1/* 2 * Copyright (c) 2007-2010 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28/*- 29 * Copyright (c) 1999-2002 Robert N. M. Watson 30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 31 * Copyright (c) 2005-2007 SPARTA, Inc. 32 * All rights reserved. 33 * 34 * This software was developed by Robert Watson for the TrustedBSD Project. 35 * 36 * This software was developed for the FreeBSD Project in part by Network 37 * Associates Laboratories, the Security Research Division of Network 38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 39 * as part of the DARPA CHATS research program. 40 * 41 * This software was enhanced by SPARTA ISSO under SPAWAR contract 42 * N66001-04-C-6019 ("SEFOS"). 43 * 44 * Redistribution and use in source and binary forms, with or without 45 * modification, are permitted provided that the following conditions 46 * are met: 47 * 1. Redistributions of source code must retain the above copyright 48 * notice, this list of conditions and the following disclaimer. 49 * 2. Redistributions in binary form must reproduce the above copyright 50 * notice, this list of conditions and the following disclaimer in the 51 * documentation and/or other materials provided with the distribution. 52 * 53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 63 * SUCH DAMAGE. 64 * 65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $ 66 */ 67 68/** 69 @file mac_policy.h 70 @brief Kernel Interfaces for MAC policy modules 71 72 This header defines the list of operations that are defined by the 73 TrustedBSD MAC Framwork on Darwin. MAC Policy modules register 74 with the framework to declare interest in a specific set of 75 operations. If interest in an entry point is not declared, then 76 the policy will be ignored when the Framework evaluates that entry 77 point. 78*/ 79 80#ifndef _SECURITY_MAC_POLICY_H_ 81#define _SECURITY_MAC_POLICY_H_ 82 83#ifndef PRIVATE 84#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version" 85#endif 86 87#include <security/_label.h> 88 89struct attrlist; 90struct auditinfo; 91struct bpf_d; 92struct devnode; 93struct fileglob; 94struct ifnet; 95struct inpcb; 96struct ipq; 97struct label; 98struct lctx; 99struct mac_module_data; 100struct mac_policy_conf; 101struct mbuf; 102struct mount; 103struct msg; 104struct msqid_kernel; 105struct pipe; 106struct pseminfo; 107struct pshminfo; 108struct sbuf; 109struct semid_kernel; 110struct shmid_kernel; 111struct socket; 112struct sockopt; 113struct task; 114struct thread; 115struct tty; 116struct ucred; 117struct vfs_attr; 118struct vnode; 119/** @struct dummy */ 120 121 122 123#ifndef _KAUTH_CRED_T 124#define _KAUTH_CRED_T 125typedef struct ucred *kauth_cred_t; 126#endif /* !_KAUTH_CRED_T */ 127 128#ifndef __IOKIT_PORTS_DEFINED__ 129#define __IOKIT_PORTS_DEFINED__ 130#ifdef __cplusplus 131class OSObject; 132typedef OSObject *io_object_t; 133#else 134struct OSObject; 135typedef struct OSObject *io_object_t; 136#endif 137#endif /* __IOKIT_PORTS_DEFINED__ */ 138 139/*- 140 * MAC entry points are generally named using the following template: 141 * 142 * mpo_<object>_<operation>() 143 * 144 * or: 145 * 146 * mpo_<object>_check_<operation>() 147 * 148 * Entry points are sorted by object type. 149 * 150 * It may be desirable also to consider some subsystems as "objects", such 151 * as system, iokit, etc. 152 */ 153 154/** 155 @name Entry Points for Label Management 156 157 These are the entry points corresponding to the life cycle events for 158 kernel objects, such as initialization, creation, and destruction. 159 160 Most policies (that use labels) will initialize labels by allocating 161 space for policy-specific data. In most cases, it is permitted to 162 sleep during label initialization operations; it will be noted when 163 it is not permitted. 164 165 Initialization usually will not require doing more than allocating a 166 generic label for the given object. What follows initialization is 167 creation, where a label is made specific to the object it is associated 168 with. Destruction occurs when the label is no longer needed, such as 169 when the corresponding object is destroyed. All necessary cleanup should 170 be performed in label destroy operations. 171 172 Where possible, the label entry points have identical parameters. If 173 the policy module does not require structure-specific label 174 information, the same function may be registered in the policy 175 operation vector. Many policies will implement two such generic 176 allocation calls: one to handle sleepable requests, and one to handle 177 potentially non-sleepable requests. 178*/ 179 180 181/** 182 @brief Audit event postselection 183 @param cred Subject credential 184 @param syscode Syscall number 185 @param args Syscall arguments 186 @param error Syscall errno 187 @param retval Syscall return value 188 189 This is the MAC Framework audit postselect, which is called before 190 exiting a syscall to determine if an audit event should be committed. 191 A return value of MAC_AUDIT_NO forces the audit record to be suppressed. 192 Any other return value results in the audit record being committed. 193 194 @warning The suppression behavior will probably go away in Apple's 195 future version of the audit implementation. 196 197 @return Return MAC_AUDIT_NO to force suppression of the audit record. 198 Any other value results in the audit record being committed. 199 200*/ 201typedef int mpo_audit_check_postselect_t( 202 kauth_cred_t cred, 203 unsigned short syscode, 204 void *args, 205 int error, 206 int retval 207); 208/** 209 @brief Audit event preselection 210 @param cred Subject credential 211 @param syscode Syscall number 212 @param args Syscall arguments 213 214 This is the MAC Framework audit preselect, which is called before a 215 syscall is entered to determine if an audit event should be created. 216 If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be 217 returned. A return value of MAC_AUDIT_NO causes the audit record to 218 be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants 219 to defer to the system's existing preselection mechanism. 220 221 When policies return different preferences, the Framework decides what action 222 to take based on the following policy. If any policy returns MAC_AUDIT_YES, 223 then create an audit record, else if any policy returns MAC_AUDIT_NO, then 224 suppress the creations of an audit record, else defer to the system's 225 existing preselection mechanism. 226 227 @warning The audit implementation in Apple's current version is 228 incomplete, so the MAC policies have priority over the system's existing 229 mechanisms. This will probably change in the future version where 230 the audit implementation is more complete. 231 232 @return Return MAC_AUDIT_YES to force auditing of the syscall, 233 MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT 234 to allow auditing mechanisms to determine if the syscall is audited. 235 236*/ 237typedef int mpo_audit_check_preselect_t( 238 kauth_cred_t cred, 239 unsigned short syscode, 240 void *args 241); 242/** 243 @brief Initialize BPF descriptor label 244 @param label New label to initialize 245 246 Initialize the label for a newly instantiated BPF descriptor. 247 Sleeping is permitted. 248*/ 249typedef void mpo_bpfdesc_label_init_t( 250 struct label *label 251); 252/** 253 @brief Destroy BPF descriptor label 254 @param label The label to be destroyed 255 256 Destroy a BPF descriptor label. Since the BPF descriptor 257 is going out of scope, policy modules should free any internal 258 storage associated with the label so that it may be destroyed. 259*/ 260typedef void mpo_bpfdesc_label_destroy_t( 261 struct label *label 262); 263/** 264 @brief Associate a BPF descriptor with a label 265 @param cred User credential creating the BPF descriptor 266 @param bpf_d The BPF descriptor 267 @param bpflabel The new label 268 269 Set the label on a newly created BPF descriptor from the passed 270 subject credential. This call will be made when a BPF device node 271 is opened by a process with the passed subject credential. 272*/ 273typedef void mpo_bpfdesc_label_associate_t( 274 kauth_cred_t cred, 275 struct bpf_d *bpf_d, 276 struct label *bpflabel 277); 278/** 279 @brief Check whether BPF can read from a network interface 280 @param bpf_d Subject; the BPF descriptor 281 @param bpflabel Policy label for bpf_d 282 @param ifp Object; the network interface 283 @param ifnetlabel Policy label for ifp 284 285 Determine whether the MAC framework should permit datagrams from 286 the passed network interface to be delivered to the buffers of 287 the passed BPF descriptor. Return (0) for success, or an errno 288 value for failure. Suggested failure: EACCES for label mismatches, 289 EPERM for lack of privilege. 290*/ 291typedef int mpo_bpfdesc_check_receive_t( 292 struct bpf_d *bpf_d, 293 struct label *bpflabel, 294 struct ifnet *ifp, 295 struct label *ifnetlabel 296); 297/** 298 @brief Indicate desire to change the process label at exec time 299 @param old Existing subject credential 300 @param vp File being executed 301 @param offset Offset of binary within file being executed 302 @param scriptvp Script being executed by interpreter, if any. 303 @param vnodelabel Label corresponding to vp 304 @param scriptvnodelabel Script vnode label 305 @param execlabel Userspace provided execution label 306 @param proc Object process 307 @param macpolicyattr MAC policy-specific spawn attribute data 308 @param macpolicyattrlen Length of policy-specific spawn attribute data 309 @see mac_execve 310 @see mpo_cred_label_update_execve_t 311 @see mpo_vnode_check_exec_t 312 313 Indicate whether this policy intends to update the label of a newly 314 created credential from the existing subject credential (old). This 315 call occurs when a process executes the passed vnode. If a policy 316 returns success from this entry point, the mpo_cred_label_update_execve 317 entry point will later be called with the same parameters. Access 318 has already been checked via the mpo_vnode_check_exec entry point, 319 this entry point is necessary to preserve kernel locking constraints 320 during program execution. 321 322 The supplied vnode and vnodelabel correspond with the file actually 323 being executed; in the case that the file is interpreted (for 324 example, a script), the label of the original exec-time vnode has 325 been preserved in scriptvnodelabel. 326 327 The final label, execlabel, corresponds to a label supplied by a 328 user space application through the use of the mac_execve system call. 329 330 The vnode lock is held during this operation. No changes should be 331 made to the old credential structure. 332 333 @warning Even if a policy returns 0, it should behave correctly in 334 the presence of an invocation of mpo_cred_label_update_execve, as that 335 call may happen as a result of another policy requesting a transition. 336 337 @return Non-zero if a transition is required, 0 otherwise. 338*/ 339typedef int mpo_cred_check_label_update_execve_t( 340 kauth_cred_t old, 341 struct vnode *vp, 342 off_t offset, 343 struct vnode *scriptvp, 344 struct label *vnodelabel, 345 struct label *scriptvnodelabel, 346 struct label *execlabel, 347 struct proc *p, 348 void *macpolicyattr, 349 size_t macpolicyattrlen 350); 351/** 352 @brief Access control check for relabelling processes 353 @param cred Subject credential 354 @param newlabel New label to apply to the user credential 355 @see mpo_cred_label_update_t 356 @see mac_set_proc 357 358 Determine whether the subject identified by the credential can relabel 359 itself to the supplied new label (newlabel). This access control check 360 is called when the mac_set_proc system call is invoked. A user space 361 application will supply a new value, the value will be internalized 362 and provided in newlabel. 363 364 @return Return 0 if access is granted, otherwise an appropriate value for 365 errno should be returned. 366*/ 367typedef int mpo_cred_check_label_update_t( 368 kauth_cred_t cred, 369 struct label *newlabel 370); 371/** 372 @brief Access control check for visibility of other subjects 373 @param u1 Subject credential 374 @param u2 Object credential 375 376 Determine whether the subject identified by the credential u1 can 377 "see" other subjects with the passed subject credential u2. This call 378 may be made in a number of situations, including inter-process status 379 sysctls used by ps, and in procfs lookups. 380 381 @return Return 0 if access is granted, otherwise an appropriate value for 382 errno should be returned. Suggested failure: EACCES for label mismatch, 383 EPERM for lack of privilege, or ESRCH to hide visibility. 384*/ 385typedef int mpo_cred_check_visible_t( 386 kauth_cred_t u1, 387 kauth_cred_t u2 388); 389/** 390 @brief Associate a credential with a new process at fork 391 @param cred credential to inherited by new process 392 @param proc the new process 393 394 Allow a process to associate the credential with a new 395 process for reference countng purposes. 396 NOTE: the credential can be dis-associated in ways other 397 than exit - so this strategy is flawed - should just 398 catch label destroy callback. 399*/ 400typedef void mpo_cred_label_associate_fork_t( 401 kauth_cred_t cred, 402 proc_t proc 403); 404/** 405 @brief Create the first process 406 @param cred Subject credential to be labeled 407 408 Create the subject credential of process 0, the parent of all BSD 409 kernel processes. Policies should update the label in the 410 previously initialized credential structure. 411*/ 412typedef void mpo_cred_label_associate_kernel_t( 413 kauth_cred_t cred 414); 415/** 416 @brief Create a credential label 417 @param parent_cred Parent credential 418 @param child_cred Child credential 419 420 Set the label of a newly created credential, most likely using the 421 information in the supplied parent credential. 422 423 @warning This call is made when crcopy or crdup is invoked on a 424 newly created struct ucred, and should not be confused with a 425 process fork or creation event. 426*/ 427typedef void mpo_cred_label_associate_t( 428 kauth_cred_t parent_cred, 429 kauth_cred_t child_cred 430); 431/** 432 @brief Create the first process 433 @param cred Subject credential to be labeled 434 435 Create the subject credential of process 1, the parent of all BSD 436 user processes. Policies should update the label in the previously 437 initialized credential structure. This is the 'init' process. 438*/ 439typedef void mpo_cred_label_associate_user_t( 440 kauth_cred_t cred 441); 442/** 443 @brief Destroy credential label 444 @param label The label to be destroyed 445 446 Destroy a user credential label. Since the user credential 447 is going out of scope, policy modules should free any internal 448 storage associated with the label so that it may be destroyed. 449*/ 450typedef void mpo_cred_label_destroy_t( 451 struct label *label 452); 453/** 454 @brief Externalize a user credential label for auditing 455 @param label Label to be externalized 456 @param element_name Name of the label namespace for which labels should be 457 externalized 458 @param sb String buffer to be filled with a text representation of the label 459 460 Produce an external representation of the label on a user credential for 461 inclusion in an audit record. An externalized label consists of a text 462 representation of the label contents that will be added to the audit record 463 as part of a text token. Policy-agnostic user space tools will display 464 this externalized version. 465 466 @return 0 on success, return non-zero if an error occurs while 467 externalizing the label data. 468 469*/ 470typedef int mpo_cred_label_externalize_audit_t( 471 struct label *label, 472 char *element_name, 473 struct sbuf *sb 474); 475/** 476 @brief Externalize a user credential label 477 @param label Label to be externalized 478 @param element_name Name of the label namespace for which labels should be 479 externalized 480 @param sb String buffer to be filled with a text representation of the label 481 482 Produce an external representation of the label on a user 483 credential. An externalized label consists of a text representation 484 of the label contents that can be used with user applications. 485 Policy-agnostic user space tools will display this externalized 486 version. 487 488 @return 0 on success, return non-zero if an error occurs while 489 externalizing the label data. 490 491*/ 492typedef int mpo_cred_label_externalize_t( 493 struct label *label, 494 char *element_name, 495 struct sbuf *sb 496); 497/** 498 @brief Initialize user credential label 499 @param label New label to initialize 500 501 Initialize the label for a newly instantiated user credential. 502 Sleeping is permitted. 503*/ 504typedef void mpo_cred_label_init_t( 505 struct label *label 506); 507/** 508 @brief Internalize a user credential label 509 @param label Label to be internalized 510 @param element_name Name of the label namespace for which the label should 511 be internalized 512 @param element_data Text data to be internalized 513 514 Produce a user credential label from an external representation. An 515 externalized label consists of a text representation of the label 516 contents that can be used with user applications. Policy-agnostic 517 user space tools will forward text version to the kernel for 518 processing by individual policy modules. 519 520 The policy's internalize entry points will be called only if the 521 policy has registered interest in the label namespace. 522 523 @return 0 on success, Otherwise, return non-zero if an error occurs 524 while internalizing the label data. 525 526*/ 527typedef int mpo_cred_label_internalize_t( 528 struct label *label, 529 char *element_name, 530 char *element_data 531); 532/** 533 @brief Update credential at exec time 534 @param old_cred Existing subject credential 535 @param new_cred New subject credential to be labeled 536 @param p Object process. 537 @param vp File being executed 538 @param offset Offset of binary within file being executed 539 @param scriptvp Script being executed by interpreter, if any. 540 @param vnodelabel Label corresponding to vp 541 @param scriptvnodelabel Script vnode label 542 @param execlabel Userspace provided execution label 543 @param csflags Code signing flags to be set after exec 544 @param macpolicyattr MAC policy-specific spawn attribute data. 545 @param macpolicyattrlen Length of policy-specific spawn attribute data. 546 @see mac_execve 547 @see mpo_cred_check_label_update_execve_t 548 @see mpo_vnode_check_exec_t 549 550 Update the label of a newly created credential (new) from the 551 existing subject credential (old). This call occurs when a process 552 executes the passed vnode and one of the loaded policy modules has 553 returned success from the mpo_cred_check_label_update_execve entry point. 554 Access has already been checked via the mpo_vnode_check_exec entry 555 point, this entry point is only used to update any policy state. 556 557 The supplied vnode and vnodelabel correspond with the file actually 558 being executed; in the case that the file is interpreted (for 559 example, a script), the label of the original exec-time vnode has 560 been preserved in scriptvnodelabel. 561 562 The final label, execlabel, corresponds to a label supplied by a 563 user space application through the use of the mac_execve system call. 564 565 If non-NULL, the value pointed to by disjointp will be set to 0 to 566 indicate that the old and new credentials are not disjoint, or 1 to 567 indicate that they are. 568 569 The vnode lock is held during this operation. No changes should be 570 made to the old credential structure. 571 @return 0 on success, Otherwise, return non-zero if update results in 572 termination of child. 573*/ 574typedef int mpo_cred_label_update_execve_t( 575 kauth_cred_t old_cred, 576 kauth_cred_t new_cred, 577 struct proc *p, 578 struct vnode *vp, 579 off_t offset, 580 struct vnode *scriptvp, 581 struct label *vnodelabel, 582 struct label *scriptvnodelabel, 583 struct label *execlabel, 584 u_int *csflags, 585 void *macpolicyattr, 586 size_t macpolicyattrlen, 587 int *disjointp 588); 589/** 590 @brief Update a credential label 591 @param cred The existing credential 592 @param newlabel A new label to apply to the credential 593 @see mpo_cred_check_label_update_t 594 @see mac_set_proc 595 596 Update the label on a user credential, using the supplied new label. 597 This is called as a result of a process relabel operation. Access 598 control was already confirmed by mpo_cred_check_label_update. 599*/ 600typedef void mpo_cred_label_update_t( 601 kauth_cred_t cred, 602 struct label *newlabel 603); 604/** 605 @brief Create a new devfs device 606 @param dev Major and minor numbers of special file 607 @param de "inode" of new device file 608 @param label Destination label 609 @param fullpath Path relative to mount (e.g. /dev) of new device file 610 611 This entry point labels a new devfs device. The label will likely be based 612 on the path to the device, or the major and minor numbers. 613 The policy should store an appropriate label into 'label'. 614*/ 615typedef void mpo_devfs_label_associate_device_t( 616 dev_t dev, 617 struct devnode *de, 618 struct label *label, 619 const char *fullpath 620); 621/** 622 @brief Create a new devfs directory 623 @param dirname Name of new directory 624 @param dirnamelen Length of 'dirname' 625 @param de "inode" of new directory 626 @param label Destination label 627 @param fullpath Path relative to mount (e.g. /dev) of new directory 628 629 This entry point labels a new devfs directory. The label will likely be 630 based on the path of the new directory. The policy should store an appropriate 631 label into 'label'. The devfs root directory is labelled in this way. 632*/ 633typedef void mpo_devfs_label_associate_directory_t( 634 const char *dirname, 635 int dirnamelen, 636 struct devnode *de, 637 struct label *label, 638 const char *fullpath 639); 640/** 641 @brief Copy a devfs label 642 @param src Source devfs label 643 @param dest Destination devfs label 644 645 Copy the label information from src to dest. The devfs file system 646 often duplicates (splits) existing device nodes rather than creating 647 new ones. 648*/ 649typedef void mpo_devfs_label_copy_t( 650 struct label *src, 651 struct label *dest 652); 653/** 654 @brief Destroy devfs label 655 @param label The label to be destroyed 656 657 Destroy a devfs entry label. Since the object is going out 658 of scope, policy modules should free any internal storage associated 659 with the label so that it may be destroyed. 660*/ 661typedef void mpo_devfs_label_destroy_t( 662 struct label *label 663); 664/** 665 @brief Initialize devfs label 666 @param label New label to initialize 667 668 Initialize the label for a newly instantiated devfs entry. Sleeping 669 is permitted. 670*/ 671typedef void mpo_devfs_label_init_t( 672 struct label *label 673); 674/** 675 @brief Update a devfs label after relabelling its vnode 676 @param mp Devfs mount point 677 @param de Affected devfs directory entry 678 @param delabel Label of devfs directory entry 679 @param vp Vnode associated with de 680 @param vnodelabel New label of vnode 681 682 Update a devfs label when its vnode is manually relabelled, 683 for example with setfmac(1). Typically, this will simply copy 684 the vnode label into the devfs label. 685*/ 686typedef void mpo_devfs_label_update_t( 687 struct mount *mp, 688 struct devnode *de, 689 struct label *delabel, 690 struct vnode *vp, 691 struct label *vnodelabel 692); 693/** 694 @brief Access control for changing the offset of a file descriptor 695 @param cred Subject credential 696 @param fg Fileglob structure 697 @param label Policy label for fg 698 699 Determine whether the subject identified by the credential can 700 change the offset of the file represented by fg. 701 702 @return Return 0 if access if granted, otherwise an appropriate 703 value for errno should be returned. 704*/ 705typedef int mpo_file_check_change_offset_t( 706 kauth_cred_t cred, 707 struct fileglob *fg, 708 struct label *label 709); 710/** 711 @brief Access control for creating a file descriptor 712 @param cred Subject credential 713 714 Determine whether the subject identified by the credential can 715 allocate a new file descriptor. 716 717 @return Return 0 if access if granted, otherwise an appropriate 718 value for errno should be returned. 719*/ 720typedef int mpo_file_check_create_t( 721 kauth_cred_t cred 722); 723/** 724 @brief Access control for duplicating a file descriptor 725 @param cred Subject credential 726 @param fg Fileglob structure 727 @param label Policy label for fg 728 @param newfd New file descriptor number 729 730 Determine whether the subject identified by the credential can 731 duplicate the fileglob structure represented by fg and as file 732 descriptor number newfd. 733 734 @return Return 0 if access if granted, otherwise an appropriate 735 value for errno should be returned. 736*/ 737typedef int mpo_file_check_dup_t( 738 kauth_cred_t cred, 739 struct fileglob *fg, 740 struct label *label, 741 int newfd 742); 743/** 744 @brief Access control check for fcntl 745 @param cred Subject credential 746 @param fg Fileglob structure 747 @param label Policy label for fg 748 @param cmd Control operation to be performed; see fcntl(2) 749 @param arg fcnt arguments; see fcntl(2) 750 751 Determine whether the subject identified by the credential can perform 752 the file control operation indicated by cmd. 753 754 @return Return 0 if access is granted, otherwise an appropriate value for 755 errno should be returned. 756*/ 757typedef int mpo_file_check_fcntl_t( 758 kauth_cred_t cred, 759 struct fileglob *fg, 760 struct label *label, 761 int cmd, 762 user_long_t arg 763); 764/** 765 @brief Access control check for mac_get_fd 766 @param cred Subject credential 767 @param fg Fileglob structure 768 @param elements Element buffer 769 @param len Length of buffer 770 771 Determine whether the subject identified by the credential should be allowed 772 to get an externalized version of the label on the object indicated by fd. 773 774 @return Return 0 if access is granted, otherwise an appropriate value for 775 errno should be returned. 776*/ 777typedef int mpo_file_check_get_t( 778 kauth_cred_t cred, 779 struct fileglob *fg, 780 char *elements, 781 int len 782); 783/** 784 @brief Access control for getting the offset of a file descriptor 785 @param cred Subject credential 786 @param fg Fileglob structure 787 @param label Policy label for fg 788 789 Determine whether the subject identified by the credential can 790 get the offset of the file represented by fg. 791 792 @return Return 0 if access if granted, otherwise an appropriate 793 value for errno should be returned. 794*/ 795typedef int mpo_file_check_get_offset_t( 796 kauth_cred_t cred, 797 struct fileglob *fg, 798 struct label *label 799); 800/** 801 @brief Access control for inheriting a file descriptor 802 @param cred Subject credential 803 @param fg Fileglob structure 804 @param label Policy label for fg 805 806 Determine whether the subject identified by the credential can 807 inherit the fileglob structure represented by fg. 808 809 @return Return 0 if access if granted, otherwise an appropriate 810 value for errno should be returned. 811*/ 812typedef int mpo_file_check_inherit_t( 813 kauth_cred_t cred, 814 struct fileglob *fg, 815 struct label *label 816); 817/** 818 @brief Access control check for file ioctl 819 @param cred Subject credential 820 @param fg Fileglob structure 821 @param label Policy label for fg 822 @param cmd The ioctl command; see ioctl(2) 823 824 Determine whether the subject identified by the credential can perform 825 the ioctl operation indicated by cmd. 826 827 @warning Since ioctl data is opaque from the standpoint of the MAC 828 framework, policies must exercise extreme care when implementing 829 access control checks. 830 831 @return Return 0 if access is granted, otherwise an appropriate value for 832 errno should be returned. 833 834*/ 835typedef int mpo_file_check_ioctl_t( 836 kauth_cred_t cred, 837 struct fileglob *fg, 838 struct label *label, 839 unsigned int cmd 840); 841/** 842 @brief Access control check for file locking 843 @param cred Subject credential 844 @param fg Fileglob structure 845 @param label Policy label for fg 846 @param op The lock operation (F_GETLK, F_SETLK, F_UNLK) 847 @param fl The flock structure 848 849 Determine whether the subject identified by the credential can perform 850 the lock operation indicated by op and fl on the file represented by fg. 851 852 @return Return 0 if access is granted, otherwise an appropriate value for 853 errno should be returned. 854 855*/ 856typedef int mpo_file_check_lock_t( 857 kauth_cred_t cred, 858 struct fileglob *fg, 859 struct label *label, 860 int op, 861 struct flock *fl 862); 863/** 864 @brief Access control check for mapping a file 865 @param cred Subject credential 866 @param fg fileglob representing file to map 867 @param label Policy label associated with vp 868 @param prot mmap protections; see mmap(2) 869 @param flags Type of mapped object; see mmap(2) 870 @param maxprot Maximum rights 871 872 Determine whether the subject identified by the credential should be 873 allowed to map the file represented by fg with the protections specified 874 in prot. The maxprot field holds the maximum permissions on the new 875 mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. 876 To avoid overriding prior access control checks, a policy should only 877 remove flags from maxprot. 878 879 @return Return 0 if access is granted, otherwise an appropriate value for 880 errno should be returned. Suggested failure: EACCES for label mismatch or 881 EPERM for lack of privilege. 882*/ 883typedef int mpo_file_check_mmap_t( 884 kauth_cred_t cred, 885 struct fileglob *fg, 886 struct label *label, 887 int prot, 888 int flags, 889 int *maxprot 890); 891/** 892 @brief Downgrade the mmap protections 893 @param cred Subject credential 894 @param fg file to map 895 @param label Policy label associated with vp 896 @param prot mmap protections to be downgraded 897 898 Downgrade the mmap protections based on the subject and object labels. 899*/ 900typedef void mpo_file_check_mmap_downgrade_t( 901 kauth_cred_t cred, 902 struct fileglob *fg, 903 struct label *label, 904 int *prot 905); 906/** 907 @brief Access control for receiving a file descriptor 908 @param cred Subject credential 909 @param fg Fileglob structure 910 @param label Policy label for fg 911 912 Determine whether the subject identified by the credential can 913 receive the fileglob structure represented by fg. 914 915 @return Return 0 if access if granted, otherwise an appropriate 916 value for errno should be returned. 917*/ 918typedef int mpo_file_check_receive_t( 919 kauth_cred_t cred, 920 struct fileglob *fg, 921 struct label *label 922); 923/** 924 @brief Access control check for mac_set_fd 925 @param cred Subject credential 926 @param fg Fileglob structure 927 @param elements Elements buffer 928 @param len Length of elements buffer 929 930 Determine whether the subject identified by the credential can 931 perform the mac_set_fd operation. The mac_set_fd operation is used 932 to associate a MAC label with a file. 933 934 @return Return 0 if access is granted, otherwise an appropriate value for 935 errno should be returned. 936*/ 937typedef int mpo_file_check_set_t( 938 kauth_cred_t cred, 939 struct fileglob *fg, 940 char *elements, 941 int len 942); 943/** 944 @brief Create file label 945 @param cred Subject credential 946 @param fg Fileglob structure 947 @param label Policy label for fg 948*/ 949typedef void mpo_file_label_associate_t( 950 kauth_cred_t cred, 951 struct fileglob *fg, 952 struct label *label 953); 954/** 955 @brief Destroy file label 956 @param label The label to be destroyed 957 958 Destroy the label on a file descriptor. In this entry point, a 959 policy module should free any internal storage associated with 960 label so that it may be destroyed. 961*/ 962typedef void mpo_file_label_destroy_t( 963 struct label *label 964); 965/** 966 @brief Initialize file label 967 @param label New label to initialize 968*/ 969typedef void mpo_file_label_init_t( 970 struct label *label 971); 972/** 973 @brief Access control check for relabeling network interfaces 974 @param cred Subject credential 975 @param ifp network interface being relabeled 976 @param ifnetlabel Current label of the network interfaces 977 @param newlabel New label to apply to the network interfaces 978 @see mpo_ifnet_label_update_t 979 980 Determine whether the subject identified by the credential can 981 relabel the network interface represented by ifp to the supplied 982 new label (newlabel). 983 984 @return Return 0 if access is granted, otherwise an appropriate value for 985 errno should be returned. 986*/ 987typedef int mpo_ifnet_check_label_update_t( 988 kauth_cred_t cred, 989 struct ifnet *ifp, 990 struct label *ifnetlabel, 991 struct label *newlabel 992); 993/** 994 @brief Access control check for relabeling network interfaces 995 @param ifp Network interface mbuf will be transmitted through 996 @param ifnetlabel Label of the network interfaces 997 @param m The mbuf to be transmitted 998 @param mbuflabel Label of the mbuf to be transmitted 999 @param family Address Family, AF_* 1000 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW} 1001 1002 Determine whether the mbuf with label mbuflabel may be transmitted 1003 through the network interface represented by ifp that has the 1004 label ifnetlabel. 1005 1006 @return Return 0 if access is granted, otherwise an appropriate value for 1007 errno should be returned. 1008*/ 1009typedef int mpo_ifnet_check_transmit_t( 1010 struct ifnet *ifp, 1011 struct label *ifnetlabel, 1012 struct mbuf *m, 1013 struct label *mbuflabel, 1014 int family, 1015 int type 1016); 1017/** 1018 @brief Create a network interface label 1019 @param ifp Network interface labeled 1020 @param ifnetlabel Label for the network interface 1021 1022 Set the label of a newly created network interface, most likely 1023 using the information in the supplied network interface struct. 1024*/ 1025typedef void mpo_ifnet_label_associate_t( 1026 struct ifnet *ifp, 1027 struct label *ifnetlabel 1028); 1029/** 1030 @brief Copy an ifnet label 1031 @param src Source ifnet label 1032 @param dest Destination ifnet label 1033 1034 Copy the label information from src to dest. 1035*/ 1036typedef void mpo_ifnet_label_copy_t( 1037 struct label *src, 1038 struct label *dest 1039); 1040/** 1041 @brief Destroy ifnet label 1042 @param label The label to be destroyed 1043 1044 Destroy the label on an ifnet label. In this entry point, a 1045 policy module should free any internal storage associated with 1046 label so that it may be destroyed. 1047*/ 1048typedef void mpo_ifnet_label_destroy_t( 1049 struct label *label 1050); 1051/** 1052 @brief Externalize an ifnet label 1053 @param label Label to be externalized 1054 @param element_name Name of the label namespace for which labels should be 1055 externalized 1056 @param sb String buffer to be filled with a text representation of the label 1057 1058 Produce an external representation of the label on an interface. 1059 An externalized label consists of a text representation of the 1060 label contents that can be used with user applications. 1061 Policy-agnostic user space tools will display this externalized 1062 version. 1063 1064 @return 0 on success, return non-zero if an error occurs while 1065 externalizing the label data. 1066 1067*/ 1068typedef int mpo_ifnet_label_externalize_t( 1069 struct label *label, 1070 char *element_name, 1071 struct sbuf *sb 1072); 1073/** 1074 @brief Initialize ifnet label 1075 @param label New label to initialize 1076*/ 1077typedef void mpo_ifnet_label_init_t( 1078 struct label *label 1079); 1080/** 1081 @brief Internalize an interface label 1082 @param label Label to be internalized 1083 @param element_name Name of the label namespace for which the label should 1084 be internalized 1085 @param element_data Text data to be internalized 1086 1087 Produce an interface label from an external representation. An 1088 externalized label consists of a text representation of the label 1089 contents that can be used with user applications. Policy-agnostic 1090 user space tools will forward text version to the kernel for 1091 processing by individual policy modules. 1092 1093 The policy's internalize entry points will be called only if the 1094 policy has registered interest in the label namespace. 1095 1096 @return 0 on success, Otherwise, return non-zero if an error occurs 1097 while internalizing the label data. 1098 1099*/ 1100typedef int mpo_ifnet_label_internalize_t( 1101 struct label *label, 1102 char *element_name, 1103 char *element_data 1104); 1105/** 1106 @brief Recycle up a network interface label 1107 @param label The label to be recycled 1108 1109 Recycle a network interface label. Darwin caches the struct ifnet 1110 of detached ifnets in a "free pool". Before ifnets are returned 1111 to the "free pool", policies can cleanup or overwrite any information 1112 present in the label. 1113*/ 1114typedef void mpo_ifnet_label_recycle_t( 1115 struct label *label 1116); 1117/** 1118 @brief Update a network interface label 1119 @param cred Subject credential 1120 @param ifp The network interface to be relabeled 1121 @param ifnetlabel The current label of the network interface 1122 @param newlabel A new label to apply to the network interface 1123 @see mpo_ifnet_check_label_update_t 1124 1125 Update the label on a network interface, using the supplied new label. 1126*/ 1127typedef void mpo_ifnet_label_update_t( 1128 kauth_cred_t cred, 1129 struct ifnet *ifp, 1130 struct label *ifnetlabel, 1131 struct label *newlabel 1132); 1133/** 1134 @brief Access control check for delivering a packet to a socket 1135 @param inp inpcb the socket is associated with 1136 @param inplabel Label of the inpcb 1137 @param m The mbuf being received 1138 @param mbuflabel Label of the mbuf being received 1139 @param family Address family, AF_* 1140 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW} 1141 1142 Determine whether the mbuf with label mbuflabel may be received 1143 by the socket associated with inpcb that has the label inplabel. 1144 1145 @return Return 0 if access is granted, otherwise an appropriate value for 1146 errno should be returned. 1147*/ 1148typedef int mpo_inpcb_check_deliver_t( 1149 struct inpcb *inp, 1150 struct label *inplabel, 1151 struct mbuf *m, 1152 struct label *mbuflabel, 1153 int family, 1154 int type 1155); 1156/** 1157 @brief Create an inpcb label 1158 @param so Socket containing the inpcb to be labeled 1159 @param solabel Label of the socket 1160 @param inp inpcb to be labeled 1161 @param inplabel Label for the inpcb 1162 1163 Set the label of a newly created inpcb, most likely 1164 using the information in the socket and/or socket label. 1165*/ 1166typedef void mpo_inpcb_label_associate_t( 1167 struct socket *so, 1168 struct label *solabel, 1169 struct inpcb *inp, 1170 struct label *inplabel 1171); 1172/** 1173 @brief Destroy inpcb label 1174 @param label The label to be destroyed 1175 1176 Destroy the label on an inpcb label. In this entry point, a 1177 policy module should free any internal storage associated with 1178 label so that it may be destroyed. 1179*/ 1180typedef void mpo_inpcb_label_destroy_t( 1181 struct label *label 1182); 1183/** 1184 @brief Initialize inpcb label 1185 @param label New label to initialize 1186 @param flag M_WAITOK or M_NOWAIT 1187*/ 1188typedef int mpo_inpcb_label_init_t( 1189 struct label *label, 1190 int flag 1191); 1192/** 1193 @brief Recycle up an inpcb label 1194 @param label The label to be recycled 1195 1196 Recycle an inpcb label. Darwin allocates the inpcb as part of 1197 the socket structure in some cases. For this case we must recycle 1198 rather than destroy the inpcb as it will be reused later. 1199*/ 1200typedef void mpo_inpcb_label_recycle_t( 1201 struct label *label 1202); 1203/** 1204 @brief Update an inpcb label from a socket label 1205 @param so Socket containing the inpcb to be relabeled 1206 @param solabel New label of the socket 1207 @param inp inpcb to be labeled 1208 @param inplabel Label for the inpcb 1209 1210 Set the label of a newly created inpcb due to a change in the 1211 underlying socket label. 1212*/ 1213typedef void mpo_inpcb_label_update_t( 1214 struct socket *so, 1215 struct label *solabel, 1216 struct inpcb *inp, 1217 struct label *inplabel 1218); 1219/** 1220 @brief Device hardware access control 1221 @param devtype Type of device connected 1222 @param properties XML-formatted property list 1223 @param proplen Length of the property list 1224 1225 This is the MAC Framework device access control, which is called by the I/O 1226 Kit when a new device is connected to the system to determine whether that 1227 device should be trusted. A list of properties associated with the device 1228 is passed as an XML-formatted string. The routine should examine these 1229 properties to determine the trustworthiness of the device. A return value 1230 of EPERM forces the device to be claimed by a special device driver that 1231 will prevent its operation. 1232 1233 @warning This is an experimental interface and may change in the future. 1234 1235 @return Return EPERM to indicate that the device is untrusted and should 1236 not be allowed to operate. Return zero to indicate that the device is 1237 trusted and should be allowed to operate normally. 1238 1239*/ 1240typedef int mpo_iokit_check_device_t( 1241 char *devtype, 1242 struct mac_module_data *mdata 1243); 1244/** 1245 @brief Access control check for opening an I/O Kit device 1246 @param cred Subject credential 1247 @param device_path Device path 1248 @param user_client User client instance 1249 @param user_client_type User client type 1250 1251 Determine whether the subject identified by the credential can open an 1252 I/O Kit device at the passed path of the passed user client class and 1253 type. 1254 1255 @return Return 0 if access is granted, or an appropriate value for 1256 errno should be returned. 1257*/ 1258typedef int mpo_iokit_check_open_t( 1259 kauth_cred_t cred, 1260 io_object_t user_client, 1261 unsigned int user_client_type 1262); 1263/** 1264 @brief Access control check for setting I/O Kit device properties 1265 @param cred Subject credential 1266 @param entry Target device 1267 @param properties Property list 1268 1269 Determine whether the subject identified by the credential can set 1270 properties on an I/O Kit device. 1271 1272 @return Return 0 if access is granted, or an appropriate value for 1273 errno should be returned. 1274*/ 1275typedef int mpo_iokit_check_set_properties_t( 1276 kauth_cred_t cred, 1277 io_object_t entry, 1278 io_object_t properties 1279); 1280/** 1281 @brief Indicate desire to filter I/O Kit devices properties 1282 @param cred Subject credential 1283 @param entry Target device 1284 @see mpo_iokit_check_get_property_t 1285 1286 Indicate whether this policy may restrict the subject credential 1287 from reading properties of the target device. 1288 If a policy returns success from this entry point, the 1289 mpo_iokit_check_get_property entry point will later be called 1290 for each property that the subject credential tries to read from 1291 the target device. 1292 1293 This entry point is primarilly to optimize bulk property reads 1294 by skipping calls to the mpo_iokit_check_get_property entry point 1295 for credentials / devices no MAC policy is interested in. 1296 1297 @warning Even if a policy returns 0, it should behave correctly in 1298 the presence of an invocation of mpo_iokit_check_get_property, as that 1299 call may happen as a result of another policy requesting a transition. 1300 1301 @return Non-zero if a transition is required, 0 otherwise. 1302 */ 1303typedef int mpo_iokit_check_filter_properties_t( 1304 kauth_cred_t cred, 1305 io_object_t entry 1306); 1307/** 1308 @brief Access control check for getting I/O Kit device properties 1309 @param cred Subject credential 1310 @param entry Target device 1311 @param name Property name 1312 1313 Determine whether the subject identified by the credential can get 1314 properties on an I/O Kit device. 1315 1316 @return Return 0 if access is granted, or an appropriate value for 1317 errno. 1318*/ 1319typedef int mpo_iokit_check_get_property_t( 1320 kauth_cred_t cred, 1321 io_object_t entry, 1322 const char *name 1323); 1324/** 1325 @brief Access control check for software HID control 1326 @param cred Subject credential 1327 1328 Determine whether the subject identified by the credential can 1329 control the HID (Human Interface Device) subsystem, such as to 1330 post synthetic keypresses, pointer movement and clicks. 1331 1332 @return Return 0 if access is granted, or an appropriate value for 1333 errno. 1334*/ 1335typedef int mpo_iokit_check_hid_control_t( 1336 kauth_cred_t cred 1337); 1338/** 1339 @brief Create an IP reassembly queue label 1340 @param fragment First received IP fragment 1341 @param fragmentlabel Policy label for fragment 1342 @param ipq IP reassembly queue to be labeled 1343 @param ipqlabel Policy label to be filled in for ipq 1344 1345 Set the label on a newly created IP reassembly queue from 1346 the mbuf header of the first received fragment. 1347*/ 1348typedef void mpo_ipq_label_associate_t( 1349 struct mbuf *fragment, 1350 struct label *fragmentlabel, 1351 struct ipq *ipq, 1352 struct label *ipqlabel 1353); 1354/** 1355 @brief Compare an mbuf header label to an ipq label 1356 @param fragment IP datagram fragment 1357 @param fragmentlabel Policy label for fragment 1358 @param ipq IP fragment reassembly queue 1359 @param ipqlabel Policy label for ipq 1360 1361 Compare the label of the mbuf header containing an IP datagram 1362 (fragment) fragment with the label of the passed IP fragment 1363 reassembly queue (ipq). Return (1) for a successful match, or (0) 1364 for no match. This call is made when the IP stack attempts to 1365 find an existing fragment reassembly queue for a newly received 1366 fragment; if this fails, a new fragment reassembly queue may be 1367 instantiated for the fragment. Policies may use this entry point 1368 to prevent the reassembly of otherwise matching IP fragments if 1369 policy does not permit them to be reassembled based on the label 1370 or other information. 1371*/ 1372typedef int mpo_ipq_label_compare_t( 1373 struct mbuf *fragment, 1374 struct label *fragmentlabel, 1375 struct ipq *ipq, 1376 struct label *ipqlabel 1377); 1378/** 1379 @brief Destroy IP reassembly queue label 1380 @param label The label to be destroyed 1381 1382 Destroy the label on an IP fragment queue. In this entry point, a 1383 policy module should free any internal storage associated with 1384 label so that it may be destroyed. 1385*/ 1386typedef void mpo_ipq_label_destroy_t( 1387 struct label *label 1388); 1389/** 1390 @brief Initialize IP reassembly queue label 1391 @param label New label to initialize 1392 @param flag M_WAITOK or M_NOWAIT 1393 1394 Initialize the label on a newly instantiated IP fragment reassembly 1395 queue. The flag field may be one of M_WAITOK and M_NOWAIT, and 1396 should be employed to avoid performing a sleeping malloc(9) during 1397 this initialization call. IP fragment reassembly queue allocation 1398 frequently occurs in performance sensitive environments, and the 1399 implementation should be careful to avoid sleeping or long-lived 1400 operations. This entry point is permitted to fail resulting in 1401 the failure to allocate the IP fragment reassembly queue. 1402*/ 1403typedef int mpo_ipq_label_init_t( 1404 struct label *label, 1405 int flag 1406); 1407/** 1408 @brief Update the label on an IP fragment reassembly queue 1409 @param fragment IP fragment 1410 @param fragmentlabel Policy label for fragment 1411 @param ipq IP fragment reassembly queue 1412 @param ipqlabel Policy label to be updated for ipq 1413 1414 Update the label on an IP fragment reassembly queue (ipq) based 1415 on the acceptance of the passed IP fragment mbuf header (fragment). 1416*/ 1417typedef void mpo_ipq_label_update_t( 1418 struct mbuf *fragment, 1419 struct label *fragmentlabel, 1420 struct ipq *ipq, 1421 struct label *ipqlabel 1422); 1423/** 1424 @brief Access control check for relabelling Login Context 1425 @param l Subject credential 1426 @param newlabel New label to apply to the Login Context 1427 @see mpo_lctx_label_update_t 1428 @see mac_set_lcid 1429 @see mac_set_lctx 1430 1431 Determine whether the subject identified by the credential can relabel 1432 itself to the supplied new label (newlabel). This access control check 1433 is called when the mac_set_lctx/lcid system call is invoked. A user space 1434 application will supply a new value, the value will be internalized 1435 and provided in newlabel. 1436 1437 @return Return 0 if access is granted, otherwise an appropriate value for 1438 errno should be returned. 1439*/ 1440typedef int mpo_lctx_check_label_update_t( 1441 struct lctx *l, 1442 struct label *newlabel 1443); 1444/** 1445 @brief Destroy Login Context label 1446 @param label The label to be destroyed 1447*/ 1448typedef void mpo_lctx_label_destroy_t( 1449 struct label *label 1450); 1451/** 1452 @brief Externalize a Login Context label 1453 @param label Label to be externalized 1454 @param element_name Name of the label namespace for which labels should be 1455 externalized 1456 @param sb String buffer to be filled with a text representation of the label 1457 1458 Produce an external representation of the label on a Login Context. 1459 An externalized label consists of a text representation 1460 of the label contents that can be used with user applications. 1461 Policy-agnostic user space tools will display this externalized 1462 version. 1463 1464 @return 0 on success, return non-zero if an error occurs while 1465 externalizing the label data. 1466 1467*/ 1468typedef int mpo_lctx_label_externalize_t( 1469 struct label *label, 1470 char *element_name, 1471 struct sbuf *sb 1472); 1473/** 1474 @brief Initialize Login Context label 1475 @param label New label to initialize 1476*/ 1477typedef void mpo_lctx_label_init_t( 1478 struct label *label 1479); 1480/** 1481 @brief Internalize a Login Context label 1482 @param label Label to be internalized 1483 @param element_name Name of the label namespace for which the label should 1484 be internalized 1485 @param element_data Text data to be internalized 1486 1487 Produce a Login Context label from an external representation. An 1488 externalized label consists of a text representation of the label 1489 contents that can be used with user applications. Policy-agnostic 1490 user space tools will forward text version to the kernel for 1491 processing by individual policy modules. 1492 1493 The policy's internalize entry points will be called only if the 1494 policy has registered interest in the label namespace. 1495 1496 @return 0 on success, Otherwise, return non-zero if an error occurs 1497 while internalizing the label data. 1498 1499*/ 1500typedef int mpo_lctx_label_internalize_t( 1501 struct label *label, 1502 char *element_name, 1503 char *element_data 1504); 1505/** 1506 @brief Update a Login Context label 1507 @param l 1508 @param newlabel A new label to apply to the Login Context 1509 @see mpo_lctx_check_label_update_t 1510 @see mac_set_lcid 1511 @see mac_set_lctx 1512 1513 Update the label on a login context, using the supplied new label. 1514 This is called as a result of a login context relabel operation. Access 1515 control was already confirmed by mpo_lctx_check_label_update. 1516*/ 1517typedef void mpo_lctx_label_update_t( 1518 struct lctx *l, 1519 struct label *newlabel 1520); 1521/** 1522 @brief A process has created a login context 1523 @param p Subject 1524 @param l Login Context 1525 1526 When a process creates a login context (via setlcid()) this entrypoint 1527 is called to notify the policy that the process 'p' has created login 1528 context 'l'. 1529*/ 1530typedef void mpo_lctx_notify_create_t( 1531 struct proc *p, 1532 struct lctx *l 1533); 1534/** 1535 @brief A process has joined a login context 1536 @param p Subject 1537 @param l Login Context 1538 1539 When a process joins a login context, either via setlcid() or via 1540 fork() this entrypoint is called to notify the policy that process 1541 'p' is now a member of login context 'l'. 1542*/ 1543typedef void mpo_lctx_notify_join_t( 1544 struct proc *p, 1545 struct lctx *l 1546); 1547/** 1548 @brief A process has left a login context 1549 @param p Subject 1550 @param l Login Context 1551 1552 When a process leaves a login context either via setlcid() or as a 1553 result of the process exiting this entrypoint is called to notify 1554 the policy that the process 'p' is no longer a member of login context 'l'. 1555*/ 1556typedef void mpo_lctx_notify_leave_t( 1557 struct proc *p, 1558 struct lctx *l 1559); 1560/** 1561 @brief Assign a label to a new mbuf 1562 @param bpf_d BPF descriptor 1563 @param b_label Policy label for bpf_d 1564 @param m Object; mbuf 1565 @param m_label Policy label to fill in for m 1566 1567 Set the label on the mbuf header of a newly created datagram 1568 generated using the passed BPF descriptor. This call is made when 1569 a write is performed to the BPF device associated with the passed 1570 BPF descriptor. 1571*/ 1572typedef void mpo_mbuf_label_associate_bpfdesc_t( 1573 struct bpf_d *bpf_d, 1574 struct label *b_label, 1575 struct mbuf *m, 1576 struct label *m_label 1577); 1578/** 1579 @brief Assign a label to a new mbuf 1580 @param ifp Interface descriptor 1581 @param i_label Existing label of ifp 1582 @param m Object; mbuf 1583 @param m_label Policy label to fill in for m 1584 1585 Label an mbuf based on the interface from which it was received. 1586*/ 1587typedef void mpo_mbuf_label_associate_ifnet_t( 1588 struct ifnet *ifp, 1589 struct label *i_label, 1590 struct mbuf *m, 1591 struct label *m_label 1592); 1593/** 1594 @brief Assign a label to a new mbuf 1595 @param inp inpcb structure 1596 @param i_label Existing label of inp 1597 @param m Object; mbuf 1598 @param m_label Policy label to fill in for m 1599 1600 Label an mbuf based on the inpcb from which it was derived. 1601*/ 1602typedef void mpo_mbuf_label_associate_inpcb_t( 1603 struct inpcb *inp, 1604 struct label *i_label, 1605 struct mbuf *m, 1606 struct label *m_label 1607); 1608/** 1609 @brief Set the label on a newly reassembled IP datagram 1610 @param ipq IP fragment reassembly queue 1611 @param ipqlabel Policy label for ipq 1612 @param mbuf IP datagram to be labeled 1613 @param mbuflabel Policy label to be filled in for mbuf 1614 1615 Set the label on a newly reassembled IP datagram (mbuf) from the IP 1616 fragment reassembly queue (ipq) from which it was generated. 1617*/ 1618typedef void mpo_mbuf_label_associate_ipq_t( 1619 struct ipq *ipq, 1620 struct label *ipqlabel, 1621 struct mbuf *mbuf, 1622 struct label *mbuflabel 1623); 1624/** 1625 @brief Assign a label to a new mbuf 1626 @param ifp Subject; network interface 1627 @param i_label Existing label of ifp 1628 @param m Object; mbuf 1629 @param m_label Policy label to fill in for m 1630 1631 Set the label on the mbuf header of a newly created datagram 1632 generated for the purposes of a link layer response for the passed 1633 interface. This call may be made in a number of situations, including 1634 for ARP or ND6 responses in the IPv4 and IPv6 stacks. 1635*/ 1636typedef void mpo_mbuf_label_associate_linklayer_t( 1637 struct ifnet *ifp, 1638 struct label *i_label, 1639 struct mbuf *m, 1640 struct label *m_label 1641); 1642/** 1643 @brief Assign a label to a new mbuf 1644 @param oldmbuf mbuf headerder for existing datagram for existing datagram 1645 @param oldmbuflabel Policy label for oldmbuf 1646 @param ifp Network interface 1647 @param ifplabel Policy label for ifp 1648 @param newmbuf mbuf header to be labeled for new datagram 1649 @param newmbuflabel Policy label for newmbuf 1650 1651 Set the label on the mbuf header of a newly created datagram 1652 generated from the existing passed datagram when it is processed 1653 by the passed multicast encapsulation interface. This call is made 1654 when an mbuf is to be delivered using the virtual interface. 1655*/ 1656typedef void mpo_mbuf_label_associate_multicast_encap_t( 1657 struct mbuf *oldmbuf, 1658 struct label *oldmbuflabel, 1659 struct ifnet *ifp, 1660 struct label *ifplabel, 1661 struct mbuf *newmbuf, 1662 struct label *newmbuflabel 1663); 1664/** 1665 @brief Assign a label to a new mbuf 1666 @param oldmbuf Received datagram 1667 @param oldmbuflabel Policy label for oldmbuf 1668 @param newmbuf Newly created datagram 1669 @param newmbuflabel Policy label for newmbuf 1670 1671 Set the label on the mbuf header of a newly created datagram generated 1672 by the IP stack in response to an existing received datagram (oldmbuf). 1673 This call may be made in a number of situations, including when responding 1674 to ICMP request datagrams. 1675*/ 1676typedef void mpo_mbuf_label_associate_netlayer_t( 1677 struct mbuf *oldmbuf, 1678 struct label *oldmbuflabel, 1679 struct mbuf *newmbuf, 1680 struct label *newmbuflabel 1681); 1682/** 1683 @brief Assign a label to a new mbuf 1684 @param so Socket to label 1685 @param so_label Policy label for socket 1686 @param m Object; mbuf 1687 @param m_label Policy label to fill in for m 1688 1689 An mbuf structure is used to store network traffic in transit. 1690 When an application sends data to a socket or a pipe, it is wrapped 1691 in an mbuf first. This function sets the label on a newly created mbuf header 1692 based on the socket sending the data. The contents of the label should be 1693 suitable for performing an access check on the receiving side of the 1694 communication. 1695 1696 Only labeled MBUFs will be presented to the policy via this entrypoint. 1697*/ 1698typedef void mpo_mbuf_label_associate_socket_t( 1699 socket_t so, 1700 struct label *so_label, 1701 struct mbuf *m, 1702 struct label *m_label 1703); 1704/** 1705 @brief Copy a mbuf label 1706 @param src Source label 1707 @param dest Destination label 1708 1709 Copy the mbuf label information in src into dest. 1710 1711 Only called when both source and destination mbufs have labels. 1712*/ 1713typedef void mpo_mbuf_label_copy_t( 1714 struct label *src, 1715 struct label *dest 1716); 1717/** 1718 @brief Destroy mbuf label 1719 @param label The label to be destroyed 1720 1721 Destroy a mbuf label. Since the 1722 object is going out of scope, policy modules should free any 1723 internal storage associated with the label so that it may be 1724 destroyed. 1725*/ 1726typedef void mpo_mbuf_label_destroy_t( 1727 struct label *label 1728); 1729/** 1730 @brief Initialize mbuf label 1731 @param label New label to initialize 1732 @param flag Malloc flags 1733 1734 Initialize the label for a newly instantiated mbuf. 1735 1736 @warning Since it is possible for the flags to be set to 1737 M_NOWAIT, the malloc operation may fail. 1738 1739 @return On success, 0, otherwise, an appropriate errno return value. 1740*/ 1741typedef int mpo_mbuf_label_init_t( 1742 struct label *label, 1743 int flag 1744); 1745/** 1746 @brief Access control check for fsctl 1747 @param cred Subject credential 1748 @param mp The mount point 1749 @param label Label associated with the mount point 1750 @param com Filesystem-dependent request code; see fsctl(2) 1751 1752 Determine whether the subject identified by the credential can perform 1753 the volume operation indicated by com. 1754 1755 @warning The fsctl() system call is directly analogous to ioctl(); since 1756 the associated data is opaque from the standpoint of the MAC framework 1757 and since these operations can affect many aspects of system operation, 1758 policies must exercise extreme care when implementing access control checks. 1759 1760 @return Return 0 if access is granted, otherwise an appropriate value for 1761 errno should be returned. 1762*/ 1763typedef int mpo_mount_check_fsctl_t( 1764 kauth_cred_t cred, 1765 struct mount *mp, 1766 struct label *label, 1767 unsigned int cmd 1768); 1769/** 1770 @brief Access control check for the retrieval of file system attributes 1771 @param cred Subject credential 1772 @param mp The mount structure of the file system 1773 @param vfa The attributes requested 1774 1775 This entry point determines whether given subject can get information 1776 about the given file system. This check happens during statfs() syscalls, 1777 but is also used by other parts within the kernel such as the audit system. 1778 1779 @return Return 0 if access is granted, otherwise an appropriate value for 1780 errno should be returned. 1781*/ 1782 1783typedef int mpo_mount_check_getattr_t( 1784 kauth_cred_t cred, 1785 struct mount *mp, 1786 struct label *mp_label, 1787 struct vfs_attr *vfa 1788); 1789/** 1790 @brief Access control check for mount point relabeling 1791 @param cred Subject credential 1792 @param mp Object file system mount point 1793 @param mntlabel Policy label for fle system mount point 1794 1795 Determine whether the subject identified by the credential can relabel 1796 the mount point. This call is made when a file system mount is updated. 1797 1798 @return Return 0 if access is granted, otherwise an appropriate value for 1799 errno should be returned. Suggested failure: EACCES for label mismatch 1800 or EPERM for lack of privilege. 1801*/ 1802typedef int mpo_mount_check_label_update_t( 1803 kauth_cred_t cred, 1804 struct mount *mp, 1805 struct label *mntlabel 1806); 1807/** 1808 @brief Access control check for mounting a file system 1809 @param cred Subject credential 1810 @param vp Vnode that is to be the mount point 1811 @param vlabel Label associated with the vnode 1812 @param cnp Component name for vp 1813 @param vfc_name Filesystem type name 1814 1815 Determine whether the subject identified by the credential can perform 1816 the mount operation on the target vnode. 1817 1818 @return Return 0 if access is granted, otherwise an appropriate value for 1819 errno should be returned. 1820*/ 1821typedef int mpo_mount_check_mount_t( 1822 kauth_cred_t cred, 1823 struct vnode *vp, 1824 struct label *vlabel, 1825 struct componentname *cnp, 1826 const char *vfc_name 1827); 1828/** 1829 @brief Access control check remounting a filesystem 1830 @param cred Subject credential 1831 @param mp The mount point 1832 @param mlabel Label currently associated with the mount point 1833 1834 Determine whether the subject identified by the credential can perform 1835 the remount operation on the target vnode. 1836 1837 @return Return 0 if access is granted, otherwise an appropriate value for 1838 errno should be returned. 1839*/ 1840typedef int mpo_mount_check_remount_t( 1841 kauth_cred_t cred, 1842 struct mount *mp, 1843 struct label *mlabel 1844); 1845/** 1846 @brief Access control check for the settting of file system attributes 1847 @param cred Subject credential 1848 @param mp The mount structure of the file system 1849 @param vfa The attributes requested 1850 1851 This entry point determines whether given subject can set information 1852 about the given file system, for example the volume name. 1853 1854 @return Return 0 if access is granted, otherwise an appropriate value for 1855 errno should be returned. 1856*/ 1857 1858typedef int mpo_mount_check_setattr_t( 1859 kauth_cred_t cred, 1860 struct mount *mp, 1861 struct label *mp_label, 1862 struct vfs_attr *vfa 1863); 1864/** 1865 @brief Access control check for file system statistics 1866 @param cred Subject credential 1867 @param mp Object file system mount 1868 @param mntlabel Policy label for mp 1869 1870 Determine whether the subject identified by the credential can see 1871 the results of a statfs performed on the file system. This call may 1872 be made in a number of situations, including during invocations of 1873 statfs(2) and related calls, as well as to determine what file systems 1874 to exclude from listings of file systems, such as when getfsstat(2) 1875 is invoked. 1876 1877 @return Return 0 if access is granted, otherwise an appropriate value for 1878 errno should be returned. Suggested failure: EACCES for label mismatch 1879 or EPERM for lack of privilege. 1880*/ 1881typedef int mpo_mount_check_stat_t( 1882 kauth_cred_t cred, 1883 struct mount *mp, 1884 struct label *mntlabel 1885); 1886/** 1887 @brief Access control check for unmounting a filesystem 1888 @param cred Subject credential 1889 @param mp The mount point 1890 @param mlabel Label associated with the mount point 1891 1892 Determine whether the subject identified by the credential can perform 1893 the unmount operation on the target vnode. 1894 1895 @return Return 0 if access is granted, otherwise an appropriate value for 1896 errno should be returned. 1897*/ 1898typedef int mpo_mount_check_umount_t( 1899 kauth_cred_t cred, 1900 struct mount *mp, 1901 struct label *mlabel 1902); 1903/** 1904 @brief Create mount labels 1905 @param cred Subject credential 1906 @param mp Mount point of file system being mounted 1907 @param mntlabel Label to associate with the new mount point 1908 @see mpo_mount_label_init_t 1909 1910 Fill out the labels on the mount point being created by the supplied 1911 user credential. This call is made when file systems are first mounted. 1912*/ 1913typedef void mpo_mount_label_associate_t( 1914 kauth_cred_t cred, 1915 struct mount *mp, 1916 struct label *mntlabel 1917); 1918/** 1919 @brief Destroy mount label 1920 @param label The label to be destroyed 1921 1922 Destroy a file system mount label. Since the 1923 object is going out of scope, policy modules should free any 1924 internal storage associated with the label so that it may be 1925 destroyed. 1926*/ 1927typedef void mpo_mount_label_destroy_t( 1928 struct label *label 1929); 1930/** 1931 @brief Externalize a mount point label 1932 @param label Label to be externalized 1933 @param element_name Name of the label namespace for which labels should be 1934 externalized 1935 @param sb String buffer to be filled with a text representation of the label 1936 1937 Produce an external representation of the mount point label. An 1938 externalized label consists of a text representation of the label 1939 contents that can be used with user applications. Policy-agnostic 1940 user space tools will display this externalized version. 1941 1942 The policy's externalize entry points will be called only if the 1943 policy has registered interest in the label namespace. 1944 1945 @return 0 on success, return non-zero if an error occurs while 1946 externalizing the label data. 1947 1948*/ 1949typedef int mpo_mount_label_externalize_t( 1950 struct label *label, 1951 char *element_name, 1952 struct sbuf *sb 1953); 1954/** 1955 @brief Initialize mount point label 1956 @param label New label to initialize 1957 1958 Initialize the label for a newly instantiated mount structure. 1959 This label is typically used to store a default label in the case 1960 that the file system has been mounted singlelabel. Since some 1961 file systems do not support persistent labels (extended attributes) 1962 or are read-only (such as CD-ROMs), it is often necessary to store 1963 a default label separately from the label of the mount point 1964 itself. Sleeping is permitted. 1965*/ 1966typedef void mpo_mount_label_init_t( 1967 struct label *label 1968); 1969/** 1970 @brief Internalize a mount point label 1971 @param label Label to be internalized 1972 @param element_name Name of the label namespace for which the label should 1973 be internalized 1974 @param element_data Text data to be internalized 1975 1976 Produce a mount point file system label from an external representation. 1977 An externalized label consists of a text representation of the label 1978 contents that can be used with user applications. Policy-agnostic 1979 user space tools will forward text version to the kernel for 1980 processing by individual policy modules. 1981 1982 The policy's internalize entry points will be called only if the 1983 policy has registered interest in the label namespace. 1984 1985 @return 0 on success, Otherwise, return non-zero if an error occurs 1986 while internalizing the label data. 1987 1988*/ 1989typedef int mpo_mount_label_internalize_t( 1990 struct label *label, 1991 char *element_name, 1992 char *element_data 1993); 1994/** 1995 @brief Set the label on an IPv4 datagram fragment 1996 @param datagram Datagram being fragmented 1997 @param datagramlabel Policy label for datagram 1998 @param fragment New fragment 1999 @param fragmentlabel Policy label for fragment 2000 2001 Called when an IPv4 datagram is fragmented into several smaller datagrams. 2002 Policies implementing mbuf labels will typically copy the label from the 2003 source datagram to the new fragment. 2004*/ 2005typedef void mpo_netinet_fragment_t( 2006 struct mbuf *datagram, 2007 struct label *datagramlabel, 2008 struct mbuf *fragment, 2009 struct label *fragmentlabel 2010); 2011/** 2012 @brief Set the label on an ICMP reply 2013 @param m mbuf containing the ICMP reply 2014 @param mlabel Policy label for m 2015 2016 A policy may wish to update the label of an mbuf that refers to 2017 an ICMP packet being sent in response to an IP packet. This may 2018 be called in response to a bad packet or an ICMP request. 2019*/ 2020typedef void mpo_netinet_icmp_reply_t( 2021 struct mbuf *m, 2022 struct label *mlabel 2023); 2024/** 2025 @brief Set the label on a TCP reply 2026 @param m mbuf containing the TCP reply 2027 @param mlabel Policy label for m 2028 2029 Called for outgoing TCP packets not associated with an actual socket. 2030*/ 2031typedef void mpo_netinet_tcp_reply_t( 2032 struct mbuf *m, 2033 struct label *mlabel 2034); 2035/** 2036 @brief Access control check for pipe ioctl 2037 @param cred Subject credential 2038 @param cpipe Object to be accessed 2039 @param pipelabel The label on the pipe 2040 @param cmd The ioctl command; see ioctl(2) 2041 2042 Determine whether the subject identified by the credential can perform 2043 the ioctl operation indicated by cmd. 2044 2045 @warning Since ioctl data is opaque from the standpoint of the MAC 2046 framework, policies must exercise extreme care when implementing 2047 access control checks. 2048 2049 @return Return 0 if access is granted, otherwise an appropriate value for 2050 errno should be returned. 2051 2052*/ 2053typedef int mpo_pipe_check_ioctl_t( 2054 kauth_cred_t cred, 2055 struct pipe *cpipe, 2056 struct label *pipelabel, 2057 unsigned int cmd 2058); 2059/** 2060 @brief Access control check for pipe kqfilter 2061 @param cred Subject credential 2062 @param kn Object knote 2063 @param cpipe Object to be accessed 2064 @param pipelabel Policy label for the pipe 2065 2066 Determine whether the subject identified by the credential can 2067 receive the knote on the passed pipe. 2068 2069 @return Return 0 if access if granted, otherwise an appropriate 2070 value for errno should be returned. 2071*/ 2072typedef int mpo_pipe_check_kqfilter_t( 2073 kauth_cred_t cred, 2074 struct knote *kn, 2075 struct pipe *cpipe, 2076 struct label *pipelabel 2077); 2078/** 2079 @brief Access control check for pipe relabel 2080 @param cred Subject credential 2081 @param cpipe Object to be accessed 2082 @param pipelabel The current label on the pipe 2083 @param newlabel The new label to be used 2084 2085 Determine whether the subject identified by the credential can 2086 perform a relabel operation on the passed pipe. The cred object holds 2087 the credentials of the subject performing the operation. 2088 2089 @return Return 0 if access is granted, otherwise an appropriate value for 2090 errno should be returned. 2091 2092*/ 2093typedef int mpo_pipe_check_label_update_t( 2094 kauth_cred_t cred, 2095 struct pipe *cpipe, 2096 struct label *pipelabel, 2097 struct label *newlabel 2098); 2099/** 2100 @brief Access control check for pipe read 2101 @param cred Subject credential 2102 @param cpipe Object to be accessed 2103 @param pipelabel The label on the pipe 2104 2105 Determine whether the subject identified by the credential can 2106 perform a read operation on the passed pipe. The cred object holds 2107 the credentials of the subject performing the operation. 2108 2109 @return Return 0 if access is granted, otherwise an appropriate value for 2110 errno should be returned. 2111 2112*/ 2113typedef int mpo_pipe_check_read_t( 2114 kauth_cred_t cred, 2115 struct pipe *cpipe, 2116 struct label *pipelabel 2117); 2118/** 2119 @brief Access control check for pipe select 2120 @param cred Subject credential 2121 @param cpipe Object to be accessed 2122 @param pipelabel The label on the pipe 2123 @param which The operation selected on: FREAD or FWRITE 2124 2125 Determine whether the subject identified by the credential can 2126 perform a select operation on the passed pipe. The cred object holds 2127 the credentials of the subject performing the operation. 2128 2129 @return Return 0 if access is granted, otherwise an appropriate value for 2130 errno should be returned. 2131 2132*/ 2133typedef int mpo_pipe_check_select_t( 2134 kauth_cred_t cred, 2135 struct pipe *cpipe, 2136 struct label *pipelabel, 2137 int which 2138); 2139/** 2140 @brief Access control check for pipe stat 2141 @param cred Subject credential 2142 @param cpipe Object to be accessed 2143 @param pipelabel The label on the pipe 2144 2145 Determine whether the subject identified by the credential can 2146 perform a stat operation on the passed pipe. The cred object holds 2147 the credentials of the subject performing the operation. 2148 2149 @return Return 0 if access is granted, otherwise an appropriate value for 2150 errno should be returned. 2151 2152*/ 2153typedef int mpo_pipe_check_stat_t( 2154 kauth_cred_t cred, 2155 struct pipe *cpipe, 2156 struct label *pipelabel 2157); 2158/** 2159 @brief Access control check for pipe write 2160 @param cred Subject credential 2161 @param cpipe Object to be accessed 2162 @param pipelabel The label on the pipe 2163 2164 Determine whether the subject identified by the credential can 2165 perform a write operation on the passed pipe. The cred object holds 2166 the credentials of the subject performing the operation. 2167 2168 @return Return 0 if access is granted, otherwise an appropriate value for 2169 errno should be returned. 2170 2171*/ 2172typedef int mpo_pipe_check_write_t( 2173 kauth_cred_t cred, 2174 struct pipe *cpipe, 2175 struct label *pipelabel 2176); 2177/** 2178 @brief Create a pipe label 2179 @param cred Subject credential 2180 @param cpipe object to be labeled 2181 @param label Label for the pipe object 2182 2183 Create a label for the pipe object being created by the supplied 2184 user credential. This call is made when the pipe is being created 2185 XXXPIPE(for one or both sides of the pipe?). 2186 2187*/ 2188typedef void mpo_pipe_label_associate_t( 2189 kauth_cred_t cred, 2190 struct pipe *cpipe, 2191 struct label *pipelabel 2192); 2193/** 2194 @brief Copy a pipe label 2195 @param src Source pipe label 2196 @param dest Destination pipe label 2197 2198 Copy the pipe label associated with src to dest. 2199 XXXPIPE Describe when this is used: most likely during pipe creation to 2200 copy from rpipe to wpipe. 2201*/ 2202typedef void mpo_pipe_label_copy_t( 2203 struct label *src, 2204 struct label *dest 2205); 2206/** 2207 @brief Destroy pipe label 2208 @param label The label to be destroyed 2209 2210 Destroy a pipe label. Since the object is going out of scope, 2211 policy modules should free any internal storage associated with the 2212 label so that it may be destroyed. 2213*/ 2214typedef void mpo_pipe_label_destroy_t( 2215 struct label *label 2216); 2217/** 2218 @brief Externalize a pipe label 2219 @param label Label to be externalized 2220 @param element_name Name of the label namespace for which labels should be 2221 externalized 2222 @param sb String buffer to be filled with a text representation of the label 2223 2224 Produce an external representation of the label on a pipe. 2225 An externalized label consists of a text representation 2226 of the label contents that can be used with user applications. 2227 Policy-agnostic user space tools will display this externalized 2228 version. 2229 2230 The policy's externalize entry points will be called only if the 2231 policy has registered interest in the label namespace. 2232 2233 @return 0 on success, return non-zero if an error occurs while 2234 externalizing the label data. 2235 2236*/ 2237typedef int mpo_pipe_label_externalize_t( 2238 struct label *label, 2239 char *element_name, 2240 struct sbuf *sb 2241); 2242/** 2243 @brief Initialize pipe label 2244 @param label New label to initialize 2245 2246 Initialize label storage for use with a newly instantiated pipe object. 2247 Sleeping is permitted. 2248*/ 2249typedef void mpo_pipe_label_init_t( 2250 struct label *label 2251); 2252/** 2253 @brief Internalize a pipe label 2254 @param label Label to be internalized 2255 @param element_name Name of the label namespace for which the label should 2256 be internalized 2257 @param element_data Text data to be internalized 2258 2259 Produce a pipe label from an external representation. An 2260 externalized label consists of a text representation of the label 2261 contents that can be used with user applications. Policy-agnostic 2262 user space tools will forward text version to the kernel for 2263 processing by individual policy modules. 2264 2265 The policy's internalize entry points will be called only if the 2266 policy has registered interest in the label namespace. 2267 2268 @return 0 on success, Otherwise, return non-zero if an error occurs 2269 while internalizing the label data. 2270 2271*/ 2272typedef int mpo_pipe_label_internalize_t( 2273 struct label *label, 2274 char *element_name, 2275 char *element_data 2276); 2277/** 2278 @brief Update a pipe label 2279 @param cred Subject credential 2280 @param cpipe Object to be labeled 2281 @param oldlabel Existing pipe label 2282 @param newlabel New label to replace existing label 2283 @see mpo_pipe_check_label_update_t 2284 2285 The subject identified by the credential has previously requested 2286 and was authorized to relabel the pipe; this entry point allows 2287 policies to perform the actual relabel operation. Policies should 2288 update oldlabel using the label stored in the newlabel parameter. 2289 2290*/ 2291typedef void mpo_pipe_label_update_t( 2292 kauth_cred_t cred, 2293 struct pipe *cpipe, 2294 struct label *oldlabel, 2295 struct label *newlabel 2296); 2297/** 2298 @brief Policy unload event 2299 @param mpc MAC policy configuration 2300 2301 This is the MAC Framework policy unload event. This entry point will 2302 only be called if the module's policy configuration allows unload (if 2303 the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't 2304 want to be unloaded; they should set their flags to prevent this 2305 entry point from being called. 2306 2307 @warning During this call, the mac policy list mutex is held, so 2308 sleep operations cannot be performed, and calls out to other kernel 2309 subsystems must be made with caution. 2310 2311 @see MPC_LOADTIME_FLAG_UNLOADOK 2312*/ 2313typedef void mpo_policy_destroy_t( 2314 struct mac_policy_conf *mpc 2315); 2316/** 2317 @brief Policy initialization event 2318 @param mpc MAC policy configuration 2319 @see mac_policy_register 2320 @see mpo_policy_initbsd_t 2321 2322 This is the MAC Framework policy initialization event. This entry 2323 point is called during mac_policy_register, when the policy module 2324 is first registered with the MAC Framework. This is often done very 2325 early in the boot process, after the kernel Mach subsystem has been 2326 initialized, but prior to the BSD subsystem being initialized. 2327 Since the kernel BSD services are not yet available, it is possible 2328 that some initialization must occur later, possibly in the 2329 mpo_policy_initbsd_t policy entry point, such as registering BSD system 2330 controls (sysctls). Policy modules loaded at boot time will be 2331 registered and initialized before labeled Mach objects are created. 2332 2333 @warning During this call, the mac policy list mutex is held, so 2334 sleep operations cannot be performed, and calls out to other kernel 2335 subsystems must be made with caution. 2336*/ 2337typedef void mpo_policy_init_t( 2338 struct mac_policy_conf *mpc 2339); 2340/** 2341 @brief Policy BSD initialization event 2342 @param mpc MAC policy configuration 2343 @see mpo_policy_init_t 2344 2345 This entry point is called after the kernel BSD subsystem has been 2346 initialized. By this point, the module should already be loaded, 2347 registered, and initialized. Since policy modules are initialized 2348 before kernel BSD services are available, this second initialization 2349 phase is necessary. At this point, BSD services (memory management, 2350 synchronization primitives, vfs, etc.) are available, but the first 2351 process has not yet been created. Mach-related objects and tasks 2352 will already be fully initialized and may be in use--policies requiring 2353 ubiquitous labeling may also want to implement mpo_policy_init_t. 2354 2355 @warning During this call, the mac policy list mutex is held, so 2356 sleep operations cannot be performed, and calls out to other kernel 2357 subsystems must be made with caution. 2358*/ 2359typedef void mpo_policy_initbsd_t( 2360 struct mac_policy_conf *mpc 2361); 2362/** 2363 @brief Policy extension service 2364 @param p Calling process 2365 @param call Policy-specific syscall number 2366 @param arg Pointer to syscall arguments 2367 2368 This entry point provides a policy-multiplexed system call so that 2369 policies may provide additional services to user processes without 2370 registering specific system calls. The policy name provided during 2371 registration is used to demux calls from userland, and the arguments 2372 will be forwarded to this entry point. When implementing new 2373 services, security modules should be sure to invoke appropriate 2374 access control checks from the MAC framework as needed. For 2375 example, if a policy implements an augmented signal functionality, 2376 it should call the necessary signal access control checks to invoke 2377 the MAC framework and other registered policies. 2378 2379 @warning Since the format and contents of the policy-specific 2380 arguments are unknown to the MAC Framework, modules must perform the 2381 required copyin() of the syscall data on their own. No policy 2382 mediation is performed, so policies must perform any necessary 2383 access control checks themselves. If multiple policies are loaded, 2384 they will currently be unable to mediate calls to other policies. 2385 2386 @return In the event of an error, an appropriate value for errno 2387 should be returned, otherwise return 0 upon success. 2388*/ 2389typedef int mpo_policy_syscall_t( 2390 struct proc *p, 2391 int call, 2392 user_addr_t arg 2393); 2394/** 2395 @brief Access control check for POSIX semaphore create 2396 @param cred Subject credential 2397 @param name String name of the semaphore 2398 2399 Determine whether the subject identified by the credential can create 2400 a POSIX semaphore specified by name. 2401 2402 @return Return 0 if access is granted, otherwise an appropriate value for 2403 errno should be returned. 2404*/ 2405typedef int mpo_posixsem_check_create_t( 2406 kauth_cred_t cred, 2407 const char *name 2408); 2409/** 2410 @brief Access control check for POSIX semaphore open 2411 @param cred Subject credential 2412 @param ps Pointer to semaphore information structure 2413 @param semlabel Label associated with the semaphore 2414 2415 Determine whether the subject identified by the credential can open 2416 the named POSIX semaphore with label semlabel. 2417 2418 @return Return 0 if access is granted, otherwise an appropriate value for 2419 errno should be returned. 2420*/ 2421typedef int mpo_posixsem_check_open_t( 2422 kauth_cred_t cred, 2423 struct pseminfo *ps, 2424 struct label *semlabel 2425); 2426/** 2427 @brief Access control check for POSIX semaphore post 2428 @param cred Subject credential 2429 @param ps Pointer to semaphore information structure 2430 @param semlabel Label associated with the semaphore 2431 2432 Determine whether the subject identified by the credential can unlock 2433 the named POSIX semaphore with label semlabel. 2434 2435 @return Return 0 if access is granted, otherwise an appropriate value for 2436 errno should be returned. 2437*/ 2438typedef int mpo_posixsem_check_post_t( 2439 kauth_cred_t cred, 2440 struct pseminfo *ps, 2441 struct label *semlabel 2442); 2443/** 2444 @brief Access control check for POSIX semaphore unlink 2445 @param cred Subject credential 2446 @param ps Pointer to semaphore information structure 2447 @param semlabel Label associated with the semaphore 2448 @param name String name of the semaphore 2449 2450 Determine whether the subject identified by the credential can remove 2451 the named POSIX semaphore with label semlabel. 2452 2453 @return Return 0 if access is granted, otherwise an appropriate value for 2454 errno should be returned. 2455*/ 2456typedef int mpo_posixsem_check_unlink_t( 2457 kauth_cred_t cred, 2458 struct pseminfo *ps, 2459 struct label *semlabel, 2460 const char *name 2461); 2462/** 2463 @brief Access control check for POSIX semaphore wait 2464 @param cred Subject credential 2465 @param ps Pointer to semaphore information structure 2466 @param semlabel Label associated with the semaphore 2467 2468 Determine whether the subject identified by the credential can lock 2469 the named POSIX semaphore with label semlabel. 2470 2471 @return Return 0 if access is granted, otherwise an appropriate value for 2472 errno should be returned. 2473*/ 2474typedef int mpo_posixsem_check_wait_t( 2475 kauth_cred_t cred, 2476 struct pseminfo *ps, 2477 struct label *semlabel 2478); 2479/** 2480 @brief Create a POSIX semaphore label 2481 @param cred Subject credential 2482 @param ps Pointer to semaphore information structure 2483 @param semlabel Label to associate with the new semaphore 2484 @param name String name of the semaphore 2485 2486 Label a new POSIX semaphore. The label was previously 2487 initialized and associated with the semaphore. At this time, an 2488 appropriate initial label value should be assigned to the object and 2489 stored in semalabel. 2490*/ 2491typedef void mpo_posixsem_label_associate_t( 2492 kauth_cred_t cred, 2493 struct pseminfo *ps, 2494 struct label *semlabel, 2495 const char *name 2496); 2497/** 2498 @brief Destroy POSIX semaphore label 2499 @param label The label to be destroyed 2500 2501 Destroy a POSIX semaphore label. Since the object is 2502 going out of scope, policy modules should free any internal storage 2503 associated with the label so that it may be destroyed. 2504*/ 2505typedef void mpo_posixsem_label_destroy_t( 2506 struct label *label 2507); 2508/** 2509 @brief Initialize POSIX semaphore label 2510 @param label New label to initialize 2511 2512 Initialize the label for a newly instantiated POSIX semaphore. Sleeping 2513 is permitted. 2514*/ 2515typedef void mpo_posixsem_label_init_t( 2516 struct label *label 2517); 2518/** 2519 @brief Access control check for POSIX shared memory region create 2520 @param cred Subject credential 2521 @param name String name of the shared memory region 2522 2523 Determine whether the subject identified by the credential can create 2524 the POSIX shared memory region referenced by name. 2525 2526 @return Return 0 if access is granted, otherwise an appropriate value for 2527 errno should be returned. 2528*/ 2529typedef int mpo_posixshm_check_create_t( 2530 kauth_cred_t cred, 2531 const char *name 2532); 2533/** 2534 @brief Access control check for mapping POSIX shared memory 2535 @param cred Subject credential 2536 @param ps Pointer to shared memory information structure 2537 @param shmlabel Label associated with the shared memory region 2538 @param prot mmap protections; see mmap(2) 2539 @param flags shmat flags; see shmat(2) 2540 2541 Determine whether the subject identified by the credential can map 2542 the POSIX shared memory segment associated with shmlabel. 2543 2544 @return Return 0 if access is granted, otherwise an appropriate value for 2545 errno should be returned. 2546*/ 2547typedef int mpo_posixshm_check_mmap_t( 2548 kauth_cred_t cred, 2549 struct pshminfo *ps, 2550 struct label *shmlabel, 2551 int prot, 2552 int flags 2553); 2554/** 2555 @brief Access control check for POSIX shared memory region open 2556 @param cred Subject credential 2557 @param ps Pointer to shared memory information structure 2558 @param shmlabel Label associated with the shared memory region 2559 @param fflags shm_open(2) open flags ('fflags' encoded) 2560 2561 Determine whether the subject identified by the credential can open 2562 the POSIX shared memory region. 2563 2564 @return Return 0 if access is granted, otherwise an appropriate value for 2565 errno should be returned. 2566*/ 2567typedef int mpo_posixshm_check_open_t( 2568 kauth_cred_t cred, 2569 struct pshminfo *ps, 2570 struct label *shmlabel, 2571 int fflags 2572); 2573/** 2574 @brief Access control check for POSIX shared memory stat 2575 @param cred Subject credential 2576 @param ps Pointer to shared memory information structure 2577 @param shmlabel Label associated with the shared memory region 2578 2579 Determine whether the subject identified by the credential can obtain 2580 status for the POSIX shared memory segment associated with shmlabel. 2581 2582 @return Return 0 if access is granted, otherwise an appropriate value for 2583 errno should be returned. 2584*/ 2585typedef int mpo_posixshm_check_stat_t( 2586 kauth_cred_t cred, 2587 struct pshminfo *ps, 2588 struct label *shmlabel 2589); 2590/** 2591 @brief Access control check for POSIX shared memory truncate 2592 @param cred Subject credential 2593 @param ps Pointer to shared memory information structure 2594 @param shmlabel Label associated with the shared memory region 2595 @param len Length to truncate or extend shared memory segment 2596 2597 Determine whether the subject identified by the credential can truncate 2598 or extend (to len) the POSIX shared memory segment associated with shmlabel. 2599 2600 @return Return 0 if access is granted, otherwise an appropriate value for 2601 errno should be returned. 2602*/ 2603typedef int mpo_posixshm_check_truncate_t( 2604 kauth_cred_t cred, 2605 struct pshminfo *ps, 2606 struct label *shmlabel, 2607 off_t len 2608); 2609/** 2610 @brief Access control check for POSIX shared memory unlink 2611 @param cred Subject credential 2612 @param ps Pointer to shared memory information structure 2613 @param shmlabel Label associated with the shared memory region 2614 @param name String name of the shared memory region 2615 2616 Determine whether the subject identified by the credential can delete 2617 the POSIX shared memory segment associated with shmlabel. 2618 2619 @return Return 0 if access is granted, otherwise an appropriate value for 2620 errno should be returned. 2621*/ 2622typedef int mpo_posixshm_check_unlink_t( 2623 kauth_cred_t cred, 2624 struct pshminfo *ps, 2625 struct label *shmlabel, 2626 const char *name 2627); 2628/** 2629 @brief Create a POSIX shared memory region label 2630 @param cred Subject credential 2631 @param ps Pointer to shared memory information structure 2632 @param shmlabel Label to associate with the new shared memory region 2633 @param name String name of the shared memory region 2634 2635 Label a new POSIX shared memory region. The label was previously 2636 initialized and associated with the shared memory region. At this 2637 time, an appropriate initial label value should be assigned to the 2638 object and stored in shmlabel. 2639*/ 2640typedef void mpo_posixshm_label_associate_t( 2641 kauth_cred_t cred, 2642 struct pshminfo *ps, 2643 struct label *shmlabel, 2644 const char *name 2645); 2646/** 2647 @brief Destroy POSIX shared memory label 2648 @param label The label to be destroyed 2649 2650 Destroy a POSIX shared memory region label. Since the 2651 object is going out of scope, policy modules should free any 2652 internal storage associated with the label so that it may be 2653 destroyed. 2654*/ 2655typedef void mpo_posixshm_label_destroy_t( 2656 struct label *label 2657); 2658/** 2659 @brief Initialize POSIX Shared Memory region label 2660 @param label New label to initialize 2661 2662 Initialize the label for newly a instantiated POSIX Shared Memory 2663 region. Sleeping is permitted. 2664*/ 2665typedef void mpo_posixshm_label_init_t( 2666 struct label *label 2667); 2668/** 2669 @brief Access control check for privileged operations 2670 @param cred Subject credential 2671 @param priv Requested privilege (see sys/priv.h) 2672 2673 Determine whether the subject identified by the credential can perform 2674 a privileged operation. Privileged operations are allowed if the cred 2675 is the superuser or any policy returns zero for mpo_priv_grant, unless 2676 any policy returns nonzero for mpo_priv_check. 2677 2678 @return Return 0 if access is granted, otherwise EPERM should be returned. 2679*/ 2680typedef int mpo_priv_check_t( 2681 kauth_cred_t cred, 2682 int priv 2683); 2684/** 2685 @brief Grant regular users the ability to perform privileged operations 2686 @param cred Subject credential 2687 @param priv Requested privilege (see sys/priv.h) 2688 2689 Determine whether the subject identified by the credential should be 2690 allowed to perform a privileged operation that in the absense of any 2691 MAC policy it would not be able to perform. Privileged operations are 2692 allowed if the cred is the superuser or any policy returns zero for 2693 mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check. 2694 2695 Unlike other MAC hooks which can only reduce the privilege of a 2696 credential, this hook raises the privilege of a credential when it 2697 returns 0. Extreme care must be taken when implementing this hook to 2698 avoid undermining the security of the system. 2699 2700 @return Return 0 if additional privilege is granted, otherwise EPERM 2701 should be returned. 2702*/ 2703typedef int mpo_priv_grant_t( 2704 kauth_cred_t cred, 2705 int priv 2706); 2707/** 2708 @brief Access control check for debugging process 2709 @param cred Subject credential 2710 @param proc Object process 2711 2712 Determine whether the subject identified by the credential can debug 2713 the passed process. This call may be made in a number of situations, 2714 including use of the ptrace(2) and ktrace(2) APIs, as well as for some 2715 types of procfs operations. 2716 2717 @return Return 0 if access is granted, otherwise an appropriate value for 2718 errno should be returned. Suggested failure: EACCES for label mismatch, 2719 EPERM for lack of privilege, or ESRCH to hide visibility of the target. 2720*/ 2721typedef int mpo_proc_check_debug_t( 2722 kauth_cred_t cred, 2723 struct proc *proc 2724); 2725/** 2726 @brief Access control over fork 2727 @param cred Subject credential 2728 @param proc Subject process trying to fork 2729 2730 Determine whether the subject identified is allowed to fork. 2731 2732 @return Return 0 if access is granted, otherwise an appropriate value for 2733 errno should be returned. 2734*/ 2735typedef int mpo_proc_check_fork_t( 2736 kauth_cred_t cred, 2737 struct proc *proc 2738); 2739/** 2740 @brief Access control over pid_suspend and pid_resume 2741 @param cred Subject credential 2742 @param proc Subject process trying to run pid_suspend or pid_resume 2743 @param sr Call is suspend (0) or resume (1) 2744 2745 Determine whether the subject identified is allowed to suspend or resume 2746 other processes. 2747 2748 @return Return 0 if access is granted, otherwise an appropriate value for 2749 errno should be returned. 2750*/ 2751typedef int mpo_proc_check_suspend_resume_t( 2752 kauth_cred_t cred, 2753 struct proc *proc, 2754 int sr 2755); 2756/** 2757 @brief Access control check for retrieving audit information 2758 @param cred Subject credential 2759 2760 Determine whether the subject identified by the credential can get 2761 audit information such as the audit user ID, the preselection mask, 2762 the terminal ID and the audit session ID, using the getaudit() system call. 2763 2764 @return Return 0 if access is granted, otherwise an appropriate value for 2765 errno should be returned. 2766*/ 2767typedef int mpo_proc_check_getaudit_t( 2768 kauth_cred_t cred 2769); 2770/** 2771 @brief Access control check for retrieving audit user ID 2772 @param cred Subject credential 2773 2774 Determine whether the subject identified by the credential can get 2775 the user identity being used by the auditing system, using the getauid() 2776 system call. 2777 2778 @return Return 0 if access is granted, otherwise an appropriate value for 2779 errno should be returned. 2780*/ 2781typedef int mpo_proc_check_getauid_t( 2782 kauth_cred_t cred 2783); 2784/** 2785 @brief Access control check for retrieving Login Context ID 2786 @param p0 Calling process 2787 @param p Effected process 2788 @param pid syscall PID argument 2789 2790 Determine if getlcid(2) system call is permitted. 2791 2792 Information returned by this system call is similar to that returned via 2793 process listings etc. 2794 2795 @return Return 0 if access is granted, otherwise an appropriate value for 2796 errno should be returned. 2797*/ 2798typedef int mpo_proc_check_getlcid_t( 2799 struct proc *p0, 2800 struct proc *p, 2801 pid_t pid 2802); 2803/** 2804 @brief Access control check for retrieving ledger information 2805 @param cred Subject credential 2806 @param target Object process 2807 @param op ledger operation 2808 2809 Determine if ledger(2) system call is permitted. 2810 2811 Information returned by this system call is similar to that returned via 2812 process listings etc. 2813 2814 @return Return 0 if access is granted, otherwise an appropriate value for 2815 errno should be returned. 2816*/ 2817typedef int mpo_proc_check_ledger_t( 2818 kauth_cred_t cred, 2819 struct proc *target, 2820 int op 2821); 2822/** 2823 @brief Access control check for escaping default CPU usage monitor parameters. 2824 @param cred Subject credential 2825 2826 Determine if a credential has permission to program CPU usage monitor parameters 2827 that are less restrictive than the global system-wide defaults. 2828 2829 @return Return 0 if access is granted, otherwise an appropriate value for 2830 errno should be returned. 2831*/ 2832typedef int mpo_proc_check_cpumon_t( 2833 kauth_cred_t cred 2834); 2835/** 2836 @brief Access control check for retrieving process information. 2837 @param cred Subject credential 2838 @param target Target process (may be null, may be zombie) 2839 2840 Determine if a credential has permission to access process information as defined 2841 by call number and flavor on target process 2842 2843 @return Return 0 if access is granted, otherwise an appropriate value for 2844 errno should be returned. 2845*/ 2846typedef int mpo_proc_check_proc_info_t( 2847 kauth_cred_t cred, 2848 struct proc *target, 2849 int callnum, 2850 int flavor 2851); 2852/** 2853 @brief Access control check for mmap MAP_ANON 2854 @param proc User process requesting the memory 2855 @param cred Subject credential 2856 @param u_addr Start address of the memory range 2857 @param u_size Length address of the memory range 2858 @param prot mmap protections; see mmap(2) 2859 @param flags Type of mapped object; see mmap(2) 2860 @param maxprot Maximum rights 2861 2862 Determine whether the subject identified by the credential should be 2863 allowed to obtain anonymous memory using the specified flags and 2864 protections on the new mapping. MAP_ANON will always be present in the 2865 flags. Certain combinations of flags with a non-NULL addr may 2866 cause a mapping to be rejected before this hook is called. The maxprot field 2867 holds the maximum permissions on the new mapping, a combination of 2868 VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior 2869 access control checks, a policy should only remove flags from maxprot. 2870 2871 @return Return 0 if access is granted, otherwise an appropriate value for 2872 errno should be returned. Suggested failure: EPERM for lack of privilege. 2873*/ 2874typedef int mpo_proc_check_map_anon_t( 2875 struct proc *proc, 2876 kauth_cred_t cred, 2877 user_addr_t u_addr, 2878 user_size_t u_size, 2879 int prot, 2880 int flags, 2881 int *maxprot 2882); 2883/** 2884 @brief Access control check for setting memory protections 2885 @param cred Subject credential 2886 @param proc User process requesting the change 2887 @param addr Start address of the memory range 2888 @param size Length address of the memory range 2889 @param prot Memory protections, see mmap(2) 2890 2891 Determine whether the subject identified by the credential should 2892 be allowed to set the specified memory protections on memory mapped 2893 in the process proc. 2894 2895 @return Return 0 if access is granted, otherwise an appropriate value for 2896 errno should be returned. 2897*/ 2898typedef int mpo_proc_check_mprotect_t( 2899 kauth_cred_t cred, 2900 struct proc *proc, 2901 user_addr_t addr, 2902 user_size_t size, 2903 int prot 2904); 2905/** 2906 @brief Access control check for changing scheduling parameters 2907 @param cred Subject credential 2908 @param proc Object process 2909 2910 Determine whether the subject identified by the credential can change 2911 the scheduling parameters of the passed process. 2912 2913 @return Return 0 if access is granted, otherwise an appropriate value for 2914 errno should be returned. Suggested failure: EACCES for label mismatch, 2915 EPERM for lack of privilege, or ESRCH to limit visibility. 2916*/ 2917typedef int mpo_proc_check_sched_t( 2918 kauth_cred_t cred, 2919 struct proc *proc 2920); 2921/** 2922 @brief Access control check for setting audit information 2923 @param cred Subject credential 2924 @param ai Audit information 2925 2926 Determine whether the subject identified by the credential can set 2927 audit information such as the the preselection mask, the terminal ID 2928 and the audit session ID, using the setaudit() system call. 2929 2930 @return Return 0 if access is granted, otherwise an appropriate value for 2931 errno should be returned. 2932*/ 2933typedef int mpo_proc_check_setaudit_t( 2934 kauth_cred_t cred, 2935 struct auditinfo_addr *ai 2936); 2937/** 2938 @brief Access control check for setting audit user ID 2939 @param cred Subject credential 2940 @param auid Audit user ID 2941 2942 Determine whether the subject identified by the credential can set 2943 the user identity used by the auditing system, using the setauid() 2944 system call. 2945 2946 @return Return 0 if access is granted, otherwise an appropriate value for 2947 errno should be returned. 2948*/ 2949typedef int mpo_proc_check_setauid_t( 2950 kauth_cred_t cred, 2951 uid_t auid 2952); 2953/** 2954 @brief Access control check for setting the Login Context 2955 @param p0 Calling process 2956 @param p Effected process 2957 @param pid syscall PID argument 2958 @param lcid syscall LCID argument 2959 2960 Determine if setlcid(2) system call is permitted. 2961 2962 See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of 2963 decoding syscall arguments to determine action desired by caller. 2964 2965 Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN 2966 2967 @return Return 0 if access is granted, otherwise an appropriate value for 2968 errno should be returned. 2969*/ 2970typedef int mpo_proc_check_setlcid_t( 2971 struct proc *p0, 2972 struct proc *p, 2973 pid_t pid, 2974 pid_t lcid 2975); 2976/** 2977 @brief Access control check for delivering signal 2978 @param cred Subject credential 2979 @param proc Object process 2980 @param signum Signal number; see kill(2) 2981 2982 Determine whether the subject identified by the credential can deliver 2983 the passed signal to the passed process. 2984 2985 @warning Programs typically expect to be able to send and receive 2986 signals as part or their normal process lifecycle; caution should be 2987 exercised when implementing access controls over signal events. 2988 2989 @return Return 0 if access is granted, otherwise an appropriate value for 2990 errno should be returned. Suggested failure: EACCES for label mismatch, 2991 EPERM for lack of privilege, or ESRCH to limit visibility. 2992*/ 2993typedef int mpo_proc_check_signal_t( 2994 kauth_cred_t cred, 2995 struct proc *proc, 2996 int signum 2997); 2998/** 2999 @brief Access control check for wait 3000 @param cred Subject credential 3001 @param proc Object process 3002 3003 Determine whether the subject identified by the credential can wait 3004 for process termination. 3005 3006 @warning Caution should be exercised when implementing access 3007 controls for wait, since programs often wait for child processes to 3008 exit. Failure to be notified of a child process terminating may 3009 cause the parent process to hang, or may produce zombie processes. 3010 3011 @return Return 0 if access is granted, otherwise an appropriate value for 3012 errno should be returned. 3013*/ 3014typedef int mpo_proc_check_wait_t( 3015 kauth_cred_t cred, 3016 struct proc *proc 3017); 3018/** 3019 @brief Destroy process label 3020 @param label The label to be destroyed 3021 3022 Destroy a process label. Since the object is going 3023 out of scope, policy modules should free any internal storage 3024 associated with the label so that it may be destroyed. 3025*/ 3026typedef void mpo_proc_label_destroy_t( 3027 struct label *label 3028); 3029/** 3030 @brief Initialize process label 3031 @param label New label to initialize 3032 @see mpo_cred_label_init_t 3033 3034 Initialize the label for a newly instantiated BSD process structure. 3035 Normally, security policies will store the process label in the user 3036 credential rather than here in the process structure. However, 3037 there are some floating label policies that may need to temporarily 3038 store a label in the process structure until it is safe to update 3039 the user credential label. Sleeping is permitted. 3040*/ 3041typedef void mpo_proc_label_init_t( 3042 struct label *label 3043); 3044/** 3045 @brief Access control check for socket accept 3046 @param cred Subject credential 3047 @param socket Object socket 3048 @param socklabel Policy label for socket 3049 3050 Determine whether the subject identified by the credential can accept() 3051 a new connection on the socket from the host specified by addr. 3052 3053 @return Return 0 if access if granted, otherwise an appropriate 3054 value for errno should be returned. 3055*/ 3056typedef int mpo_socket_check_accept_t( 3057 kauth_cred_t cred, 3058 socket_t so, 3059 struct label *socklabel 3060); 3061/** 3062 @brief Access control check for a pending socket accept 3063 @param cred Subject credential 3064 @param so Object socket 3065 @param socklabel Policy label for socket 3066 @param addr Address of the listening socket (coming soon) 3067 3068 Determine whether the subject identified by the credential can accept() 3069 a pending connection on the socket from the host specified by addr. 3070 3071 @return Return 0 if access if granted, otherwise an appropriate 3072 value for errno should be returned. 3073*/ 3074typedef int mpo_socket_check_accepted_t( 3075 kauth_cred_t cred, 3076 socket_t so, 3077 struct label *socklabel, 3078 struct sockaddr *addr 3079); 3080/** 3081 @brief Access control check for socket bind 3082 @param cred Subject credential 3083 @param so Object socket 3084 @param socklabel Policy label for socket 3085 @param addr Name to assign to the socket 3086 3087 Determine whether the subject identified by the credential can bind() 3088 the name (addr) to the socket. 3089 3090 @return Return 0 if access if granted, otherwise an appropriate 3091 value for errno should be returned. 3092*/ 3093typedef int mpo_socket_check_bind_t( 3094 kauth_cred_t cred, 3095 socket_t so, 3096 struct label *socklabel, 3097 struct sockaddr *addr 3098); 3099/** 3100 @brief Access control check for socket connect 3101 @param cred Subject credential 3102 @param so Object socket 3103 @param socklabel Policy label for socket 3104 @param addr Name to assign to the socket 3105 3106 Determine whether the subject identified by the credential can 3107 connect() the passed socket to the remote host specified by addr. 3108 3109 @return Return 0 if access if granted, otherwise an appropriate 3110 value for errno should be returned. 3111*/ 3112typedef int mpo_socket_check_connect_t( 3113 kauth_cred_t cred, 3114 socket_t so, 3115 struct label *socklabel, 3116 struct sockaddr *addr 3117); 3118/** 3119 @brief Access control check for socket() system call. 3120 @param cred Subject credential 3121 @param domain communication domain 3122 @param type socket type 3123 @param protocol socket protocol 3124 3125 Determine whether the subject identified by the credential can 3126 make the socket() call. 3127 3128 @return Return 0 if access if granted, otherwise an appropriate 3129 value for errno should be returned. 3130*/ 3131typedef int mpo_socket_check_create_t( 3132 kauth_cred_t cred, 3133 int domain, 3134 int type, 3135 int protocol 3136); 3137/** 3138 @brief Access control check for delivering data to a user's receieve queue 3139 @param so The socket data is being delivered to 3140 @param so_label The label of so 3141 @param m The mbuf whose data will be deposited into the receive queue 3142 @param m_label The label of the sender of the data. 3143 3144 A socket has a queue for receiving incoming data. When a packet arrives 3145 on the wire, it eventually gets deposited into this queue, which the 3146 owner of the socket drains when they read from the socket's file descriptor. 3147 3148 This function determines whether the socket can receive data from 3149 the sender specified by m_label. 3150 3151 @warning There is an outstanding design issue surrounding the placement 3152 of this function. The check must be placed either before or after the 3153 TCP sequence and ACK counters are updated. Placing the check before 3154 the counters are updated causes the incoming packet to be resent by 3155 the remote if the check rejects it. Placing the check after the counters 3156 are updated results in a completely silent drop. As far as each TCP stack 3157 is concerned the packet was received, however, the data will not be in the 3158 socket's receive queue. Another consideration is that the current design 3159 requires using the "failed label" occasionally. In that case, on rejection, 3160 we want the remote TCP to resend the data. Because of this, we chose to 3161 place this check before the counters are updated, so rejected packets will be 3162 resent by the remote host. 3163 3164 If a policy keeps rejecting the same packet, eventually the connection will 3165 be dropped. Policies have several options if this design causes problems. 3166 For example, one options is to sanitize the mbuf such that it is acceptable, 3167 then accept it. That may require negotiation between policies as the 3168 Framework will not know to re-check the packet. 3169 3170 The policy must handle NULL MBUF labels. This will likely be the case 3171 for non-local TCP sockets for example. 3172 3173 @return Return 0 if access if granted, otherwise an appropriate 3174 value for errno should be returned. 3175*/ 3176typedef int mpo_socket_check_deliver_t( 3177 socket_t so, 3178 struct label *so_label, 3179 struct mbuf *m, 3180 struct label *m_label 3181); 3182/** 3183 @brief Access control check for socket kqfilter 3184 @param cred Subject credential 3185 @param kn Object knote 3186 @param so Object socket 3187 @param socklabel Policy label for socket 3188 3189 Determine whether the subject identified by the credential can 3190 receive the knote on the passed socket. 3191 3192 @return Return 0 if access if granted, otherwise an appropriate 3193 value for errno should be returned. 3194*/ 3195typedef int mpo_socket_check_kqfilter_t( 3196 kauth_cred_t cred, 3197 struct knote *kn, 3198 socket_t so, 3199 struct label *socklabel 3200); 3201/** 3202 @brief Access control check for socket relabel 3203 @param cred Subject credential 3204 @param so Object socket 3205 @param so_label The current label of so 3206 @param newlabel The label to be assigned to so 3207 3208 Determine whether the subject identified by the credential can 3209 change the label on the socket. 3210 3211 @return Return 0 if access if granted, otherwise an appropriate 3212 value for errno should be returned. 3213*/ 3214typedef int mpo_socket_check_label_update_t( 3215 kauth_cred_t cred, 3216 socket_t so, 3217 struct label *so_label, 3218 struct label *newlabel 3219); 3220/** 3221 @brief Access control check for socket listen 3222 @param cred Subject credential 3223 @param so Object socket 3224 @param socklabel Policy label for socket 3225 3226 Determine whether the subject identified by the credential can 3227 listen() on the passed socket. 3228 3229 @return Return 0 if access if granted, otherwise an appropriate 3230 value for errno should be returned. 3231*/ 3232typedef int mpo_socket_check_listen_t( 3233 kauth_cred_t cred, 3234 socket_t so, 3235 struct label *socklabel 3236); 3237/** 3238 @brief Access control check for socket receive 3239 @param cred Subject credential 3240 @param so Object socket 3241 @param socklabel Policy label for socket 3242 3243 Determine whether the subject identified by the credential can 3244 receive data from the socket. 3245 3246 @return Return 0 if access if granted, otherwise an appropriate 3247 value for errno should be returned. 3248*/ 3249typedef int mpo_socket_check_receive_t( 3250 kauth_cred_t cred, 3251 socket_t so, 3252 struct label *socklabel 3253); 3254 3255/** 3256 @brief Access control check for socket receive 3257 @param cred Subject credential 3258 @param socket Object socket 3259 @param socklabel Policy label for socket 3260 @param addr Name of the remote socket 3261 3262 Determine whether the subject identified by the credential can 3263 receive data from the remote host specified by addr. 3264 3265 @return Return 0 if access if granted, otherwise an appropriate 3266 value for errno should be returned. 3267*/ 3268typedef int mpo_socket_check_received_t( 3269 kauth_cred_t cred, 3270 struct socket *sock, 3271 struct label *socklabel, 3272 struct sockaddr *saddr 3273 ); 3274 3275 3276/** 3277 @brief Access control check for socket select 3278 @param cred Subject credential 3279 @param so Object socket 3280 @param socklabel Policy label for socket 3281 @param which The operation selected on: FREAD or FWRITE 3282 3283 Determine whether the subject identified by the credential can use the 3284 socket in a call to select(). 3285 3286 @return Return 0 if access if granted, otherwise an appropriate 3287 value for errno should be returned. 3288*/ 3289typedef int mpo_socket_check_select_t( 3290 kauth_cred_t cred, 3291 socket_t so, 3292 struct label *socklabel, 3293 int which 3294); 3295/** 3296 @brief Access control check for socket send 3297 @param cred Subject credential 3298 @param so Object socket 3299 @param socklabel Policy label for socket 3300 @param addr Address being sent to 3301 3302 Determine whether the subject identified by the credential can send 3303 data to the socket. 3304 3305 @return Return 0 if access if granted, otherwise an appropriate 3306 value for errno should be returned. 3307*/ 3308typedef int mpo_socket_check_send_t( 3309 kauth_cred_t cred, 3310 socket_t so, 3311 struct label *socklabel, 3312 struct sockaddr *addr 3313); 3314/** 3315 @brief Access control check for retrieving socket status 3316 @param cred Subject credential 3317 @param so Object socket 3318 @param socklabel Policy label for so 3319 3320 Determine whether the subject identified by the credential can 3321 execute the stat() system call on the given socket. 3322 3323 @return Return 0 if access if granted, otherwise an appropriate 3324 value for errno should be returned. 3325*/ 3326typedef int mpo_socket_check_stat_t( 3327 kauth_cred_t cred, 3328 socket_t so, 3329 struct label *socklabel 3330); 3331/** 3332 @brief Access control check for setting socket options 3333 @param cred Subject credential 3334 @param so Object socket 3335 @param socklabel Policy label for so 3336 @param sopt The options being set 3337 3338 Determine whether the subject identified by the credential can 3339 execute the setsockopt system call on the given socket. 3340 3341 @return Return 0 if access if granted, otherwise an appropriate 3342 value for errno should be returned. 3343*/ 3344typedef int mpo_socket_check_setsockopt_t( 3345 kauth_cred_t cred, 3346 socket_t so, 3347 struct label *socklabel, 3348 struct sockopt *sopt 3349); 3350/** 3351 @brief Access control check for getting socket options 3352 @param cred Subject credential 3353 @param so Object socket 3354 @param socklabel Policy label for so 3355 @param sopt The options to get 3356 3357 Determine whether the subject identified by the credential can 3358 execute the getsockopt system call on the given socket. 3359 3360 @return Return 0 if access if granted, otherwise an appropriate 3361 value for errno should be returned. 3362*/ 3363typedef int mpo_socket_check_getsockopt_t( 3364 kauth_cred_t cred, 3365 socket_t so, 3366 struct label *socklabel, 3367 struct sockopt *sopt 3368); 3369/** 3370 @brief Label a socket 3371 @param oldsock Listening socket 3372 @param oldlabel Policy label associated with oldsock 3373 @param newsock New socket 3374 @param newlabel Policy label associated with newsock 3375 3376 A new socket is created when a connection is accept(2)ed. This 3377 function labels the new socket based on the existing listen(2)ing 3378 socket. 3379*/ 3380typedef void mpo_socket_label_associate_accept_t( 3381 socket_t oldsock, 3382 struct label *oldlabel, 3383 socket_t newsock, 3384 struct label *newlabel 3385); 3386/** 3387 @brief Assign a label to a new socket 3388 @param cred Credential of the owning process 3389 @param so The socket being labeled 3390 @param solabel The label 3391 @warning cred can be NULL 3392 3393 Set the label on a newly created socket from the passed subject 3394 credential. This call is made when a socket is created. The 3395 credentials may be null if the socket is being created by the 3396 kernel. 3397*/ 3398typedef void mpo_socket_label_associate_t( 3399 kauth_cred_t cred, 3400 socket_t so, 3401 struct label *solabel 3402); 3403/** 3404 @brief Copy a socket label 3405 @param src Source label 3406 @param dest Destination label 3407 3408 Copy the socket label information in src into dest. 3409*/ 3410typedef void mpo_socket_label_copy_t( 3411 struct label *src, 3412 struct label *dest 3413); 3414/** 3415 @brief Destroy socket label 3416 @param label The label to be destroyed 3417 3418 Destroy a socket label. Since the object is going out of 3419 scope, policy modules should free any internal storage associated 3420 with the label so that it may be destroyed. 3421*/ 3422typedef void mpo_socket_label_destroy_t( 3423 struct label *label 3424); 3425/** 3426 @brief Externalize a socket label 3427 @param label Label to be externalized 3428 @param element_name Name of the label namespace for which labels should be 3429 externalized 3430 @param sb String buffer to be filled with a text representation of label 3431 3432 Produce an externalized socket label based on the label structure passed. 3433 An externalized label consists of a text representation of the label 3434 contents that can be used with userland applications and read by the 3435 user. If element_name does not match a namespace managed by the policy, 3436 simply return 0. Only return nonzero if an error occurs while externalizing 3437 the label data. 3438 3439 @return In the event of an error, an appropriate value for errno 3440 should be returned, otherwise return 0 upon success. 3441*/ 3442typedef int mpo_socket_label_externalize_t( 3443 struct label *label, 3444 char *element_name, 3445 struct sbuf *sb 3446); 3447/** 3448 @brief Initialize socket label 3449 @param label New label to initialize 3450 @param waitok Malloc flags 3451 3452 Initialize the label of a newly instantiated socket. The waitok 3453 field may be one of M_WAITOK and M_NOWAIT, and should be employed to 3454 avoid performing a sleeping malloc(9) during this initialization 3455 call. It it not always safe to sleep during this entry point. 3456 3457 @warning Since it is possible for the waitok flags to be set to 3458 M_NOWAIT, the malloc operation may fail. 3459 3460 @return In the event of an error, an appropriate value for errno 3461 should be returned, otherwise return 0 upon success. 3462*/ 3463typedef int mpo_socket_label_init_t( 3464 struct label *label, 3465 int waitok 3466); 3467/** 3468 @brief Internalize a socket label 3469 @param label Label to be filled in 3470 @param element_name Name of the label namespace for which the label should 3471 be internalized 3472 @param element_data Text data to be internalized 3473 3474 Produce an internal socket label structure based on externalized label 3475 data in text format. 3476 3477 The policy's internalize entry points will be called only if the 3478 policy has registered interest in the label namespace. 3479 3480 @return In the event of an error, an appropriate value for errno 3481 should be returned, otherwise return 0 upon success. 3482*/ 3483typedef int mpo_socket_label_internalize_t( 3484 struct label *label, 3485 char *element_name, 3486 char *element_data 3487); 3488/** 3489 @brief Relabel socket 3490 @param cred Subject credential 3491 @param so Object; socket 3492 @param so_label Current label of the socket 3493 @param newlabel The label to be assigned to so 3494 3495 The subject identified by the credential has previously requested 3496 and was authorized to relabel the socket; this entry point allows 3497 policies to perform the actual label update operation. 3498 3499 @warning XXX This entry point will likely change in future versions. 3500*/ 3501typedef void mpo_socket_label_update_t( 3502 kauth_cred_t cred, 3503 socket_t so, 3504 struct label *so_label, 3505 struct label *newlabel 3506); 3507/** 3508 @brief Set the peer label on a socket from mbuf 3509 @param m Mbuf chain received on socket so 3510 @param m_label Label for m 3511 @param so Current label for the socket 3512 @param so_label Policy label to be filled out for the socket 3513 3514 Set the peer label of a socket based on the label of the sender of the 3515 mbuf. 3516 3517 This is called for every TCP/IP packet received. The first call for a given 3518 socket operates on a newly initialized label, and subsequent calls operate 3519 on existing label data. 3520 3521 @warning Because this can affect performance significantly, it has 3522 different sematics than other 'set' operations. Typically, 'set' operations 3523 operate on newly initialzed labels and policies do not need to worry about 3524 clobbering existing values. In this case, it is too inefficient to 3525 initialize and destroy a label every time data is received for the socket. 3526 Instead, it is up to the policies to determine how to replace the label data. 3527 Most policies should be able to replace the data inline. 3528*/ 3529typedef void mpo_socketpeer_label_associate_mbuf_t( 3530 struct mbuf *m, 3531 struct label *m_label, 3532 socket_t so, 3533 struct label *so_label 3534); 3535/** 3536 @brief Set the peer label on a socket from socket 3537 @param source Local socket 3538 @param sourcelabel Policy label for source 3539 @param target Peer socket 3540 @param targetlabel Policy label to fill in for target 3541 3542 Set the peer label on a stream UNIX domain socket from the passed 3543 remote socket endpoint. This call will be made when the socket pair 3544 is connected, and will be made for both endpoints. 3545 3546 Note that this call is only made on connection; it is currently not updated 3547 during communication. 3548*/ 3549typedef void mpo_socketpeer_label_associate_socket_t( 3550 socket_t source, 3551 struct label *sourcelabel, 3552 socket_t target, 3553 struct label *targetlabel 3554); 3555/** 3556 @brief Destroy socket peer label 3557 @param label The peer label to be destroyed 3558 3559 Destroy a socket peer label. Since the object is going out of 3560 scope, policy modules should free any internal storage associated 3561 with the label so that it may be destroyed. 3562*/ 3563typedef void mpo_socketpeer_label_destroy_t( 3564 struct label *label 3565); 3566/** 3567 @brief Externalize a socket peer label 3568 @param label Label to be externalized 3569 @param element_name Name of the label namespace for which labels should be 3570 externalized 3571 @param sb String buffer to be filled with a text representation of label 3572 3573 Produce an externalized socket peer label based on the label structure 3574 passed. An externalized label consists of a text representation of the 3575 label contents that can be used with userland applications and read by the 3576 user. If element_name does not match a namespace managed by the policy, 3577 simply return 0. Only return nonzero if an error occurs while externalizing 3578 the label data. 3579 3580 @return In the event of an error, an appropriate value for errno 3581 should be returned, otherwise return 0 upon success. 3582*/ 3583typedef int mpo_socketpeer_label_externalize_t( 3584 struct label *label, 3585 char *element_name, 3586 struct sbuf *sb 3587); 3588/** 3589 @brief Initialize socket peer label 3590 @param label New label to initialize 3591 @param waitok Malloc flags 3592 3593 Initialize the peer label of a newly instantiated socket. The 3594 waitok field may be one of M_WAITOK and M_NOWAIT, and should be 3595 employed to avoid performing a sleeping malloc(9) during this 3596 initialization call. It it not always safe to sleep during this 3597 entry point. 3598 3599 @warning Since it is possible for the waitok flags to be set to 3600 M_NOWAIT, the malloc operation may fail. 3601 3602 @return In the event of an error, an appropriate value for errno 3603 should be returned, otherwise return 0 upon success. 3604*/ 3605typedef int mpo_socketpeer_label_init_t( 3606 struct label *label, 3607 int waitok 3608); 3609/** 3610 @brief Access control check for enabling accounting 3611 @param cred Subject credential 3612 @param vp Accounting file 3613 @param vlabel Label associated with vp 3614 3615 Determine whether the subject should be allowed to enable accounting, 3616 based on its label and the label of the accounting log file. See 3617 acct(5) for more information. 3618 3619 As accounting is disabled by passing NULL to the acct(2) system call, 3620 the policy should be prepared for both 'vp' and 'vlabel' to be NULL. 3621 3622 @return Return 0 if access is granted, otherwise an appropriate value for 3623 errno should be returned. 3624*/ 3625typedef int mpo_system_check_acct_t( 3626 kauth_cred_t cred, 3627 struct vnode *vp, 3628 struct label *vlabel 3629); 3630/** 3631 @brief Access control check for audit 3632 @param cred Subject credential 3633 @param record Audit record 3634 @param length Audit record length 3635 3636 Determine whether the subject identified by the credential can submit 3637 an audit record for inclusion in the audit log via the audit() system call. 3638 3639 @return Return 0 if access is granted, otherwise an appropriate value for 3640 errno should be returned. 3641*/ 3642typedef int mpo_system_check_audit_t( 3643 kauth_cred_t cred, 3644 void *record, 3645 int length 3646); 3647/** 3648 @brief Access control check for controlling audit 3649 @param cred Subject credential 3650 @param vp Audit file 3651 @param vl Label associated with vp 3652 3653 Determine whether the subject should be allowed to enable auditing using 3654 the auditctl() system call, based on its label and the label of the proposed 3655 audit file. 3656 3657 @return Return 0 if access is granted, otherwise an appropriate value for 3658 errno should be returned. 3659*/ 3660typedef int mpo_system_check_auditctl_t( 3661 kauth_cred_t cred, 3662 struct vnode *vp, 3663 struct label *vl 3664); 3665/** 3666 @brief Access control check for manipulating auditing 3667 @param cred Subject credential 3668 @param cmd Audit control command 3669 3670 Determine whether the subject identified by the credential can perform 3671 the audit subsystem control operation cmd via the auditon() system call. 3672 3673 @return Return 0 if access is granted, otherwise an appropriate value for 3674 errno should be returned. 3675*/ 3676typedef int mpo_system_check_auditon_t( 3677 kauth_cred_t cred, 3678 int cmd 3679); 3680/** 3681 @brief Access control check for using CHUD facilities 3682 @param cred Subject credential 3683 3684 Determine whether the subject identified by the credential can perform 3685 performance-related tasks using the CHUD system call. 3686 3687 @return Return 0 if access is granted, otherwise an appropriate value for 3688 errno should be returned. 3689*/ 3690typedef int mpo_system_check_chud_t( 3691 kauth_cred_t cred 3692); 3693/** 3694 @brief Access control check for obtaining the host control port 3695 @param cred Subject credential 3696 3697 Determine whether the subject identified by the credential can 3698 obtain the host control port. 3699 3700 @return Return 0 if access is granted, or non-zero otherwise. 3701*/ 3702typedef int mpo_system_check_host_priv_t( 3703 kauth_cred_t cred 3704); 3705/** 3706 @brief Access control check for obtaining system information 3707 @param cred Subject credential 3708 @param info_type A description of the information requested 3709 3710 Determine whether the subject identified by the credential should be 3711 allowed to obtain information about the system. 3712 3713 This is a generic hook that can be used in a variety of situations where 3714 information is being returned that might be considered sensitive. 3715 Rather than adding a new MAC hook for every such interface, this hook can 3716 be called with a string identifying the type of information requested. 3717 3718 @return Return 0 if access is granted, otherwise an appropriate value for 3719 errno should be returned. 3720*/ 3721typedef int mpo_system_check_info_t( 3722 kauth_cred_t cred, 3723 const char *info_type 3724); 3725/** 3726 @brief Access control check for calling NFS services 3727 @param cred Subject credential 3728 3729 Determine whether the subject identified by the credential should be 3730 allowed to call nfssrv(2). 3731 3732 @return Return 0 if access is granted, otherwise an appropriate value for 3733 errno should be returned. 3734*/ 3735typedef int mpo_system_check_nfsd_t( 3736 kauth_cred_t cred 3737); 3738/** 3739 @brief Access control check for reboot 3740 @param cred Subject credential 3741 @param howto howto parameter from reboot(2) 3742 3743 Determine whether the subject identified by the credential should be 3744 allowed to reboot the system in the specified manner. 3745 3746 @return Return 0 if access is granted, otherwise an appropriate value for 3747 errno should be returned. 3748*/ 3749typedef int mpo_system_check_reboot_t( 3750 kauth_cred_t cred, 3751 int howto 3752); 3753/** 3754 @brief Access control check for setting system clock 3755 @param cred Subject credential 3756 3757 Determine whether the subject identified by the credential should be 3758 allowed to set the system clock. 3759 3760 @return Return 0 if access is granted, otherwise an appropriate value for 3761 errno should be returned. 3762*/ 3763typedef int mpo_system_check_settime_t( 3764 kauth_cred_t cred 3765); 3766/** 3767 @brief Access control check for removing swap devices 3768 @param cred Subject credential 3769 @param vp Swap device 3770 @param label Label associated with vp 3771 3772 Determine whether the subject identified by the credential should be 3773 allowed to remove vp as a swap device. 3774 3775 @return Return 0 if access is granted, otherwise an appropriate value for 3776 errno should be returned. 3777*/ 3778typedef int mpo_system_check_swapoff_t( 3779 kauth_cred_t cred, 3780 struct vnode *vp, 3781 struct label *label 3782); 3783/** 3784 @brief Access control check for adding swap devices 3785 @param cred Subject credential 3786 @param vp Swap device 3787 @param label Label associated with vp 3788 3789 Determine whether the subject identified by the credential should be 3790 allowed to add vp as a swap device. 3791 3792 @return Return 0 if access is granted, otherwise an appropriate value for 3793 errno should be returned. 3794*/ 3795typedef int mpo_system_check_swapon_t( 3796 kauth_cred_t cred, 3797 struct vnode *vp, 3798 struct label *label 3799); 3800/** 3801 @brief Access control check for sysctl 3802 @param cred Subject credential 3803 @param namestring String representation of sysctl name. 3804 @param name Integer name; see sysctl(3) 3805 @param namelen Length of name array of integers; see sysctl(3) 3806 @param old 0 or address where to store old value; see sysctl(3) 3807 @param oldlen Length of old buffer; see sysctl(3) 3808 @param newvalue 0 or address of new value; see sysctl(3) 3809 @param newlen Length of new buffer; see sysctl(3) 3810 3811 Determine whether the subject identified by the credential should be 3812 allowed to make the specified sysctl(3) transaction. 3813 3814 The sysctl(3) call specifies that if the old value is not desired, 3815 oldp and oldlenp should be set to NULL. Likewise, if a new value is 3816 not to be set, newp should be set to NULL and newlen set to 0. 3817 3818 @return Return 0 if access is granted, otherwise an appropriate value for 3819 errno should be returned. 3820*/ 3821typedef int mpo_system_check_sysctlbyname_t( 3822 kauth_cred_t cred, 3823 const char *namestring, 3824 int *name, 3825 u_int namelen, 3826 user_addr_t old, /* NULLOK */ 3827 size_t oldlen, 3828 user_addr_t newvalue, /* NULLOK */ 3829 size_t newlen 3830); 3831/** 3832 @brief Access control check for kas_info 3833 @param cred Subject credential 3834 @param selector Category of information to return. See kas_info.h 3835 3836 Determine whether the subject identified by the credential can perform 3837 introspection of the kernel address space layout for 3838 debugging/performance analysis. 3839 3840 @return Return 0 if access is granted, otherwise an appropriate value for 3841 errno should be returned. 3842*/ 3843typedef int mpo_system_check_kas_info_t( 3844 kauth_cred_t cred, 3845 int selector 3846); 3847/** 3848 @brief Create a System V message label 3849 @param cred Subject credential 3850 @param msqkptr The message queue the message will be placed in 3851 @param msqlabel The label of the message queue 3852 @param msgptr The message 3853 @param msglabel The label of the message 3854 3855 Label the message as its placed in the message queue. 3856*/ 3857typedef void mpo_sysvmsg_label_associate_t( 3858 kauth_cred_t cred, 3859 struct msqid_kernel *msqptr, 3860 struct label *msqlabel, 3861 struct msg *msgptr, 3862 struct label *msglabel 3863); 3864/** 3865 @brief Destroy System V message label 3866 @param label The label to be destroyed 3867 3868 Destroy a System V message label. Since the object is 3869 going out of scope, policy modules should free any internal storage 3870 associated with the label so that it may be destroyed. 3871*/ 3872typedef void mpo_sysvmsg_label_destroy_t( 3873 struct label *label 3874); 3875/** 3876 @brief Initialize System V message label 3877 @param label New label to initialize 3878 3879 Initialize the label for a newly instantiated System V message. 3880*/ 3881typedef void mpo_sysvmsg_label_init_t( 3882 struct label *label 3883); 3884/** 3885 @brief Clean up a System V message label 3886 @param label The label to be destroyed 3887 3888 Clean up a System V message label. Darwin pre-allocates 3889 messages at system boot time and re-uses them rather than 3890 allocating new ones. Before messages are returned to the "free 3891 pool", policies can cleanup or overwrite any information present in 3892 the label. 3893*/ 3894typedef void mpo_sysvmsg_label_recycle_t( 3895 struct label *label 3896); 3897/** 3898 @brief Access control check for System V message enqueuing 3899 @param cred Subject credential 3900 @param msgptr The message 3901 @param msglabel The message's label 3902 @param msqkptr The message queue 3903 @param msqlabel The message queue's label 3904 3905 Determine whether the subject identified by the credential can add the 3906 given message to the given message queue. 3907 3908 @return Return 0 if access is granted, otherwise an appropriate value for 3909 errno should be returned. 3910*/ 3911typedef int mpo_sysvmsq_check_enqueue_t( 3912 kauth_cred_t cred, 3913 struct msg *msgptr, 3914 struct label *msglabel, 3915 struct msqid_kernel *msqptr, 3916 struct label *msqlabel 3917); 3918/** 3919 @brief Access control check for System V message reception 3920 @param cred The credential of the intended recipient 3921 @param msgptr The message 3922 @param msglabel The message's label 3923 3924 Determine whether the subject identified by the credential can receive 3925 the given message. 3926 3927 @return Return 0 if access is granted, otherwise an appropriate value for 3928 errno should be returned. 3929*/ 3930typedef int mpo_sysvmsq_check_msgrcv_t( 3931 kauth_cred_t cred, 3932 struct msg *msgptr, 3933 struct label *msglabel 3934); 3935/** 3936 @brief Access control check for System V message queue removal 3937 @param cred The credential of the caller 3938 @param msgptr The message 3939 @param msglabel The message's label 3940 3941 System V message queues are removed using the msgctl() system call. 3942 The system will iterate over each messsage in the queue, calling this 3943 function for each, to determine whether the caller has the appropriate 3944 credentials. 3945 3946 @return Return 0 if access is granted, otherwise an appropriate value for 3947 errno should be returned. 3948*/ 3949typedef int mpo_sysvmsq_check_msgrmid_t( 3950 kauth_cred_t cred, 3951 struct msg *msgptr, 3952 struct label *msglabel 3953); 3954/** 3955 @brief Access control check for msgctl() 3956 @param cred The credential of the caller 3957 @param msqptr The message queue 3958 @param msqlabel The message queue's label 3959 3960 This access check is performed to validate calls to msgctl(). 3961 3962 @return Return 0 if access is granted, otherwise an appropriate value for 3963 errno should be returned. 3964*/ 3965typedef int mpo_sysvmsq_check_msqctl_t( 3966 kauth_cred_t cred, 3967 struct msqid_kernel *msqptr, 3968 struct label *msqlabel, 3969 int cmd 3970); 3971/** 3972 @brief Access control check to get a System V message queue 3973 @param cred The credential of the caller 3974 @param msqptr The message queue requested 3975 @param msqlabel The message queue's label 3976 3977 On a call to msgget(), if the queue requested already exists, 3978 and it is a public queue, this check will be performed before the 3979 queue's ID is returned to the user. 3980 3981 @return Return 0 if access is granted, otherwise an appropriate value for 3982 errno should be returned. 3983*/ 3984typedef int mpo_sysvmsq_check_msqget_t( 3985 kauth_cred_t cred, 3986 struct msqid_kernel *msqptr, 3987 struct label *msqlabel 3988); 3989/** 3990 @brief Access control check to receive a System V message from the given queue 3991 @param cred The credential of the caller 3992 @param msqptr The message queue to receive from 3993 @param msqlabel The message queue's label 3994 3995 On a call to msgrcv(), this check is performed to determine whether the 3996 caller has receive rights on the given queue. 3997 3998 @return Return 0 if access is granted, otherwise an appropriate value for 3999 errno should be returned. 4000*/ 4001typedef int mpo_sysvmsq_check_msqrcv_t( 4002 kauth_cred_t cred, 4003 struct msqid_kernel *msqptr, 4004 struct label *msqlabel 4005); 4006/** 4007 @brief Access control check to send a System V message to the given queue 4008 @param cred The credential of the caller 4009 @param msqptr The message queue to send to 4010 @param msqlabel The message queue's label 4011 4012 On a call to msgsnd(), this check is performed to determine whether the 4013 caller has send rights on the given queue. 4014 4015 @return Return 0 if access is granted, otherwise an appropriate value for 4016 errno should be returned. 4017*/ 4018typedef int mpo_sysvmsq_check_msqsnd_t( 4019 kauth_cred_t cred, 4020 struct msqid_kernel *msqptr, 4021 struct label *msqlabel 4022); 4023/** 4024 @brief Create a System V message queue label 4025 @param cred Subject credential 4026 @param msqkptr The message queue 4027 @param msqlabel The label of the message queue 4028 4029*/ 4030typedef void mpo_sysvmsq_label_associate_t( 4031 kauth_cred_t cred, 4032 struct msqid_kernel *msqptr, 4033 struct label *msqlabel 4034); 4035/** 4036 @brief Destroy System V message queue label 4037 @param label The label to be destroyed 4038 4039 Destroy a System V message queue label. Since the object is 4040 going out of scope, policy modules should free any internal storage 4041 associated with the label so that it may be destroyed. 4042*/ 4043typedef void mpo_sysvmsq_label_destroy_t( 4044 struct label *label 4045); 4046/** 4047 @brief Initialize System V message queue label 4048 @param label New label to initialize 4049 4050 Initialize the label for a newly instantiated System V message queue. 4051*/ 4052typedef void mpo_sysvmsq_label_init_t( 4053 struct label *label 4054); 4055/** 4056 @brief Clean up a System V message queue label 4057 @param label The label to be destroyed 4058 4059 Clean up a System V message queue label. Darwin pre-allocates 4060 message queues at system boot time and re-uses them rather than 4061 allocating new ones. Before message queues are returned to the "free 4062 pool", policies can cleanup or overwrite any information present in 4063 the label. 4064*/ 4065typedef void mpo_sysvmsq_label_recycle_t( 4066 struct label *label 4067); 4068/** 4069 @brief Access control check for System V semaphore control operation 4070 @param cred Subject credential 4071 @param semakptr Pointer to semaphore identifier 4072 @param semaklabel Label associated with semaphore 4073 @param cmd Control operation to be performed; see semctl(2) 4074 4075 Determine whether the subject identified by the credential can perform 4076 the operation indicated by cmd on the System V semaphore semakptr. 4077 4078 @return Return 0 if access is granted, otherwise an appropriate value for 4079 errno should be returned. 4080*/ 4081typedef int mpo_sysvsem_check_semctl_t( 4082 kauth_cred_t cred, 4083 struct semid_kernel *semakptr, 4084 struct label *semaklabel, 4085 int cmd 4086); 4087/** 4088 @brief Access control check for obtaining a System V semaphore 4089 @param cred Subject credential 4090 @param semakptr Pointer to semaphore identifier 4091 @param semaklabel Label to associate with the semaphore 4092 4093 Determine whether the subject identified by the credential can 4094 obtain a System V semaphore. 4095 4096 @return Return 0 if access is granted, otherwise an appropriate value for 4097 errno should be returned. 4098*/ 4099typedef int mpo_sysvsem_check_semget_t( 4100 kauth_cred_t cred, 4101 struct semid_kernel *semakptr, 4102 struct label *semaklabel 4103); 4104/** 4105 @brief Access control check for System V semaphore operations 4106 @param cred Subject credential 4107 @param semakptr Pointer to semaphore identifier 4108 @param semaklabel Label associated with the semaphore 4109 @param accesstype Flags to indicate access (read and/or write) 4110 4111 Determine whether the subject identified by the credential can 4112 perform the operations on the System V semaphore indicated by 4113 semakptr. The accesstype flags hold the maximum set of permissions 4114 from the sem_op array passed to the semop system call. It may 4115 contain SEM_R for read-only operations or SEM_A for read/write 4116 operations. 4117 4118 @return Return 0 if access is granted, otherwise an appropriate value for 4119 errno should be returned. 4120*/ 4121typedef int mpo_sysvsem_check_semop_t( 4122 kauth_cred_t cred, 4123 struct semid_kernel *semakptr, 4124 struct label *semaklabel, 4125 size_t accesstype 4126); 4127/** 4128 @brief Create a System V semaphore label 4129 @param cred Subject credential 4130 @param semakptr The semaphore being created 4131 @param semalabel Label to associate with the new semaphore 4132 4133 Label a new System V semaphore. The label was previously 4134 initialized and associated with the semaphore. At this time, an 4135 appropriate initial label value should be assigned to the object and 4136 stored in semalabel. 4137*/ 4138typedef void mpo_sysvsem_label_associate_t( 4139 kauth_cred_t cred, 4140 struct semid_kernel *semakptr, 4141 struct label *semalabel 4142); 4143/** 4144 @brief Destroy System V semaphore label 4145 @param label The label to be destroyed 4146 4147 Destroy a System V semaphore label. Since the object is 4148 going out of scope, policy modules should free any internal storage 4149 associated with the label so that it may be destroyed. 4150*/ 4151typedef void mpo_sysvsem_label_destroy_t( 4152 struct label *label 4153); 4154/** 4155 @brief Initialize System V semaphore label 4156 @param label New label to initialize 4157 4158 Initialize the label for a newly instantiated System V semaphore. Sleeping 4159 is permitted. 4160*/ 4161typedef void mpo_sysvsem_label_init_t( 4162 struct label *label 4163); 4164/** 4165 @brief Clean up a System V semaphore label 4166 @param label The label to be cleaned 4167 4168 Clean up a System V semaphore label. Darwin pre-allocates 4169 semaphores at system boot time and re-uses them rather than 4170 allocating new ones. Before semaphores are returned to the "free 4171 pool", policies can cleanup or overwrite any information present in 4172 the label. 4173*/ 4174typedef void mpo_sysvsem_label_recycle_t( 4175 struct label *label 4176); 4177/** 4178 @brief Access control check for mapping System V shared memory 4179 @param cred Subject credential 4180 @param shmsegptr Pointer to shared memory segment identifier 4181 @param shmseglabel Label associated with the shared memory segment 4182 @param shmflg shmat flags; see shmat(2) 4183 4184 Determine whether the subject identified by the credential can map 4185 the System V shared memory segment associated with shmsegptr. 4186 4187 @return Return 0 if access is granted, otherwise an appropriate value for 4188 errno should be returned. 4189*/ 4190typedef int mpo_sysvshm_check_shmat_t( 4191 kauth_cred_t cred, 4192 struct shmid_kernel *shmsegptr, 4193 struct label *shmseglabel, 4194 int shmflg 4195); 4196/** 4197 @brief Access control check for System V shared memory control operation 4198 @param cred Subject credential 4199 @param shmsegptr Pointer to shared memory segment identifier 4200 @param shmseglabel Label associated with the shared memory segment 4201 @param cmd Control operation to be performed; see shmctl(2) 4202 4203 Determine whether the subject identified by the credential can perform 4204 the operation indicated by cmd on the System V shared memory segment 4205 shmsegptr. 4206 4207 @return Return 0 if access is granted, otherwise an appropriate value for 4208 errno should be returned. 4209*/ 4210typedef int mpo_sysvshm_check_shmctl_t( 4211 kauth_cred_t cred, 4212 struct shmid_kernel *shmsegptr, 4213 struct label *shmseglabel, 4214 int cmd 4215); 4216/** 4217 @brief Access control check for unmapping System V shared memory 4218 @param cred Subject credential 4219 @param shmsegptr Pointer to shared memory segment identifier 4220 @param shmseglabel Label associated with the shared memory segment 4221 4222 Determine whether the subject identified by the credential can unmap 4223 the System V shared memory segment associated with shmsegptr. 4224 4225 @return Return 0 if access is granted, otherwise an appropriate value for 4226 errno should be returned. 4227*/ 4228typedef int mpo_sysvshm_check_shmdt_t( 4229 kauth_cred_t cred, 4230 struct shmid_kernel *shmsegptr, 4231 struct label *shmseglabel 4232); 4233/** 4234 @brief Access control check obtaining System V shared memory identifier 4235 @param cred Subject credential 4236 @param shmsegptr Pointer to shared memory segment identifier 4237 @param shmseglabel Label associated with the shared memory segment 4238 @param shmflg shmget flags; see shmget(2) 4239 4240 Determine whether the subject identified by the credential can get 4241 the System V shared memory segment address. 4242 4243 @return Return 0 if access is granted, otherwise an appropriate value for 4244 errno should be returned. 4245*/ 4246typedef int mpo_sysvshm_check_shmget_t( 4247 kauth_cred_t cred, 4248 struct shmid_kernel *shmsegptr, 4249 struct label *shmseglabel, 4250 int shmflg 4251); 4252/** 4253 @brief Create a System V shared memory region label 4254 @param cred Subject credential 4255 @param shmsegptr The shared memory region being created 4256 @param shmlabel Label to associate with the new shared memory region 4257 4258 Label a new System V shared memory region. The label was previously 4259 initialized and associated with the shared memory region. At this 4260 time, an appropriate initial label value should be assigned to the 4261 object and stored in shmlabel. 4262*/ 4263typedef void mpo_sysvshm_label_associate_t( 4264 kauth_cred_t cred, 4265 struct shmid_kernel *shmsegptr, 4266 struct label *shmlabel 4267); 4268/** 4269 @brief Destroy System V shared memory label 4270 @param label The label to be destroyed 4271 4272 Destroy a System V shared memory region label. Since the 4273 object is going out of scope, policy modules should free any 4274 internal storage associated with the label so that it may be 4275 destroyed. 4276*/ 4277typedef void mpo_sysvshm_label_destroy_t( 4278 struct label *label 4279); 4280/** 4281 @brief Initialize System V Shared Memory region label 4282 @param label New label to initialize 4283 4284 Initialize the label for a newly instantiated System V Shared Memory 4285 region. Sleeping is permitted. 4286*/ 4287typedef void mpo_sysvshm_label_init_t( 4288 struct label *label 4289); 4290/** 4291 @brief Clean up a System V Share Memory Region label 4292 @param shmlabel The label to be cleaned 4293 4294 Clean up a System V Shared Memory Region label. Darwin 4295 pre-allocates these objects at system boot time and re-uses them 4296 rather than allocating new ones. Before the memory regions are 4297 returned to the "free pool", policies can cleanup or overwrite any 4298 information present in the label. 4299*/ 4300typedef void mpo_sysvshm_label_recycle_t( 4301 struct label *shmlabel 4302); 4303/** 4304 @brief Access control check for getting a process's task name 4305 @param cred Subject credential 4306 @param proc Object process 4307 4308 Determine whether the subject identified by the credential can get 4309 the passed process's task name port. 4310 This call is used by the task_name_for_pid(2) API. 4311 4312 @return Return 0 if access is granted, otherwise an appropriate value for 4313 errno should be returned. Suggested failure: EACCES for label mismatch, 4314 EPERM for lack of privilege, or ESRCH to hide visibility of the target. 4315*/ 4316typedef int mpo_proc_check_get_task_name_t( 4317 kauth_cred_t cred, 4318 struct proc *p 4319); 4320/** 4321 @brief Access control check for getting a process's task port 4322 @param cred Subject credential 4323 @param proc Object process 4324 4325 Determine whether the subject identified by the credential can get 4326 the passed process's task control port. 4327 This call is used by the task_for_pid(2) API. 4328 4329 @return Return 0 if access is granted, otherwise an appropriate value for 4330 errno should be returned. Suggested failure: EACCES for label mismatch, 4331 EPERM for lack of privilege, or ESRCH to hide visibility of the target. 4332*/ 4333typedef int mpo_proc_check_get_task_t( 4334 kauth_cred_t cred, 4335 struct proc *p 4336); 4337 4338/** 4339 @brief Check whether task's IPC may inherit across process exec 4340 @param proc current process instance 4341 @param cur_vp vnode pointer to current instance 4342 @param cur_offset offset of binary of currently executing image 4343 @param img_vp vnode pointer to to be exec'ed image 4344 @param img_offset offset into file which is selected for execution 4345 @param scriptvp vnode pointer of script file if any. 4346 @return Return 0 if access is granted. 4347 EPERM if parent does not have any entitlements. 4348 EACCESS if mismatch in entitlements 4349*/ 4350typedef int mpo_proc_check_inherit_ipc_ports_t( 4351 struct proc *p, 4352 struct vnode *cur_vp, 4353 off_t cur_offset, 4354 struct vnode *img_vp, 4355 off_t img_offset, 4356 struct vnode *scriptvp 4357); 4358 4359/** 4360 @brief Privilege check for a process to run invalid 4361 @param proc Object process 4362 4363 Determine whether the process may execute even though the system determined 4364 that it is untrusted (eg unidentified / modified code). 4365 4366 @return Return 0 if access is granted, otherwise an appropriate value for 4367 errno should be returned. 4368 */ 4369typedef int mac_proc_check_run_cs_invalid_t( 4370 struct proc *p 4371); 4372 4373/** 4374 @brief Perform MAC-related events when a thread returns to user space 4375 @param thread Mach (not BSD) thread that is returning 4376 4377 This entry point permits policy modules to perform MAC-related 4378 events when a thread returns to user space, via a system call 4379 return or trap return. 4380*/ 4381typedef void mpo_thread_userret_t( 4382 struct thread *thread 4383); 4384/** 4385 @brief Initialize per thread label 4386 @param label New label to initialize 4387 4388 Initialize the label for a newly instantiated thread. 4389 Sleeping is permitted. 4390*/ 4391typedef void mpo_thread_label_init_t( 4392 struct label *label 4393); 4394/** 4395 @brief Destroy thread label 4396 @param label The label to be destroyed 4397 4398 Destroy a user thread label. Since the user thread 4399 is going out of scope, policy modules should free any internal 4400 storage associated with the label so that it may be destroyed. 4401*/ 4402typedef void mpo_thread_label_destroy_t( 4403 struct label *label 4404); 4405/** 4406 @brief Check vnode access 4407 @param cred Subject credential 4408 @param vp Object vnode 4409 @param label Label for vp 4410 @param acc_mode access(2) flags 4411 4412 Determine how invocations of access(2) and related calls by the 4413 subject identified by the credential should return when performed 4414 on the passed vnode using the passed access flags. This should 4415 generally be implemented using the same semantics used in 4416 mpo_vnode_check_open. 4417 4418 @return Return 0 if access is granted, otherwise an appropriate value for 4419 errno should be returned. Suggested failure: EACCES for label mismatch or 4420 EPERM for lack of privilege. 4421*/ 4422typedef int mpo_vnode_check_access_t( 4423 kauth_cred_t cred, 4424 struct vnode *vp, 4425 struct label *label, 4426 int acc_mode 4427); 4428/** 4429 @brief Access control check for changing working directory 4430 @param cred Subject credential 4431 @param dvp Object; vnode to chdir(2) into 4432 @param dlabel Policy label for dvp 4433 4434 Determine whether the subject identified by the credential can change 4435 the process working directory to the passed vnode. 4436 4437 @return Return 0 if access is granted, otherwise an appropriate value for 4438 errno should be returned. Suggested failure: EACCES for label mismatch or 4439 EPERM for lack of privilege. 4440*/ 4441typedef int mpo_vnode_check_chdir_t( 4442 kauth_cred_t cred, 4443 struct vnode *dvp, 4444 struct label *dlabel 4445); 4446/** 4447 @brief Access control check for changing root directory 4448 @param cred Subject credential 4449 @param dvp Directory vnode 4450 @param dlabel Policy label associated with dvp 4451 @param cnp Component name for dvp 4452 4453 Determine whether the subject identified by the credential should be 4454 allowed to chroot(2) into the specified directory (dvp). 4455 4456 @return In the event of an error, an appropriate value for errno 4457 should be returned, otherwise return 0 upon success. 4458*/ 4459typedef int mpo_vnode_check_chroot_t( 4460 kauth_cred_t cred, 4461 struct vnode *dvp, 4462 struct label *dlabel, 4463 struct componentname *cnp 4464); 4465/** 4466 @brief Access control check for creating vnode 4467 @param cred Subject credential 4468 @param dvp Directory vnode 4469 @param dlabel Policy label for dvp 4470 @param cnp Component name for dvp 4471 @param vap vnode attributes for vap 4472 4473 Determine whether the subject identified by the credential can create 4474 a vnode with the passed parent directory, passed name information, 4475 and passed attribute information. This call may be made in a number of 4476 situations, including as a result of calls to open(2) with O_CREAT, 4477 mknod(2), mkfifo(2), and others. 4478 4479 @return Return 0 if access is granted, otherwise an appropriate value for 4480 errno should be returned. Suggested failure: EACCES for label mismatch or 4481 EPERM for lack of privilege. 4482*/ 4483typedef int mpo_vnode_check_create_t( 4484 kauth_cred_t cred, 4485 struct vnode *dvp, 4486 struct label *dlabel, 4487 struct componentname *cnp, 4488 struct vnode_attr *vap 4489); 4490/** 4491 @brief Access control check for deleting extended attribute 4492 @param cred Subject credential 4493 @param vp Object vnode 4494 @param vlabel Label associated with vp 4495 @param name Extended attribute name 4496 4497 Determine whether the subject identified by the credential can delete 4498 the extended attribute from the passed vnode. 4499 4500 @return Return 0 if access is granted, otherwise an appropriate value for 4501 errno should be returned. Suggested failure: EACCES for label mismatch or 4502 EPERM for lack of privilege. 4503*/ 4504typedef int mpo_vnode_check_deleteextattr_t( 4505 kauth_cred_t cred, 4506 struct vnode *vp, 4507 struct label *vlabel, 4508 const char *name 4509); 4510/** 4511 @brief Access control check for exchanging file data 4512 @param cred Subject credential 4513 @param v1 vnode 1 to swap 4514 @param vl1 Policy label for v1 4515 @param v2 vnode 2 to swap 4516 @param vl2 Policy label for v2 4517 4518 Determine whether the subject identified by the credential can swap the data 4519 in the two supplied vnodes. 4520 4521 @return Return 0 if access is granted, otherwise an appropriate value for 4522 errno should be returned. Suggested failure: EACCES for label mismatch or 4523 EPERM for lack of privilege. 4524*/ 4525typedef int mpo_vnode_check_exchangedata_t( 4526 kauth_cred_t cred, 4527 struct vnode *v1, 4528 struct label *vl1, 4529 struct vnode *v2, 4530 struct label *vl2 4531); 4532/** 4533 @brief Access control check for executing the vnode 4534 @param cred Subject credential 4535 @param vp Object vnode to execute 4536 @param scriptvp Script being executed by interpreter, if any. 4537 @param vnodelabel Label corresponding to vp 4538 @param scriptvnodelabel Script vnode label 4539 @param execlabel Userspace provided execution label 4540 @param cnp Component name for file being executed 4541 @param macpolicyattr MAC policy-specific spawn attribute data. 4542 @param macpolicyattrlen Length of policy-specific spawn attribute data. 4543 4544 Determine whether the subject identified by the credential can execute 4545 the passed vnode. Determination of execute privilege is made separately 4546 from decisions about any process label transitioning event. 4547 4548 The final label, execlabel, corresponds to a label supplied by a 4549 user space application through the use of the mac_execve system call. 4550 This label will be NULL if the user application uses the the vendor 4551 execve(2) call instead of the MAC Framework mac_execve() call. 4552 4553 @return Return 0 if access is granted, otherwise an appropriate value for 4554 errno should be returned. Suggested failure: EACCES for label mismatch or 4555 EPERM for lack of privilege. 4556*/ 4557typedef int mpo_vnode_check_exec_t( 4558 kauth_cred_t cred, 4559 struct vnode *vp, 4560 struct vnode *scriptvp, 4561 struct label *vnodelabel, 4562 struct label *scriptlabel, 4563 struct label *execlabel, /* NULLOK */ 4564 struct componentname *cnp, 4565 u_int *csflags, 4566 void *macpolicyattr, 4567 size_t macpolicyattrlen 4568); 4569/** 4570 @brief Access control check for fsgetpath 4571 @param cred Subject credential 4572 @param vp Vnode for which a path will be returned 4573 @param label Label associated with the vnode 4574 4575 Determine whether the subject identified by the credential can get the path 4576 of the given vnode with fsgetpath. 4577 4578 @return Return 0 if access is granted, otherwise an appropriate value for 4579 errno should be returned. 4580*/ 4581typedef int mpo_vnode_check_fsgetpath_t( 4582 kauth_cred_t cred, 4583 struct vnode *vp, 4584 struct label *label 4585); 4586/** 4587 @brief Access control check after determining the code directory hash 4588 */ 4589typedef int mpo_vnode_check_signature_t(struct vnode *vp, struct label *label, 4590 off_t macho_offset, unsigned char *sha1, 4591 const void *signature, int size, 4592 int *is_platform_binary); 4593 4594/** 4595 @brief Access control check for retrieving file attributes 4596 @param cred Subject credential 4597 @param vp Object vnode 4598 @param vlabel Policy label for vp 4599 @param alist List of attributes to retrieve 4600 4601 Determine whether the subject identified by the credential can read 4602 various attributes of the specified vnode, or the filesystem or volume on 4603 which that vnode resides. See <sys/attr.h> for definitions of the 4604 attributes. 4605 4606 @return Return 0 if access is granted, otherwise an appropriate value for 4607 errno should be returned. Suggested failure: EACCES for label mismatch or 4608 EPERM for lack of privilege. Access control covers all attributes requested 4609 with this call; the security policy is not permitted to change the set of 4610 attributes requested. 4611*/ 4612typedef int mpo_vnode_check_getattrlist_t( 4613 kauth_cred_t cred, 4614 struct vnode *vp, 4615 struct label *vlabel, 4616 struct attrlist *alist 4617); 4618/** 4619 @brief Access control check for retrieving an extended attribute 4620 @param cred Subject credential 4621 @param vp Object vnode 4622 @param label Policy label for vp 4623 @param name Extended attribute name 4624 @param uio I/O structure pointer 4625 4626 Determine whether the subject identified by the credential can retrieve 4627 the extended attribute from the passed vnode. The uio parameter 4628 will be NULL when the getxattr(2) call has been made with a NULL data 4629 value; this is done to request the size of the data only. 4630 4631 @return Return 0 if access is granted, otherwise an appropriate value for 4632 errno should be returned. Suggested failure: EACCES for label mismatch or 4633 EPERM for lack of privilege. 4634*/ 4635typedef int mpo_vnode_check_getextattr_t( 4636 kauth_cred_t cred, 4637 struct vnode *vp, 4638 struct label *label, /* NULLOK */ 4639 const char *name, 4640 struct uio *uio /* NULLOK */ 4641); 4642/** 4643 @brief Access control check for ioctl 4644 @param cred Subject credential 4645 @param vp Object vnode 4646 @param label Policy label for vp 4647 @param com Device-dependent request code; see ioctl(2) 4648 4649 Determine whether the subject identified by the credential can perform 4650 the ioctl operation indicated by com. 4651 4652 @warning Since ioctl data is opaque from the standpoint of the MAC 4653 framework, and since ioctls can affect many aspects of system 4654 operation, policies must exercise extreme care when implementing 4655 access control checks. 4656 4657 @return Return 0 if access is granted, otherwise an appropriate value for 4658 errno should be returned. 4659*/ 4660typedef int mpo_vnode_check_ioctl_t( 4661 kauth_cred_t cred, 4662 struct vnode *vp, 4663 struct label *label, 4664 unsigned int cmd 4665); 4666/** 4667 @brief Access control check for vnode kqfilter 4668 @param cred Subject credential 4669 @param kn Object knote 4670 @param vp Object vnode 4671 @param label Policy label for vp 4672 4673 Determine whether the subject identified by the credential can 4674 receive the knote on the passed vnode. 4675 4676 @return Return 0 if access if granted, otherwise an appropriate 4677 value for errno should be returned. 4678*/ 4679typedef int mpo_vnode_check_kqfilter_t( 4680 kauth_cred_t active_cred, 4681 kauth_cred_t file_cred, /* NULLOK */ 4682 struct knote *kn, 4683 struct vnode *vp, 4684 struct label *label 4685); 4686/** 4687 @brief Access control check for relabel 4688 @param cred Subject credential 4689 @param vp Object vnode 4690 @param vnodelabel Existing policy label for vp 4691 @param newlabel Policy label update to later be applied to vp 4692 @see mpo_relable_vnode_t 4693 4694 Determine whether the subject identified by the credential can relabel 4695 the passed vnode to the passed label update. If all policies permit 4696 the label change, the actual relabel entry point (mpo_vnode_label_update) 4697 will follow. 4698 4699 @return Return 0 if access is granted, otherwise an appropriate value for 4700 errno should be returned. 4701*/ 4702typedef int mpo_vnode_check_label_update_t( 4703 struct ucred *cred, 4704 struct vnode *vp, 4705 struct label *vnodelabel, 4706 struct label *newlabel 4707); 4708/** 4709 @brief Access control check for creating link 4710 @param cred Subject credential 4711 @param dvp Directory vnode 4712 @param dlabel Policy label associated with dvp 4713 @param vp Link destination vnode 4714 @param label Policy label associated with vp 4715 @param cnp Component name for the link being created 4716 4717 Determine whether the subject identified by the credential should be 4718 allowed to create a link to the vnode vp with the name specified by cnp. 4719 4720 @return Return 0 if access is granted, otherwise an appropriate value for 4721 errno should be returned. 4722*/ 4723typedef int mpo_vnode_check_link_t( 4724 kauth_cred_t cred, 4725 struct vnode *dvp, 4726 struct label *dlabel, 4727 struct vnode *vp, 4728 struct label *label, 4729 struct componentname *cnp 4730); 4731/** 4732 @brief Access control check for listing extended attributes 4733 @param cred Subject credential 4734 @param vp Object vnode 4735 @param vlabel Policy label associated with vp 4736 4737 Determine whether the subject identified by the credential can retrieve 4738 a list of named extended attributes from a vnode. 4739 4740 @return Return 0 if access is granted, otherwise an appropriate value for 4741 errno should be returned. 4742*/ 4743typedef int mpo_vnode_check_listextattr_t( 4744 kauth_cred_t cred, 4745 struct vnode *vp, 4746 struct label *vlabel 4747); 4748/** 4749 @brief Access control check for lookup 4750 @param cred Subject credential 4751 @param dvp Object vnode 4752 @param dlabel Policy label for dvp 4753 @param cnp Component name being looked up 4754 4755 Determine whether the subject identified by the credential can perform 4756 a lookup in the passed directory vnode for the passed name (cnp). 4757 4758 @return Return 0 if access is granted, otherwise an appropriate value for 4759 errno should be returned. Suggested failure: EACCES for label mismatch or 4760 EPERM for lack of privilege. 4761*/ 4762typedef int mpo_vnode_check_lookup_t( 4763 kauth_cred_t cred, 4764 struct vnode *dvp, 4765 struct label *dlabel, 4766 struct componentname *cnp 4767); 4768/** 4769 @brief Access control check for open 4770 @param cred Subject credential 4771 @param vp Object vnode 4772 @param label Policy label associated with vp 4773 @param acc_mode open(2) access mode 4774 4775 Determine whether the subject identified by the credential can perform 4776 an open operation on the passed vnode with the passed access mode. 4777 4778 @return Return 0 if access is granted, otherwise an appropriate value for 4779 errno should be returned. Suggested failure: EACCES for label mismatch or 4780 EPERM for lack of privilege. 4781*/ 4782typedef int mpo_vnode_check_open_t( 4783 kauth_cred_t cred, 4784 struct vnode *vp, 4785 struct label *label, 4786 int acc_mode 4787); 4788/** 4789 @brief Access control check for read 4790 @param active_cred Subject credential 4791 @param file_cred Credential associated with the struct fileproc 4792 @param vp Object vnode 4793 @param label Policy label for vp 4794 4795 Determine whether the subject identified by the credential can perform 4796 a read operation on the passed vnode. The active_cred hold the credentials 4797 of the subject performing the operation, and file_cred holds the 4798 credentials of the subject that originally opened the file. 4799 4800 @return Return 0 if access is granted, otherwise an appropriate value for 4801 errno should be returned. Suggested failure: EACCES for label mismatch or 4802 EPERM for lack of privilege. 4803*/ 4804typedef int mpo_vnode_check_read_t( 4805 kauth_cred_t active_cred, /* SUBJECT */ 4806 kauth_cred_t file_cred, /* NULLOK */ 4807 struct vnode *vp, /* OBJECT */ 4808 struct label *label /* LABEL */ 4809); 4810/** 4811 @brief Access control check for read directory 4812 @param cred Subject credential 4813 @param dvp Object directory vnode 4814 @param dlabel Policy label for dvp 4815 4816 Determine whether the subject identified by the credential can 4817 perform a readdir operation on the passed directory vnode. 4818 4819 @return Return 0 if access is granted, otherwise an appropriate value for 4820 errno should be returned. Suggested failure: EACCES for label mismatch or 4821 EPERM for lack of privilege. 4822*/ 4823typedef int mpo_vnode_check_readdir_t( 4824 kauth_cred_t cred, /* SUBJECT */ 4825 struct vnode *dvp, /* OBJECT */ 4826 struct label *dlabel /* LABEL */ 4827); 4828/** 4829 @brief Access control check for read link 4830 @param cred Subject credential 4831 @param vp Object vnode 4832 @param label Policy label for vp 4833 4834 Determine whether the subject identified by the credential can perform 4835 a readlink operation on the passed symlink vnode. This call can be made 4836 in a number of situations, including an explicit readlink call by the 4837 user process, or as a result of an implicit readlink during a name 4838 lookup by the process. 4839 4840 @return Return 0 if access is granted, otherwise an appropriate value for 4841 errno should be returned. Suggested failure: EACCES for label mismatch or 4842 EPERM for lack of privilege. 4843*/ 4844typedef int mpo_vnode_check_readlink_t( 4845 kauth_cred_t cred, 4846 struct vnode *vp, 4847 struct label *label 4848); 4849/** 4850 @brief Access control check for rename 4851 @param cred Subject credential 4852 @param dvp Directory vnode 4853 @param dlabel Policy label associated with dvp 4854 @param vp vnode to be renamed 4855 @param label Policy label associated with vp 4856 @param cnp Component name for vp 4857 @param tdvp Destination directory vnode 4858 @param tdlabel Policy label associated with tdvp 4859 @param tvp Overwritten vnode 4860 @param tlabel Policy label associated with tvp 4861 @param tcnp Destination component name 4862 4863 Determine whether the subject identified by the credential should be allowed 4864 to rename the vnode vp to something else. 4865 4866 @return Return 0 if access is granted, otherwise an appropriate value for 4867 errno should be returned. 4868*/ 4869typedef int mpo_vnode_check_rename_t( 4870 kauth_cred_t cred, 4871 struct vnode *dvp, 4872 struct label *dlabel, 4873 struct vnode *vp, 4874 struct label *label, 4875 struct componentname *cnp, 4876 struct vnode *tdvp, 4877 struct label *tdlabel, 4878 struct vnode *tvp, 4879 struct label *tlabel, 4880 struct componentname *tcnp 4881); 4882/** 4883 @brief Access control check for rename from 4884 @param cred Subject credential 4885 @param dvp Directory vnode 4886 @param dlabel Policy label associated with dvp 4887 @param vp vnode to be renamed 4888 @param label Policy label associated with vp 4889 @param cnp Component name for vp 4890 @see mpo_vnode_check_rename_t 4891 @see mpo_vnode_check_rename_to_t 4892 4893 Determine whether the subject identified by the credential should be 4894 allowed to rename the vnode vp to something else. 4895 4896 Due to VFS locking constraints (to make sure proper vnode locks are 4897 held during this entry point), the vnode relabel checks had to be 4898 split into two parts: relabel_from and relabel to. 4899 4900 This hook is deprecated, mpo_vnode_check_rename_t should be used instead. 4901 4902 @return Return 0 if access is granted, otherwise an appropriate value for 4903 errno should be returned. 4904*/ 4905typedef int mpo_vnode_check_rename_from_t( 4906 kauth_cred_t cred, 4907 struct vnode *dvp, 4908 struct label *dlabel, 4909 struct vnode *vp, 4910 struct label *label, 4911 struct componentname *cnp 4912); 4913/** 4914 @brief Access control check for rename to 4915 @param cred Subject credential 4916 @param dvp Directory vnode 4917 @param dlabel Policy label associated with dvp 4918 @param vp Overwritten vnode 4919 @param label Policy label associated with vp 4920 @param samedir Boolean; 1 if the source and destination directories are the same 4921 @param cnp Destination component name 4922 @see mpo_vnode_check_rename_t 4923 @see mpo_vnode_check_rename_from_t 4924 4925 Determine whether the subject identified by the credential should be 4926 allowed to rename to the vnode vp, into the directory dvp, or to the 4927 name represented by cnp. If there is no existing file to overwrite, 4928 vp and label will be NULL. 4929 4930 Due to VFS locking constraints (to make sure proper vnode locks are 4931 held during this entry point), the vnode relabel checks had to be 4932 split into two parts: relabel_from and relabel to. 4933 4934 This hook is deprecated, mpo_vnode_check_rename_t should be used instead. 4935 4936 @return Return 0 if access is granted, otherwise an appropriate value for 4937 errno should be returned. 4938*/ 4939typedef int mpo_vnode_check_rename_to_t( 4940 kauth_cred_t cred, 4941 struct vnode *dvp, 4942 struct label *dlabel, 4943 struct vnode *vp, /* NULLOK */ 4944 struct label *label, /* NULLOK */ 4945 int samedir, 4946 struct componentname *cnp 4947); 4948/** 4949 @brief Access control check for revoke 4950 @param cred Subject credential 4951 @param vp Object vnode 4952 @param label Policy label for vp 4953 4954 Determine whether the subject identified by the credential can revoke 4955 access to the passed vnode. 4956 4957 @return Return 0 if access is granted, otherwise an appropriate value for 4958 errno should be returned. Suggested failure: EACCES for label mismatch or 4959 EPERM for lack of privilege. 4960*/ 4961typedef int mpo_vnode_check_revoke_t( 4962 kauth_cred_t cred, 4963 struct vnode *vp, 4964 struct label *label 4965); 4966/** 4967 @brief Access control check for searchfs 4968 @param cred Subject credential 4969 @param vp Object vnode 4970 @param vlabel Policy label for vp 4971 @param alist List of attributes used as search criteria 4972 4973 Determine whether the subject identified by the credential can search the 4974 vnode using the searchfs system call. 4975 4976 @return Return 0 if access is granted, otherwise an appropriate value for 4977 errno should be returned. 4978*/ 4979typedef int mpo_vnode_check_searchfs_t( 4980 kauth_cred_t cred, 4981 struct vnode *vp, 4982 struct label *vlabel, 4983 struct attrlist *alist 4984); 4985/** 4986 @brief Access control check for select 4987 @param cred Subject credential 4988 @param vp Object vnode 4989 @param label Policy label for vp 4990 @param which The operation selected on: FREAD or FWRITE 4991 4992 Determine whether the subject identified by the credential can select 4993 the vnode. 4994 4995 @return Return 0 if access is granted, otherwise an appropriate value for 4996 errno should be returned. 4997*/ 4998typedef int mpo_vnode_check_select_t( 4999 kauth_cred_t cred, 5000 struct vnode *vp, 5001 struct label *label, 5002 int which 5003); 5004/** 5005 @brief Access control check for setting file attributes 5006 @param cred Subject credential 5007 @param vp Object vnode 5008 @param vlabel Policy label for vp 5009 @param alist List of attributes to set 5010 5011 Determine whether the subject identified by the credential can set 5012 various attributes of the specified vnode, or the filesystem or volume on 5013 which that vnode resides. See <sys/attr.h> for definitions of the 5014 attributes. 5015 5016 @return Return 0 if access is granted, otherwise an appropriate value for 5017 errno should be returned. Suggested failure: EACCES for label mismatch or 5018 EPERM for lack of privilege. Access control covers all attributes requested 5019 with this call. 5020*/ 5021typedef int mpo_vnode_check_setattrlist_t( 5022 kauth_cred_t cred, 5023 struct vnode *vp, 5024 struct label *vlabel, 5025 struct attrlist *alist 5026); 5027/** 5028 @brief Access control check for setting extended attribute 5029 @param cred Subject credential 5030 @param vp Object vnode 5031 @param label Policy label for vp 5032 @param name Extended attribute name 5033 @param uio I/O structure pointer 5034 5035 Determine whether the subject identified by the credential can set the 5036 extended attribute of passed name and passed namespace on the passed 5037 vnode. Policies implementing security labels backed into extended 5038 attributes may want to provide additional protections for those 5039 attributes. Additionally, policies should avoid making decisions based 5040 on the data referenced from uio, as there is a potential race condition 5041 between this check and the actual operation. The uio may also be NULL 5042 if a delete operation is being performed. 5043 5044 @return Return 0 if access is granted, otherwise an appropriate value for 5045 errno should be returned. Suggested failure: EACCES for label mismatch or 5046 EPERM for lack of privilege. 5047*/ 5048typedef int mpo_vnode_check_setextattr_t( 5049 kauth_cred_t cred, 5050 struct vnode *vp, 5051 struct label *label, 5052 const char *name, 5053 struct uio *uio 5054); 5055/** 5056 @brief Access control check for setting flags 5057 @param cred Subject credential 5058 @param vp Object vnode 5059 @param label Policy label for vp 5060 @param flags File flags; see chflags(2) 5061 5062 Determine whether the subject identified by the credential can set 5063 the passed flags on the passed vnode. 5064 5065 @return Return 0 if access is granted, otherwise an appropriate value for 5066 errno should be returned. Suggested failure: EACCES for label mismatch or 5067 EPERM for lack of privilege. 5068*/ 5069typedef int mpo_vnode_check_setflags_t( 5070 kauth_cred_t cred, 5071 struct vnode *vp, 5072 struct label *label, 5073 u_long flags 5074); 5075/** 5076 @brief Access control check for setting mode 5077 @param cred Subject credential 5078 @param vp Object vnode 5079 @param label Policy label for vp 5080 @param mode File mode; see chmod(2) 5081 5082 Determine whether the subject identified by the credential can set 5083 the passed mode on the passed vnode. 5084 5085 @return Return 0 if access is granted, otherwise an appropriate value for 5086 errno should be returned. Suggested failure: EACCES for label mismatch or 5087 EPERM for lack of privilege. 5088*/ 5089typedef int mpo_vnode_check_setmode_t( 5090 kauth_cred_t cred, 5091 struct vnode *vp, 5092 struct label *label, 5093 mode_t mode 5094); 5095/** 5096 @brief Access control check for setting uid and gid 5097 @param cred Subject credential 5098 @param vp Object vnode 5099 @param label Policy label for vp 5100 @param uid User ID 5101 @param gid Group ID 5102 5103 Determine whether the subject identified by the credential can set 5104 the passed uid and passed gid as file uid and file gid on the passed 5105 vnode. The IDs may be set to (-1) to request no update. 5106 5107 @return Return 0 if access is granted, otherwise an appropriate value for 5108 errno should be returned. Suggested failure: EACCES for label mismatch or 5109 EPERM for lack of privilege. 5110*/ 5111typedef int mpo_vnode_check_setowner_t( 5112 kauth_cred_t cred, 5113 struct vnode *vp, 5114 struct label *label, 5115 uid_t uid, 5116 gid_t gid 5117); 5118/** 5119 @brief Access control check for setting timestamps 5120 @param cred Subject credential 5121 @param vp Object vnode 5122 @param label Policy label for vp 5123 @param atime Access time; see utimes(2) 5124 @param mtime Modification time; see utimes(2) 5125 5126 Determine whether the subject identified by the credential can set 5127 the passed access timestamps on the passed vnode. 5128 5129 @return Return 0 if access is granted, otherwise an appropriate value for 5130 errno should be returned. Suggested failure: EACCES for label mismatch or 5131 EPERM for lack of privilege. 5132*/ 5133typedef int mpo_vnode_check_setutimes_t( 5134 kauth_cred_t cred, 5135 struct vnode *vp, 5136 struct label *label, 5137 struct timespec atime, 5138 struct timespec mtime 5139); 5140/** 5141 @brief Access control check for stat 5142 @param active_cred Subject credential 5143 @param file_cred Credential associated with the struct fileproc 5144 @param vp Object vnode 5145 @param label Policy label for vp 5146 5147 Determine whether the subject identified by the credential can stat 5148 the passed vnode. See stat(2) for more information. The active_cred 5149 hold the credentials of the subject performing the operation, and 5150 file_cred holds the credentials of the subject that originally 5151 opened the file. 5152 5153 @return Return 0 if access is granted, otherwise an appropriate value for 5154 errno should be returned. Suggested failure: EACCES for label mismatch or 5155 EPERM for lack of privilege. 5156*/ 5157typedef int mpo_vnode_check_stat_t( 5158 struct ucred *active_cred, 5159 struct ucred *file_cred, /* NULLOK */ 5160 struct vnode *vp, 5161 struct label *label 5162); 5163/** 5164 @brief Access control check for truncate/ftruncate 5165 @param active_cred Subject credential 5166 @param file_cred Credential associated with the struct fileproc 5167 @param vp Object vnode 5168 @param label Policy label for vp 5169 5170 Determine whether the subject identified by the credential can 5171 perform a truncate operation on the passed vnode. The active_cred hold 5172 the credentials of the subject performing the operation, and 5173 file_cred holds the credentials of the subject that originally 5174 opened the file. 5175 5176 @return Return 0 if access is granted, otherwise an appropriate value for 5177 errno should be returned. Suggested failure: EACCES for label mismatch or 5178 EPERM for lack of privilege. 5179*/ 5180typedef int mpo_vnode_check_truncate_t( 5181 kauth_cred_t active_cred, 5182 kauth_cred_t file_cred, /* NULLOK */ 5183 struct vnode *vp, 5184 struct label *label 5185); 5186/** 5187 @brief Access control check for binding UNIX domain socket 5188 @param cred Subject credential 5189 @param dvp Directory vnode 5190 @param dlabel Policy label for dvp 5191 @param cnp Component name for dvp 5192 @param vap vnode attributes for vap 5193 5194 Determine whether the subject identified by the credential can perform a 5195 bind operation on a UNIX domain socket with the passed parent directory, 5196 passed name information, and passed attribute information. 5197 5198 @return Return 0 if access is granted, otherwise an appropriate value for 5199 errno should be returned. Suggested failure: EACCES for label mismatch or 5200 EPERM for lack of privilege. 5201*/ 5202typedef int mpo_vnode_check_uipc_bind_t( 5203 kauth_cred_t cred, 5204 struct vnode *dvp, 5205 struct label *dlabel, 5206 struct componentname *cnp, 5207 struct vnode_attr *vap 5208); 5209/** 5210 @brief Access control check for connecting UNIX domain socket 5211 @param cred Subject credential 5212 @param vp Object vnode 5213 @param label Policy label associated with vp 5214 5215 Determine whether the subject identified by the credential can perform a 5216 connect operation on the passed UNIX domain socket vnode. 5217 5218 @return Return 0 if access is granted, otherwise an appropriate value for 5219 errno should be returned. Suggested failure: EACCES for label mismatch or 5220 EPERM for lack of privilege. 5221*/ 5222typedef int mpo_vnode_check_uipc_connect_t( 5223 kauth_cred_t cred, 5224 struct vnode *vp, 5225 struct label *label 5226); 5227/** 5228 @brief Access control check for deleting vnode 5229 @param cred Subject credential 5230 @param dvp Parent directory vnode 5231 @param dlabel Policy label for dvp 5232 @param vp Object vnode to delete 5233 @param label Policy label for vp 5234 @param cnp Component name for vp 5235 @see mpo_check_rename_to_t 5236 5237 Determine whether the subject identified by the credential can delete 5238 a vnode from the passed parent directory and passed name information. 5239 This call may be made in a number of situations, including as a 5240 results of calls to unlink(2) and rmdir(2). Policies implementing 5241 this entry point should also implement mpo_check_rename_to to 5242 authorize deletion of objects as a result of being the target of a rename. 5243 5244 @return Return 0 if access is granted, otherwise an appropriate value for 5245 errno should be returned. Suggested failure: EACCES for label mismatch or 5246 EPERM for lack of privilege. 5247*/ 5248typedef int mpo_vnode_check_unlink_t( 5249 kauth_cred_t cred, 5250 struct vnode *dvp, 5251 struct label *dlabel, 5252 struct vnode *vp, 5253 struct label *label, 5254 struct componentname *cnp 5255); 5256/** 5257 @brief Access control check for write 5258 @param active_cred Subject credential 5259 @param file_cred Credential associated with the struct fileproc 5260 @param vp Object vnode 5261 @param label Policy label for vp 5262 5263 Determine whether the subject identified by the credential can 5264 perform a write operation on the passed vnode. The active_cred hold 5265 the credentials of the subject performing the operation, and 5266 file_cred holds the credentials of the subject that originally 5267 opened the file. 5268 5269 @return Return 0 if access is granted, otherwise an appropriate value for 5270 errno should be returned. Suggested failure: EACCES for label mismatch or 5271 EPERM for lack of privilege. 5272*/ 5273typedef int mpo_vnode_check_write_t( 5274 kauth_cred_t active_cred, 5275 kauth_cred_t file_cred, /* NULLOK */ 5276 struct vnode *vp, 5277 struct label *label 5278); 5279/** 5280 @brief Associate a vnode with a devfs entry 5281 @param mp Devfs mount point 5282 @param mntlabel Devfs mount point label 5283 @param de Devfs directory entry 5284 @param delabel Label associated with de 5285 @param vp vnode associated with de 5286 @param vlabel Label associated with vp 5287 5288 Fill in the label (vlabel) for a newly created devfs vnode. The 5289 label is typically derived from the label on the devfs directory 5290 entry or the label on the filesystem, supplied as parameters. 5291*/ 5292typedef void mpo_vnode_label_associate_devfs_t( 5293 struct mount *mp, 5294 struct label *mntlabel, 5295 struct devnode *de, 5296 struct label *delabel, 5297 struct vnode *vp, 5298 struct label *vlabel 5299); 5300/** 5301 @brief Associate a label with a vnode 5302 @param mp File system mount point 5303 @param mntlabel File system mount point label 5304 @param vp Vnode to label 5305 @param vlabel Label associated with vp 5306 5307 Attempt to retrieve label information for the vnode, vp, from the 5308 file system extended attribute store. The label should be stored in 5309 the supplied vlabel parameter. If a policy cannot retrieve an 5310 extended attribute, sometimes it is acceptible to fallback to using 5311 the mntlabel. 5312 5313 If the policy requires vnodes to have a valid label elsewhere it 5314 MUST NOT return other than temporary errors, and must always provide 5315 a valid label of some sort. Returning an error will cause vnode 5316 labeling to be retried at a later access. Failure to handle policy 5317 centric errors internally (corrupt labels etc.) will result in 5318 inaccessible files. 5319 5320 @return In the event of an error, an appropriate value for errno 5321 should be returned, otherwise return 0 upon success. 5322*/ 5323typedef int mpo_vnode_label_associate_extattr_t( 5324 struct mount *mp, 5325 struct label *mntlabel, 5326 struct vnode *vp, 5327 struct label *vlabel 5328); 5329/** 5330 @brief Associate a file label with a vnode 5331 @param cred User credential 5332 @param mp Fdesc mount point 5333 @param mntlabel Fdesc mount point label 5334 @param fg Fileglob structure 5335 @param label Policy label for fg 5336 @param vp Vnode to label 5337 @param vlabel Label associated with vp 5338 5339 Associate label information for the vnode, vp, with the label of 5340 the open file descriptor described by fg. 5341 The label should be stored in the supplied vlabel parameter. 5342*/ 5343typedef void mpo_vnode_label_associate_file_t( 5344 struct ucred *cred, 5345 struct mount *mp, 5346 struct label *mntlabel, 5347 struct fileglob *fg, 5348 struct label *label, 5349 struct vnode *vp, 5350 struct label *vlabel 5351); 5352/** 5353 @brief Associate a pipe label with a vnode 5354 @param cred User credential for the process that opened the pipe 5355 @param cpipe Pipe structure 5356 @param pipelabel Label associated with pipe 5357 @param vp Vnode to label 5358 @param vlabel Label associated with vp 5359 5360 Associate label information for the vnode, vp, with the label of 5361 the pipe described by the pipe structure cpipe. 5362 The label should be stored in the supplied vlabel parameter. 5363*/ 5364typedef void mpo_vnode_label_associate_pipe_t( 5365 struct ucred *cred, 5366 struct pipe *cpipe, 5367 struct label *pipelabel, 5368 struct vnode *vp, 5369 struct label *vlabel 5370); 5371/** 5372 @brief Associate a POSIX semaphore label with a vnode 5373 @param cred User credential for the process that create psem 5374 @param psem POSIX semaphore structure 5375 @param psemlabel Label associated with psem 5376 @param vp Vnode to label 5377 @param vlabel Label associated with vp 5378 5379 Associate label information for the vnode, vp, with the label of 5380 the POSIX semaphore described by psem. 5381 The label should be stored in the supplied vlabel parameter. 5382*/ 5383typedef void mpo_vnode_label_associate_posixsem_t( 5384 struct ucred *cred, 5385 struct pseminfo *psem, 5386 struct label *psemlabel, 5387 struct vnode *vp, 5388 struct label *vlabel 5389); 5390/** 5391 @brief Associate a POSIX shared memory label with a vnode 5392 @param cred User credential for the process that created pshm 5393 @param pshm POSIX shared memory structure 5394 @param pshmlabel Label associated with pshm 5395 @param vp Vnode to label 5396 @param vlabel Label associated with vp 5397 5398 Associate label information for the vnode, vp, with the label of 5399 the POSIX shared memory region described by pshm. 5400 The label should be stored in the supplied vlabel parameter. 5401*/ 5402typedef void mpo_vnode_label_associate_posixshm_t( 5403 struct ucred *cred, 5404 struct pshminfo *pshm, 5405 struct label *pshmlabel, 5406 struct vnode *vp, 5407 struct label *vlabel 5408); 5409/** 5410 @brief Associate a label with a vnode 5411 @param mp File system mount point 5412 @param mntlabel File system mount point label 5413 @param vp Vnode to label 5414 @param vlabel Label associated with vp 5415 5416 On non-multilabel file systems, set the label for a vnode. The 5417 label will most likely be based on the file system label. 5418*/ 5419typedef void mpo_vnode_label_associate_singlelabel_t( 5420 struct mount *mp, 5421 struct label *mntlabel, 5422 struct vnode *vp, 5423 struct label *vlabel 5424); 5425/** 5426 @brief Associate a socket label with a vnode 5427 @param cred User credential for the process that opened the socket 5428 @param so Socket structure 5429 @param solabel Label associated with so 5430 @param vp Vnode to label 5431 @param vlabel Label associated with vp 5432 5433 Associate label information for the vnode, vp, with the label of 5434 the open socket described by the socket structure so. 5435 The label should be stored in the supplied vlabel parameter. 5436*/ 5437typedef void mpo_vnode_label_associate_socket_t( 5438 kauth_cred_t cred, 5439 socket_t so, 5440 struct label *solabel, 5441 struct vnode *vp, 5442 struct label *vlabel 5443); 5444/** 5445 @brief Copy a vnode label 5446 @param src Source vnode label 5447 @param dest Destination vnode label 5448 5449 Copy the vnode label information from src to dest. On Darwin, this 5450 is currently only necessary when executing interpreted scripts, but 5451 will later be used if vnode label externalization cannot be an 5452 atomic operation. 5453*/ 5454typedef void mpo_vnode_label_copy_t( 5455 struct label *src, 5456 struct label *dest 5457); 5458/** 5459 @brief Destroy vnode label 5460 @param label The label to be destroyed 5461 5462 Destroy a vnode label. Since the object is going out of scope, 5463 policy modules should free any internal storage associated with the 5464 label so that it may be destroyed. 5465*/ 5466typedef void mpo_vnode_label_destroy_t( 5467 struct label *label 5468); 5469/** 5470 @brief Externalize a vnode label for auditing 5471 @param label Label to be externalized 5472 @param element_name Name of the label namespace for which labels should be 5473 externalized 5474 @param sb String buffer to be filled with a text representation of the label 5475 5476 Produce an external representation of the label on a vnode suitable for 5477 inclusion in an audit record. An externalized label consists of a text 5478 representation of the label contents that will be added to the audit record 5479 as part of a text token. Policy-agnostic user space tools will display 5480 this externalized version. 5481 5482 @return 0 on success, return non-zero if an error occurs while 5483 externalizing the label data. 5484 5485*/ 5486typedef int mpo_vnode_label_externalize_audit_t( 5487 struct label *label, 5488 char *element_name, 5489 struct sbuf *sb 5490); 5491/** 5492 @brief Externalize a vnode label 5493 @param label Label to be externalized 5494 @param element_name Name of the label namespace for which labels should be 5495 externalized 5496 @param sb String buffer to be filled with a text representation of the label 5497 5498 Produce an external representation of the label on a vnode. An 5499 externalized label consists of a text representation of the label 5500 contents that can be used with user applications. Policy-agnostic 5501 user space tools will display this externalized version. 5502 5503 @return 0 on success, return non-zero if an error occurs while 5504 externalizing the label data. 5505 5506*/ 5507typedef int mpo_vnode_label_externalize_t( 5508 struct label *label, 5509 char *element_name, 5510 struct sbuf *sb 5511); 5512/** 5513 @brief Initialize vnode label 5514 @param label New label to initialize 5515 5516 Initialize label storage for use with a newly instantiated vnode, or 5517 for temporary storage associated with the copying in or out of a 5518 vnode label. While it is necessary to allocate space for a 5519 kernel-resident vnode label, it is not yet necessary to link this vnode 5520 with persistent label storage facilities, such as extended attributes. 5521 Sleeping is permitted. 5522*/ 5523typedef void mpo_vnode_label_init_t( 5524 struct label *label 5525); 5526/** 5527 @brief Internalize a vnode label 5528 @param label Label to be internalized 5529 @param element_name Name of the label namespace for which the label should 5530 be internalized 5531 @param element_data Text data to be internalized 5532 5533 Produce a vnode label from an external representation. An 5534 externalized label consists of a text representation of the label 5535 contents that can be used with user applications. Policy-agnostic 5536 user space tools will forward text version to the kernel for 5537 processing by individual policy modules. 5538 5539 The policy's internalize entry points will be called only if the 5540 policy has registered interest in the label namespace. 5541 5542 @return 0 on success, Otherwise, return non-zero if an error occurs 5543 while internalizing the label data. 5544*/ 5545typedef int mpo_vnode_label_internalize_t( 5546 struct label *label, 5547 char *element_name, 5548 char *element_data 5549); 5550/** 5551 @brief Clean up a vnode label 5552 @param label The label to be cleaned for re-use 5553 5554 Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but 5555 typically never frees them. Before vnodes are placed back on free lists for 5556 re-use, policies can cleanup or overwrite any information present in the label. 5557*/ 5558typedef void mpo_vnode_label_recycle_t( 5559 struct label *label 5560); 5561/** 5562 @brief Write a label to a extended attribute 5563 @param cred Subject credential 5564 @param vp The vnode for which the label is being stored 5565 @param vlabel Label associated with vp 5566 @param intlabel The new label to store 5567 5568 Store a new label in the extended attribute corresponding to the 5569 supplied vnode. The policy has already authorized the operation; 5570 this call must be implemented in order to perform the actual 5571 operation. 5572 5573 @return In the event of an error, an appropriate value for errno 5574 should be returned, otherwise return 0 upon success. 5575 5576 @warning XXX After examining the extended attribute implementation on 5577 Apple's future release, this entry point may be changed. 5578*/ 5579typedef int mpo_vnode_label_store_t( 5580 kauth_cred_t cred, 5581 struct vnode *vp, 5582 struct label *vlabel, 5583 struct label *intlabel 5584); 5585/** 5586 @brief Update vnode label from extended attributes 5587 @param mp File system mount point 5588 @param mntlabel Mount point label 5589 @param vp Vnode to label 5590 @param vlabel Label associated with vp 5591 @param name Name of the xattr 5592 @see mpo_vnode_check_setextattr_t 5593 5594 When an extended attribute is updated via the Vendor attribute management 5595 functions, the MAC vnode label might also require an update. 5596 Policies should first determine if 'name' matches their xattr label 5597 name. If it does, the kernel is has either replaced or removed the 5598 named extended attribute that was previously associated with the 5599 vnode. Normally labels should only be modified via MAC Framework label 5600 management calls, but sometimes the user space components will directly 5601 modify extended attributes. For example, 'cp', 'tar', etc. manage 5602 extended attributes in userspace, not the kernel. 5603 5604 This entry point is called after the label update has occurred, so 5605 it cannot return a failure. However, the operation is preceded by 5606 the mpo_vnode_check_setextattr() access control check. 5607 5608 If the vnode label needs to be updated the policy should return 5609 a non-zero value. The vnode label will be marked for re-association 5610 by the framework. 5611*/ 5612typedef int mpo_vnode_label_update_extattr_t( 5613 struct mount *mp, 5614 struct label *mntlabel, 5615 struct vnode *vp, 5616 struct label *vlabel, 5617 const char *name 5618); 5619/** 5620 @brief Update a vnode label 5621 @param cred Subject credential 5622 @param vp The vnode to relabel 5623 @param vnodelabel Existing vnode label 5624 @param label New label to replace existing label 5625 @see mpo_vnode_check_label_update_t 5626 5627 The subject identified by the credential has previously requested 5628 and was authorized to relabel the vnode; this entry point allows 5629 policies to perform the actual relabel operation. Policies should 5630 update vnodelabel using the label stored in the label parameter. 5631*/ 5632typedef void mpo_vnode_label_update_t( 5633 kauth_cred_t cred, 5634 struct vnode *vp, 5635 struct label *vnodelabel, 5636 struct label *label 5637); 5638/** 5639 @brief Find deatched signatures for a shared library 5640 @param p file trying to find the signature 5641 @param vp The vnode to relabel 5642 @param offset offset in the macho that the signature is requested for (for fat binaries) 5643 @param label Existing vnode label 5644 5645*/ 5646typedef int mpo_vnode_find_sigs_t( 5647 struct proc *p, 5648 struct vnode *vp, 5649 off_t offset, 5650 struct label *label 5651); 5652/** 5653 @brief Create a new vnode, backed by extended attributes 5654 @param cred User credential for the creating process 5655 @param mp File system mount point 5656 @param mntlabel File system mount point label 5657 @param dvp Parent directory vnode 5658 @param dlabel Parent directory vnode label 5659 @param vp Newly created vnode 5660 @param vlabel Label to associate with the new vnode 5661 @param cnp Component name for vp 5662 5663 Write out the label for the newly created vnode, most likely storing 5664 the results in a file system extended attribute. Most policies will 5665 derive the new vnode label using information from a combination 5666 of the subject (user) credential, the file system label, the parent 5667 directory label, and potentially the path name component. 5668 5669 @return If the operation succeeds, store the new label in vlabel and 5670 return 0. Otherwise, return an appropriate errno value. 5671*/ 5672typedef int mpo_vnode_notify_create_t( 5673 kauth_cred_t cred, 5674 struct mount *mp, 5675 struct label *mntlabel, 5676 struct vnode *dvp, 5677 struct label *dlabel, 5678 struct vnode *vp, 5679 struct label *vlabel, 5680 struct componentname *cnp 5681); 5682 5683/** 5684 @brief Inform MAC policies that a vnode has been opened 5685 @param cred User credential for the creating process 5686 @param vp vnode opened 5687 @param label Policy label for the vp 5688 @param acc_mode open(2) access mode used 5689 5690 Inform Mac policies that a vnode have been successfully opened 5691 (passing all MAC polices and DAC). 5692*/ 5693typedef void mpo_vnode_notify_open_t( 5694 kauth_cred_t cred, 5695 struct vnode *vp, 5696 struct label *label, 5697 int acc_mode 5698); 5699 5700/** 5701 @brief Inform MAC policies that a vnode has been renamed 5702 @param cred User credential for the renaming process 5703 @param vp Vnode that's being renamed 5704 @param label Policy label for vp 5705 @param dvp Parent directory for the destination 5706 @param dlabel Policy label for dvp 5707 @param cnp Component name for the destination 5708 5709 Inform MAC policies that a vnode has been renamed. 5710 */ 5711typedef void mpo_vnode_notify_rename_t( 5712 kauth_cred_t cred, 5713 struct vnode *vp, 5714 struct label *label, 5715 struct vnode *dvp, 5716 struct label *dlabel, 5717 struct componentname *cnp 5718); 5719 5720/** 5721 @brief Inform MAC policies that a vnode has been linked 5722 @param cred User credential for the renaming process 5723 @param dvp Parent directory for the destination 5724 @param dlabel Policy label for dvp 5725 @param vp Vnode that's being linked 5726 @param vlabel Policy label for vp 5727 @param cnp Component name for the destination 5728 5729 Inform MAC policies that a vnode has been linked. 5730 */ 5731typedef void mpo_vnode_notify_link_t( 5732 kauth_cred_t cred, 5733 struct vnode *dvp, 5734 struct label *dlabel, 5735 struct vnode *vp, 5736 struct label *vlabel, 5737 struct componentname *cnp 5738); 5739 5740/** 5741 @brief Inform MAC policies that a pty slave has been granted 5742 @param p Responsible process 5743 @param tp tty data structure 5744 @param dev Major and minor numbers of device 5745 @param label Policy label for tp 5746 5747 Inform MAC policies that a pty slave has been granted. 5748*/ 5749typedef void mpo_pty_notify_grant_t( 5750 proc_t p, 5751 struct tty *tp, 5752 dev_t dev, 5753 struct label *label 5754); 5755 5756/** 5757 @brief Inform MAC policies that a pty master has been closed 5758 @param p Responsible process 5759 @param tp tty data structure 5760 @param dev Major and minor numbers of device 5761 @param label Policy label for tp 5762 5763 Inform MAC policies that a pty master has been closed. 5764*/ 5765typedef void mpo_pty_notify_close_t( 5766 proc_t p, 5767 struct tty *tp, 5768 dev_t dev, 5769 struct label *label 5770); 5771 5772/** 5773 @brief Access control check for kext loading 5774 @param cred Subject credential 5775 @param identifier Kext identifier 5776 5777 Determine whether the subject identified by the credential can load the 5778 specified kext. 5779 5780 @return Return 0 if access is granted, otherwise an appropriate value for 5781 errno should be returned. Suggested failure: EPERM for lack of privilege. 5782*/ 5783typedef int mpo_kext_check_load_t( 5784 kauth_cred_t cred, 5785 const char *identifier 5786); 5787 5788/** 5789 @brief Access control check for kext unloading 5790 @param cred Subject credential 5791 @param identifier Kext identifier 5792 5793 Determine whether the subject identified by the credential can unload the 5794 specified kext. 5795 5796 @return Return 0 if access is granted, otherwise an appropriate value for 5797 errno should be returned. Suggested failure: EPERM for lack of privilege. 5798*/ 5799typedef int mpo_kext_check_unload_t( 5800 kauth_cred_t cred, 5801 const char *identifier 5802); 5803 5804/* 5805 * Placeholder for future events that may need mac hooks. 5806 */ 5807typedef void mpo_reserved_hook_t(void); 5808 5809/* 5810 * Policy module operations. 5811 * 5812 * Please note that this should be kept in sync with the check assumptions 5813 * policy in bsd/kern/policy_check.c (policy_ops struct). 5814 */ 5815#define MAC_POLICY_OPS_VERSION 31 /* inc when new reserved slots are taken */ 5816struct mac_policy_ops { 5817 mpo_audit_check_postselect_t *mpo_audit_check_postselect; 5818 mpo_audit_check_preselect_t *mpo_audit_check_preselect; 5819 5820 mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate; 5821 mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy; 5822 mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init; 5823 mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive; 5824 5825 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; 5826 mpo_cred_check_label_update_t *mpo_cred_check_label_update; 5827 mpo_cred_check_visible_t *mpo_cred_check_visible; 5828 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork; 5829 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel; 5830 mpo_cred_label_associate_t *mpo_cred_label_associate; 5831 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user; 5832 mpo_cred_label_destroy_t *mpo_cred_label_destroy; 5833 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit; 5834 mpo_cred_label_externalize_t *mpo_cred_label_externalize; 5835 mpo_cred_label_init_t *mpo_cred_label_init; 5836 mpo_cred_label_internalize_t *mpo_cred_label_internalize; 5837 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve; 5838 mpo_cred_label_update_t *mpo_cred_label_update; 5839 5840 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device; 5841 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory; 5842 mpo_devfs_label_copy_t *mpo_devfs_label_copy; 5843 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; 5844 mpo_devfs_label_init_t *mpo_devfs_label_init; 5845 mpo_devfs_label_update_t *mpo_devfs_label_update; 5846 5847 mpo_file_check_change_offset_t *mpo_file_check_change_offset; 5848 mpo_file_check_create_t *mpo_file_check_create; 5849 mpo_file_check_dup_t *mpo_file_check_dup; 5850 mpo_file_check_fcntl_t *mpo_file_check_fcntl; 5851 mpo_file_check_get_offset_t *mpo_file_check_get_offset; 5852 mpo_file_check_get_t *mpo_file_check_get; 5853 mpo_file_check_inherit_t *mpo_file_check_inherit; 5854 mpo_file_check_ioctl_t *mpo_file_check_ioctl; 5855 mpo_file_check_lock_t *mpo_file_check_lock; 5856 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade; 5857 mpo_file_check_mmap_t *mpo_file_check_mmap; 5858 mpo_file_check_receive_t *mpo_file_check_receive; 5859 mpo_file_check_set_t *mpo_file_check_set; 5860 mpo_file_label_init_t *mpo_file_label_init; 5861 mpo_file_label_destroy_t *mpo_file_label_destroy; 5862 mpo_file_label_associate_t *mpo_file_label_associate; 5863 5864 mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update; 5865 mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit; 5866 mpo_ifnet_label_associate_t *mpo_ifnet_label_associate; 5867 mpo_ifnet_label_copy_t *mpo_ifnet_label_copy; 5868 mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy; 5869 mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize; 5870 mpo_ifnet_label_init_t *mpo_ifnet_label_init; 5871 mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize; 5872 mpo_ifnet_label_update_t *mpo_ifnet_label_update; 5873 mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle; 5874 5875 mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver; 5876 mpo_inpcb_label_associate_t *mpo_inpcb_label_associate; 5877 mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy; 5878 mpo_inpcb_label_init_t *mpo_inpcb_label_init; 5879 mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle; 5880 mpo_inpcb_label_update_t *mpo_inpcb_label_update; 5881 5882 mpo_iokit_check_device_t *mpo_iokit_check_device; 5883 5884 mpo_ipq_label_associate_t *mpo_ipq_label_associate; 5885 mpo_ipq_label_compare_t *mpo_ipq_label_compare; 5886 mpo_ipq_label_destroy_t *mpo_ipq_label_destroy; 5887 mpo_ipq_label_init_t *mpo_ipq_label_init; 5888 mpo_ipq_label_update_t *mpo_ipq_label_update; 5889 5890 mpo_lctx_check_label_update_t *mpo_lctx_check_label_update; 5891 mpo_lctx_label_destroy_t *mpo_lctx_label_destroy; 5892 mpo_lctx_label_externalize_t *mpo_lctx_label_externalize; 5893 mpo_lctx_label_init_t *mpo_lctx_label_init; 5894 mpo_lctx_label_internalize_t *mpo_lctx_label_internalize; 5895 mpo_lctx_label_update_t *mpo_lctx_label_update; 5896 mpo_lctx_notify_create_t *mpo_lctx_notify_create; 5897 mpo_lctx_notify_join_t *mpo_lctx_notify_join; 5898 mpo_lctx_notify_leave_t *mpo_lctx_notify_leave; 5899 5900 mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc; 5901 mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet; 5902 mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb; 5903 mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq; 5904 mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer; 5905 mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap; 5906 mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer; 5907 mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket; 5908 mpo_mbuf_label_copy_t *mpo_mbuf_label_copy; 5909 mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy; 5910 mpo_mbuf_label_init_t *mpo_mbuf_label_init; 5911 5912 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl; 5913 mpo_mount_check_getattr_t *mpo_mount_check_getattr; 5914 mpo_mount_check_label_update_t *mpo_mount_check_label_update; 5915 mpo_mount_check_mount_t *mpo_mount_check_mount; 5916 mpo_mount_check_remount_t *mpo_mount_check_remount; 5917 mpo_mount_check_setattr_t *mpo_mount_check_setattr; 5918 mpo_mount_check_stat_t *mpo_mount_check_stat; 5919 mpo_mount_check_umount_t *mpo_mount_check_umount; 5920 mpo_mount_label_associate_t *mpo_mount_label_associate; 5921 mpo_mount_label_destroy_t *mpo_mount_label_destroy; 5922 mpo_mount_label_externalize_t *mpo_mount_label_externalize; 5923 mpo_mount_label_init_t *mpo_mount_label_init; 5924 mpo_mount_label_internalize_t *mpo_mount_label_internalize; 5925 5926 mpo_netinet_fragment_t *mpo_netinet_fragment; 5927 mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply; 5928 mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply; 5929 5930 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; 5931 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; 5932 mpo_pipe_check_label_update_t *mpo_pipe_check_label_update; 5933 mpo_pipe_check_read_t *mpo_pipe_check_read; 5934 mpo_pipe_check_select_t *mpo_pipe_check_select; 5935 mpo_pipe_check_stat_t *mpo_pipe_check_stat; 5936 mpo_pipe_check_write_t *mpo_pipe_check_write; 5937 mpo_pipe_label_associate_t *mpo_pipe_label_associate; 5938 mpo_pipe_label_copy_t *mpo_pipe_label_copy; 5939 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy; 5940 mpo_pipe_label_externalize_t *mpo_pipe_label_externalize; 5941 mpo_pipe_label_init_t *mpo_pipe_label_init; 5942 mpo_pipe_label_internalize_t *mpo_pipe_label_internalize; 5943 mpo_pipe_label_update_t *mpo_pipe_label_update; 5944 5945 mpo_policy_destroy_t *mpo_policy_destroy; 5946 mpo_policy_init_t *mpo_policy_init; 5947 mpo_policy_initbsd_t *mpo_policy_initbsd; 5948 mpo_policy_syscall_t *mpo_policy_syscall; 5949 5950 mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname; 5951 mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports; 5952 mpo_vnode_check_rename_t *mpo_vnode_check_rename; 5953 mpo_reserved_hook_t *mpo_reserved4; 5954 mpo_reserved_hook_t *mpo_reserved5; 5955 mpo_reserved_hook_t *mpo_reserved6; 5956 mpo_reserved_hook_t *mpo_reserved7; 5957 mpo_reserved_hook_t *mpo_reserved8; 5958 mpo_reserved_hook_t *mpo_reserved9; 5959 mpo_reserved_hook_t *mpo_reserved10; 5960 mpo_reserved_hook_t *mpo_reserved11; 5961 mpo_reserved_hook_t *mpo_reserved12; 5962 mpo_reserved_hook_t *mpo_reserved13; 5963 mpo_reserved_hook_t *mpo_reserved14; 5964 mpo_reserved_hook_t *mpo_reserved15; 5965 mpo_reserved_hook_t *mpo_reserved16; 5966 mpo_reserved_hook_t *mpo_reserved17; 5967 mpo_reserved_hook_t *mpo_reserved18; 5968 mpo_reserved_hook_t *mpo_reserved19; 5969 mpo_reserved_hook_t *mpo_reserved20; 5970 mpo_reserved_hook_t *mpo_reserved21; 5971 mpo_reserved_hook_t *mpo_reserved22; 5972 5973 mpo_posixsem_check_create_t *mpo_posixsem_check_create; 5974 mpo_posixsem_check_open_t *mpo_posixsem_check_open; 5975 mpo_posixsem_check_post_t *mpo_posixsem_check_post; 5976 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink; 5977 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait; 5978 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate; 5979 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy; 5980 mpo_posixsem_label_init_t *mpo_posixsem_label_init; 5981 mpo_posixshm_check_create_t *mpo_posixshm_check_create; 5982 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap; 5983 mpo_posixshm_check_open_t *mpo_posixshm_check_open; 5984 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat; 5985 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate; 5986 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink; 5987 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate; 5988 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy; 5989 mpo_posixshm_label_init_t *mpo_posixshm_label_init; 5990 5991 mpo_proc_check_debug_t *mpo_proc_check_debug; 5992 mpo_proc_check_fork_t *mpo_proc_check_fork; 5993 mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name; 5994 mpo_proc_check_get_task_t *mpo_proc_check_get_task; 5995 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; 5996 mpo_proc_check_getauid_t *mpo_proc_check_getauid; 5997 mpo_proc_check_getlcid_t *mpo_proc_check_getlcid; 5998 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; 5999 mpo_proc_check_sched_t *mpo_proc_check_sched; 6000 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; 6001 mpo_proc_check_setauid_t *mpo_proc_check_setauid; 6002 mpo_proc_check_setlcid_t *mpo_proc_check_setlcid; 6003 mpo_proc_check_signal_t *mpo_proc_check_signal; 6004 mpo_proc_check_wait_t *mpo_proc_check_wait; 6005 mpo_proc_label_destroy_t *mpo_proc_label_destroy; 6006 mpo_proc_label_init_t *mpo_proc_label_init; 6007 6008 mpo_socket_check_accept_t *mpo_socket_check_accept; 6009 mpo_socket_check_accepted_t *mpo_socket_check_accepted; 6010 mpo_socket_check_bind_t *mpo_socket_check_bind; 6011 mpo_socket_check_connect_t *mpo_socket_check_connect; 6012 mpo_socket_check_create_t *mpo_socket_check_create; 6013 mpo_socket_check_deliver_t *mpo_socket_check_deliver; 6014 mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter; 6015 mpo_socket_check_label_update_t *mpo_socket_check_label_update; 6016 mpo_socket_check_listen_t *mpo_socket_check_listen; 6017 mpo_socket_check_receive_t *mpo_socket_check_receive; 6018 mpo_socket_check_received_t *mpo_socket_check_received; 6019 mpo_socket_check_select_t *mpo_socket_check_select; 6020 mpo_socket_check_send_t *mpo_socket_check_send; 6021 mpo_socket_check_stat_t *mpo_socket_check_stat; 6022 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt; 6023 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt; 6024 mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept; 6025 mpo_socket_label_associate_t *mpo_socket_label_associate; 6026 mpo_socket_label_copy_t *mpo_socket_label_copy; 6027 mpo_socket_label_destroy_t *mpo_socket_label_destroy; 6028 mpo_socket_label_externalize_t *mpo_socket_label_externalize; 6029 mpo_socket_label_init_t *mpo_socket_label_init; 6030 mpo_socket_label_internalize_t *mpo_socket_label_internalize; 6031 mpo_socket_label_update_t *mpo_socket_label_update; 6032 6033 mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf; 6034 mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket; 6035 mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy; 6036 mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize; 6037 mpo_socketpeer_label_init_t *mpo_socketpeer_label_init; 6038 6039 mpo_system_check_acct_t *mpo_system_check_acct; 6040 mpo_system_check_audit_t *mpo_system_check_audit; 6041 mpo_system_check_auditctl_t *mpo_system_check_auditctl; 6042 mpo_system_check_auditon_t *mpo_system_check_auditon; 6043 mpo_system_check_host_priv_t *mpo_system_check_host_priv; 6044 mpo_system_check_nfsd_t *mpo_system_check_nfsd; 6045 mpo_system_check_reboot_t *mpo_system_check_reboot; 6046 mpo_system_check_settime_t *mpo_system_check_settime; 6047 mpo_system_check_swapoff_t *mpo_system_check_swapoff; 6048 mpo_system_check_swapon_t *mpo_system_check_swapon; 6049 mpo_reserved_hook_t *mpo_reserved31; 6050 6051 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate; 6052 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy; 6053 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init; 6054 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle; 6055 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue; 6056 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv; 6057 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid; 6058 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl; 6059 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget; 6060 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv; 6061 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd; 6062 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate; 6063 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy; 6064 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init; 6065 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle; 6066 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl; 6067 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget; 6068 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop; 6069 mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate; 6070 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy; 6071 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init; 6072 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle; 6073 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat; 6074 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl; 6075 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt; 6076 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget; 6077 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate; 6078 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy; 6079 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init; 6080 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle; 6081 6082 mpo_reserved_hook_t *mpo_reserved23; 6083 mpo_reserved_hook_t *mpo_reserved24; 6084 mpo_reserved_hook_t *mpo_reserved25; 6085 mpo_reserved_hook_t *mpo_reserved26; 6086 mpo_reserved_hook_t *mpo_reserved27; 6087 mpo_reserved_hook_t *mpo_reserved28; 6088 mpo_reserved_hook_t *mpo_reserved29; 6089 mpo_reserved_hook_t *mpo_reserved30; 6090 6091 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control; 6092 6093 mpo_vnode_check_access_t *mpo_vnode_check_access; 6094 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; 6095 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; 6096 mpo_vnode_check_create_t *mpo_vnode_check_create; 6097 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr; 6098 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata; 6099 mpo_vnode_check_exec_t *mpo_vnode_check_exec; 6100 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist; 6101 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr; 6102 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl; 6103 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter; 6104 mpo_vnode_check_label_update_t *mpo_vnode_check_label_update; 6105 mpo_vnode_check_link_t *mpo_vnode_check_link; 6106 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; 6107 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; 6108 mpo_vnode_check_open_t *mpo_vnode_check_open; 6109 mpo_vnode_check_read_t *mpo_vnode_check_read; 6110 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; 6111 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink; 6112 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from; 6113 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to; 6114 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke; 6115 mpo_vnode_check_select_t *mpo_vnode_check_select; 6116 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist; 6117 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr; 6118 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags; 6119 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode; 6120 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; 6121 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; 6122 mpo_vnode_check_stat_t *mpo_vnode_check_stat; 6123 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; 6124 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink; 6125 mpo_vnode_check_write_t *mpo_vnode_check_write; 6126 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs; 6127 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr; 6128 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file; 6129 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe; 6130 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem; 6131 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm; 6132 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel; 6133 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket; 6134 mpo_vnode_label_copy_t *mpo_vnode_label_copy; 6135 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy; 6136 mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit; 6137 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize; 6138 mpo_vnode_label_init_t *mpo_vnode_label_init; 6139 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize; 6140 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle; 6141 mpo_vnode_label_store_t *mpo_vnode_label_store; 6142 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr; 6143 mpo_vnode_label_update_t *mpo_vnode_label_update; 6144 mpo_vnode_notify_create_t *mpo_vnode_notify_create; 6145 mpo_vnode_check_signature_t *mpo_vnode_check_signature; 6146 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind; 6147 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect; 6148 6149 mac_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid; 6150 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume; 6151 6152 mpo_thread_userret_t *mpo_thread_userret; 6153 6154 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties; 6155 6156 mpo_system_check_chud_t *mpo_system_check_chud; 6157 6158 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs; 6159 6160 mpo_priv_check_t *mpo_priv_check; 6161 mpo_priv_grant_t *mpo_priv_grant; 6162 6163 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon; 6164 6165 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath; 6166 6167 mpo_iokit_check_open_t *mpo_iokit_check_open; 6168 6169 mpo_proc_check_ledger_t *mpo_proc_check_ledger; 6170 6171 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename; 6172 6173 mpo_thread_label_init_t *mpo_thread_label_init; 6174 mpo_thread_label_destroy_t *mpo_thread_label_destroy; 6175 6176 mpo_system_check_kas_info_t *mpo_system_check_kas_info; 6177 6178 mpo_proc_check_cpumon_t *mpo_proc_check_cpumon; 6179 6180 mpo_vnode_notify_open_t *mpo_vnode_notify_open; 6181 6182 mpo_system_check_info_t *mpo_system_check_info; 6183 6184 mpo_pty_notify_grant_t *mpo_pty_notify_grant; 6185 mpo_pty_notify_close_t *mpo_pty_notify_close; 6186 6187 mpo_vnode_find_sigs_t *mpo_vnode_find_sigs; 6188 6189 mpo_kext_check_load_t *mpo_kext_check_load; 6190 mpo_kext_check_unload_t *mpo_kext_check_unload; 6191 6192 mpo_proc_check_proc_info_t *mpo_proc_check_proc_info; 6193 mpo_vnode_notify_link_t *mpo_vnode_notify_link; 6194 mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties; 6195 mpo_iokit_check_get_property_t *mpo_iokit_check_get_property; 6196}; 6197 6198/** 6199 @brief MAC policy handle type 6200 6201 The MAC handle is used to uniquely identify a loaded policy within 6202 the MAC Framework. 6203 6204 A variable of this type is set by mac_policy_register(). 6205 */ 6206typedef unsigned int mac_policy_handle_t; 6207 6208#define mpc_t struct mac_policy_conf * 6209 6210/** 6211 @brief Mac policy configuration 6212 6213 This structure specifies the configuration information for a 6214 MAC policy module. A policy module developer must supply 6215 a short unique policy name, a more descriptive full name, a list of label 6216 namespaces and count, a pointer to the registered enty point operations, 6217 any load time flags, and optionally, a pointer to a label slot identifier. 6218 6219 The Framework will update the runtime flags (mpc_runtime_flags) to 6220 indicate that the module has been registered. 6221 6222 If the label slot identifier (mpc_field_off) is NULL, the Framework 6223 will not provide label storage for the policy. Otherwise, the 6224 Framework will store the label location (slot) in this field. 6225 6226 The mpc_list field is used by the Framework and should not be 6227 modified by policies. 6228*/ 6229/* XXX - reorder these for better aligment on 64bit platforms */ 6230struct mac_policy_conf { 6231 const char *mpc_name; /** policy name */ 6232 const char *mpc_fullname; /** full name */ 6233 const char **mpc_labelnames; /** managed label namespaces */ 6234 unsigned int mpc_labelname_count; /** number of managed label namespaces */ 6235 struct mac_policy_ops *mpc_ops; /** operation vector */ 6236 int mpc_loadtime_flags; /** load time flags */ 6237 int *mpc_field_off; /** label slot */ 6238 int mpc_runtime_flags; /** run time flags */ 6239 mpc_t mpc_list; /** List reference */ 6240 void *mpc_data; /** module data */ 6241}; 6242 6243/** 6244 @brief MAC policy module registration routine 6245 6246 This function is called to register a policy with the 6247 MAC framework. A policy module will typically call this from the 6248 Darwin KEXT registration routine. 6249 */ 6250int mac_policy_register(struct mac_policy_conf *mpc, 6251 mac_policy_handle_t *handlep, void *xd); 6252 6253/** 6254 @brief MAC policy module de-registration routine 6255 6256 This function is called to de-register a policy with theD 6257 MAC framework. A policy module will typically call this from the 6258 Darwin KEXT de-registration routine. 6259 */ 6260int mac_policy_unregister(mac_policy_handle_t handle); 6261 6262/* 6263 * Framework entry points for the policies to add audit data. 6264 */ 6265int mac_audit_text(char *text, mac_policy_handle_t handle); 6266 6267/* 6268 * Calls to assist with use of Apple XATTRs within policy modules. 6269 */ 6270int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t); 6271int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t, 6272 size_t *); 6273int mac_vnop_removexattr(struct vnode *, const char *); 6274 6275/* 6276 * Arbitrary limit on how much data will be logged by the audit 6277 * entry points above. 6278 */ 6279#define MAC_AUDIT_DATA_LIMIT 1024 6280 6281/* 6282 * Values returned by mac_audit_{pre,post}select. To combine the responses 6283 * of the security policies into a single decision, 6284 * mac_audit_{pre,post}select() choose the greatest value returned. 6285 */ 6286#define MAC_AUDIT_DEFAULT 0 /* use system behavior */ 6287#define MAC_AUDIT_NO 1 /* force not auditing this event */ 6288#define MAC_AUDIT_YES 2 /* force auditing this event */ 6289 6290// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field 6291 6292/** 6293 @name Flags for the mpc_loadtime_flags field 6294 @see mac_policy_conf 6295 6296 This is the complete list of flags that are supported by the 6297 mpc_loadtime_flags field of the mac_policy_conf structure. These 6298 flags specify the load time behavior of MAC Framework policy 6299 modules. 6300*/ 6301 6302/*@{*/ 6303 6304/** 6305 @brief Flag to indicate registration preference 6306 6307 This flag indicates that the policy module must be loaded and 6308 initialized early in the boot process. If the flag is specified, 6309 attempts to register the module following boot will be rejected. The 6310 flag may be used by policies that require pervasive labeling of all 6311 system objects, and cannot handle objects that have not been 6312 properly initialized by the policy. 6313 */ 6314#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001 6315 6316/** 6317 @brief Flag to indicate unload preference 6318 6319 This flag indicates that the policy module may be unloaded. If this 6320 flag is not set, then the policy framework will reject requests to 6321 unload the module. This flag might be used by modules that allocate 6322 label state and are unable to free that state at runtime, or for 6323 modules that simply do not want to permit unload operations. 6324*/ 6325#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002 6326 6327/** 6328 @brief Unsupported 6329 6330 XXX This flag is not yet supported. 6331*/ 6332#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004 6333 6334/** 6335 @brief Flag to indicate a base policy 6336 6337 This flag indicates that the policy module is a base policy. Only 6338 one module can declare itself as base, otherwise the boot process 6339 will be halted. 6340 */ 6341#define MPC_LOADTIME_BASE_POLICY 0x00000008 6342 6343/*@}*/ 6344 6345/** 6346 @brief Policy registration flag 6347 @see mac_policy_conf 6348 6349 This flag indicates that the policy module has been successfully 6350 registered with the TrustedBSD MAC Framework. The Framework will 6351 set this flag in the mpc_runtime_flags field of the policy's 6352 mac_policy_conf structure after registering the policy. 6353 */ 6354#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 6355 6356/* 6357 * Depends on POLICY_VER 6358 */ 6359 6360#ifndef POLICY_VER 6361#define POLICY_VER 1.0 6362#endif 6363 6364#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \ 6365 static struct mac_policy_conf mpname##_mac_policy_conf = { \ 6366 .mpc_name = #mpname, \ 6367 .mpc_fullname = mpfullname, \ 6368 .mpc_labelnames = lnames, \ 6369 .mpc_labelname_count = lcount, \ 6370 .mpc_ops = mpops, \ 6371 .mpc_loadtime_flags = lflags, \ 6372 .mpc_field_off = slot, \ 6373 .mpc_runtime_flags = rflags \ 6374 }; \ 6375 \ 6376 static kern_return_t \ 6377 kmod_start(kmod_info_t *ki, void *xd) \ 6378 { \ 6379 return mac_policy_register(&mpname##_mac_policy_conf, \ 6380 &handle, xd); \ 6381 } \ 6382 \ 6383 static kern_return_t \ 6384 kmod_stop(kmod_info_t *ki, void *xd) \ 6385 { \ 6386 return mac_policy_unregister(handle); \ 6387 } \ 6388 \ 6389 extern kern_return_t _start(kmod_info_t *ki, void *data); \ 6390 extern kern_return_t _stop(kmod_info_t *ki, void *data); \ 6391 \ 6392 KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \ 6393 kmod_start_func_t *_realmain = kmod_start; \ 6394 kmod_stop_func_t *_antimain = kmod_stop; \ 6395 int _kext_apple_cc = __APPLE_CC__ 6396 6397 6398#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s] 6399 6400/* 6401 * Policy interface to map a struct label pointer to per-policy data. 6402 * Typically, policies wrap this in their own accessor macro that casts an 6403 * intptr_t to a policy-specific data type. 6404 */ 6405intptr_t mac_label_get(struct label *l, int slot); 6406void mac_label_set(struct label *l, int slot, intptr_t v); 6407 6408#define mac_get_mpc(h) (mac_policy_list.entries[h].mpc) 6409 6410/** 6411 @name Flags for MAC allocator interfaces 6412 6413 These flags are passed to the Darwin kernel allocator routines to 6414 indicate whether the allocation is permitted to block or not. 6415 Caution should be taken; some operations are not permitted to sleep, 6416 and some types of locks cannot be held when sleeping. 6417 */ 6418 6419/*@{*/ 6420 6421/** 6422 @brief Allocation operations may block 6423 6424 If memory is not immediately available, the allocation routine 6425 will block (typically sleeping) until memory is available. 6426 6427 @warning Inappropriate use of this flag may cause kernel panics. 6428 */ 6429#define MAC_WAITOK 0 6430 6431/** 6432 @brief Allocation operations may not block 6433 6434 Rather than blocking, the allocator may return an error if memory 6435 is not immediately available. This type of allocation will not 6436 sleep, preserving locking semantics. 6437 */ 6438#define MAC_NOWAIT 1 6439 6440/*@}*/ 6441 6442#endif /* !_SECURITY_MAC_POLICY_H_ */ 6443