]> git.saurik.com Git - apple/xnu.git/blame_incremental - security/mac_policy.h
xnu-2050.7.9.tar.gz
[apple/xnu.git] / security / mac_policy.h
... / ...
CommitLineData
1/*
2 * Copyright (c) 2007-2010 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/*-
29 * Copyright (c) 1999-2002 Robert N. M. Watson
30 * Copyright (c) 2001-2005 Networks Associates Technology, Inc.
31 * Copyright (c) 2005-2007 SPARTA, Inc.
32 * All rights reserved.
33 *
34 * This software was developed by Robert Watson for the TrustedBSD Project.
35 *
36 * This software was developed for the FreeBSD Project in part by Network
37 * Associates Laboratories, the Security Research Division of Network
38 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"),
39 * as part of the DARPA CHATS research program.
40 *
41 * This software was enhanced by SPARTA ISSO under SPAWAR contract
42 * N66001-04-C-6019 ("SEFOS").
43 *
44 * Redistribution and use in source and binary forms, with or without
45 * modification, are permitted provided that the following conditions
46 * are met:
47 * 1. Redistributions of source code must retain the above copyright
48 * notice, this list of conditions and the following disclaimer.
49 * 2. Redistributions in binary form must reproduce the above copyright
50 * notice, this list of conditions and the following disclaimer in the
51 * documentation and/or other materials provided with the distribution.
52 *
53 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
54 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
55 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
56 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
57 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
58 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
59 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
60 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
61 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
62 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
63 * SUCH DAMAGE.
64 *
65 * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $
66 */
67
68/**
69 @file mac_policy.h
70 @brief Kernel Interfaces for MAC policy modules
71
72 This header defines the list of operations that are defined by the
73 TrustedBSD MAC Framwork on Darwin. MAC Policy modules register
74 with the framework to declare interest in a specific set of
75 operations. If interest in an entry point is not declared, then
76 the policy will be ignored when the Framework evaluates that entry
77 point.
78*/
79
80#ifndef _SECURITY_MAC_POLICY_H_
81#define _SECURITY_MAC_POLICY_H_
82
83#include <security/_label.h>
84
85struct attrlist;
86struct auditinfo;
87struct bpf_d;
88struct devnode;
89struct fileglob;
90struct ifnet;
91struct inpcb;
92struct ipq;
93struct label;
94struct lctx;
95struct mac_module_data;
96struct mac_policy_conf;
97struct mbuf;
98struct mount;
99struct pipe;
100struct pseminfo;
101struct pshminfo;
102struct sbuf;
103struct semid_kernel;
104struct shmid_kernel;
105struct task;
106struct thread;
107struct ucred;
108struct vnode;
109/** @struct dummy */
110
111
112
113#ifndef _KAUTH_CRED_T
114#define _KAUTH_CRED_T
115typedef struct ucred *kauth_cred_t;
116#endif /* !_KAUTH_CRED_T */
117
118#ifndef __IOKIT_PORTS_DEFINED__
119#define __IOKIT_PORTS_DEFINED__
120#ifdef __cplusplus
121class OSObject;
122typedef OSObject *io_object_t;
123#else
124struct OSObject;
125typedef struct OSObject *io_object_t;
126#endif
127#endif /* __IOKIT_PORTS_DEFINED__ */
128
129/*-
130 * MAC entry points are generally named using the following template:
131 *
132 * mpo_<object>_<operation>()
133 *
134 * or:
135 *
136 * mpo_<object>_check_<operation>()
137 *
138 * Entry points are sorted by object type.
139 *
140 * It may be desirable also to consider some subsystems as "objects", such
141 * as system, iokit, etc.
142 */
143
144/**
145 @name Entry Points for Label Management
146
147 These are the entry points corresponding to the life cycle events for
148 kernel objects, such as initialization, creation, and destruction.
149
150 Most policies (that use labels) will initialize labels by allocating
151 space for policy-specific data. In most cases, it is permitted to
152 sleep during label initialization operations; it will be noted when
153 it is not permitted.
154
155 Initialization usually will not require doing more than allocating a
156 generic label for the given object. What follows initialization is
157 creation, where a label is made specific to the object it is associated
158 with. Destruction occurs when the label is no longer needed, such as
159 when the corresponding object is destroyed. All necessary cleanup should
160 be performed in label destroy operations.
161
162 Where possible, the label entry points have identical parameters. If
163 the policy module does not require structure-specific label
164 information, the same function may be registered in the policy
165 operation vector. Many policies will implement two such generic
166 allocation calls: one to handle sleepable requests, and one to handle
167 potentially non-sleepable requests.
168*/
169
170
171/**
172 @brief Audit event postselection
173 @param cred Subject credential
174 @param syscode Syscall number
175 @param args Syscall arguments
176 @param error Syscall errno
177 @param retval Syscall return value
178
179 This is the MAC Framework audit postselect, which is called before
180 exiting a syscall to determine if an audit event should be committed.
181 A return value of MAC_AUDIT_NO forces the audit record to be suppressed.
182 Any other return value results in the audit record being committed.
183
184 @warning The suppression behavior will probably go away in Apple's
185 future version of the audit implementation.
186
187 @return Return MAC_AUDIT_NO to force suppression of the audit record.
188 Any other value results in the audit record being committed.
189
190*/
191typedef int mpo_audit_check_postselect_t(
192 kauth_cred_t cred,
193 unsigned short syscode,
194 void *args,
195 int error,
196 int retval
197);
198/**
199 @brief Audit event preselection
200 @param cred Subject credential
201 @param syscode Syscall number
202 @param args Syscall arguments
203
204 This is the MAC Framework audit preselect, which is called before a
205 syscall is entered to determine if an audit event should be created.
206 If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be
207 returned. A return value of MAC_AUDIT_NO causes the audit record to
208 be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants
209 to defer to the system's existing preselection mechanism.
210
211 When policies return different preferences, the Framework decides what action
212 to take based on the following policy. If any policy returns MAC_AUDIT_YES,
213 then create an audit record, else if any policy returns MAC_AUDIT_NO, then
214 suppress the creations of an audit record, else defer to the system's
215 existing preselection mechanism.
216
217 @warning The audit implementation in Apple's current version is
218 incomplete, so the MAC policies have priority over the system's existing
219 mechanisms. This will probably change in the future version where
220 the audit implementation is more complete.
221
222 @return Return MAC_AUDIT_YES to force auditing of the syscall,
223 MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT
224 to allow auditing mechanisms to determine if the syscall is audited.
225
226*/
227typedef int mpo_audit_check_preselect_t(
228 kauth_cred_t cred,
229 unsigned short syscode,
230 void *args
231);
232/**
233 @brief Initialize BPF descriptor label
234 @param label New label to initialize
235
236 Initialize the label for a newly instantiated BPF descriptor.
237 Sleeping is permitted.
238*/
239typedef void mpo_bpfdesc_label_init_t(
240 struct label *label
241);
242/**
243 @brief Destroy BPF descriptor label
244 @param label The label to be destroyed
245
246 Destroy a BPF descriptor label. Since the BPF descriptor
247 is going out of scope, policy modules should free any internal
248 storage associated with the label so that it may be destroyed.
249*/
250typedef void mpo_bpfdesc_label_destroy_t(
251 struct label *label
252);
253/**
254 @brief Associate a BPF descriptor with a label
255 @param cred User credential creating the BPF descriptor
256 @param bpf_d The BPF descriptor
257 @param bpflabel The new label
258
259 Set the label on a newly created BPF descriptor from the passed
260 subject credential. This call will be made when a BPF device node
261 is opened by a process with the passed subject credential.
262*/
263typedef void mpo_bpfdesc_label_associate_t(
264 kauth_cred_t cred,
265 struct bpf_d *bpf_d,
266 struct label *bpflabel
267);
268/**
269 @brief Check whether BPF can read from a network interface
270 @param bpf_d Subject; the BPF descriptor
271 @param bpflabel Policy label for bpf_d
272 @param ifp Object; the network interface
273 @param ifnetlabel Policy label for ifp
274
275 Determine whether the MAC framework should permit datagrams from
276 the passed network interface to be delivered to the buffers of
277 the passed BPF descriptor. Return (0) for success, or an errno
278 value for failure. Suggested failure: EACCES for label mismatches,
279 EPERM for lack of privilege.
280*/
281typedef int mpo_bpfdesc_check_receive_t(
282 struct bpf_d *bpf_d,
283 struct label *bpflabel,
284 struct ifnet *ifp,
285 struct label *ifnetlabel
286);
287/**
288 @brief Indicate desire to change the process label at exec time
289 @param old Existing subject credential
290 @param vp File being executed
291 @param vnodelabel Label corresponding to vp
292 @param scriptvnodelabel Script vnode label
293 @param execlabel Userspace provided execution label
294 @param proc Object process
295 @see mac_execve
296 @see mpo_cred_label_update_execve_t
297 @see mpo_vnode_check_exec_t
298
299 Indicate whether this policy intends to update the label of a newly
300 created credential from the existing subject credential (old). This
301 call occurs when a process executes the passed vnode. If a policy
302 returns success from this entry point, the mpo_cred_label_update_execve
303 entry point will later be called with the same parameters. Access
304 has already been checked via the mpo_vnode_check_exec entry point,
305 this entry point is necessary to preserve kernel locking constraints
306 during program execution.
307
308 The supplied vnode and vnodelabel correspond with the file actually
309 being executed; in the case that the file is interpreted (for
310 example, a script), the label of the original exec-time vnode has
311 been preserved in scriptvnodelabel.
312
313 The final label, execlabel, corresponds to a label supplied by a
314 user space application through the use of the mac_execve system call.
315
316 The vnode lock is held during this operation. No changes should be
317 made to the old credential structure.
318
319 @warning Even if a policy returns 0, it should behave correctly in
320 the presence of an invocation of mpo_cred_label_update_execve, as that
321 call may happen as a result of another policy requesting a transition.
322
323 @return Non-zero if a transition is required, 0 otherwise.
324*/
325typedef int mpo_cred_check_label_update_execve_t(
326 kauth_cred_t old,
327 struct vnode *vp,
328 struct label *vnodelabel,
329 struct label *scriptvnodelabel,
330 struct label *execlabel,
331 struct proc *proc
332);
333/**
334 @brief Access control check for relabelling processes
335 @param cred Subject credential
336 @param newlabel New label to apply to the user credential
337 @see mpo_cred_label_update_t
338 @see mac_set_proc
339
340 Determine whether the subject identified by the credential can relabel
341 itself to the supplied new label (newlabel). This access control check
342 is called when the mac_set_proc system call is invoked. A user space
343 application will supply a new value, the value will be internalized
344 and provided in newlabel.
345
346 @return Return 0 if access is granted, otherwise an appropriate value for
347 errno should be returned.
348*/
349typedef int mpo_cred_check_label_update_t(
350 kauth_cred_t cred,
351 struct label *newlabel
352);
353/**
354 @brief Access control check for visibility of other subjects
355 @param u1 Subject credential
356 @param u2 Object credential
357
358 Determine whether the subject identified by the credential u1 can
359 "see" other subjects with the passed subject credential u2. This call
360 may be made in a number of situations, including inter-process status
361 sysctls used by ps, and in procfs lookups.
362
363 @return Return 0 if access is granted, otherwise an appropriate value for
364 errno should be returned. Suggested failure: EACCES for label mismatch,
365 EPERM for lack of privilege, or ESRCH to hide visibility.
366*/
367typedef int mpo_cred_check_visible_t(
368 kauth_cred_t u1,
369 kauth_cred_t u2
370);
371/**
372 @brief Associate a credential with a new process at fork
373 @param cred credential to inherited by new process
374 @param proc the new process
375
376 Allow a process to associate the credential with a new
377 process for reference countng purposes.
378 NOTE: the credential can be dis-associated in ways other
379 than exit - so this strategy is flawed - should just
380 catch label destroy callback.
381*/
382typedef void mpo_cred_label_associate_fork_t(
383 kauth_cred_t cred,
384 proc_t proc
385);
386/**
387 @brief Create the first process
388 @param cred Subject credential to be labeled
389
390 Create the subject credential of process 0, the parent of all BSD
391 kernel processes. Policies should update the label in the
392 previously initialized credential structure.
393*/
394typedef void mpo_cred_label_associate_kernel_t(
395 kauth_cred_t cred
396);
397/**
398 @brief Create a credential label
399 @param parent_cred Parent credential
400 @param child_cred Child credential
401
402 Set the label of a newly created credential, most likely using the
403 information in the supplied parent credential.
404
405 @warning This call is made when crcopy or crdup is invoked on a
406 newly created struct ucred, and should not be confused with a
407 process fork or creation event.
408*/
409typedef void mpo_cred_label_associate_t(
410 kauth_cred_t parent_cred,
411 kauth_cred_t child_cred
412);
413/**
414 @brief Create the first process
415 @param cred Subject credential to be labeled
416
417 Create the subject credential of process 1, the parent of all BSD
418 user processes. Policies should update the label in the previously
419 initialized credential structure. This is the 'init' process.
420*/
421typedef void mpo_cred_label_associate_user_t(
422 kauth_cred_t cred
423);
424/**
425 @brief Destroy credential label
426 @param label The label to be destroyed
427
428 Destroy a user credential label. Since the user credential
429 is going out of scope, policy modules should free any internal
430 storage associated with the label so that it may be destroyed.
431*/
432typedef void mpo_cred_label_destroy_t(
433 struct label *label
434);
435/**
436 @brief Externalize a user credential label for auditing
437 @param label Label to be externalized
438 @param element_name Name of the label namespace for which labels should be
439 externalized
440 @param sb String buffer to be filled with a text representation of the label
441
442 Produce an external representation of the label on a user credential for
443 inclusion in an audit record. An externalized label consists of a text
444 representation of the label contents that will be added to the audit record
445 as part of a text token. Policy-agnostic user space tools will display
446 this externalized version.
447
448 @return 0 on success, return non-zero if an error occurs while
449 externalizing the label data.
450
451*/
452typedef int mpo_cred_label_externalize_audit_t(
453 struct label *label,
454 char *element_name,
455 struct sbuf *sb
456);
457/**
458 @brief Externalize a user credential label
459 @param label Label to be externalized
460 @param element_name Name of the label namespace for which labels should be
461 externalized
462 @param sb String buffer to be filled with a text representation of the label
463
464 Produce an external representation of the label on a user
465 credential. An externalized label consists of a text representation
466 of the label contents that can be used with user applications.
467 Policy-agnostic user space tools will display this externalized
468 version.
469
470 @return 0 on success, return non-zero if an error occurs while
471 externalizing the label data.
472
473*/
474typedef int mpo_cred_label_externalize_t(
475 struct label *label,
476 char *element_name,
477 struct sbuf *sb
478);
479/**
480 @brief Initialize user credential label
481 @param label New label to initialize
482
483 Initialize the label for a newly instantiated user credential.
484 Sleeping is permitted.
485*/
486typedef void mpo_cred_label_init_t(
487 struct label *label
488);
489/**
490 @brief Internalize a user credential label
491 @param label Label to be internalized
492 @param element_name Name of the label namespace for which the label should
493 be internalized
494 @param element_data Text data to be internalized
495
496 Produce a user credential label from an external representation. An
497 externalized label consists of a text representation of the label
498 contents that can be used with user applications. Policy-agnostic
499 user space tools will forward text version to the kernel for
500 processing by individual policy modules.
501
502 The policy's internalize entry points will be called only if the
503 policy has registered interest in the label namespace.
504
505 @return 0 on success, Otherwise, return non-zero if an error occurs
506 while internalizing the label data.
507
508*/
509typedef int mpo_cred_label_internalize_t(
510 struct label *label,
511 char *element_name,
512 char *element_data
513);
514/**
515 @brief Update credential at exec time
516 @param old_cred Existing subject credential
517 @param new_cred New subject credential to be labeled
518 @param vp File being executed
519 @param vnodelabel Label corresponding to vp
520 @param scriptvnodelabel Script vnode label
521 @param execlabel Userspace provided execution label
522 @see mac_execve
523 @see mpo_cred_check_label_update_execve_t
524 @see mpo_vnode_check_exec_t
525
526 Update the label of a newly created credential (new) from the
527 existing subject credential (old). This call occurs when a process
528 executes the passed vnode and one of the loaded policy modules has
529 returned success from the mpo_cred_check_label_update_execve entry point.
530 Access has already been checked via the mpo_vnode_check_exec entry
531 point, this entry point is only used to update any policy state.
532
533 The supplied vnode and vnodelabel correspond with the file actually
534 being executed; in the case that the file is interpreted (for
535 example, a script), the label of the original exec-time vnode has
536 been preserved in scriptvnodelabel.
537
538 The final label, execlabel, corresponds to a label supplied by a
539 user space application through the use of the mac_execve system call.
540
541 If non-NULL, the value pointed to by disjointp will be set to 0 to
542 indicate that the old and new credentials are not disjoint, or 1 to
543 indicate that they are.
544
545 The vnode lock is held during this operation. No changes should be
546 made to the old credential structure.
547*/
548typedef void mpo_cred_label_update_execve_t(
549 kauth_cred_t old_cred,
550 kauth_cred_t new_cred,
551 struct vnode *vp,
552 struct label *vnodelabel,
553 struct label *scriptvnodelabel,
554 struct label *execlabel,
555 int *disjointp
556);
557/**
558 @brief Update a credential label
559 @param cred The existing credential
560 @param newlabel A new label to apply to the credential
561 @see mpo_cred_check_label_update_t
562 @see mac_set_proc
563
564 Update the label on a user credential, using the supplied new label.
565 This is called as a result of a process relabel operation. Access
566 control was already confirmed by mpo_cred_check_label_update.
567*/
568typedef void mpo_cred_label_update_t(
569 kauth_cred_t cred,
570 struct label *newlabel
571);
572/**
573 @brief Create a new devfs device
574 @param dev Major and minor numbers of special file
575 @param de "inode" of new device file
576 @param label Destination label
577 @param fullpath Path relative to mount (e.g. /dev) of new device file
578
579 This entry point labels a new devfs device. The label will likely be based
580 on the path to the device, or the major and minor numbers.
581 The policy should store an appropriate label into 'label'.
582*/
583typedef void mpo_devfs_label_associate_device_t(
584 dev_t dev,
585 struct devnode *de,
586 struct label *label,
587 const char *fullpath
588);
589/**
590 @brief Create a new devfs directory
591 @param dirname Name of new directory
592 @param dirnamelen Length of 'dirname'
593 @param de "inode" of new directory
594 @param label Destination label
595 @param fullpath Path relative to mount (e.g. /dev) of new directory
596
597 This entry point labels a new devfs directory. The label will likely be
598 based on the path of the new directory. The policy should store an appropriate
599 label into 'label'. The devfs root directory is labelled in this way.
600*/
601typedef void mpo_devfs_label_associate_directory_t(
602 const char *dirname,
603 int dirnamelen,
604 struct devnode *de,
605 struct label *label,
606 const char *fullpath
607);
608/**
609 @brief Copy a devfs label
610 @param src Source devfs label
611 @param dest Destination devfs label
612
613 Copy the label information from src to dest. The devfs file system
614 often duplicates (splits) existing device nodes rather than creating
615 new ones.
616*/
617typedef void mpo_devfs_label_copy_t(
618 struct label *src,
619 struct label *dest
620);
621/**
622 @brief Destroy devfs label
623 @param label The label to be destroyed
624
625 Destroy a devfs entry label. Since the object is going out
626 of scope, policy modules should free any internal storage associated
627 with the label so that it may be destroyed.
628*/
629typedef void mpo_devfs_label_destroy_t(
630 struct label *label
631);
632/**
633 @brief Initialize devfs label
634 @param label New label to initialize
635
636 Initialize the label for a newly instantiated devfs entry. Sleeping
637 is permitted.
638*/
639typedef void mpo_devfs_label_init_t(
640 struct label *label
641);
642/**
643 @brief Update a devfs label after relabelling its vnode
644 @param mp Devfs mount point
645 @param de Affected devfs directory entry
646 @param delabel Label of devfs directory entry
647 @param vp Vnode associated with de
648 @param vnodelabel New label of vnode
649
650 Update a devfs label when its vnode is manually relabelled,
651 for example with setfmac(1). Typically, this will simply copy
652 the vnode label into the devfs label.
653*/
654typedef void mpo_devfs_label_update_t(
655 struct mount *mp,
656 struct devnode *de,
657 struct label *delabel,
658 struct vnode *vp,
659 struct label *vnodelabel
660);
661/**
662 @brief Access control for changing the offset of a file descriptor
663 @param cred Subject credential
664 @param fg Fileglob structure
665 @param label Policy label for fg
666
667 Determine whether the subject identified by the credential can
668 change the offset of the file represented by fg.
669
670 @return Return 0 if access if granted, otherwise an appropriate
671 value for errno should be returned.
672*/
673typedef int mpo_file_check_change_offset_t(
674 kauth_cred_t cred,
675 struct fileglob *fg,
676 struct label *label
677);
678/**
679 @brief Access control for creating a file descriptor
680 @param cred Subject credential
681
682 Determine whether the subject identified by the credential can
683 allocate a new file descriptor.
684
685 @return Return 0 if access if granted, otherwise an appropriate
686 value for errno should be returned.
687*/
688typedef int mpo_file_check_create_t(
689 kauth_cred_t cred
690);
691/**
692 @brief Access control for duplicating a file descriptor
693 @param cred Subject credential
694 @param fg Fileglob structure
695 @param label Policy label for fg
696 @param newfd New file descriptor number
697
698 Determine whether the subject identified by the credential can
699 duplicate the fileglob structure represented by fg and as file
700 descriptor number newfd.
701
702 @return Return 0 if access if granted, otherwise an appropriate
703 value for errno should be returned.
704*/
705typedef int mpo_file_check_dup_t(
706 kauth_cred_t cred,
707 struct fileglob *fg,
708 struct label *label,
709 int newfd
710);
711/**
712 @brief Access control check for fcntl
713 @param cred Subject credential
714 @param fg Fileglob structure
715 @param label Policy label for fg
716 @param cmd Control operation to be performed; see fcntl(2)
717 @param arg fcnt arguments; see fcntl(2)
718
719 Determine whether the subject identified by the credential can perform
720 the file control operation indicated by cmd.
721
722 @return Return 0 if access is granted, otherwise an appropriate value for
723 errno should be returned.
724*/
725typedef int mpo_file_check_fcntl_t(
726 kauth_cred_t cred,
727 struct fileglob *fg,
728 struct label *label,
729 int cmd,
730 user_long_t arg
731);
732/**
733 @brief Access control check for mac_get_fd
734 @param cred Subject credential
735 @param fg Fileglob structure
736 @param elements Element buffer
737 @param len Length of buffer
738
739 Determine whether the subject identified by the credential should be allowed
740 to get an externalized version of the label on the object indicated by fd.
741
742 @return Return 0 if access is granted, otherwise an appropriate value for
743 errno should be returned.
744*/
745typedef int mpo_file_check_get_t(
746 kauth_cred_t cred,
747 struct fileglob *fg,
748 char *elements,
749 int len
750);
751/**
752 @brief Access control for getting the offset of a file descriptor
753 @param cred Subject credential
754 @param fg Fileglob structure
755 @param label Policy label for fg
756
757 Determine whether the subject identified by the credential can
758 get the offset of the file represented by fg.
759
760 @return Return 0 if access if granted, otherwise an appropriate
761 value for errno should be returned.
762*/
763typedef int mpo_file_check_get_offset_t(
764 kauth_cred_t cred,
765 struct fileglob *fg,
766 struct label *label
767);
768/**
769 @brief Access control for inheriting a file descriptor
770 @param cred Subject credential
771 @param fg Fileglob structure
772 @param label Policy label for fg
773
774 Determine whether the subject identified by the credential can
775 inherit the fileglob structure represented by fg.
776
777 @return Return 0 if access if granted, otherwise an appropriate
778 value for errno should be returned.
779*/
780typedef int mpo_file_check_inherit_t(
781 kauth_cred_t cred,
782 struct fileglob *fg,
783 struct label *label
784);
785/**
786 @brief Access control check for file ioctl
787 @param cred Subject credential
788 @param fg Fileglob structure
789 @param label Policy label for fg
790 @param cmd The ioctl command; see ioctl(2)
791
792 Determine whether the subject identified by the credential can perform
793 the ioctl operation indicated by cmd.
794
795 @warning Since ioctl data is opaque from the standpoint of the MAC
796 framework, policies must exercise extreme care when implementing
797 access control checks.
798
799 @return Return 0 if access is granted, otherwise an appropriate value for
800 errno should be returned.
801
802*/
803typedef int mpo_file_check_ioctl_t(
804 kauth_cred_t cred,
805 struct fileglob *fg,
806 struct label *label,
807 unsigned int cmd
808);
809/**
810 @brief Access control check for file locking
811 @param cred Subject credential
812 @param fg Fileglob structure
813 @param label Policy label for fg
814 @param op The lock operation (F_GETLK, F_SETLK, F_UNLK)
815 @param fl The flock structure
816
817 Determine whether the subject identified by the credential can perform
818 the lock operation indicated by op and fl on the file represented by fg.
819
820 @return Return 0 if access is granted, otherwise an appropriate value for
821 errno should be returned.
822
823*/
824typedef int mpo_file_check_lock_t(
825 kauth_cred_t cred,
826 struct fileglob *fg,
827 struct label *label,
828 int op,
829 struct flock *fl
830);
831/**
832 @brief Access control check for mapping a file
833 @param cred Subject credential
834 @param fg fileglob representing file to map
835 @param label Policy label associated with vp
836 @param prot mmap protections; see mmap(2)
837 @param flags Type of mapped object; see mmap(2)
838 @param maxprot Maximum rights
839
840 Determine whether the subject identified by the credential should be
841 allowed to map the file represented by fg with the protections specified
842 in prot. The maxprot field holds the maximum permissions on the new
843 mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE.
844 To avoid overriding prior access control checks, a policy should only
845 remove flags from maxprot.
846
847 @return Return 0 if access is granted, otherwise an appropriate value for
848 errno should be returned. Suggested failure: EACCES for label mismatch or
849 EPERM for lack of privilege.
850*/
851typedef int mpo_file_check_mmap_t(
852 kauth_cred_t cred,
853 struct fileglob *fg,
854 struct label *label,
855 int prot,
856 int flags,
857 int *maxprot
858);
859/**
860 @brief Downgrade the mmap protections
861 @param cred Subject credential
862 @param fg file to map
863 @param label Policy label associated with vp
864 @param prot mmap protections to be downgraded
865
866 Downgrade the mmap protections based on the subject and object labels.
867*/
868typedef void mpo_file_check_mmap_downgrade_t(
869 kauth_cred_t cred,
870 struct fileglob *fg,
871 struct label *label,
872 int *prot
873);
874/**
875 @brief Access control for receiving a file descriptor
876 @param cred Subject credential
877 @param fg Fileglob structure
878 @param label Policy label for fg
879
880 Determine whether the subject identified by the credential can
881 receive the fileglob structure represented by fg.
882
883 @return Return 0 if access if granted, otherwise an appropriate
884 value for errno should be returned.
885*/
886typedef int mpo_file_check_receive_t(
887 kauth_cred_t cred,
888 struct fileglob *fg,
889 struct label *label
890);
891/**
892 @brief Access control check for mac_set_fd
893 @param cred Subject credential
894 @param fg Fileglob structure
895 @param elements Elements buffer
896 @param len Length of elements buffer
897
898 Determine whether the subject identified by the credential can
899 perform the mac_set_fd operation. The mac_set_fd operation is used
900 to associate a MAC label with a file.
901
902 @return Return 0 if access is granted, otherwise an appropriate value for
903 errno should be returned.
904*/
905typedef int mpo_file_check_set_t(
906 kauth_cred_t cred,
907 struct fileglob *fg,
908 char *elements,
909 int len
910);
911/**
912 @brief Create file label
913 @param cred Subject credential
914 @param fg Fileglob structure
915 @param label Policy label for fg
916*/
917typedef void mpo_file_label_associate_t(
918 kauth_cred_t cred,
919 struct fileglob *fg,
920 struct label *label
921);
922/**
923 @brief Destroy file label
924 @param label The label to be destroyed
925
926 Destroy the label on a file descriptor. In this entry point, a
927 policy module should free any internal storage associated with
928 label so that it may be destroyed.
929*/
930typedef void mpo_file_label_destroy_t(
931 struct label *label
932);
933/**
934 @brief Initialize file label
935 @param label New label to initialize
936*/
937typedef void mpo_file_label_init_t(
938 struct label *label
939);
940/**
941 @brief Access control check for relabeling network interfaces
942 @param cred Subject credential
943 @param ifp network interface being relabeled
944 @param ifnetlabel Current label of the network interfaces
945 @param newlabel New label to apply to the network interfaces
946 @see mpo_ifnet_label_update_t
947
948 Determine whether the subject identified by the credential can
949 relabel the network interface represented by ifp to the supplied
950 new label (newlabel).
951
952 @return Return 0 if access is granted, otherwise an appropriate value for
953 errno should be returned.
954*/
955typedef int mpo_ifnet_check_label_update_t(
956 kauth_cred_t cred,
957 struct ifnet *ifp,
958 struct label *ifnetlabel,
959 struct label *newlabel
960);
961/**
962 @brief Access control check for relabeling network interfaces
963 @param ifp Network interface mbuf will be transmitted through
964 @param ifnetlabel Label of the network interfaces
965 @param m The mbuf to be transmitted
966 @param mbuflabel Label of the mbuf to be transmitted
967 @param family Address Family, AF_*
968 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
969
970 Determine whether the mbuf with label mbuflabel may be transmitted
971 through the network interface represented by ifp that has the
972 label ifnetlabel.
973
974 @return Return 0 if access is granted, otherwise an appropriate value for
975 errno should be returned.
976*/
977typedef int mpo_ifnet_check_transmit_t(
978 struct ifnet *ifp,
979 struct label *ifnetlabel,
980 struct mbuf *m,
981 struct label *mbuflabel,
982 int family,
983 int type
984);
985/**
986 @brief Create a network interface label
987 @param ifp Network interface labeled
988 @param ifnetlabel Label for the network interface
989
990 Set the label of a newly created network interface, most likely
991 using the information in the supplied network interface struct.
992*/
993typedef void mpo_ifnet_label_associate_t(
994 struct ifnet *ifp,
995 struct label *ifnetlabel
996);
997/**
998 @brief Copy an ifnet label
999 @param src Source ifnet label
1000 @param dest Destination ifnet label
1001
1002 Copy the label information from src to dest.
1003*/
1004typedef void mpo_ifnet_label_copy_t(
1005 struct label *src,
1006 struct label *dest
1007);
1008/**
1009 @brief Destroy ifnet label
1010 @param label The label to be destroyed
1011
1012 Destroy the label on an ifnet label. In this entry point, a
1013 policy module should free any internal storage associated with
1014 label so that it may be destroyed.
1015*/
1016typedef void mpo_ifnet_label_destroy_t(
1017 struct label *label
1018);
1019/**
1020 @brief Externalize an ifnet label
1021 @param label Label to be externalized
1022 @param element_name Name of the label namespace for which labels should be
1023 externalized
1024 @param sb String buffer to be filled with a text representation of the label
1025
1026 Produce an external representation of the label on an interface.
1027 An externalized label consists of a text representation of the
1028 label contents that can be used with user applications.
1029 Policy-agnostic user space tools will display this externalized
1030 version.
1031
1032 @return 0 on success, return non-zero if an error occurs while
1033 externalizing the label data.
1034
1035*/
1036typedef int mpo_ifnet_label_externalize_t(
1037 struct label *label,
1038 char *element_name,
1039 struct sbuf *sb
1040);
1041/**
1042 @brief Initialize ifnet label
1043 @param label New label to initialize
1044*/
1045typedef void mpo_ifnet_label_init_t(
1046 struct label *label
1047);
1048/**
1049 @brief Internalize an interface label
1050 @param label Label to be internalized
1051 @param element_name Name of the label namespace for which the label should
1052 be internalized
1053 @param element_data Text data to be internalized
1054
1055 Produce an interface label from an external representation. An
1056 externalized label consists of a text representation of the label
1057 contents that can be used with user applications. Policy-agnostic
1058 user space tools will forward text version to the kernel for
1059 processing by individual policy modules.
1060
1061 The policy's internalize entry points will be called only if the
1062 policy has registered interest in the label namespace.
1063
1064 @return 0 on success, Otherwise, return non-zero if an error occurs
1065 while internalizing the label data.
1066
1067*/
1068typedef int mpo_ifnet_label_internalize_t(
1069 struct label *label,
1070 char *element_name,
1071 char *element_data
1072);
1073/**
1074 @brief Recycle up a network interface label
1075 @param label The label to be recycled
1076
1077 Recycle a network interface label. Darwin caches the struct ifnet
1078 of detached ifnets in a "free pool". Before ifnets are returned
1079 to the "free pool", policies can cleanup or overwrite any information
1080 present in the label.
1081*/
1082typedef void mpo_ifnet_label_recycle_t(
1083 struct label *label
1084);
1085/**
1086 @brief Update a network interface label
1087 @param cred Subject credential
1088 @param ifp The network interface to be relabeled
1089 @param ifnetlabel The current label of the network interface
1090 @param newlabel A new label to apply to the network interface
1091 @see mpo_ifnet_check_label_update_t
1092
1093 Update the label on a network interface, using the supplied new label.
1094*/
1095typedef void mpo_ifnet_label_update_t(
1096 kauth_cred_t cred,
1097 struct ifnet *ifp,
1098 struct label *ifnetlabel,
1099 struct label *newlabel
1100);
1101/**
1102 @brief Access control check for delivering a packet to a socket
1103 @param inp inpcb the socket is associated with
1104 @param inplabel Label of the inpcb
1105 @param m The mbuf being received
1106 @param mbuflabel Label of the mbuf being received
1107 @param family Address family, AF_*
1108 @param type Type of socket, SOCK_{STREAM,DGRAM,RAW}
1109
1110 Determine whether the mbuf with label mbuflabel may be received
1111 by the socket associated with inpcb that has the label inplabel.
1112
1113 @return Return 0 if access is granted, otherwise an appropriate value for
1114 errno should be returned.
1115*/
1116typedef int mpo_inpcb_check_deliver_t(
1117 struct inpcb *inp,
1118 struct label *inplabel,
1119 struct mbuf *m,
1120 struct label *mbuflabel,
1121 int family,
1122 int type
1123);
1124/**
1125 @brief Create an inpcb label
1126 @param so Socket containing the inpcb to be labeled
1127 @param solabel Label of the socket
1128 @param inp inpcb to be labeled
1129 @param inplabel Label for the inpcb
1130
1131 Set the label of a newly created inpcb, most likely
1132 using the information in the socket and/or socket label.
1133*/
1134typedef void mpo_inpcb_label_associate_t(
1135 struct socket *so,
1136 struct label *solabel,
1137 struct inpcb *inp,
1138 struct label *inplabel
1139);
1140/**
1141 @brief Destroy inpcb label
1142 @param label The label to be destroyed
1143
1144 Destroy the label on an inpcb label. In this entry point, a
1145 policy module should free any internal storage associated with
1146 label so that it may be destroyed.
1147*/
1148typedef void mpo_inpcb_label_destroy_t(
1149 struct label *label
1150);
1151/**
1152 @brief Initialize inpcb label
1153 @param label New label to initialize
1154 @param flag M_WAITOK or M_NOWAIT
1155*/
1156typedef int mpo_inpcb_label_init_t(
1157 struct label *label,
1158 int flag
1159);
1160/**
1161 @brief Recycle up an inpcb label
1162 @param label The label to be recycled
1163
1164 Recycle an inpcb label. Darwin allocates the inpcb as part of
1165 the socket structure in some cases. For this case we must recycle
1166 rather than destroy the inpcb as it will be reused later.
1167*/
1168typedef void mpo_inpcb_label_recycle_t(
1169 struct label *label
1170);
1171/**
1172 @brief Update an inpcb label from a socket label
1173 @param so Socket containing the inpcb to be relabeled
1174 @param solabel New label of the socket
1175 @param inp inpcb to be labeled
1176 @param inplabel Label for the inpcb
1177
1178 Set the label of a newly created inpcb due to a change in the
1179 underlying socket label.
1180*/
1181typedef void mpo_inpcb_label_update_t(
1182 struct socket *so,
1183 struct label *solabel,
1184 struct inpcb *inp,
1185 struct label *inplabel
1186);
1187/**
1188 @brief Device hardware access control
1189 @param devtype Type of device connected
1190 @param properties XML-formatted property list
1191 @param proplen Length of the property list
1192
1193 This is the MAC Framework device access control, which is called by the I/O
1194 Kit when a new device is connected to the system to determine whether that
1195 device should be trusted. A list of properties associated with the device
1196 is passed as an XML-formatted string. The routine should examine these
1197 properties to determine the trustworthiness of the device. A return value
1198 of EPERM forces the device to be claimed by a special device driver that
1199 will prevent its operation.
1200
1201 @warning This is an experimental interface and may change in the future.
1202
1203 @return Return EPERM to indicate that the device is untrusted and should
1204 not be allowed to operate. Return zero to indicate that the device is
1205 trusted and should be allowed to operate normally.
1206
1207*/
1208typedef int mpo_iokit_check_device_t(
1209 char *devtype,
1210 struct mac_module_data *mdata
1211);
1212/**
1213 @brief Access control check for opening an I/O Kit device
1214 @param cred Subject credential
1215 @param device_path Device path
1216 @param user_client User client instance
1217 @param user_client_type User client type
1218
1219 Determine whether the subject identified by the credential can open an
1220 I/O Kit device at the passed path of the passed user client class and
1221 type.
1222
1223 @return Return 0 if access is granted, or an appropriate value for
1224 errno should be returned.
1225*/
1226typedef int mpo_iokit_check_open_t(
1227 kauth_cred_t cred,
1228 io_object_t user_client,
1229 unsigned int user_client_type
1230);
1231/**
1232 @brief Access control check for setting I/O Kit device properties
1233 @param cred Subject credential
1234 @param registry_entry Target device
1235 @param properties Property list
1236
1237 Determine whether the subject identified by the credential can set
1238 properties on an I/O Kit device.
1239
1240 @return Return 0 if access is granted, or an appropriate value for
1241 errno should be returned.
1242*/
1243typedef int mpo_iokit_check_set_properties_t(
1244 kauth_cred_t cred,
1245 io_object_t entry,
1246 io_object_t properties
1247);
1248/**
1249 @brief Access control check for software HID control
1250 @param cred Subject credential
1251
1252 Determine whether the subject identified by the credential can
1253 control the HID (Human Interface Device) subsystem, such as to
1254 post synthetic keypresses, pointer movement and clicks.
1255
1256 @return Return 0 if access is granted, or an appropriate value for
1257 errno.
1258*/
1259typedef int mpo_iokit_check_hid_control_t(
1260 kauth_cred_t cred
1261);
1262/**
1263 @brief Create an IP reassembly queue label
1264 @param fragment First received IP fragment
1265 @param fragmentlabel Policy label for fragment
1266 @param ipq IP reassembly queue to be labeled
1267 @param ipqlabel Policy label to be filled in for ipq
1268
1269 Set the label on a newly created IP reassembly queue from
1270 the mbuf header of the first received fragment.
1271*/
1272typedef void mpo_ipq_label_associate_t(
1273 struct mbuf *fragment,
1274 struct label *fragmentlabel,
1275 struct ipq *ipq,
1276 struct label *ipqlabel
1277);
1278/**
1279 @brief Compare an mbuf header label to an ipq label
1280 @param fragment IP datagram fragment
1281 @param fragmentlabel Policy label for fragment
1282 @param ipq IP fragment reassembly queue
1283 @param ipqlabel Policy label for ipq
1284
1285 Compare the label of the mbuf header containing an IP datagram
1286 (fragment) fragment with the label of the passed IP fragment
1287 reassembly queue (ipq). Return (1) for a successful match, or (0)
1288 for no match. This call is made when the IP stack attempts to
1289 find an existing fragment reassembly queue for a newly received
1290 fragment; if this fails, a new fragment reassembly queue may be
1291 instantiated for the fragment. Policies may use this entry point
1292 to prevent the reassembly of otherwise matching IP fragments if
1293 policy does not permit them to be reassembled based on the label
1294 or other information.
1295*/
1296typedef int mpo_ipq_label_compare_t(
1297 struct mbuf *fragment,
1298 struct label *fragmentlabel,
1299 struct ipq *ipq,
1300 struct label *ipqlabel
1301);
1302/**
1303 @brief Destroy IP reassembly queue label
1304 @param label The label to be destroyed
1305
1306 Destroy the label on an IP fragment queue. In this entry point, a
1307 policy module should free any internal storage associated with
1308 label so that it may be destroyed.
1309*/
1310typedef void mpo_ipq_label_destroy_t(
1311 struct label *label
1312);
1313/**
1314 @brief Initialize IP reassembly queue label
1315 @param label New label to initialize
1316 @param flag M_WAITOK or M_NOWAIT
1317
1318 Initialize the label on a newly instantiated IP fragment reassembly
1319 queue. The flag field may be one of M_WAITOK and M_NOWAIT, and
1320 should be employed to avoid performing a sleeping malloc(9) during
1321 this initialization call. IP fragment reassembly queue allocation
1322 frequently occurs in performance sensitive environments, and the
1323 implementation should be careful to avoid sleeping or long-lived
1324 operations. This entry point is permitted to fail resulting in
1325 the failure to allocate the IP fragment reassembly queue.
1326*/
1327typedef int mpo_ipq_label_init_t(
1328 struct label *label,
1329 int flag
1330);
1331/**
1332 @brief Update the label on an IP fragment reassembly queue
1333 @param fragment IP fragment
1334 @param fragmentlabel Policy label for fragment
1335 @param ipq IP fragment reassembly queue
1336 @param ipqlabel Policy label to be updated for ipq
1337
1338 Update the label on an IP fragment reassembly queue (ipq) based
1339 on the acceptance of the passed IP fragment mbuf header (fragment).
1340*/
1341typedef void mpo_ipq_label_update_t(
1342 struct mbuf *fragment,
1343 struct label *fragmentlabel,
1344 struct ipq *ipq,
1345 struct label *ipqlabel
1346);
1347/**
1348 @brief Access control check for relabelling Login Context
1349 @param l Subject credential
1350 @param newlabel New label to apply to the Login Context
1351 @see mpo_lctx_label_update_t
1352 @see mac_set_lcid
1353 @see mac_set_lctx
1354
1355 Determine whether the subject identified by the credential can relabel
1356 itself to the supplied new label (newlabel). This access control check
1357 is called when the mac_set_lctx/lcid system call is invoked. A user space
1358 application will supply a new value, the value will be internalized
1359 and provided in newlabel.
1360
1361 @return Return 0 if access is granted, otherwise an appropriate value for
1362 errno should be returned.
1363*/
1364typedef int mpo_lctx_check_label_update_t(
1365 struct lctx *l,
1366 struct label *newlabel
1367);
1368/**
1369 @brief Destroy Login Context label
1370 @param label The label to be destroyed
1371*/
1372typedef void mpo_lctx_label_destroy_t(
1373 struct label *label
1374);
1375/**
1376 @brief Externalize a Login Context label
1377 @param label Label to be externalized
1378 @param element_name Name of the label namespace for which labels should be
1379 externalized
1380 @param sb String buffer to be filled with a text representation of the label
1381
1382 Produce an external representation of the label on a Login Context.
1383 An externalized label consists of a text representation
1384 of the label contents that can be used with user applications.
1385 Policy-agnostic user space tools will display this externalized
1386 version.
1387
1388 @return 0 on success, return non-zero if an error occurs while
1389 externalizing the label data.
1390
1391*/
1392typedef int mpo_lctx_label_externalize_t(
1393 struct label *label,
1394 char *element_name,
1395 struct sbuf *sb
1396);
1397/**
1398 @brief Initialize Login Context label
1399 @param label New label to initialize
1400*/
1401typedef void mpo_lctx_label_init_t(
1402 struct label *label
1403);
1404/**
1405 @brief Internalize a Login Context label
1406 @param label Label to be internalized
1407 @param element_name Name of the label namespace for which the label should
1408 be internalized
1409 @param element_data Text data to be internalized
1410
1411 Produce a Login Context label from an external representation. An
1412 externalized label consists of a text representation of the label
1413 contents that can be used with user applications. Policy-agnostic
1414 user space tools will forward text version to the kernel for
1415 processing by individual policy modules.
1416
1417 The policy's internalize entry points will be called only if the
1418 policy has registered interest in the label namespace.
1419
1420 @return 0 on success, Otherwise, return non-zero if an error occurs
1421 while internalizing the label data.
1422
1423*/
1424typedef int mpo_lctx_label_internalize_t(
1425 struct label *label,
1426 char *element_name,
1427 char *element_data
1428);
1429/**
1430 @brief Update a Login Context label
1431 @param l
1432 @param newlabel A new label to apply to the Login Context
1433 @see mpo_lctx_check_label_update_t
1434 @see mac_set_lcid
1435 @see mac_set_lctx
1436
1437 Update the label on a login context, using the supplied new label.
1438 This is called as a result of a login context relabel operation. Access
1439 control was already confirmed by mpo_lctx_check_label_update.
1440*/
1441typedef void mpo_lctx_label_update_t(
1442 struct lctx *l,
1443 struct label *newlabel
1444);
1445/**
1446 @brief A process has created a login context
1447 @param p Subject
1448 @param l Login Context
1449
1450 When a process creates a login context (via setlcid()) this entrypoint
1451 is called to notify the policy that the process 'p' has created login
1452 context 'l'.
1453*/
1454typedef void mpo_lctx_notify_create_t(
1455 struct proc *p,
1456 struct lctx *l
1457);
1458/**
1459 @brief A process has joined a login context
1460 @param p Subject
1461 @param l Login Context
1462
1463 When a process joins a login context, either via setlcid() or via
1464 fork() this entrypoint is called to notify the policy that process
1465 'p' is now a member of login context 'l'.
1466*/
1467typedef void mpo_lctx_notify_join_t(
1468 struct proc *p,
1469 struct lctx *l
1470);
1471/**
1472 @brief A process has left a login context
1473 @param p Subject
1474 @param l Login Context
1475
1476 When a process leaves a login context either via setlcid() or as a
1477 result of the process exiting this entrypoint is called to notify
1478 the policy that the process 'p' is no longer a member of login context 'l'.
1479*/
1480typedef void mpo_lctx_notify_leave_t(
1481 struct proc *p,
1482 struct lctx *l
1483);
1484/**
1485 @brief Assign a label to a new mbuf
1486 @param bpf_d BPF descriptor
1487 @param b_label Policy label for bpf_d
1488 @param m Object; mbuf
1489 @param m_label Policy label to fill in for m
1490
1491 Set the label on the mbuf header of a newly created datagram
1492 generated using the passed BPF descriptor. This call is made when
1493 a write is performed to the BPF device associated with the passed
1494 BPF descriptor.
1495*/
1496typedef void mpo_mbuf_label_associate_bpfdesc_t(
1497 struct bpf_d *bpf_d,
1498 struct label *b_label,
1499 struct mbuf *m,
1500 struct label *m_label
1501);
1502/**
1503 @brief Assign a label to a new mbuf
1504 @param ifp Interface descriptor
1505 @param i_label Existing label of ifp
1506 @param m Object; mbuf
1507 @param m_label Policy label to fill in for m
1508
1509 Label an mbuf based on the interface from which it was received.
1510*/
1511typedef void mpo_mbuf_label_associate_ifnet_t(
1512 struct ifnet *ifp,
1513 struct label *i_label,
1514 struct mbuf *m,
1515 struct label *m_label
1516);
1517/**
1518 @brief Assign a label to a new mbuf
1519 @param inp inpcb structure
1520 @param i_label Existing label of inp
1521 @param m Object; mbuf
1522 @param m_label Policy label to fill in for m
1523
1524 Label an mbuf based on the inpcb from which it was derived.
1525*/
1526typedef void mpo_mbuf_label_associate_inpcb_t(
1527 struct inpcb *inp,
1528 struct label *i_label,
1529 struct mbuf *m,
1530 struct label *m_label
1531);
1532/**
1533 @brief Set the label on a newly reassembled IP datagram
1534 @param ipq IP fragment reassembly queue
1535 @param ipqlabel Policy label for ipq
1536 @param mbuf IP datagram to be labeled
1537 @param mbuflabel Policy label to be filled in for mbuf
1538
1539 Set the label on a newly reassembled IP datagram (mbuf) from the IP
1540 fragment reassembly queue (ipq) from which it was generated.
1541*/
1542typedef void mpo_mbuf_label_associate_ipq_t(
1543 struct ipq *ipq,
1544 struct label *ipqlabel,
1545 struct mbuf *mbuf,
1546 struct label *mbuflabel
1547);
1548/**
1549 @brief Assign a label to a new mbuf
1550 @param ifp Subject; network interface
1551 @param i_label Existing label of ifp
1552 @param m Object; mbuf
1553 @param m_label Policy label to fill in for m
1554
1555 Set the label on the mbuf header of a newly created datagram
1556 generated for the purposes of a link layer response for the passed
1557 interface. This call may be made in a number of situations, including
1558 for ARP or ND6 responses in the IPv4 and IPv6 stacks.
1559*/
1560typedef void mpo_mbuf_label_associate_linklayer_t(
1561 struct ifnet *ifp,
1562 struct label *i_label,
1563 struct mbuf *m,
1564 struct label *m_label
1565);
1566/**
1567 @brief Assign a label to a new mbuf
1568 @param oldmbuf mbuf headerder for existing datagram for existing datagram
1569 @param oldmbuflabel Policy label for oldmbuf
1570 @param ifp Network interface
1571 @param ifplabel Policy label for ifp
1572 @param newmbuf mbuf header to be labeled for new datagram
1573 @param newmbuflabel Policy label for newmbuf
1574
1575 Set the label on the mbuf header of a newly created datagram
1576 generated from the existing passed datagram when it is processed
1577 by the passed multicast encapsulation interface. This call is made
1578 when an mbuf is to be delivered using the virtual interface.
1579*/
1580typedef void mpo_mbuf_label_associate_multicast_encap_t(
1581 struct mbuf *oldmbuf,
1582 struct label *oldmbuflabel,
1583 struct ifnet *ifp,
1584 struct label *ifplabel,
1585 struct mbuf *newmbuf,
1586 struct label *newmbuflabel
1587);
1588/**
1589 @brief Assign a label to a new mbuf
1590 @param oldmbuf Received datagram
1591 @param oldmbuflabel Policy label for oldmbuf
1592 @param newmbuf Newly created datagram
1593 @param newmbuflabel Policy label for newmbuf
1594
1595 Set the label on the mbuf header of a newly created datagram generated
1596 by the IP stack in response to an existing received datagram (oldmbuf).
1597 This call may be made in a number of situations, including when responding
1598 to ICMP request datagrams.
1599*/
1600typedef void mpo_mbuf_label_associate_netlayer_t(
1601 struct mbuf *oldmbuf,
1602 struct label *oldmbuflabel,
1603 struct mbuf *newmbuf,
1604 struct label *newmbuflabel
1605);
1606/**
1607 @brief Assign a label to a new mbuf
1608 @param so Socket to label
1609 @param so_label Policy label for socket
1610 @param m Object; mbuf
1611 @param m_label Policy label to fill in for m
1612
1613 An mbuf structure is used to store network traffic in transit.
1614 When an application sends data to a socket or a pipe, it is wrapped
1615 in an mbuf first. This function sets the label on a newly created mbuf header
1616 based on the socket sending the data. The contents of the label should be
1617 suitable for performing an access check on the receiving side of the
1618 communication.
1619
1620 Only labeled MBUFs will be presented to the policy via this entrypoint.
1621*/
1622typedef void mpo_mbuf_label_associate_socket_t(
1623 socket_t so,
1624 struct label *so_label,
1625 struct mbuf *m,
1626 struct label *m_label
1627);
1628/**
1629 @brief Copy a mbuf label
1630 @param src Source label
1631 @param dest Destination label
1632
1633 Copy the mbuf label information in src into dest.
1634
1635 Only called when both source and destination mbufs have labels.
1636*/
1637typedef void mpo_mbuf_label_copy_t(
1638 struct label *src,
1639 struct label *dest
1640);
1641/**
1642 @brief Destroy mbuf label
1643 @param label The label to be destroyed
1644
1645 Destroy a mbuf label. Since the
1646 object is going out of scope, policy modules should free any
1647 internal storage associated with the label so that it may be
1648 destroyed.
1649*/
1650typedef void mpo_mbuf_label_destroy_t(
1651 struct label *label
1652);
1653/**
1654 @brief Initialize mbuf label
1655 @param label New label to initialize
1656 @param flag Malloc flags
1657
1658 Initialize the label for a newly instantiated mbuf.
1659
1660 @warning Since it is possible for the flags to be set to
1661 M_NOWAIT, the malloc operation may fail.
1662
1663 @return On success, 0, otherwise, an appropriate errno return value.
1664*/
1665typedef int mpo_mbuf_label_init_t(
1666 struct label *label,
1667 int flag
1668);
1669/**
1670 @brief Access control check for fsctl
1671 @param cred Subject credential
1672 @param mp The mount point
1673 @param label Label associated with the mount point
1674 @param com Filesystem-dependent request code; see fsctl(2)
1675
1676 Determine whether the subject identified by the credential can perform
1677 the volume operation indicated by com.
1678
1679 @warning The fsctl() system call is directly analogous to ioctl(); since
1680 the associated data is opaque from the standpoint of the MAC framework
1681 and since these operations can affect many aspects of system operation,
1682 policies must exercise extreme care when implementing access control checks.
1683
1684 @return Return 0 if access is granted, otherwise an appropriate value for
1685 errno should be returned.
1686*/
1687typedef int mpo_mount_check_fsctl_t(
1688 kauth_cred_t cred,
1689 struct mount *mp,
1690 struct label *label,
1691 unsigned int cmd
1692);
1693/**
1694 @brief Access control check for the retrieval of file system attributes
1695 @param cred Subject credential
1696 @param mp The mount structure of the file system
1697 @param vfa The attributes requested
1698
1699 This entry point determines whether given subject can get information
1700 about the given file system. This check happens during statfs() syscalls,
1701 but is also used by other parts within the kernel such as the audit system.
1702
1703 @return Return 0 if access is granted, otherwise an appropriate value for
1704 errno should be returned.
1705*/
1706
1707typedef int mpo_mount_check_getattr_t(
1708 kauth_cred_t cred,
1709 struct mount *mp,
1710 struct label *mp_label,
1711 struct vfs_attr *vfa
1712);
1713/**
1714 @brief Access control check for mount point relabeling
1715 @param cred Subject credential
1716 @param mp Object file system mount point
1717 @param mntlabel Policy label for fle system mount point
1718
1719 Determine whether the subject identified by the credential can relabel
1720 the mount point. This call is made when a file system mount is updated.
1721
1722 @return Return 0 if access is granted, otherwise an appropriate value for
1723 errno should be returned. Suggested failure: EACCES for label mismatch
1724 or EPERM for lack of privilege.
1725*/
1726typedef int mpo_mount_check_label_update_t(
1727 kauth_cred_t cred,
1728 struct mount *mp,
1729 struct label *mntlabel
1730);
1731/**
1732 @brief Access control check for mounting a file system
1733 @param cred Subject credential
1734 @param vp Vnode that is to be the mount point
1735 @param vlabel Label associated with the vnode
1736 @param cnp Component name for vp
1737 @param vfc_name Filesystem type name
1738
1739 Determine whether the subject identified by the credential can perform
1740 the mount operation on the target vnode.
1741
1742 @return Return 0 if access is granted, otherwise an appropriate value for
1743 errno should be returned.
1744*/
1745typedef int mpo_mount_check_mount_t(
1746 kauth_cred_t cred,
1747 struct vnode *vp,
1748 struct label *vlabel,
1749 struct componentname *cnp,
1750 const char *vfc_name
1751);
1752/**
1753 @brief Access control check remounting a filesystem
1754 @param cred Subject credential
1755 @param mp The mount point
1756 @param mlabel Label currently associated with the mount point
1757
1758 Determine whether the subject identified by the credential can perform
1759 the remount operation on the target vnode.
1760
1761 @return Return 0 if access is granted, otherwise an appropriate value for
1762 errno should be returned.
1763*/
1764typedef int mpo_mount_check_remount_t(
1765 kauth_cred_t cred,
1766 struct mount *mp,
1767 struct label *mlabel
1768);
1769/**
1770 @brief Access control check for the settting of file system attributes
1771 @param cred Subject credential
1772 @param mp The mount structure of the file system
1773 @param vfa The attributes requested
1774
1775 This entry point determines whether given subject can set information
1776 about the given file system, for example the volume name.
1777
1778 @return Return 0 if access is granted, otherwise an appropriate value for
1779 errno should be returned.
1780*/
1781
1782typedef int mpo_mount_check_setattr_t(
1783 kauth_cred_t cred,
1784 struct mount *mp,
1785 struct label *mp_label,
1786 struct vfs_attr *vfa
1787);
1788/**
1789 @brief Access control check for file system statistics
1790 @param cred Subject credential
1791 @param mp Object file system mount
1792 @param mntlabel Policy label for mp
1793
1794 Determine whether the subject identified by the credential can see
1795 the results of a statfs performed on the file system. This call may
1796 be made in a number of situations, including during invocations of
1797 statfs(2) and related calls, as well as to determine what file systems
1798 to exclude from listings of file systems, such as when getfsstat(2)
1799 is invoked.
1800
1801 @return Return 0 if access is granted, otherwise an appropriate value for
1802 errno should be returned. Suggested failure: EACCES for label mismatch
1803 or EPERM for lack of privilege.
1804*/
1805typedef int mpo_mount_check_stat_t(
1806 kauth_cred_t cred,
1807 struct mount *mp,
1808 struct label *mntlabel
1809);
1810/**
1811 @brief Access control check for unmounting a filesystem
1812 @param cred Subject credential
1813 @param mp The mount point
1814 @param mlabel Label associated with the mount point
1815
1816 Determine whether the subject identified by the credential can perform
1817 the unmount operation on the target vnode.
1818
1819 @return Return 0 if access is granted, otherwise an appropriate value for
1820 errno should be returned.
1821*/
1822typedef int mpo_mount_check_umount_t(
1823 kauth_cred_t cred,
1824 struct mount *mp,
1825 struct label *mlabel
1826);
1827/**
1828 @brief Create mount labels
1829 @param cred Subject credential
1830 @param mp Mount point of file system being mounted
1831 @param mntlabel Label to associate with the new mount point
1832 @see mpo_mount_label_init_t
1833
1834 Fill out the labels on the mount point being created by the supplied
1835 user credential. This call is made when file systems are first mounted.
1836*/
1837typedef void mpo_mount_label_associate_t(
1838 kauth_cred_t cred,
1839 struct mount *mp,
1840 struct label *mntlabel
1841);
1842/**
1843 @brief Destroy mount label
1844 @param label The label to be destroyed
1845
1846 Destroy a file system mount label. Since the
1847 object is going out of scope, policy modules should free any
1848 internal storage associated with the label so that it may be
1849 destroyed.
1850*/
1851typedef void mpo_mount_label_destroy_t(
1852 struct label *label
1853);
1854/**
1855 @brief Externalize a mount point label
1856 @param label Label to be externalized
1857 @param element_name Name of the label namespace for which labels should be
1858 externalized
1859 @param sb String buffer to be filled with a text representation of the label
1860
1861 Produce an external representation of the mount point label. An
1862 externalized label consists of a text representation of the label
1863 contents that can be used with user applications. Policy-agnostic
1864 user space tools will display this externalized version.
1865
1866 The policy's externalize entry points will be called only if the
1867 policy has registered interest in the label namespace.
1868
1869 @return 0 on success, return non-zero if an error occurs while
1870 externalizing the label data.
1871
1872*/
1873typedef int mpo_mount_label_externalize_t(
1874 struct label *label,
1875 char *element_name,
1876 struct sbuf *sb
1877);
1878/**
1879 @brief Initialize mount point label
1880 @param label New label to initialize
1881
1882 Initialize the label for a newly instantiated mount structure.
1883 This label is typically used to store a default label in the case
1884 that the file system has been mounted singlelabel. Since some
1885 file systems do not support persistent labels (extended attributes)
1886 or are read-only (such as CD-ROMs), it is often necessary to store
1887 a default label separately from the label of the mount point
1888 itself. Sleeping is permitted.
1889*/
1890typedef void mpo_mount_label_init_t(
1891 struct label *label
1892);
1893/**
1894 @brief Internalize a mount point label
1895 @param label Label to be internalized
1896 @param element_name Name of the label namespace for which the label should
1897 be internalized
1898 @param element_data Text data to be internalized
1899
1900 Produce a mount point file system label from an external representation.
1901 An externalized label consists of a text representation of the label
1902 contents that can be used with user applications. Policy-agnostic
1903 user space tools will forward text version to the kernel for
1904 processing by individual policy modules.
1905
1906 The policy's internalize entry points will be called only if the
1907 policy has registered interest in the label namespace.
1908
1909 @return 0 on success, Otherwise, return non-zero if an error occurs
1910 while internalizing the label data.
1911
1912*/
1913typedef int mpo_mount_label_internalize_t(
1914 struct label *label,
1915 char *element_name,
1916 char *element_data
1917);
1918/**
1919 @brief Set the label on an IPv4 datagram fragment
1920 @param datagram Datagram being fragmented
1921 @param datagramlabel Policy label for datagram
1922 @param fragment New fragment
1923 @param fragmentlabel Policy label for fragment
1924
1925 Called when an IPv4 datagram is fragmented into several smaller datagrams.
1926 Policies implementing mbuf labels will typically copy the label from the
1927 source datagram to the new fragment.
1928*/
1929typedef void mpo_netinet_fragment_t(
1930 struct mbuf *datagram,
1931 struct label *datagramlabel,
1932 struct mbuf *fragment,
1933 struct label *fragmentlabel
1934);
1935/**
1936 @brief Set the label on an ICMP reply
1937 @param m mbuf containing the ICMP reply
1938 @param mlabel Policy label for m
1939
1940 A policy may wish to update the label of an mbuf that refers to
1941 an ICMP packet being sent in response to an IP packet. This may
1942 be called in response to a bad packet or an ICMP request.
1943*/
1944typedef void mpo_netinet_icmp_reply_t(
1945 struct mbuf *m,
1946 struct label *mlabel
1947);
1948/**
1949 @brief Set the label on a TCP reply
1950 @param m mbuf containing the TCP reply
1951 @param mlabel Policy label for m
1952
1953 Called for outgoing TCP packets not associated with an actual socket.
1954*/
1955typedef void mpo_netinet_tcp_reply_t(
1956 struct mbuf *m,
1957 struct label *mlabel
1958);
1959/**
1960 @brief Access control check for pipe ioctl
1961 @param cred Subject credential
1962 @param cpipe Object to be accessed
1963 @param pipelabel The label on the pipe
1964 @param cmd The ioctl command; see ioctl(2)
1965
1966 Determine whether the subject identified by the credential can perform
1967 the ioctl operation indicated by cmd.
1968
1969 @warning Since ioctl data is opaque from the standpoint of the MAC
1970 framework, policies must exercise extreme care when implementing
1971 access control checks.
1972
1973 @return Return 0 if access is granted, otherwise an appropriate value for
1974 errno should be returned.
1975
1976*/
1977typedef int mpo_pipe_check_ioctl_t(
1978 kauth_cred_t cred,
1979 struct pipe *cpipe,
1980 struct label *pipelabel,
1981 unsigned int cmd
1982);
1983/**
1984 @brief Access control check for pipe kqfilter
1985 @param cred Subject credential
1986 @param kn Object knote
1987 @param cpipe Object to be accessed
1988 @param pipelabel Policy label for the pipe
1989
1990 Determine whether the subject identified by the credential can
1991 receive the knote on the passed pipe.
1992
1993 @return Return 0 if access if granted, otherwise an appropriate
1994 value for errno should be returned.
1995*/
1996typedef int mpo_pipe_check_kqfilter_t(
1997 kauth_cred_t cred,
1998 struct knote *kn,
1999 struct pipe *cpipe,
2000 struct label *pipelabel
2001);
2002/**
2003 @brief Access control check for pipe relabel
2004 @param cred Subject credential
2005 @param cpipe Object to be accessed
2006 @param pipelabel The current label on the pipe
2007 @param newlabel The new label to be used
2008
2009 Determine whether the subject identified by the credential can
2010 perform a relabel operation on the passed pipe. The cred object holds
2011 the credentials of the subject performing the operation.
2012
2013 @return Return 0 if access is granted, otherwise an appropriate value for
2014 errno should be returned.
2015
2016*/
2017typedef int mpo_pipe_check_label_update_t(
2018 kauth_cred_t cred,
2019 struct pipe *cpipe,
2020 struct label *pipelabel,
2021 struct label *newlabel
2022);
2023/**
2024 @brief Access control check for pipe read
2025 @param cred Subject credential
2026 @param cpipe Object to be accessed
2027 @param pipelabel The label on the pipe
2028
2029 Determine whether the subject identified by the credential can
2030 perform a read operation on the passed pipe. The cred object holds
2031 the credentials of the subject performing the operation.
2032
2033 @return Return 0 if access is granted, otherwise an appropriate value for
2034 errno should be returned.
2035
2036*/
2037typedef int mpo_pipe_check_read_t(
2038 kauth_cred_t cred,
2039 struct pipe *cpipe,
2040 struct label *pipelabel
2041);
2042/**
2043 @brief Access control check for pipe select
2044 @param cred Subject credential
2045 @param cpipe Object to be accessed
2046 @param pipelabel The label on the pipe
2047 @param which The operation selected on: FREAD or FWRITE
2048
2049 Determine whether the subject identified by the credential can
2050 perform a select operation on the passed pipe. The cred object holds
2051 the credentials of the subject performing the operation.
2052
2053 @return Return 0 if access is granted, otherwise an appropriate value for
2054 errno should be returned.
2055
2056*/
2057typedef int mpo_pipe_check_select_t(
2058 kauth_cred_t cred,
2059 struct pipe *cpipe,
2060 struct label *pipelabel,
2061 int which
2062);
2063/**
2064 @brief Access control check for pipe stat
2065 @param cred Subject credential
2066 @param cpipe Object to be accessed
2067 @param pipelabel The label on the pipe
2068
2069 Determine whether the subject identified by the credential can
2070 perform a stat operation on the passed pipe. The cred object holds
2071 the credentials of the subject performing the operation.
2072
2073 @return Return 0 if access is granted, otherwise an appropriate value for
2074 errno should be returned.
2075
2076*/
2077typedef int mpo_pipe_check_stat_t(
2078 kauth_cred_t cred,
2079 struct pipe *cpipe,
2080 struct label *pipelabel
2081);
2082/**
2083 @brief Access control check for pipe write
2084 @param cred Subject credential
2085 @param cpipe Object to be accessed
2086 @param pipelabel The label on the pipe
2087
2088 Determine whether the subject identified by the credential can
2089 perform a write operation on the passed pipe. The cred object holds
2090 the credentials of the subject performing the operation.
2091
2092 @return Return 0 if access is granted, otherwise an appropriate value for
2093 errno should be returned.
2094
2095*/
2096typedef int mpo_pipe_check_write_t(
2097 kauth_cred_t cred,
2098 struct pipe *cpipe,
2099 struct label *pipelabel
2100);
2101/**
2102 @brief Create a pipe label
2103 @param cred Subject credential
2104 @param cpipe object to be labeled
2105 @param label Label for the pipe object
2106
2107 Create a label for the pipe object being created by the supplied
2108 user credential. This call is made when the pipe is being created
2109 XXXPIPE(for one or both sides of the pipe?).
2110
2111*/
2112typedef void mpo_pipe_label_associate_t(
2113 kauth_cred_t cred,
2114 struct pipe *cpipe,
2115 struct label *pipelabel
2116);
2117/**
2118 @brief Copy a pipe label
2119 @param src Source pipe label
2120 @param dest Destination pipe label
2121
2122 Copy the pipe label associated with src to dest.
2123 XXXPIPE Describe when this is used: most likely during pipe creation to
2124 copy from rpipe to wpipe.
2125*/
2126typedef void mpo_pipe_label_copy_t(
2127 struct label *src,
2128 struct label *dest
2129);
2130/**
2131 @brief Destroy pipe label
2132 @param label The label to be destroyed
2133
2134 Destroy a pipe label. Since the object is going out of scope,
2135 policy modules should free any internal storage associated with the
2136 label so that it may be destroyed.
2137*/
2138typedef void mpo_pipe_label_destroy_t(
2139 struct label *label
2140);
2141/**
2142 @brief Externalize a pipe label
2143 @param label Label to be externalized
2144 @param element_name Name of the label namespace for which labels should be
2145 externalized
2146 @param sb String buffer to be filled with a text representation of the label
2147
2148 Produce an external representation of the label on a pipe.
2149 An externalized label consists of a text representation
2150 of the label contents that can be used with user applications.
2151 Policy-agnostic user space tools will display this externalized
2152 version.
2153
2154 The policy's externalize entry points will be called only if the
2155 policy has registered interest in the label namespace.
2156
2157 @return 0 on success, return non-zero if an error occurs while
2158 externalizing the label data.
2159
2160*/
2161typedef int mpo_pipe_label_externalize_t(
2162 struct label *label,
2163 char *element_name,
2164 struct sbuf *sb
2165);
2166/**
2167 @brief Initialize pipe label
2168 @param label New label to initialize
2169
2170 Initialize label storage for use with a newly instantiated pipe object.
2171 Sleeping is permitted.
2172*/
2173typedef void mpo_pipe_label_init_t(
2174 struct label *label
2175);
2176/**
2177 @brief Internalize a pipe label
2178 @param label Label to be internalized
2179 @param element_name Name of the label namespace for which the label should
2180 be internalized
2181 @param element_data Text data to be internalized
2182
2183 Produce a pipe label from an external representation. An
2184 externalized label consists of a text representation of the label
2185 contents that can be used with user applications. Policy-agnostic
2186 user space tools will forward text version to the kernel for
2187 processing by individual policy modules.
2188
2189 The policy's internalize entry points will be called only if the
2190 policy has registered interest in the label namespace.
2191
2192 @return 0 on success, Otherwise, return non-zero if an error occurs
2193 while internalizing the label data.
2194
2195*/
2196typedef int mpo_pipe_label_internalize_t(
2197 struct label *label,
2198 char *element_name,
2199 char *element_data
2200);
2201/**
2202 @brief Update a pipe label
2203 @param cred Subject credential
2204 @param cpipe Object to be labeled
2205 @param oldlabel Existing pipe label
2206 @param newlabel New label to replace existing label
2207 @see mpo_pipe_check_label_update_t
2208
2209 The subject identified by the credential has previously requested
2210 and was authorized to relabel the pipe; this entry point allows
2211 policies to perform the actual relabel operation. Policies should
2212 update oldlabel using the label stored in the newlabel parameter.
2213
2214*/
2215typedef void mpo_pipe_label_update_t(
2216 kauth_cred_t cred,
2217 struct pipe *cpipe,
2218 struct label *oldlabel,
2219 struct label *newlabel
2220);
2221/**
2222 @brief Policy unload event
2223 @param mpc MAC policy configuration
2224
2225 This is the MAC Framework policy unload event. This entry point will
2226 only be called if the module's policy configuration allows unload (if
2227 the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't
2228 want to be unloaded; they should set their flags to prevent this
2229 entry point from being called.
2230
2231 @warning During this call, the mac policy list mutex is held, so
2232 sleep operations cannot be performed, and calls out to other kernel
2233 subsystems must be made with caution.
2234
2235 @see MPC_LOADTIME_FLAG_UNLOADOK
2236*/
2237typedef void mpo_policy_destroy_t(
2238 struct mac_policy_conf *mpc
2239);
2240/**
2241 @brief Policy initialization event
2242 @param mpc MAC policy configuration
2243 @see mac_policy_register
2244 @see mpo_policy_initbsd_t
2245
2246 This is the MAC Framework policy initialization event. This entry
2247 point is called during mac_policy_register, when the policy module
2248 is first registered with the MAC Framework. This is often done very
2249 early in the boot process, after the kernel Mach subsystem has been
2250 initialized, but prior to the BSD subsystem being initialized.
2251 Since the kernel BSD services are not yet available, it is possible
2252 that some initialization must occur later, possibly in the
2253 mpo_policy_initbsd_t policy entry point, such as registering BSD system
2254 controls (sysctls). Policy modules loaded at boot time will be
2255 registered and initialized before labeled Mach objects are created.
2256
2257 @warning During this call, the mac policy list mutex is held, so
2258 sleep operations cannot be performed, and calls out to other kernel
2259 subsystems must be made with caution.
2260*/
2261typedef void mpo_policy_init_t(
2262 struct mac_policy_conf *mpc
2263);
2264/**
2265 @brief Policy BSD initialization event
2266 @param mpc MAC policy configuration
2267 @see mpo_policy_init_t
2268
2269 This entry point is called after the kernel BSD subsystem has been
2270 initialized. By this point, the module should already be loaded,
2271 registered, and initialized. Since policy modules are initialized
2272 before kernel BSD services are available, this second initialization
2273 phase is necessary. At this point, BSD services (memory management,
2274 synchronization primitives, vfs, etc.) are available, but the first
2275 process has not yet been created. Mach-related objects and tasks
2276 will already be fully initialized and may be in use--policies requiring
2277 ubiquitous labeling may also want to implement mpo_policy_init_t.
2278
2279 @warning During this call, the mac policy list mutex is held, so
2280 sleep operations cannot be performed, and calls out to other kernel
2281 subsystems must be made with caution.
2282*/
2283typedef void mpo_policy_initbsd_t(
2284 struct mac_policy_conf *mpc
2285);
2286/**
2287 @brief Policy extension service
2288 @param p Calling process
2289 @param call Policy-specific syscall number
2290 @param arg Pointer to syscall arguments
2291
2292 This entry point provides a policy-multiplexed system call so that
2293 policies may provide additional services to user processes without
2294 registering specific system calls. The policy name provided during
2295 registration is used to demux calls from userland, and the arguments
2296 will be forwarded to this entry point. When implementing new
2297 services, security modules should be sure to invoke appropriate
2298 access control checks from the MAC framework as needed. For
2299 example, if a policy implements an augmented signal functionality,
2300 it should call the necessary signal access control checks to invoke
2301 the MAC framework and other registered policies.
2302
2303 @warning Since the format and contents of the policy-specific
2304 arguments are unknown to the MAC Framework, modules must perform the
2305 required copyin() of the syscall data on their own. No policy
2306 mediation is performed, so policies must perform any necessary
2307 access control checks themselves. If multiple policies are loaded,
2308 they will currently be unable to mediate calls to other policies.
2309
2310 @return In the event of an error, an appropriate value for errno
2311 should be returned, otherwise return 0 upon success.
2312*/
2313typedef int mpo_policy_syscall_t(
2314 struct proc *p,
2315 int call,
2316 user_addr_t arg
2317);
2318/**
2319 @brief Access control check for copying a send right to another task
2320 @param task Label of the sender task
2321 @param port Label of the affected port
2322
2323 Access control check for copying send rights to the port from the
2324 specified task. A complementary entry point, mpo_port_check_hold_send,
2325 handles the receiving task. port_check_copy_send is called as part of
2326 a group of policy invocations when messages with port rights are sent.
2327 All access control checks made for a particular message must be successful
2328 for the message to be sent.
2329
2330 The task label and the port are locked. Sleeping is permitted.
2331
2332 @return Return 0 if access is granted, non-zero otherwise.
2333*/
2334typedef int mpo_port_check_copy_send_t(
2335 struct label *task,
2336 struct label *port
2337);
2338/**
2339 @brief Access control check for obtaining a receive right
2340 @param task Label of the receiving task
2341 @param port Label of the affected port
2342
2343 Access control check for a task obtaining receive rights to a
2344 port. Usually, these are port rights that were obtained with a call
2345 to mach_port_allocate. This entry point is called as part of a
2346 group of policy invocations when messages with port rights are
2347 received. All of these access control checks must succeed in order
2348 to receive the message.
2349
2350 The task label and the port are locked. Sleeping is permitted.
2351
2352 @return Return 0 if access is granted, non-zero otherwise.
2353*/
2354typedef int mpo_port_check_hold_receive_t(
2355 struct label *task,
2356 struct label *port
2357);
2358/**
2359 @brief Access control check for obtaining a send once right
2360 @param task Label of the receiving task
2361 @param port Label of the affected port
2362
2363 Access control check for a task obtaining send once rights to a port. Usually,
2364 these are port rights that were part of a message sent by another userspace
2365 task. port_check_hold_send_once is called as part of a group of policy
2366 invocations when messages with port rights are received. All of these access
2367 control checks must succeed in order to receive the message.
2368
2369 The task label and the port are locked. Sleeping is permitted.
2370
2371 @return Return 0 if access is granted, non-zero otherwise.
2372*/
2373typedef int mpo_port_check_hold_send_once_t(
2374 struct label *task,
2375 struct label *port
2376);
2377/**
2378 @brief Access control check for obtaining a send right
2379 @param task Label of the receiving task
2380 @param port Label of the affected port
2381
2382 Access control check for a task obtaining send rights to a port. Usually,
2383 these are port rights that were part of a message sent by another userspace
2384 task. port_check_hold_send is called as part of a group of policy
2385 invocations when messages with port rights are received. All of these access
2386 control checks must succeed in order to receive the message.
2387
2388 The task label and the port are locked. Sleeping is permitted.
2389
2390 @return Return 0 if access is granted, non-zero otherwise.
2391*/
2392typedef int mpo_port_check_hold_send_t(
2393 struct label *task,
2394 struct label *port
2395);
2396/**
2397 @brief Access control check for relabelling ports
2398 @param task Subject's task label
2399 @param oldlabel Original label of port
2400 @param newlabel New label for port
2401
2402 Access control check for relabelling ports. The policy should
2403 indicate whether the subject is permitted to change the label
2404 of a port from oldlabel to newlabel. The port is locked, but
2405 the subject's task label is not locked.
2406
2407 @warning XXX In future releases, the task label lock will likely
2408 also be held.
2409
2410 @return Return 0 if access is granted, non-zero otherwise.
2411*/
2412typedef int mpo_port_check_label_update_t(
2413 struct label *task,
2414 struct label *oldlabel,
2415 struct label *newlabel
2416);
2417/**
2418 @brief Access control check for producing a send once right from a receive right
2419 @param task Label of the sender task
2420 @param port Label of the affected port
2421
2422 Access control check for obtaining send once rights from receive rights.
2423 The new send once right may be destined for the calling task, or a different
2424 task. In either case the mpo_port_check_hold_send_once entry point handles
2425 the receiving task. port_check_make_send_once may be called as part of a
2426 group of policy invocations when messages with port rights are sent.
2427 All access control checks made for a particular message must be successful
2428 for the message to be sent.
2429
2430 The task label and the port are locked. Sleeping is permitted.
2431
2432 @return Return 0 if access is granted, non-zero otherwise.
2433*/
2434typedef int mpo_port_check_make_send_once_t(
2435 struct label *task,
2436 struct label *port
2437);
2438/**
2439 @brief Access control check for producing a send right from a receive right
2440 @param task Label of the sender task
2441 @param port Label of the affected port
2442
2443 Access control check for obtaining send rights from receive rights. The new
2444 send right may be destined for the calling task, or a different task.
2445 In either case the mpo_port_check_hold_send entry point
2446 handles the receiving task. port_check_make_send may be called as part of
2447 a group of policy invocations when messages with port rights are sent.
2448 All access control checks made for a particular message must be successful
2449 for the message to be sent.
2450
2451 The task label and the port are locked. Sleeping is permitted.
2452
2453 @return Return 0 if access is granted, non-zero otherwise.
2454*/
2455typedef int mpo_port_check_make_send_t(
2456 struct label *task,
2457 struct label *port
2458);
2459/**
2460 @brief Compute access control check for a Mach message-based service
2461 @param proc Sender's process structure (may be NULL)
2462 @param task Sender's task label
2463 @param port Destination port label
2464 @param msgid Message id
2465
2466 Access control computation for message-based services. This entry point
2467 computes permission to the service requested by the specified port and message
2468 id, for example a single MiG server routine, and is unrelated to the access
2469 check for sending messages to ports (but that check must succeed for the
2470 message to be sent to the destination). The result of this access computation
2471 is stored in the message trailer field msgh_ad (only if requested by the
2472 recipient); it does not actually inhibit the message from being sent or
2473 received.
2474
2475 @return 0 for access granted, nonzero for access denied.
2476*/
2477
2478typedef int mpo_port_check_method_t(
2479 struct proc *proc,
2480 struct label *task,
2481 struct label *port,
2482 int msgid
2483);
2484/**
2485 @brief Access control check for transferring a receive right
2486 @param task Label of the sender task
2487 @param port Label of the affected port
2488
2489 Access control check for transferring the receive right to a port out
2490 of the specified task. A complementary entry point,
2491 mpo_port_check_hold_receive, handles the receiving task.
2492 port_check_move_receive is called as part of
2493 a group of policy invocations when messages with port rights are sent.
2494 All access control checks made for a particular message must be successful
2495 for the message to be sent.
2496
2497 The task label and the port are locked. Sleeping is permitted.
2498
2499 @return Return 0 if access is granted, non-zero otherwise.
2500*/
2501typedef int mpo_port_check_move_receive_t(
2502 struct label *task,
2503 struct label *port
2504);
2505/**
2506 @brief Access control check for transferring a send once right
2507 @param task Label of the sender task
2508 @param port Label of the affected port
2509
2510 Access control check for transferring a send once right from one task to
2511 the task listening to the specified port. A complementary entry point,
2512 mpo_port_check_hold_send_once, handles the receiving task.
2513 port_check_move_send_once is called as part of a group of policy invocations
2514 when messages with port rights are sent. All access control checks made
2515 for a particular message must be successful for the message to be sent.
2516
2517 The task label and the port are locked. Sleeping is permitted.
2518
2519 @return Return 0 if access is granted, non-zero otherwise.
2520*/
2521typedef int mpo_port_check_move_send_once_t(
2522 struct label *task,
2523 struct label *port
2524);
2525/**
2526 @brief Access control check for transferring a send right
2527 @param task Label of the sender task
2528 @param port Label of the affected port
2529
2530 Access control check for transferring a send right from one task to the
2531 task listening to the specified port. A complementary entry point,
2532 mpo_port_check_hold_send, handles the receiving task.
2533 port_check_move_send is called as part of a group of policy invocations
2534 when messages with port rights are sent. All access control checks made
2535 for a particular message must be successful for the message to be sent.
2536
2537 The task label and the port are locked. Sleeping is permitted.
2538
2539 @return Return 0 if access is granted, non-zero otherwise.
2540*/
2541typedef int mpo_port_check_move_send_t(
2542 struct label *task,
2543 struct label *port
2544);
2545/**
2546 @brief Access control check for receiving Mach messsages
2547 @param task Label of the receiving task
2548 @param sender Label of the sending task
2549
2550 Access control check for receiving messages. The two labels are locked.
2551
2552 @warning This entry point can be invoked from many places inside the
2553 kernel, with arbitrary other locks held. The implementation of this
2554 entry point must not cause page faults, as those are handled by mach
2555 messages.
2556
2557 @return Return 0 if access is granted, non-zero otherwise.
2558*/
2559typedef int mpo_port_check_receive_t(
2560 struct label *task,
2561 struct label *sender
2562);
2563/**
2564 @brief Access control check for sending Mach messsages
2565 @param task Label of the sender task
2566 @param port Label of the destination port
2567
2568 Access control check for sending messages. The task label and the
2569 port are locked.
2570
2571 @warning This entry point can be invoked from many places inside the
2572 kernel, with arbitrary other locks held. The implementation of this
2573 entry point must not cause page faults, as those are handled by mach
2574 messages.
2575
2576 @return Return 0 if access is granted, non-zero otherwise.
2577*/
2578typedef int mpo_port_check_send_t(
2579 struct label *task,
2580 struct label *port
2581);
2582/**
2583 @brief Generic access control check
2584 @param subj Caller-provided subject label
2585 @param obj Caller-provided object label
2586 @param serv Service or object class name
2587 @param perm Permission, or method, within the specified service
2588
2589 This function provides a general way for a user process to query
2590 an arbitrary access control decision from the system's security policies.
2591 Currently, there are no standards for the format of the service and
2592 permission names. Labels may be either cred or port labels; the policy
2593 must accept either. The userspace interfaces to this entry point allow
2594 label strings or label handles (ports) to be provided.
2595
2596 @return Return 0 if access is granted, non-zero otherwise.
2597*/
2598typedef int mpo_port_check_service_t(
2599 struct label *subj,
2600 struct label *obj,
2601 const char *serv,
2602 const char *perm
2603);
2604/**
2605 @brief Assign a label to a new Mach port created by the kernel
2606 @param portlabel Label for the new port
2607 @param isreply True if the port is for a reply message from the kernel
2608
2609 Assign a label to a new port created by the kernel. If the port is being
2610 used to reply to a message, isreply is 1 (0 otherwise). The port is locked.
2611*/
2612typedef void mpo_port_label_associate_kernel_t(
2613 struct label *portlabel,
2614 int isreply
2615);
2616/**
2617 @brief Assign a label to a new Mach port
2618 @param it Task label of issuer
2619 @param st Task label of target
2620 @param portlabel Label for the new port
2621
2622 Assign a label to a new port. The policy can base this label on
2623 the label of the calling task, as well as the label of the target task.
2624 The target task is the one which recieves the first right for this port.
2625 Both task labels and the port are locked.
2626*/
2627typedef void mpo_port_label_associate_t(
2628 struct label *it,
2629 struct label *st,
2630 struct label *portlabel
2631);
2632/**
2633 @brief Request label for new (userspace) object
2634 @param subj Subject label
2635 @param obj Parent or existing object label
2636 @param serv Name of service
2637 @param out Computed label
2638
2639 Ask the loaded policies to compute a label based on the two input labels
2640 and the service name. There is currently no standard for the service name,
2641 or even what the input labels represent (Subject and parent object are only
2642 a suggestion). If successful, the computed label is stored in out. All labels
2643 must be port (or task) labels. The userspace interfaces to this entry point
2644 allow label handles (ports) to be provided.
2645
2646 @return 0 on success, or an errno value for failure.
2647*/
2648typedef int mpo_port_label_compute_t(
2649 struct label *subj,
2650 struct label *obj,
2651 const char *serv,
2652 struct label *out
2653);
2654/**
2655 @brief Copy a Mach port label
2656 @param src Source port label
2657 @param dest Destination port label
2658
2659 Copy the Mach port label information from src to dest. This is used
2660 to copy user-suplied labels into an existing port.
2661*/
2662typedef void mpo_port_label_copy_t(
2663 struct label *src,
2664 struct label *dest
2665);
2666/**
2667 @brief Destroy Mach port label
2668 @param label The label to be destroyed
2669
2670 Destroy a Mach port label. Since the object is going out of
2671 scope, policy modules should free any internal storage associated
2672 with the label so that it may be destroyed.
2673*/
2674typedef void mpo_port_label_destroy_t(
2675 struct label *label
2676);
2677/**
2678 @brief Initialize Mach port label
2679 @param label New label to initialize
2680
2681 Initialize the label for a newly instantiated Mach port. Sleeping
2682 is permitted.
2683*/
2684typedef void mpo_port_label_init_t(
2685 struct label *label
2686);
2687/**
2688 @brief Update a Mach task port label
2689 @param cred User credential label to be used as the source
2690 @param task Mach port label to be used as the destination
2691 @see mpo_cred_label_update_t
2692 @see mpo_cred_label_update_execve_t
2693
2694 Update the label on a Mach task port, using the supplied user
2695 credential label. When a mac_cred_label_update_execve or a mac_cred_label_update
2696 operation causes the label on a user credential to change, the Mach
2697 task port label also needs to be updated to reflect the change.
2698 Both labels are already valid (initialized and created).
2699*/
2700typedef void mpo_port_label_update_cred_t(
2701 struct label *cred,
2702 struct label *task
2703);
2704/**
2705 @brief Assign a label to a Mach port connected to a kernel object
2706 @param portlabel Label for the port
2707 @param kotype Type of kernel object
2708
2709 Label a kernel port based on the type of object behind it. The
2710 kotype parameter is one of the IKOT constants in
2711 <kern/ipc_kobject.h>. The port already has a valid label from either
2712 mpo_port_label_associate_kernel, or because it is a task port and has a label
2713 derived from the process and task labels. The port is locked.
2714*/
2715typedef void mpo_port_label_update_kobject_t(
2716 struct label *portlabel,
2717 int kotype
2718);
2719/**
2720 @brief Access control check for POSIX semaphore create
2721 @param cred Subject credential
2722 @param name String name of the semaphore
2723
2724 Determine whether the subject identified by the credential can create
2725 a POSIX semaphore specified by name.
2726
2727 @return Return 0 if access is granted, otherwise an appropriate value for
2728 errno should be returned.
2729*/
2730typedef int mpo_posixsem_check_create_t(
2731 kauth_cred_t cred,
2732 const char *name
2733);
2734/**
2735 @brief Access control check for POSIX semaphore open
2736 @param cred Subject credential
2737 @param ps Pointer to semaphore information structure
2738 @param semlabel Label associated with the semaphore
2739
2740 Determine whether the subject identified by the credential can open
2741 the named POSIX semaphore with label semlabel.
2742
2743 @return Return 0 if access is granted, otherwise an appropriate value for
2744 errno should be returned.
2745*/
2746typedef int mpo_posixsem_check_open_t(
2747 kauth_cred_t cred,
2748 struct pseminfo *ps,
2749 struct label *semlabel
2750);
2751/**
2752 @brief Access control check for POSIX semaphore post
2753 @param cred Subject credential
2754 @param ps Pointer to semaphore information structure
2755 @param semlabel Label associated with the semaphore
2756
2757 Determine whether the subject identified by the credential can unlock
2758 the named POSIX semaphore with label semlabel.
2759
2760 @return Return 0 if access is granted, otherwise an appropriate value for
2761 errno should be returned.
2762*/
2763typedef int mpo_posixsem_check_post_t(
2764 kauth_cred_t cred,
2765 struct pseminfo *ps,
2766 struct label *semlabel
2767);
2768/**
2769 @brief Access control check for POSIX semaphore unlink
2770 @param cred Subject credential
2771 @param ps Pointer to semaphore information structure
2772 @param semlabel Label associated with the semaphore
2773 @param name String name of the semaphore
2774
2775 Determine whether the subject identified by the credential can remove
2776 the named POSIX semaphore with label semlabel.
2777
2778 @return Return 0 if access is granted, otherwise an appropriate value for
2779 errno should be returned.
2780*/
2781typedef int mpo_posixsem_check_unlink_t(
2782 kauth_cred_t cred,
2783 struct pseminfo *ps,
2784 struct label *semlabel,
2785 const char *name
2786);
2787/**
2788 @brief Access control check for POSIX semaphore wait
2789 @param cred Subject credential
2790 @param ps Pointer to semaphore information structure
2791 @param semlabel Label associated with the semaphore
2792
2793 Determine whether the subject identified by the credential can lock
2794 the named POSIX semaphore with label semlabel.
2795
2796 @return Return 0 if access is granted, otherwise an appropriate value for
2797 errno should be returned.
2798*/
2799typedef int mpo_posixsem_check_wait_t(
2800 kauth_cred_t cred,
2801 struct pseminfo *ps,
2802 struct label *semlabel
2803);
2804/**
2805 @brief Create a POSIX semaphore label
2806 @param cred Subject credential
2807 @param ps Pointer to semaphore information structure
2808 @param semlabel Label to associate with the new semaphore
2809 @param name String name of the semaphore
2810
2811 Label a new POSIX semaphore. The label was previously
2812 initialized and associated with the semaphore. At this time, an
2813 appropriate initial label value should be assigned to the object and
2814 stored in semalabel.
2815*/
2816typedef void mpo_posixsem_label_associate_t(
2817 kauth_cred_t cred,
2818 struct pseminfo *ps,
2819 struct label *semlabel,
2820 const char *name
2821);
2822/**
2823 @brief Destroy POSIX semaphore label
2824 @param label The label to be destroyed
2825
2826 Destroy a POSIX semaphore label. Since the object is
2827 going out of scope, policy modules should free any internal storage
2828 associated with the label so that it may be destroyed.
2829*/
2830typedef void mpo_posixsem_label_destroy_t(
2831 struct label *label
2832);
2833/**
2834 @brief Initialize POSIX semaphore label
2835 @param label New label to initialize
2836
2837 Initialize the label for a newly instantiated POSIX semaphore. Sleeping
2838 is permitted.
2839*/
2840typedef void mpo_posixsem_label_init_t(
2841 struct label *label
2842);
2843/**
2844 @brief Access control check for POSIX shared memory region create
2845 @param cred Subject credential
2846 @param name String name of the shared memory region
2847
2848 Determine whether the subject identified by the credential can create
2849 the POSIX shared memory region referenced by name.
2850
2851 @return Return 0 if access is granted, otherwise an appropriate value for
2852 errno should be returned.
2853*/
2854typedef int mpo_posixshm_check_create_t(
2855 kauth_cred_t cred,
2856 const char *name
2857);
2858/**
2859 @brief Access control check for mapping POSIX shared memory
2860 @param cred Subject credential
2861 @param ps Pointer to shared memory information structure
2862 @param shmlabel Label associated with the shared memory region
2863 @param prot mmap protections; see mmap(2)
2864 @param flags shmat flags; see shmat(2)
2865
2866 Determine whether the subject identified by the credential can map
2867 the POSIX shared memory segment associated with shmlabel.
2868
2869 @return Return 0 if access is granted, otherwise an appropriate value for
2870 errno should be returned.
2871*/
2872typedef int mpo_posixshm_check_mmap_t(
2873 kauth_cred_t cred,
2874 struct pshminfo *ps,
2875 struct label *shmlabel,
2876 int prot,
2877 int flags
2878);
2879/**
2880 @brief Access control check for POSIX shared memory region open
2881 @param cred Subject credential
2882 @param ps Pointer to shared memory information structure
2883 @param shmlabel Label associated with the shared memory region
2884 @param fflags shm_open(2) open flags ('fflags' encoded)
2885
2886 Determine whether the subject identified by the credential can open
2887 the POSIX shared memory region.
2888
2889 @return Return 0 if access is granted, otherwise an appropriate value for
2890 errno should be returned.
2891*/
2892typedef int mpo_posixshm_check_open_t(
2893 kauth_cred_t cred,
2894 struct pshminfo *ps,
2895 struct label *shmlabel,
2896 int fflags
2897);
2898/**
2899 @brief Access control check for POSIX shared memory stat
2900 @param cred Subject credential
2901 @param ps Pointer to shared memory information structure
2902 @param shmlabel Label associated with the shared memory region
2903
2904 Determine whether the subject identified by the credential can obtain
2905 status for the POSIX shared memory segment associated with shmlabel.
2906
2907 @return Return 0 if access is granted, otherwise an appropriate value for
2908 errno should be returned.
2909*/
2910typedef int mpo_posixshm_check_stat_t(
2911 kauth_cred_t cred,
2912 struct pshminfo *ps,
2913 struct label *shmlabel
2914);
2915/**
2916 @brief Access control check for POSIX shared memory truncate
2917 @param cred Subject credential
2918 @param ps Pointer to shared memory information structure
2919 @param shmlabel Label associated with the shared memory region
2920 @param len Length to truncate or extend shared memory segment
2921
2922 Determine whether the subject identified by the credential can truncate
2923 or extend (to len) the POSIX shared memory segment associated with shmlabel.
2924
2925 @return Return 0 if access is granted, otherwise an appropriate value for
2926 errno should be returned.
2927*/
2928typedef int mpo_posixshm_check_truncate_t(
2929 kauth_cred_t cred,
2930 struct pshminfo *ps,
2931 struct label *shmlabel,
2932 off_t len
2933);
2934/**
2935 @brief Access control check for POSIX shared memory unlink
2936 @param cred Subject credential
2937 @param ps Pointer to shared memory information structure
2938 @param shmlabel Label associated with the shared memory region
2939 @param name String name of the shared memory region
2940
2941 Determine whether the subject identified by the credential can delete
2942 the POSIX shared memory segment associated with shmlabel.
2943
2944 @return Return 0 if access is granted, otherwise an appropriate value for
2945 errno should be returned.
2946*/
2947typedef int mpo_posixshm_check_unlink_t(
2948 kauth_cred_t cred,
2949 struct pshminfo *ps,
2950 struct label *shmlabel,
2951 const char *name
2952);
2953/**
2954 @brief Create a POSIX shared memory region label
2955 @param cred Subject credential
2956 @param ps Pointer to shared memory information structure
2957 @param shmlabel Label to associate with the new shared memory region
2958 @param name String name of the shared memory region
2959
2960 Label a new POSIX shared memory region. The label was previously
2961 initialized and associated with the shared memory region. At this
2962 time, an appropriate initial label value should be assigned to the
2963 object and stored in shmlabel.
2964*/
2965typedef void mpo_posixshm_label_associate_t(
2966 kauth_cred_t cred,
2967 struct pshminfo *ps,
2968 struct label *shmlabel,
2969 const char *name
2970);
2971/**
2972 @brief Destroy POSIX shared memory label
2973 @param label The label to be destroyed
2974
2975 Destroy a POSIX shared memory region label. Since the
2976 object is going out of scope, policy modules should free any
2977 internal storage associated with the label so that it may be
2978 destroyed.
2979*/
2980typedef void mpo_posixshm_label_destroy_t(
2981 struct label *label
2982);
2983/**
2984 @brief Initialize POSIX Shared Memory region label
2985 @param label New label to initialize
2986
2987 Initialize the label for newly a instantiated POSIX Shared Memory
2988 region. Sleeping is permitted.
2989*/
2990typedef void mpo_posixshm_label_init_t(
2991 struct label *label
2992);
2993/**
2994 @brief Access control check for privileged operations
2995 @param cred Subject credential
2996 @param priv Requested privilege (see sys/priv.h)
2997
2998 Determine whether the subject identified by the credential can perform
2999 a privileged operation. Privileged operations are allowed if the cred
3000 is the superuser or any policy returns zero for mpo_priv_grant, unless
3001 any policy returns nonzero for mpo_priv_check.
3002
3003 @return Return 0 if access is granted, otherwise EPERM should be returned.
3004*/
3005typedef int mpo_priv_check_t(
3006 kauth_cred_t cred,
3007 int priv
3008);
3009/**
3010 @brief Grant regular users the ability to perform privileged operations
3011 @param cred Subject credential
3012 @param priv Requested privilege (see sys/priv.h)
3013
3014 Determine whether the subject identified by the credential should be
3015 allowed to perform a privileged operation that in the absense of any
3016 MAC policy it would not be able to perform. Privileged operations are
3017 allowed if the cred is the superuser or any policy returns zero for
3018 mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check.
3019
3020 Unlike other MAC hooks which can only reduce the privilege of a
3021 credential, this hook raises the privilege of a credential when it
3022 returns 0. Extreme care must be taken when implementing this hook to
3023 avoid undermining the security of the system.
3024
3025 @return Return 0 if additional privilege is granted, otherwise EPERM
3026 should be returned.
3027*/
3028typedef int mpo_priv_grant_t(
3029 kauth_cred_t cred,
3030 int priv
3031);
3032/**
3033 @brief Access control check for debugging process
3034 @param cred Subject credential
3035 @param proc Object process
3036
3037 Determine whether the subject identified by the credential can debug
3038 the passed process. This call may be made in a number of situations,
3039 including use of the ptrace(2) and ktrace(2) APIs, as well as for some
3040 types of procfs operations.
3041
3042 @return Return 0 if access is granted, otherwise an appropriate value for
3043 errno should be returned. Suggested failure: EACCES for label mismatch,
3044 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
3045*/
3046typedef int mpo_proc_check_debug_t(
3047 kauth_cred_t cred,
3048 struct proc *proc
3049);
3050/**
3051 @brief Access control over fork
3052 @param cred Subject credential
3053 @param proc Subject process trying to fork
3054
3055 Determine whether the subject identified is allowed to fork.
3056
3057 @return Return 0 if access is granted, otherwise an appropriate value for
3058 errno should be returned.
3059*/
3060typedef int mpo_proc_check_fork_t(
3061 kauth_cred_t cred,
3062 struct proc *proc
3063);
3064/**
3065 @brief Access control over pid_suspend and pid_resume
3066 @param cred Subject credential
3067 @param proc Subject process trying to run pid_suspend or pid_resume
3068 @param sr Call is suspend (0) or resume (1)
3069
3070 Determine whether the subject identified is allowed to suspend or resume
3071 other processes.
3072
3073 @return Return 0 if access is granted, otherwise an appropriate value for
3074 errno should be returned.
3075*/
3076typedef int mpo_proc_check_suspend_resume_t(
3077 kauth_cred_t cred,
3078 struct proc *proc,
3079 int sr
3080);
3081/**
3082 @brief Access control check for retrieving audit information
3083 @param cred Subject credential
3084
3085 Determine whether the subject identified by the credential can get
3086 audit information such as the audit user ID, the preselection mask,
3087 the terminal ID and the audit session ID, using the getaudit() system call.
3088
3089 @return Return 0 if access is granted, otherwise an appropriate value for
3090 errno should be returned.
3091*/
3092typedef int mpo_proc_check_getaudit_t(
3093 kauth_cred_t cred
3094);
3095/**
3096 @brief Access control check for retrieving audit user ID
3097 @param cred Subject credential
3098
3099 Determine whether the subject identified by the credential can get
3100 the user identity being used by the auditing system, using the getauid()
3101 system call.
3102
3103 @return Return 0 if access is granted, otherwise an appropriate value for
3104 errno should be returned.
3105*/
3106typedef int mpo_proc_check_getauid_t(
3107 kauth_cred_t cred
3108);
3109/**
3110 @brief Access control check for retrieving Login Context ID
3111 @param p0 Calling process
3112 @param p Effected process
3113 @param pid syscall PID argument
3114
3115 Determine if getlcid(2) system call is permitted.
3116
3117 Information returned by this system call is similar to that returned via
3118 process listings etc.
3119
3120 @return Return 0 if access is granted, otherwise an appropriate value for
3121 errno should be returned.
3122*/
3123typedef int mpo_proc_check_getlcid_t(
3124 struct proc *p0,
3125 struct proc *p,
3126 pid_t pid
3127);
3128/**
3129 @brief Access control check for retrieving ledger information
3130 @param cred Subject credential
3131 @param target Object process
3132 @param op ledger operation
3133
3134 Determine if ledger(2) system call is permitted.
3135
3136 Information returned by this system call is similar to that returned via
3137 process listings etc.
3138
3139 @return Return 0 if access is granted, otherwise an appropriate value for
3140 errno should be returned.
3141*/
3142typedef int mpo_proc_check_ledger_t(
3143 kauth_cred_t cred,
3144 struct proc *target,
3145 int op
3146);
3147/**
3148 @brief Access control check for mmap MAP_ANON
3149 @param proc User process requesting the memory
3150 @param cred Subject credential
3151 @param u_addr Start address of the memory range
3152 @param u_size Length address of the memory range
3153 @param prot mmap protections; see mmap(2)
3154 @param flags Type of mapped object; see mmap(2)
3155 @param maxprot Maximum rights
3156
3157 Determine whether the subject identified by the credential should be
3158 allowed to obtain anonymous memory using the specified flags and
3159 protections on the new mapping. MAP_ANON will always be present in the
3160 flags. Certain combinations of flags with a non-NULL addr may
3161 cause a mapping to be rejected before this hook is called. The maxprot field
3162 holds the maximum permissions on the new mapping, a combination of
3163 VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior
3164 access control checks, a policy should only remove flags from maxprot.
3165
3166 @return Return 0 if access is granted, otherwise an appropriate value for
3167 errno should be returned. Suggested failure: EPERM for lack of privilege.
3168*/
3169typedef int mpo_proc_check_map_anon_t(
3170 struct proc *proc,
3171 kauth_cred_t cred,
3172 user_addr_t u_addr,
3173 user_size_t u_size,
3174 int prot,
3175 int flags,
3176 int *maxprot
3177);
3178/**
3179 @brief Access control check for setting memory protections
3180 @param cred Subject credential
3181 @param proc User process requesting the change
3182 @param addr Start address of the memory range
3183 @param size Length address of the memory range
3184 @param prot Memory protections, see mmap(2)
3185
3186 Determine whether the subject identified by the credential should
3187 be allowed to set the specified memory protections on memory mapped
3188 in the process proc.
3189
3190 @return Return 0 if access is granted, otherwise an appropriate value for
3191 errno should be returned.
3192*/
3193typedef int mpo_proc_check_mprotect_t(
3194 kauth_cred_t cred,
3195 struct proc *proc,
3196 user_addr_t addr,
3197 user_size_t size,
3198 int prot
3199);
3200/**
3201 @brief Access control check for changing scheduling parameters
3202 @param cred Subject credential
3203 @param proc Object process
3204
3205 Determine whether the subject identified by the credential can change
3206 the scheduling parameters of the passed process.
3207
3208 @return Return 0 if access is granted, otherwise an appropriate value for
3209 errno should be returned. Suggested failure: EACCES for label mismatch,
3210 EPERM for lack of privilege, or ESRCH to limit visibility.
3211*/
3212typedef int mpo_proc_check_sched_t(
3213 kauth_cred_t cred,
3214 struct proc *proc
3215);
3216/**
3217 @brief Access control check for setting audit information
3218 @param cred Subject credential
3219 @param ai Audit information
3220
3221 Determine whether the subject identified by the credential can set
3222 audit information such as the the preselection mask, the terminal ID
3223 and the audit session ID, using the setaudit() system call.
3224
3225 @return Return 0 if access is granted, otherwise an appropriate value for
3226 errno should be returned.
3227*/
3228typedef int mpo_proc_check_setaudit_t(
3229 kauth_cred_t cred,
3230 struct auditinfo_addr *ai
3231);
3232/**
3233 @brief Access control check for setting audit user ID
3234 @param cred Subject credential
3235 @param auid Audit user ID
3236
3237 Determine whether the subject identified by the credential can set
3238 the user identity used by the auditing system, using the setauid()
3239 system call.
3240
3241 @return Return 0 if access is granted, otherwise an appropriate value for
3242 errno should be returned.
3243*/
3244typedef int mpo_proc_check_setauid_t(
3245 kauth_cred_t cred,
3246 uid_t auid
3247);
3248/**
3249 @brief Access control check for setting the Login Context
3250 @param p0 Calling process
3251 @param p Effected process
3252 @param pid syscall PID argument
3253 @param lcid syscall LCID argument
3254
3255 Determine if setlcid(2) system call is permitted.
3256
3257 See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of
3258 decoding syscall arguments to determine action desired by caller.
3259
3260 Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN
3261
3262 @return Return 0 if access is granted, otherwise an appropriate value for
3263 errno should be returned.
3264*/
3265typedef int mpo_proc_check_setlcid_t(
3266 struct proc *p0,
3267 struct proc *p,
3268 pid_t pid,
3269 pid_t lcid
3270);
3271/**
3272 @brief Access control check for delivering signal
3273 @param cred Subject credential
3274 @param proc Object process
3275 @param signum Signal number; see kill(2)
3276
3277 Determine whether the subject identified by the credential can deliver
3278 the passed signal to the passed process.
3279
3280 @warning Programs typically expect to be able to send and receive
3281 signals as part or their normal process lifecycle; caution should be
3282 exercised when implementing access controls over signal events.
3283
3284 @return Return 0 if access is granted, otherwise an appropriate value for
3285 errno should be returned. Suggested failure: EACCES for label mismatch,
3286 EPERM for lack of privilege, or ESRCH to limit visibility.
3287*/
3288typedef int mpo_proc_check_signal_t(
3289 kauth_cred_t cred,
3290 struct proc *proc,
3291 int signum
3292);
3293/**
3294 @brief Access control check for wait
3295 @param cred Subject credential
3296 @param proc Object process
3297
3298 Determine whether the subject identified by the credential can wait
3299 for process termination.
3300
3301 @warning Caution should be exercised when implementing access
3302 controls for wait, since programs often wait for child processes to
3303 exit. Failure to be notified of a child process terminating may
3304 cause the parent process to hang, or may produce zombie processes.
3305
3306 @return Return 0 if access is granted, otherwise an appropriate value for
3307 errno should be returned.
3308*/
3309typedef int mpo_proc_check_wait_t(
3310 kauth_cred_t cred,
3311 struct proc *proc
3312);
3313/**
3314 @brief Destroy process label
3315 @param label The label to be destroyed
3316
3317 Destroy a process label. Since the object is going
3318 out of scope, policy modules should free any internal storage
3319 associated with the label so that it may be destroyed.
3320*/
3321typedef void mpo_proc_label_destroy_t(
3322 struct label *label
3323);
3324/**
3325 @brief Initialize process label
3326 @param label New label to initialize
3327 @see mpo_cred_label_init_t
3328
3329 Initialize the label for a newly instantiated BSD process structure.
3330 Normally, security policies will store the process label in the user
3331 credential rather than here in the process structure. However,
3332 there are some floating label policies that may need to temporarily
3333 store a label in the process structure until it is safe to update
3334 the user credential label. Sleeping is permitted.
3335*/
3336typedef void mpo_proc_label_init_t(
3337 struct label *label
3338);
3339/**
3340 @brief Access control check for socket accept
3341 @param cred Subject credential
3342 @param socket Object socket
3343 @param socklabel Policy label for socket
3344
3345 Determine whether the subject identified by the credential can accept()
3346 a new connection on the socket from the host specified by addr.
3347
3348 @return Return 0 if access if granted, otherwise an appropriate
3349 value for errno should be returned.
3350*/
3351typedef int mpo_socket_check_accept_t(
3352 kauth_cred_t cred,
3353 socket_t so,
3354 struct label *socklabel
3355);
3356/**
3357 @brief Access control check for a pending socket accept
3358 @param cred Subject credential
3359 @param so Object socket
3360 @param socklabel Policy label for socket
3361 @param addr Address of the listening socket (coming soon)
3362
3363 Determine whether the subject identified by the credential can accept()
3364 a pending connection on the socket from the host specified by addr.
3365
3366 @return Return 0 if access if granted, otherwise an appropriate
3367 value for errno should be returned.
3368*/
3369typedef int mpo_socket_check_accepted_t(
3370 kauth_cred_t cred,
3371 socket_t so,
3372 struct label *socklabel,
3373 struct sockaddr *addr
3374);
3375/**
3376 @brief Access control check for socket bind
3377 @param cred Subject credential
3378 @param so Object socket
3379 @param socklabel Policy label for socket
3380 @param addr Name to assign to the socket
3381
3382 Determine whether the subject identified by the credential can bind()
3383 the name (addr) to the socket.
3384
3385 @return Return 0 if access if granted, otherwise an appropriate
3386 value for errno should be returned.
3387*/
3388typedef int mpo_socket_check_bind_t(
3389 kauth_cred_t cred,
3390 socket_t so,
3391 struct label *socklabel,
3392 struct sockaddr *addr
3393);
3394/**
3395 @brief Access control check for socket connect
3396 @param cred Subject credential
3397 @param so Object socket
3398 @param socklabel Policy label for socket
3399 @param addr Name to assign to the socket
3400
3401 Determine whether the subject identified by the credential can
3402 connect() the passed socket to the remote host specified by addr.
3403
3404 @return Return 0 if access if granted, otherwise an appropriate
3405 value for errno should be returned.
3406*/
3407typedef int mpo_socket_check_connect_t(
3408 kauth_cred_t cred,
3409 socket_t so,
3410 struct label *socklabel,
3411 struct sockaddr *addr
3412);
3413/**
3414 @brief Access control check for socket() system call.
3415 @param cred Subject credential
3416 @param domain communication domain
3417 @param type socket type
3418 @param protocol socket protocol
3419
3420 Determine whether the subject identified by the credential can
3421 make the socket() call.
3422
3423 @return Return 0 if access if granted, otherwise an appropriate
3424 value for errno should be returned.
3425*/
3426typedef int mpo_socket_check_create_t(
3427 kauth_cred_t cred,
3428 int domain,
3429 int type,
3430 int protocol
3431);
3432/**
3433 @brief Access control check for delivering data to a user's receieve queue
3434 @param so The socket data is being delivered to
3435 @param so_label The label of so
3436 @param m The mbuf whose data will be deposited into the receive queue
3437 @param m_label The label of the sender of the data.
3438
3439 A socket has a queue for receiving incoming data. When a packet arrives
3440 on the wire, it eventually gets deposited into this queue, which the
3441 owner of the socket drains when they read from the socket's file descriptor.
3442
3443 This function determines whether the socket can receive data from
3444 the sender specified by m_label.
3445
3446 @warning There is an outstanding design issue surrounding the placement
3447 of this function. The check must be placed either before or after the
3448 TCP sequence and ACK counters are updated. Placing the check before
3449 the counters are updated causes the incoming packet to be resent by
3450 the remote if the check rejects it. Placing the check after the counters
3451 are updated results in a completely silent drop. As far as each TCP stack
3452 is concerned the packet was received, however, the data will not be in the
3453 socket's receive queue. Another consideration is that the current design
3454 requires using the "failed label" occasionally. In that case, on rejection,
3455 we want the remote TCP to resend the data. Because of this, we chose to
3456 place this check before the counters are updated, so rejected packets will be
3457 resent by the remote host.
3458
3459 If a policy keeps rejecting the same packet, eventually the connection will
3460 be dropped. Policies have several options if this design causes problems.
3461 For example, one options is to sanitize the mbuf such that it is acceptable,
3462 then accept it. That may require negotiation between policies as the
3463 Framework will not know to re-check the packet.
3464
3465 The policy must handle NULL MBUF labels. This will likely be the case
3466 for non-local TCP sockets for example.
3467
3468 @return Return 0 if access if granted, otherwise an appropriate
3469 value for errno should be returned.
3470*/
3471typedef int mpo_socket_check_deliver_t(
3472 socket_t so,
3473 struct label *so_label,
3474 struct mbuf *m,
3475 struct label *m_label
3476);
3477/**
3478 @brief Access control check for socket kqfilter
3479 @param cred Subject credential
3480 @param kn Object knote
3481 @param so Object socket
3482 @param socklabel Policy label for socket
3483
3484 Determine whether the subject identified by the credential can
3485 receive the knote on the passed socket.
3486
3487 @return Return 0 if access if granted, otherwise an appropriate
3488 value for errno should be returned.
3489*/
3490typedef int mpo_socket_check_kqfilter_t(
3491 kauth_cred_t cred,
3492 struct knote *kn,
3493 socket_t so,
3494 struct label *socklabel
3495);
3496/**
3497 @brief Access control check for socket relabel
3498 @param cred Subject credential
3499 @param so Object socket
3500 @param so_label The current label of so
3501 @param newlabel The label to be assigned to so
3502
3503 Determine whether the subject identified by the credential can
3504 change the label on the socket.
3505
3506 @return Return 0 if access if granted, otherwise an appropriate
3507 value for errno should be returned.
3508*/
3509typedef int mpo_socket_check_label_update_t(
3510 kauth_cred_t cred,
3511 socket_t so,
3512 struct label *so_label,
3513 struct label *newlabel
3514);
3515/**
3516 @brief Access control check for socket listen
3517 @param cred Subject credential
3518 @param so Object socket
3519 @param socklabel Policy label for socket
3520
3521 Determine whether the subject identified by the credential can
3522 listen() on the passed socket.
3523
3524 @return Return 0 if access if granted, otherwise an appropriate
3525 value for errno should be returned.
3526*/
3527typedef int mpo_socket_check_listen_t(
3528 kauth_cred_t cred,
3529 socket_t so,
3530 struct label *socklabel
3531);
3532/**
3533 @brief Access control check for socket receive
3534 @param cred Subject credential
3535 @param so Object socket
3536 @param socklabel Policy label for socket
3537
3538 Determine whether the subject identified by the credential can
3539 receive data from the socket.
3540
3541 @return Return 0 if access if granted, otherwise an appropriate
3542 value for errno should be returned.
3543*/
3544typedef int mpo_socket_check_receive_t(
3545 kauth_cred_t cred,
3546 socket_t so,
3547 struct label *socklabel
3548);
3549
3550/**
3551 @brief Access control check for socket receive
3552 @param cred Subject credential
3553 @param socket Object socket
3554 @param socklabel Policy label for socket
3555 @param addr Name of the remote socket
3556
3557 Determine whether the subject identified by the credential can
3558 receive data from the remote host specified by addr.
3559
3560 @return Return 0 if access if granted, otherwise an appropriate
3561 value for errno should be returned.
3562*/
3563typedef int mpo_socket_check_received_t(
3564 kauth_cred_t cred,
3565 struct socket *sock,
3566 struct label *socklabel,
3567 struct sockaddr *saddr
3568 );
3569
3570
3571/**
3572 @brief Access control check for socket select
3573 @param cred Subject credential
3574 @param so Object socket
3575 @param socklabel Policy label for socket
3576 @param which The operation selected on: FREAD or FWRITE
3577
3578 Determine whether the subject identified by the credential can use the
3579 socket in a call to select().
3580
3581 @return Return 0 if access if granted, otherwise an appropriate
3582 value for errno should be returned.
3583*/
3584typedef int mpo_socket_check_select_t(
3585 kauth_cred_t cred,
3586 socket_t so,
3587 struct label *socklabel,
3588 int which
3589);
3590/**
3591 @brief Access control check for socket send
3592 @param cred Subject credential
3593 @param so Object socket
3594 @param socklabel Policy label for socket
3595 @param addr Address being sent to
3596
3597 Determine whether the subject identified by the credential can send
3598 data to the socket.
3599
3600 @return Return 0 if access if granted, otherwise an appropriate
3601 value for errno should be returned.
3602*/
3603typedef int mpo_socket_check_send_t(
3604 kauth_cred_t cred,
3605 socket_t so,
3606 struct label *socklabel,
3607 struct sockaddr *addr
3608);
3609/**
3610 @brief Access control check for retrieving socket status
3611 @param cred Subject credential
3612 @param so Object socket
3613 @param socklabel Policy label for so
3614
3615 Determine whether the subject identified by the credential can
3616 execute the stat() system call on the given socket.
3617
3618 @return Return 0 if access if granted, otherwise an appropriate
3619 value for errno should be returned.
3620*/
3621typedef int mpo_socket_check_stat_t(
3622 kauth_cred_t cred,
3623 socket_t so,
3624 struct label *socklabel
3625);
3626/**
3627 @brief Access control check for setting socket options
3628 @param cred Subject credential
3629 @param so Object socket
3630 @param socklabel Policy label for so
3631 @param sopt The options being set
3632
3633 Determine whether the subject identified by the credential can
3634 execute the setsockopt system call on the given socket.
3635
3636 @return Return 0 if access if granted, otherwise an appropriate
3637 value for errno should be returned.
3638*/
3639typedef int mpo_socket_check_setsockopt_t(
3640 kauth_cred_t cred,
3641 socket_t so,
3642 struct label *socklabel,
3643 struct sockopt *sopt
3644);
3645/**
3646 @brief Access control check for getting socket options
3647 @param cred Subject credential
3648 @param so Object socket
3649 @param socklabel Policy label for so
3650 @param sopt The options to get
3651
3652 Determine whether the subject identified by the credential can
3653 execute the getsockopt system call on the given socket.
3654
3655 @return Return 0 if access if granted, otherwise an appropriate
3656 value for errno should be returned.
3657*/
3658typedef int mpo_socket_check_getsockopt_t(
3659 kauth_cred_t cred,
3660 socket_t so,
3661 struct label *socklabel,
3662 struct sockopt *sopt
3663);
3664/**
3665 @brief Label a socket
3666 @param oldsock Listening socket
3667 @param oldlabel Policy label associated with oldsock
3668 @param newsock New socket
3669 @param newlabel Policy label associated with newsock
3670
3671 A new socket is created when a connection is accept(2)ed. This
3672 function labels the new socket based on the existing listen(2)ing
3673 socket.
3674*/
3675typedef void mpo_socket_label_associate_accept_t(
3676 socket_t oldsock,
3677 struct label *oldlabel,
3678 socket_t newsock,
3679 struct label *newlabel
3680);
3681/**
3682 @brief Assign a label to a new socket
3683 @param cred Credential of the owning process
3684 @param so The socket being labeled
3685 @param solabel The label
3686 @warning cred can be NULL
3687
3688 Set the label on a newly created socket from the passed subject
3689 credential. This call is made when a socket is created. The
3690 credentials may be null if the socket is being created by the
3691 kernel.
3692*/
3693typedef void mpo_socket_label_associate_t(
3694 kauth_cred_t cred,
3695 socket_t so,
3696 struct label *solabel
3697);
3698/**
3699 @brief Copy a socket label
3700 @param src Source label
3701 @param dest Destination label
3702
3703 Copy the socket label information in src into dest.
3704*/
3705typedef void mpo_socket_label_copy_t(
3706 struct label *src,
3707 struct label *dest
3708);
3709/**
3710 @brief Destroy socket label
3711 @param label The label to be destroyed
3712
3713 Destroy a socket label. Since the object is going out of
3714 scope, policy modules should free any internal storage associated
3715 with the label so that it may be destroyed.
3716*/
3717typedef void mpo_socket_label_destroy_t(
3718 struct label *label
3719);
3720/**
3721 @brief Externalize a socket label
3722 @param label Label to be externalized
3723 @param element_name Name of the label namespace for which labels should be
3724 externalized
3725 @param sb String buffer to be filled with a text representation of label
3726
3727 Produce an externalized socket label based on the label structure passed.
3728 An externalized label consists of a text representation of the label
3729 contents that can be used with userland applications and read by the
3730 user. If element_name does not match a namespace managed by the policy,
3731 simply return 0. Only return nonzero if an error occurs while externalizing
3732 the label data.
3733
3734 @return In the event of an error, an appropriate value for errno
3735 should be returned, otherwise return 0 upon success.
3736*/
3737typedef int mpo_socket_label_externalize_t(
3738 struct label *label,
3739 char *element_name,
3740 struct sbuf *sb
3741);
3742/**
3743 @brief Initialize socket label
3744 @param label New label to initialize
3745 @param waitok Malloc flags
3746
3747 Initialize the label of a newly instantiated socket. The waitok
3748 field may be one of M_WAITOK and M_NOWAIT, and should be employed to
3749 avoid performing a sleeping malloc(9) during this initialization
3750 call. It it not always safe to sleep during this entry point.
3751
3752 @warning Since it is possible for the waitok flags to be set to
3753 M_NOWAIT, the malloc operation may fail.
3754
3755 @return In the event of an error, an appropriate value for errno
3756 should be returned, otherwise return 0 upon success.
3757*/
3758typedef int mpo_socket_label_init_t(
3759 struct label *label,
3760 int waitok
3761);
3762/**
3763 @brief Internalize a socket label
3764 @param label Label to be filled in
3765 @param element_name Name of the label namespace for which the label should
3766 be internalized
3767 @param element_data Text data to be internalized
3768
3769 Produce an internal socket label structure based on externalized label
3770 data in text format.
3771
3772 The policy's internalize entry points will be called only if the
3773 policy has registered interest in the label namespace.
3774
3775 @return In the event of an error, an appropriate value for errno
3776 should be returned, otherwise return 0 upon success.
3777*/
3778typedef int mpo_socket_label_internalize_t(
3779 struct label *label,
3780 char *element_name,
3781 char *element_data
3782);
3783/**
3784 @brief Relabel socket
3785 @param cred Subject credential
3786 @param so Object; socket
3787 @param so_label Current label of the socket
3788 @param newlabel The label to be assigned to so
3789
3790 The subject identified by the credential has previously requested
3791 and was authorized to relabel the socket; this entry point allows
3792 policies to perform the actual label update operation.
3793
3794 @warning XXX This entry point will likely change in future versions.
3795*/
3796typedef void mpo_socket_label_update_t(
3797 kauth_cred_t cred,
3798 socket_t so,
3799 struct label *so_label,
3800 struct label *newlabel
3801);
3802/**
3803 @brief Set the peer label on a socket from mbuf
3804 @param m Mbuf chain received on socket so
3805 @param m_label Label for m
3806 @param so Current label for the socket
3807 @param so_label Policy label to be filled out for the socket
3808
3809 Set the peer label of a socket based on the label of the sender of the
3810 mbuf.
3811
3812 This is called for every TCP/IP packet received. The first call for a given
3813 socket operates on a newly initialized label, and subsequent calls operate
3814 on existing label data.
3815
3816 @warning Because this can affect performance significantly, it has
3817 different sematics than other 'set' operations. Typically, 'set' operations
3818 operate on newly initialzed labels and policies do not need to worry about
3819 clobbering existing values. In this case, it is too inefficient to
3820 initialize and destroy a label every time data is received for the socket.
3821 Instead, it is up to the policies to determine how to replace the label data.
3822 Most policies should be able to replace the data inline.
3823*/
3824typedef void mpo_socketpeer_label_associate_mbuf_t(
3825 struct mbuf *m,
3826 struct label *m_label,
3827 socket_t so,
3828 struct label *so_label
3829);
3830/**
3831 @brief Set the peer label on a socket from socket
3832 @param source Local socket
3833 @param sourcelabel Policy label for source
3834 @param target Peer socket
3835 @param targetlabel Policy label to fill in for target
3836
3837 Set the peer label on a stream UNIX domain socket from the passed
3838 remote socket endpoint. This call will be made when the socket pair
3839 is connected, and will be made for both endpoints.
3840
3841 Note that this call is only made on connection; it is currently not updated
3842 during communication.
3843*/
3844typedef void mpo_socketpeer_label_associate_socket_t(
3845 socket_t source,
3846 struct label *sourcelabel,
3847 socket_t target,
3848 struct label *targetlabel
3849);
3850/**
3851 @brief Destroy socket peer label
3852 @param label The peer label to be destroyed
3853
3854 Destroy a socket peer label. Since the object is going out of
3855 scope, policy modules should free any internal storage associated
3856 with the label so that it may be destroyed.
3857*/
3858typedef void mpo_socketpeer_label_destroy_t(
3859 struct label *label
3860);
3861/**
3862 @brief Externalize a socket peer label
3863 @param label Label to be externalized
3864 @param element_name Name of the label namespace for which labels should be
3865 externalized
3866 @param sb String buffer to be filled with a text representation of label
3867
3868 Produce an externalized socket peer label based on the label structure
3869 passed. An externalized label consists of a text representation of the
3870 label contents that can be used with userland applications and read by the
3871 user. If element_name does not match a namespace managed by the policy,
3872 simply return 0. Only return nonzero if an error occurs while externalizing
3873 the label data.
3874
3875 @return In the event of an error, an appropriate value for errno
3876 should be returned, otherwise return 0 upon success.
3877*/
3878typedef int mpo_socketpeer_label_externalize_t(
3879 struct label *label,
3880 char *element_name,
3881 struct sbuf *sb
3882);
3883/**
3884 @brief Initialize socket peer label
3885 @param label New label to initialize
3886 @param waitok Malloc flags
3887
3888 Initialize the peer label of a newly instantiated socket. The
3889 waitok field may be one of M_WAITOK and M_NOWAIT, and should be
3890 employed to avoid performing a sleeping malloc(9) during this
3891 initialization call. It it not always safe to sleep during this
3892 entry point.
3893
3894 @warning Since it is possible for the waitok flags to be set to
3895 M_NOWAIT, the malloc operation may fail.
3896
3897 @return In the event of an error, an appropriate value for errno
3898 should be returned, otherwise return 0 upon success.
3899*/
3900typedef int mpo_socketpeer_label_init_t(
3901 struct label *label,
3902 int waitok
3903);
3904/**
3905 @brief Access control check for enabling accounting
3906 @param cred Subject credential
3907 @param vp Accounting file
3908 @param vlabel Label associated with vp
3909
3910 Determine whether the subject should be allowed to enable accounting,
3911 based on its label and the label of the accounting log file. See
3912 acct(5) for more information.
3913
3914 As accounting is disabled by passing NULL to the acct(2) system call,
3915 the policy should be prepared for both 'vp' and 'vlabel' to be NULL.
3916
3917 @return Return 0 if access is granted, otherwise an appropriate value for
3918 errno should be returned.
3919*/
3920typedef int mpo_system_check_acct_t(
3921 kauth_cred_t cred,
3922 struct vnode *vp,
3923 struct label *vlabel
3924);
3925/**
3926 @brief Access control check for audit
3927 @param cred Subject credential
3928 @param record Audit record
3929 @param length Audit record length
3930
3931 Determine whether the subject identified by the credential can submit
3932 an audit record for inclusion in the audit log via the audit() system call.
3933
3934 @return Return 0 if access is granted, otherwise an appropriate value for
3935 errno should be returned.
3936*/
3937typedef int mpo_system_check_audit_t(
3938 kauth_cred_t cred,
3939 void *record,
3940 int length
3941);
3942/**
3943 @brief Access control check for controlling audit
3944 @param cred Subject credential
3945 @param vp Audit file
3946 @param vl Label associated with vp
3947
3948 Determine whether the subject should be allowed to enable auditing using
3949 the auditctl() system call, based on its label and the label of the proposed
3950 audit file.
3951
3952 @return Return 0 if access is granted, otherwise an appropriate value for
3953 errno should be returned.
3954*/
3955typedef int mpo_system_check_auditctl_t(
3956 kauth_cred_t cred,
3957 struct vnode *vp,
3958 struct label *vl
3959);
3960/**
3961 @brief Access control check for manipulating auditing
3962 @param cred Subject credential
3963 @param cmd Audit control command
3964
3965 Determine whether the subject identified by the credential can perform
3966 the audit subsystem control operation cmd via the auditon() system call.
3967
3968 @return Return 0 if access is granted, otherwise an appropriate value for
3969 errno should be returned.
3970*/
3971typedef int mpo_system_check_auditon_t(
3972 kauth_cred_t cred,
3973 int cmd
3974);
3975/**
3976 @brief Access control check for using CHUD facilities
3977 @param cred Subject credential
3978
3979 Determine whether the subject identified by the credential can perform
3980 performance-related tasks using the CHUD system call.
3981
3982 @return Return 0 if access is granted, otherwise an appropriate value for
3983 errno should be returned.
3984*/
3985typedef int mpo_system_check_chud_t(
3986 kauth_cred_t cred
3987);
3988/**
3989 @brief Access control check for obtaining the host control port
3990 @param cred Subject credential
3991
3992 Determine whether the subject identified by the credential can
3993 obtain the host control port.
3994
3995 @return Return 0 if access is granted, or non-zero otherwise.
3996*/
3997typedef int mpo_system_check_host_priv_t(
3998 kauth_cred_t cred
3999);
4000/**
4001 @brief Access control check for calling NFS services
4002 @param cred Subject credential
4003
4004 Determine whether the subject identified by the credential should be
4005 allowed to call nfssrv(2).
4006
4007 @return Return 0 if access is granted, otherwise an appropriate value for
4008 errno should be returned.
4009*/
4010typedef int mpo_system_check_nfsd_t(
4011 kauth_cred_t cred
4012);
4013/**
4014 @brief Access control check for reboot
4015 @param cred Subject credential
4016 @param howto howto parameter from reboot(2)
4017
4018 Determine whether the subject identified by the credential should be
4019 allowed to reboot the system in the specified manner.
4020
4021 @return Return 0 if access is granted, otherwise an appropriate value for
4022 errno should be returned.
4023*/
4024typedef int mpo_system_check_reboot_t(
4025 kauth_cred_t cred,
4026 int howto
4027);
4028/**
4029 @brief Access control check for setting system clock
4030 @param cred Subject credential
4031
4032 Determine whether the subject identified by the credential should be
4033 allowed to set the system clock.
4034
4035 @return Return 0 if access is granted, otherwise an appropriate value for
4036 errno should be returned.
4037*/
4038typedef int mpo_system_check_settime_t(
4039 kauth_cred_t cred
4040);
4041/**
4042 @brief Access control check for removing swap devices
4043 @param cred Subject credential
4044 @param vp Swap device
4045 @param label Label associated with vp
4046
4047 Determine whether the subject identified by the credential should be
4048 allowed to remove vp as a swap device.
4049
4050 @return Return 0 if access is granted, otherwise an appropriate value for
4051 errno should be returned.
4052*/
4053typedef int mpo_system_check_swapoff_t(
4054 kauth_cred_t cred,
4055 struct vnode *vp,
4056 struct label *label
4057);
4058/**
4059 @brief Access control check for adding swap devices
4060 @param cred Subject credential
4061 @param vp Swap device
4062 @param label Label associated with vp
4063
4064 Determine whether the subject identified by the credential should be
4065 allowed to add vp as a swap device.
4066
4067 @return Return 0 if access is granted, otherwise an appropriate value for
4068 errno should be returned.
4069*/
4070typedef int mpo_system_check_swapon_t(
4071 kauth_cred_t cred,
4072 struct vnode *vp,
4073 struct label *label
4074);
4075/**
4076 @brief Access control check for sysctl
4077 @param cred Subject credential
4078 @param name Integer name; see sysctl(3)
4079 @param namelen Length of name array of integers; see sysctl(3)
4080 @param old 0 or address where to store old value; see sysctl(3)
4081 @param oldlenp Pointer to length of old buffer; see sysctl(3)
4082 @param inkernel Boolean; 1 if called from kernel
4083 @param newvalue 0 or address of new value; see sysctl(3)
4084 @param newlen Length of new buffer; see sysctl(3)
4085
4086 Determine whether the subject identified by the credential should be
4087 allowed to make the specified sysctl(3) transaction.
4088
4089 The sysctl(3) call specifies that if the old value is not desired,
4090 oldp and oldlenp should be set to NULL. Likewise, if a new value is
4091 not to be set, newp should be set to NULL and newlen set to 0.
4092
4093 @return Return 0 if access is granted, otherwise an appropriate value for
4094 errno should be returned.
4095*/
4096typedef int mpo_system_check_sysctl_t(
4097 kauth_cred_t cred,
4098 int *name,
4099 u_int namelen,
4100 user_addr_t old, /* NULLOK */
4101 user_addr_t oldlenp, /* NULLOK */
4102 int inkernel,
4103 user_addr_t newvalue, /* NULLOK */
4104 size_t newlen
4105);
4106/**
4107 @brief Access control check for kas_info
4108 @param cred Subject credential
4109 @param selector Category of information to return. See kas_info.h
4110
4111 Determine whether the subject identified by the credential can perform
4112 introspection of the kernel address space layout for
4113 debugging/performance analysis.
4114
4115 @return Return 0 if access is granted, otherwise an appropriate value for
4116 errno should be returned.
4117*/
4118typedef int mpo_system_check_kas_info_t(
4119 kauth_cred_t cred,
4120 int selector
4121);
4122/**
4123 @brief Create a System V message label
4124 @param cred Subject credential
4125 @param msqkptr The message queue the message will be placed in
4126 @param msqlabel The label of the message queue
4127 @param msgptr The message
4128 @param msglabel The label of the message
4129
4130 Label the message as its placed in the message queue.
4131*/
4132typedef void mpo_sysvmsg_label_associate_t(
4133 kauth_cred_t cred,
4134 struct msqid_kernel *msqptr,
4135 struct label *msqlabel,
4136 struct msg *msgptr,
4137 struct label *msglabel
4138);
4139/**
4140 @brief Destroy System V message label
4141 @param label The label to be destroyed
4142
4143 Destroy a System V message label. Since the object is
4144 going out of scope, policy modules should free any internal storage
4145 associated with the label so that it may be destroyed.
4146*/
4147typedef void mpo_sysvmsg_label_destroy_t(
4148 struct label *label
4149);
4150/**
4151 @brief Initialize System V message label
4152 @param label New label to initialize
4153
4154 Initialize the label for a newly instantiated System V message.
4155*/
4156typedef void mpo_sysvmsg_label_init_t(
4157 struct label *label
4158);
4159/**
4160 @brief Clean up a System V message label
4161 @param label The label to be destroyed
4162
4163 Clean up a System V message label. Darwin pre-allocates
4164 messages at system boot time and re-uses them rather than
4165 allocating new ones. Before messages are returned to the "free
4166 pool", policies can cleanup or overwrite any information present in
4167 the label.
4168*/
4169typedef void mpo_sysvmsg_label_recycle_t(
4170 struct label *label
4171);
4172/**
4173 @brief Access control check for System V message enqueuing
4174 @param cred Subject credential
4175 @param msgptr The message
4176 @param msglabel The message's label
4177 @param msqkptr The message queue
4178 @param msqlabel The message queue's label
4179
4180 Determine whether the subject identified by the credential can add the
4181 given message to the given message queue.
4182
4183 @return Return 0 if access is granted, otherwise an appropriate value for
4184 errno should be returned.
4185*/
4186typedef int mpo_sysvmsq_check_enqueue_t(
4187 kauth_cred_t cred,
4188 struct msg *msgptr,
4189 struct label *msglabel,
4190 struct msqid_kernel *msqptr,
4191 struct label *msqlabel
4192);
4193/**
4194 @brief Access control check for System V message reception
4195 @param cred The credential of the intended recipient
4196 @param msgptr The message
4197 @param msglabel The message's label
4198
4199 Determine whether the subject identified by the credential can receive
4200 the given message.
4201
4202 @return Return 0 if access is granted, otherwise an appropriate value for
4203 errno should be returned.
4204*/
4205typedef int mpo_sysvmsq_check_msgrcv_t(
4206 kauth_cred_t cred,
4207 struct msg *msgptr,
4208 struct label *msglabel
4209);
4210/**
4211 @brief Access control check for System V message queue removal
4212 @param cred The credential of the caller
4213 @param msgptr The message
4214 @param msglabel The message's label
4215
4216 System V message queues are removed using the msgctl() system call.
4217 The system will iterate over each messsage in the queue, calling this
4218 function for each, to determine whether the caller has the appropriate
4219 credentials.
4220
4221 @return Return 0 if access is granted, otherwise an appropriate value for
4222 errno should be returned.
4223*/
4224typedef int mpo_sysvmsq_check_msgrmid_t(
4225 kauth_cred_t cred,
4226 struct msg *msgptr,
4227 struct label *msglabel
4228);
4229/**
4230 @brief Access control check for msgctl()
4231 @param cred The credential of the caller
4232 @param msqptr The message queue
4233 @param msqlabel The message queue's label
4234
4235 This access check is performed to validate calls to msgctl().
4236
4237 @return Return 0 if access is granted, otherwise an appropriate value for
4238 errno should be returned.
4239*/
4240typedef int mpo_sysvmsq_check_msqctl_t(
4241 kauth_cred_t cred,
4242 struct msqid_kernel *msqptr,
4243 struct label *msqlabel,
4244 int cmd
4245);
4246/**
4247 @brief Access control check to get a System V message queue
4248 @param cred The credential of the caller
4249 @param msqptr The message queue requested
4250 @param msqlabel The message queue's label
4251
4252 On a call to msgget(), if the queue requested already exists,
4253 and it is a public queue, this check will be performed before the
4254 queue's ID is returned to the user.
4255
4256 @return Return 0 if access is granted, otherwise an appropriate value for
4257 errno should be returned.
4258*/
4259typedef int mpo_sysvmsq_check_msqget_t(
4260 kauth_cred_t cred,
4261 struct msqid_kernel *msqptr,
4262 struct label *msqlabel
4263);
4264/**
4265 @brief Access control check to receive a System V message from the given queue
4266 @param cred The credential of the caller
4267 @param msqptr The message queue to receive from
4268 @param msqlabel The message queue's label
4269
4270 On a call to msgrcv(), this check is performed to determine whether the
4271 caller has receive rights on the given queue.
4272
4273 @return Return 0 if access is granted, otherwise an appropriate value for
4274 errno should be returned.
4275*/
4276typedef int mpo_sysvmsq_check_msqrcv_t(
4277 kauth_cred_t cred,
4278 struct msqid_kernel *msqptr,
4279 struct label *msqlabel
4280);
4281/**
4282 @brief Access control check to send a System V message to the given queue
4283 @param cred The credential of the caller
4284 @param msqptr The message queue to send to
4285 @param msqlabel The message queue's label
4286
4287 On a call to msgsnd(), this check is performed to determine whether the
4288 caller has send rights on the given queue.
4289
4290 @return Return 0 if access is granted, otherwise an appropriate value for
4291 errno should be returned.
4292*/
4293typedef int mpo_sysvmsq_check_msqsnd_t(
4294 kauth_cred_t cred,
4295 struct msqid_kernel *msqptr,
4296 struct label *msqlabel
4297);
4298/**
4299 @brief Create a System V message queue label
4300 @param cred Subject credential
4301 @param msqkptr The message queue
4302 @param msqlabel The label of the message queue
4303
4304*/
4305typedef void mpo_sysvmsq_label_associate_t(
4306 kauth_cred_t cred,
4307 struct msqid_kernel *msqptr,
4308 struct label *msqlabel
4309);
4310/**
4311 @brief Destroy System V message queue label
4312 @param label The label to be destroyed
4313
4314 Destroy a System V message queue label. Since the object is
4315 going out of scope, policy modules should free any internal storage
4316 associated with the label so that it may be destroyed.
4317*/
4318typedef void mpo_sysvmsq_label_destroy_t(
4319 struct label *label
4320);
4321/**
4322 @brief Initialize System V message queue label
4323 @param label New label to initialize
4324
4325 Initialize the label for a newly instantiated System V message queue.
4326*/
4327typedef void mpo_sysvmsq_label_init_t(
4328 struct label *label
4329);
4330/**
4331 @brief Clean up a System V message queue label
4332 @param label The label to be destroyed
4333
4334 Clean up a System V message queue label. Darwin pre-allocates
4335 message queues at system boot time and re-uses them rather than
4336 allocating new ones. Before message queues are returned to the "free
4337 pool", policies can cleanup or overwrite any information present in
4338 the label.
4339*/
4340typedef void mpo_sysvmsq_label_recycle_t(
4341 struct label *label
4342);
4343/**
4344 @brief Access control check for System V semaphore control operation
4345 @param cred Subject credential
4346 @param semakptr Pointer to semaphore identifier
4347 @param semaklabel Label associated with semaphore
4348 @param cmd Control operation to be performed; see semctl(2)
4349
4350 Determine whether the subject identified by the credential can perform
4351 the operation indicated by cmd on the System V semaphore semakptr.
4352
4353 @return Return 0 if access is granted, otherwise an appropriate value for
4354 errno should be returned.
4355*/
4356typedef int mpo_sysvsem_check_semctl_t(
4357 kauth_cred_t cred,
4358 struct semid_kernel *semakptr,
4359 struct label *semaklabel,
4360 int cmd
4361);
4362/**
4363 @brief Access control check for obtaining a System V semaphore
4364 @param cred Subject credential
4365 @param semakptr Pointer to semaphore identifier
4366 @param semaklabel Label to associate with the semaphore
4367
4368 Determine whether the subject identified by the credential can
4369 obtain a System V semaphore.
4370
4371 @return Return 0 if access is granted, otherwise an appropriate value for
4372 errno should be returned.
4373*/
4374typedef int mpo_sysvsem_check_semget_t(
4375 kauth_cred_t cred,
4376 struct semid_kernel *semakptr,
4377 struct label *semaklabel
4378);
4379/**
4380 @brief Access control check for System V semaphore operations
4381 @param cred Subject credential
4382 @param semakptr Pointer to semaphore identifier
4383 @param semaklabel Label associated with the semaphore
4384 @param accesstype Flags to indicate access (read and/or write)
4385
4386 Determine whether the subject identified by the credential can
4387 perform the operations on the System V semaphore indicated by
4388 semakptr. The accesstype flags hold the maximum set of permissions
4389 from the sem_op array passed to the semop system call. It may
4390 contain SEM_R for read-only operations or SEM_A for read/write
4391 operations.
4392
4393 @return Return 0 if access is granted, otherwise an appropriate value for
4394 errno should be returned.
4395*/
4396typedef int mpo_sysvsem_check_semop_t(
4397 kauth_cred_t cred,
4398 struct semid_kernel *semakptr,
4399 struct label *semaklabel,
4400 size_t accesstype
4401);
4402/**
4403 @brief Create a System V semaphore label
4404 @param cred Subject credential
4405 @param semakptr The semaphore being created
4406 @param semalabel Label to associate with the new semaphore
4407
4408 Label a new System V semaphore. The label was previously
4409 initialized and associated with the semaphore. At this time, an
4410 appropriate initial label value should be assigned to the object and
4411 stored in semalabel.
4412*/
4413typedef void mpo_sysvsem_label_associate_t(
4414 kauth_cred_t cred,
4415 struct semid_kernel *semakptr,
4416 struct label *semalabel
4417);
4418/**
4419 @brief Destroy System V semaphore label
4420 @param label The label to be destroyed
4421
4422 Destroy a System V semaphore label. Since the object is
4423 going out of scope, policy modules should free any internal storage
4424 associated with the label so that it may be destroyed.
4425*/
4426typedef void mpo_sysvsem_label_destroy_t(
4427 struct label *label
4428);
4429/**
4430 @brief Initialize System V semaphore label
4431 @param label New label to initialize
4432
4433 Initialize the label for a newly instantiated System V semaphore. Sleeping
4434 is permitted.
4435*/
4436typedef void mpo_sysvsem_label_init_t(
4437 struct label *label
4438);
4439/**
4440 @brief Clean up a System V semaphore label
4441 @param label The label to be cleaned
4442
4443 Clean up a System V semaphore label. Darwin pre-allocates
4444 semaphores at system boot time and re-uses them rather than
4445 allocating new ones. Before semaphores are returned to the "free
4446 pool", policies can cleanup or overwrite any information present in
4447 the label.
4448*/
4449typedef void mpo_sysvsem_label_recycle_t(
4450 struct label *label
4451);
4452/**
4453 @brief Access control check for mapping System V shared memory
4454 @param cred Subject credential
4455 @param shmsegptr Pointer to shared memory segment identifier
4456 @param shmseglabel Label associated with the shared memory segment
4457 @param shmflg shmat flags; see shmat(2)
4458
4459 Determine whether the subject identified by the credential can map
4460 the System V shared memory segment associated with shmsegptr.
4461
4462 @return Return 0 if access is granted, otherwise an appropriate value for
4463 errno should be returned.
4464*/
4465typedef int mpo_sysvshm_check_shmat_t(
4466 kauth_cred_t cred,
4467 struct shmid_kernel *shmsegptr,
4468 struct label *shmseglabel,
4469 int shmflg
4470);
4471/**
4472 @brief Access control check for System V shared memory control operation
4473 @param cred Subject credential
4474 @param shmsegptr Pointer to shared memory segment identifier
4475 @param shmseglabel Label associated with the shared memory segment
4476 @param cmd Control operation to be performed; see shmctl(2)
4477
4478 Determine whether the subject identified by the credential can perform
4479 the operation indicated by cmd on the System V shared memory segment
4480 shmsegptr.
4481
4482 @return Return 0 if access is granted, otherwise an appropriate value for
4483 errno should be returned.
4484*/
4485typedef int mpo_sysvshm_check_shmctl_t(
4486 kauth_cred_t cred,
4487 struct shmid_kernel *shmsegptr,
4488 struct label *shmseglabel,
4489 int cmd
4490);
4491/**
4492 @brief Access control check for unmapping System V shared memory
4493 @param cred Subject credential
4494 @param shmsegptr Pointer to shared memory segment identifier
4495 @param shmseglabel Label associated with the shared memory segment
4496
4497 Determine whether the subject identified by the credential can unmap
4498 the System V shared memory segment associated with shmsegptr.
4499
4500 @return Return 0 if access is granted, otherwise an appropriate value for
4501 errno should be returned.
4502*/
4503typedef int mpo_sysvshm_check_shmdt_t(
4504 kauth_cred_t cred,
4505 struct shmid_kernel *shmsegptr,
4506 struct label *shmseglabel
4507);
4508/**
4509 @brief Access control check obtaining System V shared memory identifier
4510 @param cred Subject credential
4511 @param shmsegptr Pointer to shared memory segment identifier
4512 @param shmseglabel Label associated with the shared memory segment
4513 @param shmflg shmget flags; see shmget(2)
4514
4515 Determine whether the subject identified by the credential can get
4516 the System V shared memory segment address.
4517
4518 @return Return 0 if access is granted, otherwise an appropriate value for
4519 errno should be returned.
4520*/
4521typedef int mpo_sysvshm_check_shmget_t(
4522 kauth_cred_t cred,
4523 struct shmid_kernel *shmsegptr,
4524 struct label *shmseglabel,
4525 int shmflg
4526);
4527/**
4528 @brief Create a System V shared memory region label
4529 @param cred Subject credential
4530 @param shmsegptr The shared memory region being created
4531 @param shmlabel Label to associate with the new shared memory region
4532
4533 Label a new System V shared memory region. The label was previously
4534 initialized and associated with the shared memory region. At this
4535 time, an appropriate initial label value should be assigned to the
4536 object and stored in shmlabel.
4537*/
4538typedef void mpo_sysvshm_label_associate_t(
4539 kauth_cred_t cred,
4540 struct shmid_kernel *shmsegptr,
4541 struct label *shmlabel
4542);
4543/**
4544 @brief Destroy System V shared memory label
4545 @param label The label to be destroyed
4546
4547 Destroy a System V shared memory region label. Since the
4548 object is going out of scope, policy modules should free any
4549 internal storage associated with the label so that it may be
4550 destroyed.
4551*/
4552typedef void mpo_sysvshm_label_destroy_t(
4553 struct label *label
4554);
4555/**
4556 @brief Initialize System V Shared Memory region label
4557 @param label New label to initialize
4558
4559 Initialize the label for a newly instantiated System V Shared Memory
4560 region. Sleeping is permitted.
4561*/
4562typedef void mpo_sysvshm_label_init_t(
4563 struct label *label
4564);
4565/**
4566 @brief Clean up a System V Share Memory Region label
4567 @param shmlabel The label to be cleaned
4568
4569 Clean up a System V Shared Memory Region label. Darwin
4570 pre-allocates these objects at system boot time and re-uses them
4571 rather than allocating new ones. Before the memory regions are
4572 returned to the "free pool", policies can cleanup or overwrite any
4573 information present in the label.
4574*/
4575typedef void mpo_sysvshm_label_recycle_t(
4576 struct label *shmlabel
4577);
4578/**
4579 @brief Access control check for getting a process's task name
4580 @param cred Subject credential
4581 @param proc Object process
4582
4583 Determine whether the subject identified by the credential can get
4584 the passed process's task name port.
4585 This call is used by the task_name_for_pid(2) API.
4586
4587 @return Return 0 if access is granted, otherwise an appropriate value for
4588 errno should be returned. Suggested failure: EACCES for label mismatch,
4589 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4590*/
4591typedef int mpo_proc_check_get_task_name_t(
4592 kauth_cred_t cred,
4593 struct proc *p
4594);
4595/**
4596 @brief Access control check for getting a process's task port
4597 @param cred Subject credential
4598 @param proc Object process
4599
4600 Determine whether the subject identified by the credential can get
4601 the passed process's task control port.
4602 This call is used by the task_for_pid(2) API.
4603
4604 @return Return 0 if access is granted, otherwise an appropriate value for
4605 errno should be returned. Suggested failure: EACCES for label mismatch,
4606 EPERM for lack of privilege, or ESRCH to hide visibility of the target.
4607*/
4608typedef int mpo_proc_check_get_task_t(
4609 kauth_cred_t cred,
4610 struct proc *p
4611);
4612/**
4613 @brief Privilege check for a process to run invalid
4614 @param proc Object process
4615
4616 Determine whether the process may execute even though the system determined
4617 that it is untrusted (eg unidentified / modified code).
4618
4619 @return Return 0 if access is granted, otherwise an appropriate value for
4620 errno should be returned.
4621 */
4622typedef int mac_proc_check_run_cs_invalid_t(
4623 struct proc *p
4624);
4625
4626
4627/**
4628 @brief Assign a label to a new kernelspace Mach task
4629 @param kproc New task
4630 @param tasklabel Label for new task
4631 @param portlabel Label for new task port
4632 @see mpo_cred_label_associate_kernel_t
4633
4634 Assign labels to a new kernel task and its task port. Both the task and
4635 task port labels should be specified. Both new labels are initialized.
4636 If there is an associated BSD process structure, it will be labelled
4637 with calls to mpo_cred_label_associate_kernel.
4638*/
4639typedef void mpo_task_label_associate_kernel_t(
4640 struct task *kproc,
4641 struct label *tasklabel,
4642 struct label *portlabel
4643);
4644/**
4645 @brief Assign a label to a new (userspace) Mach task
4646 @param parent Parent task
4647 @param child New (child) task
4648 @param parentlabel Label of parent task
4649 @param childlabel Label for new task
4650 @param childportlabel Label for new task's task port
4651
4652 Assign labels to a new task and its task port. Both the task and task port
4653 labels should be specified. Both new labels are initialized. If the task
4654 will have an associated BSD process, that information will be made available
4655 by the task_label_update and port_label_update_cred entry points.
4656*/
4657typedef void mpo_task_label_associate_t(
4658 struct task *parent,
4659 struct task *child,
4660 struct label *parentlabel,
4661 struct label *childlabel,
4662 struct label *childportlabel
4663);
4664/**
4665 @brief Copy a Mach task label
4666 @param src Source task label
4667 @param dest Destination task label
4668
4669 Copy the Mach task label information from src to dest. This is used
4670 when duplicating label handles to implement copy-on-write semantics.
4671*/
4672typedef void mpo_task_label_copy_t(
4673 struct label *src,
4674 struct label *dest
4675);
4676/**
4677 @brief Destroy Mach task label
4678 @param label The label to be destroyed
4679
4680 Destroy a Mach task label. Since the object is going out of
4681 scope, policy modules should free any internal storage associated
4682 with the label so that it may be destroyed.
4683*/
4684typedef void mpo_task_label_destroy_t(
4685 struct label *label
4686);
4687/**
4688 @brief Externalize a task label
4689 @param label Label to be externalized
4690 @param element_name Name of the label namespace for which labels should be
4691 externalized
4692 @param sb String buffer to be filled with a text representation of the label
4693
4694 Produce an external representation of the label on a task. An
4695 externalized label consists of a text representation of the label
4696 contents that can be used with user applications. Policy-agnostic
4697 user space tools will display this externalized version.
4698
4699 @return 0 on success, return non-zero if an error occurs while
4700 externalizing the label data.
4701
4702*/
4703typedef int mpo_task_label_externalize_t(
4704 struct label *label,
4705 char *element_name,
4706 struct sbuf *sb
4707);
4708/**
4709 @brief Initialize Mach task label
4710 @param label New label to initialize
4711
4712 Initialize the label for a newly instantiated Mach task. Sleeping
4713 is permitted.
4714*/
4715typedef void mpo_task_label_init_t(
4716 struct label *label
4717);
4718/**
4719 @brief Internalize a task label
4720 @param label Label to be internalized
4721 @param element_name Name of the label namespace for which the label should
4722 be internalized
4723 @param element_data Text data to be internalized
4724
4725 Produce a task label from an external representation. An
4726 externalized label consists of a text representation of the label
4727 contents that can be used with user applications. Policy-agnostic
4728 user space tools will forward text version to the kernel for
4729 processing by individual policy modules.
4730
4731 The policy's internalize entry points will be called only if the
4732 policy has registered interest in the label namespace.
4733
4734 @return 0 on success, Otherwise, return non-zero if an error occurs
4735 while internalizing the label data.
4736
4737*/
4738typedef int mpo_task_label_internalize_t(
4739 struct label *label,
4740 char *element_name,
4741 char *element_data
4742);
4743/**
4744 @brief Update a Mach task label
4745 @param cred User credential label to be used as the source
4746 @param task Mach task label to be used as the destination
4747 @see mpo_cred_label_update_t
4748 @see mpo_cred_label_update_execve_t
4749
4750 Update the label on a Mach task, using the supplied user credential
4751 label. When a mac_cred_label_update_execve or a mac_cred_label_update operation
4752 causes the label on a user credential to change, the Mach task label
4753 also needs to be updated to reflect the change. Both labels are
4754 already valid (initialized and created).
4755
4756 @warning XXX We may change the name of this entry point in a future
4757 version of the MAC framework.
4758*/
4759typedef void mpo_task_label_update_t(
4760 struct label *cred,
4761 struct label *task
4762);
4763/**
4764 @brief Perform MAC-related events when a thread returns to user space
4765 @param thread Mach (not BSD) thread that is returning
4766
4767 This entry point permits policy modules to perform MAC-related
4768 events when a thread returns to user space, via a system call
4769 return or trap return.
4770*/
4771typedef void mpo_thread_userret_t(
4772 struct thread *thread
4773);
4774/**
4775 @brief Initialize per thread label
4776 @param label New label to initialize
4777
4778 Initialize the label for a newly instantiated thread.
4779 Sleeping is permitted.
4780*/
4781typedef void mpo_thread_label_init_t(
4782 struct label *label
4783);
4784/**
4785 @brief Destroy thread label
4786 @param label The label to be destroyed
4787
4788 Destroy a user thread label. Since the user thread
4789 is going out of scope, policy modules should free any internal
4790 storage associated with the label so that it may be destroyed.
4791*/
4792typedef void mpo_thread_label_destroy_t(
4793 struct label *label
4794);
4795/**
4796 @brief Check vnode access
4797 @param cred Subject credential
4798 @param vp Object vnode
4799 @param label Label for vp
4800 @param acc_mode access(2) flags
4801
4802 Determine how invocations of access(2) and related calls by the
4803 subject identified by the credential should return when performed
4804 on the passed vnode using the passed access flags. This should
4805 generally be implemented using the same semantics used in
4806 mpo_vnode_check_open.
4807
4808 @return Return 0 if access is granted, otherwise an appropriate value for
4809 errno should be returned. Suggested failure: EACCES for label mismatch or
4810 EPERM for lack of privilege.
4811*/
4812typedef int mpo_vnode_check_access_t(
4813 kauth_cred_t cred,
4814 struct vnode *vp,
4815 struct label *label,
4816 int acc_mode
4817);
4818/**
4819 @brief Access control check for changing working directory
4820 @param cred Subject credential
4821 @param dvp Object; vnode to chdir(2) into
4822 @param dlabel Policy label for dvp
4823
4824 Determine whether the subject identified by the credential can change
4825 the process working directory to the passed vnode.
4826
4827 @return Return 0 if access is granted, otherwise an appropriate value for
4828 errno should be returned. Suggested failure: EACCES for label mismatch or
4829 EPERM for lack of privilege.
4830*/
4831typedef int mpo_vnode_check_chdir_t(
4832 kauth_cred_t cred,
4833 struct vnode *dvp,
4834 struct label *dlabel
4835);
4836/**
4837 @brief Access control check for changing root directory
4838 @param cred Subject credential
4839 @param dvp Directory vnode
4840 @param dlabel Policy label associated with dvp
4841 @param cnp Component name for dvp
4842
4843 Determine whether the subject identified by the credential should be
4844 allowed to chroot(2) into the specified directory (dvp).
4845
4846 @return In the event of an error, an appropriate value for errno
4847 should be returned, otherwise return 0 upon success.
4848*/
4849typedef int mpo_vnode_check_chroot_t(
4850 kauth_cred_t cred,
4851 struct vnode *dvp,
4852 struct label *dlabel,
4853 struct componentname *cnp
4854);
4855/**
4856 @brief Access control check for creating vnode
4857 @param cred Subject credential
4858 @param dvp Directory vnode
4859 @param dlabel Policy label for dvp
4860 @param cnp Component name for dvp
4861 @param vap vnode attributes for vap
4862
4863 Determine whether the subject identified by the credential can create
4864 a vnode with the passed parent directory, passed name information,
4865 and passed attribute information. This call may be made in a number of
4866 situations, including as a result of calls to open(2) with O_CREAT,
4867 mknod(2), mkfifo(2), and others.
4868
4869 @return Return 0 if access is granted, otherwise an appropriate value for
4870 errno should be returned. Suggested failure: EACCES for label mismatch or
4871 EPERM for lack of privilege.
4872*/
4873typedef int mpo_vnode_check_create_t(
4874 kauth_cred_t cred,
4875 struct vnode *dvp,
4876 struct label *dlabel,
4877 struct componentname *cnp,
4878 struct vnode_attr *vap
4879);
4880/**
4881 @brief Access control check for deleting extended attribute
4882 @param cred Subject credential
4883 @param vp Object vnode
4884 @param vlabel Label associated with vp
4885 @param name Extended attribute name
4886
4887 Determine whether the subject identified by the credential can delete
4888 the extended attribute from the passed vnode.
4889
4890 @return Return 0 if access is granted, otherwise an appropriate value for
4891 errno should be returned. Suggested failure: EACCES for label mismatch or
4892 EPERM for lack of privilege.
4893*/
4894typedef int mpo_vnode_check_deleteextattr_t(
4895 kauth_cred_t cred,
4896 struct vnode *vp,
4897 struct label *vlabel,
4898 const char *name
4899);
4900/**
4901 @brief Access control check for exchanging file data
4902 @param cred Subject credential
4903 @param v1 vnode 1 to swap
4904 @param vl1 Policy label for v1
4905 @param v2 vnode 2 to swap
4906 @param vl2 Policy label for v2
4907
4908 Determine whether the subject identified by the credential can swap the data
4909 in the two supplied vnodes.
4910
4911 @return Return 0 if access is granted, otherwise an appropriate value for
4912 errno should be returned. Suggested failure: EACCES for label mismatch or
4913 EPERM for lack of privilege.
4914*/
4915typedef int mpo_vnode_check_exchangedata_t(
4916 kauth_cred_t cred,
4917 struct vnode *v1,
4918 struct label *vl1,
4919 struct vnode *v2,
4920 struct label *vl2
4921);
4922/**
4923 @brief Access control check for executing the vnode
4924 @param cred Subject credential
4925 @param vp Object vnode to execute
4926 @param label Policy label for vp
4927 @param execlabel Userspace provided execution label
4928 @param cnp Component name for file being executed
4929
4930 Determine whether the subject identified by the credential can execute
4931 the passed vnode. Determination of execute privilege is made separately
4932 from decisions about any process label transitioning event.
4933
4934 The final label, execlabel, corresponds to a label supplied by a
4935 user space application through the use of the mac_execve system call.
4936 This label will be NULL if the user application uses the the vendor
4937 execve(2) call instead of the MAC Framework mac_execve() call.
4938
4939 @return Return 0 if access is granted, otherwise an appropriate value for
4940 errno should be returned. Suggested failure: EACCES for label mismatch or
4941 EPERM for lack of privilege.
4942*/
4943typedef int mpo_vnode_check_exec_t(
4944 kauth_cred_t cred,
4945 struct vnode *vp,
4946 struct label *label,
4947 struct label *execlabel, /* NULLOK */
4948 struct componentname *cnp,
4949 u_int *csflags
4950);
4951/**
4952 @brief Access control check for fsgetpath
4953 @param cred Subject credential
4954 @param vp Vnode for which a path will be returned
4955 @param label Label associated with the vnode
4956
4957 Determine whether the subject identified by the credential can get the path
4958 of the given vnode with fsgetpath.
4959
4960 @return Return 0 if access is granted, otherwise an appropriate value for
4961 errno should be returned.
4962*/
4963typedef int mpo_vnode_check_fsgetpath_t(
4964 kauth_cred_t cred,
4965 struct vnode *vp,
4966 struct label *label
4967);
4968/**
4969 @brief Access control check after determining the code directory hash
4970 */
4971typedef int mpo_vnode_check_signature_t(struct vnode *vp, struct label *label,
4972 unsigned char *sha1, void *signature,
4973 int size);
4974
4975/**
4976 @brief Access control check for retrieving file attributes
4977 @param cred Subject credential
4978 @param vp Object vnode
4979 @param vlabel Policy label for vp
4980 @param alist List of attributes to retrieve
4981
4982 Determine whether the subject identified by the credential can read
4983 various attributes of the specified vnode, or the filesystem or volume on
4984 which that vnode resides. See <sys/attr.h> for definitions of the
4985 attributes.
4986
4987 @return Return 0 if access is granted, otherwise an appropriate value for
4988 errno should be returned. Suggested failure: EACCES for label mismatch or
4989 EPERM for lack of privilege. Access control covers all attributes requested
4990 with this call; the security policy is not permitted to change the set of
4991 attributes requested.
4992*/
4993typedef int mpo_vnode_check_getattrlist_t(
4994 kauth_cred_t cred,
4995 struct vnode *vp,
4996 struct label *vlabel,
4997 struct attrlist *alist
4998);
4999/**
5000 @brief Access control check for retrieving an extended attribute
5001 @param cred Subject credential
5002 @param vp Object vnode
5003 @param label Policy label for vp
5004 @param name Extended attribute name
5005 @param uio I/O structure pointer
5006
5007 Determine whether the subject identified by the credential can retrieve
5008 the extended attribute from the passed vnode. The uio parameter
5009 will be NULL when the getxattr(2) call has been made with a NULL data
5010 value; this is done to request the size of the data only.
5011
5012 @return Return 0 if access is granted, otherwise an appropriate value for
5013 errno should be returned. Suggested failure: EACCES for label mismatch or
5014 EPERM for lack of privilege.
5015*/
5016typedef int mpo_vnode_check_getextattr_t(
5017 kauth_cred_t cred,
5018 struct vnode *vp,
5019 struct label *label, /* NULLOK */
5020 const char *name,
5021 struct uio *uio /* NULLOK */
5022);
5023/**
5024 @brief Access control check for ioctl
5025 @param cred Subject credential
5026 @param vp Object vnode
5027 @param label Policy label for vp
5028 @param com Device-dependent request code; see ioctl(2)
5029
5030 Determine whether the subject identified by the credential can perform
5031 the ioctl operation indicated by com.
5032
5033 @warning Since ioctl data is opaque from the standpoint of the MAC
5034 framework, and since ioctls can affect many aspects of system
5035 operation, policies must exercise extreme care when implementing
5036 access control checks.
5037
5038 @return Return 0 if access is granted, otherwise an appropriate value for
5039 errno should be returned.
5040*/
5041typedef int mpo_vnode_check_ioctl_t(
5042 kauth_cred_t cred,
5043 struct vnode *vp,
5044 struct label *label,
5045 unsigned int cmd
5046);
5047/**
5048 @brief Access control check for vnode kqfilter
5049 @param cred Subject credential
5050 @param kn Object knote
5051 @param vp Object vnode
5052 @param label Policy label for vp
5053
5054 Determine whether the subject identified by the credential can
5055 receive the knote on the passed vnode.
5056
5057 @return Return 0 if access if granted, otherwise an appropriate
5058 value for errno should be returned.
5059*/
5060typedef int mpo_vnode_check_kqfilter_t(
5061 kauth_cred_t active_cred,
5062 kauth_cred_t file_cred, /* NULLOK */
5063 struct knote *kn,
5064 struct vnode *vp,
5065 struct label *label
5066);
5067/**
5068 @brief Access control check for relabel
5069 @param cred Subject credential
5070 @param vp Object vnode
5071 @param vnodelabel Existing policy label for vp
5072 @param newlabel Policy label update to later be applied to vp
5073 @see mpo_relable_vnode_t
5074
5075 Determine whether the subject identified by the credential can relabel
5076 the passed vnode to the passed label update. If all policies permit
5077 the label change, the actual relabel entry point (mpo_vnode_label_update)
5078 will follow.
5079
5080 @return Return 0 if access is granted, otherwise an appropriate value for
5081 errno should be returned.
5082*/
5083typedef int mpo_vnode_check_label_update_t(
5084 struct ucred *cred,
5085 struct vnode *vp,
5086 struct label *vnodelabel,
5087 struct label *newlabel
5088);
5089/**
5090 @brief Access control check for creating link
5091 @param cred Subject credential
5092 @param dvp Directory vnode
5093 @param dlabel Policy label associated with dvp
5094 @param vp Link destination vnode
5095 @param label Policy label associated with vp
5096 @param cnp Component name for the link being created
5097
5098 Determine whether the subject identified by the credential should be
5099 allowed to create a link to the vnode vp with the name specified by cnp.
5100
5101 @return Return 0 if access is granted, otherwise an appropriate value for
5102 errno should be returned.
5103*/
5104typedef int mpo_vnode_check_link_t(
5105 kauth_cred_t cred,
5106 struct vnode *dvp,
5107 struct label *dlabel,
5108 struct vnode *vp,
5109 struct label *label,
5110 struct componentname *cnp
5111);
5112/**
5113 @brief Access control check for listing extended attributes
5114 @param cred Subject credential
5115 @param vp Object vnode
5116 @param vlabel Policy label associated with vp
5117
5118 Determine whether the subject identified by the credential can retrieve
5119 a list of named extended attributes from a vnode.
5120
5121 @return Return 0 if access is granted, otherwise an appropriate value for
5122 errno should be returned.
5123*/
5124typedef int mpo_vnode_check_listextattr_t(
5125 kauth_cred_t cred,
5126 struct vnode *vp,
5127 struct label *vlabel
5128);
5129/**
5130 @brief Access control check for lookup
5131 @param cred Subject credential
5132 @param dvp Object vnode
5133 @param dlabel Policy label for dvp
5134 @param cnp Component name being looked up
5135
5136 Determine whether the subject identified by the credential can perform
5137 a lookup in the passed directory vnode for the passed name (cnp).
5138
5139 @return Return 0 if access is granted, otherwise an appropriate value for
5140 errno should be returned. Suggested failure: EACCES for label mismatch or
5141 EPERM for lack of privilege.
5142*/
5143typedef int mpo_vnode_check_lookup_t(
5144 kauth_cred_t cred,
5145 struct vnode *dvp,
5146 struct label *dlabel,
5147 struct componentname *cnp
5148);
5149/**
5150 @brief Access control check for open
5151 @param cred Subject credential
5152 @param vp Object vnode
5153 @param label Policy label associated with vp
5154 @param acc_mode open(2) access mode
5155
5156 Determine whether the subject identified by the credential can perform
5157 an open operation on the passed vnode with the passed access mode.
5158
5159 @return Return 0 if access is granted, otherwise an appropriate value for
5160 errno should be returned. Suggested failure: EACCES for label mismatch or
5161 EPERM for lack of privilege.
5162*/
5163typedef int mpo_vnode_check_open_t(
5164 kauth_cred_t cred,
5165 struct vnode *vp,
5166 struct label *label,
5167 int acc_mode
5168);
5169/**
5170 @brief Access control check for read
5171 @param active_cred Subject credential
5172 @param file_cred Credential associated with the struct fileproc
5173 @param vp Object vnode
5174 @param label Policy label for vp
5175
5176 Determine whether the subject identified by the credential can perform
5177 a read operation on the passed vnode. The active_cred hold the credentials
5178 of the subject performing the operation, and file_cred holds the
5179 credentials of the subject that originally opened the file.
5180
5181 @return Return 0 if access is granted, otherwise an appropriate value for
5182 errno should be returned. Suggested failure: EACCES for label mismatch or
5183 EPERM for lack of privilege.
5184*/
5185typedef int mpo_vnode_check_read_t(
5186 kauth_cred_t active_cred, /* SUBJECT */
5187 kauth_cred_t file_cred, /* NULLOK */
5188 struct vnode *vp, /* OBJECT */
5189 struct label *label /* LABEL */
5190);
5191/**
5192 @brief Access control check for read directory
5193 @param cred Subject credential
5194 @param dvp Object directory vnode
5195 @param dlabel Policy label for dvp
5196
5197 Determine whether the subject identified by the credential can
5198 perform a readdir operation on the passed directory vnode.
5199
5200 @return Return 0 if access is granted, otherwise an appropriate value for
5201 errno should be returned. Suggested failure: EACCES for label mismatch or
5202 EPERM for lack of privilege.
5203*/
5204typedef int mpo_vnode_check_readdir_t(
5205 kauth_cred_t cred, /* SUBJECT */
5206 struct vnode *dvp, /* OBJECT */
5207 struct label *dlabel /* LABEL */
5208);
5209/**
5210 @brief Access control check for read link
5211 @param cred Subject credential
5212 @param vp Object vnode
5213 @param label Policy label for vp
5214
5215 Determine whether the subject identified by the credential can perform
5216 a readlink operation on the passed symlink vnode. This call can be made
5217 in a number of situations, including an explicit readlink call by the
5218 user process, or as a result of an implicit readlink during a name
5219 lookup by the process.
5220
5221 @return Return 0 if access is granted, otherwise an appropriate value for
5222 errno should be returned. Suggested failure: EACCES for label mismatch or
5223 EPERM for lack of privilege.
5224*/
5225typedef int mpo_vnode_check_readlink_t(
5226 kauth_cred_t cred,
5227 struct vnode *vp,
5228 struct label *label
5229);
5230/**
5231 @brief Access control check for rename from
5232 @param cred Subject credential
5233 @param dvp Directory vnode
5234 @param dlabel Policy label associated with dvp
5235 @param vp vnode to be renamed
5236 @param label Policy label associated with vp
5237 @param cnp Component name for vp
5238 @see mpo_vnode_check_rename_to_t
5239
5240 Determine whether the subject identified by the credential should be
5241 allowed to rename the vnode vp to something else.
5242
5243 Due to VFS locking constraints (to make sure proper vnode locks are
5244 held during this entry point), the vnode relabel checks had to be
5245 split into two parts: relabel_from and relabel to.
5246
5247 @return Return 0 if access is granted, otherwise an appropriate value for
5248 errno should be returned.
5249*/
5250typedef int mpo_vnode_check_rename_from_t(
5251 kauth_cred_t cred,
5252 struct vnode *dvp,
5253 struct label *dlabel,
5254 struct vnode *vp,
5255 struct label *label,
5256 struct componentname *cnp
5257);
5258/**
5259 @brief Access control check for rename to
5260 @param cred Subject credential
5261 @param dvp Directory vnode
5262 @param dlabel Policy label associated with dvp
5263 @param vp Overwritten vnode
5264 @param label Policy label associated with vp
5265 @param samedir Boolean; 1 if the source and destination directories are the same
5266 @param cnp Destination component name
5267 @see mpo_vnode_check_rename_from_t
5268
5269 Determine whether the subject identified by the credential should be
5270 allowed to rename to the vnode vp, into the directory dvp, or to the
5271 name represented by cnp. If there is no existing file to overwrite,
5272 vp and label will be NULL.
5273
5274 Due to VFS locking constraints (to make sure proper vnode locks are
5275 held during this entry point), the vnode relabel checks had to be
5276 split into two parts: relabel_from and relabel to.
5277
5278 @return Return 0 if access is granted, otherwise an appropriate value for
5279 errno should be returned.
5280*/
5281typedef int mpo_vnode_check_rename_to_t(
5282 kauth_cred_t cred,
5283 struct vnode *dvp,
5284 struct label *dlabel,
5285 struct vnode *vp, /* NULLOK */
5286 struct label *label, /* NULLOK */
5287 int samedir,
5288 struct componentname *cnp
5289);
5290/**
5291 @brief Access control check for revoke
5292 @param cred Subject credential
5293 @param vp Object vnode
5294 @param label Policy label for vp
5295
5296 Determine whether the subject identified by the credential can revoke
5297 access to the passed vnode.
5298
5299 @return Return 0 if access is granted, otherwise an appropriate value for
5300 errno should be returned. Suggested failure: EACCES for label mismatch or
5301 EPERM for lack of privilege.
5302*/
5303typedef int mpo_vnode_check_revoke_t(
5304 kauth_cred_t cred,
5305 struct vnode *vp,
5306 struct label *label
5307);
5308/**
5309 @brief Access control check for searchfs
5310 @param cred Subject credential
5311 @param vp Object vnode
5312 @param vlabel Policy label for vp
5313 @param alist List of attributes used as search criteria
5314
5315 Determine whether the subject identified by the credential can search the
5316 vnode using the searchfs system call.
5317
5318 @return Return 0 if access is granted, otherwise an appropriate value for
5319 errno should be returned.
5320*/
5321typedef int mpo_vnode_check_searchfs_t(
5322 kauth_cred_t cred,
5323 struct vnode *vp,
5324 struct label *vlabel,
5325 struct attrlist *alist
5326);
5327/**
5328 @brief Access control check for select
5329 @param cred Subject credential
5330 @param vp Object vnode
5331 @param label Policy label for vp
5332 @param which The operation selected on: FREAD or FWRITE
5333
5334 Determine whether the subject identified by the credential can select
5335 the vnode.
5336
5337 @return Return 0 if access is granted, otherwise an appropriate value for
5338 errno should be returned.
5339*/
5340typedef int mpo_vnode_check_select_t(
5341 kauth_cred_t cred,
5342 struct vnode *vp,
5343 struct label *label,
5344 int which
5345);
5346/**
5347 @brief Access control check for setting file attributes
5348 @param cred Subject credential
5349 @param vp Object vnode
5350 @param vlabel Policy label for vp
5351 @param alist List of attributes to set
5352
5353 Determine whether the subject identified by the credential can set
5354 various attributes of the specified vnode, or the filesystem or volume on
5355 which that vnode resides. See <sys/attr.h> for definitions of the
5356 attributes.
5357
5358 @return Return 0 if access is granted, otherwise an appropriate value for
5359 errno should be returned. Suggested failure: EACCES for label mismatch or
5360 EPERM for lack of privilege. Access control covers all attributes requested
5361 with this call.
5362*/
5363typedef int mpo_vnode_check_setattrlist_t(
5364 kauth_cred_t cred,
5365 struct vnode *vp,
5366 struct label *vlabel,
5367 struct attrlist *alist
5368);
5369/**
5370 @brief Access control check for setting extended attribute
5371 @param cred Subject credential
5372 @param vp Object vnode
5373 @param label Policy label for vp
5374 @param name Extended attribute name
5375 @param uio I/O structure pointer
5376
5377 Determine whether the subject identified by the credential can set the
5378 extended attribute of passed name and passed namespace on the passed
5379 vnode. Policies implementing security labels backed into extended
5380 attributes may want to provide additional protections for those
5381 attributes. Additionally, policies should avoid making decisions based
5382 on the data referenced from uio, as there is a potential race condition
5383 between this check and the actual operation. The uio may also be NULL
5384 if a delete operation is being performed.
5385
5386 @return Return 0 if access is granted, otherwise an appropriate value for
5387 errno should be returned. Suggested failure: EACCES for label mismatch or
5388 EPERM for lack of privilege.
5389*/
5390typedef int mpo_vnode_check_setextattr_t(
5391 kauth_cred_t cred,
5392 struct vnode *vp,
5393 struct label *label,
5394 const char *name,
5395 struct uio *uio
5396);
5397/**
5398 @brief Access control check for setting flags
5399 @param cred Subject credential
5400 @param vp Object vnode
5401 @param label Policy label for vp
5402 @param flags File flags; see chflags(2)
5403
5404 Determine whether the subject identified by the credential can set
5405 the passed flags on the passed vnode.
5406
5407 @return Return 0 if access is granted, otherwise an appropriate value for
5408 errno should be returned. Suggested failure: EACCES for label mismatch or
5409 EPERM for lack of privilege.
5410*/
5411typedef int mpo_vnode_check_setflags_t(
5412 kauth_cred_t cred,
5413 struct vnode *vp,
5414 struct label *label,
5415 u_long flags
5416);
5417/**
5418 @brief Access control check for setting mode
5419 @param cred Subject credential
5420 @param vp Object vnode
5421 @param label Policy label for vp
5422 @param mode File mode; see chmod(2)
5423
5424 Determine whether the subject identified by the credential can set
5425 the passed mode on the passed vnode.
5426
5427 @return Return 0 if access is granted, otherwise an appropriate value for
5428 errno should be returned. Suggested failure: EACCES for label mismatch or
5429 EPERM for lack of privilege.
5430*/
5431typedef int mpo_vnode_check_setmode_t(
5432 kauth_cred_t cred,
5433 struct vnode *vp,
5434 struct label *label,
5435 mode_t mode
5436);
5437/**
5438 @brief Access control check for setting uid and gid
5439 @param cred Subject credential
5440 @param vp Object vnode
5441 @param label Policy label for vp
5442 @param uid User ID
5443 @param gid Group ID
5444
5445 Determine whether the subject identified by the credential can set
5446 the passed uid and passed gid as file uid and file gid on the passed
5447 vnode. The IDs may be set to (-1) to request no update.
5448
5449 @return Return 0 if access is granted, otherwise an appropriate value for
5450 errno should be returned. Suggested failure: EACCES for label mismatch or
5451 EPERM for lack of privilege.
5452*/
5453typedef int mpo_vnode_check_setowner_t(
5454 kauth_cred_t cred,
5455 struct vnode *vp,
5456 struct label *label,
5457 uid_t uid,
5458 gid_t gid
5459);
5460/**
5461 @brief Access control check for setting timestamps
5462 @param cred Subject credential
5463 @param vp Object vnode
5464 @param label Policy label for vp
5465 @param atime Access time; see utimes(2)
5466 @param mtime Modification time; see utimes(2)
5467
5468 Determine whether the subject identified by the credential can set
5469 the passed access timestamps on the passed vnode.
5470
5471 @return Return 0 if access is granted, otherwise an appropriate value for
5472 errno should be returned. Suggested failure: EACCES for label mismatch or
5473 EPERM for lack of privilege.
5474*/
5475typedef int mpo_vnode_check_setutimes_t(
5476 kauth_cred_t cred,
5477 struct vnode *vp,
5478 struct label *label,
5479 struct timespec atime,
5480 struct timespec mtime
5481);
5482/**
5483 @brief Access control check for stat
5484 @param active_cred Subject credential
5485 @param file_cred Credential associated with the struct fileproc
5486 @param vp Object vnode
5487 @param label Policy label for vp
5488
5489 Determine whether the subject identified by the credential can stat
5490 the passed vnode. See stat(2) for more information. The active_cred
5491 hold the credentials of the subject performing the operation, and
5492 file_cred holds the credentials of the subject that originally
5493 opened the file.
5494
5495 @return Return 0 if access is granted, otherwise an appropriate value for
5496 errno should be returned. Suggested failure: EACCES for label mismatch or
5497 EPERM for lack of privilege.
5498*/
5499typedef int mpo_vnode_check_stat_t(
5500 struct ucred *active_cred,
5501 struct ucred *file_cred, /* NULLOK */
5502 struct vnode *vp,
5503 struct label *label
5504);
5505/**
5506 @brief Access control check for truncate/ftruncate
5507 @param active_cred Subject credential
5508 @param file_cred Credential associated with the struct fileproc
5509 @param vp Object vnode
5510 @param label Policy label for vp
5511
5512 Determine whether the subject identified by the credential can
5513 perform a truncate operation on the passed vnode. The active_cred hold
5514 the credentials of the subject performing the operation, and
5515 file_cred holds the credentials of the subject that originally
5516 opened the file.
5517
5518 @return Return 0 if access is granted, otherwise an appropriate value for
5519 errno should be returned. Suggested failure: EACCES for label mismatch or
5520 EPERM for lack of privilege.
5521*/
5522typedef int mpo_vnode_check_truncate_t(
5523 kauth_cred_t active_cred,
5524 kauth_cred_t file_cred, /* NULLOK */
5525 struct vnode *vp,
5526 struct label *label
5527);
5528/**
5529 @brief Access control check for binding UNIX domain socket
5530 @param cred Subject credential
5531 @param dvp Directory vnode
5532 @param dlabel Policy label for dvp
5533 @param cnp Component name for dvp
5534 @param vap vnode attributes for vap
5535
5536 Determine whether the subject identified by the credential can perform a
5537 bind operation on a UNIX domain socket with the passed parent directory,
5538 passed name information, and passed attribute information.
5539
5540 @return Return 0 if access is granted, otherwise an appropriate value for
5541 errno should be returned. Suggested failure: EACCES for label mismatch or
5542 EPERM for lack of privilege.
5543*/
5544typedef int mpo_vnode_check_uipc_bind_t(
5545 kauth_cred_t cred,
5546 struct vnode *dvp,
5547 struct label *dlabel,
5548 struct componentname *cnp,
5549 struct vnode_attr *vap
5550);
5551/**
5552 @brief Access control check for connecting UNIX domain socket
5553 @param cred Subject credential
5554 @param vp Object vnode
5555 @param label Policy label associated with vp
5556
5557 Determine whether the subject identified by the credential can perform a
5558 connect operation on the passed UNIX domain socket vnode.
5559
5560 @return Return 0 if access is granted, otherwise an appropriate value for
5561 errno should be returned. Suggested failure: EACCES for label mismatch or
5562 EPERM for lack of privilege.
5563*/
5564typedef int mpo_vnode_check_uipc_connect_t(
5565 kauth_cred_t cred,
5566 struct vnode *vp,
5567 struct label *label
5568);
5569/**
5570 @brief Access control check for deleting vnode
5571 @param cred Subject credential
5572 @param dvp Parent directory vnode
5573 @param dlabel Policy label for dvp
5574 @param vp Object vnode to delete
5575 @param label Policy label for vp
5576 @param cnp Component name for vp
5577 @see mpo_check_rename_to_t
5578
5579 Determine whether the subject identified by the credential can delete
5580 a vnode from the passed parent directory and passed name information.
5581 This call may be made in a number of situations, including as a
5582 results of calls to unlink(2) and rmdir(2). Policies implementing
5583 this entry point should also implement mpo_check_rename_to to
5584 authorize deletion of objects as a result of being the target of a rename.
5585
5586 @return Return 0 if access is granted, otherwise an appropriate value for
5587 errno should be returned. Suggested failure: EACCES for label mismatch or
5588 EPERM for lack of privilege.
5589*/
5590typedef int mpo_vnode_check_unlink_t(
5591 kauth_cred_t cred,
5592 struct vnode *dvp,
5593 struct label *dlabel,
5594 struct vnode *vp,
5595 struct label *label,
5596 struct componentname *cnp
5597);
5598/**
5599 @brief Access control check for write
5600 @param active_cred Subject credential
5601 @param file_cred Credential associated with the struct fileproc
5602 @param vp Object vnode
5603 @param label Policy label for vp
5604
5605 Determine whether the subject identified by the credential can
5606 perform a write operation on the passed vnode. The active_cred hold
5607 the credentials of the subject performing the operation, and
5608 file_cred holds the credentials of the subject that originally
5609 opened the file.
5610
5611 @return Return 0 if access is granted, otherwise an appropriate value for
5612 errno should be returned. Suggested failure: EACCES for label mismatch or
5613 EPERM for lack of privilege.
5614*/
5615typedef int mpo_vnode_check_write_t(
5616 kauth_cred_t active_cred,
5617 kauth_cred_t file_cred, /* NULLOK */
5618 struct vnode *vp,
5619 struct label *label
5620);
5621/**
5622 @brief Associate a vnode with a devfs entry
5623 @param mp Devfs mount point
5624 @param mntlabel Devfs mount point label
5625 @param de Devfs directory entry
5626 @param delabel Label associated with de
5627 @param vp vnode associated with de
5628 @param vlabel Label associated with vp
5629
5630 Fill in the label (vlabel) for a newly created devfs vnode. The
5631 label is typically derived from the label on the devfs directory
5632 entry or the label on the filesystem, supplied as parameters.
5633*/
5634typedef void mpo_vnode_label_associate_devfs_t(
5635 struct mount *mp,
5636 struct label *mntlabel,
5637 struct devnode *de,
5638 struct label *delabel,
5639 struct vnode *vp,
5640 struct label *vlabel
5641);
5642/**
5643 @brief Associate a label with a vnode
5644 @param mp File system mount point
5645 @param mntlabel File system mount point label
5646 @param vp Vnode to label
5647 @param vlabel Label associated with vp
5648
5649 Attempt to retrieve label information for the vnode, vp, from the
5650 file system extended attribute store. The label should be stored in
5651 the supplied vlabel parameter. If a policy cannot retrieve an
5652 extended attribute, sometimes it is acceptible to fallback to using
5653 the mntlabel.
5654
5655 If the policy requires vnodes to have a valid label elsewhere it
5656 MUST NOT return other than temporary errors, and must always provide
5657 a valid label of some sort. Returning an error will cause vnode
5658 labeling to be retried at a later access. Failure to handle policy
5659 centric errors internally (corrupt labels etc.) will result in
5660 inaccessible files.
5661
5662 @return In the event of an error, an appropriate value for errno
5663 should be returned, otherwise return 0 upon success.
5664*/
5665typedef int mpo_vnode_label_associate_extattr_t(
5666 struct mount *mp,
5667 struct label *mntlabel,
5668 struct vnode *vp,
5669 struct label *vlabel
5670);
5671/**
5672 @brief Associate a file label with a vnode
5673 @param cred User credential
5674 @param mp Fdesc mount point
5675 @param mntlabel Fdesc mount point label
5676 @param fg Fileglob structure
5677 @param label Policy label for fg
5678 @param vp Vnode to label
5679 @param vlabel Label associated with vp
5680
5681 Associate label information for the vnode, vp, with the label of
5682 the open file descriptor described by fg.
5683 The label should be stored in the supplied vlabel parameter.
5684*/
5685typedef void mpo_vnode_label_associate_file_t(
5686 struct ucred *cred,
5687 struct mount *mp,
5688 struct label *mntlabel,
5689 struct fileglob *fg,
5690 struct label *label,
5691 struct vnode *vp,
5692 struct label *vlabel
5693);
5694/**
5695 @brief Associate a pipe label with a vnode
5696 @param cred User credential for the process that opened the pipe
5697 @param cpipe Pipe structure
5698 @param pipelabel Label associated with pipe
5699 @param vp Vnode to label
5700 @param vlabel Label associated with vp
5701
5702 Associate label information for the vnode, vp, with the label of
5703 the pipe described by the pipe structure cpipe.
5704 The label should be stored in the supplied vlabel parameter.
5705*/
5706typedef void mpo_vnode_label_associate_pipe_t(
5707 struct ucred *cred,
5708 struct pipe *cpipe,
5709 struct label *pipelabel,
5710 struct vnode *vp,
5711 struct label *vlabel
5712);
5713/**
5714 @brief Associate a POSIX semaphore label with a vnode
5715 @param cred User credential for the process that create psem
5716 @param psem POSIX semaphore structure
5717 @param psemlabel Label associated with psem
5718 @param vp Vnode to label
5719 @param vlabel Label associated with vp
5720
5721 Associate label information for the vnode, vp, with the label of
5722 the POSIX semaphore described by psem.
5723 The label should be stored in the supplied vlabel parameter.
5724*/
5725typedef void mpo_vnode_label_associate_posixsem_t(
5726 struct ucred *cred,
5727 struct pseminfo *psem,
5728 struct label *psemlabel,
5729 struct vnode *vp,
5730 struct label *vlabel
5731);
5732/**
5733 @brief Associate a POSIX shared memory label with a vnode
5734 @param cred User credential for the process that created pshm
5735 @param pshm POSIX shared memory structure
5736 @param pshmlabel Label associated with pshm
5737 @param vp Vnode to label
5738 @param vlabel Label associated with vp
5739
5740 Associate label information for the vnode, vp, with the label of
5741 the POSIX shared memory region described by pshm.
5742 The label should be stored in the supplied vlabel parameter.
5743*/
5744typedef void mpo_vnode_label_associate_posixshm_t(
5745 struct ucred *cred,
5746 struct pshminfo *pshm,
5747 struct label *pshmlabel,
5748 struct vnode *vp,
5749 struct label *vlabel
5750);
5751/**
5752 @brief Associate a label with a vnode
5753 @param mp File system mount point
5754 @param mntlabel File system mount point label
5755 @param vp Vnode to label
5756 @param vlabel Label associated with vp
5757
5758 On non-multilabel file systems, set the label for a vnode. The
5759 label will most likely be based on the file system label.
5760*/
5761typedef void mpo_vnode_label_associate_singlelabel_t(
5762 struct mount *mp,
5763 struct label *mntlabel,
5764 struct vnode *vp,
5765 struct label *vlabel
5766);
5767/**
5768 @brief Associate a socket label with a vnode
5769 @param cred User credential for the process that opened the socket
5770 @param so Socket structure
5771 @param solabel Label associated with so
5772 @param vp Vnode to label
5773 @param vlabel Label associated with vp
5774
5775 Associate label information for the vnode, vp, with the label of
5776 the open socket described by the socket structure so.
5777 The label should be stored in the supplied vlabel parameter.
5778*/
5779typedef void mpo_vnode_label_associate_socket_t(
5780 kauth_cred_t cred,
5781 socket_t so,
5782 struct label *solabel,
5783 struct vnode *vp,
5784 struct label *vlabel
5785);
5786/**
5787 @brief Copy a vnode label
5788 @param src Source vnode label
5789 @param dest Destination vnode label
5790
5791 Copy the vnode label information from src to dest. On Darwin, this
5792 is currently only necessary when executing interpreted scripts, but
5793 will later be used if vnode label externalization cannot be an
5794 atomic operation.
5795*/
5796typedef void mpo_vnode_label_copy_t(
5797 struct label *src,
5798 struct label *dest
5799);
5800/**
5801 @brief Destroy vnode label
5802 @param label The label to be destroyed
5803
5804 Destroy a vnode label. Since the object is going out of scope,
5805 policy modules should free any internal storage associated with the
5806 label so that it may be destroyed.
5807*/
5808typedef void mpo_vnode_label_destroy_t(
5809 struct label *label
5810);
5811/**
5812 @brief Externalize a vnode label for auditing
5813 @param label Label to be externalized
5814 @param element_name Name of the label namespace for which labels should be
5815 externalized
5816 @param sb String buffer to be filled with a text representation of the label
5817
5818 Produce an external representation of the label on a vnode suitable for
5819 inclusion in an audit record. An externalized label consists of a text
5820 representation of the label contents that will be added to the audit record
5821 as part of a text token. Policy-agnostic user space tools will display
5822 this externalized version.
5823
5824 @return 0 on success, return non-zero if an error occurs while
5825 externalizing the label data.
5826
5827*/
5828typedef int mpo_vnode_label_externalize_audit_t(
5829 struct label *label,
5830 char *element_name,
5831 struct sbuf *sb
5832);
5833/**
5834 @brief Externalize a vnode label
5835 @param label Label to be externalized
5836 @param element_name Name of the label namespace for which labels should be
5837 externalized
5838 @param sb String buffer to be filled with a text representation of the label
5839
5840 Produce an external representation of the label on a vnode. An
5841 externalized label consists of a text representation of the label
5842 contents that can be used with user applications. Policy-agnostic
5843 user space tools will display this externalized version.
5844
5845 @return 0 on success, return non-zero if an error occurs while
5846 externalizing the label data.
5847
5848*/
5849typedef int mpo_vnode_label_externalize_t(
5850 struct label *label,
5851 char *element_name,
5852 struct sbuf *sb
5853);
5854/**
5855 @brief Initialize vnode label
5856 @param label New label to initialize
5857
5858 Initialize label storage for use with a newly instantiated vnode, or
5859 for temporary storage associated with the copying in or out of a
5860 vnode label. While it is necessary to allocate space for a
5861 kernel-resident vnode label, it is not yet necessary to link this vnode
5862 with persistent label storage facilities, such as extended attributes.
5863 Sleeping is permitted.
5864*/
5865typedef void mpo_vnode_label_init_t(
5866 struct label *label
5867);
5868/**
5869 @brief Internalize a vnode label
5870 @param label Label to be internalized
5871 @param element_name Name of the label namespace for which the label should
5872 be internalized
5873 @param element_data Text data to be internalized
5874
5875 Produce a vnode label from an external representation. An
5876 externalized label consists of a text representation of the label
5877 contents that can be used with user applications. Policy-agnostic
5878 user space tools will forward text version to the kernel for
5879 processing by individual policy modules.
5880
5881 The policy's internalize entry points will be called only if the
5882 policy has registered interest in the label namespace.
5883
5884 @return 0 on success, Otherwise, return non-zero if an error occurs
5885 while internalizing the label data.
5886*/
5887typedef int mpo_vnode_label_internalize_t(
5888 struct label *label,
5889 char *element_name,
5890 char *element_data
5891);
5892/**
5893 @brief Clean up a vnode label
5894 @param label The label to be cleaned for re-use
5895
5896 Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but
5897 typically never frees them. Before vnodes are placed back on free lists for
5898 re-use, policies can cleanup or overwrite any information present in the label.
5899*/
5900typedef void mpo_vnode_label_recycle_t(
5901 struct label *label
5902);
5903/**
5904 @brief Write a label to a extended attribute
5905 @param cred Subject credential
5906 @param vp The vnode for which the label is being stored
5907 @param vlabel Label associated with vp
5908 @param intlabel The new label to store
5909
5910 Store a new label in the extended attribute corresponding to the
5911 supplied vnode. The policy has already authorized the operation;
5912 this call must be implemented in order to perform the actual
5913 operation.
5914
5915 @return In the event of an error, an appropriate value for errno
5916 should be returned, otherwise return 0 upon success.
5917
5918 @warning XXX After examining the extended attribute implementation on
5919 Apple's future release, this entry point may be changed.
5920*/
5921typedef int mpo_vnode_label_store_t(
5922 kauth_cred_t cred,
5923 struct vnode *vp,
5924 struct label *vlabel,
5925 struct label *intlabel
5926);
5927/**
5928 @brief Update vnode label from extended attributes
5929 @param mp File system mount point
5930 @param mntlabel Mount point label
5931 @param vp Vnode to label
5932 @param vlabel Label associated with vp
5933 @param name Name of the xattr
5934 @see mpo_vnode_check_setextattr_t
5935
5936 When an extended attribute is updated via the Vendor attribute management
5937 functions, the MAC vnode label might also require an update.
5938 Policies should first determine if 'name' matches their xattr label
5939 name. If it does, the kernel is has either replaced or removed the
5940 named extended attribute that was previously associated with the
5941 vnode. Normally labels should only be modified via MAC Framework label
5942 management calls, but sometimes the user space components will directly
5943 modify extended attributes. For example, 'cp', 'tar', etc. manage
5944 extended attributes in userspace, not the kernel.
5945
5946 This entry point is called after the label update has occurred, so
5947 it cannot return a failure. However, the operation is preceded by
5948 the mpo_vnode_check_setextattr() access control check.
5949
5950 If the vnode label needs to be updated the policy should return
5951 a non-zero value. The vnode label will be marked for re-association
5952 by the framework.
5953*/
5954typedef int mpo_vnode_label_update_extattr_t(
5955 struct mount *mp,
5956 struct label *mntlabel,
5957 struct vnode *vp,
5958 struct label *vlabel,
5959 const char *name
5960);
5961/**
5962 @brief Update a vnode label
5963 @param cred Subject credential
5964 @param vp The vnode to relabel
5965 @param vnodelabel Existing vnode label
5966 @param label New label to replace existing label
5967 @see mpo_vnode_check_label_update_t
5968
5969 The subject identified by the credential has previously requested
5970 and was authorized to relabel the vnode; this entry point allows
5971 policies to perform the actual relabel operation. Policies should
5972 update vnodelabel using the label stored in the label parameter.
5973*/
5974typedef void mpo_vnode_label_update_t(
5975 kauth_cred_t cred,
5976 struct vnode *vp,
5977 struct label *vnodelabel,
5978 struct label *label
5979);
5980/**
5981 @brief Create a new vnode, backed by extended attributes
5982 @param cred User credential for the creating process
5983 @param mp File system mount point
5984 @param mntlabel File system mount point label
5985 @param dvp Parent directory vnode
5986 @param dlabel Parent directory vnode label
5987 @param vp Newly created vnode
5988 @param vlabel Label to associate with the new vnode
5989 @param cnp Component name for vp
5990
5991 Write out the label for the newly created vnode, most likely storing
5992 the results in a file system extended attribute. Most policies will
5993 derive the new vnode label using information from a combination
5994 of the subject (user) credential, the file system label, the parent
5995 directory label, and potentially the path name component.
5996
5997 @return If the operation succeeds, store the new label in vlabel and
5998 return 0. Otherwise, return an appropriate errno value.
5999*/
6000typedef int mpo_vnode_notify_create_t(
6001 kauth_cred_t cred,
6002 struct mount *mp,
6003 struct label *mntlabel,
6004 struct vnode *dvp,
6005 struct label *dlabel,
6006 struct vnode *vp,
6007 struct label *vlabel,
6008 struct componentname *cnp
6009);
6010
6011/**
6012 @brief Inform MAC policies that a vnode has been renamed
6013 @param cred User credential for the renaming process
6014 @param vp Vnode that's being renamed
6015 @param label Policy label for vp
6016 @param dvp Parent directory for the destination
6017 @param dlabel Policy label for dvp
6018 @param cnp Component name for the destination
6019
6020 Inform MAC policies that a vnode has been renamed.
6021 */
6022typedef void mpo_vnode_notify_rename_t(
6023 kauth_cred_t cred,
6024 struct vnode *vp,
6025 struct label *label,
6026 struct vnode *dvp,
6027 struct label *dlabel,
6028 struct componentname *cnp
6029);
6030
6031/*
6032 * Placeholder for future events that may need mac hooks.
6033 */
6034typedef void mpo_reserved_hook_t(void);
6035
6036/*!
6037 \struct mac_policy_ops
6038*/
6039#define MAC_POLICY_OPS_VERSION 13 /* inc when new reserved slots are taken */
6040struct mac_policy_ops {
6041 mpo_audit_check_postselect_t *mpo_audit_check_postselect;
6042 mpo_audit_check_preselect_t *mpo_audit_check_preselect;
6043 mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate;
6044 mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy;
6045 mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init;
6046 mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive;
6047 mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve;
6048 mpo_cred_check_label_update_t *mpo_cred_check_label_update;
6049 mpo_cred_check_visible_t *mpo_cred_check_visible;
6050 mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork;
6051 mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel;
6052 mpo_cred_label_associate_t *mpo_cred_label_associate;
6053 mpo_cred_label_associate_user_t *mpo_cred_label_associate_user;
6054 mpo_cred_label_destroy_t *mpo_cred_label_destroy;
6055 mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit;
6056 mpo_cred_label_externalize_t *mpo_cred_label_externalize;
6057 mpo_cred_label_init_t *mpo_cred_label_init;
6058 mpo_cred_label_internalize_t *mpo_cred_label_internalize;
6059 mpo_cred_label_update_execve_t *mpo_cred_label_update_execve;
6060 mpo_cred_label_update_t *mpo_cred_label_update;
6061 mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device;
6062 mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory;
6063 mpo_devfs_label_copy_t *mpo_devfs_label_copy;
6064 mpo_devfs_label_destroy_t *mpo_devfs_label_destroy;
6065 mpo_devfs_label_init_t *mpo_devfs_label_init;
6066 mpo_devfs_label_update_t *mpo_devfs_label_update;
6067 mpo_file_check_change_offset_t *mpo_file_check_change_offset;
6068 mpo_file_check_create_t *mpo_file_check_create;
6069 mpo_file_check_dup_t *mpo_file_check_dup;
6070 mpo_file_check_fcntl_t *mpo_file_check_fcntl;
6071 mpo_file_check_get_offset_t *mpo_file_check_get_offset;
6072 mpo_file_check_get_t *mpo_file_check_get;
6073 mpo_file_check_inherit_t *mpo_file_check_inherit;
6074 mpo_file_check_ioctl_t *mpo_file_check_ioctl;
6075 mpo_file_check_lock_t *mpo_file_check_lock;
6076 mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade;
6077 mpo_file_check_mmap_t *mpo_file_check_mmap;
6078 mpo_file_check_receive_t *mpo_file_check_receive;
6079 mpo_file_check_set_t *mpo_file_check_set;
6080 mpo_file_label_init_t *mpo_file_label_init;
6081 mpo_file_label_destroy_t *mpo_file_label_destroy;
6082 mpo_file_label_associate_t *mpo_file_label_associate;
6083 mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update;
6084 mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit;
6085 mpo_ifnet_label_associate_t *mpo_ifnet_label_associate;
6086 mpo_ifnet_label_copy_t *mpo_ifnet_label_copy;
6087 mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy;
6088 mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize;
6089 mpo_ifnet_label_init_t *mpo_ifnet_label_init;
6090 mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize;
6091 mpo_ifnet_label_update_t *mpo_ifnet_label_update;
6092 mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle;
6093 mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver;
6094 mpo_inpcb_label_associate_t *mpo_inpcb_label_associate;
6095 mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy;
6096 mpo_inpcb_label_init_t *mpo_inpcb_label_init;
6097 mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle;
6098 mpo_inpcb_label_update_t *mpo_inpcb_label_update;
6099 mpo_iokit_check_device_t *mpo_iokit_check_device;
6100 mpo_ipq_label_associate_t *mpo_ipq_label_associate;
6101 mpo_ipq_label_compare_t *mpo_ipq_label_compare;
6102 mpo_ipq_label_destroy_t *mpo_ipq_label_destroy;
6103 mpo_ipq_label_init_t *mpo_ipq_label_init;
6104 mpo_ipq_label_update_t *mpo_ipq_label_update;
6105 mpo_lctx_check_label_update_t *mpo_lctx_check_label_update;
6106 mpo_lctx_label_destroy_t *mpo_lctx_label_destroy;
6107 mpo_lctx_label_externalize_t *mpo_lctx_label_externalize;
6108 mpo_lctx_label_init_t *mpo_lctx_label_init;
6109 mpo_lctx_label_internalize_t *mpo_lctx_label_internalize;
6110 mpo_lctx_label_update_t *mpo_lctx_label_update;
6111 mpo_lctx_notify_create_t *mpo_lctx_notify_create;
6112 mpo_lctx_notify_join_t *mpo_lctx_notify_join;
6113 mpo_lctx_notify_leave_t *mpo_lctx_notify_leave;
6114 mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc;
6115 mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet;
6116 mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb;
6117 mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq;
6118 mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer;
6119 mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap;
6120 mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer;
6121 mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket;
6122 mpo_mbuf_label_copy_t *mpo_mbuf_label_copy;
6123 mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy;
6124 mpo_mbuf_label_init_t *mpo_mbuf_label_init;
6125 mpo_mount_check_fsctl_t *mpo_mount_check_fsctl;
6126 mpo_mount_check_getattr_t *mpo_mount_check_getattr;
6127 mpo_mount_check_label_update_t *mpo_mount_check_label_update;
6128 mpo_mount_check_mount_t *mpo_mount_check_mount;
6129 mpo_mount_check_remount_t *mpo_mount_check_remount;
6130 mpo_mount_check_setattr_t *mpo_mount_check_setattr;
6131 mpo_mount_check_stat_t *mpo_mount_check_stat;
6132 mpo_mount_check_umount_t *mpo_mount_check_umount;
6133 mpo_mount_label_associate_t *mpo_mount_label_associate;
6134 mpo_mount_label_destroy_t *mpo_mount_label_destroy;
6135 mpo_mount_label_externalize_t *mpo_mount_label_externalize;
6136 mpo_mount_label_init_t *mpo_mount_label_init;
6137 mpo_mount_label_internalize_t *mpo_mount_label_internalize;
6138 mpo_netinet_fragment_t *mpo_netinet_fragment;
6139 mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply;
6140 mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply;
6141 mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl;
6142 mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter;
6143 mpo_pipe_check_label_update_t *mpo_pipe_check_label_update;
6144 mpo_pipe_check_read_t *mpo_pipe_check_read;
6145 mpo_pipe_check_select_t *mpo_pipe_check_select;
6146 mpo_pipe_check_stat_t *mpo_pipe_check_stat;
6147 mpo_pipe_check_write_t *mpo_pipe_check_write;
6148 mpo_pipe_label_associate_t *mpo_pipe_label_associate;
6149 mpo_pipe_label_copy_t *mpo_pipe_label_copy;
6150 mpo_pipe_label_destroy_t *mpo_pipe_label_destroy;
6151 mpo_pipe_label_externalize_t *mpo_pipe_label_externalize;
6152 mpo_pipe_label_init_t *mpo_pipe_label_init;
6153 mpo_pipe_label_internalize_t *mpo_pipe_label_internalize;
6154 mpo_pipe_label_update_t *mpo_pipe_label_update;
6155 mpo_policy_destroy_t *mpo_policy_destroy;
6156 mpo_policy_init_t *mpo_policy_init;
6157 mpo_policy_initbsd_t *mpo_policy_initbsd;
6158 mpo_policy_syscall_t *mpo_policy_syscall;
6159 mpo_port_check_copy_send_t *mpo_port_check_copy_send;
6160 mpo_port_check_hold_receive_t *mpo_port_check_hold_receive;
6161 mpo_port_check_hold_send_once_t *mpo_port_check_hold_send_once;
6162 mpo_port_check_hold_send_t *mpo_port_check_hold_send;
6163 mpo_port_check_label_update_t *mpo_port_check_label_update;
6164 mpo_port_check_make_send_once_t *mpo_port_check_make_send_once;
6165 mpo_port_check_make_send_t *mpo_port_check_make_send;
6166 mpo_port_check_method_t *mpo_port_check_method;
6167 mpo_port_check_move_receive_t *mpo_port_check_move_receive;
6168 mpo_port_check_move_send_once_t *mpo_port_check_move_send_once;
6169 mpo_port_check_move_send_t *mpo_port_check_move_send;
6170 mpo_port_check_receive_t *mpo_port_check_receive;
6171 mpo_port_check_send_t *mpo_port_check_send;
6172 mpo_port_check_service_t *mpo_port_check_service;
6173 mpo_port_label_associate_kernel_t *mpo_port_label_associate_kernel;
6174 mpo_port_label_associate_t *mpo_port_label_associate;
6175 mpo_port_label_compute_t *mpo_port_label_compute;
6176 mpo_port_label_copy_t *mpo_port_label_copy;
6177 mpo_port_label_destroy_t *mpo_port_label_destroy;
6178 mpo_port_label_init_t *mpo_port_label_init;
6179 mpo_port_label_update_cred_t *mpo_port_label_update_cred;
6180 mpo_port_label_update_kobject_t *mpo_port_label_update_kobject;
6181 mpo_posixsem_check_create_t *mpo_posixsem_check_create;
6182 mpo_posixsem_check_open_t *mpo_posixsem_check_open;
6183 mpo_posixsem_check_post_t *mpo_posixsem_check_post;
6184 mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink;
6185 mpo_posixsem_check_wait_t *mpo_posixsem_check_wait;
6186 mpo_posixsem_label_associate_t *mpo_posixsem_label_associate;
6187 mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy;
6188 mpo_posixsem_label_init_t *mpo_posixsem_label_init;
6189 mpo_posixshm_check_create_t *mpo_posixshm_check_create;
6190 mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap;
6191 mpo_posixshm_check_open_t *mpo_posixshm_check_open;
6192 mpo_posixshm_check_stat_t *mpo_posixshm_check_stat;
6193 mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate;
6194 mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink;
6195 mpo_posixshm_label_associate_t *mpo_posixshm_label_associate;
6196 mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy;
6197 mpo_posixshm_label_init_t *mpo_posixshm_label_init;
6198 mpo_proc_check_debug_t *mpo_proc_check_debug;
6199 mpo_proc_check_fork_t *mpo_proc_check_fork;
6200 mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name;
6201 mpo_proc_check_get_task_t *mpo_proc_check_get_task;
6202 mpo_proc_check_getaudit_t *mpo_proc_check_getaudit;
6203 mpo_proc_check_getauid_t *mpo_proc_check_getauid;
6204 mpo_proc_check_getlcid_t *mpo_proc_check_getlcid;
6205 mpo_proc_check_mprotect_t *mpo_proc_check_mprotect;
6206 mpo_proc_check_sched_t *mpo_proc_check_sched;
6207 mpo_proc_check_setaudit_t *mpo_proc_check_setaudit;
6208 mpo_proc_check_setauid_t *mpo_proc_check_setauid;
6209 mpo_proc_check_setlcid_t *mpo_proc_check_setlcid;
6210 mpo_proc_check_signal_t *mpo_proc_check_signal;
6211 mpo_proc_check_wait_t *mpo_proc_check_wait;
6212 mpo_proc_label_destroy_t *mpo_proc_label_destroy;
6213 mpo_proc_label_init_t *mpo_proc_label_init;
6214 mpo_socket_check_accept_t *mpo_socket_check_accept;
6215 mpo_socket_check_accepted_t *mpo_socket_check_accepted;
6216 mpo_socket_check_bind_t *mpo_socket_check_bind;
6217 mpo_socket_check_connect_t *mpo_socket_check_connect;
6218 mpo_socket_check_create_t *mpo_socket_check_create;
6219 mpo_socket_check_deliver_t *mpo_socket_check_deliver;
6220 mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter;
6221 mpo_socket_check_label_update_t *mpo_socket_check_label_update;
6222 mpo_socket_check_listen_t *mpo_socket_check_listen;
6223 mpo_socket_check_receive_t *mpo_socket_check_receive;
6224 mpo_socket_check_received_t *mpo_socket_check_received;
6225 mpo_socket_check_select_t *mpo_socket_check_select;
6226 mpo_socket_check_send_t *mpo_socket_check_send;
6227 mpo_socket_check_stat_t *mpo_socket_check_stat;
6228 mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt;
6229 mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt;
6230 mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept;
6231 mpo_socket_label_associate_t *mpo_socket_label_associate;
6232 mpo_socket_label_copy_t *mpo_socket_label_copy;
6233 mpo_socket_label_destroy_t *mpo_socket_label_destroy;
6234 mpo_socket_label_externalize_t *mpo_socket_label_externalize;
6235 mpo_socket_label_init_t *mpo_socket_label_init;
6236 mpo_socket_label_internalize_t *mpo_socket_label_internalize;
6237 mpo_socket_label_update_t *mpo_socket_label_update;
6238 mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf;
6239 mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket;
6240 mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy;
6241 mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize;
6242 mpo_socketpeer_label_init_t *mpo_socketpeer_label_init;
6243 mpo_system_check_acct_t *mpo_system_check_acct;
6244 mpo_system_check_audit_t *mpo_system_check_audit;
6245 mpo_system_check_auditctl_t *mpo_system_check_auditctl;
6246 mpo_system_check_auditon_t *mpo_system_check_auditon;
6247 mpo_system_check_host_priv_t *mpo_system_check_host_priv;
6248 mpo_system_check_nfsd_t *mpo_system_check_nfsd;
6249 mpo_system_check_reboot_t *mpo_system_check_reboot;
6250 mpo_system_check_settime_t *mpo_system_check_settime;
6251 mpo_system_check_swapoff_t *mpo_system_check_swapoff;
6252 mpo_system_check_swapon_t *mpo_system_check_swapon;
6253 mpo_system_check_sysctl_t *mpo_system_check_sysctl;
6254 mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate;
6255 mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy;
6256 mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init;
6257 mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle;
6258 mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue;
6259 mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv;
6260 mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid;
6261 mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl;
6262 mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget;
6263 mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv;
6264 mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd;
6265 mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate;
6266 mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy;
6267 mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init;
6268 mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle;
6269 mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl;
6270 mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget;
6271 mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop;
6272 mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate;
6273 mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy;
6274 mpo_sysvsem_label_init_t *mpo_sysvsem_label_init;
6275 mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle;
6276 mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat;
6277 mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl;
6278 mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt;
6279 mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget;
6280 mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate;
6281 mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy;
6282 mpo_sysvshm_label_init_t *mpo_sysvshm_label_init;
6283 mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle;
6284 mpo_task_label_associate_kernel_t *mpo_task_label_associate_kernel;
6285 mpo_task_label_associate_t *mpo_task_label_associate;
6286 mpo_task_label_copy_t *mpo_task_label_copy;
6287 mpo_task_label_destroy_t *mpo_task_label_destroy;
6288 mpo_task_label_externalize_t *mpo_task_label_externalize;
6289 mpo_task_label_init_t *mpo_task_label_init;
6290 mpo_task_label_internalize_t *mpo_task_label_internalize;
6291 mpo_task_label_update_t *mpo_task_label_update;
6292 mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control;
6293 mpo_vnode_check_access_t *mpo_vnode_check_access;
6294 mpo_vnode_check_chdir_t *mpo_vnode_check_chdir;
6295 mpo_vnode_check_chroot_t *mpo_vnode_check_chroot;
6296 mpo_vnode_check_create_t *mpo_vnode_check_create;
6297 mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr;
6298 mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata;
6299 mpo_vnode_check_exec_t *mpo_vnode_check_exec;
6300 mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist;
6301 mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr;
6302 mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl;
6303 mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter;
6304 mpo_vnode_check_label_update_t *mpo_vnode_check_label_update;
6305 mpo_vnode_check_link_t *mpo_vnode_check_link;
6306 mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr;
6307 mpo_vnode_check_lookup_t *mpo_vnode_check_lookup;
6308 mpo_vnode_check_open_t *mpo_vnode_check_open;
6309 mpo_vnode_check_read_t *mpo_vnode_check_read;
6310 mpo_vnode_check_readdir_t *mpo_vnode_check_readdir;
6311 mpo_vnode_check_readlink_t *mpo_vnode_check_readlink;
6312 mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from;
6313 mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to;
6314 mpo_vnode_check_revoke_t *mpo_vnode_check_revoke;
6315 mpo_vnode_check_select_t *mpo_vnode_check_select;
6316 mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist;
6317 mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr;
6318 mpo_vnode_check_setflags_t *mpo_vnode_check_setflags;
6319 mpo_vnode_check_setmode_t *mpo_vnode_check_setmode;
6320 mpo_vnode_check_setowner_t *mpo_vnode_check_setowner;
6321 mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes;
6322 mpo_vnode_check_stat_t *mpo_vnode_check_stat;
6323 mpo_vnode_check_truncate_t *mpo_vnode_check_truncate;
6324 mpo_vnode_check_unlink_t *mpo_vnode_check_unlink;
6325 mpo_vnode_check_write_t *mpo_vnode_check_write;
6326 mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs;
6327 mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr;
6328 mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file;
6329 mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe;
6330 mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem;
6331 mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm;
6332 mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel;
6333 mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket;
6334 mpo_vnode_label_copy_t *mpo_vnode_label_copy;
6335 mpo_vnode_label_destroy_t *mpo_vnode_label_destroy;
6336 mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit;
6337 mpo_vnode_label_externalize_t *mpo_vnode_label_externalize;
6338 mpo_vnode_label_init_t *mpo_vnode_label_init;
6339 mpo_vnode_label_internalize_t *mpo_vnode_label_internalize;
6340 mpo_vnode_label_recycle_t *mpo_vnode_label_recycle;
6341 mpo_vnode_label_store_t *mpo_vnode_label_store;
6342 mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr;
6343 mpo_vnode_label_update_t *mpo_vnode_label_update;
6344 mpo_vnode_notify_create_t *mpo_vnode_notify_create;
6345 mpo_vnode_check_signature_t *mpo_vnode_check_signature;
6346 mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind;
6347 mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect;
6348 mac_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid;
6349 mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume;
6350 mpo_thread_userret_t *mpo_thread_userret;
6351 mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties;
6352 mpo_system_check_chud_t *mpo_system_check_chud;
6353 mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs;
6354 mpo_priv_check_t *mpo_priv_check;
6355 mpo_priv_grant_t *mpo_priv_grant;
6356 mpo_proc_check_map_anon_t *mpo_proc_check_map_anon;
6357 mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath;
6358 mpo_iokit_check_open_t *mpo_iokit_check_open;
6359 mpo_proc_check_ledger_t *mpo_proc_check_ledger;
6360 mpo_vnode_notify_rename_t *mpo_vnode_notify_rename;
6361 mpo_thread_label_init_t *mpo_thread_label_init;
6362 mpo_thread_label_destroy_t *mpo_thread_label_destroy;
6363 mpo_system_check_kas_info_t *mpo_system_check_kas_info;
6364 mpo_reserved_hook_t *mpo_reserved18;
6365 mpo_reserved_hook_t *mpo_reserved19;
6366 mpo_reserved_hook_t *mpo_reserved20;
6367 mpo_reserved_hook_t *mpo_reserved21;
6368 mpo_reserved_hook_t *mpo_reserved22;
6369 mpo_reserved_hook_t *mpo_reserved23;
6370 mpo_reserved_hook_t *mpo_reserved24;
6371 mpo_reserved_hook_t *mpo_reserved25;
6372 mpo_reserved_hook_t *mpo_reserved26;
6373 mpo_reserved_hook_t *mpo_reserved27;
6374 mpo_reserved_hook_t *mpo_reserved28;
6375 mpo_reserved_hook_t *mpo_reserved29;
6376};
6377
6378/**
6379 @brief MAC policy handle type
6380
6381 The MAC handle is used to uniquely identify a loaded policy within
6382 the MAC Framework.
6383
6384 A variable of this type is set by mac_policy_register().
6385 */
6386typedef unsigned int mac_policy_handle_t;
6387
6388#define mpc_t struct mac_policy_conf *
6389
6390/**
6391 @brief Mac policy configuration
6392
6393 This structure specifies the configuration information for a
6394 MAC policy module. A policy module developer must supply
6395 a short unique policy name, a more descriptive full name, a list of label
6396 namespaces and count, a pointer to the registered enty point operations,
6397 any load time flags, and optionally, a pointer to a label slot identifier.
6398
6399 The Framework will update the runtime flags (mpc_runtime_flags) to
6400 indicate that the module has been registered.
6401
6402 If the label slot identifier (mpc_field_off) is NULL, the Framework
6403 will not provide label storage for the policy. Otherwise, the
6404 Framework will store the label location (slot) in this field.
6405
6406 The mpc_list field is used by the Framework and should not be
6407 modified by policies.
6408*/
6409/* XXX - reorder these for better aligment on 64bit platforms */
6410struct mac_policy_conf {
6411 const char *mpc_name; /** policy name */
6412 const char *mpc_fullname; /** full name */
6413 const char **mpc_labelnames; /** managed label namespaces */
6414 unsigned int mpc_labelname_count; /** number of managed label namespaces */
6415 struct mac_policy_ops *mpc_ops; /** operation vector */
6416 int mpc_loadtime_flags; /** load time flags */
6417 int *mpc_field_off; /** label slot */
6418 int mpc_runtime_flags; /** run time flags */
6419 mpc_t mpc_list; /** List reference */
6420 void *mpc_data; /** module data */
6421};
6422
6423/**
6424 @brief MAC policy module registration routine
6425
6426 This function is called to register a policy with the
6427 MAC framework. A policy module will typically call this from the
6428 Darwin KEXT registration routine.
6429 */
6430int mac_policy_register(struct mac_policy_conf *mpc,
6431 mac_policy_handle_t *handlep, void *xd);
6432
6433/**
6434 @brief MAC policy module de-registration routine
6435
6436 This function is called to de-register a policy with theD
6437 MAC framework. A policy module will typically call this from the
6438 Darwin KEXT de-registration routine.
6439 */
6440int mac_policy_unregister(mac_policy_handle_t handle);
6441
6442/*
6443 * Framework entry points for the policies to add audit data.
6444 */
6445int mac_audit_text(char *text, mac_policy_handle_t handle);
6446
6447/*
6448 * Calls to assist with use of Apple XATTRs within policy modules.
6449 */
6450int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t);
6451int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t,
6452 size_t *);
6453int mac_vnop_removexattr(struct vnode *, const char *);
6454
6455/*
6456 * Arbitrary limit on how much data will be logged by the audit
6457 * entry points above.
6458 */
6459#define MAC_AUDIT_DATA_LIMIT 1024
6460
6461/*
6462 * Values returned by mac_audit_{pre,post}select. To combine the responses
6463 * of the security policies into a single decision,
6464 * mac_audit_{pre,post}select() choose the greatest value returned.
6465 */
6466#define MAC_AUDIT_DEFAULT 0 /* use system behavior */
6467#define MAC_AUDIT_NO 1 /* force not auditing this event */
6468#define MAC_AUDIT_YES 2 /* force auditing this event */
6469
6470// \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field
6471
6472/**
6473 @name Flags for the mpc_loadtime_flags field
6474 @see mac_policy_conf
6475
6476 This is the complete list of flags that are supported by the
6477 mpc_loadtime_flags field of the mac_policy_conf structure. These
6478 flags specify the load time behavior of MAC Framework policy
6479 modules.
6480*/
6481
6482/*@{*/
6483
6484/**
6485 @brief Flag to indicate registration preference
6486
6487 This flag indicates that the policy module must be loaded and
6488 initialized early in the boot process. If the flag is specified,
6489 attempts to register the module following boot will be rejected. The
6490 flag may be used by policies that require pervasive labeling of all
6491 system objects, and cannot handle objects that have not been
6492 properly initialized by the policy.
6493 */
6494#define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
6495
6496/**
6497 @brief Flag to indicate unload preference
6498
6499 This flag indicates that the policy module may be unloaded. If this
6500 flag is not set, then the policy framework will reject requests to
6501 unload the module. This flag might be used by modules that allocate
6502 label state and are unable to free that state at runtime, or for
6503 modules that simply do not want to permit unload operations.
6504*/
6505#define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
6506
6507/**
6508 @brief Unsupported
6509
6510 XXX This flag is not yet supported.
6511*/
6512#define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
6513
6514/**
6515 @brief Flag to indicate a base policy
6516
6517 This flag indicates that the policy module is a base policy. Only
6518 one module can declare itself as base, otherwise the boot process
6519 will be halted.
6520 */
6521#define MPC_LOADTIME_BASE_POLICY 0x00000008
6522
6523/*@}*/
6524
6525/**
6526 @brief Policy registration flag
6527 @see mac_policy_conf
6528
6529 This flag indicates that the policy module has been successfully
6530 registered with the TrustedBSD MAC Framework. The Framework will
6531 set this flag in the mpc_runtime_flags field of the policy's
6532 mac_policy_conf structure after registering the policy.
6533 */
6534#define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
6535
6536/*
6537 * Depends on POLICY_VER
6538 */
6539
6540#ifndef POLICY_VER
6541#define POLICY_VER 1.0
6542#endif
6543
6544#define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \
6545 static struct mac_policy_conf mpname##_mac_policy_conf = { \
6546 .mpc_name = #mpname, \
6547 .mpc_fullname = mpfullname, \
6548 .mpc_labelnames = lnames, \
6549 .mpc_labelname_count = lcount, \
6550 .mpc_ops = mpops, \
6551 .mpc_loadtime_flags = lflags, \
6552 .mpc_field_off = slot, \
6553 .mpc_runtime_flags = rflags \
6554 }; \
6555 \
6556 static kern_return_t \
6557 kmod_start(kmod_info_t *ki, void *xd) \
6558 { \
6559 return mac_policy_register(&mpname##_mac_policy_conf, \
6560 &handle, xd); \
6561 } \
6562 \
6563 static kern_return_t \
6564 kmod_stop(kmod_info_t *ki, void *xd) \
6565 { \
6566 return mac_policy_unregister(handle); \
6567 } \
6568 \
6569 extern kern_return_t _start(kmod_info_t *ki, void *data); \
6570 extern kern_return_t _stop(kmod_info_t *ki, void *data); \
6571 \
6572 KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \
6573 kmod_start_func_t *_realmain = kmod_start; \
6574 kmod_stop_func_t *_antimain = kmod_stop; \
6575 int _kext_apple_cc = __APPLE_CC__
6576
6577
6578#define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s]
6579
6580/*
6581 * Policy interface to map a struct label pointer to per-policy data.
6582 * Typically, policies wrap this in their own accessor macro that casts an
6583 * intptr_t to a policy-specific data type.
6584 */
6585intptr_t mac_label_get(struct label *l, int slot);
6586void mac_label_set(struct label *l, int slot, intptr_t v);
6587
6588#define mac_get_mpc(h) (mac_policy_list.entries[h].mpc)
6589
6590/**
6591 @name Flags for MAC allocator interfaces
6592
6593 These flags are passed to the Darwin kernel allocator routines to
6594 indicate whether the allocation is permitted to block or not.
6595 Caution should be taken; some operations are not permitted to sleep,
6596 and some types of locks cannot be held when sleeping.
6597 */
6598
6599/*@{*/
6600
6601/**
6602 @brief Allocation operations may block
6603
6604 If memory is not immediately available, the allocation routine
6605 will block (typically sleeping) until memory is available.
6606
6607 @warning Inappropriate use of this flag may cause kernel panics.
6608 */
6609#define MAC_WAITOK 0
6610
6611/**
6612 @brief Allocation operations may not block
6613
6614 Rather than blocking, the allocator may return an error if memory
6615 is not immediately available. This type of allocation will not
6616 sleep, preserving locking semantics.
6617 */
6618#define MAC_NOWAIT 1
6619
6620/*@}*/
6621
6622#endif /* !_SECURITY_MAC_POLICY_H_ */