]> git.saurik.com Git - apple/xnu.git/blame - security/mac_policy.h
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-2422.115.4.tar.gz
[apple/xnu.git] / security / mac_policy.h
CommitLineData
2d21ac55 1/*
6d2010ae 2 * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
2d21ac55
A		 3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/*-
29 * Copyright (c) 1999-2002 Robert N. M. Watson
30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
31 * Copyright (c) 2005-2007 SPARTA, Inc.
32 * All rights reserved.
33 *
34 * This software was developed by Robert Watson for the TrustedBSD Project.
35 *
36 * This software was developed for the FreeBSD Project in part by Network
37 * Associates Laboratories, the Security Research Division of Network
38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
39 * as part of the DARPA CHATS research program.
40 *
41 * This software was enhanced by SPARTA ISSO under SPAWAR contract
42 * N66001-04-C-6019 ("SEFOS").
43 *
44 * Redistribution and use in source and binary forms, with or without
45 * modification, are permitted provided that the following conditions
46 * are met:
47 * 1. Redistributions of source code must retain the above copyright
48 * notice, this list of conditions and the following disclaimer.
49 * 2. Redistributions in binary form must reproduce the above copyright
50 * notice, this list of conditions and the following disclaimer in the
51 * documentation and/or other materials provided with the distribution.
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
63 * SUCH DAMAGE.
64 *
65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $
66 */
67
68/**
69 @file mac_policy.h
70 @brief Kernel Interfaces for MAC policy modules
71
72 This header defines the list of operations that are defined by the
73 TrustedBSD MAC Framwork on Darwin. MAC Policy modules register
74 with the framework to declare interest in a specific set of
75 operations. If interest in an entry point is not declared, then
76 the policy will be ignored when the Framework evaluates that entry
77 point.
78*/
79
80#ifndef _SECURITY_MAC_POLICY_H_
81#define _SECURITY_MAC_POLICY_H_
82
39236c6e
A		 83#ifndef PRIVATE
84#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
85#endif
86
2d21ac55
A		 87#include <security/_label.h>
88
89struct attrlist;
90struct auditinfo;
91struct bpf_d;
92struct devnode;
93struct fileglob;
94struct ifnet;
95struct inpcb;
96struct ipq;
97struct label;
98struct lctx;
99struct mac_module_data;
100struct mac_policy_conf;
101struct mbuf;
102struct mount;
39236c6e
A		 103struct msg;
104struct msqid_kernel;
2d21ac55
A		 105struct pipe;
106struct pseminfo;
107struct pshminfo;
108struct sbuf;
109struct semid_kernel;
110struct shmid_kernel;
39236c6e
A		 111struct socket;
112struct sockopt;
2d21ac55
A		 113struct task;
114struct thread;
39236c6e 115struct tty;
2d21ac55 116struct ucred;
39236c6e 117struct vfs_attr;
2d21ac55
A		 118struct vnode;
119/** @struct dummy */
120
121
122
123#ifndef _KAUTH_CRED_T
124#define _KAUTH_CRED_T
125typedef struct ucred *kauth_cred_t;
126#endif /* !_KAUTH_CRED_T */
127
6d2010ae
A		 128#ifndef __IOKIT_PORTS_DEFINED__
129#define __IOKIT_PORTS_DEFINED__
130#ifdef __cplusplus
131class OSObject;
132typedef OSObject *io_object_t;
133#else
134struct OSObject;
135typedef struct OSObject *io_object_t;
136#endif
137#endif /* __IOKIT_PORTS_DEFINED__ */
2d21ac55
A		 138
139/*-
140 * MAC entry points are generally named using the following template:
141 *
142 * mpo_<object>_<operation>()
143 *
144 * or:
145 *
146 * mpo_<object>_check_<operation>()
147 *
148 * Entry points are sorted by object type.
149 *
150 * It may be desirable also to consider some subsystems as "objects", such
151 * as system, iokit, etc.
152 */
153
154/**
155 @name Entry Points for Label Management
156
157 These are the entry points corresponding to the life cycle events for
158 kernel objects, such as initialization, creation, and destruction.
159
160 Most policies (that use labels) will initialize labels by allocating
161 space for policy-specific data. In most cases, it is permitted to
162 sleep during label initialization operations; it will be noted when
163 it is not permitted.
164
165 Initialization usually will not require doing more than allocating a
166 generic label for the given object. What follows initialization is
167 creation, where a label is made specific to the object it is associated
168 with. Destruction occurs when the label is no longer needed, such as
169 when the corresponding object is destroyed. All necessary cleanup should
170 be performed in label destroy operations.
171
172 Where possible, the label entry points have identical parameters. If
173 the policy module does not require structure-specific label
174 information, the same function may be registered in the policy
175 operation vector. Many policies will implement two such generic
176 allocation calls: one to handle sleepable requests, and one to handle
177 potentially non-sleepable requests.
178*/
179
180
181/**
182 @brief Audit event postselection
183 @param cred Subject credential
184 @param syscode Syscall number
185 @param args Syscall arguments
186 @param error Syscall errno
187 @param retval Syscall return value
188
189 This is the MAC Framework audit postselect, which is called before
190 exiting a syscall to determine if an audit event should be committed.
191 A return value of MAC_AUDIT_NO forces the audit record to be suppressed.
192 Any other return value results in the audit record being committed.
193
194 @warning The suppression behavior will probably go away in Apple's
195 future version of the audit implementation.
196
197 @return Return MAC_AUDIT_NO to force suppression of the audit record.
198 Any other value results in the audit record being committed.
199
200*/
201typedef int mpo_audit_check_postselect_t(
202 kauth_cred_t cred,
203 unsigned short syscode,
204 void *args,
205 int error,
206 int retval
207);
208/**
209 @brief Audit event preselection
210 @param cred Subject credential
211 @param syscode Syscall number
212 @param args Syscall arguments
213
214 This is the MAC Framework audit preselect, which is called before a
215 syscall is entered to determine if an audit event should be created.
216 If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be
217 returned. A return value of MAC_AUDIT_NO causes the audit record to
218 be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants
219 to defer to the system's existing preselection mechanism.
220
221 When policies return different preferences, the Framework decides what action
222 to take based on the following policy. If any policy returns MAC_AUDIT_YES,
223 then create an audit record, else if any policy returns MAC_AUDIT_NO, then
224 suppress the creations of an audit record, else defer to the system's
225 existing preselection mechanism.
226
227 @warning The audit implementation in Apple's current version is
228 incomplete, so the MAC policies have priority over the system's existing
229 mechanisms. This will probably change in the future version where
230 the audit implementation is more complete.
231
232 @return Return MAC_AUDIT_YES to force auditing of the syscall,
233 MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT
234 to allow auditing mechanisms to determine if the syscall is audited.
235
236*/
237typedef int mpo_audit_check_preselect_t(
238 kauth_cred_t cred,
239 unsigned short syscode,
240 void *args
241);
242/**
243 @brief Initialize BPF descriptor label
244 @param label New label to initialize
245
246 Initialize the label for a newly instantiated BPF descriptor.
247 Sleeping is permitted.
248*/
249typedef void mpo_bpfdesc_label_init_t(
250 struct label *label
251);
252/**
253 @brief Destroy BPF descriptor label
254 @param label The label to be destroyed
255
256 Destroy a BPF descriptor label. Since the BPF descriptor
257 is going out of scope, policy modules should free any internal
258 storage associated with the label so that it may be destroyed.
259*/
260typedef void mpo_bpfdesc_label_destroy_t(
261 struct label *label
262);
263/**
264 @brief Associate a BPF descriptor with a label
265 @param cred User credential creating the BPF descriptor
266 @param bpf_d The BPF descriptor
267 @param bpflabel The new label
268
269 Set the label on a newly created BPF descriptor from the passed
270 subject credential. This call will be made when a BPF device node
271 is opened by a process with the passed subject credential.
272*/
273typedef void mpo_bpfdesc_label_associate_t(
274 kauth_cred_t cred,
275 struct bpf_d *bpf_d,
276 struct label *bpflabel
277);
278/**
279 @brief Check whether BPF can read from a network interface
280 @param bpf_d Subject; the BPF descriptor
281 @param bpflabel Policy label for bpf_d
282 @param ifp Object; the network interface
283 @param ifnetlabel Policy label for ifp
284
285 Determine whether the MAC framework should permit datagrams from
286 the passed network interface to be delivered to the buffers of
287 the passed BPF descriptor. Return (0) for success, or an errno
288 value for failure. Suggested failure: EACCES for label mismatches,
289 EPERM for lack of privilege.
290*/
291typedef int mpo_bpfdesc_check_receive_t(
292 struct bpf_d *bpf_d,
293 struct label *bpflabel,
294 struct ifnet *ifp,
295 struct label *ifnetlabel
296);
297/**
298 @brief Indicate desire to change the process label at exec time
299 @param old Existing subject credential
300 @param vp File being executed
301 @param vnodelabel Label corresponding to vp
302 @param scriptvnodelabel Script vnode label
303 @param execlabel Userspace provided execution label
304 @param proc Object process
39236c6e
A		 305 @param macpolicyattr MAC policy-specific spawn attribute data
306 @param macpolicyattrlen Length of policy-specific spawn attribute data
2d21ac55
A		 307 @see mac_execve
308 @see mpo_cred_label_update_execve_t
309 @see mpo_vnode_check_exec_t
310
311 Indicate whether this policy intends to update the label of a newly
312 created credential from the existing subject credential (old). This
313 call occurs when a process executes the passed vnode. If a policy
314 returns success from this entry point, the mpo_cred_label_update_execve
315 entry point will later be called with the same parameters. Access
316 has already been checked via the mpo_vnode_check_exec entry point,
317 this entry point is necessary to preserve kernel locking constraints
318 during program execution.
319
320 The supplied vnode and vnodelabel correspond with the file actually
321 being executed; in the case that the file is interpreted (for
322 example, a script), the label of the original exec-time vnode has
323 been preserved in scriptvnodelabel.
324
325 The final label, execlabel, corresponds to a label supplied by a
326 user space application through the use of the mac_execve system call.
327
328 The vnode lock is held during this operation. No changes should be
329 made to the old credential structure.
330
331 @warning Even if a policy returns 0, it should behave correctly in
332 the presence of an invocation of mpo_cred_label_update_execve, as that
333 call may happen as a result of another policy requesting a transition.
334
335 @return Non-zero if a transition is required, 0 otherwise.
336*/
337typedef int mpo_cred_check_label_update_execve_t(
338 kauth_cred_t old,
339 struct vnode *vp,
39236c6e 340 struct vnode *scriptvp,
2d21ac55
A		 341 struct label *vnodelabel,
342 struct label *scriptvnodelabel,
343 struct label *execlabel,
39236c6e
A		 344 struct proc *p,
345 void *macpolicyattr,
346 size_t macpolicyattrlen
2d21ac55
A		 347);
348/**
349 @brief Access control check for relabelling processes
350 @param cred Subject credential
351 @param newlabel New label to apply to the user credential
352 @see mpo_cred_label_update_t
353 @see mac_set_proc
354
355 Determine whether the subject identified by the credential can relabel
356 itself to the supplied new label (newlabel). This access control check
357 is called when the mac_set_proc system call is invoked. A user space
358 application will supply a new value, the value will be internalized
359 and provided in newlabel.
360
361 @return Return 0 if access is granted, otherwise an appropriate value for
362 errno should be returned.
363*/
364typedef int mpo_cred_check_label_update_t(
365 kauth_cred_t cred,
366 struct label *newlabel
367);
368/**
369 @brief Access control check for visibility of other subjects
370 @param u1 Subject credential
371 @param u2 Object credential
372
373 Determine whether the subject identified by the credential u1 can
374 "see" other subjects with the passed subject credential u2. This call
375 may be made in a number of situations, including inter-process status
376 sysctls used by ps, and in procfs lookups.
377
378 @return Return 0 if access is granted, otherwise an appropriate value for
379 errno should be returned. Suggested failure: EACCES for label mismatch,
380 EPERM for lack of privilege, or ESRCH to hide visibility.
381*/
382typedef int mpo_cred_check_visible_t(
383 kauth_cred_t u1,
384 kauth_cred_t u2
385);
386/**
387 @brief Associate a credential with a new process at fork
388 @param cred credential to inherited by new process
389 @param proc the new process
390
391 Allow a process to associate the credential with a new
392 process for reference countng purposes.
393 NOTE: the credential can be dis-associated in ways other
394 than exit - so this strategy is flawed - should just
395 catch label destroy callback.
396*/
397typedef void mpo_cred_label_associate_fork_t(
398 kauth_cred_t cred,
399 proc_t proc
400);
401/**
402 @brief Create the first process
403 @param cred Subject credential to be labeled
404
405 Create the subject credential of process 0, the parent of all BSD
406 kernel processes. Policies should update the label in the
407 previously initialized credential structure.
408*/
409typedef void mpo_cred_label_associate_kernel_t(
410 kauth_cred_t cred
411);
412/**
413 @brief Create a credential label
414 @param parent_cred Parent credential
415 @param child_cred Child credential
416
417 Set the label of a newly created credential, most likely using the
418 information in the supplied parent credential.
419
420 @warning This call is made when crcopy or crdup is invoked on a
421 newly created struct ucred, and should not be confused with a
422 process fork or creation event.
423*/
424typedef void mpo_cred_label_associate_t(
425 kauth_cred_t parent_cred,
426 kauth_cred_t child_cred
427);
428/**
429 @brief Create the first process
430 @param cred Subject credential to be labeled
431
432 Create the subject credential of process 1, the parent of all BSD
433 user processes. Policies should update the label in the previously
434 initialized credential structure. This is the 'init' process.
435*/
436typedef void mpo_cred_label_associate_user_t(
437 kauth_cred_t cred
438);
439/**
440 @brief Destroy credential label
441 @param label The label to be destroyed
442
443 Destroy a user credential label. Since the user credential
444 is going out of scope, policy modules should free any internal
445 storage associated with the label so that it may be destroyed.
446*/
447typedef void mpo_cred_label_destroy_t(
448 struct label *label
449);
450/**
451 @brief Externalize a user credential label for auditing
452 @param label Label to be externalized
453 @param element_name Name of the label namespace for which labels should be
454 externalized
455 @param sb String buffer to be filled with a text representation of the label
456
457 Produce an external representation of the label on a user credential for
458 inclusion in an audit record. An externalized label consists of a text
459 representation of the label contents that will be added to the audit record
460 as part of a text token. Policy-agnostic user space tools will display
461 this externalized version.
462
463 @return 0 on success, return non-zero if an error occurs while
464 externalizing the label data.
465
466*/
467typedef int mpo_cred_label_externalize_audit_t(
468 struct label *label,
469 char *element_name,
470 struct sbuf *sb
471);
472/**
473 @brief Externalize a user credential label
474 @param label Label to be externalized
475 @param element_name Name of the label namespace for which labels should be
476 externalized
477 @param sb String buffer to be filled with a text representation of the label
478
479 Produce an external representation of the label on a user
480 credential. An externalized label consists of a text representation
481 of the label contents that can be used with user applications.
482 Policy-agnostic user space tools will display this externalized
483 version.
484
485 @return 0 on success, return non-zero if an error occurs while
486 externalizing the label data.
487
488*/
489typedef int mpo_cred_label_externalize_t(
490 struct label *label,
491 char *element_name,
492 struct sbuf *sb
493);
494/**
495 @brief Initialize user credential label
496 @param label New label to initialize
497
498 Initialize the label for a newly instantiated user credential.
499 Sleeping is permitted.
500*/
501typedef void mpo_cred_label_init_t(
502 struct label *label
503);
504/**
505 @brief Internalize a user credential label
506 @param label Label to be internalized
507 @param element_name Name of the label namespace for which the label should
508 be internalized
509 @param element_data Text data to be internalized
510
511 Produce a user credential label from an external representation. An
512 externalized label consists of a text representation of the label
513 contents that can be used with user applications. Policy-agnostic
514 user space tools will forward text version to the kernel for
515 processing by individual policy modules.
516
517 The policy's internalize entry points will be called only if the
518 policy has registered interest in the label namespace.
519
520 @return 0 on success, Otherwise, return non-zero if an error occurs
521 while internalizing the label data.
522
523*/
524typedef int mpo_cred_label_internalize_t(
525 struct label *label,
526 char *element_name,
527 char *element_data
528);
529/**
530 @brief Update credential at exec time
531 @param old_cred Existing subject credential
532 @param new_cred New subject credential to be labeled
39236c6e 533 @param p Object process.
2d21ac55
A		 534 @param vp File being executed
535 @param vnodelabel Label corresponding to vp
536 @param scriptvnodelabel Script vnode label
537 @param execlabel Userspace provided execution label
39236c6e
A		 538 @param macpolicyattr MAC policy-specific spawn attribute data.
539 @param macpolicyattrlen Length of policy-specific spawn attribute data.
2d21ac55
A		 540 @see mac_execve
541 @see mpo_cred_check_label_update_execve_t
542 @see mpo_vnode_check_exec_t
543
544 Update the label of a newly created credential (new) from the
545 existing subject credential (old). This call occurs when a process
546 executes the passed vnode and one of the loaded policy modules has
547 returned success from the mpo_cred_check_label_update_execve entry point.
548 Access has already been checked via the mpo_vnode_check_exec entry
549 point, this entry point is only used to update any policy state.
550
551 The supplied vnode and vnodelabel correspond with the file actually
552 being executed; in the case that the file is interpreted (for
553 example, a script), the label of the original exec-time vnode has
554 been preserved in scriptvnodelabel.
555
556 The final label, execlabel, corresponds to a label supplied by a
557 user space application through the use of the mac_execve system call.
558
c910b4d9
A		 559 If non-NULL, the value pointed to by disjointp will be set to 0 to
560 indicate that the old and new credentials are not disjoint, or 1 to
561 indicate that they are.
562
2d21ac55
A		 563 The vnode lock is held during this operation. No changes should be
564 made to the old credential structure.
565*/
566typedef void mpo_cred_label_update_execve_t(
567 kauth_cred_t old_cred,
568 kauth_cred_t new_cred,
39236c6e 569 struct proc *p,
2d21ac55 570 struct vnode *vp,
39236c6e 571 struct vnode *scriptvp,
2d21ac55
A		 572 struct label *vnodelabel,
573 struct label *scriptvnodelabel,
c910b4d9 574 struct label *execlabel,
39236c6e
A		 575 void *macpolicyattr,
576 size_t macpolicyattrlen,
c910b4d9 577 int *disjointp
2d21ac55
A		 578);
579/**
580 @brief Update a credential label
581 @param cred The existing credential
582 @param newlabel A new label to apply to the credential
583 @see mpo_cred_check_label_update_t
584 @see mac_set_proc
585
586 Update the label on a user credential, using the supplied new label.
587 This is called as a result of a process relabel operation. Access
588 control was already confirmed by mpo_cred_check_label_update.
589*/
590typedef void mpo_cred_label_update_t(
591 kauth_cred_t cred,
592 struct label *newlabel
593);
594/**
595 @brief Create a new devfs device
596 @param dev Major and minor numbers of special file
597 @param de "inode" of new device file
598 @param label Destination label
599 @param fullpath Path relative to mount (e.g. /dev) of new device file
600
601 This entry point labels a new devfs device. The label will likely be based
602 on the path to the device, or the major and minor numbers.
603 The policy should store an appropriate label into 'label'.
604*/
605typedef void mpo_devfs_label_associate_device_t(
606 dev_t dev,
607 struct devnode *de,
608 struct label *label,
609 const char *fullpath
610);
611/**
612 @brief Create a new devfs directory
613 @param dirname Name of new directory
614 @param dirnamelen Length of 'dirname'
615 @param de "inode" of new directory
616 @param label Destination label
617 @param fullpath Path relative to mount (e.g. /dev) of new directory
618
619 This entry point labels a new devfs directory. The label will likely be
620 based on the path of the new directory. The policy should store an appropriate
621 label into 'label'. The devfs root directory is labelled in this way.
622*/
623typedef void mpo_devfs_label_associate_directory_t(
624 const char *dirname,
625 int dirnamelen,
626 struct devnode *de,
627 struct label *label,
628 const char *fullpath
629);
630/**
631 @brief Copy a devfs label
632 @param src Source devfs label
633 @param dest Destination devfs label
634
635 Copy the label information from src to dest. The devfs file system
636 often duplicates (splits) existing device nodes rather than creating
637 new ones.
638*/
639typedef void mpo_devfs_label_copy_t(
640 struct label *src,
641 struct label *dest
642);
643/**
644 @brief Destroy devfs label
645 @param label The label to be destroyed
646
647 Destroy a devfs entry label. Since the object is going out
648 of scope, policy modules should free any internal storage associated
649 with the label so that it may be destroyed.
650*/
651typedef void mpo_devfs_label_destroy_t(
652 struct label *label
653);
654/**
655 @brief Initialize devfs label
656 @param label New label to initialize
657
658 Initialize the label for a newly instantiated devfs entry. Sleeping
659 is permitted.
660*/
661typedef void mpo_devfs_label_init_t(
662 struct label *label
663);
664/**
665 @brief Update a devfs label after relabelling its vnode
666 @param mp Devfs mount point
667 @param de Affected devfs directory entry
668 @param delabel Label of devfs directory entry
669 @param vp Vnode associated with de
670 @param vnodelabel New label of vnode
671
672 Update a devfs label when its vnode is manually relabelled,
673 for example with setfmac(1). Typically, this will simply copy
674 the vnode label into the devfs label.
675*/
676typedef void mpo_devfs_label_update_t(
677 struct mount *mp,
678 struct devnode *de,
679 struct label *delabel,
680 struct vnode *vp,
681 struct label *vnodelabel
682);
683/**
684 @brief Access control for changing the offset of a file descriptor
685 @param cred Subject credential
686 @param fg Fileglob structure
687 @param label Policy label for fg
688
689 Determine whether the subject identified by the credential can
690 change the offset of the file represented by fg.
691
692 @return Return 0 if access if granted, otherwise an appropriate
693 value for errno should be returned.
694*/
695typedef int mpo_file_check_change_offset_t(
696 kauth_cred_t cred,
697 struct fileglob *fg,
698 struct label *label
699);
700/**
701 @brief Access control for creating a file descriptor
702 @param cred Subject credential
703
704 Determine whether the subject identified by the credential can
705 allocate a new file descriptor.
706
707 @return Return 0 if access if granted, otherwise an appropriate
708 value for errno should be returned.
709*/
710typedef int mpo_file_check_create_t(
711 kauth_cred_t cred
712);
713/**
714 @brief Access control for duplicating a file descriptor
715 @param cred Subject credential
716 @param fg Fileglob structure
717 @param label Policy label for fg
718 @param newfd New file descriptor number
719
720 Determine whether the subject identified by the credential can
721 duplicate the fileglob structure represented by fg and as file
722 descriptor number newfd.
723
724 @return Return 0 if access if granted, otherwise an appropriate
725 value for errno should be returned.
726*/
727typedef int mpo_file_check_dup_t(
728 kauth_cred_t cred,
729 struct fileglob *fg,
730 struct label *label,
731 int newfd
732);
733/**
734 @brief Access control check for fcntl
735 @param cred Subject credential
736 @param fg Fileglob structure
737 @param label Policy label for fg
738 @param cmd Control operation to be performed; see fcntl(2)
739 @param arg fcnt arguments; see fcntl(2)
740
741 Determine whether the subject identified by the credential can perform
742 the file control operation indicated by cmd.
743
744 @return Return 0 if access is granted, otherwise an appropriate value for
745 errno should be returned.
746*/
747typedef int mpo_file_check_fcntl_t(
748 kauth_cred_t cred,
749 struct fileglob *fg,
750 struct label *label,
751 int cmd,
752 user_long_t arg
753);
754/**
755 @brief Access control check for mac_get_fd
756 @param cred Subject credential
757 @param fg Fileglob structure
758 @param elements Element buffer
759 @param len Length of buffer
760
761 Determine whether the subject identified by the credential should be allowed
762 to get an externalized version of the label on the object indicated by fd.
763
764 @return Return 0 if access is granted, otherwise an appropriate value for
765 errno should be returned.
766*/
767typedef int mpo_file_check_get_t(
768 kauth_cred_t cred,
769 struct fileglob *fg,
770 char *elements,
771 int len
772);
773/**
774 @brief Access control for getting the offset of a file descriptor
775 @param cred Subject credential
776 @param fg Fileglob structure
777 @param label Policy label for fg
778
779 Determine whether the subject identified by the credential can
780 get the offset of the file represented by fg.
781
782 @return Return 0 if access if granted, otherwise an appropriate
783 value for errno should be returned.
784*/
785typedef int mpo_file_check_get_offset_t(
786 kauth_cred_t cred,
787 struct fileglob *fg,
788 struct label *label
789);
790/**
791 @brief Access control for inheriting a file descriptor
792 @param cred Subject credential
793 @param fg Fileglob structure
794 @param label Policy label for fg
795
796 Determine whether the subject identified by the credential can
797 inherit the fileglob structure represented by fg.
798
799 @return Return 0 if access if granted, otherwise an appropriate
800 value for errno should be returned.
801*/
802typedef int mpo_file_check_inherit_t(
803 kauth_cred_t cred,
804 struct fileglob *fg,
805 struct label *label
806);
807/**
808 @brief Access control check for file ioctl
809 @param cred Subject credential
810 @param fg Fileglob structure
811 @param label Policy label for fg
812 @param cmd The ioctl command; see ioctl(2)
813
814 Determine whether the subject identified by the credential can perform
815 the ioctl operation indicated by cmd.
816
817 @warning Since ioctl data is opaque from the standpoint of the MAC
818 framework, policies must exercise extreme care when implementing
819 access control checks.
820
821 @return Return 0 if access is granted, otherwise an appropriate value for
822 errno should be returned.
823
824*/
825typedef int mpo_file_check_ioctl_t(
826 kauth_cred_t cred,
827 struct fileglob *fg,
828 struct label *label,
829 unsigned int cmd
830);
831/**
832 @brief Access control check for file locking
833 @param cred Subject credential
834 @param fg Fileglob structure
835 @param label Policy label for fg
836 @param op The lock operation (F_GETLK, F_SETLK, F_UNLK)
837 @param fl The flock structure
838
839 Determine whether the subject identified by the credential can perform
840 the lock operation indicated by op and fl on the file represented by fg.
841
842 @return Return 0 if access is granted, otherwise an appropriate value for
843 errno should be returned.
844
845*/
846typedef int mpo_file_check_lock_t(
847 kauth_cred_t cred,
848 struct fileglob *fg,
849 struct label *label,
850 int op,
851 struct flock *fl
852);
853/**
854 @brief Access control check for mapping a file
855 @param cred Subject credential
856 @param fg fileglob representing file to map
857 @param label Policy label associated with vp
858 @param prot mmap protections; see mmap(2)
859 @param flags Type of mapped object; see mmap(2)
860 @param maxprot Maximum rights
861
862 Determine whether the subject identified by the credential should be
863 allowed to map the file represented by fg with the protections specified
864 in prot. The maxprot field holds the maximum permissions on the new
865 mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE.
866 To avoid overriding prior access control checks, a policy should only
867 remove flags from maxprot.
868
869 @return Return 0 if access is granted, otherwise an appropriate value for
870 errno should be returned. Suggested failure: EACCES for label mismatch or
871 EPERM for lack of privilege.
872*/
873typedef int mpo_file_check_mmap_t(
874 kauth_cred_t cred,
875 struct fileglob *fg,
876 struct label *label,
877 int prot,
878 int flags,
879 int *maxprot
880);
881/**
882 @brief Downgrade the mmap protections
883 @param cred Subject credential
884 @param fg file to map
885 @param label Policy label associated with vp
886 @param prot mmap protections to be downgraded
887
888 Downgrade the mmap protections based on the subject and object labels.
889*/
890typedef void mpo_file_check_mmap_downgrade_t(
891 kauth_cred_t cred,
892 struct fileglob *fg,
893 struct label *label,
894 int *prot
895);
896/**
897 @brief Access control for receiving a file descriptor
898 @param cred Subject credential
899 @param fg Fileglob structure
900 @param label Policy label for fg
901
902 Determine whether the subject identified by the credential can
903 receive the fileglob structure represented by fg.
904
905 @return Return 0 if access if granted, otherwise an appropriate
906 value for errno should be returned.
907*/
908typedef int mpo_file_check_receive_t(
909 kauth_cred_t cred,
910 struct fileglob *fg,
911 struct label *label
912);
913/**
914 @brief Access control check for mac_set_fd
915 @param cred Subject credential
916 @param fg Fileglob structure
917 @param elements Elements buffer
918 @param len Length of elements buffer
919
920 Determine whether the subject identified by the credential can
921 perform the mac_set_fd operation. The mac_set_fd operation is used
922 to associate a MAC label with a file.
923
924 @return Return 0 if access is granted, otherwise an appropriate value for
925 errno should be returned.
926*/
927typedef int mpo_file_check_set_t(
928 kauth_cred_t cred,
929 struct fileglob *fg,
930 char *elements,
931 int len
932);
933/**
934 @brief Create file label
935 @param cred Subject credential
936 @param fg Fileglob structure
937 @param label Policy label for fg
938*/
939typedef void mpo_file_label_associate_t(
940 kauth_cred_t cred,
941 struct fileglob *fg,
942 struct label *label
943);
944/**
945 @brief Destroy file label
946 @param label The label to be destroyed
947
948 Destroy the label on a file descriptor. In this entry point, a
949 policy module should free any internal storage associated with
950 label so that it may be destroyed.
951*/
952typedef void mpo_file_label_destroy_t(
953 struct label *label
954);
955/**
956 @brief Initialize file label
957 @param label New label to initialize
958*/
959typedef void mpo_file_label_init_t(
960 struct label *label
961);
962/**
963 @brief Access control check for relabeling network interfaces
964 @param cred Subject credential
965 @param ifp network interface being relabeled
966 @param ifnetlabel Current label of the network interfaces
967 @param newlabel New label to apply to the network interfaces
968 @see mpo_ifnet_label_update_t
969
970 Determine whether the subject identified by the credential can
971 relabel the network interface represented by ifp to the supplied
972 new label (newlabel).
973
974 @return Return 0 if access is granted, otherwise an appropriate value for
975 errno should be returned.
976*/
977typedef int mpo_ifnet_check_label_update_t(
978 kauth_cred_t cred,
979 struct ifnet *ifp,
980 struct label *ifnetlabel,
981 struct label *newlabel
982);
983/**
984 @brief Access control check for relabeling network interfaces
985 @param ifp Network interface mbuf will be transmitted through
986 @param ifnetlabel Label of the network interfaces
987 @param m The mbuf to be transmitted
988 @param mbuflabel Label of the mbuf to be transmitted
989 @param family Address Family, AF_*
990 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
991
992 Determine whether the mbuf with label mbuflabel may be transmitted
993 through the network interface represented by ifp that has the
994 label ifnetlabel.
995
996 @return Return 0 if access is granted, otherwise an appropriate value for
997 errno should be returned.
998*/
999typedef int mpo_ifnet_check_transmit_t(
1000 struct ifnet *ifp,
1001 struct label *ifnetlabel,
1002 struct mbuf *m,
1003 struct label *mbuflabel,
1004 int family,
1005 int type
1006);
1007/**
1008 @brief Create a network interface label
1009 @param ifp Network interface labeled
1010 @param ifnetlabel Label for the network interface
1011
1012 Set the label of a newly created network interface, most likely
1013 using the information in the supplied network interface struct.
1014*/
1015typedef void mpo_ifnet_label_associate_t(
1016 struct ifnet *ifp,
1017 struct label *ifnetlabel
1018);
1019/**
1020 @brief Copy an ifnet label
1021 @param src Source ifnet label
1022 @param dest Destination ifnet label
1023
1024 Copy the label information from src to dest.
1025*/
1026typedef void mpo_ifnet_label_copy_t(
1027 struct label *src,
1028 struct label *dest
1029);
1030/**
1031 @brief Destroy ifnet label
1032 @param label The label to be destroyed
1033
1034 Destroy the label on an ifnet label. In this entry point, a
1035 policy module should free any internal storage associated with
1036 label so that it may be destroyed.
1037*/
1038typedef void mpo_ifnet_label_destroy_t(
1039 struct label *label
1040);
1041/**
1042 @brief Externalize an ifnet label
1043 @param label Label to be externalized
1044 @param element_name Name of the label namespace for which labels should be
1045 externalized
1046 @param sb String buffer to be filled with a text representation of the label
1047
1048 Produce an external representation of the label on an interface.
1049 An externalized label consists of a text representation of the
1050 label contents that can be used with user applications.
1051 Policy-agnostic user space tools will display this externalized
1052 version.
1053
1054 @return 0 on success, return non-zero if an error occurs while
1055 externalizing the label data.
1056
1057*/
1058typedef int mpo_ifnet_label_externalize_t(
1059 struct label *label,
1060 char *element_name,
1061 struct sbuf *sb
1062);
1063/**
1064 @brief Initialize ifnet label
1065 @param label New label to initialize
1066*/
1067typedef void mpo_ifnet_label_init_t(
1068 struct label *label
1069);
1070/**
1071 @brief Internalize an interface label
1072 @param label Label to be internalized
1073 @param element_name Name of the label namespace for which the label should
1074 be internalized
1075 @param element_data Text data to be internalized
1076
1077 Produce an interface label from an external representation. An
1078 externalized label consists of a text representation of the label
1079 contents that can be used with user applications. Policy-agnostic
1080 user space tools will forward text version to the kernel for
1081 processing by individual policy modules.
1082
1083 The policy's internalize entry points will be called only if the
1084 policy has registered interest in the label namespace.
1085
1086 @return 0 on success, Otherwise, return non-zero if an error occurs
1087 while internalizing the label data.
1088
1089*/
1090typedef int mpo_ifnet_label_internalize_t(
1091 struct label *label,
1092 char *element_name,
1093 char *element_data
1094);
1095/**
1096 @brief Recycle up a network interface label
1097 @param label The label to be recycled
1098
1099 Recycle a network interface label. Darwin caches the struct ifnet
1100 of detached ifnets in a "free pool". Before ifnets are returned
1101 to the "free pool", policies can cleanup or overwrite any information
1102 present in the label.
1103*/
1104typedef void mpo_ifnet_label_recycle_t(
1105 struct label *label
1106);
1107/**
1108 @brief Update a network interface label
1109 @param cred Subject credential
1110 @param ifp The network interface to be relabeled
1111 @param ifnetlabel The current label of the network interface
1112 @param newlabel A new label to apply to the network interface
1113 @see mpo_ifnet_check_label_update_t
1114
1115 Update the label on a network interface, using the supplied new label.
1116*/
1117typedef void mpo_ifnet_label_update_t(
1118 kauth_cred_t cred,
1119 struct ifnet *ifp,
1120 struct label *ifnetlabel,
1121 struct label *newlabel
1122);
1123/**
1124 @brief Access control check for delivering a packet to a socket
1125 @param inp inpcb the socket is associated with
1126 @param inplabel Label of the inpcb
1127 @param m The mbuf being received
1128 @param mbuflabel Label of the mbuf being received
1129 @param family Address family, AF_*
1130 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
1131
1132 Determine whether the mbuf with label mbuflabel may be received
1133 by the socket associated with inpcb that has the label inplabel.
1134
1135 @return Return 0 if access is granted, otherwise an appropriate value for
1136 errno should be returned.
1137*/
1138typedef int mpo_inpcb_check_deliver_t(
1139 struct inpcb *inp,
1140 struct label *inplabel,
1141 struct mbuf *m,
1142 struct label *mbuflabel,
1143 int family,
1144 int type
1145);
1146/**
1147 @brief Create an inpcb label
1148 @param so Socket containing the inpcb to be labeled
1149 @param solabel Label of the socket
1150 @param inp inpcb to be labeled
1151 @param inplabel Label for the inpcb
1152
1153 Set the label of a newly created inpcb, most likely
1154 using the information in the socket and/or socket label.
1155*/
1156typedef void mpo_inpcb_label_associate_t(
1157 struct socket *so,
1158 struct label *solabel,
1159 struct inpcb *inp,
1160 struct label *inplabel
1161);
1162/**
1163 @brief Destroy inpcb label
1164 @param label The label to be destroyed
1165
1166 Destroy the label on an inpcb label. In this entry point, a
1167 policy module should free any internal storage associated with
1168 label so that it may be destroyed.
1169*/
1170typedef void mpo_inpcb_label_destroy_t(
1171 struct label *label
1172);
1173/**
1174 @brief Initialize inpcb label
1175 @param label New label to initialize
1176 @param flag M_WAITOK or M_NOWAIT
1177*/
1178typedef int mpo_inpcb_label_init_t(
1179 struct label *label,
1180 int flag
1181);
1182/**
1183 @brief Recycle up an inpcb label
1184 @param label The label to be recycled
1185
1186 Recycle an inpcb label. Darwin allocates the inpcb as part of
1187 the socket structure in some cases. For this case we must recycle
1188 rather than destroy the inpcb as it will be reused later.
1189*/
1190typedef void mpo_inpcb_label_recycle_t(
1191 struct label *label
1192);
1193/**
1194 @brief Update an inpcb label from a socket label
1195 @param so Socket containing the inpcb to be relabeled
1196 @param solabel New label of the socket
1197 @param inp inpcb to be labeled
1198 @param inplabel Label for the inpcb
1199
1200 Set the label of a newly created inpcb due to a change in the
1201 underlying socket label.
1202*/
1203typedef void mpo_inpcb_label_update_t(
1204 struct socket *so,
1205 struct label *solabel,
1206 struct inpcb *inp,
1207 struct label *inplabel
1208);
1209/**
1210 @brief Device hardware access control
1211 @param devtype Type of device connected
1212 @param properties XML-formatted property list
1213 @param proplen Length of the property list
1214
1215 This is the MAC Framework device access control, which is called by the I/O
1216 Kit when a new device is connected to the system to determine whether that
1217 device should be trusted. A list of properties associated with the device
1218 is passed as an XML-formatted string. The routine should examine these
1219 properties to determine the trustworthiness of the device. A return value
1220 of EPERM forces the device to be claimed by a special device driver that
1221 will prevent its operation.
1222
1223 @warning This is an experimental interface and may change in the future.
1224
1225 @return Return EPERM to indicate that the device is untrusted and should
1226 not be allowed to operate. Return zero to indicate that the device is
1227 trusted and should be allowed to operate normally.
1228
1229*/
1230typedef int mpo_iokit_check_device_t(
1231 char *devtype,
1232 struct mac_module_data *mdata
1233);
6d2010ae
A		 1234/**
1235 @brief Access control check for opening an I/O Kit device
1236 @param cred Subject credential
1237 @param device_path Device path
1238 @param user_client User client instance
1239 @param user_client_type User client type
1240
1241 Determine whether the subject identified by the credential can open an
1242 I/O Kit device at the passed path of the passed user client class and
1243 type.
1244
1245 @return Return 0 if access is granted, or an appropriate value for
1246 errno should be returned.
1247*/
1248typedef int mpo_iokit_check_open_t(
1249 kauth_cred_t cred,
1250 io_object_t user_client,
1251 unsigned int user_client_type
1252);
1253/**
1254 @brief Access control check for setting I/O Kit device properties
1255 @param cred Subject credential
1256 @param registry_entry Target device
1257 @param properties Property list
1258
1259 Determine whether the subject identified by the credential can set
1260 properties on an I/O Kit device.
1261
1262 @return Return 0 if access is granted, or an appropriate value for
1263 errno should be returned.
1264*/
1265typedef int mpo_iokit_check_set_properties_t(
1266 kauth_cred_t cred,
1267 io_object_t entry,
1268 io_object_t properties
1269);
1270/**
1271 @brief Access control check for software HID control
1272 @param cred Subject credential
1273
1274 Determine whether the subject identified by the credential can
1275 control the HID (Human Interface Device) subsystem, such as to
1276 post synthetic keypresses, pointer movement and clicks.
1277
1278 @return Return 0 if access is granted, or an appropriate value for
1279 errno.
1280*/
1281typedef int mpo_iokit_check_hid_control_t(
1282 kauth_cred_t cred
1283);
2d21ac55
A		 1284/**
1285 @brief Create an IP reassembly queue label
1286 @param fragment First received IP fragment
1287 @param fragmentlabel Policy label for fragment
1288 @param ipq IP reassembly queue to be labeled
1289 @param ipqlabel Policy label to be filled in for ipq
1290
1291 Set the label on a newly created IP reassembly queue from
1292 the mbuf header of the first received fragment.
1293*/
1294typedef void mpo_ipq_label_associate_t(
1295 struct mbuf *fragment,
1296 struct label *fragmentlabel,
1297 struct ipq *ipq,
1298 struct label *ipqlabel
1299);
1300/**
1301 @brief Compare an mbuf header label to an ipq label
1302 @param fragment IP datagram fragment
1303 @param fragmentlabel Policy label for fragment
1304 @param ipq IP fragment reassembly queue
1305 @param ipqlabel Policy label for ipq
1306
1307 Compare the label of the mbuf header containing an IP datagram
1308 (fragment) fragment with the label of the passed IP fragment
1309 reassembly queue (ipq). Return (1) for a successful match, or (0)
1310 for no match. This call is made when the IP stack attempts to
1311 find an existing fragment reassembly queue for a newly received
1312 fragment; if this fails, a new fragment reassembly queue may be
1313 instantiated for the fragment. Policies may use this entry point
1314 to prevent the reassembly of otherwise matching IP fragments if
1315 policy does not permit them to be reassembled based on the label
1316 or other information.
1317*/
1318typedef int mpo_ipq_label_compare_t(
1319 struct mbuf *fragment,
1320 struct label *fragmentlabel,
1321 struct ipq *ipq,
1322 struct label *ipqlabel
1323);
1324/**
1325 @brief Destroy IP reassembly queue label
1326 @param label The label to be destroyed
1327
1328 Destroy the label on an IP fragment queue. In this entry point, a
1329 policy module should free any internal storage associated with
1330 label so that it may be destroyed.
1331*/
1332typedef void mpo_ipq_label_destroy_t(
1333 struct label *label
1334);
1335/**
1336 @brief Initialize IP reassembly queue label
1337 @param label New label to initialize
1338 @param flag M_WAITOK or M_NOWAIT
1339
1340 Initialize the label on a newly instantiated IP fragment reassembly
1341 queue. The flag field may be one of M_WAITOK and M_NOWAIT, and
1342 should be employed to avoid performing a sleeping malloc(9) during
1343 this initialization call. IP fragment reassembly queue allocation
1344 frequently occurs in performance sensitive environments, and the
1345 implementation should be careful to avoid sleeping or long-lived
1346 operations. This entry point is permitted to fail resulting in
1347 the failure to allocate the IP fragment reassembly queue.
1348*/
1349typedef int mpo_ipq_label_init_t(
1350 struct label *label,
1351 int flag
1352);
1353/**
1354 @brief Update the label on an IP fragment reassembly queue
1355 @param fragment IP fragment
1356 @param fragmentlabel Policy label for fragment
1357 @param ipq IP fragment reassembly queue
1358 @param ipqlabel Policy label to be updated for ipq
1359
1360 Update the label on an IP fragment reassembly queue (ipq) based
1361 on the acceptance of the passed IP fragment mbuf header (fragment).
1362*/
1363typedef void mpo_ipq_label_update_t(
1364 struct mbuf *fragment,
1365 struct label *fragmentlabel,
1366 struct ipq *ipq,
1367 struct label *ipqlabel
1368);
1369/**
1370 @brief Access control check for relabelling Login Context
1371 @param l Subject credential
1372 @param newlabel New label to apply to the Login Context
1373 @see mpo_lctx_label_update_t
1374 @see mac_set_lcid
1375 @see mac_set_lctx
1376
1377 Determine whether the subject identified by the credential can relabel
1378 itself to the supplied new label (newlabel). This access control check
1379 is called when the mac_set_lctx/lcid system call is invoked. A user space
1380 application will supply a new value, the value will be internalized
1381 and provided in newlabel.
1382
1383 @return Return 0 if access is granted, otherwise an appropriate value for
1384 errno should be returned.
1385*/
1386typedef int mpo_lctx_check_label_update_t(
1387 struct lctx *l,
1388 struct label *newlabel
1389);
1390/**
1391 @brief Destroy Login Context label
1392 @param label The label to be destroyed
1393*/
1394typedef void mpo_lctx_label_destroy_t(
1395 struct label *label
1396);
1397/**
1398 @brief Externalize a Login Context label
1399 @param label Label to be externalized
1400 @param element_name Name of the label namespace for which labels should be
1401 externalized
1402 @param sb String buffer to be filled with a text representation of the label
1403
1404 Produce an external representation of the label on a Login Context.
1405 An externalized label consists of a text representation
1406 of the label contents that can be used with user applications.
1407 Policy-agnostic user space tools will display this externalized
1408 version.
1409
1410 @return 0 on success, return non-zero if an error occurs while
1411 externalizing the label data.
1412
1413*/
1414typedef int mpo_lctx_label_externalize_t(
1415 struct label *label,
1416 char *element_name,
1417 struct sbuf *sb
1418);
1419/**
1420 @brief Initialize Login Context label
1421 @param label New label to initialize
1422*/
1423typedef void mpo_lctx_label_init_t(
1424 struct label *label
1425);
1426/**
1427 @brief Internalize a Login Context label
1428 @param label Label to be internalized
1429 @param element_name Name of the label namespace for which the label should
1430 be internalized
1431 @param element_data Text data to be internalized
1432
1433 Produce a Login Context label from an external representation. An
1434 externalized label consists of a text representation of the label
1435 contents that can be used with user applications. Policy-agnostic
1436 user space tools will forward text version to the kernel for
1437 processing by individual policy modules.
1438
1439 The policy's internalize entry points will be called only if the
1440 policy has registered interest in the label namespace.
1441
1442 @return 0 on success, Otherwise, return non-zero if an error occurs
1443 while internalizing the label data.
1444
1445*/
1446typedef int mpo_lctx_label_internalize_t(
1447 struct label *label,
1448 char *element_name,
1449 char *element_data
1450);
1451/**
1452 @brief Update a Login Context label
1453 @param l
1454 @param newlabel A new label to apply to the Login Context
1455 @see mpo_lctx_check_label_update_t
1456 @see mac_set_lcid
1457 @see mac_set_lctx
1458
1459 Update the label on a login context, using the supplied new label.
1460 This is called as a result of a login context relabel operation. Access
1461 control was already confirmed by mpo_lctx_check_label_update.
1462*/
1463typedef void mpo_lctx_label_update_t(
1464 struct lctx *l,
1465 struct label *newlabel
1466);
1467/**
1468 @brief A process has created a login context
1469 @param p Subject
1470 @param l Login Context
1471
1472 When a process creates a login context (via setlcid()) this entrypoint
1473 is called to notify the policy that the process 'p' has created login
1474 context 'l'.
1475*/
1476typedef void mpo_lctx_notify_create_t(
1477 struct proc *p,
1478 struct lctx *l
1479);
1480/**
1481 @brief A process has joined a login context
1482 @param p Subject
1483 @param l Login Context
1484
1485 When a process joins a login context, either via setlcid() or via
1486 fork() this entrypoint is called to notify the policy that process
1487 'p' is now a member of login context 'l'.
1488*/
1489typedef void mpo_lctx_notify_join_t(
1490 struct proc *p,
1491 struct lctx *l
1492);
1493/**
1494 @brief A process has left a login context
1495 @param p Subject
1496 @param l Login Context
1497
1498 When a process leaves a login context either via setlcid() or as a
1499 result of the process exiting this entrypoint is called to notify
1500 the policy that the process 'p' is no longer a member of login context 'l'.
1501*/
1502typedef void mpo_lctx_notify_leave_t(
1503 struct proc *p,
1504 struct lctx *l
1505);
1506/**
1507 @brief Assign a label to a new mbuf
1508 @param bpf_d BPF descriptor
1509 @param b_label Policy label for bpf_d
1510 @param m Object; mbuf
1511 @param m_label Policy label to fill in for m
1512
1513 Set the label on the mbuf header of a newly created datagram
1514 generated using the passed BPF descriptor. This call is made when
1515 a write is performed to the BPF device associated with the passed
1516 BPF descriptor.
1517*/
1518typedef void mpo_mbuf_label_associate_bpfdesc_t(
1519 struct bpf_d *bpf_d,
1520 struct label *b_label,
1521 struct mbuf *m,
1522 struct label *m_label
1523);
1524/**
1525 @brief Assign a label to a new mbuf
1526 @param ifp Interface descriptor
1527 @param i_label Existing label of ifp
1528 @param m Object; mbuf
1529 @param m_label Policy label to fill in for m
1530
1531 Label an mbuf based on the interface from which it was received.
1532*/
1533typedef void mpo_mbuf_label_associate_ifnet_t(
1534 struct ifnet *ifp,
1535 struct label *i_label,
1536 struct mbuf *m,
1537 struct label *m_label
1538);
1539/**
1540 @brief Assign a label to a new mbuf
1541 @param inp inpcb structure
1542 @param i_label Existing label of inp
1543 @param m Object; mbuf
1544 @param m_label Policy label to fill in for m
1545
1546 Label an mbuf based on the inpcb from which it was derived.
1547*/
1548typedef void mpo_mbuf_label_associate_inpcb_t(
1549 struct inpcb *inp,
1550 struct label *i_label,
1551 struct mbuf *m,
1552 struct label *m_label
1553);
1554/**
1555 @brief Set the label on a newly reassembled IP datagram
1556 @param ipq IP fragment reassembly queue
1557 @param ipqlabel Policy label for ipq
1558 @param mbuf IP datagram to be labeled
1559 @param mbuflabel Policy label to be filled in for mbuf
1560
1561 Set the label on a newly reassembled IP datagram (mbuf) from the IP
1562 fragment reassembly queue (ipq) from which it was generated.
1563*/
1564typedef void mpo_mbuf_label_associate_ipq_t(
1565 struct ipq *ipq,
1566 struct label *ipqlabel,
1567 struct mbuf *mbuf,
1568 struct label *mbuflabel
1569);
1570/**
1571 @brief Assign a label to a new mbuf
1572 @param ifp Subject; network interface
1573 @param i_label Existing label of ifp
1574 @param m Object; mbuf
1575 @param m_label Policy label to fill in for m
1576
1577 Set the label on the mbuf header of a newly created datagram
1578 generated for the purposes of a link layer response for the passed
1579 interface. This call may be made in a number of situations, including
1580 for ARP or ND6 responses in the IPv4 and IPv6 stacks.
1581*/
1582typedef void mpo_mbuf_label_associate_linklayer_t(
1583 struct ifnet *ifp,
1584 struct label *i_label,
1585 struct mbuf *m,
1586 struct label *m_label
1587);
1588/**
1589 @brief Assign a label to a new mbuf
1590 @param oldmbuf mbuf headerder for existing datagram for existing datagram
1591 @param oldmbuflabel Policy label for oldmbuf
1592 @param ifp Network interface
1593 @param ifplabel Policy label for ifp
1594 @param newmbuf mbuf header to be labeled for new datagram
1595 @param newmbuflabel Policy label for newmbuf
1596
1597 Set the label on the mbuf header of a newly created datagram
1598 generated from the existing passed datagram when it is processed
1599 by the passed multicast encapsulation interface. This call is made
1600 when an mbuf is to be delivered using the virtual interface.
1601*/
1602typedef void mpo_mbuf_label_associate_multicast_encap_t(
1603 struct mbuf *oldmbuf,
1604 struct label *oldmbuflabel,
1605 struct ifnet *ifp,
1606 struct label *ifplabel,
1607 struct mbuf *newmbuf,
1608 struct label *newmbuflabel
1609);
1610/**
1611 @brief Assign a label to a new mbuf
1612 @param oldmbuf Received datagram
1613 @param oldmbuflabel Policy label for oldmbuf
1614 @param newmbuf Newly created datagram
1615 @param newmbuflabel Policy label for newmbuf
1616
1617 Set the label on the mbuf header of a newly created datagram generated
1618 by the IP stack in response to an existing received datagram (oldmbuf).
1619 This call may be made in a number of situations, including when responding
1620 to ICMP request datagrams.
1621*/
1622typedef void mpo_mbuf_label_associate_netlayer_t(
1623 struct mbuf *oldmbuf,
1624 struct label *oldmbuflabel,
1625 struct mbuf *newmbuf,
1626 struct label *newmbuflabel
1627);
1628/**
1629 @brief Assign a label to a new mbuf
1630 @param so Socket to label
1631 @param so_label Policy label for socket
1632 @param m Object; mbuf
1633 @param m_label Policy label to fill in for m
1634
1635 An mbuf structure is used to store network traffic in transit.
1636 When an application sends data to a socket or a pipe, it is wrapped
1637 in an mbuf first. This function sets the label on a newly created mbuf header
1638 based on the socket sending the data. The contents of the label should be
1639 suitable for performing an access check on the receiving side of the
1640 communication.
1641
1642 Only labeled MBUFs will be presented to the policy via this entrypoint.
1643*/
1644typedef void mpo_mbuf_label_associate_socket_t(
1645 socket_t so,
1646 struct label *so_label,
1647 struct mbuf *m,
1648 struct label *m_label
1649);
1650/**
1651 @brief Copy a mbuf label
1652 @param src Source label
1653 @param dest Destination label
1654
1655 Copy the mbuf label information in src into dest.
1656
1657 Only called when both source and destination mbufs have labels.
1658*/
1659typedef void mpo_mbuf_label_copy_t(
1660 struct label *src,
1661 struct label *dest
1662);
1663/**
1664 @brief Destroy mbuf label
1665 @param label The label to be destroyed
1666
1667 Destroy a mbuf label. Since the
1668 object is going out of scope, policy modules should free any
1669 internal storage associated with the label so that it may be
1670 destroyed.
1671*/
1672typedef void mpo_mbuf_label_destroy_t(
1673 struct label *label
1674);
1675/**
1676 @brief Initialize mbuf label
1677 @param label New label to initialize
1678 @param flag Malloc flags
1679
1680 Initialize the label for a newly instantiated mbuf.
1681
1682 @warning Since it is possible for the flags to be set to
1683 M_NOWAIT, the malloc operation may fail.
1684
1685 @return On success, 0, otherwise, an appropriate errno return value.
1686*/
1687typedef int mpo_mbuf_label_init_t(
1688 struct label *label,
1689 int flag
1690);
1691/**
1692 @brief Access control check for fsctl
1693 @param cred Subject credential
1694 @param mp The mount point
1695 @param label Label associated with the mount point
1696 @param com Filesystem-dependent request code; see fsctl(2)
1697
1698 Determine whether the subject identified by the credential can perform
1699 the volume operation indicated by com.
1700
1701 @warning The fsctl() system call is directly analogous to ioctl(); since
1702 the associated data is opaque from the standpoint of the MAC framework
1703 and since these operations can affect many aspects of system operation,
1704 policies must exercise extreme care when implementing access control checks.
1705
1706 @return Return 0 if access is granted, otherwise an appropriate value for
1707 errno should be returned.
1708*/
1709typedef int mpo_mount_check_fsctl_t(
1710 kauth_cred_t cred,
1711 struct mount *mp,
1712 struct label *label,
1713 unsigned int cmd
1714);
1715/**
1716 @brief Access control check for the retrieval of file system attributes
1717 @param cred Subject credential
1718 @param mp The mount structure of the file system
1719 @param vfa The attributes requested
1720
1721 This entry point determines whether given subject can get information
1722 about the given file system. This check happens during statfs() syscalls,
1723 but is also used by other parts within the kernel such as the audit system.
1724
1725 @return Return 0 if access is granted, otherwise an appropriate value for
1726 errno should be returned.
1727*/
1728
1729typedef int mpo_mount_check_getattr_t(
1730 kauth_cred_t cred,
1731 struct mount *mp,
1732 struct label *mp_label,
1733 struct vfs_attr *vfa
1734);
1735/**
1736 @brief Access control check for mount point relabeling
1737 @param cred Subject credential
1738 @param mp Object file system mount point
1739 @param mntlabel Policy label for fle system mount point
1740
1741 Determine whether the subject identified by the credential can relabel
1742 the mount point. This call is made when a file system mount is updated.
1743
1744 @return Return 0 if access is granted, otherwise an appropriate value for
1745 errno should be returned. Suggested failure: EACCES for label mismatch
1746 or EPERM for lack of privilege.
1747*/
1748typedef int mpo_mount_check_label_update_t(
1749 kauth_cred_t cred,
1750 struct mount *mp,
1751 struct label *mntlabel
1752);
1753/**
1754 @brief Access control check for mounting a file system
1755 @param cred Subject credential
1756 @param vp Vnode that is to be the mount point
1757 @param vlabel Label associated with the vnode
1758 @param cnp Component name for vp
1759 @param vfc_name Filesystem type name
1760
1761 Determine whether the subject identified by the credential can perform
1762 the mount operation on the target vnode.
1763
1764 @return Return 0 if access is granted, otherwise an appropriate value for
1765 errno should be returned.
1766*/
1767typedef int mpo_mount_check_mount_t(
1768 kauth_cred_t cred,
1769 struct vnode *vp,
1770 struct label *vlabel,
1771 struct componentname *cnp,
1772 const char *vfc_name
1773);
1774/**
1775 @brief Access control check remounting a filesystem
1776 @param cred Subject credential
1777 @param mp The mount point
1778 @param mlabel Label currently associated with the mount point
1779
1780 Determine whether the subject identified by the credential can perform
1781 the remount operation on the target vnode.
1782
1783 @return Return 0 if access is granted, otherwise an appropriate value for
1784 errno should be returned.
1785*/
1786typedef int mpo_mount_check_remount_t(
1787 kauth_cred_t cred,
1788 struct mount *mp,
1789 struct label *mlabel
1790);
1791/**
1792 @brief Access control check for the settting of file system attributes
1793 @param cred Subject credential
1794 @param mp The mount structure of the file system
1795 @param vfa The attributes requested
1796
1797 This entry point determines whether given subject can set information
1798 about the given file system, for example the volume name.
1799
1800 @return Return 0 if access is granted, otherwise an appropriate value for
1801 errno should be returned.
1802*/
1803
1804typedef int mpo_mount_check_setattr_t(
1805 kauth_cred_t cred,
1806 struct mount *mp,
1807 struct label *mp_label,
1808 struct vfs_attr *vfa
1809);
1810/**
1811 @brief Access control check for file system statistics
1812 @param cred Subject credential
1813 @param mp Object file system mount
1814 @param mntlabel Policy label for mp
1815
1816 Determine whether the subject identified by the credential can see
1817 the results of a statfs performed on the file system. This call may
1818 be made in a number of situations, including during invocations of
1819 statfs(2) and related calls, as well as to determine what file systems
1820 to exclude from listings of file systems, such as when getfsstat(2)
1821 is invoked.
1822
1823 @return Return 0 if access is granted, otherwise an appropriate value for
1824 errno should be returned. Suggested failure: EACCES for label mismatch
1825 or EPERM for lack of privilege.
1826*/
1827typedef int mpo_mount_check_stat_t(
1828 kauth_cred_t cred,
1829 struct mount *mp,
1830 struct label *mntlabel
1831);
1832/**
1833 @brief Access control check for unmounting a filesystem
1834 @param cred Subject credential
1835 @param mp The mount point
1836 @param mlabel Label associated with the mount point
1837
1838 Determine whether the subject identified by the credential can perform
1839 the unmount operation on the target vnode.
1840
1841 @return Return 0 if access is granted, otherwise an appropriate value for
1842 errno should be returned.
1843*/
1844typedef int mpo_mount_check_umount_t(
1845 kauth_cred_t cred,
1846 struct mount *mp,
1847 struct label *mlabel
1848);
1849/**
1850 @brief Create mount labels
1851 @param cred Subject credential
1852 @param mp Mount point of file system being mounted
1853 @param mntlabel Label to associate with the new mount point
1854 @see mpo_mount_label_init_t
1855
1856 Fill out the labels on the mount point being created by the supplied
1857 user credential. This call is made when file systems are first mounted.
1858*/
1859typedef void mpo_mount_label_associate_t(
1860 kauth_cred_t cred,
1861 struct mount *mp,
1862 struct label *mntlabel
1863);
1864/**
1865 @brief Destroy mount label
1866 @param label The label to be destroyed
1867
1868 Destroy a file system mount label. Since the
1869 object is going out of scope, policy modules should free any
1870 internal storage associated with the label so that it may be
1871 destroyed.
1872*/
1873typedef void mpo_mount_label_destroy_t(
1874 struct label *label
1875);
1876/**
1877 @brief Externalize a mount point label
1878 @param label Label to be externalized
1879 @param element_name Name of the label namespace for which labels should be
1880 externalized
1881 @param sb String buffer to be filled with a text representation of the label
1882
1883 Produce an external representation of the mount point label. An
1884 externalized label consists of a text representation of the label
1885 contents that can be used with user applications. Policy-agnostic
1886 user space tools will display this externalized version.
1887
1888 The policy's externalize entry points will be called only if the
1889 policy has registered interest in the label namespace.
1890
1891 @return 0 on success, return non-zero if an error occurs while
1892 externalizing the label data.
1893
1894*/
1895typedef int mpo_mount_label_externalize_t(
1896 struct label *label,
1897 char *element_name,
1898 struct sbuf *sb
1899);
1900/**
1901 @brief Initialize mount point label
1902 @param label New label to initialize
1903
1904 Initialize the label for a newly instantiated mount structure.
1905 This label is typically used to store a default label in the case
1906 that the file system has been mounted singlelabel. Since some
1907 file systems do not support persistent labels (extended attributes)
1908 or are read-only (such as CD-ROMs), it is often necessary to store
1909 a default label separately from the label of the mount point
1910 itself. Sleeping is permitted.
1911*/
1912typedef void mpo_mount_label_init_t(
1913 struct label *label
1914);
1915/**
1916 @brief Internalize a mount point label
1917 @param label Label to be internalized
1918 @param element_name Name of the label namespace for which the label should
1919 be internalized
1920 @param element_data Text data to be internalized
1921
1922 Produce a mount point file system label from an external representation.
1923 An externalized label consists of a text representation of the label
1924 contents that can be used with user applications. Policy-agnostic
1925 user space tools will forward text version to the kernel for
1926 processing by individual policy modules.
1927
1928 The policy's internalize entry points will be called only if the
1929 policy has registered interest in the label namespace.
1930
1931 @return 0 on success, Otherwise, return non-zero if an error occurs
1932 while internalizing the label data.
1933
1934*/
1935typedef int mpo_mount_label_internalize_t(
1936 struct label *label,
1937 char *element_name,
1938 char *element_data
1939);
1940/**
1941 @brief Set the label on an IPv4 datagram fragment
1942 @param datagram Datagram being fragmented
1943 @param datagramlabel Policy label for datagram
1944 @param fragment New fragment
1945 @param fragmentlabel Policy label for fragment
1946
1947 Called when an IPv4 datagram is fragmented into several smaller datagrams.
1948 Policies implementing mbuf labels will typically copy the label from the
1949 source datagram to the new fragment.
1950*/
1951typedef void mpo_netinet_fragment_t(
1952 struct mbuf *datagram,
1953 struct label *datagramlabel,
1954 struct mbuf *fragment,
1955 struct label *fragmentlabel
1956);
1957/**
1958 @brief Set the label on an ICMP reply
1959 @param m mbuf containing the ICMP reply
1960 @param mlabel Policy label for m
1961
1962 A policy may wish to update the label of an mbuf that refers to
1963 an ICMP packet being sent in response to an IP packet. This may
1964 be called in response to a bad packet or an ICMP request.
1965*/
1966typedef void mpo_netinet_icmp_reply_t(
1967 struct mbuf *m,
1968 struct label *mlabel
1969);
1970/**
1971 @brief Set the label on a TCP reply
1972 @param m mbuf containing the TCP reply
1973 @param mlabel Policy label for m
1974
1975 Called for outgoing TCP packets not associated with an actual socket.
1976*/
1977typedef void mpo_netinet_tcp_reply_t(
1978 struct mbuf *m,
1979 struct label *mlabel
1980);
1981/**
1982 @brief Access control check for pipe ioctl
1983 @param cred Subject credential
1984 @param cpipe Object to be accessed
1985 @param pipelabel The label on the pipe
1986 @param cmd The ioctl command; see ioctl(2)
1987
1988 Determine whether the subject identified by the credential can perform
1989 the ioctl operation indicated by cmd.
1990
1991 @warning Since ioctl data is opaque from the standpoint of the MAC
1992 framework, policies must exercise extreme care when implementing
1993 access control checks.
1994
1995 @return Return 0 if access is granted, otherwise an appropriate value for
1996 errno should be returned.
1997
1998*/
1999typedef int mpo_pipe_check_ioctl_t(
2000 kauth_cred_t cred,
2001 struct pipe *cpipe,
2002 struct label *pipelabel,
2003 unsigned int cmd
2004);
2005/**
2006 @brief Access control check for pipe kqfilter
2007 @param cred Subject credential
2008 @param kn Object knote
2009 @param cpipe Object to be accessed
2010 @param pipelabel Policy label for the pipe
2011
2012 Determine whether the subject identified by the credential can
2013 receive the knote on the passed pipe.
2014
2015 @return Return 0 if access if granted, otherwise an appropriate
2016 value for errno should be returned.
2017*/
2018typedef int mpo_pipe_check_kqfilter_t(
2019 kauth_cred_t cred,
2020 struct knote *kn,
2021 struct pipe *cpipe,
2022 struct label *pipelabel
2023);
2024/**
2025 @brief Access control check for pipe relabel
2026 @param cred Subject credential
2027 @param cpipe Object to be accessed
2028 @param pipelabel The current label on the pipe
2029 @param newlabel The new label to be used
2030
2031 Determine whether the subject identified by the credential can
2032 perform a relabel operation on the passed pipe. The cred object holds
2033 the credentials of the subject performing the operation.
2034
2035 @return Return 0 if access is granted, otherwise an appropriate value for
2036 errno should be returned.
2037
2038*/
2039typedef int mpo_pipe_check_label_update_t(
2040 kauth_cred_t cred,
2041 struct pipe *cpipe,
2042 struct label *pipelabel,
2043 struct label *newlabel
2044);
2045/**
2046 @brief Access control check for pipe read
2047 @param cred Subject credential
2048 @param cpipe Object to be accessed
2049 @param pipelabel The label on the pipe
2050
2051 Determine whether the subject identified by the credential can
2052 perform a read operation on the passed pipe. The cred object holds
2053 the credentials of the subject performing the operation.
2054
2055 @return Return 0 if access is granted, otherwise an appropriate value for
2056 errno should be returned.
2057
2058*/
2059typedef int mpo_pipe_check_read_t(
2060 kauth_cred_t cred,
2061 struct pipe *cpipe,
2062 struct label *pipelabel
2063);
2064/**
2065 @brief Access control check for pipe select
2066 @param cred Subject credential
2067 @param cpipe Object to be accessed
2068 @param pipelabel The label on the pipe
2069 @param which The operation selected on: FREAD or FWRITE
2070
2071 Determine whether the subject identified by the credential can
2072 perform a select operation on the passed pipe. The cred object holds
2073 the credentials of the subject performing the operation.
2074
2075 @return Return 0 if access is granted, otherwise an appropriate value for
2076 errno should be returned.
2077
2078*/
2079typedef int mpo_pipe_check_select_t(
2080 kauth_cred_t cred,
2081 struct pipe *cpipe,
2082 struct label *pipelabel,
2083 int which
2084);
2085/**
2086 @brief Access control check for pipe stat
2087 @param cred Subject credential
2088 @param cpipe Object to be accessed
2089 @param pipelabel The label on the pipe
2090
2091 Determine whether the subject identified by the credential can
2092 perform a stat operation on the passed pipe. The cred object holds
2093 the credentials of the subject performing the operation.
2094
2095 @return Return 0 if access is granted, otherwise an appropriate value for
2096 errno should be returned.
2097
2098*/
2099typedef int mpo_pipe_check_stat_t(
2100 kauth_cred_t cred,
2101 struct pipe *cpipe,
2102 struct label *pipelabel
2103);
2104/**
2105 @brief Access control check for pipe write
2106 @param cred Subject credential
2107 @param cpipe Object to be accessed
2108 @param pipelabel The label on the pipe
2109
2110 Determine whether the subject identified by the credential can
2111 perform a write operation on the passed pipe. The cred object holds
2112 the credentials of the subject performing the operation.
2113
2114 @return Return 0 if access is granted, otherwise an appropriate value for
2115 errno should be returned.
2116
2117*/
2118typedef int mpo_pipe_check_write_t(
2119 kauth_cred_t cred,
2120 struct pipe *cpipe,
2121 struct label *pipelabel
2122);
2123/**
2124 @brief Create a pipe label
2125 @param cred Subject credential
2126 @param cpipe object to be labeled
2127 @param label Label for the pipe object
2128
2129 Create a label for the pipe object being created by the supplied
2130 user credential. This call is made when the pipe is being created
2131 XXXPIPE(for one or both sides of the pipe?).
2132
2133*/
2134typedef void mpo_pipe_label_associate_t(
2135 kauth_cred_t cred,
2136 struct pipe *cpipe,
2137 struct label *pipelabel
2138);
2139/**
2140 @brief Copy a pipe label
2141 @param src Source pipe label
2142 @param dest Destination pipe label
2143
2144 Copy the pipe label associated with src to dest.
2145 XXXPIPE Describe when this is used: most likely during pipe creation to
2146 copy from rpipe to wpipe.
2147*/
2148typedef void mpo_pipe_label_copy_t(
2149 struct label *src,
2150 struct label *dest
2151);
2152/**
2153 @brief Destroy pipe label
2154 @param label The label to be destroyed
2155
2156 Destroy a pipe label. Since the object is going out of scope,
2157 policy modules should free any internal storage associated with the
2158 label so that it may be destroyed.
2159*/
2160typedef void mpo_pipe_label_destroy_t(
2161 struct label *label
2162);
2163/**
2164 @brief Externalize a pipe label
2165 @param label Label to be externalized
2166 @param element_name Name of the label namespace for which labels should be
2167 externalized
2168 @param sb String buffer to be filled with a text representation of the label
2169
2170 Produce an external representation of the label on a pipe.
2171 An externalized label consists of a text representation
2172 of the label contents that can be used with user applications.
2173 Policy-agnostic user space tools will display this externalized
2174 version.
2175
2176 The policy's externalize entry points will be called only if the
2177 policy has registered interest in the label namespace.
2178
2179 @return 0 on success, return non-zero if an error occurs while
2180 externalizing the label data.
2181
2182*/
2183typedef int mpo_pipe_label_externalize_t(
2184 struct label *label,
2185 char *element_name,
2186 struct sbuf *sb
2187);
2188/**
2189 @brief Initialize pipe label
2190 @param label New label to initialize
2191
2192 Initialize label storage for use with a newly instantiated pipe object.
2193 Sleeping is permitted.
2194*/
2195typedef void mpo_pipe_label_init_t(
2196 struct label *label
2197);
2198/**
2199 @brief Internalize a pipe label
2200 @param label Label to be internalized
2201 @param element_name Name of the label namespace for which the label should
2202 be internalized
2203 @param element_data Text data to be internalized
2204
2205 Produce a pipe label from an external representation. An
2206 externalized label consists of a text representation of the label
2207 contents that can be used with user applications. Policy-agnostic
2208 user space tools will forward text version to the kernel for
2209 processing by individual policy modules.
2210
2211 The policy's internalize entry points will be called only if the
2212 policy has registered interest in the label namespace.
2213
2214 @return 0 on success, Otherwise, return non-zero if an error occurs
2215 while internalizing the label data.
2216
2217*/
2218typedef int mpo_pipe_label_internalize_t(
2219 struct label *label,
2220 char *element_name,
2221 char *element_data
2222);
2223/**
2224 @brief Update a pipe label
2225 @param cred Subject credential
2226 @param cpipe Object to be labeled
2227 @param oldlabel Existing pipe label
2228 @param newlabel New label to replace existing label
2229 @see mpo_pipe_check_label_update_t
2230
2231 The subject identified by the credential has previously requested
2232 and was authorized to relabel the pipe; this entry point allows
2233 policies to perform the actual relabel operation. Policies should
2234 update oldlabel using the label stored in the newlabel parameter.
2235
2236*/
2237typedef void mpo_pipe_label_update_t(
2238 kauth_cred_t cred,
2239 struct pipe *cpipe,
2240 struct label *oldlabel,
2241 struct label *newlabel
2242);
2243/**
2244 @brief Policy unload event
2245 @param mpc MAC policy configuration
2246
2247 This is the MAC Framework policy unload event. This entry point will
2248 only be called if the module's policy configuration allows unload (if
2249 the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't
2250 want to be unloaded; they should set their flags to prevent this
2251 entry point from being called.
2252
2253 @warning During this call, the mac policy list mutex is held, so
2254 sleep operations cannot be performed, and calls out to other kernel
2255 subsystems must be made with caution.
2256
2257 @see MPC_LOADTIME_FLAG_UNLOADOK
2258*/
2259typedef void mpo_policy_destroy_t(
2260 struct mac_policy_conf *mpc
2261);
2262/**
2263 @brief Policy initialization event
2264 @param mpc MAC policy configuration
2265 @see mac_policy_register
2266 @see mpo_policy_initbsd_t
2267
2268 This is the MAC Framework policy initialization event. This entry
2269 point is called during mac_policy_register, when the policy module
2270 is first registered with the MAC Framework. This is often done very
2271 early in the boot process, after the kernel Mach subsystem has been
2272 initialized, but prior to the BSD subsystem being initialized.
2273 Since the kernel BSD services are not yet available, it is possible
2274 that some initialization must occur later, possibly in the
2275 mpo_policy_initbsd_t policy entry point, such as registering BSD system
2276 controls (sysctls). Policy modules loaded at boot time will be
2277 registered and initialized before labeled Mach objects are created.
2278
2279 @warning During this call, the mac policy list mutex is held, so
2280 sleep operations cannot be performed, and calls out to other kernel
2281 subsystems must be made with caution.
2282*/
2283typedef void mpo_policy_init_t(
2284 struct mac_policy_conf *mpc
2285);
2286/**
2287 @brief Policy BSD initialization event
2288 @param mpc MAC policy configuration
2289 @see mpo_policy_init_t
2290
2291 This entry point is called after the kernel BSD subsystem has been
2292 initialized. By this point, the module should already be loaded,
2293 registered, and initialized. Since policy modules are initialized
2294 before kernel BSD services are available, this second initialization
2295 phase is necessary. At this point, BSD services (memory management,
2296 synchronization primitives, vfs, etc.) are available, but the first
2297 process has not yet been created. Mach-related objects and tasks
2298 will already be fully initialized and may be in use--policies requiring
2299 ubiquitous labeling may also want to implement mpo_policy_init_t.
2300
2301 @warning During this call, the mac policy list mutex is held, so
2302 sleep operations cannot be performed, and calls out to other kernel
2303 subsystems must be made with caution.
2304*/
2305typedef void mpo_policy_initbsd_t(
2306 struct mac_policy_conf *mpc
2307);
2308/**
2309 @brief Policy extension service
2310 @param p Calling process
2311 @param call Policy-specific syscall number
2312 @param arg Pointer to syscall arguments
2313
2314 This entry point provides a policy-multiplexed system call so that
2315 policies may provide additional services to user processes without
2316 registering specific system calls. The policy name provided during
2317 registration is used to demux calls from userland, and the arguments
2318 will be forwarded to this entry point. When implementing new
2319 services, security modules should be sure to invoke appropriate
2320 access control checks from the MAC framework as needed. For
2321 example, if a policy implements an augmented signal functionality,
2322 it should call the necessary signal access control checks to invoke
2323 the MAC framework and other registered policies.
2324
2325 @warning Since the format and contents of the policy-specific
2326 arguments are unknown to the MAC Framework, modules must perform the
2327 required copyin() of the syscall data on their own. No policy
2328 mediation is performed, so policies must perform any necessary
2329 access control checks themselves. If multiple policies are loaded,
2330 they will currently be unable to mediate calls to other policies.
2331
2332 @return In the event of an error, an appropriate value for errno
2333 should be returned, otherwise return 0 upon success.
2334*/
2335typedef int mpo_policy_syscall_t(
2336 struct proc *p,
2337 int call,
2338 user_addr_t arg
2339);
2340/**
2341 @brief Access control check for copying a send right to another task
2342 @param task Label of the sender task
2343 @param port Label of the affected port
2344
2345 Access control check for copying send rights to the port from the
2346 specified task. A complementary entry point, mpo_port_check_hold_send,
2347 handles the receiving task. port_check_copy_send is called as part of
2348 a group of policy invocations when messages with port rights are sent.
2349 All access control checks made for a particular message must be successful
2350 for the message to be sent.
2351
2352 The task label and the port are locked. Sleeping is permitted.
2353
2354 @return Return 0 if access is granted, non-zero otherwise.
2355*/
2356typedef int mpo_port_check_copy_send_t(
2357 struct label *task,
2358 struct label *port
2359);
2360/**
2361 @brief Access control check for obtaining a receive right
2362 @param task Label of the receiving task
2363 @param port Label of the affected port
2364
2365 Access control check for a task obtaining receive rights to a
2366 port. Usually, these are port rights that were obtained with a call
2367 to mach_port_allocate. This entry point is called as part of a
2368 group of policy invocations when messages with port rights are
2369 received. All of these access control checks must succeed in order
2370 to receive the message.
2371
2372 The task label and the port are locked. Sleeping is permitted.
2373
2374 @return Return 0 if access is granted, non-zero otherwise.
2375*/
2376typedef int mpo_port_check_hold_receive_t(
2377 struct label *task,
2378 struct label *port
2379);
2380/**
2381 @brief Access control check for obtaining a send once right
2382 @param task Label of the receiving task
2383 @param port Label of the affected port
2384
2385 Access control check for a task obtaining send once rights to a port. Usually,
2386 these are port rights that were part of a message sent by another userspace
2387 task. port_check_hold_send_once is called as part of a group of policy
2388 invocations when messages with port rights are received. All of these access
2389 control checks must succeed in order to receive the message.
2390
2391 The task label and the port are locked. Sleeping is permitted.
2392
2393 @return Return 0 if access is granted, non-zero otherwise.
2394*/
2395typedef int mpo_port_check_hold_send_once_t(
2396 struct label *task,
2397 struct label *port
2398);
2399/**
2400 @brief Access control check for obtaining a send right
2401 @param task Label of the receiving task
2402 @param port Label of the affected port
2403
2404 Access control check for a task obtaining send rights to a port. Usually,
2405 these are port rights that were part of a message sent by another userspace
2406 task. port_check_hold_send is called as part of a group of policy
2407 invocations when messages with port rights are received. All of these access
2408 control checks must succeed in order to receive the message.
2409
2410 The task label and the port are locked. Sleeping is permitted.
2411
2412 @return Return 0 if access is granted, non-zero otherwise.
2413*/
2414typedef int mpo_port_check_hold_send_t(
2415 struct label *task,
2416 struct label *port
2417);
2418/**
2419 @brief Access control check for relabelling ports
2420 @param task Subject's task label
2421 @param oldlabel Original label of port
2422 @param newlabel New label for port
2423
2424 Access control check for relabelling ports. The policy should
2425 indicate whether the subject is permitted to change the label
2426 of a port from oldlabel to newlabel. The port is locked, but
2427 the subject's task label is not locked.
2428
2429 @warning XXX In future releases, the task label lock will likely
2430 also be held.
2431
2432 @return Return 0 if access is granted, non-zero otherwise.
2433*/
2434typedef int mpo_port_check_label_update_t(
2435 struct label *task,
2436 struct label *oldlabel,
2437 struct label *newlabel
2438);
2439/**
2440 @brief Access control check for producing a send once right from a receive right
2441 @param task Label of the sender task
2442 @param port Label of the affected port
2443
2444 Access control check for obtaining send once rights from receive rights.
2445 The new send once right may be destined for the calling task, or a different
2446 task. In either case the mpo_port_check_hold_send_once entry point handles
2447 the receiving task. port_check_make_send_once may be called as part of a
2448 group of policy invocations when messages with port rights are sent.
2449 All access control checks made for a particular message must be successful
2450 for the message to be sent.
2451
2452 The task label and the port are locked. Sleeping is permitted.
2453
2454 @return Return 0 if access is granted, non-zero otherwise.
2455*/
2456typedef int mpo_port_check_make_send_once_t(
2457 struct label *task,
2458 struct label *port
2459);
2460/**
2461 @brief Access control check for producing a send right from a receive right
2462 @param task Label of the sender task
2463 @param port Label of the affected port
2464
2465 Access control check for obtaining send rights from receive rights. The new
2466 send right may be destined for the calling task, or a different task.
2467 In either case the mpo_port_check_hold_send entry point
2468 handles the receiving task. port_check_make_send may be called as part of
2469 a group of policy invocations when messages with port rights are sent.
2470 All access control checks made for a particular message must be successful
2471 for the message to be sent.
2472
2473 The task label and the port are locked. Sleeping is permitted.
2474
2475 @return Return 0 if access is granted, non-zero otherwise.
2476*/
2477typedef int mpo_port_check_make_send_t(
2478 struct label *task,
2479 struct label *port
2480);
2481/**
2482 @brief Compute access control check for a Mach message-based service
2483 @param proc Sender's process structure (may be NULL)
2484 @param task Sender's task label
2485 @param port Destination port label
2486 @param msgid Message id
2487
2488 Access control computation for message-based services. This entry point
2489 computes permission to the service requested by the specified port and message
2490 id, for example a single MiG server routine, and is unrelated to the access
2491 check for sending messages to ports (but that check must succeed for the
2492 message to be sent to the destination). The result of this access computation
2493 is stored in the message trailer field msgh_ad (only if requested by the
2494 recipient); it does not actually inhibit the message from being sent or
2495 received.
2496
2497 @return 0 for access granted, nonzero for access denied.
2498*/
2499
2500typedef int mpo_port_check_method_t(
2501 struct proc *proc,
2502 struct label *task,
2503 struct label *port,
2504 int msgid
2505);
2506/**
2507 @brief Access control check for transferring a receive right
2508 @param task Label of the sender task
2509 @param port Label of the affected port
2510
2511 Access control check for transferring the receive right to a port out
2512 of the specified task. A complementary entry point,
2513 mpo_port_check_hold_receive, handles the receiving task.
2514 port_check_move_receive is called as part of
2515 a group of policy invocations when messages with port rights are sent.
2516 All access control checks made for a particular message must be successful
2517 for the message to be sent.
2518
2519 The task label and the port are locked. Sleeping is permitted.
2520
2521 @return Return 0 if access is granted, non-zero otherwise.
2522*/
2523typedef int mpo_port_check_move_receive_t(
2524 struct label *task,
2525 struct label *port
2526);
2527/**
2528 @brief Access control check for transferring a send once right
2529 @param task Label of the sender task
2530 @param port Label of the affected port
2531
2532 Access control check for transferring a send once right from one task to
2533 the task listening to the specified port. A complementary entry point,
2534 mpo_port_check_hold_send_once, handles the receiving task.
2535 port_check_move_send_once is called as part of a group of policy invocations
2536 when messages with port rights are sent. All access control checks made
2537 for a particular message must be successful for the message to be sent.
2538
2539 The task label and the port are locked. Sleeping is permitted.
2540
2541 @return Return 0 if access is granted, non-zero otherwise.
2542*/
2543typedef int mpo_port_check_move_send_once_t(
2544 struct label *task,
2545 struct label *port
2546);
2547/**
2548 @brief Access control check for transferring a send right
2549 @param task Label of the sender task
2550 @param port Label of the affected port
2551
2552 Access control check for transferring a send right from one task to the
2553 task listening to the specified port. A complementary entry point,
2554 mpo_port_check_hold_send, handles the receiving task.
2555 port_check_move_send is called as part of a group of policy invocations
2556 when messages with port rights are sent. All access control checks made
2557 for a particular message must be successful for the message to be sent.
2558
2559 The task label and the port are locked. Sleeping is permitted.
2560
2561 @return Return 0 if access is granted, non-zero otherwise.
2562*/
2563typedef int mpo_port_check_move_send_t(
2564 struct label *task,
2565 struct label *port
2566);
2567/**
2568 @brief Access control check for receiving Mach messsages
2569 @param task Label of the receiving task
2570 @param sender Label of the sending task
2571
2572 Access control check for receiving messages. The two labels are locked.
2573
2574 @warning This entry point can be invoked from many places inside the
2575 kernel, with arbitrary other locks held. The implementation of this
2576 entry point must not cause page faults, as those are handled by mach
2577 messages.
2578
2579 @return Return 0 if access is granted, non-zero otherwise.
2580*/
2581typedef int mpo_port_check_receive_t(
2582 struct label *task,
2583 struct label *sender
2584);
2585/**
2586 @brief Access control check for sending Mach messsages
2587 @param task Label of the sender task
2588 @param port Label of the destination port
2589
2590 Access control check for sending messages. The task label and the
2591 port are locked.
2592
2593 @warning This entry point can be invoked from many places inside the
2594 kernel, with arbitrary other locks held. The implementation of this
2595 entry point must not cause page faults, as those are handled by mach
2596 messages.
2597
2598 @return Return 0 if access is granted, non-zero otherwise.
2599*/
2600typedef int mpo_port_check_send_t(
2601 struct label *task,
2602 struct label *port
2603);
2604/**
2605 @brief Generic access control check
2606 @param subj Caller-provided subject label
2607 @param obj Caller-provided object label
2608 @param serv Service or object class name
2609 @param perm Permission, or method, within the specified service
2610
2611 This function provides a general way for a user process to query
2612 an arbitrary access control decision from the system's security policies.
2613 Currently, there are no standards for the format of the service and
2614 permission names. Labels may be either cred or port labels; the policy
2615 must accept either. The userspace interfaces to this entry point allow
2616 label strings or label handles (ports) to be provided.
2617
2618 @return Return 0 if access is granted, non-zero otherwise.
2619*/
2620typedef int mpo_port_check_service_t(
2621 struct label *subj,
2622 struct label *obj,
2623 const char *serv,
2624 const char *perm
2625);
2626/**
2627 @brief Assign a label to a new Mach port created by the kernel
2628 @param portlabel Label for the new port
2629 @param isreply True if the port is for a reply message from the kernel
2630
2631 Assign a label to a new port created by the kernel. If the port is being
2632 used to reply to a message, isreply is 1 (0 otherwise). The port is locked.
2633*/
2634typedef void mpo_port_label_associate_kernel_t(
2635 struct label *portlabel,
2636 int isreply
2637);
2638/**
2639 @brief Assign a label to a new Mach port
2640 @param it Task label of issuer
2641 @param st Task label of target
2642 @param portlabel Label for the new port
2643
2644 Assign a label to a new port. The policy can base this label on
2645 the label of the calling task, as well as the label of the target task.
2646 The target task is the one which recieves the first right for this port.
2647 Both task labels and the port are locked.
2648*/
2649typedef void mpo_port_label_associate_t(
2650 struct label *it,
2651 struct label *st,
2652 struct label *portlabel
2653);
2654/**
2655 @brief Request label for new (userspace) object
2656 @param subj Subject label
2657 @param obj Parent or existing object label
2658 @param serv Name of service
2659 @param out Computed label
2660
2661 Ask the loaded policies to compute a label based on the two input labels
2662 and the service name. There is currently no standard for the service name,
2663 or even what the input labels represent (Subject and parent object are only
2664 a suggestion). If successful, the computed label is stored in out. All labels
2665 must be port (or task) labels. The userspace interfaces to this entry point
2666 allow label handles (ports) to be provided.
2667
2668 @return 0 on success, or an errno value for failure.
2669*/
2670typedef int mpo_port_label_compute_t(
2671 struct label *subj,
2672 struct label *obj,
2673 const char *serv,
2674 struct label *out
2675);
2676/**
2677 @brief Copy a Mach port label
2678 @param src Source port label
2679 @param dest Destination port label
2680
2681 Copy the Mach port label information from src to dest. This is used
2682 to copy user-suplied labels into an existing port.
2683*/
2684typedef void mpo_port_label_copy_t(
2685 struct label *src,
2686 struct label *dest
2687);
2688/**
2689 @brief Destroy Mach port label
2690 @param label The label to be destroyed
2691
2692 Destroy a Mach port label. Since the object is going out of
2693 scope, policy modules should free any internal storage associated
2694 with the label so that it may be destroyed.
2695*/
2696typedef void mpo_port_label_destroy_t(
2697 struct label *label
2698);
2699/**
2700 @brief Initialize Mach port label
2701 @param label New label to initialize
2702
2703 Initialize the label for a newly instantiated Mach port. Sleeping
2704 is permitted.
2705*/
2706typedef void mpo_port_label_init_t(
2707 struct label *label
2708);
2709/**
2710 @brief Update a Mach task port label
2711 @param cred User credential label to be used as the source
2712 @param task Mach port label to be used as the destination
2713 @see mpo_cred_label_update_t
2714 @see mpo_cred_label_update_execve_t
2715
2716 Update the label on a Mach task port, using the supplied user
2717 credential label. When a mac_cred_label_update_execve or a mac_cred_label_update
2718 operation causes the label on a user credential to change, the Mach
2719 task port label also needs to be updated to reflect the change.
2720 Both labels are already valid (initialized and created).
2721*/
2722typedef void mpo_port_label_update_cred_t(
2723 struct label *cred,
2724 struct label *task
2725);
2726/**
2727 @brief Assign a label to a Mach port connected to a kernel object
2728 @param portlabel Label for the port
2729 @param kotype Type of kernel object
2730
2731 Label a kernel port based on the type of object behind it. The
2732 kotype parameter is one of the IKOT constants in
2733 <kern/ipc_kobject.h>. The port already has a valid label from either
2734 mpo_port_label_associate_kernel, or because it is a task port and has a label
2735 derived from the process and task labels. The port is locked.
2736*/
2737typedef void mpo_port_label_update_kobject_t(
2738 struct label *portlabel,
2739 int kotype
2740);
2741/**
2742 @brief Access control check for POSIX semaphore create
2743 @param cred Subject credential
2744 @param name String name of the semaphore
2745
2746 Determine whether the subject identified by the credential can create
2747 a POSIX semaphore specified by name.
2748
2749 @return Return 0 if access is granted, otherwise an appropriate value for
2750 errno should be returned.
2751*/
2752typedef int mpo_posixsem_check_create_t(
2753 kauth_cred_t cred,
2754 const char *name
2755);
2756/**
2757 @brief Access control check for POSIX semaphore open
2758 @param cred Subject credential
2759 @param ps Pointer to semaphore information structure
2760 @param semlabel Label associated with the semaphore
2761
2762 Determine whether the subject identified by the credential can open
2763 the named POSIX semaphore with label semlabel.
2764
2765 @return Return 0 if access is granted, otherwise an appropriate value for
2766 errno should be returned.
2767*/
2768typedef int mpo_posixsem_check_open_t(
2769 kauth_cred_t cred,
2770 struct pseminfo *ps,
2771 struct label *semlabel
2772);
2773/**
2774 @brief Access control check for POSIX semaphore post
2775 @param cred Subject credential
2776 @param ps Pointer to semaphore information structure
2777 @param semlabel Label associated with the semaphore
2778
2779 Determine whether the subject identified by the credential can unlock
2780 the named POSIX semaphore with label semlabel.
2781
2782 @return Return 0 if access is granted, otherwise an appropriate value for
2783 errno should be returned.
2784*/
2785typedef int mpo_posixsem_check_post_t(
2786 kauth_cred_t cred,
2787 struct pseminfo *ps,
2788 struct label *semlabel
2789);
2790/**
2791 @brief Access control check for POSIX semaphore unlink
2792 @param cred Subject credential
2793 @param ps Pointer to semaphore information structure
2794 @param semlabel Label associated with the semaphore
2795 @param name String name of the semaphore
2796
2797 Determine whether the subject identified by the credential can remove
2798 the named POSIX semaphore with label semlabel.
2799
2800 @return Return 0 if access is granted, otherwise an appropriate value for
2801 errno should be returned.
2802*/
2803typedef int mpo_posixsem_check_unlink_t(
2804 kauth_cred_t cred,
2805 struct pseminfo *ps,
2806 struct label *semlabel,
2807 const char *name
2808);
2809/**
2810 @brief Access control check for POSIX semaphore wait
2811 @param cred Subject credential
2812 @param ps Pointer to semaphore information structure
2813 @param semlabel Label associated with the semaphore
2814
2815 Determine whether the subject identified by the credential can lock
2816 the named POSIX semaphore with label semlabel.
2817
2818 @return Return 0 if access is granted, otherwise an appropriate value for
2819 errno should be returned.
2820*/
2821typedef int mpo_posixsem_check_wait_t(
2822 kauth_cred_t cred,
2823 struct pseminfo *ps,
2824 struct label *semlabel
2825);
2826/**
2827 @brief Create a POSIX semaphore label
2828 @param cred Subject credential
2829 @param ps Pointer to semaphore information structure
2830 @param semlabel Label to associate with the new semaphore
2831 @param name String name of the semaphore
2832
2833 Label a new POSIX semaphore. The label was previously
2834 initialized and associated with the semaphore. At this time, an
2835 appropriate initial label value should be assigned to the object and
2836 stored in semalabel.
2837*/
2838typedef void mpo_posixsem_label_associate_t(
2839 kauth_cred_t cred,
2840 struct pseminfo *ps,
2841 struct label *semlabel,
2842 const char *name
2843);
2844/**
2845 @brief Destroy POSIX semaphore label
2846 @param label The label to be destroyed
2847
2848 Destroy a POSIX semaphore label. Since the object is
2849 going out of scope, policy modules should free any internal storage
2850 associated with the label so that it may be destroyed.
2851*/
2852typedef void mpo_posixsem_label_destroy_t(
2853 struct label *label
2854);
2855/**
2856 @brief Initialize POSIX semaphore label
2857 @param label New label to initialize
2858
2859 Initialize the label for a newly instantiated POSIX semaphore. Sleeping
2860 is permitted.
2861*/
2862typedef void mpo_posixsem_label_init_t(
2863 struct label *label
2864);
2865/**
2866 @brief Access control check for POSIX shared memory region create
2867 @param cred Subject credential
2868 @param name String name of the shared memory region
2869
2870 Determine whether the subject identified by the credential can create
2871 the POSIX shared memory region referenced by name.
2872
2873 @return Return 0 if access is granted, otherwise an appropriate value for
2874 errno should be returned.
2875*/
2876typedef int mpo_posixshm_check_create_t(
2877 kauth_cred_t cred,
2878 const char *name
2879);
2880/**
2881 @brief Access control check for mapping POSIX shared memory
2882 @param cred Subject credential
2883 @param ps Pointer to shared memory information structure
2884 @param shmlabel Label associated with the shared memory region
2885 @param prot mmap protections; see mmap(2)
2886 @param flags shmat flags; see shmat(2)
2887
2888 Determine whether the subject identified by the credential can map
2889 the POSIX shared memory segment associated with shmlabel.
2890
2891 @return Return 0 if access is granted, otherwise an appropriate value for
2892 errno should be returned.
2893*/
2894typedef int mpo_posixshm_check_mmap_t(
2895 kauth_cred_t cred,
2896 struct pshminfo *ps,
2897 struct label *shmlabel,
2898 int prot,
2899 int flags
2900);
2901/**
2902 @brief Access control check for POSIX shared memory region open
2903 @param cred Subject credential
2904 @param ps Pointer to shared memory information structure
2905 @param shmlabel Label associated with the shared memory region
316670eb 2906 @param fflags shm_open(2) open flags ('fflags' encoded)
2d21ac55
A		 2907
2908 Determine whether the subject identified by the credential can open
2909 the POSIX shared memory region.
2910
2911 @return Return 0 if access is granted, otherwise an appropriate value for
2912 errno should be returned.
2913*/
2914typedef int mpo_posixshm_check_open_t(
2915 kauth_cred_t cred,
2916 struct pshminfo *ps,
316670eb
A		 2917 struct label *shmlabel,
2918 int fflags
2d21ac55
A		 2919);
2920/**
2921 @brief Access control check for POSIX shared memory stat
2922 @param cred Subject credential
2923 @param ps Pointer to shared memory information structure
2924 @param shmlabel Label associated with the shared memory region
2925
2926 Determine whether the subject identified by the credential can obtain
2927 status for the POSIX shared memory segment associated with shmlabel.
2928
2929 @return Return 0 if access is granted, otherwise an appropriate value for
2930 errno should be returned.
2931*/
2932typedef int mpo_posixshm_check_stat_t(
2933 kauth_cred_t cred,
2934 struct pshminfo *ps,
2935 struct label *shmlabel
2936);
2937/**
2938 @brief Access control check for POSIX shared memory truncate
2939 @param cred Subject credential
2940 @param ps Pointer to shared memory information structure
2941 @param shmlabel Label associated with the shared memory region
2942 @param len Length to truncate or extend shared memory segment
2943
2944 Determine whether the subject identified by the credential can truncate
2945 or extend (to len) the POSIX shared memory segment associated with shmlabel.
2946
2947 @return Return 0 if access is granted, otherwise an appropriate value for
2948 errno should be returned.
2949*/
2950typedef int mpo_posixshm_check_truncate_t(
2951 kauth_cred_t cred,
2952 struct pshminfo *ps,
2953 struct label *shmlabel,
6d2010ae 2954 off_t len
2d21ac55
A		 2955);
2956/**
2957 @brief Access control check for POSIX shared memory unlink
2958 @param cred Subject credential
2959 @param ps Pointer to shared memory information structure
2960 @param shmlabel Label associated with the shared memory region
2961 @param name String name of the shared memory region
2962
2963 Determine whether the subject identified by the credential can delete
2964 the POSIX shared memory segment associated with shmlabel.
2965
2966 @return Return 0 if access is granted, otherwise an appropriate value for
2967 errno should be returned.
2968*/
2969typedef int mpo_posixshm_check_unlink_t(
2970 kauth_cred_t cred,
2971 struct pshminfo *ps,
2972 struct label *shmlabel,
2973 const char *name
2974);
2975/**
2976 @brief Create a POSIX shared memory region label
2977 @param cred Subject credential
2978 @param ps Pointer to shared memory information structure
2979 @param shmlabel Label to associate with the new shared memory region
2980 @param name String name of the shared memory region
2981
2982 Label a new POSIX shared memory region. The label was previously
2983 initialized and associated with the shared memory region. At this
2984 time, an appropriate initial label value should be assigned to the
2985 object and stored in shmlabel.
2986*/
2987typedef void mpo_posixshm_label_associate_t(
2988 kauth_cred_t cred,
2989 struct pshminfo *ps,
2990 struct label *shmlabel,
2991 const char *name
2992);
2993/**
2994 @brief Destroy POSIX shared memory label
2995 @param label The label to be destroyed
2996
2997 Destroy a POSIX shared memory region label. Since the
2998 object is going out of scope, policy modules should free any
2999 internal storage associated with the label so that it may be
3000 destroyed.
3001*/
3002typedef void mpo_posixshm_label_destroy_t(
3003 struct label *label
3004);
3005/**
3006 @brief Initialize POSIX Shared Memory region label
3007 @param label New label to initialize
3008
3009 Initialize the label for newly a instantiated POSIX Shared Memory
3010 region. Sleeping is permitted.
3011*/
3012typedef void mpo_posixshm_label_init_t(
3013 struct label *label
3014);
6d2010ae
A		 3015/**
3016 @brief Access control check for privileged operations
3017 @param cred Subject credential
3018 @param priv Requested privilege (see sys/priv.h)
3019
3020 Determine whether the subject identified by the credential can perform
3021 a privileged operation. Privileged operations are allowed if the cred
3022 is the superuser or any policy returns zero for mpo_priv_grant, unless
3023 any policy returns nonzero for mpo_priv_check.
3024
3025 @return Return 0 if access is granted, otherwise EPERM should be returned.
3026*/
3027typedef int mpo_priv_check_t(
3028 kauth_cred_t cred,
3029 int priv
3030);
3031/**
3032 @brief Grant regular users the ability to perform privileged operations
3033 @param cred Subject credential
3034 @param priv Requested privilege (see sys/priv.h)
3035
3036 Determine whether the subject identified by the credential should be
3037 allowed to perform a privileged operation that in the absense of any
3038 MAC policy it would not be able to perform. Privileged operations are
3039 allowed if the cred is the superuser or any policy returns zero for
3040 mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check.
3041
3042 Unlike other MAC hooks which can only reduce the privilege of a
3043 credential, this hook raises the privilege of a credential when it
3044 returns 0. Extreme care must be taken when implementing this hook to
3045 avoid undermining the security of the system.
3046
3047 @return Return 0 if additional privilege is granted, otherwise EPERM
3048 should be returned.
3049*/
3050typedef int mpo_priv_grant_t(
3051 kauth_cred_t cred,
3052 int priv
3053);
2d21ac55
A		 3054/**
3055 @brief Access control check for debugging process
3056 @param cred Subject credential
3057 @param proc Object process
3058
3059 Determine whether the subject identified by the credential can debug
3060 the passed process. This call may be made in a number of situations,
3061 including use of the ptrace(2) and ktrace(2) APIs, as well as for some
3062 types of procfs operations.
3063
3064 @return Return 0 if access is granted, otherwise an appropriate value for
3065 errno should be returned. Suggested failure: EACCES for label mismatch,
3066 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
3067*/
3068typedef int mpo_proc_check_debug_t(
3069 kauth_cred_t cred,
3070 struct proc *proc
3071);
3072/**
3073 @brief Access control over fork
3074 @param cred Subject credential
3075 @param proc Subject process trying to fork
3076
3077 Determine whether the subject identified is allowed to fork.
3078
3079 @return Return 0 if access is granted, otherwise an appropriate value for
3080 errno should be returned.
3081*/
3082typedef int mpo_proc_check_fork_t(
3083 kauth_cred_t cred,
3084 struct proc *proc
3085);
d1ecb069
A		 3086/**
3087 @brief Access control over pid_suspend and pid_resume
3088 @param cred Subject credential
3089 @param proc Subject process trying to run pid_suspend or pid_resume
3090 @param sr Call is suspend (0) or resume (1)
3091
3092 Determine whether the subject identified is allowed to suspend or resume
3093 other processes.
3094
3095 @return Return 0 if access is granted, otherwise an appropriate value for
3096 errno should be returned.
3097*/
3098typedef int mpo_proc_check_suspend_resume_t(
3099 kauth_cred_t cred,
3100 struct proc *proc,
3101 int sr
3102);
2d21ac55
A		 3103/**
3104 @brief Access control check for retrieving audit information
3105 @param cred Subject credential
3106
3107 Determine whether the subject identified by the credential can get
3108 audit information such as the audit user ID, the preselection mask,
3109 the terminal ID and the audit session ID, using the getaudit() system call.
3110
3111 @return Return 0 if access is granted, otherwise an appropriate value for
3112 errno should be returned.
3113*/
3114typedef int mpo_proc_check_getaudit_t(
3115 kauth_cred_t cred
3116);
3117/**
3118 @brief Access control check for retrieving audit user ID
3119 @param cred Subject credential
3120
3121 Determine whether the subject identified by the credential can get
3122 the user identity being used by the auditing system, using the getauid()
3123 system call.
3124
3125 @return Return 0 if access is granted, otherwise an appropriate value for
3126 errno should be returned.
3127*/
3128typedef int mpo_proc_check_getauid_t(
3129 kauth_cred_t cred
3130);
3131/**
3132 @brief Access control check for retrieving Login Context ID
3133 @param p0 Calling process
3134 @param p Effected process
3135 @param pid syscall PID argument
3136
3137 Determine if getlcid(2) system call is permitted.
3138
3139 Information returned by this system call is similar to that returned via
3140 process listings etc.
3141
3142 @return Return 0 if access is granted, otherwise an appropriate value for
3143 errno should be returned.
3144*/
3145typedef int mpo_proc_check_getlcid_t(
3146 struct proc *p0,
3147 struct proc *p,
3148 pid_t pid
3149);
316670eb
A		 3150/**
3151 @brief Access control check for retrieving ledger information
3152 @param cred Subject credential
3153 @param target Object process
3154 @param op ledger operation
3155
3156 Determine if ledger(2) system call is permitted.
3157
3158 Information returned by this system call is similar to that returned via
3159 process listings etc.
3160
3161 @return Return 0 if access is granted, otherwise an appropriate value for
3162 errno should be returned.
3163*/
3164typedef int mpo_proc_check_ledger_t(
3165 kauth_cred_t cred,
3166 struct proc *target,
3167 int op
3168);
39236c6e
A		 3169/**
3170 @brief Access control check for escaping default CPU usage monitor parameters.
3171 @param cred Subject credential
3172
3173 Determine if a credential has permission to program CPU usage monitor parameters
3174 that are less restrictive than the global system-wide defaults.
3175
3176 @return Return 0 if access is granted, otherwise an appropriate value for
3177 errno should be returned.
3178*/
3179typedef int mpo_proc_check_cpumon_t(
3180 kauth_cred_t cred
3181);
3182/**
3183 @brief Access control check for retrieving process information.
3184 @param cred Subject credential
3185 @param target Target process (may be null, may be zombie)
3186
3187 Determine if a credential has permission to access process information as defined
3188 by call number and flavor on target process
3189
3190 @return Return 0 if access is granted, otherwise an appropriate value for
3191 errno should be returned.
3192*/
3193typedef int mpo_proc_check_proc_info_t(
3194 kauth_cred_t cred,
3195 struct proc *target,
3196 int callnum,
3197 int flavor
3198);
6d2010ae
A		 3199/**
3200 @brief Access control check for mmap MAP_ANON
3201 @param proc User process requesting the memory
3202 @param cred Subject credential
3203 @param u_addr Start address of the memory range
3204 @param u_size Length address of the memory range
3205 @param prot mmap protections; see mmap(2)
3206 @param flags Type of mapped object; see mmap(2)
3207 @param maxprot Maximum rights
3208
3209 Determine whether the subject identified by the credential should be
3210 allowed to obtain anonymous memory using the specified flags and
3211 protections on the new mapping. MAP_ANON will always be present in the
3212 flags. Certain combinations of flags with a non-NULL addr may
3213 cause a mapping to be rejected before this hook is called. The maxprot field
3214 holds the maximum permissions on the new mapping, a combination of
3215 VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior
3216 access control checks, a policy should only remove flags from maxprot.
3217
3218 @return Return 0 if access is granted, otherwise an appropriate value for
3219 errno should be returned. Suggested failure: EPERM for lack of privilege.
3220*/
3221typedef int mpo_proc_check_map_anon_t(
3222 struct proc *proc,
3223 kauth_cred_t cred,
3224 user_addr_t u_addr,
3225 user_size_t u_size,
3226 int prot,
3227 int flags,
3228 int *maxprot
3229);
2d21ac55
A		 3230/**
3231 @brief Access control check for setting memory protections
3232 @param cred Subject credential
3233 @param proc User process requesting the change
3234 @param addr Start address of the memory range
3235 @param size Length address of the memory range
3236 @param prot Memory protections, see mmap(2)
3237
3238 Determine whether the subject identified by the credential should
3239 be allowed to set the specified memory protections on memory mapped
3240 in the process proc.
3241
3242 @return Return 0 if access is granted, otherwise an appropriate value for
3243 errno should be returned.
3244*/
3245typedef int mpo_proc_check_mprotect_t(
3246 kauth_cred_t cred,
3247 struct proc *proc,
3248 user_addr_t addr,
3249 user_size_t size,
3250 int prot
3251);
3252/**
3253 @brief Access control check for changing scheduling parameters
3254 @param cred Subject credential
3255 @param proc Object process
3256
3257 Determine whether the subject identified by the credential can change
3258 the scheduling parameters of the passed process.
3259
3260 @return Return 0 if access is granted, otherwise an appropriate value for
3261 errno should be returned. Suggested failure: EACCES for label mismatch,
3262 EPERM for lack of privilege, or ESRCH to limit visibility.
3263*/
3264typedef int mpo_proc_check_sched_t(
3265 kauth_cred_t cred,
3266 struct proc *proc
3267);
3268/**
3269 @brief Access control check for setting audit information
3270 @param cred Subject credential
3271 @param ai Audit information
3272
3273 Determine whether the subject identified by the credential can set
3274 audit information such as the the preselection mask, the terminal ID
3275 and the audit session ID, using the setaudit() system call.
3276
3277 @return Return 0 if access is granted, otherwise an appropriate value for
3278 errno should be returned.
3279*/
3280typedef int mpo_proc_check_setaudit_t(
3281 kauth_cred_t cred,
b0d623f7 3282 struct auditinfo_addr *ai
2d21ac55
A		 3283);
3284/**
3285 @brief Access control check for setting audit user ID
3286 @param cred Subject credential
3287 @param auid Audit user ID
3288
3289 Determine whether the subject identified by the credential can set
3290 the user identity used by the auditing system, using the setauid()
3291 system call.
3292
3293 @return Return 0 if access is granted, otherwise an appropriate value for
3294 errno should be returned.
3295*/
3296typedef int mpo_proc_check_setauid_t(
3297 kauth_cred_t cred,
3298 uid_t auid
3299);
3300/**
3301 @brief Access control check for setting the Login Context
3302 @param p0 Calling process
3303 @param p Effected process
3304 @param pid syscall PID argument
3305 @param lcid syscall LCID argument
3306
3307 Determine if setlcid(2) system call is permitted.
3308
3309 See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of
3310 decoding syscall arguments to determine action desired by caller.
3311
3312 Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN
3313
3314 @return Return 0 if access is granted, otherwise an appropriate value for
3315 errno should be returned.
3316*/
3317typedef int mpo_proc_check_setlcid_t(
3318 struct proc *p0,
3319 struct proc *p,
3320 pid_t pid,
3321 pid_t lcid
3322);
3323/**
3324 @brief Access control check for delivering signal
3325 @param cred Subject credential
3326 @param proc Object process
3327 @param signum Signal number; see kill(2)
3328
3329 Determine whether the subject identified by the credential can deliver
3330 the passed signal to the passed process.
3331
3332 @warning Programs typically expect to be able to send and receive
3333 signals as part or their normal process lifecycle; caution should be
3334 exercised when implementing access controls over signal events.
3335
3336 @return Return 0 if access is granted, otherwise an appropriate value for
3337 errno should be returned. Suggested failure: EACCES for label mismatch,
3338 EPERM for lack of privilege, or ESRCH to limit visibility.
3339*/
3340typedef int mpo_proc_check_signal_t(
3341 kauth_cred_t cred,
3342 struct proc *proc,
3343 int signum
3344);
3345/**
3346 @brief Access control check for wait
3347 @param cred Subject credential
3348 @param proc Object process
3349
3350 Determine whether the subject identified by the credential can wait
3351 for process termination.
3352
3353 @warning Caution should be exercised when implementing access
3354 controls for wait, since programs often wait for child processes to
3355 exit. Failure to be notified of a child process terminating may
3356 cause the parent process to hang, or may produce zombie processes.
3357
3358 @return Return 0 if access is granted, otherwise an appropriate value for
3359 errno should be returned.
3360*/
3361typedef int mpo_proc_check_wait_t(
3362 kauth_cred_t cred,
3363 struct proc *proc
3364);
3365/**
3366 @brief Destroy process label
3367 @param label The label to be destroyed
3368
3369 Destroy a process label. Since the object is going
3370 out of scope, policy modules should free any internal storage
3371 associated with the label so that it may be destroyed.
3372*/
3373typedef void mpo_proc_label_destroy_t(
3374 struct label *label
3375);
3376/**
3377 @brief Initialize process label
3378 @param label New label to initialize
3379 @see mpo_cred_label_init_t
3380
3381 Initialize the label for a newly instantiated BSD process structure.
3382 Normally, security policies will store the process label in the user
3383 credential rather than here in the process structure. However,
3384 there are some floating label policies that may need to temporarily
3385 store a label in the process structure until it is safe to update
3386 the user credential label. Sleeping is permitted.
3387*/
3388typedef void mpo_proc_label_init_t(
3389 struct label *label
3390);
3391/**
3392 @brief Access control check for socket accept
3393 @param cred Subject credential
3394 @param socket Object socket
3395 @param socklabel Policy label for socket
3396
3397 Determine whether the subject identified by the credential can accept()
3398 a new connection on the socket from the host specified by addr.
3399
3400 @return Return 0 if access if granted, otherwise an appropriate
3401 value for errno should be returned.
3402*/
3403typedef int mpo_socket_check_accept_t(
3404 kauth_cred_t cred,
3405 socket_t so,
3406 struct label *socklabel
3407);
3408/**
3409 @brief Access control check for a pending socket accept
3410 @param cred Subject credential
3411 @param so Object socket
3412 @param socklabel Policy label for socket
3413 @param addr Address of the listening socket (coming soon)
3414
3415 Determine whether the subject identified by the credential can accept()
3416 a pending connection on the socket from the host specified by addr.
3417
3418 @return Return 0 if access if granted, otherwise an appropriate
3419 value for errno should be returned.
3420*/
3421typedef int mpo_socket_check_accepted_t(
3422 kauth_cred_t cred,
3423 socket_t so,
3424 struct label *socklabel,
3425 struct sockaddr *addr
3426);
3427/**
3428 @brief Access control check for socket bind
3429 @param cred Subject credential
3430 @param so Object socket
3431 @param socklabel Policy label for socket
3432 @param addr Name to assign to the socket
3433
3434 Determine whether the subject identified by the credential can bind()
3435 the name (addr) to the socket.
3436
3437 @return Return 0 if access if granted, otherwise an appropriate
3438 value for errno should be returned.
3439*/
3440typedef int mpo_socket_check_bind_t(
3441 kauth_cred_t cred,
3442 socket_t so,
3443 struct label *socklabel,
3444 struct sockaddr *addr
3445);
3446/**
3447 @brief Access control check for socket connect
3448 @param cred Subject credential
3449 @param so Object socket
3450 @param socklabel Policy label for socket
3451 @param addr Name to assign to the socket
3452
3453 Determine whether the subject identified by the credential can
3454 connect() the passed socket to the remote host specified by addr.
3455
3456 @return Return 0 if access if granted, otherwise an appropriate
3457 value for errno should be returned.
3458*/
3459typedef int mpo_socket_check_connect_t(
3460 kauth_cred_t cred,
3461 socket_t so,
3462 struct label *socklabel,
3463 struct sockaddr *addr
3464);
3465/**
3466 @brief Access control check for socket() system call.
3467 @param cred Subject credential
3468 @param domain communication domain
3469 @param type socket type
3470 @param protocol socket protocol
3471
3472 Determine whether the subject identified by the credential can
3473 make the socket() call.
3474
3475 @return Return 0 if access if granted, otherwise an appropriate
3476 value for errno should be returned.
3477*/
3478typedef int mpo_socket_check_create_t(
3479 kauth_cred_t cred,
3480 int domain,
3481 int type,
3482 int protocol
3483);
3484/**
3485 @brief Access control check for delivering data to a user's receieve queue
3486 @param so The socket data is being delivered to
3487 @param so_label The label of so
3488 @param m The mbuf whose data will be deposited into the receive queue
3489 @param m_label The label of the sender of the data.
3490
3491 A socket has a queue for receiving incoming data. When a packet arrives
3492 on the wire, it eventually gets deposited into this queue, which the
3493 owner of the socket drains when they read from the socket's file descriptor.
3494
3495 This function determines whether the socket can receive data from
3496 the sender specified by m_label.
3497
3498 @warning There is an outstanding design issue surrounding the placement
3499 of this function. The check must be placed either before or after the
3500 TCP sequence and ACK counters are updated. Placing the check before
3501 the counters are updated causes the incoming packet to be resent by
3502 the remote if the check rejects it. Placing the check after the counters
3503 are updated results in a completely silent drop. As far as each TCP stack
3504 is concerned the packet was received, however, the data will not be in the
3505 socket's receive queue. Another consideration is that the current design
3506 requires using the "failed label" occasionally. In that case, on rejection,
3507 we want the remote TCP to resend the data. Because of this, we chose to
3508 place this check before the counters are updated, so rejected packets will be
3509 resent by the remote host.
3510
3511 If a policy keeps rejecting the same packet, eventually the connection will
3512 be dropped. Policies have several options if this design causes problems.
3513 For example, one options is to sanitize the mbuf such that it is acceptable,
3514 then accept it. That may require negotiation between policies as the
3515 Framework will not know to re-check the packet.
3516
3517 The policy must handle NULL MBUF labels. This will likely be the case
3518 for non-local TCP sockets for example.
3519
3520 @return Return 0 if access if granted, otherwise an appropriate
3521 value for errno should be returned.
3522*/
3523typedef int mpo_socket_check_deliver_t(
3524 socket_t so,
3525 struct label *so_label,
3526 struct mbuf *m,
3527 struct label *m_label
3528);
3529/**
3530 @brief Access control check for socket kqfilter
3531 @param cred Subject credential
3532 @param kn Object knote
3533 @param so Object socket
3534 @param socklabel Policy label for socket
3535
3536 Determine whether the subject identified by the credential can
3537 receive the knote on the passed socket.
3538
3539 @return Return 0 if access if granted, otherwise an appropriate
3540 value for errno should be returned.
3541*/
3542typedef int mpo_socket_check_kqfilter_t(
3543 kauth_cred_t cred,
3544 struct knote *kn,
3545 socket_t so,
3546 struct label *socklabel
3547);
3548/**
3549 @brief Access control check for socket relabel
3550 @param cred Subject credential
3551 @param so Object socket
3552 @param so_label The current label of so
3553 @param newlabel The label to be assigned to so
3554
3555 Determine whether the subject identified by the credential can
3556 change the label on the socket.
3557
3558 @return Return 0 if access if granted, otherwise an appropriate
3559 value for errno should be returned.
3560*/
3561typedef int mpo_socket_check_label_update_t(
3562 kauth_cred_t cred,
3563 socket_t so,
3564 struct label *so_label,
3565 struct label *newlabel
3566);
3567/**
3568 @brief Access control check for socket listen
3569 @param cred Subject credential
3570 @param so Object socket
3571 @param socklabel Policy label for socket
3572
3573 Determine whether the subject identified by the credential can
3574 listen() on the passed socket.
3575
3576 @return Return 0 if access if granted, otherwise an appropriate
3577 value for errno should be returned.
3578*/
3579typedef int mpo_socket_check_listen_t(
3580 kauth_cred_t cred,
3581 socket_t so,
3582 struct label *socklabel
3583);
3584/**
3585 @brief Access control check for socket receive
3586 @param cred Subject credential
3587 @param so Object socket
3588 @param socklabel Policy label for socket
3589
3590 Determine whether the subject identified by the credential can
3591 receive data from the socket.
3592
3593 @return Return 0 if access if granted, otherwise an appropriate
3594 value for errno should be returned.
3595*/
3596typedef int mpo_socket_check_receive_t(
3597 kauth_cred_t cred,
3598 socket_t so,
3599 struct label *socklabel
3600);
3601
3602/**
3603 @brief Access control check for socket receive
3604 @param cred Subject credential
3605 @param socket Object socket
3606 @param socklabel Policy label for socket
3607 @param addr Name of the remote socket
3608
3609 Determine whether the subject identified by the credential can
3610 receive data from the remote host specified by addr.
3611
3612 @return Return 0 if access if granted, otherwise an appropriate
3613 value for errno should be returned.
3614*/
3615typedef int mpo_socket_check_received_t(
3616 kauth_cred_t cred,
3617 struct socket *sock,
3618 struct label *socklabel,
3619 struct sockaddr *saddr
3620 );
3621
3622
3623/**
3624 @brief Access control check for socket select
3625 @param cred Subject credential
3626 @param so Object socket
3627 @param socklabel Policy label for socket
3628 @param which The operation selected on: FREAD or FWRITE
3629
3630 Determine whether the subject identified by the credential can use the
3631 socket in a call to select().
3632
3633 @return Return 0 if access if granted, otherwise an appropriate
3634 value for errno should be returned.
3635*/
3636typedef int mpo_socket_check_select_t(
3637 kauth_cred_t cred,
3638 socket_t so,
3639 struct label *socklabel,
3640 int which
3641);
3642/**
3643 @brief Access control check for socket send
3644 @param cred Subject credential
3645 @param so Object socket
3646 @param socklabel Policy label for socket
3647 @param addr Address being sent to
3648
3649 Determine whether the subject identified by the credential can send
3650 data to the socket.
3651
3652 @return Return 0 if access if granted, otherwise an appropriate
3653 value for errno should be returned.
3654*/
3655typedef int mpo_socket_check_send_t(
3656 kauth_cred_t cred,
3657 socket_t so,
3658 struct label *socklabel,
3659 struct sockaddr *addr
3660);
3661/**
3662 @brief Access control check for retrieving socket status
3663 @param cred Subject credential
3664 @param so Object socket
3665 @param socklabel Policy label for so
3666
3667 Determine whether the subject identified by the credential can
3668 execute the stat() system call on the given socket.
3669
3670 @return Return 0 if access if granted, otherwise an appropriate
3671 value for errno should be returned.
3672*/
3673typedef int mpo_socket_check_stat_t(
3674 kauth_cred_t cred,
3675 socket_t so,
3676 struct label *socklabel
3677);
3678/**
3679 @brief Access control check for setting socket options
3680 @param cred Subject credential
3681 @param so Object socket
3682 @param socklabel Policy label for so
3683 @param sopt The options being set
3684
3685 Determine whether the subject identified by the credential can
3686 execute the setsockopt system call on the given socket.
3687
3688 @return Return 0 if access if granted, otherwise an appropriate
3689 value for errno should be returned.
3690*/
3691typedef int mpo_socket_check_setsockopt_t(
3692 kauth_cred_t cred,
3693 socket_t so,
3694 struct label *socklabel,
3695 struct sockopt *sopt
3696);
3697/**
3698 @brief Access control check for getting socket options
3699 @param cred Subject credential
3700 @param so Object socket
3701 @param socklabel Policy label for so
3702 @param sopt The options to get
3703
3704 Determine whether the subject identified by the credential can
3705 execute the getsockopt system call on the given socket.
3706
3707 @return Return 0 if access if granted, otherwise an appropriate
3708 value for errno should be returned.
3709*/
3710typedef int mpo_socket_check_getsockopt_t(
3711 kauth_cred_t cred,
3712 socket_t so,
3713 struct label *socklabel,
3714 struct sockopt *sopt
3715);
3716/**
3717 @brief Label a socket
3718 @param oldsock Listening socket
3719 @param oldlabel Policy label associated with oldsock
3720 @param newsock New socket
3721 @param newlabel Policy label associated with newsock
3722
3723 A new socket is created when a connection is accept(2)ed. This
3724 function labels the new socket based on the existing listen(2)ing
3725 socket.
3726*/
3727typedef void mpo_socket_label_associate_accept_t(
3728 socket_t oldsock,
3729 struct label *oldlabel,
3730 socket_t newsock,
3731 struct label *newlabel
3732);
3733/**
3734 @brief Assign a label to a new socket
3735 @param cred Credential of the owning process
3736 @param so The socket being labeled
3737 @param solabel The label
3738 @warning cred can be NULL
3739
3740 Set the label on a newly created socket from the passed subject
3741 credential. This call is made when a socket is created. The
3742 credentials may be null if the socket is being created by the
3743 kernel.
3744*/
3745typedef void mpo_socket_label_associate_t(
3746 kauth_cred_t cred,
3747 socket_t so,
3748 struct label *solabel
3749);
3750/**
3751 @brief Copy a socket label
3752 @param src Source label
3753 @param dest Destination label
3754
3755 Copy the socket label information in src into dest.
3756*/
3757typedef void mpo_socket_label_copy_t(
3758 struct label *src,
3759 struct label *dest
3760);
3761/**
3762 @brief Destroy socket label
3763 @param label The label to be destroyed
3764
3765 Destroy a socket label. Since the object is going out of
3766 scope, policy modules should free any internal storage associated
3767 with the label so that it may be destroyed.
3768*/
3769typedef void mpo_socket_label_destroy_t(
3770 struct label *label
3771);
3772/**
3773 @brief Externalize a socket label
3774 @param label Label to be externalized
3775 @param element_name Name of the label namespace for which labels should be
3776 externalized
3777 @param sb String buffer to be filled with a text representation of label
3778
3779 Produce an externalized socket label based on the label structure passed.
3780 An externalized label consists of a text representation of the label
3781 contents that can be used with userland applications and read by the
3782 user. If element_name does not match a namespace managed by the policy,
3783 simply return 0. Only return nonzero if an error occurs while externalizing
3784 the label data.
3785
3786 @return In the event of an error, an appropriate value for errno
3787 should be returned, otherwise return 0 upon success.
3788*/
3789typedef int mpo_socket_label_externalize_t(
3790 struct label *label,
3791 char *element_name,
3792 struct sbuf *sb
3793);
3794/**
3795 @brief Initialize socket label
3796 @param label New label to initialize
3797 @param waitok Malloc flags
3798
3799 Initialize the label of a newly instantiated socket. The waitok
3800 field may be one of M_WAITOK and M_NOWAIT, and should be employed to
3801 avoid performing a sleeping malloc(9) during this initialization
3802 call. It it not always safe to sleep during this entry point.
3803
3804 @warning Since it is possible for the waitok flags to be set to
3805 M_NOWAIT, the malloc operation may fail.
3806
3807 @return In the event of an error, an appropriate value for errno
3808 should be returned, otherwise return 0 upon success.
3809*/
3810typedef int mpo_socket_label_init_t(
3811 struct label *label,
3812 int waitok
3813);
3814/**
3815 @brief Internalize a socket label
3816 @param label Label to be filled in
3817 @param element_name Name of the label namespace for which the label should
3818 be internalized
3819 @param element_data Text data to be internalized
3820
3821 Produce an internal socket label structure based on externalized label
3822 data in text format.
3823
3824 The policy's internalize entry points will be called only if the
3825 policy has registered interest in the label namespace.
3826
3827 @return In the event of an error, an appropriate value for errno
3828 should be returned, otherwise return 0 upon success.
3829*/
3830typedef int mpo_socket_label_internalize_t(
3831 struct label *label,
3832 char *element_name,
3833 char *element_data
3834);
3835/**
3836 @brief Relabel socket
3837 @param cred Subject credential
3838 @param so Object; socket
3839 @param so_label Current label of the socket
3840 @param newlabel The label to be assigned to so
3841
3842 The subject identified by the credential has previously requested
3843 and was authorized to relabel the socket; this entry point allows
3844 policies to perform the actual label update operation.
3845
3846 @warning XXX This entry point will likely change in future versions.
3847*/
3848typedef void mpo_socket_label_update_t(
3849 kauth_cred_t cred,
3850 socket_t so,
3851 struct label *so_label,
3852 struct label *newlabel
3853);
3854/**
3855 @brief Set the peer label on a socket from mbuf
3856 @param m Mbuf chain received on socket so
3857 @param m_label Label for m
3858 @param so Current label for the socket
3859 @param so_label Policy label to be filled out for the socket
3860
3861 Set the peer label of a socket based on the label of the sender of the
3862 mbuf.
3863
3864 This is called for every TCP/IP packet received. The first call for a given
3865 socket operates on a newly initialized label, and subsequent calls operate
3866 on existing label data.
3867
3868 @warning Because this can affect performance significantly, it has
3869 different sematics than other 'set' operations. Typically, 'set' operations
3870 operate on newly initialzed labels and policies do not need to worry about
3871 clobbering existing values. In this case, it is too inefficient to
3872 initialize and destroy a label every time data is received for the socket.
3873 Instead, it is up to the policies to determine how to replace the label data.
3874 Most policies should be able to replace the data inline.
3875*/
3876typedef void mpo_socketpeer_label_associate_mbuf_t(
3877 struct mbuf *m,
3878 struct label *m_label,
3879 socket_t so,
3880 struct label *so_label
3881);
3882/**
3883 @brief Set the peer label on a socket from socket
3884 @param source Local socket
3885 @param sourcelabel Policy label for source
3886 @param target Peer socket
3887 @param targetlabel Policy label to fill in for target
3888
3889 Set the peer label on a stream UNIX domain socket from the passed
3890 remote socket endpoint. This call will be made when the socket pair
3891 is connected, and will be made for both endpoints.
3892
3893 Note that this call is only made on connection; it is currently not updated
3894 during communication.
3895*/
3896typedef void mpo_socketpeer_label_associate_socket_t(
3897 socket_t source,
3898 struct label *sourcelabel,
3899 socket_t target,
3900 struct label *targetlabel
3901);
3902/**
3903 @brief Destroy socket peer label
3904 @param label The peer label to be destroyed
3905
3906 Destroy a socket peer label. Since the object is going out of
3907 scope, policy modules should free any internal storage associated
3908 with the label so that it may be destroyed.
3909*/
3910typedef void mpo_socketpeer_label_destroy_t(
3911 struct label *label
3912);
3913/**
3914 @brief Externalize a socket peer label
3915 @param label Label to be externalized
3916 @param element_name Name of the label namespace for which labels should be
3917 externalized
3918 @param sb String buffer to be filled with a text representation of label
3919
3920 Produce an externalized socket peer label based on the label structure
3921 passed. An externalized label consists of a text representation of the
3922 label contents that can be used with userland applications and read by the
3923 user. If element_name does not match a namespace managed by the policy,
3924 simply return 0. Only return nonzero if an error occurs while externalizing
3925 the label data.
3926
3927 @return In the event of an error, an appropriate value for errno
3928 should be returned, otherwise return 0 upon success.
3929*/
3930typedef int mpo_socketpeer_label_externalize_t(
3931 struct label *label,
3932 char *element_name,
3933 struct sbuf *sb
3934);
3935/**
3936 @brief Initialize socket peer label
3937 @param label New label to initialize
3938 @param waitok Malloc flags
3939
3940 Initialize the peer label of a newly instantiated socket. The
3941 waitok field may be one of M_WAITOK and M_NOWAIT, and should be
3942 employed to avoid performing a sleeping malloc(9) during this
3943 initialization call. It it not always safe to sleep during this
3944 entry point.
3945
3946 @warning Since it is possible for the waitok flags to be set to
3947 M_NOWAIT, the malloc operation may fail.
3948
3949 @return In the event of an error, an appropriate value for errno
3950 should be returned, otherwise return 0 upon success.
3951*/
3952typedef int mpo_socketpeer_label_init_t(
3953 struct label *label,
3954 int waitok
3955);
3956/**
3957 @brief Access control check for enabling accounting
3958 @param cred Subject credential
3959 @param vp Accounting file
3960 @param vlabel Label associated with vp
3961
3962 Determine whether the subject should be allowed to enable accounting,
3963 based on its label and the label of the accounting log file. See
3964 acct(5) for more information.
3965
3966 As accounting is disabled by passing NULL to the acct(2) system call,
3967 the policy should be prepared for both 'vp' and 'vlabel' to be NULL.
3968
3969 @return Return 0 if access is granted, otherwise an appropriate value for
3970 errno should be returned.
3971*/
3972typedef int mpo_system_check_acct_t(
3973 kauth_cred_t cred,
3974 struct vnode *vp,
3975 struct label *vlabel
3976);
3977/**
3978 @brief Access control check for audit
3979 @param cred Subject credential
3980 @param record Audit record
3981 @param length Audit record length
3982
3983 Determine whether the subject identified by the credential can submit
3984 an audit record for inclusion in the audit log via the audit() system call.
3985
3986 @return Return 0 if access is granted, otherwise an appropriate value for
3987 errno should be returned.
3988*/
3989typedef int mpo_system_check_audit_t(
3990 kauth_cred_t cred,
3991 void *record,
3992 int length
3993);
3994/**
3995 @brief Access control check for controlling audit
3996 @param cred Subject credential
3997 @param vp Audit file
3998 @param vl Label associated with vp
3999
4000 Determine whether the subject should be allowed to enable auditing using
4001 the auditctl() system call, based on its label and the label of the proposed
4002 audit file.
4003
4004 @return Return 0 if access is granted, otherwise an appropriate value for
4005 errno should be returned.
4006*/
4007typedef int mpo_system_check_auditctl_t(
4008 kauth_cred_t cred,
4009 struct vnode *vp,
4010 struct label *vl
4011);
4012/**
4013 @brief Access control check for manipulating auditing
4014 @param cred Subject credential
4015 @param cmd Audit control command
4016
4017 Determine whether the subject identified by the credential can perform
4018 the audit subsystem control operation cmd via the auditon() system call.
4019
4020 @return Return 0 if access is granted, otherwise an appropriate value for
4021 errno should be returned.
4022*/
4023typedef int mpo_system_check_auditon_t(
4024 kauth_cred_t cred,
4025 int cmd
4026);
6d2010ae
A		 4027/**
4028 @brief Access control check for using CHUD facilities
4029 @param cred Subject credential
4030
4031 Determine whether the subject identified by the credential can perform
4032 performance-related tasks using the CHUD system call.
4033
4034 @return Return 0 if access is granted, otherwise an appropriate value for
4035 errno should be returned.
4036*/
4037typedef int mpo_system_check_chud_t(
4038 kauth_cred_t cred
4039);
2d21ac55
A		 4040/**
4041 @brief Access control check for obtaining the host control port
4042 @param cred Subject credential
4043
4044 Determine whether the subject identified by the credential can
4045 obtain the host control port.
4046
4047 @return Return 0 if access is granted, or non-zero otherwise.
4048*/
4049typedef int mpo_system_check_host_priv_t(
4050 kauth_cred_t cred
4051);
39236c6e
A		 4052/**
4053 @brief Access control check for obtaining system information
4054 @param cred Subject credential
4055 @param info_type A description of the information requested
4056
4057 Determine whether the subject identified by the credential should be
4058 allowed to obtain information about the system.
4059
4060 This is a generic hook that can be used in a variety of situations where
4061 information is being returned that might be considered sensitive.
4062 Rather than adding a new MAC hook for every such interface, this hook can
4063 be called with a string identifying the type of information requested.
4064
4065 @return Return 0 if access is granted, otherwise an appropriate value for
4066 errno should be returned.
4067*/
4068typedef int mpo_system_check_info_t(
4069 kauth_cred_t cred,
4070 const char *info_type
4071);
2d21ac55
A		 4072/**
4073 @brief Access control check for calling NFS services
4074 @param cred Subject credential
4075
4076 Determine whether the subject identified by the credential should be
4077 allowed to call nfssrv(2).
4078
4079 @return Return 0 if access is granted, otherwise an appropriate value for
4080 errno should be returned.
4081*/
4082typedef int mpo_system_check_nfsd_t(
4083 kauth_cred_t cred
4084);
4085/**
4086 @brief Access control check for reboot
4087 @param cred Subject credential
4088 @param howto howto parameter from reboot(2)
4089
4090 Determine whether the subject identified by the credential should be
4091 allowed to reboot the system in the specified manner.
4092
4093 @return Return 0 if access is granted, otherwise an appropriate value for
4094 errno should be returned.
4095*/
4096typedef int mpo_system_check_reboot_t(
4097 kauth_cred_t cred,
4098 int howto
4099);
4100/**
4101 @brief Access control check for setting system clock
4102 @param cred Subject credential
4103
4104 Determine whether the subject identified by the credential should be
4105 allowed to set the system clock.
4106
4107 @return Return 0 if access is granted, otherwise an appropriate value for
4108 errno should be returned.
4109*/
4110typedef int mpo_system_check_settime_t(
4111 kauth_cred_t cred
4112);
4113/**
4114 @brief Access control check for removing swap devices
4115 @param cred Subject credential
4116 @param vp Swap device
4117 @param label Label associated with vp
4118
4119 Determine whether the subject identified by the credential should be
4120 allowed to remove vp as a swap device.
4121
4122 @return Return 0 if access is granted, otherwise an appropriate value for
4123 errno should be returned.
4124*/
4125typedef int mpo_system_check_swapoff_t(
4126 kauth_cred_t cred,
4127 struct vnode *vp,
4128 struct label *label
4129);
4130/**
4131 @brief Access control check for adding swap devices
4132 @param cred Subject credential
4133 @param vp Swap device
4134 @param label Label associated with vp
4135
4136 Determine whether the subject identified by the credential should be
4137 allowed to add vp as a swap device.
4138
4139 @return Return 0 if access is granted, otherwise an appropriate value for
4140 errno should be returned.
4141*/
4142typedef int mpo_system_check_swapon_t(
4143 kauth_cred_t cred,
4144 struct vnode *vp,
4145 struct label *label
4146);
4147/**
4148 @brief Access control check for sysctl
4149 @param cred Subject credential
4150 @param name Integer name; see sysctl(3)
4151 @param namelen Length of name array of integers; see sysctl(3)
4152 @param old 0 or address where to store old value; see sysctl(3)
4153 @param oldlenp Pointer to length of old buffer; see sysctl(3)
4154 @param inkernel Boolean; 1 if called from kernel
4155 @param newvalue 0 or address of new value; see sysctl(3)
4156 @param newlen Length of new buffer; see sysctl(3)
4157
4158 Determine whether the subject identified by the credential should be
4159 allowed to make the specified sysctl(3) transaction.
4160
4161 The sysctl(3) call specifies that if the old value is not desired,
4162 oldp and oldlenp should be set to NULL. Likewise, if a new value is
4163 not to be set, newp should be set to NULL and newlen set to 0.
4164
4165 @return Return 0 if access is granted, otherwise an appropriate value for
4166 errno should be returned.
4167*/
4168typedef int mpo_system_check_sysctl_t(
4169 kauth_cred_t cred,
4170 int *name,
4171 u_int namelen,
4172 user_addr_t old, /* NULLOK */
4173 user_addr_t oldlenp, /* NULLOK */
4174 int inkernel,
4175 user_addr_t newvalue, /* NULLOK */
4176 size_t newlen
4177);
316670eb
A		 4178/**
4179 @brief Access control check for kas_info
4180 @param cred Subject credential
4181 @param selector Category of information to return. See kas_info.h
4182
4183 Determine whether the subject identified by the credential can perform
4184 introspection of the kernel address space layout for
4185 debugging/performance analysis.
4186
4187 @return Return 0 if access is granted, otherwise an appropriate value for
4188 errno should be returned.
4189*/
4190typedef int mpo_system_check_kas_info_t(
4191 kauth_cred_t cred,
4192 int selector
4193);
2d21ac55
A		 4194/**
4195 @brief Create a System V message label
4196 @param cred Subject credential
4197 @param msqkptr The message queue the message will be placed in
4198 @param msqlabel The label of the message queue
4199 @param msgptr The message
4200 @param msglabel The label of the message
4201
4202 Label the message as its placed in the message queue.
4203*/
4204typedef void mpo_sysvmsg_label_associate_t(
4205 kauth_cred_t cred,
4206 struct msqid_kernel *msqptr,
4207 struct label *msqlabel,
4208 struct msg *msgptr,
4209 struct label *msglabel
4210);
4211/**
4212 @brief Destroy System V message label
4213 @param label The label to be destroyed
4214
4215 Destroy a System V message label. Since the object is
4216 going out of scope, policy modules should free any internal storage
4217 associated with the label so that it may be destroyed.
4218*/
4219typedef void mpo_sysvmsg_label_destroy_t(
4220 struct label *label
4221);
4222/**
4223 @brief Initialize System V message label
4224 @param label New label to initialize
4225
4226 Initialize the label for a newly instantiated System V message.
4227*/
4228typedef void mpo_sysvmsg_label_init_t(
4229 struct label *label
4230);
4231/**
4232 @brief Clean up a System V message label
4233 @param label The label to be destroyed
4234
4235 Clean up a System V message label. Darwin pre-allocates
4236 messages at system boot time and re-uses them rather than
4237 allocating new ones. Before messages are returned to the "free
4238 pool", policies can cleanup or overwrite any information present in
4239 the label.
4240*/
4241typedef void mpo_sysvmsg_label_recycle_t(
4242 struct label *label
4243);
4244/**
4245 @brief Access control check for System V message enqueuing
4246 @param cred Subject credential
4247 @param msgptr The message
4248 @param msglabel The message's label
4249 @param msqkptr The message queue
4250 @param msqlabel The message queue's label
4251
4252 Determine whether the subject identified by the credential can add the
4253 given message to the given message queue.
4254
4255 @return Return 0 if access is granted, otherwise an appropriate value for
4256 errno should be returned.
4257*/
4258typedef int mpo_sysvmsq_check_enqueue_t(
4259 kauth_cred_t cred,
4260 struct msg *msgptr,
4261 struct label *msglabel,
4262 struct msqid_kernel *msqptr,
4263 struct label *msqlabel
4264);
4265/**
4266 @brief Access control check for System V message reception
4267 @param cred The credential of the intended recipient
4268 @param msgptr The message
4269 @param msglabel The message's label
4270
4271 Determine whether the subject identified by the credential can receive
4272 the given message.
4273
4274 @return Return 0 if access is granted, otherwise an appropriate value for
4275 errno should be returned.
4276*/
4277typedef int mpo_sysvmsq_check_msgrcv_t(
4278 kauth_cred_t cred,
4279 struct msg *msgptr,
4280 struct label *msglabel
4281);
4282/**
4283 @brief Access control check for System V message queue removal
4284 @param cred The credential of the caller
4285 @param msgptr The message
4286 @param msglabel The message's label
4287
4288 System V message queues are removed using the msgctl() system call.
4289 The system will iterate over each messsage in the queue, calling this
4290 function for each, to determine whether the caller has the appropriate
4291 credentials.
4292
4293 @return Return 0 if access is granted, otherwise an appropriate value for
4294 errno should be returned.
4295*/
4296typedef int mpo_sysvmsq_check_msgrmid_t(
4297 kauth_cred_t cred,
4298 struct msg *msgptr,
4299 struct label *msglabel
4300);
4301/**
4302 @brief Access control check for msgctl()
4303 @param cred The credential of the caller
4304 @param msqptr The message queue
4305 @param msqlabel The message queue's label
4306
4307 This access check is performed to validate calls to msgctl().
4308
4309 @return Return 0 if access is granted, otherwise an appropriate value for
4310 errno should be returned.
4311*/
4312typedef int mpo_sysvmsq_check_msqctl_t(
4313 kauth_cred_t cred,
4314 struct msqid_kernel *msqptr,
4315 struct label *msqlabel,
4316 int cmd
4317);
4318/**
4319 @brief Access control check to get a System V message queue
4320 @param cred The credential of the caller
4321 @param msqptr The message queue requested
4322 @param msqlabel The message queue's label
4323
4324 On a call to msgget(), if the queue requested already exists,
4325 and it is a public queue, this check will be performed before the
4326 queue's ID is returned to the user.
4327
4328 @return Return 0 if access is granted, otherwise an appropriate value for
4329 errno should be returned.
4330*/
4331typedef int mpo_sysvmsq_check_msqget_t(
4332 kauth_cred_t cred,
4333 struct msqid_kernel *msqptr,
4334 struct label *msqlabel
4335);
4336/**
4337 @brief Access control check to receive a System V message from the given queue
4338 @param cred The credential of the caller
4339 @param msqptr The message queue to receive from
4340 @param msqlabel The message queue's label
4341
4342 On a call to msgrcv(), this check is performed to determine whether the
4343 caller has receive rights on the given queue.
4344
4345 @return Return 0 if access is granted, otherwise an appropriate value for
4346 errno should be returned.
4347*/
4348typedef int mpo_sysvmsq_check_msqrcv_t(
4349 kauth_cred_t cred,
4350 struct msqid_kernel *msqptr,
4351 struct label *msqlabel
4352);
4353/**
4354 @brief Access control check to send a System V message to the given queue
4355 @param cred The credential of the caller
4356 @param msqptr The message queue to send to
4357 @param msqlabel The message queue's label
4358
4359 On a call to msgsnd(), this check is performed to determine whether the
4360 caller has send rights on the given queue.
4361
4362 @return Return 0 if access is granted, otherwise an appropriate value for
4363 errno should be returned.
4364*/
4365typedef int mpo_sysvmsq_check_msqsnd_t(
4366 kauth_cred_t cred,
4367 struct msqid_kernel *msqptr,
4368 struct label *msqlabel
4369);
4370/**
4371 @brief Create a System V message queue label
4372 @param cred Subject credential
4373 @param msqkptr The message queue
4374 @param msqlabel The label of the message queue
4375
4376*/
4377typedef void mpo_sysvmsq_label_associate_t(
4378 kauth_cred_t cred,
4379 struct msqid_kernel *msqptr,
4380 struct label *msqlabel
4381);
4382/**
4383 @brief Destroy System V message queue label
4384 @param label The label to be destroyed
4385
4386 Destroy a System V message queue label. Since the object is
4387 going out of scope, policy modules should free any internal storage
4388 associated with the label so that it may be destroyed.
4389*/
4390typedef void mpo_sysvmsq_label_destroy_t(
4391 struct label *label
4392);
4393/**
4394 @brief Initialize System V message queue label
4395 @param label New label to initialize
4396
4397 Initialize the label for a newly instantiated System V message queue.
4398*/
4399typedef void mpo_sysvmsq_label_init_t(
4400 struct label *label
4401);
4402/**
4403 @brief Clean up a System V message queue label
4404 @param label The label to be destroyed
4405
4406 Clean up a System V message queue label. Darwin pre-allocates
4407 message queues at system boot time and re-uses them rather than
4408 allocating new ones. Before message queues are returned to the "free
4409 pool", policies can cleanup or overwrite any information present in
4410 the label.
4411*/
4412typedef void mpo_sysvmsq_label_recycle_t(
4413 struct label *label
4414);
4415/**
4416 @brief Access control check for System V semaphore control operation
4417 @param cred Subject credential
4418 @param semakptr Pointer to semaphore identifier
4419 @param semaklabel Label associated with semaphore
4420 @param cmd Control operation to be performed; see semctl(2)
4421
4422 Determine whether the subject identified by the credential can perform
4423 the operation indicated by cmd on the System V semaphore semakptr.
4424
4425 @return Return 0 if access is granted, otherwise an appropriate value for
4426 errno should be returned.
4427*/
4428typedef int mpo_sysvsem_check_semctl_t(
4429 kauth_cred_t cred,
4430 struct semid_kernel *semakptr,
4431 struct label *semaklabel,
4432 int cmd
4433);
4434/**
4435 @brief Access control check for obtaining a System V semaphore
4436 @param cred Subject credential
4437 @param semakptr Pointer to semaphore identifier
4438 @param semaklabel Label to associate with the semaphore
4439
4440 Determine whether the subject identified by the credential can
4441 obtain a System V semaphore.
4442
4443 @return Return 0 if access is granted, otherwise an appropriate value for
4444 errno should be returned.
4445*/
4446typedef int mpo_sysvsem_check_semget_t(
4447 kauth_cred_t cred,
4448 struct semid_kernel *semakptr,
4449 struct label *semaklabel
4450);
4451/**
4452 @brief Access control check for System V semaphore operations
4453 @param cred Subject credential
4454 @param semakptr Pointer to semaphore identifier
4455 @param semaklabel Label associated with the semaphore
4456 @param accesstype Flags to indicate access (read and/or write)
4457
4458 Determine whether the subject identified by the credential can
4459 perform the operations on the System V semaphore indicated by
4460 semakptr. The accesstype flags hold the maximum set of permissions
4461 from the sem_op array passed to the semop system call. It may
4462 contain SEM_R for read-only operations or SEM_A for read/write
4463 operations.
4464
4465 @return Return 0 if access is granted, otherwise an appropriate value for
4466 errno should be returned.
4467*/
4468typedef int mpo_sysvsem_check_semop_t(
4469 kauth_cred_t cred,
4470 struct semid_kernel *semakptr,
4471 struct label *semaklabel,
4472 size_t accesstype
4473);
4474/**
4475 @brief Create a System V semaphore label
4476 @param cred Subject credential
4477 @param semakptr The semaphore being created
4478 @param semalabel Label to associate with the new semaphore
4479
4480 Label a new System V semaphore. The label was previously
4481 initialized and associated with the semaphore. At this time, an
4482 appropriate initial label value should be assigned to the object and
4483 stored in semalabel.
4484*/
4485typedef void mpo_sysvsem_label_associate_t(
4486 kauth_cred_t cred,
4487 struct semid_kernel *semakptr,
4488 struct label *semalabel
4489);
4490/**
4491 @brief Destroy System V semaphore label
4492 @param label The label to be destroyed
4493
4494 Destroy a System V semaphore label. Since the object is
4495 going out of scope, policy modules should free any internal storage
4496 associated with the label so that it may be destroyed.
4497*/
4498typedef void mpo_sysvsem_label_destroy_t(
4499 struct label *label
4500);
4501/**
4502 @brief Initialize System V semaphore label
4503 @param label New label to initialize
4504
4505 Initialize the label for a newly instantiated System V semaphore. Sleeping
4506 is permitted.
4507*/
4508typedef void mpo_sysvsem_label_init_t(
4509 struct label *label
4510);
4511/**
4512 @brief Clean up a System V semaphore label
4513 @param label The label to be cleaned
4514
4515 Clean up a System V semaphore label. Darwin pre-allocates
4516 semaphores at system boot time and re-uses them rather than
4517 allocating new ones. Before semaphores are returned to the "free
4518 pool", policies can cleanup or overwrite any information present in
4519 the label.
4520*/
4521typedef void mpo_sysvsem_label_recycle_t(
4522 struct label *label
4523);
4524/**
4525 @brief Access control check for mapping System V shared memory
4526 @param cred Subject credential
4527 @param shmsegptr Pointer to shared memory segment identifier
4528 @param shmseglabel Label associated with the shared memory segment
4529 @param shmflg shmat flags; see shmat(2)
4530
4531 Determine whether the subject identified by the credential can map
4532 the System V shared memory segment associated with shmsegptr.
4533
4534 @return Return 0 if access is granted, otherwise an appropriate value for
4535 errno should be returned.
4536*/
4537typedef int mpo_sysvshm_check_shmat_t(
4538 kauth_cred_t cred,
4539 struct shmid_kernel *shmsegptr,
4540 struct label *shmseglabel,
4541 int shmflg
4542);
4543/**
4544 @brief Access control check for System V shared memory control operation
4545 @param cred Subject credential
4546 @param shmsegptr Pointer to shared memory segment identifier
4547 @param shmseglabel Label associated with the shared memory segment
4548 @param cmd Control operation to be performed; see shmctl(2)
4549
4550 Determine whether the subject identified by the credential can perform
4551 the operation indicated by cmd on the System V shared memory segment
4552 shmsegptr.
4553
4554 @return Return 0 if access is granted, otherwise an appropriate value for
4555 errno should be returned.
4556*/
4557typedef int mpo_sysvshm_check_shmctl_t(
4558 kauth_cred_t cred,
4559 struct shmid_kernel *shmsegptr,
4560 struct label *shmseglabel,
4561 int cmd
4562);
4563/**
4564 @brief Access control check for unmapping System V shared memory
4565 @param cred Subject credential
4566 @param shmsegptr Pointer to shared memory segment identifier
4567 @param shmseglabel Label associated with the shared memory segment
4568
4569 Determine whether the subject identified by the credential can unmap
4570 the System V shared memory segment associated with shmsegptr.
4571
4572 @return Return 0 if access is granted, otherwise an appropriate value for
4573 errno should be returned.
4574*/
4575typedef int mpo_sysvshm_check_shmdt_t(
4576 kauth_cred_t cred,
4577 struct shmid_kernel *shmsegptr,
4578 struct label *shmseglabel
4579);
4580/**
4581 @brief Access control check obtaining System V shared memory identifier
4582 @param cred Subject credential
4583 @param shmsegptr Pointer to shared memory segment identifier
4584 @param shmseglabel Label associated with the shared memory segment
4585 @param shmflg shmget flags; see shmget(2)
4586
4587 Determine whether the subject identified by the credential can get
4588 the System V shared memory segment address.
4589
4590 @return Return 0 if access is granted, otherwise an appropriate value for
4591 errno should be returned.
4592*/
4593typedef int mpo_sysvshm_check_shmget_t(
4594 kauth_cred_t cred,
4595 struct shmid_kernel *shmsegptr,
4596 struct label *shmseglabel,
4597 int shmflg
4598);
4599/**
4600 @brief Create a System V shared memory region label
4601 @param cred Subject credential
4602 @param shmsegptr The shared memory region being created
4603 @param shmlabel Label to associate with the new shared memory region
4604
4605 Label a new System V shared memory region. The label was previously
4606 initialized and associated with the shared memory region. At this
4607 time, an appropriate initial label value should be assigned to the
4608 object and stored in shmlabel.
4609*/
4610typedef void mpo_sysvshm_label_associate_t(
4611 kauth_cred_t cred,
4612 struct shmid_kernel *shmsegptr,
4613 struct label *shmlabel
4614);
4615/**
4616 @brief Destroy System V shared memory label
4617 @param label The label to be destroyed
4618
4619 Destroy a System V shared memory region label. Since the
4620 object is going out of scope, policy modules should free any
4621 internal storage associated with the label so that it may be
4622 destroyed.
4623*/
4624typedef void mpo_sysvshm_label_destroy_t(
4625 struct label *label
4626);
4627/**
4628 @brief Initialize System V Shared Memory region label
4629 @param label New label to initialize
4630
4631 Initialize the label for a newly instantiated System V Shared Memory
4632 region. Sleeping is permitted.
4633*/
4634typedef void mpo_sysvshm_label_init_t(
4635 struct label *label
4636);
4637/**
4638 @brief Clean up a System V Share Memory Region label
4639 @param shmlabel The label to be cleaned
4640
4641 Clean up a System V Shared Memory Region label. Darwin
4642 pre-allocates these objects at system boot time and re-uses them
4643 rather than allocating new ones. Before the memory regions are
4644 returned to the "free pool", policies can cleanup or overwrite any
4645 information present in the label.
4646*/
4647typedef void mpo_sysvshm_label_recycle_t(
4648 struct label *shmlabel
4649);
4650/**
4651 @brief Access control check for getting a process's task name
4652 @param cred Subject credential
4653 @param proc Object process
4654
4655 Determine whether the subject identified by the credential can get
4656 the passed process's task name port.
4657 This call is used by the task_name_for_pid(2) API.
4658
4659 @return Return 0 if access is granted, otherwise an appropriate value for
4660 errno should be returned. Suggested failure: EACCES for label mismatch,
4661 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4662*/
4663typedef int mpo_proc_check_get_task_name_t(
4664 kauth_cred_t cred,
4665 struct proc *p
4666);
4667/**
4668 @brief Access control check for getting a process's task port
4669 @param cred Subject credential
4670 @param proc Object process
4671
4672 Determine whether the subject identified by the credential can get
4673 the passed process's task control port.
4674 This call is used by the task_for_pid(2) API.
4675
4676 @return Return 0 if access is granted, otherwise an appropriate value for
4677 errno should be returned. Suggested failure: EACCES for label mismatch,
4678 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4679*/
4680typedef int mpo_proc_check_get_task_t(
4681 kauth_cred_t cred,
4682 struct proc *p
4683);
593a1d5f 4684/**
b0d623f7 4685 @brief Privilege check for a process to run invalid
593a1d5f
A		 4686 @param proc Object process
4687
b0d623f7
A		 4688 Determine whether the process may execute even though the system determined
4689 that it is untrusted (eg unidentified / modified code).
593a1d5f
A		 4690
4691 @return Return 0 if access is granted, otherwise an appropriate value for
4692 errno should be returned.
4693 */
b0d623f7 4694typedef int mac_proc_check_run_cs_invalid_t(
593a1d5f
A		 4695 struct proc *p
4696);
4697
4698
2d21ac55
A		 4699/**
4700 @brief Assign a label to a new kernelspace Mach task
4701 @param kproc New task
4702 @param tasklabel Label for new task
4703 @param portlabel Label for new task port
4704 @see mpo_cred_label_associate_kernel_t
4705
4706 Assign labels to a new kernel task and its task port. Both the task and
4707 task port labels should be specified. Both new labels are initialized.
4708 If there is an associated BSD process structure, it will be labelled
4709 with calls to mpo_cred_label_associate_kernel.
4710*/
4711typedef void mpo_task_label_associate_kernel_t(
4712 struct task *kproc,
4713 struct label *tasklabel,
4714 struct label *portlabel
4715);
4716/**
4717 @brief Assign a label to a new (userspace) Mach task
4718 @param parent Parent task
4719 @param child New (child) task
4720 @param parentlabel Label of parent task
4721 @param childlabel Label for new task
4722 @param childportlabel Label for new task's task port
4723
4724 Assign labels to a new task and its task port. Both the task and task port
4725 labels should be specified. Both new labels are initialized. If the task
4726 will have an associated BSD process, that information will be made available
4727 by the task_label_update and port_label_update_cred entry points.
4728*/
4729typedef void mpo_task_label_associate_t(
4730 struct task *parent,
4731 struct task *child,
4732 struct label *parentlabel,
4733 struct label *childlabel,
4734 struct label *childportlabel
4735);
4736/**
4737 @brief Copy a Mach task label
4738 @param src Source task label
4739 @param dest Destination task label
4740
4741 Copy the Mach task label information from src to dest. This is used
4742 when duplicating label handles to implement copy-on-write semantics.
4743*/
4744typedef void mpo_task_label_copy_t(
4745 struct label *src,
4746 struct label *dest
4747);
4748/**
4749 @brief Destroy Mach task label
4750 @param label The label to be destroyed
4751
4752 Destroy a Mach task label. Since the object is going out of
4753 scope, policy modules should free any internal storage associated
4754 with the label so that it may be destroyed.
4755*/
4756typedef void mpo_task_label_destroy_t(
4757 struct label *label
4758);
4759/**
4760 @brief Externalize a task label
4761 @param label Label to be externalized
4762 @param element_name Name of the label namespace for which labels should be
4763 externalized
4764 @param sb String buffer to be filled with a text representation of the label
4765
4766 Produce an external representation of the label on a task. An
4767 externalized label consists of a text representation of the label
4768 contents that can be used with user applications. Policy-agnostic
4769 user space tools will display this externalized version.
4770
4771 @return 0 on success, return non-zero if an error occurs while
4772 externalizing the label data.
4773
4774*/
4775typedef int mpo_task_label_externalize_t(
4776 struct label *label,
4777 char *element_name,
4778 struct sbuf *sb
4779);
4780/**
4781 @brief Initialize Mach task label
4782 @param label New label to initialize
4783
4784 Initialize the label for a newly instantiated Mach task. Sleeping
4785 is permitted.
4786*/
4787typedef void mpo_task_label_init_t(
4788 struct label *label
4789);
4790/**
4791 @brief Internalize a task label
4792 @param label Label to be internalized
4793 @param element_name Name of the label namespace for which the label should
4794 be internalized
4795 @param element_data Text data to be internalized
4796
4797 Produce a task label from an external representation. An
4798 externalized label consists of a text representation of the label
4799 contents that can be used with user applications. Policy-agnostic
4800 user space tools will forward text version to the kernel for
4801 processing by individual policy modules.
4802
4803 The policy's internalize entry points will be called only if the
4804 policy has registered interest in the label namespace.
4805
4806 @return 0 on success, Otherwise, return non-zero if an error occurs
4807 while internalizing the label data.
4808
4809*/
4810typedef int mpo_task_label_internalize_t(
4811 struct label *label,
4812 char *element_name,
4813 char *element_data
4814);
4815/**
4816 @brief Update a Mach task label
4817 @param cred User credential label to be used as the source
4818 @param task Mach task label to be used as the destination
4819 @see mpo_cred_label_update_t
4820 @see mpo_cred_label_update_execve_t
4821
4822 Update the label on a Mach task, using the supplied user credential
4823 label. When a mac_cred_label_update_execve or a mac_cred_label_update operation
4824 causes the label on a user credential to change, the Mach task label
4825 also needs to be updated to reflect the change. Both labels are
4826 already valid (initialized and created).
4827
4828 @warning XXX We may change the name of this entry point in a future
4829 version of the MAC framework.
4830*/
4831typedef void mpo_task_label_update_t(
4832 struct label *cred,
4833 struct label *task
4834);
316670eb
A		 4835/**
4836 @brief Perform MAC-related events when a thread returns to user space
4837 @param thread Mach (not BSD) thread that is returning
4838
4839 This entry point permits policy modules to perform MAC-related
4840 events when a thread returns to user space, via a system call
4841 return or trap return.
4842*/
4843typedef void mpo_thread_userret_t(
4844 struct thread *thread
4845);
4846/**
4847 @brief Initialize per thread label
4848 @param label New label to initialize
4849
4850 Initialize the label for a newly instantiated thread.
4851 Sleeping is permitted.
4852*/
4853typedef void mpo_thread_label_init_t(
4854 struct label *label
4855);
4856/**
4857 @brief Destroy thread label
4858 @param label The label to be destroyed
4859
4860 Destroy a user thread label. Since the user thread
4861 is going out of scope, policy modules should free any internal
4862 storage associated with the label so that it may be destroyed.
4863*/
4864typedef void mpo_thread_label_destroy_t(
4865 struct label *label
4866);
2d21ac55
A		 4867/**
4868 @brief Check vnode access
4869 @param cred Subject credential
4870 @param vp Object vnode
4871 @param label Label for vp
4872 @param acc_mode access(2) flags
4873
4874 Determine how invocations of access(2) and related calls by the
4875 subject identified by the credential should return when performed
4876 on the passed vnode using the passed access flags. This should
4877 generally be implemented using the same semantics used in
4878 mpo_vnode_check_open.
4879
4880 @return Return 0 if access is granted, otherwise an appropriate value for
4881 errno should be returned. Suggested failure: EACCES for label mismatch or
4882 EPERM for lack of privilege.
4883*/
4884typedef int mpo_vnode_check_access_t(
4885 kauth_cred_t cred,
4886 struct vnode *vp,
4887 struct label *label,
4888 int acc_mode
4889);
4890/**
4891 @brief Access control check for changing working directory
4892 @param cred Subject credential
4893 @param dvp Object; vnode to chdir(2) into
4894 @param dlabel Policy label for dvp
4895
4896 Determine whether the subject identified by the credential can change
4897 the process working directory to the passed vnode.
4898
4899 @return Return 0 if access is granted, otherwise an appropriate value for
4900 errno should be returned. Suggested failure: EACCES for label mismatch or
4901 EPERM for lack of privilege.
4902*/
4903typedef int mpo_vnode_check_chdir_t(
4904 kauth_cred_t cred,
4905 struct vnode *dvp,
4906 struct label *dlabel
4907);
4908/**
4909 @brief Access control check for changing root directory
4910 @param cred Subject credential
4911 @param dvp Directory vnode
4912 @param dlabel Policy label associated with dvp
4913 @param cnp Component name for dvp
4914
4915 Determine whether the subject identified by the credential should be
4916 allowed to chroot(2) into the specified directory (dvp).
4917
4918 @return In the event of an error, an appropriate value for errno
4919 should be returned, otherwise return 0 upon success.
4920*/
4921typedef int mpo_vnode_check_chroot_t(
4922 kauth_cred_t cred,
4923 struct vnode *dvp,
4924 struct label *dlabel,
4925 struct componentname *cnp
4926);
4927/**
4928 @brief Access control check for creating vnode
4929 @param cred Subject credential
4930 @param dvp Directory vnode
4931 @param dlabel Policy label for dvp
4932 @param cnp Component name for dvp
4933 @param vap vnode attributes for vap
4934
4935 Determine whether the subject identified by the credential can create
4936 a vnode with the passed parent directory, passed name information,
4937 and passed attribute information. This call may be made in a number of
4938 situations, including as a result of calls to open(2) with O_CREAT,
4939 mknod(2), mkfifo(2), and others.
4940
4941 @return Return 0 if access is granted, otherwise an appropriate value for
4942 errno should be returned. Suggested failure: EACCES for label mismatch or
4943 EPERM for lack of privilege.
4944*/
4945typedef int mpo_vnode_check_create_t(
4946 kauth_cred_t cred,
4947 struct vnode *dvp,
4948 struct label *dlabel,
4949 struct componentname *cnp,
4950 struct vnode_attr *vap
4951);
4952/**
4953 @brief Access control check for deleting extended attribute
4954 @param cred Subject credential
4955 @param vp Object vnode
4956 @param vlabel Label associated with vp
4957 @param name Extended attribute name
4958
4959 Determine whether the subject identified by the credential can delete
4960 the extended attribute from the passed vnode.
4961
4962 @return Return 0 if access is granted, otherwise an appropriate value for
4963 errno should be returned. Suggested failure: EACCES for label mismatch or
4964 EPERM for lack of privilege.
4965*/
4966typedef int mpo_vnode_check_deleteextattr_t(
4967 kauth_cred_t cred,
4968 struct vnode *vp,
4969 struct label *vlabel,
4970 const char *name
4971);
4972/**
4973 @brief Access control check for exchanging file data
4974 @param cred Subject credential
4975 @param v1 vnode 1 to swap
4976 @param vl1 Policy label for v1
4977 @param v2 vnode 2 to swap
4978 @param vl2 Policy label for v2
4979
4980 Determine whether the subject identified by the credential can swap the data
4981 in the two supplied vnodes.
4982
4983 @return Return 0 if access is granted, otherwise an appropriate value for
4984 errno should be returned. Suggested failure: EACCES for label mismatch or
4985 EPERM for lack of privilege.
4986*/
4987typedef int mpo_vnode_check_exchangedata_t(
4988 kauth_cred_t cred,
4989 struct vnode *v1,
4990 struct label *vl1,
4991 struct vnode *v2,
4992 struct label *vl2
4993);
4994/**
4995 @brief Access control check for executing the vnode
4996 @param cred Subject credential
4997 @param vp Object vnode to execute
4998 @param label Policy label for vp
4999 @param execlabel Userspace provided execution label
5000 @param cnp Component name for file being executed
39236c6e
A		 5001 @param macpolicyattr MAC policy-specific spawn attribute data.
5002 @param macpolicyattrlen Length of policy-specific spawn attribute data.
2d21ac55
A		 5003
5004 Determine whether the subject identified by the credential can execute
5005 the passed vnode. Determination of execute privilege is made separately
5006 from decisions about any process label transitioning event.
5007
5008 The final label, execlabel, corresponds to a label supplied by a
5009 user space application through the use of the mac_execve system call.
5010 This label will be NULL if the user application uses the the vendor
5011 execve(2) call instead of the MAC Framework mac_execve() call.
5012
5013 @return Return 0 if access is granted, otherwise an appropriate value for
5014 errno should be returned. Suggested failure: EACCES for label mismatch or
5015 EPERM for lack of privilege.
5016*/
5017typedef int mpo_vnode_check_exec_t(
5018 kauth_cred_t cred,
5019 struct vnode *vp,
5020 struct label *label,
5021 struct label *execlabel, /* NULLOK */
5022 struct componentname *cnp,
39236c6e
A		 5023 u_int *csflags,
5024 void *macpolicyattr,
5025 size_t macpolicyattrlen
2d21ac55 5026);
6d2010ae
A		 5027/**
5028 @brief Access control check for fsgetpath
5029 @param cred Subject credential
5030 @param vp Vnode for which a path will be returned
5031 @param label Label associated with the vnode
5032
5033 Determine whether the subject identified by the credential can get the path
5034 of the given vnode with fsgetpath.
5035
5036 @return Return 0 if access is granted, otherwise an appropriate value for
5037 errno should be returned.
5038*/
5039typedef int mpo_vnode_check_fsgetpath_t(
5040 kauth_cred_t cred,
5041 struct vnode *vp,
5042 struct label *label
5043);
593a1d5f
A		 5044/**
5045 @brief Access control check after determining the code directory hash
5046 */
5047typedef int mpo_vnode_check_signature_t(struct vnode *vp, struct label *label,
39236c6e 5048 off_t macho_offset, unsigned char *sha1, void *signature,
593a1d5f
A		 5049 int size);
5050
2d21ac55
A		 5051/**
5052 @brief Access control check for retrieving file attributes
5053 @param cred Subject credential
5054 @param vp Object vnode
5055 @param vlabel Policy label for vp
5056 @param alist List of attributes to retrieve
5057
5058 Determine whether the subject identified by the credential can read
5059 various attributes of the specified vnode, or the filesystem or volume on
5060 which that vnode resides. See <sys/attr.h> for definitions of the
5061 attributes.
5062
5063 @return Return 0 if access is granted, otherwise an appropriate value for
5064 errno should be returned. Suggested failure: EACCES for label mismatch or
5065 EPERM for lack of privilege. Access control covers all attributes requested
5066 with this call; the security policy is not permitted to change the set of
5067 attributes requested.
5068*/
5069typedef int mpo_vnode_check_getattrlist_t(
5070 kauth_cred_t cred,
5071 struct vnode *vp,
5072 struct label *vlabel,
5073 struct attrlist *alist
5074);
5075/**
5076 @brief Access control check for retrieving an extended attribute
5077 @param cred Subject credential
5078 @param vp Object vnode
5079 @param label Policy label for vp
5080 @param name Extended attribute name
5081 @param uio I/O structure pointer
5082
5083 Determine whether the subject identified by the credential can retrieve
5084 the extended attribute from the passed vnode. The uio parameter
5085 will be NULL when the getxattr(2) call has been made with a NULL data
5086 value; this is done to request the size of the data only.
5087
5088 @return Return 0 if access is granted, otherwise an appropriate value for
5089 errno should be returned. Suggested failure: EACCES for label mismatch or
5090 EPERM for lack of privilege.
5091*/
5092typedef int mpo_vnode_check_getextattr_t(
5093 kauth_cred_t cred,
5094 struct vnode *vp,
5095 struct label *label, /* NULLOK */
5096 const char *name,
5097 struct uio *uio /* NULLOK */
5098);
5099/**
5100 @brief Access control check for ioctl
5101 @param cred Subject credential
5102 @param vp Object vnode
5103 @param label Policy label for vp
5104 @param com Device-dependent request code; see ioctl(2)
5105
5106 Determine whether the subject identified by the credential can perform
5107 the ioctl operation indicated by com.
5108
5109 @warning Since ioctl data is opaque from the standpoint of the MAC
5110 framework, and since ioctls can affect many aspects of system
5111 operation, policies must exercise extreme care when implementing
5112 access control checks.
5113
5114 @return Return 0 if access is granted, otherwise an appropriate value for
5115 errno should be returned.
5116*/
5117typedef int mpo_vnode_check_ioctl_t(
5118 kauth_cred_t cred,
5119 struct vnode *vp,
5120 struct label *label,
5121 unsigned int cmd
5122);
5123/**
5124 @brief Access control check for vnode kqfilter
5125 @param cred Subject credential
5126 @param kn Object knote
5127 @param vp Object vnode
5128 @param label Policy label for vp
5129
5130 Determine whether the subject identified by the credential can
5131 receive the knote on the passed vnode.
5132
5133 @return Return 0 if access if granted, otherwise an appropriate
5134 value for errno should be returned.
5135*/
5136typedef int mpo_vnode_check_kqfilter_t(
5137 kauth_cred_t active_cred,
5138 kauth_cred_t file_cred, /* NULLOK */
5139 struct knote *kn,
5140 struct vnode *vp,
5141 struct label *label
5142);
5143/**
5144 @brief Access control check for relabel
5145 @param cred Subject credential
5146 @param vp Object vnode
5147 @param vnodelabel Existing policy label for vp
5148 @param newlabel Policy label update to later be applied to vp
5149 @see mpo_relable_vnode_t
5150
5151 Determine whether the subject identified by the credential can relabel
5152 the passed vnode to the passed label update. If all policies permit
5153 the label change, the actual relabel entry point (mpo_vnode_label_update)
5154 will follow.
5155
5156 @return Return 0 if access is granted, otherwise an appropriate value for
5157 errno should be returned.
5158*/
5159typedef int mpo_vnode_check_label_update_t(
5160 struct ucred *cred,
5161 struct vnode *vp,
5162 struct label *vnodelabel,
5163 struct label *newlabel
5164);
5165/**
5166 @brief Access control check for creating link
5167 @param cred Subject credential
5168 @param dvp Directory vnode
5169 @param dlabel Policy label associated with dvp
5170 @param vp Link destination vnode
5171 @param label Policy label associated with vp
5172 @param cnp Component name for the link being created
5173
5174 Determine whether the subject identified by the credential should be
5175 allowed to create a link to the vnode vp with the name specified by cnp.
5176
5177 @return Return 0 if access is granted, otherwise an appropriate value for
5178 errno should be returned.
5179*/
5180typedef int mpo_vnode_check_link_t(
5181 kauth_cred_t cred,
5182 struct vnode *dvp,
5183 struct label *dlabel,
5184 struct vnode *vp,
5185 struct label *label,
5186 struct componentname *cnp
5187);
5188/**
5189 @brief Access control check for listing extended attributes
5190 @param cred Subject credential
5191 @param vp Object vnode
5192 @param vlabel Policy label associated with vp
5193
5194 Determine whether the subject identified by the credential can retrieve
5195 a list of named extended attributes from a vnode.
5196
5197 @return Return 0 if access is granted, otherwise an appropriate value for
5198 errno should be returned.
5199*/
5200typedef int mpo_vnode_check_listextattr_t(
5201 kauth_cred_t cred,
5202 struct vnode *vp,
5203 struct label *vlabel
5204);
5205/**
5206 @brief Access control check for lookup
5207 @param cred Subject credential
5208 @param dvp Object vnode
5209 @param dlabel Policy label for dvp
5210 @param cnp Component name being looked up
5211
5212 Determine whether the subject identified by the credential can perform
5213 a lookup in the passed directory vnode for the passed name (cnp).
5214
5215 @return Return 0 if access is granted, otherwise an appropriate value for
5216 errno should be returned. Suggested failure: EACCES for label mismatch or
5217 EPERM for lack of privilege.
5218*/
5219typedef int mpo_vnode_check_lookup_t(
5220 kauth_cred_t cred,
5221 struct vnode *dvp,
5222 struct label *dlabel,
5223 struct componentname *cnp
5224);
5225/**
5226 @brief Access control check for open
5227 @param cred Subject credential
5228 @param vp Object vnode
5229 @param label Policy label associated with vp
5230 @param acc_mode open(2) access mode
5231
5232 Determine whether the subject identified by the credential can perform
5233 an open operation on the passed vnode with the passed access mode.
5234
5235 @return Return 0 if access is granted, otherwise an appropriate value for
5236 errno should be returned. Suggested failure: EACCES for label mismatch or
5237 EPERM for lack of privilege.
5238*/
5239typedef int mpo_vnode_check_open_t(
5240 kauth_cred_t cred,
5241 struct vnode *vp,
5242 struct label *label,
5243 int acc_mode
5244);
5245/**
5246 @brief Access control check for read
5247 @param active_cred Subject credential
5248 @param file_cred Credential associated with the struct fileproc
5249 @param vp Object vnode
5250 @param label Policy label for vp
5251
5252 Determine whether the subject identified by the credential can perform
5253 a read operation on the passed vnode. The active_cred hold the credentials
5254 of the subject performing the operation, and file_cred holds the
5255 credentials of the subject that originally opened the file.
5256
5257 @return Return 0 if access is granted, otherwise an appropriate value for
5258 errno should be returned. Suggested failure: EACCES for label mismatch or
5259 EPERM for lack of privilege.
5260*/
5261typedef int mpo_vnode_check_read_t(
5262 kauth_cred_t active_cred, /* SUBJECT */
5263 kauth_cred_t file_cred, /* NULLOK */
5264 struct vnode *vp, /* OBJECT */
5265 struct label *label /* LABEL */
5266);
5267/**
5268 @brief Access control check for read directory
5269 @param cred Subject credential
5270 @param dvp Object directory vnode
5271 @param dlabel Policy label for dvp
5272
5273 Determine whether the subject identified by the credential can
5274 perform a readdir operation on the passed directory vnode.
5275
5276 @return Return 0 if access is granted, otherwise an appropriate value for
5277 errno should be returned. Suggested failure: EACCES for label mismatch or
5278 EPERM for lack of privilege.
5279*/
5280typedef int mpo_vnode_check_readdir_t(
5281 kauth_cred_t cred, /* SUBJECT */
5282 struct vnode *dvp, /* OBJECT */
5283 struct label *dlabel /* LABEL */
5284);
5285/**
5286 @brief Access control check for read link
5287 @param cred Subject credential
5288 @param vp Object vnode
5289 @param label Policy label for vp
5290
5291 Determine whether the subject identified by the credential can perform
5292 a readlink operation on the passed symlink vnode. This call can be made
5293 in a number of situations, including an explicit readlink call by the
5294 user process, or as a result of an implicit readlink during a name
5295 lookup by the process.
5296
5297 @return Return 0 if access is granted, otherwise an appropriate value for
5298 errno should be returned. Suggested failure: EACCES for label mismatch or
5299 EPERM for lack of privilege.
5300*/
5301typedef int mpo_vnode_check_readlink_t(
5302 kauth_cred_t cred,
5303 struct vnode *vp,
5304 struct label *label
5305);
5306/**
5307 @brief Access control check for rename from
5308 @param cred Subject credential
5309 @param dvp Directory vnode
5310 @param dlabel Policy label associated with dvp
5311 @param vp vnode to be renamed
5312 @param label Policy label associated with vp
5313 @param cnp Component name for vp
5314 @see mpo_vnode_check_rename_to_t
5315
5316 Determine whether the subject identified by the credential should be
5317 allowed to rename the vnode vp to something else.
5318
5319 Due to VFS locking constraints (to make sure proper vnode locks are
5320 held during this entry point), the vnode relabel checks had to be
5321 split into two parts: relabel_from and relabel to.
5322
5323 @return Return 0 if access is granted, otherwise an appropriate value for
5324 errno should be returned.
5325*/
5326typedef int mpo_vnode_check_rename_from_t(
5327 kauth_cred_t cred,
5328 struct vnode *dvp,
5329 struct label *dlabel,
5330 struct vnode *vp,
5331 struct label *label,
5332 struct componentname *cnp
5333);
5334/**
5335 @brief Access control check for rename to
5336 @param cred Subject credential
5337 @param dvp Directory vnode
5338 @param dlabel Policy label associated with dvp
5339 @param vp Overwritten vnode
5340 @param label Policy label associated with vp
5341 @param samedir Boolean; 1 if the source and destination directories are the same
5342 @param cnp Destination component name
5343 @see mpo_vnode_check_rename_from_t
5344
5345 Determine whether the subject identified by the credential should be
5346 allowed to rename to the vnode vp, into the directory dvp, or to the
5347 name represented by cnp. If there is no existing file to overwrite,
5348 vp and label will be NULL.
5349
5350 Due to VFS locking constraints (to make sure proper vnode locks are
5351 held during this entry point), the vnode relabel checks had to be
5352 split into two parts: relabel_from and relabel to.
5353
5354 @return Return 0 if access is granted, otherwise an appropriate value for
5355 errno should be returned.
5356*/
5357typedef int mpo_vnode_check_rename_to_t(
5358 kauth_cred_t cred,
5359 struct vnode *dvp,
5360 struct label *dlabel,
5361 struct vnode *vp, /* NULLOK */
5362 struct label *label, /* NULLOK */
5363 int samedir,
5364 struct componentname *cnp
5365);
5366/**
5367 @brief Access control check for revoke
5368 @param cred Subject credential
5369 @param vp Object vnode
5370 @param label Policy label for vp
5371
5372 Determine whether the subject identified by the credential can revoke
5373 access to the passed vnode.
5374
5375 @return Return 0 if access is granted, otherwise an appropriate value for
5376 errno should be returned. Suggested failure: EACCES for label mismatch or
5377 EPERM for lack of privilege.
5378*/
5379typedef int mpo_vnode_check_revoke_t(
5380 kauth_cred_t cred,
5381 struct vnode *vp,
5382 struct label *label
5383);
6d2010ae
A		 5384/**
5385 @brief Access control check for searchfs
5386 @param cred Subject credential
5387 @param vp Object vnode
5388 @param vlabel Policy label for vp
5389 @param alist List of attributes used as search criteria
5390
5391 Determine whether the subject identified by the credential can search the
5392 vnode using the searchfs system call.
5393
5394 @return Return 0 if access is granted, otherwise an appropriate value for
5395 errno should be returned.
5396*/
5397typedef int mpo_vnode_check_searchfs_t(
5398 kauth_cred_t cred,
5399 struct vnode *vp,
5400 struct label *vlabel,
5401 struct attrlist *alist
5402);
2d21ac55
A		 5403/**
5404 @brief Access control check for select
5405 @param cred Subject credential
5406 @param vp Object vnode
5407 @param label Policy label for vp
5408 @param which The operation selected on: FREAD or FWRITE
5409
5410 Determine whether the subject identified by the credential can select
5411 the vnode.
5412
5413 @return Return 0 if access is granted, otherwise an appropriate value for
5414 errno should be returned.
5415*/
5416typedef int mpo_vnode_check_select_t(
5417 kauth_cred_t cred,
5418 struct vnode *vp,
5419 struct label *label,
5420 int which
5421);
5422/**
5423 @brief Access control check for setting file attributes
5424 @param cred Subject credential
5425 @param vp Object vnode
5426 @param vlabel Policy label for vp
5427 @param alist List of attributes to set
5428
5429 Determine whether the subject identified by the credential can set
5430 various attributes of the specified vnode, or the filesystem or volume on
5431 which that vnode resides. See <sys/attr.h> for definitions of the
5432 attributes.
5433
5434 @return Return 0 if access is granted, otherwise an appropriate value for
5435 errno should be returned. Suggested failure: EACCES for label mismatch or
5436 EPERM for lack of privilege. Access control covers all attributes requested
5437 with this call.
5438*/
5439typedef int mpo_vnode_check_setattrlist_t(
5440 kauth_cred_t cred,
5441 struct vnode *vp,
5442 struct label *vlabel,
5443 struct attrlist *alist
5444);
5445/**
5446 @brief Access control check for setting extended attribute
5447 @param cred Subject credential
5448 @param vp Object vnode
5449 @param label Policy label for vp
5450 @param name Extended attribute name
5451 @param uio I/O structure pointer
5452
5453 Determine whether the subject identified by the credential can set the
5454 extended attribute of passed name and passed namespace on the passed
5455 vnode. Policies implementing security labels backed into extended
5456 attributes may want to provide additional protections for those
5457 attributes. Additionally, policies should avoid making decisions based
5458 on the data referenced from uio, as there is a potential race condition
5459 between this check and the actual operation. The uio may also be NULL
5460 if a delete operation is being performed.
5461
5462 @return Return 0 if access is granted, otherwise an appropriate value for
5463 errno should be returned. Suggested failure: EACCES for label mismatch or
5464 EPERM for lack of privilege.
5465*/
5466typedef int mpo_vnode_check_setextattr_t(
5467 kauth_cred_t cred,
5468 struct vnode *vp,
5469 struct label *label,
5470 const char *name,
5471 struct uio *uio
5472);
5473/**
5474 @brief Access control check for setting flags
5475 @param cred Subject credential
5476 @param vp Object vnode
5477 @param label Policy label for vp
5478 @param flags File flags; see chflags(2)
5479
5480 Determine whether the subject identified by the credential can set
5481 the passed flags on the passed vnode.
5482
5483 @return Return 0 if access is granted, otherwise an appropriate value for
5484 errno should be returned. Suggested failure: EACCES for label mismatch or
5485 EPERM for lack of privilege.
5486*/
5487typedef int mpo_vnode_check_setflags_t(
5488 kauth_cred_t cred,
5489 struct vnode *vp,
5490 struct label *label,
5491 u_long flags
5492);
5493/**
5494 @brief Access control check for setting mode
5495 @param cred Subject credential
5496 @param vp Object vnode
5497 @param label Policy label for vp
5498 @param mode File mode; see chmod(2)
5499
5500 Determine whether the subject identified by the credential can set
5501 the passed mode on the passed vnode.
5502
5503 @return Return 0 if access is granted, otherwise an appropriate value for
5504 errno should be returned. Suggested failure: EACCES for label mismatch or
5505 EPERM for lack of privilege.
5506*/
5507typedef int mpo_vnode_check_setmode_t(
5508 kauth_cred_t cred,
5509 struct vnode *vp,
5510 struct label *label,
5511 mode_t mode
5512);
5513/**
5514 @brief Access control check for setting uid and gid
5515 @param cred Subject credential
5516 @param vp Object vnode
5517 @param label Policy label for vp
5518 @param uid User ID
5519 @param gid Group ID
5520
5521 Determine whether the subject identified by the credential can set
5522 the passed uid and passed gid as file uid and file gid on the passed
5523 vnode. The IDs may be set to (-1) to request no update.
5524
5525 @return Return 0 if access is granted, otherwise an appropriate value for
5526 errno should be returned. Suggested failure: EACCES for label mismatch or
5527 EPERM for lack of privilege.
5528*/
5529typedef int mpo_vnode_check_setowner_t(
5530 kauth_cred_t cred,
5531 struct vnode *vp,
5532 struct label *label,
5533 uid_t uid,
5534 gid_t gid
5535);
5536/**
5537 @brief Access control check for setting timestamps
5538 @param cred Subject credential
5539 @param vp Object vnode
5540 @param label Policy label for vp
5541 @param atime Access time; see utimes(2)
5542 @param mtime Modification time; see utimes(2)
5543
5544 Determine whether the subject identified by the credential can set
5545 the passed access timestamps on the passed vnode.
5546
5547 @return Return 0 if access is granted, otherwise an appropriate value for
5548 errno should be returned. Suggested failure: EACCES for label mismatch or
5549 EPERM for lack of privilege.
5550*/
5551typedef int mpo_vnode_check_setutimes_t(
5552 kauth_cred_t cred,
5553 struct vnode *vp,
5554 struct label *label,
5555 struct timespec atime,
5556 struct timespec mtime
5557);
5558/**
5559 @brief Access control check for stat
5560 @param active_cred Subject credential
5561 @param file_cred Credential associated with the struct fileproc
5562 @param vp Object vnode
5563 @param label Policy label for vp
5564
5565 Determine whether the subject identified by the credential can stat
5566 the passed vnode. See stat(2) for more information. The active_cred
5567 hold the credentials of the subject performing the operation, and
5568 file_cred holds the credentials of the subject that originally
5569 opened the file.
5570
5571 @return Return 0 if access is granted, otherwise an appropriate value for
5572 errno should be returned. Suggested failure: EACCES for label mismatch or
5573 EPERM for lack of privilege.
5574*/
5575typedef int mpo_vnode_check_stat_t(
5576 struct ucred *active_cred,
5577 struct ucred *file_cred, /* NULLOK */
5578 struct vnode *vp,
5579 struct label *label
5580);
5581/**
5582 @brief Access control check for truncate/ftruncate
5583 @param active_cred Subject credential
5584 @param file_cred Credential associated with the struct fileproc
5585 @param vp Object vnode
5586 @param label Policy label for vp
5587
5588 Determine whether the subject identified by the credential can
5589 perform a truncate operation on the passed vnode. The active_cred hold
5590 the credentials of the subject performing the operation, and
5591 file_cred holds the credentials of the subject that originally
5592 opened the file.
5593
5594 @return Return 0 if access is granted, otherwise an appropriate value for
5595 errno should be returned. Suggested failure: EACCES for label mismatch or
5596 EPERM for lack of privilege.
5597*/
5598typedef int mpo_vnode_check_truncate_t(
5599 kauth_cred_t active_cred,
5600 kauth_cred_t file_cred, /* NULLOK */
5601 struct vnode *vp,
5602 struct label *label
5603);
b0d623f7
A		 5604/**
5605 @brief Access control check for binding UNIX domain socket
5606 @param cred Subject credential
5607 @param dvp Directory vnode
5608 @param dlabel Policy label for dvp
5609 @param cnp Component name for dvp
5610 @param vap vnode attributes for vap
5611
5612 Determine whether the subject identified by the credential can perform a
5613 bind operation on a UNIX domain socket with the passed parent directory,
5614 passed name information, and passed attribute information.
5615
5616 @return Return 0 if access is granted, otherwise an appropriate value for
5617 errno should be returned. Suggested failure: EACCES for label mismatch or
5618 EPERM for lack of privilege.
5619*/
5620typedef int mpo_vnode_check_uipc_bind_t(
5621 kauth_cred_t cred,
5622 struct vnode *dvp,
5623 struct label *dlabel,
5624 struct componentname *cnp,
5625 struct vnode_attr *vap
5626);
5627/**
5628 @brief Access control check for connecting UNIX domain socket
5629 @param cred Subject credential
5630 @param vp Object vnode
5631 @param label Policy label associated with vp
5632
5633 Determine whether the subject identified by the credential can perform a
5634 connect operation on the passed UNIX domain socket vnode.
5635
5636 @return Return 0 if access is granted, otherwise an appropriate value for
5637 errno should be returned. Suggested failure: EACCES for label mismatch or
5638 EPERM for lack of privilege.
5639*/
5640typedef int mpo_vnode_check_uipc_connect_t(
5641 kauth_cred_t cred,
5642 struct vnode *vp,
5643 struct label *label
5644);
2d21ac55
A		 5645/**
5646 @brief Access control check for deleting vnode
5647 @param cred Subject credential
5648 @param dvp Parent directory vnode
5649 @param dlabel Policy label for dvp
5650 @param vp Object vnode to delete
5651 @param label Policy label for vp
5652 @param cnp Component name for vp
5653 @see mpo_check_rename_to_t
5654
5655 Determine whether the subject identified by the credential can delete
5656 a vnode from the passed parent directory and passed name information.
5657 This call may be made in a number of situations, including as a
5658 results of calls to unlink(2) and rmdir(2). Policies implementing
5659 this entry point should also implement mpo_check_rename_to to
5660 authorize deletion of objects as a result of being the target of a rename.
5661
5662 @return Return 0 if access is granted, otherwise an appropriate value for
5663 errno should be returned. Suggested failure: EACCES for label mismatch or
5664 EPERM for lack of privilege.
5665*/
5666typedef int mpo_vnode_check_unlink_t(
5667 kauth_cred_t cred,
5668 struct vnode *dvp,
5669 struct label *dlabel,
5670 struct vnode *vp,
5671 struct label *label,
5672 struct componentname *cnp
5673);
5674/**
5675 @brief Access control check for write
5676 @param active_cred Subject credential
5677 @param file_cred Credential associated with the struct fileproc
5678 @param vp Object vnode
5679 @param label Policy label for vp
5680
5681 Determine whether the subject identified by the credential can
5682 perform a write operation on the passed vnode. The active_cred hold
5683 the credentials of the subject performing the operation, and
5684 file_cred holds the credentials of the subject that originally
5685 opened the file.
5686
5687 @return Return 0 if access is granted, otherwise an appropriate value for
5688 errno should be returned. Suggested failure: EACCES for label mismatch or
5689 EPERM for lack of privilege.
5690*/
5691typedef int mpo_vnode_check_write_t(
5692 kauth_cred_t active_cred,
5693 kauth_cred_t file_cred, /* NULLOK */
5694 struct vnode *vp,
5695 struct label *label
5696);
5697/**
5698 @brief Associate a vnode with a devfs entry
5699 @param mp Devfs mount point
5700 @param mntlabel Devfs mount point label
5701 @param de Devfs directory entry
5702 @param delabel Label associated with de
5703 @param vp vnode associated with de
5704 @param vlabel Label associated with vp
5705
5706 Fill in the label (vlabel) for a newly created devfs vnode. The
5707 label is typically derived from the label on the devfs directory
5708 entry or the label on the filesystem, supplied as parameters.
5709*/
5710typedef void mpo_vnode_label_associate_devfs_t(
5711 struct mount *mp,
5712 struct label *mntlabel,
5713 struct devnode *de,
5714 struct label *delabel,
5715 struct vnode *vp,
5716 struct label *vlabel
5717);
5718/**
5719 @brief Associate a label with a vnode
5720 @param mp File system mount point
5721 @param mntlabel File system mount point label
5722 @param vp Vnode to label
5723 @param vlabel Label associated with vp
5724
5725 Attempt to retrieve label information for the vnode, vp, from the
5726 file system extended attribute store. The label should be stored in
5727 the supplied vlabel parameter. If a policy cannot retrieve an
5728 extended attribute, sometimes it is acceptible to fallback to using
5729 the mntlabel.
5730
5731 If the policy requires vnodes to have a valid label elsewhere it
5732 MUST NOT return other than temporary errors, and must always provide
5733 a valid label of some sort. Returning an error will cause vnode
5734 labeling to be retried at a later access. Failure to handle policy
5735 centric errors internally (corrupt labels etc.) will result in
5736 inaccessible files.
5737
5738 @return In the event of an error, an appropriate value for errno
5739 should be returned, otherwise return 0 upon success.
5740*/
5741typedef int mpo_vnode_label_associate_extattr_t(
5742 struct mount *mp,
5743 struct label *mntlabel,
5744 struct vnode *vp,
5745 struct label *vlabel
5746);
5747/**
5748 @brief Associate a file label with a vnode
5749 @param cred User credential
5750 @param mp Fdesc mount point
5751 @param mntlabel Fdesc mount point label
5752 @param fg Fileglob structure
5753 @param label Policy label for fg
5754 @param vp Vnode to label
5755 @param vlabel Label associated with vp
5756
5757 Associate label information for the vnode, vp, with the label of
5758 the open file descriptor described by fg.
5759 The label should be stored in the supplied vlabel parameter.
5760*/
5761typedef void mpo_vnode_label_associate_file_t(
5762 struct ucred *cred,
5763 struct mount *mp,
5764 struct label *mntlabel,
5765 struct fileglob *fg,
5766 struct label *label,
5767 struct vnode *vp,
5768 struct label *vlabel
5769);
5770/**
5771 @brief Associate a pipe label with a vnode
5772 @param cred User credential for the process that opened the pipe
5773 @param cpipe Pipe structure
5774 @param pipelabel Label associated with pipe
5775 @param vp Vnode to label
5776 @param vlabel Label associated with vp
5777
5778 Associate label information for the vnode, vp, with the label of
5779 the pipe described by the pipe structure cpipe.
5780 The label should be stored in the supplied vlabel parameter.
5781*/
5782typedef void mpo_vnode_label_associate_pipe_t(
5783 struct ucred *cred,
5784 struct pipe *cpipe,
5785 struct label *pipelabel,
5786 struct vnode *vp,
5787 struct label *vlabel
5788);
5789/**
5790 @brief Associate a POSIX semaphore label with a vnode
5791 @param cred User credential for the process that create psem
5792 @param psem POSIX semaphore structure
5793 @param psemlabel Label associated with psem
5794 @param vp Vnode to label
5795 @param vlabel Label associated with vp
5796
5797 Associate label information for the vnode, vp, with the label of
5798 the POSIX semaphore described by psem.
5799 The label should be stored in the supplied vlabel parameter.
5800*/
5801typedef void mpo_vnode_label_associate_posixsem_t(
5802 struct ucred *cred,
5803 struct pseminfo *psem,
5804 struct label *psemlabel,
5805 struct vnode *vp,
5806 struct label *vlabel
5807);
5808/**
5809 @brief Associate a POSIX shared memory label with a vnode
5810 @param cred User credential for the process that created pshm
5811 @param pshm POSIX shared memory structure
5812 @param pshmlabel Label associated with pshm
5813 @param vp Vnode to label
5814 @param vlabel Label associated with vp
5815
5816 Associate label information for the vnode, vp, with the label of
5817 the POSIX shared memory region described by pshm.
5818 The label should be stored in the supplied vlabel parameter.
5819*/
5820typedef void mpo_vnode_label_associate_posixshm_t(
5821 struct ucred *cred,
5822 struct pshminfo *pshm,
5823 struct label *pshmlabel,
5824 struct vnode *vp,
5825 struct label *vlabel
5826);
5827/**
5828 @brief Associate a label with a vnode
5829 @param mp File system mount point
5830 @param mntlabel File system mount point label
5831 @param vp Vnode to label
5832 @param vlabel Label associated with vp
5833
5834 On non-multilabel file systems, set the label for a vnode. The
5835 label will most likely be based on the file system label.
5836*/
5837typedef void mpo_vnode_label_associate_singlelabel_t(
5838 struct mount *mp,
5839 struct label *mntlabel,
5840 struct vnode *vp,
5841 struct label *vlabel
5842);
5843/**
5844 @brief Associate a socket label with a vnode
5845 @param cred User credential for the process that opened the socket
5846 @param so Socket structure
5847 @param solabel Label associated with so
5848 @param vp Vnode to label
5849 @param vlabel Label associated with vp
5850
5851 Associate label information for the vnode, vp, with the label of
5852 the open socket described by the socket structure so.
5853 The label should be stored in the supplied vlabel parameter.
5854*/
5855typedef void mpo_vnode_label_associate_socket_t(
5856 kauth_cred_t cred,
5857 socket_t so,
5858 struct label *solabel,
5859 struct vnode *vp,
5860 struct label *vlabel
5861);
5862/**
5863 @brief Copy a vnode label
5864 @param src Source vnode label
5865 @param dest Destination vnode label
5866
5867 Copy the vnode label information from src to dest. On Darwin, this
5868 is currently only necessary when executing interpreted scripts, but
5869 will later be used if vnode label externalization cannot be an
5870 atomic operation.
5871*/
5872typedef void mpo_vnode_label_copy_t(
5873 struct label *src,
5874 struct label *dest
5875);
5876/**
5877 @brief Destroy vnode label
5878 @param label The label to be destroyed
5879
5880 Destroy a vnode label. Since the object is going out of scope,
5881 policy modules should free any internal storage associated with the
5882 label so that it may be destroyed.
5883*/
5884typedef void mpo_vnode_label_destroy_t(
5885 struct label *label
5886);
5887/**
5888 @brief Externalize a vnode label for auditing
5889 @param label Label to be externalized
5890 @param element_name Name of the label namespace for which labels should be
5891 externalized
5892 @param sb String buffer to be filled with a text representation of the label
5893
5894 Produce an external representation of the label on a vnode suitable for
5895 inclusion in an audit record. An externalized label consists of a text
5896 representation of the label contents that will be added to the audit record
5897 as part of a text token. Policy-agnostic user space tools will display
5898 this externalized version.
5899
5900 @return 0 on success, return non-zero if an error occurs while
5901 externalizing the label data.
5902
5903*/
5904typedef int mpo_vnode_label_externalize_audit_t(
5905 struct label *label,
5906 char *element_name,
5907 struct sbuf *sb
5908);
5909/**
5910 @brief Externalize a vnode label
5911 @param label Label to be externalized
5912 @param element_name Name of the label namespace for which labels should be
5913 externalized
5914 @param sb String buffer to be filled with a text representation of the label
5915
5916 Produce an external representation of the label on a vnode. An
5917 externalized label consists of a text representation of the label
5918 contents that can be used with user applications. Policy-agnostic
5919 user space tools will display this externalized version.
5920
5921 @return 0 on success, return non-zero if an error occurs while
5922 externalizing the label data.
5923
5924*/
5925typedef int mpo_vnode_label_externalize_t(
5926 struct label *label,
5927 char *element_name,
5928 struct sbuf *sb
5929);
5930/**
5931 @brief Initialize vnode label
5932 @param label New label to initialize
5933
5934 Initialize label storage for use with a newly instantiated vnode, or
5935 for temporary storage associated with the copying in or out of a
5936 vnode label. While it is necessary to allocate space for a
5937 kernel-resident vnode label, it is not yet necessary to link this vnode
5938 with persistent label storage facilities, such as extended attributes.
5939 Sleeping is permitted.
5940*/
5941typedef void mpo_vnode_label_init_t(
5942 struct label *label
5943);
5944/**
5945 @brief Internalize a vnode label
5946 @param label Label to be internalized
5947 @param element_name Name of the label namespace for which the label should
5948 be internalized
5949 @param element_data Text data to be internalized
5950
5951 Produce a vnode label from an external representation. An
5952 externalized label consists of a text representation of the label
5953 contents that can be used with user applications. Policy-agnostic
5954 user space tools will forward text version to the kernel for
5955 processing by individual policy modules.
5956
5957 The policy's internalize entry points will be called only if the
5958 policy has registered interest in the label namespace.
5959
5960 @return 0 on success, Otherwise, return non-zero if an error occurs
5961 while internalizing the label data.
5962*/
5963typedef int mpo_vnode_label_internalize_t(
5964 struct label *label,
5965 char *element_name,
5966 char *element_data
5967);
5968/**
5969 @brief Clean up a vnode label
5970 @param label The label to be cleaned for re-use
5971
5972 Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but
5973 typically never frees them. Before vnodes are placed back on free lists for
5974 re-use, policies can cleanup or overwrite any information present in the label.
5975*/
5976typedef void mpo_vnode_label_recycle_t(
5977 struct label *label
5978);
5979/**
5980 @brief Write a label to a extended attribute
5981 @param cred Subject credential
5982 @param vp The vnode for which the label is being stored
5983 @param vlabel Label associated with vp
5984 @param intlabel The new label to store
5985
5986 Store a new label in the extended attribute corresponding to the
5987 supplied vnode. The policy has already authorized the operation;
5988 this call must be implemented in order to perform the actual
5989 operation.
5990
5991 @return In the event of an error, an appropriate value for errno
5992 should be returned, otherwise return 0 upon success.
5993
5994 @warning XXX After examining the extended attribute implementation on
5995 Apple's future release, this entry point may be changed.
5996*/
5997typedef int mpo_vnode_label_store_t(
5998 kauth_cred_t cred,
5999 struct vnode *vp,
6000 struct label *vlabel,
6001 struct label *intlabel
6002);
6003/**
6004 @brief Update vnode label from extended attributes
6005 @param mp File system mount point
6006 @param mntlabel Mount point label
6007 @param vp Vnode to label
6008 @param vlabel Label associated with vp
6009 @param name Name of the xattr
6010 @see mpo_vnode_check_setextattr_t
6011
6012 When an extended attribute is updated via the Vendor attribute management
6013 functions, the MAC vnode label might also require an update.
6014 Policies should first determine if 'name' matches their xattr label
6015 name. If it does, the kernel is has either replaced or removed the
6016 named extended attribute that was previously associated with the
6017 vnode. Normally labels should only be modified via MAC Framework label
6018 management calls, but sometimes the user space components will directly
6019 modify extended attributes. For example, 'cp', 'tar', etc. manage
6020 extended attributes in userspace, not the kernel.
6021
6022 This entry point is called after the label update has occurred, so
6023 it cannot return a failure. However, the operation is preceded by
6024 the mpo_vnode_check_setextattr() access control check.
6025
6026 If the vnode label needs to be updated the policy should return
6027 a non-zero value. The vnode label will be marked for re-association
6028 by the framework.
6029*/
6030typedef int mpo_vnode_label_update_extattr_t(
6031 struct mount *mp,
6032 struct label *mntlabel,
6033 struct vnode *vp,
6034 struct label *vlabel,
6035 const char *name
6036);
6037/**
6038 @brief Update a vnode label
6039 @param cred Subject credential
6040 @param vp The vnode to relabel
6041 @param vnodelabel Existing vnode label
6042 @param label New label to replace existing label
6043 @see mpo_vnode_check_label_update_t
6044
6045 The subject identified by the credential has previously requested
6046 and was authorized to relabel the vnode; this entry point allows
6047 policies to perform the actual relabel operation. Policies should
6048 update vnodelabel using the label stored in the label parameter.
6049*/
6050typedef void mpo_vnode_label_update_t(
6051 kauth_cred_t cred,
6052 struct vnode *vp,
6053 struct label *vnodelabel,
6054 struct label *label
6055);
39236c6e
A		 6056/**
6057 @brief Find deatched signatures for a shared library
6058 @param p file trying to find the signature
6059 @param vp The vnode to relabel
6060 @param offset offset in the macho that the signature is requested for (for fat binaries)
6061 @param label Existing vnode label
6062
6063*/
6064typedef int mpo_vnode_find_sigs_t(
6065 struct proc *p,
6066 struct vnode *vp,
6067 off_t offset,
6068 struct label *label
6069);
2d21ac55
A		 6070/**
6071 @brief Create a new vnode, backed by extended attributes
6072 @param cred User credential for the creating process
6073 @param mp File system mount point
6074 @param mntlabel File system mount point label
6075 @param dvp Parent directory vnode
6076 @param dlabel Parent directory vnode label
6077 @param vp Newly created vnode
6078 @param vlabel Label to associate with the new vnode
6079 @param cnp Component name for vp
6080
6081 Write out the label for the newly created vnode, most likely storing
6082 the results in a file system extended attribute. Most policies will
6083 derive the new vnode label using information from a combination
6084 of the subject (user) credential, the file system label, the parent
6085 directory label, and potentially the path name component.
6086
6087 @return If the operation succeeds, store the new label in vlabel and
6088 return 0. Otherwise, return an appropriate errno value.
6089*/
6090typedef int mpo_vnode_notify_create_t(
6091 kauth_cred_t cred,
6092 struct mount *mp,
6093 struct label *mntlabel,
6094 struct vnode *dvp,
6095 struct label *dlabel,
6096 struct vnode *vp,
6097 struct label *vlabel,
6098 struct componentname *cnp
6099);
6100
4b17d6b6
A		 6101/**
6102 @brief Inform MAC policies that a vnode has been opened
6103 @param cred User credential for the creating process
6104 @param vp vnode opened
6105 @param label Policy label for the vp
6106 @param acc_mode open(2) access mode used
6107
6108 Inform Mac policies that a vnode have been successfully opened
6109 (passing all MAC polices and DAC).
6110*/
6111typedef void mpo_vnode_notify_open_t(
6112 kauth_cred_t cred,
6113 struct vnode *vp,
6114 struct label *label,
6115 int acc_mode
6116);
6117
6d2010ae
A		 6118/**
6119 @brief Inform MAC policies that a vnode has been renamed
6120 @param cred User credential for the renaming process
6121 @param vp Vnode that's being renamed
6122 @param label Policy label for vp
6123 @param dvp Parent directory for the destination
6124 @param dlabel Policy label for dvp
6125 @param cnp Component name for the destination
6126
6127 Inform MAC policies that a vnode has been renamed.
6128 */
6129typedef void mpo_vnode_notify_rename_t(
6130 kauth_cred_t cred,
6131 struct vnode *vp,
6132 struct label *label,
6133 struct vnode *dvp,
6134 struct label *dlabel,
6135 struct componentname *cnp
6136);
6137
39236c6e
A		 6138/**
6139 @brief Inform MAC policies that a vnode has been linked
6140 @param cred User credential for the renaming process
6141 @param dvp Parent directory for the destination
6142 @param dlabel Policy label for dvp
6143 @param vp Vnode that's being linked
6144 @param vlabel Policy label for vp
6145 @param cnp Component name for the destination
6146
6147 Inform MAC policies that a vnode has been linked.
6148 */
6149typedef void mpo_vnode_notify_link_t(
6150 kauth_cred_t cred,
6151 struct vnode *dvp,
6152 struct label *dlabel,
6153 struct vnode *vp,
6154 struct label *vlabel,
6155 struct componentname *cnp
6156);
6157
6158/**
6159 @brief Inform MAC policies that a pty slave has been granted
6160 @param p Responsible process
6161 @param tp tty data structure
6162 @param dev Major and minor numbers of device
6163 @param label Policy label for tp
6164
6165 Inform MAC policies that a pty slave has been granted.
6166*/
6167typedef void mpo_pty_notify_grant_t(
6168 proc_t p,
6169 struct tty *tp,
6170 dev_t dev,
6171 struct label *label
6172);
6173
6174/**
6175 @brief Inform MAC policies that a pty master has been closed
6176 @param p Responsible process
6177 @param tp tty data structure
6178 @param dev Major and minor numbers of device
6179 @param label Policy label for tp
6180
6181 Inform MAC policies that a pty master has been closed.
6182*/
6183typedef void mpo_pty_notify_close_t(
6184 proc_t p,
6185 struct tty *tp,
6186 dev_t dev,
6187 struct label *label
6188);
6189
6190/**
6191 @brief Access control check for kext loading
6192 @param cred Subject credential
6193 @param identifier Kext identifier
6194
6195 Determine whether the subject identified by the credential can load the
6196 specified kext.
6197
6198 @return Return 0 if access is granted, otherwise an appropriate value for
6199 errno should be returned. Suggested failure: EPERM for lack of privilege.
6200*/
6201typedef int mpo_kext_check_load_t(
6202 kauth_cred_t cred,
6203 const char *identifier
6204);
6205
6206/**
6207 @brief Access control check for kext unloading
6208 @param cred Subject credential
6209 @param identifier Kext identifier
6210
6211 Determine whether the subject identified by the credential can unload the
6212 specified kext.
6213
6214 @return Return 0 if access is granted, otherwise an appropriate value for
6215 errno should be returned. Suggested failure: EPERM for lack of privilege.
6216*/
6217typedef int mpo_kext_check_unload_t(
6218 kauth_cred_t cred,
6219 const char *identifier
6220);
6221
2d21ac55
A		 6222/*
6223 * Placeholder for future events that may need mac hooks.
6224 */
6225typedef void mpo_reserved_hook_t(void);
6226
39236c6e
A		 6227/*
6228 * Policy module operations.
6229 *
6230 * Please note that this should be kept in sync with the check assumptions
6231 * policy in bsd/kern/policy_check.c (policy_ops struct).
6232 */
6233#define MAC_POLICY_OPS_VERSION 24 /* inc when new reserved slots are taken */
2d21ac55
A		 6234struct mac_policy_ops {
6235 mpo_audit_check_postselect_t *mpo_audit_check_postselect;
6236 mpo_audit_check_preselect_t *mpo_audit_check_preselect;
39236c6e 6237
2d21ac55
A		 6238 mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
6239 mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
6240 mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init;
6241 mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive;
39236c6e 6242
2d21ac55
A		 6243 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
6244 mpo_cred_check_label_update_t *mpo_cred_check_label_update;
6245 mpo_cred_check_visible_t *mpo_cred_check_visible;
6246 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork;
6247 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel;
6248 mpo_cred_label_associate_t *mpo_cred_label_associate;
6249 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user;
6250 mpo_cred_label_destroy_t *mpo_cred_label_destroy;
6251 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit;
6252 mpo_cred_label_externalize_t *mpo_cred_label_externalize;
6253 mpo_cred_label_init_t *mpo_cred_label_init;
6254 mpo_cred_label_internalize_t *mpo_cred_label_internalize;
6255 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve;
6256 mpo_cred_label_update_t *mpo_cred_label_update;
39236c6e 6257
2d21ac55
A		 6258 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device;
6259 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory;
6260 mpo_devfs_label_copy_t *mpo_devfs_label_copy;
6261 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy;
6262 mpo_devfs_label_init_t *mpo_devfs_label_init;
6263 mpo_devfs_label_update_t *mpo_devfs_label_update;
39236c6e 6264
2d21ac55
A		 6265 mpo_file_check_change_offset_t *mpo_file_check_change_offset;
6266 mpo_file_check_create_t *mpo_file_check_create;
6267 mpo_file_check_dup_t *mpo_file_check_dup;
6268 mpo_file_check_fcntl_t *mpo_file_check_fcntl;
6269 mpo_file_check_get_offset_t *mpo_file_check_get_offset;
6270 mpo_file_check_get_t *mpo_file_check_get;
6271 mpo_file_check_inherit_t *mpo_file_check_inherit;
6272 mpo_file_check_ioctl_t *mpo_file_check_ioctl;
6273 mpo_file_check_lock_t *mpo_file_check_lock;
6274 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade;
6275 mpo_file_check_mmap_t *mpo_file_check_mmap;
6276 mpo_file_check_receive_t *mpo_file_check_receive;
6277 mpo_file_check_set_t *mpo_file_check_set;
6278 mpo_file_label_init_t *mpo_file_label_init;
6279 mpo_file_label_destroy_t *mpo_file_label_destroy;
6280 mpo_file_label_associate_t *mpo_file_label_associate;
39236c6e 6281
2d21ac55
A		 6282 mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update;
6283 mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit;
6284 mpo_ifnet_label_associate_t *mpo_ifnet_label_associate;
6285 mpo_ifnet_label_copy_t *mpo_ifnet_label_copy;
6286 mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy;
6287 mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize;
6288 mpo_ifnet_label_init_t *mpo_ifnet_label_init;
6289 mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize;
6290 mpo_ifnet_label_update_t *mpo_ifnet_label_update;
6291 mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle;
39236c6e 6292
2d21ac55
A		 6293 mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver;
6294 mpo_inpcb_label_associate_t *mpo_inpcb_label_associate;
6295 mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy;
6296 mpo_inpcb_label_init_t *mpo_inpcb_label_init;
6297 mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle;
6298 mpo_inpcb_label_update_t *mpo_inpcb_label_update;
39236c6e 6299
2d21ac55 6300 mpo_iokit_check_device_t *mpo_iokit_check_device;
39236c6e 6301
2d21ac55
A		 6302 mpo_ipq_label_associate_t *mpo_ipq_label_associate;
6303 mpo_ipq_label_compare_t *mpo_ipq_label_compare;
6304 mpo_ipq_label_destroy_t *mpo_ipq_label_destroy;
6305 mpo_ipq_label_init_t *mpo_ipq_label_init;
6306 mpo_ipq_label_update_t *mpo_ipq_label_update;
39236c6e 6307
2d21ac55
A		 6308 mpo_lctx_check_label_update_t *mpo_lctx_check_label_update;
6309 mpo_lctx_label_destroy_t *mpo_lctx_label_destroy;
6310 mpo_lctx_label_externalize_t *mpo_lctx_label_externalize;
6311 mpo_lctx_label_init_t *mpo_lctx_label_init;
6312 mpo_lctx_label_internalize_t *mpo_lctx_label_internalize;
6313 mpo_lctx_label_update_t *mpo_lctx_label_update;
6314 mpo_lctx_notify_create_t *mpo_lctx_notify_create;
6315 mpo_lctx_notify_join_t *mpo_lctx_notify_join;
6316 mpo_lctx_notify_leave_t *mpo_lctx_notify_leave;
39236c6e 6317
2d21ac55
A		 6318 mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
6319 mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
6320 mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
6321 mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq;
6322 mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
6323 mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap;
6324 mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
6325 mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
6326 mpo_mbuf_label_copy_t *mpo_mbuf_label_copy;
6327 mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy;
6328 mpo_mbuf_label_init_t *mpo_mbuf_label_init;
39236c6e 6329
2d21ac55
A		 6330 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl;
6331 mpo_mount_check_getattr_t *mpo_mount_check_getattr;
6332 mpo_mount_check_label_update_t *mpo_mount_check_label_update;
6333 mpo_mount_check_mount_t *mpo_mount_check_mount;
6334 mpo_mount_check_remount_t *mpo_mount_check_remount;
6335 mpo_mount_check_setattr_t *mpo_mount_check_setattr;
6336 mpo_mount_check_stat_t *mpo_mount_check_stat;
6337 mpo_mount_check_umount_t *mpo_mount_check_umount;
6338 mpo_mount_label_associate_t *mpo_mount_label_associate;
6339 mpo_mount_label_destroy_t *mpo_mount_label_destroy;
6340 mpo_mount_label_externalize_t *mpo_mount_label_externalize;
6341 mpo_mount_label_init_t *mpo_mount_label_init;
6342 mpo_mount_label_internalize_t *mpo_mount_label_internalize;
39236c6e 6343
2d21ac55
A		 6344 mpo_netinet_fragment_t *mpo_netinet_fragment;
6345 mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply;
6346 mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply;
39236c6e 6347
2d21ac55
A		 6348 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
6349 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
6350 mpo_pipe_check_label_update_t *mpo_pipe_check_label_update;
6351 mpo_pipe_check_read_t *mpo_pipe_check_read;
6352 mpo_pipe_check_select_t *mpo_pipe_check_select;
6353 mpo_pipe_check_stat_t *mpo_pipe_check_stat;
6354 mpo_pipe_check_write_t *mpo_pipe_check_write;
6355 mpo_pipe_label_associate_t *mpo_pipe_label_associate;
6356 mpo_pipe_label_copy_t *mpo_pipe_label_copy;
6357 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy;
6358 mpo_pipe_label_externalize_t *mpo_pipe_label_externalize;
6359 mpo_pipe_label_init_t *mpo_pipe_label_init;
6360 mpo_pipe_label_internalize_t *mpo_pipe_label_internalize;
6361 mpo_pipe_label_update_t *mpo_pipe_label_update;
39236c6e 6362
2d21ac55
A		 6363 mpo_policy_destroy_t *mpo_policy_destroy;
6364 mpo_policy_init_t *mpo_policy_init;
6365 mpo_policy_initbsd_t *mpo_policy_initbsd;
6366 mpo_policy_syscall_t *mpo_policy_syscall;
39236c6e 6367
2d21ac55
A		 6368 mpo_port_check_copy_send_t *mpo_port_check_copy_send;
6369 mpo_port_check_hold_receive_t *mpo_port_check_hold_receive;
6370 mpo_port_check_hold_send_once_t *mpo_port_check_hold_send_once;
6371 mpo_port_check_hold_send_t *mpo_port_check_hold_send;
6372 mpo_port_check_label_update_t *mpo_port_check_label_update;
6373 mpo_port_check_make_send_once_t *mpo_port_check_make_send_once;
6374 mpo_port_check_make_send_t *mpo_port_check_make_send;
6375 mpo_port_check_method_t *mpo_port_check_method;
6376 mpo_port_check_move_receive_t *mpo_port_check_move_receive;
6377 mpo_port_check_move_send_once_t *mpo_port_check_move_send_once;
6378 mpo_port_check_move_send_t *mpo_port_check_move_send;
6379 mpo_port_check_receive_t *mpo_port_check_receive;
6380 mpo_port_check_send_t *mpo_port_check_send;
6381 mpo_port_check_service_t *mpo_port_check_service;
6382 mpo_port_label_associate_kernel_t *mpo_port_label_associate_kernel;
6383 mpo_port_label_associate_t *mpo_port_label_associate;
6384 mpo_port_label_compute_t *mpo_port_label_compute;
6385 mpo_port_label_copy_t *mpo_port_label_copy;
6386 mpo_port_label_destroy_t *mpo_port_label_destroy;
6387 mpo_port_label_init_t *mpo_port_label_init;
6388 mpo_port_label_update_cred_t *mpo_port_label_update_cred;
6389 mpo_port_label_update_kobject_t *mpo_port_label_update_kobject;
39236c6e 6390
2d21ac55
A		 6391 mpo_posixsem_check_create_t *mpo_posixsem_check_create;
6392 mpo_posixsem_check_open_t *mpo_posixsem_check_open;
6393 mpo_posixsem_check_post_t *mpo_posixsem_check_post;
6394 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink;
6395 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait;
6396 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate;
6397 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy;
6398 mpo_posixsem_label_init_t *mpo_posixsem_label_init;
6399 mpo_posixshm_check_create_t *mpo_posixshm_check_create;
6400 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap;
6401 mpo_posixshm_check_open_t *mpo_posixshm_check_open;
6402 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat;
6403 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate;
6404 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink;
6405 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate;
6406 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy;
6407 mpo_posixshm_label_init_t *mpo_posixshm_label_init;
39236c6e 6408
2d21ac55
A		 6409 mpo_proc_check_debug_t *mpo_proc_check_debug;
6410 mpo_proc_check_fork_t *mpo_proc_check_fork;
6411 mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name;
6412 mpo_proc_check_get_task_t *mpo_proc_check_get_task;
6413 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit;
6414 mpo_proc_check_getauid_t *mpo_proc_check_getauid;
6415 mpo_proc_check_getlcid_t *mpo_proc_check_getlcid;
6416 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect;
6417 mpo_proc_check_sched_t *mpo_proc_check_sched;
6418 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit;
6419 mpo_proc_check_setauid_t *mpo_proc_check_setauid;
6420 mpo_proc_check_setlcid_t *mpo_proc_check_setlcid;
6421 mpo_proc_check_signal_t *mpo_proc_check_signal;
6422 mpo_proc_check_wait_t *mpo_proc_check_wait;
6423 mpo_proc_label_destroy_t *mpo_proc_label_destroy;
6424 mpo_proc_label_init_t *mpo_proc_label_init;
39236c6e 6425
2d21ac55
A		 6426 mpo_socket_check_accept_t *mpo_socket_check_accept;
6427 mpo_socket_check_accepted_t *mpo_socket_check_accepted;
6428 mpo_socket_check_bind_t *mpo_socket_check_bind;
6429 mpo_socket_check_connect_t *mpo_socket_check_connect;
6430 mpo_socket_check_create_t *mpo_socket_check_create;
6431 mpo_socket_check_deliver_t *mpo_socket_check_deliver;
6432 mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter;
6433 mpo_socket_check_label_update_t *mpo_socket_check_label_update;
6434 mpo_socket_check_listen_t *mpo_socket_check_listen;
6435 mpo_socket_check_receive_t *mpo_socket_check_receive;
6436 mpo_socket_check_received_t *mpo_socket_check_received;
6437 mpo_socket_check_select_t *mpo_socket_check_select;
6438 mpo_socket_check_send_t *mpo_socket_check_send;
6439 mpo_socket_check_stat_t *mpo_socket_check_stat;
6440 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt;
6441 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt;
6442 mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept;
6443 mpo_socket_label_associate_t *mpo_socket_label_associate;
6444 mpo_socket_label_copy_t *mpo_socket_label_copy;
6445 mpo_socket_label_destroy_t *mpo_socket_label_destroy;
6446 mpo_socket_label_externalize_t *mpo_socket_label_externalize;
6447 mpo_socket_label_init_t *mpo_socket_label_init;
6448 mpo_socket_label_internalize_t *mpo_socket_label_internalize;
6449 mpo_socket_label_update_t *mpo_socket_label_update;
39236c6e 6450
2d21ac55
A		 6451 mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf;
6452 mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket;
6453 mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy;
6454 mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize;
6455 mpo_socketpeer_label_init_t *mpo_socketpeer_label_init;
39236c6e 6456
2d21ac55
A		 6457 mpo_system_check_acct_t *mpo_system_check_acct;
6458 mpo_system_check_audit_t *mpo_system_check_audit;
6459 mpo_system_check_auditctl_t *mpo_system_check_auditctl;
6460 mpo_system_check_auditon_t *mpo_system_check_auditon;
6461 mpo_system_check_host_priv_t *mpo_system_check_host_priv;
6462 mpo_system_check_nfsd_t *mpo_system_check_nfsd;
6463 mpo_system_check_reboot_t *mpo_system_check_reboot;
6464 mpo_system_check_settime_t *mpo_system_check_settime;
6465 mpo_system_check_swapoff_t *mpo_system_check_swapoff;
6466 mpo_system_check_swapon_t *mpo_system_check_swapon;
6467 mpo_system_check_sysctl_t *mpo_system_check_sysctl;
39236c6e 6468
2d21ac55
A		 6469 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate;
6470 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy;
6471 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init;
6472 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle;
6473 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue;
6474 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv;
6475 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid;
6476 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl;
6477 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget;
6478 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv;
6479 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd;
6480 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate;
6481 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy;
6482 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init;
6483 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle;
6484 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl;
6485 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget;
6486 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop;
6487 mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate;
6488 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy;
6489 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init;
6490 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle;
6491 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat;
6492 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl;
6493 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt;
6494 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget;
6495 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate;
6496 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy;
6497 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init;
6498 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle;
39236c6e 6499
2d21ac55
A		 6500 mpo_task_label_associate_kernel_t *mpo_task_label_associate_kernel;
6501 mpo_task_label_associate_t *mpo_task_label_associate;
6502 mpo_task_label_copy_t *mpo_task_label_copy;
6503 mpo_task_label_destroy_t *mpo_task_label_destroy;
6504 mpo_task_label_externalize_t *mpo_task_label_externalize;
6505 mpo_task_label_init_t *mpo_task_label_init;
6506 mpo_task_label_internalize_t *mpo_task_label_internalize;
6507 mpo_task_label_update_t *mpo_task_label_update;
39236c6e
A		 6508
6509 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control;
6510
2d21ac55
A		 6511 mpo_vnode_check_access_t *mpo_vnode_check_access;
6512 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir;
6513 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot;
6514 mpo_vnode_check_create_t *mpo_vnode_check_create;
6515 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr;
6516 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata;
6517 mpo_vnode_check_exec_t *mpo_vnode_check_exec;
6518 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist;
6519 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr;
6520 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl;
6521 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter;
6522 mpo_vnode_check_label_update_t *mpo_vnode_check_label_update;
6523 mpo_vnode_check_link_t *mpo_vnode_check_link;
6524 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr;
6525 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup;
6526 mpo_vnode_check_open_t *mpo_vnode_check_open;
6527 mpo_vnode_check_read_t *mpo_vnode_check_read;
6528 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir;
6529 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink;
6530 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from;
6531 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to;
6532 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke;
6533 mpo_vnode_check_select_t *mpo_vnode_check_select;
6534 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist;
6535 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr;
6536 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags;
6537 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode;
6538 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner;
6539 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes;
6540 mpo_vnode_check_stat_t *mpo_vnode_check_stat;
6541 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate;
6542 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink;
6543 mpo_vnode_check_write_t *mpo_vnode_check_write;
6544 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs;
6545 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr;
6546 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file;
6547 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe;
6548 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem;
6549 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm;
6550 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel;
6551 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket;
6552 mpo_vnode_label_copy_t *mpo_vnode_label_copy;
6553 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy;
6554 mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit;
6555 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize;
6556 mpo_vnode_label_init_t *mpo_vnode_label_init;
6557 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize;
6558 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle;
6559 mpo_vnode_label_store_t *mpo_vnode_label_store;
6560 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr;
6561 mpo_vnode_label_update_t *mpo_vnode_label_update;
6562 mpo_vnode_notify_create_t *mpo_vnode_notify_create;
593a1d5f 6563 mpo_vnode_check_signature_t *mpo_vnode_check_signature;
b0d623f7
A		 6564 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind;
6565 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect;
39236c6e 6566
b0d623f7 6567 mac_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid;
d1ecb069 6568 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume;
39236c6e 6569
316670eb 6570 mpo_thread_userret_t *mpo_thread_userret;
39236c6e 6571
6d2010ae 6572 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties;
39236c6e 6573
6d2010ae 6574 mpo_system_check_chud_t *mpo_system_check_chud;
39236c6e 6575
6d2010ae 6576 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs;
39236c6e 6577
6d2010ae
A		 6578 mpo_priv_check_t *mpo_priv_check;
6579 mpo_priv_grant_t *mpo_priv_grant;
39236c6e 6580
6d2010ae 6581 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon;
39236c6e 6582
6d2010ae 6583 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath;
39236c6e 6584
6d2010ae 6585 mpo_iokit_check_open_t *mpo_iokit_check_open;
39236c6e 6586
316670eb 6587 mpo_proc_check_ledger_t *mpo_proc_check_ledger;
39236c6e 6588
6d2010ae 6589 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename;
39236c6e 6590
316670eb
A		 6591 mpo_thread_label_init_t *mpo_thread_label_init;
6592 mpo_thread_label_destroy_t *mpo_thread_label_destroy;
39236c6e
A		 6593
6594 mpo_system_check_kas_info_t *mpo_system_check_kas_info;
6595
6596 mpo_proc_check_cpumon_t *mpo_proc_check_cpumon;
6597
6598 mpo_vnode_notify_open_t *mpo_vnode_notify_open;
6599
6600 mpo_system_check_info_t *mpo_system_check_info;
6601
6602 mpo_pty_notify_grant_t *mpo_pty_notify_grant;
6603 mpo_pty_notify_close_t *mpo_pty_notify_close;
6604
6605 mpo_vnode_find_sigs_t *mpo_vnode_find_sigs;
6606
6607 mpo_kext_check_load_t *mpo_kext_check_load;
6608 mpo_kext_check_unload_t *mpo_kext_check_unload;
6609
6610 mpo_proc_check_proc_info_t *mpo_proc_check_proc_info;
6611 mpo_vnode_notify_link_t *mpo_vnode_notify_link;
6d2010ae
A		 6612 mpo_reserved_hook_t *mpo_reserved28;
6613 mpo_reserved_hook_t *mpo_reserved29;
2d21ac55
A		 6614};
6615
6616/**
6617 @brief MAC policy handle type
6618
6619 The MAC handle is used to uniquely identify a loaded policy within
6620 the MAC Framework.
6621
6622 A variable of this type is set by mac_policy_register().
6623 */
6624typedef unsigned int mac_policy_handle_t;
6625
6626#define mpc_t struct mac_policy_conf *
6627
6628/**
6629 @brief Mac policy configuration
6630
6631 This structure specifies the configuration information for a
6632 MAC policy module. A policy module developer must supply
6633 a short unique policy name, a more descriptive full name, a list of label
6634 namespaces and count, a pointer to the registered enty point operations,
6635 any load time flags, and optionally, a pointer to a label slot identifier.
6636
6637 The Framework will update the runtime flags (mpc_runtime_flags) to
6638 indicate that the module has been registered.
6639
6640 If the label slot identifier (mpc_field_off) is NULL, the Framework
6641 will not provide label storage for the policy. Otherwise, the
6642 Framework will store the label location (slot) in this field.
6643
6644 The mpc_list field is used by the Framework and should not be
6645 modified by policies.
6646*/
6647/* XXX - reorder these for better aligment on 64bit platforms */
6648struct mac_policy_conf {
6649 const char *mpc_name; /** policy name */
6650 const char *mpc_fullname; /** full name */
6651 const char **mpc_labelnames; /** managed label namespaces */
6652 unsigned int mpc_labelname_count; /** number of managed label namespaces */
6653 struct mac_policy_ops *mpc_ops; /** operation vector */
6654 int mpc_loadtime_flags; /** load time flags */
6655 int *mpc_field_off; /** label slot */
6656 int mpc_runtime_flags; /** run time flags */
6657 mpc_t mpc_list; /** List reference */
6658 void *mpc_data; /** module data */
6659};
6660
6661/**
6662 @brief MAC policy module registration routine
6663
6664 This function is called to register a policy with the
6665 MAC framework. A policy module will typically call this from the
6666 Darwin KEXT registration routine.
6667 */
6668int mac_policy_register(struct mac_policy_conf *mpc,
6669 mac_policy_handle_t *handlep, void *xd);
6670
6671/**
6672 @brief MAC policy module de-registration routine
6673
6674 This function is called to de-register a policy with theD
6675 MAC framework. A policy module will typically call this from the
6676 Darwin KEXT de-registration routine.
6677 */
6678int mac_policy_unregister(mac_policy_handle_t handle);
6679
6680/*
6681 * Framework entry points for the policies to add audit data.
6682 */
6683int mac_audit_text(char *text, mac_policy_handle_t handle);
6684
6685/*
6686 * Calls to assist with use of Apple XATTRs within policy modules.
6687 */
6688int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t);
6689int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t,
6690 size_t *);
6691int mac_vnop_removexattr(struct vnode *, const char *);
6692
6693/*
6694 * Arbitrary limit on how much data will be logged by the audit
6695 * entry points above.
6696 */
6697#define MAC_AUDIT_DATA_LIMIT 1024
6698
6699/*
6700 * Values returned by mac_audit_{pre,post}select. To combine the responses
6701 * of the security policies into a single decision,
6702 * mac_audit_{pre,post}select() choose the greatest value returned.
6703 */
6704#define MAC_AUDIT_DEFAULT 0 /* use system behavior */
6705#define MAC_AUDIT_NO 1 /* force not auditing this event */
6706#define MAC_AUDIT_YES 2 /* force auditing this event */
6707
6708// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field
6709
6710/**
6711 @name Flags for the mpc_loadtime_flags field
6712 @see mac_policy_conf
6713
6714 This is the complete list of flags that are supported by the
6715 mpc_loadtime_flags field of the mac_policy_conf structure. These
6716 flags specify the load time behavior of MAC Framework policy
6717 modules.
6718*/
6719
6720/*@{*/
6721
6722/**
6723 @brief Flag to indicate registration preference
6724
6725 This flag indicates that the policy module must be loaded and
6726 initialized early in the boot process. If the flag is specified,
6727 attempts to register the module following boot will be rejected. The
6728 flag may be used by policies that require pervasive labeling of all
6729 system objects, and cannot handle objects that have not been
6730 properly initialized by the policy.
6731 */
6732#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
6733
6734/**
6735 @brief Flag to indicate unload preference
6736
6737 This flag indicates that the policy module may be unloaded. If this
6738 flag is not set, then the policy framework will reject requests to
6739 unload the module. This flag might be used by modules that allocate
6740 label state and are unable to free that state at runtime, or for
6741 modules that simply do not want to permit unload operations.
6742*/
6743#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
6744
6745/**
6746 @brief Unsupported
6747
6748 XXX This flag is not yet supported.
6749*/
6750#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
6751
6752/**
6753 @brief Flag to indicate a base policy
6754
6755 This flag indicates that the policy module is a base policy. Only
6756 one module can declare itself as base, otherwise the boot process
6757 will be halted.
6758 */
6759#define MPC_LOADTIME_BASE_POLICY 0x00000008
6760
6761/*@}*/
6762
6763/**
6764 @brief Policy registration flag
6765 @see mac_policy_conf
6766
6767 This flag indicates that the policy module has been successfully
6768 registered with the TrustedBSD MAC Framework. The Framework will
6769 set this flag in the mpc_runtime_flags field of the policy's
6770 mac_policy_conf structure after registering the policy.
6771 */
6772#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
6773
6774/*
6775 * Depends on POLICY_VER
6776 */
6777
6778#ifndef POLICY_VER
6779#define POLICY_VER 1.0
6780#endif
6781
6782#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \
6783 static struct mac_policy_conf mpname##_mac_policy_conf = { \
6784 .mpc_name = #mpname, \
6785 .mpc_fullname = mpfullname, \
6786 .mpc_labelnames = lnames, \
6787 .mpc_labelname_count = lcount, \
6788 .mpc_ops = mpops, \
6789 .mpc_loadtime_flags = lflags, \
6790 .mpc_field_off = slot, \
6791 .mpc_runtime_flags = rflags \
6792 }; \
6793 \
6794 static kern_return_t \
6795 kmod_start(kmod_info_t *ki, void *xd) \
6796 { \
6797 return mac_policy_register(&mpname##_mac_policy_conf, \
6798 &handle, xd); \
6799 } \
6800 \
6801 static kern_return_t \
6802 kmod_stop(kmod_info_t *ki, void *xd) \
6803 { \
6804 return mac_policy_unregister(handle); \
6805 } \
6806 \
6807 extern kern_return_t _start(kmod_info_t *ki, void *data); \
6808 extern kern_return_t _stop(kmod_info_t *ki, void *data); \
6809 \
6810 KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \
6811 kmod_start_func_t *_realmain = kmod_start; \
6812 kmod_stop_func_t *_antimain = kmod_stop; \
6813 int _kext_apple_cc = __APPLE_CC__
6814
6815
6816#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]
6817
b0d623f7
A		 6818/*
6819 * Policy interface to map a struct label pointer to per-policy data.
6820 * Typically, policies wrap this in their own accessor macro that casts an
6821 * intptr_t to a policy-specific data type.
6822 */
6823intptr_t mac_label_get(struct label *l, int slot);
6824void mac_label_set(struct label *l, int slot, intptr_t v);
6825
2d21ac55
A		 6826#define mac_get_mpc(h) (mac_policy_list.entries[h].mpc)
6827
6828/**
6829 @name Flags for MAC allocator interfaces
6830
6831 These flags are passed to the Darwin kernel allocator routines to
6832 indicate whether the allocation is permitted to block or not.
6833 Caution should be taken; some operations are not permitted to sleep,
6834 and some types of locks cannot be held when sleeping.
6835 */
6836
6837/*@{*/
6838
6839/**
6840 @brief Allocation operations may block
6841
6842 If memory is not immediately available, the allocation routine
6843 will block (typically sleeping) until memory is available.
6844
6845 @warning Inappropriate use of this flag may cause kernel panics.
6846 */
6847#define MAC_WAITOK 0
6848
6849/**
6850 @brief Allocation operations may not block
6851
6852 Rather than blocking, the allocator may return an error if memory
6853 is not immediately available. This type of allocation will not
6854 sleep, preserving locking semantics.
6855 */
6856#define MAC_NOWAIT 1
6857
6858/*@}*/
6859
6860#endif /* !_SECURITY_MAC_POLICY_H_ */
mirror of XNU