]> git.saurik.com Git - apple/xnu.git/blame - security/mac_policy.h
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-1228.12.14.tar.gz
[apple/xnu.git] / security / mac_policy.h
CommitLineData
2d21ac55
A		 1/*
2 * Copyright (c) 2007 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/*-
29 * Copyright (c) 1999-2002 Robert N. M. Watson
30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
31 * Copyright (c) 2005-2007 SPARTA, Inc.
32 * All rights reserved.
33 *
34 * This software was developed by Robert Watson for the TrustedBSD Project.
35 *
36 * This software was developed for the FreeBSD Project in part by Network
37 * Associates Laboratories, the Security Research Division of Network
38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
39 * as part of the DARPA CHATS research program.
40 *
41 * This software was enhanced by SPARTA ISSO under SPAWAR contract
42 * N66001-04-C-6019 ("SEFOS").
43 *
44 * Redistribution and use in source and binary forms, with or without
45 * modification, are permitted provided that the following conditions
46 * are met:
47 * 1. Redistributions of source code must retain the above copyright
48 * notice, this list of conditions and the following disclaimer.
49 * 2. Redistributions in binary form must reproduce the above copyright
50 * notice, this list of conditions and the following disclaimer in the
51 * documentation and/or other materials provided with the distribution.
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
63 * SUCH DAMAGE.
64 *
65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $
66 */
67
68/**
69 @file mac_policy.h
70 @brief Kernel Interfaces for MAC policy modules
71
72 This header defines the list of operations that are defined by the
73 TrustedBSD MAC Framwork on Darwin. MAC Policy modules register
74 with the framework to declare interest in a specific set of
75 operations. If interest in an entry point is not declared, then
76 the policy will be ignored when the Framework evaluates that entry
77 point.
78*/
79
80#ifndef _SECURITY_MAC_POLICY_H_
81#define _SECURITY_MAC_POLICY_H_
82
83#include <security/_label.h>
84
85struct attrlist;
86struct auditinfo;
87struct bpf_d;
88struct devnode;
89struct fileglob;
90struct ifnet;
91struct inpcb;
92struct ipq;
93struct label;
94struct lctx;
95struct mac_module_data;
96struct mac_policy_conf;
97struct mbuf;
98struct mount;
99struct pipe;
100struct pseminfo;
101struct pshminfo;
102struct sbuf;
103struct semid_kernel;
104struct shmid_kernel;
105struct task;
106struct thread;
107struct ucred;
108struct vnode;
109/** @struct dummy */
110
111
112
113#ifndef _KAUTH_CRED_T
114#define _KAUTH_CRED_T
115typedef struct ucred *kauth_cred_t;
116#endif /* !_KAUTH_CRED_T */
117
118
119/*-
120 * MAC entry points are generally named using the following template:
121 *
122 * mpo_<object>_<operation>()
123 *
124 * or:
125 *
126 * mpo_<object>_check_<operation>()
127 *
128 * Entry points are sorted by object type.
129 *
130 * It may be desirable also to consider some subsystems as "objects", such
131 * as system, iokit, etc.
132 */
133
134/**
135 @name Entry Points for Label Management
136
137 These are the entry points corresponding to the life cycle events for
138 kernel objects, such as initialization, creation, and destruction.
139
140 Most policies (that use labels) will initialize labels by allocating
141 space for policy-specific data. In most cases, it is permitted to
142 sleep during label initialization operations; it will be noted when
143 it is not permitted.
144
145 Initialization usually will not require doing more than allocating a
146 generic label for the given object. What follows initialization is
147 creation, where a label is made specific to the object it is associated
148 with. Destruction occurs when the label is no longer needed, such as
149 when the corresponding object is destroyed. All necessary cleanup should
150 be performed in label destroy operations.
151
152 Where possible, the label entry points have identical parameters. If
153 the policy module does not require structure-specific label
154 information, the same function may be registered in the policy
155 operation vector. Many policies will implement two such generic
156 allocation calls: one to handle sleepable requests, and one to handle
157 potentially non-sleepable requests.
158*/
159
160
161/**
162 @brief Audit event postselection
163 @param cred Subject credential
164 @param syscode Syscall number
165 @param args Syscall arguments
166 @param error Syscall errno
167 @param retval Syscall return value
168
169 This is the MAC Framework audit postselect, which is called before
170 exiting a syscall to determine if an audit event should be committed.
171 A return value of MAC_AUDIT_NO forces the audit record to be suppressed.
172 Any other return value results in the audit record being committed.
173
174 @warning The suppression behavior will probably go away in Apple's
175 future version of the audit implementation.
176
177 @return Return MAC_AUDIT_NO to force suppression of the audit record.
178 Any other value results in the audit record being committed.
179
180*/
181typedef int mpo_audit_check_postselect_t(
182 kauth_cred_t cred,
183 unsigned short syscode,
184 void *args,
185 int error,
186 int retval
187);
188/**
189 @brief Audit event preselection
190 @param cred Subject credential
191 @param syscode Syscall number
192 @param args Syscall arguments
193
194 This is the MAC Framework audit preselect, which is called before a
195 syscall is entered to determine if an audit event should be created.
196 If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be
197 returned. A return value of MAC_AUDIT_NO causes the audit record to
198 be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants
199 to defer to the system's existing preselection mechanism.
200
201 When policies return different preferences, the Framework decides what action
202 to take based on the following policy. If any policy returns MAC_AUDIT_YES,
203 then create an audit record, else if any policy returns MAC_AUDIT_NO, then
204 suppress the creations of an audit record, else defer to the system's
205 existing preselection mechanism.
206
207 @warning The audit implementation in Apple's current version is
208 incomplete, so the MAC policies have priority over the system's existing
209 mechanisms. This will probably change in the future version where
210 the audit implementation is more complete.
211
212 @return Return MAC_AUDIT_YES to force auditing of the syscall,
213 MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT
214 to allow auditing mechanisms to determine if the syscall is audited.
215
216*/
217typedef int mpo_audit_check_preselect_t(
218 kauth_cred_t cred,
219 unsigned short syscode,
220 void *args
221);
222/**
223 @brief Initialize BPF descriptor label
224 @param label New label to initialize
225
226 Initialize the label for a newly instantiated BPF descriptor.
227 Sleeping is permitted.
228*/
229typedef void mpo_bpfdesc_label_init_t(
230 struct label *label
231);
232/**
233 @brief Destroy BPF descriptor label
234 @param label The label to be destroyed
235
236 Destroy a BPF descriptor label. Since the BPF descriptor
237 is going out of scope, policy modules should free any internal
238 storage associated with the label so that it may be destroyed.
239*/
240typedef void mpo_bpfdesc_label_destroy_t(
241 struct label *label
242);
243/**
244 @brief Associate a BPF descriptor with a label
245 @param cred User credential creating the BPF descriptor
246 @param bpf_d The BPF descriptor
247 @param bpflabel The new label
248
249 Set the label on a newly created BPF descriptor from the passed
250 subject credential. This call will be made when a BPF device node
251 is opened by a process with the passed subject credential.
252*/
253typedef void mpo_bpfdesc_label_associate_t(
254 kauth_cred_t cred,
255 struct bpf_d *bpf_d,
256 struct label *bpflabel
257);
258/**
259 @brief Check whether BPF can read from a network interface
260 @param bpf_d Subject; the BPF descriptor
261 @param bpflabel Policy label for bpf_d
262 @param ifp Object; the network interface
263 @param ifnetlabel Policy label for ifp
264
265 Determine whether the MAC framework should permit datagrams from
266 the passed network interface to be delivered to the buffers of
267 the passed BPF descriptor. Return (0) for success, or an errno
268 value for failure. Suggested failure: EACCES for label mismatches,
269 EPERM for lack of privilege.
270*/
271typedef int mpo_bpfdesc_check_receive_t(
272 struct bpf_d *bpf_d,
273 struct label *bpflabel,
274 struct ifnet *ifp,
275 struct label *ifnetlabel
276);
277/**
278 @brief Indicate desire to change the process label at exec time
279 @param old Existing subject credential
280 @param vp File being executed
281 @param vnodelabel Label corresponding to vp
282 @param scriptvnodelabel Script vnode label
283 @param execlabel Userspace provided execution label
284 @param proc Object process
285 @see mac_execve
286 @see mpo_cred_label_update_execve_t
287 @see mpo_vnode_check_exec_t
288
289 Indicate whether this policy intends to update the label of a newly
290 created credential from the existing subject credential (old). This
291 call occurs when a process executes the passed vnode. If a policy
292 returns success from this entry point, the mpo_cred_label_update_execve
293 entry point will later be called with the same parameters. Access
294 has already been checked via the mpo_vnode_check_exec entry point,
295 this entry point is necessary to preserve kernel locking constraints
296 during program execution.
297
298 The supplied vnode and vnodelabel correspond with the file actually
299 being executed; in the case that the file is interpreted (for
300 example, a script), the label of the original exec-time vnode has
301 been preserved in scriptvnodelabel.
302
303 The final label, execlabel, corresponds to a label supplied by a
304 user space application through the use of the mac_execve system call.
305
306 The vnode lock is held during this operation. No changes should be
307 made to the old credential structure.
308
309 @warning Even if a policy returns 0, it should behave correctly in
310 the presence of an invocation of mpo_cred_label_update_execve, as that
311 call may happen as a result of another policy requesting a transition.
312
313 @return Non-zero if a transition is required, 0 otherwise.
314*/
315typedef int mpo_cred_check_label_update_execve_t(
316 kauth_cred_t old,
317 struct vnode *vp,
318 struct label *vnodelabel,
319 struct label *scriptvnodelabel,
320 struct label *execlabel,
321 struct proc *proc
322);
323/**
324 @brief Access control check for relabelling processes
325 @param cred Subject credential
326 @param newlabel New label to apply to the user credential
327 @see mpo_cred_label_update_t
328 @see mac_set_proc
329
330 Determine whether the subject identified by the credential can relabel
331 itself to the supplied new label (newlabel). This access control check
332 is called when the mac_set_proc system call is invoked. A user space
333 application will supply a new value, the value will be internalized
334 and provided in newlabel.
335
336 @return Return 0 if access is granted, otherwise an appropriate value for
337 errno should be returned.
338*/
339typedef int mpo_cred_check_label_update_t(
340 kauth_cred_t cred,
341 struct label *newlabel
342);
343/**
344 @brief Access control check for visibility of other subjects
345 @param u1 Subject credential
346 @param u2 Object credential
347
348 Determine whether the subject identified by the credential u1 can
349 "see" other subjects with the passed subject credential u2. This call
350 may be made in a number of situations, including inter-process status
351 sysctls used by ps, and in procfs lookups.
352
353 @return Return 0 if access is granted, otherwise an appropriate value for
354 errno should be returned. Suggested failure: EACCES for label mismatch,
355 EPERM for lack of privilege, or ESRCH to hide visibility.
356*/
357typedef int mpo_cred_check_visible_t(
358 kauth_cred_t u1,
359 kauth_cred_t u2
360);
361/**
362 @brief Associate a credential with a new process at fork
363 @param cred credential to inherited by new process
364 @param proc the new process
365
366 Allow a process to associate the credential with a new
367 process for reference countng purposes.
368 NOTE: the credential can be dis-associated in ways other
369 than exit - so this strategy is flawed - should just
370 catch label destroy callback.
371*/
372typedef void mpo_cred_label_associate_fork_t(
373 kauth_cred_t cred,
374 proc_t proc
375);
376/**
377 @brief Create the first process
378 @param cred Subject credential to be labeled
379
380 Create the subject credential of process 0, the parent of all BSD
381 kernel processes. Policies should update the label in the
382 previously initialized credential structure.
383*/
384typedef void mpo_cred_label_associate_kernel_t(
385 kauth_cred_t cred
386);
387/**
388 @brief Create a credential label
389 @param parent_cred Parent credential
390 @param child_cred Child credential
391
392 Set the label of a newly created credential, most likely using the
393 information in the supplied parent credential.
394
395 @warning This call is made when crcopy or crdup is invoked on a
396 newly created struct ucred, and should not be confused with a
397 process fork or creation event.
398*/
399typedef void mpo_cred_label_associate_t(
400 kauth_cred_t parent_cred,
401 kauth_cred_t child_cred
402);
403/**
404 @brief Create the first process
405 @param cred Subject credential to be labeled
406
407 Create the subject credential of process 1, the parent of all BSD
408 user processes. Policies should update the label in the previously
409 initialized credential structure. This is the 'init' process.
410*/
411typedef void mpo_cred_label_associate_user_t(
412 kauth_cred_t cred
413);
414/**
415 @brief Destroy credential label
416 @param label The label to be destroyed
417
418 Destroy a user credential label. Since the user credential
419 is going out of scope, policy modules should free any internal
420 storage associated with the label so that it may be destroyed.
421*/
422typedef void mpo_cred_label_destroy_t(
423 struct label *label
424);
425/**
426 @brief Externalize a user credential label for auditing
427 @param label Label to be externalized
428 @param element_name Name of the label namespace for which labels should be
429 externalized
430 @param sb String buffer to be filled with a text representation of the label
431
432 Produce an external representation of the label on a user credential for
433 inclusion in an audit record. An externalized label consists of a text
434 representation of the label contents that will be added to the audit record
435 as part of a text token. Policy-agnostic user space tools will display
436 this externalized version.
437
438 @return 0 on success, return non-zero if an error occurs while
439 externalizing the label data.
440
441*/
442typedef int mpo_cred_label_externalize_audit_t(
443 struct label *label,
444 char *element_name,
445 struct sbuf *sb
446);
447/**
448 @brief Externalize a user credential label
449 @param label Label to be externalized
450 @param element_name Name of the label namespace for which labels should be
451 externalized
452 @param sb String buffer to be filled with a text representation of the label
453
454 Produce an external representation of the label on a user
455 credential. An externalized label consists of a text representation
456 of the label contents that can be used with user applications.
457 Policy-agnostic user space tools will display this externalized
458 version.
459
460 @return 0 on success, return non-zero if an error occurs while
461 externalizing the label data.
462
463*/
464typedef int mpo_cred_label_externalize_t(
465 struct label *label,
466 char *element_name,
467 struct sbuf *sb
468);
469/**
470 @brief Initialize user credential label
471 @param label New label to initialize
472
473 Initialize the label for a newly instantiated user credential.
474 Sleeping is permitted.
475*/
476typedef void mpo_cred_label_init_t(
477 struct label *label
478);
479/**
480 @brief Internalize a user credential label
481 @param label Label to be internalized
482 @param element_name Name of the label namespace for which the label should
483 be internalized
484 @param element_data Text data to be internalized
485
486 Produce a user credential label from an external representation. An
487 externalized label consists of a text representation of the label
488 contents that can be used with user applications. Policy-agnostic
489 user space tools will forward text version to the kernel for
490 processing by individual policy modules.
491
492 The policy's internalize entry points will be called only if the
493 policy has registered interest in the label namespace.
494
495 @return 0 on success, Otherwise, return non-zero if an error occurs
496 while internalizing the label data.
497
498*/
499typedef int mpo_cred_label_internalize_t(
500 struct label *label,
501 char *element_name,
502 char *element_data
503);
504/**
505 @brief Update credential at exec time
506 @param old_cred Existing subject credential
507 @param new_cred New subject credential to be labeled
508 @param vp File being executed
509 @param vnodelabel Label corresponding to vp
510 @param scriptvnodelabel Script vnode label
511 @param execlabel Userspace provided execution label
512 @see mac_execve
513 @see mpo_cred_check_label_update_execve_t
514 @see mpo_vnode_check_exec_t
515
516 Update the label of a newly created credential (new) from the
517 existing subject credential (old). This call occurs when a process
518 executes the passed vnode and one of the loaded policy modules has
519 returned success from the mpo_cred_check_label_update_execve entry point.
520 Access has already been checked via the mpo_vnode_check_exec entry
521 point, this entry point is only used to update any policy state.
522
523 The supplied vnode and vnodelabel correspond with the file actually
524 being executed; in the case that the file is interpreted (for
525 example, a script), the label of the original exec-time vnode has
526 been preserved in scriptvnodelabel.
527
528 The final label, execlabel, corresponds to a label supplied by a
529 user space application through the use of the mac_execve system call.
530
c910b4d9
A		 531 If non-NULL, the value pointed to by disjointp will be set to 0 to
532 indicate that the old and new credentials are not disjoint, or 1 to
533 indicate that they are.
534
2d21ac55
A		 535 The vnode lock is held during this operation. No changes should be
536 made to the old credential structure.
537*/
538typedef void mpo_cred_label_update_execve_t(
539 kauth_cred_t old_cred,
540 kauth_cred_t new_cred,
541 struct vnode *vp,
542 struct label *vnodelabel,
543 struct label *scriptvnodelabel,
c910b4d9
A		 544 struct label *execlabel,
545 int *disjointp
2d21ac55
A		 546);
547/**
548 @brief Update a credential label
549 @param cred The existing credential
550 @param newlabel A new label to apply to the credential
551 @see mpo_cred_check_label_update_t
552 @see mac_set_proc
553
554 Update the label on a user credential, using the supplied new label.
555 This is called as a result of a process relabel operation. Access
556 control was already confirmed by mpo_cred_check_label_update.
557*/
558typedef void mpo_cred_label_update_t(
559 kauth_cred_t cred,
560 struct label *newlabel
561);
562/**
563 @brief Create a new devfs device
564 @param dev Major and minor numbers of special file
565 @param de "inode" of new device file
566 @param label Destination label
567 @param fullpath Path relative to mount (e.g. /dev) of new device file
568
569 This entry point labels a new devfs device. The label will likely be based
570 on the path to the device, or the major and minor numbers.
571 The policy should store an appropriate label into 'label'.
572*/
573typedef void mpo_devfs_label_associate_device_t(
574 dev_t dev,
575 struct devnode *de,
576 struct label *label,
577 const char *fullpath
578);
579/**
580 @brief Create a new devfs directory
581 @param dirname Name of new directory
582 @param dirnamelen Length of 'dirname'
583 @param de "inode" of new directory
584 @param label Destination label
585 @param fullpath Path relative to mount (e.g. /dev) of new directory
586
587 This entry point labels a new devfs directory. The label will likely be
588 based on the path of the new directory. The policy should store an appropriate
589 label into 'label'. The devfs root directory is labelled in this way.
590*/
591typedef void mpo_devfs_label_associate_directory_t(
592 const char *dirname,
593 int dirnamelen,
594 struct devnode *de,
595 struct label *label,
596 const char *fullpath
597);
598/**
599 @brief Copy a devfs label
600 @param src Source devfs label
601 @param dest Destination devfs label
602
603 Copy the label information from src to dest. The devfs file system
604 often duplicates (splits) existing device nodes rather than creating
605 new ones.
606*/
607typedef void mpo_devfs_label_copy_t(
608 struct label *src,
609 struct label *dest
610);
611/**
612 @brief Destroy devfs label
613 @param label The label to be destroyed
614
615 Destroy a devfs entry label. Since the object is going out
616 of scope, policy modules should free any internal storage associated
617 with the label so that it may be destroyed.
618*/
619typedef void mpo_devfs_label_destroy_t(
620 struct label *label
621);
622/**
623 @brief Initialize devfs label
624 @param label New label to initialize
625
626 Initialize the label for a newly instantiated devfs entry. Sleeping
627 is permitted.
628*/
629typedef void mpo_devfs_label_init_t(
630 struct label *label
631);
632/**
633 @brief Update a devfs label after relabelling its vnode
634 @param mp Devfs mount point
635 @param de Affected devfs directory entry
636 @param delabel Label of devfs directory entry
637 @param vp Vnode associated with de
638 @param vnodelabel New label of vnode
639
640 Update a devfs label when its vnode is manually relabelled,
641 for example with setfmac(1). Typically, this will simply copy
642 the vnode label into the devfs label.
643*/
644typedef void mpo_devfs_label_update_t(
645 struct mount *mp,
646 struct devnode *de,
647 struct label *delabel,
648 struct vnode *vp,
649 struct label *vnodelabel
650);
651/**
652 @brief Access control for changing the offset of a file descriptor
653 @param cred Subject credential
654 @param fg Fileglob structure
655 @param label Policy label for fg
656
657 Determine whether the subject identified by the credential can
658 change the offset of the file represented by fg.
659
660 @return Return 0 if access if granted, otherwise an appropriate
661 value for errno should be returned.
662*/
663typedef int mpo_file_check_change_offset_t(
664 kauth_cred_t cred,
665 struct fileglob *fg,
666 struct label *label
667);
668/**
669 @brief Access control for creating a file descriptor
670 @param cred Subject credential
671
672 Determine whether the subject identified by the credential can
673 allocate a new file descriptor.
674
675 @return Return 0 if access if granted, otherwise an appropriate
676 value for errno should be returned.
677*/
678typedef int mpo_file_check_create_t(
679 kauth_cred_t cred
680);
681/**
682 @brief Access control for duplicating a file descriptor
683 @param cred Subject credential
684 @param fg Fileglob structure
685 @param label Policy label for fg
686 @param newfd New file descriptor number
687
688 Determine whether the subject identified by the credential can
689 duplicate the fileglob structure represented by fg and as file
690 descriptor number newfd.
691
692 @return Return 0 if access if granted, otherwise an appropriate
693 value for errno should be returned.
694*/
695typedef int mpo_file_check_dup_t(
696 kauth_cred_t cred,
697 struct fileglob *fg,
698 struct label *label,
699 int newfd
700);
701/**
702 @brief Access control check for fcntl
703 @param cred Subject credential
704 @param fg Fileglob structure
705 @param label Policy label for fg
706 @param cmd Control operation to be performed; see fcntl(2)
707 @param arg fcnt arguments; see fcntl(2)
708
709 Determine whether the subject identified by the credential can perform
710 the file control operation indicated by cmd.
711
712 @return Return 0 if access is granted, otherwise an appropriate value for
713 errno should be returned.
714*/
715typedef int mpo_file_check_fcntl_t(
716 kauth_cred_t cred,
717 struct fileglob *fg,
718 struct label *label,
719 int cmd,
720 user_long_t arg
721);
722/**
723 @brief Access control check for mac_get_fd
724 @param cred Subject credential
725 @param fg Fileglob structure
726 @param elements Element buffer
727 @param len Length of buffer
728
729 Determine whether the subject identified by the credential should be allowed
730 to get an externalized version of the label on the object indicated by fd.
731
732 @return Return 0 if access is granted, otherwise an appropriate value for
733 errno should be returned.
734*/
735typedef int mpo_file_check_get_t(
736 kauth_cred_t cred,
737 struct fileglob *fg,
738 char *elements,
739 int len
740);
741/**
742 @brief Access control for getting the offset of a file descriptor
743 @param cred Subject credential
744 @param fg Fileglob structure
745 @param label Policy label for fg
746
747 Determine whether the subject identified by the credential can
748 get the offset of the file represented by fg.
749
750 @return Return 0 if access if granted, otherwise an appropriate
751 value for errno should be returned.
752*/
753typedef int mpo_file_check_get_offset_t(
754 kauth_cred_t cred,
755 struct fileglob *fg,
756 struct label *label
757);
758/**
759 @brief Access control for inheriting a file descriptor
760 @param cred Subject credential
761 @param fg Fileglob structure
762 @param label Policy label for fg
763
764 Determine whether the subject identified by the credential can
765 inherit the fileglob structure represented by fg.
766
767 @return Return 0 if access if granted, otherwise an appropriate
768 value for errno should be returned.
769*/
770typedef int mpo_file_check_inherit_t(
771 kauth_cred_t cred,
772 struct fileglob *fg,
773 struct label *label
774);
775/**
776 @brief Access control check for file ioctl
777 @param cred Subject credential
778 @param fg Fileglob structure
779 @param label Policy label for fg
780 @param cmd The ioctl command; see ioctl(2)
781
782 Determine whether the subject identified by the credential can perform
783 the ioctl operation indicated by cmd.
784
785 @warning Since ioctl data is opaque from the standpoint of the MAC
786 framework, policies must exercise extreme care when implementing
787 access control checks.
788
789 @return Return 0 if access is granted, otherwise an appropriate value for
790 errno should be returned.
791
792*/
793typedef int mpo_file_check_ioctl_t(
794 kauth_cred_t cred,
795 struct fileglob *fg,
796 struct label *label,
797 unsigned int cmd
798);
799/**
800 @brief Access control check for file locking
801 @param cred Subject credential
802 @param fg Fileglob structure
803 @param label Policy label for fg
804 @param op The lock operation (F_GETLK, F_SETLK, F_UNLK)
805 @param fl The flock structure
806
807 Determine whether the subject identified by the credential can perform
808 the lock operation indicated by op and fl on the file represented by fg.
809
810 @return Return 0 if access is granted, otherwise an appropriate value for
811 errno should be returned.
812
813*/
814typedef int mpo_file_check_lock_t(
815 kauth_cred_t cred,
816 struct fileglob *fg,
817 struct label *label,
818 int op,
819 struct flock *fl
820);
821/**
822 @brief Access control check for mapping a file
823 @param cred Subject credential
824 @param fg fileglob representing file to map
825 @param label Policy label associated with vp
826 @param prot mmap protections; see mmap(2)
827 @param flags Type of mapped object; see mmap(2)
828 @param maxprot Maximum rights
829
830 Determine whether the subject identified by the credential should be
831 allowed to map the file represented by fg with the protections specified
832 in prot. The maxprot field holds the maximum permissions on the new
833 mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE.
834 To avoid overriding prior access control checks, a policy should only
835 remove flags from maxprot.
836
837 @return Return 0 if access is granted, otherwise an appropriate value for
838 errno should be returned. Suggested failure: EACCES for label mismatch or
839 EPERM for lack of privilege.
840*/
841typedef int mpo_file_check_mmap_t(
842 kauth_cred_t cred,
843 struct fileglob *fg,
844 struct label *label,
845 int prot,
846 int flags,
847 int *maxprot
848);
849/**
850 @brief Downgrade the mmap protections
851 @param cred Subject credential
852 @param fg file to map
853 @param label Policy label associated with vp
854 @param prot mmap protections to be downgraded
855
856 Downgrade the mmap protections based on the subject and object labels.
857*/
858typedef void mpo_file_check_mmap_downgrade_t(
859 kauth_cred_t cred,
860 struct fileglob *fg,
861 struct label *label,
862 int *prot
863);
864/**
865 @brief Access control for receiving a file descriptor
866 @param cred Subject credential
867 @param fg Fileglob structure
868 @param label Policy label for fg
869
870 Determine whether the subject identified by the credential can
871 receive the fileglob structure represented by fg.
872
873 @return Return 0 if access if granted, otherwise an appropriate
874 value for errno should be returned.
875*/
876typedef int mpo_file_check_receive_t(
877 kauth_cred_t cred,
878 struct fileglob *fg,
879 struct label *label
880);
881/**
882 @brief Access control check for mac_set_fd
883 @param cred Subject credential
884 @param fg Fileglob structure
885 @param elements Elements buffer
886 @param len Length of elements buffer
887
888 Determine whether the subject identified by the credential can
889 perform the mac_set_fd operation. The mac_set_fd operation is used
890 to associate a MAC label with a file.
891
892 @return Return 0 if access is granted, otherwise an appropriate value for
893 errno should be returned.
894*/
895typedef int mpo_file_check_set_t(
896 kauth_cred_t cred,
897 struct fileglob *fg,
898 char *elements,
899 int len
900);
901/**
902 @brief Create file label
903 @param cred Subject credential
904 @param fg Fileglob structure
905 @param label Policy label for fg
906*/
907typedef void mpo_file_label_associate_t(
908 kauth_cred_t cred,
909 struct fileglob *fg,
910 struct label *label
911);
912/**
913 @brief Destroy file label
914 @param label The label to be destroyed
915
916 Destroy the label on a file descriptor. In this entry point, a
917 policy module should free any internal storage associated with
918 label so that it may be destroyed.
919*/
920typedef void mpo_file_label_destroy_t(
921 struct label *label
922);
923/**
924 @brief Initialize file label
925 @param label New label to initialize
926*/
927typedef void mpo_file_label_init_t(
928 struct label *label
929);
930/**
931 @brief Access control check for relabeling network interfaces
932 @param cred Subject credential
933 @param ifp network interface being relabeled
934 @param ifnetlabel Current label of the network interfaces
935 @param newlabel New label to apply to the network interfaces
936 @see mpo_ifnet_label_update_t
937
938 Determine whether the subject identified by the credential can
939 relabel the network interface represented by ifp to the supplied
940 new label (newlabel).
941
942 @return Return 0 if access is granted, otherwise an appropriate value for
943 errno should be returned.
944*/
945typedef int mpo_ifnet_check_label_update_t(
946 kauth_cred_t cred,
947 struct ifnet *ifp,
948 struct label *ifnetlabel,
949 struct label *newlabel
950);
951/**
952 @brief Access control check for relabeling network interfaces
953 @param ifp Network interface mbuf will be transmitted through
954 @param ifnetlabel Label of the network interfaces
955 @param m The mbuf to be transmitted
956 @param mbuflabel Label of the mbuf to be transmitted
957 @param family Address Family, AF_*
958 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
959
960 Determine whether the mbuf with label mbuflabel may be transmitted
961 through the network interface represented by ifp that has the
962 label ifnetlabel.
963
964 @return Return 0 if access is granted, otherwise an appropriate value for
965 errno should be returned.
966*/
967typedef int mpo_ifnet_check_transmit_t(
968 struct ifnet *ifp,
969 struct label *ifnetlabel,
970 struct mbuf *m,
971 struct label *mbuflabel,
972 int family,
973 int type
974);
975/**
976 @brief Create a network interface label
977 @param ifp Network interface labeled
978 @param ifnetlabel Label for the network interface
979
980 Set the label of a newly created network interface, most likely
981 using the information in the supplied network interface struct.
982*/
983typedef void mpo_ifnet_label_associate_t(
984 struct ifnet *ifp,
985 struct label *ifnetlabel
986);
987/**
988 @brief Copy an ifnet label
989 @param src Source ifnet label
990 @param dest Destination ifnet label
991
992 Copy the label information from src to dest.
993*/
994typedef void mpo_ifnet_label_copy_t(
995 struct label *src,
996 struct label *dest
997);
998/**
999 @brief Destroy ifnet label
1000 @param label The label to be destroyed
1001
1002 Destroy the label on an ifnet label. In this entry point, a
1003 policy module should free any internal storage associated with
1004 label so that it may be destroyed.
1005*/
1006typedef void mpo_ifnet_label_destroy_t(
1007 struct label *label
1008);
1009/**
1010 @brief Externalize an ifnet label
1011 @param label Label to be externalized
1012 @param element_name Name of the label namespace for which labels should be
1013 externalized
1014 @param sb String buffer to be filled with a text representation of the label
1015
1016 Produce an external representation of the label on an interface.
1017 An externalized label consists of a text representation of the
1018 label contents that can be used with user applications.
1019 Policy-agnostic user space tools will display this externalized
1020 version.
1021
1022 @return 0 on success, return non-zero if an error occurs while
1023 externalizing the label data.
1024
1025*/
1026typedef int mpo_ifnet_label_externalize_t(
1027 struct label *label,
1028 char *element_name,
1029 struct sbuf *sb
1030);
1031/**
1032 @brief Initialize ifnet label
1033 @param label New label to initialize
1034*/
1035typedef void mpo_ifnet_label_init_t(
1036 struct label *label
1037);
1038/**
1039 @brief Internalize an interface label
1040 @param label Label to be internalized
1041 @param element_name Name of the label namespace for which the label should
1042 be internalized
1043 @param element_data Text data to be internalized
1044
1045 Produce an interface label from an external representation. An
1046 externalized label consists of a text representation of the label
1047 contents that can be used with user applications. Policy-agnostic
1048 user space tools will forward text version to the kernel for
1049 processing by individual policy modules.
1050
1051 The policy's internalize entry points will be called only if the
1052 policy has registered interest in the label namespace.
1053
1054 @return 0 on success, Otherwise, return non-zero if an error occurs
1055 while internalizing the label data.
1056
1057*/
1058typedef int mpo_ifnet_label_internalize_t(
1059 struct label *label,
1060 char *element_name,
1061 char *element_data
1062);
1063/**
1064 @brief Recycle up a network interface label
1065 @param label The label to be recycled
1066
1067 Recycle a network interface label. Darwin caches the struct ifnet
1068 of detached ifnets in a "free pool". Before ifnets are returned
1069 to the "free pool", policies can cleanup or overwrite any information
1070 present in the label.
1071*/
1072typedef void mpo_ifnet_label_recycle_t(
1073 struct label *label
1074);
1075/**
1076 @brief Update a network interface label
1077 @param cred Subject credential
1078 @param ifp The network interface to be relabeled
1079 @param ifnetlabel The current label of the network interface
1080 @param newlabel A new label to apply to the network interface
1081 @see mpo_ifnet_check_label_update_t
1082
1083 Update the label on a network interface, using the supplied new label.
1084*/
1085typedef void mpo_ifnet_label_update_t(
1086 kauth_cred_t cred,
1087 struct ifnet *ifp,
1088 struct label *ifnetlabel,
1089 struct label *newlabel
1090);
1091/**
1092 @brief Access control check for delivering a packet to a socket
1093 @param inp inpcb the socket is associated with
1094 @param inplabel Label of the inpcb
1095 @param m The mbuf being received
1096 @param mbuflabel Label of the mbuf being received
1097 @param family Address family, AF_*
1098 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
1099
1100 Determine whether the mbuf with label mbuflabel may be received
1101 by the socket associated with inpcb that has the label inplabel.
1102
1103 @return Return 0 if access is granted, otherwise an appropriate value for
1104 errno should be returned.
1105*/
1106typedef int mpo_inpcb_check_deliver_t(
1107 struct inpcb *inp,
1108 struct label *inplabel,
1109 struct mbuf *m,
1110 struct label *mbuflabel,
1111 int family,
1112 int type
1113);
1114/**
1115 @brief Create an inpcb label
1116 @param so Socket containing the inpcb to be labeled
1117 @param solabel Label of the socket
1118 @param inp inpcb to be labeled
1119 @param inplabel Label for the inpcb
1120
1121 Set the label of a newly created inpcb, most likely
1122 using the information in the socket and/or socket label.
1123*/
1124typedef void mpo_inpcb_label_associate_t(
1125 struct socket *so,
1126 struct label *solabel,
1127 struct inpcb *inp,
1128 struct label *inplabel
1129);
1130/**
1131 @brief Destroy inpcb label
1132 @param label The label to be destroyed
1133
1134 Destroy the label on an inpcb label. In this entry point, a
1135 policy module should free any internal storage associated with
1136 label so that it may be destroyed.
1137*/
1138typedef void mpo_inpcb_label_destroy_t(
1139 struct label *label
1140);
1141/**
1142 @brief Initialize inpcb label
1143 @param label New label to initialize
1144 @param flag M_WAITOK or M_NOWAIT
1145*/
1146typedef int mpo_inpcb_label_init_t(
1147 struct label *label,
1148 int flag
1149);
1150/**
1151 @brief Recycle up an inpcb label
1152 @param label The label to be recycled
1153
1154 Recycle an inpcb label. Darwin allocates the inpcb as part of
1155 the socket structure in some cases. For this case we must recycle
1156 rather than destroy the inpcb as it will be reused later.
1157*/
1158typedef void mpo_inpcb_label_recycle_t(
1159 struct label *label
1160);
1161/**
1162 @brief Update an inpcb label from a socket label
1163 @param so Socket containing the inpcb to be relabeled
1164 @param solabel New label of the socket
1165 @param inp inpcb to be labeled
1166 @param inplabel Label for the inpcb
1167
1168 Set the label of a newly created inpcb due to a change in the
1169 underlying socket label.
1170*/
1171typedef void mpo_inpcb_label_update_t(
1172 struct socket *so,
1173 struct label *solabel,
1174 struct inpcb *inp,
1175 struct label *inplabel
1176);
1177/**
1178 @brief Device hardware access control
1179 @param devtype Type of device connected
1180 @param properties XML-formatted property list
1181 @param proplen Length of the property list
1182
1183 This is the MAC Framework device access control, which is called by the I/O
1184 Kit when a new device is connected to the system to determine whether that
1185 device should be trusted. A list of properties associated with the device
1186 is passed as an XML-formatted string. The routine should examine these
1187 properties to determine the trustworthiness of the device. A return value
1188 of EPERM forces the device to be claimed by a special device driver that
1189 will prevent its operation.
1190
1191 @warning This is an experimental interface and may change in the future.
1192
1193 @return Return EPERM to indicate that the device is untrusted and should
1194 not be allowed to operate. Return zero to indicate that the device is
1195 trusted and should be allowed to operate normally.
1196
1197*/
1198typedef int mpo_iokit_check_device_t(
1199 char *devtype,
1200 struct mac_module_data *mdata
1201);
1202/**
1203 @brief Create an IP reassembly queue label
1204 @param fragment First received IP fragment
1205 @param fragmentlabel Policy label for fragment
1206 @param ipq IP reassembly queue to be labeled
1207 @param ipqlabel Policy label to be filled in for ipq
1208
1209 Set the label on a newly created IP reassembly queue from
1210 the mbuf header of the first received fragment.
1211*/
1212typedef void mpo_ipq_label_associate_t(
1213 struct mbuf *fragment,
1214 struct label *fragmentlabel,
1215 struct ipq *ipq,
1216 struct label *ipqlabel
1217);
1218/**
1219 @brief Compare an mbuf header label to an ipq label
1220 @param fragment IP datagram fragment
1221 @param fragmentlabel Policy label for fragment
1222 @param ipq IP fragment reassembly queue
1223 @param ipqlabel Policy label for ipq
1224
1225 Compare the label of the mbuf header containing an IP datagram
1226 (fragment) fragment with the label of the passed IP fragment
1227 reassembly queue (ipq). Return (1) for a successful match, or (0)
1228 for no match. This call is made when the IP stack attempts to
1229 find an existing fragment reassembly queue for a newly received
1230 fragment; if this fails, a new fragment reassembly queue may be
1231 instantiated for the fragment. Policies may use this entry point
1232 to prevent the reassembly of otherwise matching IP fragments if
1233 policy does not permit them to be reassembled based on the label
1234 or other information.
1235*/
1236typedef int mpo_ipq_label_compare_t(
1237 struct mbuf *fragment,
1238 struct label *fragmentlabel,
1239 struct ipq *ipq,
1240 struct label *ipqlabel
1241);
1242/**
1243 @brief Destroy IP reassembly queue label
1244 @param label The label to be destroyed
1245
1246 Destroy the label on an IP fragment queue. In this entry point, a
1247 policy module should free any internal storage associated with
1248 label so that it may be destroyed.
1249*/
1250typedef void mpo_ipq_label_destroy_t(
1251 struct label *label
1252);
1253/**
1254 @brief Initialize IP reassembly queue label
1255 @param label New label to initialize
1256 @param flag M_WAITOK or M_NOWAIT
1257
1258 Initialize the label on a newly instantiated IP fragment reassembly
1259 queue. The flag field may be one of M_WAITOK and M_NOWAIT, and
1260 should be employed to avoid performing a sleeping malloc(9) during
1261 this initialization call. IP fragment reassembly queue allocation
1262 frequently occurs in performance sensitive environments, and the
1263 implementation should be careful to avoid sleeping or long-lived
1264 operations. This entry point is permitted to fail resulting in
1265 the failure to allocate the IP fragment reassembly queue.
1266*/
1267typedef int mpo_ipq_label_init_t(
1268 struct label *label,
1269 int flag
1270);
1271/**
1272 @brief Update the label on an IP fragment reassembly queue
1273 @param fragment IP fragment
1274 @param fragmentlabel Policy label for fragment
1275 @param ipq IP fragment reassembly queue
1276 @param ipqlabel Policy label to be updated for ipq
1277
1278 Update the label on an IP fragment reassembly queue (ipq) based
1279 on the acceptance of the passed IP fragment mbuf header (fragment).
1280*/
1281typedef void mpo_ipq_label_update_t(
1282 struct mbuf *fragment,
1283 struct label *fragmentlabel,
1284 struct ipq *ipq,
1285 struct label *ipqlabel
1286);
1287/**
1288 @brief Access control check for relabelling Login Context
1289 @param l Subject credential
1290 @param newlabel New label to apply to the Login Context
1291 @see mpo_lctx_label_update_t
1292 @see mac_set_lcid
1293 @see mac_set_lctx
1294
1295 Determine whether the subject identified by the credential can relabel
1296 itself to the supplied new label (newlabel). This access control check
1297 is called when the mac_set_lctx/lcid system call is invoked. A user space
1298 application will supply a new value, the value will be internalized
1299 and provided in newlabel.
1300
1301 @return Return 0 if access is granted, otherwise an appropriate value for
1302 errno should be returned.
1303*/
1304typedef int mpo_lctx_check_label_update_t(
1305 struct lctx *l,
1306 struct label *newlabel
1307);
1308/**
1309 @brief Destroy Login Context label
1310 @param label The label to be destroyed
1311*/
1312typedef void mpo_lctx_label_destroy_t(
1313 struct label *label
1314);
1315/**
1316 @brief Externalize a Login Context label
1317 @param label Label to be externalized
1318 @param element_name Name of the label namespace for which labels should be
1319 externalized
1320 @param sb String buffer to be filled with a text representation of the label
1321
1322 Produce an external representation of the label on a Login Context.
1323 An externalized label consists of a text representation
1324 of the label contents that can be used with user applications.
1325 Policy-agnostic user space tools will display this externalized
1326 version.
1327
1328 @return 0 on success, return non-zero if an error occurs while
1329 externalizing the label data.
1330
1331*/
1332typedef int mpo_lctx_label_externalize_t(
1333 struct label *label,
1334 char *element_name,
1335 struct sbuf *sb
1336);
1337/**
1338 @brief Initialize Login Context label
1339 @param label New label to initialize
1340*/
1341typedef void mpo_lctx_label_init_t(
1342 struct label *label
1343);
1344/**
1345 @brief Internalize a Login Context label
1346 @param label Label to be internalized
1347 @param element_name Name of the label namespace for which the label should
1348 be internalized
1349 @param element_data Text data to be internalized
1350
1351 Produce a Login Context label from an external representation. An
1352 externalized label consists of a text representation of the label
1353 contents that can be used with user applications. Policy-agnostic
1354 user space tools will forward text version to the kernel for
1355 processing by individual policy modules.
1356
1357 The policy's internalize entry points will be called only if the
1358 policy has registered interest in the label namespace.
1359
1360 @return 0 on success, Otherwise, return non-zero if an error occurs
1361 while internalizing the label data.
1362
1363*/
1364typedef int mpo_lctx_label_internalize_t(
1365 struct label *label,
1366 char *element_name,
1367 char *element_data
1368);
1369/**
1370 @brief Update a Login Context label
1371 @param l
1372 @param newlabel A new label to apply to the Login Context
1373 @see mpo_lctx_check_label_update_t
1374 @see mac_set_lcid
1375 @see mac_set_lctx
1376
1377 Update the label on a login context, using the supplied new label.
1378 This is called as a result of a login context relabel operation. Access
1379 control was already confirmed by mpo_lctx_check_label_update.
1380*/
1381typedef void mpo_lctx_label_update_t(
1382 struct lctx *l,
1383 struct label *newlabel
1384);
1385/**
1386 @brief A process has created a login context
1387 @param p Subject
1388 @param l Login Context
1389
1390 When a process creates a login context (via setlcid()) this entrypoint
1391 is called to notify the policy that the process 'p' has created login
1392 context 'l'.
1393*/
1394typedef void mpo_lctx_notify_create_t(
1395 struct proc *p,
1396 struct lctx *l
1397);
1398/**
1399 @brief A process has joined a login context
1400 @param p Subject
1401 @param l Login Context
1402
1403 When a process joins a login context, either via setlcid() or via
1404 fork() this entrypoint is called to notify the policy that process
1405 'p' is now a member of login context 'l'.
1406*/
1407typedef void mpo_lctx_notify_join_t(
1408 struct proc *p,
1409 struct lctx *l
1410);
1411/**
1412 @brief A process has left a login context
1413 @param p Subject
1414 @param l Login Context
1415
1416 When a process leaves a login context either via setlcid() or as a
1417 result of the process exiting this entrypoint is called to notify
1418 the policy that the process 'p' is no longer a member of login context 'l'.
1419*/
1420typedef void mpo_lctx_notify_leave_t(
1421 struct proc *p,
1422 struct lctx *l
1423);
1424/**
1425 @brief Assign a label to a new mbuf
1426 @param bpf_d BPF descriptor
1427 @param b_label Policy label for bpf_d
1428 @param m Object; mbuf
1429 @param m_label Policy label to fill in for m
1430
1431 Set the label on the mbuf header of a newly created datagram
1432 generated using the passed BPF descriptor. This call is made when
1433 a write is performed to the BPF device associated with the passed
1434 BPF descriptor.
1435*/
1436typedef void mpo_mbuf_label_associate_bpfdesc_t(
1437 struct bpf_d *bpf_d,
1438 struct label *b_label,
1439 struct mbuf *m,
1440 struct label *m_label
1441);
1442/**
1443 @brief Assign a label to a new mbuf
1444 @param ifp Interface descriptor
1445 @param i_label Existing label of ifp
1446 @param m Object; mbuf
1447 @param m_label Policy label to fill in for m
1448
1449 Label an mbuf based on the interface from which it was received.
1450*/
1451typedef void mpo_mbuf_label_associate_ifnet_t(
1452 struct ifnet *ifp,
1453 struct label *i_label,
1454 struct mbuf *m,
1455 struct label *m_label
1456);
1457/**
1458 @brief Assign a label to a new mbuf
1459 @param inp inpcb structure
1460 @param i_label Existing label of inp
1461 @param m Object; mbuf
1462 @param m_label Policy label to fill in for m
1463
1464 Label an mbuf based on the inpcb from which it was derived.
1465*/
1466typedef void mpo_mbuf_label_associate_inpcb_t(
1467 struct inpcb *inp,
1468 struct label *i_label,
1469 struct mbuf *m,
1470 struct label *m_label
1471);
1472/**
1473 @brief Set the label on a newly reassembled IP datagram
1474 @param ipq IP fragment reassembly queue
1475 @param ipqlabel Policy label for ipq
1476 @param mbuf IP datagram to be labeled
1477 @param mbuflabel Policy label to be filled in for mbuf
1478
1479 Set the label on a newly reassembled IP datagram (mbuf) from the IP
1480 fragment reassembly queue (ipq) from which it was generated.
1481*/
1482typedef void mpo_mbuf_label_associate_ipq_t(
1483 struct ipq *ipq,
1484 struct label *ipqlabel,
1485 struct mbuf *mbuf,
1486 struct label *mbuflabel
1487);
1488/**
1489 @brief Assign a label to a new mbuf
1490 @param ifp Subject; network interface
1491 @param i_label Existing label of ifp
1492 @param m Object; mbuf
1493 @param m_label Policy label to fill in for m
1494
1495 Set the label on the mbuf header of a newly created datagram
1496 generated for the purposes of a link layer response for the passed
1497 interface. This call may be made in a number of situations, including
1498 for ARP or ND6 responses in the IPv4 and IPv6 stacks.
1499*/
1500typedef void mpo_mbuf_label_associate_linklayer_t(
1501 struct ifnet *ifp,
1502 struct label *i_label,
1503 struct mbuf *m,
1504 struct label *m_label
1505);
1506/**
1507 @brief Assign a label to a new mbuf
1508 @param oldmbuf mbuf headerder for existing datagram for existing datagram
1509 @param oldmbuflabel Policy label for oldmbuf
1510 @param ifp Network interface
1511 @param ifplabel Policy label for ifp
1512 @param newmbuf mbuf header to be labeled for new datagram
1513 @param newmbuflabel Policy label for newmbuf
1514
1515 Set the label on the mbuf header of a newly created datagram
1516 generated from the existing passed datagram when it is processed
1517 by the passed multicast encapsulation interface. This call is made
1518 when an mbuf is to be delivered using the virtual interface.
1519*/
1520typedef void mpo_mbuf_label_associate_multicast_encap_t(
1521 struct mbuf *oldmbuf,
1522 struct label *oldmbuflabel,
1523 struct ifnet *ifp,
1524 struct label *ifplabel,
1525 struct mbuf *newmbuf,
1526 struct label *newmbuflabel
1527);
1528/**
1529 @brief Assign a label to a new mbuf
1530 @param oldmbuf Received datagram
1531 @param oldmbuflabel Policy label for oldmbuf
1532 @param newmbuf Newly created datagram
1533 @param newmbuflabel Policy label for newmbuf
1534
1535 Set the label on the mbuf header of a newly created datagram generated
1536 by the IP stack in response to an existing received datagram (oldmbuf).
1537 This call may be made in a number of situations, including when responding
1538 to ICMP request datagrams.
1539*/
1540typedef void mpo_mbuf_label_associate_netlayer_t(
1541 struct mbuf *oldmbuf,
1542 struct label *oldmbuflabel,
1543 struct mbuf *newmbuf,
1544 struct label *newmbuflabel
1545);
1546/**
1547 @brief Assign a label to a new mbuf
1548 @param so Socket to label
1549 @param so_label Policy label for socket
1550 @param m Object; mbuf
1551 @param m_label Policy label to fill in for m
1552
1553 An mbuf structure is used to store network traffic in transit.
1554 When an application sends data to a socket or a pipe, it is wrapped
1555 in an mbuf first. This function sets the label on a newly created mbuf header
1556 based on the socket sending the data. The contents of the label should be
1557 suitable for performing an access check on the receiving side of the
1558 communication.
1559
1560 Only labeled MBUFs will be presented to the policy via this entrypoint.
1561*/
1562typedef void mpo_mbuf_label_associate_socket_t(
1563 socket_t so,
1564 struct label *so_label,
1565 struct mbuf *m,
1566 struct label *m_label
1567);
1568/**
1569 @brief Copy a mbuf label
1570 @param src Source label
1571 @param dest Destination label
1572
1573 Copy the mbuf label information in src into dest.
1574
1575 Only called when both source and destination mbufs have labels.
1576*/
1577typedef void mpo_mbuf_label_copy_t(
1578 struct label *src,
1579 struct label *dest
1580);
1581/**
1582 @brief Destroy mbuf label
1583 @param label The label to be destroyed
1584
1585 Destroy a mbuf label. Since the
1586 object is going out of scope, policy modules should free any
1587 internal storage associated with the label so that it may be
1588 destroyed.
1589*/
1590typedef void mpo_mbuf_label_destroy_t(
1591 struct label *label
1592);
1593/**
1594 @brief Initialize mbuf label
1595 @param label New label to initialize
1596 @param flag Malloc flags
1597
1598 Initialize the label for a newly instantiated mbuf.
1599
1600 @warning Since it is possible for the flags to be set to
1601 M_NOWAIT, the malloc operation may fail.
1602
1603 @return On success, 0, otherwise, an appropriate errno return value.
1604*/
1605typedef int mpo_mbuf_label_init_t(
1606 struct label *label,
1607 int flag
1608);
1609/**
1610 @brief Access control check for fsctl
1611 @param cred Subject credential
1612 @param mp The mount point
1613 @param label Label associated with the mount point
1614 @param com Filesystem-dependent request code; see fsctl(2)
1615
1616 Determine whether the subject identified by the credential can perform
1617 the volume operation indicated by com.
1618
1619 @warning The fsctl() system call is directly analogous to ioctl(); since
1620 the associated data is opaque from the standpoint of the MAC framework
1621 and since these operations can affect many aspects of system operation,
1622 policies must exercise extreme care when implementing access control checks.
1623
1624 @return Return 0 if access is granted, otherwise an appropriate value for
1625 errno should be returned.
1626*/
1627typedef int mpo_mount_check_fsctl_t(
1628 kauth_cred_t cred,
1629 struct mount *mp,
1630 struct label *label,
1631 unsigned int cmd
1632);
1633/**
1634 @brief Access control check for the retrieval of file system attributes
1635 @param cred Subject credential
1636 @param mp The mount structure of the file system
1637 @param vfa The attributes requested
1638
1639 This entry point determines whether given subject can get information
1640 about the given file system. This check happens during statfs() syscalls,
1641 but is also used by other parts within the kernel such as the audit system.
1642
1643 @return Return 0 if access is granted, otherwise an appropriate value for
1644 errno should be returned.
1645*/
1646
1647typedef int mpo_mount_check_getattr_t(
1648 kauth_cred_t cred,
1649 struct mount *mp,
1650 struct label *mp_label,
1651 struct vfs_attr *vfa
1652);
1653/**
1654 @brief Access control check for mount point relabeling
1655 @param cred Subject credential
1656 @param mp Object file system mount point
1657 @param mntlabel Policy label for fle system mount point
1658
1659 Determine whether the subject identified by the credential can relabel
1660 the mount point. This call is made when a file system mount is updated.
1661
1662 @return Return 0 if access is granted, otherwise an appropriate value for
1663 errno should be returned. Suggested failure: EACCES for label mismatch
1664 or EPERM for lack of privilege.
1665*/
1666typedef int mpo_mount_check_label_update_t(
1667 kauth_cred_t cred,
1668 struct mount *mp,
1669 struct label *mntlabel
1670);
1671/**
1672 @brief Access control check for mounting a file system
1673 @param cred Subject credential
1674 @param vp Vnode that is to be the mount point
1675 @param vlabel Label associated with the vnode
1676 @param cnp Component name for vp
1677 @param vfc_name Filesystem type name
1678
1679 Determine whether the subject identified by the credential can perform
1680 the mount operation on the target vnode.
1681
1682 @return Return 0 if access is granted, otherwise an appropriate value for
1683 errno should be returned.
1684*/
1685typedef int mpo_mount_check_mount_t(
1686 kauth_cred_t cred,
1687 struct vnode *vp,
1688 struct label *vlabel,
1689 struct componentname *cnp,
1690 const char *vfc_name
1691);
1692/**
1693 @brief Access control check remounting a filesystem
1694 @param cred Subject credential
1695 @param mp The mount point
1696 @param mlabel Label currently associated with the mount point
1697
1698 Determine whether the subject identified by the credential can perform
1699 the remount operation on the target vnode.
1700
1701 @return Return 0 if access is granted, otherwise an appropriate value for
1702 errno should be returned.
1703*/
1704typedef int mpo_mount_check_remount_t(
1705 kauth_cred_t cred,
1706 struct mount *mp,
1707 struct label *mlabel
1708);
1709/**
1710 @brief Access control check for the settting of file system attributes
1711 @param cred Subject credential
1712 @param mp The mount structure of the file system
1713 @param vfa The attributes requested
1714
1715 This entry point determines whether given subject can set information
1716 about the given file system, for example the volume name.
1717
1718 @return Return 0 if access is granted, otherwise an appropriate value for
1719 errno should be returned.
1720*/
1721
1722typedef int mpo_mount_check_setattr_t(
1723 kauth_cred_t cred,
1724 struct mount *mp,
1725 struct label *mp_label,
1726 struct vfs_attr *vfa
1727);
1728/**
1729 @brief Access control check for file system statistics
1730 @param cred Subject credential
1731 @param mp Object file system mount
1732 @param mntlabel Policy label for mp
1733
1734 Determine whether the subject identified by the credential can see
1735 the results of a statfs performed on the file system. This call may
1736 be made in a number of situations, including during invocations of
1737 statfs(2) and related calls, as well as to determine what file systems
1738 to exclude from listings of file systems, such as when getfsstat(2)
1739 is invoked.
1740
1741 @return Return 0 if access is granted, otherwise an appropriate value for
1742 errno should be returned. Suggested failure: EACCES for label mismatch
1743 or EPERM for lack of privilege.
1744*/
1745typedef int mpo_mount_check_stat_t(
1746 kauth_cred_t cred,
1747 struct mount *mp,
1748 struct label *mntlabel
1749);
1750/**
1751 @brief Access control check for unmounting a filesystem
1752 @param cred Subject credential
1753 @param mp The mount point
1754 @param mlabel Label associated with the mount point
1755
1756 Determine whether the subject identified by the credential can perform
1757 the unmount operation on the target vnode.
1758
1759 @return Return 0 if access is granted, otherwise an appropriate value for
1760 errno should be returned.
1761*/
1762typedef int mpo_mount_check_umount_t(
1763 kauth_cred_t cred,
1764 struct mount *mp,
1765 struct label *mlabel
1766);
1767/**
1768 @brief Create mount labels
1769 @param cred Subject credential
1770 @param mp Mount point of file system being mounted
1771 @param mntlabel Label to associate with the new mount point
1772 @see mpo_mount_label_init_t
1773
1774 Fill out the labels on the mount point being created by the supplied
1775 user credential. This call is made when file systems are first mounted.
1776*/
1777typedef void mpo_mount_label_associate_t(
1778 kauth_cred_t cred,
1779 struct mount *mp,
1780 struct label *mntlabel
1781);
1782/**
1783 @brief Destroy mount label
1784 @param label The label to be destroyed
1785
1786 Destroy a file system mount label. Since the
1787 object is going out of scope, policy modules should free any
1788 internal storage associated with the label so that it may be
1789 destroyed.
1790*/
1791typedef void mpo_mount_label_destroy_t(
1792 struct label *label
1793);
1794/**
1795 @brief Externalize a mount point label
1796 @param label Label to be externalized
1797 @param element_name Name of the label namespace for which labels should be
1798 externalized
1799 @param sb String buffer to be filled with a text representation of the label
1800
1801 Produce an external representation of the mount point label. An
1802 externalized label consists of a text representation of the label
1803 contents that can be used with user applications. Policy-agnostic
1804 user space tools will display this externalized version.
1805
1806 The policy's externalize entry points will be called only if the
1807 policy has registered interest in the label namespace.
1808
1809 @return 0 on success, return non-zero if an error occurs while
1810 externalizing the label data.
1811
1812*/
1813typedef int mpo_mount_label_externalize_t(
1814 struct label *label,
1815 char *element_name,
1816 struct sbuf *sb
1817);
1818/**
1819 @brief Initialize mount point label
1820 @param label New label to initialize
1821
1822 Initialize the label for a newly instantiated mount structure.
1823 This label is typically used to store a default label in the case
1824 that the file system has been mounted singlelabel. Since some
1825 file systems do not support persistent labels (extended attributes)
1826 or are read-only (such as CD-ROMs), it is often necessary to store
1827 a default label separately from the label of the mount point
1828 itself. Sleeping is permitted.
1829*/
1830typedef void mpo_mount_label_init_t(
1831 struct label *label
1832);
1833/**
1834 @brief Internalize a mount point label
1835 @param label Label to be internalized
1836 @param element_name Name of the label namespace for which the label should
1837 be internalized
1838 @param element_data Text data to be internalized
1839
1840 Produce a mount point file system label from an external representation.
1841 An externalized label consists of a text representation of the label
1842 contents that can be used with user applications. Policy-agnostic
1843 user space tools will forward text version to the kernel for
1844 processing by individual policy modules.
1845
1846 The policy's internalize entry points will be called only if the
1847 policy has registered interest in the label namespace.
1848
1849 @return 0 on success, Otherwise, return non-zero if an error occurs
1850 while internalizing the label data.
1851
1852*/
1853typedef int mpo_mount_label_internalize_t(
1854 struct label *label,
1855 char *element_name,
1856 char *element_data
1857);
1858/**
1859 @brief Set the label on an IPv4 datagram fragment
1860 @param datagram Datagram being fragmented
1861 @param datagramlabel Policy label for datagram
1862 @param fragment New fragment
1863 @param fragmentlabel Policy label for fragment
1864
1865 Called when an IPv4 datagram is fragmented into several smaller datagrams.
1866 Policies implementing mbuf labels will typically copy the label from the
1867 source datagram to the new fragment.
1868*/
1869typedef void mpo_netinet_fragment_t(
1870 struct mbuf *datagram,
1871 struct label *datagramlabel,
1872 struct mbuf *fragment,
1873 struct label *fragmentlabel
1874);
1875/**
1876 @brief Set the label on an ICMP reply
1877 @param m mbuf containing the ICMP reply
1878 @param mlabel Policy label for m
1879
1880 A policy may wish to update the label of an mbuf that refers to
1881 an ICMP packet being sent in response to an IP packet. This may
1882 be called in response to a bad packet or an ICMP request.
1883*/
1884typedef void mpo_netinet_icmp_reply_t(
1885 struct mbuf *m,
1886 struct label *mlabel
1887);
1888/**
1889 @brief Set the label on a TCP reply
1890 @param m mbuf containing the TCP reply
1891 @param mlabel Policy label for m
1892
1893 Called for outgoing TCP packets not associated with an actual socket.
1894*/
1895typedef void mpo_netinet_tcp_reply_t(
1896 struct mbuf *m,
1897 struct label *mlabel
1898);
1899/**
1900 @brief Access control check for pipe ioctl
1901 @param cred Subject credential
1902 @param cpipe Object to be accessed
1903 @param pipelabel The label on the pipe
1904 @param cmd The ioctl command; see ioctl(2)
1905
1906 Determine whether the subject identified by the credential can perform
1907 the ioctl operation indicated by cmd.
1908
1909 @warning Since ioctl data is opaque from the standpoint of the MAC
1910 framework, policies must exercise extreme care when implementing
1911 access control checks.
1912
1913 @return Return 0 if access is granted, otherwise an appropriate value for
1914 errno should be returned.
1915
1916*/
1917typedef int mpo_pipe_check_ioctl_t(
1918 kauth_cred_t cred,
1919 struct pipe *cpipe,
1920 struct label *pipelabel,
1921 unsigned int cmd
1922);
1923/**
1924 @brief Access control check for pipe kqfilter
1925 @param cred Subject credential
1926 @param kn Object knote
1927 @param cpipe Object to be accessed
1928 @param pipelabel Policy label for the pipe
1929
1930 Determine whether the subject identified by the credential can
1931 receive the knote on the passed pipe.
1932
1933 @return Return 0 if access if granted, otherwise an appropriate
1934 value for errno should be returned.
1935*/
1936typedef int mpo_pipe_check_kqfilter_t(
1937 kauth_cred_t cred,
1938 struct knote *kn,
1939 struct pipe *cpipe,
1940 struct label *pipelabel
1941);
1942/**
1943 @brief Access control check for pipe relabel
1944 @param cred Subject credential
1945 @param cpipe Object to be accessed
1946 @param pipelabel The current label on the pipe
1947 @param newlabel The new label to be used
1948
1949 Determine whether the subject identified by the credential can
1950 perform a relabel operation on the passed pipe. The cred object holds
1951 the credentials of the subject performing the operation.
1952
1953 @return Return 0 if access is granted, otherwise an appropriate value for
1954 errno should be returned.
1955
1956*/
1957typedef int mpo_pipe_check_label_update_t(
1958 kauth_cred_t cred,
1959 struct pipe *cpipe,
1960 struct label *pipelabel,
1961 struct label *newlabel
1962);
1963/**
1964 @brief Access control check for pipe read
1965 @param cred Subject credential
1966 @param cpipe Object to be accessed
1967 @param pipelabel The label on the pipe
1968
1969 Determine whether the subject identified by the credential can
1970 perform a read operation on the passed pipe. The cred object holds
1971 the credentials of the subject performing the operation.
1972
1973 @return Return 0 if access is granted, otherwise an appropriate value for
1974 errno should be returned.
1975
1976*/
1977typedef int mpo_pipe_check_read_t(
1978 kauth_cred_t cred,
1979 struct pipe *cpipe,
1980 struct label *pipelabel
1981);
1982/**
1983 @brief Access control check for pipe select
1984 @param cred Subject credential
1985 @param cpipe Object to be accessed
1986 @param pipelabel The label on the pipe
1987 @param which The operation selected on: FREAD or FWRITE
1988
1989 Determine whether the subject identified by the credential can
1990 perform a select operation on the passed pipe. The cred object holds
1991 the credentials of the subject performing the operation.
1992
1993 @return Return 0 if access is granted, otherwise an appropriate value for
1994 errno should be returned.
1995
1996*/
1997typedef int mpo_pipe_check_select_t(
1998 kauth_cred_t cred,
1999 struct pipe *cpipe,
2000 struct label *pipelabel,
2001 int which
2002);
2003/**
2004 @brief Access control check for pipe stat
2005 @param cred Subject credential
2006 @param cpipe Object to be accessed
2007 @param pipelabel The label on the pipe
2008
2009 Determine whether the subject identified by the credential can
2010 perform a stat operation on the passed pipe. The cred object holds
2011 the credentials of the subject performing the operation.
2012
2013 @return Return 0 if access is granted, otherwise an appropriate value for
2014 errno should be returned.
2015
2016*/
2017typedef int mpo_pipe_check_stat_t(
2018 kauth_cred_t cred,
2019 struct pipe *cpipe,
2020 struct label *pipelabel
2021);
2022/**
2023 @brief Access control check for pipe write
2024 @param cred Subject credential
2025 @param cpipe Object to be accessed
2026 @param pipelabel The label on the pipe
2027
2028 Determine whether the subject identified by the credential can
2029 perform a write operation on the passed pipe. The cred object holds
2030 the credentials of the subject performing the operation.
2031
2032 @return Return 0 if access is granted, otherwise an appropriate value for
2033 errno should be returned.
2034
2035*/
2036typedef int mpo_pipe_check_write_t(
2037 kauth_cred_t cred,
2038 struct pipe *cpipe,
2039 struct label *pipelabel
2040);
2041/**
2042 @brief Create a pipe label
2043 @param cred Subject credential
2044 @param cpipe object to be labeled
2045 @param label Label for the pipe object
2046
2047 Create a label for the pipe object being created by the supplied
2048 user credential. This call is made when the pipe is being created
2049 XXXPIPE(for one or both sides of the pipe?).
2050
2051*/
2052typedef void mpo_pipe_label_associate_t(
2053 kauth_cred_t cred,
2054 struct pipe *cpipe,
2055 struct label *pipelabel
2056);
2057/**
2058 @brief Copy a pipe label
2059 @param src Source pipe label
2060 @param dest Destination pipe label
2061
2062 Copy the pipe label associated with src to dest.
2063 XXXPIPE Describe when this is used: most likely during pipe creation to
2064 copy from rpipe to wpipe.
2065*/
2066typedef void mpo_pipe_label_copy_t(
2067 struct label *src,
2068 struct label *dest
2069);
2070/**
2071 @brief Destroy pipe label
2072 @param label The label to be destroyed
2073
2074 Destroy a pipe label. Since the object is going out of scope,
2075 policy modules should free any internal storage associated with the
2076 label so that it may be destroyed.
2077*/
2078typedef void mpo_pipe_label_destroy_t(
2079 struct label *label
2080);
2081/**
2082 @brief Externalize a pipe label
2083 @param label Label to be externalized
2084 @param element_name Name of the label namespace for which labels should be
2085 externalized
2086 @param sb String buffer to be filled with a text representation of the label
2087
2088 Produce an external representation of the label on a pipe.
2089 An externalized label consists of a text representation
2090 of the label contents that can be used with user applications.
2091 Policy-agnostic user space tools will display this externalized
2092 version.
2093
2094 The policy's externalize entry points will be called only if the
2095 policy has registered interest in the label namespace.
2096
2097 @return 0 on success, return non-zero if an error occurs while
2098 externalizing the label data.
2099
2100*/
2101typedef int mpo_pipe_label_externalize_t(
2102 struct label *label,
2103 char *element_name,
2104 struct sbuf *sb
2105);
2106/**
2107 @brief Initialize pipe label
2108 @param label New label to initialize
2109
2110 Initialize label storage for use with a newly instantiated pipe object.
2111 Sleeping is permitted.
2112*/
2113typedef void mpo_pipe_label_init_t(
2114 struct label *label
2115);
2116/**
2117 @brief Internalize a pipe label
2118 @param label Label to be internalized
2119 @param element_name Name of the label namespace for which the label should
2120 be internalized
2121 @param element_data Text data to be internalized
2122
2123 Produce a pipe label from an external representation. An
2124 externalized label consists of a text representation of the label
2125 contents that can be used with user applications. Policy-agnostic
2126 user space tools will forward text version to the kernel for
2127 processing by individual policy modules.
2128
2129 The policy's internalize entry points will be called only if the
2130 policy has registered interest in the label namespace.
2131
2132 @return 0 on success, Otherwise, return non-zero if an error occurs
2133 while internalizing the label data.
2134
2135*/
2136typedef int mpo_pipe_label_internalize_t(
2137 struct label *label,
2138 char *element_name,
2139 char *element_data
2140);
2141/**
2142 @brief Update a pipe label
2143 @param cred Subject credential
2144 @param cpipe Object to be labeled
2145 @param oldlabel Existing pipe label
2146 @param newlabel New label to replace existing label
2147 @see mpo_pipe_check_label_update_t
2148
2149 The subject identified by the credential has previously requested
2150 and was authorized to relabel the pipe; this entry point allows
2151 policies to perform the actual relabel operation. Policies should
2152 update oldlabel using the label stored in the newlabel parameter.
2153
2154*/
2155typedef void mpo_pipe_label_update_t(
2156 kauth_cred_t cred,
2157 struct pipe *cpipe,
2158 struct label *oldlabel,
2159 struct label *newlabel
2160);
2161/**
2162 @brief Policy unload event
2163 @param mpc MAC policy configuration
2164
2165 This is the MAC Framework policy unload event. This entry point will
2166 only be called if the module's policy configuration allows unload (if
2167 the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't
2168 want to be unloaded; they should set their flags to prevent this
2169 entry point from being called.
2170
2171 @warning During this call, the mac policy list mutex is held, so
2172 sleep operations cannot be performed, and calls out to other kernel
2173 subsystems must be made with caution.
2174
2175 @see MPC_LOADTIME_FLAG_UNLOADOK
2176*/
2177typedef void mpo_policy_destroy_t(
2178 struct mac_policy_conf *mpc
2179);
2180/**
2181 @brief Policy initialization event
2182 @param mpc MAC policy configuration
2183 @see mac_policy_register
2184 @see mpo_policy_initbsd_t
2185
2186 This is the MAC Framework policy initialization event. This entry
2187 point is called during mac_policy_register, when the policy module
2188 is first registered with the MAC Framework. This is often done very
2189 early in the boot process, after the kernel Mach subsystem has been
2190 initialized, but prior to the BSD subsystem being initialized.
2191 Since the kernel BSD services are not yet available, it is possible
2192 that some initialization must occur later, possibly in the
2193 mpo_policy_initbsd_t policy entry point, such as registering BSD system
2194 controls (sysctls). Policy modules loaded at boot time will be
2195 registered and initialized before labeled Mach objects are created.
2196
2197 @warning During this call, the mac policy list mutex is held, so
2198 sleep operations cannot be performed, and calls out to other kernel
2199 subsystems must be made with caution.
2200*/
2201typedef void mpo_policy_init_t(
2202 struct mac_policy_conf *mpc
2203);
2204/**
2205 @brief Policy BSD initialization event
2206 @param mpc MAC policy configuration
2207 @see mpo_policy_init_t
2208
2209 This entry point is called after the kernel BSD subsystem has been
2210 initialized. By this point, the module should already be loaded,
2211 registered, and initialized. Since policy modules are initialized
2212 before kernel BSD services are available, this second initialization
2213 phase is necessary. At this point, BSD services (memory management,
2214 synchronization primitives, vfs, etc.) are available, but the first
2215 process has not yet been created. Mach-related objects and tasks
2216 will already be fully initialized and may be in use--policies requiring
2217 ubiquitous labeling may also want to implement mpo_policy_init_t.
2218
2219 @warning During this call, the mac policy list mutex is held, so
2220 sleep operations cannot be performed, and calls out to other kernel
2221 subsystems must be made with caution.
2222*/
2223typedef void mpo_policy_initbsd_t(
2224 struct mac_policy_conf *mpc
2225);
2226/**
2227 @brief Policy extension service
2228 @param p Calling process
2229 @param call Policy-specific syscall number
2230 @param arg Pointer to syscall arguments
2231
2232 This entry point provides a policy-multiplexed system call so that
2233 policies may provide additional services to user processes without
2234 registering specific system calls. The policy name provided during
2235 registration is used to demux calls from userland, and the arguments
2236 will be forwarded to this entry point. When implementing new
2237 services, security modules should be sure to invoke appropriate
2238 access control checks from the MAC framework as needed. For
2239 example, if a policy implements an augmented signal functionality,
2240 it should call the necessary signal access control checks to invoke
2241 the MAC framework and other registered policies.
2242
2243 @warning Since the format and contents of the policy-specific
2244 arguments are unknown to the MAC Framework, modules must perform the
2245 required copyin() of the syscall data on their own. No policy
2246 mediation is performed, so policies must perform any necessary
2247 access control checks themselves. If multiple policies are loaded,
2248 they will currently be unable to mediate calls to other policies.
2249
2250 @return In the event of an error, an appropriate value for errno
2251 should be returned, otherwise return 0 upon success.
2252*/
2253typedef int mpo_policy_syscall_t(
2254 struct proc *p,
2255 int call,
2256 user_addr_t arg
2257);
2258/**
2259 @brief Access control check for copying a send right to another task
2260 @param task Label of the sender task
2261 @param port Label of the affected port
2262
2263 Access control check for copying send rights to the port from the
2264 specified task. A complementary entry point, mpo_port_check_hold_send,
2265 handles the receiving task. port_check_copy_send is called as part of
2266 a group of policy invocations when messages with port rights are sent.
2267 All access control checks made for a particular message must be successful
2268 for the message to be sent.
2269
2270 The task label and the port are locked. Sleeping is permitted.
2271
2272 @return Return 0 if access is granted, non-zero otherwise.
2273*/
2274typedef int mpo_port_check_copy_send_t(
2275 struct label *task,
2276 struct label *port
2277);
2278/**
2279 @brief Access control check for obtaining a receive right
2280 @param task Label of the receiving task
2281 @param port Label of the affected port
2282
2283 Access control check for a task obtaining receive rights to a
2284 port. Usually, these are port rights that were obtained with a call
2285 to mach_port_allocate. This entry point is called as part of a
2286 group of policy invocations when messages with port rights are
2287 received. All of these access control checks must succeed in order
2288 to receive the message.
2289
2290 The task label and the port are locked. Sleeping is permitted.
2291
2292 @return Return 0 if access is granted, non-zero otherwise.
2293*/
2294typedef int mpo_port_check_hold_receive_t(
2295 struct label *task,
2296 struct label *port
2297);
2298/**
2299 @brief Access control check for obtaining a send once right
2300 @param task Label of the receiving task
2301 @param port Label of the affected port
2302
2303 Access control check for a task obtaining send once rights to a port. Usually,
2304 these are port rights that were part of a message sent by another userspace
2305 task. port_check_hold_send_once is called as part of a group of policy
2306 invocations when messages with port rights are received. All of these access
2307 control checks must succeed in order to receive the message.
2308
2309 The task label and the port are locked. Sleeping is permitted.
2310
2311 @return Return 0 if access is granted, non-zero otherwise.
2312*/
2313typedef int mpo_port_check_hold_send_once_t(
2314 struct label *task,
2315 struct label *port
2316);
2317/**
2318 @brief Access control check for obtaining a send right
2319 @param task Label of the receiving task
2320 @param port Label of the affected port
2321
2322 Access control check for a task obtaining send rights to a port. Usually,
2323 these are port rights that were part of a message sent by another userspace
2324 task. port_check_hold_send is called as part of a group of policy
2325 invocations when messages with port rights are received. All of these access
2326 control checks must succeed in order to receive the message.
2327
2328 The task label and the port are locked. Sleeping is permitted.
2329
2330 @return Return 0 if access is granted, non-zero otherwise.
2331*/
2332typedef int mpo_port_check_hold_send_t(
2333 struct label *task,
2334 struct label *port
2335);
2336/**
2337 @brief Access control check for relabelling ports
2338 @param task Subject's task label
2339 @param oldlabel Original label of port
2340 @param newlabel New label for port
2341
2342 Access control check for relabelling ports. The policy should
2343 indicate whether the subject is permitted to change the label
2344 of a port from oldlabel to newlabel. The port is locked, but
2345 the subject's task label is not locked.
2346
2347 @warning XXX In future releases, the task label lock will likely
2348 also be held.
2349
2350 @return Return 0 if access is granted, non-zero otherwise.
2351*/
2352typedef int mpo_port_check_label_update_t(
2353 struct label *task,
2354 struct label *oldlabel,
2355 struct label *newlabel
2356);
2357/**
2358 @brief Access control check for producing a send once right from a receive right
2359 @param task Label of the sender task
2360 @param port Label of the affected port
2361
2362 Access control check for obtaining send once rights from receive rights.
2363 The new send once right may be destined for the calling task, or a different
2364 task. In either case the mpo_port_check_hold_send_once entry point handles
2365 the receiving task. port_check_make_send_once may be called as part of a
2366 group of policy invocations when messages with port rights are sent.
2367 All access control checks made for a particular message must be successful
2368 for the message to be sent.
2369
2370 The task label and the port are locked. Sleeping is permitted.
2371
2372 @return Return 0 if access is granted, non-zero otherwise.
2373*/
2374typedef int mpo_port_check_make_send_once_t(
2375 struct label *task,
2376 struct label *port
2377);
2378/**
2379 @brief Access control check for producing a send right from a receive right
2380 @param task Label of the sender task
2381 @param port Label of the affected port
2382
2383 Access control check for obtaining send rights from receive rights. The new
2384 send right may be destined for the calling task, or a different task.
2385 In either case the mpo_port_check_hold_send entry point
2386 handles the receiving task. port_check_make_send may be called as part of
2387 a group of policy invocations when messages with port rights are sent.
2388 All access control checks made for a particular message must be successful
2389 for the message to be sent.
2390
2391 The task label and the port are locked. Sleeping is permitted.
2392
2393 @return Return 0 if access is granted, non-zero otherwise.
2394*/
2395typedef int mpo_port_check_make_send_t(
2396 struct label *task,
2397 struct label *port
2398);
2399/**
2400 @brief Compute access control check for a Mach message-based service
2401 @param proc Sender's process structure (may be NULL)
2402 @param task Sender's task label
2403 @param port Destination port label
2404 @param msgid Message id
2405
2406 Access control computation for message-based services. This entry point
2407 computes permission to the service requested by the specified port and message
2408 id, for example a single MiG server routine, and is unrelated to the access
2409 check for sending messages to ports (but that check must succeed for the
2410 message to be sent to the destination). The result of this access computation
2411 is stored in the message trailer field msgh_ad (only if requested by the
2412 recipient); it does not actually inhibit the message from being sent or
2413 received.
2414
2415 @return 0 for access granted, nonzero for access denied.
2416*/
2417
2418typedef int mpo_port_check_method_t(
2419 struct proc *proc,
2420 struct label *task,
2421 struct label *port,
2422 int msgid
2423);
2424/**
2425 @brief Access control check for transferring a receive right
2426 @param task Label of the sender task
2427 @param port Label of the affected port
2428
2429 Access control check for transferring the receive right to a port out
2430 of the specified task. A complementary entry point,
2431 mpo_port_check_hold_receive, handles the receiving task.
2432 port_check_move_receive is called as part of
2433 a group of policy invocations when messages with port rights are sent.
2434 All access control checks made for a particular message must be successful
2435 for the message to be sent.
2436
2437 The task label and the port are locked. Sleeping is permitted.
2438
2439 @return Return 0 if access is granted, non-zero otherwise.
2440*/
2441typedef int mpo_port_check_move_receive_t(
2442 struct label *task,
2443 struct label *port
2444);
2445/**
2446 @brief Access control check for transferring a send once right
2447 @param task Label of the sender task
2448 @param port Label of the affected port
2449
2450 Access control check for transferring a send once right from one task to
2451 the task listening to the specified port. A complementary entry point,
2452 mpo_port_check_hold_send_once, handles the receiving task.
2453 port_check_move_send_once is called as part of a group of policy invocations
2454 when messages with port rights are sent. All access control checks made
2455 for a particular message must be successful for the message to be sent.
2456
2457 The task label and the port are locked. Sleeping is permitted.
2458
2459 @return Return 0 if access is granted, non-zero otherwise.
2460*/
2461typedef int mpo_port_check_move_send_once_t(
2462 struct label *task,
2463 struct label *port
2464);
2465/**
2466 @brief Access control check for transferring a send right
2467 @param task Label of the sender task
2468 @param port Label of the affected port
2469
2470 Access control check for transferring a send right from one task to the
2471 task listening to the specified port. A complementary entry point,
2472 mpo_port_check_hold_send, handles the receiving task.
2473 port_check_move_send is called as part of a group of policy invocations
2474 when messages with port rights are sent. All access control checks made
2475 for a particular message must be successful for the message to be sent.
2476
2477 The task label and the port are locked. Sleeping is permitted.
2478
2479 @return Return 0 if access is granted, non-zero otherwise.
2480*/
2481typedef int mpo_port_check_move_send_t(
2482 struct label *task,
2483 struct label *port
2484);
2485/**
2486 @brief Access control check for receiving Mach messsages
2487 @param task Label of the receiving task
2488 @param sender Label of the sending task
2489
2490 Access control check for receiving messages. The two labels are locked.
2491
2492 @warning This entry point can be invoked from many places inside the
2493 kernel, with arbitrary other locks held. The implementation of this
2494 entry point must not cause page faults, as those are handled by mach
2495 messages.
2496
2497 @return Return 0 if access is granted, non-zero otherwise.
2498*/
2499typedef int mpo_port_check_receive_t(
2500 struct label *task,
2501 struct label *sender
2502);
2503/**
2504 @brief Access control check for sending Mach messsages
2505 @param task Label of the sender task
2506 @param port Label of the destination port
2507
2508 Access control check for sending messages. The task label and the
2509 port are locked.
2510
2511 @warning This entry point can be invoked from many places inside the
2512 kernel, with arbitrary other locks held. The implementation of this
2513 entry point must not cause page faults, as those are handled by mach
2514 messages.
2515
2516 @return Return 0 if access is granted, non-zero otherwise.
2517*/
2518typedef int mpo_port_check_send_t(
2519 struct label *task,
2520 struct label *port
2521);
2522/**
2523 @brief Generic access control check
2524 @param subj Caller-provided subject label
2525 @param obj Caller-provided object label
2526 @param serv Service or object class name
2527 @param perm Permission, or method, within the specified service
2528
2529 This function provides a general way for a user process to query
2530 an arbitrary access control decision from the system's security policies.
2531 Currently, there are no standards for the format of the service and
2532 permission names. Labels may be either cred or port labels; the policy
2533 must accept either. The userspace interfaces to this entry point allow
2534 label strings or label handles (ports) to be provided.
2535
2536 @return Return 0 if access is granted, non-zero otherwise.
2537*/
2538typedef int mpo_port_check_service_t(
2539 struct label *subj,
2540 struct label *obj,
2541 const char *serv,
2542 const char *perm
2543);
2544/**
2545 @brief Assign a label to a new Mach port created by the kernel
2546 @param portlabel Label for the new port
2547 @param isreply True if the port is for a reply message from the kernel
2548
2549 Assign a label to a new port created by the kernel. If the port is being
2550 used to reply to a message, isreply is 1 (0 otherwise). The port is locked.
2551*/
2552typedef void mpo_port_label_associate_kernel_t(
2553 struct label *portlabel,
2554 int isreply
2555);
2556/**
2557 @brief Assign a label to a new Mach port
2558 @param it Task label of issuer
2559 @param st Task label of target
2560 @param portlabel Label for the new port
2561
2562 Assign a label to a new port. The policy can base this label on
2563 the label of the calling task, as well as the label of the target task.
2564 The target task is the one which recieves the first right for this port.
2565 Both task labels and the port are locked.
2566*/
2567typedef void mpo_port_label_associate_t(
2568 struct label *it,
2569 struct label *st,
2570 struct label *portlabel
2571);
2572/**
2573 @brief Request label for new (userspace) object
2574 @param subj Subject label
2575 @param obj Parent or existing object label
2576 @param serv Name of service
2577 @param out Computed label
2578
2579 Ask the loaded policies to compute a label based on the two input labels
2580 and the service name. There is currently no standard for the service name,
2581 or even what the input labels represent (Subject and parent object are only
2582 a suggestion). If successful, the computed label is stored in out. All labels
2583 must be port (or task) labels. The userspace interfaces to this entry point
2584 allow label handles (ports) to be provided.
2585
2586 @return 0 on success, or an errno value for failure.
2587*/
2588typedef int mpo_port_label_compute_t(
2589 struct label *subj,
2590 struct label *obj,
2591 const char *serv,
2592 struct label *out
2593);
2594/**
2595 @brief Copy a Mach port label
2596 @param src Source port label
2597 @param dest Destination port label
2598
2599 Copy the Mach port label information from src to dest. This is used
2600 to copy user-suplied labels into an existing port.
2601*/
2602typedef void mpo_port_label_copy_t(
2603 struct label *src,
2604 struct label *dest
2605);
2606/**
2607 @brief Destroy Mach port label
2608 @param label The label to be destroyed
2609
2610 Destroy a Mach port label. Since the object is going out of
2611 scope, policy modules should free any internal storage associated
2612 with the label so that it may be destroyed.
2613*/
2614typedef void mpo_port_label_destroy_t(
2615 struct label *label
2616);
2617/**
2618 @brief Initialize Mach port label
2619 @param label New label to initialize
2620
2621 Initialize the label for a newly instantiated Mach port. Sleeping
2622 is permitted.
2623*/
2624typedef void mpo_port_label_init_t(
2625 struct label *label
2626);
2627/**
2628 @brief Update a Mach task port label
2629 @param cred User credential label to be used as the source
2630 @param task Mach port label to be used as the destination
2631 @see mpo_cred_label_update_t
2632 @see mpo_cred_label_update_execve_t
2633
2634 Update the label on a Mach task port, using the supplied user
2635 credential label. When a mac_cred_label_update_execve or a mac_cred_label_update
2636 operation causes the label on a user credential to change, the Mach
2637 task port label also needs to be updated to reflect the change.
2638 Both labels are already valid (initialized and created).
2639*/
2640typedef void mpo_port_label_update_cred_t(
2641 struct label *cred,
2642 struct label *task
2643);
2644/**
2645 @brief Assign a label to a Mach port connected to a kernel object
2646 @param portlabel Label for the port
2647 @param kotype Type of kernel object
2648
2649 Label a kernel port based on the type of object behind it. The
2650 kotype parameter is one of the IKOT constants in
2651 <kern/ipc_kobject.h>. The port already has a valid label from either
2652 mpo_port_label_associate_kernel, or because it is a task port and has a label
2653 derived from the process and task labels. The port is locked.
2654*/
2655typedef void mpo_port_label_update_kobject_t(
2656 struct label *portlabel,
2657 int kotype
2658);
2659/**
2660 @brief Access control check for POSIX semaphore create
2661 @param cred Subject credential
2662 @param name String name of the semaphore
2663
2664 Determine whether the subject identified by the credential can create
2665 a POSIX semaphore specified by name.
2666
2667 @return Return 0 if access is granted, otherwise an appropriate value for
2668 errno should be returned.
2669*/
2670typedef int mpo_posixsem_check_create_t(
2671 kauth_cred_t cred,
2672 const char *name
2673);
2674/**
2675 @brief Access control check for POSIX semaphore open
2676 @param cred Subject credential
2677 @param ps Pointer to semaphore information structure
2678 @param semlabel Label associated with the semaphore
2679
2680 Determine whether the subject identified by the credential can open
2681 the named POSIX semaphore with label semlabel.
2682
2683 @return Return 0 if access is granted, otherwise an appropriate value for
2684 errno should be returned.
2685*/
2686typedef int mpo_posixsem_check_open_t(
2687 kauth_cred_t cred,
2688 struct pseminfo *ps,
2689 struct label *semlabel
2690);
2691/**
2692 @brief Access control check for POSIX semaphore post
2693 @param cred Subject credential
2694 @param ps Pointer to semaphore information structure
2695 @param semlabel Label associated with the semaphore
2696
2697 Determine whether the subject identified by the credential can unlock
2698 the named POSIX semaphore with label semlabel.
2699
2700 @return Return 0 if access is granted, otherwise an appropriate value for
2701 errno should be returned.
2702*/
2703typedef int mpo_posixsem_check_post_t(
2704 kauth_cred_t cred,
2705 struct pseminfo *ps,
2706 struct label *semlabel
2707);
2708/**
2709 @brief Access control check for POSIX semaphore unlink
2710 @param cred Subject credential
2711 @param ps Pointer to semaphore information structure
2712 @param semlabel Label associated with the semaphore
2713 @param name String name of the semaphore
2714
2715 Determine whether the subject identified by the credential can remove
2716 the named POSIX semaphore with label semlabel.
2717
2718 @return Return 0 if access is granted, otherwise an appropriate value for
2719 errno should be returned.
2720*/
2721typedef int mpo_posixsem_check_unlink_t(
2722 kauth_cred_t cred,
2723 struct pseminfo *ps,
2724 struct label *semlabel,
2725 const char *name
2726);
2727/**
2728 @brief Access control check for POSIX semaphore wait
2729 @param cred Subject credential
2730 @param ps Pointer to semaphore information structure
2731 @param semlabel Label associated with the semaphore
2732
2733 Determine whether the subject identified by the credential can lock
2734 the named POSIX semaphore with label semlabel.
2735
2736 @return Return 0 if access is granted, otherwise an appropriate value for
2737 errno should be returned.
2738*/
2739typedef int mpo_posixsem_check_wait_t(
2740 kauth_cred_t cred,
2741 struct pseminfo *ps,
2742 struct label *semlabel
2743);
2744/**
2745 @brief Create a POSIX semaphore label
2746 @param cred Subject credential
2747 @param ps Pointer to semaphore information structure
2748 @param semlabel Label to associate with the new semaphore
2749 @param name String name of the semaphore
2750
2751 Label a new POSIX semaphore. The label was previously
2752 initialized and associated with the semaphore. At this time, an
2753 appropriate initial label value should be assigned to the object and
2754 stored in semalabel.
2755*/
2756typedef void mpo_posixsem_label_associate_t(
2757 kauth_cred_t cred,
2758 struct pseminfo *ps,
2759 struct label *semlabel,
2760 const char *name
2761);
2762/**
2763 @brief Destroy POSIX semaphore label
2764 @param label The label to be destroyed
2765
2766 Destroy a POSIX semaphore label. Since the object is
2767 going out of scope, policy modules should free any internal storage
2768 associated with the label so that it may be destroyed.
2769*/
2770typedef void mpo_posixsem_label_destroy_t(
2771 struct label *label
2772);
2773/**
2774 @brief Initialize POSIX semaphore label
2775 @param label New label to initialize
2776
2777 Initialize the label for a newly instantiated POSIX semaphore. Sleeping
2778 is permitted.
2779*/
2780typedef void mpo_posixsem_label_init_t(
2781 struct label *label
2782);
2783/**
2784 @brief Access control check for POSIX shared memory region create
2785 @param cred Subject credential
2786 @param name String name of the shared memory region
2787
2788 Determine whether the subject identified by the credential can create
2789 the POSIX shared memory region referenced by name.
2790
2791 @return Return 0 if access is granted, otherwise an appropriate value for
2792 errno should be returned.
2793*/
2794typedef int mpo_posixshm_check_create_t(
2795 kauth_cred_t cred,
2796 const char *name
2797);
2798/**
2799 @brief Access control check for mapping POSIX shared memory
2800 @param cred Subject credential
2801 @param ps Pointer to shared memory information structure
2802 @param shmlabel Label associated with the shared memory region
2803 @param prot mmap protections; see mmap(2)
2804 @param flags shmat flags; see shmat(2)
2805
2806 Determine whether the subject identified by the credential can map
2807 the POSIX shared memory segment associated with shmlabel.
2808
2809 @return Return 0 if access is granted, otherwise an appropriate value for
2810 errno should be returned.
2811*/
2812typedef int mpo_posixshm_check_mmap_t(
2813 kauth_cred_t cred,
2814 struct pshminfo *ps,
2815 struct label *shmlabel,
2816 int prot,
2817 int flags
2818);
2819/**
2820 @brief Access control check for POSIX shared memory region open
2821 @param cred Subject credential
2822 @param ps Pointer to shared memory information structure
2823 @param shmlabel Label associated with the shared memory region
2824
2825 Determine whether the subject identified by the credential can open
2826 the POSIX shared memory region.
2827
2828 @return Return 0 if access is granted, otherwise an appropriate value for
2829 errno should be returned.
2830*/
2831typedef int mpo_posixshm_check_open_t(
2832 kauth_cred_t cred,
2833 struct pshminfo *ps,
2834 struct label *shmlabel
2835);
2836/**
2837 @brief Access control check for POSIX shared memory stat
2838 @param cred Subject credential
2839 @param ps Pointer to shared memory information structure
2840 @param shmlabel Label associated with the shared memory region
2841
2842 Determine whether the subject identified by the credential can obtain
2843 status for the POSIX shared memory segment associated with shmlabel.
2844
2845 @return Return 0 if access is granted, otherwise an appropriate value for
2846 errno should be returned.
2847*/
2848typedef int mpo_posixshm_check_stat_t(
2849 kauth_cred_t cred,
2850 struct pshminfo *ps,
2851 struct label *shmlabel
2852);
2853/**
2854 @brief Access control check for POSIX shared memory truncate
2855 @param cred Subject credential
2856 @param ps Pointer to shared memory information structure
2857 @param shmlabel Label associated with the shared memory region
2858 @param len Length to truncate or extend shared memory segment
2859
2860 Determine whether the subject identified by the credential can truncate
2861 or extend (to len) the POSIX shared memory segment associated with shmlabel.
2862
2863 @return Return 0 if access is granted, otherwise an appropriate value for
2864 errno should be returned.
2865*/
2866typedef int mpo_posixshm_check_truncate_t(
2867 kauth_cred_t cred,
2868 struct pshminfo *ps,
2869 struct label *shmlabel,
2870 size_t len
2871);
2872/**
2873 @brief Access control check for POSIX shared memory unlink
2874 @param cred Subject credential
2875 @param ps Pointer to shared memory information structure
2876 @param shmlabel Label associated with the shared memory region
2877 @param name String name of the shared memory region
2878
2879 Determine whether the subject identified by the credential can delete
2880 the POSIX shared memory segment associated with shmlabel.
2881
2882 @return Return 0 if access is granted, otherwise an appropriate value for
2883 errno should be returned.
2884*/
2885typedef int mpo_posixshm_check_unlink_t(
2886 kauth_cred_t cred,
2887 struct pshminfo *ps,
2888 struct label *shmlabel,
2889 const char *name
2890);
2891/**
2892 @brief Create a POSIX shared memory region label
2893 @param cred Subject credential
2894 @param ps Pointer to shared memory information structure
2895 @param shmlabel Label to associate with the new shared memory region
2896 @param name String name of the shared memory region
2897
2898 Label a new POSIX shared memory region. The label was previously
2899 initialized and associated with the shared memory region. At this
2900 time, an appropriate initial label value should be assigned to the
2901 object and stored in shmlabel.
2902*/
2903typedef void mpo_posixshm_label_associate_t(
2904 kauth_cred_t cred,
2905 struct pshminfo *ps,
2906 struct label *shmlabel,
2907 const char *name
2908);
2909/**
2910 @brief Destroy POSIX shared memory label
2911 @param label The label to be destroyed
2912
2913 Destroy a POSIX shared memory region label. Since the
2914 object is going out of scope, policy modules should free any
2915 internal storage associated with the label so that it may be
2916 destroyed.
2917*/
2918typedef void mpo_posixshm_label_destroy_t(
2919 struct label *label
2920);
2921/**
2922 @brief Initialize POSIX Shared Memory region label
2923 @param label New label to initialize
2924
2925 Initialize the label for newly a instantiated POSIX Shared Memory
2926 region. Sleeping is permitted.
2927*/
2928typedef void mpo_posixshm_label_init_t(
2929 struct label *label
2930);
2931/**
2932 @brief Access control check for debugging process
2933 @param cred Subject credential
2934 @param proc Object process
2935
2936 Determine whether the subject identified by the credential can debug
2937 the passed process. This call may be made in a number of situations,
2938 including use of the ptrace(2) and ktrace(2) APIs, as well as for some
2939 types of procfs operations.
2940
2941 @return Return 0 if access is granted, otherwise an appropriate value for
2942 errno should be returned. Suggested failure: EACCES for label mismatch,
2943 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
2944*/
2945typedef int mpo_proc_check_debug_t(
2946 kauth_cred_t cred,
2947 struct proc *proc
2948);
2949/**
2950 @brief Access control over fork
2951 @param cred Subject credential
2952 @param proc Subject process trying to fork
2953
2954 Determine whether the subject identified is allowed to fork.
2955
2956 @return Return 0 if access is granted, otherwise an appropriate value for
2957 errno should be returned.
2958*/
2959typedef int mpo_proc_check_fork_t(
2960 kauth_cred_t cred,
2961 struct proc *proc
2962);
2963/**
2964 @brief Access control check for retrieving audit information
2965 @param cred Subject credential
2966
2967 Determine whether the subject identified by the credential can get
2968 audit information such as the audit user ID, the preselection mask,
2969 the terminal ID and the audit session ID, using the getaudit() system call.
2970
2971 @return Return 0 if access is granted, otherwise an appropriate value for
2972 errno should be returned.
2973*/
2974typedef int mpo_proc_check_getaudit_t(
2975 kauth_cred_t cred
2976);
2977/**
2978 @brief Access control check for retrieving audit user ID
2979 @param cred Subject credential
2980
2981 Determine whether the subject identified by the credential can get
2982 the user identity being used by the auditing system, using the getauid()
2983 system call.
2984
2985 @return Return 0 if access is granted, otherwise an appropriate value for
2986 errno should be returned.
2987*/
2988typedef int mpo_proc_check_getauid_t(
2989 kauth_cred_t cred
2990);
2991/**
2992 @brief Access control check for retrieving Login Context ID
2993 @param p0 Calling process
2994 @param p Effected process
2995 @param pid syscall PID argument
2996
2997 Determine if getlcid(2) system call is permitted.
2998
2999 Information returned by this system call is similar to that returned via
3000 process listings etc.
3001
3002 @return Return 0 if access is granted, otherwise an appropriate value for
3003 errno should be returned.
3004*/
3005typedef int mpo_proc_check_getlcid_t(
3006 struct proc *p0,
3007 struct proc *p,
3008 pid_t pid
3009);
3010/**
3011 @brief Access control check for setting memory protections
3012 @param cred Subject credential
3013 @param proc User process requesting the change
3014 @param addr Start address of the memory range
3015 @param size Length address of the memory range
3016 @param prot Memory protections, see mmap(2)
3017
3018 Determine whether the subject identified by the credential should
3019 be allowed to set the specified memory protections on memory mapped
3020 in the process proc.
3021
3022 @return Return 0 if access is granted, otherwise an appropriate value for
3023 errno should be returned.
3024*/
3025typedef int mpo_proc_check_mprotect_t(
3026 kauth_cred_t cred,
3027 struct proc *proc,
3028 user_addr_t addr,
3029 user_size_t size,
3030 int prot
3031);
3032/**
3033 @brief Access control check for changing scheduling parameters
3034 @param cred Subject credential
3035 @param proc Object process
3036
3037 Determine whether the subject identified by the credential can change
3038 the scheduling parameters of the passed process.
3039
3040 @return Return 0 if access is granted, otherwise an appropriate value for
3041 errno should be returned. Suggested failure: EACCES for label mismatch,
3042 EPERM for lack of privilege, or ESRCH to limit visibility.
3043*/
3044typedef int mpo_proc_check_sched_t(
3045 kauth_cred_t cred,
3046 struct proc *proc
3047);
3048/**
3049 @brief Access control check for setting audit information
3050 @param cred Subject credential
3051 @param ai Audit information
3052
3053 Determine whether the subject identified by the credential can set
3054 audit information such as the the preselection mask, the terminal ID
3055 and the audit session ID, using the setaudit() system call.
3056
3057 @return Return 0 if access is granted, otherwise an appropriate value for
3058 errno should be returned.
3059*/
3060typedef int mpo_proc_check_setaudit_t(
3061 kauth_cred_t cred,
3062 struct auditinfo *ai
3063);
3064/**
3065 @brief Access control check for setting audit user ID
3066 @param cred Subject credential
3067 @param auid Audit user ID
3068
3069 Determine whether the subject identified by the credential can set
3070 the user identity used by the auditing system, using the setauid()
3071 system call.
3072
3073 @return Return 0 if access is granted, otherwise an appropriate value for
3074 errno should be returned.
3075*/
3076typedef int mpo_proc_check_setauid_t(
3077 kauth_cred_t cred,
3078 uid_t auid
3079);
3080/**
3081 @brief Access control check for setting the Login Context
3082 @param p0 Calling process
3083 @param p Effected process
3084 @param pid syscall PID argument
3085 @param lcid syscall LCID argument
3086
3087 Determine if setlcid(2) system call is permitted.
3088
3089 See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of
3090 decoding syscall arguments to determine action desired by caller.
3091
3092 Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN
3093
3094 @return Return 0 if access is granted, otherwise an appropriate value for
3095 errno should be returned.
3096*/
3097typedef int mpo_proc_check_setlcid_t(
3098 struct proc *p0,
3099 struct proc *p,
3100 pid_t pid,
3101 pid_t lcid
3102);
3103/**
3104 @brief Access control check for delivering signal
3105 @param cred Subject credential
3106 @param proc Object process
3107 @param signum Signal number; see kill(2)
3108
3109 Determine whether the subject identified by the credential can deliver
3110 the passed signal to the passed process.
3111
3112 @warning Programs typically expect to be able to send and receive
3113 signals as part or their normal process lifecycle; caution should be
3114 exercised when implementing access controls over signal events.
3115
3116 @return Return 0 if access is granted, otherwise an appropriate value for
3117 errno should be returned. Suggested failure: EACCES for label mismatch,
3118 EPERM for lack of privilege, or ESRCH to limit visibility.
3119*/
3120typedef int mpo_proc_check_signal_t(
3121 kauth_cred_t cred,
3122 struct proc *proc,
3123 int signum
3124);
3125/**
3126 @brief Access control check for wait
3127 @param cred Subject credential
3128 @param proc Object process
3129
3130 Determine whether the subject identified by the credential can wait
3131 for process termination.
3132
3133 @warning Caution should be exercised when implementing access
3134 controls for wait, since programs often wait for child processes to
3135 exit. Failure to be notified of a child process terminating may
3136 cause the parent process to hang, or may produce zombie processes.
3137
3138 @return Return 0 if access is granted, otherwise an appropriate value for
3139 errno should be returned.
3140*/
3141typedef int mpo_proc_check_wait_t(
3142 kauth_cred_t cred,
3143 struct proc *proc
3144);
3145/**
3146 @brief Destroy process label
3147 @param label The label to be destroyed
3148
3149 Destroy a process label. Since the object is going
3150 out of scope, policy modules should free any internal storage
3151 associated with the label so that it may be destroyed.
3152*/
3153typedef void mpo_proc_label_destroy_t(
3154 struct label *label
3155);
3156/**
3157 @brief Initialize process label
3158 @param label New label to initialize
3159 @see mpo_cred_label_init_t
3160
3161 Initialize the label for a newly instantiated BSD process structure.
3162 Normally, security policies will store the process label in the user
3163 credential rather than here in the process structure. However,
3164 there are some floating label policies that may need to temporarily
3165 store a label in the process structure until it is safe to update
3166 the user credential label. Sleeping is permitted.
3167*/
3168typedef void mpo_proc_label_init_t(
3169 struct label *label
3170);
3171/**
3172 @brief Access control check for socket accept
3173 @param cred Subject credential
3174 @param socket Object socket
3175 @param socklabel Policy label for socket
3176
3177 Determine whether the subject identified by the credential can accept()
3178 a new connection on the socket from the host specified by addr.
3179
3180 @return Return 0 if access if granted, otherwise an appropriate
3181 value for errno should be returned.
3182*/
3183typedef int mpo_socket_check_accept_t(
3184 kauth_cred_t cred,
3185 socket_t so,
3186 struct label *socklabel
3187);
3188/**
3189 @brief Access control check for a pending socket accept
3190 @param cred Subject credential
3191 @param so Object socket
3192 @param socklabel Policy label for socket
3193 @param addr Address of the listening socket (coming soon)
3194
3195 Determine whether the subject identified by the credential can accept()
3196 a pending connection on the socket from the host specified by addr.
3197
3198 @return Return 0 if access if granted, otherwise an appropriate
3199 value for errno should be returned.
3200*/
3201typedef int mpo_socket_check_accepted_t(
3202 kauth_cred_t cred,
3203 socket_t so,
3204 struct label *socklabel,
3205 struct sockaddr *addr
3206);
3207/**
3208 @brief Access control check for socket bind
3209 @param cred Subject credential
3210 @param so Object socket
3211 @param socklabel Policy label for socket
3212 @param addr Name to assign to the socket
3213
3214 Determine whether the subject identified by the credential can bind()
3215 the name (addr) to the socket.
3216
3217 @return Return 0 if access if granted, otherwise an appropriate
3218 value for errno should be returned.
3219*/
3220typedef int mpo_socket_check_bind_t(
3221 kauth_cred_t cred,
3222 socket_t so,
3223 struct label *socklabel,
3224 struct sockaddr *addr
3225);
3226/**
3227 @brief Access control check for socket connect
3228 @param cred Subject credential
3229 @param so Object socket
3230 @param socklabel Policy label for socket
3231 @param addr Name to assign to the socket
3232
3233 Determine whether the subject identified by the credential can
3234 connect() the passed socket to the remote host specified by addr.
3235
3236 @return Return 0 if access if granted, otherwise an appropriate
3237 value for errno should be returned.
3238*/
3239typedef int mpo_socket_check_connect_t(
3240 kauth_cred_t cred,
3241 socket_t so,
3242 struct label *socklabel,
3243 struct sockaddr *addr
3244);
3245/**
3246 @brief Access control check for socket() system call.
3247 @param cred Subject credential
3248 @param domain communication domain
3249 @param type socket type
3250 @param protocol socket protocol
3251
3252 Determine whether the subject identified by the credential can
3253 make the socket() call.
3254
3255 @return Return 0 if access if granted, otherwise an appropriate
3256 value for errno should be returned.
3257*/
3258typedef int mpo_socket_check_create_t(
3259 kauth_cred_t cred,
3260 int domain,
3261 int type,
3262 int protocol
3263);
3264/**
3265 @brief Access control check for delivering data to a user's receieve queue
3266 @param so The socket data is being delivered to
3267 @param so_label The label of so
3268 @param m The mbuf whose data will be deposited into the receive queue
3269 @param m_label The label of the sender of the data.
3270
3271 A socket has a queue for receiving incoming data. When a packet arrives
3272 on the wire, it eventually gets deposited into this queue, which the
3273 owner of the socket drains when they read from the socket's file descriptor.
3274
3275 This function determines whether the socket can receive data from
3276 the sender specified by m_label.
3277
3278 @warning There is an outstanding design issue surrounding the placement
3279 of this function. The check must be placed either before or after the
3280 TCP sequence and ACK counters are updated. Placing the check before
3281 the counters are updated causes the incoming packet to be resent by
3282 the remote if the check rejects it. Placing the check after the counters
3283 are updated results in a completely silent drop. As far as each TCP stack
3284 is concerned the packet was received, however, the data will not be in the
3285 socket's receive queue. Another consideration is that the current design
3286 requires using the "failed label" occasionally. In that case, on rejection,
3287 we want the remote TCP to resend the data. Because of this, we chose to
3288 place this check before the counters are updated, so rejected packets will be
3289 resent by the remote host.
3290
3291 If a policy keeps rejecting the same packet, eventually the connection will
3292 be dropped. Policies have several options if this design causes problems.
3293 For example, one options is to sanitize the mbuf such that it is acceptable,
3294 then accept it. That may require negotiation between policies as the
3295 Framework will not know to re-check the packet.
3296
3297 The policy must handle NULL MBUF labels. This will likely be the case
3298 for non-local TCP sockets for example.
3299
3300 @return Return 0 if access if granted, otherwise an appropriate
3301 value for errno should be returned.
3302*/
3303typedef int mpo_socket_check_deliver_t(
3304 socket_t so,
3305 struct label *so_label,
3306 struct mbuf *m,
3307 struct label *m_label
3308);
3309/**
3310 @brief Access control check for socket kqfilter
3311 @param cred Subject credential
3312 @param kn Object knote
3313 @param so Object socket
3314 @param socklabel Policy label for socket
3315
3316 Determine whether the subject identified by the credential can
3317 receive the knote on the passed socket.
3318
3319 @return Return 0 if access if granted, otherwise an appropriate
3320 value for errno should be returned.
3321*/
3322typedef int mpo_socket_check_kqfilter_t(
3323 kauth_cred_t cred,
3324 struct knote *kn,
3325 socket_t so,
3326 struct label *socklabel
3327);
3328/**
3329 @brief Access control check for socket relabel
3330 @param cred Subject credential
3331 @param so Object socket
3332 @param so_label The current label of so
3333 @param newlabel The label to be assigned to so
3334
3335 Determine whether the subject identified by the credential can
3336 change the label on the socket.
3337
3338 @return Return 0 if access if granted, otherwise an appropriate
3339 value for errno should be returned.
3340*/
3341typedef int mpo_socket_check_label_update_t(
3342 kauth_cred_t cred,
3343 socket_t so,
3344 struct label *so_label,
3345 struct label *newlabel
3346);
3347/**
3348 @brief Access control check for socket listen
3349 @param cred Subject credential
3350 @param so Object socket
3351 @param socklabel Policy label for socket
3352
3353 Determine whether the subject identified by the credential can
3354 listen() on the passed socket.
3355
3356 @return Return 0 if access if granted, otherwise an appropriate
3357 value for errno should be returned.
3358*/
3359typedef int mpo_socket_check_listen_t(
3360 kauth_cred_t cred,
3361 socket_t so,
3362 struct label *socklabel
3363);
3364/**
3365 @brief Access control check for socket receive
3366 @param cred Subject credential
3367 @param so Object socket
3368 @param socklabel Policy label for socket
3369
3370 Determine whether the subject identified by the credential can
3371 receive data from the socket.
3372
3373 @return Return 0 if access if granted, otherwise an appropriate
3374 value for errno should be returned.
3375*/
3376typedef int mpo_socket_check_receive_t(
3377 kauth_cred_t cred,
3378 socket_t so,
3379 struct label *socklabel
3380);
3381
3382/**
3383 @brief Access control check for socket receive
3384 @param cred Subject credential
3385 @param socket Object socket
3386 @param socklabel Policy label for socket
3387 @param addr Name of the remote socket
3388
3389 Determine whether the subject identified by the credential can
3390 receive data from the remote host specified by addr.
3391
3392 @return Return 0 if access if granted, otherwise an appropriate
3393 value for errno should be returned.
3394*/
3395typedef int mpo_socket_check_received_t(
3396 kauth_cred_t cred,
3397 struct socket *sock,
3398 struct label *socklabel,
3399 struct sockaddr *saddr
3400 );
3401
3402
3403/**
3404 @brief Access control check for socket select
3405 @param cred Subject credential
3406 @param so Object socket
3407 @param socklabel Policy label for socket
3408 @param which The operation selected on: FREAD or FWRITE
3409
3410 Determine whether the subject identified by the credential can use the
3411 socket in a call to select().
3412
3413 @return Return 0 if access if granted, otherwise an appropriate
3414 value for errno should be returned.
3415*/
3416typedef int mpo_socket_check_select_t(
3417 kauth_cred_t cred,
3418 socket_t so,
3419 struct label *socklabel,
3420 int which
3421);
3422/**
3423 @brief Access control check for socket send
3424 @param cred Subject credential
3425 @param so Object socket
3426 @param socklabel Policy label for socket
3427 @param addr Address being sent to
3428
3429 Determine whether the subject identified by the credential can send
3430 data to the socket.
3431
3432 @return Return 0 if access if granted, otherwise an appropriate
3433 value for errno should be returned.
3434*/
3435typedef int mpo_socket_check_send_t(
3436 kauth_cred_t cred,
3437 socket_t so,
3438 struct label *socklabel,
3439 struct sockaddr *addr
3440);
3441/**
3442 @brief Access control check for retrieving socket status
3443 @param cred Subject credential
3444 @param so Object socket
3445 @param socklabel Policy label for so
3446
3447 Determine whether the subject identified by the credential can
3448 execute the stat() system call on the given socket.
3449
3450 @return Return 0 if access if granted, otherwise an appropriate
3451 value for errno should be returned.
3452*/
3453typedef int mpo_socket_check_stat_t(
3454 kauth_cred_t cred,
3455 socket_t so,
3456 struct label *socklabel
3457);
3458/**
3459 @brief Access control check for setting socket options
3460 @param cred Subject credential
3461 @param so Object socket
3462 @param socklabel Policy label for so
3463 @param sopt The options being set
3464
3465 Determine whether the subject identified by the credential can
3466 execute the setsockopt system call on the given socket.
3467
3468 @return Return 0 if access if granted, otherwise an appropriate
3469 value for errno should be returned.
3470*/
3471typedef int mpo_socket_check_setsockopt_t(
3472 kauth_cred_t cred,
3473 socket_t so,
3474 struct label *socklabel,
3475 struct sockopt *sopt
3476);
3477/**
3478 @brief Access control check for getting socket options
3479 @param cred Subject credential
3480 @param so Object socket
3481 @param socklabel Policy label for so
3482 @param sopt The options to get
3483
3484 Determine whether the subject identified by the credential can
3485 execute the getsockopt system call on the given socket.
3486
3487 @return Return 0 if access if granted, otherwise an appropriate
3488 value for errno should be returned.
3489*/
3490typedef int mpo_socket_check_getsockopt_t(
3491 kauth_cred_t cred,
3492 socket_t so,
3493 struct label *socklabel,
3494 struct sockopt *sopt
3495);
3496/**
3497 @brief Label a socket
3498 @param oldsock Listening socket
3499 @param oldlabel Policy label associated with oldsock
3500 @param newsock New socket
3501 @param newlabel Policy label associated with newsock
3502
3503 A new socket is created when a connection is accept(2)ed. This
3504 function labels the new socket based on the existing listen(2)ing
3505 socket.
3506*/
3507typedef void mpo_socket_label_associate_accept_t(
3508 socket_t oldsock,
3509 struct label *oldlabel,
3510 socket_t newsock,
3511 struct label *newlabel
3512);
3513/**
3514 @brief Assign a label to a new socket
3515 @param cred Credential of the owning process
3516 @param so The socket being labeled
3517 @param solabel The label
3518 @warning cred can be NULL
3519
3520 Set the label on a newly created socket from the passed subject
3521 credential. This call is made when a socket is created. The
3522 credentials may be null if the socket is being created by the
3523 kernel.
3524*/
3525typedef void mpo_socket_label_associate_t(
3526 kauth_cred_t cred,
3527 socket_t so,
3528 struct label *solabel
3529);
3530/**
3531 @brief Copy a socket label
3532 @param src Source label
3533 @param dest Destination label
3534
3535 Copy the socket label information in src into dest.
3536*/
3537typedef void mpo_socket_label_copy_t(
3538 struct label *src,
3539 struct label *dest
3540);
3541/**
3542 @brief Destroy socket label
3543 @param label The label to be destroyed
3544
3545 Destroy a socket label. Since the object is going out of
3546 scope, policy modules should free any internal storage associated
3547 with the label so that it may be destroyed.
3548*/
3549typedef void mpo_socket_label_destroy_t(
3550 struct label *label
3551);
3552/**
3553 @brief Externalize a socket label
3554 @param label Label to be externalized
3555 @param element_name Name of the label namespace for which labels should be
3556 externalized
3557 @param sb String buffer to be filled with a text representation of label
3558
3559 Produce an externalized socket label based on the label structure passed.
3560 An externalized label consists of a text representation of the label
3561 contents that can be used with userland applications and read by the
3562 user. If element_name does not match a namespace managed by the policy,
3563 simply return 0. Only return nonzero if an error occurs while externalizing
3564 the label data.
3565
3566 @return In the event of an error, an appropriate value for errno
3567 should be returned, otherwise return 0 upon success.
3568*/
3569typedef int mpo_socket_label_externalize_t(
3570 struct label *label,
3571 char *element_name,
3572 struct sbuf *sb
3573);
3574/**
3575 @brief Initialize socket label
3576 @param label New label to initialize
3577 @param waitok Malloc flags
3578
3579 Initialize the label of a newly instantiated socket. The waitok
3580 field may be one of M_WAITOK and M_NOWAIT, and should be employed to
3581 avoid performing a sleeping malloc(9) during this initialization
3582 call. It it not always safe to sleep during this entry point.
3583
3584 @warning Since it is possible for the waitok flags to be set to
3585 M_NOWAIT, the malloc operation may fail.
3586
3587 @return In the event of an error, an appropriate value for errno
3588 should be returned, otherwise return 0 upon success.
3589*/
3590typedef int mpo_socket_label_init_t(
3591 struct label *label,
3592 int waitok
3593);
3594/**
3595 @brief Internalize a socket label
3596 @param label Label to be filled in
3597 @param element_name Name of the label namespace for which the label should
3598 be internalized
3599 @param element_data Text data to be internalized
3600
3601 Produce an internal socket label structure based on externalized label
3602 data in text format.
3603
3604 The policy's internalize entry points will be called only if the
3605 policy has registered interest in the label namespace.
3606
3607 @return In the event of an error, an appropriate value for errno
3608 should be returned, otherwise return 0 upon success.
3609*/
3610typedef int mpo_socket_label_internalize_t(
3611 struct label *label,
3612 char *element_name,
3613 char *element_data
3614);
3615/**
3616 @brief Relabel socket
3617 @param cred Subject credential
3618 @param so Object; socket
3619 @param so_label Current label of the socket
3620 @param newlabel The label to be assigned to so
3621
3622 The subject identified by the credential has previously requested
3623 and was authorized to relabel the socket; this entry point allows
3624 policies to perform the actual label update operation.
3625
3626 @warning XXX This entry point will likely change in future versions.
3627*/
3628typedef void mpo_socket_label_update_t(
3629 kauth_cred_t cred,
3630 socket_t so,
3631 struct label *so_label,
3632 struct label *newlabel
3633);
3634/**
3635 @brief Set the peer label on a socket from mbuf
3636 @param m Mbuf chain received on socket so
3637 @param m_label Label for m
3638 @param so Current label for the socket
3639 @param so_label Policy label to be filled out for the socket
3640
3641 Set the peer label of a socket based on the label of the sender of the
3642 mbuf.
3643
3644 This is called for every TCP/IP packet received. The first call for a given
3645 socket operates on a newly initialized label, and subsequent calls operate
3646 on existing label data.
3647
3648 @warning Because this can affect performance significantly, it has
3649 different sematics than other 'set' operations. Typically, 'set' operations
3650 operate on newly initialzed labels and policies do not need to worry about
3651 clobbering existing values. In this case, it is too inefficient to
3652 initialize and destroy a label every time data is received for the socket.
3653 Instead, it is up to the policies to determine how to replace the label data.
3654 Most policies should be able to replace the data inline.
3655*/
3656typedef void mpo_socketpeer_label_associate_mbuf_t(
3657 struct mbuf *m,
3658 struct label *m_label,
3659 socket_t so,
3660 struct label *so_label
3661);
3662/**
3663 @brief Set the peer label on a socket from socket
3664 @param source Local socket
3665 @param sourcelabel Policy label for source
3666 @param target Peer socket
3667 @param targetlabel Policy label to fill in for target
3668
3669 Set the peer label on a stream UNIX domain socket from the passed
3670 remote socket endpoint. This call will be made when the socket pair
3671 is connected, and will be made for both endpoints.
3672
3673 Note that this call is only made on connection; it is currently not updated
3674 during communication.
3675*/
3676typedef void mpo_socketpeer_label_associate_socket_t(
3677 socket_t source,
3678 struct label *sourcelabel,
3679 socket_t target,
3680 struct label *targetlabel
3681);
3682/**
3683 @brief Destroy socket peer label
3684 @param label The peer label to be destroyed
3685
3686 Destroy a socket peer label. Since the object is going out of
3687 scope, policy modules should free any internal storage associated
3688 with the label so that it may be destroyed.
3689*/
3690typedef void mpo_socketpeer_label_destroy_t(
3691 struct label *label
3692);
3693/**
3694 @brief Externalize a socket peer label
3695 @param label Label to be externalized
3696 @param element_name Name of the label namespace for which labels should be
3697 externalized
3698 @param sb String buffer to be filled with a text representation of label
3699
3700 Produce an externalized socket peer label based on the label structure
3701 passed. An externalized label consists of a text representation of the
3702 label contents that can be used with userland applications and read by the
3703 user. If element_name does not match a namespace managed by the policy,
3704 simply return 0. Only return nonzero if an error occurs while externalizing
3705 the label data.
3706
3707 @return In the event of an error, an appropriate value for errno
3708 should be returned, otherwise return 0 upon success.
3709*/
3710typedef int mpo_socketpeer_label_externalize_t(
3711 struct label *label,
3712 char *element_name,
3713 struct sbuf *sb
3714);
3715/**
3716 @brief Initialize socket peer label
3717 @param label New label to initialize
3718 @param waitok Malloc flags
3719
3720 Initialize the peer label of a newly instantiated socket. The
3721 waitok field may be one of M_WAITOK and M_NOWAIT, and should be
3722 employed to avoid performing a sleeping malloc(9) during this
3723 initialization call. It it not always safe to sleep during this
3724 entry point.
3725
3726 @warning Since it is possible for the waitok flags to be set to
3727 M_NOWAIT, the malloc operation may fail.
3728
3729 @return In the event of an error, an appropriate value for errno
3730 should be returned, otherwise return 0 upon success.
3731*/
3732typedef int mpo_socketpeer_label_init_t(
3733 struct label *label,
3734 int waitok
3735);
3736/**
3737 @brief Access control check for enabling accounting
3738 @param cred Subject credential
3739 @param vp Accounting file
3740 @param vlabel Label associated with vp
3741
3742 Determine whether the subject should be allowed to enable accounting,
3743 based on its label and the label of the accounting log file. See
3744 acct(5) for more information.
3745
3746 As accounting is disabled by passing NULL to the acct(2) system call,
3747 the policy should be prepared for both 'vp' and 'vlabel' to be NULL.
3748
3749 @return Return 0 if access is granted, otherwise an appropriate value for
3750 errno should be returned.
3751*/
3752typedef int mpo_system_check_acct_t(
3753 kauth_cred_t cred,
3754 struct vnode *vp,
3755 struct label *vlabel
3756);
3757/**
3758 @brief Access control check for audit
3759 @param cred Subject credential
3760 @param record Audit record
3761 @param length Audit record length
3762
3763 Determine whether the subject identified by the credential can submit
3764 an audit record for inclusion in the audit log via the audit() system call.
3765
3766 @return Return 0 if access is granted, otherwise an appropriate value for
3767 errno should be returned.
3768*/
3769typedef int mpo_system_check_audit_t(
3770 kauth_cred_t cred,
3771 void *record,
3772 int length
3773);
3774/**
3775 @brief Access control check for controlling audit
3776 @param cred Subject credential
3777 @param vp Audit file
3778 @param vl Label associated with vp
3779
3780 Determine whether the subject should be allowed to enable auditing using
3781 the auditctl() system call, based on its label and the label of the proposed
3782 audit file.
3783
3784 @return Return 0 if access is granted, otherwise an appropriate value for
3785 errno should be returned.
3786*/
3787typedef int mpo_system_check_auditctl_t(
3788 kauth_cred_t cred,
3789 struct vnode *vp,
3790 struct label *vl
3791);
3792/**
3793 @brief Access control check for manipulating auditing
3794 @param cred Subject credential
3795 @param cmd Audit control command
3796
3797 Determine whether the subject identified by the credential can perform
3798 the audit subsystem control operation cmd via the auditon() system call.
3799
3800 @return Return 0 if access is granted, otherwise an appropriate value for
3801 errno should be returned.
3802*/
3803typedef int mpo_system_check_auditon_t(
3804 kauth_cred_t cred,
3805 int cmd
3806);
3807/**
3808 @brief Access control check for obtaining the host control port
3809 @param cred Subject credential
3810
3811 Determine whether the subject identified by the credential can
3812 obtain the host control port.
3813
3814 @return Return 0 if access is granted, or non-zero otherwise.
3815*/
3816typedef int mpo_system_check_host_priv_t(
3817 kauth_cred_t cred
3818);
3819/**
3820 @brief Access control check for calling NFS services
3821 @param cred Subject credential
3822
3823 Determine whether the subject identified by the credential should be
3824 allowed to call nfssrv(2).
3825
3826 @return Return 0 if access is granted, otherwise an appropriate value for
3827 errno should be returned.
3828*/
3829typedef int mpo_system_check_nfsd_t(
3830 kauth_cred_t cred
3831);
3832/**
3833 @brief Access control check for reboot
3834 @param cred Subject credential
3835 @param howto howto parameter from reboot(2)
3836
3837 Determine whether the subject identified by the credential should be
3838 allowed to reboot the system in the specified manner.
3839
3840 @return Return 0 if access is granted, otherwise an appropriate value for
3841 errno should be returned.
3842*/
3843typedef int mpo_system_check_reboot_t(
3844 kauth_cred_t cred,
3845 int howto
3846);
3847/**
3848 @brief Access control check for setting system clock
3849 @param cred Subject credential
3850
3851 Determine whether the subject identified by the credential should be
3852 allowed to set the system clock.
3853
3854 @return Return 0 if access is granted, otherwise an appropriate value for
3855 errno should be returned.
3856*/
3857typedef int mpo_system_check_settime_t(
3858 kauth_cred_t cred
3859);
3860/**
3861 @brief Access control check for removing swap devices
3862 @param cred Subject credential
3863 @param vp Swap device
3864 @param label Label associated with vp
3865
3866 Determine whether the subject identified by the credential should be
3867 allowed to remove vp as a swap device.
3868
3869 @return Return 0 if access is granted, otherwise an appropriate value for
3870 errno should be returned.
3871*/
3872typedef int mpo_system_check_swapoff_t(
3873 kauth_cred_t cred,
3874 struct vnode *vp,
3875 struct label *label
3876);
3877/**
3878 @brief Access control check for adding swap devices
3879 @param cred Subject credential
3880 @param vp Swap device
3881 @param label Label associated with vp
3882
3883 Determine whether the subject identified by the credential should be
3884 allowed to add vp as a swap device.
3885
3886 @return Return 0 if access is granted, otherwise an appropriate value for
3887 errno should be returned.
3888*/
3889typedef int mpo_system_check_swapon_t(
3890 kauth_cred_t cred,
3891 struct vnode *vp,
3892 struct label *label
3893);
3894/**
3895 @brief Access control check for sysctl
3896 @param cred Subject credential
3897 @param name Integer name; see sysctl(3)
3898 @param namelen Length of name array of integers; see sysctl(3)
3899 @param old 0 or address where to store old value; see sysctl(3)
3900 @param oldlenp Pointer to length of old buffer; see sysctl(3)
3901 @param inkernel Boolean; 1 if called from kernel
3902 @param newvalue 0 or address of new value; see sysctl(3)
3903 @param newlen Length of new buffer; see sysctl(3)
3904
3905 Determine whether the subject identified by the credential should be
3906 allowed to make the specified sysctl(3) transaction.
3907
3908 The sysctl(3) call specifies that if the old value is not desired,
3909 oldp and oldlenp should be set to NULL. Likewise, if a new value is
3910 not to be set, newp should be set to NULL and newlen set to 0.
3911
3912 @return Return 0 if access is granted, otherwise an appropriate value for
3913 errno should be returned.
3914*/
3915typedef int mpo_system_check_sysctl_t(
3916 kauth_cred_t cred,
3917 int *name,
3918 u_int namelen,
3919 user_addr_t old, /* NULLOK */
3920 user_addr_t oldlenp, /* NULLOK */
3921 int inkernel,
3922 user_addr_t newvalue, /* NULLOK */
3923 size_t newlen
3924);
3925/**
3926 @brief Create a System V message label
3927 @param cred Subject credential
3928 @param msqkptr The message queue the message will be placed in
3929 @param msqlabel The label of the message queue
3930 @param msgptr The message
3931 @param msglabel The label of the message
3932
3933 Label the message as its placed in the message queue.
3934*/
3935typedef void mpo_sysvmsg_label_associate_t(
3936 kauth_cred_t cred,
3937 struct msqid_kernel *msqptr,
3938 struct label *msqlabel,
3939 struct msg *msgptr,
3940 struct label *msglabel
3941);
3942/**
3943 @brief Destroy System V message label
3944 @param label The label to be destroyed
3945
3946 Destroy a System V message label. Since the object is
3947 going out of scope, policy modules should free any internal storage
3948 associated with the label so that it may be destroyed.
3949*/
3950typedef void mpo_sysvmsg_label_destroy_t(
3951 struct label *label
3952);
3953/**
3954 @brief Initialize System V message label
3955 @param label New label to initialize
3956
3957 Initialize the label for a newly instantiated System V message.
3958*/
3959typedef void mpo_sysvmsg_label_init_t(
3960 struct label *label
3961);
3962/**
3963 @brief Clean up a System V message label
3964 @param label The label to be destroyed
3965
3966 Clean up a System V message label. Darwin pre-allocates
3967 messages at system boot time and re-uses them rather than
3968 allocating new ones. Before messages are returned to the "free
3969 pool", policies can cleanup or overwrite any information present in
3970 the label.
3971*/
3972typedef void mpo_sysvmsg_label_recycle_t(
3973 struct label *label
3974);
3975/**
3976 @brief Access control check for System V message enqueuing
3977 @param cred Subject credential
3978 @param msgptr The message
3979 @param msglabel The message's label
3980 @param msqkptr The message queue
3981 @param msqlabel The message queue's label
3982
3983 Determine whether the subject identified by the credential can add the
3984 given message to the given message queue.
3985
3986 @return Return 0 if access is granted, otherwise an appropriate value for
3987 errno should be returned.
3988*/
3989typedef int mpo_sysvmsq_check_enqueue_t(
3990 kauth_cred_t cred,
3991 struct msg *msgptr,
3992 struct label *msglabel,
3993 struct msqid_kernel *msqptr,
3994 struct label *msqlabel
3995);
3996/**
3997 @brief Access control check for System V message reception
3998 @param cred The credential of the intended recipient
3999 @param msgptr The message
4000 @param msglabel The message's label
4001
4002 Determine whether the subject identified by the credential can receive
4003 the given message.
4004
4005 @return Return 0 if access is granted, otherwise an appropriate value for
4006 errno should be returned.
4007*/
4008typedef int mpo_sysvmsq_check_msgrcv_t(
4009 kauth_cred_t cred,
4010 struct msg *msgptr,
4011 struct label *msglabel
4012);
4013/**
4014 @brief Access control check for System V message queue removal
4015 @param cred The credential of the caller
4016 @param msgptr The message
4017 @param msglabel The message's label
4018
4019 System V message queues are removed using the msgctl() system call.
4020 The system will iterate over each messsage in the queue, calling this
4021 function for each, to determine whether the caller has the appropriate
4022 credentials.
4023
4024 @return Return 0 if access is granted, otherwise an appropriate value for
4025 errno should be returned.
4026*/
4027typedef int mpo_sysvmsq_check_msgrmid_t(
4028 kauth_cred_t cred,
4029 struct msg *msgptr,
4030 struct label *msglabel
4031);
4032/**
4033 @brief Access control check for msgctl()
4034 @param cred The credential of the caller
4035 @param msqptr The message queue
4036 @param msqlabel The message queue's label
4037
4038 This access check is performed to validate calls to msgctl().
4039
4040 @return Return 0 if access is granted, otherwise an appropriate value for
4041 errno should be returned.
4042*/
4043typedef int mpo_sysvmsq_check_msqctl_t(
4044 kauth_cred_t cred,
4045 struct msqid_kernel *msqptr,
4046 struct label *msqlabel,
4047 int cmd
4048);
4049/**
4050 @brief Access control check to get a System V message queue
4051 @param cred The credential of the caller
4052 @param msqptr The message queue requested
4053 @param msqlabel The message queue's label
4054
4055 On a call to msgget(), if the queue requested already exists,
4056 and it is a public queue, this check will be performed before the
4057 queue's ID is returned to the user.
4058
4059 @return Return 0 if access is granted, otherwise an appropriate value for
4060 errno should be returned.
4061*/
4062typedef int mpo_sysvmsq_check_msqget_t(
4063 kauth_cred_t cred,
4064 struct msqid_kernel *msqptr,
4065 struct label *msqlabel
4066);
4067/**
4068 @brief Access control check to receive a System V message from the given queue
4069 @param cred The credential of the caller
4070 @param msqptr The message queue to receive from
4071 @param msqlabel The message queue's label
4072
4073 On a call to msgrcv(), this check is performed to determine whether the
4074 caller has receive rights on the given queue.
4075
4076 @return Return 0 if access is granted, otherwise an appropriate value for
4077 errno should be returned.
4078*/
4079typedef int mpo_sysvmsq_check_msqrcv_t(
4080 kauth_cred_t cred,
4081 struct msqid_kernel *msqptr,
4082 struct label *msqlabel
4083);
4084/**
4085 @brief Access control check to send a System V message to the given queue
4086 @param cred The credential of the caller
4087 @param msqptr The message queue to send to
4088 @param msqlabel The message queue's label
4089
4090 On a call to msgsnd(), this check is performed to determine whether the
4091 caller has send rights on the given queue.
4092
4093 @return Return 0 if access is granted, otherwise an appropriate value for
4094 errno should be returned.
4095*/
4096typedef int mpo_sysvmsq_check_msqsnd_t(
4097 kauth_cred_t cred,
4098 struct msqid_kernel *msqptr,
4099 struct label *msqlabel
4100);
4101/**
4102 @brief Create a System V message queue label
4103 @param cred Subject credential
4104 @param msqkptr The message queue
4105 @param msqlabel The label of the message queue
4106
4107*/
4108typedef void mpo_sysvmsq_label_associate_t(
4109 kauth_cred_t cred,
4110 struct msqid_kernel *msqptr,
4111 struct label *msqlabel
4112);
4113/**
4114 @brief Destroy System V message queue label
4115 @param label The label to be destroyed
4116
4117 Destroy a System V message queue label. Since the object is
4118 going out of scope, policy modules should free any internal storage
4119 associated with the label so that it may be destroyed.
4120*/
4121typedef void mpo_sysvmsq_label_destroy_t(
4122 struct label *label
4123);
4124/**
4125 @brief Initialize System V message queue label
4126 @param label New label to initialize
4127
4128 Initialize the label for a newly instantiated System V message queue.
4129*/
4130typedef void mpo_sysvmsq_label_init_t(
4131 struct label *label
4132);
4133/**
4134 @brief Clean up a System V message queue label
4135 @param label The label to be destroyed
4136
4137 Clean up a System V message queue label. Darwin pre-allocates
4138 message queues at system boot time and re-uses them rather than
4139 allocating new ones. Before message queues are returned to the "free
4140 pool", policies can cleanup or overwrite any information present in
4141 the label.
4142*/
4143typedef void mpo_sysvmsq_label_recycle_t(
4144 struct label *label
4145);
4146/**
4147 @brief Access control check for System V semaphore control operation
4148 @param cred Subject credential
4149 @param semakptr Pointer to semaphore identifier
4150 @param semaklabel Label associated with semaphore
4151 @param cmd Control operation to be performed; see semctl(2)
4152
4153 Determine whether the subject identified by the credential can perform
4154 the operation indicated by cmd on the System V semaphore semakptr.
4155
4156 @return Return 0 if access is granted, otherwise an appropriate value for
4157 errno should be returned.
4158*/
4159typedef int mpo_sysvsem_check_semctl_t(
4160 kauth_cred_t cred,
4161 struct semid_kernel *semakptr,
4162 struct label *semaklabel,
4163 int cmd
4164);
4165/**
4166 @brief Access control check for obtaining a System V semaphore
4167 @param cred Subject credential
4168 @param semakptr Pointer to semaphore identifier
4169 @param semaklabel Label to associate with the semaphore
4170
4171 Determine whether the subject identified by the credential can
4172 obtain a System V semaphore.
4173
4174 @return Return 0 if access is granted, otherwise an appropriate value for
4175 errno should be returned.
4176*/
4177typedef int mpo_sysvsem_check_semget_t(
4178 kauth_cred_t cred,
4179 struct semid_kernel *semakptr,
4180 struct label *semaklabel
4181);
4182/**
4183 @brief Access control check for System V semaphore operations
4184 @param cred Subject credential
4185 @param semakptr Pointer to semaphore identifier
4186 @param semaklabel Label associated with the semaphore
4187 @param accesstype Flags to indicate access (read and/or write)
4188
4189 Determine whether the subject identified by the credential can
4190 perform the operations on the System V semaphore indicated by
4191 semakptr. The accesstype flags hold the maximum set of permissions
4192 from the sem_op array passed to the semop system call. It may
4193 contain SEM_R for read-only operations or SEM_A for read/write
4194 operations.
4195
4196 @return Return 0 if access is granted, otherwise an appropriate value for
4197 errno should be returned.
4198*/
4199typedef int mpo_sysvsem_check_semop_t(
4200 kauth_cred_t cred,
4201 struct semid_kernel *semakptr,
4202 struct label *semaklabel,
4203 size_t accesstype
4204);
4205/**
4206 @brief Create a System V semaphore label
4207 @param cred Subject credential
4208 @param semakptr The semaphore being created
4209 @param semalabel Label to associate with the new semaphore
4210
4211 Label a new System V semaphore. The label was previously
4212 initialized and associated with the semaphore. At this time, an
4213 appropriate initial label value should be assigned to the object and
4214 stored in semalabel.
4215*/
4216typedef void mpo_sysvsem_label_associate_t(
4217 kauth_cred_t cred,
4218 struct semid_kernel *semakptr,
4219 struct label *semalabel
4220);
4221/**
4222 @brief Destroy System V semaphore label
4223 @param label The label to be destroyed
4224
4225 Destroy a System V semaphore label. Since the object is
4226 going out of scope, policy modules should free any internal storage
4227 associated with the label so that it may be destroyed.
4228*/
4229typedef void mpo_sysvsem_label_destroy_t(
4230 struct label *label
4231);
4232/**
4233 @brief Initialize System V semaphore label
4234 @param label New label to initialize
4235
4236 Initialize the label for a newly instantiated System V semaphore. Sleeping
4237 is permitted.
4238*/
4239typedef void mpo_sysvsem_label_init_t(
4240 struct label *label
4241);
4242/**
4243 @brief Clean up a System V semaphore label
4244 @param label The label to be cleaned
4245
4246 Clean up a System V semaphore label. Darwin pre-allocates
4247 semaphores at system boot time and re-uses them rather than
4248 allocating new ones. Before semaphores are returned to the "free
4249 pool", policies can cleanup or overwrite any information present in
4250 the label.
4251*/
4252typedef void mpo_sysvsem_label_recycle_t(
4253 struct label *label
4254);
4255/**
4256 @brief Access control check for mapping System V shared memory
4257 @param cred Subject credential
4258 @param shmsegptr Pointer to shared memory segment identifier
4259 @param shmseglabel Label associated with the shared memory segment
4260 @param shmflg shmat flags; see shmat(2)
4261
4262 Determine whether the subject identified by the credential can map
4263 the System V shared memory segment associated with shmsegptr.
4264
4265 @return Return 0 if access is granted, otherwise an appropriate value for
4266 errno should be returned.
4267*/
4268typedef int mpo_sysvshm_check_shmat_t(
4269 kauth_cred_t cred,
4270 struct shmid_kernel *shmsegptr,
4271 struct label *shmseglabel,
4272 int shmflg
4273);
4274/**
4275 @brief Access control check for System V shared memory control operation
4276 @param cred Subject credential
4277 @param shmsegptr Pointer to shared memory segment identifier
4278 @param shmseglabel Label associated with the shared memory segment
4279 @param cmd Control operation to be performed; see shmctl(2)
4280
4281 Determine whether the subject identified by the credential can perform
4282 the operation indicated by cmd on the System V shared memory segment
4283 shmsegptr.
4284
4285 @return Return 0 if access is granted, otherwise an appropriate value for
4286 errno should be returned.
4287*/
4288typedef int mpo_sysvshm_check_shmctl_t(
4289 kauth_cred_t cred,
4290 struct shmid_kernel *shmsegptr,
4291 struct label *shmseglabel,
4292 int cmd
4293);
4294/**
4295 @brief Access control check for unmapping System V shared memory
4296 @param cred Subject credential
4297 @param shmsegptr Pointer to shared memory segment identifier
4298 @param shmseglabel Label associated with the shared memory segment
4299
4300 Determine whether the subject identified by the credential can unmap
4301 the System V shared memory segment associated with shmsegptr.
4302
4303 @return Return 0 if access is granted, otherwise an appropriate value for
4304 errno should be returned.
4305*/
4306typedef int mpo_sysvshm_check_shmdt_t(
4307 kauth_cred_t cred,
4308 struct shmid_kernel *shmsegptr,
4309 struct label *shmseglabel
4310);
4311/**
4312 @brief Access control check obtaining System V shared memory identifier
4313 @param cred Subject credential
4314 @param shmsegptr Pointer to shared memory segment identifier
4315 @param shmseglabel Label associated with the shared memory segment
4316 @param shmflg shmget flags; see shmget(2)
4317
4318 Determine whether the subject identified by the credential can get
4319 the System V shared memory segment address.
4320
4321 @return Return 0 if access is granted, otherwise an appropriate value for
4322 errno should be returned.
4323*/
4324typedef int mpo_sysvshm_check_shmget_t(
4325 kauth_cred_t cred,
4326 struct shmid_kernel *shmsegptr,
4327 struct label *shmseglabel,
4328 int shmflg
4329);
4330/**
4331 @brief Create a System V shared memory region label
4332 @param cred Subject credential
4333 @param shmsegptr The shared memory region being created
4334 @param shmlabel Label to associate with the new shared memory region
4335
4336 Label a new System V shared memory region. The label was previously
4337 initialized and associated with the shared memory region. At this
4338 time, an appropriate initial label value should be assigned to the
4339 object and stored in shmlabel.
4340*/
4341typedef void mpo_sysvshm_label_associate_t(
4342 kauth_cred_t cred,
4343 struct shmid_kernel *shmsegptr,
4344 struct label *shmlabel
4345);
4346/**
4347 @brief Destroy System V shared memory label
4348 @param label The label to be destroyed
4349
4350 Destroy a System V shared memory region label. Since the
4351 object is going out of scope, policy modules should free any
4352 internal storage associated with the label so that it may be
4353 destroyed.
4354*/
4355typedef void mpo_sysvshm_label_destroy_t(
4356 struct label *label
4357);
4358/**
4359 @brief Initialize System V Shared Memory region label
4360 @param label New label to initialize
4361
4362 Initialize the label for a newly instantiated System V Shared Memory
4363 region. Sleeping is permitted.
4364*/
4365typedef void mpo_sysvshm_label_init_t(
4366 struct label *label
4367);
4368/**
4369 @brief Clean up a System V Share Memory Region label
4370 @param shmlabel The label to be cleaned
4371
4372 Clean up a System V Shared Memory Region label. Darwin
4373 pre-allocates these objects at system boot time and re-uses them
4374 rather than allocating new ones. Before the memory regions are
4375 returned to the "free pool", policies can cleanup or overwrite any
4376 information present in the label.
4377*/
4378typedef void mpo_sysvshm_label_recycle_t(
4379 struct label *shmlabel
4380);
4381/**
4382 @brief Access control check for getting a process's task name
4383 @param cred Subject credential
4384 @param proc Object process
4385
4386 Determine whether the subject identified by the credential can get
4387 the passed process's task name port.
4388 This call is used by the task_name_for_pid(2) API.
4389
4390 @return Return 0 if access is granted, otherwise an appropriate value for
4391 errno should be returned. Suggested failure: EACCES for label mismatch,
4392 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4393*/
4394typedef int mpo_proc_check_get_task_name_t(
4395 kauth_cred_t cred,
4396 struct proc *p
4397);
4398/**
4399 @brief Access control check for getting a process's task port
4400 @param cred Subject credential
4401 @param proc Object process
4402
4403 Determine whether the subject identified by the credential can get
4404 the passed process's task control port.
4405 This call is used by the task_for_pid(2) API.
4406
4407 @return Return 0 if access is granted, otherwise an appropriate value for
4408 errno should be returned. Suggested failure: EACCES for label mismatch,
4409 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4410*/
4411typedef int mpo_proc_check_get_task_t(
4412 kauth_cred_t cred,
4413 struct proc *p
4414);
593a1d5f
A		 4415
4416
4417/**
4418 @brief Access control check for manipulating a proc's vm_map
4419 @param cred Subject credential
4420 @param proc Object process
4421
4422 Determine whether the vm_map map belonging to process proc with
4423 credential cred allows the VM_PROT_COPY operation.
4424
4425 @return Return 0 if access is granted, otherwise an appropriate value for
4426 errno should be returned.
4427 */
4428typedef int mpo_proc_check_map_prot_copy_allow_t(
4429 kauth_cred_t cred,
4430 struct proc *p
4431);
4432
4433
2d21ac55
A		 4434/**
4435 @brief Assign a label to a new kernelspace Mach task
4436 @param kproc New task
4437 @param tasklabel Label for new task
4438 @param portlabel Label for new task port
4439 @see mpo_cred_label_associate_kernel_t
4440
4441 Assign labels to a new kernel task and its task port. Both the task and
4442 task port labels should be specified. Both new labels are initialized.
4443 If there is an associated BSD process structure, it will be labelled
4444 with calls to mpo_cred_label_associate_kernel.
4445*/
4446typedef void mpo_task_label_associate_kernel_t(
4447 struct task *kproc,
4448 struct label *tasklabel,
4449 struct label *portlabel
4450);
4451/**
4452 @brief Assign a label to a new (userspace) Mach task
4453 @param parent Parent task
4454 @param child New (child) task
4455 @param parentlabel Label of parent task
4456 @param childlabel Label for new task
4457 @param childportlabel Label for new task's task port
4458
4459 Assign labels to a new task and its task port. Both the task and task port
4460 labels should be specified. Both new labels are initialized. If the task
4461 will have an associated BSD process, that information will be made available
4462 by the task_label_update and port_label_update_cred entry points.
4463*/
4464typedef void mpo_task_label_associate_t(
4465 struct task *parent,
4466 struct task *child,
4467 struct label *parentlabel,
4468 struct label *childlabel,
4469 struct label *childportlabel
4470);
4471/**
4472 @brief Copy a Mach task label
4473 @param src Source task label
4474 @param dest Destination task label
4475
4476 Copy the Mach task label information from src to dest. This is used
4477 when duplicating label handles to implement copy-on-write semantics.
4478*/
4479typedef void mpo_task_label_copy_t(
4480 struct label *src,
4481 struct label *dest
4482);
4483/**
4484 @brief Destroy Mach task label
4485 @param label The label to be destroyed
4486
4487 Destroy a Mach task label. Since the object is going out of
4488 scope, policy modules should free any internal storage associated
4489 with the label so that it may be destroyed.
4490*/
4491typedef void mpo_task_label_destroy_t(
4492 struct label *label
4493);
4494/**
4495 @brief Externalize a task label
4496 @param label Label to be externalized
4497 @param element_name Name of the label namespace for which labels should be
4498 externalized
4499 @param sb String buffer to be filled with a text representation of the label
4500
4501 Produce an external representation of the label on a task. An
4502 externalized label consists of a text representation of the label
4503 contents that can be used with user applications. Policy-agnostic
4504 user space tools will display this externalized version.
4505
4506 @return 0 on success, return non-zero if an error occurs while
4507 externalizing the label data.
4508
4509*/
4510typedef int mpo_task_label_externalize_t(
4511 struct label *label,
4512 char *element_name,
4513 struct sbuf *sb
4514);
4515/**
4516 @brief Initialize Mach task label
4517 @param label New label to initialize
4518
4519 Initialize the label for a newly instantiated Mach task. Sleeping
4520 is permitted.
4521*/
4522typedef void mpo_task_label_init_t(
4523 struct label *label
4524);
4525/**
4526 @brief Internalize a task label
4527 @param label Label to be internalized
4528 @param element_name Name of the label namespace for which the label should
4529 be internalized
4530 @param element_data Text data to be internalized
4531
4532 Produce a task label from an external representation. An
4533 externalized label consists of a text representation of the label
4534 contents that can be used with user applications. Policy-agnostic
4535 user space tools will forward text version to the kernel for
4536 processing by individual policy modules.
4537
4538 The policy's internalize entry points will be called only if the
4539 policy has registered interest in the label namespace.
4540
4541 @return 0 on success, Otherwise, return non-zero if an error occurs
4542 while internalizing the label data.
4543
4544*/
4545typedef int mpo_task_label_internalize_t(
4546 struct label *label,
4547 char *element_name,
4548 char *element_data
4549);
4550/**
4551 @brief Update a Mach task label
4552 @param cred User credential label to be used as the source
4553 @param task Mach task label to be used as the destination
4554 @see mpo_cred_label_update_t
4555 @see mpo_cred_label_update_execve_t
4556
4557 Update the label on a Mach task, using the supplied user credential
4558 label. When a mac_cred_label_update_execve or a mac_cred_label_update operation
4559 causes the label on a user credential to change, the Mach task label
4560 also needs to be updated to reflect the change. Both labels are
4561 already valid (initialized and created).
4562
4563 @warning XXX We may change the name of this entry point in a future
4564 version of the MAC framework.
4565*/
4566typedef void mpo_task_label_update_t(
4567 struct label *cred,
4568 struct label *task
4569);
4570/**
4571 @brief Perform MAC-related events when a thread returns to user space
4572 @param code The number of the syscall/trap that has finished
4573 @param error The error code that will be returned to user space
4574 @param thread Mach (not BSD) thread that is returning
4575
4576 This entry point permits policy modules to perform MAC-related
4577 events when a thread returns to user space, via a system call
4578 return, trap return, or otherwise.
4579*/
4580typedef void mpo_thread_userret_t(
4581 int code,
4582 int error,
4583 struct thread *thread
4584);
4585/**
4586 @brief Check vnode access
4587 @param cred Subject credential
4588 @param vp Object vnode
4589 @param label Label for vp
4590 @param acc_mode access(2) flags
4591
4592 Determine how invocations of access(2) and related calls by the
4593 subject identified by the credential should return when performed
4594 on the passed vnode using the passed access flags. This should
4595 generally be implemented using the same semantics used in
4596 mpo_vnode_check_open.
4597
4598 @return Return 0 if access is granted, otherwise an appropriate value for
4599 errno should be returned. Suggested failure: EACCES for label mismatch or
4600 EPERM for lack of privilege.
4601*/
4602typedef int mpo_vnode_check_access_t(
4603 kauth_cred_t cred,
4604 struct vnode *vp,
4605 struct label *label,
4606 int acc_mode
4607);
4608/**
4609 @brief Access control check for changing working directory
4610 @param cred Subject credential
4611 @param dvp Object; vnode to chdir(2) into
4612 @param dlabel Policy label for dvp
4613
4614 Determine whether the subject identified by the credential can change
4615 the process working directory to the passed vnode.
4616
4617 @return Return 0 if access is granted, otherwise an appropriate value for
4618 errno should be returned. Suggested failure: EACCES for label mismatch or
4619 EPERM for lack of privilege.
4620*/
4621typedef int mpo_vnode_check_chdir_t(
4622 kauth_cred_t cred,
4623 struct vnode *dvp,
4624 struct label *dlabel
4625);
4626/**
4627 @brief Access control check for changing root directory
4628 @param cred Subject credential
4629 @param dvp Directory vnode
4630 @param dlabel Policy label associated with dvp
4631 @param cnp Component name for dvp
4632
4633 Determine whether the subject identified by the credential should be
4634 allowed to chroot(2) into the specified directory (dvp).
4635
4636 @return In the event of an error, an appropriate value for errno
4637 should be returned, otherwise return 0 upon success.
4638*/
4639typedef int mpo_vnode_check_chroot_t(
4640 kauth_cred_t cred,
4641 struct vnode *dvp,
4642 struct label *dlabel,
4643 struct componentname *cnp
4644);
4645/**
4646 @brief Access control check for creating vnode
4647 @param cred Subject credential
4648 @param dvp Directory vnode
4649 @param dlabel Policy label for dvp
4650 @param cnp Component name for dvp
4651 @param vap vnode attributes for vap
4652
4653 Determine whether the subject identified by the credential can create
4654 a vnode with the passed parent directory, passed name information,
4655 and passed attribute information. This call may be made in a number of
4656 situations, including as a result of calls to open(2) with O_CREAT,
4657 mknod(2), mkfifo(2), and others.
4658
4659 @return Return 0 if access is granted, otherwise an appropriate value for
4660 errno should be returned. Suggested failure: EACCES for label mismatch or
4661 EPERM for lack of privilege.
4662*/
4663typedef int mpo_vnode_check_create_t(
4664 kauth_cred_t cred,
4665 struct vnode *dvp,
4666 struct label *dlabel,
4667 struct componentname *cnp,
4668 struct vnode_attr *vap
4669);
4670/**
4671 @brief Access control check for deleting extended attribute
4672 @param cred Subject credential
4673 @param vp Object vnode
4674 @param vlabel Label associated with vp
4675 @param name Extended attribute name
4676
4677 Determine whether the subject identified by the credential can delete
4678 the extended attribute from the passed vnode.
4679
4680 @return Return 0 if access is granted, otherwise an appropriate value for
4681 errno should be returned. Suggested failure: EACCES for label mismatch or
4682 EPERM for lack of privilege.
4683*/
4684typedef int mpo_vnode_check_deleteextattr_t(
4685 kauth_cred_t cred,
4686 struct vnode *vp,
4687 struct label *vlabel,
4688 const char *name
4689);
4690/**
4691 @brief Access control check for exchanging file data
4692 @param cred Subject credential
4693 @param v1 vnode 1 to swap
4694 @param vl1 Policy label for v1
4695 @param v2 vnode 2 to swap
4696 @param vl2 Policy label for v2
4697
4698 Determine whether the subject identified by the credential can swap the data
4699 in the two supplied vnodes.
4700
4701 @return Return 0 if access is granted, otherwise an appropriate value for
4702 errno should be returned. Suggested failure: EACCES for label mismatch or
4703 EPERM for lack of privilege.
4704*/
4705typedef int mpo_vnode_check_exchangedata_t(
4706 kauth_cred_t cred,
4707 struct vnode *v1,
4708 struct label *vl1,
4709 struct vnode *v2,
4710 struct label *vl2
4711);
4712/**
4713 @brief Access control check for executing the vnode
4714 @param cred Subject credential
4715 @param vp Object vnode to execute
4716 @param label Policy label for vp
4717 @param execlabel Userspace provided execution label
4718 @param cnp Component name for file being executed
4719
4720 Determine whether the subject identified by the credential can execute
4721 the passed vnode. Determination of execute privilege is made separately
4722 from decisions about any process label transitioning event.
4723
4724 The final label, execlabel, corresponds to a label supplied by a
4725 user space application through the use of the mac_execve system call.
4726 This label will be NULL if the user application uses the the vendor
4727 execve(2) call instead of the MAC Framework mac_execve() call.
4728
4729 @return Return 0 if access is granted, otherwise an appropriate value for
4730 errno should be returned. Suggested failure: EACCES for label mismatch or
4731 EPERM for lack of privilege.
4732*/
4733typedef int mpo_vnode_check_exec_t(
4734 kauth_cred_t cred,
4735 struct vnode *vp,
4736 struct label *label,
4737 struct label *execlabel, /* NULLOK */
4738 struct componentname *cnp,
4739 u_int *csflags
4740);
593a1d5f
A		 4741/**
4742 @brief Access control check after determining the code directory hash
4743 */
4744typedef int mpo_vnode_check_signature_t(struct vnode *vp, struct label *label,
4745 unsigned char *sha1, void *signature,
4746 int size);
4747
2d21ac55
A		 4748/**
4749 @brief Access control check for retrieving file attributes
4750 @param cred Subject credential
4751 @param vp Object vnode
4752 @param vlabel Policy label for vp
4753 @param alist List of attributes to retrieve
4754
4755 Determine whether the subject identified by the credential can read
4756 various attributes of the specified vnode, or the filesystem or volume on
4757 which that vnode resides. See <sys/attr.h> for definitions of the
4758 attributes.
4759
4760 @return Return 0 if access is granted, otherwise an appropriate value for
4761 errno should be returned. Suggested failure: EACCES for label mismatch or
4762 EPERM for lack of privilege. Access control covers all attributes requested
4763 with this call; the security policy is not permitted to change the set of
4764 attributes requested.
4765*/
4766typedef int mpo_vnode_check_getattrlist_t(
4767 kauth_cred_t cred,
4768 struct vnode *vp,
4769 struct label *vlabel,
4770 struct attrlist *alist
4771);
4772/**
4773 @brief Access control check for retrieving an extended attribute
4774 @param cred Subject credential
4775 @param vp Object vnode
4776 @param label Policy label for vp
4777 @param name Extended attribute name
4778 @param uio I/O structure pointer
4779
4780 Determine whether the subject identified by the credential can retrieve
4781 the extended attribute from the passed vnode. The uio parameter
4782 will be NULL when the getxattr(2) call has been made with a NULL data
4783 value; this is done to request the size of the data only.
4784
4785 @return Return 0 if access is granted, otherwise an appropriate value for
4786 errno should be returned. Suggested failure: EACCES for label mismatch or
4787 EPERM for lack of privilege.
4788*/
4789typedef int mpo_vnode_check_getextattr_t(
4790 kauth_cred_t cred,
4791 struct vnode *vp,
4792 struct label *label, /* NULLOK */
4793 const char *name,
4794 struct uio *uio /* NULLOK */
4795);
4796/**
4797 @brief Access control check for ioctl
4798 @param cred Subject credential
4799 @param vp Object vnode
4800 @param label Policy label for vp
4801 @param com Device-dependent request code; see ioctl(2)
4802
4803 Determine whether the subject identified by the credential can perform
4804 the ioctl operation indicated by com.
4805
4806 @warning Since ioctl data is opaque from the standpoint of the MAC
4807 framework, and since ioctls can affect many aspects of system
4808 operation, policies must exercise extreme care when implementing
4809 access control checks.
4810
4811 @return Return 0 if access is granted, otherwise an appropriate value for
4812 errno should be returned.
4813*/
4814typedef int mpo_vnode_check_ioctl_t(
4815 kauth_cred_t cred,
4816 struct vnode *vp,
4817 struct label *label,
4818 unsigned int cmd
4819);
4820/**
4821 @brief Access control check for vnode kqfilter
4822 @param cred Subject credential
4823 @param kn Object knote
4824 @param vp Object vnode
4825 @param label Policy label for vp
4826
4827 Determine whether the subject identified by the credential can
4828 receive the knote on the passed vnode.
4829
4830 @return Return 0 if access if granted, otherwise an appropriate
4831 value for errno should be returned.
4832*/
4833typedef int mpo_vnode_check_kqfilter_t(
4834 kauth_cred_t active_cred,
4835 kauth_cred_t file_cred, /* NULLOK */
4836 struct knote *kn,
4837 struct vnode *vp,
4838 struct label *label
4839);
4840/**
4841 @brief Access control check for relabel
4842 @param cred Subject credential
4843 @param vp Object vnode
4844 @param vnodelabel Existing policy label for vp
4845 @param newlabel Policy label update to later be applied to vp
4846 @see mpo_relable_vnode_t
4847
4848 Determine whether the subject identified by the credential can relabel
4849 the passed vnode to the passed label update. If all policies permit
4850 the label change, the actual relabel entry point (mpo_vnode_label_update)
4851 will follow.
4852
4853 @return Return 0 if access is granted, otherwise an appropriate value for
4854 errno should be returned.
4855*/
4856typedef int mpo_vnode_check_label_update_t(
4857 struct ucred *cred,
4858 struct vnode *vp,
4859 struct label *vnodelabel,
4860 struct label *newlabel
4861);
4862/**
4863 @brief Access control check for creating link
4864 @param cred Subject credential
4865 @param dvp Directory vnode
4866 @param dlabel Policy label associated with dvp
4867 @param vp Link destination vnode
4868 @param label Policy label associated with vp
4869 @param cnp Component name for the link being created
4870
4871 Determine whether the subject identified by the credential should be
4872 allowed to create a link to the vnode vp with the name specified by cnp.
4873
4874 @return Return 0 if access is granted, otherwise an appropriate value for
4875 errno should be returned.
4876*/
4877typedef int mpo_vnode_check_link_t(
4878 kauth_cred_t cred,
4879 struct vnode *dvp,
4880 struct label *dlabel,
4881 struct vnode *vp,
4882 struct label *label,
4883 struct componentname *cnp
4884);
4885/**
4886 @brief Access control check for listing extended attributes
4887 @param cred Subject credential
4888 @param vp Object vnode
4889 @param vlabel Policy label associated with vp
4890
4891 Determine whether the subject identified by the credential can retrieve
4892 a list of named extended attributes from a vnode.
4893
4894 @return Return 0 if access is granted, otherwise an appropriate value for
4895 errno should be returned.
4896*/
4897typedef int mpo_vnode_check_listextattr_t(
4898 kauth_cred_t cred,
4899 struct vnode *vp,
4900 struct label *vlabel
4901);
4902/**
4903 @brief Access control check for lookup
4904 @param cred Subject credential
4905 @param dvp Object vnode
4906 @param dlabel Policy label for dvp
4907 @param cnp Component name being looked up
4908
4909 Determine whether the subject identified by the credential can perform
4910 a lookup in the passed directory vnode for the passed name (cnp).
4911
4912 @return Return 0 if access is granted, otherwise an appropriate value for
4913 errno should be returned. Suggested failure: EACCES for label mismatch or
4914 EPERM for lack of privilege.
4915*/
4916typedef int mpo_vnode_check_lookup_t(
4917 kauth_cred_t cred,
4918 struct vnode *dvp,
4919 struct label *dlabel,
4920 struct componentname *cnp
4921);
4922/**
4923 @brief Access control check for open
4924 @param cred Subject credential
4925 @param vp Object vnode
4926 @param label Policy label associated with vp
4927 @param acc_mode open(2) access mode
4928
4929 Determine whether the subject identified by the credential can perform
4930 an open operation on the passed vnode with the passed access mode.
4931
4932 @return Return 0 if access is granted, otherwise an appropriate value for
4933 errno should be returned. Suggested failure: EACCES for label mismatch or
4934 EPERM for lack of privilege.
4935*/
4936typedef int mpo_vnode_check_open_t(
4937 kauth_cred_t cred,
4938 struct vnode *vp,
4939 struct label *label,
4940 int acc_mode
4941);
4942/**
4943 @brief Access control check for read
4944 @param active_cred Subject credential
4945 @param file_cred Credential associated with the struct fileproc
4946 @param vp Object vnode
4947 @param label Policy label for vp
4948
4949 Determine whether the subject identified by the credential can perform
4950 a read operation on the passed vnode. The active_cred hold the credentials
4951 of the subject performing the operation, and file_cred holds the
4952 credentials of the subject that originally opened the file.
4953
4954 @return Return 0 if access is granted, otherwise an appropriate value for
4955 errno should be returned. Suggested failure: EACCES for label mismatch or
4956 EPERM for lack of privilege.
4957*/
4958typedef int mpo_vnode_check_read_t(
4959 kauth_cred_t active_cred, /* SUBJECT */
4960 kauth_cred_t file_cred, /* NULLOK */
4961 struct vnode *vp, /* OBJECT */
4962 struct label *label /* LABEL */
4963);
4964/**
4965 @brief Access control check for read directory
4966 @param cred Subject credential
4967 @param dvp Object directory vnode
4968 @param dlabel Policy label for dvp
4969
4970 Determine whether the subject identified by the credential can
4971 perform a readdir operation on the passed directory vnode.
4972
4973 @return Return 0 if access is granted, otherwise an appropriate value for
4974 errno should be returned. Suggested failure: EACCES for label mismatch or
4975 EPERM for lack of privilege.
4976*/
4977typedef int mpo_vnode_check_readdir_t(
4978 kauth_cred_t cred, /* SUBJECT */
4979 struct vnode *dvp, /* OBJECT */
4980 struct label *dlabel /* LABEL */
4981);
4982/**
4983 @brief Access control check for read link
4984 @param cred Subject credential
4985 @param vp Object vnode
4986 @param label Policy label for vp
4987
4988 Determine whether the subject identified by the credential can perform
4989 a readlink operation on the passed symlink vnode. This call can be made
4990 in a number of situations, including an explicit readlink call by the
4991 user process, or as a result of an implicit readlink during a name
4992 lookup by the process.
4993
4994 @return Return 0 if access is granted, otherwise an appropriate value for
4995 errno should be returned. Suggested failure: EACCES for label mismatch or
4996 EPERM for lack of privilege.
4997*/
4998typedef int mpo_vnode_check_readlink_t(
4999 kauth_cred_t cred,
5000 struct vnode *vp,
5001 struct label *label
5002);
5003/**
5004 @brief Access control check for rename from
5005 @param cred Subject credential
5006 @param dvp Directory vnode
5007 @param dlabel Policy label associated with dvp
5008 @param vp vnode to be renamed
5009 @param label Policy label associated with vp
5010 @param cnp Component name for vp
5011 @see mpo_vnode_check_rename_to_t
5012
5013 Determine whether the subject identified by the credential should be
5014 allowed to rename the vnode vp to something else.
5015
5016 Due to VFS locking constraints (to make sure proper vnode locks are
5017 held during this entry point), the vnode relabel checks had to be
5018 split into two parts: relabel_from and relabel to.
5019
5020 @return Return 0 if access is granted, otherwise an appropriate value for
5021 errno should be returned.
5022*/
5023typedef int mpo_vnode_check_rename_from_t(
5024 kauth_cred_t cred,
5025 struct vnode *dvp,
5026 struct label *dlabel,
5027 struct vnode *vp,
5028 struct label *label,
5029 struct componentname *cnp
5030);
5031/**
5032 @brief Access control check for rename to
5033 @param cred Subject credential
5034 @param dvp Directory vnode
5035 @param dlabel Policy label associated with dvp
5036 @param vp Overwritten vnode
5037 @param label Policy label associated with vp
5038 @param samedir Boolean; 1 if the source and destination directories are the same
5039 @param cnp Destination component name
5040 @see mpo_vnode_check_rename_from_t
5041
5042 Determine whether the subject identified by the credential should be
5043 allowed to rename to the vnode vp, into the directory dvp, or to the
5044 name represented by cnp. If there is no existing file to overwrite,
5045 vp and label will be NULL.
5046
5047 Due to VFS locking constraints (to make sure proper vnode locks are
5048 held during this entry point), the vnode relabel checks had to be
5049 split into two parts: relabel_from and relabel to.
5050
5051 @return Return 0 if access is granted, otherwise an appropriate value for
5052 errno should be returned.
5053*/
5054typedef int mpo_vnode_check_rename_to_t(
5055 kauth_cred_t cred,
5056 struct vnode *dvp,
5057 struct label *dlabel,
5058 struct vnode *vp, /* NULLOK */
5059 struct label *label, /* NULLOK */
5060 int samedir,
5061 struct componentname *cnp
5062);
5063/**
5064 @brief Access control check for revoke
5065 @param cred Subject credential
5066 @param vp Object vnode
5067 @param label Policy label for vp
5068
5069 Determine whether the subject identified by the credential can revoke
5070 access to the passed vnode.
5071
5072 @return Return 0 if access is granted, otherwise an appropriate value for
5073 errno should be returned. Suggested failure: EACCES for label mismatch or
5074 EPERM for lack of privilege.
5075*/
5076typedef int mpo_vnode_check_revoke_t(
5077 kauth_cred_t cred,
5078 struct vnode *vp,
5079 struct label *label
5080);
5081/**
5082 @brief Access control check for select
5083 @param cred Subject credential
5084 @param vp Object vnode
5085 @param label Policy label for vp
5086 @param which The operation selected on: FREAD or FWRITE
5087
5088 Determine whether the subject identified by the credential can select
5089 the vnode.
5090
5091 @return Return 0 if access is granted, otherwise an appropriate value for
5092 errno should be returned.
5093*/
5094typedef int mpo_vnode_check_select_t(
5095 kauth_cred_t cred,
5096 struct vnode *vp,
5097 struct label *label,
5098 int which
5099);
5100/**
5101 @brief Access control check for setting file attributes
5102 @param cred Subject credential
5103 @param vp Object vnode
5104 @param vlabel Policy label for vp
5105 @param alist List of attributes to set
5106
5107 Determine whether the subject identified by the credential can set
5108 various attributes of the specified vnode, or the filesystem or volume on
5109 which that vnode resides. See <sys/attr.h> for definitions of the
5110 attributes.
5111
5112 @return Return 0 if access is granted, otherwise an appropriate value for
5113 errno should be returned. Suggested failure: EACCES for label mismatch or
5114 EPERM for lack of privilege. Access control covers all attributes requested
5115 with this call.
5116*/
5117typedef int mpo_vnode_check_setattrlist_t(
5118 kauth_cred_t cred,
5119 struct vnode *vp,
5120 struct label *vlabel,
5121 struct attrlist *alist
5122);
5123/**
5124 @brief Access control check for setting extended attribute
5125 @param cred Subject credential
5126 @param vp Object vnode
5127 @param label Policy label for vp
5128 @param name Extended attribute name
5129 @param uio I/O structure pointer
5130
5131 Determine whether the subject identified by the credential can set the
5132 extended attribute of passed name and passed namespace on the passed
5133 vnode. Policies implementing security labels backed into extended
5134 attributes may want to provide additional protections for those
5135 attributes. Additionally, policies should avoid making decisions based
5136 on the data referenced from uio, as there is a potential race condition
5137 between this check and the actual operation. The uio may also be NULL
5138 if a delete operation is being performed.
5139
5140 @return Return 0 if access is granted, otherwise an appropriate value for
5141 errno should be returned. Suggested failure: EACCES for label mismatch or
5142 EPERM for lack of privilege.
5143*/
5144typedef int mpo_vnode_check_setextattr_t(
5145 kauth_cred_t cred,
5146 struct vnode *vp,
5147 struct label *label,
5148 const char *name,
5149 struct uio *uio
5150);
5151/**
5152 @brief Access control check for setting flags
5153 @param cred Subject credential
5154 @param vp Object vnode
5155 @param label Policy label for vp
5156 @param flags File flags; see chflags(2)
5157
5158 Determine whether the subject identified by the credential can set
5159 the passed flags on the passed vnode.
5160
5161 @return Return 0 if access is granted, otherwise an appropriate value for
5162 errno should be returned. Suggested failure: EACCES for label mismatch or
5163 EPERM for lack of privilege.
5164*/
5165typedef int mpo_vnode_check_setflags_t(
5166 kauth_cred_t cred,
5167 struct vnode *vp,
5168 struct label *label,
5169 u_long flags
5170);
5171/**
5172 @brief Access control check for setting mode
5173 @param cred Subject credential
5174 @param vp Object vnode
5175 @param label Policy label for vp
5176 @param mode File mode; see chmod(2)
5177
5178 Determine whether the subject identified by the credential can set
5179 the passed mode on the passed vnode.
5180
5181 @return Return 0 if access is granted, otherwise an appropriate value for
5182 errno should be returned. Suggested failure: EACCES for label mismatch or
5183 EPERM for lack of privilege.
5184*/
5185typedef int mpo_vnode_check_setmode_t(
5186 kauth_cred_t cred,
5187 struct vnode *vp,
5188 struct label *label,
5189 mode_t mode
5190);
5191/**
5192 @brief Access control check for setting uid and gid
5193 @param cred Subject credential
5194 @param vp Object vnode
5195 @param label Policy label for vp
5196 @param uid User ID
5197 @param gid Group ID
5198
5199 Determine whether the subject identified by the credential can set
5200 the passed uid and passed gid as file uid and file gid on the passed
5201 vnode. The IDs may be set to (-1) to request no update.
5202
5203 @return Return 0 if access is granted, otherwise an appropriate value for
5204 errno should be returned. Suggested failure: EACCES for label mismatch or
5205 EPERM for lack of privilege.
5206*/
5207typedef int mpo_vnode_check_setowner_t(
5208 kauth_cred_t cred,
5209 struct vnode *vp,
5210 struct label *label,
5211 uid_t uid,
5212 gid_t gid
5213);
5214/**
5215 @brief Access control check for setting timestamps
5216 @param cred Subject credential
5217 @param vp Object vnode
5218 @param label Policy label for vp
5219 @param atime Access time; see utimes(2)
5220 @param mtime Modification time; see utimes(2)
5221
5222 Determine whether the subject identified by the credential can set
5223 the passed access timestamps on the passed vnode.
5224
5225 @return Return 0 if access is granted, otherwise an appropriate value for
5226 errno should be returned. Suggested failure: EACCES for label mismatch or
5227 EPERM for lack of privilege.
5228*/
5229typedef int mpo_vnode_check_setutimes_t(
5230 kauth_cred_t cred,
5231 struct vnode *vp,
5232 struct label *label,
5233 struct timespec atime,
5234 struct timespec mtime
5235);
5236/**
5237 @brief Access control check for stat
5238 @param active_cred Subject credential
5239 @param file_cred Credential associated with the struct fileproc
5240 @param vp Object vnode
5241 @param label Policy label for vp
5242
5243 Determine whether the subject identified by the credential can stat
5244 the passed vnode. See stat(2) for more information. The active_cred
5245 hold the credentials of the subject performing the operation, and
5246 file_cred holds the credentials of the subject that originally
5247 opened the file.
5248
5249 @return Return 0 if access is granted, otherwise an appropriate value for
5250 errno should be returned. Suggested failure: EACCES for label mismatch or
5251 EPERM for lack of privilege.
5252*/
5253typedef int mpo_vnode_check_stat_t(
5254 struct ucred *active_cred,
5255 struct ucred *file_cred, /* NULLOK */
5256 struct vnode *vp,
5257 struct label *label
5258);
5259/**
5260 @brief Access control check for truncate/ftruncate
5261 @param active_cred Subject credential
5262 @param file_cred Credential associated with the struct fileproc
5263 @param vp Object vnode
5264 @param label Policy label for vp
5265
5266 Determine whether the subject identified by the credential can
5267 perform a truncate operation on the passed vnode. The active_cred hold
5268 the credentials of the subject performing the operation, and
5269 file_cred holds the credentials of the subject that originally
5270 opened the file.
5271
5272 @return Return 0 if access is granted, otherwise an appropriate value for
5273 errno should be returned. Suggested failure: EACCES for label mismatch or
5274 EPERM for lack of privilege.
5275*/
5276typedef int mpo_vnode_check_truncate_t(
5277 kauth_cred_t active_cred,
5278 kauth_cred_t file_cred, /* NULLOK */
5279 struct vnode *vp,
5280 struct label *label
5281);
5282/**
5283 @brief Access control check for deleting vnode
5284 @param cred Subject credential
5285 @param dvp Parent directory vnode
5286 @param dlabel Policy label for dvp
5287 @param vp Object vnode to delete
5288 @param label Policy label for vp
5289 @param cnp Component name for vp
5290 @see mpo_check_rename_to_t
5291
5292 Determine whether the subject identified by the credential can delete
5293 a vnode from the passed parent directory and passed name information.
5294 This call may be made in a number of situations, including as a
5295 results of calls to unlink(2) and rmdir(2). Policies implementing
5296 this entry point should also implement mpo_check_rename_to to
5297 authorize deletion of objects as a result of being the target of a rename.
5298
5299 @return Return 0 if access is granted, otherwise an appropriate value for
5300 errno should be returned. Suggested failure: EACCES for label mismatch or
5301 EPERM for lack of privilege.
5302*/
5303typedef int mpo_vnode_check_unlink_t(
5304 kauth_cred_t cred,
5305 struct vnode *dvp,
5306 struct label *dlabel,
5307 struct vnode *vp,
5308 struct label *label,
5309 struct componentname *cnp
5310);
5311/**
5312 @brief Access control check for write
5313 @param active_cred Subject credential
5314 @param file_cred Credential associated with the struct fileproc
5315 @param vp Object vnode
5316 @param label Policy label for vp
5317
5318 Determine whether the subject identified by the credential can
5319 perform a write operation on the passed vnode. The active_cred hold
5320 the credentials of the subject performing the operation, and
5321 file_cred holds the credentials of the subject that originally
5322 opened the file.
5323
5324 @return Return 0 if access is granted, otherwise an appropriate value for
5325 errno should be returned. Suggested failure: EACCES for label mismatch or
5326 EPERM for lack of privilege.
5327*/
5328typedef int mpo_vnode_check_write_t(
5329 kauth_cred_t active_cred,
5330 kauth_cred_t file_cred, /* NULLOK */
5331 struct vnode *vp,
5332 struct label *label
5333);
5334/**
5335 @brief Associate a vnode with a devfs entry
5336 @param mp Devfs mount point
5337 @param mntlabel Devfs mount point label
5338 @param de Devfs directory entry
5339 @param delabel Label associated with de
5340 @param vp vnode associated with de
5341 @param vlabel Label associated with vp
5342
5343 Fill in the label (vlabel) for a newly created devfs vnode. The
5344 label is typically derived from the label on the devfs directory
5345 entry or the label on the filesystem, supplied as parameters.
5346*/
5347typedef void mpo_vnode_label_associate_devfs_t(
5348 struct mount *mp,
5349 struct label *mntlabel,
5350 struct devnode *de,
5351 struct label *delabel,
5352 struct vnode *vp,
5353 struct label *vlabel
5354);
5355/**
5356 @brief Associate a label with a vnode
5357 @param mp File system mount point
5358 @param mntlabel File system mount point label
5359 @param vp Vnode to label
5360 @param vlabel Label associated with vp
5361
5362 Attempt to retrieve label information for the vnode, vp, from the
5363 file system extended attribute store. The label should be stored in
5364 the supplied vlabel parameter. If a policy cannot retrieve an
5365 extended attribute, sometimes it is acceptible to fallback to using
5366 the mntlabel.
5367
5368 If the policy requires vnodes to have a valid label elsewhere it
5369 MUST NOT return other than temporary errors, and must always provide
5370 a valid label of some sort. Returning an error will cause vnode
5371 labeling to be retried at a later access. Failure to handle policy
5372 centric errors internally (corrupt labels etc.) will result in
5373 inaccessible files.
5374
5375 @return In the event of an error, an appropriate value for errno
5376 should be returned, otherwise return 0 upon success.
5377*/
5378typedef int mpo_vnode_label_associate_extattr_t(
5379 struct mount *mp,
5380 struct label *mntlabel,
5381 struct vnode *vp,
5382 struct label *vlabel
5383);
5384/**
5385 @brief Associate a file label with a vnode
5386 @param cred User credential
5387 @param mp Fdesc mount point
5388 @param mntlabel Fdesc mount point label
5389 @param fg Fileglob structure
5390 @param label Policy label for fg
5391 @param vp Vnode to label
5392 @param vlabel Label associated with vp
5393
5394 Associate label information for the vnode, vp, with the label of
5395 the open file descriptor described by fg.
5396 The label should be stored in the supplied vlabel parameter.
5397*/
5398typedef void mpo_vnode_label_associate_file_t(
5399 struct ucred *cred,
5400 struct mount *mp,
5401 struct label *mntlabel,
5402 struct fileglob *fg,
5403 struct label *label,
5404 struct vnode *vp,
5405 struct label *vlabel
5406);
5407/**
5408 @brief Associate a pipe label with a vnode
5409 @param cred User credential for the process that opened the pipe
5410 @param cpipe Pipe structure
5411 @param pipelabel Label associated with pipe
5412 @param vp Vnode to label
5413 @param vlabel Label associated with vp
5414
5415 Associate label information for the vnode, vp, with the label of
5416 the pipe described by the pipe structure cpipe.
5417 The label should be stored in the supplied vlabel parameter.
5418*/
5419typedef void mpo_vnode_label_associate_pipe_t(
5420 struct ucred *cred,
5421 struct pipe *cpipe,
5422 struct label *pipelabel,
5423 struct vnode *vp,
5424 struct label *vlabel
5425);
5426/**
5427 @brief Associate a POSIX semaphore label with a vnode
5428 @param cred User credential for the process that create psem
5429 @param psem POSIX semaphore structure
5430 @param psemlabel Label associated with psem
5431 @param vp Vnode to label
5432 @param vlabel Label associated with vp
5433
5434 Associate label information for the vnode, vp, with the label of
5435 the POSIX semaphore described by psem.
5436 The label should be stored in the supplied vlabel parameter.
5437*/
5438typedef void mpo_vnode_label_associate_posixsem_t(
5439 struct ucred *cred,
5440 struct pseminfo *psem,
5441 struct label *psemlabel,
5442 struct vnode *vp,
5443 struct label *vlabel
5444);
5445/**
5446 @brief Associate a POSIX shared memory label with a vnode
5447 @param cred User credential for the process that created pshm
5448 @param pshm POSIX shared memory structure
5449 @param pshmlabel Label associated with pshm
5450 @param vp Vnode to label
5451 @param vlabel Label associated with vp
5452
5453 Associate label information for the vnode, vp, with the label of
5454 the POSIX shared memory region described by pshm.
5455 The label should be stored in the supplied vlabel parameter.
5456*/
5457typedef void mpo_vnode_label_associate_posixshm_t(
5458 struct ucred *cred,
5459 struct pshminfo *pshm,
5460 struct label *pshmlabel,
5461 struct vnode *vp,
5462 struct label *vlabel
5463);
5464/**
5465 @brief Associate a label with a vnode
5466 @param mp File system mount point
5467 @param mntlabel File system mount point label
5468 @param vp Vnode to label
5469 @param vlabel Label associated with vp
5470
5471 On non-multilabel file systems, set the label for a vnode. The
5472 label will most likely be based on the file system label.
5473*/
5474typedef void mpo_vnode_label_associate_singlelabel_t(
5475 struct mount *mp,
5476 struct label *mntlabel,
5477 struct vnode *vp,
5478 struct label *vlabel
5479);
5480/**
5481 @brief Associate a socket label with a vnode
5482 @param cred User credential for the process that opened the socket
5483 @param so Socket structure
5484 @param solabel Label associated with so
5485 @param vp Vnode to label
5486 @param vlabel Label associated with vp
5487
5488 Associate label information for the vnode, vp, with the label of
5489 the open socket described by the socket structure so.
5490 The label should be stored in the supplied vlabel parameter.
5491*/
5492typedef void mpo_vnode_label_associate_socket_t(
5493 kauth_cred_t cred,
5494 socket_t so,
5495 struct label *solabel,
5496 struct vnode *vp,
5497 struct label *vlabel
5498);
5499/**
5500 @brief Copy a vnode label
5501 @param src Source vnode label
5502 @param dest Destination vnode label
5503
5504 Copy the vnode label information from src to dest. On Darwin, this
5505 is currently only necessary when executing interpreted scripts, but
5506 will later be used if vnode label externalization cannot be an
5507 atomic operation.
5508*/
5509typedef void mpo_vnode_label_copy_t(
5510 struct label *src,
5511 struct label *dest
5512);
5513/**
5514 @brief Destroy vnode label
5515 @param label The label to be destroyed
5516
5517 Destroy a vnode label. Since the object is going out of scope,
5518 policy modules should free any internal storage associated with the
5519 label so that it may be destroyed.
5520*/
5521typedef void mpo_vnode_label_destroy_t(
5522 struct label *label
5523);
5524/**
5525 @brief Externalize a vnode label for auditing
5526 @param label Label to be externalized
5527 @param element_name Name of the label namespace for which labels should be
5528 externalized
5529 @param sb String buffer to be filled with a text representation of the label
5530
5531 Produce an external representation of the label on a vnode suitable for
5532 inclusion in an audit record. An externalized label consists of a text
5533 representation of the label contents that will be added to the audit record
5534 as part of a text token. Policy-agnostic user space tools will display
5535 this externalized version.
5536
5537 @return 0 on success, return non-zero if an error occurs while
5538 externalizing the label data.
5539
5540*/
5541typedef int mpo_vnode_label_externalize_audit_t(
5542 struct label *label,
5543 char *element_name,
5544 struct sbuf *sb
5545);
5546/**
5547 @brief Externalize a vnode label
5548 @param label Label to be externalized
5549 @param element_name Name of the label namespace for which labels should be
5550 externalized
5551 @param sb String buffer to be filled with a text representation of the label
5552
5553 Produce an external representation of the label on a vnode. An
5554 externalized label consists of a text representation of the label
5555 contents that can be used with user applications. Policy-agnostic
5556 user space tools will display this externalized version.
5557
5558 @return 0 on success, return non-zero if an error occurs while
5559 externalizing the label data.
5560
5561*/
5562typedef int mpo_vnode_label_externalize_t(
5563 struct label *label,
5564 char *element_name,
5565 struct sbuf *sb
5566);
5567/**
5568 @brief Initialize vnode label
5569 @param label New label to initialize
5570
5571 Initialize label storage for use with a newly instantiated vnode, or
5572 for temporary storage associated with the copying in or out of a
5573 vnode label. While it is necessary to allocate space for a
5574 kernel-resident vnode label, it is not yet necessary to link this vnode
5575 with persistent label storage facilities, such as extended attributes.
5576 Sleeping is permitted.
5577*/
5578typedef void mpo_vnode_label_init_t(
5579 struct label *label
5580);
5581/**
5582 @brief Internalize a vnode label
5583 @param label Label to be internalized
5584 @param element_name Name of the label namespace for which the label should
5585 be internalized
5586 @param element_data Text data to be internalized
5587
5588 Produce a vnode label from an external representation. An
5589 externalized label consists of a text representation of the label
5590 contents that can be used with user applications. Policy-agnostic
5591 user space tools will forward text version to the kernel for
5592 processing by individual policy modules.
5593
5594 The policy's internalize entry points will be called only if the
5595 policy has registered interest in the label namespace.
5596
5597 @return 0 on success, Otherwise, return non-zero if an error occurs
5598 while internalizing the label data.
5599*/
5600typedef int mpo_vnode_label_internalize_t(
5601 struct label *label,
5602 char *element_name,
5603 char *element_data
5604);
5605/**
5606 @brief Clean up a vnode label
5607 @param label The label to be cleaned for re-use
5608
5609 Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but
5610 typically never frees them. Before vnodes are placed back on free lists for
5611 re-use, policies can cleanup or overwrite any information present in the label.
5612*/
5613typedef void mpo_vnode_label_recycle_t(
5614 struct label *label
5615);
5616/**
5617 @brief Write a label to a extended attribute
5618 @param cred Subject credential
5619 @param vp The vnode for which the label is being stored
5620 @param vlabel Label associated with vp
5621 @param intlabel The new label to store
5622
5623 Store a new label in the extended attribute corresponding to the
5624 supplied vnode. The policy has already authorized the operation;
5625 this call must be implemented in order to perform the actual
5626 operation.
5627
5628 @return In the event of an error, an appropriate value for errno
5629 should be returned, otherwise return 0 upon success.
5630
5631 @warning XXX After examining the extended attribute implementation on
5632 Apple's future release, this entry point may be changed.
5633*/
5634typedef int mpo_vnode_label_store_t(
5635 kauth_cred_t cred,
5636 struct vnode *vp,
5637 struct label *vlabel,
5638 struct label *intlabel
5639);
5640/**
5641 @brief Update vnode label from extended attributes
5642 @param mp File system mount point
5643 @param mntlabel Mount point label
5644 @param vp Vnode to label
5645 @param vlabel Label associated with vp
5646 @param name Name of the xattr
5647 @see mpo_vnode_check_setextattr_t
5648
5649 When an extended attribute is updated via the Vendor attribute management
5650 functions, the MAC vnode label might also require an update.
5651 Policies should first determine if 'name' matches their xattr label
5652 name. If it does, the kernel is has either replaced or removed the
5653 named extended attribute that was previously associated with the
5654 vnode. Normally labels should only be modified via MAC Framework label
5655 management calls, but sometimes the user space components will directly
5656 modify extended attributes. For example, 'cp', 'tar', etc. manage
5657 extended attributes in userspace, not the kernel.
5658
5659 This entry point is called after the label update has occurred, so
5660 it cannot return a failure. However, the operation is preceded by
5661 the mpo_vnode_check_setextattr() access control check.
5662
5663 If the vnode label needs to be updated the policy should return
5664 a non-zero value. The vnode label will be marked for re-association
5665 by the framework.
5666*/
5667typedef int mpo_vnode_label_update_extattr_t(
5668 struct mount *mp,
5669 struct label *mntlabel,
5670 struct vnode *vp,
5671 struct label *vlabel,
5672 const char *name
5673);
5674/**
5675 @brief Update a vnode label
5676 @param cred Subject credential
5677 @param vp The vnode to relabel
5678 @param vnodelabel Existing vnode label
5679 @param label New label to replace existing label
5680 @see mpo_vnode_check_label_update_t
5681
5682 The subject identified by the credential has previously requested
5683 and was authorized to relabel the vnode; this entry point allows
5684 policies to perform the actual relabel operation. Policies should
5685 update vnodelabel using the label stored in the label parameter.
5686*/
5687typedef void mpo_vnode_label_update_t(
5688 kauth_cred_t cred,
5689 struct vnode *vp,
5690 struct label *vnodelabel,
5691 struct label *label
5692);
5693/**
5694 @brief Create a new vnode, backed by extended attributes
5695 @param cred User credential for the creating process
5696 @param mp File system mount point
5697 @param mntlabel File system mount point label
5698 @param dvp Parent directory vnode
5699 @param dlabel Parent directory vnode label
5700 @param vp Newly created vnode
5701 @param vlabel Label to associate with the new vnode
5702 @param cnp Component name for vp
5703
5704 Write out the label for the newly created vnode, most likely storing
5705 the results in a file system extended attribute. Most policies will
5706 derive the new vnode label using information from a combination
5707 of the subject (user) credential, the file system label, the parent
5708 directory label, and potentially the path name component.
5709
5710 @return If the operation succeeds, store the new label in vlabel and
5711 return 0. Otherwise, return an appropriate errno value.
5712*/
5713typedef int mpo_vnode_notify_create_t(
5714 kauth_cred_t cred,
5715 struct mount *mp,
5716 struct label *mntlabel,
5717 struct vnode *dvp,
5718 struct label *dlabel,
5719 struct vnode *vp,
5720 struct label *vlabel,
5721 struct componentname *cnp
5722);
5723
5724/*
5725 * Placeholder for future events that may need mac hooks.
5726 */
5727typedef void mpo_reserved_hook_t(void);
5728
5729/*!
5730 \struct mac_policy_ops
5731*/
5732struct mac_policy_ops {
5733 mpo_audit_check_postselect_t *mpo_audit_check_postselect;
5734 mpo_audit_check_preselect_t *mpo_audit_check_preselect;
5735 mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
5736 mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
5737 mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init;
5738 mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive;
5739 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
5740 mpo_cred_check_label_update_t *mpo_cred_check_label_update;
5741 mpo_cred_check_visible_t *mpo_cred_check_visible;
5742 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork;
5743 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel;
5744 mpo_cred_label_associate_t *mpo_cred_label_associate;
5745 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user;
5746 mpo_cred_label_destroy_t *mpo_cred_label_destroy;
5747 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit;
5748 mpo_cred_label_externalize_t *mpo_cred_label_externalize;
5749 mpo_cred_label_init_t *mpo_cred_label_init;
5750 mpo_cred_label_internalize_t *mpo_cred_label_internalize;
5751 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve;
5752 mpo_cred_label_update_t *mpo_cred_label_update;
5753 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device;
5754 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory;
5755 mpo_devfs_label_copy_t *mpo_devfs_label_copy;
5756 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy;
5757 mpo_devfs_label_init_t *mpo_devfs_label_init;
5758 mpo_devfs_label_update_t *mpo_devfs_label_update;
5759 mpo_file_check_change_offset_t *mpo_file_check_change_offset;
5760 mpo_file_check_create_t *mpo_file_check_create;
5761 mpo_file_check_dup_t *mpo_file_check_dup;
5762 mpo_file_check_fcntl_t *mpo_file_check_fcntl;
5763 mpo_file_check_get_offset_t *mpo_file_check_get_offset;
5764 mpo_file_check_get_t *mpo_file_check_get;
5765 mpo_file_check_inherit_t *mpo_file_check_inherit;
5766 mpo_file_check_ioctl_t *mpo_file_check_ioctl;
5767 mpo_file_check_lock_t *mpo_file_check_lock;
5768 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade;
5769 mpo_file_check_mmap_t *mpo_file_check_mmap;
5770 mpo_file_check_receive_t *mpo_file_check_receive;
5771 mpo_file_check_set_t *mpo_file_check_set;
5772 mpo_file_label_init_t *mpo_file_label_init;
5773 mpo_file_label_destroy_t *mpo_file_label_destroy;
5774 mpo_file_label_associate_t *mpo_file_label_associate;
5775 mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update;
5776 mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit;
5777 mpo_ifnet_label_associate_t *mpo_ifnet_label_associate;
5778 mpo_ifnet_label_copy_t *mpo_ifnet_label_copy;
5779 mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy;
5780 mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize;
5781 mpo_ifnet_label_init_t *mpo_ifnet_label_init;
5782 mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize;
5783 mpo_ifnet_label_update_t *mpo_ifnet_label_update;
5784 mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle;
5785 mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver;
5786 mpo_inpcb_label_associate_t *mpo_inpcb_label_associate;
5787 mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy;
5788 mpo_inpcb_label_init_t *mpo_inpcb_label_init;
5789 mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle;
5790 mpo_inpcb_label_update_t *mpo_inpcb_label_update;
5791 mpo_iokit_check_device_t *mpo_iokit_check_device;
5792 mpo_ipq_label_associate_t *mpo_ipq_label_associate;
5793 mpo_ipq_label_compare_t *mpo_ipq_label_compare;
5794 mpo_ipq_label_destroy_t *mpo_ipq_label_destroy;
5795 mpo_ipq_label_init_t *mpo_ipq_label_init;
5796 mpo_ipq_label_update_t *mpo_ipq_label_update;
5797 mpo_lctx_check_label_update_t *mpo_lctx_check_label_update;
5798 mpo_lctx_label_destroy_t *mpo_lctx_label_destroy;
5799 mpo_lctx_label_externalize_t *mpo_lctx_label_externalize;
5800 mpo_lctx_label_init_t *mpo_lctx_label_init;
5801 mpo_lctx_label_internalize_t *mpo_lctx_label_internalize;
5802 mpo_lctx_label_update_t *mpo_lctx_label_update;
5803 mpo_lctx_notify_create_t *mpo_lctx_notify_create;
5804 mpo_lctx_notify_join_t *mpo_lctx_notify_join;
5805 mpo_lctx_notify_leave_t *mpo_lctx_notify_leave;
5806 mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
5807 mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
5808 mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
5809 mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq;
5810 mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
5811 mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap;
5812 mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
5813 mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
5814 mpo_mbuf_label_copy_t *mpo_mbuf_label_copy;
5815 mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy;
5816 mpo_mbuf_label_init_t *mpo_mbuf_label_init;
5817 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl;
5818 mpo_mount_check_getattr_t *mpo_mount_check_getattr;
5819 mpo_mount_check_label_update_t *mpo_mount_check_label_update;
5820 mpo_mount_check_mount_t *mpo_mount_check_mount;
5821 mpo_mount_check_remount_t *mpo_mount_check_remount;
5822 mpo_mount_check_setattr_t *mpo_mount_check_setattr;
5823 mpo_mount_check_stat_t *mpo_mount_check_stat;
5824 mpo_mount_check_umount_t *mpo_mount_check_umount;
5825 mpo_mount_label_associate_t *mpo_mount_label_associate;
5826 mpo_mount_label_destroy_t *mpo_mount_label_destroy;
5827 mpo_mount_label_externalize_t *mpo_mount_label_externalize;
5828 mpo_mount_label_init_t *mpo_mount_label_init;
5829 mpo_mount_label_internalize_t *mpo_mount_label_internalize;
5830 mpo_netinet_fragment_t *mpo_netinet_fragment;
5831 mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply;
5832 mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply;
5833 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
5834 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
5835 mpo_pipe_check_label_update_t *mpo_pipe_check_label_update;
5836 mpo_pipe_check_read_t *mpo_pipe_check_read;
5837 mpo_pipe_check_select_t *mpo_pipe_check_select;
5838 mpo_pipe_check_stat_t *mpo_pipe_check_stat;
5839 mpo_pipe_check_write_t *mpo_pipe_check_write;
5840 mpo_pipe_label_associate_t *mpo_pipe_label_associate;
5841 mpo_pipe_label_copy_t *mpo_pipe_label_copy;
5842 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy;
5843 mpo_pipe_label_externalize_t *mpo_pipe_label_externalize;
5844 mpo_pipe_label_init_t *mpo_pipe_label_init;
5845 mpo_pipe_label_internalize_t *mpo_pipe_label_internalize;
5846 mpo_pipe_label_update_t *mpo_pipe_label_update;
5847 mpo_policy_destroy_t *mpo_policy_destroy;
5848 mpo_policy_init_t *mpo_policy_init;
5849 mpo_policy_initbsd_t *mpo_policy_initbsd;
5850 mpo_policy_syscall_t *mpo_policy_syscall;
5851 mpo_port_check_copy_send_t *mpo_port_check_copy_send;
5852 mpo_port_check_hold_receive_t *mpo_port_check_hold_receive;
5853 mpo_port_check_hold_send_once_t *mpo_port_check_hold_send_once;
5854 mpo_port_check_hold_send_t *mpo_port_check_hold_send;
5855 mpo_port_check_label_update_t *mpo_port_check_label_update;
5856 mpo_port_check_make_send_once_t *mpo_port_check_make_send_once;
5857 mpo_port_check_make_send_t *mpo_port_check_make_send;
5858 mpo_port_check_method_t *mpo_port_check_method;
5859 mpo_port_check_move_receive_t *mpo_port_check_move_receive;
5860 mpo_port_check_move_send_once_t *mpo_port_check_move_send_once;
5861 mpo_port_check_move_send_t *mpo_port_check_move_send;
5862 mpo_port_check_receive_t *mpo_port_check_receive;
5863 mpo_port_check_send_t *mpo_port_check_send;
5864 mpo_port_check_service_t *mpo_port_check_service;
5865 mpo_port_label_associate_kernel_t *mpo_port_label_associate_kernel;
5866 mpo_port_label_associate_t *mpo_port_label_associate;
5867 mpo_port_label_compute_t *mpo_port_label_compute;
5868 mpo_port_label_copy_t *mpo_port_label_copy;
5869 mpo_port_label_destroy_t *mpo_port_label_destroy;
5870 mpo_port_label_init_t *mpo_port_label_init;
5871 mpo_port_label_update_cred_t *mpo_port_label_update_cred;
5872 mpo_port_label_update_kobject_t *mpo_port_label_update_kobject;
5873 mpo_posixsem_check_create_t *mpo_posixsem_check_create;
5874 mpo_posixsem_check_open_t *mpo_posixsem_check_open;
5875 mpo_posixsem_check_post_t *mpo_posixsem_check_post;
5876 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink;
5877 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait;
5878 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate;
5879 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy;
5880 mpo_posixsem_label_init_t *mpo_posixsem_label_init;
5881 mpo_posixshm_check_create_t *mpo_posixshm_check_create;
5882 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap;
5883 mpo_posixshm_check_open_t *mpo_posixshm_check_open;
5884 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat;
5885 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate;
5886 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink;
5887 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate;
5888 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy;
5889 mpo_posixshm_label_init_t *mpo_posixshm_label_init;
5890 mpo_proc_check_debug_t *mpo_proc_check_debug;
5891 mpo_proc_check_fork_t *mpo_proc_check_fork;
5892 mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name;
5893 mpo_proc_check_get_task_t *mpo_proc_check_get_task;
5894 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit;
5895 mpo_proc_check_getauid_t *mpo_proc_check_getauid;
5896 mpo_proc_check_getlcid_t *mpo_proc_check_getlcid;
5897 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect;
5898 mpo_proc_check_sched_t *mpo_proc_check_sched;
5899 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit;
5900 mpo_proc_check_setauid_t *mpo_proc_check_setauid;
5901 mpo_proc_check_setlcid_t *mpo_proc_check_setlcid;
5902 mpo_proc_check_signal_t *mpo_proc_check_signal;
5903 mpo_proc_check_wait_t *mpo_proc_check_wait;
5904 mpo_proc_label_destroy_t *mpo_proc_label_destroy;
5905 mpo_proc_label_init_t *mpo_proc_label_init;
5906 mpo_socket_check_accept_t *mpo_socket_check_accept;
5907 mpo_socket_check_accepted_t *mpo_socket_check_accepted;
5908 mpo_socket_check_bind_t *mpo_socket_check_bind;
5909 mpo_socket_check_connect_t *mpo_socket_check_connect;
5910 mpo_socket_check_create_t *mpo_socket_check_create;
5911 mpo_socket_check_deliver_t *mpo_socket_check_deliver;
5912 mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter;
5913 mpo_socket_check_label_update_t *mpo_socket_check_label_update;
5914 mpo_socket_check_listen_t *mpo_socket_check_listen;
5915 mpo_socket_check_receive_t *mpo_socket_check_receive;
5916 mpo_socket_check_received_t *mpo_socket_check_received;
5917 mpo_socket_check_select_t *mpo_socket_check_select;
5918 mpo_socket_check_send_t *mpo_socket_check_send;
5919 mpo_socket_check_stat_t *mpo_socket_check_stat;
5920 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt;
5921 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt;
5922 mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept;
5923 mpo_socket_label_associate_t *mpo_socket_label_associate;
5924 mpo_socket_label_copy_t *mpo_socket_label_copy;
5925 mpo_socket_label_destroy_t *mpo_socket_label_destroy;
5926 mpo_socket_label_externalize_t *mpo_socket_label_externalize;
5927 mpo_socket_label_init_t *mpo_socket_label_init;
5928 mpo_socket_label_internalize_t *mpo_socket_label_internalize;
5929 mpo_socket_label_update_t *mpo_socket_label_update;
5930 mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf;
5931 mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket;
5932 mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy;
5933 mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize;
5934 mpo_socketpeer_label_init_t *mpo_socketpeer_label_init;
5935 mpo_system_check_acct_t *mpo_system_check_acct;
5936 mpo_system_check_audit_t *mpo_system_check_audit;
5937 mpo_system_check_auditctl_t *mpo_system_check_auditctl;
5938 mpo_system_check_auditon_t *mpo_system_check_auditon;
5939 mpo_system_check_host_priv_t *mpo_system_check_host_priv;
5940 mpo_system_check_nfsd_t *mpo_system_check_nfsd;
5941 mpo_system_check_reboot_t *mpo_system_check_reboot;
5942 mpo_system_check_settime_t *mpo_system_check_settime;
5943 mpo_system_check_swapoff_t *mpo_system_check_swapoff;
5944 mpo_system_check_swapon_t *mpo_system_check_swapon;
5945 mpo_system_check_sysctl_t *mpo_system_check_sysctl;
5946 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate;
5947 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy;
5948 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init;
5949 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle;
5950 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue;
5951 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv;
5952 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid;
5953 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl;
5954 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget;
5955 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv;
5956 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd;
5957 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate;
5958 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy;
5959 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init;
5960 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle;
5961 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl;
5962 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget;
5963 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop;
5964 mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate;
5965 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy;
5966 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init;
5967 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle;
5968 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat;
5969 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl;
5970 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt;
5971 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget;
5972 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate;
5973 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy;
5974 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init;
5975 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle;
5976 mpo_task_label_associate_kernel_t *mpo_task_label_associate_kernel;
5977 mpo_task_label_associate_t *mpo_task_label_associate;
5978 mpo_task_label_copy_t *mpo_task_label_copy;
5979 mpo_task_label_destroy_t *mpo_task_label_destroy;
5980 mpo_task_label_externalize_t *mpo_task_label_externalize;
5981 mpo_task_label_init_t *mpo_task_label_init;
5982 mpo_task_label_internalize_t *mpo_task_label_internalize;
5983 mpo_task_label_update_t *mpo_task_label_update;
5984 mpo_thread_userret_t *mpo_thread_userret;
5985 mpo_vnode_check_access_t *mpo_vnode_check_access;
5986 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir;
5987 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot;
5988 mpo_vnode_check_create_t *mpo_vnode_check_create;
5989 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr;
5990 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata;
5991 mpo_vnode_check_exec_t *mpo_vnode_check_exec;
5992 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist;
5993 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr;
5994 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl;
5995 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter;
5996 mpo_vnode_check_label_update_t *mpo_vnode_check_label_update;
5997 mpo_vnode_check_link_t *mpo_vnode_check_link;
5998 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr;
5999 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup;
6000 mpo_vnode_check_open_t *mpo_vnode_check_open;
6001 mpo_vnode_check_read_t *mpo_vnode_check_read;
6002 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir;
6003 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink;
6004 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from;
6005 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to;
6006 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke;
6007 mpo_vnode_check_select_t *mpo_vnode_check_select;
6008 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist;
6009 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr;
6010 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags;
6011 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode;
6012 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner;
6013 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes;
6014 mpo_vnode_check_stat_t *mpo_vnode_check_stat;
6015 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate;
6016 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink;
6017 mpo_vnode_check_write_t *mpo_vnode_check_write;
6018 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs;
6019 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr;
6020 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file;
6021 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe;
6022 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem;
6023 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm;
6024 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel;
6025 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket;
6026 mpo_vnode_label_copy_t *mpo_vnode_label_copy;
6027 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy;
6028 mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit;
6029 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize;
6030 mpo_vnode_label_init_t *mpo_vnode_label_init;
6031 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize;
6032 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle;
6033 mpo_vnode_label_store_t *mpo_vnode_label_store;
6034 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr;
6035 mpo_vnode_label_update_t *mpo_vnode_label_update;
6036 mpo_vnode_notify_create_t *mpo_vnode_notify_create;
593a1d5f
A		 6037 mpo_vnode_check_signature_t *mpo_vnode_check_signature;
6038 mpo_proc_check_map_prot_copy_allow_t *mpo_proc_check_map_prot_copy_allow;
2d21ac55
A		 6039 mpo_reserved_hook_t *mpo_reserved2;
6040 mpo_reserved_hook_t *mpo_reserved3;
6041 mpo_reserved_hook_t *mpo_reserved4;
6042 mpo_reserved_hook_t *mpo_reserved5;
6043 mpo_reserved_hook_t *mpo_reserved6;
6044 mpo_reserved_hook_t *mpo_reserved7;
6045 mpo_reserved_hook_t *mpo_reserved8;
6046 mpo_reserved_hook_t *mpo_reserved9;
6047};
6048
6049/**
6050 @brief MAC policy handle type
6051
6052 The MAC handle is used to uniquely identify a loaded policy within
6053 the MAC Framework.
6054
6055 A variable of this type is set by mac_policy_register().
6056 */
6057typedef unsigned int mac_policy_handle_t;
6058
6059#define mpc_t struct mac_policy_conf *
6060
6061/**
6062 @brief Mac policy configuration
6063
6064 This structure specifies the configuration information for a
6065 MAC policy module. A policy module developer must supply
6066 a short unique policy name, a more descriptive full name, a list of label
6067 namespaces and count, a pointer to the registered enty point operations,
6068 any load time flags, and optionally, a pointer to a label slot identifier.
6069
6070 The Framework will update the runtime flags (mpc_runtime_flags) to
6071 indicate that the module has been registered.
6072
6073 If the label slot identifier (mpc_field_off) is NULL, the Framework
6074 will not provide label storage for the policy. Otherwise, the
6075 Framework will store the label location (slot) in this field.
6076
6077 The mpc_list field is used by the Framework and should not be
6078 modified by policies.
6079*/
6080/* XXX - reorder these for better aligment on 64bit platforms */
6081struct mac_policy_conf {
6082 const char *mpc_name; /** policy name */
6083 const char *mpc_fullname; /** full name */
6084 const char **mpc_labelnames; /** managed label namespaces */
6085 unsigned int mpc_labelname_count; /** number of managed label namespaces */
6086 struct mac_policy_ops *mpc_ops; /** operation vector */
6087 int mpc_loadtime_flags; /** load time flags */
6088 int *mpc_field_off; /** label slot */
6089 int mpc_runtime_flags; /** run time flags */
6090 mpc_t mpc_list; /** List reference */
6091 void *mpc_data; /** module data */
6092};
6093
6094/**
6095 @brief MAC policy module registration routine
6096
6097 This function is called to register a policy with the
6098 MAC framework. A policy module will typically call this from the
6099 Darwin KEXT registration routine.
6100 */
6101int mac_policy_register(struct mac_policy_conf *mpc,
6102 mac_policy_handle_t *handlep, void *xd);
6103
6104/**
6105 @brief MAC policy module de-registration routine
6106
6107 This function is called to de-register a policy with theD
6108 MAC framework. A policy module will typically call this from the
6109 Darwin KEXT de-registration routine.
6110 */
6111int mac_policy_unregister(mac_policy_handle_t handle);
6112
6113/*
6114 * Framework entry points for the policies to add audit data.
6115 */
6116int mac_audit_text(char *text, mac_policy_handle_t handle);
6117
6118/*
6119 * Calls to assist with use of Apple XATTRs within policy modules.
6120 */
6121int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t);
6122int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t,
6123 size_t *);
6124int mac_vnop_removexattr(struct vnode *, const char *);
6125
6126/*
6127 * Arbitrary limit on how much data will be logged by the audit
6128 * entry points above.
6129 */
6130#define MAC_AUDIT_DATA_LIMIT 1024
6131
6132/*
6133 * Values returned by mac_audit_{pre,post}select. To combine the responses
6134 * of the security policies into a single decision,
6135 * mac_audit_{pre,post}select() choose the greatest value returned.
6136 */
6137#define MAC_AUDIT_DEFAULT 0 /* use system behavior */
6138#define MAC_AUDIT_NO 1 /* force not auditing this event */
6139#define MAC_AUDIT_YES 2 /* force auditing this event */
6140
6141// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field
6142
6143/**
6144 @name Flags for the mpc_loadtime_flags field
6145 @see mac_policy_conf
6146
6147 This is the complete list of flags that are supported by the
6148 mpc_loadtime_flags field of the mac_policy_conf structure. These
6149 flags specify the load time behavior of MAC Framework policy
6150 modules.
6151*/
6152
6153/*@{*/
6154
6155/**
6156 @brief Flag to indicate registration preference
6157
6158 This flag indicates that the policy module must be loaded and
6159 initialized early in the boot process. If the flag is specified,
6160 attempts to register the module following boot will be rejected. The
6161 flag may be used by policies that require pervasive labeling of all
6162 system objects, and cannot handle objects that have not been
6163 properly initialized by the policy.
6164 */
6165#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
6166
6167/**
6168 @brief Flag to indicate unload preference
6169
6170 This flag indicates that the policy module may be unloaded. If this
6171 flag is not set, then the policy framework will reject requests to
6172 unload the module. This flag might be used by modules that allocate
6173 label state and are unable to free that state at runtime, or for
6174 modules that simply do not want to permit unload operations.
6175*/
6176#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
6177
6178/**
6179 @brief Unsupported
6180
6181 XXX This flag is not yet supported.
6182*/
6183#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
6184
6185/**
6186 @brief Flag to indicate a base policy
6187
6188 This flag indicates that the policy module is a base policy. Only
6189 one module can declare itself as base, otherwise the boot process
6190 will be halted.
6191 */
6192#define MPC_LOADTIME_BASE_POLICY 0x00000008
6193
6194/*@}*/
6195
6196/**
6197 @brief Policy registration flag
6198 @see mac_policy_conf
6199
6200 This flag indicates that the policy module has been successfully
6201 registered with the TrustedBSD MAC Framework. The Framework will
6202 set this flag in the mpc_runtime_flags field of the policy's
6203 mac_policy_conf structure after registering the policy.
6204 */
6205#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
6206
6207/*
6208 * Depends on POLICY_VER
6209 */
6210
6211#ifndef POLICY_VER
6212#define POLICY_VER 1.0
6213#endif
6214
6215#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \
6216 static struct mac_policy_conf mpname##_mac_policy_conf = { \
6217 .mpc_name = #mpname, \
6218 .mpc_fullname = mpfullname, \
6219 .mpc_labelnames = lnames, \
6220 .mpc_labelname_count = lcount, \
6221 .mpc_ops = mpops, \
6222 .mpc_loadtime_flags = lflags, \
6223 .mpc_field_off = slot, \
6224 .mpc_runtime_flags = rflags \
6225 }; \
6226 \
6227 static kern_return_t \
6228 kmod_start(kmod_info_t *ki, void *xd) \
6229 { \
6230 return mac_policy_register(&mpname##_mac_policy_conf, \
6231 &handle, xd); \
6232 } \
6233 \
6234 static kern_return_t \
6235 kmod_stop(kmod_info_t *ki, void *xd) \
6236 { \
6237 return mac_policy_unregister(handle); \
6238 } \
6239 \
6240 extern kern_return_t _start(kmod_info_t *ki, void *data); \
6241 extern kern_return_t _stop(kmod_info_t *ki, void *data); \
6242 \
6243 KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \
6244 kmod_start_func_t *_realmain = kmod_start; \
6245 kmod_stop_func_t *_antimain = kmod_stop; \
6246 int _kext_apple_cc = __APPLE_CC__
6247
6248
6249#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]
6250
6251#define mac_get_mpc(h) (mac_policy_list.entries[h].mpc)
6252
6253/**
6254 @name Flags for MAC allocator interfaces
6255
6256 These flags are passed to the Darwin kernel allocator routines to
6257 indicate whether the allocation is permitted to block or not.
6258 Caution should be taken; some operations are not permitted to sleep,
6259 and some types of locks cannot be held when sleeping.
6260 */
6261
6262/*@{*/
6263
6264/**
6265 @brief Allocation operations may block
6266
6267 If memory is not immediately available, the allocation routine
6268 will block (typically sleeping) until memory is available.
6269
6270 @warning Inappropriate use of this flag may cause kernel panics.
6271 */
6272#define MAC_WAITOK 0
6273
6274/**
6275 @brief Allocation operations may not block
6276
6277 Rather than blocking, the allocator may return an error if memory
6278 is not immediately available. This type of allocation will not
6279 sleep, preserving locking semantics.
6280 */
6281#define MAC_NOWAIT 1
6282
6283/*@}*/
6284
6285#endif /* !_SECURITY_MAC_POLICY_H_ */
mirror of XNU