1#include <sys/param.h> 2#include <sys/systm.h> /* XXX printf() */ 3 4#include <sys/types.h> 5#include <sys/fcntl.h> 6#include <sys/file.h> 7#include <sys/kauth.h> 8#include <sys/mount.h> 9#include <sys/msg.h> 10#include <sys/proc.h> 11#include <sys/socketvar.h> 12#include <sys/vnode.h> 13#include <security/mac.h> 14#include <security/mac_policy.h> 15 16#include <libkern/OSDebug.h> /* OSBPrintBacktrace */ 17 18 19/* forward declaration; see bsd_init.c */ 20errno_t check_policy_init(int); 21int get_thread_lock_count(thread_t th); /* forced forward */ 22 23/* 24 * Policy flags used when the policy is enabled 25 * 26 * Note: CHECK_POLICY_CHECK is probably not very useful unless you 27 * are kernel debugging and set a breakpoint. 28 */ 29#define CHECK_POLICY_CHECK 0x00000001 /* Check on calls */ 30#define CHECK_POLICY_FAIL 0x00000002 /* EPERM on fails */ 31#define CHECK_POLICY_BACKTRACE 0x00000004 /* Show call stack on fails */ 32#define CHECK_POLICY_PANIC 0x00000008 /* Panic on fails */ 33#define CHECK_POLICY_PERIODIC 0x00000010 /* Show fails periodically */ 34 35static int policy_flags = 0; 36 37 38#define CHECK_SET_INT_HOOK(x) .mpo_##x = (mpo_##x##_t *)common_int_hook, 39#define CHECK_SET_VOID_HOOK(x) .mpo_##x = (mpo_##x##_t *)common_void_hook, 40 41 42/* 43 * Init; currently, we only print our arrival notice. 44 */ 45static void 46hook_policy_init(struct mac_policy_conf *mpc) 47{ 48 printf("Policy '%s' = '%s' ready\n", mpc->mpc_name, mpc->mpc_fullname); 49} 50 51static void 52hook_policy_initbsd(struct mac_policy_conf *mpc) 53{ 54 /* called with policy_grab_exclusive mutex held; exempt */ 55 printf("hook_policy_initbsd: %s\n", mpc->mpc_name); 56} 57 58 59/* Implementation */ 60#define CLASS_PERIOD_LIMIT 10000 61#define CLASS_PERIOD_MULT 20 62 63static int policy_check_event = 1; 64static int policy_check_period = 1; 65static int policy_check_next = CLASS_PERIOD_MULT; 66 67 68static int 69common_int_hook(void) 70{ 71 int i; 72 int rv = 0; 73 74 if ((i = get_thread_lock_count(current_thread())) != 0) { 75 /* 76 * fail the MACF check if we hold a lock; this assumes a 77 * a non-void (authorization) MACF hook. 78 */ 79 if (policy_flags & CHECK_POLICY_FAIL) 80 rv = EPERM; 81 82 /* 83 * display a backtrace if we hold a lock and we are not 84 * going to panic 85 */ 86 if ((policy_flags & (CHECK_POLICY_BACKTRACE | CHECK_POLICY_PANIC)) == CHECK_POLICY_BACKTRACE) { 87 if (policy_flags & CHECK_POLICY_PERIODIC) { 88 /* at exponentially increasing intervals */ 89 if (!(policy_check_event % policy_check_period)) { 90 if (policy_check_event <= policy_check_next || policy_check_period == CLASS_PERIOD_LIMIT) { 91 /* 92 * According to Derek, we could 93 * technically get a symbolicated name 94 * here, if we refactered some code 95 * and set the "keepsyms=1" boot 96 * argument... 97 */ 98 OSReportWithBacktrace("calling MACF hook with mutex count %d (event %d) ", i, policy_check_event); 99 } 100 } else { 101 if (policy_check_period < CLASS_PERIOD_LIMIT) { 102 policy_check_next *= CLASS_PERIOD_MULT; 103 policy_check_period *= CLASS_PERIOD_MULT; 104 } 105 } 106 } else { 107 /* always */ 108 OSReportWithBacktrace("calling MACF hook with mutex count %d (event %d) ", i, policy_check_event); 109 } 110 } 111 112 /* Panic */ 113 if (policy_flags & CHECK_POLICY_PANIC) 114 panic("calling MACF hook with mutex count %d\n", i); 115 116 /* count for non-fatal tracing */ 117 policy_check_event++; 118 } 119 120 return rv; 121} 122 123static void 124common_void_hook(void) 125{ 126 (void)common_int_hook(); 127 128 return; 129} 130 131 132/* 133 * Policy hooks; one per possible hook 134 */ 135static struct mac_policy_ops policy_ops = { 136 137 /* separate init */ 138 .mpo_policy_init = hook_policy_init, 139 .mpo_policy_initbsd = hook_policy_initbsd, 140 141 /* operations which return int */ 142 CHECK_SET_INT_HOOK(audit_check_postselect) 143 CHECK_SET_INT_HOOK(audit_check_preselect) 144 CHECK_SET_INT_HOOK(bpfdesc_check_receive) 145 CHECK_SET_INT_HOOK(cred_check_label_update_execve) 146 CHECK_SET_INT_HOOK(cred_check_label_update) 147 CHECK_SET_INT_HOOK(cred_check_visible) 148 CHECK_SET_INT_HOOK(cred_label_externalize_audit) 149 CHECK_SET_INT_HOOK(cred_label_externalize) 150 CHECK_SET_INT_HOOK(cred_label_internalize) 151 CHECK_SET_INT_HOOK(file_check_change_offset) 152 CHECK_SET_INT_HOOK(file_check_create) 153 CHECK_SET_INT_HOOK(file_check_dup) 154 CHECK_SET_INT_HOOK(file_check_fcntl) 155 CHECK_SET_INT_HOOK(file_check_get) 156 CHECK_SET_INT_HOOK(file_check_get_offset) 157 CHECK_SET_INT_HOOK(file_check_inherit) 158 CHECK_SET_INT_HOOK(file_check_ioctl) 159 CHECK_SET_INT_HOOK(file_check_lock) 160 CHECK_SET_INT_HOOK(file_check_mmap) 161 CHECK_SET_INT_HOOK(file_check_receive) 162 CHECK_SET_INT_HOOK(file_check_set) 163 CHECK_SET_INT_HOOK(ifnet_check_label_update) 164 CHECK_SET_INT_HOOK(ifnet_check_transmit) 165 CHECK_SET_INT_HOOK(ifnet_label_externalize) 166 CHECK_SET_INT_HOOK(ifnet_label_internalize) 167 CHECK_SET_INT_HOOK(inpcb_check_deliver) 168 CHECK_SET_INT_HOOK(inpcb_label_init) 169 CHECK_SET_INT_HOOK(iokit_check_device) 170 CHECK_SET_INT_HOOK(iokit_check_open) 171 CHECK_SET_INT_HOOK(iokit_check_set_properties) 172 CHECK_SET_INT_HOOK(iokit_check_hid_control) 173 CHECK_SET_INT_HOOK(ipq_label_compare) 174 CHECK_SET_INT_HOOK(ipq_label_init) 175 CHECK_SET_INT_HOOK(lctx_check_label_update) 176 CHECK_SET_INT_HOOK(lctx_label_externalize) 177 CHECK_SET_INT_HOOK(lctx_label_internalize) 178 CHECK_SET_INT_HOOK(mbuf_label_init) 179 CHECK_SET_INT_HOOK(mount_check_fsctl) 180 CHECK_SET_INT_HOOK(mount_check_getattr) 181 CHECK_SET_INT_HOOK(mount_check_label_update) 182 CHECK_SET_INT_HOOK(mount_check_mount) 183 CHECK_SET_INT_HOOK(mount_check_remount) 184 CHECK_SET_INT_HOOK(mount_check_setattr) 185 CHECK_SET_INT_HOOK(mount_check_stat) 186 CHECK_SET_INT_HOOK(mount_check_umount) 187 CHECK_SET_INT_HOOK(mount_label_externalize) 188 CHECK_SET_INT_HOOK(mount_label_internalize) 189 CHECK_SET_INT_HOOK(pipe_check_ioctl) 190 CHECK_SET_INT_HOOK(pipe_check_kqfilter) 191 CHECK_SET_INT_HOOK(pipe_check_label_update) 192 CHECK_SET_INT_HOOK(pipe_check_read) 193 CHECK_SET_INT_HOOK(pipe_check_select) 194 CHECK_SET_INT_HOOK(pipe_check_stat) 195 CHECK_SET_INT_HOOK(pipe_check_write) 196 CHECK_SET_INT_HOOK(pipe_label_externalize) 197 CHECK_SET_INT_HOOK(pipe_label_internalize) 198 CHECK_SET_INT_HOOK(policy_syscall) 199 CHECK_SET_INT_HOOK(port_check_copy_send) 200 CHECK_SET_INT_HOOK(port_check_hold_receive) 201 CHECK_SET_INT_HOOK(port_check_hold_send_once) 202 CHECK_SET_INT_HOOK(port_check_hold_send) 203 CHECK_SET_INT_HOOK(port_check_label_update) 204 CHECK_SET_INT_HOOK(port_check_make_send_once) 205 CHECK_SET_INT_HOOK(port_check_make_send) 206 CHECK_SET_INT_HOOK(port_check_method) 207 CHECK_SET_INT_HOOK(port_check_move_receive) 208 CHECK_SET_INT_HOOK(port_check_move_send_once) 209 CHECK_SET_INT_HOOK(port_check_move_send) 210 CHECK_SET_INT_HOOK(port_check_receive) 211 CHECK_SET_INT_HOOK(port_check_send) 212 CHECK_SET_INT_HOOK(port_check_service) 213 CHECK_SET_INT_HOOK(port_label_compute) 214 CHECK_SET_INT_HOOK(posixsem_check_create) 215 CHECK_SET_INT_HOOK(posixsem_check_open) 216 CHECK_SET_INT_HOOK(posixsem_check_post) 217 CHECK_SET_INT_HOOK(posixsem_check_unlink) 218 CHECK_SET_INT_HOOK(posixsem_check_wait) 219 CHECK_SET_INT_HOOK(posixshm_check_create) 220 CHECK_SET_INT_HOOK(posixshm_check_mmap) 221 CHECK_SET_INT_HOOK(posixshm_check_open) 222 CHECK_SET_INT_HOOK(posixshm_check_stat) 223 CHECK_SET_INT_HOOK(posixshm_check_truncate) 224 CHECK_SET_INT_HOOK(posixshm_check_unlink) 225 CHECK_SET_INT_HOOK(priv_check) 226 /* relative ordinal location of "priv_grant" */ 227 CHECK_SET_INT_HOOK(proc_check_debug) 228 CHECK_SET_INT_HOOK(proc_check_fork) 229 CHECK_SET_INT_HOOK(proc_check_getaudit) 230 CHECK_SET_INT_HOOK(proc_check_getauid) 231 CHECK_SET_INT_HOOK(proc_check_getlcid) 232 CHECK_SET_INT_HOOK(proc_check_ledger) 233 CHECK_SET_INT_HOOK(proc_check_map_anon) 234 CHECK_SET_INT_HOOK(proc_check_mprotect) 235 CHECK_SET_INT_HOOK(proc_check_sched) 236 CHECK_SET_INT_HOOK(proc_check_setaudit) 237 CHECK_SET_INT_HOOK(proc_check_setauid) 238 CHECK_SET_INT_HOOK(proc_check_setlcid) 239 CHECK_SET_INT_HOOK(proc_check_signal) 240 CHECK_SET_INT_HOOK(proc_check_suspend_resume) 241 CHECK_SET_INT_HOOK(proc_check_wait) 242 CHECK_SET_INT_HOOK(socket_check_accept) 243 CHECK_SET_INT_HOOK(socket_check_accepted) 244 CHECK_SET_INT_HOOK(socket_check_bind) 245 CHECK_SET_INT_HOOK(socket_check_connect) 246 CHECK_SET_INT_HOOK(socket_check_create) 247 CHECK_SET_INT_HOOK(socket_check_deliver) 248 CHECK_SET_INT_HOOK(socket_check_kqfilter) 249 CHECK_SET_INT_HOOK(socket_check_label_update) 250 CHECK_SET_INT_HOOK(socket_check_listen) 251 CHECK_SET_INT_HOOK(socket_check_receive) 252 CHECK_SET_INT_HOOK(socket_check_received) 253 CHECK_SET_INT_HOOK(socket_check_select) 254 CHECK_SET_INT_HOOK(socket_check_send) 255 CHECK_SET_INT_HOOK(socket_check_stat) 256 CHECK_SET_INT_HOOK(socket_check_setsockopt) 257 CHECK_SET_INT_HOOK(socket_check_getsockopt) 258 CHECK_SET_INT_HOOK(socket_label_externalize) 259 CHECK_SET_INT_HOOK(socket_label_init) 260 CHECK_SET_INT_HOOK(socket_label_internalize) 261 CHECK_SET_INT_HOOK(socketpeer_label_externalize) 262 CHECK_SET_INT_HOOK(socketpeer_label_init) 263 CHECK_SET_INT_HOOK(system_check_acct) 264 CHECK_SET_INT_HOOK(system_check_audit) 265 CHECK_SET_INT_HOOK(system_check_auditctl) 266 CHECK_SET_INT_HOOK(system_check_auditon) 267 CHECK_SET_INT_HOOK(system_check_chud) 268 CHECK_SET_INT_HOOK(system_check_host_priv) 269 CHECK_SET_INT_HOOK(system_check_nfsd) 270 CHECK_SET_INT_HOOK(system_check_reboot) 271 CHECK_SET_INT_HOOK(system_check_settime) 272 CHECK_SET_INT_HOOK(system_check_swapoff) 273 CHECK_SET_INT_HOOK(system_check_swapon) 274 CHECK_SET_INT_HOOK(system_check_sysctl) 275 CHECK_SET_INT_HOOK(system_check_kas_info) 276 CHECK_SET_INT_HOOK(sysvmsq_check_enqueue) 277 CHECK_SET_INT_HOOK(sysvmsq_check_msgrcv) 278 CHECK_SET_INT_HOOK(sysvmsq_check_msgrmid) 279 CHECK_SET_INT_HOOK(sysvmsq_check_msqctl) 280 CHECK_SET_INT_HOOK(sysvmsq_check_msqget) 281 CHECK_SET_INT_HOOK(sysvmsq_check_msqrcv) 282 CHECK_SET_INT_HOOK(sysvmsq_check_msqsnd) 283 CHECK_SET_INT_HOOK(sysvsem_check_semctl) 284 CHECK_SET_INT_HOOK(sysvsem_check_semget) 285 CHECK_SET_INT_HOOK(sysvsem_check_semop) 286 CHECK_SET_INT_HOOK(sysvshm_check_shmat) 287 CHECK_SET_INT_HOOK(sysvshm_check_shmctl) 288 CHECK_SET_INT_HOOK(sysvshm_check_shmdt) 289 CHECK_SET_INT_HOOK(sysvshm_check_shmget) 290 CHECK_SET_INT_HOOK(proc_check_get_task_name) 291 CHECK_SET_INT_HOOK(proc_check_get_task) 292 CHECK_SET_INT_HOOK(task_label_externalize) 293 CHECK_SET_INT_HOOK(task_label_internalize) 294 CHECK_SET_INT_HOOK(vnode_check_access) 295 CHECK_SET_INT_HOOK(vnode_check_chdir) 296 CHECK_SET_INT_HOOK(vnode_check_chroot) 297 CHECK_SET_INT_HOOK(vnode_check_create) 298 CHECK_SET_INT_HOOK(vnode_check_deleteextattr) 299 CHECK_SET_INT_HOOK(vnode_check_exchangedata) 300 CHECK_SET_INT_HOOK(vnode_check_exec) 301 CHECK_SET_INT_HOOK(vnode_check_fsgetpath) 302 CHECK_SET_INT_HOOK(vnode_check_signature) 303 CHECK_SET_INT_HOOK(vnode_check_getattrlist) 304 CHECK_SET_INT_HOOK(vnode_check_getextattr) 305 CHECK_SET_INT_HOOK(vnode_check_ioctl) 306 CHECK_SET_INT_HOOK(vnode_check_kqfilter) 307 CHECK_SET_INT_HOOK(vnode_check_label_update) 308 CHECK_SET_INT_HOOK(vnode_check_link) 309 CHECK_SET_INT_HOOK(vnode_check_listextattr) 310 CHECK_SET_INT_HOOK(vnode_check_lookup) 311 CHECK_SET_INT_HOOK(vnode_check_open) 312 CHECK_SET_INT_HOOK(vnode_check_read) 313 CHECK_SET_INT_HOOK(vnode_check_readdir) 314 CHECK_SET_INT_HOOK(vnode_check_readlink) 315 CHECK_SET_INT_HOOK(vnode_check_rename_from) 316 CHECK_SET_INT_HOOK(vnode_check_rename_to) 317 CHECK_SET_INT_HOOK(vnode_check_revoke) 318 CHECK_SET_INT_HOOK(vnode_check_searchfs) 319 CHECK_SET_INT_HOOK(vnode_check_select) 320 CHECK_SET_INT_HOOK(vnode_check_setattrlist) 321 CHECK_SET_INT_HOOK(vnode_check_setextattr) 322 CHECK_SET_INT_HOOK(vnode_check_setflags) 323 CHECK_SET_INT_HOOK(vnode_check_setmode) 324 CHECK_SET_INT_HOOK(vnode_check_setowner) 325 CHECK_SET_INT_HOOK(vnode_check_setutimes) 326 CHECK_SET_INT_HOOK(vnode_check_stat) 327 CHECK_SET_INT_HOOK(vnode_check_truncate) 328 CHECK_SET_INT_HOOK(vnode_check_uipc_bind) 329 CHECK_SET_INT_HOOK(vnode_check_uipc_connect) 330 CHECK_SET_INT_HOOK(vnode_check_unlink) 331 CHECK_SET_INT_HOOK(vnode_check_write) 332 CHECK_SET_INT_HOOK(vnode_label_associate_extattr) 333 CHECK_SET_INT_HOOK(vnode_label_externalize_audit) 334 CHECK_SET_INT_HOOK(vnode_label_externalize) 335 CHECK_SET_INT_HOOK(vnode_label_internalize) 336 CHECK_SET_INT_HOOK(vnode_label_store) 337 CHECK_SET_INT_HOOK(vnode_label_update_extattr) 338 CHECK_SET_INT_HOOK(vnode_notify_create) 339 340 /* operations which return void */ 341 CHECK_SET_VOID_HOOK(bpfdesc_label_init) 342 CHECK_SET_VOID_HOOK(bpfdesc_label_destroy) 343 CHECK_SET_VOID_HOOK(bpfdesc_label_associate) 344 CHECK_SET_VOID_HOOK(cred_label_associate_fork) 345 CHECK_SET_VOID_HOOK(cred_label_associate_kernel) 346 CHECK_SET_VOID_HOOK(cred_label_associate) 347 CHECK_SET_VOID_HOOK(cred_label_associate_user) 348 CHECK_SET_VOID_HOOK(cred_label_destroy) 349 CHECK_SET_VOID_HOOK(cred_label_init) 350 CHECK_SET_VOID_HOOK(cred_label_update_execve) 351 CHECK_SET_VOID_HOOK(cred_label_update) 352 CHECK_SET_VOID_HOOK(devfs_label_associate_device) 353 CHECK_SET_VOID_HOOK(devfs_label_associate_directory) 354 CHECK_SET_VOID_HOOK(devfs_label_copy) 355 CHECK_SET_VOID_HOOK(devfs_label_destroy) 356 CHECK_SET_VOID_HOOK(devfs_label_init) 357 CHECK_SET_VOID_HOOK(devfs_label_update) 358 CHECK_SET_VOID_HOOK(file_check_mmap_downgrade) 359 CHECK_SET_VOID_HOOK(file_label_associate) 360 CHECK_SET_VOID_HOOK(file_label_destroy) 361 CHECK_SET_VOID_HOOK(file_label_init) 362 CHECK_SET_VOID_HOOK(ifnet_label_associate) 363 CHECK_SET_VOID_HOOK(ifnet_label_copy) 364 CHECK_SET_VOID_HOOK(ifnet_label_destroy) 365 CHECK_SET_VOID_HOOK(ifnet_label_init) 366 CHECK_SET_VOID_HOOK(ifnet_label_recycle) 367 CHECK_SET_VOID_HOOK(ifnet_label_update) 368 CHECK_SET_VOID_HOOK(inpcb_label_associate) 369 CHECK_SET_VOID_HOOK(inpcb_label_destroy) 370 CHECK_SET_VOID_HOOK(inpcb_label_recycle) 371 CHECK_SET_VOID_HOOK(inpcb_label_update) 372 CHECK_SET_VOID_HOOK(ipq_label_associate) 373 CHECK_SET_VOID_HOOK(ipq_label_destroy) 374 CHECK_SET_VOID_HOOK(ipq_label_update) 375 CHECK_SET_VOID_HOOK(lctx_label_destroy) 376 CHECK_SET_VOID_HOOK(lctx_label_init) 377 CHECK_SET_VOID_HOOK(lctx_label_update) 378 CHECK_SET_VOID_HOOK(lctx_notify_create) 379 CHECK_SET_VOID_HOOK(lctx_notify_join) 380 CHECK_SET_VOID_HOOK(lctx_notify_leave) 381 CHECK_SET_VOID_HOOK(mbuf_label_associate_bpfdesc) 382 CHECK_SET_VOID_HOOK(mbuf_label_associate_ifnet) 383 CHECK_SET_VOID_HOOK(mbuf_label_associate_inpcb) 384 CHECK_SET_VOID_HOOK(mbuf_label_associate_ipq) 385 CHECK_SET_VOID_HOOK(mbuf_label_associate_linklayer) 386 CHECK_SET_VOID_HOOK(mbuf_label_associate_multicast_encap) 387 CHECK_SET_VOID_HOOK(mbuf_label_associate_netlayer) 388 CHECK_SET_VOID_HOOK(mbuf_label_associate_socket) 389 CHECK_SET_VOID_HOOK(mbuf_label_copy) 390 CHECK_SET_VOID_HOOK(mbuf_label_destroy) 391 CHECK_SET_VOID_HOOK(mount_label_associate) 392 CHECK_SET_VOID_HOOK(mount_label_destroy) 393 CHECK_SET_VOID_HOOK(mount_label_init) 394 CHECK_SET_VOID_HOOK(netinet_fragment) 395 CHECK_SET_VOID_HOOK(netinet_icmp_reply) 396 CHECK_SET_VOID_HOOK(netinet_tcp_reply) 397 CHECK_SET_VOID_HOOK(pipe_label_associate) 398 CHECK_SET_VOID_HOOK(pipe_label_copy) 399 CHECK_SET_VOID_HOOK(pipe_label_destroy) 400 CHECK_SET_VOID_HOOK(pipe_label_init) 401 CHECK_SET_VOID_HOOK(pipe_label_update) 402 CHECK_SET_VOID_HOOK(policy_destroy) 403 /* relative ordinal location of "policy_init" */ 404 /* relative ordinal location of "policy_initbsd" */ 405 CHECK_SET_VOID_HOOK(port_label_associate_kernel) 406 CHECK_SET_VOID_HOOK(port_label_associate) 407 CHECK_SET_VOID_HOOK(port_label_copy) 408 CHECK_SET_VOID_HOOK(port_label_destroy) 409 CHECK_SET_VOID_HOOK(port_label_init) 410 CHECK_SET_VOID_HOOK(port_label_update_cred) 411 CHECK_SET_VOID_HOOK(port_label_update_kobject) 412 CHECK_SET_VOID_HOOK(posixsem_label_associate) 413 CHECK_SET_VOID_HOOK(posixsem_label_destroy) 414 CHECK_SET_VOID_HOOK(posixsem_label_init) 415 CHECK_SET_VOID_HOOK(posixshm_label_associate) 416 CHECK_SET_VOID_HOOK(posixshm_label_destroy) 417 CHECK_SET_VOID_HOOK(posixshm_label_init) 418 CHECK_SET_VOID_HOOK(proc_label_destroy) 419 CHECK_SET_VOID_HOOK(proc_label_init) 420 CHECK_SET_VOID_HOOK(socket_label_associate_accept) 421 CHECK_SET_VOID_HOOK(socket_label_associate) 422 CHECK_SET_VOID_HOOK(socket_label_copy) 423 CHECK_SET_VOID_HOOK(socket_label_destroy) 424 CHECK_SET_VOID_HOOK(socket_label_update) 425 CHECK_SET_VOID_HOOK(socketpeer_label_associate_mbuf) 426 CHECK_SET_VOID_HOOK(socketpeer_label_associate_socket) 427 CHECK_SET_VOID_HOOK(socketpeer_label_destroy) 428 CHECK_SET_VOID_HOOK(sysvmsg_label_associate) 429 CHECK_SET_VOID_HOOK(sysvmsg_label_destroy) 430 CHECK_SET_VOID_HOOK(sysvmsg_label_init) 431 CHECK_SET_VOID_HOOK(sysvmsg_label_recycle) 432 CHECK_SET_VOID_HOOK(sysvmsq_label_associate) 433 CHECK_SET_VOID_HOOK(sysvmsq_label_destroy) 434 CHECK_SET_VOID_HOOK(sysvmsq_label_init) 435 CHECK_SET_VOID_HOOK(sysvmsq_label_recycle) 436 CHECK_SET_VOID_HOOK(sysvsem_label_associate) 437 CHECK_SET_VOID_HOOK(sysvsem_label_destroy) 438 CHECK_SET_VOID_HOOK(sysvsem_label_init) 439 CHECK_SET_VOID_HOOK(sysvsem_label_recycle) 440 CHECK_SET_VOID_HOOK(sysvshm_label_associate) 441 CHECK_SET_VOID_HOOK(sysvshm_label_destroy) 442 CHECK_SET_VOID_HOOK(sysvshm_label_init) 443 CHECK_SET_VOID_HOOK(sysvshm_label_recycle) 444 CHECK_SET_VOID_HOOK(task_label_associate_kernel) 445 CHECK_SET_VOID_HOOK(task_label_associate) 446 CHECK_SET_VOID_HOOK(task_label_copy) 447 CHECK_SET_VOID_HOOK(task_label_destroy) 448 CHECK_SET_VOID_HOOK(task_label_init) 449 CHECK_SET_VOID_HOOK(task_label_update) 450 CHECK_SET_VOID_HOOK(vnode_label_associate_devfs) 451 CHECK_SET_VOID_HOOK(vnode_label_associate_file) 452 CHECK_SET_VOID_HOOK(thread_userret) 453 CHECK_SET_VOID_HOOK(vnode_label_associate_posixsem) 454 CHECK_SET_VOID_HOOK(vnode_label_associate_posixshm) 455 CHECK_SET_VOID_HOOK(vnode_label_associate_singlelabel) 456 CHECK_SET_VOID_HOOK(vnode_label_associate_socket) 457 CHECK_SET_VOID_HOOK(vnode_label_copy) 458 CHECK_SET_VOID_HOOK(vnode_label_destroy) 459 CHECK_SET_VOID_HOOK(vnode_label_init) 460 CHECK_SET_VOID_HOOK(vnode_label_recycle) 461 CHECK_SET_VOID_HOOK(vnode_label_update) 462 CHECK_SET_VOID_HOOK(vnode_notify_rename) 463 CHECK_SET_VOID_HOOK(thread_label_init) 464 CHECK_SET_VOID_HOOK(thread_label_destroy) 465 .mpo_reserved18 = common_void_hook, 466 CHECK_SET_VOID_HOOK(vnode_notify_open) 467 .mpo_reserved20 = common_void_hook, 468 .mpo_reserved21 = common_void_hook, 469 .mpo_reserved22 = common_void_hook, 470 .mpo_reserved23 = common_void_hook, 471 .mpo_reserved24 = common_void_hook, 472 .mpo_reserved25 = common_void_hook, 473 .mpo_reserved26 = common_void_hook, 474 .mpo_reserved27 = common_void_hook, 475 .mpo_reserved28 = common_void_hook, 476 .mpo_reserved29 = common_void_hook, 477}; 478 479/* 480 * Policy definition 481 */ 482static struct mac_policy_conf policy_conf = { 483 .mpc_name = "CHECK", 484 .mpc_fullname = "Check Assumptions Policy", 485 .mpc_field_off = NULL, /* no label slot */ 486 .mpc_labelnames = NULL, /* no policy label names */ 487 .mpc_labelname_count = 0, /* count of label names is 0 */ 488 .mpc_ops = &policy_ops, /* policy operations */ 489 .mpc_loadtime_flags = 0, 490 .mpc_runtime_flags = 0, 491}; 492 493static mac_policy_handle_t policy_handle; 494 495/* 496 * Init routine; for a loadable policy, this would be called during the KEXT 497 * initialization; we're going to call this from bsd_init() if the boot 498 * argument for checking is present. 499 */ 500errno_t 501check_policy_init(int flags) 502{ 503 /* Only instantiate the module if we have been asked to do checking */ 504 if (!flags) 505 return 0; 506 507 policy_flags = flags; 508 509 return mac_policy_register(&policy_conf, &policy_handle, NULL); 510} 511