1 #include <sys/param.h>
2 #include <sys/systm.h>          /* XXX printf() */
3 
4 #include <sys/types.h>
5 #include <sys/fcntl.h>
6 #include <sys/file.h>
7 #include <sys/kauth.h>
8 #include <sys/mount.h>
9 #include <sys/msg.h>
10 #include <sys/proc.h>
11 #include <sys/socketvar.h>
12 #include <sys/vnode.h>
13 #include <security/mac.h>
14 #include <security/mac_policy.h>
15 
16 #include <libkern/section_keywords.h>
17 #include <libkern/OSDebug.h>    /* OSBPrintBacktrace */
18 
19 
/* forward declaration; see bsd_init.c */
errno_t check_policy_init(int);
int get_thread_lock_count(thread_t th);         /* forced forward */

/*
 * Policy flags used when the policy is enabled
 *
 * These bits are passed in via check_policy_init(); they are only consulted
 * by common_hook() once the policy has been registered.
 *
 * Note:	CHECK_POLICY_CHECK is probably not very useful unless you
 *		are kernel debugging and set a breakpoint.
 */
#define CHECK_POLICY_CHECK      0x00000001      /* Check on calls */
#define CHECK_POLICY_FAIL       0x00000002      /* EPERM on fails */
#define CHECK_POLICY_BACKTRACE  0x00000004      /* Show call stack on fails */
#define CHECK_POLICY_PANIC      0x00000008      /* Panic on fails */
#define CHECK_POLICY_PERIODIC   0x00000010      /* Show fails periodically */

/* CHECK_POLICY_* mask in effect; 0 until check_policy_init() stores one */
static int policy_flags = 0;


/*
 * Designated initializer for one slot of struct mac_policy_ops: every hook
 * named via this macro is routed to common_hook(), cast through
 * (void (*)(void)) to the slot's own hook type.  common_hook() takes no
 * arguments and returns int, so the cast is what lets a single function
 * stand in for every hook signature.
 */
#define CHECK_SET_HOOK(x)       .mpo_##x = (mpo_##x##_t *)(void (*)(void))common_hook,
40 
/*
 * Init; currently, we only print our arrival notice.
 *
 * mpc is the policy configuration being registered (our own policy_conf);
 * only its short and full names are read.
 */
static void
hook_policy_init(struct mac_policy_conf *mpc)
{
	const char *short_name = mpc->mpc_name;
	const char *long_name = mpc->mpc_fullname;

	printf("Policy '%s' = '%s' ready\n", short_name, long_name);
}
49 
/*
 * BSD-side init hook; only announces itself.
 *
 * mpc is the policy configuration being registered; only mpc_name is read.
 */
static void
hook_policy_initbsd(struct mac_policy_conf *mpc)
{
	const char *short_name = mpc->mpc_name;

	/* called with policy_grab_exclusive mutex held; exempt */
	printf("hook_policy_initbsd: %s\n", short_name);
}
56 
57 
/* Implementation */

/*
 * Throttle parameters for CHECK_POLICY_PERIODIC backtraces (see common_hook()).
 * CLASS_PERIOD_LIMIT caps the growth of policy_check_period; CLASS_PERIOD_MULT
 * is the factor applied each time the period grows.
 */
#define CLASS_PERIOD_LIMIT      10000
#define CLASS_PERIOD_MULT       20

/* number of hook calls seen with a lock held; bumped in common_hook() */
static int policy_check_event = 1;
/* report only when policy_check_event is a multiple of this */
static int policy_check_period = 1;
/* event-count threshold compared against policy_check_event in common_hook() */
static int policy_check_next = CLASS_PERIOD_MULT;
66 
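/*
 * Common body for every MACF hook this policy installs (see policy_ops).
 *
 * Returns 0 when the calling thread holds no locks.  When it does
 * (get_thread_lock_count() != 0) the configured CHECK_POLICY_* actions
 * fire: EPERM is returned if CHECK_POLICY_FAIL is set (only meaningful for
 * hooks whose int result is consulted), a backtrace is printed if
 * CHECK_POLICY_BACKTRACE is set and CHECK_POLICY_PANIC is not, and the
 * kernel panics if CHECK_POLICY_PANIC is set.
 *
 * CHECK_POLICY_PERIODIC throttles the backtrace: the first CLASS_PERIOD_MULT
 * events are all reported, after which the period grows by CLASS_PERIOD_MULT
 * each time the event count passes policy_check_next (until the period
 * reaches CLASS_PERIOD_LIMIT) and only every policy_check_period-th event
 * is reported.
 *
 * The throttle state (policy_check_event/period/next) is plain static data
 * updated without a lock; concurrent hook calls can race on it, which only
 * affects how many reports a debugging session sees.
 */
static int
common_hook(void)
{
	int     lock_count;
	int     rv = 0;

	lock_count = get_thread_lock_count(current_thread());
	if (lock_count == 0) {
		return rv;
	}

	/*
	 * fail the MACF check if we hold a lock; this assumes a
	 * non-void (authorization) MACF hook.
	 */
	if (policy_flags & CHECK_POLICY_FAIL) {
		rv = EPERM;
	}

	/*
	 * display a backtrace if we hold a lock and we are not
	 * going to panic
	 */
	if ((policy_flags & (CHECK_POLICY_BACKTRACE | CHECK_POLICY_PANIC)) == CHECK_POLICY_BACKTRACE) {
		if (policy_flags & CHECK_POLICY_PERIODIC) {
			/*
			 * At exponentially increasing intervals: grow the
			 * period once the event count passes the current
			 * threshold, then report only on multiples of it.
			 * The growth step must not be gated on the event
			 * being a non-multiple of the period: with the
			 * initial period of 1 every event is a multiple, so
			 * such a gate is never satisfied and reporting would
			 * stop for good after the first CLASS_PERIOD_MULT
			 * events.
			 */
			if (policy_check_event > policy_check_next &&
			    policy_check_period < CLASS_PERIOD_LIMIT) {
				policy_check_next *= CLASS_PERIOD_MULT;
				policy_check_period *= CLASS_PERIOD_MULT;
			}
			if ((policy_check_event % policy_check_period) == 0) {
				/*
				 * According to Derek, we could
				 * technically get a symbolicated name
				 * here, if we refactored some code
				 * and set the "keepsyms=1" boot
				 * argument...
				 */
				OSReportWithBacktrace("calling MACF hook with mutex count %d (event %d) ", lock_count, policy_check_event);
			}
		} else {
			/* always */
			OSReportWithBacktrace("calling MACF hook with mutex count %d (event %d) ", lock_count, policy_check_event);
		}
	}

	/* Panic */
	if (policy_flags & CHECK_POLICY_PANIC) {
		panic("calling MACF hook with mutex count %d", lock_count);
	}

	/* count for non-fatal tracing (plain int; wraps only after ~2^31 events) */
	policy_check_event++;

	return rv;
}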
123 
#if (MAC_POLICY_OPS_VERSION != 87)
# error "struct mac_policy_ops doesn't match definition in mac_policy.h"
#endif
/*
 * Policy hooks; one per possible hook
 *
 * Please note that this struct initialization should be kept in sync with
 * security/mac_policy.h (mac_policy_ops struct definition).  The #if above
 * turns a version mismatch into a build error instead of a silently
 * mis-wired hook table.
 */
const static struct mac_policy_ops policy_ops = {
	/*
	 * Every slot below points at common_hook().  CHECK_SET_HOOK casts it
	 * through (void (*)(void)) to the slot's own hook type, and the
	 * reserved slots cast it to mpo_reserved_hook_t directly; common_hook()
	 * itself takes no arguments and returns int, so it is always invoked
	 * through a function-pointer type that does not match its definition.
	 * Its int return only reaches the caller in slots whose hook type
	 * returns int; for the notify/label (void) hooks it is discarded.
	 */
	CHECK_SET_HOOK(audit_check_postselect)
	CHECK_SET_HOOK(audit_check_preselect)

	.mpo_reserved01 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved02 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved03 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved04 = (mpo_reserved_hook_t *)common_hook,

	CHECK_SET_HOOK(cred_check_label_update_execve)
	CHECK_SET_HOOK(cred_check_label_update)
	CHECK_SET_HOOK(cred_check_visible)
	CHECK_SET_HOOK(cred_label_associate_fork)
	CHECK_SET_HOOK(cred_label_associate_kernel)
	CHECK_SET_HOOK(cred_label_associate)
	CHECK_SET_HOOK(cred_label_associate_user)
	CHECK_SET_HOOK(cred_label_destroy)
	CHECK_SET_HOOK(cred_label_externalize_audit)
	CHECK_SET_HOOK(cred_label_externalize)
	CHECK_SET_HOOK(cred_label_init)
	CHECK_SET_HOOK(cred_label_internalize)
	CHECK_SET_HOOK(cred_label_update_execve)
	CHECK_SET_HOOK(cred_label_update)

	CHECK_SET_HOOK(devfs_label_associate_device)
	CHECK_SET_HOOK(devfs_label_associate_directory)
	CHECK_SET_HOOK(devfs_label_copy)
	CHECK_SET_HOOK(devfs_label_destroy)
	CHECK_SET_HOOK(devfs_label_init)
	CHECK_SET_HOOK(devfs_label_update)

	CHECK_SET_HOOK(file_check_change_offset)
	CHECK_SET_HOOK(file_check_create)
	CHECK_SET_HOOK(file_check_dup)
	CHECK_SET_HOOK(file_check_fcntl)
	CHECK_SET_HOOK(file_check_get_offset)
	CHECK_SET_HOOK(file_check_get)
	CHECK_SET_HOOK(file_check_inherit)
	CHECK_SET_HOOK(file_check_ioctl)
	CHECK_SET_HOOK(file_check_lock)
	CHECK_SET_HOOK(file_check_mmap_downgrade)
	CHECK_SET_HOOK(file_check_mmap)
	CHECK_SET_HOOK(file_check_receive)
	CHECK_SET_HOOK(file_check_set)
	CHECK_SET_HOOK(file_label_init)
	CHECK_SET_HOOK(file_label_destroy)
	CHECK_SET_HOOK(file_label_associate)
	CHECK_SET_HOOK(file_notify_close)
	CHECK_SET_HOOK(proc_check_launch_constraints)
	CHECK_SET_HOOK(proc_notify_service_port_derive)
	CHECK_SET_HOOK(proc_check_set_task_exception_port)
	CHECK_SET_HOOK(proc_check_set_thread_exception_port)

	.mpo_reserved08 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved09 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved10 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved11 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved12 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved13 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved14 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved15 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved16 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved17 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved18 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved19 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved20 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved21 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved22 = (mpo_reserved_hook_t *)common_hook,

	CHECK_SET_HOOK(necp_check_open)
	CHECK_SET_HOOK(necp_check_client_action)

	CHECK_SET_HOOK(file_check_library_validation)

	CHECK_SET_HOOK(vnode_notify_setacl)
	CHECK_SET_HOOK(vnode_notify_setattrlist)
	CHECK_SET_HOOK(vnode_notify_setextattr)
	CHECK_SET_HOOK(vnode_notify_setflags)
	CHECK_SET_HOOK(vnode_notify_setmode)
	CHECK_SET_HOOK(vnode_notify_setowner)
	CHECK_SET_HOOK(vnode_notify_setutimes)
	CHECK_SET_HOOK(vnode_notify_truncate)
	CHECK_SET_HOOK(vnode_check_getattrlistbulk)

	CHECK_SET_HOOK(proc_check_get_task_special_port)
	CHECK_SET_HOOK(proc_check_set_task_special_port)

	CHECK_SET_HOOK(vnode_notify_swap)
	CHECK_SET_HOOK(vnode_notify_unlink)

	CHECK_SET_HOOK(vnode_check_swap)
	.mpo_reserved33 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved34 = (mpo_reserved_hook_t *)common_hook,
	CHECK_SET_HOOK(mount_notify_mount)
	CHECK_SET_HOOK(vnode_check_copyfile)

	CHECK_SET_HOOK(mount_check_quotactl)
	CHECK_SET_HOOK(mount_check_fsctl)
	CHECK_SET_HOOK(mount_check_getattr)
	CHECK_SET_HOOK(mount_check_label_update)
	CHECK_SET_HOOK(mount_check_mount)
	CHECK_SET_HOOK(mount_check_remount)
	CHECK_SET_HOOK(mount_check_setattr)
	CHECK_SET_HOOK(mount_check_stat)
	CHECK_SET_HOOK(mount_check_umount)
	CHECK_SET_HOOK(mount_label_associate)
	CHECK_SET_HOOK(mount_label_destroy)
	CHECK_SET_HOOK(mount_label_externalize)
	CHECK_SET_HOOK(mount_label_init)
	CHECK_SET_HOOK(mount_label_internalize)

	CHECK_SET_HOOK(proc_check_expose_task_with_flavor)
	CHECK_SET_HOOK(proc_check_get_task_with_flavor)
	CHECK_SET_HOOK(proc_check_task_id_token_get_task)

	CHECK_SET_HOOK(pipe_check_ioctl)
	CHECK_SET_HOOK(pipe_check_kqfilter)
	.mpo_reserved41 = (mpo_reserved_hook_t *)common_hook,
	CHECK_SET_HOOK(pipe_check_read)
	CHECK_SET_HOOK(pipe_check_select)
	CHECK_SET_HOOK(pipe_check_stat)
	CHECK_SET_HOOK(pipe_check_write)
	CHECK_SET_HOOK(pipe_label_associate)
	.mpo_reserved42 = (mpo_reserved_hook_t *)common_hook,
	CHECK_SET_HOOK(pipe_label_destroy)
	.mpo_reserved43 = (mpo_reserved_hook_t *)common_hook,
	CHECK_SET_HOOK(pipe_label_init)
	.mpo_reserved44 = (mpo_reserved_hook_t *)common_hook,
	CHECK_SET_HOOK(proc_check_syscall_mac)

	CHECK_SET_HOOK(policy_destroy)
	/*
	 * special hooks for policy init's: these two are the only slots not
	 * routed to common_hook(), so the lock-count check never runs for them
	 */
	.mpo_policy_init = hook_policy_init,
	.mpo_policy_initbsd = hook_policy_initbsd,
	CHECK_SET_HOOK(policy_syscall)

	CHECK_SET_HOOK(system_check_sysctlbyname)
	CHECK_SET_HOOK(proc_check_inherit_ipc_ports)
	CHECK_SET_HOOK(vnode_check_rename)
	CHECK_SET_HOOK(kext_check_query)
	CHECK_SET_HOOK(proc_notify_exec_complete)
	CHECK_SET_HOOK(proc_notify_cs_invalidated)
	CHECK_SET_HOOK(proc_check_syscall_unix)
	.mpo_reserved45 = (mpo_reserved_hook_t *)common_hook,
	CHECK_SET_HOOK(proc_check_set_host_special_port)
	CHECK_SET_HOOK(proc_check_set_host_exception_port)
	CHECK_SET_HOOK(exc_action_check_exception_send)
	CHECK_SET_HOOK(exc_action_label_associate)
	CHECK_SET_HOOK(exc_action_label_populate)
	CHECK_SET_HOOK(exc_action_label_destroy)
	CHECK_SET_HOOK(exc_action_label_init)
	CHECK_SET_HOOK(exc_action_label_update)

	CHECK_SET_HOOK(vnode_check_trigger_resolve)
	CHECK_SET_HOOK(mount_check_mount_late)
	CHECK_SET_HOOK(mount_check_snapshot_mount)
	CHECK_SET_HOOK(vnode_notify_reclaim)
	CHECK_SET_HOOK(skywalk_flow_check_connect)
	CHECK_SET_HOOK(skywalk_flow_check_listen)

	CHECK_SET_HOOK(posixsem_check_create)
	CHECK_SET_HOOK(posixsem_check_open)
	CHECK_SET_HOOK(posixsem_check_post)
	CHECK_SET_HOOK(posixsem_check_unlink)
	CHECK_SET_HOOK(posixsem_check_wait)
	CHECK_SET_HOOK(posixsem_label_associate)
	CHECK_SET_HOOK(posixsem_label_destroy)
	CHECK_SET_HOOK(posixsem_label_init)
	CHECK_SET_HOOK(posixshm_check_create)
	CHECK_SET_HOOK(posixshm_check_mmap)
	CHECK_SET_HOOK(posixshm_check_open)
	CHECK_SET_HOOK(posixshm_check_stat)
	CHECK_SET_HOOK(posixshm_check_truncate)
	CHECK_SET_HOOK(posixshm_check_unlink)
	CHECK_SET_HOOK(posixshm_label_associate)
	CHECK_SET_HOOK(posixshm_label_destroy)
	CHECK_SET_HOOK(posixshm_label_init)

	CHECK_SET_HOOK(proc_check_debug)
	CHECK_SET_HOOK(proc_check_fork)
	.mpo_reserved61 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved62 = (mpo_reserved_hook_t *)common_hook,
	CHECK_SET_HOOK(proc_check_getaudit)
	CHECK_SET_HOOK(proc_check_getauid)
	.mpo_reserved63 = (mpo_reserved_hook_t *)common_hook,
	CHECK_SET_HOOK(proc_check_mprotect)
	CHECK_SET_HOOK(proc_check_sched)
	CHECK_SET_HOOK(proc_check_setaudit)
	CHECK_SET_HOOK(proc_check_setauid)
	.mpo_reserved64 = (mpo_reserved_hook_t *)common_hook,
	CHECK_SET_HOOK(proc_check_signal)
	CHECK_SET_HOOK(proc_check_wait)
	CHECK_SET_HOOK(proc_check_dump_core)
	CHECK_SET_HOOK(proc_check_remote_thread_create)

	CHECK_SET_HOOK(socket_check_accept)
	CHECK_SET_HOOK(socket_check_accepted)
	CHECK_SET_HOOK(socket_check_bind)
	CHECK_SET_HOOK(socket_check_connect)
	CHECK_SET_HOOK(socket_check_create)
	.mpo_reserved46 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved47 = (mpo_reserved_hook_t *)common_hook,
	.mpo_reserved48 = (mpo_reserved_hook_t *)common_hook,
	CHECK_SET_HOOK(socket_check_listen)
	CHECK_SET_HOOK(socket_check_receive)
	CHECK_SET_HOOK(socket_check_received)
	.mpo_reserved49 = (mpo_reserved_hook_t *)common_hook,
	CHECK_SET_HOOK(socket_check_send)
	CHECK_SET_HOOK(socket_check_stat)
	CHECK_SET_HOOK(socket_check_setsockopt)
	CHECK_SET_HOOK(socket_check_getsockopt)

	CHECK_SET_HOOK(proc_check_get_movable_control_port)
	CHECK_SET_HOOK(proc_check_dyld_process_info_notify_register)
	CHECK_SET_HOOK(proc_check_setuid)
	CHECK_SET_HOOK(proc_check_seteuid)
	CHECK_SET_HOOK(proc_check_setreuid)
	CHECK_SET_HOOK(proc_check_setgid)
	CHECK_SET_HOOK(proc_check_setegid)
	CHECK_SET_HOOK(proc_check_setregid)
	CHECK_SET_HOOK(proc_check_settid)
	CHECK_SET_HOOK(proc_check_memorystatus_control)

	.mpo_reserved60 = (mpo_reserved_hook_t *)common_hook,

	CHECK_SET_HOOK(thread_telemetry)

	CHECK_SET_HOOK(iokit_check_open_service)

	CHECK_SET_HOOK(system_check_acct)
	CHECK_SET_HOOK(system_check_audit)
	CHECK_SET_HOOK(system_check_auditctl)
	CHECK_SET_HOOK(system_check_auditon)
	CHECK_SET_HOOK(system_check_host_priv)
	CHECK_SET_HOOK(system_check_nfsd)
	CHECK_SET_HOOK(system_check_reboot)
	CHECK_SET_HOOK(system_check_settime)
	CHECK_SET_HOOK(system_check_swapoff)
	CHECK_SET_HOOK(system_check_swapon)
	CHECK_SET_HOOK(socket_check_ioctl)

	CHECK_SET_HOOK(sysvmsg_label_associate)
	CHECK_SET_HOOK(sysvmsg_label_destroy)
	CHECK_SET_HOOK(sysvmsg_label_init)
	CHECK_SET_HOOK(sysvmsg_label_recycle)
	CHECK_SET_HOOK(sysvmsq_check_enqueue)
	CHECK_SET_HOOK(sysvmsq_check_msgrcv)
	CHECK_SET_HOOK(sysvmsq_check_msgrmid)
	CHECK_SET_HOOK(sysvmsq_check_msqctl)
	CHECK_SET_HOOK(sysvmsq_check_msqget)
	CHECK_SET_HOOK(sysvmsq_check_msqrcv)
	CHECK_SET_HOOK(sysvmsq_check_msqsnd)
	CHECK_SET_HOOK(sysvmsq_label_associate)
	CHECK_SET_HOOK(sysvmsq_label_destroy)
	CHECK_SET_HOOK(sysvmsq_label_init)
	CHECK_SET_HOOK(sysvmsq_label_recycle)
	CHECK_SET_HOOK(sysvsem_check_semctl)
	CHECK_SET_HOOK(sysvsem_check_semget)
	CHECK_SET_HOOK(sysvsem_check_semop)
	CHECK_SET_HOOK(sysvsem_label_associate)
	CHECK_SET_HOOK(sysvsem_label_destroy)
	CHECK_SET_HOOK(sysvsem_label_init)
	CHECK_SET_HOOK(sysvsem_label_recycle)
	CHECK_SET_HOOK(sysvshm_check_shmat)
	CHECK_SET_HOOK(sysvshm_check_shmctl)
	CHECK_SET_HOOK(sysvshm_check_shmdt)
	CHECK_SET_HOOK(sysvshm_check_shmget)
	CHECK_SET_HOOK(sysvshm_label_associate)
	CHECK_SET_HOOK(sysvshm_label_destroy)
	CHECK_SET_HOOK(sysvshm_label_init)
	CHECK_SET_HOOK(sysvshm_label_recycle)

	CHECK_SET_HOOK(proc_notify_exit)
	CHECK_SET_HOOK(mount_check_snapshot_revert)
	CHECK_SET_HOOK(vnode_check_getattr)
	CHECK_SET_HOOK(mount_check_snapshot_create)
	CHECK_SET_HOOK(mount_check_snapshot_delete)
	CHECK_SET_HOOK(vnode_check_clone)
	CHECK_SET_HOOK(proc_check_get_cs_info)
	CHECK_SET_HOOK(proc_check_set_cs_info)

	CHECK_SET_HOOK(iokit_check_hid_control)

	CHECK_SET_HOOK(vnode_check_access)
	CHECK_SET_HOOK(vnode_check_chdir)
	CHECK_SET_HOOK(vnode_check_chroot)
	CHECK_SET_HOOK(vnode_check_create)
	CHECK_SET_HOOK(vnode_check_deleteextattr)
	CHECK_SET_HOOK(vnode_check_exchangedata)
	CHECK_SET_HOOK(vnode_check_exec)
	CHECK_SET_HOOK(vnode_check_getattrlist)
	CHECK_SET_HOOK(vnode_check_getextattr)
	CHECK_SET_HOOK(vnode_check_ioctl)
	CHECK_SET_HOOK(vnode_check_kqfilter)
	CHECK_SET_HOOK(vnode_check_label_update)
	CHECK_SET_HOOK(vnode_check_link)
	CHECK_SET_HOOK(vnode_check_listextattr)
	CHECK_SET_HOOK(vnode_check_lookup)
	CHECK_SET_HOOK(vnode_check_open)
	CHECK_SET_HOOK(vnode_check_read)
	CHECK_SET_HOOK(vnode_check_readdir)
	CHECK_SET_HOOK(vnode_check_readlink)
	CHECK_SET_HOOK(vnode_check_rename_from)
	CHECK_SET_HOOK(vnode_check_rename_to)
	CHECK_SET_HOOK(vnode_check_revoke)
	CHECK_SET_HOOK(vnode_check_select)
	CHECK_SET_HOOK(vnode_check_setattrlist)
	CHECK_SET_HOOK(vnode_check_setextattr)
	CHECK_SET_HOOK(vnode_check_setflags)
	CHECK_SET_HOOK(vnode_check_setmode)
	CHECK_SET_HOOK(vnode_check_setowner)
	CHECK_SET_HOOK(vnode_check_setutimes)
	CHECK_SET_HOOK(vnode_check_stat)
	CHECK_SET_HOOK(vnode_check_truncate)
	CHECK_SET_HOOK(vnode_check_unlink)
	CHECK_SET_HOOK(vnode_check_write)
	CHECK_SET_HOOK(vnode_label_associate_devfs)
	CHECK_SET_HOOK(vnode_label_associate_extattr)
	CHECK_SET_HOOK(vnode_label_associate_file)
	CHECK_SET_HOOK(vnode_label_associate_pipe)
	CHECK_SET_HOOK(vnode_label_associate_posixsem)
	CHECK_SET_HOOK(vnode_label_associate_posixshm)
	CHECK_SET_HOOK(vnode_label_associate_singlelabel)
	CHECK_SET_HOOK(vnode_label_associate_socket)
	CHECK_SET_HOOK(vnode_label_copy)
	CHECK_SET_HOOK(vnode_label_destroy)
	CHECK_SET_HOOK(vnode_label_externalize_audit)
	CHECK_SET_HOOK(vnode_label_externalize)
	CHECK_SET_HOOK(vnode_label_init)
	CHECK_SET_HOOK(vnode_label_internalize)
	CHECK_SET_HOOK(vnode_label_recycle)
	CHECK_SET_HOOK(vnode_label_store)
	CHECK_SET_HOOK(vnode_label_update_extattr)
	CHECK_SET_HOOK(vnode_label_update)
	CHECK_SET_HOOK(vnode_notify_create)
	CHECK_SET_HOOK(vnode_check_signature)
	CHECK_SET_HOOK(vnode_check_uipc_bind)
	CHECK_SET_HOOK(vnode_check_uipc_connect)

	CHECK_SET_HOOK(proc_check_run_cs_invalid)
	CHECK_SET_HOOK(proc_check_suspend_resume)

	CHECK_SET_HOOK(thread_userret)

	CHECK_SET_HOOK(iokit_check_set_properties)

	CHECK_SET_HOOK(vnode_check_supplemental_signature)

	CHECK_SET_HOOK(vnode_check_searchfs)

	CHECK_SET_HOOK(priv_check)
	CHECK_SET_HOOK(priv_grant)

	CHECK_SET_HOOK(proc_check_map_anon)

	CHECK_SET_HOOK(vnode_check_fsgetpath)

	CHECK_SET_HOOK(iokit_check_open)

	CHECK_SET_HOOK(proc_check_ledger)

	CHECK_SET_HOOK(vnode_notify_rename)

	CHECK_SET_HOOK(vnode_check_setacl)

	CHECK_SET_HOOK(vnode_notify_deleteextattr)

	CHECK_SET_HOOK(system_check_kas_info)

	CHECK_SET_HOOK(vnode_check_lookup_preflight)

	CHECK_SET_HOOK(vnode_notify_open)

	CHECK_SET_HOOK(system_check_info)

	CHECK_SET_HOOK(pty_notify_grant)
	CHECK_SET_HOOK(pty_notify_close)

	CHECK_SET_HOOK(vnode_find_sigs)

	CHECK_SET_HOOK(kext_check_load)
	CHECK_SET_HOOK(kext_check_unload)

	CHECK_SET_HOOK(proc_check_proc_info)

	CHECK_SET_HOOK(vnode_notify_link)

	CHECK_SET_HOOK(iokit_check_filter_properties)
	CHECK_SET_HOOK(iokit_check_get_property)
};
523 
/*
 * Policy definition
 *
 * Registered from check_policy_init(); this policy carries no label slot and
 * no label names, so all of its hooks are purely about the lock-count check
 * in common_hook().
 */
static SECURITY_READ_ONLY_LATE(struct mac_policy_conf) policy_conf = {
	.mpc_name               = "CHECK",
	.mpc_fullname           = "Check Assumptions Policy",
	.mpc_field_off          = NULL,         /* no label slot */
	.mpc_labelnames         = NULL,         /* no policy label names */
	.mpc_labelname_count    = 0,            /* count of label names is 0 */
	.mpc_ops                = &policy_ops,  /* policy operations */
	.mpc_loadtime_flags     = 0,            /* no load-time flags requested */
	.mpc_runtime_flags      = 0,            /* no run-time flags requested */
};

/* handle filled in by mac_policy_register(); never read back in this file */
static SECURITY_READ_ONLY_LATE(mac_policy_handle_t) policy_handle;
539 
/*
 * Init routine; for a loadable policy, this would be called during the KEXT
 * initialization; we're going to call this from bsd_init() if the boot
 * argument for checking is present.
 *
 * flags is the CHECK_POLICY_* mask to enforce.  A zero mask means checking
 * was not requested: nothing is registered and 0 is returned.  Otherwise the
 * mask is stored in policy_flags before registration (so it is visible to any
 * hook that fires during it) and the result of mac_policy_register() is
 * returned.
 */
errno_t
check_policy_init(int flags)
{
	errno_t err = 0;

	/* Only instantiate the module if we have been asked to do checking */
	if (flags != 0) {
		policy_flags = flags;
		err = mac_policy_register(&policy_conf, &policy_handle, NULL);
	}

	return err;
}