1*a1e26a70SApple OSS Distributions /* 2*a1e26a70SApple OSS Distributions * Copyright (c) 2013-2019, 2022 Apple Inc. All rights reserved. 3*a1e26a70SApple OSS Distributions * 4*a1e26a70SApple OSS Distributions * @APPLE_LICENSE_HEADER_START@ 5*a1e26a70SApple OSS Distributions * 6*a1e26a70SApple OSS Distributions * This file contains Original Code and/or Modifications of Original Code 7*a1e26a70SApple OSS Distributions * as defined in and that are subject to the Apple Public Source License 8*a1e26a70SApple OSS Distributions * Version 2.0 (the 'License'). You may not use this file except in 9*a1e26a70SApple OSS Distributions * compliance with the License. Please obtain a copy of the License at 10*a1e26a70SApple OSS Distributions * http://www.opensource.apple.com/apsl/ and read it before using this 11*a1e26a70SApple OSS Distributions * file. 12*a1e26a70SApple OSS Distributions * 13*a1e26a70SApple OSS Distributions * The Original Code and all software distributed under the License are 14*a1e26a70SApple OSS Distributions * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 15*a1e26a70SApple OSS Distributions * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 16*a1e26a70SApple OSS Distributions * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 17*a1e26a70SApple OSS Distributions * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 18*a1e26a70SApple OSS Distributions * Please see the License for the specific language governing rights and 19*a1e26a70SApple OSS Distributions * limitations under the License. 20*a1e26a70SApple OSS Distributions * 21*a1e26a70SApple OSS Distributions * @APPLE_LICENSE_HEADER_END@ 22*a1e26a70SApple OSS Distributions */ 23*a1e26a70SApple OSS Distributions 24*a1e26a70SApple OSS Distributions #ifndef __CONTENT_FILTER_H__ 25*a1e26a70SApple OSS Distributions #define __CONTENT_FILTER_H__ 26*a1e26a70SApple OSS Distributions 27*a1e26a70SApple OSS Distributions #include <sys/param.h> 28*a1e26a70SApple OSS Distributions #include <sys/types.h> 29*a1e26a70SApple OSS Distributions #include <sys/_types/_timeval64.h> 30*a1e26a70SApple OSS Distributions #include <sys/socket.h> 31*a1e26a70SApple OSS Distributions #include <sys/syslog.h> 32*a1e26a70SApple OSS Distributions #include <netinet/in.h> 33*a1e26a70SApple OSS Distributions #include <stdint.h> 34*a1e26a70SApple OSS Distributions #include <corecrypto/ccsha2.h> 35*a1e26a70SApple OSS Distributions 36*a1e26a70SApple OSS Distributions #ifdef BSD_KERNEL_PRIVATE 37*a1e26a70SApple OSS Distributions #include <sys/mbuf.h> 38*a1e26a70SApple OSS Distributions #include <sys/socketvar.h> 39*a1e26a70SApple OSS Distributions #endif /* BSD_KERNEL_PRIVATE */ 40*a1e26a70SApple OSS Distributions 41*a1e26a70SApple OSS Distributions #ifndef XNU_KERNEL_PRIVATE 42*a1e26a70SApple OSS Distributions #include <TargetConditionals.h> 43*a1e26a70SApple OSS Distributions #endif 44*a1e26a70SApple OSS Distributions 45*a1e26a70SApple OSS Distributions __BEGIN_DECLS 46*a1e26a70SApple OSS Distributions 47*a1e26a70SApple OSS Distributions #ifdef PRIVATE 48*a1e26a70SApple OSS Distributions 49*a1e26a70SApple OSS Distributions /* 50*a1e26a70SApple OSS Distributions * Kernel control name for an instance of a Content Filter 51*a1e26a70SApple OSS Distributions * Use CTLIOCGINFO to find out the corresponding kernel control id 52*a1e26a70SApple OSS Distributions * to be set in the sc_id field of sockaddr_ctl for connect(2) 53*a1e26a70SApple OSS Distributions * Note: the sc_unit is ephemeral 54*a1e26a70SApple OSS Distributions */ 55*a1e26a70SApple OSS Distributions #define CONTENT_FILTER_CONTROL_NAME "com.apple.content-filter" 56*a1e26a70SApple OSS Distributions 57*a1e26a70SApple OSS Distributions /* 58*a1e26a70SApple OSS Distributions * Opaque socket identifier 59*a1e26a70SApple OSS Distributions */ 60*a1e26a70SApple OSS Distributions typedef uint64_t cfil_sock_id_t; 61*a1e26a70SApple OSS Distributions 62*a1e26a70SApple OSS Distributions #define CFIL_SOCK_ID_NONE UINT64_MAX 63*a1e26a70SApple OSS Distributions 64*a1e26a70SApple OSS Distributions 65*a1e26a70SApple OSS Distributions /* 66*a1e26a70SApple OSS Distributions * CFIL_OPT_NECP_CONTROL_UNIT 67*a1e26a70SApple OSS Distributions * To set or get the NECP filter control unit for the kernel control socket 68*a1e26a70SApple OSS Distributions * The option level is SYSPROTO_CONTROL 69*a1e26a70SApple OSS Distributions */ 70*a1e26a70SApple OSS Distributions #define CFIL_OPT_NECP_CONTROL_UNIT 1 /* uint32_t */ 71*a1e26a70SApple OSS Distributions 72*a1e26a70SApple OSS Distributions /* 73*a1e26a70SApple OSS Distributions * CFIL_OPT_GET_SOCKET_INFO 74*a1e26a70SApple OSS Distributions * To get information about a given socket that is being filtered. 75*a1e26a70SApple OSS Distributions */ 76*a1e26a70SApple OSS Distributions #define CFIL_OPT_GET_SOCKET_INFO 2 /* uint32_t */ 77*a1e26a70SApple OSS Distributions 78*a1e26a70SApple OSS Distributions /* 79*a1e26a70SApple OSS Distributions * CFIL_OPT_PRESERVE_CONNECTIONS 80*a1e26a70SApple OSS Distributions * To set or get the preserve-connections setting for the filter 81*a1e26a70SApple OSS Distributions */ 82*a1e26a70SApple OSS Distributions #define CFIL_OPT_PRESERVE_CONNECTIONS 3 /* uint32_t */ 83*a1e26a70SApple OSS Distributions 84*a1e26a70SApple OSS Distributions /* 85*a1e26a70SApple OSS Distributions * struct cfil_opt_sock_info 86*a1e26a70SApple OSS Distributions * 87*a1e26a70SApple OSS Distributions * Contains information about a socket that is being filtered. 88*a1e26a70SApple OSS Distributions */ 89*a1e26a70SApple OSS Distributions struct cfil_opt_sock_info { 90*a1e26a70SApple OSS Distributions cfil_sock_id_t cfs_sock_id; 91*a1e26a70SApple OSS Distributions int cfs_sock_family; /* e.g. PF_INET */ 92*a1e26a70SApple OSS Distributions int cfs_sock_type; /* e.g. SOCK_STREAM */ 93*a1e26a70SApple OSS Distributions int cfs_sock_protocol; /* e.g. IPPROTO_TCP */ 94*a1e26a70SApple OSS Distributions union sockaddr_in_4_6 cfs_local; 95*a1e26a70SApple OSS Distributions union sockaddr_in_4_6 cfs_remote; 96*a1e26a70SApple OSS Distributions pid_t cfs_pid; 97*a1e26a70SApple OSS Distributions pid_t cfs_e_pid; 98*a1e26a70SApple OSS Distributions pid_t cfs_r_pid; 99*a1e26a70SApple OSS Distributions uuid_t cfs_uuid; 100*a1e26a70SApple OSS Distributions uuid_t cfs_e_uuid; 101*a1e26a70SApple OSS Distributions uuid_t cfs_r_uuid; 102*a1e26a70SApple OSS Distributions }; 103*a1e26a70SApple OSS Distributions 104*a1e26a70SApple OSS Distributions /* 105*a1e26a70SApple OSS Distributions * How many filter may be active simultaneously 106*a1e26a70SApple OSS Distributions */ 107*a1e26a70SApple OSS Distributions 108*a1e26a70SApple OSS Distributions #define CFIL_MAX_FILTER_COUNT 8 109*a1e26a70SApple OSS Distributions 110*a1e26a70SApple OSS Distributions /* 111*a1e26a70SApple OSS Distributions * Crypto Support 112*a1e26a70SApple OSS Distributions */ 113*a1e26a70SApple OSS Distributions #define CFIL_CRYPTO 1 114*a1e26a70SApple OSS Distributions #define CFIL_CRYPTO_SIGNATURE_SIZE 32 115*a1e26a70SApple OSS Distributions #define CFIL_CRYPTO_DATA_EVENT 1 116*a1e26a70SApple OSS Distributions 117*a1e26a70SApple OSS Distributions typedef uint8_t cfil_crypto_key[CCSHA256_OUTPUT_SIZE]; 118*a1e26a70SApple OSS Distributions typedef uint8_t cfil_crypto_signature[CFIL_CRYPTO_SIGNATURE_SIZE]; 119*a1e26a70SApple OSS Distributions 120*a1e26a70SApple OSS Distributions typedef struct cfil_crypto_state { 121*a1e26a70SApple OSS Distributions const struct ccdigest_info *digest_info; 122*a1e26a70SApple OSS Distributions cfil_crypto_key key; 123*a1e26a70SApple OSS Distributions } *cfil_crypto_state_t; 124*a1e26a70SApple OSS Distributions 125*a1e26a70SApple OSS Distributions typedef struct cfil_crypto_data { 126*a1e26a70SApple OSS Distributions uuid_t flow_id; 127*a1e26a70SApple OSS Distributions u_int64_t sock_id; 128*a1e26a70SApple OSS Distributions u_int32_t direction; 129*a1e26a70SApple OSS Distributions union sockaddr_in_4_6 remote; 130*a1e26a70SApple OSS Distributions union sockaddr_in_4_6 local; 131*a1e26a70SApple OSS Distributions u_int32_t socketProtocol; 132*a1e26a70SApple OSS Distributions pid_t pid; 133*a1e26a70SApple OSS Distributions pid_t effective_pid; 134*a1e26a70SApple OSS Distributions pid_t responsible_pid; 135*a1e26a70SApple OSS Distributions uuid_t uuid; 136*a1e26a70SApple OSS Distributions uuid_t effective_uuid; 137*a1e26a70SApple OSS Distributions uuid_t responsible_uuid; 138*a1e26a70SApple OSS Distributions u_int64_t byte_count_in; 139*a1e26a70SApple OSS Distributions u_int64_t byte_count_out; 140*a1e26a70SApple OSS Distributions } *cfil_crypto_data_t; 141*a1e26a70SApple OSS Distributions 142*a1e26a70SApple OSS Distributions /* 143*a1e26a70SApple OSS Distributions * Responsible pid/uuid support 144*a1e26a70SApple OSS Distributions */ 145*a1e26a70SApple OSS Distributions #define CFIL_RESPONSIBLE_PID_SUPPORT 1 146*a1e26a70SApple OSS Distributions 147*a1e26a70SApple OSS Distributions /* 148*a1e26a70SApple OSS Distributions * Types of messages 149*a1e26a70SApple OSS Distributions * 150*a1e26a70SApple OSS Distributions * Event messages flow from kernel to user space while action 151*a1e26a70SApple OSS Distributions * messages flow in the reverse direction. 152*a1e26a70SApple OSS Distributions * A message in entirely represented by a packet sent or received 153*a1e26a70SApple OSS Distributions * on a Content Filter kernel control socket. 154*a1e26a70SApple OSS Distributions */ 155*a1e26a70SApple OSS Distributions #define CFM_TYPE_EVENT 1 /* message from kernel */ 156*a1e26a70SApple OSS Distributions #define CFM_TYPE_ACTION 2 /* message to kernel */ 157*a1e26a70SApple OSS Distributions 158*a1e26a70SApple OSS Distributions /* 159*a1e26a70SApple OSS Distributions * Operations associated with events from kernel 160*a1e26a70SApple OSS Distributions */ 161*a1e26a70SApple OSS Distributions #define CFM_OP_SOCKET_ATTACHED 1 /* a socket has been attached */ 162*a1e26a70SApple OSS Distributions #define CFM_OP_SOCKET_CLOSED 2 /* a socket is being closed */ 163*a1e26a70SApple OSS Distributions #define CFM_OP_DATA_OUT 3 /* data being sent */ 164*a1e26a70SApple OSS Distributions #define CFM_OP_DATA_IN 4 /* data being received */ 165*a1e26a70SApple OSS Distributions #define CFM_OP_DISCONNECT_OUT 5 /* no more outgoing data */ 166*a1e26a70SApple OSS Distributions #define CFM_OP_DISCONNECT_IN 6 /* no more incoming data */ 167*a1e26a70SApple OSS Distributions #define CFM_OP_STATS 7 /* periodic stats report(s) */ 168*a1e26a70SApple OSS Distributions 169*a1e26a70SApple OSS Distributions /* 170*a1e26a70SApple OSS Distributions * Operations associated with action from filter to kernel 171*a1e26a70SApple OSS Distributions */ 172*a1e26a70SApple OSS Distributions #define CFM_OP_DATA_UPDATE 16 /* update pass or peek offsets */ 173*a1e26a70SApple OSS Distributions #define CFM_OP_DROP 17 /* shutdown socket, no more data */ 174*a1e26a70SApple OSS Distributions #define CFM_OP_BLESS_CLIENT 18 /* mark a client flow as already filtered, passes a uuid */ 175*a1e26a70SApple OSS Distributions #define CFM_OP_SET_CRYPTO_KEY 19 /* assign client crypto key for message signing */ 176*a1e26a70SApple OSS Distributions 177*a1e26a70SApple OSS Distributions /* 178*a1e26a70SApple OSS Distributions * struct cfil_msg_hdr 179*a1e26a70SApple OSS Distributions * 180*a1e26a70SApple OSS Distributions * Header common to all messages 181*a1e26a70SApple OSS Distributions */ 182*a1e26a70SApple OSS Distributions struct cfil_msg_hdr { 183*a1e26a70SApple OSS Distributions uint32_t cfm_len; /* total length */ 184*a1e26a70SApple OSS Distributions uint32_t cfm_version; 185*a1e26a70SApple OSS Distributions uint32_t cfm_type; 186*a1e26a70SApple OSS Distributions uint32_t cfm_op; 187*a1e26a70SApple OSS Distributions cfil_sock_id_t cfm_sock_id; 188*a1e26a70SApple OSS Distributions }; 189*a1e26a70SApple OSS Distributions 190*a1e26a70SApple OSS Distributions #define CFM_VERSION_CURRENT 1 191*a1e26a70SApple OSS Distributions 192*a1e26a70SApple OSS Distributions /* 193*a1e26a70SApple OSS Distributions * Connection Direction 194*a1e26a70SApple OSS Distributions */ 195*a1e26a70SApple OSS Distributions #define CFS_CONNECTION_DIR_IN 0 196*a1e26a70SApple OSS Distributions #define CFS_CONNECTION_DIR_OUT 1 197*a1e26a70SApple OSS Distributions 198*a1e26a70SApple OSS Distributions #define CFS_REAL_AUDIT_TOKEN 1 199*a1e26a70SApple OSS Distributions 200*a1e26a70SApple OSS Distributions #define CFS_MAX_DOMAIN_NAME_LENGTH 256 201*a1e26a70SApple OSS Distributions 202*a1e26a70SApple OSS Distributions 203*a1e26a70SApple OSS Distributions /* 204*a1e26a70SApple OSS Distributions * struct cfil_msg_sock_attached 205*a1e26a70SApple OSS Distributions * 206*a1e26a70SApple OSS Distributions * Information about a new socket being attached to the content filter 207*a1e26a70SApple OSS Distributions * 208*a1e26a70SApple OSS Distributions * Action: No reply is expected as this does not block the creation of the 209*a1e26a70SApple OSS Distributions * TCP/IP but timely action must be taken to avoid user noticeable delays. 210*a1e26a70SApple OSS Distributions * 211*a1e26a70SApple OSS Distributions * Valid Types: CFM_TYPE_EVENT 212*a1e26a70SApple OSS Distributions * 213*a1e26a70SApple OSS Distributions * Valid Op: CFM_OP_SOCKET_ATTACHED 214*a1e26a70SApple OSS Distributions */ 215*a1e26a70SApple OSS Distributions struct cfil_msg_sock_attached { 216*a1e26a70SApple OSS Distributions struct cfil_msg_hdr cfs_msghdr; 217*a1e26a70SApple OSS Distributions int cfs_sock_family; /* e.g. PF_INET */ 218*a1e26a70SApple OSS Distributions int cfs_sock_type; /* e.g. SOCK_STREAM */ 219*a1e26a70SApple OSS Distributions int cfs_sock_protocol; /* e.g. IPPROTO_TCP */ 220*a1e26a70SApple OSS Distributions int cfs_unused; /* padding */ 221*a1e26a70SApple OSS Distributions pid_t cfs_pid; 222*a1e26a70SApple OSS Distributions pid_t cfs_e_pid; 223*a1e26a70SApple OSS Distributions pid_t cfs_r_pid; 224*a1e26a70SApple OSS Distributions uuid_t cfs_uuid; 225*a1e26a70SApple OSS Distributions uuid_t cfs_e_uuid; 226*a1e26a70SApple OSS Distributions uuid_t cfs_r_uuid; 227*a1e26a70SApple OSS Distributions union sockaddr_in_4_6 cfs_src; 228*a1e26a70SApple OSS Distributions union sockaddr_in_4_6 cfs_dst; 229*a1e26a70SApple OSS Distributions int cfs_conn_dir; 230*a1e26a70SApple OSS Distributions unsigned int cfs_audit_token[8]; /* Must match audit_token_t */ 231*a1e26a70SApple OSS Distributions unsigned int cfs_real_audit_token[8]; /* Must match audit_token_t */ 232*a1e26a70SApple OSS Distributions cfil_crypto_signature cfs_signature; 233*a1e26a70SApple OSS Distributions uint32_t cfs_signature_length; 234*a1e26a70SApple OSS Distributions char cfs_remote_domain_name[CFS_MAX_DOMAIN_NAME_LENGTH]; 235*a1e26a70SApple OSS Distributions }; 236*a1e26a70SApple OSS Distributions 237*a1e26a70SApple OSS Distributions /* 238*a1e26a70SApple OSS Distributions * CFIL data flags 239*a1e26a70SApple OSS Distributions */ 240*a1e26a70SApple OSS Distributions #define CFD_DATA_FLAG_IP_HEADER 0x00000001 /* Data includes IP header */ 241*a1e26a70SApple OSS Distributions #define CFIL_DATA_HAS_DELEGATED_PID 1 242*a1e26a70SApple OSS Distributions /* 243*a1e26a70SApple OSS Distributions * struct cfil_msg_data_event 244*a1e26a70SApple OSS Distributions * 245*a1e26a70SApple OSS Distributions * Event for the content fiter to act on a span of data 246*a1e26a70SApple OSS Distributions * A data span is described by a pair of offsets over the cumulative 247*a1e26a70SApple OSS Distributions * number of bytes sent or received on the socket. 248*a1e26a70SApple OSS Distributions * 249*a1e26a70SApple OSS Distributions * Action: The event must be acted upon but the filter may buffer 250*a1e26a70SApple OSS Distributions * data spans until it has enough content to make a decision. 251*a1e26a70SApple OSS Distributions * The action must be timely to avoid user noticeable delays. 252*a1e26a70SApple OSS Distributions * 253*a1e26a70SApple OSS Distributions * Valid Type: CFM_TYPE_EVENT 254*a1e26a70SApple OSS Distributions * 255*a1e26a70SApple OSS Distributions * Valid Ops: CFM_OP_DATA_OUT, CFM_OP_DATA_IN 256*a1e26a70SApple OSS Distributions */ 257*a1e26a70SApple OSS Distributions struct cfil_msg_data_event { 258*a1e26a70SApple OSS Distributions struct cfil_msg_hdr cfd_msghdr; 259*a1e26a70SApple OSS Distributions union sockaddr_in_4_6 cfc_src; 260*a1e26a70SApple OSS Distributions union sockaddr_in_4_6 cfc_dst; 261*a1e26a70SApple OSS Distributions uint64_t cfd_start_offset; 262*a1e26a70SApple OSS Distributions uint64_t cfd_end_offset; 263*a1e26a70SApple OSS Distributions cfil_crypto_signature cfd_signature; 264*a1e26a70SApple OSS Distributions uint32_t cfd_signature_length; 265*a1e26a70SApple OSS Distributions uint32_t cfd_flags; 266*a1e26a70SApple OSS Distributions pid_t cfd_delegated_pid; 267*a1e26a70SApple OSS Distributions unsigned int cfd_delegated_audit_token[8]; 268*a1e26a70SApple OSS Distributions /* Actual content data immediatly follows */ 269*a1e26a70SApple OSS Distributions }; 270*a1e26a70SApple OSS Distributions 271*a1e26a70SApple OSS Distributions #define CFI_MAX_TIME_LOG_ENTRY 6 272*a1e26a70SApple OSS Distributions /* 273*a1e26a70SApple OSS Distributions * struct cfil_msg_sock_closed 274*a1e26a70SApple OSS Distributions * 275*a1e26a70SApple OSS Distributions * Information about a socket being closed to the content filter 276*a1e26a70SApple OSS Distributions * 277*a1e26a70SApple OSS Distributions * Action: No reply is expected as this does not block the closing of the 278*a1e26a70SApple OSS Distributions * TCP/IP. 279*a1e26a70SApple OSS Distributions * 280*a1e26a70SApple OSS Distributions * Valid Types: CFM_TYPE_EVENT 281*a1e26a70SApple OSS Distributions * 282*a1e26a70SApple OSS Distributions * Valid Op: CFM_OP_SOCKET_CLOSED 283*a1e26a70SApple OSS Distributions */ 284*a1e26a70SApple OSS Distributions struct cfil_msg_sock_closed { 285*a1e26a70SApple OSS Distributions struct cfil_msg_hdr cfc_msghdr; 286*a1e26a70SApple OSS Distributions struct timeval64 cfc_first_event; 287*a1e26a70SApple OSS Distributions uint32_t cfc_op_list_ctr; 288*a1e26a70SApple OSS Distributions uint32_t cfc_op_time[CFI_MAX_TIME_LOG_ENTRY]; /* time interval in microseconds since first event */ 289*a1e26a70SApple OSS Distributions unsigned char cfc_op_list[CFI_MAX_TIME_LOG_ENTRY]; 290*a1e26a70SApple OSS Distributions uint64_t cfc_byte_inbound_count; 291*a1e26a70SApple OSS Distributions uint64_t cfc_byte_outbound_count; 292*a1e26a70SApple OSS Distributions #define CFC_CLOSED_EVENT_LADDR 1 293*a1e26a70SApple OSS Distributions union sockaddr_in_4_6 cfc_laddr; 294*a1e26a70SApple OSS Distributions cfil_crypto_signature cfc_signature; 295*a1e26a70SApple OSS Distributions uint32_t cfc_signature_length; 296*a1e26a70SApple OSS Distributions } __attribute__((aligned(8))); 297*a1e26a70SApple OSS Distributions 298*a1e26a70SApple OSS Distributions /* 299*a1e26a70SApple OSS Distributions * struct cfil_msg_stats_report 300*a1e26a70SApple OSS Distributions * 301*a1e26a70SApple OSS Distributions * Statistics report for flow(s). 302*a1e26a70SApple OSS Distributions * 303*a1e26a70SApple OSS Distributions * Action: No reply is expected. 304*a1e26a70SApple OSS Distributions * 305*a1e26a70SApple OSS Distributions * Valid Types: CFM_TYPE_EVENT 306*a1e26a70SApple OSS Distributions * 307*a1e26a70SApple OSS Distributions * Valid Op: CFM_OP_STATS 308*a1e26a70SApple OSS Distributions */ 309*a1e26a70SApple OSS Distributions struct cfil_msg_sock_stats { 310*a1e26a70SApple OSS Distributions cfil_sock_id_t cfs_sock_id; 311*a1e26a70SApple OSS Distributions uint64_t cfs_byte_inbound_count; 312*a1e26a70SApple OSS Distributions uint64_t cfs_byte_outbound_count; 313*a1e26a70SApple OSS Distributions union sockaddr_in_4_6 cfs_laddr; 314*a1e26a70SApple OSS Distributions } __attribute__((aligned(8))); 315*a1e26a70SApple OSS Distributions 316*a1e26a70SApple OSS Distributions struct cfil_msg_stats_report { 317*a1e26a70SApple OSS Distributions struct cfil_msg_hdr cfr_msghdr; 318*a1e26a70SApple OSS Distributions uint32_t cfr_count; 319*a1e26a70SApple OSS Distributions struct cfil_msg_sock_stats cfr_stats[]; 320*a1e26a70SApple OSS Distributions } __attribute__((aligned(8))); 321*a1e26a70SApple OSS Distributions 322*a1e26a70SApple OSS Distributions /* 323*a1e26a70SApple OSS Distributions * struct cfil_msg_action 324*a1e26a70SApple OSS Distributions * 325*a1e26a70SApple OSS Distributions * Valid Type: CFM_TYPE_ACTION 326*a1e26a70SApple OSS Distributions * 327*a1e26a70SApple OSS Distributions * Valid Ops: CFM_OP_DATA_UPDATE, CFM_OP_DROP 328*a1e26a70SApple OSS Distributions * 329*a1e26a70SApple OSS Distributions * For CFM_OP_DATA_UPDATE: 330*a1e26a70SApple OSS Distributions * 331*a1e26a70SApple OSS Distributions * cfa_in_pass_offset and cfa_out_pass_offset indicates how much data is 332*a1e26a70SApple OSS Distributions * allowed to pass. A zero value does not modify the corresponding pass offset. 333*a1e26a70SApple OSS Distributions * 334*a1e26a70SApple OSS Distributions * cfa_in_peek_offset and cfa_out_peek_offset lets the filter specify how much 335*a1e26a70SApple OSS Distributions * data it needs to make a decision: the kernel will deliver data up to that 336*a1e26a70SApple OSS Distributions * offset (if less than cfa_pass_offset it is ignored). Use CFM_MAX_OFFSET 337*a1e26a70SApple OSS Distributions * if you don't value the corresponding peek offset to be updated. 338*a1e26a70SApple OSS Distributions */ 339*a1e26a70SApple OSS Distributions struct cfil_msg_action { 340*a1e26a70SApple OSS Distributions struct cfil_msg_hdr cfa_msghdr; 341*a1e26a70SApple OSS Distributions uint64_t cfa_in_pass_offset; 342*a1e26a70SApple OSS Distributions uint64_t cfa_in_peek_offset; 343*a1e26a70SApple OSS Distributions uint64_t cfa_out_pass_offset; 344*a1e26a70SApple OSS Distributions uint64_t cfa_out_peek_offset; 345*a1e26a70SApple OSS Distributions uint32_t cfa_stats_frequency; // Statistics frequency in milliseconds 346*a1e26a70SApple OSS Distributions }; 347*a1e26a70SApple OSS Distributions 348*a1e26a70SApple OSS Distributions /* 349*a1e26a70SApple OSS Distributions * struct cfil_msg_bless_client 350*a1e26a70SApple OSS Distributions * 351*a1e26a70SApple OSS Distributions * Marks a client UUID as already filtered at a higher level. 352*a1e26a70SApple OSS Distributions * 353*a1e26a70SApple OSS Distributions * Valid Type: CFM_TYPE_ACTION 354*a1e26a70SApple OSS Distributions * 355*a1e26a70SApple OSS Distributions * Valid Ops: CFM_OP_BLESS_CLIENT 356*a1e26a70SApple OSS Distributions */ 357*a1e26a70SApple OSS Distributions struct cfil_msg_bless_client { 358*a1e26a70SApple OSS Distributions struct cfil_msg_hdr cfb_msghdr; 359*a1e26a70SApple OSS Distributions uuid_t cfb_client_uuid; 360*a1e26a70SApple OSS Distributions }; 361*a1e26a70SApple OSS Distributions 362*a1e26a70SApple OSS Distributions /* 363*a1e26a70SApple OSS Distributions * struct cfil_msg_set_crypto_key 364*a1e26a70SApple OSS Distributions * 365*a1e26a70SApple OSS Distributions * Filter assigning client crypto key to CFIL for message signing 366*a1e26a70SApple OSS Distributions * 367*a1e26a70SApple OSS Distributions * Valid Type: CFM_TYPE_ACTION 368*a1e26a70SApple OSS Distributions * 369*a1e26a70SApple OSS Distributions * Valid Ops: CFM_OP_SET_CRYPTO_KEY 370*a1e26a70SApple OSS Distributions */ 371*a1e26a70SApple OSS Distributions struct cfil_msg_set_crypto_key { 372*a1e26a70SApple OSS Distributions struct cfil_msg_hdr cfb_msghdr; 373*a1e26a70SApple OSS Distributions cfil_crypto_key crypto_key; 374*a1e26a70SApple OSS Distributions }; 375*a1e26a70SApple OSS Distributions 376*a1e26a70SApple OSS Distributions #define CFM_MAX_OFFSET UINT64_MAX 377*a1e26a70SApple OSS Distributions 378*a1e26a70SApple OSS Distributions /* 379*a1e26a70SApple OSS Distributions * Statistics retrieved via sysctl(3) 380*a1e26a70SApple OSS Distributions */ 381*a1e26a70SApple OSS Distributions struct cfil_filter_stat { 382*a1e26a70SApple OSS Distributions uint32_t cfs_len; 383*a1e26a70SApple OSS Distributions uint32_t cfs_filter_id; 384*a1e26a70SApple OSS Distributions uint32_t cfs_flags; 385*a1e26a70SApple OSS Distributions uint32_t cfs_sock_count; 386*a1e26a70SApple OSS Distributions uint32_t cfs_necp_control_unit; 387*a1e26a70SApple OSS Distributions }; 388*a1e26a70SApple OSS Distributions 389*a1e26a70SApple OSS Distributions struct cfil_entry_stat { 390*a1e26a70SApple OSS Distributions uint32_t ces_len; 391*a1e26a70SApple OSS Distributions uint32_t ces_filter_id; 392*a1e26a70SApple OSS Distributions uint32_t ces_flags; 393*a1e26a70SApple OSS Distributions uint32_t ces_necp_control_unit; 394*a1e26a70SApple OSS Distributions struct timeval64 ces_last_event; 395*a1e26a70SApple OSS Distributions struct timeval64 ces_last_action; 396*a1e26a70SApple OSS Distributions struct cfe_buf_stat { 397*a1e26a70SApple OSS Distributions uint64_t cbs_pending_first; 398*a1e26a70SApple OSS Distributions uint64_t cbs_pending_last; 399*a1e26a70SApple OSS Distributions uint64_t cbs_ctl_first; 400*a1e26a70SApple OSS Distributions uint64_t cbs_ctl_last; 401*a1e26a70SApple OSS Distributions uint64_t cbs_pass_offset; 402*a1e26a70SApple OSS Distributions uint64_t cbs_peek_offset; 403*a1e26a70SApple OSS Distributions uint64_t cbs_peeked; 404*a1e26a70SApple OSS Distributions } ces_snd, ces_rcv; 405*a1e26a70SApple OSS Distributions }; 406*a1e26a70SApple OSS Distributions 407*a1e26a70SApple OSS Distributions struct cfil_sock_stat { 408*a1e26a70SApple OSS Distributions uint32_t cfs_len; 409*a1e26a70SApple OSS Distributions int cfs_sock_family; 410*a1e26a70SApple OSS Distributions int cfs_sock_type; 411*a1e26a70SApple OSS Distributions int cfs_sock_protocol; 412*a1e26a70SApple OSS Distributions cfil_sock_id_t cfs_sock_id; 413*a1e26a70SApple OSS Distributions uint64_t cfs_flags; 414*a1e26a70SApple OSS Distributions pid_t cfs_pid; 415*a1e26a70SApple OSS Distributions pid_t cfs_e_pid; 416*a1e26a70SApple OSS Distributions uuid_t cfs_uuid; 417*a1e26a70SApple OSS Distributions uuid_t cfs_e_uuid; 418*a1e26a70SApple OSS Distributions struct cfi_buf_stat { 419*a1e26a70SApple OSS Distributions uint64_t cbs_pending_first; 420*a1e26a70SApple OSS Distributions uint64_t cbs_pending_last; 421*a1e26a70SApple OSS Distributions uint64_t cbs_pass_offset; 422*a1e26a70SApple OSS Distributions uint64_t cbs_inject_q_len; 423*a1e26a70SApple OSS Distributions } cfs_snd, cfs_rcv; 424*a1e26a70SApple OSS Distributions struct cfil_entry_stat ces_entries[CFIL_MAX_FILTER_COUNT]; 425*a1e26a70SApple OSS Distributions }; 426*a1e26a70SApple OSS Distributions 427*a1e26a70SApple OSS Distributions /* 428*a1e26a70SApple OSS Distributions * Global statistics 429*a1e26a70SApple OSS Distributions */ 430*a1e26a70SApple OSS Distributions struct cfil_stats { 431*a1e26a70SApple OSS Distributions int32_t cfs_ctl_connect_ok; 432*a1e26a70SApple OSS Distributions int32_t cfs_ctl_connect_fail; 433*a1e26a70SApple OSS Distributions int32_t cfs_ctl_disconnect_ok; 434*a1e26a70SApple OSS Distributions int32_t cfs_ctl_disconnect_fail; 435*a1e26a70SApple OSS Distributions int32_t cfs_ctl_send_ok; 436*a1e26a70SApple OSS Distributions int32_t cfs_ctl_send_bad; 437*a1e26a70SApple OSS Distributions int32_t cfs_ctl_rcvd_ok; 438*a1e26a70SApple OSS Distributions int32_t cfs_ctl_rcvd_bad; 439*a1e26a70SApple OSS Distributions int32_t cfs_ctl_rcvd_flow_lift; 440*a1e26a70SApple OSS Distributions int32_t cfs_ctl_action_data_update; 441*a1e26a70SApple OSS Distributions int32_t cfs_ctl_action_drop; 442*a1e26a70SApple OSS Distributions int32_t cfs_ctl_action_bad_op; 443*a1e26a70SApple OSS Distributions int32_t cfs_ctl_action_bad_len; 444*a1e26a70SApple OSS Distributions 445*a1e26a70SApple OSS Distributions int32_t cfs_sock_id_not_found; 446*a1e26a70SApple OSS Distributions 447*a1e26a70SApple OSS Distributions int32_t cfs_cfi_alloc_ok; 448*a1e26a70SApple OSS Distributions int32_t cfs_cfi_alloc_fail; 449*a1e26a70SApple OSS Distributions 450*a1e26a70SApple OSS Distributions int32_t cfs_sock_userspace_only; 451*a1e26a70SApple OSS Distributions int32_t cfs_sock_attach_in_vain; 452*a1e26a70SApple OSS Distributions int32_t cfs_sock_attach_already; 453*a1e26a70SApple OSS Distributions int32_t cfs_sock_attach_no_mem; 454*a1e26a70SApple OSS Distributions int32_t cfs_sock_attach_failed; 455*a1e26a70SApple OSS Distributions int32_t cfs_sock_attached; 456*a1e26a70SApple OSS Distributions int32_t cfs_sock_detached; 457*a1e26a70SApple OSS Distributions 458*a1e26a70SApple OSS Distributions int32_t cfs_attach_event_ok; 459*a1e26a70SApple OSS Distributions int32_t cfs_attach_event_flow_control; 460*a1e26a70SApple OSS Distributions int32_t cfs_attach_event_fail; 461*a1e26a70SApple OSS Distributions 462*a1e26a70SApple OSS Distributions int32_t cfs_closed_event_ok; 463*a1e26a70SApple OSS Distributions int32_t cfs_closed_event_flow_control; 464*a1e26a70SApple OSS Distributions int32_t cfs_closed_event_fail; 465*a1e26a70SApple OSS Distributions 466*a1e26a70SApple OSS Distributions int32_t cfs_data_event_ok; 467*a1e26a70SApple OSS Distributions int32_t cfs_data_event_flow_control; 468*a1e26a70SApple OSS Distributions int32_t cfs_data_event_fail; 469*a1e26a70SApple OSS Distributions 470*a1e26a70SApple OSS Distributions int32_t cfs_stats_event_ok; 471*a1e26a70SApple OSS Distributions int32_t cfs_stats_event_flow_control; 472*a1e26a70SApple OSS Distributions int32_t cfs_stats_event_fail; 473*a1e26a70SApple OSS Distributions 474*a1e26a70SApple OSS Distributions int32_t cfs_disconnect_in_event_ok; 475*a1e26a70SApple OSS Distributions int32_t cfs_disconnect_out_event_ok; 476*a1e26a70SApple OSS Distributions int32_t cfs_disconnect_event_flow_control; 477*a1e26a70SApple OSS Distributions int32_t cfs_disconnect_event_fail; 478*a1e26a70SApple OSS Distributions 479*a1e26a70SApple OSS Distributions int32_t cfs_ctl_q_not_started; 480*a1e26a70SApple OSS Distributions 481*a1e26a70SApple OSS Distributions int32_t cfs_close_wait; 482*a1e26a70SApple OSS Distributions int32_t cfs_close_wait_timeout; 483*a1e26a70SApple OSS Distributions 484*a1e26a70SApple OSS Distributions int32_t cfs_flush_in_drop; 485*a1e26a70SApple OSS Distributions int32_t cfs_flush_out_drop; 486*a1e26a70SApple OSS Distributions int32_t cfs_flush_in_close; 487*a1e26a70SApple OSS Distributions int32_t cfs_flush_out_close; 488*a1e26a70SApple OSS Distributions int32_t cfs_flush_in_free; 489*a1e26a70SApple OSS Distributions int32_t cfs_flush_out_free; 490*a1e26a70SApple OSS Distributions 491*a1e26a70SApple OSS Distributions int32_t cfs_inject_q_nomem; 492*a1e26a70SApple OSS Distributions int32_t cfs_inject_q_nobufs; 493*a1e26a70SApple OSS Distributions int32_t cfs_inject_q_detached; 494*a1e26a70SApple OSS Distributions int32_t cfs_inject_q_in_fail; 495*a1e26a70SApple OSS Distributions int32_t cfs_inject_q_out_fail; 496*a1e26a70SApple OSS Distributions 497*a1e26a70SApple OSS Distributions int32_t cfs_inject_q_in_retry; 498*a1e26a70SApple OSS Distributions int32_t cfs_inject_q_out_retry; 499*a1e26a70SApple OSS Distributions 500*a1e26a70SApple OSS Distributions int32_t cfs_data_in_control; 501*a1e26a70SApple OSS Distributions int32_t cfs_data_in_oob; 502*a1e26a70SApple OSS Distributions int32_t cfs_data_out_control; 503*a1e26a70SApple OSS Distributions int32_t cfs_data_out_oob; 504*a1e26a70SApple OSS Distributions 505*a1e26a70SApple OSS Distributions int64_t cfs_ctl_q_in_enqueued __attribute__((aligned(8))); 506*a1e26a70SApple OSS Distributions int64_t cfs_ctl_q_out_enqueued __attribute__((aligned(8))); 507*a1e26a70SApple OSS Distributions int64_t cfs_ctl_q_in_peeked __attribute__((aligned(8))); 508*a1e26a70SApple OSS Distributions int64_t cfs_ctl_q_out_peeked __attribute__((aligned(8))); 509*a1e26a70SApple OSS Distributions 510*a1e26a70SApple OSS Distributions int64_t cfs_pending_q_in_enqueued __attribute__((aligned(8))); 511*a1e26a70SApple OSS Distributions int64_t cfs_pending_q_out_enqueued __attribute__((aligned(8))); 512*a1e26a70SApple OSS Distributions 513*a1e26a70SApple OSS Distributions int64_t cfs_inject_q_in_enqueued __attribute__((aligned(8))); 514*a1e26a70SApple OSS Distributions int64_t cfs_inject_q_out_enqueued __attribute__((aligned(8))); 515*a1e26a70SApple OSS Distributions int64_t cfs_inject_q_in_passed __attribute__((aligned(8))); 516*a1e26a70SApple OSS Distributions int64_t cfs_inject_q_out_passed __attribute__((aligned(8))); 517*a1e26a70SApple OSS Distributions }; 518*a1e26a70SApple OSS Distributions #endif /* PRIVATE */ 519*a1e26a70SApple OSS Distributions 520*a1e26a70SApple OSS Distributions #ifdef BSD_KERNEL_PRIVATE 521*a1e26a70SApple OSS Distributions 522*a1e26a70SApple OSS Distributions #define M_SKIPCFIL M_PROTO5 523*a1e26a70SApple OSS Distributions 524*a1e26a70SApple OSS Distributions extern uint32_t cfil_active_count; 525*a1e26a70SApple OSS Distributions /* 526*a1e26a70SApple OSS Distributions * Check if flows on socket should be filtered 527*a1e26a70SApple OSS Distributions */ 528*a1e26a70SApple OSS Distributions #define CFIL_DGRAM_HAS_FILTERED_FLOWS(so) ((so->so_flags & SOF_CONTENT_FILTER) && (so->so_flow_db != NULL)) 529*a1e26a70SApple OSS Distributions #define CFIL_DGRAM_FILTERED(so) (!IS_TCP(so) && (cfil_active_count > 0) && (CFIL_DGRAM_HAS_FILTERED_FLOWS(so) || necp_socket_get_content_filter_control_unit(so))) 530*a1e26a70SApple OSS Distributions 531*a1e26a70SApple OSS Distributions extern int cfil_log_level; 532*a1e26a70SApple OSS Distributions 533*a1e26a70SApple OSS Distributions #define CFIL_LOG(level, fmt, ...) \ 534*a1e26a70SApple OSS Distributions do { \ 535*a1e26a70SApple OSS Distributions if (cfil_log_level >= level) \ 536*a1e26a70SApple OSS Distributions os_log(OS_LOG_DEFAULT, "%s:%d " fmt "\n",\ 537*a1e26a70SApple OSS Distributions __FUNCTION__, __LINE__, ##__VA_ARGS__); \ 538*a1e26a70SApple OSS Distributions } while (0) 539*a1e26a70SApple OSS Distributions 540*a1e26a70SApple OSS Distributions 541*a1e26a70SApple OSS Distributions extern void cfil_register_m_tag(void); 542*a1e26a70SApple OSS Distributions 543*a1e26a70SApple OSS Distributions extern void cfil_init(void); 544*a1e26a70SApple OSS Distributions 545*a1e26a70SApple OSS Distributions extern boolean_t cfil_filter_present(void); 546*a1e26a70SApple OSS Distributions extern boolean_t cfil_sock_connected_pending_verdict(struct socket *so); 547*a1e26a70SApple OSS Distributions extern boolean_t cfil_sock_is_dead(struct socket *so); 548*a1e26a70SApple OSS Distributions extern boolean_t cfil_sock_tcp_add_time_wait(struct socket *so); 549*a1e26a70SApple OSS Distributions extern errno_t cfil_sock_attach(struct socket *so, 550*a1e26a70SApple OSS Distributions struct sockaddr *local, struct sockaddr *remote, int dir); 551*a1e26a70SApple OSS Distributions extern errno_t cfil_sock_detach(struct socket *so); 552*a1e26a70SApple OSS Distributions 553*a1e26a70SApple OSS Distributions extern int cfil_sock_data_out(struct socket *so, struct sockaddr *to, 554*a1e26a70SApple OSS Distributions struct mbuf *data, struct mbuf *control, 555*a1e26a70SApple OSS Distributions uint32_t flags, struct soflow_hash_entry *); 556*a1e26a70SApple OSS Distributions extern int cfil_sock_data_in(struct socket *so, struct sockaddr *from, 557*a1e26a70SApple OSS Distributions struct mbuf *data, struct mbuf *control, 558*a1e26a70SApple OSS Distributions uint32_t flags, struct soflow_hash_entry *); 559*a1e26a70SApple OSS Distributions 560*a1e26a70SApple OSS Distributions extern int cfil_sock_shutdown(struct socket *so, int *how); 561*a1e26a70SApple OSS Distributions extern void cfil_sock_is_closed(struct socket *so); 562*a1e26a70SApple OSS Distributions extern void cfil_sock_notify_shutdown(struct socket *so, int how); 563*a1e26a70SApple OSS Distributions extern void cfil_sock_close_wait(struct socket *so); 564*a1e26a70SApple OSS Distributions 565*a1e26a70SApple OSS Distributions extern boolean_t cfil_sock_data_pending(struct sockbuf *sb); 566*a1e26a70SApple OSS Distributions extern int cfil_sock_data_space(struct sockbuf *sb); 567*a1e26a70SApple OSS Distributions extern void cfil_sock_buf_update(struct sockbuf *sb); 568*a1e26a70SApple OSS Distributions 569*a1e26a70SApple OSS Distributions extern cfil_sock_id_t cfil_sock_id_from_socket(struct socket *so); 570*a1e26a70SApple OSS Distributions extern cfil_sock_id_t cfil_sock_id_from_datagram_socket(struct socket *so, struct sockaddr *local, struct sockaddr *remote); 571*a1e26a70SApple OSS Distributions 572*a1e26a70SApple OSS Distributions extern struct m_tag *cfil_dgram_get_socket_state(struct mbuf *m, uint32_t *state_change_cnt, 573*a1e26a70SApple OSS Distributions uint32_t *options, struct sockaddr **faddr, int *inp_flags); 574*a1e26a70SApple OSS Distributions extern boolean_t cfil_dgram_peek_socket_state(struct mbuf *m, int *inp_flags); 575*a1e26a70SApple OSS Distributions 576*a1e26a70SApple OSS Distributions #endif /* BSD_KERNEL_PRIVATE */ 577*a1e26a70SApple OSS Distributions 578*a1e26a70SApple OSS Distributions __END_DECLS 579*a1e26a70SApple OSS Distributions 580*a1e26a70SApple OSS Distributions #endif /* __CONTENT_FILTER_H__ */ 581