1/* 2 * Copyright (c) 2007-2010 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28/*- 29 * Copyright (c) 1999-2002 Robert N. M. Watson 30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc. 31 * Copyright (c) 2005-2007 SPARTA, Inc. 32 * All rights reserved. 33 * 34 * This software was developed by Robert Watson for the TrustedBSD Project. 35 * 36 * This software was developed for the FreeBSD Project in part by Network 37 * Associates Laboratories, the Security Research Division of Network 38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 39 * as part of the DARPA CHATS research program. 40 * 41 * This software was enhanced by SPARTA ISSO under SPAWAR contract 42 * N66001-04-C-6019 ("SEFOS"). 43 * 44 * Redistribution and use in source and binary forms, with or without 45 * modification, are permitted provided that the following conditions 46 * are met: 47 * 1. Redistributions of source code must retain the above copyright 48 * notice, this list of conditions and the following disclaimer. 49 * 2. Redistributions in binary form must reproduce the above copyright 50 * notice, this list of conditions and the following disclaimer in the 51 * documentation and/or other materials provided with the distribution. 52 * 53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 63 * SUCH DAMAGE. 64 * 65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $ 66 */ 67 68/** 69 @file mac_policy.h 70 @brief Kernel Interfaces for MAC policy modules 71 72 This header defines the list of operations that are defined by the 73 TrustedBSD MAC Framwork on Darwin. MAC Policy modules register 74 with the framework to declare interest in a specific set of 75 operations. If interest in an entry point is not declared, then 76 the policy will be ignored when the Framework evaluates that entry 77 point. 78*/ 79 80#ifndef _SECURITY_MAC_POLICY_H_ 81#define _SECURITY_MAC_POLICY_H_ 82 83#ifndef PRIVATE 84#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version" 85#endif 86 87#include <security/_label.h> 88 89struct attrlist; 90struct auditinfo; 91struct bpf_d; 92struct devnode; 93struct fileglob; 94struct ifnet; 95struct inpcb; 96struct ipq; 97struct label; 98struct lctx; 99struct mac_module_data; 100struct mac_policy_conf; 101struct mbuf; 102struct mount; 103struct msg; 104struct msqid_kernel; 105struct pipe; 106struct pseminfo; 107struct pshminfo; 108struct sbuf; 109struct semid_kernel; 110struct shmid_kernel; 111struct socket; 112struct sockopt; 113struct task; 114struct thread; 115struct tty; 116struct ucred; 117struct vfs_attr; 118struct vnode; 119/** @struct dummy */ 120 121 122 123#ifndef _KAUTH_CRED_T 124#define _KAUTH_CRED_T 125typedef struct ucred *kauth_cred_t; 126#endif /* !_KAUTH_CRED_T */ 127 128#ifndef __IOKIT_PORTS_DEFINED__ 129#define __IOKIT_PORTS_DEFINED__ 130#ifdef __cplusplus 131class OSObject; 132typedef OSObject *io_object_t; 133#else 134struct OSObject; 135typedef struct OSObject *io_object_t; 136#endif 137#endif /* __IOKIT_PORTS_DEFINED__ */ 138 139/*- 140 * MAC entry points are generally named using the following template: 141 * 142 * mpo_<object>_<operation>() 143 * 144 * or: 145 * 146 * mpo_<object>_check_<operation>() 147 * 148 * Entry points are sorted by object type. 149 * 150 * It may be desirable also to consider some subsystems as "objects", such 151 * as system, iokit, etc. 152 */ 153 154/** 155 @name Entry Points for Label Management 156 157 These are the entry points corresponding to the life cycle events for 158 kernel objects, such as initialization, creation, and destruction. 159 160 Most policies (that use labels) will initialize labels by allocating 161 space for policy-specific data. In most cases, it is permitted to 162 sleep during label initialization operations; it will be noted when 163 it is not permitted. 164 165 Initialization usually will not require doing more than allocating a 166 generic label for the given object. What follows initialization is 167 creation, where a label is made specific to the object it is associated 168 with. Destruction occurs when the label is no longer needed, such as 169 when the corresponding object is destroyed. All necessary cleanup should 170 be performed in label destroy operations. 171 172 Where possible, the label entry points have identical parameters. If 173 the policy module does not require structure-specific label 174 information, the same function may be registered in the policy 175 operation vector. Many policies will implement two such generic 176 allocation calls: one to handle sleepable requests, and one to handle 177 potentially non-sleepable requests. 178*/ 179 180 181/** 182 @brief Audit event postselection 183 @param cred Subject credential 184 @param syscode Syscall number 185 @param args Syscall arguments 186 @param error Syscall errno 187 @param retval Syscall return value 188 189 This is the MAC Framework audit postselect, which is called before 190 exiting a syscall to determine if an audit event should be committed. 191 A return value of MAC_AUDIT_NO forces the audit record to be suppressed. 192 Any other return value results in the audit record being committed. 193 194 @warning The suppression behavior will probably go away in Apple's 195 future version of the audit implementation. 196 197 @return Return MAC_AUDIT_NO to force suppression of the audit record. 198 Any other value results in the audit record being committed. 199 200*/ 201typedef int mpo_audit_check_postselect_t( 202 kauth_cred_t cred, 203 unsigned short syscode, 204 void *args, 205 int error, 206 int retval 207); 208/** 209 @brief Audit event preselection 210 @param cred Subject credential 211 @param syscode Syscall number 212 @param args Syscall arguments 213 214 This is the MAC Framework audit preselect, which is called before a 215 syscall is entered to determine if an audit event should be created. 216 If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be 217 returned. A return value of MAC_AUDIT_NO causes the audit record to 218 be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants 219 to defer to the system's existing preselection mechanism. 220 221 When policies return different preferences, the Framework decides what action 222 to take based on the following policy. If any policy returns MAC_AUDIT_YES, 223 then create an audit record, else if any policy returns MAC_AUDIT_NO, then 224 suppress the creations of an audit record, else defer to the system's 225 existing preselection mechanism. 226 227 @warning The audit implementation in Apple's current version is 228 incomplete, so the MAC policies have priority over the system's existing 229 mechanisms. This will probably change in the future version where 230 the audit implementation is more complete. 231 232 @return Return MAC_AUDIT_YES to force auditing of the syscall, 233 MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT 234 to allow auditing mechanisms to determine if the syscall is audited. 235 236*/ 237typedef int mpo_audit_check_preselect_t( 238 kauth_cred_t cred, 239 unsigned short syscode, 240 void *args 241); 242/** 243 @brief Initialize BPF descriptor label 244 @param label New label to initialize 245 246 Initialize the label for a newly instantiated BPF descriptor. 247 Sleeping is permitted. 248*/ 249typedef void mpo_bpfdesc_label_init_t( 250 struct label *label 251); 252/** 253 @brief Destroy BPF descriptor label 254 @param label The label to be destroyed 255 256 Destroy a BPF descriptor label. Since the BPF descriptor 257 is going out of scope, policy modules should free any internal 258 storage associated with the label so that it may be destroyed. 259*/ 260typedef void mpo_bpfdesc_label_destroy_t( 261 struct label *label 262); 263/** 264 @brief Associate a BPF descriptor with a label 265 @param cred User credential creating the BPF descriptor 266 @param bpf_d The BPF descriptor 267 @param bpflabel The new label 268 269 Set the label on a newly created BPF descriptor from the passed 270 subject credential. This call will be made when a BPF device node 271 is opened by a process with the passed subject credential. 272*/ 273typedef void mpo_bpfdesc_label_associate_t( 274 kauth_cred_t cred, 275 struct bpf_d *bpf_d, 276 struct label *bpflabel 277); 278/** 279 @brief Check whether BPF can read from a network interface 280 @param bpf_d Subject; the BPF descriptor 281 @param bpflabel Policy label for bpf_d 282 @param ifp Object; the network interface 283 @param ifnetlabel Policy label for ifp 284 285 Determine whether the MAC framework should permit datagrams from 286 the passed network interface to be delivered to the buffers of 287 the passed BPF descriptor. Return (0) for success, or an errno 288 value for failure. Suggested failure: EACCES for label mismatches, 289 EPERM for lack of privilege. 290*/ 291typedef int mpo_bpfdesc_check_receive_t( 292 struct bpf_d *bpf_d, 293 struct label *bpflabel, 294 struct ifnet *ifp, 295 struct label *ifnetlabel 296); 297/** 298 @brief Indicate desire to change the process label at exec time 299 @param old Existing subject credential 300 @param vp File being executed 301 @param vnodelabel Label corresponding to vp 302 @param scriptvnodelabel Script vnode label 303 @param execlabel Userspace provided execution label 304 @param proc Object process 305 @param macpolicyattr MAC policy-specific spawn attribute data 306 @param macpolicyattrlen Length of policy-specific spawn attribute data 307 @see mac_execve 308 @see mpo_cred_label_update_execve_t 309 @see mpo_vnode_check_exec_t 310 311 Indicate whether this policy intends to update the label of a newly 312 created credential from the existing subject credential (old). This 313 call occurs when a process executes the passed vnode. If a policy 314 returns success from this entry point, the mpo_cred_label_update_execve 315 entry point will later be called with the same parameters. Access 316 has already been checked via the mpo_vnode_check_exec entry point, 317 this entry point is necessary to preserve kernel locking constraints 318 during program execution. 319 320 The supplied vnode and vnodelabel correspond with the file actually 321 being executed; in the case that the file is interpreted (for 322 example, a script), the label of the original exec-time vnode has 323 been preserved in scriptvnodelabel. 324 325 The final label, execlabel, corresponds to a label supplied by a 326 user space application through the use of the mac_execve system call. 327 328 The vnode lock is held during this operation. No changes should be 329 made to the old credential structure. 330 331 @warning Even if a policy returns 0, it should behave correctly in 332 the presence of an invocation of mpo_cred_label_update_execve, as that 333 call may happen as a result of another policy requesting a transition. 334 335 @return Non-zero if a transition is required, 0 otherwise. 336*/ 337typedef int mpo_cred_check_label_update_execve_t( 338 kauth_cred_t old, 339 struct vnode *vp, 340 struct vnode *scriptvp, 341 struct label *vnodelabel, 342 struct label *scriptvnodelabel, 343 struct label *execlabel, 344 struct proc *p, 345 void *macpolicyattr, 346 size_t macpolicyattrlen 347); 348/** 349 @brief Access control check for relabelling processes 350 @param cred Subject credential 351 @param newlabel New label to apply to the user credential 352 @see mpo_cred_label_update_t 353 @see mac_set_proc 354 355 Determine whether the subject identified by the credential can relabel 356 itself to the supplied new label (newlabel). This access control check 357 is called when the mac_set_proc system call is invoked. A user space 358 application will supply a new value, the value will be internalized 359 and provided in newlabel. 360 361 @return Return 0 if access is granted, otherwise an appropriate value for 362 errno should be returned. 363*/ 364typedef int mpo_cred_check_label_update_t( 365 kauth_cred_t cred, 366 struct label *newlabel 367); 368/** 369 @brief Access control check for visibility of other subjects 370 @param u1 Subject credential 371 @param u2 Object credential 372 373 Determine whether the subject identified by the credential u1 can 374 "see" other subjects with the passed subject credential u2. This call 375 may be made in a number of situations, including inter-process status 376 sysctls used by ps, and in procfs lookups. 377 378 @return Return 0 if access is granted, otherwise an appropriate value for 379 errno should be returned. Suggested failure: EACCES for label mismatch, 380 EPERM for lack of privilege, or ESRCH to hide visibility. 381*/ 382typedef int mpo_cred_check_visible_t( 383 kauth_cred_t u1, 384 kauth_cred_t u2 385); 386/** 387 @brief Associate a credential with a new process at fork 388 @param cred credential to inherited by new process 389 @param proc the new process 390 391 Allow a process to associate the credential with a new 392 process for reference countng purposes. 393 NOTE: the credential can be dis-associated in ways other 394 than exit - so this strategy is flawed - should just 395 catch label destroy callback. 396*/ 397typedef void mpo_cred_label_associate_fork_t( 398 kauth_cred_t cred, 399 proc_t proc 400); 401/** 402 @brief Create the first process 403 @param cred Subject credential to be labeled 404 405 Create the subject credential of process 0, the parent of all BSD 406 kernel processes. Policies should update the label in the 407 previously initialized credential structure. 408*/ 409typedef void mpo_cred_label_associate_kernel_t( 410 kauth_cred_t cred 411); 412/** 413 @brief Create a credential label 414 @param parent_cred Parent credential 415 @param child_cred Child credential 416 417 Set the label of a newly created credential, most likely using the 418 information in the supplied parent credential. 419 420 @warning This call is made when crcopy or crdup is invoked on a 421 newly created struct ucred, and should not be confused with a 422 process fork or creation event. 423*/ 424typedef void mpo_cred_label_associate_t( 425 kauth_cred_t parent_cred, 426 kauth_cred_t child_cred 427); 428/** 429 @brief Create the first process 430 @param cred Subject credential to be labeled 431 432 Create the subject credential of process 1, the parent of all BSD 433 user processes. Policies should update the label in the previously 434 initialized credential structure. This is the 'init' process. 435*/ 436typedef void mpo_cred_label_associate_user_t( 437 kauth_cred_t cred 438); 439/** 440 @brief Destroy credential label 441 @param label The label to be destroyed 442 443 Destroy a user credential label. Since the user credential 444 is going out of scope, policy modules should free any internal 445 storage associated with the label so that it may be destroyed. 446*/ 447typedef void mpo_cred_label_destroy_t( 448 struct label *label 449); 450/** 451 @brief Externalize a user credential label for auditing 452 @param label Label to be externalized 453 @param element_name Name of the label namespace for which labels should be 454 externalized 455 @param sb String buffer to be filled with a text representation of the label 456 457 Produce an external representation of the label on a user credential for 458 inclusion in an audit record. An externalized label consists of a text 459 representation of the label contents that will be added to the audit record 460 as part of a text token. Policy-agnostic user space tools will display 461 this externalized version. 462 463 @return 0 on success, return non-zero if an error occurs while 464 externalizing the label data. 465 466*/ 467typedef int mpo_cred_label_externalize_audit_t( 468 struct label *label, 469 char *element_name, 470 struct sbuf *sb 471); 472/** 473 @brief Externalize a user credential label 474 @param label Label to be externalized 475 @param element_name Name of the label namespace for which labels should be 476 externalized 477 @param sb String buffer to be filled with a text representation of the label 478 479 Produce an external representation of the label on a user 480 credential. An externalized label consists of a text representation 481 of the label contents that can be used with user applications. 482 Policy-agnostic user space tools will display this externalized 483 version. 484 485 @return 0 on success, return non-zero if an error occurs while 486 externalizing the label data. 487 488*/ 489typedef int mpo_cred_label_externalize_t( 490 struct label *label, 491 char *element_name, 492 struct sbuf *sb 493); 494/** 495 @brief Initialize user credential label 496 @param label New label to initialize 497 498 Initialize the label for a newly instantiated user credential. 499 Sleeping is permitted. 500*/ 501typedef void mpo_cred_label_init_t( 502 struct label *label 503); 504/** 505 @brief Internalize a user credential label 506 @param label Label to be internalized 507 @param element_name Name of the label namespace for which the label should 508 be internalized 509 @param element_data Text data to be internalized 510 511 Produce a user credential label from an external representation. An 512 externalized label consists of a text representation of the label 513 contents that can be used with user applications. Policy-agnostic 514 user space tools will forward text version to the kernel for 515 processing by individual policy modules. 516 517 The policy's internalize entry points will be called only if the 518 policy has registered interest in the label namespace. 519 520 @return 0 on success, Otherwise, return non-zero if an error occurs 521 while internalizing the label data. 522 523*/ 524typedef int mpo_cred_label_internalize_t( 525 struct label *label, 526 char *element_name, 527 char *element_data 528); 529/** 530 @brief Update credential at exec time 531 @param old_cred Existing subject credential 532 @param new_cred New subject credential to be labeled 533 @param p Object process. 534 @param vp File being executed 535 @param vnodelabel Label corresponding to vp 536 @param scriptvnodelabel Script vnode label 537 @param execlabel Userspace provided execution label 538 @param macpolicyattr MAC policy-specific spawn attribute data. 539 @param macpolicyattrlen Length of policy-specific spawn attribute data. 540 @see mac_execve 541 @see mpo_cred_check_label_update_execve_t 542 @see mpo_vnode_check_exec_t 543 544 Update the label of a newly created credential (new) from the 545 existing subject credential (old). This call occurs when a process 546 executes the passed vnode and one of the loaded policy modules has 547 returned success from the mpo_cred_check_label_update_execve entry point. 548 Access has already been checked via the mpo_vnode_check_exec entry 549 point, this entry point is only used to update any policy state. 550 551 The supplied vnode and vnodelabel correspond with the file actually 552 being executed; in the case that the file is interpreted (for 553 example, a script), the label of the original exec-time vnode has 554 been preserved in scriptvnodelabel. 555 556 The final label, execlabel, corresponds to a label supplied by a 557 user space application through the use of the mac_execve system call. 558 559 If non-NULL, the value pointed to by disjointp will be set to 0 to 560 indicate that the old and new credentials are not disjoint, or 1 to 561 indicate that they are. 562 563 The vnode lock is held during this operation. No changes should be 564 made to the old credential structure. 565*/ 566typedef void mpo_cred_label_update_execve_t( 567 kauth_cred_t old_cred, 568 kauth_cred_t new_cred, 569 struct proc *p, 570 struct vnode *vp, 571 struct vnode *scriptvp, 572 struct label *vnodelabel, 573 struct label *scriptvnodelabel, 574 struct label *execlabel, 575 void *macpolicyattr, 576 size_t macpolicyattrlen, 577 int *disjointp 578); 579/** 580 @brief Update a credential label 581 @param cred The existing credential 582 @param newlabel A new label to apply to the credential 583 @see mpo_cred_check_label_update_t 584 @see mac_set_proc 585 586 Update the label on a user credential, using the supplied new label. 587 This is called as a result of a process relabel operation. Access 588 control was already confirmed by mpo_cred_check_label_update. 589*/ 590typedef void mpo_cred_label_update_t( 591 kauth_cred_t cred, 592 struct label *newlabel 593); 594/** 595 @brief Create a new devfs device 596 @param dev Major and minor numbers of special file 597 @param de "inode" of new device file 598 @param label Destination label 599 @param fullpath Path relative to mount (e.g. /dev) of new device file 600 601 This entry point labels a new devfs device. The label will likely be based 602 on the path to the device, or the major and minor numbers. 603 The policy should store an appropriate label into 'label'. 604*/ 605typedef void mpo_devfs_label_associate_device_t( 606 dev_t dev, 607 struct devnode *de, 608 struct label *label, 609 const char *fullpath 610); 611/** 612 @brief Create a new devfs directory 613 @param dirname Name of new directory 614 @param dirnamelen Length of 'dirname' 615 @param de "inode" of new directory 616 @param label Destination label 617 @param fullpath Path relative to mount (e.g. /dev) of new directory 618 619 This entry point labels a new devfs directory. The label will likely be 620 based on the path of the new directory. The policy should store an appropriate 621 label into 'label'. The devfs root directory is labelled in this way. 622*/ 623typedef void mpo_devfs_label_associate_directory_t( 624 const char *dirname, 625 int dirnamelen, 626 struct devnode *de, 627 struct label *label, 628 const char *fullpath 629); 630/** 631 @brief Copy a devfs label 632 @param src Source devfs label 633 @param dest Destination devfs label 634 635 Copy the label information from src to dest. The devfs file system 636 often duplicates (splits) existing device nodes rather than creating 637 new ones. 638*/ 639typedef void mpo_devfs_label_copy_t( 640 struct label *src, 641 struct label *dest 642); 643/** 644 @brief Destroy devfs label 645 @param label The label to be destroyed 646 647 Destroy a devfs entry label. Since the object is going out 648 of scope, policy modules should free any internal storage associated 649 with the label so that it may be destroyed. 650*/ 651typedef void mpo_devfs_label_destroy_t( 652 struct label *label 653); 654/** 655 @brief Initialize devfs label 656 @param label New label to initialize 657 658 Initialize the label for a newly instantiated devfs entry. Sleeping 659 is permitted. 660*/ 661typedef void mpo_devfs_label_init_t( 662 struct label *label 663); 664/** 665 @brief Update a devfs label after relabelling its vnode 666 @param mp Devfs mount point 667 @param de Affected devfs directory entry 668 @param delabel Label of devfs directory entry 669 @param vp Vnode associated with de 670 @param vnodelabel New label of vnode 671 672 Update a devfs label when its vnode is manually relabelled, 673 for example with setfmac(1). Typically, this will simply copy 674 the vnode label into the devfs label. 675*/ 676typedef void mpo_devfs_label_update_t( 677 struct mount *mp, 678 struct devnode *de, 679 struct label *delabel, 680 struct vnode *vp, 681 struct label *vnodelabel 682); 683/** 684 @brief Access control for changing the offset of a file descriptor 685 @param cred Subject credential 686 @param fg Fileglob structure 687 @param label Policy label for fg 688 689 Determine whether the subject identified by the credential can 690 change the offset of the file represented by fg. 691 692 @return Return 0 if access if granted, otherwise an appropriate 693 value for errno should be returned. 694*/ 695typedef int mpo_file_check_change_offset_t( 696 kauth_cred_t cred, 697 struct fileglob *fg, 698 struct label *label 699); 700/** 701 @brief Access control for creating a file descriptor 702 @param cred Subject credential 703 704 Determine whether the subject identified by the credential can 705 allocate a new file descriptor. 706 707 @return Return 0 if access if granted, otherwise an appropriate 708 value for errno should be returned. 709*/ 710typedef int mpo_file_check_create_t( 711 kauth_cred_t cred 712); 713/** 714 @brief Access control for duplicating a file descriptor 715 @param cred Subject credential 716 @param fg Fileglob structure 717 @param label Policy label for fg 718 @param newfd New file descriptor number 719 720 Determine whether the subject identified by the credential can 721 duplicate the fileglob structure represented by fg and as file 722 descriptor number newfd. 723 724 @return Return 0 if access if granted, otherwise an appropriate 725 value for errno should be returned. 726*/ 727typedef int mpo_file_check_dup_t( 728 kauth_cred_t cred, 729 struct fileglob *fg, 730 struct label *label, 731 int newfd 732); 733/** 734 @brief Access control check for fcntl 735 @param cred Subject credential 736 @param fg Fileglob structure 737 @param label Policy label for fg 738 @param cmd Control operation to be performed; see fcntl(2) 739 @param arg fcnt arguments; see fcntl(2) 740 741 Determine whether the subject identified by the credential can perform 742 the file control operation indicated by cmd. 743 744 @return Return 0 if access is granted, otherwise an appropriate value for 745 errno should be returned. 746*/ 747typedef int mpo_file_check_fcntl_t( 748 kauth_cred_t cred, 749 struct fileglob *fg, 750 struct label *label, 751 int cmd, 752 user_long_t arg 753); 754/** 755 @brief Access control check for mac_get_fd 756 @param cred Subject credential 757 @param fg Fileglob structure 758 @param elements Element buffer 759 @param len Length of buffer 760 761 Determine whether the subject identified by the credential should be allowed 762 to get an externalized version of the label on the object indicated by fd. 763 764 @return Return 0 if access is granted, otherwise an appropriate value for 765 errno should be returned. 766*/ 767typedef int mpo_file_check_get_t( 768 kauth_cred_t cred, 769 struct fileglob *fg, 770 char *elements, 771 int len 772); 773/** 774 @brief Access control for getting the offset of a file descriptor 775 @param cred Subject credential 776 @param fg Fileglob structure 777 @param label Policy label for fg 778 779 Determine whether the subject identified by the credential can 780 get the offset of the file represented by fg. 781 782 @return Return 0 if access if granted, otherwise an appropriate 783 value for errno should be returned. 784*/ 785typedef int mpo_file_check_get_offset_t( 786 kauth_cred_t cred, 787 struct fileglob *fg, 788 struct label *label 789); 790/** 791 @brief Access control for inheriting a file descriptor 792 @param cred Subject credential 793 @param fg Fileglob structure 794 @param label Policy label for fg 795 796 Determine whether the subject identified by the credential can 797 inherit the fileglob structure represented by fg. 798 799 @return Return 0 if access if granted, otherwise an appropriate 800 value for errno should be returned. 801*/ 802typedef int mpo_file_check_inherit_t( 803 kauth_cred_t cred, 804 struct fileglob *fg, 805 struct label *label 806); 807/** 808 @brief Access control check for file ioctl 809 @param cred Subject credential 810 @param fg Fileglob structure 811 @param label Policy label for fg 812 @param cmd The ioctl command; see ioctl(2) 813 814 Determine whether the subject identified by the credential can perform 815 the ioctl operation indicated by cmd. 816 817 @warning Since ioctl data is opaque from the standpoint of the MAC 818 framework, policies must exercise extreme care when implementing 819 access control checks. 820 821 @return Return 0 if access is granted, otherwise an appropriate value for 822 errno should be returned. 823 824*/ 825typedef int mpo_file_check_ioctl_t( 826 kauth_cred_t cred, 827 struct fileglob *fg, 828 struct label *label, 829 unsigned int cmd 830); 831/** 832 @brief Access control check for file locking 833 @param cred Subject credential 834 @param fg Fileglob structure 835 @param label Policy label for fg 836 @param op The lock operation (F_GETLK, F_SETLK, F_UNLK) 837 @param fl The flock structure 838 839 Determine whether the subject identified by the credential can perform 840 the lock operation indicated by op and fl on the file represented by fg. 841 842 @return Return 0 if access is granted, otherwise an appropriate value for 843 errno should be returned. 844 845*/ 846typedef int mpo_file_check_lock_t( 847 kauth_cred_t cred, 848 struct fileglob *fg, 849 struct label *label, 850 int op, 851 struct flock *fl 852); 853/** 854 @brief Access control check for mapping a file 855 @param cred Subject credential 856 @param fg fileglob representing file to map 857 @param label Policy label associated with vp 858 @param prot mmap protections; see mmap(2) 859 @param flags Type of mapped object; see mmap(2) 860 @param maxprot Maximum rights 861 862 Determine whether the subject identified by the credential should be 863 allowed to map the file represented by fg with the protections specified 864 in prot. The maxprot field holds the maximum permissions on the new 865 mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. 866 To avoid overriding prior access control checks, a policy should only 867 remove flags from maxprot. 868 869 @return Return 0 if access is granted, otherwise an appropriate value for 870 errno should be returned. Suggested failure: EACCES for label mismatch or 871 EPERM for lack of privilege. 872*/ 873typedef int mpo_file_check_mmap_t( 874 kauth_cred_t cred, 875 struct fileglob *fg, 876 struct label *label, 877 int prot, 878 int flags, 879 int *maxprot 880); 881/** 882 @brief Downgrade the mmap protections 883 @param cred Subject credential 884 @param fg file to map 885 @param label Policy label associated with vp 886 @param prot mmap protections to be downgraded 887 888 Downgrade the mmap protections based on the subject and object labels. 889*/ 890typedef void mpo_file_check_mmap_downgrade_t( 891 kauth_cred_t cred, 892 struct fileglob *fg, 893 struct label *label, 894 int *prot 895); 896/** 897 @brief Access control for receiving a file descriptor 898 @param cred Subject credential 899 @param fg Fileglob structure 900 @param label Policy label for fg 901 902 Determine whether the subject identified by the credential can 903 receive the fileglob structure represented by fg. 904 905 @return Return 0 if access if granted, otherwise an appropriate 906 value for errno should be returned. 907*/ 908typedef int mpo_file_check_receive_t( 909 kauth_cred_t cred, 910 struct fileglob *fg, 911 struct label *label 912); 913/** 914 @brief Access control check for mac_set_fd 915 @param cred Subject credential 916 @param fg Fileglob structure 917 @param elements Elements buffer 918 @param len Length of elements buffer 919 920 Determine whether the subject identified by the credential can 921 perform the mac_set_fd operation. The mac_set_fd operation is used 922 to associate a MAC label with a file. 923 924 @return Return 0 if access is granted, otherwise an appropriate value for 925 errno should be returned. 926*/ 927typedef int mpo_file_check_set_t( 928 kauth_cred_t cred, 929 struct fileglob *fg, 930 char *elements, 931 int len 932); 933/** 934 @brief Create file label 935 @param cred Subject credential 936 @param fg Fileglob structure 937 @param label Policy label for fg 938*/ 939typedef void mpo_file_label_associate_t( 940 kauth_cred_t cred, 941 struct fileglob *fg, 942 struct label *label 943); 944/** 945 @brief Destroy file label 946 @param label The label to be destroyed 947 948 Destroy the label on a file descriptor. In this entry point, a 949 policy module should free any internal storage associated with 950 label so that it may be destroyed. 951*/ 952typedef void mpo_file_label_destroy_t( 953 struct label *label 954); 955/** 956 @brief Initialize file label 957 @param label New label to initialize 958*/ 959typedef void mpo_file_label_init_t( 960 struct label *label 961); 962/** 963 @brief Access control check for relabeling network interfaces 964 @param cred Subject credential 965 @param ifp network interface being relabeled 966 @param ifnetlabel Current label of the network interfaces 967 @param newlabel New label to apply to the network interfaces 968 @see mpo_ifnet_label_update_t 969 970 Determine whether the subject identified by the credential can 971 relabel the network interface represented by ifp to the supplied 972 new label (newlabel). 973 974 @return Return 0 if access is granted, otherwise an appropriate value for 975 errno should be returned. 976*/ 977typedef int mpo_ifnet_check_label_update_t( 978 kauth_cred_t cred, 979 struct ifnet *ifp, 980 struct label *ifnetlabel, 981 struct label *newlabel 982); 983/** 984 @brief Access control check for relabeling network interfaces 985 @param ifp Network interface mbuf will be transmitted through 986 @param ifnetlabel Label of the network interfaces 987 @param m The mbuf to be transmitted 988 @param mbuflabel Label of the mbuf to be transmitted 989 @param family Address Family, AF_* 990 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW} 991 992 Determine whether the mbuf with label mbuflabel may be transmitted 993 through the network interface represented by ifp that has the 994 label ifnetlabel. 995 996 @return Return 0 if access is granted, otherwise an appropriate value for 997 errno should be returned. 998*/ 999typedef int mpo_ifnet_check_transmit_t( 1000 struct ifnet *ifp, 1001 struct label *ifnetlabel, 1002 struct mbuf *m, 1003 struct label *mbuflabel, 1004 int family, 1005 int type 1006); 1007/** 1008 @brief Create a network interface label 1009 @param ifp Network interface labeled 1010 @param ifnetlabel Label for the network interface 1011 1012 Set the label of a newly created network interface, most likely 1013 using the information in the supplied network interface struct. 1014*/ 1015typedef void mpo_ifnet_label_associate_t( 1016 struct ifnet *ifp, 1017 struct label *ifnetlabel 1018); 1019/** 1020 @brief Copy an ifnet label 1021 @param src Source ifnet label 1022 @param dest Destination ifnet label 1023 1024 Copy the label information from src to dest. 1025*/ 1026typedef void mpo_ifnet_label_copy_t( 1027 struct label *src, 1028 struct label *dest 1029); 1030/** 1031 @brief Destroy ifnet label 1032 @param label The label to be destroyed 1033 1034 Destroy the label on an ifnet label. In this entry point, a 1035 policy module should free any internal storage associated with 1036 label so that it may be destroyed. 1037*/ 1038typedef void mpo_ifnet_label_destroy_t( 1039 struct label *label 1040); 1041/** 1042 @brief Externalize an ifnet label 1043 @param label Label to be externalized 1044 @param element_name Name of the label namespace for which labels should be 1045 externalized 1046 @param sb String buffer to be filled with a text representation of the label 1047 1048 Produce an external representation of the label on an interface. 1049 An externalized label consists of a text representation of the 1050 label contents that can be used with user applications. 1051 Policy-agnostic user space tools will display this externalized 1052 version. 1053 1054 @return 0 on success, return non-zero if an error occurs while 1055 externalizing the label data. 1056 1057*/ 1058typedef int mpo_ifnet_label_externalize_t( 1059 struct label *label, 1060 char *element_name, 1061 struct sbuf *sb 1062); 1063/** 1064 @brief Initialize ifnet label 1065 @param label New label to initialize 1066*/ 1067typedef void mpo_ifnet_label_init_t( 1068 struct label *label 1069); 1070/** 1071 @brief Internalize an interface label 1072 @param label Label to be internalized 1073 @param element_name Name of the label namespace for which the label should 1074 be internalized 1075 @param element_data Text data to be internalized 1076 1077 Produce an interface label from an external representation. An 1078 externalized label consists of a text representation of the label 1079 contents that can be used with user applications. Policy-agnostic 1080 user space tools will forward text version to the kernel for 1081 processing by individual policy modules. 1082 1083 The policy's internalize entry points will be called only if the 1084 policy has registered interest in the label namespace. 1085 1086 @return 0 on success, Otherwise, return non-zero if an error occurs 1087 while internalizing the label data. 1088 1089*/ 1090typedef int mpo_ifnet_label_internalize_t( 1091 struct label *label, 1092 char *element_name, 1093 char *element_data 1094); 1095/** 1096 @brief Recycle up a network interface label 1097 @param label The label to be recycled 1098 1099 Recycle a network interface label. Darwin caches the struct ifnet 1100 of detached ifnets in a "free pool". Before ifnets are returned 1101 to the "free pool", policies can cleanup or overwrite any information 1102 present in the label. 1103*/ 1104typedef void mpo_ifnet_label_recycle_t( 1105 struct label *label 1106); 1107/** 1108 @brief Update a network interface label 1109 @param cred Subject credential 1110 @param ifp The network interface to be relabeled 1111 @param ifnetlabel The current label of the network interface 1112 @param newlabel A new label to apply to the network interface 1113 @see mpo_ifnet_check_label_update_t 1114 1115 Update the label on a network interface, using the supplied new label. 1116*/ 1117typedef void mpo_ifnet_label_update_t( 1118 kauth_cred_t cred, 1119 struct ifnet *ifp, 1120 struct label *ifnetlabel, 1121 struct label *newlabel 1122); 1123/** 1124 @brief Access control check for delivering a packet to a socket 1125 @param inp inpcb the socket is associated with 1126 @param inplabel Label of the inpcb 1127 @param m The mbuf being received 1128 @param mbuflabel Label of the mbuf being received 1129 @param family Address family, AF_* 1130 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW} 1131 1132 Determine whether the mbuf with label mbuflabel may be received 1133 by the socket associated with inpcb that has the label inplabel. 1134 1135 @return Return 0 if access is granted, otherwise an appropriate value for 1136 errno should be returned. 1137*/ 1138typedef int mpo_inpcb_check_deliver_t( 1139 struct inpcb *inp, 1140 struct label *inplabel, 1141 struct mbuf *m, 1142 struct label *mbuflabel, 1143 int family, 1144 int type 1145); 1146/** 1147 @brief Create an inpcb label 1148 @param so Socket containing the inpcb to be labeled 1149 @param solabel Label of the socket 1150 @param inp inpcb to be labeled 1151 @param inplabel Label for the inpcb 1152 1153 Set the label of a newly created inpcb, most likely 1154 using the information in the socket and/or socket label. 1155*/ 1156typedef void mpo_inpcb_label_associate_t( 1157 struct socket *so, 1158 struct label *solabel, 1159 struct inpcb *inp, 1160 struct label *inplabel 1161); 1162/** 1163 @brief Destroy inpcb label 1164 @param label The label to be destroyed 1165 1166 Destroy the label on an inpcb label. In this entry point, a 1167 policy module should free any internal storage associated with 1168 label so that it may be destroyed. 1169*/ 1170typedef void mpo_inpcb_label_destroy_t( 1171 struct label *label 1172); 1173/** 1174 @brief Initialize inpcb label 1175 @param label New label to initialize 1176 @param flag M_WAITOK or M_NOWAIT 1177*/ 1178typedef int mpo_inpcb_label_init_t( 1179 struct label *label, 1180 int flag 1181); 1182/** 1183 @brief Recycle up an inpcb label 1184 @param label The label to be recycled 1185 1186 Recycle an inpcb label. Darwin allocates the inpcb as part of 1187 the socket structure in some cases. For this case we must recycle 1188 rather than destroy the inpcb as it will be reused later. 1189*/ 1190typedef void mpo_inpcb_label_recycle_t( 1191 struct label *label 1192); 1193/** 1194 @brief Update an inpcb label from a socket label 1195 @param so Socket containing the inpcb to be relabeled 1196 @param solabel New label of the socket 1197 @param inp inpcb to be labeled 1198 @param inplabel Label for the inpcb 1199 1200 Set the label of a newly created inpcb due to a change in the 1201 underlying socket label. 1202*/ 1203typedef void mpo_inpcb_label_update_t( 1204 struct socket *so, 1205 struct label *solabel, 1206 struct inpcb *inp, 1207 struct label *inplabel 1208); 1209/** 1210 @brief Device hardware access control 1211 @param devtype Type of device connected 1212 @param properties XML-formatted property list 1213 @param proplen Length of the property list 1214 1215 This is the MAC Framework device access control, which is called by the I/O 1216 Kit when a new device is connected to the system to determine whether that 1217 device should be trusted. A list of properties associated with the device 1218 is passed as an XML-formatted string. The routine should examine these 1219 properties to determine the trustworthiness of the device. A return value 1220 of EPERM forces the device to be claimed by a special device driver that 1221 will prevent its operation. 1222 1223 @warning This is an experimental interface and may change in the future. 1224 1225 @return Return EPERM to indicate that the device is untrusted and should 1226 not be allowed to operate. Return zero to indicate that the device is 1227 trusted and should be allowed to operate normally. 1228 1229*/ 1230typedef int mpo_iokit_check_device_t( 1231 char *devtype, 1232 struct mac_module_data *mdata 1233); 1234/** 1235 @brief Access control check for opening an I/O Kit device 1236 @param cred Subject credential 1237 @param device_path Device path 1238 @param user_client User client instance 1239 @param user_client_type User client type 1240 1241 Determine whether the subject identified by the credential can open an 1242 I/O Kit device at the passed path of the passed user client class and 1243 type. 1244 1245 @return Return 0 if access is granted, or an appropriate value for 1246 errno should be returned. 1247*/ 1248typedef int mpo_iokit_check_open_t( 1249 kauth_cred_t cred, 1250 io_object_t user_client, 1251 unsigned int user_client_type 1252); 1253/** 1254 @brief Access control check for setting I/O Kit device properties 1255 @param cred Subject credential 1256 @param registry_entry Target device 1257 @param properties Property list 1258 1259 Determine whether the subject identified by the credential can set 1260 properties on an I/O Kit device. 1261 1262 @return Return 0 if access is granted, or an appropriate value for 1263 errno should be returned. 1264*/ 1265typedef int mpo_iokit_check_set_properties_t( 1266 kauth_cred_t cred, 1267 io_object_t entry, 1268 io_object_t properties 1269); 1270/** 1271 @brief Access control check for software HID control 1272 @param cred Subject credential 1273 1274 Determine whether the subject identified by the credential can 1275 control the HID (Human Interface Device) subsystem, such as to 1276 post synthetic keypresses, pointer movement and clicks. 1277 1278 @return Return 0 if access is granted, or an appropriate value for 1279 errno. 1280*/ 1281typedef int mpo_iokit_check_hid_control_t( 1282 kauth_cred_t cred 1283); 1284/** 1285 @brief Create an IP reassembly queue label 1286 @param fragment First received IP fragment 1287 @param fragmentlabel Policy label for fragment 1288 @param ipq IP reassembly queue to be labeled 1289 @param ipqlabel Policy label to be filled in for ipq 1290 1291 Set the label on a newly created IP reassembly queue from 1292 the mbuf header of the first received fragment. 1293*/ 1294typedef void mpo_ipq_label_associate_t( 1295 struct mbuf *fragment, 1296 struct label *fragmentlabel, 1297 struct ipq *ipq, 1298 struct label *ipqlabel 1299); 1300/** 1301 @brief Compare an mbuf header label to an ipq label 1302 @param fragment IP datagram fragment 1303 @param fragmentlabel Policy label for fragment 1304 @param ipq IP fragment reassembly queue 1305 @param ipqlabel Policy label for ipq 1306 1307 Compare the label of the mbuf header containing an IP datagram 1308 (fragment) fragment with the label of the passed IP fragment 1309 reassembly queue (ipq). Return (1) for a successful match, or (0) 1310 for no match. This call is made when the IP stack attempts to 1311 find an existing fragment reassembly queue for a newly received 1312 fragment; if this fails, a new fragment reassembly queue may be 1313 instantiated for the fragment. Policies may use this entry point 1314 to prevent the reassembly of otherwise matching IP fragments if 1315 policy does not permit them to be reassembled based on the label 1316 or other information. 1317*/ 1318typedef int mpo_ipq_label_compare_t( 1319 struct mbuf *fragment, 1320 struct label *fragmentlabel, 1321 struct ipq *ipq, 1322 struct label *ipqlabel 1323); 1324/** 1325 @brief Destroy IP reassembly queue label 1326 @param label The label to be destroyed 1327 1328 Destroy the label on an IP fragment queue. In this entry point, a 1329 policy module should free any internal storage associated with 1330 label so that it may be destroyed. 1331*/ 1332typedef void mpo_ipq_label_destroy_t( 1333 struct label *label 1334); 1335/** 1336 @brief Initialize IP reassembly queue label 1337 @param label New label to initialize 1338 @param flag M_WAITOK or M_NOWAIT 1339 1340 Initialize the label on a newly instantiated IP fragment reassembly 1341 queue. The flag field may be one of M_WAITOK and M_NOWAIT, and 1342 should be employed to avoid performing a sleeping malloc(9) during 1343 this initialization call. IP fragment reassembly queue allocation 1344 frequently occurs in performance sensitive environments, and the 1345 implementation should be careful to avoid sleeping or long-lived 1346 operations. This entry point is permitted to fail resulting in 1347 the failure to allocate the IP fragment reassembly queue. 1348*/ 1349typedef int mpo_ipq_label_init_t( 1350 struct label *label, 1351 int flag 1352); 1353/** 1354 @brief Update the label on an IP fragment reassembly queue 1355 @param fragment IP fragment 1356 @param fragmentlabel Policy label for fragment 1357 @param ipq IP fragment reassembly queue 1358 @param ipqlabel Policy label to be updated for ipq 1359 1360 Update the label on an IP fragment reassembly queue (ipq) based 1361 on the acceptance of the passed IP fragment mbuf header (fragment). 1362*/ 1363typedef void mpo_ipq_label_update_t( 1364 struct mbuf *fragment, 1365 struct label *fragmentlabel, 1366 struct ipq *ipq, 1367 struct label *ipqlabel 1368); 1369/** 1370 @brief Access control check for relabelling Login Context 1371 @param l Subject credential 1372 @param newlabel New label to apply to the Login Context 1373 @see mpo_lctx_label_update_t 1374 @see mac_set_lcid 1375 @see mac_set_lctx 1376 1377 Determine whether the subject identified by the credential can relabel 1378 itself to the supplied new label (newlabel). This access control check 1379 is called when the mac_set_lctx/lcid system call is invoked. A user space 1380 application will supply a new value, the value will be internalized 1381 and provided in newlabel. 1382 1383 @return Return 0 if access is granted, otherwise an appropriate value for 1384 errno should be returned. 1385*/ 1386typedef int mpo_lctx_check_label_update_t( 1387 struct lctx *l, 1388 struct label *newlabel 1389); 1390/** 1391 @brief Destroy Login Context label 1392 @param label The label to be destroyed 1393*/ 1394typedef void mpo_lctx_label_destroy_t( 1395 struct label *label 1396); 1397/** 1398 @brief Externalize a Login Context label 1399 @param label Label to be externalized 1400 @param element_name Name of the label namespace for which labels should be 1401 externalized 1402 @param sb String buffer to be filled with a text representation of the label 1403 1404 Produce an external representation of the label on a Login Context. 1405 An externalized label consists of a text representation 1406 of the label contents that can be used with user applications. 1407 Policy-agnostic user space tools will display this externalized 1408 version. 1409 1410 @return 0 on success, return non-zero if an error occurs while 1411 externalizing the label data. 1412 1413*/ 1414typedef int mpo_lctx_label_externalize_t( 1415 struct label *label, 1416 char *element_name, 1417 struct sbuf *sb 1418); 1419/** 1420 @brief Initialize Login Context label 1421 @param label New label to initialize 1422*/ 1423typedef void mpo_lctx_label_init_t( 1424 struct label *label 1425); 1426/** 1427 @brief Internalize a Login Context label 1428 @param label Label to be internalized 1429 @param element_name Name of the label namespace for which the label should 1430 be internalized 1431 @param element_data Text data to be internalized 1432 1433 Produce a Login Context label from an external representation. An 1434 externalized label consists of a text representation of the label 1435 contents that can be used with user applications. Policy-agnostic 1436 user space tools will forward text version to the kernel for 1437 processing by individual policy modules. 1438 1439 The policy's internalize entry points will be called only if the 1440 policy has registered interest in the label namespace. 1441 1442 @return 0 on success, Otherwise, return non-zero if an error occurs 1443 while internalizing the label data. 1444 1445*/ 1446typedef int mpo_lctx_label_internalize_t( 1447 struct label *label, 1448 char *element_name, 1449 char *element_data 1450); 1451/** 1452 @brief Update a Login Context label 1453 @param l 1454 @param newlabel A new label to apply to the Login Context 1455 @see mpo_lctx_check_label_update_t 1456 @see mac_set_lcid 1457 @see mac_set_lctx 1458 1459 Update the label on a login context, using the supplied new label. 1460 This is called as a result of a login context relabel operation. Access 1461 control was already confirmed by mpo_lctx_check_label_update. 1462*/ 1463typedef void mpo_lctx_label_update_t( 1464 struct lctx *l, 1465 struct label *newlabel 1466); 1467/** 1468 @brief A process has created a login context 1469 @param p Subject 1470 @param l Login Context 1471 1472 When a process creates a login context (via setlcid()) this entrypoint 1473 is called to notify the policy that the process 'p' has created login 1474 context 'l'. 1475*/ 1476typedef void mpo_lctx_notify_create_t( 1477 struct proc *p, 1478 struct lctx *l 1479); 1480/** 1481 @brief A process has joined a login context 1482 @param p Subject 1483 @param l Login Context 1484 1485 When a process joins a login context, either via setlcid() or via 1486 fork() this entrypoint is called to notify the policy that process 1487 'p' is now a member of login context 'l'. 1488*/ 1489typedef void mpo_lctx_notify_join_t( 1490 struct proc *p, 1491 struct lctx *l 1492); 1493/** 1494 @brief A process has left a login context 1495 @param p Subject 1496 @param l Login Context 1497 1498 When a process leaves a login context either via setlcid() or as a 1499 result of the process exiting this entrypoint is called to notify 1500 the policy that the process 'p' is no longer a member of login context 'l'. 1501*/ 1502typedef void mpo_lctx_notify_leave_t( 1503 struct proc *p, 1504 struct lctx *l 1505); 1506/** 1507 @brief Assign a label to a new mbuf 1508 @param bpf_d BPF descriptor 1509 @param b_label Policy label for bpf_d 1510 @param m Object; mbuf 1511 @param m_label Policy label to fill in for m 1512 1513 Set the label on the mbuf header of a newly created datagram 1514 generated using the passed BPF descriptor. This call is made when 1515 a write is performed to the BPF device associated with the passed 1516 BPF descriptor. 1517*/ 1518typedef void mpo_mbuf_label_associate_bpfdesc_t( 1519 struct bpf_d *bpf_d, 1520 struct label *b_label, 1521 struct mbuf *m, 1522 struct label *m_label 1523); 1524/** 1525 @brief Assign a label to a new mbuf 1526 @param ifp Interface descriptor 1527 @param i_label Existing label of ifp 1528 @param m Object; mbuf 1529 @param m_label Policy label to fill in for m 1530 1531 Label an mbuf based on the interface from which it was received. 1532*/ 1533typedef void mpo_mbuf_label_associate_ifnet_t( 1534 struct ifnet *ifp, 1535 struct label *i_label, 1536 struct mbuf *m, 1537 struct label *m_label 1538); 1539/** 1540 @brief Assign a label to a new mbuf 1541 @param inp inpcb structure 1542 @param i_label Existing label of inp 1543 @param m Object; mbuf 1544 @param m_label Policy label to fill in for m 1545 1546 Label an mbuf based on the inpcb from which it was derived. 1547*/ 1548typedef void mpo_mbuf_label_associate_inpcb_t( 1549 struct inpcb *inp, 1550 struct label *i_label, 1551 struct mbuf *m, 1552 struct label *m_label 1553); 1554/** 1555 @brief Set the label on a newly reassembled IP datagram 1556 @param ipq IP fragment reassembly queue 1557 @param ipqlabel Policy label for ipq 1558 @param mbuf IP datagram to be labeled 1559 @param mbuflabel Policy label to be filled in for mbuf 1560 1561 Set the label on a newly reassembled IP datagram (mbuf) from the IP 1562 fragment reassembly queue (ipq) from which it was generated. 1563*/ 1564typedef void mpo_mbuf_label_associate_ipq_t( 1565 struct ipq *ipq, 1566 struct label *ipqlabel, 1567 struct mbuf *mbuf, 1568 struct label *mbuflabel 1569); 1570/** 1571 @brief Assign a label to a new mbuf 1572 @param ifp Subject; network interface 1573 @param i_label Existing label of ifp 1574 @param m Object; mbuf 1575 @param m_label Policy label to fill in for m 1576 1577 Set the label on the mbuf header of a newly created datagram 1578 generated for the purposes of a link layer response for the passed 1579 interface. This call may be made in a number of situations, including 1580 for ARP or ND6 responses in the IPv4 and IPv6 stacks. 1581*/ 1582typedef void mpo_mbuf_label_associate_linklayer_t( 1583 struct ifnet *ifp, 1584 struct label *i_label, 1585 struct mbuf *m, 1586 struct label *m_label 1587); 1588/** 1589 @brief Assign a label to a new mbuf 1590 @param oldmbuf mbuf headerder for existing datagram for existing datagram 1591 @param oldmbuflabel Policy label for oldmbuf 1592 @param ifp Network interface 1593 @param ifplabel Policy label for ifp 1594 @param newmbuf mbuf header to be labeled for new datagram 1595 @param newmbuflabel Policy label for newmbuf 1596 1597 Set the label on the mbuf header of a newly created datagram 1598 generated from the existing passed datagram when it is processed 1599 by the passed multicast encapsulation interface. This call is made 1600 when an mbuf is to be delivered using the virtual interface. 1601*/ 1602typedef void mpo_mbuf_label_associate_multicast_encap_t( 1603 struct mbuf *oldmbuf, 1604 struct label *oldmbuflabel, 1605 struct ifnet *ifp, 1606 struct label *ifplabel, 1607 struct mbuf *newmbuf, 1608 struct label *newmbuflabel 1609); 1610/** 1611 @brief Assign a label to a new mbuf 1612 @param oldmbuf Received datagram 1613 @param oldmbuflabel Policy label for oldmbuf 1614 @param newmbuf Newly created datagram 1615 @param newmbuflabel Policy label for newmbuf 1616 1617 Set the label on the mbuf header of a newly created datagram generated 1618 by the IP stack in response to an existing received datagram (oldmbuf). 1619 This call may be made in a number of situations, including when responding 1620 to ICMP request datagrams. 1621*/ 1622typedef void mpo_mbuf_label_associate_netlayer_t( 1623 struct mbuf *oldmbuf, 1624 struct label *oldmbuflabel, 1625 struct mbuf *newmbuf, 1626 struct label *newmbuflabel 1627); 1628/** 1629 @brief Assign a label to a new mbuf 1630 @param so Socket to label 1631 @param so_label Policy label for socket 1632 @param m Object; mbuf 1633 @param m_label Policy label to fill in for m 1634 1635 An mbuf structure is used to store network traffic in transit. 1636 When an application sends data to a socket or a pipe, it is wrapped 1637 in an mbuf first. This function sets the label on a newly created mbuf header 1638 based on the socket sending the data. The contents of the label should be 1639 suitable for performing an access check on the receiving side of the 1640 communication. 1641 1642 Only labeled MBUFs will be presented to the policy via this entrypoint. 1643*/ 1644typedef void mpo_mbuf_label_associate_socket_t( 1645 socket_t so, 1646 struct label *so_label, 1647 struct mbuf *m, 1648 struct label *m_label 1649); 1650/** 1651 @brief Copy a mbuf label 1652 @param src Source label 1653 @param dest Destination label 1654 1655 Copy the mbuf label information in src into dest. 1656 1657 Only called when both source and destination mbufs have labels. 1658*/ 1659typedef void mpo_mbuf_label_copy_t( 1660 struct label *src, 1661 struct label *dest 1662); 1663/** 1664 @brief Destroy mbuf label 1665 @param label The label to be destroyed 1666 1667 Destroy a mbuf label. Since the 1668 object is going out of scope, policy modules should free any 1669 internal storage associated with the label so that it may be 1670 destroyed. 1671*/ 1672typedef void mpo_mbuf_label_destroy_t( 1673 struct label *label 1674); 1675/** 1676 @brief Initialize mbuf label 1677 @param label New label to initialize 1678 @param flag Malloc flags 1679 1680 Initialize the label for a newly instantiated mbuf. 1681 1682 @warning Since it is possible for the flags to be set to 1683 M_NOWAIT, the malloc operation may fail. 1684 1685 @return On success, 0, otherwise, an appropriate errno return value. 1686*/ 1687typedef int mpo_mbuf_label_init_t( 1688 struct label *label, 1689 int flag 1690); 1691/** 1692 @brief Access control check for fsctl 1693 @param cred Subject credential 1694 @param mp The mount point 1695 @param label Label associated with the mount point 1696 @param com Filesystem-dependent request code; see fsctl(2) 1697 1698 Determine whether the subject identified by the credential can perform 1699 the volume operation indicated by com. 1700 1701 @warning The fsctl() system call is directly analogous to ioctl(); since 1702 the associated data is opaque from the standpoint of the MAC framework 1703 and since these operations can affect many aspects of system operation, 1704 policies must exercise extreme care when implementing access control checks. 1705 1706 @return Return 0 if access is granted, otherwise an appropriate value for 1707 errno should be returned. 1708*/ 1709typedef int mpo_mount_check_fsctl_t( 1710 kauth_cred_t cred, 1711 struct mount *mp, 1712 struct label *label, 1713 unsigned int cmd 1714); 1715/** 1716 @brief Access control check for the retrieval of file system attributes 1717 @param cred Subject credential 1718 @param mp The mount structure of the file system 1719 @param vfa The attributes requested 1720 1721 This entry point determines whether given subject can get information 1722 about the given file system. This check happens during statfs() syscalls, 1723 but is also used by other parts within the kernel such as the audit system. 1724 1725 @return Return 0 if access is granted, otherwise an appropriate value for 1726 errno should be returned. 1727*/ 1728 1729typedef int mpo_mount_check_getattr_t( 1730 kauth_cred_t cred, 1731 struct mount *mp, 1732 struct label *mp_label, 1733 struct vfs_attr *vfa 1734); 1735/** 1736 @brief Access control check for mount point relabeling 1737 @param cred Subject credential 1738 @param mp Object file system mount point 1739 @param mntlabel Policy label for fle system mount point 1740 1741 Determine whether the subject identified by the credential can relabel 1742 the mount point. This call is made when a file system mount is updated. 1743 1744 @return Return 0 if access is granted, otherwise an appropriate value for 1745 errno should be returned. Suggested failure: EACCES for label mismatch 1746 or EPERM for lack of privilege. 1747*/ 1748typedef int mpo_mount_check_label_update_t( 1749 kauth_cred_t cred, 1750 struct mount *mp, 1751 struct label *mntlabel 1752); 1753/** 1754 @brief Access control check for mounting a file system 1755 @param cred Subject credential 1756 @param vp Vnode that is to be the mount point 1757 @param vlabel Label associated with the vnode 1758 @param cnp Component name for vp 1759 @param vfc_name Filesystem type name 1760 1761 Determine whether the subject identified by the credential can perform 1762 the mount operation on the target vnode. 1763 1764 @return Return 0 if access is granted, otherwise an appropriate value for 1765 errno should be returned. 1766*/ 1767typedef int mpo_mount_check_mount_t( 1768 kauth_cred_t cred, 1769 struct vnode *vp, 1770 struct label *vlabel, 1771 struct componentname *cnp, 1772 const char *vfc_name 1773); 1774/** 1775 @brief Access control check remounting a filesystem 1776 @param cred Subject credential 1777 @param mp The mount point 1778 @param mlabel Label currently associated with the mount point 1779 1780 Determine whether the subject identified by the credential can perform 1781 the remount operation on the target vnode. 1782 1783 @return Return 0 if access is granted, otherwise an appropriate value for 1784 errno should be returned. 1785*/ 1786typedef int mpo_mount_check_remount_t( 1787 kauth_cred_t cred, 1788 struct mount *mp, 1789 struct label *mlabel 1790); 1791/** 1792 @brief Access control check for the settting of file system attributes 1793 @param cred Subject credential 1794 @param mp The mount structure of the file system 1795 @param vfa The attributes requested 1796 1797 This entry point determines whether given subject can set information 1798 about the given file system, for example the volume name. 1799 1800 @return Return 0 if access is granted, otherwise an appropriate value for 1801 errno should be returned. 1802*/ 1803 1804typedef int mpo_mount_check_setattr_t( 1805 kauth_cred_t cred, 1806 struct mount *mp, 1807 struct label *mp_label, 1808 struct vfs_attr *vfa 1809); 1810/** 1811 @brief Access control check for file system statistics 1812 @param cred Subject credential 1813 @param mp Object file system mount 1814 @param mntlabel Policy label for mp 1815 1816 Determine whether the subject identified by the credential can see 1817 the results of a statfs performed on the file system. This call may 1818 be made in a number of situations, including during invocations of 1819 statfs(2) and related calls, as well as to determine what file systems 1820 to exclude from listings of file systems, such as when getfsstat(2) 1821 is invoked. 1822 1823 @return Return 0 if access is granted, otherwise an appropriate value for 1824 errno should be returned. Suggested failure: EACCES for label mismatch 1825 or EPERM for lack of privilege. 1826*/ 1827typedef int mpo_mount_check_stat_t( 1828 kauth_cred_t cred, 1829 struct mount *mp, 1830 struct label *mntlabel 1831); 1832/** 1833 @brief Access control check for unmounting a filesystem 1834 @param cred Subject credential 1835 @param mp The mount point 1836 @param mlabel Label associated with the mount point 1837 1838 Determine whether the subject identified by the credential can perform 1839 the unmount operation on the target vnode. 1840 1841 @return Return 0 if access is granted, otherwise an appropriate value for 1842 errno should be returned. 1843*/ 1844typedef int mpo_mount_check_umount_t( 1845 kauth_cred_t cred, 1846 struct mount *mp, 1847 struct label *mlabel 1848); 1849/** 1850 @brief Create mount labels 1851 @param cred Subject credential 1852 @param mp Mount point of file system being mounted 1853 @param mntlabel Label to associate with the new mount point 1854 @see mpo_mount_label_init_t 1855 1856 Fill out the labels on the mount point being created by the supplied 1857 user credential. This call is made when file systems are first mounted. 1858*/ 1859typedef void mpo_mount_label_associate_t( 1860 kauth_cred_t cred, 1861 struct mount *mp, 1862 struct label *mntlabel 1863); 1864/** 1865 @brief Destroy mount label 1866 @param label The label to be destroyed 1867 1868 Destroy a file system mount label. Since the 1869 object is going out of scope, policy modules should free any 1870 internal storage associated with the label so that it may be 1871 destroyed. 1872*/ 1873typedef void mpo_mount_label_destroy_t( 1874 struct label *label 1875); 1876/** 1877 @brief Externalize a mount point label 1878 @param label Label to be externalized 1879 @param element_name Name of the label namespace for which labels should be 1880 externalized 1881 @param sb String buffer to be filled with a text representation of the label 1882 1883 Produce an external representation of the mount point label. An 1884 externalized label consists of a text representation of the label 1885 contents that can be used with user applications. Policy-agnostic 1886 user space tools will display this externalized version. 1887 1888 The policy's externalize entry points will be called only if the 1889 policy has registered interest in the label namespace. 1890 1891 @return 0 on success, return non-zero if an error occurs while 1892 externalizing the label data. 1893 1894*/ 1895typedef int mpo_mount_label_externalize_t( 1896 struct label *label, 1897 char *element_name, 1898 struct sbuf *sb 1899); 1900/** 1901 @brief Initialize mount point label 1902 @param label New label to initialize 1903 1904 Initialize the label for a newly instantiated mount structure. 1905 This label is typically used to store a default label in the case 1906 that the file system has been mounted singlelabel. Since some 1907 file systems do not support persistent labels (extended attributes) 1908 or are read-only (such as CD-ROMs), it is often necessary to store 1909 a default label separately from the label of the mount point 1910 itself. Sleeping is permitted. 1911*/ 1912typedef void mpo_mount_label_init_t( 1913 struct label *label 1914); 1915/** 1916 @brief Internalize a mount point label 1917 @param label Label to be internalized 1918 @param element_name Name of the label namespace for which the label should 1919 be internalized 1920 @param element_data Text data to be internalized 1921 1922 Produce a mount point file system label from an external representation. 1923 An externalized label consists of a text representation of the label 1924 contents that can be used with user applications. Policy-agnostic 1925 user space tools will forward text version to the kernel for 1926 processing by individual policy modules. 1927 1928 The policy's internalize entry points will be called only if the 1929 policy has registered interest in the label namespace. 1930 1931 @return 0 on success, Otherwise, return non-zero if an error occurs 1932 while internalizing the label data. 1933 1934*/ 1935typedef int mpo_mount_label_internalize_t( 1936 struct label *label, 1937 char *element_name, 1938 char *element_data 1939); 1940/** 1941 @brief Set the label on an IPv4 datagram fragment 1942 @param datagram Datagram being fragmented 1943 @param datagramlabel Policy label for datagram 1944 @param fragment New fragment 1945 @param fragmentlabel Policy label for fragment 1946 1947 Called when an IPv4 datagram is fragmented into several smaller datagrams. 1948 Policies implementing mbuf labels will typically copy the label from the 1949 source datagram to the new fragment. 1950*/ 1951typedef void mpo_netinet_fragment_t( 1952 struct mbuf *datagram, 1953 struct label *datagramlabel, 1954 struct mbuf *fragment, 1955 struct label *fragmentlabel 1956); 1957/** 1958 @brief Set the label on an ICMP reply 1959 @param m mbuf containing the ICMP reply 1960 @param mlabel Policy label for m 1961 1962 A policy may wish to update the label of an mbuf that refers to 1963 an ICMP packet being sent in response to an IP packet. This may 1964 be called in response to a bad packet or an ICMP request. 1965*/ 1966typedef void mpo_netinet_icmp_reply_t( 1967 struct mbuf *m, 1968 struct label *mlabel 1969); 1970/** 1971 @brief Set the label on a TCP reply 1972 @param m mbuf containing the TCP reply 1973 @param mlabel Policy label for m 1974 1975 Called for outgoing TCP packets not associated with an actual socket. 1976*/ 1977typedef void mpo_netinet_tcp_reply_t( 1978 struct mbuf *m, 1979 struct label *mlabel 1980); 1981/** 1982 @brief Access control check for pipe ioctl 1983 @param cred Subject credential 1984 @param cpipe Object to be accessed 1985 @param pipelabel The label on the pipe 1986 @param cmd The ioctl command; see ioctl(2) 1987 1988 Determine whether the subject identified by the credential can perform 1989 the ioctl operation indicated by cmd. 1990 1991 @warning Since ioctl data is opaque from the standpoint of the MAC 1992 framework, policies must exercise extreme care when implementing 1993 access control checks. 1994 1995 @return Return 0 if access is granted, otherwise an appropriate value for 1996 errno should be returned. 1997 1998*/ 1999typedef int mpo_pipe_check_ioctl_t( 2000 kauth_cred_t cred, 2001 struct pipe *cpipe, 2002 struct label *pipelabel, 2003 unsigned int cmd 2004); 2005/** 2006 @brief Access control check for pipe kqfilter 2007 @param cred Subject credential 2008 @param kn Object knote 2009 @param cpipe Object to be accessed 2010 @param pipelabel Policy label for the pipe 2011 2012 Determine whether the subject identified by the credential can 2013 receive the knote on the passed pipe. 2014 2015 @return Return 0 if access if granted, otherwise an appropriate 2016 value for errno should be returned. 2017*/ 2018typedef int mpo_pipe_check_kqfilter_t( 2019 kauth_cred_t cred, 2020 struct knote *kn, 2021 struct pipe *cpipe, 2022 struct label *pipelabel 2023); 2024/** 2025 @brief Access control check for pipe relabel 2026 @param cred Subject credential 2027 @param cpipe Object to be accessed 2028 @param pipelabel The current label on the pipe 2029 @param newlabel The new label to be used 2030 2031 Determine whether the subject identified by the credential can 2032 perform a relabel operation on the passed pipe. The cred object holds 2033 the credentials of the subject performing the operation. 2034 2035 @return Return 0 if access is granted, otherwise an appropriate value for 2036 errno should be returned. 2037 2038*/ 2039typedef int mpo_pipe_check_label_update_t( 2040 kauth_cred_t cred, 2041 struct pipe *cpipe, 2042 struct label *pipelabel, 2043 struct label *newlabel 2044); 2045/** 2046 @brief Access control check for pipe read 2047 @param cred Subject credential 2048 @param cpipe Object to be accessed 2049 @param pipelabel The label on the pipe 2050 2051 Determine whether the subject identified by the credential can 2052 perform a read operation on the passed pipe. The cred object holds 2053 the credentials of the subject performing the operation. 2054 2055 @return Return 0 if access is granted, otherwise an appropriate value for 2056 errno should be returned. 2057 2058*/ 2059typedef int mpo_pipe_check_read_t( 2060 kauth_cred_t cred, 2061 struct pipe *cpipe, 2062 struct label *pipelabel 2063); 2064/** 2065 @brief Access control check for pipe select 2066 @param cred Subject credential 2067 @param cpipe Object to be accessed 2068 @param pipelabel The label on the pipe 2069 @param which The operation selected on: FREAD or FWRITE 2070 2071 Determine whether the subject identified by the credential can 2072 perform a select operation on the passed pipe. The cred object holds 2073 the credentials of the subject performing the operation. 2074 2075 @return Return 0 if access is granted, otherwise an appropriate value for 2076 errno should be returned. 2077 2078*/ 2079typedef int mpo_pipe_check_select_t( 2080 kauth_cred_t cred, 2081 struct pipe *cpipe, 2082 struct label *pipelabel, 2083 int which 2084); 2085/** 2086 @brief Access control check for pipe stat 2087 @param cred Subject credential 2088 @param cpipe Object to be accessed 2089 @param pipelabel The label on the pipe 2090 2091 Determine whether the subject identified by the credential can 2092 perform a stat operation on the passed pipe. The cred object holds 2093 the credentials of the subject performing the operation. 2094 2095 @return Return 0 if access is granted, otherwise an appropriate value for 2096 errno should be returned. 2097 2098*/ 2099typedef int mpo_pipe_check_stat_t( 2100 kauth_cred_t cred, 2101 struct pipe *cpipe, 2102 struct label *pipelabel 2103); 2104/** 2105 @brief Access control check for pipe write 2106 @param cred Subject credential 2107 @param cpipe Object to be accessed 2108 @param pipelabel The label on the pipe 2109 2110 Determine whether the subject identified by the credential can 2111 perform a write operation on the passed pipe. The cred object holds 2112 the credentials of the subject performing the operation. 2113 2114 @return Return 0 if access is granted, otherwise an appropriate value for 2115 errno should be returned. 2116 2117*/ 2118typedef int mpo_pipe_check_write_t( 2119 kauth_cred_t cred, 2120 struct pipe *cpipe, 2121 struct label *pipelabel 2122); 2123/** 2124 @brief Create a pipe label 2125 @param cred Subject credential 2126 @param cpipe object to be labeled 2127 @param label Label for the pipe object 2128 2129 Create a label for the pipe object being created by the supplied 2130 user credential. This call is made when the pipe is being created 2131 XXXPIPE(for one or both sides of the pipe?). 2132 2133*/ 2134typedef void mpo_pipe_label_associate_t( 2135 kauth_cred_t cred, 2136 struct pipe *cpipe, 2137 struct label *pipelabel 2138); 2139/** 2140 @brief Copy a pipe label 2141 @param src Source pipe label 2142 @param dest Destination pipe label 2143 2144 Copy the pipe label associated with src to dest. 2145 XXXPIPE Describe when this is used: most likely during pipe creation to 2146 copy from rpipe to wpipe. 2147*/ 2148typedef void mpo_pipe_label_copy_t( 2149 struct label *src, 2150 struct label *dest 2151); 2152/** 2153 @brief Destroy pipe label 2154 @param label The label to be destroyed 2155 2156 Destroy a pipe label. Since the object is going out of scope, 2157 policy modules should free any internal storage associated with the 2158 label so that it may be destroyed. 2159*/ 2160typedef void mpo_pipe_label_destroy_t( 2161 struct label *label 2162); 2163/** 2164 @brief Externalize a pipe label 2165 @param label Label to be externalized 2166 @param element_name Name of the label namespace for which labels should be 2167 externalized 2168 @param sb String buffer to be filled with a text representation of the label 2169 2170 Produce an external representation of the label on a pipe. 2171 An externalized label consists of a text representation 2172 of the label contents that can be used with user applications. 2173 Policy-agnostic user space tools will display this externalized 2174 version. 2175 2176 The policy's externalize entry points will be called only if the 2177 policy has registered interest in the label namespace. 2178 2179 @return 0 on success, return non-zero if an error occurs while 2180 externalizing the label data. 2181 2182*/ 2183typedef int mpo_pipe_label_externalize_t( 2184 struct label *label, 2185 char *element_name, 2186 struct sbuf *sb 2187); 2188/** 2189 @brief Initialize pipe label 2190 @param label New label to initialize 2191 2192 Initialize label storage for use with a newly instantiated pipe object. 2193 Sleeping is permitted. 2194*/ 2195typedef void mpo_pipe_label_init_t( 2196 struct label *label 2197); 2198/** 2199 @brief Internalize a pipe label 2200 @param label Label to be internalized 2201 @param element_name Name of the label namespace for which the label should 2202 be internalized 2203 @param element_data Text data to be internalized 2204 2205 Produce a pipe label from an external representation. An 2206 externalized label consists of a text representation of the label 2207 contents that can be used with user applications. Policy-agnostic 2208 user space tools will forward text version to the kernel for 2209 processing by individual policy modules. 2210 2211 The policy's internalize entry points will be called only if the 2212 policy has registered interest in the label namespace. 2213 2214 @return 0 on success, Otherwise, return non-zero if an error occurs 2215 while internalizing the label data. 2216 2217*/ 2218typedef int mpo_pipe_label_internalize_t( 2219 struct label *label, 2220 char *element_name, 2221 char *element_data 2222); 2223/** 2224 @brief Update a pipe label 2225 @param cred Subject credential 2226 @param cpipe Object to be labeled 2227 @param oldlabel Existing pipe label 2228 @param newlabel New label to replace existing label 2229 @see mpo_pipe_check_label_update_t 2230 2231 The subject identified by the credential has previously requested 2232 and was authorized to relabel the pipe; this entry point allows 2233 policies to perform the actual relabel operation. Policies should 2234 update oldlabel using the label stored in the newlabel parameter. 2235 2236*/ 2237typedef void mpo_pipe_label_update_t( 2238 kauth_cred_t cred, 2239 struct pipe *cpipe, 2240 struct label *oldlabel, 2241 struct label *newlabel 2242); 2243/** 2244 @brief Policy unload event 2245 @param mpc MAC policy configuration 2246 2247 This is the MAC Framework policy unload event. This entry point will 2248 only be called if the module's policy configuration allows unload (if 2249 the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't 2250 want to be unloaded; they should set their flags to prevent this 2251 entry point from being called. 2252 2253 @warning During this call, the mac policy list mutex is held, so 2254 sleep operations cannot be performed, and calls out to other kernel 2255 subsystems must be made with caution. 2256 2257 @see MPC_LOADTIME_FLAG_UNLOADOK 2258*/ 2259typedef void mpo_policy_destroy_t( 2260 struct mac_policy_conf *mpc 2261); 2262/** 2263 @brief Policy initialization event 2264 @param mpc MAC policy configuration 2265 @see mac_policy_register 2266 @see mpo_policy_initbsd_t 2267 2268 This is the MAC Framework policy initialization event. This entry 2269 point is called during mac_policy_register, when the policy module 2270 is first registered with the MAC Framework. This is often done very 2271 early in the boot process, after the kernel Mach subsystem has been 2272 initialized, but prior to the BSD subsystem being initialized. 2273 Since the kernel BSD services are not yet available, it is possible 2274 that some initialization must occur later, possibly in the 2275 mpo_policy_initbsd_t policy entry point, such as registering BSD system 2276 controls (sysctls). Policy modules loaded at boot time will be 2277 registered and initialized before labeled Mach objects are created. 2278 2279 @warning During this call, the mac policy list mutex is held, so 2280 sleep operations cannot be performed, and calls out to other kernel 2281 subsystems must be made with caution. 2282*/ 2283typedef void mpo_policy_init_t( 2284 struct mac_policy_conf *mpc 2285); 2286/** 2287 @brief Policy BSD initialization event 2288 @param mpc MAC policy configuration 2289 @see mpo_policy_init_t 2290 2291 This entry point is called after the kernel BSD subsystem has been 2292 initialized. By this point, the module should already be loaded, 2293 registered, and initialized. Since policy modules are initialized 2294 before kernel BSD services are available, this second initialization 2295 phase is necessary. At this point, BSD services (memory management, 2296 synchronization primitives, vfs, etc.) are available, but the first 2297 process has not yet been created. Mach-related objects and tasks 2298 will already be fully initialized and may be in use--policies requiring 2299 ubiquitous labeling may also want to implement mpo_policy_init_t. 2300 2301 @warning During this call, the mac policy list mutex is held, so 2302 sleep operations cannot be performed, and calls out to other kernel 2303 subsystems must be made with caution. 2304*/ 2305typedef void mpo_policy_initbsd_t( 2306 struct mac_policy_conf *mpc 2307); 2308/** 2309 @brief Policy extension service 2310 @param p Calling process 2311 @param call Policy-specific syscall number 2312 @param arg Pointer to syscall arguments 2313 2314 This entry point provides a policy-multiplexed system call so that 2315 policies may provide additional services to user processes without 2316 registering specific system calls. The policy name provided during 2317 registration is used to demux calls from userland, and the arguments 2318 will be forwarded to this entry point. When implementing new 2319 services, security modules should be sure to invoke appropriate 2320 access control checks from the MAC framework as needed. For 2321 example, if a policy implements an augmented signal functionality, 2322 it should call the necessary signal access control checks to invoke 2323 the MAC framework and other registered policies. 2324 2325 @warning Since the format and contents of the policy-specific 2326 arguments are unknown to the MAC Framework, modules must perform the 2327 required copyin() of the syscall data on their own. No policy 2328 mediation is performed, so policies must perform any necessary 2329 access control checks themselves. If multiple policies are loaded, 2330 they will currently be unable to mediate calls to other policies. 2331 2332 @return In the event of an error, an appropriate value for errno 2333 should be returned, otherwise return 0 upon success. 2334*/ 2335typedef int mpo_policy_syscall_t( 2336 struct proc *p, 2337 int call, 2338 user_addr_t arg 2339); 2340/** 2341 @brief Access control check for copying a send right to another task 2342 @param task Label of the sender task 2343 @param port Label of the affected port 2344 2345 Access control check for copying send rights to the port from the 2346 specified task. A complementary entry point, mpo_port_check_hold_send, 2347 handles the receiving task. port_check_copy_send is called as part of 2348 a group of policy invocations when messages with port rights are sent. 2349 All access control checks made for a particular message must be successful 2350 for the message to be sent. 2351 2352 The task label and the port are locked. Sleeping is permitted. 2353 2354 @return Return 0 if access is granted, non-zero otherwise. 2355*/ 2356typedef int mpo_port_check_copy_send_t( 2357 struct label *task, 2358 struct label *port 2359); 2360/** 2361 @brief Access control check for obtaining a receive right 2362 @param task Label of the receiving task 2363 @param port Label of the affected port 2364 2365 Access control check for a task obtaining receive rights to a 2366 port. Usually, these are port rights that were obtained with a call 2367 to mach_port_allocate. This entry point is called as part of a 2368 group of policy invocations when messages with port rights are 2369 received. All of these access control checks must succeed in order 2370 to receive the message. 2371 2372 The task label and the port are locked. Sleeping is permitted. 2373 2374 @return Return 0 if access is granted, non-zero otherwise. 2375*/ 2376typedef int mpo_port_check_hold_receive_t( 2377 struct label *task, 2378 struct label *port 2379); 2380/** 2381 @brief Access control check for obtaining a send once right 2382 @param task Label of the receiving task 2383 @param port Label of the affected port 2384 2385 Access control check for a task obtaining send once rights to a port. Usually, 2386 these are port rights that were part of a message sent by another userspace 2387 task. port_check_hold_send_once is called as part of a group of policy 2388 invocations when messages with port rights are received. All of these access 2389 control checks must succeed in order to receive the message. 2390 2391 The task label and the port are locked. Sleeping is permitted. 2392 2393 @return Return 0 if access is granted, non-zero otherwise. 2394*/ 2395typedef int mpo_port_check_hold_send_once_t( 2396 struct label *task, 2397 struct label *port 2398); 2399/** 2400 @brief Access control check for obtaining a send right 2401 @param task Label of the receiving task 2402 @param port Label of the affected port 2403 2404 Access control check for a task obtaining send rights to a port. Usually, 2405 these are port rights that were part of a message sent by another userspace 2406 task. port_check_hold_send is called as part of a group of policy 2407 invocations when messages with port rights are received. All of these access 2408 control checks must succeed in order to receive the message. 2409 2410 The task label and the port are locked. Sleeping is permitted. 2411 2412 @return Return 0 if access is granted, non-zero otherwise. 2413*/ 2414typedef int mpo_port_check_hold_send_t( 2415 struct label *task, 2416 struct label *port 2417); 2418/** 2419 @brief Access control check for relabelling ports 2420 @param task Subject's task label 2421 @param oldlabel Original label of port 2422 @param newlabel New label for port 2423 2424 Access control check for relabelling ports. The policy should 2425 indicate whether the subject is permitted to change the label 2426 of a port from oldlabel to newlabel. The port is locked, but 2427 the subject's task label is not locked. 2428 2429 @warning XXX In future releases, the task label lock will likely 2430 also be held. 2431 2432 @return Return 0 if access is granted, non-zero otherwise. 2433*/ 2434typedef int mpo_port_check_label_update_t( 2435 struct label *task, 2436 struct label *oldlabel, 2437 struct label *newlabel 2438); 2439/** 2440 @brief Access control check for producing a send once right from a receive right 2441 @param task Label of the sender task 2442 @param port Label of the affected port 2443 2444 Access control check for obtaining send once rights from receive rights. 2445 The new send once right may be destined for the calling task, or a different 2446 task. In either case the mpo_port_check_hold_send_once entry point handles 2447 the receiving task. port_check_make_send_once may be called as part of a 2448 group of policy invocations when messages with port rights are sent. 2449 All access control checks made for a particular message must be successful 2450 for the message to be sent. 2451 2452 The task label and the port are locked. Sleeping is permitted. 2453 2454 @return Return 0 if access is granted, non-zero otherwise. 2455*/ 2456typedef int mpo_port_check_make_send_once_t( 2457 struct label *task, 2458 struct label *port 2459); 2460/** 2461 @brief Access control check for producing a send right from a receive right 2462 @param task Label of the sender task 2463 @param port Label of the affected port 2464 2465 Access control check for obtaining send rights from receive rights. The new 2466 send right may be destined for the calling task, or a different task. 2467 In either case the mpo_port_check_hold_send entry point 2468 handles the receiving task. port_check_make_send may be called as part of 2469 a group of policy invocations when messages with port rights are sent. 2470 All access control checks made for a particular message must be successful 2471 for the message to be sent. 2472 2473 The task label and the port are locked. Sleeping is permitted. 2474 2475 @return Return 0 if access is granted, non-zero otherwise. 2476*/ 2477typedef int mpo_port_check_make_send_t( 2478 struct label *task, 2479 struct label *port 2480); 2481/** 2482 @brief Compute access control check for a Mach message-based service 2483 @param proc Sender's process structure (may be NULL) 2484 @param task Sender's task label 2485 @param port Destination port label 2486 @param msgid Message id 2487 2488 Access control computation for message-based services. This entry point 2489 computes permission to the service requested by the specified port and message 2490 id, for example a single MiG server routine, and is unrelated to the access 2491 check for sending messages to ports (but that check must succeed for the 2492 message to be sent to the destination). The result of this access computation 2493 is stored in the message trailer field msgh_ad (only if requested by the 2494 recipient); it does not actually inhibit the message from being sent or 2495 received. 2496 2497 @return 0 for access granted, nonzero for access denied. 2498*/ 2499 2500typedef int mpo_port_check_method_t( 2501 struct proc *proc, 2502 struct label *task, 2503 struct label *port, 2504 int msgid 2505); 2506/** 2507 @brief Access control check for transferring a receive right 2508 @param task Label of the sender task 2509 @param port Label of the affected port 2510 2511 Access control check for transferring the receive right to a port out 2512 of the specified task. A complementary entry point, 2513 mpo_port_check_hold_receive, handles the receiving task. 2514 port_check_move_receive is called as part of 2515 a group of policy invocations when messages with port rights are sent. 2516 All access control checks made for a particular message must be successful 2517 for the message to be sent. 2518 2519 The task label and the port are locked. Sleeping is permitted. 2520 2521 @return Return 0 if access is granted, non-zero otherwise. 2522*/ 2523typedef int mpo_port_check_move_receive_t( 2524 struct label *task, 2525 struct label *port 2526); 2527/** 2528 @brief Access control check for transferring a send once right 2529 @param task Label of the sender task 2530 @param port Label of the affected port 2531 2532 Access control check for transferring a send once right from one task to 2533 the task listening to the specified port. A complementary entry point, 2534 mpo_port_check_hold_send_once, handles the receiving task. 2535 port_check_move_send_once is called as part of a group of policy invocations 2536 when messages with port rights are sent. All access control checks made 2537 for a particular message must be successful for the message to be sent. 2538 2539 The task label and the port are locked. Sleeping is permitted. 2540 2541 @return Return 0 if access is granted, non-zero otherwise. 2542*/ 2543typedef int mpo_port_check_move_send_once_t( 2544 struct label *task, 2545 struct label *port 2546); 2547/** 2548 @brief Access control check for transferring a send right 2549 @param task Label of the sender task 2550 @param port Label of the affected port 2551 2552 Access control check for transferring a send right from one task to the 2553 task listening to the specified port. A complementary entry point, 2554 mpo_port_check_hold_send, handles the receiving task. 2555 port_check_move_send is called as part of a group of policy invocations 2556 when messages with port rights are sent. All access control checks made 2557 for a particular message must be successful for the message to be sent. 2558 2559 The task label and the port are locked. Sleeping is permitted. 2560 2561 @return Return 0 if access is granted, non-zero otherwise. 2562*/ 2563typedef int mpo_port_check_move_send_t( 2564 struct label *task, 2565 struct label *port 2566); 2567/** 2568 @brief Access control check for receiving Mach messsages 2569 @param task Label of the receiving task 2570 @param sender Label of the sending task 2571 2572 Access control check for receiving messages. The two labels are locked. 2573 2574 @warning This entry point can be invoked from many places inside the 2575 kernel, with arbitrary other locks held. The implementation of this 2576 entry point must not cause page faults, as those are handled by mach 2577 messages. 2578 2579 @return Return 0 if access is granted, non-zero otherwise. 2580*/ 2581typedef int mpo_port_check_receive_t( 2582 struct label *task, 2583 struct label *sender 2584); 2585/** 2586 @brief Access control check for sending Mach messsages 2587 @param task Label of the sender task 2588 @param port Label of the destination port 2589 2590 Access control check for sending messages. The task label and the 2591 port are locked. 2592 2593 @warning This entry point can be invoked from many places inside the 2594 kernel, with arbitrary other locks held. The implementation of this 2595 entry point must not cause page faults, as those are handled by mach 2596 messages. 2597 2598 @return Return 0 if access is granted, non-zero otherwise. 2599*/ 2600typedef int mpo_port_check_send_t( 2601 struct label *task, 2602 struct label *port 2603); 2604/** 2605 @brief Generic access control check 2606 @param subj Caller-provided subject label 2607 @param obj Caller-provided object label 2608 @param serv Service or object class name 2609 @param perm Permission, or method, within the specified service 2610 2611 This function provides a general way for a user process to query 2612 an arbitrary access control decision from the system's security policies. 2613 Currently, there are no standards for the format of the service and 2614 permission names. Labels may be either cred or port labels; the policy 2615 must accept either. The userspace interfaces to this entry point allow 2616 label strings or label handles (ports) to be provided. 2617 2618 @return Return 0 if access is granted, non-zero otherwise. 2619*/ 2620typedef int mpo_port_check_service_t( 2621 struct label *subj, 2622 struct label *obj, 2623 const char *serv, 2624 const char *perm 2625); 2626/** 2627 @brief Assign a label to a new Mach port created by the kernel 2628 @param portlabel Label for the new port 2629 @param isreply True if the port is for a reply message from the kernel 2630 2631 Assign a label to a new port created by the kernel. If the port is being 2632 used to reply to a message, isreply is 1 (0 otherwise). The port is locked. 2633*/ 2634typedef void mpo_port_label_associate_kernel_t( 2635 struct label *portlabel, 2636 int isreply 2637); 2638/** 2639 @brief Assign a label to a new Mach port 2640 @param it Task label of issuer 2641 @param st Task label of target 2642 @param portlabel Label for the new port 2643 2644 Assign a label to a new port. The policy can base this label on 2645 the label of the calling task, as well as the label of the target task. 2646 The target task is the one which recieves the first right for this port. 2647 Both task labels and the port are locked. 2648*/ 2649typedef void mpo_port_label_associate_t( 2650 struct label *it, 2651 struct label *st, 2652 struct label *portlabel 2653); 2654/** 2655 @brief Request label for new (userspace) object 2656 @param subj Subject label 2657 @param obj Parent or existing object label 2658 @param serv Name of service 2659 @param out Computed label 2660 2661 Ask the loaded policies to compute a label based on the two input labels 2662 and the service name. There is currently no standard for the service name, 2663 or even what the input labels represent (Subject and parent object are only 2664 a suggestion). If successful, the computed label is stored in out. All labels 2665 must be port (or task) labels. The userspace interfaces to this entry point 2666 allow label handles (ports) to be provided. 2667 2668 @return 0 on success, or an errno value for failure. 2669*/ 2670typedef int mpo_port_label_compute_t( 2671 struct label *subj, 2672 struct label *obj, 2673 const char *serv, 2674 struct label *out 2675); 2676/** 2677 @brief Copy a Mach port label 2678 @param src Source port label 2679 @param dest Destination port label 2680 2681 Copy the Mach port label information from src to dest. This is used 2682 to copy user-suplied labels into an existing port. 2683*/ 2684typedef void mpo_port_label_copy_t( 2685 struct label *src, 2686 struct label *dest 2687); 2688/** 2689 @brief Destroy Mach port label 2690 @param label The label to be destroyed 2691 2692 Destroy a Mach port label. Since the object is going out of 2693 scope, policy modules should free any internal storage associated 2694 with the label so that it may be destroyed. 2695*/ 2696typedef void mpo_port_label_destroy_t( 2697 struct label *label 2698); 2699/** 2700 @brief Initialize Mach port label 2701 @param label New label to initialize 2702 2703 Initialize the label for a newly instantiated Mach port. Sleeping 2704 is permitted. 2705*/ 2706typedef void mpo_port_label_init_t( 2707 struct label *label 2708); 2709/** 2710 @brief Update a Mach task port label 2711 @param cred User credential label to be used as the source 2712 @param task Mach port label to be used as the destination 2713 @see mpo_cred_label_update_t 2714 @see mpo_cred_label_update_execve_t 2715 2716 Update the label on a Mach task port, using the supplied user 2717 credential label. When a mac_cred_label_update_execve or a mac_cred_label_update 2718 operation causes the label on a user credential to change, the Mach 2719 task port label also needs to be updated to reflect the change. 2720 Both labels are already valid (initialized and created). 2721*/ 2722typedef void mpo_port_label_update_cred_t( 2723 struct label *cred, 2724 struct label *task 2725); 2726/** 2727 @brief Assign a label to a Mach port connected to a kernel object 2728 @param portlabel Label for the port 2729 @param kotype Type of kernel object 2730 2731 Label a kernel port based on the type of object behind it. The 2732 kotype parameter is one of the IKOT constants in 2733 <kern/ipc_kobject.h>. The port already has a valid label from either 2734 mpo_port_label_associate_kernel, or because it is a task port and has a label 2735 derived from the process and task labels. The port is locked. 2736*/ 2737typedef void mpo_port_label_update_kobject_t( 2738 struct label *portlabel, 2739 int kotype 2740); 2741/** 2742 @brief Access control check for POSIX semaphore create 2743 @param cred Subject credential 2744 @param name String name of the semaphore 2745 2746 Determine whether the subject identified by the credential can create 2747 a POSIX semaphore specified by name. 2748 2749 @return Return 0 if access is granted, otherwise an appropriate value for 2750 errno should be returned. 2751*/ 2752typedef int mpo_posixsem_check_create_t( 2753 kauth_cred_t cred, 2754 const char *name 2755); 2756/** 2757 @brief Access control check for POSIX semaphore open 2758 @param cred Subject credential 2759 @param ps Pointer to semaphore information structure 2760 @param semlabel Label associated with the semaphore 2761 2762 Determine whether the subject identified by the credential can open 2763 the named POSIX semaphore with label semlabel. 2764 2765 @return Return 0 if access is granted, otherwise an appropriate value for 2766 errno should be returned. 2767*/ 2768typedef int mpo_posixsem_check_open_t( 2769 kauth_cred_t cred, 2770 struct pseminfo *ps, 2771 struct label *semlabel 2772); 2773/** 2774 @brief Access control check for POSIX semaphore post 2775 @param cred Subject credential 2776 @param ps Pointer to semaphore information structure 2777 @param semlabel Label associated with the semaphore 2778 2779 Determine whether the subject identified by the credential can unlock 2780 the named POSIX semaphore with label semlabel. 2781 2782 @return Return 0 if access is granted, otherwise an appropriate value for 2783 errno should be returned. 2784*/ 2785typedef int mpo_posixsem_check_post_t( 2786 kauth_cred_t cred, 2787 struct pseminfo *ps, 2788 struct label *semlabel 2789); 2790/** 2791 @brief Access control check for POSIX semaphore unlink 2792 @param cred Subject credential 2793 @param ps Pointer to semaphore information structure 2794 @param semlabel Label associated with the semaphore 2795 @param name String name of the semaphore 2796 2797 Determine whether the subject identified by the credential can remove 2798 the named POSIX semaphore with label semlabel. 2799 2800 @return Return 0 if access is granted, otherwise an appropriate value for 2801 errno should be returned. 2802*/ 2803typedef int mpo_posixsem_check_unlink_t( 2804 kauth_cred_t cred, 2805 struct pseminfo *ps, 2806 struct label *semlabel, 2807 const char *name 2808); 2809/** 2810 @brief Access control check for POSIX semaphore wait 2811 @param cred Subject credential 2812 @param ps Pointer to semaphore information structure 2813 @param semlabel Label associated with the semaphore 2814 2815 Determine whether the subject identified by the credential can lock 2816 the named POSIX semaphore with label semlabel. 2817 2818 @return Return 0 if access is granted, otherwise an appropriate value for 2819 errno should be returned. 2820*/ 2821typedef int mpo_posixsem_check_wait_t( 2822 kauth_cred_t cred, 2823 struct pseminfo *ps, 2824 struct label *semlabel 2825); 2826/** 2827 @brief Create a POSIX semaphore label 2828 @param cred Subject credential 2829 @param ps Pointer to semaphore information structure 2830 @param semlabel Label to associate with the new semaphore 2831 @param name String name of the semaphore 2832 2833 Label a new POSIX semaphore. The label was previously 2834 initialized and associated with the semaphore. At this time, an 2835 appropriate initial label value should be assigned to the object and 2836 stored in semalabel. 2837*/ 2838typedef void mpo_posixsem_label_associate_t( 2839 kauth_cred_t cred, 2840 struct pseminfo *ps, 2841 struct label *semlabel, 2842 const char *name 2843); 2844/** 2845 @brief Destroy POSIX semaphore label 2846 @param label The label to be destroyed 2847 2848 Destroy a POSIX semaphore label. Since the object is 2849 going out of scope, policy modules should free any internal storage 2850 associated with the label so that it may be destroyed. 2851*/ 2852typedef void mpo_posixsem_label_destroy_t( 2853 struct label *label 2854); 2855/** 2856 @brief Initialize POSIX semaphore label 2857 @param label New label to initialize 2858 2859 Initialize the label for a newly instantiated POSIX semaphore. Sleeping 2860 is permitted. 2861*/ 2862typedef void mpo_posixsem_label_init_t( 2863 struct label *label 2864); 2865/** 2866 @brief Access control check for POSIX shared memory region create 2867 @param cred Subject credential 2868 @param name String name of the shared memory region 2869 2870 Determine whether the subject identified by the credential can create 2871 the POSIX shared memory region referenced by name. 2872 2873 @return Return 0 if access is granted, otherwise an appropriate value for 2874 errno should be returned. 2875*/ 2876typedef int mpo_posixshm_check_create_t( 2877 kauth_cred_t cred, 2878 const char *name 2879); 2880/** 2881 @brief Access control check for mapping POSIX shared memory 2882 @param cred Subject credential 2883 @param ps Pointer to shared memory information structure 2884 @param shmlabel Label associated with the shared memory region 2885 @param prot mmap protections; see mmap(2) 2886 @param flags shmat flags; see shmat(2) 2887 2888 Determine whether the subject identified by the credential can map 2889 the POSIX shared memory segment associated with shmlabel. 2890 2891 @return Return 0 if access is granted, otherwise an appropriate value for 2892 errno should be returned. 2893*/ 2894typedef int mpo_posixshm_check_mmap_t( 2895 kauth_cred_t cred, 2896 struct pshminfo *ps, 2897 struct label *shmlabel, 2898 int prot, 2899 int flags 2900); 2901/** 2902 @brief Access control check for POSIX shared memory region open 2903 @param cred Subject credential 2904 @param ps Pointer to shared memory information structure 2905 @param shmlabel Label associated with the shared memory region 2906 @param fflags shm_open(2) open flags ('fflags' encoded) 2907 2908 Determine whether the subject identified by the credential can open 2909 the POSIX shared memory region. 2910 2911 @return Return 0 if access is granted, otherwise an appropriate value for 2912 errno should be returned. 2913*/ 2914typedef int mpo_posixshm_check_open_t( 2915 kauth_cred_t cred, 2916 struct pshminfo *ps, 2917 struct label *shmlabel, 2918 int fflags 2919); 2920/** 2921 @brief Access control check for POSIX shared memory stat 2922 @param cred Subject credential 2923 @param ps Pointer to shared memory information structure 2924 @param shmlabel Label associated with the shared memory region 2925 2926 Determine whether the subject identified by the credential can obtain 2927 status for the POSIX shared memory segment associated with shmlabel. 2928 2929 @return Return 0 if access is granted, otherwise an appropriate value for 2930 errno should be returned. 2931*/ 2932typedef int mpo_posixshm_check_stat_t( 2933 kauth_cred_t cred, 2934 struct pshminfo *ps, 2935 struct label *shmlabel 2936); 2937/** 2938 @brief Access control check for POSIX shared memory truncate 2939 @param cred Subject credential 2940 @param ps Pointer to shared memory information structure 2941 @param shmlabel Label associated with the shared memory region 2942 @param len Length to truncate or extend shared memory segment 2943 2944 Determine whether the subject identified by the credential can truncate 2945 or extend (to len) the POSIX shared memory segment associated with shmlabel. 2946 2947 @return Return 0 if access is granted, otherwise an appropriate value for 2948 errno should be returned. 2949*/ 2950typedef int mpo_posixshm_check_truncate_t( 2951 kauth_cred_t cred, 2952 struct pshminfo *ps, 2953 struct label *shmlabel, 2954 off_t len 2955); 2956/** 2957 @brief Access control check for POSIX shared memory unlink 2958 @param cred Subject credential 2959 @param ps Pointer to shared memory information structure 2960 @param shmlabel Label associated with the shared memory region 2961 @param name String name of the shared memory region 2962 2963 Determine whether the subject identified by the credential can delete 2964 the POSIX shared memory segment associated with shmlabel. 2965 2966 @return Return 0 if access is granted, otherwise an appropriate value for 2967 errno should be returned. 2968*/ 2969typedef int mpo_posixshm_check_unlink_t( 2970 kauth_cred_t cred, 2971 struct pshminfo *ps, 2972 struct label *shmlabel, 2973 const char *name 2974); 2975/** 2976 @brief Create a POSIX shared memory region label 2977 @param cred Subject credential 2978 @param ps Pointer to shared memory information structure 2979 @param shmlabel Label to associate with the new shared memory region 2980 @param name String name of the shared memory region 2981 2982 Label a new POSIX shared memory region. The label was previously 2983 initialized and associated with the shared memory region. At this 2984 time, an appropriate initial label value should be assigned to the 2985 object and stored in shmlabel. 2986*/ 2987typedef void mpo_posixshm_label_associate_t( 2988 kauth_cred_t cred, 2989 struct pshminfo *ps, 2990 struct label *shmlabel, 2991 const char *name 2992); 2993/** 2994 @brief Destroy POSIX shared memory label 2995 @param label The label to be destroyed 2996 2997 Destroy a POSIX shared memory region label. Since the 2998 object is going out of scope, policy modules should free any 2999 internal storage associated with the label so that it may be 3000 destroyed. 3001*/ 3002typedef void mpo_posixshm_label_destroy_t( 3003 struct label *label 3004); 3005/** 3006 @brief Initialize POSIX Shared Memory region label 3007 @param label New label to initialize 3008 3009 Initialize the label for newly a instantiated POSIX Shared Memory 3010 region. Sleeping is permitted. 3011*/ 3012typedef void mpo_posixshm_label_init_t( 3013 struct label *label 3014); 3015/** 3016 @brief Access control check for privileged operations 3017 @param cred Subject credential 3018 @param priv Requested privilege (see sys/priv.h) 3019 3020 Determine whether the subject identified by the credential can perform 3021 a privileged operation. Privileged operations are allowed if the cred 3022 is the superuser or any policy returns zero for mpo_priv_grant, unless 3023 any policy returns nonzero for mpo_priv_check. 3024 3025 @return Return 0 if access is granted, otherwise EPERM should be returned. 3026*/ 3027typedef int mpo_priv_check_t( 3028 kauth_cred_t cred, 3029 int priv 3030); 3031/** 3032 @brief Grant regular users the ability to perform privileged operations 3033 @param cred Subject credential 3034 @param priv Requested privilege (see sys/priv.h) 3035 3036 Determine whether the subject identified by the credential should be 3037 allowed to perform a privileged operation that in the absense of any 3038 MAC policy it would not be able to perform. Privileged operations are 3039 allowed if the cred is the superuser or any policy returns zero for 3040 mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check. 3041 3042 Unlike other MAC hooks which can only reduce the privilege of a 3043 credential, this hook raises the privilege of a credential when it 3044 returns 0. Extreme care must be taken when implementing this hook to 3045 avoid undermining the security of the system. 3046 3047 @return Return 0 if additional privilege is granted, otherwise EPERM 3048 should be returned. 3049*/ 3050typedef int mpo_priv_grant_t( 3051 kauth_cred_t cred, 3052 int priv 3053); 3054/** 3055 @brief Access control check for debugging process 3056 @param cred Subject credential 3057 @param proc Object process 3058 3059 Determine whether the subject identified by the credential can debug 3060 the passed process. This call may be made in a number of situations, 3061 including use of the ptrace(2) and ktrace(2) APIs, as well as for some 3062 types of procfs operations. 3063 3064 @return Return 0 if access is granted, otherwise an appropriate value for 3065 errno should be returned. Suggested failure: EACCES for label mismatch, 3066 EPERM for lack of privilege, or ESRCH to hide visibility of the target. 3067*/ 3068typedef int mpo_proc_check_debug_t( 3069 kauth_cred_t cred, 3070 struct proc *proc 3071); 3072/** 3073 @brief Access control over fork 3074 @param cred Subject credential 3075 @param proc Subject process trying to fork 3076 3077 Determine whether the subject identified is allowed to fork. 3078 3079 @return Return 0 if access is granted, otherwise an appropriate value for 3080 errno should be returned. 3081*/ 3082typedef int mpo_proc_check_fork_t( 3083 kauth_cred_t cred, 3084 struct proc *proc 3085); 3086/** 3087 @brief Access control over pid_suspend and pid_resume 3088 @param cred Subject credential 3089 @param proc Subject process trying to run pid_suspend or pid_resume 3090 @param sr Call is suspend (0) or resume (1) 3091 3092 Determine whether the subject identified is allowed to suspend or resume 3093 other processes. 3094 3095 @return Return 0 if access is granted, otherwise an appropriate value for 3096 errno should be returned. 3097*/ 3098typedef int mpo_proc_check_suspend_resume_t( 3099 kauth_cred_t cred, 3100 struct proc *proc, 3101 int sr 3102); 3103/** 3104 @brief Access control check for retrieving audit information 3105 @param cred Subject credential 3106 3107 Determine whether the subject identified by the credential can get 3108 audit information such as the audit user ID, the preselection mask, 3109 the terminal ID and the audit session ID, using the getaudit() system call. 3110 3111 @return Return 0 if access is granted, otherwise an appropriate value for 3112 errno should be returned. 3113*/ 3114typedef int mpo_proc_check_getaudit_t( 3115 kauth_cred_t cred 3116); 3117/** 3118 @brief Access control check for retrieving audit user ID 3119 @param cred Subject credential 3120 3121 Determine whether the subject identified by the credential can get 3122 the user identity being used by the auditing system, using the getauid() 3123 system call. 3124 3125 @return Return 0 if access is granted, otherwise an appropriate value for 3126 errno should be returned. 3127*/ 3128typedef int mpo_proc_check_getauid_t( 3129 kauth_cred_t cred 3130); 3131/** 3132 @brief Access control check for retrieving Login Context ID 3133 @param p0 Calling process 3134 @param p Effected process 3135 @param pid syscall PID argument 3136 3137 Determine if getlcid(2) system call is permitted. 3138 3139 Information returned by this system call is similar to that returned via 3140 process listings etc. 3141 3142 @return Return 0 if access is granted, otherwise an appropriate value for 3143 errno should be returned. 3144*/ 3145typedef int mpo_proc_check_getlcid_t( 3146 struct proc *p0, 3147 struct proc *p, 3148 pid_t pid 3149); 3150/** 3151 @brief Access control check for retrieving ledger information 3152 @param cred Subject credential 3153 @param target Object process 3154 @param op ledger operation 3155 3156 Determine if ledger(2) system call is permitted. 3157 3158 Information returned by this system call is similar to that returned via 3159 process listings etc. 3160 3161 @return Return 0 if access is granted, otherwise an appropriate value for 3162 errno should be returned. 3163*/ 3164typedef int mpo_proc_check_ledger_t( 3165 kauth_cred_t cred, 3166 struct proc *target, 3167 int op 3168); 3169/** 3170 @brief Access control check for escaping default CPU usage monitor parameters. 3171 @param cred Subject credential 3172 3173 Determine if a credential has permission to program CPU usage monitor parameters 3174 that are less restrictive than the global system-wide defaults. 3175 3176 @return Return 0 if access is granted, otherwise an appropriate value for 3177 errno should be returned. 3178*/ 3179typedef int mpo_proc_check_cpumon_t( 3180 kauth_cred_t cred 3181); 3182/** 3183 @brief Access control check for retrieving process information. 3184 @param cred Subject credential 3185 @param target Target process (may be null, may be zombie) 3186 3187 Determine if a credential has permission to access process information as defined 3188 by call number and flavor on target process 3189 3190 @return Return 0 if access is granted, otherwise an appropriate value for 3191 errno should be returned. 3192*/ 3193typedef int mpo_proc_check_proc_info_t( 3194 kauth_cred_t cred, 3195 struct proc *target, 3196 int callnum, 3197 int flavor 3198); 3199/** 3200 @brief Access control check for mmap MAP_ANON 3201 @param proc User process requesting the memory 3202 @param cred Subject credential 3203 @param u_addr Start address of the memory range 3204 @param u_size Length address of the memory range 3205 @param prot mmap protections; see mmap(2) 3206 @param flags Type of mapped object; see mmap(2) 3207 @param maxprot Maximum rights 3208 3209 Determine whether the subject identified by the credential should be 3210 allowed to obtain anonymous memory using the specified flags and 3211 protections on the new mapping. MAP_ANON will always be present in the 3212 flags. Certain combinations of flags with a non-NULL addr may 3213 cause a mapping to be rejected before this hook is called. The maxprot field 3214 holds the maximum permissions on the new mapping, a combination of 3215 VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior 3216 access control checks, a policy should only remove flags from maxprot. 3217 3218 @return Return 0 if access is granted, otherwise an appropriate value for 3219 errno should be returned. Suggested failure: EPERM for lack of privilege. 3220*/ 3221typedef int mpo_proc_check_map_anon_t( 3222 struct proc *proc, 3223 kauth_cred_t cred, 3224 user_addr_t u_addr, 3225 user_size_t u_size, 3226 int prot, 3227 int flags, 3228 int *maxprot 3229); 3230/** 3231 @brief Access control check for setting memory protections 3232 @param cred Subject credential 3233 @param proc User process requesting the change 3234 @param addr Start address of the memory range 3235 @param size Length address of the memory range 3236 @param prot Memory protections, see mmap(2) 3237 3238 Determine whether the subject identified by the credential should 3239 be allowed to set the specified memory protections on memory mapped 3240 in the process proc. 3241 3242 @return Return 0 if access is granted, otherwise an appropriate value for 3243 errno should be returned. 3244*/ 3245typedef int mpo_proc_check_mprotect_t( 3246 kauth_cred_t cred, 3247 struct proc *proc, 3248 user_addr_t addr, 3249 user_size_t size, 3250 int prot 3251); 3252/** 3253 @brief Access control check for changing scheduling parameters 3254 @param cred Subject credential 3255 @param proc Object process 3256 3257 Determine whether the subject identified by the credential can change 3258 the scheduling parameters of the passed process. 3259 3260 @return Return 0 if access is granted, otherwise an appropriate value for 3261 errno should be returned. Suggested failure: EACCES for label mismatch, 3262 EPERM for lack of privilege, or ESRCH to limit visibility. 3263*/ 3264typedef int mpo_proc_check_sched_t( 3265 kauth_cred_t cred, 3266 struct proc *proc 3267); 3268/** 3269 @brief Access control check for setting audit information 3270 @param cred Subject credential 3271 @param ai Audit information 3272 3273 Determine whether the subject identified by the credential can set 3274 audit information such as the the preselection mask, the terminal ID 3275 and the audit session ID, using the setaudit() system call. 3276 3277 @return Return 0 if access is granted, otherwise an appropriate value for 3278 errno should be returned. 3279*/ 3280typedef int mpo_proc_check_setaudit_t( 3281 kauth_cred_t cred, 3282 struct auditinfo_addr *ai 3283); 3284/** 3285 @brief Access control check for setting audit user ID 3286 @param cred Subject credential 3287 @param auid Audit user ID 3288 3289 Determine whether the subject identified by the credential can set 3290 the user identity used by the auditing system, using the setauid() 3291 system call. 3292 3293 @return Return 0 if access is granted, otherwise an appropriate value for 3294 errno should be returned. 3295*/ 3296typedef int mpo_proc_check_setauid_t( 3297 kauth_cred_t cred, 3298 uid_t auid 3299); 3300/** 3301 @brief Access control check for setting the Login Context 3302 @param p0 Calling process 3303 @param p Effected process 3304 @param pid syscall PID argument 3305 @param lcid syscall LCID argument 3306 3307 Determine if setlcid(2) system call is permitted. 3308 3309 See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of 3310 decoding syscall arguments to determine action desired by caller. 3311 3312 Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN 3313 3314 @return Return 0 if access is granted, otherwise an appropriate value for 3315 errno should be returned. 3316*/ 3317typedef int mpo_proc_check_setlcid_t( 3318 struct proc *p0, 3319 struct proc *p, 3320 pid_t pid, 3321 pid_t lcid 3322); 3323/** 3324 @brief Access control check for delivering signal 3325 @param cred Subject credential 3326 @param proc Object process 3327 @param signum Signal number; see kill(2) 3328 3329 Determine whether the subject identified by the credential can deliver 3330 the passed signal to the passed process. 3331 3332 @warning Programs typically expect to be able to send and receive 3333 signals as part or their normal process lifecycle; caution should be 3334 exercised when implementing access controls over signal events. 3335 3336 @return Return 0 if access is granted, otherwise an appropriate value for 3337 errno should be returned. Suggested failure: EACCES for label mismatch, 3338 EPERM for lack of privilege, or ESRCH to limit visibility. 3339*/ 3340typedef int mpo_proc_check_signal_t( 3341 kauth_cred_t cred, 3342 struct proc *proc, 3343 int signum 3344); 3345/** 3346 @brief Access control check for wait 3347 @param cred Subject credential 3348 @param proc Object process 3349 3350 Determine whether the subject identified by the credential can wait 3351 for process termination. 3352 3353 @warning Caution should be exercised when implementing access 3354 controls for wait, since programs often wait for child processes to 3355 exit. Failure to be notified of a child process terminating may 3356 cause the parent process to hang, or may produce zombie processes. 3357 3358 @return Return 0 if access is granted, otherwise an appropriate value for 3359 errno should be returned. 3360*/ 3361typedef int mpo_proc_check_wait_t( 3362 kauth_cred_t cred, 3363 struct proc *proc 3364); 3365/** 3366 @brief Destroy process label 3367 @param label The label to be destroyed 3368 3369 Destroy a process label. Since the object is going 3370 out of scope, policy modules should free any internal storage 3371 associated with the label so that it may be destroyed. 3372*/ 3373typedef void mpo_proc_label_destroy_t( 3374 struct label *label 3375); 3376/** 3377 @brief Initialize process label 3378 @param label New label to initialize 3379 @see mpo_cred_label_init_t 3380 3381 Initialize the label for a newly instantiated BSD process structure. 3382 Normally, security policies will store the process label in the user 3383 credential rather than here in the process structure. However, 3384 there are some floating label policies that may need to temporarily 3385 store a label in the process structure until it is safe to update 3386 the user credential label. Sleeping is permitted. 3387*/ 3388typedef void mpo_proc_label_init_t( 3389 struct label *label 3390); 3391/** 3392 @brief Access control check for socket accept 3393 @param cred Subject credential 3394 @param socket Object socket 3395 @param socklabel Policy label for socket 3396 3397 Determine whether the subject identified by the credential can accept() 3398 a new connection on the socket from the host specified by addr. 3399 3400 @return Return 0 if access if granted, otherwise an appropriate 3401 value for errno should be returned. 3402*/ 3403typedef int mpo_socket_check_accept_t( 3404 kauth_cred_t cred, 3405 socket_t so, 3406 struct label *socklabel 3407); 3408/** 3409 @brief Access control check for a pending socket accept 3410 @param cred Subject credential 3411 @param so Object socket 3412 @param socklabel Policy label for socket 3413 @param addr Address of the listening socket (coming soon) 3414 3415 Determine whether the subject identified by the credential can accept() 3416 a pending connection on the socket from the host specified by addr. 3417 3418 @return Return 0 if access if granted, otherwise an appropriate 3419 value for errno should be returned. 3420*/ 3421typedef int mpo_socket_check_accepted_t( 3422 kauth_cred_t cred, 3423 socket_t so, 3424 struct label *socklabel, 3425 struct sockaddr *addr 3426); 3427/** 3428 @brief Access control check for socket bind 3429 @param cred Subject credential 3430 @param so Object socket 3431 @param socklabel Policy label for socket 3432 @param addr Name to assign to the socket 3433 3434 Determine whether the subject identified by the credential can bind() 3435 the name (addr) to the socket. 3436 3437 @return Return 0 if access if granted, otherwise an appropriate 3438 value for errno should be returned. 3439*/ 3440typedef int mpo_socket_check_bind_t( 3441 kauth_cred_t cred, 3442 socket_t so, 3443 struct label *socklabel, 3444 struct sockaddr *addr 3445); 3446/** 3447 @brief Access control check for socket connect 3448 @param cred Subject credential 3449 @param so Object socket 3450 @param socklabel Policy label for socket 3451 @param addr Name to assign to the socket 3452 3453 Determine whether the subject identified by the credential can 3454 connect() the passed socket to the remote host specified by addr. 3455 3456 @return Return 0 if access if granted, otherwise an appropriate 3457 value for errno should be returned. 3458*/ 3459typedef int mpo_socket_check_connect_t( 3460 kauth_cred_t cred, 3461 socket_t so, 3462 struct label *socklabel, 3463 struct sockaddr *addr 3464); 3465/** 3466 @brief Access control check for socket() system call. 3467 @param cred Subject credential 3468 @param domain communication domain 3469 @param type socket type 3470 @param protocol socket protocol 3471 3472 Determine whether the subject identified by the credential can 3473 make the socket() call. 3474 3475 @return Return 0 if access if granted, otherwise an appropriate 3476 value for errno should be returned. 3477*/ 3478typedef int mpo_socket_check_create_t( 3479 kauth_cred_t cred, 3480 int domain, 3481 int type, 3482 int protocol 3483); 3484/** 3485 @brief Access control check for delivering data to a user's receieve queue 3486 @param so The socket data is being delivered to 3487 @param so_label The label of so 3488 @param m The mbuf whose data will be deposited into the receive queue 3489 @param m_label The label of the sender of the data. 3490 3491 A socket has a queue for receiving incoming data. When a packet arrives 3492 on the wire, it eventually gets deposited into this queue, which the 3493 owner of the socket drains when they read from the socket's file descriptor. 3494 3495 This function determines whether the socket can receive data from 3496 the sender specified by m_label. 3497 3498 @warning There is an outstanding design issue surrounding the placement 3499 of this function. The check must be placed either before or after the 3500 TCP sequence and ACK counters are updated. Placing the check before 3501 the counters are updated causes the incoming packet to be resent by 3502 the remote if the check rejects it. Placing the check after the counters 3503 are updated results in a completely silent drop. As far as each TCP stack 3504 is concerned the packet was received, however, the data will not be in the 3505 socket's receive queue. Another consideration is that the current design 3506 requires using the "failed label" occasionally. In that case, on rejection, 3507 we want the remote TCP to resend the data. Because of this, we chose to 3508 place this check before the counters are updated, so rejected packets will be 3509 resent by the remote host. 3510 3511 If a policy keeps rejecting the same packet, eventually the connection will 3512 be dropped. Policies have several options if this design causes problems. 3513 For example, one options is to sanitize the mbuf such that it is acceptable, 3514 then accept it. That may require negotiation between policies as the 3515 Framework will not know to re-check the packet. 3516 3517 The policy must handle NULL MBUF labels. This will likely be the case 3518 for non-local TCP sockets for example. 3519 3520 @return Return 0 if access if granted, otherwise an appropriate 3521 value for errno should be returned. 3522*/ 3523typedef int mpo_socket_check_deliver_t( 3524 socket_t so, 3525 struct label *so_label, 3526 struct mbuf *m, 3527 struct label *m_label 3528); 3529/** 3530 @brief Access control check for socket kqfilter 3531 @param cred Subject credential 3532 @param kn Object knote 3533 @param so Object socket 3534 @param socklabel Policy label for socket 3535 3536 Determine whether the subject identified by the credential can 3537 receive the knote on the passed socket. 3538 3539 @return Return 0 if access if granted, otherwise an appropriate 3540 value for errno should be returned. 3541*/ 3542typedef int mpo_socket_check_kqfilter_t( 3543 kauth_cred_t cred, 3544 struct knote *kn, 3545 socket_t so, 3546 struct label *socklabel 3547); 3548/** 3549 @brief Access control check for socket relabel 3550 @param cred Subject credential 3551 @param so Object socket 3552 @param so_label The current label of so 3553 @param newlabel The label to be assigned to so 3554 3555 Determine whether the subject identified by the credential can 3556 change the label on the socket. 3557 3558 @return Return 0 if access if granted, otherwise an appropriate 3559 value for errno should be returned. 3560*/ 3561typedef int mpo_socket_check_label_update_t( 3562 kauth_cred_t cred, 3563 socket_t so, 3564 struct label *so_label, 3565 struct label *newlabel 3566); 3567/** 3568 @brief Access control check for socket listen 3569 @param cred Subject credential 3570 @param so Object socket 3571 @param socklabel Policy label for socket 3572 3573 Determine whether the subject identified by the credential can 3574 listen() on the passed socket. 3575 3576 @return Return 0 if access if granted, otherwise an appropriate 3577 value for errno should be returned. 3578*/ 3579typedef int mpo_socket_check_listen_t( 3580 kauth_cred_t cred, 3581 socket_t so, 3582 struct label *socklabel 3583); 3584/** 3585 @brief Access control check for socket receive 3586 @param cred Subject credential 3587 @param so Object socket 3588 @param socklabel Policy label for socket 3589 3590 Determine whether the subject identified by the credential can 3591 receive data from the socket. 3592 3593 @return Return 0 if access if granted, otherwise an appropriate 3594 value for errno should be returned. 3595*/ 3596typedef int mpo_socket_check_receive_t( 3597 kauth_cred_t cred, 3598 socket_t so, 3599 struct label *socklabel 3600); 3601 3602/** 3603 @brief Access control check for socket receive 3604 @param cred Subject credential 3605 @param socket Object socket 3606 @param socklabel Policy label for socket 3607 @param addr Name of the remote socket 3608 3609 Determine whether the subject identified by the credential can 3610 receive data from the remote host specified by addr. 3611 3612 @return Return 0 if access if granted, otherwise an appropriate 3613 value for errno should be returned. 3614*/ 3615typedef int mpo_socket_check_received_t( 3616 kauth_cred_t cred, 3617 struct socket *sock, 3618 struct label *socklabel, 3619 struct sockaddr *saddr 3620 ); 3621 3622 3623/** 3624 @brief Access control check for socket select 3625 @param cred Subject credential 3626 @param so Object socket 3627 @param socklabel Policy label for socket 3628 @param which The operation selected on: FREAD or FWRITE 3629 3630 Determine whether the subject identified by the credential can use the 3631 socket in a call to select(). 3632 3633 @return Return 0 if access if granted, otherwise an appropriate 3634 value for errno should be returned. 3635*/ 3636typedef int mpo_socket_check_select_t( 3637 kauth_cred_t cred, 3638 socket_t so, 3639 struct label *socklabel, 3640 int which 3641); 3642/** 3643 @brief Access control check for socket send 3644 @param cred Subject credential 3645 @param so Object socket 3646 @param socklabel Policy label for socket 3647 @param addr Address being sent to 3648 3649 Determine whether the subject identified by the credential can send 3650 data to the socket. 3651 3652 @return Return 0 if access if granted, otherwise an appropriate 3653 value for errno should be returned. 3654*/ 3655typedef int mpo_socket_check_send_t( 3656 kauth_cred_t cred, 3657 socket_t so, 3658 struct label *socklabel, 3659 struct sockaddr *addr 3660); 3661/** 3662 @brief Access control check for retrieving socket status 3663 @param cred Subject credential 3664 @param so Object socket 3665 @param socklabel Policy label for so 3666 3667 Determine whether the subject identified by the credential can 3668 execute the stat() system call on the given socket. 3669 3670 @return Return 0 if access if granted, otherwise an appropriate 3671 value for errno should be returned. 3672*/ 3673typedef int mpo_socket_check_stat_t( 3674 kauth_cred_t cred, 3675 socket_t so, 3676 struct label *socklabel 3677); 3678/** 3679 @brief Access control check for setting socket options 3680 @param cred Subject credential 3681 @param so Object socket 3682 @param socklabel Policy label for so 3683 @param sopt The options being set 3684 3685 Determine whether the subject identified by the credential can 3686 execute the setsockopt system call on the given socket. 3687 3688 @return Return 0 if access if granted, otherwise an appropriate 3689 value for errno should be returned. 3690*/ 3691typedef int mpo_socket_check_setsockopt_t( 3692 kauth_cred_t cred, 3693 socket_t so, 3694 struct label *socklabel, 3695 struct sockopt *sopt 3696); 3697/** 3698 @brief Access control check for getting socket options 3699 @param cred Subject credential 3700 @param so Object socket 3701 @param socklabel Policy label for so 3702 @param sopt The options to get 3703 3704 Determine whether the subject identified by the credential can 3705 execute the getsockopt system call on the given socket. 3706 3707 @return Return 0 if access if granted, otherwise an appropriate 3708 value for errno should be returned. 3709*/ 3710typedef int mpo_socket_check_getsockopt_t( 3711 kauth_cred_t cred, 3712 socket_t so, 3713 struct label *socklabel, 3714 struct sockopt *sopt 3715); 3716/** 3717 @brief Label a socket 3718 @param oldsock Listening socket 3719 @param oldlabel Policy label associated with oldsock 3720 @param newsock New socket 3721 @param newlabel Policy label associated with newsock 3722 3723 A new socket is created when a connection is accept(2)ed. This 3724 function labels the new socket based on the existing listen(2)ing 3725 socket. 3726*/ 3727typedef void mpo_socket_label_associate_accept_t( 3728 socket_t oldsock, 3729 struct label *oldlabel, 3730 socket_t newsock, 3731 struct label *newlabel 3732); 3733/** 3734 @brief Assign a label to a new socket 3735 @param cred Credential of the owning process 3736 @param so The socket being labeled 3737 @param solabel The label 3738 @warning cred can be NULL 3739 3740 Set the label on a newly created socket from the passed subject 3741 credential. This call is made when a socket is created. The 3742 credentials may be null if the socket is being created by the 3743 kernel. 3744*/ 3745typedef void mpo_socket_label_associate_t( 3746 kauth_cred_t cred, 3747 socket_t so, 3748 struct label *solabel 3749); 3750/** 3751 @brief Copy a socket label 3752 @param src Source label 3753 @param dest Destination label 3754 3755 Copy the socket label information in src into dest. 3756*/ 3757typedef void mpo_socket_label_copy_t( 3758 struct label *src, 3759 struct label *dest 3760); 3761/** 3762 @brief Destroy socket label 3763 @param label The label to be destroyed 3764 3765 Destroy a socket label. Since the object is going out of 3766 scope, policy modules should free any internal storage associated 3767 with the label so that it may be destroyed. 3768*/ 3769typedef void mpo_socket_label_destroy_t( 3770 struct label *label 3771); 3772/** 3773 @brief Externalize a socket label 3774 @param label Label to be externalized 3775 @param element_name Name of the label namespace for which labels should be 3776 externalized 3777 @param sb String buffer to be filled with a text representation of label 3778 3779 Produce an externalized socket label based on the label structure passed. 3780 An externalized label consists of a text representation of the label 3781 contents that can be used with userland applications and read by the 3782 user. If element_name does not match a namespace managed by the policy, 3783 simply return 0. Only return nonzero if an error occurs while externalizing 3784 the label data. 3785 3786 @return In the event of an error, an appropriate value for errno 3787 should be returned, otherwise return 0 upon success. 3788*/ 3789typedef int mpo_socket_label_externalize_t( 3790 struct label *label, 3791 char *element_name, 3792 struct sbuf *sb 3793); 3794/** 3795 @brief Initialize socket label 3796 @param label New label to initialize 3797 @param waitok Malloc flags 3798 3799 Initialize the label of a newly instantiated socket. The waitok 3800 field may be one of M_WAITOK and M_NOWAIT, and should be employed to 3801 avoid performing a sleeping malloc(9) during this initialization 3802 call. It it not always safe to sleep during this entry point. 3803 3804 @warning Since it is possible for the waitok flags to be set to 3805 M_NOWAIT, the malloc operation may fail. 3806 3807 @return In the event of an error, an appropriate value for errno 3808 should be returned, otherwise return 0 upon success. 3809*/ 3810typedef int mpo_socket_label_init_t( 3811 struct label *label, 3812 int waitok 3813); 3814/** 3815 @brief Internalize a socket label 3816 @param label Label to be filled in 3817 @param element_name Name of the label namespace for which the label should 3818 be internalized 3819 @param element_data Text data to be internalized 3820 3821 Produce an internal socket label structure based on externalized label 3822 data in text format. 3823 3824 The policy's internalize entry points will be called only if the 3825 policy has registered interest in the label namespace. 3826 3827 @return In the event of an error, an appropriate value for errno 3828 should be returned, otherwise return 0 upon success. 3829*/ 3830typedef int mpo_socket_label_internalize_t( 3831 struct label *label, 3832 char *element_name, 3833 char *element_data 3834); 3835/** 3836 @brief Relabel socket 3837 @param cred Subject credential 3838 @param so Object; socket 3839 @param so_label Current label of the socket 3840 @param newlabel The label to be assigned to so 3841 3842 The subject identified by the credential has previously requested 3843 and was authorized to relabel the socket; this entry point allows 3844 policies to perform the actual label update operation. 3845 3846 @warning XXX This entry point will likely change in future versions. 3847*/ 3848typedef void mpo_socket_label_update_t( 3849 kauth_cred_t cred, 3850 socket_t so, 3851 struct label *so_label, 3852 struct label *newlabel 3853); 3854/** 3855 @brief Set the peer label on a socket from mbuf 3856 @param m Mbuf chain received on socket so 3857 @param m_label Label for m 3858 @param so Current label for the socket 3859 @param so_label Policy label to be filled out for the socket 3860 3861 Set the peer label of a socket based on the label of the sender of the 3862 mbuf. 3863 3864 This is called for every TCP/IP packet received. The first call for a given 3865 socket operates on a newly initialized label, and subsequent calls operate 3866 on existing label data. 3867 3868 @warning Because this can affect performance significantly, it has 3869 different sematics than other 'set' operations. Typically, 'set' operations 3870 operate on newly initialzed labels and policies do not need to worry about 3871 clobbering existing values. In this case, it is too inefficient to 3872 initialize and destroy a label every time data is received for the socket. 3873 Instead, it is up to the policies to determine how to replace the label data. 3874 Most policies should be able to replace the data inline. 3875*/ 3876typedef void mpo_socketpeer_label_associate_mbuf_t( 3877 struct mbuf *m, 3878 struct label *m_label, 3879 socket_t so, 3880 struct label *so_label 3881); 3882/** 3883 @brief Set the peer label on a socket from socket 3884 @param source Local socket 3885 @param sourcelabel Policy label for source 3886 @param target Peer socket 3887 @param targetlabel Policy label to fill in for target 3888 3889 Set the peer label on a stream UNIX domain socket from the passed 3890 remote socket endpoint. This call will be made when the socket pair 3891 is connected, and will be made for both endpoints. 3892 3893 Note that this call is only made on connection; it is currently not updated 3894 during communication. 3895*/ 3896typedef void mpo_socketpeer_label_associate_socket_t( 3897 socket_t source, 3898 struct label *sourcelabel, 3899 socket_t target, 3900 struct label *targetlabel 3901); 3902/** 3903 @brief Destroy socket peer label 3904 @param label The peer label to be destroyed 3905 3906 Destroy a socket peer label. Since the object is going out of 3907 scope, policy modules should free any internal storage associated 3908 with the label so that it may be destroyed. 3909*/ 3910typedef void mpo_socketpeer_label_destroy_t( 3911 struct label *label 3912); 3913/** 3914 @brief Externalize a socket peer label 3915 @param label Label to be externalized 3916 @param element_name Name of the label namespace for which labels should be 3917 externalized 3918 @param sb String buffer to be filled with a text representation of label 3919 3920 Produce an externalized socket peer label based on the label structure 3921 passed. An externalized label consists of a text representation of the 3922 label contents that can be used with userland applications and read by the 3923 user. If element_name does not match a namespace managed by the policy, 3924 simply return 0. Only return nonzero if an error occurs while externalizing 3925 the label data. 3926 3927 @return In the event of an error, an appropriate value for errno 3928 should be returned, otherwise return 0 upon success. 3929*/ 3930typedef int mpo_socketpeer_label_externalize_t( 3931 struct label *label, 3932 char *element_name, 3933 struct sbuf *sb 3934); 3935/** 3936 @brief Initialize socket peer label 3937 @param label New label to initialize 3938 @param waitok Malloc flags 3939 3940 Initialize the peer label of a newly instantiated socket. The 3941 waitok field may be one of M_WAITOK and M_NOWAIT, and should be 3942 employed to avoid performing a sleeping malloc(9) during this 3943 initialization call. It it not always safe to sleep during this 3944 entry point. 3945 3946 @warning Since it is possible for the waitok flags to be set to 3947 M_NOWAIT, the malloc operation may fail. 3948 3949 @return In the event of an error, an appropriate value for errno 3950 should be returned, otherwise return 0 upon success. 3951*/ 3952typedef int mpo_socketpeer_label_init_t( 3953 struct label *label, 3954 int waitok 3955); 3956/** 3957 @brief Access control check for enabling accounting 3958 @param cred Subject credential 3959 @param vp Accounting file 3960 @param vlabel Label associated with vp 3961 3962 Determine whether the subject should be allowed to enable accounting, 3963 based on its label and the label of the accounting log file. See 3964 acct(5) for more information. 3965 3966 As accounting is disabled by passing NULL to the acct(2) system call, 3967 the policy should be prepared for both 'vp' and 'vlabel' to be NULL. 3968 3969 @return Return 0 if access is granted, otherwise an appropriate value for 3970 errno should be returned. 3971*/ 3972typedef int mpo_system_check_acct_t( 3973 kauth_cred_t cred, 3974 struct vnode *vp, 3975 struct label *vlabel 3976); 3977/** 3978 @brief Access control check for audit 3979 @param cred Subject credential 3980 @param record Audit record 3981 @param length Audit record length 3982 3983 Determine whether the subject identified by the credential can submit 3984 an audit record for inclusion in the audit log via the audit() system call. 3985 3986 @return Return 0 if access is granted, otherwise an appropriate value for 3987 errno should be returned. 3988*/ 3989typedef int mpo_system_check_audit_t( 3990 kauth_cred_t cred, 3991 void *record, 3992 int length 3993); 3994/** 3995 @brief Access control check for controlling audit 3996 @param cred Subject credential 3997 @param vp Audit file 3998 @param vl Label associated with vp 3999 4000 Determine whether the subject should be allowed to enable auditing using 4001 the auditctl() system call, based on its label and the label of the proposed 4002 audit file. 4003 4004 @return Return 0 if access is granted, otherwise an appropriate value for 4005 errno should be returned. 4006*/ 4007typedef int mpo_system_check_auditctl_t( 4008 kauth_cred_t cred, 4009 struct vnode *vp, 4010 struct label *vl 4011); 4012/** 4013 @brief Access control check for manipulating auditing 4014 @param cred Subject credential 4015 @param cmd Audit control command 4016 4017 Determine whether the subject identified by the credential can perform 4018 the audit subsystem control operation cmd via the auditon() system call. 4019 4020 @return Return 0 if access is granted, otherwise an appropriate value for 4021 errno should be returned. 4022*/ 4023typedef int mpo_system_check_auditon_t( 4024 kauth_cred_t cred, 4025 int cmd 4026); 4027/** 4028 @brief Access control check for using CHUD facilities 4029 @param cred Subject credential 4030 4031 Determine whether the subject identified by the credential can perform 4032 performance-related tasks using the CHUD system call. 4033 4034 @return Return 0 if access is granted, otherwise an appropriate value for 4035 errno should be returned. 4036*/ 4037typedef int mpo_system_check_chud_t( 4038 kauth_cred_t cred 4039); 4040/** 4041 @brief Access control check for obtaining the host control port 4042 @param cred Subject credential 4043 4044 Determine whether the subject identified by the credential can 4045 obtain the host control port. 4046 4047 @return Return 0 if access is granted, or non-zero otherwise. 4048*/ 4049typedef int mpo_system_check_host_priv_t( 4050 kauth_cred_t cred 4051); 4052/** 4053 @brief Access control check for obtaining system information 4054 @param cred Subject credential 4055 @param info_type A description of the information requested 4056 4057 Determine whether the subject identified by the credential should be 4058 allowed to obtain information about the system. 4059 4060 This is a generic hook that can be used in a variety of situations where 4061 information is being returned that might be considered sensitive. 4062 Rather than adding a new MAC hook for every such interface, this hook can 4063 be called with a string identifying the type of information requested. 4064 4065 @return Return 0 if access is granted, otherwise an appropriate value for 4066 errno should be returned. 4067*/ 4068typedef int mpo_system_check_info_t( 4069 kauth_cred_t cred, 4070 const char *info_type 4071); 4072/** 4073 @brief Access control check for calling NFS services 4074 @param cred Subject credential 4075 4076 Determine whether the subject identified by the credential should be 4077 allowed to call nfssrv(2). 4078 4079 @return Return 0 if access is granted, otherwise an appropriate value for 4080 errno should be returned. 4081*/ 4082typedef int mpo_system_check_nfsd_t( 4083 kauth_cred_t cred 4084); 4085/** 4086 @brief Access control check for reboot 4087 @param cred Subject credential 4088 @param howto howto parameter from reboot(2) 4089 4090 Determine whether the subject identified by the credential should be 4091 allowed to reboot the system in the specified manner. 4092 4093 @return Return 0 if access is granted, otherwise an appropriate value for 4094 errno should be returned. 4095*/ 4096typedef int mpo_system_check_reboot_t( 4097 kauth_cred_t cred, 4098 int howto 4099); 4100/** 4101 @brief Access control check for setting system clock 4102 @param cred Subject credential 4103 4104 Determine whether the subject identified by the credential should be 4105 allowed to set the system clock. 4106 4107 @return Return 0 if access is granted, otherwise an appropriate value for 4108 errno should be returned. 4109*/ 4110typedef int mpo_system_check_settime_t( 4111 kauth_cred_t cred 4112); 4113/** 4114 @brief Access control check for removing swap devices 4115 @param cred Subject credential 4116 @param vp Swap device 4117 @param label Label associated with vp 4118 4119 Determine whether the subject identified by the credential should be 4120 allowed to remove vp as a swap device. 4121 4122 @return Return 0 if access is granted, otherwise an appropriate value for 4123 errno should be returned. 4124*/ 4125typedef int mpo_system_check_swapoff_t( 4126 kauth_cred_t cred, 4127 struct vnode *vp, 4128 struct label *label 4129); 4130/** 4131 @brief Access control check for adding swap devices 4132 @param cred Subject credential 4133 @param vp Swap device 4134 @param label Label associated with vp 4135 4136 Determine whether the subject identified by the credential should be 4137 allowed to add vp as a swap device. 4138 4139 @return Return 0 if access is granted, otherwise an appropriate value for 4140 errno should be returned. 4141*/ 4142typedef int mpo_system_check_swapon_t( 4143 kauth_cred_t cred, 4144 struct vnode *vp, 4145 struct label *label 4146); 4147/** 4148 @brief Access control check for sysctl 4149 @param cred Subject credential 4150 @param name Integer name; see sysctl(3) 4151 @param namelen Length of name array of integers; see sysctl(3) 4152 @param old 0 or address where to store old value; see sysctl(3) 4153 @param oldlenp Pointer to length of old buffer; see sysctl(3) 4154 @param inkernel Boolean; 1 if called from kernel 4155 @param newvalue 0 or address of new value; see sysctl(3) 4156 @param newlen Length of new buffer; see sysctl(3) 4157 4158 Determine whether the subject identified by the credential should be 4159 allowed to make the specified sysctl(3) transaction. 4160 4161 The sysctl(3) call specifies that if the old value is not desired, 4162 oldp and oldlenp should be set to NULL. Likewise, if a new value is 4163 not to be set, newp should be set to NULL and newlen set to 0. 4164 4165 @return Return 0 if access is granted, otherwise an appropriate value for 4166 errno should be returned. 4167*/ 4168typedef int mpo_system_check_sysctl_t( 4169 kauth_cred_t cred, 4170 int *name, 4171 u_int namelen, 4172 user_addr_t old, /* NULLOK */ 4173 user_addr_t oldlenp, /* NULLOK */ 4174 int inkernel, 4175 user_addr_t newvalue, /* NULLOK */ 4176 size_t newlen 4177); 4178/** 4179 @brief Access control check for kas_info 4180 @param cred Subject credential 4181 @param selector Category of information to return. See kas_info.h 4182 4183 Determine whether the subject identified by the credential can perform 4184 introspection of the kernel address space layout for 4185 debugging/performance analysis. 4186 4187 @return Return 0 if access is granted, otherwise an appropriate value for 4188 errno should be returned. 4189*/ 4190typedef int mpo_system_check_kas_info_t( 4191 kauth_cred_t cred, 4192 int selector 4193); 4194/** 4195 @brief Create a System V message label 4196 @param cred Subject credential 4197 @param msqkptr The message queue the message will be placed in 4198 @param msqlabel The label of the message queue 4199 @param msgptr The message 4200 @param msglabel The label of the message 4201 4202 Label the message as its placed in the message queue. 4203*/ 4204typedef void mpo_sysvmsg_label_associate_t( 4205 kauth_cred_t cred, 4206 struct msqid_kernel *msqptr, 4207 struct label *msqlabel, 4208 struct msg *msgptr, 4209 struct label *msglabel 4210); 4211/** 4212 @brief Destroy System V message label 4213 @param label The label to be destroyed 4214 4215 Destroy a System V message label. Since the object is 4216 going out of scope, policy modules should free any internal storage 4217 associated with the label so that it may be destroyed. 4218*/ 4219typedef void mpo_sysvmsg_label_destroy_t( 4220 struct label *label 4221); 4222/** 4223 @brief Initialize System V message label 4224 @param label New label to initialize 4225 4226 Initialize the label for a newly instantiated System V message. 4227*/ 4228typedef void mpo_sysvmsg_label_init_t( 4229 struct label *label 4230); 4231/** 4232 @brief Clean up a System V message label 4233 @param label The label to be destroyed 4234 4235 Clean up a System V message label. Darwin pre-allocates 4236 messages at system boot time and re-uses them rather than 4237 allocating new ones. Before messages are returned to the "free 4238 pool", policies can cleanup or overwrite any information present in 4239 the label. 4240*/ 4241typedef void mpo_sysvmsg_label_recycle_t( 4242 struct label *label 4243); 4244/** 4245 @brief Access control check for System V message enqueuing 4246 @param cred Subject credential 4247 @param msgptr The message 4248 @param msglabel The message's label 4249 @param msqkptr The message queue 4250 @param msqlabel The message queue's label 4251 4252 Determine whether the subject identified by the credential can add the 4253 given message to the given message queue. 4254 4255 @return Return 0 if access is granted, otherwise an appropriate value for 4256 errno should be returned. 4257*/ 4258typedef int mpo_sysvmsq_check_enqueue_t( 4259 kauth_cred_t cred, 4260 struct msg *msgptr, 4261 struct label *msglabel, 4262 struct msqid_kernel *msqptr, 4263 struct label *msqlabel 4264); 4265/** 4266 @brief Access control check for System V message reception 4267 @param cred The credential of the intended recipient 4268 @param msgptr The message 4269 @param msglabel The message's label 4270 4271 Determine whether the subject identified by the credential can receive 4272 the given message. 4273 4274 @return Return 0 if access is granted, otherwise an appropriate value for 4275 errno should be returned. 4276*/ 4277typedef int mpo_sysvmsq_check_msgrcv_t( 4278 kauth_cred_t cred, 4279 struct msg *msgptr, 4280 struct label *msglabel 4281); 4282/** 4283 @brief Access control check for System V message queue removal 4284 @param cred The credential of the caller 4285 @param msgptr The message 4286 @param msglabel The message's label 4287 4288 System V message queues are removed using the msgctl() system call. 4289 The system will iterate over each messsage in the queue, calling this 4290 function for each, to determine whether the caller has the appropriate 4291 credentials. 4292 4293 @return Return 0 if access is granted, otherwise an appropriate value for 4294 errno should be returned. 4295*/ 4296typedef int mpo_sysvmsq_check_msgrmid_t( 4297 kauth_cred_t cred, 4298 struct msg *msgptr, 4299 struct label *msglabel 4300); 4301/** 4302 @brief Access control check for msgctl() 4303 @param cred The credential of the caller 4304 @param msqptr The message queue 4305 @param msqlabel The message queue's label 4306 4307 This access check is performed to validate calls to msgctl(). 4308 4309 @return Return 0 if access is granted, otherwise an appropriate value for 4310 errno should be returned. 4311*/ 4312typedef int mpo_sysvmsq_check_msqctl_t( 4313 kauth_cred_t cred, 4314 struct msqid_kernel *msqptr, 4315 struct label *msqlabel, 4316 int cmd 4317); 4318/** 4319 @brief Access control check to get a System V message queue 4320 @param cred The credential of the caller 4321 @param msqptr The message queue requested 4322 @param msqlabel The message queue's label 4323 4324 On a call to msgget(), if the queue requested already exists, 4325 and it is a public queue, this check will be performed before the 4326 queue's ID is returned to the user. 4327 4328 @return Return 0 if access is granted, otherwise an appropriate value for 4329 errno should be returned. 4330*/ 4331typedef int mpo_sysvmsq_check_msqget_t( 4332 kauth_cred_t cred, 4333 struct msqid_kernel *msqptr, 4334 struct label *msqlabel 4335); 4336/** 4337 @brief Access control check to receive a System V message from the given queue 4338 @param cred The credential of the caller 4339 @param msqptr The message queue to receive from 4340 @param msqlabel The message queue's label 4341 4342 On a call to msgrcv(), this check is performed to determine whether the 4343 caller has receive rights on the given queue. 4344 4345 @return Return 0 if access is granted, otherwise an appropriate value for 4346 errno should be returned. 4347*/ 4348typedef int mpo_sysvmsq_check_msqrcv_t( 4349 kauth_cred_t cred, 4350 struct msqid_kernel *msqptr, 4351 struct label *msqlabel 4352); 4353/** 4354 @brief Access control check to send a System V message to the given queue 4355 @param cred The credential of the caller 4356 @param msqptr The message queue to send to 4357 @param msqlabel The message queue's label 4358 4359 On a call to msgsnd(), this check is performed to determine whether the 4360 caller has send rights on the given queue. 4361 4362 @return Return 0 if access is granted, otherwise an appropriate value for 4363 errno should be returned. 4364*/ 4365typedef int mpo_sysvmsq_check_msqsnd_t( 4366 kauth_cred_t cred, 4367 struct msqid_kernel *msqptr, 4368 struct label *msqlabel 4369); 4370/** 4371 @brief Create a System V message queue label 4372 @param cred Subject credential 4373 @param msqkptr The message queue 4374 @param msqlabel The label of the message queue 4375 4376*/ 4377typedef void mpo_sysvmsq_label_associate_t( 4378 kauth_cred_t cred, 4379 struct msqid_kernel *msqptr, 4380 struct label *msqlabel 4381); 4382/** 4383 @brief Destroy System V message queue label 4384 @param label The label to be destroyed 4385 4386 Destroy a System V message queue label. Since the object is 4387 going out of scope, policy modules should free any internal storage 4388 associated with the label so that it may be destroyed. 4389*/ 4390typedef void mpo_sysvmsq_label_destroy_t( 4391 struct label *label 4392); 4393/** 4394 @brief Initialize System V message queue label 4395 @param label New label to initialize 4396 4397 Initialize the label for a newly instantiated System V message queue. 4398*/ 4399typedef void mpo_sysvmsq_label_init_t( 4400 struct label *label 4401); 4402/** 4403 @brief Clean up a System V message queue label 4404 @param label The label to be destroyed 4405 4406 Clean up a System V message queue label. Darwin pre-allocates 4407 message queues at system boot time and re-uses them rather than 4408 allocating new ones. Before message queues are returned to the "free 4409 pool", policies can cleanup or overwrite any information present in 4410 the label. 4411*/ 4412typedef void mpo_sysvmsq_label_recycle_t( 4413 struct label *label 4414); 4415/** 4416 @brief Access control check for System V semaphore control operation 4417 @param cred Subject credential 4418 @param semakptr Pointer to semaphore identifier 4419 @param semaklabel Label associated with semaphore 4420 @param cmd Control operation to be performed; see semctl(2) 4421 4422 Determine whether the subject identified by the credential can perform 4423 the operation indicated by cmd on the System V semaphore semakptr. 4424 4425 @return Return 0 if access is granted, otherwise an appropriate value for 4426 errno should be returned. 4427*/ 4428typedef int mpo_sysvsem_check_semctl_t( 4429 kauth_cred_t cred, 4430 struct semid_kernel *semakptr, 4431 struct label *semaklabel, 4432 int cmd 4433); 4434/** 4435 @brief Access control check for obtaining a System V semaphore 4436 @param cred Subject credential 4437 @param semakptr Pointer to semaphore identifier 4438 @param semaklabel Label to associate with the semaphore 4439 4440 Determine whether the subject identified by the credential can 4441 obtain a System V semaphore. 4442 4443 @return Return 0 if access is granted, otherwise an appropriate value for 4444 errno should be returned. 4445*/ 4446typedef int mpo_sysvsem_check_semget_t( 4447 kauth_cred_t cred, 4448 struct semid_kernel *semakptr, 4449 struct label *semaklabel 4450); 4451/** 4452 @brief Access control check for System V semaphore operations 4453 @param cred Subject credential 4454 @param semakptr Pointer to semaphore identifier 4455 @param semaklabel Label associated with the semaphore 4456 @param accesstype Flags to indicate access (read and/or write) 4457 4458 Determine whether the subject identified by the credential can 4459 perform the operations on the System V semaphore indicated by 4460 semakptr. The accesstype flags hold the maximum set of permissions 4461 from the sem_op array passed to the semop system call. It may 4462 contain SEM_R for read-only operations or SEM_A for read/write 4463 operations. 4464 4465 @return Return 0 if access is granted, otherwise an appropriate value for 4466 errno should be returned. 4467*/ 4468typedef int mpo_sysvsem_check_semop_t( 4469 kauth_cred_t cred, 4470 struct semid_kernel *semakptr, 4471 struct label *semaklabel, 4472 size_t accesstype 4473); 4474/** 4475 @brief Create a System V semaphore label 4476 @param cred Subject credential 4477 @param semakptr The semaphore being created 4478 @param semalabel Label to associate with the new semaphore 4479 4480 Label a new System V semaphore. The label was previously 4481 initialized and associated with the semaphore. At this time, an 4482 appropriate initial label value should be assigned to the object and 4483 stored in semalabel. 4484*/ 4485typedef void mpo_sysvsem_label_associate_t( 4486 kauth_cred_t cred, 4487 struct semid_kernel *semakptr, 4488 struct label *semalabel 4489); 4490/** 4491 @brief Destroy System V semaphore label 4492 @param label The label to be destroyed 4493 4494 Destroy a System V semaphore label. Since the object is 4495 going out of scope, policy modules should free any internal storage 4496 associated with the label so that it may be destroyed. 4497*/ 4498typedef void mpo_sysvsem_label_destroy_t( 4499 struct label *label 4500); 4501/** 4502 @brief Initialize System V semaphore label 4503 @param label New label to initialize 4504 4505 Initialize the label for a newly instantiated System V semaphore. Sleeping 4506 is permitted. 4507*/ 4508typedef void mpo_sysvsem_label_init_t( 4509 struct label *label 4510); 4511/** 4512 @brief Clean up a System V semaphore label 4513 @param label The label to be cleaned 4514 4515 Clean up a System V semaphore label. Darwin pre-allocates 4516 semaphores at system boot time and re-uses them rather than 4517 allocating new ones. Before semaphores are returned to the "free 4518 pool", policies can cleanup or overwrite any information present in 4519 the label. 4520*/ 4521typedef void mpo_sysvsem_label_recycle_t( 4522 struct label *label 4523); 4524/** 4525 @brief Access control check for mapping System V shared memory 4526 @param cred Subject credential 4527 @param shmsegptr Pointer to shared memory segment identifier 4528 @param shmseglabel Label associated with the shared memory segment 4529 @param shmflg shmat flags; see shmat(2) 4530 4531 Determine whether the subject identified by the credential can map 4532 the System V shared memory segment associated with shmsegptr. 4533 4534 @return Return 0 if access is granted, otherwise an appropriate value for 4535 errno should be returned. 4536*/ 4537typedef int mpo_sysvshm_check_shmat_t( 4538 kauth_cred_t cred, 4539 struct shmid_kernel *shmsegptr, 4540 struct label *shmseglabel, 4541 int shmflg 4542); 4543/** 4544 @brief Access control check for System V shared memory control operation 4545 @param cred Subject credential 4546 @param shmsegptr Pointer to shared memory segment identifier 4547 @param shmseglabel Label associated with the shared memory segment 4548 @param cmd Control operation to be performed; see shmctl(2) 4549 4550 Determine whether the subject identified by the credential can perform 4551 the operation indicated by cmd on the System V shared memory segment 4552 shmsegptr. 4553 4554 @return Return 0 if access is granted, otherwise an appropriate value for 4555 errno should be returned. 4556*/ 4557typedef int mpo_sysvshm_check_shmctl_t( 4558 kauth_cred_t cred, 4559 struct shmid_kernel *shmsegptr, 4560 struct label *shmseglabel, 4561 int cmd 4562); 4563/** 4564 @brief Access control check for unmapping System V shared memory 4565 @param cred Subject credential 4566 @param shmsegptr Pointer to shared memory segment identifier 4567 @param shmseglabel Label associated with the shared memory segment 4568 4569 Determine whether the subject identified by the credential can unmap 4570 the System V shared memory segment associated with shmsegptr. 4571 4572 @return Return 0 if access is granted, otherwise an appropriate value for 4573 errno should be returned. 4574*/ 4575typedef int mpo_sysvshm_check_shmdt_t( 4576 kauth_cred_t cred, 4577 struct shmid_kernel *shmsegptr, 4578 struct label *shmseglabel 4579); 4580/** 4581 @brief Access control check obtaining System V shared memory identifier 4582 @param cred Subject credential 4583 @param shmsegptr Pointer to shared memory segment identifier 4584 @param shmseglabel Label associated with the shared memory segment 4585 @param shmflg shmget flags; see shmget(2) 4586 4587 Determine whether the subject identified by the credential can get 4588 the System V shared memory segment address. 4589 4590 @return Return 0 if access is granted, otherwise an appropriate value for 4591 errno should be returned. 4592*/ 4593typedef int mpo_sysvshm_check_shmget_t( 4594 kauth_cred_t cred, 4595 struct shmid_kernel *shmsegptr, 4596 struct label *shmseglabel, 4597 int shmflg 4598); 4599/** 4600 @brief Create a System V shared memory region label 4601 @param cred Subject credential 4602 @param shmsegptr The shared memory region being created 4603 @param shmlabel Label to associate with the new shared memory region 4604 4605 Label a new System V shared memory region. The label was previously 4606 initialized and associated with the shared memory region. At this 4607 time, an appropriate initial label value should be assigned to the 4608 object and stored in shmlabel. 4609*/ 4610typedef void mpo_sysvshm_label_associate_t( 4611 kauth_cred_t cred, 4612 struct shmid_kernel *shmsegptr, 4613 struct label *shmlabel 4614); 4615/** 4616 @brief Destroy System V shared memory label 4617 @param label The label to be destroyed 4618 4619 Destroy a System V shared memory region label. Since the 4620 object is going out of scope, policy modules should free any 4621 internal storage associated with the label so that it may be 4622 destroyed. 4623*/ 4624typedef void mpo_sysvshm_label_destroy_t( 4625 struct label *label 4626); 4627/** 4628 @brief Initialize System V Shared Memory region label 4629 @param label New label to initialize 4630 4631 Initialize the label for a newly instantiated System V Shared Memory 4632 region. Sleeping is permitted. 4633*/ 4634typedef void mpo_sysvshm_label_init_t( 4635 struct label *label 4636); 4637/** 4638 @brief Clean up a System V Share Memory Region label 4639 @param shmlabel The label to be cleaned 4640 4641 Clean up a System V Shared Memory Region label. Darwin 4642 pre-allocates these objects at system boot time and re-uses them 4643 rather than allocating new ones. Before the memory regions are 4644 returned to the "free pool", policies can cleanup or overwrite any 4645 information present in the label. 4646*/ 4647typedef void mpo_sysvshm_label_recycle_t( 4648 struct label *shmlabel 4649); 4650/** 4651 @brief Access control check for getting a process's task name 4652 @param cred Subject credential 4653 @param proc Object process 4654 4655 Determine whether the subject identified by the credential can get 4656 the passed process's task name port. 4657 This call is used by the task_name_for_pid(2) API. 4658 4659 @return Return 0 if access is granted, otherwise an appropriate value for 4660 errno should be returned. Suggested failure: EACCES for label mismatch, 4661 EPERM for lack of privilege, or ESRCH to hide visibility of the target. 4662*/ 4663typedef int mpo_proc_check_get_task_name_t( 4664 kauth_cred_t cred, 4665 struct proc *p 4666); 4667/** 4668 @brief Access control check for getting a process's task port 4669 @param cred Subject credential 4670 @param proc Object process 4671 4672 Determine whether the subject identified by the credential can get 4673 the passed process's task control port. 4674 This call is used by the task_for_pid(2) API. 4675 4676 @return Return 0 if access is granted, otherwise an appropriate value for 4677 errno should be returned. Suggested failure: EACCES for label mismatch, 4678 EPERM for lack of privilege, or ESRCH to hide visibility of the target. 4679*/ 4680typedef int mpo_proc_check_get_task_t( 4681 kauth_cred_t cred, 4682 struct proc *p 4683); 4684/** 4685 @brief Privilege check for a process to run invalid 4686 @param proc Object process 4687 4688 Determine whether the process may execute even though the system determined 4689 that it is untrusted (eg unidentified / modified code). 4690 4691 @return Return 0 if access is granted, otherwise an appropriate value for 4692 errno should be returned. 4693 */ 4694typedef int mac_proc_check_run_cs_invalid_t( 4695 struct proc *p 4696); 4697 4698 4699/** 4700 @brief Assign a label to a new kernelspace Mach task 4701 @param kproc New task 4702 @param tasklabel Label for new task 4703 @param portlabel Label for new task port 4704 @see mpo_cred_label_associate_kernel_t 4705 4706 Assign labels to a new kernel task and its task port. Both the task and 4707 task port labels should be specified. Both new labels are initialized. 4708 If there is an associated BSD process structure, it will be labelled 4709 with calls to mpo_cred_label_associate_kernel. 4710*/ 4711typedef void mpo_task_label_associate_kernel_t( 4712 struct task *kproc, 4713 struct label *tasklabel, 4714 struct label *portlabel 4715); 4716/** 4717 @brief Assign a label to a new (userspace) Mach task 4718 @param parent Parent task 4719 @param child New (child) task 4720 @param parentlabel Label of parent task 4721 @param childlabel Label for new task 4722 @param childportlabel Label for new task's task port 4723 4724 Assign labels to a new task and its task port. Both the task and task port 4725 labels should be specified. Both new labels are initialized. If the task 4726 will have an associated BSD process, that information will be made available 4727 by the task_label_update and port_label_update_cred entry points. 4728*/ 4729typedef void mpo_task_label_associate_t( 4730 struct task *parent, 4731 struct task *child, 4732 struct label *parentlabel, 4733 struct label *childlabel, 4734 struct label *childportlabel 4735); 4736/** 4737 @brief Copy a Mach task label 4738 @param src Source task label 4739 @param dest Destination task label 4740 4741 Copy the Mach task label information from src to dest. This is used 4742 when duplicating label handles to implement copy-on-write semantics. 4743*/ 4744typedef void mpo_task_label_copy_t( 4745 struct label *src, 4746 struct label *dest 4747); 4748/** 4749 @brief Destroy Mach task label 4750 @param label The label to be destroyed 4751 4752 Destroy a Mach task label. Since the object is going out of 4753 scope, policy modules should free any internal storage associated 4754 with the label so that it may be destroyed. 4755*/ 4756typedef void mpo_task_label_destroy_t( 4757 struct label *label 4758); 4759/** 4760 @brief Externalize a task label 4761 @param label Label to be externalized 4762 @param element_name Name of the label namespace for which labels should be 4763 externalized 4764 @param sb String buffer to be filled with a text representation of the label 4765 4766 Produce an external representation of the label on a task. An 4767 externalized label consists of a text representation of the label 4768 contents that can be used with user applications. Policy-agnostic 4769 user space tools will display this externalized version. 4770 4771 @return 0 on success, return non-zero if an error occurs while 4772 externalizing the label data. 4773 4774*/ 4775typedef int mpo_task_label_externalize_t( 4776 struct label *label, 4777 char *element_name, 4778 struct sbuf *sb 4779); 4780/** 4781 @brief Initialize Mach task label 4782 @param label New label to initialize 4783 4784 Initialize the label for a newly instantiated Mach task. Sleeping 4785 is permitted. 4786*/ 4787typedef void mpo_task_label_init_t( 4788 struct label *label 4789); 4790/** 4791 @brief Internalize a task label 4792 @param label Label to be internalized 4793 @param element_name Name of the label namespace for which the label should 4794 be internalized 4795 @param element_data Text data to be internalized 4796 4797 Produce a task label from an external representation. An 4798 externalized label consists of a text representation of the label 4799 contents that can be used with user applications. Policy-agnostic 4800 user space tools will forward text version to the kernel for 4801 processing by individual policy modules. 4802 4803 The policy's internalize entry points will be called only if the 4804 policy has registered interest in the label namespace. 4805 4806 @return 0 on success, Otherwise, return non-zero if an error occurs 4807 while internalizing the label data. 4808 4809*/ 4810typedef int mpo_task_label_internalize_t( 4811 struct label *label, 4812 char *element_name, 4813 char *element_data 4814); 4815/** 4816 @brief Update a Mach task label 4817 @param cred User credential label to be used as the source 4818 @param task Mach task label to be used as the destination 4819 @see mpo_cred_label_update_t 4820 @see mpo_cred_label_update_execve_t 4821 4822 Update the label on a Mach task, using the supplied user credential 4823 label. When a mac_cred_label_update_execve or a mac_cred_label_update operation 4824 causes the label on a user credential to change, the Mach task label 4825 also needs to be updated to reflect the change. Both labels are 4826 already valid (initialized and created). 4827 4828 @warning XXX We may change the name of this entry point in a future 4829 version of the MAC framework. 4830*/ 4831typedef void mpo_task_label_update_t( 4832 struct label *cred, 4833 struct label *task 4834); 4835/** 4836 @brief Perform MAC-related events when a thread returns to user space 4837 @param thread Mach (not BSD) thread that is returning 4838 4839 This entry point permits policy modules to perform MAC-related 4840 events when a thread returns to user space, via a system call 4841 return or trap return. 4842*/ 4843typedef void mpo_thread_userret_t( 4844 struct thread *thread 4845); 4846/** 4847 @brief Initialize per thread label 4848 @param label New label to initialize 4849 4850 Initialize the label for a newly instantiated thread. 4851 Sleeping is permitted. 4852*/ 4853typedef void mpo_thread_label_init_t( 4854 struct label *label 4855); 4856/** 4857 @brief Destroy thread label 4858 @param label The label to be destroyed 4859 4860 Destroy a user thread label. Since the user thread 4861 is going out of scope, policy modules should free any internal 4862 storage associated with the label so that it may be destroyed. 4863*/ 4864typedef void mpo_thread_label_destroy_t( 4865 struct label *label 4866); 4867/** 4868 @brief Check vnode access 4869 @param cred Subject credential 4870 @param vp Object vnode 4871 @param label Label for vp 4872 @param acc_mode access(2) flags 4873 4874 Determine how invocations of access(2) and related calls by the 4875 subject identified by the credential should return when performed 4876 on the passed vnode using the passed access flags. This should 4877 generally be implemented using the same semantics used in 4878 mpo_vnode_check_open. 4879 4880 @return Return 0 if access is granted, otherwise an appropriate value for 4881 errno should be returned. Suggested failure: EACCES for label mismatch or 4882 EPERM for lack of privilege. 4883*/ 4884typedef int mpo_vnode_check_access_t( 4885 kauth_cred_t cred, 4886 struct vnode *vp, 4887 struct label *label, 4888 int acc_mode 4889); 4890/** 4891 @brief Access control check for changing working directory 4892 @param cred Subject credential 4893 @param dvp Object; vnode to chdir(2) into 4894 @param dlabel Policy label for dvp 4895 4896 Determine whether the subject identified by the credential can change 4897 the process working directory to the passed vnode. 4898 4899 @return Return 0 if access is granted, otherwise an appropriate value for 4900 errno should be returned. Suggested failure: EACCES for label mismatch or 4901 EPERM for lack of privilege. 4902*/ 4903typedef int mpo_vnode_check_chdir_t( 4904 kauth_cred_t cred, 4905 struct vnode *dvp, 4906 struct label *dlabel 4907); 4908/** 4909 @brief Access control check for changing root directory 4910 @param cred Subject credential 4911 @param dvp Directory vnode 4912 @param dlabel Policy label associated with dvp 4913 @param cnp Component name for dvp 4914 4915 Determine whether the subject identified by the credential should be 4916 allowed to chroot(2) into the specified directory (dvp). 4917 4918 @return In the event of an error, an appropriate value for errno 4919 should be returned, otherwise return 0 upon success. 4920*/ 4921typedef int mpo_vnode_check_chroot_t( 4922 kauth_cred_t cred, 4923 struct vnode *dvp, 4924 struct label *dlabel, 4925 struct componentname *cnp 4926); 4927/** 4928 @brief Access control check for creating vnode 4929 @param cred Subject credential 4930 @param dvp Directory vnode 4931 @param dlabel Policy label for dvp 4932 @param cnp Component name for dvp 4933 @param vap vnode attributes for vap 4934 4935 Determine whether the subject identified by the credential can create 4936 a vnode with the passed parent directory, passed name information, 4937 and passed attribute information. This call may be made in a number of 4938 situations, including as a result of calls to open(2) with O_CREAT, 4939 mknod(2), mkfifo(2), and others. 4940 4941 @return Return 0 if access is granted, otherwise an appropriate value for 4942 errno should be returned. Suggested failure: EACCES for label mismatch or 4943 EPERM for lack of privilege. 4944*/ 4945typedef int mpo_vnode_check_create_t( 4946 kauth_cred_t cred, 4947 struct vnode *dvp, 4948 struct label *dlabel, 4949 struct componentname *cnp, 4950 struct vnode_attr *vap 4951); 4952/** 4953 @brief Access control check for deleting extended attribute 4954 @param cred Subject credential 4955 @param vp Object vnode 4956 @param vlabel Label associated with vp 4957 @param name Extended attribute name 4958 4959 Determine whether the subject identified by the credential can delete 4960 the extended attribute from the passed vnode. 4961 4962 @return Return 0 if access is granted, otherwise an appropriate value for 4963 errno should be returned. Suggested failure: EACCES for label mismatch or 4964 EPERM for lack of privilege. 4965*/ 4966typedef int mpo_vnode_check_deleteextattr_t( 4967 kauth_cred_t cred, 4968 struct vnode *vp, 4969 struct label *vlabel, 4970 const char *name 4971); 4972/** 4973 @brief Access control check for exchanging file data 4974 @param cred Subject credential 4975 @param v1 vnode 1 to swap 4976 @param vl1 Policy label for v1 4977 @param v2 vnode 2 to swap 4978 @param vl2 Policy label for v2 4979 4980 Determine whether the subject identified by the credential can swap the data 4981 in the two supplied vnodes. 4982 4983 @return Return 0 if access is granted, otherwise an appropriate value for 4984 errno should be returned. Suggested failure: EACCES for label mismatch or 4985 EPERM for lack of privilege. 4986*/ 4987typedef int mpo_vnode_check_exchangedata_t( 4988 kauth_cred_t cred, 4989 struct vnode *v1, 4990 struct label *vl1, 4991 struct vnode *v2, 4992 struct label *vl2 4993); 4994/** 4995 @brief Access control check for executing the vnode 4996 @param cred Subject credential 4997 @param vp Object vnode to execute 4998 @param label Policy label for vp 4999 @param execlabel Userspace provided execution label 5000 @param cnp Component name for file being executed 5001 @param macpolicyattr MAC policy-specific spawn attribute data. 5002 @param macpolicyattrlen Length of policy-specific spawn attribute data. 5003 5004 Determine whether the subject identified by the credential can execute 5005 the passed vnode. Determination of execute privilege is made separately 5006 from decisions about any process label transitioning event. 5007 5008 The final label, execlabel, corresponds to a label supplied by a 5009 user space application through the use of the mac_execve system call. 5010 This label will be NULL if the user application uses the the vendor 5011 execve(2) call instead of the MAC Framework mac_execve() call. 5012 5013 @return Return 0 if access is granted, otherwise an appropriate value for 5014 errno should be returned. Suggested failure: EACCES for label mismatch or 5015 EPERM for lack of privilege. 5016*/ 5017typedef int mpo_vnode_check_exec_t( 5018 kauth_cred_t cred, 5019 struct vnode *vp, 5020 struct label *label, 5021 struct label *execlabel, /* NULLOK */ 5022 struct componentname *cnp, 5023 u_int *csflags, 5024 void *macpolicyattr, 5025 size_t macpolicyattrlen 5026); 5027/** 5028 @brief Access control check for fsgetpath 5029 @param cred Subject credential 5030 @param vp Vnode for which a path will be returned 5031 @param label Label associated with the vnode 5032 5033 Determine whether the subject identified by the credential can get the path 5034 of the given vnode with fsgetpath. 5035 5036 @return Return 0 if access is granted, otherwise an appropriate value for 5037 errno should be returned. 5038*/ 5039typedef int mpo_vnode_check_fsgetpath_t( 5040 kauth_cred_t cred, 5041 struct vnode *vp, 5042 struct label *label 5043); 5044/** 5045 @brief Access control check after determining the code directory hash 5046 */ 5047typedef int mpo_vnode_check_signature_t(struct vnode *vp, struct label *label, 5048 off_t macho_offset, unsigned char *sha1, void *signature, 5049 int size); 5050 5051/** 5052 @brief Access control check for retrieving file attributes 5053 @param cred Subject credential 5054 @param vp Object vnode 5055 @param vlabel Policy label for vp 5056 @param alist List of attributes to retrieve 5057 5058 Determine whether the subject identified by the credential can read 5059 various attributes of the specified vnode, or the filesystem or volume on 5060 which that vnode resides. See <sys/attr.h> for definitions of the 5061 attributes. 5062 5063 @return Return 0 if access is granted, otherwise an appropriate value for 5064 errno should be returned. Suggested failure: EACCES for label mismatch or 5065 EPERM for lack of privilege. Access control covers all attributes requested 5066 with this call; the security policy is not permitted to change the set of 5067 attributes requested. 5068*/ 5069typedef int mpo_vnode_check_getattrlist_t( 5070 kauth_cred_t cred, 5071 struct vnode *vp, 5072 struct label *vlabel, 5073 struct attrlist *alist 5074); 5075/** 5076 @brief Access control check for retrieving an extended attribute 5077 @param cred Subject credential 5078 @param vp Object vnode 5079 @param label Policy label for vp 5080 @param name Extended attribute name 5081 @param uio I/O structure pointer 5082 5083 Determine whether the subject identified by the credential can retrieve 5084 the extended attribute from the passed vnode. The uio parameter 5085 will be NULL when the getxattr(2) call has been made with a NULL data 5086 value; this is done to request the size of the data only. 5087 5088 @return Return 0 if access is granted, otherwise an appropriate value for 5089 errno should be returned. Suggested failure: EACCES for label mismatch or 5090 EPERM for lack of privilege. 5091*/ 5092typedef int mpo_vnode_check_getextattr_t( 5093 kauth_cred_t cred, 5094 struct vnode *vp, 5095 struct label *label, /* NULLOK */ 5096 const char *name, 5097 struct uio *uio /* NULLOK */ 5098); 5099/** 5100 @brief Access control check for ioctl 5101 @param cred Subject credential 5102 @param vp Object vnode 5103 @param label Policy label for vp 5104 @param com Device-dependent request code; see ioctl(2) 5105 5106 Determine whether the subject identified by the credential can perform 5107 the ioctl operation indicated by com. 5108 5109 @warning Since ioctl data is opaque from the standpoint of the MAC 5110 framework, and since ioctls can affect many aspects of system 5111 operation, policies must exercise extreme care when implementing 5112 access control checks. 5113 5114 @return Return 0 if access is granted, otherwise an appropriate value for 5115 errno should be returned. 5116*/ 5117typedef int mpo_vnode_check_ioctl_t( 5118 kauth_cred_t cred, 5119 struct vnode *vp, 5120 struct label *label, 5121 unsigned int cmd 5122); 5123/** 5124 @brief Access control check for vnode kqfilter 5125 @param cred Subject credential 5126 @param kn Object knote 5127 @param vp Object vnode 5128 @param label Policy label for vp 5129 5130 Determine whether the subject identified by the credential can 5131 receive the knote on the passed vnode. 5132 5133 @return Return 0 if access if granted, otherwise an appropriate 5134 value for errno should be returned. 5135*/ 5136typedef int mpo_vnode_check_kqfilter_t( 5137 kauth_cred_t active_cred, 5138 kauth_cred_t file_cred, /* NULLOK */ 5139 struct knote *kn, 5140 struct vnode *vp, 5141 struct label *label 5142); 5143/** 5144 @brief Access control check for relabel 5145 @param cred Subject credential 5146 @param vp Object vnode 5147 @param vnodelabel Existing policy label for vp 5148 @param newlabel Policy label update to later be applied to vp 5149 @see mpo_relable_vnode_t 5150 5151 Determine whether the subject identified by the credential can relabel 5152 the passed vnode to the passed label update. If all policies permit 5153 the label change, the actual relabel entry point (mpo_vnode_label_update) 5154 will follow. 5155 5156 @return Return 0 if access is granted, otherwise an appropriate value for 5157 errno should be returned. 5158*/ 5159typedef int mpo_vnode_check_label_update_t( 5160 struct ucred *cred, 5161 struct vnode *vp, 5162 struct label *vnodelabel, 5163 struct label *newlabel 5164); 5165/** 5166 @brief Access control check for creating link 5167 @param cred Subject credential 5168 @param dvp Directory vnode 5169 @param dlabel Policy label associated with dvp 5170 @param vp Link destination vnode 5171 @param label Policy label associated with vp 5172 @param cnp Component name for the link being created 5173 5174 Determine whether the subject identified by the credential should be 5175 allowed to create a link to the vnode vp with the name specified by cnp. 5176 5177 @return Return 0 if access is granted, otherwise an appropriate value for 5178 errno should be returned. 5179*/ 5180typedef int mpo_vnode_check_link_t( 5181 kauth_cred_t cred, 5182 struct vnode *dvp, 5183 struct label *dlabel, 5184 struct vnode *vp, 5185 struct label *label, 5186 struct componentname *cnp 5187); 5188/** 5189 @brief Access control check for listing extended attributes 5190 @param cred Subject credential 5191 @param vp Object vnode 5192 @param vlabel Policy label associated with vp 5193 5194 Determine whether the subject identified by the credential can retrieve 5195 a list of named extended attributes from a vnode. 5196 5197 @return Return 0 if access is granted, otherwise an appropriate value for 5198 errno should be returned. 5199*/ 5200typedef int mpo_vnode_check_listextattr_t( 5201 kauth_cred_t cred, 5202 struct vnode *vp, 5203 struct label *vlabel 5204); 5205/** 5206 @brief Access control check for lookup 5207 @param cred Subject credential 5208 @param dvp Object vnode 5209 @param dlabel Policy label for dvp 5210 @param cnp Component name being looked up 5211 5212 Determine whether the subject identified by the credential can perform 5213 a lookup in the passed directory vnode for the passed name (cnp). 5214 5215 @return Return 0 if access is granted, otherwise an appropriate value for 5216 errno should be returned. Suggested failure: EACCES for label mismatch or 5217 EPERM for lack of privilege. 5218*/ 5219typedef int mpo_vnode_check_lookup_t( 5220 kauth_cred_t cred, 5221 struct vnode *dvp, 5222 struct label *dlabel, 5223 struct componentname *cnp 5224); 5225/** 5226 @brief Access control check for open 5227 @param cred Subject credential 5228 @param vp Object vnode 5229 @param label Policy label associated with vp 5230 @param acc_mode open(2) access mode 5231 5232 Determine whether the subject identified by the credential can perform 5233 an open operation on the passed vnode with the passed access mode. 5234 5235 @return Return 0 if access is granted, otherwise an appropriate value for 5236 errno should be returned. Suggested failure: EACCES for label mismatch or 5237 EPERM for lack of privilege. 5238*/ 5239typedef int mpo_vnode_check_open_t( 5240 kauth_cred_t cred, 5241 struct vnode *vp, 5242 struct label *label, 5243 int acc_mode 5244); 5245/** 5246 @brief Access control check for read 5247 @param active_cred Subject credential 5248 @param file_cred Credential associated with the struct fileproc 5249 @param vp Object vnode 5250 @param label Policy label for vp 5251 5252 Determine whether the subject identified by the credential can perform 5253 a read operation on the passed vnode. The active_cred hold the credentials 5254 of the subject performing the operation, and file_cred holds the 5255 credentials of the subject that originally opened the file. 5256 5257 @return Return 0 if access is granted, otherwise an appropriate value for 5258 errno should be returned. Suggested failure: EACCES for label mismatch or 5259 EPERM for lack of privilege. 5260*/ 5261typedef int mpo_vnode_check_read_t( 5262 kauth_cred_t active_cred, /* SUBJECT */ 5263 kauth_cred_t file_cred, /* NULLOK */ 5264 struct vnode *vp, /* OBJECT */ 5265 struct label *label /* LABEL */ 5266); 5267/** 5268 @brief Access control check for read directory 5269 @param cred Subject credential 5270 @param dvp Object directory vnode 5271 @param dlabel Policy label for dvp 5272 5273 Determine whether the subject identified by the credential can 5274 perform a readdir operation on the passed directory vnode. 5275 5276 @return Return 0 if access is granted, otherwise an appropriate value for 5277 errno should be returned. Suggested failure: EACCES for label mismatch or 5278 EPERM for lack of privilege. 5279*/ 5280typedef int mpo_vnode_check_readdir_t( 5281 kauth_cred_t cred, /* SUBJECT */ 5282 struct vnode *dvp, /* OBJECT */ 5283 struct label *dlabel /* LABEL */ 5284); 5285/** 5286 @brief Access control check for read link 5287 @param cred Subject credential 5288 @param vp Object vnode 5289 @param label Policy label for vp 5290 5291 Determine whether the subject identified by the credential can perform 5292 a readlink operation on the passed symlink vnode. This call can be made 5293 in a number of situations, including an explicit readlink call by the 5294 user process, or as a result of an implicit readlink during a name 5295 lookup by the process. 5296 5297 @return Return 0 if access is granted, otherwise an appropriate value for 5298 errno should be returned. Suggested failure: EACCES for label mismatch or 5299 EPERM for lack of privilege. 5300*/ 5301typedef int mpo_vnode_check_readlink_t( 5302 kauth_cred_t cred, 5303 struct vnode *vp, 5304 struct label *label 5305); 5306/** 5307 @brief Access control check for rename from 5308 @param cred Subject credential 5309 @param dvp Directory vnode 5310 @param dlabel Policy label associated with dvp 5311 @param vp vnode to be renamed 5312 @param label Policy label associated with vp 5313 @param cnp Component name for vp 5314 @see mpo_vnode_check_rename_to_t 5315 5316 Determine whether the subject identified by the credential should be 5317 allowed to rename the vnode vp to something else. 5318 5319 Due to VFS locking constraints (to make sure proper vnode locks are 5320 held during this entry point), the vnode relabel checks had to be 5321 split into two parts: relabel_from and relabel to. 5322 5323 @return Return 0 if access is granted, otherwise an appropriate value for 5324 errno should be returned. 5325*/ 5326typedef int mpo_vnode_check_rename_from_t( 5327 kauth_cred_t cred, 5328 struct vnode *dvp, 5329 struct label *dlabel, 5330 struct vnode *vp, 5331 struct label *label, 5332 struct componentname *cnp 5333); 5334/** 5335 @brief Access control check for rename to 5336 @param cred Subject credential 5337 @param dvp Directory vnode 5338 @param dlabel Policy label associated with dvp 5339 @param vp Overwritten vnode 5340 @param label Policy label associated with vp 5341 @param samedir Boolean; 1 if the source and destination directories are the same 5342 @param cnp Destination component name 5343 @see mpo_vnode_check_rename_from_t 5344 5345 Determine whether the subject identified by the credential should be 5346 allowed to rename to the vnode vp, into the directory dvp, or to the 5347 name represented by cnp. If there is no existing file to overwrite, 5348 vp and label will be NULL. 5349 5350 Due to VFS locking constraints (to make sure proper vnode locks are 5351 held during this entry point), the vnode relabel checks had to be 5352 split into two parts: relabel_from and relabel to. 5353 5354 @return Return 0 if access is granted, otherwise an appropriate value for 5355 errno should be returned. 5356*/ 5357typedef int mpo_vnode_check_rename_to_t( 5358 kauth_cred_t cred, 5359 struct vnode *dvp, 5360 struct label *dlabel, 5361 struct vnode *vp, /* NULLOK */ 5362 struct label *label, /* NULLOK */ 5363 int samedir, 5364 struct componentname *cnp 5365); 5366/** 5367 @brief Access control check for revoke 5368 @param cred Subject credential 5369 @param vp Object vnode 5370 @param label Policy label for vp 5371 5372 Determine whether the subject identified by the credential can revoke 5373 access to the passed vnode. 5374 5375 @return Return 0 if access is granted, otherwise an appropriate value for 5376 errno should be returned. Suggested failure: EACCES for label mismatch or 5377 EPERM for lack of privilege. 5378*/ 5379typedef int mpo_vnode_check_revoke_t( 5380 kauth_cred_t cred, 5381 struct vnode *vp, 5382 struct label *label 5383); 5384/** 5385 @brief Access control check for searchfs 5386 @param cred Subject credential 5387 @param vp Object vnode 5388 @param vlabel Policy label for vp 5389 @param alist List of attributes used as search criteria 5390 5391 Determine whether the subject identified by the credential can search the 5392 vnode using the searchfs system call. 5393 5394 @return Return 0 if access is granted, otherwise an appropriate value for 5395 errno should be returned. 5396*/ 5397typedef int mpo_vnode_check_searchfs_t( 5398 kauth_cred_t cred, 5399 struct vnode *vp, 5400 struct label *vlabel, 5401 struct attrlist *alist 5402); 5403/** 5404 @brief Access control check for select 5405 @param cred Subject credential 5406 @param vp Object vnode 5407 @param label Policy label for vp 5408 @param which The operation selected on: FREAD or FWRITE 5409 5410 Determine whether the subject identified by the credential can select 5411 the vnode. 5412 5413 @return Return 0 if access is granted, otherwise an appropriate value for 5414 errno should be returned. 5415*/ 5416typedef int mpo_vnode_check_select_t( 5417 kauth_cred_t cred, 5418 struct vnode *vp, 5419 struct label *label, 5420 int which 5421); 5422/** 5423 @brief Access control check for setting file attributes 5424 @param cred Subject credential 5425 @param vp Object vnode 5426 @param vlabel Policy label for vp 5427 @param alist List of attributes to set 5428 5429 Determine whether the subject identified by the credential can set 5430 various attributes of the specified vnode, or the filesystem or volume on 5431 which that vnode resides. See <sys/attr.h> for definitions of the 5432 attributes. 5433 5434 @return Return 0 if access is granted, otherwise an appropriate value for 5435 errno should be returned. Suggested failure: EACCES for label mismatch or 5436 EPERM for lack of privilege. Access control covers all attributes requested 5437 with this call. 5438*/ 5439typedef int mpo_vnode_check_setattrlist_t( 5440 kauth_cred_t cred, 5441 struct vnode *vp, 5442 struct label *vlabel, 5443 struct attrlist *alist 5444); 5445/** 5446 @brief Access control check for setting extended attribute 5447 @param cred Subject credential 5448 @param vp Object vnode 5449 @param label Policy label for vp 5450 @param name Extended attribute name 5451 @param uio I/O structure pointer 5452 5453 Determine whether the subject identified by the credential can set the 5454 extended attribute of passed name and passed namespace on the passed 5455 vnode. Policies implementing security labels backed into extended 5456 attributes may want to provide additional protections for those 5457 attributes. Additionally, policies should avoid making decisions based 5458 on the data referenced from uio, as there is a potential race condition 5459 between this check and the actual operation. The uio may also be NULL 5460 if a delete operation is being performed. 5461 5462 @return Return 0 if access is granted, otherwise an appropriate value for 5463 errno should be returned. Suggested failure: EACCES for label mismatch or 5464 EPERM for lack of privilege. 5465*/ 5466typedef int mpo_vnode_check_setextattr_t( 5467 kauth_cred_t cred, 5468 struct vnode *vp, 5469 struct label *label, 5470 const char *name, 5471 struct uio *uio 5472); 5473/** 5474 @brief Access control check for setting flags 5475 @param cred Subject credential 5476 @param vp Object vnode 5477 @param label Policy label for vp 5478 @param flags File flags; see chflags(2) 5479 5480 Determine whether the subject identified by the credential can set 5481 the passed flags on the passed vnode. 5482 5483 @return Return 0 if access is granted, otherwise an appropriate value for 5484 errno should be returned. Suggested failure: EACCES for label mismatch or 5485 EPERM for lack of privilege. 5486*/ 5487typedef int mpo_vnode_check_setflags_t( 5488 kauth_cred_t cred, 5489 struct vnode *vp, 5490 struct label *label, 5491 u_long flags 5492); 5493/** 5494 @brief Access control check for setting mode 5495 @param cred Subject credential 5496 @param vp Object vnode 5497 @param label Policy label for vp 5498 @param mode File mode; see chmod(2) 5499 5500 Determine whether the subject identified by the credential can set 5501 the passed mode on the passed vnode. 5502 5503 @return Return 0 if access is granted, otherwise an appropriate value for 5504 errno should be returned. Suggested failure: EACCES for label mismatch or 5505 EPERM for lack of privilege. 5506*/ 5507typedef int mpo_vnode_check_setmode_t( 5508 kauth_cred_t cred, 5509 struct vnode *vp, 5510 struct label *label, 5511 mode_t mode 5512); 5513/** 5514 @brief Access control check for setting uid and gid 5515 @param cred Subject credential 5516 @param vp Object vnode 5517 @param label Policy label for vp 5518 @param uid User ID 5519 @param gid Group ID 5520 5521 Determine whether the subject identified by the credential can set 5522 the passed uid and passed gid as file uid and file gid on the passed 5523 vnode. The IDs may be set to (-1) to request no update. 5524 5525 @return Return 0 if access is granted, otherwise an appropriate value for 5526 errno should be returned. Suggested failure: EACCES for label mismatch or 5527 EPERM for lack of privilege. 5528*/ 5529typedef int mpo_vnode_check_setowner_t( 5530 kauth_cred_t cred, 5531 struct vnode *vp, 5532 struct label *label, 5533 uid_t uid, 5534 gid_t gid 5535); 5536/** 5537 @brief Access control check for setting timestamps 5538 @param cred Subject credential 5539 @param vp Object vnode 5540 @param label Policy label for vp 5541 @param atime Access time; see utimes(2) 5542 @param mtime Modification time; see utimes(2) 5543 5544 Determine whether the subject identified by the credential can set 5545 the passed access timestamps on the passed vnode. 5546 5547 @return Return 0 if access is granted, otherwise an appropriate value for 5548 errno should be returned. Suggested failure: EACCES for label mismatch or 5549 EPERM for lack of privilege. 5550*/ 5551typedef int mpo_vnode_check_setutimes_t( 5552 kauth_cred_t cred, 5553 struct vnode *vp, 5554 struct label *label, 5555 struct timespec atime, 5556 struct timespec mtime 5557); 5558/** 5559 @brief Access control check for stat 5560 @param active_cred Subject credential 5561 @param file_cred Credential associated with the struct fileproc 5562 @param vp Object vnode 5563 @param label Policy label for vp 5564 5565 Determine whether the subject identified by the credential can stat 5566 the passed vnode. See stat(2) for more information. The active_cred 5567 hold the credentials of the subject performing the operation, and 5568 file_cred holds the credentials of the subject that originally 5569 opened the file. 5570 5571 @return Return 0 if access is granted, otherwise an appropriate value for 5572 errno should be returned. Suggested failure: EACCES for label mismatch or 5573 EPERM for lack of privilege. 5574*/ 5575typedef int mpo_vnode_check_stat_t( 5576 struct ucred *active_cred, 5577 struct ucred *file_cred, /* NULLOK */ 5578 struct vnode *vp, 5579 struct label *label 5580); 5581/** 5582 @brief Access control check for truncate/ftruncate 5583 @param active_cred Subject credential 5584 @param file_cred Credential associated with the struct fileproc 5585 @param vp Object vnode 5586 @param label Policy label for vp 5587 5588 Determine whether the subject identified by the credential can 5589 perform a truncate operation on the passed vnode. The active_cred hold 5590 the credentials of the subject performing the operation, and 5591 file_cred holds the credentials of the subject that originally 5592 opened the file. 5593 5594 @return Return 0 if access is granted, otherwise an appropriate value for 5595 errno should be returned. Suggested failure: EACCES for label mismatch or 5596 EPERM for lack of privilege. 5597*/ 5598typedef int mpo_vnode_check_truncate_t( 5599 kauth_cred_t active_cred, 5600 kauth_cred_t file_cred, /* NULLOK */ 5601 struct vnode *vp, 5602 struct label *label 5603); 5604/** 5605 @brief Access control check for binding UNIX domain socket 5606 @param cred Subject credential 5607 @param dvp Directory vnode 5608 @param dlabel Policy label for dvp 5609 @param cnp Component name for dvp 5610 @param vap vnode attributes for vap 5611 5612 Determine whether the subject identified by the credential can perform a 5613 bind operation on a UNIX domain socket with the passed parent directory, 5614 passed name information, and passed attribute information. 5615 5616 @return Return 0 if access is granted, otherwise an appropriate value for 5617 errno should be returned. Suggested failure: EACCES for label mismatch or 5618 EPERM for lack of privilege. 5619*/ 5620typedef int mpo_vnode_check_uipc_bind_t( 5621 kauth_cred_t cred, 5622 struct vnode *dvp, 5623 struct label *dlabel, 5624 struct componentname *cnp, 5625 struct vnode_attr *vap 5626); 5627/** 5628 @brief Access control check for connecting UNIX domain socket 5629 @param cred Subject credential 5630 @param vp Object vnode 5631 @param label Policy label associated with vp 5632 5633 Determine whether the subject identified by the credential can perform a 5634 connect operation on the passed UNIX domain socket vnode. 5635 5636 @return Return 0 if access is granted, otherwise an appropriate value for 5637 errno should be returned. Suggested failure: EACCES for label mismatch or 5638 EPERM for lack of privilege. 5639*/ 5640typedef int mpo_vnode_check_uipc_connect_t( 5641 kauth_cred_t cred, 5642 struct vnode *vp, 5643 struct label *label 5644); 5645/** 5646 @brief Access control check for deleting vnode 5647 @param cred Subject credential 5648 @param dvp Parent directory vnode 5649 @param dlabel Policy label for dvp 5650 @param vp Object vnode to delete 5651 @param label Policy label for vp 5652 @param cnp Component name for vp 5653 @see mpo_check_rename_to_t 5654 5655 Determine whether the subject identified by the credential can delete 5656 a vnode from the passed parent directory and passed name information. 5657 This call may be made in a number of situations, including as a 5658 results of calls to unlink(2) and rmdir(2). Policies implementing 5659 this entry point should also implement mpo_check_rename_to to 5660 authorize deletion of objects as a result of being the target of a rename. 5661 5662 @return Return 0 if access is granted, otherwise an appropriate value for 5663 errno should be returned. Suggested failure: EACCES for label mismatch or 5664 EPERM for lack of privilege. 5665*/ 5666typedef int mpo_vnode_check_unlink_t( 5667 kauth_cred_t cred, 5668 struct vnode *dvp, 5669 struct label *dlabel, 5670 struct vnode *vp, 5671 struct label *label, 5672 struct componentname *cnp 5673); 5674/** 5675 @brief Access control check for write 5676 @param active_cred Subject credential 5677 @param file_cred Credential associated with the struct fileproc 5678 @param vp Object vnode 5679 @param label Policy label for vp 5680 5681 Determine whether the subject identified by the credential can 5682 perform a write operation on the passed vnode. The active_cred hold 5683 the credentials of the subject performing the operation, and 5684 file_cred holds the credentials of the subject that originally 5685 opened the file. 5686 5687 @return Return 0 if access is granted, otherwise an appropriate value for 5688 errno should be returned. Suggested failure: EACCES for label mismatch or 5689 EPERM for lack of privilege. 5690*/ 5691typedef int mpo_vnode_check_write_t( 5692 kauth_cred_t active_cred, 5693 kauth_cred_t file_cred, /* NULLOK */ 5694 struct vnode *vp, 5695 struct label *label 5696); 5697/** 5698 @brief Associate a vnode with a devfs entry 5699 @param mp Devfs mount point 5700 @param mntlabel Devfs mount point label 5701 @param de Devfs directory entry 5702 @param delabel Label associated with de 5703 @param vp vnode associated with de 5704 @param vlabel Label associated with vp 5705 5706 Fill in the label (vlabel) for a newly created devfs vnode. The 5707 label is typically derived from the label on the devfs directory 5708 entry or the label on the filesystem, supplied as parameters. 5709*/ 5710typedef void mpo_vnode_label_associate_devfs_t( 5711 struct mount *mp, 5712 struct label *mntlabel, 5713 struct devnode *de, 5714 struct label *delabel, 5715 struct vnode *vp, 5716 struct label *vlabel 5717); 5718/** 5719 @brief Associate a label with a vnode 5720 @param mp File system mount point 5721 @param mntlabel File system mount point label 5722 @param vp Vnode to label 5723 @param vlabel Label associated with vp 5724 5725 Attempt to retrieve label information for the vnode, vp, from the 5726 file system extended attribute store. The label should be stored in 5727 the supplied vlabel parameter. If a policy cannot retrieve an 5728 extended attribute, sometimes it is acceptible to fallback to using 5729 the mntlabel. 5730 5731 If the policy requires vnodes to have a valid label elsewhere it 5732 MUST NOT return other than temporary errors, and must always provide 5733 a valid label of some sort. Returning an error will cause vnode 5734 labeling to be retried at a later access. Failure to handle policy 5735 centric errors internally (corrupt labels etc.) will result in 5736 inaccessible files. 5737 5738 @return In the event of an error, an appropriate value for errno 5739 should be returned, otherwise return 0 upon success. 5740*/ 5741typedef int mpo_vnode_label_associate_extattr_t( 5742 struct mount *mp, 5743 struct label *mntlabel, 5744 struct vnode *vp, 5745 struct label *vlabel 5746); 5747/** 5748 @brief Associate a file label with a vnode 5749 @param cred User credential 5750 @param mp Fdesc mount point 5751 @param mntlabel Fdesc mount point label 5752 @param fg Fileglob structure 5753 @param label Policy label for fg 5754 @param vp Vnode to label 5755 @param vlabel Label associated with vp 5756 5757 Associate label information for the vnode, vp, with the label of 5758 the open file descriptor described by fg. 5759 The label should be stored in the supplied vlabel parameter. 5760*/ 5761typedef void mpo_vnode_label_associate_file_t( 5762 struct ucred *cred, 5763 struct mount *mp, 5764 struct label *mntlabel, 5765 struct fileglob *fg, 5766 struct label *label, 5767 struct vnode *vp, 5768 struct label *vlabel 5769); 5770/** 5771 @brief Associate a pipe label with a vnode 5772 @param cred User credential for the process that opened the pipe 5773 @param cpipe Pipe structure 5774 @param pipelabel Label associated with pipe 5775 @param vp Vnode to label 5776 @param vlabel Label associated with vp 5777 5778 Associate label information for the vnode, vp, with the label of 5779 the pipe described by the pipe structure cpipe. 5780 The label should be stored in the supplied vlabel parameter. 5781*/ 5782typedef void mpo_vnode_label_associate_pipe_t( 5783 struct ucred *cred, 5784 struct pipe *cpipe, 5785 struct label *pipelabel, 5786 struct vnode *vp, 5787 struct label *vlabel 5788); 5789/** 5790 @brief Associate a POSIX semaphore label with a vnode 5791 @param cred User credential for the process that create psem 5792 @param psem POSIX semaphore structure 5793 @param psemlabel Label associated with psem 5794 @param vp Vnode to label 5795 @param vlabel Label associated with vp 5796 5797 Associate label information for the vnode, vp, with the label of 5798 the POSIX semaphore described by psem. 5799 The label should be stored in the supplied vlabel parameter. 5800*/ 5801typedef void mpo_vnode_label_associate_posixsem_t( 5802 struct ucred *cred, 5803 struct pseminfo *psem, 5804 struct label *psemlabel, 5805 struct vnode *vp, 5806 struct label *vlabel 5807); 5808/** 5809 @brief Associate a POSIX shared memory label with a vnode 5810 @param cred User credential for the process that created pshm 5811 @param pshm POSIX shared memory structure 5812 @param pshmlabel Label associated with pshm 5813 @param vp Vnode to label 5814 @param vlabel Label associated with vp 5815 5816 Associate label information for the vnode, vp, with the label of 5817 the POSIX shared memory region described by pshm. 5818 The label should be stored in the supplied vlabel parameter. 5819*/ 5820typedef void mpo_vnode_label_associate_posixshm_t( 5821 struct ucred *cred, 5822 struct pshminfo *pshm, 5823 struct label *pshmlabel, 5824 struct vnode *vp, 5825 struct label *vlabel 5826); 5827/** 5828 @brief Associate a label with a vnode 5829 @param mp File system mount point 5830 @param mntlabel File system mount point label 5831 @param vp Vnode to label 5832 @param vlabel Label associated with vp 5833 5834 On non-multilabel file systems, set the label for a vnode. The 5835 label will most likely be based on the file system label. 5836*/ 5837typedef void mpo_vnode_label_associate_singlelabel_t( 5838 struct mount *mp, 5839 struct label *mntlabel, 5840 struct vnode *vp, 5841 struct label *vlabel 5842); 5843/** 5844 @brief Associate a socket label with a vnode 5845 @param cred User credential for the process that opened the socket 5846 @param so Socket structure 5847 @param solabel Label associated with so 5848 @param vp Vnode to label 5849 @param vlabel Label associated with vp 5850 5851 Associate label information for the vnode, vp, with the label of 5852 the open socket described by the socket structure so. 5853 The label should be stored in the supplied vlabel parameter. 5854*/ 5855typedef void mpo_vnode_label_associate_socket_t( 5856 kauth_cred_t cred, 5857 socket_t so, 5858 struct label *solabel, 5859 struct vnode *vp, 5860 struct label *vlabel 5861); 5862/** 5863 @brief Copy a vnode label 5864 @param src Source vnode label 5865 @param dest Destination vnode label 5866 5867 Copy the vnode label information from src to dest. On Darwin, this 5868 is currently only necessary when executing interpreted scripts, but 5869 will later be used if vnode label externalization cannot be an 5870 atomic operation. 5871*/ 5872typedef void mpo_vnode_label_copy_t( 5873 struct label *src, 5874 struct label *dest 5875); 5876/** 5877 @brief Destroy vnode label 5878 @param label The label to be destroyed 5879 5880 Destroy a vnode label. Since the object is going out of scope, 5881 policy modules should free any internal storage associated with the 5882 label so that it may be destroyed. 5883*/ 5884typedef void mpo_vnode_label_destroy_t( 5885 struct label *label 5886); 5887/** 5888 @brief Externalize a vnode label for auditing 5889 @param label Label to be externalized 5890 @param element_name Name of the label namespace for which labels should be 5891 externalized 5892 @param sb String buffer to be filled with a text representation of the label 5893 5894 Produce an external representation of the label on a vnode suitable for 5895 inclusion in an audit record. An externalized label consists of a text 5896 representation of the label contents that will be added to the audit record 5897 as part of a text token. Policy-agnostic user space tools will display 5898 this externalized version. 5899 5900 @return 0 on success, return non-zero if an error occurs while 5901 externalizing the label data. 5902 5903*/ 5904typedef int mpo_vnode_label_externalize_audit_t( 5905 struct label *label, 5906 char *element_name, 5907 struct sbuf *sb 5908); 5909/** 5910 @brief Externalize a vnode label 5911 @param label Label to be externalized 5912 @param element_name Name of the label namespace for which labels should be 5913 externalized 5914 @param sb String buffer to be filled with a text representation of the label 5915 5916 Produce an external representation of the label on a vnode. An 5917 externalized label consists of a text representation of the label 5918 contents that can be used with user applications. Policy-agnostic 5919 user space tools will display this externalized version. 5920 5921 @return 0 on success, return non-zero if an error occurs while 5922 externalizing the label data. 5923 5924*/ 5925typedef int mpo_vnode_label_externalize_t( 5926 struct label *label, 5927 char *element_name, 5928 struct sbuf *sb 5929); 5930/** 5931 @brief Initialize vnode label 5932 @param label New label to initialize 5933 5934 Initialize label storage for use with a newly instantiated vnode, or 5935 for temporary storage associated with the copying in or out of a 5936 vnode label. While it is necessary to allocate space for a 5937 kernel-resident vnode label, it is not yet necessary to link this vnode 5938 with persistent label storage facilities, such as extended attributes. 5939 Sleeping is permitted. 5940*/ 5941typedef void mpo_vnode_label_init_t( 5942 struct label *label 5943); 5944/** 5945 @brief Internalize a vnode label 5946 @param label Label to be internalized 5947 @param element_name Name of the label namespace for which the label should 5948 be internalized 5949 @param element_data Text data to be internalized 5950 5951 Produce a vnode label from an external representation. An 5952 externalized label consists of a text representation of the label 5953 contents that can be used with user applications. Policy-agnostic 5954 user space tools will forward text version to the kernel for 5955 processing by individual policy modules. 5956 5957 The policy's internalize entry points will be called only if the 5958 policy has registered interest in the label namespace. 5959 5960 @return 0 on success, Otherwise, return non-zero if an error occurs 5961 while internalizing the label data. 5962*/ 5963typedef int mpo_vnode_label_internalize_t( 5964 struct label *label, 5965 char *element_name, 5966 char *element_data 5967); 5968/** 5969 @brief Clean up a vnode label 5970 @param label The label to be cleaned for re-use 5971 5972 Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but 5973 typically never frees them. Before vnodes are placed back on free lists for 5974 re-use, policies can cleanup or overwrite any information present in the label. 5975*/ 5976typedef void mpo_vnode_label_recycle_t( 5977 struct label *label 5978); 5979/** 5980 @brief Write a label to a extended attribute 5981 @param cred Subject credential 5982 @param vp The vnode for which the label is being stored 5983 @param vlabel Label associated with vp 5984 @param intlabel The new label to store 5985 5986 Store a new label in the extended attribute corresponding to the 5987 supplied vnode. The policy has already authorized the operation; 5988 this call must be implemented in order to perform the actual 5989 operation. 5990 5991 @return In the event of an error, an appropriate value for errno 5992 should be returned, otherwise return 0 upon success. 5993 5994 @warning XXX After examining the extended attribute implementation on 5995 Apple's future release, this entry point may be changed. 5996*/ 5997typedef int mpo_vnode_label_store_t( 5998 kauth_cred_t cred, 5999 struct vnode *vp, 6000 struct label *vlabel, 6001 struct label *intlabel 6002); 6003/** 6004 @brief Update vnode label from extended attributes 6005 @param mp File system mount point 6006 @param mntlabel Mount point label 6007 @param vp Vnode to label 6008 @param vlabel Label associated with vp 6009 @param name Name of the xattr 6010 @see mpo_vnode_check_setextattr_t 6011 6012 When an extended attribute is updated via the Vendor attribute management 6013 functions, the MAC vnode label might also require an update. 6014 Policies should first determine if 'name' matches their xattr label 6015 name. If it does, the kernel is has either replaced or removed the 6016 named extended attribute that was previously associated with the 6017 vnode. Normally labels should only be modified via MAC Framework label 6018 management calls, but sometimes the user space components will directly 6019 modify extended attributes. For example, 'cp', 'tar', etc. manage 6020 extended attributes in userspace, not the kernel. 6021 6022 This entry point is called after the label update has occurred, so 6023 it cannot return a failure. However, the operation is preceded by 6024 the mpo_vnode_check_setextattr() access control check. 6025 6026 If the vnode label needs to be updated the policy should return 6027 a non-zero value. The vnode label will be marked for re-association 6028 by the framework. 6029*/ 6030typedef int mpo_vnode_label_update_extattr_t( 6031 struct mount *mp, 6032 struct label *mntlabel, 6033 struct vnode *vp, 6034 struct label *vlabel, 6035 const char *name 6036); 6037/** 6038 @brief Update a vnode label 6039 @param cred Subject credential 6040 @param vp The vnode to relabel 6041 @param vnodelabel Existing vnode label 6042 @param label New label to replace existing label 6043 @see mpo_vnode_check_label_update_t 6044 6045 The subject identified by the credential has previously requested 6046 and was authorized to relabel the vnode; this entry point allows 6047 policies to perform the actual relabel operation. Policies should 6048 update vnodelabel using the label stored in the label parameter. 6049*/ 6050typedef void mpo_vnode_label_update_t( 6051 kauth_cred_t cred, 6052 struct vnode *vp, 6053 struct label *vnodelabel, 6054 struct label *label 6055); 6056/** 6057 @brief Find deatched signatures for a shared library 6058 @param p file trying to find the signature 6059 @param vp The vnode to relabel 6060 @param offset offset in the macho that the signature is requested for (for fat binaries) 6061 @param label Existing vnode label 6062 6063*/ 6064typedef int mpo_vnode_find_sigs_t( 6065 struct proc *p, 6066 struct vnode *vp, 6067 off_t offset, 6068 struct label *label 6069); 6070/** 6071 @brief Create a new vnode, backed by extended attributes 6072 @param cred User credential for the creating process 6073 @param mp File system mount point 6074 @param mntlabel File system mount point label 6075 @param dvp Parent directory vnode 6076 @param dlabel Parent directory vnode label 6077 @param vp Newly created vnode 6078 @param vlabel Label to associate with the new vnode 6079 @param cnp Component name for vp 6080 6081 Write out the label for the newly created vnode, most likely storing 6082 the results in a file system extended attribute. Most policies will 6083 derive the new vnode label using information from a combination 6084 of the subject (user) credential, the file system label, the parent 6085 directory label, and potentially the path name component. 6086 6087 @return If the operation succeeds, store the new label in vlabel and 6088 return 0. Otherwise, return an appropriate errno value. 6089*/ 6090typedef int mpo_vnode_notify_create_t( 6091 kauth_cred_t cred, 6092 struct mount *mp, 6093 struct label *mntlabel, 6094 struct vnode *dvp, 6095 struct label *dlabel, 6096 struct vnode *vp, 6097 struct label *vlabel, 6098 struct componentname *cnp 6099); 6100 6101/** 6102 @brief Inform MAC policies that a vnode has been opened 6103 @param cred User credential for the creating process 6104 @param vp vnode opened 6105 @param label Policy label for the vp 6106 @param acc_mode open(2) access mode used 6107 6108 Inform Mac policies that a vnode have been successfully opened 6109 (passing all MAC polices and DAC). 6110*/ 6111typedef void mpo_vnode_notify_open_t( 6112 kauth_cred_t cred, 6113 struct vnode *vp, 6114 struct label *label, 6115 int acc_mode 6116); 6117 6118/** 6119 @brief Inform MAC policies that a vnode has been renamed 6120 @param cred User credential for the renaming process 6121 @param vp Vnode that's being renamed 6122 @param label Policy label for vp 6123 @param dvp Parent directory for the destination 6124 @param dlabel Policy label for dvp 6125 @param cnp Component name for the destination 6126 6127 Inform MAC policies that a vnode has been renamed. 6128 */ 6129typedef void mpo_vnode_notify_rename_t( 6130 kauth_cred_t cred, 6131 struct vnode *vp, 6132 struct label *label, 6133 struct vnode *dvp, 6134 struct label *dlabel, 6135 struct componentname *cnp 6136); 6137 6138/** 6139 @brief Inform MAC policies that a vnode has been linked 6140 @param cred User credential for the renaming process 6141 @param dvp Parent directory for the destination 6142 @param dlabel Policy label for dvp 6143 @param vp Vnode that's being linked 6144 @param vlabel Policy label for vp 6145 @param cnp Component name for the destination 6146 6147 Inform MAC policies that a vnode has been linked. 6148 */ 6149typedef void mpo_vnode_notify_link_t( 6150 kauth_cred_t cred, 6151 struct vnode *dvp, 6152 struct label *dlabel, 6153 struct vnode *vp, 6154 struct label *vlabel, 6155 struct componentname *cnp 6156); 6157 6158/** 6159 @brief Inform MAC policies that a pty slave has been granted 6160 @param p Responsible process 6161 @param tp tty data structure 6162 @param dev Major and minor numbers of device 6163 @param label Policy label for tp 6164 6165 Inform MAC policies that a pty slave has been granted. 6166*/ 6167typedef void mpo_pty_notify_grant_t( 6168 proc_t p, 6169 struct tty *tp, 6170 dev_t dev, 6171 struct label *label 6172); 6173 6174/** 6175 @brief Inform MAC policies that a pty master has been closed 6176 @param p Responsible process 6177 @param tp tty data structure 6178 @param dev Major and minor numbers of device 6179 @param label Policy label for tp 6180 6181 Inform MAC policies that a pty master has been closed. 6182*/ 6183typedef void mpo_pty_notify_close_t( 6184 proc_t p, 6185 struct tty *tp, 6186 dev_t dev, 6187 struct label *label 6188); 6189 6190/** 6191 @brief Access control check for kext loading 6192 @param cred Subject credential 6193 @param identifier Kext identifier 6194 6195 Determine whether the subject identified by the credential can load the 6196 specified kext. 6197 6198 @return Return 0 if access is granted, otherwise an appropriate value for 6199 errno should be returned. Suggested failure: EPERM for lack of privilege. 6200*/ 6201typedef int mpo_kext_check_load_t( 6202 kauth_cred_t cred, 6203 const char *identifier 6204); 6205 6206/** 6207 @brief Access control check for kext unloading 6208 @param cred Subject credential 6209 @param identifier Kext identifier 6210 6211 Determine whether the subject identified by the credential can unload the 6212 specified kext. 6213 6214 @return Return 0 if access is granted, otherwise an appropriate value for 6215 errno should be returned. Suggested failure: EPERM for lack of privilege. 6216*/ 6217typedef int mpo_kext_check_unload_t( 6218 kauth_cred_t cred, 6219 const char *identifier 6220); 6221 6222/* 6223 * Placeholder for future events that may need mac hooks. 6224 */ 6225typedef void mpo_reserved_hook_t(void); 6226 6227/* 6228 * Policy module operations. 6229 * 6230 * Please note that this should be kept in sync with the check assumptions 6231 * policy in bsd/kern/policy_check.c (policy_ops struct). 6232 */ 6233#define MAC_POLICY_OPS_VERSION 24 /* inc when new reserved slots are taken */ 6234struct mac_policy_ops { 6235 mpo_audit_check_postselect_t *mpo_audit_check_postselect; 6236 mpo_audit_check_preselect_t *mpo_audit_check_preselect; 6237 6238 mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate; 6239 mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy; 6240 mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init; 6241 mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive; 6242 6243 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; 6244 mpo_cred_check_label_update_t *mpo_cred_check_label_update; 6245 mpo_cred_check_visible_t *mpo_cred_check_visible; 6246 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork; 6247 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel; 6248 mpo_cred_label_associate_t *mpo_cred_label_associate; 6249 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user; 6250 mpo_cred_label_destroy_t *mpo_cred_label_destroy; 6251 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit; 6252 mpo_cred_label_externalize_t *mpo_cred_label_externalize; 6253 mpo_cred_label_init_t *mpo_cred_label_init; 6254 mpo_cred_label_internalize_t *mpo_cred_label_internalize; 6255 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve; 6256 mpo_cred_label_update_t *mpo_cred_label_update; 6257 6258 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device; 6259 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory; 6260 mpo_devfs_label_copy_t *mpo_devfs_label_copy; 6261 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; 6262 mpo_devfs_label_init_t *mpo_devfs_label_init; 6263 mpo_devfs_label_update_t *mpo_devfs_label_update; 6264 6265 mpo_file_check_change_offset_t *mpo_file_check_change_offset; 6266 mpo_file_check_create_t *mpo_file_check_create; 6267 mpo_file_check_dup_t *mpo_file_check_dup; 6268 mpo_file_check_fcntl_t *mpo_file_check_fcntl; 6269 mpo_file_check_get_offset_t *mpo_file_check_get_offset; 6270 mpo_file_check_get_t *mpo_file_check_get; 6271 mpo_file_check_inherit_t *mpo_file_check_inherit; 6272 mpo_file_check_ioctl_t *mpo_file_check_ioctl; 6273 mpo_file_check_lock_t *mpo_file_check_lock; 6274 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade; 6275 mpo_file_check_mmap_t *mpo_file_check_mmap; 6276 mpo_file_check_receive_t *mpo_file_check_receive; 6277 mpo_file_check_set_t *mpo_file_check_set; 6278 mpo_file_label_init_t *mpo_file_label_init; 6279 mpo_file_label_destroy_t *mpo_file_label_destroy; 6280 mpo_file_label_associate_t *mpo_file_label_associate; 6281 6282 mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update; 6283 mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit; 6284 mpo_ifnet_label_associate_t *mpo_ifnet_label_associate; 6285 mpo_ifnet_label_copy_t *mpo_ifnet_label_copy; 6286 mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy; 6287 mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize; 6288 mpo_ifnet_label_init_t *mpo_ifnet_label_init; 6289 mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize; 6290 mpo_ifnet_label_update_t *mpo_ifnet_label_update; 6291 mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle; 6292 6293 mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver; 6294 mpo_inpcb_label_associate_t *mpo_inpcb_label_associate; 6295 mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy; 6296 mpo_inpcb_label_init_t *mpo_inpcb_label_init; 6297 mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle; 6298 mpo_inpcb_label_update_t *mpo_inpcb_label_update; 6299 6300 mpo_iokit_check_device_t *mpo_iokit_check_device; 6301 6302 mpo_ipq_label_associate_t *mpo_ipq_label_associate; 6303 mpo_ipq_label_compare_t *mpo_ipq_label_compare; 6304 mpo_ipq_label_destroy_t *mpo_ipq_label_destroy; 6305 mpo_ipq_label_init_t *mpo_ipq_label_init; 6306 mpo_ipq_label_update_t *mpo_ipq_label_update; 6307 6308 mpo_lctx_check_label_update_t *mpo_lctx_check_label_update; 6309 mpo_lctx_label_destroy_t *mpo_lctx_label_destroy; 6310 mpo_lctx_label_externalize_t *mpo_lctx_label_externalize; 6311 mpo_lctx_label_init_t *mpo_lctx_label_init; 6312 mpo_lctx_label_internalize_t *mpo_lctx_label_internalize; 6313 mpo_lctx_label_update_t *mpo_lctx_label_update; 6314 mpo_lctx_notify_create_t *mpo_lctx_notify_create; 6315 mpo_lctx_notify_join_t *mpo_lctx_notify_join; 6316 mpo_lctx_notify_leave_t *mpo_lctx_notify_leave; 6317 6318 mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc; 6319 mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet; 6320 mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb; 6321 mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq; 6322 mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer; 6323 mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap; 6324 mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer; 6325 mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket; 6326 mpo_mbuf_label_copy_t *mpo_mbuf_label_copy; 6327 mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy; 6328 mpo_mbuf_label_init_t *mpo_mbuf_label_init; 6329 6330 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl; 6331 mpo_mount_check_getattr_t *mpo_mount_check_getattr; 6332 mpo_mount_check_label_update_t *mpo_mount_check_label_update; 6333 mpo_mount_check_mount_t *mpo_mount_check_mount; 6334 mpo_mount_check_remount_t *mpo_mount_check_remount; 6335 mpo_mount_check_setattr_t *mpo_mount_check_setattr; 6336 mpo_mount_check_stat_t *mpo_mount_check_stat; 6337 mpo_mount_check_umount_t *mpo_mount_check_umount; 6338 mpo_mount_label_associate_t *mpo_mount_label_associate; 6339 mpo_mount_label_destroy_t *mpo_mount_label_destroy; 6340 mpo_mount_label_externalize_t *mpo_mount_label_externalize; 6341 mpo_mount_label_init_t *mpo_mount_label_init; 6342 mpo_mount_label_internalize_t *mpo_mount_label_internalize; 6343 6344 mpo_netinet_fragment_t *mpo_netinet_fragment; 6345 mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply; 6346 mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply; 6347 6348 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; 6349 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; 6350 mpo_pipe_check_label_update_t *mpo_pipe_check_label_update; 6351 mpo_pipe_check_read_t *mpo_pipe_check_read; 6352 mpo_pipe_check_select_t *mpo_pipe_check_select; 6353 mpo_pipe_check_stat_t *mpo_pipe_check_stat; 6354 mpo_pipe_check_write_t *mpo_pipe_check_write; 6355 mpo_pipe_label_associate_t *mpo_pipe_label_associate; 6356 mpo_pipe_label_copy_t *mpo_pipe_label_copy; 6357 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy; 6358 mpo_pipe_label_externalize_t *mpo_pipe_label_externalize; 6359 mpo_pipe_label_init_t *mpo_pipe_label_init; 6360 mpo_pipe_label_internalize_t *mpo_pipe_label_internalize; 6361 mpo_pipe_label_update_t *mpo_pipe_label_update; 6362 6363 mpo_policy_destroy_t *mpo_policy_destroy; 6364 mpo_policy_init_t *mpo_policy_init; 6365 mpo_policy_initbsd_t *mpo_policy_initbsd; 6366 mpo_policy_syscall_t *mpo_policy_syscall; 6367 6368 mpo_port_check_copy_send_t *mpo_port_check_copy_send; 6369 mpo_port_check_hold_receive_t *mpo_port_check_hold_receive; 6370 mpo_port_check_hold_send_once_t *mpo_port_check_hold_send_once; 6371 mpo_port_check_hold_send_t *mpo_port_check_hold_send; 6372 mpo_port_check_label_update_t *mpo_port_check_label_update; 6373 mpo_port_check_make_send_once_t *mpo_port_check_make_send_once; 6374 mpo_port_check_make_send_t *mpo_port_check_make_send; 6375 mpo_port_check_method_t *mpo_port_check_method; 6376 mpo_port_check_move_receive_t *mpo_port_check_move_receive; 6377 mpo_port_check_move_send_once_t *mpo_port_check_move_send_once; 6378 mpo_port_check_move_send_t *mpo_port_check_move_send; 6379 mpo_port_check_receive_t *mpo_port_check_receive; 6380 mpo_port_check_send_t *mpo_port_check_send; 6381 mpo_port_check_service_t *mpo_port_check_service; 6382 mpo_port_label_associate_kernel_t *mpo_port_label_associate_kernel; 6383 mpo_port_label_associate_t *mpo_port_label_associate; 6384 mpo_port_label_compute_t *mpo_port_label_compute; 6385 mpo_port_label_copy_t *mpo_port_label_copy; 6386 mpo_port_label_destroy_t *mpo_port_label_destroy; 6387 mpo_port_label_init_t *mpo_port_label_init; 6388 mpo_port_label_update_cred_t *mpo_port_label_update_cred; 6389 mpo_port_label_update_kobject_t *mpo_port_label_update_kobject; 6390 6391 mpo_posixsem_check_create_t *mpo_posixsem_check_create; 6392 mpo_posixsem_check_open_t *mpo_posixsem_check_open; 6393 mpo_posixsem_check_post_t *mpo_posixsem_check_post; 6394 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink; 6395 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait; 6396 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate; 6397 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy; 6398 mpo_posixsem_label_init_t *mpo_posixsem_label_init; 6399 mpo_posixshm_check_create_t *mpo_posixshm_check_create; 6400 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap; 6401 mpo_posixshm_check_open_t *mpo_posixshm_check_open; 6402 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat; 6403 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate; 6404 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink; 6405 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate; 6406 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy; 6407 mpo_posixshm_label_init_t *mpo_posixshm_label_init; 6408 6409 mpo_proc_check_debug_t *mpo_proc_check_debug; 6410 mpo_proc_check_fork_t *mpo_proc_check_fork; 6411 mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name; 6412 mpo_proc_check_get_task_t *mpo_proc_check_get_task; 6413 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; 6414 mpo_proc_check_getauid_t *mpo_proc_check_getauid; 6415 mpo_proc_check_getlcid_t *mpo_proc_check_getlcid; 6416 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; 6417 mpo_proc_check_sched_t *mpo_proc_check_sched; 6418 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; 6419 mpo_proc_check_setauid_t *mpo_proc_check_setauid; 6420 mpo_proc_check_setlcid_t *mpo_proc_check_setlcid; 6421 mpo_proc_check_signal_t *mpo_proc_check_signal; 6422 mpo_proc_check_wait_t *mpo_proc_check_wait; 6423 mpo_proc_label_destroy_t *mpo_proc_label_destroy; 6424 mpo_proc_label_init_t *mpo_proc_label_init; 6425 6426 mpo_socket_check_accept_t *mpo_socket_check_accept; 6427 mpo_socket_check_accepted_t *mpo_socket_check_accepted; 6428 mpo_socket_check_bind_t *mpo_socket_check_bind; 6429 mpo_socket_check_connect_t *mpo_socket_check_connect; 6430 mpo_socket_check_create_t *mpo_socket_check_create; 6431 mpo_socket_check_deliver_t *mpo_socket_check_deliver; 6432 mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter; 6433 mpo_socket_check_label_update_t *mpo_socket_check_label_update; 6434 mpo_socket_check_listen_t *mpo_socket_check_listen; 6435 mpo_socket_check_receive_t *mpo_socket_check_receive; 6436 mpo_socket_check_received_t *mpo_socket_check_received; 6437 mpo_socket_check_select_t *mpo_socket_check_select; 6438 mpo_socket_check_send_t *mpo_socket_check_send; 6439 mpo_socket_check_stat_t *mpo_socket_check_stat; 6440 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt; 6441 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt; 6442 mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept; 6443 mpo_socket_label_associate_t *mpo_socket_label_associate; 6444 mpo_socket_label_copy_t *mpo_socket_label_copy; 6445 mpo_socket_label_destroy_t *mpo_socket_label_destroy; 6446 mpo_socket_label_externalize_t *mpo_socket_label_externalize; 6447 mpo_socket_label_init_t *mpo_socket_label_init; 6448 mpo_socket_label_internalize_t *mpo_socket_label_internalize; 6449 mpo_socket_label_update_t *mpo_socket_label_update; 6450 6451 mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf; 6452 mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket; 6453 mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy; 6454 mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize; 6455 mpo_socketpeer_label_init_t *mpo_socketpeer_label_init; 6456 6457 mpo_system_check_acct_t *mpo_system_check_acct; 6458 mpo_system_check_audit_t *mpo_system_check_audit; 6459 mpo_system_check_auditctl_t *mpo_system_check_auditctl; 6460 mpo_system_check_auditon_t *mpo_system_check_auditon; 6461 mpo_system_check_host_priv_t *mpo_system_check_host_priv; 6462 mpo_system_check_nfsd_t *mpo_system_check_nfsd; 6463 mpo_system_check_reboot_t *mpo_system_check_reboot; 6464 mpo_system_check_settime_t *mpo_system_check_settime; 6465 mpo_system_check_swapoff_t *mpo_system_check_swapoff; 6466 mpo_system_check_swapon_t *mpo_system_check_swapon; 6467 mpo_system_check_sysctl_t *mpo_system_check_sysctl; 6468 6469 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate; 6470 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy; 6471 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init; 6472 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle; 6473 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue; 6474 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv; 6475 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid; 6476 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl; 6477 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget; 6478 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv; 6479 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd; 6480 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate; 6481 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy; 6482 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init; 6483 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle; 6484 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl; 6485 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget; 6486 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop; 6487 mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate; 6488 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy; 6489 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init; 6490 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle; 6491 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat; 6492 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl; 6493 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt; 6494 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget; 6495 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate; 6496 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy; 6497 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init; 6498 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle; 6499 6500 mpo_task_label_associate_kernel_t *mpo_task_label_associate_kernel; 6501 mpo_task_label_associate_t *mpo_task_label_associate; 6502 mpo_task_label_copy_t *mpo_task_label_copy; 6503 mpo_task_label_destroy_t *mpo_task_label_destroy; 6504 mpo_task_label_externalize_t *mpo_task_label_externalize; 6505 mpo_task_label_init_t *mpo_task_label_init; 6506 mpo_task_label_internalize_t *mpo_task_label_internalize; 6507 mpo_task_label_update_t *mpo_task_label_update; 6508 6509 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control; 6510 6511 mpo_vnode_check_access_t *mpo_vnode_check_access; 6512 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; 6513 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; 6514 mpo_vnode_check_create_t *mpo_vnode_check_create; 6515 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr; 6516 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata; 6517 mpo_vnode_check_exec_t *mpo_vnode_check_exec; 6518 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist; 6519 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr; 6520 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl; 6521 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter; 6522 mpo_vnode_check_label_update_t *mpo_vnode_check_label_update; 6523 mpo_vnode_check_link_t *mpo_vnode_check_link; 6524 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; 6525 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; 6526 mpo_vnode_check_open_t *mpo_vnode_check_open; 6527 mpo_vnode_check_read_t *mpo_vnode_check_read; 6528 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; 6529 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink; 6530 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from; 6531 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to; 6532 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke; 6533 mpo_vnode_check_select_t *mpo_vnode_check_select; 6534 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist; 6535 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr; 6536 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags; 6537 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode; 6538 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; 6539 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; 6540 mpo_vnode_check_stat_t *mpo_vnode_check_stat; 6541 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; 6542 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink; 6543 mpo_vnode_check_write_t *mpo_vnode_check_write; 6544 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs; 6545 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr; 6546 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file; 6547 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe; 6548 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem; 6549 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm; 6550 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel; 6551 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket; 6552 mpo_vnode_label_copy_t *mpo_vnode_label_copy; 6553 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy; 6554 mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit; 6555 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize; 6556 mpo_vnode_label_init_t *mpo_vnode_label_init; 6557 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize; 6558 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle; 6559 mpo_vnode_label_store_t *mpo_vnode_label_store; 6560 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr; 6561 mpo_vnode_label_update_t *mpo_vnode_label_update; 6562 mpo_vnode_notify_create_t *mpo_vnode_notify_create; 6563 mpo_vnode_check_signature_t *mpo_vnode_check_signature; 6564 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind; 6565 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect; 6566 6567 mac_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid; 6568 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume; 6569 6570 mpo_thread_userret_t *mpo_thread_userret; 6571 6572 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties; 6573 6574 mpo_system_check_chud_t *mpo_system_check_chud; 6575 6576 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs; 6577 6578 mpo_priv_check_t *mpo_priv_check; 6579 mpo_priv_grant_t *mpo_priv_grant; 6580 6581 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon; 6582 6583 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath; 6584 6585 mpo_iokit_check_open_t *mpo_iokit_check_open; 6586 6587 mpo_proc_check_ledger_t *mpo_proc_check_ledger; 6588 6589 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename; 6590 6591 mpo_thread_label_init_t *mpo_thread_label_init; 6592 mpo_thread_label_destroy_t *mpo_thread_label_destroy; 6593 6594 mpo_system_check_kas_info_t *mpo_system_check_kas_info; 6595 6596 mpo_proc_check_cpumon_t *mpo_proc_check_cpumon; 6597 6598 mpo_vnode_notify_open_t *mpo_vnode_notify_open; 6599 6600 mpo_system_check_info_t *mpo_system_check_info; 6601 6602 mpo_pty_notify_grant_t *mpo_pty_notify_grant; 6603 mpo_pty_notify_close_t *mpo_pty_notify_close; 6604 6605 mpo_vnode_find_sigs_t *mpo_vnode_find_sigs; 6606 6607 mpo_kext_check_load_t *mpo_kext_check_load; 6608 mpo_kext_check_unload_t *mpo_kext_check_unload; 6609 6610 mpo_proc_check_proc_info_t *mpo_proc_check_proc_info; 6611 mpo_vnode_notify_link_t *mpo_vnode_notify_link; 6612 mpo_reserved_hook_t *mpo_reserved28; 6613 mpo_reserved_hook_t *mpo_reserved29; 6614}; 6615 6616/** 6617 @brief MAC policy handle type 6618 6619 The MAC handle is used to uniquely identify a loaded policy within 6620 the MAC Framework. 6621 6622 A variable of this type is set by mac_policy_register(). 6623 */ 6624typedef unsigned int mac_policy_handle_t; 6625 6626#define mpc_t struct mac_policy_conf * 6627 6628/** 6629 @brief Mac policy configuration 6630 6631 This structure specifies the configuration information for a 6632 MAC policy module. A policy module developer must supply 6633 a short unique policy name, a more descriptive full name, a list of label 6634 namespaces and count, a pointer to the registered enty point operations, 6635 any load time flags, and optionally, a pointer to a label slot identifier. 6636 6637 The Framework will update the runtime flags (mpc_runtime_flags) to 6638 indicate that the module has been registered. 6639 6640 If the label slot identifier (mpc_field_off) is NULL, the Framework 6641 will not provide label storage for the policy. Otherwise, the 6642 Framework will store the label location (slot) in this field. 6643 6644 The mpc_list field is used by the Framework and should not be 6645 modified by policies. 6646*/ 6647/* XXX - reorder these for better aligment on 64bit platforms */ 6648struct mac_policy_conf { 6649 const char *mpc_name; /** policy name */ 6650 const char *mpc_fullname; /** full name */ 6651 const char **mpc_labelnames; /** managed label namespaces */ 6652 unsigned int mpc_labelname_count; /** number of managed label namespaces */ 6653 struct mac_policy_ops *mpc_ops; /** operation vector */ 6654 int mpc_loadtime_flags; /** load time flags */ 6655 int *mpc_field_off; /** label slot */ 6656 int mpc_runtime_flags; /** run time flags */ 6657 mpc_t mpc_list; /** List reference */ 6658 void *mpc_data; /** module data */ 6659}; 6660 6661/** 6662 @brief MAC policy module registration routine 6663 6664 This function is called to register a policy with the 6665 MAC framework. A policy module will typically call this from the 6666 Darwin KEXT registration routine. 6667 */ 6668int mac_policy_register(struct mac_policy_conf *mpc, 6669 mac_policy_handle_t *handlep, void *xd); 6670 6671/** 6672 @brief MAC policy module de-registration routine 6673 6674 This function is called to de-register a policy with theD 6675 MAC framework. A policy module will typically call this from the 6676 Darwin KEXT de-registration routine. 6677 */ 6678int mac_policy_unregister(mac_policy_handle_t handle); 6679 6680/* 6681 * Framework entry points for the policies to add audit data. 6682 */ 6683int mac_audit_text(char *text, mac_policy_handle_t handle); 6684 6685/* 6686 * Calls to assist with use of Apple XATTRs within policy modules. 6687 */ 6688int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t); 6689int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t, 6690 size_t *); 6691int mac_vnop_removexattr(struct vnode *, const char *); 6692 6693/* 6694 * Arbitrary limit on how much data will be logged by the audit 6695 * entry points above. 6696 */ 6697#define MAC_AUDIT_DATA_LIMIT 1024 6698 6699/* 6700 * Values returned by mac_audit_{pre,post}select. To combine the responses 6701 * of the security policies into a single decision, 6702 * mac_audit_{pre,post}select() choose the greatest value returned. 6703 */ 6704#define MAC_AUDIT_DEFAULT 0 /* use system behavior */ 6705#define MAC_AUDIT_NO 1 /* force not auditing this event */ 6706#define MAC_AUDIT_YES 2 /* force auditing this event */ 6707 6708// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field 6709 6710/** 6711 @name Flags for the mpc_loadtime_flags field 6712 @see mac_policy_conf 6713 6714 This is the complete list of flags that are supported by the 6715 mpc_loadtime_flags field of the mac_policy_conf structure. These 6716 flags specify the load time behavior of MAC Framework policy 6717 modules. 6718*/ 6719 6720/*@{*/ 6721 6722/** 6723 @brief Flag to indicate registration preference 6724 6725 This flag indicates that the policy module must be loaded and 6726 initialized early in the boot process. If the flag is specified, 6727 attempts to register the module following boot will be rejected. The 6728 flag may be used by policies that require pervasive labeling of all 6729 system objects, and cannot handle objects that have not been 6730 properly initialized by the policy. 6731 */ 6732#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001 6733 6734/** 6735 @brief Flag to indicate unload preference 6736 6737 This flag indicates that the policy module may be unloaded. If this 6738 flag is not set, then the policy framework will reject requests to 6739 unload the module. This flag might be used by modules that allocate 6740 label state and are unable to free that state at runtime, or for 6741 modules that simply do not want to permit unload operations. 6742*/ 6743#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002 6744 6745/** 6746 @brief Unsupported 6747 6748 XXX This flag is not yet supported. 6749*/ 6750#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004 6751 6752/** 6753 @brief Flag to indicate a base policy 6754 6755 This flag indicates that the policy module is a base policy. Only 6756 one module can declare itself as base, otherwise the boot process 6757 will be halted. 6758 */ 6759#define MPC_LOADTIME_BASE_POLICY 0x00000008 6760 6761/*@}*/ 6762 6763/** 6764 @brief Policy registration flag 6765 @see mac_policy_conf 6766 6767 This flag indicates that the policy module has been successfully 6768 registered with the TrustedBSD MAC Framework. The Framework will 6769 set this flag in the mpc_runtime_flags field of the policy's 6770 mac_policy_conf structure after registering the policy. 6771 */ 6772#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 6773 6774/* 6775 * Depends on POLICY_VER 6776 */ 6777 6778#ifndef POLICY_VER 6779#define POLICY_VER 1.0 6780#endif 6781 6782#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \ 6783 static struct mac_policy_conf mpname##_mac_policy_conf = { \ 6784 .mpc_name = #mpname, \ 6785 .mpc_fullname = mpfullname, \ 6786 .mpc_labelnames = lnames, \ 6787 .mpc_labelname_count = lcount, \ 6788 .mpc_ops = mpops, \ 6789 .mpc_loadtime_flags = lflags, \ 6790 .mpc_field_off = slot, \ 6791 .mpc_runtime_flags = rflags \ 6792 }; \ 6793 \ 6794 static kern_return_t \ 6795 kmod_start(kmod_info_t *ki, void *xd) \ 6796 { \ 6797 return mac_policy_register(&mpname##_mac_policy_conf, \ 6798 &handle, xd); \ 6799 } \ 6800 \ 6801 static kern_return_t \ 6802 kmod_stop(kmod_info_t *ki, void *xd) \ 6803 { \ 6804 return mac_policy_unregister(handle); \ 6805 } \ 6806 \ 6807 extern kern_return_t _start(kmod_info_t *ki, void *data); \ 6808 extern kern_return_t _stop(kmod_info_t *ki, void *data); \ 6809 \ 6810 KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \ 6811 kmod_start_func_t *_realmain = kmod_start; \ 6812 kmod_stop_func_t *_antimain = kmod_stop; \ 6813 int _kext_apple_cc = __APPLE_CC__ 6814 6815 6816#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s] 6817 6818/* 6819 * Policy interface to map a struct label pointer to per-policy data. 6820 * Typically, policies wrap this in their own accessor macro that casts an 6821 * intptr_t to a policy-specific data type. 6822 */ 6823intptr_t mac_label_get(struct label *l, int slot); 6824void mac_label_set(struct label *l, int slot, intptr_t v); 6825 6826#define mac_get_mpc(h) (mac_policy_list.entries[h].mpc) 6827 6828/** 6829 @name Flags for MAC allocator interfaces 6830 6831 These flags are passed to the Darwin kernel allocator routines to 6832 indicate whether the allocation is permitted to block or not. 6833 Caution should be taken; some operations are not permitted to sleep, 6834 and some types of locks cannot be held when sleeping. 6835 */ 6836 6837/*@{*/ 6838 6839/** 6840 @brief Allocation operations may block 6841 6842 If memory is not immediately available, the allocation routine 6843 will block (typically sleeping) until memory is available. 6844 6845 @warning Inappropriate use of this flag may cause kernel panics. 6846 */ 6847#define MAC_WAITOK 0 6848 6849/** 6850 @brief Allocation operations may not block 6851 6852 Rather than blocking, the allocator may return an error if memory 6853 is not immediately available. This type of allocation will not 6854 sleep, preserving locking semantics. 6855 */ 6856#define MAC_NOWAIT 1 6857 6858/*@}*/ 6859 6860#endif /* !_SECURITY_MAC_POLICY_H_ */ 6861