1 /* 2 * Copyright (c) 2007-2016 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28 /*- 29 * Copyright (c) 1999-2002 Robert N. M. Watson 30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 31 * Copyright (c) 2005-2007 SPARTA, Inc. 32 * All rights reserved. 33 * 34 * This software was developed by Robert Watson for the TrustedBSD Project. 35 * 36 * This software was developed for the FreeBSD Project in part by Network 37 * Associates Laboratories, the Security Research Division of Network 38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 39 * as part of the DARPA CHATS research program. 
40 * 41 * This software was enhanced by SPARTA ISSO under SPAWAR contract 42 * N66001-04-C-6019 ("SEFOS"). 43 * 44 * Redistribution and use in source and binary forms, with or without 45 * modification, are permitted provided that the following conditions 46 * are met: 47 * 1. Redistributions of source code must retain the above copyright 48 * notice, this list of conditions and the following disclaimer. 49 * 2. Redistributions in binary form must reproduce the above copyright 50 * notice, this list of conditions and the following disclaimer in the 51 * documentation and/or other materials provided with the distribution. 52 * 53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 63 * SUCH DAMAGE. 64 * 65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $ 66 */ 67 68 /** 69 * @file mac_policy.h 70 * @brief Kernel Interfaces for MAC policy modules 71 * 72 * This header defines the list of operations that are defined by the 73 * TrustedBSD MAC Framework on Darwin. MAC Policy modules register 74 * with the framework to declare interest in a specific set of 75 * operations. If interest in an entry point is not declared, then 76 * the policy will be ignored when the Framework evaluates that entry 77 * point. 
78 */ 79 80 #ifndef _SECURITY_MAC_POLICY_H_ 81 #define _SECURITY_MAC_POLICY_H_ 82 83 #ifndef PRIVATE 84 #warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version" 85 #endif 86 87 #include <security/_label.h> 88 89 struct attrlist; 90 struct auditinfo; 91 struct bpf_d; 92 struct cs_blob; 93 struct devnode; 94 struct exception_action; 95 struct fileglob; 96 struct ifnet; 97 struct inpcb; 98 struct ipq; 99 struct label; 100 struct mac_policy_conf; 101 struct mbuf; 102 struct mount; 103 struct msg; 104 struct msqid_kernel; 105 struct pipe; 106 struct pseminfo; 107 struct pshminfo; 108 struct sbuf; 109 struct semid_kernel; 110 struct shmid_kernel; 111 struct socket; 112 struct sockopt; 113 struct task; 114 struct thread; 115 struct tty; 116 struct ucred; 117 struct vfs_attr; 118 struct vnode; 119 /** @struct dummy */ 120 121 122 /* 123 * proc_ident_t support, see: rdar://problem/58928152 124 * Should be removed once all dependent parties adopt 125 * proc_ident_t. 126 */ 127 #define MAC_PROC_IDENT_SUPPORT 128 129 #ifndef _KAUTH_CRED_T 130 #define _KAUTH_CRED_T 131 typedef struct ucred *kauth_cred_t; 132 #endif /* !_KAUTH_CRED_T */ 133 134 #ifndef __IOKIT_PORTS_DEFINED__ 135 #define __IOKIT_PORTS_DEFINED__ 136 #ifdef __cplusplus 137 class OSObject; 138 typedef OSObject *io_object_t; 139 #else 140 struct OSObject; 141 typedef struct OSObject *io_object_t; 142 #endif 143 #endif /* __IOKIT_PORTS_DEFINED__ */ 144 145 /*- 146 * MAC entry points are generally named using the following template: 147 * 148 * mpo_<object>_<operation>() 149 * 150 * or: 151 * 152 * mpo_<object>_check_<operation>() 153 * 154 * Entry points are sorted by object type. 155 * 156 * It may be desirable also to consider some subsystems as "objects", such 157 * as system, iokit, etc. 
158 */ 159 160 /** 161 * @name Entry Points for Label Management 162 * 163 * These are the entry points corresponding to the life cycle events for 164 * kernel objects, such as initialization, creation, and destruction. 165 * 166 * Most policies (that use labels) will initialize labels by allocating 167 * space for policy-specific data. In most cases, it is permitted to 168 * sleep during label initialization operations; it will be noted when 169 * it is not permitted. 170 * 171 * Initialization usually will not require doing more than allocating a 172 * generic label for the given object. What follows initialization is 173 * creation, where a label is made specific to the object it is associated 174 * with. Destruction occurs when the label is no longer needed, such as 175 * when the corresponding object is destroyed. All necessary cleanup should 176 * be performed in label destroy operations. 177 * 178 * Where possible, the label entry points have identical parameters. If 179 * the policy module does not require structure-specific label 180 * information, the same function may be registered in the policy 181 * operation vector. Many policies will implement two such generic 182 * allocation calls: one to handle sleepable requests, and one to handle 183 * potentially non-sleepable requests. 184 */ 185 186 187 /** 188 * @brief Audit event postselection 189 * @param cred Subject credential 190 * @param syscode Syscall number 191 * @param args Syscall arguments 192 * @param error Syscall errno 193 * @param retval Syscall return value 194 * 195 * This is the MAC Framework audit postselect, which is called before 196 * exiting a syscall to determine if an audit event should be committed. 197 * A return value of MAC_AUDIT_NO forces the audit record to be suppressed. 198 * Any other return value results in the audit record being committed. 199 * 200 * @warning The suppression behavior will probably go away in Apple's 201 * future version of the audit implementation. 
202 * 203 * @return Return MAC_AUDIT_NO to force suppression of the audit record. 204 * Any other value results in the audit record being committed. 205 * 206 */ 207 typedef int mpo_audit_check_postselect_t( 208 kauth_cred_t cred, 209 unsigned short syscode, 210 void *args, 211 int error, 212 int retval 213 ); 214 /** 215 * @brief Audit event preselection 216 * @param cred Subject credential 217 * @param syscode Syscall number 218 * @param args Syscall arguments 219 * 220 * This is the MAC Framework audit preselect, which is called before a 221 * syscall is entered to determine if an audit event should be created. 222 * If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be 223 * returned. A return value of MAC_AUDIT_NO causes the audit record to 224 * be suppressed. Returning MAC_AUDIT_DEFAULT indicates that the policy wants 225 * to defer to the system's existing preselection mechanism. 226 * 227 * When policies return different preferences, the Framework decides what action 228 * to take based on the following policy. If any policy returns MAC_AUDIT_YES, 229 * then create an audit record, else if any policy returns MAC_AUDIT_NO, then 230 * suppress the creation of an audit record, else defer to the system's 231 * existing preselection mechanism. 232 * 233 * @warning The audit implementation in Apple's current version is 234 * incomplete, so the MAC policies have priority over the system's existing 235 * mechanisms. This will probably change in the future version where 236 * the audit implementation is more complete. 237 * 238 * @return Return MAC_AUDIT_YES to force auditing of the syscall, 239 * MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT 240 * to allow auditing mechanisms to determine if the syscall is audited. 
241 * 242 */ 243 typedef int mpo_audit_check_preselect_t( 244 kauth_cred_t cred, 245 unsigned short syscode, 246 void *args 247 ); 248 /** 249 * @brief Indicate desire to change the process label at exec time 250 * @param old Existing subject credential 251 * @param vp File being executed 252 * @param offset Offset of binary within file being executed 253 * @param scriptvp Script being executed by interpreter, if any. 254 * @param vnodelabel Label corresponding to vp 255 * @param scriptvnodelabel Script vnode label 256 * @param execlabel Userspace provided execution label 257 * @param p Object process 258 * @param macpolicyattr MAC policy-specific spawn attribute data 259 * @param macpolicyattrlen Length of policy-specific spawn attribute data 260 * @see mac_execve 261 * @see mpo_cred_label_update_execve_t 262 * @see mpo_vnode_check_exec_t 263 * 264 * Indicate whether this policy intends to update the label of a newly 265 * created credential from the existing subject credential (old). This 266 * call occurs when a process executes the passed vnode. If a policy 267 * returns success from this entry point, the mpo_cred_label_update_execve 268 * entry point will later be called with the same parameters. Access 269 * has already been checked via the mpo_vnode_check_exec entry point, 270 * this entry point is necessary to preserve kernel locking constraints 271 * during program execution. 272 * 273 * The supplied vnode and vnodelabel correspond with the file actually 274 * being executed; in the case that the file is interpreted (for 275 * example, a script), the label of the original exec-time vnode has 276 * been preserved in scriptvnodelabel. 277 * 278 * The final label, execlabel, corresponds to a label supplied by a 279 * user space application through the use of the mac_execve system call. 280 * 281 * The vnode lock is held during this operation. No changes should be 282 * made to the old credential structure. 
283 * 284 * @warning Even if a policy returns 0, it should behave correctly in 285 * the presence of an invocation of mpo_cred_label_update_execve, as that 286 * call may happen as a result of another policy requesting a transition. 287 * 288 * @return Non-zero if a transition is required, 0 otherwise. 289 */ 290 typedef int mpo_cred_check_label_update_execve_t( 291 kauth_cred_t old, 292 struct vnode *vp, 293 off_t offset, 294 struct vnode *scriptvp, 295 struct label *vnodelabel, 296 struct label *scriptvnodelabel, 297 struct label *execlabel, 298 struct proc *p, 299 void *macpolicyattr, 300 size_t macpolicyattrlen 301 ); 302 /** 303 * @brief Access control check for relabelling processes 304 * @param cred Subject credential 305 * @param newlabel New label to apply to the user credential 306 * @see mpo_cred_label_update_t 307 * @see mac_set_proc 308 * 309 * Determine whether the subject identified by the credential can relabel 310 * itself to the supplied new label (newlabel). This access control check 311 * is called when the mac_set_proc system call is invoked. A user space 312 * application will supply a new value, the value will be internalized 313 * and provided in newlabel. 314 * 315 * @return Return 0 if access is granted, otherwise an appropriate value for 316 * errno should be returned. 317 */ 318 typedef int mpo_cred_check_label_update_t( 319 kauth_cred_t cred, 320 struct label *newlabel 321 ); 322 /** 323 * @brief Access control check for visibility of other subjects 324 * @param u1 Subject credential 325 * @param u2 Object credential 326 * 327 * Determine whether the subject identified by the credential u1 can 328 * "see" other subjects with the passed subject credential u2. This call 329 * may be made in a number of situations, including inter-process status 330 * sysctls used by ps, and in procfs lookups. 331 * 332 * @return Return 0 if access is granted, otherwise an appropriate value for 333 * errno should be returned. 
Suggested failure: EACCES for label mismatch, 334 * EPERM for lack of privilege, or ESRCH to hide visibility. 335 */ 336 typedef int mpo_cred_check_visible_t( 337 kauth_cred_t u1, 338 kauth_cred_t u2 339 ); 340 /** 341 * @brief Associate a credential with a new process at fork 342 * @param cred credential to be inherited by new process 343 * @param proc the new process 344 * 345 * Allow a process to associate the credential with a new 346 * process for reference counting purposes. 347 * NOTE: the credential can be dis-associated in ways other 348 * than exit - so this strategy is flawed - should just 349 * catch label destroy callback. 350 */ 351 typedef void mpo_cred_label_associate_fork_t( 352 kauth_cred_t cred, 353 proc_t proc 354 ); 355 /** 356 * @brief Create the first process 357 * @param cred Subject credential to be labeled 358 * 359 * Create the subject credential of process 0, the parent of all BSD 360 * kernel processes. Policies should update the label in the 361 * previously initialized credential structure. 362 */ 363 typedef void mpo_cred_label_associate_kernel_t( 364 kauth_cred_t cred 365 ); 366 /** 367 * @brief Create a credential label 368 * @param parent_cred Parent credential 369 * @param child_cred Child credential 370 * 371 * Set the label of a newly created credential, most likely using the 372 * information in the supplied parent credential. 373 * 374 * @warning This call is made when crcopy or crdup is invoked on a 375 * newly created struct ucred, and should not be confused with a 376 * process fork or creation event. 377 */ 378 typedef void mpo_cred_label_associate_t( 379 kauth_cred_t parent_cred, 380 kauth_cred_t child_cred 381 ); 382 /** 383 * @brief Create the first process 384 * @param cred Subject credential to be labeled 385 * 386 * Create the subject credential of process 1, the parent of all BSD 387 * user processes. Policies should update the label in the previously 388 * initialized credential structure. This is the 'init' process. 
389 */ 390 typedef void mpo_cred_label_associate_user_t( 391 kauth_cred_t cred 392 ); 393 /** 394 * @brief Destroy credential label 395 * @param label The label to be destroyed 396 * 397 * Destroy a user credential label. Since the user credential 398 * is going out of scope, policy modules should free any internal 399 * storage associated with the label so that it may be destroyed. 400 */ 401 typedef void mpo_cred_label_destroy_t( 402 struct label *label 403 ); 404 /** 405 * @brief Externalize a user credential label for auditing 406 * @param label Label to be externalized 407 * @param element_name Name of the label namespace for which labels should be 408 * externalized 409 * @param sb String buffer to be filled with a text representation of the label 410 * 411 * Produce an external representation of the label on a user credential for 412 * inclusion in an audit record. An externalized label consists of a text 413 * representation of the label contents that will be added to the audit record 414 * as part of a text token. Policy-agnostic user space tools will display 415 * this externalized version. 416 * 417 * @return 0 on success, return non-zero if an error occurs while 418 * externalizing the label data. 419 * 420 */ 421 typedef int mpo_cred_label_externalize_audit_t( 422 struct label *label, 423 char *element_name, 424 struct sbuf *sb 425 ); 426 /** 427 * @brief Externalize a user credential label 428 * @param label Label to be externalized 429 * @param element_name Name of the label namespace for which labels should be 430 * externalized 431 * @param sb String buffer to be filled with a text representation of the label 432 * 433 * Produce an external representation of the label on a user 434 * credential. An externalized label consists of a text representation 435 * of the label contents that can be used with user applications. 436 * Policy-agnostic user space tools will display this externalized 437 * version. 
438 * 439 * @return 0 on success, return non-zero if an error occurs while 440 * externalizing the label data. 441 * 442 */ 443 typedef int mpo_cred_label_externalize_t( 444 struct label *label, 445 char *element_name, 446 struct sbuf *sb 447 ); 448 /** 449 * @brief Initialize user credential label 450 * @param label New label to initialize 451 * 452 * Initialize the label for a newly instantiated user credential. 453 * Sleeping is permitted. 454 */ 455 typedef void mpo_cred_label_init_t( 456 struct label *label 457 ); 458 /** 459 * @brief Internalize a user credential label 460 * @param label Label to be internalized 461 * @param element_name Name of the label namespace for which the label should 462 * be internalized 463 * @param element_data Text data to be internalized 464 * 465 * Produce a user credential label from an external representation. An 466 * externalized label consists of a text representation of the label 467 * contents that can be used with user applications. Policy-agnostic 468 * user space tools will forward text version to the kernel for 469 * processing by individual policy modules. 470 * 471 * The policy's internalize entry points will be called only if the 472 * policy has registered interest in the label namespace. 473 * 474 * @return 0 on success, Otherwise, return non-zero if an error occurs 475 * while internalizing the label data. 476 * 477 */ 478 typedef int mpo_cred_label_internalize_t( 479 struct label *label, 480 char *element_name, 481 char *element_data 482 ); 483 /** 484 * @brief Update credential at exec time 485 * @param old_cred Existing subject credential 486 * @param new_cred New subject credential to be labeled 487 * @param p Object process. 488 * @param vp File being executed 489 * @param offset Offset of binary within file being executed 490 * @param scriptvp Script being executed by interpreter, if any. 
491 * @param vnodelabel Label corresponding to vp 492 * @param scriptvnodelabel Script vnode label 493 * @param execlabel Userspace provided execution label 494 * @param csflags Code signing flags to be set after exec 495 * @param macpolicyattr MAC policy-specific spawn attribute data. 496 * @param macpolicyattrlen Length of policy-specific spawn attribute data. 497 * @see mac_execve 498 * @see mpo_cred_check_label_update_execve_t 499 * @see mpo_vnode_check_exec_t 500 * 501 * Update the label of a newly created credential (new) from the 502 * existing subject credential (old). This call occurs when a process 503 * executes the passed vnode and one of the loaded policy modules has 504 * returned success from the mpo_cred_check_label_update_execve entry point. 505 * Access has already been checked via the mpo_vnode_check_exec entry 506 * point, this entry point is only used to update any policy state. 507 * 508 * The supplied vnode and vnodelabel correspond with the file actually 509 * being executed; in the case that the file is interpreted (for 510 * example, a script), the label of the original exec-time vnode has 511 * been preserved in scriptvnodelabel. 512 * 513 * The final label, execlabel, corresponds to a label supplied by a 514 * user space application through the use of the mac_execve system call. 515 * 516 * If non-NULL, the value pointed to by disjointp will be set to 0 to 517 * indicate that the old and new credentials are not disjoint, or 1 to 518 * indicate that they are. 519 * 520 * The vnode lock is held during this operation. No changes should be 521 * made to the old credential structure. 522 * @return 0 on success, Otherwise, return non-zero if update results in 523 * termination of child. 
524 */ 525 typedef int mpo_cred_label_update_execve_t( 526 kauth_cred_t old_cred, 527 kauth_cred_t new_cred, 528 struct proc *p, 529 struct vnode *vp, 530 off_t offset, 531 struct vnode *scriptvp, 532 struct label *vnodelabel, 533 struct label *scriptvnodelabel, 534 struct label *execlabel, 535 u_int *csflags, 536 void *macpolicyattr, 537 size_t macpolicyattrlen, 538 int *disjointp 539 ); 540 /** 541 * @brief Update a credential label 542 * @param cred The existing credential 543 * @param newlabel A new label to apply to the credential 544 * @see mpo_cred_check_label_update_t 545 * @see mac_set_proc 546 * 547 * Update the label on a user credential, using the supplied new label. 548 * This is called as a result of a process relabel operation. Access 549 * control was already confirmed by mpo_cred_check_label_update. 550 */ 551 typedef void mpo_cred_label_update_t( 552 kauth_cred_t cred, 553 struct label *newlabel 554 ); 555 /** 556 * @brief Create a new devfs device 557 * @param dev Major and minor numbers of special file 558 * @param de "inode" of new device file 559 * @param label Destination label 560 * @param fullpath Path relative to mount (e.g. /dev) of new device file 561 * 562 * This entry point labels a new devfs device. The label will likely be based 563 * on the path to the device, or the major and minor numbers. 564 * The policy should store an appropriate label into 'label'. 565 */ 566 typedef void mpo_devfs_label_associate_device_t( 567 dev_t dev, 568 struct devnode *de, 569 struct label *label, 570 const char *fullpath 571 ); 572 /** 573 * @brief Create a new devfs directory 574 * @param dirname Name of new directory 575 * @param dirnamelen Length of 'dirname' 576 * @param de "inode" of new directory 577 * @param label Destination label 578 * @param fullpath Path relative to mount (e.g. /dev) of new directory 579 * 580 * This entry point labels a new devfs directory. The label will likely be 581 * based on the path of the new directory. 
The policy should store an appropriate 582 * label into 'label'. The devfs root directory is labelled in this way. 583 */ 584 typedef void mpo_devfs_label_associate_directory_t( 585 const char *dirname, 586 int dirnamelen, 587 struct devnode *de, 588 struct label *label, 589 const char *fullpath 590 ); 591 /** 592 * @brief Copy a devfs label 593 * @param src Source devfs label 594 * @param dest Destination devfs label 595 * 596 * Copy the label information from src to dest. The devfs file system 597 * often duplicates (splits) existing device nodes rather than creating 598 * new ones. 599 */ 600 typedef void mpo_devfs_label_copy_t( 601 struct label *src, 602 struct label *dest 603 ); 604 /** 605 * @brief Destroy devfs label 606 * @param label The label to be destroyed 607 * 608 * Destroy a devfs entry label. Since the object is going out 609 * of scope, policy modules should free any internal storage associated 610 * with the label so that it may be destroyed. 611 */ 612 typedef void mpo_devfs_label_destroy_t( 613 struct label *label 614 ); 615 /** 616 * @brief Initialize devfs label 617 * @param label New label to initialize 618 * 619 * Initialize the label for a newly instantiated devfs entry. Sleeping 620 * is permitted. 621 */ 622 typedef void mpo_devfs_label_init_t( 623 struct label *label 624 ); 625 /** 626 * @brief Update a devfs label after relabelling its vnode 627 * @param mp Devfs mount point 628 * @param de Affected devfs directory entry 629 * @param delabel Label of devfs directory entry 630 * @param vp Vnode associated with de 631 * @param vnodelabel New label of vnode 632 * 633 * Update a devfs label when its vnode is manually relabelled, 634 * for example with setfmac(1). Typically, this will simply copy 635 * the vnode label into the devfs label. 
636 */ 637 typedef void mpo_devfs_label_update_t( 638 struct mount *mp, 639 struct devnode *de, 640 struct label *delabel, 641 struct vnode *vp, 642 struct label *vnodelabel 643 ); 644 /** 645 * @brief Access control for sending an exception to an exception action 646 * @param crashlabel The crashing process's label 647 * @param action Exception action 648 * @param exclabel Policy label for exception action 649 * 650 * Determine whether the exception message caused by the victim 651 * process can be sent to the exception action. The policy may compare 652 * credentials in the crashlabel, which are derived from the process at 653 * the time the exception occurs, with the credentials in the exclabel, 654 * which was set at the time the exception port was set, to determine 655 * its decision. Note that any process from which the policy derived 656 * any credentials may not exist anymore at the time of this policy 657 * operation. Sleeping is permitted. 658 * 659 * @return Return 0 if the message can be sent, otherwise an 660 * appropriate value for errno should be returned. 661 */ 662 typedef int mpo_exc_action_check_exception_send_t( 663 struct label *crashlabel, 664 struct exception_action *action, 665 struct label *exclabel 666 ); 667 /** 668 * @brief Associate an exception action label 669 * @param action Exception action to label 670 * @param exclabel Policy label to be filled in for exception action 671 * 672 * Set the label on an exception action. 673 */ 674 typedef void mpo_exc_action_label_associate_t( 675 struct exception_action *action, 676 struct label *exclabel 677 ); 678 /** 679 * @brief Destroy exception action label 680 * @param label The label to be destroyed 681 * 682 * Destroy the label on an exception action. Since the object is going 683 * out of scope, policy modules should free any internal storage 684 * associated with the label so that it may be destroyed. Sleeping is 685 * permitted. 
686 */ 687 typedef void mpo_exc_action_label_destroy_t( 688 struct label *label 689 ); 690 /** 691 * @brief Populate an exception action label with process credentials 692 * @param label The label to be populated 693 * @param proc Process to derive credentials from 694 * 695 * Populate a label with credentials derived from a process. At 696 * exception delivery time, the policy should compare credentials of the 697 * process that set an exception ports with the credentials of the 698 * process or corpse that experienced the exception. Note that the 699 * process that set the port may not exist at that time anymore, so 700 * labels should carry copies of live credentials if necessary. 701 */ 702 typedef void mpo_exc_action_label_populate_t( 703 struct label *label, 704 struct proc *proc 705 ); 706 /** 707 * @brief Initialize exception action label 708 * @param label New label to initialize 709 * 710 * Initialize a label for an exception action. Usually performs 711 * policy specific allocations. Sleeping is permitted. 712 */ 713 typedef int mpo_exc_action_label_init_t( 714 struct label *label 715 ); 716 /** 717 * @brief Update the label on an exception action 718 * @param action Exception action that the label belongs to (may be 719 * NULL if none) 720 * @param label Policy label to update 721 * @param newlabel New label for update 722 * 723 * Update the credentials of an exception action from the given 724 * label. The policy should copy over any credentials (process and 725 * otherwise) from the new label into the label to update. Must not 726 * sleep, must be quick and can be called with locks held. 
727 */ 728 typedef int mpo_exc_action_label_update_t( 729 struct exception_action *action, 730 struct label *label, 731 struct label *newlabel 732 ); 733 /** 734 * @brief Access control for changing the offset of a file descriptor 735 * @param cred Subject credential 736 * @param fg Fileglob structure 737 * @param label Policy label for fg 738 * 739 * Determine whether the subject identified by the credential can 740 * change the offset of the file represented by fg. 741 * 742 * @return Return 0 if access is granted, otherwise an appropriate 743 * value for errno should be returned. 744 */ 745 typedef int mpo_file_check_change_offset_t( 746 kauth_cred_t cred, 747 struct fileglob *fg, 748 struct label *label 749 ); 750 /** 751 * @brief Access control for creating a file descriptor 752 * @param cred Subject credential 753 * 754 * Determine whether the subject identified by the credential can 755 * allocate a new file descriptor. 756 * 757 * @return Return 0 if access is granted, otherwise an appropriate 758 * value for errno should be returned. 759 */ 760 typedef int mpo_file_check_create_t( 761 kauth_cred_t cred 762 ); 763 /** 764 * @brief Access control for duplicating a file descriptor 765 * @param cred Subject credential 766 * @param fg Fileglob structure 767 * @param label Policy label for fg 768 * @param newfd New file descriptor number 769 * 770 * Determine whether the subject identified by the credential can 771 * duplicate the fileglob structure represented by fg as file 772 * descriptor number newfd. 773 * 774 * @return Return 0 if access is granted, otherwise an appropriate 775 * value for errno should be returned. 
776 */ 777 typedef int mpo_file_check_dup_t( 778 kauth_cred_t cred, 779 struct fileglob *fg, 780 struct label *label, 781 int newfd 782 ); 783 /** 784 * @brief Access control check for fcntl 785 * @param cred Subject credential 786 * @param fg Fileglob structure 787 * @param label Policy label for fg 788 * @param cmd Control operation to be performed; see fcntl(2) 789 * @param arg fcntl argument; see fcntl(2) 790 * 791 * Determine whether the subject identified by the credential can perform 792 * the file control operation indicated by cmd. 793 * 794 * @return Return 0 if access is granted, otherwise an appropriate value for 795 * errno should be returned. 796 */ 797 typedef int mpo_file_check_fcntl_t( 798 kauth_cred_t cred, 799 struct fileglob *fg, 800 struct label *label, 801 int cmd, 802 user_long_t arg 803 ); 804 /** 805 * @brief Access control check for mac_get_fd 806 * @param cred Subject credential 807 * @param fg Fileglob structure 808 * @param elements Element buffer 809 * @param len Length of buffer 810 * 811 * Determine whether the subject identified by the credential should be allowed 812 * to get an externalized version of the label on the object indicated by fd. 813 * 814 * @return Return 0 if access is granted, otherwise an appropriate value for 815 * errno should be returned. 816 */ 817 typedef int mpo_file_check_get_t( 818 kauth_cred_t cred, 819 struct fileglob *fg, 820 char *elements, 821 size_t len 822 ); 823 /** 824 * @brief Access control for getting the offset of a file descriptor 825 * @param cred Subject credential 826 * @param fg Fileglob structure 827 * @param label Policy label for fg 828 * 829 * Determine whether the subject identified by the credential can 830 * get the offset of the file represented by fg. 831 * 832 * @return Return 0 if access is granted, otherwise an appropriate 833 * value for errno should be returned. 
834 */ 835 typedef int mpo_file_check_get_offset_t( 836 kauth_cred_t cred, 837 struct fileglob *fg, 838 struct label *label 839 ); 840 /** 841 * @brief Access control for inheriting a file descriptor 842 * @param cred Subject credential 843 * @param fg Fileglob structure 844 * @param label Policy label for fg 845 * 846 * Determine whether the subject identified by the credential can 847 * inherit the fileglob structure represented by fg. 848 * 849 * @return Return 0 if access if granted, otherwise an appropriate 850 * value for errno should be returned. 851 */ 852 typedef int mpo_file_check_inherit_t( 853 kauth_cred_t cred, 854 struct fileglob *fg, 855 struct label *label 856 ); 857 /** 858 * @brief Access control check for file ioctl 859 * @param cred Subject credential 860 * @param fg Fileglob structure 861 * @param label Policy label for fg 862 * @param cmd The ioctl command; see ioctl(2) 863 * 864 * Determine whether the subject identified by the credential can perform 865 * the ioctl operation indicated by cmd. 866 * 867 * @warning Since ioctl data is opaque from the standpoint of the MAC 868 * framework, policies must exercise extreme care when implementing 869 * access control checks. 870 * 871 * @return Return 0 if access is granted, otherwise an appropriate value for 872 * errno should be returned. 873 * 874 */ 875 typedef int mpo_file_check_ioctl_t( 876 kauth_cred_t cred, 877 struct fileglob *fg, 878 struct label *label, 879 unsigned long cmd 880 ); 881 /** 882 * @brief Access control check for file locking 883 * @param cred Subject credential 884 * @param fg Fileglob structure 885 * @param label Policy label for fg 886 * @param op The lock operation (F_GETLK, F_SETLK, F_UNLK) 887 * @param fl The flock structure 888 * 889 * Determine whether the subject identified by the credential can perform 890 * the lock operation indicated by op and fl on the file represented by fg. 
891 * 892 * @return Return 0 if access is granted, otherwise an appropriate value for 893 * errno should be returned. 894 * 895 */ 896 typedef int mpo_file_check_lock_t( 897 kauth_cred_t cred, 898 struct fileglob *fg, 899 struct label *label, 900 int op, 901 struct flock *fl 902 ); 903 /** 904 * @brief Check with library validation if a Mach-O slice is allowed to be combined into a proc. 905 * @param p Subject process 906 * @param fg Fileglob structure 907 * @param slice_offset offset of the code slice 908 * @param error_message error message returned to user-space in case of error (userspace pointer) 909 * @param error_message_size error message size 910 * 911 * It's a little odd that the MAC/kext writes into userspace since this 912 * implies there is only one MAC module that implements this, however 913 * the alternative is to allocate memory in xnu, in the hope that 914 * the MAC module will use it, or allocate in the MAC module and then 915 * free it in xnu. Neither of these is very appealing, so let's go with 916 * the slightly more hacky way. 917 * 918 * @return Return 0 if access is granted, otherwise an appropriate value for 919 * errno should be returned. 920 */ 921 typedef int mpo_file_check_library_validation_t( 922 struct proc *p, 923 struct fileglob *fg, 924 off_t slice_offset, 925 user_long_t error_message, 926 size_t error_message_size 927 ); 928 /** 929 * @brief Access control check for mapping a file 930 * @param cred Subject credential 931 * @param fg fileglob representing file to map 932 * @param label Policy label associated with vp 933 * @param prot mmap protections; see mmap(2) 934 * @param flags Type of mapped object; see mmap(2) 935 * @param maxprot Maximum rights 936 * 937 * Determine whether the subject identified by the credential should be 938 * allowed to map the file represented by fg with the protections specified 939 * in prot. 
The maxprot field holds the maximum permissions on the new 940 * mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. 941 * To avoid overriding prior access control checks, a policy should only 942 * remove flags from maxprot. 943 * 944 * @return Return 0 if access is granted, otherwise an appropriate value for 945 * errno should be returned. Suggested failure: EACCES for label mismatch or 946 * EPERM for lack of privilege. 947 */ 948 typedef int mpo_file_check_mmap_t( 949 kauth_cred_t cred, 950 struct fileglob *fg, 951 struct label *label, 952 int prot, 953 int flags, 954 uint64_t file_pos, 955 int *maxprot 956 ); 957 /** 958 * @brief Downgrade the mmap protections 959 * @param cred Subject credential 960 * @param fg file to map 961 * @param label Policy label associated with vp 962 * @param prot mmap protections to be downgraded 963 * 964 * Downgrade the mmap protections based on the subject and object labels. 965 */ 966 typedef void mpo_file_check_mmap_downgrade_t( 967 kauth_cred_t cred, 968 struct fileglob *fg, 969 struct label *label, 970 int *prot 971 ); 972 /** 973 * @brief Access control for receiving a file descriptor 974 * @param cred Subject credential 975 * @param fg Fileglob structure 976 * @param label Policy label for fg 977 * 978 * Determine whether the subject identified by the credential can 979 * receive the fileglob structure represented by fg. 980 * 981 * @return Return 0 if access if granted, otherwise an appropriate 982 * value for errno should be returned. 983 */ 984 typedef int mpo_file_check_receive_t( 985 kauth_cred_t cred, 986 struct fileglob *fg, 987 struct label *label 988 ); 989 /** 990 * @brief Access control check for mac_set_fd 991 * @param cred Subject credential 992 * @param fg Fileglob structure 993 * @param elements Elements buffer 994 * @param len Length of elements buffer 995 * 996 * Determine whether the subject identified by the credential can 997 * perform the mac_set_fd operation. 
The mac_set_fd operation is used 998 * to associate a MAC label with a file. 999 * 1000 * @return Return 0 if access is granted, otherwise an appropriate value for 1001 * errno should be returned. 1002 */ 1003 typedef int mpo_file_check_set_t( 1004 kauth_cred_t cred, 1005 struct fileglob *fg, 1006 char *elements, 1007 size_t len 1008 ); 1009 /** 1010 * @brief Inform MAC policies that file is being closed 1011 * @param cred Subject credential 1012 * @param fg Fileglob structure 1013 * @param label Policy label for fg 1014 * @param modified Boolean; 1 if file was modified, 0 otherwise 1015 * 1016 * Called when an open file is being closed, as a result of a call to 1017 * close(2), the process exiting, or exec(2) w/O_CLOEXEC set. 1018 */ 1019 typedef void mpo_file_notify_close_t( 1020 kauth_cred_t cred, 1021 struct fileglob *fg, 1022 struct label *label, 1023 int modified 1024 ); 1025 /** 1026 * @brief Create file label 1027 * @param cred Subject credential 1028 * @param fg Fileglob structure 1029 * @param label Policy label for fg 1030 */ 1031 typedef void mpo_file_label_associate_t( 1032 kauth_cred_t cred, 1033 struct fileglob *fg, 1034 struct label *label 1035 ); 1036 /** 1037 * @brief Destroy file label 1038 * @param label The label to be destroyed 1039 * 1040 * Destroy the label on a file descriptor. In this entry point, a 1041 * policy module should free any internal storage associated with 1042 * label so that it may be destroyed. 
1043 */ 1044 typedef void mpo_file_label_destroy_t( 1045 struct label *label 1046 ); 1047 /** 1048 * @brief Initialize file label 1049 * @param label New label to initialize 1050 */ 1051 typedef void mpo_file_label_init_t( 1052 struct label *label 1053 ); 1054 /** 1055 * @brief Access control check for opening an I/O Kit device 1056 * @param cred Subject credential 1057 * @param user_client User client instance 1058 * @param user_client_type User client type 1059 * 1060 * Determine whether the subject identified by the credential can open an 1061 * I/O Kit device at the passed path of the passed user client class and 1062 * type. This check is performed after instantiating the user client. 1063 * See also mpo_iokit_check_open_service_t. 1064 * 1065 * @return Return 0 if access is granted, or an appropriate value for 1066 * errno should be returned. 1067 */ 1068 typedef int mpo_iokit_check_open_t( 1069 kauth_cred_t cred, 1070 io_object_t user_client, 1071 unsigned int user_client_type 1072 ); 1073 /** 1074 * @brief Access control check for opening an I/O Kit device 1075 * @param cred Subject credential 1076 * @param service Service instance 1077 * @param user_client_type User client type 1078 * 1079 * Determine whether the subject identified by the credential can open a 1080 * I/O Kit user client of the passed service and user client type. 1081 * This check is performed before instantiating the user client. See also 1082 * mpo_iokit_check_open_t. 1083 * 1084 * @return Return 0 if access is granted, or an appropriate value for 1085 * errno should be returned. 
1086 */ 1087 typedef int mpo_iokit_check_open_service_t( 1088 kauth_cred_t cred, 1089 io_object_t service, 1090 unsigned int user_client_type 1091 ); 1092 /** 1093 * @brief Access control check for setting I/O Kit device properties 1094 * @param cred Subject credential 1095 * @param entry Target device 1096 * @param properties Property list 1097 * 1098 * Determine whether the subject identified by the credential can set 1099 * properties on an I/O Kit device. 1100 * 1101 * @return Return 0 if access is granted, or an appropriate value for 1102 * errno should be returned. 1103 */ 1104 typedef int mpo_iokit_check_set_properties_t( 1105 kauth_cred_t cred, 1106 io_object_t entry, 1107 io_object_t properties 1108 ); 1109 /** 1110 * @brief Indicate desire to filter I/O Kit devices properties 1111 * @param cred Subject credential 1112 * @param entry Target device 1113 * @see mpo_iokit_check_get_property_t 1114 * 1115 * Indicate whether this policy may restrict the subject credential 1116 * from reading properties of the target device. 1117 * If a policy returns success from this entry point, the 1118 * mpo_iokit_check_get_property entry point will later be called 1119 * for each property that the subject credential tries to read from 1120 * the target device. 1121 * 1122 * This entry point is primarilly to optimize bulk property reads 1123 * by skipping calls to the mpo_iokit_check_get_property entry point 1124 * for credentials / devices no MAC policy is interested in. 1125 * 1126 * @warning Even if a policy returns 0, it should behave correctly in 1127 * the presence of an invocation of mpo_iokit_check_get_property, as that 1128 * call may happen as a result of another policy requesting a transition. 1129 * 1130 * @return Non-zero if a transition is required, 0 otherwise. 
1131 */ 1132 typedef int mpo_iokit_check_filter_properties_t( 1133 kauth_cred_t cred, 1134 io_object_t entry 1135 ); 1136 /** 1137 * @brief Access control check for getting I/O Kit device properties 1138 * @param cred Subject credential 1139 * @param entry Target device 1140 * @param name Property name 1141 * 1142 * Determine whether the subject identified by the credential can get 1143 * properties on an I/O Kit device. 1144 * 1145 * @return Return 0 if access is granted, or an appropriate value for 1146 * errno. 1147 */ 1148 typedef int mpo_iokit_check_get_property_t( 1149 kauth_cred_t cred, 1150 io_object_t entry, 1151 const char *name 1152 ); 1153 /** 1154 * @brief Access control check for software HID control 1155 * @param cred Subject credential 1156 * 1157 * Determine whether the subject identified by the credential can 1158 * control the HID (Human Interface Device) subsystem, such as to 1159 * post synthetic keypresses, pointer movement and clicks. 1160 * 1161 * @return Return 0 if access is granted, or an appropriate value for 1162 * errno. 1163 */ 1164 typedef int mpo_iokit_check_hid_control_t( 1165 kauth_cred_t cred 1166 ); 1167 /** 1168 * @brief Access control check for fsctl 1169 * @param cred Subject credential 1170 * @param mp The mount point 1171 * @param label Label associated with the mount point 1172 * @param cmd Filesystem-dependent request code; see fsctl(2) 1173 * 1174 * Determine whether the subject identified by the credential can perform 1175 * the volume operation indicated by com. 1176 * 1177 * @warning The fsctl() system call is directly analogous to ioctl(); since 1178 * the associated data is opaque from the standpoint of the MAC framework 1179 * and since these operations can affect many aspects of system operation, 1180 * policies must exercise extreme care when implementing access control checks. 1181 * 1182 * @return Return 0 if access is granted, otherwise an appropriate value for 1183 * errno should be returned. 
1184 */ 1185 typedef int mpo_mount_check_fsctl_t( 1186 kauth_cred_t cred, 1187 struct mount *mp, 1188 struct label *label, 1189 unsigned long cmd 1190 ); 1191 /** 1192 * @brief Access control check for the retrieval of file system attributes 1193 * @param cred Subject credential 1194 * @param mp The mount structure of the file system 1195 * @param vfa The attributes requested 1196 * 1197 * This entry point determines whether given subject can get information 1198 * about the given file system. This check happens during statfs() syscalls, 1199 * but is also used by other parts within the kernel such as the audit system. 1200 * 1201 * @return Return 0 if access is granted, otherwise an appropriate value for 1202 * errno should be returned. 1203 * 1204 * @note Policies may change the contents of vfa to alter the list of 1205 * file system attributes returned. 1206 */ 1207 1208 typedef int mpo_mount_check_getattr_t( 1209 kauth_cred_t cred, 1210 struct mount *mp, 1211 struct label *mp_label, 1212 struct vfs_attr *vfa 1213 ); 1214 /** 1215 * @brief Access control check for mount point relabeling 1216 * @param cred Subject credential 1217 * @param mp Object file system mount point 1218 * @param mntlabel Policy label for fle system mount point 1219 * 1220 * Determine whether the subject identified by the credential can relabel 1221 * the mount point. This call is made when a file system mount is updated. 1222 * 1223 * @return Return 0 if access is granted, otherwise an appropriate value for 1224 * errno should be returned. Suggested failure: EACCES for label mismatch 1225 * or EPERM for lack of privilege. 
1226 */ 1227 typedef int mpo_mount_check_label_update_t( 1228 kauth_cred_t cred, 1229 struct mount *mp, 1230 struct label *mntlabel 1231 ); 1232 /** 1233 * @brief Access control check for mounting a file system 1234 * @param cred Subject credential 1235 * @param vp Vnode that is to be the mount point 1236 * @param vlabel Label associated with the vnode 1237 * @param cnp Component name for vp 1238 * @param vfc_name Filesystem type name 1239 * 1240 * Determine whether the subject identified by the credential can perform 1241 * the mount operation on the target vnode. 1242 * 1243 * @return Return 0 if access is granted, otherwise an appropriate value for 1244 * errno should be returned. 1245 */ 1246 typedef int mpo_mount_check_mount_t( 1247 kauth_cred_t cred, 1248 struct vnode *vp, 1249 struct label *vlabel, 1250 struct componentname *cnp, 1251 const char *vfc_name 1252 ); 1253 /** 1254 * @brief Access control check for mounting a file system (late) 1255 * @param cred Subject credential 1256 * @param mp Mount point 1257 * 1258 * Similar to mpo_mount_check_mount, but occurs after VFS_MOUNT has been 1259 * called, making it possible to access mnt_vfsstat.f_mntfromname and other 1260 * fields. 1261 * 1262 * @return Return 0 if access is granted, otherwise an appropriate value for 1263 * errno should be returned. 1264 */ 1265 typedef int mpo_mount_check_mount_late_t( 1266 kauth_cred_t cred, 1267 struct mount *mp 1268 ); 1269 1270 /** 1271 * @brief Access control check for quotactl 1272 * @param cred Subject credential 1273 * @param cmd The quotactl command and subcommand; see quotactl(2) 1274 * @param id The user or group ID on which cmd will operate 1275 * 1276 * Determine whether the subject identified by the credential can perform 1277 * the quotactl operation indicated by cmd. 1278 * 1279 * @return Return 0 if access is granted, otherwise an appropriate value for 1280 * errno should be returned. 
1281 */ 1282 typedef int mpo_mount_check_quotactl_t( 1283 kauth_cred_t cred, 1284 struct mount *mp, 1285 int cmd, 1286 int id 1287 ); 1288 /** 1289 * @brief Access control check for fs_snapshot_create 1290 * @param cred Subject credential 1291 * @mp Filesystem mount point to create snapshot of 1292 * @name Name of snapshot to create 1293 * 1294 * Determine whether the subject identified by the credential can 1295 * create a snapshot of the filesystem at the given mount point. 1296 * 1297 * @return Return 0 if access is granted, otherwise an appropriate value 1298 * for errno should be returned. 1299 */ 1300 typedef int mpo_mount_check_snapshot_create_t( 1301 kauth_cred_t cred, 1302 struct mount *mp, 1303 const char *name 1304 ); 1305 /** 1306 * @brief Access control check for fs_snapshot_delete 1307 * @param cred Subject credential 1308 * @mp Filesystem mount point to delete snapshot of 1309 * @name Name of snapshot to delete 1310 * 1311 * Determine whether the subject identified by the credential can 1312 * delete the named snapshot from the filesystem at the given 1313 * mount point. 1314 * 1315 * @return Return 0 if access is granted, otherwise an appropriate value 1316 * for errno should be returned. 1317 */ 1318 typedef int mpo_mount_check_snapshot_delete_t( 1319 kauth_cred_t cred, 1320 struct mount *mp, 1321 const char *name 1322 ); 1323 /** 1324 * @brief Access control check for fs_snapshot_mount 1325 * @param cred Subject credential 1326 * @param rvp Vnode of either the root directory of the 1327 * filesystem to mount snapshot of, or the device from 1328 * which to mount the snapshot. 1329 * @param vp Vnode that is to be the mount point 1330 * @param cnp Component name for vp 1331 * @param name Name of snapshot to mount 1332 * @param vfc_name Filesystem type name 1333 * 1334 * Determine whether the subject identified by the credential can 1335 * mount the named snapshot from the filesystem at the given 1336 * directory. 
1337 * 1338 * @return Return 0 if access is granted, otherwise an appropriate value 1339 * for errno should be returned. 1340 */ 1341 typedef int mpo_mount_check_snapshot_mount_t( 1342 kauth_cred_t cred, 1343 struct vnode *rvp, 1344 struct vnode *vp, 1345 struct componentname *cnp, 1346 const char *name, 1347 const char *vfc_name 1348 ); 1349 /** 1350 * @brief Access control check for fs_snapshot_revert 1351 * @param cred Subject credential 1352 * @mp Filesystem mount point to revert to snapshot 1353 * @name Name of snapshot to revert to 1354 * 1355 * Determine whether the subject identified by the credential can 1356 * revert the filesystem at the given mount point to the named snapshot. 1357 * 1358 * @return Return 0 if access is granted, otherwise an appropriate value 1359 * for errno should be returned. 1360 */ 1361 typedef int mpo_mount_check_snapshot_revert_t( 1362 kauth_cred_t cred, 1363 struct mount *mp, 1364 const char *name 1365 ); 1366 /** 1367 * @brief Access control check remounting a filesystem 1368 * @param cred Subject credential 1369 * @param mp The mount point 1370 * @param mlabel Label currently associated with the mount point 1371 * 1372 * Determine whether the subject identified by the credential can perform 1373 * the remount operation on the target vnode. 1374 * 1375 * @return Return 0 if access is granted, otherwise an appropriate value for 1376 * errno should be returned. 1377 */ 1378 typedef int mpo_mount_check_remount_t( 1379 kauth_cred_t cred, 1380 struct mount *mp, 1381 struct label *mlabel 1382 ); 1383 /** 1384 * @brief Access control check for the settting of file system attributes 1385 * @param cred Subject credential 1386 * @param mp The mount structure of the file system 1387 * @param vfa The attributes requested 1388 * 1389 * This entry point determines whether given subject can set information 1390 * about the given file system, for example the volume name. 
1391 * 1392 * @return Return 0 if access is granted, otherwise an appropriate value for 1393 * errno should be returned. 1394 */ 1395 1396 typedef int mpo_mount_check_setattr_t( 1397 kauth_cred_t cred, 1398 struct mount *mp, 1399 struct label *mp_label, 1400 struct vfs_attr *vfa 1401 ); 1402 /** 1403 * @brief Access control check for file system statistics 1404 * @param cred Subject credential 1405 * @param mp Object file system mount 1406 * @param mntlabel Policy label for mp 1407 * 1408 * Determine whether the subject identified by the credential can see 1409 * the results of a statfs performed on the file system. This call may 1410 * be made in a number of situations, including during invocations of 1411 * statfs(2) and related calls, as well as to determine what file systems 1412 * to exclude from listings of file systems, such as when getfsstat(2) 1413 * is invoked. 1414 * 1415 * @return Return 0 if access is granted, otherwise an appropriate value for 1416 * errno should be returned. Suggested failure: EACCES for label mismatch 1417 * or EPERM for lack of privilege. 1418 */ 1419 typedef int mpo_mount_check_stat_t( 1420 kauth_cred_t cred, 1421 struct mount *mp, 1422 struct label *mntlabel 1423 ); 1424 /** 1425 * @brief Access control check for unmounting a filesystem 1426 * @param cred Subject credential 1427 * @param mp The mount point 1428 * @param mlabel Label associated with the mount point 1429 * 1430 * Determine whether the subject identified by the credential can perform 1431 * the unmount operation on the target vnode. 1432 * 1433 * @return Return 0 if access is granted, otherwise an appropriate value for 1434 * errno should be returned. 
1435 */ 1436 typedef int mpo_mount_check_umount_t( 1437 kauth_cred_t cred, 1438 struct mount *mp, 1439 struct label *mlabel 1440 ); 1441 /** 1442 * @brief Create mount labels 1443 * @param cred Subject credential 1444 * @param mp Mount point of file system being mounted 1445 * @param mntlabel Label to associate with the new mount point 1446 * @see mpo_mount_label_init_t 1447 * 1448 * Fill out the labels on the mount point being created by the supplied 1449 * user credential. This call is made when file systems are first mounted. 1450 */ 1451 typedef void mpo_mount_label_associate_t( 1452 kauth_cred_t cred, 1453 struct mount *mp, 1454 struct label *mntlabel 1455 ); 1456 /** 1457 * @brief Destroy mount label 1458 * @param label The label to be destroyed 1459 * 1460 * Destroy a file system mount label. Since the 1461 * object is going out of scope, policy modules should free any 1462 * internal storage associated with the label so that it may be 1463 * destroyed. 1464 */ 1465 typedef void mpo_mount_label_destroy_t( 1466 struct label *label 1467 ); 1468 /** 1469 * @brief Externalize a mount point label 1470 * @param label Label to be externalized 1471 * @param element_name Name of the label namespace for which labels should be 1472 * externalized 1473 * @param sb String buffer to be filled with a text representation of the label 1474 * 1475 * Produce an external representation of the mount point label. An 1476 * externalized label consists of a text representation of the label 1477 * contents that can be used with user applications. Policy-agnostic 1478 * user space tools will display this externalized version. 1479 * 1480 * The policy's externalize entry points will be called only if the 1481 * policy has registered interest in the label namespace. 1482 * 1483 * @return 0 on success, return non-zero if an error occurs while 1484 * externalizing the label data. 
1485 * 1486 */ 1487 typedef int mpo_mount_label_externalize_t( 1488 struct label *label, 1489 char *element_name, 1490 struct sbuf *sb 1491 ); 1492 /** 1493 * @brief Initialize mount point label 1494 * @param label New label to initialize 1495 * 1496 * Initialize the label for a newly instantiated mount structure. 1497 * This label is typically used to store a default label in the case 1498 * that the file system has been mounted singlelabel. Since some 1499 * file systems do not support persistent labels (extended attributes) 1500 * or are read-only (such as CD-ROMs), it is often necessary to store 1501 * a default label separately from the label of the mount point 1502 * itself. Sleeping is permitted. 1503 */ 1504 typedef void mpo_mount_label_init_t( 1505 struct label *label 1506 ); 1507 /** 1508 * @brief Internalize a mount point label 1509 * @param label Label to be internalized 1510 * @param element_name Name of the label namespace for which the label should 1511 * be internalized 1512 * @param element_data Text data to be internalized 1513 * 1514 * Produce a mount point file system label from an external representation. 1515 * An externalized label consists of a text representation of the label 1516 * contents that can be used with user applications. Policy-agnostic 1517 * user space tools will forward text version to the kernel for 1518 * processing by individual policy modules. 1519 * 1520 * The policy's internalize entry points will be called only if the 1521 * policy has registered interest in the label namespace. 1522 * 1523 * @return 0 on success, Otherwise, return non-zero if an error occurs 1524 * while internalizing the label data. 
1525 * 1526 */ 1527 typedef int mpo_mount_label_internalize_t( 1528 struct label *label, 1529 char *element_name, 1530 char *element_data 1531 ); 1532 /** 1533 * @brief Access control check for opening an NECP file descriptor 1534 * @param cred Subject credential 1535 * @param flags Open flags 1536 * 1537 * Determine whether the subject identified by the credential can open 1538 * an NECP file descriptor. 1539 * 1540 * @return Return 0 if access is granted, otherwise an appropriate value for 1541 * errno should be returned. 1542 * 1543 */ 1544 typedef int mpo_necp_check_open_t( 1545 kauth_cred_t cred, 1546 int flags 1547 ); 1548 /** 1549 * @brief Access control check for necp_client_action(2) 1550 * @param cred Subject credential 1551 * @param fg NECP fileglob 1552 * @param action NECP client action 1553 * 1554 * Determine whether the subject identified by the credential can open 1555 * an NECP socket. 1556 * 1557 * @return Return 0 if access is granted, otherwise an appropriate value for 1558 * errno should be returned. 1559 * 1560 */ 1561 typedef int mpo_necp_check_client_action_t( 1562 kauth_cred_t cred, 1563 struct fileglob *fg, 1564 uint32_t action 1565 ); 1566 /** 1567 * @brief Access control check for pipe ioctl 1568 * @param cred Subject credential 1569 * @param cpipe Object to be accessed 1570 * @param pipelabel The label on the pipe 1571 * @param cmd The ioctl command; see ioctl(2) 1572 * 1573 * Determine whether the subject identified by the credential can perform 1574 * the ioctl operation indicated by cmd. 1575 * 1576 * @warning Since ioctl data is opaque from the standpoint of the MAC 1577 * framework, policies must exercise extreme care when implementing 1578 * access control checks. 1579 * 1580 * @return Return 0 if access is granted, otherwise an appropriate value for 1581 * errno should be returned. 
1582 * 1583 */ 1584 typedef int mpo_pipe_check_ioctl_t( 1585 kauth_cred_t cred, 1586 struct pipe *cpipe, 1587 struct label *pipelabel, 1588 unsigned long cmd 1589 ); 1590 /** 1591 * @brief Access control check for pipe kqfilter 1592 * @param cred Subject credential 1593 * @param kn Object knote 1594 * @param cpipe Object to be accessed 1595 * @param pipelabel Policy label for the pipe 1596 * 1597 * Determine whether the subject identified by the credential can 1598 * receive the knote on the passed pipe. 1599 * 1600 * @return Return 0 if access if granted, otherwise an appropriate 1601 * value for errno should be returned. 1602 */ 1603 typedef int mpo_pipe_check_kqfilter_t( 1604 kauth_cred_t cred, 1605 struct knote *kn, 1606 struct pipe *cpipe, 1607 struct label *pipelabel 1608 ); 1609 /** 1610 * @brief Access control check for pipe read 1611 * @param cred Subject credential 1612 * @param cpipe Object to be accessed 1613 * @param pipelabel The label on the pipe 1614 * 1615 * Determine whether the subject identified by the credential can 1616 * perform a read operation on the passed pipe. The cred object holds 1617 * the credentials of the subject performing the operation. 1618 * 1619 * @return Return 0 if access is granted, otherwise an appropriate value for 1620 * errno should be returned. 1621 * 1622 */ 1623 typedef int mpo_pipe_check_read_t( 1624 kauth_cred_t cred, 1625 struct pipe *cpipe, 1626 struct label *pipelabel 1627 ); 1628 /** 1629 * @brief Access control check for pipe select 1630 * @param cred Subject credential 1631 * @param cpipe Object to be accessed 1632 * @param pipelabel The label on the pipe 1633 * @param which The operation selected on: FREAD or FWRITE 1634 * 1635 * Determine whether the subject identified by the credential can 1636 * perform a select operation on the passed pipe. The cred object holds 1637 * the credentials of the subject performing the operation. 
1638 * 1639 * @return Return 0 if access is granted, otherwise an appropriate value for 1640 * errno should be returned. 1641 * 1642 */ 1643 typedef int mpo_pipe_check_select_t( 1644 kauth_cred_t cred, 1645 struct pipe *cpipe, 1646 struct label *pipelabel, 1647 int which 1648 ); 1649 /** 1650 * @brief Access control check for pipe stat 1651 * @param cred Subject credential 1652 * @param cpipe Object to be accessed 1653 * @param pipelabel The label on the pipe 1654 * 1655 * Determine whether the subject identified by the credential can 1656 * perform a stat operation on the passed pipe. The cred object holds 1657 * the credentials of the subject performing the operation. 1658 * 1659 * @return Return 0 if access is granted, otherwise an appropriate value for 1660 * errno should be returned. 1661 * 1662 */ 1663 typedef int mpo_pipe_check_stat_t( 1664 kauth_cred_t cred, 1665 struct pipe *cpipe, 1666 struct label *pipelabel 1667 ); 1668 /** 1669 * @brief Access control check for pipe write 1670 * @param cred Subject credential 1671 * @param cpipe Object to be accessed 1672 * @param pipelabel The label on the pipe 1673 * 1674 * Determine whether the subject identified by the credential can 1675 * perform a write operation on the passed pipe. The cred object holds 1676 * the credentials of the subject performing the operation. 1677 * 1678 * @return Return 0 if access is granted, otherwise an appropriate value for 1679 * errno should be returned. 1680 * 1681 */ 1682 typedef int mpo_pipe_check_write_t( 1683 kauth_cred_t cred, 1684 struct pipe *cpipe, 1685 struct label *pipelabel 1686 ); 1687 /** 1688 * @brief Create a pipe label 1689 * @param cred Subject credential 1690 * @param cpipe object to be labeled 1691 * @param pipelabel Label for the pipe object 1692 * 1693 * Create a label for the pipe object being created by the supplied 1694 * user credential. This call is made when a pipe pair is being created. 1695 * The label is shared by both ends of the pipe. 
1696 */ 1697 typedef void mpo_pipe_label_associate_t( 1698 kauth_cred_t cred, 1699 struct pipe *cpipe, 1700 struct label *pipelabel 1701 ); 1702 /** 1703 * @brief Destroy pipe label 1704 * @param label The label to be destroyed 1705 * 1706 * Destroy a pipe label. Since the object is going out of scope, 1707 * policy modules should free any internal storage associated with the 1708 * label so that it may be destroyed. 1709 */ 1710 typedef void mpo_pipe_label_destroy_t( 1711 struct label *label 1712 ); 1713 /** 1714 * @brief Initialize pipe label 1715 * @param label New label to initialize 1716 * 1717 * Initialize label storage for use with a newly instantiated pipe object. 1718 * Sleeping is permitted. 1719 */ 1720 typedef void mpo_pipe_label_init_t( 1721 struct label *label 1722 ); 1723 /** 1724 * @brief Policy unload event 1725 * @param mpc MAC policy configuration 1726 * 1727 * This is the MAC Framework policy unload event. This entry point will 1728 * only be called if the module's policy configuration allows unload (if 1729 * the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't 1730 * want to be unloaded; they should set their flags to prevent this 1731 * entry point from being called. 1732 * 1733 * @warning During this call, the mac policy list mutex is held, so 1734 * sleep operations cannot be performed, and calls out to other kernel 1735 * subsystems must be made with caution. 1736 * 1737 * @see MPC_LOADTIME_FLAG_UNLOADOK 1738 */ 1739 typedef void mpo_policy_destroy_t( 1740 struct mac_policy_conf *mpc 1741 ); 1742 /** 1743 * @brief Policy initialization event 1744 * @param mpc MAC policy configuration 1745 * @see mac_policy_register 1746 * @see mpo_policy_initbsd_t 1747 * 1748 * This is the MAC Framework policy initialization event. This entry 1749 * point is called during mac_policy_register, when the policy module 1750 * is first registered with the MAC Framework. 
This is often done very 1751 * early in the boot process, after the kernel Mach subsystem has been 1752 * initialized, but prior to the BSD subsystem being initialized. 1753 * Since the kernel BSD services are not yet available, it is possible 1754 * that some initialization must occur later, possibly in the 1755 * mpo_policy_initbsd_t policy entry point, such as registering BSD system 1756 * controls (sysctls). Policy modules loaded at boot time will be 1757 * registered and initialized before labeled Mach objects are created. 1758 * 1759 * @warning During this call, the mac policy list mutex is held, so 1760 * sleep operations cannot be performed, and calls out to other kernel 1761 * subsystems must be made with caution. 1762 */ 1763 typedef void mpo_policy_init_t( 1764 struct mac_policy_conf *mpc 1765 ); 1766 /** 1767 * @brief Policy BSD initialization event 1768 * @param mpc MAC policy configuration 1769 * @see mpo_policy_init_t 1770 * 1771 * This entry point is called after the kernel BSD subsystem has been 1772 * initialized. By this point, the module should already be loaded, 1773 * registered, and initialized. Since policy modules are initialized 1774 * before kernel BSD services are available, this second initialization 1775 * phase is necessary. At this point, BSD services (memory management, 1776 * synchronization primitives, vfs, etc.) are available, but the first 1777 * process has not yet been created. Mach-related objects and tasks 1778 * will already be fully initialized and may be in use--policies requiring 1779 * ubiquitous labeling may also want to implement mpo_policy_init_t. 1780 * 1781 * @warning During this call, the mac policy list mutex is held, so 1782 * sleep operations cannot be performed, and calls out to other kernel 1783 * subsystems must be made with caution. 
1784 */ 1785 typedef void mpo_policy_initbsd_t( 1786 struct mac_policy_conf *mpc 1787 ); 1788 /** 1789 * @brief Policy extension service 1790 * @param p Calling process 1791 * @param call Policy-specific syscall number 1792 * @param arg User-space address (user_addr_t) of the policy-specific syscall arguments; neither validated nor copied in by the Framework 1793 * 1794 * This entry point provides a policy-multiplexed system call so that 1795 * policies may provide additional services to user processes without 1796 * registering specific system calls. The policy name provided during 1797 * registration is used to demux calls from userland, and the arguments 1798 * will be forwarded to this entry point. When implementing new 1799 * services, security modules should be sure to invoke appropriate 1800 * access control checks from the MAC framework as needed. For 1801 * example, if a policy implements an augmented signal functionality, 1802 * it should call the necessary signal access control checks to invoke 1803 * the MAC framework and other registered policies. 1804 * 1805 * @warning Since the format and contents of the policy-specific 1806 * arguments are unknown to the MAC Framework, modules must perform the 1807 * required copyin() of the syscall data on their own. arg is an untrusted user pointer and must never be dereferenced directly; every copyin() must be bounded by a size the policy itself fixes, not by a length read from the same untrusted data, and a call number the policy does not recognize should be rejected with an error rather than silently accepted. No policy 1808 * mediation is performed, so policies must perform any necessary 1809 * access control checks themselves. If multiple policies are loaded, 1810 * they will currently be unable to mediate calls to other policies. 1811 * 1812 * @return In the event of an error, an appropriate value for errno 1813 * should be returned, otherwise return 0 upon success. 1814 */ 1815 typedef int mpo_policy_syscall_t( 1816 struct proc *p, 1817 int call, 1818 user_addr_t arg 1819 ); 1820 /** 1821 * @brief Access control check for POSIX semaphore create 1822 * @param cred Subject credential 1823 * @param name String name of the semaphore 1824 * 1825 * Determine whether the subject identified by the credential can create 1826 * a POSIX semaphore specified by name.
1827 * 1828 * @return Return 0 if access is granted, otherwise an appropriate value for 1829 * errno should be returned. 1830 */ 1831 typedef int mpo_posixsem_check_create_t( 1832 kauth_cred_t cred, 1833 const char *name 1834 ); 1835 /** 1836 * @brief Access control check for POSIX semaphore open 1837 * @param cred Subject credential 1838 * @param ps Pointer to semaphore information structure 1839 * @param semlabel Label associated with the semaphore 1840 * 1841 * Determine whether the subject identified by the credential can open 1842 * the named POSIX semaphore with label semlabel. 1843 * 1844 * @return Return 0 if access is granted, otherwise an appropriate value for 1845 * errno should be returned. 1846 */ 1847 typedef int mpo_posixsem_check_open_t( 1848 kauth_cred_t cred, 1849 struct pseminfo *ps, 1850 struct label *semlabel 1851 ); 1852 /** 1853 * @brief Access control check for POSIX semaphore post 1854 * @param cred Subject credential 1855 * @param ps Pointer to semaphore information structure 1856 * @param semlabel Label associated with the semaphore 1857 * 1858 * Determine whether the subject identified by the credential can unlock 1859 * the named POSIX semaphore with label semlabel. 1860 * 1861 * @return Return 0 if access is granted, otherwise an appropriate value for 1862 * errno should be returned. 1863 */ 1864 typedef int mpo_posixsem_check_post_t( 1865 kauth_cred_t cred, 1866 struct pseminfo *ps, 1867 struct label *semlabel 1868 ); 1869 /** 1870 * @brief Access control check for POSIX semaphore unlink 1871 * @param cred Subject credential 1872 * @param ps Pointer to semaphore information structure 1873 * @param semlabel Label associated with the semaphore 1874 * @param name String name of the semaphore 1875 * 1876 * Determine whether the subject identified by the credential can remove 1877 * the named POSIX semaphore with label semlabel. 
1878 * 1879 * @return Return 0 if access is granted, otherwise an appropriate value for 1880 * errno should be returned. 1881 */ 1882 typedef int mpo_posixsem_check_unlink_t( 1883 kauth_cred_t cred, 1884 struct pseminfo *ps, 1885 struct label *semlabel, 1886 const char *name 1887 ); 1888 /** 1889 * @brief Access control check for POSIX semaphore wait 1890 * @param cred Subject credential 1891 * @param ps Pointer to semaphore information structure 1892 * @param semlabel Label associated with the semaphore 1893 * 1894 * Determine whether the subject identified by the credential can lock 1895 * the named POSIX semaphore with label semlabel. 1896 * 1897 * @return Return 0 if access is granted, otherwise an appropriate value for 1898 * errno should be returned. 1899 */ 1900 typedef int mpo_posixsem_check_wait_t( 1901 kauth_cred_t cred, 1902 struct pseminfo *ps, 1903 struct label *semlabel 1904 ); 1905 /** 1906 * @brief Create a POSIX semaphore label 1907 * @param cred Subject credential 1908 * @param ps Pointer to semaphore information structure 1909 * @param semlabel Label to associate with the new semaphore 1910 * @param name String name of the semaphore 1911 * 1912 * Label a new POSIX semaphore. The label was previously 1913 * initialized and associated with the semaphore. At this time, an 1914 * appropriate initial label value should be assigned to the object and 1915 * stored in semlabel. 1916 */ 1917 typedef void mpo_posixsem_label_associate_t( 1918 kauth_cred_t cred, 1919 struct pseminfo *ps, 1920 struct label *semlabel, 1921 const char *name 1922 ); 1923 /** 1924 * @brief Destroy POSIX semaphore label 1925 * @param label The label to be destroyed 1926 * 1927 * Destroy a POSIX semaphore label. Since the object is 1928 * going out of scope, policy modules should free any internal storage 1929 * associated with the label so that it may be destroyed.
1930 */ 1931 typedef void mpo_posixsem_label_destroy_t( 1932 struct label *label 1933 ); 1934 /** 1935 * @brief Initialize POSIX semaphore label 1936 * @param label New label to initialize 1937 * 1938 * Initialize the label for a newly instantiated POSIX semaphore. Sleeping 1939 * is permitted. 1940 */ 1941 typedef void mpo_posixsem_label_init_t( 1942 struct label *label 1943 ); 1944 /** 1945 * @brief Access control check for POSIX shared memory region create 1946 * @param cred Subject credential 1947 * @param name String name of the shared memory region 1948 * 1949 * Determine whether the subject identified by the credential can create 1950 * the POSIX shared memory region referenced by name. 1951 * 1952 * @return Return 0 if access is granted, otherwise an appropriate value for 1953 * errno should be returned. 1954 */ 1955 typedef int mpo_posixshm_check_create_t( 1956 kauth_cred_t cred, 1957 const char *name 1958 ); 1959 /** 1960 * @brief Access control check for mapping POSIX shared memory 1961 * @param cred Subject credential 1962 * @param ps Pointer to shared memory information structure 1963 * @param shmlabel Label associated with the shared memory region 1964 * @param prot mmap protections; see mmap(2) 1965 * @param flags mmap flags; see mmap(2) (this hook guards mmap of a POSIX region, not shmat(2)) 1966 * 1967 * Determine whether the subject identified by the credential can map 1968 * the POSIX shared memory segment associated with shmlabel. 1969 * 1970 * @return Return 0 if access is granted, otherwise an appropriate value for 1971 * errno should be returned.
1972 */ 1973 typedef int mpo_posixshm_check_mmap_t( 1974 kauth_cred_t cred, 1975 struct pshminfo *ps, 1976 struct label *shmlabel, 1977 int prot, 1978 int flags 1979 ); 1980 /** 1981 * @brief Access control check for POSIX shared memory region open 1982 * @param cred Subject credential 1983 * @param ps Pointer to shared memory information structure 1984 * @param shmlabel Label associated with the shared memory region 1985 * @param fflags shm_open(2) open flags ('fflags' encoded) 1986 * 1987 * Determine whether the subject identified by the credential can open 1988 * the POSIX shared memory region. 1989 * 1990 * @return Return 0 if access is granted, otherwise an appropriate value for 1991 * errno should be returned. 1992 */ 1993 typedef int mpo_posixshm_check_open_t( 1994 kauth_cred_t cred, 1995 struct pshminfo *ps, 1996 struct label *shmlabel, 1997 int fflags 1998 ); 1999 /** 2000 * @brief Access control check for POSIX shared memory stat 2001 * @param cred Subject credential 2002 * @param ps Pointer to shared memory information structure 2003 * @param shmlabel Label associated with the shared memory region 2004 * 2005 * Determine whether the subject identified by the credential can obtain 2006 * status for the POSIX shared memory segment associated with shmlabel. 2007 * 2008 * @return Return 0 if access is granted, otherwise an appropriate value for 2009 * errno should be returned. 
2010 */ 2011 typedef int mpo_posixshm_check_stat_t( 2012 kauth_cred_t cred, 2013 struct pshminfo *ps, 2014 struct label *shmlabel 2015 ); 2016 /** 2017 * @brief Access control check for POSIX shared memory truncate 2018 * @param cred Subject credential 2019 * @param ps Pointer to shared memory information structure 2020 * @param shmlabel Label associated with the shared memory region 2021 * @param len Length to truncate or extend shared memory segment 2022 * 2023 * Determine whether the subject identified by the credential can truncate 2024 * or extend (to len) the POSIX shared memory segment associated with shmlabel. 2025 * 2026 * @return Return 0 if access is granted, otherwise an appropriate value for 2027 * errno should be returned. 2028 */ 2029 typedef int mpo_posixshm_check_truncate_t( 2030 kauth_cred_t cred, 2031 struct pshminfo *ps, 2032 struct label *shmlabel, 2033 off_t len 2034 ); 2035 /** 2036 * @brief Access control check for POSIX shared memory unlink 2037 * @param cred Subject credential 2038 * @param ps Pointer to shared memory information structure 2039 * @param shmlabel Label associated with the shared memory region 2040 * @param name String name of the shared memory region 2041 * 2042 * Determine whether the subject identified by the credential can delete 2043 * the POSIX shared memory segment associated with shmlabel. 2044 * 2045 * @return Return 0 if access is granted, otherwise an appropriate value for 2046 * errno should be returned. 2047 */ 2048 typedef int mpo_posixshm_check_unlink_t( 2049 kauth_cred_t cred, 2050 struct pshminfo *ps, 2051 struct label *shmlabel, 2052 const char *name 2053 ); 2054 /** 2055 * @brief Create a POSIX shared memory region label 2056 * @param cred Subject credential 2057 * @param ps Pointer to shared memory information structure 2058 * @param shmlabel Label to associate with the new shared memory region 2059 * @param name String name of the shared memory region 2060 * 2061 * Label a new POSIX shared memory region. 
The label was previously 2062 * initialized and associated with the shared memory region. At this 2063 * time, an appropriate initial label value should be assigned to the 2064 * object and stored in shmlabel. 2065 */ 2066 typedef void mpo_posixshm_label_associate_t( 2067 kauth_cred_t cred, 2068 struct pshminfo *ps, 2069 struct label *shmlabel, 2070 const char *name 2071 ); 2072 /** 2073 * @brief Destroy POSIX shared memory label 2074 * @param label The label to be destroyed 2075 * 2076 * Destroy a POSIX shared memory region label. Since the 2077 * object is going out of scope, policy modules should free any 2078 * internal storage associated with the label so that it may be 2079 * destroyed. 2080 */ 2081 typedef void mpo_posixshm_label_destroy_t( 2082 struct label *label 2083 ); 2084 /** 2085 * @brief Initialize POSIX Shared Memory region label 2086 * @param label New label to initialize 2087 * 2088 * Initialize the label for a newly instantiated POSIX Shared Memory 2089 * region. Sleeping is permitted. 2090 */ 2091 typedef void mpo_posixshm_label_init_t( 2092 struct label *label 2093 ); 2094 /** 2095 * @brief Access control check for privileged operations 2096 * @param cred Subject credential 2097 * @param priv Requested privilege (see sys/priv.h) 2098 * 2099 * Determine whether the subject identified by the credential can perform 2100 * a privileged operation. Privileged operations are allowed if the cred 2101 * is the superuser or any policy returns zero for mpo_priv_grant, unless 2102 * any policy returns nonzero for mpo_priv_check. 2103 * 2104 * @return Return 0 if access is granted, otherwise EPERM should be returned.
2105 */ 2106 typedef int mpo_priv_check_t( 2107 kauth_cred_t cred, 2108 int priv 2109 ); 2110 /** 2111 * @brief Grant regular users the ability to perform privileged operations 2112 * @param cred Subject credential 2113 * @param priv Requested privilege (see sys/priv.h) 2114 * 2115 * Determine whether the subject identified by the credential should be 2116 * allowed to perform a privileged operation that in the absence of any 2117 * MAC policy it would not be able to perform. Privileged operations are 2118 * allowed if the cred is the superuser or any policy returns zero for 2119 * mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check. 2120 * 2121 * Unlike other MAC hooks which can only reduce the privilege of a 2122 * credential, this hook raises the privilege of a credential when it 2123 * returns 0. Extreme care must be taken when implementing this hook to 2124 * avoid undermining the security of the system. Because a single zero return from any one policy is enough to grant the privilege, an implementation must be deny-by-default: return 0 only for the specific priv values it explicitly recognizes and for subjects it has positively identified, and return EPERM in every other case, including for priv values it does not know about. 2125 * 2126 * @return Return 0 if additional privilege is granted, otherwise EPERM 2127 * should be returned. 2128 */ 2129 typedef int mpo_priv_grant_t( 2130 kauth_cred_t cred, 2131 int priv 2132 ); 2133 /** 2134 * @brief Access control over process core dumps 2135 * @param proc Subject process 2136 * 2137 * Determine whether a core dump may be written to disk for the subject 2138 * identified. 2139 * 2140 * @return Return 0 if access is granted, otherwise an appropriate value for 2141 * errno should be returned.
2142 */ 2143 typedef int mpo_proc_check_dump_core_t( 2144 struct proc *proc 2145 ); 2146 /** 2147 * @brief Access control over remote thread creation 2148 * @param cred Subject credential 2149 * @param proc Object process 2150 * @param flavor Flavor of thread state passed in new_state, or -1 2151 * @param new_state Thread state to be set on the created thread, or NULL 2152 * @param new_state_count Size of thread state, in natural_t units, or 0 2153 * 2154 * Determine whether the subject can create a thread in the object process 2155 * by calling the thread_create or thread_create_running MIG routines on 2156 * another process' task port. For thread_create_running, the flavor, 2157 * new_state and new_state_count arguments are passed here before they are 2158 * converted and checked by machine-dependent code. Because that validation has not yet happened, a policy that inspects new_state must treat it as untrusted input: bound every read by new_state_count, handle a NULL new_state with a count of 0, and do not assume the contents are consistent with flavor. 2159 * 2160 * @return Return 0 if access is granted, otherwise an appropriate value for 2161 * errno should be returned. 2162 */ 2163 typedef int mpo_proc_check_remote_thread_create_t( 2164 kauth_cred_t cred, 2165 struct proc *proc, 2166 int flavor, 2167 thread_state_t new_state, 2168 mach_msg_type_number_t new_state_count 2169 ); 2170 /** 2171 * @brief Access control check for debugging process 2172 * @param cred Subject credential 2173 * @param pident Object unique process identifier 2174 * 2175 * Determine whether the subject identified by the credential can debug 2176 * the passed process. This call may be made in a number of situations, 2177 * including use of the ptrace(2) and ktrace(2) APIs, as well as for some 2178 * types of procfs operations. 2179 * 2180 * @return Return 0 if access is granted, otherwise an appropriate value for 2181 * errno should be returned. Suggested failure: EACCES for label mismatch, 2182 * EPERM for lack of privilege, or ESRCH to hide visibility of the target.
2183 */ 2184 typedef int mpo_proc_check_debug_t( 2185 kauth_cred_t cred, 2186 struct proc_ident *pident 2187 ); 2188 /** 2189 * @brief Access control over fork 2190 * @param cred Subject credential 2191 * @param proc Subject process trying to fork 2192 * 2193 * Determine whether the subject identified is allowed to fork. 2194 * 2195 * @return Return 0 if access is granted, otherwise an appropriate value for 2196 * errno should be returned. 2197 */ 2198 typedef int mpo_proc_check_fork_t( 2199 kauth_cred_t cred, 2200 struct proc *proc 2201 ); 2202 /** 2203 * @brief Access control check for setting host special ports. 2204 * @param cred Subject credential 2205 * @param id The host special port to set 2206 * @param port The new value to set for the special port 2207 * 2208 * @return Return 0 if access is granted, otherwise an appropriate value for 2209 * errno should be returned. 2210 */ 2211 typedef int mpo_proc_check_set_host_special_port_t( 2212 kauth_cred_t cred, 2213 int id, 2214 struct ipc_port *port 2215 ); 2216 /** 2217 * @brief Access control check for setting host exception ports. 2218 * @param cred Subject credential 2219 * @param exception Exception selector (an unsigned int, not the port object) whose host exception port is being set; presumably the exception mask -- confirm against the caller 2220 * 2221 * @return Return 0 if access is granted, otherwise an appropriate value for 2222 * errno should be returned. 2223 */ 2224 typedef int mpo_proc_check_set_host_exception_port_t( 2225 kauth_cred_t cred, 2226 unsigned int exception 2227 ); 2228 /** 2229 * @brief Access control check for getting task special ports. 2230 * @param cred Subject credential 2231 * @param pident Object unique process identifier, NULL if target is a corpse task; policies must check for NULL before dereferencing pident 2232 * @param which The task special port to get 2233 * 2234 * @return Return 0 if access is granted, otherwise an appropriate value for 2235 * errno should be returned.
2236 */ 2237 typedef int mpo_proc_check_get_task_special_port_t( 2238 kauth_cred_t cred, 2239 struct proc_ident *pident, 2240 int which 2241 ); 2242 /** 2243 * @brief Access control check for setting task special ports. 2244 * @param cred Subject credential 2245 * @param pident Object unique process identifier 2246 * @param which The task special port to set 2247 * @param port The new value to set for the special port 2248 * 2249 * @return Return 0 if access is granted, otherwise an appropriate value for 2250 * errno should be returned. 2251 */ 2252 typedef int mpo_proc_check_set_task_special_port_t( 2253 kauth_cred_t cred, 2254 struct proc_ident *pident, 2255 int which, 2256 struct ipc_port *port 2257 ); 2258 /** 2259 * @brief Access control check for getting movable task/thread control port for current task. 2260 * @param cred Subject credential 2261 * 2262 * @return Return 0 if access is granted, otherwise an appropriate value for 2263 * errno should be returned. 2264 */ 2265 typedef int mpo_proc_check_get_movable_control_port_t( 2266 kauth_cred_t cred 2267 ); 2268 /** 2269 * @brief Access control check for calling task_dyld_process_info_notify_register 2270 * and task_dyld_process_info_notify_deregister. 2271 * @param cred Subject credential 2272 * 2273 * @return Return 0 if access is granted, otherwise an appropriate value for 2274 * errno should be returned. 2275 */ 2276 typedef int mpo_proc_check_dyld_process_info_notify_register_t( 2277 kauth_cred_t cred 2278 ); 2279 /** 2280 * @brief Access control over pid_suspend, pid_resume and family 2281 * @param cred Subject credential 2282 * @param proc Object process 2283 * @param sr Type of call; one of MAC_PROC_CHECK_SUSPEND, 2284 * MAC_PROC_CHECK_RESUME, MAC_PROC_CHECK_HIBERNATE, 2285 * MAC_PROC_CHECK_SHUTDOWN_SOCKETS or MAC_PROC_CHECK_PIDBIND. 
2286 * 2287 * Determine whether the subject identified is allowed to call pid_suspend, 2288 * pid_resume, pid_hibernate, pid_shutdown_sockets, 2289 * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_DEVSTATUS) or 2290 * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_PIDBIND) on 2291 * the object process. 2292 * 2293 * @return Return 0 if access is granted, otherwise an appropriate value for 2294 * errno should be returned. 2295 */ 2296 typedef int mpo_proc_check_suspend_resume_t( 2297 kauth_cred_t cred, 2298 struct proc *proc, 2299 int sr 2300 ); 2301 /** 2302 * @brief Access control check for retrieving audit information 2303 * @param cred Subject credential 2304 * 2305 * Determine whether the subject identified by the credential can get 2306 * audit information such as the audit user ID, the preselection mask, 2307 * the terminal ID and the audit session ID, using the getaudit() system call. 2308 * 2309 * @return Return 0 if access is granted, otherwise an appropriate value for 2310 * errno should be returned. 2311 */ 2312 typedef int mpo_proc_check_getaudit_t( 2313 kauth_cred_t cred 2314 ); 2315 /** 2316 * @brief Access control check for retrieving audit user ID 2317 * @param cred Subject credential 2318 * 2319 * Determine whether the subject identified by the credential can get 2320 * the user identity being used by the auditing system, using the getauid() 2321 * system call. 2322 * 2323 * @return Return 0 if access is granted, otherwise an appropriate value for 2324 * errno should be returned. 2325 */ 2326 typedef int mpo_proc_check_getauid_t( 2327 kauth_cred_t cred 2328 ); 2329 /** 2330 * @brief Access control check for retrieving Login Context ID 2331 * @param p0 Calling process 2332 * @param p Affected process 2333 * @param pid syscall PID argument 2334 * 2335 * Determine if getlcid(2) system call is permitted. 2336 * 2337 * Information returned by this system call is similar to that returned via 2338 * process listings etc.
2339 * 2340 * @return Return 0 if access is granted, otherwise an appropriate value for 2341 * errno should be returned. 2342 */ 2343 typedef int mpo_proc_check_getlcid_t( 2344 struct proc *p0, 2345 struct proc *p, 2346 pid_t pid 2347 ); 2348 /** 2349 * @brief Access control check for retrieving ledger information 2350 * @param cred Subject credential 2351 * @param target Object process 2352 * @param op ledger operation 2353 * 2354 * Determine if ledger(2) system call is permitted. 2355 * 2356 * Information returned by this system call is similar to that returned via 2357 * process listings etc. 2358 * 2359 * @return Return 0 if access is granted, otherwise an appropriate value for 2360 * errno should be returned. 2361 */ 2362 typedef int mpo_proc_check_ledger_t( 2363 kauth_cred_t cred, 2364 struct proc *target, 2365 int op 2366 ); 2367 /** 2368 * @brief Access control check for retrieving process information. 2369 * @param cred Subject credential 2370 * @param target Target process (may be null, may be zombie) * @param callnum Process information call number * @param flavor Call-specific flavor, interpreted relative to callnum 2371 * 2372 * Determine if a credential has permission to access process information as defined 2373 * by call number and flavor on target process. Since target may be NULL or a zombie, a policy must tolerate both and check for NULL before dereferencing it. 2374 * 2375 * @return Return 0 if access is granted, otherwise an appropriate value for 2376 * errno should be returned. 2377 */ 2378 typedef int mpo_proc_check_proc_info_t( 2379 kauth_cred_t cred, 2380 struct proc *target, 2381 int callnum, 2382 int flavor 2383 ); 2384 /** 2385 * @brief Access control check for retrieving code signing information. 2386 * @param cred Subject credential 2387 * @param target Target process 2388 * @param op Code signing operation being performed 2389 * 2390 * Determine whether the subject identified by the credential should be 2391 * allowed to get code signing information about the target process. 2392 * 2393 * @return Return 0 if access is granted, otherwise an appropriate value for 2394 * errno should be returned.
2395 */ 2396 typedef int mpo_proc_check_get_cs_info_t( 2397 kauth_cred_t cred, 2398 struct proc *target, 2399 unsigned int op 2400 ); 2401 /** 2402 * @brief Access control check for setting code signing information. 2403 * @param cred Subject credential 2404 * @param target Target process 2405 * @param op Code signing operation being performed. 2406 * 2407 * Determine whether the subject identified by the credential should be 2408 * allowed to set code signing information about the target process. 2409 * 2410 * @return Return 0 if permission is granted, otherwise an appropriate 2411 * value of errno should be returned. 2412 */ 2413 typedef int mpo_proc_check_set_cs_info_t( 2414 kauth_cred_t cred, 2415 struct proc *target, 2416 unsigned int op 2417 ); 2418 /** 2419 * @brief Access control check for mmap MAP_ANON 2420 * @param proc User process requesting the memory 2421 * @param cred Subject credential 2422 * @param u_addr Start address of the memory range 2423 * @param u_size Length of the memory range 2424 * @param prot mmap protections; see mmap(2) 2425 * @param flags Type of mapped object; see mmap(2) 2426 * @param maxprot Maximum rights (in/out; may only be narrowed by a policy) 2427 * 2428 * Determine whether the subject identified by the credential should be 2429 * allowed to obtain anonymous memory using the specified flags and 2430 * protections on the new mapping. MAP_ANON will always be present in the 2431 * flags. Certain combinations of flags with a non-NULL addr may 2432 * cause a mapping to be rejected before this hook is called. The maxprot field 2433 * holds the maximum permissions on the new mapping, a combination of 2434 * VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior 2435 * access control checks, a policy must only clear bits in *maxprot and never set any; setting a bit would grant a right that an earlier check may already have denied. 2436 * 2437 * @return Return 0 if access is granted, otherwise an appropriate value for 2438 * errno should be returned. Suggested failure: EPERM for lack of privilege.
2439 */ 2440 typedef int mpo_proc_check_map_anon_t( 2441 struct proc *proc, 2442 kauth_cred_t cred, 2443 user_addr_t u_addr, 2444 user_size_t u_size, 2445 int prot, 2446 int flags, 2447 int *maxprot 2448 ); 2449 /** 2450 * @brief Access control check for memorystatus_control(2) 2451 * @param cred Subject credential 2452 * @param command Memory status control command 2453 * @param pid Target process id, or 0 2454 * 2455 * Determine whether the subject identified by the credential should 2456 * be allowed to issue the specified memorystatus control command. 2457 * 2458 * @return Return 0 if access is granted, otherwise an appropriate value for 2459 * errno should be returned. 2460 */ 2461 typedef int mpo_proc_check_memorystatus_control_t( 2462 kauth_cred_t cred, 2463 int32_t command, 2464 pid_t pid 2465 ); 2466 /** 2467 * @brief Access control check for setting memory protections 2468 * @param cred Subject credential 2469 * @param proc User process requesting the change 2470 * @param addr Start address of the memory range 2471 * @param size Length of the memory range 2472 * @param prot Memory protections, see mmap(2) 2473 * 2474 * Determine whether the subject identified by the credential should 2475 * be allowed to set the specified memory protections on memory mapped 2476 * in the process proc. 2477 * 2478 * @return Return 0 if access is granted, otherwise an appropriate value for 2479 * errno should be returned. 2480 */ 2481 typedef int mpo_proc_check_mprotect_t( 2482 kauth_cred_t cred, 2483 struct proc *proc, 2484 user_addr_t addr, 2485 user_size_t size, 2486 int prot 2487 ); 2488 /** 2489 * @brief Access control check for changing scheduling parameters 2490 * @param cred Subject credential 2491 * @param proc Object process 2492 * 2493 * Determine whether the subject identified by the credential can change 2494 * the scheduling parameters of the passed process.
2495 * 2496 * @return Return 0 if access is granted, otherwise an appropriate value for 2497 * errno should be returned. Suggested failure: EACCES for label mismatch, 2498 * EPERM for lack of privilege, or ESRCH to limit visibility. 2499 */ 2500 typedef int mpo_proc_check_sched_t( 2501 kauth_cred_t cred, 2502 struct proc *proc 2503 ); 2504 /** 2505 * @brief Access control check for setting audit information 2506 * @param cred Subject credential 2507 * @param ai Audit information 2508 * 2509 * Determine whether the subject identified by the credential can set 2510 * audit information such as the preselection mask, the terminal ID 2511 * and the audit session ID, using the setaudit() system call. 2512 * 2513 * @return Return 0 if access is granted, otherwise an appropriate value for 2514 * errno should be returned. 2515 */ 2516 typedef int mpo_proc_check_setaudit_t( 2517 kauth_cred_t cred, 2518 struct auditinfo_addr *ai 2519 ); 2520 /** 2521 * @brief Access control check for setting audit user ID 2522 * @param cred Subject credential 2523 * @param auid Audit user ID 2524 * 2525 * Determine whether the subject identified by the credential can set 2526 * the user identity used by the auditing system, using the setauid() 2527 * system call. 2528 * 2529 * @return Return 0 if access is granted, otherwise an appropriate value for 2530 * errno should be returned. 2531 */ 2532 typedef int mpo_proc_check_setauid_t( 2533 kauth_cred_t cred, 2534 uid_t auid 2535 ); 2536 /** 2537 * @brief Access control check for setting the Login Context 2538 * @param p0 Calling process 2539 * @param p Affected process 2540 * @param pid syscall PID argument 2541 * @param lcid syscall LCID argument 2542 * 2543 * Determine if setlcid(2) system call is permitted. 2544 * 2545 * See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of 2546 * decoding syscall arguments to determine action desired by caller.
2547 * 2548 * Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN 2549 * 2550 * @return Return 0 if access is granted, otherwise an appropriate value for 2551 * errno should be returned. 2552 */ 2553 typedef int mpo_proc_check_setlcid_t( 2554 struct proc *p0, 2555 struct proc *p, 2556 pid_t pid, 2557 pid_t lcid 2558 ); 2559 /** 2560 * @brief Access control check for delivering signal 2561 * @param cred Subject credential 2562 * @param proc Object process 2563 * @param signum Signal number; see kill(2) 2564 * 2565 * Determine whether the subject identified by the credential can deliver 2566 * the passed signal to the passed process. 2567 * 2568 * @warning Programs typically expect to be able to send and receive 2569 * signals as part of their normal process lifecycle; caution should be 2570 * exercised when implementing access controls over signal events. 2571 * 2572 * @return Return 0 if access is granted, otherwise an appropriate value for 2573 * errno should be returned. Suggested failure: EACCES for label mismatch, 2574 * EPERM for lack of privilege, or ESRCH to limit visibility. 2575 */ 2576 typedef int mpo_proc_check_signal_t( 2577 kauth_cred_t cred, 2578 struct proc *proc, 2579 int signum 2580 ); 2581 /** 2582 * @brief Access control check for MAC syscalls. 2583 * @param proc Subject process 2584 * @param policy MAC policy name 2585 * @param callnum MAC policy-specific syscall number 2586 * 2587 * Determine whether the subject process can perform the passed MAC syscall. 2588 * 2589 * @return Return 0 if access is granted, otherwise an appropriate value for 2590 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2591 */ 2592 typedef int mpo_proc_check_syscall_mac_t( 2593 struct proc *proc, 2594 const char *policy, 2595 int callnum 2596 ); 2597 /** 2598 * @brief Access control check for Unix syscalls. 2599 * @param proc Subject process 2600 * @param scnum Syscall number; see bsd/kern/syscalls.master.
2601 * 2602 * Determine whether the subject process can perform the passed syscall (number). 2603 * 2604 * @warning Programs typically expect to be able to make syscalls as part of 2605 * their normal process lifecycle; caution should be exercised when restricting 2606 * which syscalls a process can perform. 2607 * 2608 * @return Return 0 if access is granted, otherwise an appropriate value for 2609 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2610 */ 2611 typedef int mpo_proc_check_syscall_unix_t( 2612 struct proc *proc, 2613 int scnum 2614 ); 2615 /** 2616 * @brief Access control check for wait 2617 * @param cred Subject credential 2618 * @param proc Object process 2619 * 2620 * Determine whether the subject identified by the credential can wait 2621 * for process termination. 2622 * 2623 * @warning Caution should be exercised when implementing access 2624 * controls for wait, since programs often wait for child processes to 2625 * exit. Failure to be notified of a child process terminating may 2626 * cause the parent process to hang, or may produce zombie processes. 2627 * 2628 * @return Return 0 if access is granted, otherwise an appropriate value for 2629 * errno should be returned. 2630 */ 2631 typedef int mpo_proc_check_wait_t( 2632 kauth_cred_t cred, 2633 struct proc *proc 2634 ); 2635 /** 2636 * @brief Inform MAC policies that a process has exited. 2637 * @param proc Object process 2638 * 2639 * Called after all of the process's threads have terminated and 2640 * it has been removed from the process list. KPI that identifies 2641 * the process by pid will fail to find the process; KPI that 2642 * identifies the process by the object process pointer functions 2643 * normally. proc_exiting() returns true for the object process. 
2644 */ 2645 typedef void mpo_proc_notify_exit_t( 2646 struct proc *proc 2647 ); 2648 /** 2649 * @brief Access control check for skywalk flow connect 2650 * @param cred Subject credential 2651 * @param flow Flow object 2652 * @param addr Remote address for flow to send data to 2653 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) 2654 * @param protocol Network protocol (e.g. IPPROTO_TCP) 2655 * 2656 * Determine whether the subject identified by the credential can 2657 * create a flow for sending data to the remote host specified by 2658 * addr. 2659 * 2660 * @return Return 0 if access is granted, otherwise an appropriate 2661 * value for errno should be returned. 2662 */ 2663 typedef int mpo_skywalk_flow_check_connect_t( 2664 kauth_cred_t cred, 2665 void *flow, 2666 const struct sockaddr *addr, 2667 int type, 2668 int protocol 2669 ); 2670 /** 2671 * @brief Access control check for skywalk flow listen 2672 * @param cred Subject credential 2673 * @param flow Flow object 2674 * @param addr Local address for flow to listen on 2675 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) 2676 * @param protocol Network protocol (e.g. IPPROTO_TCP) 2677 * 2678 * Determine whether the subject identified by the credential can 2679 * create a flow for receiving data on the local address specified 2680 * by addr. 2681 * 2682 * @return Return 0 if access is granted, otherwise an appropriate 2683 * value for errno should be returned. 2684 */ 2685 typedef int mpo_skywalk_flow_check_listen_t( 2686 kauth_cred_t cred, 2687 void *flow, 2688 const struct sockaddr *addr, 2689 int type, 2690 int protocol 2691 ); 2692 /** 2693 * @brief Access control check for socket accept 2694 * @param cred Subject credential 2695 * @param so Object socket 2696 * @param socklabel Policy label for socket 2697 * 2698 * Determine whether the subject identified by the credential can accept() 2699 * a new connection on the socket (this hook does not receive the peer address). 
2700 * 2701 * @return Return 0 if access is granted, otherwise an appropriate 2702 * value for errno should be returned. 2703 */ 2704 typedef int mpo_socket_check_accept_t( 2705 kauth_cred_t cred, 2706 socket_t so, 2707 struct label *socklabel 2708 ); 2709 /** 2710 * @brief Access control check for a pending socket accept 2711 * @param cred Subject credential 2712 * @param so Object socket 2713 * @param socklabel Policy label for socket 2714 * @param addr Address of the listening socket (coming soon) 2715 * 2716 * Determine whether the subject identified by the credential can accept() 2717 * a pending connection on the socket from the host specified by addr. 2718 * 2719 * @return Return 0 if access is granted, otherwise an appropriate 2720 * value for errno should be returned. 2721 */ 2722 typedef int mpo_socket_check_accepted_t( 2723 kauth_cred_t cred, 2724 socket_t so, 2725 struct label *socklabel, 2726 struct sockaddr *addr 2727 ); 2728 /** 2729 * @brief Access control check for socket bind 2730 * @param cred Subject credential 2731 * @param so Object socket 2732 * @param socklabel Policy label for socket 2733 * @param addr Name to assign to the socket 2734 * 2735 * Determine whether the subject identified by the credential can bind() 2736 * the name (addr) to the socket. 2737 * 2738 * @return Return 0 if access is granted, otherwise an appropriate 2739 * value for errno should be returned. 2740 */ 2741 typedef int mpo_socket_check_bind_t( 2742 kauth_cred_t cred, 2743 socket_t so, 2744 struct label *socklabel, 2745 struct sockaddr *addr 2746 ); 2747 /** 2748 * @brief Access control check for socket connect 2749 * @param cred Subject credential 2750 * @param so Object socket 2751 * @param socklabel Policy label for socket 2752 * @param addr Address of the remote host to connect to 2753 * 2754 * Determine whether the subject identified by the credential can 2755 * connect() the passed socket to the remote host specified by addr. 
2756 * 2757 * @return Return 0 if access is granted, otherwise an appropriate 2758 * value for errno should be returned. 2759 */ 2760 typedef int mpo_socket_check_connect_t( 2761 kauth_cred_t cred, 2762 socket_t so, 2763 struct label *socklabel, 2764 struct sockaddr *addr 2765 ); 2766 /** 2767 * @brief Access control check for socket() system call. 2768 * @param cred Subject credential 2769 * @param domain communication domain 2770 * @param type socket type 2771 * @param protocol socket protocol 2772 * 2773 * Determine whether the subject identified by the credential can 2774 * make the socket() call. 2775 * 2776 * @return Return 0 if access is granted, otherwise an appropriate 2777 * value for errno should be returned. 2778 */ 2779 typedef int mpo_socket_check_create_t( 2780 kauth_cred_t cred, 2781 int domain, 2782 int type, 2783 int protocol 2784 ); 2785 /** 2786 * @brief Access control check for socket ioctl. 2787 * @param cred Subject credential 2788 * @param so Object socket 2789 * @param cmd The ioctl command; see ioctl(2) 2790 * @param socklabel Policy label for socket 2791 * 2792 * Determine whether the subject identified by the credential can perform 2793 * the ioctl operation indicated by cmd on the given socket. 2794 * 2795 * @warning Since ioctl data is opaque from the standpoint of the MAC 2796 * framework, and since ioctls can affect many aspects of system 2797 * operation, policies must exercise extreme care when implementing 2798 * access control checks. 2799 * 2800 * @return Return 0 if access is granted, otherwise an appropriate value for 2801 * errno should be returned. 
2802 */ 2803 typedef int mpo_socket_check_ioctl_t( 2804 kauth_cred_t cred, 2805 socket_t so, 2806 unsigned long cmd, 2807 struct label *socklabel 2808 ); 2809 /** 2810 * @brief Access control check for socket listen 2811 * @param cred Subject credential 2812 * @param so Object socket 2813 * @param socklabel Policy label for socket 2814 * 2815 * Determine whether the subject identified by the credential can 2816 * listen() on the passed socket. 2817 * 2818 * @return Return 0 if access is granted, otherwise an appropriate 2819 * value for errno should be returned. 2820 */ 2821 typedef int mpo_socket_check_listen_t( 2822 kauth_cred_t cred, 2823 socket_t so, 2824 struct label *socklabel 2825 ); 2826 /** 2827 * @brief Access control check for socket receive 2828 * @param cred Subject credential 2829 * @param so Object socket 2830 * @param socklabel Policy label for socket 2831 * 2832 * Determine whether the subject identified by the credential can 2833 * receive data from the socket. 2834 * 2835 * @return Return 0 if access is granted, otherwise an appropriate 2836 * value for errno should be returned. 2837 */ 2838 typedef int mpo_socket_check_receive_t( 2839 kauth_cred_t cred, 2840 socket_t so, 2841 struct label *socklabel 2842 ); 2843 2844 /** 2845 * @brief Access control check for data received on a socket from a remote host 2846 * @param cred Subject credential 2847 * @param sock Object socket 2848 * @param socklabel Policy label for socket 2849 * @param saddr Name of the remote socket 2850 * 2851 * Determine whether the subject identified by the credential can 2852 * receive data from the remote host specified by saddr. 2853 * 2854 * @return Return 0 if access is granted, otherwise an appropriate 2855 * value for errno should be returned. 
2856 */ 2857 typedef int mpo_socket_check_received_t( 2858 kauth_cred_t cred, 2859 struct socket *sock, 2860 struct label *socklabel, 2861 struct sockaddr *saddr 2862 ); 2863 2864 /** 2865 * @brief Access control check for socket send 2866 * @param cred Subject credential 2867 * @param so Object socket 2868 * @param socklabel Policy label for socket 2869 * @param addr Address being sent to 2870 * 2871 * Determine whether the subject identified by the credential can send 2872 * data to the socket. 2873 * 2874 * @return Return 0 if access is granted, otherwise an appropriate 2875 * value for errno should be returned. 2876 */ 2877 typedef int mpo_socket_check_send_t( 2878 kauth_cred_t cred, 2879 socket_t so, 2880 struct label *socklabel, 2881 struct sockaddr *addr 2882 ); 2883 /** 2884 * @brief Access control check for retrieving socket status 2885 * @param cred Subject credential 2886 * @param so Object socket 2887 * @param socklabel Policy label for so 2888 * 2889 * Determine whether the subject identified by the credential can 2890 * execute the stat() system call on the given socket. 2891 * 2892 * @return Return 0 if access is granted, otherwise an appropriate 2893 * value for errno should be returned. 2894 */ 2895 typedef int mpo_socket_check_stat_t( 2896 kauth_cred_t cred, 2897 socket_t so, 2898 struct label *socklabel 2899 ); 2900 /** 2901 * @brief Access control check for setting socket options 2902 * @param cred Subject credential 2903 * @param so Object socket 2904 * @param socklabel Policy label for so 2905 * @param sopt The options being set 2906 * 2907 * Determine whether the subject identified by the credential can 2908 * execute the setsockopt system call on the given socket. 2909 * 2910 * @return Return 0 if access is granted, otherwise an appropriate 2911 * value for errno should be returned. 
2912 */ 2913 typedef int mpo_socket_check_setsockopt_t( 2914 kauth_cred_t cred, 2915 socket_t so, 2916 struct label *socklabel, 2917 struct sockopt *sopt 2918 ); 2919 /** 2920 * @brief Access control check for getting socket options 2921 * @param cred Subject credential 2922 * @param so Object socket 2923 * @param socklabel Policy label for so 2924 * @param sopt The options to get 2925 * 2926 * Determine whether the subject identified by the credential can 2927 * execute the getsockopt system call on the given socket. 2928 * 2929 * @return Return 0 if access is granted, otherwise an appropriate 2930 * value for errno should be returned. 2931 */ 2932 typedef int mpo_socket_check_getsockopt_t( 2933 kauth_cred_t cred, 2934 socket_t so, 2935 struct label *socklabel, 2936 struct sockopt *sopt 2937 ); 2938 /** 2939 * @brief Access control check for enabling accounting 2940 * @param cred Subject credential 2941 * @param vp Accounting file 2942 * @param vlabel Label associated with vp 2943 * 2944 * Determine whether the subject should be allowed to enable accounting, 2945 * based on its label and the label of the accounting log file. See 2946 * acct(5) for more information. 2947 * 2948 * As accounting is disabled by passing NULL to the acct(2) system call, 2949 * the policy should be prepared for both 'vp' and 'vlabel' to be NULL. 2950 * 2951 * @return Return 0 if access is granted, otherwise an appropriate value for 2952 * errno should be returned. 2953 */ 2954 typedef int mpo_system_check_acct_t( 2955 kauth_cred_t cred, 2956 struct vnode *vp, 2957 struct label *vlabel 2958 ); 2959 /** 2960 * @brief Access control check for audit 2961 * @param cred Subject credential 2962 * @param record Audit record 2963 * @param length Audit record length 2964 * 2965 * Determine whether the subject identified by the credential can submit 2966 * an audit record for inclusion in the audit log via the audit() system call. 
2967 * 2968 * @return Return 0 if access is granted, otherwise an appropriate value for 2969 * errno should be returned. 2970 */ 2971 typedef int mpo_system_check_audit_t( 2972 kauth_cred_t cred, 2973 void *record, 2974 int length 2975 ); 2976 /** 2977 * @brief Access control check for controlling audit 2978 * @param cred Subject credential 2979 * @param vp Audit file 2980 * @param vl Label associated with vp 2981 * 2982 * Determine whether the subject should be allowed to enable auditing using 2983 * the auditctl() system call, based on its label and the label of the proposed 2984 * audit file. 2985 * 2986 * @return Return 0 if access is granted, otherwise an appropriate value for 2987 * errno should be returned. 2988 */ 2989 typedef int mpo_system_check_auditctl_t( 2990 kauth_cred_t cred, 2991 struct vnode *vp, 2992 struct label *vl 2993 ); 2994 /** 2995 * @brief Access control check for manipulating auditing 2996 * @param cred Subject credential 2997 * @param cmd Audit control command 2998 * 2999 * Determine whether the subject identified by the credential can perform 3000 * the audit subsystem control operation cmd via the auditon() system call. 3001 * 3002 * @return Return 0 if access is granted, otherwise an appropriate value for 3003 * errno should be returned. 3004 */ 3005 typedef int mpo_system_check_auditon_t( 3006 kauth_cred_t cred, 3007 int cmd 3008 ); 3009 /** 3010 * @brief Access control check for obtaining the host control port 3011 * @param cred Subject credential 3012 * 3013 * Determine whether the subject identified by the credential can 3014 * obtain the host control port. 3015 * 3016 * @return Return 0 if access is granted, or non-zero otherwise. 
3017 */ 3018 typedef int mpo_system_check_host_priv_t( 3019 kauth_cred_t cred 3020 ); 3021 /** 3022 * @brief Access control check for obtaining system information 3023 * @param cred Subject credential 3024 * @param info_type A description of the information requested 3025 * 3026 * Determine whether the subject identified by the credential should be 3027 * allowed to obtain information about the system. 3028 * 3029 * This is a generic hook that can be used in a variety of situations where 3030 * information is being returned that might be considered sensitive. 3031 * Rather than adding a new MAC hook for every such interface, this hook can 3032 * be called with a string identifying the type of information requested. 3033 * 3034 * @return Return 0 if access is granted, otherwise an appropriate value for 3035 * errno should be returned. 3036 */ 3037 typedef int mpo_system_check_info_t( 3038 kauth_cred_t cred, 3039 const char *info_type 3040 ); 3041 /** 3042 * @brief Access control check for calling NFS services 3043 * @param cred Subject credential 3044 * 3045 * Determine whether the subject identified by the credential should be 3046 * allowed to call nfssrv(2). 3047 * 3048 * @return Return 0 if access is granted, otherwise an appropriate value for 3049 * errno should be returned. 3050 */ 3051 typedef int mpo_system_check_nfsd_t( 3052 kauth_cred_t cred 3053 ); 3054 /** 3055 * @brief Access control check for reboot 3056 * @param cred Subject credential 3057 * @param howto howto parameter from reboot(2) 3058 * 3059 * Determine whether the subject identified by the credential should be 3060 * allowed to reboot the system in the specified manner. 3061 * 3062 * @return Return 0 if access is granted, otherwise an appropriate value for 3063 * errno should be returned. 
3064 */ 3065 typedef int mpo_system_check_reboot_t( 3066 kauth_cred_t cred, 3067 int howto 3068 ); 3069 /** 3070 * @brief Access control check for setting system clock 3071 * @param cred Subject credential 3072 * 3073 * Determine whether the subject identified by the credential should be 3074 * allowed to set the system clock. 3075 * 3076 * @return Return 0 if access is granted, otherwise an appropriate value for 3077 * errno should be returned. 3078 */ 3079 typedef int mpo_system_check_settime_t( 3080 kauth_cred_t cred 3081 ); 3082 /** 3083 * @brief Access control check for removing swap devices 3084 * @param cred Subject credential 3085 * @param vp Swap device 3086 * @param label Label associated with vp 3087 * 3088 * Determine whether the subject identified by the credential should be 3089 * allowed to remove vp as a swap device. 3090 * 3091 * @return Return 0 if access is granted, otherwise an appropriate value for 3092 * errno should be returned. 3093 */ 3094 typedef int mpo_system_check_swapoff_t( 3095 kauth_cred_t cred, 3096 struct vnode *vp, 3097 struct label *label 3098 ); 3099 /** 3100 * @brief Access control check for adding swap devices 3101 * @param cred Subject credential 3102 * @param vp Swap device 3103 * @param label Label associated with vp 3104 * 3105 * Determine whether the subject identified by the credential should be 3106 * allowed to add vp as a swap device. 3107 * 3108 * @return Return 0 if access is granted, otherwise an appropriate value for 3109 * errno should be returned. 3110 */ 3111 typedef int mpo_system_check_swapon_t( 3112 kauth_cred_t cred, 3113 struct vnode *vp, 3114 struct label *label 3115 ); 3116 /** 3117 * @brief Access control check for sysctl 3118 * @param cred Subject credential 3119 * @param namestring String representation of sysctl name. 
3120 * @param name Integer name; see sysctl(3) 3121 * @param namelen Length of name array of integers; see sysctl(3) 3122 * @param old 0 or address where to store old value; see sysctl(3) 3123 * @param oldlen Length of old buffer; see sysctl(3) 3124 * @param newvalue 0 or address of new value; see sysctl(3) 3125 * @param newlen Length of new buffer; see sysctl(3) 3126 * 3127 * Determine whether the subject identified by the credential should be 3128 * allowed to make the specified sysctl(3) transaction. 3129 * 3130 * The sysctl(3) call specifies that if the old value is not desired, 3131 * oldp and oldlenp should be set to NULL. Likewise, if a new value is 3132 * not to be set, newp should be set to NULL and newlen set to 0. 3133 * 3134 * @return Return 0 if access is granted, otherwise an appropriate value for 3135 * errno should be returned. 3136 */ 3137 typedef int mpo_system_check_sysctlbyname_t( 3138 kauth_cred_t cred, 3139 const char *namestring, 3140 int *name, 3141 size_t namelen, 3142 user_addr_t old, /* NULLOK */ 3143 size_t oldlen, 3144 user_addr_t newvalue, /* NULLOK */ 3145 size_t newlen 3146 ); 3147 /** 3148 * @brief Access control check for kas_info 3149 * @param cred Subject credential 3150 * @param selector Category of information to return. See kas_info.h 3151 * 3152 * Determine whether the subject identified by the credential can perform 3153 * introspection of the kernel address space layout for 3154 * debugging/performance analysis. 3155 * 3156 * @return Return 0 if access is granted, otherwise an appropriate value for 3157 * errno should be returned. 
3158 */ 3159 typedef int mpo_system_check_kas_info_t( 3160 kauth_cred_t cred, 3161 int selector 3162 ); 3163 /** 3164 * @brief Create a System V message label 3165 * @param cred Subject credential 3166 * @param msqptr The message queue the message will be placed in 3167 * @param msqlabel The label of the message queue 3168 * @param msgptr The message 3169 * @param msglabel The label of the message 3170 * 3171 * Label the message as it is placed in the message queue. 3172 */ 3173 typedef void mpo_sysvmsg_label_associate_t( 3174 kauth_cred_t cred, 3175 struct msqid_kernel *msqptr, 3176 struct label *msqlabel, 3177 struct msg *msgptr, 3178 struct label *msglabel 3179 ); 3180 /** 3181 * @brief Destroy System V message label 3182 * @param label The label to be destroyed 3183 * 3184 * Destroy a System V message label. Since the object is 3185 * going out of scope, policy modules should free any internal storage 3186 * associated with the label so that it may be destroyed. 3187 */ 3188 typedef void mpo_sysvmsg_label_destroy_t( 3189 struct label *label 3190 ); 3191 /** 3192 * @brief Initialize System V message label 3193 * @param label New label to initialize 3194 * 3195 * Initialize the label for a newly instantiated System V message. 3196 */ 3197 typedef void mpo_sysvmsg_label_init_t( 3198 struct label *label 3199 ); 3200 /** 3201 * @brief Clean up a System V message label 3202 * @param label The label to be cleaned 3203 * 3204 * Clean up a System V message label. Darwin pre-allocates 3205 * messages at system boot time and re-uses them rather than 3206 * allocating new ones. Before messages are returned to the "free 3207 * pool", policies can cleanup or overwrite any information present in 3208 * the label. 
3209 */ 3210 typedef void mpo_sysvmsg_label_recycle_t( 3211 struct label *label 3212 ); 3213 /** 3214 * @brief Access control check for System V message enqueuing 3215 * @param cred Subject credential 3216 * @param msgptr The message 3217 * @param msglabel The message's label 3218 * @param msqptr The message queue 3219 * @param msqlabel The message queue's label 3220 * 3221 * Determine whether the subject identified by the credential can add the 3222 * given message to the given message queue. 3223 * 3224 * @return Return 0 if access is granted, otherwise an appropriate value for 3225 * errno should be returned. 3226 */ 3227 typedef int mpo_sysvmsq_check_enqueue_t( 3228 kauth_cred_t cred, 3229 struct msg *msgptr, 3230 struct label *msglabel, 3231 struct msqid_kernel *msqptr, 3232 struct label *msqlabel 3233 ); 3234 /** 3235 * @brief Access control check for System V message reception 3236 * @param cred The credential of the intended recipient 3237 * @param msgptr The message 3238 * @param msglabel The message's label 3239 * 3240 * Determine whether the subject identified by the credential can receive 3241 * the given message. 3242 * 3243 * @return Return 0 if access is granted, otherwise an appropriate value for 3244 * errno should be returned. 3245 */ 3246 typedef int mpo_sysvmsq_check_msgrcv_t( 3247 kauth_cred_t cred, 3248 struct msg *msgptr, 3249 struct label *msglabel 3250 ); 3251 /** 3252 * @brief Access control check for System V message queue removal 3253 * @param cred The credential of the caller 3254 * @param msgptr The message 3255 * @param msglabel The message's label 3256 * 3257 * System V message queues are removed using the msgctl() system call. 3258 * The system will iterate over each message in the queue, calling this 3259 * function for each, to determine whether the caller has the appropriate 3260 * credentials. 3261 * 3262 * @return Return 0 if access is granted, otherwise an appropriate value for 3263 * errno should be returned. 
3264 */ 3265 typedef int mpo_sysvmsq_check_msgrmid_t( 3266 kauth_cred_t cred, 3267 struct msg *msgptr, 3268 struct label *msglabel 3269 ); 3270 /** 3271 * @brief Access control check for msgctl() 3272 * @param cred The credential of the caller 3273 * @param msqptr The message queue 3274 * @param msqlabel The message queue's label 3275 * 3276 * This access check is performed to validate calls to msgctl(); cmd is the control operation requested, see msgctl(2). 3277 * 3278 * @return Return 0 if access is granted, otherwise an appropriate value for 3279 * errno should be returned. 3280 */ 3281 typedef int mpo_sysvmsq_check_msqctl_t( 3282 kauth_cred_t cred, 3283 struct msqid_kernel *msqptr, 3284 struct label *msqlabel, 3285 int cmd 3286 ); 3287 /** 3288 * @brief Access control check to get a System V message queue 3289 * @param cred The credential of the caller 3290 * @param msqptr The message queue requested 3291 * @param msqlabel The message queue's label 3292 * 3293 * On a call to msgget(), if the queue requested already exists, 3294 * and it is a public queue, this check will be performed before the 3295 * queue's ID is returned to the user. 3296 * 3297 * @return Return 0 if access is granted, otherwise an appropriate value for 3298 * errno should be returned. 3299 */ 3300 typedef int mpo_sysvmsq_check_msqget_t( 3301 kauth_cred_t cred, 3302 struct msqid_kernel *msqptr, 3303 struct label *msqlabel 3304 ); 3305 /** 3306 * @brief Access control check to receive a System V message from the given queue 3307 * @param cred The credential of the caller 3308 * @param msqptr The message queue to receive from 3309 * @param msqlabel The message queue's label 3310 * 3311 * On a call to msgrcv(), this check is performed to determine whether the 3312 * caller has receive rights on the given queue. 3313 * 3314 * @return Return 0 if access is granted, otherwise an appropriate value for 3315 * errno should be returned. 
3316 */ 3317 typedef int mpo_sysvmsq_check_msqrcv_t( 3318 kauth_cred_t cred, 3319 struct msqid_kernel *msqptr, 3320 struct label *msqlabel 3321 ); 3322 /** 3323 * @brief Access control check to send a System V message to the given queue 3324 * @param cred The credential of the caller 3325 * @param msqptr The message queue to send to 3326 * @param msqlabel The message queue's label 3327 * 3328 * On a call to msgsnd(), this check is performed to determine whether the 3329 * caller has send rights on the given queue. 3330 * 3331 * @return Return 0 if access is granted, otherwise an appropriate value for 3332 * errno should be returned. 3333 */ 3334 typedef int mpo_sysvmsq_check_msqsnd_t( 3335 kauth_cred_t cred, 3336 struct msqid_kernel *msqptr, 3337 struct label *msqlabel 3338 ); 3339 /** 3340 * @brief Create a System V message queue label 3341 * @param cred Subject credential 3342 * @param msqptr The message queue 3343 * @param msqlabel The label of the message queue 3344 * 3345 */ 3346 typedef void mpo_sysvmsq_label_associate_t( 3347 kauth_cred_t cred, 3348 struct msqid_kernel *msqptr, 3349 struct label *msqlabel 3350 ); 3351 /** 3352 * @brief Destroy System V message queue label 3353 * @param label The label to be destroyed 3354 * 3355 * Destroy a System V message queue label. Since the object is 3356 * going out of scope, policy modules should free any internal storage 3357 * associated with the label so that it may be destroyed. 3358 */ 3359 typedef void mpo_sysvmsq_label_destroy_t( 3360 struct label *label 3361 ); 3362 /** 3363 * @brief Initialize System V message queue label 3364 * @param label New label to initialize 3365 * 3366 * Initialize the label for a newly instantiated System V message queue. 3367 */ 3368 typedef void mpo_sysvmsq_label_init_t( 3369 struct label *label 3370 ); 3371 /** 3372 * @brief Clean up a System V message queue label 3373 * @param label The label to be destroyed 3374 * 3375 * Clean up a System V message queue label. 
Darwin pre-allocates 3376 * message queues at system boot time and re-uses them rather than 3377 * allocating new ones. Before message queues are returned to the "free 3378 * pool", policies can cleanup or overwrite any information present in 3379 * the label. 3380 */ 3381 typedef void mpo_sysvmsq_label_recycle_t( 3382 struct label *label 3383 ); 3384 /** 3385 * @brief Access control check for System V semaphore control operation 3386 * @param cred Subject credential 3387 * @param semakptr Pointer to semaphore identifier 3388 * @param semaklabel Label associated with semaphore 3389 * @param cmd Control operation to be performed; see semctl(2) 3390 * 3391 * Determine whether the subject identified by the credential can perform 3392 * the operation indicated by cmd on the System V semaphore semakptr. 3393 * 3394 * @return Return 0 if access is granted, otherwise an appropriate value for 3395 * errno should be returned. 3396 */ 3397 typedef int mpo_sysvsem_check_semctl_t( 3398 kauth_cred_t cred, 3399 struct semid_kernel *semakptr, 3400 struct label *semaklabel, 3401 int cmd 3402 ); 3403 /** 3404 * @brief Access control check for obtaining a System V semaphore 3405 * @param cred Subject credential 3406 * @param semakptr Pointer to semaphore identifier 3407 * @param semaklabel Label to associate with the semaphore 3408 * 3409 * Determine whether the subject identified by the credential can 3410 * obtain a System V semaphore. 3411 * 3412 * @return Return 0 if access is granted, otherwise an appropriate value for 3413 * errno should be returned. 
3414 */ 3415 typedef int mpo_sysvsem_check_semget_t( 3416 kauth_cred_t cred, 3417 struct semid_kernel *semakptr, 3418 struct label *semaklabel 3419 ); 3420 /** 3421 * @brief Access control check for System V semaphore operations 3422 * @param cred Subject credential 3423 * @param semakptr Pointer to semaphore identifier 3424 * @param semaklabel Label associated with the semaphore 3425 * @param accesstype Flags to indicate access (read and/or write) 3426 * 3427 * Determine whether the subject identified by the credential can 3428 * perform the operations on the System V semaphore indicated by 3429 * semakptr. The accesstype flags hold the maximum set of permissions 3430 * from the sem_op array passed to the semop system call. It may 3431 * contain SEM_R for read-only operations or SEM_A for read/write 3432 * operations. 3433 * 3434 * @return Return 0 if access is granted, otherwise an appropriate value for 3435 * errno should be returned. 3436 */ 3437 typedef int mpo_sysvsem_check_semop_t( 3438 kauth_cred_t cred, 3439 struct semid_kernel *semakptr, 3440 struct label *semaklabel, 3441 size_t accesstype 3442 ); 3443 /** 3444 * @brief Create a System V semaphore label 3445 * @param cred Subject credential 3446 * @param semakptr The semaphore being created 3447 * @param semalabel Label to associate with the new semaphore 3448 * 3449 * Label a new System V semaphore. The label was previously 3450 * initialized and associated with the semaphore. At this time, an 3451 * appropriate initial label value should be assigned to the object and 3452 * stored in semalabel. 3453 */ 3454 typedef void mpo_sysvsem_label_associate_t( 3455 kauth_cred_t cred, 3456 struct semid_kernel *semakptr, 3457 struct label *semalabel 3458 ); 3459 /** 3460 * @brief Destroy System V semaphore label 3461 * @param label The label to be destroyed 3462 * 3463 * Destroy a System V semaphore label. 
Since the object is 3464 * going out of scope, policy modules should free any internal storage 3465 * associated with the label so that it may be destroyed. 3466 */ 3467 typedef void mpo_sysvsem_label_destroy_t( 3468 struct label *label 3469 ); 3470 /** 3471 * @brief Initialize System V semaphore label 3472 * @param label New label to initialize 3473 * 3474 * Initialize the label for a newly instantiated System V semaphore. Sleeping 3475 * is permitted. 3476 */ 3477 typedef void mpo_sysvsem_label_init_t( 3478 struct label *label 3479 ); 3480 /** 3481 * @brief Clean up a System V semaphore label 3482 * @param label The label to be cleaned 3483 * 3484 * Clean up a System V semaphore label. Darwin pre-allocates 3485 * semaphores at system boot time and re-uses them rather than 3486 * allocating new ones. Before semaphores are returned to the "free 3487 * pool", policies can cleanup or overwrite any information present in 3488 * the label. 3489 */ 3490 typedef void mpo_sysvsem_label_recycle_t( 3491 struct label *label 3492 ); 3493 /** 3494 * @brief Access control check for mapping System V shared memory 3495 * @param cred Subject credential 3496 * @param shmsegptr Pointer to shared memory segment identifier 3497 * @param shmseglabel Label associated with the shared memory segment 3498 * @param shmflg shmat flags; see shmat(2) 3499 * 3500 * Determine whether the subject identified by the credential can map 3501 * the System V shared memory segment associated with shmsegptr. 3502 * 3503 * @return Return 0 if access is granted, otherwise an appropriate value for 3504 * errno should be returned. 
3505 */ 3506 typedef int mpo_sysvshm_check_shmat_t( 3507 kauth_cred_t cred, 3508 struct shmid_kernel *shmsegptr, 3509 struct label *shmseglabel, 3510 int shmflg 3511 ); 3512 /** 3513 * @brief Access control check for System V shared memory control operation 3514 * @param cred Subject credential 3515 * @param shmsegptr Pointer to shared memory segment identifier 3516 * @param shmseglabel Label associated with the shared memory segment 3517 * @param cmd Control operation to be performed; see shmctl(2) 3518 * 3519 * Determine whether the subject identified by the credential can perform 3520 * the operation indicated by cmd on the System V shared memory segment 3521 * shmsegptr. 3522 * 3523 * @return Return 0 if access is granted, otherwise an appropriate value for 3524 * errno should be returned. 3525 */ 3526 typedef int mpo_sysvshm_check_shmctl_t( 3527 kauth_cred_t cred, 3528 struct shmid_kernel *shmsegptr, 3529 struct label *shmseglabel, 3530 int cmd 3531 ); 3532 /** 3533 * @brief Access control check for unmapping System V shared memory 3534 * @param cred Subject credential 3535 * @param shmsegptr Pointer to shared memory segment identifier 3536 * @param shmseglabel Label associated with the shared memory segment 3537 * 3538 * Determine whether the subject identified by the credential can unmap 3539 * the System V shared memory segment associated with shmsegptr. 3540 * 3541 * @return Return 0 if access is granted, otherwise an appropriate value for 3542 * errno should be returned. 
3543 */ 3544 typedef int mpo_sysvshm_check_shmdt_t( 3545 kauth_cred_t cred, 3546 struct shmid_kernel *shmsegptr, 3547 struct label *shmseglabel 3548 ); 3549 /** 3550 * @brief Access control check for obtaining a System V shared memory identifier 3551 * @param cred Subject credential 3552 * @param shmsegptr Pointer to shared memory segment identifier 3553 * @param shmseglabel Label associated with the shared memory segment 3554 * @param shmflg shmget flags; see shmget(2) 3555 * 3556 * Determine whether the subject identified by the credential can get 3557 * the System V shared memory segment address. 3558 * 3559 * @return Return 0 if access is granted, otherwise an appropriate value for 3560 * errno should be returned. 3561 */ 3562 typedef int mpo_sysvshm_check_shmget_t( 3563 kauth_cred_t cred, 3564 struct shmid_kernel *shmsegptr, 3565 struct label *shmseglabel, 3566 int shmflg 3567 ); 3568 /** 3569 * @brief Create a System V shared memory region label 3570 * @param cred Subject credential 3571 * @param shmsegptr The shared memory region being created 3572 * @param shmlabel Label to associate with the new shared memory region 3573 * 3574 * Label a new System V shared memory region. The label was previously 3575 * initialized and associated with the shared memory region. At this 3576 * time, an appropriate initial label value should be assigned to the 3577 * object and stored in shmlabel. 3578 */ 3579 typedef void mpo_sysvshm_label_associate_t( 3580 kauth_cred_t cred, 3581 struct shmid_kernel *shmsegptr, 3582 struct label *shmlabel 3583 ); 3584 /** 3585 * @brief Destroy System V shared memory label 3586 * @param label The label to be destroyed 3587 * 3588 * Destroy a System V shared memory region label. Since the 3589 * object is going out of scope, policy modules should free any 3590 * internal storage associated with the label so that it may be 3591 * destroyed. 
3592 */ 3593 typedef void mpo_sysvshm_label_destroy_t( 3594 struct label *label 3595 ); 3596 /** 3597 * @brief Initialize System V Shared Memory region label 3598 * @param label New label to initialize 3599 * 3600 * Initialize the label for a newly instantiated System V Shared Memory 3601 * region. Sleeping is permitted. 3602 */ 3603 typedef void mpo_sysvshm_label_init_t( 3604 struct label *label 3605 ); 3606 /** 3607 * @brief Clean up a System V Shared Memory Region label 3608 * @param shmlabel The label to be cleaned 3609 * 3610 * Clean up a System V Shared Memory Region label. Darwin 3611 * pre-allocates these objects at system boot time and re-uses them 3612 * rather than allocating new ones. Before the memory regions are 3613 * returned to the "free pool", policies can cleanup or overwrite any 3614 * information present in the label. 3615 */ 3616 typedef void mpo_sysvshm_label_recycle_t( 3617 struct label *shmlabel 3618 ); 3619 /** 3620 * @brief Access control check for getting a process's task name 3621 * @param cred Subject credential 3622 * @param pident Object unique process identifier 3623 * 3624 * Determine whether the subject identified by the credential can get 3625 * the passed process's task name port. 3626 * This call is used by the task_name_for_pid(2) API. 3627 * 3628 * @return Return 0 if access is granted, otherwise an appropriate value for 3629 * errno should be returned. Suggested failure: EACCES for label mismatch, 3630 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3631 */ 3632 typedef int mpo_proc_check_get_task_name_t( 3633 kauth_cred_t cred, 3634 struct proc_ident *pident 3635 ); 3636 /** 3637 * @brief Access control check for getting a process's task port 3638 * @param cred Subject credential 3639 * @param pident Object unique process identifier 3640 * 3641 * Determine whether the subject identified by the credential can get 3642 * the passed process's task control port. 
3643 * This call is used by the task_for_pid(2) API. 3644 * 3645 * @return Return 0 if access is granted, otherwise an appropriate value for 3646 * errno should be returned. Suggested failure: EACCES for label mismatch, 3647 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3648 */ 3649 typedef int mpo_proc_check_get_task_t( 3650 kauth_cred_t cred, 3651 struct proc_ident *pident 3652 ); 3653 3654 /** 3655 * @brief Access control check for getting a process's task ports of different flavors 3656 * @param cred Subject credential 3657 * @param pident Object unique process identifier 3658 * @param flavor Requested task port flavor 3659 * 3660 * Determine whether the subject identified by the credential can get 3661 * the passed process's task port of given flavor. 3662 * This call is used by the task_{,read,inspect,name}_for_pid(2) API. 3663 * 3664 * @return Return 0 if access is granted, otherwise an appropriate value for 3665 * errno should be returned. Suggested failure: EACCES for label mismatch, 3666 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3667 */ 3668 typedef int mpo_proc_check_get_task_with_flavor_t( 3669 kauth_cred_t cred, 3670 struct proc_ident *pident, 3671 mach_task_flavor_t flavor 3672 ); 3673 3674 /** 3675 * @brief Access control check for exposing a process's task port 3676 * @param cred Subject credential 3677 * @param pident Object unique process identifier 3678 * 3679 * Determine whether the subject identified by the credential can expose 3680 * the passed process's task control port. 3681 * This call is used by the accessor APIs like processor_set_tasks() and 3682 * processor_set_threads(). 3683 * 3684 * @return Return 0 if access is granted, otherwise an appropriate value for 3685 * errno should be returned. Suggested failure: EACCES for label mismatch, 3686 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 
3687 */ 3688 typedef int mpo_proc_check_expose_task_t( 3689 kauth_cred_t cred, 3690 struct proc_ident *pident 3691 ); 3692 3693 /** 3694 * @brief Access control check for exposing a process's task ports of different flavors 3695 * @param cred Subject credential 3696 * @param pident Object unique process identifier 3697 * @param flavor Requested task port flavor 3698 * 3699 * Determine whether the subject identified by the credential can expose 3700 * the passed process's task port of given flavor. 3701 * This call is used by the accessor APIs like processor_set_tasks() and 3702 * processor_set_threads(). 3703 * 3704 * @return Return 0 if access is granted, otherwise an appropriate value for 3705 * errno should be returned. Suggested failure: EACCES for label mismatch, 3706 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3707 */ 3708 typedef int mpo_proc_check_expose_task_with_flavor_t( 3709 kauth_cred_t cred, 3710 struct proc_ident *pident, 3711 mach_task_flavor_t flavor 3712 ); 3713 3714 /** 3715 * @brief Access control check for upgrading to task port with a task identity token 3716 * @param cred Subject credential 3717 * @param pident Object unique process identifier, NULL if token represents a corpse task 3718 * @param flavor Requested task port flavor 3719 * 3720 * Determine whether the subject identified by the credential can upgrade to task port 3721 * of given flavor with a task identity token of the passed process. 3722 * This call is used by task_identity_token_get_task_port(). 3723 * 3724 * @return Return 0 if access is granted, otherwise an appropriate value for 3725 * errno should be returned. Suggested failure: EACCES for label mismatch, 3726 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 
3727 */ 3728 typedef int mpo_proc_check_task_id_token_get_task_t( 3729 kauth_cred_t cred, 3730 struct proc_ident *pident, /* Nullable */ 3731 mach_task_flavor_t flavor 3732 ); 3733 3734 /** 3735 * @brief Check whether task's IPC may inherit across process exec 3736 * @param p current process instance 3737 * @param cur_vp vnode pointer to current instance 3738 * @param cur_offset offset of binary of currently executing image 3739 * @param img_vp vnode pointer to the image to be exec'ed 3740 * @param img_offset offset into file which is selected for execution 3741 * @param scriptvp vnode pointer of script file if any. 3742 * @return Return 0 if access is granted. 3743 * EPERM if parent does not have any entitlements. 3744 * EACCES if the entitlements mismatch 3745 */ 3746 typedef int mpo_proc_check_inherit_ipc_ports_t( 3747 struct proc *p, 3748 struct vnode *cur_vp, 3749 off_t cur_offset, 3750 struct vnode *img_vp, 3751 off_t img_offset, 3752 struct vnode *scriptvp 3753 ); 3754 3755 /** 3756 * @brief Privilege check for a process to run invalid 3757 * @param p Object process 3758 * 3759 * Determine whether the process may execute even though the system determined 3760 * that it is untrusted (eg unidentified / modified code). 3761 * 3762 * @return Return 0 if access is granted, otherwise an appropriate value for 3763 * errno should be returned. 3764 */ 3765 typedef int mpo_proc_check_run_cs_invalid_t( 3766 struct proc *p 3767 ); 3768 3769 /** 3770 * @brief Notification a process was invalidated 3771 * @param p Object process 3772 * 3773 * Notifies that the CS_VALID bit was removed from a process' csflags. This 3774 * either indicates that a validly code-signed process has encountered an 3775 * invalidly code-signed page for the first time, or that it was explicitly 3776 * marked invalid via a csops(CS_OPS_MARKINVALID) syscall. 
3777 * 3778 * @warning This hook can be called from the page fault handler; it should not 3779 * perform any operations that may result in paging, and stack space is extremely 3780 * limited. Furthermore, the hook is called with proc lock held, and if called 3781 * from the fault handler, with vm object lock held. Consumers reacting to this 3782 * hook being called are expected to defer processing to a userret, possibly 3783 * after suspending the task. 3784 */ 3785 typedef void mpo_proc_notify_cs_invalidated_t( 3786 struct proc *p 3787 ); 3788 3789 /** 3790 * @brief Notification a process is finished with exec and will jump to userspace 3791 * @param p Object process 3792 * 3793 * Notifies all MAC policies that a process has completed an exec and is about to 3794 * jump to userspace to continue execution. This may result in process termination 3795 * via signals. Hook is designed to hold no/minimal locks so it can be used for any 3796 * necessary upcalls. 3797 */ 3798 typedef void mpo_proc_notify_exec_complete_t( 3799 struct proc *p 3800 ); 3801 3802 /** 3803 * @brief Access control check for setting user ID 3804 * @param cred Subject credential 3805 * @param uid Requested user ID 3806 * 3807 * Determine whether the subject identified by the credential can set the 3808 * real and effective user ID and the saved set-user-ID of the current 3809 * process, using the setuid() system call. 3810 * 3811 * @return Return 0 if access is granted, otherwise an appropriate value for 3812 * errno should be returned. 3813 */ 3814 typedef int mpo_proc_check_setuid_t( 3815 kauth_cred_t cred, 3816 uid_t uid 3817 ); 3818 3819 /** 3820 * @brief Access control check for setting effective user ID 3821 * @param cred Subject credential 3822 * @param euid Requested effective user ID 3823 * 3824 * Determine whether the subject identified by the credential can set the 3825 * effective user ID of the current process, using the seteuid() system call. 
3826 * 3827 * @return Return 0 if access is granted, otherwise an appropriate value for 3828 * errno should be returned. 3829 */ 3830 typedef int mpo_proc_check_seteuid_t( 3831 kauth_cred_t cred, 3832 uid_t euid 3833 ); 3834 3835 /** 3836 * @brief Access control check for setting real and effective user ID 3837 * @param cred Subject credential 3838 * @param ruid Requested real user ID 3839 * @param euid Requested effective user ID 3840 * 3841 * Determine whether the subject identified by the credential can set the 3842 * real and effective user ID of the current process, using the setreuid() 3843 * system call. 3844 * 3845 * @return Return 0 if access is granted, otherwise an appropriate value for 3846 * errno should be returned. 3847 */ 3848 typedef int mpo_proc_check_setreuid_t( 3849 kauth_cred_t cred, 3850 uid_t ruid, 3851 uid_t euid 3852 ); 3853 3854 /** 3855 * @brief Access control check for setting group ID 3856 * @param cred Subject credential 3857 * @param gid Requested group ID 3858 * 3859 * Determine whether the subject identified by the credential can set the 3860 * real and effective group IDs and the saved set-group-ID of the current 3861 * process, using the setgid() system call. 3862 * 3863 * @return Return 0 if access is granted, otherwise an appropriate value for 3864 * errno should be returned. 3865 */ 3866 typedef int mpo_proc_check_setgid_t( 3867 kauth_cred_t cred, 3868 gid_t gid 3869 ); 3870 3871 /** 3872 * @brief Access control check for setting effective group ID 3873 * @param cred Subject credential 3874 * @param egid Requested effective group ID 3875 * 3876 * Determine whether the subject identified by the credential can set the 3877 * effective group ID of the current process, using the setegid() system call. 3878 * 3879 * @return Return 0 if access is granted, otherwise an appropriate value for 3880 * errno should be returned. 
3881 */ 3882 typedef int mpo_proc_check_setegid_t( 3883 kauth_cred_t cred, 3884 gid_t egid 3885 ); 3886 3887 /** 3888 * @brief Access control check for setting real and effective group ID 3889 * @param cred Subject credential 3890 * @param rgid Requested real group ID or KAUTH_UID_NONE for none 3891 * @param egid Requested effective group ID or KAUTH_GID_NONE for none 3892 * 3893 * Determine whether the subject identified by the credential can set the 3894 * real and effective group ID of the current process, using the setregid() 3895 * system call. 3896 * 3897 * @return Return 0 if access is granted, otherwise an appropriate value for 3898 * errno should be returned. 3899 */ 3900 typedef int mpo_proc_check_setregid_t( 3901 kauth_cred_t cred, 3902 gid_t rgid, 3903 gid_t egid 3904 ); 3905 3906 /** 3907 * @brief Access control check for setting thread assumed identity 3908 * @param pcred Subject process credential 3909 * @param tcred Subject thread credential 3910 * @param uid Requested user ID or KAUTH_UID_NONE for none 3911 * @param gid Requested group ID or KAUTH_GID_NONE for none 3912 * 3913 * Determine whether the subject identified by the credential can set the 3914 * user and group ID of the current thread, using the settid() or 3915 * settid_with_pid() system call. 3916 * 3917 * @return Return 0 if access is granted, otherwise an appropriate value for 3918 * errno should be returned. 3919 */ 3920 typedef int mpo_proc_check_settid_t( 3921 kauth_cred_t pcred, 3922 kauth_cred_t tcred, 3923 uid_t uid, 3924 gid_t gid 3925 ); 3926 3927 /** 3928 * @brief Perform MAC-related analysis of telemetry data. 3929 * @param thread The Mach thread that was sampled. * @param err Non-zero if the scheduled telemetry collection failed, 0 otherwise * @param data The collected telemetry data * @param length Length of data 3930 * 3931 * Notifies MAC policies that telemetry data was just collected from a 3932 * process's user thread and that it is ready to be analyzed. The analysis is 3933 * performed shortly before a thread is about to return to userspace via a 3934 * syscall or mach trap. 
3935 * 3936 * Note that sometimes the scheduled telemetry can fail. In the case of 3937 * failure, the function will be called with a non-zero `err` value, in which 3938 * case it is expected that the client will cleanup any necessary state 3939 * recorded back when the telemetry was first scheduled. 3940 */ 3941 typedef void mpo_thread_telemetry_t( 3942 struct thread *thread, 3943 int err, 3944 const void *data, 3945 size_t length 3946 ); 3947 3948 /** 3949 * @brief Perform MAC-related events when a thread returns to user space 3950 * @param thread Mach (not BSD) thread that is returning 3951 * 3952 * This entry point permits policy modules to perform MAC-related 3953 * events when a thread returns to user space, via a system call 3954 * return or trap return. 3955 */ 3956 typedef void mpo_thread_userret_t( 3957 struct thread *thread 3958 ); 3959 3960 /** 3961 * @brief Check vnode access 3962 * @param cred Subject credential 3963 * @param vp Object vnode 3964 * @param label Label for vp 3965 * @param acc_mode access(2) flags 3966 * 3967 * Determine how invocations of access(2) and related calls by the 3968 * subject identified by the credential should return when performed 3969 * on the passed vnode using the passed access flags. This should 3970 * generally be implemented using the same semantics used in 3971 * mpo_vnode_check_open. 3972 * 3973 * @return Return 0 if access is granted, otherwise an appropriate value for 3974 * errno should be returned. Suggested failure: EACCES for label mismatch or 3975 * EPERM for lack of privilege. 
3976 */ 3977 typedef int mpo_vnode_check_access_t( 3978 kauth_cred_t cred, 3979 struct vnode *vp, 3980 struct label *label, 3981 int acc_mode 3982 ); 3983 /** 3984 * @brief Access control check for changing working directory 3985 * @param cred Subject credential 3986 * @param dvp Object; vnode to chdir(2) into 3987 * @param dlabel Policy label for dvp 3988 * 3989 * Determine whether the subject identified by the credential can change 3990 * the process working directory to the passed vnode. 3991 * 3992 * @return Return 0 if access is granted, otherwise an appropriate value for 3993 * errno should be returned. Suggested failure: EACCES for label mismatch or 3994 * EPERM for lack of privilege. 3995 */ 3996 typedef int mpo_vnode_check_chdir_t( 3997 kauth_cred_t cred, 3998 struct vnode *dvp, 3999 struct label *dlabel 4000 ); 4001 /** 4002 * @brief Access control check for changing root directory 4003 * @param cred Subject credential 4004 * @param dvp Directory vnode 4005 * @param dlabel Policy label associated with dvp 4006 * @param cnp Component name for dvp 4007 * 4008 * Determine whether the subject identified by the credential should be 4009 * allowed to chroot(2) into the specified directory (dvp). 4010 * 4011 * @return In the event of an error, an appropriate value for errno 4012 * should be returned, otherwise return 0 upon success. 
4013 */ 4014 typedef int mpo_vnode_check_chroot_t( 4015 kauth_cred_t cred, 4016 struct vnode *dvp, 4017 struct label *dlabel, 4018 struct componentname *cnp 4019 ); 4020 /** 4021 * @brief Access control check for creating clone 4022 * @param cred Subject credential 4023 * @param dvp Vnode of directory to create the clone in 4024 * @param dlabel Policy label associated with dvp 4025 * @param vp Vnode of the file to clone from 4026 * @param label Policy label associated with vp 4027 * @param cnp Component name for the clone being created 4028 * 4029 * Determine whether the subject identified by the credential should be 4030 * allowed to create a clone of the vnode vp with the name specified by cnp. 4031 * 4032 * @return Return 0 if access is granted, otherwise an appropriate value for 4033 * errno should be returned. 4034 */ 4035 typedef int mpo_vnode_check_clone_t( 4036 kauth_cred_t cred, 4037 struct vnode *dvp, 4038 struct label *dlabel, 4039 struct vnode *vp, 4040 struct label *label, 4041 struct componentname *cnp 4042 ); 4043 /** 4044 * @brief Access control check for creating vnode 4045 * @param cred Subject credential 4046 * @param dvp Directory vnode 4047 * @param dlabel Policy label for dvp 4048 * @param cnp Component name for dvp 4049 * @param vap Vnode attributes for the vnode being created 4050 * 4051 * Determine whether the subject identified by the credential can create 4052 * a vnode with the passed parent directory, passed name information, 4053 * and passed attribute information. This call may be made in a number of 4054 * situations, including as a result of calls to open(2) with O_CREAT, 4055 * mknod(2), mkfifo(2), and others. 4056 * 4057 * @return Return 0 if access is granted, otherwise an appropriate value for 4058 * errno should be returned. Suggested failure: EACCES for label mismatch or 4059 * EPERM for lack of privilege. 
4060 */ 4061 typedef int mpo_vnode_check_create_t( 4062 kauth_cred_t cred, 4063 struct vnode *dvp, 4064 struct label *dlabel, 4065 struct componentname *cnp, 4066 struct vnode_attr *vap 4067 ); 4068 /** 4069 * @brief Access control check for deleting extended attribute 4070 * @param cred Subject credential 4071 * @param vp Object vnode 4072 * @param vlabel Label associated with vp 4073 * @param name Extended attribute name 4074 * 4075 * Determine whether the subject identified by the credential can delete 4076 * the extended attribute from the passed vnode. 4077 * 4078 * @return Return 0 if access is granted, otherwise an appropriate value for 4079 * errno should be returned. Suggested failure: EACCES for label mismatch or 4080 * EPERM for lack of privilege. 4081 */ 4082 typedef int mpo_vnode_check_deleteextattr_t( 4083 kauth_cred_t cred, 4084 struct vnode *vp, 4085 struct label *vlabel, 4086 const char *name 4087 ); 4088 /** 4089 * @brief Access control check for exchanging file data 4090 * @param cred Subject credential 4091 * @param v1 vnode 1 to swap 4092 * @param vl1 Policy label for v1 4093 * @param v2 vnode 2 to swap 4094 * @param vl2 Policy label for v2 4095 * 4096 * Determine whether the subject identified by the credential can swap the data 4097 * in the two supplied vnodes. 4098 * 4099 * @return Return 0 if access is granted, otherwise an appropriate value for 4100 * errno should be returned. Suggested failure: EACCES for label mismatch or 4101 * EPERM for lack of privilege. 4102 */ 4103 typedef int mpo_vnode_check_exchangedata_t( 4104 kauth_cred_t cred, 4105 struct vnode *v1, 4106 struct label *vl1, 4107 struct vnode *v2, 4108 struct label *vl2 4109 ); 4110 /** 4111 * @brief Access control check for executing the vnode 4112 * @param cred Subject credential 4113 * @param vp Object vnode to execute 4114 * @param scriptvp Script being executed by interpreter, if any. 
4115 * @param vnodelabel Label corresponding to vp 4116 * @param scriptlabel Script vnode label 4117 * @param execlabel Userspace provided execution label 4118 * @param cnp Component name for file being executed * @param csflags Pointer to the code signing flags for the image being executed 4119 * @param macpolicyattr MAC policy-specific spawn attribute data. 4120 * @param macpolicyattrlen Length of policy-specific spawn attribute data. 4121 * 4122 * Determine whether the subject identified by the credential can execute 4123 * the passed vnode. Determination of execute privilege is made separately 4124 * from decisions about any process label transitioning event. 4125 * 4126 * The final label, execlabel, corresponds to a label supplied by a 4127 * user space application through the use of the mac_execve system call. 4128 * This label will be NULL if the user application uses the vendor 4129 * execve(2) call instead of the MAC Framework mac_execve() call. 4130 * 4131 * @return Return 0 if access is granted, otherwise an appropriate value for 4132 * errno should be returned. Suggested failure: EACCES for label mismatch or 4133 * EPERM for lack of privilege. 4134 */ 4135 typedef int mpo_vnode_check_exec_t( 4136 kauth_cred_t cred, 4137 struct vnode *vp, 4138 struct vnode *scriptvp, 4139 struct label *vnodelabel, 4140 struct label *scriptlabel, 4141 struct label *execlabel, /* NULLOK */ 4142 struct componentname *cnp, 4143 u_int *csflags, 4144 void *macpolicyattr, 4145 size_t macpolicyattrlen 4146 ); 4147 /** 4148 * @brief Access control check for fsgetpath 4149 * @param cred Subject credential 4150 * @param vp Vnode for which a path will be returned 4151 * @param label Label associated with the vnode 4152 * 4153 * Determine whether the subject identified by the credential can get the path 4154 * of the given vnode with fsgetpath. 4155 * 4156 * @return Return 0 if access is granted, otherwise an appropriate value for 4157 * errno should be returned. 
4158 */ 4159 typedef int mpo_vnode_check_fsgetpath_t( 4160 kauth_cred_t cred, 4161 struct vnode *vp, 4162 struct label *label 4163 ); 4164 /** 4165 * @brief Access control check for retrieving file attributes 4166 * @param active_cred Subject credential 4167 * @param file_cred Credential associated with the struct fileproc 4168 * @param vp Object vnode 4169 * @param vlabel Policy label for vp 4170 * @param va Vnode attributes to retrieve 4171 * 4172 * Determine whether the subject identified by the credential can 4173 * get information about the passed vnode. active_cred holds 4174 * the credentials of the subject performing the operation, and 4175 * file_cred holds the credentials of the subject that originally 4176 * opened the file. This check happens during stat(), lstat(), 4177 * fstat(), and getattrlist() syscalls. See <sys/vnode.h> for 4178 * definitions of the attributes. 4179 * 4180 * @return Return 0 if access is granted, otherwise an appropriate value for 4181 * errno should be returned. 4182 * 4183 * @note Policies may change the contents of va to alter the list of 4184 * file attributes returned. 4185 */ 4186 typedef int mpo_vnode_check_getattr_t( 4187 kauth_cred_t active_cred, 4188 kauth_cred_t file_cred, /* NULLOK */ 4189 struct vnode *vp, 4190 struct label *vlabel, 4191 struct vnode_attr *va 4192 ); 4193 /** 4194 * @brief Access control check for retrieving file attributes via getattrlist 4195 * @param cred Subject credential 4196 * @param vp Object vnode 4197 * @param vlabel Policy label for vp 4198 * @param alist List of attributes to retrieve 4199 * @param options Option flags for alist 4200 * 4201 * Determine whether the subject identified by the credential can read 4202 * various attributes of the specified vnode, or the filesystem or volume on 4203 * which that vnode resides. See <sys/attr.h> for definitions of the 4204 * attributes and flags. 
4205 * 4206 * @return Return 0 if access is granted, otherwise an appropriate value for 4207 * errno should be returned. Suggested failure: EACCES for label mismatch or 4208 * EPERM for lack of privilege. Access control covers all attributes requested 4209 * with this call; the security policy is not permitted to change the set of 4210 * attributes requested. 4211 */ 4212 typedef int mpo_vnode_check_getattrlist_t( 4213 kauth_cred_t cred, 4214 struct vnode *vp, 4215 struct label *vlabel, 4216 struct attrlist *alist, 4217 uint64_t options 4218 ); 4219 /** 4220 * @brief Access control check for retrieving file attributes for multiple directory entries 4221 * @param cred Subject credential 4222 * @param dvp Directory vnode 4223 * @param alist List of attributes to retrieve 4224 * @param options Option flags for alist 4225 * 4226 * Determine whether the subject identified by the credential can read 4227 * various attributes of the specified vnode, or the filesystem or volume on 4228 * which that vnode resides. See <sys/attr.h> for definitions of the 4229 * attributes and flags. 4230 * 4231 * @return Return 0 if access is granted, otherwise an appropriate value for 4232 * errno should be returned. Suggested failure: EACCES for label mismatch or 4233 * EPERM for lack of privilege. Access control covers all attributes requested 4234 * with this call; the security policy is not permitted to change the set of 4235 * attributes requested. 
4236 */ 4237 typedef int mpo_vnode_check_getattrlistbulk_t( 4238 kauth_cred_t cred, 4239 struct vnode *dvp, 4240 struct attrlist *alist, 4241 uint64_t options 4242 ); 4243 /** 4244 * @brief Access control check for retrieving an extended attribute 4245 * @param cred Subject credential 4246 * @param vp Object vnode 4247 * @param label Policy label for vp 4248 * @param name Extended attribute name 4249 * @param uio I/O structure pointer 4250 * 4251 * Determine whether the subject identified by the credential can retrieve 4252 * the extended attribute from the passed vnode. The uio parameter 4253 * will be NULL when the getxattr(2) call has been made with a NULL data 4254 * value; this is done to request the size of the data only. 4255 * 4256 * @return Return 0 if access is granted, otherwise an appropriate value for 4257 * errno should be returned. Suggested failure: EACCES for label mismatch or 4258 * EPERM for lack of privilege. 4259 */ 4260 typedef int mpo_vnode_check_getextattr_t( 4261 kauth_cred_t cred, 4262 struct vnode *vp, 4263 struct label *label, /* NULLOK */ 4264 const char *name, 4265 struct uio *uio /* NULLOK */ 4266 ); 4267 /** 4268 * @brief Access control check for ioctl 4269 * @param cred Subject credential 4270 * @param vp Object vnode 4271 * @param label Policy label for vp 4272 * @param cmd Device-dependent request code; see ioctl(2) 4273 * 4274 * Determine whether the subject identified by the credential can perform 4275 * the ioctl operation indicated by cmd. 4276 * 4277 * @warning Since ioctl data is opaque from the standpoint of the MAC 4278 * framework, and since ioctls can affect many aspects of system 4279 * operation, policies must exercise extreme care when implementing 4280 * access control checks. 4281 * 4282 * @return Return 0 if access is granted, otherwise an appropriate value for 4283 * errno should be returned. 
4284 */ 4285 typedef int mpo_vnode_check_ioctl_t( 4286 kauth_cred_t cred, 4287 struct vnode *vp, 4288 struct label *label, 4289 unsigned long cmd 4290 ); 4291 /** 4292 * @brief Access control check for vnode kqfilter 4293 * @param active_cred Subject credential * @param file_cred Credential associated with the struct fileproc 4294 * @param kn Object knote 4295 * @param vp Object vnode 4296 * @param label Policy label for vp 4297 * 4298 * Determine whether the subject identified by the credential can 4299 * receive the knote on the passed vnode. 4300 * 4301 * @return Return 0 if access is granted, otherwise an appropriate 4302 * value for errno should be returned. 4303 */ 4304 typedef int mpo_vnode_check_kqfilter_t( 4305 kauth_cred_t active_cred, 4306 kauth_cred_t file_cred, /* NULLOK */ 4307 struct knote *kn, 4308 struct vnode *vp, 4309 struct label *label 4310 ); 4311 /** 4312 * @brief Access control check for relabel 4313 * @param cred Subject credential 4314 * @param vp Object vnode 4315 * @param vnodelabel Existing policy label for vp 4316 * @param newlabel Policy label update to later be applied to vp 4317 * @see mpo_vnode_label_update_t 4318 * 4319 * Determine whether the subject identified by the credential can relabel 4320 * the passed vnode to the passed label update. If all policies permit 4321 * the label change, the actual relabel entry point (mpo_vnode_label_update) 4322 * will follow. 4323 * 4324 * @return Return 0 if access is granted, otherwise an appropriate value for 4325 * errno should be returned. 
4326 */ 4327 typedef int mpo_vnode_check_label_update_t( 4328 struct ucred *cred, 4329 struct vnode *vp, 4330 struct label *vnodelabel, 4331 struct label *newlabel 4332 ); 4333 /** 4334 * @brief Access control check for creating link 4335 * @param cred Subject credential 4336 * @param dvp Directory vnode 4337 * @param dlabel Policy label associated with dvp 4338 * @param vp Link destination vnode 4339 * @param label Policy label associated with vp 4340 * @param cnp Component name for the link being created 4341 * 4342 * Determine whether the subject identified by the credential should be 4343 * allowed to create a link to the vnode vp with the name specified by cnp. 4344 * 4345 * @return Return 0 if access is granted, otherwise an appropriate value for 4346 * errno should be returned. 4347 */ 4348 typedef int mpo_vnode_check_link_t( 4349 kauth_cred_t cred, 4350 struct vnode *dvp, 4351 struct label *dlabel, 4352 struct vnode *vp, 4353 struct label *label, 4354 struct componentname *cnp 4355 ); 4356 /** 4357 * @brief Access control check for listing extended attributes 4358 * @param cred Subject credential 4359 * @param vp Object vnode 4360 * @param vlabel Policy label associated with vp 4361 * 4362 * Determine whether the subject identified by the credential can retrieve 4363 * a list of named extended attributes from a vnode. 4364 * 4365 * @return Return 0 if access is granted, otherwise an appropriate value for 4366 * errno should be returned. 
4367 */ 4368 typedef int mpo_vnode_check_listextattr_t( 4369 kauth_cred_t cred, 4370 struct vnode *vp, 4371 struct label *vlabel 4372 ); 4373 /** 4374 * @brief Access control check for lookup preflight 4375 * @param cred Subject credential 4376 * @param dvp Directory vnode 4377 * @param dlabel Policy label for dvp 4378 * @param path Path being looked up 4379 * @param pathlen Length of path in bytes 4380 * 4381 * Determine whether the subject identified by the credential can perform 4382 * a lookup of the passed path relative to the passed directory vnode. 4383 * 4384 * @return Return 0 if access is granted, otherwise an appropriate value for 4385 * errno should be returned. Suggested failure: EACCES for label mismatch or 4386 * EPERM for lack of privilege. 4387 * 4388 * @note The path may contain untrusted input. If approved, lookup proceeds 4389 * on the path; if a component is found to be a symlink then this hook is 4390 * called again with the updated path. 4391 */ 4392 typedef int mpo_vnode_check_lookup_preflight_t( 4393 kauth_cred_t cred, 4394 struct vnode *dvp, 4395 struct label *dlabel, 4396 const char *path, 4397 size_t pathlen 4398 ); 4399 /** 4400 * @brief Access control check for lookup 4401 * @param cred Subject credential 4402 * @param dvp Object vnode 4403 * @param dlabel Policy label for dvp 4404 * @param cnp Component name being looked up 4405 * 4406 * Determine whether the subject identified by the credential can perform 4407 * a lookup in the passed directory vnode for the passed name (cnp). 4408 * 4409 * @return Return 0 if access is granted, otherwise an appropriate value for 4410 * errno should be returned. Suggested failure: EACCES for label mismatch or 4411 * EPERM for lack of privilege. 
 */
typedef int mpo_vnode_check_lookup_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct componentname *cnp
);
/**
 * @brief Access control check for open
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label associated with vp
 * @param acc_mode open(2) access mode
 *
 * Determine whether the subject identified by the credential can perform
 * an open operation on the passed vnode with the passed access mode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_open_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	int acc_mode
);
/**
 * @brief Access control check for read
 * @param active_cred Subject credential
 * @param file_cred Credential associated with the struct fileproc; may be NULL
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Determine whether the subject identified by the credential can perform
 * a read operation on the passed vnode. The active_cred holds the credentials
 * of the subject performing the operation, and file_cred holds the
 * credentials of the subject that originally opened the file. The two can
 * differ (e.g. after a descriptor has been handed to another process), so
 * a policy must decide deliberately which one it authorizes against.
 * file_cred is marked NULLOK on the prototype and must be NULL-checked
 * before use.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_read_t(
	kauth_cred_t active_cred,	/* SUBJECT */
	kauth_cred_t file_cred,		/* NULLOK */
	struct vnode *vp,		/* OBJECT */
	struct label *label		/* LABEL */
);
/**
 * @brief Access control check for read directory
 * @param cred Subject credential
 * @param dvp Object directory vnode
 * @param dlabel Policy label for dvp
 *
 * Determine whether the subject identified by the credential can
 * perform a readdir operation on the passed directory vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_readdir_t(
	kauth_cred_t cred,		/* SUBJECT */
	struct vnode *dvp,		/* OBJECT */
	struct label *dlabel		/* LABEL */
);
/**
 * @brief Access control check for read link
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Determine whether the subject identified by the credential can perform
 * a readlink operation on the passed symlink vnode. This call can be made
 * in a number of situations, including an explicit readlink call by the
 * user process, or as a result of an implicit readlink during a name
 * lookup by the process. A denial here therefore also fails name lookups
 * that traverse vp, not only explicit readlink(2) calls.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_readlink_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label
);
/**
 * @brief Access control check for rename
 * @param cred Subject credential
 * @param dvp Directory vnode
 * @param dlabel Policy label associated with dvp
 * @param vp vnode to be renamed
 * @param label Policy label associated with vp
 * @param cnp Component name for vp
 * @param tdvp Destination directory vnode
 * @param tdlabel Policy label associated with tdvp
 * @param tvp Overwritten vnode (presumably NULL when nothing is replaced,
 *        as for mpo_vnode_check_rename_to_t; the prototype carries no NULLOK
 *        annotation, so verify against the caller before relying on it)
 * @param tlabel Policy label associated with tvp
 * @param tcnp Destination component name
 *
 * Determine whether the subject identified by the credential should be allowed
 * to rename the vnode vp (named cnp in dvp) to the name tcnp in tdvp,
 * replacing tvp if one exists. This single hook replaces the deprecated
 * mpo_vnode_check_rename_from_t / mpo_vnode_check_rename_to_t pair, and
 * sees both ends of the rename at once.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_rename_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *vp,
	struct label *label,
	struct componentname *cnp,
	struct vnode *tdvp,
	struct label *tdlabel,
	struct vnode *tvp,
	struct label *tlabel,
	struct componentname *tcnp
);
/**
 * @brief Access control check for rename from
 * @param cred Subject credential
 * @param dvp Directory vnode
 * @param dlabel Policy label associated with dvp
 * @param vp vnode to be renamed
 * @param label Policy label associated with vp
 * @param cnp Component name for vp
 * @see mpo_vnode_check_rename_t
 * @see mpo_vnode_check_rename_to_t
 *
 * Determine whether the subject identified by the credential should be
 * allowed to rename the vnode vp to something else.
 *
 * Due to VFS locking constraints (to make sure proper vnode locks are
 * held during this entry point), the vnode rename checks had to be
 * split into two parts: rename_from and rename_to. A policy using this
 * pair only sees the source side here and must make the destination
 * decision in the rename_to hook.
 *
 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_rename_from_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *vp,
	struct label *label,
	struct componentname *cnp
);
/**
 * @brief Access control check for rename to
 * @param cred Subject credential
 * @param dvp Directory vnode
 * @param dlabel Policy label associated with dvp
 * @param vp Overwritten vnode
 * @param label Policy label associated with vp
 * @param samedir Boolean; 1 if the source and destination directories are the same
 * @param cnp Destination component name
 * @see mpo_vnode_check_rename_t
 * @see mpo_vnode_check_rename_from_t
 *
 * Determine whether the subject identified by the credential should be
 * allowed to rename to the vnode vp, into the directory dvp, with the
 * name represented by cnp. If there is no existing file to overwrite,
 * vp and label will be NULL.
 *
 * Due to VFS locking constraints (to make sure proper vnode locks are
 * held during this entry point), the vnode rename checks had to be
 * split into two parts: rename_from and rename_to.
 *
 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_rename_to_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *vp,		/* NULLOK */
	struct label *label,		/* NULLOK */
	int samedir,
	struct componentname *cnp
);
/**
 * @brief Access control check for revoke
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Determine whether the subject identified by the credential can revoke
 * access to the passed vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_revoke_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label
);
/**
 * @brief Access control check for searchfs
 * @param cred Subject credential
 * @param vp Object vnode
 * @param vlabel Policy label for vp
 * @param returnattrs List of attributes to be returned
 * @param searchattrs List of attributes used as search criteria
 *
 * Determine whether the subject identified by the credential can search the
 * vnode using the searchfs system call. Both attribute lists describe what
 * the searchfs caller asked for and should be treated as caller-controlled
 * input; a policy that protects particular attributes can deny a search
 * that would return or match on them.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_searchfs_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *vlabel,
	struct attrlist *returnattrs,
	struct attrlist *searchattrs
);
/**
 * @brief Access control check for select
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param which The operation selected on: FREAD or FWRITE
 *
 * Determine whether the subject identified by the credential can select
 * the vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_select_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	int which
);
/**
 * @brief Access control check for setting ACL
 * @param cred Subject credential
 * @param vp Object node
 * @param label Policy label for vp
 * @param acl ACL structure pointer
 *
 * Determine whether the subject identified by the credential can set an ACL
 * on the specified vnode. The ACL pointer will be NULL when removing an ACL,
 * so policies must check acl before inspecting its entries.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_setacl_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	struct kauth_acl *acl
);
/**
 * @brief Access control check for setting file attributes
 * @param cred Subject credential
 * @param vp Object vnode
 * @param vlabel Policy label for vp
 * @param alist List of attributes to set
 *
 * Determine whether the subject identified by the credential can set
 * various attributes of the specified vnode, or the filesystem or volume on
 * which that vnode resides. See <sys/attr.h> for definitions of the
 * attributes.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege. Access control covers all attributes requested
 * with this call.
 */
typedef int mpo_vnode_check_setattrlist_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *vlabel,
	struct attrlist *alist
);
/**
 * @brief Access control check for setting extended attribute
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param name Extended attribute name
 * @param uio I/O structure pointer
 *
 * Determine whether the subject identified by the credential can set the
 * extended attribute of the passed name on the passed vnode (no separate
 * namespace argument is passed; the name alone identifies the attribute).
 * Policies implementing security labels backed by extended attributes may
 * want to provide additional protections for those attributes, for example
 * by refusing direct writes to their own label attribute name so that the
 * label can only change through the label update path. Additionally,
 * policies should avoid making decisions based on the data referenced from
 * uio, as there is a potential race condition between this check and the
 * actual operation. The uio may also be NULL if a delete operation is being
 * performed.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_setextattr_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	const char *name,
	struct uio *uio
);
/**
 * @brief Access control check for setting flags
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param flags File flags; see chflags(2)
 *
 * Determine whether the subject identified by the credential can set
 * the passed flags on the passed vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_setflags_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	u_long flags
);
/**
 * @brief Access control check for setting mode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param mode File mode; see chmod(2)
 *
 * Determine whether the subject identified by the credential can set
 * the passed mode on the passed vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_setmode_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	mode_t mode
);
/**
 * @brief Access control check for setting uid and gid
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param uid User ID
 * @param gid Group ID
 *
 * Determine whether the subject identified by the credential can set
 * the passed uid and passed gid as file uid and file gid on the passed
 * vnode. The IDs may be set to (-1) to request no update; since uid_t and
 * gid_t are passed by value, compare against (uid_t)-1 / (gid_t)-1 rather
 * than a signed -1.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_setowner_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	uid_t uid,
	gid_t gid
);
/**
 * @brief Access control check for setting timestamps
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param atime Access time; see utimes(2)
 * @param mtime Modification time; see utimes(2)
 *
 * Determine whether the subject identified by the credential can set
 * the passed access and modification timestamps on the passed vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_setutimes_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	struct timespec atime,
	struct timespec mtime
);
/**
 * @brief Access control check after determining the code directory hash
 * @param vp vnode whose code signature is being checked before it is
 *        combined into a proc
 * @param label label associated with the vnode
 * @param cpu_type cpu type of the signature being checked
 * @param cs_blob the code signature to check
 * @param cs_flags update code signing flags if needed
 * @param signer_type output parameter for the code signature's signer type
 * @param flags operational flag to mpo_vnode_check_signature
 * @param platform platform of the signature being checked
 * @param fatal_failure_desc output parameter: description of fatal failure
 * @param fatal_failure_desc_len output parameter: failure description len;
 *        the failure is fatal if non-0
 *
 * Note that this hook carries no subject credential: the decision concerns
 * the signature attached to vp, not the identity of the caller. The
 * ownership of the buffer stored through fatal_failure_desc is not
 * specified here; confirm with the caller who frees it before returning
 * one.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_signature_t(
	struct vnode *vp,
	struct label *label,
	cpu_type_t cpu_type,
	struct cs_blob *cs_blob,
	unsigned int *cs_flags,
	unsigned int *signer_type,
	int flags,
	unsigned int platform,
	char **fatal_failure_desc, size_t *fatal_failure_desc_len
);

/**
 * @brief Access control check for supplemental signature attachment
 * @param vp the vnode to which the signature will be attached
 * @param label label associated with the vnode
 * @param cs_blob the code signature to check
 * @param linked_vp vnode to which this new vp is related
 * @param linked_cs_blob the code signature of the linked vnode
 * @param signer_type output parameter for the signer type of the code signature being checked.
 *
 * As with mpo_vnode_check_signature_t there is no subject credential; the
 * check is about the relationship between cs_blob and linked_cs_blob.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_supplemental_signature_t(
	struct vnode *vp,
	struct label *label,
	struct cs_blob *cs_blob,
	struct vnode *linked_vp,
	struct cs_blob *linked_cs_blob,
	unsigned int *signer_type
);

/**
 * @brief Access control check for stat
 * @param active_cred Subject credential
 * @param file_cred Credential associated with the struct fileproc; may be NULL
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Determine whether the subject identified by the credential can stat
 * the passed vnode. See stat(2) for more information. The active_cred
 * holds the credentials of the subject performing the operation, and
 * file_cred holds the credentials of the subject that originally
 * opened the file. file_cred is marked NULLOK on the prototype and must
 * be NULL-checked before use.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_stat_t(
	struct ucred *active_cred,	/* spelled struct ucred * here, kauth_cred_t in the neighbouring hooks */
	struct ucred *file_cred,	/* NULLOK */
	struct vnode *vp,
	struct label *label
);
/**
 * @brief Access control check for vnode trigger resolution
 * @param cred Subject credential
 * @param dvp Directory vnode in which resolution was triggered
 * @param dlabel Policy label for dvp
 * @param cnp Component name that triggered resolution
 *
 * Determine whether the subject identified by the credential can trigger
 * resolution of the passed name (cnp) in the passed directory vnode
 * via an external trigger resolver.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_trigger_resolve_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct componentname *cnp
);
/**
 * @brief Access control check for truncate/ftruncate
 * @param active_cred Subject credential
 * @param file_cred Credential associated with the struct fileproc; may be NULL
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Determine whether the subject identified by the credential can
 * perform a truncate operation on the passed vnode. The active_cred holds
 * the credentials of the subject performing the operation, and
 * file_cred holds the credentials of the subject that originally
 * opened the file. file_cred is marked NULLOK on the prototype and must
 * be NULL-checked before use.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_truncate_t(
	kauth_cred_t active_cred,
	kauth_cred_t file_cred,		/* NULLOK */
	struct vnode *vp,
	struct label *label
);
/**
 * @brief Access control check for binding UNIX domain socket
 * @param cred Subject credential
 * @param dvp Directory vnode in which the socket name will be created
 * @param dlabel Policy label for dvp
 * @param cnp Component name of the socket path being bound within dvp
 * @param vap Attributes requested for the socket vnode to be created
 *
 * Determine whether the subject identified by the credential can perform a
 * bind operation on a UNIX domain socket with the passed parent directory,
 * passed name information, and passed attribute information.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_uipc_bind_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct componentname *cnp,
	struct vnode_attr *vap
);
/**
 * @brief Access control check for connecting UNIX domain socket
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label associated with vp
 * @param so Socket
 *
 * Determine whether the subject identified by the credential can perform a
 * connect operation on the passed UNIX domain socket vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_uipc_connect_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	socket_t so
);
/**
 * @brief Access control check for deleting vnode
 * @param cred Subject credential
 * @param dvp Parent directory vnode
 * @param dlabel Policy label for dvp
 * @param vp Object vnode to delete
 * @param label Policy label for vp
 * @param cnp Component name for vp
 * @see mpo_vnode_check_rename_t
 * @see mpo_vnode_check_rename_to_t
 *
 * Determine whether the subject identified by the credential can delete
 * a vnode from the passed parent directory and passed name information.
 * This call may be made in a number of situations, including as a
 * result of calls to unlink(2) and rmdir(2). Deletion of an existing
 * object that is overwritten as the target of a rename is not routed
 * through this hook, so policies implementing this entry point should
 * also implement mpo_vnode_check_rename_t (or the deprecated
 * mpo_vnode_check_rename_to_t) to authorize deletion of objects as a
 * result of being the target of a rename.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_unlink_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *vp,
	struct label *label,
	struct componentname *cnp
);
/**
 * @brief Access control check for write
 * @param active_cred Subject credential
 * @param file_cred Credential associated with the struct fileproc; may be NULL
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Determine whether the subject identified by the credential can
 * perform a write operation on the passed vnode. The active_cred holds
 * the credentials of the subject performing the operation, and
 * file_cred holds the credentials of the subject that originally
 * opened the file.
 * file_cred is marked NULLOK on the prototype and must be NULL-checked
 * before use.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_write_t(
	kauth_cred_t active_cred,
	kauth_cred_t file_cred,		/* NULLOK */
	struct vnode *vp,
	struct label *label
);
/**
 * @brief Access control check for copyfile
 * @param cred Subject credential
 * @param dvp Vnode of directory to create the copy in
 * @param dlabel Policy label associated with dvp
 * @param tvp Vnode of the file at the target path that will be unlinked to
 *        make room for the copy being created, if such a file exists;
 *        NULL otherwise
 * @param tlabel Policy label associated with tvp; NULL when tvp is NULL
 * @param fvp Vnode of the file to copy from
 * @param flabel Policy label associated with fvp
 * @param cnp Component name for the copy being created
 * @param mode Corresponds to mode argument to the copyfile syscall
 * @param flags Corresponds to flags argument to the copyfile syscall
 *
 * Determine whether the subject identified by the credential should be
 * allowed to create a copy of the vnode fvp with the name specified by cnp.
 * A single approval covers reading fvp, creating the new name in dvp and,
 * when tvp is non-NULL, removing the file that is being replaced, so a
 * policy should apply each of those checks here.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_copyfile_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *tvp,		/* NULLOK */
	struct label *tlabel,		/* NULLOK */
	struct vnode *fvp,
	struct label *flabel,
	struct componentname *cnp,
	mode_t mode,
	int flags
);
/**
 * @brief Associate a vnode with a devfs entry
 * @param mp Devfs mount point
 * @param mntlabel Devfs mount point label
 * @param de Devfs directory entry
 * @param delabel Label associated with de
 * @param vp vnode associated with de
 * @param vlabel Label associated with vp
 *
 * Fill in the label (vlabel) for a newly created devfs vnode. The
 * label is typically derived from the label on the devfs directory
 * entry or the label on the filesystem, supplied as parameters.
 */
typedef void mpo_vnode_label_associate_devfs_t(
	struct mount *mp,
	struct label *mntlabel,
	struct devnode *de,
	struct label *delabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a label with a vnode
 * @param mp File system mount point
 * @param mntlabel File system mount point label
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Attempt to retrieve label information for the vnode, vp, from the
 * file system extended attribute store. The label should be stored in
 * the supplied vlabel parameter. If a policy cannot retrieve an
 * extended attribute, sometimes it is acceptable to fall back to using
 * the mntlabel.
 *
 * The attribute contents come from the backing file system and must be
 * parsed defensively: a malformed or corrupt label is an expected input,
 * not an invariant violation.
 *
 * If the policy requires vnodes to have a valid label elsewhere it
 * MUST NOT return other than temporary errors, and must always provide
 * a valid label of some sort. Returning an error will cause vnode
 * labeling to be retried at a later access. Failure to handle policy
 * centric errors internally (corrupt labels etc.) will result in
 * inaccessible files.
 *
 * @return In the event of an error, an appropriate value for errno
 * should be returned, otherwise return 0 upon success.
 */
typedef int mpo_vnode_label_associate_extattr_t(
	struct mount *mp,
	struct label *mntlabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a file label with a vnode
 * @param cred User credential
 * @param mp Fdesc mount point
 * @param mntlabel Fdesc mount point label
 * @param fg Fileglob structure
 * @param label Policy label for fg
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the open file descriptor described by fg.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_file_t(
	struct ucred *cred,
	struct mount *mp,
	struct label *mntlabel,
	struct fileglob *fg,
	struct label *label,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a pipe label with a vnode
 * @param cred User credential for the process that opened the pipe
 * @param cpipe Pipe structure
 * @param pipelabel Label associated with pipe
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the pipe described by the pipe structure cpipe.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_pipe_t(
	struct ucred *cred,
	struct pipe *cpipe,
	struct label *pipelabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a POSIX semaphore label with a vnode
 * @param cred User credential for the process that created psem
 * @param psem POSIX semaphore structure
 * @param psemlabel Label associated with psem
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the POSIX semaphore described by psem.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_posixsem_t(
	struct ucred *cred,
	struct pseminfo *psem,
	struct label *psemlabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a POSIX shared memory label with a vnode
 * @param cred User credential for the process that created pshm
 * @param pshm POSIX shared memory structure
 * @param pshmlabel Label associated with pshm
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the POSIX shared memory region described by pshm.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_posixshm_t(
	struct ucred *cred,
	struct pshminfo *pshm,
	struct label *pshmlabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a label with a vnode
 * @param mp File system mount point
 * @param mntlabel File system mount point label
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * On non-multilabel file systems, set the label for a vnode. The
 * label will most likely be based on the file system label. Unlike
 * mpo_vnode_label_associate_extattr_t this entry point returns nothing,
 * so it has no way to report failure and must always leave vlabel in a
 * usable state.
 */
typedef void mpo_vnode_label_associate_singlelabel_t(
	struct mount *mp,
	struct label *mntlabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a socket label with a vnode
 * @param cred User credential for the process that opened the socket
 * @param so Socket structure
 * @param solabel Label associated with so
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the open socket described by the socket structure so.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_socket_t(
	kauth_cred_t cred,
	socket_t so,
	struct label *solabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Copy a vnode label
 * @param src Source vnode label
 * @param dest Destination vnode label
 *
 * Copy the vnode label information from src to dest. On Darwin, this
 * is currently only necessary when executing interpreted scripts, but
 * will later be used if vnode label externalization cannot be an
 * atomic operation.
 */
typedef void mpo_vnode_label_copy_t(
	struct label *src,
	struct label *dest
);
/**
 * @brief Destroy vnode label
 * @param label The label to be destroyed
 *
 * Destroy a vnode label. Since the object is going out of scope,
 * policy modules should free any internal storage associated with the
 * label so that it may be destroyed.
 */
typedef void mpo_vnode_label_destroy_t(
	struct label *label
);
/**
 * @brief Externalize a vnode label for auditing
 * @param label Label to be externalized
 * @param element_name Name of the label namespace for which labels should be
 * externalized
 * @param sb String buffer to be filled with a text representation of the label
 *
 * Produce an external representation of the label on a vnode suitable for
 * inclusion in an audit record. An externalized label consists of a text
 * representation of the label contents that will be added to the audit record
 * as part of a text token. Policy-agnostic user space tools will display
 * this externalized version. All output must go through sb so that its
 * bounds are enforced by the sbuf rather than by the policy.
 *
 * @return 0 on success, return non-zero if an error occurs while
 * externalizing the label data.
 *
 */
typedef int mpo_vnode_label_externalize_audit_t(
	struct label *label,
	char *element_name,
	struct sbuf *sb
);
/**
 * @brief Externalize a vnode label
 * @param label Label to be externalized
 * @param element_name Name of the label namespace for which labels should be
 * externalized
 * @param sb String buffer to be filled with a text representation of the label
 *
 * Produce an external representation of the label on a vnode. An
 * externalized label consists of a text representation of the label
 * contents that can be used with user applications. Policy-agnostic
 * user space tools will display this externalized version. All output
 * must go through sb so that its bounds are enforced by the sbuf rather
 * than by the policy.
 *
 * @return 0 on success, return non-zero if an error occurs while
 * externalizing the label data.
*/
typedef int mpo_vnode_label_externalize_t(
	struct label *label,
	char *element_name,
	struct sbuf *sb
);
/**
 * @brief Initialize vnode label
 * @param label New label to initialize
 *
 * Initialize label storage for use with a newly instantiated vnode, or
 * for temporary storage associated with the copying in or out of a
 * vnode label. While it is necessary to allocate space for a
 * kernel-resident vnode label, it is not yet necessary to link this vnode
 * with persistent label storage facilities, such as extended attributes.
 * Sleeping is permitted.
 */
typedef void mpo_vnode_label_init_t(
	struct label *label
);
/**
 * @brief Internalize a vnode label
 * @param label Label to be internalized
 * @param element_name Name of the label namespace for which the label should
 * be internalized
 * @param element_data Text data to be internalized
 *
 * Produce a vnode label from an external representation. An
 * externalized label consists of a text representation of the label
 * contents that can be used with user applications. Policy-agnostic
 * user space tools will forward the text version to the kernel for
 * processing by individual policy modules.
 *
 * Because element_data is text forwarded from user space, a policy must
 * parse it defensively (bounds, syntax, acceptable values) and reject
 * anything it does not understand rather than guessing.
 *
 * The policy's internalize entry points will be called only if the
 * policy has registered interest in the label namespace.
 *
 * @return 0 on success; otherwise, return non-zero if an error occurs
 * while internalizing the label data.
 */
typedef int mpo_vnode_label_internalize_t(
	struct label *label,
	char *element_name,
	char *element_data
);
/**
 * @brief Clean up a vnode label
 * @param label The label to be cleaned or purged
 *
 * Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but
 * typically never frees them.
Before vnodes are placed back on free lists for
 * re-use, policies can clean up or overwrite any information present in the label,
 * or free any internal resources used for the label. Because the vnode
 * object itself is reused rather than destroyed, any state left in the
 * label here will be visible to whatever the vnode is recycled into.
 */
typedef void mpo_vnode_label_recycle_t(
	struct label *label
);
/**
 * @brief Write a label to an extended attribute
 * @param cred Subject credential
 * @param vp The vnode for which the label is being stored
 * @param vlabel Label associated with vp
 * @param intlabel The new label to store
 *
 * Store a new label in the extended attribute corresponding to the
 * supplied vnode. The policy has already authorized the operation;
 * this call must be implemented in order to perform the actual
 * operation.
 *
 * @return In the event of an error, an appropriate value for errno
 * should be returned, otherwise return 0 upon success.
 *
 * @warning XXX After examining the extended attribute implementation on
 * Apple's future release, this entry point may be changed.
 */
typedef int mpo_vnode_label_store_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *vlabel,
	struct label *intlabel
);
/**
 * @brief Update vnode label from extended attributes
 * @param mp File system mount point
 * @param mntlabel Mount point label
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 * @param name Name of the xattr
 * @see mpo_vnode_check_setextattr_t
 *
 * When an extended attribute is updated via the Vendor attribute management
 * functions, the MAC vnode label might also require an update.
 * Policies should first determine if 'name' matches their xattr label
 * name. If it does, the kernel has either replaced or removed the
 * named extended attribute that was previously associated with the
 * vnode.
Normally labels should only be modified via MAC Framework label
 * management calls, but sometimes the user space components will directly
 * modify extended attributes. For example, 'cp', 'tar', etc. manage
 * extended attributes in userspace, not the kernel.
 *
 * This entry point is called after the label update has occurred, so
 * it cannot return a failure. However, the operation is preceded by
 * the mpo_vnode_check_setextattr() access control check.
 *
 * If the vnode label needs to be updated the policy should return
 * a non-zero value. The vnode label will be marked for re-association
 * by the framework.
 *
 * @return 0 if vlabel does not need re-association; non-zero to have the
 * framework mark vlabel for re-association. The value is a flag, not an
 * errno: the xattr change has already happened and cannot be rejected here.
 */
typedef int mpo_vnode_label_update_extattr_t(
	struct mount *mp,
	struct label *mntlabel,
	struct vnode *vp,
	struct label *vlabel,
	const char *name
);
/**
 * @brief Update a vnode label
 * @param cred Subject credential
 * @param vp The vnode to relabel
 * @param vnodelabel Existing vnode label
 * @param label New label to replace existing label
 * @see mpo_vnode_check_label_update_t
 *
 * The subject identified by the credential has previously requested
 * and was authorized to relabel the vnode; this entry point allows
 * policies to perform the actual relabel operation. Policies should
 * update vnodelabel using the label stored in the label parameter.
*/
typedef void mpo_vnode_label_update_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *vnodelabel,
	struct label *label
);
/**
 * @brief Find detached signatures for a shared library
 * @param p Process on whose behalf the signature is being looked up
 * @param vp Vnode of the shared library whose signature is requested
 * @param offset Offset in the Mach-O that the signature is requested for (for fat binaries)
 * @param label Policy label for vp
 *
 * NOTE(review): the original header documented vp as "The vnode to relabel"
 * and p as a "file", which appear to be copy/paste slips from the relabel
 * entry point above; this hook performs no relabeling.
 *
 * @return Not documented in the original header. Presumably 0 on success
 * and an errno value otherwise -- confirm against the framework caller
 * before relying on it.
 */
typedef int mpo_vnode_find_sigs_t(
	struct proc *p,
	struct vnode *vp,
	off_t offset,
	struct label *label
);
/**
 * @brief Create a new vnode, backed by extended attributes
 * @param cred User credential for the creating process
 * @param mp File system mount point
 * @param mntlabel File system mount point label
 * @param dvp Parent directory vnode
 * @param dlabel Parent directory vnode label
 * @param vp Newly created vnode
 * @param vlabel Label to associate with the new vnode
 * @param cnp Component name for vp
 *
 * Write out the label for the newly created vnode, most likely storing
 * the results in a file system extended attribute. Most policies will
 * derive the new vnode label using information from a combination
 * of the subject (user) credential, the file system label, the parent
 * directory label, and potentially the path name component.
 *
 * @return If the operation succeeds, store the new label in vlabel and
 * return 0. Otherwise, return an appropriate errno value.
*/
typedef int mpo_vnode_notify_create_t(
	kauth_cred_t cred,
	struct mount *mp,
	struct label *mntlabel,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *vp,
	struct label *vlabel,
	struct componentname *cnp
);

/**
 * @brief Inform MAC policies that a vnode has been opened
 * @param cred User credential for the opening process
 * @param vp Vnode that was opened
 * @param label Policy label for vp
 * @param acc_mode open(2) access mode used
 *
 * Inform MAC policies that a vnode has been successfully opened
 * (passing all MAC policies and DAC). This is a notification, not an
 * access check: the open has already succeeded, and the void return
 * means it cannot be denied from here.
 */
typedef void mpo_vnode_notify_open_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	int acc_mode
);

/**
 * @brief Inform MAC policies that a vnode has been renamed
 * @param cred User credential for the renaming process
 * @param vp Vnode that's being renamed
 * @param label Policy label for vp
 * @param dvp Parent directory for the destination
 * @param dlabel Policy label for dvp
 * @param cnp Component name for the destination
 *
 * Inform MAC policies that a vnode has been renamed. Notification only;
 * the rename cannot be vetoed here.
 */
typedef void mpo_vnode_notify_rename_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	struct vnode *dvp,
	struct label *dlabel,
	struct componentname *cnp
);

/**
 * @brief Inform MAC policies that two vnodes were atomically swapped.
 * @param cred User credential for the process performing the swap
 * @param v1 vnode 1 to swap
 * @param vl1 Policy label for v1
 * @param v2 vnode 2 to swap
 * @param vl2 Policy label for v2
 *
 * Inform MAC policies that two vnodes were atomically swapped.
* NOTE: If a policy implements this notify hook, then this hook will be
 * called instead of two calls to the vnode_notify_rename hook (one for each
 * member of the swap). A policy that keeps per-vnode state keyed by name or
 * location must therefore handle the swap here, or it will not observe the
 * change at all.
 */
typedef void mpo_vnode_notify_swap_t(
	kauth_cred_t cred,
	struct vnode *v1,
	struct label *vl1,
	struct vnode *v2,
	struct label *vl2
);

/**
 * @brief Inform MAC policies that a vnode has been linked
 * @param cred User credential for the linking process
 * @param dvp Parent directory for the destination
 * @param dlabel Policy label for dvp
 * @param vp Vnode that's being linked
 * @param vlabel Policy label for vp
 * @param cnp Component name for the destination
 *
 * Inform MAC policies that a vnode has been linked. Notification only;
 * the link cannot be vetoed here.
 */
typedef void mpo_vnode_notify_link_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *vp,
	struct label *vlabel,
	struct componentname *cnp
);

/**
 * @brief Inform MAC policies that an extended attribute has been removed from a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param name Extended attribute name
 *
 * Inform MAC policies that an extended attribute has been removed from a vnode.
 */
typedef void mpo_vnode_notify_deleteextattr_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	const char *name
);


/**
 * @brief Inform MAC policies that an ACL has been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param acl ACL structure pointer
 *
 * Inform MAC policies that an ACL has been set on a vnode.
*/
typedef void mpo_vnode_notify_setacl_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	struct kauth_acl *acl
);

/**
 * @brief Inform MAC policies that attributes have been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param alist List of attributes to set
 *
 * Inform MAC policies that attributes have been set on a vnode.
 */
typedef void mpo_vnode_notify_setattrlist_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	struct attrlist *alist
);

/**
 * @brief Inform MAC policies that an extended attribute has been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param name Extended attribute name
 * @param uio I/O structure pointer
 *
 * Inform MAC policies that an extended attribute has been set on a vnode.
 */
typedef void mpo_vnode_notify_setextattr_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	const char *name,
	struct uio *uio
);

/**
 * @brief Inform MAC policies that flags have been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param flags File flags; see chflags(2)
 *
 * Inform MAC policies that flags have been set on a vnode.
 */
typedef void mpo_vnode_notify_setflags_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	u_long flags
);

/**
 * @brief Inform MAC policies that a new mode has been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param mode File mode; see chmod(2)
 *
 * Inform MAC policies that a new mode has been set on a vnode.
*/
typedef void mpo_vnode_notify_setmode_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	mode_t mode
);

/**
 * @brief Inform MAC policies that new uid/gid have been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param uid User ID
 * @param gid Group ID
 *
 * Inform MAC policies that new uid/gid have been set on a vnode.
 */
typedef void mpo_vnode_notify_setowner_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	uid_t uid,
	gid_t gid
);

/**
 * @brief Inform MAC policies that new timestamps have been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param atime Access time; see utimes(2)
 * @param mtime Modification time; see utimes(2)
 *
 * Inform MAC policies that new timestamps have been set on a vnode.
 * Note that atime and mtime are passed by value, not by pointer.
 */
typedef void mpo_vnode_notify_setutimes_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	struct timespec atime,
	struct timespec mtime
);

/**
 * @brief Inform MAC policies that a vnode has been truncated
 * @param cred Subject credential
 * @param file_cred Credential associated with the struct fileproc
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Inform MAC policies that a vnode has been truncated.
*/
typedef void mpo_vnode_notify_truncate_t(
	kauth_cred_t cred,
	kauth_cred_t file_cred,
	struct vnode *vp,
	struct label *label
);


/**
 * @brief Inform MAC policies that a pty slave has been granted
 * @param p Responsible process
 * @param tp tty data structure
 * @param dev Major and minor numbers of device
 * @param label Policy label for tp
 *
 * Inform MAC policies that a pty slave has been granted.
 */
typedef void mpo_pty_notify_grant_t(
	proc_t p,
	struct tty *tp,
	dev_t dev,
	struct label *label
);

/**
 * @brief Inform MAC policies that a pty master has been closed
 * @param p Responsible process
 * @param tp tty data structure
 * @param dev Major and minor numbers of device
 * @param label Policy label for tp
 *
 * Inform MAC policies that a pty master has been closed.
 */
typedef void mpo_pty_notify_close_t(
	proc_t p,
	struct tty *tp,
	dev_t dev,
	struct label *label
);

/**
 * @brief Access control check for kext loading
 * @param cred Subject credential
 * @param identifier Kext identifier
 *
 * Determine whether the subject identified by the credential can load the
 * specified kext. Only the credential and the identifier string are
 * available to the policy at this entry point.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EPERM for lack of privilege.
 */
typedef int mpo_kext_check_load_t(
	kauth_cred_t cred,
	const char *identifier
);

/**
 * @brief Access control check for kext unloading
 * @param cred Subject credential
 * @param identifier Kext identifier
 *
 * Determine whether the subject identified by the credential can unload the
 * specified kext.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
Suggested failure: EPERM for lack of privilege.
 */
typedef int mpo_kext_check_unload_t(
	kauth_cred_t cred,
	const char *identifier
);

/**
 * @brief Access control check for querying information about loaded kexts
 * @param cred Subject credential
 *
 * Determine whether the subject identified by the credential can query
 * information about loaded kexts.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EPERM for lack of privilege.
 */
typedef int mpo_kext_check_query_t(
	kauth_cred_t cred
);

/**
 * @brief Inform MAC policies that a vnode is being reclaimed
 * @param vp Object vnode
 *
 * Any external accounting tracking this vnode must consider it to be no longer valid.
 * Only vp is passed (no credential and no label), so a policy that keeps
 * per-vnode state must be able to find and drop it by vp alone.
 */
typedef void mpo_vnode_notify_reclaim_t(
	struct vnode *vp
);

/*
 * Placeholder for future events that may need mac hooks.
 * Reserved slots in struct mac_policy_ops use this type so that taking a
 * slot later does not change the struct layout.
 */
typedef void mpo_reserved_hook_t(void);

/*
 * Policy module operations.
 *
 * Please note that this should be kept in sync with the check assumptions
 * policy in bsd/kern/policy_check.c (policy_ops struct).
5789 */ 5790 #define MAC_POLICY_OPS_VERSION 80 /* inc when new reserved slots are taken */ 5791 struct mac_policy_ops { 5792 mpo_audit_check_postselect_t *mpo_audit_check_postselect; 5793 mpo_audit_check_preselect_t *mpo_audit_check_preselect; 5794 5795 mpo_reserved_hook_t *mpo_reserved01; 5796 mpo_reserved_hook_t *mpo_reserved02; 5797 mpo_reserved_hook_t *mpo_reserved03; 5798 mpo_reserved_hook_t *mpo_reserved04; 5799 5800 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; 5801 mpo_cred_check_label_update_t *mpo_cred_check_label_update; 5802 mpo_cred_check_visible_t *mpo_cred_check_visible; 5803 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork; 5804 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel; 5805 mpo_cred_label_associate_t *mpo_cred_label_associate; 5806 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user; 5807 mpo_cred_label_destroy_t *mpo_cred_label_destroy; 5808 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit; 5809 mpo_cred_label_externalize_t *mpo_cred_label_externalize; 5810 mpo_cred_label_init_t *mpo_cred_label_init; 5811 mpo_cred_label_internalize_t *mpo_cred_label_internalize; 5812 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve; 5813 mpo_cred_label_update_t *mpo_cred_label_update; 5814 5815 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device; 5816 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory; 5817 mpo_devfs_label_copy_t *mpo_devfs_label_copy; 5818 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; 5819 mpo_devfs_label_init_t *mpo_devfs_label_init; 5820 mpo_devfs_label_update_t *mpo_devfs_label_update; 5821 5822 mpo_file_check_change_offset_t *mpo_file_check_change_offset; 5823 mpo_file_check_create_t *mpo_file_check_create; 5824 mpo_file_check_dup_t *mpo_file_check_dup; 5825 mpo_file_check_fcntl_t *mpo_file_check_fcntl; 5826 mpo_file_check_get_offset_t *mpo_file_check_get_offset; 5827 
mpo_file_check_get_t *mpo_file_check_get; 5828 mpo_file_check_inherit_t *mpo_file_check_inherit; 5829 mpo_file_check_ioctl_t *mpo_file_check_ioctl; 5830 mpo_file_check_lock_t *mpo_file_check_lock; 5831 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade; 5832 mpo_file_check_mmap_t *mpo_file_check_mmap; 5833 mpo_file_check_receive_t *mpo_file_check_receive; 5834 mpo_file_check_set_t *mpo_file_check_set; 5835 mpo_file_label_init_t *mpo_file_label_init; /* deprecated not called anymore */ 5836 mpo_file_label_destroy_t *mpo_file_label_destroy; /* deprecated not called anymore */ 5837 mpo_file_label_associate_t *mpo_file_label_associate; /* deprecated not called anymore */ 5838 mpo_file_notify_close_t *mpo_file_notify_close; 5839 5840 mpo_reserved_hook_t *mpo_reserved06; 5841 mpo_reserved_hook_t *mpo_reserved07; 5842 mpo_reserved_hook_t *mpo_reserved08; 5843 mpo_reserved_hook_t *mpo_reserved09; 5844 mpo_reserved_hook_t *mpo_reserved10; 5845 mpo_reserved_hook_t *mpo_reserved11; 5846 mpo_reserved_hook_t *mpo_reserved12; 5847 mpo_reserved_hook_t *mpo_reserved13; 5848 mpo_reserved_hook_t *mpo_reserved14; 5849 mpo_reserved_hook_t *mpo_reserved15; 5850 mpo_reserved_hook_t *mpo_reserved16; 5851 mpo_reserved_hook_t *mpo_reserved17; 5852 mpo_reserved_hook_t *mpo_reserved18; 5853 mpo_reserved_hook_t *mpo_reserved19; 5854 mpo_reserved_hook_t *mpo_reserved20; 5855 mpo_reserved_hook_t *mpo_reserved21; 5856 mpo_reserved_hook_t *mpo_reserved22; 5857 mpo_reserved_hook_t *mpo_reserved23; 5858 mpo_reserved_hook_t *mpo_reserved24; 5859 5860 mpo_necp_check_open_t *mpo_necp_check_open; 5861 mpo_necp_check_client_action_t *mpo_necp_check_client_action; 5862 5863 mpo_file_check_library_validation_t *mpo_file_check_library_validation; 5864 5865 mpo_vnode_notify_setacl_t *mpo_vnode_notify_setacl; 5866 mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist; 5867 mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr; 5868 mpo_vnode_notify_setflags_t 
*mpo_vnode_notify_setflags; 5869 mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode; 5870 mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner; 5871 mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes; 5872 mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate; 5873 mpo_vnode_check_getattrlistbulk_t *mpo_vnode_check_getattrlistbulk; 5874 5875 mpo_proc_check_get_task_special_port_t *mpo_proc_check_get_task_special_port; 5876 mpo_proc_check_set_task_special_port_t *mpo_proc_check_set_task_special_port; 5877 5878 mpo_vnode_notify_swap_t *mpo_vnode_notify_swap; 5879 mpo_reserved_hook_t *mpo_reserved31; 5880 mpo_reserved_hook_t *mpo_reserved32; 5881 mpo_reserved_hook_t *mpo_reserved33; 5882 mpo_reserved_hook_t *mpo_reserved34; 5883 mpo_reserved_hook_t *mpo_reserved35; 5884 mpo_vnode_check_copyfile_t *mpo_vnode_check_copyfile; 5885 5886 mpo_mount_check_quotactl_t *mpo_mount_check_quotactl; 5887 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl; 5888 mpo_mount_check_getattr_t *mpo_mount_check_getattr; 5889 mpo_mount_check_label_update_t *mpo_mount_check_label_update; 5890 mpo_mount_check_mount_t *mpo_mount_check_mount; 5891 mpo_mount_check_remount_t *mpo_mount_check_remount; 5892 mpo_mount_check_setattr_t *mpo_mount_check_setattr; 5893 mpo_mount_check_stat_t *mpo_mount_check_stat; 5894 mpo_mount_check_umount_t *mpo_mount_check_umount; 5895 mpo_mount_label_associate_t *mpo_mount_label_associate; 5896 mpo_mount_label_destroy_t *mpo_mount_label_destroy; 5897 mpo_mount_label_externalize_t *mpo_mount_label_externalize; 5898 mpo_mount_label_init_t *mpo_mount_label_init; 5899 mpo_mount_label_internalize_t *mpo_mount_label_internalize; 5900 5901 mpo_proc_check_expose_task_with_flavor_t *mpo_proc_check_expose_task_with_flavor; 5902 mpo_proc_check_get_task_with_flavor_t *mpo_proc_check_get_task_with_flavor; 5903 mpo_proc_check_task_id_token_get_task_t *mpo_proc_check_task_id_token_get_task; 5904 5905 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; 5906 
mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; 5907 mpo_reserved_hook_t *mpo_reserved41; 5908 mpo_pipe_check_read_t *mpo_pipe_check_read; 5909 mpo_pipe_check_select_t *mpo_pipe_check_select; 5910 mpo_pipe_check_stat_t *mpo_pipe_check_stat; 5911 mpo_pipe_check_write_t *mpo_pipe_check_write; 5912 mpo_pipe_label_associate_t *mpo_pipe_label_associate; 5913 mpo_reserved_hook_t *mpo_reserved42; 5914 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy; 5915 mpo_reserved_hook_t *mpo_reserved43; 5916 mpo_pipe_label_init_t *mpo_pipe_label_init; 5917 mpo_reserved_hook_t *mpo_reserved44; 5918 mpo_proc_check_syscall_mac_t *mpo_proc_check_syscall_mac; 5919 5920 mpo_policy_destroy_t *mpo_policy_destroy; 5921 mpo_policy_init_t *mpo_policy_init; 5922 mpo_policy_initbsd_t *mpo_policy_initbsd; 5923 mpo_policy_syscall_t *mpo_policy_syscall; 5924 5925 mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname; 5926 mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports; 5927 mpo_vnode_check_rename_t *mpo_vnode_check_rename; 5928 mpo_kext_check_query_t *mpo_kext_check_query; 5929 mpo_proc_notify_exec_complete_t *mpo_proc_notify_exec_complete; 5930 mpo_proc_notify_cs_invalidated_t *mpo_proc_notify_cs_invalidated; 5931 mpo_proc_check_syscall_unix_t *mpo_proc_check_syscall_unix; 5932 mpo_proc_check_expose_task_t *mpo_proc_check_expose_task; /* Deprecating, use mpo_proc_check_expose_task_with_flavor instead */ 5933 mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port; 5934 mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port; 5935 mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send; 5936 mpo_exc_action_label_associate_t *mpo_exc_action_label_associate; 5937 mpo_exc_action_label_populate_t *mpo_exc_action_label_populate; 5938 mpo_exc_action_label_destroy_t *mpo_exc_action_label_destroy; 5939 mpo_exc_action_label_init_t *mpo_exc_action_label_init; 5940 mpo_exc_action_label_update_t 
*mpo_exc_action_label_update; 5941 5942 mpo_vnode_check_trigger_resolve_t *mpo_vnode_check_trigger_resolve; 5943 mpo_mount_check_mount_late_t *mpo_mount_check_mount_late; 5944 mpo_mount_check_snapshot_mount_t *mpo_mount_check_snapshot_mount; 5945 mpo_vnode_notify_reclaim_t *mpo_vnode_notify_reclaim; 5946 mpo_skywalk_flow_check_connect_t *mpo_skywalk_flow_check_connect; 5947 mpo_skywalk_flow_check_listen_t *mpo_skywalk_flow_check_listen; 5948 5949 mpo_posixsem_check_create_t *mpo_posixsem_check_create; 5950 mpo_posixsem_check_open_t *mpo_posixsem_check_open; 5951 mpo_posixsem_check_post_t *mpo_posixsem_check_post; 5952 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink; 5953 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait; 5954 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate; 5955 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy; 5956 mpo_posixsem_label_init_t *mpo_posixsem_label_init; 5957 mpo_posixshm_check_create_t *mpo_posixshm_check_create; 5958 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap; 5959 mpo_posixshm_check_open_t *mpo_posixshm_check_open; 5960 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat; 5961 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate; 5962 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink; 5963 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate; 5964 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy; 5965 mpo_posixshm_label_init_t *mpo_posixshm_label_init; 5966 5967 mpo_proc_check_debug_t *mpo_proc_check_debug; 5968 mpo_proc_check_fork_t *mpo_proc_check_fork; 5969 mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name; /* Deprecating, use mpo_proc_check_get_task_with_flavor instead */ 5970 mpo_proc_check_get_task_t *mpo_proc_check_get_task; /* Deprecating, use mpo_proc_check_get_task_with_flavor instead */ 5971 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; 5972 mpo_proc_check_getauid_t *mpo_proc_check_getauid; 5973 mpo_proc_check_getlcid_t 
*mpo_proc_check_getlcid; 5974 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; 5975 mpo_proc_check_sched_t *mpo_proc_check_sched; 5976 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; 5977 mpo_proc_check_setauid_t *mpo_proc_check_setauid; 5978 mpo_proc_check_setlcid_t *mpo_proc_check_setlcid; 5979 mpo_proc_check_signal_t *mpo_proc_check_signal; 5980 mpo_proc_check_wait_t *mpo_proc_check_wait; 5981 mpo_proc_check_dump_core_t *mpo_proc_check_dump_core; 5982 mpo_proc_check_remote_thread_create_t *mpo_proc_check_remote_thread_create; 5983 5984 mpo_socket_check_accept_t *mpo_socket_check_accept; 5985 mpo_socket_check_accepted_t *mpo_socket_check_accepted; 5986 mpo_socket_check_bind_t *mpo_socket_check_bind; 5987 mpo_socket_check_connect_t *mpo_socket_check_connect; 5988 mpo_socket_check_create_t *mpo_socket_check_create; 5989 mpo_reserved_hook_t *mpo_reserved46; 5990 mpo_reserved_hook_t *mpo_reserved47; 5991 mpo_reserved_hook_t *mpo_reserved48; 5992 mpo_socket_check_listen_t *mpo_socket_check_listen; 5993 mpo_socket_check_receive_t *mpo_socket_check_receive; 5994 mpo_socket_check_received_t *mpo_socket_check_received; 5995 mpo_reserved_hook_t *mpo_reserved49; 5996 mpo_socket_check_send_t *mpo_socket_check_send; 5997 mpo_socket_check_stat_t *mpo_socket_check_stat; 5998 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt; 5999 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt; 6000 6001 mpo_proc_check_get_movable_control_port_t *mpo_proc_check_get_movable_control_port; 6002 mpo_proc_check_dyld_process_info_notify_register_t *mpo_proc_check_dyld_process_info_notify_register; 6003 mpo_proc_check_setuid_t *mpo_proc_check_setuid; 6004 mpo_proc_check_seteuid_t *mpo_proc_check_seteuid; 6005 mpo_proc_check_setreuid_t *mpo_proc_check_setreuid; 6006 mpo_proc_check_setgid_t *mpo_proc_check_setgid; 6007 mpo_proc_check_setegid_t *mpo_proc_check_setegid; 6008 mpo_proc_check_setregid_t *mpo_proc_check_setregid; 6009 mpo_proc_check_settid_t *mpo_proc_check_settid; 
6010 mpo_proc_check_memorystatus_control_t *mpo_proc_check_memorystatus_control; 6011 mpo_reserved_hook_t *mpo_reserved60; 6012 6013 mpo_thread_telemetry_t *mpo_thread_telemetry; 6014 6015 mpo_iokit_check_open_service_t *mpo_iokit_check_open_service; 6016 6017 mpo_system_check_acct_t *mpo_system_check_acct; 6018 mpo_system_check_audit_t *mpo_system_check_audit; 6019 mpo_system_check_auditctl_t *mpo_system_check_auditctl; 6020 mpo_system_check_auditon_t *mpo_system_check_auditon; 6021 mpo_system_check_host_priv_t *mpo_system_check_host_priv; 6022 mpo_system_check_nfsd_t *mpo_system_check_nfsd; 6023 mpo_system_check_reboot_t *mpo_system_check_reboot; 6024 mpo_system_check_settime_t *mpo_system_check_settime; 6025 mpo_system_check_swapoff_t *mpo_system_check_swapoff; 6026 mpo_system_check_swapon_t *mpo_system_check_swapon; 6027 mpo_socket_check_ioctl_t *mpo_socket_check_ioctl; 6028 6029 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate; 6030 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy; 6031 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init; 6032 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle; 6033 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue; 6034 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv; 6035 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid; 6036 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl; 6037 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget; 6038 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv; 6039 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd; 6040 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate; 6041 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy; 6042 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init; 6043 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle; 6044 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl; 6045 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget; 6046 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop; 6047 
mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate; 6048 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy; 6049 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init; 6050 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle; 6051 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat; 6052 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl; 6053 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt; 6054 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget; 6055 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate; 6056 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy; 6057 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init; 6058 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle; 6059 6060 mpo_proc_notify_exit_t *mpo_proc_notify_exit; 6061 mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert; 6062 mpo_vnode_check_getattr_t *mpo_vnode_check_getattr; 6063 mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create; 6064 mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete; 6065 mpo_vnode_check_clone_t *mpo_vnode_check_clone; 6066 mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info; 6067 mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info; 6068 6069 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control; 6070 6071 mpo_vnode_check_access_t *mpo_vnode_check_access; 6072 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; 6073 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; 6074 mpo_vnode_check_create_t *mpo_vnode_check_create; 6075 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr; 6076 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata; 6077 mpo_vnode_check_exec_t *mpo_vnode_check_exec; 6078 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist; 6079 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr; 6080 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl; 6081 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter; 6082 mpo_vnode_check_label_update_t 
*mpo_vnode_check_label_update; 6083 mpo_vnode_check_link_t *mpo_vnode_check_link; 6084 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; 6085 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; 6086 mpo_vnode_check_open_t *mpo_vnode_check_open; 6087 mpo_vnode_check_read_t *mpo_vnode_check_read; 6088 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; 6089 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink; 6090 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from; 6091 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to; 6092 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke; 6093 mpo_vnode_check_select_t *mpo_vnode_check_select; 6094 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist; 6095 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr; 6096 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags; 6097 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode; 6098 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; 6099 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; 6100 mpo_vnode_check_stat_t *mpo_vnode_check_stat; 6101 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; 6102 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink; 6103 mpo_vnode_check_write_t *mpo_vnode_check_write; 6104 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs; 6105 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr; 6106 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file; 6107 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe; 6108 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem; 6109 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm; 6110 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel; 6111 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket; 6112 mpo_vnode_label_copy_t *mpo_vnode_label_copy; 6113 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy; 6114 mpo_vnode_label_externalize_audit_t 
*mpo_vnode_label_externalize_audit; 6115 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize; 6116 mpo_vnode_label_init_t *mpo_vnode_label_init; 6117 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize; 6118 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle; 6119 mpo_vnode_label_store_t *mpo_vnode_label_store; 6120 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr; 6121 mpo_vnode_label_update_t *mpo_vnode_label_update; 6122 mpo_vnode_notify_create_t *mpo_vnode_notify_create; 6123 mpo_vnode_check_signature_t *mpo_vnode_check_signature; 6124 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind; 6125 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect; 6126 6127 mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid; 6128 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume; 6129 6130 mpo_thread_userret_t *mpo_thread_userret; 6131 6132 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties; 6133 6134 mpo_vnode_check_supplemental_signature_t *mpo_vnode_check_supplemental_signature; 6135 6136 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs; 6137 6138 mpo_priv_check_t *mpo_priv_check; 6139 mpo_priv_grant_t *mpo_priv_grant; 6140 6141 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon; 6142 6143 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath; 6144 6145 mpo_iokit_check_open_t *mpo_iokit_check_open; 6146 6147 mpo_proc_check_ledger_t *mpo_proc_check_ledger; 6148 6149 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename; 6150 6151 mpo_vnode_check_setacl_t *mpo_vnode_check_setacl; 6152 6153 mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr; 6154 6155 mpo_system_check_kas_info_t *mpo_system_check_kas_info; 6156 6157 mpo_vnode_check_lookup_preflight_t *mpo_vnode_check_lookup_preflight; 6158 6159 mpo_vnode_notify_open_t *mpo_vnode_notify_open; 6160 6161 mpo_system_check_info_t *mpo_system_check_info; 6162 6163 mpo_pty_notify_grant_t *mpo_pty_notify_grant; 6164 mpo_pty_notify_close_t 
*mpo_pty_notify_close; 6165 6166 mpo_vnode_find_sigs_t *mpo_vnode_find_sigs; 6167 6168 mpo_kext_check_load_t *mpo_kext_check_load; 6169 mpo_kext_check_unload_t *mpo_kext_check_unload; 6170 6171 mpo_proc_check_proc_info_t *mpo_proc_check_proc_info; 6172 mpo_vnode_notify_link_t *mpo_vnode_notify_link; 6173 mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties; 6174 mpo_iokit_check_get_property_t *mpo_iokit_check_get_property; 6175 }; 6176 6177 /** 6178 * @brief MAC policy handle type 6179 * 6180 * The MAC handle is used to uniquely identify a loaded policy within 6181 * the MAC Framework. 6182 * 6183 * A variable of this type is set by mac_policy_register(). 6184 */ 6185 typedef unsigned int mac_policy_handle_t; 6186 6187 #define mpc_t struct mac_policy_conf * 6188 6189 /** 6190 * @brief MAC policy configuration 6191 * 6192 * This structure specifies the configuration information for a 6193 * MAC policy module. A policy module developer must supply 6194 * a short unique policy name, a more descriptive full name, a list of label 6195 * namespaces and count, a pointer to the registered entry point operations, 6196 * any load time flags, and optionally, a pointer to a label slot identifier. 6197 * 6198 * The Framework will update the runtime flags (mpc_runtime_flags) to 6199 * indicate that the module has been registered. 6200 * 6201 * If the label slot identifier (mpc_field_off) is NULL, the Framework 6202 * will not provide label storage for the policy. Otherwise, the 6203 * Framework will store the label location (slot) in this field. 6204 * 6205 * The mpc_list field is used by the Framework and should not be 6206 * modified by policies.
*/
/* XXX - reorder these for better alignment on 64bit platforms */
/*
 * NOTE(review): policies hand this structure to mac_policy_register() by
 * pointer (MAC_POLICY_SET below builds it inside the kext), so its layout
 * is shared between separately built policy kexts and the Framework; any
 * reordering has to be coordinated with a rebuild of both sides.
 */
struct mac_policy_conf {
	const char		*mpc_name;		/** short unique policy name; MAC_POLICY_SET fills it from the stringified mpname argument */
	const char		*mpc_fullname;		/** descriptive full name */
	char const * const	*mpc_labelnames;	/** managed label namespaces, mpc_labelname_count entries */
	unsigned int		 mpc_labelname_count;	/** number of managed label namespaces */
	const struct mac_policy_ops	*mpc_ops;	/** operation vector; entry points the policy does not declare are skipped by the Framework (see the file header) */
	int			 mpc_loadtime_flags;	/** load time flags, MPC_LOADTIME_FLAG_* below */
	int			*mpc_field_off;		/** label slot: NULL means the policy gets no label storage, otherwise the Framework stores the assigned slot here */
	int			 mpc_runtime_flags;	/** run time flags, updated by the Framework (MPC_RUNTIME_FLAG_REGISTERED) */
	mpc_t			 mpc_list;		/** Framework-owned list link; policies must not touch it */
	void			*mpc_data;		/** module data; presumably private to the policy — confirm */
};

/**
 * @brief MAC policy module registration routine
 *
 * This function is called to register a policy with the
 * MAC framework. A policy module will typically call this from the
 * Darwin KEXT registration routine (MAC_POLICY_SET generates exactly
 * such a call in its kmod_start()).
 *
 * @param mpc     the policy's configuration; the Framework links it into
 *                its policy list through mpc_list and updates
 *                mpc_runtime_flags and, when non-NULL, *mpc_field_off, so
 *                the structure presumably has to stay valid until the
 *                policy is unregistered
 * @param handlep receives the handle that identifies the policy in later
 *                calls (mac_policy_unregister(), mac_audit_text())
 * @param xd      kext data pointer, passed through from kmod_start()
 * @return        status usable as a kern_return_t; the individual error
 *                values are not documented here
 *
 * Registration of a policy flagged MPC_LOADTIME_FLAG_NOTLATE is
 * rejected once the boot process is over (see the flag below).
 */
int mac_policy_register(struct mac_policy_conf *mpc,
    mac_policy_handle_t *handlep, void *xd);

/**
 * @brief MAC policy module de-registration routine
 *
 * This function is called to de-register a policy with the
 * MAC framework. A policy module will typically call this from the
 * Darwin KEXT de-registration routine.
 *
 * @param handle the handle filled in by mac_policy_register()
 * @return       status usable as a kern_return_t
 *
 * Unload requests are refused for policies registered without
 * MPC_LOADTIME_FLAG_UNLOADOK (see the flag below).
 */
int mac_policy_unregister(mac_policy_handle_t handle);

/*
 * Framework entry points for the policies to add audit data.
 *
 * text:   audit text supplied by the policy; at most MAC_AUDIT_DATA_LIMIT
 *         bytes of it are logged (see below).  The parameter is not
 *         const-qualified — NOTE(review): confirm whether the Framework
 *         writes to the buffer before passing string literals.
 * handle: the calling policy's registration handle.
 */
int mac_audit_text(char *text, mac_policy_handle_t handle);

/*
 * Calls to assist with use of Apple XATTRs within policy modules.
 *
 * These take the target vnode, the attribute name, the value buffer and
 * its size; mac_vnop_getxattr() additionally returns the full attribute
 * size through its last argument.  They presumably mirror the
 * mac_file_{set,get,remove}xattr() entry points documented below
 * (including the iocount requirement) — confirm against the
 * implementation.
 */
int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t);
int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t,
    size_t *);
int mac_vnop_removexattr(struct vnode *, const char *);

/**
 * @brief Set an extended attribute on a vnode-based fileglob.
 * @param fg fileglob representing file to attach the extended attribute
 * @param name extended attribute name
 * @param buf buffer of data to use as the extended attribute value
 * @param len size of buffer
 *
 * Sets the value of an extended attribute on a file.
 *
 * Caller must hold an iocount on the vnode represented by the fileglob.
 */
#ifdef KERNEL_PRIVATE
int mac_file_setxattr(struct fileglob *fg, const char *name, char *buf, size_t len);
#endif

/**
 * @brief Get an extended attribute from a vnode-based fileglob.
 * @param fg fileglob representing file to read the extended attribute
 * @param name extended attribute name
 * @param buf buffer of data to hold the extended attribute value
 * @param len size of buffer
 * @param attrlen size of full extended attribute value
 *
 * Gets the value of an extended attribute on a file.
 *
 * Caller must hold an iocount on the vnode represented by the fileglob.
 *
 * NOTE(review): what happens when the full value is larger than len
 * (truncation versus an error) is not documented here; compare *attrlen
 * with len before trusting the contents of buf.
 */
#ifdef KERNEL_PRIVATE
int mac_file_getxattr(struct fileglob *fg, const char *name, char *buf, size_t len,
    size_t *attrlen);
#endif

/**
 * @brief Remove an extended attribute from a vnode-based fileglob.
 * @param fg fileglob representing file to remove the extended attribute
 * @param name extended attribute name
 *
 * Removes the named extended attribute from the file.
 *
 * Caller must hold an iocount on the vnode represented by the fileglob.
 */
#ifdef KERNEL_PRIVATE
int mac_file_removexattr(struct fileglob *fg, const char *name);
#endif

/*
 * Arbitrary limit on how much data will be logged by the audit
 * entry points above.  Longer text handed to mac_audit_text() is not
 * logged in full, so policies should keep audit strings below this.
 */
#define MAC_AUDIT_DATA_LIMIT	1024

/*
 * Values returned by mac_audit_{pre,post}select. To combine the responses
 * of the security policies into a single decision,
 * mac_audit_{pre,post}select() choose the greatest value returned.
 *
 * Because the greatest value wins, MAC_AUDIT_YES from a single policy
 * overrides MAC_AUDIT_NO from every other policy, and MAC_AUDIT_DEFAULT
 * only applies when no policy asks for anything else.
 */
#define MAC_AUDIT_DEFAULT	0	/* use system behavior */
#define MAC_AUDIT_NO		1	/* force not auditing this event */
#define MAC_AUDIT_YES		2	/* force auditing this event */

// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field

/**
 * @name Flags for the mpc_loadtime_flags field
 * @see mac_policy_conf
 *
 * This is the complete list of flags that are supported by the
 * mpc_loadtime_flags field of the mac_policy_conf structure. These
 * flags specify the load time behavior of MAC Framework policy
 * modules.
 */

/*@{*/

/**
 * @brief Flag to indicate registration preference
 *
 * This flag indicates that the policy module must be loaded and
 * initialized early in the boot process. If the flag is specified,
 * attempts to register the module following boot will be rejected. The
 * flag may be used by policies that require pervasive labeling of all
 * system objects, and cannot handle objects that have not been
 * properly initialized by the policy.
 */
#define MPC_LOADTIME_FLAG_NOTLATE	0x00000001

/**
 * @brief Flag to indicate unload preference
 *
 * This flag indicates that the policy module may be unloaded. If this
 * flag is not set, then the policy framework will reject requests to
 * unload the module. This flag might be used by modules that allocate
 * label state and are unable to free that state at runtime, or for
 * modules that simply do not want to permit unload operations.
 */
#define MPC_LOADTIME_FLAG_UNLOADOK	0x00000002

/**
 * @brief Unsupported
 *
 * XXX This flag is not yet supported.
*/
#define MPC_LOADTIME_FLAG_LABELMBUFS	0x00000004

/**
 * @brief Flag to indicate a base policy
 *
 * This flag indicates that the policy module is a base policy. Only
 * one module can declare itself as base, otherwise the boot process
 * will be halted.
 */
#define MPC_LOADTIME_BASE_POLICY	0x00000008

/*@}*/

/**
 * @brief Policy registration flag
 * @see mac_policy_conf
 *
 * This flag indicates that the policy module has been successfully
 * registered with the TrustedBSD MAC Framework. The Framework will
 * set this flag in the mpc_runtime_flags field of the policy's
 * mac_policy_conf structure after registering the policy.
 */
#define MPC_RUNTIME_FLAG_REGISTERED	0x00000001

/*
 * Depends on POLICY_VER
 *
 * MAC_POLICY_SET embeds POLICY_VER in its KMOD_EXPLICIT_DECL; a policy
 * that wants a different version defines POLICY_VER before including
 * this header, otherwise the default below applies.
 */

#ifndef POLICY_VER
#define POLICY_VER 1.0
#endif

/**
 * @brief Declare a MAC policy kext in one step
 *
 * Expands to the policy's static mac_policy_conf, kmod_start()/kmod_stop()
 * wrappers that call mac_policy_register()/mac_policy_unregister(), and
 * the KMOD_EXPLICIT_DECL boilerplate.  The invocation must be followed by
 * a semicolon (the expansion ends in an unterminated declaration).
 *
 * @param handle     lvalue of type mac_policy_handle_t; filled in by
 *                   mac_policy_register() and read back by kmod_stop()
 * @param mpops      pointer to the policy's struct mac_policy_ops
 * @param mpname     bare identifier: stringified for mpc_name, pasted into
 *                   the mac_policy_conf variable name and used in the
 *                   kmod bundle identifier security.mpname
 * @param mpfullname descriptive full name
 * @param lnames     managed label namespaces
 * @param lcount     number of entries in lnames
 * @param slot       int * receiving the label slot, or NULL for no label
 *                   storage
 * @param lflags     MPC_LOADTIME_FLAG_* bits
 * @param rflags     initial mpc_runtime_flags; the Framework sets
 *                   MPC_RUNTIME_FLAG_REGISTERED itself
 *
 * The xd argument of kmod_start() is passed through unchanged to
 * mac_policy_register().
 */
#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \
	static struct mac_policy_conf mpname##_mac_policy_conf = {	\
		.mpc_name		= #mpname,				\
		.mpc_fullname		= mpfullname,				\
		.mpc_labelnames		= lnames,				\
		.mpc_labelname_count	= lcount,				\
		.mpc_ops		= mpops,				\
		.mpc_loadtime_flags	= lflags,				\
		.mpc_field_off		= slot,					\
		.mpc_runtime_flags	= rflags				\
	};								\
									\
	static kern_return_t						\
	kmod_start(kmod_info_t *ki, void *xd)				\
	{								\
		return mac_policy_register(&mpname##_mac_policy_conf,	\
		    &handle, xd);					\
	}								\
									\
	static kern_return_t						\
	kmod_stop(kmod_info_t *ki, void *xd)				\
	{								\
		return mac_policy_unregister(handle);			\
	}								\
									\
	extern kern_return_t _start(kmod_info_t *ki, void *data);	\
	extern kern_return_t _stop(kmod_info_t *ki, void *data);	\
									\
	KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop)	\
	kmod_start_func_t *_realmain = kmod_start;			\
	kmod_stop_func_t *_antimain = kmod_stop;			\
	int _kext_apple_cc = __APPLE_CC__

/*
 * Policy interface to map a struct label pointer to per-policy data.
 * Typically, policies wrap this in their own accessor macro that casts an
 * intptr_t to a policy-specific data type.
 *
 * slot is presumably the value the Framework stored through mpc_field_off
 * at registration.  The flags argument of the mac_labelzone_alloc*()
 * routines is presumably MAC_WAITOK or MAC_NOWAIT (see below) — confirm.
 */
#ifdef KERNEL_PRIVATE
struct label * mac_label_verify(struct label **labelp);
intptr_t        mac_label_get(struct label *l, int slot);
/*
 * Sets a label slot to the given pointer value, `v`. `v` cannot be `~0ULL`.
 * NOTE(review): ~0ULL looks like a reserved sentinel (compare the
 * `sentinel` argument of mac_vnode_label_get()); never store it as a
 * legitimate value.
 */
void            mac_label_set(struct label *l, int slot, intptr_t v);
struct label * mac_labelzone_alloc(int flags);
struct label * mac_labelzone_alloc_for_owner(struct label **labelp, int flags,
    void (^extra_setup)(struct label *));
struct label * mac_labelzone_alloc_owned(struct label **labelp, int flags,
    void (^extra_setup)(struct label *));
void            mac_labelzone_free(struct label *l);
void            mac_labelzone_free_owned(struct label **labelp,
    void (^extra_deinit)(struct label *));
intptr_t        mac_vnode_label_get(struct vnode *vp, int slot, intptr_t sentinel);
void            mac_vnode_label_set(struct vnode *vp, int slot, intptr_t v);
#endif

/*
 * Look up the mac_policy_conf registered under handle h.  This indexes
 * mac_policy_list.entries with no bounds or liveness check, so h must be
 * a handle obtained from mac_policy_register() for a policy that is
 * still registered; any other value is an out-of-bounds or stale read.
 */
#define mac_get_mpc(h)          (mac_policy_list.entries[h].mpc)

/**
 * @name Flags for MAC allocator interfaces
 *
 * These flags are passed to the Darwin kernel allocator routines to
 * indicate whether the allocation is permitted to block or not.
 * Caution should be taken; some operations are not permitted to sleep,
 * and some types of locks cannot be held when sleeping.
 */

/*@{*/

/**
 * @brief Allocation operations may block
 *
 * If memory is not immediately available, the allocation routine
 * will block (typically sleeping) until memory is available.
 *
 * @warning Inappropriate use of this flag may cause kernel panics.
*/
#define MAC_WAITOK	0

/**
 * @brief Allocation operations may not block
 *
 * Rather than blocking, the allocator may return an error if memory
 * is not immediately available. This type of allocation will not
 * sleep, preserving locking semantics.  Callers passing this flag must
 * therefore check for and handle a failed allocation.
 */
#define MAC_NOWAIT	1

/*@}*/

#endif /* !_SECURITY_MAC_POLICY_H_ */