]> git.saurik.com Git - apple/xnu.git/blame - security/mac_policy.h
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-6153.121.1.tar.gz
[apple/xnu.git] / security / mac_policy.h
CommitLineData
2d21ac55 1/*
39037602 2 * Copyright (c) 2007-2016 Apple Inc. All rights reserved.
2d21ac55
A		 3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
0a7de745 5 *
2d21ac55
A		 6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
0a7de745 14 *
2d21ac55
A		 15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
0a7de745 17 *
2d21ac55
A		 18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
0a7de745 25 *
2d21ac55
A		 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/*-
29 * Copyright (c) 1999-2002 Robert N. M. Watson
30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
31 * Copyright (c) 2005-2007 SPARTA, Inc.
32 * All rights reserved.
33 *
34 * This software was developed by Robert Watson for the TrustedBSD Project.
35 *
36 * This software was developed for the FreeBSD Project in part by Network
37 * Associates Laboratories, the Security Research Division of Network
38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
39 * as part of the DARPA CHATS research program.
40 *
41 * This software was enhanced by SPARTA ISSO under SPAWAR contract
42 * N66001-04-C-6019 ("SEFOS").
43 *
44 * Redistribution and use in source and binary forms, with or without
45 * modification, are permitted provided that the following conditions
46 * are met:
47 * 1. Redistributions of source code must retain the above copyright
48 * notice, this list of conditions and the following disclaimer.
49 * 2. Redistributions in binary form must reproduce the above copyright
50 * notice, this list of conditions and the following disclaimer in the
51 * documentation and/or other materials provided with the distribution.
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
63 * SUCH DAMAGE.
64 *
65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $
66 */
67
68/**
0a7de745
A		 69 * @file mac_policy.h
70 * @brief Kernel Interfaces for MAC policy modules
71 *
72 * This header defines the list of operations that are defined by the
73 * TrustedBSD MAC Framwork on Darwin. MAC Policy modules register
74 * with the framework to declare interest in a specific set of
75 * operations. If interest in an entry point is not declared, then
76 * the policy will be ignored when the Framework evaluates that entry
77 * point.
78 */
2d21ac55
A		 79
80#ifndef _SECURITY_MAC_POLICY_H_
81#define _SECURITY_MAC_POLICY_H_
82
39236c6e
A		 83#ifndef PRIVATE
84#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
85#endif
86
2d21ac55
A		 87#include <security/_label.h>
88
89struct attrlist;
90struct auditinfo;
91struct bpf_d;
39037602 92struct cs_blob;
2d21ac55 93struct devnode;
39037602 94struct exception_action;
2d21ac55
A		 95struct fileglob;
96struct ifnet;
97struct inpcb;
98struct ipq;
99struct label;
2d21ac55
A		 100struct mac_module_data;
101struct mac_policy_conf;
102struct mbuf;
103struct mount;
39236c6e
A		 104struct msg;
105struct msqid_kernel;
2d21ac55
A		 106struct pipe;
107struct pseminfo;
108struct pshminfo;
109struct sbuf;
110struct semid_kernel;
111struct shmid_kernel;
39236c6e
A		 112struct socket;
113struct sockopt;
2d21ac55
A		 114struct task;
115struct thread;
39236c6e 116struct tty;
2d21ac55 117struct ucred;
39236c6e 118struct vfs_attr;
2d21ac55
A		 119struct vnode;
120/** @struct dummy */
121
122
123
124#ifndef _KAUTH_CRED_T
0a7de745 125#define _KAUTH_CRED_T
2d21ac55 126typedef struct ucred *kauth_cred_t;
0a7de745 127#endif /* !_KAUTH_CRED_T */
2d21ac55 128
6d2010ae
A		 129#ifndef __IOKIT_PORTS_DEFINED__
130#define __IOKIT_PORTS_DEFINED__
131#ifdef __cplusplus
132class OSObject;
133typedef OSObject *io_object_t;
134#else
135struct OSObject;
136typedef struct OSObject *io_object_t;
137#endif
138#endif /* __IOKIT_PORTS_DEFINED__ */
2d21ac55
A		 139
140/*-
141 * MAC entry points are generally named using the following template:
142 *
143 * mpo_<object>_<operation>()
144 *
145 * or:
146 *
147 * mpo_<object>_check_<operation>()
148 *
149 * Entry points are sorted by object type.
150 *
151 * It may be desirable also to consider some subsystems as "objects", such
152 * as system, iokit, etc.
153 */
154
155/**
0a7de745
A		 156 * @name Entry Points for Label Management
157 *
158 * These are the entry points corresponding to the life cycle events for
159 * kernel objects, such as initialization, creation, and destruction.
160 *
161 * Most policies (that use labels) will initialize labels by allocating
162 * space for policy-specific data. In most cases, it is permitted to
163 * sleep during label initialization operations; it will be noted when
164 * it is not permitted.
165 *
166 * Initialization usually will not require doing more than allocating a
167 * generic label for the given object. What follows initialization is
168 * creation, where a label is made specific to the object it is associated
169 * with. Destruction occurs when the label is no longer needed, such as
170 * when the corresponding object is destroyed. All necessary cleanup should
171 * be performed in label destroy operations.
172 *
173 * Where possible, the label entry points have identical parameters. If
174 * the policy module does not require structure-specific label
175 * information, the same function may be registered in the policy
176 * operation vector. Many policies will implement two such generic
177 * allocation calls: one to handle sleepable requests, and one to handle
178 * potentially non-sleepable requests.
179 */
2d21ac55
A		 180
181
182/**
0a7de745
A		 183 * @brief Audit event postselection
184 * @param cred Subject credential
185 * @param syscode Syscall number
186 * @param args Syscall arguments
187 * @param error Syscall errno
188 * @param retval Syscall return value
189 *
190 * This is the MAC Framework audit postselect, which is called before
191 * exiting a syscall to determine if an audit event should be committed.
192 * A return value of MAC_AUDIT_NO forces the audit record to be suppressed.
193 * Any other return value results in the audit record being committed.
194 *
195 * @warning The suppression behavior will probably go away in Apple's
196 * future version of the audit implementation.
197 *
198 * @return Return MAC_AUDIT_NO to force suppression of the audit record.
199 * Any other value results in the audit record being committed.
200 *
201 */
2d21ac55
A		 202typedef int mpo_audit_check_postselect_t(
203 kauth_cred_t cred,
204 unsigned short syscode,
205 void *args,
206 int error,
207 int retval
0a7de745 208 );
2d21ac55 209/**
0a7de745
A		 210 * @brief Audit event preselection
211 * @param cred Subject credential
212 * @param syscode Syscall number
213 * @param args Syscall arguments
214 *
215 * This is the MAC Framework audit preselect, which is called before a
216 * syscall is entered to determine if an audit event should be created.
217 * If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be
218 * returned. A return value of MAC_AUDIT_NO causes the audit record to
219 * be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants
220 * to defer to the system's existing preselection mechanism.
221 *
222 * When policies return different preferences, the Framework decides what action
223 * to take based on the following policy. If any policy returns MAC_AUDIT_YES,
224 * then create an audit record, else if any policy returns MAC_AUDIT_NO, then
225 * suppress the creations of an audit record, else defer to the system's
226 * existing preselection mechanism.
227 *
228 * @warning The audit implementation in Apple's current version is
229 * incomplete, so the MAC policies have priority over the system's existing
230 * mechanisms. This will probably change in the future version where
231 * the audit implementation is more complete.
232 *
233 * @return Return MAC_AUDIT_YES to force auditing of the syscall,
234 * MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT
235 * to allow auditing mechanisms to determine if the syscall is audited.
236 *
237 */
2d21ac55
A		 238typedef int mpo_audit_check_preselect_t(
239 kauth_cred_t cred,
240 unsigned short syscode,
241 void *args
0a7de745 242 );
2d21ac55 243/**
0a7de745
A		 244 * @brief Initialize BPF descriptor label
245 * @param label New label to initialize
246 *
247 * Initialize the label for a newly instantiated BPF descriptor.
248 * Sleeping is permitted.
249 */
2d21ac55
A		 250typedef void mpo_bpfdesc_label_init_t(
251 struct label *label
0a7de745 252 );
2d21ac55 253/**
0a7de745
A		 254 * @brief Destroy BPF descriptor label
255 * @param label The label to be destroyed
256 *
257 * Destroy a BPF descriptor label. Since the BPF descriptor
258 * is going out of scope, policy modules should free any internal
259 * storage associated with the label so that it may be destroyed.
260 */
2d21ac55
A		 261typedef void mpo_bpfdesc_label_destroy_t(
262 struct label *label
0a7de745 263 );
2d21ac55 264/**
0a7de745
A		 265 * @brief Associate a BPF descriptor with a label
266 * @param cred User credential creating the BPF descriptor
267 * @param bpf_d The BPF descriptor
268 * @param bpflabel The new label
269 *
270 * Set the label on a newly created BPF descriptor from the passed
271 * subject credential. This call will be made when a BPF device node
272 * is opened by a process with the passed subject credential.
273 */
2d21ac55
A		 274typedef void mpo_bpfdesc_label_associate_t(
275 kauth_cred_t cred,
276 struct bpf_d *bpf_d,
277 struct label *bpflabel
0a7de745 278 );
2d21ac55 279/**
0a7de745
A		 280 * @brief Check whether BPF can read from a network interface
281 * @param bpf_d Subject; the BPF descriptor
282 * @param bpflabel Policy label for bpf_d
283 * @param ifp Object; the network interface
284 * @param ifnetlabel Policy label for ifp
285 *
286 * Determine whether the MAC framework should permit datagrams from
287 * the passed network interface to be delivered to the buffers of
288 * the passed BPF descriptor. Return (0) for success, or an errno
289 * value for failure. Suggested failure: EACCES for label mismatches,
290 * EPERM for lack of privilege.
291 */
2d21ac55
A		 292typedef int mpo_bpfdesc_check_receive_t(
293 struct bpf_d *bpf_d,
294 struct label *bpflabel,
295 struct ifnet *ifp,
296 struct label *ifnetlabel
0a7de745
A		 297 );
298/**
299 * @brief Indicate desire to change the process label at exec time
300 * @param old Existing subject credential
301 * @param vp File being executed
302 * @param offset Offset of binary within file being executed
303 * @param scriptvp Script being executed by interpreter, if any.
304 * @param vnodelabel Label corresponding to vp
305 * @param scriptvnodelabel Script vnode label
306 * @param execlabel Userspace provided execution label
307 * @param p Object process
308 * @param macpolicyattr MAC policy-specific spawn attribute data
309 * @param macpolicyattrlen Length of policy-specific spawn attribute data
310 * @see mac_execve
311 * @see mpo_cred_label_update_execve_t
312 * @see mpo_vnode_check_exec_t
313 *
314 * Indicate whether this policy intends to update the label of a newly
315 * created credential from the existing subject credential (old). This
316 * call occurs when a process executes the passed vnode. If a policy
317 * returns success from this entry point, the mpo_cred_label_update_execve
318 * entry point will later be called with the same parameters. Access
319 * has already been checked via the mpo_vnode_check_exec entry point,
320 * this entry point is necessary to preserve kernel locking constraints
321 * during program execution.
322 *
323 * The supplied vnode and vnodelabel correspond with the file actually
324 * being executed; in the case that the file is interpreted (for
325 * example, a script), the label of the original exec-time vnode has
326 * been preserved in scriptvnodelabel.
327 *
328 * The final label, execlabel, corresponds to a label supplied by a
329 * user space application through the use of the mac_execve system call.
330 *
331 * The vnode lock is held during this operation. No changes should be
332 * made to the old credential structure.
333 *
334 * @warning Even if a policy returns 0, it should behave correctly in
335 * the presence of an invocation of mpo_cred_label_update_execve, as that
336 * call may happen as a result of another policy requesting a transition.
337 *
338 * @return Non-zero if a transition is required, 0 otherwise.
339 */
2d21ac55
A		 340typedef int mpo_cred_check_label_update_execve_t(
341 kauth_cred_t old,
342 struct vnode *vp,
fe8ab488 343 off_t offset,
39236c6e 344 struct vnode *scriptvp,
2d21ac55
A		 345 struct label *vnodelabel,
346 struct label *scriptvnodelabel,
347 struct label *execlabel,
39236c6e
A		 348 struct proc *p,
349 void *macpolicyattr,
350 size_t macpolicyattrlen
0a7de745 351 );
2d21ac55 352/**
0a7de745
A		 353 * @brief Access control check for relabelling processes
354 * @param cred Subject credential
355 * @param newlabel New label to apply to the user credential
356 * @see mpo_cred_label_update_t
357 * @see mac_set_proc
358 *
359 * Determine whether the subject identified by the credential can relabel
360 * itself to the supplied new label (newlabel). This access control check
361 * is called when the mac_set_proc system call is invoked. A user space
362 * application will supply a new value, the value will be internalized
363 * and provided in newlabel.
364 *
365 * @return Return 0 if access is granted, otherwise an appropriate value for
366 * errno should be returned.
367 */
2d21ac55
A		 368typedef int mpo_cred_check_label_update_t(
369 kauth_cred_t cred,
370 struct label *newlabel
0a7de745 371 );
2d21ac55 372/**
0a7de745
A		 373 * @brief Access control check for visibility of other subjects
374 * @param u1 Subject credential
375 * @param u2 Object credential
376 *
377 * Determine whether the subject identified by the credential u1 can
378 * "see" other subjects with the passed subject credential u2. This call
379 * may be made in a number of situations, including inter-process status
380 * sysctls used by ps, and in procfs lookups.
381 *
382 * @return Return 0 if access is granted, otherwise an appropriate value for
383 * errno should be returned. Suggested failure: EACCES for label mismatch,
384 * EPERM for lack of privilege, or ESRCH to hide visibility.
385 */
2d21ac55
A		 386typedef int mpo_cred_check_visible_t(
387 kauth_cred_t u1,
388 kauth_cred_t u2
0a7de745 389 );
2d21ac55 390/**
0a7de745
A		 391 * @brief Associate a credential with a new process at fork
392 * @param cred credential to inherited by new process
393 * @param proc the new process
394 *
395 * Allow a process to associate the credential with a new
396 * process for reference countng purposes.
397 * NOTE: the credential can be dis-associated in ways other
398 * than exit - so this strategy is flawed - should just
399 * catch label destroy callback.
400 */
2d21ac55
A		 401typedef void mpo_cred_label_associate_fork_t(
402 kauth_cred_t cred,
403 proc_t proc
0a7de745 404 );
2d21ac55 405/**
0a7de745
A		 406 * @brief Create the first process
407 * @param cred Subject credential to be labeled
408 *
409 * Create the subject credential of process 0, the parent of all BSD
410 * kernel processes. Policies should update the label in the
411 * previously initialized credential structure.
412 */
2d21ac55
A		 413typedef void mpo_cred_label_associate_kernel_t(
414 kauth_cred_t cred
0a7de745 415 );
2d21ac55 416/**
0a7de745
A		 417 * @brief Create a credential label
418 * @param parent_cred Parent credential
419 * @param child_cred Child credential
420 *
421 * Set the label of a newly created credential, most likely using the
422 * information in the supplied parent credential.
423 *
424 * @warning This call is made when crcopy or crdup is invoked on a
425 * newly created struct ucred, and should not be confused with a
426 * process fork or creation event.
427 */
2d21ac55
A		 428typedef void mpo_cred_label_associate_t(
429 kauth_cred_t parent_cred,
430 kauth_cred_t child_cred
0a7de745 431 );
2d21ac55 432/**
0a7de745
A		 433 * @brief Create the first process
434 * @param cred Subject credential to be labeled
435 *
436 * Create the subject credential of process 1, the parent of all BSD
437 * user processes. Policies should update the label in the previously
438 * initialized credential structure. This is the 'init' process.
439 */
2d21ac55
A		 440typedef void mpo_cred_label_associate_user_t(
441 kauth_cred_t cred
0a7de745 442 );
2d21ac55 443/**
0a7de745
A		 444 * @brief Destroy credential label
445 * @param label The label to be destroyed
446 *
447 * Destroy a user credential label. Since the user credential
448 * is going out of scope, policy modules should free any internal
449 * storage associated with the label so that it may be destroyed.
450 */
2d21ac55
A		 451typedef void mpo_cred_label_destroy_t(
452 struct label *label
0a7de745 453 );
2d21ac55 454/**
0a7de745
A		 455 * @brief Externalize a user credential label for auditing
456 * @param label Label to be externalized
457 * @param element_name Name of the label namespace for which labels should be
458 * externalized
459 * @param sb String buffer to be filled with a text representation of the label
460 *
461 * Produce an external representation of the label on a user credential for
462 * inclusion in an audit record. An externalized label consists of a text
463 * representation of the label contents that will be added to the audit record
464 * as part of a text token. Policy-agnostic user space tools will display
465 * this externalized version.
466 *
467 * @return 0 on success, return non-zero if an error occurs while
468 * externalizing the label data.
469 *
470 */
2d21ac55
A		 471typedef int mpo_cred_label_externalize_audit_t(
472 struct label *label,
473 char *element_name,
474 struct sbuf *sb
0a7de745 475 );
2d21ac55 476/**
0a7de745
A		 477 * @brief Externalize a user credential label
478 * @param label Label to be externalized
479 * @param element_name Name of the label namespace for which labels should be
480 * externalized
481 * @param sb String buffer to be filled with a text representation of the label
482 *
483 * Produce an external representation of the label on a user
484 * credential. An externalized label consists of a text representation
485 * of the label contents that can be used with user applications.
486 * Policy-agnostic user space tools will display this externalized
487 * version.
488 *
489 * @return 0 on success, return non-zero if an error occurs while
490 * externalizing the label data.
491 *
492 */
2d21ac55
A		 493typedef int mpo_cred_label_externalize_t(
494 struct label *label,
495 char *element_name,
496 struct sbuf *sb
0a7de745 497 );
2d21ac55 498/**
0a7de745
A		 499 * @brief Initialize user credential label
500 * @param label New label to initialize
501 *
502 * Initialize the label for a newly instantiated user credential.
503 * Sleeping is permitted.
504 */
2d21ac55
A		 505typedef void mpo_cred_label_init_t(
506 struct label *label
0a7de745 507 );
2d21ac55 508/**
0a7de745
A		 509 * @brief Internalize a user credential label
510 * @param label Label to be internalized
511 * @param element_name Name of the label namespace for which the label should
512 * be internalized
513 * @param element_data Text data to be internalized
514 *
515 * Produce a user credential label from an external representation. An
516 * externalized label consists of a text representation of the label
517 * contents that can be used with user applications. Policy-agnostic
518 * user space tools will forward text version to the kernel for
519 * processing by individual policy modules.
520 *
521 * The policy's internalize entry points will be called only if the
522 * policy has registered interest in the label namespace.
523 *
524 * @return 0 on success, Otherwise, return non-zero if an error occurs
525 * while internalizing the label data.
526 *
527 */
2d21ac55
A		 528typedef int mpo_cred_label_internalize_t(
529 struct label *label,
530 char *element_name,
531 char *element_data
0a7de745
A		 532 );
533/**
534 * @brief Update credential at exec time
535 * @param old_cred Existing subject credential
536 * @param new_cred New subject credential to be labeled
537 * @param p Object process.
538 * @param vp File being executed
539 * @param offset Offset of binary within file being executed
540 * @param scriptvp Script being executed by interpreter, if any.
541 * @param vnodelabel Label corresponding to vp
542 * @param scriptvnodelabel Script vnode label
543 * @param execlabel Userspace provided execution label
544 * @param csflags Code signing flags to be set after exec
545 * @param macpolicyattr MAC policy-specific spawn attribute data.
546 * @param macpolicyattrlen Length of policy-specific spawn attribute data.
547 * @see mac_execve
548 * @see mpo_cred_check_label_update_execve_t
549 * @see mpo_vnode_check_exec_t
550 *
551 * Update the label of a newly created credential (new) from the
552 * existing subject credential (old). This call occurs when a process
553 * executes the passed vnode and one of the loaded policy modules has
554 * returned success from the mpo_cred_check_label_update_execve entry point.
555 * Access has already been checked via the mpo_vnode_check_exec entry
556 * point, this entry point is only used to update any policy state.
557 *
558 * The supplied vnode and vnodelabel correspond with the file actually
559 * being executed; in the case that the file is interpreted (for
560 * example, a script), the label of the original exec-time vnode has
561 * been preserved in scriptvnodelabel.
562 *
563 * The final label, execlabel, corresponds to a label supplied by a
564 * user space application through the use of the mac_execve system call.
565 *
566 * If non-NULL, the value pointed to by disjointp will be set to 0 to
567 * indicate that the old and new credentials are not disjoint, or 1 to
568 * indicate that they are.
569 *
570 * The vnode lock is held during this operation. No changes should be
571 * made to the old credential structure.
572 * @return 0 on success, Otherwise, return non-zero if update results in
573 * termination of child.
574 */
fe8ab488 575typedef int mpo_cred_label_update_execve_t(
2d21ac55
A		 576 kauth_cred_t old_cred,
577 kauth_cred_t new_cred,
39236c6e 578 struct proc *p,
2d21ac55 579 struct vnode *vp,
fe8ab488 580 off_t offset,
39236c6e 581 struct vnode *scriptvp,
2d21ac55
A		 582 struct label *vnodelabel,
583 struct label *scriptvnodelabel,
c910b4d9 584 struct label *execlabel,
fe8ab488 585 u_int *csflags,
39236c6e
A		 586 void *macpolicyattr,
587 size_t macpolicyattrlen,
c910b4d9 588 int *disjointp
0a7de745 589 );
2d21ac55 590/**
0a7de745
A		 591 * @brief Update a credential label
592 * @param cred The existing credential
593 * @param newlabel A new label to apply to the credential
594 * @see mpo_cred_check_label_update_t
595 * @see mac_set_proc
596 *
597 * Update the label on a user credential, using the supplied new label.
598 * This is called as a result of a process relabel operation. Access
599 * control was already confirmed by mpo_cred_check_label_update.
600 */
2d21ac55
A		 601typedef void mpo_cred_label_update_t(
602 kauth_cred_t cred,
603 struct label *newlabel
0a7de745 604 );
2d21ac55 605/**
0a7de745
A		 606 * @brief Create a new devfs device
607 * @param dev Major and minor numbers of special file
608 * @param de "inode" of new device file
609 * @param label Destination label
610 * @param fullpath Path relative to mount (e.g. /dev) of new device file
611 *
612 * This entry point labels a new devfs device. The label will likely be based
613 * on the path to the device, or the major and minor numbers.
614 * The policy should store an appropriate label into 'label'.
615 */
2d21ac55
A		 616typedef void mpo_devfs_label_associate_device_t(
617 dev_t dev,
618 struct devnode *de,
619 struct label *label,
620 const char *fullpath
0a7de745
A		 621 );
622/**
623 * @brief Create a new devfs directory
624 * @param dirname Name of new directory
625 * @param dirnamelen Length of 'dirname'
626 * @param de "inode" of new directory
627 * @param label Destination label
628 * @param fullpath Path relative to mount (e.g. /dev) of new directory
629 *
630 * This entry point labels a new devfs directory. The label will likely be
631 * based on the path of the new directory. The policy should store an appropriate
632 * label into 'label'. The devfs root directory is labelled in this way.
633 */
2d21ac55
A		 634typedef void mpo_devfs_label_associate_directory_t(
635 const char *dirname,
636 int dirnamelen,
637 struct devnode *de,
638 struct label *label,
639 const char *fullpath
0a7de745 640 );
2d21ac55 641/**
0a7de745
A		 642 * @brief Copy a devfs label
643 * @param src Source devfs label
644 * @param dest Destination devfs label
645 *
646 * Copy the label information from src to dest. The devfs file system
647 * often duplicates (splits) existing device nodes rather than creating
648 * new ones.
649 */
2d21ac55
A		 650typedef void mpo_devfs_label_copy_t(
651 struct label *src,
652 struct label *dest
0a7de745 653 );
2d21ac55 654/**
0a7de745
A		 655 * @brief Destroy devfs label
656 * @param label The label to be destroyed
657 *
658 * Destroy a devfs entry label. Since the object is going out
659 * of scope, policy modules should free any internal storage associated
660 * with the label so that it may be destroyed.
661 */
2d21ac55
A		 662typedef void mpo_devfs_label_destroy_t(
663 struct label *label
0a7de745 664 );
2d21ac55 665/**
0a7de745
A		 666 * @brief Initialize devfs label
667 * @param label New label to initialize
668 *
669 * Initialize the label for a newly instantiated devfs entry. Sleeping
670 * is permitted.
671 */
2d21ac55
A		 672typedef void mpo_devfs_label_init_t(
673 struct label *label
0a7de745
A		 674 );
675/**
676 * @brief Update a devfs label after relabelling its vnode
677 * @param mp Devfs mount point
678 * @param de Affected devfs directory entry
679 * @param delabel Label of devfs directory entry
680 * @param vp Vnode associated with de
681 * @param vnodelabel New label of vnode
682 *
683 * Update a devfs label when its vnode is manually relabelled,
684 * for example with setfmac(1). Typically, this will simply copy
685 * the vnode label into the devfs label.
686 */
2d21ac55
A		 687typedef void mpo_devfs_label_update_t(
688 struct mount *mp,
689 struct devnode *de,
690 struct label *delabel,
691 struct vnode *vp,
692 struct label *vnodelabel
0a7de745 693 );
39037602 694/**
0a7de745
A		 695 * @brief Access control for sending an exception to an exception action
696 * @param crashlabel The crashing process's label
697 * @param action Exception action
698 * @param exclabel Policy label for exception action
699 *
700 * Determine whether the the exception message caused by the victim
701 * process can be sent to the exception action. The policy may compare
702 * credentials in the crashlabel, which are derived from the process at
703 * the time the exception occurs, with the credentials in the exclabel,
704 * which was set at the time the exception port was set, to determine
705 * its decision. Note that any process from which the policy derived
706 * any credentials may not exist anymore at the time of this policy
707 * operation. Sleeping is permitted.
708 *
709 * @return Return 0 if the message can be sent, otherwise an
710 * appropriate value for errno should be returned.
711 */
39037602
A		 712typedef int mpo_exc_action_check_exception_send_t(
713 struct label *crashlabel,
714 struct exception_action *action,
715 struct label *exclabel
0a7de745 716 );
39037602 717/**
0a7de745
A		 718 * @brief Associate an exception action label
719 * @param action Exception action to label
720 * @param exclabel Policy label to be filled in for exception action
721 *
722 * Set the label on an exception action.
723 */
39037602
A		 724typedef void mpo_exc_action_label_associate_t(
725 struct exception_action *action,
726 struct label *exclabel
0a7de745 727 );
39037602 728/**
0a7de745
A		 729 * @brief Destroy exception action label
730 * @param label The label to be destroyed
731 *
732 * Destroy the label on an exception action. Since the object is going
733 * out of scope, policy modules should free any internal storage
734 * associated with the label so that it may be destroyed. Sleeping is
735 * permitted.
736 */
39037602
A		 737typedef void mpo_exc_action_label_destroy_t(
738 struct label *label
0a7de745 739 );
5ba3f43e 740/**
0a7de745
A		 741 * @brief Populate an exception action label with process credentials
742 * @param label The label to be populated
743 * @param proc Process to derive credentials from
744 *
745 * Populate a label with credentials derived from a process. At
746 * exception delivery time, the policy should compare credentials of the
747 * process that set an exception ports with the credentials of the
748 * process or corpse that experienced the exception. Note that the
749 * process that set the port may not exist at that time anymore, so
750 * labels should carry copies of live credentials if necessary.
751 */
5ba3f43e
A		 752typedef void mpo_exc_action_label_populate_t(
753 struct label *label,
754 struct proc *proc
0a7de745 755 );
39037602 756/**
0a7de745
A		 757 * @brief Initialize exception action label
758 * @param label New label to initialize
759 *
760 * Initialize a label for an exception action. Usually performs
761 * policy specific allocations. Sleeping is permitted.
762 */
39037602
A		 763typedef int mpo_exc_action_label_init_t(
764 struct label *label
0a7de745 765 );
39037602 766/**
0a7de745
A		 767 * @brief Update the label on an exception action
768 * @param action Exception action that the label belongs to (may be
769 * NULL if none)
770 * @param label Policy label to update
771 * @param newlabel New label for update
772 *
773 * Update the credentials of an exception action from the given
774 * label. The policy should copy over any credentials (process and
775 * otherwise) from the new label into the label to update. Must not
776 * sleep, must be quick and can be called with locks held.
777 */
5ba3f43e
A		 778typedef int mpo_exc_action_label_update_t(
779 struct exception_action *action,
780 struct label *label,
781 struct label *newlabel
0a7de745 782 );
2d21ac55 783/**
0a7de745
A		 784 * @brief Access control for changing the offset of a file descriptor
785 * @param cred Subject credential
786 * @param fg Fileglob structure
787 * @param label Policy label for fg
788 *
789 * Determine whether the subject identified by the credential can
790 * change the offset of the file represented by fg.
791 *
792 * @return Return 0 if access if granted, otherwise an appropriate
793 * value for errno should be returned.
794 */
2d21ac55
A		 795typedef int mpo_file_check_change_offset_t(
796 kauth_cred_t cred,
797 struct fileglob *fg,
798 struct label *label
0a7de745 799 );
2d21ac55 800/**
0a7de745
A		 801 * @brief Access control for creating a file descriptor
802 * @param cred Subject credential
803 *
804 * Determine whether the subject identified by the credential can
805 * allocate a new file descriptor.
806 *
807 * @return Return 0 if access if granted, otherwise an appropriate
808 * value for errno should be returned.
809 */
2d21ac55
A		 810typedef int mpo_file_check_create_t(
811 kauth_cred_t cred
0a7de745 812 );
2d21ac55 813/**
0a7de745
A		 814 * @brief Access control for duplicating a file descriptor
815 * @param cred Subject credential
816 * @param fg Fileglob structure
817 * @param label Policy label for fg
818 * @param newfd New file descriptor number
819 *
820 * Determine whether the subject identified by the credential can
821 * duplicate the fileglob structure represented by fg and as file
822 * descriptor number newfd.
823 *
824 * @return Return 0 if access if granted, otherwise an appropriate
825 * value for errno should be returned.
826 */
2d21ac55
A		 827typedef int mpo_file_check_dup_t(
828 kauth_cred_t cred,
829 struct fileglob *fg,
830 struct label *label,
831 int newfd
0a7de745
A		 832 );
833/**
834 * @brief Access control check for fcntl
835 * @param cred Subject credential
836 * @param fg Fileglob structure
837 * @param label Policy label for fg
838 * @param cmd Control operation to be performed; see fcntl(2)
839 * @param arg fcnt arguments; see fcntl(2)
840 *
841 * Determine whether the subject identified by the credential can perform
842 * the file control operation indicated by cmd.
843 *
844 * @return Return 0 if access is granted, otherwise an appropriate value for
845 * errno should be returned.
846 */
2d21ac55
A		 847typedef int mpo_file_check_fcntl_t(
848 kauth_cred_t cred,
849 struct fileglob *fg,
850 struct label *label,
851 int cmd,
852 user_long_t arg
0a7de745 853 );
2d21ac55 854/**
0a7de745
A		 855 * @brief Access control check for mac_get_fd
856 * @param cred Subject credential
857 * @param fg Fileglob structure
858 * @param elements Element buffer
859 * @param len Length of buffer
860 *
861 * Determine whether the subject identified by the credential should be allowed
862 * to get an externalized version of the label on the object indicated by fd.
863 *
864 * @return Return 0 if access is granted, otherwise an appropriate value for
865 * errno should be returned.
866 */
2d21ac55
A		 867typedef int mpo_file_check_get_t(
868 kauth_cred_t cred,
869 struct fileglob *fg,
870 char *elements,
871 int len
0a7de745 872 );
2d21ac55 873/**
0a7de745
A		 874 * @brief Access control for getting the offset of a file descriptor
875 * @param cred Subject credential
876 * @param fg Fileglob structure
877 * @param label Policy label for fg
878 *
879 * Determine whether the subject identified by the credential can
880 * get the offset of the file represented by fg.
881 *
882 * @return Return 0 if access if granted, otherwise an appropriate
883 * value for errno should be returned.
884 */
2d21ac55
A		 885typedef int mpo_file_check_get_offset_t(
886 kauth_cred_t cred,
887 struct fileglob *fg,
888 struct label *label
0a7de745 889 );
2d21ac55 890/**
0a7de745
A		 891 * @brief Access control for inheriting a file descriptor
892 * @param cred Subject credential
893 * @param fg Fileglob structure
894 * @param label Policy label for fg
895 *
896 * Determine whether the subject identified by the credential can
897 * inherit the fileglob structure represented by fg.
898 *
899 * @return Return 0 if access if granted, otherwise an appropriate
900 * value for errno should be returned.
901 */
2d21ac55
A		 902typedef int mpo_file_check_inherit_t(
903 kauth_cred_t cred,
904 struct fileglob *fg,
905 struct label *label
0a7de745 906 );
2d21ac55 907/**
0a7de745
A		 908 * @brief Access control check for file ioctl
909 * @param cred Subject credential
910 * @param fg Fileglob structure
911 * @param label Policy label for fg
912 * @param cmd The ioctl command; see ioctl(2)
913 *
914 * Determine whether the subject identified by the credential can perform
915 * the ioctl operation indicated by cmd.
916 *
917 * @warning Since ioctl data is opaque from the standpoint of the MAC
918 * framework, policies must exercise extreme care when implementing
919 * access control checks.
920 *
921 * @return Return 0 if access is granted, otherwise an appropriate value for
922 * errno should be returned.
923 *
924 */
2d21ac55
A		 925typedef int mpo_file_check_ioctl_t(
926 kauth_cred_t cred,
927 struct fileglob *fg,
928 struct label *label,
929 unsigned int cmd
0a7de745
A		 930 );
931/**
932 * @brief Access control check for file locking
933 * @param cred Subject credential
934 * @param fg Fileglob structure
935 * @param label Policy label for fg
936 * @param op The lock operation (F_GETLK, F_SETLK, F_UNLK)
937 * @param fl The flock structure
938 *
939 * Determine whether the subject identified by the credential can perform
940 * the lock operation indicated by op and fl on the file represented by fg.
941 *
942 * @return Return 0 if access is granted, otherwise an appropriate value for
943 * errno should be returned.
944 *
945 */
2d21ac55
A		 946typedef int mpo_file_check_lock_t(
947 kauth_cred_t cred,
948 struct fileglob *fg,
949 struct label *label,
950 int op,
951 struct flock *fl
0a7de745
A		 952 );
953/**
954 * @brief Check with library validation if a macho slice is allowed to be combined into a proc.
955 * @param p Subject process
956 * @param fg Fileglob structure
957 * @param slice_offset offset of the code slice
958 * @param error_message error message returned to user-space in case of error (userspace pointer)
959 * @param error_message_size error message size
960 *
961 * Its a little odd that the MAC/kext writes into userspace since this
962 * implies there is only one MAC module that implements this, however
963 * the alterantive is to allocate memory in xnu, on the hope that
964 * the MAC module will use it, or allocated in the MAC module and then
965 * free it in xnu. Either of these are very appeling, so lets go with
966 * the slightly more hacky way.
967 *
968 * @return Return 0 if access is granted, otherwise an appropriate value for
969 * errno should be returned.
970 */
39037602
A		 971typedef int mpo_file_check_library_validation_t(
972 struct proc *p,
973 struct fileglob *fg,
974 off_t slice_offset,
975 user_long_t error_message,
976 size_t error_message_size
0a7de745
A		 977 );
978/**
979 * @brief Access control check for mapping a file
980 * @param cred Subject credential
981 * @param fg fileglob representing file to map
982 * @param label Policy label associated with vp
983 * @param prot mmap protections; see mmap(2)
984 * @param flags Type of mapped object; see mmap(2)
985 * @param maxprot Maximum rights
986 *
987 * Determine whether the subject identified by the credential should be
988 * allowed to map the file represented by fg with the protections specified
989 * in prot. The maxprot field holds the maximum permissions on the new
990 * mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE.
991 * To avoid overriding prior access control checks, a policy should only
992 * remove flags from maxprot.
993 *
994 * @return Return 0 if access is granted, otherwise an appropriate value for
995 * errno should be returned. Suggested failure: EACCES for label mismatch or
996 * EPERM for lack of privilege.
997 */
2d21ac55
A		 998typedef int mpo_file_check_mmap_t(
999 kauth_cred_t cred,
1000 struct fileglob *fg,
1001 struct label *label,
1002 int prot,
1003 int flags,
3e170ce0 1004 uint64_t file_pos,
2d21ac55 1005 int *maxprot
0a7de745 1006 );
2d21ac55 1007/**
0a7de745
A		 1008 * @brief Downgrade the mmap protections
1009 * @param cred Subject credential
1010 * @param fg file to map
1011 * @param label Policy label associated with vp
1012 * @param prot mmap protections to be downgraded
1013 *
1014 * Downgrade the mmap protections based on the subject and object labels.
1015 */
2d21ac55
A		 1016typedef void mpo_file_check_mmap_downgrade_t(
1017 kauth_cred_t cred,
1018 struct fileglob *fg,
1019 struct label *label,
1020 int *prot
0a7de745 1021 );
2d21ac55 1022/**
0a7de745
A		 1023 * @brief Access control for receiving a file descriptor
1024 * @param cred Subject credential
1025 * @param fg Fileglob structure
1026 * @param label Policy label for fg
1027 *
1028 * Determine whether the subject identified by the credential can
1029 * receive the fileglob structure represented by fg.
1030 *
1031 * @return Return 0 if access if granted, otherwise an appropriate
1032 * value for errno should be returned.
1033 */
2d21ac55
A		 1034typedef int mpo_file_check_receive_t(
1035 kauth_cred_t cred,
1036 struct fileglob *fg,
1037 struct label *label
0a7de745 1038 );
2d21ac55 1039/**
0a7de745
A		 1040 * @brief Access control check for mac_set_fd
1041 * @param cred Subject credential
1042 * @param fg Fileglob structure
1043 * @param elements Elements buffer
1044 * @param len Length of elements buffer
1045 *
1046 * Determine whether the subject identified by the credential can
1047 * perform the mac_set_fd operation. The mac_set_fd operation is used
1048 * to associate a MAC label with a file.
1049 *
1050 * @return Return 0 if access is granted, otherwise an appropriate value for
1051 * errno should be returned.
1052 */
2d21ac55
A		 1053typedef int mpo_file_check_set_t(
1054 kauth_cred_t cred,
1055 struct fileglob *fg,
1056 char *elements,
1057 int len
0a7de745 1058 );
2d21ac55 1059/**
0a7de745
A		 1060 * @brief Create file label
1061 * @param cred Subject credential
1062 * @param fg Fileglob structure
1063 * @param label Policy label for fg
1064 */
2d21ac55
A		 1065typedef void mpo_file_label_associate_t(
1066 kauth_cred_t cred,
1067 struct fileglob *fg,
1068 struct label *label
0a7de745 1069 );
2d21ac55 1070/**
0a7de745
A		 1071 * @brief Destroy file label
1072 * @param label The label to be destroyed
1073 *
1074 * Destroy the label on a file descriptor. In this entry point, a
1075 * policy module should free any internal storage associated with
1076 * label so that it may be destroyed.
1077 */
2d21ac55
A		 1078typedef void mpo_file_label_destroy_t(
1079 struct label *label
0a7de745 1080 );
2d21ac55 1081/**
0a7de745
A		 1082 * @brief Initialize file label
1083 * @param label New label to initialize
1084 */
2d21ac55
A		 1085typedef void mpo_file_label_init_t(
1086 struct label *label
0a7de745
A		 1087 );
1088/**
1089 * @brief Access control check for relabeling network interfaces
1090 * @param cred Subject credential
1091 * @param ifp network interface being relabeled
1092 * @param ifnetlabel Current label of the network interfaces
1093 * @param newlabel New label to apply to the network interfaces
1094 * @see mpo_ifnet_label_update_t
1095 *
1096 * Determine whether the subject identified by the credential can
1097 * relabel the network interface represented by ifp to the supplied
1098 * new label (newlabel).
1099 *
1100 * @return Return 0 if access is granted, otherwise an appropriate value for
1101 * errno should be returned.
1102 */
2d21ac55
A		 1103typedef int mpo_ifnet_check_label_update_t(
1104 kauth_cred_t cred,
1105 struct ifnet *ifp,
1106 struct label *ifnetlabel,
1107 struct label *newlabel
0a7de745
A		 1108 );
1109/**
1110 * @brief Access control check for relabeling network interfaces
1111 * @param ifp Network interface mbuf will be transmitted through
1112 * @param ifnetlabel Label of the network interfaces
1113 * @param m The mbuf to be transmitted
1114 * @param mbuflabel Label of the mbuf to be transmitted
1115 * @param family Address Family, AF_*
1116 * @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
1117 *
1118 * Determine whether the mbuf with label mbuflabel may be transmitted
1119 * through the network interface represented by ifp that has the
1120 * label ifnetlabel.
1121 *
1122 * @return Return 0 if access is granted, otherwise an appropriate value for
1123 * errno should be returned.
1124 */
2d21ac55
A		 1125typedef int mpo_ifnet_check_transmit_t(
1126 struct ifnet *ifp,
1127 struct label *ifnetlabel,
1128 struct mbuf *m,
1129 struct label *mbuflabel,
1130 int family,
1131 int type
0a7de745 1132 );
2d21ac55 1133/**
0a7de745
A		 1134 * @brief Create a network interface label
1135 * @param ifp Network interface labeled
1136 * @param ifnetlabel Label for the network interface
1137 *
1138 * Set the label of a newly created network interface, most likely
1139 * using the information in the supplied network interface struct.
1140 */
2d21ac55
A		 1141typedef void mpo_ifnet_label_associate_t(
1142 struct ifnet *ifp,
1143 struct label *ifnetlabel
0a7de745 1144 );
2d21ac55 1145/**
0a7de745
A		 1146 * @brief Copy an ifnet label
1147 * @param src Source ifnet label
1148 * @param dest Destination ifnet label
1149 *
1150 * Copy the label information from src to dest.
1151 */
2d21ac55
A		 1152typedef void mpo_ifnet_label_copy_t(
1153 struct label *src,
1154 struct label *dest
0a7de745 1155 );
2d21ac55 1156/**
0a7de745
A		 1157 * @brief Destroy ifnet label
1158 * @param label The label to be destroyed
1159 *
1160 * Destroy the label on an ifnet label. In this entry point, a
1161 * policy module should free any internal storage associated with
1162 * label so that it may be destroyed.
1163 */
2d21ac55
A		 1164typedef void mpo_ifnet_label_destroy_t(
1165 struct label *label
0a7de745 1166 );
2d21ac55 1167/**
0a7de745
A		 1168 * @brief Externalize an ifnet label
1169 * @param label Label to be externalized
1170 * @param element_name Name of the label namespace for which labels should be
1171 * externalized
1172 * @param sb String buffer to be filled with a text representation of the label
1173 *
1174 * Produce an external representation of the label on an interface.
1175 * An externalized label consists of a text representation of the
1176 * label contents that can be used with user applications.
1177 * Policy-agnostic user space tools will display this externalized
1178 * version.
1179 *
1180 * @return 0 on success, return non-zero if an error occurs while
1181 * externalizing the label data.
1182 *
1183 */
2d21ac55
A		 1184typedef int mpo_ifnet_label_externalize_t(
1185 struct label *label,
1186 char *element_name,
1187 struct sbuf *sb
0a7de745 1188 );
2d21ac55 1189/**
0a7de745
A		 1190 * @brief Initialize ifnet label
1191 * @param label New label to initialize
1192 */
2d21ac55
A		 1193typedef void mpo_ifnet_label_init_t(
1194 struct label *label
0a7de745 1195 );
2d21ac55 1196/**
0a7de745
A		 1197 * @brief Internalize an interface label
1198 * @param label Label to be internalized
1199 * @param element_name Name of the label namespace for which the label should
1200 * be internalized
1201 * @param element_data Text data to be internalized
1202 *
1203 * Produce an interface label from an external representation. An
1204 * externalized label consists of a text representation of the label
1205 * contents that can be used with user applications. Policy-agnostic
1206 * user space tools will forward text version to the kernel for
1207 * processing by individual policy modules.
1208 *
1209 * The policy's internalize entry points will be called only if the
1210 * policy has registered interest in the label namespace.
1211 *
1212 * @return 0 on success, Otherwise, return non-zero if an error occurs
1213 * while internalizing the label data.
1214 *
1215 */
2d21ac55
A		 1216typedef int mpo_ifnet_label_internalize_t(
1217 struct label *label,
1218 char *element_name,
1219 char *element_data
0a7de745 1220 );
2d21ac55 1221/**
0a7de745
A		 1222 * @brief Recycle up a network interface label
1223 * @param label The label to be recycled
1224 *
1225 * Recycle a network interface label. Darwin caches the struct ifnet
1226 * of detached ifnets in a "free pool". Before ifnets are returned
1227 * to the "free pool", policies can cleanup or overwrite any information
1228 * present in the label.
1229 */
2d21ac55
A		 1230typedef void mpo_ifnet_label_recycle_t(
1231 struct label *label
0a7de745
A		 1232 );
1233/**
1234 * @brief Update a network interface label
1235 * @param cred Subject credential
1236 * @param ifp The network interface to be relabeled
1237 * @param ifnetlabel The current label of the network interface
1238 * @param newlabel A new label to apply to the network interface
1239 * @see mpo_ifnet_check_label_update_t
1240 *
1241 * Update the label on a network interface, using the supplied new label.
1242 */
2d21ac55
A		 1243typedef void mpo_ifnet_label_update_t(
1244 kauth_cred_t cred,
1245 struct ifnet *ifp,
1246 struct label *ifnetlabel,
1247 struct label *newlabel
0a7de745
A		 1248 );
1249/**
1250 * @brief Access control check for delivering a packet to a socket
1251 * @param inp inpcb the socket is associated with
1252 * @param inplabel Label of the inpcb
1253 * @param m The mbuf being received
1254 * @param mbuflabel Label of the mbuf being received
1255 * @param family Address family, AF_*
1256 * @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
1257 *
1258 * Determine whether the mbuf with label mbuflabel may be received
1259 * by the socket associated with inpcb that has the label inplabel.
1260 *
1261 * @return Return 0 if access is granted, otherwise an appropriate value for
1262 * errno should be returned.
1263 */
2d21ac55
A		 1264typedef int mpo_inpcb_check_deliver_t(
1265 struct inpcb *inp,
1266 struct label *inplabel,
1267 struct mbuf *m,
1268 struct label *mbuflabel,
1269 int family,
1270 int type
0a7de745 1271 );
2d21ac55 1272/**
0a7de745
A		 1273 * @brief Create an inpcb label
1274 * @param so Socket containing the inpcb to be labeled
1275 * @param solabel Label of the socket
1276 * @param inp inpcb to be labeled
1277 * @param inplabel Label for the inpcb
1278 *
1279 * Set the label of a newly created inpcb, most likely
1280 * using the information in the socket and/or socket label.
1281 */
2d21ac55
A		 1282typedef void mpo_inpcb_label_associate_t(
1283 struct socket *so,
1284 struct label *solabel,
1285 struct inpcb *inp,
1286 struct label *inplabel
0a7de745 1287 );
2d21ac55 1288/**
0a7de745
A		 1289 * @brief Destroy inpcb label
1290 * @param label The label to be destroyed
1291 *
1292 * Destroy the label on an inpcb label. In this entry point, a
1293 * policy module should free any internal storage associated with
1294 * label so that it may be destroyed.
1295 */
2d21ac55
A		 1296typedef void mpo_inpcb_label_destroy_t(
1297 struct label *label
0a7de745 1298 );
2d21ac55 1299/**
0a7de745
A		 1300 * @brief Initialize inpcb label
1301 * @param label New label to initialize
1302 * @param flag M_WAITOK or M_NOWAIT
1303 */
2d21ac55
A		 1304typedef int mpo_inpcb_label_init_t(
1305 struct label *label,
1306 int flag
0a7de745 1307 );
2d21ac55 1308/**
0a7de745
A		 1309 * @brief Recycle up an inpcb label
1310 * @param label The label to be recycled
1311 *
1312 * Recycle an inpcb label. Darwin allocates the inpcb as part of
1313 * the socket structure in some cases. For this case we must recycle
1314 * rather than destroy the inpcb as it will be reused later.
1315 */
2d21ac55
A		 1316typedef void mpo_inpcb_label_recycle_t(
1317 struct label *label
0a7de745 1318 );
2d21ac55 1319/**
0a7de745
A		 1320 * @brief Update an inpcb label from a socket label
1321 * @param so Socket containing the inpcb to be relabeled
1322 * @param solabel New label of the socket
1323 * @param inp inpcb to be labeled
1324 * @param inplabel Label for the inpcb
1325 *
1326 * Set the label of a newly created inpcb due to a change in the
1327 * underlying socket label.
1328 */
2d21ac55
A		 1329typedef void mpo_inpcb_label_update_t(
1330 struct socket *so,
1331 struct label *solabel,
1332 struct inpcb *inp,
1333 struct label *inplabel
0a7de745 1334 );
2d21ac55 1335/**
0a7de745
A		 1336 * @brief Device hardware access control
1337 * @param devtype Type of device connected
1338 *
1339 * This is the MAC Framework device access control, which is called by the I/O
1340 * Kit when a new device is connected to the system to determine whether that
1341 * device should be trusted. A list of properties associated with the device
1342 * is passed as an XML-formatted string. The routine should examine these
1343 * properties to determine the trustworthiness of the device. A return value
1344 * of EPERM forces the device to be claimed by a special device driver that
1345 * will prevent its operation.
1346 *
1347 * @warning This is an experimental interface and may change in the future.
1348 *
1349 * @return Return EPERM to indicate that the device is untrusted and should
1350 * not be allowed to operate. Return zero to indicate that the device is
1351 * trusted and should be allowed to operate normally.
1352 *
1353 */
2d21ac55
A		 1354typedef int mpo_iokit_check_device_t(
1355 char *devtype,
1356 struct mac_module_data *mdata
0a7de745 1357 );
6d2010ae 1358/**
0a7de745
A		 1359 * @brief Access control check for opening an I/O Kit device
1360 * @param cred Subject credential
1361 * @param user_client User client instance
1362 * @param user_client_type User client type
1363 *
1364 * Determine whether the subject identified by the credential can open an
1365 * I/O Kit device at the passed path of the passed user client class and
1366 * type.
1367 *
1368 * @return Return 0 if access is granted, or an appropriate value for
1369 * errno should be returned.
1370 */
6d2010ae
A		 1371typedef int mpo_iokit_check_open_t(
1372 kauth_cred_t cred,
1373 io_object_t user_client,
1374 unsigned int user_client_type
0a7de745 1375 );
6d2010ae 1376/**
0a7de745
A		 1377 * @brief Access control check for setting I/O Kit device properties
1378 * @param cred Subject credential
1379 * @param entry Target device
1380 * @param properties Property list
1381 *
1382 * Determine whether the subject identified by the credential can set
1383 * properties on an I/O Kit device.
1384 *
1385 * @return Return 0 if access is granted, or an appropriate value for
1386 * errno should be returned.
1387 */
6d2010ae
A		 1388typedef int mpo_iokit_check_set_properties_t(
1389 kauth_cred_t cred,
1390 io_object_t entry,
1391 io_object_t properties
0a7de745 1392 );
fe8ab488 1393/**
0a7de745
A		 1394 * @brief Indicate desire to filter I/O Kit devices properties
1395 * @param cred Subject credential
1396 * @param entry Target device
1397 * @see mpo_iokit_check_get_property_t
1398 *
1399 * Indicate whether this policy may restrict the subject credential
1400 * from reading properties of the target device.
1401 * If a policy returns success from this entry point, the
1402 * mpo_iokit_check_get_property entry point will later be called
1403 * for each property that the subject credential tries to read from
1404 * the target device.
1405 *
1406 * This entry point is primarilly to optimize bulk property reads
1407 * by skipping calls to the mpo_iokit_check_get_property entry point
1408 * for credentials / devices no MAC policy is interested in.
1409 *
1410 * @warning Even if a policy returns 0, it should behave correctly in
1411 * the presence of an invocation of mpo_iokit_check_get_property, as that
1412 * call may happen as a result of another policy requesting a transition.
1413 *
1414 * @return Non-zero if a transition is required, 0 otherwise.
fe8ab488
A		 1415 */
1416typedef int mpo_iokit_check_filter_properties_t(
1417 kauth_cred_t cred,
1418 io_object_t entry
0a7de745 1419 );
fe8ab488 1420/**
0a7de745
A		 1421 * @brief Access control check for getting I/O Kit device properties
1422 * @param cred Subject credential
1423 * @param entry Target device
1424 * @param name Property name
1425 *
1426 * Determine whether the subject identified by the credential can get
1427 * properties on an I/O Kit device.
1428 *
1429 * @return Return 0 if access is granted, or an appropriate value for
1430 * errno.
1431 */
fe8ab488
A		 1432typedef int mpo_iokit_check_get_property_t(
1433 kauth_cred_t cred,
1434 io_object_t entry,
1435 const char *name
0a7de745 1436 );
6d2010ae 1437/**
0a7de745
A		 1438 * @brief Access control check for software HID control
1439 * @param cred Subject credential
1440 *
1441 * Determine whether the subject identified by the credential can
1442 * control the HID (Human Interface Device) subsystem, such as to
1443 * post synthetic keypresses, pointer movement and clicks.
1444 *
1445 * @return Return 0 if access is granted, or an appropriate value for
1446 * errno.
1447 */
6d2010ae
A		 1448typedef int mpo_iokit_check_hid_control_t(
1449 kauth_cred_t cred
0a7de745 1450 );
2d21ac55 1451/**
0a7de745
A		 1452 * @brief Create an IP reassembly queue label
1453 * @param fragment First received IP fragment
1454 * @param fragmentlabel Policy label for fragment
1455 * @param ipq IP reassembly queue to be labeled
1456 * @param ipqlabel Policy label to be filled in for ipq
1457 *
1458 * Set the label on a newly created IP reassembly queue from
1459 * the mbuf header of the first received fragment.
1460 */
2d21ac55
A		 1461typedef void mpo_ipq_label_associate_t(
1462 struct mbuf *fragment,
1463 struct label *fragmentlabel,
1464 struct ipq *ipq,
1465 struct label *ipqlabel
0a7de745 1466 );
2d21ac55 1467/**
0a7de745
A		 1468 * @brief Compare an mbuf header label to an ipq label
1469 * @param fragment IP datagram fragment
1470 * @param fragmentlabel Policy label for fragment
1471 * @param ipq IP fragment reassembly queue
1472 * @param ipqlabel Policy label for ipq
1473 *
1474 * Compare the label of the mbuf header containing an IP datagram
1475 * (fragment) fragment with the label of the passed IP fragment
1476 * reassembly queue (ipq). Return (1) for a successful match, or (0)
1477 * for no match. This call is made when the IP stack attempts to
1478 * find an existing fragment reassembly queue for a newly received
1479 * fragment; if this fails, a new fragment reassembly queue may be
1480 * instantiated for the fragment. Policies may use this entry point
1481 * to prevent the reassembly of otherwise matching IP fragments if
1482 * policy does not permit them to be reassembled based on the label
1483 * or other information.
1484 */
2d21ac55
A		 1485typedef int mpo_ipq_label_compare_t(
1486 struct mbuf *fragment,
1487 struct label *fragmentlabel,
1488 struct ipq *ipq,
1489 struct label *ipqlabel
0a7de745 1490 );
2d21ac55 1491/**
0a7de745
A		 1492 * @brief Destroy IP reassembly queue label
1493 * @param label The label to be destroyed
1494 *
1495 * Destroy the label on an IP fragment queue. In this entry point, a
1496 * policy module should free any internal storage associated with
1497 * label so that it may be destroyed.
1498 */
2d21ac55
A		 1499typedef void mpo_ipq_label_destroy_t(
1500 struct label *label
0a7de745 1501 );
2d21ac55 1502/**
0a7de745
A		 1503 * @brief Initialize IP reassembly queue label
1504 * @param label New label to initialize
1505 * @param flag M_WAITOK or M_NOWAIT
1506 *
1507 * Initialize the label on a newly instantiated IP fragment reassembly
1508 * queue. The flag field may be one of M_WAITOK and M_NOWAIT, and
1509 * should be employed to avoid performing a sleeping malloc(9) during
1510 * this initialization call. IP fragment reassembly queue allocation
1511 * frequently occurs in performance sensitive environments, and the
1512 * implementation should be careful to avoid sleeping or long-lived
1513 * operations. This entry point is permitted to fail resulting in
1514 * the failure to allocate the IP fragment reassembly queue.
1515 */
2d21ac55
A		 1516typedef int mpo_ipq_label_init_t(
1517 struct label *label,
1518 int flag
0a7de745 1519 );
2d21ac55 1520/**
0a7de745
A		 1521 * @brief Update the label on an IP fragment reassembly queue
1522 * @param fragment IP fragment
1523 * @param fragmentlabel Policy label for fragment
1524 * @param ipq IP fragment reassembly queue
1525 * @param ipqlabel Policy label to be updated for ipq
1526 *
1527 * Update the label on an IP fragment reassembly queue (ipq) based
1528 * on the acceptance of the passed IP fragment mbuf header (fragment).
1529 */
2d21ac55
A		 1530typedef void mpo_ipq_label_update_t(
1531 struct mbuf *fragment,
1532 struct label *fragmentlabel,
1533 struct ipq *ipq,
1534 struct label *ipqlabel
0a7de745 1535 );
2d21ac55 1536/**
0a7de745
A		 1537 * @brief Assign a label to a new mbuf
1538 * @param bpf_d BPF descriptor
1539 * @param b_label Policy label for bpf_d
1540 * @param m Object; mbuf
1541 * @param m_label Policy label to fill in for m
1542 *
1543 * Set the label on the mbuf header of a newly created datagram
1544 * generated using the passed BPF descriptor. This call is made when
1545 * a write is performed to the BPF device associated with the passed
1546 * BPF descriptor.
1547 */
2d21ac55
A		 1548typedef void mpo_mbuf_label_associate_bpfdesc_t(
1549 struct bpf_d *bpf_d,
1550 struct label *b_label,
1551 struct mbuf *m,
1552 struct label *m_label
0a7de745 1553 );
2d21ac55 1554/**
0a7de745
A		 1555 * @brief Assign a label to a new mbuf
1556 * @param ifp Interface descriptor
1557 * @param i_label Existing label of ifp
1558 * @param m Object; mbuf
1559 * @param m_label Policy label to fill in for m
1560 *
1561 * Label an mbuf based on the interface from which it was received.
1562 */
2d21ac55
A		 1563typedef void mpo_mbuf_label_associate_ifnet_t(
1564 struct ifnet *ifp,
1565 struct label *i_label,
1566 struct mbuf *m,
1567 struct label *m_label
0a7de745 1568 );
2d21ac55 1569/**
0a7de745
A		 1570 * @brief Assign a label to a new mbuf
1571 * @param inp inpcb structure
1572 * @param i_label Existing label of inp
1573 * @param m Object; mbuf
1574 * @param m_label Policy label to fill in for m
1575 *
1576 * Label an mbuf based on the inpcb from which it was derived.
1577 */
2d21ac55
A		 1578typedef void mpo_mbuf_label_associate_inpcb_t(
1579 struct inpcb *inp,
1580 struct label *i_label,
1581 struct mbuf *m,
1582 struct label *m_label
0a7de745 1583 );
2d21ac55 1584/**
0a7de745
A		 1585 * @brief Set the label on a newly reassembled IP datagram
1586 * @param ipq IP fragment reassembly queue
1587 * @param ipqlabel Policy label for ipq
1588 * @param mbuf IP datagram to be labeled
1589 * @param mbuflabel Policy label to be filled in for mbuf
1590 *
1591 * Set the label on a newly reassembled IP datagram (mbuf) from the IP
1592 * fragment reassembly queue (ipq) from which it was generated.
1593 */
2d21ac55
A		 1594typedef void mpo_mbuf_label_associate_ipq_t(
1595 struct ipq *ipq,
1596 struct label *ipqlabel,
1597 struct mbuf *mbuf,
1598 struct label *mbuflabel
0a7de745 1599 );
2d21ac55 1600/**
0a7de745
A		 1601 * @brief Assign a label to a new mbuf
1602 * @param ifp Subject; network interface
1603 * @param i_label Existing label of ifp
1604 * @param m Object; mbuf
1605 * @param m_label Policy label to fill in for m
1606 *
1607 * Set the label on the mbuf header of a newly created datagram
1608 * generated for the purposes of a link layer response for the passed
1609 * interface. This call may be made in a number of situations, including
1610 * for ARP or ND6 responses in the IPv4 and IPv6 stacks.
1611 */
2d21ac55
A		 1612typedef void mpo_mbuf_label_associate_linklayer_t(
1613 struct ifnet *ifp,
1614 struct label *i_label,
1615 struct mbuf *m,
1616 struct label *m_label
0a7de745
A		 1617 );
1618/**
1619 * @brief Assign a label to a new mbuf
1620 * @param oldmbuf mbuf headerder for existing datagram for existing datagram
1621 * @param oldmbuflabel Policy label for oldmbuf
1622 * @param ifp Network interface
1623 * @param ifplabel Policy label for ifp
1624 * @param newmbuf mbuf header to be labeled for new datagram
1625 * @param newmbuflabel Policy label for newmbuf
1626 *
1627 * Set the label on the mbuf header of a newly created datagram
1628 * generated from the existing passed datagram when it is processed
1629 * by the passed multicast encapsulation interface. This call is made
1630 * when an mbuf is to be delivered using the virtual interface.
1631 */
2d21ac55
A		 1632typedef void mpo_mbuf_label_associate_multicast_encap_t(
1633 struct mbuf *oldmbuf,
1634 struct label *oldmbuflabel,
1635 struct ifnet *ifp,
1636 struct label *ifplabel,
1637 struct mbuf *newmbuf,
1638 struct label *newmbuflabel
0a7de745 1639 );
2d21ac55 1640/**
0a7de745
A		 1641 * @brief Assign a label to a new mbuf
1642 * @param oldmbuf Received datagram
1643 * @param oldmbuflabel Policy label for oldmbuf
1644 * @param newmbuf Newly created datagram
1645 * @param newmbuflabel Policy label for newmbuf
1646 *
1647 * Set the label on the mbuf header of a newly created datagram generated
1648 * by the IP stack in response to an existing received datagram (oldmbuf).
1649 * This call may be made in a number of situations, including when responding
1650 * to ICMP request datagrams.
1651 */
2d21ac55
A		 1652typedef void mpo_mbuf_label_associate_netlayer_t(
1653 struct mbuf *oldmbuf,
1654 struct label *oldmbuflabel,
1655 struct mbuf *newmbuf,
1656 struct label *newmbuflabel
0a7de745 1657 );
2d21ac55 1658/**
0a7de745
A		 1659 * @brief Assign a label to a new mbuf
1660 * @param so Socket to label
1661 * @param so_label Policy label for socket
1662 * @param m Object; mbuf
1663 * @param m_label Policy label to fill in for m
1664 *
1665 * An mbuf structure is used to store network traffic in transit.
1666 * When an application sends data to a socket or a pipe, it is wrapped
1667 * in an mbuf first. This function sets the label on a newly created mbuf header
1668 * based on the socket sending the data. The contents of the label should be
1669 * suitable for performing an access check on the receiving side of the
1670 * communication.
1671 *
1672 * Only labeled MBUFs will be presented to the policy via this entrypoint.
1673 */
2d21ac55
A		 1674typedef void mpo_mbuf_label_associate_socket_t(
1675 socket_t so,
1676 struct label *so_label,
1677 struct mbuf *m,
1678 struct label *m_label
0a7de745 1679 );
2d21ac55 1680/**
0a7de745
A		 1681 * @brief Copy a mbuf label
1682 * @param src Source label
1683 * @param dest Destination label
1684 *
1685 * Copy the mbuf label information in src into dest.
1686 *
1687 * Only called when both source and destination mbufs have labels.
1688 */
2d21ac55
A		 1689typedef void mpo_mbuf_label_copy_t(
1690 struct label *src,
1691 struct label *dest
0a7de745 1692 );
2d21ac55 1693/**
0a7de745
A		 1694 * @brief Destroy mbuf label
1695 * @param label The label to be destroyed
1696 *
1697 * Destroy a mbuf label. Since the
1698 * object is going out of scope, policy modules should free any
1699 * internal storage associated with the label so that it may be
1700 * destroyed.
1701 */
2d21ac55
A		 1702typedef void mpo_mbuf_label_destroy_t(
1703 struct label *label
0a7de745 1704 );
2d21ac55 1705/**
0a7de745
A		 1706 * @brief Initialize mbuf label
1707 * @param label New label to initialize
1708 * @param flag Malloc flags
1709 *
1710 * Initialize the label for a newly instantiated mbuf.
1711 *
1712 * @warning Since it is possible for the flags to be set to
1713 * M_NOWAIT, the malloc operation may fail.
1714 *
1715 * @return On success, 0, otherwise, an appropriate errno return value.
1716 */
2d21ac55
A		 1717typedef int mpo_mbuf_label_init_t(
1718 struct label *label,
1719 int flag
0a7de745 1720 );
2d21ac55 1721/**
0a7de745
A		 1722 * @brief Access control check for fsctl
1723 * @param cred Subject credential
1724 * @param mp The mount point
1725 * @param label Label associated with the mount point
1726 * @param cmd Filesystem-dependent request code; see fsctl(2)
1727 *
1728 * Determine whether the subject identified by the credential can perform
1729 * the volume operation indicated by com.
1730 *
1731 * @warning The fsctl() system call is directly analogous to ioctl(); since
1732 * the associated data is opaque from the standpoint of the MAC framework
1733 * and since these operations can affect many aspects of system operation,
1734 * policies must exercise extreme care when implementing access control checks.
1735 *
1736 * @return Return 0 if access is granted, otherwise an appropriate value for
1737 * errno should be returned.
1738 */
2d21ac55
A		 1739typedef int mpo_mount_check_fsctl_t(
1740 kauth_cred_t cred,
1741 struct mount *mp,
1742 struct label *label,
1743 unsigned int cmd
0a7de745 1744 );
2d21ac55 1745/**
0a7de745
A		 1746 * @brief Access control check for the retrieval of file system attributes
1747 * @param cred Subject credential
1748 * @param mp The mount structure of the file system
1749 * @param vfa The attributes requested
1750 *
1751 * This entry point determines whether given subject can get information
1752 * about the given file system. This check happens during statfs() syscalls,
1753 * but is also used by other parts within the kernel such as the audit system.
1754 *
1755 * @return Return 0 if access is granted, otherwise an appropriate value for
1756 * errno should be returned.
1757 *
1758 * @note Policies may change the contents of vfa to alter the list of
1759 * file system attributes returned.
1760 */
2d21ac55
A		 1761
1762typedef int mpo_mount_check_getattr_t(
1763 kauth_cred_t cred,
1764 struct mount *mp,
1765 struct label *mp_label,
1766 struct vfs_attr *vfa
0a7de745 1767 );
2d21ac55 1768/**
0a7de745
A		 1769 * @brief Access control check for mount point relabeling
1770 * @param cred Subject credential
1771 * @param mp Object file system mount point
1772 * @param mntlabel Policy label for fle system mount point
1773 *
1774 * Determine whether the subject identified by the credential can relabel
1775 * the mount point. This call is made when a file system mount is updated.
1776 *
1777 * @return Return 0 if access is granted, otherwise an appropriate value for
1778 * errno should be returned. Suggested failure: EACCES for label mismatch
1779 * or EPERM for lack of privilege.
1780 */
2d21ac55
A		 1781typedef int mpo_mount_check_label_update_t(
1782 kauth_cred_t cred,
1783 struct mount *mp,
1784 struct label *mntlabel
0a7de745
A		 1785 );
1786/**
1787 * @brief Access control check for mounting a file system
1788 * @param cred Subject credential
1789 * @param vp Vnode that is to be the mount point
1790 * @param vlabel Label associated with the vnode
1791 * @param cnp Component name for vp
1792 * @param vfc_name Filesystem type name
1793 *
1794 * Determine whether the subject identified by the credential can perform
1795 * the mount operation on the target vnode.
1796 *
1797 * @return Return 0 if access is granted, otherwise an appropriate value for
1798 * errno should be returned.
1799 */
2d21ac55
A		 1800typedef int mpo_mount_check_mount_t(
1801 kauth_cred_t cred,
1802 struct vnode *vp,
1803 struct label *vlabel,
1804 struct componentname *cnp,
1805 const char *vfc_name
0a7de745 1806 );
cb323159
A		 1807/**
1808 * @brief Access control check for mounting a file system (late)
1809 * @param cred Subject credential
1810 * @param mp Mount point
1811 *
1812 * Similar to mpo_mount_check_mount, but occurs after VFS_MOUNT has been
1813 * called, making it possible to access mnt_vfsstat.f_mntfromname and other
1814 * fields.
1815 *
1816 * @return Return 0 if access is granted, otherwise an appropriate value for
1817 * errno should be returned.
1818 */
1819typedef int mpo_mount_check_mount_late_t(
1820 kauth_cred_t cred,
1821 struct mount *mp
1822 );
39037602 1823/**
0a7de745
A		 1824 * @brief Access control check for fs_snapshot_create
1825 * @param cred Subject credential
1826 * @mp Filesystem mount point to create snapshot of
1827 * @name Name of snapshot to create
1828 *
1829 * Determine whether the subject identified by the credential can
1830 * create a snapshot of the filesystem at the given mount point.
1831 *
1832 * @return Return 0 if access is granted, otherwise an appropriate value
1833 * for errno should be returned.
1834 */
39037602
A		 1835typedef int mpo_mount_check_snapshot_create_t(
1836 kauth_cred_t cred,
1837 struct mount *mp,
1838 const char *name
0a7de745 1839 );
39037602 1840/**
0a7de745
A		 1841 * @brief Access control check for fs_snapshot_delete
1842 * @param cred Subject credential
1843 * @mp Filesystem mount point to delete snapshot of
1844 * @name Name of snapshot to delete
1845 *
1846 * Determine whether the subject identified by the credential can
1847 * delete the named snapshot from the filesystem at the given
1848 * mount point.
1849 *
1850 * @return Return 0 if access is granted, otherwise an appropriate value
1851 * for errno should be returned.
1852 */
39037602
A		 1853typedef int mpo_mount_check_snapshot_delete_t(
1854 kauth_cred_t cred,
1855 struct mount *mp,
1856 const char *name
0a7de745 1857 );
ea3f0419
A		 1858/**
1859 * @brief Access control check for fs_snapshot_mount
1860 * @param cred Subject credential
1861 * @param rvp Vnode of either the root directory of the
1862 * filesystem to mount snapshot of, or the device from
1863 * which to mount the snapshot.
1864 * @param vp Vnode that is to be the mount point
1865 * @param cnp Component name for vp
1866 * @param name Name of snapshot to mount
1867 * @param vfc_name Filesystem type name
1868 *
1869 * Determine whether the subject identified by the credential can
1870 * mount the named snapshot from the filesystem at the given
1871 * directory.
1872 *
1873 * @return Return 0 if access is granted, otherwise an appropriate value
1874 * for errno should be returned.
1875 */
1876typedef int mpo_mount_check_snapshot_mount_t(
1877 kauth_cred_t cred,
1878 struct vnode *rvp,
1879 struct vnode *vp,
1880 struct componentname *cnp,
1881 const char *name,
1882 const char *vfc_name
1883 );
813fb2f6 1884/**
0a7de745
A		 1885 * @brief Access control check for fs_snapshot_revert
1886 * @param cred Subject credential
1887 * @mp Filesystem mount point to revert to snapshot
1888 * @name Name of snapshot to revert to
1889 *
1890 * Determine whether the subject identified by the credential can
1891 * revert the filesystem at the given mount point to the named snapshot.
1892 *
1893 * @return Return 0 if access is granted, otherwise an appropriate value
1894 * for errno should be returned.
1895 */
813fb2f6
A		 1896typedef int mpo_mount_check_snapshot_revert_t(
1897 kauth_cred_t cred,
1898 struct mount *mp,
1899 const char *name
0a7de745 1900 );
2d21ac55 1901/**
0a7de745
A		 1902 * @brief Access control check remounting a filesystem
1903 * @param cred Subject credential
1904 * @param mp The mount point
1905 * @param mlabel Label currently associated with the mount point
1906 *
1907 * Determine whether the subject identified by the credential can perform
1908 * the remount operation on the target vnode.
1909 *
1910 * @return Return 0 if access is granted, otherwise an appropriate value for
1911 * errno should be returned.
1912 */
2d21ac55
A		 1913typedef int mpo_mount_check_remount_t(
1914 kauth_cred_t cred,
1915 struct mount *mp,
1916 struct label *mlabel
0a7de745 1917 );
2d21ac55 1918/**
0a7de745
A		 1919 * @brief Access control check for the settting of file system attributes
1920 * @param cred Subject credential
1921 * @param mp The mount structure of the file system
1922 * @param vfa The attributes requested
1923 *
1924 * This entry point determines whether given subject can set information
1925 * about the given file system, for example the volume name.
1926 *
1927 * @return Return 0 if access is granted, otherwise an appropriate value for
1928 * errno should be returned.
1929 */
2d21ac55
A		 1930
1931typedef int mpo_mount_check_setattr_t(
1932 kauth_cred_t cred,
1933 struct mount *mp,
1934 struct label *mp_label,
1935 struct vfs_attr *vfa
0a7de745 1936 );
2d21ac55 1937/**
0a7de745
A		 1938 * @brief Access control check for file system statistics
1939 * @param cred Subject credential
1940 * @param mp Object file system mount
1941 * @param mntlabel Policy label for mp
1942 *
1943 * Determine whether the subject identified by the credential can see
1944 * the results of a statfs performed on the file system. This call may
1945 * be made in a number of situations, including during invocations of
1946 * statfs(2) and related calls, as well as to determine what file systems
1947 * to exclude from listings of file systems, such as when getfsstat(2)
1948 * is invoked.
1949 *
1950 * @return Return 0 if access is granted, otherwise an appropriate value for
1951 * errno should be returned. Suggested failure: EACCES for label mismatch
1952 * or EPERM for lack of privilege.
1953 */
2d21ac55
A		 1954typedef int mpo_mount_check_stat_t(
1955 kauth_cred_t cred,
1956 struct mount *mp,
1957 struct label *mntlabel
0a7de745 1958 );
2d21ac55 1959/**
0a7de745
A		 1960 * @brief Access control check for unmounting a filesystem
1961 * @param cred Subject credential
1962 * @param mp The mount point
1963 * @param mlabel Label associated with the mount point
1964 *
1965 * Determine whether the subject identified by the credential can perform
1966 * the unmount operation on the target vnode.
1967 *
1968 * @return Return 0 if access is granted, otherwise an appropriate value for
1969 * errno should be returned.
1970 */
2d21ac55
A		 1971typedef int mpo_mount_check_umount_t(
1972 kauth_cred_t cred,
1973 struct mount *mp,
1974 struct label *mlabel
0a7de745 1975 );
2d21ac55 1976/**
0a7de745
A		 1977 * @brief Create mount labels
1978 * @param cred Subject credential
1979 * @param mp Mount point of file system being mounted
1980 * @param mntlabel Label to associate with the new mount point
1981 * @see mpo_mount_label_init_t
1982 *
1983 * Fill out the labels on the mount point being created by the supplied
1984 * user credential. This call is made when file systems are first mounted.
1985 */
2d21ac55
A		 1986typedef void mpo_mount_label_associate_t(
1987 kauth_cred_t cred,
1988 struct mount *mp,
1989 struct label *mntlabel
0a7de745 1990 );
2d21ac55 1991/**
0a7de745
A		 1992 * @brief Destroy mount label
1993 * @param label The label to be destroyed
1994 *
1995 * Destroy a file system mount label. Since the
1996 * object is going out of scope, policy modules should free any
1997 * internal storage associated with the label so that it may be
1998 * destroyed.
1999 */
2d21ac55
A		 2000typedef void mpo_mount_label_destroy_t(
2001 struct label *label
0a7de745 2002 );
2d21ac55 2003/**
0a7de745
A		 2004 * @brief Externalize a mount point label
2005 * @param label Label to be externalized
2006 * @param element_name Name of the label namespace for which labels should be
2007 * externalized
2008 * @param sb String buffer to be filled with a text representation of the label
2009 *
2010 * Produce an external representation of the mount point label. An
2011 * externalized label consists of a text representation of the label
2012 * contents that can be used with user applications. Policy-agnostic
2013 * user space tools will display this externalized version.
2014 *
2015 * The policy's externalize entry points will be called only if the
2016 * policy has registered interest in the label namespace.
2017 *
2018 * @return 0 on success, return non-zero if an error occurs while
2019 * externalizing the label data.
2020 *
2021 */
2d21ac55
A		 2022typedef int mpo_mount_label_externalize_t(
2023 struct label *label,
2024 char *element_name,
2025 struct sbuf *sb
0a7de745 2026 );
2d21ac55 2027/**
0a7de745
A		 2028 * @brief Initialize mount point label
2029 * @param label New label to initialize
2030 *
2031 * Initialize the label for a newly instantiated mount structure.
2032 * This label is typically used to store a default label in the case
2033 * that the file system has been mounted singlelabel. Since some
2034 * file systems do not support persistent labels (extended attributes)
2035 * or are read-only (such as CD-ROMs), it is often necessary to store
2036 * a default label separately from the label of the mount point
2037 * itself. Sleeping is permitted.
2038 */
2d21ac55
A		 2039typedef void mpo_mount_label_init_t(
2040 struct label *label
0a7de745 2041 );
2d21ac55 2042/**
0a7de745
A		 2043 * @brief Internalize a mount point label
2044 * @param label Label to be internalized
2045 * @param element_name Name of the label namespace for which the label should
2046 * be internalized
2047 * @param element_data Text data to be internalized
2048 *
2049 * Produce a mount point file system label from an external representation.
2050 * An externalized label consists of a text representation of the label
2051 * contents that can be used with user applications. Policy-agnostic
2052 * user space tools will forward text version to the kernel for
2053 * processing by individual policy modules.
2054 *
2055 * The policy's internalize entry points will be called only if the
2056 * policy has registered interest in the label namespace.
2057 *
2058 * @return 0 on success, Otherwise, return non-zero if an error occurs
2059 * while internalizing the label data.
2060 *
2061 */
2d21ac55
A		 2062typedef int mpo_mount_label_internalize_t(
2063 struct label *label,
2064 char *element_name,
2065 char *element_data
0a7de745 2066 );
2d21ac55 2067/**
0a7de745
A		 2068 * @brief Set the label on an IPv4 datagram fragment
2069 * @param datagram Datagram being fragmented
2070 * @param datagramlabel Policy label for datagram
2071 * @param fragment New fragment
2072 * @param fragmentlabel Policy label for fragment
2073 *
2074 * Called when an IPv4 datagram is fragmented into several smaller datagrams.
2075 * Policies implementing mbuf labels will typically copy the label from the
2076 * source datagram to the new fragment.
2077 */
2d21ac55
A		 2078typedef void mpo_netinet_fragment_t(
2079 struct mbuf *datagram,
2080 struct label *datagramlabel,
2081 struct mbuf *fragment,
2082 struct label *fragmentlabel
0a7de745 2083 );
2d21ac55 2084/**
0a7de745
A		 2085 * @brief Set the label on an ICMP reply
2086 * @param m mbuf containing the ICMP reply
2087 * @param mlabel Policy label for m
2088 *
2089 * A policy may wish to update the label of an mbuf that refers to
2090 * an ICMP packet being sent in response to an IP packet. This may
2091 * be called in response to a bad packet or an ICMP request.
2092 */
2d21ac55
A		 2093typedef void mpo_netinet_icmp_reply_t(
2094 struct mbuf *m,
2095 struct label *mlabel
0a7de745 2096 );
2d21ac55 2097/**
0a7de745
A		 2098 * @brief Set the label on a TCP reply
2099 * @param m mbuf containing the TCP reply
2100 * @param mlabel Policy label for m
2101 *
2102 * Called for outgoing TCP packets not associated with an actual socket.
2103 */
2d21ac55
A		 2104typedef void mpo_netinet_tcp_reply_t(
2105 struct mbuf *m,
2106 struct label *mlabel
0a7de745 2107 );
2d21ac55 2108/**
0a7de745
A		 2109 * @brief Access control check for pipe ioctl
2110 * @param cred Subject credential
2111 * @param cpipe Object to be accessed
2112 * @param pipelabel The label on the pipe
2113 * @param cmd The ioctl command; see ioctl(2)
2114 *
2115 * Determine whether the subject identified by the credential can perform
2116 * the ioctl operation indicated by cmd.
2117 *
2118 * @warning Since ioctl data is opaque from the standpoint of the MAC
2119 * framework, policies must exercise extreme care when implementing
2120 * access control checks.
2121 *
2122 * @return Return 0 if access is granted, otherwise an appropriate value for
2123 * errno should be returned.
2124 *
2125 */
2d21ac55
A		 2126typedef int mpo_pipe_check_ioctl_t(
2127 kauth_cred_t cred,
2128 struct pipe *cpipe,
2129 struct label *pipelabel,
2130 unsigned int cmd
0a7de745 2131 );
2d21ac55 2132/**
0a7de745
A		 2133 * @brief Access control check for pipe kqfilter
2134 * @param cred Subject credential
2135 * @param kn Object knote
2136 * @param cpipe Object to be accessed
2137 * @param pipelabel Policy label for the pipe
2138 *
2139 * Determine whether the subject identified by the credential can
2140 * receive the knote on the passed pipe.
2141 *
2142 * @return Return 0 if access if granted, otherwise an appropriate
2143 * value for errno should be returned.
2144 */
2d21ac55
A		 2145typedef int mpo_pipe_check_kqfilter_t(
2146 kauth_cred_t cred,
2147 struct knote *kn,
2148 struct pipe *cpipe,
2149 struct label *pipelabel
0a7de745 2150 );
2d21ac55 2151/**
0a7de745
A		 2152 * @brief Access control check for pipe relabel
2153 * @param cred Subject credential
2154 * @param cpipe Object to be accessed
2155 * @param pipelabel The current label on the pipe
2156 * @param newlabel The new label to be used
2157 *
2158 * Determine whether the subject identified by the credential can
2159 * perform a relabel operation on the passed pipe. The cred object holds
2160 * the credentials of the subject performing the operation.
2161 *
2162 * @return Return 0 if access is granted, otherwise an appropriate value for
2163 * errno should be returned.
2164 *
2165 */
2166typedef int mpo_pipe_check_label_update_t(
2167 kauth_cred_t cred,
2d21ac55
A		 2168 struct pipe *cpipe,
2169 struct label *pipelabel,
2170 struct label *newlabel
0a7de745 2171 );
2d21ac55 2172/**
0a7de745
A		 2173 * @brief Access control check for pipe read
2174 * @param cred Subject credential
2175 * @param cpipe Object to be accessed
2176 * @param pipelabel The label on the pipe
2177 *
2178 * Determine whether the subject identified by the credential can
2179 * perform a read operation on the passed pipe. The cred object holds
2180 * the credentials of the subject performing the operation.
2181 *
2182 * @return Return 0 if access is granted, otherwise an appropriate value for
2183 * errno should be returned.
2184 *
2185 */
2d21ac55
A		 2186typedef int mpo_pipe_check_read_t(
2187 kauth_cred_t cred,
2188 struct pipe *cpipe,
2189 struct label *pipelabel
0a7de745 2190 );
2d21ac55 2191/**
0a7de745
A		 2192 * @brief Access control check for pipe select
2193 * @param cred Subject credential
2194 * @param cpipe Object to be accessed
2195 * @param pipelabel The label on the pipe
2196 * @param which The operation selected on: FREAD or FWRITE
2197 *
2198 * Determine whether the subject identified by the credential can
2199 * perform a select operation on the passed pipe. The cred object holds
2200 * the credentials of the subject performing the operation.
2201 *
2202 * @return Return 0 if access is granted, otherwise an appropriate value for
2203 * errno should be returned.
2204 *
2205 */
2d21ac55
A		 2206typedef int mpo_pipe_check_select_t(
2207 kauth_cred_t cred,
2208 struct pipe *cpipe,
2209 struct label *pipelabel,
2210 int which
0a7de745 2211 );
2d21ac55 2212/**
0a7de745
A		 2213 * @brief Access control check for pipe stat
2214 * @param cred Subject credential
2215 * @param cpipe Object to be accessed
2216 * @param pipelabel The label on the pipe
2217 *
2218 * Determine whether the subject identified by the credential can
2219 * perform a stat operation on the passed pipe. The cred object holds
2220 * the credentials of the subject performing the operation.
2221 *
2222 * @return Return 0 if access is granted, otherwise an appropriate value for
2223 * errno should be returned.
2224 *
2225 */
2d21ac55
A		 2226typedef int mpo_pipe_check_stat_t(
2227 kauth_cred_t cred,
2228 struct pipe *cpipe,
2229 struct label *pipelabel
0a7de745 2230 );
2d21ac55 2231/**
0a7de745
A		 2232 * @brief Access control check for pipe write
2233 * @param cred Subject credential
2234 * @param cpipe Object to be accessed
2235 * @param pipelabel The label on the pipe
2236 *
2237 * Determine whether the subject identified by the credential can
2238 * perform a write operation on the passed pipe. The cred object holds
2239 * the credentials of the subject performing the operation.
2240 *
2241 * @return Return 0 if access is granted, otherwise an appropriate value for
2242 * errno should be returned.
2243 *
2244 */
2d21ac55
A		 2245typedef int mpo_pipe_check_write_t(
2246 kauth_cred_t cred,
2247 struct pipe *cpipe,
2248 struct label *pipelabel
0a7de745 2249 );
2d21ac55 2250/**
0a7de745
A		 2251 * @brief Create a pipe label
2252 * @param cred Subject credential
2253 * @param cpipe object to be labeled
2254 * @param pipelabel Label for the pipe object
2255 *
2256 * Create a label for the pipe object being created by the supplied
2257 * user credential. This call is made when the pipe is being created
2258 * XXXPIPE(for one or both sides of the pipe?).
2259 *
2260 */
2d21ac55
A		 2261typedef void mpo_pipe_label_associate_t(
2262 kauth_cred_t cred,
2263 struct pipe *cpipe,
2264 struct label *pipelabel
0a7de745 2265 );
2d21ac55 2266/**
0a7de745
A		 2267 * @brief Copy a pipe label
2268 * @param src Source pipe label
2269 * @param dest Destination pipe label
2270 *
2271 * Copy the pipe label associated with src to dest.
2272 * XXXPIPE Describe when this is used: most likely during pipe creation to
2273 * copy from rpipe to wpipe.
2274 */
2d21ac55
A		 2275typedef void mpo_pipe_label_copy_t(
2276 struct label *src,
2277 struct label *dest
0a7de745 2278 );
2d21ac55 2279/**
0a7de745
A		 2280 * @brief Destroy pipe label
2281 * @param label The label to be destroyed
2282 *
2283 * Destroy a pipe label. Since the object is going out of scope,
2284 * policy modules should free any internal storage associated with the
2285 * label so that it may be destroyed.
2286 */
2d21ac55
A		 2287typedef void mpo_pipe_label_destroy_t(
2288 struct label *label
0a7de745 2289 );
2d21ac55 2290/**
0a7de745
A		 2291 * @brief Externalize a pipe label
2292 * @param label Label to be externalized
2293 * @param element_name Name of the label namespace for which labels should be
2294 * externalized
2295 * @param sb String buffer to be filled with a text representation of the label
2296 *
2297 * Produce an external representation of the label on a pipe.
2298 * An externalized label consists of a text representation
2299 * of the label contents that can be used with user applications.
2300 * Policy-agnostic user space tools will display this externalized
2301 * version.
2302 *
2303 * The policy's externalize entry points will be called only if the
2304 * policy has registered interest in the label namespace.
2305 *
2306 * @return 0 on success, return non-zero if an error occurs while
2307 * externalizing the label data.
2308 *
2309 */
2d21ac55
A		 2310typedef int mpo_pipe_label_externalize_t(
2311 struct label *label,
2312 char *element_name,
2313 struct sbuf *sb
0a7de745 2314 );
2d21ac55 2315/**
0a7de745
A		 2316 * @brief Initialize pipe label
2317 * @param label New label to initialize
2318 *
2319 * Initialize label storage for use with a newly instantiated pipe object.
2320 * Sleeping is permitted.
2321 */
2d21ac55
A		 2322typedef void mpo_pipe_label_init_t(
2323 struct label *label
0a7de745 2324 );
2d21ac55 2325/**
0a7de745
A		 2326 * @brief Internalize a pipe label
2327 * @param label Label to be internalized
2328 * @param element_name Name of the label namespace for which the label should
2329 * be internalized
2330 * @param element_data Text data to be internalized
2331 *
2332 * Produce a pipe label from an external representation. An
2333 * externalized label consists of a text representation of the label
2334 * contents that can be used with user applications. Policy-agnostic
2335 * user space tools will forward text version to the kernel for
2336 * processing by individual policy modules.
2337 *
2338 * The policy's internalize entry points will be called only if the
2339 * policy has registered interest in the label namespace.
2340 *
2341 * @return 0 on success, Otherwise, return non-zero if an error occurs
2342 * while internalizing the label data.
2343 *
2344 */
2d21ac55
A		 2345typedef int mpo_pipe_label_internalize_t(
2346 struct label *label,
2347 char *element_name,
2348 char *element_data
0a7de745
A		 2349 );
2350/**
2351 * @brief Update a pipe label
2352 * @param cred Subject credential
2353 * @param cpipe Object to be labeled
2354 * @param oldlabel Existing pipe label
2355 * @param newlabel New label to replace existing label
2356 * @see mpo_pipe_check_label_update_t
2357 *
2358 * The subject identified by the credential has previously requested
2359 * and was authorized to relabel the pipe; this entry point allows
2360 * policies to perform the actual relabel operation. Policies should
2361 * update oldlabel using the label stored in the newlabel parameter.
2362 *
2363 */
2d21ac55
A		 2364typedef void mpo_pipe_label_update_t(
2365 kauth_cred_t cred,
2366 struct pipe *cpipe,
2367 struct label *oldlabel,
2368 struct label *newlabel
0a7de745 2369 );
2d21ac55 2370/**
0a7de745
A		 2371 * @brief Policy unload event
2372 * @param mpc MAC policy configuration
2373 *
2374 * This is the MAC Framework policy unload event. This entry point will
2375 * only be called if the module's policy configuration allows unload (if
2376 * the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't
2377 * want to be unloaded; they should set their flags to prevent this
2378 * entry point from being called.
2379 *
2380 * @warning During this call, the mac policy list mutex is held, so
2381 * sleep operations cannot be performed, and calls out to other kernel
2382 * subsystems must be made with caution.
2383 *
2384 * @see MPC_LOADTIME_FLAG_UNLOADOK
2385 */
2d21ac55
A		 2386typedef void mpo_policy_destroy_t(
2387 struct mac_policy_conf *mpc
0a7de745 2388 );
2d21ac55 2389/**
0a7de745
A		 2390 * @brief Policy initialization event
2391 * @param mpc MAC policy configuration
2392 * @see mac_policy_register
2393 * @see mpo_policy_initbsd_t
2394 *
2395 * This is the MAC Framework policy initialization event. This entry
2396 * point is called during mac_policy_register, when the policy module
2397 * is first registered with the MAC Framework. This is often done very
2398 * early in the boot process, after the kernel Mach subsystem has been
2399 * initialized, but prior to the BSD subsystem being initialized.
2400 * Since the kernel BSD services are not yet available, it is possible
2401 * that some initialization must occur later, possibly in the
2402 * mpo_policy_initbsd_t policy entry point, such as registering BSD system
2403 * controls (sysctls). Policy modules loaded at boot time will be
2404 * registered and initialized before labeled Mach objects are created.
2405 *
2406 * @warning During this call, the mac policy list mutex is held, so
2407 * sleep operations cannot be performed, and calls out to other kernel
2408 * subsystems must be made with caution.
2409 */
2d21ac55
A		 2410typedef void mpo_policy_init_t(
2411 struct mac_policy_conf *mpc
0a7de745 2412 );
2d21ac55 2413/**
0a7de745
A		 2414 * @brief Policy BSD initialization event
2415 * @param mpc MAC policy configuration
2416 * @see mpo_policy_init_t
2417 *
2418 * This entry point is called after the kernel BSD subsystem has been
2419 * initialized. By this point, the module should already be loaded,
2420 * registered, and initialized. Since policy modules are initialized
2421 * before kernel BSD services are available, this second initialization
2422 * phase is necessary. At this point, BSD services (memory management,
2423 * synchronization primitives, vfs, etc.) are available, but the first
2424 * process has not yet been created. Mach-related objects and tasks
2425 * will already be fully initialized and may be in use--policies requiring
2426 * ubiquitous labeling may also want to implement mpo_policy_init_t.
2427 *
2428 * @warning During this call, the mac policy list mutex is held, so
2429 * sleep operations cannot be performed, and calls out to other kernel
2430 * subsystems must be made with caution.
2431 */
2d21ac55
A		 2432typedef void mpo_policy_initbsd_t(
2433 struct mac_policy_conf *mpc
0a7de745 2434 );
2d21ac55 2435/**
0a7de745
A		 2436 * @brief Policy extension service
2437 * @param p Calling process
2438 * @param call Policy-specific syscall number
2439 * @param arg Pointer to syscall arguments
2440 *
2441 * This entry point provides a policy-multiplexed system call so that
2442 * policies may provide additional services to user processes without
2443 * registering specific system calls. The policy name provided during
2444 * registration is used to demux calls from userland, and the arguments
2445 * will be forwarded to this entry point. When implementing new
2446 * services, security modules should be sure to invoke appropriate
2447 * access control checks from the MAC framework as needed. For
2448 * example, if a policy implements an augmented signal functionality,
2449 * it should call the necessary signal access control checks to invoke
2450 * the MAC framework and other registered policies.
2451 *
2452 * @warning Since the format and contents of the policy-specific
2453 * arguments are unknown to the MAC Framework, modules must perform the
2454 * required copyin() of the syscall data on their own. No policy
2455 * mediation is performed, so policies must perform any necessary
2456 * access control checks themselves. If multiple policies are loaded,
2457 * they will currently be unable to mediate calls to other policies.
2458 *
2459 * @return In the event of an error, an appropriate value for errno
2460 * should be returned, otherwise return 0 upon success.
2461 */
2d21ac55
A		 2462typedef int mpo_policy_syscall_t(
2463 struct proc *p,
2464 int call,
2465 user_addr_t arg
0a7de745 2466 );
2d21ac55 2467/**
0a7de745
A		 2468 * @brief Access control check for POSIX semaphore create
2469 * @param cred Subject credential
2470 * @param name String name of the semaphore
2471 *
2472 * Determine whether the subject identified by the credential can create
2473 * a POSIX semaphore specified by name.
2474 *
2475 * @return Return 0 if access is granted, otherwise an appropriate value for
2476 * errno should be returned.
2477 */
2d21ac55
A		 2478typedef int mpo_posixsem_check_create_t(
2479 kauth_cred_t cred,
2480 const char *name
0a7de745 2481 );
2d21ac55 2482/**
0a7de745
A		 2483 * @brief Access control check for POSIX semaphore open
2484 * @param cred Subject credential
2485 * @param ps Pointer to semaphore information structure
2486 * @param semlabel Label associated with the semaphore
2487 *
2488 * Determine whether the subject identified by the credential can open
2489 * the named POSIX semaphore with label semlabel.
2490 *
2491 * @return Return 0 if access is granted, otherwise an appropriate value for
2492 * errno should be returned.
2493 */
2d21ac55
A		 2494typedef int mpo_posixsem_check_open_t(
2495 kauth_cred_t cred,
2496 struct pseminfo *ps,
2497 struct label *semlabel
0a7de745 2498 );
2d21ac55 2499/**
0a7de745
A		 2500 * @brief Access control check for POSIX semaphore post
2501 * @param cred Subject credential
2502 * @param ps Pointer to semaphore information structure
2503 * @param semlabel Label associated with the semaphore
2504 *
2505 * Determine whether the subject identified by the credential can unlock
2506 * the named POSIX semaphore with label semlabel.
2507 *
2508 * @return Return 0 if access is granted, otherwise an appropriate value for
2509 * errno should be returned.
2510 */
2d21ac55
A		 2511typedef int mpo_posixsem_check_post_t(
2512 kauth_cred_t cred,
2513 struct pseminfo *ps,
2514 struct label *semlabel
0a7de745 2515 );
2d21ac55 2516/**
0a7de745
A		 2517 * @brief Access control check for POSIX semaphore unlink
2518 * @param cred Subject credential
2519 * @param ps Pointer to semaphore information structure
2520 * @param semlabel Label associated with the semaphore
2521 * @param name String name of the semaphore
2522 *
2523 * Determine whether the subject identified by the credential can remove
2524 * the named POSIX semaphore with label semlabel.
2525 *
2526 * @return Return 0 if access is granted, otherwise an appropriate value for
2527 * errno should be returned.
2528 */
2d21ac55
A		 2529typedef int mpo_posixsem_check_unlink_t(
2530 kauth_cred_t cred,
2531 struct pseminfo *ps,
2532 struct label *semlabel,
2533 const char *name
0a7de745 2534 );
2d21ac55 2535/**
0a7de745
A		 2536 * @brief Access control check for POSIX semaphore wait
2537 * @param cred Subject credential
2538 * @param ps Pointer to semaphore information structure
2539 * @param semlabel Label associated with the semaphore
2540 *
2541 * Determine whether the subject identified by the credential can lock
2542 * the named POSIX semaphore with label semlabel.
2543 *
2544 * @return Return 0 if access is granted, otherwise an appropriate value for
2545 * errno should be returned.
2546 */
2d21ac55
A		 2547typedef int mpo_posixsem_check_wait_t(
2548 kauth_cred_t cred,
2549 struct pseminfo *ps,
2550 struct label *semlabel
0a7de745 2551 );
2d21ac55 2552/**
0a7de745
A		 2553 * @brief Create a POSIX semaphore label
2554 * @param cred Subject credential
2555 * @param ps Pointer to semaphore information structure
2556 * @param semlabel Label to associate with the new semaphore
2557 * @param name String name of the semaphore
2558 *
2559 * Label a new POSIX semaphore. The label was previously
2560 * initialized and associated with the semaphore. At this time, an
2561 * appropriate initial label value should be assigned to the object and
2562 * stored in semalabel.
2563 */
2d21ac55
A		 2564typedef void mpo_posixsem_label_associate_t(
2565 kauth_cred_t cred,
2566 struct pseminfo *ps,
2567 struct label *semlabel,
2568 const char *name
0a7de745 2569 );
2d21ac55 2570/**
0a7de745
A		 2571 * @brief Destroy POSIX semaphore label
2572 * @param label The label to be destroyed
2573 *
2574 * Destroy a POSIX semaphore label. Since the object is
2575 * going out of scope, policy modules should free any internal storage
2576 * associated with the label so that it may be destroyed.
2577 */
2d21ac55
A		 2578typedef void mpo_posixsem_label_destroy_t(
2579 struct label *label
0a7de745 2580 );
2d21ac55 2581/**
0a7de745
A		 2582 * @brief Initialize POSIX semaphore label
2583 * @param label New label to initialize
2584 *
2585 * Initialize the label for a newly instantiated POSIX semaphore. Sleeping
2586 * is permitted.
2587 */
2d21ac55
A		 2588typedef void mpo_posixsem_label_init_t(
2589 struct label *label
0a7de745 2590 );
2d21ac55 2591/**
0a7de745
A		 2592 * @brief Access control check for POSIX shared memory region create
2593 * @param cred Subject credential
2594 * @param name String name of the shared memory region
2595 *
2596 * Determine whether the subject identified by the credential can create
2597 * the POSIX shared memory region referenced by name.
2598 *
2599 * @return Return 0 if access is granted, otherwise an appropriate value for
2600 * errno should be returned.
2601 */
2d21ac55
A		 2602typedef int mpo_posixshm_check_create_t(
2603 kauth_cred_t cred,
2604 const char *name
0a7de745
A		 2605 );
2606/**
2607 * @brief Access control check for mapping POSIX shared memory
2608 * @param cred Subject credential
2609 * @param ps Pointer to shared memory information structure
2610 * @param shmlabel Label associated with the shared memory region
2611 * @param prot mmap protections; see mmap(2)
2612 * @param flags shmat flags; see shmat(2)
2613 *
2614 * Determine whether the subject identified by the credential can map
2615 * the POSIX shared memory segment associated with shmlabel.
2616 *
2617 * @return Return 0 if access is granted, otherwise an appropriate value for
2618 * errno should be returned.
2619 */
2d21ac55
A		 2620typedef int mpo_posixshm_check_mmap_t(
2621 kauth_cred_t cred,
2622 struct pshminfo *ps,
2623 struct label *shmlabel,
2624 int prot,
2625 int flags
0a7de745 2626 );
2d21ac55 2627/**
0a7de745
A		 2628 * @brief Access control check for POSIX shared memory region open
2629 * @param cred Subject credential
2630 * @param ps Pointer to shared memory information structure
2631 * @param shmlabel Label associated with the shared memory region
2632 * @param fflags shm_open(2) open flags ('fflags' encoded)
2633 *
2634 * Determine whether the subject identified by the credential can open
2635 * the POSIX shared memory region.
2636 *
2637 * @return Return 0 if access is granted, otherwise an appropriate value for
2638 * errno should be returned.
2639 */
2d21ac55
A		 2640typedef int mpo_posixshm_check_open_t(
2641 kauth_cred_t cred,
2642 struct pshminfo *ps,
316670eb
A		 2643 struct label *shmlabel,
2644 int fflags
0a7de745 2645 );
2d21ac55 2646/**
0a7de745
A		 2647 * @brief Access control check for POSIX shared memory stat
2648 * @param cred Subject credential
2649 * @param ps Pointer to shared memory information structure
2650 * @param shmlabel Label associated with the shared memory region
2651 *
2652 * Determine whether the subject identified by the credential can obtain
2653 * status for the POSIX shared memory segment associated with shmlabel.
2654 *
2655 * @return Return 0 if access is granted, otherwise an appropriate value for
2656 * errno should be returned.
2657 */
2d21ac55
A		 2658typedef int mpo_posixshm_check_stat_t(
2659 kauth_cred_t cred,
2660 struct pshminfo *ps,
2661 struct label *shmlabel
0a7de745 2662 );
2d21ac55 2663/**
0a7de745
A		 2664 * @brief Access control check for POSIX shared memory truncate
2665 * @param cred Subject credential
2666 * @param ps Pointer to shared memory information structure
2667 * @param shmlabel Label associated with the shared memory region
2668 * @param len Length to truncate or extend shared memory segment
2669 *
2670 * Determine whether the subject identified by the credential can truncate
2671 * or extend (to len) the POSIX shared memory segment associated with shmlabel.
2672 *
2673 * @return Return 0 if access is granted, otherwise an appropriate value for
2674 * errno should be returned.
2675 */
2d21ac55
A		 2676typedef int mpo_posixshm_check_truncate_t(
2677 kauth_cred_t cred,
2678 struct pshminfo *ps,
2679 struct label *shmlabel,
6d2010ae 2680 off_t len
0a7de745 2681 );
2d21ac55 2682/**
0a7de745
A		 2683 * @brief Access control check for POSIX shared memory unlink
2684 * @param cred Subject credential
2685 * @param ps Pointer to shared memory information structure
2686 * @param shmlabel Label associated with the shared memory region
2687 * @param name String name of the shared memory region
2688 *
2689 * Determine whether the subject identified by the credential can delete
2690 * the POSIX shared memory segment associated with shmlabel.
2691 *
2692 * @return Return 0 if access is granted, otherwise an appropriate value for
2693 * errno should be returned.
2694 */
2d21ac55
A		 2695typedef int mpo_posixshm_check_unlink_t(
2696 kauth_cred_t cred,
2697 struct pshminfo *ps,
2698 struct label *shmlabel,
2699 const char *name
0a7de745 2700 );
2d21ac55 2701/**
0a7de745
A		 2702 * @brief Create a POSIX shared memory region label
2703 * @param cred Subject credential
2704 * @param ps Pointer to shared memory information structure
2705 * @param shmlabel Label to associate with the new shared memory region
2706 * @param name String name of the shared memory region
2707 *
2708 * Label a new POSIX shared memory region. The label was previously
2709 * initialized and associated with the shared memory region. At this
2710 * time, an appropriate initial label value should be assigned to the
2711 * object and stored in shmlabel.
2712 */
2d21ac55
A		 2713typedef void mpo_posixshm_label_associate_t(
2714 kauth_cred_t cred,
2715 struct pshminfo *ps,
2716 struct label *shmlabel,
2717 const char *name
0a7de745 2718 );
2d21ac55 2719/**
0a7de745
A		 2720 * @brief Destroy POSIX shared memory label
2721 * @param label The label to be destroyed
2722 *
2723 * Destroy a POSIX shared memory region label. Since the
2724 * object is going out of scope, policy modules should free any
2725 * internal storage associated with the label so that it may be
2726 * destroyed.
2727 */
2d21ac55
A		 2728typedef void mpo_posixshm_label_destroy_t(
2729 struct label *label
0a7de745 2730 );
2d21ac55 2731/**
0a7de745
A		 2732 * @brief Initialize POSIX Shared Memory region label
2733 * @param label New label to initialize
2734 *
2735 * Initialize the label for newly a instantiated POSIX Shared Memory
2736 * region. Sleeping is permitted.
2737 */
2d21ac55
A		 2738typedef void mpo_posixshm_label_init_t(
2739 struct label *label
0a7de745 2740 );
6d2010ae 2741/**
0a7de745
A		 2742 * @brief Access control check for privileged operations
2743 * @param cred Subject credential
2744 * @param priv Requested privilege (see sys/priv.h)
2745 *
2746 * Determine whether the subject identified by the credential can perform
2747 * a privileged operation. Privileged operations are allowed if the cred
2748 * is the superuser or any policy returns zero for mpo_priv_grant, unless
2749 * any policy returns nonzero for mpo_priv_check.
2750 *
2751 * @return Return 0 if access is granted, otherwise EPERM should be returned.
2752 */
6d2010ae
A		 2753typedef int mpo_priv_check_t(
2754 kauth_cred_t cred,
2755 int priv
0a7de745 2756 );
6d2010ae 2757/**
0a7de745
A		 2758 * @brief Grant regular users the ability to perform privileged operations
2759 * @param cred Subject credential
2760 * @param priv Requested privilege (see sys/priv.h)
2761 *
2762 * Determine whether the subject identified by the credential should be
2763 * allowed to perform a privileged operation that in the absense of any
2764 * MAC policy it would not be able to perform. Privileged operations are
2765 * allowed if the cred is the superuser or any policy returns zero for
2766 * mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check.
2767 *
2768 * Unlike other MAC hooks which can only reduce the privilege of a
2769 * credential, this hook raises the privilege of a credential when it
2770 * returns 0. Extreme care must be taken when implementing this hook to
2771 * avoid undermining the security of the system.
2772 *
2773 * @return Return 0 if additional privilege is granted, otherwise EPERM
2774 * should be returned.
2775 */
6d2010ae
A		 2776typedef int mpo_priv_grant_t(
2777 kauth_cred_t cred,
2778 int priv
0a7de745 2779 );
c6bf4f31
A		 2780/**
2781 * @brief Access control over process core dumps
2782 * @param proc Subject process
2783 *
2784 * Determine whether a core dump may be written to disk for the subject
2785 * identified.
2786 *
2787 * @return Return 0 if access is granted, otherwise an appropriate value for
2788 * errno should be returned.
2789 */
2790typedef int mpo_proc_check_dump_core_t(
2791 struct proc *proc
2792 );
2d21ac55 2793/**
0a7de745
A		 2794 * @brief Access control check for debugging process
2795 * @param cred Subject credential
2796 * @param proc Object process
2797 *
2798 * Determine whether the subject identified by the credential can debug
2799 * the passed process. This call may be made in a number of situations,
2800 * including use of the ptrace(2) and ktrace(2) APIs, as well as for some
2801 * types of procfs operations.
2802 *
2803 * @return Return 0 if access is granted, otherwise an appropriate value for
2804 * errno should be returned. Suggested failure: EACCES for label mismatch,
2805 * EPERM for lack of privilege, or ESRCH to hide visibility of the target.
2806 */
2d21ac55
A		 2807typedef int mpo_proc_check_debug_t(
2808 kauth_cred_t cred,
2809 struct proc *proc
0a7de745 2810 );
2d21ac55 2811/**
0a7de745
A		 2812 * @brief Access control over fork
2813 * @param cred Subject credential
2814 * @param proc Subject process trying to fork
2815 *
2816 * Determine whether the subject identified is allowed to fork.
2817 *
2818 * @return Return 0 if access is granted, otherwise an appropriate value for
2819 * errno should be returned.
2820 */
2d21ac55
A		 2821typedef int mpo_proc_check_fork_t(
2822 kauth_cred_t cred,
2823 struct proc *proc
0a7de745 2824 );
3e170ce0 2825/**
0a7de745
A		 2826 * @brief Access control check for setting host special ports.
2827 * @param cred Subject credential
2828 * @param id The host special port to set
2829 * @param port The new value to set for the special port
2830 *
2831 * @return Return 0 if access is granted, otherwise an appropriate value for
2832 * errno should be returned.
2833 */
3e170ce0
A		 2834typedef int mpo_proc_check_set_host_special_port_t(
2835 kauth_cred_t cred,
2836 int id,
0a7de745
A		 2837 struct ipc_port *port
2838 );
3e170ce0 2839/**
0a7de745
A		 2840 * @brief Access control check for setting host exception ports.
2841 * @param cred Subject credential
2842 * @param exception Exception port to set
2843 *
2844 * @return Return 0 if access is granted, otherwise an appropriate value for
2845 * errno should be returned.
2846 */
3e170ce0
A		 2847typedef int mpo_proc_check_set_host_exception_port_t(
2848 kauth_cred_t cred,
2849 unsigned int exception
0a7de745 2850 );
d1ecb069 2851/**
0a7de745
A		 2852 * @brief Access control over pid_suspend and pid_resume
2853 * @param cred Subject credential
2854 * @param proc Subject process trying to run pid_suspend or pid_resume
2855 * @param sr Call is suspend (0) or resume (1)
2856 *
2857 * Determine whether the subject identified is allowed to suspend or resume
2858 * other processes.
2859 *
2860 * @return Return 0 if access is granted, otherwise an appropriate value for
2861 * errno should be returned.
2862 */
d1ecb069
A		 2863typedef int mpo_proc_check_suspend_resume_t(
2864 kauth_cred_t cred,
2865 struct proc *proc,
2866 int sr
0a7de745 2867 );
2d21ac55 2868/**
0a7de745
A		 2869 * @brief Access control check for retrieving audit information
2870 * @param cred Subject credential
2871 *
2872 * Determine whether the subject identified by the credential can get
2873 * audit information such as the audit user ID, the preselection mask,
2874 * the terminal ID and the audit session ID, using the getaudit() system call.
2875 *
2876 * @return Return 0 if access is granted, otherwise an appropriate value for
2877 * errno should be returned.
2878 */
2d21ac55
A		 2879typedef int mpo_proc_check_getaudit_t(
2880 kauth_cred_t cred
0a7de745 2881 );
2d21ac55 2882/**
0a7de745
A		 2883 * @brief Access control check for retrieving audit user ID
2884 * @param cred Subject credential
2885 *
2886 * Determine whether the subject identified by the credential can get
2887 * the user identity being used by the auditing system, using the getauid()
2888 * system call.
2889 *
2890 * @return Return 0 if access is granted, otherwise an appropriate value for
2891 * errno should be returned.
2892 */
2d21ac55
A		 2893typedef int mpo_proc_check_getauid_t(
2894 kauth_cred_t cred
0a7de745 2895 );
2d21ac55 2896/**
0a7de745
A		 2897 * @brief Access control check for retrieving Login Context ID
2898 * @param p0 Calling process
2899 * @param p Effected process
2900 * @param pid syscall PID argument
2901 *
2902 * Determine if getlcid(2) system call is permitted.
2903 *
2904 * Information returned by this system call is similar to that returned via
2905 * process listings etc.
2906 *
2907 * @return Return 0 if access is granted, otherwise an appropriate value for
2908 * errno should be returned.
2909 */
2d21ac55
A		 2910typedef int mpo_proc_check_getlcid_t(
2911 struct proc *p0,
2912 struct proc *p,
2913 pid_t pid
0a7de745 2914 );
316670eb 2915/**
0a7de745
A		 2916 * @brief Access control check for retrieving ledger information
2917 * @param cred Subject credential
2918 * @param target Object process
2919 * @param op ledger operation
2920 *
2921 * Determine if ledger(2) system call is permitted.
2922 *
2923 * Information returned by this system call is similar to that returned via
2924 * process listings etc.
2925 *
2926 * @return Return 0 if access is granted, otherwise an appropriate value for
2927 * errno should be returned.
2928 */
316670eb
A		 2929typedef int mpo_proc_check_ledger_t(
2930 kauth_cred_t cred,
2931 struct proc *target,
2932 int op
0a7de745 2933 );
39236c6e 2934/**
0a7de745
A		 2935 * @brief Access control check for retrieving process information.
2936 * @param cred Subject credential
2937 * @param target Target process (may be null, may be zombie)
2938 *
2939 * Determine if a credential has permission to access process information as defined
2940 * by call number and flavor on target process
2941 *
2942 * @return Return 0 if access is granted, otherwise an appropriate value for
2943 * errno should be returned.
2944 */
39236c6e
A		 2945typedef int mpo_proc_check_proc_info_t(
2946 kauth_cred_t cred,
2947 struct proc *target,
2948 int callnum,
2949 int flavor
0a7de745 2950 );
7e41aa88 2951/**
0a7de745
A		 2952 * @brief Access control check for retrieving code signing information.
2953 * @param cred Subject credential
2954 * @param target Target process
2955 * @param op Code signing operation being performed
2956 *
2957 * Determine whether the subject identified by the credential should be
2958 * allowed to get code signing information about the target process.
2959 *
2960 * @return Return 0 if access is granted, otherwise an appropriate value for
2961 * errno should be returned.
2962 */
7e41aa88
A		 2963typedef int mpo_proc_check_get_cs_info_t(
2964 kauth_cred_t cred,
2965 struct proc *target,
2966 unsigned int op
0a7de745 2967 );
7e41aa88 2968/**
0a7de745
A		 2969 * @brief Access control check for setting code signing information.
2970 * @param cred Subject credential
2971 * @param target Target process
2972 * @param op Code signing operation being performed.
2973 *
2974 * Determine whether the subject identified by the credential should be
2975 * allowed to set code signing information about the target process.
2976 *
2977 * @return Return 0 if permission is granted, otherwise an appropriate
2978 * value of errno should be returned.
2979 */
7e41aa88
A		 2980typedef int mpo_proc_check_set_cs_info_t(
2981 kauth_cred_t cred,
2982 struct proc *target,
2983 unsigned int op
0a7de745
A		 2984 );
2985/**
2986 * @brief Access control check for mmap MAP_ANON
2987 * @param proc User process requesting the memory
2988 * @param cred Subject credential
2989 * @param u_addr Start address of the memory range
2990 * @param u_size Length address of the memory range
2991 * @param prot mmap protections; see mmap(2)
2992 * @param flags Type of mapped object; see mmap(2)
2993 * @param maxprot Maximum rights
2994 *
2995 * Determine whether the subject identified by the credential should be
2996 * allowed to obtain anonymous memory using the specified flags and
2997 * protections on the new mapping. MAP_ANON will always be present in the
2998 * flags. Certain combinations of flags with a non-NULL addr may
2999 * cause a mapping to be rejected before this hook is called. The maxprot field
3000 * holds the maximum permissions on the new mapping, a combination of
3001 * VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior
3002 * access control checks, a policy should only remove flags from maxprot.
3003 *
3004 * @return Return 0 if access is granted, otherwise an appropriate value for
3005 * errno should be returned. Suggested failure: EPERM for lack of privilege.
3006 */
6d2010ae
A		 3007typedef int mpo_proc_check_map_anon_t(
3008 struct proc *proc,
3009 kauth_cred_t cred,
3010 user_addr_t u_addr,
3011 user_size_t u_size,
3012 int prot,
3013 int flags,
3014 int *maxprot
0a7de745
A		 3015 );
3016/**
3017 * @brief Access control check for setting memory protections
3018 * @param cred Subject credential
3019 * @param proc User process requesting the change
3020 * @param addr Start address of the memory range
3021 * @param size Length address of the memory range
3022 * @param prot Memory protections, see mmap(2)
3023 *
3024 * Determine whether the subject identified by the credential should
3025 * be allowed to set the specified memory protections on memory mapped
3026 * in the process proc.
3027 *
3028 * @return Return 0 if access is granted, otherwise an appropriate value for
3029 * errno should be returned.
3030 */
2d21ac55
A		 3031typedef int mpo_proc_check_mprotect_t(
3032 kauth_cred_t cred,
3033 struct proc *proc,
3034 user_addr_t addr,
3035 user_size_t size,
3036 int prot
0a7de745 3037 );
2d21ac55 3038/**
0a7de745
A		 3039 * @brief Access control check for changing scheduling parameters
3040 * @param cred Subject credential
3041 * @param proc Object process
3042 *
3043 * Determine whether the subject identified by the credential can change
3044 * the scheduling parameters of the passed process.
3045 *
3046 * @return Return 0 if access is granted, otherwise an appropriate value for
3047 * errno should be returned. Suggested failure: EACCES for label mismatch,
3048 * EPERM for lack of privilege, or ESRCH to limit visibility.
3049 */
2d21ac55
A		 3050typedef int mpo_proc_check_sched_t(
3051 kauth_cred_t cred,
3052 struct proc *proc
0a7de745 3053 );
2d21ac55 3054/**
0a7de745
A		 3055 * @brief Access control check for setting audit information
3056 * @param cred Subject credential
3057 * @param ai Audit information
3058 *
3059 * Determine whether the subject identified by the credential can set
3060 * audit information such as the the preselection mask, the terminal ID
3061 * and the audit session ID, using the setaudit() system call.
3062 *
3063 * @return Return 0 if access is granted, otherwise an appropriate value for
3064 * errno should be returned.
3065 */
2d21ac55
A		 3066typedef int mpo_proc_check_setaudit_t(
3067 kauth_cred_t cred,
b0d623f7 3068 struct auditinfo_addr *ai
0a7de745 3069 );
2d21ac55 3070/**
0a7de745
A		 3071 * @brief Access control check for setting audit user ID
3072 * @param cred Subject credential
3073 * @param auid Audit user ID
3074 *
3075 * Determine whether the subject identified by the credential can set
3076 * the user identity used by the auditing system, using the setauid()
3077 * system call.
3078 *
3079 * @return Return 0 if access is granted, otherwise an appropriate value for
3080 * errno should be returned.
3081 */
2d21ac55
A		 3082typedef int mpo_proc_check_setauid_t(
3083 kauth_cred_t cred,
3084 uid_t auid
0a7de745 3085 );
2d21ac55 3086/**
0a7de745
A		 3087 * @brief Access control check for setting the Login Context
3088 * @param p0 Calling process
3089 * @param p Effected process
3090 * @param pid syscall PID argument
3091 * @param lcid syscall LCID argument
3092 *
3093 * Determine if setlcid(2) system call is permitted.
3094 *
3095 * See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of
3096 * decoding syscall arguments to determine action desired by caller.
3097 *
3098 * Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN
3099 *
3100 * @return Return 0 if access is granted, otherwise an appropriate value for
3101 * errno should be returned.
3102 */
2d21ac55
A		 3103typedef int mpo_proc_check_setlcid_t(
3104 struct proc *p0,
3105 struct proc *p,
3106 pid_t pid,
3107 pid_t lcid
0a7de745 3108 );
2d21ac55 3109/**
0a7de745
A		 3110 * @brief Access control check for delivering signal
3111 * @param cred Subject credential
3112 * @param proc Object process
3113 * @param signum Signal number; see kill(2)
3114 *
3115 * Determine whether the subject identified by the credential can deliver
3116 * the passed signal to the passed process.
3117 *
3118 * @warning Programs typically expect to be able to send and receive
3119 * signals as part or their normal process lifecycle; caution should be
3120 * exercised when implementing access controls over signal events.
3121 *
3122 * @return Return 0 if access is granted, otherwise an appropriate value for
3123 * errno should be returned. Suggested failure: EACCES for label mismatch,
3124 * EPERM for lack of privilege, or ESRCH to limit visibility.
3125 */
2d21ac55
A		 3126typedef int mpo_proc_check_signal_t(
3127 kauth_cred_t cred,
3128 struct proc *proc,
3129 int signum
0a7de745 3130 );
cb323159
A		 3131/**
3132 * @brief Access control check for Unix syscalls.
3133 * @param proc Subject process
3134 * @param scnum Syscall number; see bsd/kern/syscalls.master.
3135 *
3136 * Determine whether the subject process can perform the passed syscall (number).
3137 *
3138 * @warning Programs typically expect to be able to make syscalls as part of
3139 * their normal process lifecycle; caution should be exercised when restricting
3140 * which syscalls a process can perform.
3141 *
3142 * @return Return 0 if access is granted, otherwise an appropriate value for
3143 * errno should be returned. Suggested failure: EPERM for lack of privilege.
3144 */
3145typedef int mpo_proc_check_syscall_unix_t(
3146 struct proc *proc,
3147 int scnum
3148 );
2d21ac55 3149/**
0a7de745
A		 3150 * @brief Access control check for wait
3151 * @param cred Subject credential
3152 * @param proc Object process
3153 *
3154 * Determine whether the subject identified by the credential can wait
3155 * for process termination.
3156 *
3157 * @warning Caution should be exercised when implementing access
3158 * controls for wait, since programs often wait for child processes to
3159 * exit. Failure to be notified of a child process terminating may
3160 * cause the parent process to hang, or may produce zombie processes.
3161 *
3162 * @return Return 0 if access is granted, otherwise an appropriate value for
3163 * errno should be returned.
3164 */
2d21ac55
A		 3165typedef int mpo_proc_check_wait_t(
3166 kauth_cred_t cred,
3167 struct proc *proc
0a7de745 3168 );
5ba3f43e 3169/**
0a7de745
A		 3170 * @brief Inform MAC policies that a process has exited.
3171 * @param proc Object process
3172 *
3173 * Called after all of the process's threads have terminated and
3174 * it has been removed from the process list. KPI that identifies
3175 * the process by pid will fail to find the process; KPI that
3176 * identifies the process by the object process pointer functions
3177 * normally. proc_exiting() returns true for the object process.
3178 */
5ba3f43e
A		 3179typedef void mpo_proc_notify_exit_t(
3180 struct proc *proc
0a7de745 3181 );
0a7de745
A		 3182/**
3183 * @brief Access control check for skywalk flow connect
3184 * @param cred Subject credential
3185 * @param flow Flow object
3186 * @param addr Remote address for flow to send data to
3187 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM)
3188 * @param protocol Network protocol (e.g. IPPROTO_TCP)
3189 *
3190 * Determine whether the subject identified by the credential can
3191 * create a flow for sending data to the remote host specified by
3192 * addr.
3193 *
3194 * @return Return 0 if access if granted, otherwise an appropriate
3195 * value for errno should be returned.
3196 */
5ba3f43e
A		 3197typedef int mpo_skywalk_flow_check_connect_t(
3198 kauth_cred_t cred,
3199 void *flow,
3200 const struct sockaddr *addr,
3201 int type,
3202 int protocol
0a7de745
A		 3203 );
3204/**
3205 * @brief Access control check for skywalk flow listen
3206 * @param cred Subject credential
3207 * @param flow Flow object
3208 * @param addr Local address for flow to listen on
3209 * @param type Flow type (e.g. SOCK_STREAM or SOCK_DGRAM)
3210 * @param protocol Network protocol (e.g. IPPROTO_TCP)
3211 *
3212 * Determine whether the subject identified by the credential can
3213 * create a flow for receiving data on the local address specified
3214 * by addr.
3215 *
3216 * @return Return 0 if access if granted, otherwise an appropriate
3217 * value for errno should be returned.
3218 */
5ba3f43e
A		 3219typedef int mpo_skywalk_flow_check_listen_t(
3220 kauth_cred_t cred,
3221 void *flow,
3222 const struct sockaddr *addr,
3223 int type,
3224 int protocol
0a7de745 3225 );
2d21ac55 3226/**
0a7de745
A		 3227 * @brief Access control check for socket accept
3228 * @param cred Subject credential
3229 * @param so Object socket
3230 * @param socklabel Policy label for socket
3231 *
3232 * Determine whether the subject identified by the credential can accept()
3233 * a new connection on the socket from the host specified by addr.
3234 *
3235 * @return Return 0 if access if granted, otherwise an appropriate
3236 * value for errno should be returned.
3237 */
2d21ac55
A		 3238typedef int mpo_socket_check_accept_t(
3239 kauth_cred_t cred,
3240 socket_t so,
3241 struct label *socklabel
0a7de745 3242 );
2d21ac55 3243/**
0a7de745
A		 3244 * @brief Access control check for a pending socket accept
3245 * @param cred Subject credential
3246 * @param so Object socket
3247 * @param socklabel Policy label for socket
3248 * @param addr Address of the listening socket (coming soon)
3249 *
3250 * Determine whether the subject identified by the credential can accept()
3251 * a pending connection on the socket from the host specified by addr.
3252 *
3253 * @return Return 0 if access if granted, otherwise an appropriate
3254 * value for errno should be returned.
3255 */
2d21ac55
A		 3256typedef int mpo_socket_check_accepted_t(
3257 kauth_cred_t cred,
3258 socket_t so,
3259 struct label *socklabel,
3260 struct sockaddr *addr
0a7de745 3261 );
2d21ac55 3262/**
0a7de745
A		 3263 * @brief Access control check for socket bind
3264 * @param cred Subject credential
3265 * @param so Object socket
3266 * @param socklabel Policy label for socket
3267 * @param addr Name to assign to the socket
3268 *
3269 * Determine whether the subject identified by the credential can bind()
3270 * the name (addr) to the socket.
3271 *
3272 * @return Return 0 if access if granted, otherwise an appropriate
3273 * value for errno should be returned.
3274 */
2d21ac55
A		 3275typedef int mpo_socket_check_bind_t(
3276 kauth_cred_t cred,
3277 socket_t so,
3278 struct label *socklabel,
3279 struct sockaddr *addr
0a7de745 3280 );
2d21ac55 3281/**
0a7de745
A		 3282 * @brief Access control check for socket connect
3283 * @param cred Subject credential
3284 * @param so Object socket
3285 * @param socklabel Policy label for socket
3286 * @param addr Name to assign to the socket
3287 *
3288 * Determine whether the subject identified by the credential can
3289 * connect() the passed socket to the remote host specified by addr.
3290 *
3291 * @return Return 0 if access if granted, otherwise an appropriate
3292 * value for errno should be returned.
3293 */
2d21ac55
A		 3294typedef int mpo_socket_check_connect_t(
3295 kauth_cred_t cred,
3296 socket_t so,
3297 struct label *socklabel,
3298 struct sockaddr *addr
0a7de745 3299 );
2d21ac55 3300/**
0a7de745
A		 3301 * @brief Access control check for socket() system call.
3302 * @param cred Subject credential
3303 * @param domain communication domain
3304 * @param type socket type
3305 * @param protocol socket protocol
3306 *
3307 * Determine whether the subject identified by the credential can
3308 * make the socket() call.
3309 *
3310 * @return Return 0 if access if granted, otherwise an appropriate
3311 * value for errno should be returned.
3312 */
2d21ac55
A		 3313typedef int mpo_socket_check_create_t(
3314 kauth_cred_t cred,
3315 int domain,
3316 int type,
3317 int protocol
0a7de745 3318 );
2d21ac55 3319/**
0a7de745
A		 3320 * @brief Access control check for delivering data to a user's receieve queue
3321 * @param so The socket data is being delivered to
3322 * @param so_label The label of so
3323 * @param m The mbuf whose data will be deposited into the receive queue
3324 * @param m_label The label of the sender of the data.
3325 *
3326 * A socket has a queue for receiving incoming data. When a packet arrives
3327 * on the wire, it eventually gets deposited into this queue, which the
3328 * owner of the socket drains when they read from the socket's file descriptor.
3329 *
3330 * This function determines whether the socket can receive data from
3331 * the sender specified by m_label.
3332 *
3333 * @warning There is an outstanding design issue surrounding the placement
3334 * of this function. The check must be placed either before or after the
3335 * TCP sequence and ACK counters are updated. Placing the check before
3336 * the counters are updated causes the incoming packet to be resent by
3337 * the remote if the check rejects it. Placing the check after the counters
3338 * are updated results in a completely silent drop. As far as each TCP stack
3339 * is concerned the packet was received, however, the data will not be in the
3340 * socket's receive queue. Another consideration is that the current design
3341 * requires using the "failed label" occasionally. In that case, on rejection,
3342 * we want the remote TCP to resend the data. Because of this, we chose to
3343 * place this check before the counters are updated, so rejected packets will be
3344 * resent by the remote host.
3345 *
3346 * If a policy keeps rejecting the same packet, eventually the connection will
3347 * be dropped. Policies have several options if this design causes problems.
3348 * For example, one options is to sanitize the mbuf such that it is acceptable,
3349 * then accept it. That may require negotiation between policies as the
3350 * Framework will not know to re-check the packet.
3351 *
3352 * The policy must handle NULL MBUF labels. This will likely be the case
3353 * for non-local TCP sockets for example.
3354 *
3355 * @return Return 0 if access if granted, otherwise an appropriate
3356 * value for errno should be returned.
3357 */
2d21ac55
A		 3358typedef int mpo_socket_check_deliver_t(
3359 socket_t so,
3360 struct label *so_label,
3361 struct mbuf *m,
3362 struct label *m_label
0a7de745 3363 );
5ba3f43e 3364/**
0a7de745
A		 3365 * @brief Access control check for socket ioctl.
3366 * @param cred Subject credential
3367 * @param so Object socket
3368 * @param cmd The ioctl command; see ioctl(2)
3369 * @param socklabel Policy label for socket
3370 *
3371 * Determine whether the subject identified by the credential can perform
3372 * the ioctl operation indicated by cmd on the given socket.
3373 *
3374 * @warning Since ioctl data is opaque from the standpoint of the MAC
3375 * framework, and since ioctls can affect many aspects of system
3376 * operation, policies must exercise extreme care when implementing
3377 * access control checks.
3378 *
3379 * @return Return 0 if access is granted, otherwise an appropriate value for
3380 * errno should be returned.
3381 */
5ba3f43e
A		 3382typedef int mpo_socket_check_ioctl_t(
3383 kauth_cred_t cred,
3384 socket_t so,
3385 unsigned int cmd,
3386 struct label *socklabel
0a7de745 3387 );
2d21ac55 3388/**
0a7de745
A		 3389 * @brief Access control check for socket kqfilter
3390 * @param cred Subject credential
3391 * @param kn Object knote
3392 * @param so Object socket
3393 * @param socklabel Policy label for socket
3394 *
3395 * Determine whether the subject identified by the credential can
3396 * receive the knote on the passed socket.
3397 *
3398 * @return Return 0 if access if granted, otherwise an appropriate
3399 * value for errno should be returned.
3400 */
2d21ac55
A		 3401typedef int mpo_socket_check_kqfilter_t(
3402 kauth_cred_t cred,
3403 struct knote *kn,
3404 socket_t so,
3405 struct label *socklabel
0a7de745 3406 );
2d21ac55 3407/**
0a7de745
A		 3408 * @brief Access control check for socket relabel
3409 * @param cred Subject credential
3410 * @param so Object socket
3411 * @param so_label The current label of so
3412 * @param newlabel The label to be assigned to so
3413 *
3414 * Determine whether the subject identified by the credential can
3415 * change the label on the socket.
3416 *
3417 * @return Return 0 if access if granted, otherwise an appropriate
3418 * value for errno should be returned.
3419 */
2d21ac55
A		 3420typedef int mpo_socket_check_label_update_t(
3421 kauth_cred_t cred,
3422 socket_t so,
3423 struct label *so_label,
3424 struct label *newlabel
0a7de745 3425 );
2d21ac55 3426/**
0a7de745
A		 3427 * @brief Access control check for socket listen
3428 * @param cred Subject credential
3429 * @param so Object socket
3430 * @param socklabel Policy label for socket
3431 *
3432 * Determine whether the subject identified by the credential can
3433 * listen() on the passed socket.
3434 *
3435 * @return Return 0 if access if granted, otherwise an appropriate
3436 * value for errno should be returned.
3437 */
2d21ac55
A		 3438typedef int mpo_socket_check_listen_t(
3439 kauth_cred_t cred,
3440 socket_t so,
3441 struct label *socklabel
0a7de745 3442 );
2d21ac55 3443/**
0a7de745
A		 3444 * @brief Access control check for socket receive
3445 * @param cred Subject credential
3446 * @param so Object socket
3447 * @param socklabel Policy label for socket
3448 *
3449 * Determine whether the subject identified by the credential can
3450 * receive data from the socket.
3451 *
3452 * @return Return 0 if access if granted, otherwise an appropriate
3453 * value for errno should be returned.
3454 */
2d21ac55
A		 3455typedef int mpo_socket_check_receive_t(
3456 kauth_cred_t cred,
3457 socket_t so,
3458 struct label *socklabel
0a7de745 3459 );
2d21ac55 3460
0a7de745
A		 3461/**
3462 * @brief Access control check for socket receive
3463 * @param cred Subject credential
3464 * @param sock Object socket
3465 * @param socklabel Policy label for socket
3466 * @param saddr Name of the remote socket
3467 *
3468 * Determine whether the subject identified by the credential can
3469 * receive data from the remote host specified by addr.
3470 *
3471 * @return Return 0 if access if granted, otherwise an appropriate
3472 * value for errno should be returned.
3473 */
2d21ac55 3474typedef int mpo_socket_check_received_t(
0a7de745
A		 3475 kauth_cred_t cred,
3476 struct socket *sock,
3477 struct label *socklabel,
3478 struct sockaddr *saddr
3479 );
2d21ac55
A		 3480
3481
3482/**
0a7de745
A		 3483 * @brief Access control check for socket select
3484 * @param cred Subject credential
3485 * @param so Object socket
3486 * @param socklabel Policy label for socket
3487 * @param which The operation selected on: FREAD or FWRITE
3488 *
3489 * Determine whether the subject identified by the credential can use the
3490 * socket in a call to select().
3491 *
3492 * @return Return 0 if access if granted, otherwise an appropriate
3493 * value for errno should be returned.
3494 */
2d21ac55
A		 3495typedef int mpo_socket_check_select_t(
3496 kauth_cred_t cred,
3497 socket_t so,
3498 struct label *socklabel,
3499 int which
0a7de745 3500 );
2d21ac55 3501/**
0a7de745
A		 3502 * @brief Access control check for socket send
3503 * @param cred Subject credential
3504 * @param so Object socket
3505 * @param socklabel Policy label for socket
3506 * @param addr Address being sent to
3507 *
3508 * Determine whether the subject identified by the credential can send
3509 * data to the socket.
3510 *
3511 * @return Return 0 if access if granted, otherwise an appropriate
3512 * value for errno should be returned.
3513 */
2d21ac55
A		 3514typedef int mpo_socket_check_send_t(
3515 kauth_cred_t cred,
3516 socket_t so,
3517 struct label *socklabel,
3518 struct sockaddr *addr
0a7de745 3519 );
2d21ac55 3520/**
0a7de745
A		 3521 * @brief Access control check for retrieving socket status
3522 * @param cred Subject credential
3523 * @param so Object socket
3524 * @param socklabel Policy label for so
3525 *
3526 * Determine whether the subject identified by the credential can
3527 * execute the stat() system call on the given socket.
3528 *
3529 * @return Return 0 if access if granted, otherwise an appropriate
3530 * value for errno should be returned.
3531 */
2d21ac55
A		 3532typedef int mpo_socket_check_stat_t(
3533 kauth_cred_t cred,
3534 socket_t so,
3535 struct label *socklabel
0a7de745 3536 );
2d21ac55 3537/**
0a7de745
A		 3538 * @brief Access control check for setting socket options
3539 * @param cred Subject credential
3540 * @param so Object socket
3541 * @param socklabel Policy label for so
3542 * @param sopt The options being set
3543 *
3544 * Determine whether the subject identified by the credential can
3545 * execute the setsockopt system call on the given socket.
3546 *
3547 * @return Return 0 if access if granted, otherwise an appropriate
3548 * value for errno should be returned.
3549 */
2d21ac55
A		 3550typedef int mpo_socket_check_setsockopt_t(
3551 kauth_cred_t cred,
3552 socket_t so,
3553 struct label *socklabel,
3554 struct sockopt *sopt
0a7de745 3555 );
2d21ac55 3556/**
0a7de745
A		 3557 * @brief Access control check for getting socket options
3558 * @param cred Subject credential
3559 * @param so Object socket
3560 * @param socklabel Policy label for so
3561 * @param sopt The options to get
3562 *
3563 * Determine whether the subject identified by the credential can
3564 * execute the getsockopt system call on the given socket.
3565 *
3566 * @return Return 0 if access if granted, otherwise an appropriate
3567 * value for errno should be returned.
3568 */
2d21ac55
A		 3569typedef int mpo_socket_check_getsockopt_t(
3570 kauth_cred_t cred,
3571 socket_t so,
3572 struct label *socklabel,
3573 struct sockopt *sopt
0a7de745 3574 );
2d21ac55 3575/**
0a7de745
A		 3576 * @brief Label a socket
3577 * @param oldsock Listening socket
3578 * @param oldlabel Policy label associated with oldsock
3579 * @param newsock New socket
3580 * @param newlabel Policy label associated with newsock
3581 *
3582 * A new socket is created when a connection is accept(2)ed. This
3583 * function labels the new socket based on the existing listen(2)ing
3584 * socket.
3585 */
2d21ac55
A		 3586typedef void mpo_socket_label_associate_accept_t(
3587 socket_t oldsock,
3588 struct label *oldlabel,
3589 socket_t newsock,
3590 struct label *newlabel
0a7de745 3591 );
2d21ac55 3592/**
0a7de745
A		 3593 * @brief Assign a label to a new socket
3594 * @param cred Credential of the owning process
3595 * @param so The socket being labeled
3596 * @param solabel The label
3597 * @warning cred can be NULL
3598 *
3599 * Set the label on a newly created socket from the passed subject
3600 * credential. This call is made when a socket is created. The
3601 * credentials may be null if the socket is being created by the
3602 * kernel.
3603 */
2d21ac55
A		 3604typedef void mpo_socket_label_associate_t(
3605 kauth_cred_t cred,
3606 socket_t so,
3607 struct label *solabel
0a7de745 3608 );
2d21ac55 3609/**
0a7de745
A		 3610 * @brief Copy a socket label
3611 * @param src Source label
3612 * @param dest Destination label
3613 *
3614 * Copy the socket label information in src into dest.
3615 */
2d21ac55
A		 3616typedef void mpo_socket_label_copy_t(
3617 struct label *src,
3618 struct label *dest
0a7de745 3619 );
2d21ac55 3620/**
0a7de745
A		 3621 * @brief Destroy socket label
3622 * @param label The label to be destroyed
3623 *
3624 * Destroy a socket label. Since the object is going out of
3625 * scope, policy modules should free any internal storage associated
3626 * with the label so that it may be destroyed.
3627 */
2d21ac55
A		 3628typedef void mpo_socket_label_destroy_t(
3629 struct label *label
0a7de745 3630 );
2d21ac55 3631/**
0a7de745
A		 3632 * @brief Externalize a socket label
3633 * @param label Label to be externalized
3634 * @param element_name Name of the label namespace for which labels should be
3635 * externalized
3636 * @param sb String buffer to be filled with a text representation of label
3637 *
3638 * Produce an externalized socket label based on the label structure passed.
3639 * An externalized label consists of a text representation of the label
3640 * contents that can be used with userland applications and read by the
3641 * user. If element_name does not match a namespace managed by the policy,
3642 * simply return 0. Only return nonzero if an error occurs while externalizing
3643 * the label data.
3644 *
3645 * @return In the event of an error, an appropriate value for errno
3646 * should be returned, otherwise return 0 upon success.
3647 */
2d21ac55
A		 3648typedef int mpo_socket_label_externalize_t(
3649 struct label *label,
3650 char *element_name,
3651 struct sbuf *sb
0a7de745 3652 );
2d21ac55 3653/**
0a7de745
A		 3654 * @brief Initialize socket label
3655 * @param label New label to initialize
3656 * @param waitok Malloc flags
3657 *
3658 * Initialize the label of a newly instantiated socket. The waitok
3659 * field may be one of M_WAITOK and M_NOWAIT, and should be employed to
3660 * avoid performing a sleeping malloc(9) during this initialization
3661 * call. It it not always safe to sleep during this entry point.
3662 *
3663 * @warning Since it is possible for the waitok flags to be set to
3664 * M_NOWAIT, the malloc operation may fail.
3665 *
3666 * @return In the event of an error, an appropriate value for errno
3667 * should be returned, otherwise return 0 upon success.
3668 */
2d21ac55
A		 3669typedef int mpo_socket_label_init_t(
3670 struct label *label,
3671 int waitok
0a7de745 3672 );
2d21ac55 3673/**
0a7de745
A		 3674 * @brief Internalize a socket label
3675 * @param label Label to be filled in
3676 * @param element_name Name of the label namespace for which the label should
3677 * be internalized
3678 * @param element_data Text data to be internalized
3679 *
3680 * Produce an internal socket label structure based on externalized label
3681 * data in text format.
3682 *
3683 * The policy's internalize entry points will be called only if the
3684 * policy has registered interest in the label namespace.
3685 *
3686 * @return In the event of an error, an appropriate value for errno
3687 * should be returned, otherwise return 0 upon success.
3688 */
2d21ac55
A		 3689typedef int mpo_socket_label_internalize_t(
3690 struct label *label,
3691 char *element_name,
3692 char *element_data
0a7de745 3693 );
2d21ac55 3694/**
0a7de745
A		 3695 * @brief Relabel socket
3696 * @param cred Subject credential
3697 * @param so Object; socket
3698 * @param so_label Current label of the socket
3699 * @param newlabel The label to be assigned to so
3700 *
3701 * The subject identified by the credential has previously requested
3702 * and was authorized to relabel the socket; this entry point allows
3703 * policies to perform the actual label update operation.
3704 *
3705 * @warning XXX This entry point will likely change in future versions.
3706 */
2d21ac55
A		 3707typedef void mpo_socket_label_update_t(
3708 kauth_cred_t cred,
3709 socket_t so,
3710 struct label *so_label,
3711 struct label *newlabel
0a7de745 3712 );
2d21ac55 3713/**
0a7de745
A		 3714 * @brief Set the peer label on a socket from mbuf
3715 * @param m Mbuf chain received on socket so
3716 * @param m_label Label for m
3717 * @param so Current label for the socket
3718 * @param so_label Policy label to be filled out for the socket
3719 *
3720 * Set the peer label of a socket based on the label of the sender of the
3721 * mbuf.
3722 *
3723 * This is called for every TCP/IP packet received. The first call for a given
3724 * socket operates on a newly initialized label, and subsequent calls operate
3725 * on existing label data.
3726 *
3727 * @warning Because this can affect performance significantly, it has
3728 * different sematics than other 'set' operations. Typically, 'set' operations
3729 * operate on newly initialzed labels and policies do not need to worry about
3730 * clobbering existing values. In this case, it is too inefficient to
3731 * initialize and destroy a label every time data is received for the socket.
3732 * Instead, it is up to the policies to determine how to replace the label data.
3733 * Most policies should be able to replace the data inline.
3734 */
2d21ac55
A		 3735typedef void mpo_socketpeer_label_associate_mbuf_t(
3736 struct mbuf *m,
3737 struct label *m_label,
3738 socket_t so,
3739 struct label *so_label
0a7de745 3740 );
2d21ac55 3741/**
0a7de745
A		 3742 * @brief Set the peer label on a socket from socket
3743 * @param source Local socket
3744 * @param sourcelabel Policy label for source
3745 * @param target Peer socket
3746 * @param targetlabel Policy label to fill in for target
3747 *
3748 * Set the peer label on a stream UNIX domain socket from the passed
3749 * remote socket endpoint. This call will be made when the socket pair
3750 * is connected, and will be made for both endpoints.
3751 *
3752 * Note that this call is only made on connection; it is currently not updated
3753 * during communication.
3754 */
2d21ac55
A		 3755typedef void mpo_socketpeer_label_associate_socket_t(
3756 socket_t source,
3757 struct label *sourcelabel,
3758 socket_t target,
3759 struct label *targetlabel
0a7de745 3760 );
2d21ac55 3761/**
0a7de745
A		 3762 * @brief Destroy socket peer label
3763 * @param label The peer label to be destroyed
3764 *
3765 * Destroy a socket peer label. Since the object is going out of
3766 * scope, policy modules should free any internal storage associated
3767 * with the label so that it may be destroyed.
3768 */
2d21ac55
A		 3769typedef void mpo_socketpeer_label_destroy_t(
3770 struct label *label
0a7de745 3771 );
2d21ac55 3772/**
0a7de745
A		 3773 * @brief Externalize a socket peer label
3774 * @param label Label to be externalized
3775 * @param element_name Name of the label namespace for which labels should be
3776 * externalized
3777 * @param sb String buffer to be filled with a text representation of label
3778 *
3779 * Produce an externalized socket peer label based on the label structure
3780 * passed. An externalized label consists of a text representation of the
3781 * label contents that can be used with userland applications and read by the
3782 * user. If element_name does not match a namespace managed by the policy,
3783 * simply return 0. Only return nonzero if an error occurs while externalizing
3784 * the label data.
3785 *
3786 * @return In the event of an error, an appropriate value for errno
3787 * should be returned, otherwise return 0 upon success.
3788 */
2d21ac55
A		 3789typedef int mpo_socketpeer_label_externalize_t(
3790 struct label *label,
3791 char *element_name,
3792 struct sbuf *sb
0a7de745 3793 );
2d21ac55 3794/**
0a7de745
A		 3795 * @brief Initialize socket peer label
3796 * @param label New label to initialize
3797 * @param waitok Malloc flags
3798 *
3799 * Initialize the peer label of a newly instantiated socket. The
3800 * waitok field may be one of M_WAITOK and M_NOWAIT, and should be
3801 * employed to avoid performing a sleeping malloc(9) during this
3802 * initialization call. It it not always safe to sleep during this
3803 * entry point.
3804 *
3805 * @warning Since it is possible for the waitok flags to be set to
3806 * M_NOWAIT, the malloc operation may fail.
3807 *
3808 * @return In the event of an error, an appropriate value for errno
3809 * should be returned, otherwise return 0 upon success.
3810 */
2d21ac55
A		 3811typedef int mpo_socketpeer_label_init_t(
3812 struct label *label,
3813 int waitok
0a7de745 3814 );
2d21ac55 3815/**
0a7de745
A		 3816 * @brief Access control check for enabling accounting
3817 * @param cred Subject credential
3818 * @param vp Accounting file
3819 * @param vlabel Label associated with vp
3820 *
3821 * Determine whether the subject should be allowed to enable accounting,
3822 * based on its label and the label of the accounting log file. See
3823 * acct(5) for more information.
3824 *
3825 * As accounting is disabled by passing NULL to the acct(2) system call,
3826 * the policy should be prepared for both 'vp' and 'vlabel' to be NULL.
3827 *
3828 * @return Return 0 if access is granted, otherwise an appropriate value for
3829 * errno should be returned.
3830 */
2d21ac55
A		 3831typedef int mpo_system_check_acct_t(
3832 kauth_cred_t cred,
3833 struct vnode *vp,
3834 struct label *vlabel
0a7de745 3835 );
2d21ac55 3836/**
0a7de745
A		 3837 * @brief Access control check for audit
3838 * @param cred Subject credential
3839 * @param record Audit record
3840 * @param length Audit record length
3841 *
3842 * Determine whether the subject identified by the credential can submit
3843 * an audit record for inclusion in the audit log via the audit() system call.
3844 *
3845 * @return Return 0 if access is granted, otherwise an appropriate value for
3846 * errno should be returned.
3847 */
2d21ac55
A		 3848typedef int mpo_system_check_audit_t(
3849 kauth_cred_t cred,
3850 void *record,
3851 int length
0a7de745 3852 );
2d21ac55 3853/**
0a7de745
A		 3854 * @brief Access control check for controlling audit
3855 * @param cred Subject credential
3856 * @param vp Audit file
3857 * @param vl Label associated with vp
3858 *
3859 * Determine whether the subject should be allowed to enable auditing using
3860 * the auditctl() system call, based on its label and the label of the proposed
3861 * audit file.
3862 *
3863 * @return Return 0 if access is granted, otherwise an appropriate value for
3864 * errno should be returned.
3865 */
2d21ac55
A		 3866typedef int mpo_system_check_auditctl_t(
3867 kauth_cred_t cred,
3868 struct vnode *vp,
3869 struct label *vl
0a7de745 3870 );
2d21ac55 3871/**
0a7de745
A		 3872 * @brief Access control check for manipulating auditing
3873 * @param cred Subject credential
3874 * @param cmd Audit control command
3875 *
3876 * Determine whether the subject identified by the credential can perform
3877 * the audit subsystem control operation cmd via the auditon() system call.
3878 *
3879 * @return Return 0 if access is granted, otherwise an appropriate value for
3880 * errno should be returned.
3881 */
2d21ac55
A		 3882typedef int mpo_system_check_auditon_t(
3883 kauth_cred_t cred,
3884 int cmd
0a7de745 3885 );
2d21ac55 3886/**
0a7de745
A		 3887 * @brief Access control check for obtaining the host control port
3888 * @param cred Subject credential
3889 *
3890 * Determine whether the subject identified by the credential can
3891 * obtain the host control port.
3892 *
3893 * @return Return 0 if access is granted, or non-zero otherwise.
3894 */
2d21ac55
A		 3895typedef int mpo_system_check_host_priv_t(
3896 kauth_cred_t cred
0a7de745 3897 );
39236c6e 3898/**
0a7de745
A		 3899 * @brief Access control check for obtaining system information
3900 * @param cred Subject credential
3901 * @param info_type A description of the information requested
3902 *
3903 * Determine whether the subject identified by the credential should be
3904 * allowed to obtain information about the system.
3905 *
3906 * This is a generic hook that can be used in a variety of situations where
3907 * information is being returned that might be considered sensitive.
3908 * Rather than adding a new MAC hook for every such interface, this hook can
3909 * be called with a string identifying the type of information requested.
3910 *
3911 * @return Return 0 if access is granted, otherwise an appropriate value for
3912 * errno should be returned.
3913 */
39236c6e
A		 3914typedef int mpo_system_check_info_t(
3915 kauth_cred_t cred,
3916 const char *info_type
0a7de745 3917 );
2d21ac55 3918/**
0a7de745
A		 3919 * @brief Access control check for calling NFS services
3920 * @param cred Subject credential
3921 *
3922 * Determine whether the subject identified by the credential should be
3923 * allowed to call nfssrv(2).
3924 *
3925 * @return Return 0 if access is granted, otherwise an appropriate value for
3926 * errno should be returned.
3927 */
2d21ac55
A		 3928typedef int mpo_system_check_nfsd_t(
3929 kauth_cred_t cred
0a7de745 3930 );
2d21ac55 3931/**
0a7de745
A		 3932 * @brief Access control check for reboot
3933 * @param cred Subject credential
3934 * @param howto howto parameter from reboot(2)
3935 *
3936 * Determine whether the subject identified by the credential should be
3937 * allowed to reboot the system in the specified manner.
3938 *
3939 * @return Return 0 if access is granted, otherwise an appropriate value for
3940 * errno should be returned.
3941 */
2d21ac55
A		 3942typedef int mpo_system_check_reboot_t(
3943 kauth_cred_t cred,
3944 int howto
0a7de745 3945 );
2d21ac55 3946/**
0a7de745
A		 3947 * @brief Access control check for setting system clock
3948 * @param cred Subject credential
3949 *
3950 * Determine whether the subject identified by the credential should be
3951 * allowed to set the system clock.
3952 *
3953 * @return Return 0 if access is granted, otherwise an appropriate value for
3954 * errno should be returned.
3955 */
2d21ac55
A		 3956typedef int mpo_system_check_settime_t(
3957 kauth_cred_t cred
0a7de745 3958 );
2d21ac55 3959/**
0a7de745
A		 3960 * @brief Access control check for removing swap devices
3961 * @param cred Subject credential
3962 * @param vp Swap device
3963 * @param label Label associated with vp
3964 *
3965 * Determine whether the subject identified by the credential should be
3966 * allowed to remove vp as a swap device.
3967 *
3968 * @return Return 0 if access is granted, otherwise an appropriate value for
3969 * errno should be returned.
3970 */
2d21ac55
A		 3971typedef int mpo_system_check_swapoff_t(
3972 kauth_cred_t cred,
3973 struct vnode *vp,
3974 struct label *label
0a7de745 3975 );
2d21ac55 3976/**
0a7de745
A		 3977 * @brief Access control check for adding swap devices
3978 * @param cred Subject credential
3979 * @param vp Swap device
3980 * @param label Label associated with vp
3981 *
3982 * Determine whether the subject identified by the credential should be
3983 * allowed to add vp as a swap device.
3984 *
3985 * @return Return 0 if access is granted, otherwise an appropriate value for
3986 * errno should be returned.
3987 */
2d21ac55
A		 3988typedef int mpo_system_check_swapon_t(
3989 kauth_cred_t cred,
3990 struct vnode *vp,
3991 struct label *label
0a7de745
A		 3992 );
3993/**
3994 * @brief Access control check for sysctl
3995 * @param cred Subject credential
3996 * @param namestring String representation of sysctl name.
3997 * @param name Integer name; see sysctl(3)
3998 * @param namelen Length of name array of integers; see sysctl(3)
3999 * @param old 0 or address where to store old value; see sysctl(3)
4000 * @param oldlen Length of old buffer; see sysctl(3)
4001 * @param newvalue 0 or address of new value; see sysctl(3)
4002 * @param newlen Length of new buffer; see sysctl(3)
4003 *
4004 * Determine whether the subject identified by the credential should be
4005 * allowed to make the specified sysctl(3) transaction.
4006 *
4007 * The sysctl(3) call specifies that if the old value is not desired,
4008 * oldp and oldlenp should be set to NULL. Likewise, if a new value is
4009 * not to be set, newp should be set to NULL and newlen set to 0.
4010 *
4011 * @return Return 0 if access is granted, otherwise an appropriate value for
4012 * errno should be returned.
4013 */
fe8ab488 4014typedef int mpo_system_check_sysctlbyname_t(
2d21ac55 4015 kauth_cred_t cred,
fe8ab488 4016 const char *namestring,
2d21ac55
A		 4017 int *name,
4018 u_int namelen,
0a7de745 4019 user_addr_t old, /* NULLOK */
fe8ab488 4020 size_t oldlen,
0a7de745 4021 user_addr_t newvalue, /* NULLOK */
2d21ac55 4022 size_t newlen
0a7de745 4023 );
316670eb 4024/**
0a7de745
A		 4025 * @brief Access control check for kas_info
4026 * @param cred Subject credential
4027 * @param selector Category of information to return. See kas_info.h
4028 *
4029 * Determine whether the subject identified by the credential can perform
4030 * introspection of the kernel address space layout for
4031 * debugging/performance analysis.
4032 *
4033 * @return Return 0 if access is granted, otherwise an appropriate value for
4034 * errno should be returned.
4035 */
316670eb
A		 4036typedef int mpo_system_check_kas_info_t(
4037 kauth_cred_t cred,
4038 int selector
0a7de745
A		 4039 );
4040/**
4041 * @brief Create a System V message label
4042 * @param cred Subject credential
4043 * @param msqptr The message queue the message will be placed in
4044 * @param msqlabel The label of the message queue
4045 * @param msgptr The message
4046 * @param msglabel The label of the message
4047 *
4048 * Label the message as its placed in the message queue.
4049 */
2d21ac55
A		 4050typedef void mpo_sysvmsg_label_associate_t(
4051 kauth_cred_t cred,
4052 struct msqid_kernel *msqptr,
4053 struct label *msqlabel,
4054 struct msg *msgptr,
4055 struct label *msglabel
0a7de745 4056 );
2d21ac55 4057/**
0a7de745
A		 4058 * @brief Destroy System V message label
4059 * @param label The label to be destroyed
4060 *
4061 * Destroy a System V message label. Since the object is
4062 * going out of scope, policy modules should free any internal storage
4063 * associated with the label so that it may be destroyed.
4064 */
2d21ac55
A		 4065typedef void mpo_sysvmsg_label_destroy_t(
4066 struct label *label
0a7de745 4067 );
2d21ac55 4068/**
0a7de745
A		 4069 * @brief Initialize System V message label
4070 * @param label New label to initialize
4071 *
4072 * Initialize the label for a newly instantiated System V message.
4073 */
2d21ac55
A		 4074typedef void mpo_sysvmsg_label_init_t(
4075 struct label *label
0a7de745 4076 );
2d21ac55 4077/**
0a7de745
A		 4078 * @brief Clean up a System V message label
4079 * @param label The label to be destroyed
4080 *
4081 * Clean up a System V message label. Darwin pre-allocates
4082 * messages at system boot time and re-uses them rather than
4083 * allocating new ones. Before messages are returned to the "free
4084 * pool", policies can cleanup or overwrite any information present in
4085 * the label.
4086 */
2d21ac55
A		 4087typedef void mpo_sysvmsg_label_recycle_t(
4088 struct label *label
0a7de745
A		 4089 );
4090/**
4091 * @brief Access control check for System V message enqueuing
4092 * @param cred Subject credential
4093 * @param msgptr The message
4094 * @param msglabel The message's label
4095 * @param msqptr The message queue
4096 * @param msqlabel The message queue's label
4097 *
4098 * Determine whether the subject identified by the credential can add the
4099 * given message to the given message queue.
4100 *
4101 * @return Return 0 if access is granted, otherwise an appropriate value for
4102 * errno should be returned.
4103 */
2d21ac55
A		 4104typedef int mpo_sysvmsq_check_enqueue_t(
4105 kauth_cred_t cred,
4106 struct msg *msgptr,
4107 struct label *msglabel,
4108 struct msqid_kernel *msqptr,
4109 struct label *msqlabel
0a7de745 4110 );
2d21ac55 4111/**
0a7de745
A		 4112 * @brief Access control check for System V message reception
4113 * @param cred The credential of the intended recipient
4114 * @param msgptr The message
4115 * @param msglabel The message's label
4116 *
4117 * Determine whether the subject identified by the credential can receive
4118 * the given message.
4119 *
4120 * @return Return 0 if access is granted, otherwise an appropriate value for
4121 * errno should be returned.
4122 */
2d21ac55
A		 4123typedef int mpo_sysvmsq_check_msgrcv_t(
4124 kauth_cred_t cred,
4125 struct msg *msgptr,
4126 struct label *msglabel
0a7de745 4127 );
2d21ac55 4128/**
0a7de745
A		 4129 * @brief Access control check for System V message queue removal
4130 * @param cred The credential of the caller
4131 * @param msgptr The message
4132 * @param msglabel The message's label
4133 *
4134 * System V message queues are removed using the msgctl() system call.
4135 * The system will iterate over each messsage in the queue, calling this
4136 * function for each, to determine whether the caller has the appropriate
4137 * credentials.
4138 *
4139 * @return Return 0 if access is granted, otherwise an appropriate value for
4140 * errno should be returned.
4141 */
2d21ac55
A		 4142typedef int mpo_sysvmsq_check_msgrmid_t(
4143 kauth_cred_t cred,
4144 struct msg *msgptr,
4145 struct label *msglabel
0a7de745 4146 );
2d21ac55 4147/**
0a7de745
A		 4148 * @brief Access control check for msgctl()
4149 * @param cred The credential of the caller
4150 * @param msqptr The message queue
4151 * @param msqlabel The message queue's label
4152 *
4153 * This access check is performed to validate calls to msgctl().
4154 *
4155 * @return Return 0 if access is granted, otherwise an appropriate value for
4156 * errno should be returned.
4157 */
2d21ac55
A		 4158typedef int mpo_sysvmsq_check_msqctl_t(
4159 kauth_cred_t cred,
4160 struct msqid_kernel *msqptr,
4161 struct label *msqlabel,
4162 int cmd
0a7de745 4163 );
2d21ac55 4164/**
0a7de745
A		 4165 * @brief Access control check to get a System V message queue
4166 * @param cred The credential of the caller
4167 * @param msqptr The message queue requested
4168 * @param msqlabel The message queue's label
4169 *
4170 * On a call to msgget(), if the queue requested already exists,
4171 * and it is a public queue, this check will be performed before the
4172 * queue's ID is returned to the user.
4173 *
4174 * @return Return 0 if access is granted, otherwise an appropriate value for
4175 * errno should be returned.
4176 */
2d21ac55
A		 4177typedef int mpo_sysvmsq_check_msqget_t(
4178 kauth_cred_t cred,
4179 struct msqid_kernel *msqptr,
4180 struct label *msqlabel
0a7de745 4181 );
2d21ac55 4182/**
0a7de745
A		 4183 * @brief Access control check to receive a System V message from the given queue
4184 * @param cred The credential of the caller
4185 * @param msqptr The message queue to receive from
4186 * @param msqlabel The message queue's label
4187 *
4188 * On a call to msgrcv(), this check is performed to determine whether the
4189 * caller has receive rights on the given queue.
4190 *
4191 * @return Return 0 if access is granted, otherwise an appropriate value for
4192 * errno should be returned.
4193 */
2d21ac55
A		 4194typedef int mpo_sysvmsq_check_msqrcv_t(
4195 kauth_cred_t cred,
4196 struct msqid_kernel *msqptr,
4197 struct label *msqlabel
0a7de745 4198 );
2d21ac55 4199/**
0a7de745
A		 4200 * @brief Access control check to send a System V message to the given queue
4201 * @param cred The credential of the caller
4202 * @param msqptr The message queue to send to
4203 * @param msqlabel The message queue's label
4204 *
4205 * On a call to msgsnd(), this check is performed to determine whether the
4206 * caller has send rights on the given queue.
4207 *
4208 * @return Return 0 if access is granted, otherwise an appropriate value for
4209 * errno should be returned.
4210 */
2d21ac55
A		 4211typedef int mpo_sysvmsq_check_msqsnd_t(
4212 kauth_cred_t cred,
4213 struct msqid_kernel *msqptr,
4214 struct label *msqlabel
0a7de745 4215 );
2d21ac55 4216/**
0a7de745
A		 4217 * @brief Create a System V message queue label
4218 * @param cred Subject credential
4219 * @param msqptr The message queue
4220 * @param msqlabel The label of the message queue
4221 *
4222 */
2d21ac55
A		 4223typedef void mpo_sysvmsq_label_associate_t(
4224 kauth_cred_t cred,
4225 struct msqid_kernel *msqptr,
4226 struct label *msqlabel
0a7de745 4227 );
2d21ac55 4228/**
0a7de745
A		 4229 * @brief Destroy System V message queue label
4230 * @param label The label to be destroyed
4231 *
4232 * Destroy a System V message queue label. Since the object is
4233 * going out of scope, policy modules should free any internal storage
4234 * associated with the label so that it may be destroyed.
4235 */
2d21ac55
A		 4236typedef void mpo_sysvmsq_label_destroy_t(
4237 struct label *label
0a7de745 4238 );
2d21ac55 4239/**
0a7de745
A		 4240 * @brief Initialize System V message queue label
4241 * @param label New label to initialize
4242 *
4243 * Initialize the label for a newly instantiated System V message queue.
4244 */
2d21ac55
A		 4245typedef void mpo_sysvmsq_label_init_t(
4246 struct label *label
0a7de745 4247 );
2d21ac55 4248/**
0a7de745
A		 4249 * @brief Clean up a System V message queue label
4250 * @param label The label to be destroyed
4251 *
4252 * Clean up a System V message queue label. Darwin pre-allocates
4253 * message queues at system boot time and re-uses them rather than
4254 * allocating new ones. Before message queues are returned to the "free
4255 * pool", policies can cleanup or overwrite any information present in
4256 * the label.
4257 */
2d21ac55
A		 4258typedef void mpo_sysvmsq_label_recycle_t(
4259 struct label *label
0a7de745 4260 );
2d21ac55 4261/**
0a7de745
A		 4262 * @brief Access control check for System V semaphore control operation
4263 * @param cred Subject credential
4264 * @param semakptr Pointer to semaphore identifier
4265 * @param semaklabel Label associated with semaphore
4266 * @param cmd Control operation to be performed; see semctl(2)
4267 *
4268 * Determine whether the subject identified by the credential can perform
4269 * the operation indicated by cmd on the System V semaphore semakptr.
4270 *
4271 * @return Return 0 if access is granted, otherwise an appropriate value for
4272 * errno should be returned.
4273 */
2d21ac55
A		 4274typedef int mpo_sysvsem_check_semctl_t(
4275 kauth_cred_t cred,
4276 struct semid_kernel *semakptr,
4277 struct label *semaklabel,
4278 int cmd
0a7de745 4279 );
2d21ac55 4280/**
0a7de745
A		 4281 * @brief Access control check for obtaining a System V semaphore
4282 * @param cred Subject credential
4283 * @param semakptr Pointer to semaphore identifier
4284 * @param semaklabel Label to associate with the semaphore
4285 *
4286 * Determine whether the subject identified by the credential can
4287 * obtain a System V semaphore.
4288 *
4289 * @return Return 0 if access is granted, otherwise an appropriate value for
4290 * errno should be returned.
4291 */
2d21ac55
A		 4292typedef int mpo_sysvsem_check_semget_t(
4293 kauth_cred_t cred,
4294 struct semid_kernel *semakptr,
4295 struct label *semaklabel
0a7de745 4296 );
2d21ac55 4297/**
0a7de745
A		 4298 * @brief Access control check for System V semaphore operations
4299 * @param cred Subject credential
4300 * @param semakptr Pointer to semaphore identifier
4301 * @param semaklabel Label associated with the semaphore
4302 * @param accesstype Flags to indicate access (read and/or write)
4303 *
4304 * Determine whether the subject identified by the credential can
4305 * perform the operations on the System V semaphore indicated by
4306 * semakptr. The accesstype flags hold the maximum set of permissions
4307 * from the sem_op array passed to the semop system call. It may
4308 * contain SEM_R for read-only operations or SEM_A for read/write
4309 * operations.
4310 *
4311 * @return Return 0 if access is granted, otherwise an appropriate value for
4312 * errno should be returned.
4313 */
2d21ac55
A		 4314typedef int mpo_sysvsem_check_semop_t(
4315 kauth_cred_t cred,
4316 struct semid_kernel *semakptr,
4317 struct label *semaklabel,
4318 size_t accesstype
0a7de745 4319 );
2d21ac55 4320/**
0a7de745
A		 4321 * @brief Create a System V semaphore label
4322 * @param cred Subject credential
4323 * @param semakptr The semaphore being created
4324 * @param semalabel Label to associate with the new semaphore
4325 *
4326 * Label a new System V semaphore. The label was previously
4327 * initialized and associated with the semaphore. At this time, an
4328 * appropriate initial label value should be assigned to the object and
4329 * stored in semalabel.
4330 */
2d21ac55
A		 4331typedef void mpo_sysvsem_label_associate_t(
4332 kauth_cred_t cred,
4333 struct semid_kernel *semakptr,
4334 struct label *semalabel
0a7de745 4335 );
2d21ac55 4336/**
0a7de745
A		 4337 * @brief Destroy System V semaphore label
4338 * @param label The label to be destroyed
4339 *
4340 * Destroy a System V semaphore label. Since the object is
4341 * going out of scope, policy modules should free any internal storage
4342 * associated with the label so that it may be destroyed.
4343 */
2d21ac55
A		 4344typedef void mpo_sysvsem_label_destroy_t(
4345 struct label *label
0a7de745 4346 );
2d21ac55 4347/**
0a7de745
A		 4348 * @brief Initialize System V semaphore label
4349 * @param label New label to initialize
4350 *
4351 * Initialize the label for a newly instantiated System V semaphore. Sleeping
4352 * is permitted.
4353 */
2d21ac55
A		 4354typedef void mpo_sysvsem_label_init_t(
4355 struct label *label
0a7de745 4356 );
2d21ac55 4357/**
0a7de745
A		 4358 * @brief Clean up a System V semaphore label
4359 * @param label The label to be cleaned
4360 *
4361 * Clean up a System V semaphore label. Darwin pre-allocates
4362 * semaphores at system boot time and re-uses them rather than
4363 * allocating new ones. Before semaphores are returned to the "free
4364 * pool", policies can cleanup or overwrite any information present in
4365 * the label.
4366 */
2d21ac55
A		 4367typedef void mpo_sysvsem_label_recycle_t(
4368 struct label *label
0a7de745 4369 );
2d21ac55 4370/**
0a7de745
A		 4371 * @brief Access control check for mapping System V shared memory
4372 * @param cred Subject credential
4373 * @param shmsegptr Pointer to shared memory segment identifier
4374 * @param shmseglabel Label associated with the shared memory segment
4375 * @param shmflg shmat flags; see shmat(2)
4376 *
4377 * Determine whether the subject identified by the credential can map
4378 * the System V shared memory segment associated with shmsegptr.
4379 *
4380 * @return Return 0 if access is granted, otherwise an appropriate value for
4381 * errno should be returned.
4382 */
2d21ac55
A		 4383typedef int mpo_sysvshm_check_shmat_t(
4384 kauth_cred_t cred,
4385 struct shmid_kernel *shmsegptr,
4386 struct label *shmseglabel,
4387 int shmflg
0a7de745 4388 );
2d21ac55 4389/**
0a7de745
A		 4390 * @brief Access control check for System V shared memory control operation
4391 * @param cred Subject credential
4392 * @param shmsegptr Pointer to shared memory segment identifier
4393 * @param shmseglabel Label associated with the shared memory segment
4394 * @param cmd Control operation to be performed; see shmctl(2)
4395 *
4396 * Determine whether the subject identified by the credential can perform
4397 * the operation indicated by cmd on the System V shared memory segment
4398 * shmsegptr.
4399 *
4400 * @return Return 0 if access is granted, otherwise an appropriate value for
4401 * errno should be returned.
4402 */
2d21ac55
A		 4403typedef int mpo_sysvshm_check_shmctl_t(
4404 kauth_cred_t cred,
4405 struct shmid_kernel *shmsegptr,
4406 struct label *shmseglabel,
4407 int cmd
0a7de745 4408 );
2d21ac55 4409/**
0a7de745
A		 4410 * @brief Access control check for unmapping System V shared memory
4411 * @param cred Subject credential
4412 * @param shmsegptr Pointer to shared memory segment identifier
4413 * @param shmseglabel Label associated with the shared memory segment
4414 *
4415 * Determine whether the subject identified by the credential can unmap
4416 * the System V shared memory segment associated with shmsegptr.
4417 *
4418 * @return Return 0 if access is granted, otherwise an appropriate value for
4419 * errno should be returned.
4420 */
2d21ac55
A		 4421typedef int mpo_sysvshm_check_shmdt_t(
4422 kauth_cred_t cred,
4423 struct shmid_kernel *shmsegptr,
4424 struct label *shmseglabel
0a7de745 4425 );
2d21ac55 4426/**
0a7de745
A		 4427 * @brief Access control check obtaining System V shared memory identifier
4428 * @param cred Subject credential
4429 * @param shmsegptr Pointer to shared memory segment identifier
4430 * @param shmseglabel Label associated with the shared memory segment
4431 * @param shmflg shmget flags; see shmget(2)
4432 *
4433 * Determine whether the subject identified by the credential can get
4434 * the System V shared memory segment address.
4435 *
4436 * @return Return 0 if access is granted, otherwise an appropriate value for
4437 * errno should be returned.
4438 */
2d21ac55
A		 4439typedef int mpo_sysvshm_check_shmget_t(
4440 kauth_cred_t cred,
4441 struct shmid_kernel *shmsegptr,
4442 struct label *shmseglabel,
4443 int shmflg
0a7de745 4444 );
2d21ac55 4445/**
0a7de745
A		 4446 * @brief Create a System V shared memory region label
4447 * @param cred Subject credential
4448 * @param shmsegptr The shared memory region being created
4449 * @param shmlabel Label to associate with the new shared memory region
4450 *
4451 * Label a new System V shared memory region. The label was previously
4452 * initialized and associated with the shared memory region. At this
4453 * time, an appropriate initial label value should be assigned to the
4454 * object and stored in shmlabel.
4455 */
2d21ac55
A		 4456typedef void mpo_sysvshm_label_associate_t(
4457 kauth_cred_t cred,
4458 struct shmid_kernel *shmsegptr,
4459 struct label *shmlabel
0a7de745 4460 );
2d21ac55 4461/**
0a7de745
A		 4462 * @brief Destroy System V shared memory label
4463 * @param label The label to be destroyed
4464 *
4465 * Destroy a System V shared memory region label. Since the
4466 * object is going out of scope, policy modules should free any
4467 * internal storage associated with the label so that it may be
4468 * destroyed.
4469 */
2d21ac55
A		 4470typedef void mpo_sysvshm_label_destroy_t(
4471 struct label *label
0a7de745 4472 );
2d21ac55 4473/**
0a7de745
A		 4474 * @brief Initialize System V Shared Memory region label
4475 * @param label New label to initialize
4476 *
4477 * Initialize the label for a newly instantiated System V Shared Memory
4478 * region. Sleeping is permitted.
4479 */
2d21ac55
A		 4480typedef void mpo_sysvshm_label_init_t(
4481 struct label *label
0a7de745 4482 );
2d21ac55 4483/**
0a7de745
A		 4484 * @brief Clean up a System V Share Memory Region label
4485 * @param shmlabel The label to be cleaned
4486 *
4487 * Clean up a System V Shared Memory Region label. Darwin
4488 * pre-allocates these objects at system boot time and re-uses them
4489 * rather than allocating new ones. Before the memory regions are
4490 * returned to the "free pool", policies can cleanup or overwrite any
4491 * information present in the label.
4492 */
2d21ac55
A		 4493typedef void mpo_sysvshm_label_recycle_t(
4494 struct label *shmlabel
0a7de745 4495 );
2d21ac55 4496/**
0a7de745
A		 4497 * @brief Access control check for getting a process's task name
4498 * @param cred Subject credential
4499 * @param p Object process
4500 *
4501 * Determine whether the subject identified by the credential can get
4502 * the passed process's task name port.
4503 * This call is used by the task_name_for_pid(2) API.
4504 *
4505 * @return Return 0 if access is granted, otherwise an appropriate value for
4506 * errno should be returned. Suggested failure: EACCES for label mismatch,
4507 * EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4508 */
2d21ac55
A		 4509typedef int mpo_proc_check_get_task_name_t(
4510 kauth_cred_t cred,
4511 struct proc *p
0a7de745 4512 );
2d21ac55 4513/**
0a7de745
A		 4514 * @brief Access control check for getting a process's task port
4515 * @param cred Subject credential
4516 * @param p Object process
4517 *
4518 * Determine whether the subject identified by the credential can get
4519 * the passed process's task control port.
4520 * This call is used by the task_for_pid(2) API.
4521 *
4522 * @return Return 0 if access is granted, otherwise an appropriate value for
4523 * errno should be returned. Suggested failure: EACCES for label mismatch,
4524 * EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4525 */
2d21ac55
A		 4526typedef int mpo_proc_check_get_task_t(
4527 kauth_cred_t cred,
4528 struct proc *p
0a7de745 4529 );
fe8ab488 4530
3e170ce0 4531/**
0a7de745
A		 4532 * @brief Access control check for exposing a process's task port
4533 * @param cred Subject credential
4534 * @param p Object process
4535 *
4536 * Determine whether the subject identified by the credential can expose
4537 * the passed process's task control port.
4538 * This call is used by the accessor APIs like processor_set_tasks() and
4539 * processor_set_threads().
4540 *
4541 * @return Return 0 if access is granted, otherwise an appropriate value for
4542 * errno should be returned. Suggested failure: EACCES for label mismatch,
4543 * EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4544 */
3e170ce0
A		 4545typedef int mpo_proc_check_expose_task_t(
4546 kauth_cred_t cred,
4547 struct proc *p
0a7de745
A		 4548 );
4549
4550/**
4551 * @brief Check whether task's IPC may inherit across process exec
4552 * @param p current process instance
4553 * @param cur_vp vnode pointer to current instance
4554 * @param cur_offset offset of binary of currently executing image
4555 * @param img_vp vnode pointer to to be exec'ed image
4556 * @param img_offset offset into file which is selected for execution
4557 * @param scriptvp vnode pointer of script file if any.
4558 * @return Return 0 if access is granted.
4559 * EPERM if parent does not have any entitlements.
4560 * EACCESS if mismatch in entitlements
4561 */
fe8ab488
A		 4562typedef int mpo_proc_check_inherit_ipc_ports_t(
4563 struct proc *p,
3e170ce0
A		 4564 struct vnode *cur_vp,
4565 off_t cur_offset,
4566 struct vnode *img_vp,
4567 off_t img_offset,
4568 struct vnode *scriptvp
0a7de745 4569 );
fe8ab488 4570
593a1d5f 4571/**
0a7de745
A		 4572 * @brief Privilege check for a process to run invalid
4573 * @param p Object process
4574 *
4575 * Determine whether the process may execute even though the system determined
4576 * that it is untrusted (eg unidentified / modified code).
4577 *
4578 * @return Return 0 if access is granted, otherwise an appropriate value for
4579 * errno should be returned.
593a1d5f 4580 */
3e170ce0 4581typedef int mpo_proc_check_run_cs_invalid_t(
593a1d5f 4582 struct proc *p
0a7de745 4583 );
593a1d5f 4584
d9a64523 4585/**
0a7de745
A		 4586 * @brief Notification a process is finished with exec and will jump to userspace
4587 * @param p Object process
4588 *
4589 * Notifies all MAC policies that a process has completed an exec and is about to
4590 * jump to userspace to continue execution. This may result in process termination
4591 * via signals. Hook is designed to hold no/minimal locks so it can be used for any
4592 * necessary upcalls.
d9a64523
A		 4593 */
4594typedef void mpo_proc_notify_exec_complete_t(
4595 struct proc *p
0a7de745 4596 );
d9a64523 4597
316670eb 4598/**
0a7de745
A		 4599 * @brief Perform MAC-related events when a thread returns to user space
4600 * @param thread Mach (not BSD) thread that is returning
4601 *
4602 * This entry point permits policy modules to perform MAC-related
4603 * events when a thread returns to user space, via a system call
4604 * return or trap return.
4605 */
316670eb
A		 4606typedef void mpo_thread_userret_t(
4607 struct thread *thread
0a7de745 4608 );
316670eb 4609
2d21ac55 4610/**
0a7de745
A		 4611 * @brief Check vnode access
4612 * @param cred Subject credential
4613 * @param vp Object vnode
4614 * @param label Label for vp
4615 * @param acc_mode access(2) flags
4616 *
4617 * Determine how invocations of access(2) and related calls by the
4618 * subject identified by the credential should return when performed
4619 * on the passed vnode using the passed access flags. This should
4620 * generally be implemented using the same semantics used in
4621 * mpo_vnode_check_open.
4622 *
4623 * @return Return 0 if access is granted, otherwise an appropriate value for
4624 * errno should be returned. Suggested failure: EACCES for label mismatch or
4625 * EPERM for lack of privilege.
4626 */
2d21ac55
A		 4627typedef int mpo_vnode_check_access_t(
4628 kauth_cred_t cred,
4629 struct vnode *vp,
4630 struct label *label,
4631 int acc_mode
0a7de745 4632 );
2d21ac55 4633/**
0a7de745
A		 4634 * @brief Access control check for changing working directory
4635 * @param cred Subject credential
4636 * @param dvp Object; vnode to chdir(2) into
4637 * @param dlabel Policy label for dvp
4638 *
4639 * Determine whether the subject identified by the credential can change
4640 * the process working directory to the passed vnode.
4641 *
4642 * @return Return 0 if access is granted, otherwise an appropriate value for
4643 * errno should be returned. Suggested failure: EACCES for label mismatch or
4644 * EPERM for lack of privilege.
4645 */
2d21ac55
A		 4646typedef int mpo_vnode_check_chdir_t(
4647 kauth_cred_t cred,
4648 struct vnode *dvp,
4649 struct label *dlabel
0a7de745 4650 );
2d21ac55 4651/**
0a7de745
A		 4652 * @brief Access control check for changing root directory
4653 * @param cred Subject credential
4654 * @param dvp Directory vnode
4655 * @param dlabel Policy label associated with dvp
4656 * @param cnp Component name for dvp
4657 *
4658 * Determine whether the subject identified by the credential should be
4659 * allowed to chroot(2) into the specified directory (dvp).
4660 *
4661 * @return In the event of an error, an appropriate value for errno
4662 * should be returned, otherwise return 0 upon success.
4663 */
2d21ac55
A		 4664typedef int mpo_vnode_check_chroot_t(
4665 kauth_cred_t cred,
4666 struct vnode *dvp,
4667 struct label *dlabel,
4668 struct componentname *cnp
0a7de745
A		 4669 );
4670/**
4671 * @brief Access control check for creating clone
4672 * @param cred Subject credential
4673 * @param dvp Vnode of directory to create the clone in
4674 * @param dlabel Policy label associated with dvp
4675 * @param vp Vnode of the file to clone from
4676 * @param label Policy label associated with vp
4677 * @param cnp Component name for the clone being created
4678 *
4679 * Determine whether the subject identified by the credential should be
4680 * allowed to create a clone of the vnode vp with the name specified by cnp.
4681 *
4682 * @return Return 0 if access is granted, otherwise an appropriate value for
4683 * errno should be returned.
4684 */
39037602
A		 4685typedef int mpo_vnode_check_clone_t(
4686 kauth_cred_t cred,
4687 struct vnode *dvp,
4688 struct label *dlabel,
4689 struct vnode *vp,
4690 struct label *label,
4691 struct componentname *cnp
0a7de745
A		 4692 );
4693/**
4694 * @brief Access control check for creating vnode
4695 * @param cred Subject credential
4696 * @param dvp Directory vnode
4697 * @param dlabel Policy label for dvp
4698 * @param cnp Component name for dvp
4699 * @param vap vnode attributes for vap
4700 *
4701 * Determine whether the subject identified by the credential can create
4702 * a vnode with the passed parent directory, passed name information,
4703 * and passed attribute information. This call may be made in a number of
4704 * situations, including as a result of calls to open(2) with O_CREAT,
4705 * mknod(2), mkfifo(2), and others.
4706 *
4707 * @return Return 0 if access is granted, otherwise an appropriate value for
4708 * errno should be returned. Suggested failure: EACCES for label mismatch or
4709 * EPERM for lack of privilege.
4710 */
2d21ac55
A		 4711typedef int mpo_vnode_check_create_t(
4712 kauth_cred_t cred,
4713 struct vnode *dvp,
4714 struct label *dlabel,
4715 struct componentname *cnp,
4716 struct vnode_attr *vap
0a7de745 4717 );
2d21ac55 4718/**
0a7de745
A		 4719 * @brief Access control check for deleting extended attribute
4720 * @param cred Subject credential
4721 * @param vp Object vnode
4722 * @param vlabel Label associated with vp
4723 * @param name Extended attribute name
4724 *
4725 * Determine whether the subject identified by the credential can delete
4726 * the extended attribute from the passed vnode.
4727 *
4728 * @return Return 0 if access is granted, otherwise an appropriate value for
4729 * errno should be returned. Suggested failure: EACCES for label mismatch or
4730 * EPERM for lack of privilege.
4731 */
2d21ac55
A		 4732typedef int mpo_vnode_check_deleteextattr_t(
4733 kauth_cred_t cred,
4734 struct vnode *vp,
4735 struct label *vlabel,
4736 const char *name
0a7de745
A		 4737 );
4738/**
4739 * @brief Access control check for exchanging file data
4740 * @param cred Subject credential
4741 * @param v1 vnode 1 to swap
4742 * @param vl1 Policy label for v1
4743 * @param v2 vnode 2 to swap
4744 * @param vl2 Policy label for v2
4745 *
4746 * Determine whether the subject identified by the credential can swap the data
4747 * in the two supplied vnodes.
4748 *
4749 * @return Return 0 if access is granted, otherwise an appropriate value for
4750 * errno should be returned. Suggested failure: EACCES for label mismatch or
4751 * EPERM for lack of privilege.
4752 */
2d21ac55
A		 4753typedef int mpo_vnode_check_exchangedata_t(
4754 kauth_cred_t cred,
4755 struct vnode *v1,
4756 struct label *vl1,
4757 struct vnode *v2,
4758 struct label *vl2
0a7de745
A		 4759 );
4760/**
4761 * @brief Access control check for executing the vnode
4762 * @param cred Subject credential
4763 * @param vp Object vnode to execute
4764 * @param scriptvp Script being executed by interpreter, if any.
4765 * @param vnodelabel Label corresponding to vp
4766 * @param scriptlabel Script vnode label
4767 * @param execlabel Userspace provided execution label
4768 * @param cnp Component name for file being executed
4769 * @param macpolicyattr MAC policy-specific spawn attribute data.
4770 * @param macpolicyattrlen Length of policy-specific spawn attribute data.
4771 *
4772 * Determine whether the subject identified by the credential can execute
4773 * the passed vnode. Determination of execute privilege is made separately
4774 * from decisions about any process label transitioning event.
4775 *
4776 * The final label, execlabel, corresponds to a label supplied by a
4777 * user space application through the use of the mac_execve system call.
4778 * This label will be NULL if the user application uses the the vendor
4779 * execve(2) call instead of the MAC Framework mac_execve() call.
4780 *
4781 * @return Return 0 if access is granted, otherwise an appropriate value for
4782 * errno should be returned. Suggested failure: EACCES for label mismatch or
4783 * EPERM for lack of privilege.
4784 */
2d21ac55
A		 4785typedef int mpo_vnode_check_exec_t(
4786 kauth_cred_t cred,
4787 struct vnode *vp,
fe8ab488
A		 4788 struct vnode *scriptvp,
4789 struct label *vnodelabel,
4790 struct label *scriptlabel,
0a7de745 4791 struct label *execlabel, /* NULLOK */
2d21ac55 4792 struct componentname *cnp,
39236c6e
A		 4793 u_int *csflags,
4794 void *macpolicyattr,
4795 size_t macpolicyattrlen
0a7de745 4796 );
6d2010ae 4797/**
0a7de745
A		 4798 * @brief Access control check for fsgetpath
4799 * @param cred Subject credential
4800 * @param vp Vnode for which a path will be returned
4801 * @param label Label associated with the vnode
4802 *
4803 * Determine whether the subject identified by the credential can get the path
4804 * of the given vnode with fsgetpath.
4805 *
4806 * @return Return 0 if access is granted, otherwise an appropriate value for
4807 * errno should be returned.
4808 */
6d2010ae
A		 4809typedef int mpo_vnode_check_fsgetpath_t(
4810 kauth_cred_t cred,
4811 struct vnode *vp,
4812 struct label *label
0a7de745
A		 4813 );
4814/**
4815 * @brief Access control check for retrieving file attributes
4816 * @param active_cred Subject credential
4817 * @param file_cred Credential associated with the struct fileproc
4818 * @param vp Object vnode
4819 * @param vlabel Policy label for vp
4820 * @param va Vnode attributes to retrieve
4821 *
4822 * Determine whether the subject identified by the credential can
4823 * get information about the passed vnode. The active_cred hold
4824 * the credentials of the subject performing the operation, and
4825 * file_cred holds the credentials of the subject that originally
4826 * opened the file. This check happens during stat(), lstat(),
4827 * fstat(), and getattrlist() syscalls. See <sys/vnode.h> for
4828 * definitions of the attributes.
4829 *
4830 * @return Return 0 if access is granted, otherwise an appropriate value for
4831 * errno should be returned.
4832 *
4833 * @note Policies may change the contents of va to alter the list of
4834 * file attributes returned.
4835 */
743345f9
A		 4836typedef int mpo_vnode_check_getattr_t(
4837 kauth_cred_t active_cred,
4838 kauth_cred_t file_cred, /* NULLOK */
39037602 4839 struct vnode *vp,
743345f9
A		 4840 struct label *vlabel,
4841 struct vnode_attr *va
0a7de745 4842 );
2d21ac55 4843/**
0a7de745
A		 4844 * @brief Access control check for retrieving file attributes
4845 * @param cred Subject credential
4846 * @param vp Object vnode
4847 * @param vlabel Policy label for vp
4848 * @param alist List of attributes to retrieve
4849 *
4850 * Determine whether the subject identified by the credential can read
4851 * various attributes of the specified vnode, or the filesystem or volume on
4852 * which that vnode resides. See <sys/attr.h> for definitions of the
4853 * attributes.
4854 *
4855 * @return Return 0 if access is granted, otherwise an appropriate value for
4856 * errno should be returned. Suggested failure: EACCES for label mismatch or
4857 * EPERM for lack of privilege. Access control covers all attributes requested
4858 * with this call; the security policy is not permitted to change the set of
4859 * attributes requested.
4860 */
2d21ac55
A		 4861typedef int mpo_vnode_check_getattrlist_t(
4862 kauth_cred_t cred,
4863 struct vnode *vp,
4864 struct label *vlabel,
4865 struct attrlist *alist
0a7de745
A		 4866 );
4867/**
4868 * @brief Access control check for retrieving an extended attribute
4869 * @param cred Subject credential
4870 * @param vp Object vnode
4871 * @param label Policy label for vp
4872 * @param name Extended attribute name
4873 * @param uio I/O structure pointer
4874 *
4875 * Determine whether the subject identified by the credential can retrieve
4876 * the extended attribute from the passed vnode. The uio parameter
4877 * will be NULL when the getxattr(2) call has been made with a NULL data
4878 * value; this is done to request the size of the data only.
4879 *
4880 * @return Return 0 if access is granted, otherwise an appropriate value for
4881 * errno should be returned. Suggested failure: EACCES for label mismatch or
4882 * EPERM for lack of privilege.
4883 */
2d21ac55
A		 4884typedef int mpo_vnode_check_getextattr_t(
4885 kauth_cred_t cred,
4886 struct vnode *vp,
0a7de745 4887 struct label *label, /* NULLOK */
2d21ac55 4888 const char *name,
0a7de745
A		 4889 struct uio *uio /* NULLOK */
4890 );
4891/**
4892 * @brief Access control check for ioctl
4893 * @param cred Subject credential
4894 * @param vp Object vnode
4895 * @param label Policy label for vp
4896 * @param cmd Device-dependent request code; see ioctl(2)
4897 *
4898 * Determine whether the subject identified by the credential can perform
4899 * the ioctl operation indicated by com.
4900 *
4901 * @warning Since ioctl data is opaque from the standpoint of the MAC
4902 * framework, and since ioctls can affect many aspects of system
4903 * operation, policies must exercise extreme care when implementing
4904 * access control checks.
4905 *
4906 * @return Return 0 if access is granted, otherwise an appropriate value for
4907 * errno should be returned.
4908 */
2d21ac55
A		 4909typedef int mpo_vnode_check_ioctl_t(
4910 kauth_cred_t cred,
4911 struct vnode *vp,
4912 struct label *label,
4913 unsigned int cmd
0a7de745 4914 );
2d21ac55 4915/**
0a7de745
A		 4916 * @brief Access control check for vnode kqfilter
4917 * @param active_cred Subject credential
4918 * @param kn Object knote
4919 * @param vp Object vnode
4920 * @param label Policy label for vp
4921 *
4922 * Determine whether the subject identified by the credential can
4923 * receive the knote on the passed vnode.
4924 *
4925 * @return Return 0 if access if granted, otherwise an appropriate
4926 * value for errno should be returned.
4927 */
2d21ac55
A		 4928typedef int mpo_vnode_check_kqfilter_t(
4929 kauth_cred_t active_cred,
0a7de745 4930 kauth_cred_t file_cred, /* NULLOK */
2d21ac55
A		 4931 struct knote *kn,
4932 struct vnode *vp,
4933 struct label *label
0a7de745
A		 4934 );
4935/**
4936 * @brief Access control check for relabel
4937 * @param cred Subject credential
4938 * @param vp Object vnode
4939 * @param vnodelabel Existing policy label for vp
4940 * @param newlabel Policy label update to later be applied to vp
4941 * @see mpo_relable_vnode_t
4942 *
4943 * Determine whether the subject identified by the credential can relabel
4944 * the passed vnode to the passed label update. If all policies permit
4945 * the label change, the actual relabel entry point (mpo_vnode_label_update)
4946 * will follow.
4947 *
4948 * @return Return 0 if access is granted, otherwise an appropriate value for
4949 * errno should be returned.
4950 */
2d21ac55
A		 4951typedef int mpo_vnode_check_label_update_t(
4952 struct ucred *cred,
4953 struct vnode *vp,
4954 struct label *vnodelabel,
4955 struct label *newlabel
0a7de745
A		 4956 );
4957/**
4958 * @brief Access control check for creating link
4959 * @param cred Subject credential
4960 * @param dvp Directory vnode
4961 * @param dlabel Policy label associated with dvp
4962 * @param vp Link destination vnode
4963 * @param label Policy label associated with vp
4964 * @param cnp Component name for the link being created
4965 *
4966 * Determine whether the subject identified by the credential should be
4967 * allowed to create a link to the vnode vp with the name specified by cnp.
4968 *
4969 * @return Return 0 if access is granted, otherwise an appropriate value for
4970 * errno should be returned.
4971 */
2d21ac55
A		 4972typedef int mpo_vnode_check_link_t(
4973 kauth_cred_t cred,
4974 struct vnode *dvp,
4975 struct label *dlabel,
4976 struct vnode *vp,
4977 struct label *label,
4978 struct componentname *cnp
0a7de745 4979 );
2d21ac55 4980/**
0a7de745
A		 4981 * @brief Access control check for listing extended attributes
4982 * @param cred Subject credential
4983 * @param vp Object vnode
4984 * @param vlabel Policy label associated with vp
4985 *
4986 * Determine whether the subject identified by the credential can retrieve
4987 * a list of named extended attributes from a vnode.
4988 *
4989 * @return Return 0 if access is granted, otherwise an appropriate value for
4990 * errno should be returned.
4991 */
2d21ac55
A		 4992typedef int mpo_vnode_check_listextattr_t(
4993 kauth_cred_t cred,
4994 struct vnode *vp,
4995 struct label *vlabel
0a7de745
A		 4996 );
4997/**
4998 * @brief Access control check for lookup
4999 * @param cred Subject credential
5000 * @param dvp Directory vnode
5001 * @param dlabel Policy label for dvp
5002 * @param path Path being looked up
5003 * @param pathlen Length of path in bytes
5004 *
5005 * Determine whether the subject identified by the credential can perform
5006 * a lookup of the passed path relative to the passed directory vnode.
5007 *
5008 * @return Return 0 if access is granted, otherwise an appropriate value for
5009 * errno should be returned. Suggested failure: EACCES for label mismatch or
5010 * EPERM for lack of privilege.
5011 *
5012 * @note The path may contain untrusted input. If approved, lookup proceeds
5013 * on the path; if a component is found to be a symlink then this hook is
5014 * called again with the updated path.
5015 */
5ba3f43e
A		 5016typedef int mpo_vnode_check_lookup_preflight_t(
5017 kauth_cred_t cred,
5018 struct vnode *dvp,
5019 struct label *dlabel,
5020 const char *path,
5021 size_t pathlen
0a7de745 5022 );
2d21ac55 5023/**
0a7de745
A		 5024 * @brief Access control check for lookup
5025 * @param cred Subject credential
5026 * @param dvp Object vnode
5027 * @param dlabel Policy label for dvp
5028 * @param cnp Component name being looked up
5029 *
5030 * Determine whether the subject identified by the credential can perform
5031 * a lookup in the passed directory vnode for the passed name (cnp).
5032 *
5033 * @return Return 0 if access is granted, otherwise an appropriate value for
5034 * errno should be returned. Suggested failure: EACCES for label mismatch or
5035 * EPERM for lack of privilege.
5036 */
2d21ac55
A		 5037typedef int mpo_vnode_check_lookup_t(
5038 kauth_cred_t cred,
5039 struct vnode *dvp,
5040 struct label *dlabel,
5041 struct componentname *cnp
0a7de745 5042 );
2d21ac55 5043/**
0a7de745
A		 5044 * @brief Access control check for open
5045 * @param cred Subject credential
5046 * @param vp Object vnode
5047 * @param label Policy label associated with vp
5048 * @param acc_mode open(2) access mode
5049 *
5050 * Determine whether the subject identified by the credential can perform
5051 * an open operation on the passed vnode with the passed access mode.
5052 *
5053 * @return Return 0 if access is granted, otherwise an appropriate value for
5054 * errno should be returned. Suggested failure: EACCES for label mismatch or
5055 * EPERM for lack of privilege.
5056 */
2d21ac55
A		 5057typedef int mpo_vnode_check_open_t(
5058 kauth_cred_t cred,
5059 struct vnode *vp,
5060 struct label *label,
5061 int acc_mode
0a7de745 5062 );
2d21ac55 5063/**
0a7de745
A		 5064 * @brief Access control check for read
5065 * @param active_cred Subject credential
5066 * @param file_cred Credential associated with the struct fileproc
5067 * @param vp Object vnode
5068 * @param label Policy label for vp
5069 *
5070 * Determine whether the subject identified by the credential can perform
5071 * a read operation on the passed vnode. The active_cred hold the credentials
5072 * of the subject performing the operation, and file_cred holds the
5073 * credentials of the subject that originally opened the file.
5074 *
5075 * @return Return 0 if access is granted, otherwise an appropriate value for
5076 * errno should be returned. Suggested failure: EACCES for label mismatch or
5077 * EPERM for lack of privilege.
5078 */
2d21ac55 5079typedef int mpo_vnode_check_read_t(
0a7de745
A		 5080 kauth_cred_t active_cred, /* SUBJECT */
5081 kauth_cred_t file_cred, /* NULLOK */
5082 struct vnode *vp, /* OBJECT */
5083 struct label *label /* LABEL */
5084 );
5085/**
5086 * @brief Access control check for read directory
5087 * @param cred Subject credential
5088 * @param dvp Object directory vnode
5089 * @param dlabel Policy label for dvp
5090 *
5091 * Determine whether the subject identified by the credential can
5092 * perform a readdir operation on the passed directory vnode.
5093 *
5094 * @return Return 0 if access is granted, otherwise an appropriate value for
5095 * errno should be returned. Suggested failure: EACCES for label mismatch or
5096 * EPERM for lack of privilege.
5097 */
2d21ac55 5098typedef int mpo_vnode_check_readdir_t(
0a7de745
A		 5099 kauth_cred_t cred, /* SUBJECT */
5100 struct vnode *dvp, /* OBJECT */
5101 struct label *dlabel /* LABEL */
5102 );
5103/**
5104 * @brief Access control check for read link
5105 * @param cred Subject credential
5106 * @param vp Object vnode
5107 * @param label Policy label for vp
5108 *
5109 * Determine whether the subject identified by the credential can perform
5110 * a readlink operation on the passed symlink vnode. This call can be made
5111 * in a number of situations, including an explicit readlink call by the
5112 * user process, or as a result of an implicit readlink during a name
5113 * lookup by the process.
5114 *
5115 * @return Return 0 if access is granted, otherwise an appropriate value for
5116 * errno should be returned. Suggested failure: EACCES for label mismatch or
5117 * EPERM for lack of privilege.
5118 */
2d21ac55
A		 5119typedef int mpo_vnode_check_readlink_t(
5120 kauth_cred_t cred,
5121 struct vnode *vp,
5122 struct label *label
0a7de745
A		 5123 );
5124/**
5125 * @brief Access control check for rename
5126 * @param cred Subject credential
5127 * @param dvp Directory vnode
5128 * @param dlabel Policy label associated with dvp
5129 * @param vp vnode to be renamed
5130 * @param label Policy label associated with vp
5131 * @param cnp Component name for vp
5132 * @param tdvp Destination directory vnode
5133 * @param tdlabel Policy label associated with tdvp
5134 * @param tvp Overwritten vnode
5135 * @param tlabel Policy label associated with tvp
5136 * @param tcnp Destination component name
5137 *
5138 * Determine whether the subject identified by the credential should be allowed
5139 * to rename the vnode vp to something else.
5140 *
5141 * @return Return 0 if access is granted, otherwise an appropriate value for
5142 * errno should be returned.
5143 */
fe8ab488
A		 5144typedef int mpo_vnode_check_rename_t(
5145 kauth_cred_t cred,
5146 struct vnode *dvp,
5147 struct label *dlabel,
5148 struct vnode *vp,
5149 struct label *label,
5150 struct componentname *cnp,
5151 struct vnode *tdvp,
5152 struct label *tdlabel,
5153 struct vnode *tvp,
5154 struct label *tlabel,
5155 struct componentname *tcnp
0a7de745
A		 5156 );
5157/**
5158 * @brief Access control check for rename from
5159 * @param cred Subject credential
5160 * @param dvp Directory vnode
5161 * @param dlabel Policy label associated with dvp
5162 * @param vp vnode to be renamed
5163 * @param label Policy label associated with vp
5164 * @param cnp Component name for vp
5165 * @see mpo_vnode_check_rename_t
5166 * @see mpo_vnode_check_rename_to_t
5167 *
5168 * Determine whether the subject identified by the credential should be
5169 * allowed to rename the vnode vp to something else.
5170 *
5171 * Due to VFS locking constraints (to make sure proper vnode locks are
5172 * held during this entry point), the vnode relabel checks had to be
5173 * split into two parts: relabel_from and relabel to.
5174 *
5175 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
5176 *
5177 * @return Return 0 if access is granted, otherwise an appropriate value for
5178 * errno should be returned.
5179 */
2d21ac55
A		 5180typedef int mpo_vnode_check_rename_from_t(
5181 kauth_cred_t cred,
5182 struct vnode *dvp,
5183 struct label *dlabel,
5184 struct vnode *vp,
5185 struct label *label,
5186 struct componentname *cnp
0a7de745
A		 5187 );
5188/**
5189 * @brief Access control check for rename to
5190 * @param cred Subject credential
5191 * @param dvp Directory vnode
5192 * @param dlabel Policy label associated with dvp
5193 * @param vp Overwritten vnode
5194 * @param label Policy label associated with vp
5195 * @param samedir Boolean; 1 if the source and destination directories are the same
5196 * @param cnp Destination component name
5197 * @see mpo_vnode_check_rename_t
5198 * @see mpo_vnode_check_rename_from_t
5199 *
5200 * Determine whether the subject identified by the credential should be
5201 * allowed to rename to the vnode vp, into the directory dvp, or to the
5202 * name represented by cnp. If there is no existing file to overwrite,
5203 * vp and label will be NULL.
5204 *
5205 * Due to VFS locking constraints (to make sure proper vnode locks are
5206 * held during this entry point), the vnode relabel checks had to be
5207 * split into two parts: relabel_from and relabel to.
5208 *
5209 * This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
5210 *
5211 * @return Return 0 if access is granted, otherwise an appropriate value for
5212 * errno should be returned.
5213 */
2d21ac55
A		 5214typedef int mpo_vnode_check_rename_to_t(
5215 kauth_cred_t cred,
5216 struct vnode *dvp,
5217 struct label *dlabel,
0a7de745
A		 5218 struct vnode *vp, /* NULLOK */
5219 struct label *label, /* NULLOK */
2d21ac55
A		 5220 int samedir,
5221 struct componentname *cnp
0a7de745 5222 );
2d21ac55 5223/**
0a7de745
A		 5224 * @brief Access control check for revoke
5225 * @param cred Subject credential
5226 * @param vp Object vnode
5227 * @param label Policy label for vp
5228 *
5229 * Determine whether the subject identified by the credential can revoke
5230 * access to the passed vnode.
5231 *
5232 * @return Return 0 if access is granted, otherwise an appropriate value for
5233 * errno should be returned. Suggested failure: EACCES for label mismatch or
5234 * EPERM for lack of privilege.
5235 */
2d21ac55
A		 5236typedef int mpo_vnode_check_revoke_t(
5237 kauth_cred_t cred,
5238 struct vnode *vp,
5239 struct label *label
0a7de745 5240 );
6d2010ae 5241/**
0a7de745
A		 5242 * @brief Access control check for searchfs
5243 * @param cred Subject credential
5244 * @param vp Object vnode
5245 * @param vlabel Policy label for vp
5246 * @param alist List of attributes used as search criteria
5247 *
5248 * Determine whether the subject identified by the credential can search the
5249 * vnode using the searchfs system call.
5250 *
5251 * @return Return 0 if access is granted, otherwise an appropriate value for
5252 * errno should be returned.
5253 */
6d2010ae
A		 5254typedef int mpo_vnode_check_searchfs_t(
5255 kauth_cred_t cred,
5256 struct vnode *vp,
5257 struct label *vlabel,
5258 struct attrlist *alist
0a7de745 5259 );
2d21ac55 5260/**
0a7de745
A		 5261 * @brief Access control check for select
5262 * @param cred Subject credential
5263 * @param vp Object vnode
5264 * @param label Policy label for vp
5265 * @param which The operation selected on: FREAD or FWRITE
5266 *
5267 * Determine whether the subject identified by the credential can select
5268 * the vnode.
5269 *
5270 * @return Return 0 if access is granted, otherwise an appropriate value for
5271 * errno should be returned.
5272 */
2d21ac55
A		 5273typedef int mpo_vnode_check_select_t(
5274 kauth_cred_t cred,
5275 struct vnode *vp,
5276 struct label *label,
5277 int which
0a7de745 5278 );
39037602 5279/**
0a7de745
A		 5280 * @brief Access control check for setting ACL
5281 * @param cred Subject credential
5282 * @param vp Object node
5283 * @param label Policy label for vp
5284 * @param acl ACL structure pointer
5285 *
5286 * Determine whether the subject identified by the credential can set an ACL
5287 * on the specified vnode. The ACL pointer will be NULL when removing an ACL.
5288 *
5289 * @return Return 0 if access is granted, otherwise an appropriate value for
5290 * errno should be returned. Suggested failure: EACCES for label mismatch or
5291 * EPERM for lack of privilege.
5292 */
39037602
A		 5293typedef int mpo_vnode_check_setacl_t(
5294 kauth_cred_t cred,
5295 struct vnode *vp,
5296 struct label *label,
5297 struct kauth_acl *acl
0a7de745 5298 );
2d21ac55 5299/**
0a7de745
A		 5300 * @brief Access control check for setting file attributes
5301 * @param cred Subject credential
5302 * @param vp Object vnode
5303 * @param vlabel Policy label for vp
5304 * @param alist List of attributes to set
5305 *
5306 * Determine whether the subject identified by the credential can set
5307 * various attributes of the specified vnode, or the filesystem or volume on
5308 * which that vnode resides. See <sys/attr.h> for definitions of the
5309 * attributes.
5310 *
5311 * @return Return 0 if access is granted, otherwise an appropriate value for
5312 * errno should be returned. Suggested failure: EACCES for label mismatch or
5313 * EPERM for lack of privilege. Access control covers all attributes requested
5314 * with this call.
5315 */
2d21ac55
A		 5316typedef int mpo_vnode_check_setattrlist_t(
5317 kauth_cred_t cred,
5318 struct vnode *vp,
5319 struct label *vlabel,
5320 struct attrlist *alist
0a7de745
A		 5321 );
5322/**
5323 * @brief Access control check for setting extended attribute
5324 * @param cred Subject credential
5325 * @param vp Object vnode
5326 * @param label Policy label for vp
5327 * @param name Extended attribute name
5328 * @param uio I/O structure pointer
5329 *
5330 * Determine whether the subject identified by the credential can set the
5331 * extended attribute of passed name and passed namespace on the passed
5332 * vnode. Policies implementing security labels backed into extended
5333 * attributes may want to provide additional protections for those
5334 * attributes. Additionally, policies should avoid making decisions based
5335 * on the data referenced from uio, as there is a potential race condition
5336 * between this check and the actual operation. The uio may also be NULL
5337 * if a delete operation is being performed.
5338 *
5339 * @return Return 0 if access is granted, otherwise an appropriate value for
5340 * errno should be returned. Suggested failure: EACCES for label mismatch or
5341 * EPERM for lack of privilege.
5342 */
2d21ac55
A		 5343typedef int mpo_vnode_check_setextattr_t(
5344 kauth_cred_t cred,
5345 struct vnode *vp,
5346 struct label *label,
5347 const char *name,
5348 struct uio *uio
0a7de745 5349 );
2d21ac55 5350/**
0a7de745
A		 5351 * @brief Access control check for setting flags
5352 * @param cred Subject credential
5353 * @param vp Object vnode
5354 * @param label Policy label for vp
5355 * @param flags File flags; see chflags(2)
5356 *
5357 * Determine whether the subject identified by the credential can set
5358 * the passed flags on the passed vnode.
5359 *
5360 * @return Return 0 if access is granted, otherwise an appropriate value for
5361 * errno should be returned. Suggested failure: EACCES for label mismatch or
5362 * EPERM for lack of privilege.
5363 */
2d21ac55
A		 5364typedef int mpo_vnode_check_setflags_t(
5365 kauth_cred_t cred,
5366 struct vnode *vp,
5367 struct label *label,
5368 u_long flags
0a7de745 5369 );
2d21ac55 5370/**
0a7de745
A		 5371 * @brief Access control check for setting mode
5372 * @param cred Subject credential
5373 * @param vp Object vnode
5374 * @param label Policy label for vp
5375 * @param mode File mode; see chmod(2)
5376 *
5377 * Determine whether the subject identified by the credential can set
5378 * the passed mode on the passed vnode.
5379 *
5380 * @return Return 0 if access is granted, otherwise an appropriate value for
5381 * errno should be returned. Suggested failure: EACCES for label mismatch or
5382 * EPERM for lack of privilege.
5383 */
2d21ac55
A		 5384typedef int mpo_vnode_check_setmode_t(
5385 kauth_cred_t cred,
5386 struct vnode *vp,
5387 struct label *label,
5388 mode_t mode
0a7de745
A		 5389 );
5390/**
5391 * @brief Access control check for setting uid and gid
5392 * @param cred Subject credential
5393 * @param vp Object vnode
5394 * @param label Policy label for vp
5395 * @param uid User ID
5396 * @param gid Group ID
5397 *
5398 * Determine whether the subject identified by the credential can set
5399 * the passed uid and passed gid as file uid and file gid on the passed
5400 * vnode. The IDs may be set to (-1) to request no update.
5401 *
5402 * @return Return 0 if access is granted, otherwise an appropriate value for
5403 * errno should be returned. Suggested failure: EACCES for label mismatch or
5404 * EPERM for lack of privilege.
5405 */
2d21ac55
A		 5406typedef int mpo_vnode_check_setowner_t(
5407 kauth_cred_t cred,
5408 struct vnode *vp,
5409 struct label *label,
5410 uid_t uid,
5411 gid_t gid
0a7de745
A		 5412 );
5413/**
5414 * @brief Access control check for setting timestamps
5415 * @param cred Subject credential
5416 * @param vp Object vnode
5417 * @param label Policy label for vp
5418 * @param atime Access time; see utimes(2)
5419 * @param mtime Modification time; see utimes(2)
5420 *
5421 * Determine whether the subject identified by the credential can set
5422 * the passed access timestamps on the passed vnode.
5423 *
5424 * @return Return 0 if access is granted, otherwise an appropriate value for
5425 * errno should be returned. Suggested failure: EACCES for label mismatch or
5426 * EPERM for lack of privilege.
5427 */
2d21ac55
A		 5428typedef int mpo_vnode_check_setutimes_t(
5429 kauth_cred_t cred,
5430 struct vnode *vp,
5431 struct label *label,
5432 struct timespec atime,
5433 struct timespec mtime
0a7de745
A		 5434 );
5435/**
5436 * @brief Access control check after determining the code directory hash
5437 * @param vp vnode vnode to combine into proc
5438 * @param label label associated with the vnode
5439 * @param cpu_type cpu type of the signature being checked
5440 * @param cs_blob the code signature to check
5441 * @param cs_flags update code signing flags if needed
5442 * @param signer_type output parameter for the code signature's signer type
5443 * @param flags operational flag to mpo_vnode_check_signature
5444 * @param fatal_failure_desc description of fatal failure
5445 * @param fatal_failure_desc_len failure description len, failure is fatal if non-0
5446 *
5447 * @return Return 0 if access is granted, otherwise an appropriate value for
5448 * errno should be returned.
743345f9
A		 5449 */
5450typedef int mpo_vnode_check_signature_t(
5451 struct vnode *vp,
5452 struct label *label,
d9a64523 5453 cpu_type_t cpu_type,
743345f9
A		 5454 struct cs_blob *cs_blob,
5455 unsigned int *cs_flags,
5ba3f43e 5456 unsigned int *signer_type,
743345f9
A		 5457 int flags,
5458 char **fatal_failure_desc, size_t *fatal_failure_desc_len
0a7de745 5459 );
2d21ac55 5460/**
0a7de745
A		 5461 * @brief Access control check for stat
5462 * @param active_cred Subject credential
5463 * @param file_cred Credential associated with the struct fileproc
5464 * @param vp Object vnode
5465 * @param label Policy label for vp
5466 *
5467 * Determine whether the subject identified by the credential can stat
5468 * the passed vnode. See stat(2) for more information. The active_cred
5469 * hold the credentials of the subject performing the operation, and
5470 * file_cred holds the credentials of the subject that originally
5471 * opened the file.
5472 *
5473 * @return Return 0 if access is granted, otherwise an appropriate value for
5474 * errno should be returned. Suggested failure: EACCES for label mismatch or
5475 * EPERM for lack of privilege.
5476 */
2d21ac55
A		 5477typedef int mpo_vnode_check_stat_t(
5478 struct ucred *active_cred,
0a7de745 5479 struct ucred *file_cred, /* NULLOK */
2d21ac55
A		 5480 struct vnode *vp,
5481 struct label *label
0a7de745 5482 );
527f9951 5483/**
0a7de745
A		 5484 * @brief Access control check for vnode trigger resolution
5485 * @param cred Subject credential
5486 * @param dvp Object vnode
5487 * @param dlabel Policy label for dvp
5488 * @param cnp Component name that triggered resolution
5489 *
5490 * Determine whether the subject identified by the credential can trigger
5491 * resolution of the passed name (cnp) in the passed directory vnode
5492 * via an external trigger resolver.
5493 *
5494 * @return Return 0 if access is granted, otherwise an appropriate value for
5495 * errno should be returned. Suggested failure: EACCES for label mismatch or
5496 * EPERM for lack of privilege.
5497 */
527f9951
A		 5498typedef int mpo_vnode_check_trigger_resolve_t(
5499 kauth_cred_t cred,
5500 struct vnode *dvp,
5501 struct label *dlabel,
5502 struct componentname *cnp
0a7de745
A		 5503 );
5504/**
5505 * @brief Access control check for truncate/ftruncate
5506 * @param active_cred Subject credential
5507 * @param file_cred Credential associated with the struct fileproc
5508 * @param vp Object vnode
5509 * @param label Policy label for vp
5510 *
5511 * Determine whether the subject identified by the credential can
5512 * perform a truncate operation on the passed vnode. The active_cred hold
5513 * the credentials of the subject performing the operation, and
5514 * file_cred holds the credentials of the subject that originally
5515 * opened the file.
5516 *
5517 * @return Return 0 if access is granted, otherwise an appropriate value for
5518 * errno should be returned. Suggested failure: EACCES for label mismatch or
5519 * EPERM for lack of privilege.
5520 */
2d21ac55
A		 5521typedef int mpo_vnode_check_truncate_t(
5522 kauth_cred_t active_cred,
0a7de745 5523 kauth_cred_t file_cred, /* NULLOK */
2d21ac55
A		 5524 struct vnode *vp,
5525 struct label *label
0a7de745
A		 5526 );
5527/**
5528 * @brief Access control check for binding UNIX domain socket
5529 * @param cred Subject credential
5530 * @param dvp Directory vnode
5531 * @param dlabel Policy label for dvp
5532 * @param cnp Component name for dvp
5533 * @param vap vnode attributes for vap
5534 *
5535 * Determine whether the subject identified by the credential can perform a
5536 * bind operation on a UNIX domain socket with the passed parent directory,
5537 * passed name information, and passed attribute information.
5538 *
5539 * @return Return 0 if access is granted, otherwise an appropriate value for
5540 * errno should be returned. Suggested failure: EACCES for label mismatch or
5541 * EPERM for lack of privilege.
5542 */
b0d623f7
A		 5543typedef int mpo_vnode_check_uipc_bind_t(
5544 kauth_cred_t cred,
5545 struct vnode *dvp,
5546 struct label *dlabel,
5547 struct componentname *cnp,
5548 struct vnode_attr *vap
0a7de745 5549 );
b0d623f7 5550/**
0a7de745
A		 5551 * @brief Access control check for connecting UNIX domain socket
5552 * @param cred Subject credential
5553 * @param vp Object vnode
5554 * @param label Policy label associated with vp
5555 * @param so Socket
5556 *
5557 * Determine whether the subject identified by the credential can perform a
5558 * connect operation on the passed UNIX domain socket vnode.
5559 *
5560 * @return Return 0 if access is granted, otherwise an appropriate value for
5561 * errno should be returned. Suggested failure: EACCES for label mismatch or
5562 * EPERM for lack of privilege.
5563 */
b0d623f7
A		 5564typedef int mpo_vnode_check_uipc_connect_t(
5565 kauth_cred_t cred,
5566 struct vnode *vp,
39037602
A		 5567 struct label *label,
5568 socket_t so
0a7de745
A		 5569 );
5570/**
5571 * @brief Access control check for deleting vnode
5572 * @param cred Subject credential
5573 * @param dvp Parent directory vnode
5574 * @param dlabel Policy label for dvp
5575 * @param vp Object vnode to delete
5576 * @param label Policy label for vp
5577 * @param cnp Component name for vp
5578 * @see mpo_check_rename_to_t
5579 *
5580 * Determine whether the subject identified by the credential can delete
5581 * a vnode from the passed parent directory and passed name information.
5582 * This call may be made in a number of situations, including as a
5583 * results of calls to unlink(2) and rmdir(2). Policies implementing
5584 * this entry point should also implement mpo_check_rename_to to
5585 * authorize deletion of objects as a result of being the target of a rename.
5586 *
5587 * @return Return 0 if access is granted, otherwise an appropriate value for
5588 * errno should be returned. Suggested failure: EACCES for label mismatch or
5589 * EPERM for lack of privilege.
5590 */
2d21ac55
A		 5591typedef int mpo_vnode_check_unlink_t(
5592 kauth_cred_t cred,
5593 struct vnode *dvp,
5594 struct label *dlabel,
5595 struct vnode *vp,
5596 struct label *label,
5597 struct componentname *cnp
0a7de745 5598 );
2d21ac55 5599/**
0a7de745
A		 5600 * @brief Access control check for write
5601 * @param active_cred Subject credential
5602 * @param file_cred Credential associated with the struct fileproc
5603 * @param vp Object vnode
5604 * @param label Policy label for vp
5605 *
5606 * Determine whether the subject identified by the credential can
5607 * perform a write operation on the passed vnode. The active_cred hold
5608 * the credentials of the subject performing the operation, and
5609 * file_cred holds the credentials of the subject that originally
5610 * opened the file.
5611 *
5612 * @return Return 0 if access is granted, otherwise an appropriate value for
5613 * errno should be returned. Suggested failure: EACCES for label mismatch or
5614 * EPERM for lack of privilege.
5615 */
2d21ac55
A		 5616typedef int mpo_vnode_check_write_t(
5617 kauth_cred_t active_cred,
0a7de745 5618 kauth_cred_t file_cred, /* NULLOK */
2d21ac55
A		 5619 struct vnode *vp,
5620 struct label *label
0a7de745
A		 5621 );
5622/**
5623 * @brief Associate a vnode with a devfs entry
5624 * @param mp Devfs mount point
5625 * @param mntlabel Devfs mount point label
5626 * @param de Devfs directory entry
5627 * @param delabel Label associated with de
5628 * @param vp vnode associated with de
5629 * @param vlabel Label associated with vp
5630 *
5631 * Fill in the label (vlabel) for a newly created devfs vnode. The
5632 * label is typically derived from the label on the devfs directory
5633 * entry or the label on the filesystem, supplied as parameters.
5634 */
2d21ac55
A		 5635typedef void mpo_vnode_label_associate_devfs_t(
5636 struct mount *mp,
5637 struct label *mntlabel,
5638 struct devnode *de,
5639 struct label *delabel,
5640 struct vnode *vp,
5641 struct label *vlabel
0a7de745 5642 );
2d21ac55 5643/**
0a7de745
A		 5644 * @brief Associate a label with a vnode
5645 * @param mp File system mount point
5646 * @param mntlabel File system mount point label
5647 * @param vp Vnode to label
5648 * @param vlabel Label associated with vp
5649 *
5650 * Attempt to retrieve label information for the vnode, vp, from the
5651 * file system extended attribute store. The label should be stored in
5652 * the supplied vlabel parameter. If a policy cannot retrieve an
5653 * extended attribute, sometimes it is acceptible to fallback to using
5654 * the mntlabel.
5655 *
5656 * If the policy requires vnodes to have a valid label elsewhere it
5657 * MUST NOT return other than temporary errors, and must always provide
5658 * a valid label of some sort. Returning an error will cause vnode
5659 * labeling to be retried at a later access. Failure to handle policy
5660 * centric errors internally (corrupt labels etc.) will result in
5661 * inaccessible files.
5662 *
5663 * @return In the event of an error, an appropriate value for errno
5664 * should be returned, otherwise return 0 upon success.
5665 */
2d21ac55
A		 5666typedef int mpo_vnode_label_associate_extattr_t(
5667 struct mount *mp,
5668 struct label *mntlabel,
5669 struct vnode *vp,
5670 struct label *vlabel
0a7de745
A		 5671 );
5672/**
5673 * @brief Associate a file label with a vnode
5674 * @param cred User credential
5675 * @param mp Fdesc mount point
5676 * @param mntlabel Fdesc mount point label
5677 * @param fg Fileglob structure
5678 * @param label Policy label for fg
5679 * @param vp Vnode to label
5680 * @param vlabel Label associated with vp
5681 *
5682 * Associate label information for the vnode, vp, with the label of
5683 * the open file descriptor described by fg.
5684 * The label should be stored in the supplied vlabel parameter.
5685 */
2d21ac55
A		 5686typedef void mpo_vnode_label_associate_file_t(
5687 struct ucred *cred,
5688 struct mount *mp,
5689 struct label *mntlabel,
5690 struct fileglob *fg,
5691 struct label *label,
5692 struct vnode *vp,
5693 struct label *vlabel
0a7de745
A		 5694 );
5695/**
5696 * @brief Associate a pipe label with a vnode
5697 * @param cred User credential for the process that opened the pipe
5698 * @param cpipe Pipe structure
5699 * @param pipelabel Label associated with pipe
5700 * @param vp Vnode to label
5701 * @param vlabel Label associated with vp
5702 *
5703 * Associate label information for the vnode, vp, with the label of
5704 * the pipe described by the pipe structure cpipe.
5705 * The label should be stored in the supplied vlabel parameter.
5706 */
2d21ac55
A		 5707typedef void mpo_vnode_label_associate_pipe_t(
5708 struct ucred *cred,
5709 struct pipe *cpipe,
5710 struct label *pipelabel,
5711 struct vnode *vp,
5712 struct label *vlabel
0a7de745
A		 5713 );
5714/**
5715 * @brief Associate a POSIX semaphore label with a vnode
5716 * @param cred User credential for the process that create psem
5717 * @param psem POSIX semaphore structure
5718 * @param psemlabel Label associated with psem
5719 * @param vp Vnode to label
5720 * @param vlabel Label associated with vp
5721 *
5722 * Associate label information for the vnode, vp, with the label of
5723 * the POSIX semaphore described by psem.
5724 * The label should be stored in the supplied vlabel parameter.
5725 */
2d21ac55
A		 5726typedef void mpo_vnode_label_associate_posixsem_t(
5727 struct ucred *cred,
5728 struct pseminfo *psem,
5729 struct label *psemlabel,
5730 struct vnode *vp,
5731 struct label *vlabel
0a7de745
A		 5732 );
5733/**
5734 * @brief Associate a POSIX shared memory label with a vnode
5735 * @param cred User credential for the process that created pshm
5736 * @param pshm POSIX shared memory structure
5737 * @param pshmlabel Label associated with pshm
5738 * @param vp Vnode to label
5739 * @param vlabel Label associated with vp
5740 *
5741 * Associate label information for the vnode, vp, with the label of
5742 * the POSIX shared memory region described by pshm.
5743 * The label should be stored in the supplied vlabel parameter.
5744 */
2d21ac55
A		 5745typedef void mpo_vnode_label_associate_posixshm_t(
5746 struct ucred *cred,
5747 struct pshminfo *pshm,
5748 struct label *pshmlabel,
5749 struct vnode *vp,
5750 struct label *vlabel
0a7de745 5751 );
2d21ac55 5752/**
0a7de745
A		 5753 * @brief Associate a label with a vnode
5754 * @param mp File system mount point
5755 * @param mntlabel File system mount point label
5756 * @param vp Vnode to label
5757 * @param vlabel Label associated with vp
5758 *
5759 * On non-multilabel file systems, set the label for a vnode. The
5760 * label will most likely be based on the file system label.
5761 */
2d21ac55
A		 5762typedef void mpo_vnode_label_associate_singlelabel_t(
5763 struct mount *mp,
5764 struct label *mntlabel,
5765 struct vnode *vp,
5766 struct label *vlabel
0a7de745
A		 5767 );
5768/**
5769 * @brief Associate a socket label with a vnode
5770 * @param cred User credential for the process that opened the socket
5771 * @param so Socket structure
5772 * @param solabel Label associated with so
5773 * @param vp Vnode to label
5774 * @param vlabel Label associated with vp
5775 *
5776 * Associate label information for the vnode, vp, with the label of
5777 * the open socket described by the socket structure so.
5778 * The label should be stored in the supplied vlabel parameter.
5779 */
2d21ac55
A		 5780typedef void mpo_vnode_label_associate_socket_t(
5781 kauth_cred_t cred,
5782 socket_t so,
5783 struct label *solabel,
5784 struct vnode *vp,
5785 struct label *vlabel
0a7de745 5786 );
2d21ac55 5787/**
0a7de745
A		 5788 * @brief Copy a vnode label
5789 * @param src Source vnode label
5790 * @param dest Destination vnode label
5791 *
5792 * Copy the vnode label information from src to dest. On Darwin, this
5793 * is currently only necessary when executing interpreted scripts, but
5794 * will later be used if vnode label externalization cannot be an
5795 * atomic operation.
5796 */
2d21ac55
A		 5797typedef void mpo_vnode_label_copy_t(
5798 struct label *src,
5799 struct label *dest
0a7de745 5800 );
2d21ac55 5801/**
0a7de745
A		 5802 * @brief Destroy vnode label
5803 * @param label The label to be destroyed
5804 *
5805 * Destroy a vnode label. Since the object is going out of scope,
5806 * policy modules should free any internal storage associated with the
5807 * label so that it may be destroyed.
5808 */
2d21ac55
A		 5809typedef void mpo_vnode_label_destroy_t(
5810 struct label *label
0a7de745 5811 );
2d21ac55 5812/**
0a7de745
A		 5813 * @brief Externalize a vnode label for auditing
5814 * @param label Label to be externalized
5815 * @param element_name Name of the label namespace for which labels should be
5816 * externalized
5817 * @param sb String buffer to be filled with a text representation of the label
5818 *
5819 * Produce an external representation of the label on a vnode suitable for
5820 * inclusion in an audit record. An externalized label consists of a text
5821 * representation of the label contents that will be added to the audit record
5822 * as part of a text token. Policy-agnostic user space tools will display
5823 * this externalized version.
5824 *
5825 * @return 0 on success, return non-zero if an error occurs while
5826 * externalizing the label data.
5827 *
5828 */
2d21ac55
A		 5829typedef int mpo_vnode_label_externalize_audit_t(
5830 struct label *label,
5831 char *element_name,
5832 struct sbuf *sb
0a7de745 5833 );
2d21ac55 5834/**
0a7de745
A		 5835 * @brief Externalize a vnode label
5836 * @param label Label to be externalized
5837 * @param element_name Name of the label namespace for which labels should be
5838 * externalized
5839 * @param sb String buffer to be filled with a text representation of the label
5840 *
5841 * Produce an external representation of the label on a vnode. An
5842 * externalized label consists of a text representation of the label
5843 * contents that can be used with user applications. Policy-agnostic
5844 * user space tools will display this externalized version.
5845 *
5846 * @return 0 on success, return non-zero if an error occurs while
5847 * externalizing the label data.
5848 *
5849 */
2d21ac55
A		 5850typedef int mpo_vnode_label_externalize_t(
5851 struct label *label,
5852 char *element_name,
5853 struct sbuf *sb
0a7de745 5854 );
2d21ac55 5855/**
0a7de745
A		 5856 * @brief Initialize vnode label
5857 * @param label New label to initialize
5858 *
5859 * Initialize label storage for use with a newly instantiated vnode, or
5860 * for temporary storage associated with the copying in or out of a
5861 * vnode label. While it is necessary to allocate space for a
5862 * kernel-resident vnode label, it is not yet necessary to link this vnode
5863 * with persistent label storage facilities, such as extended attributes.
5864 * Sleeping is permitted.
5865 */
2d21ac55
A		 5866typedef void mpo_vnode_label_init_t(
5867 struct label *label
0a7de745 5868 );
2d21ac55 5869/**
0a7de745
A		 5870 * @brief Internalize a vnode label
5871 * @param label Label to be internalized
5872 * @param element_name Name of the label namespace for which the label should
5873 * be internalized
5874 * @param element_data Text data to be internalized
5875 *
5876 * Produce a vnode label from an external representation. An
5877 * externalized label consists of a text representation of the label
5878 * contents that can be used with user applications. Policy-agnostic
5879 * user space tools will forward text version to the kernel for
5880 * processing by individual policy modules.
5881 *
5882 * The policy's internalize entry points will be called only if the
5883 * policy has registered interest in the label namespace.
5884 *
5885 * @return 0 on success, Otherwise, return non-zero if an error occurs
5886 * while internalizing the label data.
5887 */
2d21ac55
A		 5888typedef int mpo_vnode_label_internalize_t(
5889 struct label *label,
5890 char *element_name,
5891 char *element_data
0a7de745 5892 );
2d21ac55 5893/**
0a7de745 5894 * @brief Clean up a vnode label
cb323159 5895 * @param label The label to be cleaned or purged
0a7de745
A		 5896 *
5897 * Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but
5898 * typically never frees them. Before vnodes are placed back on free lists for
cb323159
A		 5899 * re-use, policies can cleanup or overwrite any information present in the label,
5900 * or free any internal resources used for the label.
0a7de745 5901 */
2d21ac55
A		 5902typedef void mpo_vnode_label_recycle_t(
5903 struct label *label
0a7de745 5904 );
2d21ac55 5905/**
0a7de745
A		 5906 * @brief Write a label to a extended attribute
5907 * @param cred Subject credential
5908 * @param vp The vnode for which the label is being stored
5909 * @param vlabel Label associated with vp
5910 * @param intlabel The new label to store
5911 *
5912 * Store a new label in the extended attribute corresponding to the
5913 * supplied vnode. The policy has already authorized the operation;
5914 * this call must be implemented in order to perform the actual
5915 * operation.
5916 *
5917 * @return In the event of an error, an appropriate value for errno
5918 * should be returned, otherwise return 0 upon success.
5919 *
5920 * @warning XXX After examining the extended attribute implementation on
5921 * Apple's future release, this entry point may be changed.
5922 */
2d21ac55
A		 5923typedef int mpo_vnode_label_store_t(
5924 kauth_cred_t cred,
5925 struct vnode *vp,
5926 struct label *vlabel,
5927 struct label *intlabel
0a7de745
A		 5928 );
5929/**
5930 * @brief Update vnode label from extended attributes
5931 * @param mp File system mount point
5932 * @param mntlabel Mount point label
5933 * @param vp Vnode to label
5934 * @param vlabel Label associated with vp
5935 * @param name Name of the xattr
5936 * @see mpo_vnode_check_setextattr_t
5937 *
5938 * When an extended attribute is updated via the Vendor attribute management
5939 * functions, the MAC vnode label might also require an update.
5940 * Policies should first determine if 'name' matches their xattr label
5941 * name. If it does, the kernel is has either replaced or removed the
5942 * named extended attribute that was previously associated with the
5943 * vnode. Normally labels should only be modified via MAC Framework label
5944 * management calls, but sometimes the user space components will directly
5945 * modify extended attributes. For example, 'cp', 'tar', etc. manage
5946 * extended attributes in userspace, not the kernel.
5947 *
5948 * This entry point is called after the label update has occurred, so
5949 * it cannot return a failure. However, the operation is preceded by
5950 * the mpo_vnode_check_setextattr() access control check.
5951 *
5952 * If the vnode label needs to be updated the policy should return
5953 * a non-zero value. The vnode label will be marked for re-association
5954 * by the framework.
5955 */
2d21ac55
A		 5956typedef int mpo_vnode_label_update_extattr_t(
5957 struct mount *mp,
5958 struct label *mntlabel,
5959 struct vnode *vp,
5960 struct label *vlabel,
5961 const char *name
0a7de745
A		 5962 );
5963/**
5964 * @brief Update a vnode label
5965 * @param cred Subject credential
5966 * @param vp The vnode to relabel
5967 * @param vnodelabel Existing vnode label
5968 * @param label New label to replace existing label
5969 * @see mpo_vnode_check_label_update_t
5970 *
5971 * The subject identified by the credential has previously requested
5972 * and was authorized to relabel the vnode; this entry point allows
5973 * policies to perform the actual relabel operation. Policies should
5974 * update vnodelabel using the label stored in the label parameter.
5975 */
2d21ac55
A		 5976typedef void mpo_vnode_label_update_t(
5977 kauth_cred_t cred,
5978 struct vnode *vp,
5979 struct label *vnodelabel,
5980 struct label *label
0a7de745 5981 );
39236c6e 5982/**
0a7de745
A		 5983 * @brief Find deatched signatures for a shared library
5984 * @param p file trying to find the signature
5985 * @param vp The vnode to relabel
5986 * @param offset offset in the macho that the signature is requested for (for fat binaries)
5987 * @param label Existing vnode label
5988 *
5989 */
39236c6e
A		 5990typedef int mpo_vnode_find_sigs_t(
5991 struct proc *p,
5992 struct vnode *vp,
5993 off_t offset,
5994 struct label *label
0a7de745
A		 5995 );
5996/**
5997 * @brief Create a new vnode, backed by extended attributes
5998 * @param cred User credential for the creating process
5999 * @param mp File system mount point
6000 * @param mntlabel File system mount point label
6001 * @param dvp Parent directory vnode
6002 * @param dlabel Parent directory vnode label
6003 * @param vp Newly created vnode
6004 * @param vlabel Label to associate with the new vnode
6005 * @param cnp Component name for vp
6006 *
6007 * Write out the label for the newly created vnode, most likely storing
6008 * the results in a file system extended attribute. Most policies will
6009 * derive the new vnode label using information from a combination
6010 * of the subject (user) credential, the file system label, the parent
6011 * directory label, and potentially the path name component.
6012 *
6013 * @return If the operation succeeds, store the new label in vlabel and
6014 * return 0. Otherwise, return an appropriate errno value.
6015 */
2d21ac55
A		 6016typedef int mpo_vnode_notify_create_t(
6017 kauth_cred_t cred,
6018 struct mount *mp,
6019 struct label *mntlabel,
6020 struct vnode *dvp,
6021 struct label *dlabel,
6022 struct vnode *vp,
6023 struct label *vlabel,
6024 struct componentname *cnp
0a7de745 6025 );
2d21ac55 6026
4b17d6b6 6027/**
0a7de745
A		 6028 * @brief Inform MAC policies that a vnode has been opened
6029 * @param cred User credential for the creating process
6030 * @param vp vnode opened
6031 * @param label Policy label for the vp
6032 * @param acc_mode open(2) access mode used
6033 *
6034 * Inform Mac policies that a vnode have been successfully opened
6035 * (passing all MAC polices and DAC).
6036 */
4b17d6b6
A		 6037typedef void mpo_vnode_notify_open_t(
6038 kauth_cred_t cred,
6039 struct vnode *vp,
6040 struct label *label,
6041 int acc_mode
0a7de745 6042 );
4b17d6b6 6043
6d2010ae 6044/**
0a7de745
A		 6045 * @brief Inform MAC policies that a vnode has been renamed
6046 * @param cred User credential for the renaming process
6047 * @param vp Vnode that's being renamed
6048 * @param label Policy label for vp
6049 * @param dvp Parent directory for the destination
6050 * @param dlabel Policy label for dvp
6051 * @param cnp Component name for the destination
6052 *
6053 * Inform MAC policies that a vnode has been renamed.
6d2010ae
A		 6054 */
6055typedef void mpo_vnode_notify_rename_t(
6056 kauth_cred_t cred,
6057 struct vnode *vp,
6058 struct label *label,
6059 struct vnode *dvp,
6060 struct label *dlabel,
6061 struct componentname *cnp
0a7de745 6062 );
6d2010ae 6063
39236c6e 6064/**
0a7de745
A		 6065 * @brief Inform MAC policies that a vnode has been linked
6066 * @param cred User credential for the renaming process
6067 * @param dvp Parent directory for the destination
6068 * @param dlabel Policy label for dvp
6069 * @param vp Vnode that's being linked
6070 * @param vlabel Policy label for vp
6071 * @param cnp Component name for the destination
6072 *
6073 * Inform MAC policies that a vnode has been linked.
39236c6e
A		 6074 */
6075typedef void mpo_vnode_notify_link_t(
6076 kauth_cred_t cred,
6077 struct vnode *dvp,
6078 struct label *dlabel,
6079 struct vnode *vp,
6080 struct label *vlabel,
6081 struct componentname *cnp
0a7de745 6082 );
39236c6e 6083
39037602 6084/**
0a7de745
A		 6085 * @brief Inform MAC policies that an extended attribute has been removed from a vnode
6086 * @param cred Subject credential
6087 * @param vp Object node
6088 * @param label Policy label for vp
6089 * @param name Extended attribute name
6090 *
6091 * Inform MAC policies that an extended attribute has been removed from a vnode.
6092 */
39037602
A		 6093typedef void mpo_vnode_notify_deleteextattr_t(
6094 kauth_cred_t cred,
6095 struct vnode *vp,
6096 struct label *label,
6097 const char *name
0a7de745 6098 );
39037602
A		 6099
6100
6101/**
0a7de745
A		 6102 * @brief Inform MAC policies that an ACL has been set on a vnode
6103 * @param cred Subject credential
6104 * @param vp Object node
6105 * @param label Policy label for vp
6106 * @param acl ACL structure pointer
6107 *
6108 * Inform MAC policies that an ACL has been set on a vnode.
6109 */
39037602
A		 6110typedef void mpo_vnode_notify_setacl_t(
6111 kauth_cred_t cred,
6112 struct vnode *vp,
6113 struct label *label,
6114 struct kauth_acl *acl
0a7de745 6115 );
39037602
A		 6116
6117/**
0a7de745
A		 6118 * @brief Inform MAC policies that an attributes have been set on a vnode
6119 * @param cred Subject credential
6120 * @param vp Object vnode
6121 * @param label Policy label for vp
6122 * @param alist List of attributes to set
6123 *
6124 * Inform MAC policies that an attributes have been set on a vnode.
6125 */
39037602
A		 6126typedef void mpo_vnode_notify_setattrlist_t(
6127 kauth_cred_t cred,
6128 struct vnode *vp,
6129 struct label *label,
6130 struct attrlist *alist
0a7de745 6131 );
39037602
A		 6132
6133/**
0a7de745
A		 6134 * @brief Inform MAC policies that an extended attribute has been set on a vnode
6135 * @param cred Subject credential
6136 * @param vp Object vnode
6137 * @param label Policy label for vp
6138 * @param name Extended attribute name
6139 * @param uio I/O structure pointer
6140 *
6141 * Inform MAC policies that an extended attribute has been set on a vnode.
6142 */
39037602
A		 6143typedef void mpo_vnode_notify_setextattr_t(
6144 kauth_cred_t cred,
6145 struct vnode *vp,
6146 struct label *label,
6147 const char *name,
6148 struct uio *uio
0a7de745 6149 );
39037602
A		 6150
6151/**
0a7de745
A		 6152 * @brief Inform MAC policies that flags have been set on a vnode
6153 * @param cred Subject credential
6154 * @param vp Object vnode
6155 * @param label Policy label for vp
6156 * @param flags File flags; see chflags(2)
6157 *
6158 * Inform MAC policies that flags have been set on a vnode.
6159 */
39037602
A		 6160typedef void mpo_vnode_notify_setflags_t(
6161 kauth_cred_t cred,
6162 struct vnode *vp,
6163 struct label *label,
6164 u_long flags
0a7de745 6165 );
39037602
A		 6166
6167/**
0a7de745
A		 6168 * @brief Inform MAC policies that a new mode has been set on a vnode
6169 * @param cred Subject credential
6170 * @param vp Object vnode
6171 * @param label Policy label for vp
6172 * @param mode File mode; see chmod(2)
6173 *
6174 * Inform MAC policies that a new mode has been set on a vnode.
6175 */
39037602
A		 6176typedef void mpo_vnode_notify_setmode_t(
6177 kauth_cred_t cred,
6178 struct vnode *vp,
6179 struct label *label,
6180 mode_t mode
0a7de745 6181 );
39037602
A		 6182
6183/**
0a7de745
A		 6184 * @brief Inform MAC policies that new uid/gid have been set on a vnode
6185 * @param cred Subject credential
6186 * @param vp Object vnode
6187 * @param label Policy label for vp
6188 * @param uid User ID
6189 * @param gid Group ID
6190 *
6191 * Inform MAC policies that new uid/gid have been set on a vnode.
6192 */
39037602
A		 6193typedef void mpo_vnode_notify_setowner_t(
6194 kauth_cred_t cred,
6195 struct vnode *vp,
6196 struct label *label,
6197 uid_t uid,
6198 gid_t gid
0a7de745 6199 );
39037602
A		 6200
6201/**
0a7de745
A		 6202 * @brief Inform MAC policies that new timestamps have been set on a vnode
6203 * @param cred Subject credential
6204 * @param vp Object vnode
6205 * @param label Policy label for vp
6206 * @param atime Access time; see utimes(2)
6207 * @param mtime Modification time; see utimes(2)
6208 *
6209 * Inform MAC policies that new timestamps have been set on a vnode.
6210 */
39037602
A		 6211typedef void mpo_vnode_notify_setutimes_t(
6212 kauth_cred_t cred,
6213 struct vnode *vp,
6214 struct label *label,
6215 struct timespec atime,
6216 struct timespec mtime
0a7de745 6217 );
39037602
A		 6218
6219/**
0a7de745
A		 6220 * @brief Inform MAC policies that a vnode has been truncated
6221 * @param cred Subject credential
6222 * @param file_cred Credential associated with the struct fileproc
6223 * @param vp Object vnode
6224 * @param label Policy label for vp
6225 *
6226 * Inform MAC policies that a vnode has been truncated.
6227 */
39037602
A		 6228typedef void mpo_vnode_notify_truncate_t(
6229 kauth_cred_t cred,
6230 kauth_cred_t file_cred,
6231 struct vnode *vp,
6232 struct label *label
0a7de745 6233 );
39037602
A		 6234
6235
39236c6e 6236/**
0a7de745
A		 6237 * @brief Inform MAC policies that a pty slave has been granted
6238 * @param p Responsible process
6239 * @param tp tty data structure
6240 * @param dev Major and minor numbers of device
6241 * @param label Policy label for tp
6242 *
6243 * Inform MAC policies that a pty slave has been granted.
6244 */
39236c6e
A		 6245typedef void mpo_pty_notify_grant_t(
6246 proc_t p,
6247 struct tty *tp,
6248 dev_t dev,
6249 struct label *label
0a7de745 6250 );
39236c6e
A		 6251
6252/**
0a7de745
A		 6253 * @brief Inform MAC policies that a pty master has been closed
6254 * @param p Responsible process
6255 * @param tp tty data structure
6256 * @param dev Major and minor numbers of device
6257 * @param label Policy label for tp
6258 *
6259 * Inform MAC policies that a pty master has been closed.
6260 */
39236c6e
A		 6261typedef void mpo_pty_notify_close_t(
6262 proc_t p,
6263 struct tty *tp,
6264 dev_t dev,
6265 struct label *label
0a7de745 6266 );
39236c6e
A		 6267
6268/**
0a7de745
A		 6269 * @brief Access control check for kext loading
6270 * @param cred Subject credential
6271 * @param identifier Kext identifier
6272 *
6273 * Determine whether the subject identified by the credential can load the
6274 * specified kext.
6275 *
6276 * @return Return 0 if access is granted, otherwise an appropriate value for
6277 * errno should be returned. Suggested failure: EPERM for lack of privilege.
6278 */
39236c6e
A		 6279typedef int mpo_kext_check_load_t(
6280 kauth_cred_t cred,
6281 const char *identifier
0a7de745 6282 );
39236c6e
A		 6283
6284/**
0a7de745
A		 6285 * @brief Access control check for kext unloading
6286 * @param cred Subject credential
6287 * @param identifier Kext identifier
6288 *
6289 * Determine whether the subject identified by the credential can unload the
6290 * specified kext.
6291 *
6292 * @return Return 0 if access is granted, otherwise an appropriate value for
6293 * errno should be returned. Suggested failure: EPERM for lack of privilege.
6294 */
39236c6e
A		 6295typedef int mpo_kext_check_unload_t(
6296 kauth_cred_t cred,
6297 const char *identifier
0a7de745 6298 );
39236c6e 6299
3e170ce0 6300/**
0a7de745
A		 6301 * @brief Access control check for querying information about loaded kexts
6302 * @param cred Subject credential
6303 *
6304 * Determine whether the subject identified by the credential can query
6305 * information about loaded kexts.
6306 *
6307 * @return Return 0 if access is granted, otherwise an appropriate value for
6308 * errno should be returned. Suggested failure: EPERM for lack of privilege.
6309 */
3e170ce0
A		 6310typedef int mpo_kext_check_query_t(
6311 kauth_cred_t cred
0a7de745 6312 );
3e170ce0 6313
2d21ac55
A		 6314/*
6315 * Placeholder for future events that may need mac hooks.
6316 */
6317typedef void mpo_reserved_hook_t(void);
6318
39236c6e
A		 6319/*
6320 * Policy module operations.
6321 *
6322 * Please note that this should be kept in sync with the check assumptions
6323 * policy in bsd/kern/policy_check.c (policy_ops struct).
6324 */
ea3f0419 6325#define MAC_POLICY_OPS_VERSION 62 /* inc when new reserved slots are taken */
2d21ac55 6326struct mac_policy_ops {
0a7de745
A		 6327 mpo_audit_check_postselect_t *mpo_audit_check_postselect;
6328 mpo_audit_check_preselect_t *mpo_audit_check_preselect;
6329
6330 mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
6331 mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
6332 mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init;
6333 mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive;
6334
6335 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
6336 mpo_cred_check_label_update_t *mpo_cred_check_label_update;
6337 mpo_cred_check_visible_t *mpo_cred_check_visible;
6338 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork;
6339 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel;
6340 mpo_cred_label_associate_t *mpo_cred_label_associate;
6341 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user;
6342 mpo_cred_label_destroy_t *mpo_cred_label_destroy;
6343 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit;
6344 mpo_cred_label_externalize_t *mpo_cred_label_externalize;
6345 mpo_cred_label_init_t *mpo_cred_label_init;
6346 mpo_cred_label_internalize_t *mpo_cred_label_internalize;
6347 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve;
6348 mpo_cred_label_update_t *mpo_cred_label_update;
6349
6350 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device;
6351 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory;
6352 mpo_devfs_label_copy_t *mpo_devfs_label_copy;
6353 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy;
6354 mpo_devfs_label_init_t *mpo_devfs_label_init;
6355 mpo_devfs_label_update_t *mpo_devfs_label_update;
6356
6357 mpo_file_check_change_offset_t *mpo_file_check_change_offset;
6358 mpo_file_check_create_t *mpo_file_check_create;
6359 mpo_file_check_dup_t *mpo_file_check_dup;
6360 mpo_file_check_fcntl_t *mpo_file_check_fcntl;
6361 mpo_file_check_get_offset_t *mpo_file_check_get_offset;
6362 mpo_file_check_get_t *mpo_file_check_get;
6363 mpo_file_check_inherit_t *mpo_file_check_inherit;
6364 mpo_file_check_ioctl_t *mpo_file_check_ioctl;
6365 mpo_file_check_lock_t *mpo_file_check_lock;
6366 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade;
6367 mpo_file_check_mmap_t *mpo_file_check_mmap;
6368 mpo_file_check_receive_t *mpo_file_check_receive;
6369 mpo_file_check_set_t *mpo_file_check_set;
6370 mpo_file_label_init_t *mpo_file_label_init;
6371 mpo_file_label_destroy_t *mpo_file_label_destroy;
6372 mpo_file_label_associate_t *mpo_file_label_associate;
6373
6374 mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update;
6375 mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit;
6376 mpo_ifnet_label_associate_t *mpo_ifnet_label_associate;
6377 mpo_ifnet_label_copy_t *mpo_ifnet_label_copy;
6378 mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy;
6379 mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize;
6380 mpo_ifnet_label_init_t *mpo_ifnet_label_init;
6381 mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize;
6382 mpo_ifnet_label_update_t *mpo_ifnet_label_update;
6383 mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle;
6384
6385 mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver;
6386 mpo_inpcb_label_associate_t *mpo_inpcb_label_associate;
6387 mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy;
6388 mpo_inpcb_label_init_t *mpo_inpcb_label_init;
6389 mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle;
6390 mpo_inpcb_label_update_t *mpo_inpcb_label_update;
6391
6392 mpo_iokit_check_device_t *mpo_iokit_check_device;
6393
6394 mpo_ipq_label_associate_t *mpo_ipq_label_associate;
6395 mpo_ipq_label_compare_t *mpo_ipq_label_compare;
6396 mpo_ipq_label_destroy_t *mpo_ipq_label_destroy;
6397 mpo_ipq_label_init_t *mpo_ipq_label_init;
6398 mpo_ipq_label_update_t *mpo_ipq_label_update;
39236c6e 6399
39037602
A		 6400 mpo_file_check_library_validation_t *mpo_file_check_library_validation;
6401 mpo_vnode_notify_setacl_t *mpo_vnode_notify_setacl;
6402 mpo_vnode_notify_setattrlist_t *mpo_vnode_notify_setattrlist;
6403 mpo_vnode_notify_setextattr_t *mpo_vnode_notify_setextattr;
6404 mpo_vnode_notify_setflags_t *mpo_vnode_notify_setflags;
6405 mpo_vnode_notify_setmode_t *mpo_vnode_notify_setmode;
6406 mpo_vnode_notify_setowner_t *mpo_vnode_notify_setowner;
6407 mpo_vnode_notify_setutimes_t *mpo_vnode_notify_setutimes;
6408 mpo_vnode_notify_truncate_t *mpo_vnode_notify_truncate;
39236c6e 6409
0a7de745
A		 6410 mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
6411 mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
6412 mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
6413 mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq;
6414 mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
2d21ac55 6415 mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap;
0a7de745
A		 6416 mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
6417 mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
6418 mpo_mbuf_label_copy_t *mpo_mbuf_label_copy;
6419 mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy;
6420 mpo_mbuf_label_init_t *mpo_mbuf_label_init;
6421
6422 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl;
6423 mpo_mount_check_getattr_t *mpo_mount_check_getattr;
6424 mpo_mount_check_label_update_t *mpo_mount_check_label_update;
6425 mpo_mount_check_mount_t *mpo_mount_check_mount;
6426 mpo_mount_check_remount_t *mpo_mount_check_remount;
6427 mpo_mount_check_setattr_t *mpo_mount_check_setattr;
6428 mpo_mount_check_stat_t *mpo_mount_check_stat;
6429 mpo_mount_check_umount_t *mpo_mount_check_umount;
6430 mpo_mount_label_associate_t *mpo_mount_label_associate;
6431 mpo_mount_label_destroy_t *mpo_mount_label_destroy;
6432 mpo_mount_label_externalize_t *mpo_mount_label_externalize;
6433 mpo_mount_label_init_t *mpo_mount_label_init;
6434 mpo_mount_label_internalize_t *mpo_mount_label_internalize;
6435
6436 mpo_netinet_fragment_t *mpo_netinet_fragment;
6437 mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply;
6438 mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply;
6439
6440 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
6441 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
6442 mpo_pipe_check_label_update_t *mpo_pipe_check_label_update;
6443 mpo_pipe_check_read_t *mpo_pipe_check_read;
6444 mpo_pipe_check_select_t *mpo_pipe_check_select;
6445 mpo_pipe_check_stat_t *mpo_pipe_check_stat;
6446 mpo_pipe_check_write_t *mpo_pipe_check_write;
6447 mpo_pipe_label_associate_t *mpo_pipe_label_associate;
6448 mpo_pipe_label_copy_t *mpo_pipe_label_copy;
6449 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy;
6450 mpo_pipe_label_externalize_t *mpo_pipe_label_externalize;
6451 mpo_pipe_label_init_t *mpo_pipe_label_init;
6452 mpo_pipe_label_internalize_t *mpo_pipe_label_internalize;
6453 mpo_pipe_label_update_t *mpo_pipe_label_update;
6454
6455 mpo_policy_destroy_t *mpo_policy_destroy;
6456 mpo_policy_init_t *mpo_policy_init;
6457 mpo_policy_initbsd_t *mpo_policy_initbsd;
6458 mpo_policy_syscall_t *mpo_policy_syscall;
6459
6460 mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname;
6461 mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports;
6462 mpo_vnode_check_rename_t *mpo_vnode_check_rename;
6463 mpo_kext_check_query_t *mpo_kext_check_query;
6464 mpo_proc_notify_exec_complete_t *mpo_proc_notify_exec_complete;
cb323159
A		 6465 mpo_reserved_hook_t *mpo_reserved4;
6466 mpo_proc_check_syscall_unix_t *mpo_proc_check_syscall_unix;
0a7de745
A		 6467 mpo_proc_check_expose_task_t *mpo_proc_check_expose_task;
6468 mpo_proc_check_set_host_special_port_t *mpo_proc_check_set_host_special_port;
3e170ce0 6469 mpo_proc_check_set_host_exception_port_t *mpo_proc_check_set_host_exception_port;
0a7de745
A		 6470 mpo_exc_action_check_exception_send_t *mpo_exc_action_check_exception_send;
6471 mpo_exc_action_label_associate_t *mpo_exc_action_label_associate;
6472 mpo_exc_action_label_populate_t *mpo_exc_action_label_populate;
6473 mpo_exc_action_label_destroy_t *mpo_exc_action_label_destroy;
6474 mpo_exc_action_label_init_t *mpo_exc_action_label_init;
6475 mpo_exc_action_label_update_t *mpo_exc_action_label_update;
6476
6477 mpo_vnode_check_trigger_resolve_t *mpo_vnode_check_trigger_resolve;
cb323159 6478 mpo_mount_check_mount_late_t *mpo_mount_check_mount_late;
ea3f0419 6479 mpo_mount_check_snapshot_mount_t *mpo_mount_check_snapshot_mount;
0a7de745 6480 mpo_reserved_hook_t *mpo_reserved2;
0a7de745
A		 6481 mpo_skywalk_flow_check_connect_t *mpo_skywalk_flow_check_connect;
6482 mpo_skywalk_flow_check_listen_t *mpo_skywalk_flow_check_listen;
6483
6484 mpo_posixsem_check_create_t *mpo_posixsem_check_create;
6485 mpo_posixsem_check_open_t *mpo_posixsem_check_open;
6486 mpo_posixsem_check_post_t *mpo_posixsem_check_post;
6487 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink;
6488 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait;
6489 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate;
6490 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy;
6491 mpo_posixsem_label_init_t *mpo_posixsem_label_init;
6492 mpo_posixshm_check_create_t *mpo_posixshm_check_create;
6493 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap;
6494 mpo_posixshm_check_open_t *mpo_posixshm_check_open;
6495 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat;
6496 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate;
6497 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink;
6498 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate;
6499 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy;
6500 mpo_posixshm_label_init_t *mpo_posixshm_label_init;
6501
6502 mpo_proc_check_debug_t *mpo_proc_check_debug;
6503 mpo_proc_check_fork_t *mpo_proc_check_fork;
6504 mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name;
6505 mpo_proc_check_get_task_t *mpo_proc_check_get_task;
6506 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit;
6507 mpo_proc_check_getauid_t *mpo_proc_check_getauid;
6508 mpo_proc_check_getlcid_t *mpo_proc_check_getlcid;
6509 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect;
6510 mpo_proc_check_sched_t *mpo_proc_check_sched;
6511 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit;
6512 mpo_proc_check_setauid_t *mpo_proc_check_setauid;
6513 mpo_proc_check_setlcid_t *mpo_proc_check_setlcid;
6514 mpo_proc_check_signal_t *mpo_proc_check_signal;
6515 mpo_proc_check_wait_t *mpo_proc_check_wait;
c6bf4f31 6516 mpo_proc_check_dump_core_t *mpo_proc_check_dump_core;
cb323159 6517 mpo_reserved_hook_t *mpo_reserved5;
0a7de745
A		 6518
6519 mpo_socket_check_accept_t *mpo_socket_check_accept;
6520 mpo_socket_check_accepted_t *mpo_socket_check_accepted;
6521 mpo_socket_check_bind_t *mpo_socket_check_bind;
6522 mpo_socket_check_connect_t *mpo_socket_check_connect;
6523 mpo_socket_check_create_t *mpo_socket_check_create;
6524 mpo_socket_check_deliver_t *mpo_socket_check_deliver;
6525 mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter;
6526 mpo_socket_check_label_update_t *mpo_socket_check_label_update;
6527 mpo_socket_check_listen_t *mpo_socket_check_listen;
6528 mpo_socket_check_receive_t *mpo_socket_check_receive;
6529 mpo_socket_check_received_t *mpo_socket_check_received;
6530 mpo_socket_check_select_t *mpo_socket_check_select;
6531 mpo_socket_check_send_t *mpo_socket_check_send;
6532 mpo_socket_check_stat_t *mpo_socket_check_stat;
6533 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt;
6534 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt;
6535 mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept;
6536 mpo_socket_label_associate_t *mpo_socket_label_associate;
6537 mpo_socket_label_copy_t *mpo_socket_label_copy;
6538 mpo_socket_label_destroy_t *mpo_socket_label_destroy;
6539 mpo_socket_label_externalize_t *mpo_socket_label_externalize;
6540 mpo_socket_label_init_t *mpo_socket_label_init;
6541 mpo_socket_label_internalize_t *mpo_socket_label_internalize;
6542 mpo_socket_label_update_t *mpo_socket_label_update;
6543
6544 mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf;
6545 mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket;
6546 mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy;
6547 mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize;
6548 mpo_socketpeer_label_init_t *mpo_socketpeer_label_init;
6549
6550 mpo_system_check_acct_t *mpo_system_check_acct;
6551 mpo_system_check_audit_t *mpo_system_check_audit;
6552 mpo_system_check_auditctl_t *mpo_system_check_auditctl;
6553 mpo_system_check_auditon_t *mpo_system_check_auditon;
6554 mpo_system_check_host_priv_t *mpo_system_check_host_priv;
6555 mpo_system_check_nfsd_t *mpo_system_check_nfsd;
6556 mpo_system_check_reboot_t *mpo_system_check_reboot;
6557 mpo_system_check_settime_t *mpo_system_check_settime;
6558 mpo_system_check_swapoff_t *mpo_system_check_swapoff;
6559 mpo_system_check_swapon_t *mpo_system_check_swapon;
6560 mpo_socket_check_ioctl_t *mpo_socket_check_ioctl;
6561
6562 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate;
6563 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy;
6564 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init;
6565 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle;
6566 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue;
6567 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv;
6568 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid;
6569 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl;
6570 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget;
6571 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv;
6572 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd;
6573 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate;
6574 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy;
6575 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init;
6576 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle;
6577 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl;
6578 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget;
6579 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop;
6580 mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate;
6581 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy;
6582 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init;
6583 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle;
6584 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat;
6585 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl;
6586 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt;
6587 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget;
6588 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate;
6589 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy;
6590 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init;
6591 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle;
6592
6593 mpo_proc_notify_exit_t *mpo_proc_notify_exit;
6594 mpo_mount_check_snapshot_revert_t *mpo_mount_check_snapshot_revert;
6595 mpo_vnode_check_getattr_t *mpo_vnode_check_getattr;
6596 mpo_mount_check_snapshot_create_t *mpo_mount_check_snapshot_create;
6597 mpo_mount_check_snapshot_delete_t *mpo_mount_check_snapshot_delete;
6598 mpo_vnode_check_clone_t *mpo_vnode_check_clone;
6599 mpo_proc_check_get_cs_info_t *mpo_proc_check_get_cs_info;
6600 mpo_proc_check_set_cs_info_t *mpo_proc_check_set_cs_info;
6601
6602 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control;
6603
6604 mpo_vnode_check_access_t *mpo_vnode_check_access;
6605 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir;
6606 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot;
6607 mpo_vnode_check_create_t *mpo_vnode_check_create;
6608 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr;
6609 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata;
6610 mpo_vnode_check_exec_t *mpo_vnode_check_exec;
6611 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist;
6612 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr;
6613 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl;
6614 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter;
6615 mpo_vnode_check_label_update_t *mpo_vnode_check_label_update;
6616 mpo_vnode_check_link_t *mpo_vnode_check_link;
6617 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr;
6618 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup;
6619 mpo_vnode_check_open_t *mpo_vnode_check_open;
6620 mpo_vnode_check_read_t *mpo_vnode_check_read;
6621 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir;
6622 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink;
6623 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from;
6624 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to;
6625 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke;
6626 mpo_vnode_check_select_t *mpo_vnode_check_select;
6627 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist;
6628 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr;
6629 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags;
6630 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode;
6631 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner;
6632 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes;
6633 mpo_vnode_check_stat_t *mpo_vnode_check_stat;
6634 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate;
6635 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink;
6636 mpo_vnode_check_write_t *mpo_vnode_check_write;
6637 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs;
6638 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr;
6639 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file;
6640 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe;
6641 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem;
6642 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm;
6643 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel;
6644 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket;
6645 mpo_vnode_label_copy_t *mpo_vnode_label_copy;
6646 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy;
6647 mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit;
6648 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize;
6649 mpo_vnode_label_init_t *mpo_vnode_label_init;
6650 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize;
6651 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle;
6652 mpo_vnode_label_store_t *mpo_vnode_label_store;
6653 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr;
6654 mpo_vnode_label_update_t *mpo_vnode_label_update;
6655 mpo_vnode_notify_create_t *mpo_vnode_notify_create;
6656 mpo_vnode_check_signature_t *mpo_vnode_check_signature;
6657 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind;
6658 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect;
6659
6660 mpo_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid;
6661 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume;
6662
6663 mpo_thread_userret_t *mpo_thread_userret;
6664
6665 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties;
6666
cb323159 6667 mpo_reserved_hook_t *mpo_reserved3;
0a7de745
A		 6668
6669 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs;
6670
6671 mpo_priv_check_t *mpo_priv_check;
6672 mpo_priv_grant_t *mpo_priv_grant;
6673
6674 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon;
6675
6676 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath;
6677
6678 mpo_iokit_check_open_t *mpo_iokit_check_open;
6679
6680 mpo_proc_check_ledger_t *mpo_proc_check_ledger;
6681
6682 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename;
6683
6684 mpo_vnode_check_setacl_t *mpo_vnode_check_setacl;
39037602
A		 6685
6686 mpo_vnode_notify_deleteextattr_t *mpo_vnode_notify_deleteextattr;
39236c6e 6687
0a7de745 6688 mpo_system_check_kas_info_t *mpo_system_check_kas_info;
39236c6e 6689
0a7de745 6690 mpo_vnode_check_lookup_preflight_t *mpo_vnode_check_lookup_preflight;
39236c6e 6691
0a7de745 6692 mpo_vnode_notify_open_t *mpo_vnode_notify_open;
39236c6e 6693
0a7de745 6694 mpo_system_check_info_t *mpo_system_check_info;
39236c6e 6695
0a7de745
A		 6696 mpo_pty_notify_grant_t *mpo_pty_notify_grant;
6697 mpo_pty_notify_close_t *mpo_pty_notify_close;
39236c6e 6698
0a7de745 6699 mpo_vnode_find_sigs_t *mpo_vnode_find_sigs;
39236c6e 6700
0a7de745
A		 6701 mpo_kext_check_load_t *mpo_kext_check_load;
6702 mpo_kext_check_unload_t *mpo_kext_check_unload;
39236c6e 6703
0a7de745
A		 6704 mpo_proc_check_proc_info_t *mpo_proc_check_proc_info;
6705 mpo_vnode_notify_link_t *mpo_vnode_notify_link;
6706 mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties;
6707 mpo_iokit_check_get_property_t *mpo_iokit_check_get_property;
2d21ac55
A		 6708};
6709
6710/**
0a7de745
A		 6711 * @brief MAC policy handle type
6712 *
6713 * The MAC handle is used to uniquely identify a loaded policy within
6714 * the MAC Framework.
6715 *
6716 * A variable of this type is set by mac_policy_register().
2d21ac55
A		 6717 */
6718typedef unsigned int mac_policy_handle_t;
6719
0a7de745 6720#define mpc_t struct mac_policy_conf *
2d21ac55
A		 6721
6722/**
0a7de745
A		 6723 * @brief Mac policy configuration
6724 *
6725 * This structure specifies the configuration information for a
6726 * MAC policy module. A policy module developer must supply
6727 * a short unique policy name, a more descriptive full name, a list of label
6728 * namespaces and count, a pointer to the registered enty point operations,
6729 * any load time flags, and optionally, a pointer to a label slot identifier.
6730 *
6731 * The Framework will update the runtime flags (mpc_runtime_flags) to
6732 * indicate that the module has been registered.
6733 *
6734 * If the label slot identifier (mpc_field_off) is NULL, the Framework
6735 * will not provide label storage for the policy. Otherwise, the
6736 * Framework will store the label location (slot) in this field.
6737 *
6738 * The mpc_list field is used by the Framework and should not be
6739 * modified by policies.
6740 */
2d21ac55
A		 6741/* XXX - reorder these for better aligment on 64bit platforms */
6742struct mac_policy_conf {
0a7de745
A		 6743 const char *mpc_name; /** policy name */
6744 const char *mpc_fullname; /** full name */
6745 char const * const *mpc_labelnames; /** managed label namespaces */
6746 unsigned int mpc_labelname_count; /** number of managed label namespaces */
6747 const struct mac_policy_ops *mpc_ops; /** operation vector */
6748 int mpc_loadtime_flags; /** load time flags */
6749 int *mpc_field_off; /** label slot */
6750 int mpc_runtime_flags; /** run time flags */
6751 mpc_t mpc_list; /** List reference */
6752 void *mpc_data; /** module data */
2d21ac55
A		 6753};
6754
6755/**
0a7de745
A		 6756 * @brief MAC policy module registration routine
6757 *
6758 * This function is called to register a policy with the
6759 * MAC framework. A policy module will typically call this from the
6760 * Darwin KEXT registration routine.
2d21ac55 6761 */
0a7de745 6762int mac_policy_register(struct mac_policy_conf *mpc,
2d21ac55
A		 6763 mac_policy_handle_t *handlep, void *xd);
6764
6765/**
0a7de745
A		 6766 * @brief MAC policy module de-registration routine
6767 *
6768 * This function is called to de-register a policy with theD
6769 * MAC framework. A policy module will typically call this from the
6770 * Darwin KEXT de-registration routine.
2d21ac55 6771 */
0a7de745 6772int mac_policy_unregister(mac_policy_handle_t handle);
2d21ac55
A		 6773
6774/*
6775 * Framework entry points for the policies to add audit data.
6776 */
0a7de745 6777int mac_audit_text(char *text, mac_policy_handle_t handle);
2d21ac55
A		 6778
6779/*
6780 * Calls to assist with use of Apple XATTRs within policy modules.
6781 */
0a7de745
A		 6782int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t);
6783int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t,
6784 size_t *);
6785int mac_vnop_removexattr(struct vnode *, const char *);
2d21ac55 6786
39037602 6787/**
0a7de745
A		 6788 * @brief Set an extended attribute on a vnode-based fileglob.
6789 * @param fg fileglob representing file to attach the extended attribute
6790 * @param name extended attribute name
6791 * @param buf buffer of data to use as the extended attribute value
6792 * @param len size of buffer
6793 *
6794 * Sets the value of an extended attribute on a file.
6795 *
6796 * Caller must hold an iocount on the vnode represented by the fileglob.
6797 */
6798int mac_file_setxattr(struct fileglob *fg, const char *name, char *buf, size_t len);
39037602
A		 6799
6800/**
0a7de745
A		 6801 * @brief Get an extended attribute from a vnode-based fileglob.
6802 * @param fg fileglob representing file to read the extended attribute
6803 * @param name extended attribute name
6804 * @param buf buffer of data to hold the extended attribute value
6805 * @param len size of buffer
6806 * @param attrlen size of full extended attribute value
6807 *
6808 * Gets the value of an extended attribute on a file.
6809 *
6810 * Caller must hold an iocount on the vnode represented by the fileglob.
6811 */
6812int mac_file_getxattr(struct fileglob *fg, const char *name, char *buf, size_t len,
6813 size_t *attrlen);
39037602
A		 6814
6815/**
0a7de745
A		 6816 * @brief Remove an extended attribute from a vnode-based fileglob.
6817 * @param fg fileglob representing file to remove the extended attribute
6818 * @param name extended attribute name
6819 *
6820 * Removes the named extended attribute from the file.
6821 *
6822 * Caller must hold an iocount on the vnode represented by the fileglob.
6823 */
6824int mac_file_removexattr(struct fileglob *fg, const char *name);
39037602
A		 6825
6826
2d21ac55
A		 6827/*
6828 * Arbitrary limit on how much data will be logged by the audit
6829 * entry points above.
6830 */
0a7de745 6831#define MAC_AUDIT_DATA_LIMIT 1024
2d21ac55
A		 6832
6833/*
6834 * Values returned by mac_audit_{pre,post}select. To combine the responses
6835 * of the security policies into a single decision,
6836 * mac_audit_{pre,post}select() choose the greatest value returned.
6837 */
0a7de745
A		 6838#define MAC_AUDIT_DEFAULT 0 /* use system behavior */
6839#define MAC_AUDIT_NO 1 /* force not auditing this event */
6840#define MAC_AUDIT_YES 2 /* force auditing this event */
2d21ac55
A		 6841
6842// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field
6843
6844/**
0a7de745
A		 6845 * @name Flags for the mpc_loadtime_flags field
6846 * @see mac_policy_conf
6847 *
6848 * This is the complete list of flags that are supported by the
6849 * mpc_loadtime_flags field of the mac_policy_conf structure. These
6850 * flags specify the load time behavior of MAC Framework policy
6851 * modules.
6852 */
2d21ac55
A		 6853
6854/*@{*/
6855
6856/**
0a7de745
A		 6857 * @brief Flag to indicate registration preference
6858 *
6859 * This flag indicates that the policy module must be loaded and
6860 * initialized early in the boot process. If the flag is specified,
6861 * attempts to register the module following boot will be rejected. The
6862 * flag may be used by policies that require pervasive labeling of all
6863 * system objects, and cannot handle objects that have not been
6864 * properly initialized by the policy.
6865 */
6866#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
2d21ac55
A		 6867
6868/**
0a7de745
A		 6869 * @brief Flag to indicate unload preference
6870 *
6871 * This flag indicates that the policy module may be unloaded. If this
6872 * flag is not set, then the policy framework will reject requests to
6873 * unload the module. This flag might be used by modules that allocate
6874 * label state and are unable to free that state at runtime, or for
6875 * modules that simply do not want to permit unload operations.
6876 */
6877#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
2d21ac55
A		 6878
6879/**
0a7de745
A		 6880 * @brief Unsupported
6881 *
6882 * XXX This flag is not yet supported.
6883 */
6884#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
2d21ac55
A		 6885
6886/**
0a7de745
A		 6887 * @brief Flag to indicate a base policy
6888 *
6889 * This flag indicates that the policy module is a base policy. Only
6890 * one module can declare itself as base, otherwise the boot process
6891 * will be halted.
2d21ac55 6892 */
0a7de745 6893#define MPC_LOADTIME_BASE_POLICY 0x00000008
2d21ac55
A		 6894
6895/*@}*/
6896
6897/**
0a7de745
A		 6898 * @brief Policy registration flag
6899 * @see mac_policy_conf
6900 *
6901 * This flag indicates that the policy module has been successfully
6902 * registered with the TrustedBSD MAC Framework. The Framework will
6903 * set this flag in the mpc_runtime_flags field of the policy's
6904 * mac_policy_conf structure after registering the policy.
2d21ac55 6905 */
0a7de745 6906#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
2d21ac55
A		 6907
6908/*
6909 * Depends on POLICY_VER
6910 */
6911
6912#ifndef POLICY_VER
0a7de745 6913#define POLICY_VER 1.0
2d21ac55
A		 6914#endif
6915
0a7de745
A		 6916#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \
6917 static struct mac_policy_conf mpname##_mac_policy_conf = { \
6918 .mpc_name = #mpname, \
6919 .mpc_fullname = mpfullname, \
6920 .mpc_labelnames = lnames, \
6921 .mpc_labelname_count = lcount, \
6922 .mpc_ops = mpops, \
6923 .mpc_loadtime_flags = lflags, \
6924 .mpc_field_off = slot, \
6925 .mpc_runtime_flags = rflags \
6926 }; \
6927 \
6928 static kern_return_t \
6929 kmod_start(kmod_info_t *ki, void *xd) \
6930 { \
6931 return mac_policy_register(&mpname##_mac_policy_conf, \
6932 &handle, xd); \
6933 } \
6934 \
6935 static kern_return_t \
6936 kmod_stop(kmod_info_t *ki, void *xd) \
6937 { \
6938 return mac_policy_unregister(handle); \
6939 } \
6940 \
6941 extern kern_return_t _start(kmod_info_t *ki, void *data); \
6942 extern kern_return_t _stop(kmod_info_t *ki, void *data); \
6943 \
6944 KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \
6945 kmod_start_func_t *_realmain = kmod_start; \
6946 kmod_stop_func_t *_antimain = kmod_stop; \
2d21ac55
A		 6947 int _kext_apple_cc = __APPLE_CC__
6948
6949
0a7de745 6950#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]
2d21ac55 6951
b0d623f7
A		 6952/*
6953 * Policy interface to map a struct label pointer to per-policy data.
6954 * Typically, policies wrap this in their own accessor macro that casts an
6955 * intptr_t to a policy-specific data type.
6956 */
6957intptr_t mac_label_get(struct label *l, int slot);
6958void mac_label_set(struct label *l, int slot, intptr_t v);
cb323159
A		 6959intptr_t mac_vnode_label_get(struct vnode *vp, int slot, intptr_t sentinel);
6960void mac_vnode_label_set(struct vnode *vp, int slot, intptr_t v);
b0d623f7 6961
0a7de745 6962#define mac_get_mpc(h) (mac_policy_list.entries[h].mpc)
2d21ac55
A		 6963
6964/**
0a7de745
A		 6965 * @name Flags for MAC allocator interfaces
6966 *
6967 * These flags are passed to the Darwin kernel allocator routines to
6968 * indicate whether the allocation is permitted to block or not.
6969 * Caution should be taken; some operations are not permitted to sleep,
6970 * and some types of locks cannot be held when sleeping.
2d21ac55
A		 6971 */
6972
6973/*@{*/
6974
6975/**
0a7de745
A		 6976 * @brief Allocation operations may block
6977 *
6978 * If memory is not immediately available, the allocation routine
6979 * will block (typically sleeping) until memory is available.
6980 *
6981 * @warning Inappropriate use of this flag may cause kernel panics.
2d21ac55
A		 6982 */
6983#define MAC_WAITOK 0
6984
6985/**
0a7de745
A		 6986 * @brief Allocation operations may not block
6987 *
6988 * Rather than blocking, the allocator may return an error if memory
6989 * is not immediately available. This type of allocation will not
6990 * sleep, preserving locking semantics.
2d21ac55
A		 6991 */
6992#define MAC_NOWAIT 1
6993
6994/*@}*/
6995
6996#endif /* !_SECURITY_MAC_POLICY_H_ */
mirror of XNU