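/*
 * Copyright (c) 2007 Apple Inc. All rights reserved.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. The rights granted to you under the License
 * may not be used to create, or enable the creation or redistribution of,
 * unlawful or unlicensed copies of an Apple operating system, or to
 * circumvent, violate, or enable the circumvention or violation of, any
 * terms of an Apple operating system software license agreement.
 *
 * Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
 */
/*-
 * Copyright (c) 1999-2002 Robert N. M. Watson
 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
 * Copyright (c) 2005-2007 SPARTA, Inc.
 * All rights reserved.
 *
 * This software was developed by Robert Watson for the TrustedBSD Project.
 *
 * This software was developed for the FreeBSD Project in part by Network
 * Associates Laboratories, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
 * as part of the DARPA CHATS research program.
 *
 * This software was enhanced by SPARTA ISSO under SPAWAR contract
 * N66001-04-C-6019 ("SEFOS").
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD: src/sys/sys/mac.h,v 1.40 2003/04/18 19:57:37 rwatson Exp $
 *
 */
/*
 * Kernel interface for Mandatory Access Control -- how kernel services
 * interact with the TrustedBSD MAC Framework.
 */

#ifndef _SECURITY_MAC_FRAMEWORK_H_
#define _SECURITY_MAC_FRAMEWORK_H_

#ifndef KERNEL
#error "no user-serviceable parts inside"
#endif

#ifndef PRIVATE
#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
#endif

/*
 * Naming convention used by the prototypes below (confirm against the
 * implementations before relying on it -- only the signatures are visible
 * here):
 *
 *   mac_<object>_check_<op>   access-control hooks, all returning int.  By
 *                             MAC Framework convention 0 allows the
 *                             operation and a non-zero errno value denies
 *                             it; callers are expected to propagate the
 *                             value, not discard it.
 *   mac_<object>_label_<op>   label lifecycle: alloc/free return or take a
 *                             bare struct label *, init/destroy act on the
 *                             owning kernel object, associate/update/copy/
 *                             recycle move label state between objects.
 *   mac_<object>_notify_<op>  post-operation notifications.  Mostly void;
 *                             mac_vnode_notify_create() is the exception
 *                             and returns int.
 *
 * This header deliberately has no #includes: kauth_cred_t, vfs_context_t,
 * proc_t, vnode_t, user_addr_t and the other typedefs used below must
 * already be in scope when it is included.
 */

/*
 * Forward declarations of the kernel objects the hooks operate on.  Every
 * struct tag used in a parameter list must be declared here first: a tag
 * first seen inside a prototype's parameter list has prototype scope only,
 * which makes later uses of the same tag refer to a different, incompatible
 * type.  struct auditinfo_addr and struct label are listed for that reason.
 */
struct attrlist;
struct auditinfo;
struct auditinfo_addr;
struct bpf_d;
struct componentname;
struct devnode;
struct flock;
struct fdescnode;
struct fileglob;
struct fileproc;
struct ifnet;
struct ifreq;
struct image_params;
struct inpcb;
struct ipq;
struct knote;
struct label;
struct lctx;
struct m_tag;
struct mac;
struct mac_module_data;
struct mbuf;
struct msg;
struct msqid_kernel;
struct mount;
struct pipe;
struct proc;
struct pseminfo;
struct pshminfo;
struct semid_kernel;
struct shmid_kernel;
struct sockaddr;
struct sockopt;
struct socket;
struct task;
struct thread;
struct timespec;
struct tty;
struct ucred;
struct uio;
struct uthread;
struct vfs_attr;
struct vfs_context;
struct vnode;
struct vnode_attr;
struct vop_setlabel_args;

/*
 * Tested with #if, so a build that leaves CONFIG_MACF undefined silently
 * compiles out every prototype in this file; the configuration must define
 * it explicitly.
 */
#if CONFIG_MACF

#ifndef __IOKIT_PORTS_DEFINED__
#define __IOKIT_PORTS_DEFINED__
#ifdef __cplusplus
class OSObject;
typedef OSObject *io_object_t;
#else
struct OSObject;
typedef struct OSObject *io_object_t;
#endif
#endif /* __IOKIT_PORTS_DEFINED__ */

/*@ macros */
/* NOTE(review): looks like a bit for the flags argument of vnode_label() below -- confirm against the callers. */
#define VNODE_LABEL_CREATE 1

/*
 * Without CONFIG_MACF_MACH this expands to nothing, so callers compile in
 * either configuration but the cred -> task label propagation simply does
 * not happen when the Mach side of the framework is built out.
 */
#if CONFIG_MACF_MACH
#define mac_task_label_update_cred(cred, task) \
    mac_task_label_update_internal(((cred)->cr_label), task)
#else
#define mac_task_label_update_cred(cred, task)
#endif

/*@ === */

/* Audit: pre-/post-selection of syscall audit records. */
int mac_audit_check_postselect(kauth_cred_t cred, unsigned short syscode,
    void *args, int error, int retval, int mac_forced);
int mac_audit_check_preselect(kauth_cred_t cred, unsigned short syscode,
    void *args);

/* BPF descriptors. */
int mac_bpfdesc_check_receive(struct bpf_d *bpf_d, struct ifnet *ifp);
void mac_bpfdesc_label_destroy(struct bpf_d *bpf_d);
void mac_bpfdesc_label_init(struct bpf_d *bpf_d);
void mac_bpfdesc_label_associate(kauth_cred_t cred, struct bpf_d *bpf_d);

/* Credentials. */
int mac_cred_check_label_update(kauth_cred_t cred,
    struct label *newlabel);
int mac_cred_check_label_update_execve(vfs_context_t ctx,
    struct vnode *vp, struct vnode *scriptvp, struct label *scriptvnodelabel,
    struct label *execlabel, proc_t proc, void *macextensions);
int mac_cred_check_visible(kauth_cred_t u1, kauth_cred_t u2);
struct label *mac_cred_label_alloc(void);
void mac_cred_label_associate(kauth_cred_t cred_parent,
    kauth_cred_t cred_child);
void mac_cred_label_associate_fork(kauth_cred_t cred, proc_t child);
void mac_cred_label_associate_kernel(kauth_cred_t cred);
void mac_cred_label_associate_user(kauth_cred_t cred);
void mac_cred_label_destroy(kauth_cred_t cred);
int mac_cred_label_externalize_audit(proc_t p, struct mac *mac);
void mac_cred_label_free(struct label *label);
void mac_cred_label_init(kauth_cred_t cred);
int mac_cred_label_compare(struct label *a, struct label *b);
void mac_cred_label_update(kauth_cred_t cred, struct label *newlabel);
int mac_cred_label_update_execve(vfs_context_t ctx, kauth_cred_t newcred,
    struct vnode *vp, struct vnode *scriptvp, struct label *scriptvnodelabel,
    struct label *execlabel, void *macextensions);

/* devfs nodes. */
void mac_devfs_label_associate_device(dev_t dev, struct devnode *de,
    const char *fullpath);
void mac_devfs_label_associate_directory(const char *dirname, int dirnamelen,
    struct devnode *de, const char *fullpath);
void mac_devfs_label_copy(struct label *src, struct label *dest);
void mac_devfs_label_destroy(struct devnode *de);
void mac_devfs_label_init(struct devnode *de);
void mac_devfs_label_update(struct mount *mp, struct devnode *de,
    struct vnode *vp);

/* execve(): mac_p is a user address, not a kernel pointer. */
int mac_execve_enter(user_addr_t mac_p, struct image_params *imgp);

/* Open-file objects (struct fileglob). */
int mac_file_check_change_offset(kauth_cred_t cred, struct fileglob *fg);
int mac_file_check_create(kauth_cred_t cred);
int mac_file_check_dup(kauth_cred_t cred, struct fileglob *fg, int newfd);
int mac_file_check_fcntl(kauth_cred_t cred, struct fileglob *fg, int cmd,
    user_long_t arg);
int mac_file_check_get(kauth_cred_t cred, struct fileglob *fg,
    char *elements, int len);
int mac_file_check_get_offset(kauth_cred_t cred, struct fileglob *fg);
int mac_file_check_inherit(kauth_cred_t cred, struct fileglob *fg);
int mac_file_check_ioctl(kauth_cred_t cred, struct fileglob *fg,
    unsigned int cmd);
int mac_file_check_lock(kauth_cred_t cred, struct fileglob *fg, int op,
    struct flock *fl);
/*
 * *maxprot (and *prot in the downgrade variant) is writable by the hook;
 * presumably a policy may narrow the permitted protection -- confirm
 * against the mmap callers.
 */
int mac_file_check_mmap(kauth_cred_t cred, struct fileglob *fg,
    int prot, int flags, int *maxprot);
void mac_file_check_mmap_downgrade(kauth_cred_t cred, struct fileglob *fg,
    int *prot);
int mac_file_check_receive(kauth_cred_t cred, struct fileglob *fg);
int mac_file_check_set(kauth_cred_t cred, struct fileglob *fg,
    char *bufp, int buflen);
void mac_file_label_associate(kauth_cred_t cred, struct fileglob *fg);
void mac_file_label_destroy(struct fileglob *fg);
void mac_file_label_init(struct fileglob *fg);

/* Network interfaces. */
int mac_ifnet_check_transmit(struct ifnet *ifp, struct mbuf *mbuf,
    int family, int type);
void mac_ifnet_label_associate(struct ifnet *ifp);
void mac_ifnet_label_destroy(struct ifnet *ifp);
int mac_ifnet_label_get(kauth_cred_t cred, struct ifreq *ifr,
    struct ifnet *ifp);
void mac_ifnet_label_init(struct ifnet *ifp);
void mac_ifnet_label_recycle(struct ifnet *ifp);
int mac_ifnet_label_set(kauth_cred_t cred, struct ifreq *ifr,
    struct ifnet *ifp);

/* Internet PCBs. */
int mac_inpcb_check_deliver(struct inpcb *inp, struct mbuf *mbuf,
    int family, int type);
void mac_inpcb_label_associate(struct socket *so, struct inpcb *inp);
void mac_inpcb_label_destroy(struct inpcb *inp);
int mac_inpcb_label_init(struct inpcb *inp, int flag);
void mac_inpcb_label_recycle(struct inpcb *inp);
void mac_inpcb_label_update(struct socket *so);

/* IOKit objects (io_object_t is defined above for both C and C++). */
int mac_iokit_check_device(char *devtype, struct mac_module_data *mdata);
int mac_iokit_check_open(kauth_cred_t cred, io_object_t user_client,
    unsigned int user_client_type);
int mac_iokit_check_set_properties(kauth_cred_t cred,
    io_object_t registry_entry, io_object_t properties);
int mac_iokit_check_hid_control(kauth_cred_t cred);

/* IP reassembly queues. */
void mac_ipq_label_associate(struct mbuf *fragment, struct ipq *ipq);
int mac_ipq_label_compare(struct mbuf *fragment, struct ipq *ipq);
void mac_ipq_label_destroy(struct ipq *ipq);
int mac_ipq_label_init(struct ipq *ipq, int flag);
void mac_ipq_label_update(struct mbuf *fragment, struct ipq *ipq);

/* Login contexts. */
struct label *mac_lctx_label_alloc(void);
void mac_lctx_label_free(struct label *label);
void mac_lctx_label_update(struct lctx *l, struct label *newlabel);
int mac_lctx_check_label_update(struct lctx *l, struct label *newlabel);
void mac_lctx_notify_create(proc_t proc, struct lctx *l);
void mac_lctx_notify_join(proc_t proc, struct lctx *l);
void mac_lctx_notify_leave(proc_t proc, struct lctx *l);

/* mbufs and mbuf tags. */
void mac_mbuf_label_associate_bpfdesc(struct bpf_d *bpf_d, struct mbuf *m);
void mac_mbuf_label_associate_ifnet(struct ifnet *ifp, struct mbuf *m);
void mac_mbuf_label_associate_inpcb(struct inpcb *inp, struct mbuf *m);
void mac_mbuf_label_associate_ipq(struct ipq *ipq, struct mbuf *mbuf);
void mac_mbuf_label_associate_linklayer(struct ifnet *ifp, struct mbuf *m);
void mac_mbuf_label_associate_multicast_encap(struct mbuf *oldmbuf,
    struct ifnet *ifp, struct mbuf *newmbuf);
void mac_mbuf_label_associate_netlayer(struct mbuf *oldmbuf,
    struct mbuf *newmbuf);
void mac_mbuf_label_associate_socket(struct socket *so, struct mbuf *m);
void mac_mbuf_label_copy(struct mbuf *m_from, struct mbuf *m_to);
void mac_mbuf_label_destroy(struct mbuf *m);
int mac_mbuf_label_init(struct mbuf *m, int flag);
void mac_mbuf_tag_copy(struct m_tag *m, struct m_tag *mtag);
void mac_mbuf_tag_destroy(struct m_tag *mtag);
int mac_mbuf_tag_init(struct m_tag *mtag, int how);

/* Mounts. */
int mac_mount_check_fsctl(vfs_context_t ctx, struct mount *mp,
    unsigned int cmd);
int mac_mount_check_getattr(vfs_context_t ctx, struct mount *mp,
    struct vfs_attr *vfa);
int mac_mount_check_label_update(vfs_context_t ctx, struct mount *mp);
int mac_mount_check_mount(vfs_context_t ctx, struct vnode *vp,
    struct componentname *cnp, const char *vfc_name);
int mac_mount_check_remount(vfs_context_t ctx, struct mount *mp);
int mac_mount_check_setattr(vfs_context_t ctx, struct mount *mp,
    struct vfs_attr *vfa);
int mac_mount_check_stat(vfs_context_t ctx, struct mount *mp);
int mac_mount_check_umount(vfs_context_t ctx, struct mount *mp);
void mac_mount_label_associate(vfs_context_t ctx, struct mount *mp);
void mac_mount_label_destroy(struct mount *mp);
/* outbuf is bounded by outbuflen; elements is a NUL-terminated C string. */
int mac_mount_label_externalize(struct label *label, char *elements,
    char *outbuf, size_t outbuflen);
int mac_mount_label_get(struct mount *mp, user_addr_t mac_p);
void mac_mount_label_init(struct mount *mp);
int mac_mount_label_internalize(struct label *label, char *string);

/* Generated IP packets. */
void mac_netinet_fragment(struct mbuf *datagram, struct mbuf *fragment);
void mac_netinet_icmp_reply(struct mbuf *m);
void mac_netinet_tcp_reply(struct mbuf *m);

/* Pipes. */
int mac_pipe_check_ioctl(kauth_cred_t cred, struct pipe *cpipe,
    unsigned int cmd);
int mac_pipe_check_kqfilter(kauth_cred_t cred, struct knote *kn,
    struct pipe *cpipe);
int mac_pipe_check_read(kauth_cred_t cred, struct pipe *cpipe);
int mac_pipe_check_select(kauth_cred_t cred, struct pipe *cpipe,
    int which);
int mac_pipe_check_stat(kauth_cred_t cred, struct pipe *cpipe);
int mac_pipe_check_write(kauth_cred_t cred, struct pipe *cpipe);
struct label *mac_pipe_label_alloc(void);
void mac_pipe_label_associate(kauth_cred_t cred, struct pipe *cpipe);
void mac_pipe_label_copy(struct label *src, struct label *dest);
void mac_pipe_label_destroy(struct pipe *cpipe);
void mac_pipe_label_free(struct label *label);
void mac_pipe_label_init(struct pipe *cpipe);
int mac_pipe_label_update(kauth_cred_t cred, struct pipe *cpipe,
    struct label *label);

/* Framework bring-up for the BSD side. */
void mac_policy_initbsd(void);

/* POSIX semaphores. */
int mac_posixsem_check_create(kauth_cred_t cred, const char *name);
int mac_posixsem_check_open(kauth_cred_t cred, struct pseminfo *psem);
int mac_posixsem_check_post(kauth_cred_t cred, struct pseminfo *psem);
int mac_posixsem_check_unlink(kauth_cred_t cred, struct pseminfo *psem,
    const char *name);
int mac_posixsem_check_wait(kauth_cred_t cred, struct pseminfo *psem);
void mac_posixsem_vnode_label_associate(kauth_cred_t cred,
    struct pseminfo *psem, struct label *plabel,
    vnode_t vp, struct label *vlabel);
void mac_posixsem_label_associate(kauth_cred_t cred,
    struct pseminfo *psem, const char *name);
void mac_posixsem_label_destroy(struct pseminfo *psem);
void mac_posixsem_label_init(struct pseminfo *psem);

/* POSIX shared memory. */
int mac_posixshm_check_create(kauth_cred_t cred, const char *name);
int mac_posixshm_check_mmap(kauth_cred_t cred, struct pshminfo *pshm,
    int prot, int flags);
int mac_posixshm_check_open(kauth_cred_t cred, struct pshminfo *pshm,
    int fflags);
int mac_posixshm_check_stat(kauth_cred_t cred, struct pshminfo *pshm);
int mac_posixshm_check_truncate(kauth_cred_t cred, struct pshminfo *pshm,
    off_t s);
int mac_posixshm_check_unlink(kauth_cred_t cred, struct pshminfo *pshm,
    const char *name);
void mac_posixshm_vnode_label_associate(kauth_cred_t cred,
    struct pshminfo *pshm, struct label *plabel,
    vnode_t vp, struct label *vlabel);
void mac_posixshm_label_associate(kauth_cred_t cred,
    struct pshminfo *pshm, const char *name);
void mac_posixshm_label_destroy(struct pshminfo *pshm);
void mac_posixshm_label_init(struct pshminfo *pshm);

/* Privileges: check denies, grant allows -- consult both call sites. */
int mac_priv_check(kauth_cred_t cred, int priv);
int mac_priv_grant(kauth_cred_t cred, int priv);

/* Processes.  Where two procs are passed the first is the acting one. */
int mac_proc_check_debug(proc_t proc1, proc_t proc2);
int mac_proc_check_cpumon(proc_t curp);
int mac_proc_check_proc_info(proc_t curp, proc_t target, int callnum,
    int flavor);
int mac_proc_check_fork(proc_t proc);
int mac_proc_check_suspend_resume(proc_t proc, int sr);
int mac_proc_check_get_task_name(kauth_cred_t cred, struct proc *p);
int mac_proc_check_get_task(kauth_cred_t cred, struct proc *p);
int mac_proc_check_getaudit(proc_t proc);
int mac_proc_check_getauid(proc_t proc);
int mac_proc_check_getlcid(proc_t proc1, proc_t proc2,
    pid_t pid);
int mac_proc_check_ledger(proc_t curp, proc_t target, int op);
/* u_addr/addr are user addresses; *maxprot is writable by the hook. */
int mac_proc_check_map_anon(proc_t proc, user_addr_t u_addr,
    user_size_t u_size, int prot, int flags, int *maxprot);
int mac_proc_check_mprotect(proc_t proc,
    user_addr_t addr, user_size_t size, int prot);
int mac_proc_check_run_cs_invalid(proc_t proc);
int mac_proc_check_sched(proc_t proc, proc_t proc2);
int mac_proc_check_setaudit(proc_t proc, struct auditinfo_addr *ai);
int mac_proc_check_setauid(proc_t proc, uid_t auid);
int mac_proc_check_setlcid(proc_t proc1, proc_t proc2,
    pid_t pid1, pid_t pid2);
int mac_proc_check_signal(proc_t proc1, proc_t proc2,
    int signum);
int mac_proc_check_wait(proc_t proc1, proc_t proc2);
void mac_proc_set_enforce(proc_t p, int enforce_flags);

/* Sockets and socket peers. */
int mac_setsockopt_label(kauth_cred_t cred, struct socket *so,
    struct mac *extmac);
int mac_socket_check_accept(kauth_cred_t cred, struct socket *so);
int mac_socket_check_accepted(kauth_cred_t cred, struct socket *so);
int mac_socket_check_bind(kauth_cred_t cred, struct socket *so,
    struct sockaddr *addr);
int mac_socket_check_connect(kauth_cred_t cred, struct socket *so,
    struct sockaddr *addr);
int mac_socket_check_create(kauth_cred_t cred, int domain,
    int type, int protocol);
int mac_socket_check_deliver(struct socket *so, struct mbuf *m);
int mac_socket_check_kqfilter(kauth_cred_t cred, struct knote *kn,
    struct socket *so);
int mac_socket_check_listen(kauth_cred_t cred, struct socket *so);
int mac_socket_check_receive(kauth_cred_t cred, struct socket *so);
int mac_socket_check_received(kauth_cred_t cred, struct socket *so,
    struct sockaddr *saddr);
int mac_socket_check_select(kauth_cred_t cred, struct socket *so,
    int which);
int mac_socket_check_send(kauth_cred_t cred, struct socket *so,
    struct sockaddr *addr);
int mac_socket_check_getsockopt(kauth_cred_t cred, struct socket *so,
    struct sockopt *sopt);
int mac_socket_check_setsockopt(kauth_cred_t cred, struct socket *so,
    struct sockopt *sopt);
int mac_socket_check_stat(kauth_cred_t cred, struct socket *so);
void mac_socket_label_associate(kauth_cred_t cred, struct socket *so);
void mac_socket_label_associate_accept(struct socket *oldsocket,
    struct socket *newsocket);
void mac_socket_label_copy(struct label *from, struct label *to);
void mac_socket_label_destroy(struct socket *so);
int mac_socket_label_get(kauth_cred_t cred, struct socket *so,
    struct mac *extmac);
int mac_socket_label_init(struct socket *so, int waitok);
void mac_socketpeer_label_associate_mbuf(struct mbuf *m, struct socket *so);
void mac_socketpeer_label_associate_socket(struct socket *peersocket,
    struct socket *socket_to_modify);
int mac_socketpeer_label_get(kauth_cred_t cred, struct socket *so,
    struct mac *extmac);

/* System-wide operations. */
int mac_system_check_acct(kauth_cred_t cred, struct vnode *vp);
int mac_system_check_audit(kauth_cred_t cred, void *record, int length);
int mac_system_check_auditctl(kauth_cred_t cred, struct vnode *vp);
int mac_system_check_auditon(kauth_cred_t cred, int cmd);
int mac_system_check_chud(kauth_cred_t cred);
int mac_system_check_host_priv(kauth_cred_t cred);
int mac_system_check_info(kauth_cred_t cred, const char *info_type);
int mac_system_check_nfsd(kauth_cred_t cred);
int mac_system_check_reboot(kauth_cred_t cred, int howto);
int mac_system_check_settime(kauth_cred_t cred);
int mac_system_check_swapoff(kauth_cred_t cred, struct vnode *vp);
int mac_system_check_swapon(kauth_cred_t cred, struct vnode *vp);
/*
 * name is a kernel pointer of namelen ints; oldctl, oldlenp and newctl are
 * user addresses (user_addr_t), not kernel pointers, and must not be
 * dereferenced directly by a policy.
 */
int mac_system_check_sysctl(kauth_cred_t cred, int *name,
    u_int namelen, user_addr_t oldctl, user_addr_t oldlenp, int inkernel,
    user_addr_t newctl, size_t newlen);
int mac_system_check_kas_info(kauth_cred_t cred, int selector);

/* System V message queues, semaphores and shared memory. */
void mac_sysvmsg_label_associate(kauth_cred_t cred,
    struct msqid_kernel *msqptr, struct msg *msgptr);
void mac_sysvmsg_label_init(struct msg *msgptr);
void mac_sysvmsg_label_recycle(struct msg *msgptr);
int mac_sysvmsq_check_enqueue(kauth_cred_t cred, struct msg *msgptr,
    struct msqid_kernel *msqptr);
int mac_sysvmsq_check_msgrcv(kauth_cred_t cred, struct msg *msgptr);
int mac_sysvmsq_check_msgrmid(kauth_cred_t cred, struct msg *msgptr);
int mac_sysvmsq_check_msqctl(kauth_cred_t cred,
    struct msqid_kernel *msqptr, int cmd);
int mac_sysvmsq_check_msqget(kauth_cred_t cred,
    struct msqid_kernel *msqptr);
int mac_sysvmsq_check_msqrcv(kauth_cred_t cred,
    struct msqid_kernel *msqptr);
int mac_sysvmsq_check_msqsnd(kauth_cred_t cred,
    struct msqid_kernel *msqptr);
void mac_sysvmsq_label_associate(kauth_cred_t cred,
    struct msqid_kernel *msqptr);
void mac_sysvmsq_label_init(struct msqid_kernel *msqptr);
void mac_sysvmsq_label_recycle(struct msqid_kernel *msqptr);
int mac_sysvsem_check_semctl(kauth_cred_t cred,
    struct semid_kernel *semakptr, int cmd);
int mac_sysvsem_check_semget(kauth_cred_t cred,
    struct semid_kernel *semakptr);
int mac_sysvsem_check_semop(kauth_cred_t cred,
    struct semid_kernel *semakptr, size_t accesstype);
void mac_sysvsem_label_associate(kauth_cred_t cred,
    struct semid_kernel *semakptr);
void mac_sysvsem_label_destroy(struct semid_kernel *semakptr);
void mac_sysvsem_label_init(struct semid_kernel *semakptr);
void mac_sysvsem_label_recycle(struct semid_kernel *semakptr);
int mac_sysvshm_check_shmat(kauth_cred_t cred,
    struct shmid_kernel *shmsegptr, int shmflg);
int mac_sysvshm_check_shmctl(kauth_cred_t cred,
    struct shmid_kernel *shmsegptr, int cmd);
int mac_sysvshm_check_shmdt(kauth_cred_t cred,
    struct shmid_kernel *shmsegptr);
int mac_sysvshm_check_shmget(kauth_cred_t cred,
    struct shmid_kernel *shmsegptr, int shmflg);
void mac_sysvshm_label_associate(kauth_cred_t cred,
    struct shmid_kernel *shmsegptr);
void mac_sysvshm_label_destroy(struct shmid_kernel *shmsegptr);
void mac_sysvshm_label_init(struct shmid_kernel *shmsegptr);
void mac_sysvshm_label_recycle(struct shmid_kernel *shmsegptr);

/* Threads (labels hang off the uthread). */
struct label *mac_thread_label_alloc(void);
void mac_thread_label_destroy(struct uthread *uthread);
void mac_thread_label_free(struct label *label);
void mac_thread_label_init(struct uthread *uthread);

/* Vnodes.  dvp is the directory vnode, vp the object vnode. */
int mac_vnode_check_access(vfs_context_t ctx, struct vnode *vp,
    int acc_mode);
int mac_vnode_check_chdir(vfs_context_t ctx, struct vnode *dvp);
int mac_vnode_check_chroot(vfs_context_t ctx, struct vnode *dvp,
    struct componentname *cnp);
int mac_vnode_check_create(vfs_context_t ctx, struct vnode *dvp,
    struct componentname *cnp, struct vnode_attr *vap);
int mac_vnode_check_deleteextattr(vfs_context_t ctx, struct vnode *vp,
    const char *name);
int mac_vnode_check_exchangedata(vfs_context_t ctx, struct vnode *v1,
    struct vnode *v2);
int mac_vnode_check_exec(vfs_context_t ctx, struct vnode *vp,
    struct image_params *imgp);
int mac_vnode_check_fsgetpath(vfs_context_t ctx, struct vnode *vp);
/*
 * Only the signature blob carries an explicit length (size); the length of
 * the sha1 buffer is fixed by the caller and is not expressed here.
 */
int mac_vnode_check_signature(struct vnode *vp, off_t macho_offset,
    unsigned char *sha1, void *signature, size_t size);
int mac_vnode_check_getattrlist(vfs_context_t ctx, struct vnode *vp,
    struct attrlist *alist);
int mac_vnode_check_getextattr(vfs_context_t ctx, struct vnode *vp,
    const char *name, struct uio *uio);
int mac_vnode_check_ioctl(vfs_context_t ctx, struct vnode *vp,
    unsigned int cmd);
int mac_vnode_check_kqfilter(vfs_context_t ctx,
    kauth_cred_t file_cred, struct knote *kn, struct vnode *vp);
int mac_vnode_check_label_update(vfs_context_t ctx, struct vnode *vp,
    struct label *newlabel);
int mac_vnode_check_link(vfs_context_t ctx, struct vnode *dvp,
    struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_listextattr(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_lookup(vfs_context_t ctx, struct vnode *dvp,
    struct componentname *cnp);
int mac_vnode_check_open(vfs_context_t ctx, struct vnode *vp,
    int acc_mode);
int mac_vnode_check_read(vfs_context_t ctx,
    kauth_cred_t file_cred, struct vnode *vp);
int mac_vnode_check_readdir(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_readlink(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_rename_from(vfs_context_t ctx, struct vnode *dvp,
    struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_rename_to(vfs_context_t ctx, struct vnode *dvp,
    struct vnode *vp, int samedir, struct componentname *cnp);
int mac_vnode_check_revoke(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_searchfs(vfs_context_t ctx, struct vnode *vp,
    struct attrlist *alist);
int mac_vnode_check_select(vfs_context_t ctx, struct vnode *vp,
    int which);
int mac_vnode_check_setattrlist(vfs_context_t ctx, struct vnode *vp,
    struct attrlist *alist);
int mac_vnode_check_setextattr(vfs_context_t ctx, struct vnode *vp,
    const char *name, struct uio *uio);
int mac_vnode_check_setflags(vfs_context_t ctx, struct vnode *vp,
    u_long flags);
int mac_vnode_check_setmode(vfs_context_t ctx, struct vnode *vp,
    mode_t mode);
int mac_vnode_check_setowner(vfs_context_t ctx, struct vnode *vp,
    uid_t uid, gid_t gid);
int mac_vnode_check_setutimes(vfs_context_t ctx, struct vnode *vp,
    struct timespec atime, struct timespec mtime);
int mac_vnode_check_stat(vfs_context_t ctx,
    kauth_cred_t file_cred, struct vnode *vp);
int mac_vnode_check_truncate(vfs_context_t ctx,
    kauth_cred_t file_cred, struct vnode *vp);
int mac_vnode_check_uipc_bind(vfs_context_t ctx, struct vnode *dvp,
    struct componentname *cnp, struct vnode_attr *vap);
int mac_vnode_check_uipc_connect(vfs_context_t ctx, struct vnode *vp);
int mac_vnode_check_unlink(vfs_context_t ctx, struct vnode *dvp,
    struct vnode *vp, struct componentname *cnp);
int mac_vnode_check_write(vfs_context_t ctx,
    kauth_cred_t file_cred, struct vnode *vp);
struct label *mac_vnode_label_alloc(void);
int mac_vnode_label_associate(struct mount *mp, struct vnode *vp,
    vfs_context_t ctx);
void mac_vnode_label_associate_devfs(struct mount *mp, struct devnode *de,
    struct vnode *vp);
int mac_vnode_label_associate_extattr(struct mount *mp, struct vnode *vp);
int mac_vnode_label_associate_fdesc(struct mount *mp, struct fdescnode *fnp,
    struct vnode *vp, vfs_context_t ctx);
void mac_vnode_label_associate_singlelabel(struct mount *mp,
    struct vnode *vp);
void mac_vnode_label_copy(struct label *l1, struct label *l2);
void mac_vnode_label_destroy(struct vnode *vp);
int mac_vnode_label_externalize_audit(struct vnode *vp, struct mac *mac);
void mac_vnode_label_free(struct label *label);
void mac_vnode_label_init(struct vnode *vp);
int mac_vnode_label_init_needed(struct vnode *vp);
void mac_vnode_label_recycle(struct vnode *vp);
void mac_vnode_label_update(vfs_context_t ctx, struct vnode *vp,
    struct label *newlabel);
void mac_vnode_label_update_extattr(struct mount *mp, struct vnode *vp,
    const char *name);
/* Unlike the other notify hooks this one returns int. */
int mac_vnode_notify_create(vfs_context_t ctx, struct mount *mp,
    struct vnode *dvp, struct vnode *vp, struct componentname *cnp);
void mac_vnode_notify_rename(vfs_context_t ctx, struct vnode *vp,
    struct vnode *dvp, struct componentname *cnp);
void mac_vnode_notify_open(vfs_context_t ctx, struct vnode *vp, int acc_flags);
void mac_vnode_notify_link(vfs_context_t ctx, struct vnode *vp,
    struct vnode *dvp, struct componentname *cnp);
int mac_vnode_find_sigs(struct proc *p, struct vnode *vp, off_t offsetInMacho);
/* flags is presumably a mask that may include VNODE_LABEL_CREATE -- confirm. */
int vnode_label(struct mount *mp, struct vnode *dvp, struct vnode *vp,
    struct componentname *cnp, int flags, vfs_context_t ctx);
void vnode_relabel(struct vnode *vp);

/* PTYs and kexts. */
void mac_pty_notify_grant(proc_t p, struct tty *tp, dev_t dev,
    struct label *label);
void mac_pty_notify_close(proc_t p, struct tty *tp, dev_t dev,
    struct label *label);
int mac_kext_check_load(kauth_cred_t cred, const char *identifier);
int mac_kext_check_unload(kauth_cred_t cred, const char *identifier);

/* Not mac_-prefixed, but part of the same framework. */
void psem_label_associate(struct fileproc *fp, struct vnode *vp,
    struct vfs_context *ctx);
void pshm_label_associate(struct fileproc *fp, struct vnode *vp,
    struct vfs_context *ctx);

#if CONFIG_MACF_NET
struct label *mac_bpfdesc_label_get(struct bpf_d *d);
void mac_bpfdesc_label_set(struct bpf_d *d, struct label *label);
#endif

#endif /* CONFIG_MACF */

#endif /* !_SECURITY_MAC_FRAMEWORK_H_ */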