return 0 if access is granted, otherwise an appropriate value for 1927 * errno should be returned. 1928 */ 1929 typedef int mpo_posixsem_check_unlink_t( 1930 kauth_cred_t cred, 1931 struct pseminfo *ps, 1932 struct label *semlabel, 1933 const char *name 1934 ); 1935 /** 1936 * @brief Access control check for POSIX semaphore wait 1937 * @param cred Subject credential 1938 * @param ps Pointer to semaphore information structure 1939 * @param semlabel Label associated with the semaphore 1940 * 1941 * Determine whether the subject identified by the credential can lock 1942 * the named POSIX semaphore with label semlabel. 1943 * 1944 * @return Return 0 if access is granted, otherwise an appropriate value for 1945 * errno should be returned. 1946 */ 1947 typedef int mpo_posixsem_check_wait_t( 1948 kauth_cred_t cred, 1949 struct pseminfo *ps, 1950 struct label *semlabel 1951 ); 1952 /** 1953 * @brief Create a POSIX semaphore label 1954 * @param cred Subject credential 1955 * @param ps Pointer to semaphore information structure 1956 * @param semlabel Label to associate with the new semaphore 1957 * @param name String name of the semaphore 1958 * 1959 * Label a new POSIX semaphore. The label was previously 1960 * initialized and associated with the semaphore. At this time, an 1961 * appropriate initial label value should be assigned to the object and 1962 * stored in semalabel. 1963 */ 1964 typedef void mpo_posixsem_label_associate_t( 1965 kauth_cred_t cred, 1966 struct pseminfo *ps, 1967 struct label *semlabel, 1968 const char *name 1969 ); 1970 /** 1971 * @brief Destroy POSIX semaphore label 1972 * @param label The label to be destroyed 1973 * 1974 * Destroy a POSIX semaphore label. Since the object is 1975 * going out of scope, policy modules should free any internal storage 1976 * associated with the label so that it may be destroyed. 1977 */ 1978 typedef void mpo_posixsem_label_destroy_t( 1979 struct label *label 1980 ); 1981 /** 1982 * @brief Initialize POSIX semaphore label 1983 * @param label New label to initialize 1984 * 1985 * Initialize the label for a newly instantiated POSIX semaphore. Sleeping 1986 * is permitted. 1987 */ 1988 typedef void mpo_posixsem_label_init_t( 1989 struct label *label 1990 ); 1991 /** 1992 * @brief Access control check for POSIX shared memory region create 1993 * @param cred Subject credential 1994 * @param name String name of the shared memory region 1995 * 1996 * Determine whether the subject identified by the credential can create 1997 * the POSIX shared memory region referenced by name. 1998 * 1999 * @return Return 0 if access is granted, otherwise an appropriate value for 2000 * errno should be returned. 2001 */ 2002 typedef int mpo_posixshm_check_create_t( 2003 kauth_cred_t cred, 2004 const char *name 2005 ); 2006 /** 2007 * @brief Access control check for mapping POSIX shared memory 2008 * @param cred Subject credential 2009 * @param ps Pointer to shared memory information structure 2010 * @param shmlabel Label associated with the shared memory region 2011 * @param prot mmap protections; see mmap(2) 2012 * @param flags shmat flags; see shmat(2) 2013 * 2014 * Determine whether the subject identified by the credential can map 2015 * the POSIX shared memory segment associated with shmlabel. 2016 * 2017 * @return Return 0 if access is granted, otherwise an appropriate value for 2018 * errno should be returned. 2019 */ 2020 typedef int mpo_posixshm_check_mmap_t( 2021 kauth_cred_t cred, 2022 struct pshminfo *ps, 2023 struct label *shmlabel, 2024 int prot, 2025 int flags 2026 ); 2027 /** 2028 * @brief Access control check for POSIX shared memory region open 2029 * @param cred Subject credential 2030 * @param ps Pointer to shared memory information structure 2031 * @param shmlabel Label associated with the shared memory region 2032 * @param fflags shm_open(2) open flags ('fflags' encoded) 2033 * 2034 * Determine whether the subject identified by the credential can open 2035 * the POSIX shared memory region. 2036 * 2037 * @return Return 0 if access is granted, otherwise an appropriate value for 2038 * errno should be returned. 2039 */ 2040 typedef int mpo_posixshm_check_open_t( 2041 kauth_cred_t cred, 2042 struct pshminfo *ps, 2043 struct label *shmlabel, 2044 int fflags 2045 ); 2046 /** 2047 * @brief Access control check for POSIX shared memory stat 2048 * @param cred Subject credential 2049 * @param ps Pointer to shared memory information structure 2050 * @param shmlabel Label associated with the shared memory region 2051 * 2052 * Determine whether the subject identified by the credential can obtain 2053 * status for the POSIX shared memory segment associated with shmlabel. 2054 * 2055 * @return Return 0 if access is granted, otherwise an appropriate value for 2056 * errno should be returned. 2057 */ 2058 typedef int mpo_posixshm_check_stat_t( 2059 kauth_cred_t cred, 2060 struct pshminfo *ps, 2061 struct label *shmlabel 2062 ); 2063 /** 2064 * @brief Access control check for POSIX shared memory truncate 2065 * @param cred Subject credential 2066 * @param ps Pointer to shared memory information structure 2067 * @param shmlabel Label associated with the shared memory region 2068 * @param len Length to truncate or extend shared memory segment 2069 * 2070 * Determine whether the subject identified by the credential can truncate 2071 * or extend (to len) the POSIX shared memory segment associated with shmlabel. 2072 * 2073 * @return Return 0 if access is granted, otherwise an appropriate value for 2074 * errno should be returned. 2075 */ 2076 typedef int mpo_posixshm_check_truncate_t( 2077 kauth_cred_t cred, 2078 struct pshminfo *ps, 2079 struct label *shmlabel, 2080 off_t len 2081 ); 2082 /** 2083 * @brief Access control check for POSIX shared memory unlink 2084 * @param cred Subject credential 2085 * @param ps Pointer to shared memory information structure 2086 * @param shmlabel Label associated with the shared memory region 2087 * @param name String name of the shared memory region 2088 * 2089 * Determine whether the subject identified by the credential can delete 2090 * the POSIX shared memory segment associated with shmlabel. 2091 * 2092 * @return Return 0 if access is granted, otherwise an appropriate value for 2093 * errno should be returned. 2094 */ 2095 typedef int mpo_posixshm_check_unlink_t( 2096 kauth_cred_t cred, 2097 struct pshminfo *ps, 2098 struct label *shmlabel, 2099 const char *name 2100 ); 2101 /** 2102 * @brief Create a POSIX shared memory region label 2103 * @param cred Subject credential 2104 * @param ps Pointer to shared memory information structure 2105 * @param shmlabel Label to associate with the new shared memory region 2106 * @param name String name of the shared memory region 2107 * 2108 * Label a new POSIX shared memory region. The label was previously 2109 * initialized and associated with the shared memory region. At this 2110 * time, an appropriate initial label value should be assigned to the 2111 * object and stored in shmlabel. 2112 */ 2113 typedef void mpo_posixshm_label_associate_t( 2114 kauth_cred_t cred, 2115 struct pshminfo *ps, 2116 struct label *shmlabel, 2117 const char *name 2118 ); 2119 /** 2120 * @brief Destroy POSIX shared memory label 2121 * @param label The label to be destroyed 2122 * 2123 * Destroy a POSIX shared memory region label. Since the 2124 * object is going out of scope, policy modules should free any 2125 * internal storage associated with the label so that it may be 2126 * destroyed. 2127 */ 2128 typedef void mpo_posixshm_label_destroy_t( 2129 struct label *label 2130 ); 2131 /** 2132 * @brief Initialize POSIX Shared Memory region label 2133 * @param label New label to initialize 2134 * 2135 * Initialize the label for newly a instantiated POSIX Shared Memory 2136 * region. Sleeping is permitted. 2137 */ 2138 typedef void mpo_posixshm_label_init_t( 2139 struct label *label 2140 ); 2141 /** 2142 * @brief Access control check for privileged operations 2143 * @param cred Subject credential 2144 * @param priv Requested privilege (see sys/priv.h) 2145 * 2146 * Determine whether the subject identified by the credential can perform 2147 * a privileged operation. Privileged operations are allowed if the cred 2148 * is the superuser or any policy returns zero for mpo_priv_grant, unless 2149 * any policy returns nonzero for mpo_priv_check. 2150 * 2151 * @return Return 0 if access is granted, otherwise EPERM should be returned. 2152 */ 2153 typedef int mpo_priv_check_t( 2154 kauth_cred_t cred, 2155 int priv 2156 ); 2157 /** 2158 * @brief Grant regular users the ability to perform privileged operations 2159 * @param cred Subject credential 2160 * @param priv Requested privilege (see sys/priv.h) 2161 * 2162 * Determine whether the subject identified by the credential should be 2163 * allowed to perform a privileged operation that in the absense of any 2164 * MAC policy it would not be able to perform. Privileged operations are 2165 * allowed if the cred is the superuser or any policy returns zero for 2166 * mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check. 2167 * 2168 * Unlike other MAC hooks which can only reduce the privilege of a 2169 * credential, this hook raises the privilege of a credential when it 2170 * returns 0. Extreme care must be taken when implementing this hook to 2171 * avoid undermining the security of the system. 2172 * 2173 * @return Return 0 if additional privilege is granted, otherwise EPERM 2174 * should be returned. 2175 */ 2176 typedef int mpo_priv_grant_t( 2177 kauth_cred_t cred, 2178 int priv 2179 ); 2180 /** 2181 * @brief Access control over process core dumps 2182 * @param proc Subject process 2183 * 2184 * Determine whether a core dump may be written to disk for the subject 2185 * identified. 2186 * 2187 * @return Return 0 if access is granted, otherwise an appropriate value for 2188 * errno should be returned. 2189 */ 2190 typedef int mpo_proc_check_dump_core_t( 2191 struct proc *proc 2192 ); 2193 /** 2194 * @brief Access control over remote thread creation 2195 * @param cred Subject credential 2196 * @param proc Object process 2197 * @param flavor Flavor of thread state passed in new_state, or -1 2198 * @param new_state Thread state to be set on the created thread, or NULL 2199 * @param new_state_count Size of thread state, in natural_t units, or 0 2200 * 2201 * Determine whether the subject can create a thread in the object process 2202 * by calling the thread_create or thread_create_running MIG routines on 2203 * another process' task port. For thread_create_running, the flavor, 2204 * new_state and new_state_count arguments are passed here before they are 2205 * converted and checked by machine-dependent code. 2206 * 2207 * @return Return 0 if access is granted, otherwise an appropriate value for 2208 * errno should be returned. 2209 */ 2210 typedef int mpo_proc_check_remote_thread_create_t( 2211 kauth_cred_t cred, 2212 struct proc *proc, 2213 int flavor, 2214 thread_state_t new_state, 2215 mach_msg_type_number_t new_state_count 2216 ); 2217 /** 2218 * @brief Access control check for debugging process 2219 * @param cred Subject credential 2220 * @param pident Object unique process identifier 2221 * 2222 * Determine whether the subject identified by the credential can debug 2223 * the passed process. This call may be made in a number of situations, 2224 * including use of the ptrace(2) and ktrace(2) APIs, as well as for some 2225 * types of procfs operations. 2226 * 2227 * @return Return 0 if access is granted, otherwise an appropriate value for 2228 * errno should be returned. Suggested failure: EACCES for label mismatch, 2229 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 2230 */ 2231 typedef int mpo_proc_check_debug_t( 2232 kauth_cred_t cred, 2233 struct proc_ident *pident 2234 ); 2235 /** 2236 * @brief Access control over fork 2237 * @param cred Subject credential 2238 * @param proc Subject process trying to fork 2239 * 2240 * Determine whether the subject identified is allowed to fork. 2241 * 2242 * @return Return 0 if access is granted, otherwise an appropriate value for 2243 * errno should be returned. 2244 */ 2245 typedef int mpo_proc_check_fork_t( 2246 kauth_cred_t cred, 2247 struct proc *proc 2248 ); 2249 /** 2250 * @brief Access control check for setting host special ports. 2251 * @param cred Subject credential 2252 * @param id The host special port to set 2253 * @param port The new value to set for the special port 2254 * 2255 * @return Return 0 if access is granted, otherwise an appropriate value for 2256 * errno should be returned. 2257 */ 2258 typedef int mpo_proc_check_set_host_special_port_t( 2259 kauth_cred_t cred, 2260 int id, 2261 struct ipc_port *port 2262 ); 2263 /** 2264 * @brief Access control check for setting host exception ports. 2265 * @param cred Subject credential 2266 * @param exception Exception port to set 2267 * 2268 * @return Return 0 if access is granted, otherwise an appropriate value for 2269 * errno should be returned. 2270 */ 2271 typedef int mpo_proc_check_set_host_exception_port_t( 2272 kauth_cred_t cred, 2273 unsigned int exception 2274 ); 2275 /** 2276 * @brief Access control check for getting task special ports. 2277 * @param cred Subject credential 2278 * @param pident Object unique process identifier, NULL if target is a corpse task 2279 * @param which The task special port to get 2280 * 2281 * @return Return 0 if access is granted, otherwise an appropriate value for 2282 * errno should be returned. 2283 */ 2284 typedef int mpo_proc_check_get_task_special_port_t( 2285 kauth_cred_t cred, 2286 struct proc_ident *pident, 2287 int which 2288 ); 2289 /** 2290 * @brief Access control check for setting task special ports. 2291 * @param cred Subject credential 2292 * @param pident Object unique process identifier 2293 * @param which The task special port to set 2294 * @param port The new value to set for the special port 2295 * 2296 * @return Return 0 if access is granted, otherwise an appropriate value for 2297 * errno should be returned. 2298 */ 2299 typedef int mpo_proc_check_set_task_special_port_t( 2300 kauth_cred_t cred, 2301 struct proc_ident *pident, 2302 int which, 2303 struct ipc_port *port 2304 ); 2305 /** 2306 * @brief Access control check for setting task exception ports for current task. 2307 * @param cred Subject credential 2308 * @param pident Object unique process identifier 2309 * @param exception Exception port to set 2310 * @param new_behavior exception_behavior_t value 2311 * 2312 * @return Return 0 if access is granted, otherwise an appropriate value for 2313 * errno should be returned. 2314 */ 2315 typedef int mpo_proc_check_set_task_exception_port_t( 2316 kauth_cred_t cred, 2317 struct proc_ident *pident, 2318 unsigned int exception, 2319 int new_behavior 2320 ); 2321 /** 2322 * @brief Access control check for setting thread exception ports. 2323 * @param cred Subject credential 2324 * @param pident Object unique process identifier 2325 * @param exception Exception port to set 2326 * @param new_behavior exception_behavior_t value 2327 * 2328 * @return Return 0 if access is granted, otherwise an appropriate value for 2329 * errno should be returned. 2330 */ 2331 typedef int mpo_proc_check_set_thread_exception_port_t( 2332 kauth_cred_t cred, 2333 struct proc_ident *pident, 2334 unsigned int exception, 2335 int new_behavior 2336 ); 2337 /** 2338 * @brief Access control check for getting movable task/thread control port for current task. 2339 * @param cred Subject credential 2340 * 2341 * @return Return 0 if access is granted, otherwise an appropriate value for 2342 * errno should be returned. 2343 */ 2344 typedef int mpo_proc_check_get_movable_control_port_t( 2345 kauth_cred_t cred 2346 ); 2347 /** 2348 * @brief Access control check for calling task_dyld_process_info_notify_register 2349 * and task_dyld_process_info_notify_deregister. 2350 * @param cred Subject credential 2351 * 2352 * @return Return 0 if access is granted, otherwise an appropriate value for 2353 * errno should be returned. 2354 */ 2355 typedef int mpo_proc_check_dyld_process_info_notify_register_t( 2356 kauth_cred_t cred 2357 ); 2358 /** 2359 * @brief Access control over pid_suspend, pid_resume and family 2360 * @param cred Subject credential 2361 * @param proc Object process 2362 * @param sr Type of call; one of MAC_PROC_CHECK_SUSPEND, 2363 * MAC_PROC_CHECK_RESUME, MAC_PROC_CHECK_HIBERNATE, 2364 * MAC_PROC_CHECK_SHUTDOWN_SOCKETS or MAC_PROC_CHECK_PIDBIND. 2365 * 2366 * Determine whether the subject identified is allowed to call pid_suspend, 2367 * pid_resume, pid_hibernate, pid_shutdown_sockets, 2368 * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_DEVSTATUS) or 2369 * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_PIDBIND) on 2370 * the object process. 2371 * 2372 * @return Return 0 if access is granted, otherwise an appropriate value for 2373 * errno should be returned. 2374 */ 2375 typedef int mpo_proc_check_suspend_resume_t( 2376 kauth_cred_t cred, 2377 struct proc *proc, 2378 int sr 2379 ); 2380 /** 2381 * @brief Access control check for retrieving audit information 2382 * @param cred Subject credential 2383 * 2384 * Determine whether the subject identified by the credential can get 2385 * audit information such as the audit user ID, the preselection mask, 2386 * the terminal ID and the audit session ID, using the getaudit() system call. 2387 * 2388 * @return Return 0 if access is granted, otherwise an appropriate value for 2389 * errno should be returned. 2390 */ 2391 typedef int mpo_proc_check_getaudit_t( 2392 kauth_cred_t cred 2393 ); 2394 /** 2395 * @brief Access control check for retrieving audit user ID 2396 * @param cred Subject credential 2397 * 2398 * Determine whether the subject identified by the credential can get 2399 * the user identity being used by the auditing system, using the getauid() 2400 * system call. 2401 * 2402 * @return Return 0 if access is granted, otherwise an appropriate value for 2403 * errno should be returned. 2404 */ 2405 typedef int mpo_proc_check_getauid_t( 2406 kauth_cred_t cred 2407 ); 2408 /** 2409 * @brief Access control check for retrieving ledger information 2410 * @param cred Subject credential 2411 * @param target Object process 2412 * @param op ledger operation 2413 * 2414 * Determine if ledger(2) system call is permitted. 2415 * 2416 * Information returned by this system call is similar to that returned via 2417 * process listings etc. 2418 * 2419 * @return Return 0 if access is granted, otherwise an appropriate value for 2420 * errno should be returned. 2421 */ 2422 typedef int mpo_proc_check_ledger_t( 2423 kauth_cred_t cred, 2424 struct proc *target, 2425 int op 2426 ); 2427 /** 2428 * @brief Access control check for retrieving process information. 2429 * @param cred Subject credential 2430 * @param target Target process (may be null, may be zombie) 2431 * 2432 * Determine if a credential has permission to access process information as defined 2433 * by call number and flavor on target process 2434 * 2435 * @return Return 0 if access is granted, otherwise an appropriate value for 2436 * errno should be returned. 2437 */ 2438 typedef int mpo_proc_check_proc_info_t( 2439 kauth_cred_t cred, 2440 struct proc *target, 2441 int callnum, 2442 int flavor 2443 ); 2444 /** 2445 * @brief Access control check for retrieving code signing information. 2446 * @param cred Subject credential 2447 * @param target Target process 2448 * @param op Code signing operation being performed 2449 * 2450 * Determine whether the subject identified by the credential should be 2451 * allowed to get code signing information about the target process. 2452 * 2453 * @return Return 0 if access is granted, otherwise an appropriate value for 2454 * errno should be returned. 2455 */ 2456 typedef int mpo_proc_check_get_cs_info_t( 2457 kauth_cred_t cred, 2458 struct proc *target, 2459 unsigned int op 2460 ); 2461 /** 2462 * @brief Access control check for setting code signing information. 2463 * @param cred Subject credential 2464 * @param target Target process 2465 * @param op Code signing operation being performed. 2466 * 2467 * Determine whether the subject identified by the credential should be 2468 * allowed to set code signing information about the target process. 2469 * 2470 * @return Return 0 if permission is granted, otherwise an appropriate 2471 * value of errno should be returned. 2472 */ 2473 typedef int mpo_proc_check_set_cs_info_t( 2474 kauth_cred_t cred, 2475 struct proc *target, 2476 unsigned int op 2477 ); 2478 /** 2479 * @brief Access control check for mmap MAP_ANON 2480 * @param proc User process requesting the memory 2481 * @param cred Subject credential 2482 * @param u_addr Start address of the memory range 2483 * @param u_size Length address of the memory range 2484 * @param prot mmap protections; see mmap(2) 2485 * @param flags Type of mapped object; see mmap(2) 2486 * @param maxprot Maximum rights 2487 * 2488 * Determine whether the subject identified by the credential should be 2489 * allowed to obtain anonymous memory using the specified flags and 2490 * protections on the new mapping. MAP_ANON will always be present in the 2491 * flags. Certain combinations of flags with a non-NULL addr may 2492 * cause a mapping to be rejected before this hook is called. The maxprot field 2493 * holds the maximum permissions on the new mapping, a combination of 2494 * VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior 2495 * access control checks, a policy should only remove flags from maxprot. 2496 * 2497 * @return Return 0 if access is granted, otherwise an appropriate value for 2498 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2499 */ 2500 typedef int mpo_proc_check_map_anon_t( 2501 struct proc *proc, 2502 kauth_cred_t cred, 2503 user_addr_t u_addr, 2504 user_size_t u_size, 2505 int prot, 2506 int flags, 2507 int *maxprot 2508 ); 2509 /** 2510 * @brief Access control check for memorystatus_control(2) 2511 * @param cred Subject credential 2512 * @param command Memory status control command 2513 * @param pid Target process id, or 0 2514 * 2515 * Determine whether the subject identified by the credential should 2516 * be allowed to issue the specified memorystatus control command. 2517 * 2518 * @return Return 0 if access is granted, otherwise an appropriate value for 2519 * errno should be returned. 2520 */ 2521 typedef int mpo_proc_check_memorystatus_control_t( 2522 kauth_cred_t cred, 2523 int32_t command, 2524 pid_t pid 2525 ); 2526 /** 2527 * @brief Access control check for setting memory protections 2528 * @param cred Subject credential 2529 * @param proc User process requesting the change 2530 * @param addr Start address of the memory range 2531 * @param size Length address of the memory range 2532 * @param prot Memory protections, see mmap(2) 2533 * 2534 * Determine whether the subject identified by the credential should 2535 * be allowed to set the specified memory protections on memory mapped 2536 * in the process proc. 2537 * 2538 * @return Return 0 if access is granted, otherwise an appropriate value for 2539 * errno should be returned. 2540 */ 2541 typedef int mpo_proc_check_mprotect_t( 2542 kauth_cred_t cred, 2543 struct proc *proc, 2544 user_addr_t addr, 2545 user_size_t size, 2546 int prot 2547 ); 2548 /** 2549 * @brief Access control check for changing scheduling parameters 2550 * @param cred Subject credential 2551 * @param proc Object process 2552 * 2553 * Determine whether the subject identified by the credential can change 2554 * the scheduling parameters of the passed process. 2555 * 2556 * @return Return 0 if access is granted, otherwise an appropriate value for 2557 * errno should be returned. Suggested failure: EACCES for label mismatch, 2558 * EPERM for lack of privilege, or ESRCH to limit visibility. 2559 */ 2560 typedef int mpo_proc_check_sched_t( 2561 kauth_cred_t cred, 2562 struct proc *proc 2563 ); 2564 /** 2565 * @brief Access control check for setting audit information 2566 * @param cred Subject credential 2567 * @param ai Audit information 2568 * 2569 * Determine whether the subject identified by the credential can set 2570 * audit information such as the the preselection mask, the terminal ID 2571 * and the audit session ID, using the setaudit() system call. 2572 * 2573 * @return Return 0 if access is granted, otherwise an appropriate value for 2574 * errno should be returned. 2575 */ 2576 typedef int mpo_proc_check_setaudit_t( 2577 kauth_cred_t cred, 2578 struct auditinfo_addr *ai 2579 ); 2580 /** 2581 * @brief Access control check for setting audit user ID 2582 * @param cred Subject credential 2583 * @param auid Audit user ID 2584 * 2585 * Determine whether the subject identified by the credential can set 2586 * the user identity used by the auditing system, using the setauid() 2587 * system call. 2588 * 2589 * @return Return 0 if access is granted, otherwise an appropriate value for 2590 * errno should be returned. 2591 */ 2592 typedef int mpo_proc_check_setauid_t( 2593 kauth_cred_t cred, 2594 uid_t auid 2595 ); 2596 /** 2597 * @brief Access control check for delivering signal 2598 * @param cred Subject credential 2599 * @param instigator Process which instigated the signal (optional) 2600 * @param target Object process 2601 * @param signum Signal number; see kill(2) 2602 * 2603 * Determine whether the subject identified by the credential can deliver 2604 * the passed signal to the passed process. 2605 * 2606 * @warning Programs typically expect to be able to send and receive 2607 * signals as part or their normal process lifecycle; caution should be 2608 * exercised when implementing access controls over signal events. 2609 * 2610 * @note Caller will always be current_proc(). But the instigator may be NULL, 2611 * may not be the current proc, and may no longer be running. 2612 * 2613 * @warning Policy implementations must avoid obtaining proc refs of 2614 * two different processes simultaneously. 2615 * 2616 * @return Return 0 if access is granted, otherwise an appropriate value for 2617 * errno should be returned. Suggested failure: EACCES for label mismatch, 2618 * EPERM for lack of privilege, or ESRCH to limit visibility. 2619 */ 2620 #define NEEDS_RDAR_132584934 1 // Required until both EndpointSecurity & Sandbox are updated 2621 typedef int mpo_proc_check_signal_t( 2622 kauth_cred_t cred, 2623 proc_ident_t instigator, 2624 proc_ident_t target, 2625 int signum 2626 ); 2627 /** 2628 * @brief Access control check for MAC syscalls. 2629 * @param proc Subject process 2630 * @param policy MAC policy name 2631 * @param callnum MAC policy-specific syscall number 2632 * 2633 * Determine whether the subject process can perform the passed MAC syscall. 2634 * 2635 * @return Return 0 if access is granted, otherwise an appropriate value for 2636 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2637 */ 2638 typedef int mpo_proc_check_syscall_mac_t( 2639 struct proc *proc, 2640 const char *policy, 2641 int callnum 2642 ); 2643 /** 2644 * @brief Access control check for Unix syscalls. 2645 * @param proc Subject process 2646 * @param scnum Syscall number; see bsd/kern/syscalls.master. 2647 * 2648 * Determine whether the subject process can perform the passed syscall (number). 2649 * 2650 * @warning Programs typically expect to be able to make syscalls as part of 2651 * their normal process lifecycle; caution should be exercised when restricting 2652 * which syscalls a process can perform. 2653 * 2654 * @return Return 0 if access is granted, otherwise an appropriate value for 2655 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2656 */ 2657 typedef int mpo_proc_check_syscall_unix_t( 2658 struct proc *proc, 2659 int scnum 2660 ); 2661 /** 2662 * @brief Access control check for wait 2663 * @param cred Subject credential 2664 * @param proc Object process 2665 * 2666 * Determine whether the subject identified by the credential can wait 2667 * for process termination. 2668 * 2669 * @warning Caution should be exercised when implementing access 2670 * controls for wait, since programs often wait for child processes to 2671 * exit. Failure to be notified of a child process terminating may 2672 * cause the parent process to hang, or may produce zombie processes. 2673 * 2674 * @return Return 0 if access is granted, otherwise an appropriate value for 2675 * errno should be returned. 2676 */ 2677 typedef int mpo_proc_check_wait_t( 2678 kauth_cred_t cred, 2679 struct proc *proc 2680 ); 2681 /** 2682 * @brief Inform MAC policies that a process has exited. 2683 * @param proc Object process 2684 * 2685 * Called after all of the process's threads have terminated and 2686 * it has been removed from the process list. KPI that identifies 2687 * the process by pid will fail to find the process; KPI that 2688 * identifies the process by the object process pointer functions 2689 * normally. proc_exiting() returns true for the object process. 2690 */ 2691 typedef void mpo_proc_notify_exit_t( 2692 struct proc *proc 2693 ); 2694 /** 2695 * @brief Access control check for skywalk flow connect 2696 * @param cred Subject credential 2697 * @param flow Flow object 2698 * @param addr Remote address for flow to send data to 2699 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) 2700 * @param protocol Network protocol (e.g. IPPROTO_TCP) 2701 * 2702 * Determine whether the subject identified by the credential can 2703 * create a flow for sending data to the remote host specified by 2704 * addr. 2705 * 2706 * @return Return 0 if access if granted, otherwise an appropriate 2707 * value for errno should be returned. 2708 */ 2709 typedef int mpo_skywalk_flow_check_connect_t( 2710 kauth_cred_t cred, 2711 void *flow, 2712 const struct sockaddr *addr, 2713 int type, 2714 int protocol 2715 ); 2716 /** 2717 * @brief Access control check for skywalk flow listen 2718 * @param cred Subject credential 2719 * @param flow Flow object 2720 * @param addr Local address for flow to listen on 2721 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) 2722 * @param protocol Network protocol (e.g. IPPROTO_TCP) 2723 * 2724 * Determine whether the subject identified by the credential can 2725 * create a flow for receiving data on the local address specified 2726 * by addr. 2727 * 2728 * @return Return 0 if access if granted, otherwise an appropriate 2729 * value for errno should be returned. 2730 */ 2731 typedef int mpo_skywalk_flow_check_listen_t( 2732 kauth_cred_t cred, 2733 void *flow, 2734 const struct sockaddr *addr, 2735 int type, 2736 int protocol 2737 ); 2738 /** 2739 * @brief Access control check for socket accept 2740 * @param cred Subject credential 2741 * @param so Object socket 2742 * @param socklabel Policy label for socket 2743 * 2744 * Determine whether the subject identified by the credential can accept() 2745 * a new connection on the socket from the host specified by addr. 2746 * 2747 * @return Return 0 if access if granted, otherwise an appropriate 2748 * value for errno should be returned. 2749 */ 2750 typedef int mpo_socket_check_accept_t( 2751 kauth_cred_t cred, 2752 socket_t so, 2753 struct label *socklabel 2754 ); 2755 /** 2756 * @brief Access control check for a pending socket accept 2757 * @param cred Subject credential 2758 * @param so Object socket 2759 * @param socklabel Policy label for socket 2760 * @param addr Address of the listening socket (coming soon) 2761 * 2762 * Determine whether the subject identified by the credential can accept() 2763 * a pending connection on the socket from the host specified by addr. 2764 * 2765 * @return Return 0 if access if granted, otherwise an appropriate 2766 * value for errno should be returned. 2767 */ 2768 typedef int mpo_socket_check_accepted_t( 2769 kauth_cred_t cred, 2770 socket_t so, 2771 struct label *socklabel, 2772 struct sockaddr *addr 2773 ); 2774 /** 2775 * @brief Access control check for socket bind 2776 * @param cred Subject credential 2777 * @param so Object socket 2778 * @param socklabel Policy label for socket 2779 * @param addr Name to assign to the socket 2780 * 2781 * Determine whether the subject identified by the credential can bind() 2782 * the name (addr) to the socket. 2783 * 2784 * @return Return 0 if access if granted, otherwise an appropriate 2785 * value for errno should be returned. 2786 */ 2787 typedef int mpo_socket_check_bind_t( 2788 kauth_cred_t cred, 2789 socket_t so, 2790 struct label *socklabel, 2791 struct sockaddr *addr 2792 ); 2793 /** 2794 * @brief Access control check for socket connect 2795 * @param cred Subject credential 2796 * @param so Object socket 2797 * @param socklabel Policy label for socket 2798 * @param addr Name to assign to the socket 2799 * 2800 * Determine whether the subject identified by the credential can 2801 * connect() the passed socket to the remote host specified by addr. 2802 * 2803 * @return Return 0 if access if granted, otherwise an appropriate 2804 * value for errno should be returned. 2805 */ 2806 typedef int mpo_socket_check_connect_t( 2807 kauth_cred_t cred, 2808 socket_t so, 2809 struct label *socklabel, 2810 struct sockaddr *addr 2811 ); 2812 /** 2813 * @brief Access control check for socket() system call. 2814 * @param cred Subject credential 2815 * @param domain communication domain 2816 * @param type socket type 2817 * @param protocol socket protocol 2818 * 2819 * Determine whether the subject identified by the credential can 2820 * make the socket() call. 2821 * 2822 * @return Return 0 if access if granted, otherwise an appropriate 2823 * value for errno should be returned. 2824 */ 2825 typedef int mpo_socket_check_create_t( 2826 kauth_cred_t cred, 2827 int domain, 2828 int type, 2829 int protocol 2830 ); 2831 /** 2832 * @brief Access control check for socket ioctl. 2833 * @param cred Subject credential 2834 * @param so Object socket 2835 * @param cmd The ioctl command; see ioctl(2) 2836 * @param socklabel Policy label for socket 2837 * 2838 * Determine whether the subject identified by the credential can perform 2839 * the ioctl operation indicated by cmd on the given socket. 2840 * 2841 * @warning Since ioctl data is opaque from the standpoint of the MAC 2842 * framework, and since ioctls can affect many aspects of system 2843 * operation, policies must exercise extreme care when implementing 2844 * access control checks. 2845 * 2846 * @return Return 0 if access is granted, otherwise an appropriate value for 2847 * errno should be returned. 2848 */ 2849 typedef int mpo_socket_check_ioctl_t( 2850 kauth_cred_t cred, 2851 socket_t so, 2852 unsigned long cmd, 2853 struct label *socklabel 2854 ); 2855 /** 2856 * @brief Access control check for socket listen 2857 * @param cred Subject credential 2858 * @param so Object socket 2859 * @param socklabel Policy label for socket 2860 * 2861 * Determine whether the subject identified by the credential can 2862 * listen() on the passed socket. 2863 * 2864 * @return Return 0 if access if granted, otherwise an appropriate 2865 * value for errno should be returned. 2866 */ 2867 typedef int mpo_socket_check_listen_t( 2868 kauth_cred_t cred, 2869 socket_t so, 2870 struct label *socklabel 2871 ); 2872 /** 2873 * @brief Access control check for socket receive 2874 * @param cred Subject credential 2875 * @param so Object socket 2876 * @param socklabel Policy label for socket 2877 * 2878 * Determine whether the subject identified by the credential can 2879 * receive data from the socket. 2880 * 2881 * @return Return 0 if access if granted, otherwise an appropriate 2882 * value for errno should be returned. 2883 */ 2884 typedef int mpo_socket_check_receive_t( 2885 kauth_cred_t cred, 2886 socket_t so, 2887 struct label *socklabel 2888 ); 2889 2890 /** 2891 * @brief Access control check for socket receive 2892 * @param cred Subject credential 2893 * @param sock Object socket 2894 * @param socklabel Policy label for socket 2895 * @param saddr Name of the remote socket 2896 * 2897 * Determine whether the subject identified by the credential can 2898 * receive data from the remote host specified by addr. 2899 * 2900 * @return Return 0 if access if granted, otherwise an appropriate 2901 * value for errno should be returned. 2902 */ 2903 typedef int mpo_socket_check_received_t( 2904 kauth_cred_t cred, 2905 struct socket *sock, 2906 struct label *socklabel, 2907 struct sockaddr *saddr 2908 ); 2909 2910 /** 2911 * @brief Access control check for socket send 2912 * @param cred Subject credential 2913 * @param so Object socket 2914 * @param socklabel Policy label for socket 2915 * @param addr Address being sent to 2916 * 2917 * Determine whether the subject identified by the credential can send 2918 * data to the socket. 2919 * 2920 * @return Return 0 if access if granted, otherwise an appropriate 2921 * value for errno should be returned. 2922 */ 2923 typedef int mpo_socket_check_send_t( 2924 kauth_cred_t cred, 2925 socket_t so, 2926 struct label *socklabel, 2927 struct sockaddr *addr 2928 ); 2929 /** 2930 * @brief Access control check for retrieving socket status 2931 * @param cred Subject credential 2932 * @param so Object socket 2933 * @param socklabel Policy label for so 2934 * 2935 * Determine whether the subject identified by the credential can 2936 * execute the stat() system call on the given socket. 2937 * 2938 * @return Return 0 if access if granted, otherwise an appropriate 2939 * value for errno should be returned. 2940 */ 2941 typedef int mpo_socket_check_stat_t( 2942 kauth_cred_t cred, 2943 socket_t so, 2944 struct label *socklabel 2945 ); 2946 /** 2947 * @brief Access control check for setting socket options 2948 * @param cred Subject credential 2949 * @param so Object socket 2950 * @param socklabel Policy label for so 2951 * @param sopt The options being set 2952 * 2953 * Determine whether the subject identified by the credential can 2954 * execute the setsockopt system call on the given socket. 2955 * 2956 * @return Return 0 if access if granted, otherwise an appropriate 2957 * value for errno should be returned. 2958 */ 2959 typedef int mpo_socket_check_setsockopt_t( 2960 kauth_cred_t cred, 2961 socket_t so, 2962 struct label *socklabel, 2963 struct sockopt *sopt 2964 ); 2965 /** 2966 * @brief Access control check for getting socket options 2967 * @param cred Subject credential 2968 * @param so Object socket 2969 * @param socklabel Policy label for so 2970 * @param sopt The options to get 2971 * 2972 * Determine whether the subject identified by the credential can 2973 * execute the getsockopt system call on the given socket. 2974 * 2975 * @return Return 0 if access if granted, otherwise an appropriate 2976 * value for errno should be returned. 2977 */ 2978 typedef int mpo_socket_check_getsockopt_t( 2979 kauth_cred_t cred, 2980 socket_t so, 2981 struct label *socklabel, 2982 struct sockopt *sopt 2983 ); 2984 /** 2985 * @brief Access control check for enabling accounting 2986 * @param cred Subject credential 2987 * @param vp Accounting file 2988 * @param vlabel Label associated with vp 2989 * 2990 * Determine whether the subject should be allowed to enable accounting, 2991 * based on its label and the label of the accounting log file. See 2992 * acct(5) for more information. 2993 * 2994 * As accounting is disabled by passing NULL to the acct(2) system call, 2995 * the policy should be prepared for both 'vp' and 'vlabel' to be NULL. 2996 * 2997 * @return Return 0 if access is granted, otherwise an appropriate value for 2998 * errno should be returned. 2999 */ 3000 typedef int mpo_system_check_acct_t( 3001 kauth_cred_t cred, 3002 struct vnode *vp, 3003 struct label *vlabel 3004 ); 3005 /** 3006 * @brief Access control check for audit 3007 * @param cred Subject credential 3008 * @param record Audit record 3009 * @param length Audit record length 3010 * 3011 * Determine whether the subject identified by the credential can submit 3012 * an audit record for inclusion in the audit log via the audit() system call. 3013 * 3014 * @return Return 0 if access is granted, otherwise an appropriate value for 3015 * errno should be returned. 3016 */ 3017 typedef int mpo_system_check_audit_t( 3018 kauth_cred_t cred, 3019 void *record, 3020 int length 3021 ); 3022 /** 3023 * @brief Access control check for controlling audit 3024 * @param cred Subject credential 3025 * @param vp Audit file 3026 * @param vl Label associated with vp 3027 * 3028 * Determine whether the subject should be allowed to enable auditing using 3029 * the auditctl() system call, based on its label and the label of the proposed 3030 * audit file. 3031 * 3032 * @return Return 0 if access is granted, otherwise an appropriate value for 3033 * errno should be returned. 3034 */ 3035 typedef int mpo_system_check_auditctl_t( 3036 kauth_cred_t cred, 3037 struct vnode *vp, 3038 struct label *vl 3039 ); 3040 /** 3041 * @brief Access control check for manipulating auditing 3042 * @param cred Subject credential 3043 * @param cmd Audit control command 3044 * 3045 * Determine whether the subject identified by the credential can perform 3046 * the audit subsystem control operation cmd via the auditon() system call. 3047 * 3048 * @return Return 0 if access is granted, otherwise an appropriate value for 3049 * errno should be returned. 3050 */ 3051 typedef int mpo_system_check_auditon_t( 3052 kauth_cred_t cred, 3053 int cmd 3054 ); 3055 /** 3056 * @brief Access control check for obtaining the host control port 3057 * @param cred Subject credential 3058 * 3059 * Determine whether the subject identified by the credential can 3060 * obtain the host control port. 3061 * 3062 * @return Return 0 if access is granted, or non-zero otherwise. 3063 */ 3064 typedef int mpo_system_check_host_priv_t( 3065 kauth_cred_t cred 3066 ); 3067 /** 3068 * @brief Access control check for obtaining system information 3069 * @param cred Subject credential 3070 * @param info_type A description of the information requested 3071 * 3072 * Determine whether the subject identified by the credential should be 3073 * allowed to obtain information about the system. 3074 * 3075 * This is a generic hook that can be used in a variety of situations where 3076 * information is being returned that might be considered sensitive. 3077 * Rather than adding a new MAC hook for every such interface, this hook can 3078 * be called with a string identifying the type of information requested. 3079 * 3080 * @return Return 0 if access is granted, otherwise an appropriate value for 3081 * errno should be returned. 3082 */ 3083 typedef int mpo_system_check_info_t( 3084 kauth_cred_t cred, 3085 const char *info_type 3086 ); 3087 /** 3088 * @brief Access control check for calling NFS services 3089 * @param cred Subject credential 3090 * 3091 * Determine whether the subject identified by the credential should be 3092 * allowed to call nfssrv(2). 3093 * 3094 * @return Return 0 if access is granted, otherwise an appropriate value for 3095 * errno should be returned. 3096 */ 3097 typedef int mpo_system_check_nfsd_t( 3098 kauth_cred_t cred 3099 ); 3100 /** 3101 * @brief Access control check for reboot 3102 * @param cred Subject credential 3103 * @param howto howto parameter from reboot(2) 3104 * 3105 * Determine whether the subject identified by the credential should be 3106 * allowed to reboot the system in the specified manner. 3107 * 3108 * @return Return 0 if access is granted, otherwise an appropriate value for 3109 * errno should be returned. 3110 */ 3111 typedef int mpo_system_check_reboot_t( 3112 kauth_cred_t cred, 3113 int howto 3114 ); 3115 /** 3116 * @brief Access control check for setting system clock 3117 * @param cred Subject credential 3118 * 3119 * Determine whether the subject identified by the credential should be 3120 * allowed to set the system clock. 3121 * 3122 * @return Return 0 if access is granted, otherwise an appropriate value for 3123 * errno should be returned. 3124 */ 3125 typedef int mpo_system_check_settime_t( 3126 kauth_cred_t cred 3127 ); 3128 /** 3129 * @brief Access control check for removing swap devices 3130 * @param cred Subject credential 3131 * @param vp Swap device 3132 * @param label Label associated with vp 3133 * 3134 * Determine whether the subject identified by the credential should be 3135 * allowed to remove vp as a swap device. 3136 * 3137 * @return Return 0 if access is granted, otherwise an appropriate value for 3138 * errno should be returned. 3139 */ 3140 typedef int mpo_system_check_swapoff_t( 3141 kauth_cred_t cred, 3142 struct vnode *vp, 3143 struct label *label 3144 ); 3145 /** 3146 * @brief Access control check for adding swap devices 3147 * @param cred Subject credential 3148 * @param vp Swap device 3149 * @param label Label associated with vp 3150 * 3151 * Determine whether the subject identified by the credential should be 3152 * allowed to add vp as a swap device. 3153 * 3154 * @return Return 0 if access is granted, otherwise an appropriate value for 3155 * errno should be returned. 3156 */ 3157 typedef int mpo_system_check_swapon_t( 3158 kauth_cred_t cred, 3159 struct vnode *vp, 3160 struct label *label 3161 ); 3162 /** 3163 * @brief Access control check for sysctl 3164 * @param cred Subject credential 3165 * @param namestring String representation of sysctl name. 3166 * @param name Integer name; see sysctl(3) 3167 * @param namelen Length of name array of integers; see sysctl(3) 3168 * @param old 0 or address where to store old value; see sysctl(3) 3169 * @param oldlen Length of old buffer; see sysctl(3) 3170 * @param newvalue 0 or address of new value; see sysctl(3) 3171 * @param newlen Length of new buffer; see sysctl(3) 3172 * 3173 * Determine whether the subject identified by the credential should be 3174 * allowed to make the specified sysctl(3) transaction. 3175 * 3176 * The sysctl(3) call specifies that if the old value is not desired, 3177 * oldp and oldlenp should be set to NULL. Likewise, if a new value is 3178 * not to be set, newp should be set to NULL and newlen set to 0. 3179 * 3180 * @return Return 0 if access is granted, otherwise an appropriate value for 3181 * errno should be returned. 3182 */ 3183 typedef int mpo_system_check_sysctlbyname_t( 3184 kauth_cred_t cred, 3185 const char *namestring, 3186 int *name, 3187 size_t namelen, 3188 user_addr_t old, /* NULLOK */ 3189 size_t oldlen, 3190 user_addr_t newvalue, /* NULLOK */ 3191 size_t newlen 3192 ); 3193 /** 3194 * @brief Access control check for kas_info 3195 * @param cred Subject credential 3196 * @param selector Category of information to return. See kas_info.h 3197 * 3198 * Determine whether the subject identified by the credential can perform 3199 * introspection of the kernel address space layout for 3200 * debugging/performance analysis. 3201 * 3202 * @return Return 0 if access is granted, otherwise an appropriate value for 3203 * errno should be returned. 3204 */ 3205 typedef int mpo_system_check_kas_info_t( 3206 kauth_cred_t cred, 3207 int selector 3208 ); 3209 /** 3210 * @brief Create a System V message label 3211 * @param cred Subject credential 3212 * @param msqptr The message queue the message will be placed in 3213 * @param msqlabel The label of the message queue 3214 * @param msgptr The message 3215 * @param msglabel The label of the message 3216 * 3217 * Label the message as its placed in the message queue. 3218 */ 3219 typedef void mpo_sysvmsg_label_associate_t( 3220 kauth_cred_t cred, 3221 struct msqid_kernel *msqptr, 3222 struct label *msqlabel, 3223 struct msg *msgptr, 3224 struct label *msglabel 3225 ); 3226 /** 3227 * @brief Destroy System V message label 3228 * @param label The label to be destroyed 3229 * 3230 * Destroy a System V message label. Since the object is 3231 * going out of scope, policy modules should free any internal storage 3232 * associated with the label so that it may be destroyed. 3233 */ 3234 typedef void mpo_sysvmsg_label_destroy_t( 3235 struct label *label 3236 ); 3237 /** 3238 * @brief Initialize System V message label 3239 * @param label New label to initialize 3240 * 3241 * Initialize the label for a newly instantiated System V message. 3242 */ 3243 typedef void mpo_sysvmsg_label_init_t( 3244 struct label *label 3245 ); 3246 /** 3247 * @brief Clean up a System V message label 3248 * @param label The label to be destroyed 3249 * 3250 * Clean up a System V message label. Darwin pre-allocates 3251 * messages at system boot time and re-uses them rather than 3252 * allocating new ones. Before messages are returned to the "free 3253 * pool", policies can cleanup or overwrite any information present in 3254 * the label. 3255 */ 3256 typedef void mpo_sysvmsg_label_recycle_t( 3257 struct label *label 3258 ); 3259 /** 3260 * @brief Access control check for System V message enqueuing 3261 * @param cred Subject credential 3262 * @param msgptr The message 3263 * @param msglabel The message's label 3264 * @param msqptr The message queue 3265 * @param msqlabel The message queue's label 3266 * 3267 * Determine whether the subject identified by the credential can add the 3268 * given message to the given message queue. 3269 * 3270 * @return Return 0 if access is granted, otherwise an appropriate value for 3271 * errno should be returned. 3272 */ 3273 typedef int mpo_sysvmsq_check_enqueue_t( 3274 kauth_cred_t cred, 3275 struct msg *msgptr, 3276 struct label *msglabel, 3277 struct msqid_kernel *msqptr, 3278 struct label *msqlabel 3279 ); 3280 /** 3281 * @brief Access control check for System V message reception 3282 * @param cred The credential of the intended recipient 3283 * @param msgptr The message 3284 * @param msglabel The message's label 3285 * 3286 * Determine whether the subject identified by the credential can receive 3287 * the given message. 3288 * 3289 * @return Return 0 if access is granted, otherwise an appropriate value for 3290 * errno should be returned. 3291 */ 3292 typedef int mpo_sysvmsq_check_msgrcv_t( 3293 kauth_cred_t cred, 3294 struct msg *msgptr, 3295 struct label *msglabel 3296 ); 3297 /** 3298 * @brief Access control check for System V message queue removal 3299 * @param cred The credential of the caller 3300 * @param msgptr The message 3301 * @param msglabel The message's label 3302 * 3303 * System V message queues are removed using the msgctl() system call. 3304 * The system will iterate over each message in the queue, calling this 3305 * function for each, to determine whether the caller has the appropriate 3306 * credentials. 3307 * 3308 * @return Return 0 if access is granted, otherwise an appropriate value for 3309 * errno should be returned. 3310 */ 3311 typedef int mpo_sysvmsq_check_msgrmid_t( 3312 kauth_cred_t cred, 3313 struct msg *msgptr, 3314 struct label *msglabel 3315 ); 3316 /** 3317 * @brief Access control check for msgctl() 3318 * @param cred The credential of the caller 3319 * @param msqptr The message queue 3320 * @param msqlabel The message queue's label 3321 * 3322 * This access check is performed to validate calls to msgctl(). 3323 * 3324 * @return Return 0 if access is granted, otherwise an appropriate value for 3325 * errno should be returned. 3326 */ 3327 typedef int mpo_sysvmsq_check_msqctl_t( 3328 kauth_cred_t cred, 3329 struct msqid_kernel *msqptr, 3330 struct label *msqlabel, 3331 int cmd 3332 ); 3333 /** 3334 * @brief Access control check to get a System V message queue 3335 * @param cred The credential of the caller 3336 * @param msqptr The message queue requested 3337 * @param msqlabel The message queue's label 3338 * 3339 * On a call to msgget(), if the queue requested already exists, 3340 * and it is a public queue, this check will be performed before the 3341 * queue's ID is returned to the user. 3342 * 3343 * @return Return 0 if access is granted, otherwise an appropriate value for 3344 * errno should be returned. 3345 */ 3346 typedef int mpo_sysvmsq_check_msqget_t( 3347 kauth_cred_t cred, 3348 struct msqid_kernel *msqptr, 3349 struct label *msqlabel 3350 ); 3351 /** 3352 * @brief Access control check to receive a System V message from the given queue 3353 * @param cred The credential of the caller 3354 * @param msqptr The message queue to receive from 3355 * @param msqlabel The message queue's label 3356 * 3357 * On a call to msgrcv(), this check is performed to determine whether the 3358 * caller has receive rights on the given queue. 3359 * 3360 * @return Return 0 if access is granted, otherwise an appropriate value for 3361 * errno should be returned. 3362 */ 3363 typedef int mpo_sysvmsq_check_msqrcv_t( 3364 kauth_cred_t cred, 3365 struct msqid_kernel *msqptr, 3366 struct label *msqlabel 3367 ); 3368 /** 3369 * @brief Access control check to send a System V message to the given queue 3370 * @param cred The credential of the caller 3371 * @param msqptr The message queue to send to 3372 * @param msqlabel The message queue's label 3373 * 3374 * On a call to msgsnd(), this check is performed to determine whether the 3375 * caller has send rights on the given queue. 3376 * 3377 * @return Return 0 if access is granted, otherwise an appropriate value for 3378 * errno should be returned. 3379 */ 3380 typedef int mpo_sysvmsq_check_msqsnd_t( 3381 kauth_cred_t cred, 3382 struct msqid_kernel *msqptr, 3383 struct label *msqlabel 3384 ); 3385 /** 3386 * @brief Create a System V message queue label 3387 * @param cred Subject credential 3388 * @param msqptr The message queue 3389 * @param msqlabel The label of the message queue 3390 * 3391 */ 3392 typedef void mpo_sysvmsq_label_associate_t( 3393 kauth_cred_t cred, 3394 struct msqid_kernel *msqptr, 3395 struct label *msqlabel 3396 ); 3397 /** 3398 * @brief Destroy System V message queue label 3399 * @param label The label to be destroyed 3400 * 3401 * Destroy a System V message queue label. Since the object is 3402 * going out of scope, policy modules should free any internal storage 3403 * associated with the label so that it may be destroyed. 3404 */ 3405 typedef void mpo_sysvmsq_label_destroy_t( 3406 struct label *label 3407 ); 3408 /** 3409 * @brief Initialize System V message queue label 3410 * @param label New label to initialize 3411 * 3412 * Initialize the label for a newly instantiated System V message queue. 3413 */ 3414 typedef void mpo_sysvmsq_label_init_t( 3415 struct label *label 3416 ); 3417 /** 3418 * @brief Clean up a System V message queue label 3419 * @param label The label to be destroyed 3420 * 3421 * Clean up a System V message queue label. Darwin pre-allocates 3422 * message queues at system boot time and re-uses them rather than 3423 * allocating new ones. Before message queues are returned to the "free 3424 * pool", policies can cleanup or overwrite any information present in 3425 * the label. 3426 */ 3427 typedef void mpo_sysvmsq_label_recycle_t( 3428 struct label *label 3429 ); 3430 /** 3431 * @brief Access control check for System V semaphore control operation 3432 * @param cred Subject credential 3433 * @param semakptr Pointer to semaphore identifier 3434 * @param semaklabel Label associated with semaphore 3435 * @param cmd Control operation to be performed; see semctl(2) 3436 * 3437 * Determine whether the subject identified by the credential can perform 3438 * the operation indicated by cmd on the System V semaphore semakptr. 3439 * 3440 * @return Return 0 if access is granted, otherwise an appropriate value for 3441 * errno should be returned. 3442 */ 3443 typedef int mpo_sysvsem_check_semctl_t( 3444 kauth_cred_t cred, 3445 struct semid_kernel *semakptr, 3446 struct label *semaklabel, 3447 int cmd 3448 ); 3449 /** 3450 * @brief Access control check for obtaining a System V semaphore 3451 * @param cred Subject credential 3452 * @param semakptr Pointer to semaphore identifier 3453 * @param semaklabel Label to associate with the semaphore 3454 * 3455 * Determine whether the subject identified by the credential can 3456 * obtain a System V semaphore. 3457 * 3458 * @return Return 0 if access is granted, otherwise an appropriate value for 3459 * errno should be returned. 3460 */ 3461 typedef int mpo_sysvsem_check_semget_t( 3462 kauth_cred_t cred, 3463 struct semid_kernel *semakptr, 3464 struct label *semaklabel 3465 ); 3466 /** 3467 * @brief Access control check for System V semaphore operations 3468 * @param cred Subject credential 3469 * @param semakptr Pointer to semaphore identifier 3470 * @param semaklabel Label associated with the semaphore 3471 * @param accesstype Flags to indicate access (read and/or write) 3472 * 3473 * Determine whether the subject identified by the credential can 3474 * perform the operations on the System V semaphore indicated by 3475 * semakptr. The accesstype flags hold the maximum set of permissions 3476 * from the sem_op array passed to the semop system call. It may 3477 * contain SEM_R for read-only operations or SEM_A for read/write 3478 * operations. 3479 * 3480 * @return Return 0 if access is granted, otherwise an appropriate value for 3481 * errno should be returned. 3482 */ 3483 typedef int mpo_sysvsem_check_semop_t( 3484 kauth_cred_t cred, 3485 struct semid_kernel *semakptr, 3486 struct label *semaklabel, 3487 size_t accesstype 3488 ); 3489 /** 3490 * @brief Create a System V semaphore label 3491 * @param cred Subject credential 3492 * @param semakptr The semaphore being created 3493 * @param semalabel Label to associate with the new semaphore 3494 * 3495 * Label a new System V semaphore. The label was previously 3496 * initialized and associated with the semaphore. At this time, an 3497 * appropriate initial label value should be assigned to the object and 3498 * stored in semalabel. 3499 */ 3500 typedef void mpo_sysvsem_label_associate_t( 3501 kauth_cred_t cred, 3502 struct semid_kernel *semakptr, 3503 struct label *semalabel 3504 ); 3505 /** 3506 * @brief Destroy System V semaphore label 3507 * @param label The label to be destroyed 3508 * 3509 * Destroy a System V semaphore label. Since the object is 3510 * going out of scope, policy modules should free any internal storage 3511 * associated with the label so that it may be destroyed. 3512 */ 3513 typedef void mpo_sysvsem_label_destroy_t( 3514 struct label *label 3515 ); 3516 /** 3517 * @brief Initialize System V semaphore label 3518 * @param label New label to initialize 3519 * 3520 * Initialize the label for a newly instantiated System V semaphore. Sleeping 3521 * is permitted. 3522 */ 3523 typedef void mpo_sysvsem_label_init_t( 3524 struct label *label 3525 ); 3526 /** 3527 * @brief Clean up a System V semaphore label 3528 * @param label The label to be cleaned 3529 * 3530 * Clean up a System V semaphore label. Darwin pre-allocates 3531 * semaphores at system boot time and re-uses them rather than 3532 * allocating new ones. Before semaphores are returned to the "free 3533 * pool", policies can cleanup or overwrite any information present in 3534 * the label. 3535 */ 3536 typedef void mpo_sysvsem_label_recycle_t( 3537 struct label *label 3538 ); 3539 /** 3540 * @brief Access control check for mapping System V shared memory 3541 * @param cred Subject credential 3542 * @param shmsegptr Pointer to shared memory segment identifier 3543 * @param shmseglabel Label associated with the shared memory segment 3544 * @param shmflg shmat flags; see shmat(2) 3545 * 3546 * Determine whether the subject identified by the credential can map 3547 * the System V shared memory segment associated with shmsegptr. 3548 * 3549 * @return Return 0 if access is granted, otherwise an appropriate value for 3550 * errno should be returned. 3551 */ 3552 typedef int mpo_sysvshm_check_shmat_t( 3553 kauth_cred_t cred, 3554 struct shmid_kernel *shmsegptr, 3555 struct label *shmseglabel, 3556 int shmflg 3557 ); 3558 /** 3559 * @brief Access control check for System V shared memory control operation 3560 * @param cred Subject credential 3561 * @param shmsegptr Pointer to shared memory segment identifier 3562 * @param shmseglabel Label associated with the shared memory segment 3563 * @param cmd Control operation to be performed; see shmctl(2) 3564 * 3565 * Determine whether the subject identified by the credential can perform 3566 * the operation indicated by cmd on the System V shared memory segment 3567 * shmsegptr. 3568 * 3569 * @return Return 0 if access is granted, otherwise an appropriate value for 3570 * errno should be returned. 3571 */ 3572 typedef int mpo_sysvshm_check_shmctl_t( 3573 kauth_cred_t cred, 3574 struct shmid_kernel *shmsegptr, 3575 struct label *shmseglabel, 3576 int cmd 3577 ); 3578 /** 3579 * @brief Access control check for unmapping System V shared memory 3580 * @param cred Subject credential 3581 * @param shmsegptr Pointer to shared memory segment identifier 3582 * @param shmseglabel Label associated with the shared memory segment 3583 * 3584 * Determine whether the subject identified by the credential can unmap 3585 * the System V shared memory segment associated with shmsegptr. 3586 * 3587 * @return Return 0 if access is granted, otherwise an appropriate value for 3588 * errno should be returned. 3589 */ 3590 typedef int mpo_sysvshm_check_shmdt_t( 3591 kauth_cred_t cred, 3592 struct shmid_kernel *shmsegptr, 3593 struct label *shmseglabel 3594 ); 3595 /** 3596 * @brief Access control check obtaining System V shared memory identifier 3597 * @param cred Subject credential 3598 * @param shmsegptr Pointer to shared memory segment identifier 3599 * @param shmseglabel Label associated with the shared memory segment 3600 * @param shmflg shmget flags; see shmget(2) 3601 * 3602 * Determine whether the subject identified by the credential can get 3603 * the System V shared memory segment address. 3604 * 3605 * @return Return 0 if access is granted, otherwise an appropriate value for 3606 * errno should be returned. 3607 */ 3608 typedef int mpo_sysvshm_check_shmget_t( 3609 kauth_cred_t cred, 3610 struct shmid_kernel *shmsegptr, 3611 struct label *shmseglabel, 3612 int shmflg 3613 ); 3614 /** 3615 * @brief Create a System V shared memory region label 3616 * @param cred Subject credential 3617 * @param shmsegptr The shared memory region being created 3618 * @param shmlabel Label to associate with the new shared memory region 3619 * 3620 * Label a new System V shared memory region. The label was previously 3621 * initialized and associated with the shared memory region. At this 3622 * time, an appropriate initial label value should be assigned to the 3623 * object and stored in shmlabel. 3624 */ 3625 typedef void mpo_sysvshm_label_associate_t( 3626 kauth_cred_t cred, 3627 struct shmid_kernel *shmsegptr, 3628 struct label *shmlabel 3629 ); 3630 /** 3631 * @brief Destroy System V shared memory label 3632 * @param label The label to be destroyed 3633 * 3634 * Destroy a System V shared memory region label. Since the 3635 * object is going out of scope, policy modules should free any 3636 * internal storage associated with the label so that it may be 3637 * destroyed. 3638 */ 3639 typedef void mpo_sysvshm_label_destroy_t( 3640 struct label *label 3641 ); 3642 /** 3643 * @brief Initialize System V Shared Memory region label 3644 * @param label New label to initialize 3645 * 3646 * Initialize the label for a newly instantiated System V Shared Memory 3647 * region. Sleeping is permitted. 3648 */ 3649 typedef void mpo_sysvshm_label_init_t( 3650 struct label *label 3651 ); 3652 /** 3653 * @brief Clean up a System V Share Memory Region label 3654 * @param shmlabel The label to be cleaned 3655 * 3656 * Clean up a System V Shared Memory Region label. Darwin 3657 * pre-allocates these objects at system boot time and re-uses them 3658 * rather than allocating new ones. Before the memory regions are 3659 * returned to the "free pool", policies can cleanup or overwrite any 3660 * information present in the label. 3661 */ 3662 typedef void mpo_sysvshm_label_recycle_t( 3663 struct label *shmlabel 3664 ); 3665 3666 /** 3667 * @brief Access control check for getting a process's task ports of different flavors 3668 * @param cred Subject credential 3669 * @param pident Object unique process identifier 3670 * @param flavor Requested task port flavor 3671 * 3672 * Determine whether the subject identified by the credential can get 3673 * the passed process's task port of given flavor. 3674 * This call is used by the task_{,read,inspect,name}_for_pid(2) API. 3675 * 3676 * @return Return 0 if access is granted, otherwise an appropriate value for 3677 * errno should be returned. Suggested failure: EACCES for label mismatch, 3678 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3679 */ 3680 typedef int mpo_proc_check_get_task_with_flavor_t( 3681 kauth_cred_t cred, 3682 struct proc_ident *pident, 3683 mach_task_flavor_t flavor 3684 ); 3685 3686 /** 3687 * @brief Access control check for exposing a process's task ports of different flavors 3688 * @param cred Subject credential 3689 * @param pident Object unique process identifier 3690 * @param flavor Requested task port flavor 3691 * 3692 * Determine whether the subject identified by the credential can expose 3693 * the passed process's task port of given flavor. 3694 * This call is used by the accessor APIs like processor_set_tasks() and 3695 * processor_set_threads(). 3696 * 3697 * @return Return 0 if access is granted, otherwise an appropriate value for 3698 * errno should be returned. Suggested failure: EACCES for label mismatch, 3699 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3700 */ 3701 typedef int mpo_proc_check_expose_task_with_flavor_t( 3702 kauth_cred_t cred, 3703 struct proc_ident *pident, 3704 mach_task_flavor_t flavor 3705 ); 3706 3707 /** 3708 * @brief Access control check for upgrading to task port with a task identity token 3709 * @param cred Subject credential 3710 * @param pident Object unique process identifier, NULL if token represents a corpse task 3711 * @param flavor Requested task port flavor 3712 * 3713 * Determine whether the subject identified by the credential can upgrade to task port 3714 * of given flavor with a task identity token of the passed process. 3715 * This call is used by task_identity_token_get_task_port(). 3716 * 3717 * @return Return 0 if access is granted, otherwise an appropriate value for 3718 * errno should be returned. Suggested failure: EACCES for label mismatch, 3719 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3720 */ 3721 typedef int mpo_proc_check_task_id_token_get_task_t( 3722 kauth_cred_t cred, 3723 struct proc_ident *pident, /* Nullable */ 3724 mach_task_flavor_t flavor 3725 ); 3726 3727 /** 3728 * @brief Check whether task's IPC may inherit across process exec 3729 * @param p current process instance 3730 * @param cur_vp vnode pointer to current instance 3731 * @param cur_offset offset of binary of currently executing image 3732 * @param img_vp vnode pointer to to be exec'ed image 3733 * @param img_offset offset into file which is selected for execution 3734 * @param scriptvp vnode pointer of script file if any. 3735 * @return Return 0 if access is granted. 3736 * EPERM if parent does not have any entitlements. 3737 * EACCESS if mismatch in entitlements 3738 */ 3739 typedef int mpo_proc_check_inherit_ipc_ports_t( 3740 struct proc *p, 3741 struct vnode *cur_vp, 3742 off_t cur_offset, 3743 struct vnode *img_vp, 3744 off_t img_offset, 3745 struct vnode *scriptvp 3746 ); 3747 3748 /** 3749 * @brief Privilege check for a process to run invalid 3750 * @param p Object process 3751 * 3752 * Determine whether the process may execute even though the system determined 3753 * that it is untrusted (eg unidentified / modified code). 3754 * 3755 * @return Return 0 if access is granted, otherwise an appropriate value for 3756 * errno should be returned. 3757 */ 3758 typedef int mpo_proc_check_run_cs_invalid_t( 3759 struct proc *p 3760 ); 3761 3762 /** 3763 * @brief Notification a process was invalidated 3764 * @param p Object process 3765 * 3766 * Notifies that the CS_VALID bit was removed from a process' csflags. This 3767 * either indicates that a validly code-signed process has encountered an 3768 * invalidly code-signed page for the first time, or that it was explicitly 3769 * marked invalid via a csops(CS_OPS_MARKINVALID) syscall. 3770 * 3771 * @warning This hook can be called from the page fault handler; it should not 3772 * perform any operations that may result in paging, and stack space is extremely 3773 * limited. Furthermore, the hook is called with proc lock held, and if called 3774 * from the fault handler, with vm object lock held. Consumers reacting to this 3775 * hook being called are expected to defer processing to a userret, possibly 3776 * after suspending the task. 3777 */ 3778 typedef void mpo_proc_notify_cs_invalidated_t( 3779 struct proc *p 3780 ); 3781 3782 /** 3783 * @brief Notification a process is finished with exec and will jump to userspace 3784 * @param p Object process 3785 * 3786 * Notifies all MAC policies that a process has completed an exec and is about to 3787 * jump to userspace to continue execution. This may result in process termination 3788 * via signals. Hook is designed to hold no/minimal locks so it can be used for any 3789 * necessary upcalls. 3790 */ 3791 typedef void mpo_proc_notify_exec_complete_t( 3792 struct proc *p 3793 ); 3794 3795 /** 3796 * @brief Access control check for setting user ID 3797 * @param cred Subject credential 3798 * @param uid Requested user ID 3799 * 3800 * Determine whether the subject identified by the credential can set the 3801 * real and effective user ID and the saved set-user-ID of the current 3802 * process, using the setuid() system call. 3803 * 3804 * @return Return 0 if access is granted, otherwise an appropriate value for 3805 * errno should be returned. 3806 */ 3807 typedef int mpo_proc_check_setuid_t( 3808 kauth_cred_t cred, 3809 uid_t uid 3810 ); 3811 3812 /** 3813 * @brief Access control check for setting effective user ID 3814 * @param cred Subject credential 3815 * @param euid Requested effective user ID 3816 * 3817 * Determine whether the subject identified by the credential can set the 3818 * effective user ID of the current process, using the seteuid() system call. 3819 * 3820 * @return Return 0 if access is granted, otherwise an appropriate value for 3821 * errno should be returned. 3822 */ 3823 typedef int mpo_proc_check_seteuid_t( 3824 kauth_cred_t cred, 3825 uid_t euid 3826 ); 3827 3828 /** 3829 * @brief Access control check for setting real and effective user ID 3830 * @param cred Subject credential 3831 * @param ruid Requested real user ID 3832 * @param euid Requested effective user ID 3833 * 3834 * Determine whether the subject identified by the credential can set the 3835 * real and effective user ID of the current process, using the setreuid() 3836 * system call. 3837 * 3838 * @return Return 0 if access is granted, otherwise an appropriate value for 3839 * errno should be returned. 3840 */ 3841 typedef int mpo_proc_check_setreuid_t( 3842 kauth_cred_t cred, 3843 uid_t ruid, 3844 uid_t euid 3845 ); 3846 3847 /** 3848 * @brief Access control check for setting group ID 3849 * @param cred Subject credential 3850 * @param gid Requested group ID 3851 * 3852 * Determine whether the subject identified by the credential can set the 3853 * real and effective group IDs and the saved set-group-ID of the current 3854 * process, using the setgid() system call. 3855 * 3856 * @return Return 0 if access is granted, otherwise an appropriate value for 3857 * errno should be returned. 3858 */ 3859 typedef int mpo_proc_check_setgid_t( 3860 kauth_cred_t cred, 3861 gid_t gid 3862 ); 3863 3864 /** 3865 * @brief Access control check for setting effective group ID 3866 * @param cred Subject credential 3867 * @param egid Requested effective group ID 3868 * 3869 * Determine whether the subject identified by the credential can set the 3870 * effective group ID of the current process, using the setegid() system call. 3871 * 3872 * @return Return 0 if access is granted, otherwise an appropriate value for 3873 * errno should be returned. 3874 */ 3875 typedef int mpo_proc_check_setegid_t( 3876 kauth_cred_t cred, 3877 gid_t egid 3878 ); 3879 3880 /** 3881 * @brief Access control check for setting real and effective group ID 3882 * @param cred Subject credential 3883 * @param rgid Requested real group ID or KAUTH_UID_NONE for none 3884 * @param egid Requested effective group ID or KAUTH_GID_NONE for none 3885 * 3886 * Determine whether the subject identified by the credential can set the 3887 * real and effective group ID of the current process, using the setregid() 3888 * system call. 3889 * 3890 * @return Return 0 if access is granted, otherwise an appropriate value for 3891 * errno should be returned. 3892 */ 3893 typedef int mpo_proc_check_setregid_t( 3894 kauth_cred_t cred, 3895 gid_t rgid, 3896 gid_t egid 3897 ); 3898 3899 /** 3900 * @brief Access control check for setting thread assumed identity 3901 * @param pcred Subject process credential 3902 * @param tcred Subject thread credential 3903 * @param uid Requested user ID or KAUTH_UID_NONE for none 3904 * @param gid Requested group ID or KAUTH_GID_NONE for none 3905 * 3906 * Determine whether the subject identified by the credential can set the 3907 * user and group ID of the current thread, using the settid() or 3908 * settid_with_pid() system call. 3909 * 3910 * @return Return 0 if access is granted, otherwise an appropriate value for 3911 * errno should be returned. 3912 */ 3913 typedef int mpo_proc_check_settid_t( 3914 kauth_cred_t pcred, 3915 kauth_cred_t tcred, 3916 uid_t uid, 3917 gid_t gid 3918 ); 3919 3920 /** 3921 * @brief Notification of connection port derivation from service port 3922 * @param cred Subject process credential 3923 * @param sp_info Service port info 3924 * 3925 * Called when a process derives a connection port from a service port. 3926 * 3927 * Notes: 3928 * - Port derivation is only mandatory if the receiving end of the 3929 * connection performs validation of that fact. 3930 * - MAC policies should not perform upcalls or expensive operations in 3931 * this hook. 3932 * - Only called on macOS. 3933 */ 3934 typedef void mpo_proc_notify_service_port_derive_t( 3935 kauth_cred_t cred, 3936 struct mach_service_port_info *sp_info 3937 ); 3938 3939 /** 3940 * @brief Perform MAC-related analysis of telemetry data. 3941 * @param thread The Mach thread that was sampled. 3942 * 3943 * Notifies MAC policies that telemetry data was just collected from a 3944 * process's user thread and that it is ready to be analyzed. The analysis is 3945 * performed shortly before a thread is about to return to userspace via a 3946 * syscall or mach trap. 3947 * 3948 * Note that sometimes the scheduled telemetry can fail. In the case of 3949 * failure, the function will be called with a non-zero `err` value, in which 3950 * case it is expected that the client will cleanup any necessary state 3951 * recorded back when the telemetry was first scheduled. 3952 */ 3953 typedef void mpo_thread_telemetry_t( 3954 struct thread *thread, 3955 int err, 3956 const void *data, 3957 size_t length 3958 ); 3959 3960 /** 3961 * @brief Perform MAC-related events when a thread returns to user space 3962 * @param thread Mach (not BSD) thread that is returning 3963 * 3964 * This entry point permits policy modules to perform MAC-related 3965 * events when a thread returns to user space, via a system call 3966 * return or trap return. 3967 */ 3968 typedef void mpo_thread_userret_t( 3969 struct thread *thread 3970 ); 3971 3972 /** 3973 * @brief Check vnode access 3974 * @param cred Subject credential 3975 * @param vp Object vnode 3976 * @param label Label for vp 3977 * @param acc_mode access(2) flags 3978 * 3979 * Determine how invocations of access(2) and related calls by the 3980 * subject identified by the credential should return when performed 3981 * on the passed vnode using the passed access flags. This should 3982 * generally be implemented using the same semantics used in 3983 * mpo_vnode_check_open. 3984 * 3985 * @return Return 0 if access is granted, otherwise an appropriate value for 3986 * errno should be returned. Suggested failure: EACCES for label mismatch or 3987 * EPERM for lack of privilege. 3988 */ 3989 typedef int mpo_vnode_check_access_t( 3990 kauth_cred_t cred, 3991 struct vnode *vp, 3992 struct label *label, 3993 int acc_mode 3994 ); 3995 /** 3996 * @brief Access control check for changing working directory 3997 * @param cred Subject credential 3998 * @param dvp Object; vnode to chdir(2) into 3999 * @param dlabel Policy label for dvp 4000 * 4001 * Determine whether the subject identified by the credential can change 4002 * the process working directory to the passed vnode. 4003 * 4004 * @return Return 0 if access is granted, otherwise an appropriate value for 4005 * errno should be returned. Suggested failure: EACCES for label mismatch or 4006 * EPERM for lack of privilege. 4007 */ 4008 typedef int mpo_vnode_check_chdir_t( 4009 kauth_cred_t cred, 4010 struct vnode *dvp, 4011 struct label *dlabel 4012 ); 4013 /** 4014 * @brief Access control check for changing root directory 4015 * @param cred Subject credential 4016 * @param dvp Directory vnode 4017 * @param dlabel Policy label associated with dvp 4018 * @param cnp Component name for dvp 4019 * 4020 * Determine whether the subject identified by the credential should be 4021 * allowed to chroot(2) into the specified directory (dvp). 4022 * 4023 * @return In the event of an error, an appropriate value for errno 4024 * should be returned, otherwise return 0 upon success. 4025 */ 4026 typedef int mpo_vnode_check_chroot_t( 4027 kauth_cred_t cred, 4028 struct vnode *dvp, 4029 struct label *dlabel, 4030 struct componentname *cnp 4031 ); 4032 /** 4033 * @brief Access control check for creating clone 4034 * @param cred Subject credential 4035 * @param dvp Vnode of directory to create the clone in 4036 * @param dlabel Policy label associated with dvp 4037 * @param vp Vnode of the file to clone from 4038 * @param label Policy label associated with vp 4039 * @param cnp Component name for the clone being created 4040 * 4041 * Determine whether the subject identified by the credential should be 4042 * allowed to create a clone of the vnode vp with the name specified by cnp. 4043 * 4044 * @return Return 0 if access is granted, otherwise an appropriate value for 4045 * errno should be returned. 4046 */ 4047 typedef int mpo_vnode_check_clone_t( 4048 kauth_cred_t cred, 4049 struct vnode *dvp, 4050 struct label *dlabel, 4051 struct vnode *vp, 4052 struct label *label, 4053 struct componentname *cnp 4054 ); 4055 /** 4056 * @brief Access control check for creating vnode 4057 * @param cred Subject credential 4058 * @param dvp Directory vnode 4059 * @param dlabel Policy label for dvp 4060 * @param cnp Component name for dvp 4061 * @param vap vnode attributes for vap 4062 * 4063 * Determine whether the subject identified by the credential can create 4064 * a vnode with the passed parent directory, passed name information, 4065 * and passed attribute information. This call may be made in a number of 4066 * situations, including as a result of calls to open(2) with O_CREAT, 4067 * mknod(2), mkfifo(2), and others. 4068 * 4069 * @return Return 0 if access is granted, otherwise an appropriate value for 4070 * errno should be returned. Suggested failure: EACCES for label mismatch or 4071 * EPERM for lack of privilege. 4072 */ 4073 typedef int mpo_vnode_check_create_t( 4074 kauth_cred_t cred, 4075 struct vnode *dvp, 4076 struct label *dlabel, 4077 struct componentname *cnp, 4078 struct vnode_attr *vap 4079 ); 4080 /** 4081 * @brief Access control check for deleting extended attribute 4082 * @param cred Subject credential 4083 * @param vp Object vnode 4084 * @param vlabel Label associated with vp 4085 * @param name Extended attribute name 4086 * 4087 * Determine whether the subject identified by the credential can delete 4088 * the extended attribute from the passed vnode. 4089 * 4090 * @return Return 0 if access is granted, otherwise an appropriate value for 4091 * errno should be returned. Suggested failure: EACCES for label mismatch or 4092 * EPERM for lack of privilege. 4093 */ 4094 typedef int mpo_vnode_check_deleteextattr_t( 4095 kauth_cred_t cred, 4096 struct vnode *vp, 4097 struct label *vlabel, 4098 const char *name 4099 ); 4100 /** 4101 * @brief Access control check for exchanging file data 4102 * @param cred Subject credential 4103 * @param v1 vnode 1 to swap 4104 * @param vl1 Policy label for v1 4105 * @param v2 vnode 2 to swap 4106 * @param vl2 Policy label for v2 4107 * 4108 * Determine whether the subject identified by the credential can swap the data 4109 * in the two supplied vnodes. 4110 * 4111 * @return Return 0 if access is granted, otherwise an appropriate value for 4112 * errno should be returned. Suggested failure: EACCES for label mismatch or 4113 * EPERM for lack of privilege. 4114 */ 4115 typedef int mpo_vnode_check_exchangedata_t( 4116 kauth_cred_t cred, 4117 struct vnode *v1, 4118 struct label *vl1, 4119 struct vnode *v2, 4120 struct label *vl2 4121 ); 4122 /** 4123 * @brief Access control check for executing the vnode 4124 * @param cred Subject credential 4125 * @param vp Object vnode to execute 4126 * @param scriptvp Script being executed by interpreter, if any. 4127 * @param vnodelabel Label corresponding to vp 4128 * @param scriptlabel Script vnode label 4129 * @param execlabel Userspace provided execution label 4130 * @param cnp Component name for file being executed 4131 * @param macpolicyattr MAC policy-specific spawn attribute data. 4132 * @param macpolicyattrlen Length of policy-specific spawn attribute data. 4133 * 4134 * Determine whether the subject identified by the credential can execute 4135 * the passed vnode. Determination of execute privilege is made separately 4136 * from decisions about any process label transitioning event. 4137 * 4138 * The final label, execlabel, corresponds to a label supplied by a 4139 * user space application through the use of the mac_execve system call. 4140 * This label will be NULL if the user application uses the the vendor 4141 * execve(2) call instead of the MAC Framework mac_execve() call. 4142 * 4143 * @return Return 0 if access is granted, otherwise an appropriate value for 4144 * errno should be returned. Suggested failure: EACCES for label mismatch or 4145 * EPERM for lack of privilege. 4146 */ 4147 typedef int mpo_vnode_check_exec_t( 4148 kauth_cred_t cred, 4149 struct vnode *vp, 4150 struct vnode *scriptvp, 4151 struct label *vnodelabel, 4152 struct label *scriptlabel, 4153 struct label *execlabel, /* NULLOK */ 4154 struct componentname *cnp, 4155 u_int *csflags, 4156 void *macpolicyattr, 4157 size_t macpolicyattrlen 4158 ); 4159 /** 4160 * @brief Access control check for fsgetpath 4161 * @param cred Subject credential 4162 * @param vp Vnode for which a path will be returned 4163 * @param label Label associated with the vnode 4164 * 4165 * Determine whether the subject identified by the credential can get the path 4166 * of the given vnode with fsgetpath. 4167 * 4168 * @return Return 0 if access is granted, otherwise an appropriate value for 4169 * errno should be returned. 4170 */ 4171 typedef int mpo_vnode_check_fsgetpath_t( 4172 kauth_cred_t cred, 4173 struct vnode *vp, 4174 struct label *label 4175 ); 4176 /** 4177 * @brief Access control check for retrieving file attributes 4178 * @param active_cred Subject credential 4179 * @param file_cred Credential associated with the struct fileproc 4180 * @param vp Object vnode 4181 * @param vlabel Policy label for vp 4182 * @param va Vnode attributes to retrieve 4183 * 4184 * Determine whether the subject identified by the credential can 4185 * get information about the passed vnode. The active_cred hold 4186 * the credentials of the subject performing the operation, and 4187 * file_cred holds the credentials of the subject that originally 4188 * opened the file. This check happens during stat(), lstat(), 4189 * fstat(), and getattrlist() syscalls. See <sys/vnode.h> for 4190 * definitions of the attributes. 4191 * 4192 * @return Return 0 if access is granted, otherwise an appropriate value for 4193 * errno should be returned. 4194 * 4195 * @note Policies may change the contents of va to alter the list of 4196 * file attributes returned. 4197 */ 4198 typedef int mpo_vnode_check_getattr_t( 4199 kauth_cred_t active_cred, 4200 kauth_cred_t file_cred, /* NULLOK */ 4201 struct vnode *vp, 4202 struct label *vlabel, 4203 struct vnode_attr *va 4204 ); 4205 /** 4206 * @brief Access control check for retrieving file attributes 4207 * @param cred Subject credential 4208 * @param vp Object vnode 4209 * @param vlabel Policy label for vp 4210 * @param alist List of attributes to retrieve 4211 * @param options Option flags for alist 4212 * 4213 * Determine whether the subject identified by the credential can read 4214 * various attributes of the specified vnode, or the filesystem or volume on 4215 * which that vnode resides. See <sys/attr.h> for definitions of the 4216 * attributes and flags. 4217 * 4218 * @return Return 0 if access is granted, otherwise an appropriate value for 4219 * errno should be returned. Suggested failure: EACCES for label mismatch or 4220 * EPERM for lack of privilege. Access control covers all attributes requested 4221 * with this call; the security policy is not permitted to change the set of 4222 * attributes requested. 4223 */ 4224 typedef int mpo_vnode_check_getattrlist_t( 4225 kauth_cred_t cred, 4226 struct vnode *vp, 4227 struct label *vlabel, 4228 struct attrlist *alist, 4229 uint64_t options 4230 ); 4231 /** 4232 * @brief Access control check for retrieving file attributes for multiple directory entries 4233 * @param cred Subject credential 4234 * @param dvp Directory vnode 4235 * @param alist List of attributes to retrieve 4236 * @param options Option flags for alist 4237 * 4238 * Determine whether the subject identified by the credential can read 4239 * various attributes of the specified vnode, or the filesystem or volume on 4240 * which that vnode resides. See <sys/attr.h> for definitions of the 4241 * attributes and flags. 4242 * 4243 * @return Return 0 if access is granted, otherwise an appropriate value for 4244 * errno should be returned. Suggested failure: EACCES for label mismatch or 4245 * EPERM for lack of privilege. Access control covers all attributes requested 4246 * with this call; the security policy is not permitted to change the set of 4247 * attributes requested. 4248 */ 4249 typedef int mpo_vnode_check_getattrlistbulk_t( 4250 kauth_cred_t cred, 4251 struct vnode *dvp, 4252 struct attrlist *alist, 4253 uint64_t options 4254 ); 4255 /** 4256 * @brief Access control check for retrieving an extended attribute 4257 * @param cred Subject credential 4258 * @param vp Object vnode 4259 * @param label Policy label for vp 4260 * @param name Extended attribute name 4261 * @param uio I/O structure pointer 4262 * 4263 * Determine whether the subject identified by the credential can retrieve 4264 * the extended attribute from the passed vnode. The uio parameter 4265 * will be NULL when the getxattr(2) call has been made with a NULL data 4266 * value; this is done to request the size of the data only. 4267 * 4268 * @return Return 0 if access is granted, otherwise an appropriate value for 4269 * errno should be returned. Suggested failure: EACCES for label mismatch or 4270 * EPERM for lack of privilege. 4271 */ 4272 typedef int mpo_vnode_check_getextattr_t( 4273 kauth_cred_t cred, 4274 struct vnode *vp, 4275 struct label *label, /* NULLOK */ 4276 const char *name, 4277 struct uio *uio /* NULLOK */ 4278 ); 4279 /** 4280 * @brief Access control check for ioctl 4281 * @param cred Subject credential 4282 * @param vp Object vnode 4283 * @param label Policy label for vp 4284 * @param cmd Device-dependent request code; see ioctl(2) 4285 * 4286 * Determine whether the subject identified by the credential can perform 4287 * the ioctl operation indicated by com. 4288 * 4289 * @warning Since ioctl data is opaque from the standpoint of the MAC 4290 * framework, and since ioctls can affect many aspects of system 4291 * operation, policies must exercise extreme care when implementing 4292 * access control checks. 4293 * 4294 * @return Return 0 if access is granted, otherwise an appropriate value for 4295 * errno should be returned. 4296 */ 4297 typedef int mpo_vnode_check_ioctl_t( 4298 kauth_cred_t cred, 4299 struct vnode *vp, 4300 struct label *label, 4301 unsigned long cmd 4302 ); 4303 /** 4304 * @brief Access control check for vnode kqfilter 4305 * @param active_cred Subject credential 4306 * @param kn Object knote 4307 * @param vp Object vnode 4308 * @param label Policy label for vp 4309 * 4310 * Determine whether the subject identified by the credential can 4311 * receive the knote on the passed vnode. 4312 * 4313 * @return Return 0 if access if granted, otherwise an appropriate 4314 * value for errno should be returned. 4315 */ 4316 typedef int mpo_vnode_check_kqfilter_t( 4317 kauth_cred_t active_cred, 4318 kauth_cred_t file_cred, /* NULLOK */ 4319 struct knote *kn, 4320 struct vnode *vp, 4321 struct label *label 4322 ); 4323 /** 4324 * @brief Access control check for relabel 4325 * @param cred Subject credential 4326 * @param vp Object vnode 4327 * @param vnodelabel Existing policy label for vp 4328 * @param newlabel Policy label update to later be applied to vp 4329 * @see mpo_relable_vnode_t 4330 * 4331 * Determine whether the subject identified by the credential can relabel 4332 * the passed vnode to the passed label update. If all policies permit 4333 * the label change, the actual relabel entry point (mpo_vnode_label_update) 4334 * will follow. 4335 * 4336 * @return Return 0 if access is granted, otherwise an appropriate value for 4337 * errno should be returned. 4338 */ 4339 typedef int mpo_vnode_check_label_update_t( 4340 struct ucred *cred, 4341 struct vnode *vp, 4342 struct label *vnodelabel, 4343 struct label *newlabel 4344 ); 4345 /** 4346 * @brief Access control check for creating link 4347 * @param cred Subject credential 4348 * @param dvp Directory vnode 4349 * @param dlabel Policy label associated with dvp 4350 * @param vp Link destination vnode 4351 * @param label Policy label associated with vp 4352 * @param cnp Component name for the link being created 4353 * 4354 * Determine whether the subject identified by the credential should be 4355 * allowed to create a link to the vnode vp with the name specified by cnp. 4356 * 4357 * @return Return 0 if access is granted, otherwise an appropriate value for 4358 * errno should be returned. 4359 */ 4360 typedef int mpo_vnode_check_link_t( 4361 kauth_cred_t cred, 4362 struct vnode *dvp, 4363 struct label *dlabel, 4364 struct vnode *vp, 4365 struct label *label, 4366 struct componentname *cnp 4367 ); 4368 /** 4369 * @brief Access control check for listing extended attributes 4370 * @param cred Subject credential 4371 * @param vp Object vnode 4372 * @param vlabel Policy label associated with vp 4373 * 4374 * Determine whether the subject identified by the credential can retrieve 4375 * a list of named extended attributes from a vnode. 4376 * 4377 * @return Return 0 if access is granted, otherwise an appropriate value for 4378 * errno should be returned. 4379 */ 4380 typedef int mpo_vnode_check_listextattr_t( 4381 kauth_cred_t cred, 4382 struct vnode *vp, 4383 struct label *vlabel 4384 ); 4385 /** 4386 * @brief Access control check for lookup 4387 * @param cred Subject credential 4388 * @param dvp Directory vnode 4389 * @param dlabel Policy label for dvp 4390 * @param path Path being looked up 4391 * @param pathlen Length of path in bytes 4392 * 4393 * Determine whether the subject identified by the credential can perform 4394 * a lookup of the passed path relative to the passed directory vnode. 4395 * 4396 * @return Return 0 if access is granted, otherwise an appropriate value for 4397 * errno should be returned. Suggested failure: EACCES for label mismatch or 4398 * EPERM for lack of privilege. 4399 * 4400 * @note The path may contain untrusted input. If approved, lookup proceeds 4401 * on the path; if a component is found to be a symlink then this hook is 4402 * called again with the updated path. 4403 */ 4404 typedef int mpo_vnode_check_lookup_preflight_t( 4405 kauth_cred_t cred, 4406 struct vnode *dvp, 4407 struct label *dlabel, 4408 const char *path, 4409 size_t pathlen 4410 ); 4411 /** 4412 * @brief Access control check for lookup 4413 * @param cred Subject credential 4414 * @param dvp Object vnode 4415 * @param dlabel Policy label for dvp 4416 * @param cnp Component name being looked up 4417 * 4418 * Determine whether the subject identified by the credential can perform 4419 * a lookup in the passed directory vnode for the passed name (cnp). 4420 * 4421 * @return Return 0 if access is granted, otherwise an appropriate value for 4422 * errno should be returned. Suggested failure: EACCES for label mismatch or 4423 * EPERM for lack of privilege. 4424 */ 4425 typedef int mpo_vnode_check_lookup_t( 4426 kauth_cred_t cred, 4427 struct vnode *dvp, 4428 struct label *dlabel, 4429 struct componentname *cnp 4430 ); 4431 /** 4432 * @brief Access control check for open 4433 * @param cred Subject credential 4434 * @param vp Object vnode 4435 * @param label Policy label associated with vp 4436 * @param acc_mode open(2) access mode 4437 * 4438 * Determine whether the subject identified by the credential can perform 4439 * an open operation on the passed vnode with the passed access mode. 4440 * 4441 * @return Return 0 if access is granted, otherwise an appropriate value for 4442 * errno should be returned. Suggested failure: EACCES for label mismatch or 4443 * EPERM for lack of privilege. 4444 */ 4445 typedef int mpo_vnode_check_open_t( 4446 kauth_cred_t cred, 4447 struct vnode *vp, 4448 struct label *label, 4449 int acc_mode 4450 ); 4451 /** 4452 * @brief Access control check for read 4453 * @param active_cred Subject credential 4454 * @param file_cred Credential associated with the struct fileproc 4455 * @param vp Object vnode 4456 * @param label Policy label for vp 4457 * 4458 * Determine whether the subject identified by the credential can perform 4459 * a read operation on the passed vnode. The active_cred hold the credentials 4460 * of the subject performing the operation, and file_cred holds the 4461 * credentials of the subject that originally opened the file. 4462 * 4463 * @return Return 0 if access is granted, otherwise an appropriate value for 4464 * errno should be returned. Suggested failure: EACCES for label mismatch or 4465 * EPERM for lack of privilege. 4466 */ 4467 typedef int mpo_vnode_check_read_t( 4468 kauth_cred_t active_cred, /* SUBJECT */ 4469 kauth_cred_t file_cred, /* NULLOK */ 4470 struct vnode *vp, /* OBJECT */ 4471 struct label *label /* LABEL */ 4472 ); 4473 /** 4474 * @brief Access control check for read directory 4475 * @param cred Subject credential 4476 * @param dvp Object directory vnode 4477 * @param dlabel Policy label for dvp 4478 * 4479 * Determine whether the subject identified by the credential can 4480 * perform a readdir operation on the passed directory vnode. 4481 * 4482 * @return Return 0 if access is granted, otherwise an appropriate value for 4483 * errno should be returned. Suggested failure: EACCES for label mismatch or 4484 * EPERM for lack of privilege. 4485 */ 4486 typedef int mpo_vnode_check_readdir_t( 4487 kauth_cred_t cred, /* SUBJECT */ 4488 struct vnode *dvp, /* OBJECT */ 4489 struct label *dlabel /* LABEL */ 4490 ); 4491 /** 4492 * @brief Access control check for read link 4493 * @param cred Subject credential 4494 * @param vp Object vnode 4495 * @param label Policy label for vp 4496 * 4497 * Determine whether the subject identified by the credential can perform 4498 * a readlink operation on the passed symlink vnode. This call can be made 4499 * in a number of situations, including an explicit readlink call by the 4500 * user process, or as a result of an implicit readlink during a name 4501 * lookup by the process. 4502 * 4503 * @return Return 0 if access is granted, otherwise an appropriate value for 4504 * errno should be returned. Suggested failure: EACCES for label mismatch or 4505 * EPERM for lack of privilege. 4506 */ 4507 typedef int mpo_vnode_check_readlink_t( 4508 kauth_cred_t cred, 4509 struct vnode *vp, 4510 struct label *label 4511 ); 4512 /** 4513 * @brief Access control check for rename 4514 * @param cred Subject credential 4515 * @param fdvp Directory vnode 4516 * @param fdlabel Policy label associated with dvp 4517 * @param fvp vnode to be renamed 4518 * @param flabel Policy label associated with vp 4519 * @param fcnp Component name for vp 4520 * @param tdvp Destination directory vnode 4521 * @param tdlabel Policy label associated with tdvp 4522 * @param tvp Overwritten vnode 4523 * @param tlabel Policy label associated with tvp 4524 * @param tcnp Destination component name 4525 * 4526 * Determine whether the subject identified by the credential should be allowed 4527 * to rename the vnode vp to something else. 4528 * 4529 * @return Return 0 if access is granted, otherwise an appropriate value for 4530 * errno should be returned. 4531 */ 4532 typedef int mpo_vnode_check_rename_t( 4533 kauth_cred_t cred, 4534 struct vnode *fdvp, 4535 struct label *fdlabel, 4536 struct vnode *fvp, 4537 struct label *flabel, 4538 struct componentname *fcnp, 4539 struct vnode *tdvp, 4540 struct label *tdlabel, 4541 struct vnode *tvp, 4542 struct label *tlabel, 4543 struct componentname *tcnp 4544 ); 4545 /** 4546 * @brief Access control check for rename from 4547 * @param cred Subject credential 4548 * @param dvp Directory vnode 4549 * @param dlabel Policy label associated with dvp 4550 * @param vp vnode to be renamed 4551 * @param label Policy label associated with vp 4552 * @param cnp Component name for vp 4553 * @see mpo_vnode_check_rename_t 4554 * @see mpo_vnode_check_rename_to_t 4555 * 4556 * Determine whether the subject identified by the credential should be 4557 * allowed to rename the vnode vp to something else. 4558 * 4559 * Due to VFS locking constraints (to make sure proper vnode locks are 4560 * held during this entry point), the vnode relabel checks had to be 4561 * split into two parts: relabel_from and relabel to. 4562 * 4563 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead. 4564 * 4565 * @return Return 0 if access is granted, otherwise an appropriate value for 4566 * errno should be returned. 4567 */ 4568 typedef int mpo_vnode_check_rename_from_t( 4569 kauth_cred_t cred, 4570 struct vnode *dvp, 4571 struct label *dlabel, 4572 struct vnode *vp, 4573 struct label *label, 4574 struct componentname *cnp 4575 ); 4576 /** 4577 * @brief Access control check for rename to 4578 * @param cred Subject credential 4579 * @param dvp Directory vnode 4580 * @param dlabel Policy label associated with dvp 4581 * @param vp Overwritten vnode 4582 * @param label Policy label associated with vp 4583 * @param samedir Boolean; 1 if the source and destination directories are the same 4584 * @param cnp Destination component name 4585 * @see mpo_vnode_check_rename_t 4586 * @see mpo_vnode_check_rename_from_t 4587 * 4588 * Determine whether the subject identified by the credential should be 4589 * allowed to rename to the vnode vp, into the directory dvp, or to the 4590 * name represented by cnp. If there is no existing file to overwrite, 4591 * vp and label will be NULL. 4592 * 4593 * Due to VFS locking constraints (to make sure proper vnode locks are 4594 * held during this entry point), the vnode relabel checks had to be 4595 * split into two parts: relabel_from and relabel to. 4596 * 4597 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead. 4598 * 4599 * @return Return 0 if access is granted, otherwise an appropriate value for 4600 * errno should be returned. 4601 */ 4602 typedef int mpo_vnode_check_rename_to_t( 4603 kauth_cred_t cred, 4604 struct vnode *dvp, 4605 struct label *dlabel, 4606 struct vnode *vp, /* NULLOK */ 4607 struct label *label, /* NULLOK */ 4608 int samedir, 4609 struct componentname *cnp 4610 ); 4611 /** 4612 * @brief Access control check for revoke 4613 * @param cred Subject credential 4614 * @param vp Object vnode 4615 * @param label Policy label for vp 4616 * 4617 * Determine whether the subject identified by the credential can revoke 4618 * access to the passed vnode. 4619 * 4620 * @return Return 0 if access is granted, otherwise an appropriate value for 4621 * errno should be returned. Suggested failure: EACCES for label mismatch or 4622 * EPERM for lack of privilege. 4623 */ 4624 typedef int mpo_vnode_check_revoke_t( 4625 kauth_cred_t cred, 4626 struct vnode *vp, 4627 struct label *label 4628 ); 4629 /** 4630 * @brief Access control check for searchfs 4631 * @param cred Subject credential 4632 * @param vp Object vnode 4633 * @param vlabel Policy label for vp 4634 * @param returnattrs List of attributes to be returned 4635 * @param searchattrs List of attributes used as search criteria 4636 * 4637 * Determine whether the subject identified by the credential can search the 4638 * vnode using the searchfs system call. 4639 * 4640 * @return Return 0 if access is granted, otherwise an appropriate value for 4641 * errno should be returned. 4642 */ 4643 typedef int mpo_vnode_check_searchfs_t( 4644 kauth_cred_t cred, 4645 struct vnode *vp, 4646 struct label *vlabel, 4647 struct attrlist *returnattrs, 4648 struct attrlist *searchattrs 4649 ); 4650 /** 4651 * @brief Access control check for select 4652 * @param cred Subject credential 4653 * @param vp Object vnode 4654 * @param label Policy label for vp 4655 * @param which The operation selected on: FREAD or FWRITE 4656 * 4657 * Determine whether the subject identified by the credential can select 4658 * the vnode. 4659 * 4660 * @return Return 0 if access is granted, otherwise an appropriate value for 4661 * errno should be returned. 4662 */ 4663 typedef int mpo_vnode_check_select_t( 4664 kauth_cred_t cred, 4665 struct vnode *vp, 4666 struct label *label, 4667 int which 4668 ); 4669 /** 4670 * @brief Access control check for setting ACL 4671 * @param cred Subject credential 4672 * @param vp Object node 4673 * @param label Policy label for vp 4674 * @param acl ACL structure pointer 4675 * 4676 * Determine whether the subject identified by the credential can set an ACL 4677 * on the specified vnode. The ACL pointer will be NULL when removing an ACL. 4678 * 4679 * @return Return 0 if access is granted, otherwise an appropriate value for 4680 * errno should be returned. Suggested failure: EACCES for label mismatch or 4681 * EPERM for lack of privilege. 4682 */ 4683 typedef int mpo_vnode_check_setacl_t( 4684 kauth_cred_t cred, 4685 struct vnode *vp, 4686 struct label *label, 4687 struct kauth_acl *acl 4688 ); 4689 /** 4690 * @brief Access control check for setting file attributes 4691 * @param cred Subject credential 4692 * @param vp Object vnode 4693 * @param vlabel Policy label for vp 4694 * @param alist List of attributes to set 4695 * 4696 * Determine whether the subject identified by the credential can set 4697 * various attributes of the specified vnode, or the filesystem or volume on 4698 * which that vnode resides. See <sys/attr.h> for definitions of the 4699 * attributes. 4700 * 4701 * @return Return 0 if access is granted, otherwise an appropriate value for 4702 * errno should be returned. Suggested failure: EACCES for label mismatch or 4703 * EPERM for lack of privilege. Access control covers all attributes requested 4704 * with this call. 4705 */ 4706 typedef int mpo_vnode_check_setattrlist_t( 4707 kauth_cred_t cred, 4708 struct vnode *vp, 4709 struct label *vlabel, 4710 struct attrlist *alist 4711 ); 4712 /** 4713 * @brief Access control check for setting extended attribute 4714 * @param cred Subject credential 4715 * @param vp Object vnode 4716 * @param label Policy label for vp 4717 * @param name Extended attribute name 4718 * @param uio I/O structure pointer 4719 * 4720 * Determine whether the subject identified by the credential can set the 4721 * extended attribute of passed name and passed namespace on the passed 4722 * vnode. Policies implementing security labels backed into extended 4723 * attributes may want to provide additional protections for those 4724 * attributes. Additionally, policies should avoid making decisions based 4725 * on the data referenced from uio, as there is a potential race condition 4726 * between this check and the actual operation. The uio may also be NULL 4727 * if a delete operation is being performed. 4728 * 4729 * @return Return 0 if access is granted, otherwise an appropriate value for 4730 * errno should be returned. Suggested failure: EACCES for label mismatch or 4731 * EPERM for lack of privilege. 4732 */ 4733 typedef int mpo_vnode_check_setextattr_t( 4734 kauth_cred_t cred, 4735 struct vnode *vp, 4736 struct label *label, 4737 const char *name, 4738 struct uio *uio 4739 ); 4740 /** 4741 * @brief Access control check for setting flags 4742 * @param cred Subject credential 4743 * @param vp Object vnode 4744 * @param label Policy label for vp 4745 * @param flags File flags; see chflags(2) 4746 * 4747 * Determine whether the subject identified by the credential can set 4748 * the passed flags on the passed vnode. 4749 * 4750 * @return Return 0 if access is granted, otherwise an appropriate value for 4751 * errno should be returned. Suggested failure: EACCES for label mismatch or 4752 * EPERM for lack of privilege. 4753 */ 4754 typedef int mpo_vnode_check_setflags_t( 4755 kauth_cred_t cred, 4756 struct vnode *vp, 4757 struct label *label, 4758 u_long flags 4759 ); 4760 /** 4761 * @brief Access control check for setting mode 4762 * @param cred Subject credential 4763 * @param vp Object vnode 4764 * @param label Policy label for vp 4765 * @param mode File mode; see chmod(2) 4766 * 4767 * Determine whether the subject identified by the credential can set 4768 * the passed mode on the passed vnode. 4769 * 4770 * @return Return 0 if access is granted, otherwise an appropriate value for 4771 * errno should be returned. Suggested failure: EACCES for label mismatch or 4772 * EPERM for lack of privilege. 4773 */ 4774 typedef int mpo_vnode_check_setmode_t( 4775 kauth_cred_t cred, 4776 struct vnode *vp, 4777 struct label *label, 4778 mode_t mode 4779 ); 4780 /** 4781 * @brief Access control check for setting uid and gid 4782 * @param cred Subject credential 4783 * @param vp Object vnode 4784 * @param label Policy label for vp 4785 * @param uid User ID 4786 * @param gid Group ID 4787 * 4788 * Determine whether the subject identified by the credential can set 4789 * the passed uid and passed gid as file uid and file gid on the passed 4790 * vnode. The IDs may be set to (-1) to request no update. 4791 * 4792 * @return Return 0 if access is granted, otherwise an appropriate value for 4793 * errno should be returned. Suggested failure: EACCES for label mismatch or 4794 * EPERM for lack of privilege. 4795 */ 4796 typedef int mpo_vnode_check_setowner_t( 4797 kauth_cred_t cred, 4798 struct vnode *vp, 4799 struct label *label, 4800 uid_t uid, 4801 gid_t gid 4802 ); 4803 /** 4804 * @brief Access control check for setting timestamps 4805 * @param cred Subject credential 4806 * @param vp Object vnode 4807 * @param label Policy label for vp 4808 * @param atime Access time; see utimes(2) 4809 * @param mtime Modification time; see utimes(2) 4810 * 4811 * Determine whether the subject identified by the credential can set 4812 * the passed access timestamps on the passed vnode. 4813 * 4814 * @return Return 0 if access is granted, otherwise an appropriate value for 4815 * errno should be returned. Suggested failure: EACCES for label mismatch or 4816 * EPERM for lack of privilege. 4817 */ 4818 typedef int mpo_vnode_check_setutimes_t( 4819 kauth_cred_t cred, 4820 struct vnode *vp, 4821 struct label *label, 4822 struct timespec atime, 4823 struct timespec mtime 4824 ); 4825 /** 4826 * @brief Access control check after determining the code directory hash 4827 * @param vp vnode vnode to combine into proc 4828 * @param label label associated with the vnode 4829 * @param cpu_type cpu type of the signature being checked 4830 * @param cs_blob the code signature to check 4831 * @param cs_flags update code signing flags if needed 4832 * @param signer_type output parameter for the code signature's signer type 4833 * @param flags operational flag to mpo_vnode_check_signature 4834 * @param platform platform of the signature being checked 4835 * @param fatal_failure_desc description of fatal failure 4836 * @param fatal_failure_desc_len failure description len, failure is fatal if non-0 4837 * 4838 * @return Return 0 if access is granted, otherwise an appropriate value for 4839 * errno should be returned. 4840 */ 4841 typedef int mpo_vnode_check_signature_t( 4842 struct vnode *vp, 4843 struct label *label, 4844 cpu_type_t cpu_type, 4845 struct cs_blob *cs_blob, 4846 unsigned int *cs_flags, 4847 unsigned int *signer_type, 4848 int flags, 4849 unsigned int platform, 4850 char **fatal_failure_desc, size_t *fatal_failure_desc_len 4851 ); 4852 /** 4853 * @brief Access control check for stat 4854 * @param active_cred Subject credential 4855 * @param file_cred Credential associated with the struct fileproc 4856 * @param vp Object vnode 4857 * @param label Policy label for vp 4858 * 4859 * Determine whether the subject identified by the credential can stat 4860 * the passed vnode. See stat(2) for more information. The active_cred 4861 * hold the credentials of the subject performing the operation, and 4862 * file_cred holds the credentials of the subject that originally 4863 * opened the file. 4864 * 4865 * @return Return 0 if access is granted, otherwise an appropriate value for 4866 * errno should be returned. Suggested failure: EACCES for label mismatch or 4867 * EPERM for lack of privilege. 4868 */ 4869 typedef int mpo_vnode_check_stat_t( 4870 struct ucred *active_cred, 4871 struct ucred *file_cred, /* NULLOK */ 4872 struct vnode *vp, 4873 struct label *label 4874 ); 4875 /** 4876 * @brief Access control check for supplemental signature attachement 4877 * @param vp the vnode to which the signature will be attached 4878 * @param label label associated with the vnode 4879 * @param cs_blob the code signature to check 4880 * @param linked_vp vnode to which this new vp is related 4881 * @param linked_cs_blob the code signature of the linked vnode 4882 * @param signer_type output parameter for the signer type of the code signature being checked. 4883 * 4884 * @return Return 0 if access is granted, otherwise an appropriate value for 4885 * errno should be returned. 4886 */ 4887 typedef int mpo_vnode_check_supplemental_signature_t( 4888 struct vnode *vp, 4889 struct label *label, 4890 struct cs_blob *cs_blob, 4891 struct vnode *linked_vp, 4892 struct cs_blob *linked_cs_blob, 4893 unsigned int *signer_type 4894 ); 4895 /** 4896 * @brief Access control check for atomically swapping two vnodes. 4897 * @param cred User credential for the swapping process 4898 * @param v1 vnode 1 to swap 4899 * @param vl1 Policy label for v1 4900 * @param v2 vnode 2 to swap 4901 * @param vl2 Policy label for v2 4902 * 4903 * @return Return 0 if access is granted, otherwise an appropriate value for 4904 * errno should be returned. Suggested failure: EACCES for label mismatch or 4905 * EPERM for lack of privilege. 4906 */ 4907 typedef int mpo_vnode_check_swap_t( 4908 kauth_cred_t cred, 4909 struct vnode *v1, 4910 struct label *vl1, 4911 struct vnode *v2, 4912 struct label *vl2 4913 ); 4914 /** 4915 * @brief Access control check for vnode trigger resolution 4916 * @param cred Subject credential 4917 * @param dvp Object vnode 4918 * @param dlabel Policy label for dvp 4919 * @param cnp Component name that triggered resolution 4920 * 4921 * Determine whether the subject identified by the credential can trigger 4922 * resolution of the passed name (cnp) in the passed directory vnode 4923 * via an external trigger resolver. 4924 * 4925 * @return Return 0 if access is granted, otherwise an appropriate value for 4926 * errno should be returned. Suggested failure: EACCES for label mismatch or 4927 * EPERM for lack of privilege. 4928 */ 4929 typedef int mpo_vnode_check_trigger_resolve_t( 4930 kauth_cred_t cred, 4931 struct vnode *dvp, 4932 struct label *dlabel, 4933 struct componentname *cnp 4934 ); 4935 /** 4936 * @brief Access control check for truncate/ftruncate 4937 * @param active_cred Subject credential 4938 * @param file_cred Credential associated with the struct fileproc 4939 * @param vp Object vnode 4940 * @param label Policy label for vp 4941 * 4942 * Determine whether the subject identified by the credential can 4943 * perform a truncate operation on the passed vnode. The active_cred hold 4944 * the credentials of the subject performing the operation, and 4945 * file_cred holds the credentials of the subject that originally 4946 * opened the file. 4947 * 4948 * @return Return 0 if access is granted, otherwise an appropriate value for 4949 * errno should be returned. Suggested failure: EACCES for label mismatch or 4950 * EPERM for lack of privilege. 4951 */ 4952 typedef int mpo_vnode_check_truncate_t( 4953 kauth_cred_t active_cred, 4954 kauth_cred_t file_cred, /* NULLOK */ 4955 struct vnode *vp, 4956 struct label *label 4957 ); 4958 /** 4959 * @brief Access control check for binding UNIX domain socket 4960 * @param cred Subject credential 4961 * @param dvp Directory vnode 4962 * @param dlabel Policy label for dvp 4963 * @param cnp Component name for dvp 4964 * @param vap vnode attributes for vap 4965 * 4966 * Determine whether the subject identified by the credential can perform a 4967 * bind operation on a UNIX domain socket with the passed parent directory, 4968 * passed name information, and passed attribute information. 4969 * 4970 * @return Return 0 if access is granted, otherwise an appropriate value for 4971 * errno should be returned. Suggested failure: EACCES for label mismatch or 4972 * EPERM for lack of privilege. 4973 */ 4974 typedef int mpo_vnode_check_uipc_bind_t( 4975 kauth_cred_t cred, 4976 struct vnode *dvp, 4977 struct label *dlabel, 4978 struct componentname *cnp, 4979 struct vnode_attr *vap 4980 ); 4981 /** 4982 * @brief Access control check for connecting UNIX domain socket 4983 * @param cred Subject credential 4984 * @param vp Object vnode 4985 * @param label Policy label associated with vp 4986 * @param so Socket 4987 * 4988 * Determine whether the subject identified by the credential can perform a 4989 * connect operation on the passed UNIX domain socket vnode. 4990 * 4991 * @return Return 0 if access is granted, otherwise an appropriate value for 4992 * errno should be returned. Suggested failure: EACCES for label mismatch or 4993 * EPERM for lack of privilege. 4994 */ 4995 typedef int mpo_vnode_check_uipc_connect_t( 4996 kauth_cred_t cred, 4997 struct vnode *vp, 4998 struct label *label, 4999 socket_t so 5000 ); 5001 /** 5002 * @brief Access control check for deleting vnode 5003 * @param cred Subject credential 5004 * @param dvp Parent directory vnode 5005 * @param dlabel Policy label for dvp 5006 * @param vp Object vnode to delete 5007 * @param label Policy label for vp 5008 * @param cnp Component name for vp 5009 * @see mpo_check_rename_to_t 5010 * 5011 * Determine whether the subject identified by the credential can delete 5012 * a vnode from the passed parent directory and passed name information. 5013 * This call may be made in a number of situations, including as a 5014 * results of calls to unlink(2) and rmdir(2). Policies implementing 5015 * this entry point should also implement mpo_check_rename_to to 5016 * authorize deletion of objects as a result of being the target of a rename. 5017 * 5018 * @return Return 0 if access is granted, otherwise an appropriate value for 5019 * errno should be returned. Suggested failure: EACCES for label mismatch or 5020 * EPERM for lack of privilege. 5021 */ 5022 typedef int mpo_vnode_check_unlink_t( 5023 kauth_cred_t cred, 5024 struct vnode *dvp, 5025 struct label *dlabel, 5026 struct vnode *vp, 5027 struct label *label, 5028 struct componentname *cnp 5029 ); 5030 /** 5031 * @brief Access control check for write 5032 * @param active_cred Subject credential 5033 * @param file_cred Credential associated with the struct fileproc 5034 * @param vp Object vnode 5035 * @param label Policy label for vp 5036 * 5037 * Determine whether the subject identified by the credential can 5038 * perform a write operation on the passed vnode. The active_cred hold 5039 * the credentials of the subject performing the operation, and 5040 * file_cred holds the credentials of the subject that originally 5041 * opened the file. 5042 * 5043 * @return Return 0 if access is granted, otherwise an appropriate value for 5044 * errno should be returned. Suggested failure: EACCES for label mismatch or 5045 * EPERM for lack of privilege. 5046 */ 5047 typedef int mpo_vnode_check_write_t( 5048 kauth_cred_t active_cred, 5049 kauth_cred_t file_cred, /* NULLOK */ 5050 struct vnode *vp, 5051 struct label *label 5052 ); 5053 /** 5054 * @brief Access control check for copyfile 5055 * @param cred Subject credential 5056 * @param dvp Vnode of directory to create the copy in 5057 * @param dlabel Policy label associated with dvp 5058 * @param tvp Vnode of the file at the target path that will be unlinked to 5059 * make room for the copy being created, if file exists 5060 * @param tlabel Policy label associated with tvp 5061 * @param fvp Vnode of the file to copy from 5062 * @param flabel Policy label associated with fvp 5063 * @param cnp Component name for the copy being created 5064 * @param mode Corresponds to mode argument to the copyfile syscall 5065 * @param flags Corresponds to flags argument to the copyfile syscall 5066 * 5067 * Determine whether the subject identified by the credential should be 5068 * allowed to create a copy of the vnode fvp with the name specified by cnp. 5069 * 5070 * @return Return 0 if access is granted, otherwise an appropriate value for 5071 * errno should be returned. 5072 */ 5073 typedef int mpo_vnode_check_copyfile_t( 5074 kauth_cred_t cred, 5075 struct vnode *dvp, 5076 struct label *dlabel, 5077 struct vnode *tvp, /* NULLOK */ 5078 struct label *tlabel, /* NULLOK */ 5079 struct vnode *fvp, 5080 struct label *flabel, 5081 struct componentname *cnp, 5082 mode_t mode, 5083 int flags 5084 ); 5085 /** 5086 * @brief Associate a vnode with a devfs entry 5087 * @param mp Devfs mount point 5088 * @param mntlabel Devfs mount point label 5089 * @param de Devfs directory entry 5090 * @param delabel Label associated with de 5091 * @param vp vnode associated with de 5092 * @param vlabel Label associated with vp 5093 * 5094 * Fill in the label (vlabel) for a newly created devfs vnode. The 5095 * label is typically derived from the label on the devfs directory 5096 * entry or the label on the filesystem, supplied as parameters. 5097 */ 5098 typedef void mpo_vnode_label_associate_devfs_t( 5099 struct mount *mp, 5100 struct label *mntlabel, 5101 struct devnode *de, 5102 struct label *delabel, 5103 struct vnode *vp, 5104 struct label *vlabel 5105 ); 5106 /** 5107 * @brief Associate a label with a vnode 5108 * @param mp File system mount point 5109 * @param mntlabel File system mount point label 5110 * @param vp Vnode to label 5111 * @param vlabel Label associated with vp 5112 * 5113 * Attempt to retrieve label information for the vnode, vp, from the 5114 * file system extended attribute store. The label should be stored in 5115 * the supplied vlabel parameter. If a policy cannot retrieve an 5116 * extended attribute, sometimes it is acceptible to fallback to using 5117 * the mntlabel. 5118 * 5119 * If the policy requires vnodes to have a valid label elsewhere it 5120 * MUST NOT return other than temporary errors, and must always provide 5121 * a valid label of some sort. Returning an error will cause vnode 5122 * labeling to be retried at a later access. Failure to handle policy 5123 * centric errors internally (corrupt labels etc.) will result in 5124 * inaccessible files. 5125 * 5126 * @return In the event of an error, an appropriate value for errno 5127 * should be returned, otherwise return 0 upon success. 5128 */ 5129 typedef int mpo_vnode_label_associate_extattr_t( 5130 struct mount *mp, 5131 struct label *mntlabel, 5132 struct vnode *vp, 5133 struct label *vlabel 5134 ); 5135 /** 5136 * @brief Associate a file label with a vnode 5137 * @param cred User credential 5138 * @param mp Fdesc mount point 5139 * @param mntlabel Fdesc mount point label 5140 * @param fg Fileglob structure 5141 * @param label Policy label for fg 5142 * @param vp Vnode to label 5143 * @param vlabel Label associated with vp 5144 * 5145 * Associate label information for the vnode, vp, with the label of 5146 * the open file descriptor described by fg. 5147 * The label should be stored in the supplied vlabel parameter. 5148 */ 5149 typedef void mpo_vnode_label_associate_file_t( 5150 struct ucred *cred, 5151 struct mount *mp, 5152 struct label *mntlabel, 5153 struct fileglob *fg, 5154 struct label *label, 5155 struct vnode *vp, 5156 struct label *vlabel 5157 ); 5158 /** 5159 * @brief Associate a pipe label with a vnode 5160 * @param cred User credential for the process that opened the pipe 5161 * @param cpipe Pipe structure 5162 * @param pipelabel Label associated with pipe 5163 * @param vp Vnode to label 5164 * @param vlabel Label associated with vp 5165 * 5166 * Associate label information for the vnode, vp, with the label of 5167 * the pipe described by the pipe structure cpipe. 5168 * The label should be stored in the supplied vlabel parameter. 5169 */ 5170 typedef void mpo_vnode_label_associate_pipe_t( 5171 struct ucred *cred, 5172 struct pipe *cpipe, 5173 struct label *pipelabel, 5174 struct vnode *vp, 5175 struct label *vlabel 5176 ); 5177 /** 5178 * @brief Associate a POSIX semaphore label with a vnode 5179 * @param cred User credential for the process that create psem 5180 * @param psem POSIX semaphore structure 5181 * @param psemlabel Label associated with psem 5182 * @param vp Vnode to label 5183 * @param vlabel Label associated with vp 5184 * 5185 * Associate label information for the vnode, vp, with the label of 5186 * the POSIX semaphore described by psem. 5187 * The label should be stored in the supplied vlabel parameter. 5188 */ 5189 typedef void mpo_vnode_label_associate_posixsem_t( 5190 struct ucred *cred, 5191 struct pseminfo *psem, 5192 struct label *psemlabel, 5193 struct vnode *vp, 5194 struct label *vlabel 5195 ); 5196 /** 5197 * @brief Associate a POSIX shared memory label with a vnode 5198 * @param cred User credential for the process that created pshm 5199 * @param pshm POSIX shared memory structure 5200 * @param pshmlabel Label associated with pshm 5201 * @param vp Vnode to label 5202 * @param vlabel Label associated with vp 5203 * 5204 * Associate label information for the vnode, vp, with the label of 5205 * the POSIX shared memory region described by pshm. 5206 * The label should be stored in the supplied vlabel parameter. 5207 */ 5208 typedef void mpo_vnode_label_associate_posixshm_t( 5209 struct ucred *cred, 5210 struct pshminfo *pshm, 5211 struct label *pshmlabel, 5212 struct vnode *vp, 5213 struct label *vlabel 5214 ); 5215 /** 5216 * @brief Associate a label with a vnode 5217 * @param mp File system mount point 5218 * @param mntlabel File system mount point label 5219 * @param vp Vnode to label 5220 * @param vlabel Label associated with vp 5221 * 5222 * On non-multilabel file systems, set the label for a vnode. The 5223 * label will most likely be based on the file system label. 5224 */ 5225 typedef void mpo_vnode_label_associate_singlelabel_t( 5226 struct mount *mp, 5227 struct label *mntlabel, 5228 struct vnode *vp, 5229 struct label *vlabel 5230 ); 5231 /** 5232 * @brief Associate a socket label with a vnode 5233 * @param cred User credential for the process that opened the socket 5234 * @param so Socket structure 5235 * @param solabel Label associated with so 5236 * @param vp Vnode to label 5237 * @param vlabel Label associated with vp 5238 * 5239 * Associate label information for the vnode, vp, with the label of 5240 * the open socket described by the socket structure so. 5241 * The label should be stored in the supplied vlabel parameter. 5242 */ 5243 typedef void mpo_vnode_label_associate_socket_t( 5244 kauth_cred_t cred, 5245 socket_t so, 5246 struct label *solabel, 5247 struct vnode *vp, 5248 struct label *vlabel 5249 ); 5250 /** 5251 * @brief Copy a vnode label 5252 * @param src Source vnode label 5253 * @param dest Destination vnode label 5254 * 5255 * Copy the vnode label information from src to dest. On Darwin, this 5256 * is currently only necessary when executing interpreted scripts, but 5257 * will later be used if vnode label externalization cannot be an 5258 * atomic operation. 5259 */ 5260 typedef void mpo_vnode_label_copy_t( 5261 struct label *src, 5262 struct label *dest 5263 ); 5264 /** 5265 * @brief Destroy vnode label 5266 * @param label The label to be destroyed 5267 * 5268 * Destroy a vnode label. Since the object is going out of scope, 5269 * policy modules should free any internal storage associated with the 5270 * label so that it may be destroyed. 5271 */ 5272 typedef void mpo_vnode_label_destroy_t( 5273 struct label *label 5274 ); 5275 /** 5276 * @brief Externalize a vnode label for auditing 5277 * @param label Label to be externalized 5278 * @param element_name Name of the label namespace for which labels should be 5279 * externalized 5280 * @param sb String buffer to be filled with a text representation of the label 5281 * 5282 * Produce an external representation of the label on a vnode suitable for 5283 * inclusion in an audit record. An externalized label consists of a text 5284 * representation of the label contents that will be added to the audit record 5285 * as part of a text token. Policy-agnostic user space tools will display 5286 * this externalized version. 5287 * 5288 * @return 0 on success, return non-zero if an error occurs while 5289 * externalizing the label data. 5290 * 5291 */ 5292 typedef int mpo_vnode_label_externalize_audit_t( 5293 struct label *label, 5294 char *element_name, 5295 struct sbuf *sb 5296 ); 5297 /** 5298 * @brief Externalize a vnode label 5299 * @param label Label to be externalized 5300 * @param element_name Name of the label namespace for which labels should be 5301 * externalized 5302 * @param sb String buffer to be filled with a text representation of the label 5303 * 5304 * Produce an external representation of the label on a vnode. An 5305 * externalized label consists of a text representation of the label 5306 * contents that can be used with user applications. Policy-agnostic 5307 * user space tools will display this externalized version. 5308 * 5309 * @return 0 on success, return non-zero if an error occurs while 5310 * externalizing the label data. 5311 * 5312 */ 5313 typedef int mpo_vnode_label_externalize_t( 5314 struct label *label, 5315 char *element_name, 5316 struct sbuf *sb 5317 ); 5318 /** 5319 * @brief Initialize vnode label 5320 * @param label New label to initialize 5321 * 5322 * Initialize label storage for use with a newly instantiated vnode, or 5323 * for temporary storage associated with the copying in or out of a 5324 * vnode label. While it is necessary to allocate space for a 5325 * kernel-resident vnode label, it is not yet necessary to link this vnode 5326 * with persistent label storage facilities, such as extended attributes. 5327 * Sleeping is permitted. 5328 */ 5329 typedef void mpo_vnode_label_init_t( 5330 struct label *label 5331 ); 5332 /** 5333 * @brief Internalize a vnode label 5334 * @param label Label to be internalized 5335 * @param element_name Name of the label namespace for which the label should 5336 * be internalized 5337 * @param element_data Text data to be internalized 5338 * 5339 * Produce a vnode label from an external representation. An 5340 * externalized label consists of a text representation of the label 5341 * contents that can be used with user applications. Policy-agnostic 5342 * user space tools will forward text version to the kernel for 5343 * processing by individual policy modules. 5344 * 5345 * The policy's internalize entry points will be called only if the 5346 * policy has registered interest in the label namespace. 5347 * 5348 * @return 0 on success, Otherwise, return non-zero if an error occurs 5349 * while internalizing the label data. 5350 */ 5351 typedef int mpo_vnode_label_internalize_t( 5352 struct label *label, 5353 char *element_name, 5354 char *element_data 5355 ); 5356 /** 5357 * @brief Clean up a vnode label 5358 * @param label The label to be cleaned or purged 5359 * 5360 * Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but 5361 * typically never frees them. Before vnodes are placed back on free lists for 5362 * re-use, policies can cleanup or overwrite any information present in the label, 5363 * or free any internal resources used for the label. 5364 */ 5365 typedef void mpo_vnode_label_recycle_t( 5366 struct label *label 5367 ); 5368 /** 5369 * @brief Write a label to a extended attribute 5370 * @param cred Subject credential 5371 * @param vp The vnode for which the label is being stored 5372 * @param vlabel Label associated with vp 5373 * @param intlabel The new label to store 5374 * 5375 * Store a new label in the extended attribute corresponding to the 5376 * supplied vnode. The policy has already authorized the operation; 5377 * this call must be implemented in order to perform the actual 5378 * operation. 5379 * 5380 * @return In the event of an error, an appropriate value for errno 5381 * should be returned, otherwise return 0 upon success. 5382 * 5383 * @warning XXX After examining the extended attribute implementation on 5384 * Apple's future release, this entry point may be changed. 5385 */ 5386 typedef int mpo_vnode_label_store_t( 5387 kauth_cred_t cred, 5388 struct vnode *vp, 5389 struct label *vlabel, 5390 struct label *intlabel 5391 ); 5392 /** 5393 * @brief Update vnode label from extended attributes 5394 * @param mp File system mount point 5395 * @param mntlabel Mount point label 5396 * @param vp Vnode to label 5397 * @param vlabel Label associated with vp 5398 * @param name Name of the xattr 5399 * @see mpo_vnode_check_setextattr_t 5400 * 5401 * When an extended attribute is updated via the Vendor attribute management 5402 * functions, the MAC vnode label might also require an update. 5403 * Policies should first determine if 'name' matches their xattr label 5404 * name. If it does, the kernel is has either replaced or removed the 5405 * named extended attribute that was previously associated with the 5406 * vnode. Normally labels should only be modified via MAC Framework label 5407 * management calls, but sometimes the user space components will directly 5408 * modify extended attributes. For example, 'cp', 'tar', etc. manage 5409 * extended attributes in userspace, not the kernel. 5410 * 5411 * This entry point is called after the label update has occurred, so 5412 * it cannot return a failure. However, the operation is preceded by 5413 * the mpo_vnode_check_setextattr() access control check. 5414 * 5415 * If the vnode label needs to be updated the policy should return 5416 * a non-zero value. The vnode label will be marked for re-association 5417 * by the framework. 5418 */ 5419 typedef int mpo_vnode_label_update_extattr_t( 5420 struct mount *mp, 5421 struct label *mntlabel, 5422 struct vnode *vp, 5423 struct label *vlabel, 5424 const char *name 5425 ); 5426 /** 5427 * @brief Update a vnode label 5428 * @param cred Subject credential 5429 * @param vp The vnode to relabel 5430 * @param vnodelabel Existing vnode label 5431 * @param label New label to replace existing label 5432 * @see mpo_vnode_check_label_update_t 5433 * 5434 * The subject identified by the credential has previously requested 5435 * and was authorized to relabel the vnode; this entry point allows 5436 * policies to perform the actual relabel operation. Policies should 5437 * update vnodelabel using the label stored in the label parameter. 5438 */ 5439 typedef void mpo_vnode_label_update_t( 5440 kauth_cred_t cred, 5441 struct vnode *vp, 5442 struct label *vnodelabel, 5443 struct label *label 5444 ); 5445 /** 5446 * @brief Find deatched signatures for a shared library 5447 * @param p file trying to find the signature 5448 * @param vp The vnode to relabel 5449 * @param offset offset in the Mach-O that the signature is requested for (for fat binaries) 5450 * @param label Existing vnode label 5451 * 5452 */ 5453 typedef int mpo_vnode_find_sigs_t( 5454 struct proc *p, 5455 struct vnode *vp, 5456 off_t offset, 5457 struct label *label 5458 ); 5459 /** 5460 * @brief Create a new vnode, backed by extended attributes 5461 * @param cred User credential for the creating process 5462 * @param mp File system mount point 5463 * @param mntlabel File system mount point label 5464 * @param dvp Parent directory vnode 5465 * @param dlabel Parent directory vnode label 5466 * @param vp Newly created vnode 5467 * @param vlabel Label to associate with the new vnode 5468 * @param cnp Component name for vp 5469 * 5470 * Write out the label for the newly created vnode, most likely storing 5471 * the results in a file system extended attribute. Most policies will 5472 * derive the new vnode label using information from a combination 5473 * of the subject (user) credential, the file system label, the parent 5474 * directory label, and potentially the path name component. 5475 * 5476 * @return If the operation succeeds, store the new label in vlabel and 5477 * return 0. Otherwise, return an appropriate errno value. 5478 */ 5479 typedef int mpo_vnode_notify_create_t( 5480 kauth_cred_t cred, 5481 struct mount *mp, 5482 struct label *mntlabel, 5483 struct vnode *dvp, 5484 struct label *dlabel, 5485 struct vnode *vp, 5486 struct label *vlabel, 5487 struct componentname *cnp 5488 ); 5489 5490 /** 5491 * @brief Inform MAC policies that a vnode has been opened 5492 * @param cred User credential for the creating process 5493 * @param vp vnode opened 5494 * @param label Policy label for the vp 5495 * @param acc_mode open(2) access mode used 5496 * 5497 * Inform Mac policies that a vnode have been successfully opened 5498 * (passing all MAC polices and DAC). 5499 */ 5500 typedef void mpo_vnode_notify_open_t( 5501 kauth_cred_t cred, 5502 struct vnode *vp, 5503 struct label *label, 5504 int acc_mode 5505 ); 5506 5507 /** 5508 * @brief Inform MAC policies that a vnode has been renamed 5509 * @param cred User credential for the renaming process 5510 * @param vp Vnode that's being renamed 5511 * @param label Policy label for vp 5512 * @param dvp Parent directory for the destination 5513 * @param dlabel Policy label for dvp 5514 * @param cnp Component name for the destination 5515 * 5516 * Inform MAC policies that a vnode has been renamed. 5517 */ 5518 typedef void mpo_vnode_notify_rename_t( 5519 kauth_cred_t cred, 5520 struct vnode *vp, 5521 struct label *label, 5522 struct vnode *dvp, 5523 struct label *dlabel, 5524 struct componentname *cnp 5525 ); 5526 5527 /** 5528 * @brief Inform MAC policies that two vnodes were atomically swapped. 5529 * @param cred User credential for the renaming process 5530 * @param v1 vnode 1 to swap 5531 * @param vl1 Policy label for v1 5532 * @param v2 vnode 2 to swap 5533 * @param vl2 Policy label for v2 5534 * 5535 * Inform MAC policies that two vnodes were atomically swapped. 5536 * NOTE: If a policy implements this notify hook, then this hook will be 5537 * called instead of two calls to the vnode_notify_rename hook (one for each 5538 * member of the swap). 5539 */ 5540 typedef void mpo_vnode_notify_swap_t( 5541 kauth_cred_t cred, 5542 struct vnode *v1, 5543 struct label *vl1, 5544 struct vnode *v2, 5545 struct label *vl2 5546 ); 5547 5548 /** 5549 * @brief Inform MAC policies that a vnode has been linked 5550 * @param cred User credential for the renaming process 5551 * @param dvp Parent directory for the destination 5552 * @param dlabel Policy label for dvp 5553 * @param vp Vnode that's being linked 5554 * @param vlabel Policy label for vp 5555 * @param cnp Component name for the destination 5556 * 5557 * Inform MAC policies that a vnode has been linked. 5558 */ 5559 typedef void mpo_vnode_notify_link_t( 5560 kauth_cred_t cred, 5561 struct vnode *dvp, 5562 struct label *dlabel, 5563 struct vnode *vp, 5564 struct label *vlabel, 5565 struct componentname *cnp 5566 ); 5567 5568 /** 5569 * @brief Inform MAC policies that an extended attribute has been removed from a vnode 5570 * @param cred Subject credential 5571 * @param vp Object node 5572 * @param label Policy label for vp 5573 * @param name Extended attribute name 5574 * 5575 * Inform MAC policies that an extended attribute has been removed from a vnode. 5576 */ 5577 typedef void mpo_vnode_notify_deleteextattr_t( 5578 kauth_cred_t cred, 5579 struct vnode *vp, 5580 struct label *label, 5581 const char *name 5582 ); 5583 5584 5585 /** 5586 * @brief Inform MAC policies that an ACL has been set on a vnode 5587 * @param cred Subject credential 5588 * @param vp Object node 5589 * @param label Policy label for vp 5590 * @param acl ACL structure pointer 5591 * 5592 * Inform MAC policies that an ACL has been set on a vnode. 5593 */ 5594 typedef void mpo_vnode_notify_setacl_t( 5595 kauth_cred_t cred, 5596 struct vnode *vp, 5597 struct label *label, 5598 struct kauth_acl *acl 5599 ); 5600 5601 /** 5602 * @brief Inform MAC policies that an attributes have been set on a vnode 5603 * @param cred Subject credential 5604 * @param vp Object vnode 5605 * @param label Policy label for vp 5606 * @param alist List of attributes to set 5607 * 5608 * Inform MAC policies that an attributes have been set on a vnode. 5609 */ 5610 typedef void mpo_vnode_notify_setattrlist_t( 5611 kauth_cred_t cred, 5612 struct vnode *vp, 5613 struct label *label, 5614 struct attrlist *alist 5615 ); 5616 5617 /** 5618 * @brief Inform MAC policies that an extended attribute has been set on a vnode 5619 * @param cred Subject credential 5620 * @param vp Object vnode 5621 * @param label Policy label for vp 5622 * @param name Extended attribute name 5623 * @param uio I/O structure pointer 5624 * 5625 * Inform MAC policies that an extended attribute has been set on a vnode. 5626 */ 5627 typedef void mpo_vnode_notify_setextattr_t( 5628 kauth_cred_t cred, 5629 struct vnode *vp, 5630 struct label *label, 5631 const char *name, 5632 struct uio *uio 5633 ); 5634 5635 /** 5636 * @brief Inform MAC policies that flags have been set on a vnode 5637 * @param cred Subject credential 5638 * @param vp Object vnode 5639 * @param label Policy label for vp 5640 * @param flags File flags; see chflags(2) 5641 * 5642 * Inform MAC policies that flags have been set on a vnode. 5643 */ 5644 typedef void mpo_vnode_notify_setflags_t( 5645 kauth_cred_t cred, 5646 struct vnode *vp, 5647 struct label *label, 5648 u_long flags 5649 ); 5650 5651 /** 5652 * @brief Inform MAC policies that a new mode has been set on a vnode 5653 * @param cred Subject credential 5654 * @param vp Object vnode 5655 * @param label Policy label for vp 5656 * @param mode File mode; see chmod(2) 5657 * 5658 * Inform MAC policies that a new mode has been set on a vnode. 5659 */ 5660 typedef void mpo_vnode_notify_setmode_t( 5661 kauth_cred_t cred, 5662 struct vnode *vp, 5663 struct label *label, 5664 mode_t mode 5665 ); 5666 5667 /** 5668 * @brief Inform MAC policies that new uid/gid have been set on a vnode 5669 * @param cred Subject credential 5670 * @param vp Object vnode 5671 * @param label Policy label for vp 5672 * @param uid User ID 5673 * @param gid Group ID 5674 * 5675 * Inform MAC policies that new uid/gid have been set on a vnode. 5676 */ 5677 typedef void mpo_vnode_notify_setowner_t( 5678 kauth_cred_t cred, 5679 struct vnode *vp, 5680 struct label *label, 5681 uid_t uid, 5682 gid_t gid 5683 ); 5684 5685 /** 5686 * @brief Inform MAC policies that new timestamps have been set on a vnode 5687 * @param cred Subject credential 5688 * @param vp Object vnode 5689 * @param label Policy label for vp 5690 * @param atime Access time; see utimes(2) 5691 * @param mtime Modification time; see utimes(2) 5692 * 5693 * Inform MAC policies that new timestamps have been set on a vnode. 5694 */ 5695 typedef void mpo_vnode_notify_setutimes_t( 5696 kauth_cred_t cred, 5697 struct vnode *vp, 5698 struct label *label, 5699 struct timespec atime, 5700 struct timespec mtime 5701 ); 5702 5703 /** 5704 * @brief Inform MAC policies that a vnode has been truncated 5705 * @param cred Subject credential 5706 * @param file_cred Credential associated with the struct fileproc 5707 * @param vp Object vnode 5708 * @param label Policy label for vp 5709 * 5710 * Inform MAC policies that a vnode has been truncated. 5711 */ 5712 typedef void mpo_vnode_notify_truncate_t( 5713 kauth_cred_t cred, 5714 kauth_cred_t file_cred, 5715 struct vnode *vp, 5716 struct label *label 5717 ); 5718 5719 5720 /** 5721 * @brief Inform MAC policies that a pty slave has been granted 5722 * @param p Responsible process 5723 * @param tp tty data structure 5724 * @param dev Major and minor numbers of device 5725 * @param label Policy label for tp 5726 * 5727 * Inform MAC policies that a pty slave has been granted. 5728 */ 5729 typedef void mpo_pty_notify_grant_t( 5730 proc_t p, 5731 struct tty *tp, 5732 dev_t dev, 5733 struct label *label 5734 ); 5735 5736 /** 5737 * @brief Inform MAC policies that a pty master has been closed 5738 * @param p Responsible process 5739 * @param tp tty data structure 5740 * @param dev Major and minor numbers of device 5741 * @param label Policy label for tp 5742 * 5743 * Inform MAC policies that a pty master has been closed. 5744 */ 5745 typedef void mpo_pty_notify_close_t( 5746 proc_t p, 5747 struct tty *tp, 5748 dev_t dev, 5749 struct label *label 5750 ); 5751 5752 /** 5753 * @brief Access control check for kext loading 5754 * @param cred Subject credential 5755 * @param identifier Kext identifier 5756 * 5757 * Determine whether the subject identified by the credential can load the 5758 * specified kext. 5759 * 5760 * @return Return 0 if access is granted, otherwise an appropriate value for 5761 * errno should be returned. Suggested failure: EPERM for lack of privilege. 5762 */ 5763 typedef int mpo_kext_check_load_t( 5764 kauth_cred_t cred, 5765 const char *identifier 5766 ); 5767 5768 /** 5769 * @brief Access control check for kext unloading 5770 * @param cred Subject credential 5771 * @param identifier Kext identifier 5772 * 5773 * Determine whether the subject identified by the credential can unload the 5774 * specified kext. 5775 * 5776 * @return Return 0 if access is granted, otherwise an appropriate value for 5777 * errno should be returned. Suggested failure: EPERM for lack of privilege. 5778 */ 5779 typedef int mpo_kext_check_unload_t( 5780 kauth_cred_t cred, 5781 const char *identifier 5782 ); 5783 5784 /** 5785 * @brief Access control check for querying information about loaded kexts 5786 * @param cred Subject credential 5787 * 5788 * Determine whether the subject identified by the credential can query 5789 * information about loaded kexts. 5790 * 5791 * @return Return 0 if access is granted, otherwise an appropriate value for 5792 * errno should be returned. Suggested failure: EPERM for lack of privilege. 5793 */ 5794 typedef int mpo_kext_check_query_t( 5795 kauth_cred_t cred 5796 ); 5797 5798 /** 5799 * @brief Inform MAC policies that a vnode is being reclaimed 5800 * @param vp Object vnode 5801 * 5802 * Any external accounting tracking this vnode must consider it to be no longer valid. 5803 */ 5804 typedef void mpo_vnode_notify_reclaim_t( 5805 struct vnode *vp 5806 ); 5807 5808 /** 5809 * @brief Inform MAC policies that a vnode has been deleted 5810 * @param cred Subject credential 5811 * @param dvp Parent directory vnode 5812 * @param dlabel Policy label for dvp 5813 * @param vp Object vnode to delete 5814 * @param label Policy label for vp 5815 * @param cnp Component name for vp 5816 * 5817 * Inform Mac policies that a vnode have been successfully deleted 5818 * (passing all MAC polices and DAC). 5819 */ 5820 typedef void mpo_vnode_notify_unlink_t( 5821 kauth_cred_t cred, 5822 struct vnode *dvp, 5823 struct label *dlabel, 5824 struct vnode *vp, 5825 struct label *label, 5826 struct componentname *cnp 5827 ); 5828 5829 /* 5830 * Placeholder for future events that may need mac hooks. 5831 */ 5832 typedef void mpo_reserved_hook_t(void); 5833 5834 /* 5835 * Policy module operations. 5836 * 5837 * Please note that this should be kept in sync with the check assumptions 5838 * policy in bsd/kern/policy_check.c (policy_ops struct). 5839 */ 5840 #define MAC_POLICY_OPS_VERSION 87 /* inc when new reserved slots are taken */ 5841 struct mac_policy_ops { 5842 mpo_audit_check_postselect_t *mpo_audit_check_postselect; 5843 mpo_audit_check_preselect_t *mpo_audit_check_preselect; 5844 5845 mpo_reserved_hook_t *mpo_reserved01; 5846 mpo_reserved_hook_t *mpo_reserved02; 5847 mpo_reserved_hook_t *mpo_reserved03; 5848 mpo_reserved_hook_t *mpo_reserved04; 5849 5850 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; 5851 mpo_cred_check_label_update_t *mpo_cred_check_label_update; 5852 mpo_cred_check_visible_t *mpo_cred_check_visible; 5853 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork; 5854 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel; 5855 mpo_cred_label_associate_t *mpo_cred_label_associate; 5856 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user; 5857 mpo_cred_label_destroy_t *mpo_cred_label_destroy; 5858 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit; 5859 mpo_cred_label_externalize_t *mpo_cred_label_externalize; 5860 mpo_cred_label_init_t *mpo_cred_label_init; 5861 mpo_cred_label_internalize_t *mpo_cred_label_internalize; 5862 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve; 5863 mpo_cred_label_update_t *mpo_cred_label_update; 5864 5865 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device; 5866 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory; 5867 mpo_devfs_label_copy_t *mpo_devfs_label_copy; 5868 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; 5869 mpo_devfs_label_init_t *mpo_devfs_label_init; 5870 mpo_devfs_label_update_t *mpo_devfs_label_update; 5871 5872 mpo_file_check_change_offset_t *mpo_file_check_change_offset; 5873 mpo_file_check_create_t *mpo_file_check_create; 5874 mpo_file_check_dup_t *mpo_file_check_dup; 5875 mpo_file_check_fcntl_t *mpo_file_check_fcntl; 5876 mpo_file_check_get_offset_t *mpo_file_check_get_offset; 5877 mpo_file_check_get_t *mpo_file_check_get; 5878 mpo_file_check_inherit_t *mpo_file_check_inherit; 5879 mpo_file_check_ioctl_t *mpo_file_check_ioctl; 5880 mpo_file_check_lock_t *mpo_file_check_lock; 5881 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade; 5882 mpo_file_check_mmap_t *mpo_file_check_mmap; 5883 mpo_file_check_receive_t *mpo_file_check_receive; 5884 mpo_file_check_set_t *mpo_file_check_set; 5885 mpo_file_label_init_t *mpo_file_label_init; /* deprecated not called anymore */ 5886 mpo_file_label_destroy_t *mpo_file_label_destroy; /* deprecated not called anymore */ 5887 mpo_file_label_associate_t *mpo_file_label_associate; /* deprecated not called anymore */ 5888 mpo_file_notify_close_t *mpo_file_notify_close; 5889 5890 mpo_proc_check_launch_constraints_t *mpo_proc_check_launch_constraints; 5891 mpo_proc_notify_service_port_derive_t *mpo_proc_notify_service_port_derive; 5892 mpo_proc_check_set_task_exception_port_t *mpo_proc_check_set_task_exception_port; 5893 mpo_proc_check_set_thread_exception_port_t *mpo_proc_check_set_thread_exception_port; 5894 5895 mpo_reserved_hook_t *mpo_reserved08; 5896 mpo_reserved_hook_t *mpo_reserved09; 5897 mpo_reserved_hook_t *mpo_reserved10; 5898 mpo_reserved_hook_t *mpo_reserved11; 5899 mpo_reserved_hook_t *mpo_reserved12; 5900 mpo_reserved_hook_t *mpo_reserved13; 5901 mpo_reserved_hook_t *mpo_reserved14; 5902 mpo_reserved_hook_t *mpo_reserved15; 5903 mpo_reserved_hook_t *mpo_reserved16; 5904 mpo_reserved_hook_t *mpo_reserved17; 5905 mpo_reserved_hook_t *mpo_reserved18; 5906 mpo_reserved_hook_t *mpo_reserved19; 5907 mpo_reserved_hook_t *mpo_reserved20; 5908 mpo_reserved_hook_t *mpo_reserved21; 5909 mpo_reserved_hook_t *mpo_reserved22; 5910 5911 mpo_necp_check_open_t *mpo_necp_check_open; 5912 mpo_necp_check_client_action_t *mpo_necp_check_client_action; 5913 5914 mpo_file_check_library_validation_t *mpo_file_check_library_validation; 5915 5916 mpo_vnode_notify_setacl_t *mpo_vnode_notify_setacl; 5917 mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist; 5918 mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr; 5919 mpo_vnode_notify_setflags_t *mpo_vnode_notify_setflags; 5920 mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode; 5921 mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner; 5922 mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes; 5923 mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate; 5924 mpo_vnode_check_getattrlistbulk_t *mpo_vnode_check_getattrlistbulk; 5925 5926 mpo_proc_check_get_task_special_port_t *mpo_proc_check_get_task_special_port; 5927 mpo_proc_check_set_task_special_port_t *mpo_proc_check_set_task_special_port; 5928 5929 mpo_vnode_notify_swap_t *mpo_vnode_notify_swap; 5930 mpo_vnode_notify_unlink_t *mpo_vnode_notify_unlink; 5931 mpo_vnode_check_swap_t *mpo_vnode_check_swap; 5932 mpo_reserved_hook_t *mpo_reserved33; 5933 mpo_reserved_hook_t *mpo_reserved34; 5934 mpo_mount_notify_mount_t *mpo_mount_notify_mount; 5935 mpo_vnode_check_copyfile_t *mpo_vnode_check_copyfile; 5936 5937 mpo_mount_check_quotactl_t *mpo_mount_check_quotactl; 5938 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl; 5939 mpo_mount_check_getattr_t *mpo_mount_check_getattr; 5940 mpo_mount_check_label_update_t *mpo_mount_check_label_update; 5941 mpo_mount_check_mount_t *mpo_mount_check_mount; 5942 mpo_mount_check_remount_t *mpo_mount_check_remount; 5943 mpo_mount_check_setattr_t *mpo_mount_check_setattr; 5944 mpo_mount_check_stat_t *mpo_mount_check_stat; 5945 mpo_mount_check_umount_t *mpo_mount_check_umount; 5946 mpo_mount_label_associate_t *mpo_mount_label_associate; 5947 mpo_mount_label_destroy_t *mpo_mount_label_destroy; 5948 mpo_mount_label_externalize_t *mpo_mount_label_externalize; 5949 mpo_mount_label_init_t *mpo_mount_label_init; 5950 mpo_mount_label_internalize_t *mpo_mount_label_internalize; 5951 5952 mpo_proc_check_expose_task_with_flavor_t *mpo_proc_check_expose_task_with_flavor; 5953 mpo_proc_check_get_task_with_flavor_t *mpo_proc_check_get_task_with_flavor; 5954 mpo_proc_check_task_id_token_get_task_t *mpo_proc_check_task_id_token_get_task; 5955 5956 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; 5957 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; 5958 mpo_reserved_hook_t *mpo_reserved41; 5959 mpo_pipe_check_read_t *mpo_pipe_check_read; 5960 mpo_pipe_check_select_t *mpo_pipe_check_select; 5961 mpo_pipe_check_stat_t *mpo_pipe_check_stat; 5962 mpo_pipe_check_write_t *mpo_pipe_check_write; 5963 mpo_pipe_label_associate_t *mpo_pipe_label_associate; 5964 mpo_reserved_hook_t *mpo_reserved42; 5965 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy; 5966 mpo_reserved_hook_t *mpo_reserved43; 5967 mpo_pipe_label_init_t *mpo_pipe_label_init; 5968 mpo_reserved_hook_t *mpo_reserved44; 5969 mpo_proc_check_syscall_mac_t *mpo_proc_check_syscall_mac; 5970 5971 mpo_policy_destroy_t *mpo_policy_destroy; 5972 mpo_policy_init_t *mpo_policy_init; 5973 mpo_policy_initbsd_t *mpo_policy_initbsd; 5974 mpo_policy_syscall_t *mpo_policy_syscall; 5975 5976 mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname; 5977 mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports; 5978 mpo_vnode_check_rename_t *mpo_vnode_check_rename; 5979 mpo_kext_check_query_t *mpo_kext_check_query; 5980 mpo_proc_notify_exec_complete_t *mpo_proc_notify_exec_complete; 5981 mpo_proc_notify_cs_invalidated_t *mpo_proc_notify_cs_invalidated; 5982 mpo_proc_check_syscall_unix_t *mpo_proc_check_syscall_unix; 5983 mpo_reserved_hook_t *mpo_reserved45; 5984 mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port; 5985 mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port; 5986 mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send; 5987 mpo_exc_action_label_associate_t *mpo_exc_action_label_associate; 5988 mpo_exc_action_label_populate_t *mpo_exc_action_label_populate; 5989 mpo_exc_action_label_destroy_t *mpo_exc_action_label_destroy; 5990 mpo_exc_action_label_init_t *mpo_exc_action_label_init; 5991 mpo_exc_action_label_update_t *mpo_exc_action_label_update; 5992 5993 mpo_vnode_check_trigger_resolve_t *mpo_vnode_check_trigger_resolve; 5994 mpo_mount_check_mount_late_t *mpo_mount_check_mount_late; 5995 mpo_mount_check_snapshot_mount_t *mpo_mount_check_snapshot_mount; 5996 mpo_vnode_notify_reclaim_t *mpo_vnode_notify_reclaim; 5997 mpo_skywalk_flow_check_connect_t *mpo_skywalk_flow_check_connect; 5998 mpo_skywalk_flow_check_listen_t *mpo_skywalk_flow_check_listen; 5999 6000 mpo_posixsem_check_create_t *mpo_posixsem_check_create; 6001 mpo_posixsem_check_open_t *mpo_posixsem_check_open; 6002 mpo_posixsem_check_post_t *mpo_posixsem_check_post; 6003 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink; 6004 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait; 6005 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate; 6006 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy; 6007 mpo_posixsem_label_init_t *mpo_posixsem_label_init; 6008 mpo_posixshm_check_create_t *mpo_posixshm_check_create; 6009 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap; 6010 mpo_posixshm_check_open_t *mpo_posixshm_check_open; 6011 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat; 6012 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate; 6013 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink; 6014 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate; 6015 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy; 6016 mpo_posixshm_label_init_t *mpo_posixshm_label_init; 6017 6018 mpo_proc_check_debug_t *mpo_proc_check_debug; 6019 mpo_proc_check_fork_t *mpo_proc_check_fork; 6020 mpo_reserved_hook_t *mpo_reserved61; 6021 mpo_reserved_hook_t *mpo_reserved62; 6022 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; 6023 mpo_proc_check_getauid_t *mpo_proc_check_getauid; 6024 mpo_reserved_hook_t *mpo_reserved63; 6025 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; 6026 mpo_proc_check_sched_t *mpo_proc_check_sched; 6027 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; 6028 mpo_proc_check_setauid_t *mpo_proc_check_setauid; 6029 mpo_reserved_hook_t *mpo_reserved64; 6030 mpo_proc_check_signal_t *mpo_proc_check_signal; 6031 mpo_proc_check_wait_t *mpo_proc_check_wait; 6032 mpo_proc_check_dump_core_t *mpo_proc_check_dump_core; 6033 mpo_proc_check_remote_thread_create_t *mpo_proc_check_remote_thread_create; 6034 6035 mpo_socket_check_accept_t *mpo_socket_check_accept; 6036 mpo_socket_check_accepted_t *mpo_socket_check_accepted; 6037 mpo_socket_check_bind_t *mpo_socket_check_bind; 6038 mpo_socket_check_connect_t *mpo_socket_check_connect; 6039 mpo_socket_check_create_t *mpo_socket_check_create; 6040 mpo_reserved_hook_t *mpo_reserved46; 6041 mpo_reserved_hook_t *mpo_reserved47; 6042 mpo_reserved_hook_t *mpo_reserved48; 6043 mpo_socket_check_listen_t *mpo_socket_check_listen; 6044 mpo_socket_check_receive_t *mpo_socket_check_receive; 6045 mpo_socket_check_received_t *mpo_socket_check_received; 6046 mpo_reserved_hook_t *mpo_reserved49; 6047 mpo_socket_check_send_t *mpo_socket_check_send; 6048 mpo_socket_check_stat_t *mpo_socket_check_stat; 6049 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt; 6050 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt; 6051 6052 mpo_proc_check_get_movable_control_port_t *mpo_proc_check_get_movable_control_port; 6053 mpo_proc_check_dyld_process_info_notify_register_t *mpo_proc_check_dyld_process_info_notify_register; 6054 mpo_proc_check_setuid_t *mpo_proc_check_setuid; 6055 mpo_proc_check_seteuid_t *mpo_proc_check_seteuid; 6056 mpo_proc_check_setreuid_t *mpo_proc_check_setreuid; 6057 mpo_proc_check_setgid_t *mpo_proc_check_setgid; 6058 mpo_proc_check_setegid_t *mpo_proc_check_setegid; 6059 mpo_proc_check_setregid_t *mpo_proc_check_setregid; 6060 mpo_proc_check_settid_t *mpo_proc_check_settid; 6061 mpo_proc_check_memorystatus_control_t *mpo_proc_check_memorystatus_control; 6062 mpo_reserved_hook_t *mpo_reserved60; 6063 6064 mpo_thread_telemetry_t *mpo_thread_telemetry; 6065 6066 mpo_iokit_check_open_service_t *mpo_iokit_check_open_service; 6067 6068 mpo_system_check_acct_t *mpo_system_check_acct; 6069 mpo_system_check_audit_t *mpo_system_check_audit; 6070 mpo_system_check_auditctl_t *mpo_system_check_auditctl; 6071 mpo_system_check_auditon_t *mpo_system_check_auditon; 6072 mpo_system_check_host_priv_t *mpo_system_check_host_priv; 6073 mpo_system_check_nfsd_t *mpo_system_check_nfsd; 6074 mpo_system_check_reboot_t *mpo_system_check_reboot; 6075 mpo_system_check_settime_t *mpo_system_check_settime; 6076 mpo_system_check_swapoff_t *mpo_system_check_swapoff; 6077 mpo_system_check_swapon_t *mpo_system_check_swapon; 6078 mpo_socket_check_ioctl_t *mpo_socket_check_ioctl; 6079 6080 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate; 6081 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy; 6082 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init; 6083 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle; 6084 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue; 6085 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv; 6086 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid; 6087 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl; 6088 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget; 6089 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv; 6090 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd; 6091 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate; 6092 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy; 6093 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init; 6094 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle; 6095 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl; 6096 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget; 6097 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop; 6098 mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate; 6099 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy; 6100 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init; 6101 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle; 6102 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat; 6103 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl; 6104 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt; 6105 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget; 6106 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate; 6107 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy; 6108 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init; 6109 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle; 6110 6111 mpo_proc_notify_exit_t *mpo_proc_notify_exit; 6112 mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert; 6113 mpo_vnode_check_getattr_t *mpo_vnode_check_getattr; 6114 mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create; 6115 mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete; 6116 mpo_vnode_check_clone_t *mpo_vnode_check_clone; 6117 mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info; 6118 mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info; 6119 6120 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control; 6121 6122 mpo_vnode_check_access_t *mpo_vnode_check_access; 6123 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; 6124 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; 6125 mpo_vnode_check_create_t *mpo_vnode_check_create; 6126 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr; 6127 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata; 6128 mpo_vnode_check_exec_t *mpo_vnode_check_exec; 6129 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist; 6130 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr; 6131 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl; 6132 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter; 6133 mpo_vnode_check_label_update_t *mpo_vnode_check_label_update; 6134 mpo_vnode_check_link_t *mpo_vnode_check_link; 6135 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; 6136 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; 6137 mpo_vnode_check_open_t *mpo_vnode_check_open; 6138 mpo_vnode_check_read_t *mpo_vnode_check_read; 6139 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; 6140 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink; 6141 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from; 6142 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to; 6143 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke; 6144 mpo_vnode_check_select_t *mpo_vnode_check_select; 6145 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist; 6146 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr; 6147 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags; 6148 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode; 6149 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; 6150 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; 6151 mpo_vnode_check_stat_t *mpo_vnode_check_stat; 6152 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; 6153 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink; 6154 mpo_vnode_check_write_t *mpo_vnode_check_write; 6155 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs; 6156 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr; 6157 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file; 6158 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe; 6159 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem; 6160 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm; 6161 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel; 6162 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket; 6163 mpo_vnode_label_copy_t *mpo_vnode_label_copy; 6164 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy; 6165 mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit; 6166 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize; 6167 mpo_vnode_label_init_t *mpo_vnode_label_init; 6168 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize; 6169 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle; 6170 mpo_vnode_label_store_t *mpo_vnode_label_store; 6171 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr; 6172 mpo_vnode_label_update_t *mpo_vnode_label_update; 6173 mpo_vnode_notify_create_t *mpo_vnode_notify_create; 6174 mpo_vnode_check_signature_t *mpo_vnode_check_signature; 6175 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind; 6176 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect; 6177 6178 mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid; 6179 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume; 6180 6181 mpo_thread_userret_t *mpo_thread_userret; 6182 6183 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties; 6184 6185 mpo_vnode_check_supplemental_signature_t *mpo_vnode_check_supplemental_signature; 6186 6187 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs; 6188 6189 mpo_priv_check_t *mpo_priv_check; 6190 mpo_priv_grant_t *mpo_priv_grant; 6191 6192 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon; 6193 6194 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath; 6195 6196 mpo_iokit_check_open_t *mpo_iokit_check_open; 6197 6198 mpo_proc_check_ledger_t *mpo_proc_check_ledger; 6199 6200 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename; 6201 6202 mpo_vnode_check_setacl_t *mpo_vnode_check_setacl; 6203 6204 mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr; 6205 6206 mpo_system_check_kas_info_t *mpo_system_check_kas_info; 6207 6208 mpo_vnode_check_lookup_preflight_t *mpo_vnode_check_lookup_preflight; 6209 6210 mpo_vnode_notify_open_t *mpo_vnode_notify_open; 6211 6212 mpo_system_check_info_t *mpo_system_check_info; 6213 6214 mpo_pty_notify_grant_t *mpo_pty_notify_grant; 6215 mpo_pty_notify_close_t *mpo_pty_notify_close; 6216 6217 mpo_vnode_find_sigs_t *mpo_vnode_find_sigs; 6218 6219 mpo_kext_check_load_t *mpo_kext_check_load; 6220 mpo_kext_check_unload_t *mpo_kext_check_unload; 6221 6222 mpo_proc_check_proc_info_t *mpo_proc_check_proc_info; 6223 mpo_vnode_notify_link_t *mpo_vnode_notify_link; 6224 mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties; 6225 mpo_iokit_check_get_property_t *mpo_iokit_check_get_property; 6226 }; 6227 6228 /** 6229 * @brief MAC policy handle type 6230 * 6231 * The MAC handle is used to uniquely identify a loaded policy within 6232 * the MAC Framework. 6233 * 6234 * A variable of this type is set by mac_policy_register(). 6235 */ 6236 typedef unsigned int mac_policy_handle_t; 6237 6238 #define mpc_t struct mac_policy_conf * 6239 6240 /** 6241 * @brief Mac policy configuration 6242 * 6243 * This structure specifies the configuration information for a 6244 * MAC policy module. A policy module developer must supply 6245 * a short unique policy name, a more descriptive full name, a list of label 6246 * namespaces and count, a pointer to the registered enty point operations, 6247 * any load time flags, and optionally, a pointer to a label slot identifier. 6248 * 6249 * The Framework will update the runtime flags (mpc_runtime_flags) to 6250 * indicate that the module has been registered. 6251 * 6252 * If the label slot identifier (mpc_field_off) is NULL, the Framework 6253 * will not provide label storage for the policy. Otherwise, the 6254 * Framework will store the label location (slot) in this field. 6255 * 6256 * The mpc_list field is used by the Framework and should not be 6257 * modified by policies. 6258 */ 6259 /* XXX - reorder these for better alignment on 64bit platforms */ 6260 struct mac_policy_conf { 6261 const char *mpc_name; /** policy name */ 6262 const char *mpc_fullname; /** full name */ 6263 char const * const *mpc_labelnames; /** managed label namespaces */ 6264 unsigned int mpc_labelname_count; /** number of managed label namespaces */ 6265 const struct mac_policy_ops *mpc_ops; /** operation vector */ 6266 int mpc_loadtime_flags; /** load time flags */ 6267 int *mpc_field_off; /** label slot */ 6268 int mpc_runtime_flags; /** run time flags */ 6269 mpc_t mpc_list; /** List reference */ 6270 void *mpc_data; /** module data */ 6271 }; 6272 6273 /** 6274 * @brief MAC policy module registration routine 6275 * 6276 * This function is called to register a policy with the 6277 * MAC framework. A policy module will typically call this from the 6278 * Darwin KEXT registration routine. 6279 */ 6280 int mac_policy_register(struct mac_policy_conf *mpc, 6281 mac_policy_handle_t *handlep, void *xd); 6282 6283 /** 6284 * @brief MAC policy module de-registration routine 6285 * 6286 * This function is called to de-register a policy with the 6287 * MAC framework. A policy module will typically call this from the 6288 * Darwin KEXT de-registration routine. 6289 */ 6290 int mac_policy_unregister(mac_policy_handle_t handle); 6291 6292 /* 6293 * Framework entry points for the policies to add audit data. 6294 */ 6295 int mac_audit_text(char *text, mac_policy_handle_t handle); 6296 6297 /* 6298 * Calls to assist with use of Apple XATTRs within policy modules. 6299 */ 6300 int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t); 6301 int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t, 6302 size_t *); 6303 int mac_vnop_removexattr(struct vnode *, const char *); 6304 6305 /** 6306 * @brief Set an extended attribute on a vnode-based fileglob. 6307 * @param fg fileglob representing file to attach the extended attribute 6308 * @param name extended attribute name 6309 * @param buf buffer of data to use as the extended attribute value 6310 * @param len size of buffer 6311 * 6312 * Sets the value of an extended attribute on a file. 6313 * 6314 * Caller must hold an iocount on the vnode represented by the fileglob. 6315 */ 6316 #ifdef KERNEL_PRIVATE 6317 int mac_file_setxattr(struct fileglob *fg, const char *name, char *buf, size_t len); 6318 #endif 6319 6320 /** 6321 * @brief Get an extended attribute from a vnode-based fileglob. 6322 * @param fg fileglob representing file to read the extended attribute 6323 * @param name extended attribute name 6324 * @param buf buffer of data to hold the extended attribute value 6325 * @param len size of buffer 6326 * @param attrlen size of full extended attribute value 6327 * 6328 * Gets the value of an extended attribute on a file. 6329 * 6330 * Caller must hold an iocount on the vnode represented by the fileglob. 6331 */ 6332 #ifdef KERNEL_PRIVATE 6333 int mac_file_getxattr(struct fileglob *fg, const char *name, char *buf, size_t len, 6334 size_t *attrlen); 6335 #endif 6336 6337 /** 6338 * @brief Remove an extended attribute from a vnode-based fileglob. 6339 * @param fg fileglob representing file to remove the extended attribute 6340 * @param name extended attribute name 6341 * 6342 * Removes the named extended attribute from the file. 6343 * 6344 * Caller must hold an iocount on the vnode represented by the fileglob. 6345 */ 6346 #ifdef KERNEL_PRIVATE 6347 int mac_file_removexattr(struct fileglob *fg, const char *name); 6348 #endif 6349 6350 /* 6351 * Arbitrary limit on how much data will be logged by the audit 6352 * entry points above. 6353 */ 6354 #define MAC_AUDIT_DATA_LIMIT 1024 6355 6356 /* 6357 * Values returned by mac_audit_{pre,post}select. To combine the responses 6358 * of the security policies into a single decision, 6359 * mac_audit_{pre,post}select() choose the greatest value returned. 6360 */ 6361 #define MAC_AUDIT_DEFAULT 0 /* use system behavior */ 6362 #define MAC_AUDIT_NO 1 /* force not auditing this event */ 6363 #define MAC_AUDIT_YES 2 /* force auditing this event */ 6364 6365 // \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field 6366 6367 /** 6368 * @name Flags for the mpc_loadtime_flags field 6369 * @see mac_policy_conf 6370 * 6371 * This is the complete list of flags that are supported by the 6372 * mpc_loadtime_flags field of the mac_policy_conf structure. These 6373 * flags specify the load time behavior of MAC Framework policy 6374 * modules. 6375 */ 6376 6377 /*@{*/ 6378 6379 /** 6380 * @brief Flag to indicate registration preference 6381 * 6382 * This flag indicates that the policy module must be loaded and 6383 * initialized early in the boot process. If the flag is specified, 6384 * attempts to register the module following boot will be rejected. The 6385 * flag may be used by policies that require pervasive labeling of all 6386 * system objects, and cannot handle objects that have not been 6387 * properly initialized by the policy. 6388 */ 6389 #define MPC_LOADTIME_FLAG_NOTLATE 0x00000001 6390 6391 /** 6392 * @brief Flag to indicate unload preference 6393 * 6394 * This flag indicates that the policy module may be unloaded. If this 6395 * flag is not set, then the policy framework will reject requests to 6396 * unload the module. This flag might be used by modules that allocate 6397 * label state and are unable to free that state at runtime, or for 6398 * modules that simply do not want to permit unload operations. 6399 */ 6400 #define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002 6401 6402 /** 6403 * @brief Unsupported 6404 * 6405 * XXX This flag is not yet supported. 6406 */ 6407 #define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004 6408 6409 /** 6410 * @brief Flag to indicate a base policy 6411 * 6412 * This flag indicates that the policy module is a base policy. Only 6413 * one module can declare itself as base, otherwise the boot process 6414 * will be halted. 6415 */ 6416 #define MPC_LOADTIME_BASE_POLICY 0x00000008 6417 6418 /*@}*/ 6419 6420 /** 6421 * @brief Policy registration flag 6422 * @see mac_policy_conf 6423 * 6424 * This flag indicates that the policy module has been successfully 6425 * registered with the TrustedBSD MAC Framework. The Framework will 6426 * set this flag in the mpc_runtime_flags field of the policy's 6427 * mac_policy_conf structure after registering the policy. 6428 */ 6429 #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 6430 6431 /* 6432 * Depends on POLICY_VER 6433 */ 6434 6435 #ifndef POLICY_VER 6436 #define POLICY_VER 1.0 6437 #endif 6438 6439 #define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \ 6440 static struct mac_policy_conf mpname##_mac_policy_conf = { \ 6441 .mpc_name = #mpname, \ 6442 .mpc_fullname = mpfullname, \ 6443 .mpc_labelnames = lnames, \ 6444 .mpc_labelname_count = lcount, \ 6445 .mpc_ops = mpops, \ 6446 .mpc_loadtime_flags = lflags, \ 6447 .mpc_field_off = slot, \ 6448 .mpc_runtime_flags = rflags \ 6449 }; \ 6450 \ 6451 static kern_return_t \ 6452 kmod_start(kmod_info_t *ki, void *xd) \ 6453 { \ 6454 return mac_policy_register(&mpname##_mac_policy_conf, \ 6455 &handle, xd); \ 6456 } \ 6457 \ 6458 static kern_return_t \ 6459 kmod_stop(kmod_info_t *ki, void *xd) \ 6460 { \ 6461 return mac_policy_unregister(handle); \ 6462 } \ 6463 \ 6464 extern kern_return_t _start(kmod_info_t *ki, void *data); \ 6465 extern kern_return_t _stop(kmod_info_t *ki, void *data); \ 6466 \ 6467 KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \ 6468 kmod_start_func_t *_realmain = kmod_start; \ 6469 kmod_stop_func_t *_antimain = kmod_stop; \ 6470 int _kext_apple_cc = __APPLE_CC__ 6471 6472 /* 6473 * Policy interface to map a struct label pointer to per-policy data. 6474 * Typically, policies wrap this in their own accessor macro that casts an 6475 * intptr_t to a policy-specific data type. 6476 */ 6477 #ifdef KERNEL_PRIVATE 6478 struct label * mac_label_verify(struct label **labelp); 6479 intptr_t mac_label_get(struct label *l, int slot); 6480 /* 6481 * Sets a label slot to the given pointer value, `v`. `v` cannot be `~0ULL`. 6482 */ 6483 void mac_label_set(struct label *l, int slot, intptr_t v); 6484 struct label * mac_labelzone_alloc(int flags); 6485 struct label * mac_labelzone_alloc_for_owner(struct label **labelp, int flags, 6486 void (^extra_setup)(struct label *)); 6487 struct label * mac_labelzone_alloc_owned(struct label **labelp, int flags, 6488 void (^extra_setup)(struct label *)); 6489 void mac_labelzone_free(struct label *l); 6490 void mac_labelzone_free_owned(struct label **labelp, 6491 void (^extra_deinit)(struct label *)); 6492 intptr_t mac_vnode_label_get(struct vnode *vp, int slot, intptr_t sentinel); 6493 void mac_vnode_label_set(struct vnode *vp, int slot, intptr_t v); 6494 #endif 6495 6496 #define mac_get_mpc(h) (mac_policy_list.entries[h].mpc) 6497 6498 /** 6499 * @name Flags for MAC allocator interfaces 6500 * 6501 * These flags are passed to the Darwin kernel allocator routines to 6502 * indicate whether the allocation is permitted to block or not. 6503 * Caution should be taken; some operations are not permitted to sleep, 6504 * and some types of locks cannot be held when sleeping. 6505 */ 6506 6507 /*@{*/ 6508 6509 /** 6510 * @brief Allocation operations may block 6511 * 6512 * If memory is not immediately available, the allocation routine 6513 * will block (typically sleeping) until memory is available. 6514 * 6515 * @warning Inappropriate use of this flag may cause kernel panics. 6516 */ 6517 #define MAC_WAITOK 0 6518 6519 /** 6520 * @brief Allocation operations may not block 6521 * 6522 * Rather than blocking, the allocator may return an error if memory 6523 * is not immediately available. This type of allocation will not 6524 * sleep, preserving locking semantics. 6525 */ 6526 #define MAC_NOWAIT 1 6527 6528 /*@}*/ 6529 6530 #endif /* !_SECURITY_MAC_POLICY_H_ */ 6531