[apple/xnu.git] / bsd / net / content_filter.h

/*
 * Copyright (c) 2013-2019 Apple Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

#ifndef __CONTENT_FILTER_H__
#define __CONTENT_FILTER_H__

#include <sys/param.h>
#include <sys/types.h>
#include <sys/_types/_timeval64.h>
#include <sys/socket.h>
#include <sys/syslog.h>
#include <netinet/in.h>
#include <stdint.h>
#include <corecrypto/ccsha2.h>

#ifdef BSD_KERNEL_PRIVATE
#include <sys/mbuf.h>
#include <sys/socketvar.h>
#endif /* BSD_KERNEL_PRIVATE */

__BEGIN_DECLS

#ifdef PRIVATE

/*
 * Kernel control name for an instance of a Content Filter
 * Use CTLIOCGINFO to find out the corresponding kernel control id
 * to be set in the sc_id field of sockaddr_ctl for connect(2)
 * Note: the sc_unit is ephemeral
 */
#define CONTENT_FILTER_CONTROL_NAME "com.apple.content-filter"

/*
 * Opaque socket identifier
 */
typedef uint64_t cfil_sock_id_t;

#define CFIL_SOCK_ID_NONE UINT64_MAX


/*
 * CFIL_OPT_NECP_CONTROL_UNIT
 * To set or get the NECP filter control unit for the kernel control socket
 * The option level is SYSPROTO_CONTROL
 */
#define CFIL_OPT_NECP_CONTROL_UNIT      1       /* uint32_t */

/*
 * CFIL_OPT_GET_SOCKET_INFO
 * To get information about a given socket that is being filtered.
 */
#define CFIL_OPT_GET_SOCKET_INFO        2       /* uint32_t */

/*
 * struct cfil_opt_sock_info
 *
 * Contains information about a socket that is being filtered.
 */
struct cfil_opt_sock_info {
	cfil_sock_id_t  cfs_sock_id;
	int                             cfs_sock_family;        /* e.g. PF_INET */
	int                             cfs_sock_type;          /* e.g. SOCK_STREAM */
	int                             cfs_sock_protocol;      /* e.g. IPPROTO_TCP */
	union sockaddr_in_4_6   cfs_local;
	union sockaddr_in_4_6   cfs_remote;
	pid_t                   cfs_pid;
	pid_t                   cfs_e_pid;
	uuid_t                  cfs_uuid;
	uuid_t                  cfs_e_uuid;
};

/*
 * How many filter may be active simultaneously
 */
#if !TARGET_OS_OSX && !defined(XNU_TARGET_OS_OSX)
#define CFIL_MAX_FILTER_COUNT   2
#else
#define CFIL_MAX_FILTER_COUNT   8
#endif


/*
 * Crypto Support
 */
#define CFIL_CRYPTO 1
#define CFIL_CRYPTO_SIGNATURE_SIZE 32
#define CFIL_CRYPTO_DATA_EVENT 1

typedef uint8_t cfil_crypto_key[CCSHA256_OUTPUT_SIZE];
typedef uint8_t cfil_crypto_signature[CFIL_CRYPTO_SIGNATURE_SIZE];

typedef struct cfil_crypto_state {
	const struct ccdigest_info *digest_info;
	cfil_crypto_key key;
} *cfil_crypto_state_t;

typedef struct cfil_crypto_data {
	uuid_t flow_id;
	u_int64_t sock_id;
	u_int32_t direction;
	union sockaddr_in_4_6 remote;
	union sockaddr_in_4_6 local;
	u_int32_t socketProtocol;
	pid_t pid;
	pid_t effective_pid;
	uuid_t uuid;
	uuid_t effective_uuid;
	u_int64_t byte_count_in;
	u_int64_t byte_count_out;
} *cfil_crypto_data_t;

/*
 * Types of messages
 *
 * Event messages flow from kernel to user space while action
 * messages flow in the reverse direction.
 * A message in entirely represented by a packet sent or received
 * on a Content Filter kernel control socket.
 */
#define CFM_TYPE_EVENT 1        /* message from kernel */
#define CFM_TYPE_ACTION 2       /* message to kernel */

/*
 * Operations associated with events from kernel
 */
#define CFM_OP_SOCKET_ATTACHED 1        /* a socket has been attached */
#define CFM_OP_SOCKET_CLOSED 2          /* a socket is being closed */
#define CFM_OP_DATA_OUT 3               /* data being sent */
#define CFM_OP_DATA_IN 4                /* data being received */
#define CFM_OP_DISCONNECT_OUT 5         /* no more outgoing data */
#define CFM_OP_DISCONNECT_IN 6          /* no more incoming data */
#define CFM_OP_STATS 7                  /* periodic stats report(s) */

/*
 * Operations associated with action from filter to kernel
 */
#define CFM_OP_DATA_UPDATE 16           /* update pass or peek offsets */
#define CFM_OP_DROP 17                  /* shutdown socket, no more data */
#define CFM_OP_BLESS_CLIENT 18          /* mark a client flow as already filtered, passes a uuid */
#define CFM_OP_SET_CRYPTO_KEY 19        /* assign client crypto key for message signing */

/*
 * struct cfil_msg_hdr
 *
 * Header common to all messages
 */
struct cfil_msg_hdr {
	uint32_t        cfm_len;        /* total length */
	uint32_t        cfm_version;
	uint32_t        cfm_type;
	uint32_t        cfm_op;
	cfil_sock_id_t  cfm_sock_id;
};

#define CFM_VERSION_CURRENT 1

/*
 * Connection Direction
 */
#define CFS_CONNECTION_DIR_IN  0
#define CFS_CONNECTION_DIR_OUT 1

#define CFS_AUDIT_TOKEN            1

/*
 * struct cfil_msg_sock_attached
 *
 * Information about a new socket being attached to the content filter
 *
 * Action: No reply is expected as this does not block the creation of the
 * TCP/IP but timely action must be taken to avoid user noticeable delays.
 *
 * Valid Types: CFM_TYPE_EVENT
 *
 * Valid Op: CFM_OP_SOCKET_ATTACHED
 */
struct cfil_msg_sock_attached {
	struct cfil_msg_hdr     cfs_msghdr;
	int                     cfs_sock_family;        /* e.g. PF_INET */
	int                     cfs_sock_type;          /* e.g. SOCK_STREAM */
	int                     cfs_sock_protocol;      /* e.g. IPPROTO_TCP */
	int                     cfs_unused;             /* padding */
	pid_t                   cfs_pid;
	pid_t                   cfs_e_pid;
	uuid_t                  cfs_uuid;
	uuid_t                  cfs_e_uuid;
	union sockaddr_in_4_6   cfs_src;
	union sockaddr_in_4_6   cfs_dst;
	int                     cfs_conn_dir;
	unsigned int            cfs_audit_token[8];             /* Must match audit_token_t */
	cfil_crypto_signature   cfs_signature;
	uint32_t                cfs_signature_length;
};

/*
 * CFIL data flags
 */
#define CFD_DATA_FLAG_IP_HEADER         0x00000001          /* Data includes IP header */

/*
 * struct cfil_msg_data_event
 *
 * Event for the content fiter to act on a span of data
 * A data span is described by a pair of offsets over the cumulative
 * number of bytes sent or received on the socket.
 *
 * Action: The event must be acted upon but the filter may buffer
 * data spans until it has enough content to make a decision.
 * The action must be timely to avoid user noticeable delays.
 *
 * Valid Type: CFM_TYPE_EVENT
 *
 * Valid Ops: CFM_OP_DATA_OUT, CFM_OP_DATA_IN
 */
struct cfil_msg_data_event {
	struct cfil_msg_hdr     cfd_msghdr;
	union sockaddr_in_4_6   cfc_src;
	union sockaddr_in_4_6   cfc_dst;
	uint64_t                cfd_start_offset;
	uint64_t                cfd_end_offset;
	cfil_crypto_signature   cfd_signature;
	uint32_t                cfd_signature_length;
	uint32_t                cfd_flags;
	/* Actual content data immediatly follows */
};

#define CFI_MAX_TIME_LOG_ENTRY 6
/*
 * struct cfil_msg_sock_closed
 *
 * Information about a socket being closed to the content filter
 *
 * Action: No reply is expected as this does not block the closing of the
 * TCP/IP.
 *
 * Valid Types: CFM_TYPE_EVENT
 *
 * Valid Op: CFM_OP_SOCKET_CLOSED
 */
struct cfil_msg_sock_closed {
	struct cfil_msg_hdr     cfc_msghdr;
	struct timeval64        cfc_first_event;
	uint32_t                cfc_op_list_ctr;
	uint32_t                cfc_op_time[CFI_MAX_TIME_LOG_ENTRY];    /* time interval in microseconds since first event */
	unsigned char           cfc_op_list[CFI_MAX_TIME_LOG_ENTRY];
	uint64_t                cfc_byte_inbound_count;
	uint64_t                cfc_byte_outbound_count;
	cfil_crypto_signature   cfc_signature;
	uint32_t                cfc_signature_length;
} __attribute__((aligned(8)));

/*
 * struct cfil_msg_stats_report
 *
 * Statistics report for flow(s).
 *
 * Action: No reply is expected.
 *
 * Valid Types: CFM_TYPE_EVENT
 *
 * Valid Op: CFM_OP_STATS
 */
struct cfil_msg_sock_stats {
	cfil_sock_id_t          cfs_sock_id;
	uint64_t                cfs_byte_inbound_count;
	uint64_t                cfs_byte_outbound_count;
	union sockaddr_in_4_6   cfs_laddr;
} __attribute__((aligned(8)));

struct cfil_msg_stats_report {
	struct cfil_msg_hdr        cfr_msghdr;
	uint32_t                   cfr_count;
	struct cfil_msg_sock_stats cfr_stats[];
} __attribute__((aligned(8)));

/*
 * struct cfil_msg_action
 *
 * Valid Type: CFM_TYPE_ACTION
 *
 * Valid Ops: CFM_OP_DATA_UPDATE, CFM_OP_DROP
 *
 * For CFM_OP_DATA_UPDATE:
 *
 * cfa_in_pass_offset and cfa_out_pass_offset indicates how much data is
 * allowed to pass. A zero value does not modify the corresponding pass offset.
 *
 * cfa_in_peek_offset and cfa_out_peek_offset lets the filter specify how much
 * data it needs to make a decision: the kernel will deliver data up to that
 * offset (if less than cfa_pass_offset it is ignored). Use CFM_MAX_OFFSET
 * if you don't value the corresponding peek offset to be updated.
 */
struct cfil_msg_action {
	struct cfil_msg_hdr     cfa_msghdr;
	uint64_t                cfa_in_pass_offset;
	uint64_t                cfa_in_peek_offset;
	uint64_t                cfa_out_pass_offset;
	uint64_t                cfa_out_peek_offset;
	uint32_t                cfa_stats_frequency; // Statistics frequency in milliseconds
};

/*
 * struct cfil_msg_bless_client
 *
 * Marks a client UUID as already filtered at a higher level.
 *
 * Valid Type: CFM_TYPE_ACTION
 *
 * Valid Ops: CFM_OP_BLESS_CLIENT
 */
struct cfil_msg_bless_client {
	struct cfil_msg_hdr     cfb_msghdr;
	uuid_t cfb_client_uuid;
};

/*
 * struct cfil_msg_set_crypto_key
 *
 * Filter assigning client crypto key to CFIL for message signing
 *
 * Valid Type: CFM_TYPE_ACTION
 *
 * Valid Ops: CFM_OP_SET_CRYPTO_KEY
 */
struct cfil_msg_set_crypto_key {
	struct cfil_msg_hdr     cfb_msghdr;
	cfil_crypto_key         crypto_key;
};

#define CFM_MAX_OFFSET  UINT64_MAX

/*
 * Statistics retrieved via sysctl(3)
 */
struct cfil_filter_stat {
	uint32_t        cfs_len;
	uint32_t        cfs_filter_id;
	uint32_t        cfs_flags;
	uint32_t        cfs_sock_count;
	uint32_t        cfs_necp_control_unit;
};

struct cfil_entry_stat {
	uint32_t                ces_len;
	uint32_t                ces_filter_id;
	uint32_t                ces_flags;
	uint32_t                ces_necp_control_unit;
	struct timeval64        ces_last_event;
	struct timeval64        ces_last_action;
	struct cfe_buf_stat {
		uint64_t        cbs_pending_first;
		uint64_t        cbs_pending_last;
		uint64_t        cbs_ctl_first;
		uint64_t        cbs_ctl_last;
		uint64_t        cbs_pass_offset;
		uint64_t        cbs_peek_offset;
		uint64_t        cbs_peeked;
	} ces_snd, ces_rcv;
};

struct cfil_sock_stat {
	uint32_t        cfs_len;
	int             cfs_sock_family;
	int             cfs_sock_type;
	int             cfs_sock_protocol;
	cfil_sock_id_t  cfs_sock_id;
	uint64_t        cfs_flags;
	pid_t           cfs_pid;
	pid_t           cfs_e_pid;
	uuid_t          cfs_uuid;
	uuid_t          cfs_e_uuid;
	struct cfi_buf_stat {
		uint64_t        cbs_pending_first;
		uint64_t        cbs_pending_last;
		uint64_t        cbs_pass_offset;
		uint64_t        cbs_inject_q_len;
	} cfs_snd, cfs_rcv;
	struct cfil_entry_stat  ces_entries[CFIL_MAX_FILTER_COUNT];
};

/*
 * Global statistics
 */
struct cfil_stats {
	int32_t cfs_ctl_connect_ok;
	int32_t cfs_ctl_connect_fail;
	int32_t cfs_ctl_disconnect_ok;
	int32_t cfs_ctl_disconnect_fail;
	int32_t cfs_ctl_send_ok;
	int32_t cfs_ctl_send_bad;
	int32_t cfs_ctl_rcvd_ok;
	int32_t cfs_ctl_rcvd_bad;
	int32_t cfs_ctl_rcvd_flow_lift;
	int32_t cfs_ctl_action_data_update;
	int32_t cfs_ctl_action_drop;
	int32_t cfs_ctl_action_bad_op;
	int32_t cfs_ctl_action_bad_len;

	int32_t cfs_sock_id_not_found;

	int32_t cfs_cfi_alloc_ok;
	int32_t cfs_cfi_alloc_fail;

	int32_t cfs_sock_userspace_only;
	int32_t cfs_sock_attach_in_vain;
	int32_t cfs_sock_attach_already;
	int32_t cfs_sock_attach_no_mem;
	int32_t cfs_sock_attach_failed;
	int32_t cfs_sock_attached;
	int32_t cfs_sock_detached;

	int32_t cfs_attach_event_ok;
	int32_t cfs_attach_event_flow_control;
	int32_t cfs_attach_event_fail;

	int32_t cfs_closed_event_ok;
	int32_t cfs_closed_event_flow_control;
	int32_t cfs_closed_event_fail;

	int32_t cfs_data_event_ok;
	int32_t cfs_data_event_flow_control;
	int32_t cfs_data_event_fail;

	int32_t cfs_stats_event_ok;
	int32_t cfs_stats_event_flow_control;
	int32_t cfs_stats_event_fail;

	int32_t cfs_disconnect_in_event_ok;
	int32_t cfs_disconnect_out_event_ok;
	int32_t cfs_disconnect_event_flow_control;
	int32_t cfs_disconnect_event_fail;

	int32_t cfs_ctl_q_not_started;

	int32_t cfs_close_wait;
	int32_t cfs_close_wait_timeout;

	int32_t cfs_flush_in_drop;
	int32_t cfs_flush_out_drop;
	int32_t cfs_flush_in_close;
	int32_t cfs_flush_out_close;
	int32_t cfs_flush_in_free;
	int32_t cfs_flush_out_free;

	int32_t cfs_inject_q_nomem;
	int32_t cfs_inject_q_nobufs;
	int32_t cfs_inject_q_detached;
	int32_t cfs_inject_q_in_fail;
	int32_t cfs_inject_q_out_fail;

	int32_t cfs_inject_q_in_retry;
	int32_t cfs_inject_q_out_retry;

	int32_t cfs_data_in_control;
	int32_t cfs_data_in_oob;
	int32_t cfs_data_out_control;
	int32_t cfs_data_out_oob;

	int64_t cfs_ctl_q_in_enqueued __attribute__((aligned(8)));
	int64_t cfs_ctl_q_out_enqueued __attribute__((aligned(8)));
	int64_t cfs_ctl_q_in_peeked __attribute__((aligned(8)));
	int64_t cfs_ctl_q_out_peeked __attribute__((aligned(8)));

	int64_t cfs_pending_q_in_enqueued __attribute__((aligned(8)));
	int64_t cfs_pending_q_out_enqueued __attribute__((aligned(8)));

	int64_t cfs_inject_q_in_enqueued __attribute__((aligned(8)));
	int64_t cfs_inject_q_out_enqueued __attribute__((aligned(8)));
	int64_t cfs_inject_q_in_passed __attribute__((aligned(8)));
	int64_t cfs_inject_q_out_passed __attribute__((aligned(8)));
};
#endif /* PRIVATE */

#ifdef BSD_KERNEL_PRIVATE

#define M_SKIPCFIL      M_PROTO5

extern int cfil_log_level;

#define CFIL_LOG(level, fmt, ...) \
do { \
	if (cfil_log_level >= level) \
	        printf("%s:%d " fmt "\n",\
	                __FUNCTION__, __LINE__, ##__VA_ARGS__); \
} while (0)


extern void cfil_init(void);

extern boolean_t cfil_filter_present(void);
extern boolean_t cfil_sock_connected_pending_verdict(struct socket *so);
extern errno_t cfil_sock_attach(struct socket *so,
    struct sockaddr *local, struct sockaddr *remote, int dir);
extern errno_t cfil_sock_detach(struct socket *so);

extern int cfil_sock_data_out(struct socket *so, struct sockaddr  *to,
    struct mbuf *data, struct mbuf *control,
    uint32_t flags);
extern int cfil_sock_data_in(struct socket *so, struct sockaddr *from,
    struct mbuf *data, struct mbuf *control,
    uint32_t flags);

extern int cfil_sock_shutdown(struct socket *so, int *how);
extern void cfil_sock_is_closed(struct socket *so);
extern void cfil_sock_notify_shutdown(struct socket *so, int how);
extern void cfil_sock_close_wait(struct socket *so);

extern boolean_t cfil_sock_data_pending(struct sockbuf *sb);
extern int cfil_sock_data_space(struct sockbuf *sb);
extern void cfil_sock_buf_update(struct sockbuf *sb);

extern cfil_sock_id_t cfil_sock_id_from_socket(struct socket *so);

extern struct m_tag *cfil_dgram_get_socket_state(struct mbuf *m, uint32_t *state_change_cnt,
    short *options, struct sockaddr **faddr, int *inp_flags);
extern boolean_t cfil_dgram_peek_socket_state(struct mbuf *m, int *inp_flags);

#endif /* BSD_KERNEL_PRIVATE */

__END_DECLS

#endif /* __CONTENT_FILTER_H__ */
Commit	Line	Data
fe8ab488	1	/*
cb323159	2	* Copyright (c) 2013-2019 Apple Inc. All rights reserved.
fe8ab488 A	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	#ifndef __CONTENT_FILTER_H__
0a7de745	25	#define __CONTENT_FILTER_H__
fe8ab488 A	26
	27	#include <sys/param.h>
	28	#include <sys/types.h>
3e170ce0	29	#include <sys/_types/_timeval64.h>
fe8ab488 A	30	#include <sys/socket.h>
	31	#include <sys/syslog.h>
	32	#include <netinet/in.h>
	33	#include <stdint.h>
cb323159	34	#include <corecrypto/ccsha2.h>
fe8ab488 A	35
	36	#ifdef BSD_KERNEL_PRIVATE
	37	#include <sys/mbuf.h>
	38	#include <sys/socketvar.h>
	39	#endif /* BSD_KERNEL_PRIVATE */
	40
	41	__BEGIN_DECLS
	42
	43	#ifdef PRIVATE
	44
	45	/*
	46	* Kernel control name for an instance of a Content Filter
	47	* Use CTLIOCGINFO to find out the corresponding kernel control id
	48	* to be set in the sc_id field of sockaddr_ctl for connect(2)
	49	* Note: the sc_unit is ephemeral
	50	*/
0a7de745	51	#define CONTENT_FILTER_CONTROL_NAME "com.apple.content-filter"
fe8ab488	52
5ba3f43e A	53	/*
	54	* Opaque socket identifier
	55	*/
	56	typedef uint64_t cfil_sock_id_t;
	57
0a7de745	58	#define CFIL_SOCK_ID_NONE UINT64_MAX
5ba3f43e A	59
5ba3f43e A	60
fe8ab488 A	61	/*
	62	* CFIL_OPT_NECP_CONTROL_UNIT
	63	* To set or get the NECP filter control unit for the kernel control socket
	64	* The option level is SYSPROTO_CONTROL
	65	*/
0a7de745	66	#define CFIL_OPT_NECP_CONTROL_UNIT 1 /* uint32_t */
fe8ab488	67
5ba3f43e A	68	/*
5ba3f43e A	69	* CFIL_OPT_GET_SOCKET_INFO
0a7de745	70	* To get information about a given socket that is being filtered.
5ba3f43e	71	*/
0a7de745	72	#define CFIL_OPT_GET_SOCKET_INFO 2 /* uint32_t */
5ba3f43e A	73
	74	/*
	75	* struct cfil_opt_sock_info
	76	*
0a7de745	77	* Contains information about a socket that is being filtered.
5ba3f43e A	78	*/
5ba3f43e A	79	struct cfil_opt_sock_info {
0a7de745 A	80	cfil_sock_id_t cfs_sock_id;
	81	int cfs_sock_family; /* e.g. PF_INET */
	82	int cfs_sock_type; /* e.g. SOCK_STREAM */
	83	int cfs_sock_protocol; /* e.g. IPPROTO_TCP */
	84	union sockaddr_in_4_6 cfs_local;
	85	union sockaddr_in_4_6 cfs_remote;
	86	pid_t cfs_pid;
	87	pid_t cfs_e_pid;
	88	uuid_t cfs_uuid;
	89	uuid_t cfs_e_uuid;
5ba3f43e A	90	};
5ba3f43e A	91
fe8ab488 A	92	/*
	93	* How many filter may be active simultaneously
	94	*/
cb323159	95	#if !TARGET_OS_OSX && !defined(XNU_TARGET_OS_OSX)
0a7de745	96	#define CFIL_MAX_FILTER_COUNT 2
cb323159 A	97	#else
	98	#define CFIL_MAX_FILTER_COUNT 8
	99	#endif
	100
	101
	102	/*
	103	* Crypto Support
	104	*/
	105	#define CFIL_CRYPTO 1
	106	#define CFIL_CRYPTO_SIGNATURE_SIZE 32
	107	#define CFIL_CRYPTO_DATA_EVENT 1
	108
	109	typedef uint8_t cfil_crypto_key[CCSHA256_OUTPUT_SIZE];
	110	typedef uint8_t cfil_crypto_signature[CFIL_CRYPTO_SIGNATURE_SIZE];
	111
	112	typedef struct cfil_crypto_state {
	113	const struct ccdigest_info *digest_info;
	114	cfil_crypto_key key;
	115	} *cfil_crypto_state_t;
	116
	117	typedef struct cfil_crypto_data {
	118	uuid_t flow_id;
	119	u_int64_t sock_id;
	120	u_int32_t direction;
	121	union sockaddr_in_4_6 remote;
	122	union sockaddr_in_4_6 local;
	123	u_int32_t socketProtocol;
	124	pid_t pid;
	125	pid_t effective_pid;
	126	uuid_t uuid;
	127	uuid_t effective_uuid;
	128	u_int64_t byte_count_in;
	129	u_int64_t byte_count_out;
	130	} *cfil_crypto_data_t;
fe8ab488 A	131
	132	/*
	133	* Types of messages
	134	*
	135	* Event messages flow from kernel to user space while action
	136	* messages flow in the reverse direction.
	137	* A message in entirely represented by a packet sent or received
	138	* on a Content Filter kernel control socket.
	139	*/
0a7de745 A	140	#define CFM_TYPE_EVENT 1 /* message from kernel */
0a7de745 A	141	#define CFM_TYPE_ACTION 2 /* message to kernel */
fe8ab488 A	142
	143	/*
	144	* Operations associated with events from kernel
	145	*/
0a7de745 A	146	#define CFM_OP_SOCKET_ATTACHED 1 /* a socket has been attached */
	147	#define CFM_OP_SOCKET_CLOSED 2 /* a socket is being closed */
	148	#define CFM_OP_DATA_OUT 3 /* data being sent */
	149	#define CFM_OP_DATA_IN 4 /* data being received */
	150	#define CFM_OP_DISCONNECT_OUT 5 /* no more outgoing data */
	151	#define CFM_OP_DISCONNECT_IN 6 /* no more incoming data */
ea3f0419	152	#define CFM_OP_STATS 7 /* periodic stats report(s) */
fe8ab488 A	153
	154	/*
	155	* Operations associated with action from filter to kernel
	156	*/
0a7de745 A	157	#define CFM_OP_DATA_UPDATE 16 /* update pass or peek offsets */
	158	#define CFM_OP_DROP 17 /* shutdown socket, no more data */
	159	#define CFM_OP_BLESS_CLIENT 18 /* mark a client flow as already filtered, passes a uuid */
cb323159	160	#define CFM_OP_SET_CRYPTO_KEY 19 /* assign client crypto key for message signing */
fe8ab488	161
fe8ab488 A	162	/*
	163	* struct cfil_msg_hdr
	164	*
	165	* Header common to all messages
	166	*/
	167	struct cfil_msg_hdr {
0a7de745 A	168	uint32_t cfm_len; /* total length */
	169	uint32_t cfm_version;
	170	uint32_t cfm_type;
	171	uint32_t cfm_op;
	172	cfil_sock_id_t cfm_sock_id;
fe8ab488 A	173	};
fe8ab488 A	174
0a7de745	175	#define CFM_VERSION_CURRENT 1
fe8ab488	176
cb323159 A	177	/*
	178	* Connection Direction
	179	*/
	180	#define CFS_CONNECTION_DIR_IN 0
	181	#define CFS_CONNECTION_DIR_OUT 1
	182
	183	#define CFS_AUDIT_TOKEN 1
	184
fe8ab488 A	185	/*
	186	* struct cfil_msg_sock_attached
	187	*
	188	* Information about a new socket being attached to the content filter
	189	*
	190	* Action: No reply is expected as this does not block the creation of the
	191	* TCP/IP but timely action must be taken to avoid user noticeable delays.
	192	*
	193	* Valid Types: CFM_TYPE_EVENT
	194	*
	195	* Valid Op: CFM_OP_SOCKET_ATTACHED
	196	*/
	197	struct cfil_msg_sock_attached {
0a7de745 A	198	struct cfil_msg_hdr cfs_msghdr;
	199	int cfs_sock_family; /* e.g. PF_INET */
	200	int cfs_sock_type; /* e.g. SOCK_STREAM */
	201	int cfs_sock_protocol; /* e.g. IPPROTO_TCP */
	202	int cfs_unused; /* padding */
	203	pid_t cfs_pid;
	204	pid_t cfs_e_pid;
	205	uuid_t cfs_uuid;
	206	uuid_t cfs_e_uuid;
cb323159 A	207	union sockaddr_in_4_6 cfs_src;
	208	union sockaddr_in_4_6 cfs_dst;
	209	int cfs_conn_dir;
	210	unsigned int cfs_audit_token[8]; /* Must match audit_token_t */
	211	cfil_crypto_signature cfs_signature;
	212	uint32_t cfs_signature_length;
fe8ab488 A	213	};
fe8ab488 A	214
bca245ac A	215	/*
	216	* CFIL data flags
	217	*/
	218	#define CFD_DATA_FLAG_IP_HEADER 0x00000001 /* Data includes IP header */
	219
fe8ab488 A	220	/*
	221	* struct cfil_msg_data_event
	222	*
	223	* Event for the content fiter to act on a span of data
	224	* A data span is described by a pair of offsets over the cumulative
	225	* number of bytes sent or received on the socket.
	226	*
	227	* Action: The event must be acted upon but the filter may buffer
	228	* data spans until it has enough content to make a decision.
	229	* The action must be timely to avoid user noticeable delays.
	230	*
	231	* Valid Type: CFM_TYPE_EVENT
	232	*
	233	* Valid Ops: CFM_OP_DATA_OUT, CFM_OP_DATA_IN
	234	*/
	235	struct cfil_msg_data_event {
0a7de745 A	236	struct cfil_msg_hdr cfd_msghdr;
	237	union sockaddr_in_4_6 cfc_src;
	238	union sockaddr_in_4_6 cfc_dst;
	239	uint64_t cfd_start_offset;
	240	uint64_t cfd_end_offset;
cb323159 A	241	cfil_crypto_signature cfd_signature;
cb323159 A	242	uint32_t cfd_signature_length;
bca245ac	243	uint32_t cfd_flags;
fe8ab488 A	244	/* Actual content data immediatly follows */
	245	};
	246
5ba3f43e A	247	#define CFI_MAX_TIME_LOG_ENTRY 6
	248	/*
	249	* struct cfil_msg_sock_closed
	250	*
	251	* Information about a socket being closed to the content filter
	252	*
	253	* Action: No reply is expected as this does not block the closing of the
	254	* TCP/IP.
	255	*
	256	* Valid Types: CFM_TYPE_EVENT
	257	*
	258	* Valid Op: CFM_OP_SOCKET_CLOSED
	259	*/
	260	struct cfil_msg_sock_closed {
0a7de745 A	261	struct cfil_msg_hdr cfc_msghdr;
	262	struct timeval64 cfc_first_event;
	263	uint32_t cfc_op_list_ctr;
	264	uint32_t cfc_op_time[CFI_MAX_TIME_LOG_ENTRY]; /* time interval in microseconds since first event */
	265	unsigned char cfc_op_list[CFI_MAX_TIME_LOG_ENTRY];
cb323159 A	266	uint64_t cfc_byte_inbound_count;
	267	uint64_t cfc_byte_outbound_count;
	268	cfil_crypto_signature cfc_signature;
	269	uint32_t cfc_signature_length;
5ba3f43e A	270	} __attribute__((aligned(8)));
5ba3f43e A	271
ea3f0419 A	272	/*
	273	* struct cfil_msg_stats_report
	274	*
	275	* Statistics report for flow(s).
	276	*
	277	* Action: No reply is expected.
	278	*
	279	* Valid Types: CFM_TYPE_EVENT
	280	*
	281	* Valid Op: CFM_OP_STATS
	282	*/
	283	struct cfil_msg_sock_stats {
	284	cfil_sock_id_t cfs_sock_id;
	285	uint64_t cfs_byte_inbound_count;
	286	uint64_t cfs_byte_outbound_count;
	287	union sockaddr_in_4_6 cfs_laddr;
	288	} __attribute__((aligned(8)));
	289
	290	struct cfil_msg_stats_report {
	291	struct cfil_msg_hdr cfr_msghdr;
	292	uint32_t cfr_count;
	293	struct cfil_msg_sock_stats cfr_stats[];
	294	} __attribute__((aligned(8)));
	295
fe8ab488 A	296	/*
	297	* struct cfil_msg_action
	298	*
	299	* Valid Type: CFM_TYPE_ACTION
	300	*
	301	* Valid Ops: CFM_OP_DATA_UPDATE, CFM_OP_DROP
	302	*
	303	* For CFM_OP_DATA_UPDATE:
	304	*
	305	* cfa_in_pass_offset and cfa_out_pass_offset indicates how much data is
	306	* allowed to pass. A zero value does not modify the corresponding pass offset.
	307	*
	308	* cfa_in_peek_offset and cfa_out_peek_offset lets the filter specify how much
	309	* data it needs to make a decision: the kernel will deliver data up to that
	310	* offset (if less than cfa_pass_offset it is ignored). Use CFM_MAX_OFFSET
	311	* if you don't value the corresponding peek offset to be updated.
	312	*/
	313	struct cfil_msg_action {
0a7de745 A	314	struct cfil_msg_hdr cfa_msghdr;
	315	uint64_t cfa_in_pass_offset;
	316	uint64_t cfa_in_peek_offset;
	317	uint64_t cfa_out_pass_offset;
	318	uint64_t cfa_out_peek_offset;
ea3f0419	319	uint32_t cfa_stats_frequency; // Statistics frequency in milliseconds
fe8ab488 A	320	};
fe8ab488 A	321
5ba3f43e A	322	/*
	323	* struct cfil_msg_bless_client
	324	*
	325	* Marks a client UUID as already filtered at a higher level.
	326	*
	327	* Valid Type: CFM_TYPE_ACTION
	328	*
	329	* Valid Ops: CFM_OP_BLESS_CLIENT
	330	*/
	331	struct cfil_msg_bless_client {
0a7de745	332	struct cfil_msg_hdr cfb_msghdr;
5ba3f43e A	333	uuid_t cfb_client_uuid;
	334	};
	335
cb323159 A	336	/*
	337	* struct cfil_msg_set_crypto_key
	338	*
	339	* Filter assigning client crypto key to CFIL for message signing
	340	*
	341	* Valid Type: CFM_TYPE_ACTION
	342	*
	343	* Valid Ops: CFM_OP_SET_CRYPTO_KEY
	344	*/
	345	struct cfil_msg_set_crypto_key {
	346	struct cfil_msg_hdr cfb_msghdr;
	347	cfil_crypto_key crypto_key;
	348	};
	349
0a7de745	350	#define CFM_MAX_OFFSET UINT64_MAX
fe8ab488 A	351
	352	/*
	353	* Statistics retrieved via sysctl(3)
	354	*/
	355	struct cfil_filter_stat {
0a7de745 A	356	uint32_t cfs_len;
	357	uint32_t cfs_filter_id;
	358	uint32_t cfs_flags;
	359	uint32_t cfs_sock_count;
	360	uint32_t cfs_necp_control_unit;
fe8ab488 A	361	};
	362
	363	struct cfil_entry_stat {
0a7de745 A	364	uint32_t ces_len;
	365	uint32_t ces_filter_id;
	366	uint32_t ces_flags;
	367	uint32_t ces_necp_control_unit;
	368	struct timeval64 ces_last_event;
	369	struct timeval64 ces_last_action;
fe8ab488	370	struct cfe_buf_stat {
0a7de745 A	371	uint64_t cbs_pending_first;
	372	uint64_t cbs_pending_last;
	373	uint64_t cbs_ctl_first;
	374	uint64_t cbs_ctl_last;
	375	uint64_t cbs_pass_offset;
	376	uint64_t cbs_peek_offset;
	377	uint64_t cbs_peeked;
fe8ab488 A	378	} ces_snd, ces_rcv;
	379	};
	380
	381	struct cfil_sock_stat {
0a7de745 A	382	uint32_t cfs_len;
	383	int cfs_sock_family;
	384	int cfs_sock_type;
	385	int cfs_sock_protocol;
	386	cfil_sock_id_t cfs_sock_id;
	387	uint64_t cfs_flags;
	388	pid_t cfs_pid;
	389	pid_t cfs_e_pid;
	390	uuid_t cfs_uuid;
	391	uuid_t cfs_e_uuid;
fe8ab488	392	struct cfi_buf_stat {
0a7de745 A	393	uint64_t cbs_pending_first;
	394	uint64_t cbs_pending_last;
	395	uint64_t cbs_pass_offset;
	396	uint64_t cbs_inject_q_len;
fe8ab488	397	} cfs_snd, cfs_rcv;
0a7de745	398	struct cfil_entry_stat ces_entries[CFIL_MAX_FILTER_COUNT];
fe8ab488 A	399	};
	400
	401	/*
	402	* Global statistics
	403	*/
	404	struct cfil_stats {
0a7de745 A	405	int32_t cfs_ctl_connect_ok;
	406	int32_t cfs_ctl_connect_fail;
	407	int32_t cfs_ctl_disconnect_ok;
	408	int32_t cfs_ctl_disconnect_fail;
	409	int32_t cfs_ctl_send_ok;
	410	int32_t cfs_ctl_send_bad;
	411	int32_t cfs_ctl_rcvd_ok;
	412	int32_t cfs_ctl_rcvd_bad;
	413	int32_t cfs_ctl_rcvd_flow_lift;
	414	int32_t cfs_ctl_action_data_update;
	415	int32_t cfs_ctl_action_drop;
	416	int32_t cfs_ctl_action_bad_op;
	417	int32_t cfs_ctl_action_bad_len;
	418
	419	int32_t cfs_sock_id_not_found;
	420
	421	int32_t cfs_cfi_alloc_ok;
	422	int32_t cfs_cfi_alloc_fail;
	423
	424	int32_t cfs_sock_userspace_only;
	425	int32_t cfs_sock_attach_in_vain;
	426	int32_t cfs_sock_attach_already;
	427	int32_t cfs_sock_attach_no_mem;
	428	int32_t cfs_sock_attach_failed;
	429	int32_t cfs_sock_attached;
	430	int32_t cfs_sock_detached;
	431
	432	int32_t cfs_attach_event_ok;
	433	int32_t cfs_attach_event_flow_control;
	434	int32_t cfs_attach_event_fail;
	435
	436	int32_t cfs_closed_event_ok;
	437	int32_t cfs_closed_event_flow_control;
	438	int32_t cfs_closed_event_fail;
	439
	440	int32_t cfs_data_event_ok;
	441	int32_t cfs_data_event_flow_control;
	442	int32_t cfs_data_event_fail;
	443
ea3f0419 A	444	int32_t cfs_stats_event_ok;
	445	int32_t cfs_stats_event_flow_control;
	446	int32_t cfs_stats_event_fail;
	447
0a7de745 A	448	int32_t cfs_disconnect_in_event_ok;
	449	int32_t cfs_disconnect_out_event_ok;
	450	int32_t cfs_disconnect_event_flow_control;
	451	int32_t cfs_disconnect_event_fail;
	452
	453	int32_t cfs_ctl_q_not_started;
fe8ab488 A	454
	455	int32_t cfs_close_wait;
	456	int32_t cfs_close_wait_timeout;
	457
	458	int32_t cfs_flush_in_drop;
	459	int32_t cfs_flush_out_drop;
	460	int32_t cfs_flush_in_close;
	461	int32_t cfs_flush_out_close;
	462	int32_t cfs_flush_in_free;
	463	int32_t cfs_flush_out_free;
	464
0a7de745 A	465	int32_t cfs_inject_q_nomem;
	466	int32_t cfs_inject_q_nobufs;
	467	int32_t cfs_inject_q_detached;
	468	int32_t cfs_inject_q_in_fail;
	469	int32_t cfs_inject_q_out_fail;
fe8ab488	470
0a7de745 A	471	int32_t cfs_inject_q_in_retry;
0a7de745 A	472	int32_t cfs_inject_q_out_retry;
fe8ab488 A	473
	474	int32_t cfs_data_in_control;
	475	int32_t cfs_data_in_oob;
	476	int32_t cfs_data_out_control;
	477	int32_t cfs_data_out_oob;
	478
0a7de745 A	479	int64_t cfs_ctl_q_in_enqueued __attribute__((aligned(8)));
	480	int64_t cfs_ctl_q_out_enqueued __attribute__((aligned(8)));
	481	int64_t cfs_ctl_q_in_peeked __attribute__((aligned(8)));
	482	int64_t cfs_ctl_q_out_peeked __attribute__((aligned(8)));
fe8ab488	483
0a7de745 A	484	int64_t cfs_pending_q_in_enqueued __attribute__((aligned(8)));
0a7de745 A	485	int64_t cfs_pending_q_out_enqueued __attribute__((aligned(8)));
fe8ab488	486
0a7de745 A	487	int64_t cfs_inject_q_in_enqueued __attribute__((aligned(8)));
	488	int64_t cfs_inject_q_out_enqueued __attribute__((aligned(8)));
	489	int64_t cfs_inject_q_in_passed __attribute__((aligned(8)));
	490	int64_t cfs_inject_q_out_passed __attribute__((aligned(8)));
fe8ab488 A	491	};
	492	#endif /* PRIVATE */
	493
	494	#ifdef BSD_KERNEL_PRIVATE
	495
0a7de745	496	#define M_SKIPCFIL M_PROTO5
fe8ab488 A	497
	498	extern int cfil_log_level;
	499
0a7de745	500	#define CFIL_LOG(level, fmt, ...) \
fe8ab488 A	501	do { \
fe8ab488 A	502	if (cfil_log_level >= level) \
0a7de745 A	503	printf("%s:%d " fmt "\n",\
0a7de745 A	504	__FUNCTION__, __LINE__, ##__VA_ARGS__); \
fe8ab488 A	505	} while (0)
	506
	507
	508	extern void cfil_init(void);
	509
cb323159 A	510	extern boolean_t cfil_filter_present(void);
	511	extern boolean_t cfil_sock_connected_pending_verdict(struct socket *so);
	512	extern errno_t cfil_sock_attach(struct socket *so,
	513	struct sockaddr local, struct sockaddr remote, int dir);
fe8ab488 A	514	extern errno_t cfil_sock_detach(struct socket *so);
	515
	516	extern int cfil_sock_data_out(struct socket so, struct sockaddr to,
0a7de745 A	517	struct mbuf data, struct mbuf control,
0a7de745 A	518	uint32_t flags);
fe8ab488	519	extern int cfil_sock_data_in(struct socket so, struct sockaddr from,
0a7de745 A	520	struct mbuf data, struct mbuf control,
0a7de745 A	521	uint32_t flags);
fe8ab488 A	522
	523	extern int cfil_sock_shutdown(struct socket so, int how);
	524	extern void cfil_sock_is_closed(struct socket *so);
	525	extern void cfil_sock_notify_shutdown(struct socket *so, int how);
	526	extern void cfil_sock_close_wait(struct socket *so);
	527
	528	extern boolean_t cfil_sock_data_pending(struct sockbuf *sb);
	529	extern int cfil_sock_data_space(struct sockbuf *sb);
	530	extern void cfil_sock_buf_update(struct sockbuf *sb);
	531
	532	extern cfil_sock_id_t cfil_sock_id_from_socket(struct socket *so);
	533
bca245ac A	534	extern struct m_tag cfil_dgram_get_socket_state(struct mbuf m, uint32_t *state_change_cnt,
	535	short options, struct sockaddr faddr, int inp_flags);
	536	extern boolean_t cfil_dgram_peek_socket_state(struct mbuf m, int inp_flags);
	537
fe8ab488 A	538	#endif /* BSD_KERNEL_PRIVATE */
fe8ab488 A	539
5ba3f43e A	540	__END_DECLS
5ba3f43e A	541
fe8ab488	542	#endif /* __CONTENT_FILTER_H__ */