1 /* 2 * Copyright (c) 2007-2016 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28 /*- 29 * Copyright (c) 1999-2002 Robert N. M. Watson 30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 31 * Copyright (c) 2005-2007 SPARTA, Inc. 32 * All rights reserved. 33 * 34 * This software was developed by Robert Watson for the TrustedBSD Project. 35 * 36 * This software was developed for the FreeBSD Project in part by Network 37 * Associates Laboratories, the Security Research Division of Network 38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 39 * as part of the DARPA CHATS research program. 
 *
 * This software was enhanced by SPARTA ISSO under SPAWAR contract
 * N66001-04-C-6019 ("SEFOS").
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $
 */

/**
 * @file mac_policy.h
 * @brief Kernel Interfaces for MAC policy modules
 *
 * This header defines the list of operations that are defined by the
 * TrustedBSD MAC Framework on Darwin.  MAC Policy modules register
 * with the framework to declare interest in a specific set of
 * operations.  If interest in an entry point is not declared, then
 * the policy will be ignored when the Framework evaluates that entry
 * point.
 */

#ifndef _SECURITY_MAC_POLICY_H_
#define _SECURITY_MAC_POLICY_H_

#ifndef PRIVATE
#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
#endif

#include <security/_label.h>
#include <kern/cs_blobs.h>

/* Opaque kernel object types referenced by the entry point signatures below. */
struct attrlist;
struct auditinfo;
struct bpf_d;
struct cs_blob;
struct devnode;
struct exception_action;
struct fileglob;
struct ifnet;
struct inpcb;
struct ipq;
struct label;
struct mac_policy_conf;
struct mbuf;
struct mount;
struct msg;
struct msqid_kernel;
struct pipe;
struct pseminfo;
struct pshminfo;
struct sbuf;
struct semid_kernel;
struct shmid_kernel;
struct socket;
struct sockopt;
struct task;
struct thread;
struct tty;
struct ucred;
struct vfs_attr;
struct vnode;
struct sockaddr;
/** @struct dummy */


/*
 * proc_ident_t support, see: rdar://problem/58928152
 * Should be removed once all dependent parties adopt
 * proc_ident_t.
 */
#define MAC_PROC_IDENT_SUPPORT

#ifndef _KAUTH_CRED_T
#define _KAUTH_CRED_T
typedef struct ucred *kauth_cred_t;
#endif /* !_KAUTH_CRED_T */

#ifndef __IOKIT_PORTS_DEFINED__
#define __IOKIT_PORTS_DEFINED__
#ifdef __cplusplus
class OSObject;
typedef OSObject *io_object_t;
#else
struct OSObject;
typedef struct OSObject *io_object_t;
#endif
#endif /* __IOKIT_PORTS_DEFINED__ */

/*-
 * MAC entry points are generally named using the following template:
 *
 *   mpo_<object>_<operation>()
 *
 * or:
 *
 *   mpo_<object>_check_<operation>()
 *
 * Entry points are sorted by object type.
 *
 * It may be desirable also to consider some subsystems as "objects", such
 * as system, iokit, etc.
 */

/**
 * @name Entry Points for Label Management
 *
 * These are the entry points corresponding to the life cycle events for
 * kernel objects, such as initialization, creation, and destruction.
 *
 * Most policies (that use labels) will initialize labels by allocating
 * space for policy-specific data.  In most cases, it is permitted to
 * sleep during label initialization operations; it will be noted when
 * it is not permitted.
 *
 * Initialization usually will not require doing more than allocating a
 * generic label for the given object.  What follows initialization is
 * creation, where a label is made specific to the object it is associated
 * with.  Destruction occurs when the label is no longer needed, such as
 * when the corresponding object is destroyed.  All necessary cleanup should
 * be performed in label destroy operations.
 *
 * Where possible, the label entry points have identical parameters.  If
 * the policy module does not require structure-specific label
 * information, the same function may be registered in the policy
 * operation vector.  Many policies will implement two such generic
 * allocation calls: one to handle sleepable requests, and one to handle
 * potentially non-sleepable requests.
 */


/**
 * @brief Audit event postselection
 * @param cred Subject credential
 * @param syscode Syscall number
 * @param args Syscall arguments
 * @param error Syscall errno
 * @param retval Syscall return value
 *
 * This is the MAC Framework audit postselect, which is called before
 * exiting a syscall to determine if an audit event should be committed.
 * A return value of MAC_AUDIT_NO forces the audit record to be suppressed.
 * Any other return value results in the audit record being committed.
 *
 * @warning The suppression behavior will probably go away in Apple's
 * future version of the audit implementation.
 *
 * @return Return MAC_AUDIT_NO to force suppression of the audit record.
 * Any other value results in the audit record being committed.
 *
 */
typedef int mpo_audit_check_postselect_t(
	kauth_cred_t cred,
	unsigned short syscode,
	void *args,
	int error,
	int retval
);
/**
 * @brief Audit event preselection
 * @param cred Subject credential
 * @param syscode Syscall number
 * @param args Syscall arguments
 *
 * This is the MAC Framework audit preselect, which is called before a
 * syscall is entered to determine if an audit event should be created.
 * If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be
 * returned.  A return value of MAC_AUDIT_NO causes the audit record to
 * be suppressed.  Returning MAC_AUDIT_DEFAULT indicates that the policy wants
 * to defer to the system's existing preselection mechanism.
 *
 * When policies return different preferences, the Framework decides what action
 * to take based on the following policy.  If any policy returns MAC_AUDIT_YES,
 * then create an audit record, else if any policy returns MAC_AUDIT_NO, then
 * suppress the creation of an audit record, else defer to the system's
 * existing preselection mechanism.
 *
 * @warning The audit implementation in Apple's current version is
 * incomplete, so the MAC policies have priority over the system's existing
 * mechanisms.  This will probably change in the future version where
 * the audit implementation is more complete.
 *
 * @return Return MAC_AUDIT_YES to force auditing of the syscall,
 * MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT
 * to allow auditing mechanisms to determine if the syscall is audited.
 *
 */
typedef int mpo_audit_check_preselect_t(
	kauth_cred_t cred,
	unsigned short syscode,
	void *args
);
/**
 * @brief Indicate desire to change the process label at exec time
 * @param old Existing subject credential
 * @param vp File being executed
 * @param offset Offset of binary within file being executed
 * @param scriptvp Script being executed by interpreter, if any.
 * @param vnodelabel Label corresponding to vp
 * @param scriptvnodelabel Script vnode label
 * @param execlabel Userspace provided execution label
 * @param p Object process
 * @param macpolicyattr MAC policy-specific spawn attribute data
 * @param macpolicyattrlen Length of policy-specific spawn attribute data
 * @see mac_execve
 * @see mpo_cred_label_update_execve_t
 * @see mpo_vnode_check_exec_t
 *
 * Indicate whether this policy intends to update the label of a newly
 * created credential from the existing subject credential (old).  This
 * call occurs when a process executes the passed vnode.  If a policy
 * returns non-zero from this entry point, the mpo_cred_label_update_execve
 * entry point will later be called with the same parameters.  Access
 * has already been checked via the mpo_vnode_check_exec entry point;
 * this entry point is necessary to preserve kernel locking constraints
 * during program execution.
 *
 * The supplied vnode and vnodelabel correspond with the file actually
 * being executed; in the case that the file is interpreted (for
 * example, a script), the label of the original exec-time vnode has
 * been preserved in scriptvnodelabel.
 *
 * The final label, execlabel, corresponds to a label supplied by a
 * user space application through the use of the mac_execve system call.
 *
 * The vnode lock is held during this operation.  No changes should be
 * made to the old credential structure.
 *
 * @warning Even if a policy returns 0, it should behave correctly in
 * the presence of an invocation of mpo_cred_label_update_execve, as that
 * call may happen as a result of another policy requesting a transition.
 *
 * @return Non-zero if a transition is required, 0 otherwise.
 */
typedef int mpo_cred_check_label_update_execve_t(
	kauth_cred_t old,
	struct vnode *vp,
	off_t offset,
	struct vnode *scriptvp,
	struct label *vnodelabel,
	struct label *scriptvnodelabel,
	struct label *execlabel,
	struct proc *p,
	void *macpolicyattr,
	size_t macpolicyattrlen
);
/**
 * @brief Access control check for relabelling processes
 * @param cred Subject credential
 * @param newlabel New label to apply to the user credential
 * @see mpo_cred_label_update_t
 * @see mac_set_proc
 *
 * Determine whether the subject identified by the credential can relabel
 * itself to the supplied new label (newlabel).  This access control check
 * is called when the mac_set_proc system call is invoked.  A user space
 * application will supply a new value, the value will be internalized
 * and provided in newlabel.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_cred_check_label_update_t(
	kauth_cred_t cred,
	struct label *newlabel
);
/**
 * @brief Access control check for visibility of other subjects
 * @param u1 Subject credential
 * @param u2 Object credential
 *
 * Determine whether the subject identified by the credential u1 can
 * "see" other subjects with the passed subject credential u2.  This call
 * may be made in a number of situations, including inter-process status
 * sysctls used by ps, and in procfs lookups.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
Suggested failure: EACCES for label mismatch,
 * EPERM for lack of privilege, or ESRCH to hide visibility.
 */
typedef int mpo_cred_check_visible_t(
	kauth_cred_t u1,
	kauth_cred_t u2
);
/**
 * @brief Associate a credential with a new process at fork
 * @param cred Credential to be inherited by the new process
 * @param proc The new process
 *
 * Allow a policy to associate the credential with a new
 * process for reference counting purposes.
 * NOTE: the credential can be dis-associated in ways other
 * than exit - so this strategy is flawed - should just
 * catch label destroy callback.
 */
typedef void mpo_cred_label_associate_fork_t(
	kauth_cred_t cred,
	proc_t proc
);
/**
 * @brief Label the credential of process 0
 * @param cred Subject credential to be labeled
 *
 * Create the subject credential of process 0, the parent of all BSD
 * kernel processes.  Policies should update the label in the
 * previously initialized credential structure.
 */
typedef void mpo_cred_label_associate_kernel_t(
	kauth_cred_t cred
);
/**
 * @brief Create a credential label
 * @param parent_cred Parent credential
 * @param child_cred Child credential
 *
 * Set the label of a newly created credential, most likely using the
 * information in the supplied parent credential.
 *
 * @warning This call is made when crcopy or crdup is invoked on a
 * newly created struct ucred, and should not be confused with a
 * process fork or creation event.
 */
typedef void mpo_cred_label_associate_t(
	kauth_cred_t parent_cred,
	kauth_cred_t child_cred
);
/**
 * @brief Label the credential of process 1 (init)
 * @param cred Subject credential to be labeled
 *
 * Create the subject credential of process 1, the parent of all BSD
 * user processes.  Policies should update the label in the previously
 * initialized credential structure.  This is the 'init' process.
 */
typedef void mpo_cred_label_associate_user_t(
	kauth_cred_t cred
);
/**
 * @brief Destroy credential label
 * @param label The label to be destroyed
 *
 * Destroy a user credential label.  Since the user credential
 * is going out of scope, policy modules should free any internal
 * storage associated with the label so that it may be destroyed.
 */
typedef void mpo_cred_label_destroy_t(
	struct label *label
);
/**
 * @brief Externalize a user credential label for auditing
 * @param label Label to be externalized
 * @param element_name Name of the label namespace for which labels should be
 * externalized
 * @param sb String buffer to be filled with a text representation of the label
 *
 * Produce an external representation of the label on a user credential for
 * inclusion in an audit record.  An externalized label consists of a text
 * representation of the label contents that will be added to the audit record
 * as part of a text token.  Policy-agnostic user space tools will display
 * this externalized version.
 *
 * @return 0 on success, return non-zero if an error occurs while
 * externalizing the label data.
 *
 */
typedef int mpo_cred_label_externalize_audit_t(
	struct label *label,
	char *element_name,
	struct sbuf *sb
);
/**
 * @brief Externalize a user credential label
 * @param label Label to be externalized
 * @param element_name Name of the label namespace for which labels should be
 * externalized
 * @param sb String buffer to be filled with a text representation of the label
 *
 * Produce an external representation of the label on a user
 * credential.  An externalized label consists of a text representation
 * of the label contents that can be used with user applications.
 * Policy-agnostic user space tools will display this externalized
 * version.
 *
 * @return 0 on success, return non-zero if an error occurs while
 * externalizing the label data.
 *
 */
typedef int mpo_cred_label_externalize_t(
	struct label *label,
	char *element_name,
	struct sbuf *sb
);
/**
 * @brief Initialize user credential label
 * @param label New label to initialize
 *
 * Initialize the label for a newly instantiated user credential.
 * Sleeping is permitted.
 */
typedef void mpo_cred_label_init_t(
	struct label *label
);
/**
 * @brief Internalize a user credential label
 * @param label Label to be internalized
 * @param element_name Name of the label namespace for which the label should
 * be internalized
 * @param element_data Text data to be internalized
 *
 * Produce a user credential label from an external representation.  An
 * externalized label consists of a text representation of the label
 * contents that can be used with user applications.  Policy-agnostic
 * user space tools will forward the text version to the kernel for
 * processing by individual policy modules.  The text originates in user
 * space and must be validated by the policy before it is trusted.
 *
 * The policy's internalize entry points will be called only if the
 * policy has registered interest in the label namespace.
 *
 * @return 0 on success.  Otherwise, return non-zero if an error occurs
 * while internalizing the label data.
 *
 */
typedef int mpo_cred_label_internalize_t(
	struct label *label,
	char *element_name,
	char *element_data
);
/**
 * @brief Update credential at exec time
 * @param old_cred Existing subject credential
 * @param new_cred New subject credential to be labeled
 * @param p Object process.
 * @param vp File being executed
 * @param offset Offset of binary within file being executed
 * @param scriptvp Script being executed by interpreter, if any.
 * @param vnodelabel Label corresponding to vp
 * @param scriptvnodelabel Script vnode label
 * @param execlabel Userspace provided execution label
 * @param csflags Code signing flags to be set after exec
 * @param macpolicyattr MAC policy-specific spawn attribute data.
 * @param macpolicyattrlen Length of policy-specific spawn attribute data.
 * @param disjointp If non-NULL, set to 1 if the old and new credentials are
 * disjoint, or to 0 if they are not.
 * @see mac_execve
 * @see mpo_cred_check_label_update_execve_t
 * @see mpo_vnode_check_exec_t
 *
 * Update the label of a newly created credential (new_cred) from the
 * existing subject credential (old_cred).  This call occurs when a process
 * executes the passed vnode and one of the loaded policy modules has
 * returned success from the mpo_cred_check_label_update_execve entry point.
 * Access has already been checked via the mpo_vnode_check_exec entry
 * point; this entry point is only used to update any policy state.
 *
 * The supplied vnode and vnodelabel correspond with the file actually
 * being executed; in the case that the file is interpreted (for
 * example, a script), the label of the original exec-time vnode has
 * been preserved in scriptvnodelabel.
 *
 * The final label, execlabel, corresponds to a label supplied by a
 * user space application through the use of the mac_execve system call.
 *
 * If non-NULL, the value pointed to by disjointp will be set to 0 to
 * indicate that the old and new credentials are not disjoint, or 1 to
 * indicate that they are.
 *
 * The vnode lock is held during this operation.  No changes should be
 * made to the old credential structure.
 * @return 0 on success.  Otherwise, return non-zero if the update results in
 * termination of the child.
 */
typedef int mpo_cred_label_update_execve_t(
	kauth_cred_t old_cred,
	kauth_cred_t new_cred,
	struct proc *p,
	struct vnode *vp,
	off_t offset,
	struct vnode *scriptvp,
	struct label *vnodelabel,
	struct label *scriptvnodelabel,
	struct label *execlabel,
	u_int *csflags,
	void *macpolicyattr,
	size_t macpolicyattrlen,
	int *disjointp
);
/**
 * @brief Update a credential label
 * @param cred The existing credential
 * @param newlabel A new label to apply to the credential
 * @see mpo_cred_check_label_update_t
 * @see mac_set_proc
 *
 * Update the label on a user credential, using the supplied new label.
 * This is called as a result of a process relabel operation.  Access
 * control was already confirmed by mpo_cred_check_label_update.
 */
typedef void mpo_cred_label_update_t(
	kauth_cred_t cred,
	struct label *newlabel
);
/**
 * @brief Access control for launching a process with constraints
 * @param curr_p The new process
 * @param original_parent_id The pid of the original parent that spawned this process
 * @param responsible_pid The pid of the responsible process that spawned this process
 * @param macpolicyattr MAC policy-specific spawn attribute data
 * @param macpolicyattrlen Length of policy-specific spawn attribute data
 * @param lcd Launch constraint data for the process being spawned (the
 * layout of launch_constraint_data_t is not described in this header)
 * @param fatal_failure_desc Description of fatal failure
 * @param fatal_failure_desc_len Failure description len, failure is fatal if non-0
 *
 * Determine whether the process being spawned adheres to the launch
 * constraints (e.g. whether the process is spawned by launchd) and should
 * be allowed to execute.  This call occurs during execve or posix_spawn.
 *
 * NOTE(review): ownership of the buffer returned through fatal_failure_desc
 * (who allocates and who frees it) is not documented here - confirm against
 * the framework before relying on it.
 *
 * @return Return 0 if process can be created, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_proc_check_launch_constraints_t(
	proc_t curr_p,
	pid_t original_parent_id,
	pid_t responsible_pid,
	void *macpolicyattr,
	size_t macpolicyattrlen,
	launch_constraint_data_t lcd,
	char **fatal_failure_desc,
	size_t *fatal_failure_desc_len
);
/**
 * @brief Create a new devfs device
 * @param dev Major and minor numbers of special file
 * @param de "inode" of new device file
 * @param label Destination label
 * @param fullpath Path relative to mount (e.g. /dev) of new device file
 *
 * This entry point labels a new devfs device.  The label will likely be based
 * on the path to the device, or the major and minor numbers.
 * The policy should store an appropriate label into 'label'.
 */
typedef void mpo_devfs_label_associate_device_t(
	dev_t dev,
	struct devnode *de,
	struct label *label,
	const char *fullpath
);
/**
 * @brief Create a new devfs directory
 * @param dirname Name of new directory
 * @param dirnamelen Length of 'dirname'
 * @param de "inode" of new directory
 * @param label Destination label
 * @param fullpath Path relative to mount (e.g. /dev) of new directory
 *
 * This entry point labels a new devfs directory.  The label will likely be
 * based on the path of the new directory.  The policy should store an appropriate
 * label into 'label'.  The devfs root directory is labelled in this way.
 */
typedef void mpo_devfs_label_associate_directory_t(
	const char *dirname,
	int dirnamelen,
	struct devnode *de,
	struct label *label,
	const char *fullpath
);
/**
 * @brief Copy a devfs label
 * @param src Source devfs label
 * @param dest Destination devfs label
 *
 * Copy the label information from src to dest.  The devfs file system
 * often duplicates (splits) existing device nodes rather than creating
 * new ones.
 */
typedef void mpo_devfs_label_copy_t(
	struct label *src,
	struct label *dest
);
/**
 * @brief Destroy devfs label
 * @param label The label to be destroyed
 *
 * Destroy a devfs entry label.  Since the object is going out
 * of scope, policy modules should free any internal storage associated
 * with the label so that it may be destroyed.
 */
typedef void mpo_devfs_label_destroy_t(
	struct label *label
);
/**
 * @brief Initialize devfs label
 * @param label New label to initialize
 *
 * Initialize the label for a newly instantiated devfs entry.  Sleeping
 * is permitted.
 */
typedef void mpo_devfs_label_init_t(
	struct label *label
);
/**
 * @brief Update a devfs label after relabelling its vnode
 * @param mp Devfs mount point
 * @param de Affected devfs directory entry
 * @param delabel Label of devfs directory entry
 * @param vp Vnode associated with de
 * @param vnodelabel New label of vnode
 *
 * Update a devfs label when its vnode is manually relabelled,
 * for example with setfmac(1).  Typically, this will simply copy
 * the vnode label into the devfs label.
 */
typedef void mpo_devfs_label_update_t(
	struct mount *mp,
	struct devnode *de,
	struct label *delabel,
	struct vnode *vp,
	struct label *vnodelabel
);
/**
 * @brief Access control for sending an exception to an exception action
 * @param crashlabel The crashing process's label
 * @param action Exception action
 * @param exclabel Policy label for exception action
 *
 * Determine whether the exception message caused by the victim
 * process can be sent to the exception action.  The policy may compare
 * credentials in the crashlabel, which are derived from the process at
 * the time the exception occurs, with the credentials in the exclabel,
 * which was set at the time the exception port was set, to determine
 * its decision.  Note that any process from which the policy derived
 * any credentials may not exist anymore at the time of this policy
 * operation.  Sleeping is permitted.
 *
 * @return Return 0 if the message can be sent, otherwise an
 * appropriate value for errno should be returned.
 */
typedef int mpo_exc_action_check_exception_send_t(
	struct label *crashlabel,
	struct exception_action *action,
	struct label *exclabel
);
/**
 * @brief Associate an exception action label
 * @param action Exception action to label
 * @param exclabel Policy label to be filled in for exception action
 *
 * Set the label on an exception action.
 */
typedef void mpo_exc_action_label_associate_t(
	struct exception_action *action,
	struct label *exclabel
);
/**
 * @brief Destroy exception action label
 * @param label The label to be destroyed
 *
 * Destroy the label on an exception action.  Since the object is going
 * out of scope, policy modules should free any internal storage
 * associated with the label so that it may be destroyed.  Sleeping is
 * permitted.
 */
typedef void mpo_exc_action_label_destroy_t(
	struct label *label
);
/**
 * @brief Populate an exception action label with process credentials
 * @param label The label to be populated
 * @param proc Process to derive credentials from
 *
 * Populate a label with credentials derived from a process.  At
 * exception delivery time, the policy should compare credentials of the
 * process that set an exception port with the credentials of the
 * process or corpse that experienced the exception.  Note that the
 * process that set the port may not exist at that time anymore, so
 * labels should carry copies of live credentials if necessary.
 */
typedef void mpo_exc_action_label_populate_t(
	struct label *label,
	struct proc *proc
);
/**
 * @brief Initialize exception action label
 * @param label New label to initialize
 *
 * Initialize a label for an exception action.  Usually performs
 * policy specific allocations.  Sleeping is permitted.
 *
 * @return 0 on success.  The meaning of a non-zero return is not documented
 * here; presumably an errno value reporting a failed allocation - confirm
 * against the framework.
 */
typedef int mpo_exc_action_label_init_t(
	struct label *label
);
/**
 * @brief Update the label on an exception action
 * @param action Exception action that the label belongs to (may be
 * NULL if none)
 * @param label Policy label to update
 * @param newlabel New label for update
 *
 * Update the credentials of an exception action from the given
 * label.  The policy should copy over any credentials (process and
 * otherwise) from the new label into the label to update.  Must not
 * sleep, must be quick and can be called with locks held.
 *
 * @return 0 on success.  The meaning of a non-zero return is not documented
 * here; presumably an errno value - confirm against the framework.
 */
typedef int mpo_exc_action_label_update_t(
	struct exception_action *action,
	struct label *label,
	struct label *newlabel
);
/**
 * @brief Access control for changing the offset of a file descriptor
 * @param cred Subject credential
 * @param fg Fileglob structure
 * @param label Policy label for fg
 *
 * Determine whether the subject identified by the credential can
 * change the offset of the file represented by fg.
 *
 * @return Return 0 if access is granted, otherwise an appropriate
 * value for errno should be returned.
772 */ 773 typedef int mpo_file_check_change_offset_t( 774 kauth_cred_t cred, 775 struct fileglob *fg, 776 struct label *label 777 ); 778 /** 779 * @brief Access control for creating a file descriptor 780 * @param cred Subject credential 781 * 782 * Determine whether the subject identified by the credential can 783 * allocate a new file descriptor. 784 * 785 * @return Return 0 if access if granted, otherwise an appropriate 786 * value for errno should be returned. 787 */ 788 typedef int mpo_file_check_create_t( 789 kauth_cred_t cred 790 ); 791 /** 792 * @brief Access control for duplicating a file descriptor 793 * @param cred Subject credential 794 * @param fg Fileglob structure 795 * @param label Policy label for fg 796 * @param newfd New file descriptor number 797 * 798 * Determine whether the subject identified by the credential can 799 * duplicate the fileglob structure represented by fg and as file 800 * descriptor number newfd. 801 * 802 * @return Return 0 if access if granted, otherwise an appropriate 803 * value for errno should be returned. 804 */ 805 typedef int mpo_file_check_dup_t( 806 kauth_cred_t cred, 807 struct fileglob *fg, 808 struct label *label, 809 int newfd 810 ); 811 /** 812 * @brief Access control check for fcntl 813 * @param cred Subject credential 814 * @param fg Fileglob structure 815 * @param label Policy label for fg 816 * @param cmd Control operation to be performed; see fcntl(2) 817 * @param arg fcnt arguments; see fcntl(2) 818 * 819 * Determine whether the subject identified by the credential can perform 820 * the file control operation indicated by cmd. 821 * 822 * @return Return 0 if access is granted, otherwise an appropriate value for 823 * errno should be returned. 
824 */ 825 typedef int mpo_file_check_fcntl_t( 826 kauth_cred_t cred, 827 struct fileglob *fg, 828 struct label *label, 829 int cmd, 830 user_long_t arg 831 ); 832 /** 833 * @brief Access control check for mac_get_fd 834 * @param cred Subject credential 835 * @param fg Fileglob structure 836 * @param elements Element buffer 837 * @param len Length of buffer 838 * 839 * Determine whether the subject identified by the credential should be allowed 840 * to get an externalized version of the label on the object indicated by fd. 841 * 842 * @return Return 0 if access is granted, otherwise an appropriate value for 843 * errno should be returned. 844 */ 845 typedef int mpo_file_check_get_t( 846 kauth_cred_t cred, 847 struct fileglob *fg, 848 char *elements, 849 size_t len 850 ); 851 /** 852 * @brief Access control for getting the offset of a file descriptor 853 * @param cred Subject credential 854 * @param fg Fileglob structure 855 * @param label Policy label for fg 856 * 857 * Determine whether the subject identified by the credential can 858 * get the offset of the file represented by fg. 859 * 860 * @return Return 0 if access if granted, otherwise an appropriate 861 * value for errno should be returned. 862 */ 863 typedef int mpo_file_check_get_offset_t( 864 kauth_cred_t cred, 865 struct fileglob *fg, 866 struct label *label 867 ); 868 /** 869 * @brief Access control for inheriting a file descriptor 870 * @param cred Subject credential 871 * @param fg Fileglob structure 872 * @param label Policy label for fg 873 * 874 * Determine whether the subject identified by the credential can 875 * inherit the fileglob structure represented by fg. 876 * 877 * @return Return 0 if access if granted, otherwise an appropriate 878 * value for errno should be returned. 
879 */ 880 typedef int mpo_file_check_inherit_t( 881 kauth_cred_t cred, 882 struct fileglob *fg, 883 struct label *label 884 ); 885 /** 886 * @brief Access control check for file ioctl 887 * @param cred Subject credential 888 * @param fg Fileglob structure 889 * @param label Policy label for fg 890 * @param cmd The ioctl command, as supplied by the caller; see ioctl(2) 891 * 892 * Determine whether the subject identified by the credential can perform 893 * the ioctl operation indicated by cmd. 894 * 895 * @warning Since ioctl data is opaque from the standpoint of the MAC 896 * framework, policies must exercise extreme care when implementing 897 * access control checks. 898 * 899 * @return Return 0 if access is granted, otherwise an appropriate value for 900 * errno should be returned. 901 * 902 */ 903 typedef int mpo_file_check_ioctl_t( 904 kauth_cred_t cred, 905 struct fileglob *fg, 906 struct label *label, 907 unsigned long cmd 908 ); 909 /** 910 * @brief Access control check for file locking 911 * @param cred Subject credential 912 * @param fg Fileglob structure 913 * @param label Policy label for fg 914 * @param op The lock operation requested (e.g. F_GETLK or F_SETLK; see fcntl(2)) 915 * @param fl The flock structure describing the requested lock 916 * 917 * Determine whether the subject identified by the credential can perform 918 * the lock operation indicated by op and fl on the file represented by fg. 919 * 920 * @return Return 0 if access is granted, otherwise an appropriate value for 921 * errno should be returned. 922 * 923 */ 924 typedef int mpo_file_check_lock_t( 925 kauth_cred_t cred, 926 struct fileglob *fg, 927 struct label *label, 928 int op, 929 struct flock *fl 930 ); 931 /** 932 * @brief Check with library validation if a Mach-O slice is allowed to be combined into a proc.
933 * @param p Subject process 934 * @param fg Fileglob structure 935 * @param slice_offset offset of the code slice 936 * @param error_message error message returned to user-space in case of error (userspace pointer) 937 * @param error_message_size error message size 938 * 939 * It's a little odd that the MAC/kext writes into userspace since this 940 * implies there is only one MAC module that implements this, however 941 * the alternative is to allocate memory in xnu, in the hope that 942 * the MAC module will use it, or allocate in the MAC module and then 943 * free it in xnu. Neither of these is very appealing, so let's go with 944 * the slightly more hacky way. 945 * 946 * @warning error_message is a user-space address. A policy must write to it only with copyout(9), bounded by error_message_size, and must never dereference it directly from kernel context. 946 * 946 * @return Return 0 if access is granted, otherwise an appropriate value for 947 * errno should be returned. 948 */ 949 typedef int mpo_file_check_library_validation_t( 950 struct proc *p, 951 struct fileglob *fg, 952 off_t slice_offset, 953 user_long_t error_message, 954 size_t error_message_size 955 ); 956 /** 957 * @brief Access control check for mapping a file 958 * @param cred Subject credential 959 * @param fg fileglob representing file to map 960 * @param label Policy label associated with fg 961 * @param prot mmap protections; see mmap(2) 962 * @param flags Type of mapped object; see mmap(2) 962 * @param file_pos Offset into the file at which the mapping starts 963 * @param maxprot Maximum rights (in/out) 964 * 965 * Determine whether the subject identified by the credential should be 966 * allowed to map the file represented by fg with the protections specified 967 * in prot. The maxprot field holds the maximum permissions on the new 968 * mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. 969 * To avoid overriding prior access control checks, a policy should only 970 * remove flags from maxprot; it must never add any. 971 * 972 * @return Return 0 if access is granted, otherwise an appropriate value for 973 * errno should be returned. Suggested failure: EACCES for label mismatch or 974 * EPERM for lack of privilege.
975 */ 976 typedef int mpo_file_check_mmap_t( 977 kauth_cred_t cred, 978 struct fileglob *fg, 979 struct label *label, 980 int prot, 981 int flags, 982 uint64_t file_pos, 983 int *maxprot 984 ); 985 /** 986 * @brief Downgrade the mmap protections 987 * @param cred Subject credential 988 * @param fg file to map 989 * @param label Policy label associated with fg 990 * @param prot In/out: mmap protections to be downgraded; a policy may clear bits from *prot but, since this is a downgrade, should not add any 991 * 992 * Downgrade the mmap protections based on the subject and object labels. 993 */ 994 typedef void mpo_file_check_mmap_downgrade_t( 995 kauth_cred_t cred, 996 struct fileglob *fg, 997 struct label *label, 998 int *prot 999 ); 1000 /** 1001 * @brief Access control for receiving a file descriptor 1002 * @param cred Subject credential 1003 * @param fg Fileglob structure 1004 * @param label Policy label for fg 1005 * 1006 * Determine whether the subject identified by the credential can 1007 * receive the fileglob structure represented by fg. 1008 * 1009 * @return Return 0 if access is granted, otherwise an appropriate 1010 * value for errno should be returned. 1011 */ 1012 typedef int mpo_file_check_receive_t( 1013 kauth_cred_t cred, 1014 struct fileglob *fg, 1015 struct label *label 1016 ); 1017 /** 1018 * @brief Access control check for mac_set_fd 1019 * @param cred Subject credential 1020 * @param fg Fileglob structure 1021 * @param elements Elements buffer (presumably the caller-supplied label text; treat as untrusted input) 1022 * @param len Length of elements buffer 1023 * 1024 * Determine whether the subject identified by the credential can 1025 * perform the mac_set_fd operation. The mac_set_fd operation is used 1026 * to associate a MAC label with a file. 1027 * 1028 * @return Return 0 if access is granted, otherwise an appropriate value for 1029 * errno should be returned.
1030 */ 1031 typedef int mpo_file_check_set_t( 1032 kauth_cred_t cred, 1033 struct fileglob *fg, 1034 char *elements, 1035 size_t len 1036 ); 1037 /** 1038 * @brief Inform MAC policies that file is being closed 1039 * @param cred Subject credential 1040 * @param fg Fileglob structure 1041 * @param label Policy label for fg 1042 * @param modified Boolean; 1 if file was modified, 0 otherwise 1043 * 1044 * Called when an open file is being closed, as a result of a call to 1045 * close(2), the process exiting, or exec(2) with O_CLOEXEC set. 1046 */ 1047 typedef void mpo_file_notify_close_t( 1048 kauth_cred_t cred, 1049 struct fileglob *fg, 1050 struct label *label, 1051 int modified 1052 ); 1053 /** 1054 * @brief Create file label 1055 * @param cred Subject credential 1056 * @param fg Fileglob structure 1057 * @param label Policy label for fg 1058 */ 1059 typedef void mpo_file_label_associate_t( 1060 kauth_cred_t cred, 1061 struct fileglob *fg, 1062 struct label *label 1063 ); 1064 /** 1065 * @brief Destroy file label 1066 * @param label The label to be destroyed 1067 * 1068 * Destroy the label on a file descriptor. In this entry point, a 1069 * policy module should free any internal storage associated with 1070 * label so that it may be destroyed. 1071 */ 1072 typedef void mpo_file_label_destroy_t( 1073 struct label *label 1074 ); 1075 /** 1076 * @brief Initialize file label 1077 * @param label New label to initialize 1078 */ 1079 typedef void mpo_file_label_init_t( 1080 struct label *label 1081 ); 1082 /** 1083 * @brief Access control check for opening an I/O Kit device 1084 * @param cred Subject credential 1085 * @param user_client User client instance 1086 * @param user_client_type User client type 1087 * 1088 * Determine whether the subject identified by the credential can open an 1089 * I/O Kit device through the passed user client instance and user client 1090 * type. This check is performed after instantiating the user client.
1091 * See also mpo_iokit_check_open_service_t. 1092 * 1093 * @return Return 0 if access is granted, or an appropriate value for 1094 * errno should be returned. 1095 */ 1096 typedef int mpo_iokit_check_open_t( 1097 kauth_cred_t cred, 1098 io_object_t user_client, 1099 unsigned int user_client_type 1100 ); 1101 /** 1102 * @brief Access control check for opening an I/O Kit device 1103 * @param cred Subject credential 1104 * @param service Service instance 1105 * @param user_client_type User client type 1106 * 1107 * Determine whether the subject identified by the credential can open an 1108 * I/O Kit user client of the passed service and user client type. 1109 * This check is performed before instantiating the user client. See also 1110 * mpo_iokit_check_open_t. 1111 * 1112 * @return Return 0 if access is granted, or an appropriate value for 1113 * errno should be returned. 1114 */ 1115 typedef int mpo_iokit_check_open_service_t( 1116 kauth_cred_t cred, 1117 io_object_t service, 1118 unsigned int user_client_type 1119 ); 1120 /** 1121 * @brief Access control check for setting I/O Kit device properties 1122 * @param cred Subject credential 1123 * @param entry Target device 1124 * @param properties Property list 1125 * 1126 * Determine whether the subject identified by the credential can set 1127 * properties on an I/O Kit device. 1128 * 1129 * @return Return 0 if access is granted, or an appropriate value for 1130 * errno should be returned. 1131 */ 1132 typedef int mpo_iokit_check_set_properties_t( 1133 kauth_cred_t cred, 1134 io_object_t entry, 1135 io_object_t properties 1136 ); 1137 /** 1138 * @brief Indicate desire to filter I/O Kit device properties 1139 * @param cred Subject credential 1140 * @param entry Target device 1141 * @see mpo_iokit_check_get_property_t 1142 * 1143 * Indicate whether this policy may restrict the subject credential 1144 * from reading properties of the target device.
1145 * If a policy returns non-zero from this entry point, the 1146 * mpo_iokit_check_get_property entry point will later be called 1147 * for each property that the subject credential tries to read from 1148 * the target device. 1149 * 1150 * This entry point is primarily an optimization for bulk property reads: 1151 * it allows calls to the mpo_iokit_check_get_property entry point to be skipped 1152 * for credentials / devices no MAC policy is interested in. 1153 * 1154 * @warning Even if a policy returns 0, it should behave correctly in 1155 * the presence of an invocation of mpo_iokit_check_get_property, as that 1156 * call may happen as a result of another policy requesting a transition. 1157 * 1158 * @return Non-zero if a transition is required, 0 otherwise. 1159 */ 1160 typedef int mpo_iokit_check_filter_properties_t( 1161 kauth_cred_t cred, 1162 io_object_t entry 1163 ); 1164 /** 1165 * @brief Access control check for getting I/O Kit device properties 1166 * @param cred Subject credential 1167 * @param entry Target device 1168 * @param name Property name 1169 * 1170 * Determine whether the subject identified by the credential can get 1171 * properties on an I/O Kit device. 1172 * 1173 * @return Return 0 if access is granted, or an appropriate value for 1174 * errno. 1175 */ 1176 typedef int mpo_iokit_check_get_property_t( 1177 kauth_cred_t cred, 1178 io_object_t entry, 1179 const char *name 1180 ); 1181 /** 1182 * @brief Access control check for software HID control 1183 * @param cred Subject credential 1184 * 1185 * Determine whether the subject identified by the credential can 1186 * control the HID (Human Interface Device) subsystem, such as to 1187 * post synthetic keypresses, pointer movement and clicks. 1188 * 1189 * @return Return 0 if access is granted, or an appropriate value for 1190 * errno.
1191 */ 1192 typedef int mpo_iokit_check_hid_control_t( 1193 kauth_cred_t cred 1194 ); 1195 /** 1196 * @brief Access control check for fsctl 1197 * @param cred Subject credential 1198 * @param mp The mount point 1199 * @param label Label associated with the mount point 1200 * @param cmd Filesystem-dependent request code, as supplied by the caller; see fsctl(2) 1201 * 1202 * Determine whether the subject identified by the credential can perform 1203 * the volume operation indicated by cmd. 1204 * 1205 * @warning The fsctl() system call is directly analogous to ioctl(); since 1206 * the associated data is opaque from the standpoint of the MAC framework 1207 * and since these operations can affect many aspects of system operation, 1208 * policies must exercise extreme care when implementing access control checks. 1209 * 1210 * @return Return 0 if access is granted, otherwise an appropriate value for 1211 * errno should be returned. 1212 */ 1213 typedef int mpo_mount_check_fsctl_t( 1214 kauth_cred_t cred, 1215 struct mount *mp, 1216 struct label *label, 1217 unsigned long cmd 1218 ); 1219 /** 1220 * @brief Access control check for the retrieval of file system attributes 1221 * @param cred Subject credential 1222 * @param mp The mount structure of the file system 1223 * @param mp_label Policy label for mp 1223 * @param vfa The attributes requested 1224 * 1225 * This entry point determines whether the given subject can get information 1226 * about the given file system. This check happens during statfs() syscalls, 1227 * but is also used by other parts within the kernel such as the audit system. 1228 * 1229 * @return Return 0 if access is granted, otherwise an appropriate value for 1230 * errno should be returned. 1231 * 1232 * @note Policies may change the contents of vfa to alter the list of 1233 * file system attributes returned.
1234 */ 1235 1236 typedef int mpo_mount_check_getattr_t( 1237 kauth_cred_t cred, 1238 struct mount *mp, 1239 struct label *mp_label, 1240 struct vfs_attr *vfa 1241 ); 1242 /** 1243 * @brief Access control check for mount point relabeling 1244 * @param cred Subject credential 1245 * @param mp Object file system mount point 1246 * @param mntlabel Policy label for file system mount point 1247 * 1248 * Determine whether the subject identified by the credential can relabel 1249 * the mount point. This call is made when a file system mount is updated. 1250 * 1251 * @return Return 0 if access is granted, otherwise an appropriate value for 1252 * errno should be returned. Suggested failure: EACCES for label mismatch 1253 * or EPERM for lack of privilege. 1254 */ 1255 typedef int mpo_mount_check_label_update_t( 1256 kauth_cred_t cred, 1257 struct mount *mp, 1258 struct label *mntlabel 1259 ); 1260 /** 1261 * @brief Access control check for mounting a file system 1262 * @param cred Subject credential 1263 * @param vp Vnode that is to be the mount point 1264 * @param vlabel Label associated with the vnode 1265 * @param cnp Component name for vp 1266 * @param vfc_name Filesystem type name 1267 * 1268 * Determine whether the subject identified by the credential can perform 1269 * the mount operation on the target vnode. 1270 * 1271 * @return Return 0 if access is granted, otherwise an appropriate value for 1272 * errno should be returned. 1273 */ 1274 typedef int mpo_mount_check_mount_t( 1275 kauth_cred_t cred, 1276 struct vnode *vp, 1277 struct label *vlabel, 1278 struct componentname *cnp, 1279 const char *vfc_name 1280 ); 1281 /** 1282 * @brief Access control check for mounting a file system (late) 1283 * @param cred Subject credential 1284 * @param mp Mount point 1285 * 1286 * Similar to mpo_mount_check_mount, but occurs after VFS_MOUNT has been 1287 * called, making it possible to access mnt_vfsstat.f_mntfromname and other 1288 * fields.
1289 * 1290 * @return Return 0 if access is granted, otherwise an appropriate value for 1291 * errno should be returned. 1292 */ 1293 typedef int mpo_mount_check_mount_late_t( 1294 kauth_cred_t cred, 1295 struct mount *mp 1296 ); 1297 1298 /** 1299 * @brief Access control check for quotactl 1300 * @param cred Subject credential 1300 * @param mp The mount point on which the quota operation is performed 1301 * @param cmd The quotactl command and subcommand; see quotactl(2) 1302 * @param id The user or group ID on which cmd will operate 1303 * 1304 * Determine whether the subject identified by the credential can perform 1305 * the quotactl operation indicated by cmd. 1306 * 1307 * @return Return 0 if access is granted, otherwise an appropriate value for 1308 * errno should be returned. 1309 */ 1310 typedef int mpo_mount_check_quotactl_t( 1311 kauth_cred_t cred, 1312 struct mount *mp, 1313 int cmd, 1314 int id 1315 ); 1316 /** 1317 * @brief Access control check for fs_snapshot_create 1318 * @param cred Subject credential 1319 * @param mp Filesystem mount point to create snapshot of 1320 * @param name Name of snapshot to create 1321 * 1322 * Determine whether the subject identified by the credential can 1323 * create a snapshot of the filesystem at the given mount point. 1324 * 1325 * @return Return 0 if access is granted, otherwise an appropriate value 1326 * for errno should be returned. 1327 */ 1328 typedef int mpo_mount_check_snapshot_create_t( 1329 kauth_cred_t cred, 1330 struct mount *mp, 1331 const char *name 1332 ); 1333 /** 1334 * @brief Access control check for fs_snapshot_delete 1335 * @param cred Subject credential 1336 * @param mp Filesystem mount point to delete snapshot of 1337 * @param name Name of snapshot to delete 1338 * 1339 * Determine whether the subject identified by the credential can 1340 * delete the named snapshot from the filesystem at the given 1341 * mount point. 1342 * 1343 * @return Return 0 if access is granted, otherwise an appropriate value 1344 * for errno should be returned.
1345 */ 1346 typedef int mpo_mount_check_snapshot_delete_t( 1347 kauth_cred_t cred, 1348 struct mount *mp, 1349 const char *name 1350 ); 1351 /** 1352 * @brief Access control check for fs_snapshot_mount 1353 * @param cred Subject credential 1354 * @param rvp Vnode of either the root directory of the 1355 * filesystem to mount snapshot of, or the device from 1356 * which to mount the snapshot. 1357 * @param vp Vnode that is to be the mount point 1358 * @param cnp Component name for vp 1359 * @param name Name of snapshot to mount 1360 * @param vfc_name Filesystem type name 1361 * 1362 * Determine whether the subject identified by the credential can 1363 * mount the named snapshot from the filesystem at the given 1364 * directory. 1365 * 1366 * @return Return 0 if access is granted, otherwise an appropriate value 1367 * for errno should be returned. 1368 */ 1369 typedef int mpo_mount_check_snapshot_mount_t( 1370 kauth_cred_t cred, 1371 struct vnode *rvp, 1372 struct vnode *vp, 1373 struct componentname *cnp, 1374 const char *name, 1375 const char *vfc_name 1376 ); 1377 /** 1378 * @brief Access control check for fs_snapshot_revert 1379 * @param cred Subject credential 1380 * @param mp Filesystem mount point to revert to snapshot 1381 * @param name Name of snapshot to revert to 1382 * 1383 * Determine whether the subject identified by the credential can 1384 * revert the filesystem at the given mount point to the named snapshot. 1385 * 1386 * @return Return 0 if access is granted, otherwise an appropriate value 1387 * for errno should be returned.
1388 */ 1389 typedef int mpo_mount_check_snapshot_revert_t( 1390 kauth_cred_t cred, 1391 struct mount *mp, 1392 const char *name 1393 ); 1394 /** 1395 * @brief Access control check for remounting a filesystem 1396 * @param cred Subject credential 1397 * @param mp The mount point 1398 * @param mlabel Label currently associated with the mount point 1399 * @param flags Requested updated flags 1400 * 1401 * Determine whether the subject identified by the credential can perform 1402 * the remount operation on the target mount point with the requested flags. 1403 * 1404 * @return Return 0 if access is granted, otherwise an appropriate value for 1405 * errno should be returned. 1406 */ 1407 #define NEEDS_RDAR_103115865 1 // Required until both EndpointSecurity & Sandbox are updated 1408 typedef int mpo_mount_check_remount_t( 1409 kauth_cred_t cred, 1410 struct mount *mp, 1411 struct label *mlabel, 1412 uint64_t flags 1413 ); 1414 /** 1415 * @brief Access control check for the setting of file system attributes 1416 * @param cred Subject credential 1417 * @param mp The mount structure of the file system 1417 * @param mp_label Policy label for mp 1418 * @param vfa The attributes requested 1419 * 1420 * This entry point determines whether the given subject can set information 1421 * about the given file system, for example the volume name. 1422 * 1423 * @return Return 0 if access is granted, otherwise an appropriate value for 1424 * errno should be returned. 1425 */ 1426 1427 typedef int mpo_mount_check_setattr_t( 1428 kauth_cred_t cred, 1429 struct mount *mp, 1430 struct label *mp_label, 1431 struct vfs_attr *vfa 1432 ); 1433 /** 1434 * @brief Access control check for file system statistics 1435 * @param cred Subject credential 1436 * @param mp Object file system mount 1437 * @param mntlabel Policy label for mp 1438 * 1439 * Determine whether the subject identified by the credential can see 1440 * the results of a statfs performed on the file system.
This call may 1441 * be made in a number of situations, including during invocations of 1442 * statfs(2) and related calls, as well as to determine what file systems 1443 * to exclude from listings of file systems, such as when getfsstat(2) 1444 * is invoked. 1445 * 1446 * @return Return 0 if access is granted, otherwise an appropriate value for 1447 * errno should be returned. Suggested failure: EACCES for label mismatch 1448 * or EPERM for lack of privilege. 1449 */ 1450 typedef int mpo_mount_check_stat_t( 1451 kauth_cred_t cred, 1452 struct mount *mp, 1453 struct label *mntlabel 1454 ); 1455 /** 1456 * @brief Access control check for unmounting a filesystem 1457 * @param cred Subject credential 1458 * @param mp The mount point 1459 * @param mlabel Label associated with the mount point 1460 * 1461 * Determine whether the subject identified by the credential can perform 1462 * the unmount operation on the target vnode. 1463 * 1464 * @return Return 0 if access is granted, otherwise an appropriate value for 1465 * errno should be returned. 1466 */ 1467 typedef int mpo_mount_check_umount_t( 1468 kauth_cred_t cred, 1469 struct mount *mp, 1470 struct label *mlabel 1471 ); 1472 /** 1473 * @brief Create mount labels 1474 * @param cred Subject credential 1475 * @param mp Mount point of file system being mounted 1476 * @param mntlabel Label to associate with the new mount point 1477 * @see mpo_mount_label_init_t 1478 * 1479 * Fill out the labels on the mount point being created by the supplied 1480 * user credential. This call is made when file systems are first mounted. 1481 */ 1482 typedef void mpo_mount_label_associate_t( 1483 kauth_cred_t cred, 1484 struct mount *mp, 1485 struct label *mntlabel 1486 ); 1487 /** 1488 * @brief Destroy mount label 1489 * @param label The label to be destroyed 1490 * 1491 * Destroy a file system mount label. 
Since the 1492 * object is going out of scope, policy modules should free any 1493 * internal storage associated with the label so that it may be 1494 * destroyed. 1495 */ 1496 typedef void mpo_mount_label_destroy_t( 1497 struct label *label 1498 ); 1499 /** 1500 * @brief Externalize a mount point label 1501 * @param label Label to be externalized 1502 * @param element_name Name of the label namespace for which labels should be 1503 * externalized 1504 * @param sb String buffer to be filled with a text representation of the label 1505 * 1506 * Produce an external representation of the mount point label. An 1507 * externalized label consists of a text representation of the label 1508 * contents that can be used with user applications. Policy-agnostic 1509 * user space tools will display this externalized version. 1510 * 1511 * The policy's externalize entry points will be called only if the 1512 * policy has registered interest in the label namespace. 1513 * 1514 * @return 0 on success, return non-zero if an error occurs while 1515 * externalizing the label data. 1516 * 1517 */ 1518 typedef int mpo_mount_label_externalize_t( 1519 struct label *label, 1520 char *element_name, 1521 struct sbuf *sb 1522 ); 1523 /** 1524 * @brief Initialize mount point label 1525 * @param label New label to initialize 1526 * 1527 * Initialize the label for a newly instantiated mount structure. 1528 * This label is typically used to store a default label in the case 1529 * that the file system has been mounted singlelabel. Since some 1530 * file systems do not support persistent labels (extended attributes) 1531 * or are read-only (such as CD-ROMs), it is often necessary to store 1532 * a default label separately from the label of the mount point 1533 * itself. Sleeping is permitted. 
1534 */ 1535 typedef void mpo_mount_label_init_t( 1536 struct label *label 1537 ); 1538 /** 1539 * @brief Internalize a mount point label 1540 * @param label Label to be internalized 1541 * @param element_name Name of the label namespace for which the label should 1542 * be internalized 1543 * @param element_data Text data to be internalized 1544 * 1545 * Produce a mount point file system label from an external representation. 1546 * An externalized label consists of a text representation of the label 1547 * contents that can be used with user applications. Policy-agnostic 1548 * user space tools will forward the text version to the kernel for 1549 * processing by individual policy modules. 1550 * 1551 * The policy's internalize entry points will be called only if the 1552 * policy has registered interest in the label namespace. 1553 * 1553 * @warning Because element_data is forwarded from user space, it must be treated as untrusted input: parse it defensively, bound all reads by the data actually present, and return an error for malformed or oversized data rather than assuming it is well formed. 1553 * 1554 * @return 0 on success, Otherwise, return non-zero if an error occurs 1555 * while internalizing the label data. 1556 * 1557 */ 1558 typedef int mpo_mount_label_internalize_t( 1559 struct label *label, 1560 char *element_name, 1561 char *element_data 1562 ); 1563 /** 1564 * @brief Access control check for opening an NECP file descriptor 1565 * @param cred Subject credential 1566 * @param flags Open flags 1567 * 1568 * Determine whether the subject identified by the credential can open 1569 * an NECP file descriptor. 1570 * 1571 * @return Return 0 if access is granted, otherwise an appropriate value for 1572 * errno should be returned. 1573 * 1574 */ 1575 typedef int mpo_necp_check_open_t( 1576 kauth_cred_t cred, 1577 int flags 1578 ); 1579 /** 1580 * @brief Access control check for necp_client_action(2) 1581 * @param cred Subject credential 1582 * @param fg NECP fileglob 1583 * @param action NECP client action 1584 * 1585 * Determine whether the subject identified by the credential can perform 1586 * the NECP client action indicated by action on the NECP file descriptor represented by fg. 1587 * 1588 * @return Return 0 if access is granted, otherwise an appropriate value for 1589 * errno should be returned.
1590 * 1591 */ 1592 typedef int mpo_necp_check_client_action_t( 1593 kauth_cred_t cred, 1594 struct fileglob *fg, 1595 uint32_t action 1596 ); 1597 /** 1598 * @brief Access control check for pipe ioctl 1599 * @param cred Subject credential 1600 * @param cpipe Object to be accessed 1601 * @param pipelabel The label on the pipe 1602 * @param cmd The ioctl command; see ioctl(2) 1603 * 1604 * Determine whether the subject identified by the credential can perform 1605 * the ioctl operation indicated by cmd. 1606 * 1607 * @warning Since ioctl data is opaque from the standpoint of the MAC 1608 * framework, policies must exercise extreme care when implementing 1609 * access control checks. 1610 * 1611 * @return Return 0 if access is granted, otherwise an appropriate value for 1612 * errno should be returned. 1613 * 1614 */ 1615 typedef int mpo_pipe_check_ioctl_t( 1616 kauth_cred_t cred, 1617 struct pipe *cpipe, 1618 struct label *pipelabel, 1619 unsigned long cmd 1620 ); 1621 /** 1622 * @brief Access control check for pipe kqfilter 1623 * @param cred Subject credential 1624 * @param kn Object knote 1625 * @param cpipe Object to be accessed 1626 * @param pipelabel Policy label for the pipe 1627 * 1628 * Determine whether the subject identified by the credential can 1629 * receive the knote on the passed pipe. 1630 * 1631 * @return Return 0 if access if granted, otherwise an appropriate 1632 * value for errno should be returned. 1633 */ 1634 typedef int mpo_pipe_check_kqfilter_t( 1635 kauth_cred_t cred, 1636 struct knote *kn, 1637 struct pipe *cpipe, 1638 struct label *pipelabel 1639 ); 1640 /** 1641 * @brief Access control check for pipe read 1642 * @param cred Subject credential 1643 * @param cpipe Object to be accessed 1644 * @param pipelabel The label on the pipe 1645 * 1646 * Determine whether the subject identified by the credential can 1647 * perform a read operation on the passed pipe. 
The cred object holds 1648 * the credentials of the subject performing the operation. 1649 * 1650 * @return Return 0 if access is granted, otherwise an appropriate value for 1651 * errno should be returned. 1652 * 1653 */ 1654 typedef int mpo_pipe_check_read_t( 1655 kauth_cred_t cred, 1656 struct pipe *cpipe, 1657 struct label *pipelabel 1658 ); 1659 /** 1660 * @brief Access control check for pipe select 1661 * @param cred Subject credential 1662 * @param cpipe Object to be accessed 1663 * @param pipelabel The label on the pipe 1664 * @param which The operation selected on: FREAD or FWRITE 1665 * 1666 * Determine whether the subject identified by the credential can 1667 * perform a select operation on the passed pipe. The cred object holds 1668 * the credentials of the subject performing the operation. 1669 * 1670 * @return Return 0 if access is granted, otherwise an appropriate value for 1671 * errno should be returned. 1672 * 1673 */ 1674 typedef int mpo_pipe_check_select_t( 1675 kauth_cred_t cred, 1676 struct pipe *cpipe, 1677 struct label *pipelabel, 1678 int which 1679 ); 1680 /** 1681 * @brief Access control check for pipe stat 1682 * @param cred Subject credential 1683 * @param cpipe Object to be accessed 1684 * @param pipelabel The label on the pipe 1685 * 1686 * Determine whether the subject identified by the credential can 1687 * perform a stat operation on the passed pipe. The cred object holds 1688 * the credentials of the subject performing the operation. 1689 * 1690 * @return Return 0 if access is granted, otherwise an appropriate value for 1691 * errno should be returned. 
1692 * 1693 */ 1694 typedef int mpo_pipe_check_stat_t( 1695 kauth_cred_t cred, 1696 struct pipe *cpipe, 1697 struct label *pipelabel 1698 ); 1699 /** 1700 * @brief Access control check for pipe write 1701 * @param cred Subject credential 1702 * @param cpipe Object to be accessed 1703 * @param pipelabel The label on the pipe 1704 * 1705 * Determine whether the subject identified by the credential can 1706 * perform a write operation on the passed pipe. The cred object holds 1707 * the credentials of the subject performing the operation. 1708 * 1709 * @return Return 0 if access is granted, otherwise an appropriate value for 1710 * errno should be returned. 1711 * 1712 */ 1713 typedef int mpo_pipe_check_write_t( 1714 kauth_cred_t cred, 1715 struct pipe *cpipe, 1716 struct label *pipelabel 1717 ); 1718 /** 1719 * @brief Create a pipe label 1720 * @param cred Subject credential 1721 * @param cpipe object to be labeled 1722 * @param pipelabel Label for the pipe object 1723 * 1724 * Create a label for the pipe object being created by the supplied 1725 * user credential. This call is made when a pipe pair is being created. 1726 * The label is shared by both ends of the pipe. 1727 */ 1728 typedef void mpo_pipe_label_associate_t( 1729 kauth_cred_t cred, 1730 struct pipe *cpipe, 1731 struct label *pipelabel 1732 ); 1733 /** 1734 * @brief Destroy pipe label 1735 * @param label The label to be destroyed 1736 * 1737 * Destroy a pipe label. Since the object is going out of scope, 1738 * policy modules should free any internal storage associated with the 1739 * label so that it may be destroyed. 1740 */ 1741 typedef void mpo_pipe_label_destroy_t( 1742 struct label *label 1743 ); 1744 /** 1745 * @brief Initialize pipe label 1746 * @param label New label to initialize 1747 * 1748 * Initialize label storage for use with a newly instantiated pipe object. 1749 * Sleeping is permitted. 
1750 */ 1751 typedef void mpo_pipe_label_init_t( 1752 struct label *label 1753 ); 1754 /** 1755 * @brief Policy unload event 1756 * @param mpc MAC policy configuration 1757 * 1758 * This is the MAC Framework policy unload event. This entry point will 1759 * only be called if the module's policy configuration allows unload (if 1760 * the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't 1761 * want to be unloaded; they should set their flags to prevent this 1762 * entry point from being called. 1763 * 1764 * @warning During this call, the mac policy list mutex is held, so 1765 * sleep operations cannot be performed, and calls out to other kernel 1766 * subsystems must be made with caution. 1767 * 1768 * @see MPC_LOADTIME_FLAG_UNLOADOK 1769 */ 1770 typedef void mpo_policy_destroy_t( 1771 struct mac_policy_conf *mpc 1772 ); 1773 /** 1774 * @brief Policy initialization event 1775 * @param mpc MAC policy configuration 1776 * @see mac_policy_register 1777 * @see mpo_policy_initbsd_t 1778 * 1779 * This is the MAC Framework policy initialization event. This entry 1780 * point is called during mac_policy_register, when the policy module 1781 * is first registered with the MAC Framework. This is often done very 1782 * early in the boot process, after the kernel Mach subsystem has been 1783 * initialized, but prior to the BSD subsystem being initialized. 1784 * Since the kernel BSD services are not yet available, it is possible 1785 * that some initialization must occur later, possibly in the 1786 * mpo_policy_initbsd_t policy entry point, such as registering BSD system 1787 * controls (sysctls). Policy modules loaded at boot time will be 1788 * registered and initialized before labeled Mach objects are created. 1789 * 1790 * @warning During this call, the mac policy list mutex is held, so 1791 * sleep operations cannot be performed, and calls out to other kernel 1792 * subsystems must be made with caution. 
1793 */ 1794 typedef void mpo_policy_init_t( 1795 struct mac_policy_conf *mpc 1796 ); 1797 /** 1798 * @brief Policy BSD initialization event 1799 * @param mpc MAC policy configuration 1800 * @see mpo_policy_init_t 1801 * 1802 * This entry point is called after the kernel BSD subsystem has been 1803 * initialized. By this point, the module should already be loaded, 1804 * registered, and initialized. Since policy modules are initialized 1805 * before kernel BSD services are available, this second initialization 1806 * phase is necessary. At this point, BSD services (memory management, 1807 * synchronization primitives, vfs, etc.) are available, but the first 1808 * process has not yet been created. Mach-related objects and tasks 1809 * will already be fully initialized and may be in use--policies requiring 1810 * ubiquitous labeling may also want to implement mpo_policy_init_t. 1811 * 1812 * @warning During this call, the mac policy list mutex is held, so 1813 * sleep operations cannot be performed, and calls out to other kernel 1814 * subsystems must be made with caution. 1815 */ 1816 typedef void mpo_policy_initbsd_t( 1817 struct mac_policy_conf *mpc 1818 ); 1819 /** 1820 * @brief Policy extension service 1821 * @param p Calling process 1822 * @param call Policy-specific syscall number 1823 * @param arg Pointer to syscall arguments 1824 * 1825 * This entry point provides a policy-multiplexed system call so that 1826 * policies may provide additional services to user processes without 1827 * registering specific system calls. The policy name provided during 1828 * registration is used to demux calls from userland, and the arguments 1829 * will be forwarded to this entry point. When implementing new 1830 * services, security modules should be sure to invoke appropriate 1831 * access control checks from the MAC framework as needed. 
For 1832 * example, if a policy implements an augmented signal functionality, 1833 * it should call the necessary signal access control checks to invoke 1834 * the MAC framework and other registered policies. 1835 * 1836 * @warning Since the format and contents of the policy-specific 1837 * arguments are unknown to the MAC Framework, modules must perform the 1838 * required copyin() of the syscall data on their own. No policy 1839 * mediation is performed, so policies must perform any necessary 1840 * access control checks themselves. If multiple policies are loaded, 1841 * they will currently be unable to mediate calls to other policies. 1842 * 1843 * @return In the event of an error, an appropriate value for errno 1844 * should be returned, otherwise return 0 upon success. 1845 */ 1846 typedef int mpo_policy_syscall_t( 1847 struct proc *p, 1848 int call, 1849 user_addr_t arg 1850 ); 1851 /** 1852 * @brief Access control check for POSIX semaphore create 1853 * @param cred Subject credential 1854 * @param name String name of the semaphore 1855 * 1856 * Determine whether the subject identified by the credential can create 1857 * a POSIX semaphore specified by name. 1858 * 1859 * @return Return 0 if access is granted, otherwise an appropriate value for 1860 * errno should be returned. 1861 */ 1862 typedef int mpo_posixsem_check_create_t( 1863 kauth_cred_t cred, 1864 const char *name 1865 ); 1866 /** 1867 * @brief Access control check for POSIX semaphore open 1868 * @param cred Subject credential 1869 * @param ps Pointer to semaphore information structure 1870 * @param semlabel Label associated with the semaphore 1871 * 1872 * Determine whether the subject identified by the credential can open 1873 * the named POSIX semaphore with label semlabel. 1874 * 1875 * @return Return 0 if access is granted, otherwise an appropriate value for 1876 * errno should be returned. 
1877 */ 1878 typedef int mpo_posixsem_check_open_t( 1879 kauth_cred_t cred, 1880 struct pseminfo *ps, 1881 struct label *semlabel 1882 ); 1883 /** 1884 * @brief Access control check for POSIX semaphore post 1885 * @param cred Subject credential 1886 * @param ps Pointer to semaphore information structure 1887 * @param semlabel Label associated with the semaphore 1888 * 1889 * Determine whether the subject identified by the credential can unlock 1890 * the named POSIX semaphore with label semlabel. 1891 * 1892 * @return Return 0 if access is granted, otherwise an appropriate value for 1893 * errno should be returned. 1894 */ 1895 typedef int mpo_posixsem_check_post_t( 1896 kauth_cred_t cred, 1897 struct pseminfo *ps, 1898 struct label *semlabel 1899 ); 1900 /** 1901 * @brief Access control check for POSIX semaphore unlink 1902 * @param cred Subject credential 1903 * @param ps Pointer to semaphore information structure 1904 * @param semlabel Label associated with the semaphore 1905 * @param name String name of the semaphore 1906 * 1907 * Determine whether the subject identified by the credential can remove 1908 * the named POSIX semaphore with label semlabel. 1909 * 1910 * @return Return 0 if access is granted, otherwise an appropriate value for 1911 * errno should be returned. 1912 */ 1913 typedef int mpo_posixsem_check_unlink_t( 1914 kauth_cred_t cred, 1915 struct pseminfo *ps, 1916 struct label *semlabel, 1917 const char *name 1918 ); 1919 /** 1920 * @brief Access control check for POSIX semaphore wait 1921 * @param cred Subject credential 1922 * @param ps Pointer to semaphore information structure 1923 * @param semlabel Label associated with the semaphore 1924 * 1925 * Determine whether the subject identified by the credential can lock 1926 * the named POSIX semaphore with label semlabel. 1927 * 1928 * @return Return 0 if access is granted, otherwise an appropriate value for 1929 * errno should be returned. 
1930 */ 1931 typedef int mpo_posixsem_check_wait_t( 1932 kauth_cred_t cred, 1933 struct pseminfo *ps, 1934 struct label *semlabel 1935 ); 1936 /** 1937 * @brief Create a POSIX semaphore label 1938 * @param cred Subject credential 1939 * @param ps Pointer to semaphore information structure 1940 * @param semlabel Label to associate with the new semaphore 1941 * @param name String name of the semaphore 1942 * 1943 * Label a new POSIX semaphore. The label was previously 1944 * initialized and associated with the semaphore. At this time, an 1945 * appropriate initial label value should be assigned to the object and 1946 * stored in semlabel. 1947 */ 1948 typedef void mpo_posixsem_label_associate_t( 1949 kauth_cred_t cred, 1950 struct pseminfo *ps, 1951 struct label *semlabel, 1952 const char *name 1953 ); 1954 /** 1955 * @brief Destroy POSIX semaphore label 1956 * @param label The label to be destroyed 1957 * 1958 * Destroy a POSIX semaphore label. Since the object is 1959 * going out of scope, policy modules should free any internal storage 1960 * associated with the label so that it may be destroyed. 1961 */ 1962 typedef void mpo_posixsem_label_destroy_t( 1963 struct label *label 1964 ); 1965 /** 1966 * @brief Initialize POSIX semaphore label 1967 * @param label New label to initialize 1968 * 1969 * Initialize the label for a newly instantiated POSIX semaphore. Sleeping 1970 * is permitted. 1971 */ 1972 typedef void mpo_posixsem_label_init_t( 1973 struct label *label 1974 ); 1975 /** 1976 * @brief Access control check for POSIX shared memory region create 1977 * @param cred Subject credential 1978 * @param name String name of the shared memory region 1979 * 1980 * Determine whether the subject identified by the credential can create 1981 * the POSIX shared memory region referenced by name. 1982 * 1983 * @return Return 0 if access is granted, otherwise an appropriate value for 1984 * errno should be returned. 
1985 */ 1986 typedef int mpo_posixshm_check_create_t( 1987 kauth_cred_t cred, 1988 const char *name 1989 ); 1990 /** 1991 * @brief Access control check for mapping POSIX shared memory 1992 * @param cred Subject credential 1993 * @param ps Pointer to shared memory information structure 1994 * @param shmlabel Label associated with the shared memory region 1995 * @param prot mmap protections; see mmap(2) 1996 * @param flags shmat flags; see shmat(2) 1997 * 1998 * Determine whether the subject identified by the credential can map 1999 * the POSIX shared memory segment associated with shmlabel. 2000 * 2001 * @return Return 0 if access is granted, otherwise an appropriate value for 2002 * errno should be returned. 2003 */ 2004 typedef int mpo_posixshm_check_mmap_t( 2005 kauth_cred_t cred, 2006 struct pshminfo *ps, 2007 struct label *shmlabel, 2008 int prot, 2009 int flags 2010 ); 2011 /** 2012 * @brief Access control check for POSIX shared memory region open 2013 * @param cred Subject credential 2014 * @param ps Pointer to shared memory information structure 2015 * @param shmlabel Label associated with the shared memory region 2016 * @param fflags shm_open(2) open flags ('fflags' encoded) 2017 * 2018 * Determine whether the subject identified by the credential can open 2019 * the POSIX shared memory region. 2020 * 2021 * @return Return 0 if access is granted, otherwise an appropriate value for 2022 * errno should be returned. 
2023 */ 2024 typedef int mpo_posixshm_check_open_t( 2025 kauth_cred_t cred, 2026 struct pshminfo *ps, 2027 struct label *shmlabel, 2028 int fflags 2029 ); 2030 /** 2031 * @brief Access control check for POSIX shared memory stat 2032 * @param cred Subject credential 2033 * @param ps Pointer to shared memory information structure 2034 * @param shmlabel Label associated with the shared memory region 2035 * 2036 * Determine whether the subject identified by the credential can obtain 2037 * status for the POSIX shared memory segment associated with shmlabel. 2038 * 2039 * @return Return 0 if access is granted, otherwise an appropriate value for 2040 * errno should be returned. 2041 */ 2042 typedef int mpo_posixshm_check_stat_t( 2043 kauth_cred_t cred, 2044 struct pshminfo *ps, 2045 struct label *shmlabel 2046 ); 2047 /** 2048 * @brief Access control check for POSIX shared memory truncate 2049 * @param cred Subject credential 2050 * @param ps Pointer to shared memory information structure 2051 * @param shmlabel Label associated with the shared memory region 2052 * @param len Length to truncate or extend shared memory segment 2053 * 2054 * Determine whether the subject identified by the credential can truncate 2055 * or extend (to len) the POSIX shared memory segment associated with shmlabel. 2056 * 2057 * @return Return 0 if access is granted, otherwise an appropriate value for 2058 * errno should be returned. 
2059 */ 2060 typedef int mpo_posixshm_check_truncate_t( 2061 kauth_cred_t cred, 2062 struct pshminfo *ps, 2063 struct label *shmlabel, 2064 off_t len 2065 ); 2066 /** 2067 * @brief Access control check for POSIX shared memory unlink 2068 * @param cred Subject credential 2069 * @param ps Pointer to shared memory information structure 2070 * @param shmlabel Label associated with the shared memory region 2071 * @param name String name of the shared memory region 2072 * 2073 * Determine whether the subject identified by the credential can delete 2074 * the POSIX shared memory segment associated with shmlabel. 2075 * 2076 * @return Return 0 if access is granted, otherwise an appropriate value for 2077 * errno should be returned. 2078 */ 2079 typedef int mpo_posixshm_check_unlink_t( 2080 kauth_cred_t cred, 2081 struct pshminfo *ps, 2082 struct label *shmlabel, 2083 const char *name 2084 ); 2085 /** 2086 * @brief Create a POSIX shared memory region label 2087 * @param cred Subject credential 2088 * @param ps Pointer to shared memory information structure 2089 * @param shmlabel Label to associate with the new shared memory region 2090 * @param name String name of the shared memory region 2091 * 2092 * Label a new POSIX shared memory region. The label was previously 2093 * initialized and associated with the shared memory region. At this 2094 * time, an appropriate initial label value should be assigned to the 2095 * object and stored in shmlabel. 2096 */ 2097 typedef void mpo_posixshm_label_associate_t( 2098 kauth_cred_t cred, 2099 struct pshminfo *ps, 2100 struct label *shmlabel, 2101 const char *name 2102 ); 2103 /** 2104 * @brief Destroy POSIX shared memory label 2105 * @param label The label to be destroyed 2106 * 2107 * Destroy a POSIX shared memory region label. Since the 2108 * object is going out of scope, policy modules should free any 2109 * internal storage associated with the label so that it may be 2110 * destroyed. 
2111 */ 2112 typedef void mpo_posixshm_label_destroy_t( 2113 struct label *label 2114 ); 2115 /** 2116 * @brief Initialize POSIX Shared Memory region label 2117 * @param label New label to initialize 2118 * 2119 * Initialize the label for a newly instantiated POSIX Shared Memory 2120 * region. Sleeping is permitted. 2121 */ 2122 typedef void mpo_posixshm_label_init_t( 2123 struct label *label 2124 ); 2125 /** 2126 * @brief Access control check for privileged operations 2127 * @param cred Subject credential 2128 * @param priv Requested privilege (see sys/priv.h) 2129 * 2130 * Determine whether the subject identified by the credential can perform 2131 * a privileged operation. Privileged operations are allowed if the cred 2132 * is the superuser or any policy returns zero for mpo_priv_grant, unless 2133 * any policy returns nonzero for mpo_priv_check. 2134 * 2135 * @return Return 0 if access is granted, otherwise EPERM should be returned. 2136 */ 2137 typedef int mpo_priv_check_t( 2138 kauth_cred_t cred, 2139 int priv 2140 ); 2141 /** 2142 * @brief Grant regular users the ability to perform privileged operations 2143 * @param cred Subject credential 2144 * @param priv Requested privilege (see sys/priv.h) 2145 * 2146 * Determine whether the subject identified by the credential should be 2147 * allowed to perform a privileged operation that in the absence of any 2148 * MAC policy it would not be able to perform. Privileged operations are 2149 * allowed if the cred is the superuser or any policy returns zero for 2150 * mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check. 2151 * 2152 * Unlike other MAC hooks which can only reduce the privilege of a 2153 * credential, this hook raises the privilege of a credential when it 2154 * returns 0. Extreme care must be taken when implementing this hook to 2155 * avoid undermining the security of the system. 
2156 * 2157 * @return Return 0 if additional privilege is granted, otherwise EPERM 2158 * should be returned. 2159 */ 2160 typedef int mpo_priv_grant_t( 2161 kauth_cred_t cred, 2162 int priv 2163 ); 2164 /** 2165 * @brief Access control over process core dumps 2166 * @param proc Subject process 2167 * 2168 * Determine whether a core dump may be written to disk for the subject 2169 * identified. 2170 * 2171 * @return Return 0 if access is granted, otherwise an appropriate value for 2172 * errno should be returned. 2173 */ 2174 typedef int mpo_proc_check_dump_core_t( 2175 struct proc *proc 2176 ); 2177 /** 2178 * @brief Access control over remote thread creation 2179 * @param cred Subject credential 2180 * @param proc Object process 2181 * @param flavor Flavor of thread state passed in new_state, or -1 2182 * @param new_state Thread state to be set on the created thread, or NULL 2183 * @param new_state_count Size of thread state, in natural_t units, or 0 2184 * 2185 * Determine whether the subject can create a thread in the object process 2186 * by calling the thread_create or thread_create_running MIG routines on 2187 * another process' task port. For thread_create_running, the flavor, 2188 * new_state and new_state_count arguments are passed here before they are 2189 * converted and checked by machine-dependent code. 2190 * 2191 * @return Return 0 if access is granted, otherwise an appropriate value for 2192 * errno should be returned. 2193 */ 2194 typedef int mpo_proc_check_remote_thread_create_t( 2195 kauth_cred_t cred, 2196 struct proc *proc, 2197 int flavor, 2198 thread_state_t new_state, 2199 mach_msg_type_number_t new_state_count 2200 ); 2201 /** 2202 * @brief Access control check for debugging process 2203 * @param cred Subject credential 2204 * @param pident Object unique process identifier 2205 * 2206 * Determine whether the subject identified by the credential can debug 2207 * the passed process. 
This call may be made in a number of situations, 2208 * including use of the ptrace(2) and ktrace(2) APIs, as well as for some 2209 * types of procfs operations. 2210 * 2211 * @return Return 0 if access is granted, otherwise an appropriate value for 2212 * errno should be returned. Suggested failure: EACCES for label mismatch, 2213 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 2214 */ 2215 typedef int mpo_proc_check_debug_t( 2216 kauth_cred_t cred, 2217 struct proc_ident *pident 2218 ); 2219 /** 2220 * @brief Access control over fork 2221 * @param cred Subject credential 2222 * @param proc Subject process trying to fork 2223 * 2224 * Determine whether the subject identified is allowed to fork. 2225 * 2226 * @return Return 0 if access is granted, otherwise an appropriate value for 2227 * errno should be returned. 2228 */ 2229 typedef int mpo_proc_check_fork_t( 2230 kauth_cred_t cred, 2231 struct proc *proc 2232 ); 2233 /** 2234 * @brief Access control check for setting host special ports. 2235 * @param cred Subject credential 2236 * @param id The host special port to set 2237 * @param port The new value to set for the special port 2238 * 2239 * @return Return 0 if access is granted, otherwise an appropriate value for 2240 * errno should be returned. 2241 */ 2242 typedef int mpo_proc_check_set_host_special_port_t( 2243 kauth_cred_t cred, 2244 int id, 2245 struct ipc_port *port 2246 ); 2247 /** 2248 * @brief Access control check for setting host exception ports. 2249 * @param cred Subject credential 2250 * @param exception Exception port to set 2251 * 2252 * @return Return 0 if access is granted, otherwise an appropriate value for 2253 * errno should be returned. 2254 */ 2255 typedef int mpo_proc_check_set_host_exception_port_t( 2256 kauth_cred_t cred, 2257 unsigned int exception 2258 ); 2259 /** 2260 * @brief Access control check for getting task special ports. 
2261 * @param cred Subject credential 2262 * @param pident Object unique process identifier, NULL if target is a corpse task 2263 * @param which The task special port to get 2264 * 2265 * @return Return 0 if access is granted, otherwise an appropriate value for 2266 * errno should be returned. 2267 */ 2268 typedef int mpo_proc_check_get_task_special_port_t( 2269 kauth_cred_t cred, 2270 struct proc_ident *pident, 2271 int which 2272 ); 2273 /** 2274 * @brief Access control check for setting task special ports. 2275 * @param cred Subject credential 2276 * @param pident Object unique process identifier 2277 * @param which The task special port to set 2278 * @param port The new value to set for the special port 2279 * 2280 * @return Return 0 if access is granted, otherwise an appropriate value for 2281 * errno should be returned. 2282 */ 2283 typedef int mpo_proc_check_set_task_special_port_t( 2284 kauth_cred_t cred, 2285 struct proc_ident *pident, 2286 int which, 2287 struct ipc_port *port 2288 ); 2289 /** 2290 * @brief Access control check for setting task exception ports for current task. 2291 * @param cred Subject credential 2292 * @param pident Object unique process identifier 2293 * @param exception Exception port to set 2294 * @param new_behavior exception_behavior_t value 2295 * 2296 * @return Return 0 if access is granted, otherwise an appropriate value for 2297 * errno should be returned. 2298 */ 2299 typedef int mpo_proc_check_set_task_exception_port_t( 2300 kauth_cred_t cred, 2301 struct proc_ident *pident, 2302 unsigned int exception, 2303 int new_behavior 2304 ); 2305 /** 2306 * @brief Access control check for setting thread exception ports. 2307 * @param cred Subject credential 2308 * @param pident Object unique process identifier 2309 * @param exception Exception port to set 2310 * @param new_behavior exception_behavior_t value 2311 * 2312 * @return Return 0 if access is granted, otherwise an appropriate value for 2313 * errno should be returned. 
2314 */ 2315 typedef int mpo_proc_check_set_thread_exception_port_t( 2316 kauth_cred_t cred, 2317 struct proc_ident *pident, 2318 unsigned int exception, 2319 int new_behavior 2320 ); 2321 /** 2322 * @brief Access control check for getting movable task/thread control port for current task. 2323 * @param cred Subject credential 2324 * 2325 * @return Return 0 if access is granted, otherwise an appropriate value for 2326 * errno should be returned. 2327 */ 2328 typedef int mpo_proc_check_get_movable_control_port_t( 2329 kauth_cred_t cred 2330 ); 2331 /** 2332 * @brief Access control check for calling task_dyld_process_info_notify_register 2333 * and task_dyld_process_info_notify_deregister. 2334 * @param cred Subject credential 2335 * 2336 * @return Return 0 if access is granted, otherwise an appropriate value for 2337 * errno should be returned. 2338 */ 2339 typedef int mpo_proc_check_dyld_process_info_notify_register_t( 2340 kauth_cred_t cred 2341 ); 2342 /** 2343 * @brief Access control over pid_suspend, pid_resume and family 2344 * @param cred Subject credential 2345 * @param proc Object process 2346 * @param sr Type of call; one of MAC_PROC_CHECK_SUSPEND, 2347 * MAC_PROC_CHECK_RESUME, MAC_PROC_CHECK_HIBERNATE, 2348 * MAC_PROC_CHECK_SHUTDOWN_SOCKETS or MAC_PROC_CHECK_PIDBIND. 2349 * 2350 * Determine whether the subject identified is allowed to call pid_suspend, 2351 * pid_resume, pid_hibernate, pid_shutdown_sockets, 2352 * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_DEVSTATUS) or 2353 * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_PIDBIND) on 2354 * the object process. 2355 * 2356 * @return Return 0 if access is granted, otherwise an appropriate value for 2357 * errno should be returned. 
2358 */ 2359 typedef int mpo_proc_check_suspend_resume_t( 2360 kauth_cred_t cred, 2361 struct proc *proc, 2362 int sr 2363 ); 2364 /** 2365 * @brief Access control check for retrieving audit information 2366 * @param cred Subject credential 2367 * 2368 * Determine whether the subject identified by the credential can get 2369 * audit information such as the audit user ID, the preselection mask, 2370 * the terminal ID and the audit session ID, using the getaudit() system call. 2371 * 2372 * @return Return 0 if access is granted, otherwise an appropriate value for 2373 * errno should be returned. 2374 */ 2375 typedef int mpo_proc_check_getaudit_t( 2376 kauth_cred_t cred 2377 ); 2378 /** 2379 * @brief Access control check for retrieving audit user ID 2380 * @param cred Subject credential 2381 * 2382 * Determine whether the subject identified by the credential can get 2383 * the user identity being used by the auditing system, using the getauid() 2384 * system call. 2385 * 2386 * @return Return 0 if access is granted, otherwise an appropriate value for 2387 * errno should be returned. 2388 */ 2389 typedef int mpo_proc_check_getauid_t( 2390 kauth_cred_t cred 2391 ); 2392 /** 2393 * @brief Access control check for retrieving ledger information 2394 * @param cred Subject credential 2395 * @param target Object process 2396 * @param op ledger operation 2397 * 2398 * Determine if ledger(2) system call is permitted. 2399 * 2400 * Information returned by this system call is similar to that returned via 2401 * process listings etc. 2402 * 2403 * @return Return 0 if access is granted, otherwise an appropriate value for 2404 * errno should be returned. 2405 */ 2406 typedef int mpo_proc_check_ledger_t( 2407 kauth_cred_t cred, 2408 struct proc *target, 2409 int op 2410 ); 2411 /** 2412 * @brief Access control check for retrieving process information. 
2413 * @param cred Subject credential 2414 * @param target Target process (may be null, may be zombie) 2415 * 2416 * Determine if a credential has permission to access process information as defined 2417 * by call number and flavor on target process 2418 * 2419 * @return Return 0 if access is granted, otherwise an appropriate value for 2420 * errno should be returned. 2421 */ 2422 typedef int mpo_proc_check_proc_info_t( 2423 kauth_cred_t cred, 2424 struct proc *target, 2425 int callnum, 2426 int flavor 2427 ); 2428 /** 2429 * @brief Access control check for retrieving code signing information. 2430 * @param cred Subject credential 2431 * @param target Target process 2432 * @param op Code signing operation being performed 2433 * 2434 * Determine whether the subject identified by the credential should be 2435 * allowed to get code signing information about the target process. 2436 * 2437 * @return Return 0 if access is granted, otherwise an appropriate value for 2438 * errno should be returned. 2439 */ 2440 typedef int mpo_proc_check_get_cs_info_t( 2441 kauth_cred_t cred, 2442 struct proc *target, 2443 unsigned int op 2444 ); 2445 /** 2446 * @brief Access control check for setting code signing information. 2447 * @param cred Subject credential 2448 * @param target Target process 2449 * @param op Code signing operation being performed. 2450 * 2451 * Determine whether the subject identified by the credential should be 2452 * allowed to set code signing information about the target process. 2453 * 2454 * @return Return 0 if permission is granted, otherwise an appropriate 2455 * value of errno should be returned. 
2456 */ 2457 typedef int mpo_proc_check_set_cs_info_t( 2458 kauth_cred_t cred, 2459 struct proc *target, 2460 unsigned int op 2461 ); 2462 /** 2463 * @brief Access control check for mmap MAP_ANON 2464 * @param proc User process requesting the memory 2465 * @param cred Subject credential 2466 * @param u_addr Start address of the memory range 2467 * @param u_size Length of the memory range 2468 * @param prot mmap protections; see mmap(2) 2469 * @param flags Type of mapped object; see mmap(2) 2470 * @param maxprot Maximum rights 2471 * 2472 * Determine whether the subject identified by the credential should be 2473 * allowed to obtain anonymous memory using the specified flags and 2474 * protections on the new mapping. MAP_ANON will always be present in the 2475 * flags. Certain combinations of flags with a non-NULL addr may 2476 * cause a mapping to be rejected before this hook is called. The maxprot field 2477 * holds the maximum permissions on the new mapping, a combination of 2478 * VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior 2479 * access control checks, a policy should only remove flags from maxprot, 2480 * never add them. 2481 * 2482 * @return Return 0 if access is granted, otherwise an appropriate value for 2483 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2484 */ 2485 typedef int mpo_proc_check_map_anon_t( 2486 struct proc *proc, 2487 kauth_cred_t cred, 2488 user_addr_t u_addr, 2489 user_size_t u_size, 2490 int prot, 2491 int flags, 2492 int *maxprot 2493 ); 2494 /** 2495 * @brief Access control check for memorystatus_control(2) 2496 * @param cred Subject credential 2497 * @param command Memory status control command 2498 * @param pid Target process id, or 0 2499 * 2500 * Determine whether the subject identified by the credential should 2501 * be allowed to issue the specified memorystatus control command. 
2501 * 2502 * @return Return 0 if access is granted, otherwise an appropriate value for 2503 * errno should be returned. 2504 */ 2505 typedef int mpo_proc_check_memorystatus_control_t( 2506 kauth_cred_t cred, 2507 int32_t command, 2508 pid_t pid 2509 ); 2510 /** 2511 * @brief Access control check for setting memory protections 2512 * @param cred Subject credential 2513 * @param proc User process requesting the change 2514 * @param addr Start address of the memory range 2515 * @param size Length of the memory range 2516 * @param prot Memory protections, see mmap(2) 2517 * 2518 * Determine whether the subject identified by the credential should 2519 * be allowed to set the specified memory protections on memory mapped 2520 * in the process proc. 2521 * 2522 * @return Return 0 if access is granted, otherwise an appropriate value for 2523 * errno should be returned. 2524 */ 2525 typedef int mpo_proc_check_mprotect_t( 2526 kauth_cred_t cred, 2527 struct proc *proc, 2528 user_addr_t addr, 2529 user_size_t size, 2530 int prot 2531 ); 2532 /** 2533 * @brief Access control check for changing scheduling parameters 2534 * @param cred Subject credential 2535 * @param proc Object process 2536 * 2537 * Determine whether the subject identified by the credential can change 2538 * the scheduling parameters of the passed process. 2539 * 2540 * @return Return 0 if access is granted, otherwise an appropriate value for 2541 * errno should be returned. Suggested failure: EACCES for label mismatch, 2542 * EPERM for lack of privilege, or ESRCH to limit visibility. 
2543 */ 2544 typedef int mpo_proc_check_sched_t( 2545 kauth_cred_t cred, 2546 struct proc *proc 2547 ); 2548 /** 2549 * @brief Access control check for setting audit information 2550 * @param cred Subject credential 2551 * @param ai Audit information 2552 * 2553 * Determine whether the subject identified by the credential can set 2554 * audit information such as the preselection mask, the terminal ID 2555 * and the audit session ID, using the setaudit() system call. 2556 * 2557 * @return Return 0 if access is granted, otherwise an appropriate value for 2558 * errno should be returned. 2559 */ 2560 typedef int mpo_proc_check_setaudit_t( 2561 kauth_cred_t cred, 2562 struct auditinfo_addr *ai 2563 ); 2564 /** 2565 * @brief Access control check for setting audit user ID 2566 * @param cred Subject credential 2567 * @param auid Audit user ID 2568 * 2569 * Determine whether the subject identified by the credential can set 2570 * the user identity used by the auditing system, using the setauid() 2571 * system call. 2572 * 2573 * @return Return 0 if access is granted, otherwise an appropriate value for 2574 * errno should be returned. 2575 */ 2576 typedef int mpo_proc_check_setauid_t( 2577 kauth_cred_t cred, 2578 uid_t auid 2579 ); 2580 /** 2581 * @brief Access control check for delivering signal 2582 * @param cred Subject credential 2583 * @param proc Object process 2584 * @param signum Signal number; see kill(2) 2585 * 2586 * Determine whether the subject identified by the credential can deliver 2587 * the passed signal to the passed process. 2588 * 2589 * @warning Programs typically expect to be able to send and receive 2590 * signals as part of their normal process lifecycle; caution should be 2591 * exercised when implementing access controls over signal events. 2592 * 2593 * @return Return 0 if access is granted, otherwise an appropriate value for 2594 * errno should be returned. 
Suggested failure: EACCES for label mismatch, 2595 * EPERM for lack of privilege, or ESRCH to limit visibility. 2596 */ 2597 typedef int mpo_proc_check_signal_t( 2598 kauth_cred_t cred, 2599 struct proc *proc, 2600 int signum 2601 ); 2602 /** 2603 * @brief Access control check for delivering a delegated signal 2604 * @param caller Caller credential 2605 * @param instigator Instigator process audit token 2606 * @param target Target process audit token 2607 * @param signum Signal number; see kill(2) 2608 * 2609 * Determine whether the caller and instigator combination identified by 2610 * the provided credentials can deliver the specified signal to the target process. 2611 * 2612 * @note Caller will always be current_proc(). But the instigator may not be 2613 * the current proc, and may no longer be running. 2614 * 2615 * @warning Policy implementations must avoid obtaining proc refs of 2616 * two different processes simultaneously. 2617 * 2618 * @warning Programs typically expect to be able to send and receive 2619 * signals as part of their normal process lifecycle; caution should be 2620 * exercised when implementing access controls over signal events. 2621 * 2622 * @return Return 0 if access is granted, otherwise an appropriate value for 2623 * errno should be returned. Suggested failure: EACCES for label mismatch, 2624 * EPERM for lack of privilege, or ESRCH to limit visibility. 2625 */ 2626 typedef int mpo_proc_check_delegated_signal_t( 2627 kauth_cred_t caller, 2628 audit_token_t instigator, 2629 audit_token_t target, 2630 int signum 2631 ); 2632 /** 2633 * @brief Access control check for MAC syscalls. 2634 * @param proc Subject process 2635 * @param policy MAC policy name 2636 * @param callnum MAC policy-specific syscall number 2637 * 2638 * Determine whether the subject process can perform the passed MAC syscall. 2639 * 2640 * @return Return 0 if access is granted, otherwise an appropriate value for 2641 * errno should be returned. 
Suggested failure: EPERM for lack of privilege. 2642 */ 2643 typedef int mpo_proc_check_syscall_mac_t( 2644 struct proc *proc, 2645 const char *policy, 2646 int callnum 2647 ); 2648 /** 2649 * @brief Access control check for Unix syscalls. 2650 * @param proc Subject process 2651 * @param scnum Syscall number; see bsd/kern/syscalls.master. 2652 * 2653 * Determine whether the subject process can perform the passed syscall (number). 2654 * 2655 * @warning Programs typically expect to be able to make syscalls as part of 2656 * their normal process lifecycle; caution should be exercised when restricting 2657 * which syscalls a process can perform. 2658 * 2659 * @return Return 0 if access is granted, otherwise an appropriate value for 2660 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2661 */ 2662 typedef int mpo_proc_check_syscall_unix_t( 2663 struct proc *proc, 2664 int scnum 2665 ); 2666 /** 2667 * @brief Access control check for wait 2668 * @param cred Subject credential 2669 * @param proc Object process 2670 * 2671 * Determine whether the subject identified by the credential can wait 2672 * for process termination. 2673 * 2674 * @warning Caution should be exercised when implementing access 2675 * controls for wait, since programs often wait for child processes to 2676 * exit. Failure to be notified of a child process terminating may 2677 * cause the parent process to hang, or may produce zombie processes. 2678 * 2679 * @return Return 0 if access is granted, otherwise an appropriate value for 2680 * errno should be returned. 2681 */ 2682 typedef int mpo_proc_check_wait_t( 2683 kauth_cred_t cred, 2684 struct proc *proc 2685 ); 2686 /** 2687 * @brief Inform MAC policies that a process has exited. 2688 * @param proc Object process 2689 * 2690 * Called after all of the process's threads have terminated and 2691 * it has been removed from the process list. 
KPI that identifies 2692 * the process by pid will fail to find the process; KPI that 2693 * identifies the process by the object process pointer functions 2694 * normally. proc_exiting() returns true for the object process. 2695 */ 2696 typedef void mpo_proc_notify_exit_t( 2697 struct proc *proc 2698 ); 2699 /** 2700 * @brief Access control check for skywalk flow connect 2701 * @param cred Subject credential 2702 * @param flow Flow object 2703 * @param addr Remote address for flow to send data to 2704 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) 2705 * @param protocol Network protocol (e.g. IPPROTO_TCP) 2706 * 2707 * Determine whether the subject identified by the credential can 2708 * create a flow for sending data to the remote host specified by 2709 * addr. 2710 * 2711 * @return Return 0 if access if granted, otherwise an appropriate 2712 * value for errno should be returned. 2713 */ 2714 typedef int mpo_skywalk_flow_check_connect_t( 2715 kauth_cred_t cred, 2716 void *flow, 2717 const struct sockaddr *addr, 2718 int type, 2719 int protocol 2720 ); 2721 /** 2722 * @brief Access control check for skywalk flow listen 2723 * @param cred Subject credential 2724 * @param flow Flow object 2725 * @param addr Local address for flow to listen on 2726 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) 2727 * @param protocol Network protocol (e.g. IPPROTO_TCP) 2728 * 2729 * Determine whether the subject identified by the credential can 2730 * create a flow for receiving data on the local address specified 2731 * by addr. 2732 * 2733 * @return Return 0 if access if granted, otherwise an appropriate 2734 * value for errno should be returned. 
2735 */ 2736 typedef int mpo_skywalk_flow_check_listen_t( 2737 kauth_cred_t cred, 2738 void *flow, 2739 const struct sockaddr *addr, 2740 int type, 2741 int protocol 2742 ); 2743 /** 2744 * @brief Access control check for socket accept 2745 * @param cred Subject credential 2746 * @param so Object socket 2747 * @param socklabel Policy label for socket 2748 * 2749 * Determine whether the subject identified by the credential can accept() 2750 * a new connection on the socket from the host specified by addr. 2751 * 2752 * @return Return 0 if access if granted, otherwise an appropriate 2753 * value for errno should be returned. 2754 */ 2755 typedef int mpo_socket_check_accept_t( 2756 kauth_cred_t cred, 2757 socket_t so, 2758 struct label *socklabel 2759 ); 2760 /** 2761 * @brief Access control check for a pending socket accept 2762 * @param cred Subject credential 2763 * @param so Object socket 2764 * @param socklabel Policy label for socket 2765 * @param addr Address of the listening socket (coming soon) 2766 * 2767 * Determine whether the subject identified by the credential can accept() 2768 * a pending connection on the socket from the host specified by addr. 2769 * 2770 * @return Return 0 if access if granted, otherwise an appropriate 2771 * value for errno should be returned. 2772 */ 2773 typedef int mpo_socket_check_accepted_t( 2774 kauth_cred_t cred, 2775 socket_t so, 2776 struct label *socklabel, 2777 struct sockaddr *addr 2778 ); 2779 /** 2780 * @brief Access control check for socket bind 2781 * @param cred Subject credential 2782 * @param so Object socket 2783 * @param socklabel Policy label for socket 2784 * @param addr Name to assign to the socket 2785 * 2786 * Determine whether the subject identified by the credential can bind() 2787 * the name (addr) to the socket. 2788 * 2789 * @return Return 0 if access if granted, otherwise an appropriate 2790 * value for errno should be returned. 
2791 */ 2792 typedef int mpo_socket_check_bind_t( 2793 kauth_cred_t cred, 2794 socket_t so, 2795 struct label *socklabel, 2796 struct sockaddr *addr 2797 ); 2798 /** 2799 * @brief Access control check for socket connect 2800 * @param cred Subject credential 2801 * @param so Object socket 2802 * @param socklabel Policy label for socket 2803 * @param addr Name to assign to the socket 2804 * 2805 * Determine whether the subject identified by the credential can 2806 * connect() the passed socket to the remote host specified by addr. 2807 * 2808 * @return Return 0 if access if granted, otherwise an appropriate 2809 * value for errno should be returned. 2810 */ 2811 typedef int mpo_socket_check_connect_t( 2812 kauth_cred_t cred, 2813 socket_t so, 2814 struct label *socklabel, 2815 struct sockaddr *addr 2816 ); 2817 /** 2818 * @brief Access control check for socket() system call. 2819 * @param cred Subject credential 2820 * @param domain communication domain 2821 * @param type socket type 2822 * @param protocol socket protocol 2823 * 2824 * Determine whether the subject identified by the credential can 2825 * make the socket() call. 2826 * 2827 * @return Return 0 if access if granted, otherwise an appropriate 2828 * value for errno should be returned. 2829 */ 2830 typedef int mpo_socket_check_create_t( 2831 kauth_cred_t cred, 2832 int domain, 2833 int type, 2834 int protocol 2835 ); 2836 /** 2837 * @brief Access control check for socket ioctl. 2838 * @param cred Subject credential 2839 * @param so Object socket 2840 * @param cmd The ioctl command; see ioctl(2) 2841 * @param socklabel Policy label for socket 2842 * 2843 * Determine whether the subject identified by the credential can perform 2844 * the ioctl operation indicated by cmd on the given socket. 
2845 * 2846 * @warning Since ioctl data is opaque from the standpoint of the MAC 2847 * framework, and since ioctls can affect many aspects of system 2848 * operation, policies must exercise extreme care when implementing 2849 * access control checks. 2850 * 2851 * @return Return 0 if access is granted, otherwise an appropriate value for 2852 * errno should be returned. 2853 */ 2854 typedef int mpo_socket_check_ioctl_t( 2855 kauth_cred_t cred, 2856 socket_t so, 2857 unsigned long cmd, 2858 struct label *socklabel 2859 ); 2860 /** 2861 * @brief Access control check for socket listen 2862 * @param cred Subject credential 2863 * @param so Object socket 2864 * @param socklabel Policy label for socket 2865 * 2866 * Determine whether the subject identified by the credential can 2867 * listen() on the passed socket. 2868 * 2869 * @return Return 0 if access if granted, otherwise an appropriate 2870 * value for errno should be returned. 2871 */ 2872 typedef int mpo_socket_check_listen_t( 2873 kauth_cred_t cred, 2874 socket_t so, 2875 struct label *socklabel 2876 ); 2877 /** 2878 * @brief Access control check for socket receive 2879 * @param cred Subject credential 2880 * @param so Object socket 2881 * @param socklabel Policy label for socket 2882 * 2883 * Determine whether the subject identified by the credential can 2884 * receive data from the socket. 2885 * 2886 * @return Return 0 if access if granted, otherwise an appropriate 2887 * value for errno should be returned. 2888 */ 2889 typedef int mpo_socket_check_receive_t( 2890 kauth_cred_t cred, 2891 socket_t so, 2892 struct label *socklabel 2893 ); 2894 2895 /** 2896 * @brief Access control check for socket receive 2897 * @param cred Subject credential 2898 * @param sock Object socket 2899 * @param socklabel Policy label for socket 2900 * @param saddr Name of the remote socket 2901 * 2902 * Determine whether the subject identified by the credential can 2903 * receive data from the remote host specified by addr. 
2904 * 2905 * @return Return 0 if access if granted, otherwise an appropriate 2906 * value for errno should be returned. 2907 */ 2908 typedef int mpo_socket_check_received_t( 2909 kauth_cred_t cred, 2910 struct socket *sock, 2911 struct label *socklabel, 2912 struct sockaddr *saddr 2913 ); 2914 2915 /** 2916 * @brief Access control check for socket send 2917 * @param cred Subject credential 2918 * @param so Object socket 2919 * @param socklabel Policy label for socket 2920 * @param addr Address being sent to 2921 * 2922 * Determine whether the subject identified by the credential can send 2923 * data to the socket. 2924 * 2925 * @return Return 0 if access if granted, otherwise an appropriate 2926 * value for errno should be returned. 2927 */ 2928 typedef int mpo_socket_check_send_t( 2929 kauth_cred_t cred, 2930 socket_t so, 2931 struct label *socklabel, 2932 struct sockaddr *addr 2933 ); 2934 /** 2935 * @brief Access control check for retrieving socket status 2936 * @param cred Subject credential 2937 * @param so Object socket 2938 * @param socklabel Policy label for so 2939 * 2940 * Determine whether the subject identified by the credential can 2941 * execute the stat() system call on the given socket. 2942 * 2943 * @return Return 0 if access if granted, otherwise an appropriate 2944 * value for errno should be returned. 2945 */ 2946 typedef int mpo_socket_check_stat_t( 2947 kauth_cred_t cred, 2948 socket_t so, 2949 struct label *socklabel 2950 ); 2951 /** 2952 * @brief Access control check for setting socket options 2953 * @param cred Subject credential 2954 * @param so Object socket 2955 * @param socklabel Policy label for so 2956 * @param sopt The options being set 2957 * 2958 * Determine whether the subject identified by the credential can 2959 * execute the setsockopt system call on the given socket. 2960 * 2961 * @return Return 0 if access if granted, otherwise an appropriate 2962 * value for errno should be returned. 
2963 */ 2964 typedef int mpo_socket_check_setsockopt_t( 2965 kauth_cred_t cred, 2966 socket_t so, 2967 struct label *socklabel, 2968 struct sockopt *sopt 2969 ); 2970 /** 2971 * @brief Access control check for getting socket options 2972 * @param cred Subject credential 2973 * @param so Object socket 2974 * @param socklabel Policy label for so 2975 * @param sopt The options to get 2976 * 2977 * Determine whether the subject identified by the credential can 2978 * execute the getsockopt system call on the given socket. 2979 * 2980 * @return Return 0 if access if granted, otherwise an appropriate 2981 * value for errno should be returned. 2982 */ 2983 typedef int mpo_socket_check_getsockopt_t( 2984 kauth_cred_t cred, 2985 socket_t so, 2986 struct label *socklabel, 2987 struct sockopt *sopt 2988 ); 2989 /** 2990 * @brief Access control check for enabling accounting 2991 * @param cred Subject credential 2992 * @param vp Accounting file 2993 * @param vlabel Label associated with vp 2994 * 2995 * Determine whether the subject should be allowed to enable accounting, 2996 * based on its label and the label of the accounting log file. See 2997 * acct(5) for more information. 2998 * 2999 * As accounting is disabled by passing NULL to the acct(2) system call, 3000 * the policy should be prepared for both 'vp' and 'vlabel' to be NULL. 3001 * 3002 * @return Return 0 if access is granted, otherwise an appropriate value for 3003 * errno should be returned. 3004 */ 3005 typedef int mpo_system_check_acct_t( 3006 kauth_cred_t cred, 3007 struct vnode *vp, 3008 struct label *vlabel 3009 ); 3010 /** 3011 * @brief Access control check for audit 3012 * @param cred Subject credential 3013 * @param record Audit record 3014 * @param length Audit record length 3015 * 3016 * Determine whether the subject identified by the credential can submit 3017 * an audit record for inclusion in the audit log via the audit() system call. 
3018 * 3019 * @return Return 0 if access is granted, otherwise an appropriate value for 3020 * errno should be returned. 3021 */ 3022 typedef int mpo_system_check_audit_t( 3023 kauth_cred_t cred, 3024 void *record, 3025 int length 3026 ); 3027 /** 3028 * @brief Access control check for controlling audit 3029 * @param cred Subject credential 3030 * @param vp Audit file 3031 * @param vl Label associated with vp 3032 * 3033 * Determine whether the subject should be allowed to enable auditing using 3034 * the auditctl() system call, based on its label and the label of the proposed 3035 * audit file. 3036 * 3037 * @return Return 0 if access is granted, otherwise an appropriate value for 3038 * errno should be returned. 3039 */ 3040 typedef int mpo_system_check_auditctl_t( 3041 kauth_cred_t cred, 3042 struct vnode *vp, 3043 struct label *vl 3044 ); 3045 /** 3046 * @brief Access control check for manipulating auditing 3047 * @param cred Subject credential 3048 * @param cmd Audit control command 3049 * 3050 * Determine whether the subject identified by the credential can perform 3051 * the audit subsystem control operation cmd via the auditon() system call. 3052 * 3053 * @return Return 0 if access is granted, otherwise an appropriate value for 3054 * errno should be returned. 3055 */ 3056 typedef int mpo_system_check_auditon_t( 3057 kauth_cred_t cred, 3058 int cmd 3059 ); 3060 /** 3061 * @brief Access control check for obtaining the host control port 3062 * @param cred Subject credential 3063 * 3064 * Determine whether the subject identified by the credential can 3065 * obtain the host control port. 3066 * 3067 * @return Return 0 if access is granted, or non-zero otherwise. 
3068 */ 3069 typedef int mpo_system_check_host_priv_t( 3070 kauth_cred_t cred 3071 ); 3072 /** 3073 * @brief Access control check for obtaining system information 3074 * @param cred Subject credential 3075 * @param info_type A description of the information requested 3076 * 3077 * Determine whether the subject identified by the credential should be 3078 * allowed to obtain information about the system. 3079 * 3080 * This is a generic hook that can be used in a variety of situations where 3081 * information is being returned that might be considered sensitive. 3082 * Rather than adding a new MAC hook for every such interface, this hook can 3083 * be called with a string identifying the type of information requested. 3084 * 3085 * @return Return 0 if access is granted, otherwise an appropriate value for 3086 * errno should be returned. 3087 */ 3088 typedef int mpo_system_check_info_t( 3089 kauth_cred_t cred, 3090 const char *info_type 3091 ); 3092 /** 3093 * @brief Access control check for calling NFS services 3094 * @param cred Subject credential 3095 * 3096 * Determine whether the subject identified by the credential should be 3097 * allowed to call nfssrv(2). 3098 * 3099 * @return Return 0 if access is granted, otherwise an appropriate value for 3100 * errno should be returned. 3101 */ 3102 typedef int mpo_system_check_nfsd_t( 3103 kauth_cred_t cred 3104 ); 3105 /** 3106 * @brief Access control check for reboot 3107 * @param cred Subject credential 3108 * @param howto howto parameter from reboot(2) 3109 * 3110 * Determine whether the subject identified by the credential should be 3111 * allowed to reboot the system in the specified manner. 3112 * 3113 * @return Return 0 if access is granted, otherwise an appropriate value for 3114 * errno should be returned. 
3115 */ 3116 typedef int mpo_system_check_reboot_t( 3117 kauth_cred_t cred, 3118 int howto 3119 ); 3120 /** 3121 * @brief Access control check for setting system clock 3122 * @param cred Subject credential 3123 * 3124 * Determine whether the subject identified by the credential should be 3125 * allowed to set the system clock. 3126 * 3127 * @return Return 0 if access is granted, otherwise an appropriate value for 3128 * errno should be returned. 3129 */ 3130 typedef int mpo_system_check_settime_t( 3131 kauth_cred_t cred 3132 ); 3133 /** 3134 * @brief Access control check for removing swap devices 3135 * @param cred Subject credential 3136 * @param vp Swap device 3137 * @param label Label associated with vp 3138 * 3139 * Determine whether the subject identified by the credential should be 3140 * allowed to remove vp as a swap device. 3141 * 3142 * @return Return 0 if access is granted, otherwise an appropriate value for 3143 * errno should be returned. 3144 */ 3145 typedef int mpo_system_check_swapoff_t( 3146 kauth_cred_t cred, 3147 struct vnode *vp, 3148 struct label *label 3149 ); 3150 /** 3151 * @brief Access control check for adding swap devices 3152 * @param cred Subject credential 3153 * @param vp Swap device 3154 * @param label Label associated with vp 3155 * 3156 * Determine whether the subject identified by the credential should be 3157 * allowed to add vp as a swap device. 3158 * 3159 * @return Return 0 if access is granted, otherwise an appropriate value for 3160 * errno should be returned. 3161 */ 3162 typedef int mpo_system_check_swapon_t( 3163 kauth_cred_t cred, 3164 struct vnode *vp, 3165 struct label *label 3166 ); 3167 /** 3168 * @brief Access control check for sysctl 3169 * @param cred Subject credential 3170 * @param namestring String representation of sysctl name. 
3171 * @param name Integer name; see sysctl(3) 3172 * @param namelen Length of name array of integers; see sysctl(3) 3173 * @param old 0 or address where to store old value; see sysctl(3) 3174 * @param oldlen Length of old buffer; see sysctl(3) 3175 * @param newvalue 0 or address of new value; see sysctl(3) 3176 * @param newlen Length of new buffer; see sysctl(3) 3177 * 3178 * Determine whether the subject identified by the credential should be 3179 * allowed to make the specified sysctl(3) transaction. 3180 * 3181 * The sysctl(3) call specifies that if the old value is not desired, 3182 * oldp and oldlenp should be set to NULL. Likewise, if a new value is 3183 * not to be set, newp should be set to NULL and newlen set to 0. 3184 * 3185 * @return Return 0 if access is granted, otherwise an appropriate value for 3186 * errno should be returned. 3187 */ 3188 typedef int mpo_system_check_sysctlbyname_t( 3189 kauth_cred_t cred, 3190 const char *namestring, 3191 int *name, 3192 size_t namelen, 3193 user_addr_t old, /* NULLOK */ 3194 size_t oldlen, 3195 user_addr_t newvalue, /* NULLOK */ 3196 size_t newlen 3197 ); 3198 /** 3199 * @brief Access control check for kas_info 3200 * @param cred Subject credential 3201 * @param selector Category of information to return. See kas_info.h 3202 * 3203 * Determine whether the subject identified by the credential can perform 3204 * introspection of the kernel address space layout for 3205 * debugging/performance analysis. 3206 * 3207 * @return Return 0 if access is granted, otherwise an appropriate value for 3208 * errno should be returned. 
3209 */ 3210 typedef int mpo_system_check_kas_info_t( 3211 kauth_cred_t cred, 3212 int selector 3213 ); 3214 /** 3215 * @brief Create a System V message label 3216 * @param cred Subject credential 3217 * @param msqptr The message queue the message will be placed in 3218 * @param msqlabel The label of the message queue 3219 * @param msgptr The message 3220 * @param msglabel The label of the message 3221 * 3222 * Label the message as its placed in the message queue. 3223 */ 3224 typedef void mpo_sysvmsg_label_associate_t( 3225 kauth_cred_t cred, 3226 struct msqid_kernel *msqptr, 3227 struct label *msqlabel, 3228 struct msg *msgptr, 3229 struct label *msglabel 3230 ); 3231 /** 3232 * @brief Destroy System V message label 3233 * @param label The label to be destroyed 3234 * 3235 * Destroy a System V message label. Since the object is 3236 * going out of scope, policy modules should free any internal storage 3237 * associated with the label so that it may be destroyed. 3238 */ 3239 typedef void mpo_sysvmsg_label_destroy_t( 3240 struct label *label 3241 ); 3242 /** 3243 * @brief Initialize System V message label 3244 * @param label New label to initialize 3245 * 3246 * Initialize the label for a newly instantiated System V message. 3247 */ 3248 typedef void mpo_sysvmsg_label_init_t( 3249 struct label *label 3250 ); 3251 /** 3252 * @brief Clean up a System V message label 3253 * @param label The label to be destroyed 3254 * 3255 * Clean up a System V message label. Darwin pre-allocates 3256 * messages at system boot time and re-uses them rather than 3257 * allocating new ones. Before messages are returned to the "free 3258 * pool", policies can cleanup or overwrite any information present in 3259 * the label. 
3260 */ 3261 typedef void mpo_sysvmsg_label_recycle_t( 3262 struct label *label 3263 ); 3264 /** 3265 * @brief Access control check for System V message enqueuing 3266 * @param cred Subject credential 3267 * @param msgptr The message 3268 * @param msglabel The message's label 3269 * @param msqptr The message queue 3270 * @param msqlabel The message queue's label 3271 * 3272 * Determine whether the subject identified by the credential can add the 3273 * given message to the given message queue. 3274 * 3275 * @return Return 0 if access is granted, otherwise an appropriate value for 3276 * errno should be returned. 3277 */ 3278 typedef int mpo_sysvmsq_check_enqueue_t( 3279 kauth_cred_t cred, 3280 struct msg *msgptr, 3281 struct label *msglabel, 3282 struct msqid_kernel *msqptr, 3283 struct label *msqlabel 3284 ); 3285 /** 3286 * @brief Access control check for System V message reception 3287 * @param cred The credential of the intended recipient 3288 * @param msgptr The message 3289 * @param msglabel The message's label 3290 * 3291 * Determine whether the subject identified by the credential can receive 3292 * the given message. 3293 * 3294 * @return Return 0 if access is granted, otherwise an appropriate value for 3295 * errno should be returned. 3296 */ 3297 typedef int mpo_sysvmsq_check_msgrcv_t( 3298 kauth_cred_t cred, 3299 struct msg *msgptr, 3300 struct label *msglabel 3301 ); 3302 /** 3303 * @brief Access control check for System V message queue removal 3304 * @param cred The credential of the caller 3305 * @param msgptr The message 3306 * @param msglabel The message's label 3307 * 3308 * System V message queues are removed using the msgctl() system call. 3309 * The system will iterate over each message in the queue, calling this 3310 * function for each, to determine whether the caller has the appropriate 3311 * credentials. 3312 * 3313 * @return Return 0 if access is granted, otherwise an appropriate value for 3314 * errno should be returned. 
3315 */ 3316 typedef int mpo_sysvmsq_check_msgrmid_t( 3317 kauth_cred_t cred, 3318 struct msg *msgptr, 3319 struct label *msglabel 3320 ); 3321 /** 3322 * @brief Access control check for msgctl() 3323 * @param cred The credential of the caller 3324 * @param msqptr The message queue 3325 * @param msqlabel The message queue's label 3326 * 3327 * This access check is performed to validate calls to msgctl(). 3328 * 3329 * @return Return 0 if access is granted, otherwise an appropriate value for 3330 * errno should be returned. 3331 */ 3332 typedef int mpo_sysvmsq_check_msqctl_t( 3333 kauth_cred_t cred, 3334 struct msqid_kernel *msqptr, 3335 struct label *msqlabel, 3336 int cmd 3337 ); 3338 /** 3339 * @brief Access control check to get a System V message queue 3340 * @param cred The credential of the caller 3341 * @param msqptr The message queue requested 3342 * @param msqlabel The message queue's label 3343 * 3344 * On a call to msgget(), if the queue requested already exists, 3345 * and it is a public queue, this check will be performed before the 3346 * queue's ID is returned to the user. 3347 * 3348 * @return Return 0 if access is granted, otherwise an appropriate value for 3349 * errno should be returned. 3350 */ 3351 typedef int mpo_sysvmsq_check_msqget_t( 3352 kauth_cred_t cred, 3353 struct msqid_kernel *msqptr, 3354 struct label *msqlabel 3355 ); 3356 /** 3357 * @brief Access control check to receive a System V message from the given queue 3358 * @param cred The credential of the caller 3359 * @param msqptr The message queue to receive from 3360 * @param msqlabel The message queue's label 3361 * 3362 * On a call to msgrcv(), this check is performed to determine whether the 3363 * caller has receive rights on the given queue. 3364 * 3365 * @return Return 0 if access is granted, otherwise an appropriate value for 3366 * errno should be returned. 
3367 */ 3368 typedef int mpo_sysvmsq_check_msqrcv_t( 3369 kauth_cred_t cred, 3370 struct msqid_kernel *msqptr, 3371 struct label *msqlabel 3372 ); 3373 /** 3374 * @brief Access control check to send a System V message to the given queue 3375 * @param cred The credential of the caller 3376 * @param msqptr The message queue to send to 3377 * @param msqlabel The message queue's label 3378 * 3379 * On a call to msgsnd(), this check is performed to determine whether the 3380 * caller has send rights on the given queue. 3381 * 3382 * @return Return 0 if access is granted, otherwise an appropriate value for 3383 * errno should be returned. 3384 */ 3385 typedef int mpo_sysvmsq_check_msqsnd_t( 3386 kauth_cred_t cred, 3387 struct msqid_kernel *msqptr, 3388 struct label *msqlabel 3389 ); 3390 /** 3391 * @brief Create a System V message queue label 3392 * @param cred Subject credential 3393 * @param msqptr The message queue 3394 * @param msqlabel The label of the message queue 3395 * 3396 */ 3397 typedef void mpo_sysvmsq_label_associate_t( 3398 kauth_cred_t cred, 3399 struct msqid_kernel *msqptr, 3400 struct label *msqlabel 3401 ); 3402 /** 3403 * @brief Destroy System V message queue label 3404 * @param label The label to be destroyed 3405 * 3406 * Destroy a System V message queue label. Since the object is 3407 * going out of scope, policy modules should free any internal storage 3408 * associated with the label so that it may be destroyed. 3409 */ 3410 typedef void mpo_sysvmsq_label_destroy_t( 3411 struct label *label 3412 ); 3413 /** 3414 * @brief Initialize System V message queue label 3415 * @param label New label to initialize 3416 * 3417 * Initialize the label for a newly instantiated System V message queue. 3418 */ 3419 typedef void mpo_sysvmsq_label_init_t( 3420 struct label *label 3421 ); 3422 /** 3423 * @brief Clean up a System V message queue label 3424 * @param label The label to be destroyed 3425 * 3426 * Clean up a System V message queue label. 
Darwin pre-allocates 3427 * message queues at system boot time and re-uses them rather than 3428 * allocating new ones. Before message queues are returned to the "free 3429 * pool", policies can cleanup or overwrite any information present in 3430 * the label. 3431 */ 3432 typedef void mpo_sysvmsq_label_recycle_t( 3433 struct label *label 3434 ); 3435 /** 3436 * @brief Access control check for System V semaphore control operation 3437 * @param cred Subject credential 3438 * @param semakptr Pointer to semaphore identifier 3439 * @param semaklabel Label associated with semaphore 3440 * @param cmd Control operation to be performed; see semctl(2) 3441 * 3442 * Determine whether the subject identified by the credential can perform 3443 * the operation indicated by cmd on the System V semaphore semakptr. 3444 * 3445 * @return Return 0 if access is granted, otherwise an appropriate value for 3446 * errno should be returned. 3447 */ 3448 typedef int mpo_sysvsem_check_semctl_t( 3449 kauth_cred_t cred, 3450 struct semid_kernel *semakptr, 3451 struct label *semaklabel, 3452 int cmd 3453 ); 3454 /** 3455 * @brief Access control check for obtaining a System V semaphore 3456 * @param cred Subject credential 3457 * @param semakptr Pointer to semaphore identifier 3458 * @param semaklabel Label to associate with the semaphore 3459 * 3460 * Determine whether the subject identified by the credential can 3461 * obtain a System V semaphore. 3462 * 3463 * @return Return 0 if access is granted, otherwise an appropriate value for 3464 * errno should be returned. 
3465 */ 3466 typedef int mpo_sysvsem_check_semget_t( 3467 kauth_cred_t cred, 3468 struct semid_kernel *semakptr, 3469 struct label *semaklabel 3470 ); 3471 /** 3472 * @brief Access control check for System V semaphore operations 3473 * @param cred Subject credential 3474 * @param semakptr Pointer to semaphore identifier 3475 * @param semaklabel Label associated with the semaphore 3476 * @param accesstype Flags to indicate access (read and/or write) 3477 * 3478 * Determine whether the subject identified by the credential can 3479 * perform the operations on the System V semaphore indicated by 3480 * semakptr. The accesstype flags hold the maximum set of permissions 3481 * from the sem_op array passed to the semop system call. It may 3482 * contain SEM_R for read-only operations or SEM_A for read/write 3483 * operations. 3484 * 3485 * @return Return 0 if access is granted, otherwise an appropriate value for 3486 * errno should be returned. 3487 */ 3488 typedef int mpo_sysvsem_check_semop_t( 3489 kauth_cred_t cred, 3490 struct semid_kernel *semakptr, 3491 struct label *semaklabel, 3492 size_t accesstype 3493 ); 3494 /** 3495 * @brief Create a System V semaphore label 3496 * @param cred Subject credential 3497 * @param semakptr The semaphore being created 3498 * @param semalabel Label to associate with the new semaphore 3499 * 3500 * Label a new System V semaphore. The label was previously 3501 * initialized and associated with the semaphore. At this time, an 3502 * appropriate initial label value should be assigned to the object and 3503 * stored in semalabel. 3504 */ 3505 typedef void mpo_sysvsem_label_associate_t( 3506 kauth_cred_t cred, 3507 struct semid_kernel *semakptr, 3508 struct label *semalabel 3509 ); 3510 /** 3511 * @brief Destroy System V semaphore label 3512 * @param label The label to be destroyed 3513 * 3514 * Destroy a System V semaphore label. 
Since the object is 3515 * going out of scope, policy modules should free any internal storage 3516 * associated with the label so that it may be destroyed. 3517 */ 3518 typedef void mpo_sysvsem_label_destroy_t( 3519 struct label *label 3520 ); 3521 /** 3522 * @brief Initialize System V semaphore label 3523 * @param label New label to initialize 3524 * 3525 * Initialize the label for a newly instantiated System V semaphore. Sleeping 3526 * is permitted. 3527 */ 3528 typedef void mpo_sysvsem_label_init_t( 3529 struct label *label 3530 ); 3531 /** 3532 * @brief Clean up a System V semaphore label 3533 * @param label The label to be cleaned 3534 * 3535 * Clean up a System V semaphore label. Darwin pre-allocates 3536 * semaphores at system boot time and re-uses them rather than 3537 * allocating new ones. Before semaphores are returned to the "free 3538 * pool", policies can cleanup or overwrite any information present in 3539 * the label. 3540 */ 3541 typedef void mpo_sysvsem_label_recycle_t( 3542 struct label *label 3543 ); 3544 /** 3545 * @brief Access control check for mapping System V shared memory 3546 * @param cred Subject credential 3547 * @param shmsegptr Pointer to shared memory segment identifier 3548 * @param shmseglabel Label associated with the shared memory segment 3549 * @param shmflg shmat flags; see shmat(2) 3550 * 3551 * Determine whether the subject identified by the credential can map 3552 * the System V shared memory segment associated with shmsegptr. 3553 * 3554 * @return Return 0 if access is granted, otherwise an appropriate value for 3555 * errno should be returned. 
3556 */ 3557 typedef int mpo_sysvshm_check_shmat_t( 3558 kauth_cred_t cred, 3559 struct shmid_kernel *shmsegptr, 3560 struct label *shmseglabel, 3561 int shmflg 3562 ); 3563 /** 3564 * @brief Access control check for System V shared memory control operation 3565 * @param cred Subject credential 3566 * @param shmsegptr Pointer to shared memory segment identifier 3567 * @param shmseglabel Label associated with the shared memory segment 3568 * @param cmd Control operation to be performed; see shmctl(2) 3569 * 3570 * Determine whether the subject identified by the credential can perform 3571 * the operation indicated by cmd on the System V shared memory segment 3572 * shmsegptr. 3573 * 3574 * @return Return 0 if access is granted, otherwise an appropriate value for 3575 * errno should be returned. 3576 */ 3577 typedef int mpo_sysvshm_check_shmctl_t( 3578 kauth_cred_t cred, 3579 struct shmid_kernel *shmsegptr, 3580 struct label *shmseglabel, 3581 int cmd 3582 ); 3583 /** 3584 * @brief Access control check for unmapping System V shared memory 3585 * @param cred Subject credential 3586 * @param shmsegptr Pointer to shared memory segment identifier 3587 * @param shmseglabel Label associated with the shared memory segment 3588 * 3589 * Determine whether the subject identified by the credential can unmap 3590 * the System V shared memory segment associated with shmsegptr. 3591 * 3592 * @return Return 0 if access is granted, otherwise an appropriate value for 3593 * errno should be returned. 
3594 */ 3595 typedef int mpo_sysvshm_check_shmdt_t( 3596 kauth_cred_t cred, 3597 struct shmid_kernel *shmsegptr, 3598 struct label *shmseglabel 3599 ); 3600 /** 3601 * @brief Access control check for obtaining a System V shared memory identifier 3602 * @param cred Subject credential 3603 * @param shmsegptr Pointer to shared memory segment identifier 3604 * @param shmseglabel Label associated with the shared memory segment 3605 * @param shmflg shmget flags; see shmget(2) 3606 * 3607 * Determine whether the subject identified by the credential can obtain 3608 * the identifier of the System V shared memory segment associated with shmsegptr, as returned by shmget(2). Mapping the segment into the address space is checked separately by mpo_sysvshm_check_shmat_t. 3609 * 3610 * @return Return 0 if access is granted, otherwise an appropriate value for 3611 * errno should be returned. 3612 */ 3613 typedef int mpo_sysvshm_check_shmget_t( 3614 kauth_cred_t cred, 3615 struct shmid_kernel *shmsegptr, 3616 struct label *shmseglabel, 3617 int shmflg 3618 ); 3619 /** 3620 * @brief Create a System V shared memory region label 3621 * @param cred Subject credential 3622 * @param shmsegptr The shared memory region being created 3623 * @param shmlabel Label to associate with the new shared memory region 3624 * 3625 * Label a new System V shared memory region. The label was previously 3626 * initialized and associated with the shared memory region. At this 3627 * time, an appropriate initial label value should be assigned to the 3628 * object and stored in shmlabel. 3629 */ 3630 typedef void mpo_sysvshm_label_associate_t( 3631 kauth_cred_t cred, 3632 struct shmid_kernel *shmsegptr, 3633 struct label *shmlabel 3634 ); 3635 /** 3636 * @brief Destroy System V shared memory label 3637 * @param label The label to be destroyed 3638 * 3639 * Destroy a System V shared memory region label. Since the 3640 * object is going out of scope, policy modules should free any 3641 * internal storage associated with the label so that it may be 3642 * destroyed.
3643 */ 3644 typedef void mpo_sysvshm_label_destroy_t( 3645 struct label *label 3646 ); 3647 /** 3648 * @brief Initialize System V Shared Memory region label 3649 * @param label New label to initialize 3650 * 3651 * Initialize the label for a newly instantiated System V Shared Memory 3652 * region. Sleeping is permitted. 3653 */ 3654 typedef void mpo_sysvshm_label_init_t( 3655 struct label *label 3656 ); 3657 /** 3658 * @brief Clean up a System V Shared Memory Region label 3659 * @param shmlabel The label to be cleaned 3660 * 3661 * Clean up a System V Shared Memory Region label. Darwin 3662 * pre-allocates these objects at system boot time and re-uses them 3663 * rather than allocating new ones. Before the memory regions are 3664 * returned to the "free pool", policies should clean up or overwrite any 3665 * information present in the label: because the object is re-used rather than re-initialized, anything left behind is visible to its next user. 3666 */ 3667 typedef void mpo_sysvshm_label_recycle_t( 3668 struct label *shmlabel 3669 ); 3670 3671 /** 3672 * @brief Access control check for getting a process's task ports of different flavors 3673 * @param cred Subject credential 3674 * @param pident Object unique process identifier 3675 * @param flavor Requested task port flavor 3676 * 3677 * Determine whether the subject identified by the credential can get 3678 * the passed process's task port of given flavor. 3679 * This call is used by the task_{,read,inspect,name}_for_pid(2) API. 3680 * 3681 * @return Return 0 if access is granted, otherwise an appropriate value for 3682 * errno should be returned. Suggested failure: EACCES for label mismatch, 3683 * EPERM for lack of privilege, or ESRCH to hide visibility of the target.
3684 */ 3685 typedef int mpo_proc_check_get_task_with_flavor_t( 3686 kauth_cred_t cred, 3687 struct proc_ident *pident, 3688 mach_task_flavor_t flavor 3689 ); 3690 3691 /** 3692 * @brief Access control check for exposing a process's task ports of different flavors 3693 * @param cred Subject credential 3694 * @param pident Object unique process identifier 3695 * @param flavor Requested task port flavor 3696 * 3697 * Determine whether the subject identified by the credential can expose 3698 * the passed process's task port of given flavor. 3699 * This call is used by the accessor APIs like processor_set_tasks() and 3700 * processor_set_threads(). 3701 * 3702 * @return Return 0 if access is granted, otherwise an appropriate value for 3703 * errno should be returned. Suggested failure: EACCES for label mismatch, 3704 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3705 */ 3706 typedef int mpo_proc_check_expose_task_with_flavor_t( 3707 kauth_cred_t cred, 3708 struct proc_ident *pident, 3709 mach_task_flavor_t flavor 3710 ); 3711 3712 /** 3713 * @brief Access control check for upgrading to task port with a task identity token 3714 * @param cred Subject credential 3715 * @param pident Object unique process identifier, NULL if token represents a corpse task 3716 * @param flavor Requested task port flavor 3717 * 3718 * Determine whether the subject identified by the credential can upgrade to task port 3719 * of given flavor with a task identity token of the passed process. 3720 * This call is used by task_identity_token_get_task_port(). 3721 * 3722 * @return Return 0 if access is granted, otherwise an appropriate value for 3723 * errno should be returned. Suggested failure: EACCES for label mismatch, 3724 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 
3725 */ 3726 typedef int mpo_proc_check_task_id_token_get_task_t( 3727 kauth_cred_t cred, 3728 struct proc_ident *pident, /* Nullable */ 3729 mach_task_flavor_t flavor 3730 ); 3731 3732 /** 3733 * @brief Check whether a task's IPC ports may be inherited across process exec 3734 * @param p Current process (the process performing the exec) 3735 * @param cur_vp vnode pointer to the currently executing image 3736 * @param cur_offset offset of binary of currently executing image 3737 * @param img_vp vnode pointer to the image to be exec'ed 3738 * @param img_offset offset into file which is selected for execution 3739 * @param scriptvp vnode pointer of script file, if any. 3740 * @return Return 0 if the ports may be inherited, otherwise an appropriate value for errno: 3741 * EPERM if the parent does not have any entitlements, 3742 * EACCES if the entitlements mismatch. 3743 */ 3744 typedef int mpo_proc_check_inherit_ipc_ports_t( 3745 struct proc *p, 3746 struct vnode *cur_vp, 3747 off_t cur_offset, 3748 struct vnode *img_vp, 3749 off_t img_offset, 3750 struct vnode *scriptvp 3751 ); 3752 3753 /** 3754 * @brief Privilege check for a process to run with an invalid code signature 3755 * @param p Object process 3756 * 3757 * Determine whether the process may execute even though the system determined 3758 * that it is untrusted (eg unidentified / modified code). 3759 * 3760 * @return Return 0 if access is granted, otherwise an appropriate value for 3761 * errno should be returned. 3762 */ 3763 typedef int mpo_proc_check_run_cs_invalid_t( 3764 struct proc *p 3765 ); 3766 3767 /** 3768 * @brief Notification a process was invalidated 3769 * @param p Object process 3770 * 3771 * Notifies that the CS_VALID bit was removed from a process' csflags. This 3772 * either indicates that a validly code-signed process has encountered an 3773 * invalidly code-signed page for the first time, or that it was explicitly 3774 * marked invalid via a csops(CS_OPS_MARKINVALID) syscall.
3775 * 3776 * @warning This hook can be called from the page fault handler; it should not 3777 * perform any operations that may result in paging, and stack space is extremely 3778 * limited. Furthermore, the hook is called with proc lock held, and if called 3779 * from the fault handler, with vm object lock held. Consumers reacting to this 3780 * hook being called are expected to defer processing to a userret, possibly 3781 * after suspending the task. 3782 */ 3783 typedef void mpo_proc_notify_cs_invalidated_t( 3784 struct proc *p 3785 ); 3786 3787 /** 3788 * @brief Notification a process is finished with exec and will jump to userspace 3789 * @param p Object process 3790 * 3791 * Notifies all MAC policies that a process has completed an exec and is about to 3792 * jump to userspace to continue execution. This may result in process termination 3793 * via signals. Hook is designed to hold no/minimal locks so it can be used for any 3794 * necessary upcalls. 3795 */ 3796 typedef void mpo_proc_notify_exec_complete_t( 3797 struct proc *p 3798 ); 3799 3800 /** 3801 * @brief Access control check for setting user ID 3802 * @param cred Subject credential 3803 * @param uid Requested user ID 3804 * 3805 * Determine whether the subject identified by the credential can set the 3806 * real and effective user ID and the saved set-user-ID of the current 3807 * process, using the setuid() system call. 3808 * 3809 * @return Return 0 if access is granted, otherwise an appropriate value for 3810 * errno should be returned. 3811 */ 3812 typedef int mpo_proc_check_setuid_t( 3813 kauth_cred_t cred, 3814 uid_t uid 3815 ); 3816 3817 /** 3818 * @brief Access control check for setting effective user ID 3819 * @param cred Subject credential 3820 * @param euid Requested effective user ID 3821 * 3822 * Determine whether the subject identified by the credential can set the 3823 * effective user ID of the current process, using the seteuid() system call. 
3824 * 3825 * @return Return 0 if access is granted, otherwise an appropriate value for 3826 * errno should be returned. 3827 */ 3828 typedef int mpo_proc_check_seteuid_t( 3829 kauth_cred_t cred, 3830 uid_t euid 3831 ); 3832 3833 /** 3834 * @brief Access control check for setting real and effective user ID 3835 * @param cred Subject credential 3836 * @param ruid Requested real user ID 3837 * @param euid Requested effective user ID 3838 * 3839 * Determine whether the subject identified by the credential can set the 3840 * real and effective user ID of the current process, using the setreuid() 3841 * system call. 3842 * 3843 * @return Return 0 if access is granted, otherwise an appropriate value for 3844 * errno should be returned. 3845 */ 3846 typedef int mpo_proc_check_setreuid_t( 3847 kauth_cred_t cred, 3848 uid_t ruid, 3849 uid_t euid 3850 ); 3851 3852 /** 3853 * @brief Access control check for setting group ID 3854 * @param cred Subject credential 3855 * @param gid Requested group ID 3856 * 3857 * Determine whether the subject identified by the credential can set the 3858 * real and effective group IDs and the saved set-group-ID of the current 3859 * process, using the setgid() system call. 3860 * 3861 * @return Return 0 if access is granted, otherwise an appropriate value for 3862 * errno should be returned. 3863 */ 3864 typedef int mpo_proc_check_setgid_t( 3865 kauth_cred_t cred, 3866 gid_t gid 3867 ); 3868 3869 /** 3870 * @brief Access control check for setting effective group ID 3871 * @param cred Subject credential 3872 * @param egid Requested effective group ID 3873 * 3874 * Determine whether the subject identified by the credential can set the 3875 * effective group ID of the current process, using the setegid() system call. 3876 * 3877 * @return Return 0 if access is granted, otherwise an appropriate value for 3878 * errno should be returned. 
3879 */ 3880 typedef int mpo_proc_check_setegid_t( 3881 kauth_cred_t cred, 3882 gid_t egid 3883 ); 3884 3885 /** 3886 * @brief Access control check for setting real and effective group ID 3887 * @param cred Subject credential 3888 * @param rgid Requested real group ID or KAUTH_GID_NONE for none 3889 * @param egid Requested effective group ID or KAUTH_GID_NONE for none 3890 * 3891 * Determine whether the subject identified by the credential can set the 3892 * real and effective group ID of the current process, using the setregid() 3893 * system call. 3894 * 3895 * @return Return 0 if access is granted, otherwise an appropriate value for 3896 * errno should be returned. 3897 */ 3898 typedef int mpo_proc_check_setregid_t( 3899 kauth_cred_t cred, 3900 gid_t rgid, 3901 gid_t egid 3902 ); 3903 3904 /** 3905 * @brief Access control check for setting thread assumed identity 3906 * @param pcred Subject process credential 3907 * @param tcred Subject thread credential 3908 * @param uid Requested user ID or KAUTH_UID_NONE for none 3909 * @param gid Requested group ID or KAUTH_GID_NONE for none 3910 * 3911 * Determine whether the subject identified by the process credential (pcred) and the current thread credential (tcred) can set the 3912 * user and group ID of the current thread, using the settid() or 3913 * settid_with_pid() system call. 3914 * 3915 * @return Return 0 if access is granted, otherwise an appropriate value for 3916 * errno should be returned. 3917 */ 3918 typedef int mpo_proc_check_settid_t( 3919 kauth_cred_t pcred, 3920 kauth_cred_t tcred, 3921 uid_t uid, 3922 gid_t gid 3923 ); 3924 3925 /** 3926 * @brief Notification of connection port derivation from service port 3927 * @param cred Subject process credential 3928 * @param sp_info Service port info 3929 * 3930 * Called when a process derives a connection port from a service port. 3931 * 3932 * Notes: 3933 * - Port derivation is only mandatory if the receiving end of the 3934 * connection performs validation of that fact.
3935 * - MAC policies should not perform upcalls or expensive operations in 3936 * this hook. 3937 * - Only called on macOS. 3938 */ 3939 typedef void mpo_proc_notify_service_port_derive_t( 3940 kauth_cred_t cred, 3941 struct mach_service_port_info *sp_info 3942 ); 3943 3944 /** 3945 * @brief Perform MAC-related analysis of telemetry data. 3946 * @param thread The Mach thread that was sampled. * @param err Zero on success, or a non-zero value if the scheduled telemetry collection failed (see below). * @param data The collected telemetry data. * @param length Length of data in bytes; policies must bound every read of data by length. 3947 * 3948 * Notifies MAC policies that telemetry data was just collected from a 3949 * process's user thread and that it is ready to be analyzed. The analysis is 3950 * performed shortly before a thread is about to return to userspace via a 3951 * syscall or mach trap. 3952 * 3953 * Note that sometimes the scheduled telemetry can fail. In the case of 3954 * failure, the function will be called with a non-zero `err` value, in which 3955 * case it is expected that the client will cleanup any necessary state 3956 * recorded back when the telemetry was first scheduled. When err is non-zero, policies should not rely on data or length (NOTE(review): this header does not state what they hold in the failure case; confirm against the caller). 3957 */ 3958 typedef void mpo_thread_telemetry_t( 3959 struct thread *thread, 3960 int err, 3961 const void *data, 3962 size_t length 3963 ); 3964 3965 /** 3966 * @brief Perform MAC-related events when a thread returns to user space 3967 * @param thread Mach (not BSD) thread that is returning 3968 * 3969 * This entry point permits policy modules to perform MAC-related 3970 * events when a thread returns to user space, via a system call 3971 * return or trap return. 3972 */ 3973 typedef void mpo_thread_userret_t( 3974 struct thread *thread 3975 ); 3976 3977 /** 3978 * @brief Check vnode access 3979 * @param cred Subject credential 3980 * @param vp Object vnode 3981 * @param label Label for vp 3982 * @param acc_mode access(2) flags 3983 * 3984 * Determine how invocations of access(2) and related calls by the 3985 * subject identified by the credential should return when performed 3986 * on the passed vnode using the passed access flags.
This should 3987 * generally be implemented using the same semantics used in 3988 * mpo_vnode_check_open. 3989 * 3990 * @return Return 0 if access is granted, otherwise an appropriate value for 3991 * errno should be returned. Suggested failure: EACCES for label mismatch or 3992 * EPERM for lack of privilege. 3993 */ 3994 typedef int mpo_vnode_check_access_t( 3995 kauth_cred_t cred, 3996 struct vnode *vp, 3997 struct label *label, 3998 int acc_mode 3999 ); 4000 /** 4001 * @brief Access control check for changing working directory 4002 * @param cred Subject credential 4003 * @param dvp Object; vnode to chdir(2) into 4004 * @param dlabel Policy label for dvp 4005 * 4006 * Determine whether the subject identified by the credential can change 4007 * the process working directory to the passed vnode. 4008 * 4009 * @return Return 0 if access is granted, otherwise an appropriate value for 4010 * errno should be returned. Suggested failure: EACCES for label mismatch or 4011 * EPERM for lack of privilege. 4012 */ 4013 typedef int mpo_vnode_check_chdir_t( 4014 kauth_cred_t cred, 4015 struct vnode *dvp, 4016 struct label *dlabel 4017 ); 4018 /** 4019 * @brief Access control check for changing root directory 4020 * @param cred Subject credential 4021 * @param dvp Directory vnode 4022 * @param dlabel Policy label associated with dvp 4023 * @param cnp Component name for dvp 4024 * 4025 * Determine whether the subject identified by the credential should be 4026 * allowed to chroot(2) into the specified directory (dvp). 4027 * 4028 * @return In the event of an error, an appropriate value for errno 4029 * should be returned, otherwise return 0 upon success. 
4030 */ 4031 typedef int mpo_vnode_check_chroot_t( 4032 kauth_cred_t cred, 4033 struct vnode *dvp, 4034 struct label *dlabel, 4035 struct componentname *cnp 4036 ); 4037 /** 4038 * @brief Access control check for creating clone 4039 * @param cred Subject credential 4040 * @param dvp Vnode of directory to create the clone in 4041 * @param dlabel Policy label associated with dvp 4042 * @param vp Vnode of the file to clone from 4043 * @param label Policy label associated with vp 4044 * @param cnp Component name for the clone being created 4045 * 4046 * Determine whether the subject identified by the credential should be 4047 * allowed to create a clone of the vnode vp with the name specified by cnp. 4048 * 4049 * @return Return 0 if access is granted, otherwise an appropriate value for 4050 * errno should be returned. 4051 */ 4052 typedef int mpo_vnode_check_clone_t( 4053 kauth_cred_t cred, 4054 struct vnode *dvp, 4055 struct label *dlabel, 4056 struct vnode *vp, 4057 struct label *label, 4058 struct componentname *cnp 4059 ); 4060 /** 4061 * @brief Access control check for creating vnode 4062 * @param cred Subject credential 4063 * @param dvp Parent directory vnode 4064 * @param dlabel Policy label for dvp 4065 * @param cnp Component name of the vnode being created in dvp 4066 * @param vap Requested attributes (type, mode, ownership, etc.) for the vnode being created 4067 * 4068 * Determine whether the subject identified by the credential can create 4069 * a vnode with the passed parent directory, passed name information, 4070 * and passed attribute information. This call may be made in a number of 4071 * situations, including as a result of calls to open(2) with O_CREAT, 4072 * mknod(2), mkfifo(2), and others. 4073 * 4074 * @return Return 0 if access is granted, otherwise an appropriate value for 4075 * errno should be returned. Suggested failure: EACCES for label mismatch or 4076 * EPERM for lack of privilege.
4077 */ 4078 typedef int mpo_vnode_check_create_t( 4079 kauth_cred_t cred, 4080 struct vnode *dvp, 4081 struct label *dlabel, 4082 struct componentname *cnp, 4083 struct vnode_attr *vap 4084 ); 4085 /** 4086 * @brief Access control check for deleting extended attribute 4087 * @param cred Subject credential 4088 * @param vp Object vnode 4089 * @param vlabel Label associated with vp 4090 * @param name Extended attribute name 4091 * 4092 * Determine whether the subject identified by the credential can delete 4093 * the extended attribute from the passed vnode. 4094 * 4095 * @return Return 0 if access is granted, otherwise an appropriate value for 4096 * errno should be returned. Suggested failure: EACCES for label mismatch or 4097 * EPERM for lack of privilege. 4098 */ 4099 typedef int mpo_vnode_check_deleteextattr_t( 4100 kauth_cred_t cred, 4101 struct vnode *vp, 4102 struct label *vlabel, 4103 const char *name 4104 ); 4105 /** 4106 * @brief Access control check for exchanging file data 4107 * @param cred Subject credential 4108 * @param v1 vnode 1 to swap 4109 * @param vl1 Policy label for v1 4110 * @param v2 vnode 2 to swap 4111 * @param vl2 Policy label for v2 4112 * 4113 * Determine whether the subject identified by the credential can swap the data 4114 * in the two supplied vnodes. 4115 * 4116 * @return Return 0 if access is granted, otherwise an appropriate value for 4117 * errno should be returned. Suggested failure: EACCES for label mismatch or 4118 * EPERM for lack of privilege. 4119 */ 4120 typedef int mpo_vnode_check_exchangedata_t( 4121 kauth_cred_t cred, 4122 struct vnode *v1, 4123 struct label *vl1, 4124 struct vnode *v2, 4125 struct label *vl2 4126 ); 4127 /** 4128 * @brief Access control check for executing the vnode 4129 * @param cred Subject credential 4130 * @param vp Object vnode to execute 4131 * @param scriptvp Script being executed by interpreter, if any. 
4132 * @param vnodelabel Label corresponding to vp 4133 * @param scriptlabel Script vnode label 4134 * @param execlabel Userspace provided execution label, or NULL (see below) 4135 * @param cnp Component name for file being executed * @param csflags Pointer to the code-signing flags of the image being executed; passed by pointer, presumably so that a policy may update them (NOTE(review): confirm against the caller) 4136 * @param macpolicyattr MAC policy-specific spawn attribute data; opaque to the framework, so policies must bound every read by macpolicyattrlen. 4137 * @param macpolicyattrlen Length of policy-specific spawn attribute data. 4138 * 4139 * Determine whether the subject identified by the credential can execute 4140 * the passed vnode. Determination of execute privilege is made separately 4141 * from decisions about any process label transitioning event. 4142 * 4143 * The final label, execlabel, corresponds to a label supplied by a 4144 * user space application through the use of the mac_execve system call. 4145 * This label will be NULL if the user application uses the vendor 4146 * execve(2) call instead of the MAC Framework mac_execve() call. 4147 * 4148 * @return Return 0 if access is granted, otherwise an appropriate value for 4149 * errno should be returned. Suggested failure: EACCES for label mismatch or 4150 * EPERM for lack of privilege. 4151 */ 4152 typedef int mpo_vnode_check_exec_t( 4153 kauth_cred_t cred, 4154 struct vnode *vp, 4155 struct vnode *scriptvp, 4156 struct label *vnodelabel, 4157 struct label *scriptlabel, 4158 struct label *execlabel, /* NULLOK */ 4159 struct componentname *cnp, 4160 u_int *csflags, 4161 void *macpolicyattr, 4162 size_t macpolicyattrlen 4163 ); 4164 /** 4165 * @brief Access control check for fsgetpath 4166 * @param cred Subject credential 4167 * @param vp Vnode for which a path will be returned 4168 * @param label Label associated with the vnode 4169 * 4170 * Determine whether the subject identified by the credential can get the path 4171 * of the given vnode with fsgetpath. 4172 * 4173 * @return Return 0 if access is granted, otherwise an appropriate value for 4174 * errno should be returned.
4175 */ 4176 typedef int mpo_vnode_check_fsgetpath_t( 4177 kauth_cred_t cred, 4178 struct vnode *vp, 4179 struct label *label 4180 ); 4181 /** 4182 * @brief Access control check for retrieving file attributes 4183 * @param active_cred Subject credential 4184 * @param file_cred Credential associated with the struct fileproc, or NULL when none applies (NULLOK) 4185 * @param vp Object vnode 4186 * @param vlabel Policy label for vp 4187 * @param va Vnode attributes to retrieve 4188 * 4189 * Determine whether the subject identified by the credential can 4190 * get information about the passed vnode. The active_cred holds 4191 * the credentials of the subject performing the operation, and 4192 * file_cred, when non-NULL, holds the credentials of the subject that originally 4193 * opened the file. This check happens during stat(), lstat(), 4194 * fstat(), and getattrlist() syscalls. See <sys/vnode.h> for 4195 * definitions of the attributes. 4196 * 4197 * @return Return 0 if access is granted, otherwise an appropriate value for 4198 * errno should be returned. 4199 * 4200 * @note Policies may change the contents of va to alter the list of 4201 * file attributes returned. 4202 */ 4203 typedef int mpo_vnode_check_getattr_t( 4204 kauth_cred_t active_cred, 4205 kauth_cred_t file_cred, /* NULLOK */ 4206 struct vnode *vp, 4207 struct label *vlabel, 4208 struct vnode_attr *va 4209 ); 4210 /** 4211 * @brief Access control check for retrieving file attributes via getattrlist(2) 4212 * @param cred Subject credential 4213 * @param vp Object vnode 4214 * @param vlabel Policy label for vp 4215 * @param alist List of attributes to retrieve 4216 * @param options Option flags for alist 4217 * 4218 * Determine whether the subject identified by the credential can read 4219 * various attributes of the specified vnode, or the filesystem or volume on 4220 * which that vnode resides. See <sys/attr.h> for definitions of the 4221 * attributes and flags.
4222 * 4223 * @return Return 0 if access is granted, otherwise an appropriate value for 4224 * errno should be returned. Suggested failure: EACCES for label mismatch or 4225 * EPERM for lack of privilege. Access control covers all attributes requested 4226 * with this call; the security policy is not permitted to change the set of 4227 * attributes requested. 4228 */ 4229 typedef int mpo_vnode_check_getattrlist_t( 4230 kauth_cred_t cred, 4231 struct vnode *vp, 4232 struct label *vlabel, 4233 struct attrlist *alist, 4234 uint64_t options 4235 ); 4236 /** 4237 * @brief Access control check for retrieving file attributes for multiple directory entries 4238 * @param cred Subject credential 4239 * @param dvp Directory vnode whose entries are being enumerated 4240 * @param alist List of attributes to retrieve 4241 * @param options Option flags for alist 4242 * 4243 * Determine whether the subject identified by the credential can read 4244 * various attributes of the entries of the specified directory vnode (dvp), or of the filesystem or volume on 4245 * which that directory resides. See <sys/attr.h> for definitions of the 4246 * attributes and flags. Unlike mpo_vnode_check_getattrlist_t, this hook receives no policy label for dvp and the individual entries are not presented to it; the decision is made once for the whole directory. 4247 * 4248 * @return Return 0 if access is granted, otherwise an appropriate value for 4249 * errno should be returned. Suggested failure: EACCES for label mismatch or 4250 * EPERM for lack of privilege. Access control covers all attributes requested 4251 * with this call; the security policy is not permitted to change the set of 4252 * attributes requested.
4253 */ 4254 typedef int mpo_vnode_check_getattrlistbulk_t( 4255 kauth_cred_t cred, 4256 struct vnode *dvp, 4257 struct attrlist *alist, 4258 uint64_t options 4259 ); 4260 /** 4261 * @brief Access control check for retrieving an extended attribute 4262 * @param cred Subject credential 4263 * @param vp Object vnode 4264 * @param label Policy label for vp, or NULL (NULLOK) 4265 * @param name Extended attribute name 4266 * @param uio I/O structure pointer, or NULL (see below) 4267 * 4268 * Determine whether the subject identified by the credential can retrieve 4269 * the extended attribute from the passed vnode. The uio parameter 4270 * will be NULL when the getxattr(2) call has been made with a NULL data 4271 * value; this is done to request the size of the data only. 4272 * 4273 * @return Return 0 if access is granted, otherwise an appropriate value for 4274 * errno should be returned. Suggested failure: EACCES for label mismatch or 4275 * EPERM for lack of privilege. 4276 */ 4277 typedef int mpo_vnode_check_getextattr_t( 4278 kauth_cred_t cred, 4279 struct vnode *vp, 4280 struct label *label, /* NULLOK */ 4281 const char *name, 4282 struct uio *uio /* NULLOK */ 4283 ); 4284 /** 4285 * @brief Access control check for ioctl 4286 * @param cred Subject credential 4287 * @param vp Object vnode 4288 * @param label Policy label for vp 4289 * @param cmd Device-dependent request code; see ioctl(2) 4290 * 4291 * Determine whether the subject identified by the credential can perform 4292 * the ioctl operation indicated by cmd. 4293 * 4294 * @warning Since ioctl data is opaque from the standpoint of the MAC 4295 * framework (only the request code cmd is passed to this hook, not the argument data), and since ioctls can affect many aspects of system 4296 * operation, policies must exercise extreme care when implementing 4297 * access control checks. 4298 * 4299 * @return Return 0 if access is granted, otherwise an appropriate value for 4300 * errno should be returned.
4301 */ 4302 typedef int mpo_vnode_check_ioctl_t( 4303 kauth_cred_t cred, 4304 struct vnode *vp, 4305 struct label *label, 4306 unsigned long cmd 4307 ); 4308 /** 4309 * @brief Access control check for vnode kqfilter 4310 * @param active_cred Subject credential * @param file_cred Credential associated with the struct fileproc, or NULL when none applies (NULLOK) 4311 * @param kn Object knote 4312 * @param vp Object vnode 4313 * @param label Policy label for vp 4314 * 4315 * Determine whether the subject identified by the credential can 4316 * receive the knote on the passed vnode. 4317 * 4318 * @return Return 0 if access is granted, otherwise an appropriate 4319 * value for errno should be returned. 4320 */ 4321 typedef int mpo_vnode_check_kqfilter_t( 4322 kauth_cred_t active_cred, 4323 kauth_cred_t file_cred, /* NULLOK */ 4324 struct knote *kn, 4325 struct vnode *vp, 4326 struct label *label 4327 ); 4328 /** 4329 * @brief Access control check for relabel 4330 * @param cred Subject credential (note: declared as struct ucred * for this entry point rather than kauth_cred_t as elsewhere in this header) 4331 * @param vp Object vnode 4332 * @param vnodelabel Existing policy label for vp 4333 * @param newlabel Policy label update to later be applied to vp 4334 * @see mpo_vnode_label_update 4335 * 4336 * Determine whether the subject identified by the credential can relabel 4337 * the passed vnode to the passed label update. If all policies permit 4338 * the label change, the actual relabel entry point (mpo_vnode_label_update) 4339 * will follow. 4340 * 4341 * @return Return 0 if access is granted, otherwise an appropriate value for 4342 * errno should be returned.
4343 */ 4344 typedef int mpo_vnode_check_label_update_t( 4345 struct ucred *cred, 4346 struct vnode *vp, 4347 struct label *vnodelabel, 4348 struct label *newlabel 4349 ); 4350 /** 4351 * @brief Access control check for creating link 4352 * @param cred Subject credential 4353 * @param dvp Directory vnode 4354 * @param dlabel Policy label associated with dvp 4355 * @param vp Link destination vnode 4356 * @param label Policy label associated with vp 4357 * @param cnp Component name for the link being created 4358 * 4359 * Determine whether the subject identified by the credential should be 4360 * allowed to create a link to the vnode vp with the name specified by cnp. 4361 * 4362 * @return Return 0 if access is granted, otherwise an appropriate value for 4363 * errno should be returned. 4364 */ 4365 typedef int mpo_vnode_check_link_t( 4366 kauth_cred_t cred, 4367 struct vnode *dvp, 4368 struct label *dlabel, 4369 struct vnode *vp, 4370 struct label *label, 4371 struct componentname *cnp 4372 ); 4373 /** 4374 * @brief Access control check for listing extended attributes 4375 * @param cred Subject credential 4376 * @param vp Object vnode 4377 * @param vlabel Policy label associated with vp 4378 * 4379 * Determine whether the subject identified by the credential can retrieve 4380 * a list of named extended attributes from a vnode. 4381 * 4382 * @return Return 0 if access is granted, otherwise an appropriate value for 4383 * errno should be returned. 
4384 */ 4385 typedef int mpo_vnode_check_listextattr_t( 4386 kauth_cred_t cred, 4387 struct vnode *vp, 4388 struct label *vlabel 4389 ); 4390 /** 4391 * @brief Access control check for path lookup (whole-path preflight) 4392 * @param cred Subject credential 4393 * @param dvp Directory vnode 4394 * @param dlabel Policy label for dvp 4395 * @param path Path being looked up 4396 * @param pathlen Length of path in bytes 4397 * 4398 * Determine whether the subject identified by the credential can perform 4399 * a lookup of the passed path relative to the passed directory vnode. 4400 * 4401 * @return Return 0 if access is granted, otherwise an appropriate value for 4402 * errno should be returned. Suggested failure: EACCES for label mismatch or 4403 * EPERM for lack of privilege. 4404 * 4405 * @note The path may contain untrusted input; policies should bound every read of path by pathlen rather than scanning for a terminator. If approved, lookup proceeds 4406 * on the path; if a component is found to be a symlink then this hook is 4407 * called again with the updated path. Because the check is made on the unresolved string before any component is resolved, a policy that needs a decision on the object actually reached should also implement the per-component mpo_vnode_check_lookup_t or the operation-specific checks (e.g. mpo_vnode_check_open_t). 4408 */ 4409 typedef int mpo_vnode_check_lookup_preflight_t( 4410 kauth_cred_t cred, 4411 struct vnode *dvp, 4412 struct label *dlabel, 4413 const char *path, 4414 size_t pathlen 4415 ); 4416 /** 4417 * @brief Access control check for lookup of a single path component 4418 * @param cred Subject credential 4419 * @param dvp Object directory vnode 4420 * @param dlabel Policy label for dvp 4421 * @param cnp Component name being looked up 4422 * 4423 * Determine whether the subject identified by the credential can perform 4424 * a lookup in the passed directory vnode for the passed name (cnp). 4425 * 4426 * @return Return 0 if access is granted, otherwise an appropriate value for 4427 * errno should be returned. Suggested failure: EACCES for label mismatch or 4428 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_lookup_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct componentname *cnp
);
/**
 * @brief Access control check for open
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label associated with vp
 * @param acc_mode open(2) access mode
 *
 * Determine whether the subject identified by the credential can perform
 * an open operation on the passed vnode with the passed access mode.
 * The decision is made once, at open time; subsequent reads and writes
 * through the resulting descriptor are checked by mpo_vnode_check_read_t
 * and mpo_vnode_check_write_t, which are also given the credential of
 * the subject that performed this open (their file_cred argument).
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_open_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	int acc_mode
);
/**
 * @brief Access control check for read
 * @param active_cred Subject credential
 * @param file_cred Credential associated with the struct fileproc; may be
 * NULL (the prototype marks it NULLOK)
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Determine whether the subject identified by the credential can perform
 * a read operation on the passed vnode. The active_cred holds the credentials
 * of the subject performing the operation, and file_cred holds the
 * credentials of the subject that originally opened the file. The two can
 * differ (for example when an open descriptor has been handed to another
 * subject), so a policy should be explicit about which credential, or
 * both, its decision is made against, and must tolerate a NULL file_cred.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_read_t(
	kauth_cred_t active_cred,	/* SUBJECT */
	kauth_cred_t file_cred,		/* NULLOK */
	struct vnode *vp,		/* OBJECT */
	struct label *label		/* LABEL */
);
/**
 * @brief Access control check for read directory
 * @param cred Subject credential
 * @param dvp Object directory vnode
 * @param dlabel Policy label for dvp
 *
 * Determine whether the subject identified by the credential can
 * perform a readdir operation on the passed directory vnode, i.e.
 * enumerate the names it contains.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_readdir_t(
	kauth_cred_t cred,		/* SUBJECT */
	struct vnode *dvp,		/* OBJECT */
	struct label *dlabel		/* LABEL */
);
/**
 * @brief Access control check for read link
 * @param cred Subject credential
 * @param vp Object vnode (a symlink)
 * @param label Policy label for vp
 *
 * Determine whether the subject identified by the credential can perform
 * a readlink operation on the passed symlink vnode. This call can be made
 * in a number of situations, including an explicit readlink call by the
 * user process, or as a result of an implicit readlink during a name
 * lookup by the process. Policies should therefore expect this hook on
 * ordinary path resolution, not only on readlink(2).
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_readlink_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label
);
/**
 * @brief Access control check for rename
 * @param cred Subject credential
 * @param fdvp Source directory vnode
 * @param fdlabel Policy label associated with fdvp
 * @param fvp vnode to be renamed
 * @param flabel Policy label associated with fvp
 * @param fcnp Component name for fvp (the source name)
 * @param tdvp Destination directory vnode
 * @param tdlabel Policy label associated with tdvp
 * @param tvp Overwritten vnode, when an object already exists at the
 * destination name. NOTE(review): presumably NULL when nothing is
 * overwritten, as documented for the vp argument of
 * mpo_vnode_check_rename_to_t — confirm with the caller before
 * dereferencing.
 * @param tlabel Policy label associated with tvp
 * @param tcnp Destination component name
 *
 * Determine whether the subject identified by the credential should be allowed
 * to rename the vnode fvp, currently named fcnp in fdvp, to the name tcnp
 * in tdvp. Because this entry point sees both ends of the rename it is
 * also where the implicit removal of tvp has to be authorized, and it
 * replaces the deprecated mpo_vnode_check_rename_from_t /
 * mpo_vnode_check_rename_to_t pair.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_rename_t(
	kauth_cred_t cred,
	struct vnode *fdvp,
	struct label *fdlabel,
	struct vnode *fvp,
	struct label *flabel,
	struct componentname *fcnp,
	struct vnode *tdvp,
	struct label *tdlabel,
	struct vnode *tvp,
	struct label *tlabel,
	struct componentname *tcnp
);
/**
 * @brief Access control check for rename from
 * @param cred Subject credential
 * @param dvp Directory vnode
 * @param dlabel Policy label associated with dvp
 * @param vp vnode to be renamed
 * @param label Policy label associated with vp
 * @param cnp Component name for vp
 * @see mpo_vnode_check_rename_t
 * @see mpo_vnode_check_rename_to_t
 *
 * Determine whether the subject identified by the credential should be
 * allowed to rename the vnode vp to something else.
 *
 * Due to VFS locking constraints (to make sure proper vnode locks are
 * held during this entry point), the vnode rename checks had to be
 * split into two parts: rename_from and rename_to. This half only sees
 * the source side; the destination (and any object overwritten there)
 * is presented separately to mpo_vnode_check_rename_to_t.
 *
 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_rename_from_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *vp,
	struct label *label,
	struct componentname *cnp
);
/**
 * @brief Access control check for rename to
 * @param cred Subject credential
 * @param dvp Destination directory vnode
 * @param dlabel Policy label associated with dvp
 * @param vp Overwritten vnode; NULL when no existing object is replaced
 * @param label Policy label associated with vp; NULL when vp is NULL
 * @param samedir Boolean; 1 if the source and destination directories are the same
 * @param cnp Destination component name
 * @see mpo_vnode_check_rename_t
 * @see mpo_vnode_check_rename_from_t
 *
 * Determine whether the subject identified by the credential should be
 * allowed to rename to the vnode vp, into the directory dvp, or to the
 * name represented by cnp. If there is no existing file to overwrite,
 * vp and label will be NULL. When vp is non-NULL the rename will replace
 * it, so this is also the point at which the implicit deletion of vp is
 * authorized (compare mpo_vnode_check_unlink_t).
 *
 * Due to VFS locking constraints (to make sure proper vnode locks are
 * held during this entry point), the vnode rename checks had to be
 * split into two parts: rename_from and rename_to.
 *
 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_rename_to_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *vp,			/* NULLOK */
	struct label *label,			/* NULLOK */
	int samedir,
	struct componentname *cnp
);
/**
 * @brief Access control check for revoke
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Determine whether the subject identified by the credential can revoke
 * access to the passed vnode, i.e. invalidate the open references other
 * subjects hold on it.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_revoke_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label
);
/**
 * @brief Access control check for searchfs
 * @param cred Subject credential
 * @param vp Object vnode (the volume or directory being searched)
 * @param vlabel Policy label for vp
 * @param returnattrs List of attributes to be returned
 * @param searchattrs List of attributes used as search criteria
 *
 * Determine whether the subject identified by the credential can search the
 * vnode using the searchfs system call. The two attribute lists describe
 * what the caller wants back and what it is matching on; a policy that
 * restricts visibility of particular attributes should examine both.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_searchfs_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *vlabel,
	struct attrlist *returnattrs,
	struct attrlist *searchattrs
);
/**
 * @brief Access control check for select
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param which The operation selected on: FREAD or FWRITE
 *
 * Determine whether the subject identified by the credential can select
 * the vnode for readiness in the direction given by which.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_select_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	int which
);
/**
 * @brief Access control check for setting ACL
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param acl ACL structure pointer; NULL when the ACL is being removed
 *
 * Determine whether the subject identified by the credential can set an ACL
 * on the specified vnode. The ACL pointer will be NULL when removing an ACL,
 * so policies must check for NULL before inspecting the entries (the
 * prototype does not carry a NULLOK marker for it). Removing an ACL is a
 * relaxation of access on the object and deserves the same scrutiny as
 * setting one.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_setacl_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	struct kauth_acl *acl
);
/**
 * @brief Access control check for setting file attributes
 * @param cred Subject credential
 * @param vp Object vnode
 * @param vlabel Policy label for vp
 * @param alist List of attributes to set
 *
 * Determine whether the subject identified by the credential can set
 * various attributes of the specified vnode, or the filesystem or volume on
 * which that vnode resides. See <sys/attr.h> for definitions of the
 * attributes. Because a single call can touch volume-wide attributes as
 * well as per-file ones, a policy should walk the whole list rather than
 * assume the request is confined to vp.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege. Access control covers all attributes requested
 * with this call.
 */
typedef int mpo_vnode_check_setattrlist_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *vlabel,
	struct attrlist *alist
);
/**
 * @brief Access control check for setting extended attribute
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param name Extended attribute name
 * @param uio I/O structure pointer describing the new value; NULL when the
 * attribute is being deleted
 *
 * Determine whether the subject identified by the credential can set the
 * extended attribute of the passed name on the passed vnode. Policies
 * implementing security labels backed into extended attributes may want
 * to provide additional protections for those attributes, since an
 * unrestricted setextattr on the label attribute would let a subject
 * rewrite the object's label. Additionally, policies should avoid making
 * decisions based on the data referenced from uio, as there is a potential
 * race condition (time-of-check/time-of-use) between this check and the
 * actual operation: the data lives in the caller's buffer and can change
 * after the check. The uio may also be NULL if a delete operation is being
 * performed.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_setextattr_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	const char *name,
	struct uio *uio
);
/**
 * @brief Access control check for setting flags
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param flags File flags; see chflags(2)
 *
 * Determine whether the subject identified by the credential can set
 * the passed flags on the passed vnode. The value is the complete new
 * flag word, not a delta, so clearing a flag is checked here as well.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_setflags_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	u_long flags
);
/**
 * @brief Access control check for setting mode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param mode File mode; see chmod(2)
 *
 * Determine whether the subject identified by the credential can set
 * the passed mode on the passed vnode. The mode is the complete new
 * value, so a policy that cares about particular bits (for example the
 * set-id bits) can inspect it directly.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_setmode_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	mode_t mode
);
/**
 * @brief Access control check for setting uid and gid
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param uid User ID, or (uid_t)-1 to leave the owner unchanged
 * @param gid Group ID, or (gid_t)-1 to leave the group unchanged
 *
 * Determine whether the subject identified by the credential can set
 * the passed uid and passed gid as file uid and file gid on the passed
 * vnode. The IDs may be set to (-1) to request no update; because uid_t
 * and gid_t are unsigned, compare against (uid_t)-1 / (gid_t)-1 rather
 * than a signed literal.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_setowner_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	uid_t uid,
	gid_t gid
);
/**
 * @brief Access control check for setting timestamps
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param atime Access time; see utimes(2)
 * @param mtime Modification time; see utimes(2)
 *
 * Determine whether the subject identified by the credential can set
 * the passed access and modification timestamps on the passed vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_setutimes_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	struct timespec atime,
	struct timespec mtime
);
/**
 * @brief Access control check after determining the code directory hash
 * @param vp vnode vnode to combine into proc
 * @param label label associated with the vnode
 * @param cpu_type cpu type of the signature being checked
 * @param cs_blob the code signature to check
 * @param cs_flags update code signing flags if needed (in/out)
 * @param signer_type output parameter for the code signature's signer type
 * @param flags operational flag to mpo_vnode_check_signature
 * @param platform platform of the signature being checked
 * @param fatal_failure_desc description of fatal failure (output; set by
 * the policy when it rejects the signature). NOTE(review): ownership of
 * the returned string, and who frees it, is not stated here — confirm
 * with the framework before allocating.
 * @param fatal_failure_desc_len failure description len, failure is fatal if non-0
 *
 * This is the policy's opportunity to accept or reject a code signature
 * for vp. There is no subject credential: the decision is about the
 * signature and the object, not the caller. A policy that grants here is
 * vouching for the blob, so any flags it sets through cs_flags should be
 * derived from its own validation of cs_blob rather than from the
 * caller-supplied flags.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_signature_t(
	struct vnode *vp,
	struct label *label,
	cpu_type_t cpu_type,
	struct cs_blob *cs_blob,
	unsigned int *cs_flags,
	unsigned int *signer_type,
	int flags,
	unsigned int platform,
	char **fatal_failure_desc, size_t *fatal_failure_desc_len
);
/**
 * @brief Access control check for stat
 * @param active_cred Subject credential
 * @param file_cred Credential associated with the struct fileproc; may be
 * NULL (marked NULLOK in the prototype)
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Determine whether the subject identified by the credential can stat
 * the passed vnode. See stat(2) for more information. The active_cred
 * holds the credentials of the subject performing the operation, and
 * file_cred holds the credentials of the subject that originally
 * opened the file. Policies must tolerate a NULL file_cred.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_stat_t(
	struct ucred *active_cred,
	struct ucred *file_cred,	/* NULLOK */
	struct vnode *vp,
	struct label *label
);
/**
 * @brief Access control check for supplemental signature attachment
 * @param vp the vnode to which the signature will be attached
 * @param label label associated with the vnode
 * @param cs_blob the code signature to check
 * @param linked_vp vnode to which this new vp is related
 * @param linked_cs_blob the code signature of the linked vnode
 * @param signer_type output parameter for the signer type of the code signature being checked.
 *
 * As with mpo_vnode_check_signature_t there is no subject credential;
 * the policy is judging whether cs_blob may be attached to vp given its
 * relationship to linked_vp and that vnode's own signature.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_supplemental_signature_t(
	struct vnode *vp,
	struct label *label,
	struct cs_blob *cs_blob,
	struct vnode *linked_vp,
	struct cs_blob *linked_cs_blob,
	unsigned int *signer_type
);
/**
 * @brief Access control check for atomically swapping two vnodes.
 * @param cred User credential for the swapping process
 * @param v1 vnode 1 to swap
 * @param vl1 Policy label for v1
 * @param v2 vnode 2 to swap
 * @param vl2 Policy label for v2
 *
 * Determine whether the subject identified by the credential can exchange
 * the two vnodes. After the swap each name refers to the other object, so
 * a policy should require that the subject be allowed to modify both
 * sides; checking only one label would let a subject substitute content
 * under a name it could not otherwise write.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_swap_t(
	kauth_cred_t cred,
	struct vnode *v1,
	struct label *vl1,
	struct vnode *v2,
	struct label *vl2
);
/**
 * @brief Access control check for vnode trigger resolution
 * @param cred Subject credential
 * @param dvp Directory vnode containing the trigger
 * @param dlabel Policy label for dvp
 * @param cnp Component name that triggered resolution
 *
 * Determine whether the subject identified by the credential can trigger
 * resolution of the passed name (cnp) in the passed directory vnode
 * via an external trigger resolver. Granting this allows the lookup to
 * invoke the resolver on the subject's behalf, so it is effectively a
 * check on causing that side effect rather than on the name itself.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_trigger_resolve_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct componentname *cnp
);
/**
 * @brief Access control check for truncate/ftruncate
 * @param active_cred Subject credential
 * @param file_cred Credential associated with the struct fileproc; may be
 * NULL (marked NULLOK in the prototype)
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Determine whether the subject identified by the credential can
 * perform a truncate operation on the passed vnode. The active_cred holds
 * the credentials of the subject performing the operation, and
 * file_cred holds the credentials of the subject that originally
 * opened the file. Policies must tolerate a NULL file_cred.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_truncate_t(
	kauth_cred_t active_cred,
	kauth_cred_t file_cred,	/* NULLOK */
	struct vnode *vp,
	struct label *label
);
/**
 * @brief Access control check for binding UNIX domain socket
 * @param cred Subject credential
 * @param dvp Directory vnode in which the socket name will be created
 * @param dlabel Policy label for dvp
 * @param cnp Component name of the socket being bound
 * @param vap vnode attributes for the socket vnode about to be created
 *
 * Determine whether the subject identified by the credential can perform a
 * bind operation on a UNIX domain socket with the passed parent directory,
 * passed name information, and passed attribute information. The socket
 * vnode does not exist yet at this point, which is why the check is
 * expressed in terms of the directory, the name and the requested
 * attributes rather than an object label.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_uipc_bind_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct componentname *cnp,
	struct vnode_attr *vap
);
/**
 * @brief Access control check for connecting UNIX domain socket
 * @param cred Subject credential
 * @param vp Object vnode (the bound socket's file system name)
 * @param label Policy label associated with vp
 * @param so Socket performing the connect
 *
 * Determine whether the subject identified by the credential can perform a
 * connect operation on the passed UNIX domain socket vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_uipc_connect_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	socket_t so
);
/**
 * @brief Access control check for deleting vnode
 * @param cred Subject credential
 * @param dvp Parent directory vnode
 * @param dlabel Policy label for dvp
 * @param vp Object vnode to delete
 * @param label Policy label for vp
 * @param cnp Component name for vp
 * @see mpo_vnode_check_rename_t
 * @see mpo_vnode_check_rename_to_t
 *
 * Determine whether the subject identified by the credential can delete
 * a vnode from the passed parent directory and passed name information.
 * This call may be made in a number of situations, including as a
 * result of calls to unlink(2) and rmdir(2). It is not called when an
 * object disappears because it is overwritten by a rename, so policies
 * implementing this entry point should also implement
 * mpo_vnode_check_rename_t (which receives the overwritten vnode as tvp)
 * — or, for older policies, the deprecated mpo_vnode_check_rename_to_t —
 * to authorize deletion of objects as a result of being the target of a
 * rename. Otherwise a subject denied unlink could remove the object by
 * renaming over it.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_unlink_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *vp,
	struct label *label,
	struct componentname *cnp
);
/**
 * @brief Access control check for write
 * @param active_cred Subject credential
 * @param file_cred Credential associated with the struct fileproc; may be
 * NULL (marked NULLOK in the prototype)
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Determine whether the subject identified by the credential can
 * perform a write operation on the passed vnode. The active_cred holds
 * the credentials of the subject performing the operation, and
 * file_cred holds the credentials of the subject that originally
 * opened the file. Policies must tolerate a NULL file_cred.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_write_t(
	kauth_cred_t active_cred,
	kauth_cred_t file_cred,	/* NULLOK */
	struct vnode *vp,
	struct label *label
);
/**
 * @brief Access control check for copyfile
 * @param cred Subject credential
 * @param dvp Vnode of directory to create the copy in
 * @param dlabel Policy label associated with dvp
 * @param tvp Vnode of the file at the target path that will be unlinked to
 * make room for the copy being created, if file exists; NULL otherwise
 * @param tlabel Policy label associated with tvp; NULL when tvp is NULL
 * @param fvp Vnode of the file to copy from
 * @param flabel Policy label associated with fvp
 * @param cnp Component name for the copy being created
 * @param mode Corresponds to mode argument to the copyfile syscall
 * @param flags Corresponds to flags argument to the copyfile syscall
 *
 * Determine whether the subject identified by the credential should be
 * allowed to create a copy of the vnode fvp with
 * the name specified by cnp. A copy is at once a read of fvp, a create
 * in dvp and, when tvp is present, a removal of tvp, so a policy should
 * apply each of those considerations here rather than assume the
 * separate read/create/unlink hooks will be consulted.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_copyfile_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *tvp,		/* NULLOK */
	struct label *tlabel,		/* NULLOK */
	struct vnode *fvp,
	struct label *flabel,
	struct componentname *cnp,
	mode_t mode,
	int flags
);
/**
 * @brief Associate a vnode with a devfs entry
 * @param mp Devfs mount point
 * @param mntlabel Devfs mount point label
 * @param de Devfs directory entry
 * @param delabel Label associated with de
 * @param vp vnode associated with de
 * @param vlabel Label associated with vp
 *
 * Fill in the label (vlabel) for a newly created devfs vnode. The
 * label is typically derived from the label on the devfs directory
 * entry or the label on the filesystem, supplied as parameters.
 */
typedef void mpo_vnode_label_associate_devfs_t(
	struct mount *mp,
	struct label *mntlabel,
	struct devnode *de,
	struct label *delabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a label with a vnode
 * @param mp File system mount point
 * @param mntlabel File system mount point label
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Attempt to retrieve label information for the vnode, vp, from the
 * file system extended attribute store. The label should be stored in
 * the supplied vlabel parameter. If a policy cannot retrieve an
 * extended attribute, sometimes it is acceptable to fallback to using
 * the mntlabel. Whatever is read from the attribute store is persistent
 * data that may have been written by an earlier kernel, by another
 * policy, or by a tampered file system, and must be validated before it
 * is trusted as a label.
 *
 * If the policy requires vnodes to have a valid label elsewhere it
 * MUST NOT return other than temporary errors, and must always provide
 * a valid label of some sort.
 * Returning an error will cause vnode
 * labeling to be retried at a later access. Failure to handle policy
 * centric errors internally (corrupt labels etc.) will result in
 * inaccessible files. In other words the framework fails closed on a
 * labeling error: a policy that cannot parse a stored label must choose
 * a safe default label itself rather than propagate the error, or the
 * object becomes unreachable.
 *
 * @return In the event of an error, an appropriate value for errno
 * should be returned, otherwise return 0 upon success.
 */
typedef int mpo_vnode_label_associate_extattr_t(
	struct mount *mp,
	struct label *mntlabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a file label with a vnode
 * @param cred User credential
 * @param mp Fdesc mount point
 * @param mntlabel Fdesc mount point label
 * @param fg Fileglob structure
 * @param label Policy label for fg
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the open file descriptor described by fg.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_file_t(
	struct ucred *cred,
	struct mount *mp,
	struct label *mntlabel,
	struct fileglob *fg,
	struct label *label,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a pipe label with a vnode
 * @param cred User credential for the process that opened the pipe
 * @param cpipe Pipe structure
 * @param pipelabel Label associated with pipe
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the pipe described by the pipe structure cpipe.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_pipe_t(
	struct ucred *cred,
	struct pipe *cpipe,
	struct label *pipelabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a POSIX semaphore label with a vnode
 * @param cred User credential for the process that created psem
 * @param psem POSIX semaphore structure
 * @param psemlabel Label associated with psem
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the POSIX semaphore described by psem.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_posixsem_t(
	struct ucred *cred,
	struct pseminfo *psem,
	struct label *psemlabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a POSIX shared memory label with a vnode
 * @param cred User credential for the process that created pshm
 * @param pshm POSIX shared memory structure
 * @param pshmlabel Label associated with pshm
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the POSIX shared memory region described by pshm.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_posixshm_t(
	struct ucred *cred,
	struct pshminfo *pshm,
	struct label *pshmlabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a label with a vnode
 * @param mp File system mount point
 * @param mntlabel File system mount point label
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * On non-multilabel file systems, set the label for a vnode.
 * The
 * label will most likely be based on the file system label, since such
 * a file system carries no per-object label storage for the policy to
 * consult.
 */
typedef void mpo_vnode_label_associate_singlelabel_t(
	struct mount *mp,
	struct label *mntlabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a socket label with a vnode
 * @param cred User credential for the process that opened the socket
 * @param so Socket structure
 * @param solabel Label associated with so
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the open socket described by the socket structure so.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_socket_t(
	kauth_cred_t cred,
	socket_t so,
	struct label *solabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Copy a vnode label
 * @param src Source vnode label
 * @param dest Destination vnode label
 *
 * Copy the vnode label information from src to dest. On Darwin, this
 * is currently only necessary when executing interpreted scripts, but
 * will later be used if vnode label externalization cannot be an
 * atomic operation. dest must end up as a complete, independent copy:
 * any storage the policy hangs off a label has to be duplicated, not
 * shared, since the two labels are destroyed separately.
 */
typedef void mpo_vnode_label_copy_t(
	struct label *src,
	struct label *dest
);
/**
 * @brief Destroy vnode label
 * @param label The label to be destroyed
 *
 * Destroy a vnode label. Since the object is going out of scope,
 * policy modules should free any internal storage associated with the
 * label so that it may be destroyed.
5276 */ 5277 typedef void mpo_vnode_label_destroy_t( 5278 struct label *label 5279 ); 5280 /** 5281 * @brief Externalize a vnode label for auditing 5282 * @param label Label to be externalized 5283 * @param element_name Name of the label namespace for which labels should be 5284 * externalized 5285 * @param sb String buffer to be filled with a text representation of the label 5286 * 5287 * Produce an external representation of the label on a vnode suitable for 5288 * inclusion in an audit record. An externalized label consists of a text 5289 * representation of the label contents that will be added to the audit record 5290 * as part of a text token. Policy-agnostic user space tools will display 5291 * this externalized version. 5292 * 5293 * @return 0 on success, return non-zero if an error occurs while 5294 * externalizing the label data. 5295 * 5296 */ 5297 typedef int mpo_vnode_label_externalize_audit_t( 5298 struct label *label, 5299 char *element_name, 5300 struct sbuf *sb 5301 ); 5302 /** 5303 * @brief Externalize a vnode label 5304 * @param label Label to be externalized 5305 * @param element_name Name of the label namespace for which labels should be 5306 * externalized 5307 * @param sb String buffer to be filled with a text representation of the label 5308 * 5309 * Produce an external representation of the label on a vnode. An 5310 * externalized label consists of a text representation of the label 5311 * contents that can be used with user applications. Policy-agnostic 5312 * user space tools will display this externalized version. 5313 * 5314 * @return 0 on success, return non-zero if an error occurs while 5315 * externalizing the label data. 
5316 * 5317 */ 5318 typedef int mpo_vnode_label_externalize_t( 5319 struct label *label, 5320 char *element_name, 5321 struct sbuf *sb 5322 ); 5323 /** 5324 * @brief Initialize vnode label 5325 * @param label New label to initialize 5326 * 5327 * Initialize label storage for use with a newly instantiated vnode, or 5328 * for temporary storage associated with the copying in or out of a 5329 * vnode label. While it is necessary to allocate space for a 5330 * kernel-resident vnode label, it is not yet necessary to link this vnode 5331 * with persistent label storage facilities, such as extended attributes. 5332 * Sleeping is permitted. 5333 */ 5334 typedef void mpo_vnode_label_init_t( 5335 struct label *label 5336 ); 5337 /** 5338 * @brief Internalize a vnode label 5339 * @param label Label to be internalized 5340 * @param element_name Name of the label namespace for which the label should 5341 * be internalized 5342 * @param element_data Text data to be internalized 5343 * 5344 * Produce a vnode label from an external representation. An 5345 * externalized label consists of a text representation of the label 5346 * contents that can be used with user applications. Policy-agnostic 5347 * user space tools will forward text version to the kernel for 5348 * processing by individual policy modules. 5349 * 5350 * The policy's internalize entry points will be called only if the 5351 * policy has registered interest in the label namespace. 5352 * 5353 * @return 0 on success, Otherwise, return non-zero if an error occurs 5354 * while internalizing the label data. 5355 */ 5356 typedef int mpo_vnode_label_internalize_t( 5357 struct label *label, 5358 char *element_name, 5359 char *element_data 5360 ); 5361 /** 5362 * @brief Clean up a vnode label 5363 * @param label The label to be cleaned or purged 5364 * 5365 * Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but 5366 * typically never frees them. 
Before vnodes are placed back on free lists for 5367 * re-use, policies can cleanup or overwrite any information present in the label, 5368 * or free any internal resources used for the label. 5369 */ 5370 typedef void mpo_vnode_label_recycle_t( 5371 struct label *label 5372 ); 5373 /** 5374 * @brief Write a label to a extended attribute 5375 * @param cred Subject credential 5376 * @param vp The vnode for which the label is being stored 5377 * @param vlabel Label associated with vp 5378 * @param intlabel The new label to store 5379 * 5380 * Store a new label in the extended attribute corresponding to the 5381 * supplied vnode. The policy has already authorized the operation; 5382 * this call must be implemented in order to perform the actual 5383 * operation. 5384 * 5385 * @return In the event of an error, an appropriate value for errno 5386 * should be returned, otherwise return 0 upon success. 5387 * 5388 * @warning XXX After examining the extended attribute implementation on 5389 * Apple's future release, this entry point may be changed. 5390 */ 5391 typedef int mpo_vnode_label_store_t( 5392 kauth_cred_t cred, 5393 struct vnode *vp, 5394 struct label *vlabel, 5395 struct label *intlabel 5396 ); 5397 /** 5398 * @brief Update vnode label from extended attributes 5399 * @param mp File system mount point 5400 * @param mntlabel Mount point label 5401 * @param vp Vnode to label 5402 * @param vlabel Label associated with vp 5403 * @param name Name of the xattr 5404 * @see mpo_vnode_check_setextattr_t 5405 * 5406 * When an extended attribute is updated via the Vendor attribute management 5407 * functions, the MAC vnode label might also require an update. 5408 * Policies should first determine if 'name' matches their xattr label 5409 * name. If it does, the kernel is has either replaced or removed the 5410 * named extended attribute that was previously associated with the 5411 * vnode. 
Normally labels should only be modified via MAC Framework label 5412 * management calls, but sometimes the user space components will directly 5413 * modify extended attributes. For example, 'cp', 'tar', etc. manage 5414 * extended attributes in userspace, not the kernel. 5415 * 5416 * This entry point is called after the label update has occurred, so 5417 * it cannot return a failure. However, the operation is preceded by 5418 * the mpo_vnode_check_setextattr() access control check. 5419 * 5420 * If the vnode label needs to be updated the policy should return 5421 * a non-zero value. The vnode label will be marked for re-association 5422 * by the framework. 5423 */ 5424 typedef int mpo_vnode_label_update_extattr_t( 5425 struct mount *mp, 5426 struct label *mntlabel, 5427 struct vnode *vp, 5428 struct label *vlabel, 5429 const char *name 5430 ); 5431 /** 5432 * @brief Update a vnode label 5433 * @param cred Subject credential 5434 * @param vp The vnode to relabel 5435 * @param vnodelabel Existing vnode label 5436 * @param label New label to replace existing label 5437 * @see mpo_vnode_check_label_update_t 5438 * 5439 * The subject identified by the credential has previously requested 5440 * and was authorized to relabel the vnode; this entry point allows 5441 * policies to perform the actual relabel operation. Policies should 5442 * update vnodelabel using the label stored in the label parameter. 
5443 */ 5444 typedef void mpo_vnode_label_update_t( 5445 kauth_cred_t cred, 5446 struct vnode *vp, 5447 struct label *vnodelabel, 5448 struct label *label 5449 ); 5450 /** 5451 * @brief Find deatched signatures for a shared library 5452 * @param p file trying to find the signature 5453 * @param vp The vnode to relabel 5454 * @param offset offset in the Mach-O that the signature is requested for (for fat binaries) 5455 * @param label Existing vnode label 5456 * 5457 */ 5458 typedef int mpo_vnode_find_sigs_t( 5459 struct proc *p, 5460 struct vnode *vp, 5461 off_t offset, 5462 struct label *label 5463 ); 5464 /** 5465 * @brief Create a new vnode, backed by extended attributes 5466 * @param cred User credential for the creating process 5467 * @param mp File system mount point 5468 * @param mntlabel File system mount point label 5469 * @param dvp Parent directory vnode 5470 * @param dlabel Parent directory vnode label 5471 * @param vp Newly created vnode 5472 * @param vlabel Label to associate with the new vnode 5473 * @param cnp Component name for vp 5474 * 5475 * Write out the label for the newly created vnode, most likely storing 5476 * the results in a file system extended attribute. Most policies will 5477 * derive the new vnode label using information from a combination 5478 * of the subject (user) credential, the file system label, the parent 5479 * directory label, and potentially the path name component. 5480 * 5481 * @return If the operation succeeds, store the new label in vlabel and 5482 * return 0. Otherwise, return an appropriate errno value. 
5483 */ 5484 typedef int mpo_vnode_notify_create_t( 5485 kauth_cred_t cred, 5486 struct mount *mp, 5487 struct label *mntlabel, 5488 struct vnode *dvp, 5489 struct label *dlabel, 5490 struct vnode *vp, 5491 struct label *vlabel, 5492 struct componentname *cnp 5493 ); 5494 5495 /** 5496 * @brief Inform MAC policies that a vnode has been opened 5497 * @param cred User credential for the creating process 5498 * @param vp vnode opened 5499 * @param label Policy label for the vp 5500 * @param acc_mode open(2) access mode used 5501 * 5502 * Inform Mac policies that a vnode have been successfully opened 5503 * (passing all MAC polices and DAC). 5504 */ 5505 typedef void mpo_vnode_notify_open_t( 5506 kauth_cred_t cred, 5507 struct vnode *vp, 5508 struct label *label, 5509 int acc_mode 5510 ); 5511 5512 /** 5513 * @brief Inform MAC policies that a vnode has been renamed 5514 * @param cred User credential for the renaming process 5515 * @param vp Vnode that's being renamed 5516 * @param label Policy label for vp 5517 * @param dvp Parent directory for the destination 5518 * @param dlabel Policy label for dvp 5519 * @param cnp Component name for the destination 5520 * 5521 * Inform MAC policies that a vnode has been renamed. 5522 */ 5523 typedef void mpo_vnode_notify_rename_t( 5524 kauth_cred_t cred, 5525 struct vnode *vp, 5526 struct label *label, 5527 struct vnode *dvp, 5528 struct label *dlabel, 5529 struct componentname *cnp 5530 ); 5531 5532 /** 5533 * @brief Inform MAC policies that two vnodes were atomically swapped. 5534 * @param cred User credential for the renaming process 5535 * @param v1 vnode 1 to swap 5536 * @param vl1 Policy label for v1 5537 * @param v2 vnode 2 to swap 5538 * @param vl2 Policy label for v2 5539 * 5540 * Inform MAC policies that two vnodes were atomically swapped. 
5541 * NOTE: If a policy implements this notify hook, then this hook will be 5542 * called instead of two calls to the vnode_notify_rename hook (one for each 5543 * member of the swap). 5544 */ 5545 typedef void mpo_vnode_notify_swap_t( 5546 kauth_cred_t cred, 5547 struct vnode *v1, 5548 struct label *vl1, 5549 struct vnode *v2, 5550 struct label *vl2 5551 ); 5552 5553 /** 5554 * @brief Inform MAC policies that a vnode has been linked 5555 * @param cred User credential for the renaming process 5556 * @param dvp Parent directory for the destination 5557 * @param dlabel Policy label for dvp 5558 * @param vp Vnode that's being linked 5559 * @param vlabel Policy label for vp 5560 * @param cnp Component name for the destination 5561 * 5562 * Inform MAC policies that a vnode has been linked. 5563 */ 5564 typedef void mpo_vnode_notify_link_t( 5565 kauth_cred_t cred, 5566 struct vnode *dvp, 5567 struct label *dlabel, 5568 struct vnode *vp, 5569 struct label *vlabel, 5570 struct componentname *cnp 5571 ); 5572 5573 /** 5574 * @brief Inform MAC policies that an extended attribute has been removed from a vnode 5575 * @param cred Subject credential 5576 * @param vp Object node 5577 * @param label Policy label for vp 5578 * @param name Extended attribute name 5579 * 5580 * Inform MAC policies that an extended attribute has been removed from a vnode. 5581 */ 5582 typedef void mpo_vnode_notify_deleteextattr_t( 5583 kauth_cred_t cred, 5584 struct vnode *vp, 5585 struct label *label, 5586 const char *name 5587 ); 5588 5589 5590 /** 5591 * @brief Inform MAC policies that an ACL has been set on a vnode 5592 * @param cred Subject credential 5593 * @param vp Object node 5594 * @param label Policy label for vp 5595 * @param acl ACL structure pointer 5596 * 5597 * Inform MAC policies that an ACL has been set on a vnode. 
5598 */ 5599 typedef void mpo_vnode_notify_setacl_t( 5600 kauth_cred_t cred, 5601 struct vnode *vp, 5602 struct label *label, 5603 struct kauth_acl *acl 5604 ); 5605 5606 /** 5607 * @brief Inform MAC policies that an attributes have been set on a vnode 5608 * @param cred Subject credential 5609 * @param vp Object vnode 5610 * @param label Policy label for vp 5611 * @param alist List of attributes to set 5612 * 5613 * Inform MAC policies that an attributes have been set on a vnode. 5614 */ 5615 typedef void mpo_vnode_notify_setattrlist_t( 5616 kauth_cred_t cred, 5617 struct vnode *vp, 5618 struct label *label, 5619 struct attrlist *alist 5620 ); 5621 5622 /** 5623 * @brief Inform MAC policies that an extended attribute has been set on a vnode 5624 * @param cred Subject credential 5625 * @param vp Object vnode 5626 * @param label Policy label for vp 5627 * @param name Extended attribute name 5628 * @param uio I/O structure pointer 5629 * 5630 * Inform MAC policies that an extended attribute has been set on a vnode. 5631 */ 5632 typedef void mpo_vnode_notify_setextattr_t( 5633 kauth_cred_t cred, 5634 struct vnode *vp, 5635 struct label *label, 5636 const char *name, 5637 struct uio *uio 5638 ); 5639 5640 /** 5641 * @brief Inform MAC policies that flags have been set on a vnode 5642 * @param cred Subject credential 5643 * @param vp Object vnode 5644 * @param label Policy label for vp 5645 * @param flags File flags; see chflags(2) 5646 * 5647 * Inform MAC policies that flags have been set on a vnode. 5648 */ 5649 typedef void mpo_vnode_notify_setflags_t( 5650 kauth_cred_t cred, 5651 struct vnode *vp, 5652 struct label *label, 5653 u_long flags 5654 ); 5655 5656 /** 5657 * @brief Inform MAC policies that a new mode has been set on a vnode 5658 * @param cred Subject credential 5659 * @param vp Object vnode 5660 * @param label Policy label for vp 5661 * @param mode File mode; see chmod(2) 5662 * 5663 * Inform MAC policies that a new mode has been set on a vnode. 
5664 */ 5665 typedef void mpo_vnode_notify_setmode_t( 5666 kauth_cred_t cred, 5667 struct vnode *vp, 5668 struct label *label, 5669 mode_t mode 5670 ); 5671 5672 /** 5673 * @brief Inform MAC policies that new uid/gid have been set on a vnode 5674 * @param cred Subject credential 5675 * @param vp Object vnode 5676 * @param label Policy label for vp 5677 * @param uid User ID 5678 * @param gid Group ID 5679 * 5680 * Inform MAC policies that new uid/gid have been set on a vnode. 5681 */ 5682 typedef void mpo_vnode_notify_setowner_t( 5683 kauth_cred_t cred, 5684 struct vnode *vp, 5685 struct label *label, 5686 uid_t uid, 5687 gid_t gid 5688 ); 5689 5690 /** 5691 * @brief Inform MAC policies that new timestamps have been set on a vnode 5692 * @param cred Subject credential 5693 * @param vp Object vnode 5694 * @param label Policy label for vp 5695 * @param atime Access time; see utimes(2) 5696 * @param mtime Modification time; see utimes(2) 5697 * 5698 * Inform MAC policies that new timestamps have been set on a vnode. 5699 */ 5700 typedef void mpo_vnode_notify_setutimes_t( 5701 kauth_cred_t cred, 5702 struct vnode *vp, 5703 struct label *label, 5704 struct timespec atime, 5705 struct timespec mtime 5706 ); 5707 5708 /** 5709 * @brief Inform MAC policies that a vnode has been truncated 5710 * @param cred Subject credential 5711 * @param file_cred Credential associated with the struct fileproc 5712 * @param vp Object vnode 5713 * @param label Policy label for vp 5714 * 5715 * Inform MAC policies that a vnode has been truncated. 
5716 */ 5717 typedef void mpo_vnode_notify_truncate_t( 5718 kauth_cred_t cred, 5719 kauth_cred_t file_cred, 5720 struct vnode *vp, 5721 struct label *label 5722 ); 5723 5724 5725 /** 5726 * @brief Inform MAC policies that a pty slave has been granted 5727 * @param p Responsible process 5728 * @param tp tty data structure 5729 * @param dev Major and minor numbers of device 5730 * @param label Policy label for tp 5731 * 5732 * Inform MAC policies that a pty slave has been granted. 5733 */ 5734 typedef void mpo_pty_notify_grant_t( 5735 proc_t p, 5736 struct tty *tp, 5737 dev_t dev, 5738 struct label *label 5739 ); 5740 5741 /** 5742 * @brief Inform MAC policies that a pty master has been closed 5743 * @param p Responsible process 5744 * @param tp tty data structure 5745 * @param dev Major and minor numbers of device 5746 * @param label Policy label for tp 5747 * 5748 * Inform MAC policies that a pty master has been closed. 5749 */ 5750 typedef void mpo_pty_notify_close_t( 5751 proc_t p, 5752 struct tty *tp, 5753 dev_t dev, 5754 struct label *label 5755 ); 5756 5757 /** 5758 * @brief Access control check for kext loading 5759 * @param cred Subject credential 5760 * @param identifier Kext identifier 5761 * 5762 * Determine whether the subject identified by the credential can load the 5763 * specified kext. 5764 * 5765 * @return Return 0 if access is granted, otherwise an appropriate value for 5766 * errno should be returned. Suggested failure: EPERM for lack of privilege. 5767 */ 5768 typedef int mpo_kext_check_load_t( 5769 kauth_cred_t cred, 5770 const char *identifier 5771 ); 5772 5773 /** 5774 * @brief Access control check for kext unloading 5775 * @param cred Subject credential 5776 * @param identifier Kext identifier 5777 * 5778 * Determine whether the subject identified by the credential can unload the 5779 * specified kext. 5780 * 5781 * @return Return 0 if access is granted, otherwise an appropriate value for 5782 * errno should be returned. 
Suggested failure: EPERM for lack of privilege. 5783 */ 5784 typedef int mpo_kext_check_unload_t( 5785 kauth_cred_t cred, 5786 const char *identifier 5787 ); 5788 5789 /** 5790 * @brief Access control check for querying information about loaded kexts 5791 * @param cred Subject credential 5792 * 5793 * Determine whether the subject identified by the credential can query 5794 * information about loaded kexts. 5795 * 5796 * @return Return 0 if access is granted, otherwise an appropriate value for 5797 * errno should be returned. Suggested failure: EPERM for lack of privilege. 5798 */ 5799 typedef int mpo_kext_check_query_t( 5800 kauth_cred_t cred 5801 ); 5802 5803 /** 5804 * @brief Inform MAC policies that a vnode is being reclaimed 5805 * @param vp Object vnode 5806 * 5807 * Any external accounting tracking this vnode must consider it to be no longer valid. 5808 */ 5809 typedef void mpo_vnode_notify_reclaim_t( 5810 struct vnode *vp 5811 ); 5812 5813 /** 5814 * @brief Inform MAC policies that a vnode has been deleted 5815 * @param cred Subject credential 5816 * @param dvp Parent directory vnode 5817 * @param dlabel Policy label for dvp 5818 * @param vp Object vnode to delete 5819 * @param label Policy label for vp 5820 * @param cnp Component name for vp 5821 * 5822 * Inform Mac policies that a vnode have been successfully deleted 5823 * (passing all MAC polices and DAC). 5824 */ 5825 typedef void mpo_vnode_notify_unlink_t( 5826 kauth_cred_t cred, 5827 struct vnode *dvp, 5828 struct label *dlabel, 5829 struct vnode *vp, 5830 struct label *label, 5831 struct componentname *cnp 5832 ); 5833 5834 /* 5835 * Placeholder for future events that may need mac hooks. 5836 */ 5837 typedef void mpo_reserved_hook_t(void); 5838 5839 /* 5840 * Policy module operations. 5841 * 5842 * Please note that this should be kept in sync with the check assumptions 5843 * policy in bsd/kern/policy_check.c (policy_ops struct). 
5844 */ 5845 #define MAC_POLICY_OPS_VERSION 86 /* inc when new reserved slots are taken */ 5846 struct mac_policy_ops { 5847 mpo_audit_check_postselect_t *mpo_audit_check_postselect; 5848 mpo_audit_check_preselect_t *mpo_audit_check_preselect; 5849 5850 mpo_reserved_hook_t *mpo_reserved01; 5851 mpo_reserved_hook_t *mpo_reserved02; 5852 mpo_reserved_hook_t *mpo_reserved03; 5853 mpo_reserved_hook_t *mpo_reserved04; 5854 5855 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; 5856 mpo_cred_check_label_update_t *mpo_cred_check_label_update; 5857 mpo_cred_check_visible_t *mpo_cred_check_visible; 5858 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork; 5859 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel; 5860 mpo_cred_label_associate_t *mpo_cred_label_associate; 5861 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user; 5862 mpo_cred_label_destroy_t *mpo_cred_label_destroy; 5863 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit; 5864 mpo_cred_label_externalize_t *mpo_cred_label_externalize; 5865 mpo_cred_label_init_t *mpo_cred_label_init; 5866 mpo_cred_label_internalize_t *mpo_cred_label_internalize; 5867 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve; 5868 mpo_cred_label_update_t *mpo_cred_label_update; 5869 5870 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device; 5871 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory; 5872 mpo_devfs_label_copy_t *mpo_devfs_label_copy; 5873 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; 5874 mpo_devfs_label_init_t *mpo_devfs_label_init; 5875 mpo_devfs_label_update_t *mpo_devfs_label_update; 5876 5877 mpo_file_check_change_offset_t *mpo_file_check_change_offset; 5878 mpo_file_check_create_t *mpo_file_check_create; 5879 mpo_file_check_dup_t *mpo_file_check_dup; 5880 mpo_file_check_fcntl_t *mpo_file_check_fcntl; 5881 mpo_file_check_get_offset_t *mpo_file_check_get_offset; 5882 
mpo_file_check_get_t *mpo_file_check_get; 5883 mpo_file_check_inherit_t *mpo_file_check_inherit; 5884 mpo_file_check_ioctl_t *mpo_file_check_ioctl; 5885 mpo_file_check_lock_t *mpo_file_check_lock; 5886 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade; 5887 mpo_file_check_mmap_t *mpo_file_check_mmap; 5888 mpo_file_check_receive_t *mpo_file_check_receive; 5889 mpo_file_check_set_t *mpo_file_check_set; 5890 mpo_file_label_init_t *mpo_file_label_init; /* deprecated not called anymore */ 5891 mpo_file_label_destroy_t *mpo_file_label_destroy; /* deprecated not called anymore */ 5892 mpo_file_label_associate_t *mpo_file_label_associate; /* deprecated not called anymore */ 5893 mpo_file_notify_close_t *mpo_file_notify_close; 5894 5895 mpo_proc_check_launch_constraints_t *mpo_proc_check_launch_constraints; 5896 mpo_proc_notify_service_port_derive_t *mpo_proc_notify_service_port_derive; 5897 mpo_proc_check_set_task_exception_port_t *mpo_proc_check_set_task_exception_port; 5898 mpo_proc_check_set_thread_exception_port_t *mpo_proc_check_set_thread_exception_port; 5899 mpo_proc_check_delegated_signal_t *mpo_proc_check_delegated_signal; 5900 5901 mpo_reserved_hook_t *mpo_reserved08; 5902 mpo_reserved_hook_t *mpo_reserved09; 5903 mpo_reserved_hook_t *mpo_reserved10; 5904 mpo_reserved_hook_t *mpo_reserved11; 5905 mpo_reserved_hook_t *mpo_reserved12; 5906 mpo_reserved_hook_t *mpo_reserved13; 5907 mpo_reserved_hook_t *mpo_reserved14; 5908 mpo_reserved_hook_t *mpo_reserved15; 5909 mpo_reserved_hook_t *mpo_reserved16; 5910 mpo_reserved_hook_t *mpo_reserved17; 5911 mpo_reserved_hook_t *mpo_reserved18; 5912 mpo_reserved_hook_t *mpo_reserved19; 5913 mpo_reserved_hook_t *mpo_reserved20; 5914 mpo_reserved_hook_t *mpo_reserved21; 5915 5916 mpo_necp_check_open_t *mpo_necp_check_open; 5917 mpo_necp_check_client_action_t *mpo_necp_check_client_action; 5918 5919 mpo_file_check_library_validation_t *mpo_file_check_library_validation; 5920 5921 mpo_vnode_notify_setacl_t 
*mpo_vnode_notify_setacl; 5922 mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist; 5923 mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr; 5924 mpo_vnode_notify_setflags_t *mpo_vnode_notify_setflags; 5925 mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode; 5926 mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner; 5927 mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes; 5928 mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate; 5929 mpo_vnode_check_getattrlistbulk_t *mpo_vnode_check_getattrlistbulk; 5930 5931 mpo_proc_check_get_task_special_port_t *mpo_proc_check_get_task_special_port; 5932 mpo_proc_check_set_task_special_port_t *mpo_proc_check_set_task_special_port; 5933 5934 mpo_vnode_notify_swap_t *mpo_vnode_notify_swap; 5935 mpo_vnode_notify_unlink_t *mpo_vnode_notify_unlink; 5936 mpo_vnode_check_swap_t *mpo_vnode_check_swap; 5937 mpo_reserved_hook_t *mpo_reserved33; 5938 mpo_reserved_hook_t *mpo_reserved34; 5939 mpo_reserved_hook_t *mpo_reserved35; 5940 mpo_vnode_check_copyfile_t *mpo_vnode_check_copyfile; 5941 5942 mpo_mount_check_quotactl_t *mpo_mount_check_quotactl; 5943 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl; 5944 mpo_mount_check_getattr_t *mpo_mount_check_getattr; 5945 mpo_mount_check_label_update_t *mpo_mount_check_label_update; 5946 mpo_mount_check_mount_t *mpo_mount_check_mount; 5947 mpo_mount_check_remount_t *mpo_mount_check_remount; 5948 mpo_mount_check_setattr_t *mpo_mount_check_setattr; 5949 mpo_mount_check_stat_t *mpo_mount_check_stat; 5950 mpo_mount_check_umount_t *mpo_mount_check_umount; 5951 mpo_mount_label_associate_t *mpo_mount_label_associate; 5952 mpo_mount_label_destroy_t *mpo_mount_label_destroy; 5953 mpo_mount_label_externalize_t *mpo_mount_label_externalize; 5954 mpo_mount_label_init_t *mpo_mount_label_init; 5955 mpo_mount_label_internalize_t *mpo_mount_label_internalize; 5956 5957 mpo_proc_check_expose_task_with_flavor_t *mpo_proc_check_expose_task_with_flavor; 5958 
mpo_proc_check_get_task_with_flavor_t *mpo_proc_check_get_task_with_flavor; 5959 mpo_proc_check_task_id_token_get_task_t *mpo_proc_check_task_id_token_get_task; 5960 5961 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; 5962 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; 5963 mpo_reserved_hook_t *mpo_reserved41; 5964 mpo_pipe_check_read_t *mpo_pipe_check_read; 5965 mpo_pipe_check_select_t *mpo_pipe_check_select; 5966 mpo_pipe_check_stat_t *mpo_pipe_check_stat; 5967 mpo_pipe_check_write_t *mpo_pipe_check_write; 5968 mpo_pipe_label_associate_t *mpo_pipe_label_associate; 5969 mpo_reserved_hook_t *mpo_reserved42; 5970 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy; 5971 mpo_reserved_hook_t *mpo_reserved43; 5972 mpo_pipe_label_init_t *mpo_pipe_label_init; 5973 mpo_reserved_hook_t *mpo_reserved44; 5974 mpo_proc_check_syscall_mac_t *mpo_proc_check_syscall_mac; 5975 5976 mpo_policy_destroy_t *mpo_policy_destroy; 5977 mpo_policy_init_t *mpo_policy_init; 5978 mpo_policy_initbsd_t *mpo_policy_initbsd; 5979 mpo_policy_syscall_t *mpo_policy_syscall; 5980 5981 mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname; 5982 mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports; 5983 mpo_vnode_check_rename_t *mpo_vnode_check_rename; 5984 mpo_kext_check_query_t *mpo_kext_check_query; 5985 mpo_proc_notify_exec_complete_t *mpo_proc_notify_exec_complete; 5986 mpo_proc_notify_cs_invalidated_t *mpo_proc_notify_cs_invalidated; 5987 mpo_proc_check_syscall_unix_t *mpo_proc_check_syscall_unix; 5988 mpo_reserved_hook_t *mpo_reserved45; 5989 mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port; 5990 mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port; 5991 mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send; 5992 mpo_exc_action_label_associate_t *mpo_exc_action_label_associate; 5993 mpo_exc_action_label_populate_t *mpo_exc_action_label_populate; 5994 mpo_exc_action_label_destroy_t 
*mpo_exc_action_label_destroy; 5995 mpo_exc_action_label_init_t *mpo_exc_action_label_init; 5996 mpo_exc_action_label_update_t *mpo_exc_action_label_update; 5997 5998 mpo_vnode_check_trigger_resolve_t *mpo_vnode_check_trigger_resolve; 5999 mpo_mount_check_mount_late_t *mpo_mount_check_mount_late; 6000 mpo_mount_check_snapshot_mount_t *mpo_mount_check_snapshot_mount; 6001 mpo_vnode_notify_reclaim_t *mpo_vnode_notify_reclaim; 6002 mpo_skywalk_flow_check_connect_t *mpo_skywalk_flow_check_connect; 6003 mpo_skywalk_flow_check_listen_t *mpo_skywalk_flow_check_listen; 6004 6005 mpo_posixsem_check_create_t *mpo_posixsem_check_create; 6006 mpo_posixsem_check_open_t *mpo_posixsem_check_open; 6007 mpo_posixsem_check_post_t *mpo_posixsem_check_post; 6008 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink; 6009 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait; 6010 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate; 6011 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy; 6012 mpo_posixsem_label_init_t *mpo_posixsem_label_init; 6013 mpo_posixshm_check_create_t *mpo_posixshm_check_create; 6014 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap; 6015 mpo_posixshm_check_open_t *mpo_posixshm_check_open; 6016 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat; 6017 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate; 6018 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink; 6019 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate; 6020 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy; 6021 mpo_posixshm_label_init_t *mpo_posixshm_label_init; 6022 6023 mpo_proc_check_debug_t *mpo_proc_check_debug; 6024 mpo_proc_check_fork_t *mpo_proc_check_fork; 6025 mpo_reserved_hook_t *mpo_reserved61; 6026 mpo_reserved_hook_t *mpo_reserved62; 6027 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; 6028 mpo_proc_check_getauid_t *mpo_proc_check_getauid; 6029 mpo_reserved_hook_t *mpo_reserved63; 6030 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; 
6031 mpo_proc_check_sched_t *mpo_proc_check_sched; 6032 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; 6033 mpo_proc_check_setauid_t *mpo_proc_check_setauid; 6034 mpo_reserved_hook_t *mpo_reserved64; 6035 mpo_proc_check_signal_t *mpo_proc_check_signal; 6036 mpo_proc_check_wait_t *mpo_proc_check_wait; 6037 mpo_proc_check_dump_core_t *mpo_proc_check_dump_core; 6038 mpo_proc_check_remote_thread_create_t *mpo_proc_check_remote_thread_create; 6039 6040 mpo_socket_check_accept_t *mpo_socket_check_accept; 6041 mpo_socket_check_accepted_t *mpo_socket_check_accepted; 6042 mpo_socket_check_bind_t *mpo_socket_check_bind; 6043 mpo_socket_check_connect_t *mpo_socket_check_connect; 6044 mpo_socket_check_create_t *mpo_socket_check_create; 6045 mpo_reserved_hook_t *mpo_reserved46; 6046 mpo_reserved_hook_t *mpo_reserved47; 6047 mpo_reserved_hook_t *mpo_reserved48; 6048 mpo_socket_check_listen_t *mpo_socket_check_listen; 6049 mpo_socket_check_receive_t *mpo_socket_check_receive; 6050 mpo_socket_check_received_t *mpo_socket_check_received; 6051 mpo_reserved_hook_t *mpo_reserved49; 6052 mpo_socket_check_send_t *mpo_socket_check_send; 6053 mpo_socket_check_stat_t *mpo_socket_check_stat; 6054 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt; 6055 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt; 6056 6057 mpo_proc_check_get_movable_control_port_t *mpo_proc_check_get_movable_control_port; 6058 mpo_proc_check_dyld_process_info_notify_register_t *mpo_proc_check_dyld_process_info_notify_register; 6059 mpo_proc_check_setuid_t *mpo_proc_check_setuid; 6060 mpo_proc_check_seteuid_t *mpo_proc_check_seteuid; 6061 mpo_proc_check_setreuid_t *mpo_proc_check_setreuid; 6062 mpo_proc_check_setgid_t *mpo_proc_check_setgid; 6063 mpo_proc_check_setegid_t *mpo_proc_check_setegid; 6064 mpo_proc_check_setregid_t *mpo_proc_check_setregid; 6065 mpo_proc_check_settid_t *mpo_proc_check_settid; 6066 mpo_proc_check_memorystatus_control_t *mpo_proc_check_memorystatus_control; 6067 
mpo_reserved_hook_t *mpo_reserved60; 6068 6069 mpo_thread_telemetry_t *mpo_thread_telemetry; 6070 6071 mpo_iokit_check_open_service_t *mpo_iokit_check_open_service; 6072 6073 mpo_system_check_acct_t *mpo_system_check_acct; 6074 mpo_system_check_audit_t *mpo_system_check_audit; 6075 mpo_system_check_auditctl_t *mpo_system_check_auditctl; 6076 mpo_system_check_auditon_t *mpo_system_check_auditon; 6077 mpo_system_check_host_priv_t *mpo_system_check_host_priv; 6078 mpo_system_check_nfsd_t *mpo_system_check_nfsd; 6079 mpo_system_check_reboot_t *mpo_system_check_reboot; 6080 mpo_system_check_settime_t *mpo_system_check_settime; 6081 mpo_system_check_swapoff_t *mpo_system_check_swapoff; 6082 mpo_system_check_swapon_t *mpo_system_check_swapon; 6083 mpo_socket_check_ioctl_t *mpo_socket_check_ioctl; 6084 6085 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate; 6086 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy; 6087 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init; 6088 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle; 6089 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue; 6090 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv; 6091 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid; 6092 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl; 6093 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget; 6094 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv; 6095 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd; 6096 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate; 6097 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy; 6098 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init; 6099 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle; 6100 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl; 6101 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget; 6102 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop; 6103 mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate; 6104 mpo_sysvsem_label_destroy_t 
*mpo_sysvsem_label_destroy; 6105 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init; 6106 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle; 6107 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat; 6108 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl; 6109 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt; 6110 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget; 6111 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate; 6112 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy; 6113 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init; 6114 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle; 6115 6116 mpo_proc_notify_exit_t *mpo_proc_notify_exit; 6117 mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert; 6118 mpo_vnode_check_getattr_t *mpo_vnode_check_getattr; 6119 mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create; 6120 mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete; 6121 mpo_vnode_check_clone_t *mpo_vnode_check_clone; 6122 mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info; 6123 mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info; 6124 6125 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control; 6126 6127 mpo_vnode_check_access_t *mpo_vnode_check_access; 6128 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; 6129 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; 6130 mpo_vnode_check_create_t *mpo_vnode_check_create; 6131 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr; 6132 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata; 6133 mpo_vnode_check_exec_t *mpo_vnode_check_exec; 6134 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist; 6135 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr; 6136 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl; 6137 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter; 6138 mpo_vnode_check_label_update_t *mpo_vnode_check_label_update; 6139 mpo_vnode_check_link_t *mpo_vnode_check_link; 6140 
mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; 6141 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; 6142 mpo_vnode_check_open_t *mpo_vnode_check_open; 6143 mpo_vnode_check_read_t *mpo_vnode_check_read; 6144 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; 6145 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink; 6146 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from; 6147 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to; 6148 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke; 6149 mpo_vnode_check_select_t *mpo_vnode_check_select; 6150 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist; 6151 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr; 6152 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags; 6153 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode; 6154 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; 6155 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; 6156 mpo_vnode_check_stat_t *mpo_vnode_check_stat; 6157 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; 6158 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink; 6159 mpo_vnode_check_write_t *mpo_vnode_check_write; 6160 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs; 6161 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr; 6162 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file; 6163 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe; 6164 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem; 6165 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm; 6166 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel; 6167 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket; 6168 mpo_vnode_label_copy_t *mpo_vnode_label_copy; 6169 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy; 6170 mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit; 6171 mpo_vnode_label_externalize_t 
*mpo_vnode_label_externalize; 6172 mpo_vnode_label_init_t *mpo_vnode_label_init; 6173 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize; 6174 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle; 6175 mpo_vnode_label_store_t *mpo_vnode_label_store; 6176 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr; 6177 mpo_vnode_label_update_t *mpo_vnode_label_update; 6178 mpo_vnode_notify_create_t *mpo_vnode_notify_create; 6179 mpo_vnode_check_signature_t *mpo_vnode_check_signature; 6180 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind; 6181 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect; 6182 6183 mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid; 6184 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume; 6185 6186 mpo_thread_userret_t *mpo_thread_userret; 6187 6188 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties; 6189 6190 mpo_vnode_check_supplemental_signature_t *mpo_vnode_check_supplemental_signature; 6191 6192 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs; 6193 6194 mpo_priv_check_t *mpo_priv_check; 6195 mpo_priv_grant_t *mpo_priv_grant; 6196 6197 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon; 6198 6199 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath; 6200 6201 mpo_iokit_check_open_t *mpo_iokit_check_open; 6202 6203 mpo_proc_check_ledger_t *mpo_proc_check_ledger; 6204 6205 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename; 6206 6207 mpo_vnode_check_setacl_t *mpo_vnode_check_setacl; 6208 6209 mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr; 6210 6211 mpo_system_check_kas_info_t *mpo_system_check_kas_info; 6212 6213 mpo_vnode_check_lookup_preflight_t *mpo_vnode_check_lookup_preflight; 6214 6215 mpo_vnode_notify_open_t *mpo_vnode_notify_open; 6216 6217 mpo_system_check_info_t *mpo_system_check_info; 6218 6219 mpo_pty_notify_grant_t *mpo_pty_notify_grant; 6220 mpo_pty_notify_close_t *mpo_pty_notify_close; 6221 6222 mpo_vnode_find_sigs_t 
*mpo_vnode_find_sigs;

	/*
	 * Remaining entry-point slots of the operations vector; the struct's
	 * declaration begins above this excerpt, so only its tail is shown.
	 */
	mpo_kext_check_load_t *mpo_kext_check_load;
	mpo_kext_check_unload_t *mpo_kext_check_unload;

	mpo_proc_check_proc_info_t *mpo_proc_check_proc_info;
	mpo_vnode_notify_link_t *mpo_vnode_notify_link;
	mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties;
	mpo_iokit_check_get_property_t *mpo_iokit_check_get_property;
};

/**
 * @brief MAC policy handle type
 *
 * The MAC handle is used to uniquely identify a loaded policy within
 * the MAC Framework.
 *
 * A variable of this type is set by mac_policy_register(), and the same
 * value is what mac_policy_unregister(), mac_audit_text() and
 * mac_get_mpc() expect back.
 */
typedef unsigned int mac_policy_handle_t;

/* Pointer-to-configuration shorthand used by the mpc_list member below. */
#define mpc_t struct mac_policy_conf *

/**
 * @brief Mac policy configuration
 *
 * This structure specifies the configuration information for a
 * MAC policy module. A policy module developer must supply
 * a short unique policy name, a more descriptive full name, a list of label
 * namespaces and count, a pointer to the registered entry point operations,
 * any load time flags, and optionally, a pointer to a label slot identifier.
 *
 * The Framework will update the runtime flags (mpc_runtime_flags) to
 * indicate that the module has been registered.
 *
 * If the label slot identifier (mpc_field_off) is NULL, the Framework
 * will not provide label storage for the policy. Otherwise, the
 * Framework will store the label location (slot) in this field.
 *
 * The mpc_list field is used by the Framework and should not be
 * modified by policies.
 *
 * MAC_POLICY_SET() below expands to a static instance of this structure
 * with mpc_list and mpc_data left zero-initialized.
 */
/* XXX - reorder these for better alignment on 64bit platforms */
struct mac_policy_conf {
	const char *mpc_name;                 /**< policy name (MAC_POLICY_SET stores the stringified mpname here) */
	const char *mpc_fullname;             /**< full name */
	char const * const *mpc_labelnames;   /**< managed label namespaces */
	unsigned int mpc_labelname_count;     /**< number of managed label namespaces (entries in mpc_labelnames) */
	const struct mac_policy_ops *mpc_ops; /**< operation vector */
	int mpc_loadtime_flags;               /**< load time flags (MPC_LOADTIME_*) */
	int *mpc_field_off;                   /**< label slot: NULL for no label storage, else the Framework writes the slot here */
	int mpc_runtime_flags;                /**< run time flags; MPC_RUNTIME_FLAG_REGISTERED is set by the Framework */
	mpc_t mpc_list;                       /**< List reference, owned by the Framework -- policies must not touch it */
	void *mpc_data;                       /**< module data */
};

/**
 * @brief MAC policy module registration routine
 *
 * This function is called to register a policy with the
 * MAC framework. A policy module will typically call this from the
 * Darwin KEXT registration routine.
 *
 * @param mpc     the policy's configuration; on success the Framework
 *                records registration in mpc->mpc_runtime_flags
 *                (MPC_RUNTIME_FLAG_REGISTERED) and takes over mpc->mpc_list
 * @param handlep receives the handle that identifies the registered policy
 *                in later calls (mac_policy_unregister, mac_audit_text)
 * @param xd      opaque data forwarded from the KEXT start routine;
 *                MAC_POLICY_SET passes kmod_start()'s xd argument through
 * @return an int that MAC_POLICY_SET returns unchanged as the kmod start
 *         status, so a non-zero value reports the load as failed
 *         (presumably 0 on success -- not stated in this header).
 *         Registration after boot is rejected for policies that set
 *         MPC_LOADTIME_FLAG_NOTLATE (see below).
 */
int mac_policy_register(struct mac_policy_conf *mpc,
    mac_policy_handle_t *handlep, void *xd);

/**
 * @brief MAC policy module de-registration routine
 *
 * This function is called to de-register a policy with the
 * MAC framework. A policy module will typically call this from the
 * Darwin KEXT de-registration routine.
 *
 * @param handle the handle obtained from mac_policy_register()
 * @return an int that MAC_POLICY_SET returns unchanged as the kmod stop
 *         status. Per the MPC_LOADTIME_FLAG_UNLOADOK description below,
 *         the Framework rejects the request unless the policy registered
 *         with that flag set.
 */
int mac_policy_unregister(mac_policy_handle_t handle);

/*
 * Framework entry points for the policies to add audit data.
 *
 * text:   audit text supplied by the policy. No length is passed, so the
 *         string must be NUL-terminated; at most MAC_AUDIT_DATA_LIMIT bytes
 *         are logged (see the limit defined below). The parameter is not
 *         const-qualified -- NOTE(review): whether the text is modified is
 *         not visible here, so avoid passing string literals.
 * handle: the calling policy's handle from mac_policy_register().
 */
int mac_audit_text(char *text, mac_policy_handle_t handle);

/*
 * Calls to assist with use of Apple XATTRs within policy modules.
 *
 * These take a vnode directly; the mac_file_*xattr() routines below are
 * the fileglob-based counterparts and document the (name, buf, len,
 * attrlen) parameter meanings, which presumably apply here as well.
 * NOTE(review): the iocount requirement stated for mac_file_*xattr() is
 * likely to apply to the vnode passed here too -- confirm against the
 * implementation before relying on it.
 */
int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t);
int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t,
    size_t *);
int mac_vnop_removexattr(struct vnode *, const char *);

/**
 * @brief Set an extended attribute on a vnode-based fileglob.
 * @param fg fileglob representing file to attach the extended attribute
 * @param name extended attribute name
 * @param buf buffer of data to use as the extended attribute value
 * @param len size of buffer
 * @return 0 on success, otherwise an error code (presumably errno-style;
 *         not stated in this header)
 *
 * Sets the value of an extended attribute on a file.
 *
 * Caller must hold an iocount on the vnode represented by the fileglob.
 */
#ifdef KERNEL_PRIVATE
int mac_file_setxattr(struct fileglob *fg, const char *name, char *buf, size_t len);
#endif

/**
 * @brief Get an extended attribute from a vnode-based fileglob.
 * @param fg fileglob representing file to read the extended attribute
 * @param name extended attribute name
 * @param buf buffer of data to hold the extended attribute value
 * @param len size of buffer
 * @param attrlen size of full extended attribute value
 * @return 0 on success, otherwise an error code (presumably errno-style;
 *         not stated in this header)
 *
 * Gets the value of an extended attribute on a file. Because attrlen
 * reports the full value size, it may exceed len; callers should compare
 * the two before treating buf as the complete value.
 *
 * Caller must hold an iocount on the vnode represented by the fileglob.
 */
#ifdef KERNEL_PRIVATE
int mac_file_getxattr(struct fileglob *fg, const char *name, char *buf, size_t len,
    size_t *attrlen);
#endif

/**
 * @brief Remove an extended attribute from a vnode-based fileglob.
 * @param fg fileglob representing file to remove the extended attribute
 * @param name extended attribute name
 * @return 0 on success, otherwise an error code (presumably errno-style;
 *         not stated in this header)
 *
 * Removes the named extended attribute from the file.
 *
 * Caller must hold an iocount on the vnode represented by the fileglob.
 */
#ifdef KERNEL_PRIVATE
int mac_file_removexattr(struct fileglob *fg, const char *name);
#endif

/*
 * Arbitrary limit on how much data will be logged by the audit
 * entry points above.
 */
#define MAC_AUDIT_DATA_LIMIT 1024

/*
 * Values returned by mac_audit_{pre,post}select. To combine the responses
 * of the security policies into a single decision,
 * mac_audit_{pre,post}select() choose the greatest value returned.
 * Consequently a single policy answering MAC_AUDIT_YES forces auditing
 * regardless of what the others return.
 */
#define MAC_AUDIT_DEFAULT 0 /* use system behavior */
#define MAC_AUDIT_NO 1      /* force not auditing this event */
#define MAC_AUDIT_YES 2     /* force auditing this event */

// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field

/**
 * @name Flags for the mpc_loadtime_flags field
 * @see mac_policy_conf
 *
 * This is the complete list of flags that are supported by the
 * mpc_loadtime_flags field of the mac_policy_conf structure. These
 * flags specify the load time behavior of MAC Framework policy
 * modules.
 */

/*@{*/

/**
 * @brief Flag to indicate registration preference
 *
 * This flag indicates that the policy module must be loaded and
 * initialized early in the boot process. If the flag is specified,
 * attempts to register the module following boot will be rejected. The
 * flag may be used by policies that require pervasive labeling of all
 * system objects, and cannot handle objects that have not been
 * properly initialized by the policy.
 */
#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001

/**
 * @brief Flag to indicate unload preference
 *
 * This flag indicates that the policy module may be unloaded. If this
 * flag is not set, then the policy framework will reject requests to
 * unload the module. This flag might be used by modules that allocate
 * label state and are unable to free that state at runtime, or for
 * modules that simply do not want to permit unload operations.
 */
#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002

/**
 * @brief Unsupported
 *
 * XXX This flag is not yet supported.
 */
#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004

/**
 * @brief Flag to indicate a base policy
 *
 * This flag indicates that the policy module is a base policy. Only
 * one module can declare itself as base, otherwise the boot process
 * will be halted.
 */
#define MPC_LOADTIME_BASE_POLICY 0x00000008

/*@}*/

/**
 * @brief Policy registration flag
 * @see mac_policy_conf
 *
 * This flag indicates that the policy module has been successfully
 * registered with the TrustedBSD MAC Framework. The Framework will
 * set this flag in the mpc_runtime_flags field of the policy's
 * mac_policy_conf structure after registering the policy.
 */
#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001

/*
 * Depends on POLICY_VER
 *
 * POLICY_VER is the version MAC_POLICY_SET() passes to KMOD_EXPLICIT_DECL;
 * a policy may define it before including this header to override the
 * default.
 */

#ifndef POLICY_VER
#define POLICY_VER 1.0
#endif

/**
 * @brief Declare a policy's mac_policy_conf and kmod entry points
 *
 * Expands, at file scope, to: a static mac_policy_conf named
 * <mpname>_mac_policy_conf (mpc_name is the stringified mpname; mpc_list
 * and mpc_data are left zero-initialized); static kmod_start()/kmod_stop()
 * routines that call mac_policy_register()/mac_policy_unregister() on it
 * and return their results as the kmod status; and the KMOD_EXPLICIT_DECL
 * glue (defined elsewhere) that wires those routines in as
 * _realmain/_antimain. The expansion ends without a semicolon, so the
 * invocation must be terminated by the caller.
 *
 * @param handle     an lvalue of type mac_policy_handle_t declared by the
 *                   policy before this macro is used; kmod_start() stores
 *                   the registered handle in it and kmod_stop() reads it
 * @param mpops      pointer to the policy's struct mac_policy_ops
 * @param mpname     short policy name as a bare identifier token (it is
 *                   token-pasted and stringified, so a string literal will
 *                   not work)
 * @param mpfullname expression for mpc_fullname
 * @param lnames     label namespace array for mpc_labelnames
 * @param lcount     number of entries in lnames
 * @param slot       pointer stored in mpc_field_off, or NULL for no label
 *                   storage
 * @param lflags     MPC_LOADTIME_* flags
 * @param rflags     initial mpc_runtime_flags value
 */
#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \
	static struct mac_policy_conf mpname##_mac_policy_conf = {	\
		.mpc_name		= #mpname,			\
		.mpc_fullname		= mpfullname,			\
		.mpc_labelnames		= lnames,			\
		.mpc_labelname_count	= lcount,			\
		.mpc_ops		= mpops,			\
		.mpc_loadtime_flags	= lflags,			\
		.mpc_field_off		= slot,				\
		.mpc_runtime_flags	= rflags			\
	};								\
									\
	static kern_return_t						\
	kmod_start(kmod_info_t *ki, void *xd)				\
	{								\
		return mac_policy_register(&mpname##_mac_policy_conf,	\
		    &handle, xd);					\
	}								\
									\
	static kern_return_t						\
	kmod_stop(kmod_info_t *ki, void *xd)				\
	{								\
		return mac_policy_unregister(handle);			\
	}								\
									\
	extern kern_return_t _start(kmod_info_t *ki, void *data);	\
	extern kern_return_t _stop(kmod_info_t *ki, void *data);	\
									\
	KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop)	\
	kmod_start_func_t *_realmain = kmod_start;			\
	kmod_stop_func_t *_antimain = kmod_stop;			\
	int _kext_apple_cc = __APPLE_CC__

/*
 * Policy interface to map a struct label pointer to per-policy data.
 * Typically, policies wrap this in their own accessor macro that casts an
 * intptr_t to a policy-specific data type.
 *
 * `slot` is presumably the per-policy slot index the Framework stores
 * through mpc_field_off at registration. The ~0ULL reservation on
 * mac_label_set() suggests that value serves as an internal sentinel, so
 * policies must never store it as data. mac_vnode_label_get() takes a
 * caller-chosen `sentinel` -- NOTE(review): presumably returned when no
 * value is present; confirm in the implementation.
 * The alloc/free variants taking a block (^) run it as extra setup or
 * teardown; the ownership rules behind the *_for_owner / *_owned / *_free_owned
 * names are not visible here and should be checked before pairing calls.
 */
#ifdef KERNEL_PRIVATE
struct label * mac_label_verify(struct label **labelp);
intptr_t mac_label_get(struct label *l, int slot);
/*
 * Sets a label slot to the given pointer value, `v`. `v` cannot be `~0ULL`.
 */
void mac_label_set(struct label *l, int slot, intptr_t v);
struct label * mac_labelzone_alloc(int flags);
struct label * mac_labelzone_alloc_for_owner(struct label **labelp, int flags,
    void (^extra_setup)(struct label *));
struct label * mac_labelzone_alloc_owned(struct label **labelp, int flags,
    void (^extra_setup)(struct label *));
void mac_labelzone_free(struct label *l);
void mac_labelzone_free_owned(struct label **labelp,
    void (^extra_deinit)(struct label *));
intptr_t mac_vnode_label_get(struct vnode *vp, int slot, intptr_t sentinel);
void mac_vnode_label_set(struct vnode *vp, int slot, intptr_t v);
#endif

/*
 * Look up the mac_policy_conf registered under handle h. This indexes
 * mac_policy_list.entries[] (declared elsewhere) with no range check, so h
 * must be a handle obtained from mac_policy_register(). The argument is
 * expanded inside [] and therefore needs no extra parentheses.
 */
#define mac_get_mpc(h) (mac_policy_list.entries[h].mpc)

/**
 * @name Flags for MAC allocator interfaces
 *
 * These flags are passed to the Darwin kernel allocator routines to
 * indicate whether the allocation is permitted to block or not.
 * Caution should be taken; some operations are not permitted to sleep,
 * and some types of locks cannot be held when sleeping.
 *
 * Presumably these are the values accepted by the `flags` parameter of
 * the mac_labelzone_alloc*() routines above.
 */

/*@{*/

/**
 * @brief Allocation operations may block
 *
 * If memory is not immediately available, the allocation routine
 * will block (typically sleeping) until memory is available.
 *
 * @warning Inappropriate use of this flag may cause kernel panics.
 */
#define MAC_WAITOK 0

/**
 * @brief Allocation operations may not block
 *
 * Rather than blocking, the allocator may return an error if memory
 * is not immediately available. This type of allocation will not
 * sleep, preserving locking semantics. Callers must therefore check
 * for a failed allocation when using this flag.
 */
#define MAC_NOWAIT 1

/*@}*/

#endif /* !_SECURITY_MAC_POLICY_H_ */