]> git.saurik.com Git - apple/xnu.git/blame - security/mac_policy.h
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-3247.1.106.tar.gz
[apple/xnu.git] / security / mac_policy.h
CommitLineData
2d21ac55 1/*
6d2010ae 2 * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
2d21ac55
A		 3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/*-
29 * Copyright (c) 1999-2002 Robert N. M. Watson
30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
31 * Copyright (c) 2005-2007 SPARTA, Inc.
32 * All rights reserved.
33 *
34 * This software was developed by Robert Watson for the TrustedBSD Project.
35 *
36 * This software was developed for the FreeBSD Project in part by Network
37 * Associates Laboratories, the Security Research Division of Network
38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
39 * as part of the DARPA CHATS research program.
40 *
41 * This software was enhanced by SPARTA ISSO under SPAWAR contract
42 * N66001-04-C-6019 ("SEFOS").
43 *
44 * Redistribution and use in source and binary forms, with or without
45 * modification, are permitted provided that the following conditions
46 * are met:
47 * 1. Redistributions of source code must retain the above copyright
48 * notice, this list of conditions and the following disclaimer.
49 * 2. Redistributions in binary form must reproduce the above copyright
50 * notice, this list of conditions and the following disclaimer in the
51 * documentation and/or other materials provided with the distribution.
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
63 * SUCH DAMAGE.
64 *
65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $
66 */
67
68/**
69 @file mac_policy.h
70 @brief Kernel Interfaces for MAC policy modules
71
72 This header defines the list of operations that are defined by the
73 TrustedBSD MAC Framwork on Darwin. MAC Policy modules register
74 with the framework to declare interest in a specific set of
75 operations. If interest in an entry point is not declared, then
76 the policy will be ignored when the Framework evaluates that entry
77 point.
78*/
79
80#ifndef _SECURITY_MAC_POLICY_H_
81#define _SECURITY_MAC_POLICY_H_
82
39236c6e
A		 83#ifndef PRIVATE
84#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
85#endif
86
2d21ac55
A		 87#include <security/_label.h>
88
89struct attrlist;
90struct auditinfo;
91struct bpf_d;
92struct devnode;
93struct fileglob;
94struct ifnet;
95struct inpcb;
96struct ipq;
97struct label;
2d21ac55
A		 98struct mac_module_data;
99struct mac_policy_conf;
100struct mbuf;
101struct mount;
39236c6e
A		 102struct msg;
103struct msqid_kernel;
2d21ac55
A		 104struct pipe;
105struct pseminfo;
106struct pshminfo;
107struct sbuf;
108struct semid_kernel;
109struct shmid_kernel;
39236c6e
A		 110struct socket;
111struct sockopt;
2d21ac55
A		 112struct task;
113struct thread;
39236c6e 114struct tty;
2d21ac55 115struct ucred;
39236c6e 116struct vfs_attr;
2d21ac55
A		 117struct vnode;
118/** @struct dummy */
119
120
121
122#ifndef _KAUTH_CRED_T
123#define _KAUTH_CRED_T
124typedef struct ucred *kauth_cred_t;
125#endif /* !_KAUTH_CRED_T */
126
6d2010ae
A		 127#ifndef __IOKIT_PORTS_DEFINED__
128#define __IOKIT_PORTS_DEFINED__
129#ifdef __cplusplus
130class OSObject;
131typedef OSObject *io_object_t;
132#else
133struct OSObject;
134typedef struct OSObject *io_object_t;
135#endif
136#endif /* __IOKIT_PORTS_DEFINED__ */
2d21ac55
A		 137
138/*-
139 * MAC entry points are generally named using the following template:
140 *
141 * mpo_<object>_<operation>()
142 *
143 * or:
144 *
145 * mpo_<object>_check_<operation>()
146 *
147 * Entry points are sorted by object type.
148 *
149 * It may be desirable also to consider some subsystems as "objects", such
150 * as system, iokit, etc.
151 */
152
153/**
154 @name Entry Points for Label Management
155
156 These are the entry points corresponding to the life cycle events for
157 kernel objects, such as initialization, creation, and destruction.
158
159 Most policies (that use labels) will initialize labels by allocating
160 space for policy-specific data. In most cases, it is permitted to
161 sleep during label initialization operations; it will be noted when
162 it is not permitted.
163
164 Initialization usually will not require doing more than allocating a
165 generic label for the given object. What follows initialization is
166 creation, where a label is made specific to the object it is associated
167 with. Destruction occurs when the label is no longer needed, such as
168 when the corresponding object is destroyed. All necessary cleanup should
169 be performed in label destroy operations.
170
171 Where possible, the label entry points have identical parameters. If
172 the policy module does not require structure-specific label
173 information, the same function may be registered in the policy
174 operation vector. Many policies will implement two such generic
175 allocation calls: one to handle sleepable requests, and one to handle
176 potentially non-sleepable requests.
177*/
178
179
180/**
181 @brief Audit event postselection
182 @param cred Subject credential
183 @param syscode Syscall number
184 @param args Syscall arguments
185 @param error Syscall errno
186 @param retval Syscall return value
187
188 This is the MAC Framework audit postselect, which is called before
189 exiting a syscall to determine if an audit event should be committed.
190 A return value of MAC_AUDIT_NO forces the audit record to be suppressed.
191 Any other return value results in the audit record being committed.
192
193 @warning The suppression behavior will probably go away in Apple's
194 future version of the audit implementation.
195
196 @return Return MAC_AUDIT_NO to force suppression of the audit record.
197 Any other value results in the audit record being committed.
198
199*/
200typedef int mpo_audit_check_postselect_t(
201 kauth_cred_t cred,
202 unsigned short syscode,
203 void *args,
204 int error,
205 int retval
206);
207/**
208 @brief Audit event preselection
209 @param cred Subject credential
210 @param syscode Syscall number
211 @param args Syscall arguments
212
213 This is the MAC Framework audit preselect, which is called before a
214 syscall is entered to determine if an audit event should be created.
215 If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be
216 returned. A return value of MAC_AUDIT_NO causes the audit record to
217 be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants
218 to defer to the system's existing preselection mechanism.
219
220 When policies return different preferences, the Framework decides what action
221 to take based on the following policy. If any policy returns MAC_AUDIT_YES,
222 then create an audit record, else if any policy returns MAC_AUDIT_NO, then
223 suppress the creations of an audit record, else defer to the system's
224 existing preselection mechanism.
225
226 @warning The audit implementation in Apple's current version is
227 incomplete, so the MAC policies have priority over the system's existing
228 mechanisms. This will probably change in the future version where
229 the audit implementation is more complete.
230
231 @return Return MAC_AUDIT_YES to force auditing of the syscall,
232 MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT
233 to allow auditing mechanisms to determine if the syscall is audited.
234
235*/
236typedef int mpo_audit_check_preselect_t(
237 kauth_cred_t cred,
238 unsigned short syscode,
239 void *args
240);
241/**
242 @brief Initialize BPF descriptor label
243 @param label New label to initialize
244
245 Initialize the label for a newly instantiated BPF descriptor.
246 Sleeping is permitted.
247*/
248typedef void mpo_bpfdesc_label_init_t(
249 struct label *label
250);
251/**
252 @brief Destroy BPF descriptor label
253 @param label The label to be destroyed
254
255 Destroy a BPF descriptor label. Since the BPF descriptor
256 is going out of scope, policy modules should free any internal
257 storage associated with the label so that it may be destroyed.
258*/
259typedef void mpo_bpfdesc_label_destroy_t(
260 struct label *label
261);
262/**
263 @brief Associate a BPF descriptor with a label
264 @param cred User credential creating the BPF descriptor
265 @param bpf_d The BPF descriptor
266 @param bpflabel The new label
267
268 Set the label on a newly created BPF descriptor from the passed
269 subject credential. This call will be made when a BPF device node
270 is opened by a process with the passed subject credential.
271*/
272typedef void mpo_bpfdesc_label_associate_t(
273 kauth_cred_t cred,
274 struct bpf_d *bpf_d,
275 struct label *bpflabel
276);
277/**
278 @brief Check whether BPF can read from a network interface
279 @param bpf_d Subject; the BPF descriptor
280 @param bpflabel Policy label for bpf_d
281 @param ifp Object; the network interface
282 @param ifnetlabel Policy label for ifp
283
284 Determine whether the MAC framework should permit datagrams from
285 the passed network interface to be delivered to the buffers of
286 the passed BPF descriptor. Return (0) for success, or an errno
287 value for failure. Suggested failure: EACCES for label mismatches,
288 EPERM for lack of privilege.
289*/
290typedef int mpo_bpfdesc_check_receive_t(
291 struct bpf_d *bpf_d,
292 struct label *bpflabel,
293 struct ifnet *ifp,
294 struct label *ifnetlabel
295);
296/**
297 @brief Indicate desire to change the process label at exec time
298 @param old Existing subject credential
299 @param vp File being executed
fe8ab488
A		 300 @param offset Offset of binary within file being executed
301 @param scriptvp Script being executed by interpreter, if any.
2d21ac55
A		 302 @param vnodelabel Label corresponding to vp
303 @param scriptvnodelabel Script vnode label
304 @param execlabel Userspace provided execution label
305 @param proc Object process
39236c6e
A		 306 @param macpolicyattr MAC policy-specific spawn attribute data
307 @param macpolicyattrlen Length of policy-specific spawn attribute data
2d21ac55
A		 308 @see mac_execve
309 @see mpo_cred_label_update_execve_t
310 @see mpo_vnode_check_exec_t
311
312 Indicate whether this policy intends to update the label of a newly
313 created credential from the existing subject credential (old). This
314 call occurs when a process executes the passed vnode. If a policy
315 returns success from this entry point, the mpo_cred_label_update_execve
316 entry point will later be called with the same parameters. Access
317 has already been checked via the mpo_vnode_check_exec entry point,
318 this entry point is necessary to preserve kernel locking constraints
319 during program execution.
320
321 The supplied vnode and vnodelabel correspond with the file actually
322 being executed; in the case that the file is interpreted (for
323 example, a script), the label of the original exec-time vnode has
324 been preserved in scriptvnodelabel.
325
326 The final label, execlabel, corresponds to a label supplied by a
327 user space application through the use of the mac_execve system call.
328
329 The vnode lock is held during this operation. No changes should be
330 made to the old credential structure.
331
332 @warning Even if a policy returns 0, it should behave correctly in
333 the presence of an invocation of mpo_cred_label_update_execve, as that
334 call may happen as a result of another policy requesting a transition.
335
336 @return Non-zero if a transition is required, 0 otherwise.
337*/
338typedef int mpo_cred_check_label_update_execve_t(
339 kauth_cred_t old,
340 struct vnode *vp,
fe8ab488 341 off_t offset,
39236c6e 342 struct vnode *scriptvp,
2d21ac55
A		 343 struct label *vnodelabel,
344 struct label *scriptvnodelabel,
345 struct label *execlabel,
39236c6e
A		 346 struct proc *p,
347 void *macpolicyattr,
348 size_t macpolicyattrlen
2d21ac55
A		 349);
350/**
351 @brief Access control check for relabelling processes
352 @param cred Subject credential
353 @param newlabel New label to apply to the user credential
354 @see mpo_cred_label_update_t
355 @see mac_set_proc
356
357 Determine whether the subject identified by the credential can relabel
358 itself to the supplied new label (newlabel). This access control check
359 is called when the mac_set_proc system call is invoked. A user space
360 application will supply a new value, the value will be internalized
361 and provided in newlabel.
362
363 @return Return 0 if access is granted, otherwise an appropriate value for
364 errno should be returned.
365*/
366typedef int mpo_cred_check_label_update_t(
367 kauth_cred_t cred,
368 struct label *newlabel
369);
370/**
371 @brief Access control check for visibility of other subjects
372 @param u1 Subject credential
373 @param u2 Object credential
374
375 Determine whether the subject identified by the credential u1 can
376 "see" other subjects with the passed subject credential u2. This call
377 may be made in a number of situations, including inter-process status
378 sysctls used by ps, and in procfs lookups.
379
380 @return Return 0 if access is granted, otherwise an appropriate value for
381 errno should be returned. Suggested failure: EACCES for label mismatch,
382 EPERM for lack of privilege, or ESRCH to hide visibility.
383*/
384typedef int mpo_cred_check_visible_t(
385 kauth_cred_t u1,
386 kauth_cred_t u2
387);
388/**
389 @brief Associate a credential with a new process at fork
390 @param cred credential to inherited by new process
391 @param proc the new process
392
393 Allow a process to associate the credential with a new
394 process for reference countng purposes.
395 NOTE: the credential can be dis-associated in ways other
396 than exit - so this strategy is flawed - should just
397 catch label destroy callback.
398*/
399typedef void mpo_cred_label_associate_fork_t(
400 kauth_cred_t cred,
401 proc_t proc
402);
403/**
404 @brief Create the first process
405 @param cred Subject credential to be labeled
406
407 Create the subject credential of process 0, the parent of all BSD
408 kernel processes. Policies should update the label in the
409 previously initialized credential structure.
410*/
411typedef void mpo_cred_label_associate_kernel_t(
412 kauth_cred_t cred
413);
414/**
415 @brief Create a credential label
416 @param parent_cred Parent credential
417 @param child_cred Child credential
418
419 Set the label of a newly created credential, most likely using the
420 information in the supplied parent credential.
421
422 @warning This call is made when crcopy or crdup is invoked on a
423 newly created struct ucred, and should not be confused with a
424 process fork or creation event.
425*/
426typedef void mpo_cred_label_associate_t(
427 kauth_cred_t parent_cred,
428 kauth_cred_t child_cred
429);
430/**
431 @brief Create the first process
432 @param cred Subject credential to be labeled
433
434 Create the subject credential of process 1, the parent of all BSD
435 user processes. Policies should update the label in the previously
436 initialized credential structure. This is the 'init' process.
437*/
438typedef void mpo_cred_label_associate_user_t(
439 kauth_cred_t cred
440);
441/**
442 @brief Destroy credential label
443 @param label The label to be destroyed
444
445 Destroy a user credential label. Since the user credential
446 is going out of scope, policy modules should free any internal
447 storage associated with the label so that it may be destroyed.
448*/
449typedef void mpo_cred_label_destroy_t(
450 struct label *label
451);
452/**
453 @brief Externalize a user credential label for auditing
454 @param label Label to be externalized
455 @param element_name Name of the label namespace for which labels should be
456 externalized
457 @param sb String buffer to be filled with a text representation of the label
458
459 Produce an external representation of the label on a user credential for
460 inclusion in an audit record. An externalized label consists of a text
461 representation of the label contents that will be added to the audit record
462 as part of a text token. Policy-agnostic user space tools will display
463 this externalized version.
464
465 @return 0 on success, return non-zero if an error occurs while
466 externalizing the label data.
467
468*/
469typedef int mpo_cred_label_externalize_audit_t(
470 struct label *label,
471 char *element_name,
472 struct sbuf *sb
473);
474/**
475 @brief Externalize a user credential label
476 @param label Label to be externalized
477 @param element_name Name of the label namespace for which labels should be
478 externalized
479 @param sb String buffer to be filled with a text representation of the label
480
481 Produce an external representation of the label on a user
482 credential. An externalized label consists of a text representation
483 of the label contents that can be used with user applications.
484 Policy-agnostic user space tools will display this externalized
485 version.
486
487 @return 0 on success, return non-zero if an error occurs while
488 externalizing the label data.
489
490*/
491typedef int mpo_cred_label_externalize_t(
492 struct label *label,
493 char *element_name,
494 struct sbuf *sb
495);
496/**
497 @brief Initialize user credential label
498 @param label New label to initialize
499
500 Initialize the label for a newly instantiated user credential.
501 Sleeping is permitted.
502*/
503typedef void mpo_cred_label_init_t(
504 struct label *label
505);
506/**
507 @brief Internalize a user credential label
508 @param label Label to be internalized
509 @param element_name Name of the label namespace for which the label should
510 be internalized
511 @param element_data Text data to be internalized
512
513 Produce a user credential label from an external representation. An
514 externalized label consists of a text representation of the label
515 contents that can be used with user applications. Policy-agnostic
516 user space tools will forward text version to the kernel for
517 processing by individual policy modules.
518
519 The policy's internalize entry points will be called only if the
520 policy has registered interest in the label namespace.
521
522 @return 0 on success, Otherwise, return non-zero if an error occurs
523 while internalizing the label data.
524
525*/
526typedef int mpo_cred_label_internalize_t(
527 struct label *label,
528 char *element_name,
529 char *element_data
530);
531/**
532 @brief Update credential at exec time
533 @param old_cred Existing subject credential
534 @param new_cred New subject credential to be labeled
39236c6e 535 @param p Object process.
2d21ac55 536 @param vp File being executed
fe8ab488
A		 537 @param offset Offset of binary within file being executed
538 @param scriptvp Script being executed by interpreter, if any.
2d21ac55
A		 539 @param vnodelabel Label corresponding to vp
540 @param scriptvnodelabel Script vnode label
541 @param execlabel Userspace provided execution label
fe8ab488 542 @param csflags Code signing flags to be set after exec
39236c6e
A		 543 @param macpolicyattr MAC policy-specific spawn attribute data.
544 @param macpolicyattrlen Length of policy-specific spawn attribute data.
2d21ac55
A		 545 @see mac_execve
546 @see mpo_cred_check_label_update_execve_t
547 @see mpo_vnode_check_exec_t
548
549 Update the label of a newly created credential (new) from the
550 existing subject credential (old). This call occurs when a process
551 executes the passed vnode and one of the loaded policy modules has
552 returned success from the mpo_cred_check_label_update_execve entry point.
553 Access has already been checked via the mpo_vnode_check_exec entry
554 point, this entry point is only used to update any policy state.
555
556 The supplied vnode and vnodelabel correspond with the file actually
557 being executed; in the case that the file is interpreted (for
558 example, a script), the label of the original exec-time vnode has
559 been preserved in scriptvnodelabel.
560
561 The final label, execlabel, corresponds to a label supplied by a
562 user space application through the use of the mac_execve system call.
563
c910b4d9
A		 564 If non-NULL, the value pointed to by disjointp will be set to 0 to
565 indicate that the old and new credentials are not disjoint, or 1 to
566 indicate that they are.
567
2d21ac55
A		 568 The vnode lock is held during this operation. No changes should be
569 made to the old credential structure.
fe8ab488
A		 570 @return 0 on success, Otherwise, return non-zero if update results in
571 termination of child.
2d21ac55 572*/
fe8ab488 573typedef int mpo_cred_label_update_execve_t(
2d21ac55
A		 574 kauth_cred_t old_cred,
575 kauth_cred_t new_cred,
39236c6e 576 struct proc *p,
2d21ac55 577 struct vnode *vp,
fe8ab488 578 off_t offset,
39236c6e 579 struct vnode *scriptvp,
2d21ac55
A		 580 struct label *vnodelabel,
581 struct label *scriptvnodelabel,
c910b4d9 582 struct label *execlabel,
fe8ab488 583 u_int *csflags,
39236c6e
A		 584 void *macpolicyattr,
585 size_t macpolicyattrlen,
c910b4d9 586 int *disjointp
2d21ac55
A		 587);
588/**
589 @brief Update a credential label
590 @param cred The existing credential
591 @param newlabel A new label to apply to the credential
592 @see mpo_cred_check_label_update_t
593 @see mac_set_proc
594
595 Update the label on a user credential, using the supplied new label.
596 This is called as a result of a process relabel operation. Access
597 control was already confirmed by mpo_cred_check_label_update.
598*/
599typedef void mpo_cred_label_update_t(
600 kauth_cred_t cred,
601 struct label *newlabel
602);
603/**
604 @brief Create a new devfs device
605 @param dev Major and minor numbers of special file
606 @param de "inode" of new device file
607 @param label Destination label
608 @param fullpath Path relative to mount (e.g. /dev) of new device file
609
610 This entry point labels a new devfs device. The label will likely be based
611 on the path to the device, or the major and minor numbers.
612 The policy should store an appropriate label into 'label'.
613*/
614typedef void mpo_devfs_label_associate_device_t(
615 dev_t dev,
616 struct devnode *de,
617 struct label *label,
618 const char *fullpath
619);
620/**
621 @brief Create a new devfs directory
622 @param dirname Name of new directory
623 @param dirnamelen Length of 'dirname'
624 @param de "inode" of new directory
625 @param label Destination label
626 @param fullpath Path relative to mount (e.g. /dev) of new directory
627
628 This entry point labels a new devfs directory. The label will likely be
629 based on the path of the new directory. The policy should store an appropriate
630 label into 'label'. The devfs root directory is labelled in this way.
631*/
632typedef void mpo_devfs_label_associate_directory_t(
633 const char *dirname,
634 int dirnamelen,
635 struct devnode *de,
636 struct label *label,
637 const char *fullpath
638);
639/**
640 @brief Copy a devfs label
641 @param src Source devfs label
642 @param dest Destination devfs label
643
644 Copy the label information from src to dest. The devfs file system
645 often duplicates (splits) existing device nodes rather than creating
646 new ones.
647*/
648typedef void mpo_devfs_label_copy_t(
649 struct label *src,
650 struct label *dest
651);
652/**
653 @brief Destroy devfs label
654 @param label The label to be destroyed
655
656 Destroy a devfs entry label. Since the object is going out
657 of scope, policy modules should free any internal storage associated
658 with the label so that it may be destroyed.
659*/
660typedef void mpo_devfs_label_destroy_t(
661 struct label *label
662);
663/**
664 @brief Initialize devfs label
665 @param label New label to initialize
666
667 Initialize the label for a newly instantiated devfs entry. Sleeping
668 is permitted.
669*/
670typedef void mpo_devfs_label_init_t(
671 struct label *label
672);
673/**
674 @brief Update a devfs label after relabelling its vnode
675 @param mp Devfs mount point
676 @param de Affected devfs directory entry
677 @param delabel Label of devfs directory entry
678 @param vp Vnode associated with de
679 @param vnodelabel New label of vnode
680
681 Update a devfs label when its vnode is manually relabelled,
682 for example with setfmac(1). Typically, this will simply copy
683 the vnode label into the devfs label.
684*/
685typedef void mpo_devfs_label_update_t(
686 struct mount *mp,
687 struct devnode *de,
688 struct label *delabel,
689 struct vnode *vp,
690 struct label *vnodelabel
691);
692/**
693 @brief Access control for changing the offset of a file descriptor
694 @param cred Subject credential
695 @param fg Fileglob structure
696 @param label Policy label for fg
697
698 Determine whether the subject identified by the credential can
699 change the offset of the file represented by fg.
700
701 @return Return 0 if access if granted, otherwise an appropriate
702 value for errno should be returned.
703*/
704typedef int mpo_file_check_change_offset_t(
705 kauth_cred_t cred,
706 struct fileglob *fg,
707 struct label *label
708);
709/**
710 @brief Access control for creating a file descriptor
711 @param cred Subject credential
712
713 Determine whether the subject identified by the credential can
714 allocate a new file descriptor.
715
716 @return Return 0 if access if granted, otherwise an appropriate
717 value for errno should be returned.
718*/
719typedef int mpo_file_check_create_t(
720 kauth_cred_t cred
721);
722/**
723 @brief Access control for duplicating a file descriptor
724 @param cred Subject credential
725 @param fg Fileglob structure
726 @param label Policy label for fg
727 @param newfd New file descriptor number
728
729 Determine whether the subject identified by the credential can
730 duplicate the fileglob structure represented by fg and as file
731 descriptor number newfd.
732
733 @return Return 0 if access if granted, otherwise an appropriate
734 value for errno should be returned.
735*/
736typedef int mpo_file_check_dup_t(
737 kauth_cred_t cred,
738 struct fileglob *fg,
739 struct label *label,
740 int newfd
741);
742/**
743 @brief Access control check for fcntl
744 @param cred Subject credential
745 @param fg Fileglob structure
746 @param label Policy label for fg
747 @param cmd Control operation to be performed; see fcntl(2)
748 @param arg fcnt arguments; see fcntl(2)
749
750 Determine whether the subject identified by the credential can perform
751 the file control operation indicated by cmd.
752
753 @return Return 0 if access is granted, otherwise an appropriate value for
754 errno should be returned.
755*/
756typedef int mpo_file_check_fcntl_t(
757 kauth_cred_t cred,
758 struct fileglob *fg,
759 struct label *label,
760 int cmd,
761 user_long_t arg
762);
763/**
764 @brief Access control check for mac_get_fd
765 @param cred Subject credential
766 @param fg Fileglob structure
767 @param elements Element buffer
768 @param len Length of buffer
769
770 Determine whether the subject identified by the credential should be allowed
771 to get an externalized version of the label on the object indicated by fd.
772
773 @return Return 0 if access is granted, otherwise an appropriate value for
774 errno should be returned.
775*/
776typedef int mpo_file_check_get_t(
777 kauth_cred_t cred,
778 struct fileglob *fg,
779 char *elements,
780 int len
781);
782/**
783 @brief Access control for getting the offset of a file descriptor
784 @param cred Subject credential
785 @param fg Fileglob structure
786 @param label Policy label for fg
787
788 Determine whether the subject identified by the credential can
789 get the offset of the file represented by fg.
790
791 @return Return 0 if access if granted, otherwise an appropriate
792 value for errno should be returned.
793*/
794typedef int mpo_file_check_get_offset_t(
795 kauth_cred_t cred,
796 struct fileglob *fg,
797 struct label *label
798);
799/**
800 @brief Access control for inheriting a file descriptor
801 @param cred Subject credential
802 @param fg Fileglob structure
803 @param label Policy label for fg
804
805 Determine whether the subject identified by the credential can
806 inherit the fileglob structure represented by fg.
807
808 @return Return 0 if access if granted, otherwise an appropriate
809 value for errno should be returned.
810*/
811typedef int mpo_file_check_inherit_t(
812 kauth_cred_t cred,
813 struct fileglob *fg,
814 struct label *label
815);
816/**
817 @brief Access control check for file ioctl
818 @param cred Subject credential
819 @param fg Fileglob structure
820 @param label Policy label for fg
821 @param cmd The ioctl command; see ioctl(2)
822
823 Determine whether the subject identified by the credential can perform
824 the ioctl operation indicated by cmd.
825
826 @warning Since ioctl data is opaque from the standpoint of the MAC
827 framework, policies must exercise extreme care when implementing
828 access control checks.
829
830 @return Return 0 if access is granted, otherwise an appropriate value for
831 errno should be returned.
832
833*/
834typedef int mpo_file_check_ioctl_t(
835 kauth_cred_t cred,
836 struct fileglob *fg,
837 struct label *label,
838 unsigned int cmd
839);
840/**
841 @brief Access control check for file locking
842 @param cred Subject credential
843 @param fg Fileglob structure
844 @param label Policy label for fg
845 @param op The lock operation (F_GETLK, F_SETLK, F_UNLK)
846 @param fl The flock structure
847
848 Determine whether the subject identified by the credential can perform
849 the lock operation indicated by op and fl on the file represented by fg.
850
851 @return Return 0 if access is granted, otherwise an appropriate value for
852 errno should be returned.
853
854*/
855typedef int mpo_file_check_lock_t(
856 kauth_cred_t cred,
857 struct fileglob *fg,
858 struct label *label,
859 int op,
860 struct flock *fl
861);
862/**
863 @brief Access control check for mapping a file
864 @param cred Subject credential
865 @param fg fileglob representing file to map
866 @param label Policy label associated with vp
867 @param prot mmap protections; see mmap(2)
868 @param flags Type of mapped object; see mmap(2)
869 @param maxprot Maximum rights
870
871 Determine whether the subject identified by the credential should be
872 allowed to map the file represented by fg with the protections specified
873 in prot. The maxprot field holds the maximum permissions on the new
874 mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE.
875 To avoid overriding prior access control checks, a policy should only
876 remove flags from maxprot.
877
878 @return Return 0 if access is granted, otherwise an appropriate value for
879 errno should be returned. Suggested failure: EACCES for label mismatch or
880 EPERM for lack of privilege.
881*/
882typedef int mpo_file_check_mmap_t(
883 kauth_cred_t cred,
884 struct fileglob *fg,
885 struct label *label,
886 int prot,
887 int flags,
3e170ce0 888 uint64_t file_pos,
2d21ac55
A		 889 int *maxprot
890);
891/**
892 @brief Downgrade the mmap protections
893 @param cred Subject credential
894 @param fg file to map
895 @param label Policy label associated with vp
896 @param prot mmap protections to be downgraded
897
898 Downgrade the mmap protections based on the subject and object labels.
899*/
900typedef void mpo_file_check_mmap_downgrade_t(
901 kauth_cred_t cred,
902 struct fileglob *fg,
903 struct label *label,
904 int *prot
905);
906/**
907 @brief Access control for receiving a file descriptor
908 @param cred Subject credential
909 @param fg Fileglob structure
910 @param label Policy label for fg
911
912 Determine whether the subject identified by the credential can
913 receive the fileglob structure represented by fg.
914
915 @return Return 0 if access if granted, otherwise an appropriate
916 value for errno should be returned.
917*/
918typedef int mpo_file_check_receive_t(
919 kauth_cred_t cred,
920 struct fileglob *fg,
921 struct label *label
922);
923/**
924 @brief Access control check for mac_set_fd
925 @param cred Subject credential
926 @param fg Fileglob structure
927 @param elements Elements buffer
928 @param len Length of elements buffer
929
930 Determine whether the subject identified by the credential can
931 perform the mac_set_fd operation. The mac_set_fd operation is used
932 to associate a MAC label with a file.
933
934 @return Return 0 if access is granted, otherwise an appropriate value for
935 errno should be returned.
936*/
937typedef int mpo_file_check_set_t(
938 kauth_cred_t cred,
939 struct fileglob *fg,
940 char *elements,
941 int len
942);
943/**
944 @brief Create file label
945 @param cred Subject credential
946 @param fg Fileglob structure
947 @param label Policy label for fg
948*/
949typedef void mpo_file_label_associate_t(
950 kauth_cred_t cred,
951 struct fileglob *fg,
952 struct label *label
953);
954/**
955 @brief Destroy file label
956 @param label The label to be destroyed
957
958 Destroy the label on a file descriptor. In this entry point, a
959 policy module should free any internal storage associated with
960 label so that it may be destroyed.
961*/
962typedef void mpo_file_label_destroy_t(
963 struct label *label
964);
965/**
966 @brief Initialize file label
967 @param label New label to initialize
968*/
969typedef void mpo_file_label_init_t(
970 struct label *label
971);
972/**
973 @brief Access control check for relabeling network interfaces
974 @param cred Subject credential
975 @param ifp network interface being relabeled
976 @param ifnetlabel Current label of the network interfaces
977 @param newlabel New label to apply to the network interfaces
978 @see mpo_ifnet_label_update_t
979
980 Determine whether the subject identified by the credential can
981 relabel the network interface represented by ifp to the supplied
982 new label (newlabel).
983
984 @return Return 0 if access is granted, otherwise an appropriate value for
985 errno should be returned.
986*/
987typedef int mpo_ifnet_check_label_update_t(
988 kauth_cred_t cred,
989 struct ifnet *ifp,
990 struct label *ifnetlabel,
991 struct label *newlabel
992);
993/**
994 @brief Access control check for relabeling network interfaces
995 @param ifp Network interface mbuf will be transmitted through
996 @param ifnetlabel Label of the network interfaces
997 @param m The mbuf to be transmitted
998 @param mbuflabel Label of the mbuf to be transmitted
999 @param family Address Family, AF_*
1000 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
1001
1002 Determine whether the mbuf with label mbuflabel may be transmitted
1003 through the network interface represented by ifp that has the
1004 label ifnetlabel.
1005
1006 @return Return 0 if access is granted, otherwise an appropriate value for
1007 errno should be returned.
1008*/
1009typedef int mpo_ifnet_check_transmit_t(
1010 struct ifnet *ifp,
1011 struct label *ifnetlabel,
1012 struct mbuf *m,
1013 struct label *mbuflabel,
1014 int family,
1015 int type
1016);
1017/**
1018 @brief Create a network interface label
1019 @param ifp Network interface labeled
1020 @param ifnetlabel Label for the network interface
1021
1022 Set the label of a newly created network interface, most likely
1023 using the information in the supplied network interface struct.
1024*/
1025typedef void mpo_ifnet_label_associate_t(
1026 struct ifnet *ifp,
1027 struct label *ifnetlabel
1028);
1029/**
1030 @brief Copy an ifnet label
1031 @param src Source ifnet label
1032 @param dest Destination ifnet label
1033
1034 Copy the label information from src to dest.
1035*/
1036typedef void mpo_ifnet_label_copy_t(
1037 struct label *src,
1038 struct label *dest
1039);
1040/**
1041 @brief Destroy ifnet label
1042 @param label The label to be destroyed
1043
1044 Destroy the label on an ifnet label. In this entry point, a
1045 policy module should free any internal storage associated with
1046 label so that it may be destroyed.
1047*/
1048typedef void mpo_ifnet_label_destroy_t(
1049 struct label *label
1050);
1051/**
1052 @brief Externalize an ifnet label
1053 @param label Label to be externalized
1054 @param element_name Name of the label namespace for which labels should be
1055 externalized
1056 @param sb String buffer to be filled with a text representation of the label
1057
1058 Produce an external representation of the label on an interface.
1059 An externalized label consists of a text representation of the
1060 label contents that can be used with user applications.
1061 Policy-agnostic user space tools will display this externalized
1062 version.
1063
1064 @return 0 on success, return non-zero if an error occurs while
1065 externalizing the label data.
1066
1067*/
1068typedef int mpo_ifnet_label_externalize_t(
1069 struct label *label,
1070 char *element_name,
1071 struct sbuf *sb
1072);
1073/**
1074 @brief Initialize ifnet label
1075 @param label New label to initialize
1076*/
1077typedef void mpo_ifnet_label_init_t(
1078 struct label *label
1079);
1080/**
1081 @brief Internalize an interface label
1082 @param label Label to be internalized
1083 @param element_name Name of the label namespace for which the label should
1084 be internalized
1085 @param element_data Text data to be internalized
1086
1087 Produce an interface label from an external representation. An
1088 externalized label consists of a text representation of the label
1089 contents that can be used with user applications. Policy-agnostic
1090 user space tools will forward text version to the kernel for
1091 processing by individual policy modules.
1092
1093 The policy's internalize entry points will be called only if the
1094 policy has registered interest in the label namespace.
1095
1096 @return 0 on success, Otherwise, return non-zero if an error occurs
1097 while internalizing the label data.
1098
1099*/
1100typedef int mpo_ifnet_label_internalize_t(
1101 struct label *label,
1102 char *element_name,
1103 char *element_data
1104);
1105/**
1106 @brief Recycle up a network interface label
1107 @param label The label to be recycled
1108
1109 Recycle a network interface label. Darwin caches the struct ifnet
1110 of detached ifnets in a "free pool". Before ifnets are returned
1111 to the "free pool", policies can cleanup or overwrite any information
1112 present in the label.
1113*/
1114typedef void mpo_ifnet_label_recycle_t(
1115 struct label *label
1116);
1117/**
1118 @brief Update a network interface label
1119 @param cred Subject credential
1120 @param ifp The network interface to be relabeled
1121 @param ifnetlabel The current label of the network interface
1122 @param newlabel A new label to apply to the network interface
1123 @see mpo_ifnet_check_label_update_t
1124
1125 Update the label on a network interface, using the supplied new label.
1126*/
1127typedef void mpo_ifnet_label_update_t(
1128 kauth_cred_t cred,
1129 struct ifnet *ifp,
1130 struct label *ifnetlabel,
1131 struct label *newlabel
1132);
1133/**
1134 @brief Access control check for delivering a packet to a socket
1135 @param inp inpcb the socket is associated with
1136 @param inplabel Label of the inpcb
1137 @param m The mbuf being received
1138 @param mbuflabel Label of the mbuf being received
1139 @param family Address family, AF_*
1140 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
1141
1142 Determine whether the mbuf with label mbuflabel may be received
1143 by the socket associated with inpcb that has the label inplabel.
1144
1145 @return Return 0 if access is granted, otherwise an appropriate value for
1146 errno should be returned.
1147*/
1148typedef int mpo_inpcb_check_deliver_t(
1149 struct inpcb *inp,
1150 struct label *inplabel,
1151 struct mbuf *m,
1152 struct label *mbuflabel,
1153 int family,
1154 int type
1155);
1156/**
1157 @brief Create an inpcb label
1158 @param so Socket containing the inpcb to be labeled
1159 @param solabel Label of the socket
1160 @param inp inpcb to be labeled
1161 @param inplabel Label for the inpcb
1162
1163 Set the label of a newly created inpcb, most likely
1164 using the information in the socket and/or socket label.
1165*/
1166typedef void mpo_inpcb_label_associate_t(
1167 struct socket *so,
1168 struct label *solabel,
1169 struct inpcb *inp,
1170 struct label *inplabel
1171);
1172/**
1173 @brief Destroy inpcb label
1174 @param label The label to be destroyed
1175
1176 Destroy the label on an inpcb label. In this entry point, a
1177 policy module should free any internal storage associated with
1178 label so that it may be destroyed.
1179*/
1180typedef void mpo_inpcb_label_destroy_t(
1181 struct label *label
1182);
1183/**
1184 @brief Initialize inpcb label
1185 @param label New label to initialize
1186 @param flag M_WAITOK or M_NOWAIT
1187*/
1188typedef int mpo_inpcb_label_init_t(
1189 struct label *label,
1190 int flag
1191);
1192/**
1193 @brief Recycle up an inpcb label
1194 @param label The label to be recycled
1195
1196 Recycle an inpcb label. Darwin allocates the inpcb as part of
1197 the socket structure in some cases. For this case we must recycle
1198 rather than destroy the inpcb as it will be reused later.
1199*/
1200typedef void mpo_inpcb_label_recycle_t(
1201 struct label *label
1202);
1203/**
1204 @brief Update an inpcb label from a socket label
1205 @param so Socket containing the inpcb to be relabeled
1206 @param solabel New label of the socket
1207 @param inp inpcb to be labeled
1208 @param inplabel Label for the inpcb
1209
1210 Set the label of a newly created inpcb due to a change in the
1211 underlying socket label.
1212*/
1213typedef void mpo_inpcb_label_update_t(
1214 struct socket *so,
1215 struct label *solabel,
1216 struct inpcb *inp,
1217 struct label *inplabel
1218);
1219/**
1220 @brief Device hardware access control
1221 @param devtype Type of device connected
1222 @param properties XML-formatted property list
1223 @param proplen Length of the property list
1224
1225 This is the MAC Framework device access control, which is called by the I/O
1226 Kit when a new device is connected to the system to determine whether that
1227 device should be trusted. A list of properties associated with the device
1228 is passed as an XML-formatted string. The routine should examine these
1229 properties to determine the trustworthiness of the device. A return value
1230 of EPERM forces the device to be claimed by a special device driver that
1231 will prevent its operation.
1232
1233 @warning This is an experimental interface and may change in the future.
1234
1235 @return Return EPERM to indicate that the device is untrusted and should
1236 not be allowed to operate. Return zero to indicate that the device is
1237 trusted and should be allowed to operate normally.
1238
1239*/
1240typedef int mpo_iokit_check_device_t(
1241 char *devtype,
1242 struct mac_module_data *mdata
1243);
6d2010ae
A		 1244/**
1245 @brief Access control check for opening an I/O Kit device
1246 @param cred Subject credential
1247 @param device_path Device path
1248 @param user_client User client instance
1249 @param user_client_type User client type
1250
1251 Determine whether the subject identified by the credential can open an
1252 I/O Kit device at the passed path of the passed user client class and
1253 type.
1254
1255 @return Return 0 if access is granted, or an appropriate value for
1256 errno should be returned.
1257*/
1258typedef int mpo_iokit_check_open_t(
1259 kauth_cred_t cred,
1260 io_object_t user_client,
1261 unsigned int user_client_type
1262);
1263/**
1264 @brief Access control check for setting I/O Kit device properties
1265 @param cred Subject credential
fe8ab488 1266 @param entry Target device
6d2010ae
A		 1267 @param properties Property list
1268
1269 Determine whether the subject identified by the credential can set
1270 properties on an I/O Kit device.
1271
1272 @return Return 0 if access is granted, or an appropriate value for
1273 errno should be returned.
1274*/
1275typedef int mpo_iokit_check_set_properties_t(
1276 kauth_cred_t cred,
1277 io_object_t entry,
1278 io_object_t properties
1279);
fe8ab488
A		 1280/**
1281 @brief Indicate desire to filter I/O Kit devices properties
1282 @param cred Subject credential
1283 @param entry Target device
1284 @see mpo_iokit_check_get_property_t
1285
1286 Indicate whether this policy may restrict the subject credential
1287 from reading properties of the target device.
1288 If a policy returns success from this entry point, the
1289 mpo_iokit_check_get_property entry point will later be called
1290 for each property that the subject credential tries to read from
1291 the target device.
1292
1293 This entry point is primarilly to optimize bulk property reads
1294 by skipping calls to the mpo_iokit_check_get_property entry point
1295 for credentials / devices no MAC policy is interested in.
1296
1297 @warning Even if a policy returns 0, it should behave correctly in
1298 the presence of an invocation of mpo_iokit_check_get_property, as that
1299 call may happen as a result of another policy requesting a transition.
1300
1301 @return Non-zero if a transition is required, 0 otherwise.
1302 */
1303typedef int mpo_iokit_check_filter_properties_t(
1304 kauth_cred_t cred,
1305 io_object_t entry
1306);
1307/**
1308 @brief Access control check for getting I/O Kit device properties
1309 @param cred Subject credential
1310 @param entry Target device
1311 @param name Property name
1312
1313 Determine whether the subject identified by the credential can get
1314 properties on an I/O Kit device.
1315
1316 @return Return 0 if access is granted, or an appropriate value for
1317 errno.
1318*/
1319typedef int mpo_iokit_check_get_property_t(
1320 kauth_cred_t cred,
1321 io_object_t entry,
1322 const char *name
1323);
6d2010ae
A		 1324/**
1325 @brief Access control check for software HID control
1326 @param cred Subject credential
1327
1328 Determine whether the subject identified by the credential can
1329 control the HID (Human Interface Device) subsystem, such as to
1330 post synthetic keypresses, pointer movement and clicks.
1331
1332 @return Return 0 if access is granted, or an appropriate value for
1333 errno.
1334*/
1335typedef int mpo_iokit_check_hid_control_t(
1336 kauth_cred_t cred
1337);
2d21ac55
A		 1338/**
1339 @brief Create an IP reassembly queue label
1340 @param fragment First received IP fragment
1341 @param fragmentlabel Policy label for fragment
1342 @param ipq IP reassembly queue to be labeled
1343 @param ipqlabel Policy label to be filled in for ipq
1344
1345 Set the label on a newly created IP reassembly queue from
1346 the mbuf header of the first received fragment.
1347*/
1348typedef void mpo_ipq_label_associate_t(
1349 struct mbuf *fragment,
1350 struct label *fragmentlabel,
1351 struct ipq *ipq,
1352 struct label *ipqlabel
1353);
1354/**
1355 @brief Compare an mbuf header label to an ipq label
1356 @param fragment IP datagram fragment
1357 @param fragmentlabel Policy label for fragment
1358 @param ipq IP fragment reassembly queue
1359 @param ipqlabel Policy label for ipq
1360
1361 Compare the label of the mbuf header containing an IP datagram
1362 (fragment) fragment with the label of the passed IP fragment
1363 reassembly queue (ipq). Return (1) for a successful match, or (0)
1364 for no match. This call is made when the IP stack attempts to
1365 find an existing fragment reassembly queue for a newly received
1366 fragment; if this fails, a new fragment reassembly queue may be
1367 instantiated for the fragment. Policies may use this entry point
1368 to prevent the reassembly of otherwise matching IP fragments if
1369 policy does not permit them to be reassembled based on the label
1370 or other information.
1371*/
1372typedef int mpo_ipq_label_compare_t(
1373 struct mbuf *fragment,
1374 struct label *fragmentlabel,
1375 struct ipq *ipq,
1376 struct label *ipqlabel
1377);
1378/**
1379 @brief Destroy IP reassembly queue label
1380 @param label The label to be destroyed
1381
1382 Destroy the label on an IP fragment queue. In this entry point, a
1383 policy module should free any internal storage associated with
1384 label so that it may be destroyed.
1385*/
1386typedef void mpo_ipq_label_destroy_t(
1387 struct label *label
1388);
1389/**
1390 @brief Initialize IP reassembly queue label
1391 @param label New label to initialize
1392 @param flag M_WAITOK or M_NOWAIT
1393
1394 Initialize the label on a newly instantiated IP fragment reassembly
1395 queue. The flag field may be one of M_WAITOK and M_NOWAIT, and
1396 should be employed to avoid performing a sleeping malloc(9) during
1397 this initialization call. IP fragment reassembly queue allocation
1398 frequently occurs in performance sensitive environments, and the
1399 implementation should be careful to avoid sleeping or long-lived
1400 operations. This entry point is permitted to fail resulting in
1401 the failure to allocate the IP fragment reassembly queue.
1402*/
1403typedef int mpo_ipq_label_init_t(
1404 struct label *label,
1405 int flag
1406);
1407/**
1408 @brief Update the label on an IP fragment reassembly queue
1409 @param fragment IP fragment
1410 @param fragmentlabel Policy label for fragment
1411 @param ipq IP fragment reassembly queue
1412 @param ipqlabel Policy label to be updated for ipq
1413
1414 Update the label on an IP fragment reassembly queue (ipq) based
1415 on the acceptance of the passed IP fragment mbuf header (fragment).
1416*/
1417typedef void mpo_ipq_label_update_t(
1418 struct mbuf *fragment,
1419 struct label *fragmentlabel,
1420 struct ipq *ipq,
1421 struct label *ipqlabel
1422);
2d21ac55
A		 1423/**
1424 @brief Assign a label to a new mbuf
1425 @param bpf_d BPF descriptor
1426 @param b_label Policy label for bpf_d
1427 @param m Object; mbuf
1428 @param m_label Policy label to fill in for m
1429
1430 Set the label on the mbuf header of a newly created datagram
1431 generated using the passed BPF descriptor. This call is made when
1432 a write is performed to the BPF device associated with the passed
1433 BPF descriptor.
1434*/
1435typedef void mpo_mbuf_label_associate_bpfdesc_t(
1436 struct bpf_d *bpf_d,
1437 struct label *b_label,
1438 struct mbuf *m,
1439 struct label *m_label
1440);
1441/**
1442 @brief Assign a label to a new mbuf
1443 @param ifp Interface descriptor
1444 @param i_label Existing label of ifp
1445 @param m Object; mbuf
1446 @param m_label Policy label to fill in for m
1447
1448 Label an mbuf based on the interface from which it was received.
1449*/
1450typedef void mpo_mbuf_label_associate_ifnet_t(
1451 struct ifnet *ifp,
1452 struct label *i_label,
1453 struct mbuf *m,
1454 struct label *m_label
1455);
1456/**
1457 @brief Assign a label to a new mbuf
1458 @param inp inpcb structure
1459 @param i_label Existing label of inp
1460 @param m Object; mbuf
1461 @param m_label Policy label to fill in for m
1462
1463 Label an mbuf based on the inpcb from which it was derived.
1464*/
1465typedef void mpo_mbuf_label_associate_inpcb_t(
1466 struct inpcb *inp,
1467 struct label *i_label,
1468 struct mbuf *m,
1469 struct label *m_label
1470);
1471/**
1472 @brief Set the label on a newly reassembled IP datagram
1473 @param ipq IP fragment reassembly queue
1474 @param ipqlabel Policy label for ipq
1475 @param mbuf IP datagram to be labeled
1476 @param mbuflabel Policy label to be filled in for mbuf
1477
1478 Set the label on a newly reassembled IP datagram (mbuf) from the IP
1479 fragment reassembly queue (ipq) from which it was generated.
1480*/
1481typedef void mpo_mbuf_label_associate_ipq_t(
1482 struct ipq *ipq,
1483 struct label *ipqlabel,
1484 struct mbuf *mbuf,
1485 struct label *mbuflabel
1486);
1487/**
1488 @brief Assign a label to a new mbuf
1489 @param ifp Subject; network interface
1490 @param i_label Existing label of ifp
1491 @param m Object; mbuf
1492 @param m_label Policy label to fill in for m
1493
1494 Set the label on the mbuf header of a newly created datagram
1495 generated for the purposes of a link layer response for the passed
1496 interface. This call may be made in a number of situations, including
1497 for ARP or ND6 responses in the IPv4 and IPv6 stacks.
1498*/
1499typedef void mpo_mbuf_label_associate_linklayer_t(
1500 struct ifnet *ifp,
1501 struct label *i_label,
1502 struct mbuf *m,
1503 struct label *m_label
1504);
1505/**
1506 @brief Assign a label to a new mbuf
1507 @param oldmbuf mbuf headerder for existing datagram for existing datagram
1508 @param oldmbuflabel Policy label for oldmbuf
1509 @param ifp Network interface
1510 @param ifplabel Policy label for ifp
1511 @param newmbuf mbuf header to be labeled for new datagram
1512 @param newmbuflabel Policy label for newmbuf
1513
1514 Set the label on the mbuf header of a newly created datagram
1515 generated from the existing passed datagram when it is processed
1516 by the passed multicast encapsulation interface. This call is made
1517 when an mbuf is to be delivered using the virtual interface.
1518*/
1519typedef void mpo_mbuf_label_associate_multicast_encap_t(
1520 struct mbuf *oldmbuf,
1521 struct label *oldmbuflabel,
1522 struct ifnet *ifp,
1523 struct label *ifplabel,
1524 struct mbuf *newmbuf,
1525 struct label *newmbuflabel
1526);
1527/**
1528 @brief Assign a label to a new mbuf
1529 @param oldmbuf Received datagram
1530 @param oldmbuflabel Policy label for oldmbuf
1531 @param newmbuf Newly created datagram
1532 @param newmbuflabel Policy label for newmbuf
1533
1534 Set the label on the mbuf header of a newly created datagram generated
1535 by the IP stack in response to an existing received datagram (oldmbuf).
1536 This call may be made in a number of situations, including when responding
1537 to ICMP request datagrams.
1538*/
1539typedef void mpo_mbuf_label_associate_netlayer_t(
1540 struct mbuf *oldmbuf,
1541 struct label *oldmbuflabel,
1542 struct mbuf *newmbuf,
1543 struct label *newmbuflabel
1544);
1545/**
1546 @brief Assign a label to a new mbuf
1547 @param so Socket to label
1548 @param so_label Policy label for socket
1549 @param m Object; mbuf
1550 @param m_label Policy label to fill in for m
1551
1552 An mbuf structure is used to store network traffic in transit.
1553 When an application sends data to a socket or a pipe, it is wrapped
1554 in an mbuf first. This function sets the label on a newly created mbuf header
1555 based on the socket sending the data. The contents of the label should be
1556 suitable for performing an access check on the receiving side of the
1557 communication.
1558
1559 Only labeled MBUFs will be presented to the policy via this entrypoint.
1560*/
1561typedef void mpo_mbuf_label_associate_socket_t(
1562 socket_t so,
1563 struct label *so_label,
1564 struct mbuf *m,
1565 struct label *m_label
1566);
1567/**
1568 @brief Copy a mbuf label
1569 @param src Source label
1570 @param dest Destination label
1571
1572 Copy the mbuf label information in src into dest.
1573
1574 Only called when both source and destination mbufs have labels.
1575*/
1576typedef void mpo_mbuf_label_copy_t(
1577 struct label *src,
1578 struct label *dest
1579);
1580/**
1581 @brief Destroy mbuf label
1582 @param label The label to be destroyed
1583
1584 Destroy a mbuf label. Since the
1585 object is going out of scope, policy modules should free any
1586 internal storage associated with the label so that it may be
1587 destroyed.
1588*/
1589typedef void mpo_mbuf_label_destroy_t(
1590 struct label *label
1591);
1592/**
1593 @brief Initialize mbuf label
1594 @param label New label to initialize
1595 @param flag Malloc flags
1596
1597 Initialize the label for a newly instantiated mbuf.
1598
1599 @warning Since it is possible for the flags to be set to
1600 M_NOWAIT, the malloc operation may fail.
1601
1602 @return On success, 0, otherwise, an appropriate errno return value.
1603*/
1604typedef int mpo_mbuf_label_init_t(
1605 struct label *label,
1606 int flag
1607);
1608/**
1609 @brief Access control check for fsctl
1610 @param cred Subject credential
1611 @param mp The mount point
1612 @param label Label associated with the mount point
1613 @param com Filesystem-dependent request code; see fsctl(2)
1614
1615 Determine whether the subject identified by the credential can perform
1616 the volume operation indicated by com.
1617
1618 @warning The fsctl() system call is directly analogous to ioctl(); since
1619 the associated data is opaque from the standpoint of the MAC framework
1620 and since these operations can affect many aspects of system operation,
1621 policies must exercise extreme care when implementing access control checks.
1622
1623 @return Return 0 if access is granted, otherwise an appropriate value for
1624 errno should be returned.
1625*/
1626typedef int mpo_mount_check_fsctl_t(
1627 kauth_cred_t cred,
1628 struct mount *mp,
1629 struct label *label,
1630 unsigned int cmd
1631);
1632/**
1633 @brief Access control check for the retrieval of file system attributes
1634 @param cred Subject credential
1635 @param mp The mount structure of the file system
1636 @param vfa The attributes requested
1637
1638 This entry point determines whether given subject can get information
1639 about the given file system. This check happens during statfs() syscalls,
1640 but is also used by other parts within the kernel such as the audit system.
1641
1642 @return Return 0 if access is granted, otherwise an appropriate value for
1643 errno should be returned.
1644*/
1645
1646typedef int mpo_mount_check_getattr_t(
1647 kauth_cred_t cred,
1648 struct mount *mp,
1649 struct label *mp_label,
1650 struct vfs_attr *vfa
1651);
1652/**
1653 @brief Access control check for mount point relabeling
1654 @param cred Subject credential
1655 @param mp Object file system mount point
1656 @param mntlabel Policy label for fle system mount point
1657
1658 Determine whether the subject identified by the credential can relabel
1659 the mount point. This call is made when a file system mount is updated.
1660
1661 @return Return 0 if access is granted, otherwise an appropriate value for
1662 errno should be returned. Suggested failure: EACCES for label mismatch
1663 or EPERM for lack of privilege.
1664*/
1665typedef int mpo_mount_check_label_update_t(
1666 kauth_cred_t cred,
1667 struct mount *mp,
1668 struct label *mntlabel
1669);
1670/**
1671 @brief Access control check for mounting a file system
1672 @param cred Subject credential
1673 @param vp Vnode that is to be the mount point
1674 @param vlabel Label associated with the vnode
1675 @param cnp Component name for vp
1676 @param vfc_name Filesystem type name
1677
1678 Determine whether the subject identified by the credential can perform
1679 the mount operation on the target vnode.
1680
1681 @return Return 0 if access is granted, otherwise an appropriate value for
1682 errno should be returned.
1683*/
1684typedef int mpo_mount_check_mount_t(
1685 kauth_cred_t cred,
1686 struct vnode *vp,
1687 struct label *vlabel,
1688 struct componentname *cnp,
1689 const char *vfc_name
1690);
1691/**
1692 @brief Access control check remounting a filesystem
1693 @param cred Subject credential
1694 @param mp The mount point
1695 @param mlabel Label currently associated with the mount point
1696
1697 Determine whether the subject identified by the credential can perform
1698 the remount operation on the target vnode.
1699
1700 @return Return 0 if access is granted, otherwise an appropriate value for
1701 errno should be returned.
1702*/
1703typedef int mpo_mount_check_remount_t(
1704 kauth_cred_t cred,
1705 struct mount *mp,
1706 struct label *mlabel
1707);
1708/**
1709 @brief Access control check for the settting of file system attributes
1710 @param cred Subject credential
1711 @param mp The mount structure of the file system
1712 @param vfa The attributes requested
1713
1714 This entry point determines whether given subject can set information
1715 about the given file system, for example the volume name.
1716
1717 @return Return 0 if access is granted, otherwise an appropriate value for
1718 errno should be returned.
1719*/
1720
1721typedef int mpo_mount_check_setattr_t(
1722 kauth_cred_t cred,
1723 struct mount *mp,
1724 struct label *mp_label,
1725 struct vfs_attr *vfa
1726);
1727/**
1728 @brief Access control check for file system statistics
1729 @param cred Subject credential
1730 @param mp Object file system mount
1731 @param mntlabel Policy label for mp
1732
1733 Determine whether the subject identified by the credential can see
1734 the results of a statfs performed on the file system. This call may
1735 be made in a number of situations, including during invocations of
1736 statfs(2) and related calls, as well as to determine what file systems
1737 to exclude from listings of file systems, such as when getfsstat(2)
1738 is invoked.
1739
1740 @return Return 0 if access is granted, otherwise an appropriate value for
1741 errno should be returned. Suggested failure: EACCES for label mismatch
1742 or EPERM for lack of privilege.
1743*/
1744typedef int mpo_mount_check_stat_t(
1745 kauth_cred_t cred,
1746 struct mount *mp,
1747 struct label *mntlabel
1748);
1749/**
1750 @brief Access control check for unmounting a filesystem
1751 @param cred Subject credential
1752 @param mp The mount point
1753 @param mlabel Label associated with the mount point
1754
1755 Determine whether the subject identified by the credential can perform
1756 the unmount operation on the target vnode.
1757
1758 @return Return 0 if access is granted, otherwise an appropriate value for
1759 errno should be returned.
1760*/
1761typedef int mpo_mount_check_umount_t(
1762 kauth_cred_t cred,
1763 struct mount *mp,
1764 struct label *mlabel
1765);
1766/**
1767 @brief Create mount labels
1768 @param cred Subject credential
1769 @param mp Mount point of file system being mounted
1770 @param mntlabel Label to associate with the new mount point
1771 @see mpo_mount_label_init_t
1772
1773 Fill out the labels on the mount point being created by the supplied
1774 user credential. This call is made when file systems are first mounted.
1775*/
1776typedef void mpo_mount_label_associate_t(
1777 kauth_cred_t cred,
1778 struct mount *mp,
1779 struct label *mntlabel
1780);
1781/**
1782 @brief Destroy mount label
1783 @param label The label to be destroyed
1784
1785 Destroy a file system mount label. Since the
1786 object is going out of scope, policy modules should free any
1787 internal storage associated with the label so that it may be
1788 destroyed.
1789*/
1790typedef void mpo_mount_label_destroy_t(
1791 struct label *label
1792);
1793/**
1794 @brief Externalize a mount point label
1795 @param label Label to be externalized
1796 @param element_name Name of the label namespace for which labels should be
1797 externalized
1798 @param sb String buffer to be filled with a text representation of the label
1799
1800 Produce an external representation of the mount point label. An
1801 externalized label consists of a text representation of the label
1802 contents that can be used with user applications. Policy-agnostic
1803 user space tools will display this externalized version.
1804
1805 The policy's externalize entry points will be called only if the
1806 policy has registered interest in the label namespace.
1807
1808 @return 0 on success, return non-zero if an error occurs while
1809 externalizing the label data.
1810
1811*/
1812typedef int mpo_mount_label_externalize_t(
1813 struct label *label,
1814 char *element_name,
1815 struct sbuf *sb
1816);
1817/**
1818 @brief Initialize mount point label
1819 @param label New label to initialize
1820
1821 Initialize the label for a newly instantiated mount structure.
1822 This label is typically used to store a default label in the case
1823 that the file system has been mounted singlelabel. Since some
1824 file systems do not support persistent labels (extended attributes)
1825 or are read-only (such as CD-ROMs), it is often necessary to store
1826 a default label separately from the label of the mount point
1827 itself. Sleeping is permitted.
1828*/
1829typedef void mpo_mount_label_init_t(
1830 struct label *label
1831);
1832/**
1833 @brief Internalize a mount point label
1834 @param label Label to be internalized
1835 @param element_name Name of the label namespace for which the label should
1836 be internalized
1837 @param element_data Text data to be internalized
1838
1839 Produce a mount point file system label from an external representation.
1840 An externalized label consists of a text representation of the label
1841 contents that can be used with user applications. Policy-agnostic
1842 user space tools will forward text version to the kernel for
1843 processing by individual policy modules.
1844
1845 The policy's internalize entry points will be called only if the
1846 policy has registered interest in the label namespace.
1847
1848 @return 0 on success, Otherwise, return non-zero if an error occurs
1849 while internalizing the label data.
1850
1851*/
1852typedef int mpo_mount_label_internalize_t(
1853 struct label *label,
1854 char *element_name,
1855 char *element_data
1856);
1857/**
1858 @brief Set the label on an IPv4 datagram fragment
1859 @param datagram Datagram being fragmented
1860 @param datagramlabel Policy label for datagram
1861 @param fragment New fragment
1862 @param fragmentlabel Policy label for fragment
1863
1864 Called when an IPv4 datagram is fragmented into several smaller datagrams.
1865 Policies implementing mbuf labels will typically copy the label from the
1866 source datagram to the new fragment.
1867*/
1868typedef void mpo_netinet_fragment_t(
1869 struct mbuf *datagram,
1870 struct label *datagramlabel,
1871 struct mbuf *fragment,
1872 struct label *fragmentlabel
1873);
1874/**
1875 @brief Set the label on an ICMP reply
1876 @param m mbuf containing the ICMP reply
1877 @param mlabel Policy label for m
1878
1879 A policy may wish to update the label of an mbuf that refers to
1880 an ICMP packet being sent in response to an IP packet. This may
1881 be called in response to a bad packet or an ICMP request.
1882*/
1883typedef void mpo_netinet_icmp_reply_t(
1884 struct mbuf *m,
1885 struct label *mlabel
1886);
1887/**
1888 @brief Set the label on a TCP reply
1889 @param m mbuf containing the TCP reply
1890 @param mlabel Policy label for m
1891
1892 Called for outgoing TCP packets not associated with an actual socket.
1893*/
1894typedef void mpo_netinet_tcp_reply_t(
1895 struct mbuf *m,
1896 struct label *mlabel
1897);
1898/**
1899 @brief Access control check for pipe ioctl
1900 @param cred Subject credential
1901 @param cpipe Object to be accessed
1902 @param pipelabel The label on the pipe
1903 @param cmd The ioctl command; see ioctl(2)
1904
1905 Determine whether the subject identified by the credential can perform
1906 the ioctl operation indicated by cmd.
1907
1908 @warning Since ioctl data is opaque from the standpoint of the MAC
1909 framework, policies must exercise extreme care when implementing
1910 access control checks.
1911
1912 @return Return 0 if access is granted, otherwise an appropriate value for
1913 errno should be returned.
1914
1915*/
1916typedef int mpo_pipe_check_ioctl_t(
1917 kauth_cred_t cred,
1918 struct pipe *cpipe,
1919 struct label *pipelabel,
1920 unsigned int cmd
1921);
1922/**
1923 @brief Access control check for pipe kqfilter
1924 @param cred Subject credential
1925 @param kn Object knote
1926 @param cpipe Object to be accessed
1927 @param pipelabel Policy label for the pipe
1928
1929 Determine whether the subject identified by the credential can
1930 receive the knote on the passed pipe.
1931
1932 @return Return 0 if access if granted, otherwise an appropriate
1933 value for errno should be returned.
1934*/
1935typedef int mpo_pipe_check_kqfilter_t(
1936 kauth_cred_t cred,
1937 struct knote *kn,
1938 struct pipe *cpipe,
1939 struct label *pipelabel
1940);
1941/**
1942 @brief Access control check for pipe relabel
1943 @param cred Subject credential
1944 @param cpipe Object to be accessed
1945 @param pipelabel The current label on the pipe
1946 @param newlabel The new label to be used
1947
1948 Determine whether the subject identified by the credential can
1949 perform a relabel operation on the passed pipe. The cred object holds
1950 the credentials of the subject performing the operation.
1951
1952 @return Return 0 if access is granted, otherwise an appropriate value for
1953 errno should be returned.
1954
1955*/
1956typedef int mpo_pipe_check_label_update_t(
1957 kauth_cred_t cred,
1958 struct pipe *cpipe,
1959 struct label *pipelabel,
1960 struct label *newlabel
1961);
1962/**
1963 @brief Access control check for pipe read
1964 @param cred Subject credential
1965 @param cpipe Object to be accessed
1966 @param pipelabel The label on the pipe
1967
1968 Determine whether the subject identified by the credential can
1969 perform a read operation on the passed pipe. The cred object holds
1970 the credentials of the subject performing the operation.
1971
1972 @return Return 0 if access is granted, otherwise an appropriate value for
1973 errno should be returned.
1974
1975*/
1976typedef int mpo_pipe_check_read_t(
1977 kauth_cred_t cred,
1978 struct pipe *cpipe,
1979 struct label *pipelabel
1980);
1981/**
1982 @brief Access control check for pipe select
1983 @param cred Subject credential
1984 @param cpipe Object to be accessed
1985 @param pipelabel The label on the pipe
1986 @param which The operation selected on: FREAD or FWRITE
1987
1988 Determine whether the subject identified by the credential can
1989 perform a select operation on the passed pipe. The cred object holds
1990 the credentials of the subject performing the operation.
1991
1992 @return Return 0 if access is granted, otherwise an appropriate value for
1993 errno should be returned.
1994
1995*/
1996typedef int mpo_pipe_check_select_t(
1997 kauth_cred_t cred,
1998 struct pipe *cpipe,
1999 struct label *pipelabel,
2000 int which
2001);
2002/**
2003 @brief Access control check for pipe stat
2004 @param cred Subject credential
2005 @param cpipe Object to be accessed
2006 @param pipelabel The label on the pipe
2007
2008 Determine whether the subject identified by the credential can
2009 perform a stat operation on the passed pipe. The cred object holds
2010 the credentials of the subject performing the operation.
2011
2012 @return Return 0 if access is granted, otherwise an appropriate value for
2013 errno should be returned.
2014
2015*/
2016typedef int mpo_pipe_check_stat_t(
2017 kauth_cred_t cred,
2018 struct pipe *cpipe,
2019 struct label *pipelabel
2020);
2021/**
2022 @brief Access control check for pipe write
2023 @param cred Subject credential
2024 @param cpipe Object to be accessed
2025 @param pipelabel The label on the pipe
2026
2027 Determine whether the subject identified by the credential can
2028 perform a write operation on the passed pipe. The cred object holds
2029 the credentials of the subject performing the operation.
2030
2031 @return Return 0 if access is granted, otherwise an appropriate value for
2032 errno should be returned.
2033
2034*/
2035typedef int mpo_pipe_check_write_t(
2036 kauth_cred_t cred,
2037 struct pipe *cpipe,
2038 struct label *pipelabel
2039);
2040/**
2041 @brief Create a pipe label
2042 @param cred Subject credential
2043 @param cpipe object to be labeled
2044 @param label Label for the pipe object
2045
2046 Create a label for the pipe object being created by the supplied
2047 user credential. This call is made when the pipe is being created
2048 XXXPIPE(for one or both sides of the pipe?).
2049
2050*/
2051typedef void mpo_pipe_label_associate_t(
2052 kauth_cred_t cred,
2053 struct pipe *cpipe,
2054 struct label *pipelabel
2055);
2056/**
2057 @brief Copy a pipe label
2058 @param src Source pipe label
2059 @param dest Destination pipe label
2060
2061 Copy the pipe label associated with src to dest.
2062 XXXPIPE Describe when this is used: most likely during pipe creation to
2063 copy from rpipe to wpipe.
2064*/
2065typedef void mpo_pipe_label_copy_t(
2066 struct label *src,
2067 struct label *dest
2068);
2069/**
2070 @brief Destroy pipe label
2071 @param label The label to be destroyed
2072
2073 Destroy a pipe label. Since the object is going out of scope,
2074 policy modules should free any internal storage associated with the
2075 label so that it may be destroyed.
2076*/
2077typedef void mpo_pipe_label_destroy_t(
2078 struct label *label
2079);
2080/**
2081 @brief Externalize a pipe label
2082 @param label Label to be externalized
2083 @param element_name Name of the label namespace for which labels should be
2084 externalized
2085 @param sb String buffer to be filled with a text representation of the label
2086
2087 Produce an external representation of the label on a pipe.
2088 An externalized label consists of a text representation
2089 of the label contents that can be used with user applications.
2090 Policy-agnostic user space tools will display this externalized
2091 version.
2092
2093 The policy's externalize entry points will be called only if the
2094 policy has registered interest in the label namespace.
2095
2096 @return 0 on success, return non-zero if an error occurs while
2097 externalizing the label data.
2098
2099*/
2100typedef int mpo_pipe_label_externalize_t(
2101 struct label *label,
2102 char *element_name,
2103 struct sbuf *sb
2104);
2105/**
2106 @brief Initialize pipe label
2107 @param label New label to initialize
2108
2109 Initialize label storage for use with a newly instantiated pipe object.
2110 Sleeping is permitted.
2111*/
2112typedef void mpo_pipe_label_init_t(
2113 struct label *label
2114);
2115/**
2116 @brief Internalize a pipe label
2117 @param label Label to be internalized
2118 @param element_name Name of the label namespace for which the label should
2119 be internalized
2120 @param element_data Text data to be internalized
2121
2122 Produce a pipe label from an external representation. An
2123 externalized label consists of a text representation of the label
2124 contents that can be used with user applications. Policy-agnostic
2125 user space tools will forward text version to the kernel for
2126 processing by individual policy modules.
2127
2128 The policy's internalize entry points will be called only if the
2129 policy has registered interest in the label namespace.
2130
2131 @return 0 on success, Otherwise, return non-zero if an error occurs
2132 while internalizing the label data.
2133
2134*/
2135typedef int mpo_pipe_label_internalize_t(
2136 struct label *label,
2137 char *element_name,
2138 char *element_data
2139);
2140/**
2141 @brief Update a pipe label
2142 @param cred Subject credential
2143 @param cpipe Object to be labeled
2144 @param oldlabel Existing pipe label
2145 @param newlabel New label to replace existing label
2146 @see mpo_pipe_check_label_update_t
2147
2148 The subject identified by the credential has previously requested
2149 and was authorized to relabel the pipe; this entry point allows
2150 policies to perform the actual relabel operation. Policies should
2151 update oldlabel using the label stored in the newlabel parameter.
2152
2153*/
2154typedef void mpo_pipe_label_update_t(
2155 kauth_cred_t cred,
2156 struct pipe *cpipe,
2157 struct label *oldlabel,
2158 struct label *newlabel
2159);
2160/**
2161 @brief Policy unload event
2162 @param mpc MAC policy configuration
2163
2164 This is the MAC Framework policy unload event. This entry point will
2165 only be called if the module's policy configuration allows unload (if
2166 the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't
2167 want to be unloaded; they should set their flags to prevent this
2168 entry point from being called.
2169
2170 @warning During this call, the mac policy list mutex is held, so
2171 sleep operations cannot be performed, and calls out to other kernel
2172 subsystems must be made with caution.
2173
2174 @see MPC_LOADTIME_FLAG_UNLOADOK
2175*/
2176typedef void mpo_policy_destroy_t(
2177 struct mac_policy_conf *mpc
2178);
2179/**
2180 @brief Policy initialization event
2181 @param mpc MAC policy configuration
2182 @see mac_policy_register
2183 @see mpo_policy_initbsd_t
2184
2185 This is the MAC Framework policy initialization event. This entry
2186 point is called during mac_policy_register, when the policy module
2187 is first registered with the MAC Framework. This is often done very
2188 early in the boot process, after the kernel Mach subsystem has been
2189 initialized, but prior to the BSD subsystem being initialized.
2190 Since the kernel BSD services are not yet available, it is possible
2191 that some initialization must occur later, possibly in the
2192 mpo_policy_initbsd_t policy entry point, such as registering BSD system
2193 controls (sysctls). Policy modules loaded at boot time will be
2194 registered and initialized before labeled Mach objects are created.
2195
2196 @warning During this call, the mac policy list mutex is held, so
2197 sleep operations cannot be performed, and calls out to other kernel
2198 subsystems must be made with caution.
2199*/
2200typedef void mpo_policy_init_t(
2201 struct mac_policy_conf *mpc
2202);
2203/**
2204 @brief Policy BSD initialization event
2205 @param mpc MAC policy configuration
2206 @see mpo_policy_init_t
2207
2208 This entry point is called after the kernel BSD subsystem has been
2209 initialized. By this point, the module should already be loaded,
2210 registered, and initialized. Since policy modules are initialized
2211 before kernel BSD services are available, this second initialization
2212 phase is necessary. At this point, BSD services (memory management,
2213 synchronization primitives, vfs, etc.) are available, but the first
2214 process has not yet been created. Mach-related objects and tasks
2215 will already be fully initialized and may be in use--policies requiring
2216 ubiquitous labeling may also want to implement mpo_policy_init_t.
2217
2218 @warning During this call, the mac policy list mutex is held, so
2219 sleep operations cannot be performed, and calls out to other kernel
2220 subsystems must be made with caution.
2221*/
2222typedef void mpo_policy_initbsd_t(
2223 struct mac_policy_conf *mpc
2224);
2225/**
2226 @brief Policy extension service
2227 @param p Calling process
2228 @param call Policy-specific syscall number
2229 @param arg Pointer to syscall arguments
2230
2231 This entry point provides a policy-multiplexed system call so that
2232 policies may provide additional services to user processes without
2233 registering specific system calls. The policy name provided during
2234 registration is used to demux calls from userland, and the arguments
2235 will be forwarded to this entry point. When implementing new
2236 services, security modules should be sure to invoke appropriate
2237 access control checks from the MAC framework as needed. For
2238 example, if a policy implements an augmented signal functionality,
2239 it should call the necessary signal access control checks to invoke
2240 the MAC framework and other registered policies.
2241
2242 @warning Since the format and contents of the policy-specific
2243 arguments are unknown to the MAC Framework, modules must perform the
2244 required copyin() of the syscall data on their own. No policy
2245 mediation is performed, so policies must perform any necessary
2246 access control checks themselves. If multiple policies are loaded,
2247 they will currently be unable to mediate calls to other policies.
2248
2249 @return In the event of an error, an appropriate value for errno
2250 should be returned, otherwise return 0 upon success.
2251*/
2252typedef int mpo_policy_syscall_t(
2253 struct proc *p,
2254 int call,
2255 user_addr_t arg
2256);
2d21ac55
A		 2257/**
2258 @brief Access control check for POSIX semaphore create
2259 @param cred Subject credential
2260 @param name String name of the semaphore
2261
2262 Determine whether the subject identified by the credential can create
2263 a POSIX semaphore specified by name.
2264
2265 @return Return 0 if access is granted, otherwise an appropriate value for
2266 errno should be returned.
2267*/
2268typedef int mpo_posixsem_check_create_t(
2269 kauth_cred_t cred,
2270 const char *name
2271);
2272/**
2273 @brief Access control check for POSIX semaphore open
2274 @param cred Subject credential
2275 @param ps Pointer to semaphore information structure
2276 @param semlabel Label associated with the semaphore
2277
2278 Determine whether the subject identified by the credential can open
2279 the named POSIX semaphore with label semlabel.
2280
2281 @return Return 0 if access is granted, otherwise an appropriate value for
2282 errno should be returned.
2283*/
2284typedef int mpo_posixsem_check_open_t(
2285 kauth_cred_t cred,
2286 struct pseminfo *ps,
2287 struct label *semlabel
2288);
2289/**
2290 @brief Access control check for POSIX semaphore post
2291 @param cred Subject credential
2292 @param ps Pointer to semaphore information structure
2293 @param semlabel Label associated with the semaphore
2294
2295 Determine whether the subject identified by the credential can unlock
2296 the named POSIX semaphore with label semlabel.
2297
2298 @return Return 0 if access is granted, otherwise an appropriate value for
2299 errno should be returned.
2300*/
2301typedef int mpo_posixsem_check_post_t(
2302 kauth_cred_t cred,
2303 struct pseminfo *ps,
2304 struct label *semlabel
2305);
2306/**
2307 @brief Access control check for POSIX semaphore unlink
2308 @param cred Subject credential
2309 @param ps Pointer to semaphore information structure
2310 @param semlabel Label associated with the semaphore
2311 @param name String name of the semaphore
2312
2313 Determine whether the subject identified by the credential can remove
2314 the named POSIX semaphore with label semlabel.
2315
2316 @return Return 0 if access is granted, otherwise an appropriate value for
2317 errno should be returned.
2318*/
2319typedef int mpo_posixsem_check_unlink_t(
2320 kauth_cred_t cred,
2321 struct pseminfo *ps,
2322 struct label *semlabel,
2323 const char *name
2324);
2325/**
2326 @brief Access control check for POSIX semaphore wait
2327 @param cred Subject credential
2328 @param ps Pointer to semaphore information structure
2329 @param semlabel Label associated with the semaphore
2330
2331 Determine whether the subject identified by the credential can lock
2332 the named POSIX semaphore with label semlabel.
2333
2334 @return Return 0 if access is granted, otherwise an appropriate value for
2335 errno should be returned.
2336*/
2337typedef int mpo_posixsem_check_wait_t(
2338 kauth_cred_t cred,
2339 struct pseminfo *ps,
2340 struct label *semlabel
2341);
2342/**
2343 @brief Create a POSIX semaphore label
2344 @param cred Subject credential
2345 @param ps Pointer to semaphore information structure
2346 @param semlabel Label to associate with the new semaphore
2347 @param name String name of the semaphore
2348
2349 Label a new POSIX semaphore. The label was previously
2350 initialized and associated with the semaphore. At this time, an
2351 appropriate initial label value should be assigned to the object and
2352 stored in semalabel.
2353*/
2354typedef void mpo_posixsem_label_associate_t(
2355 kauth_cred_t cred,
2356 struct pseminfo *ps,
2357 struct label *semlabel,
2358 const char *name
2359);
2360/**
2361 @brief Destroy POSIX semaphore label
2362 @param label The label to be destroyed
2363
2364 Destroy a POSIX semaphore label. Since the object is
2365 going out of scope, policy modules should free any internal storage
2366 associated with the label so that it may be destroyed.
2367*/
2368typedef void mpo_posixsem_label_destroy_t(
2369 struct label *label
2370);
2371/**
2372 @brief Initialize POSIX semaphore label
2373 @param label New label to initialize
2374
2375 Initialize the label for a newly instantiated POSIX semaphore. Sleeping
2376 is permitted.
2377*/
2378typedef void mpo_posixsem_label_init_t(
2379 struct label *label
2380);
2381/**
2382 @brief Access control check for POSIX shared memory region create
2383 @param cred Subject credential
2384 @param name String name of the shared memory region
2385
2386 Determine whether the subject identified by the credential can create
2387 the POSIX shared memory region referenced by name.
2388
2389 @return Return 0 if access is granted, otherwise an appropriate value for
2390 errno should be returned.
2391*/
2392typedef int mpo_posixshm_check_create_t(
2393 kauth_cred_t cred,
2394 const char *name
2395);
2396/**
2397 @brief Access control check for mapping POSIX shared memory
2398 @param cred Subject credential
2399 @param ps Pointer to shared memory information structure
2400 @param shmlabel Label associated with the shared memory region
2401 @param prot mmap protections; see mmap(2)
2402 @param flags shmat flags; see shmat(2)
2403
2404 Determine whether the subject identified by the credential can map
2405 the POSIX shared memory segment associated with shmlabel.
2406
2407 @return Return 0 if access is granted, otherwise an appropriate value for
2408 errno should be returned.
2409*/
2410typedef int mpo_posixshm_check_mmap_t(
2411 kauth_cred_t cred,
2412 struct pshminfo *ps,
2413 struct label *shmlabel,
2414 int prot,
2415 int flags
2416);
2417/**
2418 @brief Access control check for POSIX shared memory region open
2419 @param cred Subject credential
2420 @param ps Pointer to shared memory information structure
2421 @param shmlabel Label associated with the shared memory region
316670eb 2422 @param fflags shm_open(2) open flags ('fflags' encoded)
2d21ac55
A		 2423
2424 Determine whether the subject identified by the credential can open
2425 the POSIX shared memory region.
2426
2427 @return Return 0 if access is granted, otherwise an appropriate value for
2428 errno should be returned.
2429*/
2430typedef int mpo_posixshm_check_open_t(
2431 kauth_cred_t cred,
2432 struct pshminfo *ps,
316670eb
A		 2433 struct label *shmlabel,
2434 int fflags
2d21ac55
A		 2435);
2436/**
2437 @brief Access control check for POSIX shared memory stat
2438 @param cred Subject credential
2439 @param ps Pointer to shared memory information structure
2440 @param shmlabel Label associated with the shared memory region
2441
2442 Determine whether the subject identified by the credential can obtain
2443 status for the POSIX shared memory segment associated with shmlabel.
2444
2445 @return Return 0 if access is granted, otherwise an appropriate value for
2446 errno should be returned.
2447*/
2448typedef int mpo_posixshm_check_stat_t(
2449 kauth_cred_t cred,
2450 struct pshminfo *ps,
2451 struct label *shmlabel
2452);
2453/**
2454 @brief Access control check for POSIX shared memory truncate
2455 @param cred Subject credential
2456 @param ps Pointer to shared memory information structure
2457 @param shmlabel Label associated with the shared memory region
2458 @param len Length to truncate or extend shared memory segment
2459
2460 Determine whether the subject identified by the credential can truncate
2461 or extend (to len) the POSIX shared memory segment associated with shmlabel.
2462
2463 @return Return 0 if access is granted, otherwise an appropriate value for
2464 errno should be returned.
2465*/
2466typedef int mpo_posixshm_check_truncate_t(
2467 kauth_cred_t cred,
2468 struct pshminfo *ps,
2469 struct label *shmlabel,
6d2010ae 2470 off_t len
2d21ac55
A		 2471);
2472/**
2473 @brief Access control check for POSIX shared memory unlink
2474 @param cred Subject credential
2475 @param ps Pointer to shared memory information structure
2476 @param shmlabel Label associated with the shared memory region
2477 @param name String name of the shared memory region
2478
2479 Determine whether the subject identified by the credential can delete
2480 the POSIX shared memory segment associated with shmlabel.
2481
2482 @return Return 0 if access is granted, otherwise an appropriate value for
2483 errno should be returned.
2484*/
2485typedef int mpo_posixshm_check_unlink_t(
2486 kauth_cred_t cred,
2487 struct pshminfo *ps,
2488 struct label *shmlabel,
2489 const char *name
2490);
2491/**
2492 @brief Create a POSIX shared memory region label
2493 @param cred Subject credential
2494 @param ps Pointer to shared memory information structure
2495 @param shmlabel Label to associate with the new shared memory region
2496 @param name String name of the shared memory region
2497
2498 Label a new POSIX shared memory region. The label was previously
2499 initialized and associated with the shared memory region. At this
2500 time, an appropriate initial label value should be assigned to the
2501 object and stored in shmlabel.
2502*/
2503typedef void mpo_posixshm_label_associate_t(
2504 kauth_cred_t cred,
2505 struct pshminfo *ps,
2506 struct label *shmlabel,
2507 const char *name
2508);
2509/**
2510 @brief Destroy POSIX shared memory label
2511 @param label The label to be destroyed
2512
2513 Destroy a POSIX shared memory region label. Since the
2514 object is going out of scope, policy modules should free any
2515 internal storage associated with the label so that it may be
2516 destroyed.
2517*/
2518typedef void mpo_posixshm_label_destroy_t(
2519 struct label *label
2520);
2521/**
2522 @brief Initialize POSIX Shared Memory region label
2523 @param label New label to initialize
2524
2525 Initialize the label for newly a instantiated POSIX Shared Memory
2526 region. Sleeping is permitted.
2527*/
2528typedef void mpo_posixshm_label_init_t(
2529 struct label *label
2530);
6d2010ae
A		 2531/**
2532 @brief Access control check for privileged operations
2533 @param cred Subject credential
2534 @param priv Requested privilege (see sys/priv.h)
2535
2536 Determine whether the subject identified by the credential can perform
2537 a privileged operation. Privileged operations are allowed if the cred
2538 is the superuser or any policy returns zero for mpo_priv_grant, unless
2539 any policy returns nonzero for mpo_priv_check.
2540
2541 @return Return 0 if access is granted, otherwise EPERM should be returned.
2542*/
2543typedef int mpo_priv_check_t(
2544 kauth_cred_t cred,
2545 int priv
2546);
2547/**
2548 @brief Grant regular users the ability to perform privileged operations
2549 @param cred Subject credential
2550 @param priv Requested privilege (see sys/priv.h)
2551
2552 Determine whether the subject identified by the credential should be
2553 allowed to perform a privileged operation that in the absense of any
2554 MAC policy it would not be able to perform. Privileged operations are
2555 allowed if the cred is the superuser or any policy returns zero for
2556 mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check.
2557
2558 Unlike other MAC hooks which can only reduce the privilege of a
2559 credential, this hook raises the privilege of a credential when it
2560 returns 0. Extreme care must be taken when implementing this hook to
2561 avoid undermining the security of the system.
2562
2563 @return Return 0 if additional privilege is granted, otherwise EPERM
2564 should be returned.
2565*/
2566typedef int mpo_priv_grant_t(
2567 kauth_cred_t cred,
2568 int priv
2569);
2d21ac55
A		 2570/**
2571 @brief Access control check for debugging process
2572 @param cred Subject credential
2573 @param proc Object process
2574
2575 Determine whether the subject identified by the credential can debug
2576 the passed process. This call may be made in a number of situations,
2577 including use of the ptrace(2) and ktrace(2) APIs, as well as for some
2578 types of procfs operations.
2579
2580 @return Return 0 if access is granted, otherwise an appropriate value for
2581 errno should be returned. Suggested failure: EACCES for label mismatch,
2582 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
2583*/
2584typedef int mpo_proc_check_debug_t(
2585 kauth_cred_t cred,
2586 struct proc *proc
2587);
2588/**
2589 @brief Access control over fork
2590 @param cred Subject credential
2591 @param proc Subject process trying to fork
2592
2593 Determine whether the subject identified is allowed to fork.
2594
2595 @return Return 0 if access is granted, otherwise an appropriate value for
2596 errno should be returned.
2597*/
2598typedef int mpo_proc_check_fork_t(
2599 kauth_cred_t cred,
2600 struct proc *proc
2601);
3e170ce0
A		 2602/**
2603 @brief Access control check for setting host special ports.
2604 @param cred Subject credential
2605 @param id The host special port to set
2606 @param port The new value to set for the special port
2607
2608 @return Return 0 if access is granted, otherwise an appropriate value for
2609 errno should be returned.
2610*/
2611typedef int mpo_proc_check_set_host_special_port_t(
2612 kauth_cred_t cred,
2613 int id,
2614 struct ipc_port *port
2615);
2616/**
2617 @brief Access control check for setting host exception ports.
2618 @param cred Subject credential
2619 @param exceptions Exception port to set
2620
2621 @return Return 0 if access is granted, otherwise an appropriate value for
2622 errno should be returned.
2623*/
2624typedef int mpo_proc_check_set_host_exception_port_t(
2625 kauth_cred_t cred,
2626 unsigned int exception
2627);
d1ecb069
A		 2628/**
2629 @brief Access control over pid_suspend and pid_resume
2630 @param cred Subject credential
2631 @param proc Subject process trying to run pid_suspend or pid_resume
2632 @param sr Call is suspend (0) or resume (1)
2633
2634 Determine whether the subject identified is allowed to suspend or resume
2635 other processes.
2636
2637 @return Return 0 if access is granted, otherwise an appropriate value for
2638 errno should be returned.
2639*/
2640typedef int mpo_proc_check_suspend_resume_t(
2641 kauth_cred_t cred,
2642 struct proc *proc,
2643 int sr
2644);
2d21ac55
A		 2645/**
2646 @brief Access control check for retrieving audit information
2647 @param cred Subject credential
2648
2649 Determine whether the subject identified by the credential can get
2650 audit information such as the audit user ID, the preselection mask,
2651 the terminal ID and the audit session ID, using the getaudit() system call.
2652
2653 @return Return 0 if access is granted, otherwise an appropriate value for
2654 errno should be returned.
2655*/
2656typedef int mpo_proc_check_getaudit_t(
2657 kauth_cred_t cred
2658);
2659/**
2660 @brief Access control check for retrieving audit user ID
2661 @param cred Subject credential
2662
2663 Determine whether the subject identified by the credential can get
2664 the user identity being used by the auditing system, using the getauid()
2665 system call.
2666
2667 @return Return 0 if access is granted, otherwise an appropriate value for
2668 errno should be returned.
2669*/
2670typedef int mpo_proc_check_getauid_t(
2671 kauth_cred_t cred
2672);
2673/**
2674 @brief Access control check for retrieving Login Context ID
2675 @param p0 Calling process
2676 @param p Effected process
2677 @param pid syscall PID argument
2678
2679 Determine if getlcid(2) system call is permitted.
2680
2681 Information returned by this system call is similar to that returned via
2682 process listings etc.
2683
2684 @return Return 0 if access is granted, otherwise an appropriate value for
2685 errno should be returned.
2686*/
2687typedef int mpo_proc_check_getlcid_t(
2688 struct proc *p0,
2689 struct proc *p,
2690 pid_t pid
2691);
316670eb
A		 2692/**
2693 @brief Access control check for retrieving ledger information
2694 @param cred Subject credential
2695 @param target Object process
2696 @param op ledger operation
2697
2698 Determine if ledger(2) system call is permitted.
2699
2700 Information returned by this system call is similar to that returned via
2701 process listings etc.
2702
2703 @return Return 0 if access is granted, otherwise an appropriate value for
2704 errno should be returned.
2705*/
2706typedef int mpo_proc_check_ledger_t(
2707 kauth_cred_t cred,
2708 struct proc *target,
2709 int op
2710);
39236c6e
A		 2711/**
2712 @brief Access control check for escaping default CPU usage monitor parameters.
2713 @param cred Subject credential
2714
2715 Determine if a credential has permission to program CPU usage monitor parameters
2716 that are less restrictive than the global system-wide defaults.
2717
2718 @return Return 0 if access is granted, otherwise an appropriate value for
2719 errno should be returned.
2720*/
2721typedef int mpo_proc_check_cpumon_t(
2722 kauth_cred_t cred
2723);
2724/**
2725 @brief Access control check for retrieving process information.
2726 @param cred Subject credential
2727 @param target Target process (may be null, may be zombie)
2728
2729 Determine if a credential has permission to access process information as defined
2730 by call number and flavor on target process
2731
2732 @return Return 0 if access is granted, otherwise an appropriate value for
2733 errno should be returned.
2734*/
2735typedef int mpo_proc_check_proc_info_t(
2736 kauth_cred_t cred,
2737 struct proc *target,
2738 int callnum,
2739 int flavor
2740);
6d2010ae
A		 2741/**
2742 @brief Access control check for mmap MAP_ANON
2743 @param proc User process requesting the memory
2744 @param cred Subject credential
2745 @param u_addr Start address of the memory range
2746 @param u_size Length address of the memory range
2747 @param prot mmap protections; see mmap(2)
2748 @param flags Type of mapped object; see mmap(2)
2749 @param maxprot Maximum rights
2750
2751 Determine whether the subject identified by the credential should be
2752 allowed to obtain anonymous memory using the specified flags and
2753 protections on the new mapping. MAP_ANON will always be present in the
2754 flags. Certain combinations of flags with a non-NULL addr may
2755 cause a mapping to be rejected before this hook is called. The maxprot field
2756 holds the maximum permissions on the new mapping, a combination of
2757 VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior
2758 access control checks, a policy should only remove flags from maxprot.
2759
2760 @return Return 0 if access is granted, otherwise an appropriate value for
2761 errno should be returned. Suggested failure: EPERM for lack of privilege.
2762*/
2763typedef int mpo_proc_check_map_anon_t(
2764 struct proc *proc,
2765 kauth_cred_t cred,
2766 user_addr_t u_addr,
2767 user_size_t u_size,
2768 int prot,
2769 int flags,
2770 int *maxprot
2771);
2d21ac55
A		 2772/**
2773 @brief Access control check for setting memory protections
2774 @param cred Subject credential
2775 @param proc User process requesting the change
2776 @param addr Start address of the memory range
2777 @param size Length address of the memory range
2778 @param prot Memory protections, see mmap(2)
2779
2780 Determine whether the subject identified by the credential should
2781 be allowed to set the specified memory protections on memory mapped
2782 in the process proc.
2783
2784 @return Return 0 if access is granted, otherwise an appropriate value for
2785 errno should be returned.
2786*/
2787typedef int mpo_proc_check_mprotect_t(
2788 kauth_cred_t cred,
2789 struct proc *proc,
2790 user_addr_t addr,
2791 user_size_t size,
2792 int prot
2793);
2794/**
2795 @brief Access control check for changing scheduling parameters
2796 @param cred Subject credential
2797 @param proc Object process
2798
2799 Determine whether the subject identified by the credential can change
2800 the scheduling parameters of the passed process.
2801
2802 @return Return 0 if access is granted, otherwise an appropriate value for
2803 errno should be returned. Suggested failure: EACCES for label mismatch,
2804 EPERM for lack of privilege, or ESRCH to limit visibility.
2805*/
2806typedef int mpo_proc_check_sched_t(
2807 kauth_cred_t cred,
2808 struct proc *proc
2809);
2810/**
2811 @brief Access control check for setting audit information
2812 @param cred Subject credential
2813 @param ai Audit information
2814
2815 Determine whether the subject identified by the credential can set
2816 audit information such as the the preselection mask, the terminal ID
2817 and the audit session ID, using the setaudit() system call.
2818
2819 @return Return 0 if access is granted, otherwise an appropriate value for
2820 errno should be returned.
2821*/
2822typedef int mpo_proc_check_setaudit_t(
2823 kauth_cred_t cred,
b0d623f7 2824 struct auditinfo_addr *ai
2d21ac55
A		 2825);
2826/**
2827 @brief Access control check for setting audit user ID
2828 @param cred Subject credential
2829 @param auid Audit user ID
2830
2831 Determine whether the subject identified by the credential can set
2832 the user identity used by the auditing system, using the setauid()
2833 system call.
2834
2835 @return Return 0 if access is granted, otherwise an appropriate value for
2836 errno should be returned.
2837*/
2838typedef int mpo_proc_check_setauid_t(
2839 kauth_cred_t cred,
2840 uid_t auid
2841);
2842/**
2843 @brief Access control check for setting the Login Context
2844 @param p0 Calling process
2845 @param p Effected process
2846 @param pid syscall PID argument
2847 @param lcid syscall LCID argument
2848
2849 Determine if setlcid(2) system call is permitted.
2850
2851 See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of
2852 decoding syscall arguments to determine action desired by caller.
2853
2854 Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN
2855
2856 @return Return 0 if access is granted, otherwise an appropriate value for
2857 errno should be returned.
2858*/
2859typedef int mpo_proc_check_setlcid_t(
2860 struct proc *p0,
2861 struct proc *p,
2862 pid_t pid,
2863 pid_t lcid
2864);
2865/**
2866 @brief Access control check for delivering signal
2867 @param cred Subject credential
2868 @param proc Object process
2869 @param signum Signal number; see kill(2)
2870
2871 Determine whether the subject identified by the credential can deliver
2872 the passed signal to the passed process.
2873
2874 @warning Programs typically expect to be able to send and receive
2875 signals as part or their normal process lifecycle; caution should be
2876 exercised when implementing access controls over signal events.
2877
2878 @return Return 0 if access is granted, otherwise an appropriate value for
2879 errno should be returned. Suggested failure: EACCES for label mismatch,
2880 EPERM for lack of privilege, or ESRCH to limit visibility.
2881*/
2882typedef int mpo_proc_check_signal_t(
2883 kauth_cred_t cred,
2884 struct proc *proc,
2885 int signum
2886);
2887/**
2888 @brief Access control check for wait
2889 @param cred Subject credential
2890 @param proc Object process
2891
2892 Determine whether the subject identified by the credential can wait
2893 for process termination.
2894
2895 @warning Caution should be exercised when implementing access
2896 controls for wait, since programs often wait for child processes to
2897 exit. Failure to be notified of a child process terminating may
2898 cause the parent process to hang, or may produce zombie processes.
2899
2900 @return Return 0 if access is granted, otherwise an appropriate value for
2901 errno should be returned.
2902*/
2903typedef int mpo_proc_check_wait_t(
2904 kauth_cred_t cred,
2905 struct proc *proc
2906);
2907/**
2908 @brief Destroy process label
2909 @param label The label to be destroyed
2910
2911 Destroy a process label. Since the object is going
2912 out of scope, policy modules should free any internal storage
2913 associated with the label so that it may be destroyed.
2914*/
2915typedef void mpo_proc_label_destroy_t(
2916 struct label *label
2917);
2918/**
2919 @brief Initialize process label
2920 @param label New label to initialize
2921 @see mpo_cred_label_init_t
2922
2923 Initialize the label for a newly instantiated BSD process structure.
2924 Normally, security policies will store the process label in the user
2925 credential rather than here in the process structure. However,
2926 there are some floating label policies that may need to temporarily
2927 store a label in the process structure until it is safe to update
2928 the user credential label. Sleeping is permitted.
2929*/
2930typedef void mpo_proc_label_init_t(
2931 struct label *label
2932);
2933/**
2934 @brief Access control check for socket accept
2935 @param cred Subject credential
2936 @param socket Object socket
2937 @param socklabel Policy label for socket
2938
2939 Determine whether the subject identified by the credential can accept()
2940 a new connection on the socket from the host specified by addr.
2941
2942 @return Return 0 if access if granted, otherwise an appropriate
2943 value for errno should be returned.
2944*/
2945typedef int mpo_socket_check_accept_t(
2946 kauth_cred_t cred,
2947 socket_t so,
2948 struct label *socklabel
2949);
2950/**
2951 @brief Access control check for a pending socket accept
2952 @param cred Subject credential
2953 @param so Object socket
2954 @param socklabel Policy label for socket
2955 @param addr Address of the listening socket (coming soon)
2956
2957 Determine whether the subject identified by the credential can accept()
2958 a pending connection on the socket from the host specified by addr.
2959
2960 @return Return 0 if access if granted, otherwise an appropriate
2961 value for errno should be returned.
2962*/
2963typedef int mpo_socket_check_accepted_t(
2964 kauth_cred_t cred,
2965 socket_t so,
2966 struct label *socklabel,
2967 struct sockaddr *addr
2968);
2969/**
2970 @brief Access control check for socket bind
2971 @param cred Subject credential
2972 @param so Object socket
2973 @param socklabel Policy label for socket
2974 @param addr Name to assign to the socket
2975
2976 Determine whether the subject identified by the credential can bind()
2977 the name (addr) to the socket.
2978
2979 @return Return 0 if access if granted, otherwise an appropriate
2980 value for errno should be returned.
2981*/
2982typedef int mpo_socket_check_bind_t(
2983 kauth_cred_t cred,
2984 socket_t so,
2985 struct label *socklabel,
2986 struct sockaddr *addr
2987);
2988/**
2989 @brief Access control check for socket connect
2990 @param cred Subject credential
2991 @param so Object socket
2992 @param socklabel Policy label for socket
2993 @param addr Name to assign to the socket
2994
2995 Determine whether the subject identified by the credential can
2996 connect() the passed socket to the remote host specified by addr.
2997
2998 @return Return 0 if access if granted, otherwise an appropriate
2999 value for errno should be returned.
3000*/
3001typedef int mpo_socket_check_connect_t(
3002 kauth_cred_t cred,
3003 socket_t so,
3004 struct label *socklabel,
3005 struct sockaddr *addr
3006);
3007/**
3008 @brief Access control check for socket() system call.
3009 @param cred Subject credential
3010 @param domain communication domain
3011 @param type socket type
3012 @param protocol socket protocol
3013
3014 Determine whether the subject identified by the credential can
3015 make the socket() call.
3016
3017 @return Return 0 if access if granted, otherwise an appropriate
3018 value for errno should be returned.
3019*/
3020typedef int mpo_socket_check_create_t(
3021 kauth_cred_t cred,
3022 int domain,
3023 int type,
3024 int protocol
3025);
3026/**
3027 @brief Access control check for delivering data to a user's receieve queue
3028 @param so The socket data is being delivered to
3029 @param so_label The label of so
3030 @param m The mbuf whose data will be deposited into the receive queue
3031 @param m_label The label of the sender of the data.
3032
3033 A socket has a queue for receiving incoming data. When a packet arrives
3034 on the wire, it eventually gets deposited into this queue, which the
3035 owner of the socket drains when they read from the socket's file descriptor.
3036
3037 This function determines whether the socket can receive data from
3038 the sender specified by m_label.
3039
3040 @warning There is an outstanding design issue surrounding the placement
3041 of this function. The check must be placed either before or after the
3042 TCP sequence and ACK counters are updated. Placing the check before
3043 the counters are updated causes the incoming packet to be resent by
3044 the remote if the check rejects it. Placing the check after the counters
3045 are updated results in a completely silent drop. As far as each TCP stack
3046 is concerned the packet was received, however, the data will not be in the
3047 socket's receive queue. Another consideration is that the current design
3048 requires using the "failed label" occasionally. In that case, on rejection,
3049 we want the remote TCP to resend the data. Because of this, we chose to
3050 place this check before the counters are updated, so rejected packets will be
3051 resent by the remote host.
3052
3053 If a policy keeps rejecting the same packet, eventually the connection will
3054 be dropped. Policies have several options if this design causes problems.
3055 For example, one options is to sanitize the mbuf such that it is acceptable,
3056 then accept it. That may require negotiation between policies as the
3057 Framework will not know to re-check the packet.
3058
3059 The policy must handle NULL MBUF labels. This will likely be the case
3060 for non-local TCP sockets for example.
3061
3062 @return Return 0 if access if granted, otherwise an appropriate
3063 value for errno should be returned.
3064*/
3065typedef int mpo_socket_check_deliver_t(
3066 socket_t so,
3067 struct label *so_label,
3068 struct mbuf *m,
3069 struct label *m_label
3070);
3071/**
3072 @brief Access control check for socket kqfilter
3073 @param cred Subject credential
3074 @param kn Object knote
3075 @param so Object socket
3076 @param socklabel Policy label for socket
3077
3078 Determine whether the subject identified by the credential can
3079 receive the knote on the passed socket.
3080
3081 @return Return 0 if access if granted, otherwise an appropriate
3082 value for errno should be returned.
3083*/
3084typedef int mpo_socket_check_kqfilter_t(
3085 kauth_cred_t cred,
3086 struct knote *kn,
3087 socket_t so,
3088 struct label *socklabel
3089);
3090/**
3091 @brief Access control check for socket relabel
3092 @param cred Subject credential
3093 @param so Object socket
3094 @param so_label The current label of so
3095 @param newlabel The label to be assigned to so
3096
3097 Determine whether the subject identified by the credential can
3098 change the label on the socket.
3099
3100 @return Return 0 if access if granted, otherwise an appropriate
3101 value for errno should be returned.
3102*/
3103typedef int mpo_socket_check_label_update_t(
3104 kauth_cred_t cred,
3105 socket_t so,
3106 struct label *so_label,
3107 struct label *newlabel
3108);
3109/**
3110 @brief Access control check for socket listen
3111 @param cred Subject credential
3112 @param so Object socket
3113 @param socklabel Policy label for socket
3114
3115 Determine whether the subject identified by the credential can
3116 listen() on the passed socket.
3117
3118 @return Return 0 if access if granted, otherwise an appropriate
3119 value for errno should be returned.
3120*/
3121typedef int mpo_socket_check_listen_t(
3122 kauth_cred_t cred,
3123 socket_t so,
3124 struct label *socklabel
3125);
3126/**
3127 @brief Access control check for socket receive
3128 @param cred Subject credential
3129 @param so Object socket
3130 @param socklabel Policy label for socket
3131
3132 Determine whether the subject identified by the credential can
3133 receive data from the socket.
3134
3135 @return Return 0 if access if granted, otherwise an appropriate
3136 value for errno should be returned.
3137*/
3138typedef int mpo_socket_check_receive_t(
3139 kauth_cred_t cred,
3140 socket_t so,
3141 struct label *socklabel
3142);
3143
3144/**
3145 @brief Access control check for socket receive
3146 @param cred Subject credential
3147 @param socket Object socket
3148 @param socklabel Policy label for socket
3149 @param addr Name of the remote socket
3150
3151 Determine whether the subject identified by the credential can
3152 receive data from the remote host specified by addr.
3153
3154 @return Return 0 if access if granted, otherwise an appropriate
3155 value for errno should be returned.
3156*/
3157typedef int mpo_socket_check_received_t(
3158 kauth_cred_t cred,
3159 struct socket *sock,
3160 struct label *socklabel,
3161 struct sockaddr *saddr
3162 );
3163
3164
3165/**
3166 @brief Access control check for socket select
3167 @param cred Subject credential
3168 @param so Object socket
3169 @param socklabel Policy label for socket
3170 @param which The operation selected on: FREAD or FWRITE
3171
3172 Determine whether the subject identified by the credential can use the
3173 socket in a call to select().
3174
3175 @return Return 0 if access if granted, otherwise an appropriate
3176 value for errno should be returned.
3177*/
3178typedef int mpo_socket_check_select_t(
3179 kauth_cred_t cred,
3180 socket_t so,
3181 struct label *socklabel,
3182 int which
3183);
3184/**
3185 @brief Access control check for socket send
3186 @param cred Subject credential
3187 @param so Object socket
3188 @param socklabel Policy label for socket
3189 @param addr Address being sent to
3190
3191 Determine whether the subject identified by the credential can send
3192 data to the socket.
3193
3194 @return Return 0 if access if granted, otherwise an appropriate
3195 value for errno should be returned.
3196*/
3197typedef int mpo_socket_check_send_t(
3198 kauth_cred_t cred,
3199 socket_t so,
3200 struct label *socklabel,
3201 struct sockaddr *addr
3202);
3203/**
3204 @brief Access control check for retrieving socket status
3205 @param cred Subject credential
3206 @param so Object socket
3207 @param socklabel Policy label for so
3208
3209 Determine whether the subject identified by the credential can
3210 execute the stat() system call on the given socket.
3211
3212 @return Return 0 if access if granted, otherwise an appropriate
3213 value for errno should be returned.
3214*/
3215typedef int mpo_socket_check_stat_t(
3216 kauth_cred_t cred,
3217 socket_t so,
3218 struct label *socklabel
3219);
3220/**
3221 @brief Access control check for setting socket options
3222 @param cred Subject credential
3223 @param so Object socket
3224 @param socklabel Policy label for so
3225 @param sopt The options being set
3226
3227 Determine whether the subject identified by the credential can
3228 execute the setsockopt system call on the given socket.
3229
3230 @return Return 0 if access if granted, otherwise an appropriate
3231 value for errno should be returned.
3232*/
3233typedef int mpo_socket_check_setsockopt_t(
3234 kauth_cred_t cred,
3235 socket_t so,
3236 struct label *socklabel,
3237 struct sockopt *sopt
3238);
3239/**
3240 @brief Access control check for getting socket options
3241 @param cred Subject credential
3242 @param so Object socket
3243 @param socklabel Policy label for so
3244 @param sopt The options to get
3245
3246 Determine whether the subject identified by the credential can
3247 execute the getsockopt system call on the given socket.
3248
3249 @return Return 0 if access if granted, otherwise an appropriate
3250 value for errno should be returned.
3251*/
3252typedef int mpo_socket_check_getsockopt_t(
3253 kauth_cred_t cred,
3254 socket_t so,
3255 struct label *socklabel,
3256 struct sockopt *sopt
3257);
3258/**
3259 @brief Label a socket
3260 @param oldsock Listening socket
3261 @param oldlabel Policy label associated with oldsock
3262 @param newsock New socket
3263 @param newlabel Policy label associated with newsock
3264
3265 A new socket is created when a connection is accept(2)ed. This
3266 function labels the new socket based on the existing listen(2)ing
3267 socket.
3268*/
3269typedef void mpo_socket_label_associate_accept_t(
3270 socket_t oldsock,
3271 struct label *oldlabel,
3272 socket_t newsock,
3273 struct label *newlabel
3274);
3275/**
3276 @brief Assign a label to a new socket
3277 @param cred Credential of the owning process
3278 @param so The socket being labeled
3279 @param solabel The label
3280 @warning cred can be NULL
3281
3282 Set the label on a newly created socket from the passed subject
3283 credential. This call is made when a socket is created. The
3284 credentials may be null if the socket is being created by the
3285 kernel.
3286*/
3287typedef void mpo_socket_label_associate_t(
3288 kauth_cred_t cred,
3289 socket_t so,
3290 struct label *solabel
3291);
3292/**
3293 @brief Copy a socket label
3294 @param src Source label
3295 @param dest Destination label
3296
3297 Copy the socket label information in src into dest.
3298*/
3299typedef void mpo_socket_label_copy_t(
3300 struct label *src,
3301 struct label *dest
3302);
3303/**
3304 @brief Destroy socket label
3305 @param label The label to be destroyed
3306
3307 Destroy a socket label. Since the object is going out of
3308 scope, policy modules should free any internal storage associated
3309 with the label so that it may be destroyed.
3310*/
3311typedef void mpo_socket_label_destroy_t(
3312 struct label *label
3313);
3314/**
3315 @brief Externalize a socket label
3316 @param label Label to be externalized
3317 @param element_name Name of the label namespace for which labels should be
3318 externalized
3319 @param sb String buffer to be filled with a text representation of label
3320
3321 Produce an externalized socket label based on the label structure passed.
3322 An externalized label consists of a text representation of the label
3323 contents that can be used with userland applications and read by the
3324 user. If element_name does not match a namespace managed by the policy,
3325 simply return 0. Only return nonzero if an error occurs while externalizing
3326 the label data.
3327
3328 @return In the event of an error, an appropriate value for errno
3329 should be returned, otherwise return 0 upon success.
3330*/
3331typedef int mpo_socket_label_externalize_t(
3332 struct label *label,
3333 char *element_name,
3334 struct sbuf *sb
3335);
3336/**
3337 @brief Initialize socket label
3338 @param label New label to initialize
3339 @param waitok Malloc flags
3340
3341 Initialize the label of a newly instantiated socket. The waitok
3342 field may be one of M_WAITOK and M_NOWAIT, and should be employed to
3343 avoid performing a sleeping malloc(9) during this initialization
3344 call. It it not always safe to sleep during this entry point.
3345
3346 @warning Since it is possible for the waitok flags to be set to
3347 M_NOWAIT, the malloc operation may fail.
3348
3349 @return In the event of an error, an appropriate value for errno
3350 should be returned, otherwise return 0 upon success.
3351*/
3352typedef int mpo_socket_label_init_t(
3353 struct label *label,
3354 int waitok
3355);
3356/**
3357 @brief Internalize a socket label
3358 @param label Label to be filled in
3359 @param element_name Name of the label namespace for which the label should
3360 be internalized
3361 @param element_data Text data to be internalized
3362
3363 Produce an internal socket label structure based on externalized label
3364 data in text format.
3365
3366 The policy's internalize entry points will be called only if the
3367 policy has registered interest in the label namespace.
3368
3369 @return In the event of an error, an appropriate value for errno
3370 should be returned, otherwise return 0 upon success.
3371*/
3372typedef int mpo_socket_label_internalize_t(
3373 struct label *label,
3374 char *element_name,
3375 char *element_data
3376);
3377/**
3378 @brief Relabel socket
3379 @param cred Subject credential
3380 @param so Object; socket
3381 @param so_label Current label of the socket
3382 @param newlabel The label to be assigned to so
3383
3384 The subject identified by the credential has previously requested
3385 and was authorized to relabel the socket; this entry point allows
3386 policies to perform the actual label update operation.
3387
3388 @warning XXX This entry point will likely change in future versions.
3389*/
3390typedef void mpo_socket_label_update_t(
3391 kauth_cred_t cred,
3392 socket_t so,
3393 struct label *so_label,
3394 struct label *newlabel
3395);
3396/**
3397 @brief Set the peer label on a socket from mbuf
3398 @param m Mbuf chain received on socket so
3399 @param m_label Label for m
3400 @param so Current label for the socket
3401 @param so_label Policy label to be filled out for the socket
3402
3403 Set the peer label of a socket based on the label of the sender of the
3404 mbuf.
3405
3406 This is called for every TCP/IP packet received. The first call for a given
3407 socket operates on a newly initialized label, and subsequent calls operate
3408 on existing label data.
3409
3410 @warning Because this can affect performance significantly, it has
3411 different sematics than other 'set' operations. Typically, 'set' operations
3412 operate on newly initialzed labels and policies do not need to worry about
3413 clobbering existing values. In this case, it is too inefficient to
3414 initialize and destroy a label every time data is received for the socket.
3415 Instead, it is up to the policies to determine how to replace the label data.
3416 Most policies should be able to replace the data inline.
3417*/
3418typedef void mpo_socketpeer_label_associate_mbuf_t(
3419 struct mbuf *m,
3420 struct label *m_label,
3421 socket_t so,
3422 struct label *so_label
3423);
3424/**
3425 @brief Set the peer label on a socket from socket
3426 @param source Local socket
3427 @param sourcelabel Policy label for source
3428 @param target Peer socket
3429 @param targetlabel Policy label to fill in for target
3430
3431 Set the peer label on a stream UNIX domain socket from the passed
3432 remote socket endpoint. This call will be made when the socket pair
3433 is connected, and will be made for both endpoints.
3434
3435 Note that this call is only made on connection; it is currently not updated
3436 during communication.
3437*/
3438typedef void mpo_socketpeer_label_associate_socket_t(
3439 socket_t source,
3440 struct label *sourcelabel,
3441 socket_t target,
3442 struct label *targetlabel
3443);
3444/**
3445 @brief Destroy socket peer label
3446 @param label The peer label to be destroyed
3447
3448 Destroy a socket peer label. Since the object is going out of
3449 scope, policy modules should free any internal storage associated
3450 with the label so that it may be destroyed.
3451*/
3452typedef void mpo_socketpeer_label_destroy_t(
3453 struct label *label
3454);
3455/**
3456 @brief Externalize a socket peer label
3457 @param label Label to be externalized
3458 @param element_name Name of the label namespace for which labels should be
3459 externalized
3460 @param sb String buffer to be filled with a text representation of label
3461
3462 Produce an externalized socket peer label based on the label structure
3463 passed. An externalized label consists of a text representation of the
3464 label contents that can be used with userland applications and read by the
3465 user. If element_name does not match a namespace managed by the policy,
3466 simply return 0. Only return nonzero if an error occurs while externalizing
3467 the label data.
3468
3469 @return In the event of an error, an appropriate value for errno
3470 should be returned, otherwise return 0 upon success.
3471*/
3472typedef int mpo_socketpeer_label_externalize_t(
3473 struct label *label,
3474 char *element_name,
3475 struct sbuf *sb
3476);
3477/**
3478 @brief Initialize socket peer label
3479 @param label New label to initialize
3480 @param waitok Malloc flags
3481
3482 Initialize the peer label of a newly instantiated socket. The
3483 waitok field may be one of M_WAITOK and M_NOWAIT, and should be
3484 employed to avoid performing a sleeping malloc(9) during this
3485 initialization call. It it not always safe to sleep during this
3486 entry point.
3487
3488 @warning Since it is possible for the waitok flags to be set to
3489 M_NOWAIT, the malloc operation may fail.
3490
3491 @return In the event of an error, an appropriate value for errno
3492 should be returned, otherwise return 0 upon success.
3493*/
3494typedef int mpo_socketpeer_label_init_t(
3495 struct label *label,
3496 int waitok
3497);
3498/**
3499 @brief Access control check for enabling accounting
3500 @param cred Subject credential
3501 @param vp Accounting file
3502 @param vlabel Label associated with vp
3503
3504 Determine whether the subject should be allowed to enable accounting,
3505 based on its label and the label of the accounting log file. See
3506 acct(5) for more information.
3507
3508 As accounting is disabled by passing NULL to the acct(2) system call,
3509 the policy should be prepared for both 'vp' and 'vlabel' to be NULL.
3510
3511 @return Return 0 if access is granted, otherwise an appropriate value for
3512 errno should be returned.
3513*/
3514typedef int mpo_system_check_acct_t(
3515 kauth_cred_t cred,
3516 struct vnode *vp,
3517 struct label *vlabel
3518);
3519/**
3520 @brief Access control check for audit
3521 @param cred Subject credential
3522 @param record Audit record
3523 @param length Audit record length
3524
3525 Determine whether the subject identified by the credential can submit
3526 an audit record for inclusion in the audit log via the audit() system call.
3527
3528 @return Return 0 if access is granted, otherwise an appropriate value for
3529 errno should be returned.
3530*/
3531typedef int mpo_system_check_audit_t(
3532 kauth_cred_t cred,
3533 void *record,
3534 int length
3535);
3536/**
3537 @brief Access control check for controlling audit
3538 @param cred Subject credential
3539 @param vp Audit file
3540 @param vl Label associated with vp
3541
3542 Determine whether the subject should be allowed to enable auditing using
3543 the auditctl() system call, based on its label and the label of the proposed
3544 audit file.
3545
3546 @return Return 0 if access is granted, otherwise an appropriate value for
3547 errno should be returned.
3548*/
3549typedef int mpo_system_check_auditctl_t(
3550 kauth_cred_t cred,
3551 struct vnode *vp,
3552 struct label *vl
3553);
3554/**
3555 @brief Access control check for manipulating auditing
3556 @param cred Subject credential
3557 @param cmd Audit control command
3558
3559 Determine whether the subject identified by the credential can perform
3560 the audit subsystem control operation cmd via the auditon() system call.
3561
3562 @return Return 0 if access is granted, otherwise an appropriate value for
3563 errno should be returned.
3564*/
3565typedef int mpo_system_check_auditon_t(
3566 kauth_cred_t cred,
3567 int cmd
3568);
6d2010ae
A		 3569/**
3570 @brief Access control check for using CHUD facilities
3571 @param cred Subject credential
3572
3573 Determine whether the subject identified by the credential can perform
3574 performance-related tasks using the CHUD system call.
3575
3576 @return Return 0 if access is granted, otherwise an appropriate value for
3577 errno should be returned.
3578*/
3579typedef int mpo_system_check_chud_t(
3580 kauth_cred_t cred
3581);
2d21ac55
A		 3582/**
3583 @brief Access control check for obtaining the host control port
3584 @param cred Subject credential
3585
3586 Determine whether the subject identified by the credential can
3587 obtain the host control port.
3588
3589 @return Return 0 if access is granted, or non-zero otherwise.
3590*/
3591typedef int mpo_system_check_host_priv_t(
3592 kauth_cred_t cred
3593);
39236c6e
A		 3594/**
3595 @brief Access control check for obtaining system information
3596 @param cred Subject credential
3597 @param info_type A description of the information requested
3598
3599 Determine whether the subject identified by the credential should be
3600 allowed to obtain information about the system.
3601
3602 This is a generic hook that can be used in a variety of situations where
3603 information is being returned that might be considered sensitive.
3604 Rather than adding a new MAC hook for every such interface, this hook can
3605 be called with a string identifying the type of information requested.
3606
3607 @return Return 0 if access is granted, otherwise an appropriate value for
3608 errno should be returned.
3609*/
3610typedef int mpo_system_check_info_t(
3611 kauth_cred_t cred,
3612 const char *info_type
3613);
2d21ac55
A		 3614/**
3615 @brief Access control check for calling NFS services
3616 @param cred Subject credential
3617
3618 Determine whether the subject identified by the credential should be
3619 allowed to call nfssrv(2).
3620
3621 @return Return 0 if access is granted, otherwise an appropriate value for
3622 errno should be returned.
3623*/
3624typedef int mpo_system_check_nfsd_t(
3625 kauth_cred_t cred
3626);
3627/**
3628 @brief Access control check for reboot
3629 @param cred Subject credential
3630 @param howto howto parameter from reboot(2)
3631
3632 Determine whether the subject identified by the credential should be
3633 allowed to reboot the system in the specified manner.
3634
3635 @return Return 0 if access is granted, otherwise an appropriate value for
3636 errno should be returned.
3637*/
3638typedef int mpo_system_check_reboot_t(
3639 kauth_cred_t cred,
3640 int howto
3641);
3642/**
3643 @brief Access control check for setting system clock
3644 @param cred Subject credential
3645
3646 Determine whether the subject identified by the credential should be
3647 allowed to set the system clock.
3648
3649 @return Return 0 if access is granted, otherwise an appropriate value for
3650 errno should be returned.
3651*/
3652typedef int mpo_system_check_settime_t(
3653 kauth_cred_t cred
3654);
3655/**
3656 @brief Access control check for removing swap devices
3657 @param cred Subject credential
3658 @param vp Swap device
3659 @param label Label associated with vp
3660
3661 Determine whether the subject identified by the credential should be
3662 allowed to remove vp as a swap device.
3663
3664 @return Return 0 if access is granted, otherwise an appropriate value for
3665 errno should be returned.
3666*/
3667typedef int mpo_system_check_swapoff_t(
3668 kauth_cred_t cred,
3669 struct vnode *vp,
3670 struct label *label
3671);
3672/**
3673 @brief Access control check for adding swap devices
3674 @param cred Subject credential
3675 @param vp Swap device
3676 @param label Label associated with vp
3677
3678 Determine whether the subject identified by the credential should be
3679 allowed to add vp as a swap device.
3680
3681 @return Return 0 if access is granted, otherwise an appropriate value for
3682 errno should be returned.
3683*/
3684typedef int mpo_system_check_swapon_t(
3685 kauth_cred_t cred,
3686 struct vnode *vp,
3687 struct label *label
3688);
3689/**
3690 @brief Access control check for sysctl
3691 @param cred Subject credential
fe8ab488 3692 @param namestring String representation of sysctl name.
2d21ac55
A		 3693 @param name Integer name; see sysctl(3)
3694 @param namelen Length of name array of integers; see sysctl(3)
3695 @param old 0 or address where to store old value; see sysctl(3)
fe8ab488 3696 @param oldlen Length of old buffer; see sysctl(3)
2d21ac55
A		 3697 @param newvalue 0 or address of new value; see sysctl(3)
3698 @param newlen Length of new buffer; see sysctl(3)
3699
3700 Determine whether the subject identified by the credential should be
3701 allowed to make the specified sysctl(3) transaction.
3702
3703 The sysctl(3) call specifies that if the old value is not desired,
3704 oldp and oldlenp should be set to NULL. Likewise, if a new value is
3705 not to be set, newp should be set to NULL and newlen set to 0.
3706
3707 @return Return 0 if access is granted, otherwise an appropriate value for
3708 errno should be returned.
3709*/
fe8ab488 3710typedef int mpo_system_check_sysctlbyname_t(
2d21ac55 3711 kauth_cred_t cred,
fe8ab488 3712 const char *namestring,
2d21ac55
A		 3713 int *name,
3714 u_int namelen,
3715 user_addr_t old, /* NULLOK */
fe8ab488 3716 size_t oldlen,
2d21ac55
A		 3717 user_addr_t newvalue, /* NULLOK */
3718 size_t newlen
3719);
316670eb
A		 3720/**
3721 @brief Access control check for kas_info
3722 @param cred Subject credential
3723 @param selector Category of information to return. See kas_info.h
3724
3725 Determine whether the subject identified by the credential can perform
3726 introspection of the kernel address space layout for
3727 debugging/performance analysis.
3728
3729 @return Return 0 if access is granted, otherwise an appropriate value for
3730 errno should be returned.
3731*/
3732typedef int mpo_system_check_kas_info_t(
3733 kauth_cred_t cred,
3734 int selector
3735);
2d21ac55
A		 3736/**
3737 @brief Create a System V message label
3738 @param cred Subject credential
3739 @param msqkptr The message queue the message will be placed in
3740 @param msqlabel The label of the message queue
3741 @param msgptr The message
3742 @param msglabel The label of the message
3743
3744 Label the message as its placed in the message queue.
3745*/
3746typedef void mpo_sysvmsg_label_associate_t(
3747 kauth_cred_t cred,
3748 struct msqid_kernel *msqptr,
3749 struct label *msqlabel,
3750 struct msg *msgptr,
3751 struct label *msglabel
3752);
3753/**
3754 @brief Destroy System V message label
3755 @param label The label to be destroyed
3756
3757 Destroy a System V message label. Since the object is
3758 going out of scope, policy modules should free any internal storage
3759 associated with the label so that it may be destroyed.
3760*/
3761typedef void mpo_sysvmsg_label_destroy_t(
3762 struct label *label
3763);
3764/**
3765 @brief Initialize System V message label
3766 @param label New label to initialize
3767
3768 Initialize the label for a newly instantiated System V message.
3769*/
3770typedef void mpo_sysvmsg_label_init_t(
3771 struct label *label
3772);
3773/**
3774 @brief Clean up a System V message label
3775 @param label The label to be destroyed
3776
3777 Clean up a System V message label. Darwin pre-allocates
3778 messages at system boot time and re-uses them rather than
3779 allocating new ones. Before messages are returned to the "free
3780 pool", policies can cleanup or overwrite any information present in
3781 the label.
3782*/
3783typedef void mpo_sysvmsg_label_recycle_t(
3784 struct label *label
3785);
3786/**
3787 @brief Access control check for System V message enqueuing
3788 @param cred Subject credential
3789 @param msgptr The message
3790 @param msglabel The message's label
3791 @param msqkptr The message queue
3792 @param msqlabel The message queue's label
3793
3794 Determine whether the subject identified by the credential can add the
3795 given message to the given message queue.
3796
3797 @return Return 0 if access is granted, otherwise an appropriate value for
3798 errno should be returned.
3799*/
3800typedef int mpo_sysvmsq_check_enqueue_t(
3801 kauth_cred_t cred,
3802 struct msg *msgptr,
3803 struct label *msglabel,
3804 struct msqid_kernel *msqptr,
3805 struct label *msqlabel
3806);
3807/**
3808 @brief Access control check for System V message reception
3809 @param cred The credential of the intended recipient
3810 @param msgptr The message
3811 @param msglabel The message's label
3812
3813 Determine whether the subject identified by the credential can receive
3814 the given message.
3815
3816 @return Return 0 if access is granted, otherwise an appropriate value for
3817 errno should be returned.
3818*/
3819typedef int mpo_sysvmsq_check_msgrcv_t(
3820 kauth_cred_t cred,
3821 struct msg *msgptr,
3822 struct label *msglabel
3823);
3824/**
3825 @brief Access control check for System V message queue removal
3826 @param cred The credential of the caller
3827 @param msgptr The message
3828 @param msglabel The message's label
3829
3830 System V message queues are removed using the msgctl() system call.
3831 The system will iterate over each messsage in the queue, calling this
3832 function for each, to determine whether the caller has the appropriate
3833 credentials.
3834
3835 @return Return 0 if access is granted, otherwise an appropriate value for
3836 errno should be returned.
3837*/
3838typedef int mpo_sysvmsq_check_msgrmid_t(
3839 kauth_cred_t cred,
3840 struct msg *msgptr,
3841 struct label *msglabel
3842);
3843/**
3844 @brief Access control check for msgctl()
3845 @param cred The credential of the caller
3846 @param msqptr The message queue
3847 @param msqlabel The message queue's label
3848
3849 This access check is performed to validate calls to msgctl().
3850
3851 @return Return 0 if access is granted, otherwise an appropriate value for
3852 errno should be returned.
3853*/
3854typedef int mpo_sysvmsq_check_msqctl_t(
3855 kauth_cred_t cred,
3856 struct msqid_kernel *msqptr,
3857 struct label *msqlabel,
3858 int cmd
3859);
3860/**
3861 @brief Access control check to get a System V message queue
3862 @param cred The credential of the caller
3863 @param msqptr The message queue requested
3864 @param msqlabel The message queue's label
3865
3866 On a call to msgget(), if the queue requested already exists,
3867 and it is a public queue, this check will be performed before the
3868 queue's ID is returned to the user.
3869
3870 @return Return 0 if access is granted, otherwise an appropriate value for
3871 errno should be returned.
3872*/
3873typedef int mpo_sysvmsq_check_msqget_t(
3874 kauth_cred_t cred,
3875 struct msqid_kernel *msqptr,
3876 struct label *msqlabel
3877);
3878/**
3879 @brief Access control check to receive a System V message from the given queue
3880 @param cred The credential of the caller
3881 @param msqptr The message queue to receive from
3882 @param msqlabel The message queue's label
3883
3884 On a call to msgrcv(), this check is performed to determine whether the
3885 caller has receive rights on the given queue.
3886
3887 @return Return 0 if access is granted, otherwise an appropriate value for
3888 errno should be returned.
3889*/
3890typedef int mpo_sysvmsq_check_msqrcv_t(
3891 kauth_cred_t cred,
3892 struct msqid_kernel *msqptr,
3893 struct label *msqlabel
3894);
3895/**
3896 @brief Access control check to send a System V message to the given queue
3897 @param cred The credential of the caller
3898 @param msqptr The message queue to send to
3899 @param msqlabel The message queue's label
3900
3901 On a call to msgsnd(), this check is performed to determine whether the
3902 caller has send rights on the given queue.
3903
3904 @return Return 0 if access is granted, otherwise an appropriate value for
3905 errno should be returned.
3906*/
3907typedef int mpo_sysvmsq_check_msqsnd_t(
3908 kauth_cred_t cred,
3909 struct msqid_kernel *msqptr,
3910 struct label *msqlabel
3911);
3912/**
3913 @brief Create a System V message queue label
3914 @param cred Subject credential
3915 @param msqkptr The message queue
3916 @param msqlabel The label of the message queue
3917
3918*/
3919typedef void mpo_sysvmsq_label_associate_t(
3920 kauth_cred_t cred,
3921 struct msqid_kernel *msqptr,
3922 struct label *msqlabel
3923);
3924/**
3925 @brief Destroy System V message queue label
3926 @param label The label to be destroyed
3927
3928 Destroy a System V message queue label. Since the object is
3929 going out of scope, policy modules should free any internal storage
3930 associated with the label so that it may be destroyed.
3931*/
3932typedef void mpo_sysvmsq_label_destroy_t(
3933 struct label *label
3934);
3935/**
3936 @brief Initialize System V message queue label
3937 @param label New label to initialize
3938
3939 Initialize the label for a newly instantiated System V message queue.
3940*/
3941typedef void mpo_sysvmsq_label_init_t(
3942 struct label *label
3943);
3944/**
3945 @brief Clean up a System V message queue label
3946 @param label The label to be destroyed
3947
3948 Clean up a System V message queue label. Darwin pre-allocates
3949 message queues at system boot time and re-uses them rather than
3950 allocating new ones. Before message queues are returned to the "free
3951 pool", policies can cleanup or overwrite any information present in
3952 the label.
3953*/
3954typedef void mpo_sysvmsq_label_recycle_t(
3955 struct label *label
3956);
3957/**
3958 @brief Access control check for System V semaphore control operation
3959 @param cred Subject credential
3960 @param semakptr Pointer to semaphore identifier
3961 @param semaklabel Label associated with semaphore
3962 @param cmd Control operation to be performed; see semctl(2)
3963
3964 Determine whether the subject identified by the credential can perform
3965 the operation indicated by cmd on the System V semaphore semakptr.
3966
3967 @return Return 0 if access is granted, otherwise an appropriate value for
3968 errno should be returned.
3969*/
3970typedef int mpo_sysvsem_check_semctl_t(
3971 kauth_cred_t cred,
3972 struct semid_kernel *semakptr,
3973 struct label *semaklabel,
3974 int cmd
3975);
3976/**
3977 @brief Access control check for obtaining a System V semaphore
3978 @param cred Subject credential
3979 @param semakptr Pointer to semaphore identifier
3980 @param semaklabel Label to associate with the semaphore
3981
3982 Determine whether the subject identified by the credential can
3983 obtain a System V semaphore.
3984
3985 @return Return 0 if access is granted, otherwise an appropriate value for
3986 errno should be returned.
3987*/
3988typedef int mpo_sysvsem_check_semget_t(
3989 kauth_cred_t cred,
3990 struct semid_kernel *semakptr,
3991 struct label *semaklabel
3992);
3993/**
3994 @brief Access control check for System V semaphore operations
3995 @param cred Subject credential
3996 @param semakptr Pointer to semaphore identifier
3997 @param semaklabel Label associated with the semaphore
3998 @param accesstype Flags to indicate access (read and/or write)
3999
4000 Determine whether the subject identified by the credential can
4001 perform the operations on the System V semaphore indicated by
4002 semakptr. The accesstype flags hold the maximum set of permissions
4003 from the sem_op array passed to the semop system call. It may
4004 contain SEM_R for read-only operations or SEM_A for read/write
4005 operations.
4006
4007 @return Return 0 if access is granted, otherwise an appropriate value for
4008 errno should be returned.
4009*/
4010typedef int mpo_sysvsem_check_semop_t(
4011 kauth_cred_t cred,
4012 struct semid_kernel *semakptr,
4013 struct label *semaklabel,
4014 size_t accesstype
4015);
4016/**
4017 @brief Create a System V semaphore label
4018 @param cred Subject credential
4019 @param semakptr The semaphore being created
4020 @param semalabel Label to associate with the new semaphore
4021
4022 Label a new System V semaphore. The label was previously
4023 initialized and associated with the semaphore. At this time, an
4024 appropriate initial label value should be assigned to the object and
4025 stored in semalabel.
4026*/
4027typedef void mpo_sysvsem_label_associate_t(
4028 kauth_cred_t cred,
4029 struct semid_kernel *semakptr,
4030 struct label *semalabel
4031);
4032/**
4033 @brief Destroy System V semaphore label
4034 @param label The label to be destroyed
4035
4036 Destroy a System V semaphore label. Since the object is
4037 going out of scope, policy modules should free any internal storage
4038 associated with the label so that it may be destroyed.
4039*/
4040typedef void mpo_sysvsem_label_destroy_t(
4041 struct label *label
4042);
4043/**
4044 @brief Initialize System V semaphore label
4045 @param label New label to initialize
4046
4047 Initialize the label for a newly instantiated System V semaphore. Sleeping
4048 is permitted.
4049*/
4050typedef void mpo_sysvsem_label_init_t(
4051 struct label *label
4052);
4053/**
4054 @brief Clean up a System V semaphore label
4055 @param label The label to be cleaned
4056
4057 Clean up a System V semaphore label. Darwin pre-allocates
4058 semaphores at system boot time and re-uses them rather than
4059 allocating new ones. Before semaphores are returned to the "free
4060 pool", policies can cleanup or overwrite any information present in
4061 the label.
4062*/
4063typedef void mpo_sysvsem_label_recycle_t(
4064 struct label *label
4065);
4066/**
4067 @brief Access control check for mapping System V shared memory
4068 @param cred Subject credential
4069 @param shmsegptr Pointer to shared memory segment identifier
4070 @param shmseglabel Label associated with the shared memory segment
4071 @param shmflg shmat flags; see shmat(2)
4072
4073 Determine whether the subject identified by the credential can map
4074 the System V shared memory segment associated with shmsegptr.
4075
4076 @return Return 0 if access is granted, otherwise an appropriate value for
4077 errno should be returned.
4078*/
4079typedef int mpo_sysvshm_check_shmat_t(
4080 kauth_cred_t cred,
4081 struct shmid_kernel *shmsegptr,
4082 struct label *shmseglabel,
4083 int shmflg
4084);
4085/**
4086 @brief Access control check for System V shared memory control operation
4087 @param cred Subject credential
4088 @param shmsegptr Pointer to shared memory segment identifier
4089 @param shmseglabel Label associated with the shared memory segment
4090 @param cmd Control operation to be performed; see shmctl(2)
4091
4092 Determine whether the subject identified by the credential can perform
4093 the operation indicated by cmd on the System V shared memory segment
4094 shmsegptr.
4095
4096 @return Return 0 if access is granted, otherwise an appropriate value for
4097 errno should be returned.
4098*/
4099typedef int mpo_sysvshm_check_shmctl_t(
4100 kauth_cred_t cred,
4101 struct shmid_kernel *shmsegptr,
4102 struct label *shmseglabel,
4103 int cmd
4104);
4105/**
4106 @brief Access control check for unmapping System V shared memory
4107 @param cred Subject credential
4108 @param shmsegptr Pointer to shared memory segment identifier
4109 @param shmseglabel Label associated with the shared memory segment
4110
4111 Determine whether the subject identified by the credential can unmap
4112 the System V shared memory segment associated with shmsegptr.
4113
4114 @return Return 0 if access is granted, otherwise an appropriate value for
4115 errno should be returned.
4116*/
4117typedef int mpo_sysvshm_check_shmdt_t(
4118 kauth_cred_t cred,
4119 struct shmid_kernel *shmsegptr,
4120 struct label *shmseglabel
4121);
4122/**
4123 @brief Access control check obtaining System V shared memory identifier
4124 @param cred Subject credential
4125 @param shmsegptr Pointer to shared memory segment identifier
4126 @param shmseglabel Label associated with the shared memory segment
4127 @param shmflg shmget flags; see shmget(2)
4128
4129 Determine whether the subject identified by the credential can get
4130 the System V shared memory segment address.
4131
4132 @return Return 0 if access is granted, otherwise an appropriate value for
4133 errno should be returned.
4134*/
4135typedef int mpo_sysvshm_check_shmget_t(
4136 kauth_cred_t cred,
4137 struct shmid_kernel *shmsegptr,
4138 struct label *shmseglabel,
4139 int shmflg
4140);
4141/**
4142 @brief Create a System V shared memory region label
4143 @param cred Subject credential
4144 @param shmsegptr The shared memory region being created
4145 @param shmlabel Label to associate with the new shared memory region
4146
4147 Label a new System V shared memory region. The label was previously
4148 initialized and associated with the shared memory region. At this
4149 time, an appropriate initial label value should be assigned to the
4150 object and stored in shmlabel.
4151*/
4152typedef void mpo_sysvshm_label_associate_t(
4153 kauth_cred_t cred,
4154 struct shmid_kernel *shmsegptr,
4155 struct label *shmlabel
4156);
4157/**
4158 @brief Destroy System V shared memory label
4159 @param label The label to be destroyed
4160
4161 Destroy a System V shared memory region label. Since the
4162 object is going out of scope, policy modules should free any
4163 internal storage associated with the label so that it may be
4164 destroyed.
4165*/
4166typedef void mpo_sysvshm_label_destroy_t(
4167 struct label *label
4168);
4169/**
4170 @brief Initialize System V Shared Memory region label
4171 @param label New label to initialize
4172
4173 Initialize the label for a newly instantiated System V Shared Memory
4174 region. Sleeping is permitted.
4175*/
4176typedef void mpo_sysvshm_label_init_t(
4177 struct label *label
4178);
4179/**
4180 @brief Clean up a System V Share Memory Region label
4181 @param shmlabel The label to be cleaned
4182
4183 Clean up a System V Shared Memory Region label. Darwin
4184 pre-allocates these objects at system boot time and re-uses them
4185 rather than allocating new ones. Before the memory regions are
4186 returned to the "free pool", policies can cleanup or overwrite any
4187 information present in the label.
4188*/
4189typedef void mpo_sysvshm_label_recycle_t(
4190 struct label *shmlabel
4191);
4192/**
4193 @brief Access control check for getting a process's task name
4194 @param cred Subject credential
4195 @param proc Object process
4196
4197 Determine whether the subject identified by the credential can get
4198 the passed process's task name port.
4199 This call is used by the task_name_for_pid(2) API.
4200
4201 @return Return 0 if access is granted, otherwise an appropriate value for
4202 errno should be returned. Suggested failure: EACCES for label mismatch,
4203 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4204*/
4205typedef int mpo_proc_check_get_task_name_t(
4206 kauth_cred_t cred,
4207 struct proc *p
4208);
4209/**
4210 @brief Access control check for getting a process's task port
4211 @param cred Subject credential
4212 @param proc Object process
4213
4214 Determine whether the subject identified by the credential can get
4215 the passed process's task control port.
4216 This call is used by the task_for_pid(2) API.
4217
4218 @return Return 0 if access is granted, otherwise an appropriate value for
4219 errno should be returned. Suggested failure: EACCES for label mismatch,
4220 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4221*/
4222typedef int mpo_proc_check_get_task_t(
4223 kauth_cred_t cred,
4224 struct proc *p
4225);
fe8ab488 4226
3e170ce0
A		 4227/**
4228 @brief Access control check for exposing a process's task port
4229 @param cred Subject credential
4230 @param proc Object process
4231
4232 Determine whether the subject identified by the credential can expose
4233 the passed process's task control port.
4234 This call is used by the accessor APIs like processor_set_tasks() and
4235 processor_set_threads().
4236
4237 @return Return 0 if access is granted, otherwise an appropriate value for
4238 errno should be returned. Suggested failure: EACCES for label mismatch,
4239 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4240*/
4241typedef int mpo_proc_check_expose_task_t(
4242 kauth_cred_t cred,
4243 struct proc *p
4244);
4245
fe8ab488
A		 4246/**
4247 @brief Check whether task's IPC may inherit across process exec
4248 @param proc current process instance
4249 @param cur_vp vnode pointer to current instance
4250 @param cur_offset offset of binary of currently executing image
4251 @param img_vp vnode pointer to to be exec'ed image
4252 @param img_offset offset into file which is selected for execution
4253 @param scriptvp vnode pointer of script file if any.
4254 @return Return 0 if access is granted.
4255 EPERM if parent does not have any entitlements.
4256 EACCESS if mismatch in entitlements
4257*/
4258typedef int mpo_proc_check_inherit_ipc_ports_t(
4259 struct proc *p,
3e170ce0
A		 4260 struct vnode *cur_vp,
4261 off_t cur_offset,
4262 struct vnode *img_vp,
4263 off_t img_offset,
4264 struct vnode *scriptvp
fe8ab488
A		 4265);
4266
593a1d5f 4267/**
b0d623f7 4268 @brief Privilege check for a process to run invalid
593a1d5f
A		 4269 @param proc Object process
4270
b0d623f7
A		 4271 Determine whether the process may execute even though the system determined
4272 that it is untrusted (eg unidentified / modified code).
593a1d5f
A		 4273
4274 @return Return 0 if access is granted, otherwise an appropriate value for
4275 errno should be returned.
4276 */
3e170ce0 4277typedef int mpo_proc_check_run_cs_invalid_t(
593a1d5f
A		 4278 struct proc *p
4279);
4280
316670eb
A		 4281/**
4282 @brief Perform MAC-related events when a thread returns to user space
4283 @param thread Mach (not BSD) thread that is returning
4284
4285 This entry point permits policy modules to perform MAC-related
4286 events when a thread returns to user space, via a system call
4287 return or trap return.
4288*/
4289typedef void mpo_thread_userret_t(
4290 struct thread *thread
4291);
316670eb 4292
2d21ac55
A		 4293/**
4294 @brief Check vnode access
4295 @param cred Subject credential
4296 @param vp Object vnode
4297 @param label Label for vp
4298 @param acc_mode access(2) flags
4299
4300 Determine how invocations of access(2) and related calls by the
4301 subject identified by the credential should return when performed
4302 on the passed vnode using the passed access flags. This should
4303 generally be implemented using the same semantics used in
4304 mpo_vnode_check_open.
4305
4306 @return Return 0 if access is granted, otherwise an appropriate value for
4307 errno should be returned. Suggested failure: EACCES for label mismatch or
4308 EPERM for lack of privilege.
4309*/
4310typedef int mpo_vnode_check_access_t(
4311 kauth_cred_t cred,
4312 struct vnode *vp,
4313 struct label *label,
4314 int acc_mode
4315);
4316/**
4317 @brief Access control check for changing working directory
4318 @param cred Subject credential
4319 @param dvp Object; vnode to chdir(2) into
4320 @param dlabel Policy label for dvp
4321
4322 Determine whether the subject identified by the credential can change
4323 the process working directory to the passed vnode.
4324
4325 @return Return 0 if access is granted, otherwise an appropriate value for
4326 errno should be returned. Suggested failure: EACCES for label mismatch or
4327 EPERM for lack of privilege.
4328*/
4329typedef int mpo_vnode_check_chdir_t(
4330 kauth_cred_t cred,
4331 struct vnode *dvp,
4332 struct label *dlabel
4333);
4334/**
4335 @brief Access control check for changing root directory
4336 @param cred Subject credential
4337 @param dvp Directory vnode
4338 @param dlabel Policy label associated with dvp
4339 @param cnp Component name for dvp
4340
4341 Determine whether the subject identified by the credential should be
4342 allowed to chroot(2) into the specified directory (dvp).
4343
4344 @return In the event of an error, an appropriate value for errno
4345 should be returned, otherwise return 0 upon success.
4346*/
4347typedef int mpo_vnode_check_chroot_t(
4348 kauth_cred_t cred,
4349 struct vnode *dvp,
4350 struct label *dlabel,
4351 struct componentname *cnp
4352);
4353/**
4354 @brief Access control check for creating vnode
4355 @param cred Subject credential
4356 @param dvp Directory vnode
4357 @param dlabel Policy label for dvp
4358 @param cnp Component name for dvp
4359 @param vap vnode attributes for vap
4360
4361 Determine whether the subject identified by the credential can create
4362 a vnode with the passed parent directory, passed name information,
4363 and passed attribute information. This call may be made in a number of
4364 situations, including as a result of calls to open(2) with O_CREAT,
4365 mknod(2), mkfifo(2), and others.
4366
4367 @return Return 0 if access is granted, otherwise an appropriate value for
4368 errno should be returned. Suggested failure: EACCES for label mismatch or
4369 EPERM for lack of privilege.
4370*/
4371typedef int mpo_vnode_check_create_t(
4372 kauth_cred_t cred,
4373 struct vnode *dvp,
4374 struct label *dlabel,
4375 struct componentname *cnp,
4376 struct vnode_attr *vap
4377);
4378/**
4379 @brief Access control check for deleting extended attribute
4380 @param cred Subject credential
4381 @param vp Object vnode
4382 @param vlabel Label associated with vp
4383 @param name Extended attribute name
4384
4385 Determine whether the subject identified by the credential can delete
4386 the extended attribute from the passed vnode.
4387
4388 @return Return 0 if access is granted, otherwise an appropriate value for
4389 errno should be returned. Suggested failure: EACCES for label mismatch or
4390 EPERM for lack of privilege.
4391*/
4392typedef int mpo_vnode_check_deleteextattr_t(
4393 kauth_cred_t cred,
4394 struct vnode *vp,
4395 struct label *vlabel,
4396 const char *name
4397);
4398/**
4399 @brief Access control check for exchanging file data
4400 @param cred Subject credential
4401 @param v1 vnode 1 to swap
4402 @param vl1 Policy label for v1
4403 @param v2 vnode 2 to swap
4404 @param vl2 Policy label for v2
4405
4406 Determine whether the subject identified by the credential can swap the data
4407 in the two supplied vnodes.
4408
4409 @return Return 0 if access is granted, otherwise an appropriate value for
4410 errno should be returned. Suggested failure: EACCES for label mismatch or
4411 EPERM for lack of privilege.
4412*/
4413typedef int mpo_vnode_check_exchangedata_t(
4414 kauth_cred_t cred,
4415 struct vnode *v1,
4416 struct label *vl1,
4417 struct vnode *v2,
4418 struct label *vl2
4419);
4420/**
4421 @brief Access control check for executing the vnode
4422 @param cred Subject credential
4423 @param vp Object vnode to execute
fe8ab488
A		 4424 @param scriptvp Script being executed by interpreter, if any.
4425 @param vnodelabel Label corresponding to vp
4426 @param scriptvnodelabel Script vnode label
2d21ac55
A		 4427 @param execlabel Userspace provided execution label
4428 @param cnp Component name for file being executed
39236c6e
A		 4429 @param macpolicyattr MAC policy-specific spawn attribute data.
4430 @param macpolicyattrlen Length of policy-specific spawn attribute data.
2d21ac55
A		 4431
4432 Determine whether the subject identified by the credential can execute
4433 the passed vnode. Determination of execute privilege is made separately
4434 from decisions about any process label transitioning event.
4435
4436 The final label, execlabel, corresponds to a label supplied by a
4437 user space application through the use of the mac_execve system call.
4438 This label will be NULL if the user application uses the the vendor
4439 execve(2) call instead of the MAC Framework mac_execve() call.
4440
4441 @return Return 0 if access is granted, otherwise an appropriate value for
4442 errno should be returned. Suggested failure: EACCES for label mismatch or
4443 EPERM for lack of privilege.
4444*/
4445typedef int mpo_vnode_check_exec_t(
4446 kauth_cred_t cred,
4447 struct vnode *vp,
fe8ab488
A		 4448 struct vnode *scriptvp,
4449 struct label *vnodelabel,
4450 struct label *scriptlabel,
2d21ac55
A		 4451 struct label *execlabel, /* NULLOK */
4452 struct componentname *cnp,
39236c6e
A		 4453 u_int *csflags,
4454 void *macpolicyattr,
4455 size_t macpolicyattrlen
2d21ac55 4456);
6d2010ae
A		 4457/**
4458 @brief Access control check for fsgetpath
4459 @param cred Subject credential
4460 @param vp Vnode for which a path will be returned
4461 @param label Label associated with the vnode
4462
4463 Determine whether the subject identified by the credential can get the path
4464 of the given vnode with fsgetpath.
4465
4466 @return Return 0 if access is granted, otherwise an appropriate value for
4467 errno should be returned.
4468*/
4469typedef int mpo_vnode_check_fsgetpath_t(
4470 kauth_cred_t cred,
4471 struct vnode *vp,
4472 struct label *label
4473);
593a1d5f
A		 4474/**
4475 @brief Access control check after determining the code directory hash
4476 */
4477typedef int mpo_vnode_check_signature_t(struct vnode *vp, struct label *label,
fe8ab488
A		 4478 off_t macho_offset, unsigned char *sha1,
4479 const void *signature, int size,
c18c124e 4480 int flags, int *is_platform_binary);
593a1d5f 4481
2d21ac55
A		 4482/**
4483 @brief Access control check for retrieving file attributes
4484 @param cred Subject credential
4485 @param vp Object vnode
4486 @param vlabel Policy label for vp
4487 @param alist List of attributes to retrieve
4488
4489 Determine whether the subject identified by the credential can read
4490 various attributes of the specified vnode, or the filesystem or volume on
4491 which that vnode resides. See <sys/attr.h> for definitions of the
4492 attributes.
4493
4494 @return Return 0 if access is granted, otherwise an appropriate value for
4495 errno should be returned. Suggested failure: EACCES for label mismatch or
4496 EPERM for lack of privilege. Access control covers all attributes requested
4497 with this call; the security policy is not permitted to change the set of
4498 attributes requested.
4499*/
4500typedef int mpo_vnode_check_getattrlist_t(
4501 kauth_cred_t cred,
4502 struct vnode *vp,
4503 struct label *vlabel,
4504 struct attrlist *alist
4505);
4506/**
4507 @brief Access control check for retrieving an extended attribute
4508 @param cred Subject credential
4509 @param vp Object vnode
4510 @param label Policy label for vp
4511 @param name Extended attribute name
4512 @param uio I/O structure pointer
4513
4514 Determine whether the subject identified by the credential can retrieve
4515 the extended attribute from the passed vnode. The uio parameter
4516 will be NULL when the getxattr(2) call has been made with a NULL data
4517 value; this is done to request the size of the data only.
4518
4519 @return Return 0 if access is granted, otherwise an appropriate value for
4520 errno should be returned. Suggested failure: EACCES for label mismatch or
4521 EPERM for lack of privilege.
4522*/
4523typedef int mpo_vnode_check_getextattr_t(
4524 kauth_cred_t cred,
4525 struct vnode *vp,
4526 struct label *label, /* NULLOK */
4527 const char *name,
4528 struct uio *uio /* NULLOK */
4529);
4530/**
4531 @brief Access control check for ioctl
4532 @param cred Subject credential
4533 @param vp Object vnode
4534 @param label Policy label for vp
4535 @param com Device-dependent request code; see ioctl(2)
4536
4537 Determine whether the subject identified by the credential can perform
4538 the ioctl operation indicated by com.
4539
4540 @warning Since ioctl data is opaque from the standpoint of the MAC
4541 framework, and since ioctls can affect many aspects of system
4542 operation, policies must exercise extreme care when implementing
4543 access control checks.
4544
4545 @return Return 0 if access is granted, otherwise an appropriate value for
4546 errno should be returned.
4547*/
4548typedef int mpo_vnode_check_ioctl_t(
4549 kauth_cred_t cred,
4550 struct vnode *vp,
4551 struct label *label,
4552 unsigned int cmd
4553);
4554/**
4555 @brief Access control check for vnode kqfilter
4556 @param cred Subject credential
4557 @param kn Object knote
4558 @param vp Object vnode
4559 @param label Policy label for vp
4560
4561 Determine whether the subject identified by the credential can
4562 receive the knote on the passed vnode.
4563
4564 @return Return 0 if access if granted, otherwise an appropriate
4565 value for errno should be returned.
4566*/
4567typedef int mpo_vnode_check_kqfilter_t(
4568 kauth_cred_t active_cred,
4569 kauth_cred_t file_cred, /* NULLOK */
4570 struct knote *kn,
4571 struct vnode *vp,
4572 struct label *label
4573);
4574/**
4575 @brief Access control check for relabel
4576 @param cred Subject credential
4577 @param vp Object vnode
4578 @param vnodelabel Existing policy label for vp
4579 @param newlabel Policy label update to later be applied to vp
4580 @see mpo_relable_vnode_t
4581
4582 Determine whether the subject identified by the credential can relabel
4583 the passed vnode to the passed label update. If all policies permit
4584 the label change, the actual relabel entry point (mpo_vnode_label_update)
4585 will follow.
4586
4587 @return Return 0 if access is granted, otherwise an appropriate value for
4588 errno should be returned.
4589*/
4590typedef int mpo_vnode_check_label_update_t(
4591 struct ucred *cred,
4592 struct vnode *vp,
4593 struct label *vnodelabel,
4594 struct label *newlabel
4595);
4596/**
4597 @brief Access control check for creating link
4598 @param cred Subject credential
4599 @param dvp Directory vnode
4600 @param dlabel Policy label associated with dvp
4601 @param vp Link destination vnode
4602 @param label Policy label associated with vp
4603 @param cnp Component name for the link being created
4604
4605 Determine whether the subject identified by the credential should be
4606 allowed to create a link to the vnode vp with the name specified by cnp.
4607
4608 @return Return 0 if access is granted, otherwise an appropriate value for
4609 errno should be returned.
4610*/
4611typedef int mpo_vnode_check_link_t(
4612 kauth_cred_t cred,
4613 struct vnode *dvp,
4614 struct label *dlabel,
4615 struct vnode *vp,
4616 struct label *label,
4617 struct componentname *cnp
4618);
4619/**
4620 @brief Access control check for listing extended attributes
4621 @param cred Subject credential
4622 @param vp Object vnode
4623 @param vlabel Policy label associated with vp
4624
4625 Determine whether the subject identified by the credential can retrieve
4626 a list of named extended attributes from a vnode.
4627
4628 @return Return 0 if access is granted, otherwise an appropriate value for
4629 errno should be returned.
4630*/
4631typedef int mpo_vnode_check_listextattr_t(
4632 kauth_cred_t cred,
4633 struct vnode *vp,
4634 struct label *vlabel
4635);
4636/**
4637 @brief Access control check for lookup
4638 @param cred Subject credential
4639 @param dvp Object vnode
4640 @param dlabel Policy label for dvp
4641 @param cnp Component name being looked up
4642
4643 Determine whether the subject identified by the credential can perform
4644 a lookup in the passed directory vnode for the passed name (cnp).
4645
4646 @return Return 0 if access is granted, otherwise an appropriate value for
4647 errno should be returned. Suggested failure: EACCES for label mismatch or
4648 EPERM for lack of privilege.
4649*/
4650typedef int mpo_vnode_check_lookup_t(
4651 kauth_cred_t cred,
4652 struct vnode *dvp,
4653 struct label *dlabel,
4654 struct componentname *cnp
4655);
4656/**
4657 @brief Access control check for open
4658 @param cred Subject credential
4659 @param vp Object vnode
4660 @param label Policy label associated with vp
4661 @param acc_mode open(2) access mode
4662
4663 Determine whether the subject identified by the credential can perform
4664 an open operation on the passed vnode with the passed access mode.
4665
4666 @return Return 0 if access is granted, otherwise an appropriate value for
4667 errno should be returned. Suggested failure: EACCES for label mismatch or
4668 EPERM for lack of privilege.
4669*/
4670typedef int mpo_vnode_check_open_t(
4671 kauth_cred_t cred,
4672 struct vnode *vp,
4673 struct label *label,
4674 int acc_mode
4675);
4676/**
4677 @brief Access control check for read
4678 @param active_cred Subject credential
4679 @param file_cred Credential associated with the struct fileproc
4680 @param vp Object vnode
4681 @param label Policy label for vp
4682
4683 Determine whether the subject identified by the credential can perform
4684 a read operation on the passed vnode. The active_cred hold the credentials
4685 of the subject performing the operation, and file_cred holds the
4686 credentials of the subject that originally opened the file.
4687
4688 @return Return 0 if access is granted, otherwise an appropriate value for
4689 errno should be returned. Suggested failure: EACCES for label mismatch or
4690 EPERM for lack of privilege.
4691*/
4692typedef int mpo_vnode_check_read_t(
4693 kauth_cred_t active_cred, /* SUBJECT */
4694 kauth_cred_t file_cred, /* NULLOK */
4695 struct vnode *vp, /* OBJECT */
4696 struct label *label /* LABEL */
4697);
4698/**
4699 @brief Access control check for read directory
4700 @param cred Subject credential
4701 @param dvp Object directory vnode
4702 @param dlabel Policy label for dvp
4703
4704 Determine whether the subject identified by the credential can
4705 perform a readdir operation on the passed directory vnode.
4706
4707 @return Return 0 if access is granted, otherwise an appropriate value for
4708 errno should be returned. Suggested failure: EACCES for label mismatch or
4709 EPERM for lack of privilege.
4710*/
4711typedef int mpo_vnode_check_readdir_t(
4712 kauth_cred_t cred, /* SUBJECT */
4713 struct vnode *dvp, /* OBJECT */
4714 struct label *dlabel /* LABEL */
4715);
4716/**
4717 @brief Access control check for read link
4718 @param cred Subject credential
4719 @param vp Object vnode
4720 @param label Policy label for vp
4721
4722 Determine whether the subject identified by the credential can perform
4723 a readlink operation on the passed symlink vnode. This call can be made
4724 in a number of situations, including an explicit readlink call by the
4725 user process, or as a result of an implicit readlink during a name
4726 lookup by the process.
4727
4728 @return Return 0 if access is granted, otherwise an appropriate value for
4729 errno should be returned. Suggested failure: EACCES for label mismatch or
4730 EPERM for lack of privilege.
4731*/
4732typedef int mpo_vnode_check_readlink_t(
4733 kauth_cred_t cred,
4734 struct vnode *vp,
4735 struct label *label
4736);
fe8ab488
A		 4737/**
4738 @brief Access control check for rename
4739 @param cred Subject credential
4740 @param dvp Directory vnode
4741 @param dlabel Policy label associated with dvp
4742 @param vp vnode to be renamed
4743 @param label Policy label associated with vp
4744 @param cnp Component name for vp
4745 @param tdvp Destination directory vnode
4746 @param tdlabel Policy label associated with tdvp
4747 @param tvp Overwritten vnode
4748 @param tlabel Policy label associated with tvp
4749 @param tcnp Destination component name
4750
4751 Determine whether the subject identified by the credential should be allowed
4752 to rename the vnode vp to something else.
4753
4754 @return Return 0 if access is granted, otherwise an appropriate value for
4755 errno should be returned.
4756*/
4757typedef int mpo_vnode_check_rename_t(
4758 kauth_cred_t cred,
4759 struct vnode *dvp,
4760 struct label *dlabel,
4761 struct vnode *vp,
4762 struct label *label,
4763 struct componentname *cnp,
4764 struct vnode *tdvp,
4765 struct label *tdlabel,
4766 struct vnode *tvp,
4767 struct label *tlabel,
4768 struct componentname *tcnp
4769);
2d21ac55
A		 4770/**
4771 @brief Access control check for rename from
4772 @param cred Subject credential
4773 @param dvp Directory vnode
4774 @param dlabel Policy label associated with dvp
4775 @param vp vnode to be renamed
4776 @param label Policy label associated with vp
4777 @param cnp Component name for vp
fe8ab488 4778 @see mpo_vnode_check_rename_t
2d21ac55
A		 4779 @see mpo_vnode_check_rename_to_t
4780
4781 Determine whether the subject identified by the credential should be
4782 allowed to rename the vnode vp to something else.
4783
4784 Due to VFS locking constraints (to make sure proper vnode locks are
4785 held during this entry point), the vnode relabel checks had to be
4786 split into two parts: relabel_from and relabel to.
4787
fe8ab488
A		 4788 This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
4789
2d21ac55
A		 4790 @return Return 0 if access is granted, otherwise an appropriate value for
4791 errno should be returned.
4792*/
4793typedef int mpo_vnode_check_rename_from_t(
4794 kauth_cred_t cred,
4795 struct vnode *dvp,
4796 struct label *dlabel,
4797 struct vnode *vp,
4798 struct label *label,
4799 struct componentname *cnp
4800);
4801/**
4802 @brief Access control check for rename to
4803 @param cred Subject credential
4804 @param dvp Directory vnode
4805 @param dlabel Policy label associated with dvp
4806 @param vp Overwritten vnode
4807 @param label Policy label associated with vp
4808 @param samedir Boolean; 1 if the source and destination directories are the same
4809 @param cnp Destination component name
fe8ab488 4810 @see mpo_vnode_check_rename_t
2d21ac55
A		 4811 @see mpo_vnode_check_rename_from_t
4812
4813 Determine whether the subject identified by the credential should be
4814 allowed to rename to the vnode vp, into the directory dvp, or to the
4815 name represented by cnp. If there is no existing file to overwrite,
4816 vp and label will be NULL.
4817
4818 Due to VFS locking constraints (to make sure proper vnode locks are
4819 held during this entry point), the vnode relabel checks had to be
4820 split into two parts: relabel_from and relabel to.
4821
fe8ab488
A		 4822 This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
4823
2d21ac55
A		 4824 @return Return 0 if access is granted, otherwise an appropriate value for
4825 errno should be returned.
4826*/
4827typedef int mpo_vnode_check_rename_to_t(
4828 kauth_cred_t cred,
4829 struct vnode *dvp,
4830 struct label *dlabel,
4831 struct vnode *vp, /* NULLOK */
4832 struct label *label, /* NULLOK */
4833 int samedir,
4834 struct componentname *cnp
4835);
4836/**
4837 @brief Access control check for revoke
4838 @param cred Subject credential
4839 @param vp Object vnode
4840 @param label Policy label for vp
4841
4842 Determine whether the subject identified by the credential can revoke
4843 access to the passed vnode.
4844
4845 @return Return 0 if access is granted, otherwise an appropriate value for
4846 errno should be returned. Suggested failure: EACCES for label mismatch or
4847 EPERM for lack of privilege.
4848*/
4849typedef int mpo_vnode_check_revoke_t(
4850 kauth_cred_t cred,
4851 struct vnode *vp,
4852 struct label *label
4853);
6d2010ae
A		 4854/**
4855 @brief Access control check for searchfs
4856 @param cred Subject credential
4857 @param vp Object vnode
4858 @param vlabel Policy label for vp
4859 @param alist List of attributes used as search criteria
4860
4861 Determine whether the subject identified by the credential can search the
4862 vnode using the searchfs system call.
4863
4864 @return Return 0 if access is granted, otherwise an appropriate value for
4865 errno should be returned.
4866*/
4867typedef int mpo_vnode_check_searchfs_t(
4868 kauth_cred_t cred,
4869 struct vnode *vp,
4870 struct label *vlabel,
4871 struct attrlist *alist
4872);
2d21ac55
A		 4873/**
4874 @brief Access control check for select
4875 @param cred Subject credential
4876 @param vp Object vnode
4877 @param label Policy label for vp
4878 @param which The operation selected on: FREAD or FWRITE
4879
4880 Determine whether the subject identified by the credential can select
4881 the vnode.
4882
4883 @return Return 0 if access is granted, otherwise an appropriate value for
4884 errno should be returned.
4885*/
4886typedef int mpo_vnode_check_select_t(
4887 kauth_cred_t cred,
4888 struct vnode *vp,
4889 struct label *label,
4890 int which
4891);
4892/**
4893 @brief Access control check for setting file attributes
4894 @param cred Subject credential
4895 @param vp Object vnode
4896 @param vlabel Policy label for vp
4897 @param alist List of attributes to set
4898
4899 Determine whether the subject identified by the credential can set
4900 various attributes of the specified vnode, or the filesystem or volume on
4901 which that vnode resides. See <sys/attr.h> for definitions of the
4902 attributes.
4903
4904 @return Return 0 if access is granted, otherwise an appropriate value for
4905 errno should be returned. Suggested failure: EACCES for label mismatch or
4906 EPERM for lack of privilege. Access control covers all attributes requested
4907 with this call.
4908*/
4909typedef int mpo_vnode_check_setattrlist_t(
4910 kauth_cred_t cred,
4911 struct vnode *vp,
4912 struct label *vlabel,
4913 struct attrlist *alist
4914);
4915/**
4916 @brief Access control check for setting extended attribute
4917 @param cred Subject credential
4918 @param vp Object vnode
4919 @param label Policy label for vp
4920 @param name Extended attribute name
4921 @param uio I/O structure pointer
4922
4923 Determine whether the subject identified by the credential can set the
4924 extended attribute of passed name and passed namespace on the passed
4925 vnode. Policies implementing security labels backed into extended
4926 attributes may want to provide additional protections for those
4927 attributes. Additionally, policies should avoid making decisions based
4928 on the data referenced from uio, as there is a potential race condition
4929 between this check and the actual operation. The uio may also be NULL
4930 if a delete operation is being performed.
4931
4932 @return Return 0 if access is granted, otherwise an appropriate value for
4933 errno should be returned. Suggested failure: EACCES for label mismatch or
4934 EPERM for lack of privilege.
4935*/
4936typedef int mpo_vnode_check_setextattr_t(
4937 kauth_cred_t cred,
4938 struct vnode *vp,
4939 struct label *label,
4940 const char *name,
4941 struct uio *uio
4942);
4943/**
4944 @brief Access control check for setting flags
4945 @param cred Subject credential
4946 @param vp Object vnode
4947 @param label Policy label for vp
4948 @param flags File flags; see chflags(2)
4949
4950 Determine whether the subject identified by the credential can set
4951 the passed flags on the passed vnode.
4952
4953 @return Return 0 if access is granted, otherwise an appropriate value for
4954 errno should be returned. Suggested failure: EACCES for label mismatch or
4955 EPERM for lack of privilege.
4956*/
4957typedef int mpo_vnode_check_setflags_t(
4958 kauth_cred_t cred,
4959 struct vnode *vp,
4960 struct label *label,
4961 u_long flags
4962);
4963/**
4964 @brief Access control check for setting mode
4965 @param cred Subject credential
4966 @param vp Object vnode
4967 @param label Policy label for vp
4968 @param mode File mode; see chmod(2)
4969
4970 Determine whether the subject identified by the credential can set
4971 the passed mode on the passed vnode.
4972
4973 @return Return 0 if access is granted, otherwise an appropriate value for
4974 errno should be returned. Suggested failure: EACCES for label mismatch or
4975 EPERM for lack of privilege.
4976*/
4977typedef int mpo_vnode_check_setmode_t(
4978 kauth_cred_t cred,
4979 struct vnode *vp,
4980 struct label *label,
4981 mode_t mode
4982);
4983/**
4984 @brief Access control check for setting uid and gid
4985 @param cred Subject credential
4986 @param vp Object vnode
4987 @param label Policy label for vp
4988 @param uid User ID
4989 @param gid Group ID
4990
4991 Determine whether the subject identified by the credential can set
4992 the passed uid and passed gid as file uid and file gid on the passed
4993 vnode. The IDs may be set to (-1) to request no update.
4994
4995 @return Return 0 if access is granted, otherwise an appropriate value for
4996 errno should be returned. Suggested failure: EACCES for label mismatch or
4997 EPERM for lack of privilege.
4998*/
4999typedef int mpo_vnode_check_setowner_t(
5000 kauth_cred_t cred,
5001 struct vnode *vp,
5002 struct label *label,
5003 uid_t uid,
5004 gid_t gid
5005);
5006/**
5007 @brief Access control check for setting timestamps
5008 @param cred Subject credential
5009 @param vp Object vnode
5010 @param label Policy label for vp
5011 @param atime Access time; see utimes(2)
5012 @param mtime Modification time; see utimes(2)
5013
5014 Determine whether the subject identified by the credential can set
5015 the passed access timestamps on the passed vnode.
5016
5017 @return Return 0 if access is granted, otherwise an appropriate value for
5018 errno should be returned. Suggested failure: EACCES for label mismatch or
5019 EPERM for lack of privilege.
5020*/
5021typedef int mpo_vnode_check_setutimes_t(
5022 kauth_cred_t cred,
5023 struct vnode *vp,
5024 struct label *label,
5025 struct timespec atime,
5026 struct timespec mtime
5027);
5028/**
5029 @brief Access control check for stat
5030 @param active_cred Subject credential
5031 @param file_cred Credential associated with the struct fileproc
5032 @param vp Object vnode
5033 @param label Policy label for vp
5034
5035 Determine whether the subject identified by the credential can stat
5036 the passed vnode. See stat(2) for more information. The active_cred
5037 hold the credentials of the subject performing the operation, and
5038 file_cred holds the credentials of the subject that originally
5039 opened the file.
5040
5041 @return Return 0 if access is granted, otherwise an appropriate value for
5042 errno should be returned. Suggested failure: EACCES for label mismatch or
5043 EPERM for lack of privilege.
5044*/
5045typedef int mpo_vnode_check_stat_t(
5046 struct ucred *active_cred,
5047 struct ucred *file_cred, /* NULLOK */
5048 struct vnode *vp,
5049 struct label *label
5050);
5051/**
5052 @brief Access control check for truncate/ftruncate
5053 @param active_cred Subject credential
5054 @param file_cred Credential associated with the struct fileproc
5055 @param vp Object vnode
5056 @param label Policy label for vp
5057
5058 Determine whether the subject identified by the credential can
5059 perform a truncate operation on the passed vnode. The active_cred hold
5060 the credentials of the subject performing the operation, and
5061 file_cred holds the credentials of the subject that originally
5062 opened the file.
5063
5064 @return Return 0 if access is granted, otherwise an appropriate value for
5065 errno should be returned. Suggested failure: EACCES for label mismatch or
5066 EPERM for lack of privilege.
5067*/
5068typedef int mpo_vnode_check_truncate_t(
5069 kauth_cred_t active_cred,
5070 kauth_cred_t file_cred, /* NULLOK */
5071 struct vnode *vp,
5072 struct label *label
5073);
b0d623f7
A		 5074/**
5075 @brief Access control check for binding UNIX domain socket
5076 @param cred Subject credential
5077 @param dvp Directory vnode
5078 @param dlabel Policy label for dvp
5079 @param cnp Component name for dvp
5080 @param vap vnode attributes for vap
5081
5082 Determine whether the subject identified by the credential can perform a
5083 bind operation on a UNIX domain socket with the passed parent directory,
5084 passed name information, and passed attribute information.
5085
5086 @return Return 0 if access is granted, otherwise an appropriate value for
5087 errno should be returned. Suggested failure: EACCES for label mismatch or
5088 EPERM for lack of privilege.
5089*/
5090typedef int mpo_vnode_check_uipc_bind_t(
5091 kauth_cred_t cred,
5092 struct vnode *dvp,
5093 struct label *dlabel,
5094 struct componentname *cnp,
5095 struct vnode_attr *vap
5096);
5097/**
5098 @brief Access control check for connecting UNIX domain socket
5099 @param cred Subject credential
5100 @param vp Object vnode
5101 @param label Policy label associated with vp
5102
5103 Determine whether the subject identified by the credential can perform a
5104 connect operation on the passed UNIX domain socket vnode.
5105
5106 @return Return 0 if access is granted, otherwise an appropriate value for
5107 errno should be returned. Suggested failure: EACCES for label mismatch or
5108 EPERM for lack of privilege.
5109*/
5110typedef int mpo_vnode_check_uipc_connect_t(
5111 kauth_cred_t cred,
5112 struct vnode *vp,
5113 struct label *label
5114);
2d21ac55
A		 5115/**
5116 @brief Access control check for deleting vnode
5117 @param cred Subject credential
5118 @param dvp Parent directory vnode
5119 @param dlabel Policy label for dvp
5120 @param vp Object vnode to delete
5121 @param label Policy label for vp
5122 @param cnp Component name for vp
5123 @see mpo_check_rename_to_t
5124
5125 Determine whether the subject identified by the credential can delete
5126 a vnode from the passed parent directory and passed name information.
5127 This call may be made in a number of situations, including as a
5128 results of calls to unlink(2) and rmdir(2). Policies implementing
5129 this entry point should also implement mpo_check_rename_to to
5130 authorize deletion of objects as a result of being the target of a rename.
5131
5132 @return Return 0 if access is granted, otherwise an appropriate value for
5133 errno should be returned. Suggested failure: EACCES for label mismatch or
5134 EPERM for lack of privilege.
5135*/
5136typedef int mpo_vnode_check_unlink_t(
5137 kauth_cred_t cred,
5138 struct vnode *dvp,
5139 struct label *dlabel,
5140 struct vnode *vp,
5141 struct label *label,
5142 struct componentname *cnp
5143);
5144/**
5145 @brief Access control check for write
5146 @param active_cred Subject credential
5147 @param file_cred Credential associated with the struct fileproc
5148 @param vp Object vnode
5149 @param label Policy label for vp
5150
5151 Determine whether the subject identified by the credential can
5152 perform a write operation on the passed vnode. The active_cred hold
5153 the credentials of the subject performing the operation, and
5154 file_cred holds the credentials of the subject that originally
5155 opened the file.
5156
5157 @return Return 0 if access is granted, otherwise an appropriate value for
5158 errno should be returned. Suggested failure: EACCES for label mismatch or
5159 EPERM for lack of privilege.
5160*/
5161typedef int mpo_vnode_check_write_t(
5162 kauth_cred_t active_cred,
5163 kauth_cred_t file_cred, /* NULLOK */
5164 struct vnode *vp,
5165 struct label *label
5166);
5167/**
5168 @brief Associate a vnode with a devfs entry
5169 @param mp Devfs mount point
5170 @param mntlabel Devfs mount point label
5171 @param de Devfs directory entry
5172 @param delabel Label associated with de
5173 @param vp vnode associated with de
5174 @param vlabel Label associated with vp
5175
5176 Fill in the label (vlabel) for a newly created devfs vnode. The
5177 label is typically derived from the label on the devfs directory
5178 entry or the label on the filesystem, supplied as parameters.
5179*/
5180typedef void mpo_vnode_label_associate_devfs_t(
5181 struct mount *mp,
5182 struct label *mntlabel,
5183 struct devnode *de,
5184 struct label *delabel,
5185 struct vnode *vp,
5186 struct label *vlabel
5187);
5188/**
5189 @brief Associate a label with a vnode
5190 @param mp File system mount point
5191 @param mntlabel File system mount point label
5192 @param vp Vnode to label
5193 @param vlabel Label associated with vp
5194
5195 Attempt to retrieve label information for the vnode, vp, from the
5196 file system extended attribute store. The label should be stored in
5197 the supplied vlabel parameter. If a policy cannot retrieve an
5198 extended attribute, sometimes it is acceptible to fallback to using
5199 the mntlabel.
5200
5201 If the policy requires vnodes to have a valid label elsewhere it
5202 MUST NOT return other than temporary errors, and must always provide
5203 a valid label of some sort. Returning an error will cause vnode
5204 labeling to be retried at a later access. Failure to handle policy
5205 centric errors internally (corrupt labels etc.) will result in
5206 inaccessible files.
5207
5208 @return In the event of an error, an appropriate value for errno
5209 should be returned, otherwise return 0 upon success.
5210*/
5211typedef int mpo_vnode_label_associate_extattr_t(
5212 struct mount *mp,
5213 struct label *mntlabel,
5214 struct vnode *vp,
5215 struct label *vlabel
5216);
5217/**
5218 @brief Associate a file label with a vnode
5219 @param cred User credential
5220 @param mp Fdesc mount point
5221 @param mntlabel Fdesc mount point label
5222 @param fg Fileglob structure
5223 @param label Policy label for fg
5224 @param vp Vnode to label
5225 @param vlabel Label associated with vp
5226
5227 Associate label information for the vnode, vp, with the label of
5228 the open file descriptor described by fg.
5229 The label should be stored in the supplied vlabel parameter.
5230*/
5231typedef void mpo_vnode_label_associate_file_t(
5232 struct ucred *cred,
5233 struct mount *mp,
5234 struct label *mntlabel,
5235 struct fileglob *fg,
5236 struct label *label,
5237 struct vnode *vp,
5238 struct label *vlabel
5239);
5240/**
5241 @brief Associate a pipe label with a vnode
5242 @param cred User credential for the process that opened the pipe
5243 @param cpipe Pipe structure
5244 @param pipelabel Label associated with pipe
5245 @param vp Vnode to label
5246 @param vlabel Label associated with vp
5247
5248 Associate label information for the vnode, vp, with the label of
5249 the pipe described by the pipe structure cpipe.
5250 The label should be stored in the supplied vlabel parameter.
5251*/
5252typedef void mpo_vnode_label_associate_pipe_t(
5253 struct ucred *cred,
5254 struct pipe *cpipe,
5255 struct label *pipelabel,
5256 struct vnode *vp,
5257 struct label *vlabel
5258);
5259/**
5260 @brief Associate a POSIX semaphore label with a vnode
5261 @param cred User credential for the process that create psem
5262 @param psem POSIX semaphore structure
5263 @param psemlabel Label associated with psem
5264 @param vp Vnode to label
5265 @param vlabel Label associated with vp
5266
5267 Associate label information for the vnode, vp, with the label of
5268 the POSIX semaphore described by psem.
5269 The label should be stored in the supplied vlabel parameter.
5270*/
5271typedef void mpo_vnode_label_associate_posixsem_t(
5272 struct ucred *cred,
5273 struct pseminfo *psem,
5274 struct label *psemlabel,
5275 struct vnode *vp,
5276 struct label *vlabel
5277);
5278/**
5279 @brief Associate a POSIX shared memory label with a vnode
5280 @param cred User credential for the process that created pshm
5281 @param pshm POSIX shared memory structure
5282 @param pshmlabel Label associated with pshm
5283 @param vp Vnode to label
5284 @param vlabel Label associated with vp
5285
5286 Associate label information for the vnode, vp, with the label of
5287 the POSIX shared memory region described by pshm.
5288 The label should be stored in the supplied vlabel parameter.
5289*/
5290typedef void mpo_vnode_label_associate_posixshm_t(
5291 struct ucred *cred,
5292 struct pshminfo *pshm,
5293 struct label *pshmlabel,
5294 struct vnode *vp,
5295 struct label *vlabel
5296);
5297/**
5298 @brief Associate a label with a vnode
5299 @param mp File system mount point
5300 @param mntlabel File system mount point label
5301 @param vp Vnode to label
5302 @param vlabel Label associated with vp
5303
5304 On non-multilabel file systems, set the label for a vnode. The
5305 label will most likely be based on the file system label.
5306*/
5307typedef void mpo_vnode_label_associate_singlelabel_t(
5308 struct mount *mp,
5309 struct label *mntlabel,
5310 struct vnode *vp,
5311 struct label *vlabel
5312);
5313/**
5314 @brief Associate a socket label with a vnode
5315 @param cred User credential for the process that opened the socket
5316 @param so Socket structure
5317 @param solabel Label associated with so
5318 @param vp Vnode to label
5319 @param vlabel Label associated with vp
5320
5321 Associate label information for the vnode, vp, with the label of
5322 the open socket described by the socket structure so.
5323 The label should be stored in the supplied vlabel parameter.
5324*/
5325typedef void mpo_vnode_label_associate_socket_t(
5326 kauth_cred_t cred,
5327 socket_t so,
5328 struct label *solabel,
5329 struct vnode *vp,
5330 struct label *vlabel
5331);
5332/**
5333 @brief Copy a vnode label
5334 @param src Source vnode label
5335 @param dest Destination vnode label
5336
5337 Copy the vnode label information from src to dest. On Darwin, this
5338 is currently only necessary when executing interpreted scripts, but
5339 will later be used if vnode label externalization cannot be an
5340 atomic operation.
5341*/
5342typedef void mpo_vnode_label_copy_t(
5343 struct label *src,
5344 struct label *dest
5345);
5346/**
5347 @brief Destroy vnode label
5348 @param label The label to be destroyed
5349
5350 Destroy a vnode label. Since the object is going out of scope,
5351 policy modules should free any internal storage associated with the
5352 label so that it may be destroyed.
5353*/
5354typedef void mpo_vnode_label_destroy_t(
5355 struct label *label
5356);
5357/**
5358 @brief Externalize a vnode label for auditing
5359 @param label Label to be externalized
5360 @param element_name Name of the label namespace for which labels should be
5361 externalized
5362 @param sb String buffer to be filled with a text representation of the label
5363
5364 Produce an external representation of the label on a vnode suitable for
5365 inclusion in an audit record. An externalized label consists of a text
5366 representation of the label contents that will be added to the audit record
5367 as part of a text token. Policy-agnostic user space tools will display
5368 this externalized version.
5369
5370 @return 0 on success, return non-zero if an error occurs while
5371 externalizing the label data.
5372
5373*/
5374typedef int mpo_vnode_label_externalize_audit_t(
5375 struct label *label,
5376 char *element_name,
5377 struct sbuf *sb
5378);
5379/**
5380 @brief Externalize a vnode label
5381 @param label Label to be externalized
5382 @param element_name Name of the label namespace for which labels should be
5383 externalized
5384 @param sb String buffer to be filled with a text representation of the label
5385
5386 Produce an external representation of the label on a vnode. An
5387 externalized label consists of a text representation of the label
5388 contents that can be used with user applications. Policy-agnostic
5389 user space tools will display this externalized version.
5390
5391 @return 0 on success, return non-zero if an error occurs while
5392 externalizing the label data.
5393
5394*/
5395typedef int mpo_vnode_label_externalize_t(
5396 struct label *label,
5397 char *element_name,
5398 struct sbuf *sb
5399);
5400/**
5401 @brief Initialize vnode label
5402 @param label New label to initialize
5403
5404 Initialize label storage for use with a newly instantiated vnode, or
5405 for temporary storage associated with the copying in or out of a
5406 vnode label. While it is necessary to allocate space for a
5407 kernel-resident vnode label, it is not yet necessary to link this vnode
5408 with persistent label storage facilities, such as extended attributes.
5409 Sleeping is permitted.
5410*/
5411typedef void mpo_vnode_label_init_t(
5412 struct label *label
5413);
5414/**
5415 @brief Internalize a vnode label
5416 @param label Label to be internalized
5417 @param element_name Name of the label namespace for which the label should
5418 be internalized
5419 @param element_data Text data to be internalized
5420
5421 Produce a vnode label from an external representation. An
5422 externalized label consists of a text representation of the label
5423 contents that can be used with user applications. Policy-agnostic
5424 user space tools will forward text version to the kernel for
5425 processing by individual policy modules.
5426
5427 The policy's internalize entry points will be called only if the
5428 policy has registered interest in the label namespace.
5429
5430 @return 0 on success, Otherwise, return non-zero if an error occurs
5431 while internalizing the label data.
5432*/
5433typedef int mpo_vnode_label_internalize_t(
5434 struct label *label,
5435 char *element_name,
5436 char *element_data
5437);
5438/**
5439 @brief Clean up a vnode label
5440 @param label The label to be cleaned for re-use
5441
5442 Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but
5443 typically never frees them. Before vnodes are placed back on free lists for
5444 re-use, policies can cleanup or overwrite any information present in the label.
5445*/
5446typedef void mpo_vnode_label_recycle_t(
5447 struct label *label
5448);
5449/**
5450 @brief Write a label to a extended attribute
5451 @param cred Subject credential
5452 @param vp The vnode for which the label is being stored
5453 @param vlabel Label associated with vp
5454 @param intlabel The new label to store
5455
5456 Store a new label in the extended attribute corresponding to the
5457 supplied vnode. The policy has already authorized the operation;
5458 this call must be implemented in order to perform the actual
5459 operation.
5460
5461 @return In the event of an error, an appropriate value for errno
5462 should be returned, otherwise return 0 upon success.
5463
5464 @warning XXX After examining the extended attribute implementation on
5465 Apple's future release, this entry point may be changed.
5466*/
5467typedef int mpo_vnode_label_store_t(
5468 kauth_cred_t cred,
5469 struct vnode *vp,
5470 struct label *vlabel,
5471 struct label *intlabel
5472);
5473/**
5474 @brief Update vnode label from extended attributes
5475 @param mp File system mount point
5476 @param mntlabel Mount point label
5477 @param vp Vnode to label
5478 @param vlabel Label associated with vp
5479 @param name Name of the xattr
5480 @see mpo_vnode_check_setextattr_t
5481
5482 When an extended attribute is updated via the Vendor attribute management
5483 functions, the MAC vnode label might also require an update.
5484 Policies should first determine if 'name' matches their xattr label
5485 name. If it does, the kernel is has either replaced or removed the
5486 named extended attribute that was previously associated with the
5487 vnode. Normally labels should only be modified via MAC Framework label
5488 management calls, but sometimes the user space components will directly
5489 modify extended attributes. For example, 'cp', 'tar', etc. manage
5490 extended attributes in userspace, not the kernel.
5491
5492 This entry point is called after the label update has occurred, so
5493 it cannot return a failure. However, the operation is preceded by
5494 the mpo_vnode_check_setextattr() access control check.
5495
5496 If the vnode label needs to be updated the policy should return
5497 a non-zero value. The vnode label will be marked for re-association
5498 by the framework.
5499*/
5500typedef int mpo_vnode_label_update_extattr_t(
5501 struct mount *mp,
5502 struct label *mntlabel,
5503 struct vnode *vp,
5504 struct label *vlabel,
5505 const char *name
5506);
5507/**
5508 @brief Update a vnode label
5509 @param cred Subject credential
5510 @param vp The vnode to relabel
5511 @param vnodelabel Existing vnode label
5512 @param label New label to replace existing label
5513 @see mpo_vnode_check_label_update_t
5514
5515 The subject identified by the credential has previously requested
5516 and was authorized to relabel the vnode; this entry point allows
5517 policies to perform the actual relabel operation. Policies should
5518 update vnodelabel using the label stored in the label parameter.
5519*/
5520typedef void mpo_vnode_label_update_t(
5521 kauth_cred_t cred,
5522 struct vnode *vp,
5523 struct label *vnodelabel,
5524 struct label *label
5525);
39236c6e
A		 5526/**
5527 @brief Find deatched signatures for a shared library
5528 @param p file trying to find the signature
5529 @param vp The vnode to relabel
5530 @param offset offset in the macho that the signature is requested for (for fat binaries)
5531 @param label Existing vnode label
5532
5533*/
5534typedef int mpo_vnode_find_sigs_t(
5535 struct proc *p,
5536 struct vnode *vp,
5537 off_t offset,
5538 struct label *label
5539);
2d21ac55
A		 5540/**
5541 @brief Create a new vnode, backed by extended attributes
5542 @param cred User credential for the creating process
5543 @param mp File system mount point
5544 @param mntlabel File system mount point label
5545 @param dvp Parent directory vnode
5546 @param dlabel Parent directory vnode label
5547 @param vp Newly created vnode
5548 @param vlabel Label to associate with the new vnode
5549 @param cnp Component name for vp
5550
5551 Write out the label for the newly created vnode, most likely storing
5552 the results in a file system extended attribute. Most policies will
5553 derive the new vnode label using information from a combination
5554 of the subject (user) credential, the file system label, the parent
5555 directory label, and potentially the path name component.
5556
5557 @return If the operation succeeds, store the new label in vlabel and
5558 return 0. Otherwise, return an appropriate errno value.
5559*/
5560typedef int mpo_vnode_notify_create_t(
5561 kauth_cred_t cred,
5562 struct mount *mp,
5563 struct label *mntlabel,
5564 struct vnode *dvp,
5565 struct label *dlabel,
5566 struct vnode *vp,
5567 struct label *vlabel,
5568 struct componentname *cnp
5569);
5570
4b17d6b6
A		 5571/**
5572 @brief Inform MAC policies that a vnode has been opened
5573 @param cred User credential for the creating process
5574 @param vp vnode opened
5575 @param label Policy label for the vp
5576 @param acc_mode open(2) access mode used
5577
5578 Inform Mac policies that a vnode have been successfully opened
5579 (passing all MAC polices and DAC).
5580*/
5581typedef void mpo_vnode_notify_open_t(
5582 kauth_cred_t cred,
5583 struct vnode *vp,
5584 struct label *label,
5585 int acc_mode
5586);
5587
6d2010ae
A		 5588/**
5589 @brief Inform MAC policies that a vnode has been renamed
5590 @param cred User credential for the renaming process
5591 @param vp Vnode that's being renamed
5592 @param label Policy label for vp
5593 @param dvp Parent directory for the destination
5594 @param dlabel Policy label for dvp
5595 @param cnp Component name for the destination
5596
5597 Inform MAC policies that a vnode has been renamed.
5598 */
5599typedef void mpo_vnode_notify_rename_t(
5600 kauth_cred_t cred,
5601 struct vnode *vp,
5602 struct label *label,
5603 struct vnode *dvp,
5604 struct label *dlabel,
5605 struct componentname *cnp
5606);
5607
39236c6e
A		 5608/**
5609 @brief Inform MAC policies that a vnode has been linked
5610 @param cred User credential for the renaming process
5611 @param dvp Parent directory for the destination
5612 @param dlabel Policy label for dvp
5613 @param vp Vnode that's being linked
5614 @param vlabel Policy label for vp
5615 @param cnp Component name for the destination
5616
5617 Inform MAC policies that a vnode has been linked.
5618 */
5619typedef void mpo_vnode_notify_link_t(
5620 kauth_cred_t cred,
5621 struct vnode *dvp,
5622 struct label *dlabel,
5623 struct vnode *vp,
5624 struct label *vlabel,
5625 struct componentname *cnp
5626);
5627
5628/**
5629 @brief Inform MAC policies that a pty slave has been granted
5630 @param p Responsible process
5631 @param tp tty data structure
5632 @param dev Major and minor numbers of device
5633 @param label Policy label for tp
5634
5635 Inform MAC policies that a pty slave has been granted.
5636*/
5637typedef void mpo_pty_notify_grant_t(
5638 proc_t p,
5639 struct tty *tp,
5640 dev_t dev,
5641 struct label *label
5642);
5643
5644/**
5645 @brief Inform MAC policies that a pty master has been closed
5646 @param p Responsible process
5647 @param tp tty data structure
5648 @param dev Major and minor numbers of device
5649 @param label Policy label for tp
5650
5651 Inform MAC policies that a pty master has been closed.
5652*/
5653typedef void mpo_pty_notify_close_t(
5654 proc_t p,
5655 struct tty *tp,
5656 dev_t dev,
5657 struct label *label
5658);
5659
5660/**
5661 @brief Access control check for kext loading
5662 @param cred Subject credential
5663 @param identifier Kext identifier
5664
5665 Determine whether the subject identified by the credential can load the
5666 specified kext.
5667
5668 @return Return 0 if access is granted, otherwise an appropriate value for
5669 errno should be returned. Suggested failure: EPERM for lack of privilege.
5670*/
5671typedef int mpo_kext_check_load_t(
5672 kauth_cred_t cred,
5673 const char *identifier
5674);
5675
5676/**
5677 @brief Access control check for kext unloading
5678 @param cred Subject credential
5679 @param identifier Kext identifier
5680
5681 Determine whether the subject identified by the credential can unload the
5682 specified kext.
5683
5684 @return Return 0 if access is granted, otherwise an appropriate value for
5685 errno should be returned. Suggested failure: EPERM for lack of privilege.
5686*/
5687typedef int mpo_kext_check_unload_t(
5688 kauth_cred_t cred,
5689 const char *identifier
5690);
5691
3e170ce0
A		 5692/**
5693 @brief Access control check for querying information about loaded kexts
5694 @param cred Subject credential
5695
5696 Determine whether the subject identified by the credential can query
5697 information about loaded kexts.
5698
5699 @return Return 0 if access is granted, otherwise an appropriate value for
5700 errno should be returned. Suggested failure: EPERM for lack of privilege.
5701*/
5702typedef int mpo_kext_check_query_t(
5703 kauth_cred_t cred
5704);
5705
5706/**
5707 @brief Access control check for getting NVRAM variables.
5708 @param cred Subject credential
5709 @param name NVRAM variable to get
5710
5711 Determine whether the subject identifier by the credential can get the
5712 value of the named NVRAM variable.
5713
5714 @return Return 0 if access is granted, otherwise an appropriate value for
5715 errno should be returned. Suggested failure: EPERM for lack of privilege.
5716*/
5717typedef int mpo_iokit_check_nvram_get_t(
5718 kauth_cred_t cred,
5719 const char *name
5720);
5721
5722/**
5723 @brief Access control check for setting NVRAM variables.
5724 @param cred Subject credential
5725 @param name NVRAM variable to set
5726 @param value The new value for the NVRAM variable
5727
5728 Determine whether the subject identifier by the credential can set the
5729 value of the named NVRAM variable.
5730
5731 @return Return 0 if access is granted, otherwise an appropriate value for
5732 errno should be returned. Suggested failure: EPERM for lack of privilege.
5733*/
5734typedef int mpo_iokit_check_nvram_set_t(
5735 kauth_cred_t cred,
5736 const char *name,
5737 io_object_t value
5738);
5739
5740/**
5741 @brief Access control check for deleting NVRAM variables.
5742 @param cred Subject credential
5743 @param name NVRAM variable to delete
5744
5745 Determine whether the subject identifier by the credential can delete the
5746 named NVRAM variable.
5747
5748 @return Return 0 if access is granted, otherwise an appropriate value for
5749 errno should be returned. Suggested failure: EPERM for lack of privilege.
5750*/
5751typedef int mpo_iokit_check_nvram_delete_t(
5752 kauth_cred_t cred,
5753 const char *name
5754);
5755
2d21ac55
A		 5756/*
5757 * Placeholder for future events that may need mac hooks.
5758 */
5759typedef void mpo_reserved_hook_t(void);
5760
39236c6e
A		 5761/*
5762 * Policy module operations.
5763 *
5764 * Please note that this should be kept in sync with the check assumptions
5765 * policy in bsd/kern/policy_check.c (policy_ops struct).
5766 */
3e170ce0 5767#define MAC_POLICY_OPS_VERSION 37 /* inc when new reserved slots are taken */
2d21ac55
A		 5768struct mac_policy_ops {
5769 mpo_audit_check_postselect_t *mpo_audit_check_postselect;
5770 mpo_audit_check_preselect_t *mpo_audit_check_preselect;
39236c6e 5771
2d21ac55
A		 5772 mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
5773 mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
5774 mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init;
5775 mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive;
39236c6e 5776
2d21ac55
A		 5777 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
5778 mpo_cred_check_label_update_t *mpo_cred_check_label_update;
5779 mpo_cred_check_visible_t *mpo_cred_check_visible;
5780 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork;
5781 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel;
5782 mpo_cred_label_associate_t *mpo_cred_label_associate;
5783 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user;
5784 mpo_cred_label_destroy_t *mpo_cred_label_destroy;
5785 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit;
5786 mpo_cred_label_externalize_t *mpo_cred_label_externalize;
5787 mpo_cred_label_init_t *mpo_cred_label_init;
5788 mpo_cred_label_internalize_t *mpo_cred_label_internalize;
5789 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve;
5790 mpo_cred_label_update_t *mpo_cred_label_update;
39236c6e 5791
2d21ac55
A		 5792 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device;
5793 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory;
5794 mpo_devfs_label_copy_t *mpo_devfs_label_copy;
5795 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy;
5796 mpo_devfs_label_init_t *mpo_devfs_label_init;
5797 mpo_devfs_label_update_t *mpo_devfs_label_update;
39236c6e 5798
2d21ac55
A		 5799 mpo_file_check_change_offset_t *mpo_file_check_change_offset;
5800 mpo_file_check_create_t *mpo_file_check_create;
5801 mpo_file_check_dup_t *mpo_file_check_dup;
5802 mpo_file_check_fcntl_t *mpo_file_check_fcntl;
5803 mpo_file_check_get_offset_t *mpo_file_check_get_offset;
5804 mpo_file_check_get_t *mpo_file_check_get;
5805 mpo_file_check_inherit_t *mpo_file_check_inherit;
5806 mpo_file_check_ioctl_t *mpo_file_check_ioctl;
5807 mpo_file_check_lock_t *mpo_file_check_lock;
5808 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade;
5809 mpo_file_check_mmap_t *mpo_file_check_mmap;
5810 mpo_file_check_receive_t *mpo_file_check_receive;
5811 mpo_file_check_set_t *mpo_file_check_set;
5812 mpo_file_label_init_t *mpo_file_label_init;
5813 mpo_file_label_destroy_t *mpo_file_label_destroy;
5814 mpo_file_label_associate_t *mpo_file_label_associate;
39236c6e 5815
2d21ac55
A		 5816 mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update;
5817 mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit;
5818 mpo_ifnet_label_associate_t *mpo_ifnet_label_associate;
5819 mpo_ifnet_label_copy_t *mpo_ifnet_label_copy;
5820 mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy;
5821 mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize;
5822 mpo_ifnet_label_init_t *mpo_ifnet_label_init;
5823 mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize;
5824 mpo_ifnet_label_update_t *mpo_ifnet_label_update;
5825 mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle;
39236c6e 5826
2d21ac55
A		 5827 mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver;
5828 mpo_inpcb_label_associate_t *mpo_inpcb_label_associate;
5829 mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy;
5830 mpo_inpcb_label_init_t *mpo_inpcb_label_init;
5831 mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle;
5832 mpo_inpcb_label_update_t *mpo_inpcb_label_update;
39236c6e 5833
2d21ac55 5834 mpo_iokit_check_device_t *mpo_iokit_check_device;
39236c6e 5835
2d21ac55
A		 5836 mpo_ipq_label_associate_t *mpo_ipq_label_associate;
5837 mpo_ipq_label_compare_t *mpo_ipq_label_compare;
5838 mpo_ipq_label_destroy_t *mpo_ipq_label_destroy;
5839 mpo_ipq_label_init_t *mpo_ipq_label_init;
5840 mpo_ipq_label_update_t *mpo_ipq_label_update;
39236c6e 5841
3e170ce0
A		 5842 mpo_reserved_hook_t *mpo_reserved1;
5843 mpo_reserved_hook_t *mpo_reserved2;
5844 mpo_reserved_hook_t *mpo_reserved3;
5845 mpo_reserved_hook_t *mpo_reserved4;
5846 mpo_reserved_hook_t *mpo_reserved5;
5847 mpo_reserved_hook_t *mpo_reserved6;
5848 mpo_reserved_hook_t *mpo_reserved7;
5849 mpo_reserved_hook_t *mpo_reserved8;
5850 mpo_reserved_hook_t *mpo_reserved9;
39236c6e 5851
2d21ac55
A		 5852 mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
5853 mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
5854 mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
5855 mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq;
5856 mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
5857 mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap;
5858 mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
5859 mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
5860 mpo_mbuf_label_copy_t *mpo_mbuf_label_copy;
5861 mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy;
5862 mpo_mbuf_label_init_t *mpo_mbuf_label_init;
39236c6e 5863
2d21ac55
A		 5864 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl;
5865 mpo_mount_check_getattr_t *mpo_mount_check_getattr;
5866 mpo_mount_check_label_update_t *mpo_mount_check_label_update;
5867 mpo_mount_check_mount_t *mpo_mount_check_mount;
5868 mpo_mount_check_remount_t *mpo_mount_check_remount;
5869 mpo_mount_check_setattr_t *mpo_mount_check_setattr;
5870 mpo_mount_check_stat_t *mpo_mount_check_stat;
5871 mpo_mount_check_umount_t *mpo_mount_check_umount;
5872 mpo_mount_label_associate_t *mpo_mount_label_associate;
5873 mpo_mount_label_destroy_t *mpo_mount_label_destroy;
5874 mpo_mount_label_externalize_t *mpo_mount_label_externalize;
5875 mpo_mount_label_init_t *mpo_mount_label_init;
5876 mpo_mount_label_internalize_t *mpo_mount_label_internalize;
39236c6e 5877
2d21ac55
A		 5878 mpo_netinet_fragment_t *mpo_netinet_fragment;
5879 mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply;
5880 mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply;
39236c6e 5881
2d21ac55
A		 5882 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
5883 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
5884 mpo_pipe_check_label_update_t *mpo_pipe_check_label_update;
5885 mpo_pipe_check_read_t *mpo_pipe_check_read;
5886 mpo_pipe_check_select_t *mpo_pipe_check_select;
5887 mpo_pipe_check_stat_t *mpo_pipe_check_stat;
5888 mpo_pipe_check_write_t *mpo_pipe_check_write;
5889 mpo_pipe_label_associate_t *mpo_pipe_label_associate;
5890 mpo_pipe_label_copy_t *mpo_pipe_label_copy;
5891 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy;
5892 mpo_pipe_label_externalize_t *mpo_pipe_label_externalize;
5893 mpo_pipe_label_init_t *mpo_pipe_label_init;
5894 mpo_pipe_label_internalize_t *mpo_pipe_label_internalize;
5895 mpo_pipe_label_update_t *mpo_pipe_label_update;
39236c6e 5896
2d21ac55
A		 5897 mpo_policy_destroy_t *mpo_policy_destroy;
5898 mpo_policy_init_t *mpo_policy_init;
5899 mpo_policy_initbsd_t *mpo_policy_initbsd;
5900 mpo_policy_syscall_t *mpo_policy_syscall;
39236c6e 5901
fe8ab488
A		 5902 mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname;
5903 mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports;
5904 mpo_vnode_check_rename_t *mpo_vnode_check_rename;
3e170ce0
A		 5905 mpo_kext_check_query_t *mpo_kext_check_query;
5906 mpo_iokit_check_nvram_get_t *mpo_iokit_check_nvram_get;
5907 mpo_iokit_check_nvram_set_t *mpo_iokit_check_nvram_set;
5908 mpo_iokit_check_nvram_delete_t *mpo_iokit_check_nvram_delete;
5909 mpo_proc_check_expose_task_t *mpo_proc_check_expose_task;
5910 mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port;
5911 mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port;
fe8ab488
A		 5912 mpo_reserved_hook_t *mpo_reserved11;
5913 mpo_reserved_hook_t *mpo_reserved12;
5914 mpo_reserved_hook_t *mpo_reserved13;
5915 mpo_reserved_hook_t *mpo_reserved14;
5916 mpo_reserved_hook_t *mpo_reserved15;
5917 mpo_reserved_hook_t *mpo_reserved16;
5918 mpo_reserved_hook_t *mpo_reserved17;
5919 mpo_reserved_hook_t *mpo_reserved18;
5920 mpo_reserved_hook_t *mpo_reserved19;
5921 mpo_reserved_hook_t *mpo_reserved20;
5922 mpo_reserved_hook_t *mpo_reserved21;
5923 mpo_reserved_hook_t *mpo_reserved22;
39236c6e 5924
2d21ac55
A		 5925 mpo_posixsem_check_create_t *mpo_posixsem_check_create;
5926 mpo_posixsem_check_open_t *mpo_posixsem_check_open;
5927 mpo_posixsem_check_post_t *mpo_posixsem_check_post;
5928 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink;
5929 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait;
5930 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate;
5931 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy;
5932 mpo_posixsem_label_init_t *mpo_posixsem_label_init;
5933 mpo_posixshm_check_create_t *mpo_posixshm_check_create;
5934 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap;
5935 mpo_posixshm_check_open_t *mpo_posixshm_check_open;
5936 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat;
5937 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate;
5938 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink;
5939 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate;
5940 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy;
5941 mpo_posixshm_label_init_t *mpo_posixshm_label_init;
39236c6e 5942
2d21ac55
A		 5943 mpo_proc_check_debug_t *mpo_proc_check_debug;
5944 mpo_proc_check_fork_t *mpo_proc_check_fork;
5945 mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name;
5946 mpo_proc_check_get_task_t *mpo_proc_check_get_task;
5947 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit;
5948 mpo_proc_check_getauid_t *mpo_proc_check_getauid;
5949 mpo_proc_check_getlcid_t *mpo_proc_check_getlcid;
5950 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect;
5951 mpo_proc_check_sched_t *mpo_proc_check_sched;
5952 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit;
5953 mpo_proc_check_setauid_t *mpo_proc_check_setauid;
5954 mpo_proc_check_setlcid_t *mpo_proc_check_setlcid;
5955 mpo_proc_check_signal_t *mpo_proc_check_signal;
5956 mpo_proc_check_wait_t *mpo_proc_check_wait;
5957 mpo_proc_label_destroy_t *mpo_proc_label_destroy;
5958 mpo_proc_label_init_t *mpo_proc_label_init;
39236c6e 5959
2d21ac55
A		 5960 mpo_socket_check_accept_t *mpo_socket_check_accept;
5961 mpo_socket_check_accepted_t *mpo_socket_check_accepted;
5962 mpo_socket_check_bind_t *mpo_socket_check_bind;
5963 mpo_socket_check_connect_t *mpo_socket_check_connect;
5964 mpo_socket_check_create_t *mpo_socket_check_create;
5965 mpo_socket_check_deliver_t *mpo_socket_check_deliver;
5966 mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter;
5967 mpo_socket_check_label_update_t *mpo_socket_check_label_update;
5968 mpo_socket_check_listen_t *mpo_socket_check_listen;
5969 mpo_socket_check_receive_t *mpo_socket_check_receive;
5970 mpo_socket_check_received_t *mpo_socket_check_received;
5971 mpo_socket_check_select_t *mpo_socket_check_select;
5972 mpo_socket_check_send_t *mpo_socket_check_send;
5973 mpo_socket_check_stat_t *mpo_socket_check_stat;
5974 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt;
5975 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt;
5976 mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept;
5977 mpo_socket_label_associate_t *mpo_socket_label_associate;
5978 mpo_socket_label_copy_t *mpo_socket_label_copy;
5979 mpo_socket_label_destroy_t *mpo_socket_label_destroy;
5980 mpo_socket_label_externalize_t *mpo_socket_label_externalize;
5981 mpo_socket_label_init_t *mpo_socket_label_init;
5982 mpo_socket_label_internalize_t *mpo_socket_label_internalize;
5983 mpo_socket_label_update_t *mpo_socket_label_update;
39236c6e 5984
2d21ac55
A		 5985 mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf;
5986 mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket;
5987 mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy;
5988 mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize;
5989 mpo_socketpeer_label_init_t *mpo_socketpeer_label_init;
39236c6e 5990
2d21ac55
A		 5991 mpo_system_check_acct_t *mpo_system_check_acct;
5992 mpo_system_check_audit_t *mpo_system_check_audit;
5993 mpo_system_check_auditctl_t *mpo_system_check_auditctl;
5994 mpo_system_check_auditon_t *mpo_system_check_auditon;
5995 mpo_system_check_host_priv_t *mpo_system_check_host_priv;
5996 mpo_system_check_nfsd_t *mpo_system_check_nfsd;
5997 mpo_system_check_reboot_t *mpo_system_check_reboot;
5998 mpo_system_check_settime_t *mpo_system_check_settime;
5999 mpo_system_check_swapoff_t *mpo_system_check_swapoff;
6000 mpo_system_check_swapon_t *mpo_system_check_swapon;
fe8ab488 6001 mpo_reserved_hook_t *mpo_reserved31;
39236c6e 6002
2d21ac55
A		 6003 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate;
6004 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy;
6005 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init;
6006 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle;
6007 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue;
6008 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv;
6009 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid;
6010 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl;
6011 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget;
6012 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv;
6013 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd;
6014 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate;
6015 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy;
6016 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init;
6017 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle;
6018 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl;
6019 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget;
6020 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop;
6021 mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate;
6022 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy;
6023 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init;
6024 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle;
6025 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat;
6026 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl;
6027 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt;
6028 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget;
6029 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate;
6030 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy;
6031 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init;
6032 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle;
39236c6e 6033
fe8ab488
A		 6034 mpo_reserved_hook_t *mpo_reserved23;
6035 mpo_reserved_hook_t *mpo_reserved24;
6036 mpo_reserved_hook_t *mpo_reserved25;
6037 mpo_reserved_hook_t *mpo_reserved26;
6038 mpo_reserved_hook_t *mpo_reserved27;
6039 mpo_reserved_hook_t *mpo_reserved28;
6040 mpo_reserved_hook_t *mpo_reserved29;
6041 mpo_reserved_hook_t *mpo_reserved30;
39236c6e
A		 6042
6043 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control;
6044
2d21ac55
A		 6045 mpo_vnode_check_access_t *mpo_vnode_check_access;
6046 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir;
6047 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot;
6048 mpo_vnode_check_create_t *mpo_vnode_check_create;
6049 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr;
6050 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata;
6051 mpo_vnode_check_exec_t *mpo_vnode_check_exec;
6052 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist;
6053 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr;
6054 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl;
6055 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter;
6056 mpo_vnode_check_label_update_t *mpo_vnode_check_label_update;
6057 mpo_vnode_check_link_t *mpo_vnode_check_link;
6058 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr;
6059 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup;
6060 mpo_vnode_check_open_t *mpo_vnode_check_open;
6061 mpo_vnode_check_read_t *mpo_vnode_check_read;
6062 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir;
6063 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink;
6064 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from;
6065 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to;
6066 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke;
6067 mpo_vnode_check_select_t *mpo_vnode_check_select;
6068 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist;
6069 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr;
6070 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags;
6071 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode;
6072 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner;
6073 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes;
6074 mpo_vnode_check_stat_t *mpo_vnode_check_stat;
6075 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate;
6076 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink;
6077 mpo_vnode_check_write_t *mpo_vnode_check_write;
6078 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs;
6079 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr;
6080 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file;
6081 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe;
6082 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem;
6083 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm;
6084 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel;
6085 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket;
6086 mpo_vnode_label_copy_t *mpo_vnode_label_copy;
6087 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy;
6088 mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit;
6089 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize;
6090 mpo_vnode_label_init_t *mpo_vnode_label_init;
6091 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize;
6092 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle;
6093 mpo_vnode_label_store_t *mpo_vnode_label_store;
6094 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr;
6095 mpo_vnode_label_update_t *mpo_vnode_label_update;
6096 mpo_vnode_notify_create_t *mpo_vnode_notify_create;
593a1d5f 6097 mpo_vnode_check_signature_t *mpo_vnode_check_signature;
b0d623f7
A		 6098 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind;
6099 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect;
39236c6e 6100
3e170ce0 6101 mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid;
d1ecb069 6102 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume;
39236c6e 6103
316670eb 6104 mpo_thread_userret_t *mpo_thread_userret;
39236c6e 6105
6d2010ae 6106 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties;
39236c6e 6107
6d2010ae 6108 mpo_system_check_chud_t *mpo_system_check_chud;
39236c6e 6109
6d2010ae 6110 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs;
39236c6e 6111
6d2010ae
A		 6112 mpo_priv_check_t *mpo_priv_check;
6113 mpo_priv_grant_t *mpo_priv_grant;
39236c6e 6114
6d2010ae 6115 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon;
39236c6e 6116
6d2010ae 6117 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath;
39236c6e 6118
6d2010ae 6119 mpo_iokit_check_open_t *mpo_iokit_check_open;
39236c6e 6120
316670eb 6121 mpo_proc_check_ledger_t *mpo_proc_check_ledger;
39236c6e 6122
6d2010ae 6123 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename;
39236c6e 6124
3e170ce0
A		 6125 mpo_reserved_hook_t *mpo_reserved32;
6126 mpo_reserved_hook_t *mpo_reserved33;
39236c6e
A		 6127
6128 mpo_system_check_kas_info_t *mpo_system_check_kas_info;
6129
6130 mpo_proc_check_cpumon_t *mpo_proc_check_cpumon;
6131
6132 mpo_vnode_notify_open_t *mpo_vnode_notify_open;
6133
6134 mpo_system_check_info_t *mpo_system_check_info;
6135
6136 mpo_pty_notify_grant_t *mpo_pty_notify_grant;
6137 mpo_pty_notify_close_t *mpo_pty_notify_close;
6138
6139 mpo_vnode_find_sigs_t *mpo_vnode_find_sigs;
6140
6141 mpo_kext_check_load_t *mpo_kext_check_load;
6142 mpo_kext_check_unload_t *mpo_kext_check_unload;
6143
6144 mpo_proc_check_proc_info_t *mpo_proc_check_proc_info;
6145 mpo_vnode_notify_link_t *mpo_vnode_notify_link;
fe8ab488
A		 6146 mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties;
6147 mpo_iokit_check_get_property_t *mpo_iokit_check_get_property;
2d21ac55
A		 6148};
6149
6150/**
6151 @brief MAC policy handle type
6152
6153 The MAC handle is used to uniquely identify a loaded policy within
6154 the MAC Framework.
6155
6156 A variable of this type is set by mac_policy_register().
6157 */
6158typedef unsigned int mac_policy_handle_t;
6159
6160#define mpc_t struct mac_policy_conf *
6161
6162/**
6163 @brief Mac policy configuration
6164
6165 This structure specifies the configuration information for a
6166 MAC policy module. A policy module developer must supply
6167 a short unique policy name, a more descriptive full name, a list of label
6168 namespaces and count, a pointer to the registered enty point operations,
6169 any load time flags, and optionally, a pointer to a label slot identifier.
6170
6171 The Framework will update the runtime flags (mpc_runtime_flags) to
6172 indicate that the module has been registered.
6173
6174 If the label slot identifier (mpc_field_off) is NULL, the Framework
6175 will not provide label storage for the policy. Otherwise, the
6176 Framework will store the label location (slot) in this field.
6177
6178 The mpc_list field is used by the Framework and should not be
6179 modified by policies.
6180*/
6181/* XXX - reorder these for better aligment on 64bit platforms */
6182struct mac_policy_conf {
6183 const char *mpc_name; /** policy name */
6184 const char *mpc_fullname; /** full name */
6185 const char **mpc_labelnames; /** managed label namespaces */
6186 unsigned int mpc_labelname_count; /** number of managed label namespaces */
6187 struct mac_policy_ops *mpc_ops; /** operation vector */
6188 int mpc_loadtime_flags; /** load time flags */
6189 int *mpc_field_off; /** label slot */
6190 int mpc_runtime_flags; /** run time flags */
6191 mpc_t mpc_list; /** List reference */
6192 void *mpc_data; /** module data */
6193};
6194
6195/**
6196 @brief MAC policy module registration routine
6197
6198 This function is called to register a policy with the
6199 MAC framework. A policy module will typically call this from the
6200 Darwin KEXT registration routine.
6201 */
6202int mac_policy_register(struct mac_policy_conf *mpc,
6203 mac_policy_handle_t *handlep, void *xd);
6204
6205/**
6206 @brief MAC policy module de-registration routine
6207
6208 This function is called to de-register a policy with theD
6209 MAC framework. A policy module will typically call this from the
6210 Darwin KEXT de-registration routine.
6211 */
6212int mac_policy_unregister(mac_policy_handle_t handle);
6213
6214/*
6215 * Framework entry points for the policies to add audit data.
6216 */
6217int mac_audit_text(char *text, mac_policy_handle_t handle);
6218
6219/*
6220 * Calls to assist with use of Apple XATTRs within policy modules.
6221 */
6222int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t);
6223int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t,
6224 size_t *);
6225int mac_vnop_removexattr(struct vnode *, const char *);
6226
6227/*
6228 * Arbitrary limit on how much data will be logged by the audit
6229 * entry points above.
6230 */
6231#define MAC_AUDIT_DATA_LIMIT 1024
6232
6233/*
6234 * Values returned by mac_audit_{pre,post}select. To combine the responses
6235 * of the security policies into a single decision,
6236 * mac_audit_{pre,post}select() choose the greatest value returned.
6237 */
6238#define MAC_AUDIT_DEFAULT 0 /* use system behavior */
6239#define MAC_AUDIT_NO 1 /* force not auditing this event */
6240#define MAC_AUDIT_YES 2 /* force auditing this event */
6241
6242// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field
6243
6244/**
6245 @name Flags for the mpc_loadtime_flags field
6246 @see mac_policy_conf
6247
6248 This is the complete list of flags that are supported by the
6249 mpc_loadtime_flags field of the mac_policy_conf structure. These
6250 flags specify the load time behavior of MAC Framework policy
6251 modules.
6252*/
6253
6254/*@{*/
6255
6256/**
6257 @brief Flag to indicate registration preference
6258
6259 This flag indicates that the policy module must be loaded and
6260 initialized early in the boot process. If the flag is specified,
6261 attempts to register the module following boot will be rejected. The
6262 flag may be used by policies that require pervasive labeling of all
6263 system objects, and cannot handle objects that have not been
6264 properly initialized by the policy.
6265 */
6266#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
6267
6268/**
6269 @brief Flag to indicate unload preference
6270
6271 This flag indicates that the policy module may be unloaded. If this
6272 flag is not set, then the policy framework will reject requests to
6273 unload the module. This flag might be used by modules that allocate
6274 label state and are unable to free that state at runtime, or for
6275 modules that simply do not want to permit unload operations.
6276*/
6277#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
6278
6279/**
6280 @brief Unsupported
6281
6282 XXX This flag is not yet supported.
6283*/
6284#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
6285
6286/**
6287 @brief Flag to indicate a base policy
6288
6289 This flag indicates that the policy module is a base policy. Only
6290 one module can declare itself as base, otherwise the boot process
6291 will be halted.
6292 */
6293#define MPC_LOADTIME_BASE_POLICY 0x00000008
6294
6295/*@}*/
6296
6297/**
6298 @brief Policy registration flag
6299 @see mac_policy_conf
6300
6301 This flag indicates that the policy module has been successfully
6302 registered with the TrustedBSD MAC Framework. The Framework will
6303 set this flag in the mpc_runtime_flags field of the policy's
6304 mac_policy_conf structure after registering the policy.
6305 */
6306#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
6307
6308/*
6309 * Depends on POLICY_VER
6310 */
6311
6312#ifndef POLICY_VER
6313#define POLICY_VER 1.0
6314#endif
6315
6316#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \
6317 static struct mac_policy_conf mpname##_mac_policy_conf = { \
6318 .mpc_name = #mpname, \
6319 .mpc_fullname = mpfullname, \
6320 .mpc_labelnames = lnames, \
6321 .mpc_labelname_count = lcount, \
6322 .mpc_ops = mpops, \
6323 .mpc_loadtime_flags = lflags, \
6324 .mpc_field_off = slot, \
6325 .mpc_runtime_flags = rflags \
6326 }; \
6327 \
6328 static kern_return_t \
6329 kmod_start(kmod_info_t *ki, void *xd) \
6330 { \
6331 return mac_policy_register(&mpname##_mac_policy_conf, \
6332 &handle, xd); \
6333 } \
6334 \
6335 static kern_return_t \
6336 kmod_stop(kmod_info_t *ki, void *xd) \
6337 { \
6338 return mac_policy_unregister(handle); \
6339 } \
6340 \
6341 extern kern_return_t _start(kmod_info_t *ki, void *data); \
6342 extern kern_return_t _stop(kmod_info_t *ki, void *data); \
6343 \
6344 KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \
6345 kmod_start_func_t *_realmain = kmod_start; \
6346 kmod_stop_func_t *_antimain = kmod_stop; \
6347 int _kext_apple_cc = __APPLE_CC__
6348
6349
6350#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]
6351
b0d623f7
A		 6352/*
6353 * Policy interface to map a struct label pointer to per-policy data.
6354 * Typically, policies wrap this in their own accessor macro that casts an
6355 * intptr_t to a policy-specific data type.
6356 */
6357intptr_t mac_label_get(struct label *l, int slot);
6358void mac_label_set(struct label *l, int slot, intptr_t v);
6359
2d21ac55
A		 6360#define mac_get_mpc(h) (mac_policy_list.entries[h].mpc)
6361
6362/**
6363 @name Flags for MAC allocator interfaces
6364
6365 These flags are passed to the Darwin kernel allocator routines to
6366 indicate whether the allocation is permitted to block or not.
6367 Caution should be taken; some operations are not permitted to sleep,
6368 and some types of locks cannot be held when sleeping.
6369 */
6370
6371/*@{*/
6372
6373/**
6374 @brief Allocation operations may block
6375
6376 If memory is not immediately available, the allocation routine
6377 will block (typically sleeping) until memory is available.
6378
6379 @warning Inappropriate use of this flag may cause kernel panics.
6380 */
6381#define MAC_WAITOK 0
6382
6383/**
6384 @brief Allocation operations may not block
6385
6386 Rather than blocking, the allocator may return an error if memory
6387 is not immediately available. This type of allocation will not
6388 sleep, preserving locking semantics.
6389 */
6390#define MAC_NOWAIT 1
6391
6392/*@}*/
6393
6394#endif /* !_SECURITY_MAC_POLICY_H_ */
mirror of XNU