]> git.saurik.com Git - apple/xnu.git/blame - security/mac_policy.h
projects / apple / xnu.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
xnu-2782.1.97.tar.gz
[apple/xnu.git] / security / mac_policy.h
CommitLineData
2d21ac55 1/*
6d2010ae 2 * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
2d21ac55
A		 3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/*-
29 * Copyright (c) 1999-2002 Robert N. M. Watson
30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
31 * Copyright (c) 2005-2007 SPARTA, Inc.
32 * All rights reserved.
33 *
34 * This software was developed by Robert Watson for the TrustedBSD Project.
35 *
36 * This software was developed for the FreeBSD Project in part by Network
37 * Associates Laboratories, the Security Research Division of Network
38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
39 * as part of the DARPA CHATS research program.
40 *
41 * This software was enhanced by SPARTA ISSO under SPAWAR contract
42 * N66001-04-C-6019 ("SEFOS").
43 *
44 * Redistribution and use in source and binary forms, with or without
45 * modification, are permitted provided that the following conditions
46 * are met:
47 * 1. Redistributions of source code must retain the above copyright
48 * notice, this list of conditions and the following disclaimer.
49 * 2. Redistributions in binary form must reproduce the above copyright
50 * notice, this list of conditions and the following disclaimer in the
51 * documentation and/or other materials provided with the distribution.
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
63 * SUCH DAMAGE.
64 *
65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $
66 */
67
68/**
69 @file mac_policy.h
70 @brief Kernel Interfaces for MAC policy modules
71
72 This header defines the list of operations that are defined by the
73 TrustedBSD MAC Framwork on Darwin. MAC Policy modules register
74 with the framework to declare interest in a specific set of
75 operations. If interest in an entry point is not declared, then
76 the policy will be ignored when the Framework evaluates that entry
77 point.
78*/
79
80#ifndef _SECURITY_MAC_POLICY_H_
81#define _SECURITY_MAC_POLICY_H_
82
39236c6e
A		 83#ifndef PRIVATE
84#warning "MAC policy is not KPI, see Technical Q&A QA1574, this header will be removed in next version"
85#endif
86
2d21ac55
A		 87#include <security/_label.h>
88
89struct attrlist;
90struct auditinfo;
91struct bpf_d;
92struct devnode;
93struct fileglob;
94struct ifnet;
95struct inpcb;
96struct ipq;
97struct label;
98struct lctx;
99struct mac_module_data;
100struct mac_policy_conf;
101struct mbuf;
102struct mount;
39236c6e
A		 103struct msg;
104struct msqid_kernel;
2d21ac55
A		 105struct pipe;
106struct pseminfo;
107struct pshminfo;
108struct sbuf;
109struct semid_kernel;
110struct shmid_kernel;
39236c6e
A		 111struct socket;
112struct sockopt;
2d21ac55
A		 113struct task;
114struct thread;
39236c6e 115struct tty;
2d21ac55 116struct ucred;
39236c6e 117struct vfs_attr;
2d21ac55
A		 118struct vnode;
119/** @struct dummy */
120
121
122
123#ifndef _KAUTH_CRED_T
124#define _KAUTH_CRED_T
125typedef struct ucred *kauth_cred_t;
126#endif /* !_KAUTH_CRED_T */
127
6d2010ae
A		 128#ifndef __IOKIT_PORTS_DEFINED__
129#define __IOKIT_PORTS_DEFINED__
130#ifdef __cplusplus
131class OSObject;
132typedef OSObject *io_object_t;
133#else
134struct OSObject;
135typedef struct OSObject *io_object_t;
136#endif
137#endif /* __IOKIT_PORTS_DEFINED__ */
2d21ac55
A		 138
139/*-
140 * MAC entry points are generally named using the following template:
141 *
142 * mpo_<object>_<operation>()
143 *
144 * or:
145 *
146 * mpo_<object>_check_<operation>()
147 *
148 * Entry points are sorted by object type.
149 *
150 * It may be desirable also to consider some subsystems as "objects", such
151 * as system, iokit, etc.
152 */
153
154/**
155 @name Entry Points for Label Management
156
157 These are the entry points corresponding to the life cycle events for
158 kernel objects, such as initialization, creation, and destruction.
159
160 Most policies (that use labels) will initialize labels by allocating
161 space for policy-specific data. In most cases, it is permitted to
162 sleep during label initialization operations; it will be noted when
163 it is not permitted.
164
165 Initialization usually will not require doing more than allocating a
166 generic label for the given object. What follows initialization is
167 creation, where a label is made specific to the object it is associated
168 with. Destruction occurs when the label is no longer needed, such as
169 when the corresponding object is destroyed. All necessary cleanup should
170 be performed in label destroy operations.
171
172 Where possible, the label entry points have identical parameters. If
173 the policy module does not require structure-specific label
174 information, the same function may be registered in the policy
175 operation vector. Many policies will implement two such generic
176 allocation calls: one to handle sleepable requests, and one to handle
177 potentially non-sleepable requests.
178*/
179
180
181/**
182 @brief Audit event postselection
183 @param cred Subject credential
184 @param syscode Syscall number
185 @param args Syscall arguments
186 @param error Syscall errno
187 @param retval Syscall return value
188
189 This is the MAC Framework audit postselect, which is called before
190 exiting a syscall to determine if an audit event should be committed.
191 A return value of MAC_AUDIT_NO forces the audit record to be suppressed.
192 Any other return value results in the audit record being committed.
193
194 @warning The suppression behavior will probably go away in Apple's
195 future version of the audit implementation.
196
197 @return Return MAC_AUDIT_NO to force suppression of the audit record.
198 Any other value results in the audit record being committed.
199
200*/
201typedef int mpo_audit_check_postselect_t(
202 kauth_cred_t cred,
203 unsigned short syscode,
204 void *args,
205 int error,
206 int retval
207);
208/**
209 @brief Audit event preselection
210 @param cred Subject credential
211 @param syscode Syscall number
212 @param args Syscall arguments
213
214 This is the MAC Framework audit preselect, which is called before a
215 syscall is entered to determine if an audit event should be created.
216 If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be
217 returned. A return value of MAC_AUDIT_NO causes the audit record to
218 be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants
219 to defer to the system's existing preselection mechanism.
220
221 When policies return different preferences, the Framework decides what action
222 to take based on the following policy. If any policy returns MAC_AUDIT_YES,
223 then create an audit record, else if any policy returns MAC_AUDIT_NO, then
224 suppress the creations of an audit record, else defer to the system's
225 existing preselection mechanism.
226
227 @warning The audit implementation in Apple's current version is
228 incomplete, so the MAC policies have priority over the system's existing
229 mechanisms. This will probably change in the future version where
230 the audit implementation is more complete.
231
232 @return Return MAC_AUDIT_YES to force auditing of the syscall,
233 MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT
234 to allow auditing mechanisms to determine if the syscall is audited.
235
236*/
237typedef int mpo_audit_check_preselect_t(
238 kauth_cred_t cred,
239 unsigned short syscode,
240 void *args
241);
242/**
243 @brief Initialize BPF descriptor label
244 @param label New label to initialize
245
246 Initialize the label for a newly instantiated BPF descriptor.
247 Sleeping is permitted.
248*/
249typedef void mpo_bpfdesc_label_init_t(
250 struct label *label
251);
252/**
253 @brief Destroy BPF descriptor label
254 @param label The label to be destroyed
255
256 Destroy a BPF descriptor label. Since the BPF descriptor
257 is going out of scope, policy modules should free any internal
258 storage associated with the label so that it may be destroyed.
259*/
260typedef void mpo_bpfdesc_label_destroy_t(
261 struct label *label
262);
263/**
264 @brief Associate a BPF descriptor with a label
265 @param cred User credential creating the BPF descriptor
266 @param bpf_d The BPF descriptor
267 @param bpflabel The new label
268
269 Set the label on a newly created BPF descriptor from the passed
270 subject credential. This call will be made when a BPF device node
271 is opened by a process with the passed subject credential.
272*/
273typedef void mpo_bpfdesc_label_associate_t(
274 kauth_cred_t cred,
275 struct bpf_d *bpf_d,
276 struct label *bpflabel
277);
278/**
279 @brief Check whether BPF can read from a network interface
280 @param bpf_d Subject; the BPF descriptor
281 @param bpflabel Policy label for bpf_d
282 @param ifp Object; the network interface
283 @param ifnetlabel Policy label for ifp
284
285 Determine whether the MAC framework should permit datagrams from
286 the passed network interface to be delivered to the buffers of
287 the passed BPF descriptor. Return (0) for success, or an errno
288 value for failure. Suggested failure: EACCES for label mismatches,
289 EPERM for lack of privilege.
290*/
291typedef int mpo_bpfdesc_check_receive_t(
292 struct bpf_d *bpf_d,
293 struct label *bpflabel,
294 struct ifnet *ifp,
295 struct label *ifnetlabel
296);
297/**
298 @brief Indicate desire to change the process label at exec time
299 @param old Existing subject credential
300 @param vp File being executed
fe8ab488
A		 301 @param offset Offset of binary within file being executed
302 @param scriptvp Script being executed by interpreter, if any.
2d21ac55
A		 303 @param vnodelabel Label corresponding to vp
304 @param scriptvnodelabel Script vnode label
305 @param execlabel Userspace provided execution label
306 @param proc Object process
39236c6e
A		 307 @param macpolicyattr MAC policy-specific spawn attribute data
308 @param macpolicyattrlen Length of policy-specific spawn attribute data
2d21ac55
A		 309 @see mac_execve
310 @see mpo_cred_label_update_execve_t
311 @see mpo_vnode_check_exec_t
312
313 Indicate whether this policy intends to update the label of a newly
314 created credential from the existing subject credential (old). This
315 call occurs when a process executes the passed vnode. If a policy
316 returns success from this entry point, the mpo_cred_label_update_execve
317 entry point will later be called with the same parameters. Access
318 has already been checked via the mpo_vnode_check_exec entry point,
319 this entry point is necessary to preserve kernel locking constraints
320 during program execution.
321
322 The supplied vnode and vnodelabel correspond with the file actually
323 being executed; in the case that the file is interpreted (for
324 example, a script), the label of the original exec-time vnode has
325 been preserved in scriptvnodelabel.
326
327 The final label, execlabel, corresponds to a label supplied by a
328 user space application through the use of the mac_execve system call.
329
330 The vnode lock is held during this operation. No changes should be
331 made to the old credential structure.
332
333 @warning Even if a policy returns 0, it should behave correctly in
334 the presence of an invocation of mpo_cred_label_update_execve, as that
335 call may happen as a result of another policy requesting a transition.
336
337 @return Non-zero if a transition is required, 0 otherwise.
338*/
339typedef int mpo_cred_check_label_update_execve_t(
340 kauth_cred_t old,
341 struct vnode *vp,
fe8ab488 342 off_t offset,
39236c6e 343 struct vnode *scriptvp,
2d21ac55
A		 344 struct label *vnodelabel,
345 struct label *scriptvnodelabel,
346 struct label *execlabel,
39236c6e
A		 347 struct proc *p,
348 void *macpolicyattr,
349 size_t macpolicyattrlen
2d21ac55
A		 350);
351/**
352 @brief Access control check for relabelling processes
353 @param cred Subject credential
354 @param newlabel New label to apply to the user credential
355 @see mpo_cred_label_update_t
356 @see mac_set_proc
357
358 Determine whether the subject identified by the credential can relabel
359 itself to the supplied new label (newlabel). This access control check
360 is called when the mac_set_proc system call is invoked. A user space
361 application will supply a new value, the value will be internalized
362 and provided in newlabel.
363
364 @return Return 0 if access is granted, otherwise an appropriate value for
365 errno should be returned.
366*/
367typedef int mpo_cred_check_label_update_t(
368 kauth_cred_t cred,
369 struct label *newlabel
370);
371/**
372 @brief Access control check for visibility of other subjects
373 @param u1 Subject credential
374 @param u2 Object credential
375
376 Determine whether the subject identified by the credential u1 can
377 "see" other subjects with the passed subject credential u2. This call
378 may be made in a number of situations, including inter-process status
379 sysctls used by ps, and in procfs lookups.
380
381 @return Return 0 if access is granted, otherwise an appropriate value for
382 errno should be returned. Suggested failure: EACCES for label mismatch,
383 EPERM for lack of privilege, or ESRCH to hide visibility.
384*/
385typedef int mpo_cred_check_visible_t(
386 kauth_cred_t u1,
387 kauth_cred_t u2
388);
389/**
390 @brief Associate a credential with a new process at fork
391 @param cred credential to inherited by new process
392 @param proc the new process
393
394 Allow a process to associate the credential with a new
395 process for reference countng purposes.
396 NOTE: the credential can be dis-associated in ways other
397 than exit - so this strategy is flawed - should just
398 catch label destroy callback.
399*/
400typedef void mpo_cred_label_associate_fork_t(
401 kauth_cred_t cred,
402 proc_t proc
403);
404/**
405 @brief Create the first process
406 @param cred Subject credential to be labeled
407
408 Create the subject credential of process 0, the parent of all BSD
409 kernel processes. Policies should update the label in the
410 previously initialized credential structure.
411*/
412typedef void mpo_cred_label_associate_kernel_t(
413 kauth_cred_t cred
414);
415/**
416 @brief Create a credential label
417 @param parent_cred Parent credential
418 @param child_cred Child credential
419
420 Set the label of a newly created credential, most likely using the
421 information in the supplied parent credential.
422
423 @warning This call is made when crcopy or crdup is invoked on a
424 newly created struct ucred, and should not be confused with a
425 process fork or creation event.
426*/
427typedef void mpo_cred_label_associate_t(
428 kauth_cred_t parent_cred,
429 kauth_cred_t child_cred
430);
431/**
432 @brief Create the first process
433 @param cred Subject credential to be labeled
434
435 Create the subject credential of process 1, the parent of all BSD
436 user processes. Policies should update the label in the previously
437 initialized credential structure. This is the 'init' process.
438*/
439typedef void mpo_cred_label_associate_user_t(
440 kauth_cred_t cred
441);
442/**
443 @brief Destroy credential label
444 @param label The label to be destroyed
445
446 Destroy a user credential label. Since the user credential
447 is going out of scope, policy modules should free any internal
448 storage associated with the label so that it may be destroyed.
449*/
450typedef void mpo_cred_label_destroy_t(
451 struct label *label
452);
453/**
454 @brief Externalize a user credential label for auditing
455 @param label Label to be externalized
456 @param element_name Name of the label namespace for which labels should be
457 externalized
458 @param sb String buffer to be filled with a text representation of the label
459
460 Produce an external representation of the label on a user credential for
461 inclusion in an audit record. An externalized label consists of a text
462 representation of the label contents that will be added to the audit record
463 as part of a text token. Policy-agnostic user space tools will display
464 this externalized version.
465
466 @return 0 on success, return non-zero if an error occurs while
467 externalizing the label data.
468
469*/
470typedef int mpo_cred_label_externalize_audit_t(
471 struct label *label,
472 char *element_name,
473 struct sbuf *sb
474);
475/**
476 @brief Externalize a user credential label
477 @param label Label to be externalized
478 @param element_name Name of the label namespace for which labels should be
479 externalized
480 @param sb String buffer to be filled with a text representation of the label
481
482 Produce an external representation of the label on a user
483 credential. An externalized label consists of a text representation
484 of the label contents that can be used with user applications.
485 Policy-agnostic user space tools will display this externalized
486 version.
487
488 @return 0 on success, return non-zero if an error occurs while
489 externalizing the label data.
490
491*/
492typedef int mpo_cred_label_externalize_t(
493 struct label *label,
494 char *element_name,
495 struct sbuf *sb
496);
497/**
498 @brief Initialize user credential label
499 @param label New label to initialize
500
501 Initialize the label for a newly instantiated user credential.
502 Sleeping is permitted.
503*/
504typedef void mpo_cred_label_init_t(
505 struct label *label
506);
507/**
508 @brief Internalize a user credential label
509 @param label Label to be internalized
510 @param element_name Name of the label namespace for which the label should
511 be internalized
512 @param element_data Text data to be internalized
513
514 Produce a user credential label from an external representation. An
515 externalized label consists of a text representation of the label
516 contents that can be used with user applications. Policy-agnostic
517 user space tools will forward text version to the kernel for
518 processing by individual policy modules.
519
520 The policy's internalize entry points will be called only if the
521 policy has registered interest in the label namespace.
522
523 @return 0 on success, Otherwise, return non-zero if an error occurs
524 while internalizing the label data.
525
526*/
527typedef int mpo_cred_label_internalize_t(
528 struct label *label,
529 char *element_name,
530 char *element_data
531);
532/**
533 @brief Update credential at exec time
534 @param old_cred Existing subject credential
535 @param new_cred New subject credential to be labeled
39236c6e 536 @param p Object process.
2d21ac55 537 @param vp File being executed
fe8ab488
A		 538 @param offset Offset of binary within file being executed
539 @param scriptvp Script being executed by interpreter, if any.
2d21ac55
A		 540 @param vnodelabel Label corresponding to vp
541 @param scriptvnodelabel Script vnode label
542 @param execlabel Userspace provided execution label
fe8ab488 543 @param csflags Code signing flags to be set after exec
39236c6e
A		 544 @param macpolicyattr MAC policy-specific spawn attribute data.
545 @param macpolicyattrlen Length of policy-specific spawn attribute data.
2d21ac55
A		 546 @see mac_execve
547 @see mpo_cred_check_label_update_execve_t
548 @see mpo_vnode_check_exec_t
549
550 Update the label of a newly created credential (new) from the
551 existing subject credential (old). This call occurs when a process
552 executes the passed vnode and one of the loaded policy modules has
553 returned success from the mpo_cred_check_label_update_execve entry point.
554 Access has already been checked via the mpo_vnode_check_exec entry
555 point, this entry point is only used to update any policy state.
556
557 The supplied vnode and vnodelabel correspond with the file actually
558 being executed; in the case that the file is interpreted (for
559 example, a script), the label of the original exec-time vnode has
560 been preserved in scriptvnodelabel.
561
562 The final label, execlabel, corresponds to a label supplied by a
563 user space application through the use of the mac_execve system call.
564
c910b4d9
A		 565 If non-NULL, the value pointed to by disjointp will be set to 0 to
566 indicate that the old and new credentials are not disjoint, or 1 to
567 indicate that they are.
568
2d21ac55
A		 569 The vnode lock is held during this operation. No changes should be
570 made to the old credential structure.
fe8ab488
A		 571 @return 0 on success, Otherwise, return non-zero if update results in
572 termination of child.
2d21ac55 573*/
fe8ab488 574typedef int mpo_cred_label_update_execve_t(
2d21ac55
A		 575 kauth_cred_t old_cred,
576 kauth_cred_t new_cred,
39236c6e 577 struct proc *p,
2d21ac55 578 struct vnode *vp,
fe8ab488 579 off_t offset,
39236c6e 580 struct vnode *scriptvp,
2d21ac55
A		 581 struct label *vnodelabel,
582 struct label *scriptvnodelabel,
c910b4d9 583 struct label *execlabel,
fe8ab488 584 u_int *csflags,
39236c6e
A		 585 void *macpolicyattr,
586 size_t macpolicyattrlen,
c910b4d9 587 int *disjointp
2d21ac55
A		 588);
589/**
590 @brief Update a credential label
591 @param cred The existing credential
592 @param newlabel A new label to apply to the credential
593 @see mpo_cred_check_label_update_t
594 @see mac_set_proc
595
596 Update the label on a user credential, using the supplied new label.
597 This is called as a result of a process relabel operation. Access
598 control was already confirmed by mpo_cred_check_label_update.
599*/
600typedef void mpo_cred_label_update_t(
601 kauth_cred_t cred,
602 struct label *newlabel
603);
604/**
605 @brief Create a new devfs device
606 @param dev Major and minor numbers of special file
607 @param de "inode" of new device file
608 @param label Destination label
609 @param fullpath Path relative to mount (e.g. /dev) of new device file
610
611 This entry point labels a new devfs device. The label will likely be based
612 on the path to the device, or the major and minor numbers.
613 The policy should store an appropriate label into 'label'.
614*/
615typedef void mpo_devfs_label_associate_device_t(
616 dev_t dev,
617 struct devnode *de,
618 struct label *label,
619 const char *fullpath
620);
621/**
622 @brief Create a new devfs directory
623 @param dirname Name of new directory
624 @param dirnamelen Length of 'dirname'
625 @param de "inode" of new directory
626 @param label Destination label
627 @param fullpath Path relative to mount (e.g. /dev) of new directory
628
629 This entry point labels a new devfs directory. The label will likely be
630 based on the path of the new directory. The policy should store an appropriate
631 label into 'label'. The devfs root directory is labelled in this way.
632*/
633typedef void mpo_devfs_label_associate_directory_t(
634 const char *dirname,
635 int dirnamelen,
636 struct devnode *de,
637 struct label *label,
638 const char *fullpath
639);
640/**
641 @brief Copy a devfs label
642 @param src Source devfs label
643 @param dest Destination devfs label
644
645 Copy the label information from src to dest. The devfs file system
646 often duplicates (splits) existing device nodes rather than creating
647 new ones.
648*/
649typedef void mpo_devfs_label_copy_t(
650 struct label *src,
651 struct label *dest
652);
653/**
654 @brief Destroy devfs label
655 @param label The label to be destroyed
656
657 Destroy a devfs entry label. Since the object is going out
658 of scope, policy modules should free any internal storage associated
659 with the label so that it may be destroyed.
660*/
661typedef void mpo_devfs_label_destroy_t(
662 struct label *label
663);
664/**
665 @brief Initialize devfs label
666 @param label New label to initialize
667
668 Initialize the label for a newly instantiated devfs entry. Sleeping
669 is permitted.
670*/
671typedef void mpo_devfs_label_init_t(
672 struct label *label
673);
674/**
675 @brief Update a devfs label after relabelling its vnode
676 @param mp Devfs mount point
677 @param de Affected devfs directory entry
678 @param delabel Label of devfs directory entry
679 @param vp Vnode associated with de
680 @param vnodelabel New label of vnode
681
682 Update a devfs label when its vnode is manually relabelled,
683 for example with setfmac(1). Typically, this will simply copy
684 the vnode label into the devfs label.
685*/
686typedef void mpo_devfs_label_update_t(
687 struct mount *mp,
688 struct devnode *de,
689 struct label *delabel,
690 struct vnode *vp,
691 struct label *vnodelabel
692);
693/**
694 @brief Access control for changing the offset of a file descriptor
695 @param cred Subject credential
696 @param fg Fileglob structure
697 @param label Policy label for fg
698
699 Determine whether the subject identified by the credential can
700 change the offset of the file represented by fg.
701
702 @return Return 0 if access if granted, otherwise an appropriate
703 value for errno should be returned.
704*/
705typedef int mpo_file_check_change_offset_t(
706 kauth_cred_t cred,
707 struct fileglob *fg,
708 struct label *label
709);
710/**
711 @brief Access control for creating a file descriptor
712 @param cred Subject credential
713
714 Determine whether the subject identified by the credential can
715 allocate a new file descriptor.
716
717 @return Return 0 if access if granted, otherwise an appropriate
718 value for errno should be returned.
719*/
720typedef int mpo_file_check_create_t(
721 kauth_cred_t cred
722);
723/**
724 @brief Access control for duplicating a file descriptor
725 @param cred Subject credential
726 @param fg Fileglob structure
727 @param label Policy label for fg
728 @param newfd New file descriptor number
729
730 Determine whether the subject identified by the credential can
731 duplicate the fileglob structure represented by fg and as file
732 descriptor number newfd.
733
734 @return Return 0 if access if granted, otherwise an appropriate
735 value for errno should be returned.
736*/
737typedef int mpo_file_check_dup_t(
738 kauth_cred_t cred,
739 struct fileglob *fg,
740 struct label *label,
741 int newfd
742);
743/**
744 @brief Access control check for fcntl
745 @param cred Subject credential
746 @param fg Fileglob structure
747 @param label Policy label for fg
748 @param cmd Control operation to be performed; see fcntl(2)
749 @param arg fcnt arguments; see fcntl(2)
750
751 Determine whether the subject identified by the credential can perform
752 the file control operation indicated by cmd.
753
754 @return Return 0 if access is granted, otherwise an appropriate value for
755 errno should be returned.
756*/
757typedef int mpo_file_check_fcntl_t(
758 kauth_cred_t cred,
759 struct fileglob *fg,
760 struct label *label,
761 int cmd,
762 user_long_t arg
763);
764/**
765 @brief Access control check for mac_get_fd
766 @param cred Subject credential
767 @param fg Fileglob structure
768 @param elements Element buffer
769 @param len Length of buffer
770
771 Determine whether the subject identified by the credential should be allowed
772 to get an externalized version of the label on the object indicated by fd.
773
774 @return Return 0 if access is granted, otherwise an appropriate value for
775 errno should be returned.
776*/
777typedef int mpo_file_check_get_t(
778 kauth_cred_t cred,
779 struct fileglob *fg,
780 char *elements,
781 int len
782);
783/**
784 @brief Access control for getting the offset of a file descriptor
785 @param cred Subject credential
786 @param fg Fileglob structure
787 @param label Policy label for fg
788
789 Determine whether the subject identified by the credential can
790 get the offset of the file represented by fg.
791
792 @return Return 0 if access if granted, otherwise an appropriate
793 value for errno should be returned.
794*/
795typedef int mpo_file_check_get_offset_t(
796 kauth_cred_t cred,
797 struct fileglob *fg,
798 struct label *label
799);
800/**
801 @brief Access control for inheriting a file descriptor
802 @param cred Subject credential
803 @param fg Fileglob structure
804 @param label Policy label for fg
805
806 Determine whether the subject identified by the credential can
807 inherit the fileglob structure represented by fg.
808
809 @return Return 0 if access if granted, otherwise an appropriate
810 value for errno should be returned.
811*/
812typedef int mpo_file_check_inherit_t(
813 kauth_cred_t cred,
814 struct fileglob *fg,
815 struct label *label
816);
817/**
818 @brief Access control check for file ioctl
819 @param cred Subject credential
820 @param fg Fileglob structure
821 @param label Policy label for fg
822 @param cmd The ioctl command; see ioctl(2)
823
824 Determine whether the subject identified by the credential can perform
825 the ioctl operation indicated by cmd.
826
827 @warning Since ioctl data is opaque from the standpoint of the MAC
828 framework, policies must exercise extreme care when implementing
829 access control checks.
830
831 @return Return 0 if access is granted, otherwise an appropriate value for
832 errno should be returned.
833
834*/
835typedef int mpo_file_check_ioctl_t(
836 kauth_cred_t cred,
837 struct fileglob *fg,
838 struct label *label,
839 unsigned int cmd
840);
841/**
842 @brief Access control check for file locking
843 @param cred Subject credential
844 @param fg Fileglob structure
845 @param label Policy label for fg
846 @param op The lock operation (F_GETLK, F_SETLK, F_UNLK)
847 @param fl The flock structure
848
849 Determine whether the subject identified by the credential can perform
850 the lock operation indicated by op and fl on the file represented by fg.
851
852 @return Return 0 if access is granted, otherwise an appropriate value for
853 errno should be returned.
854
855*/
856typedef int mpo_file_check_lock_t(
857 kauth_cred_t cred,
858 struct fileglob *fg,
859 struct label *label,
860 int op,
861 struct flock *fl
862);
863/**
864 @brief Access control check for mapping a file
865 @param cred Subject credential
866 @param fg fileglob representing file to map
867 @param label Policy label associated with vp
868 @param prot mmap protections; see mmap(2)
869 @param flags Type of mapped object; see mmap(2)
870 @param maxprot Maximum rights
871
872 Determine whether the subject identified by the credential should be
873 allowed to map the file represented by fg with the protections specified
874 in prot. The maxprot field holds the maximum permissions on the new
875 mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE.
876 To avoid overriding prior access control checks, a policy should only
877 remove flags from maxprot.
878
879 @return Return 0 if access is granted, otherwise an appropriate value for
880 errno should be returned. Suggested failure: EACCES for label mismatch or
881 EPERM for lack of privilege.
882*/
883typedef int mpo_file_check_mmap_t(
884 kauth_cred_t cred,
885 struct fileglob *fg,
886 struct label *label,
887 int prot,
888 int flags,
889 int *maxprot
890);
891/**
892 @brief Downgrade the mmap protections
893 @param cred Subject credential
894 @param fg file to map
895 @param label Policy label associated with vp
896 @param prot mmap protections to be downgraded
897
898 Downgrade the mmap protections based on the subject and object labels.
899*/
900typedef void mpo_file_check_mmap_downgrade_t(
901 kauth_cred_t cred,
902 struct fileglob *fg,
903 struct label *label,
904 int *prot
905);
906/**
907 @brief Access control for receiving a file descriptor
908 @param cred Subject credential
909 @param fg Fileglob structure
910 @param label Policy label for fg
911
912 Determine whether the subject identified by the credential can
913 receive the fileglob structure represented by fg.
914
915 @return Return 0 if access if granted, otherwise an appropriate
916 value for errno should be returned.
917*/
918typedef int mpo_file_check_receive_t(
919 kauth_cred_t cred,
920 struct fileglob *fg,
921 struct label *label
922);
923/**
924 @brief Access control check for mac_set_fd
925 @param cred Subject credential
926 @param fg Fileglob structure
927 @param elements Elements buffer
928 @param len Length of elements buffer
929
930 Determine whether the subject identified by the credential can
931 perform the mac_set_fd operation. The mac_set_fd operation is used
932 to associate a MAC label with a file.
933
934 @return Return 0 if access is granted, otherwise an appropriate value for
935 errno should be returned.
936*/
937typedef int mpo_file_check_set_t(
938 kauth_cred_t cred,
939 struct fileglob *fg,
940 char *elements,
941 int len
942);
943/**
944 @brief Create file label
945 @param cred Subject credential
946 @param fg Fileglob structure
947 @param label Policy label for fg
948*/
949typedef void mpo_file_label_associate_t(
950 kauth_cred_t cred,
951 struct fileglob *fg,
952 struct label *label
953);
954/**
955 @brief Destroy file label
956 @param label The label to be destroyed
957
958 Destroy the label on a file descriptor. In this entry point, a
959 policy module should free any internal storage associated with
960 label so that it may be destroyed.
961*/
962typedef void mpo_file_label_destroy_t(
963 struct label *label
964);
965/**
966 @brief Initialize file label
967 @param label New label to initialize
968*/
969typedef void mpo_file_label_init_t(
970 struct label *label
971);
972/**
973 @brief Access control check for relabeling network interfaces
974 @param cred Subject credential
975 @param ifp network interface being relabeled
976 @param ifnetlabel Current label of the network interfaces
977 @param newlabel New label to apply to the network interfaces
978 @see mpo_ifnet_label_update_t
979
980 Determine whether the subject identified by the credential can
981 relabel the network interface represented by ifp to the supplied
982 new label (newlabel).
983
984 @return Return 0 if access is granted, otherwise an appropriate value for
985 errno should be returned.
986*/
987typedef int mpo_ifnet_check_label_update_t(
988 kauth_cred_t cred,
989 struct ifnet *ifp,
990 struct label *ifnetlabel,
991 struct label *newlabel
992);
993/**
994 @brief Access control check for relabeling network interfaces
995 @param ifp Network interface mbuf will be transmitted through
996 @param ifnetlabel Label of the network interfaces
997 @param m The mbuf to be transmitted
998 @param mbuflabel Label of the mbuf to be transmitted
999 @param family Address Family, AF_*
1000 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
1001
1002 Determine whether the mbuf with label mbuflabel may be transmitted
1003 through the network interface represented by ifp that has the
1004 label ifnetlabel.
1005
1006 @return Return 0 if access is granted, otherwise an appropriate value for
1007 errno should be returned.
1008*/
1009typedef int mpo_ifnet_check_transmit_t(
1010 struct ifnet *ifp,
1011 struct label *ifnetlabel,
1012 struct mbuf *m,
1013 struct label *mbuflabel,
1014 int family,
1015 int type
1016);
1017/**
1018 @brief Create a network interface label
1019 @param ifp Network interface labeled
1020 @param ifnetlabel Label for the network interface
1021
1022 Set the label of a newly created network interface, most likely
1023 using the information in the supplied network interface struct.
1024*/
1025typedef void mpo_ifnet_label_associate_t(
1026 struct ifnet *ifp,
1027 struct label *ifnetlabel
1028);
1029/**
1030 @brief Copy an ifnet label
1031 @param src Source ifnet label
1032 @param dest Destination ifnet label
1033
1034 Copy the label information from src to dest.
1035*/
1036typedef void mpo_ifnet_label_copy_t(
1037 struct label *src,
1038 struct label *dest
1039);
1040/**
1041 @brief Destroy ifnet label
1042 @param label The label to be destroyed
1043
1044 Destroy the label on an ifnet label. In this entry point, a
1045 policy module should free any internal storage associated with
1046 label so that it may be destroyed.
1047*/
1048typedef void mpo_ifnet_label_destroy_t(
1049 struct label *label
1050);
1051/**
1052 @brief Externalize an ifnet label
1053 @param label Label to be externalized
1054 @param element_name Name of the label namespace for which labels should be
1055 externalized
1056 @param sb String buffer to be filled with a text representation of the label
1057
1058 Produce an external representation of the label on an interface.
1059 An externalized label consists of a text representation of the
1060 label contents that can be used with user applications.
1061 Policy-agnostic user space tools will display this externalized
1062 version.
1063
1064 @return 0 on success, return non-zero if an error occurs while
1065 externalizing the label data.
1066
1067*/
1068typedef int mpo_ifnet_label_externalize_t(
1069 struct label *label,
1070 char *element_name,
1071 struct sbuf *sb
1072);
1073/**
1074 @brief Initialize ifnet label
1075 @param label New label to initialize
1076*/
1077typedef void mpo_ifnet_label_init_t(
1078 struct label *label
1079);
1080/**
1081 @brief Internalize an interface label
1082 @param label Label to be internalized
1083 @param element_name Name of the label namespace for which the label should
1084 be internalized
1085 @param element_data Text data to be internalized
1086
1087 Produce an interface label from an external representation. An
1088 externalized label consists of a text representation of the label
1089 contents that can be used with user applications. Policy-agnostic
1090 user space tools will forward text version to the kernel for
1091 processing by individual policy modules.
1092
1093 The policy's internalize entry points will be called only if the
1094 policy has registered interest in the label namespace.
1095
1096 @return 0 on success, Otherwise, return non-zero if an error occurs
1097 while internalizing the label data.
1098
1099*/
1100typedef int mpo_ifnet_label_internalize_t(
1101 struct label *label,
1102 char *element_name,
1103 char *element_data
1104);
1105/**
1106 @brief Recycle up a network interface label
1107 @param label The label to be recycled
1108
1109 Recycle a network interface label. Darwin caches the struct ifnet
1110 of detached ifnets in a "free pool". Before ifnets are returned
1111 to the "free pool", policies can cleanup or overwrite any information
1112 present in the label.
1113*/
1114typedef void mpo_ifnet_label_recycle_t(
1115 struct label *label
1116);
1117/**
1118 @brief Update a network interface label
1119 @param cred Subject credential
1120 @param ifp The network interface to be relabeled
1121 @param ifnetlabel The current label of the network interface
1122 @param newlabel A new label to apply to the network interface
1123 @see mpo_ifnet_check_label_update_t
1124
1125 Update the label on a network interface, using the supplied new label.
1126*/
1127typedef void mpo_ifnet_label_update_t(
1128 kauth_cred_t cred,
1129 struct ifnet *ifp,
1130 struct label *ifnetlabel,
1131 struct label *newlabel
1132);
1133/**
1134 @brief Access control check for delivering a packet to a socket
1135 @param inp inpcb the socket is associated with
1136 @param inplabel Label of the inpcb
1137 @param m The mbuf being received
1138 @param mbuflabel Label of the mbuf being received
1139 @param family Address family, AF_*
1140 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
1141
1142 Determine whether the mbuf with label mbuflabel may be received
1143 by the socket associated with inpcb that has the label inplabel.
1144
1145 @return Return 0 if access is granted, otherwise an appropriate value for
1146 errno should be returned.
1147*/
1148typedef int mpo_inpcb_check_deliver_t(
1149 struct inpcb *inp,
1150 struct label *inplabel,
1151 struct mbuf *m,
1152 struct label *mbuflabel,
1153 int family,
1154 int type
1155);
1156/**
1157 @brief Create an inpcb label
1158 @param so Socket containing the inpcb to be labeled
1159 @param solabel Label of the socket
1160 @param inp inpcb to be labeled
1161 @param inplabel Label for the inpcb
1162
1163 Set the label of a newly created inpcb, most likely
1164 using the information in the socket and/or socket label.
1165*/
1166typedef void mpo_inpcb_label_associate_t(
1167 struct socket *so,
1168 struct label *solabel,
1169 struct inpcb *inp,
1170 struct label *inplabel
1171);
1172/**
1173 @brief Destroy inpcb label
1174 @param label The label to be destroyed
1175
1176 Destroy the label on an inpcb label. In this entry point, a
1177 policy module should free any internal storage associated with
1178 label so that it may be destroyed.
1179*/
1180typedef void mpo_inpcb_label_destroy_t(
1181 struct label *label
1182);
1183/**
1184 @brief Initialize inpcb label
1185 @param label New label to initialize
1186 @param flag M_WAITOK or M_NOWAIT
1187*/
1188typedef int mpo_inpcb_label_init_t(
1189 struct label *label,
1190 int flag
1191);
1192/**
1193 @brief Recycle up an inpcb label
1194 @param label The label to be recycled
1195
1196 Recycle an inpcb label. Darwin allocates the inpcb as part of
1197 the socket structure in some cases. For this case we must recycle
1198 rather than destroy the inpcb as it will be reused later.
1199*/
1200typedef void mpo_inpcb_label_recycle_t(
1201 struct label *label
1202);
1203/**
1204 @brief Update an inpcb label from a socket label
1205 @param so Socket containing the inpcb to be relabeled
1206 @param solabel New label of the socket
1207 @param inp inpcb to be labeled
1208 @param inplabel Label for the inpcb
1209
1210 Set the label of a newly created inpcb due to a change in the
1211 underlying socket label.
1212*/
1213typedef void mpo_inpcb_label_update_t(
1214 struct socket *so,
1215 struct label *solabel,
1216 struct inpcb *inp,
1217 struct label *inplabel
1218);
1219/**
1220 @brief Device hardware access control
1221 @param devtype Type of device connected
1222 @param properties XML-formatted property list
1223 @param proplen Length of the property list
1224
1225 This is the MAC Framework device access control, which is called by the I/O
1226 Kit when a new device is connected to the system to determine whether that
1227 device should be trusted. A list of properties associated with the device
1228 is passed as an XML-formatted string. The routine should examine these
1229 properties to determine the trustworthiness of the device. A return value
1230 of EPERM forces the device to be claimed by a special device driver that
1231 will prevent its operation.
1232
1233 @warning This is an experimental interface and may change in the future.
1234
1235 @return Return EPERM to indicate that the device is untrusted and should
1236 not be allowed to operate. Return zero to indicate that the device is
1237 trusted and should be allowed to operate normally.
1238
1239*/
1240typedef int mpo_iokit_check_device_t(
1241 char *devtype,
1242 struct mac_module_data *mdata
1243);
6d2010ae
A		 1244/**
1245 @brief Access control check for opening an I/O Kit device
1246 @param cred Subject credential
1247 @param device_path Device path
1248 @param user_client User client instance
1249 @param user_client_type User client type
1250
1251 Determine whether the subject identified by the credential can open an
1252 I/O Kit device at the passed path of the passed user client class and
1253 type.
1254
1255 @return Return 0 if access is granted, or an appropriate value for
1256 errno should be returned.
1257*/
1258typedef int mpo_iokit_check_open_t(
1259 kauth_cred_t cred,
1260 io_object_t user_client,
1261 unsigned int user_client_type
1262);
1263/**
1264 @brief Access control check for setting I/O Kit device properties
1265 @param cred Subject credential
fe8ab488 1266 @param entry Target device
6d2010ae
A		 1267 @param properties Property list
1268
1269 Determine whether the subject identified by the credential can set
1270 properties on an I/O Kit device.
1271
1272 @return Return 0 if access is granted, or an appropriate value for
1273 errno should be returned.
1274*/
1275typedef int mpo_iokit_check_set_properties_t(
1276 kauth_cred_t cred,
1277 io_object_t entry,
1278 io_object_t properties
1279);
fe8ab488
A		 1280/**
1281 @brief Indicate desire to filter I/O Kit devices properties
1282 @param cred Subject credential
1283 @param entry Target device
1284 @see mpo_iokit_check_get_property_t
1285
1286 Indicate whether this policy may restrict the subject credential
1287 from reading properties of the target device.
1288 If a policy returns success from this entry point, the
1289 mpo_iokit_check_get_property entry point will later be called
1290 for each property that the subject credential tries to read from
1291 the target device.
1292
1293 This entry point is primarilly to optimize bulk property reads
1294 by skipping calls to the mpo_iokit_check_get_property entry point
1295 for credentials / devices no MAC policy is interested in.
1296
1297 @warning Even if a policy returns 0, it should behave correctly in
1298 the presence of an invocation of mpo_iokit_check_get_property, as that
1299 call may happen as a result of another policy requesting a transition.
1300
1301 @return Non-zero if a transition is required, 0 otherwise.
1302 */
1303typedef int mpo_iokit_check_filter_properties_t(
1304 kauth_cred_t cred,
1305 io_object_t entry
1306);
1307/**
1308 @brief Access control check for getting I/O Kit device properties
1309 @param cred Subject credential
1310 @param entry Target device
1311 @param name Property name
1312
1313 Determine whether the subject identified by the credential can get
1314 properties on an I/O Kit device.
1315
1316 @return Return 0 if access is granted, or an appropriate value for
1317 errno.
1318*/
1319typedef int mpo_iokit_check_get_property_t(
1320 kauth_cred_t cred,
1321 io_object_t entry,
1322 const char *name
1323);
6d2010ae
A		 1324/**
1325 @brief Access control check for software HID control
1326 @param cred Subject credential
1327
1328 Determine whether the subject identified by the credential can
1329 control the HID (Human Interface Device) subsystem, such as to
1330 post synthetic keypresses, pointer movement and clicks.
1331
1332 @return Return 0 if access is granted, or an appropriate value for
1333 errno.
1334*/
1335typedef int mpo_iokit_check_hid_control_t(
1336 kauth_cred_t cred
1337);
2d21ac55
A		 1338/**
1339 @brief Create an IP reassembly queue label
1340 @param fragment First received IP fragment
1341 @param fragmentlabel Policy label for fragment
1342 @param ipq IP reassembly queue to be labeled
1343 @param ipqlabel Policy label to be filled in for ipq
1344
1345 Set the label on a newly created IP reassembly queue from
1346 the mbuf header of the first received fragment.
1347*/
1348typedef void mpo_ipq_label_associate_t(
1349 struct mbuf *fragment,
1350 struct label *fragmentlabel,
1351 struct ipq *ipq,
1352 struct label *ipqlabel
1353);
1354/**
1355 @brief Compare an mbuf header label to an ipq label
1356 @param fragment IP datagram fragment
1357 @param fragmentlabel Policy label for fragment
1358 @param ipq IP fragment reassembly queue
1359 @param ipqlabel Policy label for ipq
1360
1361 Compare the label of the mbuf header containing an IP datagram
1362 (fragment) fragment with the label of the passed IP fragment
1363 reassembly queue (ipq). Return (1) for a successful match, or (0)
1364 for no match. This call is made when the IP stack attempts to
1365 find an existing fragment reassembly queue for a newly received
1366 fragment; if this fails, a new fragment reassembly queue may be
1367 instantiated for the fragment. Policies may use this entry point
1368 to prevent the reassembly of otherwise matching IP fragments if
1369 policy does not permit them to be reassembled based on the label
1370 or other information.
1371*/
1372typedef int mpo_ipq_label_compare_t(
1373 struct mbuf *fragment,
1374 struct label *fragmentlabel,
1375 struct ipq *ipq,
1376 struct label *ipqlabel
1377);
1378/**
1379 @brief Destroy IP reassembly queue label
1380 @param label The label to be destroyed
1381
1382 Destroy the label on an IP fragment queue. In this entry point, a
1383 policy module should free any internal storage associated with
1384 label so that it may be destroyed.
1385*/
1386typedef void mpo_ipq_label_destroy_t(
1387 struct label *label
1388);
1389/**
1390 @brief Initialize IP reassembly queue label
1391 @param label New label to initialize
1392 @param flag M_WAITOK or M_NOWAIT
1393
1394 Initialize the label on a newly instantiated IP fragment reassembly
1395 queue. The flag field may be one of M_WAITOK and M_NOWAIT, and
1396 should be employed to avoid performing a sleeping malloc(9) during
1397 this initialization call. IP fragment reassembly queue allocation
1398 frequently occurs in performance sensitive environments, and the
1399 implementation should be careful to avoid sleeping or long-lived
1400 operations. This entry point is permitted to fail resulting in
1401 the failure to allocate the IP fragment reassembly queue.
1402*/
1403typedef int mpo_ipq_label_init_t(
1404 struct label *label,
1405 int flag
1406);
1407/**
1408 @brief Update the label on an IP fragment reassembly queue
1409 @param fragment IP fragment
1410 @param fragmentlabel Policy label for fragment
1411 @param ipq IP fragment reassembly queue
1412 @param ipqlabel Policy label to be updated for ipq
1413
1414 Update the label on an IP fragment reassembly queue (ipq) based
1415 on the acceptance of the passed IP fragment mbuf header (fragment).
1416*/
1417typedef void mpo_ipq_label_update_t(
1418 struct mbuf *fragment,
1419 struct label *fragmentlabel,
1420 struct ipq *ipq,
1421 struct label *ipqlabel
1422);
1423/**
1424 @brief Access control check for relabelling Login Context
1425 @param l Subject credential
1426 @param newlabel New label to apply to the Login Context
1427 @see mpo_lctx_label_update_t
1428 @see mac_set_lcid
1429 @see mac_set_lctx
1430
1431 Determine whether the subject identified by the credential can relabel
1432 itself to the supplied new label (newlabel). This access control check
1433 is called when the mac_set_lctx/lcid system call is invoked. A user space
1434 application will supply a new value, the value will be internalized
1435 and provided in newlabel.
1436
1437 @return Return 0 if access is granted, otherwise an appropriate value for
1438 errno should be returned.
1439*/
1440typedef int mpo_lctx_check_label_update_t(
1441 struct lctx *l,
1442 struct label *newlabel
1443);
1444/**
1445 @brief Destroy Login Context label
1446 @param label The label to be destroyed
1447*/
1448typedef void mpo_lctx_label_destroy_t(
1449 struct label *label
1450);
1451/**
1452 @brief Externalize a Login Context label
1453 @param label Label to be externalized
1454 @param element_name Name of the label namespace for which labels should be
1455 externalized
1456 @param sb String buffer to be filled with a text representation of the label
1457
1458 Produce an external representation of the label on a Login Context.
1459 An externalized label consists of a text representation
1460 of the label contents that can be used with user applications.
1461 Policy-agnostic user space tools will display this externalized
1462 version.
1463
1464 @return 0 on success, return non-zero if an error occurs while
1465 externalizing the label data.
1466
1467*/
1468typedef int mpo_lctx_label_externalize_t(
1469 struct label *label,
1470 char *element_name,
1471 struct sbuf *sb
1472);
1473/**
1474 @brief Initialize Login Context label
1475 @param label New label to initialize
1476*/
1477typedef void mpo_lctx_label_init_t(
1478 struct label *label
1479);
1480/**
1481 @brief Internalize a Login Context label
1482 @param label Label to be internalized
1483 @param element_name Name of the label namespace for which the label should
1484 be internalized
1485 @param element_data Text data to be internalized
1486
1487 Produce a Login Context label from an external representation. An
1488 externalized label consists of a text representation of the label
1489 contents that can be used with user applications. Policy-agnostic
1490 user space tools will forward text version to the kernel for
1491 processing by individual policy modules.
1492
1493 The policy's internalize entry points will be called only if the
1494 policy has registered interest in the label namespace.
1495
1496 @return 0 on success, Otherwise, return non-zero if an error occurs
1497 while internalizing the label data.
1498
1499*/
1500typedef int mpo_lctx_label_internalize_t(
1501 struct label *label,
1502 char *element_name,
1503 char *element_data
1504);
1505/**
1506 @brief Update a Login Context label
1507 @param l
1508 @param newlabel A new label to apply to the Login Context
1509 @see mpo_lctx_check_label_update_t
1510 @see mac_set_lcid
1511 @see mac_set_lctx
1512
1513 Update the label on a login context, using the supplied new label.
1514 This is called as a result of a login context relabel operation. Access
1515 control was already confirmed by mpo_lctx_check_label_update.
1516*/
1517typedef void mpo_lctx_label_update_t(
1518 struct lctx *l,
1519 struct label *newlabel
1520);
1521/**
1522 @brief A process has created a login context
1523 @param p Subject
1524 @param l Login Context
1525
1526 When a process creates a login context (via setlcid()) this entrypoint
1527 is called to notify the policy that the process 'p' has created login
1528 context 'l'.
1529*/
1530typedef void mpo_lctx_notify_create_t(
1531 struct proc *p,
1532 struct lctx *l
1533);
1534/**
1535 @brief A process has joined a login context
1536 @param p Subject
1537 @param l Login Context
1538
1539 When a process joins a login context, either via setlcid() or via
1540 fork() this entrypoint is called to notify the policy that process
1541 'p' is now a member of login context 'l'.
1542*/
1543typedef void mpo_lctx_notify_join_t(
1544 struct proc *p,
1545 struct lctx *l
1546);
1547/**
1548 @brief A process has left a login context
1549 @param p Subject
1550 @param l Login Context
1551
1552 When a process leaves a login context either via setlcid() or as a
1553 result of the process exiting this entrypoint is called to notify
1554 the policy that the process 'p' is no longer a member of login context 'l'.
1555*/
1556typedef void mpo_lctx_notify_leave_t(
1557 struct proc *p,
1558 struct lctx *l
1559);
1560/**
1561 @brief Assign a label to a new mbuf
1562 @param bpf_d BPF descriptor
1563 @param b_label Policy label for bpf_d
1564 @param m Object; mbuf
1565 @param m_label Policy label to fill in for m
1566
1567 Set the label on the mbuf header of a newly created datagram
1568 generated using the passed BPF descriptor. This call is made when
1569 a write is performed to the BPF device associated with the passed
1570 BPF descriptor.
1571*/
1572typedef void mpo_mbuf_label_associate_bpfdesc_t(
1573 struct bpf_d *bpf_d,
1574 struct label *b_label,
1575 struct mbuf *m,
1576 struct label *m_label
1577);
1578/**
1579 @brief Assign a label to a new mbuf
1580 @param ifp Interface descriptor
1581 @param i_label Existing label of ifp
1582 @param m Object; mbuf
1583 @param m_label Policy label to fill in for m
1584
1585 Label an mbuf based on the interface from which it was received.
1586*/
1587typedef void mpo_mbuf_label_associate_ifnet_t(
1588 struct ifnet *ifp,
1589 struct label *i_label,
1590 struct mbuf *m,
1591 struct label *m_label
1592);
1593/**
1594 @brief Assign a label to a new mbuf
1595 @param inp inpcb structure
1596 @param i_label Existing label of inp
1597 @param m Object; mbuf
1598 @param m_label Policy label to fill in for m
1599
1600 Label an mbuf based on the inpcb from which it was derived.
1601*/
1602typedef void mpo_mbuf_label_associate_inpcb_t(
1603 struct inpcb *inp,
1604 struct label *i_label,
1605 struct mbuf *m,
1606 struct label *m_label
1607);
1608/**
1609 @brief Set the label on a newly reassembled IP datagram
1610 @param ipq IP fragment reassembly queue
1611 @param ipqlabel Policy label for ipq
1612 @param mbuf IP datagram to be labeled
1613 @param mbuflabel Policy label to be filled in for mbuf
1614
1615 Set the label on a newly reassembled IP datagram (mbuf) from the IP
1616 fragment reassembly queue (ipq) from which it was generated.
1617*/
1618typedef void mpo_mbuf_label_associate_ipq_t(
1619 struct ipq *ipq,
1620 struct label *ipqlabel,
1621 struct mbuf *mbuf,
1622 struct label *mbuflabel
1623);
1624/**
1625 @brief Assign a label to a new mbuf
1626 @param ifp Subject; network interface
1627 @param i_label Existing label of ifp
1628 @param m Object; mbuf
1629 @param m_label Policy label to fill in for m
1630
1631 Set the label on the mbuf header of a newly created datagram
1632 generated for the purposes of a link layer response for the passed
1633 interface. This call may be made in a number of situations, including
1634 for ARP or ND6 responses in the IPv4 and IPv6 stacks.
1635*/
1636typedef void mpo_mbuf_label_associate_linklayer_t(
1637 struct ifnet *ifp,
1638 struct label *i_label,
1639 struct mbuf *m,
1640 struct label *m_label
1641);
1642/**
1643 @brief Assign a label to a new mbuf
1644 @param oldmbuf mbuf headerder for existing datagram for existing datagram
1645 @param oldmbuflabel Policy label for oldmbuf
1646 @param ifp Network interface
1647 @param ifplabel Policy label for ifp
1648 @param newmbuf mbuf header to be labeled for new datagram
1649 @param newmbuflabel Policy label for newmbuf
1650
1651 Set the label on the mbuf header of a newly created datagram
1652 generated from the existing passed datagram when it is processed
1653 by the passed multicast encapsulation interface. This call is made
1654 when an mbuf is to be delivered using the virtual interface.
1655*/
1656typedef void mpo_mbuf_label_associate_multicast_encap_t(
1657 struct mbuf *oldmbuf,
1658 struct label *oldmbuflabel,
1659 struct ifnet *ifp,
1660 struct label *ifplabel,
1661 struct mbuf *newmbuf,
1662 struct label *newmbuflabel
1663);
1664/**
1665 @brief Assign a label to a new mbuf
1666 @param oldmbuf Received datagram
1667 @param oldmbuflabel Policy label for oldmbuf
1668 @param newmbuf Newly created datagram
1669 @param newmbuflabel Policy label for newmbuf
1670
1671 Set the label on the mbuf header of a newly created datagram generated
1672 by the IP stack in response to an existing received datagram (oldmbuf).
1673 This call may be made in a number of situations, including when responding
1674 to ICMP request datagrams.
1675*/
1676typedef void mpo_mbuf_label_associate_netlayer_t(
1677 struct mbuf *oldmbuf,
1678 struct label *oldmbuflabel,
1679 struct mbuf *newmbuf,
1680 struct label *newmbuflabel
1681);
1682/**
1683 @brief Assign a label to a new mbuf
1684 @param so Socket to label
1685 @param so_label Policy label for socket
1686 @param m Object; mbuf
1687 @param m_label Policy label to fill in for m
1688
1689 An mbuf structure is used to store network traffic in transit.
1690 When an application sends data to a socket or a pipe, it is wrapped
1691 in an mbuf first. This function sets the label on a newly created mbuf header
1692 based on the socket sending the data. The contents of the label should be
1693 suitable for performing an access check on the receiving side of the
1694 communication.
1695
1696 Only labeled MBUFs will be presented to the policy via this entrypoint.
1697*/
1698typedef void mpo_mbuf_label_associate_socket_t(
1699 socket_t so,
1700 struct label *so_label,
1701 struct mbuf *m,
1702 struct label *m_label
1703);
1704/**
1705 @brief Copy a mbuf label
1706 @param src Source label
1707 @param dest Destination label
1708
1709 Copy the mbuf label information in src into dest.
1710
1711 Only called when both source and destination mbufs have labels.
1712*/
1713typedef void mpo_mbuf_label_copy_t(
1714 struct label *src,
1715 struct label *dest
1716);
1717/**
1718 @brief Destroy mbuf label
1719 @param label The label to be destroyed
1720
1721 Destroy a mbuf label. Since the
1722 object is going out of scope, policy modules should free any
1723 internal storage associated with the label so that it may be
1724 destroyed.
1725*/
1726typedef void mpo_mbuf_label_destroy_t(
1727 struct label *label
1728);
1729/**
1730 @brief Initialize mbuf label
1731 @param label New label to initialize
1732 @param flag Malloc flags
1733
1734 Initialize the label for a newly instantiated mbuf.
1735
1736 @warning Since it is possible for the flags to be set to
1737 M_NOWAIT, the malloc operation may fail.
1738
1739 @return On success, 0, otherwise, an appropriate errno return value.
1740*/
1741typedef int mpo_mbuf_label_init_t(
1742 struct label *label,
1743 int flag
1744);
1745/**
1746 @brief Access control check for fsctl
1747 @param cred Subject credential
1748 @param mp The mount point
1749 @param label Label associated with the mount point
1750 @param com Filesystem-dependent request code; see fsctl(2)
1751
1752 Determine whether the subject identified by the credential can perform
1753 the volume operation indicated by com.
1754
1755 @warning The fsctl() system call is directly analogous to ioctl(); since
1756 the associated data is opaque from the standpoint of the MAC framework
1757 and since these operations can affect many aspects of system operation,
1758 policies must exercise extreme care when implementing access control checks.
1759
1760 @return Return 0 if access is granted, otherwise an appropriate value for
1761 errno should be returned.
1762*/
1763typedef int mpo_mount_check_fsctl_t(
1764 kauth_cred_t cred,
1765 struct mount *mp,
1766 struct label *label,
1767 unsigned int cmd
1768);
1769/**
1770 @brief Access control check for the retrieval of file system attributes
1771 @param cred Subject credential
1772 @param mp The mount structure of the file system
1773 @param vfa The attributes requested
1774
1775 This entry point determines whether given subject can get information
1776 about the given file system. This check happens during statfs() syscalls,
1777 but is also used by other parts within the kernel such as the audit system.
1778
1779 @return Return 0 if access is granted, otherwise an appropriate value for
1780 errno should be returned.
1781*/
1782
1783typedef int mpo_mount_check_getattr_t(
1784 kauth_cred_t cred,
1785 struct mount *mp,
1786 struct label *mp_label,
1787 struct vfs_attr *vfa
1788);
1789/**
1790 @brief Access control check for mount point relabeling
1791 @param cred Subject credential
1792 @param mp Object file system mount point
1793 @param mntlabel Policy label for fle system mount point
1794
1795 Determine whether the subject identified by the credential can relabel
1796 the mount point. This call is made when a file system mount is updated.
1797
1798 @return Return 0 if access is granted, otherwise an appropriate value for
1799 errno should be returned. Suggested failure: EACCES for label mismatch
1800 or EPERM for lack of privilege.
1801*/
1802typedef int mpo_mount_check_label_update_t(
1803 kauth_cred_t cred,
1804 struct mount *mp,
1805 struct label *mntlabel
1806);
1807/**
1808 @brief Access control check for mounting a file system
1809 @param cred Subject credential
1810 @param vp Vnode that is to be the mount point
1811 @param vlabel Label associated with the vnode
1812 @param cnp Component name for vp
1813 @param vfc_name Filesystem type name
1814
1815 Determine whether the subject identified by the credential can perform
1816 the mount operation on the target vnode.
1817
1818 @return Return 0 if access is granted, otherwise an appropriate value for
1819 errno should be returned.
1820*/
1821typedef int mpo_mount_check_mount_t(
1822 kauth_cred_t cred,
1823 struct vnode *vp,
1824 struct label *vlabel,
1825 struct componentname *cnp,
1826 const char *vfc_name
1827);
1828/**
1829 @brief Access control check remounting a filesystem
1830 @param cred Subject credential
1831 @param mp The mount point
1832 @param mlabel Label currently associated with the mount point
1833
1834 Determine whether the subject identified by the credential can perform
1835 the remount operation on the target vnode.
1836
1837 @return Return 0 if access is granted, otherwise an appropriate value for
1838 errno should be returned.
1839*/
1840typedef int mpo_mount_check_remount_t(
1841 kauth_cred_t cred,
1842 struct mount *mp,
1843 struct label *mlabel
1844);
1845/**
1846 @brief Access control check for the settting of file system attributes
1847 @param cred Subject credential
1848 @param mp The mount structure of the file system
1849 @param vfa The attributes requested
1850
1851 This entry point determines whether given subject can set information
1852 about the given file system, for example the volume name.
1853
1854 @return Return 0 if access is granted, otherwise an appropriate value for
1855 errno should be returned.
1856*/
1857
1858typedef int mpo_mount_check_setattr_t(
1859 kauth_cred_t cred,
1860 struct mount *mp,
1861 struct label *mp_label,
1862 struct vfs_attr *vfa
1863);
1864/**
1865 @brief Access control check for file system statistics
1866 @param cred Subject credential
1867 @param mp Object file system mount
1868 @param mntlabel Policy label for mp
1869
1870 Determine whether the subject identified by the credential can see
1871 the results of a statfs performed on the file system. This call may
1872 be made in a number of situations, including during invocations of
1873 statfs(2) and related calls, as well as to determine what file systems
1874 to exclude from listings of file systems, such as when getfsstat(2)
1875 is invoked.
1876
1877 @return Return 0 if access is granted, otherwise an appropriate value for
1878 errno should be returned. Suggested failure: EACCES for label mismatch
1879 or EPERM for lack of privilege.
1880*/
1881typedef int mpo_mount_check_stat_t(
1882 kauth_cred_t cred,
1883 struct mount *mp,
1884 struct label *mntlabel
1885);
1886/**
1887 @brief Access control check for unmounting a filesystem
1888 @param cred Subject credential
1889 @param mp The mount point
1890 @param mlabel Label associated with the mount point
1891
1892 Determine whether the subject identified by the credential can perform
1893 the unmount operation on the target vnode.
1894
1895 @return Return 0 if access is granted, otherwise an appropriate value for
1896 errno should be returned.
1897*/
1898typedef int mpo_mount_check_umount_t(
1899 kauth_cred_t cred,
1900 struct mount *mp,
1901 struct label *mlabel
1902);
1903/**
1904 @brief Create mount labels
1905 @param cred Subject credential
1906 @param mp Mount point of file system being mounted
1907 @param mntlabel Label to associate with the new mount point
1908 @see mpo_mount_label_init_t
1909
1910 Fill out the labels on the mount point being created by the supplied
1911 user credential. This call is made when file systems are first mounted.
1912*/
1913typedef void mpo_mount_label_associate_t(
1914 kauth_cred_t cred,
1915 struct mount *mp,
1916 struct label *mntlabel
1917);
1918/**
1919 @brief Destroy mount label
1920 @param label The label to be destroyed
1921
1922 Destroy a file system mount label. Since the
1923 object is going out of scope, policy modules should free any
1924 internal storage associated with the label so that it may be
1925 destroyed.
1926*/
1927typedef void mpo_mount_label_destroy_t(
1928 struct label *label
1929);
1930/**
1931 @brief Externalize a mount point label
1932 @param label Label to be externalized
1933 @param element_name Name of the label namespace for which labels should be
1934 externalized
1935 @param sb String buffer to be filled with a text representation of the label
1936
1937 Produce an external representation of the mount point label. An
1938 externalized label consists of a text representation of the label
1939 contents that can be used with user applications. Policy-agnostic
1940 user space tools will display this externalized version.
1941
1942 The policy's externalize entry points will be called only if the
1943 policy has registered interest in the label namespace.
1944
1945 @return 0 on success, return non-zero if an error occurs while
1946 externalizing the label data.
1947
1948*/
1949typedef int mpo_mount_label_externalize_t(
1950 struct label *label,
1951 char *element_name,
1952 struct sbuf *sb
1953);
1954/**
1955 @brief Initialize mount point label
1956 @param label New label to initialize
1957
1958 Initialize the label for a newly instantiated mount structure.
1959 This label is typically used to store a default label in the case
1960 that the file system has been mounted singlelabel. Since some
1961 file systems do not support persistent labels (extended attributes)
1962 or are read-only (such as CD-ROMs), it is often necessary to store
1963 a default label separately from the label of the mount point
1964 itself. Sleeping is permitted.
1965*/
1966typedef void mpo_mount_label_init_t(
1967 struct label *label
1968);
1969/**
1970 @brief Internalize a mount point label
1971 @param label Label to be internalized
1972 @param element_name Name of the label namespace for which the label should
1973 be internalized
1974 @param element_data Text data to be internalized
1975
1976 Produce a mount point file system label from an external representation.
1977 An externalized label consists of a text representation of the label
1978 contents that can be used with user applications. Policy-agnostic
1979 user space tools will forward text version to the kernel for
1980 processing by individual policy modules.
1981
1982 The policy's internalize entry points will be called only if the
1983 policy has registered interest in the label namespace.
1984
1985 @return 0 on success, Otherwise, return non-zero if an error occurs
1986 while internalizing the label data.
1987
1988*/
1989typedef int mpo_mount_label_internalize_t(
1990 struct label *label,
1991 char *element_name,
1992 char *element_data
1993);
1994/**
1995 @brief Set the label on an IPv4 datagram fragment
1996 @param datagram Datagram being fragmented
1997 @param datagramlabel Policy label for datagram
1998 @param fragment New fragment
1999 @param fragmentlabel Policy label for fragment
2000
2001 Called when an IPv4 datagram is fragmented into several smaller datagrams.
2002 Policies implementing mbuf labels will typically copy the label from the
2003 source datagram to the new fragment.
2004*/
2005typedef void mpo_netinet_fragment_t(
2006 struct mbuf *datagram,
2007 struct label *datagramlabel,
2008 struct mbuf *fragment,
2009 struct label *fragmentlabel
2010);
2011/**
2012 @brief Set the label on an ICMP reply
2013 @param m mbuf containing the ICMP reply
2014 @param mlabel Policy label for m
2015
2016 A policy may wish to update the label of an mbuf that refers to
2017 an ICMP packet being sent in response to an IP packet. This may
2018 be called in response to a bad packet or an ICMP request.
2019*/
2020typedef void mpo_netinet_icmp_reply_t(
2021 struct mbuf *m,
2022 struct label *mlabel
2023);
2024/**
2025 @brief Set the label on a TCP reply
2026 @param m mbuf containing the TCP reply
2027 @param mlabel Policy label for m
2028
2029 Called for outgoing TCP packets not associated with an actual socket.
2030*/
2031typedef void mpo_netinet_tcp_reply_t(
2032 struct mbuf *m,
2033 struct label *mlabel
2034);
2035/**
2036 @brief Access control check for pipe ioctl
2037 @param cred Subject credential
2038 @param cpipe Object to be accessed
2039 @param pipelabel The label on the pipe
2040 @param cmd The ioctl command; see ioctl(2)
2041
2042 Determine whether the subject identified by the credential can perform
2043 the ioctl operation indicated by cmd.
2044
2045 @warning Since ioctl data is opaque from the standpoint of the MAC
2046 framework, policies must exercise extreme care when implementing
2047 access control checks.
2048
2049 @return Return 0 if access is granted, otherwise an appropriate value for
2050 errno should be returned.
2051
2052*/
2053typedef int mpo_pipe_check_ioctl_t(
2054 kauth_cred_t cred,
2055 struct pipe *cpipe,
2056 struct label *pipelabel,
2057 unsigned int cmd
2058);
2059/**
2060 @brief Access control check for pipe kqfilter
2061 @param cred Subject credential
2062 @param kn Object knote
2063 @param cpipe Object to be accessed
2064 @param pipelabel Policy label for the pipe
2065
2066 Determine whether the subject identified by the credential can
2067 receive the knote on the passed pipe.
2068
2069 @return Return 0 if access if granted, otherwise an appropriate
2070 value for errno should be returned.
2071*/
2072typedef int mpo_pipe_check_kqfilter_t(
2073 kauth_cred_t cred,
2074 struct knote *kn,
2075 struct pipe *cpipe,
2076 struct label *pipelabel
2077);
2078/**
2079 @brief Access control check for pipe relabel
2080 @param cred Subject credential
2081 @param cpipe Object to be accessed
2082 @param pipelabel The current label on the pipe
2083 @param newlabel The new label to be used
2084
2085 Determine whether the subject identified by the credential can
2086 perform a relabel operation on the passed pipe. The cred object holds
2087 the credentials of the subject performing the operation.
2088
2089 @return Return 0 if access is granted, otherwise an appropriate value for
2090 errno should be returned.
2091
2092*/
2093typedef int mpo_pipe_check_label_update_t(
2094 kauth_cred_t cred,
2095 struct pipe *cpipe,
2096 struct label *pipelabel,
2097 struct label *newlabel
2098);
2099/**
2100 @brief Access control check for pipe read
2101 @param cred Subject credential
2102 @param cpipe Object to be accessed
2103 @param pipelabel The label on the pipe
2104
2105 Determine whether the subject identified by the credential can
2106 perform a read operation on the passed pipe. The cred object holds
2107 the credentials of the subject performing the operation.
2108
2109 @return Return 0 if access is granted, otherwise an appropriate value for
2110 errno should be returned.
2111
2112*/
2113typedef int mpo_pipe_check_read_t(
2114 kauth_cred_t cred,
2115 struct pipe *cpipe,
2116 struct label *pipelabel
2117);
2118/**
2119 @brief Access control check for pipe select
2120 @param cred Subject credential
2121 @param cpipe Object to be accessed
2122 @param pipelabel The label on the pipe
2123 @param which The operation selected on: FREAD or FWRITE
2124
2125 Determine whether the subject identified by the credential can
2126 perform a select operation on the passed pipe. The cred object holds
2127 the credentials of the subject performing the operation.
2128
2129 @return Return 0 if access is granted, otherwise an appropriate value for
2130 errno should be returned.
2131
2132*/
2133typedef int mpo_pipe_check_select_t(
2134 kauth_cred_t cred,
2135 struct pipe *cpipe,
2136 struct label *pipelabel,
2137 int which
2138);
2139/**
2140 @brief Access control check for pipe stat
2141 @param cred Subject credential
2142 @param cpipe Object to be accessed
2143 @param pipelabel The label on the pipe
2144
2145 Determine whether the subject identified by the credential can
2146 perform a stat operation on the passed pipe. The cred object holds
2147 the credentials of the subject performing the operation.
2148
2149 @return Return 0 if access is granted, otherwise an appropriate value for
2150 errno should be returned.
2151
2152*/
2153typedef int mpo_pipe_check_stat_t(
2154 kauth_cred_t cred,
2155 struct pipe *cpipe,
2156 struct label *pipelabel
2157);
2158/**
2159 @brief Access control check for pipe write
2160 @param cred Subject credential
2161 @param cpipe Object to be accessed
2162 @param pipelabel The label on the pipe
2163
2164 Determine whether the subject identified by the credential can
2165 perform a write operation on the passed pipe. The cred object holds
2166 the credentials of the subject performing the operation.
2167
2168 @return Return 0 if access is granted, otherwise an appropriate value for
2169 errno should be returned.
2170
2171*/
2172typedef int mpo_pipe_check_write_t(
2173 kauth_cred_t cred,
2174 struct pipe *cpipe,
2175 struct label *pipelabel
2176);
2177/**
2178 @brief Create a pipe label
2179 @param cred Subject credential
2180 @param cpipe object to be labeled
2181 @param label Label for the pipe object
2182
2183 Create a label for the pipe object being created by the supplied
2184 user credential. This call is made when the pipe is being created
2185 XXXPIPE(for one or both sides of the pipe?).
2186
2187*/
2188typedef void mpo_pipe_label_associate_t(
2189 kauth_cred_t cred,
2190 struct pipe *cpipe,
2191 struct label *pipelabel
2192);
2193/**
2194 @brief Copy a pipe label
2195 @param src Source pipe label
2196 @param dest Destination pipe label
2197
2198 Copy the pipe label associated with src to dest.
2199 XXXPIPE Describe when this is used: most likely during pipe creation to
2200 copy from rpipe to wpipe.
2201*/
2202typedef void mpo_pipe_label_copy_t(
2203 struct label *src,
2204 struct label *dest
2205);
2206/**
2207 @brief Destroy pipe label
2208 @param label The label to be destroyed
2209
2210 Destroy a pipe label. Since the object is going out of scope,
2211 policy modules should free any internal storage associated with the
2212 label so that it may be destroyed.
2213*/
2214typedef void mpo_pipe_label_destroy_t(
2215 struct label *label
2216);
2217/**
2218 @brief Externalize a pipe label
2219 @param label Label to be externalized
2220 @param element_name Name of the label namespace for which labels should be
2221 externalized
2222 @param sb String buffer to be filled with a text representation of the label
2223
2224 Produce an external representation of the label on a pipe.
2225 An externalized label consists of a text representation
2226 of the label contents that can be used with user applications.
2227 Policy-agnostic user space tools will display this externalized
2228 version.
2229
2230 The policy's externalize entry points will be called only if the
2231 policy has registered interest in the label namespace.
2232
2233 @return 0 on success, return non-zero if an error occurs while
2234 externalizing the label data.
2235
2236*/
2237typedef int mpo_pipe_label_externalize_t(
2238 struct label *label,
2239 char *element_name,
2240 struct sbuf *sb
2241);
2242/**
2243 @brief Initialize pipe label
2244 @param label New label to initialize
2245
2246 Initialize label storage for use with a newly instantiated pipe object.
2247 Sleeping is permitted.
2248*/
2249typedef void mpo_pipe_label_init_t(
2250 struct label *label
2251);
2252/**
2253 @brief Internalize a pipe label
2254 @param label Label to be internalized
2255 @param element_name Name of the label namespace for which the label should
2256 be internalized
2257 @param element_data Text data to be internalized
2258
2259 Produce a pipe label from an external representation. An
2260 externalized label consists of a text representation of the label
2261 contents that can be used with user applications. Policy-agnostic
2262 user space tools will forward text version to the kernel for
2263 processing by individual policy modules.
2264
2265 The policy's internalize entry points will be called only if the
2266 policy has registered interest in the label namespace.
2267
2268 @return 0 on success, Otherwise, return non-zero if an error occurs
2269 while internalizing the label data.
2270
2271*/
2272typedef int mpo_pipe_label_internalize_t(
2273 struct label *label,
2274 char *element_name,
2275 char *element_data
2276);
2277/**
2278 @brief Update a pipe label
2279 @param cred Subject credential
2280 @param cpipe Object to be labeled
2281 @param oldlabel Existing pipe label
2282 @param newlabel New label to replace existing label
2283 @see mpo_pipe_check_label_update_t
2284
2285 The subject identified by the credential has previously requested
2286 and was authorized to relabel the pipe; this entry point allows
2287 policies to perform the actual relabel operation. Policies should
2288 update oldlabel using the label stored in the newlabel parameter.
2289
2290*/
2291typedef void mpo_pipe_label_update_t(
2292 kauth_cred_t cred,
2293 struct pipe *cpipe,
2294 struct label *oldlabel,
2295 struct label *newlabel
2296);
2297/**
2298 @brief Policy unload event
2299 @param mpc MAC policy configuration
2300
2301 This is the MAC Framework policy unload event. This entry point will
2302 only be called if the module's policy configuration allows unload (if
2303 the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't
2304 want to be unloaded; they should set their flags to prevent this
2305 entry point from being called.
2306
2307 @warning During this call, the mac policy list mutex is held, so
2308 sleep operations cannot be performed, and calls out to other kernel
2309 subsystems must be made with caution.
2310
2311 @see MPC_LOADTIME_FLAG_UNLOADOK
2312*/
2313typedef void mpo_policy_destroy_t(
2314 struct mac_policy_conf *mpc
2315);
2316/**
2317 @brief Policy initialization event
2318 @param mpc MAC policy configuration
2319 @see mac_policy_register
2320 @see mpo_policy_initbsd_t
2321
2322 This is the MAC Framework policy initialization event. This entry
2323 point is called during mac_policy_register, when the policy module
2324 is first registered with the MAC Framework. This is often done very
2325 early in the boot process, after the kernel Mach subsystem has been
2326 initialized, but prior to the BSD subsystem being initialized.
2327 Since the kernel BSD services are not yet available, it is possible
2328 that some initialization must occur later, possibly in the
2329 mpo_policy_initbsd_t policy entry point, such as registering BSD system
2330 controls (sysctls). Policy modules loaded at boot time will be
2331 registered and initialized before labeled Mach objects are created.
2332
2333 @warning During this call, the mac policy list mutex is held, so
2334 sleep operations cannot be performed, and calls out to other kernel
2335 subsystems must be made with caution.
2336*/
2337typedef void mpo_policy_init_t(
2338 struct mac_policy_conf *mpc
2339);
2340/**
2341 @brief Policy BSD initialization event
2342 @param mpc MAC policy configuration
2343 @see mpo_policy_init_t
2344
2345 This entry point is called after the kernel BSD subsystem has been
2346 initialized. By this point, the module should already be loaded,
2347 registered, and initialized. Since policy modules are initialized
2348 before kernel BSD services are available, this second initialization
2349 phase is necessary. At this point, BSD services (memory management,
2350 synchronization primitives, vfs, etc.) are available, but the first
2351 process has not yet been created. Mach-related objects and tasks
2352 will already be fully initialized and may be in use--policies requiring
2353 ubiquitous labeling may also want to implement mpo_policy_init_t.
2354
2355 @warning During this call, the mac policy list mutex is held, so
2356 sleep operations cannot be performed, and calls out to other kernel
2357 subsystems must be made with caution.
2358*/
2359typedef void mpo_policy_initbsd_t(
2360 struct mac_policy_conf *mpc
2361);
2362/**
2363 @brief Policy extension service
2364 @param p Calling process
2365 @param call Policy-specific syscall number
2366 @param arg Pointer to syscall arguments
2367
2368 This entry point provides a policy-multiplexed system call so that
2369 policies may provide additional services to user processes without
2370 registering specific system calls. The policy name provided during
2371 registration is used to demux calls from userland, and the arguments
2372 will be forwarded to this entry point. When implementing new
2373 services, security modules should be sure to invoke appropriate
2374 access control checks from the MAC framework as needed. For
2375 example, if a policy implements an augmented signal functionality,
2376 it should call the necessary signal access control checks to invoke
2377 the MAC framework and other registered policies.
2378
2379 @warning Since the format and contents of the policy-specific
2380 arguments are unknown to the MAC Framework, modules must perform the
2381 required copyin() of the syscall data on their own. No policy
2382 mediation is performed, so policies must perform any necessary
2383 access control checks themselves. If multiple policies are loaded,
2384 they will currently be unable to mediate calls to other policies.
2385
2386 @return In the event of an error, an appropriate value for errno
2387 should be returned, otherwise return 0 upon success.
2388*/
2389typedef int mpo_policy_syscall_t(
2390 struct proc *p,
2391 int call,
2392 user_addr_t arg
2393);
2d21ac55
A		 2394/**
2395 @brief Access control check for POSIX semaphore create
2396 @param cred Subject credential
2397 @param name String name of the semaphore
2398
2399 Determine whether the subject identified by the credential can create
2400 a POSIX semaphore specified by name.
2401
2402 @return Return 0 if access is granted, otherwise an appropriate value for
2403 errno should be returned.
2404*/
2405typedef int mpo_posixsem_check_create_t(
2406 kauth_cred_t cred,
2407 const char *name
2408);
2409/**
2410 @brief Access control check for POSIX semaphore open
2411 @param cred Subject credential
2412 @param ps Pointer to semaphore information structure
2413 @param semlabel Label associated with the semaphore
2414
2415 Determine whether the subject identified by the credential can open
2416 the named POSIX semaphore with label semlabel.
2417
2418 @return Return 0 if access is granted, otherwise an appropriate value for
2419 errno should be returned.
2420*/
2421typedef int mpo_posixsem_check_open_t(
2422 kauth_cred_t cred,
2423 struct pseminfo *ps,
2424 struct label *semlabel
2425);
2426/**
2427 @brief Access control check for POSIX semaphore post
2428 @param cred Subject credential
2429 @param ps Pointer to semaphore information structure
2430 @param semlabel Label associated with the semaphore
2431
2432 Determine whether the subject identified by the credential can unlock
2433 the named POSIX semaphore with label semlabel.
2434
2435 @return Return 0 if access is granted, otherwise an appropriate value for
2436 errno should be returned.
2437*/
2438typedef int mpo_posixsem_check_post_t(
2439 kauth_cred_t cred,
2440 struct pseminfo *ps,
2441 struct label *semlabel
2442);
2443/**
2444 @brief Access control check for POSIX semaphore unlink
2445 @param cred Subject credential
2446 @param ps Pointer to semaphore information structure
2447 @param semlabel Label associated with the semaphore
2448 @param name String name of the semaphore
2449
2450 Determine whether the subject identified by the credential can remove
2451 the named POSIX semaphore with label semlabel.
2452
2453 @return Return 0 if access is granted, otherwise an appropriate value for
2454 errno should be returned.
2455*/
2456typedef int mpo_posixsem_check_unlink_t(
2457 kauth_cred_t cred,
2458 struct pseminfo *ps,
2459 struct label *semlabel,
2460 const char *name
2461);
2462/**
2463 @brief Access control check for POSIX semaphore wait
2464 @param cred Subject credential
2465 @param ps Pointer to semaphore information structure
2466 @param semlabel Label associated with the semaphore
2467
2468 Determine whether the subject identified by the credential can lock
2469 the named POSIX semaphore with label semlabel.
2470
2471 @return Return 0 if access is granted, otherwise an appropriate value for
2472 errno should be returned.
2473*/
2474typedef int mpo_posixsem_check_wait_t(
2475 kauth_cred_t cred,
2476 struct pseminfo *ps,
2477 struct label *semlabel
2478);
2479/**
2480 @brief Create a POSIX semaphore label
2481 @param cred Subject credential
2482 @param ps Pointer to semaphore information structure
2483 @param semlabel Label to associate with the new semaphore
2484 @param name String name of the semaphore
2485
2486 Label a new POSIX semaphore. The label was previously
2487 initialized and associated with the semaphore. At this time, an
2488 appropriate initial label value should be assigned to the object and
2489 stored in semalabel.
2490*/
2491typedef void mpo_posixsem_label_associate_t(
2492 kauth_cred_t cred,
2493 struct pseminfo *ps,
2494 struct label *semlabel,
2495 const char *name
2496);
2497/**
2498 @brief Destroy POSIX semaphore label
2499 @param label The label to be destroyed
2500
2501 Destroy a POSIX semaphore label. Since the object is
2502 going out of scope, policy modules should free any internal storage
2503 associated with the label so that it may be destroyed.
2504*/
2505typedef void mpo_posixsem_label_destroy_t(
2506 struct label *label
2507);
2508/**
2509 @brief Initialize POSIX semaphore label
2510 @param label New label to initialize
2511
2512 Initialize the label for a newly instantiated POSIX semaphore. Sleeping
2513 is permitted.
2514*/
2515typedef void mpo_posixsem_label_init_t(
2516 struct label *label
2517);
2518/**
2519 @brief Access control check for POSIX shared memory region create
2520 @param cred Subject credential
2521 @param name String name of the shared memory region
2522
2523 Determine whether the subject identified by the credential can create
2524 the POSIX shared memory region referenced by name.
2525
2526 @return Return 0 if access is granted, otherwise an appropriate value for
2527 errno should be returned.
2528*/
2529typedef int mpo_posixshm_check_create_t(
2530 kauth_cred_t cred,
2531 const char *name
2532);
2533/**
2534 @brief Access control check for mapping POSIX shared memory
2535 @param cred Subject credential
2536 @param ps Pointer to shared memory information structure
2537 @param shmlabel Label associated with the shared memory region
2538 @param prot mmap protections; see mmap(2)
2539 @param flags shmat flags; see shmat(2)
2540
2541 Determine whether the subject identified by the credential can map
2542 the POSIX shared memory segment associated with shmlabel.
2543
2544 @return Return 0 if access is granted, otherwise an appropriate value for
2545 errno should be returned.
2546*/
2547typedef int mpo_posixshm_check_mmap_t(
2548 kauth_cred_t cred,
2549 struct pshminfo *ps,
2550 struct label *shmlabel,
2551 int prot,
2552 int flags
2553);
2554/**
2555 @brief Access control check for POSIX shared memory region open
2556 @param cred Subject credential
2557 @param ps Pointer to shared memory information structure
2558 @param shmlabel Label associated with the shared memory region
316670eb 2559 @param fflags shm_open(2) open flags ('fflags' encoded)
2d21ac55
A		 2560
2561 Determine whether the subject identified by the credential can open
2562 the POSIX shared memory region.
2563
2564 @return Return 0 if access is granted, otherwise an appropriate value for
2565 errno should be returned.
2566*/
2567typedef int mpo_posixshm_check_open_t(
2568 kauth_cred_t cred,
2569 struct pshminfo *ps,
316670eb
A		 2570 struct label *shmlabel,
2571 int fflags
2d21ac55
A		 2572);
2573/**
2574 @brief Access control check for POSIX shared memory stat
2575 @param cred Subject credential
2576 @param ps Pointer to shared memory information structure
2577 @param shmlabel Label associated with the shared memory region
2578
2579 Determine whether the subject identified by the credential can obtain
2580 status for the POSIX shared memory segment associated with shmlabel.
2581
2582 @return Return 0 if access is granted, otherwise an appropriate value for
2583 errno should be returned.
2584*/
2585typedef int mpo_posixshm_check_stat_t(
2586 kauth_cred_t cred,
2587 struct pshminfo *ps,
2588 struct label *shmlabel
2589);
2590/**
2591 @brief Access control check for POSIX shared memory truncate
2592 @param cred Subject credential
2593 @param ps Pointer to shared memory information structure
2594 @param shmlabel Label associated with the shared memory region
2595 @param len Length to truncate or extend shared memory segment
2596
2597 Determine whether the subject identified by the credential can truncate
2598 or extend (to len) the POSIX shared memory segment associated with shmlabel.
2599
2600 @return Return 0 if access is granted, otherwise an appropriate value for
2601 errno should be returned.
2602*/
2603typedef int mpo_posixshm_check_truncate_t(
2604 kauth_cred_t cred,
2605 struct pshminfo *ps,
2606 struct label *shmlabel,
6d2010ae 2607 off_t len
2d21ac55
A		 2608);
2609/**
2610 @brief Access control check for POSIX shared memory unlink
2611 @param cred Subject credential
2612 @param ps Pointer to shared memory information structure
2613 @param shmlabel Label associated with the shared memory region
2614 @param name String name of the shared memory region
2615
2616 Determine whether the subject identified by the credential can delete
2617 the POSIX shared memory segment associated with shmlabel.
2618
2619 @return Return 0 if access is granted, otherwise an appropriate value for
2620 errno should be returned.
2621*/
2622typedef int mpo_posixshm_check_unlink_t(
2623 kauth_cred_t cred,
2624 struct pshminfo *ps,
2625 struct label *shmlabel,
2626 const char *name
2627);
2628/**
2629 @brief Create a POSIX shared memory region label
2630 @param cred Subject credential
2631 @param ps Pointer to shared memory information structure
2632 @param shmlabel Label to associate with the new shared memory region
2633 @param name String name of the shared memory region
2634
2635 Label a new POSIX shared memory region. The label was previously
2636 initialized and associated with the shared memory region. At this
2637 time, an appropriate initial label value should be assigned to the
2638 object and stored in shmlabel.
2639*/
2640typedef void mpo_posixshm_label_associate_t(
2641 kauth_cred_t cred,
2642 struct pshminfo *ps,
2643 struct label *shmlabel,
2644 const char *name
2645);
2646/**
2647 @brief Destroy POSIX shared memory label
2648 @param label The label to be destroyed
2649
2650 Destroy a POSIX shared memory region label. Since the
2651 object is going out of scope, policy modules should free any
2652 internal storage associated with the label so that it may be
2653 destroyed.
2654*/
2655typedef void mpo_posixshm_label_destroy_t(
2656 struct label *label
2657);
2658/**
2659 @brief Initialize POSIX Shared Memory region label
2660 @param label New label to initialize
2661
2662 Initialize the label for newly a instantiated POSIX Shared Memory
2663 region. Sleeping is permitted.
2664*/
2665typedef void mpo_posixshm_label_init_t(
2666 struct label *label
2667);
6d2010ae
A		 2668/**
2669 @brief Access control check for privileged operations
2670 @param cred Subject credential
2671 @param priv Requested privilege (see sys/priv.h)
2672
2673 Determine whether the subject identified by the credential can perform
2674 a privileged operation. Privileged operations are allowed if the cred
2675 is the superuser or any policy returns zero for mpo_priv_grant, unless
2676 any policy returns nonzero for mpo_priv_check.
2677
2678 @return Return 0 if access is granted, otherwise EPERM should be returned.
2679*/
2680typedef int mpo_priv_check_t(
2681 kauth_cred_t cred,
2682 int priv
2683);
2684/**
2685 @brief Grant regular users the ability to perform privileged operations
2686 @param cred Subject credential
2687 @param priv Requested privilege (see sys/priv.h)
2688
2689 Determine whether the subject identified by the credential should be
2690 allowed to perform a privileged operation that in the absense of any
2691 MAC policy it would not be able to perform. Privileged operations are
2692 allowed if the cred is the superuser or any policy returns zero for
2693 mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check.
2694
2695 Unlike other MAC hooks which can only reduce the privilege of a
2696 credential, this hook raises the privilege of a credential when it
2697 returns 0. Extreme care must be taken when implementing this hook to
2698 avoid undermining the security of the system.
2699
2700 @return Return 0 if additional privilege is granted, otherwise EPERM
2701 should be returned.
2702*/
2703typedef int mpo_priv_grant_t(
2704 kauth_cred_t cred,
2705 int priv
2706);
2d21ac55
A		 2707/**
2708 @brief Access control check for debugging process
2709 @param cred Subject credential
2710 @param proc Object process
2711
2712 Determine whether the subject identified by the credential can debug
2713 the passed process. This call may be made in a number of situations,
2714 including use of the ptrace(2) and ktrace(2) APIs, as well as for some
2715 types of procfs operations.
2716
2717 @return Return 0 if access is granted, otherwise an appropriate value for
2718 errno should be returned. Suggested failure: EACCES for label mismatch,
2719 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
2720*/
2721typedef int mpo_proc_check_debug_t(
2722 kauth_cred_t cred,
2723 struct proc *proc
2724);
2725/**
2726 @brief Access control over fork
2727 @param cred Subject credential
2728 @param proc Subject process trying to fork
2729
2730 Determine whether the subject identified is allowed to fork.
2731
2732 @return Return 0 if access is granted, otherwise an appropriate value for
2733 errno should be returned.
2734*/
2735typedef int mpo_proc_check_fork_t(
2736 kauth_cred_t cred,
2737 struct proc *proc
2738);
d1ecb069
A		 2739/**
2740 @brief Access control over pid_suspend and pid_resume
2741 @param cred Subject credential
2742 @param proc Subject process trying to run pid_suspend or pid_resume
2743 @param sr Call is suspend (0) or resume (1)
2744
2745 Determine whether the subject identified is allowed to suspend or resume
2746 other processes.
2747
2748 @return Return 0 if access is granted, otherwise an appropriate value for
2749 errno should be returned.
2750*/
2751typedef int mpo_proc_check_suspend_resume_t(
2752 kauth_cred_t cred,
2753 struct proc *proc,
2754 int sr
2755);
2d21ac55
A		 2756/**
2757 @brief Access control check for retrieving audit information
2758 @param cred Subject credential
2759
2760 Determine whether the subject identified by the credential can get
2761 audit information such as the audit user ID, the preselection mask,
2762 the terminal ID and the audit session ID, using the getaudit() system call.
2763
2764 @return Return 0 if access is granted, otherwise an appropriate value for
2765 errno should be returned.
2766*/
2767typedef int mpo_proc_check_getaudit_t(
2768 kauth_cred_t cred
2769);
2770/**
2771 @brief Access control check for retrieving audit user ID
2772 @param cred Subject credential
2773
2774 Determine whether the subject identified by the credential can get
2775 the user identity being used by the auditing system, using the getauid()
2776 system call.
2777
2778 @return Return 0 if access is granted, otherwise an appropriate value for
2779 errno should be returned.
2780*/
2781typedef int mpo_proc_check_getauid_t(
2782 kauth_cred_t cred
2783);
2784/**
2785 @brief Access control check for retrieving Login Context ID
2786 @param p0 Calling process
2787 @param p Effected process
2788 @param pid syscall PID argument
2789
2790 Determine if getlcid(2) system call is permitted.
2791
2792 Information returned by this system call is similar to that returned via
2793 process listings etc.
2794
2795 @return Return 0 if access is granted, otherwise an appropriate value for
2796 errno should be returned.
2797*/
2798typedef int mpo_proc_check_getlcid_t(
2799 struct proc *p0,
2800 struct proc *p,
2801 pid_t pid
2802);
316670eb
A		 2803/**
2804 @brief Access control check for retrieving ledger information
2805 @param cred Subject credential
2806 @param target Object process
2807 @param op ledger operation
2808
2809 Determine if ledger(2) system call is permitted.
2810
2811 Information returned by this system call is similar to that returned via
2812 process listings etc.
2813
2814 @return Return 0 if access is granted, otherwise an appropriate value for
2815 errno should be returned.
2816*/
2817typedef int mpo_proc_check_ledger_t(
2818 kauth_cred_t cred,
2819 struct proc *target,
2820 int op
2821);
39236c6e
A		 2822/**
2823 @brief Access control check for escaping default CPU usage monitor parameters.
2824 @param cred Subject credential
2825
2826 Determine if a credential has permission to program CPU usage monitor parameters
2827 that are less restrictive than the global system-wide defaults.
2828
2829 @return Return 0 if access is granted, otherwise an appropriate value for
2830 errno should be returned.
2831*/
2832typedef int mpo_proc_check_cpumon_t(
2833 kauth_cred_t cred
2834);
2835/**
2836 @brief Access control check for retrieving process information.
2837 @param cred Subject credential
2838 @param target Target process (may be null, may be zombie)
2839
2840 Determine if a credential has permission to access process information as defined
2841 by call number and flavor on target process
2842
2843 @return Return 0 if access is granted, otherwise an appropriate value for
2844 errno should be returned.
2845*/
2846typedef int mpo_proc_check_proc_info_t(
2847 kauth_cred_t cred,
2848 struct proc *target,
2849 int callnum,
2850 int flavor
2851);
6d2010ae
A		 2852/**
2853 @brief Access control check for mmap MAP_ANON
2854 @param proc User process requesting the memory
2855 @param cred Subject credential
2856 @param u_addr Start address of the memory range
2857 @param u_size Length address of the memory range
2858 @param prot mmap protections; see mmap(2)
2859 @param flags Type of mapped object; see mmap(2)
2860 @param maxprot Maximum rights
2861
2862 Determine whether the subject identified by the credential should be
2863 allowed to obtain anonymous memory using the specified flags and
2864 protections on the new mapping. MAP_ANON will always be present in the
2865 flags. Certain combinations of flags with a non-NULL addr may
2866 cause a mapping to be rejected before this hook is called. The maxprot field
2867 holds the maximum permissions on the new mapping, a combination of
2868 VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior
2869 access control checks, a policy should only remove flags from maxprot.
2870
2871 @return Return 0 if access is granted, otherwise an appropriate value for
2872 errno should be returned. Suggested failure: EPERM for lack of privilege.
2873*/
2874typedef int mpo_proc_check_map_anon_t(
2875 struct proc *proc,
2876 kauth_cred_t cred,
2877 user_addr_t u_addr,
2878 user_size_t u_size,
2879 int prot,
2880 int flags,
2881 int *maxprot
2882);
2d21ac55
A		 2883/**
2884 @brief Access control check for setting memory protections
2885 @param cred Subject credential
2886 @param proc User process requesting the change
2887 @param addr Start address of the memory range
2888 @param size Length address of the memory range
2889 @param prot Memory protections, see mmap(2)
2890
2891 Determine whether the subject identified by the credential should
2892 be allowed to set the specified memory protections on memory mapped
2893 in the process proc.
2894
2895 @return Return 0 if access is granted, otherwise an appropriate value for
2896 errno should be returned.
2897*/
2898typedef int mpo_proc_check_mprotect_t(
2899 kauth_cred_t cred,
2900 struct proc *proc,
2901 user_addr_t addr,
2902 user_size_t size,
2903 int prot
2904);
2905/**
2906 @brief Access control check for changing scheduling parameters
2907 @param cred Subject credential
2908 @param proc Object process
2909
2910 Determine whether the subject identified by the credential can change
2911 the scheduling parameters of the passed process.
2912
2913 @return Return 0 if access is granted, otherwise an appropriate value for
2914 errno should be returned. Suggested failure: EACCES for label mismatch,
2915 EPERM for lack of privilege, or ESRCH to limit visibility.
2916*/
2917typedef int mpo_proc_check_sched_t(
2918 kauth_cred_t cred,
2919 struct proc *proc
2920);
2921/**
2922 @brief Access control check for setting audit information
2923 @param cred Subject credential
2924 @param ai Audit information
2925
2926 Determine whether the subject identified by the credential can set
2927 audit information such as the the preselection mask, the terminal ID
2928 and the audit session ID, using the setaudit() system call.
2929
2930 @return Return 0 if access is granted, otherwise an appropriate value for
2931 errno should be returned.
2932*/
2933typedef int mpo_proc_check_setaudit_t(
2934 kauth_cred_t cred,
b0d623f7 2935 struct auditinfo_addr *ai
2d21ac55
A		 2936);
2937/**
2938 @brief Access control check for setting audit user ID
2939 @param cred Subject credential
2940 @param auid Audit user ID
2941
2942 Determine whether the subject identified by the credential can set
2943 the user identity used by the auditing system, using the setauid()
2944 system call.
2945
2946 @return Return 0 if access is granted, otherwise an appropriate value for
2947 errno should be returned.
2948*/
2949typedef int mpo_proc_check_setauid_t(
2950 kauth_cred_t cred,
2951 uid_t auid
2952);
2953/**
2954 @brief Access control check for setting the Login Context
2955 @param p0 Calling process
2956 @param p Effected process
2957 @param pid syscall PID argument
2958 @param lcid syscall LCID argument
2959
2960 Determine if setlcid(2) system call is permitted.
2961
2962 See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of
2963 decoding syscall arguments to determine action desired by caller.
2964
2965 Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN
2966
2967 @return Return 0 if access is granted, otherwise an appropriate value for
2968 errno should be returned.
2969*/
2970typedef int mpo_proc_check_setlcid_t(
2971 struct proc *p0,
2972 struct proc *p,
2973 pid_t pid,
2974 pid_t lcid
2975);
2976/**
2977 @brief Access control check for delivering signal
2978 @param cred Subject credential
2979 @param proc Object process
2980 @param signum Signal number; see kill(2)
2981
2982 Determine whether the subject identified by the credential can deliver
2983 the passed signal to the passed process.
2984
2985 @warning Programs typically expect to be able to send and receive
2986 signals as part or their normal process lifecycle; caution should be
2987 exercised when implementing access controls over signal events.
2988
2989 @return Return 0 if access is granted, otherwise an appropriate value for
2990 errno should be returned. Suggested failure: EACCES for label mismatch,
2991 EPERM for lack of privilege, or ESRCH to limit visibility.
2992*/
2993typedef int mpo_proc_check_signal_t(
2994 kauth_cred_t cred,
2995 struct proc *proc,
2996 int signum
2997);
2998/**
2999 @brief Access control check for wait
3000 @param cred Subject credential
3001 @param proc Object process
3002
3003 Determine whether the subject identified by the credential can wait
3004 for process termination.
3005
3006 @warning Caution should be exercised when implementing access
3007 controls for wait, since programs often wait for child processes to
3008 exit. Failure to be notified of a child process terminating may
3009 cause the parent process to hang, or may produce zombie processes.
3010
3011 @return Return 0 if access is granted, otherwise an appropriate value for
3012 errno should be returned.
3013*/
3014typedef int mpo_proc_check_wait_t(
3015 kauth_cred_t cred,
3016 struct proc *proc
3017);
3018/**
3019 @brief Destroy process label
3020 @param label The label to be destroyed
3021
3022 Destroy a process label. Since the object is going
3023 out of scope, policy modules should free any internal storage
3024 associated with the label so that it may be destroyed.
3025*/
3026typedef void mpo_proc_label_destroy_t(
3027 struct label *label
3028);
3029/**
3030 @brief Initialize process label
3031 @param label New label to initialize
3032 @see mpo_cred_label_init_t
3033
3034 Initialize the label for a newly instantiated BSD process structure.
3035 Normally, security policies will store the process label in the user
3036 credential rather than here in the process structure. However,
3037 there are some floating label policies that may need to temporarily
3038 store a label in the process structure until it is safe to update
3039 the user credential label. Sleeping is permitted.
3040*/
3041typedef void mpo_proc_label_init_t(
3042 struct label *label
3043);
3044/**
3045 @brief Access control check for socket accept
3046 @param cred Subject credential
3047 @param socket Object socket
3048 @param socklabel Policy label for socket
3049
3050 Determine whether the subject identified by the credential can accept()
3051 a new connection on the socket from the host specified by addr.
3052
3053 @return Return 0 if access if granted, otherwise an appropriate
3054 value for errno should be returned.
3055*/
3056typedef int mpo_socket_check_accept_t(
3057 kauth_cred_t cred,
3058 socket_t so,
3059 struct label *socklabel
3060);
3061/**
3062 @brief Access control check for a pending socket accept
3063 @param cred Subject credential
3064 @param so Object socket
3065 @param socklabel Policy label for socket
3066 @param addr Address of the listening socket (coming soon)
3067
3068 Determine whether the subject identified by the credential can accept()
3069 a pending connection on the socket from the host specified by addr.
3070
3071 @return Return 0 if access if granted, otherwise an appropriate
3072 value for errno should be returned.
3073*/
3074typedef int mpo_socket_check_accepted_t(
3075 kauth_cred_t cred,
3076 socket_t so,
3077 struct label *socklabel,
3078 struct sockaddr *addr
3079);
3080/**
3081 @brief Access control check for socket bind
3082 @param cred Subject credential
3083 @param so Object socket
3084 @param socklabel Policy label for socket
3085 @param addr Name to assign to the socket
3086
3087 Determine whether the subject identified by the credential can bind()
3088 the name (addr) to the socket.
3089
3090 @return Return 0 if access if granted, otherwise an appropriate
3091 value for errno should be returned.
3092*/
3093typedef int mpo_socket_check_bind_t(
3094 kauth_cred_t cred,
3095 socket_t so,
3096 struct label *socklabel,
3097 struct sockaddr *addr
3098);
3099/**
3100 @brief Access control check for socket connect
3101 @param cred Subject credential
3102 @param so Object socket
3103 @param socklabel Policy label for socket
3104 @param addr Name to assign to the socket
3105
3106 Determine whether the subject identified by the credential can
3107 connect() the passed socket to the remote host specified by addr.
3108
3109 @return Return 0 if access if granted, otherwise an appropriate
3110 value for errno should be returned.
3111*/
3112typedef int mpo_socket_check_connect_t(
3113 kauth_cred_t cred,
3114 socket_t so,
3115 struct label *socklabel,
3116 struct sockaddr *addr
3117);
3118/**
3119 @brief Access control check for socket() system call.
3120 @param cred Subject credential
3121 @param domain communication domain
3122 @param type socket type
3123 @param protocol socket protocol
3124
3125 Determine whether the subject identified by the credential can
3126 make the socket() call.
3127
3128 @return Return 0 if access if granted, otherwise an appropriate
3129 value for errno should be returned.
3130*/
3131typedef int mpo_socket_check_create_t(
3132 kauth_cred_t cred,
3133 int domain,
3134 int type,
3135 int protocol
3136);
3137/**
3138 @brief Access control check for delivering data to a user's receieve queue
3139 @param so The socket data is being delivered to
3140 @param so_label The label of so
3141 @param m The mbuf whose data will be deposited into the receive queue
3142 @param m_label The label of the sender of the data.
3143
3144 A socket has a queue for receiving incoming data. When a packet arrives
3145 on the wire, it eventually gets deposited into this queue, which the
3146 owner of the socket drains when they read from the socket's file descriptor.
3147
3148 This function determines whether the socket can receive data from
3149 the sender specified by m_label.
3150
3151 @warning There is an outstanding design issue surrounding the placement
3152 of this function. The check must be placed either before or after the
3153 TCP sequence and ACK counters are updated. Placing the check before
3154 the counters are updated causes the incoming packet to be resent by
3155 the remote if the check rejects it. Placing the check after the counters
3156 are updated results in a completely silent drop. As far as each TCP stack
3157 is concerned the packet was received, however, the data will not be in the
3158 socket's receive queue. Another consideration is that the current design
3159 requires using the "failed label" occasionally. In that case, on rejection,
3160 we want the remote TCP to resend the data. Because of this, we chose to
3161 place this check before the counters are updated, so rejected packets will be
3162 resent by the remote host.
3163
3164 If a policy keeps rejecting the same packet, eventually the connection will
3165 be dropped. Policies have several options if this design causes problems.
3166 For example, one options is to sanitize the mbuf such that it is acceptable,
3167 then accept it. That may require negotiation between policies as the
3168 Framework will not know to re-check the packet.
3169
3170 The policy must handle NULL MBUF labels. This will likely be the case
3171 for non-local TCP sockets for example.
3172
3173 @return Return 0 if access if granted, otherwise an appropriate
3174 value for errno should be returned.
3175*/
3176typedef int mpo_socket_check_deliver_t(
3177 socket_t so,
3178 struct label *so_label,
3179 struct mbuf *m,
3180 struct label *m_label
3181);
3182/**
3183 @brief Access control check for socket kqfilter
3184 @param cred Subject credential
3185 @param kn Object knote
3186 @param so Object socket
3187 @param socklabel Policy label for socket
3188
3189 Determine whether the subject identified by the credential can
3190 receive the knote on the passed socket.
3191
3192 @return Return 0 if access if granted, otherwise an appropriate
3193 value for errno should be returned.
3194*/
3195typedef int mpo_socket_check_kqfilter_t(
3196 kauth_cred_t cred,
3197 struct knote *kn,
3198 socket_t so,
3199 struct label *socklabel
3200);
3201/**
3202 @brief Access control check for socket relabel
3203 @param cred Subject credential
3204 @param so Object socket
3205 @param so_label The current label of so
3206 @param newlabel The label to be assigned to so
3207
3208 Determine whether the subject identified by the credential can
3209 change the label on the socket.
3210
3211 @return Return 0 if access if granted, otherwise an appropriate
3212 value for errno should be returned.
3213*/
3214typedef int mpo_socket_check_label_update_t(
3215 kauth_cred_t cred,
3216 socket_t so,
3217 struct label *so_label,
3218 struct label *newlabel
3219);
3220/**
3221 @brief Access control check for socket listen
3222 @param cred Subject credential
3223 @param so Object socket
3224 @param socklabel Policy label for socket
3225
3226 Determine whether the subject identified by the credential can
3227 listen() on the passed socket.
3228
3229 @return Return 0 if access if granted, otherwise an appropriate
3230 value for errno should be returned.
3231*/
3232typedef int mpo_socket_check_listen_t(
3233 kauth_cred_t cred,
3234 socket_t so,
3235 struct label *socklabel
3236);
3237/**
3238 @brief Access control check for socket receive
3239 @param cred Subject credential
3240 @param so Object socket
3241 @param socklabel Policy label for socket
3242
3243 Determine whether the subject identified by the credential can
3244 receive data from the socket.
3245
3246 @return Return 0 if access if granted, otherwise an appropriate
3247 value for errno should be returned.
3248*/
3249typedef int mpo_socket_check_receive_t(
3250 kauth_cred_t cred,
3251 socket_t so,
3252 struct label *socklabel
3253);
3254
3255/**
3256 @brief Access control check for socket receive
3257 @param cred Subject credential
3258 @param socket Object socket
3259 @param socklabel Policy label for socket
3260 @param addr Name of the remote socket
3261
3262 Determine whether the subject identified by the credential can
3263 receive data from the remote host specified by addr.
3264
3265 @return Return 0 if access if granted, otherwise an appropriate
3266 value for errno should be returned.
3267*/
3268typedef int mpo_socket_check_received_t(
3269 kauth_cred_t cred,
3270 struct socket *sock,
3271 struct label *socklabel,
3272 struct sockaddr *saddr
3273 );
3274
3275
3276/**
3277 @brief Access control check for socket select
3278 @param cred Subject credential
3279 @param so Object socket
3280 @param socklabel Policy label for socket
3281 @param which The operation selected on: FREAD or FWRITE
3282
3283 Determine whether the subject identified by the credential can use the
3284 socket in a call to select().
3285
3286 @return Return 0 if access if granted, otherwise an appropriate
3287 value for errno should be returned.
3288*/
3289typedef int mpo_socket_check_select_t(
3290 kauth_cred_t cred,
3291 socket_t so,
3292 struct label *socklabel,
3293 int which
3294);
3295/**
3296 @brief Access control check for socket send
3297 @param cred Subject credential
3298 @param so Object socket
3299 @param socklabel Policy label for socket
3300 @param addr Address being sent to
3301
3302 Determine whether the subject identified by the credential can send
3303 data to the socket.
3304
3305 @return Return 0 if access if granted, otherwise an appropriate
3306 value for errno should be returned.
3307*/
3308typedef int mpo_socket_check_send_t(
3309 kauth_cred_t cred,
3310 socket_t so,
3311 struct label *socklabel,
3312 struct sockaddr *addr
3313);
3314/**
3315 @brief Access control check for retrieving socket status
3316 @param cred Subject credential
3317 @param so Object socket
3318 @param socklabel Policy label for so
3319
3320 Determine whether the subject identified by the credential can
3321 execute the stat() system call on the given socket.
3322
3323 @return Return 0 if access if granted, otherwise an appropriate
3324 value for errno should be returned.
3325*/
3326typedef int mpo_socket_check_stat_t(
3327 kauth_cred_t cred,
3328 socket_t so,
3329 struct label *socklabel
3330);
3331/**
3332 @brief Access control check for setting socket options
3333 @param cred Subject credential
3334 @param so Object socket
3335 @param socklabel Policy label for so
3336 @param sopt The options being set
3337
3338 Determine whether the subject identified by the credential can
3339 execute the setsockopt system call on the given socket.
3340
3341 @return Return 0 if access if granted, otherwise an appropriate
3342 value for errno should be returned.
3343*/
3344typedef int mpo_socket_check_setsockopt_t(
3345 kauth_cred_t cred,
3346 socket_t so,
3347 struct label *socklabel,
3348 struct sockopt *sopt
3349);
3350/**
3351 @brief Access control check for getting socket options
3352 @param cred Subject credential
3353 @param so Object socket
3354 @param socklabel Policy label for so
3355 @param sopt The options to get
3356
3357 Determine whether the subject identified by the credential can
3358 execute the getsockopt system call on the given socket.
3359
3360 @return Return 0 if access if granted, otherwise an appropriate
3361 value for errno should be returned.
3362*/
3363typedef int mpo_socket_check_getsockopt_t(
3364 kauth_cred_t cred,
3365 socket_t so,
3366 struct label *socklabel,
3367 struct sockopt *sopt
3368);
3369/**
3370 @brief Label a socket
3371 @param oldsock Listening socket
3372 @param oldlabel Policy label associated with oldsock
3373 @param newsock New socket
3374 @param newlabel Policy label associated with newsock
3375
3376 A new socket is created when a connection is accept(2)ed. This
3377 function labels the new socket based on the existing listen(2)ing
3378 socket.
3379*/
3380typedef void mpo_socket_label_associate_accept_t(
3381 socket_t oldsock,
3382 struct label *oldlabel,
3383 socket_t newsock,
3384 struct label *newlabel
3385);
3386/**
3387 @brief Assign a label to a new socket
3388 @param cred Credential of the owning process
3389 @param so The socket being labeled
3390 @param solabel The label
3391 @warning cred can be NULL
3392
3393 Set the label on a newly created socket from the passed subject
3394 credential. This call is made when a socket is created. The
3395 credentials may be null if the socket is being created by the
3396 kernel.
3397*/
3398typedef void mpo_socket_label_associate_t(
3399 kauth_cred_t cred,
3400 socket_t so,
3401 struct label *solabel
3402);
3403/**
3404 @brief Copy a socket label
3405 @param src Source label
3406 @param dest Destination label
3407
3408 Copy the socket label information in src into dest.
3409*/
3410typedef void mpo_socket_label_copy_t(
3411 struct label *src,
3412 struct label *dest
3413);
3414/**
3415 @brief Destroy socket label
3416 @param label The label to be destroyed
3417
3418 Destroy a socket label. Since the object is going out of
3419 scope, policy modules should free any internal storage associated
3420 with the label so that it may be destroyed.
3421*/
3422typedef void mpo_socket_label_destroy_t(
3423 struct label *label
3424);
3425/**
3426 @brief Externalize a socket label
3427 @param label Label to be externalized
3428 @param element_name Name of the label namespace for which labels should be
3429 externalized
3430 @param sb String buffer to be filled with a text representation of label
3431
3432 Produce an externalized socket label based on the label structure passed.
3433 An externalized label consists of a text representation of the label
3434 contents that can be used with userland applications and read by the
3435 user. If element_name does not match a namespace managed by the policy,
3436 simply return 0. Only return nonzero if an error occurs while externalizing
3437 the label data.
3438
3439 @return In the event of an error, an appropriate value for errno
3440 should be returned, otherwise return 0 upon success.
3441*/
3442typedef int mpo_socket_label_externalize_t(
3443 struct label *label,
3444 char *element_name,
3445 struct sbuf *sb
3446);
3447/**
3448 @brief Initialize socket label
3449 @param label New label to initialize
3450 @param waitok Malloc flags
3451
3452 Initialize the label of a newly instantiated socket. The waitok
3453 field may be one of M_WAITOK and M_NOWAIT, and should be employed to
3454 avoid performing a sleeping malloc(9) during this initialization
3455 call. It it not always safe to sleep during this entry point.
3456
3457 @warning Since it is possible for the waitok flags to be set to
3458 M_NOWAIT, the malloc operation may fail.
3459
3460 @return In the event of an error, an appropriate value for errno
3461 should be returned, otherwise return 0 upon success.
3462*/
3463typedef int mpo_socket_label_init_t(
3464 struct label *label,
3465 int waitok
3466);
3467/**
3468 @brief Internalize a socket label
3469 @param label Label to be filled in
3470 @param element_name Name of the label namespace for which the label should
3471 be internalized
3472 @param element_data Text data to be internalized
3473
3474 Produce an internal socket label structure based on externalized label
3475 data in text format.
3476
3477 The policy's internalize entry points will be called only if the
3478 policy has registered interest in the label namespace.
3479
3480 @return In the event of an error, an appropriate value for errno
3481 should be returned, otherwise return 0 upon success.
3482*/
3483typedef int mpo_socket_label_internalize_t(
3484 struct label *label,
3485 char *element_name,
3486 char *element_data
3487);
3488/**
3489 @brief Relabel socket
3490 @param cred Subject credential
3491 @param so Object; socket
3492 @param so_label Current label of the socket
3493 @param newlabel The label to be assigned to so
3494
3495 The subject identified by the credential has previously requested
3496 and was authorized to relabel the socket; this entry point allows
3497 policies to perform the actual label update operation.
3498
3499 @warning XXX This entry point will likely change in future versions.
3500*/
3501typedef void mpo_socket_label_update_t(
3502 kauth_cred_t cred,
3503 socket_t so,
3504 struct label *so_label,
3505 struct label *newlabel
3506);
3507/**
3508 @brief Set the peer label on a socket from mbuf
3509 @param m Mbuf chain received on socket so
3510 @param m_label Label for m
3511 @param so Current label for the socket
3512 @param so_label Policy label to be filled out for the socket
3513
3514 Set the peer label of a socket based on the label of the sender of the
3515 mbuf.
3516
3517 This is called for every TCP/IP packet received. The first call for a given
3518 socket operates on a newly initialized label, and subsequent calls operate
3519 on existing label data.
3520
3521 @warning Because this can affect performance significantly, it has
3522 different sematics than other 'set' operations. Typically, 'set' operations
3523 operate on newly initialzed labels and policies do not need to worry about
3524 clobbering existing values. In this case, it is too inefficient to
3525 initialize and destroy a label every time data is received for the socket.
3526 Instead, it is up to the policies to determine how to replace the label data.
3527 Most policies should be able to replace the data inline.
3528*/
3529typedef void mpo_socketpeer_label_associate_mbuf_t(
3530 struct mbuf *m,
3531 struct label *m_label,
3532 socket_t so,
3533 struct label *so_label
3534);
3535/**
3536 @brief Set the peer label on a socket from socket
3537 @param source Local socket
3538 @param sourcelabel Policy label for source
3539 @param target Peer socket
3540 @param targetlabel Policy label to fill in for target
3541
3542 Set the peer label on a stream UNIX domain socket from the passed
3543 remote socket endpoint. This call will be made when the socket pair
3544 is connected, and will be made for both endpoints.
3545
3546 Note that this call is only made on connection; it is currently not updated
3547 during communication.
3548*/
3549typedef void mpo_socketpeer_label_associate_socket_t(
3550 socket_t source,
3551 struct label *sourcelabel,
3552 socket_t target,
3553 struct label *targetlabel
3554);
3555/**
3556 @brief Destroy socket peer label
3557 @param label The peer label to be destroyed
3558
3559 Destroy a socket peer label. Since the object is going out of
3560 scope, policy modules should free any internal storage associated
3561 with the label so that it may be destroyed.
3562*/
3563typedef void mpo_socketpeer_label_destroy_t(
3564 struct label *label
3565);
3566/**
3567 @brief Externalize a socket peer label
3568 @param label Label to be externalized
3569 @param element_name Name of the label namespace for which labels should be
3570 externalized
3571 @param sb String buffer to be filled with a text representation of label
3572
3573 Produce an externalized socket peer label based on the label structure
3574 passed. An externalized label consists of a text representation of the
3575 label contents that can be used with userland applications and read by the
3576 user. If element_name does not match a namespace managed by the policy,
3577 simply return 0. Only return nonzero if an error occurs while externalizing
3578 the label data.
3579
3580 @return In the event of an error, an appropriate value for errno
3581 should be returned, otherwise return 0 upon success.
3582*/
3583typedef int mpo_socketpeer_label_externalize_t(
3584 struct label *label,
3585 char *element_name,
3586 struct sbuf *sb
3587);
3588/**
3589 @brief Initialize socket peer label
3590 @param label New label to initialize
3591 @param waitok Malloc flags
3592
3593 Initialize the peer label of a newly instantiated socket. The
3594 waitok field may be one of M_WAITOK and M_NOWAIT, and should be
3595 employed to avoid performing a sleeping malloc(9) during this
3596 initialization call. It it not always safe to sleep during this
3597 entry point.
3598
3599 @warning Since it is possible for the waitok flags to be set to
3600 M_NOWAIT, the malloc operation may fail.
3601
3602 @return In the event of an error, an appropriate value for errno
3603 should be returned, otherwise return 0 upon success.
3604*/
3605typedef int mpo_socketpeer_label_init_t(
3606 struct label *label,
3607 int waitok
3608);
3609/**
3610 @brief Access control check for enabling accounting
3611 @param cred Subject credential
3612 @param vp Accounting file
3613 @param vlabel Label associated with vp
3614
3615 Determine whether the subject should be allowed to enable accounting,
3616 based on its label and the label of the accounting log file. See
3617 acct(5) for more information.
3618
3619 As accounting is disabled by passing NULL to the acct(2) system call,
3620 the policy should be prepared for both 'vp' and 'vlabel' to be NULL.
3621
3622 @return Return 0 if access is granted, otherwise an appropriate value for
3623 errno should be returned.
3624*/
3625typedef int mpo_system_check_acct_t(
3626 kauth_cred_t cred,
3627 struct vnode *vp,
3628 struct label *vlabel
3629);
3630/**
3631 @brief Access control check for audit
3632 @param cred Subject credential
3633 @param record Audit record
3634 @param length Audit record length
3635
3636 Determine whether the subject identified by the credential can submit
3637 an audit record for inclusion in the audit log via the audit() system call.
3638
3639 @return Return 0 if access is granted, otherwise an appropriate value for
3640 errno should be returned.
3641*/
3642typedef int mpo_system_check_audit_t(
3643 kauth_cred_t cred,
3644 void *record,
3645 int length
3646);
3647/**
3648 @brief Access control check for controlling audit
3649 @param cred Subject credential
3650 @param vp Audit file
3651 @param vl Label associated with vp
3652
3653 Determine whether the subject should be allowed to enable auditing using
3654 the auditctl() system call, based on its label and the label of the proposed
3655 audit file.
3656
3657 @return Return 0 if access is granted, otherwise an appropriate value for
3658 errno should be returned.
3659*/
3660typedef int mpo_system_check_auditctl_t(
3661 kauth_cred_t cred,
3662 struct vnode *vp,
3663 struct label *vl
3664);
3665/**
3666 @brief Access control check for manipulating auditing
3667 @param cred Subject credential
3668 @param cmd Audit control command
3669
3670 Determine whether the subject identified by the credential can perform
3671 the audit subsystem control operation cmd via the auditon() system call.
3672
3673 @return Return 0 if access is granted, otherwise an appropriate value for
3674 errno should be returned.
3675*/
3676typedef int mpo_system_check_auditon_t(
3677 kauth_cred_t cred,
3678 int cmd
3679);
6d2010ae
A		 3680/**
3681 @brief Access control check for using CHUD facilities
3682 @param cred Subject credential
3683
3684 Determine whether the subject identified by the credential can perform
3685 performance-related tasks using the CHUD system call.
3686
3687 @return Return 0 if access is granted, otherwise an appropriate value for
3688 errno should be returned.
3689*/
3690typedef int mpo_system_check_chud_t(
3691 kauth_cred_t cred
3692);
2d21ac55
A		 3693/**
3694 @brief Access control check for obtaining the host control port
3695 @param cred Subject credential
3696
3697 Determine whether the subject identified by the credential can
3698 obtain the host control port.
3699
3700 @return Return 0 if access is granted, or non-zero otherwise.
3701*/
3702typedef int mpo_system_check_host_priv_t(
3703 kauth_cred_t cred
3704);
39236c6e
A		 3705/**
3706 @brief Access control check for obtaining system information
3707 @param cred Subject credential
3708 @param info_type A description of the information requested
3709
3710 Determine whether the subject identified by the credential should be
3711 allowed to obtain information about the system.
3712
3713 This is a generic hook that can be used in a variety of situations where
3714 information is being returned that might be considered sensitive.
3715 Rather than adding a new MAC hook for every such interface, this hook can
3716 be called with a string identifying the type of information requested.
3717
3718 @return Return 0 if access is granted, otherwise an appropriate value for
3719 errno should be returned.
3720*/
3721typedef int mpo_system_check_info_t(
3722 kauth_cred_t cred,
3723 const char *info_type
3724);
2d21ac55
A		 3725/**
3726 @brief Access control check for calling NFS services
3727 @param cred Subject credential
3728
3729 Determine whether the subject identified by the credential should be
3730 allowed to call nfssrv(2).
3731
3732 @return Return 0 if access is granted, otherwise an appropriate value for
3733 errno should be returned.
3734*/
3735typedef int mpo_system_check_nfsd_t(
3736 kauth_cred_t cred
3737);
3738/**
3739 @brief Access control check for reboot
3740 @param cred Subject credential
3741 @param howto howto parameter from reboot(2)
3742
3743 Determine whether the subject identified by the credential should be
3744 allowed to reboot the system in the specified manner.
3745
3746 @return Return 0 if access is granted, otherwise an appropriate value for
3747 errno should be returned.
3748*/
3749typedef int mpo_system_check_reboot_t(
3750 kauth_cred_t cred,
3751 int howto
3752);
3753/**
3754 @brief Access control check for setting system clock
3755 @param cred Subject credential
3756
3757 Determine whether the subject identified by the credential should be
3758 allowed to set the system clock.
3759
3760 @return Return 0 if access is granted, otherwise an appropriate value for
3761 errno should be returned.
3762*/
3763typedef int mpo_system_check_settime_t(
3764 kauth_cred_t cred
3765);
3766/**
3767 @brief Access control check for removing swap devices
3768 @param cred Subject credential
3769 @param vp Swap device
3770 @param label Label associated with vp
3771
3772 Determine whether the subject identified by the credential should be
3773 allowed to remove vp as a swap device.
3774
3775 @return Return 0 if access is granted, otherwise an appropriate value for
3776 errno should be returned.
3777*/
3778typedef int mpo_system_check_swapoff_t(
3779 kauth_cred_t cred,
3780 struct vnode *vp,
3781 struct label *label
3782);
3783/**
3784 @brief Access control check for adding swap devices
3785 @param cred Subject credential
3786 @param vp Swap device
3787 @param label Label associated with vp
3788
3789 Determine whether the subject identified by the credential should be
3790 allowed to add vp as a swap device.
3791
3792 @return Return 0 if access is granted, otherwise an appropriate value for
3793 errno should be returned.
3794*/
3795typedef int mpo_system_check_swapon_t(
3796 kauth_cred_t cred,
3797 struct vnode *vp,
3798 struct label *label
3799);
3800/**
3801 @brief Access control check for sysctl
3802 @param cred Subject credential
fe8ab488 3803 @param namestring String representation of sysctl name.
2d21ac55
A		 3804 @param name Integer name; see sysctl(3)
3805 @param namelen Length of name array of integers; see sysctl(3)
3806 @param old 0 or address where to store old value; see sysctl(3)
fe8ab488 3807 @param oldlen Length of old buffer; see sysctl(3)
2d21ac55
A		 3808 @param newvalue 0 or address of new value; see sysctl(3)
3809 @param newlen Length of new buffer; see sysctl(3)
3810
3811 Determine whether the subject identified by the credential should be
3812 allowed to make the specified sysctl(3) transaction.
3813
3814 The sysctl(3) call specifies that if the old value is not desired,
3815 oldp and oldlenp should be set to NULL. Likewise, if a new value is
3816 not to be set, newp should be set to NULL and newlen set to 0.
3817
3818 @return Return 0 if access is granted, otherwise an appropriate value for
3819 errno should be returned.
3820*/
fe8ab488 3821typedef int mpo_system_check_sysctlbyname_t(
2d21ac55 3822 kauth_cred_t cred,
fe8ab488 3823 const char *namestring,
2d21ac55
A		 3824 int *name,
3825 u_int namelen,
3826 user_addr_t old, /* NULLOK */
fe8ab488 3827 size_t oldlen,
2d21ac55
A		 3828 user_addr_t newvalue, /* NULLOK */
3829 size_t newlen
3830);
316670eb
A		 3831/**
3832 @brief Access control check for kas_info
3833 @param cred Subject credential
3834 @param selector Category of information to return. See kas_info.h
3835
3836 Determine whether the subject identified by the credential can perform
3837 introspection of the kernel address space layout for
3838 debugging/performance analysis.
3839
3840 @return Return 0 if access is granted, otherwise an appropriate value for
3841 errno should be returned.
3842*/
3843typedef int mpo_system_check_kas_info_t(
3844 kauth_cred_t cred,
3845 int selector
3846);
2d21ac55
A		 3847/**
3848 @brief Create a System V message label
3849 @param cred Subject credential
3850 @param msqkptr The message queue the message will be placed in
3851 @param msqlabel The label of the message queue
3852 @param msgptr The message
3853 @param msglabel The label of the message
3854
3855 Label the message as its placed in the message queue.
3856*/
3857typedef void mpo_sysvmsg_label_associate_t(
3858 kauth_cred_t cred,
3859 struct msqid_kernel *msqptr,
3860 struct label *msqlabel,
3861 struct msg *msgptr,
3862 struct label *msglabel
3863);
3864/**
3865 @brief Destroy System V message label
3866 @param label The label to be destroyed
3867
3868 Destroy a System V message label. Since the object is
3869 going out of scope, policy modules should free any internal storage
3870 associated with the label so that it may be destroyed.
3871*/
3872typedef void mpo_sysvmsg_label_destroy_t(
3873 struct label *label
3874);
3875/**
3876 @brief Initialize System V message label
3877 @param label New label to initialize
3878
3879 Initialize the label for a newly instantiated System V message.
3880*/
3881typedef void mpo_sysvmsg_label_init_t(
3882 struct label *label
3883);
3884/**
3885 @brief Clean up a System V message label
3886 @param label The label to be destroyed
3887
3888 Clean up a System V message label. Darwin pre-allocates
3889 messages at system boot time and re-uses them rather than
3890 allocating new ones. Before messages are returned to the "free
3891 pool", policies can cleanup or overwrite any information present in
3892 the label.
3893*/
3894typedef void mpo_sysvmsg_label_recycle_t(
3895 struct label *label
3896);
3897/**
3898 @brief Access control check for System V message enqueuing
3899 @param cred Subject credential
3900 @param msgptr The message
3901 @param msglabel The message's label
3902 @param msqkptr The message queue
3903 @param msqlabel The message queue's label
3904
3905 Determine whether the subject identified by the credential can add the
3906 given message to the given message queue.
3907
3908 @return Return 0 if access is granted, otherwise an appropriate value for
3909 errno should be returned.
3910*/
3911typedef int mpo_sysvmsq_check_enqueue_t(
3912 kauth_cred_t cred,
3913 struct msg *msgptr,
3914 struct label *msglabel,
3915 struct msqid_kernel *msqptr,
3916 struct label *msqlabel
3917);
3918/**
3919 @brief Access control check for System V message reception
3920 @param cred The credential of the intended recipient
3921 @param msgptr The message
3922 @param msglabel The message's label
3923
3924 Determine whether the subject identified by the credential can receive
3925 the given message.
3926
3927 @return Return 0 if access is granted, otherwise an appropriate value for
3928 errno should be returned.
3929*/
3930typedef int mpo_sysvmsq_check_msgrcv_t(
3931 kauth_cred_t cred,
3932 struct msg *msgptr,
3933 struct label *msglabel
3934);
3935/**
3936 @brief Access control check for System V message queue removal
3937 @param cred The credential of the caller
3938 @param msgptr The message
3939 @param msglabel The message's label
3940
3941 System V message queues are removed using the msgctl() system call.
3942 The system will iterate over each messsage in the queue, calling this
3943 function for each, to determine whether the caller has the appropriate
3944 credentials.
3945
3946 @return Return 0 if access is granted, otherwise an appropriate value for
3947 errno should be returned.
3948*/
3949typedef int mpo_sysvmsq_check_msgrmid_t(
3950 kauth_cred_t cred,
3951 struct msg *msgptr,
3952 struct label *msglabel
3953);
3954/**
3955 @brief Access control check for msgctl()
3956 @param cred The credential of the caller
3957 @param msqptr The message queue
3958 @param msqlabel The message queue's label
3959
3960 This access check is performed to validate calls to msgctl().
3961
3962 @return Return 0 if access is granted, otherwise an appropriate value for
3963 errno should be returned.
3964*/
3965typedef int mpo_sysvmsq_check_msqctl_t(
3966 kauth_cred_t cred,
3967 struct msqid_kernel *msqptr,
3968 struct label *msqlabel,
3969 int cmd
3970);
3971/**
3972 @brief Access control check to get a System V message queue
3973 @param cred The credential of the caller
3974 @param msqptr The message queue requested
3975 @param msqlabel The message queue's label
3976
3977 On a call to msgget(), if the queue requested already exists,
3978 and it is a public queue, this check will be performed before the
3979 queue's ID is returned to the user.
3980
3981 @return Return 0 if access is granted, otherwise an appropriate value for
3982 errno should be returned.
3983*/
3984typedef int mpo_sysvmsq_check_msqget_t(
3985 kauth_cred_t cred,
3986 struct msqid_kernel *msqptr,
3987 struct label *msqlabel
3988);
3989/**
3990 @brief Access control check to receive a System V message from the given queue
3991 @param cred The credential of the caller
3992 @param msqptr The message queue to receive from
3993 @param msqlabel The message queue's label
3994
3995 On a call to msgrcv(), this check is performed to determine whether the
3996 caller has receive rights on the given queue.
3997
3998 @return Return 0 if access is granted, otherwise an appropriate value for
3999 errno should be returned.
4000*/
4001typedef int mpo_sysvmsq_check_msqrcv_t(
4002 kauth_cred_t cred,
4003 struct msqid_kernel *msqptr,
4004 struct label *msqlabel
4005);
4006/**
4007 @brief Access control check to send a System V message to the given queue
4008 @param cred The credential of the caller
4009 @param msqptr The message queue to send to
4010 @param msqlabel The message queue's label
4011
4012 On a call to msgsnd(), this check is performed to determine whether the
4013 caller has send rights on the given queue.
4014
4015 @return Return 0 if access is granted, otherwise an appropriate value for
4016 errno should be returned.
4017*/
4018typedef int mpo_sysvmsq_check_msqsnd_t(
4019 kauth_cred_t cred,
4020 struct msqid_kernel *msqptr,
4021 struct label *msqlabel
4022);
4023/**
4024 @brief Create a System V message queue label
4025 @param cred Subject credential
4026 @param msqkptr The message queue
4027 @param msqlabel The label of the message queue
4028
4029*/
4030typedef void mpo_sysvmsq_label_associate_t(
4031 kauth_cred_t cred,
4032 struct msqid_kernel *msqptr,
4033 struct label *msqlabel
4034);
4035/**
4036 @brief Destroy System V message queue label
4037 @param label The label to be destroyed
4038
4039 Destroy a System V message queue label. Since the object is
4040 going out of scope, policy modules should free any internal storage
4041 associated with the label so that it may be destroyed.
4042*/
4043typedef void mpo_sysvmsq_label_destroy_t(
4044 struct label *label
4045);
4046/**
4047 @brief Initialize System V message queue label
4048 @param label New label to initialize
4049
4050 Initialize the label for a newly instantiated System V message queue.
4051*/
4052typedef void mpo_sysvmsq_label_init_t(
4053 struct label *label
4054);
4055/**
4056 @brief Clean up a System V message queue label
4057 @param label The label to be destroyed
4058
4059 Clean up a System V message queue label. Darwin pre-allocates
4060 message queues at system boot time and re-uses them rather than
4061 allocating new ones. Before message queues are returned to the "free
4062 pool", policies can cleanup or overwrite any information present in
4063 the label.
4064*/
4065typedef void mpo_sysvmsq_label_recycle_t(
4066 struct label *label
4067);
4068/**
4069 @brief Access control check for System V semaphore control operation
4070 @param cred Subject credential
4071 @param semakptr Pointer to semaphore identifier
4072 @param semaklabel Label associated with semaphore
4073 @param cmd Control operation to be performed; see semctl(2)
4074
4075 Determine whether the subject identified by the credential can perform
4076 the operation indicated by cmd on the System V semaphore semakptr.
4077
4078 @return Return 0 if access is granted, otherwise an appropriate value for
4079 errno should be returned.
4080*/
4081typedef int mpo_sysvsem_check_semctl_t(
4082 kauth_cred_t cred,
4083 struct semid_kernel *semakptr,
4084 struct label *semaklabel,
4085 int cmd
4086);
4087/**
4088 @brief Access control check for obtaining a System V semaphore
4089 @param cred Subject credential
4090 @param semakptr Pointer to semaphore identifier
4091 @param semaklabel Label to associate with the semaphore
4092
4093 Determine whether the subject identified by the credential can
4094 obtain a System V semaphore.
4095
4096 @return Return 0 if access is granted, otherwise an appropriate value for
4097 errno should be returned.
4098*/
4099typedef int mpo_sysvsem_check_semget_t(
4100 kauth_cred_t cred,
4101 struct semid_kernel *semakptr,
4102 struct label *semaklabel
4103);
4104/**
4105 @brief Access control check for System V semaphore operations
4106 @param cred Subject credential
4107 @param semakptr Pointer to semaphore identifier
4108 @param semaklabel Label associated with the semaphore
4109 @param accesstype Flags to indicate access (read and/or write)
4110
4111 Determine whether the subject identified by the credential can
4112 perform the operations on the System V semaphore indicated by
4113 semakptr. The accesstype flags hold the maximum set of permissions
4114 from the sem_op array passed to the semop system call. It may
4115 contain SEM_R for read-only operations or SEM_A for read/write
4116 operations.
4117
4118 @return Return 0 if access is granted, otherwise an appropriate value for
4119 errno should be returned.
4120*/
4121typedef int mpo_sysvsem_check_semop_t(
4122 kauth_cred_t cred,
4123 struct semid_kernel *semakptr,
4124 struct label *semaklabel,
4125 size_t accesstype
4126);
4127/**
4128 @brief Create a System V semaphore label
4129 @param cred Subject credential
4130 @param semakptr The semaphore being created
4131 @param semalabel Label to associate with the new semaphore
4132
4133 Label a new System V semaphore. The label was previously
4134 initialized and associated with the semaphore. At this time, an
4135 appropriate initial label value should be assigned to the object and
4136 stored in semalabel.
4137*/
4138typedef void mpo_sysvsem_label_associate_t(
4139 kauth_cred_t cred,
4140 struct semid_kernel *semakptr,
4141 struct label *semalabel
4142);
4143/**
4144 @brief Destroy System V semaphore label
4145 @param label The label to be destroyed
4146
4147 Destroy a System V semaphore label. Since the object is
4148 going out of scope, policy modules should free any internal storage
4149 associated with the label so that it may be destroyed.
4150*/
4151typedef void mpo_sysvsem_label_destroy_t(
4152 struct label *label
4153);
4154/**
4155 @brief Initialize System V semaphore label
4156 @param label New label to initialize
4157
4158 Initialize the label for a newly instantiated System V semaphore. Sleeping
4159 is permitted.
4160*/
4161typedef void mpo_sysvsem_label_init_t(
4162 struct label *label
4163);
4164/**
4165 @brief Clean up a System V semaphore label
4166 @param label The label to be cleaned
4167
4168 Clean up a System V semaphore label. Darwin pre-allocates
4169 semaphores at system boot time and re-uses them rather than
4170 allocating new ones. Before semaphores are returned to the "free
4171 pool", policies can cleanup or overwrite any information present in
4172 the label.
4173*/
4174typedef void mpo_sysvsem_label_recycle_t(
4175 struct label *label
4176);
4177/**
4178 @brief Access control check for mapping System V shared memory
4179 @param cred Subject credential
4180 @param shmsegptr Pointer to shared memory segment identifier
4181 @param shmseglabel Label associated with the shared memory segment
4182 @param shmflg shmat flags; see shmat(2)
4183
4184 Determine whether the subject identified by the credential can map
4185 the System V shared memory segment associated with shmsegptr.
4186
4187 @return Return 0 if access is granted, otherwise an appropriate value for
4188 errno should be returned.
4189*/
4190typedef int mpo_sysvshm_check_shmat_t(
4191 kauth_cred_t cred,
4192 struct shmid_kernel *shmsegptr,
4193 struct label *shmseglabel,
4194 int shmflg
4195);
4196/**
4197 @brief Access control check for System V shared memory control operation
4198 @param cred Subject credential
4199 @param shmsegptr Pointer to shared memory segment identifier
4200 @param shmseglabel Label associated with the shared memory segment
4201 @param cmd Control operation to be performed; see shmctl(2)
4202
4203 Determine whether the subject identified by the credential can perform
4204 the operation indicated by cmd on the System V shared memory segment
4205 shmsegptr.
4206
4207 @return Return 0 if access is granted, otherwise an appropriate value for
4208 errno should be returned.
4209*/
4210typedef int mpo_sysvshm_check_shmctl_t(
4211 kauth_cred_t cred,
4212 struct shmid_kernel *shmsegptr,
4213 struct label *shmseglabel,
4214 int cmd
4215);
4216/**
4217 @brief Access control check for unmapping System V shared memory
4218 @param cred Subject credential
4219 @param shmsegptr Pointer to shared memory segment identifier
4220 @param shmseglabel Label associated with the shared memory segment
4221
4222 Determine whether the subject identified by the credential can unmap
4223 the System V shared memory segment associated with shmsegptr.
4224
4225 @return Return 0 if access is granted, otherwise an appropriate value for
4226 errno should be returned.
4227*/
4228typedef int mpo_sysvshm_check_shmdt_t(
4229 kauth_cred_t cred,
4230 struct shmid_kernel *shmsegptr,
4231 struct label *shmseglabel
4232);
4233/**
4234 @brief Access control check obtaining System V shared memory identifier
4235 @param cred Subject credential
4236 @param shmsegptr Pointer to shared memory segment identifier
4237 @param shmseglabel Label associated with the shared memory segment
4238 @param shmflg shmget flags; see shmget(2)
4239
4240 Determine whether the subject identified by the credential can get
4241 the System V shared memory segment address.
4242
4243 @return Return 0 if access is granted, otherwise an appropriate value for
4244 errno should be returned.
4245*/
4246typedef int mpo_sysvshm_check_shmget_t(
4247 kauth_cred_t cred,
4248 struct shmid_kernel *shmsegptr,
4249 struct label *shmseglabel,
4250 int shmflg
4251);
4252/**
4253 @brief Create a System V shared memory region label
4254 @param cred Subject credential
4255 @param shmsegptr The shared memory region being created
4256 @param shmlabel Label to associate with the new shared memory region
4257
4258 Label a new System V shared memory region. The label was previously
4259 initialized and associated with the shared memory region. At this
4260 time, an appropriate initial label value should be assigned to the
4261 object and stored in shmlabel.
4262*/
4263typedef void mpo_sysvshm_label_associate_t(
4264 kauth_cred_t cred,
4265 struct shmid_kernel *shmsegptr,
4266 struct label *shmlabel
4267);
4268/**
4269 @brief Destroy System V shared memory label
4270 @param label The label to be destroyed
4271
4272 Destroy a System V shared memory region label. Since the
4273 object is going out of scope, policy modules should free any
4274 internal storage associated with the label so that it may be
4275 destroyed.
4276*/
4277typedef void mpo_sysvshm_label_destroy_t(
4278 struct label *label
4279);
4280/**
4281 @brief Initialize System V Shared Memory region label
4282 @param label New label to initialize
4283
4284 Initialize the label for a newly instantiated System V Shared Memory
4285 region. Sleeping is permitted.
4286*/
4287typedef void mpo_sysvshm_label_init_t(
4288 struct label *label
4289);
4290/**
4291 @brief Clean up a System V Share Memory Region label
4292 @param shmlabel The label to be cleaned
4293
4294 Clean up a System V Shared Memory Region label. Darwin
4295 pre-allocates these objects at system boot time and re-uses them
4296 rather than allocating new ones. Before the memory regions are
4297 returned to the "free pool", policies can cleanup or overwrite any
4298 information present in the label.
4299*/
4300typedef void mpo_sysvshm_label_recycle_t(
4301 struct label *shmlabel
4302);
4303/**
4304 @brief Access control check for getting a process's task name
4305 @param cred Subject credential
4306 @param proc Object process
4307
4308 Determine whether the subject identified by the credential can get
4309 the passed process's task name port.
4310 This call is used by the task_name_for_pid(2) API.
4311
4312 @return Return 0 if access is granted, otherwise an appropriate value for
4313 errno should be returned. Suggested failure: EACCES for label mismatch,
4314 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4315*/
4316typedef int mpo_proc_check_get_task_name_t(
4317 kauth_cred_t cred,
4318 struct proc *p
4319);
4320/**
4321 @brief Access control check for getting a process's task port
4322 @param cred Subject credential
4323 @param proc Object process
4324
4325 Determine whether the subject identified by the credential can get
4326 the passed process's task control port.
4327 This call is used by the task_for_pid(2) API.
4328
4329 @return Return 0 if access is granted, otherwise an appropriate value for
4330 errno should be returned. Suggested failure: EACCES for label mismatch,
4331 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4332*/
4333typedef int mpo_proc_check_get_task_t(
4334 kauth_cred_t cred,
4335 struct proc *p
4336);
fe8ab488
A		 4337
4338/**
4339 @brief Check whether task's IPC may inherit across process exec
4340 @param proc current process instance
4341 @param cur_vp vnode pointer to current instance
4342 @param cur_offset offset of binary of currently executing image
4343 @param img_vp vnode pointer to to be exec'ed image
4344 @param img_offset offset into file which is selected for execution
4345 @param scriptvp vnode pointer of script file if any.
4346 @return Return 0 if access is granted.
4347 EPERM if parent does not have any entitlements.
4348 EACCESS if mismatch in entitlements
4349*/
4350typedef int mpo_proc_check_inherit_ipc_ports_t(
4351 struct proc *p,
4352 struct vnode *cur_vp,
4353 off_t cur_offset,
4354 struct vnode *img_vp,
4355 off_t img_offset,
4356 struct vnode *scriptvp
4357);
4358
593a1d5f 4359/**
b0d623f7 4360 @brief Privilege check for a process to run invalid
593a1d5f
A		 4361 @param proc Object process
4362
b0d623f7
A		 4363 Determine whether the process may execute even though the system determined
4364 that it is untrusted (eg unidentified / modified code).
593a1d5f
A		 4365
4366 @return Return 0 if access is granted, otherwise an appropriate value for
4367 errno should be returned.
4368 */
b0d623f7 4369typedef int mac_proc_check_run_cs_invalid_t(
593a1d5f
A		 4370 struct proc *p
4371);
4372
316670eb
A		 4373/**
4374 @brief Perform MAC-related events when a thread returns to user space
4375 @param thread Mach (not BSD) thread that is returning
4376
4377 This entry point permits policy modules to perform MAC-related
4378 events when a thread returns to user space, via a system call
4379 return or trap return.
4380*/
4381typedef void mpo_thread_userret_t(
4382 struct thread *thread
4383);
4384/**
4385 @brief Initialize per thread label
4386 @param label New label to initialize
4387
4388 Initialize the label for a newly instantiated thread.
4389 Sleeping is permitted.
4390*/
4391typedef void mpo_thread_label_init_t(
4392 struct label *label
4393);
4394/**
4395 @brief Destroy thread label
4396 @param label The label to be destroyed
4397
4398 Destroy a user thread label. Since the user thread
4399 is going out of scope, policy modules should free any internal
4400 storage associated with the label so that it may be destroyed.
4401*/
4402typedef void mpo_thread_label_destroy_t(
4403 struct label *label
4404);
2d21ac55
A		 4405/**
4406 @brief Check vnode access
4407 @param cred Subject credential
4408 @param vp Object vnode
4409 @param label Label for vp
4410 @param acc_mode access(2) flags
4411
4412 Determine how invocations of access(2) and related calls by the
4413 subject identified by the credential should return when performed
4414 on the passed vnode using the passed access flags. This should
4415 generally be implemented using the same semantics used in
4416 mpo_vnode_check_open.
4417
4418 @return Return 0 if access is granted, otherwise an appropriate value for
4419 errno should be returned. Suggested failure: EACCES for label mismatch or
4420 EPERM for lack of privilege.
4421*/
4422typedef int mpo_vnode_check_access_t(
4423 kauth_cred_t cred,
4424 struct vnode *vp,
4425 struct label *label,
4426 int acc_mode
4427);
4428/**
4429 @brief Access control check for changing working directory
4430 @param cred Subject credential
4431 @param dvp Object; vnode to chdir(2) into
4432 @param dlabel Policy label for dvp
4433
4434 Determine whether the subject identified by the credential can change
4435 the process working directory to the passed vnode.
4436
4437 @return Return 0 if access is granted, otherwise an appropriate value for
4438 errno should be returned. Suggested failure: EACCES for label mismatch or
4439 EPERM for lack of privilege.
4440*/
4441typedef int mpo_vnode_check_chdir_t(
4442 kauth_cred_t cred,
4443 struct vnode *dvp,
4444 struct label *dlabel
4445);
4446/**
4447 @brief Access control check for changing root directory
4448 @param cred Subject credential
4449 @param dvp Directory vnode
4450 @param dlabel Policy label associated with dvp
4451 @param cnp Component name for dvp
4452
4453 Determine whether the subject identified by the credential should be
4454 allowed to chroot(2) into the specified directory (dvp).
4455
4456 @return In the event of an error, an appropriate value for errno
4457 should be returned, otherwise return 0 upon success.
4458*/
4459typedef int mpo_vnode_check_chroot_t(
4460 kauth_cred_t cred,
4461 struct vnode *dvp,
4462 struct label *dlabel,
4463 struct componentname *cnp
4464);
4465/**
4466 @brief Access control check for creating vnode
4467 @param cred Subject credential
4468 @param dvp Directory vnode
4469 @param dlabel Policy label for dvp
4470 @param cnp Component name for dvp
4471 @param vap vnode attributes for vap
4472
4473 Determine whether the subject identified by the credential can create
4474 a vnode with the passed parent directory, passed name information,
4475 and passed attribute information. This call may be made in a number of
4476 situations, including as a result of calls to open(2) with O_CREAT,
4477 mknod(2), mkfifo(2), and others.
4478
4479 @return Return 0 if access is granted, otherwise an appropriate value for
4480 errno should be returned. Suggested failure: EACCES for label mismatch or
4481 EPERM for lack of privilege.
4482*/
4483typedef int mpo_vnode_check_create_t(
4484 kauth_cred_t cred,
4485 struct vnode *dvp,
4486 struct label *dlabel,
4487 struct componentname *cnp,
4488 struct vnode_attr *vap
4489);
4490/**
4491 @brief Access control check for deleting extended attribute
4492 @param cred Subject credential
4493 @param vp Object vnode
4494 @param vlabel Label associated with vp
4495 @param name Extended attribute name
4496
4497 Determine whether the subject identified by the credential can delete
4498 the extended attribute from the passed vnode.
4499
4500 @return Return 0 if access is granted, otherwise an appropriate value for
4501 errno should be returned. Suggested failure: EACCES for label mismatch or
4502 EPERM for lack of privilege.
4503*/
4504typedef int mpo_vnode_check_deleteextattr_t(
4505 kauth_cred_t cred,
4506 struct vnode *vp,
4507 struct label *vlabel,
4508 const char *name
4509);
4510/**
4511 @brief Access control check for exchanging file data
4512 @param cred Subject credential
4513 @param v1 vnode 1 to swap
4514 @param vl1 Policy label for v1
4515 @param v2 vnode 2 to swap
4516 @param vl2 Policy label for v2
4517
4518 Determine whether the subject identified by the credential can swap the data
4519 in the two supplied vnodes.
4520
4521 @return Return 0 if access is granted, otherwise an appropriate value for
4522 errno should be returned. Suggested failure: EACCES for label mismatch or
4523 EPERM for lack of privilege.
4524*/
4525typedef int mpo_vnode_check_exchangedata_t(
4526 kauth_cred_t cred,
4527 struct vnode *v1,
4528 struct label *vl1,
4529 struct vnode *v2,
4530 struct label *vl2
4531);
4532/**
4533 @brief Access control check for executing the vnode
4534 @param cred Subject credential
4535 @param vp Object vnode to execute
fe8ab488
A		 4536 @param scriptvp Script being executed by interpreter, if any.
4537 @param vnodelabel Label corresponding to vp
4538 @param scriptvnodelabel Script vnode label
2d21ac55
A		 4539 @param execlabel Userspace provided execution label
4540 @param cnp Component name for file being executed
39236c6e
A		 4541 @param macpolicyattr MAC policy-specific spawn attribute data.
4542 @param macpolicyattrlen Length of policy-specific spawn attribute data.
2d21ac55
A		 4543
4544 Determine whether the subject identified by the credential can execute
4545 the passed vnode. Determination of execute privilege is made separately
4546 from decisions about any process label transitioning event.
4547
4548 The final label, execlabel, corresponds to a label supplied by a
4549 user space application through the use of the mac_execve system call.
4550 This label will be NULL if the user application uses the the vendor
4551 execve(2) call instead of the MAC Framework mac_execve() call.
4552
4553 @return Return 0 if access is granted, otherwise an appropriate value for
4554 errno should be returned. Suggested failure: EACCES for label mismatch or
4555 EPERM for lack of privilege.
4556*/
4557typedef int mpo_vnode_check_exec_t(
4558 kauth_cred_t cred,
4559 struct vnode *vp,
fe8ab488
A		 4560 struct vnode *scriptvp,
4561 struct label *vnodelabel,
4562 struct label *scriptlabel,
2d21ac55
A		 4563 struct label *execlabel, /* NULLOK */
4564 struct componentname *cnp,
39236c6e
A		 4565 u_int *csflags,
4566 void *macpolicyattr,
4567 size_t macpolicyattrlen
2d21ac55 4568);
6d2010ae
A		 4569/**
4570 @brief Access control check for fsgetpath
4571 @param cred Subject credential
4572 @param vp Vnode for which a path will be returned
4573 @param label Label associated with the vnode
4574
4575 Determine whether the subject identified by the credential can get the path
4576 of the given vnode with fsgetpath.
4577
4578 @return Return 0 if access is granted, otherwise an appropriate value for
4579 errno should be returned.
4580*/
4581typedef int mpo_vnode_check_fsgetpath_t(
4582 kauth_cred_t cred,
4583 struct vnode *vp,
4584 struct label *label
4585);
593a1d5f
A		 4586/**
4587 @brief Access control check after determining the code directory hash
4588 */
4589typedef int mpo_vnode_check_signature_t(struct vnode *vp, struct label *label,
fe8ab488
A		 4590 off_t macho_offset, unsigned char *sha1,
4591 const void *signature, int size,
4592 int *is_platform_binary);
593a1d5f 4593
2d21ac55
A		 4594/**
4595 @brief Access control check for retrieving file attributes
4596 @param cred Subject credential
4597 @param vp Object vnode
4598 @param vlabel Policy label for vp
4599 @param alist List of attributes to retrieve
4600
4601 Determine whether the subject identified by the credential can read
4602 various attributes of the specified vnode, or the filesystem or volume on
4603 which that vnode resides. See <sys/attr.h> for definitions of the
4604 attributes.
4605
4606 @return Return 0 if access is granted, otherwise an appropriate value for
4607 errno should be returned. Suggested failure: EACCES for label mismatch or
4608 EPERM for lack of privilege. Access control covers all attributes requested
4609 with this call; the security policy is not permitted to change the set of
4610 attributes requested.
4611*/
4612typedef int mpo_vnode_check_getattrlist_t(
4613 kauth_cred_t cred,
4614 struct vnode *vp,
4615 struct label *vlabel,
4616 struct attrlist *alist
4617);
4618/**
4619 @brief Access control check for retrieving an extended attribute
4620 @param cred Subject credential
4621 @param vp Object vnode
4622 @param label Policy label for vp
4623 @param name Extended attribute name
4624 @param uio I/O structure pointer
4625
4626 Determine whether the subject identified by the credential can retrieve
4627 the extended attribute from the passed vnode. The uio parameter
4628 will be NULL when the getxattr(2) call has been made with a NULL data
4629 value; this is done to request the size of the data only.
4630
4631 @return Return 0 if access is granted, otherwise an appropriate value for
4632 errno should be returned. Suggested failure: EACCES for label mismatch or
4633 EPERM for lack of privilege.
4634*/
4635typedef int mpo_vnode_check_getextattr_t(
4636 kauth_cred_t cred,
4637 struct vnode *vp,
4638 struct label *label, /* NULLOK */
4639 const char *name,
4640 struct uio *uio /* NULLOK */
4641);
4642/**
4643 @brief Access control check for ioctl
4644 @param cred Subject credential
4645 @param vp Object vnode
4646 @param label Policy label for vp
4647 @param com Device-dependent request code; see ioctl(2)
4648
4649 Determine whether the subject identified by the credential can perform
4650 the ioctl operation indicated by com.
4651
4652 @warning Since ioctl data is opaque from the standpoint of the MAC
4653 framework, and since ioctls can affect many aspects of system
4654 operation, policies must exercise extreme care when implementing
4655 access control checks.
4656
4657 @return Return 0 if access is granted, otherwise an appropriate value for
4658 errno should be returned.
4659*/
4660typedef int mpo_vnode_check_ioctl_t(
4661 kauth_cred_t cred,
4662 struct vnode *vp,
4663 struct label *label,
4664 unsigned int cmd
4665);
4666/**
4667 @brief Access control check for vnode kqfilter
4668 @param cred Subject credential
4669 @param kn Object knote
4670 @param vp Object vnode
4671 @param label Policy label for vp
4672
4673 Determine whether the subject identified by the credential can
4674 receive the knote on the passed vnode.
4675
4676 @return Return 0 if access if granted, otherwise an appropriate
4677 value for errno should be returned.
4678*/
4679typedef int mpo_vnode_check_kqfilter_t(
4680 kauth_cred_t active_cred,
4681 kauth_cred_t file_cred, /* NULLOK */
4682 struct knote *kn,
4683 struct vnode *vp,
4684 struct label *label
4685);
4686/**
4687 @brief Access control check for relabel
4688 @param cred Subject credential
4689 @param vp Object vnode
4690 @param vnodelabel Existing policy label for vp
4691 @param newlabel Policy label update to later be applied to vp
4692 @see mpo_relable_vnode_t
4693
4694 Determine whether the subject identified by the credential can relabel
4695 the passed vnode to the passed label update. If all policies permit
4696 the label change, the actual relabel entry point (mpo_vnode_label_update)
4697 will follow.
4698
4699 @return Return 0 if access is granted, otherwise an appropriate value for
4700 errno should be returned.
4701*/
4702typedef int mpo_vnode_check_label_update_t(
4703 struct ucred *cred,
4704 struct vnode *vp,
4705 struct label *vnodelabel,
4706 struct label *newlabel
4707);
4708/**
4709 @brief Access control check for creating link
4710 @param cred Subject credential
4711 @param dvp Directory vnode
4712 @param dlabel Policy label associated with dvp
4713 @param vp Link destination vnode
4714 @param label Policy label associated with vp
4715 @param cnp Component name for the link being created
4716
4717 Determine whether the subject identified by the credential should be
4718 allowed to create a link to the vnode vp with the name specified by cnp.
4719
4720 @return Return 0 if access is granted, otherwise an appropriate value for
4721 errno should be returned.
4722*/
4723typedef int mpo_vnode_check_link_t(
4724 kauth_cred_t cred,
4725 struct vnode *dvp,
4726 struct label *dlabel,
4727 struct vnode *vp,
4728 struct label *label,
4729 struct componentname *cnp
4730);
4731/**
4732 @brief Access control check for listing extended attributes
4733 @param cred Subject credential
4734 @param vp Object vnode
4735 @param vlabel Policy label associated with vp
4736
4737 Determine whether the subject identified by the credential can retrieve
4738 a list of named extended attributes from a vnode.
4739
4740 @return Return 0 if access is granted, otherwise an appropriate value for
4741 errno should be returned.
4742*/
4743typedef int mpo_vnode_check_listextattr_t(
4744 kauth_cred_t cred,
4745 struct vnode *vp,
4746 struct label *vlabel
4747);
4748/**
4749 @brief Access control check for lookup
4750 @param cred Subject credential
4751 @param dvp Object vnode
4752 @param dlabel Policy label for dvp
4753 @param cnp Component name being looked up
4754
4755 Determine whether the subject identified by the credential can perform
4756 a lookup in the passed directory vnode for the passed name (cnp).
4757
4758 @return Return 0 if access is granted, otherwise an appropriate value for
4759 errno should be returned. Suggested failure: EACCES for label mismatch or
4760 EPERM for lack of privilege.
4761*/
4762typedef int mpo_vnode_check_lookup_t(
4763 kauth_cred_t cred,
4764 struct vnode *dvp,
4765 struct label *dlabel,
4766 struct componentname *cnp
4767);
4768/**
4769 @brief Access control check for open
4770 @param cred Subject credential
4771 @param vp Object vnode
4772 @param label Policy label associated with vp
4773 @param acc_mode open(2) access mode
4774
4775 Determine whether the subject identified by the credential can perform
4776 an open operation on the passed vnode with the passed access mode.
4777
4778 @return Return 0 if access is granted, otherwise an appropriate value for
4779 errno should be returned. Suggested failure: EACCES for label mismatch or
4780 EPERM for lack of privilege.
4781*/
4782typedef int mpo_vnode_check_open_t(
4783 kauth_cred_t cred,
4784 struct vnode *vp,
4785 struct label *label,
4786 int acc_mode
4787);
4788/**
4789 @brief Access control check for read
4790 @param active_cred Subject credential
4791 @param file_cred Credential associated with the struct fileproc
4792 @param vp Object vnode
4793 @param label Policy label for vp
4794
4795 Determine whether the subject identified by the credential can perform
4796 a read operation on the passed vnode. The active_cred hold the credentials
4797 of the subject performing the operation, and file_cred holds the
4798 credentials of the subject that originally opened the file.
4799
4800 @return Return 0 if access is granted, otherwise an appropriate value for
4801 errno should be returned. Suggested failure: EACCES for label mismatch or
4802 EPERM for lack of privilege.
4803*/
4804typedef int mpo_vnode_check_read_t(
4805 kauth_cred_t active_cred, /* SUBJECT */
4806 kauth_cred_t file_cred, /* NULLOK */
4807 struct vnode *vp, /* OBJECT */
4808 struct label *label /* LABEL */
4809);
4810/**
4811 @brief Access control check for read directory
4812 @param cred Subject credential
4813 @param dvp Object directory vnode
4814 @param dlabel Policy label for dvp
4815
4816 Determine whether the subject identified by the credential can
4817 perform a readdir operation on the passed directory vnode.
4818
4819 @return Return 0 if access is granted, otherwise an appropriate value for
4820 errno should be returned. Suggested failure: EACCES for label mismatch or
4821 EPERM for lack of privilege.
4822*/
4823typedef int mpo_vnode_check_readdir_t(
4824 kauth_cred_t cred, /* SUBJECT */
4825 struct vnode *dvp, /* OBJECT */
4826 struct label *dlabel /* LABEL */
4827);
4828/**
4829 @brief Access control check for read link
4830 @param cred Subject credential
4831 @param vp Object vnode
4832 @param label Policy label for vp
4833
4834 Determine whether the subject identified by the credential can perform
4835 a readlink operation on the passed symlink vnode. This call can be made
4836 in a number of situations, including an explicit readlink call by the
4837 user process, or as a result of an implicit readlink during a name
4838 lookup by the process.
4839
4840 @return Return 0 if access is granted, otherwise an appropriate value for
4841 errno should be returned. Suggested failure: EACCES for label mismatch or
4842 EPERM for lack of privilege.
4843*/
4844typedef int mpo_vnode_check_readlink_t(
4845 kauth_cred_t cred,
4846 struct vnode *vp,
4847 struct label *label
4848);
fe8ab488
A		 4849/**
4850 @brief Access control check for rename
4851 @param cred Subject credential
4852 @param dvp Directory vnode
4853 @param dlabel Policy label associated with dvp
4854 @param vp vnode to be renamed
4855 @param label Policy label associated with vp
4856 @param cnp Component name for vp
4857 @param tdvp Destination directory vnode
4858 @param tdlabel Policy label associated with tdvp
4859 @param tvp Overwritten vnode
4860 @param tlabel Policy label associated with tvp
4861 @param tcnp Destination component name
4862
4863 Determine whether the subject identified by the credential should be allowed
4864 to rename the vnode vp to something else.
4865
4866 @return Return 0 if access is granted, otherwise an appropriate value for
4867 errno should be returned.
4868*/
4869typedef int mpo_vnode_check_rename_t(
4870 kauth_cred_t cred,
4871 struct vnode *dvp,
4872 struct label *dlabel,
4873 struct vnode *vp,
4874 struct label *label,
4875 struct componentname *cnp,
4876 struct vnode *tdvp,
4877 struct label *tdlabel,
4878 struct vnode *tvp,
4879 struct label *tlabel,
4880 struct componentname *tcnp
4881);
2d21ac55
A		 4882/**
4883 @brief Access control check for rename from
4884 @param cred Subject credential
4885 @param dvp Directory vnode
4886 @param dlabel Policy label associated with dvp
4887 @param vp vnode to be renamed
4888 @param label Policy label associated with vp
4889 @param cnp Component name for vp
fe8ab488 4890 @see mpo_vnode_check_rename_t
2d21ac55
A		 4891 @see mpo_vnode_check_rename_to_t
4892
4893 Determine whether the subject identified by the credential should be
4894 allowed to rename the vnode vp to something else.
4895
4896 Due to VFS locking constraints (to make sure proper vnode locks are
4897 held during this entry point), the vnode relabel checks had to be
4898 split into two parts: relabel_from and relabel to.
4899
fe8ab488
A		 4900 This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
4901
2d21ac55
A		 4902 @return Return 0 if access is granted, otherwise an appropriate value for
4903 errno should be returned.
4904*/
4905typedef int mpo_vnode_check_rename_from_t(
4906 kauth_cred_t cred,
4907 struct vnode *dvp,
4908 struct label *dlabel,
4909 struct vnode *vp,
4910 struct label *label,
4911 struct componentname *cnp
4912);
4913/**
4914 @brief Access control check for rename to
4915 @param cred Subject credential
4916 @param dvp Directory vnode
4917 @param dlabel Policy label associated with dvp
4918 @param vp Overwritten vnode
4919 @param label Policy label associated with vp
4920 @param samedir Boolean; 1 if the source and destination directories are the same
4921 @param cnp Destination component name
fe8ab488 4922 @see mpo_vnode_check_rename_t
2d21ac55
A		 4923 @see mpo_vnode_check_rename_from_t
4924
4925 Determine whether the subject identified by the credential should be
4926 allowed to rename to the vnode vp, into the directory dvp, or to the
4927 name represented by cnp. If there is no existing file to overwrite,
4928 vp and label will be NULL.
4929
4930 Due to VFS locking constraints (to make sure proper vnode locks are
4931 held during this entry point), the vnode relabel checks had to be
4932 split into two parts: relabel_from and relabel to.
4933
fe8ab488
A		 4934 This hook is deprecated, mpo_vnode_check_rename_t should be used instead.
4935
2d21ac55
A		 4936 @return Return 0 if access is granted, otherwise an appropriate value for
4937 errno should be returned.
4938*/
4939typedef int mpo_vnode_check_rename_to_t(
4940 kauth_cred_t cred,
4941 struct vnode *dvp,
4942 struct label *dlabel,
4943 struct vnode *vp, /* NULLOK */
4944 struct label *label, /* NULLOK */
4945 int samedir,
4946 struct componentname *cnp
4947);
4948/**
4949 @brief Access control check for revoke
4950 @param cred Subject credential
4951 @param vp Object vnode
4952 @param label Policy label for vp
4953
4954 Determine whether the subject identified by the credential can revoke
4955 access to the passed vnode.
4956
4957 @return Return 0 if access is granted, otherwise an appropriate value for
4958 errno should be returned. Suggested failure: EACCES for label mismatch or
4959 EPERM for lack of privilege.
4960*/
4961typedef int mpo_vnode_check_revoke_t(
4962 kauth_cred_t cred,
4963 struct vnode *vp,
4964 struct label *label
4965);
6d2010ae
A		 4966/**
4967 @brief Access control check for searchfs
4968 @param cred Subject credential
4969 @param vp Object vnode
4970 @param vlabel Policy label for vp
4971 @param alist List of attributes used as search criteria
4972
4973 Determine whether the subject identified by the credential can search the
4974 vnode using the searchfs system call.
4975
4976 @return Return 0 if access is granted, otherwise an appropriate value for
4977 errno should be returned.
4978*/
4979typedef int mpo_vnode_check_searchfs_t(
4980 kauth_cred_t cred,
4981 struct vnode *vp,
4982 struct label *vlabel,
4983 struct attrlist *alist
4984);
2d21ac55
A		 4985/**
4986 @brief Access control check for select
4987 @param cred Subject credential
4988 @param vp Object vnode
4989 @param label Policy label for vp
4990 @param which The operation selected on: FREAD or FWRITE
4991
4992 Determine whether the subject identified by the credential can select
4993 the vnode.
4994
4995 @return Return 0 if access is granted, otherwise an appropriate value for
4996 errno should be returned.
4997*/
4998typedef int mpo_vnode_check_select_t(
4999 kauth_cred_t cred,
5000 struct vnode *vp,
5001 struct label *label,
5002 int which
5003);
5004/**
5005 @brief Access control check for setting file attributes
5006 @param cred Subject credential
5007 @param vp Object vnode
5008 @param vlabel Policy label for vp
5009 @param alist List of attributes to set
5010
5011 Determine whether the subject identified by the credential can set
5012 various attributes of the specified vnode, or the filesystem or volume on
5013 which that vnode resides. See <sys/attr.h> for definitions of the
5014 attributes.
5015
5016 @return Return 0 if access is granted, otherwise an appropriate value for
5017 errno should be returned. Suggested failure: EACCES for label mismatch or
5018 EPERM for lack of privilege. Access control covers all attributes requested
5019 with this call.
5020*/
5021typedef int mpo_vnode_check_setattrlist_t(
5022 kauth_cred_t cred,
5023 struct vnode *vp,
5024 struct label *vlabel,
5025 struct attrlist *alist
5026);
5027/**
5028 @brief Access control check for setting extended attribute
5029 @param cred Subject credential
5030 @param vp Object vnode
5031 @param label Policy label for vp
5032 @param name Extended attribute name
5033 @param uio I/O structure pointer
5034
5035 Determine whether the subject identified by the credential can set the
5036 extended attribute of passed name and passed namespace on the passed
5037 vnode. Policies implementing security labels backed into extended
5038 attributes may want to provide additional protections for those
5039 attributes. Additionally, policies should avoid making decisions based
5040 on the data referenced from uio, as there is a potential race condition
5041 between this check and the actual operation. The uio may also be NULL
5042 if a delete operation is being performed.
5043
5044 @return Return 0 if access is granted, otherwise an appropriate value for
5045 errno should be returned. Suggested failure: EACCES for label mismatch or
5046 EPERM for lack of privilege.
5047*/
5048typedef int mpo_vnode_check_setextattr_t(
5049 kauth_cred_t cred,
5050 struct vnode *vp,
5051 struct label *label,
5052 const char *name,
5053 struct uio *uio
5054);
5055/**
5056 @brief Access control check for setting flags
5057 @param cred Subject credential
5058 @param vp Object vnode
5059 @param label Policy label for vp
5060 @param flags File flags; see chflags(2)
5061
5062 Determine whether the subject identified by the credential can set
5063 the passed flags on the passed vnode.
5064
5065 @return Return 0 if access is granted, otherwise an appropriate value for
5066 errno should be returned. Suggested failure: EACCES for label mismatch or
5067 EPERM for lack of privilege.
5068*/
5069typedef int mpo_vnode_check_setflags_t(
5070 kauth_cred_t cred,
5071 struct vnode *vp,
5072 struct label *label,
5073 u_long flags
5074);
5075/**
5076 @brief Access control check for setting mode
5077 @param cred Subject credential
5078 @param vp Object vnode
5079 @param label Policy label for vp
5080 @param mode File mode; see chmod(2)
5081
5082 Determine whether the subject identified by the credential can set
5083 the passed mode on the passed vnode.
5084
5085 @return Return 0 if access is granted, otherwise an appropriate value for
5086 errno should be returned. Suggested failure: EACCES for label mismatch or
5087 EPERM for lack of privilege.
5088*/
5089typedef int mpo_vnode_check_setmode_t(
5090 kauth_cred_t cred,
5091 struct vnode *vp,
5092 struct label *label,
5093 mode_t mode
5094);
5095/**
5096 @brief Access control check for setting uid and gid
5097 @param cred Subject credential
5098 @param vp Object vnode
5099 @param label Policy label for vp
5100 @param uid User ID
5101 @param gid Group ID
5102
5103 Determine whether the subject identified by the credential can set
5104 the passed uid and passed gid as file uid and file gid on the passed
5105 vnode. The IDs may be set to (-1) to request no update.
5106
5107 @return Return 0 if access is granted, otherwise an appropriate value for
5108 errno should be returned. Suggested failure: EACCES for label mismatch or
5109 EPERM for lack of privilege.
5110*/
5111typedef int mpo_vnode_check_setowner_t(
5112 kauth_cred_t cred,
5113 struct vnode *vp,
5114 struct label *label,
5115 uid_t uid,
5116 gid_t gid
5117);
5118/**
5119 @brief Access control check for setting timestamps
5120 @param cred Subject credential
5121 @param vp Object vnode
5122 @param label Policy label for vp
5123 @param atime Access time; see utimes(2)
5124 @param mtime Modification time; see utimes(2)
5125
5126 Determine whether the subject identified by the credential can set
5127 the passed access timestamps on the passed vnode.
5128
5129 @return Return 0 if access is granted, otherwise an appropriate value for
5130 errno should be returned. Suggested failure: EACCES for label mismatch or
5131 EPERM for lack of privilege.
5132*/
5133typedef int mpo_vnode_check_setutimes_t(
5134 kauth_cred_t cred,
5135 struct vnode *vp,
5136 struct label *label,
5137 struct timespec atime,
5138 struct timespec mtime
5139);
5140/**
5141 @brief Access control check for stat
5142 @param active_cred Subject credential
5143 @param file_cred Credential associated with the struct fileproc
5144 @param vp Object vnode
5145 @param label Policy label for vp
5146
5147 Determine whether the subject identified by the credential can stat
5148 the passed vnode. See stat(2) for more information. The active_cred
5149 hold the credentials of the subject performing the operation, and
5150 file_cred holds the credentials of the subject that originally
5151 opened the file.
5152
5153 @return Return 0 if access is granted, otherwise an appropriate value for
5154 errno should be returned. Suggested failure: EACCES for label mismatch or
5155 EPERM for lack of privilege.
5156*/
5157typedef int mpo_vnode_check_stat_t(
5158 struct ucred *active_cred,
5159 struct ucred *file_cred, /* NULLOK */
5160 struct vnode *vp,
5161 struct label *label
5162);
5163/**
5164 @brief Access control check for truncate/ftruncate
5165 @param active_cred Subject credential
5166 @param file_cred Credential associated with the struct fileproc
5167 @param vp Object vnode
5168 @param label Policy label for vp
5169
5170 Determine whether the subject identified by the credential can
5171 perform a truncate operation on the passed vnode. The active_cred hold
5172 the credentials of the subject performing the operation, and
5173 file_cred holds the credentials of the subject that originally
5174 opened the file.
5175
5176 @return Return 0 if access is granted, otherwise an appropriate value for
5177 errno should be returned. Suggested failure: EACCES for label mismatch or
5178 EPERM for lack of privilege.
5179*/
5180typedef int mpo_vnode_check_truncate_t(
5181 kauth_cred_t active_cred,
5182 kauth_cred_t file_cred, /* NULLOK */
5183 struct vnode *vp,
5184 struct label *label
5185);
b0d623f7
A		 5186/**
5187 @brief Access control check for binding UNIX domain socket
5188 @param cred Subject credential
5189 @param dvp Directory vnode
5190 @param dlabel Policy label for dvp
5191 @param cnp Component name for dvp
5192 @param vap vnode attributes for vap
5193
5194 Determine whether the subject identified by the credential can perform a
5195 bind operation on a UNIX domain socket with the passed parent directory,
5196 passed name information, and passed attribute information.
5197
5198 @return Return 0 if access is granted, otherwise an appropriate value for
5199 errno should be returned. Suggested failure: EACCES for label mismatch or
5200 EPERM for lack of privilege.
5201*/
5202typedef int mpo_vnode_check_uipc_bind_t(
5203 kauth_cred_t cred,
5204 struct vnode *dvp,
5205 struct label *dlabel,
5206 struct componentname *cnp,
5207 struct vnode_attr *vap
5208);
5209/**
5210 @brief Access control check for connecting UNIX domain socket
5211 @param cred Subject credential
5212 @param vp Object vnode
5213 @param label Policy label associated with vp
5214
5215 Determine whether the subject identified by the credential can perform a
5216 connect operation on the passed UNIX domain socket vnode.
5217
5218 @return Return 0 if access is granted, otherwise an appropriate value for
5219 errno should be returned. Suggested failure: EACCES for label mismatch or
5220 EPERM for lack of privilege.
5221*/
5222typedef int mpo_vnode_check_uipc_connect_t(
5223 kauth_cred_t cred,
5224 struct vnode *vp,
5225 struct label *label
5226);
2d21ac55
A		 5227/**
5228 @brief Access control check for deleting vnode
5229 @param cred Subject credential
5230 @param dvp Parent directory vnode
5231 @param dlabel Policy label for dvp
5232 @param vp Object vnode to delete
5233 @param label Policy label for vp
5234 @param cnp Component name for vp
5235 @see mpo_check_rename_to_t
5236
5237 Determine whether the subject identified by the credential can delete
5238 a vnode from the passed parent directory and passed name information.
5239 This call may be made in a number of situations, including as a
5240 results of calls to unlink(2) and rmdir(2). Policies implementing
5241 this entry point should also implement mpo_check_rename_to to
5242 authorize deletion of objects as a result of being the target of a rename.
5243
5244 @return Return 0 if access is granted, otherwise an appropriate value for
5245 errno should be returned. Suggested failure: EACCES for label mismatch or
5246 EPERM for lack of privilege.
5247*/
5248typedef int mpo_vnode_check_unlink_t(
5249 kauth_cred_t cred,
5250 struct vnode *dvp,
5251 struct label *dlabel,
5252 struct vnode *vp,
5253 struct label *label,
5254 struct componentname *cnp
5255);
5256/**
5257 @brief Access control check for write
5258 @param active_cred Subject credential
5259 @param file_cred Credential associated with the struct fileproc
5260 @param vp Object vnode
5261 @param label Policy label for vp
5262
5263 Determine whether the subject identified by the credential can
5264 perform a write operation on the passed vnode. The active_cred hold
5265 the credentials of the subject performing the operation, and
5266 file_cred holds the credentials of the subject that originally
5267 opened the file.
5268
5269 @return Return 0 if access is granted, otherwise an appropriate value for
5270 errno should be returned. Suggested failure: EACCES for label mismatch or
5271 EPERM for lack of privilege.
5272*/
5273typedef int mpo_vnode_check_write_t(
5274 kauth_cred_t active_cred,
5275 kauth_cred_t file_cred, /* NULLOK */
5276 struct vnode *vp,
5277 struct label *label
5278);
5279/**
5280 @brief Associate a vnode with a devfs entry
5281 @param mp Devfs mount point
5282 @param mntlabel Devfs mount point label
5283 @param de Devfs directory entry
5284 @param delabel Label associated with de
5285 @param vp vnode associated with de
5286 @param vlabel Label associated with vp
5287
5288 Fill in the label (vlabel) for a newly created devfs vnode. The
5289 label is typically derived from the label on the devfs directory
5290 entry or the label on the filesystem, supplied as parameters.
5291*/
5292typedef void mpo_vnode_label_associate_devfs_t(
5293 struct mount *mp,
5294 struct label *mntlabel,
5295 struct devnode *de,
5296 struct label *delabel,
5297 struct vnode *vp,
5298 struct label *vlabel
5299);
5300/**
5301 @brief Associate a label with a vnode
5302 @param mp File system mount point
5303 @param mntlabel File system mount point label
5304 @param vp Vnode to label
5305 @param vlabel Label associated with vp
5306
5307 Attempt to retrieve label information for the vnode, vp, from the
5308 file system extended attribute store. The label should be stored in
5309 the supplied vlabel parameter. If a policy cannot retrieve an
5310 extended attribute, sometimes it is acceptible to fallback to using
5311 the mntlabel.
5312
5313 If the policy requires vnodes to have a valid label elsewhere it
5314 MUST NOT return other than temporary errors, and must always provide
5315 a valid label of some sort. Returning an error will cause vnode
5316 labeling to be retried at a later access. Failure to handle policy
5317 centric errors internally (corrupt labels etc.) will result in
5318 inaccessible files.
5319
5320 @return In the event of an error, an appropriate value for errno
5321 should be returned, otherwise return 0 upon success.
5322*/
5323typedef int mpo_vnode_label_associate_extattr_t(
5324 struct mount *mp,
5325 struct label *mntlabel,
5326 struct vnode *vp,
5327 struct label *vlabel
5328);
5329/**
5330 @brief Associate a file label with a vnode
5331 @param cred User credential
5332 @param mp Fdesc mount point
5333 @param mntlabel Fdesc mount point label
5334 @param fg Fileglob structure
5335 @param label Policy label for fg
5336 @param vp Vnode to label
5337 @param vlabel Label associated with vp
5338
5339 Associate label information for the vnode, vp, with the label of
5340 the open file descriptor described by fg.
5341 The label should be stored in the supplied vlabel parameter.
5342*/
5343typedef void mpo_vnode_label_associate_file_t(
5344 struct ucred *cred,
5345 struct mount *mp,
5346 struct label *mntlabel,
5347 struct fileglob *fg,
5348 struct label *label,
5349 struct vnode *vp,
5350 struct label *vlabel
5351);
5352/**
5353 @brief Associate a pipe label with a vnode
5354 @param cred User credential for the process that opened the pipe
5355 @param cpipe Pipe structure
5356 @param pipelabel Label associated with pipe
5357 @param vp Vnode to label
5358 @param vlabel Label associated with vp
5359
5360 Associate label information for the vnode, vp, with the label of
5361 the pipe described by the pipe structure cpipe.
5362 The label should be stored in the supplied vlabel parameter.
5363*/
5364typedef void mpo_vnode_label_associate_pipe_t(
5365 struct ucred *cred,
5366 struct pipe *cpipe,
5367 struct label *pipelabel,
5368 struct vnode *vp,
5369 struct label *vlabel
5370);
5371/**
5372 @brief Associate a POSIX semaphore label with a vnode
5373 @param cred User credential for the process that create psem
5374 @param psem POSIX semaphore structure
5375 @param psemlabel Label associated with psem
5376 @param vp Vnode to label
5377 @param vlabel Label associated with vp
5378
5379 Associate label information for the vnode, vp, with the label of
5380 the POSIX semaphore described by psem.
5381 The label should be stored in the supplied vlabel parameter.
5382*/
5383typedef void mpo_vnode_label_associate_posixsem_t(
5384 struct ucred *cred,
5385 struct pseminfo *psem,
5386 struct label *psemlabel,
5387 struct vnode *vp,
5388 struct label *vlabel
5389);
5390/**
5391 @brief Associate a POSIX shared memory label with a vnode
5392 @param cred User credential for the process that created pshm
5393 @param pshm POSIX shared memory structure
5394 @param pshmlabel Label associated with pshm
5395 @param vp Vnode to label
5396 @param vlabel Label associated with vp
5397
5398 Associate label information for the vnode, vp, with the label of
5399 the POSIX shared memory region described by pshm.
5400 The label should be stored in the supplied vlabel parameter.
5401*/
5402typedef void mpo_vnode_label_associate_posixshm_t(
5403 struct ucred *cred,
5404 struct pshminfo *pshm,
5405 struct label *pshmlabel,
5406 struct vnode *vp,
5407 struct label *vlabel
5408);
5409/**
5410 @brief Associate a label with a vnode
5411 @param mp File system mount point
5412 @param mntlabel File system mount point label
5413 @param vp Vnode to label
5414 @param vlabel Label associated with vp
5415
5416 On non-multilabel file systems, set the label for a vnode. The
5417 label will most likely be based on the file system label.
5418*/
5419typedef void mpo_vnode_label_associate_singlelabel_t(
5420 struct mount *mp,
5421 struct label *mntlabel,
5422 struct vnode *vp,
5423 struct label *vlabel
5424);
5425/**
5426 @brief Associate a socket label with a vnode
5427 @param cred User credential for the process that opened the socket
5428 @param so Socket structure
5429 @param solabel Label associated with so
5430 @param vp Vnode to label
5431 @param vlabel Label associated with vp
5432
5433 Associate label information for the vnode, vp, with the label of
5434 the open socket described by the socket structure so.
5435 The label should be stored in the supplied vlabel parameter.
5436*/
5437typedef void mpo_vnode_label_associate_socket_t(
5438 kauth_cred_t cred,
5439 socket_t so,
5440 struct label *solabel,
5441 struct vnode *vp,
5442 struct label *vlabel
5443);
5444/**
5445 @brief Copy a vnode label
5446 @param src Source vnode label
5447 @param dest Destination vnode label
5448
5449 Copy the vnode label information from src to dest. On Darwin, this
5450 is currently only necessary when executing interpreted scripts, but
5451 will later be used if vnode label externalization cannot be an
5452 atomic operation.
5453*/
5454typedef void mpo_vnode_label_copy_t(
5455 struct label *src,
5456 struct label *dest
5457);
5458/**
5459 @brief Destroy vnode label
5460 @param label The label to be destroyed
5461
5462 Destroy a vnode label. Since the object is going out of scope,
5463 policy modules should free any internal storage associated with the
5464 label so that it may be destroyed.
5465*/
5466typedef void mpo_vnode_label_destroy_t(
5467 struct label *label
5468);
5469/**
5470 @brief Externalize a vnode label for auditing
5471 @param label Label to be externalized
5472 @param element_name Name of the label namespace for which labels should be
5473 externalized
5474 @param sb String buffer to be filled with a text representation of the label
5475
5476 Produce an external representation of the label on a vnode suitable for
5477 inclusion in an audit record. An externalized label consists of a text
5478 representation of the label contents that will be added to the audit record
5479 as part of a text token. Policy-agnostic user space tools will display
5480 this externalized version.
5481
5482 @return 0 on success, return non-zero if an error occurs while
5483 externalizing the label data.
5484
5485*/
5486typedef int mpo_vnode_label_externalize_audit_t(
5487 struct label *label,
5488 char *element_name,
5489 struct sbuf *sb
5490);
5491/**
5492 @brief Externalize a vnode label
5493 @param label Label to be externalized
5494 @param element_name Name of the label namespace for which labels should be
5495 externalized
5496 @param sb String buffer to be filled with a text representation of the label
5497
5498 Produce an external representation of the label on a vnode. An
5499 externalized label consists of a text representation of the label
5500 contents that can be used with user applications. Policy-agnostic
5501 user space tools will display this externalized version.
5502
5503 @return 0 on success, return non-zero if an error occurs while
5504 externalizing the label data.
5505
5506*/
5507typedef int mpo_vnode_label_externalize_t(
5508 struct label *label,
5509 char *element_name,
5510 struct sbuf *sb
5511);
5512/**
5513 @brief Initialize vnode label
5514 @param label New label to initialize
5515
5516 Initialize label storage for use with a newly instantiated vnode, or
5517 for temporary storage associated with the copying in or out of a
5518 vnode label. While it is necessary to allocate space for a
5519 kernel-resident vnode label, it is not yet necessary to link this vnode
5520 with persistent label storage facilities, such as extended attributes.
5521 Sleeping is permitted.
5522*/
5523typedef void mpo_vnode_label_init_t(
5524 struct label *label
5525);
5526/**
5527 @brief Internalize a vnode label
5528 @param label Label to be internalized
5529 @param element_name Name of the label namespace for which the label should
5530 be internalized
5531 @param element_data Text data to be internalized
5532
5533 Produce a vnode label from an external representation. An
5534 externalized label consists of a text representation of the label
5535 contents that can be used with user applications. Policy-agnostic
5536 user space tools will forward text version to the kernel for
5537 processing by individual policy modules.
5538
5539 The policy's internalize entry points will be called only if the
5540 policy has registered interest in the label namespace.
5541
5542 @return 0 on success, Otherwise, return non-zero if an error occurs
5543 while internalizing the label data.
5544*/
5545typedef int mpo_vnode_label_internalize_t(
5546 struct label *label,
5547 char *element_name,
5548 char *element_data
5549);
5550/**
5551 @brief Clean up a vnode label
5552 @param label The label to be cleaned for re-use
5553
5554 Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but
5555 typically never frees them. Before vnodes are placed back on free lists for
5556 re-use, policies can cleanup or overwrite any information present in the label.
5557*/
5558typedef void mpo_vnode_label_recycle_t(
5559 struct label *label
5560);
5561/**
5562 @brief Write a label to a extended attribute
5563 @param cred Subject credential
5564 @param vp The vnode for which the label is being stored
5565 @param vlabel Label associated with vp
5566 @param intlabel The new label to store
5567
5568 Store a new label in the extended attribute corresponding to the
5569 supplied vnode. The policy has already authorized the operation;
5570 this call must be implemented in order to perform the actual
5571 operation.
5572
5573 @return In the event of an error, an appropriate value for errno
5574 should be returned, otherwise return 0 upon success.
5575
5576 @warning XXX After examining the extended attribute implementation on
5577 Apple's future release, this entry point may be changed.
5578*/
5579typedef int mpo_vnode_label_store_t(
5580 kauth_cred_t cred,
5581 struct vnode *vp,
5582 struct label *vlabel,
5583 struct label *intlabel
5584);
5585/**
5586 @brief Update vnode label from extended attributes
5587 @param mp File system mount point
5588 @param mntlabel Mount point label
5589 @param vp Vnode to label
5590 @param vlabel Label associated with vp
5591 @param name Name of the xattr
5592 @see mpo_vnode_check_setextattr_t
5593
5594 When an extended attribute is updated via the Vendor attribute management
5595 functions, the MAC vnode label might also require an update.
5596 Policies should first determine if 'name' matches their xattr label
5597 name. If it does, the kernel is has either replaced or removed the
5598 named extended attribute that was previously associated with the
5599 vnode. Normally labels should only be modified via MAC Framework label
5600 management calls, but sometimes the user space components will directly
5601 modify extended attributes. For example, 'cp', 'tar', etc. manage
5602 extended attributes in userspace, not the kernel.
5603
5604 This entry point is called after the label update has occurred, so
5605 it cannot return a failure. However, the operation is preceded by
5606 the mpo_vnode_check_setextattr() access control check.
5607
5608 If the vnode label needs to be updated the policy should return
5609 a non-zero value. The vnode label will be marked for re-association
5610 by the framework.
5611*/
5612typedef int mpo_vnode_label_update_extattr_t(
5613 struct mount *mp,
5614 struct label *mntlabel,
5615 struct vnode *vp,
5616 struct label *vlabel,
5617 const char *name
5618);
5619/**
5620 @brief Update a vnode label
5621 @param cred Subject credential
5622 @param vp The vnode to relabel
5623 @param vnodelabel Existing vnode label
5624 @param label New label to replace existing label
5625 @see mpo_vnode_check_label_update_t
5626
5627 The subject identified by the credential has previously requested
5628 and was authorized to relabel the vnode; this entry point allows
5629 policies to perform the actual relabel operation. Policies should
5630 update vnodelabel using the label stored in the label parameter.
5631*/
5632typedef void mpo_vnode_label_update_t(
5633 kauth_cred_t cred,
5634 struct vnode *vp,
5635 struct label *vnodelabel,
5636 struct label *label
5637);
39236c6e
A		 5638/**
5639 @brief Find deatched signatures for a shared library
5640 @param p file trying to find the signature
5641 @param vp The vnode to relabel
5642 @param offset offset in the macho that the signature is requested for (for fat binaries)
5643 @param label Existing vnode label
5644
5645*/
5646typedef int mpo_vnode_find_sigs_t(
5647 struct proc *p,
5648 struct vnode *vp,
5649 off_t offset,
5650 struct label *label
5651);
2d21ac55
A		 5652/**
5653 @brief Create a new vnode, backed by extended attributes
5654 @param cred User credential for the creating process
5655 @param mp File system mount point
5656 @param mntlabel File system mount point label
5657 @param dvp Parent directory vnode
5658 @param dlabel Parent directory vnode label
5659 @param vp Newly created vnode
5660 @param vlabel Label to associate with the new vnode
5661 @param cnp Component name for vp
5662
5663 Write out the label for the newly created vnode, most likely storing
5664 the results in a file system extended attribute. Most policies will
5665 derive the new vnode label using information from a combination
5666 of the subject (user) credential, the file system label, the parent
5667 directory label, and potentially the path name component.
5668
5669 @return If the operation succeeds, store the new label in vlabel and
5670 return 0. Otherwise, return an appropriate errno value.
5671*/
5672typedef int mpo_vnode_notify_create_t(
5673 kauth_cred_t cred,
5674 struct mount *mp,
5675 struct label *mntlabel,
5676 struct vnode *dvp,
5677 struct label *dlabel,
5678 struct vnode *vp,
5679 struct label *vlabel,
5680 struct componentname *cnp
5681);
5682
4b17d6b6
A		 5683/**
5684 @brief Inform MAC policies that a vnode has been opened
5685 @param cred User credential for the creating process
5686 @param vp vnode opened
5687 @param label Policy label for the vp
5688 @param acc_mode open(2) access mode used
5689
5690 Inform Mac policies that a vnode have been successfully opened
5691 (passing all MAC polices and DAC).
5692*/
5693typedef void mpo_vnode_notify_open_t(
5694 kauth_cred_t cred,
5695 struct vnode *vp,
5696 struct label *label,
5697 int acc_mode
5698);
5699
6d2010ae
A		 5700/**
5701 @brief Inform MAC policies that a vnode has been renamed
5702 @param cred User credential for the renaming process
5703 @param vp Vnode that's being renamed
5704 @param label Policy label for vp
5705 @param dvp Parent directory for the destination
5706 @param dlabel Policy label for dvp
5707 @param cnp Component name for the destination
5708
5709 Inform MAC policies that a vnode has been renamed.
5710 */
5711typedef void mpo_vnode_notify_rename_t(
5712 kauth_cred_t cred,
5713 struct vnode *vp,
5714 struct label *label,
5715 struct vnode *dvp,
5716 struct label *dlabel,
5717 struct componentname *cnp
5718);
5719
39236c6e
A		 5720/**
5721 @brief Inform MAC policies that a vnode has been linked
5722 @param cred User credential for the renaming process
5723 @param dvp Parent directory for the destination
5724 @param dlabel Policy label for dvp
5725 @param vp Vnode that's being linked
5726 @param vlabel Policy label for vp
5727 @param cnp Component name for the destination
5728
5729 Inform MAC policies that a vnode has been linked.
5730 */
5731typedef void mpo_vnode_notify_link_t(
5732 kauth_cred_t cred,
5733 struct vnode *dvp,
5734 struct label *dlabel,
5735 struct vnode *vp,
5736 struct label *vlabel,
5737 struct componentname *cnp
5738);
5739
5740/**
5741 @brief Inform MAC policies that a pty slave has been granted
5742 @param p Responsible process
5743 @param tp tty data structure
5744 @param dev Major and minor numbers of device
5745 @param label Policy label for tp
5746
5747 Inform MAC policies that a pty slave has been granted.
5748*/
5749typedef void mpo_pty_notify_grant_t(
5750 proc_t p,
5751 struct tty *tp,
5752 dev_t dev,
5753 struct label *label
5754);
5755
5756/**
5757 @brief Inform MAC policies that a pty master has been closed
5758 @param p Responsible process
5759 @param tp tty data structure
5760 @param dev Major and minor numbers of device
5761 @param label Policy label for tp
5762
5763 Inform MAC policies that a pty master has been closed.
5764*/
5765typedef void mpo_pty_notify_close_t(
5766 proc_t p,
5767 struct tty *tp,
5768 dev_t dev,
5769 struct label *label
5770);
5771
5772/**
5773 @brief Access control check for kext loading
5774 @param cred Subject credential
5775 @param identifier Kext identifier
5776
5777 Determine whether the subject identified by the credential can load the
5778 specified kext.
5779
5780 @return Return 0 if access is granted, otherwise an appropriate value for
5781 errno should be returned. Suggested failure: EPERM for lack of privilege.
5782*/
5783typedef int mpo_kext_check_load_t(
5784 kauth_cred_t cred,
5785 const char *identifier
5786);
5787
5788/**
5789 @brief Access control check for kext unloading
5790 @param cred Subject credential
5791 @param identifier Kext identifier
5792
5793 Determine whether the subject identified by the credential can unload the
5794 specified kext.
5795
5796 @return Return 0 if access is granted, otherwise an appropriate value for
5797 errno should be returned. Suggested failure: EPERM for lack of privilege.
5798*/
5799typedef int mpo_kext_check_unload_t(
5800 kauth_cred_t cred,
5801 const char *identifier
5802);
5803
2d21ac55
A		 5804/*
5805 * Placeholder for future events that may need mac hooks.
5806 */
5807typedef void mpo_reserved_hook_t(void);
5808
39236c6e
A		 5809/*
5810 * Policy module operations.
5811 *
5812 * Please note that this should be kept in sync with the check assumptions
5813 * policy in bsd/kern/policy_check.c (policy_ops struct).
5814 */
fe8ab488 5815#define MAC_POLICY_OPS_VERSION 31 /* inc when new reserved slots are taken */
2d21ac55
A		 5816struct mac_policy_ops {
5817 mpo_audit_check_postselect_t *mpo_audit_check_postselect;
5818 mpo_audit_check_preselect_t *mpo_audit_check_preselect;
39236c6e 5819
2d21ac55
A		 5820 mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
5821 mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
5822 mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init;
5823 mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive;
39236c6e 5824
2d21ac55
A		 5825 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
5826 mpo_cred_check_label_update_t *mpo_cred_check_label_update;
5827 mpo_cred_check_visible_t *mpo_cred_check_visible;
5828 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork;
5829 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel;
5830 mpo_cred_label_associate_t *mpo_cred_label_associate;
5831 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user;
5832 mpo_cred_label_destroy_t *mpo_cred_label_destroy;
5833 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit;
5834 mpo_cred_label_externalize_t *mpo_cred_label_externalize;
5835 mpo_cred_label_init_t *mpo_cred_label_init;
5836 mpo_cred_label_internalize_t *mpo_cred_label_internalize;
5837 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve;
5838 mpo_cred_label_update_t *mpo_cred_label_update;
39236c6e 5839
2d21ac55
A		 5840 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device;
5841 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory;
5842 mpo_devfs_label_copy_t *mpo_devfs_label_copy;
5843 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy;
5844 mpo_devfs_label_init_t *mpo_devfs_label_init;
5845 mpo_devfs_label_update_t *mpo_devfs_label_update;
39236c6e 5846
2d21ac55
A		 5847 mpo_file_check_change_offset_t *mpo_file_check_change_offset;
5848 mpo_file_check_create_t *mpo_file_check_create;
5849 mpo_file_check_dup_t *mpo_file_check_dup;
5850 mpo_file_check_fcntl_t *mpo_file_check_fcntl;
5851 mpo_file_check_get_offset_t *mpo_file_check_get_offset;
5852 mpo_file_check_get_t *mpo_file_check_get;
5853 mpo_file_check_inherit_t *mpo_file_check_inherit;
5854 mpo_file_check_ioctl_t *mpo_file_check_ioctl;
5855 mpo_file_check_lock_t *mpo_file_check_lock;
5856 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade;
5857 mpo_file_check_mmap_t *mpo_file_check_mmap;
5858 mpo_file_check_receive_t *mpo_file_check_receive;
5859 mpo_file_check_set_t *mpo_file_check_set;
5860 mpo_file_label_init_t *mpo_file_label_init;
5861 mpo_file_label_destroy_t *mpo_file_label_destroy;
5862 mpo_file_label_associate_t *mpo_file_label_associate;
39236c6e 5863
2d21ac55
A		 5864 mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update;
5865 mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit;
5866 mpo_ifnet_label_associate_t *mpo_ifnet_label_associate;
5867 mpo_ifnet_label_copy_t *mpo_ifnet_label_copy;
5868 mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy;
5869 mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize;
5870 mpo_ifnet_label_init_t *mpo_ifnet_label_init;
5871 mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize;
5872 mpo_ifnet_label_update_t *mpo_ifnet_label_update;
5873 mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle;
39236c6e 5874
2d21ac55
A		 5875 mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver;
5876 mpo_inpcb_label_associate_t *mpo_inpcb_label_associate;
5877 mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy;
5878 mpo_inpcb_label_init_t *mpo_inpcb_label_init;
5879 mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle;
5880 mpo_inpcb_label_update_t *mpo_inpcb_label_update;
39236c6e 5881
2d21ac55 5882 mpo_iokit_check_device_t *mpo_iokit_check_device;
39236c6e 5883
2d21ac55
A		 5884 mpo_ipq_label_associate_t *mpo_ipq_label_associate;
5885 mpo_ipq_label_compare_t *mpo_ipq_label_compare;
5886 mpo_ipq_label_destroy_t *mpo_ipq_label_destroy;
5887 mpo_ipq_label_init_t *mpo_ipq_label_init;
5888 mpo_ipq_label_update_t *mpo_ipq_label_update;
39236c6e 5889
2d21ac55
A		 5890 mpo_lctx_check_label_update_t *mpo_lctx_check_label_update;
5891 mpo_lctx_label_destroy_t *mpo_lctx_label_destroy;
5892 mpo_lctx_label_externalize_t *mpo_lctx_label_externalize;
5893 mpo_lctx_label_init_t *mpo_lctx_label_init;
5894 mpo_lctx_label_internalize_t *mpo_lctx_label_internalize;
5895 mpo_lctx_label_update_t *mpo_lctx_label_update;
5896 mpo_lctx_notify_create_t *mpo_lctx_notify_create;
5897 mpo_lctx_notify_join_t *mpo_lctx_notify_join;
5898 mpo_lctx_notify_leave_t *mpo_lctx_notify_leave;
39236c6e 5899
2d21ac55
A		 5900 mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
5901 mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
5902 mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
5903 mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq;
5904 mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
5905 mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap;
5906 mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
5907 mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
5908 mpo_mbuf_label_copy_t *mpo_mbuf_label_copy;
5909 mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy;
5910 mpo_mbuf_label_init_t *mpo_mbuf_label_init;
39236c6e 5911
2d21ac55
A		 5912 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl;
5913 mpo_mount_check_getattr_t *mpo_mount_check_getattr;
5914 mpo_mount_check_label_update_t *mpo_mount_check_label_update;
5915 mpo_mount_check_mount_t *mpo_mount_check_mount;
5916 mpo_mount_check_remount_t *mpo_mount_check_remount;
5917 mpo_mount_check_setattr_t *mpo_mount_check_setattr;
5918 mpo_mount_check_stat_t *mpo_mount_check_stat;
5919 mpo_mount_check_umount_t *mpo_mount_check_umount;
5920 mpo_mount_label_associate_t *mpo_mount_label_associate;
5921 mpo_mount_label_destroy_t *mpo_mount_label_destroy;
5922 mpo_mount_label_externalize_t *mpo_mount_label_externalize;
5923 mpo_mount_label_init_t *mpo_mount_label_init;
5924 mpo_mount_label_internalize_t *mpo_mount_label_internalize;
39236c6e 5925
2d21ac55
A		 5926 mpo_netinet_fragment_t *mpo_netinet_fragment;
5927 mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply;
5928 mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply;
39236c6e 5929
2d21ac55
A		 5930 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
5931 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
5932 mpo_pipe_check_label_update_t *mpo_pipe_check_label_update;
5933 mpo_pipe_check_read_t *mpo_pipe_check_read;
5934 mpo_pipe_check_select_t *mpo_pipe_check_select;
5935 mpo_pipe_check_stat_t *mpo_pipe_check_stat;
5936 mpo_pipe_check_write_t *mpo_pipe_check_write;
5937 mpo_pipe_label_associate_t *mpo_pipe_label_associate;
5938 mpo_pipe_label_copy_t *mpo_pipe_label_copy;
5939 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy;
5940 mpo_pipe_label_externalize_t *mpo_pipe_label_externalize;
5941 mpo_pipe_label_init_t *mpo_pipe_label_init;
5942 mpo_pipe_label_internalize_t *mpo_pipe_label_internalize;
5943 mpo_pipe_label_update_t *mpo_pipe_label_update;
39236c6e 5944
2d21ac55
A		 5945 mpo_policy_destroy_t *mpo_policy_destroy;
5946 mpo_policy_init_t *mpo_policy_init;
5947 mpo_policy_initbsd_t *mpo_policy_initbsd;
5948 mpo_policy_syscall_t *mpo_policy_syscall;
39236c6e 5949
fe8ab488
A		 5950 mpo_system_check_sysctlbyname_t *mpo_system_check_sysctlbyname;
5951 mpo_proc_check_inherit_ipc_ports_t *mpo_proc_check_inherit_ipc_ports;
5952 mpo_vnode_check_rename_t *mpo_vnode_check_rename;
5953 mpo_reserved_hook_t *mpo_reserved4;
5954 mpo_reserved_hook_t *mpo_reserved5;
5955 mpo_reserved_hook_t *mpo_reserved6;
5956 mpo_reserved_hook_t *mpo_reserved7;
5957 mpo_reserved_hook_t *mpo_reserved8;
5958 mpo_reserved_hook_t *mpo_reserved9;
5959 mpo_reserved_hook_t *mpo_reserved10;
5960 mpo_reserved_hook_t *mpo_reserved11;
5961 mpo_reserved_hook_t *mpo_reserved12;
5962 mpo_reserved_hook_t *mpo_reserved13;
5963 mpo_reserved_hook_t *mpo_reserved14;
5964 mpo_reserved_hook_t *mpo_reserved15;
5965 mpo_reserved_hook_t *mpo_reserved16;
5966 mpo_reserved_hook_t *mpo_reserved17;
5967 mpo_reserved_hook_t *mpo_reserved18;
5968 mpo_reserved_hook_t *mpo_reserved19;
5969 mpo_reserved_hook_t *mpo_reserved20;
5970 mpo_reserved_hook_t *mpo_reserved21;
5971 mpo_reserved_hook_t *mpo_reserved22;
39236c6e 5972
2d21ac55
A		 5973 mpo_posixsem_check_create_t *mpo_posixsem_check_create;
5974 mpo_posixsem_check_open_t *mpo_posixsem_check_open;
5975 mpo_posixsem_check_post_t *mpo_posixsem_check_post;
5976 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink;
5977 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait;
5978 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate;
5979 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy;
5980 mpo_posixsem_label_init_t *mpo_posixsem_label_init;
5981 mpo_posixshm_check_create_t *mpo_posixshm_check_create;
5982 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap;
5983 mpo_posixshm_check_open_t *mpo_posixshm_check_open;
5984 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat;
5985 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate;
5986 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink;
5987 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate;
5988 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy;
5989 mpo_posixshm_label_init_t *mpo_posixshm_label_init;
39236c6e 5990
2d21ac55
A		 5991 mpo_proc_check_debug_t *mpo_proc_check_debug;
5992 mpo_proc_check_fork_t *mpo_proc_check_fork;
5993 mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name;
5994 mpo_proc_check_get_task_t *mpo_proc_check_get_task;
5995 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit;
5996 mpo_proc_check_getauid_t *mpo_proc_check_getauid;
5997 mpo_proc_check_getlcid_t *mpo_proc_check_getlcid;
5998 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect;
5999 mpo_proc_check_sched_t *mpo_proc_check_sched;
6000 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit;
6001 mpo_proc_check_setauid_t *mpo_proc_check_setauid;
6002 mpo_proc_check_setlcid_t *mpo_proc_check_setlcid;
6003 mpo_proc_check_signal_t *mpo_proc_check_signal;
6004 mpo_proc_check_wait_t *mpo_proc_check_wait;
6005 mpo_proc_label_destroy_t *mpo_proc_label_destroy;
6006 mpo_proc_label_init_t *mpo_proc_label_init;
39236c6e 6007
2d21ac55
A		 6008 mpo_socket_check_accept_t *mpo_socket_check_accept;
6009 mpo_socket_check_accepted_t *mpo_socket_check_accepted;
6010 mpo_socket_check_bind_t *mpo_socket_check_bind;
6011 mpo_socket_check_connect_t *mpo_socket_check_connect;
6012 mpo_socket_check_create_t *mpo_socket_check_create;
6013 mpo_socket_check_deliver_t *mpo_socket_check_deliver;
6014 mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter;
6015 mpo_socket_check_label_update_t *mpo_socket_check_label_update;
6016 mpo_socket_check_listen_t *mpo_socket_check_listen;
6017 mpo_socket_check_receive_t *mpo_socket_check_receive;
6018 mpo_socket_check_received_t *mpo_socket_check_received;
6019 mpo_socket_check_select_t *mpo_socket_check_select;
6020 mpo_socket_check_send_t *mpo_socket_check_send;
6021 mpo_socket_check_stat_t *mpo_socket_check_stat;
6022 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt;
6023 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt;
6024 mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept;
6025 mpo_socket_label_associate_t *mpo_socket_label_associate;
6026 mpo_socket_label_copy_t *mpo_socket_label_copy;
6027 mpo_socket_label_destroy_t *mpo_socket_label_destroy;
6028 mpo_socket_label_externalize_t *mpo_socket_label_externalize;
6029 mpo_socket_label_init_t *mpo_socket_label_init;
6030 mpo_socket_label_internalize_t *mpo_socket_label_internalize;
6031 mpo_socket_label_update_t *mpo_socket_label_update;
39236c6e 6032
2d21ac55
A		 6033 mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf;
6034 mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket;
6035 mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy;
6036 mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize;
6037 mpo_socketpeer_label_init_t *mpo_socketpeer_label_init;
39236c6e 6038
2d21ac55
A		 6039 mpo_system_check_acct_t *mpo_system_check_acct;
6040 mpo_system_check_audit_t *mpo_system_check_audit;
6041 mpo_system_check_auditctl_t *mpo_system_check_auditctl;
6042 mpo_system_check_auditon_t *mpo_system_check_auditon;
6043 mpo_system_check_host_priv_t *mpo_system_check_host_priv;
6044 mpo_system_check_nfsd_t *mpo_system_check_nfsd;
6045 mpo_system_check_reboot_t *mpo_system_check_reboot;
6046 mpo_system_check_settime_t *mpo_system_check_settime;
6047 mpo_system_check_swapoff_t *mpo_system_check_swapoff;
6048 mpo_system_check_swapon_t *mpo_system_check_swapon;
fe8ab488 6049 mpo_reserved_hook_t *mpo_reserved31;
39236c6e 6050
2d21ac55
A		 6051 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate;
6052 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy;
6053 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init;
6054 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle;
6055 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue;
6056 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv;
6057 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid;
6058 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl;
6059 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget;
6060 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv;
6061 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd;
6062 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate;
6063 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy;
6064 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init;
6065 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle;
6066 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl;
6067 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget;
6068 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop;
6069 mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate;
6070 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy;
6071 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init;
6072 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle;
6073 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat;
6074 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl;
6075 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt;
6076 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget;
6077 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate;
6078 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy;
6079 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init;
6080 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle;
39236c6e 6081
fe8ab488
A		 6082 mpo_reserved_hook_t *mpo_reserved23;
6083 mpo_reserved_hook_t *mpo_reserved24;
6084 mpo_reserved_hook_t *mpo_reserved25;
6085 mpo_reserved_hook_t *mpo_reserved26;
6086 mpo_reserved_hook_t *mpo_reserved27;
6087 mpo_reserved_hook_t *mpo_reserved28;
6088 mpo_reserved_hook_t *mpo_reserved29;
6089 mpo_reserved_hook_t *mpo_reserved30;
39236c6e
A		 6090
6091 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control;
6092
2d21ac55
A		 6093 mpo_vnode_check_access_t *mpo_vnode_check_access;
6094 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir;
6095 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot;
6096 mpo_vnode_check_create_t *mpo_vnode_check_create;
6097 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr;
6098 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata;
6099 mpo_vnode_check_exec_t *mpo_vnode_check_exec;
6100 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist;
6101 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr;
6102 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl;
6103 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter;
6104 mpo_vnode_check_label_update_t *mpo_vnode_check_label_update;
6105 mpo_vnode_check_link_t *mpo_vnode_check_link;
6106 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr;
6107 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup;
6108 mpo_vnode_check_open_t *mpo_vnode_check_open;
6109 mpo_vnode_check_read_t *mpo_vnode_check_read;
6110 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir;
6111 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink;
6112 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from;
6113 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to;
6114 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke;
6115 mpo_vnode_check_select_t *mpo_vnode_check_select;
6116 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist;
6117 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr;
6118 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags;
6119 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode;
6120 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner;
6121 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes;
6122 mpo_vnode_check_stat_t *mpo_vnode_check_stat;
6123 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate;
6124 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink;
6125 mpo_vnode_check_write_t *mpo_vnode_check_write;
6126 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs;
6127 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr;
6128 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file;
6129 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe;
6130 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem;
6131 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm;
6132 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel;
6133 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket;
6134 mpo_vnode_label_copy_t *mpo_vnode_label_copy;
6135 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy;
6136 mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit;
6137 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize;
6138 mpo_vnode_label_init_t *mpo_vnode_label_init;
6139 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize;
6140 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle;
6141 mpo_vnode_label_store_t *mpo_vnode_label_store;
6142 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr;
6143 mpo_vnode_label_update_t *mpo_vnode_label_update;
6144 mpo_vnode_notify_create_t *mpo_vnode_notify_create;
593a1d5f 6145 mpo_vnode_check_signature_t *mpo_vnode_check_signature;
b0d623f7
A		 6146 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind;
6147 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect;
39236c6e 6148
b0d623f7 6149 mac_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid;
d1ecb069 6150 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume;
39236c6e 6151
316670eb 6152 mpo_thread_userret_t *mpo_thread_userret;
39236c6e 6153
6d2010ae 6154 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties;
39236c6e 6155
6d2010ae 6156 mpo_system_check_chud_t *mpo_system_check_chud;
39236c6e 6157
6d2010ae 6158 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs;
39236c6e 6159
6d2010ae
A		 6160 mpo_priv_check_t *mpo_priv_check;
6161 mpo_priv_grant_t *mpo_priv_grant;
39236c6e 6162
6d2010ae 6163 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon;
39236c6e 6164
6d2010ae 6165 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath;
39236c6e 6166
6d2010ae 6167 mpo_iokit_check_open_t *mpo_iokit_check_open;
39236c6e 6168
316670eb 6169 mpo_proc_check_ledger_t *mpo_proc_check_ledger;
39236c6e 6170
6d2010ae 6171 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename;
39236c6e 6172
316670eb
A		 6173 mpo_thread_label_init_t *mpo_thread_label_init;
6174 mpo_thread_label_destroy_t *mpo_thread_label_destroy;
39236c6e
A		 6175
6176 mpo_system_check_kas_info_t *mpo_system_check_kas_info;
6177
6178 mpo_proc_check_cpumon_t *mpo_proc_check_cpumon;
6179
6180 mpo_vnode_notify_open_t *mpo_vnode_notify_open;
6181
6182 mpo_system_check_info_t *mpo_system_check_info;
6183
6184 mpo_pty_notify_grant_t *mpo_pty_notify_grant;
6185 mpo_pty_notify_close_t *mpo_pty_notify_close;
6186
6187 mpo_vnode_find_sigs_t *mpo_vnode_find_sigs;
6188
6189 mpo_kext_check_load_t *mpo_kext_check_load;
6190 mpo_kext_check_unload_t *mpo_kext_check_unload;
6191
6192 mpo_proc_check_proc_info_t *mpo_proc_check_proc_info;
6193 mpo_vnode_notify_link_t *mpo_vnode_notify_link;
fe8ab488
A		 6194 mpo_iokit_check_filter_properties_t *mpo_iokit_check_filter_properties;
6195 mpo_iokit_check_get_property_t *mpo_iokit_check_get_property;
2d21ac55
A		 6196};
6197
6198/**
6199 @brief MAC policy handle type
6200
6201 The MAC handle is used to uniquely identify a loaded policy within
6202 the MAC Framework.
6203
6204 A variable of this type is set by mac_policy_register().
6205 */
6206typedef unsigned int mac_policy_handle_t;
6207
6208#define mpc_t struct mac_policy_conf *
6209
6210/**
6211 @brief Mac policy configuration
6212
6213 This structure specifies the configuration information for a
6214 MAC policy module. A policy module developer must supply
6215 a short unique policy name, a more descriptive full name, a list of label
6216 namespaces and count, a pointer to the registered enty point operations,
6217 any load time flags, and optionally, a pointer to a label slot identifier.
6218
6219 The Framework will update the runtime flags (mpc_runtime_flags) to
6220 indicate that the module has been registered.
6221
6222 If the label slot identifier (mpc_field_off) is NULL, the Framework
6223 will not provide label storage for the policy. Otherwise, the
6224 Framework will store the label location (slot) in this field.
6225
6226 The mpc_list field is used by the Framework and should not be
6227 modified by policies.
6228*/
6229/* XXX - reorder these for better aligment on 64bit platforms */
6230struct mac_policy_conf {
6231 const char *mpc_name; /** policy name */
6232 const char *mpc_fullname; /** full name */
6233 const char **mpc_labelnames; /** managed label namespaces */
6234 unsigned int mpc_labelname_count; /** number of managed label namespaces */
6235 struct mac_policy_ops *mpc_ops; /** operation vector */
6236 int mpc_loadtime_flags; /** load time flags */
6237 int *mpc_field_off; /** label slot */
6238 int mpc_runtime_flags; /** run time flags */
6239 mpc_t mpc_list; /** List reference */
6240 void *mpc_data; /** module data */
6241};
6242
6243/**
6244 @brief MAC policy module registration routine
6245
6246 This function is called to register a policy with the
6247 MAC framework. A policy module will typically call this from the
6248 Darwin KEXT registration routine.
6249 */
6250int mac_policy_register(struct mac_policy_conf *mpc,
6251 mac_policy_handle_t *handlep, void *xd);
6252
6253/**
6254 @brief MAC policy module de-registration routine
6255
6256 This function is called to de-register a policy with theD
6257 MAC framework. A policy module will typically call this from the
6258 Darwin KEXT de-registration routine.
6259 */
6260int mac_policy_unregister(mac_policy_handle_t handle);
6261
6262/*
6263 * Framework entry points for the policies to add audit data.
6264 */
6265int mac_audit_text(char *text, mac_policy_handle_t handle);
6266
6267/*
6268 * Calls to assist with use of Apple XATTRs within policy modules.
6269 */
6270int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t);
6271int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t,
6272 size_t *);
6273int mac_vnop_removexattr(struct vnode *, const char *);
6274
6275/*
6276 * Arbitrary limit on how much data will be logged by the audit
6277 * entry points above.
6278 */
6279#define MAC_AUDIT_DATA_LIMIT 1024
6280
6281/*
6282 * Values returned by mac_audit_{pre,post}select. To combine the responses
6283 * of the security policies into a single decision,
6284 * mac_audit_{pre,post}select() choose the greatest value returned.
6285 */
6286#define MAC_AUDIT_DEFAULT 0 /* use system behavior */
6287#define MAC_AUDIT_NO 1 /* force not auditing this event */
6288#define MAC_AUDIT_YES 2 /* force auditing this event */
6289
6290// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field
6291
6292/**
6293 @name Flags for the mpc_loadtime_flags field
6294 @see mac_policy_conf
6295
6296 This is the complete list of flags that are supported by the
6297 mpc_loadtime_flags field of the mac_policy_conf structure. These
6298 flags specify the load time behavior of MAC Framework policy
6299 modules.
6300*/
6301
6302/*@{*/
6303
6304/**
6305 @brief Flag to indicate registration preference
6306
6307 This flag indicates that the policy module must be loaded and
6308 initialized early in the boot process. If the flag is specified,
6309 attempts to register the module following boot will be rejected. The
6310 flag may be used by policies that require pervasive labeling of all
6311 system objects, and cannot handle objects that have not been
6312 properly initialized by the policy.
6313 */
6314#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
6315
6316/**
6317 @brief Flag to indicate unload preference
6318
6319 This flag indicates that the policy module may be unloaded. If this
6320 flag is not set, then the policy framework will reject requests to
6321 unload the module. This flag might be used by modules that allocate
6322 label state and are unable to free that state at runtime, or for
6323 modules that simply do not want to permit unload operations.
6324*/
6325#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
6326
6327/**
6328 @brief Unsupported
6329
6330 XXX This flag is not yet supported.
6331*/
6332#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
6333
6334/**
6335 @brief Flag to indicate a base policy
6336
6337 This flag indicates that the policy module is a base policy. Only
6338 one module can declare itself as base, otherwise the boot process
6339 will be halted.
6340 */
6341#define MPC_LOADTIME_BASE_POLICY 0x00000008
6342
6343/*@}*/
6344
6345/**
6346 @brief Policy registration flag
6347 @see mac_policy_conf
6348
6349 This flag indicates that the policy module has been successfully
6350 registered with the TrustedBSD MAC Framework. The Framework will
6351 set this flag in the mpc_runtime_flags field of the policy's
6352 mac_policy_conf structure after registering the policy.
6353 */
6354#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
6355
6356/*
6357 * Depends on POLICY_VER
6358 */
6359
6360#ifndef POLICY_VER
6361#define POLICY_VER 1.0
6362#endif
6363
6364#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \
6365 static struct mac_policy_conf mpname##_mac_policy_conf = { \
6366 .mpc_name = #mpname, \
6367 .mpc_fullname = mpfullname, \
6368 .mpc_labelnames = lnames, \
6369 .mpc_labelname_count = lcount, \
6370 .mpc_ops = mpops, \
6371 .mpc_loadtime_flags = lflags, \
6372 .mpc_field_off = slot, \
6373 .mpc_runtime_flags = rflags \
6374 }; \
6375 \
6376 static kern_return_t \
6377 kmod_start(kmod_info_t *ki, void *xd) \
6378 { \
6379 return mac_policy_register(&mpname##_mac_policy_conf, \
6380 &handle, xd); \
6381 } \
6382 \
6383 static kern_return_t \
6384 kmod_stop(kmod_info_t *ki, void *xd) \
6385 { \
6386 return mac_policy_unregister(handle); \
6387 } \
6388 \
6389 extern kern_return_t _start(kmod_info_t *ki, void *data); \
6390 extern kern_return_t _stop(kmod_info_t *ki, void *data); \
6391 \
6392 KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \
6393 kmod_start_func_t *_realmain = kmod_start; \
6394 kmod_stop_func_t *_antimain = kmod_stop; \
6395 int _kext_apple_cc = __APPLE_CC__
6396
6397
6398#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]
6399
b0d623f7
A		 6400/*
6401 * Policy interface to map a struct label pointer to per-policy data.
6402 * Typically, policies wrap this in their own accessor macro that casts an
6403 * intptr_t to a policy-specific data type.
6404 */
6405intptr_t mac_label_get(struct label *l, int slot);
6406void mac_label_set(struct label *l, int slot, intptr_t v);
6407
2d21ac55
A		 6408#define mac_get_mpc(h) (mac_policy_list.entries[h].mpc)
6409
6410/**
6411 @name Flags for MAC allocator interfaces
6412
6413 These flags are passed to the Darwin kernel allocator routines to
6414 indicate whether the allocation is permitted to block or not.
6415 Caution should be taken; some operations are not permitted to sleep,
6416 and some types of locks cannot be held when sleeping.
6417 */
6418
6419/*@{*/
6420
6421/**
6422 @brief Allocation operations may block
6423
6424 If memory is not immediately available, the allocation routine
6425 will block (typically sleeping) until memory is available.
6426
6427 @warning Inappropriate use of this flag may cause kernel panics.
6428 */
6429#define MAC_WAITOK 0
6430
6431/**
6432 @brief Allocation operations may not block
6433
6434 Rather than blocking, the allocator may return an error if memory
6435 is not immediately available. This type of allocation will not
6436 sleep, preserving locking semantics.
6437 */
6438#define MAC_NOWAIT 1
6439
6440/*@}*/
6441
6442#endif /* !_SECURITY_MAC_POLICY_H_ */
mirror of XNU