/*
 * Copyright (c) 2013-2019, 2022 Apple Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * Content Filter (CFIL) user/kernel interface.
 *
 * Defines the kernel control socket name, socket options, the wire
 * format of event messages (kernel -> filter agent) and action messages
 * (filter agent -> kernel), and the statistics structures exported via
 * sysctl(3).  The kernel-only section at the end declares the hooks the
 * socket layer calls into the filter.
 *
 * Every message on the control socket starts with struct cfil_msg_hdr;
 * its cfm_len carries the total message length, so a consumer must
 * validate cfm_len against the expected struct size before touching any
 * op-specific field or trailing data.
 */

#ifndef __CONTENT_FILTER_H__
#define __CONTENT_FILTER_H__

#include <sys/param.h>
#include <sys/types.h>
#include <sys/_types/_timeval64.h>
#include <sys/socket.h>
#include <sys/syslog.h>
#include <netinet/in.h>
#include <stdint.h>
#include <corecrypto/ccsha2.h>

#ifdef BSD_KERNEL_PRIVATE
#include <sys/mbuf.h>
#include <sys/socketvar.h>
#endif /* BSD_KERNEL_PRIVATE */

#ifndef XNU_KERNEL_PRIVATE
#include <TargetConditionals.h>
#endif

__BEGIN_DECLS

#ifdef PRIVATE

/*
 * Kernel control name for an instance of a Content Filter
 * Use CTLIOCGINFO to find out the corresponding kernel control id
 * to be set in the sc_id field of sockaddr_ctl for connect(2)
 * Note: the sc_unit is ephemeral
 */
#define CONTENT_FILTER_CONTROL_NAME "com.apple.content-filter"

/*
 * Opaque socket identifier
 *
 * Carried in every message header (cfm_sock_id) and in the per-socket
 * structures below so the filter agent and the kernel refer to the
 * same socket without exchanging pointers.
 */
typedef uint64_t cfil_sock_id_t;

/* Sentinel meaning "no socket"; never a valid identifier. */
#define CFIL_SOCK_ID_NONE UINT64_MAX


/*
 * CFIL_OPT_NECP_CONTROL_UNIT
 * To set or get the NECP filter control unit for the kernel control socket
 * The option level is SYSPROTO_CONTROL
 */
#define CFIL_OPT_NECP_CONTROL_UNIT 1 /* uint32_t */

/*
 * CFIL_OPT_GET_SOCKET_INFO
 * To get information about a given socket that is being filtered.
 * The option value is a struct cfil_opt_sock_info.
 */
#define CFIL_OPT_GET_SOCKET_INFO 2 /* uint32_t */

/*
 * CFIL_OPT_PRESERVE_CONNECTIONS
 * To set or get the preserve-connections setting for the filter
 */
#define CFIL_OPT_PRESERVE_CONNECTIONS 3 /* uint32_t */

/*
 * struct cfil_opt_sock_info
 *
 * Contains information about a socket that is being filtered.
 *
 * Used with CFIL_OPT_GET_SOCKET_INFO.  cfs_sock_id selects the socket;
 * presumably the caller fills it in and the kernel fills the remaining
 * fields on return — confirm against the getsockopt handler.
 */
struct cfil_opt_sock_info {
	cfil_sock_id_t          cfs_sock_id;
	int                     cfs_sock_family;        /* e.g. PF_INET */
	int                     cfs_sock_type;          /* e.g. SOCK_STREAM */
	int                     cfs_sock_protocol;      /* e.g. IPPROTO_TCP */
	union sockaddr_in_4_6   cfs_local;
	union sockaddr_in_4_6   cfs_remote;
	pid_t                   cfs_pid;                /* owning process */
	pid_t                   cfs_e_pid;              /* effective (delegated) process */
	uuid_t                  cfs_uuid;               /* owning process UUID */
	uuid_t                  cfs_e_uuid;             /* effective process UUID */
};

/*
 * How many filters may be active simultaneously
 *
 * Also bounds the per-socket entry array (struct cfil_sock_stat.ces_entries).
 */

#define CFIL_MAX_FILTER_COUNT   8

/*
 * Crypto Support
 *
 * Event messages carry a signature buffer so the filter agent can check
 * that an event originated from the kernel after a key has been installed
 * with CFM_OP_SET_CRYPTO_KEY.  Both the key and the signature are
 * CCSHA256_OUTPUT_SIZE / CFIL_CRYPTO_SIGNATURE_SIZE (32) bytes; the exact
 * construction (presumably a keyed SHA-256 over struct cfil_crypto_data)
 * lives in the kernel implementation, not in this header — verify there.
 */
#define CFIL_CRYPTO 1
#define CFIL_CRYPTO_SIGNATURE_SIZE 32
#define CFIL_CRYPTO_DATA_EVENT 1

typedef uint8_t cfil_crypto_key[CCSHA256_OUTPUT_SIZE];
typedef uint8_t cfil_crypto_signature[CFIL_CRYPTO_SIGNATURE_SIZE];

/*
 * Kernel-side signing state: the digest to use and the raw key.
 * NOTE(review): the key is held in plain memory for the lifetime of this
 * state; the owner is expected to clear it on teardown (not visible here).
 */
typedef struct cfil_crypto_state {
	const struct ccdigest_info *digest_info;
	cfil_crypto_key key;
} *cfil_crypto_state_t;

/*
 * Fields that describe a flow for signing purposes.  Presumably this is
 * the exact byte sequence the signature is computed over, in which case
 * any change to its layout changes signature compatibility — confirm
 * against the signing code before editing.
 */
typedef struct cfil_crypto_data {
	uuid_t flow_id;
	u_int64_t sock_id;
	u_int32_t direction;            /* CFS_CONNECTION_DIR_IN / _OUT, presumably */
	union sockaddr_in_4_6 remote;
	union sockaddr_in_4_6 local;
	u_int32_t socketProtocol;
	pid_t pid;
	pid_t effective_pid;
	uuid_t uuid;
	uuid_t effective_uuid;
	u_int64_t byte_count_in;
	u_int64_t byte_count_out;
} *cfil_crypto_data_t;

/*
 * Types of messages
 *
 * Event messages flow from kernel to user space while action
 * messages flow in the reverse direction.
 * A message is entirely represented by a packet sent or received
 * on a Content Filter kernel control socket.
 */
#define CFM_TYPE_EVENT 1        /* message from kernel */
#define CFM_TYPE_ACTION 2       /* message to kernel */

/*
 * Operations associated with events from kernel
 */
#define CFM_OP_SOCKET_ATTACHED 1        /* a socket has been attached */
#define CFM_OP_SOCKET_CLOSED 2          /* a socket is being closed */
#define CFM_OP_DATA_OUT 3               /* data being sent */
#define CFM_OP_DATA_IN 4                /* data being received */
#define CFM_OP_DISCONNECT_OUT 5         /* no more outgoing data */
#define CFM_OP_DISCONNECT_IN 6          /* no more incoming data */
#define CFM_OP_STATS 7                  /* periodic stats report(s) */

/*
 * Operations associated with action from filter to kernel
 *
 * The kernel counts rejected actions in struct cfil_stats
 * (cfs_ctl_action_bad_op, cfs_ctl_action_bad_len), so an unknown op or
 * a message whose cfm_len does not match its op is presumably dropped
 * rather than acted on.
 */
#define CFM_OP_DATA_UPDATE 16           /* update pass or peek offsets */
#define CFM_OP_DROP 17                  /* shutdown socket, no more data */
#define CFM_OP_BLESS_CLIENT 18          /* mark a client flow as already filtered, passes a uuid */
#define CFM_OP_SET_CRYPTO_KEY 19        /* assign client crypto key for message signing */

/*
 * struct cfil_msg_hdr
 *
 * Header common to all messages
 *
 * cfm_len is the total length of the message including this header and
 * any op-specific body or trailing content; it is the only length field
 * a receiver has, so bound every read by it.
 */
struct cfil_msg_hdr {
	uint32_t        cfm_len;        /* total length */
	uint32_t        cfm_version;    /* CFM_VERSION_CURRENT */
	uint32_t        cfm_type;       /* CFM_TYPE_EVENT or CFM_TYPE_ACTION */
	uint32_t        cfm_op;         /* CFM_OP_* for the given type */
	cfil_sock_id_t  cfm_sock_id;    /* socket the message refers to */
};

#define CFM_VERSION_CURRENT 1

/*
 * Connection Direction
 */
#define CFS_CONNECTION_DIR_IN   0
#define CFS_CONNECTION_DIR_OUT  1

/*
 * Feature marker: presumably advertises that cfs_real_audit_token is
 * present in struct cfil_msg_sock_attached — confirm with consumers.
 */
#define CFS_REAL_AUDIT_TOKEN 1

#define CFS_MAX_DOMAIN_NAME_LENGTH 256


/*
 * struct cfil_msg_sock_attached
 *
 * Information about a new socket being attached to the content filter
 *
 * Action: No reply is expected as this does not block the creation of the
 * TCP/IP but timely action must be taken to avoid user noticeable delays.
 *
 * Valid Types: CFM_TYPE_EVENT
 *
 * Valid Op: CFM_OP_SOCKET_ATTACHED
 */
struct cfil_msg_sock_attached {
	struct cfil_msg_hdr     cfs_msghdr;
	int                     cfs_sock_family;        /* e.g. PF_INET */
	int                     cfs_sock_type;          /* e.g. SOCK_STREAM */
	int                     cfs_sock_protocol;      /* e.g. IPPROTO_TCP */
	int                     cfs_unused;             /* padding */
	pid_t                   cfs_pid;
	pid_t                   cfs_e_pid;              /* effective (delegated) pid */
	uuid_t                  cfs_uuid;
	uuid_t                  cfs_e_uuid;             /* effective (delegated) uuid */
	union sockaddr_in_4_6   cfs_src;
	union sockaddr_in_4_6   cfs_dst;
	int                     cfs_conn_dir;           /* CFS_CONNECTION_DIR_* */
	unsigned int            cfs_audit_token[8];     /* Must match audit_token_t */
	unsigned int            cfs_real_audit_token[8];        /* Must match audit_token_t */
	cfil_crypto_signature   cfs_signature;
	uint32_t                cfs_signature_length;   /* valid bytes in cfs_signature */
	/*
	 * NOTE(review): this declaration alone does not guarantee NUL
	 * termination; readers should bound string operations by
	 * CFS_MAX_DOMAIN_NAME_LENGTH rather than rely on a terminator.
	 */
	char                    cfs_remote_domain_name[CFS_MAX_DOMAIN_NAME_LENGTH];
};

/*
 * CFIL data flags
 */
#define CFD_DATA_FLAG_IP_HEADER 0x00000001      /* Data includes IP header */
/* Feature marker for the cfd_delegated_* fields below — inferred from naming. */
#define CFIL_DATA_HAS_DELEGATED_PID 1
/*
 * struct cfil_msg_data_event
 *
 * Event for the content filter to act on a span of data
 * A data span is described by a pair of offsets over the cumulative
 * number of bytes sent or received on the socket.
 *
 * Action: The event must be acted upon but the filter may buffer
 * data spans until it has enough content to make a decision.
 * The action must be timely to avoid user noticeable delays.
 *
 * Valid Type: CFM_TYPE_EVENT
 *
 * Valid Ops: CFM_OP_DATA_OUT, CFM_OP_DATA_IN
 *
 * The content bytes follow the struct in the same packet.  A receiver
 * should check cfd_msghdr.cfm_len >= sizeof(struct cfil_msg_data_event)
 * before reading them and treat cfm_len - sizeof(...) as the content
 * length; whether that always equals cfd_end_offset - cfd_start_offset
 * is not established by this header.
 */
struct cfil_msg_data_event {
	struct cfil_msg_hdr     cfd_msghdr;
	union sockaddr_in_4_6   cfc_src;
	union sockaddr_in_4_6   cfc_dst;
	uint64_t                cfd_start_offset;       /* cumulative byte offset of first byte */
	uint64_t                cfd_end_offset;         /* cumulative byte offset past last byte */
	cfil_crypto_signature   cfd_signature;
	uint32_t                cfd_signature_length;   /* valid bytes in cfd_signature */
	uint32_t                cfd_flags;              /* CFD_DATA_FLAG_* */
	pid_t                   cfd_delegated_pid;
	unsigned int            cfd_delegated_audit_token[8];
	/* Actual content data immediately follows */
};

/* Number of op/time entries recorded in struct cfil_msg_sock_closed. */
#define CFI_MAX_TIME_LOG_ENTRY 6
/*
 * struct cfil_msg_sock_closed
 *
 * Information about a socket being closed to the content filter
 *
 * Action: No reply is expected as this does not block the closing of the
 * TCP/IP.
 *
 * Valid Types: CFM_TYPE_EVENT
 *
 * Valid Op: CFM_OP_SOCKET_CLOSED
 */
struct cfil_msg_sock_closed {
	struct cfil_msg_hdr     cfc_msghdr;
	struct timeval64        cfc_first_event;
	uint32_t                cfc_op_list_ctr;        /* entries used in the two arrays below; presumably <= CFI_MAX_TIME_LOG_ENTRY */
	uint32_t                cfc_op_time[CFI_MAX_TIME_LOG_ENTRY];    /* time interval in microseconds since first event */
	unsigned char           cfc_op_list[CFI_MAX_TIME_LOG_ENTRY];
	uint64_t                cfc_byte_inbound_count;
	uint64_t                cfc_byte_outbound_count;
/* Feature marker: cfc_laddr is present in this message. */
#define CFC_CLOSED_EVENT_LADDR 1
	union sockaddr_in_4_6   cfc_laddr;
	cfil_crypto_signature   cfc_signature;
	uint32_t                cfc_signature_length;   /* valid bytes in cfc_signature */
} __attribute__((aligned(8)));

/*
 * struct cfil_msg_stats_report
 *
 * Statistics report for flow(s).
 *
 * Action: No reply is expected.
 *
 * Valid Types: CFM_TYPE_EVENT
 *
 * Valid Op: CFM_OP_STATS
 */
struct cfil_msg_sock_stats {
	cfil_sock_id_t          cfs_sock_id;
	uint64_t                cfs_byte_inbound_count;
	uint64_t                cfs_byte_outbound_count;
	union sockaddr_in_4_6   cfs_laddr;
} __attribute__((aligned(8)));

/*
 * cfr_stats is a flexible array of cfr_count entries.  Before indexing,
 * a receiver must check that
 *   sizeof(struct cfil_msg_stats_report) + cfr_count * sizeof(struct cfil_msg_sock_stats)
 * does not exceed cfr_msghdr.cfm_len; cfr_count alone is not trustworthy.
 */
struct cfil_msg_stats_report {
	struct cfil_msg_hdr        cfr_msghdr;
	uint32_t                   cfr_count;
	struct cfil_msg_sock_stats cfr_stats[];
} __attribute__((aligned(8)));

/*
 * struct cfil_msg_action
 *
 * Valid Type: CFM_TYPE_ACTION
 *
 * Valid Ops: CFM_OP_DATA_UPDATE, CFM_OP_DROP
 *
 * For CFM_OP_DATA_UPDATE:
 *
 * cfa_in_pass_offset and cfa_out_pass_offset indicate how much data is
 * allowed to pass. A zero value does not modify the corresponding pass offset.
 *
 * cfa_in_peek_offset and cfa_out_peek_offset let the filter specify how much
 * data it needs to make a decision: the kernel will deliver data up to that
 * offset (if less than cfa_pass_offset it is ignored). Use CFM_MAX_OFFSET
 * if you don't want the corresponding peek offset to be updated.
 */
struct cfil_msg_action {
	struct cfil_msg_hdr     cfa_msghdr;
	uint64_t                cfa_in_pass_offset;
	uint64_t                cfa_in_peek_offset;
	uint64_t                cfa_out_pass_offset;
	uint64_t                cfa_out_peek_offset;
	uint32_t                cfa_stats_frequency;    // Statistics frequency in milliseconds
};

/*
 * struct cfil_msg_bless_client
 *
 * Marks a client UUID as already filtered at a higher level.
 *
 * Valid Type: CFM_TYPE_ACTION
 *
 * Valid Ops: CFM_OP_BLESS_CLIENT
 */
struct cfil_msg_bless_client {
	struct cfil_msg_hdr     cfb_msghdr;
	uuid_t                  cfb_client_uuid;
};

/*
 * struct cfil_msg_set_crypto_key
 *
 * Filter assigning client crypto key to CFIL for message signing
 *
 * Valid Type: CFM_TYPE_ACTION
 *
 * Valid Ops: CFM_OP_SET_CRYPTO_KEY
 *
 * The raw key travels over the control socket in this message; after it
 * is set the kernel fills the *_signature fields of subsequent events.
 * Anyone able to send on the control socket can therefore replace the
 * key, so access to the control socket is the trust boundary.
 */
struct cfil_msg_set_crypto_key {
	struct cfil_msg_hdr     cfb_msghdr;
	cfil_crypto_key         crypto_key;
};

/* "Do not update" value for the peek offsets in struct cfil_msg_action. */
#define CFM_MAX_OFFSET  UINT64_MAX

/*
 * Statistics retrieved via sysctl(3)
 *
 * Per-filter record; cfs_len is the record length so readers can skip
 * records of a size they do not recognise.
 */
struct cfil_filter_stat {
	uint32_t        cfs_len;
	uint32_t        cfs_filter_id;
	uint32_t        cfs_flags;
	uint32_t        cfs_sock_count;
	uint32_t        cfs_necp_control_unit;
};
/*
 * Per-(socket, filter) entry statistics, one per attached filter.
 * ces_snd / ces_rcv describe the send and receive side buffers.
 */
struct cfil_entry_stat {
	uint32_t                ces_len;                /* record length */
	uint32_t                ces_filter_id;
	uint32_t                ces_flags;
	uint32_t                ces_necp_control_unit;
	struct timeval64        ces_last_event;
	struct timeval64        ces_last_action;
	struct cfe_buf_stat {
		uint64_t        cbs_pending_first;
		uint64_t        cbs_pending_last;
		uint64_t        cbs_ctl_first;
		uint64_t        cbs_ctl_last;
		uint64_t        cbs_pass_offset;
		uint64_t        cbs_peek_offset;
		uint64_t        cbs_peeked;
	} ces_snd, ces_rcv;
};

/*
 * Per-socket statistics, followed by one cfil_entry_stat per possible
 * filter slot (CFIL_MAX_FILTER_COUNT).
 */
struct cfil_sock_stat {
	uint32_t                cfs_len;                /* record length */
	int                     cfs_sock_family;
	int                     cfs_sock_type;
	int                     cfs_sock_protocol;
	cfil_sock_id_t          cfs_sock_id;
	uint64_t                cfs_flags;
	pid_t                   cfs_pid;
	pid_t                   cfs_e_pid;
	uuid_t                  cfs_uuid;
	uuid_t                  cfs_e_uuid;
	struct cfi_buf_stat {
		uint64_t        cbs_pending_first;
		uint64_t        cbs_pending_last;
		uint64_t        cbs_pass_offset;
		uint64_t        cbs_inject_q_len;
	} cfs_snd, cfs_rcv;
	struct cfil_entry_stat  ces_entries[CFIL_MAX_FILTER_COUNT];
};

/*
 * Global statistics
 *
 * Counters are grouped by subsystem: control socket traffic, socket
 * attach/detach, each event type, flush/inject queues, and the 64-bit
 * byte counters at the end (explicitly 8-byte aligned so the layout is
 * the same for 32- and 64-bit consumers).
 */
struct cfil_stats {
	/* Control socket connection and message accounting. */
	int32_t cfs_ctl_connect_ok;
	int32_t cfs_ctl_connect_fail;
	int32_t cfs_ctl_disconnect_ok;
	int32_t cfs_ctl_disconnect_fail;
	int32_t cfs_ctl_send_ok;
	int32_t cfs_ctl_send_bad;
	int32_t cfs_ctl_rcvd_ok;
	int32_t cfs_ctl_rcvd_bad;
	int32_t cfs_ctl_rcvd_flow_lift;
	int32_t cfs_ctl_action_data_update;
	int32_t cfs_ctl_action_drop;
	int32_t cfs_ctl_action_bad_op;          /* action with an unknown cfm_op */
	int32_t cfs_ctl_action_bad_len;         /* action whose cfm_len did not match */

	int32_t cfs_sock_id_not_found;

	int32_t cfs_cfi_alloc_ok;
	int32_t cfs_cfi_alloc_fail;

	/* Socket attach/detach outcomes. */
	int32_t cfs_sock_userspace_only;
	int32_t cfs_sock_attach_in_vain;
	int32_t cfs_sock_attach_already;
	int32_t cfs_sock_attach_no_mem;
	int32_t cfs_sock_attach_failed;
	int32_t cfs_sock_attached;
	int32_t cfs_sock_detached;

	/* Per-event-type delivery outcomes (ok / flow-controlled / failed). */
	int32_t cfs_attach_event_ok;
	int32_t cfs_attach_event_flow_control;
	int32_t cfs_attach_event_fail;

	int32_t cfs_closed_event_ok;
	int32_t cfs_closed_event_flow_control;
	int32_t cfs_closed_event_fail;

	int32_t cfs_data_event_ok;
	int32_t cfs_data_event_flow_control;
	int32_t cfs_data_event_fail;

	int32_t cfs_stats_event_ok;
	int32_t cfs_stats_event_flow_control;
	int32_t cfs_stats_event_fail;

	int32_t cfs_disconnect_in_event_ok;
	int32_t cfs_disconnect_out_event_ok;
	int32_t cfs_disconnect_event_flow_control;
	int32_t cfs_disconnect_event_fail;

	int32_t cfs_ctl_q_not_started;

	int32_t cfs_close_wait;
	int32_t cfs_close_wait_timeout;

	/* Queue flushes, by direction and by reason. */
	int32_t cfs_flush_in_drop;
	int32_t cfs_flush_out_drop;
	int32_t cfs_flush_in_close;
	int32_t cfs_flush_out_close;
	int32_t cfs_flush_in_free;
	int32_t cfs_flush_out_free;

	/* Inject queue failures and retries. */
	int32_t cfs_inject_q_nomem;
	int32_t cfs_inject_q_nobufs;
	int32_t cfs_inject_q_detached;
	int32_t cfs_inject_q_in_fail;
	int32_t cfs_inject_q_out_fail;

	int32_t cfs_inject_q_in_retry;
	int32_t cfs_inject_q_out_retry;

	int32_t cfs_data_in_control;
	int32_t cfs_data_in_oob;
	int32_t cfs_data_out_control;
	int32_t cfs_data_out_oob;

	/* Byte counters per queue; 64-bit and 8-byte aligned. */
	int64_t cfs_ctl_q_in_enqueued __attribute__((aligned(8)));
	int64_t cfs_ctl_q_out_enqueued __attribute__((aligned(8)));
	int64_t cfs_ctl_q_in_peeked __attribute__((aligned(8)));
	int64_t cfs_ctl_q_out_peeked __attribute__((aligned(8)));

	int64_t cfs_pending_q_in_enqueued __attribute__((aligned(8)));
	int64_t cfs_pending_q_out_enqueued __attribute__((aligned(8)));

	int64_t cfs_inject_q_in_enqueued __attribute__((aligned(8)));
	int64_t cfs_inject_q_out_enqueued __attribute__((aligned(8)));
	int64_t cfs_inject_q_in_passed __attribute__((aligned(8)));
	int64_t cfs_inject_q_out_passed __attribute__((aligned(8)));
};
#endif /* PRIVATE */

#ifdef BSD_KERNEL_PRIVATE

/* mbuf flag alias; from the name, marks packets that skip content filtering — confirm in the users. */
#define M_SKIPCFIL      M_PROTO5

/* Number of filters currently attached; used below as a fast "nothing to do" check. */
extern uint32_t cfil_active_count;
/*
 * Check if flows on socket should be filtered
 *
 * NOTE(review): `so` is expanded unparenthesized (so->so_flags), so pass a
 * plain pointer lvalue, not an expression.  CFIL_DGRAM_FILTERED applies
 * only to non-TCP sockets (IS_TCP is defined elsewhere) and short-circuits
 * on cfil_active_count before consulting the flow DB or NECP.
 */
#define CFIL_DGRAM_HAS_FILTERED_FLOWS(so) ((so->so_flags & SOF_CONTENT_FILTER) && (so->so_flow_db != NULL))
#define CFIL_DGRAM_FILTERED(so) (!IS_TCP(so) && (cfil_active_count > 0) && (CFIL_DGRAM_HAS_FILTERED_FLOWS(so) || necp_socket_get_content_filter_control_unit(so)))

extern int cfil_log_level;

/*
 * Log at `level` when cfil_log_level permits.  `fmt` is concatenated
 * with string literals, so it must itself be a string literal — never
 * a runtime value.  `level` is compared unparenthesized; use a plain
 * constant.
 */
#define CFIL_LOG(level, fmt, ...) \
do { \
	if (cfil_log_level >= level) \
		printf("%s:%d " fmt "\n",\
		    __FUNCTION__, __LINE__, ##__VA_ARGS__); \
} while (0)


extern void cfil_register_m_tag(void);

extern void cfil_init(void);

/* True when at least one content filter is attached. */
extern boolean_t cfil_filter_present(void);
/* Socket-state queries used by the socket layer. */
extern boolean_t cfil_sock_connected_pending_verdict(struct socket *so);
extern boolean_t cfil_sock_is_dead(struct socket *so);
extern boolean_t cfil_sock_tcp_add_time_wait(struct socket *so);
/* Attach/detach a socket; `dir` is presumably CFS_CONNECTION_DIR_* — confirm. */
extern errno_t cfil_sock_attach(struct socket *so,
    struct sockaddr *local, struct sockaddr *remote, int dir);
extern errno_t cfil_sock_detach(struct socket *so);

/*
 * Data path hooks for outbound and inbound data.  `flags` and the
 * soflow_hash_entry identify the datagram flow the data belongs to.
 */
extern int cfil_sock_data_out(struct socket *so, struct sockaddr *to,
    struct mbuf *data, struct mbuf *control,
    uint32_t flags, struct soflow_hash_entry *);
extern int cfil_sock_data_in(struct socket *so, struct sockaddr *from,
    struct mbuf *data, struct mbuf *control,
    uint32_t flags, struct soflow_hash_entry *);

/* `how` is passed by pointer, presumably so the filter can adjust it — confirm. */
extern int cfil_sock_shutdown(struct socket *so, int *how);
extern void cfil_sock_is_closed(struct socket *so);
extern void cfil_sock_notify_shutdown(struct socket *so, int how);
extern void cfil_sock_close_wait(struct socket *so);

/* Socket buffer accounting while data is held by the filter. */
extern boolean_t cfil_sock_data_pending(struct sockbuf *sb);
extern int cfil_sock_data_space(struct sockbuf *sb);
extern void cfil_sock_buf_update(struct sockbuf *sb);

/* Map a socket (or a datagram flow on it) to its cfil_sock_id_t. */
extern cfil_sock_id_t cfil_sock_id_from_socket(struct socket *so);
extern cfil_sock_id_t cfil_sock_id_from_datagram_socket(struct socket *so, struct sockaddr *local, struct sockaddr *remote);

/* Datagram socket state carried on the mbuf via an m_tag. */
extern struct m_tag *cfil_dgram_get_socket_state(struct mbuf *m, uint32_t *state_change_cnt,
    uint32_t *options, struct sockaddr **faddr, int *inp_flags);
extern boolean_t cfil_dgram_peek_socket_state(struct mbuf *m, int *inp_flags);

#endif /* BSD_KERNEL_PRIVATE */

__END_DECLS

#endif /* __CONTENT_FILTER_H__ */
