1 /* 2 * Copyright (c) 2007-2016 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28 /*- 29 * Copyright (c) 1999-2002 Robert N. M. Watson 30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 31 * Copyright (c) 2005-2007 SPARTA, Inc. 32 * All rights reserved. 33 * 34 * This software was developed by Robert Watson for the TrustedBSD Project. 35 * 36 * This software was developed for the FreeBSD Project in part by Network 37 * Associates Laboratories, the Security Research Division of Network 38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 39 * as part of the DARPA CHATS research program. 
40 * 41 * This software was enhanced by SPARTA ISSO under SPAWAR contract 42 * N66001-04-C-6019 ("SEFOS"). 43 * 44 * Redistribution and use in source and binary forms, with or without 45 * modification, are permitted provided that the following conditions 46 * are met: 47 * 1. Redistributions of source code must retain the above copyright 48 * notice, this list of conditions and the following disclaimer. 49 * 2. Redistributions in binary form must reproduce the above copyright 50 * notice, this list of conditions and the following disclaimer in the 51 * documentation and/or other materials provided with the distribution. 52 * 53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 63 * SUCH DAMAGE. 64 * 65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $ 66 */ 67 68 /** 69 * @file mac_policy.h 70 * @brief Kernel Interfaces for MAC policy modules 71 * 72 * This header defines the list of operations that are defined by the 73 * TrustedBSD MAC Framwork on Darwin. MAC Policy modules register 74 * with the framework to declare interest in a specific set of 75 * operations. If interest in an entry point is not declared, then 76 * the policy will be ignored when the Framework evaluates that entry 77 * point. 
78 */ 79 80 #ifndef _SECURITY_MAC_POLICY_H_ 81 #define _SECURITY_MAC_POLICY_H_ 82 83 #ifndef PRIVATE 84 #warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version" 85 #endif 86 87 #include <security/_label.h> 88 #include <kern/cs_blobs.h> 89 90 struct attrlist; 91 struct auditinfo; 92 struct bpf_d; 93 struct cs_blob; 94 struct devnode; 95 struct exception_action; 96 struct fileglob; 97 struct ifnet; 98 struct inpcb; 99 struct ipq; 100 struct label; 101 struct mac_policy_conf; 102 struct mbuf; 103 struct mount; 104 struct msg; 105 struct msqid_kernel; 106 struct pipe; 107 struct pseminfo; 108 struct pshminfo; 109 struct sbuf; 110 struct semid_kernel; 111 struct shmid_kernel; 112 struct socket; 113 struct sockopt; 114 struct task; 115 struct thread; 116 struct tty; 117 struct ucred; 118 struct vfs_attr; 119 struct vnode; 120 struct sockaddr; 121 /** @struct dummy */ 122 123 124 /* 125 * proc_ident_t support, see: rdar://problem/58928152 126 * Should be removed once all dependent parties adopt 127 * proc_ident_t. 128 */ 129 #define MAC_PROC_IDENT_SUPPORT 1 130 131 /* 132 * rdar://146696727 133 * 134 * Support for opaque lookup policy on proc_ident 135 * when using proc_find_ident 136 */ 137 #define MAC_PROC_IDENT_POLICY_SUPPORT 1 138 139 #ifndef _KAUTH_CRED_T 140 #define _KAUTH_CRED_T 141 typedef struct ucred *kauth_cred_t; 142 #endif /* !_KAUTH_CRED_T */ 143 144 #ifndef __IOKIT_PORTS_DEFINED__ 145 #define __IOKIT_PORTS_DEFINED__ 146 #ifdef __cplusplus 147 class OSObject; 148 typedef OSObject *io_object_t; 149 #else 150 struct OSObject; 151 typedef struct OSObject *io_object_t; 152 #endif 153 #endif /* __IOKIT_PORTS_DEFINED__ */ 154 155 /*- 156 * MAC entry points are generally named using the following template: 157 * 158 * mpo_<object>_<operation>() 159 * 160 * or: 161 * 162 * mpo_<object>_check_<operation>() 163 * 164 * Entry points are sorted by object type. 
165 * 166 * It may be desirable also to consider some subsystems as "objects", such 167 * as system, iokit, etc. 168 */ 169 170 /** 171 * @name Entry Points for Label Management 172 * 173 * These are the entry points corresponding to the life cycle events for 174 * kernel objects, such as initialization, creation, and destruction. 175 * 176 * Most policies (that use labels) will initialize labels by allocating 177 * space for policy-specific data. In most cases, it is permitted to 178 * sleep during label initialization operations; it will be noted when 179 * it is not permitted. 180 * 181 * Initialization usually will not require doing more than allocating a 182 * generic label for the given object. What follows initialization is 183 * creation, where a label is made specific to the object it is associated 184 * with. Destruction occurs when the label is no longer needed, such as 185 * when the corresponding object is destroyed. All necessary cleanup should 186 * be performed in label destroy operations. 187 * 188 * Where possible, the label entry points have identical parameters. If 189 * the policy module does not require structure-specific label 190 * information, the same function may be registered in the policy 191 * operation vector. Many policies will implement two such generic 192 * allocation calls: one to handle sleepable requests, and one to handle 193 * potentially non-sleepable requests. 194 */ 195 196 197 /** 198 * @brief Audit event postselection 199 * @param cred Subject credential 200 * @param syscode Syscall number 201 * @param args Syscall arguments 202 * @param error Syscall errno 203 * @param retval Syscall return value 204 * 205 * This is the MAC Framework audit postselect, which is called before 206 * exiting a syscall to determine if an audit event should be committed. 207 * A return value of MAC_AUDIT_NO forces the audit record to be suppressed. 208 * Any other return value results in the audit record being committed. 
209 * 210 * @warning The suppression behavior will probably go away in Apple's 211 * future version of the audit implementation. 212 * 213 * @return Return MAC_AUDIT_NO to force suppression of the audit record. 214 * Any other value results in the audit record being committed. 215 * 216 */ 217 typedef int mpo_audit_check_postselect_t( 218 kauth_cred_t cred, 219 unsigned short syscode, 220 void *args, 221 int error, 222 int retval 223 ); 224 /** 225 * @brief Audit event preselection 226 * @param cred Subject credential 227 * @param syscode Syscall number 228 * @param args Syscall arguments 229 * 230 * This is the MAC Framework audit preselect, which is called before a 231 * syscall is entered to determine if an audit event should be created. 232 * If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be 233 * returned. A return value of MAC_AUDIT_NO causes the audit record to 234 * be suppressed. Returning MAC_AUDIT_DEFAULT indicates that the policy wants 235 * to defer to the system's existing preselection mechanism. 236 * 237 * When policies return different preferences, the Framework decides what action 238 * to take based on the following policy. If any policy returns MAC_AUDIT_YES, 239 * then create an audit record, else if any policy returns MAC_AUDIT_NO, then 240 * suppress the creation of an audit record, else defer to the system's 241 * existing preselection mechanism. Note that a single MAC_AUDIT_NO therefore suppresses the record on behalf of every policy that deferred, so a policy should return MAC_AUDIT_NO only when it is certain the event must not be recorded, and MAC_AUDIT_DEFAULT when in doubt. 242 * 243 * @warning The audit implementation in Apple's current version is 244 * incomplete, so the MAC policies have priority over the system's existing 245 * mechanisms. This will probably change in the future version where 246 * the audit implementation is more complete. 247 * 248 * @return Return MAC_AUDIT_YES to force auditing of the syscall, 249 * MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT 250 * to allow auditing mechanisms to determine if the syscall is audited.
251 * 252 */ 253 typedef int mpo_audit_check_preselect_t( 254 kauth_cred_t cred, 255 unsigned short syscode, 256 void *args 257 ); 258 /** 259 * @brief Indicate desire to change the process label at exec time 260 * @param old Existing subject credential 261 * @param vp File being executed 262 * @param offset Offset of binary within file being executed 263 * @param scriptvp Script being executed by interpreter, if any. 264 * @param vnodelabel Label corresponding to vp 265 * @param scriptvnodelabel Script vnode label 266 * @param execlabel Userspace provided execution label 267 * @param p Object process 268 * @param macpolicyattr MAC policy-specific spawn attribute data 269 * @param macpolicyattrlen Length of policy-specific spawn attribute data 270 * @see mac_execve 271 * @see mpo_cred_label_update_execve_t 272 * @see mpo_vnode_check_exec_t 273 * 274 * Indicate whether this policy intends to update the label of a newly 275 * created credential from the existing subject credential (old). This 276 * call occurs when a process executes the passed vnode. If a policy 277 * returns success from this entry point, the mpo_cred_label_update_execve 278 * entry point will later be called with the same parameters. Access 279 * has already been checked via the mpo_vnode_check_exec entry point, 280 * this entry point is necessary to preserve kernel locking constraints 281 * during program execution. 282 * 283 * The supplied vnode and vnodelabel correspond with the file actually 284 * being executed; in the case that the file is interpreted (for 285 * example, a script), the label of the original exec-time vnode has 286 * been preserved in scriptvnodelabel. 287 * 288 * The final label, execlabel, corresponds to a label supplied by a 289 * user space application through the use of the mac_execve system call. 290 * 291 * The vnode lock is held during this operation. No changes should be 292 * made to the old credential structure. 
293 * 294 * @warning Even if a policy returns 0, it should behave correctly in 295 * the presence of an invocation of mpo_cred_label_update_execve, as that 296 * call may happen as a result of another policy requesting a transition. 297 * 298 * @return Non-zero if a transition is required, 0 otherwise. 299 */ 300 typedef int mpo_cred_check_label_update_execve_t( 301 kauth_cred_t old, 302 struct vnode *vp, 303 off_t offset, 304 struct vnode *scriptvp, 305 struct label *vnodelabel, 306 struct label *scriptvnodelabel, 307 struct label *execlabel, 308 struct proc *p, 309 void *macpolicyattr, 310 size_t macpolicyattrlen 311 ); 312 /** 313 * @brief Access control check for relabelling processes 314 * @param cred Subject credential 315 * @param newlabel New label to apply to the user credential 316 * @see mpo_cred_label_update_t 317 * @see mac_set_proc 318 * 319 * Determine whether the subject identified by the credential can relabel 320 * itself to the supplied new label (newlabel). This access control check 321 * is called when the mac_set_proc system call is invoked. A user space 322 * application will supply a new value, the value will be internalized 323 * and provided in newlabel. 324 * 325 * @return Return 0 if access is granted, otherwise an appropriate value for 326 * errno should be returned. 327 */ 328 typedef int mpo_cred_check_label_update_t( 329 kauth_cred_t cred, 330 struct label *newlabel 331 ); 332 /** 333 * @brief Access control check for visibility of other subjects 334 * @param u1 Subject credential 335 * @param u2 Object credential 336 * 337 * Determine whether the subject identified by the credential u1 can 338 * "see" other subjects with the passed subject credential u2. This call 339 * may be made in a number of situations, including inter-process status 340 * sysctls used by ps, and in procfs lookups. 341 * 342 * @return Return 0 if access is granted, otherwise an appropriate value for 343 * errno should be returned. 
Suggested failure: EACCES for label mismatch, 344 * EPERM for lack of privilege, or ESRCH to hide the existence of the other subject entirely. 345 */ 346 typedef int mpo_cred_check_visible_t( 347 kauth_cred_t u1, 348 kauth_cred_t u2 349 ); 350 /** 351 * @brief Associate a credential with a new process at fork 352 * @param cred credential to be inherited by the new process 353 * @param proc the new process 354 * 355 * Allow a process to associate the credential with a new 356 * process for reference counting purposes. 357 * NOTE: the credential can be disassociated from the process in ways other 358 * than exit, so a policy must not rely on this callback alone for reference counting; 359 * track the credential's lifetime through the label destroy callback instead. 360 */ 361 typedef void mpo_cred_label_associate_fork_t( 362 kauth_cred_t cred, 363 proc_t proc 364 ); 365 /** 366 * @brief Label the credential of the kernel process (process 0) 367 * @param cred Subject credential to be labeled 368 * 369 * Create the subject credential of process 0, the parent of all BSD 370 * kernel processes. Policies should update the label in the 371 * previously initialized credential structure. 372 */ 373 typedef void mpo_cred_label_associate_kernel_t( 374 kauth_cred_t cred 375 ); 376 /** 377 * @brief Create a credential label 378 * @param parent_cred Parent credential 379 * @param child_cred Child credential 380 * 381 * Set the label of a newly created credential, most likely using the 382 * information in the supplied parent credential. 383 * 384 * @warning This call is made when crcopy or crdup is invoked on a 385 * newly created struct ucred, and should not be confused with a 386 * process fork or creation event. 387 */ 388 typedef void mpo_cred_label_associate_t( 389 kauth_cred_t parent_cred, 390 kauth_cred_t child_cred 391 ); 392 /** 393 * @brief Label the credential of the first user process (process 1) 394 * @param cred Subject credential to be labeled 395 * 396 * Create the subject credential of process 1, the parent of all BSD 397 * user processes. Policies should update the label in the previously 398 * initialized credential structure. This is the 'init' process.
399 */ 400 typedef void mpo_cred_label_associate_user_t( 401 kauth_cred_t cred 402 ); 403 /** 404 * @brief Destroy credential label 405 * @param label The label to be destroyed 406 * 407 * Destroy a user credential label. Since the user credential 408 * is going out of scope, policy modules should free any internal 409 * storage associated with the label so that it may be destroyed. 410 */ 411 typedef void mpo_cred_label_destroy_t( 412 struct label *label 413 ); 414 /** 415 * @brief Externalize a user credential label for auditing 416 * @param label Label to be externalized 417 * @param element_name Name of the label namespace for which labels should be 418 * externalized 419 * @param sb String buffer to be filled with a text representation of the label 420 * 421 * Produce an external representation of the label on a user credential for 422 * inclusion in an audit record. An externalized label consists of a text 423 * representation of the label contents that will be added to the audit record 424 * as part of a text token. Policy-agnostic user space tools will display 425 * this externalized version. 426 * 427 * @return 0 on success, return non-zero if an error occurs while 428 * externalizing the label data. 429 * 430 */ 431 typedef int mpo_cred_label_externalize_audit_t( 432 struct label *label, 433 char *element_name, 434 struct sbuf *sb 435 ); 436 /** 437 * @brief Externalize a user credential label 438 * @param label Label to be externalized 439 * @param element_name Name of the label namespace for which labels should be 440 * externalized 441 * @param sb String buffer to be filled with a text representation of the label 442 * 443 * Produce an external representation of the label on a user 444 * credential. An externalized label consists of a text representation 445 * of the label contents that can be used with user applications. 446 * Policy-agnostic user space tools will display this externalized 447 * version. 
448 * 449 * @return 0 on success, return non-zero if an error occurs while 450 * externalizing the label data. 451 * 452 */ 453 typedef int mpo_cred_label_externalize_t( 454 struct label *label, 455 char *element_name, 456 struct sbuf *sb 457 ); 458 /** 459 * @brief Initialize user credential label 460 * @param label New label to initialize 461 * 462 * Initialize the label for a newly instantiated user credential. 463 * Sleeping is permitted. 464 */ 465 typedef void mpo_cred_label_init_t( 466 struct label *label 467 ); 468 /** 469 * @brief Internalize a user credential label 470 * @param label Label to be internalized 471 * @param element_name Name of the label namespace for which the label should 472 * be internalized 473 * @param element_data Text data to be internalized (originates in user space; treat as untrusted) 474 * 475 * Produce a user credential label from an external representation. An 476 * externalized label consists of a text representation of the label 477 * contents that can be used with user applications. Policy-agnostic 478 * user space tools will forward the text version to the kernel for 479 * processing by individual policy modules. Because element_data comes from user space, the policy must parse it defensively: validate its syntax and length, and reject anything it does not recognise with a non-zero return rather than installing a partially initialized label. 480 * 481 * The policy's internalize entry points will be called only if the 482 * policy has registered interest in the label namespace. 483 * 484 * @return 0 on success; otherwise, return non-zero if an error occurs 485 * while internalizing the label data. 486 * 487 */ 488 typedef int mpo_cred_label_internalize_t( 489 struct label *label, 490 char *element_name, 491 char *element_data 492 ); 493 /** 494 * @brief Update credential at exec time 495 * @param old_cred Existing subject credential 496 * @param new_cred New subject credential to be labeled 497 * @param p Object process. 498 * @param vp File being executed 499 * @param offset Offset of binary within file being executed 500 * @param scriptvp Script being executed by interpreter, if any.
501 * @param vnodelabel Label corresponding to vp 502 * @param scriptvnodelabel Script vnode label 503 * @param execlabel Userspace provided execution label (untrusted input) 504 * @param csflags Code signing flags to be set after exec 505 * @param macpolicyattr MAC policy-specific spawn attribute data (originates from the spawning process; bound every access by macpolicyattrlen). 506 * @param macpolicyattrlen Length of policy-specific spawn attribute data. @param disjointp If non-NULL, receives 1 if the old and new credentials are disjoint, 0 otherwise. 507 * @see mac_execve 508 * @see mpo_cred_check_label_update_execve_t 509 * @see mpo_vnode_check_exec_t 510 * 511 * Update the label of a newly created credential (new_cred) from the 512 * existing subject credential (old_cred). This call occurs when a process 513 * executes the passed vnode and at least one of the loaded policy modules has 514 * returned non-zero (a transition request) from the mpo_cred_check_label_update_execve entry point; a policy may therefore be called here even though it did not request the transition itself. 515 * Access has already been checked via the mpo_vnode_check_exec entry 516 * point, this entry point is only used to update any policy state. 517 * 518 * The supplied vnode and vnodelabel correspond with the file actually 519 * being executed; in the case that the file is interpreted (for 520 * example, a script), the label of the original exec-time vnode has 521 * been preserved in scriptvnodelabel. 522 * 523 * The final label, execlabel, corresponds to a label supplied by a 524 * user space application through the use of the mac_execve system call. 525 * 526 * If non-NULL, the value pointed to by disjointp will be set to 0 to 527 * indicate that the old and new credentials are not disjoint, or 1 to 528 * indicate that they are. 529 * 530 * The vnode lock is held during this operation. No changes should be 531 * made to the old credential structure. 532 * @return 0 on success. Otherwise return non-zero, which results in 533 * termination of the child.
534 */ 535 typedef int mpo_cred_label_update_execve_t( 536 kauth_cred_t old_cred, 537 kauth_cred_t new_cred, 538 struct proc *p, 539 struct vnode *vp, 540 off_t offset, 541 struct vnode *scriptvp, 542 struct label *vnodelabel, 543 struct label *scriptvnodelabel, 544 struct label *execlabel, 545 u_int *csflags, 546 void *macpolicyattr, 547 size_t macpolicyattrlen, 548 int *disjointp 549 ); 550 /** 551 * @brief Update a credential label 552 * @param cred The existing credential 553 * @param newlabel A new label to apply to the credential (internalized from a user-supplied value) 554 * @see mpo_cred_check_label_update_t 555 * @see mac_set_proc 556 * 557 * Update the label on a user credential, using the supplied new label. 558 * This is called as a result of a process relabel operation. Access 559 * control was already confirmed by mpo_cred_check_label_update. 560 */ 561 typedef void mpo_cred_label_update_t( 562 kauth_cred_t cred, 563 struct label *newlabel 564 ); 565 /** 566 * @brief Access control for launching a process with constraints 567 * @param curr_p The new process 568 * @param original_parent_id The pid of the original parent that spawned this process 569 * @param responsible_pid The pid of the responsible process that spawned this process 570 * @param macpolicyattr MAC policy-specific spawn attribute data (originates from the spawning process; bound every access by macpolicyattrlen) 571 * @param macpolicyattrlen Length of policy-specific spawn attribute data @param lcd Launch constraint data (launch_constraint_data_t) the process is evaluated against 572 * @param fatal_failure_desc Out-parameter: description of a fatal failure 573 * @param fatal_failure_desc_len Out-parameter: failure description length; the failure is fatal if non-0 574 * 575 * Determine whether the process being spawned adheres to the launch 576 * constraints (e.g. whether the process is spawned by launchd) and should 577 * be allowed to execute. This call occurs during execve or posix_spawn. 578 * 579 * @return Return 0 if process can be created, otherwise an appropriate value for 580 * errno should be returned.
581 */ 582 typedef int mpo_proc_check_launch_constraints_t( 583 proc_t curr_p, 584 pid_t original_parent_id, 585 pid_t responsible_pid, 586 void *macpolicyattr, 587 size_t macpolicyattrlen, 588 launch_constraint_data_t lcd, 589 char **fatal_failure_desc, size_t *fatal_failure_desc_len 590 ); 591 /** 592 * @brief Create a new devfs device 593 * @param dev Major and minor numbers of special file 594 * @param de "inode" of new device file 595 * @param label Destination label 596 * @param fullpath Path relative to mount (e.g. /dev) of new device file 597 * 598 * This entry point labels a new devfs device. The label will likely be based 599 * on the path to the device, or the major and minor numbers. 600 * The policy should store an appropriate label into 'label'. 601 */ 602 typedef void mpo_devfs_label_associate_device_t( 603 dev_t dev, 604 struct devnode *de, 605 struct label *label, 606 const char *fullpath 607 ); 608 /** 609 * @brief Create a new devfs directory 610 * @param dirname Name of new directory 611 * @param dirnamelen Length of 'dirname' 612 * @param de "inode" of new directory 613 * @param label Destination label 614 * @param fullpath Path relative to mount (e.g. /dev) of new directory 615 * 616 * This entry point labels a new devfs directory. The label will likely be 617 * based on the path of the new directory. The policy should store an appropriate 618 * label into 'label'. The devfs root directory is labelled in this way. 619 */ 620 typedef void mpo_devfs_label_associate_directory_t( 621 const char *dirname, 622 int dirnamelen, 623 struct devnode *de, 624 struct label *label, 625 const char *fullpath 626 ); 627 /** 628 * @brief Copy a devfs label 629 * @param src Source devfs label 630 * @param dest Destination devfs label 631 * 632 * Copy the label information from src to dest. The devfs file system 633 * often duplicates (splits) existing device nodes rather than creating 634 * new ones. 
635 */ 636 typedef void mpo_devfs_label_copy_t( 637 struct label *src, 638 struct label *dest 639 ); 640 /** 641 * @brief Destroy devfs label 642 * @param label The label to be destroyed 643 * 644 * Destroy a devfs entry label. Since the object is going out 645 * of scope, policy modules should free any internal storage associated 646 * with the label so that it may be destroyed. 647 */ 648 typedef void mpo_devfs_label_destroy_t( 649 struct label *label 650 ); 651 /** 652 * @brief Initialize devfs label 653 * @param label New label to initialize 654 * 655 * Initialize the label for a newly instantiated devfs entry. Sleeping 656 * is permitted. 657 */ 658 typedef void mpo_devfs_label_init_t( 659 struct label *label 660 ); 661 /** 662 * @brief Update a devfs label after relabelling its vnode 663 * @param mp Devfs mount point 664 * @param de Affected devfs directory entry 665 * @param delabel Label of devfs directory entry 666 * @param vp Vnode associated with de 667 * @param vnodelabel New label of vnode 668 * 669 * Update a devfs label when its vnode is manually relabelled, 670 * for example with setfmac(1). Typically, this will simply copy 671 * the vnode label into the devfs label. 672 */ 673 typedef void mpo_devfs_label_update_t( 674 struct mount *mp, 675 struct devnode *de, 676 struct label *delabel, 677 struct vnode *vp, 678 struct label *vnodelabel 679 ); 680 /** 681 * @brief Access control for sending an exception to an exception action 682 * @param crashlabel The crashing process's label 683 * @param action Exception action 684 * @param exclabel Policy label for exception action 685 * 686 * Determine whether the the exception message caused by the victim 687 * process can be sent to the exception action. 
The policy may compare 688 * credentials in the crashlabel, which are derived from the process at 689 * the time the exception occurs, with the credentials in the exclabel, 690 * which was set at the time the exception port was set, to determine 691 * its decision. Note that any process from which the policy derived 692 * any credentials may not exist anymore at the time of this policy 693 * operation. Sleeping is permitted. 694 * 695 * @return Return 0 if the message can be sent, otherwise an 696 * appropriate value for errno should be returned. 697 */ 698 typedef int mpo_exc_action_check_exception_send_t( 699 struct label *crashlabel, 700 struct exception_action *action, 701 struct label *exclabel 702 ); 703 /** 704 * @brief Associate an exception action label 705 * @param action Exception action to label 706 * @param exclabel Policy label to be filled in for exception action 707 * 708 * Set the label on an exception action. 709 */ 710 typedef void mpo_exc_action_label_associate_t( 711 struct exception_action *action, 712 struct label *exclabel 713 ); 714 /** 715 * @brief Destroy exception action label 716 * @param label The label to be destroyed 717 * 718 * Destroy the label on an exception action. Since the object is going 719 * out of scope, policy modules should free any internal storage 720 * associated with the label so that it may be destroyed. Sleeping is 721 * permitted. 722 */ 723 typedef void mpo_exc_action_label_destroy_t( 724 struct label *label 725 ); 726 /** 727 * @brief Populate an exception action label with process credentials 728 * @param label The label to be populated 729 * @param proc Process to derive credentials from 730 * 731 * Populate a label with credentials derived from a process. At 732 * exception delivery time, the policy should compare credentials of the 733 * process that set an exception ports with the credentials of the 734 * process or corpse that experienced the exception. 
Note that the 735 * process that set the port may not exist at that time anymore, so 736 * labels should carry copies of live credentials if necessary. 737 */ 738 typedef void mpo_exc_action_label_populate_t( 739 struct label *label, 740 struct proc *proc 741 ); 742 /** 743 * @brief Initialize exception action label 744 * @param label New label to initialize 745 * 746 * Initialize a label for an exception action. Usually performs 747 * policy specific allocations. Sleeping is permitted. 748 */ 749 typedef int mpo_exc_action_label_init_t( 750 struct label *label 751 ); 752 /** 753 * @brief Update the label on an exception action 754 * @param action Exception action that the label belongs to (may be 755 * NULL if none) 756 * @param label Policy label to update 757 * @param newlabel New label for update 758 * 759 * Update the credentials of an exception action from the given 760 * label. The policy should copy over any credentials (process and 761 * otherwise) from the new label into the label to update. Must not 762 * sleep, must be quick and can be called with locks held. 763 */ 764 typedef int mpo_exc_action_label_update_t( 765 struct exception_action *action, 766 struct label *label, 767 struct label *newlabel 768 ); 769 /** 770 * @brief Access control for changing the offset of a file descriptor 771 * @param cred Subject credential 772 * @param fg Fileglob structure 773 * @param label Policy label for fg 774 * 775 * Determine whether the subject identified by the credential can 776 * change the offset of the file represented by fg. 777 * 778 * @return Return 0 if access if granted, otherwise an appropriate 779 * value for errno should be returned. 
780 */ 781 typedef int mpo_file_check_change_offset_t( 782 kauth_cred_t cred, 783 struct fileglob *fg, 784 struct label *label 785 ); 786 /** 787 * @brief Access control for creating a file descriptor 788 * @param cred Subject credential 789 * 790 * Determine whether the subject identified by the credential can 791 * allocate a new file descriptor. 792 * 793 * @return Return 0 if access is granted, otherwise an appropriate 794 * value for errno should be returned. 795 */ 796 typedef int mpo_file_check_create_t( 797 kauth_cred_t cred 798 ); 799 /** 800 * @brief Access control for duplicating a file descriptor 801 * @param cred Subject credential 802 * @param fg Fileglob structure 803 * @param label Policy label for fg 804 * @param newfd New file descriptor number 805 * 806 * Determine whether the subject identified by the credential can 807 * duplicate the fileglob structure represented by fg as file 808 * descriptor number newfd. 809 * 810 * @return Return 0 if access is granted, otherwise an appropriate 811 * value for errno should be returned. 812 */ 813 typedef int mpo_file_check_dup_t( 814 kauth_cred_t cred, 815 struct fileglob *fg, 816 struct label *label, 817 int newfd 818 ); 819 /** 820 * @brief Access control check for fcntl 821 * @param cred Subject credential 822 * @param fg Fileglob structure 823 * @param label Policy label for fg 824 * @param cmd Control operation to be performed; see fcntl(2) 825 * @param arg fcntl argument as passed from user space; see fcntl(2). Its meaning depends on cmd, and for commands that take a pointer it is a user-space address that must not be dereferenced directly. 826 * 827 * Determine whether the subject identified by the credential can perform 828 * the file control operation indicated by cmd. 829 * 830 * @return Return 0 if access is granted, otherwise an appropriate value for 831 * errno should be returned.
832 */ 833 typedef int mpo_file_check_fcntl_t( 834 kauth_cred_t cred, 835 struct fileglob *fg, 836 struct label *label, 837 int cmd, 838 user_long_t arg 839 ); 840 /** 841 * @brief Access control check for mac_get_fd 842 * @param cred Subject credential 843 * @param fg Fileglob structure 844 * @param elements Element buffer 845 * @param len Length of buffer 846 * 847 * Determine whether the subject identified by the credential should be allowed 848 * to get an externalized version of the label on the object indicated by fd. 849 * 850 * @return Return 0 if access is granted, otherwise an appropriate value for 851 * errno should be returned. 852 */ 853 typedef int mpo_file_check_get_t( 854 kauth_cred_t cred, 855 struct fileglob *fg, 856 char *elements, 857 size_t len 858 ); 859 /** 860 * @brief Access control for getting the offset of a file descriptor 861 * @param cred Subject credential 862 * @param fg Fileglob structure 863 * @param label Policy label for fg 864 * 865 * Determine whether the subject identified by the credential can 866 * get the offset of the file represented by fg. 867 * 868 * @return Return 0 if access if granted, otherwise an appropriate 869 * value for errno should be returned. 870 */ 871 typedef int mpo_file_check_get_offset_t( 872 kauth_cred_t cred, 873 struct fileglob *fg, 874 struct label *label 875 ); 876 /** 877 * @brief Access control for inheriting a file descriptor 878 * @param cred Subject credential 879 * @param fg Fileglob structure 880 * @param label Policy label for fg 881 * 882 * Determine whether the subject identified by the credential can 883 * inherit the fileglob structure represented by fg. 884 * 885 * @return Return 0 if access if granted, otherwise an appropriate 886 * value for errno should be returned. 
887 */ 888 typedef int mpo_file_check_inherit_t( 889 kauth_cred_t cred, 890 struct fileglob *fg, 891 struct label *label 892 ); 893 /** 894 * @brief Access control check for file ioctl 895 * @param cred Subject credential 896 * @param fg Fileglob structure 897 * @param label Policy label for fg 898 * @param cmd The ioctl command; see ioctl(2) 899 * 900 * Determine whether the subject identified by the credential can perform 901 * the ioctl operation indicated by cmd. 902 * 903 * @warning Since ioctl data is opaque from the standpoint of the MAC 904 * framework, policies must exercise extreme care when implementing 905 * access control checks. 906 * 907 * @return Return 0 if access is granted, otherwise an appropriate value for 908 * errno should be returned. 909 * 910 */ 911 typedef int mpo_file_check_ioctl_t( 912 kauth_cred_t cred, 913 struct fileglob *fg, 914 struct label *label, 915 unsigned long cmd 916 ); 917 /** 918 * @brief Access control check for file locking 919 * @param cred Subject credential 920 * @param fg Fileglob structure 921 * @param label Policy label for fg 922 * @param op The lock operation (F_GETLK, F_SETLK, F_UNLK) 923 * @param fl The flock structure 924 * 925 * Determine whether the subject identified by the credential can perform 926 * the lock operation indicated by op and fl on the file represented by fg. 927 * 928 * @return Return 0 if access is granted, otherwise an appropriate value for 929 * errno should be returned. 930 * 931 */ 932 typedef int mpo_file_check_lock_t( 933 kauth_cred_t cred, 934 struct fileglob *fg, 935 struct label *label, 936 int op, 937 struct flock *fl 938 ); 939 /** 940 * @brief Check with library validation if a Mach-O slice is allowed to be combined into a proc. 
941 * @param p Subject process 942 * @param fg Fileglob structure 943 * @param slice_offset offset of the code slice 944 * @param error_message error message returned to user-space in case of error (userspace pointer) 945 * @param error_message_size error message size 946 * 947 * It's a little odd that the MAC/kext writes into userspace since this 948 * implies there is only one MAC module that implements this, however 949 * the alternative is to allocate memory in xnu, in the hope that 950 * the MAC module will use it, or allocate in the MAC module and then 951 * free it in xnu. Neither of these is very appealing, so let's go with 952 * the slightly more hacky way. 953 * 954 * @return Return 0 if access is granted, otherwise an appropriate value for 955 * errno should be returned. 956 */ 957 typedef int mpo_file_check_library_validation_t( 958 struct proc *p, 959 struct fileglob *fg, 960 off_t slice_offset, 961 user_long_t error_message, 962 size_t error_message_size 963 ); 964 /** 965 * @brief Access control check for mapping a file 966 * @param cred Subject credential 967 * @param fg fileglob representing file to map 968 * @param label Policy label associated with vp 969 * @param prot mmap protections; see mmap(2) 970 * @param flags Type of mapped object; see mmap(2) 971 * @param maxprot Maximum rights 972 * 973 * Determine whether the subject identified by the credential should be 974 * allowed to map the file represented by fg with the protections specified 975 * in prot. The maxprot field holds the maximum permissions on the new 976 * mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. 977 * To avoid overriding prior access control checks, a policy should only 978 * remove flags from maxprot. 979 * 980 * @return Return 0 if access is granted, otherwise an appropriate value for 981 * errno should be returned. Suggested failure: EACCES for label mismatch or 982 * EPERM for lack of privilege. 
983 */ 984 typedef int mpo_file_check_mmap_t( 985 kauth_cred_t cred, 986 struct fileglob *fg, 987 struct label *label, 988 int prot, 989 int flags, 990 uint64_t file_pos, 991 int *maxprot 992 ); 993 /** 994 * @brief Downgrade the mmap protections 995 * @param cred Subject credential 996 * @param fg file to map 997 * @param label Policy label associated with vp 998 * @param prot mmap protections to be downgraded 999 * 1000 * Downgrade the mmap protections based on the subject and object labels. 1001 */ 1002 typedef void mpo_file_check_mmap_downgrade_t( 1003 kauth_cred_t cred, 1004 struct fileglob *fg, 1005 struct label *label, 1006 int *prot 1007 ); 1008 /** 1009 * @brief Access control for receiving a file descriptor 1010 * @param cred Subject credential 1011 * @param fg Fileglob structure 1012 * @param label Policy label for fg 1013 * 1014 * Determine whether the subject identified by the credential can 1015 * receive the fileglob structure represented by fg. 1016 * 1017 * @return Return 0 if access if granted, otherwise an appropriate 1018 * value for errno should be returned. 1019 */ 1020 typedef int mpo_file_check_receive_t( 1021 kauth_cred_t cred, 1022 struct fileglob *fg, 1023 struct label *label 1024 ); 1025 /** 1026 * @brief Access control check for mac_set_fd 1027 * @param cred Subject credential 1028 * @param fg Fileglob structure 1029 * @param elements Elements buffer 1030 * @param len Length of elements buffer 1031 * 1032 * Determine whether the subject identified by the credential can 1033 * perform the mac_set_fd operation. The mac_set_fd operation is used 1034 * to associate a MAC label with a file. 1035 * 1036 * @return Return 0 if access is granted, otherwise an appropriate value for 1037 * errno should be returned. 
1038 */ 1039 typedef int mpo_file_check_set_t( 1040 kauth_cred_t cred, 1041 struct fileglob *fg, 1042 char *elements, 1043 size_t len 1044 ); 1045 /** 1046 * @brief Inform MAC policies that file is being closed 1047 * @param cred Subject credential 1048 * @param fg Fileglob structure 1049 * @param label Policy label for fg 1050 * @param modified Boolean; 1 if file was modified, 0 otherwise 1051 * 1052 * Called when an open file is being closed, as a result of a call to 1053 * close(2), the process exiting, or exec(2) w/O_CLOEXEC set. 1054 */ 1055 typedef void mpo_file_notify_close_t( 1056 kauth_cred_t cred, 1057 struct fileglob *fg, 1058 struct label *label, 1059 int modified 1060 ); 1061 /** 1062 * @brief Create file label 1063 * @param cred Subject credential 1064 * @param fg Fileglob structure 1065 * @param label Policy label for fg 1066 */ 1067 typedef void mpo_file_label_associate_t( 1068 kauth_cred_t cred, 1069 struct fileglob *fg, 1070 struct label *label 1071 ); 1072 /** 1073 * @brief Destroy file label 1074 * @param label The label to be destroyed 1075 * 1076 * Destroy the label on a file descriptor. In this entry point, a 1077 * policy module should free any internal storage associated with 1078 * label so that it may be destroyed. 1079 */ 1080 typedef void mpo_file_label_destroy_t( 1081 struct label *label 1082 ); 1083 /** 1084 * @brief Initialize file label 1085 * @param label New label to initialize 1086 */ 1087 typedef void mpo_file_label_init_t( 1088 struct label *label 1089 ); 1090 /** 1091 * @brief Access control check for opening an I/O Kit device 1092 * @param cred Subject credential 1093 * @param user_client User client instance 1094 * @param user_client_type User client type 1095 * 1096 * Determine whether the subject identified by the credential can open an 1097 * I/O Kit device at the passed path of the passed user client class and 1098 * type. This check is performed after instantiating the user client. 
1099 * See also mpo_iokit_check_open_service_t. 1100 * 1101 * @return Return 0 if access is granted, or an appropriate value for 1102 * errno should be returned. 1103 */ 1104 typedef int mpo_iokit_check_open_t( 1105 kauth_cred_t cred, 1106 io_object_t user_client, 1107 unsigned int user_client_type 1108 ); 1109 /** 1110 * @brief Access control check for opening an I/O Kit device 1111 * @param cred Subject credential 1112 * @param service Service instance 1113 * @param user_client_type User client type 1114 * 1115 * Determine whether the subject identified by the credential can open a 1116 * I/O Kit user client of the passed service and user client type. 1117 * This check is performed before instantiating the user client. See also 1118 * mpo_iokit_check_open_t. 1119 * 1120 * @return Return 0 if access is granted, or an appropriate value for 1121 * errno should be returned. 1122 */ 1123 typedef int mpo_iokit_check_open_service_t( 1124 kauth_cred_t cred, 1125 io_object_t service, 1126 unsigned int user_client_type 1127 ); 1128 /** 1129 * @brief Access control check for setting I/O Kit device properties 1130 * @param cred Subject credential 1131 * @param entry Target device 1132 * @param properties Property list 1133 * 1134 * Determine whether the subject identified by the credential can set 1135 * properties on an I/O Kit device. 1136 * 1137 * @return Return 0 if access is granted, or an appropriate value for 1138 * errno should be returned. 1139 */ 1140 typedef int mpo_iokit_check_set_properties_t( 1141 kauth_cred_t cred, 1142 io_object_t entry, 1143 io_object_t properties 1144 ); 1145 /** 1146 * @brief Indicate desire to filter I/O Kit devices properties 1147 * @param cred Subject credential 1148 * @param entry Target device 1149 * @see mpo_iokit_check_get_property_t 1150 * 1151 * Indicate whether this policy may restrict the subject credential 1152 * from reading properties of the target device. 
1153 * If a policy returns success from this entry point, the 1154 * mpo_iokit_check_get_property entry point will later be called 1155 * for each property that the subject credential tries to read from 1156 * the target device. 1157 * 1158 * This entry point is primarilly to optimize bulk property reads 1159 * by skipping calls to the mpo_iokit_check_get_property entry point 1160 * for credentials / devices no MAC policy is interested in. 1161 * 1162 * @warning Even if a policy returns 0, it should behave correctly in 1163 * the presence of an invocation of mpo_iokit_check_get_property, as that 1164 * call may happen as a result of another policy requesting a transition. 1165 * 1166 * @return Non-zero if a transition is required, 0 otherwise. 1167 */ 1168 typedef int mpo_iokit_check_filter_properties_t( 1169 kauth_cred_t cred, 1170 io_object_t entry 1171 ); 1172 /** 1173 * @brief Access control check for getting I/O Kit device properties 1174 * @param cred Subject credential 1175 * @param entry Target device 1176 * @param name Property name 1177 * 1178 * Determine whether the subject identified by the credential can get 1179 * properties on an I/O Kit device. 1180 * 1181 * @return Return 0 if access is granted, or an appropriate value for 1182 * errno. 1183 */ 1184 typedef int mpo_iokit_check_get_property_t( 1185 kauth_cred_t cred, 1186 io_object_t entry, 1187 const char *name 1188 ); 1189 /** 1190 * @brief Access control check for software HID control 1191 * @param cred Subject credential 1192 * 1193 * Determine whether the subject identified by the credential can 1194 * control the HID (Human Interface Device) subsystem, such as to 1195 * post synthetic keypresses, pointer movement and clicks. 1196 * 1197 * @return Return 0 if access is granted, or an appropriate value for 1198 * errno. 
1199 */ 1200 typedef int mpo_iokit_check_hid_control_t( 1201 kauth_cred_t cred 1202 ); 1203 /** 1204 * @brief Access control check for fsctl 1205 * @param cred Subject credential 1206 * @param mp The mount point 1207 * @param label Label associated with the mount point 1208 * @param cmd Filesystem-dependent request code; see fsctl(2) 1209 * 1210 * Determine whether the subject identified by the credential can perform 1211 * the volume operation indicated by com. 1212 * 1213 * @warning The fsctl() system call is directly analogous to ioctl(); since 1214 * the associated data is opaque from the standpoint of the MAC framework 1215 * and since these operations can affect many aspects of system operation, 1216 * policies must exercise extreme care when implementing access control checks. 1217 * 1218 * @return Return 0 if access is granted, otherwise an appropriate value for 1219 * errno should be returned. 1220 */ 1221 typedef int mpo_mount_check_fsctl_t( 1222 kauth_cred_t cred, 1223 struct mount *mp, 1224 struct label *label, 1225 unsigned long cmd 1226 ); 1227 /** 1228 * @brief Access control check for the retrieval of file system attributes 1229 * @param cred Subject credential 1230 * @param mp The mount structure of the file system 1231 * @param vfa The attributes requested 1232 * 1233 * This entry point determines whether given subject can get information 1234 * about the given file system. This check happens during statfs() syscalls, 1235 * but is also used by other parts within the kernel such as the audit system. 1236 * 1237 * @return Return 0 if access is granted, otherwise an appropriate value for 1238 * errno should be returned. 1239 * 1240 * @note Policies may change the contents of vfa to alter the list of 1241 * file system attributes returned. 
1242 */ 1243 1244 typedef int mpo_mount_check_getattr_t( 1245 kauth_cred_t cred, 1246 struct mount *mp, 1247 struct label *mp_label, 1248 struct vfs_attr *vfa 1249 ); 1250 /** 1251 * @brief Access control check for mount point relabeling 1252 * @param cred Subject credential 1253 * @param mp Object file system mount point 1254 * @param mntlabel Policy label for fle system mount point 1255 * 1256 * Determine whether the subject identified by the credential can relabel 1257 * the mount point. This call is made when a file system mount is updated. 1258 * 1259 * @return Return 0 if access is granted, otherwise an appropriate value for 1260 * errno should be returned. Suggested failure: EACCES for label mismatch 1261 * or EPERM for lack of privilege. 1262 */ 1263 typedef int mpo_mount_check_label_update_t( 1264 kauth_cred_t cred, 1265 struct mount *mp, 1266 struct label *mntlabel 1267 ); 1268 /** 1269 * @brief Access control check for mounting a file system 1270 * @param cred Subject credential 1271 * @param vp Vnode that is to be the mount point 1272 * @param vlabel Label associated with the vnode 1273 * @param cnp Component name for vp 1274 * @param vfc_name Filesystem type name 1275 * 1276 * Determine whether the subject identified by the credential can perform 1277 * the mount operation on the target vnode. 1278 * 1279 * @return Return 0 if access is granted, otherwise an appropriate value for 1280 * errno should be returned. 1281 */ 1282 typedef int mpo_mount_check_mount_t( 1283 kauth_cred_t cred, 1284 struct vnode *vp, 1285 struct label *vlabel, 1286 struct componentname *cnp, 1287 const char *vfc_name 1288 ); 1289 /** 1290 * @brief Access control check for mounting a file system (late) 1291 * @param cred Subject credential 1292 * @param mp Mount point 1293 * 1294 * Similar to mpo_mount_check_mount, but occurs after VFS_MOUNT has been 1295 * called, making it possible to access mnt_vfsstat.f_mntfromname and other 1296 * fields. 
1297 * 1298 * @return Return 0 if access is granted, otherwise an appropriate value for 1299 * errno should be returned. 1300 */ 1301 typedef int mpo_mount_check_mount_late_t( 1302 kauth_cred_t cred, 1303 struct mount *mp 1304 ); 1305 1306 /** 1307 * @brief Access control check for quotactl 1308 * @param cred Subject credential 1309 * @param cmd The quotactl command and subcommand; see quotactl(2) 1310 * @param id The user or group ID on which cmd will operate 1311 * 1312 * Determine whether the subject identified by the credential can perform 1313 * the quotactl operation indicated by cmd. 1314 * 1315 * @return Return 0 if access is granted, otherwise an appropriate value for 1316 * errno should be returned. 1317 */ 1318 typedef int mpo_mount_check_quotactl_t( 1319 kauth_cred_t cred, 1320 struct mount *mp, 1321 int cmd, 1322 int id 1323 ); 1324 /** 1325 * @brief Access control check for fs_snapshot_create 1326 * @param cred Subject credential 1327 * @mp Filesystem mount point to create snapshot of 1328 * @name Name of snapshot to create 1329 * 1330 * Determine whether the subject identified by the credential can 1331 * create a snapshot of the filesystem at the given mount point. 1332 * 1333 * @return Return 0 if access is granted, otherwise an appropriate value 1334 * for errno should be returned. 1335 */ 1336 typedef int mpo_mount_check_snapshot_create_t( 1337 kauth_cred_t cred, 1338 struct mount *mp, 1339 const char *name 1340 ); 1341 /** 1342 * @brief Access control check for fs_snapshot_delete 1343 * @param cred Subject credential 1344 * @mp Filesystem mount point to delete snapshot of 1345 * @name Name of snapshot to delete 1346 * 1347 * Determine whether the subject identified by the credential can 1348 * delete the named snapshot from the filesystem at the given 1349 * mount point. 1350 * 1351 * @return Return 0 if access is granted, otherwise an appropriate value 1352 * for errno should be returned. 
1353 */ 1354 typedef int mpo_mount_check_snapshot_delete_t( 1355 kauth_cred_t cred, 1356 struct mount *mp, 1357 const char *name 1358 ); 1359 /** 1360 * @brief Access control check for fs_snapshot_mount 1361 * @param cred Subject credential 1362 * @param rvp Vnode of either the root directory of the 1363 * filesystem to mount snapshot of, or the device from 1364 * which to mount the snapshot. 1365 * @param vp Vnode that is to be the mount point 1366 * @param cnp Component name for vp 1367 * @param name Name of snapshot to mount 1368 * @param vfc_name Filesystem type name 1369 * 1370 * Determine whether the subject identified by the credential can 1371 * mount the named snapshot from the filesystem at the given 1372 * directory. 1373 * 1374 * @return Return 0 if access is granted, otherwise an appropriate value 1375 * for errno should be returned. 1376 */ 1377 typedef int mpo_mount_check_snapshot_mount_t( 1378 kauth_cred_t cred, 1379 struct vnode *rvp, 1380 struct vnode *vp, 1381 struct componentname *cnp, 1382 const char *name, 1383 const char *vfc_name 1384 ); 1385 /** 1386 * @brief Access control check for fs_snapshot_revert 1387 * @param cred Subject credential 1388 * @mp Filesystem mount point to revert to snapshot 1389 * @name Name of snapshot to revert to 1390 * 1391 * Determine whether the subject identified by the credential can 1392 * revert the filesystem at the given mount point to the named snapshot. 1393 * 1394 * @return Return 0 if access is granted, otherwise an appropriate value 1395 * for errno should be returned. 
1396 */ 1397 typedef int mpo_mount_check_snapshot_revert_t( 1398 kauth_cred_t cred, 1399 struct mount *mp, 1400 const char *name 1401 ); 1402 /** 1403 * @brief Access control check remounting a filesystem 1404 * @param cred Subject credential 1405 * @param mp The mount point 1406 * @param mlabel Label currently associated with the mount point 1407 * @param flags Requested updated flags 1408 * 1409 * Determine whether the subject identified by the credential can perform 1410 * the remount operation on the target vnode. 1411 * 1412 * @return Return 0 if access is granted, otherwise an appropriate value for 1413 * errno should be returned. 1414 */ 1415 #define NEEDS_RDAR_103115865 1 // Required until both EndpointSecurity & Sandbox are updated 1416 typedef int mpo_mount_check_remount_t( 1417 kauth_cred_t cred, 1418 struct mount *mp, 1419 struct label *mlabel, 1420 uint64_t flags 1421 ); 1422 /** 1423 * @brief Access control check for remounting a filesystem with modifiable flags 1424 * @param cred Subject credential 1425 * @param mp The mount point 1426 * @param mlabel Label currently associated with the mount point 1427 * @param flagsp A pointer to requested update flags. This can be modified by the function 1428 * to reflect changes in the operation flags. 1429 * 1430 * This function is a variant of mpo_mount_check_remount_t, allowing 1431 * the caller to specify and potentially overwrite the flags via a 1432 * pointer to an integer. 1433 * 1434 * @return Return 0 if access is granted, otherwise an appropriate value for 1435 * errno should be returned. 
1436 */ 1437 typedef int mpo_mount_check_remount_with_flags_t( 1438 kauth_cred_t cred, 1439 struct mount *mp, 1440 struct label *mlabel, 1441 int *flagsp 1442 ); 1443 /** 1444 * @brief Access control check for the settting of file system attributes 1445 * @param cred Subject credential 1446 * @param mp The mount structure of the file system 1447 * @param vfa The attributes requested 1448 * 1449 * This entry point determines whether given subject can set information 1450 * about the given file system, for example the volume name. 1451 * 1452 * @return Return 0 if access is granted, otherwise an appropriate value for 1453 * errno should be returned. 1454 */ 1455 1456 typedef int mpo_mount_check_setattr_t( 1457 kauth_cred_t cred, 1458 struct mount *mp, 1459 struct label *mp_label, 1460 struct vfs_attr *vfa 1461 ); 1462 /** 1463 * @brief Access control check for file system statistics 1464 * @param cred Subject credential 1465 * @param mp Object file system mount 1466 * @param mntlabel Policy label for mp 1467 * 1468 * Determine whether the subject identified by the credential can see 1469 * the results of a statfs performed on the file system. This call may 1470 * be made in a number of situations, including during invocations of 1471 * statfs(2) and related calls, as well as to determine what file systems 1472 * to exclude from listings of file systems, such as when getfsstat(2) 1473 * is invoked. 1474 * 1475 * @return Return 0 if access is granted, otherwise an appropriate value for 1476 * errno should be returned. Suggested failure: EACCES for label mismatch 1477 * or EPERM for lack of privilege. 
1478 */ 1479 typedef int mpo_mount_check_stat_t( 1480 kauth_cred_t cred, 1481 struct mount *mp, 1482 struct label *mntlabel 1483 ); 1484 /** 1485 * @brief Access control check for unmounting a filesystem 1486 * @param cred Subject credential 1487 * @param mp The mount point 1488 * @param mlabel Label associated with the mount point 1489 * 1490 * Determine whether the subject identified by the credential can perform 1491 * the unmount operation on the target vnode. 1492 * 1493 * @return Return 0 if access is granted, otherwise an appropriate value for 1494 * errno should be returned. 1495 */ 1496 typedef int mpo_mount_check_umount_t( 1497 kauth_cred_t cred, 1498 struct mount *mp, 1499 struct label *mlabel 1500 ); 1501 /** 1502 * @brief Create mount labels 1503 * @param cred Subject credential 1504 * @param mp Mount point of file system being mounted 1505 * @param mntlabel Label to associate with the new mount point 1506 * @see mpo_mount_label_init_t 1507 * 1508 * Fill out the labels on the mount point being created by the supplied 1509 * user credential. This call is made when file systems are first mounted. 1510 */ 1511 typedef void mpo_mount_label_associate_t( 1512 kauth_cred_t cred, 1513 struct mount *mp, 1514 struct label *mntlabel 1515 ); 1516 /** 1517 * @brief Destroy mount label 1518 * @param label The label to be destroyed 1519 * 1520 * Destroy a file system mount label. Since the 1521 * object is going out of scope, policy modules should free any 1522 * internal storage associated with the label so that it may be 1523 * destroyed. 
1524 */ 1525 typedef void mpo_mount_label_destroy_t( 1526 struct label *label 1527 ); 1528 /** 1529 * @brief Externalize a mount point label 1530 * @param label Label to be externalized 1531 * @param element_name Name of the label namespace for which labels should be 1532 * externalized 1533 * @param sb String buffer to be filled with a text representation of the label 1534 * 1535 * Produce an external representation of the mount point label. An 1536 * externalized label consists of a text representation of the label 1537 * contents that can be used with user applications. Policy-agnostic 1538 * user space tools will display this externalized version. 1539 * 1540 * The policy's externalize entry points will be called only if the 1541 * policy has registered interest in the label namespace. 1542 * 1543 * @return 0 on success, return non-zero if an error occurs while 1544 * externalizing the label data. 1545 * 1546 */ 1547 typedef int mpo_mount_label_externalize_t( 1548 struct label *label, 1549 char *element_name, 1550 struct sbuf *sb 1551 ); 1552 /** 1553 * @brief Initialize mount point label 1554 * @param label New label to initialize 1555 * 1556 * Initialize the label for a newly instantiated mount structure. 1557 * This label is typically used to store a default label in the case 1558 * that the file system has been mounted singlelabel. Since some 1559 * file systems do not support persistent labels (extended attributes) 1560 * or are read-only (such as CD-ROMs), it is often necessary to store 1561 * a default label separately from the label of the mount point 1562 * itself. Sleeping is permitted. 
1563 */ 1564 typedef void mpo_mount_label_init_t( 1565 struct label *label 1566 ); 1567 /** 1568 * @brief Internalize a mount point label 1569 * @param label Label to be internalized 1570 * @param element_name Name of the label namespace for which the label should 1571 * be internalized 1572 * @param element_data Text data to be internalized 1573 * 1574 * Produce a mount point file system label from an external representation. 1575 * An externalized label consists of a text representation of the label 1576 * contents that can be used with user applications. Policy-agnostic 1577 * user space tools will forward text version to the kernel for 1578 * processing by individual policy modules. 1579 * 1580 * The policy's internalize entry points will be called only if the 1581 * policy has registered interest in the label namespace. 1582 * 1583 * @return 0 on success, Otherwise, return non-zero if an error occurs 1584 * while internalizing the label data. 1585 * 1586 */ 1587 typedef int mpo_mount_label_internalize_t( 1588 struct label *label, 1589 char *element_name, 1590 char *element_data 1591 ); 1592 /** 1593 * @brief Notify on successful filesystem mount 1594 * @param cred Subject credential 1595 * @param mp Mount point of file system being mounted 1596 * @param mntlabel Label to associate with the new mount point 1597 * @see mpo_mount_label_init_t 1598 * 1599 * Notify on successful filesystem mount. The mntlabel associated 1600 * to this mount point should be initalized with mac_mount_label_init 1601 * prior to this call. 1602 */ 1603 typedef void mpo_mount_notify_mount_t( 1604 kauth_cred_t cred, 1605 struct mount *mp, 1606 struct label *mntlabel 1607 ); 1608 /** 1609 * @brief Access control check for opening an NECP file descriptor 1610 * @param cred Subject credential 1611 * @param flags Open flags 1612 * 1613 * Determine whether the subject identified by the credential can open 1614 * an NECP file descriptor. 
1615 * 1616 * @return Return 0 if access is granted, otherwise an appropriate value for 1617 * errno should be returned. 1618 * 1619 */ 1620 typedef int mpo_necp_check_open_t( 1621 kauth_cred_t cred, 1622 int flags 1623 ); 1624 /** 1625 * @brief Access control check for necp_client_action(2) 1626 * @param cred Subject credential 1627 * @param fg NECP fileglob 1628 * @param action NECP client action 1629 * 1630 * Determine whether the subject identified by the credential can open 1631 * an NECP socket. 1632 * 1633 * @return Return 0 if access is granted, otherwise an appropriate value for 1634 * errno should be returned. 1635 * 1636 */ 1637 typedef int mpo_necp_check_client_action_t( 1638 kauth_cred_t cred, 1639 struct fileglob *fg, 1640 uint32_t action 1641 ); 1642 /** 1643 * @brief Access control check for pipe ioctl 1644 * @param cred Subject credential 1645 * @param cpipe Object to be accessed 1646 * @param pipelabel The label on the pipe 1647 * @param cmd The ioctl command; see ioctl(2) 1648 * 1649 * Determine whether the subject identified by the credential can perform 1650 * the ioctl operation indicated by cmd. 1651 * 1652 * @warning Since ioctl data is opaque from the standpoint of the MAC 1653 * framework, policies must exercise extreme care when implementing 1654 * access control checks. 1655 * 1656 * @return Return 0 if access is granted, otherwise an appropriate value for 1657 * errno should be returned. 1658 * 1659 */ 1660 typedef int mpo_pipe_check_ioctl_t( 1661 kauth_cred_t cred, 1662 struct pipe *cpipe, 1663 struct label *pipelabel, 1664 unsigned long cmd 1665 ); 1666 /** 1667 * @brief Access control check for pipe kqfilter 1668 * @param cred Subject credential 1669 * @param kn Object knote 1670 * @param cpipe Object to be accessed 1671 * @param pipelabel Policy label for the pipe 1672 * 1673 * Determine whether the subject identified by the credential can 1674 * receive the knote on the passed pipe. 
1676 * @return Return 0 if access is granted
1717 * 1718 */ 1719 typedef int mpo_pipe_check_select_t( 1720 kauth_cred_t cred, 1721 struct pipe *cpipe, 1722 struct label *pipelabel, 1723 int which 1724 ); 1725 /** 1726 * @brief Access control check for pipe stat 1727 * @param cred Subject credential 1728 * @param cpipe Object to be accessed 1729 * @param pipelabel The label on the pipe 1730 * 1731 * Determine whether the subject identified by the credential can 1732 * perform a stat operation on the passed pipe. The cred object holds 1733 * the credentials of the subject performing the operation. 1734 * 1735 * @return Return 0 if access is granted, otherwise an appropriate value for 1736 * errno should be returned. 1737 * 1738 */ 1739 typedef int mpo_pipe_check_stat_t( 1740 kauth_cred_t cred, 1741 struct pipe *cpipe, 1742 struct label *pipelabel 1743 ); 1744 /** 1745 * @brief Access control check for pipe write 1746 * @param cred Subject credential 1747 * @param cpipe Object to be accessed 1748 * @param pipelabel The label on the pipe 1749 * 1750 * Determine whether the subject identified by the credential can 1751 * perform a write operation on the passed pipe. The cred object holds 1752 * the credentials of the subject performing the operation. 1753 * 1754 * @return Return 0 if access is granted, otherwise an appropriate value for 1755 * errno should be returned. 1756 * 1757 */ 1758 typedef int mpo_pipe_check_write_t( 1759 kauth_cred_t cred, 1760 struct pipe *cpipe, 1761 struct label *pipelabel 1762 ); 1763 /** 1764 * @brief Create a pipe label 1765 * @param cred Subject credential 1766 * @param cpipe object to be labeled 1767 * @param pipelabel Label for the pipe object 1768 * 1769 * Create a label for the pipe object being created by the supplied 1770 * user credential. This call is made when a pipe pair is being created. 1771 * The label is shared by both ends of the pipe. 
1772 */ 1773 typedef void mpo_pipe_label_associate_t( 1774 kauth_cred_t cred, 1775 struct pipe *cpipe, 1776 struct label *pipelabel 1777 ); 1778 /** 1779 * @brief Destroy pipe label 1780 * @param label The label to be destroyed 1781 * 1782 * Destroy a pipe label. Since the object is going out of scope, 1783 * policy modules should free any internal storage associated with the 1784 * label so that it may be destroyed. 1785 */ 1786 typedef void mpo_pipe_label_destroy_t( 1787 struct label *label 1788 ); 1789 /** 1790 * @brief Initialize pipe label 1791 * @param label New label to initialize 1792 * 1793 * Initialize label storage for use with a newly instantiated pipe object. 1794 * Sleeping is permitted. 1795 */ 1796 typedef void mpo_pipe_label_init_t( 1797 struct label *label 1798 ); 1799 /** 1800 * @brief Policy unload event 1801 * @param mpc MAC policy configuration 1802 * 1803 * This is the MAC Framework policy unload event. This entry point will 1804 * only be called if the module's policy configuration allows unload (if 1805 * the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't 1806 * want to be unloaded; they should set their flags to prevent this 1807 * entry point from being called. 1808 * 1809 * @warning During this call, the mac policy list mutex is held, so 1810 * sleep operations cannot be performed, and calls out to other kernel 1811 * subsystems must be made with caution. 1812 * 1813 * @see MPC_LOADTIME_FLAG_UNLOADOK 1814 */ 1815 typedef void mpo_policy_destroy_t( 1816 struct mac_policy_conf *mpc 1817 ); 1818 /** 1819 * @brief Policy initialization event 1820 * @param mpc MAC policy configuration 1821 * @see mac_policy_register 1822 * @see mpo_policy_initbsd_t 1823 * 1824 * This is the MAC Framework policy initialization event. This entry 1825 * point is called during mac_policy_register, when the policy module 1826 * is first registered with the MAC Framework. 
This is often done very 1827 * early in the boot process, after the kernel Mach subsystem has been 1828 * initialized, but prior to the BSD subsystem being initialized. 1829 * Since the kernel BSD services are not yet available, it is possible 1830 * that some initialization must occur later, possibly in the 1831 * mpo_policy_initbsd_t policy entry point, such as registering BSD system 1832 * controls (sysctls). Policy modules loaded at boot time will be 1833 * registered and initialized before labeled Mach objects are created. 1834 * 1835 * @warning During this call, the mac policy list mutex is held, so 1836 * sleep operations cannot be performed, and calls out to other kernel 1837 * subsystems must be made with caution. 1838 */ 1839 typedef void mpo_policy_init_t( 1840 struct mac_policy_conf *mpc 1841 ); 1842 /** 1843 * @brief Policy BSD initialization event 1844 * @param mpc MAC policy configuration 1845 * @see mpo_policy_init_t 1846 * 1847 * This entry point is called after the kernel BSD subsystem has been 1848 * initialized. By this point, the module should already be loaded, 1849 * registered, and initialized. Since policy modules are initialized 1850 * before kernel BSD services are available, this second initialization 1851 * phase is necessary. At this point, BSD services (memory management, 1852 * synchronization primitives, vfs, etc.) are available, but the first 1853 * process has not yet been created. Mach-related objects and tasks 1854 * will already be fully initialized and may be in use--policies requiring 1855 * ubiquitous labeling may also want to implement mpo_policy_init_t. 1856 * 1857 * @warning During this call, the mac policy list mutex is held, so 1858 * sleep operations cannot be performed, and calls out to other kernel 1859 * subsystems must be made with caution. 
1860 */ 1861 typedef void mpo_policy_initbsd_t( 1862 struct mac_policy_conf *mpc 1863 ); 1864 /** 1865 * @brief Policy extension service 1866 * @param p Calling process 1867 * @param call Policy-specific syscall number 1868 * @param arg Pointer to syscall arguments 1869 * 1870 * This entry point provides a policy-multiplexed system call so that 1871 * policies may provide additional services to user processes without 1872 * registering specific system calls. The policy name provided during 1873 * registration is used to demux calls from userland, and the arguments 1874 * will be forwarded to this entry point. When implementing new 1875 * services, security modules should be sure to invoke appropriate 1876 * access control checks from the MAC framework as needed. For 1877 * example, if a policy implements an augmented signal functionality, 1878 * it should call the necessary signal access control checks to invoke 1879 * the MAC framework and other registered policies. 1880 * 1881 * @warning Since the format and contents of the policy-specific 1882 * arguments are unknown to the MAC Framework, modules must perform the 1883 * required copyin() of the syscall data on their own. No policy 1884 * mediation is performed, so policies must perform any necessary 1885 * access control checks themselves. If multiple policies are loaded, 1886 * they will currently be unable to mediate calls to other policies. 1887 * 1888 * @return In the event of an error, an appropriate value for errno 1889 * should be returned, otherwise return 0 upon success. 1890 */ 1891 typedef int mpo_policy_syscall_t( 1892 struct proc *p, 1893 int call, 1894 user_addr_t arg 1895 ); 1896 /** 1897 * @brief Access control check for POSIX semaphore create 1898 * @param cred Subject credential 1899 * @param name String name of the semaphore 1900 * 1901 * Determine whether the subject identified by the credential can create 1902 * a POSIX semaphore specified by name. 
1903 * 1904 * @return Return 0 if access is granted, otherwise an appropriate value for 1905 * errno should be returned. 1906 */ 1907 typedef int mpo_posixsem_check_create_t( 1908 kauth_cred_t cred, 1909 const char *name 1910 ); 1911 /** 1912 * @brief Access control check for POSIX semaphore open 1913 * @param cred Subject credential 1914 * @param ps Pointer to semaphore information structure 1915 * @param semlabel Label associated with the semaphore 1916 * 1917 * Determine whether the subject identified by the credential can open 1918 * the named POSIX semaphore with label semlabel. 1919 * 1920 * @return Return 0 if access is granted, otherwise an appropriate value for 1921 * errno should be returned. 1922 */ 1923 typedef int mpo_posixsem_check_open_t( 1924 kauth_cred_t cred, 1925 struct pseminfo *ps, 1926 struct label *semlabel 1927 ); 1928 /** 1929 * @brief Access control check for POSIX semaphore post 1930 * @param cred Subject credential 1931 * @param ps Pointer to semaphore information structure 1932 * @param semlabel Label associated with the semaphore 1933 * 1934 * Determine whether the subject identified by the credential can unlock 1935 * the named POSIX semaphore with label semlabel. 1936 * 1937 * @return Return 0 if access is granted, otherwise an appropriate value for 1938 * errno should be returned. 1939 */ 1940 typedef int mpo_posixsem_check_post_t( 1941 kauth_cred_t cred, 1942 struct pseminfo *ps, 1943 struct label *semlabel 1944 ); 1945 /** 1946 * @brief Access control check for POSIX semaphore unlink 1947 * @param cred Subject credential 1948 * @param ps Pointer to semaphore information structure 1949 * @param semlabel Label associated with the semaphore 1950 * @param name String name of the semaphore 1951 * 1952 * Determine whether the subject identified by the credential can remove 1953 * the named POSIX semaphore with label semlabel. 
1954 * 1955 * @return Return 0 if access is granted, otherwise an appropriate value for 1956 * errno should be returned. 1957 */ 1958 typedef int mpo_posixsem_check_unlink_t( 1959 kauth_cred_t cred, 1960 struct pseminfo *ps, 1961 struct label *semlabel, 1962 const char *name 1963 ); 1964 /** 1965 * @brief Access control check for POSIX semaphore wait 1966 * @param cred Subject credential 1967 * @param ps Pointer to semaphore information structure 1968 * @param semlabel Label associated with the semaphore 1969 * 1970 * Determine whether the subject identified by the credential can lock 1971 * the named POSIX semaphore with label semlabel. 1972 * 1973 * @return Return 0 if access is granted, otherwise an appropriate value for 1974 * errno should be returned. 1975 */ 1976 typedef int mpo_posixsem_check_wait_t( 1977 kauth_cred_t cred, 1978 struct pseminfo *ps, 1979 struct label *semlabel 1980 ); 1981 /** 1982 * @brief Create a POSIX semaphore label 1983 * @param cred Subject credential 1984 * @param ps Pointer to semaphore information structure 1985 * @param semlabel Label to associate with the new semaphore 1986 * @param name String name of the semaphore 1987 * 1988 * Label a new POSIX semaphore. The label was previously 1989 * initialized and associated with the semaphore. At this time, an 1990 * appropriate initial label value should be assigned to the object and 1991 * stored in semlabel. 1992 */ 1993 typedef void mpo_posixsem_label_associate_t( 1994 kauth_cred_t cred, 1995 struct pseminfo *ps, 1996 struct label *semlabel, 1997 const char *name 1998 ); 1999 /** 2000 * @brief Destroy POSIX semaphore label 2001 * @param label The label to be destroyed 2002 * 2003 * Destroy a POSIX semaphore label. Since the object is 2004 * going out of scope, policy modules should free any internal storage 2005 * associated with the label so that it may be destroyed. 
2006 */ 2007 typedef void mpo_posixsem_label_destroy_t( 2008 struct label *label 2009 ); 2010 /** 2011 * @brief Initialize POSIX semaphore label 2012 * @param label New label to initialize 2013 * 2014 * Initialize the label for a newly instantiated POSIX semaphore. Sleeping 2015 * is permitted. 2016 */ 2017 typedef void mpo_posixsem_label_init_t( 2018 struct label *label 2019 ); 2020 /** 2021 * @brief Access control check for POSIX shared memory region create 2022 * @param cred Subject credential 2023 * @param name String name of the shared memory region 2024 * 2025 * Determine whether the subject identified by the credential can create 2026 * the POSIX shared memory region referenced by name. 2027 * 2028 * @return Return 0 if access is granted, otherwise an appropriate value for 2029 * errno should be returned. 2030 */ 2031 typedef int mpo_posixshm_check_create_t( 2032 kauth_cred_t cred, 2033 const char *name 2034 ); 2035 /** 2036 * @brief Access control check for mapping POSIX shared memory 2037 * @param cred Subject credential 2038 * @param ps Pointer to shared memory information structure 2039 * @param shmlabel Label associated with the shared memory region 2040 * @param prot mmap protections; see mmap(2) 2041 * @param flags shmat flags; see shmat(2) 2042 * 2043 * Determine whether the subject identified by the credential can map 2044 * the POSIX shared memory segment associated with shmlabel. 2045 * 2046 * @return Return 0 if access is granted, otherwise an appropriate value for 2047 * errno should be returned. 
2048 */ 2049 typedef int mpo_posixshm_check_mmap_t( 2050 kauth_cred_t cred, 2051 struct pshminfo *ps, 2052 struct label *shmlabel, 2053 int prot, 2054 int flags 2055 ); 2056 /** 2057 * @brief Access control check for POSIX shared memory region open 2058 * @param cred Subject credential 2059 * @param ps Pointer to shared memory information structure 2060 * @param shmlabel Label associated with the shared memory region 2061 * @param fflags shm_open(2) open flags ('fflags' encoded) 2062 * 2063 * Determine whether the subject identified by the credential can open 2064 * the POSIX shared memory region. 2065 * 2066 * @return Return 0 if access is granted, otherwise an appropriate value for 2067 * errno should be returned. 2068 */ 2069 typedef int mpo_posixshm_check_open_t( 2070 kauth_cred_t cred, 2071 struct pshminfo *ps, 2072 struct label *shmlabel, 2073 int fflags 2074 ); 2075 /** 2076 * @brief Access control check for POSIX shared memory stat 2077 * @param cred Subject credential 2078 * @param ps Pointer to shared memory information structure 2079 * @param shmlabel Label associated with the shared memory region 2080 * 2081 * Determine whether the subject identified by the credential can obtain 2082 * status for the POSIX shared memory segment associated with shmlabel. 2083 * 2084 * @return Return 0 if access is granted, otherwise an appropriate value for 2085 * errno should be returned. 
2086 */ 2087 typedef int mpo_posixshm_check_stat_t( 2088 kauth_cred_t cred, 2089 struct pshminfo *ps, 2090 struct label *shmlabel 2091 ); 2092 /** 2093 * @brief Access control check for POSIX shared memory truncate 2094 * @param cred Subject credential 2095 * @param ps Pointer to shared memory information structure 2096 * @param shmlabel Label associated with the shared memory region 2097 * @param len Length to truncate or extend shared memory segment 2098 * 2099 * Determine whether the subject identified by the credential can truncate 2100 * or extend (to len) the POSIX shared memory segment associated with shmlabel. 2101 * 2102 * @return Return 0 if access is granted, otherwise an appropriate value for 2103 * errno should be returned. 2104 */ 2105 typedef int mpo_posixshm_check_truncate_t( 2106 kauth_cred_t cred, 2107 struct pshminfo *ps, 2108 struct label *shmlabel, 2109 off_t len 2110 ); 2111 /** 2112 * @brief Access control check for POSIX shared memory unlink 2113 * @param cred Subject credential 2114 * @param ps Pointer to shared memory information structure 2115 * @param shmlabel Label associated with the shared memory region 2116 * @param name String name of the shared memory region 2117 * 2118 * Determine whether the subject identified by the credential can delete 2119 * the POSIX shared memory segment associated with shmlabel. 2120 * 2121 * @return Return 0 if access is granted, otherwise an appropriate value for 2122 * errno should be returned. 2123 */ 2124 typedef int mpo_posixshm_check_unlink_t( 2125 kauth_cred_t cred, 2126 struct pshminfo *ps, 2127 struct label *shmlabel, 2128 const char *name 2129 ); 2130 /** 2131 * @brief Create a POSIX shared memory region label 2132 * @param cred Subject credential 2133 * @param ps Pointer to shared memory information structure 2134 * @param shmlabel Label to associate with the new shared memory region 2135 * @param name String name of the shared memory region 2136 * 2137 * Label a new POSIX shared memory region. 
The label was previously 2138 * initialized and associated with the shared memory region. At this 2139 * time, an appropriate initial label value should be assigned to the 2140 * object and stored in shmlabel. 2141 */ 2142 typedef void mpo_posixshm_label_associate_t( 2143 kauth_cred_t cred, 2144 struct pshminfo *ps, 2145 struct label *shmlabel, 2146 const char *name 2147 ); 2148 /** 2149 * @brief Destroy POSIX shared memory label 2150 * @param label The label to be destroyed 2151 * 2152 * Destroy a POSIX shared memory region label. Since the 2153 * object is going out of scope, policy modules should free any 2154 * internal storage associated with the label so that it may be 2155 * destroyed. 2156 */ 2157 typedef void mpo_posixshm_label_destroy_t( 2158 struct label *label 2159 ); 2160 /** 2161 * @brief Initialize POSIX Shared Memory region label 2162 * @param label New label to initialize 2163 * 2164 * Initialize the label for a newly instantiated POSIX Shared Memory 2165 * region. Sleeping is permitted. 2166 */ 2167 typedef void mpo_posixshm_label_init_t( 2168 struct label *label 2169 ); 2170 /** 2171 * @brief Access control check for privileged operations 2172 * @param cred Subject credential 2173 * @param priv Requested privilege (see sys/priv.h) 2174 * 2175 * Determine whether the subject identified by the credential can perform 2176 * a privileged operation. Privileged operations are allowed if the cred 2177 * is the superuser or any policy returns zero for mpo_priv_grant, unless 2178 * any policy returns nonzero for mpo_priv_check. 2179 * 2180 * @return Return 0 if access is granted, otherwise EPERM should be returned. 
2181 */ 2182 typedef int mpo_priv_check_t( 2183 kauth_cred_t cred, 2184 int priv 2185 ); 2186 /** 2187 * @brief Grant regular users the ability to perform privileged operations 2188 * @param cred Subject credential 2189 * @param priv Requested privilege (see sys/priv.h) 2190 * 2191 * Determine whether the subject identified by the credential should be 2192 * allowed to perform a privileged operation that in the absence of any 2193 * MAC policy it would not be able to perform. Privileged operations are 2194 * allowed if the cred is the superuser or any policy returns zero for 2195 * mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check. 2196 * 2197 * Unlike other MAC hooks which can only reduce the privilege of a 2198 * credential, this hook raises the privilege of a credential when it 2199 * returns 0. Extreme care must be taken when implementing this hook to 2200 * avoid undermining the security of the system. 2201 * 2202 * @return Return 0 if additional privilege is granted, otherwise EPERM 2203 * should be returned. 2204 */ 2205 typedef int mpo_priv_grant_t( 2206 kauth_cred_t cred, 2207 int priv 2208 ); 2209 /** 2210 * @brief Access control over process core dumps 2211 * @param proc Subject process 2212 * 2213 * Determine whether a core dump may be written to disk for the subject 2214 * identified. 2215 * 2216 * @return Return 0 if access is granted, otherwise an appropriate value for 2217 * errno should be returned. 
2218 */ 2219 typedef int mpo_proc_check_dump_core_t( 2220 struct proc *proc 2221 ); 2222 /** 2223 * @brief Access control over remote thread creation 2224 * @param cred Subject credential 2225 * @param proc Object process 2226 * @param flavor Flavor of thread state passed in new_state, or -1 2227 * @param new_state Thread state to be set on the created thread, or NULL 2228 * @param new_state_count Size of thread state, in natural_t units, or 0 2229 * 2230 * Determine whether the subject can create a thread in the object process 2231 * by calling the thread_create or thread_create_running MIG routines on 2232 * another process' task port. For thread_create_running, the flavor, 2233 * new_state and new_state_count arguments are passed here before they are 2234 * converted and checked by machine-dependent code. 2235 * 2236 * @return Return 0 if access is granted, otherwise an appropriate value for 2237 * errno should be returned. 2238 */ 2239 typedef int mpo_proc_check_remote_thread_create_t( 2240 kauth_cred_t cred, 2241 struct proc *proc, 2242 int flavor, 2243 thread_state_t new_state, 2244 mach_msg_type_number_t new_state_count 2245 ); 2246 /** 2247 * @brief Access control check for debugging process 2248 * @param cred Subject credential 2249 * @param pident Object unique process identifier 2250 * 2251 * Determine whether the subject identified by the credential can debug 2252 * the passed process. This call may be made in a number of situations, 2253 * including use of the ptrace(2) and ktrace(2) APIs, as well as for some 2254 * types of procfs operations. 2255 * 2256 * @return Return 0 if access is granted, otherwise an appropriate value for 2257 * errno should be returned. Suggested failure: EACCES for label mismatch, 2258 * EPERM for lack of privilege, or ESRCH to hide visibility of the target. 
2259 */ 2260 typedef int mpo_proc_check_debug_t( 2261 kauth_cred_t cred, 2262 struct proc_ident *pident 2263 ); 2264 /** 2265 * @brief Access control over fork 2266 * @param cred Subject credential 2267 * @param proc Subject process trying to fork 2268 * 2269 * Determine whether the subject identified is allowed to fork. 2270 * 2271 * @return Return 0 if access is granted, otherwise an appropriate value for 2272 * errno should be returned. 2273 */ 2274 typedef int mpo_proc_check_fork_t( 2275 kauth_cred_t cred, 2276 struct proc *proc 2277 ); 2278 /** 2279 * @brief Access control check for setting host special ports. 2280 * @param cred Subject credential 2281 * @param id The host special port to set 2282 * @param port The new value to set for the special port 2283 * 2284 * @return Return 0 if access is granted, otherwise an appropriate value for 2285 * errno should be returned. 2286 */ 2287 typedef int mpo_proc_check_set_host_special_port_t( 2288 kauth_cred_t cred, 2289 int id, 2290 struct ipc_port *port 2291 ); 2292 /** 2293 * @brief Access control check for setting host exception ports. 2294 * @param cred Subject credential 2295 * @param exception Exception port to set 2296 * 2297 * @return Return 0 if access is granted, otherwise an appropriate value for 2298 * errno should be returned. 2299 */ 2300 typedef int mpo_proc_check_set_host_exception_port_t( 2301 kauth_cred_t cred, 2302 unsigned int exception 2303 ); 2304 /** 2305 * @brief Access control check for getting task special ports. 2306 * @param cred Subject credential 2307 * @param pident Object unique process identifier, NULL if target is a corpse task 2308 * @param which The task special port to get 2309 * 2310 * @return Return 0 if access is granted, otherwise an appropriate value for 2311 * errno should be returned. 
2312 */ 2313 typedef int mpo_proc_check_get_task_special_port_t( 2314 kauth_cred_t cred, 2315 struct proc_ident *pident, 2316 int which 2317 ); 2318 /** 2319 * @brief Access control check for setting task special ports. 2320 * @param cred Subject credential 2321 * @param pident Object unique process identifier 2322 * @param which The task special port to set 2323 * @param port The new value to set for the special port 2324 * 2325 * @return Return 0 if access is granted, otherwise an appropriate value for 2326 * errno should be returned. 2327 */ 2328 typedef int mpo_proc_check_set_task_special_port_t( 2329 kauth_cred_t cred, 2330 struct proc_ident *pident, 2331 int which, 2332 struct ipc_port *port 2333 ); 2334 /** 2335 * @brief Access control check for setting task exception ports for current task. 2336 * @param cred Subject credential 2337 * @param pident Object unique process identifier 2338 * @param exception Exception port to set 2339 * @param new_behavior exception_behavior_t value 2340 * 2341 * @return Return 0 if access is granted, otherwise an appropriate value for 2342 * errno should be returned. 2343 */ 2344 typedef int mpo_proc_check_set_task_exception_port_t( 2345 kauth_cred_t cred, 2346 struct proc_ident *pident, 2347 unsigned int exception, 2348 int new_behavior 2349 ); 2350 /** 2351 * @brief Access control check for setting thread exception ports. 2352 * @param cred Subject credential 2353 * @param pident Object unique process identifier 2354 * @param exception Exception port to set 2355 * @param new_behavior exception_behavior_t value 2356 * 2357 * @return Return 0 if access is granted, otherwise an appropriate value for 2358 * errno should be returned. 2359 */ 2360 typedef int mpo_proc_check_set_thread_exception_port_t( 2361 kauth_cred_t cred, 2362 struct proc_ident *pident, 2363 unsigned int exception, 2364 int new_behavior 2365 ); 2366 /** 2367 * @brief Access control check for getting movable task/thread control port for current task. 
2368 * @param cred Subject credential 2369 * 2370 * @return Return 0 if access is granted, otherwise an appropriate value for 2371 * errno should be returned. 2372 */ 2373 typedef int mpo_proc_check_get_movable_control_port_t( 2374 kauth_cred_t cred 2375 ); 2376 /** 2377 * @brief Access control check for calling task_dyld_process_info_notify_register 2378 * and task_dyld_process_info_notify_deregister. 2379 * @param cred Subject credential 2380 * 2381 * @return Return 0 if access is granted, otherwise an appropriate value for 2382 * errno should be returned. 2383 */ 2384 typedef int mpo_proc_check_dyld_process_info_notify_register_t( 2385 kauth_cred_t cred 2386 ); 2387 /** 2388 * @brief Access control over pid_suspend, pid_resume and family 2389 * @param cred Subject credential 2390 * @param proc Object process 2391 * @param sr Type of call; one of MAC_PROC_CHECK_SUSPEND, 2392 * MAC_PROC_CHECK_RESUME, MAC_PROC_CHECK_HIBERNATE, 2393 * MAC_PROC_CHECK_SHUTDOWN_SOCKETS or MAC_PROC_CHECK_PIDBIND. 2394 * 2395 * Determine whether the subject identified is allowed to call pid_suspend, 2396 * pid_resume, pid_hibernate, pid_shutdown_sockets, 2397 * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_DEVSTATUS) or 2398 * process_policy(PROC_POLICY_APP_LIFECYCLE, PROC_POLICY_APPLIFE_PIDBIND) on 2399 * the object process. 2400 * 2401 * @return Return 0 if access is granted, otherwise an appropriate value for 2402 * errno should be returned. 2403 */ 2404 typedef int mpo_proc_check_suspend_resume_t( 2405 kauth_cred_t cred, 2406 struct proc *proc, 2407 int sr 2408 ); 2409 /** 2410 * @brief Access control check for retrieving audit information 2411 * @param cred Subject credential 2412 * 2413 * Determine whether the subject identified by the credential can get 2414 * audit information such as the audit user ID, the preselection mask, 2415 * the terminal ID and the audit session ID, using the getaudit() system call. 
2416 * 2417 * @return Return 0 if access is granted, otherwise an appropriate value for 2418 * errno should be returned. 2419 */ 2420 typedef int mpo_proc_check_getaudit_t( 2421 kauth_cred_t cred 2422 ); 2423 /** 2424 * @brief Access control check for retrieving audit user ID 2425 * @param cred Subject credential 2426 * 2427 * Determine whether the subject identified by the credential can get 2428 * the user identity being used by the auditing system, using the getauid() 2429 * system call. 2430 * 2431 * @return Return 0 if access is granted, otherwise an appropriate value for 2432 * errno should be returned. 2433 */ 2434 typedef int mpo_proc_check_getauid_t( 2435 kauth_cred_t cred 2436 ); 2437 /** 2438 * @brief Access control check for retrieving ledger information 2439 * @param cred Subject credential 2440 * @param target Object process 2441 * @param op ledger operation 2442 * 2443 * Determine if the ledger(2) system call is permitted. 2444 * 2445 * Information returned by this system call is similar to that returned via 2446 * process listings etc. 2447 * 2448 * @return Return 0 if access is granted, otherwise an appropriate value for 2449 * errno should be returned. 2450 */ 2451 typedef int mpo_proc_check_ledger_t( 2452 kauth_cred_t cred, 2453 struct proc *target, 2454 int op 2455 ); 2456 /** 2457 * @brief Access control check for retrieving process information. 2458 * @param cred Subject credential 2459 * @param target Target process (may be null, may be zombie) * @param callnum Process-information call number * @param flavor Flavor of the process-information call 2460 * 2461 * Determine if a credential has permission to access process information as defined 2462 * by call number and flavor on the target process. 2463 * 2464 * @return Return 0 if access is granted, otherwise an appropriate value for 2465 * errno should be returned. 2466 */ 2467 typedef int mpo_proc_check_proc_info_t( 2468 kauth_cred_t cred, 2469 struct proc *target, 2470 int callnum, 2471 int flavor 2472 ); 2473 /** 2474 * @brief Access control check for retrieving code signing information. 
2475 * @param cred Subject credential 2476 * @param target Target process 2477 * @param op Code signing operation being performed 2478 * 2479 * Determine whether the subject identified by the credential should be 2480 * allowed to get code signing information about the target process. 2481 * 2482 * @return Return 0 if access is granted, otherwise an appropriate value for 2483 * errno should be returned. 2484 */ 2485 typedef int mpo_proc_check_get_cs_info_t( 2486 kauth_cred_t cred, 2487 struct proc *target, 2488 unsigned int op 2489 ); 2490 /** 2491 * @brief Access control check for setting code signing information. 2492 * @param cred Subject credential 2493 * @param target Target process 2494 * @param op Code signing operation being performed. 2495 * 2496 * Determine whether the subject identified by the credential should be 2497 * allowed to set code signing information about the target process. 2498 * 2499 * @return Return 0 if permission is granted, otherwise an appropriate 2500 * value of errno should be returned. 2501 */ 2502 typedef int mpo_proc_check_set_cs_info_t( 2503 kauth_cred_t cred, 2504 struct proc *target, 2505 unsigned int op 2506 ); 2507 /** 2508 * @brief Access control check for mmap MAP_ANON 2509 * @param proc User process requesting the memory 2510 * @param cred Subject credential 2511 * @param u_addr Start address of the memory range 2512 * @param u_size Length of the memory range 2513 * @param prot mmap protections; see mmap(2) 2514 * @param flags Type of mapped object; see mmap(2) 2515 * @param maxprot Maximum rights on the new mapping (in/out; a policy may only clear bits) 2516 * 2517 * Determine whether the subject identified by the credential should be 2518 * allowed to obtain anonymous memory using the specified flags and 2519 * protections on the new mapping. MAP_ANON will always be present in the 2520 * flags. Certain combinations of flags with a non-NULL addr may 2521 * cause a mapping to be rejected before this hook is called. 
The maxprot field 2522 * holds the maximum permissions on the new mapping, a combination of 2523 * VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior 2524 * access control checks, a policy should only remove flags from maxprot. 2525 * 2526 * @return Return 0 if access is granted, otherwise an appropriate value for 2527 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2528 */ 2529 typedef int mpo_proc_check_map_anon_t( 2530 struct proc *proc, 2531 kauth_cred_t cred, 2532 user_addr_t u_addr, 2533 user_size_t u_size, 2534 int prot, 2535 int flags, 2536 int *maxprot 2537 ); 2538 /** 2539 * @brief Access control check for memorystatus_control(2) 2540 * @param cred Subject credential 2541 * @param command Memory status control command 2542 * @param pid Target process id, or 0 2543 * 2544 * Determine whether the subject identified by the credential should 2545 * be allowed to issue the specified memorystatus control command. 2546 * 2547 * @return Return 0 if access is granted, otherwise an appropriate value for 2548 * errno should be returned. 2549 */ 2550 typedef int mpo_proc_check_memorystatus_control_t( 2551 kauth_cred_t cred, 2552 int32_t command, 2553 pid_t pid 2554 ); 2555 /** 2556 * @brief Access control check for setting memory protections 2557 * @param cred Subject credential 2558 * @param proc User process requesting the change 2559 * @param addr Start address of the memory range 2560 * @param size Length of the memory range 2561 * @param prot Memory protections, see mmap(2) 2562 * 2563 * Determine whether the subject identified by the credential should 2564 * be allowed to set the specified memory protections on memory mapped 2565 * in the process proc. 2566 * 2567 * @return Return 0 if access is granted, otherwise an appropriate value for 2568 * errno should be returned. 
2569 */ 2570 typedef int mpo_proc_check_mprotect_t( 2571 kauth_cred_t cred, 2572 struct proc *proc, 2573 user_addr_t addr, 2574 user_size_t size, 2575 int prot 2576 ); 2577 /** 2578 * @brief Access control check for changing scheduling parameters 2579 * @param cred Subject credential 2580 * @param proc Object process 2581 * 2582 * Determine whether the subject identified by the credential can change 2583 * the scheduling parameters of the passed process. 2584 * 2585 * @return Return 0 if access is granted, otherwise an appropriate value for 2586 * errno should be returned. Suggested failure: EACCES for label mismatch, 2587 * EPERM for lack of privilege, or ESRCH to limit visibility. 2588 */ 2589 typedef int mpo_proc_check_sched_t( 2590 kauth_cred_t cred, 2591 struct proc *proc 2592 ); 2593 /** 2594 * @brief Access control check for setting audit information 2595 * @param cred Subject credential 2596 * @param ai Audit information 2597 * 2598 * Determine whether the subject identified by the credential can set 2599 * audit information such as the the preselection mask, the terminal ID 2600 * and the audit session ID, using the setaudit() system call. 2601 * 2602 * @return Return 0 if access is granted, otherwise an appropriate value for 2603 * errno should be returned. 2604 */ 2605 typedef int mpo_proc_check_setaudit_t( 2606 kauth_cred_t cred, 2607 struct auditinfo_addr *ai 2608 ); 2609 /** 2610 * @brief Access control check for setting audit user ID 2611 * @param cred Subject credential 2612 * @param auid Audit user ID 2613 * 2614 * Determine whether the subject identified by the credential can set 2615 * the user identity used by the auditing system, using the setauid() 2616 * system call. 2617 * 2618 * @return Return 0 if access is granted, otherwise an appropriate value for 2619 * errno should be returned. 
2620 */ 2621 typedef int mpo_proc_check_setauid_t( 2622 kauth_cred_t cred, 2623 uid_t auid 2624 ); 2625 /** 2626 * @brief Access control check for delivering signal 2627 * @param cred Subject credential 2628 * @param instigator Process which instigated the signal (optional; may be NULL) 2629 * @param target Object process 2630 * @param signum Signal number; see kill(2) 2631 * 2632 * Determine whether the subject identified by the credential can deliver 2633 * the passed signal to the passed process. 2634 * 2635 * @warning Programs typically expect to be able to send and receive 2636 * signals as part of their normal process lifecycle; caution should be 2637 * exercised when implementing access controls over signal events. 2638 * 2639 * @note Caller will always be current_proc(). But the instigator may be NULL, 2640 * may not be the current proc, and may no longer be running. 2641 * 2642 * @warning Policy implementations must avoid obtaining proc refs of 2643 * two different processes simultaneously. 2644 * 2645 * @return Return 0 if access is granted, otherwise an appropriate value for 2646 * errno should be returned. Suggested failure: EACCES for label mismatch, 2647 * EPERM for lack of privilege, or ESRCH to limit visibility. 2648 */ 2649 #define NEEDS_RDAR_132584934 1 // Required until both EndpointSecurity & Sandbox are updated 2650 typedef int mpo_proc_check_signal_t( 2651 kauth_cred_t cred, 2652 proc_ident_t instigator, 2653 proc_ident_t target, 2654 int signum 2655 ); 2656 /** 2657 * @brief Access control check for MAC syscalls. 2658 * @param proc Subject process 2659 * @param policy MAC policy name 2660 * @param callnum MAC policy-specific syscall number 2661 * 2662 * Determine whether the subject process can perform the passed MAC syscall. 2663 * 2664 * @return Return 0 if access is granted, otherwise an appropriate value for 2665 * errno should be returned. Suggested failure: EPERM for lack of privilege. 
2666 */ 2667 typedef int mpo_proc_check_syscall_mac_t( 2668 struct proc *proc, 2669 const char *policy, 2670 int callnum 2671 ); 2672 /** 2673 * @brief Access control check for Unix syscalls. 2674 * @param proc Subject process 2675 * @param scnum Syscall number; see bsd/kern/syscalls.master. 2676 * 2677 * Determine whether the subject process can perform the passed syscall (number). 2678 * 2679 * @warning Programs typically expect to be able to make syscalls as part of 2680 * their normal process lifecycle; caution should be exercised when restricting 2681 * which syscalls a process can perform. 2682 * 2683 * @return Return 0 if access is granted, otherwise an appropriate value for 2684 * errno should be returned. Suggested failure: EPERM for lack of privilege. 2685 */ 2686 typedef int mpo_proc_check_syscall_unix_t( 2687 struct proc *proc, 2688 int scnum 2689 ); 2690 /** 2691 * @brief Access control check for wait 2692 * @param cred Subject credential 2693 * @param proc Object process 2694 * 2695 * Determine whether the subject identified by the credential can wait 2696 * for process termination. 2697 * 2698 * @warning Caution should be exercised when implementing access 2699 * controls for wait, since programs often wait for child processes to 2700 * exit. Failure to be notified of a child process terminating may 2701 * cause the parent process to hang, or may produce zombie processes. 2702 * 2703 * @return Return 0 if access is granted, otherwise an appropriate value for 2704 * errno should be returned. 2705 */ 2706 typedef int mpo_proc_check_wait_t( 2707 kauth_cred_t cred, 2708 struct proc *proc 2709 ); 2710 /** 2711 * @brief Inform MAC policies that a process has exited. 2712 * @param proc Object process 2713 * 2714 * Called after all of the process's threads have terminated and 2715 * it has been removed from the process list. 
KPI that identifies 2716 * the process by pid will fail to find the process; KPI that 2717 * identifies the process by the object process pointer functions 2718 * normally. proc_exiting() returns true for the object process. 2719 */ 2720 typedef void mpo_proc_notify_exit_t( 2721 struct proc *proc 2722 ); 2723 /** 2724 * @brief Access control check for skywalk flow connect 2725 * @param cred Subject credential 2726 * @param flow Flow object 2727 * @param addr Remote address for flow to send data to 2728 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) 2729 * @param protocol Network protocol (e.g. IPPROTO_TCP) 2730 * 2731 * Determine whether the subject identified by the credential can 2732 * create a flow for sending data to the remote host specified by 2733 * addr. 2734 * 2735 * @return Return 0 if access if granted, otherwise an appropriate 2736 * value for errno should be returned. 2737 */ 2738 typedef int mpo_skywalk_flow_check_connect_t( 2739 kauth_cred_t cred, 2740 void *flow, 2741 const struct sockaddr *addr, 2742 int type, 2743 int protocol 2744 ); 2745 /** 2746 * @brief Access control check for skywalk flow listen 2747 * @param cred Subject credential 2748 * @param flow Flow object 2749 * @param addr Local address for flow to listen on 2750 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM) 2751 * @param protocol Network protocol (e.g. IPPROTO_TCP) 2752 * 2753 * Determine whether the subject identified by the credential can 2754 * create a flow for receiving data on the local address specified 2755 * by addr. 2756 * 2757 * @return Return 0 if access if granted, otherwise an appropriate 2758 * value for errno should be returned. 
2759 */ 2760 typedef int mpo_skywalk_flow_check_listen_t( 2761 kauth_cred_t cred, 2762 void *flow, 2763 const struct sockaddr *addr, 2764 int type, 2765 int protocol 2766 ); 2767 /** 2768 * @brief Access control check for socket accept 2769 * @param cred Subject credential 2770 * @param so Object socket 2771 * @param socklabel Policy label for socket 2772 * 2773 * Determine whether the subject identified by the credential can accept() 2774 * a new connection on the socket (the peer address is not passed to this hook; see mpo_socket_check_accepted_t). 2775 * 2776 * @return Return 0 if access is granted, otherwise an appropriate 2777 * value for errno should be returned. 2778 */ 2779 typedef int mpo_socket_check_accept_t( 2780 kauth_cred_t cred, 2781 socket_t so, 2782 struct label *socklabel 2783 ); 2784 /** 2785 * @brief Access control check for a pending socket accept 2786 * @param cred Subject credential 2787 * @param so Object socket 2788 * @param socklabel Policy label for socket 2789 * @param addr Address of the listening socket (coming soon) 2790 * 2791 * Determine whether the subject identified by the credential can accept() 2792 * a pending connection on the socket from the host specified by addr. 2793 * 2794 * @return Return 0 if access is granted, otherwise an appropriate 2795 * value for errno should be returned. 2796 */ 2797 typedef int mpo_socket_check_accepted_t( 2798 kauth_cred_t cred, 2799 socket_t so, 2800 struct label *socklabel, 2801 struct sockaddr *addr 2802 ); 2803 /** 2804 * @brief Access control check for socket bind 2805 * @param cred Subject credential 2806 * @param so Object socket 2807 * @param socklabel Policy label for socket 2808 * @param addr Name to assign to the socket 2809 * 2810 * Determine whether the subject identified by the credential can bind() 2811 * the name (addr) to the socket. 2812 * 2813 * @return Return 0 if access is granted, otherwise an appropriate 2814 * value for errno should be returned. 
2815 */ 2816 typedef int mpo_socket_check_bind_t( 2817 kauth_cred_t cred, 2818 socket_t so, 2819 struct label *socklabel, 2820 struct sockaddr *addr 2821 ); 2822 /** 2823 * @brief Access control check for socket connect 2824 * @param cred Subject credential 2825 * @param so Object socket 2826 * @param socklabel Policy label for socket 2827 * @param addr Address of the remote host to connect to 2828 * 2829 * Determine whether the subject identified by the credential can 2830 * connect() the passed socket to the remote host specified by addr. 2831 * 2832 * @return Return 0 if access is granted, otherwise an appropriate 2833 * value for errno should be returned. 2834 */ 2835 typedef int mpo_socket_check_connect_t( 2836 kauth_cred_t cred, 2837 socket_t so, 2838 struct label *socklabel, 2839 struct sockaddr *addr 2840 ); 2841 /** 2842 * @brief Access control check for socket() system call. 2843 * @param cred Subject credential 2844 * @param domain communication domain 2845 * @param type socket type 2846 * @param protocol socket protocol 2847 * 2848 * Determine whether the subject identified by the credential can 2849 * make the socket() call. 2850 * 2851 * @return Return 0 if access is granted, otherwise an appropriate 2852 * value for errno should be returned. 2853 */ 2854 typedef int mpo_socket_check_create_t( 2855 kauth_cred_t cred, 2856 int domain, 2857 int type, 2858 int protocol 2859 ); 2860 /** 2861 * @brief Access control check for socket ioctl. 2862 * @param cred Subject credential 2863 * @param so Object socket 2864 * @param cmd The ioctl command; see ioctl(2) 2865 * @param socklabel Policy label for socket 2866 * 2867 * Determine whether the subject identified by the credential can perform 2868 * the ioctl operation indicated by cmd on the given socket. 
2869 * 2870 * @warning Since ioctl data is opaque from the standpoint of the MAC 2871 * framework, and since ioctls can affect many aspects of system 2872 * operation, policies must exercise extreme care when implementing 2873 * access control checks. 2874 * 2875 * @return Return 0 if access is granted, otherwise an appropriate value for 2876 * errno should be returned. 2877 */ 2878 typedef int mpo_socket_check_ioctl_t( 2879 kauth_cred_t cred, 2880 socket_t so, 2881 unsigned long cmd, 2882 struct label *socklabel 2883 ); 2884 /** 2885 * @brief Access control check for socket listen 2886 * @param cred Subject credential 2887 * @param so Object socket 2888 * @param socklabel Policy label for socket 2889 * 2890 * Determine whether the subject identified by the credential can 2891 * listen() on the passed socket. 2892 * 2893 * @return Return 0 if access is granted, otherwise an appropriate 2894 * value for errno should be returned. 2895 */ 2896 typedef int mpo_socket_check_listen_t( 2897 kauth_cred_t cred, 2898 socket_t so, 2899 struct label *socklabel 2900 ); 2901 /** 2902 * @brief Access control check for socket receive 2903 * @param cred Subject credential 2904 * @param so Object socket 2905 * @param socklabel Policy label for socket 2906 * 2907 * Determine whether the subject identified by the credential can 2908 * receive data from the socket. 2909 * 2910 * @return Return 0 if access is granted, otherwise an appropriate 2911 * value for errno should be returned. 2912 */ 2913 typedef int mpo_socket_check_receive_t( 2914 kauth_cred_t cred, 2915 socket_t so, 2916 struct label *socklabel 2917 ); 2918 2919 /** 2920 * @brief Access control check for socket receive from a specific remote host 2921 * @param cred Subject credential 2922 * @param sock Object socket 2923 * @param socklabel Policy label for socket 2924 * @param saddr Name of the remote socket 2925 * 2926 * Determine whether the subject identified by the credential can 2927 * receive data from the remote host specified by saddr. 
2928 * 2929 * @return Return 0 if access if granted, otherwise an appropriate 2930 * value for errno should be returned. 2931 */ 2932 typedef int mpo_socket_check_received_t( 2933 kauth_cred_t cred, 2934 struct socket *sock, 2935 struct label *socklabel, 2936 struct sockaddr *saddr 2937 ); 2938 2939 /** 2940 * @brief Access control check for socket send 2941 * @param cred Subject credential 2942 * @param so Object socket 2943 * @param socklabel Policy label for socket 2944 * @param addr Address being sent to 2945 * 2946 * Determine whether the subject identified by the credential can send 2947 * data to the socket. 2948 * 2949 * @return Return 0 if access if granted, otherwise an appropriate 2950 * value for errno should be returned. 2951 */ 2952 typedef int mpo_socket_check_send_t( 2953 kauth_cred_t cred, 2954 socket_t so, 2955 struct label *socklabel, 2956 struct sockaddr *addr 2957 ); 2958 /** 2959 * @brief Access control check for retrieving socket status 2960 * @param cred Subject credential 2961 * @param so Object socket 2962 * @param socklabel Policy label for so 2963 * 2964 * Determine whether the subject identified by the credential can 2965 * execute the stat() system call on the given socket. 2966 * 2967 * @return Return 0 if access if granted, otherwise an appropriate 2968 * value for errno should be returned. 2969 */ 2970 typedef int mpo_socket_check_stat_t( 2971 kauth_cred_t cred, 2972 socket_t so, 2973 struct label *socklabel 2974 ); 2975 /** 2976 * @brief Access control check for setting socket options 2977 * @param cred Subject credential 2978 * @param so Object socket 2979 * @param socklabel Policy label for so 2980 * @param sopt The options being set 2981 * 2982 * Determine whether the subject identified by the credential can 2983 * execute the setsockopt system call on the given socket. 2984 * 2985 * @return Return 0 if access if granted, otherwise an appropriate 2986 * value for errno should be returned. 
2987 */ 2988 typedef int mpo_socket_check_setsockopt_t( 2989 kauth_cred_t cred, 2990 socket_t so, 2991 struct label *socklabel, 2992 struct sockopt *sopt 2993 ); 2994 /** 2995 * @brief Access control check for getting socket options 2996 * @param cred Subject credential 2997 * @param so Object socket 2998 * @param socklabel Policy label for so 2999 * @param sopt The options to get 3000 * 3001 * Determine whether the subject identified by the credential can 3002 * execute the getsockopt system call on the given socket. 3003 * 3004 * @return Return 0 if access if granted, otherwise an appropriate 3005 * value for errno should be returned. 3006 */ 3007 typedef int mpo_socket_check_getsockopt_t( 3008 kauth_cred_t cred, 3009 socket_t so, 3010 struct label *socklabel, 3011 struct sockopt *sopt 3012 ); 3013 /** 3014 * @brief Access control check for enabling accounting 3015 * @param cred Subject credential 3016 * @param vp Accounting file 3017 * @param vlabel Label associated with vp 3018 * 3019 * Determine whether the subject should be allowed to enable accounting, 3020 * based on its label and the label of the accounting log file. See 3021 * acct(5) for more information. 3022 * 3023 * As accounting is disabled by passing NULL to the acct(2) system call, 3024 * the policy should be prepared for both 'vp' and 'vlabel' to be NULL. 3025 * 3026 * @return Return 0 if access is granted, otherwise an appropriate value for 3027 * errno should be returned. 3028 */ 3029 typedef int mpo_system_check_acct_t( 3030 kauth_cred_t cred, 3031 struct vnode *vp, 3032 struct label *vlabel 3033 ); 3034 /** 3035 * @brief Access control check for audit 3036 * @param cred Subject credential 3037 * @param record Audit record 3038 * @param length Audit record length 3039 * 3040 * Determine whether the subject identified by the credential can submit 3041 * an audit record for inclusion in the audit log via the audit() system call. 
3042 * 3043 * @return Return 0 if access is granted, otherwise an appropriate value for 3044 * errno should be returned. 3045 */ 3046 typedef int mpo_system_check_audit_t( 3047 kauth_cred_t cred, 3048 void *record, 3049 int length 3050 ); 3051 /** 3052 * @brief Access control check for controlling audit 3053 * @param cred Subject credential 3054 * @param vp Audit file 3055 * @param vl Label associated with vp 3056 * 3057 * Determine whether the subject should be allowed to enable auditing using 3058 * the auditctl() system call, based on its label and the label of the proposed 3059 * audit file. 3060 * 3061 * @return Return 0 if access is granted, otherwise an appropriate value for 3062 * errno should be returned. 3063 */ 3064 typedef int mpo_system_check_auditctl_t( 3065 kauth_cred_t cred, 3066 struct vnode *vp, 3067 struct label *vl 3068 ); 3069 /** 3070 * @brief Access control check for manipulating auditing 3071 * @param cred Subject credential 3072 * @param cmd Audit control command 3073 * 3074 * Determine whether the subject identified by the credential can perform 3075 * the audit subsystem control operation cmd via the auditon() system call. 3076 * 3077 * @return Return 0 if access is granted, otherwise an appropriate value for 3078 * errno should be returned. 3079 */ 3080 typedef int mpo_system_check_auditon_t( 3081 kauth_cred_t cred, 3082 int cmd 3083 ); 3084 /** 3085 * @brief Access control check for obtaining the host control port 3086 * @param cred Subject credential 3087 * 3088 * Determine whether the subject identified by the credential can 3089 * obtain the host control port. 3090 * 3091 * @return Return 0 if access is granted, or non-zero otherwise. 
3092 */ 3093 typedef int mpo_system_check_host_priv_t( 3094 kauth_cred_t cred 3095 ); 3096 /** 3097 * @brief Access control check for obtaining system information 3098 * @param cred Subject credential 3099 * @param info_type A description of the information requested 3100 * 3101 * Determine whether the subject identified by the credential should be 3102 * allowed to obtain information about the system. 3103 * 3104 * This is a generic hook that can be used in a variety of situations where 3105 * information is being returned that might be considered sensitive. 3106 * Rather than adding a new MAC hook for every such interface, this hook can 3107 * be called with a string identifying the type of information requested. 3108 * 3109 * @return Return 0 if access is granted, otherwise an appropriate value for 3110 * errno should be returned. 3111 */ 3112 typedef int mpo_system_check_info_t( 3113 kauth_cred_t cred, 3114 const char *info_type 3115 ); 3116 /** 3117 * @brief Access control check for calling NFS services 3118 * @param cred Subject credential 3119 * 3120 * Determine whether the subject identified by the credential should be 3121 * allowed to call nfssrv(2). 3122 * 3123 * @return Return 0 if access is granted, otherwise an appropriate value for 3124 * errno should be returned. 3125 */ 3126 typedef int mpo_system_check_nfsd_t( 3127 kauth_cred_t cred 3128 ); 3129 /** 3130 * @brief Access control check for reboot 3131 * @param cred Subject credential 3132 * @param howto howto parameter from reboot(2) 3133 * 3134 * Determine whether the subject identified by the credential should be 3135 * allowed to reboot the system in the specified manner. 3136 * 3137 * @return Return 0 if access is granted, otherwise an appropriate value for 3138 * errno should be returned. 
3139 */ 3140 typedef int mpo_system_check_reboot_t( 3141 kauth_cred_t cred, 3142 int howto 3143 ); 3144 /** 3145 * @brief Access control check for setting system clock 3146 * @param cred Subject credential 3147 * 3148 * Determine whether the subject identified by the credential should be 3149 * allowed to set the system clock. 3150 * 3151 * @return Return 0 if access is granted, otherwise an appropriate value for 3152 * errno should be returned. 3153 */ 3154 typedef int mpo_system_check_settime_t( 3155 kauth_cred_t cred 3156 ); 3157 /** 3158 * @brief Access control check for removing swap devices 3159 * @param cred Subject credential 3160 * @param vp Swap device 3161 * @param label Label associated with vp 3162 * 3163 * Determine whether the subject identified by the credential should be 3164 * allowed to remove vp as a swap device. 3165 * 3166 * @return Return 0 if access is granted, otherwise an appropriate value for 3167 * errno should be returned. 3168 */ 3169 typedef int mpo_system_check_swapoff_t( 3170 kauth_cred_t cred, 3171 struct vnode *vp, 3172 struct label *label 3173 ); 3174 /** 3175 * @brief Access control check for adding swap devices 3176 * @param cred Subject credential 3177 * @param vp Swap device 3178 * @param label Label associated with vp 3179 * 3180 * Determine whether the subject identified by the credential should be 3181 * allowed to add vp as a swap device. 3182 * 3183 * @return Return 0 if access is granted, otherwise an appropriate value for 3184 * errno should be returned. 3185 */ 3186 typedef int mpo_system_check_swapon_t( 3187 kauth_cred_t cred, 3188 struct vnode *vp, 3189 struct label *label 3190 ); 3191 /** 3192 * @brief Access control check for sysctl 3193 * @param cred Subject credential 3194 * @param namestring String representation of sysctl name. 
3195 * @param name Integer name; see sysctl(3) 3196 * @param namelen Length of name array of integers; see sysctl(3) 3197 * @param old 0 or address where to store old value; see sysctl(3) 3198 * @param oldlen Length of old buffer; see sysctl(3) 3199 * @param newvalue 0 or address of new value; see sysctl(3) 3200 * @param newlen Length of new buffer; see sysctl(3) 3201 * 3202 * Determine whether the subject identified by the credential should be 3203 * allowed to make the specified sysctl(3) transaction. 3204 * 3205 * The sysctl(3) call specifies that if the old value is not desired, 3206 * oldp and oldlenp should be set to NULL. Likewise, if a new value is 3207 * not to be set, newp should be set to NULL and newlen set to 0. 3208 * 3209 * @return Return 0 if access is granted, otherwise an appropriate value for 3210 * errno should be returned. 3211 */ 3212 typedef int mpo_system_check_sysctlbyname_t( 3213 kauth_cred_t cred, 3214 const char *namestring, 3215 int *name, 3216 size_t namelen, 3217 user_addr_t old, /* NULLOK */ 3218 size_t oldlen, 3219 user_addr_t newvalue, /* NULLOK */ 3220 size_t newlen 3221 ); 3222 /** 3223 * @brief Access control check for kas_info 3224 * @param cred Subject credential 3225 * @param selector Category of information to return. See kas_info.h 3226 * 3227 * Determine whether the subject identified by the credential can perform 3228 * introspection of the kernel address space layout for 3229 * debugging/performance analysis. 3230 * 3231 * @return Return 0 if access is granted, otherwise an appropriate value for 3232 * errno should be returned. 
3233 */ 3234 typedef int mpo_system_check_kas_info_t( 3235 kauth_cred_t cred, 3236 int selector 3237 ); 3238 /** 3239 * @brief Create a System V message label 3240 * @param cred Subject credential 3241 * @param msqptr The message queue the message will be placed in 3242 * @param msqlabel The label of the message queue 3243 * @param msgptr The message 3244 * @param msglabel The label of the message 3245 * 3246 * Label the message as it is placed in the message queue. 3247 */ 3248 typedef void mpo_sysvmsg_label_associate_t( 3249 kauth_cred_t cred, 3250 struct msqid_kernel *msqptr, 3251 struct label *msqlabel, 3252 struct msg *msgptr, 3253 struct label *msglabel 3254 ); 3255 /** 3256 * @brief Destroy System V message label 3257 * @param label The label to be destroyed 3258 * 3259 * Destroy a System V message label. Since the object is 3260 * going out of scope, policy modules should free any internal storage 3261 * associated with the label so that it may be destroyed. 3262 */ 3263 typedef void mpo_sysvmsg_label_destroy_t( 3264 struct label *label 3265 ); 3266 /** 3267 * @brief Initialize System V message label 3268 * @param label New label to initialize 3269 * 3270 * Initialize the label for a newly instantiated System V message. 3271 */ 3272 typedef void mpo_sysvmsg_label_init_t( 3273 struct label *label 3274 ); 3275 /** 3276 * @brief Clean up a System V message label 3277 * @param label The label to be cleaned 3278 * 3279 * Clean up a System V message label. Darwin pre-allocates 3280 * messages at system boot time and re-uses them rather than 3281 * allocating new ones. Before messages are returned to the "free 3282 * pool", policies can clean up or overwrite any information present in 3283 * the label. 
3284 */ 3285 typedef void mpo_sysvmsg_label_recycle_t( 3286 struct label *label 3287 ); 3288 /** 3289 * @brief Access control check for System V message enqueuing 3290 * @param cred Subject credential 3291 * @param msgptr The message 3292 * @param msglabel The message's label 3293 * @param msqptr The message queue 3294 * @param msqlabel The message queue's label 3295 * 3296 * Determine whether the subject identified by the credential can add the 3297 * given message to the given message queue. 3298 * 3299 * @return Return 0 if access is granted, otherwise an appropriate value for 3300 * errno should be returned. 3301 */ 3302 typedef int mpo_sysvmsq_check_enqueue_t( 3303 kauth_cred_t cred, 3304 struct msg *msgptr, 3305 struct label *msglabel, 3306 struct msqid_kernel *msqptr, 3307 struct label *msqlabel 3308 ); 3309 /** 3310 * @brief Access control check for System V message reception 3311 * @param cred The credential of the intended recipient 3312 * @param msgptr The message 3313 * @param msglabel The message's label 3314 * 3315 * Determine whether the subject identified by the credential can receive 3316 * the given message. 3317 * 3318 * @return Return 0 if access is granted, otherwise an appropriate value for 3319 * errno should be returned. 3320 */ 3321 typedef int mpo_sysvmsq_check_msgrcv_t( 3322 kauth_cred_t cred, 3323 struct msg *msgptr, 3324 struct label *msglabel 3325 ); 3326 /** 3327 * @brief Access control check for System V message queue removal 3328 * @param cred The credential of the caller 3329 * @param msgptr The message 3330 * @param msglabel The message's label 3331 * 3332 * System V message queues are removed using the msgctl() system call. 3333 * The system will iterate over each message in the queue, calling this 3334 * function for each, to determine whether the caller has the appropriate 3335 * credentials. 3336 * 3337 * @return Return 0 if access is granted, otherwise an appropriate value for 3338 * errno should be returned. 
3339 */ 3340 typedef int mpo_sysvmsq_check_msgrmid_t( 3341 kauth_cred_t cred, 3342 struct msg *msgptr, 3343 struct label *msglabel 3344 ); 3345 /** 3346 * @brief Access control check for msgctl() 3347 * @param cred The credential of the caller 3348 * @param msqptr The message queue 3349 * @param msqlabel The message queue's label * @param cmd The msgctl() command to be performed 3350 * 3351 * This check is performed to determine whether the caller may perform the msgctl() operation cmd on the given queue. 3352 * 3353 * @return Return 0 if access is granted, otherwise an appropriate value for 3354 * errno should be returned. 3355 */ 3356 typedef int mpo_sysvmsq_check_msqctl_t( 3357 kauth_cred_t cred, 3358 struct msqid_kernel *msqptr, 3359 struct label *msqlabel, 3360 int cmd 3361 ); 3362 /** 3363 * @brief Access control check to get a System V message queue 3364 * @param cred The credential of the caller 3365 * @param msqptr The message queue requested 3366 * @param msqlabel The message queue's label 3367 * 3368 * On a call to msgget(), if the queue requested already exists, 3369 * and it is a public queue, this check will be performed before the 3370 * queue's ID is returned to the user. 3371 * 3372 * @return Return 0 if access is granted, otherwise an appropriate value for 3373 * errno should be returned. 3374 */ 3375 typedef int mpo_sysvmsq_check_msqget_t( 3376 kauth_cred_t cred, 3377 struct msqid_kernel *msqptr, 3378 struct label *msqlabel 3379 ); 3380 /** 3381 * @brief Access control check to receive a System V message from the given queue 3382 * @param cred The credential of the caller 3383 * @param msqptr The message queue to receive from 3384 * @param msqlabel The message queue's label 3385 * 3386 * On a call to msgrcv(), this check is performed to determine whether the 3387 * caller has receive rights on the given queue. 3388 * 3389 * @return Return 0 if access is granted, otherwise an appropriate value for 3390 * errno should be returned. 
3391 */ 3392 typedef int mpo_sysvmsq_check_msqrcv_t( 3393 kauth_cred_t cred, 3394 struct msqid_kernel *msqptr, 3395 struct label *msqlabel 3396 ); 3397 /** 3398 * @brief Access control check to send a System V message to the given queue 3399 * @param cred The credential of the caller 3400 * @param msqptr The message queue to send to 3401 * @param msqlabel The message queue's label 3402 * 3403 * On a call to msgsnd(), this check is performed to determine whether the 3404 * caller has send rights on the given queue. 3405 * 3406 * @return Return 0 if access is granted, otherwise an appropriate value for 3407 * errno should be returned. 3408 */ 3409 typedef int mpo_sysvmsq_check_msqsnd_t( 3410 kauth_cred_t cred, 3411 struct msqid_kernel *msqptr, 3412 struct label *msqlabel 3413 ); 3414 /** 3415 * @brief Create a System V message queue label 3416 * @param cred Subject credential 3417 * @param msqptr The message queue being created 3418 * @param msqlabel The label of the message queue 3419 * * Label a newly created System V message queue. 3420 */ 3421 typedef void mpo_sysvmsq_label_associate_t( 3422 kauth_cred_t cred, 3423 struct msqid_kernel *msqptr, 3424 struct label *msqlabel 3425 ); 3426 /** 3427 * @brief Destroy System V message queue label 3428 * @param label The label to be destroyed 3429 * 3430 * Destroy a System V message queue label. Since the object is 3431 * going out of scope, policy modules should free any internal storage 3432 * associated with the label so that it may be destroyed. 3433 */ 3434 typedef void mpo_sysvmsq_label_destroy_t( 3435 struct label *label 3436 ); 3437 /** 3438 * @brief Initialize System V message queue label 3439 * @param label New label to initialize 3440 * 3441 * Initialize the label for a newly instantiated System V message queue. 3442 */ 3443 typedef void mpo_sysvmsq_label_init_t( 3444 struct label *label 3445 ); 3446 /** 3447 * @brief Clean up a System V message queue label 3448 * @param label The label to be cleaned 3449 * 3450 * Clean up a System V message queue label. 
Darwin pre-allocates 3451 * message queues at system boot time and re-uses them rather than 3452 * allocating new ones. Before message queues are returned to the "free 3453 * pool", policies can cleanup or overwrite any information present in 3454 * the label. 3455 */ 3456 typedef void mpo_sysvmsq_label_recycle_t( 3457 struct label *label 3458 ); 3459 /** 3460 * @brief Access control check for System V semaphore control operation 3461 * @param cred Subject credential 3462 * @param semakptr Pointer to semaphore identifier 3463 * @param semaklabel Label associated with semaphore 3464 * @param cmd Control operation to be performed; see semctl(2) 3465 * 3466 * Determine whether the subject identified by the credential can perform 3467 * the operation indicated by cmd on the System V semaphore semakptr. 3468 * 3469 * @return Return 0 if access is granted, otherwise an appropriate value for 3470 * errno should be returned. 3471 */ 3472 typedef int mpo_sysvsem_check_semctl_t( 3473 kauth_cred_t cred, 3474 struct semid_kernel *semakptr, 3475 struct label *semaklabel, 3476 int cmd 3477 ); 3478 /** 3479 * @brief Access control check for obtaining a System V semaphore 3480 * @param cred Subject credential 3481 * @param semakptr Pointer to semaphore identifier 3482 * @param semaklabel Label to associate with the semaphore 3483 * 3484 * Determine whether the subject identified by the credential can 3485 * obtain a System V semaphore. 3486 * 3487 * @return Return 0 if access is granted, otherwise an appropriate value for 3488 * errno should be returned. 
3489 */ 3490 typedef int mpo_sysvsem_check_semget_t( 3491 kauth_cred_t cred, 3492 struct semid_kernel *semakptr, 3493 struct label *semaklabel 3494 ); 3495 /** 3496 * @brief Access control check for System V semaphore operations 3497 * @param cred Subject credential 3498 * @param semakptr Pointer to semaphore identifier 3499 * @param semaklabel Label associated with the semaphore 3500 * @param accesstype Flags to indicate access (read and/or write) 3501 * 3502 * Determine whether the subject identified by the credential can 3503 * perform the operations on the System V semaphore indicated by 3504 * semakptr. The accesstype flags hold the maximum set of permissions 3505 * from the sem_op array passed to the semop system call. It may 3506 * contain SEM_R for read-only operations or SEM_A for read/write 3507 * operations. 3508 * 3509 * @return Return 0 if access is granted, otherwise an appropriate value for 3510 * errno should be returned. 3511 */ 3512 typedef int mpo_sysvsem_check_semop_t( 3513 kauth_cred_t cred, 3514 struct semid_kernel *semakptr, 3515 struct label *semaklabel, 3516 size_t accesstype 3517 ); 3518 /** 3519 * @brief Create a System V semaphore label 3520 * @param cred Subject credential 3521 * @param semakptr The semaphore being created 3522 * @param semalabel Label to associate with the new semaphore 3523 * 3524 * Label a new System V semaphore. The label was previously 3525 * initialized and associated with the semaphore. At this time, an 3526 * appropriate initial label value should be assigned to the object and 3527 * stored in semalabel. 3528 */ 3529 typedef void mpo_sysvsem_label_associate_t( 3530 kauth_cred_t cred, 3531 struct semid_kernel *semakptr, 3532 struct label *semalabel 3533 ); 3534 /** 3535 * @brief Destroy System V semaphore label 3536 * @param label The label to be destroyed 3537 * 3538 * Destroy a System V semaphore label. 
Since the object is 3539 * going out of scope, policy modules should free any internal storage 3540 * associated with the label so that it may be destroyed. 3541 */ 3542 typedef void mpo_sysvsem_label_destroy_t( 3543 struct label *label 3544 ); 3545 /** 3546 * @brief Initialize System V semaphore label 3547 * @param label New label to initialize 3548 * 3549 * Initialize the label for a newly instantiated System V semaphore. Sleeping 3550 * is permitted. 3551 */ 3552 typedef void mpo_sysvsem_label_init_t( 3553 struct label *label 3554 ); 3555 /** 3556 * @brief Clean up a System V semaphore label 3557 * @param label The label to be cleaned 3558 * 3559 * Clean up a System V semaphore label. Darwin pre-allocates 3560 * semaphores at system boot time and re-uses them rather than 3561 * allocating new ones. Before semaphores are returned to the "free 3562 * pool", policies can cleanup or overwrite any information present in 3563 * the label. 3564 */ 3565 typedef void mpo_sysvsem_label_recycle_t( 3566 struct label *label 3567 ); 3568 /** 3569 * @brief Access control check for mapping System V shared memory 3570 * @param cred Subject credential 3571 * @param shmsegptr Pointer to shared memory segment identifier 3572 * @param shmseglabel Label associated with the shared memory segment 3573 * @param shmflg shmat flags; see shmat(2) 3574 * 3575 * Determine whether the subject identified by the credential can map 3576 * the System V shared memory segment associated with shmsegptr. 3577 * 3578 * @return Return 0 if access is granted, otherwise an appropriate value for 3579 * errno should be returned. 
 */
typedef int mpo_sysvshm_check_shmat_t(
    kauth_cred_t cred,
    struct shmid_kernel *shmsegptr,
    struct label *shmseglabel,
    int shmflg
);
/**
 * @brief Access control check for System V shared memory control operation
 * @param cred Subject credential
 * @param shmsegptr Pointer to shared memory segment identifier
 * @param shmseglabel Label associated with the shared memory segment
 * @param cmd Control operation to be performed; see shmctl(2)
 *
 * Determine whether the subject identified by the credential can perform
 * the operation indicated by cmd on the System V shared memory segment
 * shmsegptr.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_sysvshm_check_shmctl_t(
    kauth_cred_t cred,
    struct shmid_kernel *shmsegptr,
    struct label *shmseglabel,
    int cmd
);
/**
 * @brief Access control check for unmapping System V shared memory
 * @param cred Subject credential
 * @param shmsegptr Pointer to shared memory segment identifier
 * @param shmseglabel Label associated with the shared memory segment
 *
 * Determine whether the subject identified by the credential can unmap
 * the System V shared memory segment associated with shmsegptr.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_sysvshm_check_shmdt_t(
    kauth_cred_t cred,
    struct shmid_kernel *shmsegptr,
    struct label *shmseglabel
);
/**
 * @brief Access control check for obtaining a System V shared memory identifier
 * @param cred Subject credential
 * @param shmsegptr Pointer to shared memory segment identifier
 * @param shmseglabel Label associated with the shared memory segment
 * @param shmflg shmget flags; see shmget(2)
 *
 * Determine whether the subject identified by the credential can obtain
 * the identifier of the System V shared memory segment associated with
 * shmsegptr.  Obtaining the identifier does not map the segment; mapping
 * is checked separately by mpo_sysvshm_check_shmat_t.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_sysvshm_check_shmget_t(
    kauth_cred_t cred,
    struct shmid_kernel *shmsegptr,
    struct label *shmseglabel,
    int shmflg
);
/**
 * @brief Create a System V shared memory region label
 * @param cred Subject credential
 * @param shmsegptr The shared memory region being created
 * @param shmlabel Label to associate with the new shared memory region
 *
 * Label a new System V shared memory region.  The label was previously
 * initialized and associated with the shared memory region.  At this
 * time, an appropriate initial label value should be assigned to the
 * object and stored in shmlabel.
 */
typedef void mpo_sysvshm_label_associate_t(
    kauth_cred_t cred,
    struct shmid_kernel *shmsegptr,
    struct label *shmlabel
);
/**
 * @brief Destroy System V shared memory label
 * @param label The label to be destroyed
 *
 * Destroy a System V shared memory region label.  Since the
 * object is going out of scope, policy modules should free any
 * internal storage associated with the label so that it may be
 * destroyed.
 */
typedef void mpo_sysvshm_label_destroy_t(
    struct label *label
);
/**
 * @brief Initialize System V Shared Memory region label
 * @param label New label to initialize
 *
 * Initialize the label for a newly instantiated System V Shared Memory
 * region.  Sleeping is permitted.
 */
typedef void mpo_sysvshm_label_init_t(
    struct label *label
);
/**
 * @brief Clean up a System V Shared Memory Region label
 * @param shmlabel The label to be cleaned
 *
 * Clean up a System V Shared Memory Region label.  Darwin
 * pre-allocates these objects at system boot time and re-uses them
 * rather than allocating new ones.  Before the memory regions are
 * returned to the "free pool", policies can cleanup or overwrite any
 * information present in the label.
 *
 * Because the object is recycled rather than destroyed, any per-object
 * state a policy leaves in the label here is carried over to whichever
 * subject next obtains the region; policies that store anything in the
 * label should clear it in this hook.
 */
typedef void mpo_sysvshm_label_recycle_t(
    struct label *shmlabel
);

/**
 * @brief Access control check for getting a process's task ports of different flavors
 * @param cred Subject credential
 * @param pident Object unique process identifier
 * @param flavor Requested task port flavor
 *
 * Determine whether the subject identified by the credential can get
 * the passed process's task port of given flavor.
 * This call is used by the task_{,read,inspect,name}_for_pid(2) API.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.  Suggested failure: EACCES for label mismatch,
 * EPERM for lack of privilege, or ESRCH to hide visibility of the target.
 */
typedef int mpo_proc_check_get_task_with_flavor_t(
    kauth_cred_t cred,
    struct proc_ident *pident,
    mach_task_flavor_t flavor
);

/**
 * @brief Access control check for exposing a process's task ports of different flavors
 * @param cred Subject credential
 * @param pident Object unique process identifier
 * @param flavor Requested task port flavor
 *
 * Determine whether the subject identified by the credential can expose
 * the passed process's task port of given flavor.
 * This call is used by the accessor APIs like processor_set_tasks() and
 * processor_set_threads().
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.  Suggested failure: EACCES for label mismatch,
 * EPERM for lack of privilege, or ESRCH to hide visibility of the target.
 */
typedef int mpo_proc_check_expose_task_with_flavor_t(
    kauth_cred_t cred,
    struct proc_ident *pident,
    mach_task_flavor_t flavor
);

/**
 * @brief Access control check for upgrading to task port with a task identity token
 * @param cred Subject credential
 * @param pident Object unique process identifier, NULL if token represents a corpse task
 * @param flavor Requested task port flavor
 *
 * Determine whether the subject identified by the credential can upgrade to task port
 * of given flavor with a task identity token of the passed process.
 * This call is used by task_identity_token_get_task_port().
 *
 * Policies must handle a NULL pident (corpse task) without dereferencing it.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.  Suggested failure: EACCES for label mismatch,
 * EPERM for lack of privilege, or ESRCH to hide visibility of the target.
 */
typedef int mpo_proc_check_task_id_token_get_task_t(
    kauth_cred_t cred,
    struct proc_ident *pident, /* Nullable */
    mach_task_flavor_t flavor
);

/**
 * @brief Check whether task's IPC may inherit across process exec
 * @param p current process instance
 * @param cur_vp vnode pointer to current instance
 * @param cur_offset offset of binary of currently executing image
 * @param img_vp vnode pointer to the image about to be exec'ed
 * @param img_offset offset into file which is selected for execution
 * @param scriptvp vnode pointer of script file if any.
 * @return Return 0 if access is granted.
 *         EPERM if parent does not have any entitlements.
 *         EACCES if mismatch in entitlements
 */
typedef int mpo_proc_check_inherit_ipc_ports_t(
    struct proc *p,
    struct vnode *cur_vp,
    off_t cur_offset,
    struct vnode *img_vp,
    off_t img_offset,
    struct vnode *scriptvp
);

/**
 * @brief Access control check for iopolicysys
 * @param p current process instance
 * @param cred Subject credential
 * @param cmd Command into I/O policy (e.g. IOPOL_CMD_GET or IOPOL_CMD_SET)
 * @param type Type of I/O policy (e.g. IOPOL_TYPE_DISK)
 * @param scope Scope of the I/O policy (e.g IOPOL_SCOPE_PROCESS)
 * @param policy Priority of the I/O policy (e.g. IOPOL_IMPORTANT)
 *
 * Determine whether the subject identified by the credential can perform
 * the I/O policy type within the scope.
 *
 * Note the parameter order: cmd precedes type in the signature, and both
 * are plain ints, so a policy that confuses the two compiles silently.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_proc_check_iopolicysys_t(
    struct proc *p,
    kauth_cred_t cred,
    int cmd,
    int type,
    int scope,
    int policy
);

/**
 * @brief Privilege check for a process to run invalid
 * @param p Object process
 *
 * Determine whether the process may execute even though the system determined
 * that it is untrusted (e.g. unidentified / modified code).
 *
 * Returning 0 here overrides a code-signing failure the kernel has already
 * detected, so a policy should grant this only for a deliberately scoped set
 * of processes; a permissive default disables code-signing enforcement for
 * every process the policy sees.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_proc_check_run_cs_invalid_t(
    struct proc *p
);

/**
 * @brief Notification a process was invalidated
 * @param p Object process
 *
 * Notifies that the CS_VALID bit was removed from a process' csflags.  This
 * either indicates that a validly code-signed process has encountered an
 * invalidly code-signed page for the first time, or that it was explicitly
 * marked invalid via a csops(CS_OPS_MARKINVALID) syscall.
 *
 * @warning This hook can be called from the page fault handler; it should not
 * perform any operations that may result in paging, and stack space is extremely
 * limited.  Furthermore, the hook is called with proc lock held, and if called
 * from the fault handler, with vm object lock held.  Consumers reacting to this
 * hook being called are expected to defer processing to a userret, possibly
 * after suspending the task.
 */
typedef void mpo_proc_notify_cs_invalidated_t(
    struct proc *p
);

/**
 * @brief Notification a process is finished with exec and will jump to userspace
 * @param p Object process
 *
 * Notifies all MAC policies that a process has completed an exec and is about to
 * jump to userspace to continue execution.  This may result in process termination
 * via signals.  Hook is designed to hold no/minimal locks so it can be used for any
 * necessary upcalls.
 */
typedef void mpo_proc_notify_exec_complete_t(
    struct proc *p
);

/**
 * @brief Access control check for setting user ID
 * @param cred Subject credential
 * @param uid Requested user ID
 *
 * Determine whether the subject identified by the credential can set the
 * real and effective user ID and the saved set-user-ID of the current
 * process, using the setuid() system call.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_proc_check_setuid_t(
    kauth_cred_t cred,
    uid_t uid
);

/**
 * @brief Access control check for setting effective user ID
 * @param cred Subject credential
 * @param euid Requested effective user ID
 *
 * Determine whether the subject identified by the credential can set the
 * effective user ID of the current process, using the seteuid() system call.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_proc_check_seteuid_t(
    kauth_cred_t cred,
    uid_t euid
);

/**
 * @brief Access control check for setting real and effective user ID
 * @param cred Subject credential
 * @param ruid Requested real user ID
 * @param euid Requested effective user ID
 *
 * Determine whether the subject identified by the credential can set the
 * real and effective user ID of the current process, using the setreuid()
 * system call.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_proc_check_setreuid_t(
    kauth_cred_t cred,
    uid_t ruid,
    uid_t euid
);

/**
 * @brief Access control check for setting group ID
 * @param cred Subject credential
 * @param gid Requested group ID
 *
 * Determine whether the subject identified by the credential can set the
 * real and effective group IDs and the saved set-group-ID of the current
 * process, using the setgid() system call.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_proc_check_setgid_t(
    kauth_cred_t cred,
    gid_t gid
);

/**
 * @brief Access control check for setting effective group ID
 * @param cred Subject credential
 * @param egid Requested effective group ID
 *
 * Determine whether the subject identified by the credential can set the
 * effective group ID of the current process, using the setegid() system call.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_proc_check_setegid_t(
    kauth_cred_t cred,
    gid_t egid
);

/**
 * @brief Access control check for setting real and effective group ID
 * @param cred Subject credential
 * @param rgid Requested real group ID or KAUTH_GID_NONE for none
 * @param egid Requested effective group ID or KAUTH_GID_NONE for none
 *
 * Determine whether the subject identified by the credential can set the
 * real and effective group ID of the current process, using the setregid()
 * system call.  Either argument may be KAUTH_GID_NONE, meaning that ID is
 * left unchanged; policies should not treat the sentinel as a real group.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_proc_check_setregid_t(
    kauth_cred_t cred,
    gid_t rgid,
    gid_t egid
);

/**
 * @brief Access control check for setting thread assumed identity
 * @param pcred Subject process credential
 * @param tcred Subject thread credential
 * @param uid Requested user ID or KAUTH_UID_NONE for none
 * @param gid Requested group ID or KAUTH_GID_NONE for none
 *
 * Determine whether the subject identified by the credential can set the
 * user and group ID of the current thread, using the settid() or
 * settid_with_pid() system call.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_proc_check_settid_t(
    kauth_cred_t pcred,
    kauth_cred_t tcred,
    uid_t uid,
    gid_t gid
);

/**
 * @brief Notification of connection port derivation from service port
 * @param cred Subject process credential
 * @param sp_info Service port info
 *
 * Called when a process derives a connection port from a service port.
 *
 * Notes:
 * - Port derivation is only mandatory if the receiving end of the
 *   connection performs validation of that fact.
 * - MAC policies should not perform upcalls or expensive operations in
 *   this hook.
 * - Only called on macOS.
 */
typedef void mpo_proc_notify_service_port_derive_t(
    kauth_cred_t cred,
    struct mach_service_port_info *sp_info
);

/**
 * @brief Perform MAC-related analysis of telemetry data.
 * @param thread The Mach thread that was sampled.
 * @param err Zero on success; non-zero if the scheduled telemetry failed
 *        (see the note below).
 * @param data Collected telemetry.  NOTE(review): presumably the sample
 *        buffer, valid only when err is zero -- confirm with the caller.
 * @param length Size of data.  NOTE(review): presumably in bytes -- confirm
 *        with the caller.
 *
 * Notifies MAC policies that telemetry data was just collected from a
 * process's user thread and that it is ready to be analyzed.  The analysis is
 * performed shortly before a thread is about to return to userspace via a
 * syscall or mach trap.
 *
 * Note that sometimes the scheduled telemetry can fail.  In the case of
 * failure, the function will be called with a non-zero `err` value, in which
 * case it is expected that the client will cleanup any necessary state
 * recorded back when the telemetry was first scheduled.
 */
typedef void mpo_thread_telemetry_t(
    struct thread *thread,
    int err,
    const void *data,
    size_t length
);

/**
 * @brief Perform MAC-related events when a thread returns to user space
 * @param thread Mach (not BSD) thread that is returning
 *
 * This entry point permits policy modules to perform MAC-related
 * events when a thread returns to user space, via a system call
 * return or trap return.
 */
typedef void mpo_thread_userret_t(
    struct thread *thread
);

/**
 * @brief Check vnode access
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Label for vp
 * @param acc_mode access(2) flags
 *
 * Determine how invocations of access(2) and related calls by the
 * subject identified by the credential should return when performed
 * on the passed vnode using the passed access flags.  This should
 * generally be implemented using the same semantics used in
 * mpo_vnode_check_open.  A result here that differs from the open check
 * lets a caller learn about, or be misled about, access it will not (or
 * will) actually be granted.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.  Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_access_t(
    kauth_cred_t cred,
    struct vnode *vp,
    struct label *label,
    int acc_mode
);
/**
 * @brief Access control check for changing working directory
 * @param cred Subject credential
 * @param dvp Object; vnode to chdir(2) into
 * @param dlabel Policy label for dvp
 *
 * Determine whether the subject identified by the credential can change
 * the process working directory to the passed vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.  Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_chdir_t(
    kauth_cred_t cred,
    struct vnode *dvp,
    struct label *dlabel
);
/**
 * @brief Access control check for changing root directory
 * @param cred Subject credential
 * @param dvp Directory vnode
 * @param dlabel Policy label associated with dvp
 * @param cnp Component name for dvp
 *
 * Determine whether the subject identified by the credential should be
 * allowed to chroot(2) into the specified directory (dvp).
 *
 * @return In the event of an error, an appropriate value for errno
 * should be returned, otherwise return 0 upon success.
 */
typedef int mpo_vnode_check_chroot_t(
    kauth_cred_t cred,
    struct vnode *dvp,
    struct label *dlabel,
    struct componentname *cnp
);
/**
 * @brief Access control check for creating clone
 * @param cred Subject credential
 * @param dvp Vnode of directory to create the clone in
 * @param dlabel Policy label associated with dvp
 * @param vp Vnode of the file to clone from
 * @param label Policy label associated with vp
 * @param cnp Component name for the clone being created
 *
 * Determine whether the subject identified by the credential should be
 * allowed to create a clone of the vnode vp with the name specified by cnp.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_clone_t(
    kauth_cred_t cred,
    struct vnode *dvp,
    struct label *dlabel,
    struct vnode *vp,
    struct label *label,
    struct componentname *cnp
);
/**
 * @brief Access control check for creating vnode
 * @param cred Subject credential
 * @param dvp Directory vnode
 * @param dlabel Policy label for dvp
 * @param cnp Component name of the vnode being created (within dvp)
 * @param vap Requested attributes for the vnode being created
 *
 * Determine whether the subject identified by the credential can create
 * a vnode with the passed parent directory, passed name information,
 * and passed attribute information.  This call may be made in a number of
 * situations, including as a result of calls to open(2) with O_CREAT,
 * mknod(2), mkfifo(2), and others.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.  Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_create_t(
    kauth_cred_t cred,
    struct vnode *dvp,
    struct label *dlabel,
    struct componentname *cnp,
    struct vnode_attr *vap
);
/**
 * @brief Access control check for deleting extended attribute
 * @param cred Subject credential
 * @param vp Object vnode
 * @param vlabel Label associated with vp
 * @param name Extended attribute name
 *
 * Determine whether the subject identified by the credential can delete
 * the extended attribute from the passed vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.  Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_deleteextattr_t(
    kauth_cred_t cred,
    struct vnode *vp,
    struct label *vlabel,
    const char *name
);
/**
 * @brief Access control check for exchanging file data
 * @param cred Subject credential
 * @param v1 vnode 1 to swap
 * @param vl1 Policy label for v1
 * @param v2 vnode 2 to swap
 * @param vl2 Policy label for v2
 *
 * Determine whether the subject identified by the credential can swap the data
 * in the two supplied vnodes.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.  Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_exchangedata_t(
    kauth_cred_t cred,
    struct vnode *v1,
    struct label *vl1,
    struct vnode *v2,
    struct label *vl2
);
/**
 * @brief Access control check for executing the vnode
 * @param cred Subject credential
 * @param vp Object vnode to execute
 * @param scriptvp Script being executed by interpreter, if any.
 * @param vnodelabel Label corresponding to vp
 * @param scriptlabel Script vnode label
 * @param execlabel Userspace provided execution label
 * @param cnp Component name for file being executed
 * @param csflags Code-signing flags for the image, passed by pointer.
 *        NOTE(review): presumably writable so that a policy may adjust the
 *        flags for the new image -- confirm against the caller before
 *        relying on either reading or updating them here.
 * @param macpolicyattr MAC policy-specific spawn attribute data.
 * @param macpolicyattrlen Length of policy-specific spawn attribute data.
 *
 * Determine whether the subject identified by the credential can execute
 * the passed vnode.  Determination of execute privilege is made separately
 * from decisions about any process label transitioning event.
 *
 * The final label, execlabel, corresponds to a label supplied by a
 * user space application through the use of the mac_execve system call.
 * This label will be NULL if the user application uses the vendor
 * execve(2) call instead of the MAC Framework mac_execve() call.
 *
 * macpolicyattr is caller-supplied data of macpolicyattrlen bytes; a
 * policy must bound every read of it by macpolicyattrlen rather than by
 * the size it expects.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.  Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_exec_t(
    kauth_cred_t cred,
    struct vnode *vp,
    struct vnode *scriptvp,
    struct label *vnodelabel,
    struct label *scriptlabel,
    struct label *execlabel, /* NULLOK */
    struct componentname *cnp,
    u_int *csflags,
    void *macpolicyattr,
    size_t macpolicyattrlen
);
/**
 * @brief Access control check for fsgetpath
 * @param cred Subject credential
 * @param vp Vnode for which a path will be returned
 * @param label Label associated with the vnode
 *
 * Determine whether the subject identified by the credential can get the path
 * of the given vnode with fsgetpath.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_fsgetpath_t(
    kauth_cred_t cred,
    struct vnode *vp,
    struct label *label
);
/**
 * @brief Access control check for retrieving file attributes
 * @param active_cred Subject credential
 * @param file_cred Credential associated with the struct fileproc; may be NULL
 * @param vp Object vnode
 * @param vlabel Policy label for vp
 * @param va Vnode attributes to retrieve
 *
 * Determine whether the subject identified by the credential can
 * get information about the passed vnode.  The active_cred holds
 * the credentials of the subject performing the operation, and
 * file_cred holds the credentials of the subject that originally
 * opened the file.  This check happens during stat(), lstat(),
 * fstat(), and getattrlist() syscalls.  See <sys/vnode.h> for
 * definitions of the attributes.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 *
 * @note Policies may change the contents of va to alter the list of
 * file attributes returned.  (Contrast mpo_vnode_check_getattrlist_t,
 * where the requested set must not be altered.)
 */
typedef int mpo_vnode_check_getattr_t(
    kauth_cred_t active_cred,
    kauth_cred_t file_cred, /* NULLOK */
    struct vnode *vp,
    struct label *vlabel,
    struct vnode_attr *va
);
/**
 * @brief Access control check for retrieving file attributes
 * @param cred Subject credential
 * @param vp Object vnode
 * @param vlabel Policy label for vp
 * @param alist List of attributes to retrieve
 * @param options Option flags for alist
 *
 * Determine whether the subject identified by the credential can read
 * various attributes of the specified vnode, or the filesystem or volume on
 * which that vnode resides.  See <sys/attr.h> for definitions of the
 * attributes and flags.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.  Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.  Access control covers all attributes requested
 * with this call; the security policy is not permitted to change the set of
 * attributes requested.
 */
typedef int mpo_vnode_check_getattrlist_t(
    kauth_cred_t cred,
    struct vnode *vp,
    struct label *vlabel,
    struct attrlist *alist,
    uint64_t options
);
/**
 * @brief Access control check for retrieving file attributes for multiple directory entries
 * @param cred Subject credential
 * @param dvp Directory vnode
 * @param alist List of attributes to retrieve
 * @param options Option flags for alist
 *
 * Determine whether the subject identified by the credential can read
 * various attributes of the entries of the specified directory (dvp), or
 * of the filesystem or volume on which that directory resides.  See
 * <sys/attr.h> for definitions of the attributes and flags.  Unlike
 * mpo_vnode_check_getattrlist_t, no per-entry vnode or label is supplied:
 * one decision covers every entry returned.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.  Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.  Access control covers all attributes requested
 * with this call; the security policy is not permitted to change the set of
 * attributes requested.
 */
typedef int mpo_vnode_check_getattrlistbulk_t(
    kauth_cred_t cred,
    struct vnode *dvp,
    struct attrlist *alist,
    uint64_t options
);
/**
 * @brief Access control check for retrieving an extended attribute
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp; may be NULL
 * @param name Extended attribute name
 * @param uio I/O structure pointer; may be NULL
 *
 * Determine whether the subject identified by the credential can retrieve
 * the extended attribute from the passed vnode.  The uio parameter
 * will be NULL when the getxattr(2) call has been made with a NULL data
 * value; this is done to request the size of the data only.  Policies
 * must check both label and uio for NULL before dereferencing them.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.  Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 */
typedef int mpo_vnode_check_getextattr_t(
    kauth_cred_t cred,
    struct vnode *vp,
    struct label *label, /* NULLOK */
    const char *name,
    struct uio *uio /* NULLOK */
);
/**
 * @brief Access control check for ioctl
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param cmd Device-dependent request code; see ioctl(2)
 *
 * Determine whether the subject identified by the credential can perform
 * the ioctl operation indicated by cmd.
 *
 * @warning Since ioctl data is opaque from the standpoint of the MAC
 * framework, and since ioctls can affect many aspects of system
 * operation, policies must exercise extreme care when implementing
 * access control checks.  Only the request code is available here; the
 * argument buffer is not, so a decision can be made on cmd alone.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_ioctl_t(
    kauth_cred_t cred,
    struct vnode *vp,
    struct label *label,
    unsigned long cmd
);
/**
 * @brief Access control check for vnode kqfilter
 * @param active_cred Subject credential
 * @param file_cred Credential associated with the struct fileproc; may be NULL.
 *        NOTE(review): presumably the credential of the subject that
 *        originally opened the file, as for mpo_vnode_check_getattr_t --
 *        confirm against the caller.
 * @param kn Object knote
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Determine whether the subject identified by the credential can
 * receive the knote on the passed vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate
 * value for errno should be returned.
 */
typedef int mpo_vnode_check_kqfilter_t(
    kauth_cred_t active_cred,
    kauth_cred_t file_cred, /* NULLOK */
    struct knote *kn,
    struct vnode *vp,
    struct label *label
);
/**
 * @brief Access control check for relabel
 * @param cred Subject credential
 * @param vp Object vnode
 * @param vnodelabel Existing policy label for vp
 * @param newlabel Policy label update to later be applied to vp
 * @see mpo_vnode_label_update
 *
 * Determine whether the subject identified by the credential can relabel
 * the passed vnode to the passed label update.  If all policies permit
 * the label change, the actual relabel entry point (mpo_vnode_label_update)
 * will follow.
 *
 * NOTE(review): cred is declared as struct ucred * here while every
 * sibling hook takes kauth_cred_t; verify these are the same type before
 * assuming a policy may treat them interchangeably.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_label_update_t(
    struct ucred *cred,
    struct vnode *vp,
    struct label *vnodelabel,
    struct label *newlabel
);
/**
 * @brief Access control check for creating link
 * @param cred Subject credential
 * @param dvp Directory vnode
 * @param dlabel Policy label associated with dvp
 * @param vp Link destination vnode
 * @param label Policy label associated with vp
 * @param cnp Component name for the link being created
 *
 * Determine whether the subject identified by the credential should be
 * allowed to create a link to the vnode vp with the name specified by cnp.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_link_t(
    kauth_cred_t cred,
    struct vnode *dvp,
    struct label *dlabel,
    struct vnode *vp,
    struct label *label,
    struct componentname *cnp
);
/**
 * @brief Access control check for listing extended attributes
 * @param cred Subject credential
 * @param vp Object vnode
 * @param vlabel Policy label associated with vp
 *
 * Determine whether the subject identified by the credential can retrieve
 * a list of named extended attributes from a vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
4432 */ 4433 typedef int mpo_vnode_check_listextattr_t( 4434 kauth_cred_t cred, 4435 struct vnode *vp, 4436 struct label *vlabel 4437 ); 4438 /** 4439 * @brief Access control check for lookup 4440 * @param cred Subject credential 4441 * @param dvp Directory vnode 4442 * @param dlabel Policy label for dvp 4443 * @param path Path being looked up 4444 * @param pathlen Length of path in bytes 4445 * 4446 * Determine whether the subject identified by the credential can perform 4447 * a lookup of the passed path relative to the passed directory vnode. 4448 * 4449 * @return Return 0 if access is granted, otherwise an appropriate value for 4450 * errno should be returned. Suggested failure: EACCES for label mismatch or 4451 * EPERM for lack of privilege. 4452 * 4453 * @note The path may contain untrusted input. If approved, lookup proceeds 4454 * on the path; if a component is found to be a symlink then this hook is 4455 * called again with the updated path. 4456 */ 4457 typedef int mpo_vnode_check_lookup_preflight_t( 4458 kauth_cred_t cred, 4459 struct vnode *dvp, 4460 struct label *dlabel, 4461 const char *path, 4462 size_t pathlen 4463 ); 4464 /** 4465 * @brief Access control check for lookup 4466 * @param cred Subject credential 4467 * @param dvp Object vnode 4468 * @param dlabel Policy label for dvp 4469 * @param cnp Component name being looked up 4470 * 4471 * Determine whether the subject identified by the credential can perform 4472 * a lookup in the passed directory vnode for the passed name (cnp). 4473 * 4474 * @return Return 0 if access is granted, otherwise an appropriate value for 4475 * errno should be returned. Suggested failure: EACCES for label mismatch or 4476 * EPERM for lack of privilege. 
4477 */ 4478 typedef int mpo_vnode_check_lookup_t( 4479 kauth_cred_t cred, 4480 struct vnode *dvp, 4481 struct label *dlabel, 4482 struct componentname *cnp 4483 ); 4484 /** 4485 * @brief Access control check for open 4486 * @param cred Subject credential 4487 * @param vp Object vnode 4488 * @param label Policy label associated with vp 4489 * @param acc_mode open(2) access mode 4490 * 4491 * Determine whether the subject identified by the credential can perform 4492 * an open operation on the passed vnode with the passed access mode. 4493 * 4494 * @return Return 0 if access is granted, otherwise an appropriate value for 4495 * errno should be returned. Suggested failure: EACCES for label mismatch or 4496 * EPERM for lack of privilege. 4497 */ 4498 typedef int mpo_vnode_check_open_t( 4499 kauth_cred_t cred, 4500 struct vnode *vp, 4501 struct label *label, 4502 int acc_mode 4503 ); 4504 /** 4505 * @brief Access control check for read 4506 * @param active_cred Subject credential 4507 * @param file_cred Credential associated with the struct fileproc 4508 * @param vp Object vnode 4509 * @param label Policy label for vp 4510 * 4511 * Determine whether the subject identified by the credential can perform 4512 * a read operation on the passed vnode. The active_cred hold the credentials 4513 * of the subject performing the operation, and file_cred holds the 4514 * credentials of the subject that originally opened the file. 4515 * 4516 * @return Return 0 if access is granted, otherwise an appropriate value for 4517 * errno should be returned. Suggested failure: EACCES for label mismatch or 4518 * EPERM for lack of privilege. 
4519 */ 4520 typedef int mpo_vnode_check_read_t( 4521 kauth_cred_t active_cred, /* SUBJECT */ 4522 kauth_cred_t file_cred, /* NULLOK */ 4523 struct vnode *vp, /* OBJECT */ 4524 struct label *label /* LABEL */ 4525 ); 4526 /** 4527 * @brief Access control check for read directory 4528 * @param cred Subject credential 4529 * @param dvp Object directory vnode 4530 * @param dlabel Policy label for dvp 4531 * 4532 * Determine whether the subject identified by the credential can 4533 * perform a readdir operation on the passed directory vnode. 4534 * 4535 * @return Return 0 if access is granted, otherwise an appropriate value for 4536 * errno should be returned. Suggested failure: EACCES for label mismatch or 4537 * EPERM for lack of privilege. 4538 */ 4539 typedef int mpo_vnode_check_readdir_t( 4540 kauth_cred_t cred, /* SUBJECT */ 4541 struct vnode *dvp, /* OBJECT */ 4542 struct label *dlabel /* LABEL */ 4543 ); 4544 /** 4545 * @brief Access control check for read link 4546 * @param cred Subject credential 4547 * @param vp Object vnode 4548 * @param label Policy label for vp 4549 * 4550 * Determine whether the subject identified by the credential can perform 4551 * a readlink operation on the passed symlink vnode. This call can be made 4552 * in a number of situations, including an explicit readlink call by the 4553 * user process, or as a result of an implicit readlink during a name 4554 * lookup by the process. 4555 * 4556 * @return Return 0 if access is granted, otherwise an appropriate value for 4557 * errno should be returned. Suggested failure: EACCES for label mismatch or 4558 * EPERM for lack of privilege. 
4559 */ 4560 typedef int mpo_vnode_check_readlink_t( 4561 kauth_cred_t cred, 4562 struct vnode *vp, 4563 struct label *label 4564 ); 4565 /** 4566 * @brief Access control check for rename 4567 * @param cred Subject credential 4568 * @param fdvp Directory vnode 4569 * @param fdlabel Policy label associated with dvp 4570 * @param fvp vnode to be renamed 4571 * @param flabel Policy label associated with vp 4572 * @param fcnp Component name for vp 4573 * @param tdvp Destination directory vnode 4574 * @param tdlabel Policy label associated with tdvp 4575 * @param tvp Overwritten vnode 4576 * @param tlabel Policy label associated with tvp 4577 * @param tcnp Destination component name 4578 * 4579 * Determine whether the subject identified by the credential should be allowed 4580 * to rename the vnode vp to something else. 4581 * 4582 * @return Return 0 if access is granted, otherwise an appropriate value for 4583 * errno should be returned. 4584 */ 4585 typedef int mpo_vnode_check_rename_t( 4586 kauth_cred_t cred, 4587 struct vnode *fdvp, 4588 struct label *fdlabel, 4589 struct vnode *fvp, 4590 struct label *flabel, 4591 struct componentname *fcnp, 4592 struct vnode *tdvp, 4593 struct label *tdlabel, 4594 struct vnode *tvp, 4595 struct label *tlabel, 4596 struct componentname *tcnp 4597 ); 4598 /** 4599 * @brief Access control check for rename from 4600 * @param cred Subject credential 4601 * @param dvp Directory vnode 4602 * @param dlabel Policy label associated with dvp 4603 * @param vp vnode to be renamed 4604 * @param label Policy label associated with vp 4605 * @param cnp Component name for vp 4606 * @see mpo_vnode_check_rename_t 4607 * @see mpo_vnode_check_rename_to_t 4608 * 4609 * Determine whether the subject identified by the credential should be 4610 * allowed to rename the vnode vp to something else. 
4611 * 4612 * Due to VFS locking constraints (to make sure proper vnode locks are 4613 * held during this entry point), the vnode relabel checks had to be 4614 * split into two parts: relabel_from and relabel to. 4615 * 4616 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead. 4617 * 4618 * @return Return 0 if access is granted, otherwise an appropriate value for 4619 * errno should be returned. 4620 */ 4621 typedef int mpo_vnode_check_rename_from_t( 4622 kauth_cred_t cred, 4623 struct vnode *dvp, 4624 struct label *dlabel, 4625 struct vnode *vp, 4626 struct label *label, 4627 struct componentname *cnp 4628 ); 4629 /** 4630 * @brief Access control check for rename to 4631 * @param cred Subject credential 4632 * @param dvp Directory vnode 4633 * @param dlabel Policy label associated with dvp 4634 * @param vp Overwritten vnode 4635 * @param label Policy label associated with vp 4636 * @param samedir Boolean; 1 if the source and destination directories are the same 4637 * @param cnp Destination component name 4638 * @see mpo_vnode_check_rename_t 4639 * @see mpo_vnode_check_rename_from_t 4640 * 4641 * Determine whether the subject identified by the credential should be 4642 * allowed to rename to the vnode vp, into the directory dvp, or to the 4643 * name represented by cnp. If there is no existing file to overwrite, 4644 * vp and label will be NULL. 4645 * 4646 * Due to VFS locking constraints (to make sure proper vnode locks are 4647 * held during this entry point), the vnode relabel checks had to be 4648 * split into two parts: relabel_from and relabel to. 4649 * 4650 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead. 4651 * 4652 * @return Return 0 if access is granted, otherwise an appropriate value for 4653 * errno should be returned. 
4654 */ 4655 typedef int mpo_vnode_check_rename_to_t( 4656 kauth_cred_t cred, 4657 struct vnode *dvp, 4658 struct label *dlabel, 4659 struct vnode *vp, /* NULLOK */ 4660 struct label *label, /* NULLOK */ 4661 int samedir, 4662 struct componentname *cnp 4663 ); 4664 /** 4665 * @brief Access control check for revoke 4666 * @param cred Subject credential 4667 * @param vp Object vnode 4668 * @param label Policy label for vp 4669 * 4670 * Determine whether the subject identified by the credential can revoke 4671 * access to the passed vnode. 4672 * 4673 * @return Return 0 if access is granted, otherwise an appropriate value for 4674 * errno should be returned. Suggested failure: EACCES for label mismatch or 4675 * EPERM for lack of privilege. 4676 */ 4677 typedef int mpo_vnode_check_revoke_t( 4678 kauth_cred_t cred, 4679 struct vnode *vp, 4680 struct label *label 4681 ); 4682 /** 4683 * @brief Access control check for searchfs 4684 * @param cred Subject credential 4685 * @param vp Object vnode 4686 * @param vlabel Policy label for vp 4687 * @param returnattrs List of attributes to be returned 4688 * @param searchattrs List of attributes used as search criteria 4689 * 4690 * Determine whether the subject identified by the credential can search the 4691 * vnode using the searchfs system call. 4692 * 4693 * @return Return 0 if access is granted, otherwise an appropriate value for 4694 * errno should be returned. 4695 */ 4696 typedef int mpo_vnode_check_searchfs_t( 4697 kauth_cred_t cred, 4698 struct vnode *vp, 4699 struct label *vlabel, 4700 struct attrlist *returnattrs, 4701 struct attrlist *searchattrs 4702 ); 4703 /** 4704 * @brief Access control check for select 4705 * @param cred Subject credential 4706 * @param vp Object vnode 4707 * @param label Policy label for vp 4708 * @param which The operation selected on: FREAD or FWRITE 4709 * 4710 * Determine whether the subject identified by the credential can select 4711 * the vnode. 
4712 * 4713 * @return Return 0 if access is granted, otherwise an appropriate value for 4714 * errno should be returned. 4715 */ 4716 typedef int mpo_vnode_check_select_t( 4717 kauth_cred_t cred, 4718 struct vnode *vp, 4719 struct label *label, 4720 int which 4721 ); 4722 /** 4723 * @brief Access control check for setting ACL 4724 * @param cred Subject credential 4725 * @param vp Object node 4726 * @param label Policy label for vp 4727 * @param acl ACL structure pointer 4728 * 4729 * Determine whether the subject identified by the credential can set an ACL 4730 * on the specified vnode. The ACL pointer will be NULL when removing an ACL. 4731 * 4732 * @return Return 0 if access is granted, otherwise an appropriate value for 4733 * errno should be returned. Suggested failure: EACCES for label mismatch or 4734 * EPERM for lack of privilege. 4735 */ 4736 typedef int mpo_vnode_check_setacl_t( 4737 kauth_cred_t cred, 4738 struct vnode *vp, 4739 struct label *label, 4740 struct kauth_acl *acl 4741 ); 4742 /** 4743 * @brief Access control check for setting file attributes 4744 * @param cred Subject credential 4745 * @param vp Object vnode 4746 * @param vlabel Policy label for vp 4747 * @param alist List of attributes to set 4748 * 4749 * Determine whether the subject identified by the credential can set 4750 * various attributes of the specified vnode, or the filesystem or volume on 4751 * which that vnode resides. See <sys/attr.h> for definitions of the 4752 * attributes. 4753 * 4754 * @return Return 0 if access is granted, otherwise an appropriate value for 4755 * errno should be returned. Suggested failure: EACCES for label mismatch or 4756 * EPERM for lack of privilege. Access control covers all attributes requested 4757 * with this call. 
4758 */ 4759 typedef int mpo_vnode_check_setattrlist_t( 4760 kauth_cred_t cred, 4761 struct vnode *vp, 4762 struct label *vlabel, 4763 struct attrlist *alist 4764 ); 4765 /** 4766 * @brief Access control check for setting extended attribute 4767 * @param cred Subject credential 4768 * @param vp Object vnode 4769 * @param label Policy label for vp 4770 * @param name Extended attribute name 4771 * @param uio I/O structure pointer 4772 * 4773 * Determine whether the subject identified by the credential can set the 4774 * extended attribute of passed name and passed namespace on the passed 4775 * vnode. Policies implementing security labels backed into extended 4776 * attributes may want to provide additional protections for those 4777 * attributes. Additionally, policies should avoid making decisions based 4778 * on the data referenced from uio, as there is a potential race condition 4779 * between this check and the actual operation. The uio may also be NULL 4780 * if a delete operation is being performed. 4781 * 4782 * @return Return 0 if access is granted, otherwise an appropriate value for 4783 * errno should be returned. Suggested failure: EACCES for label mismatch or 4784 * EPERM for lack of privilege. 4785 */ 4786 typedef int mpo_vnode_check_setextattr_t( 4787 kauth_cred_t cred, 4788 struct vnode *vp, 4789 struct label *label, 4790 const char *name, 4791 struct uio *uio 4792 ); 4793 /** 4794 * @brief Access control check for setting flags 4795 * @param cred Subject credential 4796 * @param vp Object vnode 4797 * @param label Policy label for vp 4798 * @param flags File flags; see chflags(2) 4799 * 4800 * Determine whether the subject identified by the credential can set 4801 * the passed flags on the passed vnode. 4802 * 4803 * @return Return 0 if access is granted, otherwise an appropriate value for 4804 * errno should be returned. Suggested failure: EACCES for label mismatch or 4805 * EPERM for lack of privilege. 
4806 */ 4807 typedef int mpo_vnode_check_setflags_t( 4808 kauth_cred_t cred, 4809 struct vnode *vp, 4810 struct label *label, 4811 u_long flags 4812 ); 4813 /** 4814 * @brief Access control check for setting mode 4815 * @param cred Subject credential 4816 * @param vp Object vnode 4817 * @param label Policy label for vp 4818 * @param mode File mode; see chmod(2) 4819 * 4820 * Determine whether the subject identified by the credential can set 4821 * the passed mode on the passed vnode. 4822 * 4823 * @return Return 0 if access is granted, otherwise an appropriate value for 4824 * errno should be returned. Suggested failure: EACCES for label mismatch or 4825 * EPERM for lack of privilege. 4826 */ 4827 typedef int mpo_vnode_check_setmode_t( 4828 kauth_cred_t cred, 4829 struct vnode *vp, 4830 struct label *label, 4831 mode_t mode 4832 ); 4833 /** 4834 * @brief Access control check for setting uid and gid 4835 * @param cred Subject credential 4836 * @param vp Object vnode 4837 * @param label Policy label for vp 4838 * @param uid User ID 4839 * @param gid Group ID 4840 * 4841 * Determine whether the subject identified by the credential can set 4842 * the passed uid and passed gid as file uid and file gid on the passed 4843 * vnode. The IDs may be set to (-1) to request no update. 4844 * 4845 * @return Return 0 if access is granted, otherwise an appropriate value for 4846 * errno should be returned. Suggested failure: EACCES for label mismatch or 4847 * EPERM for lack of privilege. 
4848 */ 4849 typedef int mpo_vnode_check_setowner_t( 4850 kauth_cred_t cred, 4851 struct vnode *vp, 4852 struct label *label, 4853 uid_t uid, 4854 gid_t gid 4855 ); 4856 /** 4857 * @brief Access control check for setting timestamps 4858 * @param cred Subject credential 4859 * @param vp Object vnode 4860 * @param label Policy label for vp 4861 * @param atime Access time; see utimes(2) 4862 * @param mtime Modification time; see utimes(2) 4863 * 4864 * Determine whether the subject identified by the credential can set 4865 * the passed access timestamps on the passed vnode. 4866 * 4867 * @return Return 0 if access is granted, otherwise an appropriate value for 4868 * errno should be returned. Suggested failure: EACCES for label mismatch or 4869 * EPERM for lack of privilege. 4870 */ 4871 typedef int mpo_vnode_check_setutimes_t( 4872 kauth_cred_t cred, 4873 struct vnode *vp, 4874 struct label *label, 4875 struct timespec atime, 4876 struct timespec mtime 4877 ); 4878 /** 4879 * @brief Access control check after determining the code directory hash 4880 * @param vp vnode vnode to combine into proc 4881 * @param label label associated with the vnode 4882 * @param cpu_type cpu type of the signature being checked 4883 * @param cs_blob the code signature to check 4884 * @param cs_flags update code signing flags if needed 4885 * @param signer_type output parameter for the code signature's signer type 4886 * @param flags operational flag to mpo_vnode_check_signature 4887 * @param platform platform of the signature being checked 4888 * @param fatal_failure_desc description of fatal failure 4889 * @param fatal_failure_desc_len failure description len, failure is fatal if non-0 4890 * 4891 * @return Return 0 if access is granted, otherwise an appropriate value for 4892 * errno should be returned. 
4893 */ 4894 typedef int mpo_vnode_check_signature_t( 4895 struct vnode *vp, 4896 struct label *label, 4897 cpu_type_t cpu_type, 4898 struct cs_blob *cs_blob, 4899 unsigned int *cs_flags, 4900 unsigned int *signer_type, 4901 int flags, 4902 unsigned int platform, 4903 char **fatal_failure_desc, size_t *fatal_failure_desc_len 4904 ); 4905 /** 4906 * @brief Access control check for stat 4907 * @param active_cred Subject credential 4908 * @param file_cred Credential associated with the struct fileproc 4909 * @param vp Object vnode 4910 * @param label Policy label for vp 4911 * 4912 * Determine whether the subject identified by the credential can stat 4913 * the passed vnode. See stat(2) for more information. The active_cred 4914 * hold the credentials of the subject performing the operation, and 4915 * file_cred holds the credentials of the subject that originally 4916 * opened the file. 4917 * 4918 * @return Return 0 if access is granted, otherwise an appropriate value for 4919 * errno should be returned. Suggested failure: EACCES for label mismatch or 4920 * EPERM for lack of privilege. 4921 */ 4922 typedef int mpo_vnode_check_stat_t( 4923 struct ucred *active_cred, 4924 struct ucred *file_cred, /* NULLOK */ 4925 struct vnode *vp, 4926 struct label *label 4927 ); 4928 /** 4929 * @brief Access control check for supplemental signature attachement 4930 * @param vp the vnode to which the signature will be attached 4931 * @param label label associated with the vnode 4932 * @param cs_blob the code signature to check 4933 * @param linked_vp vnode to which this new vp is related 4934 * @param linked_cs_blob the code signature of the linked vnode 4935 * @param signer_type output parameter for the signer type of the code signature being checked. 4936 * 4937 * @return Return 0 if access is granted, otherwise an appropriate value for 4938 * errno should be returned. 
4939 */ 4940 typedef int mpo_vnode_check_supplemental_signature_t( 4941 struct vnode *vp, 4942 struct label *label, 4943 struct cs_blob *cs_blob, 4944 struct vnode *linked_vp, 4945 struct cs_blob *linked_cs_blob, 4946 unsigned int *signer_type 4947 ); 4948 /** 4949 * @brief Access control check for atomically swapping two vnodes. 4950 * @param cred User credential for the swapping process 4951 * @param v1 vnode 1 to swap 4952 * @param vl1 Policy label for v1 4953 * @param v2 vnode 2 to swap 4954 * @param vl2 Policy label for v2 4955 * 4956 * @return Return 0 if access is granted, otherwise an appropriate value for 4957 * errno should be returned. Suggested failure: EACCES for label mismatch or 4958 * EPERM for lack of privilege. 4959 */ 4960 typedef int mpo_vnode_check_swap_t( 4961 kauth_cred_t cred, 4962 struct vnode *v1, 4963 struct label *vl1, 4964 struct vnode *v2, 4965 struct label *vl2 4966 ); 4967 /** 4968 * @brief Access control and clamping for changing dataprotection class of a vnode. 4969 * @param cred User credential for process changing dataprotection class 4970 * @param vp the vnode that is being changed 4971 * @param dataprotect_class a pointer to the desired new dataprotection class 4972 * 4973 * The hook may override the requested data protection class by altering the 4974 * value referenced by dataprotect_class. 4975 * 4976 * @return Return 0 if access is granted, otherwise an appropriate value for 4977 * errno should be returned. 
4978 */ 4979 typedef int mpo_vnode_check_dataprotect_set_t( 4980 kauth_cred_t cred, 4981 struct vnode *vp, 4982 uint32_t *dataprotect_class 4983 ); 4984 /** 4985 * @brief Access control check for vnode trigger resolution 4986 * @param cred Subject credential 4987 * @param dvp Object vnode 4988 * @param dlabel Policy label for dvp 4989 * @param cnp Component name that triggered resolution 4990 * 4991 * Determine whether the subject identified by the credential can trigger 4992 * resolution of the passed name (cnp) in the passed directory vnode 4993 * via an external trigger resolver. 4994 * 4995 * @return Return 0 if access is granted, otherwise an appropriate value for 4996 * errno should be returned. Suggested failure: EACCES for label mismatch or 4997 * EPERM for lack of privilege. 4998 */ 4999 typedef int mpo_vnode_check_trigger_resolve_t( 5000 kauth_cred_t cred, 5001 struct vnode *dvp, 5002 struct label *dlabel, 5003 struct componentname *cnp 5004 ); 5005 /** 5006 * @brief Access control check for truncate/ftruncate 5007 * @param active_cred Subject credential 5008 * @param file_cred Credential associated with the struct fileproc 5009 * @param vp Object vnode 5010 * @param label Policy label for vp 5011 * 5012 * Determine whether the subject identified by the credential can 5013 * perform a truncate operation on the passed vnode. The active_cred hold 5014 * the credentials of the subject performing the operation, and 5015 * file_cred holds the credentials of the subject that originally 5016 * opened the file. 5017 * 5018 * @return Return 0 if access is granted, otherwise an appropriate value for 5019 * errno should be returned. Suggested failure: EACCES for label mismatch or 5020 * EPERM for lack of privilege. 
5021 */ 5022 typedef int mpo_vnode_check_truncate_t( 5023 kauth_cred_t active_cred, 5024 kauth_cred_t file_cred, /* NULLOK */ 5025 struct vnode *vp, 5026 struct label *label 5027 ); 5028 /** 5029 * @brief Access control check for binding UNIX domain socket 5030 * @param cred Subject credential 5031 * @param dvp Directory vnode 5032 * @param dlabel Policy label for dvp 5033 * @param cnp Component name for dvp 5034 * @param vap vnode attributes for vap 5035 * 5036 * Determine whether the subject identified by the credential can perform a 5037 * bind operation on a UNIX domain socket with the passed parent directory, 5038 * passed name information, and passed attribute information. 5039 * 5040 * @return Return 0 if access is granted, otherwise an appropriate value for 5041 * errno should be returned. Suggested failure: EACCES for label mismatch or 5042 * EPERM for lack of privilege. 5043 */ 5044 typedef int mpo_vnode_check_uipc_bind_t( 5045 kauth_cred_t cred, 5046 struct vnode *dvp, 5047 struct label *dlabel, 5048 struct componentname *cnp, 5049 struct vnode_attr *vap 5050 ); 5051 /** 5052 * @brief Access control check for connecting UNIX domain socket 5053 * @param cred Subject credential 5054 * @param vp Object vnode 5055 * @param label Policy label associated with vp 5056 * @param so Socket 5057 * 5058 * Determine whether the subject identified by the credential can perform a 5059 * connect operation on the passed UNIX domain socket vnode. 5060 * 5061 * @return Return 0 if access is granted, otherwise an appropriate value for 5062 * errno should be returned. Suggested failure: EACCES for label mismatch or 5063 * EPERM for lack of privilege. 
5064 */ 5065 typedef int mpo_vnode_check_uipc_connect_t( 5066 kauth_cred_t cred, 5067 struct vnode *vp, 5068 struct label *label, 5069 socket_t so 5070 ); 5071 /** 5072 * @brief Access control check for deleting vnode 5073 * @param cred Subject credential 5074 * @param dvp Parent directory vnode 5075 * @param dlabel Policy label for dvp 5076 * @param vp Object vnode to delete 5077 * @param label Policy label for vp 5078 * @param cnp Component name for vp 5079 * @see mpo_check_rename_to_t 5080 * 5081 * Determine whether the subject identified by the credential can delete 5082 * a vnode from the passed parent directory and passed name information. 5083 * This call may be made in a number of situations, including as a 5084 * results of calls to unlink(2) and rmdir(2). Policies implementing 5085 * this entry point should also implement mpo_check_rename_to to 5086 * authorize deletion of objects as a result of being the target of a rename. 5087 * 5088 * @return Return 0 if access is granted, otherwise an appropriate value for 5089 * errno should be returned. Suggested failure: EACCES for label mismatch or 5090 * EPERM for lack of privilege. 5091 */ 5092 typedef int mpo_vnode_check_unlink_t( 5093 kauth_cred_t cred, 5094 struct vnode *dvp, 5095 struct label *dlabel, 5096 struct vnode *vp, 5097 struct label *label, 5098 struct componentname *cnp 5099 ); 5100 /** 5101 * @brief Access control check for write 5102 * @param active_cred Subject credential 5103 * @param file_cred Credential associated with the struct fileproc 5104 * @param vp Object vnode 5105 * @param label Policy label for vp 5106 * 5107 * Determine whether the subject identified by the credential can 5108 * perform a write operation on the passed vnode. The active_cred hold 5109 * the credentials of the subject performing the operation, and 5110 * file_cred holds the credentials of the subject that originally 5111 * opened the file. 
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EACCES for label mismatch or
 * EPERM for lack of privilege.
 *
 * file_cred is marked NULLOK: a policy must accept NULL as a valid value and
 * must not dereference it unconditionally.
 */
typedef int mpo_vnode_check_write_t(
	kauth_cred_t active_cred,
	kauth_cred_t file_cred, /* NULLOK */
	struct vnode *vp,
	struct label *label
);
/**
 * @brief Access control check for copyfile
 * @param cred Subject credential
 * @param dvp Vnode of directory to create the copy in
 * @param dlabel Policy label associated with dvp
 * @param tvp Vnode of the file at the target path that will be unlinked to
 * make room for the copy being created, if the file exists
 * @param tlabel Policy label associated with tvp
 * @param fvp Vnode of the file to copy from
 * @param flabel Policy label associated with fvp
 * @param cnp Component name for the copy being created
 * @param mode Corresponds to the mode argument to the copyfile syscall
 * @param flags Corresponds to the flags argument to the copyfile syscall
 *
 * Determine whether the subject identified by the credential should be
 * allowed to create a copy of the vnode fvp with the name specified by cnp.
 *
 * tvp and tlabel are marked NULLOK (no file exists at the target path);
 * a policy must check for NULL before using either of them.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_vnode_check_copyfile_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *tvp, /* NULLOK */
	struct label *tlabel, /* NULLOK */
	struct vnode *fvp,
	struct label *flabel,
	struct componentname *cnp,
	mode_t mode,
	int flags
);
/**
 * @brief Associate a vnode with a devfs entry
 * @param mp Devfs mount point
 * @param mntlabel Devfs mount point label
 * @param de Devfs directory entry
 * @param delabel Label associated with de
 * @param vp vnode associated with de
 * @param vlabel Label associated with vp
 *
 * Fill in the label (vlabel) for a newly created devfs vnode. The
 * label is typically derived from the label on the devfs directory
 * entry or the label on the filesystem, supplied as parameters.
 */
typedef void mpo_vnode_label_associate_devfs_t(
	struct mount *mp,
	struct label *mntlabel,
	struct devnode *de,
	struct label *delabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a label with a vnode
 * @param mp File system mount point
 * @param mntlabel File system mount point label
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Attempt to retrieve label information for the vnode, vp, from the
 * file system extended attribute store. The label should be stored in
 * the supplied vlabel parameter. If a policy cannot retrieve an
 * extended attribute, sometimes it is acceptable to fall back to using
 * the mntlabel.
 *
 * If the policy requires vnodes to have a valid label elsewhere it
 * MUST NOT return other than temporary errors, and must always provide
 * a valid label of some sort. Returning an error will cause vnode
 * labeling to be retried at a later access. Failure to handle policy
 * centric errors internally (corrupt labels etc.) will result in
 * inaccessible files.
 *
 * In other words, a policy must never leave vlabel unset on return:
 * either fill it (from the xattr or from mntlabel) or return a
 * temporary error so that labeling is retried.
 *
 * @return In the event of an error, an appropriate value for errno
 * should be returned, otherwise return 0 upon success.
 */
typedef int mpo_vnode_label_associate_extattr_t(
	struct mount *mp,
	struct label *mntlabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a file label with a vnode
 * @param cred User credential
 * @param mp Fdesc mount point
 * @param mntlabel Fdesc mount point label
 * @param fg Fileglob structure
 * @param label Policy label for fg
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the open file descriptor described by fg.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_file_t(
	struct ucred *cred,
	struct mount *mp,
	struct label *mntlabel,
	struct fileglob *fg,
	struct label *label,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a pipe label with a vnode
 * @param cred User credential for the process that opened the pipe
 * @param cpipe Pipe structure
 * @param pipelabel Label associated with pipe
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the pipe described by the pipe structure cpipe.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_pipe_t(
	struct ucred *cred,
	struct pipe *cpipe,
	struct label *pipelabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a POSIX semaphore label with a vnode
 * @param cred User credential for the process that created psem
 * @param psem POSIX semaphore structure
 * @param psemlabel Label associated with psem
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the POSIX semaphore described by psem.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_posixsem_t(
	struct ucred *cred,
	struct pseminfo *psem,
	struct label *psemlabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a POSIX shared memory label with a vnode
 * @param cred User credential for the process that created pshm
 * @param pshm POSIX shared memory structure
 * @param pshmlabel Label associated with pshm
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the POSIX shared memory region described by pshm.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_posixshm_t(
	struct ucred *cred,
	struct pshminfo *pshm,
	struct label *pshmlabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a label with a vnode
 * @param mp File system mount point
 * @param mntlabel File system mount point label
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * On non-multilabel file systems, set the label for a vnode. The
 * label will most likely be based on the file system label.
 */
typedef void mpo_vnode_label_associate_singlelabel_t(
	struct mount *mp,
	struct label *mntlabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Associate a socket label with a vnode
 * @param cred User credential for the process that opened the socket
 * @param so Socket structure
 * @param solabel Label associated with so
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 *
 * Associate label information for the vnode, vp, with the label of
 * the open socket described by the socket structure so.
 * The label should be stored in the supplied vlabel parameter.
 */
typedef void mpo_vnode_label_associate_socket_t(
	kauth_cred_t cred,
	socket_t so,
	struct label *solabel,
	struct vnode *vp,
	struct label *vlabel
);
/**
 * @brief Copy a vnode label
 * @param src Source vnode label
 * @param dest Destination vnode label
 *
 * Copy the vnode label information from src to dest. On Darwin, this
 * is currently only necessary when executing interpreted scripts, but
 * will later be used if vnode label externalization cannot be an
 * atomic operation.
 */
typedef void mpo_vnode_label_copy_t(
	struct label *src,
	struct label *dest
);
/**
 * @brief Destroy vnode label
 * @param label The label to be destroyed
 *
 * Destroy a vnode label. Since the object is going out of scope,
 * policy modules should free any internal storage associated with the
 * label so that it may be destroyed.
 */
typedef void mpo_vnode_label_destroy_t(
	struct label *label
);
/**
 * @brief Externalize a vnode label for auditing
 * @param label Label to be externalized
 * @param element_name Name of the label namespace for which labels should be
 * externalized
 * @param sb String buffer to be filled with a text representation of the label
 *
 * Produce an external representation of the label on a vnode suitable for
 * inclusion in an audit record. An externalized label consists of a text
 * representation of the label contents that will be added to the audit record
 * as part of a text token. Policy-agnostic user space tools will display
 * this externalized version.
 *
 * @return 0 on success, return non-zero if an error occurs while
 * externalizing the label data.
 *
 */
typedef int mpo_vnode_label_externalize_audit_t(
	struct label *label,
	char *element_name,
	struct sbuf *sb
);
/**
 * @brief Externalize a vnode label
 * @param label Label to be externalized
 * @param element_name Name of the label namespace for which labels should be
 * externalized
 * @param sb String buffer to be filled with a text representation of the label
 *
 * Produce an external representation of the label on a vnode. An
 * externalized label consists of a text representation of the label
 * contents that can be used with user applications. Policy-agnostic
 * user space tools will display this externalized version.
 *
 * @return 0 on success, return non-zero if an error occurs while
 * externalizing the label data.
 *
 */
typedef int mpo_vnode_label_externalize_t(
	struct label *label,
	char *element_name,
	struct sbuf *sb
);
/**
 * @brief Initialize vnode label
 * @param label New label to initialize
 *
 * Initialize label storage for use with a newly instantiated vnode, or
 * for temporary storage associated with the copying in or out of a
 * vnode label. While it is necessary to allocate space for a
 * kernel-resident vnode label, it is not yet necessary to link this vnode
 * with persistent label storage facilities, such as extended attributes.
 * Sleeping is permitted.
 */
typedef void mpo_vnode_label_init_t(
	struct label *label
);
/**
 * @brief Internalize a vnode label
 * @param label Label to be internalized
 * @param element_name Name of the label namespace for which the label should
 * be internalized
 * @param element_data Text data to be internalized
 *
 * Produce a vnode label from an external representation. An
 * externalized label consists of a text representation of the label
 * contents that can be used with user applications. Policy-agnostic
 * user space tools will forward the text version to the kernel for
 * processing by individual policy modules.
 *
 * Because element_name and element_data are forwarded from user space
 * tools, a policy must treat them as untrusted input: parse defensively,
 * bound every read by the string's actual length, and reject malformed
 * data with a non-zero return rather than storing a partial label.
 *
 * The policy's internalize entry points will be called only if the
 * policy has registered interest in the label namespace.
 *
 * @return 0 on success. Otherwise, return non-zero if an error occurs
 * while internalizing the label data.
 */
typedef int mpo_vnode_label_internalize_t(
	struct label *label,
	char *element_name,
	char *element_data
);
/**
 * @brief Clean up a vnode label
 * @param label The label to be cleaned or purged
 *
 * Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but
 * typically never frees them. Before vnodes are placed back on free lists for
 * re-use, policies can clean up or overwrite any information present in the label,
 * or free any internal resources used for the label.
 *
 * Since the label storage is reused for a different vnode afterwards, a
 * policy should make sure no stale label state from the previous vnode
 * survives in it.
 */
typedef void mpo_vnode_label_recycle_t(
	struct label *label
);
/**
 * @brief Write a label to an extended attribute
 * @param cred Subject credential
 * @param vp The vnode for which the label is being stored
 * @param vlabel Label associated with vp
 * @param intlabel The new label to store
 *
 * Store a new label in the extended attribute corresponding to the
 * supplied vnode. The policy has already authorized the operation;
 * this call must be implemented in order to perform the actual
 * operation.
 *
 * @return In the event of an error, an appropriate value for errno
 * should be returned, otherwise return 0 upon success.
 *
 * @warning XXX After examining the extended attribute implementation on
 * Apple's future release, this entry point may be changed.
 */
typedef int mpo_vnode_label_store_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *vlabel,
	struct label *intlabel
);
/**
 * @brief Update vnode label from extended attributes
 * @param mp File system mount point
 * @param mntlabel Mount point label
 * @param vp Vnode to label
 * @param vlabel Label associated with vp
 * @param name Name of the xattr
 * @see mpo_vnode_check_setextattr_t
 *
 * When an extended attribute is updated via the Vendor attribute management
 * functions, the MAC vnode label might also require an update.
 * Policies should first determine if 'name' matches their xattr label
 * name. If it does, the kernel has either replaced or removed the
 * named extended attribute that was previously associated with the
 * vnode. Normally labels should only be modified via MAC Framework label
 * management calls, but sometimes the user space components will directly
 * modify extended attributes. For example, 'cp', 'tar', etc. manage
 * extended attributes in userspace, not the kernel.
 *
 * This entry point is called after the label update has occurred, so
 * it cannot return a failure. However, the operation is preceded by
 * the mpo_vnode_check_setextattr() access control check.
 *
 * If the vnode label needs to be updated the policy should return
 * a non-zero value. The vnode label will be marked for re-association
 * by the framework.
 *
 * @return Non-zero if the vnode label must be re-associated, 0 otherwise.
 * Note that, unlike the other int entry points, this value is a
 * re-association request and not an errno: the xattr change has
 * already happened and cannot be refused here.
 */
typedef int mpo_vnode_label_update_extattr_t(
	struct mount *mp,
	struct label *mntlabel,
	struct vnode *vp,
	struct label *vlabel,
	const char *name
);
/**
 * @brief Update a vnode label
 * @param cred Subject credential
 * @param vp The vnode to relabel
 * @param vnodelabel Existing vnode label
 * @param label New label to replace existing label
 * @see mpo_vnode_check_label_update_t
 *
 * The subject identified by the credential has previously requested
 * and was authorized to relabel the vnode; this entry point allows
 * policies to perform the actual relabel operation. Policies should
 * update vnodelabel using the label stored in the label parameter.
 */
typedef void mpo_vnode_label_update_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *vnodelabel,
	struct label *label
);
/**
 * @brief Find detached signatures for a shared library
 * @param p Process trying to find the signature
 * @param vp Vnode of the shared library whose signature is requested
 * @param offset offset in the Mach-O that the signature is requested for (for fat binaries)
 * @param label Existing vnode label
 *
 * NOTE(review): the return contract of this entry point is not
 * documented here; presumably 0 on success and an errno value otherwise,
 * as for the other int entry points — confirm against the caller.
 */
typedef int mpo_vnode_find_sigs_t(
	struct proc *p,
	struct vnode *vp,
	off_t offset,
	struct label *label
);
/**
 * @brief Create a new vnode, backed by extended attributes
 * @param cred User credential for the creating process
 * @param mp File system mount point
 * @param mntlabel File system mount point label
 * @param dvp Parent directory vnode
 * @param dlabel Parent directory vnode label
 * @param vp Newly created vnode
 * @param vlabel Label to associate with the new vnode
 * @param cnp Component name for vp
 *
 * Write out the label for the newly created vnode, most likely storing
 * the results in a file system extended attribute. Most policies will
 * derive the new vnode label using information from a combination
 * of the subject (user) credential, the file system label, the parent
 * directory label, and potentially the path name component.
 *
 * @return If the operation succeeds, store the new label in vlabel and
 * return 0. Otherwise, return an appropriate errno value.
 */
typedef int mpo_vnode_notify_create_t(
	kauth_cred_t cred,
	struct mount *mp,
	struct label *mntlabel,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *vp,
	struct label *vlabel,
	struct componentname *cnp
);

/**
 * @brief Inform MAC policies that a vnode has been opened
 * @param cred User credential for the opening process
 * @param vp vnode opened
 * @param label Policy label for the vp
 * @param acc_mode open(2) access mode used
 *
 * Inform MAC policies that a vnode has been successfully opened
 * (passing all MAC policies and DAC).
 *
 * This and the other void mpo_*_notify_* entry points that follow run
 * after the operation has already succeeded and cannot veto it; access
 * decisions belong in the corresponding mpo_*_check_* entry point.
 * Notify hooks are suited to auditing, accounting and label bookkeeping.
 */
typedef void mpo_vnode_notify_open_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	int acc_mode
);

/**
 * @brief Inform MAC policies that a vnode has been renamed
 * @param cred User credential for the renaming process
 * @param vp Vnode that's being renamed
 * @param label Policy label for vp
 * @param dvp Parent directory for the destination
 * @param dlabel Policy label for dvp
 * @param cnp Component name for the destination
 *
 * Inform MAC policies that a vnode has been renamed.
 */
typedef void mpo_vnode_notify_rename_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	struct vnode *dvp,
	struct label *dlabel,
	struct componentname *cnp
);

/**
 * @brief Inform MAC policies that two vnodes were atomically swapped.
 * @param cred User credential for the renaming process
 * @param v1 vnode 1 to swap
 * @param vl1 Policy label for v1
 * @param v2 vnode 2 to swap
 * @param vl2 Policy label for v2
 *
 * Inform MAC policies that two vnodes were atomically swapped.
 * NOTE: If a policy implements this notify hook, then this hook will be
 * called instead of two calls to the vnode_notify_rename hook (one for each
 * member of the swap). A policy that keeps per-path state in its
 * vnode_notify_rename hook must therefore also handle it here, or it
 * will miss swaps entirely.
 */
typedef void mpo_vnode_notify_swap_t(
	kauth_cred_t cred,
	struct vnode *v1,
	struct label *vl1,
	struct vnode *v2,
	struct label *vl2
);

/**
 * @brief Inform MAC policies that a vnode has been linked
 * @param cred User credential for the linking process
 * @param dvp Parent directory for the destination
 * @param dlabel Policy label for dvp
 * @param vp Vnode that's being linked
 * @param vlabel Policy label for vp
 * @param cnp Component name for the destination
 *
 * Inform MAC policies that a vnode has been linked.
 */
typedef void mpo_vnode_notify_link_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *vp,
	struct label *vlabel,
	struct componentname *cnp
);

/**
 * @brief Inform MAC policies that an extended attribute has been removed from a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param name Extended attribute name
 *
 * Inform MAC policies that an extended attribute has been removed from a vnode.
 */
typedef void mpo_vnode_notify_deleteextattr_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	const char *name
);


/**
 * @brief Inform MAC policies that an ACL has been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param acl ACL structure pointer
 *
 * Inform MAC policies that an ACL has been set on a vnode.
 */
typedef void mpo_vnode_notify_setacl_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	struct kauth_acl *acl
);

/**
 * @brief Inform MAC policies that attributes have been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param alist List of attributes to set
 *
 * Inform MAC policies that attributes have been set on a vnode.
 */
typedef void mpo_vnode_notify_setattrlist_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	struct attrlist *alist
);

/**
 * @brief Inform MAC policies that an extended attribute has been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param name Extended attribute name
 * @param uio I/O structure pointer
 *
 * Inform MAC policies that an extended attribute has been set on a vnode.
 */
typedef void mpo_vnode_notify_setextattr_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	const char *name,
	struct uio *uio
);

/**
 * @brief Inform MAC policies that flags have been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param flags File flags; see chflags(2)
 *
 * Inform MAC policies that flags have been set on a vnode.
 */
typedef void mpo_vnode_notify_setflags_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	u_long flags
);

/**
 * @brief Inform MAC policies that a new mode has been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param mode File mode; see chmod(2)
 *
 * Inform MAC policies that a new mode has been set on a vnode.
 */
typedef void mpo_vnode_notify_setmode_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	mode_t mode
);

/**
 * @brief Inform MAC policies that new uid/gid have been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param uid User ID
 * @param gid Group ID
 *
 * Inform MAC policies that new uid/gid have been set on a vnode.
 */
typedef void mpo_vnode_notify_setowner_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	uid_t uid,
	gid_t gid
);

/**
 * @brief Inform MAC policies that new timestamps have been set on a vnode
 * @param cred Subject credential
 * @param vp Object vnode
 * @param label Policy label for vp
 * @param atime Access time; see utimes(2)
 * @param mtime Modification time; see utimes(2)
 *
 * Inform MAC policies that new timestamps have been set on a vnode.
 */
typedef void mpo_vnode_notify_setutimes_t(
	kauth_cred_t cred,
	struct vnode *vp,
	struct label *label,
	struct timespec atime,
	struct timespec mtime
);

/**
 * @brief Inform MAC policies that a vnode has been truncated
 * @param cred Subject credential
 * @param file_cred Credential associated with the struct fileproc
 * @param vp Object vnode
 * @param label Policy label for vp
 *
 * Inform MAC policies that a vnode has been truncated.
 *
 * NOTE(review): unlike mpo_vnode_check_write_t, file_cred is not marked
 * NULLOK here — confirm whether callers may pass NULL before relying on it.
 */
typedef void mpo_vnode_notify_truncate_t(
	kauth_cred_t cred,
	kauth_cred_t file_cred,
	struct vnode *vp,
	struct label *label
);


/**
 * @brief Inform MAC policies that a pty slave has been granted
 * @param p Responsible process
 * @param tp tty data structure
 * @param dev Major and minor numbers of device
 * @param label Policy label for tp
 *
 * Inform MAC policies that a pty slave has been granted.
 */
typedef void mpo_pty_notify_grant_t(
	proc_t p,
	struct tty *tp,
	dev_t dev,
	struct label *label
);

/**
 * @brief Inform MAC policies that a pty master has been closed
 * @param p Responsible process
 * @param tp tty data structure
 * @param dev Major and minor numbers of device
 * @param label Policy label for tp
 *
 * Inform MAC policies that a pty master has been closed.
 */
typedef void mpo_pty_notify_close_t(
	proc_t p,
	struct tty *tp,
	dev_t dev,
	struct label *label
);

/**
 * @brief Access control check for kext loading
 * @param cred Subject credential
 * @param identifier Kext identifier
 *
 * Determine whether the subject identified by the credential can load the
 * specified kext.
 *
 * NOTE(review): the provenance and bounds of identifier are not documented
 * here; a policy should treat it as an untrusted NUL-terminated string
 * and not assume a fixed maximum length.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EPERM for lack of privilege.
 */
typedef int mpo_kext_check_load_t(
	kauth_cred_t cred,
	const char *identifier
);

/**
 * @brief Access control check for kext unloading
 * @param cred Subject credential
 * @param identifier Kext identifier
 *
 * Determine whether the subject identified by the credential can unload the
 * specified kext.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EPERM for lack of privilege.
 */
typedef int mpo_kext_check_unload_t(
	kauth_cred_t cred,
	const char *identifier
);

/**
 * @brief Access control check for querying information about loaded kexts
 * @param cred Subject credential
 *
 * Determine whether the subject identified by the credential can query
 * information about loaded kexts.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned. Suggested failure: EPERM for lack of privilege.
 */
typedef int mpo_kext_check_query_t(
	kauth_cred_t cred
);

/**
 * @brief Inform MAC policies that a vnode is being reclaimed
 * @param vp Object vnode
 *
 * Any external accounting tracking this vnode must consider it to be no longer valid.
 *
 * Only the vnode is passed (no credential and no label): a policy that
 * keeps vp pointers in its own tables must drop them here, since holding
 * on to them afterwards is a use-after-reclaim.
 */
typedef void mpo_vnode_notify_reclaim_t(
	struct vnode *vp
);

/**
 * @brief Inform MAC policies that a vnode has been deleted
 * @param cred Subject credential
 * @param dvp Parent directory vnode
 * @param dlabel Policy label for dvp
 * @param vp Object vnode to delete
 * @param label Policy label for vp
 * @param cnp Component name for vp
 *
 * Inform MAC policies that a vnode has been successfully deleted
 * (passing all MAC policies and DAC).
 */
typedef void mpo_vnode_notify_unlink_t(
	kauth_cred_t cred,
	struct vnode *dvp,
	struct label *dlabel,
	struct vnode *vp,
	struct label *label,
	struct componentname *cnp
);

/**
 * @brief Access control check for grafting a Cryptex
 * @param cred Subject credential
 * @param graft_dir_vp Vnode that is to be the graft point
 *
 * Determine whether the subject identified by the credential can perform
 * the graft operation on the target vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_graft_check_graft_t(
	kauth_cred_t cred,
	struct vnode *graft_dir_vp
);

/**
 * @brief Access control check for ungrafting a Cryptex
 * @param cred Subject credential
 * @param graft_dir_vp Vnode of graft point to be ungrafted
 *
 * Determine whether the subject identified by the credential can perform
 * the ungraft operation on the target vnode.
 *
 * @return Return 0 if access is granted, otherwise an appropriate value for
 * errno should be returned.
 */
typedef int mpo_graft_check_ungraft_t(
	kauth_cred_t cred,
	struct vnode *graft_dir_vp
);

/**
 * @brief Notify on successful Cryptex graft
 * @param cred Subject credential
 * @param graft_dir_vp Vnode of graft point
 *
 * Notify on successful Cryptex graft.
 */
typedef void mpo_graft_notify_graft_t(
	kauth_cred_t cred,
	struct vnode *graft_dir_vp
);

/**
 * @brief Notify on successful Cryptex ungraft
 * @param cred Subject credential
 * @param graft_dir_vp Vnode of graft point
 *
 * Notify on successful Cryptex ungraft.
 */
typedef void mpo_graft_notify_ungraft_t(
	kauth_cred_t cred,
	struct vnode *graft_dir_vp
);

/*
 * Placeholder for future events that may need mac hooks.
 *
 * Reserved slots in struct mac_policy_ops use this type; a policy
 * should leave the mpo_reservedNN members unset (presumably NULL —
 * confirm against the framework's dispatch code).
 */
typedef void mpo_reserved_hook_t(void);

/*
 * Policy module operations.
 *
 * Please note that this should be kept in sync with the check assumptions
 * policy in bsd/kern/policy_check.c (policy_ops struct).
5965 */ 5966 #define MAC_POLICY_OPS_VERSION 91 /* inc when new reserved slots are taken */ 5967 struct mac_policy_ops { 5968 mpo_audit_check_postselect_t *mpo_audit_check_postselect; 5969 mpo_audit_check_preselect_t *mpo_audit_check_preselect; 5970 5971 mpo_graft_check_graft_t *mpo_graft_check_graft; 5972 mpo_graft_check_ungraft_t *mpo_graft_check_ungraft; 5973 mpo_graft_notify_graft_t *mpo_graft_notify_graft; 5974 mpo_graft_notify_ungraft_t *mpo_graft_notify_ungraft; 5975 5976 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; 5977 mpo_cred_check_label_update_t *mpo_cred_check_label_update; 5978 mpo_cred_check_visible_t *mpo_cred_check_visible; 5979 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork; 5980 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel; 5981 mpo_cred_label_associate_t *mpo_cred_label_associate; 5982 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user; 5983 mpo_cred_label_destroy_t *mpo_cred_label_destroy; 5984 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit; 5985 mpo_cred_label_externalize_t *mpo_cred_label_externalize; 5986 mpo_cred_label_init_t *mpo_cred_label_init; 5987 mpo_cred_label_internalize_t *mpo_cred_label_internalize; 5988 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve; 5989 mpo_cred_label_update_t *mpo_cred_label_update; 5990 5991 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device; 5992 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory; 5993 mpo_devfs_label_copy_t *mpo_devfs_label_copy; 5994 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; 5995 mpo_devfs_label_init_t *mpo_devfs_label_init; 5996 mpo_devfs_label_update_t *mpo_devfs_label_update; 5997 5998 mpo_file_check_change_offset_t *mpo_file_check_change_offset; 5999 mpo_file_check_create_t *mpo_file_check_create; 6000 mpo_file_check_dup_t *mpo_file_check_dup; 6001 mpo_file_check_fcntl_t *mpo_file_check_fcntl; 6002 
mpo_file_check_get_offset_t *mpo_file_check_get_offset; 6003 mpo_file_check_get_t *mpo_file_check_get; 6004 mpo_file_check_inherit_t *mpo_file_check_inherit; 6005 mpo_file_check_ioctl_t *mpo_file_check_ioctl; 6006 mpo_file_check_lock_t *mpo_file_check_lock; 6007 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade; 6008 mpo_file_check_mmap_t *mpo_file_check_mmap; 6009 mpo_file_check_receive_t *mpo_file_check_receive; 6010 mpo_file_check_set_t *mpo_file_check_set; 6011 mpo_file_label_init_t *mpo_file_label_init; /* deprecated not called anymore */ 6012 mpo_file_label_destroy_t *mpo_file_label_destroy; /* deprecated not called anymore */ 6013 mpo_file_label_associate_t *mpo_file_label_associate; /* deprecated not called anymore */ 6014 mpo_file_notify_close_t *mpo_file_notify_close; 6015 6016 mpo_proc_check_launch_constraints_t *mpo_proc_check_launch_constraints; 6017 mpo_proc_notify_service_port_derive_t *mpo_proc_notify_service_port_derive; 6018 mpo_proc_check_set_task_exception_port_t *mpo_proc_check_set_task_exception_port; 6019 mpo_proc_check_set_thread_exception_port_t *mpo_proc_check_set_thread_exception_port; 6020 6021 mpo_reserved_hook_t *mpo_reserved08; 6022 mpo_reserved_hook_t *mpo_reserved09; 6023 mpo_reserved_hook_t *mpo_reserved10; 6024 mpo_reserved_hook_t *mpo_reserved11; 6025 mpo_reserved_hook_t *mpo_reserved12; 6026 mpo_reserved_hook_t *mpo_reserved13; 6027 mpo_reserved_hook_t *mpo_reserved14; 6028 mpo_reserved_hook_t *mpo_reserved15; 6029 mpo_reserved_hook_t *mpo_reserved16; 6030 mpo_reserved_hook_t *mpo_reserved17; 6031 mpo_reserved_hook_t *mpo_reserved18; 6032 mpo_reserved_hook_t *mpo_reserved19; 6033 mpo_reserved_hook_t *mpo_reserved20; 6034 mpo_reserved_hook_t *mpo_reserved21; 6035 mpo_reserved_hook_t *mpo_reserved22; 6036 6037 mpo_necp_check_open_t *mpo_necp_check_open; 6038 mpo_necp_check_client_action_t *mpo_necp_check_client_action; 6039 6040 mpo_file_check_library_validation_t *mpo_file_check_library_validation; 6041 6042 
mpo_vnode_notify_setacl_t *mpo_vnode_notify_setacl; 6043 mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist; 6044 mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr; 6045 mpo_vnode_notify_setflags_t *mpo_vnode_notify_setflags; 6046 mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode; 6047 mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner; 6048 mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes; 6049 mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate; 6050 mpo_vnode_check_getattrlistbulk_t *mpo_vnode_check_getattrlistbulk; 6051 6052 mpo_proc_check_get_task_special_port_t *mpo_proc_check_get_task_special_port; 6053 mpo_proc_check_set_task_special_port_t *mpo_proc_check_set_task_special_port; 6054 6055 mpo_vnode_notify_swap_t *mpo_vnode_notify_swap; 6056 mpo_vnode_notify_unlink_t *mpo_vnode_notify_unlink; 6057 mpo_vnode_check_swap_t *mpo_vnode_check_swap; 6058 mpo_vnode_check_dataprotect_set_t *mpo_vnode_check_dataprotect_set; 6059 mpo_mount_check_remount_with_flags_t *mpo_mount_check_remount_with_flags; 6060 mpo_mount_notify_mount_t *mpo_mount_notify_mount; 6061 mpo_vnode_check_copyfile_t *mpo_vnode_check_copyfile; 6062 6063 mpo_mount_check_quotactl_t *mpo_mount_check_quotactl; 6064 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl; 6065 mpo_mount_check_getattr_t *mpo_mount_check_getattr; 6066 mpo_mount_check_label_update_t *mpo_mount_check_label_update; 6067 mpo_mount_check_mount_t *mpo_mount_check_mount; 6068 mpo_mount_check_remount_t *mpo_mount_check_remount; 6069 mpo_mount_check_setattr_t *mpo_mount_check_setattr; 6070 mpo_mount_check_stat_t *mpo_mount_check_stat; 6071 mpo_mount_check_umount_t *mpo_mount_check_umount; 6072 mpo_mount_label_associate_t *mpo_mount_label_associate; 6073 mpo_mount_label_destroy_t *mpo_mount_label_destroy; 6074 mpo_mount_label_externalize_t *mpo_mount_label_externalize; 6075 mpo_mount_label_init_t *mpo_mount_label_init; 6076 mpo_mount_label_internalize_t *mpo_mount_label_internalize; 6077 6078 
mpo_proc_check_expose_task_with_flavor_t *mpo_proc_check_expose_task_with_flavor; 6079 mpo_proc_check_get_task_with_flavor_t *mpo_proc_check_get_task_with_flavor; 6080 mpo_proc_check_task_id_token_get_task_t *mpo_proc_check_task_id_token_get_task; 6081 6082 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; 6083 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; 6084 mpo_reserved_hook_t *mpo_reserved41; 6085 mpo_pipe_check_read_t *mpo_pipe_check_read; 6086 mpo_pipe_check_select_t *mpo_pipe_check_select; 6087 mpo_pipe_check_stat_t *mpo_pipe_check_stat; 6088 mpo_pipe_check_write_t *mpo_pipe_check_write; 6089 mpo_pipe_label_associate_t *mpo_pipe_label_associate; 6090 mpo_reserved_hook_t *mpo_reserved42; 6091 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy; 6092 mpo_reserved_hook_t *mpo_reserved43; 6093 mpo_pipe_label_init_t *mpo_pipe_label_init; 6094 mpo_reserved_hook_t *mpo_reserved44; 6095 mpo_proc_check_syscall_mac_t *mpo_proc_check_syscall_mac; 6096 6097 mpo_policy_destroy_t *mpo_policy_destroy; 6098 mpo_policy_init_t *mpo_policy_init; 6099 mpo_policy_initbsd_t *mpo_policy_initbsd; 6100 mpo_policy_syscall_t *mpo_policy_syscall; 6101 6102 mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname; 6103 mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports; 6104 mpo_vnode_check_rename_t *mpo_vnode_check_rename; 6105 mpo_kext_check_query_t *mpo_kext_check_query; 6106 mpo_proc_notify_exec_complete_t *mpo_proc_notify_exec_complete; 6107 mpo_proc_notify_cs_invalidated_t *mpo_proc_notify_cs_invalidated; 6108 mpo_proc_check_syscall_unix_t *mpo_proc_check_syscall_unix; 6109 mpo_reserved_hook_t *mpo_reserved45; 6110 mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port; 6111 mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port; 6112 mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send; 6113 mpo_exc_action_label_associate_t *mpo_exc_action_label_associate; 6114 
mpo_exc_action_label_populate_t *mpo_exc_action_label_populate; 6115 mpo_exc_action_label_destroy_t *mpo_exc_action_label_destroy; 6116 mpo_exc_action_label_init_t *mpo_exc_action_label_init; 6117 mpo_exc_action_label_update_t *mpo_exc_action_label_update; 6118 6119 mpo_vnode_check_trigger_resolve_t *mpo_vnode_check_trigger_resolve; 6120 mpo_mount_check_mount_late_t *mpo_mount_check_mount_late; 6121 mpo_mount_check_snapshot_mount_t *mpo_mount_check_snapshot_mount; 6122 mpo_vnode_notify_reclaim_t *mpo_vnode_notify_reclaim; 6123 mpo_skywalk_flow_check_connect_t *mpo_skywalk_flow_check_connect; 6124 mpo_skywalk_flow_check_listen_t *mpo_skywalk_flow_check_listen; 6125 6126 mpo_posixsem_check_create_t *mpo_posixsem_check_create; 6127 mpo_posixsem_check_open_t *mpo_posixsem_check_open; 6128 mpo_posixsem_check_post_t *mpo_posixsem_check_post; 6129 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink; 6130 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait; 6131 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate; 6132 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy; 6133 mpo_posixsem_label_init_t *mpo_posixsem_label_init; 6134 mpo_posixshm_check_create_t *mpo_posixshm_check_create; 6135 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap; 6136 mpo_posixshm_check_open_t *mpo_posixshm_check_open; 6137 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat; 6138 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate; 6139 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink; 6140 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate; 6141 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy; 6142 mpo_posixshm_label_init_t *mpo_posixshm_label_init; 6143 6144 mpo_proc_check_debug_t *mpo_proc_check_debug; 6145 mpo_proc_check_fork_t *mpo_proc_check_fork; 6146 mpo_reserved_hook_t *mpo_reserved61; 6147 mpo_reserved_hook_t *mpo_reserved62; 6148 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; 6149 mpo_proc_check_getauid_t *mpo_proc_check_getauid; 
6150 mpo_reserved_hook_t *mpo_reserved63; 6151 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; 6152 mpo_proc_check_sched_t *mpo_proc_check_sched; 6153 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; 6154 mpo_proc_check_setauid_t *mpo_proc_check_setauid; 6155 mpo_proc_check_iopolicysys_t *mpo_proc_check_iopolicysys; 6156 mpo_proc_check_signal_t *mpo_proc_check_signal; 6157 mpo_proc_check_wait_t *mpo_proc_check_wait; 6158 mpo_proc_check_dump_core_t *mpo_proc_check_dump_core; 6159 mpo_proc_check_remote_thread_create_t *mpo_proc_check_remote_thread_create; 6160 6161 mpo_socket_check_accept_t *mpo_socket_check_accept; 6162 mpo_socket_check_accepted_t *mpo_socket_check_accepted; 6163 mpo_socket_check_bind_t *mpo_socket_check_bind; 6164 mpo_socket_check_connect_t *mpo_socket_check_connect; 6165 mpo_socket_check_create_t *mpo_socket_check_create; 6166 mpo_reserved_hook_t *mpo_reserved46; 6167 mpo_reserved_hook_t *mpo_reserved47; 6168 mpo_reserved_hook_t *mpo_reserved48; 6169 mpo_socket_check_listen_t *mpo_socket_check_listen; 6170 mpo_socket_check_receive_t *mpo_socket_check_receive; 6171 mpo_socket_check_received_t *mpo_socket_check_received; 6172 mpo_reserved_hook_t *mpo_reserved49; 6173 mpo_socket_check_send_t *mpo_socket_check_send; 6174 mpo_socket_check_stat_t *mpo_socket_check_stat; 6175 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt; 6176 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt; 6177 6178 mpo_proc_check_get_movable_control_port_t *mpo_proc_check_get_movable_control_port; 6179 mpo_proc_check_dyld_process_info_notify_register_t *mpo_proc_check_dyld_process_info_notify_register; 6180 mpo_proc_check_setuid_t *mpo_proc_check_setuid; 6181 mpo_proc_check_seteuid_t *mpo_proc_check_seteuid; 6182 mpo_proc_check_setreuid_t *mpo_proc_check_setreuid; 6183 mpo_proc_check_setgid_t *mpo_proc_check_setgid; 6184 mpo_proc_check_setegid_t *mpo_proc_check_setegid; 6185 mpo_proc_check_setregid_t *mpo_proc_check_setregid; 6186 mpo_proc_check_settid_t 
*mpo_proc_check_settid; 6187 mpo_proc_check_memorystatus_control_t *mpo_proc_check_memorystatus_control; 6188 mpo_reserved_hook_t *mpo_reserved60; 6189 6190 mpo_thread_telemetry_t *mpo_thread_telemetry; 6191 6192 mpo_iokit_check_open_service_t *mpo_iokit_check_open_service; 6193 6194 mpo_system_check_acct_t *mpo_system_check_acct; 6195 mpo_system_check_audit_t *mpo_system_check_audit; 6196 mpo_system_check_auditctl_t *mpo_system_check_auditctl; 6197 mpo_system_check_auditon_t *mpo_system_check_auditon; 6198 mpo_system_check_host_priv_t *mpo_system_check_host_priv; 6199 mpo_system_check_nfsd_t *mpo_system_check_nfsd; 6200 mpo_system_check_reboot_t *mpo_system_check_reboot; 6201 mpo_system_check_settime_t *mpo_system_check_settime; 6202 mpo_system_check_swapoff_t *mpo_system_check_swapoff; 6203 mpo_system_check_swapon_t *mpo_system_check_swapon; 6204 mpo_socket_check_ioctl_t *mpo_socket_check_ioctl; 6205 6206 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate; 6207 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy; 6208 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init; 6209 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle; 6210 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue; 6211 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv; 6212 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid; 6213 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl; 6214 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget; 6215 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv; 6216 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd; 6217 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate; 6218 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy; 6219 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init; 6220 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle; 6221 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl; 6222 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget; 6223 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop; 6224 
mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate; 6225 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy; 6226 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init; 6227 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle; 6228 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat; 6229 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl; 6230 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt; 6231 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget; 6232 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate; 6233 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy; 6234 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init; 6235 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle; 6236 6237 mpo_proc_notify_exit_t *mpo_proc_notify_exit; 6238 mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert; 6239 mpo_vnode_check_getattr_t *mpo_vnode_check_getattr; 6240 mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create; 6241 mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete; 6242 mpo_vnode_check_clone_t *mpo_vnode_check_clone; 6243 mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info; 6244 mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info; 6245 6246 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control; 6247 6248 mpo_vnode_check_access_t *mpo_vnode_check_access; 6249 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; 6250 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; 6251 mpo_vnode_check_create_t *mpo_vnode_check_create; 6252 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr; 6253 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata; 6254 mpo_vnode_check_exec_t *mpo_vnode_check_exec; 6255 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist; 6256 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr; 6257 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl; 6258 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter; 6259 mpo_vnode_check_label_update_t 
*mpo_vnode_check_label_update; 6260 mpo_vnode_check_link_t *mpo_vnode_check_link; 6261 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; 6262 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; 6263 mpo_vnode_check_open_t *mpo_vnode_check_open; 6264 mpo_vnode_check_read_t *mpo_vnode_check_read; 6265 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; 6266 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink; 6267 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from; 6268 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to; 6269 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke; 6270 mpo_vnode_check_select_t *mpo_vnode_check_select; 6271 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist; 6272 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr; 6273 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags; 6274 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode; 6275 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; 6276 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; 6277 mpo_vnode_check_stat_t *mpo_vnode_check_stat; 6278 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; 6279 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink; 6280 mpo_vnode_check_write_t *mpo_vnode_check_write; 6281 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs; 6282 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr; 6283 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file; 6284 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe; 6285 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem; 6286 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm; 6287 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel; 6288 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket; 6289 mpo_vnode_label_copy_t *mpo_vnode_label_copy; 6290 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy; 6291 mpo_vnode_label_externalize_audit_t 
*mpo_vnode_label_externalize_audit; 6292 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize; 6293 mpo_vnode_label_init_t *mpo_vnode_label_init; 6294 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize; 6295 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle; 6296 mpo_vnode_label_store_t *mpo_vnode_label_store; 6297 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr; 6298 mpo_vnode_label_update_t *mpo_vnode_label_update; 6299 mpo_vnode_notify_create_t *mpo_vnode_notify_create; 6300 mpo_vnode_check_signature_t *mpo_vnode_check_signature; 6301 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind; 6302 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect; 6303 6304 mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid; 6305 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume; 6306 6307 mpo_thread_userret_t *mpo_thread_userret; 6308 6309 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties; 6310 6311 mpo_vnode_check_supplemental_signature_t *mpo_vnode_check_supplemental_signature; 6312 6313 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs; 6314 6315 mpo_priv_check_t *mpo_priv_check; 6316 mpo_priv_grant_t *mpo_priv_grant; 6317 6318 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon; 6319 6320 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath; 6321 6322 mpo_iokit_check_open_t *mpo_iokit_check_open; 6323 6324 mpo_proc_check_ledger_t *mpo_proc_check_ledger; 6325 6326 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename; 6327 6328 mpo_vnode_check_setacl_t *mpo_vnode_check_setacl; 6329 6330 mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr; 6331 6332 mpo_system_check_kas_info_t *mpo_system_check_kas_info; 6333 6334 mpo_vnode_check_lookup_preflight_t *mpo_vnode_check_lookup_preflight; 6335 6336 mpo_vnode_notify_open_t *mpo_vnode_notify_open; 6337 6338 mpo_system_check_info_t *mpo_system_check_info; 6339 6340 mpo_pty_notify_grant_t *mpo_pty_notify_grant; 6341 mpo_pty_notify_close_t 
*mpo_pty_notify_close; 6342 6343 mpo_vnode_find_sigs_t *mpo_vnode_find_sigs; 6344 6345 mpo_kext_check_load_t *mpo_kext_check_load; 6346 mpo_kext_check_unload_t *mpo_kext_check_unload; 6347 6348 mpo_proc_check_proc_info_t *mpo_proc_check_proc_info; 6349 mpo_vnode_notify_link_t *mpo_vnode_notify_link; 6350 mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties; 6351 mpo_iokit_check_get_property_t *mpo_iokit_check_get_property; 6352 }; 6353 6354 /** 6355 * @brief MAC policy handle type 6356 * 6357 * The MAC handle is used to uniquely identify a loaded policy within 6358 * the MAC Framework. 6359 * 6360 * A variable of this type is set by mac_policy_register(). 6361 */ 6362 typedef unsigned int mac_policy_handle_t; 6363 6364 #define mpc_t struct mac_policy_conf * 6365 6366 /** 6367 * @brief Mac policy configuration 6368 * 6369 * This structure specifies the configuration information for a 6370 * MAC policy module. A policy module developer must supply 6371 * a short unique policy name, a more descriptive full name, a list of label 6372 * namespaces and count, a pointer to the registered enty point operations, 6373 * any load time flags, and optionally, a pointer to a label slot identifier. 6374 * 6375 * The Framework will update the runtime flags (mpc_runtime_flags) to 6376 * indicate that the module has been registered. 6377 * 6378 * If the label slot identifier (mpc_field_off) is NULL, the Framework 6379 * will not provide label storage for the policy. Otherwise, the 6380 * Framework will store the label location (slot) in this field. 6381 * 6382 * The mpc_list field is used by the Framework and should not be 6383 * modified by policies. 
*/
/* XXX - reorder these for better alignment on 64bit platforms */
struct mac_policy_conf {
	const char		*mpc_name;		/**< short unique policy name; MAC_POLICY_SET() fills it from the stringified mpname argument */
	const char		*mpc_fullname;		/**< more descriptive full name */
	char const * const *mpc_labelnames;	/**< managed label namespaces, mpc_labelname_count entries */
	unsigned int		 mpc_labelname_count;	/**< number of entries in mpc_labelnames */
	const struct mac_policy_ops	*mpc_ops;		/**< registered entry point operations; the pointed-to vector is const */
	int			 mpc_loadtime_flags;	/**< MPC_LOADTIME_* flags supplied by the policy (see below) */
	int			*mpc_field_off;		/**< label slot: NULL means the Framework provides no label storage, otherwise it stores the slot here */
	int			 mpc_runtime_flags;	/**< MPC_RUNTIME_* flags written by the Framework, e.g. MPC_RUNTIME_FLAG_REGISTERED */
	mpc_t			 mpc_list;		/**< list linkage owned by the Framework; policies must not modify it */
	void			*mpc_data;		/**< module-private data; not initialized by MAC_POLICY_SET() */
};

/**
 * @brief MAC policy module registration routine
 * @param mpc policy configuration; the Framework writes mpc_runtime_flags,
 *        mpc_field_off and mpc_list into it after registration, so it is
 *        presumably expected to stay valid for the policy's lifetime
 *        (MAC_POLICY_SET() gives it static storage)
 * @param handlep receives the handle that identifies the registered policy
 * @param xd opaque data; MAC_POLICY_SET() forwards the kext start routine's
 *        xd argument here, its interpretation is not visible in this header
 * @return registration status, propagated by MAC_POLICY_SET() as the kext
 *         start status; assumed to be 0 on success -- confirm against the
 *         implementation
 *
 * This function is called to register a policy with the
 * MAC framework. A policy module will typically call this from the
 * Darwin KEXT registration routine. A policy that sets
 * MPC_LOADTIME_FLAG_NOTLATE is rejected when registration is attempted
 * after boot, and only one policy may declare MPC_LOADTIME_BASE_POLICY.
 */
int	mac_policy_register(struct mac_policy_conf *mpc,
    mac_policy_handle_t *handlep, void *xd);

/**
 * @brief MAC policy module de-registration routine
 * @param handle handle set by mac_policy_register()
 * @return de-registration status, propagated by MAC_POLICY_SET() as the
 *         kext stop status
 *
 * This function is called to de-register a policy with the
 * MAC framework. A policy module will typically call this from the
 * Darwin KEXT de-registration routine. The Framework rejects the request
 * unless the policy was registered with MPC_LOADTIME_FLAG_UNLOADOK set.
 */
int	mac_policy_unregister(mac_policy_handle_t handle);

/*
 * Framework entry points for the policies to add audit data.
 *
 * text is the record text supplied by the policy and handle identifies the
 * calling policy. At most MAC_AUDIT_DATA_LIMIT bytes are logged (see below).
 * NOTE(review): text is not const-qualified; whether the callee modifies it
 * is not visible in this header.
 */
int	mac_audit_text(char *text, mac_policy_handle_t handle);

/*
 * Calls to assist with use of Apple XATTRs within policy modules.
 *
 * The parameters are, in order: the vnode, the extended attribute name,
 * the value buffer and its size. mac_vnop_getxattr() additionally returns
 * the full attribute size through the trailing size_t *, presumably
 * mirroring mac_file_getxattr()'s attrlen below. The size must bound the
 * buffer on both the set and the get path.
 */
int	mac_vnop_setxattr(struct vnode *, const char *, char *, size_t);
int	mac_vnop_getxattr(struct vnode *, const char *, char *, size_t,
    size_t *);
int	mac_vnop_removexattr(struct vnode *, const char *);

/**
 * @brief Set an extended attribute on a vnode-based fileglob.
 * @param fg fileglob representing file to attach the extended attribute
 * @param name extended attribute name
 * @param buf buffer of data to use as the extended attribute value
 * @param len size of buffer
 *
 * Sets the value of an extended attribute on a file.
 *
 * Caller must hold an iocount on the vnode represented by the fileglob.
 * Only available to KERNEL_PRIVATE consumers.
 */
#ifdef KERNEL_PRIVATE
int mac_file_setxattr(struct fileglob *fg, const char *name, char *buf, size_t len);
#endif

/**
 * @brief Get an extended attribute from a vnode-based fileglob.
 * @param fg fileglob representing file to read the extended attribute
 * @param name extended attribute name
 * @param buf buffer of data to hold the extended attribute value
 * @param len size of buffer
 * @param attrlen size of full extended attribute value
 *
 * Gets the value of an extended attribute on a file. attrlen reports the
 * full value size, so a caller can detect that buf (len bytes) was too
 * small to hold all of it.
 *
 * Caller must hold an iocount on the vnode represented by the fileglob.
 * Only available to KERNEL_PRIVATE consumers.
 */
#ifdef KERNEL_PRIVATE
int mac_file_getxattr(struct fileglob *fg, const char *name, char *buf, size_t len,
    size_t *attrlen);
#endif

/**
 * @brief Remove an extended attribute from a vnode-based fileglob.
 * @param fg fileglob representing file to remove the extended attribute
 * @param name extended attribute name
 *
 * Removes the named extended attribute from the file.
 *
 * Caller must hold an iocount on the vnode represented by the fileglob.
 * Only available to KERNEL_PRIVATE consumers.
 */
#ifdef KERNEL_PRIVATE
int mac_file_removexattr(struct fileglob *fg, const char *name);
#endif

/*
 * Arbitrary limit on how much data will be logged by the audit
 * entry points above (mac_audit_text()).
 */
#define MAC_AUDIT_DATA_LIMIT    1024

/*
 * Values returned by mac_audit_{pre,post}select. To combine the responses
 * of the security policies into a single decision,
 * mac_audit_{pre,post}select() choose the greatest value returned.
 * Because MAC_AUDIT_YES is the largest value, a single policy answering
 * MAC_AUDIT_YES forces auditing even if another policy answered
 * MAC_AUDIT_NO; MAC_AUDIT_NO only wins over MAC_AUDIT_DEFAULT.
 */
#define MAC_AUDIT_DEFAULT       0       /* use system behavior */
#define MAC_AUDIT_NO            1       /* force not auditing this event */
#define MAC_AUDIT_YES           2       /* force auditing this event */

//  \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field

/**
 * @name Flags for the mpc_loadtime_flags field
 * @see mac_policy_conf
 *
 * This is the complete list of flags that are supported by the
 * mpc_loadtime_flags field of the mac_policy_conf structure. These
 * flags specify the load time behavior of MAC Framework policy
 * modules.
 */

/*@{*/

/**
 * @brief Flag to indicate registration preference
 *
 * This flag indicates that the policy module must be loaded and
 * initialized early in the boot process. If the flag is specified,
 * attempts to register the module following boot will be rejected. The
 * flag may be used by policies that require pervasive labeling of all
 * system objects, and cannot handle objects that have not been
 * properly initialized by the policy.
 */
#define MPC_LOADTIME_FLAG_NOTLATE       0x00000001

/**
 * @brief Flag to indicate unload preference
 *
 * This flag indicates that the policy module may be unloaded. If this
 * flag is not set, then the policy framework will reject requests to
 * unload the module. This flag might be used by modules that allocate
 * label state and are unable to free that state at runtime, or for
 * modules that simply do not want to permit unload operations.
 */
#define MPC_LOADTIME_FLAG_UNLOADOK      0x00000002

/**
 * @brief Unsupported
 *
 * XXX This flag is not yet supported.
 */
#define MPC_LOADTIME_FLAG_LABELMBUFS    0x00000004

/**
 * @brief Flag to indicate a base policy
 *
 * This flag indicates that the policy module is a base policy. Only
 * one module can declare itself as base, otherwise the boot process
 * will be halted.
 */
#define MPC_LOADTIME_BASE_POLICY        0x00000008

/*@}*/

/**
 * @brief Policy registration flag
 * @see mac_policy_conf
 *
 * This flag indicates that the policy module has been successfully
 * registered with the TrustedBSD MAC Framework. The Framework will
 * set this flag in the mpc_runtime_flags field of the policy's
 * mac_policy_conf structure after registering the policy.
 */
#define MPC_RUNTIME_FLAG_REGISTERED     0x00000001

/*
 * Depends on POLICY_VER: the kext version MAC_POLICY_SET() hands to
 * KMOD_EXPLICIT_DECL(). A policy may define it before including this
 * header; otherwise it defaults to 1.0.
 */

#ifndef POLICY_VER
#define POLICY_VER      1.0
#endif

/**
 * @brief Declare a policy's configuration and kext entry points in one step
 * @param handle lvalue of type mac_policy_handle_t that receives the handle
 *        from mac_policy_register() and is later passed to
 *        mac_policy_unregister()
 * @param mpops pointer to the policy's struct mac_policy_ops (mpc_ops)
 * @param mpname bare identifier: stringified into mpc_name, pasted into the
 *        name of the static mac_policy_conf, and used as the kext identifier
 *        security.<mpname>
 * @param mpfullname value for mpc_fullname
 * @param lnames value for mpc_labelnames
 * @param lcount value for mpc_labelname_count
 * @param slot value for mpc_field_off
 * @param lflags value for mpc_loadtime_flags
 * @param rflags value for mpc_runtime_flags
 *
 * The configuration gets static storage, so it outlives the start routine
 * that registers it; mpc_data is not initialized by this macro. kmod_start()
 * forwards its xd argument to mac_policy_register() and kmod_stop() calls
 * mac_policy_unregister(); ki is unused in both, as is xd in kmod_stop().
 * _start/_stop, _realmain/_antimain and _kext_apple_cc are the kext loader
 * plumbing. The expansion deliberately ends in
 * `int _kext_apple_cc = __APPLE_CC__` without a semicolon, so the
 * invocation is expected to supply it.
 */
#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \
	static struct mac_policy_conf mpname##_mac_policy_conf = {	\
		.mpc_name		= #mpname,				\
		.mpc_fullname		= mpfullname,				\
		.mpc_labelnames		= lnames,				\
		.mpc_labelname_count	= lcount,				\
		.mpc_ops		= mpops,				\
		.mpc_loadtime_flags	= lflags,				\
		.mpc_field_off		= slot,					\
		.mpc_runtime_flags	= rflags				\
	};								\
									\
	static kern_return_t						\
	kmod_start(kmod_info_t *ki, void *xd)				\
	{								\
		return mac_policy_register(&mpname##_mac_policy_conf,	\
		    &handle, xd);					\
	}								\
									\
	static kern_return_t						\
	kmod_stop(kmod_info_t *ki, void *xd)				\
	{								\
		return mac_policy_unregister(handle);			\
	}								\
									\
	extern kern_return_t _start(kmod_info_t *ki, void *data);	\
	extern kern_return_t _stop(kmod_info_t *ki, void *data);	\
									\
	KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop)	\
	kmod_start_func_t *_realmain = kmod_start;			\
	kmod_stop_func_t *_antimain = kmod_stop;			\
	int _kext_apple_cc = __APPLE_CC__

/*
 * Policy interface to map a struct label pointer to per-policy data.
 * Typically, policies wrap this in their own accessor macro that casts an
 * intptr_t to a policy-specific data type.
 *
 * slot is presumably the per-policy slot the Framework stored through
 * mpc_field_off at registration. NOTE(review): the flags argument of the
 * mac_labelzone_alloc*() routines is presumably MAC_WAITOK or MAC_NOWAIT
 * (below), and the sentinel passed to mac_vnode_label_get() is presumably
 * the value returned when the slot holds nothing -- neither is documented
 * here, confirm against the implementation. The extra_setup / extra_deinit
 * blocks are run for the label being allocated / freed.
 */
#ifdef KERNEL_PRIVATE
struct label * mac_label_verify(struct label **labelp);
intptr_t        mac_label_get(struct label *l, int slot);
/*
 * Sets a label slot to the given pointer value, `v`. `v` cannot be `~0ULL`.
 */
void            mac_label_set(struct label *l, int slot, intptr_t v);
struct label * mac_labelzone_alloc(int flags);
struct label * mac_labelzone_alloc_for_owner(struct label **labelp, int flags,
    void (^extra_setup)(struct label *));
struct label * mac_labelzone_alloc_owned(struct label **labelp, int flags,
    void (^extra_setup)(struct label *));
void            mac_labelzone_free(struct label *l);
void            mac_labelzone_free_owned(struct label **labelp,
    void (^extra_deinit)(struct label *));
intptr_t        mac_vnode_label_get(struct vnode *vp, int slot, intptr_t sentinel);
void            mac_vnode_label_set(struct vnode *vp, int slot, intptr_t v);
#endif

/*
 * Look up the mac_policy_conf registered under handle h. The expansion
 * indexes mac_policy_list.entries[h] with no bounds check on h, so only a
 * handle set by mac_policy_register() may be passed.
 */
#define mac_get_mpc(h)          (mac_policy_list.entries[h].mpc)

/**
 * @name Flags for MAC allocator interfaces
 *
 * These flags are passed to the Darwin kernel allocator routines to
 * indicate whether the allocation is permitted to block or not.
 * Caution should be taken; some operations are not permitted to sleep,
 * and some types of locks cannot be held when sleeping.
 */

/*@{*/

/**
 * @brief Allocation operations may block
 *
 * If memory is not immediately available, the allocation routine
 * will block (typically sleeping) until memory is available.
 *
 * @warning Inappropriate use of this flag may cause kernel panics.
 */
#define MAC_WAITOK      0

/**
 * @brief Allocation operations may not block
 *
 * Rather than blocking, the allocator may return an error if memory
 * is not immediately available. This type of allocation will not
 * sleep, preserving locking semantics.
 */
#define MAC_NOWAIT      1

/*@}*/

#endif /* !_SECURITY_MAC_POLICY_H_ */