[apple/xnu.git] / bsd / net / content_filter.h

/*
 * Copyright (c) 2013-2019 Apple Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

#ifndef __CONTENT_FILTER_H__
#define __CONTENT_FILTER_H__

#include <sys/param.h>
#include <sys/types.h>
#include <sys/_types/_timeval64.h>
#include <sys/socket.h>
#include <sys/syslog.h>
#include <netinet/in.h>
#include <stdint.h>
#include <corecrypto/ccsha2.h>

#ifdef BSD_KERNEL_PRIVATE
#include <sys/mbuf.h>
#include <sys/socketvar.h>
#endif /* BSD_KERNEL_PRIVATE */

__BEGIN_DECLS

#ifdef PRIVATE

/*
 * Kernel control name for an instance of a Content Filter
 * Use CTLIOCGINFO to find out the corresponding kernel control id
 * to be set in the sc_id field of sockaddr_ctl for connect(2)
 * Note: the sc_unit is ephemeral
 */
#define CONTENT_FILTER_CONTROL_NAME "com.apple.content-filter"

/*
 * Opaque socket identifier
 */
typedef uint64_t cfil_sock_id_t;

#define CFIL_SOCK_ID_NONE UINT64_MAX


/*
 * CFIL_OPT_NECP_CONTROL_UNIT
 * To set or get the NECP filter control unit for the kernel control socket
 * The option level is SYSPROTO_CONTROL
 */
#define CFIL_OPT_NECP_CONTROL_UNIT      1       /* uint32_t */

/*
 * CFIL_OPT_GET_SOCKET_INFO
 * To get information about a given socket that is being filtered.
 */
#define CFIL_OPT_GET_SOCKET_INFO        2       /* uint32_t */

/*
 * struct cfil_opt_sock_info
 *
 * Contains information about a socket that is being filtered.
 */
struct cfil_opt_sock_info {
	cfil_sock_id_t  cfs_sock_id;
	int                             cfs_sock_family;        /* e.g. PF_INET */
	int                             cfs_sock_type;          /* e.g. SOCK_STREAM */
	int                             cfs_sock_protocol;      /* e.g. IPPROTO_TCP */
	union sockaddr_in_4_6   cfs_local;
	union sockaddr_in_4_6   cfs_remote;
	pid_t                   cfs_pid;
	pid_t                   cfs_e_pid;
	uuid_t                  cfs_uuid;
	uuid_t                  cfs_e_uuid;
};

/*
 * How many filter may be active simultaneously
 */
#if !TARGET_OS_OSX && !defined(XNU_TARGET_OS_OSX)
#define CFIL_MAX_FILTER_COUNT   2
#else
#define CFIL_MAX_FILTER_COUNT   8
#endif


/*
 * Crypto Support
 */
#define CFIL_CRYPTO 1
#define CFIL_CRYPTO_SIGNATURE_SIZE 32
#define CFIL_CRYPTO_DATA_EVENT 1

typedef uint8_t cfil_crypto_key[CCSHA256_OUTPUT_SIZE];
typedef uint8_t cfil_crypto_signature[CFIL_CRYPTO_SIGNATURE_SIZE];

typedef struct cfil_crypto_state {
	const struct ccdigest_info *digest_info;
	cfil_crypto_key key;
} *cfil_crypto_state_t;

typedef struct cfil_crypto_data {
	uuid_t flow_id;
	u_int64_t sock_id;
	u_int32_t direction;
	union sockaddr_in_4_6 remote;
	union sockaddr_in_4_6 local;
	u_int32_t socketProtocol;
	pid_t pid;
	pid_t effective_pid;
	uuid_t uuid;
	uuid_t effective_uuid;
	u_int64_t byte_count_in;
	u_int64_t byte_count_out;
} *cfil_crypto_data_t;

/*
 * Types of messages
 *
 * Event messages flow from kernel to user space while action
 * messages flow in the reverse direction.
 * A message in entirely represented by a packet sent or received
 * on a Content Filter kernel control socket.
 */
#define CFM_TYPE_EVENT 1        /* message from kernel */
#define CFM_TYPE_ACTION 2       /* message to kernel */

/*
 * Operations associated with events from kernel
 */
#define CFM_OP_SOCKET_ATTACHED 1        /* a socket has been attached */
#define CFM_OP_SOCKET_CLOSED 2          /* a socket is being closed */
#define CFM_OP_DATA_OUT 3               /* data being sent */
#define CFM_OP_DATA_IN 4                /* data being received */
#define CFM_OP_DISCONNECT_OUT 5         /* no more outgoing data */
#define CFM_OP_DISCONNECT_IN 6          /* no more incoming data */

/*
 * Operations associated with action from filter to kernel
 */
#define CFM_OP_DATA_UPDATE 16           /* update pass or peek offsets */
#define CFM_OP_DROP 17                  /* shutdown socket, no more data */
#define CFM_OP_BLESS_CLIENT 18          /* mark a client flow as already filtered, passes a uuid */
#define CFM_OP_SET_CRYPTO_KEY 19        /* assign client crypto key for message signing */

/*
 * struct cfil_msg_hdr
 *
 * Header common to all messages
 */
struct cfil_msg_hdr {
	uint32_t        cfm_len;        /* total length */
	uint32_t        cfm_version;
	uint32_t        cfm_type;
	uint32_t        cfm_op;
	cfil_sock_id_t  cfm_sock_id;
};

#define CFM_VERSION_CURRENT 1

/*
 * Connection Direction
 */
#define CFS_CONNECTION_DIR_IN  0
#define CFS_CONNECTION_DIR_OUT 1

#define CFS_AUDIT_TOKEN            1

/*
 * struct cfil_msg_sock_attached
 *
 * Information about a new socket being attached to the content filter
 *
 * Action: No reply is expected as this does not block the creation of the
 * TCP/IP but timely action must be taken to avoid user noticeable delays.
 *
 * Valid Types: CFM_TYPE_EVENT
 *
 * Valid Op: CFM_OP_SOCKET_ATTACHED
 */
struct cfil_msg_sock_attached {
	struct cfil_msg_hdr     cfs_msghdr;
	int                     cfs_sock_family;        /* e.g. PF_INET */
	int                     cfs_sock_type;          /* e.g. SOCK_STREAM */
	int                     cfs_sock_protocol;      /* e.g. IPPROTO_TCP */
	int                     cfs_unused;             /* padding */
	pid_t                   cfs_pid;
	pid_t                   cfs_e_pid;
	uuid_t                  cfs_uuid;
	uuid_t                  cfs_e_uuid;
	union sockaddr_in_4_6   cfs_src;
	union sockaddr_in_4_6   cfs_dst;
	int                     cfs_conn_dir;
	unsigned int            cfs_audit_token[8];             /* Must match audit_token_t */
	cfil_crypto_signature   cfs_signature;
	uint32_t                cfs_signature_length;
};

/*
 * struct cfil_msg_data_event
 *
 * Event for the content fiter to act on a span of data
 * A data span is described by a pair of offsets over the cumulative
 * number of bytes sent or received on the socket.
 *
 * Action: The event must be acted upon but the filter may buffer
 * data spans until it has enough content to make a decision.
 * The action must be timely to avoid user noticeable delays.
 *
 * Valid Type: CFM_TYPE_EVENT
 *
 * Valid Ops: CFM_OP_DATA_OUT, CFM_OP_DATA_IN
 */
struct cfil_msg_data_event {
	struct cfil_msg_hdr     cfd_msghdr;
	union sockaddr_in_4_6   cfc_src;
	union sockaddr_in_4_6   cfc_dst;
	uint64_t                cfd_start_offset;
	uint64_t                cfd_end_offset;
	cfil_crypto_signature   cfd_signature;
	uint32_t                cfd_signature_length;
	/* Actual content data immediatly follows */
};

#define CFI_MAX_TIME_LOG_ENTRY 6
/*
 * struct cfil_msg_sock_closed
 *
 * Information about a socket being closed to the content filter
 *
 * Action: No reply is expected as this does not block the closing of the
 * TCP/IP.
 *
 * Valid Types: CFM_TYPE_EVENT
 *
 * Valid Op: CFM_OP_SOCKET_CLOSED
 */
struct cfil_msg_sock_closed {
	struct cfil_msg_hdr     cfc_msghdr;
	struct timeval64        cfc_first_event;
	uint32_t                cfc_op_list_ctr;
	uint32_t                cfc_op_time[CFI_MAX_TIME_LOG_ENTRY];    /* time interval in microseconds since first event */
	unsigned char           cfc_op_list[CFI_MAX_TIME_LOG_ENTRY];
	uint64_t                cfc_byte_inbound_count;
	uint64_t                cfc_byte_outbound_count;
	cfil_crypto_signature   cfc_signature;
	uint32_t                cfc_signature_length;
} __attribute__((aligned(8)));

/*
 * struct cfil_msg_action
 *
 * Valid Type: CFM_TYPE_ACTION
 *
 * Valid Ops: CFM_OP_DATA_UPDATE, CFM_OP_DROP
 *
 * For CFM_OP_DATA_UPDATE:
 *
 * cfa_in_pass_offset and cfa_out_pass_offset indicates how much data is
 * allowed to pass. A zero value does not modify the corresponding pass offset.
 *
 * cfa_in_peek_offset and cfa_out_peek_offset lets the filter specify how much
 * data it needs to make a decision: the kernel will deliver data up to that
 * offset (if less than cfa_pass_offset it is ignored). Use CFM_MAX_OFFSET
 * if you don't value the corresponding peek offset to be updated.
 */
struct cfil_msg_action {
	struct cfil_msg_hdr     cfa_msghdr;
	uint64_t                cfa_in_pass_offset;
	uint64_t                cfa_in_peek_offset;
	uint64_t                cfa_out_pass_offset;
	uint64_t                cfa_out_peek_offset;
};

/*
 * struct cfil_msg_bless_client
 *
 * Marks a client UUID as already filtered at a higher level.
 *
 * Valid Type: CFM_TYPE_ACTION
 *
 * Valid Ops: CFM_OP_BLESS_CLIENT
 */
struct cfil_msg_bless_client {
	struct cfil_msg_hdr     cfb_msghdr;
	uuid_t cfb_client_uuid;
};

/*
 * struct cfil_msg_set_crypto_key
 *
 * Filter assigning client crypto key to CFIL for message signing
 *
 * Valid Type: CFM_TYPE_ACTION
 *
 * Valid Ops: CFM_OP_SET_CRYPTO_KEY
 */
struct cfil_msg_set_crypto_key {
	struct cfil_msg_hdr     cfb_msghdr;
	cfil_crypto_key         crypto_key;
};

#define CFM_MAX_OFFSET  UINT64_MAX

/*
 * Statistics retrieved via sysctl(3)
 */
struct cfil_filter_stat {
	uint32_t        cfs_len;
	uint32_t        cfs_filter_id;
	uint32_t        cfs_flags;
	uint32_t        cfs_sock_count;
	uint32_t        cfs_necp_control_unit;
};

struct cfil_entry_stat {
	uint32_t                ces_len;
	uint32_t                ces_filter_id;
	uint32_t                ces_flags;
	uint32_t                ces_necp_control_unit;
	struct timeval64        ces_last_event;
	struct timeval64        ces_last_action;
	struct cfe_buf_stat {
		uint64_t        cbs_pending_first;
		uint64_t        cbs_pending_last;
		uint64_t        cbs_ctl_first;
		uint64_t        cbs_ctl_last;
		uint64_t        cbs_pass_offset;
		uint64_t        cbs_peek_offset;
		uint64_t        cbs_peeked;
	} ces_snd, ces_rcv;
};

struct cfil_sock_stat {
	uint32_t        cfs_len;
	int             cfs_sock_family;
	int             cfs_sock_type;
	int             cfs_sock_protocol;
	cfil_sock_id_t  cfs_sock_id;
	uint64_t        cfs_flags;
	pid_t           cfs_pid;
	pid_t           cfs_e_pid;
	uuid_t          cfs_uuid;
	uuid_t          cfs_e_uuid;
	struct cfi_buf_stat {
		uint64_t        cbs_pending_first;
		uint64_t        cbs_pending_last;
		uint64_t        cbs_pass_offset;
		uint64_t        cbs_inject_q_len;
	} cfs_snd, cfs_rcv;
	struct cfil_entry_stat  ces_entries[CFIL_MAX_FILTER_COUNT];
};

/*
 * Global statistics
 */
struct cfil_stats {
	int32_t cfs_ctl_connect_ok;
	int32_t cfs_ctl_connect_fail;
	int32_t cfs_ctl_disconnect_ok;
	int32_t cfs_ctl_disconnect_fail;
	int32_t cfs_ctl_send_ok;
	int32_t cfs_ctl_send_bad;
	int32_t cfs_ctl_rcvd_ok;
	int32_t cfs_ctl_rcvd_bad;
	int32_t cfs_ctl_rcvd_flow_lift;
	int32_t cfs_ctl_action_data_update;
	int32_t cfs_ctl_action_drop;
	int32_t cfs_ctl_action_bad_op;
	int32_t cfs_ctl_action_bad_len;

	int32_t cfs_sock_id_not_found;

	int32_t cfs_cfi_alloc_ok;
	int32_t cfs_cfi_alloc_fail;

	int32_t cfs_sock_userspace_only;
	int32_t cfs_sock_attach_in_vain;
	int32_t cfs_sock_attach_already;
	int32_t cfs_sock_attach_no_mem;
	int32_t cfs_sock_attach_failed;
	int32_t cfs_sock_attached;
	int32_t cfs_sock_detached;

	int32_t cfs_attach_event_ok;
	int32_t cfs_attach_event_flow_control;
	int32_t cfs_attach_event_fail;

	int32_t cfs_closed_event_ok;
	int32_t cfs_closed_event_flow_control;
	int32_t cfs_closed_event_fail;

	int32_t cfs_data_event_ok;
	int32_t cfs_data_event_flow_control;
	int32_t cfs_data_event_fail;

	int32_t cfs_disconnect_in_event_ok;
	int32_t cfs_disconnect_out_event_ok;
	int32_t cfs_disconnect_event_flow_control;
	int32_t cfs_disconnect_event_fail;

	int32_t cfs_ctl_q_not_started;

	int32_t cfs_close_wait;
	int32_t cfs_close_wait_timeout;

	int32_t cfs_flush_in_drop;
	int32_t cfs_flush_out_drop;
	int32_t cfs_flush_in_close;
	int32_t cfs_flush_out_close;
	int32_t cfs_flush_in_free;
	int32_t cfs_flush_out_free;

	int32_t cfs_inject_q_nomem;
	int32_t cfs_inject_q_nobufs;
	int32_t cfs_inject_q_detached;
	int32_t cfs_inject_q_in_fail;
	int32_t cfs_inject_q_out_fail;

	int32_t cfs_inject_q_in_retry;
	int32_t cfs_inject_q_out_retry;

	int32_t cfs_data_in_control;
	int32_t cfs_data_in_oob;
	int32_t cfs_data_out_control;
	int32_t cfs_data_out_oob;

	int64_t cfs_ctl_q_in_enqueued __attribute__((aligned(8)));
	int64_t cfs_ctl_q_out_enqueued __attribute__((aligned(8)));
	int64_t cfs_ctl_q_in_peeked __attribute__((aligned(8)));
	int64_t cfs_ctl_q_out_peeked __attribute__((aligned(8)));

	int64_t cfs_pending_q_in_enqueued __attribute__((aligned(8)));
	int64_t cfs_pending_q_out_enqueued __attribute__((aligned(8)));

	int64_t cfs_inject_q_in_enqueued __attribute__((aligned(8)));
	int64_t cfs_inject_q_out_enqueued __attribute__((aligned(8)));
	int64_t cfs_inject_q_in_passed __attribute__((aligned(8)));
	int64_t cfs_inject_q_out_passed __attribute__((aligned(8)));
};
#endif /* PRIVATE */

#ifdef BSD_KERNEL_PRIVATE

#define M_SKIPCFIL      M_PROTO5

extern int cfil_log_level;

#define CFIL_LOG(level, fmt, ...) \
do { \
	if (cfil_log_level >= level) \
	        printf("%s:%d " fmt "\n",\
	                __FUNCTION__, __LINE__, ##__VA_ARGS__); \
} while (0)


extern void cfil_init(void);

extern boolean_t cfil_filter_present(void);
extern boolean_t cfil_sock_connected_pending_verdict(struct socket *so);
extern errno_t cfil_sock_attach(struct socket *so,
    struct sockaddr *local, struct sockaddr *remote, int dir);
extern errno_t cfil_sock_detach(struct socket *so);

extern int cfil_sock_data_out(struct socket *so, struct sockaddr  *to,
    struct mbuf *data, struct mbuf *control,
    uint32_t flags);
extern int cfil_sock_data_in(struct socket *so, struct sockaddr *from,
    struct mbuf *data, struct mbuf *control,
    uint32_t flags);

extern int cfil_sock_shutdown(struct socket *so, int *how);
extern void cfil_sock_is_closed(struct socket *so);
extern void cfil_sock_notify_shutdown(struct socket *so, int how);
extern void cfil_sock_close_wait(struct socket *so);

extern boolean_t cfil_sock_data_pending(struct sockbuf *sb);
extern int cfil_sock_data_space(struct sockbuf *sb);
extern void cfil_sock_buf_update(struct sockbuf *sb);

extern cfil_sock_id_t cfil_sock_id_from_socket(struct socket *so);

extern struct m_tag *cfil_udp_get_socket_state(struct mbuf *m, uint32_t *state_change_cnt,
    short *options, struct sockaddr **faddr);
#endif /* BSD_KERNEL_PRIVATE */

__END_DECLS

#endif /* __CONTENT_FILTER_H__ */
Commit	Line	Data
fe8ab488	1	/*
cb323159	2	* Copyright (c) 2013-2019 Apple Inc. All rights reserved.
fe8ab488 A	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* This file contains Original Code and/or Modifications of Original Code
	7	* as defined in and that are subject to the Apple Public Source License
	8	* Version 2.0 (the 'License'). You may not use this file except in
	9	* compliance with the License. Please obtain a copy of the License at
	10	* http://www.opensource.apple.com/apsl/ and read it before using this
	11	* file.
	12	*
	13	* The Original Code and all software distributed under the License are
	14	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	15	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	16	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	17	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
	18	* Please see the License for the specific language governing rights and
	19	* limitations under the License.
	20	*
	21	* @APPLE_LICENSE_HEADER_END@
	22	*/
	23
	24	#ifndef __CONTENT_FILTER_H__
0a7de745	25	#define __CONTENT_FILTER_H__
fe8ab488 A	26
	27	#include <sys/param.h>
	28	#include <sys/types.h>
3e170ce0	29	#include <sys/_types/_timeval64.h>
fe8ab488 A	30	#include <sys/socket.h>
	31	#include <sys/syslog.h>
	32	#include <netinet/in.h>
	33	#include <stdint.h>
cb323159	34	#include <corecrypto/ccsha2.h>
fe8ab488 A	35
	36	#ifdef BSD_KERNEL_PRIVATE
	37	#include <sys/mbuf.h>
	38	#include <sys/socketvar.h>
	39	#endif /* BSD_KERNEL_PRIVATE */
	40
	41	__BEGIN_DECLS
	42
	43	#ifdef PRIVATE
	44
	45	/*
	46	* Kernel control name for an instance of a Content Filter
	47	* Use CTLIOCGINFO to find out the corresponding kernel control id
	48	* to be set in the sc_id field of sockaddr_ctl for connect(2)
	49	* Note: the sc_unit is ephemeral
	50	*/
0a7de745	51	#define CONTENT_FILTER_CONTROL_NAME "com.apple.content-filter"
fe8ab488	52
5ba3f43e A	53	/*
	54	* Opaque socket identifier
	55	*/
	56	typedef uint64_t cfil_sock_id_t;
	57
0a7de745	58	#define CFIL_SOCK_ID_NONE UINT64_MAX
5ba3f43e A	59
5ba3f43e A	60
fe8ab488 A	61	/*
	62	* CFIL_OPT_NECP_CONTROL_UNIT
	63	* To set or get the NECP filter control unit for the kernel control socket
	64	* The option level is SYSPROTO_CONTROL
	65	*/
0a7de745	66	#define CFIL_OPT_NECP_CONTROL_UNIT 1 /* uint32_t */
fe8ab488	67
5ba3f43e A	68	/*
5ba3f43e A	69	* CFIL_OPT_GET_SOCKET_INFO
0a7de745	70	* To get information about a given socket that is being filtered.
5ba3f43e	71	*/
0a7de745	72	#define CFIL_OPT_GET_SOCKET_INFO 2 /* uint32_t */
5ba3f43e A	73
	74	/*
	75	* struct cfil_opt_sock_info
	76	*
0a7de745	77	* Contains information about a socket that is being filtered.
5ba3f43e A	78	*/
5ba3f43e A	79	struct cfil_opt_sock_info {
0a7de745 A	80	cfil_sock_id_t cfs_sock_id;
	81	int cfs_sock_family; /* e.g. PF_INET */
	82	int cfs_sock_type; /* e.g. SOCK_STREAM */
	83	int cfs_sock_protocol; /* e.g. IPPROTO_TCP */
	84	union sockaddr_in_4_6 cfs_local;
	85	union sockaddr_in_4_6 cfs_remote;
	86	pid_t cfs_pid;
	87	pid_t cfs_e_pid;
	88	uuid_t cfs_uuid;
	89	uuid_t cfs_e_uuid;
5ba3f43e A	90	};
5ba3f43e A	91
fe8ab488 A	92	/*
	93	* How many filter may be active simultaneously
	94	*/
cb323159	95	#if !TARGET_OS_OSX && !defined(XNU_TARGET_OS_OSX)
0a7de745	96	#define CFIL_MAX_FILTER_COUNT 2
cb323159 A	97	#else
	98	#define CFIL_MAX_FILTER_COUNT 8
	99	#endif
	100
	101
	102	/*
	103	* Crypto Support
	104	*/
	105	#define CFIL_CRYPTO 1
	106	#define CFIL_CRYPTO_SIGNATURE_SIZE 32
	107	#define CFIL_CRYPTO_DATA_EVENT 1
	108
	109	typedef uint8_t cfil_crypto_key[CCSHA256_OUTPUT_SIZE];
	110	typedef uint8_t cfil_crypto_signature[CFIL_CRYPTO_SIGNATURE_SIZE];
	111
	112	typedef struct cfil_crypto_state {
	113	const struct ccdigest_info *digest_info;
	114	cfil_crypto_key key;
	115	} *cfil_crypto_state_t;
	116
	117	typedef struct cfil_crypto_data {
	118	uuid_t flow_id;
	119	u_int64_t sock_id;
	120	u_int32_t direction;
	121	union sockaddr_in_4_6 remote;
	122	union sockaddr_in_4_6 local;
	123	u_int32_t socketProtocol;
	124	pid_t pid;
	125	pid_t effective_pid;
	126	uuid_t uuid;
	127	uuid_t effective_uuid;
	128	u_int64_t byte_count_in;
	129	u_int64_t byte_count_out;
	130	} *cfil_crypto_data_t;
fe8ab488 A	131
	132	/*
	133	* Types of messages
	134	*
	135	* Event messages flow from kernel to user space while action
	136	* messages flow in the reverse direction.
	137	* A message in entirely represented by a packet sent or received
	138	* on a Content Filter kernel control socket.
	139	*/
0a7de745 A	140	#define CFM_TYPE_EVENT 1 /* message from kernel */
0a7de745 A	141	#define CFM_TYPE_ACTION 2 /* message to kernel */
fe8ab488 A	142
	143	/*
	144	* Operations associated with events from kernel
	145	*/
0a7de745 A	146	#define CFM_OP_SOCKET_ATTACHED 1 /* a socket has been attached */
	147	#define CFM_OP_SOCKET_CLOSED 2 /* a socket is being closed */
	148	#define CFM_OP_DATA_OUT 3 /* data being sent */
	149	#define CFM_OP_DATA_IN 4 /* data being received */
	150	#define CFM_OP_DISCONNECT_OUT 5 /* no more outgoing data */
	151	#define CFM_OP_DISCONNECT_IN 6 /* no more incoming data */
fe8ab488 A	152
	153	/*
	154	* Operations associated with action from filter to kernel
	155	*/
0a7de745 A	156	#define CFM_OP_DATA_UPDATE 16 /* update pass or peek offsets */
	157	#define CFM_OP_DROP 17 /* shutdown socket, no more data */
	158	#define CFM_OP_BLESS_CLIENT 18 /* mark a client flow as already filtered, passes a uuid */
cb323159	159	#define CFM_OP_SET_CRYPTO_KEY 19 /* assign client crypto key for message signing */
fe8ab488	160
fe8ab488 A	161	/*
	162	* struct cfil_msg_hdr
	163	*
	164	* Header common to all messages
	165	*/
	166	struct cfil_msg_hdr {
0a7de745 A	167	uint32_t cfm_len; /* total length */
	168	uint32_t cfm_version;
	169	uint32_t cfm_type;
	170	uint32_t cfm_op;
	171	cfil_sock_id_t cfm_sock_id;
fe8ab488 A	172	};
fe8ab488 A	173
0a7de745	174	#define CFM_VERSION_CURRENT 1
fe8ab488	175
cb323159 A	176	/*
	177	* Connection Direction
	178	*/
	179	#define CFS_CONNECTION_DIR_IN 0
	180	#define CFS_CONNECTION_DIR_OUT 1
	181
	182	#define CFS_AUDIT_TOKEN 1
	183
fe8ab488 A	184	/*
	185	* struct cfil_msg_sock_attached
	186	*
	187	* Information about a new socket being attached to the content filter
	188	*
	189	* Action: No reply is expected as this does not block the creation of the
	190	* TCP/IP but timely action must be taken to avoid user noticeable delays.
	191	*
	192	* Valid Types: CFM_TYPE_EVENT
	193	*
	194	* Valid Op: CFM_OP_SOCKET_ATTACHED
	195	*/
	196	struct cfil_msg_sock_attached {
0a7de745 A	197	struct cfil_msg_hdr cfs_msghdr;
	198	int cfs_sock_family; /* e.g. PF_INET */
	199	int cfs_sock_type; /* e.g. SOCK_STREAM */
	200	int cfs_sock_protocol; /* e.g. IPPROTO_TCP */
	201	int cfs_unused; /* padding */
	202	pid_t cfs_pid;
	203	pid_t cfs_e_pid;
	204	uuid_t cfs_uuid;
	205	uuid_t cfs_e_uuid;
cb323159 A	206	union sockaddr_in_4_6 cfs_src;
	207	union sockaddr_in_4_6 cfs_dst;
	208	int cfs_conn_dir;
	209	unsigned int cfs_audit_token[8]; /* Must match audit_token_t */
	210	cfil_crypto_signature cfs_signature;
	211	uint32_t cfs_signature_length;
fe8ab488 A	212	};
	213
	214	/*
	215	* struct cfil_msg_data_event
	216	*
	217	* Event for the content fiter to act on a span of data
	218	* A data span is described by a pair of offsets over the cumulative
	219	* number of bytes sent or received on the socket.
	220	*
	221	* Action: The event must be acted upon but the filter may buffer
	222	* data spans until it has enough content to make a decision.
	223	* The action must be timely to avoid user noticeable delays.
	224	*
	225	* Valid Type: CFM_TYPE_EVENT
	226	*
	227	* Valid Ops: CFM_OP_DATA_OUT, CFM_OP_DATA_IN
	228	*/
	229	struct cfil_msg_data_event {
0a7de745 A	230	struct cfil_msg_hdr cfd_msghdr;
	231	union sockaddr_in_4_6 cfc_src;
	232	union sockaddr_in_4_6 cfc_dst;
	233	uint64_t cfd_start_offset;
	234	uint64_t cfd_end_offset;
cb323159 A	235	cfil_crypto_signature cfd_signature;
cb323159 A	236	uint32_t cfd_signature_length;
fe8ab488 A	237	/* Actual content data immediatly follows */
	238	};
	239
5ba3f43e A	240	#define CFI_MAX_TIME_LOG_ENTRY 6
	241	/*
	242	* struct cfil_msg_sock_closed
	243	*
	244	* Information about a socket being closed to the content filter
	245	*
	246	* Action: No reply is expected as this does not block the closing of the
	247	* TCP/IP.
	248	*
	249	* Valid Types: CFM_TYPE_EVENT
	250	*
	251	* Valid Op: CFM_OP_SOCKET_CLOSED
	252	*/
	253	struct cfil_msg_sock_closed {
0a7de745 A	254	struct cfil_msg_hdr cfc_msghdr;
	255	struct timeval64 cfc_first_event;
	256	uint32_t cfc_op_list_ctr;
	257	uint32_t cfc_op_time[CFI_MAX_TIME_LOG_ENTRY]; /* time interval in microseconds since first event */
	258	unsigned char cfc_op_list[CFI_MAX_TIME_LOG_ENTRY];
cb323159 A	259	uint64_t cfc_byte_inbound_count;
	260	uint64_t cfc_byte_outbound_count;
	261	cfil_crypto_signature cfc_signature;
	262	uint32_t cfc_signature_length;
5ba3f43e A	263	} __attribute__((aligned(8)));
5ba3f43e A	264
fe8ab488 A	265	/*
	266	* struct cfil_msg_action
	267	*
	268	* Valid Type: CFM_TYPE_ACTION
	269	*
	270	* Valid Ops: CFM_OP_DATA_UPDATE, CFM_OP_DROP
	271	*
	272	* For CFM_OP_DATA_UPDATE:
	273	*
	274	* cfa_in_pass_offset and cfa_out_pass_offset indicates how much data is
	275	* allowed to pass. A zero value does not modify the corresponding pass offset.
	276	*
	277	* cfa_in_peek_offset and cfa_out_peek_offset lets the filter specify how much
	278	* data it needs to make a decision: the kernel will deliver data up to that
	279	* offset (if less than cfa_pass_offset it is ignored). Use CFM_MAX_OFFSET
	280	* if you don't value the corresponding peek offset to be updated.
	281	*/
	282	struct cfil_msg_action {
0a7de745 A	283	struct cfil_msg_hdr cfa_msghdr;
	284	uint64_t cfa_in_pass_offset;
	285	uint64_t cfa_in_peek_offset;
	286	uint64_t cfa_out_pass_offset;
	287	uint64_t cfa_out_peek_offset;
fe8ab488 A	288	};
fe8ab488 A	289
5ba3f43e A	290	/*
	291	* struct cfil_msg_bless_client
	292	*
	293	* Marks a client UUID as already filtered at a higher level.
	294	*
	295	* Valid Type: CFM_TYPE_ACTION
	296	*
	297	* Valid Ops: CFM_OP_BLESS_CLIENT
	298	*/
	299	struct cfil_msg_bless_client {
0a7de745	300	struct cfil_msg_hdr cfb_msghdr;
5ba3f43e A	301	uuid_t cfb_client_uuid;
	302	};
	303
cb323159 A	304	/*
	305	* struct cfil_msg_set_crypto_key
	306	*
	307	* Filter assigning client crypto key to CFIL for message signing
	308	*
	309	* Valid Type: CFM_TYPE_ACTION
	310	*
	311	* Valid Ops: CFM_OP_SET_CRYPTO_KEY
	312	*/
	313	struct cfil_msg_set_crypto_key {
	314	struct cfil_msg_hdr cfb_msghdr;
	315	cfil_crypto_key crypto_key;
	316	};
	317
0a7de745	318	#define CFM_MAX_OFFSET UINT64_MAX
fe8ab488 A	319
	320	/*
	321	* Statistics retrieved via sysctl(3)
	322	*/
	323	struct cfil_filter_stat {
0a7de745 A	324	uint32_t cfs_len;
	325	uint32_t cfs_filter_id;
	326	uint32_t cfs_flags;
	327	uint32_t cfs_sock_count;
	328	uint32_t cfs_necp_control_unit;
fe8ab488 A	329	};
	330
	331	struct cfil_entry_stat {
0a7de745 A	332	uint32_t ces_len;
	333	uint32_t ces_filter_id;
	334	uint32_t ces_flags;
	335	uint32_t ces_necp_control_unit;
	336	struct timeval64 ces_last_event;
	337	struct timeval64 ces_last_action;
fe8ab488	338	struct cfe_buf_stat {
0a7de745 A	339	uint64_t cbs_pending_first;
	340	uint64_t cbs_pending_last;
	341	uint64_t cbs_ctl_first;
	342	uint64_t cbs_ctl_last;
	343	uint64_t cbs_pass_offset;
	344	uint64_t cbs_peek_offset;
	345	uint64_t cbs_peeked;
fe8ab488 A	346	} ces_snd, ces_rcv;
	347	};
	348
	349	struct cfil_sock_stat {
0a7de745 A	350	uint32_t cfs_len;
	351	int cfs_sock_family;
	352	int cfs_sock_type;
	353	int cfs_sock_protocol;
	354	cfil_sock_id_t cfs_sock_id;
	355	uint64_t cfs_flags;
	356	pid_t cfs_pid;
	357	pid_t cfs_e_pid;
	358	uuid_t cfs_uuid;
	359	uuid_t cfs_e_uuid;
fe8ab488	360	struct cfi_buf_stat {
0a7de745 A	361	uint64_t cbs_pending_first;
	362	uint64_t cbs_pending_last;
	363	uint64_t cbs_pass_offset;
	364	uint64_t cbs_inject_q_len;
fe8ab488	365	} cfs_snd, cfs_rcv;
0a7de745	366	struct cfil_entry_stat ces_entries[CFIL_MAX_FILTER_COUNT];
fe8ab488 A	367	};
	368
	369	/*
	370	* Global statistics
	371	*/
	372	struct cfil_stats {
0a7de745 A	373	int32_t cfs_ctl_connect_ok;
	374	int32_t cfs_ctl_connect_fail;
	375	int32_t cfs_ctl_disconnect_ok;
	376	int32_t cfs_ctl_disconnect_fail;
	377	int32_t cfs_ctl_send_ok;
	378	int32_t cfs_ctl_send_bad;
	379	int32_t cfs_ctl_rcvd_ok;
	380	int32_t cfs_ctl_rcvd_bad;
	381	int32_t cfs_ctl_rcvd_flow_lift;
	382	int32_t cfs_ctl_action_data_update;
	383	int32_t cfs_ctl_action_drop;
	384	int32_t cfs_ctl_action_bad_op;
	385	int32_t cfs_ctl_action_bad_len;
	386
	387	int32_t cfs_sock_id_not_found;
	388
	389	int32_t cfs_cfi_alloc_ok;
	390	int32_t cfs_cfi_alloc_fail;
	391
	392	int32_t cfs_sock_userspace_only;
	393	int32_t cfs_sock_attach_in_vain;
	394	int32_t cfs_sock_attach_already;
	395	int32_t cfs_sock_attach_no_mem;
	396	int32_t cfs_sock_attach_failed;
	397	int32_t cfs_sock_attached;
	398	int32_t cfs_sock_detached;
	399
	400	int32_t cfs_attach_event_ok;
	401	int32_t cfs_attach_event_flow_control;
	402	int32_t cfs_attach_event_fail;
	403
	404	int32_t cfs_closed_event_ok;
	405	int32_t cfs_closed_event_flow_control;
	406	int32_t cfs_closed_event_fail;
	407
	408	int32_t cfs_data_event_ok;
	409	int32_t cfs_data_event_flow_control;
	410	int32_t cfs_data_event_fail;
	411
	412	int32_t cfs_disconnect_in_event_ok;
	413	int32_t cfs_disconnect_out_event_ok;
	414	int32_t cfs_disconnect_event_flow_control;
	415	int32_t cfs_disconnect_event_fail;
	416
	417	int32_t cfs_ctl_q_not_started;
fe8ab488 A	418
	419	int32_t cfs_close_wait;
	420	int32_t cfs_close_wait_timeout;
	421
	422	int32_t cfs_flush_in_drop;
	423	int32_t cfs_flush_out_drop;
	424	int32_t cfs_flush_in_close;
	425	int32_t cfs_flush_out_close;
	426	int32_t cfs_flush_in_free;
	427	int32_t cfs_flush_out_free;
	428
0a7de745 A	429	int32_t cfs_inject_q_nomem;
	430	int32_t cfs_inject_q_nobufs;
	431	int32_t cfs_inject_q_detached;
	432	int32_t cfs_inject_q_in_fail;
	433	int32_t cfs_inject_q_out_fail;
fe8ab488	434
0a7de745 A	435	int32_t cfs_inject_q_in_retry;
0a7de745 A	436	int32_t cfs_inject_q_out_retry;
fe8ab488 A	437
	438	int32_t cfs_data_in_control;
	439	int32_t cfs_data_in_oob;
	440	int32_t cfs_data_out_control;
	441	int32_t cfs_data_out_oob;
	442
0a7de745 A	443	int64_t cfs_ctl_q_in_enqueued __attribute__((aligned(8)));
	444	int64_t cfs_ctl_q_out_enqueued __attribute__((aligned(8)));
	445	int64_t cfs_ctl_q_in_peeked __attribute__((aligned(8)));
	446	int64_t cfs_ctl_q_out_peeked __attribute__((aligned(8)));
fe8ab488	447
0a7de745 A	448	int64_t cfs_pending_q_in_enqueued __attribute__((aligned(8)));
0a7de745 A	449	int64_t cfs_pending_q_out_enqueued __attribute__((aligned(8)));
fe8ab488	450
0a7de745 A	451	int64_t cfs_inject_q_in_enqueued __attribute__((aligned(8)));
	452	int64_t cfs_inject_q_out_enqueued __attribute__((aligned(8)));
	453	int64_t cfs_inject_q_in_passed __attribute__((aligned(8)));
	454	int64_t cfs_inject_q_out_passed __attribute__((aligned(8)));
fe8ab488 A	455	};
	456	#endif /* PRIVATE */
	457
	458	#ifdef BSD_KERNEL_PRIVATE
	459
0a7de745	460	#define M_SKIPCFIL M_PROTO5
fe8ab488 A	461
	462	extern int cfil_log_level;
	463
0a7de745	464	#define CFIL_LOG(level, fmt, ...) \
fe8ab488 A	465	do { \
fe8ab488 A	466	if (cfil_log_level >= level) \
0a7de745 A	467	printf("%s:%d " fmt "\n",\
0a7de745 A	468	__FUNCTION__, __LINE__, ##__VA_ARGS__); \
fe8ab488 A	469	} while (0)
	470
	471
	472	extern void cfil_init(void);
	473
cb323159 A	474	extern boolean_t cfil_filter_present(void);
	475	extern boolean_t cfil_sock_connected_pending_verdict(struct socket *so);
	476	extern errno_t cfil_sock_attach(struct socket *so,
	477	struct sockaddr local, struct sockaddr remote, int dir);
fe8ab488 A	478	extern errno_t cfil_sock_detach(struct socket *so);
	479
	480	extern int cfil_sock_data_out(struct socket so, struct sockaddr to,
0a7de745 A	481	struct mbuf data, struct mbuf control,
0a7de745 A	482	uint32_t flags);
fe8ab488	483	extern int cfil_sock_data_in(struct socket so, struct sockaddr from,
0a7de745 A	484	struct mbuf data, struct mbuf control,
0a7de745 A	485	uint32_t flags);
fe8ab488 A	486
	487	extern int cfil_sock_shutdown(struct socket so, int how);
	488	extern void cfil_sock_is_closed(struct socket *so);
	489	extern void cfil_sock_notify_shutdown(struct socket *so, int how);
	490	extern void cfil_sock_close_wait(struct socket *so);
	491
	492	extern boolean_t cfil_sock_data_pending(struct sockbuf *sb);
	493	extern int cfil_sock_data_space(struct sockbuf *sb);
	494	extern void cfil_sock_buf_update(struct sockbuf *sb);
	495
	496	extern cfil_sock_id_t cfil_sock_id_from_socket(struct socket *so);
	497
d9a64523	498	extern struct m_tag cfil_udp_get_socket_state(struct mbuf m, uint32_t *state_change_cnt,
0a7de745	499	short options, struct sockaddr *faddr);
fe8ab488 A	500	#endif /* BSD_KERNEL_PRIVATE */
fe8ab488 A	501
5ba3f43e A	502	__END_DECLS
5ba3f43e A	503
fe8ab488	504	#endif /* __CONTENT_FILTER_H__ */