]> git.saurik.com Git - apple/xnu.git/blame - security/mac_policy.h
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-6153.41.3.tar.gz
[apple/xnu.git] / security / mac_policy.h
CommitLineData
2d21ac55 1/*
39037602 2 * Copyright (c) 2007-2016 Apple Inc. All rights reserved.
2d21ac55
A		 3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
0a7de745 5 *
2d21ac55
A		 6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
0a7de745 14 *
2d21ac55
A		 15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
0a7de745 17 *
2d21ac55
A		 18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
0a7de745 25 *
2d21ac55
A		 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/*-
29 * Copyright (c) 1999-2002 Robert N. M. Watson
30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
31 * Copyright (c) 2005-2007 SPARTA, Inc.
32 * All rights reserved.
33 *
34 * This software was developed by Robert Watson for the TrustedBSD Project.
35 *
36 * This software was developed for the FreeBSD Project in part by Network
37 * Associates Laboratories, the Security Research Division of Network
38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
39 * as part of the DARPA CHATS research program.
40 *
41 * This software was enhanced by SPARTA ISSO under SPAWAR contract
42 * N66001-04-C-6019 ("SEFOS").
43 *
44 * Redistribution and use in source and binary forms, with or without
45 * modification, are permitted provided that the following conditions
46 * are met:
47 * 1. Redistributions of source code must retain the above copyright
48 * notice, this list of conditions and the following disclaimer.
49 * 2. Redistributions in binary form must reproduce the above copyright
50 * notice, this list of conditions and the following disclaimer in the
51 * documentation and/or other materials provided with the distribution.
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
63 * SUCH DAMAGE.
64 *
65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $
66 */
67
68/**
0a7de745
A		 69 * @file mac_policy.h
70 * @brief Kernel Interfaces for MAC policy modules
71 *
72 * This header defines the list of operations that are defined by the
73 * TrustedBSD MAC Framwork on Darwin. MAC Policy modules register
74 * with the framework to declare interest in a specific set of
75 * operations. If interest in an entry point is not declared, then
76 * the policy will be ignored when the Framework evaluates that entry
77 * point.
78 */
2d21ac55
A		 79
80#ifndef _SECURITY_MAC_POLICY_H_
81#define _SECURITY_MAC_POLICY_H_
82
39236c6e
A		 83#ifndef PRIVATE
84#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
85#endif
86
2d21ac55
A		 87#include <security/_label.h>
88
89struct attrlist;
90struct auditinfo;
91struct bpf_d;
39037602 92struct cs_blob;
2d21ac55 93struct devnode;
39037602 94struct exception_action;
2d21ac55
A		 95struct fileglob;
96struct ifnet;
97struct inpcb;
98struct ipq;
99struct label;
2d21ac55
A		 100struct mac_module_data;
101struct mac_policy_conf;
102struct mbuf;
103struct mount;
39236c6e
A		 104struct msg;
105struct msqid_kernel;
2d21ac55
A		 106struct pipe;
107struct pseminfo;
108struct pshminfo;
109struct sbuf;
110struct semid_kernel;
111struct shmid_kernel;
39236c6e
A		 112struct socket;
113struct sockopt;
2d21ac55
A		 114struct task;
115struct thread;
39236c6e 116struct tty;
2d21ac55 117struct ucred;
39236c6e 118struct vfs_attr;
2d21ac55
A		 119struct vnode;
120/** @struct dummy */
121
122
123
124#ifndef _KAUTH_CRED_T
0a7de745 125#define _KAUTH_CRED_T
2d21ac55 126typedef struct ucred *kauth_cred_t;
0a7de745 127#endif /* !_KAUTH_CRED_T */
2d21ac55 128
6d2010ae
A		 129#ifndef __IOKIT_PORTS_DEFINED__
130#define __IOKIT_PORTS_DEFINED__
131#ifdef __cplusplus
132class OSObject;
133typedef OSObject *io_object_t;
134#else
135struct OSObject;
136typedef struct OSObject *io_object_t;
137#endif
138#endif /* __IOKIT_PORTS_DEFINED__ */
2d21ac55
A		 139
140/*-
141 * MAC entry points are generally named using the following template:
142 *
143 * mpo_<object>_<operation>()
144 *
145 * or:
146 *
147 * mpo_<object>_check_<operation>()
148 *
149 * Entry points are sorted by object type.
150 *
151 * It may be desirable also to consider some subsystems as "objects", such
152 * as system, iokit, etc.
153 */
154
155/**
0a7de745
A		 156 * @name Entry Points for Label Management
157 *
158 * These are the entry points corresponding to the life cycle events for
159 * kernel objects, such as initialization, creation, and destruction.
160 *
161 * Most policies (that use labels) will initialize labels by allocating
162 * space for policy-specific data. In most cases, it is permitted to
163 * sleep during label initialization operations; it will be noted when
164 * it is not permitted.
165 *
166 * Initialization usually will not require doing more than allocating a
167 * generic label for the given object. What follows initialization is
168 * creation, where a label is made specific to the object it is associated
169 * with. Destruction occurs when the label is no longer needed, such as
170 * when the corresponding object is destroyed. All necessary cleanup should
171 * be performed in label destroy operations.
172 *
173 * Where possible, the label entry points have identical parameters. If
174 * the policy module does not require structure-specific label
175 * information, the same function may be registered in the policy
176 * operation vector. Many policies will implement two such generic
177 * allocation calls: one to handle sleepable requests, and one to handle
178 * potentially non-sleepable requests.
179 */
2d21ac55
A		 180
181
182/**
0a7de745
A		 183 * @brief Audit event postselection
184 * @param cred Subject credential
185 * @param syscode Syscall number
186 * @param args Syscall arguments
187 * @param error Syscall errno
188 * @param retval Syscall return value
189 *
190 * This is the MAC Framework audit postselect, which is called before
191 * exiting a syscall to determine if an audit event should be committed.
192 * A return value of MAC_AUDIT_NO forces the audit record to be suppressed.
193 * Any other return value results in the audit record being committed.
194 *
195 * @warning The suppression behavior will probably go away in Apple's
196 * future version of the audit implementation.
197 *
198 * @return Return MAC_AUDIT_NO to force suppression of the audit record.
199 * Any other value results in the audit record being committed.
200 *
201 */
2d21ac55
A		 202typedef int mpo_audit_check_postselect_t(
203 kauth_cred_t cred,
204 unsigned short syscode,
205 void *args,
206 int error,
207 int retval
0a7de745 208 );
2d21ac55 209/**
0a7de745
A		 210 * @brief Audit event preselection
211 * @param cred Subject credential
212 * @param syscode Syscall number
213 * @param args Syscall arguments
214 *
215 * This is the MAC Framework audit preselect, which is called before a
216 * syscall is entered to determine if an audit event should be created.
217 * If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be
218 * returned. A return value of MAC_AUDIT_NO causes the audit record to
219 * be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants
220 * to defer to the system's existing preselection mechanism.
221 *
222 * When policies return different preferences, the Framework decides what action
223 * to take based on the following policy. If any policy returns MAC_AUDIT_YES,
224 * then create an audit record, else if any policy returns MAC_AUDIT_NO, then
225 * suppress the creations of an audit record, else defer to the system's
226 * existing preselection mechanism.
227 *
228 * @warning The audit implementation in Apple's current version is
229 * incomplete, so the MAC policies have priority over the system's existing
230 * mechanisms. This will probably change in the future version where
231 * the audit implementation is more complete.
232 *
233 * @return Return MAC_AUDIT_YES to force auditing of the syscall,
234 * MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT
235 * to allow auditing mechanisms to determine if the syscall is audited.
236 *
237 */
2d21ac55
A		 238typedef int mpo_audit_check_preselect_t(
239 kauth_cred_t cred,
240 unsigned short syscode,
241 void *args
0a7de745 242 );
2d21ac55 243/**
0a7de745
A		 244 * @brief Initialize BPF descriptor label
245 * @param label New label to initialize
246 *
247 * Initialize the label for a newly instantiated BPF descriptor.
248 * Sleeping is permitted.
249 */
2d21ac55
A		 250typedef void mpo_bpfdesc_label_init_t(
251 struct label *label
0a7de745 252 );
2d21ac55 253/**
0a7de745
A		 254 * @brief Destroy BPF descriptor label
255 * @param label The label to be destroyed
256 *
257 * Destroy a BPF descriptor label. Since the BPF descriptor
258 * is going out of scope, policy modules should free any internal
259 * storage associated with the label so that it may be destroyed.
260 */
2d21ac55
A		 261typedef void mpo_bpfdesc_label_destroy_t(
262 struct label *label
0a7de745 263 );
2d21ac55 264/**
0a7de745
A		 265 * @brief Associate a BPF descriptor with a label
266 * @param cred User credential creating the BPF descriptor
267 * @param bpf_d The BPF descriptor
268 * @param bpflabel The new label
269 *
270 * Set the label on a newly created BPF descriptor from the passed
271 * subject credential. This call will be made when a BPF device node
272 * is opened by a process with the passed subject credential.
273 */
2d21ac55
A		 274typedef void mpo_bpfdesc_label_associate_t(
275 kauth_cred_t cred,
276 struct bpf_d *bpf_d,
277 struct label *bpflabel
0a7de745 278 );
2d21ac55 279/**
0a7de745
A		 280 * @brief Check whether BPF can read from a network interface
281 * @param bpf_d Subject; the BPF descriptor
282 * @param bpflabel Policy label for bpf_d
283 * @param ifp Object; the network interface
284 * @param ifnetlabel Policy label for ifp
285 *
286 * Determine whether the MAC framework should permit datagrams from
287 * the passed network interface to be delivered to the buffers of
288 * the passed BPF descriptor. Return (0) for success, or an errno
289 * value for failure. Suggested failure: EACCES for label mismatches,
290 * EPERM for lack of privilege.
291 */
2d21ac55
A		 292typedef int mpo_bpfdesc_check_receive_t(
293 struct bpf_d *bpf_d,
294 struct label *bpflabel,
295 struct ifnet *ifp,
296 struct label *ifnetlabel
0a7de745
A		 297 );
298/**
299 * @brief Indicate desire to change the process label at exec time
300 * @param old Existing subject credential
301 * @param vp File being executed
302 * @param offset Offset of binary within file being executed
303 * @param scriptvp Script being executed by interpreter, if any.
304 * @param vnodelabel Label corresponding to vp
305 * @param scriptvnodelabel Script vnode label
306 * @param execlabel Userspace provided execution label
307 * @param p Object process
308 * @param macpolicyattr MAC policy-specific spawn attribute data
309 * @param macpolicyattrlen Length of policy-specific spawn attribute data
310 * @see mac_execve
311 * @see mpo_cred_label_update_execve_t
312 * @see mpo_vnode_check_exec_t
313 *
314 * Indicate whether this policy intends to update the label of a newly
315 * created credential from the existing subject credential (old). This
316 * call occurs when a process executes the passed vnode. If a policy
317 * returns success from this entry point, the mpo_cred_label_update_execve
318 * entry point will later be called with the same parameters. Access
319 * has already been checked via the mpo_vnode_check_exec entry point,
320 * this entry point is necessary to preserve kernel locking constraints
321 * during program execution.
322 *
323 * The supplied vnode and vnodelabel correspond with the file actually
324 * being executed; in the case that the file is interpreted (for
325 * example, a script), the label of the original exec-time vnode has
326 * been preserved in scriptvnodelabel.
327 *
328 * The final label, execlabel, corresponds to a label supplied by a
329 * user space application through the use of the mac_execve system call.
330 *
331 * The vnode lock is held during this operation. No changes should be
332 * made to the old credential structure.
333 *
334 * @warning Even if a policy returns 0, it should behave correctly in
335 * the presence of an invocation of mpo_cred_label_update_execve, as that
336 * call may happen as a result of another policy requesting a transition.
337 *
338 * @return Non-zero if a transition is required, 0 otherwise.
339 */
2d21ac55
A		 340typedef int mpo_cred_check_label_update_execve_t(
341 kauth_cred_t old,
342 struct vnode *vp,
fe8ab488 343 off_t offset,
39236c6e 344 struct vnode *scriptvp,
2d21ac55
A		 345 struct label *vnodelabel,
346 struct label *scriptvnodelabel,
347 struct label *execlabel,
39236c6e
A		 348 struct proc *p,
349 void *macpolicyattr,
350 size_t macpolicyattrlen
0a7de745 351 );
2d21ac55 352/**
0a7de745
A		 353 * @brief Access control check for relabelling processes
354 * @param cred Subject credential
355 * @param newlabel New label to apply to the user credential
356 * @see mpo_cred_label_update_t
357 * @see mac_set_proc
358 *
359 * Determine whether the subject identified by the credential can relabel
360 * itself to the supplied new label (newlabel). This access control check
361 * is called when the mac_set_proc system call is invoked. A user space
362 * application will supply a new value, the value will be internalized
363 * and provided in newlabel.
364 *
365 * @return Return 0 if access is granted, otherwise an appropriate value for
366 * errno should be returned.
367 */
2d21ac55
A		 368typedef int mpo_cred_check_label_update_t(
369 kauth_cred_t cred,
370 struct label *newlabel
0a7de745 371 );
2d21ac55 372/**
0a7de745
A		 373 * @brief Access control check for visibility of other subjects
374 * @param u1 Subject credential
375 * @param u2 Object credential
376 *
377 * Determine whether the subject identified by the credential u1 can
378 * "see" other subjects with the passed subject credential u2. This call
379 * may be made in a number of situations, including inter-process status
380 * sysctls used by ps, and in procfs lookups.
381 *
382 * @return Return 0 if access is granted, otherwise an appropriate value for
383 * errno should be returned. Suggested failure: EACCES for label mismatch,
384 * EPERM for lack of privilege, or ESRCH to hide visibility.
385 */
2d21ac55
A		 386typedef int mpo_cred_check_visible_t(
387 kauth_cred_t u1,
388 kauth_cred_t u2
0a7de745 389 );
2d21ac55 390/**
0a7de745
A		 391 * @brief Associate a credential with a new process at fork
392 * @param cred credential to inherited by new process
393 * @param proc the new process
394 *
395 * Allow a process to associate the credential with a new
396 * process for reference countng purposes.
397 * NOTE: the credential can be dis-associated in ways other
398 * than exit - so this strategy is flawed - should just
399 * catch label destroy callback.
400 */
2d21ac55
A		 401typedef void mpo_cred_label_associate_fork_t(
402 kauth_cred_t cred,
403 proc_t proc
0a7de745 404 );
2d21ac55 405/**
0a7de745
A		 406 * @brief Create the first process
407 * @param cred Subject credential to be labeled
408 *
409 * Create the subject credential of process 0, the parent of all BSD
410 * kernel processes. Policies should update the label in the
411 * previously initialized credential structure.
412 */
2d21ac55
A		 413typedef void mpo_cred_label_associate_kernel_t(
414 kauth_cred_t cred
0a7de745 415 );
2d21ac55 416/**
0a7de745
A		 417 * @brief Create a credential label
418 * @param parent_cred Parent credential
419 * @param child_cred Child credential
420 *
421 * Set the label of a newly created credential, most likely using the
422 * information in the supplied parent credential.
423 *
424 * @warning This call is made when crcopy or crdup is invoked on a
425 * newly created struct ucred, and should not be confused with a
426 * process fork or creation event.
427 */
2d21ac55
A		 428typedef void mpo_cred_label_associate_t(
429 kauth_cred_t parent_cred,
430 kauth_cred_t child_cred
0a7de745 431 );
2d21ac55 432/**
0a7de745
A		 433 * @brief Create the first process
434 * @param cred Subject credential to be labeled
435 *
436 * Create the subject credential of process 1, the parent of all BSD
437 * user processes. Policies should update the label in the previously
438 * initialized credential structure. This is the 'init' process.
439 */
2d21ac55
A		 440typedef void mpo_cred_label_associate_user_t(
441 kauth_cred_t cred
0a7de745 442 );
2d21ac55 443/**
0a7de745
A		 444 * @brief Destroy credential label
445 * @param label The label to be destroyed
446 *
447 * Destroy a user credential label. Since the user credential
448 * is going out of scope, policy modules should free any internal
449 * storage associated with the label so that it may be destroyed.
450 */
2d21ac55
A		 451typedef void mpo_cred_label_destroy_t(
452 struct label *label
0a7de745 453 );
2d21ac55 454/**
0a7de745
A		 455 * @brief Externalize a user credential label for auditing
456 * @param label Label to be externalized
457 * @param element_name Name of the label namespace for which labels should be
458 * externalized
459 * @param sb String buffer to be filled with a text representation of the label
460 *
461 * Produce an external representation of the label on a user credential for
462 * inclusion in an audit record. An externalized label consists of a text
463 * representation of the label contents that will be added to the audit record
464 * as part of a text token. Policy-agnostic user space tools will display
465 * this externalized version.
466 *
467 * @return 0 on success, return non-zero if an error occurs while
468 * externalizing the label data.
469 *
470 */
2d21ac55
A		 471typedef int mpo_cred_label_externalize_audit_t(
472 struct label *label,
473 char *element_name,
474 struct sbuf *sb
0a7de745 475 );
2d21ac55 476/**
0a7de745
A		 477 * @brief Externalize a user credential label
478 * @param label Label to be externalized
479 * @param element_name Name of the label namespace for which labels should be
480 * externalized
481 * @param sb String buffer to be filled with a text representation of the label
482 *
483 * Produce an external representation of the label on a user
484 * credential. An externalized label consists of a text representation
485 * of the label contents that can be used with user applications.
486 * Policy-agnostic user space tools will display this externalized
487 * version.
488 *
489 * @return 0 on success, return non-zero if an error occurs while
490 * externalizing the label data.
491 *
492 */
2d21ac55
A		 493typedef int mpo_cred_label_externalize_t(
494 struct label *label,
495 char *element_name,
496 struct sbuf *sb
0a7de745 497 );
2d21ac55 498/**
0a7de745
A		 499 * @brief Initialize user credential label
500 * @param label New label to initialize
501 *
502 * Initialize the label for a newly instantiated user credential.
503 * Sleeping is permitted.
504 */
2d21ac55
A		 505typedef void mpo_cred_label_init_t(
506 struct label *label
0a7de745 507 );
2d21ac55 508/**
0a7de745
A		 509 * @brief Internalize a user credential label
510 * @param label Label to be internalized
511 * @param element_name Name of the label namespace for which the label should
512 * be internalized
513 * @param element_data Text data to be internalized
514 *
515 * Produce a user credential label from an external representation. An
516 * externalized label consists of a text representation of the label
517 * contents that can be used with user applications. Policy-agnostic
518 * user space tools will forward text version to the kernel for
519 * processing by individual policy modules.
520 *
521 * The policy's internalize entry points will be called only if the
522 * policy has registered interest in the label namespace.
523 *
524 * @return 0 on success, Otherwise, return non-zero if an error occurs
525 * while internalizing the label data.
526 *
527 */
2d21ac55
A		 528typedef int mpo_cred_label_internalize_t(
529 struct label *label,
530 char *element_name,
531 char *element_data
0a7de745
A		 532 );
533/**
534 * @brief Update credential at exec time
535 * @param old_cred Existing subject credential
536 * @param new_cred New subject credential to be labeled
537 * @param p Object process.
538 * @param vp File being executed
539 * @param offset Offset of binary within file being executed
540 * @param scriptvp Script being executed by interpreter, if any.
541 * @param vnodelabel Label corresponding to vp
542 * @param scriptvnodelabel Script vnode label
543 * @param execlabel Userspace provided execution label
544 * @param csflags Code signing flags to be set after exec
545 * @param macpolicyattr MAC policy-specific spawn attribute data.
546 * @param macpolicyattrlen Length of policy-specific spawn attribute data.
547 * @see mac_execve
548 * @see mpo_cred_check_label_update_execve_t
549 * @see mpo_vnode_check_exec_t
550 *
551 * Update the label of a newly created credential (new) from the
552 * existing subject credential (old). This call occurs when a process
553 * executes the passed vnode and one of the loaded policy modules has
554 * returned success from the mpo_cred_check_label_update_execve entry point.
555 * Access has already been checked via the mpo_vnode_check_exec entry
556 * point, this entry point is only used to update any policy state.
557 *
558 * The supplied vnode and vnodelabel correspond with the file actually
559 * being executed; in the case that the file is interpreted (for
560 * example, a script), the label of the original exec-time vnode has
561 * been preserved in scriptvnodelabel.
562 *
563 * The final label, execlabel, corresponds to a label supplied by a
564 * user space application through the use of the mac_execve system call.
565 *
566 * If non-NULL, the value pointed to by disjointp will be set to 0 to
567 * indicate that the old and new credentials are not disjoint, or 1 to
568 * indicate that they are.
569 *
570 * The vnode lock is held during this operation. No changes should be
571 * made to the old credential structure.
572 * @return 0 on success, Otherwise, return non-zero if update results in
573 * termination of child.
574 */
fe8ab488 575typedef int mpo_cred_label_update_execve_t(
2d21ac55
A		 576 kauth_cred_t old_cred,
577 kauth_cred_t new_cred,
39236c6e 578 struct proc *p,
2d21ac55 579 struct vnode *vp,
fe8ab488 580 off_t offset,
39236c6e 581 struct vnode *scriptvp,
2d21ac55
A		 582 struct label *vnodelabel,
583 struct label *scriptvnodelabel,
c910b4d9 584 struct label *execlabel,
fe8ab488 585 u_int *csflags,
39236c6e
A		 586 void *macpolicyattr,
587 size_t macpolicyattrlen,
c910b4d9 588 int *disjointp
0a7de745 589 );
2d21ac55 590/**
0a7de745
A		 591 * @brief Update a credential label
592 * @param cred The existing credential
593 * @param newlabel A new label to apply to the credential
594 * @see mpo_cred_check_label_update_t
595 * @see mac_set_proc
596 *
597 * Update the label on a user credential, using the supplied new label.
598 * This is called as a result of a process relabel operation. Access
599 * control was already confirmed by mpo_cred_check_label_update.
600 */
2d21ac55
A		 601typedef void mpo_cred_label_update_t(
602 kauth_cred_t cred,
603 struct label *newlabel
0a7de745 604 );
2d21ac55 605/**
0a7de745
A		 606 * @brief Create a new devfs device
607 * @param dev Major and minor numbers of special file
608 * @param de "inode" of new device file
609 * @param label Destination label
610 * @param fullpath Path relative to mount (e.g. /dev) of new device file
611 *
612 * This entry point labels a new devfs device. The label will likely be based
613 * on the path to the device, or the major and minor numbers.
614 * The policy should store an appropriate label into 'label'.
615 */
2d21ac55
A		 616typedef void mpo_devfs_label_associate_device_t(
617 dev_t dev,
618 struct devnode *de,
619 struct label *label,
620 const char *fullpath
0a7de745
A		 621 );
622/**
623 * @brief Create a new devfs directory
624 * @param dirname Name of new directory
625 * @param dirnamelen Length of 'dirname'
626 * @param de "inode" of new directory
627 * @param label Destination label
628 * @param fullpath Path relative to mount (e.g. /dev) of new directory
629 *
630 * This entry point labels a new devfs directory. The label will likely be
631 * based on the path of the new directory. The policy should store an appropriate
632 * label into 'label'. The devfs root directory is labelled in this way.
633 */
2d21ac55
A		 634typedef void mpo_devfs_label_associate_directory_t(
635 const char *dirname,
636 int dirnamelen,
637 struct devnode *de,
638 struct label *label,
639 const char *fullpath
0a7de745 640 );
2d21ac55 641/**
0a7de745
A		 642 * @brief Copy a devfs label
643 * @param src Source devfs label
644 * @param dest Destination devfs label
645 *
646 * Copy the label information from src to dest. The devfs file system
647 * often duplicates (splits) existing device nodes rather than creating
648 * new ones.
649 */
2d21ac55
A		 650typedef void mpo_devfs_label_copy_t(
651 struct label *src,
652 struct label *dest
0a7de745 653 );
2d21ac55 654/**
0a7de745
A		 655 * @brief Destroy devfs label
656 * @param label The label to be destroyed
657 *
658 * Destroy a devfs entry label. Since the object is going out
659 * of scope, policy modules should free any internal storage associated
660 * with the label so that it may be destroyed.
661 */
2d21ac55
A		 662typedef void mpo_devfs_label_destroy_t(
663 struct label *label
0a7de745 664 );
2d21ac55 665/**
0a7de745
A		 666 * @brief Initialize devfs label
667 * @param label New label to initialize
668 *
669 * Initialize the label for a newly instantiated devfs entry. Sleeping
670 * is permitted.
671 */
2d21ac55
A		 672typedef void mpo_devfs_label_init_t(
673 struct label *label
0a7de745
A		 674 );
675/**
676 * @brief Update a devfs label after relabelling its vnode
677 * @param mp Devfs mount point
678 * @param de Affected devfs directory entry
679 * @param delabel Label of devfs directory entry
680 * @param vp Vnode associated with de
681 * @param vnodelabel New label of vnode
682 *
683 * Update a devfs label when its vnode is manually relabelled,
684 * for example with setfmac(1). Typically, this will simply copy
685 * the vnode label into the devfs label.
686 */
2d21ac55
A		 687typedef void mpo_devfs_label_update_t(
688 struct mount *mp,
689 struct devnode *de,
690 struct label *delabel,
691 struct vnode *vp,
692 struct label *vnodelabel
0a7de745 693 );
39037602 694/**
0a7de745
A		 695 * @brief Access control for sending an exception to an exception action
696 * @param crashlabel The crashing process's label
697 * @param action Exception action
698 * @param exclabel Policy label for exception action
699 *
700 * Determine whether the the exception message caused by the victim
701 * process can be sent to the exception action. The policy may compare
702 * credentials in the crashlabel, which are derived from the process at
703 * the time the exception occurs, with the credentials in the exclabel,
704 * which was set at the time the exception port was set, to determine
705 * its decision. Note that any process from which the policy derived
706 * any credentials may not exist anymore at the time of this policy
707 * operation. Sleeping is permitted.
708 *
709 * @return Return 0 if the message can be sent, otherwise an
710 * appropriate value for errno should be returned.
711 */
39037602
A		 712typedef int mpo_exc_action_check_exception_send_t(
713 struct label *crashlabel,
714 struct exception_action *action,
715 struct label *exclabel
0a7de745 716 );
39037602 717/**
0a7de745
A		 718 * @brief Associate an exception action label
719 * @param action Exception action to label
720 * @param exclabel Policy label to be filled in for exception action
721 *
722 * Set the label on an exception action.
723 */
39037602
A		 724typedef void mpo_exc_action_label_associate_t(
725 struct exception_action *action,
726 struct label *exclabel
0a7de745 727 );
39037602 728/**
0a7de745
A		 729 * @brief Destroy exception action label
730 * @param label The label to be destroyed
731 *
732 * Destroy the label on an exception action. Since the object is going
733 * out of scope, policy modules should free any internal storage
734 * associated with the label so that it may be destroyed. Sleeping is
735 * permitted.
736 */
39037602
A		 737typedef void mpo_exc_action_label_destroy_t(
738 struct label *label
0a7de745 739 );
5ba3f43e 740/**
0a7de745
A		 741 * @brief Populate an exception action label with process credentials
742 * @param label The label to be populated
743 * @param proc Process to derive credentials from
744 *
745 * Populate a label with credentials derived from a process. At
746 * exception delivery time, the policy should compare credentials of the
747 * process that set an exception ports with the credentials of the
748 * process or corpse that experienced the exception. Note that the
749 * process that set the port may not exist at that time anymore, so
750 * labels should carry copies of live credentials if necessary.
751 */
5ba3f43e
A		 752typedef void mpo_exc_action_label_populate_t(
753 struct label *label,
754 struct proc *proc
0a7de745 755 );
39037602 756/**
0a7de745
A		 757 * @brief Initialize exception action label
758 * @param label New label to initialize
759 *
760 * Initialize a label for an exception action. Usually performs
761 * policy specific allocations. Sleeping is permitted.
762 */
39037602
A		 763typedef int mpo_exc_action_label_init_t(
764 struct label *label
0a7de745 765 );
39037602 766/**
0a7de745
A		 767 * @brief Update the label on an exception action
768 * @param action Exception action that the label belongs to (may be
769 * NULL if none)
770 * @param label Policy label to update
771 * @param newlabel New label for update
772 *
773 * Update the credentials of an exception action from the given
774 * label. The policy should copy over any credentials (process and
775 * otherwise) from the new label into the label to update. Must not
776 * sleep, must be quick and can be called with locks held.
777 */
5ba3f43e
A		 778typedef int mpo_exc_action_label_update_t(
779 struct exception_action *action,
780 struct label *label,
781 struct label *newlabel
0a7de745 782 );
2d21ac55 783/**
0a7de745
A		 784 * @brief Access control for changing the offset of a file descriptor
785 * @param cred Subject credential
786 * @param fg Fileglob structure
787 * @param label Policy label for fg
788 *
789 * Determine whether the subject identified by the credential can
790 * change the offset of the file represented by fg.
791 *
792 * @return Return 0 if access if granted, otherwise an appropriate
793 * value for errno should be returned.
794 */
2d21ac55
A		 795typedef int mpo_file_check_change_offset_t(
796 kauth_cred_t cred,
797 struct fileglob *fg,
798 struct label *label
0a7de745 799 );
2d21ac55 800/**
0a7de745
A		 801 * @brief Access control for creating a file descriptor
802 * @param cred Subject credential
803 *
804 * Determine whether the subject identified by the credential can
805 * allocate a new file descriptor.
806 *
807 * @return Return 0 if access if granted, otherwise an appropriate
808 * value for errno should be returned.
809 */
2d21ac55
A		 810typedef int mpo_file_check_create_t(
811 kauth_cred_t cred
0a7de745 812 );
2d21ac55 813/**
0a7de745
A		 814 * @brief Access control for duplicating a file descriptor
815 * @param cred Subject credential
816 * @param fg Fileglob structure
817 * @param label Policy label for fg
818 * @param newfd New file descriptor number
819 *
820 * Determine whether the subject identified by the credential can
821 * duplicate the fileglob structure represented by fg and as file
822 * descriptor number newfd.
823 *
824 * @return Return 0 if access if granted, otherwise an appropriate
825 * value for errno should be returned.
826 */
2d21ac55
A		 827typedef int mpo_file_check_dup_t(
828 kauth_cred_t cred,
829 struct fileglob *fg,
830 struct label *label,
831 int newfd
0a7de745
A		 832 );
833/**
834 * @brief Access control check for fcntl
835 * @param cred Subject credential
836 * @param fg Fileglob structure
837 * @param label Policy label for fg
838 * @param cmd Control operation to be performed; see fcntl(2)
839 * @param arg fcnt arguments; see fcntl(2)
840 *
841 * Determine whether the subject identified by the credential can perform
842 * the file control operation indicated by cmd.
843 *
844 * @return Return 0 if access is granted, otherwise an appropriate value for
845 * errno should be returned.
846 */
2d21ac55
A		 847typedef int mpo_file_check_fcntl_t(
848 kauth_cred_t cred,
849 struct fileglob *fg,
850 struct label *label,
851 int cmd,
852 user_long_t arg
0a7de745 853 );
2d21ac55 854/**
0a7de745
A		 855 * @brief Access control check for mac_get_fd
856 * @param cred Subject credential
857 * @param fg Fileglob structure
858 * @param elements Element buffer
859 * @param len Length of buffer
860 *
861 * Determine whether the subject identified by the credential should be allowed
862 * to get an externalized version of the label on the object indicated by fd.
863 *
864 * @return Return 0 if access is granted, otherwise an appropriate value for
865 * errno should be returned.
866 */
2d21ac55
A		 867typedef int mpo_file_check_get_t(
868 kauth_cred_t cred,
869 struct fileglob *fg,
870 char *elements,
871 int len
0a7de745 872 );
2d21ac55 873/**
0a7de745
A		 874 * @brief Access control for getting the offset of a file descriptor
875 * @param cred Subject credential
876 * @param fg Fileglob structure
877 * @param label Policy label for fg
878 *
879 * Determine whether the subject identified by the credential can
880 * get the offset of the file represented by fg.
881 *
882 * @return Return 0 if access if granted, otherwise an appropriate
883 * value for errno should be returned.
884 */
2d21ac55
A		 885typedef int mpo_file_check_get_offset_t(
886 kauth_cred_t cred,
887 struct fileglob *fg,
888 struct label *label
0a7de745 889 );
2d21ac55 890/**
0a7de745
A		 891 * @brief Access control for inheriting a file descriptor
892 * @param cred Subject credential
893 * @param fg Fileglob structure
894 * @param label Policy label for fg
895 *
896 * Determine whether the subject identified by the credential can
897 * inherit the fileglob structure represented by fg.
898 *
899 * @return Return 0 if access if granted, otherwise an appropriate
900 * value for errno should be returned.
901 */
2d21ac55
A		 902typedef int mpo_file_check_inherit_t(
903 kauth_cred_t cred,
904 struct fileglob *fg,
905 struct label *label
0a7de745 906 );
2d21ac55 907/**
0a7de745
A		 908 * @brief Access control check for file ioctl
909 * @param cred Subject credential
910 * @param fg Fileglob structure
911 * @param label Policy label for fg
912 * @param cmd The ioctl command; see ioctl(2)
913 *
914 * Determine whether the subject identified by the credential can perform
915 * the ioctl operation indicated by cmd.
916 *
917 * @warning Since ioctl data is opaque from the standpoint of the MAC
918 * framework, policies must exercise extreme care when implementing
919 * access control checks.
920 *
921 * @return Return 0 if access is granted, otherwise an appropriate value for
922 * errno should be returned.
923 *
924 */
2d21ac55
A		 925typedef int mpo_file_check_ioctl_t(
926 kauth_cred_t cred,
927 struct fileglob *fg,
928 struct label *label,
929 unsigned int cmd
0a7de745
A		 930 );
931/**
932 * @brief Access control check for file locking
933 * @param cred Subject credential
934 * @param fg Fileglob structure
935 * @param label Policy label for fg
936 * @param op The lock operation (F_GETLK, F_SETLK, F_UNLK)
937 * @param fl The flock structure
938 *
939 * Determine whether the subject identified by the credential can perform
940 * the lock operation indicated by op and fl on the file represented by fg.
941 *
942 * @return Return 0 if access is granted, otherwise an appropriate value for
943 * errno should be returned.
944 *
945 */
2d21ac55
A		 946typedef int mpo_file_check_lock_t(
947 kauth_cred_t cred,
948 struct fileglob *fg,
949 struct label *label,
950 int op,
951 struct flock *fl
0a7de745
A		 952 );
953/**
954 * @brief Check with library validation if a macho slice is allowed to be combined into a proc.
955 * @param p Subject process
956 * @param fg Fileglob structure
957 * @param slice_offset offset of the code slice
958 * @param error_message error message returned to user-space in case of error (userspace pointer)
959 * @param error_message_size error message size
960 *
961 * Its a little odd that the MAC/kext writes into userspace since this
962 * implies there is only one MAC module that implements this, however
963 * the alterantive is to allocate memory in xnu, on the hope that
964 * the MAC module will use it, or allocated in the MAC module and then
965 * free it in xnu. Either of these are very appeling, so lets go with
966 * the slightly more hacky way.
967 *
968 * @return Return 0 if access is granted, otherwise an appropriate value for
969 * errno should be returned.
970 */
39037602
A		 971typedef int mpo_file_check_library_validation_t(
972 struct proc *p,
973 struct fileglob *fg,
974 off_t slice_offset,
975 user_long_t error_message,
976 size_t error_message_size
0a7de745
A		 977 );
978/**
979 * @brief Access control check for mapping a file
980 * @param cred Subject credential
981 * @param fg fileglob representing file to map
982 * @param label Policy label associated with vp
983 * @param prot mmap protections; see mmap(2)
984 * @param flags Type of mapped object; see mmap(2)
985 * @param maxprot Maximum rights
986 *
987 * Determine whether the subject identified by the credential should be
988 * allowed to map the file represented by fg with the protections specified
989 * in prot. The maxprot field holds the maximum permissions on the new
990 * mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE.
991 * To avoid overriding prior access control checks, a policy should only
992 * remove flags from maxprot.
993 *
994 * @return Return 0 if access is granted, otherwise an appropriate value for
995 * errno should be returned. Suggested failure: EACCES for label mismatch or
996 * EPERM for lack of privilege.
997 */
2d21ac55
A		 998typedef int mpo_file_check_mmap_t(
999 kauth_cred_t cred,
1000 struct fileglob *fg,
1001 struct label *label,
1002 int prot,
1003 int flags,
3e170ce0 1004 uint64_t file_pos,
2d21ac55 1005 int *maxprot
0a7de745 1006 );
2d21ac55 1007/**
0a7de745
A		 1008 * @brief Downgrade the mmap protections
1009 * @param cred Subject credential
1010 * @param fg file to map
1011 * @param label Policy label associated with vp
1012 * @param prot mmap protections to be downgraded
1013 *
1014 * Downgrade the mmap protections based on the subject and object labels.
1015 */
2d21ac55
A		 1016typedef void mpo_file_check_mmap_downgrade_t(
1017 kauth_cred_t cred,
1018 struct fileglob *fg,
1019 struct label *label,
1020 int *prot
0a7de745 1021 );
2d21ac55 1022/**
0a7de745
A		 1023 * @brief Access control for receiving a file descriptor
1024 * @param cred Subject credential
1025 * @param fg Fileglob structure
1026 * @param label Policy label for fg
1027 *
1028 * Determine whether the subject identified by the credential can
1029 * receive the fileglob structure represented by fg.
1030 *
1031 * @return Return 0 if access if granted, otherwise an appropriate
1032 * value for errno should be returned.
1033 */
2d21ac55
A		 1034typedef int mpo_file_check_receive_t(
1035 kauth_cred_t cred,
1036 struct fileglob *fg,
1037 struct label *label
0a7de745 1038 );
2d21ac55 1039/**
0a7de745
A		 1040 * @brief Access control check for mac_set_fd
1041 * @param cred Subject credential
1042 * @param fg Fileglob structure
1043 * @param elements Elements buffer
1044 * @param len Length of elements buffer
1045 *
1046 * Determine whether the subject identified by the credential can
1047 * perform the mac_set_fd operation. The mac_set_fd operation is used
1048 * to associate a MAC label with a file.
1049 *
1050 * @return Return 0 if access is granted, otherwise an appropriate value for
1051 * errno should be returned.
1052 */
2d21ac55
A		 1053typedef int mpo_file_check_set_t(
1054 kauth_cred_t cred,
1055 struct fileglob *fg,
1056 char *elements,
1057 int len
0a7de745 1058 );
2d21ac55 1059/**
0a7de745
A		 1060 * @brief Create file label
1061 * @param cred Subject credential
1062 * @param fg Fileglob structure
1063 * @param label Policy label for fg
1064 */
2d21ac55
A		 1065typedef void mpo_file_label_associate_t(
1066 kauth_cred_t cred,
1067 struct fileglob *fg,
1068 struct label *label
0a7de745 1069 );
2d21ac55 1070/**
0a7de745
A		 1071 * @brief Destroy file label
1072 * @param label The label to be destroyed
1073 *
1074 * Destroy the label on a file descriptor. In this entry point, a
1075 * policy module should free any internal storage associated with
1076 * label so that it may be destroyed.
1077 */
2d21ac55
A		 1078typedef void mpo_file_label_destroy_t(
1079 struct label *label
0a7de745 1080 );
2d21ac55 1081/**
0a7de745
A		 1082 * @brief Initialize file label
1083 * @param label New label to initialize
1084 */
2d21ac55
A		 1085typedef void mpo_file_label_init_t(
1086 struct label *label
0a7de745
A		 1087 );
1088/**
1089 * @brief Access control check for relabeling network interfaces
1090 * @param cred Subject credential
1091 * @param ifp network interface being relabeled
1092 * @param ifnetlabel Current label of the network interfaces
1093 * @param newlabel New label to apply to the network interfaces
1094 * @see mpo_ifnet_label_update_t
1095 *
1096 * Determine whether the subject identified by the credential can
1097 * relabel the network interface represented by ifp to the supplied
1098 * new label (newlabel).
1099 *
1100 * @return Return 0 if access is granted, otherwise an appropriate value for
1101 * errno should be returned.
1102 */
2d21ac55
A		 1103typedef int mpo_ifnet_check_label_update_t(
1104 kauth_cred_t cred,
1105 struct ifnet *ifp,
1106 struct label *ifnetlabel,
1107 struct label *newlabel
0a7de745
A		 1108 );
1109/**
1110 * @brief Access control check for relabeling network interfaces
1111 * @param ifp Network interface mbuf will be transmitted through
1112 * @param ifnetlabel Label of the network interfaces
1113 * @param m The mbuf to be transmitted
1114 * @param mbuflabel Label of the mbuf to be transmitted
1115 * @param family Address Family, AF_*
1116 * @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
1117 *
1118 * Determine whether the mbuf with label mbuflabel may be transmitted
1119 * through the network interface represented by ifp that has the
1120 * label ifnetlabel.
1121 *
1122 * @return Return 0 if access is granted, otherwise an appropriate value for
1123 * errno should be returned.
1124 */
2d21ac55
A		 1125typedef int mpo_ifnet_check_transmit_t(
1126 struct ifnet *ifp,
1127 struct label *ifnetlabel,
1128 struct mbuf *m,
1129 struct label *mbuflabel,
1130 int family,
1131 int type
0a7de745 1132 );
2d21ac55 1133/**
0a7de745
A		 1134 * @brief Create a network interface label
1135 * @param ifp Network interface labeled
1136 * @param ifnetlabel Label for the network interface
1137 *
1138 * Set the label of a newly created network interface, most likely
1139 * using the information in the supplied network interface struct.
1140 */
2d21ac55
A		 1141typedef void mpo_ifnet_label_associate_t(
1142 struct ifnet *ifp,
1143 struct label *ifnetlabel
0a7de745 1144 );
2d21ac55 1145/**
0a7de745
A		 1146 * @brief Copy an ifnet label
1147 * @param src Source ifnet label
1148 * @param dest Destination ifnet label
1149 *
1150 * Copy the label information from src to dest.
1151 */
2d21ac55
A		 1152typedef void mpo_ifnet_label_copy_t(
1153 struct label *src,
1154 struct label *dest
0a7de745 1155 );
2d21ac55 1156/**
0a7de745
A		 1157 * @brief Destroy ifnet label
1158 * @param label The label to be destroyed
1159 *
1160 * Destroy the label on an ifnet label. In this entry point, a
1161 * policy module should free any internal storage associated with
1162 * label so that it may be destroyed.
1163 */
2d21ac55
A		 1164typedef void mpo_ifnet_label_destroy_t(
1165 struct label *label
0a7de745 1166 );
2d21ac55 1167/**
0a7de745
A		 1168 * @brief Externalize an ifnet label
1169 * @param label Label to be externalized
1170 * @param element_name Name of the label namespace for which labels should be
1171 * externalized
1172 * @param sb String buffer to be filled with a text representation of the label
1173 *
1174 * Produce an external representation of the label on an interface.
1175 * An externalized label consists of a text representation of the
1176 * label contents that can be used with user applications.
1177 * Policy-agnostic user space tools will display this externalized
1178 * version.
1179 *
1180 * @return 0 on success, return non-zero if an error occurs while
1181 * externalizing the label data.
1182 *
1183 */
2d21ac55
A		 1184typedef int mpo_ifnet_label_externalize_t(
1185 struct label *label,
1186 char *element_name,
1187 struct sbuf *sb
0a7de745 1188 );
2d21ac55 1189/**
0a7de745
A		 1190 * @brief Initialize ifnet label
1191 * @param label New label to initialize
1192 */
2d21ac55
A		 1193typedef void mpo_ifnet_label_init_t(
1194 struct label *label
0a7de745 1195 );
2d21ac55 1196/**
0a7de745
A		 1197 * @brief Internalize an interface label
1198 * @param label Label to be internalized
1199 * @param element_name Name of the label namespace for which the label should
1200 * be internalized
1201 * @param element_data Text data to be internalized
1202 *
1203 * Produce an interface label from an external representation. An
1204 * externalized label consists of a text representation of the label
1205 * contents that can be used with user applications. Policy-agnostic
1206 * user space tools will forward text version to the kernel for
1207 * processing by individual policy modules.
1208 *
1209 * The policy's internalize entry points will be called only if the
1210 * policy has registered interest in the label namespace.
1211 *
1212 * @return 0 on success, Otherwise, return non-zero if an error occurs
1213 * while internalizing the label data.
1214 *
1215 */
2d21ac55
A		 1216typedef int mpo_ifnet_label_internalize_t(
1217 struct label *label,
1218 char *element_name,
1219 char *element_data
0a7de745 1220 );
2d21ac55 1221/**
0a7de745
A		 1222 * @brief Recycle up a network interface label
1223 * @param label The label to be recycled
1224 *
1225 * Recycle a network interface label. Darwin caches the struct ifnet
1226 * of detached ifnets in a "free pool". Before ifnets are returned
1227 * to the "free pool", policies can cleanup or overwrite any information
1228 * present in the label.
1229 */
2d21ac55
A		 1230typedef void mpo_ifnet_label_recycle_t(
1231 struct label *label
0a7de745
A		 1232 );
1233/**
1234 * @brief Update a network interface label
1235 * @param cred Subject credential
1236 * @param ifp The network interface to be relabeled
1237 * @param ifnetlabel The current label of the network interface
1238 * @param newlabel A new label to apply to the network interface
1239 * @see mpo_ifnet_check_label_update_t
1240 *
1241 * Update the label on a network interface, using the supplied new label.
1242 */
2d21ac55
A		 1243typedef void mpo_ifnet_label_update_t(
1244 kauth_cred_t cred,
1245 struct ifnet *ifp,
1246 struct label *ifnetlabel,
1247 struct label *newlabel
0a7de745
A		 1248 );
1249/**
1250 * @brief Access control check for delivering a packet to a socket
1251 * @param inp inpcb the socket is associated with
1252 * @param inplabel Label of the inpcb
1253 * @param m The mbuf being received
1254 * @param mbuflabel Label of the mbuf being received
1255 * @param family Address family, AF_*
1256 * @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
1257 *
1258 * Determine whether the mbuf with label mbuflabel may be received
1259 * by the socket associated with inpcb that has the label inplabel.
1260 *
1261 * @return Return 0 if access is granted, otherwise an appropriate value for
1262 * errno should be returned.
1263 */
2d21ac55
A		 1264typedef int mpo_inpcb_check_deliver_t(
1265 struct inpcb *inp,
1266 struct label *inplabel,
1267 struct mbuf *m,
1268 struct label *mbuflabel,
1269 int family,
1270 int type
0a7de745 1271 );
2d21ac55 1272/**
0a7de745
A		 1273 * @brief Create an inpcb label
1274 * @param so Socket containing the inpcb to be labeled
1275 * @param solabel Label of the socket
1276 * @param inp inpcb to be labeled
1277 * @param inplabel Label for the inpcb
1278 *
1279 * Set the label of a newly created inpcb, most likely
1280 * using the information in the socket and/or socket label.
1281 */
2d21ac55
A		 1282typedef void mpo_inpcb_label_associate_t(
1283 struct socket *so,
1284 struct label *solabel,
1285 struct inpcb *inp,
1286 struct label *inplabel
0a7de745 1287 );
2d21ac55 1288/**
0a7de745
A		 1289 * @brief Destroy inpcb label
1290 * @param label The label to be destroyed
1291 *
1292 * Destroy the label on an inpcb label. In this entry point, a
1293 * policy module should free any internal storage associated with
1294 * label so that it may be destroyed.
1295 */
2d21ac55
A		 1296typedef void mpo_inpcb_label_destroy_t(
1297 struct label *label
0a7de745 1298 );
2d21ac55 1299/**
0a7de745
A		 1300 * @brief Initialize inpcb label
1301 * @param label New label to initialize
1302 * @param flag M_WAITOK or M_NOWAIT
1303 */
2d21ac55
A		 1304typedef int mpo_inpcb_label_init_t(
1305 struct label *label,
1306 int flag
0a7de745 1307 );
2d21ac55 1308/**
0a7de745
A		 1309 * @brief Recycle up an inpcb label
1310 * @param label The label to be recycled
1311 *
1312 * Recycle an inpcb label. Darwin allocates the inpcb as part of
1313 * the socket structure in some cases. For this case we must recycle
1314 * rather than destroy the inpcb as it will be reused later.
1315 */
2d21ac55
A		 1316typedef void mpo_inpcb_label_recycle_t(
1317 struct label *label
0a7de745 1318 );
2d21ac55 1319/**
0a7de745
A		 1320 * @brief Update an inpcb label from a socket label
1321 * @param so Socket containing the inpcb to be relabeled
1322 * @param solabel New label of the socket
1323 * @param inp inpcb to be labeled
1324 * @param inplabel Label for the inpcb
1325 *
1326 * Set the label of a newly created inpcb due to a change in the
1327 * underlying socket label.
1328 */
2d21ac55
A		 1329typedef void mpo_inpcb_label_update_t(
1330 struct socket *so,
1331 struct label *solabel,
1332 struct inpcb *inp,
1333 struct label *inplabel
0a7de745 1334 );
2d21ac55 1335/**
0a7de745
A		 1336 * @brief Device hardware access control
1337 * @param devtype Type of device connected
1338 *
1339 * This is the MAC Framework device access control, which is called by the I/O
1340 * Kit when a new device is connected to the system to determine whether that
1341 * device should be trusted. A list of properties associated with the device
1342 * is passed as an XML-formatted string. The routine should examine these
1343 * properties to determine the trustworthiness of the device. A return value
1344 * of EPERM forces the device to be claimed by a special device driver that
1345 * will prevent its operation.
1346 *
1347 * @warning This is an experimental interface and may change in the future.
1348 *
1349 * @return Return EPERM to indicate that the device is untrusted and should
1350 * not be allowed to operate. Return zero to indicate that the device is
1351 * trusted and should be allowed to operate normally.
1352 *
1353 */
2d21ac55
A		 1354typedef int mpo_iokit_check_device_t(
1355 char *devtype,
1356 struct mac_module_data *mdata
0a7de745 1357 );
6d2010ae 1358/**
0a7de745
A		 1359 * @brief Access control check for opening an I/O Kit device
1360 * @param cred Subject credential
1361 * @param user_client User client instance
1362 * @param user_client_type User client type
1363 *
1364 * Determine whether the subject identified by the credential can open an
1365 * I/O Kit device at the passed path of the passed user client class and
1366 * type.
1367 *
1368 * @return Return 0 if access is granted, or an appropriate value for
1369 * errno should be returned.
1370 */
6d2010ae
A		 1371typedef int mpo_iokit_check_open_t(
1372 kauth_cred_t cred,
1373 io_object_t user_client,
1374 unsigned int user_client_type
0a7de745 1375 );
6d2010ae 1376/**
0a7de745
A		 1377 * @brief Access control check for setting I/O Kit device properties
1378 * @param cred Subject credential
1379 * @param entry Target device
1380 * @param properties Property list
1381 *
1382 * Determine whether the subject identified by the credential can set
1383 * properties on an I/O Kit device.
1384 *
1385 * @return Return 0 if access is granted, or an appropriate value for
1386 * errno should be returned.
1387 */
6d2010ae
A		 1388typedef int mpo_iokit_check_set_properties_t(
1389 kauth_cred_t cred,
1390 io_object_t entry,
1391 io_object_t properties
0a7de745 1392 );
fe8ab488 1393/**
0a7de745
A		 1394 * @brief Indicate desire to filter I/O Kit devices properties
1395 * @param cred Subject credential
1396 * @param entry Target device
1397 * @see mpo_iokit_check_get_property_t
1398 *
1399 * Indicate whether this policy may restrict the subject credential
1400 * from reading properties of the target device.
1401 * If a policy returns success from this entry point, the
1402 * mpo_iokit_check_get_property entry point will later be called
1403 * for each property that the subject credential tries to read from
1404 * the target device.
1405 *
1406 * This entry point is primarilly to optimize bulk property reads
1407 * by skipping calls to the mpo_iokit_check_get_property entry point
1408 * for credentials / devices no MAC policy is interested in.
1409 *
1410 * @warning Even if a policy returns 0, it should behave correctly in
1411 * the presence of an invocation of mpo_iokit_check_get_property, as that
1412 * call may happen as a result of another policy requesting a transition.
1413 *
1414 * @return Non-zero if a transition is required, 0 otherwise.
fe8ab488
A		 1415 */
1416typedef int mpo_iokit_check_filter_properties_t(
1417 kauth_cred_t cred,
1418 io_object_t entry
0a7de745 1419 );
fe8ab488 1420/**
0a7de745
A		 1421 * @brief Access control check for getting I/O Kit device properties
1422 * @param cred Subject credential
1423 * @param entry Target device
1424 * @param name Property name
1425 *
1426 * Determine whether the subject identified by the credential can get
1427 * properties on an I/O Kit device.
1428 *
1429 * @return Return 0 if access is granted, or an appropriate value for
1430 * errno.
1431 */
fe8ab488
A		 1432typedef int mpo_iokit_check_get_property_t(
1433 kauth_cred_t cred,
1434 io_object_t entry,
1435 const char *name
0a7de745 1436 );
6d2010ae 1437/**
0a7de745
A		 1438 * @brief Access control check for software HID control
1439 * @param cred Subject credential
1440 *
1441 * Determine whether the subject identified by the credential can
1442 * control the HID (Human Interface Device) subsystem, such as to
1443 * post synthetic keypresses, pointer movement and clicks.
1444 *
1445 * @return Return 0 if access is granted, or an appropriate value for
1446 * errno.
1447 */
6d2010ae
A		 1448typedef int mpo_iokit_check_hid_control_t(
1449 kauth_cred_t cred
0a7de745 1450 );
2d21ac55 1451/**
0a7de745
A		 1452 * @brief Create an IP reassembly queue label
1453 * @param fragment First received IP fragment
1454 * @param fragmentlabel Policy label for fragment
1455 * @param ipq IP reassembly queue to be labeled
1456 * @param ipqlabel Policy label to be filled in for ipq
1457 *
1458 * Set the label on a newly created IP reassembly queue from
1459 * the mbuf header of the first received fragment.
1460 */
2d21ac55
A		 1461typedef void mpo_ipq_label_associate_t(
1462 struct mbuf *fragment,
1463 struct label *fragmentlabel,
1464 struct ipq *ipq,
1465 struct label *ipqlabel
0a7de745 1466 );
2d21ac55 1467/**
0a7de745
A		 1468 * @brief Compare an mbuf header label to an ipq label
1469 * @param fragment IP datagram fragment
1470 * @param fragmentlabel Policy label for fragment
1471 * @param ipq IP fragment reassembly queue
1472 * @param ipqlabel Policy label for ipq
1473 *
1474 * Compare the label of the mbuf header containing an IP datagram
1475 * (fragment) fragment with the label of the passed IP fragment
1476 * reassembly queue (ipq). Return (1) for a successful match, or (0)
1477 * for no match. This call is made when the IP stack attempts to
1478 * find an existing fragment reassembly queue for a newly received
1479 * fragment; if this fails, a new fragment reassembly queue may be
1480 * instantiated for the fragment. Policies may use this entry point
1481 * to prevent the reassembly of otherwise matching IP fragments if
1482 * policy does not permit them to be reassembled based on the label
1483 * or other information.
1484 */
2d21ac55
A		 1485typedef int mpo_ipq_label_compare_t(
1486 struct mbuf *fragment,
1487 struct label *fragmentlabel,
1488 struct ipq *ipq,
1489 struct label *ipqlabel
0a7de745 1490 );
2d21ac55 1491/**
0a7de745
A		 1492 * @brief Destroy IP reassembly queue label
1493 * @param label The label to be destroyed
1494 *
1495 * Destroy the label on an IP fragment queue. In this entry point, a
1496 * policy module should free any internal storage associated with
1497 * label so that it may be destroyed.
1498 */
2d21ac55
A		 1499typedef void mpo_ipq_label_destroy_t(
1500 struct label *label
0a7de745 1501 );
2d21ac55 1502/**
0a7de745
A		 1503 * @brief Initialize IP reassembly queue label
1504 * @param label New label to initialize
1505 * @param flag M_WAITOK or M_NOWAIT
1506 *
1507 * Initialize the label on a newly instantiated IP fragment reassembly
1508 * queue. The flag field may be one of M_WAITOK and M_NOWAIT, and
1509 * should be employed to avoid performing a sleeping malloc(9) during
1510 * this initialization call. IP fragment reassembly queue allocation
1511 * frequently occurs in performance sensitive environments, and the
1512 * implementation should be careful to avoid sleeping or long-lived
1513 * operations. This entry point is permitted to fail resulting in
1514 * the failure to allocate the IP fragment reassembly queue.
1515 */
2d21ac55
A		 1516typedef int mpo_ipq_label_init_t(
1517 struct label *label,
1518 int flag
0a7de745 1519 );
2d21ac55 1520/**
0a7de745
A		 1521 * @brief Update the label on an IP fragment reassembly queue
1522 * @param fragment IP fragment
1523 * @param fragmentlabel Policy label for fragment
1524 * @param ipq IP fragment reassembly queue
1525 * @param ipqlabel Policy label to be updated for ipq
1526 *
1527 * Update the label on an IP fragment reassembly queue (ipq) based
1528 * on the acceptance of the passed IP fragment mbuf header (fragment).
1529 */
2d21ac55
A		 1530typedef void mpo_ipq_label_update_t(
1531 struct mbuf *fragment,
1532 struct label *fragmentlabel,
1533 struct ipq *ipq,
1534 struct label *ipqlabel
0a7de745 1535 );
2d21ac55 1536/**
0a7de745
A		 1537 * @brief Assign a label to a new mbuf
1538 * @param bpf_d BPF descriptor
1539 * @param b_label Policy label for bpf_d
1540 * @param m Object; mbuf
1541 * @param m_label Policy label to fill in for m
1542 *
1543 * Set the label on the mbuf header of a newly created datagram
1544 * generated using the passed BPF descriptor. This call is made when
1545 * a write is performed to the BPF device associated with the passed
1546 * BPF descriptor.
1547 */
2d21ac55
A		 1548typedef void mpo_mbuf_label_associate_bpfdesc_t(
1549 struct bpf_d *bpf_d,
1550 struct label *b_label,
1551 struct mbuf *m,
1552 struct label *m_label
0a7de745 1553 );
2d21ac55 1554/**
0a7de745
A		 1555 * @brief Assign a label to a new mbuf
1556 * @param ifp Interface descriptor
1557 * @param i_label Existing label of ifp
1558 * @param m Object; mbuf
1559 * @param m_label Policy label to fill in for m
1560 *
1561 * Label an mbuf based on the interface from which it was received.
1562 */
2d21ac55
A		 1563typedef void mpo_mbuf_label_associate_ifnet_t(
1564 struct ifnet *ifp,
1565 struct label *i_label,
1566 struct mbuf *m,
1567 struct label *m_label
0a7de745 1568 );
2d21ac55 1569/**
0a7de745
A		 1570 * @brief Assign a label to a new mbuf
1571 * @param inp inpcb structure
1572 * @param i_label Existing label of inp
1573 * @param m Object; mbuf
1574 * @param m_label Policy label to fill in for m
1575 *
1576 * Label an mbuf based on the inpcb from which it was derived.
1577 */
2d21ac55
A		 1578typedef void mpo_mbuf_label_associate_inpcb_t(
1579 struct inpcb *inp,
1580 struct label *i_label,
1581 struct mbuf *m,
1582 struct label *m_label
0a7de745 1583 );
2d21ac55 1584/**
0a7de745
A		 1585 * @brief Set the label on a newly reassembled IP datagram
1586 * @param ipq IP fragment reassembly queue
1587 * @param ipqlabel Policy label for ipq
1588 * @param mbuf IP datagram to be labeled
1589 * @param mbuflabel Policy label to be filled in for mbuf
1590 *
1591 * Set the label on a newly reassembled IP datagram (mbuf) from the IP
1592 * fragment reassembly queue (ipq) from which it was generated.
1593 */
2d21ac55
A		 1594typedef void mpo_mbuf_label_associate_ipq_t(
1595 struct ipq *ipq,
1596 struct label *ipqlabel,
1597 struct mbuf *mbuf,
1598 struct label *mbuflabel
0a7de745 1599 );
2d21ac55 1600/**
0a7de745
A		 1601 * @brief Assign a label to a new mbuf
1602 * @param ifp Subject; network interface
1603 * @param i_label Existing label of ifp
1604 * @param m Object; mbuf
1605 * @param m_label Policy label to fill in for m
1606 *
1607 * Set the label on the mbuf header of a newly created datagram
1608 * generated for the purposes of a link layer response for the passed
1609 * interface. This call may be made in a number of situations, including
1610 * for ARP or ND6 responses in the IPv4 and IPv6 stacks.
1611 */
2d21ac55
A		 1612typedef void mpo_mbuf_label_associate_linklayer_t(
1613 struct ifnet *ifp,
1614 struct label *i_label,
1615 struct mbuf *m,
1616 struct label *m_label
0a7de745
A		 1617 );
1618/**
1619 * @brief Assign a label to a new mbuf
1620 * @param oldmbuf mbuf headerder for existing datagram for existing datagram
1621 * @param oldmbuflabel Policy label for oldmbuf
1622 * @param ifp Network interface
1623 * @param ifplabel Policy label for ifp
1624 * @param newmbuf mbuf header to be labeled for new datagram
1625 * @param newmbuflabel Policy label for newmbuf
1626 *
1627 * Set the label on the mbuf header of a newly created datagram
1628 * generated from the existing passed datagram when it is processed
1629 * by the passed multicast encapsulation interface. This call is made
1630 * when an mbuf is to be delivered using the virtual interface.
1631 */
2d21ac55
A		 1632typedef void mpo_mbuf_label_associate_multicast_encap_t(
1633 struct mbuf *oldmbuf,
1634 struct label *oldmbuflabel,
1635 struct ifnet *ifp,
1636 struct label *ifplabel,
1637 struct mbuf *newmbuf,
1638 struct label *newmbuflabel
0a7de745 1639 );
2d21ac55 1640/**
0a7de745
A		 1641 * @brief Assign a label to a new mbuf
1642 * @param oldmbuf Received datagram
1643 * @param oldmbuflabel Policy label for oldmbuf
1644 * @param newmbuf Newly created datagram
1645 * @param newmbuflabel Policy label for newmbuf
1646 *
1647 * Set the label on the mbuf header of a newly created datagram generated
1648 * by the IP stack in response to an existing received datagram (oldmbuf).
1649 * This call may be made in a number of situations, including when responding
1650 * to ICMP request datagrams.
1651 */
2d21ac55
A		 1652typedef void mpo_mbuf_label_associate_netlayer_t(
1653 struct mbuf *oldmbuf,
1654 struct label *oldmbuflabel,
1655 struct mbuf *newmbuf,
1656 struct label *newmbuflabel
0a7de745 1657 );
2d21ac55 1658/**
0a7de745
A		 1659 * @brief Assign a label to a new mbuf
1660 * @param so Socket to label
1661 * @param so_label Policy label for socket
1662 * @param m Object; mbuf
1663 * @param m_label Policy label to fill in for m
1664 *
1665 * An mbuf structure is used to store network traffic in transit.
1666 * When an application sends data to a socket or a pipe, it is wrapped
1667 * in an mbuf first. This function sets the label on a newly created mbuf header
1668 * based on the socket sending the data. The contents of the label should be
1669 * suitable for performing an access check on the receiving side of the
1670 * communication.
1671 *
1672 * Only labeled MBUFs will be presented to the policy via this entrypoint.
1673 */
2d21ac55
A		 1674typedef void mpo_mbuf_label_associate_socket_t(
1675 socket_t so,
1676 struct label *so_label,
1677 struct mbuf *m,
1678 struct label *m_label
0a7de745 1679 );
2d21ac55 1680/**
0a7de745
A		 1681 * @brief Copy a mbuf label
1682 * @param src Source label
1683 * @param dest Destination label
1684 *
1685 * Copy the mbuf label information in src into dest.
1686 *
1687 * Only called when both source and destination mbufs have labels.
1688 */
2d21ac55
A		 1689typedef void mpo_mbuf_label_copy_t(
1690 struct label *src,
1691 struct label *dest
0a7de745 1692 );
2d21ac55 1693/**
0a7de745
A		 1694 * @brief Destroy mbuf label
1695 * @param label The label to be destroyed
1696 *
1697 * Destroy a mbuf label. Since the
1698 * object is going out of scope, policy modules should free any
1699 * internal storage associated with the label so that it may be
1700 * destroyed.
1701 */
2d21ac55
A		 1702typedef void mpo_mbuf_label_destroy_t(
1703 struct label *label
0a7de745 1704 );
2d21ac55 1705/**
0a7de745
A		 1706 * @brief Initialize mbuf label
1707 * @param label New label to initialize
1708 * @param flag Malloc flags
1709 *
1710 * Initialize the label for a newly instantiated mbuf.
1711 *
1712 * @warning Since it is possible for the flags to be set to
1713 * M_NOWAIT, the malloc operation may fail.
1714 *
1715 * @return On success, 0, otherwise, an appropriate errno return value.
1716 */
2d21ac55
A		 1717typedef int mpo_mbuf_label_init_t(
1718 struct label *label,
1719 int flag
0a7de745 1720 );
2d21ac55 1721/**
0a7de745
A		 1722 * @brief Access control check for fsctl
1723 * @param cred Subject credential
1724 * @param mp The mount point
1725 * @param label Label associated with the mount point
1726 * @param cmd Filesystem-dependent request code; see fsctl(2)
1727 *
1728 * Determine whether the subject identified by the credential can perform
1729 * the volume operation indicated by com.
1730 *
1731 * @warning The fsctl() system call is directly analogous to ioctl(); since
1732 * the associated data is opaque from the standpoint of the MAC framework
1733 * and since these operations can affect many aspects of system operation,
1734 * policies must exercise extreme care when implementing access control checks.
1735 *
1736 * @return Return 0 if access is granted, otherwise an appropriate value for
1737 * errno should be returned.
1738 */
2d21ac55
A		 1739typedef int mpo_mount_check_fsctl_t(
1740 kauth_cred_t cred,
1741 struct mount *mp,
1742 struct label *label,
1743 unsigned int cmd
0a7de745 1744 );
2d21ac55 1745/**
0a7de745
A		 1746 * @brief Access control check for the retrieval of file system attributes
1747 * @param cred Subject credential
1748 * @param mp The mount structure of the file system
1749 * @param vfa The attributes requested
1750 *
1751 * This entry point determines whether given subject can get information
1752 * about the given file system. This check happens during statfs() syscalls,
1753 * but is also used by other parts within the kernel such as the audit system.
1754 *
1755 * @return Return 0 if access is granted, otherwise an appropriate value for
1756 * errno should be returned.
1757 *
1758 * @note Policies may change the contents of vfa to alter the list of
1759 * file system attributes returned.
1760 */
2d21ac55
A		 1761
1762typedef int mpo_mount_check_getattr_t(
1763 kauth_cred_t cred,
1764 struct mount *mp,
1765 struct label *mp_label,
1766 struct vfs_attr *vfa
0a7de745 1767 );
2d21ac55 1768/**
0a7de745
A		 1769 * @brief Access control check for mount point relabeling
1770 * @param cred Subject credential
1771 * @param mp Object file system mount point
1772 * @param mntlabel Policy label for fle system mount point
1773 *
1774 * Determine whether the subject identified by the credential can relabel
1775 * the mount point. This call is made when a file system mount is updated.
1776 *
1777 * @return Return 0 if access is granted, otherwise an appropriate value for
1778 * errno should be returned. Suggested failure: EACCES for label mismatch
1779 * or EPERM for lack of privilege.
1780 */
2d21ac55
A		 1781typedef int mpo_mount_check_label_update_t(
1782 kauth_cred_t cred,
1783 struct mount *mp,
1784 struct label *mntlabel
0a7de745
A		 1785 );
1786/**
1787 * @brief Access control check for mounting a file system
1788 * @param cred Subject credential
1789 * @param vp Vnode that is to be the mount point
1790 * @param vlabel Label associated with the vnode
1791 * @param cnp Component name for vp
1792 * @param vfc_name Filesystem type name
1793 *
1794 * Determine whether the subject identified by the credential can perform
1795 * the mount operation on the target vnode.
1796 *
1797 * @return Return 0 if access is granted, otherwise an appropriate value for
1798 * errno should be returned.
1799 */
2d21ac55
A		 1800typedef int mpo_mount_check_mount_t(
1801 kauth_cred_t cred,
1802 struct vnode *vp,
1803 struct label *vlabel,
1804 struct componentname *cnp,
1805 const char *vfc_name
0a7de745 1806 );
cb323159
A		 1807/**
1808 * @brief Access control check for mounting a file system (late)
1809 * @param cred Subject credential
1810 * @param mp Mount point
1811 *
1812 * Similar to mpo_mount_check_mount, but occurs after VFS_MOUNT has been
1813 * called, making it possible to access mnt_vfsstat.f_mntfromname and other
1814 * fields.
1815 *
1816 * @return Return 0 if access is granted, otherwise an appropriate value for
1817 * errno should be returned.
1818 */
1819typedef int mpo_mount_check_mount_late_t(
1820 kauth_cred_t cred,
1821 struct mount *mp
1822 );
39037602 1823/**
0a7de745
A		 1824 * @brief Access control check for fs_snapshot_create
1825 * @param cred Subject credential
1826 * @mp Filesystem mount point to create snapshot of
1827 * @name Name of snapshot to create
1828 *
1829 * Determine whether the subject identified by the credential can
1830 * create a snapshot of the filesystem at the given mount point.
1831 *
1832 * @return Return 0 if access is granted, otherwise an appropriate value
1833 * for errno should be returned.
1834 */
39037602
A		 1835typedef int mpo_mount_check_snapshot_create_t(
1836 kauth_cred_t cred,
1837 struct mount *mp,
1838 const char *name
0a7de745 1839 );
39037602 1840/**
0a7de745
A		 1841 * @brief Access control check for fs_snapshot_delete
1842 * @param cred Subject credential
1843 * @mp Filesystem mount point to delete snapshot of
1844 * @name Name of snapshot to delete
1845 *
1846 * Determine whether the subject identified by the credential can
1847 * delete the named snapshot from the filesystem at the given
1848 * mount point.
1849 *
1850 * @return Return 0 if access is granted, otherwise an appropriate value
1851 * for errno should be returned.
1852 */
39037602
A		 1853typedef int mpo_mount_check_snapshot_delete_t(
1854 kauth_cred_t cred,
1855 struct mount *mp,
1856 const char *name
0a7de745 1857 );
813fb2f6 1858/**
0a7de745
A		 1859 * @brief Access control check for fs_snapshot_revert
1860 * @param cred Subject credential
1861 * @mp Filesystem mount point to revert to snapshot
1862 * @name Name of snapshot to revert to
1863 *
1864 * Determine whether the subject identified by the credential can
1865 * revert the filesystem at the given mount point to the named snapshot.
1866 *
1867 * @return Return 0 if access is granted, otherwise an appropriate value
1868 * for errno should be returned.
1869 */
813fb2f6
A		 1870typedef int mpo_mount_check_snapshot_revert_t(
1871 kauth_cred_t cred,
1872 struct mount *mp,
1873 const char *name
0a7de745 1874 );
2d21ac55 1875/**
0a7de745
A		 1876 * @brief Access control check remounting a filesystem
1877 * @param cred Subject credential
1878 * @param mp The mount point
1879 * @param mlabel Label currently associated with the mount point
1880 *
1881 * Determine whether the subject identified by the credential can perform
1882 * the remount operation on the target vnode.
1883 *
1884 * @return Return 0 if access is granted, otherwise an appropriate value for
1885 * errno should be returned.
1886 */
2d21ac55
A		 1887typedef int mpo_mount_check_remount_t(
1888 kauth_cred_t cred,
1889 struct mount *mp,
1890 struct label *mlabel
0a7de745 1891 );
2d21ac55 1892/**
0a7de745
A		 1893 * @brief Access control check for the settting of file system attributes
1894 * @param cred Subject credential
1895 * @param mp The mount structure of the file system
1896 * @param vfa The attributes requested
1897 *
1898 * This entry point determines whether given subject can set information
1899 * about the given file system, for example the volume name.
1900 *
1901 * @return Return 0 if access is granted, otherwise an appropriate value for
1902 * errno should be returned.
1903 */
2d21ac55
A		 1904
1905typedef int mpo_mount_check_setattr_t(
1906 kauth_cred_t cred,
1907 struct mount *mp,
1908 struct label *mp_label,
1909 struct vfs_attr *vfa
0a7de745 1910 );
2d21ac55 1911/**
0a7de745
A		 1912 * @brief Access control check for file system statistics
1913 * @param cred Subject credential
1914 * @param mp Object file system mount
1915 * @param mntlabel Policy label for mp
1916 *
1917 * Determine whether the subject identified by the credential can see
1918 * the results of a statfs performed on the file system. This call may
1919 * be made in a number of situations, including during invocations of
1920 * statfs(2) and related calls, as well as to determine what file systems
1921 * to exclude from listings of file systems, such as when getfsstat(2)
1922 * is invoked.
1923 *
1924 * @return Return 0 if access is granted, otherwise an appropriate value for
1925 * errno should be returned. Suggested failure: EACCES for label mismatch
1926 * or EPERM for lack of privilege.
1927 */
2d21ac55
A		 1928typedef int mpo_mount_check_stat_t(
1929 kauth_cred_t cred,
1930 struct mount *mp,
1931 struct label *mntlabel
0a7de745 1932 );
2d21ac55 1933/**
0a7de745
A		 1934 * @brief Access control check for unmounting a filesystem
1935 * @param cred Subject credential
1936 * @param mp The mount point
1937 * @param mlabel Label associated with the mount point
1938 *
1939 * Determine whether the subject identified by the credential can perform
1940 * the unmount operation on the target vnode.
1941 *
1942 * @return Return 0 if access is granted, otherwise an appropriate value for
1943 * errno should be returned.
1944 */
2d21ac55
A		 1945typedef int mpo_mount_check_umount_t(
1946 kauth_cred_t cred,
1947 struct mount *mp,
1948 struct label *mlabel
0a7de745 1949 );
2d21ac55 1950/**
0a7de745
A		 1951 * @brief Create mount labels
1952 * @param cred Subject credential
1953 * @param mp Mount point of file system being mounted
1954 * @param mntlabel Label to associate with the new mount point
1955 * @see mpo_mount_label_init_t
1956 *
1957 * Fill out the labels on the mount point being created by the supplied
1958 * user credential. This call is made when file systems are first mounted.
1959 */
2d21ac55
A		 1960typedef void mpo_mount_label_associate_t(
1961 kauth_cred_t cred,
1962 struct mount *mp,
1963 struct label *mntlabel
0a7de745 1964 );
2d21ac55 1965/**
0a7de745
A		 1966 * @brief Destroy mount label
1967 * @param label The label to be destroyed
1968 *
1969 * Destroy a file system mount label. Since the
1970 * object is going out of scope, policy modules should free any
1971 * internal storage associated with the label so that it may be
1972 * destroyed.
1973 */
2d21ac55
A		 1974typedef void mpo_mount_label_destroy_t(
1975 struct label *label
0a7de745 1976 );
2d21ac55 1977/**
0a7de745
A		 1978 * @brief Externalize a mount point label
1979 * @param label Label to be externalized
1980 * @param element_name Name of the label namespace for which labels should be
1981 * externalized
1982 * @param sb String buffer to be filled with a text representation of the label
1983 *
1984 * Produce an external representation of the mount point label. An
1985 * externalized label consists of a text representation of the label
1986 * contents that can be used with user applications. Policy-agnostic
1987 * user space tools will display this externalized version.
1988 *
1989 * The policy's externalize entry points will be called only if the
1990 * policy has registered interest in the label namespace.
1991 *
1992 * @return 0 on success, return non-zero if an error occurs while
1993 * externalizing the label data.
1994 *
1995 */
2d21ac55
A		 1996typedef int mpo_mount_label_externalize_t(
1997 struct label *label,
1998 char *element_name,
1999 struct sbuf *sb
0a7de745 2000 );
2d21ac55 2001/**
0a7de745
A		 2002 * @brief Initialize mount point label
2003 * @param label New label to initialize
2004 *
2005 * Initialize the label for a newly instantiated mount structure.
2006 * This label is typically used to store a default label in the case
2007 * that the file system has been mounted singlelabel. Since some
2008 * file systems do not support persistent labels (extended attributes)
2009 * or are read-only (such as CD-ROMs), it is often necessary to store
2010 * a default label separately from the label of the mount point
2011 * itself. Sleeping is permitted.
2012 */
2d21ac55
A		 2013typedef void mpo_mount_label_init_t(
2014 struct label *label
0a7de745 2015 );
2d21ac55 2016/**
0a7de745
A		 2017 * @brief Internalize a mount point label
2018 * @param label Label to be internalized
2019 * @param element_name Name of the label namespace for which the label should
2020 * be internalized
2021 * @param element_data Text data to be internalized
2022 *
2023 * Produce a mount point file system label from an external representation.
2024 * An externalized label consists of a text representation of the label
2025 * contents that can be used with user applications. Policy-agnostic
2026 * user space tools will forward text version to the kernel for
2027 * processing by individual policy modules.
2028 *
2029 * The policy's internalize entry points will be called only if the
2030 * policy has registered interest in the label namespace.
2031 *
2032 * @return 0 on success, Otherwise, return non-zero if an error occurs
2033 * while internalizing the label data.
2034 *
2035 */
2d21ac55
A		 2036typedef int mpo_mount_label_internalize_t(
2037 struct label *label,
2038 char *element_name,
2039 char *element_data
0a7de745 2040 );
2d21ac55 2041/**
0a7de745
A		 2042 * @brief Set the label on an IPv4 datagram fragment
2043 * @param datagram Datagram being fragmented
2044 * @param datagramlabel Policy label for datagram
2045 * @param fragment New fragment
2046 * @param fragmentlabel Policy label for fragment
2047 *
2048 * Called when an IPv4 datagram is fragmented into several smaller datagrams.
2049 * Policies implementing mbuf labels will typically copy the label from the
2050 * source datagram to the new fragment.
2051 */
2d21ac55
A		 2052typedef void mpo_netinet_fragment_t(
2053 struct mbuf *datagram,
2054 struct label *datagramlabel,
2055 struct mbuf *fragment,
2056 struct label *fragmentlabel
0a7de745 2057 );
2d21ac55 2058/**
0a7de745
A		 2059 * @brief Set the label on an ICMP reply
2060 * @param m mbuf containing the ICMP reply
2061 * @param mlabel Policy label for m
2062 *
2063 * A policy may wish to update the label of an mbuf that refers to
2064 * an ICMP packet being sent in response to an IP packet. This may
2065 * be called in response to a bad packet or an ICMP request.
2066 */
2d21ac55
A		 2067typedef void mpo_netinet_icmp_reply_t(
2068 struct mbuf *m,
2069 struct label *mlabel
0a7de745 2070 );
2d21ac55 2071/**
0a7de745
A		 2072 * @brief Set the label on a TCP reply
2073 * @param m mbuf containing the TCP reply
2074 * @param mlabel Policy label for m
2075 *
2076 * Called for outgoing TCP packets not associated with an actual socket.
2077 */
2d21ac55
A		 2078typedef void mpo_netinet_tcp_reply_t(
2079 struct mbuf *m,
2080 struct label *mlabel
0a7de745 2081 );
2d21ac55 2082/**
0a7de745
A		 2083 * @brief Access control check for pipe ioctl
2084 * @param cred Subject credential
2085 * @param cpipe Object to be accessed
2086 * @param pipelabel The label on the pipe
2087 * @param cmd The ioctl command; see ioctl(2)
2088 *
2089 * Determine whether the subject identified by the credential can perform
2090 * the ioctl operation indicated by cmd.
2091 *
2092 * @warning Since ioctl data is opaque from the standpoint of the MAC
2093 * framework, policies must exercise extreme care when implementing
2094 * access control checks.
2095 *
2096 * @return Return 0 if access is granted, otherwise an appropriate value for
2097 * errno should be returned.
2098 *
2099 */
2d21ac55
A		 2100typedef int mpo_pipe_check_ioctl_t(
2101 kauth_cred_t cred,
2102 struct pipe *cpipe,
2103 struct label *pipelabel,
2104 unsigned int cmd
0a7de745 2105 );
2d21ac55 2106/**
0a7de745
A		 2107 * @brief Access control check for pipe kqfilter
2108 * @param cred Subject credential
2109 * @param kn Object knote
2110 * @param cpipe Object to be accessed
2111 * @param pipelabel Policy label for the pipe
2112 *
2113 * Determine whether the subject identified by the credential can
2114 * receive the knote on the passed pipe.
2115 *
2116 * @return Return 0 if access if granted, otherwise an appropriate
2117 * value for errno should be returned.
2118 */
2d21ac55
A		 2119typedef int mpo_pipe_check_kqfilter_t(
2120 kauth_cred_t cred,
2121 struct knote *kn,
2122 struct pipe *cpipe,
2123 struct label *pipelabel
0a7de745 2124 );
2d21ac55 2125/**
0a7de745
A		 2126 * @brief Access control check for pipe relabel
2127 * @param cred Subject credential
2128 * @param cpipe Object to be accessed
2129 * @param pipelabel The current label on the pipe
2130 * @param newlabel The new label to be used
2131 *
2132 * Determine whether the subject identified by the credential can
2133 * perform a relabel operation on the passed pipe. The cred object holds
2134 * the credentials of the subject performing the operation.
2135 *
2136 * @return Return 0 if access is granted, otherwise an appropriate value for
2137 * errno should be returned.
2138 *
2139 */
2140typedef int mpo_pipe_check_label_update_t(
2141 kauth_cred_t cred,
2d21ac55
A		 2142 struct pipe *cpipe,
2143 struct label *pipelabel,
2144 struct label *newlabel
0a7de745 2145 );
2d21ac55 2146/**
0a7de745
A		 2147 * @brief Access control check for pipe read
2148 * @param cred Subject credential
2149 * @param cpipe Object to be accessed
2150 * @param pipelabel The label on the pipe
2151 *
2152 * Determine whether the subject identified by the credential can
2153 * perform a read operation on the passed pipe. The cred object holds
2154 * the credentials of the subject performing the operation.
2155 *
2156 * @return Return 0 if access is granted, otherwise an appropriate value for
2157 * errno should be returned.
2158 *
2159 */
2d21ac55
A		 2160typedef int mpo_pipe_check_read_t(
2161 kauth_cred_t cred,
2162 struct pipe *cpipe,
2163 struct label *pipelabel
0a7de745 2164 );
2d21ac55 2165/**
0a7de745
A		 2166 * @brief Access control check for pipe select
2167 * @param cred Subject credential
2168 * @param cpipe Object to be accessed
2169 * @param pipelabel The label on the pipe
2170 * @param which The operation selected on: FREAD or FWRITE
2171 *
2172 * Determine whether the subject identified by the credential can
2173 * perform a select operation on the passed pipe. The cred object holds
2174 * the credentials of the subject performing the operation.
2175 *
2176 * @return Return 0 if access is granted, otherwise an appropriate value for
2177 * errno should be returned.
2178 *
2179 */
2d21ac55
A		 2180typedef int mpo_pipe_check_select_t(
2181 kauth_cred_t cred,
2182 struct pipe *cpipe,
2183 struct label *pipelabel,
2184 int which
0a7de745 2185 );
2d21ac55 2186/**
0a7de745
A		 2187 * @brief Access control check for pipe stat
2188 * @param cred Subject credential
2189 * @param cpipe Object to be accessed
2190 * @param pipelabel The label on the pipe
2191 *
2192 * Determine whether the subject identified by the credential can
2193 * perform a stat operation on the passed pipe. The cred object holds
2194 * the credentials of the subject performing the operation.
2195 *
2196 * @return Return 0 if access is granted, otherwise an appropriate value for
2197 * errno should be returned.
2198 *
2199 */
2d21ac55
A		 2200typedef int mpo_pipe_check_stat_t(
2201 kauth_cred_t cred,
2202 struct pipe *cpipe,
2203 struct label *pipelabel
0a7de745 2204 );
2d21ac55 2205/**
0a7de745
A		 2206 * @brief Access control check for pipe write
2207 * @param cred Subject credential
2208 * @param cpipe Object to be accessed
2209 * @param pipelabel The label on the pipe
2210 *
2211 * Determine whether the subject identified by the credential can
2212 * perform a write operation on the passed pipe. The cred object holds
2213 * the credentials of the subject performing the operation.
2214 *
2215 * @return Return 0 if access is granted, otherwise an appropriate value for
2216 * errno should be returned.
2217 *
2218 */
2d21ac55
A		 2219typedef int mpo_pipe_check_write_t(
2220 kauth_cred_t cred,
2221 struct pipe *cpipe,
2222 struct label *pipelabel
0a7de745 2223 );
2d21ac55 2224/**
0a7de745
A		 2225 * @brief Create a pipe label
2226 * @param cred Subject credential
2227 * @param cpipe object to be labeled
2228 * @param pipelabel Label for the pipe object
2229 *
2230 * Create a label for the pipe object being created by the supplied
2231 * user credential. This call is made when the pipe is being created
2232 * XXXPIPE(for one or both sides of the pipe?).
2233 *
2234 */
2d21ac55
A		 2235typedef void mpo_pipe_label_associate_t(
2236 kauth_cred_t cred,
2237 struct pipe *cpipe,
2238 struct label *pipelabel
0a7de745 2239 );
2d21ac55 2240/**
0a7de745
A		 2241 * @brief Copy a pipe label
2242 * @param src Source pipe label
2243 * @param dest Destination pipe label
2244 *
2245 * Copy the pipe label associated with src to dest.
2246 * XXXPIPE Describe when this is used: most likely during pipe creation to
2247 * copy from rpipe to wpipe.
2248 */
2d21ac55
A		 2249typedef void mpo_pipe_label_copy_t(
2250 struct label *src,
2251 struct label *dest
0a7de745 2252 );
2d21ac55 2253/**
0a7de745
A		 2254 * @brief Destroy pipe label
2255 * @param label The label to be destroyed
2256 *
2257 * Destroy a pipe label. Since the object is going out of scope,
2258 * policy modules should free any internal storage associated with the
2259 * label so that it may be destroyed.
2260 */
2d21ac55
A		 2261typedef void mpo_pipe_label_destroy_t(
2262 struct label *label
0a7de745 2263 );
2d21ac55 2264/**
0a7de745
A		 2265 * @brief Externalize a pipe label
2266 * @param label Label to be externalized
2267 * @param element_name Name of the label namespace for which labels should be
2268 * externalized
2269 * @param sb String buffer to be filled with a text representation of the label
2270 *
2271 * Produce an external representation of the label on a pipe.
2272 * An externalized label consists of a text representation
2273 * of the label contents that can be used with user applications.
2274 * Policy-agnostic user space tools will display this externalized
2275 * version.
2276 *
2277 * The policy's externalize entry points will be called only if the
2278 * policy has registered interest in the label namespace.
2279 *
2280 * @return 0 on success, return non-zero if an error occurs while
2281 * externalizing the label data.
2282 *
2283 */
2d21ac55
A		 2284typedef int mpo_pipe_label_externalize_t(
2285 struct label *label,
2286 char *element_name,
2287 struct sbuf *sb
0a7de745 2288 );
2d21ac55 2289/**
0a7de745
A		 2290 * @brief Initialize pipe label
2291 * @param label New label to initialize
2292 *
2293 * Initialize label storage for use with a newly instantiated pipe object.
2294 * Sleeping is permitted.
2295 */
2d21ac55
A		 2296typedef void mpo_pipe_label_init_t(
2297 struct label *label
0a7de745 2298 );
2d21ac55 2299/**
0a7de745
A		 2300 * @brief Internalize a pipe label
2301 * @param label Label to be internalized
2302 * @param element_name Name of the label namespace for which the label should
2303 * be internalized
2304 * @param element_data Text data to be internalized
2305 *
2306 * Produce a pipe label from an external representation. An
2307 * externalized label consists of a text representation of the label
2308 * contents that can be used with user applications. Policy-agnostic
2309 * user space tools will forward text version to the kernel for
2310 * processing by individual policy modules.
2311 *
2312 * The policy's internalize entry points will be called only if the
2313 * policy has registered interest in the label namespace.
2314 *
2315 * @return 0 on success, Otherwise, return non-zero if an error occurs
2316 * while internalizing the label data.
2317 *
2318 */
2d21ac55
A		 2319typedef int mpo_pipe_label_internalize_t(
2320 struct label *label,
2321 char *element_name,
2322 char *element_data
0a7de745
A		 2323 );
2324/**
2325 * @brief Update a pipe label
2326 * @param cred Subject credential
2327 * @param cpipe Object to be labeled
2328 * @param oldlabel Existing pipe label
2329 * @param newlabel New label to replace existing label
2330 * @see mpo_pipe_check_label_update_t
2331 *
2332 * The subject identified by the credential has previously requested
2333 * and was authorized to relabel the pipe; this entry point allows
2334 * policies to perform the actual relabel operation. Policies should
2335 * update oldlabel using the label stored in the newlabel parameter.
2336 *
2337 */
2d21ac55
A		 2338typedef void mpo_pipe_label_update_t(
2339 kauth_cred_t cred,
2340 struct pipe *cpipe,
2341 struct label *oldlabel,
2342 struct label *newlabel
0a7de745 2343 );
2d21ac55 2344/**
0a7de745
A		 2345 * @brief Policy unload event
2346 * @param mpc MAC policy configuration
2347 *
2348 * This is the MAC Framework policy unload event. This entry point will
2349 * only be called if the module's policy configuration allows unload (if
2350 * the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't
2351 * want to be unloaded; they should set their flags to prevent this
2352 * entry point from being called.
2353 *
2354 * @warning During this call, the mac policy list mutex is held, so
2355 * sleep operations cannot be performed, and calls out to other kernel
2356 * subsystems must be made with caution.
2357 *
2358 * @see MPC_LOADTIME_FLAG_UNLOADOK
2359 */
2d21ac55
A		 2360typedef void mpo_policy_destroy_t(
2361 struct mac_policy_conf *mpc
0a7de745 2362 );
2d21ac55 2363/**
0a7de745
A		 2364 * @brief Policy initialization event
2365 * @param mpc MAC policy configuration
2366 * @see mac_policy_register
2367 * @see mpo_policy_initbsd_t
2368 *
2369 * This is the MAC Framework policy initialization event. This entry
2370 * point is called during mac_policy_register, when the policy module
2371 * is first registered with the MAC Framework. This is often done very
2372 * early in the boot process, after the kernel Mach subsystem has been
2373 * initialized, but prior to the BSD subsystem being initialized.
2374 * Since the kernel BSD services are not yet available, it is possible
2375 * that some initialization must occur later, possibly in the
2376 * mpo_policy_initbsd_t policy entry point, such as registering BSD system
2377 * controls (sysctls). Policy modules loaded at boot time will be
2378 * registered and initialized before labeled Mach objects are created.
2379 *
2380 * @warning During this call, the mac policy list mutex is held, so
2381 * sleep operations cannot be performed, and calls out to other kernel
2382 * subsystems must be made with caution.
2383 */
2d21ac55
A		 2384typedef void mpo_policy_init_t(
2385 struct mac_policy_conf *mpc
0a7de745 2386 );
2d21ac55 2387/**
0a7de745
A		 2388 * @brief Policy BSD initialization event
2389 * @param mpc MAC policy configuration
2390 * @see mpo_policy_init_t
2391 *
2392 * This entry point is called after the kernel BSD subsystem has been
2393 * initialized. By this point, the module should already be loaded,
2394 * registered, and initialized. Since policy modules are initialized
2395 * before kernel BSD services are available, this second initialization
2396 * phase is necessary. At this point, BSD services (memory management,
2397 * synchronization primitives, vfs, etc.) are available, but the first
2398 * process has not yet been created. Mach-related objects and tasks
2399 * will already be fully initialized and may be in use--policies requiring
2400 * ubiquitous labeling may also want to implement mpo_policy_init_t.
2401 *
2402 * @warning During this call, the mac policy list mutex is held, so
2403 * sleep operations cannot be performed, and calls out to other kernel
2404 * subsystems must be made with caution.
2405 */
2d21ac55
A		 2406typedef void mpo_policy_initbsd_t(
2407 struct mac_policy_conf *mpc
0a7de745 2408 );
2d21ac55 2409/**
0a7de745
A		 2410 * @brief Policy extension service
2411 * @param p Calling process
2412 * @param call Policy-specific syscall number
2413 * @param arg Pointer to syscall arguments
2414 *
2415 * This entry point provides a policy-multiplexed system call so that
2416 * policies may provide additional services to user processes without
2417 * registering specific system calls. The policy name provided during
2418 * registration is used to demux calls from userland, and the arguments
2419 * will be forwarded to this entry point. When implementing new
2420 * services, security modules should be sure to invoke appropriate
2421 * access control checks from the MAC framework as needed. For
2422 * example, if a policy implements an augmented signal functionality,
2423 * it should call the necessary signal access control checks to invoke
2424 * the MAC framework and other registered policies.
2425 *
2426 * @warning Since the format and contents of the policy-specific
2427 * arguments are unknown to the MAC Framework, modules must perform the
2428 * required copyin() of the syscall data on their own. No policy
2429 * mediation is performed, so policies must perform any necessary
2430 * access control checks themselves. If multiple policies are loaded,
2431 * they will currently be unable to mediate calls to other policies.
2432 *
2433 * @return In the event of an error, an appropriate value for errno
2434 * should be returned, otherwise return 0 upon success.
2435 */
2d21ac55
A		 2436typedef int mpo_policy_syscall_t(
2437 struct proc *p,
2438 int call,
2439 user_addr_t arg
0a7de745 2440 );
2d21ac55 2441/**
0a7de745
A		 2442 * @brief Access control check for POSIX semaphore create
2443 * @param cred Subject credential
2444 * @param name String name of the semaphore
2445 *
2446 * Determine whether the subject identified by the credential can create
2447 * a POSIX semaphore specified by name.
2448 *
2449 * @return Return 0 if access is granted, otherwise an appropriate value for
2450 * errno should be returned.
2451 */
2d21ac55
A		 2452typedef int mpo_posixsem_check_create_t(
2453 kauth_cred_t cred,
2454 const char *name
0a7de745 2455 );
2d21ac55 2456/**
0a7de745
A		 2457 * @brief Access control check for POSIX semaphore open
2458 * @param cred Subject credential
2459 * @param ps Pointer to semaphore information structure
2460 * @param semlabel Label associated with the semaphore
2461 *
2462 * Determine whether the subject identified by the credential can open
2463 * the named POSIX semaphore with label semlabel.
2464 *
2465 * @return Return 0 if access is granted, otherwise an appropriate value for
2466 * errno should be returned.
2467 */
2d21ac55
A		 2468typedef int mpo_posixsem_check_open_t(
2469 kauth_cred_t cred,
2470 struct pseminfo *ps,
2471 struct label *semlabel
0a7de745 2472 );
2d21ac55 2473/**
0a7de745
A		 2474 * @brief Access control check for POSIX semaphore post
2475 * @param cred Subject credential
2476 * @param ps Pointer to semaphore information structure
2477 * @param semlabel Label associated with the semaphore
2478 *
2479 * Determine whether the subject identified by the credential can unlock
2480 * the named POSIX semaphore with label semlabel.
2481 *
2482 * @return Return 0 if access is granted, otherwise an appropriate value for
2483 * errno should be returned.
2484 */
2d21ac55
A		 2485typedef int mpo_posixsem_check_post_t(
2486 kauth_cred_t cred,
2487 struct pseminfo *ps,
2488 struct label *semlabel
0a7de745 2489 );
2d21ac55 2490/**
0a7de745
A		 2491 * @brief Access control check for POSIX semaphore unlink
2492 * @param cred Subject credential
2493 * @param ps Pointer to semaphore information structure
2494 * @param semlabel Label associated with the semaphore
2495 * @param name String name of the semaphore
2496 *
2497 * Determine whether the subject identified by the credential can remove
2498 * the named POSIX semaphore with label semlabel.
2499 *
2500 * @return Return 0 if access is granted, otherwise an appropriate value for
2501 * errno should be returned.
2502 */
2d21ac55
A		 2503typedef int mpo_posixsem_check_unlink_t(
2504 kauth_cred_t cred,
2505 struct pseminfo *ps,
2506 struct label *semlabel,
2507 const char *name
0a7de745 2508 );
2d21ac55 2509/**
0a7de745
A		 2510 * @brief Access control check for POSIX semaphore wait
2511 * @param cred Subject credential
2512 * @param ps Pointer to semaphore information structure
2513 * @param semlabel Label associated with the semaphore
2514 *
2515 * Determine whether the subject identified by the credential can lock
2516 * the named POSIX semaphore with label semlabel.
2517 *
2518 * @return Return 0 if access is granted, otherwise an appropriate value for
2519 * errno should be returned.
2520 */
2d21ac55
A		 2521typedef int mpo_posixsem_check_wait_t(
2522 kauth_cred_t cred,
2523 struct pseminfo *ps,
2524 struct label *semlabel
0a7de745 2525 );
2d21ac55 2526/**
0a7de745
A		 2527 * @brief Create a POSIX semaphore label
2528 * @param cred Subject credential
2529 * @param ps Pointer to semaphore information structure
2530 * @param semlabel Label to associate with the new semaphore
2531 * @param name String name of the semaphore
2532 *
2533 * Label a new POSIX semaphore. The label was previously
2534 * initialized and associated with the semaphore. At this time, an
2535 * appropriate initial label value should be assigned to the object and
2536 * stored in semalabel.
2537 */
2d21ac55
A		 2538typedef void mpo_posixsem_label_associate_t(
2539 kauth_cred_t cred,
2540 struct pseminfo *ps,
2541 struct label *semlabel,
2542 const char *name
0a7de745 2543 );
2d21ac55 2544/**
0a7de745
A		 2545 * @brief Destroy POSIX semaphore label
2546 * @param label The label to be destroyed
2547 *
2548 * Destroy a POSIX semaphore label. Since the object is
2549 * going out of scope, policy modules should free any internal storage
2550 * associated with the label so that it may be destroyed.
2551 */
2d21ac55
A		 2552typedef void mpo_posixsem_label_destroy_t(
2553 struct label *label
0a7de745 2554 );
2d21ac55 2555/**
0a7de745
A		 2556 * @brief Initialize POSIX semaphore label
2557 * @param label New label to initialize
2558 *
2559 * Initialize the label for a newly instantiated POSIX semaphore. Sleeping
2560 * is permitted.
2561 */
2d21ac55
A		 2562typedef void mpo_posixsem_label_init_t(
2563 struct label *label
0a7de745 2564 );
2d21ac55 2565/**
0a7de745
A		 2566 * @brief Access control check for POSIX shared memory region create
2567 * @param cred Subject credential
2568 * @param name String name of the shared memory region
2569 *
2570 * Determine whether the subject identified by the credential can create
2571 * the POSIX shared memory region referenced by name.
2572 *
2573 * @return Return 0 if access is granted, otherwise an appropriate value for
2574 * errno should be returned.
2575 */
2d21ac55
A		 2576typedef int mpo_posixshm_check_create_t(
2577 kauth_cred_t cred,
2578 const char *name
0a7de745
A		 2579 );
2580/**
2581 * @brief Access control check for mapping POSIX shared memory
2582 * @param cred Subject credential
2583 * @param ps Pointer to shared memory information structure
2584 * @param shmlabel Label associated with the shared memory region
2585 * @param prot mmap protections; see mmap(2)
2586 * @param flags shmat flags; see shmat(2)
2587 *
2588 * Determine whether the subject identified by the credential can map
2589 * the POSIX shared memory segment associated with shmlabel.
2590 *
2591 * @return Return 0 if access is granted, otherwise an appropriate value for
2592 * errno should be returned.
2593 */
2d21ac55
A		 2594typedef int mpo_posixshm_check_mmap_t(
2595 kauth_cred_t cred,
2596 struct pshminfo *ps,
2597 struct label *shmlabel,
2598 int prot,
2599 int flags
0a7de745 2600 );
2d21ac55 2601/**
0a7de745
A		 2602 * @brief Access control check for POSIX shared memory region open
2603 * @param cred Subject credential
2604 * @param ps Pointer to shared memory information structure
2605 * @param shmlabel Label associated with the shared memory region
2606 * @param fflags shm_open(2) open flags ('fflags' encoded)
2607 *
2608 * Determine whether the subject identified by the credential can open
2609 * the POSIX shared memory region.
2610 *
2611 * @return Return 0 if access is granted, otherwise an appropriate value for
2612 * errno should be returned.
2613 */
2d21ac55
A		 2614typedef int mpo_posixshm_check_open_t(
2615 kauth_cred_t cred,
2616 struct pshminfo *ps,
316670eb
A		 2617 struct label *shmlabel,
2618 int fflags
0a7de745 2619 );
2d21ac55 2620/**
0a7de745
A		 2621 * @brief Access control check for POSIX shared memory stat
2622 * @param cred Subject credential
2623 * @param ps Pointer to shared memory information structure
2624 * @param shmlabel Label associated with the shared memory region
2625 *
2626 * Determine whether the subject identified by the credential can obtain
2627 * status for the POSIX shared memory segment associated with shmlabel.
2628 *
2629 * @return Return 0 if access is granted, otherwise an appropriate value for
2630 * errno should be returned.
2631 */
2d21ac55
A		 2632typedef int mpo_posixshm_check_stat_t(
2633 kauth_cred_t cred,
2634 struct pshminfo *ps,
2635 struct label *shmlabel
0a7de745 2636 );
2d21ac55 2637/**
0a7de745
A		 2638 * @brief Access control check for POSIX shared memory truncate
2639 * @param cred Subject credential
2640 * @param ps Pointer to shared memory information structure
2641 * @param shmlabel Label associated with the shared memory region
2642 * @param len Length to truncate or extend shared memory segment
2643 *
2644 * Determine whether the subject identified by the credential can truncate
2645 * or extend (to len) the POSIX shared memory segment associated with shmlabel.
2646 *
2647 * @return Return 0 if access is granted, otherwise an appropriate value for
2648 * errno should be returned.
2649 */
2d21ac55
A		 2650typedef int mpo_posixshm_check_truncate_t(
2651 kauth_cred_t cred,
2652 struct pshminfo *ps,
2653 struct label *shmlabel,
6d2010ae 2654 off_t len
0a7de745 2655 );
2d21ac55 2656/**
0a7de745
A		 2657 * @brief Access control check for POSIX shared memory unlink
2658 * @param cred Subject credential
2659 * @param ps Pointer to shared memory information structure
2660 * @param shmlabel Label associated with the shared memory region
2661 * @param name String name of the shared memory region
2662 *
2663 * Determine whether the subject identified by the credential can delete
2664 * the POSIX shared memory segment associated with shmlabel.
2665 *
2666 * @return Return 0 if access is granted, otherwise an appropriate value for
2667 * errno should be returned.
2668 */
2d21ac55
A		 2669typedef int mpo_posixshm_check_unlink_t(
2670 kauth_cred_t cred,
2671 struct pshminfo *ps,
2672 struct label *shmlabel,
2673 const char *name
0a7de745 2674 );
2d21ac55 2675/**
0a7de745
A		 2676 * @brief Create a POSIX shared memory region label
2677 * @param cred Subject credential
2678 * @param ps Pointer to shared memory information structure
2679 * @param shmlabel Label to associate with the new shared memory region
2680 * @param name String name of the shared memory region
2681 *
2682 * Label a new POSIX shared memory region. The label was previously
2683 * initialized and associated with the shared memory region. At this
2684 * time, an appropriate initial label value should be assigned to the
2685 * object and stored in shmlabel.
2686 */
2d21ac55
A		 2687typedef void mpo_posixshm_label_associate_t(
2688 kauth_cred_t cred,
2689 struct pshminfo *ps,
2690 struct label *shmlabel,
2691 const char *name
0a7de745 2692 );
2d21ac55 2693/**
0a7de745
A		 2694 * @brief Destroy POSIX shared memory label
2695 * @param label The label to be destroyed
2696 *
2697 * Destroy a POSIX shared memory region label. Since the
2698 * object is going out of scope, policy modules should free any
2699 * internal storage associated with the label so that it may be
2700 * destroyed.
2701 */
2d21ac55
A		 2702typedef void mpo_posixshm_label_destroy_t(
2703 struct label *label
0a7de745 2704 );
2d21ac55 2705/**
0a7de745
A		 2706 * @brief Initialize POSIX Shared Memory region label
2707 * @param label New label to initialize
2708 *
2709 * Initialize the label for newly a instantiated POSIX Shared Memory
2710 * region. Sleeping is permitted.
2711 */
2d21ac55
A		 2712typedef void mpo_posixshm_label_init_t(
2713 struct label *label
0a7de745 2714 );
6d2010ae 2715/**
0a7de745
A		 2716 * @brief Access control check for privileged operations
2717 * @param cred Subject credential
2718 * @param priv Requested privilege (see sys/priv.h)
2719 *
2720 * Determine whether the subject identified by the credential can perform
2721 * a privileged operation. Privileged operations are allowed if the cred
2722 * is the superuser or any policy returns zero for mpo_priv_grant, unless
2723 * any policy returns nonzero for mpo_priv_check.
2724 *
2725 * @return Return 0 if access is granted, otherwise EPERM should be returned.
2726 */
6d2010ae
A		 2727typedef int mpo_priv_check_t(
2728 kauth_cred_t cred,
2729 int priv
0a7de745 2730 );
6d2010ae 2731/**
0a7de745
A		 2732 * @brief Grant regular users the ability to perform privileged operations
2733 * @param cred Subject credential
2734 * @param priv Requested privilege (see sys/priv.h)
2735 *
2736 * Determine whether the subject identified by the credential should be
2737 * allowed to perform a privileged operation that in the absense of any
2738 * MAC policy it would not be able to perform. Privileged operations are
2739 * allowed if the cred is the superuser or any policy returns zero for
2740 * mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check.
2741 *
2742 * Unlike other MAC hooks which can only reduce the privilege of a
2743 * credential, this hook raises the privilege of a credential when it
2744 * returns 0. Extreme care must be taken when implementing this hook to
2745 * avoid undermining the security of the system.
2746 *
2747 * @return Return 0 if additional privilege is granted, otherwise EPERM
2748 * should be returned.
2749 */
6d2010ae
A		 2750typedef int mpo_priv_grant_t(
2751 kauth_cred_t cred,
2752 int priv
0a7de745 2753 );
2d21ac55 2754/**
0a7de745
A		 2755 * @brief Access control check for debugging process
2756 * @param cred Subject credential
2757 * @param proc Object process
2758 *
2759 * Determine whether the subject identified by the credential can debug
2760 * the passed process. This call may be made in a number of situations,
2761 * including use of the ptrace(2) and ktrace(2) APIs, as well as for some
2762 * types of procfs operations.
2763 *
2764 * @return Return 0 if access is granted, otherwise an appropriate value for
2765 * errno should be returned. Suggested failure: EACCES for label mismatch,
2766 * EPERM for lack of privilege, or ESRCH to hide visibility of the target.
2767 */
2d21ac55
A		 2768typedef int mpo_proc_check_debug_t(
2769 kauth_cred_t cred,
2770 struct proc *proc
0a7de745 2771 );
2d21ac55 2772/**
0a7de745
A		 2773 * @brief Access control over fork
2774 * @param cred Subject credential
2775 * @param proc Subject process trying to fork
2776 *
2777 * Determine whether the subject identified is allowed to fork.
2778 *
2779 * @return Return 0 if access is granted, otherwise an appropriate value for
2780 * errno should be returned.
2781 */
2d21ac55
A		 2782typedef int mpo_proc_check_fork_t(
2783 kauth_cred_t cred,
2784 struct proc *proc
0a7de745 2785 );
3e170ce0 2786/**
0a7de745
A		 2787 * @brief Access control check for setting host special ports.
2788 * @param cred Subject credential
2789 * @param id The host special port to set
2790 * @param port The new value to set for the special port
2791 *
2792 * @return Return 0 if access is granted, otherwise an appropriate value for
2793 * errno should be returned.
2794 */
3e170ce0
A		 2795typedef int mpo_proc_check_set_host_special_port_t(
2796 kauth_cred_t cred,
2797 int id,
0a7de745
A		 2798 struct ipc_port *port
2799 );
3e170ce0 2800/**
0a7de745
A		 2801 * @brief Access control check for setting host exception ports.
2802 * @param cred Subject credential
2803 * @param exception Exception port to set
2804 *
2805 * @return Return 0 if access is granted, otherwise an appropriate value for
2806 * errno should be returned.
2807 */
3e170ce0
A		 2808typedef int mpo_proc_check_set_host_exception_port_t(
2809 kauth_cred_t cred,
2810 unsigned int exception
0a7de745 2811 );
d1ecb069 2812/**
0a7de745
A		 2813 * @brief Access control over pid_suspend and pid_resume
2814 * @param cred Subject credential
2815 * @param proc Subject process trying to run pid_suspend or pid_resume
2816 * @param sr Call is suspend (0) or resume (1)
2817 *
2818 * Determine whether the subject identified is allowed to suspend or resume
2819 * other processes.
2820 *
2821 * @return Return 0 if access is granted, otherwise an appropriate value for
2822 * errno should be returned.
2823 */
d1ecb069
A		 2824typedef int mpo_proc_check_suspend_resume_t(
2825 kauth_cred_t cred,
2826 struct proc *proc,
2827 int sr
0a7de745 2828 );
2d21ac55 2829/**
0a7de745
A		 2830 * @brief Access control check for retrieving audit information
2831 * @param cred Subject credential
2832 *
2833 * Determine whether the subject identified by the credential can get
2834 * audit information such as the audit user ID, the preselection mask,
2835 * the terminal ID and the audit session ID, using the getaudit() system call.
2836 *
2837 * @return Return 0 if access is granted, otherwise an appropriate value for
2838 * errno should be returned.
2839 */
2d21ac55
A		 2840typedef int mpo_proc_check_getaudit_t(
2841 kauth_cred_t cred
0a7de745 2842 );
2d21ac55 2843/**
0a7de745
A		 2844 * @brief Access control check for retrieving audit user ID
2845 * @param cred Subject credential
2846 *
2847 * Determine whether the subject identified by the credential can get
2848 * the user identity being used by the auditing system, using the getauid()
2849 * system call.
2850 *
2851 * @return Return 0 if access is granted, otherwise an appropriate value for
2852 * errno should be returned.
2853 */
2d21ac55
A		 2854typedef int mpo_proc_check_getauid_t(
2855 kauth_cred_t cred
0a7de745 2856 );
2d21ac55 2857/**
0a7de745
A		 2858 * @brief Access control check for retrieving Login Context ID
2859 * @param p0 Calling process
2860 * @param p Effected process
2861 * @param pid syscall PID argument
2862 *
2863 * Determine if getlcid(2) system call is permitted.
2864 *
2865 * Information returned by this system call is similar to that returned via
2866 * process listings etc.
2867 *
2868 * @return Return 0 if access is granted, otherwise an appropriate value for
2869 * errno should be returned.
2870 */
2d21ac55
A		 2871typedef int mpo_proc_check_getlcid_t(
2872 struct proc *p0,
2873 struct proc *p,
2874 pid_t pid
0a7de745 2875 );
316670eb 2876/**
0a7de745
A		 2877 * @brief Access control check for retrieving ledger information
2878 * @param cred Subject credential
2879 * @param target Object process
2880 * @param op ledger operation
2881 *
2882 * Determine if ledger(2) system call is permitted.
2883 *
2884 * Information returned by this system call is similar to that returned via
2885 * process listings etc.
2886 *
2887 * @return Return 0 if access is granted, otherwise an appropriate value for
2888 * errno should be returned.
2889 */
316670eb
A		 2890typedef int mpo_proc_check_ledger_t(
2891 kauth_cred_t cred,
2892 struct proc *target,
2893 int op
0a7de745 2894 );
39236c6e 2895/**
0a7de745
A		 2896 * @brief Access control check for retrieving process information.
2897 * @param cred Subject credential
2898 * @param target Target process (may be null, may be zombie)
2899 *
2900 * Determine if a credential has permission to access process information as defined
2901 * by call number and flavor on target process
2902 *
2903 * @return Return 0 if access is granted, otherwise an appropriate value for
2904 * errno should be returned.
2905 */
39236c6e
A		 2906typedef int mpo_proc_check_proc_info_t(
2907 kauth_cred_t cred,
2908 struct proc *target,
2909 int callnum,
2910 int flavor
0a7de745 2911 );
7e41aa88 2912/**
0a7de745
A		 2913 * @brief Access control check for retrieving code signing information.
2914 * @param cred Subject credential
2915 * @param target Target process
2916 * @param op Code signing operation being performed
2917 *
2918 * Determine whether the subject identified by the credential should be
2919 * allowed to get code signing information about the target process.
2920 *
2921 * @return Return 0 if access is granted, otherwise an appropriate value for
2922 * errno should be returned.
2923 */
7e41aa88
A		 2924typedef int mpo_proc_check_get_cs_info_t(
2925 kauth_cred_t cred,
2926 struct proc *target,
2927 unsigned int op
0a7de745 2928 );
7e41aa88 2929/**
0a7de745
A		 2930 * @brief Access control check for setting code signing information.
2931 * @param cred Subject credential
2932 * @param target Target process
2933 * @param op Code signing operation being performed.
2934 *
2935 * Determine whether the subject identified by the credential should be
2936 * allowed to set code signing information about the target process.
2937 *
2938 * @return Return 0 if permission is granted, otherwise an appropriate
2939 * value of errno should be returned.
2940 */
7e41aa88
A		 2941typedef int mpo_proc_check_set_cs_info_t(
2942 kauth_cred_t cred,
2943 struct proc *target,
2944 unsigned int op
0a7de745
A		 2945 );
2946/**
2947 * @brief Access control check for mmap MAP_ANON
2948 * @param proc User process requesting the memory
2949 * @param cred Subject credential
2950 * @param u_addr Start address of the memory range
2951 * @param u_size Length address of the memory range
2952 * @param prot mmap protections; see mmap(2)
2953 * @param flags Type of mapped object; see mmap(2)
2954 * @param maxprot Maximum rights
2955 *
2956 * Determine whether the subject identified by the credential should be
2957 * allowed to obtain anonymous memory using the specified flags and
2958 * protections on the new mapping. MAP_ANON will always be present in the
2959 * flags. Certain combinations of flags with a non-NULL addr may
2960 * cause a mapping to be rejected before this hook is called. The maxprot field
2961 * holds the maximum permissions on the new mapping, a combination of
2962 * VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior
2963 * access control checks, a policy should only remove flags from maxprot.
2964 *
2965 * @return Return 0 if access is granted, otherwise an appropriate value for
2966 * errno should be returned. Suggested failure: EPERM for lack of privilege.
2967 */
6d2010ae
A		 2968typedef int mpo_proc_check_map_anon_t(
2969 struct proc *proc,
2970 kauth_cred_t cred,
2971 user_addr_t u_addr,
2972 user_size_t u_size,
2973 int prot,
2974 int flags,
2975 int *maxprot
0a7de745
A		 2976 );
2977/**
2978 * @brief Access control check for setting memory protections
2979 * @param cred Subject credential
2980 * @param proc User process requesting the change
2981 * @param addr Start address of the memory range
2982 * @param size Length address of the memory range
2983 * @param prot Memory protections, see mmap(2)
2984 *
2985 * Determine whether the subject identified by the credential should
2986 * be allowed to set the specified memory protections on memory mapped
2987 * in the process proc.
2988 *
2989 * @return Return 0 if access is granted, otherwise an appropriate value for
2990 * errno should be returned.
2991 */
2d21ac55
A		 2992typedef int mpo_proc_check_mprotect_t(
2993 kauth_cred_t cred,
2994 struct proc *proc,
2995 user_addr_t addr,
2996 user_size_t size,
2997 int prot
0a7de745 2998 );
2d21ac55 2999/**
0a7de745
A		 3000 * @brief Access control check for changing scheduling parameters
3001 * @param cred Subject credential
3002 * @param proc Object process
3003 *
3004 * Determine whether the subject identified by the credential can change
3005 * the scheduling parameters of the passed process.
3006 *
3007 * @return Return 0 if access is granted, otherwise an appropriate value for
3008 * errno should be returned. Suggested failure: EACCES for label mismatch,
3009 * EPERM for lack of privilege, or ESRCH to limit visibility.
3010 */
2d21ac55
A		 3011typedef int mpo_proc_check_sched_t(
3012 kauth_cred_t cred,
3013 struct proc *proc
0a7de745 3014 );
2d21ac55 3015/**
0a7de745
A		 3016 * @brief Access control check for setting audit information
3017 * @param cred Subject credential
3018 * @param ai Audit information
3019 *
3020 * Determine whether the subject identified by the credential can set
3021 * audit information such as the the preselection mask, the terminal ID
3022 * and the audit session ID, using the setaudit() system call.
3023 *
3024 * @return Return 0 if access is granted, otherwise an appropriate value for
3025 * errno should be returned.
3026 */
2d21ac55
A		 3027typedef int mpo_proc_check_setaudit_t(
3028 kauth_cred_t cred,
b0d623f7 3029 struct auditinfo_addr *ai
0a7de745 3030 );
2d21ac55 3031/**
0a7de745
A		 3032 * @brief Access control check for setting audit user ID
3033 * @param cred Subject credential
3034 * @param auid Audit user ID
3035 *
3036 * Determine whether the subject identified by the credential can set
3037 * the user identity used by the auditing system, using the setauid()
3038 * system call.
3039 *
3040 * @return Return 0 if access is granted, otherwise an appropriate value for
3041 * errno should be returned.
3042 */
2d21ac55
A		 3043typedef int mpo_proc_check_setauid_t(
3044 kauth_cred_t cred,
3045 uid_t auid
0a7de745 3046 );
2d21ac55 3047/**
0a7de745
A		 3048 * @brief Access control check for setting the Login Context
3049 * @param p0 Calling process
3050 * @param p Effected process
3051 * @param pid syscall PID argument
3052 * @param lcid syscall LCID argument
3053 *
3054 * Determine if setlcid(2) system call is permitted.
3055 *
3056 * See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of
3057 * decoding syscall arguments to determine action desired by caller.
3058 *
3059 * Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN
3060 *
3061 * @return Return 0 if access is granted, otherwise an appropriate value for
3062 * errno should be returned.
3063 */
2d21ac55
A		 3064typedef int mpo_proc_check_setlcid_t(
3065 struct proc *p0,
3066 struct proc *p,
3067 pid_t pid,
3068 pid_t lcid
0a7de745 3069 );
2d21ac55 3070/**
0a7de745
A		 3071 * @brief Access control check for delivering signal
3072 * @param cred Subject credential
3073 * @param proc Object process
3074 * @param signum Signal number; see kill(2)
3075 *
3076 * Determine whether the subject identified by the credential can deliver
3077 * the passed signal to the passed process.
3078 *
3079 * @warning Programs typically expect to be able to send and receive
3080 * signals as part or their normal process lifecycle; caution should be
3081 * exercised when implementing access controls over signal events.
3082 *
3083 * @return Return 0 if access is granted, otherwise an appropriate value for
3084 * errno should be returned. Suggested failure: EACCES for label mismatch,
3085 * EPERM for lack of privilege, or ESRCH to limit visibility.
3086 */
2d21ac55
A		 3087typedef int mpo_proc_check_signal_t(
3088 kauth_cred_t cred,
3089 struct proc *proc,
3090 int signum
0a7de745 3091 );
cb323159
A		 3092/**
3093 * @brief Access control check for Unix syscalls.
3094 * @param proc Subject process
3095 * @param scnum Syscall number; see bsd/kern/syscalls.master.
3096 *
3097 * Determine whether the subject process can perform the passed syscall (number).
3098 *
3099 * @warning Programs typically expect to be able to make syscalls as part of
3100 * their normal process lifecycle; caution should be exercised when restricting
3101 * which syscalls a process can perform.
3102 *
3103 * @return Return 0 if access is granted, otherwise an appropriate value for
3104 * errno should be returned. Suggested failure: EPERM for lack of privilege.
3105 */
3106typedef int mpo_proc_check_syscall_unix_t(
3107 struct proc *proc,
3108 int scnum
3109 );
2d21ac55 3110/**
0a7de745
A		 3111 * @brief Access control check for wait
3112 * @param cred Subject credential
3113 * @param proc Object process
3114 *
3115 * Determine whether the subject identified by the credential can wait
3116 * for process termination.
3117 *
3118 * @warning Caution should be exercised when implementing access
3119 * controls for wait, since programs often wait for child processes to
3120 * exit. Failure to be notified of a child process terminating may
3121 * cause the parent process to hang, or may produce zombie processes.
3122 *
3123 * @return Return 0 if access is granted, otherwise an appropriate value for
3124 * errno should be returned.
3125 */
2d21ac55
A		 3126typedef int mpo_proc_check_wait_t(
3127 kauth_cred_t cred,
3128 struct proc *proc
0a7de745 3129 );
5ba3f43e 3130/**
0a7de745
A		 3131 * @brief Inform MAC policies that a process has exited.
3132 * @param proc Object process
3133 *
3134 * Called after all of the process's threads have terminated and
3135 * it has been removed from the process list. KPI that identifies
3136 * the process by pid will fail to find the process; KPI that
3137 * identifies the process by the object process pointer functions
3138 * normally. proc_exiting() returns true for the object process.
3139 */
5ba3f43e
A		 3140typedef void mpo_proc_notify_exit_t(
3141 struct proc *proc
0a7de745 3142 );
0a7de745
A		 3143/**
3144 * @brief Access control check for skywalk flow connect
3145 * @param cred Subject credential
3146 * @param flow Flow object
3147 * @param addr Remote address for flow to send data to
3148 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM)
3149 * @param protocol Network protocol (e.g. IPPROTO_TCP)
3150 *
3151 * Determine whether the subject identified by the credential can
3152 * create a flow for sending data to the remote host specified by
3153 * addr.
3154 *
3155 * @return Return 0 if access if granted, otherwise an appropriate
3156 * value for errno should be returned.
3157 */
5ba3f43e
A		 3158typedef int mpo_skywalk_flow_check_connect_t(
3159 kauth_cred_t cred,
3160 void *flow,
3161 const struct sockaddr *addr,
3162 int type,
3163 int protocol
0a7de745
A		 3164 );
3165/**
3166 * @brief Access control check for skywalk flow listen
3167 * @param cred Subject credential
3168 * @param flow Flow object
3169 * @param addr Local address for flow to listen on
3170 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM)
3171 * @param protocol Network protocol (e.g. IPPROTO_TCP)
3172 *
3173 * Determine whether the subject identified by the credential can
3174 * create a flow for receiving data on the local address specified
3175 * by addr.
3176 *
3177 * @return Return 0 if access if granted, otherwise an appropriate
3178 * value for errno should be returned.
3179 */
5ba3f43e
A		 3180typedef int mpo_skywalk_flow_check_listen_t(
3181 kauth_cred_t cred,
3182 void *flow,
3183 const struct sockaddr *addr,
3184 int type,
3185 int protocol
0a7de745 3186 );
2d21ac55 3187/**
0a7de745
A		 3188 * @brief Access control check for socket accept
3189 * @param cred Subject credential
3190 * @param so Object socket
3191 * @param socklabel Policy label for socket
3192 *
3193 * Determine whether the subject identified by the credential can accept()
3194 * a new connection on the socket from the host specified by addr.
3195 *
3196 * @return Return 0 if access if granted, otherwise an appropriate
3197 * value for errno should be returned.
3198 */
2d21ac55
A		 3199typedef int mpo_socket_check_accept_t(
3200 kauth_cred_t cred,
3201 socket_t so,
3202 struct label *socklabel
0a7de745 3203 );
2d21ac55 3204/**
0a7de745
A		 3205 * @brief Access control check for a pending socket accept
3206 * @param cred Subject credential
3207 * @param so Object socket
3208 * @param socklabel Policy label for socket
3209 * @param addr Address of the listening socket (coming soon)
3210 *
3211 * Determine whether the subject identified by the credential can accept()
3212 * a pending connection on the socket from the host specified by addr.
3213 *
3214 * @return Return 0 if access if granted, otherwise an appropriate
3215 * value for errno should be returned.
3216 */
2d21ac55
A		 3217typedef int mpo_socket_check_accepted_t(
3218 kauth_cred_t cred,
3219 socket_t so,
3220 struct label *socklabel,
3221 struct sockaddr *addr
0a7de745 3222 );
2d21ac55 3223/**
0a7de745
A		 3224 * @brief Access control check for socket bind
3225 * @param cred Subject credential
3226 * @param so Object socket
3227 * @param socklabel Policy label for socket
3228 * @param addr Name to assign to the socket
3229 *
3230 * Determine whether the subject identified by the credential can bind()
3231 * the name (addr) to the socket.
3232 *
3233 * @return Return 0 if access if granted, otherwise an appropriate
3234 * value for errno should be returned.
3235 */
2d21ac55
A		 3236typedef int mpo_socket_check_bind_t(
3237 kauth_cred_t cred,
3238 socket_t so,
3239 struct label *socklabel,
3240 struct sockaddr *addr
0a7de745 3241 );
2d21ac55 3242/**
0a7de745
A		 3243 * @brief Access control check for socket connect
3244 * @param cred Subject credential
3245 * @param so Object socket
3246 * @param socklabel Policy label for socket
3247 * @param addr Name to assign to the socket
3248 *
3249 * Determine whether the subject identified by the credential can
3250 * connect() the passed socket to the remote host specified by addr.
3251 *
3252 * @return Return 0 if access if granted, otherwise an appropriate
3253 * value for errno should be returned.
3254 */
2d21ac55
A		 3255typedef int mpo_socket_check_connect_t(
3256 kauth_cred_t cred,
3257 socket_t so,
3258 struct label *socklabel,
3259 struct sockaddr *addr
0a7de745 3260 );
2d21ac55 3261/**
0a7de745
A		 3262 * @brief Access control check for socket() system call.
3263 * @param cred Subject credential
3264 * @param domain communication domain
3265 * @param type socket type
3266 * @param protocol socket protocol
3267 *
3268 * Determine whether the subject identified by the credential can
3269 * make the socket() call.
3270 *
3271 * @return Return 0 if access if granted, otherwise an appropriate
3272 * value for errno should be returned.
3273 */
2d21ac55
A		 3274typedef int mpo_socket_check_create_t(
3275 kauth_cred_t cred,
3276 int domain,
3277 int type,
3278 int protocol
0a7de745 3279 );
2d21ac55 3280/**
0a7de745
A		 3281 * @brief Access control check for delivering data to a user's receieve queue
3282 * @param so The socket data is being delivered to
3283 * @param so_label The label of so
3284 * @param m The mbuf whose data will be deposited into the receive queue
3285 * @param m_label The label of the sender of the data.
3286 *
3287 * A socket has a queue for receiving incoming data. When a packet arrives
3288 * on the wire, it eventually gets deposited into this queue, which the
3289 * owner of the socket drains when they read from the socket's file descriptor.
3290 *
3291 * This function determines whether the socket can receive data from
3292 * the sender specified by m_label.
3293 *
3294 * @warning There is an outstanding design issue surrounding the placement
3295 * of this function. The check must be placed either before or after the
3296 * TCP sequence and ACK counters are updated. Placing the check before
3297 * the counters are updated causes the incoming packet to be resent by
3298 * the remote if the check rejects it. Placing the check after the counters
3299 * are updated results in a completely silent drop. As far as each TCP stack
3300 * is concerned the packet was received, however, the data will not be in the
3301 * socket's receive queue. Another consideration is that the current design
3302 * requires using the "failed label" occasionally. In that case, on rejection,
3303 * we want the remote TCP to resend the data. Because of this, we chose to
3304 * place this check before the counters are updated, so rejected packets will be
3305 * resent by the remote host.
3306 *
3307 * If a policy keeps rejecting the same packet, eventually the connection will
3308 * be dropped. Policies have several options if this design causes problems.
3309 * For example, one options is to sanitize the mbuf such that it is acceptable,
3310 * then accept it. That may require negotiation between policies as the
3311 * Framework will not know to re-check the packet.
3312 *
3313 * The policy must handle NULL MBUF labels. This will likely be the case
3314 * for non-local TCP sockets for example.
3315 *
3316 * @return Return 0 if access if granted, otherwise an appropriate
3317 * value for errno should be returned.
3318 */
2d21ac55
A		 3319typedef int mpo_socket_check_deliver_t(
3320 socket_t so,
3321 struct label *so_label,
3322 struct mbuf *m,
3323 struct label *m_label
0a7de745 3324 );
5ba3f43e 3325/**
0a7de745
A		 3326 * @brief Access control check for socket ioctl.
3327 * @param cred Subject credential
3328 * @param so Object socket
3329 * @param cmd The ioctl command; see ioctl(2)
3330 * @param socklabel Policy label for socket
3331 *
3332 * Determine whether the subject identified by the credential can perform
3333 * the ioctl operation indicated by cmd on the given socket.
3334 *
3335 * @warning Since ioctl data is opaque from the standpoint of the MAC
3336 * framework, and since ioctls can affect many aspects of system
3337 * operation, policies must exercise extreme care when implementing
3338 * access control checks.
3339 *
3340 * @return Return 0 if access is granted, otherwise an appropriate value for
3341 * errno should be returned.
3342 */
5ba3f43e
A		 3343typedef int mpo_socket_check_ioctl_t(
3344 kauth_cred_t cred,
3345 socket_t so,
3346 unsigned int cmd,
3347 struct label *socklabel
0a7de745 3348 );
2d21ac55 3349/**
0a7de745
A		 3350 * @brief Access control check for socket kqfilter
3351 * @param cred Subject credential
3352 * @param kn Object knote
3353 * @param so Object socket
3354 * @param socklabel Policy label for socket
3355 *
3356 * Determine whether the subject identified by the credential can
3357 * receive the knote on the passed socket.
3358 *
3359 * @return Return 0 if access if granted, otherwise an appropriate
3360 * value for errno should be returned.
3361 */
2d21ac55
A		 3362typedef int mpo_socket_check_kqfilter_t(
3363 kauth_cred_t cred,
3364 struct knote *kn,
3365 socket_t so,
3366 struct label *socklabel
0a7de745 3367 );
2d21ac55 3368/**
0a7de745
A		 3369 * @brief Access control check for socket relabel
3370 * @param cred Subject credential
3371 * @param so Object socket
3372 * @param so_label The current label of so
3373 * @param newlabel The label to be assigned to so
3374 *
3375 * Determine whether the subject identified by the credential can
3376 * change the label on the socket.
3377 *
3378 * @return Return 0 if access if granted, otherwise an appropriate
3379 * value for errno should be returned.
3380 */
2d21ac55
A		 3381typedef int mpo_socket_check_label_update_t(
3382 kauth_cred_t cred,
3383 socket_t so,
3384 struct label *so_label,
3385 struct label *newlabel
0a7de745 3386 );
2d21ac55 3387/**
0a7de745
A		 3388 * @brief Access control check for socket listen
3389 * @param cred Subject credential
3390 * @param so Object socket
3391 * @param socklabel Policy label for socket
3392 *
3393 * Determine whether the subject identified by the credential can
3394 * listen() on the passed socket.
3395 *
3396 * @return Return 0 if access if granted, otherwise an appropriate
3397 * value for errno should be returned.
3398 */
2d21ac55
A		 3399typedef int mpo_socket_check_listen_t(
3400 kauth_cred_t cred,
3401 socket_t so,
3402 struct label *socklabel
0a7de745 3403 );
2d21ac55 3404/**
0a7de745
A		 3405 * @brief Access control check for socket receive
3406 * @param cred Subject credential
3407 * @param so Object socket
3408 * @param socklabel Policy label for socket
3409 *
3410 * Determine whether the subject identified by the credential can
3411 * receive data from the socket.
3412 *
3413 * @return Return 0 if access if granted, otherwise an appropriate
3414 * value for errno should be returned.
3415 */
2d21ac55
A		 3416typedef int mpo_socket_check_receive_t(
3417 kauth_cred_t cred,
3418 socket_t so,
3419 struct label *socklabel
0a7de745 3420 );
2d21ac55 3421
0a7de745
A		 3422/**
3423 * @brief Access control check for socket receive
3424 * @param cred Subject credential
3425 * @param sock Object socket
3426 * @param socklabel Policy label for socket
3427 * @param saddr Name of the remote socket
3428 *
3429 * Determine whether the subject identified by the credential can
3430 * receive data from the remote host specified by addr.
3431 *
3432 * @return Return 0 if access if granted, otherwise an appropriate
3433 * value for errno should be returned.
3434 */
2d21ac55 3435typedef int mpo_socket_check_received_t(
0a7de745
A		 3436 kauth_cred_t cred,
3437 struct socket *sock,
3438 struct label *socklabel,
3439 struct sockaddr *saddr
3440 );
2d21ac55
A		 3441
3442
3443/**
0a7de745
A		 3444 * @brief Access control check for socket select
3445 * @param cred Subject credential
3446 * @param so Object socket
3447 * @param socklabel Policy label for socket
3448 * @param which The operation selected on: FREAD or FWRITE
3449 *
3450 * Determine whether the subject identified by the credential can use the
3451 * socket in a call to select().
3452 *
3453 * @return Return 0 if access if granted, otherwise an appropriate
3454 * value for errno should be returned.
3455 */
2d21ac55
A		 3456typedef int mpo_socket_check_select_t(
3457 kauth_cred_t cred,
3458 socket_t so,
3459 struct label *socklabel,
3460 int which
0a7de745 3461 );
2d21ac55 3462/**
0a7de745
A		 3463 * @brief Access control check for socket send
3464 * @param cred Subject credential
3465 * @param so Object socket
3466 * @param socklabel Policy label for socket
3467 * @param addr Address being sent to
3468 *
3469 * Determine whether the subject identified by the credential can send
3470 * data to the socket.
3471 *
3472 * @return Return 0 if access if granted, otherwise an appropriate
3473 * value for errno should be returned.
3474 */
2d21ac55
A		 3475typedef int mpo_socket_check_send_t(
3476 kauth_cred_t cred,
3477 socket_t so,
3478 struct label *socklabel,
3479 struct sockaddr *addr
0a7de745 3480 );
2d21ac55 3481/**
0a7de745
A		 3482 * @brief Access control check for retrieving socket status
3483 * @param cred Subject credential
3484 * @param so Object socket
3485 * @param socklabel Policy label for so
3486 *
3487 * Determine whether the subject identified by the credential can
3488 * execute the stat() system call on the given socket.
3489 *
3490 * @return Return 0 if access if granted, otherwise an appropriate
3491 * value for errno should be returned.
3492 */
2d21ac55
A		 3493typedef int mpo_socket_check_stat_t(
3494 kauth_cred_t cred,
3495 socket_t so,
3496 struct label *socklabel
0a7de745 3497 );
2d21ac55 3498/**
0a7de745
A		 3499 * @brief Access control check for setting socket options
3500 * @param cred Subject credential
3501 * @param so Object socket
3502 * @param socklabel Policy label for so
3503 * @param sopt The options being set
3504 *
3505 * Determine whether the subject identified by the credential can
3506 * execute the setsockopt system call on the given socket.
3507 *
3508 * @return Return 0 if access if granted, otherwise an appropriate
3509 * value for errno should be returned.
3510 */
2d21ac55
A		 3511typedef int mpo_socket_check_setsockopt_t(
3512 kauth_cred_t cred,
3513 socket_t so,
3514 struct label *socklabel,
3515 struct sockopt *sopt
0a7de745 3516 );
2d21ac55 3517/**
0a7de745
A		 3518 * @brief Access control check for getting socket options
3519 * @param cred Subject credential
3520 * @param so Object socket
3521 * @param socklabel Policy label for so
3522 * @param sopt The options to get
3523 *
3524 * Determine whether the subject identified by the credential can
3525 * execute the getsockopt system call on the given socket.
3526 *
3527 * @return Return 0 if access if granted, otherwise an appropriate
3528 * value for errno should be returned.
3529 */
2d21ac55
A		 3530typedef int mpo_socket_check_getsockopt_t(
3531 kauth_cred_t cred,
3532 socket_t so,
3533 struct label *socklabel,
3534 struct sockopt *sopt
0a7de745 3535 );
2d21ac55 3536/**
0a7de745
A		 3537 * @brief Label a socket
3538 * @param oldsock Listening socket
3539 * @param oldlabel Policy label associated with oldsock
3540 * @param newsock New socket
3541 * @param newlabel Policy label associated with newsock
3542 *
3543 * A new socket is created when a connection is accept(2)ed. This
3544 * function labels the new socket based on the existing listen(2)ing
3545 * socket.
3546 */
2d21ac55
A		 3547typedef void mpo_socket_label_associate_accept_t(
3548 socket_t oldsock,
3549 struct label *oldlabel,
3550 socket_t newsock,
3551 struct label *newlabel
0a7de745 3552 );
2d21ac55 3553/**
0a7de745
A		 3554 * @brief Assign a label to a new socket
3555 * @param cred Credential of the owning process
3556 * @param so The socket being labeled
3557 * @param solabel The label
3558 * @warning cred can be NULL
3559 *
3560 * Set the label on a newly created socket from the passed subject
3561 * credential. This call is made when a socket is created. The
3562 * credentials may be null if the socket is being created by the
3563 * kernel.
3564 */
2d21ac55
A		 3565typedef void mpo_socket_label_associate_t(
3566 kauth_cred_t cred,
3567 socket_t so,
3568 struct label *solabel
0a7de745 3569 );
2d21ac55 3570/**
0a7de745
A		 3571 * @brief Copy a socket label
3572 * @param src Source label
3573 * @param dest Destination label
3574 *
3575 * Copy the socket label information in src into dest.
3576 */
2d21ac55
A		 3577typedef void mpo_socket_label_copy_t(
3578 struct label *src,
3579 struct label *dest
0a7de745 3580 );
2d21ac55 3581/**
0a7de745
A		 3582 * @brief Destroy socket label
3583 * @param label The label to be destroyed
3584 *
3585 * Destroy a socket label. Since the object is going out of
3586 * scope, policy modules should free any internal storage associated
3587 * with the label so that it may be destroyed.
3588 */
2d21ac55
A		 3589typedef void mpo_socket_label_destroy_t(
3590 struct label *label
0a7de745 3591 );
2d21ac55 3592/**
0a7de745
A		 3593 * @brief Externalize a socket label
3594 * @param label Label to be externalized
3595 * @param element_name Name of the label namespace for which labels should be
3596 * externalized
3597 * @param sb String buffer to be filled with a text representation of label
3598 *
3599 * Produce an externalized socket label based on the label structure passed.
3600 * An externalized label consists of a text representation of the label
3601 * contents that can be used with userland applications and read by the
3602 * user. If element_name does not match a namespace managed by the policy,
3603 * simply return 0. Only return nonzero if an error occurs while externalizing
3604 * the label data.
3605 *
3606 * @return In the event of an error, an appropriate value for errno
3607 * should be returned, otherwise return 0 upon success.
3608 */
2d21ac55
A		 3609typedef int mpo_socket_label_externalize_t(
3610 struct label *label,
3611 char *element_name,
3612 struct sbuf *sb
0a7de745 3613 );
2d21ac55 3614/**
0a7de745
A		 3615 * @brief Initialize socket label
3616 * @param label New label to initialize
3617 * @param waitok Malloc flags
3618 *
3619 * Initialize the label of a newly instantiated socket. The waitok
3620 * field may be one of M_WAITOK and M_NOWAIT, and should be employed to
3621 * avoid performing a sleeping malloc(9) during this initialization
3622 * call. It it not always safe to sleep during this entry point.
3623 *
3624 * @warning Since it is possible for the waitok flags to be set to
3625 * M_NOWAIT, the malloc operation may fail.
3626 *
3627 * @return In the event of an error, an appropriate value for errno
3628 * should be returned, otherwise return 0 upon success.
3629 */
2d21ac55
A		 3630typedef int mpo_socket_label_init_t(
3631 struct label *label,
3632 int waitok
0a7de745 3633 );
2d21ac55 3634/**
0a7de745
A		 3635 * @brief Internalize a socket label
3636 * @param label Label to be filled in
3637 * @param element_name Name of the label namespace for which the label should
3638 * be internalized
3639 * @param element_data Text data to be internalized
3640 *
3641 * Produce an internal socket label structure based on externalized label
3642 * data in text format.
3643 *
3644 * The policy's internalize entry points will be called only if the
3645 * policy has registered interest in the label namespace.
3646 *
3647 * @return In the event of an error, an appropriate value for errno
3648 * should be returned, otherwise return 0 upon success.
3649 */
2d21ac55
A		 3650typedef int mpo_socket_label_internalize_t(
3651 struct label *label,
3652 char *element_name,
3653 char *element_data
0a7de745 3654 );
2d21ac55 3655/**
0a7de745
A		 3656 * @brief Relabel socket
3657 * @param cred Subject credential
3658 * @param so Object; socket
3659 * @param so_label Current label of the socket
3660 * @param newlabel The label to be assigned to so
3661 *
3662 * The subject identified by the credential has previously requested
3663 * and was authorized to relabel the socket; this entry point allows
3664 * policies to perform the actual label update operation.
3665 *
3666 * @warning XXX This entry point will likely change in future versions.
3667 */
2d21ac55
A		 3668typedef void mpo_socket_label_update_t(
3669 kauth_cred_t cred,
3670 socket_t so,
3671 struct label *so_label,
3672 struct label *newlabel
0a7de745 3673 );
2d21ac55 3674/**
0a7de745
A		 3675 * @brief Set the peer label on a socket from mbuf
3676 * @param m Mbuf chain received on socket so
3677 * @param m_label Label for m
3678 * @param so Current label for the socket
3679 * @param so_label Policy label to be filled out for the socket
3680 *
3681 * Set the peer label of a socket based on the label of the sender of the
3682 * mbuf.
3683 *
3684 * This is called for every TCP/IP packet received. The first call for a given
3685 * socket operates on a newly initialized label, and subsequent calls operate
3686 * on existing label data.
3687 *
3688 * @warning Because this can affect performance significantly, it has
3689 * different sematics than other 'set' operations. Typically, 'set' operations
3690 * operate on newly initialzed labels and policies do not need to worry about
3691 * clobbering existing values. In this case, it is too inefficient to
3692 * initialize and destroy a label every time data is received for the socket.
3693 * Instead, it is up to the policies to determine how to replace the label data.
3694 * Most policies should be able to replace the data inline.
3695 */
2d21ac55
A		 3696typedef void mpo_socketpeer_label_associate_mbuf_t(
3697 struct mbuf *m,
3698 struct label *m_label,
3699 socket_t so,
3700 struct label *so_label
0a7de745 3701 );
2d21ac55 3702/**
0a7de745
A		 3703 * @brief Set the peer label on a socket from socket
3704 * @param source Local socket
3705 * @param sourcelabel Policy label for source
3706 * @param target Peer socket
3707 * @param targetlabel Policy label to fill in for target
3708 *
3709 * Set the peer label on a stream UNIX domain socket from the passed
3710 * remote socket endpoint. This call will be made when the socket pair
3711 * is connected, and will be made for both endpoints.
3712 *
3713 * Note that this call is only made on connection; it is currently not updated
3714 * during communication.
3715 */
2d21ac55
A		 3716typedef void mpo_socketpeer_label_associate_socket_t(
3717 socket_t source,
3718 struct label *sourcelabel,
3719 socket_t target,
3720 struct label *targetlabel
0a7de745 3721 );
2d21ac55 3722/**
0a7de745
A		 3723 * @brief Destroy socket peer label
3724 * @param label The peer label to be destroyed
3725 *
3726 * Destroy a socket peer label. Since the object is going out of
3727 * scope, policy modules should free any internal storage associated
3728 * with the label so that it may be destroyed.
3729 */
2d21ac55
A		 3730typedef void mpo_socketpeer_label_destroy_t(
3731 struct label *label
0a7de745 3732 );
2d21ac55 3733/**
0a7de745
A		 3734 * @brief Externalize a socket peer label
3735 * @param label Label to be externalized
3736 * @param element_name Name of the label namespace for which labels should be
3737 * externalized
3738 * @param sb String buffer to be filled with a text representation of label
3739 *
3740 * Produce an externalized socket peer label based on the label structure
3741 * passed. An externalized label consists of a text representation of the
3742 * label contents that can be used with userland applications and read by the
3743 * user. If element_name does not match a namespace managed by the policy,
3744 * simply return 0. Only return nonzero if an error occurs while externalizing
3745 * the label data.
3746 *
3747 * @return In the event of an error, an appropriate value for errno
3748 * should be returned, otherwise return 0 upon success.
3749 */
2d21ac55
A		 3750typedef int mpo_socketpeer_label_externalize_t(
3751 struct label *label,
3752 char *element_name,
3753 struct sbuf *sb
0a7de745 3754 );
2d21ac55 3755/**
0a7de745
A		 3756 * @brief Initialize socket peer label
3757 * @param label New label to initialize
3758 * @param waitok Malloc flags
3759 *
3760 * Initialize the peer label of a newly instantiated socket. The
3761 * waitok field may be one of M_WAITOK and M_NOWAIT, and should be
3762 * employed to avoid performing a sleeping malloc(9) during this
3763 * initialization call. It it not always safe to sleep during this
3764 * entry point.
3765 *
3766 * @warning Since it is possible for the waitok flags to be set to
3767 * M_NOWAIT, the malloc operation may fail.
3768 *
3769 * @return In the event of an error, an appropriate value for errno
3770 * should be returned, otherwise return 0 upon success.
3771 */
2d21ac55
A		 3772typedef int mpo_socketpeer_label_init_t(
3773 struct label *label,
3774 int waitok
0a7de745 3775 );
2d21ac55 3776/**
0a7de745
A		 3777 * @brief Access control check for enabling accounting
3778 * @param cred Subject credential
3779 * @param vp Accounting file
3780 * @param vlabel Label associated with vp
3781 *
3782 * Determine whether the subject should be allowed to enable accounting,
3783 * based on its label and the label of the accounting log file. See
3784 * acct(5) for more information.
3785 *
3786 * As accounting is disabled by passing NULL to the acct(2) system call,
3787 * the policy should be prepared for both 'vp' and 'vlabel' to be NULL.
3788 *
3789 * @return Return 0 if access is granted, otherwise an appropriate value for
3790 * errno should be returned.
3791 */
2d21ac55
A		 3792typedef int mpo_system_check_acct_t(
3793 kauth_cred_t cred,
3794 struct vnode *vp,
3795 struct label *vlabel
0a7de745 3796 );
2d21ac55 3797/**
0a7de745
A		 3798 * @brief Access control check for audit
3799 * @param cred Subject credential
3800 * @param record Audit record
3801 * @param length Audit record length
3802 *
3803 * Determine whether the subject identified by the credential can submit
3804 * an audit record for inclusion in the audit log via the audit() system call.
3805 *
3806 * @return Return 0 if access is granted, otherwise an appropriate value for
3807 * errno should be returned.
3808 */
2d21ac55
A		 3809typedef int mpo_system_check_audit_t(
3810 kauth_cred_t cred,
3811 void *record,
3812 int length
0a7de745 3813 );
2d21ac55 3814/**
0a7de745
A		 3815 * @brief Access control check for controlling audit
3816 * @param cred Subject credential
3817 * @param vp Audit file
3818 * @param vl Label associated with vp
3819 *
3820 * Determine whether the subject should be allowed to enable auditing using
3821 * the auditctl() system call, based on its label and the label of the proposed
3822 * audit file.
3823 *
3824 * @return Return 0 if access is granted, otherwise an appropriate value for
3825 * errno should be returned.
3826 */
2d21ac55
A		 3827typedef int mpo_system_check_auditctl_t(
3828 kauth_cred_t cred,
3829 struct vnode *vp,
3830 struct label *vl
0a7de745 3831 );
2d21ac55 3832/**
0a7de745
A		 3833 * @brief Access control check for manipulating auditing
3834 * @param cred Subject credential
3835 * @param cmd Audit control command
3836 *
3837 * Determine whether the subject identified by the credential can perform
3838 * the audit subsystem control operation cmd via the auditon() system call.
3839 *
3840 * @return Return 0 if access is granted, otherwise an appropriate value for
3841 * errno should be returned.
3842 */
2d21ac55
A		 3843typedef int mpo_system_check_auditon_t(
3844 kauth_cred_t cred,
3845 int cmd
0a7de745 3846 );
2d21ac55 3847/**
0a7de745
A		 3848 * @brief Access control check for obtaining the host control port
3849 * @param cred Subject credential
3850 *
3851 * Determine whether the subject identified by the credential can
3852 * obtain the host control port.
3853 *
3854 * @return Return 0 if access is granted, or non-zero otherwise.
3855 */
2d21ac55
A		 3856typedef int mpo_system_check_host_priv_t(
3857 kauth_cred_t cred
0a7de745 3858 );
39236c6e 3859/**
0a7de745
A		 3860 * @brief Access control check for obtaining system information
3861 * @param cred Subject credential
3862 * @param info_type A description of the information requested
3863 *
3864 * Determine whether the subject identified by the credential should be
3865 * allowed to obtain information about the system.
3866 *
3867 * This is a generic hook that can be used in a variety of situations where
3868 * information is being returned that might be considered sensitive.
3869 * Rather than adding a new MAC hook for every such interface, this hook can
3870 * be called with a string identifying the type of information requested.
3871 *
3872 * @return Return 0 if access is granted, otherwise an appropriate value for
3873 * errno should be returned.
3874 */
39236c6e
A		 3875typedef int mpo_system_check_info_t(
3876 kauth_cred_t cred,
3877 const char *info_type
0a7de745 3878 );
2d21ac55 3879/**
0a7de745
A		 3880 * @brief Access control check for calling NFS services
3881 * @param cred Subject credential
3882 *
3883 * Determine whether the subject identified by the credential should be
3884 * allowed to call nfssrv(2).
3885 *
3886 * @return Return 0 if access is granted, otherwise an appropriate value for
3887 * errno should be returned.
3888 */
2d21ac55
A		 3889typedef int mpo_system_check_nfsd_t(
3890 kauth_cred_t cred
0a7de745 3891 );
2d21ac55 3892/**
0a7de745
A		 3893 * @brief Access control check for reboot
3894 * @param cred Subject credential
3895 * @param howto howto parameter from reboot(2)
3896 *
3897 * Determine whether the subject identified by the credential should be
3898 * allowed to reboot the system in the specified manner.
3899 *
3900 * @return Return 0 if access is granted, otherwise an appropriate value for
3901 * errno should be returned.
3902 */
2d21ac55
A		 3903typedef int mpo_system_check_reboot_t(
3904 kauth_cred_t cred,
3905 int howto
0a7de745 3906 );
2d21ac55 3907/**
0a7de745
A		 3908 * @brief Access control check for setting system clock
3909 * @param cred Subject credential
3910 *
3911 * Determine whether the subject identified by the credential should be
3912 * allowed to set the system clock.
3913 *
3914 * @return Return 0 if access is granted, otherwise an appropriate value for
3915 * errno should be returned.
3916 */
2d21ac55
A		 3917typedef int mpo_system_check_settime_t(
3918 kauth_cred_t cred
0a7de745 3919 );
2d21ac55 3920/**
0a7de745
A		 3921 * @brief Access control check for removing swap devices
3922 * @param cred Subject credential
3923 * @param vp Swap device
3924 * @param label Label associated with vp
3925 *
3926 * Determine whether the subject identified by the credential should be
3927 * allowed to remove vp as a swap device.
3928 *
3929 * @return Return 0 if access is granted, otherwise an appropriate value for
3930 * errno should be returned.
3931 */
2d21ac55
A		 3932typedef int mpo_system_check_swapoff_t(
3933 kauth_cred_t cred,
3934 struct vnode *vp,
3935 struct label *label
0a7de745 3936 );
2d21ac55 3937/**
0a7de745
A		 3938 * @brief Access control check for adding swap devices
3939 * @param cred Subject credential
3940 * @param vp Swap device
3941 * @param label Label associated with vp
3942 *
3943 * Determine whether the subject identified by the credential should be
3944 * allowed to add vp as a swap device.
3945 *
3946 * @return Return 0 if access is granted, otherwise an appropriate value for
3947 * errno should be returned.
3948 */
2d21ac55
A		 3949typedef int mpo_system_check_swapon_t(
3950 kauth_cred_t cred,
3951 struct vnode *vp,
3952 struct label *label
0a7de745
A		 3953 );
3954/**
3955 * @brief Access control check for sysctl
3956 * @param cred Subject credential
3957 * @param namestring String representation of sysctl name.
3958 * @param name Integer name; see sysctl(3)
3959 * @param namelen Length of name array of integers; see sysctl(3)
3960 * @param old 0 or address where to store old value; see sysctl(3)
3961 * @param oldlen Length of old buffer; see sysctl(3)
3962 * @param newvalue 0 or address of new value; see sysctl(3)
3963 * @param newlen Length of new buffer; see sysctl(3)
3964 *
3965 * Determine whether the subject identified by the credential should be
3966 * allowed to make the specified sysctl(3) transaction.
3967 *
3968 * The sysctl(3) call specifies that if the old value is not desired,
3969 * oldp and oldlenp should be set to NULL. Likewise, if a new value is
3970 * not to be set, newp should be set to NULL and newlen set to 0.
3971 *
3972 * @return Return 0 if access is granted, otherwise an appropriate value for
3973 * errno should be returned.
3974 */
fe8ab488 3975typedef int mpo_system_check_sysctlbyname_t(
2d21ac55 3976 kauth_cred_t cred,
fe8ab488 3977 const char *namestring,
2d21ac55
A		 3978 int *name,
3979 u_int namelen,
0a7de745 3980 user_addr_t old, /* NULLOK */
fe8ab488 3981 size_t oldlen,
0a7de745 3982 user_addr_t newvalue, /* NULLOK */
2d21ac55 3983 size_t newlen
0a7de745 3984 );
316670eb 3985/**
0a7de745
A		 3986 * @brief Access control check for kas_info
3987 * @param cred Subject credential
3988 * @param selector Category of information to return. See kas_info.h
3989 *
3990 * Determine whether the subject identified by the credential can perform
3991 * introspection of the kernel address space layout for
3992 * debugging/performance analysis.
3993 *
3994 * @return Return 0 if access is granted, otherwise an appropriate value for
3995 * errno should be returned.
3996 */
316670eb
A		 3997typedef int mpo_system_check_kas_info_t(
3998 kauth_cred_t cred,
3999 int selector
0a7de745
A		 4000 );
4001/**
4002 * @brief Create a System V message label
4003 * @param cred Subject credential
4004 * @param msqptr The message queue the message will be placed in
4005 * @param msqlabel The label of the message queue
4006 * @param msgptr The message
4007 * @param msglabel The label of the message
4008 *
4009 * Label the message as its placed in the message queue.
4010 */
2d21ac55
A		 4011typedef void mpo_sysvmsg_label_associate_t(
4012 kauth_cred_t cred,
4013 struct msqid_kernel *msqptr,
4014 struct label *msqlabel,
4015 struct msg *msgptr,
4016 struct label *msglabel
0a7de745 4017 );
2d21ac55 4018/**
0a7de745
A		 4019 * @brief Destroy System V message label
4020 * @param label The label to be destroyed
4021 *
4022 * Destroy a System V message label. Since the object is
4023 * going out of scope, policy modules should free any internal storage
4024 * associated with the label so that it may be destroyed.
4025 */
2d21ac55
A		 4026typedef void mpo_sysvmsg_label_destroy_t(
4027 struct label *label
0a7de745 4028 );
2d21ac55 4029/**
0a7de745
A		 4030 * @brief Initialize System V message label
4031 * @param label New label to initialize
4032 *
4033 * Initialize the label for a newly instantiated System V message.
4034 */
2d21ac55
A		 4035typedef void mpo_sysvmsg_label_init_t(
4036 struct label *label
0a7de745 4037 );
2d21ac55 4038/**
0a7de745
A		 4039 * @brief Clean up a System V message label
4040 * @param label The label to be destroyed
4041 *
4042 * Clean up a System V message label. Darwin pre-allocates
4043 * messages at system boot time and re-uses them rather than
4044 * allocating new ones. Before messages are returned to the "free
4045 * pool", policies can cleanup or overwrite any information present in
4046 * the label.
4047 */
2d21ac55
A		 4048typedef void mpo_sysvmsg_label_recycle_t(
4049 struct label *label
0a7de745
A		 4050 );
4051/**
4052 * @brief Access control check for System V message enqueuing
4053 * @param cred Subject credential
4054 * @param msgptr The message
4055 * @param msglabel The message's label
4056 * @param msqptr The message queue
4057 * @param msqlabel The message queue's label
4058 *
4059 * Determine whether the subject identified by the credential can add the
4060 * given message to the given message queue.
4061 *
4062 * @return Return 0 if access is granted, otherwise an appropriate value for
4063 * errno should be returned.
4064 */
2d21ac55
A		 4065typedef int mpo_sysvmsq_check_enqueue_t(
4066 kauth_cred_t cred,
4067 struct msg *msgptr,
4068 struct label *msglabel,
4069 struct msqid_kernel *msqptr,
4070 struct label *msqlabel
0a7de745 4071 );
2d21ac55 4072/**
0a7de745
A		 4073 * @brief Access control check for System V message reception
4074 * @param cred The credential of the intended recipient
4075 * @param msgptr The message
4076 * @param msglabel The message's label
4077 *
4078 * Determine whether the subject identified by the credential can receive
4079 * the given message.
4080 *
4081 * @return Return 0 if access is granted, otherwise an appropriate value for
4082 * errno should be returned.
4083 */
2d21ac55
A		 4084typedef int mpo_sysvmsq_check_msgrcv_t(
4085 kauth_cred_t cred,
4086 struct msg *msgptr,
4087 struct label *msglabel
0a7de745 4088 );
2d21ac55 4089/**
0a7de745
A		 4090 * @brief Access control check for System V message queue removal
4091 * @param cred The credential of the caller
4092 * @param msgptr The message
4093 * @param msglabel The message's label
4094 *
4095 * System V message queues are removed using the msgctl() system call.
4096 * The system will iterate over each messsage in the queue, calling this
4097 * function for each, to determine whether the caller has the appropriate
4098 * credentials.
4099 *
4100 * @return Return 0 if access is granted, otherwise an appropriate value for
4101 * errno should be returned.
4102 */
2d21ac55
A		 4103typedef int mpo_sysvmsq_check_msgrmid_t(
4104 kauth_cred_t cred,
4105 struct msg *msgptr,
4106 struct label *msglabel
0a7de745 4107 );
2d21ac55 4108/**
0a7de745
A		 4109 * @brief Access control check for msgctl()
4110 * @param cred The credential of the caller
4111 * @param msqptr The message queue
4112 * @param msqlabel The message queue's label
4113 *
4114 * This access check is performed to validate calls to msgctl().
4115 *
4116 * @return Return 0 if access is granted, otherwise an appropriate value for
4117 * errno should be returned.
4118 */
2d21ac55
A		 4119typedef int mpo_sysvmsq_check_msqctl_t(
4120 kauth_cred_t cred,
4121 struct msqid_kernel *msqptr,
4122 struct label *msqlabel,
4123 int cmd
0a7de745 4124 );
2d21ac55 4125/**
0a7de745
A		 4126 * @brief Access control check to get a System V message queue
4127 * @param cred The credential of the caller
4128 * @param msqptr The message queue requested
4129 * @param msqlabel The message queue's label
4130 *
4131 * On a call to msgget(), if the queue requested already exists,
4132 * and it is a public queue, this check will be performed before the
4133 * queue's ID is returned to the user.
4134 *
4135 * @return Return 0 if access is granted, otherwise an appropriate value for
4136 * errno should be returned.
4137 */
2d21ac55
A		 4138typedef int mpo_sysvmsq_check_msqget_t(
4139 kauth_cred_t cred,
4140 struct msqid_kernel *msqptr,
4141 struct label *msqlabel
0a7de745 4142 );
2d21ac55 4143/**
0a7de745
A		 4144 * @brief Access control check to receive a System V message from the given queue
4145 * @param cred The credential of the caller
4146 * @param msqptr The message queue to receive from
4147 * @param msqlabel The message queue's label
4148 *
4149 * On a call to msgrcv(), this check is performed to determine whether the
4150 * caller has receive rights on the given queue.
4151 *
4152 * @return Return 0 if access is granted, otherwise an appropriate value for
4153 * errno should be returned.
4154 */
2d21ac55
A		 4155typedef int mpo_sysvmsq_check_msqrcv_t(
4156 kauth_cred_t cred,
4157 struct msqid_kernel *msqptr,
4158 struct label *msqlabel
0a7de745 4159 );
2d21ac55 4160/**
0a7de745
A		 4161 * @brief Access control check to send a System V message to the given queue
4162 * @param cred The credential of the caller
4163 * @param msqptr The message queue to send to
4164 * @param msqlabel The message queue's label
4165 *
4166 * On a call to msgsnd(), this check is performed to determine whether the
4167 * caller has send rights on the given queue.
4168 *
4169 * @return Return 0 if access is granted, otherwise an appropriate value for
4170 * errno should be returned.
4171 */
2d21ac55
A		 4172typedef int mpo_sysvmsq_check_msqsnd_t(
4173 kauth_cred_t cred,
4174 struct msqid_kernel *msqptr,
4175 struct label *msqlabel
0a7de745 4176 );
2d21ac55 4177/**
0a7de745
A		 4178 * @brief Create a System V message queue label
4179 * @param cred Subject credential
4180 * @param msqptr The message queue
4181 * @param msqlabel The label of the message queue
4182 *
4183 */
2d21ac55
A		 4184typedef void mpo_sysvmsq_label_associate_t(
4185 kauth_cred_t cred,
4186 struct msqid_kernel *msqptr,
4187 struct label *msqlabel
0a7de745 4188 );
2d21ac55 4189/**
0a7de745
A		 4190 * @brief Destroy System V message queue label
4191 * @param label The label to be destroyed
4192 *
4193 * Destroy a System V message queue label. Since the object is
4194 * going out of scope, policy modules should free any internal storage
4195 * associated with the label so that it may be destroyed.
4196 */
2d21ac55
A		 4197typedef void mpo_sysvmsq_label_destroy_t(
4198 struct label *label
0a7de745 4199 );
2d21ac55 4200/**
0a7de745
A		 4201 * @brief Initialize System V message queue label
4202 * @param label New label to initialize
4203 *
4204 * Initialize the label for a newly instantiated System V message queue.
4205 */
2d21ac55
A		 4206typedef void mpo_sysvmsq_label_init_t(
4207 struct label *label
0a7de745 4208 );
2d21ac55 4209/**
0a7de745
A		 4210 * @brief Clean up a System V message queue label
4211 * @param label The label to be destroyed
4212 *
4213 * Clean up a System V message queue label. Darwin pre-allocates
4214 * message queues at system boot time and re-uses them rather than
4215 * allocating new ones. Before message queues are returned to the "free
4216 * pool", policies can cleanup or overwrite any information present in
4217 * the label.
4218 */
2d21ac55
A		 4219typedef void mpo_sysvmsq_label_recycle_t(
4220 struct label *label
0a7de745 4221 );
2d21ac55 4222/**
0a7de745
A		 4223 * @brief Access control check for System V semaphore control operation
4224 * @param cred Subject credential
4225 * @param semakptr Pointer to semaphore identifier
4226 * @param semaklabel Label associated with semaphore
4227 * @param cmd Control operation to be performed; see semctl(2)
4228 *
4229 * Determine whether the subject identified by the credential can perform
4230 * the operation indicated by cmd on the System V semaphore semakptr.
4231 *
4232 * @return Return 0 if access is granted, otherwise an appropriate value for
4233 * errno should be returned.
4234 */
2d21ac55
A		 4235typedef int mpo_sysvsem_check_semctl_t(
4236 kauth_cred_t cred,
4237 struct semid_kernel *semakptr,
4238 struct label *semaklabel,
4239 int cmd
0a7de745 4240 );
2d21ac55 4241/**
0a7de745
A		 4242 * @brief Access control check for obtaining a System V semaphore
4243 * @param cred Subject credential
4244 * @param semakptr Pointer to semaphore identifier
4245 * @param semaklabel Label to associate with the semaphore
4246 *
4247 * Determine whether the subject identified by the credential can
4248 * obtain a System V semaphore.
4249 *
4250 * @return Return 0 if access is granted, otherwise an appropriate value for
4251 * errno should be returned.
4252 */
2d21ac55
A		 4253typedef int mpo_sysvsem_check_semget_t(
4254 kauth_cred_t cred,
4255 struct semid_kernel *semakptr,
4256 struct label *semaklabel
0a7de745 4257 );
2d21ac55 4258/**
0a7de745
A		 4259 * @brief Access control check for System V semaphore operations
4260 * @param cred Subject credential
4261 * @param semakptr Pointer to semaphore identifier
4262 * @param semaklabel Label associated with the semaphore
4263 * @param accesstype Flags to indicate access (read and/or write)
4264 *
4265 * Determine whether the subject identified by the credential can
4266 * perform the operations on the System V semaphore indicated by
4267 * semakptr. The accesstype flags hold the maximum set of permissions
4268 * from the sem_op array passed to the semop system call. It may
4269 * contain SEM_R for read-only operations or SEM_A for read/write
4270 * operations.
4271 *
4272 * @return Return 0 if access is granted, otherwise an appropriate value for
4273 * errno should be returned.
4274 */
2d21ac55
A		 4275typedef int mpo_sysvsem_check_semop_t(
4276 kauth_cred_t cred,
4277 struct semid_kernel *semakptr,
4278 struct label *semaklabel,
4279 size_t accesstype
0a7de745 4280 );
2d21ac55 4281/**
0a7de745
A		 4282 * @brief Create a System V semaphore label
4283 * @param cred Subject credential
4284 * @param semakptr The semaphore being created
4285 * @param semalabel Label to associate with the new semaphore
4286 *
4287 * Label a new System V semaphore. The label was previously
4288 * initialized and associated with the semaphore. At this time, an
4289 * appropriate initial label value should be assigned to the object and
4290 * stored in semalabel.
4291 */
2d21ac55
A		 4292typedef void mpo_sysvsem_label_associate_t(
4293 kauth_cred_t cred,
4294 struct semid_kernel *semakptr,
4295 struct label *semalabel
0a7de745 4296 );
2d21ac55 4297/**
0a7de745
A		 4298 * @brief Destroy System V semaphore label
4299 * @param label The label to be destroyed
4300 *
4301 * Destroy a System V semaphore label. Since the object is
4302 * going out of scope, policy modules should free any internal storage
4303 * associated with the label so that it may be destroyed.
4304 */
2d21ac55
A		 4305typedef void mpo_sysvsem_label_destroy_t(
4306 struct label *label
0a7de745 4307 );
2d21ac55 4308/**
0a7de745
A		 4309 * @brief Initialize System V semaphore label
4310 * @param label New label to initialize
4311 *
4312 * Initialize the label for a newly instantiated System V semaphore. Sleeping
4313 * is permitted.
4314 */
2d21ac55
A		 4315typedef void mpo_sysvsem_label_init_t(
4316 struct label *label
0a7de745 4317 );
2d21ac55 4318/**
0a7de745
A		 4319 * @brief Clean up a System V semaphore label
4320 * @param label The label to be cleaned
4321 *
4322 * Clean up a System V semaphore label. Darwin pre-allocates
4323 * semaphores at system boot time and re-uses them rather than
4324 * allocating new ones. Before semaphores are returned to the "free
4325 * pool", policies can cleanup or overwrite any information present in
4326 * the label.
4327 */
2d21ac55
A		 4328typedef void mpo_sysvsem_label_recycle_t(
4329 struct label *label
0a7de745 4330 );
2d21ac55 4331/**
0a7de745
A		 4332 * @brief Access control check for mapping System V shared memory
4333 * @param cred Subject credential
4334 * @param shmsegptr Pointer to shared memory segment identifier
4335 * @param shmseglabel Label associated with the shared memory segment
4336 * @param shmflg shmat flags; see shmat(2)
4337 *
4338 * Determine whether the subject identified by the credential can map
4339 * the System V shared memory segment associated with shmsegptr.
4340 *
4341 * @return Return 0 if access is granted, otherwise an appropriate value for
4342 * errno should be returned.
4343 */
2d21ac55
A		 4344typedef int mpo_sysvshm_check_shmat_t(
4345 kauth_cred_t cred,
4346 struct shmid_kernel *shmsegptr,
4347 struct label *shmseglabel,
4348 int shmflg
0a7de745 4349 );
2d21ac55 4350/**
0a7de745
A		 4351 * @brief Access control check for System V shared memory control operation
4352 * @param cred Subject credential
4353 * @param shmsegptr Pointer to shared memory segment identifier
4354 * @param shmseglabel Label associated with the shared memory segment
4355 * @param cmd Control operation to be performed; see shmctl(2)
4356 *
4357 * Determine whether the subject identified by the credential can perform
4358 * the operation indicated by cmd on the System V shared memory segment
4359 * shmsegptr.
4360 *
4361 * @return Return 0 if access is granted, otherwise an appropriate value for
4362 * errno should be returned.
4363 */
2d21ac55
A		 4364typedef int mpo_sysvshm_check_shmctl_t(
4365 kauth_cred_t cred,
4366 struct shmid_kernel *shmsegptr,
4367 struct label *shmseglabel,
4368 int cmd
0a7de745 4369 );
2d21ac55 4370/**
0a7de745
A		 4371 * @brief Access control check for unmapping System V shared memory
4372 * @param cred Subject credential
4373 * @param shmsegptr Pointer to shared memory segment identifier
4374 * @param shmseglabel Label associated with the shared memory segment
4375 *
4376 * Determine whether the subject identified by the credential can unmap
4377 * the System V shared memory segment associated with shmsegptr.
4378 *
4379 * @return Return 0 if access is granted, otherwise an appropriate value for
4380 * errno should be returned.
4381 */
2d21ac55
A		 4382typedef int mpo_sysvshm_check_shmdt_t(
4383 kauth_cred_t cred,
4384 struct shmid_kernel *shmsegptr,
4385 struct label *shmseglabel
0a7de745 4386 );
2d21ac55 4387/**
0a7de745
A		 4388 * @brief Access control check obtaining System V shared memory identifier
4389 * @param cred Subject credential
4390 * @param shmsegptr Pointer to shared memory segment identifier
4391 * @param shmseglabel Label associated with the shared memory segment
4392 * @param shmflg shmget flags; see shmget(2)
4393 *
4394 * Determine whether the subject identified by the credential can get
4395 * the System V shared memory segment address.
4396 *
4397 * @return Return 0 if access is granted, otherwise an appropriate value for
4398 * errno should be returned.
4399 */
2d21ac55
A		 4400typedef int mpo_sysvshm_check_shmget_t(
4401 kauth_cred_t cred,
4402 struct shmid_kernel *shmsegptr,
4403 struct label *shmseglabel,
4404 int shmflg
0a7de745 4405 );
2d21ac55 4406/**
0a7de745
A		 4407 * @brief Create a System V shared memory region label
4408 * @param cred Subject credential
4409 * @param shmsegptr The shared memory region being created
4410 * @param shmlabel Label to associate with the new shared memory region
4411 *
4412 * Label a new System V shared memory region. The label was previously
4413 * initialized and associated with the shared memory region. At this
4414 * time, an appropriate initial label value should be assigned to the
4415 * object and stored in shmlabel.
4416 */
2d21ac55
A		 4417typedef void mpo_sysvshm_label_associate_t(
4418 kauth_cred_t cred,
4419 struct shmid_kernel *shmsegptr,
4420 struct label *shmlabel
0a7de745 4421 );
2d21ac55 4422/**
0a7de745
A		 4423 * @brief Destroy System V shared memory label
4424 * @param label The label to be destroyed
4425 *
4426 * Destroy a System V shared memory region label. Since the
4427 * object is going out of scope, policy modules should free any
4428 * internal storage associated with the label so that it may be
4429 * destroyed.
4430 */
2d21ac55
A		 4431typedef void mpo_sysvshm_label_destroy_t(
4432 struct label *label
0a7de745 4433 );
2d21ac55 4434/**
0a7de745
A		 4435 * @brief Initialize System V Shared Memory region label
4436 * @param label New label to initialize
4437 *
4438 * Initialize the label for a newly instantiated System V Shared Memory
4439 * region. Sleeping is permitted.
4440 */
2d21ac55
A		 4441typedef void mpo_sysvshm_label_init_t(
4442 struct label *label
0a7de745 4443 );
2d21ac55 4444/**
0a7de745
A		 4445 * @brief Clean up a System V Share Memory Region label
4446 * @param shmlabel The label to be cleaned
4447 *
4448 * Clean up a System V Shared Memory Region label. Darwin
4449 * pre-allocates these objects at system boot time and re-uses them
4450 * rather than allocating new ones. Before the memory regions are
4451 * returned to the "free pool", policies can cleanup or overwrite any
4452 * information present in the label.
4453 */
2d21ac55
A		 4454typedef void mpo_sysvshm_label_recycle_t(
4455 struct label *shmlabel
0a7de745 4456 );
2d21ac55 4457/**
0a7de745
A		 4458 * @brief Access control check for getting a process's task name
4459 * @param cred Subject credential
4460 * @param p Object process
4461 *
4462 * Determine whether the subject identified by the credential can get
4463 * the passed process's task name port.
4464 * This call is used by the task_name_for_pid(2) API.
4465 *
4466 * @return Return 0 if access is granted, otherwise an appropriate value for
4467 * errno should be returned. Suggested failure: EACCES for label mismatch,
4468 * EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4469 */
2d21ac55
A		 4470typedef int mpo_proc_check_get_task_name_t(
4471 kauth_cred_t cred,
4472 struct proc *p
0a7de745 4473 );
2d21ac55 4474/**
0a7de745
A		 4475 * @brief Access control check for getting a process's task port
4476 * @param cred Subject credential
4477 * @param p Object process
4478 *
4479 * Determine whether the subject identified by the credential can get
4480 * the passed process's task control port.
4481 * This call is used by the task_for_pid(2) API.
4482 *
4483 * @return Return 0 if access is granted, otherwise an appropriate value for
4484 * errno should be returned. Suggested failure: EACCES for label mismatch,
4485 * EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4486 */
2d21ac55
A		 4487typedef int mpo_proc_check_get_task_t(
4488 kauth_cred_t cred,
4489 struct proc *p
0a7de745 4490 );
fe8ab488 4491
3e170ce0 4492/**
0a7de745
A		 4493 * @brief Access control check for exposing a process's task port
4494 * @param cred Subject credential
4495 * @param p Object process
4496 *
4497 * Determine whether the subject identified by the credential can expose
4498 * the passed process's task control port.
4499 * This call is used by the accessor APIs like processor_set_tasks() and
4500 * processor_set_threads().
4501 *
4502 * @return Return 0 if access is granted, otherwise an appropriate value for
4503 * errno should be returned. Suggested failure: EACCES for label mismatch,
4504 * EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4505 */
3e170ce0
A		 4506typedef int mpo_proc_check_expose_task_t(
4507 kauth_cred_t cred,
4508 struct proc *p
0a7de745
A		 4509 );
4510
4511/**
4512 * @brief Check whether task's IPC may inherit across process exec
4513 * @param p current process instance
4514 * @param cur_vp vnode pointer to current instance
4515 * @param cur_offset offset of binary of currently executing image
4516 * @param img_vp vnode pointer to to be exec'ed image
4517 * @param img_offset offset into file which is selected for execution
4518 * @param scriptvp vnode pointer of script file if any.
4519 * @return Return 0 if access is granted.
4520 * EPERM if parent does not have any entitlements.
4521 * EACCESS if mismatch in entitlements
4522 */
fe8ab488
A		 4523typedef int mpo_proc_check_inherit_ipc_ports_t(
4524 struct proc *p,
3e170ce0
A		 4525 struct vnode *cur_vp,
4526 off_t cur_offset,
4527 struct vnode *img_vp,
4528 off_t img_offset,
4529 struct vnode *scriptvp
0a7de745 4530 );
fe8ab488 4531
593a1d5f 4532/**
0a7de745
A		 4533 * @brief Privilege check for a process to run invalid
4534 * @param p Object process
4535 *
4536 * Determine whether the process may execute even though the system determined
4537 * that it is untrusted (eg unidentified / modified code).
4538 *
4539 * @return Return 0 if access is granted, otherwise an appropriate value for
4540 * errno should be returned.
593a1d5f 4541 */
3e170ce0 4542typedef int mpo_proc_check_run_cs_invalid_t(
593a1d5f 4543 struct proc *p
0a7de745 4544 );
593a1d5f 4545
d9a64523 4546/**
0a7de745
A		 4547 * @brief Notification a process is finished with exec and will jump to userspace
4548 * @param p Object process
4549 *
4550 * Notifies all MAC policies that a process has completed an exec and is about to
4551 * jump to userspace to continue execution. This may result in process termination
4552 * via signals. Hook is designed to hold no/minimal locks so it can be used for any
4553 * necessary upcalls.
d9a64523
A		 4554 */
4555typedef void mpo_proc_notify_exec_complete_t(
4556 struct proc *p
0a7de745 4557 );
d9a64523 4558
316670eb 4559/**
0a7de745
A		 4560 * @brief Perform MAC-related events when a thread returns to user space
4561 * @param thread Mach (not BSD) thread that is returning
4562 *
4563 * This entry point permits policy modules to perform MAC-related
4564 * events when a thread returns to user space, via a system call
4565 * return or trap return.
4566 */
316670eb
A		 4567typedef void mpo_thread_userret_t(
4568 struct thread *thread
0a7de745 4569 );
316670eb 4570
2d21ac55 4571/**
0a7de745
A		 4572 * @brief Check vnode access
4573 * @param cred Subject credential
4574 * @param vp Object vnode
4575 * @param label Label for vp
4576 * @param acc_mode access(2) flags
4577 *
4578 * Determine how invocations of access(2) and related calls by the
4579 * subject identified by the credential should return when performed
4580 * on the passed vnode using the passed access flags. This should
4581 * generally be implemented using the same semantics used in
4582 * mpo_vnode_check_open.
4583 *
4584 * @return Return 0 if access is granted, otherwise an appropriate value for
4585 * errno should be returned. Suggested failure: EACCES for label mismatch or
4586 * EPERM for lack of privilege.
4587 */
2d21ac55
A		 4588typedef int mpo_vnode_check_access_t(
4589 kauth_cred_t cred,
4590 struct vnode *vp,
4591 struct label *label,
4592 int acc_mode
0a7de745 4593 );
2d21ac55 4594/**
0a7de745
A		 4595 * @brief Access control check for changing working directory
4596 * @param cred Subject credential
4597 * @param dvp Object; vnode to chdir(2) into
4598 * @param dlabel Policy label for dvp
4599 *
4600 * Determine whether the subject identified by the credential can change
4601 * the process working directory to the passed vnode.
4602 *
4603 * @return Return 0 if access is granted, otherwise an appropriate value for
4604 * errno should be returned. Suggested failure: EACCES for label mismatch or
4605 * EPERM for lack of privilege.
4606 */
2d21ac55
A		 4607typedef int mpo_vnode_check_chdir_t(
4608 kauth_cred_t cred,
4609 struct vnode *dvp,
4610 struct label *dlabel
0a7de745 4611 );
2d21ac55 4612/**
0a7de745
A		 4613 * @brief Access control check for changing root directory
4614 * @param cred Subject credential
4615 * @param dvp Directory vnode
4616 * @param dlabel Policy label associated with dvp
4617 * @param cnp Component name for dvp
4618 *
4619 * Determine whether the subject identified by the credential should be
4620 * allowed to chroot(2) into the specified directory (dvp).
4621 *
4622 * @return In the event of an error, an appropriate value for errno
4623 * should be returned, otherwise return 0 upon success.
4624 */
2d21ac55
A		 4625typedef int mpo_vnode_check_chroot_t(
4626 kauth_cred_t cred,
4627 struct vnode *dvp,
4628 struct label *dlabel,
4629 struct componentname *cnp
0a7de745
A		 4630 );
4631/**
4632 * @brief Access control check for creating clone
4633 * @param cred Subject credential
4634 * @param dvp Vnode of directory to create the clone in
4635 * @param dlabel Policy label associated with dvp
4636 * @param vp Vnode of the file to clone from
4637 * @param label Policy label associated with vp
4638 * @param cnp Component name for the clone being created
4639 *
4640 * Determine whether the subject identified by the credential should be
4641 * allowed to create a clone of the vnode vp with the name specified by cnp.
4642 *
4643 * @return Return 0 if access is granted, otherwise an appropriate value for
4644 * errno should be returned.
4645 */
39037602
A		 4646typedef int mpo_vnode_check_clone_t(
4647 kauth_cred_t cred,
4648 struct vnode *dvp,
4649 struct label *dlabel,
4650 struct vnode *vp,
4651 struct label *label,
4652 struct componentname *cnp
0a7de745
A		 4653 );
4654/**
4655 * @brief Access control check for creating vnode
4656 * @param cred Subject credential
4657 * @param dvp Directory vnode
4658 * @param dlabel Policy label for dvp
4659 * @param cnp Component name for dvp
4660 * @param vap vnode attributes for vap
4661 *
4662 * Determine whether the subject identified by the credential can create
4663 * a vnode with the passed parent directory, passed name information,
4664 * and passed attribute information. This call may be made in a number of
4665 * situations, including as a result of calls to open(2) with O_CREAT,
4666 * mknod(2), mkfifo(2), and others.
4667 *
4668 * @return Return 0 if access is granted, otherwise an appropriate value for
4669 * errno should be returned. Suggested failure: EACCES for label mismatch or
4670 * EPERM for lack of privilege.
4671 */
2d21ac55
A		 4672typedef int mpo_vnode_check_create_t(
4673 kauth_cred_t cred,
4674 struct vnode *dvp,
4675 struct label *dlabel,
4676 struct componentname *cnp,
4677 struct vnode_attr *vap
0a7de745 4678 );
2d21ac55 4679/**
0a7de745
A		 4680 * @brief Access control check for deleting extended attribute
4681 * @param cred Subject credential
4682 * @param vp Object vnode
4683 * @param vlabel Label associated with vp
4684 * @param name Extended attribute name
4685 *
4686 * Determine whether the subject identified by the credential can delete
4687 * the extended attribute from the passed vnode.
4688 *
4689 * @return Return 0 if access is granted, otherwise an appropriate value for
4690 * errno should be returned. Suggested failure: EACCES for label mismatch or
4691 * EPERM for lack of privilege.
4692 */
2d21ac55
A		 4693typedef int mpo_vnode_check_deleteextattr_t(
4694 kauth_cred_t cred,
4695 struct vnode *vp,
4696 struct label *vlabel,
4697 const char *name
0a7de745
A		 4698 );
4699/**
4700 * @brief Access control check for exchanging file data
4701 * @param cred Subject credential
4702 * @param v1 vnode 1 to swap
4703 * @param vl1 Policy label for v1
4704 * @param v2 vnode 2 to swap
4705 * @param vl2 Policy label for v2
4706 *
4707 * Determine whether the subject identified by the credential can swap the data
4708 * in the two supplied vnodes.
4709 *
4710 * @return Return 0 if access is granted, otherwise an appropriate value for
4711 * errno should be returned. Suggested failure: EACCES for label mismatch or
4712 * EPERM for lack of privilege.
4713 */
2d21ac55
A		 4714typedef int mpo_vnode_check_exchangedata_t(
4715 kauth_cred_t cred,
4716 struct vnode *v1,
4717 struct label *vl1,
4718 struct vnode *v2,
4719 struct label *vl2
0a7de745
A		 4720 );
4721/**
4722 * @brief Access control check for executing the vnode
4723 * @param cred Subject credential
4724 * @param vp Object vnode to execute
4725 * @param scriptvp Script being executed by interpreter, if any.
4726 * @param vnodelabel Label corresponding to vp
4727 * @param scriptlabel Script vnode label
4728 * @param execlabel Userspace provided execution label
4729 * @param cnp Component name for file being executed
4730 * @param macpolicyattr MAC policy-specific spawn attribute data.
4731 * @param macpolicyattrlen Length of policy-specific spawn attribute data.
4732 *
4733 * Determine whether the subject identified by the credential can execute
4734 * the passed vnode. Determination of execute privilege is made separately
4735 * from decisions about any process label transitioning event.
4736 *
4737 * The final label, execlabel, corresponds to a label supplied by a
4738 * user space application through the use of the mac_execve system call.
4739 * This label will be NULL if the user application uses the the vendor
4740 * execve(2) call instead of the MAC Framework mac_execve() call.
4741 *
4742 * @return Return 0 if access is granted, otherwise an appropriate value for
4743 * errno should be returned. Suggested failure: EACCES for label mismatch or
4744 * EPERM for lack of privilege.
4745 */
2d21ac55
A		 4746typedef int mpo_vnode_check_exec_t(
4747 kauth_cred_t cred,
4748 struct vnode *vp,
fe8ab488
A		 4749 struct vnode *scriptvp,
4750 struct label *vnodelabel,
4751 struct label *scriptlabel,
0a7de745 4752 struct label *execlabel, /* NULLOK */
2d21ac55 4753 struct componentname *cnp,
39236c6e
A		 4754 u_int *csflags,
4755 void *macpolicyattr,
4756 size_t macpolicyattrlen
0a7de745 4757 );
6d2010ae 4758/**
0a7de745
A		 4759 * @brief Access control check for fsgetpath
4760 * @param cred Subject credential
4761 * @param vp Vnode for which a path will be returned
4762 * @param label Label associated with the vnode
4763 *
4764 * Determine whether the subject identified by the credential can get the path
4765 * of the given vnode with fsgetpath.
4766 *
4767 * @return Return 0 if access is granted, otherwise an appropriate value for
4768 * errno should be returned.
4769 */
6d2010ae
A		 4770typedef int mpo_vnode_check_fsgetpath_t(
4771 kauth_cred_t cred,
4772 struct vnode *vp,
4773 struct label *label
0a7de745
A		 4774 );
4775/**
4776 * @brief Access control check for retrieving file attributes
4777 * @param active_cred Subject credential
4778 * @param file_cred Credential associated with the struct fileproc
4779 * @param vp Object vnode
4780 * @param vlabel Policy label for vp
4781 * @param va Vnode attributes to retrieve
4782 *
4783 * Determine whether the subject identified by the credential can
4784 * get information about the passed vnode. The active_cred hold
4785 * the credentials of the subject performing the operation, and
4786 * file_cred holds the credentials of the subject that originally
4787 * opened the file. This check happens during stat(), lstat(),
4788 * fstat(), and getattrlist() syscalls. See <sys/vnode.h> for
4789 * definitions of the attributes.
4790 *
4791 * @return Return 0 if access is granted, otherwise an appropriate value for
4792 * errno should be returned.
4793 *
4794 * @note Policies may change the contents of va to alter the list of
4795 * file attributes returned.
4796 */
743345f9
A		 4797typedef int mpo_vnode_check_getattr_t(
4798 kauth_cred_t active_cred,
4799 kauth_cred_t file_cred, /* NULLOK */
39037602 4800 struct vnode *vp,
743345f9
A		 4801 struct label *vlabel,
4802 struct vnode_attr *va
0a7de745 4803 );
2d21ac55 4804/**
0a7de745
A		 4805 * @brief Access control check for retrieving file attributes
4806 * @param cred Subject credential
4807 * @param vp Object vnode
4808 * @param vlabel Policy label for vp
4809 * @param alist List of attributes to retrieve
4810 *
4811 * Determine whether the subject identified by the credential can read
4812 * various attributes of the specified vnode, or the filesystem or volume on
4813 * which that vnode resides. See <sys/attr.h> for definitions of the
4814 * attributes.
4815 *
4816 * @return Return 0 if access is granted, otherwise an appropriate value for
4817 * errno should be returned. Suggested failure: EACCES for label mismatch or
4818 * EPERM for lack of privilege. Access control covers all attributes requested
4819 * with this call; the security policy is not permitted to change the set of
4820 * attributes requested.
4821 */
2d21ac55
A		 4822typedef int mpo_vnode_check_getattrlist_t(
4823 kauth_cred_t cred,
4824 struct vnode *vp,
4825 struct label *vlabel,
4826 struct attrlist *alist
0a7de745
A		 4827 );
4828/**
4829 * @brief Access control check for retrieving an extended attribute
4830 * @param cred Subject credential
4831 * @param vp Object vnode
4832 * @param label Policy label for vp
4833 * @param name Extended attribute name
4834 * @param uio I/O structure pointer
4835 *
4836 * Determine whether the subject identified by the credential can retrieve
4837 * the extended attribute from the passed vnode. The uio parameter
4838 * will be NULL when the getxattr(2) call has been made with a NULL data
4839 * value; this is done to request the size of the data only.
4840 *
4841 * @return Return 0 if access is granted, otherwise an appropriate value for
4842 * errno should be returned. Suggested failure: EACCES for label mismatch or
4843 * EPERM for lack of privilege.
4844 */
2d21ac55
A		 4845typedef int mpo_vnode_check_getextattr_t(
4846 kauth_cred_t cred,
4847 struct vnode *vp,
0a7de745 4848 struct label *label, /* NULLOK */
2d21ac55 4849 const char *name,
0a7de745
A		 4850 struct uio *uio /* NULLOK */
4851 );
4852/**
4853 * @brief Access control check for ioctl
4854 * @param cred Subject credential
4855 * @param vp Object vnode
4856 * @param label Policy label for vp
4857 * @param cmd Device-dependent request code; see ioctl(2)
4858 *
4859 * Determine whether the subject identified by the credential can perform
4860 * the ioctl operation indicated by com.
4861 *
4862 * @warning Since ioctl data is opaque from the standpoint of the MAC
4863 * framework, and since ioctls can affect many aspects of system
4864 * operation, policies must exercise extreme care when implementing
4865 * access control checks.
4866 *
4867 * @return Return 0 if access is granted, otherwise an appropriate value for
4868 * errno should be returned.
4869 */
2d21ac55
A		 4870typedef int mpo_vnode_check_ioctl_t(
4871 kauth_cred_t cred,
4872 struct vnode *vp,
4873 struct label *label,
4874 unsigned int cmd
0a7de745 4875 );
2d21ac55 4876/**
0a7de745
A		 4877 * @brief Access control check for vnode kqfilter
4878 * @param active_cred Subject credential
4879 * @param kn Object knote
4880 * @param vp Object vnode
4881 * @param label Policy label for vp
4882 *
4883 * Determine whether the subject identified by the credential can
4884 * receive the knote on the passed vnode.
4885 *
4886 * @return Return 0 if access if granted, otherwise an appropriate
4887 * value for errno should be returned.
4888 */
2d21ac55
A		 4889typedef int mpo_vnode_check_kqfilter_t(
4890 kauth_cred_t active_cred,
0a7de745 4891 kauth_cred_t file_cred, /* NULLOK */
2d21ac55
A		 4892 struct knote *kn,
4893 struct vnode *vp,
4894 struct label *label
0a7de745
A		 4895 );
4896/**
4897 * @brief Access control check for relabel
4898 * @param cred Subject credential
4899 * @param vp Object vnode
4900 * @param vnodelabel Existing policy label for vp
4901 * @param newlabel Policy label update to later be applied to vp
4902 * @see mpo_relable_vnode_t
4903 *
4904 * Determine whether the subject identified by the credential can relabel
4905 * the passed vnode to the passed label update. If all policies permit
4906 * the label change, the actual relabel entry point (mpo_vnode_label_update)
4907 * will follow.
4908 *
4909 * @return Return 0 if access is granted, otherwise an appropriate value for
4910 * errno should be returned.
4911 */
2d21ac55
A		 4912typedef int mpo_vnode_check_label_update_t(
4913 struct ucred *cred,
4914 struct vnode *vp,
4915 struct label *vnodelabel,
4916 struct label *newlabel
0a7de745
A		 4917 );
4918/**
4919 * @brief Access control check for creating link
4920 * @param cred Subject credential
4921 * @param dvp Directory vnode
4922 * @param dlabel Policy label associated with dvp
4923 * @param vp Link destination vnode
4924 * @param label Policy label associated with vp
4925 * @param cnp Component name for the link being created
4926 *
4927 * Determine whether the subject identified by the credential should be
4928 * allowed to create a link to the vnode vp with the name specified by cnp.
4929 *
4930 * @return Return 0 if access is granted, otherwise an appropriate value for
4931 * errno should be returned.
4932 */
2d21ac55
A		 4933typedef int mpo_vnode_check_link_t(
4934 kauth_cred_t cred,
4935 struct vnode *dvp,
4936 struct label *dlabel,
4937 struct vnode *vp,
4938 struct label *label,
4939 struct componentname *cnp
0a7de745 4940 );
2d21ac55 4941/**
0a7de745
A		 4942 * @brief Access control check for listing extended attributes
4943 * @param cred Subject credential
4944 * @param vp Object vnode
4945 * @param vlabel Policy label associated with vp
4946 *
4947 * Determine whether the subject identified by the credential can retrieve
4948 * a list of named extended attributes from a vnode.
4949 *
4950 * @return Return 0 if access is granted, otherwise an appropriate value for
4951 * errno should be returned.
4952 */
2d21ac55
A		 4953typedef int mpo_vnode_check_listextattr_t(
4954 kauth_cred_t cred,
4955 struct vnode *vp,
4956 struct label *vlabel
0a7de745
A		 4957 );
4958/**
4959 * @brief Access control check for lookup
4960 * @param cred Subject credential
4961 * @param dvp Directory vnode
4962 * @param dlabel Policy label for dvp
4963 * @param path Path being looked up
4964 * @param pathlen Length of path in bytes
4965 *
4966 * Determine whether the subject identified by the credential can perform
4967 * a lookup of the passed path relative to the passed directory vnode.
4968 *
4969 * @return Return 0 if access is granted, otherwise an appropriate value for
4970 * errno should be returned. Suggested failure: EACCES for label mismatch or
4971 * EPERM for lack of privilege.
4972 *
4973 * @note The path may contain untrusted input. If approved, lookup proceeds
4974 * on the path; if a component is found to be a symlink then this hook is
4975 * called again with the updated path.
4976 */
5ba3f43e
A		 4977typedef int mpo_vnode_check_lookup_preflight_t(
4978 kauth_cred_t cred,
4979 struct vnode *dvp,
4980 struct label *dlabel,
4981 const char *path,
4982 size_t pathlen
0a7de745 4983 );
2d21ac55 4984/**
0a7de745
A		 4985 * @brief Access control check for lookup
4986 * @param cred Subject credential
4987 * @param dvp Object vnode
4988 * @param dlabel Policy label for dvp
4989 * @param cnp Component name being looked up
4990 *
4991 * Determine whether the subject identified by the credential can perform
4992 * a lookup in the passed directory vnode for the passed name (cnp).
4993 *
4994 * @return Return 0 if access is granted, otherwise an appropriate value for
4995 * errno should be returned. Suggested failure: EACCES for label mismatch or
4996 * EPERM for lack of privilege.
4997 */
2d21ac55
A		 4998typedef int mpo_vnode_check_lookup_t(
4999 kauth_cred_t cred,
5000 struct vnode *dvp,
5001 struct label *dlabel,
5002 struct componentname *cnp
0a7de745 5003 );
2d21ac55 5004/**
0a7de745
A		 5005 * @brief Access control check for open
5006 * @param cred Subject credential
5007 * @param vp Object vnode
5008 * @param label Policy label associated with vp
5009 * @param acc_mode open(2) access mode
5010 *
5011 * Determine whether the subject identified by the credential can perform
5012 * an open operation on the passed vnode with the passed access mode.
5013 *
5014 * @return Return 0 if access is granted, otherwise an appropriate value for
5015 * errno should be returned. Suggested failure: EACCES for label mismatch or
5016 * EPERM for lack of privilege.
5017 */
2d21ac55
A		 5018typedef int mpo_vnode_check_open_t(
5019 kauth_cred_t cred,
5020 struct vnode *vp,
5021 struct label *label,
5022 int acc_mode
0a7de745 5023 );
2d21ac55 5024/**
0a7de745
A		 5025 * @brief Access control check for read
5026 * @param active_cred Subject credential
5027 * @param file_cred Credential associated with the struct fileproc
5028 * @param vp Object vnode
5029 * @param label Policy label for vp
5030 *
5031 * Determine whether the subject identified by the credential can perform
5032 * a read operation on the passed vnode. The active_cred hold the credentials
5033 * of the subject performing the operation, and file_cred holds the
5034 * credentials of the subject that originally opened the file.
5035 *
5036 * @return Return 0 if access is granted, otherwise an appropriate value for
5037 * errno should be returned. Suggested failure: EACCES for label mismatch or
5038 * EPERM for lack of privilege.
5039 */
2d21ac55 5040typedef int mpo_vnode_check_read_t(
0a7de745
A		 5041 kauth_cred_t active_cred, /* SUBJECT */
5042 kauth_cred_t file_cred, /* NULLOK */
5043 struct vnode *vp, /* OBJECT */
5044 struct label *label /* LABEL */
5045 );
5046/**
5047 * @brief Access control check for read directory
5048 * @param cred Subject credential
5049 * @param dvp Object directory vnode
5050 * @param dlabel Policy label for dvp
5051 *
5052 * Determine whether the subject identified by the credential can
5053 * perform a readdir operation on the passed directory vnode.
5054 *
5055 * @return Return 0 if access is granted, otherwise an appropriate value for
5056 * errno should be returned. Suggested failure: EACCES for label mismatch or
5057 * EPERM for lack of privilege.
5058 */
2d21ac55 5059typedef int mpo_vnode_check_readdir_t(
0a7de745
A		 5060 kauth_cred_t cred, /* SUBJECT */
5061 struct vnode *dvp, /* OBJECT */
5062 struct label *dlabel /* LABEL */
5063 );
5064/**
5065 * @brief Access control check for read link
5066 * @param cred Subject credential
5067 * @param vp Object vnode
5068 * @param label Policy label for vp
5069 *
5070 * Determine whether the subject identified by the credential can perform
5071 * a readlink operation on the passed symlink vnode. This call can be made
5072 * in a number of situations, including an explicit readlink call by the
5073 * user process, or as a result of an implicit readlink during a name
5074 * lookup by the process.
5075 *
5076 * @return Return 0 if access is granted, otherwise an appropriate value for
5077 * errno should be returned. Suggested failure: EACCES for label mismatch or
5078 * EPERM for lack of privilege.
5079 */
2d21ac55
A		 5080typedef int mpo_vnode_check_readlink_t(
5081 kauth_cred_t cred,
5082 struct vnode *vp,
5083 struct label *label
0a7de745
A		 5084 );
5085/**
5086 * @brief Access control check for rename
5087 * @param cred Subject credential
5088 * @param dvp Directory vnode
5089 * @param dlabel Policy label associated with dvp
5090 * @param vp vnode to be renamed
5091 * @param label Policy label associated with vp
5092 * @param cnp Component name for vp
5093 * @param tdvp Destination directory vnode
5094 * @param tdlabel Policy label associated with tdvp
5095 * @param tvp Overwritten vnode
5096 * @param tlabel Policy label associated with tvp
5097 * @param tcnp Destination component name
5098 *
5099 * Determine whether the subject identified by the credential should be allowed
5100 * to rename the vnode vp to something else.
5101 *
5102 * @return Return 0 if access is granted, otherwise an appropriate value for
5103 * errno should be returned.
5104 */
fe8ab488
A		 5105typedef int mpo_vnode_check_rename_t(
5106 kauth_cred_t cred,
5107 struct vnode *dvp,
5108 struct label *dlabel,
5109 struct vnode *vp,
5110 struct label *label,
5111 struct componentname *cnp,
5112 struct vnode *tdvp,
5113 struct label *tdlabel,
5114 struct vnode *tvp,
5115 struct label *tlabel,
5116 struct componentname *tcnp
0a7de745
A		 5117 );
5118/**
5119 * @brief Access control check for rename from
5120 * @param cred Subject credential
5121 * @param dvp Directory vnode
5122 * @param dlabel Policy label associated with dvp
5123 * @param vp vnode to be renamed
5124 * @param label Policy label associated with vp
5125 * @param cnp Component name for vp
5126 * @see mpo_vnode_check_rename_t
5127 * @see mpo_vnode_check_rename_to_t
5128 *
5129 * Determine whether the subject identified by the credential should be
5130 * allowed to rename the vnode vp to something else.
5131 *
5132 * Due to VFS locking constraints (to make sure proper vnode locks are
5133 * held during this entry point), the vnode relabel checks had to be
5134 * split into two parts: relabel_from and relabel to.
5135 *
5136 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
5137 *
5138 * @return Return 0 if access is granted, otherwise an appropriate value for
5139 * errno should be returned.
5140 */
2d21ac55
A		 5141typedef int mpo_vnode_check_rename_from_t(
5142 kauth_cred_t cred,
5143 struct vnode *dvp,
5144 struct label *dlabel,
5145 struct vnode *vp,
5146 struct label *label,
5147 struct componentname *cnp
0a7de745
A		 5148 );
5149/**
5150 * @brief Access control check for rename to
5151 * @param cred Subject credential
5152 * @param dvp Directory vnode
5153 * @param dlabel Policy label associated with dvp
5154 * @param vp Overwritten vnode
5155 * @param label Policy label associated with vp
5156 * @param samedir Boolean; 1 if the source and destination directories are the same
5157 * @param cnp Destination component name
5158 * @see mpo_vnode_check_rename_t
5159 * @see mpo_vnode_check_rename_from_t
5160 *
5161 * Determine whether the subject identified by the credential should be
5162 * allowed to rename to the vnode vp, into the directory dvp, or to the
5163 * name represented by cnp. If there is no existing file to overwrite,
5164 * vp and label will be NULL.
5165 *
5166 * Due to VFS locking constraints (to make sure proper vnode locks are
5167 * held during this entry point), the vnode relabel checks had to be
5168 * split into two parts: relabel_from and relabel to.
5169 *
5170 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
5171 *
5172 * @return Return 0 if access is granted, otherwise an appropriate value for
5173 * errno should be returned.
5174 */
2d21ac55
A		 5175typedef int mpo_vnode_check_rename_to_t(
5176 kauth_cred_t cred,
5177 struct vnode *dvp,
5178 struct label *dlabel,
0a7de745
A		 5179 struct vnode *vp, /* NULLOK */
5180 struct label *label, /* NULLOK */
2d21ac55
A		 5181 int samedir,
5182 struct componentname *cnp
0a7de745 5183 );
2d21ac55 5184/**
0a7de745
A		 5185 * @brief Access control check for revoke
5186 * @param cred Subject credential
5187 * @param vp Object vnode
5188 * @param label Policy label for vp
5189 *
5190 * Determine whether the subject identified by the credential can revoke
5191 * access to the passed vnode.
5192 *
5193 * @return Return 0 if access is granted, otherwise an appropriate value for
5194 * errno should be returned. Suggested failure: EACCES for label mismatch or
5195 * EPERM for lack of privilege.
5196 */
2d21ac55
A		 5197typedef int mpo_vnode_check_revoke_t(
5198 kauth_cred_t cred,
5199 struct vnode *vp,
5200 struct label *label
0a7de745 5201 );
6d2010ae 5202/**
0a7de745
A		 5203 * @brief Access control check for searchfs
5204 * @param cred Subject credential
5205 * @param vp Object vnode
5206 * @param vlabel Policy label for vp
5207 * @param alist List of attributes used as search criteria
5208 *
5209 * Determine whether the subject identified by the credential can search the
5210 * vnode using the searchfs system call.
5211 *
5212 * @return Return 0 if access is granted, otherwise an appropriate value for
5213 * errno should be returned.
5214 */
6d2010ae
A		 5215typedef int mpo_vnode_check_searchfs_t(
5216 kauth_cred_t cred,
5217 struct vnode *vp,
5218 struct label *vlabel,
5219 struct attrlist *alist
0a7de745 5220 );
2d21ac55 5221/**
0a7de745
A		 5222 * @brief Access control check for select
5223 * @param cred Subject credential
5224 * @param vp Object vnode
5225 * @param label Policy label for vp
5226 * @param which The operation selected on: FREAD or FWRITE
5227 *
5228 * Determine whether the subject identified by the credential can select
5229 * the vnode.
5230 *
5231 * @return Return 0 if access is granted, otherwise an appropriate value for
5232 * errno should be returned.
5233 */
2d21ac55
A		 5234typedef int mpo_vnode_check_select_t(
5235 kauth_cred_t cred,
5236 struct vnode *vp,
5237 struct label *label,
5238 int which
0a7de745 5239 );
39037602 5240/**
0a7de745
A		 5241 * @brief Access control check for setting ACL
5242 * @param cred Subject credential
5243 * @param vp Object node
5244 * @param label Policy label for vp
5245 * @param acl ACL structure pointer
5246 *
5247 * Determine whether the subject identified by the credential can set an ACL
5248 * on the specified vnode. The ACL pointer will be NULL when removing an ACL.
5249 *
5250 * @return Return 0 if access is granted, otherwise an appropriate value for
5251 * errno should be returned. Suggested failure: EACCES for label mismatch or
5252 * EPERM for lack of privilege.
5253 */
39037602
A		 5254typedef int mpo_vnode_check_setacl_t(
5255 kauth_cred_t cred,
5256 struct vnode *vp,
5257 struct label *label,
5258 struct kauth_acl *acl
0a7de745 5259 );
2d21ac55 5260/**
0a7de745
A		 5261 * @brief Access control check for setting file attributes
5262 * @param cred Subject credential
5263 * @param vp Object vnode
5264 * @param vlabel Policy label for vp
5265 * @param alist List of attributes to set
5266 *
5267 * Determine whether the subject identified by the credential can set
5268 * various attributes of the specified vnode, or the filesystem or volume on
5269 * which that vnode resides. See <sys/attr.h> for definitions of the
5270 * attributes.
5271 *
5272 * @return Return 0 if access is granted, otherwise an appropriate value for
5273 * errno should be returned. Suggested failure: EACCES for label mismatch or
5274 * EPERM for lack of privilege. Access control covers all attributes requested
5275 * with this call.
5276 */
2d21ac55
A		 5277typedef int mpo_vnode_check_setattrlist_t(
5278 kauth_cred_t cred,
5279 struct vnode *vp,
5280 struct label *vlabel,
5281 struct attrlist *alist
0a7de745
A		 5282 );
5283/**
5284 * @brief Access control check for setting extended attribute
5285 * @param cred Subject credential
5286 * @param vp Object vnode
5287 * @param label Policy label for vp
5288 * @param name Extended attribute name
5289 * @param uio I/O structure pointer
5290 *
5291 * Determine whether the subject identified by the credential can set the
5292 * extended attribute of passed name and passed namespace on the passed
5293 * vnode. Policies implementing security labels backed into extended
5294 * attributes may want to provide additional protections for those
5295 * attributes. Additionally, policies should avoid making decisions based
5296 * on the data referenced from uio, as there is a potential race condition
5297 * between this check and the actual operation. The uio may also be NULL
5298 * if a delete operation is being performed.
5299 *
5300 * @return Return 0 if access is granted, otherwise an appropriate value for
5301 * errno should be returned. Suggested failure: EACCES for label mismatch or
5302 * EPERM for lack of privilege.
5303 */
2d21ac55
A		 5304typedef int mpo_vnode_check_setextattr_t(
5305 kauth_cred_t cred,
5306 struct vnode *vp,
5307 struct label *label,
5308 const char *name,
5309 struct uio *uio
0a7de745 5310 );
2d21ac55 5311/**
0a7de745
A		 5312 * @brief Access control check for setting flags
5313 * @param cred Subject credential
5314 * @param vp Object vnode
5315 * @param label Policy label for vp
5316 * @param flags File flags; see chflags(2)
5317 *
5318 * Determine whether the subject identified by the credential can set
5319 * the passed flags on the passed vnode.
5320 *
5321 * @return Return 0 if access is granted, otherwise an appropriate value for
5322 * errno should be returned. Suggested failure: EACCES for label mismatch or
5323 * EPERM for lack of privilege.
5324 */
2d21ac55
A		 5325typedef int mpo_vnode_check_setflags_t(
5326 kauth_cred_t cred,
5327 struct vnode *vp,
5328 struct label *label,
5329 u_long flags
0a7de745 5330 );
2d21ac55 5331/**
0a7de745
A		 5332 * @brief Access control check for setting mode
5333 * @param cred Subject credential
5334 * @param vp Object vnode
5335 * @param label Policy label for vp
5336 * @param mode File mode; see chmod(2)
5337 *
5338 * Determine whether the subject identified by the credential can set
5339 * the passed mode on the passed vnode.
5340 *
5341 * @return Return 0 if access is granted, otherwise an appropriate value for
5342 * errno should be returned. Suggested failure: EACCES for label mismatch or
5343 * EPERM for lack of privilege.
5344 */
2d21ac55
A		 5345typedef int mpo_vnode_check_setmode_t(
5346 kauth_cred_t cred,
5347 struct vnode *vp,
5348 struct label *label,
5349 mode_t mode
0a7de745
A		 5350 );
5351/**
5352 * @brief Access control check for setting uid and gid
5353 * @param cred Subject credential
5354 * @param vp Object vnode
5355 * @param label Policy label for vp
5356 * @param uid User ID
5357 * @param gid Group ID
5358 *
5359 * Determine whether the subject identified by the credential can set
5360 * the passed uid and passed gid as file uid and file gid on the passed
5361 * vnode. The IDs may be set to (-1) to request no update.
5362 *
5363 * @return Return 0 if access is granted, otherwise an appropriate value for
5364 * errno should be returned. Suggested failure: EACCES for label mismatch or
5365 * EPERM for lack of privilege.
5366 */
2d21ac55
A		 5367typedef int mpo_vnode_check_setowner_t(
5368 kauth_cred_t cred,
5369 struct vnode *vp,
5370 struct label *label,
5371 uid_t uid,
5372 gid_t gid
0a7de745
A		 5373 );
5374/**
5375 * @brief Access control check for setting timestamps
5376 * @param cred Subject credential
5377 * @param vp Object vnode
5378 * @param label Policy label for vp
5379 * @param atime Access time; see utimes(2)
5380 * @param mtime Modification time; see utimes(2)
5381 *
5382 * Determine whether the subject identified by the credential can set
5383 * the passed access timestamps on the passed vnode.
5384 *
5385 * @return Return 0 if access is granted, otherwise an appropriate value for
5386 * errno should be returned. Suggested failure: EACCES for label mismatch or
5387 * EPERM for lack of privilege.
5388 */
2d21ac55
A		 5389typedef int mpo_vnode_check_setutimes_t(
5390 kauth_cred_t cred,
5391 struct vnode *vp,
5392 struct label *label,
5393 struct timespec atime,
5394 struct timespec mtime
0a7de745
A		 5395 );
5396/**
5397 * @brief Access control check after determining the code directory hash
5398 * @param vp vnode vnode to combine into proc
5399 * @param label label associated with the vnode
5400 * @param cpu_type cpu type of the signature being checked
5401 * @param cs_blob the code signature to check
5402 * @param cs_flags update code signing flags if needed
5403 * @param signer_type output parameter for the code signature's signer type
5404 * @param flags operational flag to mpo_vnode_check_signature
5405 * @param fatal_failure_desc description of fatal failure
5406 * @param fatal_failure_desc_len failure description len, failure is fatal if non-0
5407 *
5408 * @return Return 0 if access is granted, otherwise an appropriate value for
5409 * errno should be returned.
743345f9
A		 5410 */
5411typedef int mpo_vnode_check_signature_t(
5412 struct vnode *vp,
5413 struct label *label,
d9a64523 5414 cpu_type_t cpu_type,
743345f9
A		 5415 struct cs_blob *cs_blob,
5416 unsigned int *cs_flags,
5ba3f43e 5417 unsigned int *signer_type,
743345f9
A		 5418 int flags,
5419 char **fatal_failure_desc, size_t *fatal_failure_desc_len
0a7de745 5420 );
2d21ac55 5421/**
0a7de745
A		 5422 * @brief Access control check for stat
5423 * @param active_cred Subject credential
5424 * @param file_cred Credential associated with the struct fileproc
5425 * @param vp Object vnode
5426 * @param label Policy label for vp
5427 *
5428 * Determine whether the subject identified by the credential can stat
5429 * the passed vnode. See stat(2) for more information. The active_cred
5430 * hold the credentials of the subject performing the operation, and
5431 * file_cred holds the credentials of the subject that originally
5432 * opened the file.
5433 *
5434 * @return Return 0 if access is granted, otherwise an appropriate value for
5435 * errno should be returned. Suggested failure: EACCES for label mismatch or
5436 * EPERM for lack of privilege.
5437 */
2d21ac55
A		 5438typedef int mpo_vnode_check_stat_t(
5439 struct ucred *active_cred,
0a7de745 5440 struct ucred *file_cred, /* NULLOK */
2d21ac55
A		 5441 struct vnode *vp,
5442 struct label *label
0a7de745 5443 );
527f9951 5444/**
0a7de745
A		 5445 * @brief Access control check for vnode trigger resolution
5446 * @param cred Subject credential
5447 * @param dvp Object vnode
5448 * @param dlabel Policy label for dvp
5449 * @param cnp Component name that triggered resolution
5450 *
5451 * Determine whether the subject identified by the credential can trigger
5452 * resolution of the passed name (cnp) in the passed directory vnode
5453 * via an external trigger resolver.
5454 *
5455 * @return Return 0 if access is granted, otherwise an appropriate value for
5456 * errno should be returned. Suggested failure: EACCES for label mismatch or
5457 * EPERM for lack of privilege.
5458 */
527f9951
A		 5459typedef int mpo_vnode_check_trigger_resolve_t(
5460 kauth_cred_t cred,
5461 struct vnode *dvp,
5462 struct label *dlabel,
5463 struct componentname *cnp
0a7de745
A		 5464 );
5465/**
5466 * @brief Access control check for truncate/ftruncate
5467 * @param active_cred Subject credential
5468 * @param file_cred Credential associated with the struct fileproc
5469 * @param vp Object vnode
5470 * @param label Policy label for vp
5471 *
5472 * Determine whether the subject identified by the credential can
5473 * perform a truncate operation on the passed vnode. The active_cred hold
5474 * the credentials of the subject performing the operation, and
5475 * file_cred holds the credentials of the subject that originally
5476 * opened the file.
5477 *
5478 * @return Return 0 if access is granted, otherwise an appropriate value for
5479 * errno should be returned. Suggested failure: EACCES for label mismatch or
5480 * EPERM for lack of privilege.
5481 */
2d21ac55
A		 5482typedef int mpo_vnode_check_truncate_t(
5483 kauth_cred_t active_cred,
0a7de745 5484 kauth_cred_t file_cred, /* NULLOK */
2d21ac55
A		 5485 struct vnode *vp,
5486 struct label *label
0a7de745
A		 5487 );
5488/**
5489 * @brief Access control check for binding UNIX domain socket
5490 * @param cred Subject credential
5491 * @param dvp Directory vnode
5492 * @param dlabel Policy label for dvp
5493 * @param cnp Component name for dvp
5494 * @param vap vnode attributes for vap
5495 *
5496 * Determine whether the subject identified by the credential can perform a
5497 * bind operation on a UNIX domain socket with the passed parent directory,
5498 * passed name information, and passed attribute information.
5499 *
5500 * @return Return 0 if access is granted, otherwise an appropriate value for
5501 * errno should be returned. Suggested failure: EACCES for label mismatch or
5502 * EPERM for lack of privilege.
5503 */
b0d623f7
A		 5504typedef int mpo_vnode_check_uipc_bind_t(
5505 kauth_cred_t cred,
5506 struct vnode *dvp,
5507 struct label *dlabel,
5508 struct componentname *cnp,
5509 struct vnode_attr *vap
0a7de745 5510 );
b0d623f7 5511/**
0a7de745
A		 5512 * @brief Access control check for connecting UNIX domain socket
5513 * @param cred Subject credential
5514 * @param vp Object vnode
5515 * @param label Policy label associated with vp
5516 * @param so Socket
5517 *
5518 * Determine whether the subject identified by the credential can perform a
5519 * connect operation on the passed UNIX domain socket vnode.
5520 *
5521 * @return Return 0 if access is granted, otherwise an appropriate value for
5522 * errno should be returned. Suggested failure: EACCES for label mismatch or
5523 * EPERM for lack of privilege.
5524 */
b0d623f7
A		 5525typedef int mpo_vnode_check_uipc_connect_t(
5526 kauth_cred_t cred,
5527 struct vnode *vp,
39037602
A		 5528 struct label *label,
5529 socket_t so
0a7de745
A		 5530 );
5531/**
5532 * @brief Access control check for deleting vnode
5533 * @param cred Subject credential
5534 * @param dvp Parent directory vnode
5535 * @param dlabel Policy label for dvp
5536 * @param vp Object vnode to delete
5537 * @param label Policy label for vp
5538 * @param cnp Component name for vp
5539 * @see mpo_check_rename_to_t
5540 *
5541 * Determine whether the subject identified by the credential can delete
5542 * a vnode from the passed parent directory and passed name information.
5543 * This call may be made in a number of situations, including as a
5544 * results of calls to unlink(2) and rmdir(2). Policies implementing
5545 * this entry point should also implement mpo_check_rename_to to
5546 * authorize deletion of objects as a result of being the target of a rename.
5547 *
5548 * @return Return 0 if access is granted, otherwise an appropriate value for
5549 * errno should be returned. Suggested failure: EACCES for label mismatch or
5550 * EPERM for lack of privilege.
5551 */
2d21ac55
A		 5552typedef int mpo_vnode_check_unlink_t(
5553 kauth_cred_t cred,
5554 struct vnode *dvp,
5555 struct label *dlabel,
5556 struct vnode *vp,
5557 struct label *label,
5558 struct componentname *cnp
0a7de745 5559 );
2d21ac55 5560/**
0a7de745
A		 5561 * @brief Access control check for write
5562 * @param active_cred Subject credential
5563 * @param file_cred Credential associated with the struct fileproc
5564 * @param vp Object vnode
5565 * @param label Policy label for vp
5566 *
5567 * Determine whether the subject identified by the credential can
5568 * perform a write operation on the passed vnode. The active_cred hold
5569 * the credentials of the subject performing the operation, and
5570 * file_cred holds the credentials of the subject that originally
5571 * opened the file.
5572 *
5573 * @return Return 0 if access is granted, otherwise an appropriate value for
5574 * errno should be returned. Suggested failure: EACCES for label mismatch or
5575 * EPERM for lack of privilege.
5576 */
2d21ac55
A		 5577typedef int mpo_vnode_check_write_t(
5578 kauth_cred_t active_cred,
0a7de745 5579 kauth_cred_t file_cred, /* NULLOK */
2d21ac55
A		 5580 struct vnode *vp,
5581 struct label *label
0a7de745
A		 5582 );
5583/**
5584 * @brief Associate a vnode with a devfs entry
5585 * @param mp Devfs mount point
5586 * @param mntlabel Devfs mount point label
5587 * @param de Devfs directory entry
5588 * @param delabel Label associated with de
5589 * @param vp vnode associated with de
5590 * @param vlabel Label associated with vp
5591 *
5592 * Fill in the label (vlabel) for a newly created devfs vnode. The
5593 * label is typically derived from the label on the devfs directory
5594 * entry or the label on the filesystem, supplied as parameters.
5595 */
2d21ac55
A		 5596typedef void mpo_vnode_label_associate_devfs_t(
5597 struct mount *mp,
5598 struct label *mntlabel,
5599 struct devnode *de,
5600 struct label *delabel,
5601 struct vnode *vp,
5602 struct label *vlabel
0a7de745 5603 );
2d21ac55 5604/**
0a7de745
A		 5605 * @brief Associate a label with a vnode
5606 * @param mp File system mount point
5607 * @param mntlabel File system mount point label
5608 * @param vp Vnode to label
5609 * @param vlabel Label associated with vp
5610 *
5611 * Attempt to retrieve label information for the vnode, vp, from the
5612 * file system extended attribute store. The label should be stored in
5613 * the supplied vlabel parameter. If a policy cannot retrieve an
5614 * extended attribute, sometimes it is acceptible to fallback to using
5615 * the mntlabel.
5616 *
5617 * If the policy requires vnodes to have a valid label elsewhere it
5618 * MUST NOT return other than temporary errors, and must always provide
5619 * a valid label of some sort. Returning an error will cause vnode
5620 * labeling to be retried at a later access. Failure to handle policy
5621 * centric errors internally (corrupt labels etc.) will result in
5622 * inaccessible files.
5623 *
5624 * @return In the event of an error, an appropriate value for errno
5625 * should be returned, otherwise return 0 upon success.
5626 */
2d21ac55
A		 5627typedef int mpo_vnode_label_associate_extattr_t(
5628 struct mount *mp,
5629 struct label *mntlabel,
5630 struct vnode *vp,
5631 struct label *vlabel
0a7de745
A		 5632 );
5633/**
5634 * @brief Associate a file label with a vnode
5635 * @param cred User credential
5636 * @param mp Fdesc mount point
5637 * @param mntlabel Fdesc mount point label
5638 * @param fg Fileglob structure
5639 * @param label Policy label for fg
5640 * @param vp Vnode to label
5641 * @param vlabel Label associated with vp
5642 *
5643 * Associate label information for the vnode, vp, with the label of
5644 * the open file descriptor described by fg.
5645 * The label should be stored in the supplied vlabel parameter.
5646 */
2d21ac55
A		 5647typedef void mpo_vnode_label_associate_file_t(
5648 struct ucred *cred,
5649 struct mount *mp,
5650 struct label *mntlabel,
5651 struct fileglob *fg,
5652 struct label *label,
5653 struct vnode *vp,
5654 struct label *vlabel
0a7de745
A		 5655 );
5656/**
5657 * @brief Associate a pipe label with a vnode
5658 * @param cred User credential for the process that opened the pipe
5659 * @param cpipe Pipe structure
5660 * @param pipelabel Label associated with pipe
5661 * @param vp Vnode to label
5662 * @param vlabel Label associated with vp
5663 *
5664 * Associate label information for the vnode, vp, with the label of
5665 * the pipe described by the pipe structure cpipe.
5666 * The label should be stored in the supplied vlabel parameter.
5667 */
2d21ac55
A		 5668typedef void mpo_vnode_label_associate_pipe_t(
5669 struct ucred *cred,
5670 struct pipe *cpipe,
5671 struct label *pipelabel,
5672 struct vnode *vp,
5673 struct label *vlabel
0a7de745
A		 5674 );
5675/**
5676 * @brief Associate a POSIX semaphore label with a vnode
5677 * @param cred User credential for the process that create psem
5678 * @param psem POSIX semaphore structure
5679 * @param psemlabel Label associated with psem
5680 * @param vp Vnode to label
5681 * @param vlabel Label associated with vp
5682 *
5683 * Associate label information for the vnode, vp, with the label of
5684 * the POSIX semaphore described by psem.
5685 * The label should be stored in the supplied vlabel parameter.
5686 */
2d21ac55
A		 5687typedef void mpo_vnode_label_associate_posixsem_t(
5688 struct ucred *cred,
5689 struct pseminfo *psem,
5690 struct label *psemlabel,
5691 struct vnode *vp,
5692 struct label *vlabel
0a7de745
A		 5693 );
5694/**
5695 * @brief Associate a POSIX shared memory label with a vnode
5696 * @param cred User credential for the process that created pshm
5697 * @param pshm POSIX shared memory structure
5698 * @param pshmlabel Label associated with pshm
5699 * @param vp Vnode to label
5700 * @param vlabel Label associated with vp
5701 *
5702 * Associate label information for the vnode, vp, with the label of
5703 * the POSIX shared memory region described by pshm.
5704 * The label should be stored in the supplied vlabel parameter.
5705 */
2d21ac55
A		 5706typedef void mpo_vnode_label_associate_posixshm_t(
5707 struct ucred *cred,
5708 struct pshminfo *pshm,
5709 struct label *pshmlabel,
5710 struct vnode *vp,
5711 struct label *vlabel
0a7de745 5712 );
2d21ac55 5713/**
0a7de745
A		 5714 * @brief Associate a label with a vnode
5715 * @param mp File system mount point
5716 * @param mntlabel File system mount point label
5717 * @param vp Vnode to label
5718 * @param vlabel Label associated with vp
5719 *
5720 * On non-multilabel file systems, set the label for a vnode. The
5721 * label will most likely be based on the file system label.
5722 */
2d21ac55
A		 5723typedef void mpo_vnode_label_associate_singlelabel_t(
5724 struct mount *mp,
5725 struct label *mntlabel,
5726 struct vnode *vp,
5727 struct label *vlabel
0a7de745
A		 5728 );
5729/**
5730 * @brief Associate a socket label with a vnode
5731 * @param cred User credential for the process that opened the socket
5732 * @param so Socket structure
5733 * @param solabel Label associated with so
5734 * @param vp Vnode to label
5735 * @param vlabel Label associated with vp
5736 *
5737 * Associate label information for the vnode, vp, with the label of
5738 * the open socket described by the socket structure so.
5739 * The label should be stored in the supplied vlabel parameter.
5740 */
2d21ac55
A		 5741typedef void mpo_vnode_label_associate_socket_t(
5742 kauth_cred_t cred,
5743 socket_t so,
5744 struct label *solabel,
5745 struct vnode *vp,
5746 struct label *vlabel
0a7de745 5747 );
2d21ac55 5748/**
0a7de745
A		 5749 * @brief Copy a vnode label
5750 * @param src Source vnode label
5751 * @param dest Destination vnode label
5752 *
5753 * Copy the vnode label information from src to dest. On Darwin, this
5754 * is currently only necessary when executing interpreted scripts, but
5755 * will later be used if vnode label externalization cannot be an
5756 * atomic operation.
5757 */
2d21ac55
A		 5758typedef void mpo_vnode_label_copy_t(
5759 struct label *src,
5760 struct label *dest
0a7de745 5761 );
2d21ac55 5762/**
0a7de745
A		 5763 * @brief Destroy vnode label
5764 * @param label The label to be destroyed
5765 *
5766 * Destroy a vnode label. Since the object is going out of scope,
5767 * policy modules should free any internal storage associated with the
5768 * label so that it may be destroyed.
5769 */
2d21ac55
A		 5770typedef void mpo_vnode_label_destroy_t(
5771 struct label *label
0a7de745 5772 );
2d21ac55 5773/**
0a7de745
A		 5774 * @brief Externalize a vnode label for auditing
5775 * @param label Label to be externalized
5776 * @param element_name Name of the label namespace for which labels should be
5777 * externalized
5778 * @param sb String buffer to be filled with a text representation of the label
5779 *
5780 * Produce an external representation of the label on a vnode suitable for
5781 * inclusion in an audit record. An externalized label consists of a text
5782 * representation of the label contents that will be added to the audit record
5783 * as part of a text token. Policy-agnostic user space tools will display
5784 * this externalized version.
5785 *
5786 * @return 0 on success, return non-zero if an error occurs while
5787 * externalizing the label data.
5788 *
5789 */
2d21ac55
A		 5790typedef int mpo_vnode_label_externalize_audit_t(
5791 struct label *label,
5792 char *element_name,
5793 struct sbuf *sb
0a7de745 5794 );
2d21ac55 5795/**
0a7de745
A		 5796 * @brief Externalize a vnode label
5797 * @param label Label to be externalized
5798 * @param element_name Name of the label namespace for which labels should be
5799 * externalized
5800 * @param sb String buffer to be filled with a text representation of the label
5801 *
5802 * Produce an external representation of the label on a vnode. An
5803 * externalized label consists of a text representation of the label
5804 * contents that can be used with user applications. Policy-agnostic
5805 * user space tools will display this externalized version.
5806 *
5807 * @return 0 on success, return non-zero if an error occurs while
5808 * externalizing the label data.
5809 *
5810 */
2d21ac55
A		 5811typedef int mpo_vnode_label_externalize_t(
5812 struct label *label,
5813 char *element_name,
5814 struct sbuf *sb
0a7de745 5815 );
2d21ac55 5816/**
0a7de745
A		 5817 * @brief Initialize vnode label
5818 * @param label New label to initialize
5819 *
5820 * Initialize label storage for use with a newly instantiated vnode, or
5821 * for temporary storage associated with the copying in or out of a
5822 * vnode label. While it is necessary to allocate space for a
5823 * kernel-resident vnode label, it is not yet necessary to link this vnode
5824 * with persistent label storage facilities, such as extended attributes.
5825 * Sleeping is permitted.
5826 */
2d21ac55
A		 5827typedef void mpo_vnode_label_init_t(
5828 struct label *label
0a7de745 5829 );
2d21ac55 5830/**
0a7de745
A		 5831 * @brief Internalize a vnode label
5832 * @param label Label to be internalized
5833 * @param element_name Name of the label namespace for which the label should
5834 * be internalized
5835 * @param element_data Text data to be internalized
5836 *
5837 * Produce a vnode label from an external representation. An
5838 * externalized label consists of a text representation of the label
5839 * contents that can be used with user applications. Policy-agnostic
5840 * user space tools will forward text version to the kernel for
5841 * processing by individual policy modules.
5842 *
5843 * The policy's internalize entry points will be called only if the
5844 * policy has registered interest in the label namespace.
5845 *
5846 * @return 0 on success, Otherwise, return non-zero if an error occurs
5847 * while internalizing the label data.
5848 */
2d21ac55
A		 5849typedef int mpo_vnode_label_internalize_t(
5850 struct label *label,
5851 char *element_name,
5852 char *element_data
0a7de745 5853 );
2d21ac55 5854/**
0a7de745 5855 * @brief Clean up a vnode label
cb323159 5856 * @param label The label to be cleaned or purged
0a7de745
A		 5857 *
5858 * Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but
5859 * typically never frees them. Before vnodes are placed back on free lists for
cb323159
A		 5860 * re-use, policies can cleanup or overwrite any information present in the label,
5861 * or free any internal resources used for the label.
0a7de745 5862 */
2d21ac55
A		 5863typedef void mpo_vnode_label_recycle_t(
5864 struct label *label
0a7de745 5865 );
2d21ac55 5866/**
0a7de745
A		 5867 * @brief Write a label to a extended attribute
5868 * @param cred Subject credential
5869 * @param vp The vnode for which the label is being stored
5870 * @param vlabel Label associated with vp
5871 * @param intlabel The new label to store
5872 *
5873 * Store a new label in the extended attribute corresponding to the
5874 * supplied vnode. The policy has already authorized the operation;
5875 * this call must be implemented in order to perform the actual
5876 * operation.
5877 *
5878 * @return In the event of an error, an appropriate value for errno
5879 * should be returned, otherwise return 0 upon success.
5880 *
5881 * @warning XXX After examining the extended attribute implementation on
5882 * Apple's future release, this entry point may be changed.
5883 */
2d21ac55
A		 5884typedef int mpo_vnode_label_store_t(
5885 kauth_cred_t cred,
5886 struct vnode *vp,
5887 struct label *vlabel,
5888 struct label *intlabel
0a7de745
A		 5889 );
5890/**
5891 * @brief Update vnode label from extended attributes
5892 * @param mp File system mount point
5893 * @param mntlabel Mount point label
5894 * @param vp Vnode to label
5895 * @param vlabel Label associated with vp
5896 * @param name Name of the xattr
5897 * @see mpo_vnode_check_setextattr_t
5898 *
5899 * When an extended attribute is updated via the Vendor attribute management
5900 * functions, the MAC vnode label might also require an update.
5901 * Policies should first determine if 'name' matches their xattr label
5902 * name. If it does, the kernel is has either replaced or removed the
5903 * named extended attribute that was previously associated with the
5904 * vnode. Normally labels should only be modified via MAC Framework label
5905 * management calls, but sometimes the user space components will directly
5906 * modify extended attributes. For example, 'cp', 'tar', etc. manage
5907 * extended attributes in userspace, not the kernel.
5908 *
5909 * This entry point is called after the label update has occurred, so
5910 * it cannot return a failure. However, the operation is preceded by
5911 * the mpo_vnode_check_setextattr() access control check.
5912 *
5913 * If the vnode label needs to be updated the policy should return
5914 * a non-zero value. The vnode label will be marked for re-association
5915 * by the framework.
5916 */
2d21ac55
A		 5917typedef int mpo_vnode_label_update_extattr_t(
5918 struct mount *mp,
5919 struct label *mntlabel,
5920 struct vnode *vp,
5921 struct label *vlabel,
5922 const char *name
0a7de745
A		 5923 );
5924/**
5925 * @brief Update a vnode label
5926 * @param cred Subject credential
5927 * @param vp The vnode to relabel
5928 * @param vnodelabel Existing vnode label
5929 * @param label New label to replace existing label
5930 * @see mpo_vnode_check_label_update_t
5931 *
5932 * The subject identified by the credential has previously requested
5933 * and was authorized to relabel the vnode; this entry point allows
5934 * policies to perform the actual relabel operation. Policies should
5935 * update vnodelabel using the label stored in the label parameter.
5936 */
2d21ac55
A		 5937typedef void mpo_vnode_label_update_t(
5938 kauth_cred_t cred,
5939 struct vnode *vp,
5940 struct label *vnodelabel,
5941 struct label *label
0a7de745 5942 );
39236c6e 5943/**
0a7de745
A		 5944 * @brief Find deatched signatures for a shared library
5945 * @param p file trying to find the signature
5946 * @param vp The vnode to relabel
5947 * @param offset offset in the macho that the signature is requested for (for fat binaries)
5948 * @param label Existing vnode label
5949 *
5950 */
39236c6e
A		 5951typedef int mpo_vnode_find_sigs_t(
5952 struct proc *p,
5953 struct vnode *vp,
5954 off_t offset,
5955 struct label *label
0a7de745
A		 5956 );
5957/**
5958 * @brief Create a new vnode, backed by extended attributes
5959 * @param cred User credential for the creating process
5960 * @param mp File system mount point
5961 * @param mntlabel File system mount point label
5962 * @param dvp Parent directory vnode
5963 * @param dlabel Parent directory vnode label
5964 * @param vp Newly created vnode
5965 * @param vlabel Label to associate with the new vnode
5966 * @param cnp Component name for vp
5967 *
5968 * Write out the label for the newly created vnode, most likely storing
5969 * the results in a file system extended attribute. Most policies will
5970 * derive the new vnode label using information from a combination
5971 * of the subject (user) credential, the file system label, the parent
5972 * directory label, and potentially the path name component.
5973 *
5974 * @return If the operation succeeds, store the new label in vlabel and
5975 * return 0. Otherwise, return an appropriate errno value.
5976 */
2d21ac55
A		 5977typedef int mpo_vnode_notify_create_t(
5978 kauth_cred_t cred,
5979 struct mount *mp,
5980 struct label *mntlabel,
5981 struct vnode *dvp,
5982 struct label *dlabel,
5983 struct vnode *vp,
5984 struct label *vlabel,
5985 struct componentname *cnp
0a7de745 5986 );
2d21ac55 5987
4b17d6b6 5988/**
0a7de745
A		 5989 * @brief Inform MAC policies that a vnode has been opened
5990 * @param cred User credential for the creating process
5991 * @param vp vnode opened
5992 * @param label Policy label for the vp
5993 * @param acc_mode open(2) access mode used
5994 *
5995 * Inform Mac policies that a vnode have been successfully opened
5996 * (passing all MAC polices and DAC).
5997 */
4b17d6b6
A		 5998typedef void mpo_vnode_notify_open_t(
5999 kauth_cred_t cred,
6000 struct vnode *vp,
6001 struct label *label,
6002 int acc_mode
0a7de745 6003 );
4b17d6b6 6004
6d2010ae 6005/**
0a7de745
A		 6006 * @brief Inform MAC policies that a vnode has been renamed
6007 * @param cred User credential for the renaming process
6008 * @param vp Vnode that's being renamed
6009 * @param label Policy label for vp
6010 * @param dvp Parent directory for the destination
6011 * @param dlabel Policy label for dvp
6012 * @param cnp Component name for the destination
6013 *
6014 * Inform MAC policies that a vnode has been renamed.
6d2010ae
A		 6015 */
6016typedef void mpo_vnode_notify_rename_t(
6017 kauth_cred_t cred,
6018 struct vnode *vp,
6019 struct label *label,
6020 struct vnode *dvp,
6021 struct label *dlabel,
6022 struct componentname *cnp
0a7de745 6023 );
6d2010ae 6024
39236c6e 6025/**
0a7de745
A		 6026 * @brief Inform MAC policies that a vnode has been linked
6027 * @param cred User credential for the renaming process
6028 * @param dvp Parent directory for the destination
6029 * @param dlabel Policy label for dvp
6030 * @param vp Vnode that's being linked
6031 * @param vlabel Policy label for vp
6032 * @param cnp Component name for the destination
6033 *
6034 * Inform MAC policies that a vnode has been linked.
39236c6e
A		 6035 */
6036typedef void mpo_vnode_notify_link_t(
6037 kauth_cred_t cred,
6038 struct vnode *dvp,
6039 struct label *dlabel,
6040 struct vnode *vp,
6041 struct label *vlabel,
6042 struct componentname *cnp
0a7de745 6043 );
39236c6e 6044
39037602 6045/**
0a7de745
A		 6046 * @brief Inform MAC policies that an extended attribute has been removed from a vnode
6047 * @param cred Subject credential
6048 * @param vp Object node
6049 * @param label Policy label for vp
6050 * @param name Extended attribute name
6051 *
6052 * Inform MAC policies that an extended attribute has been removed from a vnode.
6053 */
39037602
A		 6054typedef void mpo_vnode_notify_deleteextattr_t(
6055 kauth_cred_t cred,
6056 struct vnode *vp,
6057 struct label *label,
6058 const char *name
0a7de745 6059 );
39037602
A		 6060
6061
6062/**
0a7de745
A		 6063 * @brief Inform MAC policies that an ACL has been set on a vnode
6064 * @param cred Subject credential
6065 * @param vp Object node
6066 * @param label Policy label for vp
6067 * @param acl ACL structure pointer
6068 *
6069 * Inform MAC policies that an ACL has been set on a vnode.
6070 */
39037602
A		 6071typedef void mpo_vnode_notify_setacl_t(
6072 kauth_cred_t cred,
6073 struct vnode *vp,
6074 struct label *label,
6075 struct kauth_acl *acl
0a7de745 6076 );
39037602
A		 6077
6078/**
0a7de745
A		 6079 * @brief Inform MAC policies that an attributes have been set on a vnode
6080 * @param cred Subject credential
6081 * @param vp Object vnode
6082 * @param label Policy label for vp
6083 * @param alist List of attributes to set
6084 *
6085 * Inform MAC policies that an attributes have been set on a vnode.
6086 */
39037602
A		 6087typedef void mpo_vnode_notify_setattrlist_t(
6088 kauth_cred_t cred,
6089 struct vnode *vp,
6090 struct label *label,
6091 struct attrlist *alist
0a7de745 6092 );
39037602
A		 6093
6094/**
0a7de745
A		 6095 * @brief Inform MAC policies that an extended attribute has been set on a vnode
6096 * @param cred Subject credential
6097 * @param vp Object vnode
6098 * @param label Policy label for vp
6099 * @param name Extended attribute name
6100 * @param uio I/O structure pointer
6101 *
6102 * Inform MAC policies that an extended attribute has been set on a vnode.
6103 */
39037602
A		 6104typedef void mpo_vnode_notify_setextattr_t(
6105 kauth_cred_t cred,
6106 struct vnode *vp,
6107 struct label *label,
6108 const char *name,
6109 struct uio *uio
0a7de745 6110 );
39037602
A		 6111
6112/**
0a7de745
A		 6113 * @brief Inform MAC policies that flags have been set on a vnode
6114 * @param cred Subject credential
6115 * @param vp Object vnode
6116 * @param label Policy label for vp
6117 * @param flags File flags; see chflags(2)
6118 *
6119 * Inform MAC policies that flags have been set on a vnode.
6120 */
39037602
A		 6121typedef void mpo_vnode_notify_setflags_t(
6122 kauth_cred_t cred,
6123 struct vnode *vp,
6124 struct label *label,
6125 u_long flags
0a7de745 6126 );
39037602
A		 6127
6128/**
0a7de745
A		 6129 * @brief Inform MAC policies that a new mode has been set on a vnode
6130 * @param cred Subject credential
6131 * @param vp Object vnode
6132 * @param label Policy label for vp
6133 * @param mode File mode; see chmod(2)
6134 *
6135 * Inform MAC policies that a new mode has been set on a vnode.
6136 */
39037602
A		 6137typedef void mpo_vnode_notify_setmode_t(
6138 kauth_cred_t cred,
6139 struct vnode *vp,
6140 struct label *label,
6141 mode_t mode
0a7de745 6142 );
39037602
A		 6143
6144/**
0a7de745
A		 6145 * @brief Inform MAC policies that new uid/gid have been set on a vnode
6146 * @param cred Subject credential
6147 * @param vp Object vnode
6148 * @param label Policy label for vp
6149 * @param uid User ID
6150 * @param gid Group ID
6151 *
6152 * Inform MAC policies that new uid/gid have been set on a vnode.
6153 */
39037602
A		 6154typedef void mpo_vnode_notify_setowner_t(
6155 kauth_cred_t cred,
6156 struct vnode *vp,
6157 struct label *label,
6158 uid_t uid,
6159 gid_t gid
0a7de745 6160 );
39037602
A		 6161
6162/**
0a7de745
A		 6163 * @brief Inform MAC policies that new timestamps have been set on a vnode
6164 * @param cred Subject credential
6165 * @param vp Object vnode
6166 * @param label Policy label for vp
6167 * @param atime Access time; see utimes(2)
6168 * @param mtime Modification time; see utimes(2)
6169 *
6170 * Inform MAC policies that new timestamps have been set on a vnode.
6171 */
39037602
A		 6172typedef void mpo_vnode_notify_setutimes_t(
6173 kauth_cred_t cred,
6174 struct vnode *vp,
6175 struct label *label,
6176 struct timespec atime,
6177 struct timespec mtime
0a7de745 6178 );
39037602
A		 6179
6180/**
0a7de745
A		 6181 * @brief Inform MAC policies that a vnode has been truncated
6182 * @param cred Subject credential
6183 * @param file_cred Credential associated with the struct fileproc
6184 * @param vp Object vnode
6185 * @param label Policy label for vp
6186 *
6187 * Inform MAC policies that a vnode has been truncated.
6188 */
39037602
A		 6189typedef void mpo_vnode_notify_truncate_t(
6190 kauth_cred_t cred,
6191 kauth_cred_t file_cred,
6192 struct vnode *vp,
6193 struct label *label
0a7de745 6194 );
39037602
A		 6195
6196
39236c6e 6197/**
0a7de745
A		 6198 * @brief Inform MAC policies that a pty slave has been granted
6199 * @param p Responsible process
6200 * @param tp tty data structure
6201 * @param dev Major and minor numbers of device
6202 * @param label Policy label for tp
6203 *
6204 * Inform MAC policies that a pty slave has been granted.
6205 */
39236c6e
A		 6206typedef void mpo_pty_notify_grant_t(
6207 proc_t p,
6208 struct tty *tp,
6209 dev_t dev,
6210 struct label *label
0a7de745 6211 );
39236c6e
A		 6212
6213/**
0a7de745
A		 6214 * @brief Inform MAC policies that a pty master has been closed
6215 * @param p Responsible process
6216 * @param tp tty data structure
6217 * @param dev Major and minor numbers of device
6218 * @param label Policy label for tp
6219 *
6220 * Inform MAC policies that a pty master has been closed.
6221 */
39236c6e
A		 6222typedef void mpo_pty_notify_close_t(
6223 proc_t p,
6224 struct tty *tp,
6225 dev_t dev,
6226 struct label *label
0a7de745 6227 );
39236c6e
A		 6228
6229/**
0a7de745
A		 6230 * @brief Access control check for kext loading
6231 * @param cred Subject credential
6232 * @param identifier Kext identifier
6233 *
6234 * Determine whether the subject identified by the credential can load the
6235 * specified kext.
6236 *
6237 * @return Return 0 if access is granted, otherwise an appropriate value for
6238 * errno should be returned. Suggested failure: EPERM for lack of privilege.
6239 */
39236c6e
A		 6240typedef int mpo_kext_check_load_t(
6241 kauth_cred_t cred,
6242 const char *identifier
0a7de745 6243 );
39236c6e
A		 6244
6245/**
0a7de745
A		 6246 * @brief Access control check for kext unloading
6247 * @param cred Subject credential
6248 * @param identifier Kext identifier
6249 *
6250 * Determine whether the subject identified by the credential can unload the
6251 * specified kext.
6252 *
6253 * @return Return 0 if access is granted, otherwise an appropriate value for
6254 * errno should be returned. Suggested failure: EPERM for lack of privilege.
6255 */
39236c6e
A		 6256typedef int mpo_kext_check_unload_t(
6257 kauth_cred_t cred,
6258 const char *identifier
0a7de745 6259 );
39236c6e 6260
3e170ce0 6261/**
0a7de745
A		 6262 * @brief Access control check for querying information about loaded kexts
6263 * @param cred Subject credential
6264 *
6265 * Determine whether the subject identified by the credential can query
6266 * information about loaded kexts.
6267 *
6268 * @return Return 0 if access is granted, otherwise an appropriate value for
6269 * errno should be returned. Suggested failure: EPERM for lack of privilege.
6270 */
3e170ce0
A		 6271typedef int mpo_kext_check_query_t(
6272 kauth_cred_t cred
0a7de745 6273 );
3e170ce0 6274
2d21ac55
A		 6275/*
6276 * Placeholder for future events that may need mac hooks.
6277 */
6278typedef void mpo_reserved_hook_t(void);
6279
39236c6e
A		 6280/*
6281 * Policy module operations.
6282 *
6283 * Please note that this should be kept in sync with the check assumptions
6284 * policy in bsd/kern/policy_check.c (policy_ops struct).
6285 */
cb323159 6286#define MAC_POLICY_OPS_VERSION 58 /* inc when new reserved slots are taken */
2d21ac55 6287struct mac_policy_ops {
0a7de745
A		 6288 mpo_audit_check_postselect_t *mpo_audit_check_postselect;
6289 mpo_audit_check_preselect_t *mpo_audit_check_preselect;
6290
6291 mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
6292 mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
6293 mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init;
6294 mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive;
6295
6296 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
6297 mpo_cred_check_label_update_t *mpo_cred_check_label_update;
6298 mpo_cred_check_visible_t *mpo_cred_check_visible;
6299 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork;
6300 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel;
6301 mpo_cred_label_associate_t *mpo_cred_label_associate;
6302 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user;
6303 mpo_cred_label_destroy_t *mpo_cred_label_destroy;
6304 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit;
6305 mpo_cred_label_externalize_t *mpo_cred_label_externalize;
6306 mpo_cred_label_init_t *mpo_cred_label_init;
6307 mpo_cred_label_internalize_t *mpo_cred_label_internalize;
6308 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve;
6309 mpo_cred_label_update_t *mpo_cred_label_update;
6310
6311 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device;
6312 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory;
6313 mpo_devfs_label_copy_t *mpo_devfs_label_copy;
6314 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy;
6315 mpo_devfs_label_init_t *mpo_devfs_label_init;
6316 mpo_devfs_label_update_t *mpo_devfs_label_update;
6317
6318 mpo_file_check_change_offset_t *mpo_file_check_change_offset;
6319 mpo_file_check_create_t *mpo_file_check_create;
6320 mpo_file_check_dup_t *mpo_file_check_dup;
6321 mpo_file_check_fcntl_t *mpo_file_check_fcntl;
6322 mpo_file_check_get_offset_t *mpo_file_check_get_offset;
6323 mpo_file_check_get_t *mpo_file_check_get;
6324 mpo_file_check_inherit_t *mpo_file_check_inherit;
6325 mpo_file_check_ioctl_t *mpo_file_check_ioctl;
6326 mpo_file_check_lock_t *mpo_file_check_lock;
6327 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade;
6328 mpo_file_check_mmap_t *mpo_file_check_mmap;
6329 mpo_file_check_receive_t *mpo_file_check_receive;
6330 mpo_file_check_set_t *mpo_file_check_set;
6331 mpo_file_label_init_t *mpo_file_label_init;
6332 mpo_file_label_destroy_t *mpo_file_label_destroy;
6333 mpo_file_label_associate_t *mpo_file_label_associate;
6334
6335 mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update;
6336 mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit;
6337 mpo_ifnet_label_associate_t *mpo_ifnet_label_associate;
6338 mpo_ifnet_label_copy_t *mpo_ifnet_label_copy;
6339 mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy;
6340 mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize;
6341 mpo_ifnet_label_init_t *mpo_ifnet_label_init;
6342 mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize;
6343 mpo_ifnet_label_update_t *mpo_ifnet_label_update;
6344 mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle;
6345
6346 mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver;
6347 mpo_inpcb_label_associate_t *mpo_inpcb_label_associate;
6348 mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy;
6349 mpo_inpcb_label_init_t *mpo_inpcb_label_init;
6350 mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle;
6351 mpo_inpcb_label_update_t *mpo_inpcb_label_update;
6352
6353 mpo_iokit_check_device_t *mpo_iokit_check_device;
6354
6355 mpo_ipq_label_associate_t *mpo_ipq_label_associate;
6356 mpo_ipq_label_compare_t *mpo_ipq_label_compare;
6357 mpo_ipq_label_destroy_t *mpo_ipq_label_destroy;
6358 mpo_ipq_label_init_t *mpo_ipq_label_init;
6359 mpo_ipq_label_update_t *mpo_ipq_label_update;
39236c6e 6360
39037602
A		 6361 mpo_file_check_library_validation_t *mpo_file_check_library_validation;
6362 mpo_vnode_notify_setacl_t *mpo_vnode_notify_setacl;
6363 mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist;
6364 mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr;
6365 mpo_vnode_notify_setflags_t *mpo_vnode_notify_setflags;
6366 mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode;
6367 mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner;
6368 mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes;
6369 mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate;
39236c6e 6370
0a7de745
A		 6371 mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
6372 mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
6373 mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
6374 mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq;
6375 mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
2d21ac55 6376 mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap;
0a7de745
A		 6377 mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
6378 mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
6379 mpo_mbuf_label_copy_t *mpo_mbuf_label_copy;
6380 mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy;
6381 mpo_mbuf_label_init_t *mpo_mbuf_label_init;
6382
6383 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl;
6384 mpo_mount_check_getattr_t *mpo_mount_check_getattr;
6385 mpo_mount_check_label_update_t *mpo_mount_check_label_update;
6386 mpo_mount_check_mount_t *mpo_mount_check_mount;
6387 mpo_mount_check_remount_t *mpo_mount_check_remount;
6388 mpo_mount_check_setattr_t *mpo_mount_check_setattr;
6389 mpo_mount_check_stat_t *mpo_mount_check_stat;
6390 mpo_mount_check_umount_t *mpo_mount_check_umount;
6391 mpo_mount_label_associate_t *mpo_mount_label_associate;
6392 mpo_mount_label_destroy_t *mpo_mount_label_destroy;
6393 mpo_mount_label_externalize_t *mpo_mount_label_externalize;
6394 mpo_mount_label_init_t *mpo_mount_label_init;
6395 mpo_mount_label_internalize_t *mpo_mount_label_internalize;
6396
6397 mpo_netinet_fragment_t *mpo_netinet_fragment;
6398 mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply;
6399 mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply;
6400
6401 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
6402 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
6403 mpo_pipe_check_label_update_t *mpo_pipe_check_label_update;
6404 mpo_pipe_check_read_t *mpo_pipe_check_read;
6405 mpo_pipe_check_select_t *mpo_pipe_check_select;
6406 mpo_pipe_check_stat_t *mpo_pipe_check_stat;
6407 mpo_pipe_check_write_t *mpo_pipe_check_write;
6408 mpo_pipe_label_associate_t *mpo_pipe_label_associate;
6409 mpo_pipe_label_copy_t *mpo_pipe_label_copy;
6410 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy;
6411 mpo_pipe_label_externalize_t *mpo_pipe_label_externalize;
6412 mpo_pipe_label_init_t *mpo_pipe_label_init;
6413 mpo_pipe_label_internalize_t *mpo_pipe_label_internalize;
6414 mpo_pipe_label_update_t *mpo_pipe_label_update;
6415
6416 mpo_policy_destroy_t *mpo_policy_destroy;
6417 mpo_policy_init_t *mpo_policy_init;
6418 mpo_policy_initbsd_t *mpo_policy_initbsd;
6419 mpo_policy_syscall_t *mpo_policy_syscall;
6420
6421 mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname;
6422 mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports;
6423 mpo_vnode_check_rename_t *mpo_vnode_check_rename;
6424 mpo_kext_check_query_t *mpo_kext_check_query;
6425 mpo_proc_notify_exec_complete_t *mpo_proc_notify_exec_complete;
cb323159
A		 6426 mpo_reserved_hook_t *mpo_reserved4;
6427 mpo_proc_check_syscall_unix_t *mpo_proc_check_syscall_unix;
0a7de745
A		 6428 mpo_proc_check_expose_task_t *mpo_proc_check_expose_task;
6429 mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port;
3e170ce0 6430 mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port;
0a7de745
A		 6431 mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send;
6432 mpo_exc_action_label_associate_t *mpo_exc_action_label_associate;
6433 mpo_exc_action_label_populate_t *mpo_exc_action_label_populate;
6434 mpo_exc_action_label_destroy_t *mpo_exc_action_label_destroy;
6435 mpo_exc_action_label_init_t *mpo_exc_action_label_init;
6436 mpo_exc_action_label_update_t *mpo_exc_action_label_update;
6437
6438 mpo_vnode_check_trigger_resolve_t *mpo_vnode_check_trigger_resolve;
cb323159 6439 mpo_mount_check_mount_late_t *mpo_mount_check_mount_late;
0a7de745
A		 6440 mpo_reserved_hook_t *mpo_reserved1;
6441 mpo_reserved_hook_t *mpo_reserved2;
0a7de745
A		 6442 mpo_skywalk_flow_check_connect_t *mpo_skywalk_flow_check_connect;
6443 mpo_skywalk_flow_check_listen_t *mpo_skywalk_flow_check_listen;
6444
6445 mpo_posixsem_check_create_t *mpo_posixsem_check_create;
6446 mpo_posixsem_check_open_t *mpo_posixsem_check_open;
6447 mpo_posixsem_check_post_t *mpo_posixsem_check_post;
6448 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink;
6449 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait;
6450 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate;
6451 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy;
6452 mpo_posixsem_label_init_t *mpo_posixsem_label_init;
6453 mpo_posixshm_check_create_t *mpo_posixshm_check_create;
6454 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap;
6455 mpo_posixshm_check_open_t *mpo_posixshm_check_open;
6456 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat;
6457 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate;
6458 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink;
6459 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate;
6460 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy;
6461 mpo_posixshm_label_init_t *mpo_posixshm_label_init;
6462
6463 mpo_proc_check_debug_t *mpo_proc_check_debug;
6464 mpo_proc_check_fork_t *mpo_proc_check_fork;
6465 mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name;
6466 mpo_proc_check_get_task_t *mpo_proc_check_get_task;
6467 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit;
6468 mpo_proc_check_getauid_t *mpo_proc_check_getauid;
6469 mpo_proc_check_getlcid_t *mpo_proc_check_getlcid;
6470 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect;
6471 mpo_proc_check_sched_t *mpo_proc_check_sched;
6472 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit;
6473 mpo_proc_check_setauid_t *mpo_proc_check_setauid;
6474 mpo_proc_check_setlcid_t *mpo_proc_check_setlcid;
6475 mpo_proc_check_signal_t *mpo_proc_check_signal;
6476 mpo_proc_check_wait_t *mpo_proc_check_wait;
cb323159
A		 6477 mpo_reserved_hook_t *mpo_reserved5;
6478 mpo_reserved_hook_t *mpo_reserved6;
0a7de745
A		 6479
6480 mpo_socket_check_accept_t *mpo_socket_check_accept;
6481 mpo_socket_check_accepted_t *mpo_socket_check_accepted;
6482 mpo_socket_check_bind_t *mpo_socket_check_bind;
6483 mpo_socket_check_connect_t *mpo_socket_check_connect;
6484 mpo_socket_check_create_t *mpo_socket_check_create;
6485 mpo_socket_check_deliver_t *mpo_socket_check_deliver;
6486 mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter;
6487 mpo_socket_check_label_update_t *mpo_socket_check_label_update;
6488 mpo_socket_check_listen_t *mpo_socket_check_listen;
6489 mpo_socket_check_receive_t *mpo_socket_check_receive;
6490 mpo_socket_check_received_t *mpo_socket_check_received;
6491 mpo_socket_check_select_t *mpo_socket_check_select;
6492 mpo_socket_check_send_t *mpo_socket_check_send;
6493 mpo_socket_check_stat_t *mpo_socket_check_stat;
6494 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt;
6495 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt;
6496 mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept;
6497 mpo_socket_label_associate_t *mpo_socket_label_associate;
6498 mpo_socket_label_copy_t *mpo_socket_label_copy;
6499 mpo_socket_label_destroy_t *mpo_socket_label_destroy;
6500 mpo_socket_label_externalize_t *mpo_socket_label_externalize;
6501 mpo_socket_label_init_t *mpo_socket_label_init;
6502 mpo_socket_label_internalize_t *mpo_socket_label_internalize;
6503 mpo_socket_label_update_t *mpo_socket_label_update;
6504
6505 mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf;
6506 mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket;
6507 mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy;
6508 mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize;
6509 mpo_socketpeer_label_init_t *mpo_socketpeer_label_init;
6510
6511 mpo_system_check_acct_t *mpo_system_check_acct;
6512 mpo_system_check_audit_t *mpo_system_check_audit;
6513 mpo_system_check_auditctl_t *mpo_system_check_auditctl;
6514 mpo_system_check_auditon_t *mpo_system_check_auditon;
6515 mpo_system_check_host_priv_t *mpo_system_check_host_priv;
6516 mpo_system_check_nfsd_t *mpo_system_check_nfsd;
6517 mpo_system_check_reboot_t *mpo_system_check_reboot;
6518 mpo_system_check_settime_t *mpo_system_check_settime;
6519 mpo_system_check_swapoff_t *mpo_system_check_swapoff;
6520 mpo_system_check_swapon_t *mpo_system_check_swapon;
6521 mpo_socket_check_ioctl_t *mpo_socket_check_ioctl;
6522
6523 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate;
6524 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy;
6525 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init;
6526 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle;
6527 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue;
6528 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv;
6529 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid;
6530 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl;
6531 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget;
6532 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv;
6533 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd;
6534 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate;
6535 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy;
6536 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init;
6537 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle;
6538 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl;
6539 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget;
6540 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop;
6541 mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate;
6542 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy;
6543 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init;
6544 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle;
6545 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat;
6546 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl;
6547 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt;
6548 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget;
6549 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate;
6550 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy;
6551 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init;
6552 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle;
6553
6554 mpo_proc_notify_exit_t *mpo_proc_notify_exit;
6555 mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert;
6556 mpo_vnode_check_getattr_t *mpo_vnode_check_getattr;
6557 mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create;
6558 mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete;
6559 mpo_vnode_check_clone_t *mpo_vnode_check_clone;
6560 mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info;
6561 mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info;
6562
6563 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control;
6564
6565 mpo_vnode_check_access_t *mpo_vnode_check_access;
6566 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir;
6567 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot;
6568 mpo_vnode_check_create_t *mpo_vnode_check_create;
6569 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr;
6570 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata;
6571 mpo_vnode_check_exec_t *mpo_vnode_check_exec;
6572 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist;
6573 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr;
6574 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl;
6575 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter;
6576 mpo_vnode_check_label_update_t *mpo_vnode_check_label_update;
6577 mpo_vnode_check_link_t *mpo_vnode_check_link;
6578 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr;
6579 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup;
6580 mpo_vnode_check_open_t *mpo_vnode_check_open;
6581 mpo_vnode_check_read_t *mpo_vnode_check_read;
6582 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir;
6583 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink;
6584 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from;
6585 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to;
6586 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke;
6587 mpo_vnode_check_select_t *mpo_vnode_check_select;
6588 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist;
6589 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr;
6590 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags;
6591 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode;
6592 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner;
6593 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes;
6594 mpo_vnode_check_stat_t *mpo_vnode_check_stat;
6595 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate;
6596 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink;
6597 mpo_vnode_check_write_t *mpo_vnode_check_write;
6598 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs;
6599 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr;
6600 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file;
6601 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe;
6602 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem;
6603 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm;
6604 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel;
6605 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket;
6606 mpo_vnode_label_copy_t *mpo_vnode_label_copy;
6607 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy;
6608 mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit;
6609 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize;
6610 mpo_vnode_label_init_t *mpo_vnode_label_init;
6611 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize;
6612 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle;
6613 mpo_vnode_label_store_t *mpo_vnode_label_store;
6614 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr;
6615 mpo_vnode_label_update_t *mpo_vnode_label_update;
6616 mpo_vnode_notify_create_t *mpo_vnode_notify_create;
6617 mpo_vnode_check_signature_t *mpo_vnode_check_signature;
6618 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind;
6619 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect;
6620
6621 mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid;
6622 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume;
6623
6624 mpo_thread_userret_t *mpo_thread_userret;
6625
6626 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties;
6627
cb323159 6628 mpo_reserved_hook_t *mpo_reserved3;
0a7de745
A		 6629
6630 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs;
6631
6632 mpo_priv_check_t *mpo_priv_check;
6633 mpo_priv_grant_t *mpo_priv_grant;
6634
6635 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon;
6636
6637 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath;
6638
6639 mpo_iokit_check_open_t *mpo_iokit_check_open;
6640
6641 mpo_proc_check_ledger_t *mpo_proc_check_ledger;
6642
6643 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename;
6644
6645 mpo_vnode_check_setacl_t *mpo_vnode_check_setacl;
39037602
A		 6646
6647 mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr;
39236c6e 6648
0a7de745 6649 mpo_system_check_kas_info_t *mpo_system_check_kas_info;
39236c6e 6650
0a7de745 6651 mpo_vnode_check_lookup_preflight_t *mpo_vnode_check_lookup_preflight;
39236c6e 6652
0a7de745 6653 mpo_vnode_notify_open_t *mpo_vnode_notify_open;
39236c6e 6654
0a7de745 6655 mpo_system_check_info_t *mpo_system_check_info;
39236c6e 6656
0a7de745
A		 6657 mpo_pty_notify_grant_t *mpo_pty_notify_grant;
6658 mpo_pty_notify_close_t *mpo_pty_notify_close;
39236c6e 6659
0a7de745 6660 mpo_vnode_find_sigs_t *mpo_vnode_find_sigs;
39236c6e 6661
0a7de745
A		 6662 mpo_kext_check_load_t *mpo_kext_check_load;
6663 mpo_kext_check_unload_t *mpo_kext_check_unload;
39236c6e 6664
0a7de745
A		 6665 mpo_proc_check_proc_info_t *mpo_proc_check_proc_info;
6666 mpo_vnode_notify_link_t *mpo_vnode_notify_link;
6667 mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties;
6668 mpo_iokit_check_get_property_t *mpo_iokit_check_get_property;
2d21ac55
A		 6669};
6670
6671/**
0a7de745
A		 6672 * @brief MAC policy handle type
6673 *
6674 * The MAC handle is used to uniquely identify a loaded policy within
6675 * the MAC Framework.
6676 *
6677 * A variable of this type is set by mac_policy_register().
2d21ac55
A		 6678 */
6679typedef unsigned int mac_policy_handle_t;
6680
0a7de745 6681#define mpc_t struct mac_policy_conf *
2d21ac55
A		 6682
6683/**
0a7de745
A		 6684 * @brief Mac policy configuration
6685 *
6686 * This structure specifies the configuration information for a
6687 * MAC policy module. A policy module developer must supply
6688 * a short unique policy name, a more descriptive full name, a list of label
6689 * namespaces and count, a pointer to the registered enty point operations,
6690 * any load time flags, and optionally, a pointer to a label slot identifier.
6691 *
6692 * The Framework will update the runtime flags (mpc_runtime_flags) to
6693 * indicate that the module has been registered.
6694 *
6695 * If the label slot identifier (mpc_field_off) is NULL, the Framework
6696 * will not provide label storage for the policy. Otherwise, the
6697 * Framework will store the label location (slot) in this field.
6698 *
6699 * The mpc_list field is used by the Framework and should not be
6700 * modified by policies.
6701 */
2d21ac55
A		 6702/* XXX - reorder these for better aligment on 64bit platforms */
6703struct mac_policy_conf {
0a7de745
A		 6704 const char *mpc_name; /** policy name */
6705 const char *mpc_fullname; /** full name */
6706 char const * const *mpc_labelnames; /** managed label namespaces */
6707 unsigned int mpc_labelname_count; /** number of managed label namespaces */
6708 const struct mac_policy_ops *mpc_ops; /** operation vector */
6709 int mpc_loadtime_flags; /** load time flags */
6710 int *mpc_field_off; /** label slot */
6711 int mpc_runtime_flags; /** run time flags */
6712 mpc_t mpc_list; /** List reference */
6713 void *mpc_data; /** module data */
2d21ac55
A		 6714};
6715
6716/**
0a7de745
A		 6717 * @brief MAC policy module registration routine
6718 *
6719 * This function is called to register a policy with the
6720 * MAC framework. A policy module will typically call this from the
6721 * Darwin KEXT registration routine.
2d21ac55 6722 */
0a7de745 6723int mac_policy_register(struct mac_policy_conf *mpc,
2d21ac55
A		 6724 mac_policy_handle_t *handlep, void *xd);
6725
6726/**
0a7de745
A		 6727 * @brief MAC policy module de-registration routine
6728 *
6729 * This function is called to de-register a policy with theD
6730 * MAC framework. A policy module will typically call this from the
6731 * Darwin KEXT de-registration routine.
2d21ac55 6732 */
0a7de745 6733int mac_policy_unregister(mac_policy_handle_t handle);
2d21ac55
A		 6734
6735/*
6736 * Framework entry points for the policies to add audit data.
6737 */
0a7de745 6738int mac_audit_text(char *text, mac_policy_handle_t handle);
2d21ac55
A		 6739
6740/*
6741 * Calls to assist with use of Apple XATTRs within policy modules.
6742 */
0a7de745
A		 6743int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t);
6744int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t,
6745 size_t *);
6746int mac_vnop_removexattr(struct vnode *, const char *);
2d21ac55 6747
39037602 6748/**
0a7de745
A		 6749 * @brief Set an extended attribute on a vnode-based fileglob.
6750 * @param fg fileglob representing file to attach the extended attribute
6751 * @param name extended attribute name
6752 * @param buf buffer of data to use as the extended attribute value
6753 * @param len size of buffer
6754 *
6755 * Sets the value of an extended attribute on a file.
6756 *
6757 * Caller must hold an iocount on the vnode represented by the fileglob.
6758 */
6759int mac_file_setxattr(struct fileglob *fg, const char *name, char *buf, size_t len);
39037602
A		 6760
6761/**
0a7de745
A		 6762 * @brief Get an extended attribute from a vnode-based fileglob.
6763 * @param fg fileglob representing file to read the extended attribute
6764 * @param name extended attribute name
6765 * @param buf buffer of data to hold the extended attribute value
6766 * @param len size of buffer
6767 * @param attrlen size of full extended attribute value
6768 *
6769 * Gets the value of an extended attribute on a file.
6770 *
6771 * Caller must hold an iocount on the vnode represented by the fileglob.
6772 */
6773int mac_file_getxattr(struct fileglob *fg, const char *name, char *buf, size_t len,
6774 size_t *attrlen);
39037602
A		 6775
6776/**
0a7de745
A		 6777 * @brief Remove an extended attribute from a vnode-based fileglob.
6778 * @param fg fileglob representing file to remove the extended attribute
6779 * @param name extended attribute name
6780 *
6781 * Removes the named extended attribute from the file.
6782 *
6783 * Caller must hold an iocount on the vnode represented by the fileglob.
6784 */
6785int mac_file_removexattr(struct fileglob *fg, const char *name);
39037602
A		 6786
6787
2d21ac55
A		 6788/*
6789 * Arbitrary limit on how much data will be logged by the audit
6790 * entry points above.
6791 */
0a7de745 6792#define MAC_AUDIT_DATA_LIMIT 1024
2d21ac55
A		 6793
6794/*
6795 * Values returned by mac_audit_{pre,post}select. To combine the responses
6796 * of the security policies into a single decision,
6797 * mac_audit_{pre,post}select() choose the greatest value returned.
6798 */
0a7de745
A		 6799#define MAC_AUDIT_DEFAULT 0 /* use system behavior */
6800#define MAC_AUDIT_NO 1 /* force not auditing this event */
6801#define MAC_AUDIT_YES 2 /* force auditing this event */
2d21ac55
A		 6802
6803// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field
6804
6805/**
0a7de745
A		 6806 * @name Flags for the mpc_loadtime_flags field
6807 * @see mac_policy_conf
6808 *
6809 * This is the complete list of flags that are supported by the
6810 * mpc_loadtime_flags field of the mac_policy_conf structure. These
6811 * flags specify the load time behavior of MAC Framework policy
6812 * modules.
6813 */
2d21ac55
A		 6814
6815/*@{*/
6816
6817/**
0a7de745
A		 6818 * @brief Flag to indicate registration preference
6819 *
6820 * This flag indicates that the policy module must be loaded and
6821 * initialized early in the boot process. If the flag is specified,
6822 * attempts to register the module following boot will be rejected. The
6823 * flag may be used by policies that require pervasive labeling of all
6824 * system objects, and cannot handle objects that have not been
6825 * properly initialized by the policy.
6826 */
6827#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
2d21ac55
A		 6828
6829/**
0a7de745
A		 6830 * @brief Flag to indicate unload preference
6831 *
6832 * This flag indicates that the policy module may be unloaded. If this
6833 * flag is not set, then the policy framework will reject requests to
6834 * unload the module. This flag might be used by modules that allocate
6835 * label state and are unable to free that state at runtime, or for
6836 * modules that simply do not want to permit unload operations.
6837 */
6838#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
2d21ac55
A		 6839
6840/**
0a7de745
A		 6841 * @brief Unsupported
6842 *
6843 * XXX This flag is not yet supported.
6844 */
6845#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
2d21ac55
A		 6846
6847/**
0a7de745
A		 6848 * @brief Flag to indicate a base policy
6849 *
6850 * This flag indicates that the policy module is a base policy. Only
6851 * one module can declare itself as base, otherwise the boot process
6852 * will be halted.
2d21ac55 6853 */
0a7de745 6854#define MPC_LOADTIME_BASE_POLICY 0x00000008
2d21ac55
A		 6855
6856/*@}*/
6857
6858/**
0a7de745
A		 6859 * @brief Policy registration flag
6860 * @see mac_policy_conf
6861 *
6862 * This flag indicates that the policy module has been successfully
6863 * registered with the TrustedBSD MAC Framework. The Framework will
6864 * set this flag in the mpc_runtime_flags field of the policy's
6865 * mac_policy_conf structure after registering the policy.
2d21ac55 6866 */
0a7de745 6867#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
2d21ac55
A		 6868
6869/*
6870 * Depends on POLICY_VER
6871 */
6872
6873#ifndef POLICY_VER
0a7de745 6874#define POLICY_VER 1.0
2d21ac55
A		 6875#endif
6876
0a7de745
A		 6877#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \
6878 static struct mac_policy_conf mpname##_mac_policy_conf = { \
6879 .mpc_name = #mpname, \
6880 .mpc_fullname = mpfullname, \
6881 .mpc_labelnames = lnames, \
6882 .mpc_labelname_count = lcount, \
6883 .mpc_ops = mpops, \
6884 .mpc_loadtime_flags = lflags, \
6885 .mpc_field_off = slot, \
6886 .mpc_runtime_flags = rflags \
6887 }; \
6888 \
6889 static kern_return_t \
6890 kmod_start(kmod_info_t *ki, void *xd) \
6891 { \
6892 return mac_policy_register(&mpname##_mac_policy_conf, \
6893 &handle, xd); \
6894 } \
6895 \
6896 static kern_return_t \
6897 kmod_stop(kmod_info_t *ki, void *xd) \
6898 { \
6899 return mac_policy_unregister(handle); \
6900 } \
6901 \
6902 extern kern_return_t _start(kmod_info_t *ki, void *data); \
6903 extern kern_return_t _stop(kmod_info_t *ki, void *data); \
6904 \
6905 KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \
6906 kmod_start_func_t *_realmain = kmod_start; \
6907 kmod_stop_func_t *_antimain = kmod_stop; \
2d21ac55
A		 6908 int _kext_apple_cc = __APPLE_CC__
6909
6910
0a7de745 6911#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]
2d21ac55 6912
b0d623f7
A		 6913/*
6914 * Policy interface to map a struct label pointer to per-policy data.
6915 * Typically, policies wrap this in their own accessor macro that casts an
6916 * intptr_t to a policy-specific data type.
6917 */
6918intptr_t mac_label_get(struct label *l, int slot);
6919void mac_label_set(struct label *l, int slot, intptr_t v);
cb323159
A		 6920intptr_t mac_vnode_label_get(struct vnode *vp, int slot, intptr_t sentinel);
6921void mac_vnode_label_set(struct vnode *vp, int slot, intptr_t v);
b0d623f7 6922
0a7de745 6923#define mac_get_mpc(h) (mac_policy_list.entries[h].mpc)
2d21ac55
A		 6924
6925/**
0a7de745
A		 6926 * @name Flags for MAC allocator interfaces
6927 *
6928 * These flags are passed to the Darwin kernel allocator routines to
6929 * indicate whether the allocation is permitted to block or not.
6930 * Caution should be taken; some operations are not permitted to sleep,
6931 * and some types of locks cannot be held when sleeping.
2d21ac55
A		 6932 */
6933
6934/*@{*/
6935
6936/**
0a7de745
A		 6937 * @brief Allocation operations may block
6938 *
6939 * If memory is not immediately available, the allocation routine
6940 * will block (typically sleeping) until memory is available.
6941 *
6942 * @warning Inappropriate use of this flag may cause kernel panics.
2d21ac55
A		 6943 */
6944#define MAC_WAITOK 0
6945
6946/**
0a7de745
A		 6947 * @brief Allocation operations may not block
6948 *
6949 * Rather than blocking, the allocator may return an error if memory
6950 * is not immediately available. This type of allocation will not
6951 * sleep, preserving locking semantics.
2d21ac55
A		 6952 */
6953#define MAC_NOWAIT 1
6954
6955/*@}*/
6956
6957#endif /* !_SECURITY_MAC_POLICY_H_ */
mirror of XNU