1 /* 2 * Copyright (c) 2007-2016 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28 /*- 29 * Copyright (c) 1999-2002 Robert N. M. Watson 30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 31 * Copyright (c) 2005-2007 SPARTA, Inc. 32 * All rights reserved. 33 * 34 * This software was developed by Robert Watson for the TrustedBSD Project. 35 * 36 * This software was developed for the FreeBSD Project in part by Network 37 * Associates Laboratories, the Security Research Division of Network 38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 39 * as part of the DARPA CHATS research program. 40 * 41 * This software was enhanced by SPARTA ISSO under SPAWAR contract 42 * N66001-04-C-6019 ("SEFOS"). 43 * 44 * Redistribution and use in source and binary forms, with or without 45 * modification, are permitted provided that the following conditions 46 * are met: 47 * 1. Redistributions of source code must retain the above copyright 48 * notice, this list of conditions and the following disclaimer. 49 * 2. Redistributions in binary form must reproduce the above copyright 50 * notice, this list of conditions and the following disclaimer in the 51 * documentation and/or other materials provided with the distribution. 52 * 53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 63 * SUCH DAMAGE. 64 * 65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $ 66 */ 67 68 /** 69 * @file mac_policy.h 70 * @brief Kernel Interfaces for MAC policy modules 71 * 72 * This header defines the list of operations that are defined by the 73 * TrustedBSD MAC Framwork on Darwin. MAC Policy modules register 74 * with the framework to declare interest in a specific set of 75 * operations. If interest in an entry point is not declared, then 76 * the policy will be ignored when the Framework evaluates that entry 77 * point. 78 */ 79 80 #ifndef _SECURITY_MAC_POLICY_H_ 81 #define _SECURITY_MAC_POLICY_H_ 82 83 #ifndef PRIVATE 84 #warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version" 85 #endif 86 87 #include <security/_label.h> 88 #include <kern/cs_blobs.h> 89 90 struct attrlist; 91 struct auditinfo; 92 struct bpf_d; 93 struct cs_blob; 94 struct devnode; 95 struct exception_action; 96 struct fileglob; 97 struct ifnet; 98 struct inpcb; 99 struct ipq; 100 struct label; 101 struct mac_policy_conf; 102 struct mbuf; 103 struct mount; 104 struct msg; 105 struct msqid_kernel; 106 struct pipe; 107 struct pseminfo; 108 struct pshminfo; 109 struct sbuf; 110 struct semid_kernel; 111 struct shmid_kernel; 112 struct socket; 113 struct sockopt; 114 struct task; 115 struct thread; 116 struct tty; 117 struct ucred; 118 struct vfs_attr; 119 struct vnode; 120 struct sockaddr; 121 /** @struct dummy */ 122 123 124 /* 125 * proc_ident_t support, see: rdar://problem/58928152 126 * Should be removed once all dependent parties adopt 127 * proc_ident_t. 128 */ 129 #define MAC_PROC_IDENT_SUPPORT 130 131 #ifndef _KAUTH_CRED_T 132 #define _KAUTH_CRED_T 133 typedef struct ucred *kauth_cred_t; 134 #endif /* !_KAUTH_CRED_T */ 135 136 #ifndef __IOKIT_PORTS_DEFINED__ 137 #define __IOKIT_PORTS_DEFINED__ 138 #ifdef __cplusplus 139 class OSObject; 140 typedef OSObject *io_object_t; 141 #else 142 struct OSObject; 143 typedef struct OSObject *io_object_t; 144 #endif 145 #endif /* __IOKIT_PORTS_DEFINED__ */ 146 147 /*- 148 * MAC entry points are generally named using the following template: 149 * 150 * mpo_<object>_<operation>() 151 * 152 * or: 153 * 154 * mpo_<object>_check_<operation>() 155 * 156 * Entry points are sorted by object type. 157 * 158 * It may be desirable also to consider some subsystems as "objects", such 159 * as system, iokit, etc. 160 */ 161 162 /** 163 * @name Entry Points for Label Management 164 * 165 * These are the entry points corresponding to the life cycle events for 166 * kernel objects, such as initialization, creation, and destruction. 167 * 168 * Most policies (that use labels) will initialize labels by allocating 169 * space for policy-specific data. In most cases, it is permitted to 170 * sleep during label initialization operations; it will be noted when 171 * it is not permitted. 172 * 173 * Initialization usually will not require doing more than allocating a 174 * generic label for the given object. What follows initialization is 175 * creation, where a label is made specific to the object it is associated 176 * with. Destruction occurs when the label is no longer needed, such as 177 * when the corresponding object is destroyed. All necessary cleanup should 178 * be performed in label destroy operations. 179 * 180 * Where possible, the label entry points have identical parameters. If 181 * the policy module does not require structure-specific label 182 * information, the same function may be registered in the policy 183 * operation vector. Many policies will implement two such generic 184 * allocation calls: one to handle sleepable requests, and one to handle 185 * potentially non-sleepable requests. 186 */ 187 188 189 /** 190 * @brief Audit event postselection 191 * @param cred Subject credential 192 * @param syscode Syscall number 193 * @param args Syscall arguments 194 * @param error Syscall errno 195 * @param retval Syscall return value 196 * 197 * This is the MAC Framework audit postselect, which is called before 198 * exiting a syscall to determine if an audit event should be committed. 199 * A return value of MAC_AUDIT_NO forces the audit record to be suppressed. 200 * Any other return value results in the audit record being committed. 201 * 202 * @warning The suppression behavior will probably go away in Apple's 203 * future version of the audit implementation. 204 * 205 * @return Return MAC_AUDIT_NO to force suppression of the audit record. 206 * Any other value results in the audit record being committed. 207 * 208 */ 209 typedef int mpo_audit_check_postselect_t( 210 kauth_cred_t cred, 211 unsigned short syscode, 212 void *args, 213 int error, 214 int retval 215 ); 216 /** 217 * @brief Audit event preselection 218 * @param cred Subject credential 219 * @param syscode Syscall number 220 * @param args Syscall arguments 221 * 222 * This is the MAC Framework audit preselect, which is called before a 223 * syscall is entered to determine if an audit event should be created. 224 * If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be 225 * returned. A return value of MAC_AUDIT_NO causes the audit record to 226 * be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants 227 * to defer to the system's existing preselection mechanism. 228 * 229 * When policies return different preferences, the Framework decides what action 230 * to take based on the following policy. If any policy returns MAC_AUDIT_YES, 231 * then create an audit record, else if any policy returns MAC_AUDIT_NO, then 232 * suppress the creations of an audit record, else defer to the system's 233 * existing preselection mechanism. 234 * 235 * @warning The audit implementation in Apple's current version is 236 * incomplete, so the MAC policies have priority over the system's existing 237 * mechanisms. This will probably change in the future version where 238 * the audit implementation is more complete. 239 * 240 * @return Return MAC_AUDIT_YES to force auditing of the syscall, 241 * MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT 242 * to allow auditing mechanisms to determine if the syscall is audited. 243 * 244 */ 245 typedef int mpo_audit_check_preselect_t( 246 kauth_cred_t cred, 247 unsigned short syscode, 248 void *args 249 ); 250 /** 251 * @brief Indicate desire to change the process label at exec time 252 * @param old Existing subject credential 253 * @param vp File being executed 254 * @param offset Offset of binary within file being executed 255 * @param scriptvp Script being executed by interpreter, if any. 256 * @param vnodelabel Label corresponding to vp 257 * @param scriptvnodelabel Script vnode label 258 * @param execlabel Userspace provided execution label 259 * @param p Object process 260 * @param macpolicyattr MAC policy-specific spawn attribute data 261 * @param macpolicyattrlen Length of policy-specific spawn attribute data 262 * @see mac_execve 263 * @see mpo_cred_label_update_execve_t 264 * @see mpo_vnode_check_exec_t 265 * 266 * Indicate whether this policy intends to update the label of a newly 267 * created credential from the existing subject credential (old). This 268 * call occurs when a process executes the passed vnode. If a policy 269 * returns success from this entry point, the mpo_cred_label_update_execve 270 * entry point will later be called with the same parameters. Access 271 * has already been checked via the mpo_vnode_check_exec entry point, 272 * this entry point is necessary to preserve kernel locking constraints 273 * during program execution. 274 * 275 * The supplied vnode and vnodelabel correspond with the file actually 276 * being executed; in the case that the file is interpreted (for 277 * example, a script), the label of the original exec-time vnode has 278 * been preserved in scriptvnodelabel. 279 * 280 * The final label, execlabel, corresponds to a label supplied by a 281 * user space application through the use of the mac_execve system call. 282 * 283 * The vnode lock is held during this operation. No changes should be 284 * made to the old credential structure. 285 * 286 * @warning Even if a policy returns 0, it should behave correctly in 287 * the presence of an invocation of mpo_cred_label_update_execve, as that 288 * call may happen as a result of another policy requesting a transition. 289 * 290 * @return Non-zero if a transition is required, 0 otherwise. 291 */ 292 typedef int mpo_cred_check_label_update_execve_t( 293 kauth_cred_t old, 294 struct vnode *vp, 295 off_t offset, 296 struct vnode *scriptvp, 297 struct label *vnodelabel, 298 struct label *scriptvnodelabel, 299 struct label *execlabel, 300 struct proc *p, 301 void *macpolicyattr, 302 size_t macpolicyattrlen 303 ); 304 /** 305 * @brief Access control check for relabelling processes 306 * @param cred Subject credential 307 * @param newlabel New label to apply to the user credential 308 * @see mpo_cred_label_update_t 309 * @see mac_set_proc 310 * 311 * Determine whether the subject identified by the credential can relabel 312 * itself to the supplied new label (newlabel). This access control check 313 * is called when the mac_set_proc system call is invoked. A user space 314 * application will supply a new value, the value will be internalized 315 * and provided in newlabel. 316 * 317 * @return Return 0 if access is granted, otherwise an appropriate value for 318 * errno should be returned. 319 */ 320 typedef int mpo_cred_check_label_update_t( 321 kauth_cred_t cred, 322 struct label *newlabel 323 ); 324 /** 325 * @brief Access control check for visibility of other subjects 326 * @param u1 Subject credential 327 * @param u2 Object credential 328 * 329 * Determine whether the subject identified by the credential u1 can 330 * "see" other subjects with the passed subject credential u2. This call 331 * may be made in a number of situations, including inter-process status 332 * sysctls used by ps, and in procfs lookups. 333 * 334 * @return Return 0 if access is granted, otherwise an appropriate value for 335 * errno should be returned. Suggested failure: EACCES for label mismatch, 336 * EPERM for lack of privilege, or ESRCH to hide visibility. 337 */ 338 typedef int mpo_cred_check_visible_t( 339 kauth_cred_t u1, 340 kauth_cred_t u2 341 ); 342 /** 343 * @brief Associate a credential with a new process at fork 344 * @param cred credential to inherited by new process 345 * @param proc the new process 346 * 347 * Allow a process to associate the credential with a new 348 * process for reference countng purposes. 349 * NOTE: the credential can be dis-associated in ways other 350 * than exit - so this strategy is flawed - should just 351 * catch label destroy callback. 352 */ 353 typedef void mpo_cred_label_associate_fork_t( 354 kauth_cred_t cred, 355 proc_t proc 356 ); 357 /** 358 * @brief Create the first process 359 * @param cred Subject credential to be labeled 360 * 361 * Create the subject credential of process 0, the parent of all BSD 362 * kernel processes. Policies should update the label in the 363 * previously initialized credential structure. 364 */ 365 typedef void mpo_cred_label_associate_kernel_t( 366 kauth_cred_t cred 367 ); 368 /** 369 * @brief Create a credential label 370 * @param parent_cred Parent credential 371 * @param child_cred Child credential 372 * 373 * Set the label of a newly created credential, most likely using the 374 * information in the supplied parent credential. 375 * 376 * @warning This call is made when crcopy or crdup is invoked on a 377 * newly created struct ucred, and should not be confused with a 378 * process fork or creation event. 379 */ 380 typedef void mpo_cred_label_associate_t( 381 kauth_cred_t parent_cred, 382 kauth_cred_t child_cred 383 ); 384 /** 385 * @brief Create the first process 386 * @param cred Subject credential to be labeled 387 * 388 * Create the subject credential of process 1, the parent of all BSD 389 * user processes. Policies should update the label in the previously 390 * initialized credential structure. This is the 'init' process. 391 */ 392 typedef void mpo_cred_label_associate_user_t( 393 kauth_cred_t cred 394 ); 395 /** 396 * @brief Destroy credential label 397 * @param label The label to be destroyed 398 * 399 * Destroy a user credential label. Since the user credential 400 * is going out of scope, policy modules should free any internal 401 * storage associated with the label so that it may be destroyed. 402 */ 403 typedef void mpo_cred_label_destroy_t( 404 struct label *label 405 ); 406 /** 407 * @brief Externalize a user credential label for auditing 408 * @param label Label to be externalized 409 * @param element_name Name of the label namespace for which labels should be 410 * externalized 411 * @param sb String buffer to be filled with a text representation of the label 412 * 413 * Produce an external representation of the label on a user credential for 414 * inclusion in an audit record. An externalized label consists of a text 415 * representation of the label contents that will be added to the audit record 416 * as part of a text token. Policy-agnostic user space tools will display 417 * this externalized version. 418 * 419 * @return 0 on success, return non-zero if an error occurs while 420 * externalizing the label data. 421 * 422 */ 423 typedef int mpo_cred_label_externalize_audit_t( 424 struct label *label, 425 char *element_name, 426 struct sbuf *sb 427 ); 428 /** 429 * @brief Externalize a user credential label 430 * @param label Label to be externalized 431 * @param element_name Name of the label namespace for which labels should be 432 * externalized 433 * @param sb String buffer to be filled with a text representation of the label 434 * 435 * Produce an external representation of the label on a user 436 * credential. An externalized label consists of a text representation 437 * of the label contents that can be used with user applications. 438 * Policy-agnostic user space tools will display this externalized 439 * version. 440 * 441 * @return 0 on success, return non-zero if an error occurs while 442 * externalizing the label data. 443 * 444 */ 445 typedef int mpo_cred_label_externalize_t( 446 struct label *label, 447 char *element_name, 448 struct sbuf *sb 449 ); 450 /** 451 * @brief Initialize user credential label 452 * @param label New label to initialize 453 * 454 * Initialize the label for a newly instantiated user credential. 455 * Sleeping is permitted. 456 */ 457 typedef void mpo_cred_label_init_t( 458 struct label *label 459 ); 460 /** 461 * @brief Internalize a user credential label 462 * @param label Label to be internalized 463 * @param element_name Name of the label namespace for which the label should 464 * be internalized 465 * @param element_data Text data to be internalized 466 * 467 * Produce a user credential label from an external representation. An 468 * externalized label consists of a text representation of the label 469 * contents that can be used with user applications. Policy-agnostic 470 * user space tools will forward text version to the kernel for 471 * processing by individual policy modules. 472 * 473 * The policy's internalize entry points will be called only if the 474 * policy has registered interest in the label namespace. 475 * 476 * @return 0 on success, Otherwise, return non-zero if an error occurs 477 * while internalizing the label data. 478 * 479 */ 480 typedef int mpo_cred_label_internalize_t( 481 struct label *label, 482 char *element_name, 483 char *element_data 484 ); 485 /** 486 * @brief Update credential at exec time 487 * @param old_cred Existing subject credential 488 * @param new_cred New subject credential to be labeled 489 * @param p Object process. 490 * @param vp File being executed 491 * @param offset Offset of binary within file being executed 492 * @param scriptvp Script being executed by interpreter, if any. 493 * @param vnodelabel Label corresponding to vp 494 * @param scriptvnodelabel Script vnode label 495 * @param execlabel Userspace provided execution label 496 * @param csflags Code signing flags to be set after exec 497 * @param macpolicyattr MAC policy-specific spawn attribute data. 498 * @param macpolicyattrlen Length of policy-specific spawn attribute data. 499 * @see mac_execve 500 * @see mpo_cred_check_label_update_execve_t 501 * @see mpo_vnode_check_exec_t 502 * 503 * Update the label of a newly created credential (new) from the 504 * existing subject credential (old). This call occurs when a process 505 * executes the passed vnode and one of the loaded policy modules has 506 * returned success from the mpo_cred_check_label_update_execve entry point. 507 * Access has already been checked via the mpo_vnode_check_exec entry 508 * point, this entry point is only used to update any policy state. 509 * 510 * The supplied vnode and vnodelabel correspond with the file actually 511 * being executed; in the case that the file is interpreted (for 512 * example, a script), the label of the original exec-time vnode has 513 * been preserved in scriptvnodelabel. 514 * 515 * The final label, execlabel, corresponds to a label supplied by a 516 * user space application through the use of the mac_execve system call. 517 * 518 * If non-NULL, the value pointed to by disjointp will be set to 0 to 519 * indicate that the old and new credentials are not disjoint, or 1 to 520 * indicate that they are. 521 * 522 * The vnode lock is held during this operation. No changes should be 523 * made to the old credential structure. 524 * @return 0 on success, Otherwise, return non-zero if update results in 525 * termination of child. 526 */ 527 typedef int mpo_cred_label_update_execve_t( 528 kauth_cred_t old_cred, 529 kauth_cred_t new_cred, 530 struct proc *p, 531 struct vnode *vp, 532 off_t offset, 533 struct vnode *scriptvp, 534 struct label *vnodelabel, 535 struct label *scriptvnodelabel, 536 struct label *execlabel, 537 u_int *csflags, 538 void *macpolicyattr, 539 size_t macpolicyattrlen, 540 int *disjointp 541 ); 542 /** 543 * @brief Update a credential label 544 * @param cred The existing credential 545 * @param newlabel A new label to apply to the credential 546 * @see mpo_cred_check_label_update_t 547 * @see mac_set_proc 548 * 549 * Update the label on a user credential, using the supplied new label. 550 * This is called as a result of a process relabel operation. Access 551 * control was already confirmed by mpo_cred_check_label_update. 552 */ 553 typedef void mpo_cred_label_update_t( 554 kauth_cred_t cred, 555 struct label *newlabel 556 ); 557 /** 558 * @brief Access control for launching a process with constraints 559 * @param curr_p The new process 560 * @param original_parent_id The pid of the original parent that spawned this process 561 * @param responsible_pid The pid of the responsible process that spawned this process 562 * @param macpolicyattr MAC policy-specific spawn attribute data 563 * @param macpolicyattrlen Length of policy-specific spawn attribute data 564 * @param fatal_failure_desc Description of fatal failure 565 * @param fatal_failure_desc_len Failure description len, failure is fatal if non-0 566 * 567 * Detemine whether the process being spawned adheres to the launch 568 * constraints (e.g. whether the process is spawned by launchd) and should 569 * be allowed to execute. This call occurs during execve or posix_spawn. 570 * 571 * @return Return 0 if process can be created, otherwise an appropriate value for 572 * errno should be returned. 573 */ 574 typedef int mpo_proc_check_launch_constraints_t( 575 proc_t curr_p, 576 pid_t original_parent_id, 577 pid_t responsible_pid, 578 void *macpolicyattr, 579 size_t macpolicyattrlen, 580 launch_constraint_data_t lcd, 581 char **fatal_failure_desc, size_t *fatal_failure_desc_len 582 ); 583 /** 584 * @brief Create a new devfs device 585 * @param dev Major and minor numbers of special file 586 * @param de "inode" of new device file 587 * @param label Destination label 588 * @param fullpath Path relative to mount (e.g. /dev) of new device file 589 * 590 * This entry point labels a new devfs device. The label will likely be based 591 * on the path to the device, or the major and minor numbers. 592 * The policy should store an appropriate label into 'label'. 593 */ 594 typedef void mpo_devfs_label_associate_device_t( 595 dev_t dev, 596 struct devnode *de, 597 struct label *label, 598 const char *fullpath 599 ); 600 /** 601 * @brief Create a new devfs directory 602 * @param dirname Name of new directory 603 * @param dirnamelen Length of 'dirname' 604 * @param de "inode" of new directory 605 * @param label Destination label 606 * @param fullpath Path relative to mount (e.g. /dev) of new directory 607 * 608 * This entry point labels a new devfs directory. The label will likely be 609 * based on the path of the new directory. The policy should store an appropriate 610 * label into 'label'. The devfs root directory is labelled in this way. 611 */ 612 typedef void mpo_devfs_label_associate_directory_t( 613 const char *dirname, 614 int dirnamelen, 615 struct devnode *de, 616 struct label *label, 617 const char *fullpath 618 ); 619 /** 620 * @brief Copy a devfs label 621 * @param src Source devfs label 622 * @param dest Destination devfs label 623 * 624 * Copy the label information from src to dest. The devfs file system 625 * often duplicates (splits) existing device nodes rather than creating 626 * new ones. 627 */ 628 typedef void mpo_devfs_label_copy_t( 629 struct label *src, 630 struct label *dest 631 ); 632 /** 633 * @brief Destroy devfs label 634 * @param label The label to be destroyed 635 * 636 * Destroy a devfs entry label. Since the object is going out 637 * of scope, policy modules should free any internal storage associated 638 * with the label so that it may be destroyed. 639 */ 640 typedef void mpo_devfs_label_destroy_t( 641 struct label *label 642 ); 643 /** 644 * @brief Initialize devfs label 645 * @param label New label to initialize 646 * 647 * Initialize the label for a newly instantiated devfs entry. Sleeping 648 * is permitted. 649 */ 650 typedef void mpo_devfs_label_init_t( 651 struct label *label 652 ); 653 /** 654 * @brief Update a devfs label after relabelling its vnode 655 * @param mp Devfs mount point 656 * @param de Affected devfs directory entry 657 * @param delabel Label of devfs directory entry 658 * @param vp Vnode associated with de 659 * @param vnodelabel New label of vnode 660 * 661 * Update a devfs label when its vnode is manually relabelled, 662 * for example with setfmac(1). Typically, this will simply copy 663 * the vnode label into the devfs label. 664 */ 665 typedef void mpo_devfs_label_update_t( 666 struct mount *mp, 667 struct devnode *de, 668 struct label *delabel, 669 struct vnode *vp, 670 struct label *vnodelabel 671 ); 672 /** 673 * @brief Access control for sending an exception to an exception action 674 * @param crashlabel The crashing process's label 675 * @param action Exception action 676 * @param exclabel Policy label for exception action 677 * 678 * Determine whether the the exception message caused by the victim 679 * process can be sent to the exception action. The policy may compare 680 * credentials in the crashlabel, which are derived from the process at 681 * the time the exception occurs, with the credentials in the exclabel, 682 * which was set at the time the exception port was set, to determine 683 * its decision. Note that any process from which the policy derived 684 * any credentials may not exist anymore at the time of this policy 685 * operation. Sleeping is permitted. 686 * 687 * @return Return 0 if the message can be sent, otherwise an 688 * appropriate value for errno should be returned. 689 */ 690 typedef int mpo_exc_action_check_exception_send_t( 691 struct label *crashlabel, 692 struct exception_action *action, 693 struct label *exclabel 694 ); 695 /** 696 * @brief Associate an exception action label 697 * @param action Exception action to label 698 * @param exclabel Policy label to be filled in for exception action 699 * 700 * Set the label on an exception action. 701 */ 702 typedef void mpo_exc_action_label_associate_t( 703 struct exception_action *action, 704 struct label *exclabel 705 ); 706 /** 707 * @brief Destroy exception action label 708 * @param label The label to be destroyed 709 * 710 * Destroy the label on an exception action. Since the object is going 711 * out of scope, policy modules should free any internal storage 712 * associated with the label so that it may be destroyed. Sleeping is 713 * permitted. 714 */ 715 typedef void mpo_exc_action_label_destroy_t( 716 struct label *label 717 ); 718 /** 719 * @brief Populate an exception action label with process credentials 720 * @param label The label to be populated 721 * @param proc Process to derive credentials from 722 * 723 * Populate a label with credentials derived from a process. At 724 * exception delivery time, the policy should compare credentials of the 725 * process that set an exception ports with the credentials of the 726 * process or corpse that experienced the exception. Note that the 727 * process that set the port may not exist at that time anymore, so 728 * labels should carry copies of live credentials if necessary. 729 */ 730 typedef void mpo_exc_action_label_populate_t( 731 struct label *label, 732 struct proc *proc 733 ); 734 /** 735 * @brief Initialize exception action label 736 * @param label New label to initialize 737 * 738 * Initialize a label for an exception action. Usually performs 739 * policy specific allocations. Sleeping is permitted. 740 */ 741 typedef int mpo_exc_action_label_init_t( 742 struct label *label 743 ); 744 /** 745 * @brief Update the label on an exception action 746 * @param action Exception action that the label belongs to (may be 747 * NULL if none) 748 * @param label Policy label to update 749 * @param newlabel New label for update 750 * 751 * Update the credentials of an exception action from the given 752 * label. The policy should copy over any credentials (process and 753 * otherwise) from the new label into the label to update. Must not 754 * sleep, must be quick and can be called with locks held. 755 */ 756 typedef int mpo_exc_action_label_update_t( 757 struct exception_action *action, 758 struct label *label, 759 struct label *newlabel 760 ); 761 /** 762 * @brief Access control for changing the offset of a file descriptor 763 * @param cred Subject credential 764 * @param fg Fileglob structure 765 * @param label Policy label for fg 766 * 767 * Determine whether the subject identified by the credential can 768 * change the offset of the file represented by fg. 769 * 770 * @return Return 0 if access if granted, otherwise an appropriate 771 * value for errno should be returned. 772 */ 773 typedef int mpo_file_check_change_offset_t( 774 kauth_cred_t cred, 775 struct fileglob *fg, 776 struct label *label 777 ); 778 /** 779 * @brief Access control for creating a file descriptor 780 * @param cred Subject credential 781 * 782 * Determine whether the subject identified by the credential can 783 * allocate a new file descriptor. 784 * 785 * @return Return 0 if access if granted, otherwise an appropriate 786 * value for errno should be returned. 787 */ 788 typedef int mpo_file_check_create_t( 789 kauth_cred_t cred 790 ); 791 /** 792 * @brief Access control for duplicating a file descriptor 793 * @param cred Subject credential 794 * @param fg Fileglob structure 795 * @param label Policy label for fg 796 * @param newfd New file descriptor number 797 * 798 * Determine whether the subject identified by the credential can 799 * duplicate the fileglob structure represented by fg and as file 800 * descriptor number newfd. 801 * 802 * @return Return 0 if access if granted, otherwise an appropriate 803 * value for errno should be returned. 804 */ 805 typedef int mpo_file_check_dup_t( 806 kauth_cred_t cred, 807 struct fileglob *fg, 808 struct label *label, 809 int newfd 810 ); 811 /** 812 * @brief Access control check for fcntl 813 * @param cred Subject credential 814 * @param fg Fileglob structure 815 * @param label Policy label for fg 816 * @param cmd Control operation to be performed; see fcntl(2) 817 * @param arg fcnt arguments; see fcntl(2) 818 * 819 * Determine whether the subject identified by the credential can perform 820 * the file control operation indicated by cmd. 821 * 822 * @return Return 0 if access is granted, otherwise an appropriate value for 823 * errno should be returned. 824 */ 825 typedef int mpo_file_check_fcntl_t( 826 kauth_cred_t cred, 827 struct fileglob *fg, 828 struct label *label, 829 int cmd, 830 user_long_t arg 831 ); 832 /** 833 * @brief Access control check for mac_get_fd 834 * @param cred Subject credential 835 * @param fg Fileglob structure 836 * @param elements Element buffer 837 * @param len Length of buffer 838 * 839 * Determine whether the subject identified by the credential should be allowed 840 * to get an externalized version of the label on the object indicated by fd. 841 * 842 * @return Return 0 if access is granted, otherwise an appropriate value for 843 * errno should be returned. 844 */ 845 typedef int mpo_file_check_get_t( 846 kauth_cred_t cred, 847 struct fileglob *fg, 848 char *elements, 849 size_t len 850 ); 851 /** 852 * @brief Access control for getting the offset of a file descriptor 853 * @param cred Subject credential 854 * @param fg Fileglob structure 855 * @param label Policy label for fg 856 * 857 * Determine whether the subject identified by the credential can 858 * get the offset of the file represented by fg. 859 * 860 * @return Return 0 if access if granted, otherwise an appropriate 861 * value for errno should be returned. 862 */ 863 typedef int mpo_file_check_get_offset_t( 864 kauth_cred_t cred, 865 struct fileglob *fg, 866 struct label *label 867 ); 868 /** 869 * @brief Access control for inheriting a file descriptor 870 * @param cred Subject credential 871 * @param fg Fileglob structure 872 * @param label Policy label for fg 873 * 874 * Determine whether the subject identified by the credential can 875 * inherit the fileglob structure represented by fg. 876 * 877 * @return Return 0 if access if granted, otherwise an appropriate 878 * value for errno should be returned. 879 */ 880 typedef int mpo_file_check_inherit_t( 881 kauth_cred_t cred, 882 struct fileglob *fg, 883 struct label *label 884 ); 885 /** 886 * @brief Access control check for file ioctl 887 * @param cred Subject credential 888 * @param fg Fileglob structure 889 * @param label Policy label for fg 890 * @param cmd The ioctl command; see ioctl(2) 891 * 892 * Determine whether the subject identified by the credential can perform 893 * the ioctl operation indicated by cmd. 894 * 895 * @warning Since ioctl data is opaque from the standpoint of the MAC 896 * framework, policies must exercise extreme care when implementing 897 * access control checks. 898 * 899 * @return Return 0 if access is granted, otherwise an appropriate value for 900 * errno should be returned. 901 * 902 */ 903 typedef int mpo_file_check_ioctl_t( 904 kauth_cred_t cred, 905 struct fileglob *fg, 906 struct label *label, 907 unsigned long cmd 908 ); 909 /** 910 * @brief Access control check for file locking 911 * @param cred Subject credential 912 * @param fg Fileglob structure 913 * @param label Policy label for fg 914 * @param op The lock operation (F_GETLK, F_SETLK, F_UNLK) 915 * @param fl The flock structure 916 * 917 * Determine whether the subject identified by the credential can perform 918 * the lock operation indicated by op and fl on the file represented by fg. 919 * 920 * @return Return 0 if access is granted, otherwise an appropriate value for 921 * errno should be returned. 922 * 923 */ 924 typedef int mpo_file_check_lock_t( 925 kauth_cred_t cred, 926 struct fileglob *fg, 927 struct label *label, 928 int op, 929 struct flock *fl 930 ); 931 /** 932 * @brief Check with library validation if a Mach-O slice is allowed to be combined into a proc. 933 * @param p Subject process 934 * @param fg Fileglob structure 935 * @param slice_offset offset of the code slice 936 * @param error_message error message returned to user-space in case of error (userspace pointer) 937 * @param error_message_size error message size 938 * 939 * It's a little odd that the MAC/kext writes into userspace since this 940 * implies there is only one MAC module that implements this, however 941 * the alternative is to allocate memory in xnu, in the hope that 942 * the MAC module will use it, or allocate in the MAC module and then 943 * free it in xnu. Neither of these is very appealing, so let's go with 944 * the slightly more hacky way. 945 * 946 * @return Return 0 if access is granted, otherwise an appropriate value for 947 * errno should be returned. 948 */ 949 typedef int mpo_file_check_library_validation_t( 950 struct proc *p, 951 struct fileglob *fg, 952 off_t slice_offset, 953 user_long_t error_message, 954 size_t error_message_size 955 ); 956 /** 957 * @brief Access control check for mapping a file 958 * @param cred Subject credential 959 * @param fg fileglob representing file to map 960 * @param label Policy label associated with vp 961 * @param prot mmap protections; see mmap(2) 962 * @param flags Type of mapped object; see mmap(2) 963 * @param maxprot Maximum rights 964 * 965 * Determine whether the subject identified by the credential should be 966 * allowed to map the file represented by fg with the protections specified 967 * in prot. The maxprot field holds the maximum permissions on the new 968 * mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. 969 * To avoid overriding prior access control checks, a policy should only 970 * remove flags from maxprot. 971 * 972 * @return Return 0 if access is granted, otherwise an appropriate value for 973 * errno should be returned. Suggested failure: EACCES for label mismatch or 974 * EPERM for lack of privilege. 975 */ 976 typedef int mpo_file_check_mmap_t( 977 kauth_cred_t cred, 978 struct fileglob *fg, 979 struct label *label, 980 int prot, 981 int flags, 982 uint64_t file_pos, 983 int *maxprot 984 ); 985 /** 986 * @brief Downgrade the mmap protections 987 * @param cred Subject credential 988 * @param fg file to map 989 * @param label Policy label associated with vp 990 * @param prot mmap protections to be downgraded 991 * 992 * Downgrade the mmap protections based on the subject and object labels. 993 */ 994 typedef void mpo_file_check_mmap_downgrade_t( 995 kauth_cred_t cred, 996 struct fileglob *fg, 997 struct label *label, 998 int *prot 999 ); 1000 /** 1001 * @brief Access control for receiving a file descriptor 1002 * @param cred Subject credential 1003 * @param fg Fileglob structure 1004 * @param label Policy label for fg 1005 * 1006 * Determine whether the subject identified by the credential can 1007 * receive the fileglob structure represented by fg. 1008 * 1009 * @return Return 0 if access if granted, otherwise an appropriate 1010 * value for errno should be returned. 1011 */ 1012 typedef int mpo_file_check_receive_t( 1013 kauth_cred_t cred, 1014 struct fileglob *fg, 1015 struct label *label 1016 ); 1017 /** 1018 * @brief Access control check for mac_set_fd 1019 * @param cred Subject credential 1020 * @param fg Fileglob structure 1021 * @param elements Elements buffer 1022 * @param len Length of elements buffer 1023 * 1024 * Determine whether the subject identified by the credential can 1025 * perform the mac_set_fd operation. The mac_set_fd operation is used 1026 * to associate a MAC label with a file. 1027 * 1028 * @return Return 0 if access is granted, otherwise an appropriate value for 1029 * errno should be returned. 1030 */ 1031 typedef int mpo_file_check_set_t( 1032 kauth_cred_t cred, 1033 struct fileglob *fg, 1034 char *elements, 1035 size_t len 1036 ); 1037 /** 1038 * @brief Inform MAC policies that file is being closed 1039 * @param cred Subject credential 1040 * @param fg Fileglob structure 1041 * @param label Policy label for fg 1042 * @param modified Boolean; 1 if file was modified, 0 otherwise 1043 * 1044 * Called when an open file is being closed, as a result of a call to 1045 * close(2), the process exiting, or exec(2) w/O_CLOEXEC set. 1046 */ 1047 typedef void mpo_file_notify_close_t( 1048 kauth_cred_t cred, 1049 struct fileglob *fg, 1050 struct label *label, 1051 int modified 1052 ); 1053 /** 1054 * @brief Create file label 1055 * @param cred Subject credential 1056 * @param fg Fileglob structure 1057 * @param label Policy label for fg 1058 */ 1059 typedef void mpo_file_label_associate_t( 1060 kauth_cred_t cred, 1061 struct fileglob *fg, 1062 struct label *label 1063 ); 1064 /** 1065 * @brief Destroy file label 1066 * @param label The label to be destroyed 1067 * 1068 * Destroy the label on a file descriptor. In this entry point, a 1069 * policy module should free any internal storage associated with 1070 * label so that it may be destroyed. 1071 */ 1072 typedef void mpo_file_label_destroy_t( 1073 struct label *label 1074 ); 1075 /** 1076 * @brief Initialize file label 1077 * @param label New label to initialize 1078 */ 1079 typedef void mpo_file_label_init_t( 1080 struct label *label 1081 ); 1082 /** 1083 * @brief Access control check for opening an I/O Kit device 1084 * @param cred Subject credential 1085 * @param user_client User client instance 1086 * @param user_client_type User client type 1087 * 1088 * Determine whether the subject identified by the credential can open an 1089 * I/O Kit device at the passed path of the passed user client class and 1090 * type. This check is performed after instantiating the user client. 1091 * See also mpo_iokit_check_open_service_t. 1092 * 1093 * @return Return 0 if access is granted, or an appropriate value for 1094 * errno should be returned. 1095 */ 1096 typedef int mpo_iokit_check_open_t( 1097 kauth_cred_t cred, 1098 io_object_t user_client, 1099 unsigned int user_client_type 1100 ); 1101 /** 1102 * @brief Access control check for opening an I/O Kit device 1103 * @param cred Subject credential 1104 * @param service Service instance 1105 * @param user_client_type User client type 1106 * 1107 * Determine whether the subject identified by the credential can open a 1108 * I/O Kit user client of the passed service and user client type. 1109 * This check is performed before instantiating the user client. See also 1110 * mpo_iokit_check_open_t. 1111 * 1112 * @return Return 0 if access is granted, or an appropriate value for 1113 * errno should be returned. 1114 */ 1115 typedef int mpo_iokit_check_open_service_t( 1116 kauth_cred_t cred, 1117 io_object_t service, 1118 unsigned int user_client_type 1119 ); 1120 /** 1121 * @brief Access control check for setting I/O Kit device properties 1122 * @param cred Subject credential 1123 * @param entry Target device 1124 * @param properties Property list 1125 * 1126 * Determine whether the subject identified by the credential can set 1127 * properties on an I/O Kit device. 1128 * 1129 * @return Return 0 if access is granted, or an appropriate value for 1130 * errno should be returned. 1131 */ 1132 typedef int mpo_iokit_check_set_properties_t( 1133 kauth_cred_t cred, 1134 io_object_t entry, 1135 io_object_t properties 1136 ); 1137 /** 1138 * @brief Indicate desire to filter I/O Kit devices properties 1139 * @param cred Subject credential 1140 * @param entry Target device 1141 * @see mpo_iokit_check_get_property_t 1142 * 1143 * Indicate whether this policy may restrict the subject credential 1144 * from reading properties of the target device. 1145 * If a policy returns success from this entry point, the 1146 * mpo_iokit_check_get_property entry point will later be called 1147 * for each property that the subject credential tries to read from 1148 * the target device. 1149 * 1150 * This entry point is primarilly to optimize bulk property reads 1151 * by skipping calls to the mpo_iokit_check_get_property entry point 1152 * for credentials / devices no MAC policy is interested in. 1153 * 1154 * @warning Even if a policy returns 0, it should behave correctly in 1155 * the presence of an invocation of mpo_iokit_check_get_property, as that 1156 * call may happen as a result of another policy requesting a transition. 1157 * 1158 * @return Non-zero if a transition is required, 0 otherwise. 1159 */ 1160 typedef int mpo_iokit_check_filter_properties_t( 1161 kauth_cred_t cred, 1162 io_object_t entry 1163 ); 1164 /** 1165 * @brief Access control check for getting I/O Kit device properties 1166 * @param cred Subject credential 1167 * @param entry Target device 1168 * @param name Property name 1169 * 1170 * Determine whether the subject identified by the credential can get 1171 * properties on an I/O Kit device. 1172 * 1173 * @return Return 0 if access is granted, or an appropriate value for 1174 * errno. 1175 */ 1176 typedef int mpo_iokit_check_get_property_t( 1177 kauth_cred_t cred, 1178 io_object_t entry, 1179 const char *name 1180 ); 1181 /** 1182 * @brief Access control check for software HID control 1183 * @param cred Subject credential 1184 * 1185 * Determine whether the subject identified by the credential can 1186 * control the HID (Human Interface Device) subsystem, such as to 1187 * post synthetic keypresses, pointer movement and clicks. 1188 * 1189 * @return Return 0 if access is granted, or an appropriate value for 1190 * errno. 1191 */ 1192 typedef int mpo_iokit_check_hid_control_t( 1193 kauth_cred_t cred 1194 ); 1195 /** 1196 * @brief Access control check for fsctl 1197 * @param cred Subject credential 1198 * @param mp The mount point 1199 * @param label Label associated with the mount point 1200 * @param cmd Filesystem-dependent request code; see fsctl(2) 1201 * 1202 * Determine whether the subject identified by the credential can perform 1203 * the volume operation indicated by com. 1204 * 1205 * @warning The fsctl() system call is directly analogous to ioctl(); since 1206 * the associated data is opaque from the standpoint of the MAC framework 1207 * and since these operations can affect many aspects of system operation, 1208 * policies must exercise extreme care when implementing access control checks. 1209 * 1210 * @return Return 0 if access is granted, otherwise an appropriate value for 1211 * errno should be returned. 1212 */ 1213 typedef int mpo_mount_check_fsctl_t( 1214 kauth_cred_t cred, 1215 struct mount *mp, 1216 struct label *label, 1217 unsigned long cmd 1218 ); 1219 /** 1220 * @brief Access control check for the retrieval of file system attributes 1221 * @param cred Subject credential 1222 * @param mp The mount structure of the file system 1223 * @param vfa The attributes requested 1224 * 1225 * This entry point determines whether given subject can get information 1226 * about the given file system. This check happens during statfs() syscalls, 1227 * but is also used by other parts within the kernel such as the audit system. 1228 * 1229 * @return Return 0 if access is granted, otherwise an appropriate value for 1230 * errno should be returned. 1231 * 1232 * @note Policies may change the contents of vfa to alter the list of 1233 * file system attributes returned. 1234 */ 1235 1236 typedef int mpo_mount_check_getattr_t( 1237 kauth_cred_t cred, 1238 struct mount *mp, 1239 struct label *mp_label, 1240 struct vfs_attr *vfa 1241 ); 1242 /** 1243 * @brief Access control check for mount point relabeling 1244 * @param cred Subject credential 1245 * @param mp Object file system mount point 1246 * @param mntlabel Policy label for fle system mount point 1247 * 1248 * Determine whether the subject identified by the credential can relabel 1249 * the mount point. This call is made when a file system mount is updated. 1250 * 1251 * @return Return 0 if access is granted, otherwise an appropriate value for 1252 * errno should be returned. Suggested failure: EACCES for label mismatch 1253 * or EPERM for lack of privilege. 1254 */ 1255 typedef int mpo_mount_check_label_update_t( 1256 kauth_cred_t cred, 1257 struct mount *mp, 1258 struct label *mntlabel 1259 ); 1260 /** 1261 * @brief Access control check for mounting a file system 1262 * @param cred Subject credential 1263 * @param vp Vnode that is to be the mount point 1264 * @param vlabel Label associated with the vnode 1265 * @param cnp Component name for vp 1266 * @param vfc_name Filesystem type name 1267 * 1268 * Determine whether the subject identified by the credential can perform 1269 * the mount operation on the target vnode. 1270 * 1271 * @return Return 0 if access is granted, otherwise an appropriate value for 1272 * errno should be returned. 1273 */ 1274 typedef int mpo_mount_check_mount_t( 1275 kauth_cred_t cred, 1276 struct vnode *vp, 1277 struct label *vlabel, 1278 struct componentname *cnp, 1279 const char *vfc_name 1280 ); 1281 /** 1282 * @brief Access control check for mounting a file system (late) 1283 * @param cred Subject credential 1284 * @param mp Mount point 1285 * 1286 * Similar to mpo_mount_check_mount, but occurs after VFS_MOUNT has been 1287 * called, making it possible to access mnt_vfsstat.f_mntfromname and other 1288 * fields. 1289 * 1290 * @return Return 0 if access is granted, otherwise an appropriate value for 1291 * errno should be returned. 1292 */ 1293 typedef int mpo_mount_check_mount_late_t( 1294 kauth_cred_t cred, 1295 struct mount *mp 1296 ); 1297 1298 /** 1299 * @brief Access control check for quotactl 1300 * @param cred Subject credential 1301 * @param cmd The quotactl command and subcommand; see quotactl(2) 1302 * @param id The user or group ID on which cmd will operate 1303 * 1304 * Determine whether the subject identified by the credential can perform 1305 * the quotactl operation indicated by cmd. 1306 * 1307 * @return Return 0 if access is granted, otherwise an appropriate value for 1308 * errno should be returned. 1309 */ 1310 typedef int mpo_mount_check_quotactl_t( 1311 kauth_cred_t cred, 1312 struct mount *mp, 1313 int cmd, 1314 int id 1315 ); 1316 /** 1317 * @brief Access control check for fs_snapshot_create 1318 * @param cred Subject credential 1319 * @mp Filesystem mount point to create snapshot of 1320 * @name Name of snapshot to create 1321 * 1322 * Determine whether the subject identified by the credential can 1323 * create a snapshot of the filesystem at the given mount point. 1324 * 1325 * @return Return 0 if access is granted, otherwise an appropriate value 1326 * for errno should be returned. 1327 */ 1328 typedef int mpo_mount_check_snapshot_create_t( 1329 kauth_cred_t cred, 1330 struct mount *mp, 1331 const char *name 1332 ); 1333 /** 1334 * @brief Access control check for fs_snapshot_delete 1335 * @param cred Subject credential 1336 * @mp Filesystem mount point to delete snapshot of 1337 * @name Name of snapshot to delete 1338 * 1339 * Determine whether the subject identified by the credential can 1340 * delete the named snapshot from the filesystem at the given 1341 * mount point. 1342 * 1343 * @return Return 0 if access is granted, otherwise an appropriate value 1344 * for errno should be returned. 1345 */ 1346 typedef int mpo_mount_check_snapshot_delete_t( 1347 kauth_cred_t cred, 1348 struct mount *mp, 1349 const char *name 1350 ); 1351 /** 1352 * @brief Access control check for fs_snapshot_mount 1353 * @param cred Subject credential 1354 * @param rvp Vnode of either the root directory of the 1355 * filesystem to mount snapshot of, or the device from 1356 * which to mount the snapshot. 1357 * @param vp Vnode that is to be the mount point 1358 * @param cnp Component name for vp 1359 * @param name Name of snapshot to mount 1360 * @param vfc_name Filesystem type name 1361 * 1362 * Determine whether the subject identified by the credential can 1363 * mount the named snapshot from the filesystem at the given 1364 * directory. 1365 * 1366 * @return Return 0 if access is granted, otherwise an appropriate value 1367 * for errno should be returned. 1368 */ 1369 typedef int mpo_mount_check_snapshot_mount_t( 1370 kauth_cred_t cred, 1371 struct vnode *rvp, 1372 struct vnode *vp, 1373 struct componentname *cnp, 1374 const char *name, 1375 const char *vfc_name 1376 ); 1377 /** 1378 * @brief Access control check for fs_snapshot_revert 1379 * @param cred Subject credential 1380 * @mp Filesystem mount point to revert to snapshot 1381 * @name Name of snapshot to revert to 1382 * 1383 * Determine whether the subject identified by the credential can 1384 * revert the filesystem at the given mount point to the named snapshot. 1385 * 1386 * @return Return 0 if access is granted, otherwise an appropriate value 1387 * for errno should be returned. 1388 */ 1389 typedef int mpo_mount_check_snapshot_revert_t( 1390 kauth_cred_t cred, 1391 struct mount *mp, 1392 const char *name 1393 ); 1394 /** 1395 * @brief Access control check remounting a filesystem 1396 * @param cred Subject credential 1397 * @param mp The mount point 1398 * @param mlabel Label currently associated with the mount point 1399 * 1400 * Determine whether the subject identified by the credential can perform 1401 * the remount operation on the target vnode. 1402 * 1403 * @return Return 0 if access is granted, otherwise an appropriate value for 1404 * errno should be returned. 1405 */ 1406 typedef int mpo_mount_check_remount_t( 1407 kauth_cred_t cred, 1408 struct mount *mp, 1409 struct label *mlabel 1410 ); 1411 /** 1412 * @brief Access control check for the settting of file system attributes 1413 * @param cred Subject credential 1414 * @param mp The mount structure of the file system 1415 * @param vfa The attributes requested 1416 * 1417 * This entry point determines whether given subject can set information 1418 * about the given file system, for example the volume name. 1419 * 1420 * @return Return 0 if access is granted, otherwise an appropriate value for 1421 * errno should be returned. 1422 */ 1423 1424 typedef int mpo_mount_check_setattr_t( 1425 kauth_cred_t cred, 1426 struct mount *mp, 1427 struct label *mp_label, 1428 struct vfs_attr *vfa 1429 ); 1430 /** 1431 * @brief Access control check for file system statistics 1432 * @param cred Subject credential 1433 * @param mp Object file system mount 1434 * @param mntlabel Policy label for mp 1435 * 1436 * Determine whether the subject identified by the credential can see 1437 * the results of a statfs performed on the file system. This call may 1438 * be made in a number of situations, including during invocations of 1439 * statfs(2) and related calls, as well as to determine what file systems 1440 * to exclude from listings of file systems, such as when getfsstat(2) 1441 * is invoked. 1442 * 1443 * @return Return 0 if access is granted, otherwise an appropriate value for 1444 * errno should be returned. Suggested failure: EACCES for label mismatch 1445 * or EPERM for lack of privilege. 1446 */ 1447 typedef int mpo_mount_check_stat_t( 1448 kauth_cred_t cred, 1449 struct mount *mp, 1450 struct label *mntlabel 1451 ); 1452 /** 1453 * @brief Access control check for unmounting a filesystem 1454 * @param cred Subject credential 1455 * @param mp The mount point 1456 * @param mlabel Label associated with the mount point 1457 * 1458 * Determine whether the subject identified by the credential can perform 1459 * the unmount operation on the target vnode. 1460 * 1461 * @return Return 0 if access is granted, otherwise an appropriate value for 1462 * errno should be returned. 1463 */ 1464 typedef int mpo_mount_check_umount_t( 1465 kauth_cred_t cred, 1466 struct mount *mp, 1467 struct label *mlabel 1468 ); 1469 /** 1470 * @brief Create mount labels 1471 * @param cred Subject credential 1472 * @param mp Mount point of file system being mounted 1473 * @param mntlabel Label to associate with the new mount point 1474 * @see mpo_mount_label_init_t 1475 * 1476 * Fill out the labels on the mount point being created by the supplied 1477 * user credential. This call is made when file systems are first mounted. 1478 */ 1479 typedef void mpo_mount_label_associate_t( 1480 kauth_cred_t cred, 1481 struct mount *mp, 1482 struct label *mntlabel 1483 ); 1484 /** 1485 * @brief Destroy mount label 1486 * @param label The label to be destroyed 1487 * 1488 * Destroy a file system mount label. Since the 1489 * object is going out of scope, policy modules should free any 1490 * internal storage associated with the label so that it may be 1491 * destroyed. 1492 */ 1493 typedef void mpo_mount_label_destroy_t( 1494 struct label *label 1495 ); 1496 /** 1497 * @brief Externalize a mount point label 1498 * @param label Label to be externalized 1499 * @param element_name Name of the label namespace for which labels should be 1500 * externalized 1501 * @param sb String buffer to be filled with a text representation of the label 1502 * 1503 * Produce an external representation of the mount point label. An 1504 * externalized label consists of a text representation of the label 1505 * contents that can be used with user applications. Policy-agnostic 1506 * user space tools will display this externalized version. 1507 * 1508 * The policy's externalize entry points will be called only if the 1509 * policy has registered interest in the label namespace. 1510 * 1511 * @return 0 on success, return non-zero if an error occurs while 1512 * externalizing the label data. 1513 * 1514 */ 1515 typedef int mpo_mount_label_externalize_t( 1516 struct label *label, 1517 char *element_name, 1518 struct sbuf *sb 1519 ); 1520 /** 1521 * @brief Initialize mount point label 1522 * @param label New label to initialize 1523 * 1524 * Initialize the label for a newly instantiated mount structure. 1525 * This label is typically used to store a default label in the case 1526 * that the file system has been mounted singlelabel. Since some 1527 * file systems do not support persistent labels (extended attributes) 1528 * or are read-only (such as CD-ROMs), it is often necessary to store 1529 * a default label separately from the label of the mount point 1530 * itself. Sleeping is permitted. 1531 */ 1532 typedef void mpo_mount_label_init_t( 1533 struct label *label 1534 ); 1535 /** 1536 * @brief Internalize a mount point label 1537 * @param label Label to be internalized 1538 * @param element_name Name of the label namespace for which the label should 1539 * be internalized 1540 * @param element_data Text data to be internalized 1541 * 1542 * Produce a mount point file system label from an external representation. 1543 * An externalized label consists of a text representation of the label 1544 * contents that can be used with user applications. Policy-agnostic 1545 * user space tools will forward text version to the kernel for 1546 * processing by individual policy modules. 1547 * 1548 * The policy's internalize entry points will be called only if the 1549 * policy has registered interest in the label namespace. 1550 * 1551 * @return 0 on success, Otherwise, return non-zero if an error occurs 1552 * while internalizing the label data. 1553 * 1554 */ 1555 typedef int mpo_mount_label_internalize_t( 1556 struct label *label, 1557 char *element_name, 1558 char *element_data 1559 ); 1560 /** 1561 * @brief Access control check for opening an NECP file descriptor 1562 * @param cred Subject credential 1563 * @param flags Open flags 1564 * 1565 * Determine whether the subject identified by the credential can open 1566 * an NECP file descriptor. 1567 * 1568 * @return Return 0 if access is granted, otherwise an appropriate value for 1569 * errno should be returned. 1570 * 1571 */ 1572 typedef int mpo_necp_check_open_t( 1573 kauth_cred_t cred, 1574 int flags 1575 ); 1576 /** 1577 * @brief Access control check for necp_client_action(2) 1578 * @param cred Subject credential 1579 * @param fg NECP fileglob 1580 * @param action NECP client action 1581 * 1582 * Determine whether the subject identified by the credential can open 1583 * an NECP socket. 1584 * 1585 * @return Return 0 if access is granted, otherwise an appropriate value for 1586 * errno should be returned. 1587 * 1588 */ 1589 typedef int mpo_necp_check_client_action_t( 1590 kauth_cred_t cred, 1591 struct fileglob *fg, 1592 uint32_t action 1593 ); 1594 /** 1595 * @brief Access control check for pipe ioctl 1596 * @param cred Subject credential 1597 * @param cpipe Object to be accessed 1598 * @param pipelabel The label on the pipe 1599 * @param cmd The ioctl command; see ioctl(2) 1600 * 1601 * Determine whether the subject identified by the credential can perform 1602 * the ioctl operation indicated by cmd. 1603 * 1604 * @warning Since ioctl data is opaque from the standpoint of the MAC 1605 * framework, policies must exercise extreme care when implementing 1606 * access control checks. 1607 * 1608 * @return Return 0 if access is granted, otherwise an appropriate value for 1609 * errno should be returned. 1610 * 1611 */ 1612 typedef int mpo_pipe_check_ioctl_t( 1613 kauth_cred_t cred, 1614 struct pipe *cpipe, 1615 struct label *pipelabel, 1616 unsigned long cmd 1617 ); 1618 /** 1619 * @brief Access control check for pipe kqfilter 1620 * @param cred Subject credential 1621 * @param kn Object knote 1622 * @param cpipe Object to be accessed 1623 * @param pipelabel Policy label for the pipe 1624 * 1625 * Determine whether the subject identified by the credential can 1626 * receive the knote on the passed pipe. 1627 * 1628 * @return Return 0 if access if granted, otherwise an appropriate 1629 * value for errno should be returned. 1630 */ 1631 typedef int mpo_pipe_check_kqfilter_t( 1632 kauth_cred_t cred, 1633 struct knote *kn, 1634 struct pipe *cpipe, 1635 struct label *pipelabel 1636 ); 1637 /** 1638 * @brief Access control check for pipe read 1639 * @param cred Subject credential 1640 * @param cpipe Object to be accessed 1641 * @param pipelabel The label on the pipe 1642 * 1643 * Determine whether the subject identified by the credential can 1644 * perform a read operation on the passed pipe. The cred object holds 1645 * the credentials of the subject performing the operation. 1646 * 1647 * @return Return 0 if access is granted, otherwise an appropriate value for 1648 * errno should be returned. 1649 * 1650 */ 1651 typedef int mpo_pipe_check_read_t( 1652 kauth_cred_t cred, 1653 struct pipe *cpipe, 1654 struct label *pipelabel 1655 ); 1656 /** 1657 * @brief Access control check for pipe select 1658 * @param cred Subject credential 1659 * @param cpipe Object to be accessed 1660 * @param pipelabel The label on the pipe 1661 * @param which The operation selected on: FREAD or FWRITE 1662 * 1663 * Determine whether the subject identified by the credential can 1664 * perform a select operation on the passed pipe. The cred object holds 1665 * the credentials of the subject performing the operation. 1666 * 1667 * @return Return 0 if access is granted, otherwise an appropriate value for 1668 * errno should be returned. 1669 * 1670 */ 1671 typedef int mpo_pipe_check_select_t( 1672 kauth_cred_t cred, 1673 struct pipe *cpipe, 1674 struct label *pipelabel, 1675 int which 1676 ); 1677 /** 1678 * @brief Access control check for pipe stat 1679 * @param cred Subject credential 1680 * @param cpipe Object to be accessed 1681 * @param pipelabel The label on the pipe 1682 * 1683 * Determine whether the subject identified by the credential can 1684 * perform a stat operation on the passed pipe. The cred object holds 1685 * the credentials of the subject performing the operation. 1686 * 1687 * @return Return 0 if access is granted, otherwise an appropriate value for 1688 * errno should be returned. 1689 * 1690 */ 1691 typedef int mpo_pipe_check_stat_t( 1692 kauth_cred_t cred, 1693 struct pipe *cpipe, 1694 struct label *pipelabel 1695 ); 1696 /** 1697 * @brief Access control check for pipe write 1698 * @param cred Subject credential 1699 * @param cpipe Object to be accessed 1700 * @param pipelabel The label on the pipe 1701 * 1702 * Determine whether the subject identified by the credential can 1703 * perform a write operation on the passed pipe. The cred object holds 1704 * the credentials of the subject performing the operation. 1705 * 1706 * @return Return 0 if access is granted, otherwise an appropriate value for 1707 * errno should be returned. 1708 * 1709 */ 1710 typedef int mpo_pipe_check_write_t( 1711 kauth_cred_t cred, 1712 struct pipe *cpipe, 1713 struct label *pipelabel 1714 ); 1715 /** 1716 * @brief Create a pipe label 1717 * @param cred Subject credential 1718 * @param cpipe object to be labeled 1719 * @param pipelabel Label for the pipe object 1720 * 1721 * Create a label for the pipe object being created by the supplied 1722 * user credential. This call is made when a pipe pair is being created. 1723 * The label is shared by both ends of the pipe. 1724 */ 1725 typedef void mpo_pipe_label_associate_t( 1726 kauth_cred_t cred, 1727 struct pipe *cpipe, 1728 struct label *pipelabel 1729 ); 1730 /** 1731 * @brief Destroy pipe label 1732 * @param label The label to be destroyed 1733 * 1734 * Destroy a pipe label. Since the object is going out of scope, 1735 * policy modules should free any internal storage associated with the 1736 * label so that it may be destroyed. 1737 */ 1738 typedef void mpo_pipe_label_destroy_t( 1739 struct label *label 1740 ); 1741 /** 1742 * @brief Initialize pipe label 1743 * @param label New label to initialize 1744 * 1745 * Initialize label storage for use with a newly instantiated pipe object. 1746 * Sleeping is permitted. 1747 */ 1748 typedef void mpo_pipe_label_init_t( 1749 struct label *label 1750 ); 1751 /** 1752 * @brief Policy unload event 1753 * @param mpc MAC policy configuration 1754 * 1755 * This is the MAC Framework policy unload event. This entry point will 1756 * only be called if the module's policy configuration allows unload (if 1757 * the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't 1758 * want to be unloaded; they should set their flags to prevent this 1759 * entry point from being called. 1760 * 1761 * @warning During this call, the mac policy list mutex is held, so 1762 * sleep operations cannot be performed, and calls out to other kernel 1763 * subsystems must be made with caution. 1764 * 1765 * @see MPC_LOADTIME_FLAG_UNLOADOK 1766 */ 1767 typedef void mpo_policy_destroy_t( 1768 struct mac_policy_conf *mpc 1769 ); 1770 /** 1771 * @brief Policy initialization event 1772 * @param mpc MAC policy configuration 1773 * @see mac_policy_register 1774 * @see mpo_policy_initbsd_t 1775 * 1776 * This is the MAC Framework policy initialization event. This entry 1777 * point is called during mac_policy_register, when the policy module 1778 * is first registered with the MAC Framework. This is often done very 1779 * early in the boot process, after the kernel Mach subsystem has been 1780 * initialized, but prior to the BSD subsystem being initialized. 1781 * Since the kernel BSD services are not yet available, it is possible 1782 * that some initialization must occur later, possibly in the 1783 * mpo_policy_initbsd_t policy entry point, such as registering BSD system 1784 * controls (sysctls). Policy modules loaded at boot time will be 1785 * registered and initialized before labeled Mach objects are created. 1786 * 1787 * @warning During this call, the mac policy list mutex is held, so 1788 * sleep operations cannot be performed, and calls out to other kernel 1789 * subsystems must be made with caution. 1790 */ 1791 typedef void mpo_policy_init_t( 1792 struct mac_policy_conf *mpc 1793 ); 1794 /** 1795 * @brief Policy BSD initialization event 1796 * @param mpc MAC policy configuration 1797 * @see mpo_policy_init_t 1798 * 1799 * This entry point is called after the kernel BSD subsystem has been 1800 * initialized. By this point, the module should already be loaded, 1801 * registered, and initialized. Since policy modules are initialized 1802 * before kernel BSD services are available, this second initialization 1803 * phase is necessary. At this point, BSD services (memory management, 1804 * synchronization primitives, vfs, etc.) are available, but the first 1805 * process has not yet been created. Mach-related objects and tasks 1806 * will already be fully initialized and may be in use--policies requiring 1807 * ubiquitous labeling may also want to implement mpo_policy_init_t. 1808 * 1809 * @warning During this call, the mac policy list mutex is held, so 1810 * sleep operations cannot be performed, and calls out to other kernel 1811 * subsystems must be made with caution. 1812 */ 1813 typedef void mpo_policy_initbsd_t( 1814 struct mac_policy_conf *mpc 1815 ); 1816 /** 1817 * @brief Policy extension service 1818 * @param p Calling process 1819 * @param call Policy-specific syscall number 1820 * @param arg Pointer to syscall arguments 1821 * 1822 * This entry point provides a policy-multiplexed system call so that 1823 * policies may provide additional services to user processes without 1824 * registering specific system calls. The policy name provided during 1825 * registration is used to demux calls from userland, and the arguments 1826 * will be forwarded to this entry point. When implementing new 1827 * services, security modules should be sure to invoke appropriate 1828 * access control checks from the MAC framework as needed. For 1829 * example, if a policy implements an augmented signal functionality, 1830 * it should call the necessary signal access control checks to invoke 1831 * the MAC framework and other registered policies. 1832 * 1833 * @warning Since the format and contents of the policy-specific 1834 * arguments are unknown to the MAC Framework, modules must perform the 1835 * required copyin() of the syscall data on their own. No policy 1836 * mediation is performed, so policies must perform any necessary 1837 * access control checks themselves. If multiple policies are loaded, 1838 * they will currently be unable to mediate calls to other policies. 1839 * 1840 * @return In the event of an error, an appropriate value for errno 1841 * should be returned, otherwise return 0 upon success. 1842 */ 1843 typedef int mpo_policy_syscall_t( 1844 struct proc *p, 1845 int call, 1846 user_addr_t arg 1847 ); 1848 /** 1849 * @brief Access control check for POSIX semaphore create 1850 * @param cred Subject credential 1851 * @param name String name of the semaphore 1852 * 1853 * Determine whether the subject identified by the credential can create 1854 * a POSIX semaphore specified by name. 1855 * 1856 * @return Return 0 if access is granted, otherwise an appropriate value for 1857 * errno should be returned. 1858 */ 1859 typedef int mpo_posixsem_check_create_t( 1860 kauth_cred_t cred, 1861 const char *name 1862 ); 1863 /** 1864 * @brief Access control check for POSIX semaphore open 1865 * @param cred Subject credential 1866 * @param ps Pointer to semaphore information structure 1867 * @param semlabel Label associated with the semaphore 1868 * 1869 * Determine whether the subject identified by the credential can open 1870 * the named POSIX semaphore with label semlabel. 1871 * 1872 * @return Return 0 if access is granted, otherwise an appropriate value for 1873 * errno should be returned. 1874 */ 1875 typedef int mpo_posixsem_check_open_t( 1876 kauth_cred_t cred, 1877 struct pseminfo *ps, 1878 struct label *semlabel 1879 ); 1880 /** 1881 * @brief Access control check for POSIX semaphore post 1882 * @param cred Subject credential 1883 * @param ps Pointer to semaphore information structure 1884 * @param semlabel Label associated with the semaphore 1885 * 1886 * Determine whether the subject identified by the credential can unlock 1887 * the named POSIX semaphore with label semlabel. 1888 * 1889 * @return Return 0 if access is granted, otherwise an appropriate value for 1890 * errno should be returned. 1891 */ 1892 typedef int mpo_posixsem_check_post_t( 1893 kauth_cred_t cred, 1894 struct pseminfo *ps, 1895 struct label *semlabel 1896 ); 1897 /** 1898 * @brief Access control check for POSIX semaphore unlink 1899 * @param cred Subject credential 1900 * @param ps Pointer to semaphore information structure 1901 * @param semlabel Label associated with the semaphore 1902 * @param name String name of the semaphore 1903 * 1904 * Determine whether the subject identified by the credential can remove 1905 * the named POSIX semaphore with label semlabel. 1906 * 1907 * @return Return 0 if access is granted, otherwise an appropriate value for 1908 * errno should be returned. 1909 */ 1910 typedef int mpo_posixsem_check_unlink_t( 1911 kauth_cred_t cred, 1912 struct pseminfo *ps, 1913 struct label *semlabel, 1914 const char *name 1915 ); 1916 /** 1917 * @brief Access control check for POSIX semaphore wait 1918 * @param cred Subject credential 1919 * @param ps Pointer to semaphore information structure 1920 * @param semlabel Label associated with the semaphore 1921 * 1922 * Determine whether the subject identified by the credential can lock 1923 * the named POSIX semaphore with label semlabel. 1924 * 1925 * @return Return 0 if access is granted, otherwise an appropriate value for 1926 * errno should be returned. 1927 */ 1928 typedef int mpo_posixsem_check_wait_t( 1929 kauth_cred_t cred, 1930 struct pseminfo *ps, 1931 struct label *semlabel 1932 ); 1933 /** 1934 * @brief Create a POSIX semaphore label 1935 * @param cred Subject credential 1936 * @param ps Pointer to semaphore information structure 1937 * @param semlabel Label to associate with the new semaphore 1938 * @param name String name of the semaphore 1939 * 1940 * Label a new POSIX semaphore. The label was previously 1941 * initialized and associated with the semaphore. At this time, an 1942 * appropriate initial label value should be assigned to the object and 1943 * stored in semalabel. 1944 */ 1945 typedef void mpo_posixsem_label_associate_t( 1946 kauth_cred_t cred, 1947 struct pseminfo *ps, 1948 struct label *semlabel, 1949 const char *name 1950 ); 1951 /** 1952 * @brief Destroy POSIX semaphore label 1953 * @param label The label to be destroyed 1954 * 1955 * Destroy a POSIX semaphore label. Since the object is 1956 * going out of scope, policy modules should free any internal storage 1957 * associated with the label so that it may be destroyed. 1958 */ 1959 typedef void mpo_posixsem_label_destroy_t( 1960 struct label *label 1961 ); 1962 /** 1963 * @brief Initialize POSIX semaphore label 1964 * @param label New label to initialize 1965 * 1966 * Initialize the label for a newly instantiated POSIX semaphore. Sleeping 1967 * is permitted. 1968 */ 1969 typedef void mpo_posixsem_label_init_t( 1970 struct label *label 1971 ); 1972 /** 1973 * @brief Access control check for POSIX shared memory region create 1974 * @param cred Subject credential 1975 * @param name String name of the shared memory region 1976 * 1977 * Determine whether the subject identified by the credential can create 1978 * the POSIX shared memory region referenced by name. 1979 * 1980 * @return Return 0 if access is granted, otherwise an appropriate value for 1981 * errno should be returned. 1982 */ 1983 typedef int mpo_posixshm_check_create_t( 1984 kauth_cred_t cred, 1985 const char *name 1986 ); 1987 /** 1988 * @brief Access control check for mapping POSIX shared memory 1989 * @param cred Subject credential 1990 * @param ps Pointer to shared memory information structure 1991 * @param shmlabel Label associated with the shared memory region 1992 * @param prot mmap protections; see mmap(2) 1993 * @param flags shmat flags; see shmat(2) 1994 * 1995 * Determine whether the subject identified by the credential can map 1996 * the POSIX shared memory segment associated with shmlabel. 1997 * 1998 * @return Return 0 if access is granted, otherwise an appropriate value for 1999 * errno should be returned. 2000 */ 2001 typedef int mpo_posixshm_check_mmap_t( 2002 kauth_cred_t cred, 2003 struct pshminfo *ps, 2004 struct label *shmlabel, 2005 int prot, 2006 int flags 2007 ); 2008 /** 2009 * @brief Access control check for POSIX shared memory region open 2010 * @param cred Subject credential 2011 * @param ps Pointer to shared memory information structure 2012 * @param shmlabel Label associated with the shared memory region 2013 * @param fflags shm_open(2) open flags ('fflags' encoded) 2014 * 2015 * Determine whether the subject identified by the credential can open 2016 * the POSIX shared memory region. 2017 * 2018 * @return Return 0 if access is granted, otherwise an appropriate value for 2019 * errno should be returned. 2020 */ 2021 typedef int mpo_posixshm_check_open_t( 2022 kauth_cred_t cred, 2023 struct pshminfo *ps, 2024 struct label *shmlabel, 2025 int fflags 2026 ); 2027 /** 2028 * @brief Access control check for POSIX shared memory stat 2029 * @param cred Subject credential 2030 * @param ps Pointer to shared memory information structure 2031 * @param shmlabel Label associated with the shared memory region 2032 * 2033 * Determine whether the subject identified by the credential can obtain 2034 * status for the POSIX shared memory segment associated with shmlabel. 2035 * 2036 * @return Return 0 if access is granted, otherwise an appropriate value for 2037 * errno should be returned. 2038 */ 2039 typedef int mpo_posixshm_check_stat_t( 2040 kauth_cred_t cred, 2041 struct pshminfo *ps, 2042 struct label *shmlabel 2043 ); 2044 /** 2045 * @brief Access control check for POSIX shared memory truncate 2046 * @param cred Subject credential 2047 * @param ps Pointer to shared memory information structure 2048 * @param shmlabel Label associated with the shared memory region 2049 * @param len Length to truncate or extend shared memory segment 2050 * 2051 * Determine whether the subject identified by the credential can truncate 2052 * or extend (to len) the POSIX shared memory segment associated with shmlabel. 2053 * 2054 * @return Return 0 if access is granted, otherwise an appropriate value for 2055 * errno should be returned. 2056 */ 2057 typedef int mpo_posixshm_check_truncate_t( 2058 kauth_cred_t cred, 2059 struct pshminfo *ps, 2060 struct label *shmlabel, 2061 off_t len 2062 ); 2063 /** 2064 * @brief Access control check for POSIX shared memory unlink 2065 * @param cred Subject credential 2066 * @param ps Pointer to shared memory information structure 2067 * @param shmlabel Label associated with the shared memory region 2068 * @param name String name of the shared memory region 2069 * 2070 * Determine whether the subject identified by the credential can delete 2071 * the POSIX shared memory segment associated with shmlabel. 2072 * 2073 * @return Return 0 if access is granted, otherwise an appropriate value for 2074 * errno should be returned. 2075 */ 2076 typedef int mpo_posixshm_check_unlink_t( 2077 kauth_cred_t cred, 2078 struct pshminfo *ps, 2079 struct label *shmlabel, 2080 const char *name 2081 ); 2082 /** 2083 * @brief Create a POSIX shared memory region label 2084 * @param cred Subject credential 2085 * @param ps Pointer to shared memory information structure 2086 * @param shmlabel Label to associate with the new shared memory region 2087 * @param name String name of the shared memory region 2088 * 2089 * Label a new POSIX shared memory region. The label was previously 2090 * initialized and associated with the shared memory region. At this 2091 * time, an appropriate initial label value should be assigned to the 2092 * object and stored in shmlabel. 2093 */ 2094 typedef void mpo_posixshm_label_associate_t( 2095 kauth_cred_t cred, 2096 struct pshminfo *ps, 2097 struct label *shmlabel, 2098 const char *name 2099 ); 2100 /** 2101 * @brief Destroy POSIX shared memory label 2102 * @param label The label to be destroyed 2103 * 2104 * Destroy a POSIX shared memory region label. Since the 2105 * object is going out of scope, policy modules should free any 2106 * internal storage associated with the label so that it may be 2107 * destroyed. 2108 */ 2109 typedef void mpo_posixshm_label_destroy_t( 2110 struct label *label 2111 ); 2112 /** 2113 * @brief Initialize POSIX Shared Memory region label 2114 * @param label New label to initialize 2115 * 2116 * Initialize the label for newly a instantiated POSIX Shared Memory 2117 * region. Sleeping is permitted. 2118 */ 2119 typedef void mpo_posixshm_label_init_t( 2120 struct label *label 2121 ); 2122 /** 2123 * @brief Access control check for privileged operations 2124 * @param cred Subject credential 2125 * @param priv Requested privilege (see sys/priv.h) 2126 * 2127 * Determine whether the subject identified by the credential can perform 2128 * a privileged operation. Privileged operations are allowed if the cred 2129 * is the superuser or any policy returns zero for mpo_priv_grant, unless 2130 * any policy returns nonzero for mpo_priv_check. 2131 * 2132 * @return Return 0 if access is granted, otherwise EPERM should be returned. 2133 */ 2134 typedef int mpo_priv_check_t( 2135 kauth_cred_t cred, 2136 int priv 2137 ); 2138 /** 2139 * @brief Grant regular users the ability to perform privileged operations 2140 * @param cred Subject credential 2141 * @param priv Requested privilege (see sys/priv.h) 2142 * 2143 * Determine whether the subject identified by the credential should be 2144 * allowed to perform a privileged operation that in the absense of any 2145 * MAC policy it would not be able to perform. Privileged operations are 2146 * allowed if the cred is the superuser or any policy returns zero for 2147 * mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check. 2148 * 2149 * Unlike other MAC hooks which can only reduce the privilege of a 2150 * credential, this hook raises the privilege of a credential when it 2151 * returns 0. Extreme care must be taken when implementing this hook to 2152 * avoid undermining the security of the system. 2153 * 2154 * @return Return 0 if additional privilege is granted, otherwise EPERM 2155 * should be returned. 2156 */ 2157 typedef int mpo_priv_grant_t( 2158 kauth_cred_t cred, 2159 int priv 2160 ); 2161 /** 2162 * @brief Access control over process core dumps 2163 * @param proc Subject process 2164 * 2165 * Determine whether a core dump may be written to disk for the subject 2166 * identified. 2167 * 2168 * @return Return 0 if access is granted, otherwise an appropriate value for 2169 * errno should be returned. 2170 */ 2171 typedef int mpo_proc_check_dump_core_t( 2172 struct proc *proc 2173 ); 2174 /** 2175 * @brief Access control over remote thread creation 2176 * @param cred Subject credential 2177 * @param proc Object process 2178 * @param flavor Flavor of thread state passed in new_state, or -1 2179 * @param new_state Thread state to be set on the created thread, or NULL 2180 * @param new_state_count Size of thread state, in natural_t units, or 0 2181 * 2182 * Determine whether the subject can create a thread in the object process 2183 * by calling the thread_create or thread_create_running MIG routines on 2184 * another process' task port. For thread_create_running, the flavor, 2185 * new_state and new_state_count arguments are passed here before they are 2186 * converted and checked by machine-dependent code. 2187 * 2188 * @return Return 0 if access is granted, otherwise an appropriate value for 2189 * errno should be returned. 2190 */ 2191 typedef int mpo_proc_check_remote_thread_create_t( 2192 kauth_cred_t cred, 2193 struct proc *proc, 2194 int flavor, 2195 thread_state_t new_state, 2196 mach_msg_type_number_t new_state_count 2197 ); 2198 /** 2199 * @brief Access control check for debugging process 2200 * @param cred Subject credential 2201 * @param pident Object unique process identifier 2202 * 2203 * Determine whether the subject identified by the credential can debug 2204 * the passed process. This call may be made in a number of situations, 2205 * including use of the ptrace(2) and ktrace(2) APIs, as well as for some 2206 * types of procfs operations. 2207 * 2208 * @return Return 0 if access is granted, otherwise an appropriate value for 2209 * errno should be returned. Suggested failure: EACCES for label mismatch, 2210 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 2211 */ 2212 typedef int mpo_proc_check_debug_t( 2213 kauth_cred_t cred, 2214 struct proc_ident *pident 2215 ); 2216 /** 2217 * @brief Access control over fork 2218 * @param cred Subject credential 2219 * @param proc Subject process trying to fork 2220 * 2221 * Determine whether the subject identified is allowed to fork. 2222 * 2223 * @return Return 0 if access is granted, otherwise an appropriate value for 2224 * errno should be returned. 2225 */ 2226 typedef int mpo_proc_check_fork_t( 2227 kauth_cred_t cred, 2228 struct proc *proc 2229 ); 2230 /** 2231 * @brief Access control check for setting host special ports. 2232 * @param cred Subject credential 2233 * @param id The host special port to set 2234 * @param port The new value to set for the special port 2235 * 2236 * @return Return 0 if access is granted, otherwise an appropriate value for 2237 * errno should be returned. 2238 */ 2239 typedef int mpo_proc_check_set_host_special_port_t( 2240 kauth_cred_t cred, 2241 int id, 2242 struct ipc_port *port 2243 ); 2244 /** 2245 * @brief Access control check for setting host exception ports. 2246 * @param cred Subject credential 2247 * @param exception Exception port to set 2248 * 2249 * @return Return 0 if access is granted, otherwise an appropriate value for 2250 * errno should be returned. 2251 */ 2252 typedef int mpo_proc_check_set_host_exception_port_t( 2253 kauth_cred_t cred, 2254 unsigned int exception 2255 ); 2256 /** 2257 * @brief Access control check for getting task special ports. 2258 * @param cred Subject credential 2259 * @param pident Object unique process identifier, NULL if target is a corpse task 2260 * @param which The task special port to get 2261 * 2262 * @return Return 0 if access is granted, otherwise an appropriate value for 2263 * errno should be returned. 2264 */ 2265 typedef int mpo_proc_check_get_task_special_port_t( 2266 kauth_cred_t cred, 2267 struct proc_ident *pident, 2268 int which 2269 ); 2270 /** 2271 * @brief Access control check for setting task special ports. 2272 * @param cred Subject credential 2273 * @param pident Object unique process identifier 2274 * @param which The task special port to set 2275 * @param port The new value to set for the special port 2276 * 2277 * @return Return 0 if access is granted, otherwise an appropriate value for 2278 * errno should be returned. 2279 */ 2280 typedef int mpo_proc_check_set_task_special_port_t( 2281 kauth_cred_t cred, 2282 struct proc_ident *pident, 2283 int which, 2284 struct ipc_port *port 2285 ); 2286 /** 2287 * @brief Access control check for getting movable task/thread control port for current task. 2288 * @param cred Subject credential 2289 * 2290 * @return Return 0 if access is granted, otherwise an appropriate value for 2291 * errno should be returned. 2292 */ 2293 typedef int mpo_proc_check_get_movable_control_port_t( 2294 kauth_cred_t cred 2295 ); 2296 /** 2297 * @brief Access control check for calling task_dyld_process_info_notify_register 2298 * and task_dyld_process_info_notify_deregister. 2299 * @param cred Subject credential 2300 * 2301 * @return Return 0 if access is granted, otherwise an appropriate value for 2302 * errno should be returned. 2303 */ 2304 typedef int mpo_proc_check_dyld_process_info_notify_register_t( 2305 kauth_cred_t cred 2306 ); 2307 /** 2308 * @brief Access control over pid_suspend, pid_resume and family 2309 * @param cred Subject credential 2310 * @param proc Object process 2311 * @param sr Type of call; one of MAC_PROC_CHECK_SUSPEND, 2312 * MAC_PROC_CHECK_RESUME, MAC_PROC_CHECK_HIBERNATE, 2313 * MAC_PROC_CHECK_SHUTDOWN_SOCKETS or MAC_PROC_CHECK_PIDBIND. 2314 * 2315 * Determine whether the subject identified is allowed to call pid_suspend, 2316 * pid_resume, pid_hibernate, pid_shutdown_sockets, 2317 * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_DEVSTATUS) or 2318 * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_PIDBIND) on 2319 * the object process. 2320 * 2321 * @return Return 0 if access is granted, otherwise an appropriate value for 2322 * errno should be returned. 2323 */ 2324 typedef int mpo_proc_check_suspend_resume_t( 2325 kauth_cred_t cred, 2326 struct proc *proc, 2327 int sr 2328 ); 2329 /** 2330 * @brief Access control check for retrieving audit information 2331 * @param cred Subject credential 2332 * 2333 * Determine whether the subject identified by the credential can get 2334 * audit information such as the audit user ID, the preselection mask, 2335 * the terminal ID and the audit session ID, using the getaudit() system call. 2336 * 2337 * @return Return 0 if access is granted, otherwise an appropriate value for 2338 * errno should be returned. 2339 */ 2340 typedef int mpo_proc_check_getaudit_t( 2341 kauth_cred_t cred 2342 ); 2343 /** 2344 * @brief Access control check for retrieving audit user ID 2345 * @param cred Subject credential 2346 * 2347 * Determine whether the subject identified by the credential can get 2348 * the user identity being used by the auditing system, using the getauid() 2349 * system call. 2350 * 2351 * @return Return 0 if access is granted, otherwise an appropriate value for 2352 * errno should be returned. 2353 */ 2354 typedef int mpo_proc_check_getauid_t( 2355 kauth_cred_t cred 2356 ); 2357 /** 2358 * @brief Access control check for retrieving Login Context ID 2359 * @param p0 Calling process 2360 * @param p Effected process 2361 * @param pid syscall PID argument 2362 * 2363 * Determine if getlcid(2) system call is permitted. 2364 * 2365 * Information returned by this system call is similar to that returned via 2366 * process listings etc. 2367 * 2368 * @return Return 0 if access is granted, otherwise an appropriate value for 2369 * errno should be returned. 2370 */ 2371 typedef int mpo_proc_check_getlcid_t( 2372 struct proc *p0, 2373 struct proc *p, 2374 pid_t pid 2375 ); 2376 /** 2377 * @brief Access control check for retrieving ledger information 2378 * @param cred Subject credential 2379 * @param target Object process 2380 * @param op ledger operation 2381 * 2382 * Determine if ledger(2) system call is permitted. 2383 * 2384 * Information returned by this system call is similar to that returned via 2385 * process listings etc. 2386 * 2387 * @return Return 0 if access is granted, otherwise an appropriate value for 2388 * errno should be returned. 2389 */ 2390 typedef int mpo_proc_check_ledger_t( 2391 kauth_cred_t cred, 2392 struct proc *target, 2393 int op 2394 ); 2395 /** 2396 * @brief Access control check for retrieving process information. 2397 * @param cred Subject credential 2398 * @param target Target process (may be null, may be zombie) 2399 * 2400 * Determine if a credential has permission to access process information as defined 2401 * by call number and flavor on target process 2402 * 2403 * @return Return 0 if access is granted, otherwise an appropriate value for 2404 * errno should be returned. 2405 */ 2406 typedef int mpo_proc_check_proc_info_t( 2407 kauth_cred_t cred, 2408 struct proc *target, 2409 int callnum, 2410 int flavor 2411 ); 2412 /** 2413 * @brief Access control check for retrieving code signing information. 2414 * @param cred Subject credential 2415 * @param target Target process 2416 * @param op Code signing operation being performed 2417 * 2418 * Determine whether the subject identified by the credential should be 2419 * allowed to get code signing information about the target process. 2420 * 2421 * @return Return 0 if access is granted, otherwise an appropriate value for 2422 * errno should be returned. 2423 */ 2424 typedef int mpo_proc_check_get_cs_info_t( 2425 kauth_cred_t cred, 2426 struct proc *target, 2427 unsigned int op 2428 ); 2429 /** 2430 * @brief Access control check for setting code signing information. 2431 * @param cred Subject credential 2432 * @param target Target process 2433 * @param op Code signing operation being performed. 2434 * 2435 * Determine whether the subject identified by the credential should be 2436 * allowed to set code signing information about the target process. 2437 * 2438 * @return Return 0 if permission is granted, otherwise an appropriate 2439 * value of errno should be returned. 2440 */ 2441 typedef int mpo_proc_check_set_cs_info_t( 2442 kauth_cred_t cred, 2443 struct proc *target, 2444 unsigned int op 2445 ); 2446 /** 2447 * @brief Access control check for mmap MAP_ANON 2448 * @param proc User process requesting the memory 2449 * @param cred Subject credential 2450 * @param u_addr Start address of the memory range 2451 * @param u_size Length address of the memory range 2452 * @param prot mmap protections; see mmap(2) 2453 * @param flags Type of mapped object; see mmap(2) 2454 * @param maxprot Maximum rights 2455 * 2456 * Determine whether the subject identified by the credential should be 2457 * allowed to obtain anonymous memory using the specified flags and 2458 * protections on the new mapping. MAP_ANON will always be present in the 2459 * flags. Certain combinations of flags with a non-NULL addr may 2460 * cause a mapping to be rejected before this hook is called. The maxprot field 2461 * holds the maximum permissions on the new mapping, a combination of 2462 * VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior 2463 * access control checks, a policy should only remove flags from maxprot. 2464 * 2465 * @return Return 0 if access is granted, otherwise an appropriate value for 2466 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2467 */ 2468 typedef int mpo_proc_check_map_anon_t( 2469 struct proc *proc, 2470 kauth_cred_t cred, 2471 user_addr_t u_addr, 2472 user_size_t u_size, 2473 int prot, 2474 int flags, 2475 int *maxprot 2476 ); 2477 /** 2478 * @brief Access control check for memorystatus_control(2) 2479 * @param cred Subject credential 2480 * @param command Memory status control command 2481 * @param pid Target process id, or 0 2482 * 2483 * Determine whether the subject identified by the credential should 2484 * be allowed to issue the specified memorystatus control command. 2485 * 2486 * @return Return 0 if access is granted, otherwise an appropriate value for 2487 * errno should be returned. 2488 */ 2489 typedef int mpo_proc_check_memorystatus_control_t( 2490 kauth_cred_t cred, 2491 int32_t command, 2492 pid_t pid 2493 ); 2494 /** 2495 * @brief Access control check for setting memory protections 2496 * @param cred Subject credential 2497 * @param proc User process requesting the change 2498 * @param addr Start address of the memory range 2499 * @param size Length address of the memory range 2500 * @param prot Memory protections, see mmap(2) 2501 * 2502 * Determine whether the subject identified by the credential should 2503 * be allowed to set the specified memory protections on memory mapped 2504 * in the process proc. 2505 * 2506 * @return Return 0 if access is granted, otherwise an appropriate value for 2507 * errno should be returned. 2508 */ 2509 typedef int mpo_proc_check_mprotect_t( 2510 kauth_cred_t cred, 2511 struct proc *proc, 2512 user_addr_t addr, 2513 user_size_t size, 2514 int prot 2515 ); 2516 /** 2517 * @brief Access control check for changing scheduling parameters 2518 * @param cred Subject credential 2519 * @param proc Object process 2520 * 2521 * Determine whether the subject identified by the credential can change 2522 * the scheduling parameters of the passed process. 2523 * 2524 * @return Return 0 if access is granted, otherwise an appropriate value for 2525 * errno should be returned. Suggested failure: EACCES for label mismatch, 2526 * EPERM for lack of privilege, or ESRCH to limit visibility. 2527 */ 2528 typedef int mpo_proc_check_sched_t( 2529 kauth_cred_t cred, 2530 struct proc *proc 2531 ); 2532 /** 2533 * @brief Access control check for setting audit information 2534 * @param cred Subject credential 2535 * @param ai Audit information 2536 * 2537 * Determine whether the subject identified by the credential can set 2538 * audit information such as the the preselection mask, the terminal ID 2539 * and the audit session ID, using the setaudit() system call. 2540 * 2541 * @return Return 0 if access is granted, otherwise an appropriate value for 2542 * errno should be returned. 2543 */ 2544 typedef int mpo_proc_check_setaudit_t( 2545 kauth_cred_t cred, 2546 struct auditinfo_addr *ai 2547 ); 2548 /** 2549 * @brief Access control check for setting audit user ID 2550 * @param cred Subject credential 2551 * @param auid Audit user ID 2552 * 2553 * Determine whether the subject identified by the credential can set 2554 * the user identity used by the auditing system, using the setauid() 2555 * system call. 2556 * 2557 * @return Return 0 if access is granted, otherwise an appropriate value for 2558 * errno should be returned. 2559 */ 2560 typedef int mpo_proc_check_setauid_t( 2561 kauth_cred_t cred, 2562 uid_t auid 2563 ); 2564 /** 2565 * @brief Access control check for setting the Login Context 2566 * @param p0 Calling process 2567 * @param p Effected process 2568 * @param pid syscall PID argument 2569 * @param lcid syscall LCID argument 2570 * 2571 * Determine if setlcid(2) system call is permitted. 2572 * 2573 * See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of 2574 * decoding syscall arguments to determine action desired by caller. 2575 * 2576 * Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN 2577 * 2578 * @return Return 0 if access is granted, otherwise an appropriate value for 2579 * errno should be returned. 2580 */ 2581 typedef int mpo_proc_check_setlcid_t( 2582 struct proc *p0, 2583 struct proc *p, 2584 pid_t pid, 2585 pid_t lcid 2586 ); 2587 /** 2588 * @brief Access control check for delivering signal 2589 * @param cred Subject credential 2590 * @param proc Object process 2591 * @param signum Signal number; see kill(2) 2592 * 2593 * Determine whether the subject identified by the credential can deliver 2594 * the passed signal to the passed process. 2595 * 2596 * @warning Programs typically expect to be able to send and receive 2597 * signals as part or their normal process lifecycle; caution should be 2598 * exercised when implementing access controls over signal events. 2599 * 2600 * @return Return 0 if access is granted, otherwise an appropriate value for 2601 * errno should be returned. Suggested failure: EACCES for label mismatch, 2602 * EPERM for lack of privilege, or ESRCH to limit visibility. 2603 */ 2604 typedef int mpo_proc_check_signal_t( 2605 kauth_cred_t cred, 2606 struct proc *proc, 2607 int signum 2608 ); 2609 /** 2610 * @brief Access control check for MAC syscalls. 2611 * @param proc Subject process 2612 * @param policy MAC policy name 2613 * @param callnum MAC policy-specific syscall number 2614 * 2615 * Determine whether the subject process can perform the passed MAC syscall. 2616 * 2617 * @return Return 0 if access is granted, otherwise an appropriate value for 2618 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2619 */ 2620 typedef int mpo_proc_check_syscall_mac_t( 2621 struct proc *proc, 2622 const char *policy, 2623 int callnum 2624 ); 2625 /** 2626 * @brief Access control check for Unix syscalls. 2627 * @param proc Subject process 2628 * @param scnum Syscall number; see bsd/kern/syscalls.master. 2629 * 2630 * Determine whether the subject process can perform the passed syscall (number). 2631 * 2632 * @warning Programs typically expect to be able to make syscalls as part of 2633 * their normal process lifecycle; caution should be exercised when restricting 2634 * which syscalls a process can perform. 2635 * 2636 * @return Return 0 if access is granted, otherwise an appropriate value for 2637 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2638 */ 2639 typedef int mpo_proc_check_syscall_unix_t( 2640 struct proc *proc, 2641 int scnum 2642 ); 2643 /** 2644 * @brief Access control check for wait 2645 * @param cred Subject credential 2646 * @param proc Object process 2647 * 2648 * Determine whether the subject identified by the credential can wait 2649 * for process termination. 2650 * 2651 * @warning Caution should be exercised when implementing access 2652 * controls for wait, since programs often wait for child processes to 2653 * exit. Failure to be notified of a child process terminating may 2654 * cause the parent process to hang, or may produce zombie processes. 2655 * 2656 * @return Return 0 if access is granted, otherwise an appropriate value for 2657 * errno should be returned. 2658 */ 2659 typedef int mpo_proc_check_wait_t( 2660 kauth_cred_t cred, 2661 struct proc *proc 2662 ); 2663 /** 2664 * @brief Inform MAC policies that a process has exited. 2665 * @param proc Object process 2666 * 2667 * Called after all of the process's threads have terminated and 2668 * it has been removed from the process list. KPI that identifies 2669 * the process by pid will fail to find the process; KPI that 2670 * identifies the process by the object process pointer functions 2671 * normally. proc_exiting() returns true for the object process. 2672 */ 2673 typedef void mpo_proc_notify_exit_t( 2674 struct proc *proc 2675 ); 2676 /** 2677 * @brief Access control check for skywalk flow connect 2678 * @param cred Subject credential 2679 * @param flow Flow object 2680 * @param addr Remote address for flow to send data to 2681 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) 2682 * @param protocol Network protocol (e.g. IPPROTO_TCP) 2683 * 2684 * Determine whether the subject identified by the credential can 2685 * create a flow for sending data to the remote host specified by 2686 * addr. 2687 * 2688 * @return Return 0 if access if granted, otherwise an appropriate 2689 * value for errno should be returned. 2690 */ 2691 typedef int mpo_skywalk_flow_check_connect_t( 2692 kauth_cred_t cred, 2693 void *flow, 2694 const struct sockaddr *addr, 2695 int type, 2696 int protocol 2697 ); 2698 /** 2699 * @brief Access control check for skywalk flow listen 2700 * @param cred Subject credential 2701 * @param flow Flow object 2702 * @param addr Local address for flow to listen on 2703 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) 2704 * @param protocol Network protocol (e.g. IPPROTO_TCP) 2705 * 2706 * Determine whether the subject identified by the credential can 2707 * create a flow for receiving data on the local address specified 2708 * by addr. 2709 * 2710 * @return Return 0 if access if granted, otherwise an appropriate 2711 * value for errno should be returned. 2712 */ 2713 typedef int mpo_skywalk_flow_check_listen_t( 2714 kauth_cred_t cred, 2715 void *flow, 2716 const struct sockaddr *addr, 2717 int type, 2718 int protocol 2719 ); 2720 /** 2721 * @brief Access control check for socket accept 2722 * @param cred Subject credential 2723 * @param so Object socket 2724 * @param socklabel Policy label for socket 2725 * 2726 * Determine whether the subject identified by the credential can accept() 2727 * a new connection on the socket from the host specified by addr. 2728 * 2729 * @return Return 0 if access if granted, otherwise an appropriate 2730 * value for errno should be returned. 2731 */ 2732 typedef int mpo_socket_check_accept_t( 2733 kauth_cred_t cred, 2734 socket_t so, 2735 struct label *socklabel 2736 ); 2737 /** 2738 * @brief Access control check for a pending socket accept 2739 * @param cred Subject credential 2740 * @param so Object socket 2741 * @param socklabel Policy label for socket 2742 * @param addr Address of the listening socket (coming soon) 2743 * 2744 * Determine whether the subject identified by the credential can accept() 2745 * a pending connection on the socket from the host specified by addr. 2746 * 2747 * @return Return 0 if access if granted, otherwise an appropriate 2748 * value for errno should be returned. 2749 */ 2750 typedef int mpo_socket_check_accepted_t( 2751 kauth_cred_t cred, 2752 socket_t so, 2753 struct label *socklabel, 2754 struct sockaddr *addr 2755 ); 2756 /** 2757 * @brief Access control check for socket bind 2758 * @param cred Subject credential 2759 * @param so Object socket 2760 * @param socklabel Policy label for socket 2761 * @param addr Name to assign to the socket 2762 * 2763 * Determine whether the subject identified by the credential can bind() 2764 * the name (addr) to the socket. 2765 * 2766 * @return Return 0 if access if granted, otherwise an appropriate 2767 * value for errno should be returned. 2768 */ 2769 typedef int mpo_socket_check_bind_t( 2770 kauth_cred_t cred, 2771 socket_t so, 2772 struct label *socklabel, 2773 struct sockaddr *addr 2774 ); 2775 /** 2776 * @brief Access control check for socket connect 2777 * @param cred Subject credential 2778 * @param so Object socket 2779 * @param socklabel Policy label for socket 2780 * @param addr Name to assign to the socket 2781 * 2782 * Determine whether the subject identified by the credential can 2783 * connect() the passed socket to the remote host specified by addr. 2784 * 2785 * @return Return 0 if access if granted, otherwise an appropriate 2786 * value for errno should be returned. 2787 */ 2788 typedef int mpo_socket_check_connect_t( 2789 kauth_cred_t cred, 2790 socket_t so, 2791 struct label *socklabel, 2792 struct sockaddr *addr 2793 ); 2794 /** 2795 * @brief Access control check for socket() system call. 2796 * @param cred Subject credential 2797 * @param domain communication domain 2798 * @param type socket type 2799 * @param protocol socket protocol 2800 * 2801 * Determine whether the subject identified by the credential can 2802 * make the socket() call. 2803 * 2804 * @return Return 0 if access if granted, otherwise an appropriate 2805 * value for errno should be returned. 2806 */ 2807 typedef int mpo_socket_check_create_t( 2808 kauth_cred_t cred, 2809 int domain, 2810 int type, 2811 int protocol 2812 ); 2813 /** 2814 * @brief Access control check for socket ioctl. 2815 * @param cred Subject credential 2816 * @param so Object socket 2817 * @param cmd The ioctl command; see ioctl(2) 2818 * @param socklabel Policy label for socket 2819 * 2820 * Determine whether the subject identified by the credential can perform 2821 * the ioctl operation indicated by cmd on the given socket. 2822 * 2823 * @warning Since ioctl data is opaque from the standpoint of the MAC 2824 * framework, and since ioctls can affect many aspects of system 2825 * operation, policies must exercise extreme care when implementing 2826 * access control checks. 2827 * 2828 * @return Return 0 if access is granted, otherwise an appropriate value for 2829 * errno should be returned. 2830 */ 2831 typedef int mpo_socket_check_ioctl_t( 2832 kauth_cred_t cred, 2833 socket_t so, 2834 unsigned long cmd, 2835 struct label *socklabel 2836 ); 2837 /** 2838 * @brief Access control check for socket listen 2839 * @param cred Subject credential 2840 * @param so Object socket 2841 * @param socklabel Policy label for socket 2842 * 2843 * Determine whether the subject identified by the credential can 2844 * listen() on the passed socket. 2845 * 2846 * @return Return 0 if access if granted, otherwise an appropriate 2847 * value for errno should be returned. 2848 */ 2849 typedef int mpo_socket_check_listen_t( 2850 kauth_cred_t cred, 2851 socket_t so, 2852 struct label *socklabel 2853 ); 2854 /** 2855 * @brief Access control check for socket receive 2856 * @param cred Subject credential 2857 * @param so Object socket 2858 * @param socklabel Policy label for socket 2859 * 2860 * Determine whether the subject identified by the credential can 2861 * receive data from the socket. 2862 * 2863 * @return Return 0 if access if granted, otherwise an appropriate 2864 * value for errno should be returned. 2865 */ 2866 typedef int mpo_socket_check_receive_t( 2867 kauth_cred_t cred, 2868 socket_t so, 2869 struct label *socklabel 2870 ); 2871 2872 /** 2873 * @brief Access control check for socket receive 2874 * @param cred Subject credential 2875 * @param sock Object socket 2876 * @param socklabel Policy label for socket 2877 * @param saddr Name of the remote socket 2878 * 2879 * Determine whether the subject identified by the credential can 2880 * receive data from the remote host specified by addr. 2881 * 2882 * @return Return 0 if access if granted, otherwise an appropriate 2883 * value for errno should be returned. 2884 */ 2885 typedef int mpo_socket_check_received_t( 2886 kauth_cred_t cred, 2887 struct socket *sock, 2888 struct label *socklabel, 2889 struct sockaddr *saddr 2890 ); 2891 2892 /** 2893 * @brief Access control check for socket send 2894 * @param cred Subject credential 2895 * @param so Object socket 2896 * @param socklabel Policy label for socket 2897 * @param addr Address being sent to 2898 * 2899 * Determine whether the subject identified by the credential can send 2900 * data to the socket. 2901 * 2902 * @return Return 0 if access if granted, otherwise an appropriate 2903 * value for errno should be returned. 2904 */ 2905 typedef int mpo_socket_check_send_t( 2906 kauth_cred_t cred, 2907 socket_t so, 2908 struct label *socklabel, 2909 struct sockaddr *addr 2910 ); 2911 /** 2912 * @brief Access control check for retrieving socket status 2913 * @param cred Subject credential 2914 * @param so Object socket 2915 * @param socklabel Policy label for so 2916 * 2917 * Determine whether the subject identified by the credential can 2918 * execute the stat() system call on the given socket. 2919 * 2920 * @return Return 0 if access if granted, otherwise an appropriate 2921 * value for errno should be returned. 2922 */ 2923 typedef int mpo_socket_check_stat_t( 2924 kauth_cred_t cred, 2925 socket_t so, 2926 struct label *socklabel 2927 ); 2928 /** 2929 * @brief Access control check for setting socket options 2930 * @param cred Subject credential 2931 * @param so Object socket 2932 * @param socklabel Policy label for so 2933 * @param sopt The options being set 2934 * 2935 * Determine whether the subject identified by the credential can 2936 * execute the setsockopt system call on the given socket. 2937 * 2938 * @return Return 0 if access if granted, otherwise an appropriate 2939 * value for errno should be returned. 2940 */ 2941 typedef int mpo_socket_check_setsockopt_t( 2942 kauth_cred_t cred, 2943 socket_t so, 2944 struct label *socklabel, 2945 struct sockopt *sopt 2946 ); 2947 /** 2948 * @brief Access control check for getting socket options 2949 * @param cred Subject credential 2950 * @param so Object socket 2951 * @param socklabel Policy label for so 2952 * @param sopt The options to get 2953 * 2954 * Determine whether the subject identified by the credential can 2955 * execute the getsockopt system call on the given socket. 2956 * 2957 * @return Return 0 if access if granted, otherwise an appropriate 2958 * value for errno should be returned. 2959 */ 2960 typedef int mpo_socket_check_getsockopt_t( 2961 kauth_cred_t cred, 2962 socket_t so, 2963 struct label *socklabel, 2964 struct sockopt *sopt 2965 ); 2966 /** 2967 * @brief Access control check for enabling accounting 2968 * @param cred Subject credential 2969 * @param vp Accounting file 2970 * @param vlabel Label associated with vp 2971 * 2972 * Determine whether the subject should be allowed to enable accounting, 2973 * based on its label and the label of the accounting log file. See 2974 * acct(5) for more information. 2975 * 2976 * As accounting is disabled by passing NULL to the acct(2) system call, 2977 * the policy should be prepared for both 'vp' and 'vlabel' to be NULL. 2978 * 2979 * @return Return 0 if access is granted, otherwise an appropriate value for 2980 * errno should be returned. 2981 */ 2982 typedef int mpo_system_check_acct_t( 2983 kauth_cred_t cred, 2984 struct vnode *vp, 2985 struct label *vlabel 2986 ); 2987 /** 2988 * @brief Access control check for audit 2989 * @param cred Subject credential 2990 * @param record Audit record 2991 * @param length Audit record length 2992 * 2993 * Determine whether the subject identified by the credential can submit 2994 * an audit record for inclusion in the audit log via the audit() system call. 2995 * 2996 * @return Return 0 if access is granted, otherwise an appropriate value for 2997 * errno should be returned. 2998 */ 2999 typedef int mpo_system_check_audit_t( 3000 kauth_cred_t cred, 3001 void *record, 3002 int length 3003 ); 3004 /** 3005 * @brief Access control check for controlling audit 3006 * @param cred Subject credential 3007 * @param vp Audit file 3008 * @param vl Label associated with vp 3009 * 3010 * Determine whether the subject should be allowed to enable auditing using 3011 * the auditctl() system call, based on its label and the label of the proposed 3012 * audit file. 3013 * 3014 * @return Return 0 if access is granted, otherwise an appropriate value for 3015 * errno should be returned. 3016 */ 3017 typedef int mpo_system_check_auditctl_t( 3018 kauth_cred_t cred, 3019 struct vnode *vp, 3020 struct label *vl 3021 ); 3022 /** 3023 * @brief Access control check for manipulating auditing 3024 * @param cred Subject credential 3025 * @param cmd Audit control command 3026 * 3027 * Determine whether the subject identified by the credential can perform 3028 * the audit subsystem control operation cmd via the auditon() system call. 3029 * 3030 * @return Return 0 if access is granted, otherwise an appropriate value for 3031 * errno should be returned. 3032 */ 3033 typedef int mpo_system_check_auditon_t( 3034 kauth_cred_t cred, 3035 int cmd 3036 ); 3037 /** 3038 * @brief Access control check for obtaining the host control port 3039 * @param cred Subject credential 3040 * 3041 * Determine whether the subject identified by the credential can 3042 * obtain the host control port. 3043 * 3044 * @return Return 0 if access is granted, or non-zero otherwise. 3045 */ 3046 typedef int mpo_system_check_host_priv_t( 3047 kauth_cred_t cred 3048 ); 3049 /** 3050 * @brief Access control check for obtaining system information 3051 * @param cred Subject credential 3052 * @param info_type A description of the information requested 3053 * 3054 * Determine whether the subject identified by the credential should be 3055 * allowed to obtain information about the system. 3056 * 3057 * This is a generic hook that can be used in a variety of situations where 3058 * information is being returned that might be considered sensitive. 3059 * Rather than adding a new MAC hook for every such interface, this hook can 3060 * be called with a string identifying the type of information requested. 3061 * 3062 * @return Return 0 if access is granted, otherwise an appropriate value for 3063 * errno should be returned. 3064 */ 3065 typedef int mpo_system_check_info_t( 3066 kauth_cred_t cred, 3067 const char *info_type 3068 ); 3069 /** 3070 * @brief Access control check for calling NFS services 3071 * @param cred Subject credential 3072 * 3073 * Determine whether the subject identified by the credential should be 3074 * allowed to call nfssrv(2). 3075 * 3076 * @return Return 0 if access is granted, otherwise an appropriate value for 3077 * errno should be returned. 3078 */ 3079 typedef int mpo_system_check_nfsd_t( 3080 kauth_cred_t cred 3081 ); 3082 /** 3083 * @brief Access control check for reboot 3084 * @param cred Subject credential 3085 * @param howto howto parameter from reboot(2) 3086 * 3087 * Determine whether the subject identified by the credential should be 3088 * allowed to reboot the system in the specified manner. 3089 * 3090 * @return Return 0 if access is granted, otherwise an appropriate value for 3091 * errno should be returned. 3092 */ 3093 typedef int mpo_system_check_reboot_t( 3094 kauth_cred_t cred, 3095 int howto 3096 ); 3097 /** 3098 * @brief Access control check for setting system clock 3099 * @param cred Subject credential 3100 * 3101 * Determine whether the subject identified by the credential should be 3102 * allowed to set the system clock. 3103 * 3104 * @return Return 0 if access is granted, otherwise an appropriate value for 3105 * errno should be returned. 3106 */ 3107 typedef int mpo_system_check_settime_t( 3108 kauth_cred_t cred 3109 ); 3110 /** 3111 * @brief Access control check for removing swap devices 3112 * @param cred Subject credential 3113 * @param vp Swap device 3114 * @param label Label associated with vp 3115 * 3116 * Determine whether the subject identified by the credential should be 3117 * allowed to remove vp as a swap device. 3118 * 3119 * @return Return 0 if access is granted, otherwise an appropriate value for 3120 * errno should be returned. 3121 */ 3122 typedef int mpo_system_check_swapoff_t( 3123 kauth_cred_t cred, 3124 struct vnode *vp, 3125 struct label *label 3126 ); 3127 /** 3128 * @brief Access control check for adding swap devices 3129 * @param cred Subject credential 3130 * @param vp Swap device 3131 * @param label Label associated with vp 3132 * 3133 * Determine whether the subject identified by the credential should be 3134 * allowed to add vp as a swap device. 3135 * 3136 * @return Return 0 if access is granted, otherwise an appropriate value for 3137 * errno should be returned. 3138 */ 3139 typedef int mpo_system_check_swapon_t( 3140 kauth_cred_t cred, 3141 struct vnode *vp, 3142 struct label *label 3143 ); 3144 /** 3145 * @brief Access control check for sysctl 3146 * @param cred Subject credential 3147 * @param namestring String representation of sysctl name. 3148 * @param name Integer name; see sysctl(3) 3149 * @param namelen Length of name array of integers; see sysctl(3) 3150 * @param old 0 or address where to store old value; see sysctl(3) 3151 * @param oldlen Length of old buffer; see sysctl(3) 3152 * @param newvalue 0 or address of new value; see sysctl(3) 3153 * @param newlen Length of new buffer; see sysctl(3) 3154 * 3155 * Determine whether the subject identified by the credential should be 3156 * allowed to make the specified sysctl(3) transaction. 3157 * 3158 * The sysctl(3) call specifies that if the old value is not desired, 3159 * oldp and oldlenp should be set to NULL. Likewise, if a new value is 3160 * not to be set, newp should be set to NULL and newlen set to 0. 3161 * 3162 * @return Return 0 if access is granted, otherwise an appropriate value for 3163 * errno should be returned. 3164 */ 3165 typedef int mpo_system_check_sysctlbyname_t( 3166 kauth_cred_t cred, 3167 const char *namestring, 3168 int *name, 3169 size_t namelen, 3170 user_addr_t old, /* NULLOK */ 3171 size_t oldlen, 3172 user_addr_t newvalue, /* NULLOK */ 3173 size_t newlen 3174 ); 3175 /** 3176 * @brief Access control check for kas_info 3177 * @param cred Subject credential 3178 * @param selector Category of information to return. See kas_info.h 3179 * 3180 * Determine whether the subject identified by the credential can perform 3181 * introspection of the kernel address space layout for 3182 * debugging/performance analysis. 3183 * 3184 * @return Return 0 if access is granted, otherwise an appropriate value for 3185 * errno should be returned. 3186 */ 3187 typedef int mpo_system_check_kas_info_t( 3188 kauth_cred_t cred, 3189 int selector 3190 ); 3191 /** 3192 * @brief Create a System V message label 3193 * @param cred Subject credential 3194 * @param msqptr The message queue the message will be placed in 3195 * @param msqlabel The label of the message queue 3196 * @param msgptr The message 3197 * @param msglabel The label of the message 3198 * 3199 * Label the message as its placed in the message queue. 3200 */ 3201 typedef void mpo_sysvmsg_label_associate_t( 3202 kauth_cred_t cred, 3203 struct msqid_kernel *msqptr, 3204 struct label *msqlabel, 3205 struct msg *msgptr, 3206 struct label *msglabel 3207 ); 3208 /** 3209 * @brief Destroy System V message label 3210 * @param label The label to be destroyed 3211 * 3212 * Destroy a System V message label. Since the object is 3213 * going out of scope, policy modules should free any internal storage 3214 * associated with the label so that it may be destroyed. 3215 */ 3216 typedef void mpo_sysvmsg_label_destroy_t( 3217 struct label *label 3218 ); 3219 /** 3220 * @brief Initialize System V message label 3221 * @param label New label to initialize 3222 * 3223 * Initialize the label for a newly instantiated System V message. 3224 */ 3225 typedef void mpo_sysvmsg_label_init_t( 3226 struct label *label 3227 ); 3228 /** 3229 * @brief Clean up a System V message label 3230 * @param label The label to be destroyed 3231 * 3232 * Clean up a System V message label. Darwin pre-allocates 3233 * messages at system boot time and re-uses them rather than 3234 * allocating new ones. Before messages are returned to the "free 3235 * pool", policies can cleanup or overwrite any information present in 3236 * the label. 3237 */ 3238 typedef void mpo_sysvmsg_label_recycle_t( 3239 struct label *label 3240 ); 3241 /** 3242 * @brief Access control check for System V message enqueuing 3243 * @param cred Subject credential 3244 * @param msgptr The message 3245 * @param msglabel The message's label 3246 * @param msqptr The message queue 3247 * @param msqlabel The message queue's label 3248 * 3249 * Determine whether the subject identified by the credential can add the 3250 * given message to the given message queue. 3251 * 3252 * @return Return 0 if access is granted, otherwise an appropriate value for 3253 * errno should be returned. 3254 */ 3255 typedef int mpo_sysvmsq_check_enqueue_t( 3256 kauth_cred_t cred, 3257 struct msg *msgptr, 3258 struct label *msglabel, 3259 struct msqid_kernel *msqptr, 3260 struct label *msqlabel 3261 ); 3262 /** 3263 * @brief Access control check for System V message reception 3264 * @param cred The credential of the intended recipient 3265 * @param msgptr The message 3266 * @param msglabel The message's label 3267 * 3268 * Determine whether the subject identified by the credential can receive 3269 * the given message. 3270 * 3271 * @return Return 0 if access is granted, otherwise an appropriate value for 3272 * errno should be returned. 3273 */ 3274 typedef int mpo_sysvmsq_check_msgrcv_t( 3275 kauth_cred_t cred, 3276 struct msg *msgptr, 3277 struct label *msglabel 3278 ); 3279 /** 3280 * @brief Access control check for System V message queue removal 3281 * @param cred The credential of the caller 3282 * @param msgptr The message 3283 * @param msglabel The message's label 3284 * 3285 * System V message queues are removed using the msgctl() system call. 3286 * The system will iterate over each message in the queue, calling this 3287 * function for each, to determine whether the caller has the appropriate 3288 * credentials. 3289 * 3290 * @return Return 0 if access is granted, otherwise an appropriate value for 3291 * errno should be returned. 3292 */ 3293 typedef int mpo_sysvmsq_check_msgrmid_t( 3294 kauth_cred_t cred, 3295 struct msg *msgptr, 3296 struct label *msglabel 3297 ); 3298 /** 3299 * @brief Access control check for msgctl() 3300 * @param cred The credential of the caller 3301 * @param msqptr The message queue 3302 * @param msqlabel The message queue's label 3303 * 3304 * This access check is performed to validate calls to msgctl(). 3305 * 3306 * @return Return 0 if access is granted, otherwise an appropriate value for 3307 * errno should be returned. 3308 */ 3309 typedef int mpo_sysvmsq_check_msqctl_t( 3310 kauth_cred_t cred, 3311 struct msqid_kernel *msqptr, 3312 struct label *msqlabel, 3313 int cmd 3314 ); 3315 /** 3316 * @brief Access control check to get a System V message queue 3317 * @param cred The credential of the caller 3318 * @param msqptr The message queue requested 3319 * @param msqlabel The message queue's label 3320 * 3321 * On a call to msgget(), if the queue requested already exists, 3322 * and it is a public queue, this check will be performed before the 3323 * queue's ID is returned to the user. 3324 * 3325 * @return Return 0 if access is granted, otherwise an appropriate value for 3326 * errno should be returned. 3327 */ 3328 typedef int mpo_sysvmsq_check_msqget_t( 3329 kauth_cred_t cred, 3330 struct msqid_kernel *msqptr, 3331 struct label *msqlabel 3332 ); 3333 /** 3334 * @brief Access control check to receive a System V message from the given queue 3335 * @param cred The credential of the caller 3336 * @param msqptr The message queue to receive from 3337 * @param msqlabel The message queue's label 3338 * 3339 * On a call to msgrcv(), this check is performed to determine whether the 3340 * caller has receive rights on the given queue. 3341 * 3342 * @return Return 0 if access is granted, otherwise an appropriate value for 3343 * errno should be returned. 3344 */ 3345 typedef int mpo_sysvmsq_check_msqrcv_t( 3346 kauth_cred_t cred, 3347 struct msqid_kernel *msqptr, 3348 struct label *msqlabel 3349 ); 3350 /** 3351 * @brief Access control check to send a System V message to the given queue 3352 * @param cred The credential of the caller 3353 * @param msqptr The message queue to send to 3354 * @param msqlabel The message queue's label 3355 * 3356 * On a call to msgsnd(), this check is performed to determine whether the 3357 * caller has send rights on the given queue. 3358 * 3359 * @return Return 0 if access is granted, otherwise an appropriate value for 3360 * errno should be returned. 3361 */ 3362 typedef int mpo_sysvmsq_check_msqsnd_t( 3363 kauth_cred_t cred, 3364 struct msqid_kernel *msqptr, 3365 struct label *msqlabel 3366 ); 3367 /** 3368 * @brief Create a System V message queue label 3369 * @param cred Subject credential 3370 * @param msqptr The message queue 3371 * @param msqlabel The label of the message queue 3372 * 3373 */ 3374 typedef void mpo_sysvmsq_label_associate_t( 3375 kauth_cred_t cred, 3376 struct msqid_kernel *msqptr, 3377 struct label *msqlabel 3378 ); 3379 /** 3380 * @brief Destroy System V message queue label 3381 * @param label The label to be destroyed 3382 * 3383 * Destroy a System V message queue label. Since the object is 3384 * going out of scope, policy modules should free any internal storage 3385 * associated with the label so that it may be destroyed. 3386 */ 3387 typedef void mpo_sysvmsq_label_destroy_t( 3388 struct label *label 3389 ); 3390 /** 3391 * @brief Initialize System V message queue label 3392 * @param label New label to initialize 3393 * 3394 * Initialize the label for a newly instantiated System V message queue. 3395 */ 3396 typedef void mpo_sysvmsq_label_init_t( 3397 struct label *label 3398 ); 3399 /** 3400 * @brief Clean up a System V message queue label 3401 * @param label The label to be destroyed 3402 * 3403 * Clean up a System V message queue label. Darwin pre-allocates 3404 * message queues at system boot time and re-uses them rather than 3405 * allocating new ones. Before message queues are returned to the "free 3406 * pool", policies can cleanup or overwrite any information present in 3407 * the label. 3408 */ 3409 typedef void mpo_sysvmsq_label_recycle_t( 3410 struct label *label 3411 ); 3412 /** 3413 * @brief Access control check for System V semaphore control operation 3414 * @param cred Subject credential 3415 * @param semakptr Pointer to semaphore identifier 3416 * @param semaklabel Label associated with semaphore 3417 * @param cmd Control operation to be performed; see semctl(2) 3418 * 3419 * Determine whether the subject identified by the credential can perform 3420 * the operation indicated by cmd on the System V semaphore semakptr. 3421 * 3422 * @return Return 0 if access is granted, otherwise an appropriate value for 3423 * errno should be returned. 3424 */ 3425 typedef int mpo_sysvsem_check_semctl_t( 3426 kauth_cred_t cred, 3427 struct semid_kernel *semakptr, 3428 struct label *semaklabel, 3429 int cmd 3430 ); 3431 /** 3432 * @brief Access control check for obtaining a System V semaphore 3433 * @param cred Subject credential 3434 * @param semakptr Pointer to semaphore identifier 3435 * @param semaklabel Label to associate with the semaphore 3436 * 3437 * Determine whether the subject identified by the credential can 3438 * obtain a System V semaphore. 3439 * 3440 * @return Return 0 if access is granted, otherwise an appropriate value for 3441 * errno should be returned. 3442 */ 3443 typedef int mpo_sysvsem_check_semget_t( 3444 kauth_cred_t cred, 3445 struct semid_kernel *semakptr, 3446 struct label *semaklabel 3447 ); 3448 /** 3449 * @brief Access control check for System V semaphore operations 3450 * @param cred Subject credential 3451 * @param semakptr Pointer to semaphore identifier 3452 * @param semaklabel Label associated with the semaphore 3453 * @param accesstype Flags to indicate access (read and/or write) 3454 * 3455 * Determine whether the subject identified by the credential can 3456 * perform the operations on the System V semaphore indicated by 3457 * semakptr. The accesstype flags hold the maximum set of permissions 3458 * from the sem_op array passed to the semop system call. It may 3459 * contain SEM_R for read-only operations or SEM_A for read/write 3460 * operations. 3461 * 3462 * @return Return 0 if access is granted, otherwise an appropriate value for 3463 * errno should be returned. 3464 */ 3465 typedef int mpo_sysvsem_check_semop_t( 3466 kauth_cred_t cred, 3467 struct semid_kernel *semakptr, 3468 struct label *semaklabel, 3469 size_t accesstype 3470 ); 3471 /** 3472 * @brief Create a System V semaphore label 3473 * @param cred Subject credential 3474 * @param semakptr The semaphore being created 3475 * @param semalabel Label to associate with the new semaphore 3476 * 3477 * Label a new System V semaphore. The label was previously 3478 * initialized and associated with the semaphore. At this time, an 3479 * appropriate initial label value should be assigned to the object and 3480 * stored in semalabel. 3481 */ 3482 typedef void mpo_sysvsem_label_associate_t( 3483 kauth_cred_t cred, 3484 struct semid_kernel *semakptr, 3485 struct label *semalabel 3486 ); 3487 /** 3488 * @brief Destroy System V semaphore label 3489 * @param label The label to be destroyed 3490 * 3491 * Destroy a System V semaphore label. Since the object is 3492 * going out of scope, policy modules should free any internal storage 3493 * associated with the label so that it may be destroyed. 3494 */ 3495 typedef void mpo_sysvsem_label_destroy_t( 3496 struct label *label 3497 ); 3498 /** 3499 * @brief Initialize System V semaphore label 3500 * @param label New label to initialize 3501 * 3502 * Initialize the label for a newly instantiated System V semaphore. Sleeping 3503 * is permitted. 3504 */ 3505 typedef void mpo_sysvsem_label_init_t( 3506 struct label *label 3507 ); 3508 /** 3509 * @brief Clean up a System V semaphore label 3510 * @param label The label to be cleaned 3511 * 3512 * Clean up a System V semaphore label. Darwin pre-allocates 3513 * semaphores at system boot time and re-uses them rather than 3514 * allocating new ones. Before semaphores are returned to the "free 3515 * pool", policies can cleanup or overwrite any information present in 3516 * the label. 3517 */ 3518 typedef void mpo_sysvsem_label_recycle_t( 3519 struct label *label 3520 ); 3521 /** 3522 * @brief Access control check for mapping System V shared memory 3523 * @param cred Subject credential 3524 * @param shmsegptr Pointer to shared memory segment identifier 3525 * @param shmseglabel Label associated with the shared memory segment 3526 * @param shmflg shmat flags; see shmat(2) 3527 * 3528 * Determine whether the subject identified by the credential can map 3529 * the System V shared memory segment associated with shmsegptr. 3530 * 3531 * @return Return 0 if access is granted, otherwise an appropriate value for 3532 * errno should be returned. 3533 */ 3534 typedef int mpo_sysvshm_check_shmat_t( 3535 kauth_cred_t cred, 3536 struct shmid_kernel *shmsegptr, 3537 struct label *shmseglabel, 3538 int shmflg 3539 ); 3540 /** 3541 * @brief Access control check for System V shared memory control operation 3542 * @param cred Subject credential 3543 * @param shmsegptr Pointer to shared memory segment identifier 3544 * @param shmseglabel Label associated with the shared memory segment 3545 * @param cmd Control operation to be performed; see shmctl(2) 3546 * 3547 * Determine whether the subject identified by the credential can perform 3548 * the operation indicated by cmd on the System V shared memory segment 3549 * shmsegptr. 3550 * 3551 * @return Return 0 if access is granted, otherwise an appropriate value for 3552 * errno should be returned. 3553 */ 3554 typedef int mpo_sysvshm_check_shmctl_t( 3555 kauth_cred_t cred, 3556 struct shmid_kernel *shmsegptr, 3557 struct label *shmseglabel, 3558 int cmd 3559 ); 3560 /** 3561 * @brief Access control check for unmapping System V shared memory 3562 * @param cred Subject credential 3563 * @param shmsegptr Pointer to shared memory segment identifier 3564 * @param shmseglabel Label associated with the shared memory segment 3565 * 3566 * Determine whether the subject identified by the credential can unmap 3567 * the System V shared memory segment associated with shmsegptr. 3568 * 3569 * @return Return 0 if access is granted, otherwise an appropriate value for 3570 * errno should be returned. 3571 */ 3572 typedef int mpo_sysvshm_check_shmdt_t( 3573 kauth_cred_t cred, 3574 struct shmid_kernel *shmsegptr, 3575 struct label *shmseglabel 3576 ); 3577 /** 3578 * @brief Access control check obtaining System V shared memory identifier 3579 * @param cred Subject credential 3580 * @param shmsegptr Pointer to shared memory segment identifier 3581 * @param shmseglabel Label associated with the shared memory segment 3582 * @param shmflg shmget flags; see shmget(2) 3583 * 3584 * Determine whether the subject identified by the credential can get 3585 * the System V shared memory segment address. 3586 * 3587 * @return Return 0 if access is granted, otherwise an appropriate value for 3588 * errno should be returned. 3589 */ 3590 typedef int mpo_sysvshm_check_shmget_t( 3591 kauth_cred_t cred, 3592 struct shmid_kernel *shmsegptr, 3593 struct label *shmseglabel, 3594 int shmflg 3595 ); 3596 /** 3597 * @brief Create a System V shared memory region label 3598 * @param cred Subject credential 3599 * @param shmsegptr The shared memory region being created 3600 * @param shmlabel Label to associate with the new shared memory region 3601 * 3602 * Label a new System V shared memory region. The label was previously 3603 * initialized and associated with the shared memory region. At this 3604 * time, an appropriate initial label value should be assigned to the 3605 * object and stored in shmlabel. 3606 */ 3607 typedef void mpo_sysvshm_label_associate_t( 3608 kauth_cred_t cred, 3609 struct shmid_kernel *shmsegptr, 3610 struct label *shmlabel 3611 ); 3612 /** 3613 * @brief Destroy System V shared memory label 3614 * @param label The label to be destroyed 3615 * 3616 * Destroy a System V shared memory region label. Since the 3617 * object is going out of scope, policy modules should free any 3618 * internal storage associated with the label so that it may be 3619 * destroyed. 3620 */ 3621 typedef void mpo_sysvshm_label_destroy_t( 3622 struct label *label 3623 ); 3624 /** 3625 * @brief Initialize System V Shared Memory region label 3626 * @param label New label to initialize 3627 * 3628 * Initialize the label for a newly instantiated System V Shared Memory 3629 * region. Sleeping is permitted. 3630 */ 3631 typedef void mpo_sysvshm_label_init_t( 3632 struct label *label 3633 ); 3634 /** 3635 * @brief Clean up a System V Share Memory Region label 3636 * @param shmlabel The label to be cleaned 3637 * 3638 * Clean up a System V Shared Memory Region label. Darwin 3639 * pre-allocates these objects at system boot time and re-uses them 3640 * rather than allocating new ones. Before the memory regions are 3641 * returned to the "free pool", policies can cleanup or overwrite any 3642 * information present in the label. 3643 */ 3644 typedef void mpo_sysvshm_label_recycle_t( 3645 struct label *shmlabel 3646 ); 3647 3648 /** 3649 * @brief Access control check for getting a process's task ports of different flavors 3650 * @param cred Subject credential 3651 * @param pident Object unique process identifier 3652 * @param flavor Requested task port flavor 3653 * 3654 * Determine whether the subject identified by the credential can get 3655 * the passed process's task port of given flavor. 3656 * This call is used by the task_{,read,inspect,name}_for_pid(2) API. 3657 * 3658 * @return Return 0 if access is granted, otherwise an appropriate value for 3659 * errno should be returned. Suggested failure: EACCES for label mismatch, 3660 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3661 */ 3662 typedef int mpo_proc_check_get_task_with_flavor_t( 3663 kauth_cred_t cred, 3664 struct proc_ident *pident, 3665 mach_task_flavor_t flavor 3666 ); 3667 3668 /** 3669 * @brief Access control check for exposing a process's task ports of different flavors 3670 * @param cred Subject credential 3671 * @param pident Object unique process identifier 3672 * @param flavor Requested task port flavor 3673 * 3674 * Determine whether the subject identified by the credential can expose 3675 * the passed process's task port of given flavor. 3676 * This call is used by the accessor APIs like processor_set_tasks() and 3677 * processor_set_threads(). 3678 * 3679 * @return Return 0 if access is granted, otherwise an appropriate value for 3680 * errno should be returned. Suggested failure: EACCES for label mismatch, 3681 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3682 */ 3683 typedef int mpo_proc_check_expose_task_with_flavor_t( 3684 kauth_cred_t cred, 3685 struct proc_ident *pident, 3686 mach_task_flavor_t flavor 3687 ); 3688 3689 /** 3690 * @brief Access control check for upgrading to task port with a task identity token 3691 * @param cred Subject credential 3692 * @param pident Object unique process identifier, NULL if token represents a corpse task 3693 * @param flavor Requested task port flavor 3694 * 3695 * Determine whether the subject identified by the credential can upgrade to task port 3696 * of given flavor with a task identity token of the passed process. 3697 * This call is used by task_identity_token_get_task_port(). 3698 * 3699 * @return Return 0 if access is granted, otherwise an appropriate value for 3700 * errno should be returned. Suggested failure: EACCES for label mismatch, 3701 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3702 */ 3703 typedef int mpo_proc_check_task_id_token_get_task_t( 3704 kauth_cred_t cred, 3705 struct proc_ident *pident, /* Nullable */ 3706 mach_task_flavor_t flavor 3707 ); 3708 3709 /** 3710 * @brief Check whether task's IPC may inherit across process exec 3711 * @param p current process instance 3712 * @param cur_vp vnode pointer to current instance 3713 * @param cur_offset offset of binary of currently executing image 3714 * @param img_vp vnode pointer to to be exec'ed image 3715 * @param img_offset offset into file which is selected for execution 3716 * @param scriptvp vnode pointer of script file if any. 3717 * @return Return 0 if access is granted. 3718 * EPERM if parent does not have any entitlements. 3719 * EACCESS if mismatch in entitlements 3720 */ 3721 typedef int mpo_proc_check_inherit_ipc_ports_t( 3722 struct proc *p, 3723 struct vnode *cur_vp, 3724 off_t cur_offset, 3725 struct vnode *img_vp, 3726 off_t img_offset, 3727 struct vnode *scriptvp 3728 ); 3729 3730 /** 3731 * @brief Privilege check for a process to run invalid 3732 * @param p Object process 3733 * 3734 * Determine whether the process may execute even though the system determined 3735 * that it is untrusted (eg unidentified / modified code). 3736 * 3737 * @return Return 0 if access is granted, otherwise an appropriate value for 3738 * errno should be returned. 3739 */ 3740 typedef int mpo_proc_check_run_cs_invalid_t( 3741 struct proc *p 3742 ); 3743 3744 /** 3745 * @brief Notification a process was invalidated 3746 * @param p Object process 3747 * 3748 * Notifies that the CS_VALID bit was removed from a process' csflags. This 3749 * either indicates that a validly code-signed process has encountered an 3750 * invalidly code-signed page for the first time, or that it was explicitly 3751 * marked invalid via a csops(CS_OPS_MARKINVALID) syscall. 3752 * 3753 * @warning This hook can be called from the page fault handler; it should not 3754 * perform any operations that may result in paging, and stack space is extremely 3755 * limited. Furthermore, the hook is called with proc lock held, and if called 3756 * from the fault handler, with vm object lock held. Consumers reacting to this 3757 * hook being called are expected to defer processing to a userret, possibly 3758 * after suspending the task. 3759 */ 3760 typedef void mpo_proc_notify_cs_invalidated_t( 3761 struct proc *p 3762 ); 3763 3764 /** 3765 * @brief Notification a process is finished with exec and will jump to userspace 3766 * @param p Object process 3767 * 3768 * Notifies all MAC policies that a process has completed an exec and is about to 3769 * jump to userspace to continue execution. This may result in process termination 3770 * via signals. Hook is designed to hold no/minimal locks so it can be used for any 3771 * necessary upcalls. 3772 */ 3773 typedef void mpo_proc_notify_exec_complete_t( 3774 struct proc *p 3775 ); 3776 3777 /** 3778 * @brief Access control check for setting user ID 3779 * @param cred Subject credential 3780 * @param uid Requested user ID 3781 * 3782 * Determine whether the subject identified by the credential can set the 3783 * real and effective user ID and the saved set-user-ID of the current 3784 * process, using the setuid() system call. 3785 * 3786 * @return Return 0 if access is granted, otherwise an appropriate value for 3787 * errno should be returned. 3788 */ 3789 typedef int mpo_proc_check_setuid_t( 3790 kauth_cred_t cred, 3791 uid_t uid 3792 ); 3793 3794 /** 3795 * @brief Access control check for setting effective user ID 3796 * @param cred Subject credential 3797 * @param euid Requested effective user ID 3798 * 3799 * Determine whether the subject identified by the credential can set the 3800 * effective user ID of the current process, using the seteuid() system call. 3801 * 3802 * @return Return 0 if access is granted, otherwise an appropriate value for 3803 * errno should be returned. 3804 */ 3805 typedef int mpo_proc_check_seteuid_t( 3806 kauth_cred_t cred, 3807 uid_t euid 3808 ); 3809 3810 /** 3811 * @brief Access control check for setting real and effective user ID 3812 * @param cred Subject credential 3813 * @param ruid Requested real user ID 3814 * @param euid Requested effective user ID 3815 * 3816 * Determine whether the subject identified by the credential can set the 3817 * real and effective user ID of the current process, using the setreuid() 3818 * system call. 3819 * 3820 * @return Return 0 if access is granted, otherwise an appropriate value for 3821 * errno should be returned. 3822 */ 3823 typedef int mpo_proc_check_setreuid_t( 3824 kauth_cred_t cred, 3825 uid_t ruid, 3826 uid_t euid 3827 ); 3828 3829 /** 3830 * @brief Access control check for setting group ID 3831 * @param cred Subject credential 3832 * @param gid Requested group ID 3833 * 3834 * Determine whether the subject identified by the credential can set the 3835 * real and effective group IDs and the saved set-group-ID of the current 3836 * process, using the setgid() system call. 3837 * 3838 * @return Return 0 if access is granted, otherwise an appropriate value for 3839 * errno should be returned. 3840 */ 3841 typedef int mpo_proc_check_setgid_t( 3842 kauth_cred_t cred, 3843 gid_t gid 3844 ); 3845 3846 /** 3847 * @brief Access control check for setting effective group ID 3848 * @param cred Subject credential 3849 * @param egid Requested effective group ID 3850 * 3851 * Determine whether the subject identified by the credential can set the 3852 * effective group ID of the current process, using the setegid() system call. 3853 * 3854 * @return Return 0 if access is granted, otherwise an appropriate value for 3855 * errno should be returned. 3856 */ 3857 typedef int mpo_proc_check_setegid_t( 3858 kauth_cred_t cred, 3859 gid_t egid 3860 ); 3861 3862 /** 3863 * @brief Access control check for setting real and effective group ID 3864 * @param cred Subject credential 3865 * @param rgid Requested real group ID or KAUTH_UID_NONE for none 3866 * @param egid Requested effective group ID or KAUTH_GID_NONE for none 3867 * 3868 * Determine whether the subject identified by the credential can set the 3869 * real and effective group ID of the current process, using the setregid() 3870 * system call. 3871 * 3872 * @return Return 0 if access is granted, otherwise an appropriate value for 3873 * errno should be returned. 3874 */ 3875 typedef int mpo_proc_check_setregid_t( 3876 kauth_cred_t cred, 3877 gid_t rgid, 3878 gid_t egid 3879 ); 3880 3881 /** 3882 * @brief Access control check for setting thread assumed identity 3883 * @param pcred Subject process credential 3884 * @param tcred Subject thread credential 3885 * @param uid Requested user ID or KAUTH_UID_NONE for none 3886 * @param gid Requested group ID or KAUTH_GID_NONE for none 3887 * 3888 * Determine whether the subject identified by the credential can set the 3889 * user and group ID of the current thread, using the settid() or 3890 * settid_with_pid() system call. 3891 * 3892 * @return Return 0 if access is granted, otherwise an appropriate value for 3893 * errno should be returned. 3894 */ 3895 typedef int mpo_proc_check_settid_t( 3896 kauth_cred_t pcred, 3897 kauth_cred_t tcred, 3898 uid_t uid, 3899 gid_t gid 3900 ); 3901 3902 /** 3903 * @brief Perform MAC-related analysis of telemetry data. 3904 * @param thread The Mach thread that was sampled. 3905 * 3906 * Notifies MAC policies that telemetry data was just collected from a 3907 * process's user thread and that it is ready to be analyzed. The analysis is 3908 * performed shortly before a thread is about to return to userspace via a 3909 * syscall or mach trap. 3910 * 3911 * Note that sometimes the scheduled telemetry can fail. In the case of 3912 * failure, the function will be called with a non-zero `err` value, in which 3913 * case it is expected that the client will cleanup any necessary state 3914 * recorded back when the telemetry was first scheduled. 3915 */ 3916 typedef void mpo_thread_telemetry_t( 3917 struct thread *thread, 3918 int err, 3919 const void *data, 3920 size_t length 3921 ); 3922 3923 /** 3924 * @brief Perform MAC-related events when a thread returns to user space 3925 * @param thread Mach (not BSD) thread that is returning 3926 * 3927 * This entry point permits policy modules to perform MAC-related 3928 * events when a thread returns to user space, via a system call 3929 * return or trap return. 3930 */ 3931 typedef void mpo_thread_userret_t( 3932 struct thread *thread 3933 ); 3934 3935 /** 3936 * @brief Check vnode access 3937 * @param cred Subject credential 3938 * @param vp Object vnode 3939 * @param label Label for vp 3940 * @param acc_mode access(2) flags 3941 * 3942 * Determine how invocations of access(2) and related calls by the 3943 * subject identified by the credential should return when performed 3944 * on the passed vnode using the passed access flags. This should 3945 * generally be implemented using the same semantics used in 3946 * mpo_vnode_check_open. 3947 * 3948 * @return Return 0 if access is granted, otherwise an appropriate value for 3949 * errno should be returned. Suggested failure: EACCES for label mismatch or 3950 * EPERM for lack of privilege. 3951 */ 3952 typedef int mpo_vnode_check_access_t( 3953 kauth_cred_t cred, 3954 struct vnode *vp, 3955 struct label *label, 3956 int acc_mode 3957 ); 3958 /** 3959 * @brief Access control check for changing working directory 3960 * @param cred Subject credential 3961 * @param dvp Object; vnode to chdir(2) into 3962 * @param dlabel Policy label for dvp 3963 * 3964 * Determine whether the subject identified by the credential can change 3965 * the process working directory to the passed vnode. 3966 * 3967 * @return Return 0 if access is granted, otherwise an appropriate value for 3968 * errno should be returned. Suggested failure: EACCES for label mismatch or 3969 * EPERM for lack of privilege. 3970 */ 3971 typedef int mpo_vnode_check_chdir_t( 3972 kauth_cred_t cred, 3973 struct vnode *dvp, 3974 struct label *dlabel 3975 ); 3976 /** 3977 * @brief Access control check for changing root directory 3978 * @param cred Subject credential 3979 * @param dvp Directory vnode 3980 * @param dlabel Policy label associated with dvp 3981 * @param cnp Component name for dvp 3982 * 3983 * Determine whether the subject identified by the credential should be 3984 * allowed to chroot(2) into the specified directory (dvp). 3985 * 3986 * @return In the event of an error, an appropriate value for errno 3987 * should be returned, otherwise return 0 upon success. 3988 */ 3989 typedef int mpo_vnode_check_chroot_t( 3990 kauth_cred_t cred, 3991 struct vnode *dvp, 3992 struct label *dlabel, 3993 struct componentname *cnp 3994 ); 3995 /** 3996 * @brief Access control check for creating clone 3997 * @param cred Subject credential 3998 * @param dvp Vnode of directory to create the clone in 3999 * @param dlabel Policy label associated with dvp 4000 * @param vp Vnode of the file to clone from 4001 * @param label Policy label associated with vp 4002 * @param cnp Component name for the clone being created 4003 * 4004 * Determine whether the subject identified by the credential should be 4005 * allowed to create a clone of the vnode vp with the name specified by cnp. 4006 * 4007 * @return Return 0 if access is granted, otherwise an appropriate value for 4008 * errno should be returned. 4009 */ 4010 typedef int mpo_vnode_check_clone_t( 4011 kauth_cred_t cred, 4012 struct vnode *dvp, 4013 struct label *dlabel, 4014 struct vnode *vp, 4015 struct label *label, 4016 struct componentname *cnp 4017 ); 4018 /** 4019 * @brief Access control check for creating vnode 4020 * @param cred Subject credential 4021 * @param dvp Directory vnode 4022 * @param dlabel Policy label for dvp 4023 * @param cnp Component name for dvp 4024 * @param vap vnode attributes for vap 4025 * 4026 * Determine whether the subject identified by the credential can create 4027 * a vnode with the passed parent directory, passed name information, 4028 * and passed attribute information. This call may be made in a number of 4029 * situations, including as a result of calls to open(2) with O_CREAT, 4030 * mknod(2), mkfifo(2), and others. 4031 * 4032 * @return Return 0 if access is granted, otherwise an appropriate value for 4033 * errno should be returned. Suggested failure: EACCES for label mismatch or 4034 * EPERM for lack of privilege. 4035 */ 4036 typedef int mpo_vnode_check_create_t( 4037 kauth_cred_t cred, 4038 struct vnode *dvp, 4039 struct label *dlabel, 4040 struct componentname *cnp, 4041 struct vnode_attr *vap 4042 ); 4043 /** 4044 * @brief Access control check for deleting extended attribute 4045 * @param cred Subject credential 4046 * @param vp Object vnode 4047 * @param vlabel Label associated with vp 4048 * @param name Extended attribute name 4049 * 4050 * Determine whether the subject identified by the credential can delete 4051 * the extended attribute from the passed vnode. 4052 * 4053 * @return Return 0 if access is granted, otherwise an appropriate value for 4054 * errno should be returned. Suggested failure: EACCES for label mismatch or 4055 * EPERM for lack of privilege. 4056 */ 4057 typedef int mpo_vnode_check_deleteextattr_t( 4058 kauth_cred_t cred, 4059 struct vnode *vp, 4060 struct label *vlabel, 4061 const char *name 4062 ); 4063 /** 4064 * @brief Access control check for exchanging file data 4065 * @param cred Subject credential 4066 * @param v1 vnode 1 to swap 4067 * @param vl1 Policy label for v1 4068 * @param v2 vnode 2 to swap 4069 * @param vl2 Policy label for v2 4070 * 4071 * Determine whether the subject identified by the credential can swap the data 4072 * in the two supplied vnodes. 4073 * 4074 * @return Return 0 if access is granted, otherwise an appropriate value for 4075 * errno should be returned. Suggested failure: EACCES for label mismatch or 4076 * EPERM for lack of privilege. 4077 */ 4078 typedef int mpo_vnode_check_exchangedata_t( 4079 kauth_cred_t cred, 4080 struct vnode *v1, 4081 struct label *vl1, 4082 struct vnode *v2, 4083 struct label *vl2 4084 ); 4085 /** 4086 * @brief Access control check for executing the vnode 4087 * @param cred Subject credential 4088 * @param vp Object vnode to execute 4089 * @param scriptvp Script being executed by interpreter, if any. 4090 * @param vnodelabel Label corresponding to vp 4091 * @param scriptlabel Script vnode label 4092 * @param execlabel Userspace provided execution label 4093 * @param cnp Component name for file being executed 4094 * @param macpolicyattr MAC policy-specific spawn attribute data. 4095 * @param macpolicyattrlen Length of policy-specific spawn attribute data. 4096 * 4097 * Determine whether the subject identified by the credential can execute 4098 * the passed vnode. Determination of execute privilege is made separately 4099 * from decisions about any process label transitioning event. 4100 * 4101 * The final label, execlabel, corresponds to a label supplied by a 4102 * user space application through the use of the mac_execve system call. 4103 * This label will be NULL if the user application uses the the vendor 4104 * execve(2) call instead of the MAC Framework mac_execve() call. 4105 * 4106 * @return Return 0 if access is granted, otherwise an appropriate value for 4107 * errno should be returned. Suggested failure: EACCES for label mismatch or 4108 * EPERM for lack of privilege. 4109 */ 4110 typedef int mpo_vnode_check_exec_t( 4111 kauth_cred_t cred, 4112 struct vnode *vp, 4113 struct vnode *scriptvp, 4114 struct label *vnodelabel, 4115 struct label *scriptlabel, 4116 struct label *execlabel, /* NULLOK */ 4117 struct componentname *cnp, 4118 u_int *csflags, 4119 void *macpolicyattr, 4120 size_t macpolicyattrlen 4121 ); 4122 /** 4123 * @brief Access control check for fsgetpath 4124 * @param cred Subject credential 4125 * @param vp Vnode for which a path will be returned 4126 * @param label Label associated with the vnode 4127 * 4128 * Determine whether the subject identified by the credential can get the path 4129 * of the given vnode with fsgetpath. 4130 * 4131 * @return Return 0 if access is granted, otherwise an appropriate value for 4132 * errno should be returned. 4133 */ 4134 typedef int mpo_vnode_check_fsgetpath_t( 4135 kauth_cred_t cred, 4136 struct vnode *vp, 4137 struct label *label 4138 ); 4139 /** 4140 * @brief Access control check for retrieving file attributes 4141 * @param active_cred Subject credential 4142 * @param file_cred Credential associated with the struct fileproc 4143 * @param vp Object vnode 4144 * @param vlabel Policy label for vp 4145 * @param va Vnode attributes to retrieve 4146 * 4147 * Determine whether the subject identified by the credential can 4148 * get information about the passed vnode. The active_cred hold 4149 * the credentials of the subject performing the operation, and 4150 * file_cred holds the credentials of the subject that originally 4151 * opened the file. This check happens during stat(), lstat(), 4152 * fstat(), and getattrlist() syscalls. See <sys/vnode.h> for 4153 * definitions of the attributes. 4154 * 4155 * @return Return 0 if access is granted, otherwise an appropriate value for 4156 * errno should be returned. 4157 * 4158 * @note Policies may change the contents of va to alter the list of 4159 * file attributes returned. 4160 */ 4161 typedef int mpo_vnode_check_getattr_t( 4162 kauth_cred_t active_cred, 4163 kauth_cred_t file_cred, /* NULLOK */ 4164 struct vnode *vp, 4165 struct label *vlabel, 4166 struct vnode_attr *va 4167 ); 4168 /** 4169 * @brief Access control check for retrieving file attributes 4170 * @param cred Subject credential 4171 * @param vp Object vnode 4172 * @param vlabel Policy label for vp 4173 * @param alist List of attributes to retrieve 4174 * @param options Option flags for alist 4175 * 4176 * Determine whether the subject identified by the credential can read 4177 * various attributes of the specified vnode, or the filesystem or volume on 4178 * which that vnode resides. See <sys/attr.h> for definitions of the 4179 * attributes and flags. 4180 * 4181 * @return Return 0 if access is granted, otherwise an appropriate value for 4182 * errno should be returned. Suggested failure: EACCES for label mismatch or 4183 * EPERM for lack of privilege. Access control covers all attributes requested 4184 * with this call; the security policy is not permitted to change the set of 4185 * attributes requested. 4186 */ 4187 typedef int mpo_vnode_check_getattrlist_t( 4188 kauth_cred_t cred, 4189 struct vnode *vp, 4190 struct label *vlabel, 4191 struct attrlist *alist, 4192 uint64_t options 4193 ); 4194 /** 4195 * @brief Access control check for retrieving file attributes for multiple directory entries 4196 * @param cred Subject credential 4197 * @param dvp Directory vnode 4198 * @param alist List of attributes to retrieve 4199 * @param options Option flags for alist 4200 * 4201 * Determine whether the subject identified by the credential can read 4202 * various attributes of the specified vnode, or the filesystem or volume on 4203 * which that vnode resides. See <sys/attr.h> for definitions of the 4204 * attributes and flags. 4205 * 4206 * @return Return 0 if access is granted, otherwise an appropriate value for 4207 * errno should be returned. Suggested failure: EACCES for label mismatch or 4208 * EPERM for lack of privilege. Access control covers all attributes requested 4209 * with this call; the security policy is not permitted to change the set of 4210 * attributes requested. 4211 */ 4212 typedef int mpo_vnode_check_getattrlistbulk_t( 4213 kauth_cred_t cred, 4214 struct vnode *dvp, 4215 struct attrlist *alist, 4216 uint64_t options 4217 ); 4218 /** 4219 * @brief Access control check for retrieving an extended attribute 4220 * @param cred Subject credential 4221 * @param vp Object vnode 4222 * @param label Policy label for vp 4223 * @param name Extended attribute name 4224 * @param uio I/O structure pointer 4225 * 4226 * Determine whether the subject identified by the credential can retrieve 4227 * the extended attribute from the passed vnode. The uio parameter 4228 * will be NULL when the getxattr(2) call has been made with a NULL data 4229 * value; this is done to request the size of the data only. 4230 * 4231 * @return Return 0 if access is granted, otherwise an appropriate value for 4232 * errno should be returned. Suggested failure: EACCES for label mismatch or 4233 * EPERM for lack of privilege. 4234 */ 4235 typedef int mpo_vnode_check_getextattr_t( 4236 kauth_cred_t cred, 4237 struct vnode *vp, 4238 struct label *label, /* NULLOK */ 4239 const char *name, 4240 struct uio *uio /* NULLOK */ 4241 ); 4242 /** 4243 * @brief Access control check for ioctl 4244 * @param cred Subject credential 4245 * @param vp Object vnode 4246 * @param label Policy label for vp 4247 * @param cmd Device-dependent request code; see ioctl(2) 4248 * 4249 * Determine whether the subject identified by the credential can perform 4250 * the ioctl operation indicated by com. 4251 * 4252 * @warning Since ioctl data is opaque from the standpoint of the MAC 4253 * framework, and since ioctls can affect many aspects of system 4254 * operation, policies must exercise extreme care when implementing 4255 * access control checks. 4256 * 4257 * @return Return 0 if access is granted, otherwise an appropriate value for 4258 * errno should be returned. 4259 */ 4260 typedef int mpo_vnode_check_ioctl_t( 4261 kauth_cred_t cred, 4262 struct vnode *vp, 4263 struct label *label, 4264 unsigned long cmd 4265 ); 4266 /** 4267 * @brief Access control check for vnode kqfilter 4268 * @param active_cred Subject credential 4269 * @param kn Object knote 4270 * @param vp Object vnode 4271 * @param label Policy label for vp 4272 * 4273 * Determine whether the subject identified by the credential can 4274 * receive the knote on the passed vnode. 4275 * 4276 * @return Return 0 if access if granted, otherwise an appropriate 4277 * value for errno should be returned. 4278 */ 4279 typedef int mpo_vnode_check_kqfilter_t( 4280 kauth_cred_t active_cred, 4281 kauth_cred_t file_cred, /* NULLOK */ 4282 struct knote *kn, 4283 struct vnode *vp, 4284 struct label *label 4285 ); 4286 /** 4287 * @brief Access control check for relabel 4288 * @param cred Subject credential 4289 * @param vp Object vnode 4290 * @param vnodelabel Existing policy label for vp 4291 * @param newlabel Policy label update to later be applied to vp 4292 * @see mpo_relable_vnode_t 4293 * 4294 * Determine whether the subject identified by the credential can relabel 4295 * the passed vnode to the passed label update. If all policies permit 4296 * the label change, the actual relabel entry point (mpo_vnode_label_update) 4297 * will follow. 4298 * 4299 * @return Return 0 if access is granted, otherwise an appropriate value for 4300 * errno should be returned. 4301 */ 4302 typedef int mpo_vnode_check_label_update_t( 4303 struct ucred *cred, 4304 struct vnode *vp, 4305 struct label *vnodelabel, 4306 struct label *newlabel 4307 ); 4308 /** 4309 * @brief Access control check for creating link 4310 * @param cred Subject credential 4311 * @param dvp Directory vnode 4312 * @param dlabel Policy label associated with dvp 4313 * @param vp Link destination vnode 4314 * @param label Policy label associated with vp 4315 * @param cnp Component name for the link being created 4316 * 4317 * Determine whether the subject identified by the credential should be 4318 * allowed to create a link to the vnode vp with the name specified by cnp. 4319 * 4320 * @return Return 0 if access is granted, otherwise an appropriate value for 4321 * errno should be returned. 4322 */ 4323 typedef int mpo_vnode_check_link_t( 4324 kauth_cred_t cred, 4325 struct vnode *dvp, 4326 struct label *dlabel, 4327 struct vnode *vp, 4328 struct label *label, 4329 struct componentname *cnp 4330 ); 4331 /** 4332 * @brief Access control check for listing extended attributes 4333 * @param cred Subject credential 4334 * @param vp Object vnode 4335 * @param vlabel Policy label associated with vp 4336 * 4337 * Determine whether the subject identified by the credential can retrieve 4338 * a list of named extended attributes from a vnode. 4339 * 4340 * @return Return 0 if access is granted, otherwise an appropriate value for 4341 * errno should be returned. 4342 */ 4343 typedef int mpo_vnode_check_listextattr_t( 4344 kauth_cred_t cred, 4345 struct vnode *vp, 4346 struct label *vlabel 4347 ); 4348 /** 4349 * @brief Access control check for lookup 4350 * @param cred Subject credential 4351 * @param dvp Directory vnode 4352 * @param dlabel Policy label for dvp 4353 * @param path Path being looked up 4354 * @param pathlen Length of path in bytes 4355 * 4356 * Determine whether the subject identified by the credential can perform 4357 * a lookup of the passed path relative to the passed directory vnode. 4358 * 4359 * @return Return 0 if access is granted, otherwise an appropriate value for 4360 * errno should be returned. Suggested failure: EACCES for label mismatch or 4361 * EPERM for lack of privilege. 4362 * 4363 * @note The path may contain untrusted input. If approved, lookup proceeds 4364 * on the path; if a component is found to be a symlink then this hook is 4365 * called again with the updated path. 4366 */ 4367 typedef int mpo_vnode_check_lookup_preflight_t( 4368 kauth_cred_t cred, 4369 struct vnode *dvp, 4370 struct label *dlabel, 4371 const char *path, 4372 size_t pathlen 4373 ); 4374 /** 4375 * @brief Access control check for lookup 4376 * @param cred Subject credential 4377 * @param dvp Object vnode 4378 * @param dlabel Policy label for dvp 4379 * @param cnp Component name being looked up 4380 * 4381 * Determine whether the subject identified by the credential can perform 4382 * a lookup in the passed directory vnode for the passed name (cnp). 4383 * 4384 * @return Return 0 if access is granted, otherwise an appropriate value for 4385 * errno should be returned. Suggested failure: EACCES for label mismatch or 4386 * EPERM for lack of privilege. 4387 */ 4388 typedef int mpo_vnode_check_lookup_t( 4389 kauth_cred_t cred, 4390 struct vnode *dvp, 4391 struct label *dlabel, 4392 struct componentname *cnp 4393 ); 4394 /** 4395 * @brief Access control check for open 4396 * @param cred Subject credential 4397 * @param vp Object vnode 4398 * @param label Policy label associated with vp 4399 * @param acc_mode open(2) access mode 4400 * 4401 * Determine whether the subject identified by the credential can perform 4402 * an open operation on the passed vnode with the passed access mode. 4403 * 4404 * @return Return 0 if access is granted, otherwise an appropriate value for 4405 * errno should be returned. Suggested failure: EACCES for label mismatch or 4406 * EPERM for lack of privilege. 4407 */ 4408 typedef int mpo_vnode_check_open_t( 4409 kauth_cred_t cred, 4410 struct vnode *vp, 4411 struct label *label, 4412 int acc_mode 4413 ); 4414 /** 4415 * @brief Access control check for read 4416 * @param active_cred Subject credential 4417 * @param file_cred Credential associated with the struct fileproc 4418 * @param vp Object vnode 4419 * @param label Policy label for vp 4420 * 4421 * Determine whether the subject identified by the credential can perform 4422 * a read operation on the passed vnode. The active_cred hold the credentials 4423 * of the subject performing the operation, and file_cred holds the 4424 * credentials of the subject that originally opened the file. 4425 * 4426 * @return Return 0 if access is granted, otherwise an appropriate value for 4427 * errno should be returned. Suggested failure: EACCES for label mismatch or 4428 * EPERM for lack of privilege. 4429 */ 4430 typedef int mpo_vnode_check_read_t( 4431 kauth_cred_t active_cred, /* SUBJECT */ 4432 kauth_cred_t file_cred, /* NULLOK */ 4433 struct vnode *vp, /* OBJECT */ 4434 struct label *label /* LABEL */ 4435 ); 4436 /** 4437 * @brief Access control check for read directory 4438 * @param cred Subject credential 4439 * @param dvp Object directory vnode 4440 * @param dlabel Policy label for dvp 4441 * 4442 * Determine whether the subject identified by the credential can 4443 * perform a readdir operation on the passed directory vnode. 4444 * 4445 * @return Return 0 if access is granted, otherwise an appropriate value for 4446 * errno should be returned. Suggested failure: EACCES for label mismatch or 4447 * EPERM for lack of privilege. 4448 */ 4449 typedef int mpo_vnode_check_readdir_t( 4450 kauth_cred_t cred, /* SUBJECT */ 4451 struct vnode *dvp, /* OBJECT */ 4452 struct label *dlabel /* LABEL */ 4453 ); 4454 /** 4455 * @brief Access control check for read link 4456 * @param cred Subject credential 4457 * @param vp Object vnode 4458 * @param label Policy label for vp 4459 * 4460 * Determine whether the subject identified by the credential can perform 4461 * a readlink operation on the passed symlink vnode. This call can be made 4462 * in a number of situations, including an explicit readlink call by the 4463 * user process, or as a result of an implicit readlink during a name 4464 * lookup by the process. 4465 * 4466 * @return Return 0 if access is granted, otherwise an appropriate value for 4467 * errno should be returned. Suggested failure: EACCES for label mismatch or 4468 * EPERM for lack of privilege. 4469 */ 4470 typedef int mpo_vnode_check_readlink_t( 4471 kauth_cred_t cred, 4472 struct vnode *vp, 4473 struct label *label 4474 ); 4475 /** 4476 * @brief Access control check for rename 4477 * @param cred Subject credential 4478 * @param dvp Directory vnode 4479 * @param dlabel Policy label associated with dvp 4480 * @param vp vnode to be renamed 4481 * @param label Policy label associated with vp 4482 * @param cnp Component name for vp 4483 * @param tdvp Destination directory vnode 4484 * @param tdlabel Policy label associated with tdvp 4485 * @param tvp Overwritten vnode 4486 * @param tlabel Policy label associated with tvp 4487 * @param tcnp Destination component name 4488 * 4489 * Determine whether the subject identified by the credential should be allowed 4490 * to rename the vnode vp to something else. 4491 * 4492 * @return Return 0 if access is granted, otherwise an appropriate value for 4493 * errno should be returned. 4494 */ 4495 typedef int mpo_vnode_check_rename_t( 4496 kauth_cred_t cred, 4497 struct vnode *dvp, 4498 struct label *dlabel, 4499 struct vnode *vp, 4500 struct label *label, 4501 struct componentname *cnp, 4502 struct vnode *tdvp, 4503 struct label *tdlabel, 4504 struct vnode *tvp, 4505 struct label *tlabel, 4506 struct componentname *tcnp 4507 ); 4508 /** 4509 * @brief Access control check for rename from 4510 * @param cred Subject credential 4511 * @param dvp Directory vnode 4512 * @param dlabel Policy label associated with dvp 4513 * @param vp vnode to be renamed 4514 * @param label Policy label associated with vp 4515 * @param cnp Component name for vp 4516 * @see mpo_vnode_check_rename_t 4517 * @see mpo_vnode_check_rename_to_t 4518 * 4519 * Determine whether the subject identified by the credential should be 4520 * allowed to rename the vnode vp to something else. 4521 * 4522 * Due to VFS locking constraints (to make sure proper vnode locks are 4523 * held during this entry point), the vnode relabel checks had to be 4524 * split into two parts: relabel_from and relabel to. 4525 * 4526 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead. 4527 * 4528 * @return Return 0 if access is granted, otherwise an appropriate value for 4529 * errno should be returned. 4530 */ 4531 typedef int mpo_vnode_check_rename_from_t( 4532 kauth_cred_t cred, 4533 struct vnode *dvp, 4534 struct label *dlabel, 4535 struct vnode *vp, 4536 struct label *label, 4537 struct componentname *cnp 4538 ); 4539 /** 4540 * @brief Access control check for rename to 4541 * @param cred Subject credential 4542 * @param dvp Directory vnode 4543 * @param dlabel Policy label associated with dvp 4544 * @param vp Overwritten vnode 4545 * @param label Policy label associated with vp 4546 * @param samedir Boolean; 1 if the source and destination directories are the same 4547 * @param cnp Destination component name 4548 * @see mpo_vnode_check_rename_t 4549 * @see mpo_vnode_check_rename_from_t 4550 * 4551 * Determine whether the subject identified by the credential should be 4552 * allowed to rename to the vnode vp, into the directory dvp, or to the 4553 * name represented by cnp. If there is no existing file to overwrite, 4554 * vp and label will be NULL. 4555 * 4556 * Due to VFS locking constraints (to make sure proper vnode locks are 4557 * held during this entry point), the vnode relabel checks had to be 4558 * split into two parts: relabel_from and relabel to. 4559 * 4560 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead. 4561 * 4562 * @return Return 0 if access is granted, otherwise an appropriate value for 4563 * errno should be returned. 4564 */ 4565 typedef int mpo_vnode_check_rename_to_t( 4566 kauth_cred_t cred, 4567 struct vnode *dvp, 4568 struct label *dlabel, 4569 struct vnode *vp, /* NULLOK */ 4570 struct label *label, /* NULLOK */ 4571 int samedir, 4572 struct componentname *cnp 4573 ); 4574 /** 4575 * @brief Access control check for revoke 4576 * @param cred Subject credential 4577 * @param vp Object vnode 4578 * @param label Policy label for vp 4579 * 4580 * Determine whether the subject identified by the credential can revoke 4581 * access to the passed vnode. 4582 * 4583 * @return Return 0 if access is granted, otherwise an appropriate value for 4584 * errno should be returned. Suggested failure: EACCES for label mismatch or 4585 * EPERM for lack of privilege. 4586 */ 4587 typedef int mpo_vnode_check_revoke_t( 4588 kauth_cred_t cred, 4589 struct vnode *vp, 4590 struct label *label 4591 ); 4592 /** 4593 * @brief Access control check for searchfs 4594 * @param cred Subject credential 4595 * @param vp Object vnode 4596 * @param vlabel Policy label for vp 4597 * @param returnattrs List of attributes to be returned 4598 * @param searchattrs List of attributes used as search criteria 4599 * 4600 * Determine whether the subject identified by the credential can search the 4601 * vnode using the searchfs system call. 4602 * 4603 * @return Return 0 if access is granted, otherwise an appropriate value for 4604 * errno should be returned. 4605 */ 4606 typedef int mpo_vnode_check_searchfs_t( 4607 kauth_cred_t cred, 4608 struct vnode *vp, 4609 struct label *vlabel, 4610 struct attrlist *returnattrs, 4611 struct attrlist *searchattrs 4612 ); 4613 /** 4614 * @brief Access control check for select 4615 * @param cred Subject credential 4616 * @param vp Object vnode 4617 * @param label Policy label for vp 4618 * @param which The operation selected on: FREAD or FWRITE 4619 * 4620 * Determine whether the subject identified by the credential can select 4621 * the vnode. 4622 * 4623 * @return Return 0 if access is granted, otherwise an appropriate value for 4624 * errno should be returned. 4625 */ 4626 typedef int mpo_vnode_check_select_t( 4627 kauth_cred_t cred, 4628 struct vnode *vp, 4629 struct label *label, 4630 int which 4631 ); 4632 /** 4633 * @brief Access control check for setting ACL 4634 * @param cred Subject credential 4635 * @param vp Object node 4636 * @param label Policy label for vp 4637 * @param acl ACL structure pointer 4638 * 4639 * Determine whether the subject identified by the credential can set an ACL 4640 * on the specified vnode. The ACL pointer will be NULL when removing an ACL. 4641 * 4642 * @return Return 0 if access is granted, otherwise an appropriate value for 4643 * errno should be returned. Suggested failure: EACCES for label mismatch or 4644 * EPERM for lack of privilege. 4645 */ 4646 typedef int mpo_vnode_check_setacl_t( 4647 kauth_cred_t cred, 4648 struct vnode *vp, 4649 struct label *label, 4650 struct kauth_acl *acl 4651 ); 4652 /** 4653 * @brief Access control check for setting file attributes 4654 * @param cred Subject credential 4655 * @param vp Object vnode 4656 * @param vlabel Policy label for vp 4657 * @param alist List of attributes to set 4658 * 4659 * Determine whether the subject identified by the credential can set 4660 * various attributes of the specified vnode, or the filesystem or volume on 4661 * which that vnode resides. See <sys/attr.h> for definitions of the 4662 * attributes. 4663 * 4664 * @return Return 0 if access is granted, otherwise an appropriate value for 4665 * errno should be returned. Suggested failure: EACCES for label mismatch or 4666 * EPERM for lack of privilege. Access control covers all attributes requested 4667 * with this call. 4668 */ 4669 typedef int mpo_vnode_check_setattrlist_t( 4670 kauth_cred_t cred, 4671 struct vnode *vp, 4672 struct label *vlabel, 4673 struct attrlist *alist 4674 ); 4675 /** 4676 * @brief Access control check for setting extended attribute 4677 * @param cred Subject credential 4678 * @param vp Object vnode 4679 * @param label Policy label for vp 4680 * @param name Extended attribute name 4681 * @param uio I/O structure pointer 4682 * 4683 * Determine whether the subject identified by the credential can set the 4684 * extended attribute of passed name and passed namespace on the passed 4685 * vnode. Policies implementing security labels backed into extended 4686 * attributes may want to provide additional protections for those 4687 * attributes. Additionally, policies should avoid making decisions based 4688 * on the data referenced from uio, as there is a potential race condition 4689 * between this check and the actual operation. The uio may also be NULL 4690 * if a delete operation is being performed. 4691 * 4692 * @return Return 0 if access is granted, otherwise an appropriate value for 4693 * errno should be returned. Suggested failure: EACCES for label mismatch or 4694 * EPERM for lack of privilege. 4695 */ 4696 typedef int mpo_vnode_check_setextattr_t( 4697 kauth_cred_t cred, 4698 struct vnode *vp, 4699 struct label *label, 4700 const char *name, 4701 struct uio *uio 4702 ); 4703 /** 4704 * @brief Access control check for setting flags 4705 * @param cred Subject credential 4706 * @param vp Object vnode 4707 * @param label Policy label for vp 4708 * @param flags File flags; see chflags(2) 4709 * 4710 * Determine whether the subject identified by the credential can set 4711 * the passed flags on the passed vnode. 4712 * 4713 * @return Return 0 if access is granted, otherwise an appropriate value for 4714 * errno should be returned. Suggested failure: EACCES for label mismatch or 4715 * EPERM for lack of privilege. 4716 */ 4717 typedef int mpo_vnode_check_setflags_t( 4718 kauth_cred_t cred, 4719 struct vnode *vp, 4720 struct label *label, 4721 u_long flags 4722 ); 4723 /** 4724 * @brief Access control check for setting mode 4725 * @param cred Subject credential 4726 * @param vp Object vnode 4727 * @param label Policy label for vp 4728 * @param mode File mode; see chmod(2) 4729 * 4730 * Determine whether the subject identified by the credential can set 4731 * the passed mode on the passed vnode. 4732 * 4733 * @return Return 0 if access is granted, otherwise an appropriate value for 4734 * errno should be returned. Suggested failure: EACCES for label mismatch or 4735 * EPERM for lack of privilege. 4736 */ 4737 typedef int mpo_vnode_check_setmode_t( 4738 kauth_cred_t cred, 4739 struct vnode *vp, 4740 struct label *label, 4741 mode_t mode 4742 ); 4743 /** 4744 * @brief Access control check for setting uid and gid 4745 * @param cred Subject credential 4746 * @param vp Object vnode 4747 * @param label Policy label for vp 4748 * @param uid User ID 4749 * @param gid Group ID 4750 * 4751 * Determine whether the subject identified by the credential can set 4752 * the passed uid and passed gid as file uid and file gid on the passed 4753 * vnode. The IDs may be set to (-1) to request no update. 4754 * 4755 * @return Return 0 if access is granted, otherwise an appropriate value for 4756 * errno should be returned. Suggested failure: EACCES for label mismatch or 4757 * EPERM for lack of privilege. 4758 */ 4759 typedef int mpo_vnode_check_setowner_t( 4760 kauth_cred_t cred, 4761 struct vnode *vp, 4762 struct label *label, 4763 uid_t uid, 4764 gid_t gid 4765 ); 4766 /** 4767 * @brief Access control check for setting timestamps 4768 * @param cred Subject credential 4769 * @param vp Object vnode 4770 * @param label Policy label for vp 4771 * @param atime Access time; see utimes(2) 4772 * @param mtime Modification time; see utimes(2) 4773 * 4774 * Determine whether the subject identified by the credential can set 4775 * the passed access timestamps on the passed vnode. 4776 * 4777 * @return Return 0 if access is granted, otherwise an appropriate value for 4778 * errno should be returned. Suggested failure: EACCES for label mismatch or 4779 * EPERM for lack of privilege. 4780 */ 4781 typedef int mpo_vnode_check_setutimes_t( 4782 kauth_cred_t cred, 4783 struct vnode *vp, 4784 struct label *label, 4785 struct timespec atime, 4786 struct timespec mtime 4787 ); 4788 /** 4789 * @brief Access control check after determining the code directory hash 4790 * @param vp vnode vnode to combine into proc 4791 * @param label label associated with the vnode 4792 * @param cpu_type cpu type of the signature being checked 4793 * @param cs_blob the code signature to check 4794 * @param cs_flags update code signing flags if needed 4795 * @param signer_type output parameter for the code signature's signer type 4796 * @param flags operational flag to mpo_vnode_check_signature 4797 * @param platform platform of the signature being checked 4798 * @param fatal_failure_desc description of fatal failure 4799 * @param fatal_failure_desc_len failure description len, failure is fatal if non-0 4800 * 4801 * @return Return 0 if access is granted, otherwise an appropriate value for 4802 * errno should be returned. 4803 */ 4804 typedef int mpo_vnode_check_signature_t( 4805 struct vnode *vp, 4806 struct label *label, 4807 cpu_type_t cpu_type, 4808 struct cs_blob *cs_blob, 4809 unsigned int *cs_flags, 4810 unsigned int *signer_type, 4811 int flags, 4812 unsigned int platform, 4813 char **fatal_failure_desc, size_t *fatal_failure_desc_len 4814 ); 4815 4816 /** 4817 * @brief Access control check for supplemental signature attachement 4818 * @param vp the vnode to which the signature will be attached 4819 * @param label label associated with the vnode 4820 * @param cs_blob the code signature to check 4821 * @param linked_vp vnode to which this new vp is related 4822 * @param linked_cs_blob the code signature of the linked vnode 4823 * @param signer_type output parameter for the signer type of the code signature being checked. 4824 * 4825 * @return Return 0 if access is granted, otherwise an appropriate value for 4826 * errno should be returned. 4827 */ 4828 typedef int mpo_vnode_check_supplemental_signature_t( 4829 struct vnode *vp, 4830 struct label *label, 4831 struct cs_blob *cs_blob, 4832 struct vnode *linked_vp, 4833 struct cs_blob *linked_cs_blob, 4834 unsigned int *signer_type 4835 ); 4836 4837 /** 4838 * @brief Access control check for stat 4839 * @param active_cred Subject credential 4840 * @param file_cred Credential associated with the struct fileproc 4841 * @param vp Object vnode 4842 * @param label Policy label for vp 4843 * 4844 * Determine whether the subject identified by the credential can stat 4845 * the passed vnode. See stat(2) for more information. The active_cred 4846 * hold the credentials of the subject performing the operation, and 4847 * file_cred holds the credentials of the subject that originally 4848 * opened the file. 4849 * 4850 * @return Return 0 if access is granted, otherwise an appropriate value for 4851 * errno should be returned. Suggested failure: EACCES for label mismatch or 4852 * EPERM for lack of privilege. 4853 */ 4854 typedef int mpo_vnode_check_stat_t( 4855 struct ucred *active_cred, 4856 struct ucred *file_cred, /* NULLOK */ 4857 struct vnode *vp, 4858 struct label *label 4859 ); 4860 /** 4861 * @brief Access control check for vnode trigger resolution 4862 * @param cred Subject credential 4863 * @param dvp Object vnode 4864 * @param dlabel Policy label for dvp 4865 * @param cnp Component name that triggered resolution 4866 * 4867 * Determine whether the subject identified by the credential can trigger 4868 * resolution of the passed name (cnp) in the passed directory vnode 4869 * via an external trigger resolver. 4870 * 4871 * @return Return 0 if access is granted, otherwise an appropriate value for 4872 * errno should be returned. Suggested failure: EACCES for label mismatch or 4873 * EPERM for lack of privilege. 4874 */ 4875 typedef int mpo_vnode_check_trigger_resolve_t( 4876 kauth_cred_t cred, 4877 struct vnode *dvp, 4878 struct label *dlabel, 4879 struct componentname *cnp 4880 ); 4881 /** 4882 * @brief Access control check for truncate/ftruncate 4883 * @param active_cred Subject credential 4884 * @param file_cred Credential associated with the struct fileproc 4885 * @param vp Object vnode 4886 * @param label Policy label for vp 4887 * 4888 * Determine whether the subject identified by the credential can 4889 * perform a truncate operation on the passed vnode. The active_cred hold 4890 * the credentials of the subject performing the operation, and 4891 * file_cred holds the credentials of the subject that originally 4892 * opened the file. 4893 * 4894 * @return Return 0 if access is granted, otherwise an appropriate value for 4895 * errno should be returned. Suggested failure: EACCES for label mismatch or 4896 * EPERM for lack of privilege. 4897 */ 4898 typedef int mpo_vnode_check_truncate_t( 4899 kauth_cred_t active_cred, 4900 kauth_cred_t file_cred, /* NULLOK */ 4901 struct vnode *vp, 4902 struct label *label 4903 ); 4904 /** 4905 * @brief Access control check for binding UNIX domain socket 4906 * @param cred Subject credential 4907 * @param dvp Directory vnode 4908 * @param dlabel Policy label for dvp 4909 * @param cnp Component name for dvp 4910 * @param vap vnode attributes for vap 4911 * 4912 * Determine whether the subject identified by the credential can perform a 4913 * bind operation on a UNIX domain socket with the passed parent directory, 4914 * passed name information, and passed attribute information. 4915 * 4916 * @return Return 0 if access is granted, otherwise an appropriate value for 4917 * errno should be returned. Suggested failure: EACCES for label mismatch or 4918 * EPERM for lack of privilege. 4919 */ 4920 typedef int mpo_vnode_check_uipc_bind_t( 4921 kauth_cred_t cred, 4922 struct vnode *dvp, 4923 struct label *dlabel, 4924 struct componentname *cnp, 4925 struct vnode_attr *vap 4926 ); 4927 /** 4928 * @brief Access control check for connecting UNIX domain socket 4929 * @param cred Subject credential 4930 * @param vp Object vnode 4931 * @param label Policy label associated with vp 4932 * @param so Socket 4933 * 4934 * Determine whether the subject identified by the credential can perform a 4935 * connect operation on the passed UNIX domain socket vnode. 4936 * 4937 * @return Return 0 if access is granted, otherwise an appropriate value for 4938 * errno should be returned. Suggested failure: EACCES for label mismatch or 4939 * EPERM for lack of privilege. 4940 */ 4941 typedef int mpo_vnode_check_uipc_connect_t( 4942 kauth_cred_t cred, 4943 struct vnode *vp, 4944 struct label *label, 4945 socket_t so 4946 ); 4947 /** 4948 * @brief Access control check for deleting vnode 4949 * @param cred Subject credential 4950 * @param dvp Parent directory vnode 4951 * @param dlabel Policy label for dvp 4952 * @param vp Object vnode to delete 4953 * @param label Policy label for vp 4954 * @param cnp Component name for vp 4955 * @see mpo_check_rename_to_t 4956 * 4957 * Determine whether the subject identified by the credential can delete 4958 * a vnode from the passed parent directory and passed name information. 4959 * This call may be made in a number of situations, including as a 4960 * results of calls to unlink(2) and rmdir(2). Policies implementing 4961 * this entry point should also implement mpo_check_rename_to to 4962 * authorize deletion of objects as a result of being the target of a rename. 4963 * 4964 * @return Return 0 if access is granted, otherwise an appropriate value for 4965 * errno should be returned. Suggested failure: EACCES for label mismatch or 4966 * EPERM for lack of privilege. 4967 */ 4968 typedef int mpo_vnode_check_unlink_t( 4969 kauth_cred_t cred, 4970 struct vnode *dvp, 4971 struct label *dlabel, 4972 struct vnode *vp, 4973 struct label *label, 4974 struct componentname *cnp 4975 ); 4976 /** 4977 * @brief Access control check for write 4978 * @param active_cred Subject credential 4979 * @param file_cred Credential associated with the struct fileproc 4980 * @param vp Object vnode 4981 * @param label Policy label for vp 4982 * 4983 * Determine whether the subject identified by the credential can 4984 * perform a write operation on the passed vnode. The active_cred hold 4985 * the credentials of the subject performing the operation, and 4986 * file_cred holds the credentials of the subject that originally 4987 * opened the file. 4988 * 4989 * @return Return 0 if access is granted, otherwise an appropriate value for 4990 * errno should be returned. Suggested failure: EACCES for label mismatch or 4991 * EPERM for lack of privilege. 4992 */ 4993 typedef int mpo_vnode_check_write_t( 4994 kauth_cred_t active_cred, 4995 kauth_cred_t file_cred, /* NULLOK */ 4996 struct vnode *vp, 4997 struct label *label 4998 ); 4999 /** 5000 * @brief Access control check for copyfile 5001 * @param cred Subject credential 5002 * @param dvp Vnode of directory to create the copy in 5003 * @param dlabel Policy label associated with dvp 5004 * @param tvp Vnode of the file at the target path that will be unlinked to 5005 * make room for the copy being created, if file exists 5006 * @param tlabel Policy label associated with tvp 5007 * @param fvp Vnode of the file to copy from 5008 * @param flabel Policy label associated with fvp 5009 * @param cnp Component name for the copy being created 5010 * @param mode Corresponds to mode argument to the copyfile syscall 5011 * @param flags Corresponds to flags argument to the copyfile syscall 5012 * 5013 * Determine whether the subject identified by the credential should be 5014 * allowed to create a copy of the vnode fvp with the name specified by cnp. 5015 * 5016 * @return Return 0 if access is granted, otherwise an appropriate value for 5017 * errno should be returned. 5018 */ 5019 typedef int mpo_vnode_check_copyfile_t( 5020 kauth_cred_t cred, 5021 struct vnode *dvp, 5022 struct label *dlabel, 5023 struct vnode *tvp, /* NULLOK */ 5024 struct label *tlabel, /* NULLOK */ 5025 struct vnode *fvp, 5026 struct label *flabel, 5027 struct componentname *cnp, 5028 mode_t mode, 5029 int flags 5030 ); 5031 /** 5032 * @brief Associate a vnode with a devfs entry 5033 * @param mp Devfs mount point 5034 * @param mntlabel Devfs mount point label 5035 * @param de Devfs directory entry 5036 * @param delabel Label associated with de 5037 * @param vp vnode associated with de 5038 * @param vlabel Label associated with vp 5039 * 5040 * Fill in the label (vlabel) for a newly created devfs vnode. The 5041 * label is typically derived from the label on the devfs directory 5042 * entry or the label on the filesystem, supplied as parameters. 5043 */ 5044 typedef void mpo_vnode_label_associate_devfs_t( 5045 struct mount *mp, 5046 struct label *mntlabel, 5047 struct devnode *de, 5048 struct label *delabel, 5049 struct vnode *vp, 5050 struct label *vlabel 5051 ); 5052 /** 5053 * @brief Associate a label with a vnode 5054 * @param mp File system mount point 5055 * @param mntlabel File system mount point label 5056 * @param vp Vnode to label 5057 * @param vlabel Label associated with vp 5058 * 5059 * Attempt to retrieve label information for the vnode, vp, from the 5060 * file system extended attribute store. The label should be stored in 5061 * the supplied vlabel parameter. If a policy cannot retrieve an 5062 * extended attribute, sometimes it is acceptible to fallback to using 5063 * the mntlabel. 5064 * 5065 * If the policy requires vnodes to have a valid label elsewhere it 5066 * MUST NOT return other than temporary errors, and must always provide 5067 * a valid label of some sort. Returning an error will cause vnode 5068 * labeling to be retried at a later access. Failure to handle policy 5069 * centric errors internally (corrupt labels etc.) will result in 5070 * inaccessible files. 5071 * 5072 * @return In the event of an error, an appropriate value for errno 5073 * should be returned, otherwise return 0 upon success. 5074 */ 5075 typedef int mpo_vnode_label_associate_extattr_t( 5076 struct mount *mp, 5077 struct label *mntlabel, 5078 struct vnode *vp, 5079 struct label *vlabel 5080 ); 5081 /** 5082 * @brief Associate a file label with a vnode 5083 * @param cred User credential 5084 * @param mp Fdesc mount point 5085 * @param mntlabel Fdesc mount point label 5086 * @param fg Fileglob structure 5087 * @param label Policy label for fg 5088 * @param vp Vnode to label 5089 * @param vlabel Label associated with vp 5090 * 5091 * Associate label information for the vnode, vp, with the label of 5092 * the open file descriptor described by fg. 5093 * The label should be stored in the supplied vlabel parameter. 5094 */ 5095 typedef void mpo_vnode_label_associate_file_t( 5096 struct ucred *cred, 5097 struct mount *mp, 5098 struct label *mntlabel, 5099 struct fileglob *fg, 5100 struct label *label, 5101 struct vnode *vp, 5102 struct label *vlabel 5103 ); 5104 /** 5105 * @brief Associate a pipe label with a vnode 5106 * @param cred User credential for the process that opened the pipe 5107 * @param cpipe Pipe structure 5108 * @param pipelabel Label associated with pipe 5109 * @param vp Vnode to label 5110 * @param vlabel Label associated with vp 5111 * 5112 * Associate label information for the vnode, vp, with the label of 5113 * the pipe described by the pipe structure cpipe. 5114 * The label should be stored in the supplied vlabel parameter. 5115 */ 5116 typedef void mpo_vnode_label_associate_pipe_t( 5117 struct ucred *cred, 5118 struct pipe *cpipe, 5119 struct label *pipelabel, 5120 struct vnode *vp, 5121 struct label *vlabel 5122 ); 5123 /** 5124 * @brief Associate a POSIX semaphore label with a vnode 5125 * @param cred User credential for the process that create psem 5126 * @param psem POSIX semaphore structure 5127 * @param psemlabel Label associated with psem 5128 * @param vp Vnode to label 5129 * @param vlabel Label associated with vp 5130 * 5131 * Associate label information for the vnode, vp, with the label of 5132 * the POSIX semaphore described by psem. 5133 * The label should be stored in the supplied vlabel parameter. 5134 */ 5135 typedef void mpo_vnode_label_associate_posixsem_t( 5136 struct ucred *cred, 5137 struct pseminfo *psem, 5138 struct label *psemlabel, 5139 struct vnode *vp, 5140 struct label *vlabel 5141 ); 5142 /** 5143 * @brief Associate a POSIX shared memory label with a vnode 5144 * @param cred User credential for the process that created pshm 5145 * @param pshm POSIX shared memory structure 5146 * @param pshmlabel Label associated with pshm 5147 * @param vp Vnode to label 5148 * @param vlabel Label associated with vp 5149 * 5150 * Associate label information for the vnode, vp, with the label of 5151 * the POSIX shared memory region described by pshm. 5152 * The label should be stored in the supplied vlabel parameter. 5153 */ 5154 typedef void mpo_vnode_label_associate_posixshm_t( 5155 struct ucred *cred, 5156 struct pshminfo *pshm, 5157 struct label *pshmlabel, 5158 struct vnode *vp, 5159 struct label *vlabel 5160 ); 5161 /** 5162 * @brief Associate a label with a vnode 5163 * @param mp File system mount point 5164 * @param mntlabel File system mount point label 5165 * @param vp Vnode to label 5166 * @param vlabel Label associated with vp 5167 * 5168 * On non-multilabel file systems, set the label for a vnode. The 5169 * label will most likely be based on the file system label. 5170 */ 5171 typedef void mpo_vnode_label_associate_singlelabel_t( 5172 struct mount *mp, 5173 struct label *mntlabel, 5174 struct vnode *vp, 5175 struct label *vlabel 5176 ); 5177 /** 5178 * @brief Associate a socket label with a vnode 5179 * @param cred User credential for the process that opened the socket 5180 * @param so Socket structure 5181 * @param solabel Label associated with so 5182 * @param vp Vnode to label 5183 * @param vlabel Label associated with vp 5184 * 5185 * Associate label information for the vnode, vp, with the label of 5186 * the open socket described by the socket structure so. 5187 * The label should be stored in the supplied vlabel parameter. 5188 */ 5189 typedef void mpo_vnode_label_associate_socket_t( 5190 kauth_cred_t cred, 5191 socket_t so, 5192 struct label *solabel, 5193 struct vnode *vp, 5194 struct label *vlabel 5195 ); 5196 /** 5197 * @brief Copy a vnode label 5198 * @param src Source vnode label 5199 * @param dest Destination vnode label 5200 * 5201 * Copy the vnode label information from src to dest. On Darwin, this 5202 * is currently only necessary when executing interpreted scripts, but 5203 * will later be used if vnode label externalization cannot be an 5204 * atomic operation. 5205 */ 5206 typedef void mpo_vnode_label_copy_t( 5207 struct label *src, 5208 struct label *dest 5209 ); 5210 /** 5211 * @brief Destroy vnode label 5212 * @param label The label to be destroyed 5213 * 5214 * Destroy a vnode label. Since the object is going out of scope, 5215 * policy modules should free any internal storage associated with the 5216 * label so that it may be destroyed. 5217 */ 5218 typedef void mpo_vnode_label_destroy_t( 5219 struct label *label 5220 ); 5221 /** 5222 * @brief Externalize a vnode label for auditing 5223 * @param label Label to be externalized 5224 * @param element_name Name of the label namespace for which labels should be 5225 * externalized 5226 * @param sb String buffer to be filled with a text representation of the label 5227 * 5228 * Produce an external representation of the label on a vnode suitable for 5229 * inclusion in an audit record. An externalized label consists of a text 5230 * representation of the label contents that will be added to the audit record 5231 * as part of a text token. Policy-agnostic user space tools will display 5232 * this externalized version. 5233 * 5234 * @return 0 on success, return non-zero if an error occurs while 5235 * externalizing the label data. 5236 * 5237 */ 5238 typedef int mpo_vnode_label_externalize_audit_t( 5239 struct label *label, 5240 char *element_name, 5241 struct sbuf *sb 5242 ); 5243 /** 5244 * @brief Externalize a vnode label 5245 * @param label Label to be externalized 5246 * @param element_name Name of the label namespace for which labels should be 5247 * externalized 5248 * @param sb String buffer to be filled with a text representation of the label 5249 * 5250 * Produce an external representation of the label on a vnode. An 5251 * externalized label consists of a text representation of the label 5252 * contents that can be used with user applications. Policy-agnostic 5253 * user space tools will display this externalized version. 5254 * 5255 * @return 0 on success, return non-zero if an error occurs while 5256 * externalizing the label data. 5257 * 5258 */ 5259 typedef int mpo_vnode_label_externalize_t( 5260 struct label *label, 5261 char *element_name, 5262 struct sbuf *sb 5263 ); 5264 /** 5265 * @brief Initialize vnode label 5266 * @param label New label to initialize 5267 * 5268 * Initialize label storage for use with a newly instantiated vnode, or 5269 * for temporary storage associated with the copying in or out of a 5270 * vnode label. While it is necessary to allocate space for a 5271 * kernel-resident vnode label, it is not yet necessary to link this vnode 5272 * with persistent label storage facilities, such as extended attributes. 5273 * Sleeping is permitted. 5274 */ 5275 typedef void mpo_vnode_label_init_t( 5276 struct label *label 5277 ); 5278 /** 5279 * @brief Internalize a vnode label 5280 * @param label Label to be internalized 5281 * @param element_name Name of the label namespace for which the label should 5282 * be internalized 5283 * @param element_data Text data to be internalized 5284 * 5285 * Produce a vnode label from an external representation. An 5286 * externalized label consists of a text representation of the label 5287 * contents that can be used with user applications. Policy-agnostic 5288 * user space tools will forward text version to the kernel for 5289 * processing by individual policy modules. 5290 * 5291 * The policy's internalize entry points will be called only if the 5292 * policy has registered interest in the label namespace. 5293 * 5294 * @return 0 on success, Otherwise, return non-zero if an error occurs 5295 * while internalizing the label data. 5296 */ 5297 typedef int mpo_vnode_label_internalize_t( 5298 struct label *label, 5299 char *element_name, 5300 char *element_data 5301 ); 5302 /** 5303 * @brief Clean up a vnode label 5304 * @param label The label to be cleaned or purged 5305 * 5306 * Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but 5307 * typically never frees them. Before vnodes are placed back on free lists for 5308 * re-use, policies can cleanup or overwrite any information present in the label, 5309 * or free any internal resources used for the label. 5310 */ 5311 typedef void mpo_vnode_label_recycle_t( 5312 struct label *label 5313 ); 5314 /** 5315 * @brief Write a label to a extended attribute 5316 * @param cred Subject credential 5317 * @param vp The vnode for which the label is being stored 5318 * @param vlabel Label associated with vp 5319 * @param intlabel The new label to store 5320 * 5321 * Store a new label in the extended attribute corresponding to the 5322 * supplied vnode. The policy has already authorized the operation; 5323 * this call must be implemented in order to perform the actual 5324 * operation. 5325 * 5326 * @return In the event of an error, an appropriate value for errno 5327 * should be returned, otherwise return 0 upon success. 5328 * 5329 * @warning XXX After examining the extended attribute implementation on 5330 * Apple's future release, this entry point may be changed. 5331 */ 5332 typedef int mpo_vnode_label_store_t( 5333 kauth_cred_t cred, 5334 struct vnode *vp, 5335 struct label *vlabel, 5336 struct label *intlabel 5337 ); 5338 /** 5339 * @brief Update vnode label from extended attributes 5340 * @param mp File system mount point 5341 * @param mntlabel Mount point label 5342 * @param vp Vnode to label 5343 * @param vlabel Label associated with vp 5344 * @param name Name of the xattr 5345 * @see mpo_vnode_check_setextattr_t 5346 * 5347 * When an extended attribute is updated via the Vendor attribute management 5348 * functions, the MAC vnode label might also require an update. 5349 * Policies should first determine if 'name' matches their xattr label 5350 * name. If it does, the kernel is has either replaced or removed the 5351 * named extended attribute that was previously associated with the 5352 * vnode. Normally labels should only be modified via MAC Framework label 5353 * management calls, but sometimes the user space components will directly 5354 * modify extended attributes. For example, 'cp', 'tar', etc. manage 5355 * extended attributes in userspace, not the kernel. 5356 * 5357 * This entry point is called after the label update has occurred, so 5358 * it cannot return a failure. However, the operation is preceded by 5359 * the mpo_vnode_check_setextattr() access control check. 5360 * 5361 * If the vnode label needs to be updated the policy should return 5362 * a non-zero value. The vnode label will be marked for re-association 5363 * by the framework. 5364 */ 5365 typedef int mpo_vnode_label_update_extattr_t( 5366 struct mount *mp, 5367 struct label *mntlabel, 5368 struct vnode *vp, 5369 struct label *vlabel, 5370 const char *name 5371 ); 5372 /** 5373 * @brief Update a vnode label 5374 * @param cred Subject credential 5375 * @param vp The vnode to relabel 5376 * @param vnodelabel Existing vnode label 5377 * @param label New label to replace existing label 5378 * @see mpo_vnode_check_label_update_t 5379 * 5380 * The subject identified by the credential has previously requested 5381 * and was authorized to relabel the vnode; this entry point allows 5382 * policies to perform the actual relabel operation. Policies should 5383 * update vnodelabel using the label stored in the label parameter. 5384 */ 5385 typedef void mpo_vnode_label_update_t( 5386 kauth_cred_t cred, 5387 struct vnode *vp, 5388 struct label *vnodelabel, 5389 struct label *label 5390 ); 5391 /** 5392 * @brief Find deatched signatures for a shared library 5393 * @param p file trying to find the signature 5394 * @param vp The vnode to relabel 5395 * @param offset offset in the Mach-O that the signature is requested for (for fat binaries) 5396 * @param label Existing vnode label 5397 * 5398 */ 5399 typedef int mpo_vnode_find_sigs_t( 5400 struct proc *p, 5401 struct vnode *vp, 5402 off_t offset, 5403 struct label *label 5404 ); 5405 /** 5406 * @brief Create a new vnode, backed by extended attributes 5407 * @param cred User credential for the creating process 5408 * @param mp File system mount point 5409 * @param mntlabel File system mount point label 5410 * @param dvp Parent directory vnode 5411 * @param dlabel Parent directory vnode label 5412 * @param vp Newly created vnode 5413 * @param vlabel Label to associate with the new vnode 5414 * @param cnp Component name for vp 5415 * 5416 * Write out the label for the newly created vnode, most likely storing 5417 * the results in a file system extended attribute. Most policies will 5418 * derive the new vnode label using information from a combination 5419 * of the subject (user) credential, the file system label, the parent 5420 * directory label, and potentially the path name component. 5421 * 5422 * @return If the operation succeeds, store the new label in vlabel and 5423 * return 0. Otherwise, return an appropriate errno value. 5424 */ 5425 typedef int mpo_vnode_notify_create_t( 5426 kauth_cred_t cred, 5427 struct mount *mp, 5428 struct label *mntlabel, 5429 struct vnode *dvp, 5430 struct label *dlabel, 5431 struct vnode *vp, 5432 struct label *vlabel, 5433 struct componentname *cnp 5434 ); 5435 5436 /** 5437 * @brief Inform MAC policies that a vnode has been opened 5438 * @param cred User credential for the creating process 5439 * @param vp vnode opened 5440 * @param label Policy label for the vp 5441 * @param acc_mode open(2) access mode used 5442 * 5443 * Inform Mac policies that a vnode have been successfully opened 5444 * (passing all MAC polices and DAC). 5445 */ 5446 typedef void mpo_vnode_notify_open_t( 5447 kauth_cred_t cred, 5448 struct vnode *vp, 5449 struct label *label, 5450 int acc_mode 5451 ); 5452 5453 /** 5454 * @brief Inform MAC policies that a vnode has been renamed 5455 * @param cred User credential for the renaming process 5456 * @param vp Vnode that's being renamed 5457 * @param label Policy label for vp 5458 * @param dvp Parent directory for the destination 5459 * @param dlabel Policy label for dvp 5460 * @param cnp Component name for the destination 5461 * 5462 * Inform MAC policies that a vnode has been renamed. 5463 */ 5464 typedef void mpo_vnode_notify_rename_t( 5465 kauth_cred_t cred, 5466 struct vnode *vp, 5467 struct label *label, 5468 struct vnode *dvp, 5469 struct label *dlabel, 5470 struct componentname *cnp 5471 ); 5472 5473 /** 5474 * @brief Inform MAC policies that two vnodes were atomically swapped. 5475 * @param cred User credential for the renaming process 5476 * @param v1 vnode 1 to swap 5477 * @param vl1 Policy label for v1 5478 * @param v2 vnode 2 to swap 5479 * @param vl2 Policy label for v2 5480 * 5481 * Inform MAC policies that two vnodes were atomically swapped. 5482 * NOTE: If a policy implements this notify hook, then this hook will be 5483 * called instead of two calls to the vnode_notify_rename hook (one for each 5484 * member of the swap). 5485 */ 5486 typedef void mpo_vnode_notify_swap_t( 5487 kauth_cred_t cred, 5488 struct vnode *v1, 5489 struct label *vl1, 5490 struct vnode *v2, 5491 struct label *vl2 5492 ); 5493 5494 /** 5495 * @brief Inform MAC policies that a vnode has been linked 5496 * @param cred User credential for the renaming process 5497 * @param dvp Parent directory for the destination 5498 * @param dlabel Policy label for dvp 5499 * @param vp Vnode that's being linked 5500 * @param vlabel Policy label for vp 5501 * @param cnp Component name for the destination 5502 * 5503 * Inform MAC policies that a vnode has been linked. 5504 */ 5505 typedef void mpo_vnode_notify_link_t( 5506 kauth_cred_t cred, 5507 struct vnode *dvp, 5508 struct label *dlabel, 5509 struct vnode *vp, 5510 struct label *vlabel, 5511 struct componentname *cnp 5512 ); 5513 5514 /** 5515 * @brief Inform MAC policies that an extended attribute has been removed from a vnode 5516 * @param cred Subject credential 5517 * @param vp Object node 5518 * @param label Policy label for vp 5519 * @param name Extended attribute name 5520 * 5521 * Inform MAC policies that an extended attribute has been removed from a vnode. 5522 */ 5523 typedef void mpo_vnode_notify_deleteextattr_t( 5524 kauth_cred_t cred, 5525 struct vnode *vp, 5526 struct label *label, 5527 const char *name 5528 ); 5529 5530 5531 /** 5532 * @brief Inform MAC policies that an ACL has been set on a vnode 5533 * @param cred Subject credential 5534 * @param vp Object node 5535 * @param label Policy label for vp 5536 * @param acl ACL structure pointer 5537 * 5538 * Inform MAC policies that an ACL has been set on a vnode. 5539 */ 5540 typedef void mpo_vnode_notify_setacl_t( 5541 kauth_cred_t cred, 5542 struct vnode *vp, 5543 struct label *label, 5544 struct kauth_acl *acl 5545 ); 5546 5547 /** 5548 * @brief Inform MAC policies that an attributes have been set on a vnode 5549 * @param cred Subject credential 5550 * @param vp Object vnode 5551 * @param label Policy label for vp 5552 * @param alist List of attributes to set 5553 * 5554 * Inform MAC policies that an attributes have been set on a vnode. 5555 */ 5556 typedef void mpo_vnode_notify_setattrlist_t( 5557 kauth_cred_t cred, 5558 struct vnode *vp, 5559 struct label *label, 5560 struct attrlist *alist 5561 ); 5562 5563 /** 5564 * @brief Inform MAC policies that an extended attribute has been set on a vnode 5565 * @param cred Subject credential 5566 * @param vp Object vnode 5567 * @param label Policy label for vp 5568 * @param name Extended attribute name 5569 * @param uio I/O structure pointer 5570 * 5571 * Inform MAC policies that an extended attribute has been set on a vnode. 5572 */ 5573 typedef void mpo_vnode_notify_setextattr_t( 5574 kauth_cred_t cred, 5575 struct vnode *vp, 5576 struct label *label, 5577 const char *name, 5578 struct uio *uio 5579 ); 5580 5581 /** 5582 * @brief Inform MAC policies that flags have been set on a vnode 5583 * @param cred Subject credential 5584 * @param vp Object vnode 5585 * @param label Policy label for vp 5586 * @param flags File flags; see chflags(2) 5587 * 5588 * Inform MAC policies that flags have been set on a vnode. 5589 */ 5590 typedef void mpo_vnode_notify_setflags_t( 5591 kauth_cred_t cred, 5592 struct vnode *vp, 5593 struct label *label, 5594 u_long flags 5595 ); 5596 5597 /** 5598 * @brief Inform MAC policies that a new mode has been set on a vnode 5599 * @param cred Subject credential 5600 * @param vp Object vnode 5601 * @param label Policy label for vp 5602 * @param mode File mode; see chmod(2) 5603 * 5604 * Inform MAC policies that a new mode has been set on a vnode. 5605 */ 5606 typedef void mpo_vnode_notify_setmode_t( 5607 kauth_cred_t cred, 5608 struct vnode *vp, 5609 struct label *label, 5610 mode_t mode 5611 ); 5612 5613 /** 5614 * @brief Inform MAC policies that new uid/gid have been set on a vnode 5615 * @param cred Subject credential 5616 * @param vp Object vnode 5617 * @param label Policy label for vp 5618 * @param uid User ID 5619 * @param gid Group ID 5620 * 5621 * Inform MAC policies that new uid/gid have been set on a vnode. 5622 */ 5623 typedef void mpo_vnode_notify_setowner_t( 5624 kauth_cred_t cred, 5625 struct vnode *vp, 5626 struct label *label, 5627 uid_t uid, 5628 gid_t gid 5629 ); 5630 5631 /** 5632 * @brief Inform MAC policies that new timestamps have been set on a vnode 5633 * @param cred Subject credential 5634 * @param vp Object vnode 5635 * @param label Policy label for vp 5636 * @param atime Access time; see utimes(2) 5637 * @param mtime Modification time; see utimes(2) 5638 * 5639 * Inform MAC policies that new timestamps have been set on a vnode. 5640 */ 5641 typedef void mpo_vnode_notify_setutimes_t( 5642 kauth_cred_t cred, 5643 struct vnode *vp, 5644 struct label *label, 5645 struct timespec atime, 5646 struct timespec mtime 5647 ); 5648 5649 /** 5650 * @brief Inform MAC policies that a vnode has been truncated 5651 * @param cred Subject credential 5652 * @param file_cred Credential associated with the struct fileproc 5653 * @param vp Object vnode 5654 * @param label Policy label for vp 5655 * 5656 * Inform MAC policies that a vnode has been truncated. 5657 */ 5658 typedef void mpo_vnode_notify_truncate_t( 5659 kauth_cred_t cred, 5660 kauth_cred_t file_cred, 5661 struct vnode *vp, 5662 struct label *label 5663 ); 5664 5665 5666 /** 5667 * @brief Inform MAC policies that a pty slave has been granted 5668 * @param p Responsible process 5669 * @param tp tty data structure 5670 * @param dev Major and minor numbers of device 5671 * @param label Policy label for tp 5672 * 5673 * Inform MAC policies that a pty slave has been granted. 5674 */ 5675 typedef void mpo_pty_notify_grant_t( 5676 proc_t p, 5677 struct tty *tp, 5678 dev_t dev, 5679 struct label *label 5680 ); 5681 5682 /** 5683 * @brief Inform MAC policies that a pty master has been closed 5684 * @param p Responsible process 5685 * @param tp tty data structure 5686 * @param dev Major and minor numbers of device 5687 * @param label Policy label for tp 5688 * 5689 * Inform MAC policies that a pty master has been closed. 5690 */ 5691 typedef void mpo_pty_notify_close_t( 5692 proc_t p, 5693 struct tty *tp, 5694 dev_t dev, 5695 struct label *label 5696 ); 5697 5698 /** 5699 * @brief Access control check for kext loading 5700 * @param cred Subject credential 5701 * @param identifier Kext identifier 5702 * 5703 * Determine whether the subject identified by the credential can load the 5704 * specified kext. 5705 * 5706 * @return Return 0 if access is granted, otherwise an appropriate value for 5707 * errno should be returned. Suggested failure: EPERM for lack of privilege. 5708 */ 5709 typedef int mpo_kext_check_load_t( 5710 kauth_cred_t cred, 5711 const char *identifier 5712 ); 5713 5714 /** 5715 * @brief Access control check for kext unloading 5716 * @param cred Subject credential 5717 * @param identifier Kext identifier 5718 * 5719 * Determine whether the subject identified by the credential can unload the 5720 * specified kext. 5721 * 5722 * @return Return 0 if access is granted, otherwise an appropriate value for 5723 * errno should be returned. Suggested failure: EPERM for lack of privilege. 5724 */ 5725 typedef int mpo_kext_check_unload_t( 5726 kauth_cred_t cred, 5727 const char *identifier 5728 ); 5729 5730 /** 5731 * @brief Access control check for querying information about loaded kexts 5732 * @param cred Subject credential 5733 * 5734 * Determine whether the subject identified by the credential can query 5735 * information about loaded kexts. 5736 * 5737 * @return Return 0 if access is granted, otherwise an appropriate value for 5738 * errno should be returned. Suggested failure: EPERM for lack of privilege. 5739 */ 5740 typedef int mpo_kext_check_query_t( 5741 kauth_cred_t cred 5742 ); 5743 5744 /** 5745 * @brief Inform MAC policies that a vnode is being reclaimed 5746 * @param vp Object vnode 5747 * 5748 * Any external accounting tracking this vnode must consider it to be no longer valid. 5749 */ 5750 typedef void mpo_vnode_notify_reclaim_t( 5751 struct vnode *vp 5752 ); 5753 5754 /** 5755 * @brief Inform MAC policies that a vnode has been deleted 5756 * @param cred Subject credential 5757 * @param dvp Parent directory vnode 5758 * @param dlabel Policy label for dvp 5759 * @param vp Object vnode to delete 5760 * @param label Policy label for vp 5761 * @param cnp Component name for vp 5762 * 5763 * Inform Mac policies that a vnode have been successfully deleted 5764 * (passing all MAC polices and DAC). 5765 */ 5766 typedef void mpo_vnode_notify_unlink_t( 5767 kauth_cred_t cred, 5768 struct vnode *dvp, 5769 struct label *dlabel, 5770 struct vnode *vp, 5771 struct label *label, 5772 struct componentname *cnp 5773 ); 5774 5775 /* 5776 * Placeholder for future events that may need mac hooks. 5777 */ 5778 typedef void mpo_reserved_hook_t(void); 5779 5780 /* 5781 * Policy module operations. 5782 * 5783 * Please note that this should be kept in sync with the check assumptions 5784 * policy in bsd/kern/policy_check.c (policy_ops struct). 5785 */ 5786 #define MAC_POLICY_OPS_VERSION 82 /* inc when new reserved slots are taken */ 5787 struct mac_policy_ops { 5788 mpo_audit_check_postselect_t *mpo_audit_check_postselect; 5789 mpo_audit_check_preselect_t *mpo_audit_check_preselect; 5790 5791 mpo_reserved_hook_t *mpo_reserved01; 5792 mpo_reserved_hook_t *mpo_reserved02; 5793 mpo_reserved_hook_t *mpo_reserved03; 5794 mpo_reserved_hook_t *mpo_reserved04; 5795 5796 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; 5797 mpo_cred_check_label_update_t *mpo_cred_check_label_update; 5798 mpo_cred_check_visible_t *mpo_cred_check_visible; 5799 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork; 5800 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel; 5801 mpo_cred_label_associate_t *mpo_cred_label_associate; 5802 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user; 5803 mpo_cred_label_destroy_t *mpo_cred_label_destroy; 5804 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit; 5805 mpo_cred_label_externalize_t *mpo_cred_label_externalize; 5806 mpo_cred_label_init_t *mpo_cred_label_init; 5807 mpo_cred_label_internalize_t *mpo_cred_label_internalize; 5808 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve; 5809 mpo_cred_label_update_t *mpo_cred_label_update; 5810 5811 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device; 5812 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory; 5813 mpo_devfs_label_copy_t *mpo_devfs_label_copy; 5814 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; 5815 mpo_devfs_label_init_t *mpo_devfs_label_init; 5816 mpo_devfs_label_update_t *mpo_devfs_label_update; 5817 5818 mpo_file_check_change_offset_t *mpo_file_check_change_offset; 5819 mpo_file_check_create_t *mpo_file_check_create; 5820 mpo_file_check_dup_t *mpo_file_check_dup; 5821 mpo_file_check_fcntl_t *mpo_file_check_fcntl; 5822 mpo_file_check_get_offset_t *mpo_file_check_get_offset; 5823 mpo_file_check_get_t *mpo_file_check_get; 5824 mpo_file_check_inherit_t *mpo_file_check_inherit; 5825 mpo_file_check_ioctl_t *mpo_file_check_ioctl; 5826 mpo_file_check_lock_t *mpo_file_check_lock; 5827 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade; 5828 mpo_file_check_mmap_t *mpo_file_check_mmap; 5829 mpo_file_check_receive_t *mpo_file_check_receive; 5830 mpo_file_check_set_t *mpo_file_check_set; 5831 mpo_file_label_init_t *mpo_file_label_init; /* deprecated not called anymore */ 5832 mpo_file_label_destroy_t *mpo_file_label_destroy; /* deprecated not called anymore */ 5833 mpo_file_label_associate_t *mpo_file_label_associate; /* deprecated not called anymore */ 5834 mpo_file_notify_close_t *mpo_file_notify_close; 5835 mpo_proc_check_launch_constraints_t *mpo_proc_check_launch_constraints; 5836 5837 mpo_reserved_hook_t *mpo_reserved07; 5838 mpo_reserved_hook_t *mpo_reserved08; 5839 mpo_reserved_hook_t *mpo_reserved09; 5840 mpo_reserved_hook_t *mpo_reserved10; 5841 mpo_reserved_hook_t *mpo_reserved11; 5842 mpo_reserved_hook_t *mpo_reserved12; 5843 mpo_reserved_hook_t *mpo_reserved13; 5844 mpo_reserved_hook_t *mpo_reserved14; 5845 mpo_reserved_hook_t *mpo_reserved15; 5846 mpo_reserved_hook_t *mpo_reserved16; 5847 mpo_reserved_hook_t *mpo_reserved17; 5848 mpo_reserved_hook_t *mpo_reserved18; 5849 mpo_reserved_hook_t *mpo_reserved19; 5850 mpo_reserved_hook_t *mpo_reserved20; 5851 mpo_reserved_hook_t *mpo_reserved21; 5852 mpo_reserved_hook_t *mpo_reserved22; 5853 mpo_reserved_hook_t *mpo_reserved23; 5854 mpo_reserved_hook_t *mpo_reserved24; 5855 5856 mpo_necp_check_open_t *mpo_necp_check_open; 5857 mpo_necp_check_client_action_t *mpo_necp_check_client_action; 5858 5859 mpo_file_check_library_validation_t *mpo_file_check_library_validation; 5860 5861 mpo_vnode_notify_setacl_t *mpo_vnode_notify_setacl; 5862 mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist; 5863 mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr; 5864 mpo_vnode_notify_setflags_t *mpo_vnode_notify_setflags; 5865 mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode; 5866 mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner; 5867 mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes; 5868 mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate; 5869 mpo_vnode_check_getattrlistbulk_t *mpo_vnode_check_getattrlistbulk; 5870 5871 mpo_proc_check_get_task_special_port_t *mpo_proc_check_get_task_special_port; 5872 mpo_proc_check_set_task_special_port_t *mpo_proc_check_set_task_special_port; 5873 5874 mpo_vnode_notify_swap_t *mpo_vnode_notify_swap; 5875 mpo_vnode_notify_unlink_t *mpo_vnode_notify_unlink; 5876 mpo_reserved_hook_t *mpo_reserved32; 5877 mpo_reserved_hook_t *mpo_reserved33; 5878 mpo_reserved_hook_t *mpo_reserved34; 5879 mpo_reserved_hook_t *mpo_reserved35; 5880 mpo_vnode_check_copyfile_t *mpo_vnode_check_copyfile; 5881 5882 mpo_mount_check_quotactl_t *mpo_mount_check_quotactl; 5883 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl; 5884 mpo_mount_check_getattr_t *mpo_mount_check_getattr; 5885 mpo_mount_check_label_update_t *mpo_mount_check_label_update; 5886 mpo_mount_check_mount_t *mpo_mount_check_mount; 5887 mpo_mount_check_remount_t *mpo_mount_check_remount; 5888 mpo_mount_check_setattr_t *mpo_mount_check_setattr; 5889 mpo_mount_check_stat_t *mpo_mount_check_stat; 5890 mpo_mount_check_umount_t *mpo_mount_check_umount; 5891 mpo_mount_label_associate_t *mpo_mount_label_associate; 5892 mpo_mount_label_destroy_t *mpo_mount_label_destroy; 5893 mpo_mount_label_externalize_t *mpo_mount_label_externalize; 5894 mpo_mount_label_init_t *mpo_mount_label_init; 5895 mpo_mount_label_internalize_t *mpo_mount_label_internalize; 5896 5897 mpo_proc_check_expose_task_with_flavor_t *mpo_proc_check_expose_task_with_flavor; 5898 mpo_proc_check_get_task_with_flavor_t *mpo_proc_check_get_task_with_flavor; 5899 mpo_proc_check_task_id_token_get_task_t *mpo_proc_check_task_id_token_get_task; 5900 5901 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; 5902 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; 5903 mpo_reserved_hook_t *mpo_reserved41; 5904 mpo_pipe_check_read_t *mpo_pipe_check_read; 5905 mpo_pipe_check_select_t *mpo_pipe_check_select; 5906 mpo_pipe_check_stat_t *mpo_pipe_check_stat; 5907 mpo_pipe_check_write_t *mpo_pipe_check_write; 5908 mpo_pipe_label_associate_t *mpo_pipe_label_associate; 5909 mpo_reserved_hook_t *mpo_reserved42; 5910 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy; 5911 mpo_reserved_hook_t *mpo_reserved43; 5912 mpo_pipe_label_init_t *mpo_pipe_label_init; 5913 mpo_reserved_hook_t *mpo_reserved44; 5914 mpo_proc_check_syscall_mac_t *mpo_proc_check_syscall_mac; 5915 5916 mpo_policy_destroy_t *mpo_policy_destroy; 5917 mpo_policy_init_t *mpo_policy_init; 5918 mpo_policy_initbsd_t *mpo_policy_initbsd; 5919 mpo_policy_syscall_t *mpo_policy_syscall; 5920 5921 mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname; 5922 mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports; 5923 mpo_vnode_check_rename_t *mpo_vnode_check_rename; 5924 mpo_kext_check_query_t *mpo_kext_check_query; 5925 mpo_proc_notify_exec_complete_t *mpo_proc_notify_exec_complete; 5926 mpo_proc_notify_cs_invalidated_t *mpo_proc_notify_cs_invalidated; 5927 mpo_proc_check_syscall_unix_t *mpo_proc_check_syscall_unix; 5928 mpo_reserved_hook_t *mpo_reserved45; 5929 mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port; 5930 mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port; 5931 mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send; 5932 mpo_exc_action_label_associate_t *mpo_exc_action_label_associate; 5933 mpo_exc_action_label_populate_t *mpo_exc_action_label_populate; 5934 mpo_exc_action_label_destroy_t *mpo_exc_action_label_destroy; 5935 mpo_exc_action_label_init_t *mpo_exc_action_label_init; 5936 mpo_exc_action_label_update_t *mpo_exc_action_label_update; 5937 5938 mpo_vnode_check_trigger_resolve_t *mpo_vnode_check_trigger_resolve; 5939 mpo_mount_check_mount_late_t *mpo_mount_check_mount_late; 5940 mpo_mount_check_snapshot_mount_t *mpo_mount_check_snapshot_mount; 5941 mpo_vnode_notify_reclaim_t *mpo_vnode_notify_reclaim; 5942 mpo_skywalk_flow_check_connect_t *mpo_skywalk_flow_check_connect; 5943 mpo_skywalk_flow_check_listen_t *mpo_skywalk_flow_check_listen; 5944 5945 mpo_posixsem_check_create_t *mpo_posixsem_check_create; 5946 mpo_posixsem_check_open_t *mpo_posixsem_check_open; 5947 mpo_posixsem_check_post_t *mpo_posixsem_check_post; 5948 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink; 5949 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait; 5950 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate; 5951 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy; 5952 mpo_posixsem_label_init_t *mpo_posixsem_label_init; 5953 mpo_posixshm_check_create_t *mpo_posixshm_check_create; 5954 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap; 5955 mpo_posixshm_check_open_t *mpo_posixshm_check_open; 5956 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat; 5957 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate; 5958 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink; 5959 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate; 5960 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy; 5961 mpo_posixshm_label_init_t *mpo_posixshm_label_init; 5962 5963 mpo_proc_check_debug_t *mpo_proc_check_debug; 5964 mpo_proc_check_fork_t *mpo_proc_check_fork; 5965 mpo_reserved_hook_t *mpo_reserved61; 5966 mpo_reserved_hook_t *mpo_reserved62; 5967 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; 5968 mpo_proc_check_getauid_t *mpo_proc_check_getauid; 5969 mpo_proc_check_getlcid_t *mpo_proc_check_getlcid; 5970 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; 5971 mpo_proc_check_sched_t *mpo_proc_check_sched; 5972 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; 5973 mpo_proc_check_setauid_t *mpo_proc_check_setauid; 5974 mpo_proc_check_setlcid_t *mpo_proc_check_setlcid; 5975 mpo_proc_check_signal_t *mpo_proc_check_signal; 5976 mpo_proc_check_wait_t *mpo_proc_check_wait; 5977 mpo_proc_check_dump_core_t *mpo_proc_check_dump_core; 5978 mpo_proc_check_remote_thread_create_t *mpo_proc_check_remote_thread_create; 5979 5980 mpo_socket_check_accept_t *mpo_socket_check_accept; 5981 mpo_socket_check_accepted_t *mpo_socket_check_accepted; 5982 mpo_socket_check_bind_t *mpo_socket_check_bind; 5983 mpo_socket_check_connect_t *mpo_socket_check_connect; 5984 mpo_socket_check_create_t *mpo_socket_check_create; 5985 mpo_reserved_hook_t *mpo_reserved46; 5986 mpo_reserved_hook_t *mpo_reserved47; 5987 mpo_reserved_hook_t *mpo_reserved48; 5988 mpo_socket_check_listen_t *mpo_socket_check_listen; 5989 mpo_socket_check_receive_t *mpo_socket_check_receive; 5990 mpo_socket_check_received_t *mpo_socket_check_received; 5991 mpo_reserved_hook_t *mpo_reserved49; 5992 mpo_socket_check_send_t *mpo_socket_check_send; 5993 mpo_socket_check_stat_t *mpo_socket_check_stat; 5994 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt; 5995 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt; 5996 5997 mpo_proc_check_get_movable_control_port_t *mpo_proc_check_get_movable_control_port; 5998 mpo_proc_check_dyld_process_info_notify_register_t *mpo_proc_check_dyld_process_info_notify_register; 5999 mpo_proc_check_setuid_t *mpo_proc_check_setuid; 6000 mpo_proc_check_seteuid_t *mpo_proc_check_seteuid; 6001 mpo_proc_check_setreuid_t *mpo_proc_check_setreuid; 6002 mpo_proc_check_setgid_t *mpo_proc_check_setgid; 6003 mpo_proc_check_setegid_t *mpo_proc_check_setegid; 6004 mpo_proc_check_setregid_t *mpo_proc_check_setregid; 6005 mpo_proc_check_settid_t *mpo_proc_check_settid; 6006 mpo_proc_check_memorystatus_control_t *mpo_proc_check_memorystatus_control; 6007 mpo_reserved_hook_t *mpo_reserved60; 6008 6009 mpo_thread_telemetry_t *mpo_thread_telemetry; 6010 6011 mpo_iokit_check_open_service_t *mpo_iokit_check_open_service; 6012 6013 mpo_system_check_acct_t *mpo_system_check_acct; 6014 mpo_system_check_audit_t *mpo_system_check_audit; 6015 mpo_system_check_auditctl_t *mpo_system_check_auditctl; 6016 mpo_system_check_auditon_t *mpo_system_check_auditon; 6017 mpo_system_check_host_priv_t *mpo_system_check_host_priv; 6018 mpo_system_check_nfsd_t *mpo_system_check_nfsd; 6019 mpo_system_check_reboot_t *mpo_system_check_reboot; 6020 mpo_system_check_settime_t *mpo_system_check_settime; 6021 mpo_system_check_swapoff_t *mpo_system_check_swapoff; 6022 mpo_system_check_swapon_t *mpo_system_check_swapon; 6023 mpo_socket_check_ioctl_t *mpo_socket_check_ioctl; 6024 6025 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate; 6026 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy; 6027 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init; 6028 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle; 6029 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue; 6030 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv; 6031 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid; 6032 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl; 6033 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget; 6034 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv; 6035 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd; 6036 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate; 6037 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy; 6038 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init; 6039 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle; 6040 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl; 6041 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget; 6042 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop; 6043 mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate; 6044 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy; 6045 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init; 6046 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle; 6047 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat; 6048 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl; 6049 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt; 6050 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget; 6051 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate; 6052 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy; 6053 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init; 6054 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle; 6055 6056 mpo_proc_notify_exit_t *mpo_proc_notify_exit; 6057 mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert; 6058 mpo_vnode_check_getattr_t *mpo_vnode_check_getattr; 6059 mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create; 6060 mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete; 6061 mpo_vnode_check_clone_t *mpo_vnode_check_clone; 6062 mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info; 6063 mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info; 6064 6065 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control; 6066 6067 mpo_vnode_check_access_t *mpo_vnode_check_access; 6068 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; 6069 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; 6070 mpo_vnode_check_create_t *mpo_vnode_check_create; 6071 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr; 6072 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata; 6073 mpo_vnode_check_exec_t *mpo_vnode_check_exec; 6074 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist; 6075 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr; 6076 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl; 6077 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter; 6078 mpo_vnode_check_label_update_t *mpo_vnode_check_label_update; 6079 mpo_vnode_check_link_t *mpo_vnode_check_link; 6080 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; 6081 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; 6082 mpo_vnode_check_open_t *mpo_vnode_check_open; 6083 mpo_vnode_check_read_t *mpo_vnode_check_read; 6084 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; 6085 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink; 6086 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from; 6087 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to; 6088 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke; 6089 mpo_vnode_check_select_t *mpo_vnode_check_select; 6090 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist; 6091 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr; 6092 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags; 6093 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode; 6094 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; 6095 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; 6096 mpo_vnode_check_stat_t *mpo_vnode_check_stat; 6097 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; 6098 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink; 6099 mpo_vnode_check_write_t *mpo_vnode_check_write; 6100 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs; 6101 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr; 6102 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file; 6103 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe; 6104 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem; 6105 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm; 6106 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel; 6107 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket; 6108 mpo_vnode_label_copy_t *mpo_vnode_label_copy; 6109 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy; 6110 mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit; 6111 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize; 6112 mpo_vnode_label_init_t *mpo_vnode_label_init; 6113 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize; 6114 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle; 6115 mpo_vnode_label_store_t *mpo_vnode_label_store; 6116 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr; 6117 mpo_vnode_label_update_t *mpo_vnode_label_update; 6118 mpo_vnode_notify_create_t *mpo_vnode_notify_create; 6119 mpo_vnode_check_signature_t *mpo_vnode_check_signature; 6120 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind; 6121 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect; 6122 6123 mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid; 6124 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume; 6125 6126 mpo_thread_userret_t *mpo_thread_userret; 6127 6128 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties; 6129 6130 mpo_vnode_check_supplemental_signature_t *mpo_vnode_check_supplemental_signature; 6131 6132 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs; 6133 6134 mpo_priv_check_t *mpo_priv_check; 6135 mpo_priv_grant_t *mpo_priv_grant; 6136 6137 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon; 6138 6139 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath; 6140 6141 mpo_iokit_check_open_t *mpo_iokit_check_open; 6142 6143 mpo_proc_check_ledger_t *mpo_proc_check_ledger; 6144 6145 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename; 6146 6147 mpo_vnode_check_setacl_t *mpo_vnode_check_setacl; 6148 6149 mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr; 6150 6151 mpo_system_check_kas_info_t *mpo_system_check_kas_info; 6152 6153 mpo_vnode_check_lookup_preflight_t *mpo_vnode_check_lookup_preflight; 6154 6155 mpo_vnode_notify_open_t *mpo_vnode_notify_open; 6156 6157 mpo_system_check_info_t *mpo_system_check_info; 6158 6159 mpo_pty_notify_grant_t *mpo_pty_notify_grant; 6160 mpo_pty_notify_close_t *mpo_pty_notify_close; 6161 6162 mpo_vnode_find_sigs_t *mpo_vnode_find_sigs; 6163 6164 mpo_kext_check_load_t *mpo_kext_check_load; 6165 mpo_kext_check_unload_t *mpo_kext_check_unload; 6166 6167 mpo_proc_check_proc_info_t *mpo_proc_check_proc_info; 6168 mpo_vnode_notify_link_t *mpo_vnode_notify_link; 6169 mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties; 6170 mpo_iokit_check_get_property_t *mpo_iokit_check_get_property; 6171 }; 6172 6173 /** 6174 * @brief MAC policy handle type 6175 * 6176 * The MAC handle is used to uniquely identify a loaded policy within 6177 * the MAC Framework. 6178 * 6179 * A variable of this type is set by mac_policy_register(). 6180 */ 6181 typedef unsigned int mac_policy_handle_t; 6182 6183 #define mpc_t struct mac_policy_conf * 6184 6185 /** 6186 * @brief Mac policy configuration 6187 * 6188 * This structure specifies the configuration information for a 6189 * MAC policy module. A policy module developer must supply 6190 * a short unique policy name, a more descriptive full name, a list of label 6191 * namespaces and count, a pointer to the registered enty point operations, 6192 * any load time flags, and optionally, a pointer to a label slot identifier. 6193 * 6194 * The Framework will update the runtime flags (mpc_runtime_flags) to 6195 * indicate that the module has been registered. 6196 * 6197 * If the label slot identifier (mpc_field_off) is NULL, the Framework 6198 * will not provide label storage for the policy. Otherwise, the 6199 * Framework will store the label location (slot) in this field. 6200 * 6201 * The mpc_list field is used by the Framework and should not be 6202 * modified by policies. 6203 */ 6204 /* XXX - reorder these for better alignment on 64bit platforms */ 6205 struct mac_policy_conf { 6206 const char *mpc_name; /** policy name */ 6207 const char *mpc_fullname; /** full name */ 6208 char const * const *mpc_labelnames; /** managed label namespaces */ 6209 unsigned int mpc_labelname_count; /** number of managed label namespaces */ 6210 const struct mac_policy_ops *mpc_ops; /** operation vector */ 6211 int mpc_loadtime_flags; /** load time flags */ 6212 int *mpc_field_off; /** label slot */ 6213 int mpc_runtime_flags; /** run time flags */ 6214 mpc_t mpc_list; /** List reference */ 6215 void *mpc_data; /** module data */ 6216 }; 6217 6218 /** 6219 * @brief MAC policy module registration routine 6220 * 6221 * This function is called to register a policy with the 6222 * MAC framework. A policy module will typically call this from the 6223 * Darwin KEXT registration routine. 6224 */ 6225 int mac_policy_register(struct mac_policy_conf *mpc, 6226 mac_policy_handle_t *handlep, void *xd); 6227 6228 /** 6229 * @brief MAC policy module de-registration routine 6230 * 6231 * This function is called to de-register a policy with the 6232 * MAC framework. A policy module will typically call this from the 6233 * Darwin KEXT de-registration routine. 6234 */ 6235 int mac_policy_unregister(mac_policy_handle_t handle); 6236 6237 /* 6238 * Framework entry points for the policies to add audit data. 6239 */ 6240 int mac_audit_text(char *text, mac_policy_handle_t handle); 6241 6242 /* 6243 * Calls to assist with use of Apple XATTRs within policy modules. 6244 */ 6245 int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t); 6246 int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t, 6247 size_t *); 6248 int mac_vnop_removexattr(struct vnode *, const char *); 6249 6250 /** 6251 * @brief Set an extended attribute on a vnode-based fileglob. 6252 * @param fg fileglob representing file to attach the extended attribute 6253 * @param name extended attribute name 6254 * @param buf buffer of data to use as the extended attribute value 6255 * @param len size of buffer 6256 * 6257 * Sets the value of an extended attribute on a file. 6258 * 6259 * Caller must hold an iocount on the vnode represented by the fileglob. 6260 */ 6261 #ifdef KERNEL_PRIVATE 6262 int mac_file_setxattr(struct fileglob *fg, const char *name, char *buf, size_t len); 6263 #endif 6264 6265 /** 6266 * @brief Get an extended attribute from a vnode-based fileglob. 6267 * @param fg fileglob representing file to read the extended attribute 6268 * @param name extended attribute name 6269 * @param buf buffer of data to hold the extended attribute value 6270 * @param len size of buffer 6271 * @param attrlen size of full extended attribute value 6272 * 6273 * Gets the value of an extended attribute on a file. 6274 * 6275 * Caller must hold an iocount on the vnode represented by the fileglob. 6276 */ 6277 #ifdef KERNEL_PRIVATE 6278 int mac_file_getxattr(struct fileglob *fg, const char *name, char *buf, size_t len, 6279 size_t *attrlen); 6280 #endif 6281 6282 /** 6283 * @brief Remove an extended attribute from a vnode-based fileglob. 6284 * @param fg fileglob representing file to remove the extended attribute 6285 * @param name extended attribute name 6286 * 6287 * Removes the named extended attribute from the file. 6288 * 6289 * Caller must hold an iocount on the vnode represented by the fileglob. 6290 */ 6291 #ifdef KERNEL_PRIVATE 6292 int mac_file_removexattr(struct fileglob *fg, const char *name); 6293 #endif 6294 6295 /* 6296 * Arbitrary limit on how much data will be logged by the audit 6297 * entry points above. 6298 */ 6299 #define MAC_AUDIT_DATA_LIMIT 1024 6300 6301 /* 6302 * Values returned by mac_audit_{pre,post}select. To combine the responses 6303 * of the security policies into a single decision, 6304 * mac_audit_{pre,post}select() choose the greatest value returned. 6305 */ 6306 #define MAC_AUDIT_DEFAULT 0 /* use system behavior */ 6307 #define MAC_AUDIT_NO 1 /* force not auditing this event */ 6308 #define MAC_AUDIT_YES 2 /* force auditing this event */ 6309 6310 // \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field 6311 6312 /** 6313 * @name Flags for the mpc_loadtime_flags field 6314 * @see mac_policy_conf 6315 * 6316 * This is the complete list of flags that are supported by the 6317 * mpc_loadtime_flags field of the mac_policy_conf structure. These 6318 * flags specify the load time behavior of MAC Framework policy 6319 * modules. 6320 */ 6321 6322 /*@{*/ 6323 6324 /** 6325 * @brief Flag to indicate registration preference 6326 * 6327 * This flag indicates that the policy module must be loaded and 6328 * initialized early in the boot process. If the flag is specified, 6329 * attempts to register the module following boot will be rejected. The 6330 * flag may be used by policies that require pervasive labeling of all 6331 * system objects, and cannot handle objects that have not been 6332 * properly initialized by the policy. 6333 */ 6334 #define MPC_LOADTIME_FLAG_NOTLATE 0x00000001 6335 6336 /** 6337 * @brief Flag to indicate unload preference 6338 * 6339 * This flag indicates that the policy module may be unloaded. If this 6340 * flag is not set, then the policy framework will reject requests to 6341 * unload the module. This flag might be used by modules that allocate 6342 * label state and are unable to free that state at runtime, or for 6343 * modules that simply do not want to permit unload operations. 6344 */ 6345 #define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002 6346 6347 /** 6348 * @brief Unsupported 6349 * 6350 * XXX This flag is not yet supported. 6351 */ 6352 #define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004 6353 6354 /** 6355 * @brief Flag to indicate a base policy 6356 * 6357 * This flag indicates that the policy module is a base policy. Only 6358 * one module can declare itself as base, otherwise the boot process 6359 * will be halted. 6360 */ 6361 #define MPC_LOADTIME_BASE_POLICY 0x00000008 6362 6363 /*@}*/ 6364 6365 /** 6366 * @brief Policy registration flag 6367 * @see mac_policy_conf 6368 * 6369 * This flag indicates that the policy module has been successfully 6370 * registered with the TrustedBSD MAC Framework. The Framework will 6371 * set this flag in the mpc_runtime_flags field of the policy's 6372 * mac_policy_conf structure after registering the policy. 6373 */ 6374 #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 6375 6376 /* 6377 * Depends on POLICY_VER 6378 */ 6379 6380 #ifndef POLICY_VER 6381 #define POLICY_VER 1.0 6382 #endif 6383 6384 #define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \ 6385 static struct mac_policy_conf mpname##_mac_policy_conf = { \ 6386 .mpc_name = #mpname, \ 6387 .mpc_fullname = mpfullname, \ 6388 .mpc_labelnames = lnames, \ 6389 .mpc_labelname_count = lcount, \ 6390 .mpc_ops = mpops, \ 6391 .mpc_loadtime_flags = lflags, \ 6392 .mpc_field_off = slot, \ 6393 .mpc_runtime_flags = rflags \ 6394 }; \ 6395 \ 6396 static kern_return_t \ 6397 kmod_start(kmod_info_t *ki, void *xd) \ 6398 { \ 6399 return mac_policy_register(&mpname##_mac_policy_conf, \ 6400 &handle, xd); \ 6401 } \ 6402 \ 6403 static kern_return_t \ 6404 kmod_stop(kmod_info_t *ki, void *xd) \ 6405 { \ 6406 return mac_policy_unregister(handle); \ 6407 } \ 6408 \ 6409 extern kern_return_t _start(kmod_info_t *ki, void *data); \ 6410 extern kern_return_t _stop(kmod_info_t *ki, void *data); \ 6411 \ 6412 KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \ 6413 kmod_start_func_t *_realmain = kmod_start; \ 6414 kmod_stop_func_t *_antimain = kmod_stop; \ 6415 int _kext_apple_cc = __APPLE_CC__ 6416 6417 /* 6418 * Policy interface to map a struct label pointer to per-policy data. 6419 * Typically, policies wrap this in their own accessor macro that casts an 6420 * intptr_t to a policy-specific data type. 6421 */ 6422 #ifdef KERNEL_PRIVATE 6423 struct label * mac_label_verify(struct label **labelp); 6424 intptr_t mac_label_get(struct label *l, int slot); 6425 /* 6426 * Sets a label slot to the given pointer value, `v`. `v` cannot be `~0ULL`. 6427 */ 6428 void mac_label_set(struct label *l, int slot, intptr_t v); 6429 struct label * mac_labelzone_alloc(int flags); 6430 struct label * mac_labelzone_alloc_for_owner(struct label **labelp, int flags, 6431 void (^extra_setup)(struct label *)); 6432 struct label * mac_labelzone_alloc_owned(struct label **labelp, int flags, 6433 void (^extra_setup)(struct label *)); 6434 void mac_labelzone_free(struct label *l); 6435 void mac_labelzone_free_owned(struct label **labelp, 6436 void (^extra_deinit)(struct label *)); 6437 intptr_t mac_vnode_label_get(struct vnode *vp, int slot, intptr_t sentinel); 6438 void mac_vnode_label_set(struct vnode *vp, int slot, intptr_t v); 6439 #endif 6440 6441 #define mac_get_mpc(h) (mac_policy_list.entries[h].mpc) 6442 6443 /** 6444 * @name Flags for MAC allocator interfaces 6445 * 6446 * These flags are passed to the Darwin kernel allocator routines to 6447 * indicate whether the allocation is permitted to block or not. 6448 * Caution should be taken; some operations are not permitted to sleep, 6449 * and some types of locks cannot be held when sleeping. 6450 */ 6451 6452 /*@{*/ 6453 6454 /** 6455 * @brief Allocation operations may block 6456 * 6457 * If memory is not immediately available, the allocation routine 6458 * will block (typically sleeping) until memory is available. 6459 * 6460 * @warning Inappropriate use of this flag may cause kernel panics. 6461 */ 6462 #define MAC_WAITOK 0 6463 6464 /** 6465 * @brief Allocation operations may not block 6466 * 6467 * Rather than blocking, the allocator may return an error if memory 6468 * is not immediately available. This type of allocation will not 6469 * sleep, preserving locking semantics. 6470 */ 6471 #define MAC_NOWAIT 1 6472 6473 /*@}*/ 6474 6475 #endif /* !_SECURITY_MAC_POLICY_H_ */ 6476