xnu-11417.121.6/security/mac_vfs.c

*a1e26a70SApple OSS Distributions/*
*a1e26a70SApple OSS Distributions * Copyright (c) 2007-2016 Apple Inc. All rights reserved.
*a1e26a70SApple OSS Distributions *
*a1e26a70SApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*a1e26a70SApple OSS Distributions *
*a1e26a70SApple OSS Distributions * This file contains Original Code and/or Modifications of Original Code
*a1e26a70SApple OSS Distributions * as defined in and that are subject to the Apple Public Source License
*a1e26a70SApple OSS Distributions * Version 2.0 (the 'License'). You may not use this file except in
*a1e26a70SApple OSS Distributions * compliance with the License. The rights granted to you under the License
*a1e26a70SApple OSS Distributions * may not be used to create, or enable the creation or redistribution of,
*a1e26a70SApple OSS Distributions * unlawful or unlicensed copies of an Apple operating system, or to
*a1e26a70SApple OSS Distributions * circumvent, violate, or enable the circumvention or violation of, any
*a1e26a70SApple OSS Distributions * terms of an Apple operating system software license agreement.
*a1e26a70SApple OSS Distributions *
*a1e26a70SApple OSS Distributions * Please obtain a copy of the License at
*a1e26a70SApple OSS Distributions * http://www.opensource.apple.com/apsl/ and read it before using this file.
*a1e26a70SApple OSS Distributions *
*a1e26a70SApple OSS Distributions * The Original Code and all software distributed under the License are
*a1e26a70SApple OSS Distributions * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
*a1e26a70SApple OSS Distributions * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
*a1e26a70SApple OSS Distributions * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
*a1e26a70SApple OSS Distributions * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
*a1e26a70SApple OSS Distributions * Please see the License for the specific language governing rights and
*a1e26a70SApple OSS Distributions * limitations under the License.
*a1e26a70SApple OSS Distributions *
*a1e26a70SApple OSS Distributions * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*a1e26a70SApple OSS Distributions */
*a1e26a70SApple OSS Distributions/*-
*a1e26a70SApple OSS Distributions * Copyright (c) 1999, 2000, 2001, 2002 Robert N. M. Watson
*a1e26a70SApple OSS Distributions * Copyright (c) 2001 Ilmar S. Habibulin
*a1e26a70SApple OSS Distributions * Copyright (c) 2001, 2002, 2003, 2004 Networks Associates Technology, Inc.
*a1e26a70SApple OSS Distributions * Copyright (c) 2005 SPARTA, Inc.
*a1e26a70SApple OSS Distributions *
*a1e26a70SApple OSS Distributions * This software was developed by Robert Watson and Ilmar Habibulin for the
*a1e26a70SApple OSS Distributions * TrustedBSD Project.
*a1e26a70SApple OSS Distributions *
*a1e26a70SApple OSS Distributions * This software was developed for the FreeBSD Project in part by Network
*a1e26a70SApple OSS Distributions * Associates Laboratories, the Security Research Division of Network
*a1e26a70SApple OSS Distributions * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
*a1e26a70SApple OSS Distributions * as part of the DARPA CHATS research program.
*a1e26a70SApple OSS Distributions *
*a1e26a70SApple OSS Distributions * Redistribution and use in source and binary forms, with or without
*a1e26a70SApple OSS Distributions * modification, are permitted provided that the following conditions
*a1e26a70SApple OSS Distributions * are met:
*a1e26a70SApple OSS Distributions * 1. Redistributions of source code must retain the above copyright
*a1e26a70SApple OSS Distributions *    notice, this list of conditions and the following disclaimer.
*a1e26a70SApple OSS Distributions * 2. Redistributions in binary form must reproduce the above copyright
*a1e26a70SApple OSS Distributions *    notice, this list of conditions and the following disclaimer in the
*a1e26a70SApple OSS Distributions *    documentation and/or other materials provided with the distribution.
*a1e26a70SApple OSS Distributions *
*a1e26a70SApple OSS Distributions * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
*a1e26a70SApple OSS Distributions * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
*a1e26a70SApple OSS Distributions * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
*a1e26a70SApple OSS Distributions * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
*a1e26a70SApple OSS Distributions * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
*a1e26a70SApple OSS Distributions * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
*a1e26a70SApple OSS Distributions * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
*a1e26a70SApple OSS Distributions * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
*a1e26a70SApple OSS Distributions * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
*a1e26a70SApple OSS Distributions * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
*a1e26a70SApple OSS Distributions * SUCH DAMAGE.
*a1e26a70SApple OSS Distributions *
*a1e26a70SApple OSS Distributions */
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#include <kern/kalloc.h>
*a1e26a70SApple OSS Distributions#include <libkern/OSAtomic.h>
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#include <sys/param.h>
*a1e26a70SApple OSS Distributions#include <sys/systm.h>
*a1e26a70SApple OSS Distributions#include <sys/kernel.h>
*a1e26a70SApple OSS Distributions#include <sys/proc.h>
*a1e26a70SApple OSS Distributions#include <sys/kauth.h>
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#include <sys/file_internal.h>
*a1e26a70SApple OSS Distributions#include <sys/imgact.h>
*a1e26a70SApple OSS Distributions#include <sys/namei.h>
*a1e26a70SApple OSS Distributions#include <sys/mount_internal.h>
*a1e26a70SApple OSS Distributions#include <sys/pipe.h>
*a1e26a70SApple OSS Distributions#include <sys/posix_sem.h>
*a1e26a70SApple OSS Distributions#include <sys/posix_shm.h>
*a1e26a70SApple OSS Distributions#include <sys/reason.h>
*a1e26a70SApple OSS Distributions#include <sys/uio_internal.h>
*a1e26a70SApple OSS Distributions#include <sys/vnode_internal.h>
*a1e26a70SApple OSS Distributions#include <sys/kdebug.h>
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#include <miscfs/devfs/devfsdefs.h>
*a1e26a70SApple OSS Distributions#include <miscfs/devfs/fdesc.h>
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#include <security/mac_internal.h>
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions/* convert {R,W,X}_OK values to V{READ,WRITE,EXEC} */
*a1e26a70SApple OSS Distributions#define ACCESS_MODE_TO_VNODE_MASK(m)    (m << 6)
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions/*
*a1e26a70SApple OSS Distributions * Optional tracing of policy operations. Define VFS_TRACE_POLICY_OPS to trace the operations.
*a1e26a70SApple OSS Distributions *
*a1e26a70SApple OSS Distributions * Along with DBG_FSYSTEM and DBG_VFS, dcode in the macros below is used to construct
*a1e26a70SApple OSS Distributions * KDBG_EVENTID(DBG_FSYSTEM, DBG_VFS, dcode) global event id, see bsd/sys/kdebug.h.
*a1e26a70SApple OSS Distributions * Note that dcode is multiplied by 4 and ORed as part of the construction. See bsd/kern/trace_codes
*a1e26a70SApple OSS Distributions * for list of system-wide {global event id, name} pairs. Currently DBG_VFS event ids are in range
*a1e26a70SApple OSS Distributions * [0x3130000, 0x3130198].
*a1e26a70SApple OSS Distributions */
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions//#define VFS_TRACE_POLICY_OPS
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#ifdef VFS_TRACE_POLICY_OPS
*a1e26a70SApple OSS Distributions#define DBG_VFS_CODE(dcode)                     FSDBG_CODE(DBG_VFS, dcode)
*a1e26a70SApple OSS Distributions#define VFS_KERNEL_DEBUG_START0(dcode)          KERNEL_DEBUG_CONSTANT(DBG_VFS_CODE(dcode) | DBG_FUNC_START, 0, 0, 0, 0, 0)
*a1e26a70SApple OSS Distributions#define VFS_KERNEL_DEBUG_END0(dcode)            KERNEL_DEBUG_CONSTANT(DBG_VFS_CODE(dcode) | DBG_FUNC_END, 0, 0, 0, 0, 0)
*a1e26a70SApple OSS Distributions#define VFS_KERNEL_DEBUG_START1(dcode, darg)    KERNEL_DEBUG_CONSTANT(DBG_VFS_CODE(dcode) | DBG_FUNC_START, darg, 0, 0, 0, 0)
*a1e26a70SApple OSS Distributions#define VFS_KERNEL_DEBUG_END1(dcode, darg)      KERNEL_DEBUG_CONSTANT(DBG_VFS_CODE(dcode) | DBG_FUNC_END, darg, 0, 0, 0, 0)
*a1e26a70SApple OSS Distributions#else
*a1e26a70SApple OSS Distributions#define VFS_KERNEL_DEBUG_START0(dcode)          do {} while (0)
*a1e26a70SApple OSS Distributions#define VFS_KERNEL_DEBUG_END0(dcode)            do {} while (0)
*a1e26a70SApple OSS Distributions#define VFS_KERNEL_DEBUG_START1(dcode, darg)    do {} while (0)
*a1e26a70SApple OSS Distributions#define VFS_KERNEL_DEBUG_END1(dcode, darg)      do {} while (0)
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_devfs_label_init(struct devnode *de)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	mac_labelzone_alloc_owned(&de->dn_label, MAC_WAITOK, ^(struct label *label) {
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_START0(0);
*a1e26a70SApple OSS Distributions		MAC_PERFORM(devfs_label_init, label);
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_END0(0);
*a1e26a70SApple OSS Distributions	});
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsstruct label *
*a1e26a70SApple OSS Distributionsmac_devfs_label(struct devnode *de)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	return mac_label_verify(&de->dn_label);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_devfs_label_destroy(struct devnode *de)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	mac_labelzone_free_owned(&de->dn_label, ^(struct label *label) {
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_START1(3, label);
*a1e26a70SApple OSS Distributions		MAC_PERFORM(devfs_label_destroy, label);
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_END1(3, label);
*a1e26a70SApple OSS Distributions	});
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_mount_label_init(struct mount *mp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	mac_labelzone_alloc_owned(&mp->mnt_mntlabel, MAC_WAITOK, ^(struct label *label) {
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_START0(1);
*a1e26a70SApple OSS Distributions		MAC_PERFORM(mount_label_init, label);
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_END0(1);
*a1e26a70SApple OSS Distributions	});
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsstruct label *
*a1e26a70SApple OSS Distributionsmac_mount_label(struct mount *mp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	return mac_label_verify(&mp->mnt_mntlabel);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_mount_label_destroy(struct mount *mp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	mac_labelzone_free_owned(&mp->mnt_mntlabel, ^(struct label *label) {
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_START1(4, label);
*a1e26a70SApple OSS Distributions		MAC_PERFORM(mount_label_destroy, label);
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_END1(4, label);
*a1e26a70SApple OSS Distributions	});
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsstruct label *
*a1e26a70SApple OSS Distributionsmac_vnode_label_alloc(vnode_t vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	return mac_labelzone_alloc_for_owner(vp ? &vp->v_label : NULL, MAC_WAITOK, ^(struct label *label) {
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_START0(2);
*a1e26a70SApple OSS Distributions		MAC_PERFORM(vnode_label_init, label);
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_END0(2);
*a1e26a70SApple OSS Distributions		OSIncrementAtomic(&mac_vnode_label_count);
*a1e26a70SApple OSS Distributions	});
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_label_init(vnode_t vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	struct label *label;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	label = mac_vnode_label_alloc(vp);
*a1e26a70SApple OSS Distributions	vp->v_label = label;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsstruct label *
*a1e26a70SApple OSS Distributionsmac_vnode_label(vnode_t vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	return mac_label_verify(&vp->v_label);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsstatic void
*a1e26a70SApple OSS Distributionsmac_vnode_label_cleanup(struct label *label)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(5, label);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_label_destroy, label);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(5, label);
*a1e26a70SApple OSS Distributions	OSDecrementAtomic(&mac_vnode_label_count);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_label_free(struct label *label)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	if (label != NULL) {
*a1e26a70SApple OSS Distributions		mac_vnode_label_cleanup(label);
*a1e26a70SApple OSS Distributions		mac_labelzone_free(label);
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_label_destroy(struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	mac_labelzone_free_owned(&vp->v_label, ^(struct label *label) {
*a1e26a70SApple OSS Distributions		mac_vnode_label_cleanup(label);
*a1e26a70SApple OSS Distributions	});
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_label_init_needed(vnode_t vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions#if CONFIG_MACF_LAZY_VNODE_LABELS
*a1e26a70SApple OSS Distributions	(void)vp;
*a1e26a70SApple OSS Distributions	return false;
*a1e26a70SApple OSS Distributions#else
*a1e26a70SApple OSS Distributions	return mac_label_vnodes != 0 && mac_vnode_label(vp) == NULL;
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsstruct label *
*a1e26a70SApple OSS Distributionsmac_vnode_label_allocate(vnode_t vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	if (mac_vnode_label_init_needed(vp)) {
*a1e26a70SApple OSS Distributions		mac_vnode_label_init(vp);
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	return mac_vnode_label(vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions/*
*a1e26a70SApple OSS Distributions * vnode labels are allocated at the same time as vnodes, but vnodes are never
*a1e26a70SApple OSS Distributions * freed.  Instead, we want to remove any sensitive information before putting
*a1e26a70SApple OSS Distributions * them on the free list for reuse.
*a1e26a70SApple OSS Distributions */
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_label_recycle(vnode_t vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	struct label *v_label = mac_vnode_label(vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_label_recycle, v_label);
*a1e26a70SApple OSS Distributions#if CONFIG_MACF_LAZY_VNODE_LABELS
*a1e26a70SApple OSS Distributions	if (v_label) {
*a1e26a70SApple OSS Distributions		mac_vnode_label_destroy(vp);
*a1e26a70SApple OSS Distributions		vp->v_lflag &= ~VL_LABELED;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_label_copy(struct label *src, struct label *dest)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(6, src);
*a1e26a70SApple OSS Distributions	if (src == NULL) {
*a1e26a70SApple OSS Distributions		MAC_PERFORM(vnode_label_init, dest);
*a1e26a70SApple OSS Distributions	} else {
*a1e26a70SApple OSS Distributions		MAC_PERFORM(vnode_label_copy, src, dest);
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(6, src);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_label_externalize_audit(struct vnode *vp, struct mac *mac)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/* It is assumed that any necessary vnode locking is done on entry */
*a1e26a70SApple OSS Distributions	error = MAC_EXTERNALIZE_AUDIT(vnode, mac_vnode_label(vp),
*a1e26a70SApple OSS Distributions	    mac->m_string, mac->m_buflen);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_label_externalize(struct label *label, char *elements,
*a1e26a70SApple OSS Distributions    char *outbuf, size_t outbuflen, int flags __unused)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	error = MAC_EXTERNALIZE(vnode, label, elements, outbuf, outbuflen);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_label_internalize(struct label *label, char *string)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	error = MAC_INTERNALIZE(vnode, label, string);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_label_internalize(struct label *label, char *string)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	error = MAC_INTERNALIZE(mount, label, string);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_label_externalize(struct label *label, char *elements,
*a1e26a70SApple OSS Distributions    char *outbuf, size_t outbuflen)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	error = MAC_EXTERNALIZE(mount, label, elements, outbuf, outbuflen);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_devfs_label_copy(struct label *src, struct label *dest)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_device_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(7, src);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(devfs_label_copy, src, dest);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(7, src);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_devfs_label_update(struct mount *mp, struct devnode *de,
*a1e26a70SApple OSS Distributions    struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_device_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(8, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(devfs_label_update, mp, de, mac_devfs_label(de), vp,
*a1e26a70SApple OSS Distributions	    mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(8, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_label_associate(struct mount *mp, struct vnode *vp, vfs_context_t ctx)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	struct devnode *dnp;
*a1e26a70SApple OSS Distributions	struct fdescnode *fnp;
*a1e26a70SApple OSS Distributions	int error = 0;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return error;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/* XXX: should not inspect v_tag in kernel! */
*a1e26a70SApple OSS Distributions	switch (vp->v_tag) {
*a1e26a70SApple OSS Distributions	case VT_DEVFS:
*a1e26a70SApple OSS Distributions		dnp = VTODN(vp);
*a1e26a70SApple OSS Distributions		mac_vnode_label_associate_devfs(mp, dnp, vp);
*a1e26a70SApple OSS Distributions		break;
*a1e26a70SApple OSS Distributions	case VT_FDESC:
*a1e26a70SApple OSS Distributions		fnp = VTOFDESC(vp);
*a1e26a70SApple OSS Distributions		error = mac_vnode_label_associate_fdesc(mp, fnp, vp, ctx);
*a1e26a70SApple OSS Distributions		break;
*a1e26a70SApple OSS Distributions	default:
*a1e26a70SApple OSS Distributions		error = mac_vnode_label_associate_extattr(mp, vp);
*a1e26a70SApple OSS Distributions		break;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_label_associate_devfs(struct mount *mp, struct devnode *de,
*a1e26a70SApple OSS Distributions    struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_device_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(9, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_label_associate_devfs,
*a1e26a70SApple OSS Distributions	    mp, mp ? mac_mount_label(mp) : NULL,
*a1e26a70SApple OSS Distributions	    de, mac_devfs_label(de),
*a1e26a70SApple OSS Distributions	    vp, mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(9, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_label_associate_extattr(struct mount *mp, struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(10, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_label_associate_extattr, mp, mac_mount_label(mp), vp,
*a1e26a70SApple OSS Distributions	    mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(10, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_label_associate_singlelabel(struct mount *mp, struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	if (!mac_label_vnodes) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(11, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_label_associate_singlelabel, mp,
*a1e26a70SApple OSS Distributions	    mp ? mac_mount_label(mp) : NULL, vp, mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(11, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_notify_create(vfs_context_t ctx, struct mount *mp,
*a1e26a70SApple OSS Distributions    struct vnode *dvp, struct vnode *vp, struct componentname *cnp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(12, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_notify_create, cred, mp, mac_mount_label(mp),
*a1e26a70SApple OSS Distributions	    dvp, mac_vnode_label(dvp), vp, mac_vnode_label(vp), cnp);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(12, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_rename(vfs_context_t ctx, struct vnode *fvp,
*a1e26a70SApple OSS Distributions    struct vnode *tdvp, struct componentname *tcnp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(13, fvp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_rename, cred, fvp, mac_vnode_label(fvp), tdvp, mac_vnode_label(tdvp), tcnp);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(13, fvp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_open(vfs_context_t ctx, struct vnode *vp, int acc_flags)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(14, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_open, cred, vp, mac_vnode_label(vp), acc_flags);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(14, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_link(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    struct vnode *dvp, struct componentname *cnp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(15, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_link, cred, dvp, mac_vnode_label(dvp), vp, mac_vnode_label(vp), cnp);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(15, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_deleteextattr(vfs_context_t ctx, struct vnode *vp, const char *name)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(16, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_deleteextattr, cred, vp, mac_vnode_label(vp), name);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(16, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_setacl(vfs_context_t ctx, struct vnode *vp, struct kauth_acl *acl)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(17, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_setacl, cred, vp, mac_vnode_label(vp), acl);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(17, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_setattrlist(vfs_context_t ctx, struct vnode *vp, struct attrlist *alist)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(18, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_setattrlist, cred, vp, mac_vnode_label(vp), alist);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(18, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_setextattr(vfs_context_t ctx, struct vnode *vp, const char *name, struct uio *uio)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(19, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_setextattr, cred, vp, mac_vnode_label(vp), name, uio);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(19, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_setflags(vfs_context_t ctx, struct vnode *vp, u_long flags)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(20, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_setflags, cred, vp, mac_vnode_label(vp), flags);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(20, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_setmode(vfs_context_t ctx, struct vnode *vp, mode_t mode)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(21, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_setmode, cred, vp, mac_vnode_label(vp), mode);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(21, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_setowner(vfs_context_t ctx, struct vnode *vp, uid_t uid, gid_t gid)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(22, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_setowner, cred, vp, mac_vnode_label(vp), uid, gid);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(22, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_setutimes(vfs_context_t ctx, struct vnode *vp, struct timespec atime, struct timespec mtime)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(23, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_setutimes, cred, vp, mac_vnode_label(vp), atime, mtime);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(23, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_truncate(vfs_context_t ctx, kauth_cred_t file_cred, struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(24, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_truncate, cred, file_cred, vp, mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(24, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions/*
*a1e26a70SApple OSS Distributions * Extended attribute 'name' was updated via
*a1e26a70SApple OSS Distributions * vn_setxattr() or vn_removexattr().  Allow the
*a1e26a70SApple OSS Distributions * policy to update the vnode label.
*a1e26a70SApple OSS Distributions */
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_label_update_extattr(struct mount *mp, struct vnode *vp,
*a1e26a70SApple OSS Distributions    const char *name)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	int error = 0;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	if (!mac_label_vnodes) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(25, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_label_update_extattr, mp, mac_mount_label(mp), vp,
*a1e26a70SApple OSS Distributions	    mac_vnode_label(vp), name);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(25, vp);
*a1e26a70SApple OSS Distributions	if (error == 0) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	vnode_lock(vp);
*a1e26a70SApple OSS Distributions	vnode_relabel(vp);
*a1e26a70SApple OSS Distributions	vnode_unlock(vp);
*a1e26a70SApple OSS Distributions	return;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsstatic int
*a1e26a70SApple OSS Distributionsmac_vnode_label_store(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    struct label *intlabel)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	if (!mac_label_vnodes) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(26, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_label_store, cred, vp, mac_vnode_label(vp), intlabel);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(26, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_cred_label_update_execve(vfs_context_t ctx, kauth_cred_t new, struct vnode *vp, off_t offset,
*a1e26a70SApple OSS Distributions    struct vnode *scriptvp, struct label *scriptvnodelabel, struct label *execl, u_int *csflags,
*a1e26a70SApple OSS Distributions    void *macextensions, int *disjoint, int *labelupdateerror)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	*disjoint = 0;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions	posix_cred_t pcred = posix_cred_get(new);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_proc_enforce || !mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/* mark the new cred to indicate "matching" includes the label */
*a1e26a70SApple OSS Distributions	pcred->cr_flags |= CRF_MAC_ENFORCE;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/*
*a1e26a70SApple OSS Distributions	 * NB: Cannot use MAC_CHECK macro because we need a sequence point after
*a1e26a70SApple OSS Distributions	 *     calling exec_spawnattr_getmacpolicyinfo() and before passing the
*a1e26a70SApple OSS Distributions	 *     spawnattrlen as an argument to the hook.
*a1e26a70SApple OSS Distributions	 */
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(27, vp);
*a1e26a70SApple OSS Distributions	{
*a1e26a70SApple OSS Distributions		struct mac_policy_conf *mpc;
*a1e26a70SApple OSS Distributions		u_int i;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions		error = 0;
*a1e26a70SApple OSS Distributions		for (i = 0; i < mac_policy_list.staticmax; i++) {
*a1e26a70SApple OSS Distributions			mpc = mac_policy_list.entries[i].mpc;
*a1e26a70SApple OSS Distributions			if (mpc == NULL) {
*a1e26a70SApple OSS Distributions				continue;
*a1e26a70SApple OSS Distributions			}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions			mpo_cred_label_update_execve_t *hook = mpc->mpc_ops->mpo_cred_label_update_execve;
*a1e26a70SApple OSS Distributions			if (hook == NULL) {
*a1e26a70SApple OSS Distributions				continue;
*a1e26a70SApple OSS Distributions			}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions			size_t spawnattrlen = 0;
*a1e26a70SApple OSS Distributions			void *spawnattr = exec_spawnattr_getmacpolicyinfo(macextensions, mpc->mpc_name, &spawnattrlen);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions			error = mac_error_select(hook(cred, new, vfs_context_proc(ctx), vp, offset, scriptvp,
*a1e26a70SApple OSS Distributions			    mac_vnode_label(vp), scriptvnodelabel, execl, csflags, spawnattr, spawnattrlen, disjoint),
*a1e26a70SApple OSS Distributions			    error);
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions		if (mac_policy_list_conditional_busy() != 0) {
*a1e26a70SApple OSS Distributions			for (; i <= mac_policy_list.maxindex; i++) {
*a1e26a70SApple OSS Distributions				mpc = mac_policy_list.entries[i].mpc;
*a1e26a70SApple OSS Distributions				if (mpc == NULL) {
*a1e26a70SApple OSS Distributions					continue;
*a1e26a70SApple OSS Distributions				}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions				mpo_cred_label_update_execve_t *hook = mpc->mpc_ops->mpo_cred_label_update_execve;
*a1e26a70SApple OSS Distributions				if (hook == NULL) {
*a1e26a70SApple OSS Distributions					continue;
*a1e26a70SApple OSS Distributions				}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions				size_t spawnattrlen = 0;
*a1e26a70SApple OSS Distributions				void *spawnattr = exec_spawnattr_getmacpolicyinfo(macextensions, mpc->mpc_name, &spawnattrlen);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions				error = mac_error_select(hook(cred, new, vfs_context_proc(ctx), vp, offset, scriptvp,
*a1e26a70SApple OSS Distributions				    mac_vnode_label(vp), scriptvnodelabel, execl, csflags, spawnattr, spawnattrlen, disjoint),
*a1e26a70SApple OSS Distributions				    error);
*a1e26a70SApple OSS Distributions			}
*a1e26a70SApple OSS Distributions			mac_policy_list_unbusy();
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	*labelupdateerror = error;
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(27, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_cred_check_label_update_execve(vfs_context_t ctx, struct vnode *vp, off_t offset,
*a1e26a70SApple OSS Distributions    struct vnode *scriptvp, struct label *scriptvnodelabel, struct label *execlabel,
*a1e26a70SApple OSS Distributions    struct proc *p, void *macextensions)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int result = 0;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_proc_enforce || !mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return result;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(28, vp);
*a1e26a70SApple OSS Distributions	/*
*a1e26a70SApple OSS Distributions	 * NB: Cannot use MAC_BOOLEAN macro because we need a sequence point after
*a1e26a70SApple OSS Distributions	 *     calling exec_spawnattr_getmacpolicyinfo() and before passing the
*a1e26a70SApple OSS Distributions	 *     spawnattrlen as an argument to the hook.
*a1e26a70SApple OSS Distributions	 */
*a1e26a70SApple OSS Distributions	{
*a1e26a70SApple OSS Distributions		struct mac_policy_conf *mpc;
*a1e26a70SApple OSS Distributions		u_int i;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions		for (i = 0; i < mac_policy_list.staticmax; i++) {
*a1e26a70SApple OSS Distributions			mpc = mac_policy_list.entries[i].mpc;
*a1e26a70SApple OSS Distributions			if (mpc == NULL) {
*a1e26a70SApple OSS Distributions				continue;
*a1e26a70SApple OSS Distributions			}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions			mpo_cred_check_label_update_execve_t *hook = mpc->mpc_ops->mpo_cred_check_label_update_execve;
*a1e26a70SApple OSS Distributions			if (hook == NULL) {
*a1e26a70SApple OSS Distributions				continue;
*a1e26a70SApple OSS Distributions			}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions			size_t spawnattrlen = 0;
*a1e26a70SApple OSS Distributions			void *spawnattr = exec_spawnattr_getmacpolicyinfo(macextensions, mpc->mpc_name, &spawnattrlen);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions			result = result || hook(cred, vp, offset, scriptvp, mac_vnode_label(vp), scriptvnodelabel, execlabel, p, spawnattr, spawnattrlen);
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions		if (mac_policy_list_conditional_busy() != 0) {
*a1e26a70SApple OSS Distributions			for (; i <= mac_policy_list.maxindex; i++) {
*a1e26a70SApple OSS Distributions				mpc = mac_policy_list.entries[i].mpc;
*a1e26a70SApple OSS Distributions				if (mpc == NULL) {
*a1e26a70SApple OSS Distributions					continue;
*a1e26a70SApple OSS Distributions				}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions				mpo_cred_check_label_update_execve_t *hook = mpc->mpc_ops->mpo_cred_check_label_update_execve;
*a1e26a70SApple OSS Distributions				if (hook == NULL) {
*a1e26a70SApple OSS Distributions					continue;
*a1e26a70SApple OSS Distributions				}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions				size_t spawnattrlen = 0;
*a1e26a70SApple OSS Distributions				void *spawnattr = exec_spawnattr_getmacpolicyinfo(macextensions, mpc->mpc_name, &spawnattrlen);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions				result = result || hook(cred, vp, offset, scriptvp, mac_vnode_label(vp), scriptvnodelabel, execlabel, p, spawnattr, spawnattrlen);
*a1e26a70SApple OSS Distributions			}
*a1e26a70SApple OSS Distributions			mac_policy_list_unbusy();
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(28, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return result;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_access(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    int acc_mode)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions	int mask;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	/* Convert {R,W,X}_OK values to V{READ,WRITE,EXEC} for entry points */
*a1e26a70SApple OSS Distributions	mask = ACCESS_MODE_TO_VNODE_MASK(acc_mode);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(29, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_access, cred, vp, mac_vnode_label(vp), mask);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(29, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_chdir(vfs_context_t ctx, struct vnode *dvp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(30, dvp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_chdir, cred, dvp, mac_vnode_label(dvp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(30, dvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_chroot(vfs_context_t ctx, struct vnode *dvp,
*a1e26a70SApple OSS Distributions    struct componentname *cnp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(31, dvp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_chroot, cred, dvp, mac_vnode_label(dvp), cnp);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(31, dvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_clone(vfs_context_t ctx, struct vnode *dvp,
*a1e26a70SApple OSS Distributions    struct vnode *vp, struct componentname *cnp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(32, dvp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_clone, cred, dvp, mac_vnode_label(dvp), vp,
*a1e26a70SApple OSS Distributions	    mac_vnode_label(vp), cnp);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(32, dvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_create(vfs_context_t ctx, struct vnode *dvp,
*a1e26a70SApple OSS Distributions    struct componentname *cnp, struct vnode_attr *vap)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(33, dvp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_create, cred, dvp, mac_vnode_label(dvp), cnp, vap);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(33, dvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_unlink(vfs_context_t ctx, struct vnode *dvp, struct vnode *vp,
*a1e26a70SApple OSS Distributions    struct componentname *cnp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(34, dvp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_unlink, cred, dvp, mac_vnode_label(dvp), vp,
*a1e26a70SApple OSS Distributions	    mac_vnode_label(vp), cnp);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(34, dvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions#if 0
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_deleteacl(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    acl_type_t type)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(35, dvp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_deleteacl, cred, vp, mac_vnode_label(vp), type);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(35, dvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_deleteextattr(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    const char *name)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(36, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_deleteextattr, cred, vp, mac_vnode_label(vp), name);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(36, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_exchangedata(vfs_context_t ctx,
*a1e26a70SApple OSS Distributions    struct vnode *v1, struct vnode *v2)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(37, v1);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_exchangedata, cred, v1, mac_vnode_label(v1),
*a1e26a70SApple OSS Distributions	    v2, mac_vnode_label(v2));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(37, v1);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if 0
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_getacl(vfs_context_t ctx, struct vnode *vp, acl_type_t type)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(38, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_getacl, cred, vp, mac_vnode_label(vp), type);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(38, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_getattr(vfs_context_t ctx, struct ucred *file_cred,
*a1e26a70SApple OSS Distributions    struct vnode *vp, struct vnode_attr *va)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(39, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_getattr, cred, file_cred, vp, mac_vnode_label(vp), va);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(39, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_getattrlist(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    struct attrlist *alist, uint64_t options)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(40, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_getattrlist, cred, vp, mac_vnode_label(vp), alist, options);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(40, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/* Falsify results instead of returning error? */
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_exec(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    struct image_params *imgp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error = 0;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_proc_enforce || !mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/*
*a1e26a70SApple OSS Distributions	 * NB: Cannot use MAC_CHECK macro because we need a sequence point after
*a1e26a70SApple OSS Distributions	 *     calling exec_spawnattr_getmacpolicyinfo() and before passing the
*a1e26a70SApple OSS Distributions	 *     spawnattrlen as an argument to the hook.
*a1e26a70SApple OSS Distributions	 */
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(41, vp);
*a1e26a70SApple OSS Distributions	{
*a1e26a70SApple OSS Distributions		struct mac_policy_conf *mpc;
*a1e26a70SApple OSS Distributions		u_int i;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions		for (i = 0; i < mac_policy_list.staticmax; i++) {
*a1e26a70SApple OSS Distributions			mpc = mac_policy_list.entries[i].mpc;
*a1e26a70SApple OSS Distributions			if (mpc == NULL) {
*a1e26a70SApple OSS Distributions				continue;
*a1e26a70SApple OSS Distributions			}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions			mpo_vnode_check_exec_t *hook = mpc->mpc_ops->mpo_vnode_check_exec;
*a1e26a70SApple OSS Distributions			if (hook == NULL) {
*a1e26a70SApple OSS Distributions				continue;
*a1e26a70SApple OSS Distributions			}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions			size_t spawnattrlen = 0;
*a1e26a70SApple OSS Distributions			void *spawnattr = exec_spawnattr_getmacpolicyinfo(&imgp->ip_px_smpx, mpc->mpc_name, &spawnattrlen);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions			error = mac_error_select(
*a1e26a70SApple OSS Distributions				hook(cred,
*a1e26a70SApple OSS Distributions				vp, imgp->ip_scriptvp, mac_vnode_label(vp), imgp->ip_scriptlabelp,
*a1e26a70SApple OSS Distributions				imgp->ip_execlabelp, &imgp->ip_ndp->ni_cnd, &imgp->ip_csflags,
*a1e26a70SApple OSS Distributions				spawnattr, spawnattrlen), error);
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions		if (mac_policy_list_conditional_busy() != 0) {
*a1e26a70SApple OSS Distributions			for (; i <= mac_policy_list.maxindex; i++) {
*a1e26a70SApple OSS Distributions				mpc = mac_policy_list.entries[i].mpc;
*a1e26a70SApple OSS Distributions				if (mpc == NULL) {
*a1e26a70SApple OSS Distributions					continue;
*a1e26a70SApple OSS Distributions				}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions				mpo_vnode_check_exec_t *hook = mpc->mpc_ops->mpo_vnode_check_exec;
*a1e26a70SApple OSS Distributions				if (hook == NULL) {
*a1e26a70SApple OSS Distributions					continue;
*a1e26a70SApple OSS Distributions				}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions				size_t spawnattrlen = 0;
*a1e26a70SApple OSS Distributions				void *spawnattr = exec_spawnattr_getmacpolicyinfo(&imgp->ip_px_smpx, mpc->mpc_name, &spawnattrlen);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions				error = mac_error_select(
*a1e26a70SApple OSS Distributions					hook(cred,
*a1e26a70SApple OSS Distributions					vp, imgp->ip_scriptvp, mac_vnode_label(vp), imgp->ip_scriptlabelp,
*a1e26a70SApple OSS Distributions					imgp->ip_execlabelp, &imgp->ip_ndp->ni_cnd, &imgp->ip_csflags,
*a1e26a70SApple OSS Distributions					spawnattr, spawnattrlen), error);
*a1e26a70SApple OSS Distributions			}
*a1e26a70SApple OSS Distributions			mac_policy_list_unbusy();
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(41, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_fsgetpath(vfs_context_t ctx, struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(42, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_fsgetpath, cred, vp, mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(42, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_signature(struct vnode *vp, struct cs_blob *cs_blob,
*a1e26a70SApple OSS Distributions    struct image_params *imgp,
*a1e26a70SApple OSS Distributions    unsigned int *cs_flags, unsigned int *signer_type,
*a1e26a70SApple OSS Distributions    int flags, unsigned int platform)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions	char *fatal_failure_desc = NULL;
*a1e26a70SApple OSS Distributions	size_t fatal_failure_desc_len = 0;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	char *vn_path = NULL;
*a1e26a70SApple OSS Distributions	vm_size_t vn_pathlen = MAXPATHLEN;
*a1e26a70SApple OSS Distributions	cpu_type_t cpu_type = (imgp == NULL) ? CPU_TYPE_ANY : imgp->ip_origcputype;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_proc_enforce || !mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(43, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_signature, vp, mac_vnode_label(vp), cpu_type, cs_blob,
*a1e26a70SApple OSS Distributions	    cs_flags, signer_type, flags, platform, &fatal_failure_desc, &fatal_failure_desc_len);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(43, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	if (fatal_failure_desc_len) {
*a1e26a70SApple OSS Distributions		// A fatal code signature validation failure occured, formulate a crash
*a1e26a70SApple OSS Distributions		// reason.
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions		char const *path = NULL;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions		vn_path = zalloc(ZV_NAMEI);
*a1e26a70SApple OSS Distributions		if (vn_getpath(vp, vn_path, (int*)&vn_pathlen) == 0) {
*a1e26a70SApple OSS Distributions			path = vn_path;
*a1e26a70SApple OSS Distributions		} else {
*a1e26a70SApple OSS Distributions			path = "(get vnode path failed)";
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions		if (error == 0) {
*a1e26a70SApple OSS Distributions			panic("mac_vnode_check_signature: MAC hook returned no error, "
*a1e26a70SApple OSS Distributions			    "but status is claimed to be fatal? "
*a1e26a70SApple OSS Distributions			    "path: '%s', fatal_failure_desc_len: %ld, fatal_failure_desc:\n%s\n",
*a1e26a70SApple OSS Distributions			    path, fatal_failure_desc_len, fatal_failure_desc);
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions		printf("mac_vnode_check_signature: %s: code signature validation failed fatally: %s",
*a1e26a70SApple OSS Distributions		    path, fatal_failure_desc);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions		if (imgp == NULL) {
*a1e26a70SApple OSS Distributions			goto out;
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions		os_reason_t reason = os_reason_create(OS_REASON_CODESIGNING,
*a1e26a70SApple OSS Distributions		    CODESIGNING_EXIT_REASON_TASKGATED_INVALID_SIG);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions		if (reason == OS_REASON_NULL) {
*a1e26a70SApple OSS Distributions			printf("mac_vnode_check_signature: %s: failure to allocate exit reason for validation failure: %s\n",
*a1e26a70SApple OSS Distributions			    path, fatal_failure_desc);
*a1e26a70SApple OSS Distributions			goto out;
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions		imgp->ip_cs_error = reason;
*a1e26a70SApple OSS Distributions		reason->osr_flags = (OS_REASON_FLAG_GENERATE_CRASH_REPORT |
*a1e26a70SApple OSS Distributions		    OS_REASON_FLAG_CONSISTENT_FAILURE);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions		if (fatal_failure_desc == NULL) {
*a1e26a70SApple OSS Distributions			// This may happen if allocation for the buffer failed.
*a1e26a70SApple OSS Distributions			printf("mac_vnode_check_signature: %s: fatal failure is missing its description.\n", path);
*a1e26a70SApple OSS Distributions		} else {
*a1e26a70SApple OSS Distributions			mach_vm_address_t data_addr = 0;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions			int reason_error = 0;
*a1e26a70SApple OSS Distributions			int kcdata_error = 0;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions			if ((reason_error = os_reason_alloc_buffer_noblock(reason, kcdata_estimate_required_buffer_size
*a1e26a70SApple OSS Distributions			    (1, (uint32_t)fatal_failure_desc_len))) == 0 &&
*a1e26a70SApple OSS Distributions			    (kcdata_error = kcdata_get_memory_addr(&reason->osr_kcd_descriptor,
*a1e26a70SApple OSS Distributions			    EXIT_REASON_USER_DESC, (uint32_t)fatal_failure_desc_len,
*a1e26a70SApple OSS Distributions			    &data_addr)) == KERN_SUCCESS) {
*a1e26a70SApple OSS Distributions				kern_return_t mc_error = kcdata_memcpy(&reason->osr_kcd_descriptor, (mach_vm_address_t)data_addr,
*a1e26a70SApple OSS Distributions				    fatal_failure_desc, (uint32_t)fatal_failure_desc_len);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions				if (mc_error != KERN_SUCCESS) {
*a1e26a70SApple OSS Distributions					printf("mac_vnode_check_signature: %s: failed to copy reason string "
*a1e26a70SApple OSS Distributions					    "(kcdata_memcpy error: %d, length: %ld)\n",
*a1e26a70SApple OSS Distributions					    path, mc_error, fatal_failure_desc_len);
*a1e26a70SApple OSS Distributions				}
*a1e26a70SApple OSS Distributions			} else {
*a1e26a70SApple OSS Distributions				printf("mac_vnode_check_signature: %s: failed to allocate space for reason string "
*a1e26a70SApple OSS Distributions				    "(os_reason_alloc_buffer error: %d, kcdata error: %d, length: %ld)\n",
*a1e26a70SApple OSS Distributions				    path, reason_error, kcdata_error, fatal_failure_desc_len);
*a1e26a70SApple OSS Distributions			}
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsout:
*a1e26a70SApple OSS Distributions	if (vn_path) {
*a1e26a70SApple OSS Distributions		zfree(ZV_NAMEI, vn_path);
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	if (fatal_failure_desc_len > 0 && fatal_failure_desc != NULL) {
*a1e26a70SApple OSS Distributions		/* KERN_AMFI_SUPPORTS_DATA_ALLOC >= 2 */
*a1e26a70SApple OSS Distributions		kfree_data(fatal_failure_desc, fatal_failure_desc_len);
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_supplemental_signature(struct vnode *vp,
*a1e26a70SApple OSS Distributions    struct cs_blob *cs_blob, struct vnode *linked_vp,
*a1e26a70SApple OSS Distributions    struct cs_blob *linked_cs_blob, unsigned int *signer_type)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_proc_enforce || !mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(93, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_supplemental_signature, vp, mac_vnode_label(vp), cs_blob, linked_vp, linked_cs_blob,
*a1e26a70SApple OSS Distributions	    signer_type);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(93, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if 0
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_getacl(vfs_context_t ctx, struct vnode *vp, acl_type_t type)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(44, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_getacl, cred, vp, mac_vnode_label(vp), type);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(44, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_getextattr(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    const char *name, struct uio *uio)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(45, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_getextattr, cred, vp, mac_vnode_label(vp),
*a1e26a70SApple OSS Distributions	    name, uio);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(45, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_ioctl(vfs_context_t ctx, struct vnode *vp, u_long cmd)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(46, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_ioctl, cred, vp, mac_vnode_label(vp), cmd);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(46, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_kqfilter(vfs_context_t ctx, kauth_cred_t file_cred,
*a1e26a70SApple OSS Distributions    struct knote *kn, struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(47, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_kqfilter, cred, file_cred, kn, vp,
*a1e26a70SApple OSS Distributions	    mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(47, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_link(vfs_context_t ctx, struct vnode *dvp,
*a1e26a70SApple OSS Distributions    struct vnode *vp, struct componentname *cnp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(48, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_link, cred, dvp, mac_vnode_label(dvp), vp,
*a1e26a70SApple OSS Distributions	    mac_vnode_label(vp), cnp);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(48, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_listextattr(vfs_context_t ctx, struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(49, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_listextattr, cred, vp, mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(49, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_lookup_preflight(vfs_context_t ctx, struct vnode *dvp,
*a1e26a70SApple OSS Distributions    const char *path, size_t pathlen)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(50, dvp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_lookup_preflight, cred, dvp, mac_vnode_label(dvp), path, pathlen);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(50, dvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_lookup(vfs_context_t ctx, struct vnode *dvp,
*a1e26a70SApple OSS Distributions    struct componentname *cnp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(51, dvp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_lookup, cred, dvp, mac_vnode_label(dvp), cnp);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(51, dvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_open(vfs_context_t ctx, struct vnode *vp, int acc_mode)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(52, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_open, cred, vp, mac_vnode_label(vp), acc_mode);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(52, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_read(vfs_context_t ctx, struct ucred *file_cred,
*a1e26a70SApple OSS Distributions    struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(53, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_read, cred, file_cred, vp,
*a1e26a70SApple OSS Distributions	    mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(53, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_readdir(vfs_context_t ctx, struct vnode *dvp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(54, dvp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_readdir, cred, dvp, mac_vnode_label(dvp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(54, dvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_readlink(vfs_context_t ctx, struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(55, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_readlink, cred, vp, mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(55, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_label_update(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    struct label *newlabel)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(56, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_label_update, cred, vp, mac_vnode_label(vp), newlabel);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(56, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_rename(vfs_context_t ctx, struct vnode *fdvp,
*a1e26a70SApple OSS Distributions    struct vnode *fvp, struct componentname *fcnp, struct vnode *tdvp,
*a1e26a70SApple OSS Distributions    struct vnode *tvp, struct componentname *tcnp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(57, fvp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_rename_from, cred, fdvp, mac_vnode_label(fdvp), fvp, mac_vnode_label(fvp), fcnp);
*a1e26a70SApple OSS Distributions	if (error) {
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_END1(57, fvp);
*a1e26a70SApple OSS Distributions		return error;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_rename_to, cred, tdvp, mac_vnode_label(tdvp), tvp,
*a1e26a70SApple OSS Distributions	    tvp != NULL ? mac_vnode_label(tvp) : NULL, fdvp == tdvp, tcnp);
*a1e26a70SApple OSS Distributions	if (error) {
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_END1(57, fvp);
*a1e26a70SApple OSS Distributions		return error;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_rename, cred, fdvp, mac_vnode_label(fdvp), fvp,
*a1e26a70SApple OSS Distributions	    mac_vnode_label(fvp), fcnp, tdvp, mac_vnode_label(tdvp), tvp,
*a1e26a70SApple OSS Distributions	    tvp != NULL ? mac_vnode_label(tvp) : NULL, tcnp);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(57, fvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_revoke(vfs_context_t ctx, struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(58, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_revoke, cred, vp, mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(58, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_searchfs(vfs_context_t ctx, struct vnode *vp, struct attrlist *returnattrs,
*a1e26a70SApple OSS Distributions    struct attrlist *searchattrs)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(59, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_searchfs, cred, vp, mac_vnode_label(vp), returnattrs, searchattrs);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(59, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_select(vfs_context_t ctx, struct vnode *vp, int which)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(60, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_select, cred, vp, mac_vnode_label(vp), which);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(60, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_setacl(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    struct kauth_acl *acl)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(61, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_setacl, cred, vp, mac_vnode_label(vp), acl);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(61, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_setattrlist(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    struct attrlist *alist)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(62, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_setattrlist, cred, vp, mac_vnode_label(vp), alist);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(62, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_setextattr(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    const char *name, struct uio *uio)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(63, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_setextattr, cred, vp, mac_vnode_label(vp),
*a1e26a70SApple OSS Distributions	    name, uio);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(63, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_setflags(vfs_context_t ctx, struct vnode *vp, u_long flags)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(64, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_setflags, cred, vp, mac_vnode_label(vp), flags);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(64, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_setmode(vfs_context_t ctx, struct vnode *vp, mode_t mode)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(65, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_setmode, cred, vp, mac_vnode_label(vp), mode);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(65, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_setowner(vfs_context_t ctx, struct vnode *vp, uid_t uid,
*a1e26a70SApple OSS Distributions    gid_t gid)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(66, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_setowner, cred, vp, mac_vnode_label(vp), uid, gid);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(66, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_setutimes(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    struct timespec atime, struct timespec mtime)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(67, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_setutimes, cred, vp, mac_vnode_label(vp), atime,
*a1e26a70SApple OSS Distributions	    mtime);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(67, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_stat(vfs_context_t ctx, struct ucred *file_cred,
*a1e26a70SApple OSS Distributions    struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(68, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_stat, cred, file_cred, vp,
*a1e26a70SApple OSS Distributions	    mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(68, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_trigger_resolve(vfs_context_t ctx, struct vnode *dvp,
*a1e26a70SApple OSS Distributions    struct componentname *cnp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(69, dvp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_trigger_resolve, cred, dvp, mac_vnode_label(dvp), cnp);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(69, dvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_truncate(vfs_context_t ctx, struct ucred *file_cred,
*a1e26a70SApple OSS Distributions    struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(70, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_truncate, cred, file_cred, vp,
*a1e26a70SApple OSS Distributions	    mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(70, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_write(vfs_context_t ctx, struct ucred *file_cred,
*a1e26a70SApple OSS Distributions    struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(71, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_write, cred, file_cred, vp, mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(71, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_uipc_bind(vfs_context_t ctx, struct vnode *dvp,
*a1e26a70SApple OSS Distributions    struct componentname *cnp, struct vnode_attr *vap)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(72, dvp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_uipc_bind, cred, dvp, mac_vnode_label(dvp), cnp, vap);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(72, dvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_uipc_connect(vfs_context_t ctx, struct vnode *vp, struct socket *so)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(73, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_uipc_connect, cred, vp, mac_vnode_label(vp), (socket_t) so);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(73, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_label_update(vfs_context_t ctx, struct vnode *vp, struct label *newlabel)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	struct label *tmpl = NULL;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	if (mac_vnode_label(vp) == NULL) {
*a1e26a70SApple OSS Distributions		tmpl = mac_vnode_label_alloc(vp);
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	vnode_lock(vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/*
*a1e26a70SApple OSS Distributions	 * Recheck under lock.  We allocate labels for vnodes lazily, so
*a1e26a70SApple OSS Distributions	 * somebody else might have already got here first.
*a1e26a70SApple OSS Distributions	 */
*a1e26a70SApple OSS Distributions	if (mac_vnode_label(vp) == NULL) {
*a1e26a70SApple OSS Distributions		vp->v_label = tmpl;
*a1e26a70SApple OSS Distributions		tmpl = NULL;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(74, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_label_update, cred, vp, mac_vnode_label(vp), newlabel);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(74, vp);
*a1e26a70SApple OSS Distributions	vnode_unlock(vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	if (tmpl != NULL) {
*a1e26a70SApple OSS Distributions		mac_vnode_label_free(tmpl);
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_find_sigs(struct proc *p, struct vnode *vp, off_t offset)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_proc_enforce || !mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(75, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_find_sigs, p, vp, offset, mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(75, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_mount_label_associate(vfs_context_t ctx, struct mount *mp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/* XXX: eventually this logic may be handled by the policy? */
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/* We desire MULTILABEL for the root filesystem. */
*a1e26a70SApple OSS Distributions	if ((mp->mnt_flag & MNT_ROOTFS) &&
*a1e26a70SApple OSS Distributions	    (strcmp(mp->mnt_vfsstat.f_fstypename, "hfs") == 0)) {
*a1e26a70SApple OSS Distributions		mp->mnt_flag |= MNT_MULTILABEL;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/* MULTILABEL on DEVFS. */
*a1e26a70SApple OSS Distributions	if (strcmp(mp->mnt_vfsstat.f_fstypename, "devfs") == 0) {
*a1e26a70SApple OSS Distributions		mp->mnt_flag |= MNT_MULTILABEL;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/* MULTILABEL on FDESC pseudo-filesystem. */
*a1e26a70SApple OSS Distributions	if (strcmp(mp->mnt_vfsstat.f_fstypename, "fdesc") == 0) {
*a1e26a70SApple OSS Distributions		mp->mnt_flag |= MNT_MULTILABEL;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/* MULTILABEL on all NFS filesystems. */
*a1e26a70SApple OSS Distributions	if (strcmp(mp->mnt_vfsstat.f_fstypename, "nfs") == 0) {
*a1e26a70SApple OSS Distributions		mp->mnt_flag |= MNT_MULTILABEL;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/* MULTILABEL on all AFP filesystems. */
*a1e26a70SApple OSS Distributions	if (strcmp(mp->mnt_vfsstat.f_fstypename, "afpfs") == 0) {
*a1e26a70SApple OSS Distributions		mp->mnt_flag |= MNT_MULTILABEL;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	if (mp->mnt_vtable != NULL) {
*a1e26a70SApple OSS Distributions		/* Any filesystem that supports native XATTRs. */
*a1e26a70SApple OSS Distributions		if ((mp->mnt_vtable->vfc_vfsflags & VFC_VFSNATIVEXATTR)) {
*a1e26a70SApple OSS Distributions			mp->mnt_flag |= MNT_MULTILABEL;
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions		/* Filesystem does not support multilabel. */
*a1e26a70SApple OSS Distributions		if ((mp->mnt_vtable->vfc_vfsflags & VFC_VFSNOMACLABEL) &&
*a1e26a70SApple OSS Distributions		    (mp->mnt_flag & MNT_MULTILABEL)) {
*a1e26a70SApple OSS Distributions			mp->mnt_flag &= ~MNT_MULTILABEL;
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(76, mp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(mount_label_associate, cred, mp, mac_mount_label(mp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(76, mp);
*a1e26a70SApple OSS Distributions#if DEBUG
*a1e26a70SApple OSS Distributions	printf("MAC Framework enabling %s support: %s -> %s (%s)\n",
*a1e26a70SApple OSS Distributions	    mp->mnt_flag & MNT_MULTILABEL ? "multilabel" : "singlelabel",
*a1e26a70SApple OSS Distributions	    mp->mnt_vfsstat.f_mntfromname,
*a1e26a70SApple OSS Distributions	    mp->mnt_vfsstat.f_mntonname,
*a1e26a70SApple OSS Distributions	    mp->mnt_vfsstat.f_fstypename);
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_mount(vfs_context_t ctx, struct vnode *vp,
*a1e26a70SApple OSS Distributions    struct componentname *cnp, const char *vfc_name)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(77, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_mount, cred, vp, mac_vnode_label(vp), cnp, vfc_name);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(77, vp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_mount_late(vfs_context_t ctx, struct mount *mp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(78, mp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_mount_late, cred, mp);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(78, mp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_snapshot_create(vfs_context_t ctx, struct mount *mp,
*a1e26a70SApple OSS Distributions    const char *name)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(79, mp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_snapshot_create, cred, mp, name);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(79, mp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_snapshot_delete(vfs_context_t ctx, struct mount *mp,
*a1e26a70SApple OSS Distributions    const char *name)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(80, mp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_snapshot_delete, cred, mp, name);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(80, mp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_snapshot_mount(vfs_context_t ctx, struct vnode *rvp, struct vnode *vp, struct componentname *cnp,
*a1e26a70SApple OSS Distributions    const char *name, const char *vfc_name)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(92, vp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_snapshot_mount, cred, rvp, vp, cnp, name, vfc_name);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(92, vp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_snapshot_revert(vfs_context_t ctx, struct mount *mp,
*a1e26a70SApple OSS Distributions    const char *name)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(81, mp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_snapshot_revert, cred, mp, name);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(81, mp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_remount(vfs_context_t ctx, struct mount *mp, int flags)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions	uint64_t visflags = (uint64_t)(flags & (MNT_CMDFLAGS | MNT_VISFLAGMASK));
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(82, mp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_remount, cred, mp, mac_mount_label(mp), visflags);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(82, mp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_umount(vfs_context_t ctx, struct mount *mp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(83, mp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_umount, cred, mp, mac_mount_label(mp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(83, mp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_getattr(vfs_context_t ctx, struct mount *mp,
*a1e26a70SApple OSS Distributions    struct vfs_attr *vfa)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(84, mp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_getattr, cred, mp, mac_mount_label(mp), vfa);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(84, mp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_setattr(vfs_context_t ctx, struct mount *mp,
*a1e26a70SApple OSS Distributions    struct vfs_attr *vfa)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(85, mp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_setattr, cred, mp, mac_mount_label(mp), vfa);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(85, mp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_stat(vfs_context_t ctx, struct mount *mount)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(86, mount);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_stat, cred, mount, mac_mount_label(mount));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(86, mount);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_label_update(vfs_context_t ctx, struct mount *mount)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(87, mount);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_label_update, cred, mount, mac_mount_label(mount));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(87, mount);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_fsctl(vfs_context_t ctx, struct mount *mp, u_long cmd)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(88, mp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_fsctl, cred, mp, mac_mount_label(mp), cmd);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(88, mp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_devfs_label_associate_device(dev_t dev, struct devnode *de,
*a1e26a70SApple OSS Distributions    const char *fullpath)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_device_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(89, de);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(devfs_label_associate_device, dev, de, mac_devfs_label(de),
*a1e26a70SApple OSS Distributions	    fullpath);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(89, de);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_devfs_label_associate_directory(const char *dirname, int dirnamelen,
*a1e26a70SApple OSS Distributions    struct devnode *de, const char *fullpath)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_device_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(90, de);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(devfs_label_associate_directory, dirname, dirnamelen, de,
*a1e26a70SApple OSS Distributions	    mac_devfs_label(de), fullpath);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(90, de);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsvn_setlabel(struct vnode *vp, struct label *intlabel, vfs_context_t context)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	if (!mac_label_vnodes) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	if (vp->v_mount == NULL) {
*a1e26a70SApple OSS Distributions		printf("vn_setlabel: null v_mount\n");
*a1e26a70SApple OSS Distributions		if (vp->v_type != VNON) {
*a1e26a70SApple OSS Distributions			printf("vn_setlabel: null v_mount with non-VNON\n");
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions		return EBADF;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	if ((vp->v_mount->mnt_flag & MNT_MULTILABEL) == 0) {
*a1e26a70SApple OSS Distributions		return ENOTSUP;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	/*
*a1e26a70SApple OSS Distributions	 * Multi-phase commit.  First check the policies to confirm the
*a1e26a70SApple OSS Distributions	 * change is OK.  Then commit via the filesystem.  Finally,
*a1e26a70SApple OSS Distributions	 * update the actual vnode label.  Question: maybe the filesystem
*a1e26a70SApple OSS Distributions	 * should update the vnode at the end as part of VNOP_SETLABEL()?
*a1e26a70SApple OSS Distributions	 */
*a1e26a70SApple OSS Distributions	error = mac_vnode_check_label_update(context, vp, intlabel);
*a1e26a70SApple OSS Distributions	if (error) {
*a1e26a70SApple OSS Distributions		return error;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	error = VNOP_SETLABEL(vp, intlabel, context);
*a1e26a70SApple OSS Distributions	if (error == ENOTSUP) {
*a1e26a70SApple OSS Distributions		error = mac_vnode_label_store(context, vp,
*a1e26a70SApple OSS Distributions		    intlabel);
*a1e26a70SApple OSS Distributions		if (error) {
*a1e26a70SApple OSS Distributions			printf("%s: mac_vnode_label_store failed %d\n",
*a1e26a70SApple OSS Distributions			    __func__, error);
*a1e26a70SApple OSS Distributions			return error;
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions		mac_vnode_label_update(context, vp, intlabel);
*a1e26a70SApple OSS Distributions	} else if (error) {
*a1e26a70SApple OSS Distributions		printf("vn_setlabel: vop setlabel failed %d\n", error);
*a1e26a70SApple OSS Distributions		return error;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return 0;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_label_associate_fdesc(struct mount *mp, struct fdescnode *fnp,
*a1e26a70SApple OSS Distributions    struct vnode *vp, vfs_context_t ctx)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	struct fileproc *fp;
*a1e26a70SApple OSS Distributions#if CONFIG_MACF_SOCKET_SUBSET
*a1e26a70SApple OSS Distributions	struct socket *so;
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	struct pipe *cpipe;
*a1e26a70SApple OSS Distributions	struct vnode *fvp;
*a1e26a70SApple OSS Distributions	struct proc *p;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	error = 0;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(91, vp);
*a1e26a70SApple OSS Distributions	/*
*a1e26a70SApple OSS Distributions	 * If no backing file, let the policy choose which label to use.
*a1e26a70SApple OSS Distributions	 */
*a1e26a70SApple OSS Distributions	if (fnp->fd_fd == -1) {
*a1e26a70SApple OSS Distributions		MAC_PERFORM(vnode_label_associate_file, vfs_context_ucred(ctx),
*a1e26a70SApple OSS Distributions		    mp, mac_mount_label(mp), NULL, NULL, vp, mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_END1(91, vp);
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	p = vfs_context_proc(ctx);
*a1e26a70SApple OSS Distributions	error = fp_lookup(p, fnp->fd_fd, &fp, 0);
*a1e26a70SApple OSS Distributions	if (error) {
*a1e26a70SApple OSS Distributions		VFS_KERNEL_DEBUG_END1(91, vp);
*a1e26a70SApple OSS Distributions		return error;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	if (fp->fp_glob == NULL) {
*a1e26a70SApple OSS Distributions		error = EBADF;
*a1e26a70SApple OSS Distributions		goto out;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	switch (FILEGLOB_DTYPE(fp->fp_glob)) {
*a1e26a70SApple OSS Distributions	case DTYPE_VNODE:
*a1e26a70SApple OSS Distributions		fvp = (struct vnode *)fp_get_data(fp);
*a1e26a70SApple OSS Distributions		if ((error = vnode_getwithref(fvp))) {
*a1e26a70SApple OSS Distributions			goto out;
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions		if (mac_vnode_label(fvp) != NULL) {
*a1e26a70SApple OSS Distributions			if (mac_label_vnodes != 0 && mac_vnode_label(vp) == NULL) {
*a1e26a70SApple OSS Distributions				mac_vnode_label_init(vp); /* init dst label */
*a1e26a70SApple OSS Distributions			}
*a1e26a70SApple OSS Distributions			MAC_PERFORM(vnode_label_copy, mac_vnode_label(fvp), mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions		(void)vnode_put(fvp);
*a1e26a70SApple OSS Distributions		break;
*a1e26a70SApple OSS Distributions#if CONFIG_MACF_SOCKET_SUBSET
*a1e26a70SApple OSS Distributions	case DTYPE_SOCKET:
*a1e26a70SApple OSS Distributions		so = (struct socket *)fp_get_data(fp);
*a1e26a70SApple OSS Distributions		socket_lock(so, 1);
*a1e26a70SApple OSS Distributions		MAC_PERFORM(vnode_label_associate_socket,
*a1e26a70SApple OSS Distributions		    vfs_context_ucred(ctx), (socket_t)so, NULL,
*a1e26a70SApple OSS Distributions		    vp, mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions		socket_unlock(so, 1);
*a1e26a70SApple OSS Distributions		break;
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	case DTYPE_PSXSHM:
*a1e26a70SApple OSS Distributions		pshm_label_associate(fp, vp, ctx);
*a1e26a70SApple OSS Distributions		break;
*a1e26a70SApple OSS Distributions	case DTYPE_PSXSEM:
*a1e26a70SApple OSS Distributions		psem_label_associate(fp, vp, ctx);
*a1e26a70SApple OSS Distributions		break;
*a1e26a70SApple OSS Distributions	case DTYPE_PIPE:
*a1e26a70SApple OSS Distributions		cpipe = (struct pipe *)fp_get_data(fp);
*a1e26a70SApple OSS Distributions		/* kern/sys_pipe.c:pipe_select() suggests this test. */
*a1e26a70SApple OSS Distributions		if (cpipe == (struct pipe *)-1) {
*a1e26a70SApple OSS Distributions			error = EINVAL;
*a1e26a70SApple OSS Distributions			goto out;
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions		PIPE_LOCK(cpipe);
*a1e26a70SApple OSS Distributions		MAC_PERFORM(vnode_label_associate_pipe, vfs_context_ucred(ctx),
*a1e26a70SApple OSS Distributions		    cpipe, mac_pipe_label(cpipe), vp, mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions		PIPE_UNLOCK(cpipe);
*a1e26a70SApple OSS Distributions		break;
*a1e26a70SApple OSS Distributions	case DTYPE_KQUEUE:
*a1e26a70SApple OSS Distributions	case DTYPE_FSEVENTS:
*a1e26a70SApple OSS Distributions	case DTYPE_ATALK:
*a1e26a70SApple OSS Distributions	case DTYPE_NETPOLICY:
*a1e26a70SApple OSS Distributions	case DTYPE_CHANNEL:
*a1e26a70SApple OSS Distributions	case DTYPE_NEXUS:
*a1e26a70SApple OSS Distributions	default:
*a1e26a70SApple OSS Distributions		MAC_PERFORM(vnode_label_associate_file, vfs_context_ucred(ctx),
*a1e26a70SApple OSS Distributions		    mp, mac_mount_label(mp), fp->fp_glob, NULL,
*a1e26a70SApple OSS Distributions		    vp, mac_vnode_label(vp));
*a1e26a70SApple OSS Distributions		break;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributionsout:
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(91, vp);
*a1e26a70SApple OSS Distributions	fp_drop(p, fnp->fd_fd, fp, 0);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsintptr_t
*a1e26a70SApple OSS Distributionsmac_vnode_label_get(struct vnode *vp, int slot, intptr_t sentinel)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	struct label *l;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	KASSERT(vp != NULL, ("mac_vnode_label_get: NULL vnode"));
*a1e26a70SApple OSS Distributions	l = mac_vnode_label(vp);
*a1e26a70SApple OSS Distributions	if (l != NULL) {
*a1e26a70SApple OSS Distributions		return mac_label_get(l, slot);
*a1e26a70SApple OSS Distributions	} else {
*a1e26a70SApple OSS Distributions		return sentinel;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_label_set(struct vnode *vp, int slot, intptr_t v)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	struct label *l;
*a1e26a70SApple OSS Distributions	KASSERT(vp != NULL, ("mac_vnode_label_set: NULL vnode"));
*a1e26a70SApple OSS Distributions	l = mac_vnode_label(vp);
*a1e26a70SApple OSS Distributions	if (l == NULL) {
*a1e26a70SApple OSS Distributions		mac_vnode_label_init(vp);
*a1e26a70SApple OSS Distributions		l = mac_vnode_label(vp);
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	mac_label_set(l, slot, v);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_reclaim(struct vnode *vp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(94, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_reclaim, vp);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(94, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_mount_check_quotactl(vfs_context_t ctx, struct mount *mp, int cmd, int id)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(95, mp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(mount_check_quotactl, cred, mp, cmd, id);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(95, mp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_getattrlistbulk(vfs_context_t ctx, struct vnode *vp, struct attrlist *alist, uint64_t options)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(96, mp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_getattrlistbulk, cred, vp, alist, options);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(96, mp);
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_copyfile(vfs_context_t ctx, struct vnode *dvp,
*a1e26a70SApple OSS Distributions    struct vnode *tvp, struct vnode *fvp, struct componentname *cnp,
*a1e26a70SApple OSS Distributions    mode_t mode, int flags)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(97, dvp);
*a1e26a70SApple OSS Distributions	MAC_CHECK(vnode_check_copyfile, cred, dvp, mac_vnode_label(dvp),
*a1e26a70SApple OSS Distributions	    tvp, tvp ? mac_vnode_label(tvp) : NULL, fvp, mac_vnode_label(fvp), cnp, mode, flags);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(97, dvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_unlink(vfs_context_t ctx, struct vnode *dvp, struct vnode *vp,
*a1e26a70SApple OSS Distributions    struct componentname *cnp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(98, vp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(vnode_notify_unlink, cred, dvp, mac_vnode_label(dvp), vp,
*a1e26a70SApple OSS Distributions	    mac_vnode_label(vp), cnp);
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(98, vp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_vnode_notify_rename_swap(vfs_context_t ctx, struct vnode *fdvp,
*a1e26a70SApple OSS Distributions    struct vnode *fvp, struct componentname *fcnp, struct vnode *tdvp,
*a1e26a70SApple OSS Distributions    struct vnode *tvp, struct componentname *tcnp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(99, fvp);
*a1e26a70SApple OSS Distributions	MAC_POLICY_ITERATE({
*a1e26a70SApple OSS Distributions		/* BEGIN IGNORE CODESTYLE */
*a1e26a70SApple OSS Distributions		if (mpc->mpc_ops->mpo_vnode_notify_swap != NULL) {
*a1e26a70SApple OSS Distributions			MAC_PERFORM_CALL(vnode_notify_swap, mpc);
*a1e26a70SApple OSS Distributions			mpc->mpc_ops->mpo_vnode_notify_swap(cred, fvp, mac_vnode_label(fvp), tvp, mac_vnode_label(tvp));
*a1e26a70SApple OSS Distributions			MAC_PERFORM_RSLT(vnode_notify_swap, mpc);
*a1e26a70SApple OSS Distributions		} else if (mpc->mpc_ops->mpo_vnode_notify_rename != NULL) {
*a1e26a70SApple OSS Distributions			MAC_PERFORM_CALL(vnode_notify_swap_rename, mpc);
*a1e26a70SApple OSS Distributions			/* Call notify_rename twice, one for each member of the swap. */
*a1e26a70SApple OSS Distributions			mpc->mpc_ops->mpo_vnode_notify_rename(cred, fvp, mac_vnode_label(fvp), tdvp, mac_vnode_label(tdvp), tcnp);
*a1e26a70SApple OSS Distributions			mpc->mpc_ops->mpo_vnode_notify_rename(cred, tvp, mac_vnode_label(tvp), fdvp, mac_vnode_label(fdvp), fcnp);
*a1e26a70SApple OSS Distributions			MAC_PERFORM_RSLT(vnode_notify_swap_rename, mpc);
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions		/* END IGNORE CODESTYLE */
*a1e26a70SApple OSS Distributions	});
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(99, fvp);
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsint
*a1e26a70SApple OSS Distributionsmac_vnode_check_rename_swap(vfs_context_t ctx, struct vnode *fdvp,
*a1e26a70SApple OSS Distributions    struct vnode *fvp, struct componentname *fcnp, struct vnode *tdvp,
*a1e26a70SApple OSS Distributions    struct vnode *tvp, struct componentname *tcnp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	kauth_cred_t cred;
*a1e26a70SApple OSS Distributions	int error;
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions#if SECURITY_MAC_CHECK_ENFORCE
*a1e26a70SApple OSS Distributions	/* 21167099 - only check if we allow write */
*a1e26a70SApple OSS Distributions	if (!mac_vnode_enforce) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions#endif
*a1e26a70SApple OSS Distributions	cred = vfs_context_ucred(ctx);
*a1e26a70SApple OSS Distributions	if (!mac_cred_check_enforce(cred)) {
*a1e26a70SApple OSS Distributions		return 0;
*a1e26a70SApple OSS Distributions	}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(100, fvp);
*a1e26a70SApple OSS Distributions	error = 0;
*a1e26a70SApple OSS Distributions	MAC_POLICY_ITERATE({
*a1e26a70SApple OSS Distributions		/* BEGIN IGNORE CODESTYLE */
*a1e26a70SApple OSS Distributions		int __step_err;
*a1e26a70SApple OSS Distributions		if (mpc->mpc_ops->mpo_vnode_check_swap != NULL) {
*a1e26a70SApple OSS Distributions			MAC_CHECK_CALL(vnode_check_swap, mpc);
*a1e26a70SApple OSS Distributions			__step_err = mpc->mpc_ops->mpo_vnode_check_swap(cred, fvp, mac_vnode_label(fvp), tvp, mac_vnode_label(tvp));
*a1e26a70SApple OSS Distributions			MAC_CHECK_RSLT(vnode_check_swap, mpc);
*a1e26a70SApple OSS Distributions			error = mac_error_select(__step_err, error);
*a1e26a70SApple OSS Distributions		} else if (mpc->mpc_ops->mpo_vnode_check_rename != NULL) {
*a1e26a70SApple OSS Distributions		        MAC_PERFORM_CALL(vnode_check_swap_rename, mpc);
*a1e26a70SApple OSS Distributions			/* Call check_rename twice, one for each member of the swap. */
*a1e26a70SApple OSS Distributions			__step_err = mpc->mpc_ops->mpo_vnode_check_rename(cred, fdvp, mac_vnode_label(fdvp), fvp, mac_vnode_label(fvp), fcnp,
*a1e26a70SApple OSS Distributions			    tdvp, mac_vnode_label(tdvp), tvp, mac_vnode_label(tvp), tcnp);
*a1e26a70SApple OSS Distributions			error = mac_error_select(__step_err, error);
*a1e26a70SApple OSS Distributions			__step_err = mpc->mpc_ops->mpo_vnode_check_rename(cred, tdvp, mac_vnode_label(tdvp), tvp, mac_vnode_label(tvp), tcnp,
*a1e26a70SApple OSS Distributions			    fdvp, mac_vnode_label(fdvp), fvp, mac_vnode_label(fvp), fcnp);
*a1e26a70SApple OSS Distributions			error = mac_error_select(__step_err, error);
*a1e26a70SApple OSS Distributions			MAC_PERFORM_RSLT(vnode_check_swap_rename, mpc);
*a1e26a70SApple OSS Distributions		}
*a1e26a70SApple OSS Distributions		/* END IGNORE CODESTYLE */
*a1e26a70SApple OSS Distributions	});
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(100, fvp);
*a1e26a70SApple OSS Distributions	return error;
*a1e26a70SApple OSS Distributions}
*a1e26a70SApple OSS Distributions
*a1e26a70SApple OSS Distributionsvoid
*a1e26a70SApple OSS Distributionsmac_mount_notify_mount(vfs_context_t ctx, struct mount *mp)
*a1e26a70SApple OSS Distributions{
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_START1(102, mp);
*a1e26a70SApple OSS Distributions	MAC_PERFORM(mount_notify_mount, vfs_context_ucred(ctx), mp, mac_mount_label(mp));
*a1e26a70SApple OSS Distributions	VFS_KERNEL_DEBUG_END1(102, mp);
*a1e26a70SApple OSS Distributions}