]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Copyright (c) 2007-2010 Apple Inc. All rights reserved. | |
3 | * | |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ | |
5 | * | |
6 | * This file contains Original Code and/or Modifications of Original Code | |
7 | * as defined in and that are subject to the Apple Public Source License | |
8 | * Version 2.0 (the 'License'). You may not use this file except in | |
9 | * compliance with the License. The rights granted to you under the License | |
10 | * may not be used to create, or enable the creation or redistribution of, | |
11 | * unlawful or unlicensed copies of an Apple operating system, or to | |
12 | * circumvent, violate, or enable the circumvention or violation of, any | |
13 | * terms of an Apple operating system software license agreement. | |
14 | * | |
15 | * Please obtain a copy of the License at | |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. | |
17 | * | |
18 | * The Original Code and all software distributed under the License are | |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. | |
23 | * Please see the License for the specific language governing rights and | |
24 | * limitations under the License. | |
25 | * | |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ | |
27 | */ | |
28 | /*- | |
29 | * Copyright (c) 1999-2002 Robert N. M. Watson | |
30 | * Copyright (c) 2001-2005 Networks Associates Technology, Inc. | |
31 | * Copyright (c) 2005-2007 SPARTA, Inc. | |
32 | * All rights reserved. | |
33 | * | |
34 | * This software was developed by Robert Watson for the TrustedBSD Project. | |
35 | * | |
36 | * This software was developed for the FreeBSD Project in part by Network | |
37 | * Associates Laboratories, the Security Research Division of Network | |
38 | * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), | |
39 | * as part of the DARPA CHATS research program. | |
40 | * | |
41 | * This software was enhanced by SPARTA ISSO under SPAWAR contract | |
42 | * N66001-04-C-6019 ("SEFOS"). | |
43 | * | |
44 | * Redistribution and use in source and binary forms, with or without | |
45 | * modification, are permitted provided that the following conditions | |
46 | * are met: | |
47 | * 1. Redistributions of source code must retain the above copyright | |
48 | * notice, this list of conditions and the following disclaimer. | |
49 | * 2. Redistributions in binary form must reproduce the above copyright | |
50 | * notice, this list of conditions and the following disclaimer in the | |
51 | * documentation and/or other materials provided with the distribution. | |
52 | * | |
53 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | |
54 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
55 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
56 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | |
57 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
58 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
59 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
60 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
61 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
62 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
63 | * SUCH DAMAGE. | |
64 | * | |
65 | * $FreeBSD: src/sys/sys/mac_policy.h,v 1.39 2003/04/18 19:57:37 rwatson Exp $ | |
66 | */ | |
67 | ||
68 | /** | |
69 | @file mac_policy.h | |
70 | @brief Kernel Interfaces for MAC policy modules | |
71 | ||
72 | This header defines the list of operations that are defined by the | |
73 | TrustedBSD MAC Framwork on Darwin. MAC Policy modules register | |
74 | with the framework to declare interest in a specific set of | |
75 | operations. If interest in an entry point is not declared, then | |
76 | the policy will be ignored when the Framework evaluates that entry | |
77 | point. | |
78 | */ | |
79 | ||
80 | #ifndef _SECURITY_MAC_POLICY_H_ | |
81 | #define _SECURITY_MAC_POLICY_H_ | |
82 | ||
83 | #include <security/_label.h> | |
84 | ||
85 | struct attrlist; | |
86 | struct auditinfo; | |
87 | struct bpf_d; | |
88 | struct devnode; | |
89 | struct fileglob; | |
90 | struct ifnet; | |
91 | struct inpcb; | |
92 | struct ipq; | |
93 | struct label; | |
94 | struct lctx; | |
95 | struct mac_module_data; | |
96 | struct mac_policy_conf; | |
97 | struct mbuf; | |
98 | struct mount; | |
99 | struct pipe; | |
100 | struct pseminfo; | |
101 | struct pshminfo; | |
102 | struct sbuf; | |
103 | struct semid_kernel; | |
104 | struct shmid_kernel; | |
105 | struct task; | |
106 | struct thread; | |
107 | struct ucred; | |
108 | struct vnode; | |
109 | /** @struct dummy */ | |
110 | ||
111 | ||
112 | ||
113 | #ifndef _KAUTH_CRED_T | |
114 | #define _KAUTH_CRED_T | |
115 | typedef struct ucred *kauth_cred_t; | |
116 | #endif /* !_KAUTH_CRED_T */ | |
117 | ||
118 | #ifndef __IOKIT_PORTS_DEFINED__ | |
119 | #define __IOKIT_PORTS_DEFINED__ | |
120 | #ifdef __cplusplus | |
121 | class OSObject; | |
122 | typedef OSObject *io_object_t; | |
123 | #else | |
124 | struct OSObject; | |
125 | typedef struct OSObject *io_object_t; | |
126 | #endif | |
127 | #endif /* __IOKIT_PORTS_DEFINED__ */ | |
128 | ||
129 | /*- | |
130 | * MAC entry points are generally named using the following template: | |
131 | * | |
132 | * mpo_<object>_<operation>() | |
133 | * | |
134 | * or: | |
135 | * | |
136 | * mpo_<object>_check_<operation>() | |
137 | * | |
138 | * Entry points are sorted by object type. | |
139 | * | |
140 | * It may be desirable also to consider some subsystems as "objects", such | |
141 | * as system, iokit, etc. | |
142 | */ | |
143 | ||
144 | /** | |
145 | @name Entry Points for Label Management | |
146 | ||
147 | These are the entry points corresponding to the life cycle events for | |
148 | kernel objects, such as initialization, creation, and destruction. | |
149 | ||
150 | Most policies (that use labels) will initialize labels by allocating | |
151 | space for policy-specific data. In most cases, it is permitted to | |
152 | sleep during label initialization operations; it will be noted when | |
153 | it is not permitted. | |
154 | ||
155 | Initialization usually will not require doing more than allocating a | |
156 | generic label for the given object. What follows initialization is | |
157 | creation, where a label is made specific to the object it is associated | |
158 | with. Destruction occurs when the label is no longer needed, such as | |
159 | when the corresponding object is destroyed. All necessary cleanup should | |
160 | be performed in label destroy operations. | |
161 | ||
162 | Where possible, the label entry points have identical parameters. If | |
163 | the policy module does not require structure-specific label | |
164 | information, the same function may be registered in the policy | |
165 | operation vector. Many policies will implement two such generic | |
166 | allocation calls: one to handle sleepable requests, and one to handle | |
167 | potentially non-sleepable requests. | |
168 | */ | |
169 | ||
170 | ||
171 | /** | |
172 | @brief Audit event postselection | |
173 | @param cred Subject credential | |
174 | @param syscode Syscall number | |
175 | @param args Syscall arguments | |
176 | @param error Syscall errno | |
177 | @param retval Syscall return value | |
178 | ||
179 | This is the MAC Framework audit postselect, which is called before | |
180 | exiting a syscall to determine if an audit event should be committed. | |
181 | A return value of MAC_AUDIT_NO forces the audit record to be suppressed. | |
182 | Any other return value results in the audit record being committed. | |
183 | ||
184 | @warning The suppression behavior will probably go away in Apple's | |
185 | future version of the audit implementation. | |
186 | ||
187 | @return Return MAC_AUDIT_NO to force suppression of the audit record. | |
188 | Any other value results in the audit record being committed. | |
189 | ||
190 | */ | |
191 | typedef int mpo_audit_check_postselect_t( | |
192 | kauth_cred_t cred, | |
193 | unsigned short syscode, | |
194 | void *args, | |
195 | int error, | |
196 | int retval | |
197 | ); | |
198 | /** | |
199 | @brief Audit event preselection | |
200 | @param cred Subject credential | |
201 | @param syscode Syscall number | |
202 | @param args Syscall arguments | |
203 | ||
204 | This is the MAC Framework audit preselect, which is called before a | |
205 | syscall is entered to determine if an audit event should be created. | |
206 | If the MAC policy forces the syscall to be audited, MAC_AUDIT_YES should be | |
207 | returned. A return value of MAC_AUDIT_NO causes the audit record to | |
208 | be suppressed. Returning MAC_POLICY_DEFAULT indicates that the policy wants | |
209 | to defer to the system's existing preselection mechanism. | |
210 | ||
211 | When policies return different preferences, the Framework decides what action | |
212 | to take based on the following policy. If any policy returns MAC_AUDIT_YES, | |
213 | then create an audit record, else if any policy returns MAC_AUDIT_NO, then | |
214 | suppress the creations of an audit record, else defer to the system's | |
215 | existing preselection mechanism. | |
216 | ||
217 | @warning The audit implementation in Apple's current version is | |
218 | incomplete, so the MAC policies have priority over the system's existing | |
219 | mechanisms. This will probably change in the future version where | |
220 | the audit implementation is more complete. | |
221 | ||
222 | @return Return MAC_AUDIT_YES to force auditing of the syscall, | |
223 | MAC_AUDIT_NO to force no auditing of the syscall, MAC_AUDIT_DEFAULT | |
224 | to allow auditing mechanisms to determine if the syscall is audited. | |
225 | ||
226 | */ | |
227 | typedef int mpo_audit_check_preselect_t( | |
228 | kauth_cred_t cred, | |
229 | unsigned short syscode, | |
230 | void *args | |
231 | ); | |
232 | /** | |
233 | @brief Initialize BPF descriptor label | |
234 | @param label New label to initialize | |
235 | ||
236 | Initialize the label for a newly instantiated BPF descriptor. | |
237 | Sleeping is permitted. | |
238 | */ | |
239 | typedef void mpo_bpfdesc_label_init_t( | |
240 | struct label *label | |
241 | ); | |
242 | /** | |
243 | @brief Destroy BPF descriptor label | |
244 | @param label The label to be destroyed | |
245 | ||
246 | Destroy a BPF descriptor label. Since the BPF descriptor | |
247 | is going out of scope, policy modules should free any internal | |
248 | storage associated with the label so that it may be destroyed. | |
249 | */ | |
250 | typedef void mpo_bpfdesc_label_destroy_t( | |
251 | struct label *label | |
252 | ); | |
253 | /** | |
254 | @brief Associate a BPF descriptor with a label | |
255 | @param cred User credential creating the BPF descriptor | |
256 | @param bpf_d The BPF descriptor | |
257 | @param bpflabel The new label | |
258 | ||
259 | Set the label on a newly created BPF descriptor from the passed | |
260 | subject credential. This call will be made when a BPF device node | |
261 | is opened by a process with the passed subject credential. | |
262 | */ | |
263 | typedef void mpo_bpfdesc_label_associate_t( | |
264 | kauth_cred_t cred, | |
265 | struct bpf_d *bpf_d, | |
266 | struct label *bpflabel | |
267 | ); | |
268 | /** | |
269 | @brief Check whether BPF can read from a network interface | |
270 | @param bpf_d Subject; the BPF descriptor | |
271 | @param bpflabel Policy label for bpf_d | |
272 | @param ifp Object; the network interface | |
273 | @param ifnetlabel Policy label for ifp | |
274 | ||
275 | Determine whether the MAC framework should permit datagrams from | |
276 | the passed network interface to be delivered to the buffers of | |
277 | the passed BPF descriptor. Return (0) for success, or an errno | |
278 | value for failure. Suggested failure: EACCES for label mismatches, | |
279 | EPERM for lack of privilege. | |
280 | */ | |
281 | typedef int mpo_bpfdesc_check_receive_t( | |
282 | struct bpf_d *bpf_d, | |
283 | struct label *bpflabel, | |
284 | struct ifnet *ifp, | |
285 | struct label *ifnetlabel | |
286 | ); | |
287 | /** | |
288 | @brief Indicate desire to change the process label at exec time | |
289 | @param old Existing subject credential | |
290 | @param vp File being executed | |
291 | @param vnodelabel Label corresponding to vp | |
292 | @param scriptvnodelabel Script vnode label | |
293 | @param execlabel Userspace provided execution label | |
294 | @param proc Object process | |
295 | @see mac_execve | |
296 | @see mpo_cred_label_update_execve_t | |
297 | @see mpo_vnode_check_exec_t | |
298 | ||
299 | Indicate whether this policy intends to update the label of a newly | |
300 | created credential from the existing subject credential (old). This | |
301 | call occurs when a process executes the passed vnode. If a policy | |
302 | returns success from this entry point, the mpo_cred_label_update_execve | |
303 | entry point will later be called with the same parameters. Access | |
304 | has already been checked via the mpo_vnode_check_exec entry point, | |
305 | this entry point is necessary to preserve kernel locking constraints | |
306 | during program execution. | |
307 | ||
308 | The supplied vnode and vnodelabel correspond with the file actually | |
309 | being executed; in the case that the file is interpreted (for | |
310 | example, a script), the label of the original exec-time vnode has | |
311 | been preserved in scriptvnodelabel. | |
312 | ||
313 | The final label, execlabel, corresponds to a label supplied by a | |
314 | user space application through the use of the mac_execve system call. | |
315 | ||
316 | The vnode lock is held during this operation. No changes should be | |
317 | made to the old credential structure. | |
318 | ||
319 | @warning Even if a policy returns 0, it should behave correctly in | |
320 | the presence of an invocation of mpo_cred_label_update_execve, as that | |
321 | call may happen as a result of another policy requesting a transition. | |
322 | ||
323 | @return Non-zero if a transition is required, 0 otherwise. | |
324 | */ | |
325 | typedef int mpo_cred_check_label_update_execve_t( | |
326 | kauth_cred_t old, | |
327 | struct vnode *vp, | |
328 | struct label *vnodelabel, | |
329 | struct label *scriptvnodelabel, | |
330 | struct label *execlabel, | |
331 | struct proc *proc | |
332 | ); | |
333 | /** | |
334 | @brief Access control check for relabelling processes | |
335 | @param cred Subject credential | |
336 | @param newlabel New label to apply to the user credential | |
337 | @see mpo_cred_label_update_t | |
338 | @see mac_set_proc | |
339 | ||
340 | Determine whether the subject identified by the credential can relabel | |
341 | itself to the supplied new label (newlabel). This access control check | |
342 | is called when the mac_set_proc system call is invoked. A user space | |
343 | application will supply a new value, the value will be internalized | |
344 | and provided in newlabel. | |
345 | ||
346 | @return Return 0 if access is granted, otherwise an appropriate value for | |
347 | errno should be returned. | |
348 | */ | |
349 | typedef int mpo_cred_check_label_update_t( | |
350 | kauth_cred_t cred, | |
351 | struct label *newlabel | |
352 | ); | |
353 | /** | |
354 | @brief Access control check for visibility of other subjects | |
355 | @param u1 Subject credential | |
356 | @param u2 Object credential | |
357 | ||
358 | Determine whether the subject identified by the credential u1 can | |
359 | "see" other subjects with the passed subject credential u2. This call | |
360 | may be made in a number of situations, including inter-process status | |
361 | sysctls used by ps, and in procfs lookups. | |
362 | ||
363 | @return Return 0 if access is granted, otherwise an appropriate value for | |
364 | errno should be returned. Suggested failure: EACCES for label mismatch, | |
365 | EPERM for lack of privilege, or ESRCH to hide visibility. | |
366 | */ | |
367 | typedef int mpo_cred_check_visible_t( | |
368 | kauth_cred_t u1, | |
369 | kauth_cred_t u2 | |
370 | ); | |
371 | /** | |
372 | @brief Associate a credential with a new process at fork | |
373 | @param cred credential to inherited by new process | |
374 | @param proc the new process | |
375 | ||
376 | Allow a process to associate the credential with a new | |
377 | process for reference countng purposes. | |
378 | NOTE: the credential can be dis-associated in ways other | |
379 | than exit - so this strategy is flawed - should just | |
380 | catch label destroy callback. | |
381 | */ | |
382 | typedef void mpo_cred_label_associate_fork_t( | |
383 | kauth_cred_t cred, | |
384 | proc_t proc | |
385 | ); | |
386 | /** | |
387 | @brief Create the first process | |
388 | @param cred Subject credential to be labeled | |
389 | ||
390 | Create the subject credential of process 0, the parent of all BSD | |
391 | kernel processes. Policies should update the label in the | |
392 | previously initialized credential structure. | |
393 | */ | |
394 | typedef void mpo_cred_label_associate_kernel_t( | |
395 | kauth_cred_t cred | |
396 | ); | |
397 | /** | |
398 | @brief Create a credential label | |
399 | @param parent_cred Parent credential | |
400 | @param child_cred Child credential | |
401 | ||
402 | Set the label of a newly created credential, most likely using the | |
403 | information in the supplied parent credential. | |
404 | ||
405 | @warning This call is made when crcopy or crdup is invoked on a | |
406 | newly created struct ucred, and should not be confused with a | |
407 | process fork or creation event. | |
408 | */ | |
409 | typedef void mpo_cred_label_associate_t( | |
410 | kauth_cred_t parent_cred, | |
411 | kauth_cred_t child_cred | |
412 | ); | |
413 | /** | |
414 | @brief Create the first process | |
415 | @param cred Subject credential to be labeled | |
416 | ||
417 | Create the subject credential of process 1, the parent of all BSD | |
418 | user processes. Policies should update the label in the previously | |
419 | initialized credential structure. This is the 'init' process. | |
420 | */ | |
421 | typedef void mpo_cred_label_associate_user_t( | |
422 | kauth_cred_t cred | |
423 | ); | |
424 | /** | |
425 | @brief Destroy credential label | |
426 | @param label The label to be destroyed | |
427 | ||
428 | Destroy a user credential label. Since the user credential | |
429 | is going out of scope, policy modules should free any internal | |
430 | storage associated with the label so that it may be destroyed. | |
431 | */ | |
432 | typedef void mpo_cred_label_destroy_t( | |
433 | struct label *label | |
434 | ); | |
435 | /** | |
436 | @brief Externalize a user credential label for auditing | |
437 | @param label Label to be externalized | |
438 | @param element_name Name of the label namespace for which labels should be | |
439 | externalized | |
440 | @param sb String buffer to be filled with a text representation of the label | |
441 | ||
442 | Produce an external representation of the label on a user credential for | |
443 | inclusion in an audit record. An externalized label consists of a text | |
444 | representation of the label contents that will be added to the audit record | |
445 | as part of a text token. Policy-agnostic user space tools will display | |
446 | this externalized version. | |
447 | ||
448 | @return 0 on success, return non-zero if an error occurs while | |
449 | externalizing the label data. | |
450 | ||
451 | */ | |
452 | typedef int mpo_cred_label_externalize_audit_t( | |
453 | struct label *label, | |
454 | char *element_name, | |
455 | struct sbuf *sb | |
456 | ); | |
457 | /** | |
458 | @brief Externalize a user credential label | |
459 | @param label Label to be externalized | |
460 | @param element_name Name of the label namespace for which labels should be | |
461 | externalized | |
462 | @param sb String buffer to be filled with a text representation of the label | |
463 | ||
464 | Produce an external representation of the label on a user | |
465 | credential. An externalized label consists of a text representation | |
466 | of the label contents that can be used with user applications. | |
467 | Policy-agnostic user space tools will display this externalized | |
468 | version. | |
469 | ||
470 | @return 0 on success, return non-zero if an error occurs while | |
471 | externalizing the label data. | |
472 | ||
473 | */ | |
474 | typedef int mpo_cred_label_externalize_t( | |
475 | struct label *label, | |
476 | char *element_name, | |
477 | struct sbuf *sb | |
478 | ); | |
479 | /** | |
480 | @brief Initialize user credential label | |
481 | @param label New label to initialize | |
482 | ||
483 | Initialize the label for a newly instantiated user credential. | |
484 | Sleeping is permitted. | |
485 | */ | |
486 | typedef void mpo_cred_label_init_t( | |
487 | struct label *label | |
488 | ); | |
489 | /** | |
490 | @brief Internalize a user credential label | |
491 | @param label Label to be internalized | |
492 | @param element_name Name of the label namespace for which the label should | |
493 | be internalized | |
494 | @param element_data Text data to be internalized | |
495 | ||
496 | Produce a user credential label from an external representation. An | |
497 | externalized label consists of a text representation of the label | |
498 | contents that can be used with user applications. Policy-agnostic | |
499 | user space tools will forward text version to the kernel for | |
500 | processing by individual policy modules. | |
501 | ||
502 | The policy's internalize entry points will be called only if the | |
503 | policy has registered interest in the label namespace. | |
504 | ||
505 | @return 0 on success, Otherwise, return non-zero if an error occurs | |
506 | while internalizing the label data. | |
507 | ||
508 | */ | |
509 | typedef int mpo_cred_label_internalize_t( | |
510 | struct label *label, | |
511 | char *element_name, | |
512 | char *element_data | |
513 | ); | |
514 | /** | |
515 | @brief Update credential at exec time | |
516 | @param old_cred Existing subject credential | |
517 | @param new_cred New subject credential to be labeled | |
518 | @param vp File being executed | |
519 | @param vnodelabel Label corresponding to vp | |
520 | @param scriptvnodelabel Script vnode label | |
521 | @param execlabel Userspace provided execution label | |
522 | @see mac_execve | |
523 | @see mpo_cred_check_label_update_execve_t | |
524 | @see mpo_vnode_check_exec_t | |
525 | ||
526 | Update the label of a newly created credential (new) from the | |
527 | existing subject credential (old). This call occurs when a process | |
528 | executes the passed vnode and one of the loaded policy modules has | |
529 | returned success from the mpo_cred_check_label_update_execve entry point. | |
530 | Access has already been checked via the mpo_vnode_check_exec entry | |
531 | point, this entry point is only used to update any policy state. | |
532 | ||
533 | The supplied vnode and vnodelabel correspond with the file actually | |
534 | being executed; in the case that the file is interpreted (for | |
535 | example, a script), the label of the original exec-time vnode has | |
536 | been preserved in scriptvnodelabel. | |
537 | ||
538 | The final label, execlabel, corresponds to a label supplied by a | |
539 | user space application through the use of the mac_execve system call. | |
540 | ||
541 | If non-NULL, the value pointed to by disjointp will be set to 0 to | |
542 | indicate that the old and new credentials are not disjoint, or 1 to | |
543 | indicate that they are. | |
544 | ||
545 | The vnode lock is held during this operation. No changes should be | |
546 | made to the old credential structure. | |
547 | */ | |
548 | typedef void mpo_cred_label_update_execve_t( | |
549 | kauth_cred_t old_cred, | |
550 | kauth_cred_t new_cred, | |
551 | struct vnode *vp, | |
552 | struct label *vnodelabel, | |
553 | struct label *scriptvnodelabel, | |
554 | struct label *execlabel, | |
555 | int *disjointp | |
556 | ); | |
557 | /** | |
558 | @brief Update a credential label | |
559 | @param cred The existing credential | |
560 | @param newlabel A new label to apply to the credential | |
561 | @see mpo_cred_check_label_update_t | |
562 | @see mac_set_proc | |
563 | ||
564 | Update the label on a user credential, using the supplied new label. | |
565 | This is called as a result of a process relabel operation. Access | |
566 | control was already confirmed by mpo_cred_check_label_update. | |
567 | */ | |
568 | typedef void mpo_cred_label_update_t( | |
569 | kauth_cred_t cred, | |
570 | struct label *newlabel | |
571 | ); | |
572 | /** | |
573 | @brief Create a new devfs device | |
574 | @param dev Major and minor numbers of special file | |
575 | @param de "inode" of new device file | |
576 | @param label Destination label | |
577 | @param fullpath Path relative to mount (e.g. /dev) of new device file | |
578 | ||
579 | This entry point labels a new devfs device. The label will likely be based | |
580 | on the path to the device, or the major and minor numbers. | |
581 | The policy should store an appropriate label into 'label'. | |
582 | */ | |
583 | typedef void mpo_devfs_label_associate_device_t( | |
584 | dev_t dev, | |
585 | struct devnode *de, | |
586 | struct label *label, | |
587 | const char *fullpath | |
588 | ); | |
589 | /** | |
590 | @brief Create a new devfs directory | |
591 | @param dirname Name of new directory | |
592 | @param dirnamelen Length of 'dirname' | |
593 | @param de "inode" of new directory | |
594 | @param label Destination label | |
595 | @param fullpath Path relative to mount (e.g. /dev) of new directory | |
596 | ||
597 | This entry point labels a new devfs directory. The label will likely be | |
598 | based on the path of the new directory. The policy should store an appropriate | |
599 | label into 'label'. The devfs root directory is labelled in this way. | |
600 | */ | |
601 | typedef void mpo_devfs_label_associate_directory_t( | |
602 | const char *dirname, | |
603 | int dirnamelen, | |
604 | struct devnode *de, | |
605 | struct label *label, | |
606 | const char *fullpath | |
607 | ); | |
608 | /** | |
609 | @brief Copy a devfs label | |
610 | @param src Source devfs label | |
611 | @param dest Destination devfs label | |
612 | ||
613 | Copy the label information from src to dest. The devfs file system | |
614 | often duplicates (splits) existing device nodes rather than creating | |
615 | new ones. | |
616 | */ | |
617 | typedef void mpo_devfs_label_copy_t( | |
618 | struct label *src, | |
619 | struct label *dest | |
620 | ); | |
621 | /** | |
622 | @brief Destroy devfs label | |
623 | @param label The label to be destroyed | |
624 | ||
625 | Destroy a devfs entry label. Since the object is going out | |
626 | of scope, policy modules should free any internal storage associated | |
627 | with the label so that it may be destroyed. | |
628 | */ | |
629 | typedef void mpo_devfs_label_destroy_t( | |
630 | struct label *label | |
631 | ); | |
632 | /** | |
633 | @brief Initialize devfs label | |
634 | @param label New label to initialize | |
635 | ||
636 | Initialize the label for a newly instantiated devfs entry. Sleeping | |
637 | is permitted. | |
638 | */ | |
639 | typedef void mpo_devfs_label_init_t( | |
640 | struct label *label | |
641 | ); | |
642 | /** | |
643 | @brief Update a devfs label after relabelling its vnode | |
644 | @param mp Devfs mount point | |
645 | @param de Affected devfs directory entry | |
646 | @param delabel Label of devfs directory entry | |
647 | @param vp Vnode associated with de | |
648 | @param vnodelabel New label of vnode | |
649 | ||
650 | Update a devfs label when its vnode is manually relabelled, | |
651 | for example with setfmac(1). Typically, this will simply copy | |
652 | the vnode label into the devfs label. | |
653 | */ | |
654 | typedef void mpo_devfs_label_update_t( | |
655 | struct mount *mp, | |
656 | struct devnode *de, | |
657 | struct label *delabel, | |
658 | struct vnode *vp, | |
659 | struct label *vnodelabel | |
660 | ); | |
661 | /** | |
662 | @brief Access control for changing the offset of a file descriptor | |
663 | @param cred Subject credential | |
664 | @param fg Fileglob structure | |
665 | @param label Policy label for fg | |
666 | ||
667 | Determine whether the subject identified by the credential can | |
668 | change the offset of the file represented by fg. | |
669 | ||
670 | @return Return 0 if access if granted, otherwise an appropriate | |
671 | value for errno should be returned. | |
672 | */ | |
673 | typedef int mpo_file_check_change_offset_t( | |
674 | kauth_cred_t cred, | |
675 | struct fileglob *fg, | |
676 | struct label *label | |
677 | ); | |
678 | /** | |
679 | @brief Access control for creating a file descriptor | |
680 | @param cred Subject credential | |
681 | ||
682 | Determine whether the subject identified by the credential can | |
683 | allocate a new file descriptor. | |
684 | ||
685 | @return Return 0 if access if granted, otherwise an appropriate | |
686 | value for errno should be returned. | |
687 | */ | |
688 | typedef int mpo_file_check_create_t( | |
689 | kauth_cred_t cred | |
690 | ); | |
691 | /** | |
692 | @brief Access control for duplicating a file descriptor | |
693 | @param cred Subject credential | |
694 | @param fg Fileglob structure | |
695 | @param label Policy label for fg | |
696 | @param newfd New file descriptor number | |
697 | ||
698 | Determine whether the subject identified by the credential can | |
699 | duplicate the fileglob structure represented by fg and as file | |
700 | descriptor number newfd. | |
701 | ||
702 | @return Return 0 if access if granted, otherwise an appropriate | |
703 | value for errno should be returned. | |
704 | */ | |
705 | typedef int mpo_file_check_dup_t( | |
706 | kauth_cred_t cred, | |
707 | struct fileglob *fg, | |
708 | struct label *label, | |
709 | int newfd | |
710 | ); | |
711 | /** | |
712 | @brief Access control check for fcntl | |
713 | @param cred Subject credential | |
714 | @param fg Fileglob structure | |
715 | @param label Policy label for fg | |
716 | @param cmd Control operation to be performed; see fcntl(2) | |
717 | @param arg fcnt arguments; see fcntl(2) | |
718 | ||
719 | Determine whether the subject identified by the credential can perform | |
720 | the file control operation indicated by cmd. | |
721 | ||
722 | @return Return 0 if access is granted, otherwise an appropriate value for | |
723 | errno should be returned. | |
724 | */ | |
725 | typedef int mpo_file_check_fcntl_t( | |
726 | kauth_cred_t cred, | |
727 | struct fileglob *fg, | |
728 | struct label *label, | |
729 | int cmd, | |
730 | user_long_t arg | |
731 | ); | |
732 | /** | |
733 | @brief Access control check for mac_get_fd | |
734 | @param cred Subject credential | |
735 | @param fg Fileglob structure | |
736 | @param elements Element buffer | |
737 | @param len Length of buffer | |
738 | ||
739 | Determine whether the subject identified by the credential should be allowed | |
740 | to get an externalized version of the label on the object indicated by fd. | |
741 | ||
742 | @return Return 0 if access is granted, otherwise an appropriate value for | |
743 | errno should be returned. | |
744 | */ | |
745 | typedef int mpo_file_check_get_t( | |
746 | kauth_cred_t cred, | |
747 | struct fileglob *fg, | |
748 | char *elements, | |
749 | int len | |
750 | ); | |
751 | /** | |
752 | @brief Access control for getting the offset of a file descriptor | |
753 | @param cred Subject credential | |
754 | @param fg Fileglob structure | |
755 | @param label Policy label for fg | |
756 | ||
757 | Determine whether the subject identified by the credential can | |
758 | get the offset of the file represented by fg. | |
759 | ||
760 | @return Return 0 if access if granted, otherwise an appropriate | |
761 | value for errno should be returned. | |
762 | */ | |
763 | typedef int mpo_file_check_get_offset_t( | |
764 | kauth_cred_t cred, | |
765 | struct fileglob *fg, | |
766 | struct label *label | |
767 | ); | |
768 | /** | |
769 | @brief Access control for inheriting a file descriptor | |
770 | @param cred Subject credential | |
771 | @param fg Fileglob structure | |
772 | @param label Policy label for fg | |
773 | ||
774 | Determine whether the subject identified by the credential can | |
775 | inherit the fileglob structure represented by fg. | |
776 | ||
777 | @return Return 0 if access if granted, otherwise an appropriate | |
778 | value for errno should be returned. | |
779 | */ | |
780 | typedef int mpo_file_check_inherit_t( | |
781 | kauth_cred_t cred, | |
782 | struct fileglob *fg, | |
783 | struct label *label | |
784 | ); | |
785 | /** | |
786 | @brief Access control check for file ioctl | |
787 | @param cred Subject credential | |
788 | @param fg Fileglob structure | |
789 | @param label Policy label for fg | |
790 | @param cmd The ioctl command; see ioctl(2) | |
791 | ||
792 | Determine whether the subject identified by the credential can perform | |
793 | the ioctl operation indicated by cmd. | |
794 | ||
795 | @warning Since ioctl data is opaque from the standpoint of the MAC | |
796 | framework, policies must exercise extreme care when implementing | |
797 | access control checks. | |
798 | ||
799 | @return Return 0 if access is granted, otherwise an appropriate value for | |
800 | errno should be returned. | |
801 | ||
802 | */ | |
803 | typedef int mpo_file_check_ioctl_t( | |
804 | kauth_cred_t cred, | |
805 | struct fileglob *fg, | |
806 | struct label *label, | |
807 | unsigned int cmd | |
808 | ); | |
809 | /** | |
810 | @brief Access control check for file locking | |
811 | @param cred Subject credential | |
812 | @param fg Fileglob structure | |
813 | @param label Policy label for fg | |
814 | @param op The lock operation (F_GETLK, F_SETLK, F_UNLK) | |
815 | @param fl The flock structure | |
816 | ||
817 | Determine whether the subject identified by the credential can perform | |
818 | the lock operation indicated by op and fl on the file represented by fg. | |
819 | ||
820 | @return Return 0 if access is granted, otherwise an appropriate value for | |
821 | errno should be returned. | |
822 | ||
823 | */ | |
824 | typedef int mpo_file_check_lock_t( | |
825 | kauth_cred_t cred, | |
826 | struct fileglob *fg, | |
827 | struct label *label, | |
828 | int op, | |
829 | struct flock *fl | |
830 | ); | |
831 | /** | |
832 | @brief Access control check for mapping a file | |
833 | @param cred Subject credential | |
834 | @param fg fileglob representing file to map | |
835 | @param label Policy label associated with vp | |
836 | @param prot mmap protections; see mmap(2) | |
837 | @param flags Type of mapped object; see mmap(2) | |
838 | @param maxprot Maximum rights | |
839 | ||
840 | Determine whether the subject identified by the credential should be | |
841 | allowed to map the file represented by fg with the protections specified | |
842 | in prot. The maxprot field holds the maximum permissions on the new | |
843 | mapping, a combination of VM_PROT_READ, VM_PROT_WRITE, and VM_PROT_EXECUTE. | |
844 | To avoid overriding prior access control checks, a policy should only | |
845 | remove flags from maxprot. | |
846 | ||
847 | @return Return 0 if access is granted, otherwise an appropriate value for | |
848 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
849 | EPERM for lack of privilege. | |
850 | */ | |
851 | typedef int mpo_file_check_mmap_t( | |
852 | kauth_cred_t cred, | |
853 | struct fileglob *fg, | |
854 | struct label *label, | |
855 | int prot, | |
856 | int flags, | |
857 | int *maxprot | |
858 | ); | |
859 | /** | |
860 | @brief Downgrade the mmap protections | |
861 | @param cred Subject credential | |
862 | @param fg file to map | |
863 | @param label Policy label associated with vp | |
864 | @param prot mmap protections to be downgraded | |
865 | ||
866 | Downgrade the mmap protections based on the subject and object labels. | |
867 | */ | |
868 | typedef void mpo_file_check_mmap_downgrade_t( | |
869 | kauth_cred_t cred, | |
870 | struct fileglob *fg, | |
871 | struct label *label, | |
872 | int *prot | |
873 | ); | |
874 | /** | |
875 | @brief Access control for receiving a file descriptor | |
876 | @param cred Subject credential | |
877 | @param fg Fileglob structure | |
878 | @param label Policy label for fg | |
879 | ||
880 | Determine whether the subject identified by the credential can | |
881 | receive the fileglob structure represented by fg. | |
882 | ||
883 | @return Return 0 if access if granted, otherwise an appropriate | |
884 | value for errno should be returned. | |
885 | */ | |
886 | typedef int mpo_file_check_receive_t( | |
887 | kauth_cred_t cred, | |
888 | struct fileglob *fg, | |
889 | struct label *label | |
890 | ); | |
891 | /** | |
892 | @brief Access control check for mac_set_fd | |
893 | @param cred Subject credential | |
894 | @param fg Fileglob structure | |
895 | @param elements Elements buffer | |
896 | @param len Length of elements buffer | |
897 | ||
898 | Determine whether the subject identified by the credential can | |
899 | perform the mac_set_fd operation. The mac_set_fd operation is used | |
900 | to associate a MAC label with a file. | |
901 | ||
902 | @return Return 0 if access is granted, otherwise an appropriate value for | |
903 | errno should be returned. | |
904 | */ | |
905 | typedef int mpo_file_check_set_t( | |
906 | kauth_cred_t cred, | |
907 | struct fileglob *fg, | |
908 | char *elements, | |
909 | int len | |
910 | ); | |
911 | /** | |
912 | @brief Create file label | |
913 | @param cred Subject credential | |
914 | @param fg Fileglob structure | |
915 | @param label Policy label for fg | |
916 | */ | |
917 | typedef void mpo_file_label_associate_t( | |
918 | kauth_cred_t cred, | |
919 | struct fileglob *fg, | |
920 | struct label *label | |
921 | ); | |
922 | /** | |
923 | @brief Destroy file label | |
924 | @param label The label to be destroyed | |
925 | ||
926 | Destroy the label on a file descriptor. In this entry point, a | |
927 | policy module should free any internal storage associated with | |
928 | label so that it may be destroyed. | |
929 | */ | |
930 | typedef void mpo_file_label_destroy_t( | |
931 | struct label *label | |
932 | ); | |
933 | /** | |
934 | @brief Initialize file label | |
935 | @param label New label to initialize | |
936 | */ | |
937 | typedef void mpo_file_label_init_t( | |
938 | struct label *label | |
939 | ); | |
940 | /** | |
941 | @brief Access control check for relabeling network interfaces | |
942 | @param cred Subject credential | |
943 | @param ifp network interface being relabeled | |
944 | @param ifnetlabel Current label of the network interfaces | |
945 | @param newlabel New label to apply to the network interfaces | |
946 | @see mpo_ifnet_label_update_t | |
947 | ||
948 | Determine whether the subject identified by the credential can | |
949 | relabel the network interface represented by ifp to the supplied | |
950 | new label (newlabel). | |
951 | ||
952 | @return Return 0 if access is granted, otherwise an appropriate value for | |
953 | errno should be returned. | |
954 | */ | |
955 | typedef int mpo_ifnet_check_label_update_t( | |
956 | kauth_cred_t cred, | |
957 | struct ifnet *ifp, | |
958 | struct label *ifnetlabel, | |
959 | struct label *newlabel | |
960 | ); | |
961 | /** | |
962 | @brief Access control check for relabeling network interfaces | |
963 | @param ifp Network interface mbuf will be transmitted through | |
964 | @param ifnetlabel Label of the network interfaces | |
965 | @param m The mbuf to be transmitted | |
966 | @param mbuflabel Label of the mbuf to be transmitted | |
967 | @param family Address Family, AF_* | |
968 | @param type Type of socket, SOCK_{STREAM,DGRAM,RAW} | |
969 | ||
970 | Determine whether the mbuf with label mbuflabel may be transmitted | |
971 | through the network interface represented by ifp that has the | |
972 | label ifnetlabel. | |
973 | ||
974 | @return Return 0 if access is granted, otherwise an appropriate value for | |
975 | errno should be returned. | |
976 | */ | |
977 | typedef int mpo_ifnet_check_transmit_t( | |
978 | struct ifnet *ifp, | |
979 | struct label *ifnetlabel, | |
980 | struct mbuf *m, | |
981 | struct label *mbuflabel, | |
982 | int family, | |
983 | int type | |
984 | ); | |
985 | /** | |
986 | @brief Create a network interface label | |
987 | @param ifp Network interface labeled | |
988 | @param ifnetlabel Label for the network interface | |
989 | ||
990 | Set the label of a newly created network interface, most likely | |
991 | using the information in the supplied network interface struct. | |
992 | */ | |
993 | typedef void mpo_ifnet_label_associate_t( | |
994 | struct ifnet *ifp, | |
995 | struct label *ifnetlabel | |
996 | ); | |
997 | /** | |
998 | @brief Copy an ifnet label | |
999 | @param src Source ifnet label | |
1000 | @param dest Destination ifnet label | |
1001 | ||
1002 | Copy the label information from src to dest. | |
1003 | */ | |
1004 | typedef void mpo_ifnet_label_copy_t( | |
1005 | struct label *src, | |
1006 | struct label *dest | |
1007 | ); | |
1008 | /** | |
1009 | @brief Destroy ifnet label | |
1010 | @param label The label to be destroyed | |
1011 | ||
1012 | Destroy the label on an ifnet label. In this entry point, a | |
1013 | policy module should free any internal storage associated with | |
1014 | label so that it may be destroyed. | |
1015 | */ | |
1016 | typedef void mpo_ifnet_label_destroy_t( | |
1017 | struct label *label | |
1018 | ); | |
1019 | /** | |
1020 | @brief Externalize an ifnet label | |
1021 | @param label Label to be externalized | |
1022 | @param element_name Name of the label namespace for which labels should be | |
1023 | externalized | |
1024 | @param sb String buffer to be filled with a text representation of the label | |
1025 | ||
1026 | Produce an external representation of the label on an interface. | |
1027 | An externalized label consists of a text representation of the | |
1028 | label contents that can be used with user applications. | |
1029 | Policy-agnostic user space tools will display this externalized | |
1030 | version. | |
1031 | ||
1032 | @return 0 on success, return non-zero if an error occurs while | |
1033 | externalizing the label data. | |
1034 | ||
1035 | */ | |
1036 | typedef int mpo_ifnet_label_externalize_t( | |
1037 | struct label *label, | |
1038 | char *element_name, | |
1039 | struct sbuf *sb | |
1040 | ); | |
1041 | /** | |
1042 | @brief Initialize ifnet label | |
1043 | @param label New label to initialize | |
1044 | */ | |
1045 | typedef void mpo_ifnet_label_init_t( | |
1046 | struct label *label | |
1047 | ); | |
1048 | /** | |
1049 | @brief Internalize an interface label | |
1050 | @param label Label to be internalized | |
1051 | @param element_name Name of the label namespace for which the label should | |
1052 | be internalized | |
1053 | @param element_data Text data to be internalized | |
1054 | ||
1055 | Produce an interface label from an external representation. An | |
1056 | externalized label consists of a text representation of the label | |
1057 | contents that can be used with user applications. Policy-agnostic | |
1058 | user space tools will forward text version to the kernel for | |
1059 | processing by individual policy modules. | |
1060 | ||
1061 | The policy's internalize entry points will be called only if the | |
1062 | policy has registered interest in the label namespace. | |
1063 | ||
1064 | @return 0 on success, Otherwise, return non-zero if an error occurs | |
1065 | while internalizing the label data. | |
1066 | ||
1067 | */ | |
1068 | typedef int mpo_ifnet_label_internalize_t( | |
1069 | struct label *label, | |
1070 | char *element_name, | |
1071 | char *element_data | |
1072 | ); | |
1073 | /** | |
1074 | @brief Recycle up a network interface label | |
1075 | @param label The label to be recycled | |
1076 | ||
1077 | Recycle a network interface label. Darwin caches the struct ifnet | |
1078 | of detached ifnets in a "free pool". Before ifnets are returned | |
1079 | to the "free pool", policies can cleanup or overwrite any information | |
1080 | present in the label. | |
1081 | */ | |
1082 | typedef void mpo_ifnet_label_recycle_t( | |
1083 | struct label *label | |
1084 | ); | |
1085 | /** | |
1086 | @brief Update a network interface label | |
1087 | @param cred Subject credential | |
1088 | @param ifp The network interface to be relabeled | |
1089 | @param ifnetlabel The current label of the network interface | |
1090 | @param newlabel A new label to apply to the network interface | |
1091 | @see mpo_ifnet_check_label_update_t | |
1092 | ||
1093 | Update the label on a network interface, using the supplied new label. | |
1094 | */ | |
1095 | typedef void mpo_ifnet_label_update_t( | |
1096 | kauth_cred_t cred, | |
1097 | struct ifnet *ifp, | |
1098 | struct label *ifnetlabel, | |
1099 | struct label *newlabel | |
1100 | ); | |
1101 | /** | |
1102 | @brief Access control check for delivering a packet to a socket | |
1103 | @param inp inpcb the socket is associated with | |
1104 | @param inplabel Label of the inpcb | |
1105 | @param m The mbuf being received | |
1106 | @param mbuflabel Label of the mbuf being received | |
1107 | @param family Address family, AF_* | |
1108 | @param type Type of socket, SOCK_{STREAM,DGRAM,RAW} | |
1109 | ||
1110 | Determine whether the mbuf with label mbuflabel may be received | |
1111 | by the socket associated with inpcb that has the label inplabel. | |
1112 | ||
1113 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1114 | errno should be returned. | |
1115 | */ | |
1116 | typedef int mpo_inpcb_check_deliver_t( | |
1117 | struct inpcb *inp, | |
1118 | struct label *inplabel, | |
1119 | struct mbuf *m, | |
1120 | struct label *mbuflabel, | |
1121 | int family, | |
1122 | int type | |
1123 | ); | |
1124 | /** | |
1125 | @brief Create an inpcb label | |
1126 | @param so Socket containing the inpcb to be labeled | |
1127 | @param solabel Label of the socket | |
1128 | @param inp inpcb to be labeled | |
1129 | @param inplabel Label for the inpcb | |
1130 | ||
1131 | Set the label of a newly created inpcb, most likely | |
1132 | using the information in the socket and/or socket label. | |
1133 | */ | |
1134 | typedef void mpo_inpcb_label_associate_t( | |
1135 | struct socket *so, | |
1136 | struct label *solabel, | |
1137 | struct inpcb *inp, | |
1138 | struct label *inplabel | |
1139 | ); | |
1140 | /** | |
1141 | @brief Destroy inpcb label | |
1142 | @param label The label to be destroyed | |
1143 | ||
1144 | Destroy the label on an inpcb label. In this entry point, a | |
1145 | policy module should free any internal storage associated with | |
1146 | label so that it may be destroyed. | |
1147 | */ | |
1148 | typedef void mpo_inpcb_label_destroy_t( | |
1149 | struct label *label | |
1150 | ); | |
1151 | /** | |
1152 | @brief Initialize inpcb label | |
1153 | @param label New label to initialize | |
1154 | @param flag M_WAITOK or M_NOWAIT | |
1155 | */ | |
1156 | typedef int mpo_inpcb_label_init_t( | |
1157 | struct label *label, | |
1158 | int flag | |
1159 | ); | |
1160 | /** | |
1161 | @brief Recycle up an inpcb label | |
1162 | @param label The label to be recycled | |
1163 | ||
1164 | Recycle an inpcb label. Darwin allocates the inpcb as part of | |
1165 | the socket structure in some cases. For this case we must recycle | |
1166 | rather than destroy the inpcb as it will be reused later. | |
1167 | */ | |
1168 | typedef void mpo_inpcb_label_recycle_t( | |
1169 | struct label *label | |
1170 | ); | |
1171 | /** | |
1172 | @brief Update an inpcb label from a socket label | |
1173 | @param so Socket containing the inpcb to be relabeled | |
1174 | @param solabel New label of the socket | |
1175 | @param inp inpcb to be labeled | |
1176 | @param inplabel Label for the inpcb | |
1177 | ||
1178 | Set the label of a newly created inpcb due to a change in the | |
1179 | underlying socket label. | |
1180 | */ | |
1181 | typedef void mpo_inpcb_label_update_t( | |
1182 | struct socket *so, | |
1183 | struct label *solabel, | |
1184 | struct inpcb *inp, | |
1185 | struct label *inplabel | |
1186 | ); | |
1187 | /** | |
1188 | @brief Device hardware access control | |
1189 | @param devtype Type of device connected | |
1190 | @param properties XML-formatted property list | |
1191 | @param proplen Length of the property list | |
1192 | ||
1193 | This is the MAC Framework device access control, which is called by the I/O | |
1194 | Kit when a new device is connected to the system to determine whether that | |
1195 | device should be trusted. A list of properties associated with the device | |
1196 | is passed as an XML-formatted string. The routine should examine these | |
1197 | properties to determine the trustworthiness of the device. A return value | |
1198 | of EPERM forces the device to be claimed by a special device driver that | |
1199 | will prevent its operation. | |
1200 | ||
1201 | @warning This is an experimental interface and may change in the future. | |
1202 | ||
1203 | @return Return EPERM to indicate that the device is untrusted and should | |
1204 | not be allowed to operate. Return zero to indicate that the device is | |
1205 | trusted and should be allowed to operate normally. | |
1206 | ||
1207 | */ | |
1208 | typedef int mpo_iokit_check_device_t( | |
1209 | char *devtype, | |
1210 | struct mac_module_data *mdata | |
1211 | ); | |
1212 | /** | |
1213 | @brief Access control check for opening an I/O Kit device | |
1214 | @param cred Subject credential | |
1215 | @param device_path Device path | |
1216 | @param user_client User client instance | |
1217 | @param user_client_type User client type | |
1218 | ||
1219 | Determine whether the subject identified by the credential can open an | |
1220 | I/O Kit device at the passed path of the passed user client class and | |
1221 | type. | |
1222 | ||
1223 | @return Return 0 if access is granted, or an appropriate value for | |
1224 | errno should be returned. | |
1225 | */ | |
1226 | typedef int mpo_iokit_check_open_t( | |
1227 | kauth_cred_t cred, | |
1228 | io_object_t user_client, | |
1229 | unsigned int user_client_type | |
1230 | ); | |
1231 | /** | |
1232 | @brief Access control check for setting I/O Kit device properties | |
1233 | @param cred Subject credential | |
1234 | @param registry_entry Target device | |
1235 | @param properties Property list | |
1236 | ||
1237 | Determine whether the subject identified by the credential can set | |
1238 | properties on an I/O Kit device. | |
1239 | ||
1240 | @return Return 0 if access is granted, or an appropriate value for | |
1241 | errno should be returned. | |
1242 | */ | |
1243 | typedef int mpo_iokit_check_set_properties_t( | |
1244 | kauth_cred_t cred, | |
1245 | io_object_t entry, | |
1246 | io_object_t properties | |
1247 | ); | |
1248 | /** | |
1249 | @brief Access control check for software HID control | |
1250 | @param cred Subject credential | |
1251 | ||
1252 | Determine whether the subject identified by the credential can | |
1253 | control the HID (Human Interface Device) subsystem, such as to | |
1254 | post synthetic keypresses, pointer movement and clicks. | |
1255 | ||
1256 | @return Return 0 if access is granted, or an appropriate value for | |
1257 | errno. | |
1258 | */ | |
1259 | typedef int mpo_iokit_check_hid_control_t( | |
1260 | kauth_cred_t cred | |
1261 | ); | |
1262 | /** | |
1263 | @brief Create an IP reassembly queue label | |
1264 | @param fragment First received IP fragment | |
1265 | @param fragmentlabel Policy label for fragment | |
1266 | @param ipq IP reassembly queue to be labeled | |
1267 | @param ipqlabel Policy label to be filled in for ipq | |
1268 | ||
1269 | Set the label on a newly created IP reassembly queue from | |
1270 | the mbuf header of the first received fragment. | |
1271 | */ | |
1272 | typedef void mpo_ipq_label_associate_t( | |
1273 | struct mbuf *fragment, | |
1274 | struct label *fragmentlabel, | |
1275 | struct ipq *ipq, | |
1276 | struct label *ipqlabel | |
1277 | ); | |
1278 | /** | |
1279 | @brief Compare an mbuf header label to an ipq label | |
1280 | @param fragment IP datagram fragment | |
1281 | @param fragmentlabel Policy label for fragment | |
1282 | @param ipq IP fragment reassembly queue | |
1283 | @param ipqlabel Policy label for ipq | |
1284 | ||
1285 | Compare the label of the mbuf header containing an IP datagram | |
1286 | (fragment) fragment with the label of the passed IP fragment | |
1287 | reassembly queue (ipq). Return (1) for a successful match, or (0) | |
1288 | for no match. This call is made when the IP stack attempts to | |
1289 | find an existing fragment reassembly queue for a newly received | |
1290 | fragment; if this fails, a new fragment reassembly queue may be | |
1291 | instantiated for the fragment. Policies may use this entry point | |
1292 | to prevent the reassembly of otherwise matching IP fragments if | |
1293 | policy does not permit them to be reassembled based on the label | |
1294 | or other information. | |
1295 | */ | |
1296 | typedef int mpo_ipq_label_compare_t( | |
1297 | struct mbuf *fragment, | |
1298 | struct label *fragmentlabel, | |
1299 | struct ipq *ipq, | |
1300 | struct label *ipqlabel | |
1301 | ); | |
1302 | /** | |
1303 | @brief Destroy IP reassembly queue label | |
1304 | @param label The label to be destroyed | |
1305 | ||
1306 | Destroy the label on an IP fragment queue. In this entry point, a | |
1307 | policy module should free any internal storage associated with | |
1308 | label so that it may be destroyed. | |
1309 | */ | |
1310 | typedef void mpo_ipq_label_destroy_t( | |
1311 | struct label *label | |
1312 | ); | |
1313 | /** | |
1314 | @brief Initialize IP reassembly queue label | |
1315 | @param label New label to initialize | |
1316 | @param flag M_WAITOK or M_NOWAIT | |
1317 | ||
1318 | Initialize the label on a newly instantiated IP fragment reassembly | |
1319 | queue. The flag field may be one of M_WAITOK and M_NOWAIT, and | |
1320 | should be employed to avoid performing a sleeping malloc(9) during | |
1321 | this initialization call. IP fragment reassembly queue allocation | |
1322 | frequently occurs in performance sensitive environments, and the | |
1323 | implementation should be careful to avoid sleeping or long-lived | |
1324 | operations. This entry point is permitted to fail resulting in | |
1325 | the failure to allocate the IP fragment reassembly queue. | |
1326 | */ | |
1327 | typedef int mpo_ipq_label_init_t( | |
1328 | struct label *label, | |
1329 | int flag | |
1330 | ); | |
1331 | /** | |
1332 | @brief Update the label on an IP fragment reassembly queue | |
1333 | @param fragment IP fragment | |
1334 | @param fragmentlabel Policy label for fragment | |
1335 | @param ipq IP fragment reassembly queue | |
1336 | @param ipqlabel Policy label to be updated for ipq | |
1337 | ||
1338 | Update the label on an IP fragment reassembly queue (ipq) based | |
1339 | on the acceptance of the passed IP fragment mbuf header (fragment). | |
1340 | */ | |
1341 | typedef void mpo_ipq_label_update_t( | |
1342 | struct mbuf *fragment, | |
1343 | struct label *fragmentlabel, | |
1344 | struct ipq *ipq, | |
1345 | struct label *ipqlabel | |
1346 | ); | |
1347 | /** | |
1348 | @brief Access control check for relabelling Login Context | |
1349 | @param l Subject credential | |
1350 | @param newlabel New label to apply to the Login Context | |
1351 | @see mpo_lctx_label_update_t | |
1352 | @see mac_set_lcid | |
1353 | @see mac_set_lctx | |
1354 | ||
1355 | Determine whether the subject identified by the credential can relabel | |
1356 | itself to the supplied new label (newlabel). This access control check | |
1357 | is called when the mac_set_lctx/lcid system call is invoked. A user space | |
1358 | application will supply a new value, the value will be internalized | |
1359 | and provided in newlabel. | |
1360 | ||
1361 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1362 | errno should be returned. | |
1363 | */ | |
1364 | typedef int mpo_lctx_check_label_update_t( | |
1365 | struct lctx *l, | |
1366 | struct label *newlabel | |
1367 | ); | |
1368 | /** | |
1369 | @brief Destroy Login Context label | |
1370 | @param label The label to be destroyed | |
1371 | */ | |
1372 | typedef void mpo_lctx_label_destroy_t( | |
1373 | struct label *label | |
1374 | ); | |
1375 | /** | |
1376 | @brief Externalize a Login Context label | |
1377 | @param label Label to be externalized | |
1378 | @param element_name Name of the label namespace for which labels should be | |
1379 | externalized | |
1380 | @param sb String buffer to be filled with a text representation of the label | |
1381 | ||
1382 | Produce an external representation of the label on a Login Context. | |
1383 | An externalized label consists of a text representation | |
1384 | of the label contents that can be used with user applications. | |
1385 | Policy-agnostic user space tools will display this externalized | |
1386 | version. | |
1387 | ||
1388 | @return 0 on success, return non-zero if an error occurs while | |
1389 | externalizing the label data. | |
1390 | ||
1391 | */ | |
1392 | typedef int mpo_lctx_label_externalize_t( | |
1393 | struct label *label, | |
1394 | char *element_name, | |
1395 | struct sbuf *sb | |
1396 | ); | |
1397 | /** | |
1398 | @brief Initialize Login Context label | |
1399 | @param label New label to initialize | |
1400 | */ | |
1401 | typedef void mpo_lctx_label_init_t( | |
1402 | struct label *label | |
1403 | ); | |
1404 | /** | |
1405 | @brief Internalize a Login Context label | |
1406 | @param label Label to be internalized | |
1407 | @param element_name Name of the label namespace for which the label should | |
1408 | be internalized | |
1409 | @param element_data Text data to be internalized | |
1410 | ||
1411 | Produce a Login Context label from an external representation. An | |
1412 | externalized label consists of a text representation of the label | |
1413 | contents that can be used with user applications. Policy-agnostic | |
1414 | user space tools will forward text version to the kernel for | |
1415 | processing by individual policy modules. | |
1416 | ||
1417 | The policy's internalize entry points will be called only if the | |
1418 | policy has registered interest in the label namespace. | |
1419 | ||
1420 | @return 0 on success, Otherwise, return non-zero if an error occurs | |
1421 | while internalizing the label data. | |
1422 | ||
1423 | */ | |
1424 | typedef int mpo_lctx_label_internalize_t( | |
1425 | struct label *label, | |
1426 | char *element_name, | |
1427 | char *element_data | |
1428 | ); | |
1429 | /** | |
1430 | @brief Update a Login Context label | |
1431 | @param l | |
1432 | @param newlabel A new label to apply to the Login Context | |
1433 | @see mpo_lctx_check_label_update_t | |
1434 | @see mac_set_lcid | |
1435 | @see mac_set_lctx | |
1436 | ||
1437 | Update the label on a login context, using the supplied new label. | |
1438 | This is called as a result of a login context relabel operation. Access | |
1439 | control was already confirmed by mpo_lctx_check_label_update. | |
1440 | */ | |
1441 | typedef void mpo_lctx_label_update_t( | |
1442 | struct lctx *l, | |
1443 | struct label *newlabel | |
1444 | ); | |
1445 | /** | |
1446 | @brief A process has created a login context | |
1447 | @param p Subject | |
1448 | @param l Login Context | |
1449 | ||
1450 | When a process creates a login context (via setlcid()) this entrypoint | |
1451 | is called to notify the policy that the process 'p' has created login | |
1452 | context 'l'. | |
1453 | */ | |
1454 | typedef void mpo_lctx_notify_create_t( | |
1455 | struct proc *p, | |
1456 | struct lctx *l | |
1457 | ); | |
1458 | /** | |
1459 | @brief A process has joined a login context | |
1460 | @param p Subject | |
1461 | @param l Login Context | |
1462 | ||
1463 | When a process joins a login context, either via setlcid() or via | |
1464 | fork() this entrypoint is called to notify the policy that process | |
1465 | 'p' is now a member of login context 'l'. | |
1466 | */ | |
1467 | typedef void mpo_lctx_notify_join_t( | |
1468 | struct proc *p, | |
1469 | struct lctx *l | |
1470 | ); | |
1471 | /** | |
1472 | @brief A process has left a login context | |
1473 | @param p Subject | |
1474 | @param l Login Context | |
1475 | ||
1476 | When a process leaves a login context either via setlcid() or as a | |
1477 | result of the process exiting this entrypoint is called to notify | |
1478 | the policy that the process 'p' is no longer a member of login context 'l'. | |
1479 | */ | |
1480 | typedef void mpo_lctx_notify_leave_t( | |
1481 | struct proc *p, | |
1482 | struct lctx *l | |
1483 | ); | |
1484 | /** | |
1485 | @brief Assign a label to a new mbuf | |
1486 | @param bpf_d BPF descriptor | |
1487 | @param b_label Policy label for bpf_d | |
1488 | @param m Object; mbuf | |
1489 | @param m_label Policy label to fill in for m | |
1490 | ||
1491 | Set the label on the mbuf header of a newly created datagram | |
1492 | generated using the passed BPF descriptor. This call is made when | |
1493 | a write is performed to the BPF device associated with the passed | |
1494 | BPF descriptor. | |
1495 | */ | |
1496 | typedef void mpo_mbuf_label_associate_bpfdesc_t( | |
1497 | struct bpf_d *bpf_d, | |
1498 | struct label *b_label, | |
1499 | struct mbuf *m, | |
1500 | struct label *m_label | |
1501 | ); | |
1502 | /** | |
1503 | @brief Assign a label to a new mbuf | |
1504 | @param ifp Interface descriptor | |
1505 | @param i_label Existing label of ifp | |
1506 | @param m Object; mbuf | |
1507 | @param m_label Policy label to fill in for m | |
1508 | ||
1509 | Label an mbuf based on the interface from which it was received. | |
1510 | */ | |
1511 | typedef void mpo_mbuf_label_associate_ifnet_t( | |
1512 | struct ifnet *ifp, | |
1513 | struct label *i_label, | |
1514 | struct mbuf *m, | |
1515 | struct label *m_label | |
1516 | ); | |
1517 | /** | |
1518 | @brief Assign a label to a new mbuf | |
1519 | @param inp inpcb structure | |
1520 | @param i_label Existing label of inp | |
1521 | @param m Object; mbuf | |
1522 | @param m_label Policy label to fill in for m | |
1523 | ||
1524 | Label an mbuf based on the inpcb from which it was derived. | |
1525 | */ | |
1526 | typedef void mpo_mbuf_label_associate_inpcb_t( | |
1527 | struct inpcb *inp, | |
1528 | struct label *i_label, | |
1529 | struct mbuf *m, | |
1530 | struct label *m_label | |
1531 | ); | |
1532 | /** | |
1533 | @brief Set the label on a newly reassembled IP datagram | |
1534 | @param ipq IP fragment reassembly queue | |
1535 | @param ipqlabel Policy label for ipq | |
1536 | @param mbuf IP datagram to be labeled | |
1537 | @param mbuflabel Policy label to be filled in for mbuf | |
1538 | ||
1539 | Set the label on a newly reassembled IP datagram (mbuf) from the IP | |
1540 | fragment reassembly queue (ipq) from which it was generated. | |
1541 | */ | |
1542 | typedef void mpo_mbuf_label_associate_ipq_t( | |
1543 | struct ipq *ipq, | |
1544 | struct label *ipqlabel, | |
1545 | struct mbuf *mbuf, | |
1546 | struct label *mbuflabel | |
1547 | ); | |
1548 | /** | |
1549 | @brief Assign a label to a new mbuf | |
1550 | @param ifp Subject; network interface | |
1551 | @param i_label Existing label of ifp | |
1552 | @param m Object; mbuf | |
1553 | @param m_label Policy label to fill in for m | |
1554 | ||
1555 | Set the label on the mbuf header of a newly created datagram | |
1556 | generated for the purposes of a link layer response for the passed | |
1557 | interface. This call may be made in a number of situations, including | |
1558 | for ARP or ND6 responses in the IPv4 and IPv6 stacks. | |
1559 | */ | |
1560 | typedef void mpo_mbuf_label_associate_linklayer_t( | |
1561 | struct ifnet *ifp, | |
1562 | struct label *i_label, | |
1563 | struct mbuf *m, | |
1564 | struct label *m_label | |
1565 | ); | |
1566 | /** | |
1567 | @brief Assign a label to a new mbuf | |
1568 | @param oldmbuf mbuf headerder for existing datagram for existing datagram | |
1569 | @param oldmbuflabel Policy label for oldmbuf | |
1570 | @param ifp Network interface | |
1571 | @param ifplabel Policy label for ifp | |
1572 | @param newmbuf mbuf header to be labeled for new datagram | |
1573 | @param newmbuflabel Policy label for newmbuf | |
1574 | ||
1575 | Set the label on the mbuf header of a newly created datagram | |
1576 | generated from the existing passed datagram when it is processed | |
1577 | by the passed multicast encapsulation interface. This call is made | |
1578 | when an mbuf is to be delivered using the virtual interface. | |
1579 | */ | |
1580 | typedef void mpo_mbuf_label_associate_multicast_encap_t( | |
1581 | struct mbuf *oldmbuf, | |
1582 | struct label *oldmbuflabel, | |
1583 | struct ifnet *ifp, | |
1584 | struct label *ifplabel, | |
1585 | struct mbuf *newmbuf, | |
1586 | struct label *newmbuflabel | |
1587 | ); | |
1588 | /** | |
1589 | @brief Assign a label to a new mbuf | |
1590 | @param oldmbuf Received datagram | |
1591 | @param oldmbuflabel Policy label for oldmbuf | |
1592 | @param newmbuf Newly created datagram | |
1593 | @param newmbuflabel Policy label for newmbuf | |
1594 | ||
1595 | Set the label on the mbuf header of a newly created datagram generated | |
1596 | by the IP stack in response to an existing received datagram (oldmbuf). | |
1597 | This call may be made in a number of situations, including when responding | |
1598 | to ICMP request datagrams. | |
1599 | */ | |
1600 | typedef void mpo_mbuf_label_associate_netlayer_t( | |
1601 | struct mbuf *oldmbuf, | |
1602 | struct label *oldmbuflabel, | |
1603 | struct mbuf *newmbuf, | |
1604 | struct label *newmbuflabel | |
1605 | ); | |
1606 | /** | |
1607 | @brief Assign a label to a new mbuf | |
1608 | @param so Socket to label | |
1609 | @param so_label Policy label for socket | |
1610 | @param m Object; mbuf | |
1611 | @param m_label Policy label to fill in for m | |
1612 | ||
1613 | An mbuf structure is used to store network traffic in transit. | |
1614 | When an application sends data to a socket or a pipe, it is wrapped | |
1615 | in an mbuf first. This function sets the label on a newly created mbuf header | |
1616 | based on the socket sending the data. The contents of the label should be | |
1617 | suitable for performing an access check on the receiving side of the | |
1618 | communication. | |
1619 | ||
1620 | Only labeled MBUFs will be presented to the policy via this entrypoint. | |
1621 | */ | |
1622 | typedef void mpo_mbuf_label_associate_socket_t( | |
1623 | socket_t so, | |
1624 | struct label *so_label, | |
1625 | struct mbuf *m, | |
1626 | struct label *m_label | |
1627 | ); | |
1628 | /** | |
1629 | @brief Copy a mbuf label | |
1630 | @param src Source label | |
1631 | @param dest Destination label | |
1632 | ||
1633 | Copy the mbuf label information in src into dest. | |
1634 | ||
1635 | Only called when both source and destination mbufs have labels. | |
1636 | */ | |
1637 | typedef void mpo_mbuf_label_copy_t( | |
1638 | struct label *src, | |
1639 | struct label *dest | |
1640 | ); | |
1641 | /** | |
1642 | @brief Destroy mbuf label | |
1643 | @param label The label to be destroyed | |
1644 | ||
1645 | Destroy a mbuf label. Since the | |
1646 | object is going out of scope, policy modules should free any | |
1647 | internal storage associated with the label so that it may be | |
1648 | destroyed. | |
1649 | */ | |
1650 | typedef void mpo_mbuf_label_destroy_t( | |
1651 | struct label *label | |
1652 | ); | |
1653 | /** | |
1654 | @brief Initialize mbuf label | |
1655 | @param label New label to initialize | |
1656 | @param flag Malloc flags | |
1657 | ||
1658 | Initialize the label for a newly instantiated mbuf. | |
1659 | ||
1660 | @warning Since it is possible for the flags to be set to | |
1661 | M_NOWAIT, the malloc operation may fail. | |
1662 | ||
1663 | @return On success, 0, otherwise, an appropriate errno return value. | |
1664 | */ | |
1665 | typedef int mpo_mbuf_label_init_t( | |
1666 | struct label *label, | |
1667 | int flag | |
1668 | ); | |
1669 | /** | |
1670 | @brief Access control check for fsctl | |
1671 | @param cred Subject credential | |
1672 | @param mp The mount point | |
1673 | @param label Label associated with the mount point | |
1674 | @param com Filesystem-dependent request code; see fsctl(2) | |
1675 | ||
1676 | Determine whether the subject identified by the credential can perform | |
1677 | the volume operation indicated by com. | |
1678 | ||
1679 | @warning The fsctl() system call is directly analogous to ioctl(); since | |
1680 | the associated data is opaque from the standpoint of the MAC framework | |
1681 | and since these operations can affect many aspects of system operation, | |
1682 | policies must exercise extreme care when implementing access control checks. | |
1683 | ||
1684 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1685 | errno should be returned. | |
1686 | */ | |
1687 | typedef int mpo_mount_check_fsctl_t( | |
1688 | kauth_cred_t cred, | |
1689 | struct mount *mp, | |
1690 | struct label *label, | |
1691 | unsigned int cmd | |
1692 | ); | |
1693 | /** | |
1694 | @brief Access control check for the retrieval of file system attributes | |
1695 | @param cred Subject credential | |
1696 | @param mp The mount structure of the file system | |
1697 | @param vfa The attributes requested | |
1698 | ||
1699 | This entry point determines whether given subject can get information | |
1700 | about the given file system. This check happens during statfs() syscalls, | |
1701 | but is also used by other parts within the kernel such as the audit system. | |
1702 | ||
1703 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1704 | errno should be returned. | |
1705 | */ | |
1706 | ||
1707 | typedef int mpo_mount_check_getattr_t( | |
1708 | kauth_cred_t cred, | |
1709 | struct mount *mp, | |
1710 | struct label *mp_label, | |
1711 | struct vfs_attr *vfa | |
1712 | ); | |
1713 | /** | |
1714 | @brief Access control check for mount point relabeling | |
1715 | @param cred Subject credential | |
1716 | @param mp Object file system mount point | |
1717 | @param mntlabel Policy label for fle system mount point | |
1718 | ||
1719 | Determine whether the subject identified by the credential can relabel | |
1720 | the mount point. This call is made when a file system mount is updated. | |
1721 | ||
1722 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1723 | errno should be returned. Suggested failure: EACCES for label mismatch | |
1724 | or EPERM for lack of privilege. | |
1725 | */ | |
1726 | typedef int mpo_mount_check_label_update_t( | |
1727 | kauth_cred_t cred, | |
1728 | struct mount *mp, | |
1729 | struct label *mntlabel | |
1730 | ); | |
1731 | /** | |
1732 | @brief Access control check for mounting a file system | |
1733 | @param cred Subject credential | |
1734 | @param vp Vnode that is to be the mount point | |
1735 | @param vlabel Label associated with the vnode | |
1736 | @param cnp Component name for vp | |
1737 | @param vfc_name Filesystem type name | |
1738 | ||
1739 | Determine whether the subject identified by the credential can perform | |
1740 | the mount operation on the target vnode. | |
1741 | ||
1742 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1743 | errno should be returned. | |
1744 | */ | |
1745 | typedef int mpo_mount_check_mount_t( | |
1746 | kauth_cred_t cred, | |
1747 | struct vnode *vp, | |
1748 | struct label *vlabel, | |
1749 | struct componentname *cnp, | |
1750 | const char *vfc_name | |
1751 | ); | |
1752 | /** | |
1753 | @brief Access control check remounting a filesystem | |
1754 | @param cred Subject credential | |
1755 | @param mp The mount point | |
1756 | @param mlabel Label currently associated with the mount point | |
1757 | ||
1758 | Determine whether the subject identified by the credential can perform | |
1759 | the remount operation on the target vnode. | |
1760 | ||
1761 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1762 | errno should be returned. | |
1763 | */ | |
1764 | typedef int mpo_mount_check_remount_t( | |
1765 | kauth_cred_t cred, | |
1766 | struct mount *mp, | |
1767 | struct label *mlabel | |
1768 | ); | |
1769 | /** | |
1770 | @brief Access control check for the settting of file system attributes | |
1771 | @param cred Subject credential | |
1772 | @param mp The mount structure of the file system | |
1773 | @param vfa The attributes requested | |
1774 | ||
1775 | This entry point determines whether given subject can set information | |
1776 | about the given file system, for example the volume name. | |
1777 | ||
1778 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1779 | errno should be returned. | |
1780 | */ | |
1781 | ||
1782 | typedef int mpo_mount_check_setattr_t( | |
1783 | kauth_cred_t cred, | |
1784 | struct mount *mp, | |
1785 | struct label *mp_label, | |
1786 | struct vfs_attr *vfa | |
1787 | ); | |
1788 | /** | |
1789 | @brief Access control check for file system statistics | |
1790 | @param cred Subject credential | |
1791 | @param mp Object file system mount | |
1792 | @param mntlabel Policy label for mp | |
1793 | ||
1794 | Determine whether the subject identified by the credential can see | |
1795 | the results of a statfs performed on the file system. This call may | |
1796 | be made in a number of situations, including during invocations of | |
1797 | statfs(2) and related calls, as well as to determine what file systems | |
1798 | to exclude from listings of file systems, such as when getfsstat(2) | |
1799 | is invoked. | |
1800 | ||
1801 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1802 | errno should be returned. Suggested failure: EACCES for label mismatch | |
1803 | or EPERM for lack of privilege. | |
1804 | */ | |
1805 | typedef int mpo_mount_check_stat_t( | |
1806 | kauth_cred_t cred, | |
1807 | struct mount *mp, | |
1808 | struct label *mntlabel | |
1809 | ); | |
1810 | /** | |
1811 | @brief Access control check for unmounting a filesystem | |
1812 | @param cred Subject credential | |
1813 | @param mp The mount point | |
1814 | @param mlabel Label associated with the mount point | |
1815 | ||
1816 | Determine whether the subject identified by the credential can perform | |
1817 | the unmount operation on the target vnode. | |
1818 | ||
1819 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1820 | errno should be returned. | |
1821 | */ | |
1822 | typedef int mpo_mount_check_umount_t( | |
1823 | kauth_cred_t cred, | |
1824 | struct mount *mp, | |
1825 | struct label *mlabel | |
1826 | ); | |
1827 | /** | |
1828 | @brief Create mount labels | |
1829 | @param cred Subject credential | |
1830 | @param mp Mount point of file system being mounted | |
1831 | @param mntlabel Label to associate with the new mount point | |
1832 | @see mpo_mount_label_init_t | |
1833 | ||
1834 | Fill out the labels on the mount point being created by the supplied | |
1835 | user credential. This call is made when file systems are first mounted. | |
1836 | */ | |
1837 | typedef void mpo_mount_label_associate_t( | |
1838 | kauth_cred_t cred, | |
1839 | struct mount *mp, | |
1840 | struct label *mntlabel | |
1841 | ); | |
1842 | /** | |
1843 | @brief Destroy mount label | |
1844 | @param label The label to be destroyed | |
1845 | ||
1846 | Destroy a file system mount label. Since the | |
1847 | object is going out of scope, policy modules should free any | |
1848 | internal storage associated with the label so that it may be | |
1849 | destroyed. | |
1850 | */ | |
1851 | typedef void mpo_mount_label_destroy_t( | |
1852 | struct label *label | |
1853 | ); | |
1854 | /** | |
1855 | @brief Externalize a mount point label | |
1856 | @param label Label to be externalized | |
1857 | @param element_name Name of the label namespace for which labels should be | |
1858 | externalized | |
1859 | @param sb String buffer to be filled with a text representation of the label | |
1860 | ||
1861 | Produce an external representation of the mount point label. An | |
1862 | externalized label consists of a text representation of the label | |
1863 | contents that can be used with user applications. Policy-agnostic | |
1864 | user space tools will display this externalized version. | |
1865 | ||
1866 | The policy's externalize entry points will be called only if the | |
1867 | policy has registered interest in the label namespace. | |
1868 | ||
1869 | @return 0 on success, return non-zero if an error occurs while | |
1870 | externalizing the label data. | |
1871 | ||
1872 | */ | |
1873 | typedef int mpo_mount_label_externalize_t( | |
1874 | struct label *label, | |
1875 | char *element_name, | |
1876 | struct sbuf *sb | |
1877 | ); | |
1878 | /** | |
1879 | @brief Initialize mount point label | |
1880 | @param label New label to initialize | |
1881 | ||
1882 | Initialize the label for a newly instantiated mount structure. | |
1883 | This label is typically used to store a default label in the case | |
1884 | that the file system has been mounted singlelabel. Since some | |
1885 | file systems do not support persistent labels (extended attributes) | |
1886 | or are read-only (such as CD-ROMs), it is often necessary to store | |
1887 | a default label separately from the label of the mount point | |
1888 | itself. Sleeping is permitted. | |
1889 | */ | |
1890 | typedef void mpo_mount_label_init_t( | |
1891 | struct label *label | |
1892 | ); | |
1893 | /** | |
1894 | @brief Internalize a mount point label | |
1895 | @param label Label to be internalized | |
1896 | @param element_name Name of the label namespace for which the label should | |
1897 | be internalized | |
1898 | @param element_data Text data to be internalized | |
1899 | ||
1900 | Produce a mount point file system label from an external representation. | |
1901 | An externalized label consists of a text representation of the label | |
1902 | contents that can be used with user applications. Policy-agnostic | |
1903 | user space tools will forward text version to the kernel for | |
1904 | processing by individual policy modules. | |
1905 | ||
1906 | The policy's internalize entry points will be called only if the | |
1907 | policy has registered interest in the label namespace. | |
1908 | ||
1909 | @return 0 on success, Otherwise, return non-zero if an error occurs | |
1910 | while internalizing the label data. | |
1911 | ||
1912 | */ | |
1913 | typedef int mpo_mount_label_internalize_t( | |
1914 | struct label *label, | |
1915 | char *element_name, | |
1916 | char *element_data | |
1917 | ); | |
1918 | /** | |
1919 | @brief Set the label on an IPv4 datagram fragment | |
1920 | @param datagram Datagram being fragmented | |
1921 | @param datagramlabel Policy label for datagram | |
1922 | @param fragment New fragment | |
1923 | @param fragmentlabel Policy label for fragment | |
1924 | ||
1925 | Called when an IPv4 datagram is fragmented into several smaller datagrams. | |
1926 | Policies implementing mbuf labels will typically copy the label from the | |
1927 | source datagram to the new fragment. | |
1928 | */ | |
1929 | typedef void mpo_netinet_fragment_t( | |
1930 | struct mbuf *datagram, | |
1931 | struct label *datagramlabel, | |
1932 | struct mbuf *fragment, | |
1933 | struct label *fragmentlabel | |
1934 | ); | |
1935 | /** | |
1936 | @brief Set the label on an ICMP reply | |
1937 | @param m mbuf containing the ICMP reply | |
1938 | @param mlabel Policy label for m | |
1939 | ||
1940 | A policy may wish to update the label of an mbuf that refers to | |
1941 | an ICMP packet being sent in response to an IP packet. This may | |
1942 | be called in response to a bad packet or an ICMP request. | |
1943 | */ | |
1944 | typedef void mpo_netinet_icmp_reply_t( | |
1945 | struct mbuf *m, | |
1946 | struct label *mlabel | |
1947 | ); | |
1948 | /** | |
1949 | @brief Set the label on a TCP reply | |
1950 | @param m mbuf containing the TCP reply | |
1951 | @param mlabel Policy label for m | |
1952 | ||
1953 | Called for outgoing TCP packets not associated with an actual socket. | |
1954 | */ | |
1955 | typedef void mpo_netinet_tcp_reply_t( | |
1956 | struct mbuf *m, | |
1957 | struct label *mlabel | |
1958 | ); | |
1959 | /** | |
1960 | @brief Access control check for pipe ioctl | |
1961 | @param cred Subject credential | |
1962 | @param cpipe Object to be accessed | |
1963 | @param pipelabel The label on the pipe | |
1964 | @param cmd The ioctl command; see ioctl(2) | |
1965 | ||
1966 | Determine whether the subject identified by the credential can perform | |
1967 | the ioctl operation indicated by cmd. | |
1968 | ||
1969 | @warning Since ioctl data is opaque from the standpoint of the MAC | |
1970 | framework, policies must exercise extreme care when implementing | |
1971 | access control checks. | |
1972 | ||
1973 | @return Return 0 if access is granted, otherwise an appropriate value for | |
1974 | errno should be returned. | |
1975 | ||
1976 | */ | |
1977 | typedef int mpo_pipe_check_ioctl_t( | |
1978 | kauth_cred_t cred, | |
1979 | struct pipe *cpipe, | |
1980 | struct label *pipelabel, | |
1981 | unsigned int cmd | |
1982 | ); | |
1983 | /** | |
1984 | @brief Access control check for pipe kqfilter | |
1985 | @param cred Subject credential | |
1986 | @param kn Object knote | |
1987 | @param cpipe Object to be accessed | |
1988 | @param pipelabel Policy label for the pipe | |
1989 | ||
1990 | Determine whether the subject identified by the credential can | |
1991 | receive the knote on the passed pipe. | |
1992 | ||
1993 | @return Return 0 if access if granted, otherwise an appropriate | |
1994 | value for errno should be returned. | |
1995 | */ | |
1996 | typedef int mpo_pipe_check_kqfilter_t( | |
1997 | kauth_cred_t cred, | |
1998 | struct knote *kn, | |
1999 | struct pipe *cpipe, | |
2000 | struct label *pipelabel | |
2001 | ); | |
2002 | /** | |
2003 | @brief Access control check for pipe relabel | |
2004 | @param cred Subject credential | |
2005 | @param cpipe Object to be accessed | |
2006 | @param pipelabel The current label on the pipe | |
2007 | @param newlabel The new label to be used | |
2008 | ||
2009 | Determine whether the subject identified by the credential can | |
2010 | perform a relabel operation on the passed pipe. The cred object holds | |
2011 | the credentials of the subject performing the operation. | |
2012 | ||
2013 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2014 | errno should be returned. | |
2015 | ||
2016 | */ | |
2017 | typedef int mpo_pipe_check_label_update_t( | |
2018 | kauth_cred_t cred, | |
2019 | struct pipe *cpipe, | |
2020 | struct label *pipelabel, | |
2021 | struct label *newlabel | |
2022 | ); | |
2023 | /** | |
2024 | @brief Access control check for pipe read | |
2025 | @param cred Subject credential | |
2026 | @param cpipe Object to be accessed | |
2027 | @param pipelabel The label on the pipe | |
2028 | ||
2029 | Determine whether the subject identified by the credential can | |
2030 | perform a read operation on the passed pipe. The cred object holds | |
2031 | the credentials of the subject performing the operation. | |
2032 | ||
2033 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2034 | errno should be returned. | |
2035 | ||
2036 | */ | |
2037 | typedef int mpo_pipe_check_read_t( | |
2038 | kauth_cred_t cred, | |
2039 | struct pipe *cpipe, | |
2040 | struct label *pipelabel | |
2041 | ); | |
2042 | /** | |
2043 | @brief Access control check for pipe select | |
2044 | @param cred Subject credential | |
2045 | @param cpipe Object to be accessed | |
2046 | @param pipelabel The label on the pipe | |
2047 | @param which The operation selected on: FREAD or FWRITE | |
2048 | ||
2049 | Determine whether the subject identified by the credential can | |
2050 | perform a select operation on the passed pipe. The cred object holds | |
2051 | the credentials of the subject performing the operation. | |
2052 | ||
2053 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2054 | errno should be returned. | |
2055 | ||
2056 | */ | |
2057 | typedef int mpo_pipe_check_select_t( | |
2058 | kauth_cred_t cred, | |
2059 | struct pipe *cpipe, | |
2060 | struct label *pipelabel, | |
2061 | int which | |
2062 | ); | |
2063 | /** | |
2064 | @brief Access control check for pipe stat | |
2065 | @param cred Subject credential | |
2066 | @param cpipe Object to be accessed | |
2067 | @param pipelabel The label on the pipe | |
2068 | ||
2069 | Determine whether the subject identified by the credential can | |
2070 | perform a stat operation on the passed pipe. The cred object holds | |
2071 | the credentials of the subject performing the operation. | |
2072 | ||
2073 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2074 | errno should be returned. | |
2075 | ||
2076 | */ | |
2077 | typedef int mpo_pipe_check_stat_t( | |
2078 | kauth_cred_t cred, | |
2079 | struct pipe *cpipe, | |
2080 | struct label *pipelabel | |
2081 | ); | |
2082 | /** | |
2083 | @brief Access control check for pipe write | |
2084 | @param cred Subject credential | |
2085 | @param cpipe Object to be accessed | |
2086 | @param pipelabel The label on the pipe | |
2087 | ||
2088 | Determine whether the subject identified by the credential can | |
2089 | perform a write operation on the passed pipe. The cred object holds | |
2090 | the credentials of the subject performing the operation. | |
2091 | ||
2092 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2093 | errno should be returned. | |
2094 | ||
2095 | */ | |
2096 | typedef int mpo_pipe_check_write_t( | |
2097 | kauth_cred_t cred, | |
2098 | struct pipe *cpipe, | |
2099 | struct label *pipelabel | |
2100 | ); | |
2101 | /** | |
2102 | @brief Create a pipe label | |
2103 | @param cred Subject credential | |
2104 | @param cpipe object to be labeled | |
2105 | @param label Label for the pipe object | |
2106 | ||
2107 | Create a label for the pipe object being created by the supplied | |
2108 | user credential. This call is made when the pipe is being created | |
2109 | XXXPIPE(for one or both sides of the pipe?). | |
2110 | ||
2111 | */ | |
2112 | typedef void mpo_pipe_label_associate_t( | |
2113 | kauth_cred_t cred, | |
2114 | struct pipe *cpipe, | |
2115 | struct label *pipelabel | |
2116 | ); | |
2117 | /** | |
2118 | @brief Copy a pipe label | |
2119 | @param src Source pipe label | |
2120 | @param dest Destination pipe label | |
2121 | ||
2122 | Copy the pipe label associated with src to dest. | |
2123 | XXXPIPE Describe when this is used: most likely during pipe creation to | |
2124 | copy from rpipe to wpipe. | |
2125 | */ | |
2126 | typedef void mpo_pipe_label_copy_t( | |
2127 | struct label *src, | |
2128 | struct label *dest | |
2129 | ); | |
2130 | /** | |
2131 | @brief Destroy pipe label | |
2132 | @param label The label to be destroyed | |
2133 | ||
2134 | Destroy a pipe label. Since the object is going out of scope, | |
2135 | policy modules should free any internal storage associated with the | |
2136 | label so that it may be destroyed. | |
2137 | */ | |
2138 | typedef void mpo_pipe_label_destroy_t( | |
2139 | struct label *label | |
2140 | ); | |
2141 | /** | |
2142 | @brief Externalize a pipe label | |
2143 | @param label Label to be externalized | |
2144 | @param element_name Name of the label namespace for which labels should be | |
2145 | externalized | |
2146 | @param sb String buffer to be filled with a text representation of the label | |
2147 | ||
2148 | Produce an external representation of the label on a pipe. | |
2149 | An externalized label consists of a text representation | |
2150 | of the label contents that can be used with user applications. | |
2151 | Policy-agnostic user space tools will display this externalized | |
2152 | version. | |
2153 | ||
2154 | The policy's externalize entry points will be called only if the | |
2155 | policy has registered interest in the label namespace. | |
2156 | ||
2157 | @return 0 on success, return non-zero if an error occurs while | |
2158 | externalizing the label data. | |
2159 | ||
2160 | */ | |
2161 | typedef int mpo_pipe_label_externalize_t( | |
2162 | struct label *label, | |
2163 | char *element_name, | |
2164 | struct sbuf *sb | |
2165 | ); | |
2166 | /** | |
2167 | @brief Initialize pipe label | |
2168 | @param label New label to initialize | |
2169 | ||
2170 | Initialize label storage for use with a newly instantiated pipe object. | |
2171 | Sleeping is permitted. | |
2172 | */ | |
2173 | typedef void mpo_pipe_label_init_t( | |
2174 | struct label *label | |
2175 | ); | |
2176 | /** | |
2177 | @brief Internalize a pipe label | |
2178 | @param label Label to be internalized | |
2179 | @param element_name Name of the label namespace for which the label should | |
2180 | be internalized | |
2181 | @param element_data Text data to be internalized | |
2182 | ||
2183 | Produce a pipe label from an external representation. An | |
2184 | externalized label consists of a text representation of the label | |
2185 | contents that can be used with user applications. Policy-agnostic | |
2186 | user space tools will forward text version to the kernel for | |
2187 | processing by individual policy modules. | |
2188 | ||
2189 | The policy's internalize entry points will be called only if the | |
2190 | policy has registered interest in the label namespace. | |
2191 | ||
2192 | @return 0 on success, Otherwise, return non-zero if an error occurs | |
2193 | while internalizing the label data. | |
2194 | ||
2195 | */ | |
2196 | typedef int mpo_pipe_label_internalize_t( | |
2197 | struct label *label, | |
2198 | char *element_name, | |
2199 | char *element_data | |
2200 | ); | |
2201 | /** | |
2202 | @brief Update a pipe label | |
2203 | @param cred Subject credential | |
2204 | @param cpipe Object to be labeled | |
2205 | @param oldlabel Existing pipe label | |
2206 | @param newlabel New label to replace existing label | |
2207 | @see mpo_pipe_check_label_update_t | |
2208 | ||
2209 | The subject identified by the credential has previously requested | |
2210 | and was authorized to relabel the pipe; this entry point allows | |
2211 | policies to perform the actual relabel operation. Policies should | |
2212 | update oldlabel using the label stored in the newlabel parameter. | |
2213 | ||
2214 | */ | |
2215 | typedef void mpo_pipe_label_update_t( | |
2216 | kauth_cred_t cred, | |
2217 | struct pipe *cpipe, | |
2218 | struct label *oldlabel, | |
2219 | struct label *newlabel | |
2220 | ); | |
2221 | /** | |
2222 | @brief Policy unload event | |
2223 | @param mpc MAC policy configuration | |
2224 | ||
2225 | This is the MAC Framework policy unload event. This entry point will | |
2226 | only be called if the module's policy configuration allows unload (if | |
2227 | the MPC_LOADTIME_FLAG_UNLOADOK is set). Most security policies won't | |
2228 | want to be unloaded; they should set their flags to prevent this | |
2229 | entry point from being called. | |
2230 | ||
2231 | @warning During this call, the mac policy list mutex is held, so | |
2232 | sleep operations cannot be performed, and calls out to other kernel | |
2233 | subsystems must be made with caution. | |
2234 | ||
2235 | @see MPC_LOADTIME_FLAG_UNLOADOK | |
2236 | */ | |
2237 | typedef void mpo_policy_destroy_t( | |
2238 | struct mac_policy_conf *mpc | |
2239 | ); | |
2240 | /** | |
2241 | @brief Policy initialization event | |
2242 | @param mpc MAC policy configuration | |
2243 | @see mac_policy_register | |
2244 | @see mpo_policy_initbsd_t | |
2245 | ||
2246 | This is the MAC Framework policy initialization event. This entry | |
2247 | point is called during mac_policy_register, when the policy module | |
2248 | is first registered with the MAC Framework. This is often done very | |
2249 | early in the boot process, after the kernel Mach subsystem has been | |
2250 | initialized, but prior to the BSD subsystem being initialized. | |
2251 | Since the kernel BSD services are not yet available, it is possible | |
2252 | that some initialization must occur later, possibly in the | |
2253 | mpo_policy_initbsd_t policy entry point, such as registering BSD system | |
2254 | controls (sysctls). Policy modules loaded at boot time will be | |
2255 | registered and initialized before labeled Mach objects are created. | |
2256 | ||
2257 | @warning During this call, the mac policy list mutex is held, so | |
2258 | sleep operations cannot be performed, and calls out to other kernel | |
2259 | subsystems must be made with caution. | |
2260 | */ | |
2261 | typedef void mpo_policy_init_t( | |
2262 | struct mac_policy_conf *mpc | |
2263 | ); | |
2264 | /** | |
2265 | @brief Policy BSD initialization event | |
2266 | @param mpc MAC policy configuration | |
2267 | @see mpo_policy_init_t | |
2268 | ||
2269 | This entry point is called after the kernel BSD subsystem has been | |
2270 | initialized. By this point, the module should already be loaded, | |
2271 | registered, and initialized. Since policy modules are initialized | |
2272 | before kernel BSD services are available, this second initialization | |
2273 | phase is necessary. At this point, BSD services (memory management, | |
2274 | synchronization primitives, vfs, etc.) are available, but the first | |
2275 | process has not yet been created. Mach-related objects and tasks | |
2276 | will already be fully initialized and may be in use--policies requiring | |
2277 | ubiquitous labeling may also want to implement mpo_policy_init_t. | |
2278 | ||
2279 | @warning During this call, the mac policy list mutex is held, so | |
2280 | sleep operations cannot be performed, and calls out to other kernel | |
2281 | subsystems must be made with caution. | |
2282 | */ | |
2283 | typedef void mpo_policy_initbsd_t( | |
2284 | struct mac_policy_conf *mpc | |
2285 | ); | |
2286 | /** | |
2287 | @brief Policy extension service | |
2288 | @param p Calling process | |
2289 | @param call Policy-specific syscall number | |
2290 | @param arg Pointer to syscall arguments | |
2291 | ||
2292 | This entry point provides a policy-multiplexed system call so that | |
2293 | policies may provide additional services to user processes without | |
2294 | registering specific system calls. The policy name provided during | |
2295 | registration is used to demux calls from userland, and the arguments | |
2296 | will be forwarded to this entry point. When implementing new | |
2297 | services, security modules should be sure to invoke appropriate | |
2298 | access control checks from the MAC framework as needed. For | |
2299 | example, if a policy implements an augmented signal functionality, | |
2300 | it should call the necessary signal access control checks to invoke | |
2301 | the MAC framework and other registered policies. | |
2302 | ||
2303 | @warning Since the format and contents of the policy-specific | |
2304 | arguments are unknown to the MAC Framework, modules must perform the | |
2305 | required copyin() of the syscall data on their own. No policy | |
2306 | mediation is performed, so policies must perform any necessary | |
2307 | access control checks themselves. If multiple policies are loaded, | |
2308 | they will currently be unable to mediate calls to other policies. | |
2309 | ||
2310 | @return In the event of an error, an appropriate value for errno | |
2311 | should be returned, otherwise return 0 upon success. | |
2312 | */ | |
2313 | typedef int mpo_policy_syscall_t( | |
2314 | struct proc *p, | |
2315 | int call, | |
2316 | user_addr_t arg | |
2317 | ); | |
2318 | /** | |
2319 | @brief Access control check for copying a send right to another task | |
2320 | @param task Label of the sender task | |
2321 | @param port Label of the affected port | |
2322 | ||
2323 | Access control check for copying send rights to the port from the | |
2324 | specified task. A complementary entry point, mpo_port_check_hold_send, | |
2325 | handles the receiving task. port_check_copy_send is called as part of | |
2326 | a group of policy invocations when messages with port rights are sent. | |
2327 | All access control checks made for a particular message must be successful | |
2328 | for the message to be sent. | |
2329 | ||
2330 | The task label and the port are locked. Sleeping is permitted. | |
2331 | ||
2332 | @return Return 0 if access is granted, non-zero otherwise. | |
2333 | */ | |
2334 | typedef int mpo_port_check_copy_send_t( | |
2335 | struct label *task, | |
2336 | struct label *port | |
2337 | ); | |
2338 | /** | |
2339 | @brief Access control check for obtaining a receive right | |
2340 | @param task Label of the receiving task | |
2341 | @param port Label of the affected port | |
2342 | ||
2343 | Access control check for a task obtaining receive rights to a | |
2344 | port. Usually, these are port rights that were obtained with a call | |
2345 | to mach_port_allocate. This entry point is called as part of a | |
2346 | group of policy invocations when messages with port rights are | |
2347 | received. All of these access control checks must succeed in order | |
2348 | to receive the message. | |
2349 | ||
2350 | The task label and the port are locked. Sleeping is permitted. | |
2351 | ||
2352 | @return Return 0 if access is granted, non-zero otherwise. | |
2353 | */ | |
2354 | typedef int mpo_port_check_hold_receive_t( | |
2355 | struct label *task, | |
2356 | struct label *port | |
2357 | ); | |
2358 | /** | |
2359 | @brief Access control check for obtaining a send once right | |
2360 | @param task Label of the receiving task | |
2361 | @param port Label of the affected port | |
2362 | ||
2363 | Access control check for a task obtaining send once rights to a port. Usually, | |
2364 | these are port rights that were part of a message sent by another userspace | |
2365 | task. port_check_hold_send_once is called as part of a group of policy | |
2366 | invocations when messages with port rights are received. All of these access | |
2367 | control checks must succeed in order to receive the message. | |
2368 | ||
2369 | The task label and the port are locked. Sleeping is permitted. | |
2370 | ||
2371 | @return Return 0 if access is granted, non-zero otherwise. | |
2372 | */ | |
2373 | typedef int mpo_port_check_hold_send_once_t( | |
2374 | struct label *task, | |
2375 | struct label *port | |
2376 | ); | |
2377 | /** | |
2378 | @brief Access control check for obtaining a send right | |
2379 | @param task Label of the receiving task | |
2380 | @param port Label of the affected port | |
2381 | ||
2382 | Access control check for a task obtaining send rights to a port. Usually, | |
2383 | these are port rights that were part of a message sent by another userspace | |
2384 | task. port_check_hold_send is called as part of a group of policy | |
2385 | invocations when messages with port rights are received. All of these access | |
2386 | control checks must succeed in order to receive the message. | |
2387 | ||
2388 | The task label and the port are locked. Sleeping is permitted. | |
2389 | ||
2390 | @return Return 0 if access is granted, non-zero otherwise. | |
2391 | */ | |
2392 | typedef int mpo_port_check_hold_send_t( | |
2393 | struct label *task, | |
2394 | struct label *port | |
2395 | ); | |
2396 | /** | |
2397 | @brief Access control check for relabelling ports | |
2398 | @param task Subject's task label | |
2399 | @param oldlabel Original label of port | |
2400 | @param newlabel New label for port | |
2401 | ||
2402 | Access control check for relabelling ports. The policy should | |
2403 | indicate whether the subject is permitted to change the label | |
2404 | of a port from oldlabel to newlabel. The port is locked, but | |
2405 | the subject's task label is not locked. | |
2406 | ||
2407 | @warning XXX In future releases, the task label lock will likely | |
2408 | also be held. | |
2409 | ||
2410 | @return Return 0 if access is granted, non-zero otherwise. | |
2411 | */ | |
2412 | typedef int mpo_port_check_label_update_t( | |
2413 | struct label *task, | |
2414 | struct label *oldlabel, | |
2415 | struct label *newlabel | |
2416 | ); | |
2417 | /** | |
2418 | @brief Access control check for producing a send once right from a receive right | |
2419 | @param task Label of the sender task | |
2420 | @param port Label of the affected port | |
2421 | ||
2422 | Access control check for obtaining send once rights from receive rights. | |
2423 | The new send once right may be destined for the calling task, or a different | |
2424 | task. In either case the mpo_port_check_hold_send_once entry point handles | |
2425 | the receiving task. port_check_make_send_once may be called as part of a | |
2426 | group of policy invocations when messages with port rights are sent. | |
2427 | All access control checks made for a particular message must be successful | |
2428 | for the message to be sent. | |
2429 | ||
2430 | The task label and the port are locked. Sleeping is permitted. | |
2431 | ||
2432 | @return Return 0 if access is granted, non-zero otherwise. | |
2433 | */ | |
2434 | typedef int mpo_port_check_make_send_once_t( | |
2435 | struct label *task, | |
2436 | struct label *port | |
2437 | ); | |
2438 | /** | |
2439 | @brief Access control check for producing a send right from a receive right | |
2440 | @param task Label of the sender task | |
2441 | @param port Label of the affected port | |
2442 | ||
2443 | Access control check for obtaining send rights from receive rights. The new | |
2444 | send right may be destined for the calling task, or a different task. | |
2445 | In either case the mpo_port_check_hold_send entry point | |
2446 | handles the receiving task. port_check_make_send may be called as part of | |
2447 | a group of policy invocations when messages with port rights are sent. | |
2448 | All access control checks made for a particular message must be successful | |
2449 | for the message to be sent. | |
2450 | ||
2451 | The task label and the port are locked. Sleeping is permitted. | |
2452 | ||
2453 | @return Return 0 if access is granted, non-zero otherwise. | |
2454 | */ | |
2455 | typedef int mpo_port_check_make_send_t( | |
2456 | struct label *task, | |
2457 | struct label *port | |
2458 | ); | |
2459 | /** | |
2460 | @brief Compute access control check for a Mach message-based service | |
2461 | @param proc Sender's process structure (may be NULL) | |
2462 | @param task Sender's task label | |
2463 | @param port Destination port label | |
2464 | @param msgid Message id | |
2465 | ||
2466 | Access control computation for message-based services. This entry point | |
2467 | computes permission to the service requested by the specified port and message | |
2468 | id, for example a single MiG server routine, and is unrelated to the access | |
2469 | check for sending messages to ports (but that check must succeed for the | |
2470 | message to be sent to the destination). The result of this access computation | |
2471 | is stored in the message trailer field msgh_ad (only if requested by the | |
2472 | recipient); it does not actually inhibit the message from being sent or | |
2473 | received. | |
2474 | ||
2475 | @return 0 for access granted, nonzero for access denied. | |
2476 | */ | |
2477 | ||
2478 | typedef int mpo_port_check_method_t( | |
2479 | struct proc *proc, | |
2480 | struct label *task, | |
2481 | struct label *port, | |
2482 | int msgid | |
2483 | ); | |
2484 | /** | |
2485 | @brief Access control check for transferring a receive right | |
2486 | @param task Label of the sender task | |
2487 | @param port Label of the affected port | |
2488 | ||
2489 | Access control check for transferring the receive right to a port out | |
2490 | of the specified task. A complementary entry point, | |
2491 | mpo_port_check_hold_receive, handles the receiving task. | |
2492 | port_check_move_receive is called as part of | |
2493 | a group of policy invocations when messages with port rights are sent. | |
2494 | All access control checks made for a particular message must be successful | |
2495 | for the message to be sent. | |
2496 | ||
2497 | The task label and the port are locked. Sleeping is permitted. | |
2498 | ||
2499 | @return Return 0 if access is granted, non-zero otherwise. | |
2500 | */ | |
2501 | typedef int mpo_port_check_move_receive_t( | |
2502 | struct label *task, | |
2503 | struct label *port | |
2504 | ); | |
2505 | /** | |
2506 | @brief Access control check for transferring a send once right | |
2507 | @param task Label of the sender task | |
2508 | @param port Label of the affected port | |
2509 | ||
2510 | Access control check for transferring a send once right from one task to | |
2511 | the task listening to the specified port. A complementary entry point, | |
2512 | mpo_port_check_hold_send_once, handles the receiving task. | |
2513 | port_check_move_send_once is called as part of a group of policy invocations | |
2514 | when messages with port rights are sent. All access control checks made | |
2515 | for a particular message must be successful for the message to be sent. | |
2516 | ||
2517 | The task label and the port are locked. Sleeping is permitted. | |
2518 | ||
2519 | @return Return 0 if access is granted, non-zero otherwise. | |
2520 | */ | |
2521 | typedef int mpo_port_check_move_send_once_t( | |
2522 | struct label *task, | |
2523 | struct label *port | |
2524 | ); | |
2525 | /** | |
2526 | @brief Access control check for transferring a send right | |
2527 | @param task Label of the sender task | |
2528 | @param port Label of the affected port | |
2529 | ||
2530 | Access control check for transferring a send right from one task to the | |
2531 | task listening to the specified port. A complementary entry point, | |
2532 | mpo_port_check_hold_send, handles the receiving task. | |
2533 | port_check_move_send is called as part of a group of policy invocations | |
2534 | when messages with port rights are sent. All access control checks made | |
2535 | for a particular message must be successful for the message to be sent. | |
2536 | ||
2537 | The task label and the port are locked. Sleeping is permitted. | |
2538 | ||
2539 | @return Return 0 if access is granted, non-zero otherwise. | |
2540 | */ | |
2541 | typedef int mpo_port_check_move_send_t( | |
2542 | struct label *task, | |
2543 | struct label *port | |
2544 | ); | |
2545 | /** | |
2546 | @brief Access control check for receiving Mach messsages | |
2547 | @param task Label of the receiving task | |
2548 | @param sender Label of the sending task | |
2549 | ||
2550 | Access control check for receiving messages. The two labels are locked. | |
2551 | ||
2552 | @warning This entry point can be invoked from many places inside the | |
2553 | kernel, with arbitrary other locks held. The implementation of this | |
2554 | entry point must not cause page faults, as those are handled by mach | |
2555 | messages. | |
2556 | ||
2557 | @return Return 0 if access is granted, non-zero otherwise. | |
2558 | */ | |
2559 | typedef int mpo_port_check_receive_t( | |
2560 | struct label *task, | |
2561 | struct label *sender | |
2562 | ); | |
2563 | /** | |
2564 | @brief Access control check for sending Mach messsages | |
2565 | @param task Label of the sender task | |
2566 | @param port Label of the destination port | |
2567 | ||
2568 | Access control check for sending messages. The task label and the | |
2569 | port are locked. | |
2570 | ||
2571 | @warning This entry point can be invoked from many places inside the | |
2572 | kernel, with arbitrary other locks held. The implementation of this | |
2573 | entry point must not cause page faults, as those are handled by mach | |
2574 | messages. | |
2575 | ||
2576 | @return Return 0 if access is granted, non-zero otherwise. | |
2577 | */ | |
2578 | typedef int mpo_port_check_send_t( | |
2579 | struct label *task, | |
2580 | struct label *port | |
2581 | ); | |
2582 | /** | |
2583 | @brief Generic access control check | |
2584 | @param subj Caller-provided subject label | |
2585 | @param obj Caller-provided object label | |
2586 | @param serv Service or object class name | |
2587 | @param perm Permission, or method, within the specified service | |
2588 | ||
2589 | This function provides a general way for a user process to query | |
2590 | an arbitrary access control decision from the system's security policies. | |
2591 | Currently, there are no standards for the format of the service and | |
2592 | permission names. Labels may be either cred or port labels; the policy | |
2593 | must accept either. The userspace interfaces to this entry point allow | |
2594 | label strings or label handles (ports) to be provided. | |
2595 | ||
2596 | @return Return 0 if access is granted, non-zero otherwise. | |
2597 | */ | |
2598 | typedef int mpo_port_check_service_t( | |
2599 | struct label *subj, | |
2600 | struct label *obj, | |
2601 | const char *serv, | |
2602 | const char *perm | |
2603 | ); | |
2604 | /** | |
2605 | @brief Assign a label to a new Mach port created by the kernel | |
2606 | @param portlabel Label for the new port | |
2607 | @param isreply True if the port is for a reply message from the kernel | |
2608 | ||
2609 | Assign a label to a new port created by the kernel. If the port is being | |
2610 | used to reply to a message, isreply is 1 (0 otherwise). The port is locked. | |
2611 | */ | |
2612 | typedef void mpo_port_label_associate_kernel_t( | |
2613 | struct label *portlabel, | |
2614 | int isreply | |
2615 | ); | |
2616 | /** | |
2617 | @brief Assign a label to a new Mach port | |
2618 | @param it Task label of issuer | |
2619 | @param st Task label of target | |
2620 | @param portlabel Label for the new port | |
2621 | ||
2622 | Assign a label to a new port. The policy can base this label on | |
2623 | the label of the calling task, as well as the label of the target task. | |
2624 | The target task is the one which recieves the first right for this port. | |
2625 | Both task labels and the port are locked. | |
2626 | */ | |
2627 | typedef void mpo_port_label_associate_t( | |
2628 | struct label *it, | |
2629 | struct label *st, | |
2630 | struct label *portlabel | |
2631 | ); | |
2632 | /** | |
2633 | @brief Request label for new (userspace) object | |
2634 | @param subj Subject label | |
2635 | @param obj Parent or existing object label | |
2636 | @param serv Name of service | |
2637 | @param out Computed label | |
2638 | ||
2639 | Ask the loaded policies to compute a label based on the two input labels | |
2640 | and the service name. There is currently no standard for the service name, | |
2641 | or even what the input labels represent (Subject and parent object are only | |
2642 | a suggestion). If successful, the computed label is stored in out. All labels | |
2643 | must be port (or task) labels. The userspace interfaces to this entry point | |
2644 | allow label handles (ports) to be provided. | |
2645 | ||
2646 | @return 0 on success, or an errno value for failure. | |
2647 | */ | |
2648 | typedef int mpo_port_label_compute_t( | |
2649 | struct label *subj, | |
2650 | struct label *obj, | |
2651 | const char *serv, | |
2652 | struct label *out | |
2653 | ); | |
2654 | /** | |
2655 | @brief Copy a Mach port label | |
2656 | @param src Source port label | |
2657 | @param dest Destination port label | |
2658 | ||
2659 | Copy the Mach port label information from src to dest. This is used | |
2660 | to copy user-suplied labels into an existing port. | |
2661 | */ | |
2662 | typedef void mpo_port_label_copy_t( | |
2663 | struct label *src, | |
2664 | struct label *dest | |
2665 | ); | |
2666 | /** | |
2667 | @brief Destroy Mach port label | |
2668 | @param label The label to be destroyed | |
2669 | ||
2670 | Destroy a Mach port label. Since the object is going out of | |
2671 | scope, policy modules should free any internal storage associated | |
2672 | with the label so that it may be destroyed. | |
2673 | */ | |
2674 | typedef void mpo_port_label_destroy_t( | |
2675 | struct label *label | |
2676 | ); | |
2677 | /** | |
2678 | @brief Initialize Mach port label | |
2679 | @param label New label to initialize | |
2680 | ||
2681 | Initialize the label for a newly instantiated Mach port. Sleeping | |
2682 | is permitted. | |
2683 | */ | |
2684 | typedef void mpo_port_label_init_t( | |
2685 | struct label *label | |
2686 | ); | |
2687 | /** | |
2688 | @brief Update a Mach task port label | |
2689 | @param cred User credential label to be used as the source | |
2690 | @param task Mach port label to be used as the destination | |
2691 | @see mpo_cred_label_update_t | |
2692 | @see mpo_cred_label_update_execve_t | |
2693 | ||
2694 | Update the label on a Mach task port, using the supplied user | |
2695 | credential label. When a mac_cred_label_update_execve or a mac_cred_label_update | |
2696 | operation causes the label on a user credential to change, the Mach | |
2697 | task port label also needs to be updated to reflect the change. | |
2698 | Both labels are already valid (initialized and created). | |
2699 | */ | |
2700 | typedef void mpo_port_label_update_cred_t( | |
2701 | struct label *cred, | |
2702 | struct label *task | |
2703 | ); | |
2704 | /** | |
2705 | @brief Assign a label to a Mach port connected to a kernel object | |
2706 | @param portlabel Label for the port | |
2707 | @param kotype Type of kernel object | |
2708 | ||
2709 | Label a kernel port based on the type of object behind it. The | |
2710 | kotype parameter is one of the IKOT constants in | |
2711 | <kern/ipc_kobject.h>. The port already has a valid label from either | |
2712 | mpo_port_label_associate_kernel, or because it is a task port and has a label | |
2713 | derived from the process and task labels. The port is locked. | |
2714 | */ | |
2715 | typedef void mpo_port_label_update_kobject_t( | |
2716 | struct label *portlabel, | |
2717 | int kotype | |
2718 | ); | |
2719 | /** | |
2720 | @brief Access control check for POSIX semaphore create | |
2721 | @param cred Subject credential | |
2722 | @param name String name of the semaphore | |
2723 | ||
2724 | Determine whether the subject identified by the credential can create | |
2725 | a POSIX semaphore specified by name. | |
2726 | ||
2727 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2728 | errno should be returned. | |
2729 | */ | |
2730 | typedef int mpo_posixsem_check_create_t( | |
2731 | kauth_cred_t cred, | |
2732 | const char *name | |
2733 | ); | |
2734 | /** | |
2735 | @brief Access control check for POSIX semaphore open | |
2736 | @param cred Subject credential | |
2737 | @param ps Pointer to semaphore information structure | |
2738 | @param semlabel Label associated with the semaphore | |
2739 | ||
2740 | Determine whether the subject identified by the credential can open | |
2741 | the named POSIX semaphore with label semlabel. | |
2742 | ||
2743 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2744 | errno should be returned. | |
2745 | */ | |
2746 | typedef int mpo_posixsem_check_open_t( | |
2747 | kauth_cred_t cred, | |
2748 | struct pseminfo *ps, | |
2749 | struct label *semlabel | |
2750 | ); | |
2751 | /** | |
2752 | @brief Access control check for POSIX semaphore post | |
2753 | @param cred Subject credential | |
2754 | @param ps Pointer to semaphore information structure | |
2755 | @param semlabel Label associated with the semaphore | |
2756 | ||
2757 | Determine whether the subject identified by the credential can unlock | |
2758 | the named POSIX semaphore with label semlabel. | |
2759 | ||
2760 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2761 | errno should be returned. | |
2762 | */ | |
2763 | typedef int mpo_posixsem_check_post_t( | |
2764 | kauth_cred_t cred, | |
2765 | struct pseminfo *ps, | |
2766 | struct label *semlabel | |
2767 | ); | |
2768 | /** | |
2769 | @brief Access control check for POSIX semaphore unlink | |
2770 | @param cred Subject credential | |
2771 | @param ps Pointer to semaphore information structure | |
2772 | @param semlabel Label associated with the semaphore | |
2773 | @param name String name of the semaphore | |
2774 | ||
2775 | Determine whether the subject identified by the credential can remove | |
2776 | the named POSIX semaphore with label semlabel. | |
2777 | ||
2778 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2779 | errno should be returned. | |
2780 | */ | |
2781 | typedef int mpo_posixsem_check_unlink_t( | |
2782 | kauth_cred_t cred, | |
2783 | struct pseminfo *ps, | |
2784 | struct label *semlabel, | |
2785 | const char *name | |
2786 | ); | |
2787 | /** | |
2788 | @brief Access control check for POSIX semaphore wait | |
2789 | @param cred Subject credential | |
2790 | @param ps Pointer to semaphore information structure | |
2791 | @param semlabel Label associated with the semaphore | |
2792 | ||
2793 | Determine whether the subject identified by the credential can lock | |
2794 | the named POSIX semaphore with label semlabel. | |
2795 | ||
2796 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2797 | errno should be returned. | |
2798 | */ | |
2799 | typedef int mpo_posixsem_check_wait_t( | |
2800 | kauth_cred_t cred, | |
2801 | struct pseminfo *ps, | |
2802 | struct label *semlabel | |
2803 | ); | |
2804 | /** | |
2805 | @brief Create a POSIX semaphore label | |
2806 | @param cred Subject credential | |
2807 | @param ps Pointer to semaphore information structure | |
2808 | @param semlabel Label to associate with the new semaphore | |
2809 | @param name String name of the semaphore | |
2810 | ||
2811 | Label a new POSIX semaphore. The label was previously | |
2812 | initialized and associated with the semaphore. At this time, an | |
2813 | appropriate initial label value should be assigned to the object and | |
2814 | stored in semalabel. | |
2815 | */ | |
2816 | typedef void mpo_posixsem_label_associate_t( | |
2817 | kauth_cred_t cred, | |
2818 | struct pseminfo *ps, | |
2819 | struct label *semlabel, | |
2820 | const char *name | |
2821 | ); | |
2822 | /** | |
2823 | @brief Destroy POSIX semaphore label | |
2824 | @param label The label to be destroyed | |
2825 | ||
2826 | Destroy a POSIX semaphore label. Since the object is | |
2827 | going out of scope, policy modules should free any internal storage | |
2828 | associated with the label so that it may be destroyed. | |
2829 | */ | |
2830 | typedef void mpo_posixsem_label_destroy_t( | |
2831 | struct label *label | |
2832 | ); | |
2833 | /** | |
2834 | @brief Initialize POSIX semaphore label | |
2835 | @param label New label to initialize | |
2836 | ||
2837 | Initialize the label for a newly instantiated POSIX semaphore. Sleeping | |
2838 | is permitted. | |
2839 | */ | |
2840 | typedef void mpo_posixsem_label_init_t( | |
2841 | struct label *label | |
2842 | ); | |
2843 | /** | |
2844 | @brief Access control check for POSIX shared memory region create | |
2845 | @param cred Subject credential | |
2846 | @param name String name of the shared memory region | |
2847 | ||
2848 | Determine whether the subject identified by the credential can create | |
2849 | the POSIX shared memory region referenced by name. | |
2850 | ||
2851 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2852 | errno should be returned. | |
2853 | */ | |
2854 | typedef int mpo_posixshm_check_create_t( | |
2855 | kauth_cred_t cred, | |
2856 | const char *name | |
2857 | ); | |
2858 | /** | |
2859 | @brief Access control check for mapping POSIX shared memory | |
2860 | @param cred Subject credential | |
2861 | @param ps Pointer to shared memory information structure | |
2862 | @param shmlabel Label associated with the shared memory region | |
2863 | @param prot mmap protections; see mmap(2) | |
2864 | @param flags shmat flags; see shmat(2) | |
2865 | ||
2866 | Determine whether the subject identified by the credential can map | |
2867 | the POSIX shared memory segment associated with shmlabel. | |
2868 | ||
2869 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2870 | errno should be returned. | |
2871 | */ | |
2872 | typedef int mpo_posixshm_check_mmap_t( | |
2873 | kauth_cred_t cred, | |
2874 | struct pshminfo *ps, | |
2875 | struct label *shmlabel, | |
2876 | int prot, | |
2877 | int flags | |
2878 | ); | |
2879 | /** | |
2880 | @brief Access control check for POSIX shared memory region open | |
2881 | @param cred Subject credential | |
2882 | @param ps Pointer to shared memory information structure | |
2883 | @param shmlabel Label associated with the shared memory region | |
2884 | @param fflags shm_open(2) open flags ('fflags' encoded) | |
2885 | ||
2886 | Determine whether the subject identified by the credential can open | |
2887 | the POSIX shared memory region. | |
2888 | ||
2889 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2890 | errno should be returned. | |
2891 | */ | |
2892 | typedef int mpo_posixshm_check_open_t( | |
2893 | kauth_cred_t cred, | |
2894 | struct pshminfo *ps, | |
2895 | struct label *shmlabel, | |
2896 | int fflags | |
2897 | ); | |
2898 | /** | |
2899 | @brief Access control check for POSIX shared memory stat | |
2900 | @param cred Subject credential | |
2901 | @param ps Pointer to shared memory information structure | |
2902 | @param shmlabel Label associated with the shared memory region | |
2903 | ||
2904 | Determine whether the subject identified by the credential can obtain | |
2905 | status for the POSIX shared memory segment associated with shmlabel. | |
2906 | ||
2907 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2908 | errno should be returned. | |
2909 | */ | |
2910 | typedef int mpo_posixshm_check_stat_t( | |
2911 | kauth_cred_t cred, | |
2912 | struct pshminfo *ps, | |
2913 | struct label *shmlabel | |
2914 | ); | |
2915 | /** | |
2916 | @brief Access control check for POSIX shared memory truncate | |
2917 | @param cred Subject credential | |
2918 | @param ps Pointer to shared memory information structure | |
2919 | @param shmlabel Label associated with the shared memory region | |
2920 | @param len Length to truncate or extend shared memory segment | |
2921 | ||
2922 | Determine whether the subject identified by the credential can truncate | |
2923 | or extend (to len) the POSIX shared memory segment associated with shmlabel. | |
2924 | ||
2925 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2926 | errno should be returned. | |
2927 | */ | |
2928 | typedef int mpo_posixshm_check_truncate_t( | |
2929 | kauth_cred_t cred, | |
2930 | struct pshminfo *ps, | |
2931 | struct label *shmlabel, | |
2932 | off_t len | |
2933 | ); | |
2934 | /** | |
2935 | @brief Access control check for POSIX shared memory unlink | |
2936 | @param cred Subject credential | |
2937 | @param ps Pointer to shared memory information structure | |
2938 | @param shmlabel Label associated with the shared memory region | |
2939 | @param name String name of the shared memory region | |
2940 | ||
2941 | Determine whether the subject identified by the credential can delete | |
2942 | the POSIX shared memory segment associated with shmlabel. | |
2943 | ||
2944 | @return Return 0 if access is granted, otherwise an appropriate value for | |
2945 | errno should be returned. | |
2946 | */ | |
2947 | typedef int mpo_posixshm_check_unlink_t( | |
2948 | kauth_cred_t cred, | |
2949 | struct pshminfo *ps, | |
2950 | struct label *shmlabel, | |
2951 | const char *name | |
2952 | ); | |
2953 | /** | |
2954 | @brief Create a POSIX shared memory region label | |
2955 | @param cred Subject credential | |
2956 | @param ps Pointer to shared memory information structure | |
2957 | @param shmlabel Label to associate with the new shared memory region | |
2958 | @param name String name of the shared memory region | |
2959 | ||
2960 | Label a new POSIX shared memory region. The label was previously | |
2961 | initialized and associated with the shared memory region. At this | |
2962 | time, an appropriate initial label value should be assigned to the | |
2963 | object and stored in shmlabel. | |
2964 | */ | |
2965 | typedef void mpo_posixshm_label_associate_t( | |
2966 | kauth_cred_t cred, | |
2967 | struct pshminfo *ps, | |
2968 | struct label *shmlabel, | |
2969 | const char *name | |
2970 | ); | |
2971 | /** | |
2972 | @brief Destroy POSIX shared memory label | |
2973 | @param label The label to be destroyed | |
2974 | ||
2975 | Destroy a POSIX shared memory region label. Since the | |
2976 | object is going out of scope, policy modules should free any | |
2977 | internal storage associated with the label so that it may be | |
2978 | destroyed. | |
2979 | */ | |
2980 | typedef void mpo_posixshm_label_destroy_t( | |
2981 | struct label *label | |
2982 | ); | |
2983 | /** | |
2984 | @brief Initialize POSIX Shared Memory region label | |
2985 | @param label New label to initialize | |
2986 | ||
2987 | Initialize the label for newly a instantiated POSIX Shared Memory | |
2988 | region. Sleeping is permitted. | |
2989 | */ | |
2990 | typedef void mpo_posixshm_label_init_t( | |
2991 | struct label *label | |
2992 | ); | |
2993 | /** | |
2994 | @brief Access control check for privileged operations | |
2995 | @param cred Subject credential | |
2996 | @param priv Requested privilege (see sys/priv.h) | |
2997 | ||
2998 | Determine whether the subject identified by the credential can perform | |
2999 | a privileged operation. Privileged operations are allowed if the cred | |
3000 | is the superuser or any policy returns zero for mpo_priv_grant, unless | |
3001 | any policy returns nonzero for mpo_priv_check. | |
3002 | ||
3003 | @return Return 0 if access is granted, otherwise EPERM should be returned. | |
3004 | */ | |
3005 | typedef int mpo_priv_check_t( | |
3006 | kauth_cred_t cred, | |
3007 | int priv | |
3008 | ); | |
3009 | /** | |
3010 | @brief Grant regular users the ability to perform privileged operations | |
3011 | @param cred Subject credential | |
3012 | @param priv Requested privilege (see sys/priv.h) | |
3013 | ||
3014 | Determine whether the subject identified by the credential should be | |
3015 | allowed to perform a privileged operation that in the absense of any | |
3016 | MAC policy it would not be able to perform. Privileged operations are | |
3017 | allowed if the cred is the superuser or any policy returns zero for | |
3018 | mpo_priv_grant, unless any policy returns nonzero for mpo_priv_check. | |
3019 | ||
3020 | Unlike other MAC hooks which can only reduce the privilege of a | |
3021 | credential, this hook raises the privilege of a credential when it | |
3022 | returns 0. Extreme care must be taken when implementing this hook to | |
3023 | avoid undermining the security of the system. | |
3024 | ||
3025 | @return Return 0 if additional privilege is granted, otherwise EPERM | |
3026 | should be returned. | |
3027 | */ | |
3028 | typedef int mpo_priv_grant_t( | |
3029 | kauth_cred_t cred, | |
3030 | int priv | |
3031 | ); | |
3032 | /** | |
3033 | @brief Access control check for debugging process | |
3034 | @param cred Subject credential | |
3035 | @param proc Object process | |
3036 | ||
3037 | Determine whether the subject identified by the credential can debug | |
3038 | the passed process. This call may be made in a number of situations, | |
3039 | including use of the ptrace(2) and ktrace(2) APIs, as well as for some | |
3040 | types of procfs operations. | |
3041 | ||
3042 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3043 | errno should be returned. Suggested failure: EACCES for label mismatch, | |
3044 | EPERM for lack of privilege, or ESRCH to hide visibility of the target. | |
3045 | */ | |
3046 | typedef int mpo_proc_check_debug_t( | |
3047 | kauth_cred_t cred, | |
3048 | struct proc *proc | |
3049 | ); | |
3050 | /** | |
3051 | @brief Access control over fork | |
3052 | @param cred Subject credential | |
3053 | @param proc Subject process trying to fork | |
3054 | ||
3055 | Determine whether the subject identified is allowed to fork. | |
3056 | ||
3057 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3058 | errno should be returned. | |
3059 | */ | |
3060 | typedef int mpo_proc_check_fork_t( | |
3061 | kauth_cred_t cred, | |
3062 | struct proc *proc | |
3063 | ); | |
3064 | /** | |
3065 | @brief Access control over pid_suspend and pid_resume | |
3066 | @param cred Subject credential | |
3067 | @param proc Subject process trying to run pid_suspend or pid_resume | |
3068 | @param sr Call is suspend (0) or resume (1) | |
3069 | ||
3070 | Determine whether the subject identified is allowed to suspend or resume | |
3071 | other processes. | |
3072 | ||
3073 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3074 | errno should be returned. | |
3075 | */ | |
3076 | typedef int mpo_proc_check_suspend_resume_t( | |
3077 | kauth_cred_t cred, | |
3078 | struct proc *proc, | |
3079 | int sr | |
3080 | ); | |
3081 | /** | |
3082 | @brief Access control check for retrieving audit information | |
3083 | @param cred Subject credential | |
3084 | ||
3085 | Determine whether the subject identified by the credential can get | |
3086 | audit information such as the audit user ID, the preselection mask, | |
3087 | the terminal ID and the audit session ID, using the getaudit() system call. | |
3088 | ||
3089 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3090 | errno should be returned. | |
3091 | */ | |
3092 | typedef int mpo_proc_check_getaudit_t( | |
3093 | kauth_cred_t cred | |
3094 | ); | |
3095 | /** | |
3096 | @brief Access control check for retrieving audit user ID | |
3097 | @param cred Subject credential | |
3098 | ||
3099 | Determine whether the subject identified by the credential can get | |
3100 | the user identity being used by the auditing system, using the getauid() | |
3101 | system call. | |
3102 | ||
3103 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3104 | errno should be returned. | |
3105 | */ | |
3106 | typedef int mpo_proc_check_getauid_t( | |
3107 | kauth_cred_t cred | |
3108 | ); | |
3109 | /** | |
3110 | @brief Access control check for retrieving Login Context ID | |
3111 | @param p0 Calling process | |
3112 | @param p Effected process | |
3113 | @param pid syscall PID argument | |
3114 | ||
3115 | Determine if getlcid(2) system call is permitted. | |
3116 | ||
3117 | Information returned by this system call is similar to that returned via | |
3118 | process listings etc. | |
3119 | ||
3120 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3121 | errno should be returned. | |
3122 | */ | |
3123 | typedef int mpo_proc_check_getlcid_t( | |
3124 | struct proc *p0, | |
3125 | struct proc *p, | |
3126 | pid_t pid | |
3127 | ); | |
3128 | /** | |
3129 | @brief Access control check for retrieving ledger information | |
3130 | @param cred Subject credential | |
3131 | @param target Object process | |
3132 | @param op ledger operation | |
3133 | ||
3134 | Determine if ledger(2) system call is permitted. | |
3135 | ||
3136 | Information returned by this system call is similar to that returned via | |
3137 | process listings etc. | |
3138 | ||
3139 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3140 | errno should be returned. | |
3141 | */ | |
3142 | typedef int mpo_proc_check_ledger_t( | |
3143 | kauth_cred_t cred, | |
3144 | struct proc *target, | |
3145 | int op | |
3146 | ); | |
3147 | /** | |
3148 | @brief Access control check for mmap MAP_ANON | |
3149 | @param proc User process requesting the memory | |
3150 | @param cred Subject credential | |
3151 | @param u_addr Start address of the memory range | |
3152 | @param u_size Length address of the memory range | |
3153 | @param prot mmap protections; see mmap(2) | |
3154 | @param flags Type of mapped object; see mmap(2) | |
3155 | @param maxprot Maximum rights | |
3156 | ||
3157 | Determine whether the subject identified by the credential should be | |
3158 | allowed to obtain anonymous memory using the specified flags and | |
3159 | protections on the new mapping. MAP_ANON will always be present in the | |
3160 | flags. Certain combinations of flags with a non-NULL addr may | |
3161 | cause a mapping to be rejected before this hook is called. The maxprot field | |
3162 | holds the maximum permissions on the new mapping, a combination of | |
3163 | VM_PROT_READ, VM_PROT_WRITE and VM_PROT_EXECUTE. To avoid overriding prior | |
3164 | access control checks, a policy should only remove flags from maxprot. | |
3165 | ||
3166 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3167 | errno should be returned. Suggested failure: EPERM for lack of privilege. | |
3168 | */ | |
3169 | typedef int mpo_proc_check_map_anon_t( | |
3170 | struct proc *proc, | |
3171 | kauth_cred_t cred, | |
3172 | user_addr_t u_addr, | |
3173 | user_size_t u_size, | |
3174 | int prot, | |
3175 | int flags, | |
3176 | int *maxprot | |
3177 | ); | |
3178 | /** | |
3179 | @brief Access control check for setting memory protections | |
3180 | @param cred Subject credential | |
3181 | @param proc User process requesting the change | |
3182 | @param addr Start address of the memory range | |
3183 | @param size Length address of the memory range | |
3184 | @param prot Memory protections, see mmap(2) | |
3185 | ||
3186 | Determine whether the subject identified by the credential should | |
3187 | be allowed to set the specified memory protections on memory mapped | |
3188 | in the process proc. | |
3189 | ||
3190 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3191 | errno should be returned. | |
3192 | */ | |
3193 | typedef int mpo_proc_check_mprotect_t( | |
3194 | kauth_cred_t cred, | |
3195 | struct proc *proc, | |
3196 | user_addr_t addr, | |
3197 | user_size_t size, | |
3198 | int prot | |
3199 | ); | |
3200 | /** | |
3201 | @brief Access control check for changing scheduling parameters | |
3202 | @param cred Subject credential | |
3203 | @param proc Object process | |
3204 | ||
3205 | Determine whether the subject identified by the credential can change | |
3206 | the scheduling parameters of the passed process. | |
3207 | ||
3208 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3209 | errno should be returned. Suggested failure: EACCES for label mismatch, | |
3210 | EPERM for lack of privilege, or ESRCH to limit visibility. | |
3211 | */ | |
3212 | typedef int mpo_proc_check_sched_t( | |
3213 | kauth_cred_t cred, | |
3214 | struct proc *proc | |
3215 | ); | |
3216 | /** | |
3217 | @brief Access control check for setting audit information | |
3218 | @param cred Subject credential | |
3219 | @param ai Audit information | |
3220 | ||
3221 | Determine whether the subject identified by the credential can set | |
3222 | audit information such as the the preselection mask, the terminal ID | |
3223 | and the audit session ID, using the setaudit() system call. | |
3224 | ||
3225 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3226 | errno should be returned. | |
3227 | */ | |
3228 | typedef int mpo_proc_check_setaudit_t( | |
3229 | kauth_cred_t cred, | |
3230 | struct auditinfo_addr *ai | |
3231 | ); | |
3232 | /** | |
3233 | @brief Access control check for setting audit user ID | |
3234 | @param cred Subject credential | |
3235 | @param auid Audit user ID | |
3236 | ||
3237 | Determine whether the subject identified by the credential can set | |
3238 | the user identity used by the auditing system, using the setauid() | |
3239 | system call. | |
3240 | ||
3241 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3242 | errno should be returned. | |
3243 | */ | |
3244 | typedef int mpo_proc_check_setauid_t( | |
3245 | kauth_cred_t cred, | |
3246 | uid_t auid | |
3247 | ); | |
3248 | /** | |
3249 | @brief Access control check for setting the Login Context | |
3250 | @param p0 Calling process | |
3251 | @param p Effected process | |
3252 | @param pid syscall PID argument | |
3253 | @param lcid syscall LCID argument | |
3254 | ||
3255 | Determine if setlcid(2) system call is permitted. | |
3256 | ||
3257 | See xnu/bsd/kern/kern_prot.c:setlcid() implementation for example of | |
3258 | decoding syscall arguments to determine action desired by caller. | |
3259 | ||
3260 | Five distinct actions are possible: CREATE JOIN LEAVE ADOPT ORPHAN | |
3261 | ||
3262 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3263 | errno should be returned. | |
3264 | */ | |
3265 | typedef int mpo_proc_check_setlcid_t( | |
3266 | struct proc *p0, | |
3267 | struct proc *p, | |
3268 | pid_t pid, | |
3269 | pid_t lcid | |
3270 | ); | |
3271 | /** | |
3272 | @brief Access control check for delivering signal | |
3273 | @param cred Subject credential | |
3274 | @param proc Object process | |
3275 | @param signum Signal number; see kill(2) | |
3276 | ||
3277 | Determine whether the subject identified by the credential can deliver | |
3278 | the passed signal to the passed process. | |
3279 | ||
3280 | @warning Programs typically expect to be able to send and receive | |
3281 | signals as part or their normal process lifecycle; caution should be | |
3282 | exercised when implementing access controls over signal events. | |
3283 | ||
3284 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3285 | errno should be returned. Suggested failure: EACCES for label mismatch, | |
3286 | EPERM for lack of privilege, or ESRCH to limit visibility. | |
3287 | */ | |
3288 | typedef int mpo_proc_check_signal_t( | |
3289 | kauth_cred_t cred, | |
3290 | struct proc *proc, | |
3291 | int signum | |
3292 | ); | |
3293 | /** | |
3294 | @brief Access control check for wait | |
3295 | @param cred Subject credential | |
3296 | @param proc Object process | |
3297 | ||
3298 | Determine whether the subject identified by the credential can wait | |
3299 | for process termination. | |
3300 | ||
3301 | @warning Caution should be exercised when implementing access | |
3302 | controls for wait, since programs often wait for child processes to | |
3303 | exit. Failure to be notified of a child process terminating may | |
3304 | cause the parent process to hang, or may produce zombie processes. | |
3305 | ||
3306 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3307 | errno should be returned. | |
3308 | */ | |
3309 | typedef int mpo_proc_check_wait_t( | |
3310 | kauth_cred_t cred, | |
3311 | struct proc *proc | |
3312 | ); | |
3313 | /** | |
3314 | @brief Destroy process label | |
3315 | @param label The label to be destroyed | |
3316 | ||
3317 | Destroy a process label. Since the object is going | |
3318 | out of scope, policy modules should free any internal storage | |
3319 | associated with the label so that it may be destroyed. | |
3320 | */ | |
3321 | typedef void mpo_proc_label_destroy_t( | |
3322 | struct label *label | |
3323 | ); | |
3324 | /** | |
3325 | @brief Initialize process label | |
3326 | @param label New label to initialize | |
3327 | @see mpo_cred_label_init_t | |
3328 | ||
3329 | Initialize the label for a newly instantiated BSD process structure. | |
3330 | Normally, security policies will store the process label in the user | |
3331 | credential rather than here in the process structure. However, | |
3332 | there are some floating label policies that may need to temporarily | |
3333 | store a label in the process structure until it is safe to update | |
3334 | the user credential label. Sleeping is permitted. | |
3335 | */ | |
3336 | typedef void mpo_proc_label_init_t( | |
3337 | struct label *label | |
3338 | ); | |
3339 | /** | |
3340 | @brief Access control check for socket accept | |
3341 | @param cred Subject credential | |
3342 | @param socket Object socket | |
3343 | @param socklabel Policy label for socket | |
3344 | ||
3345 | Determine whether the subject identified by the credential can accept() | |
3346 | a new connection on the socket from the host specified by addr. | |
3347 | ||
3348 | @return Return 0 if access if granted, otherwise an appropriate | |
3349 | value for errno should be returned. | |
3350 | */ | |
3351 | typedef int mpo_socket_check_accept_t( | |
3352 | kauth_cred_t cred, | |
3353 | socket_t so, | |
3354 | struct label *socklabel | |
3355 | ); | |
3356 | /** | |
3357 | @brief Access control check for a pending socket accept | |
3358 | @param cred Subject credential | |
3359 | @param so Object socket | |
3360 | @param socklabel Policy label for socket | |
3361 | @param addr Address of the listening socket (coming soon) | |
3362 | ||
3363 | Determine whether the subject identified by the credential can accept() | |
3364 | a pending connection on the socket from the host specified by addr. | |
3365 | ||
3366 | @return Return 0 if access if granted, otherwise an appropriate | |
3367 | value for errno should be returned. | |
3368 | */ | |
3369 | typedef int mpo_socket_check_accepted_t( | |
3370 | kauth_cred_t cred, | |
3371 | socket_t so, | |
3372 | struct label *socklabel, | |
3373 | struct sockaddr *addr | |
3374 | ); | |
3375 | /** | |
3376 | @brief Access control check for socket bind | |
3377 | @param cred Subject credential | |
3378 | @param so Object socket | |
3379 | @param socklabel Policy label for socket | |
3380 | @param addr Name to assign to the socket | |
3381 | ||
3382 | Determine whether the subject identified by the credential can bind() | |
3383 | the name (addr) to the socket. | |
3384 | ||
3385 | @return Return 0 if access if granted, otherwise an appropriate | |
3386 | value for errno should be returned. | |
3387 | */ | |
3388 | typedef int mpo_socket_check_bind_t( | |
3389 | kauth_cred_t cred, | |
3390 | socket_t so, | |
3391 | struct label *socklabel, | |
3392 | struct sockaddr *addr | |
3393 | ); | |
3394 | /** | |
3395 | @brief Access control check for socket connect | |
3396 | @param cred Subject credential | |
3397 | @param so Object socket | |
3398 | @param socklabel Policy label for socket | |
3399 | @param addr Name to assign to the socket | |
3400 | ||
3401 | Determine whether the subject identified by the credential can | |
3402 | connect() the passed socket to the remote host specified by addr. | |
3403 | ||
3404 | @return Return 0 if access if granted, otherwise an appropriate | |
3405 | value for errno should be returned. | |
3406 | */ | |
3407 | typedef int mpo_socket_check_connect_t( | |
3408 | kauth_cred_t cred, | |
3409 | socket_t so, | |
3410 | struct label *socklabel, | |
3411 | struct sockaddr *addr | |
3412 | ); | |
3413 | /** | |
3414 | @brief Access control check for socket() system call. | |
3415 | @param cred Subject credential | |
3416 | @param domain communication domain | |
3417 | @param type socket type | |
3418 | @param protocol socket protocol | |
3419 | ||
3420 | Determine whether the subject identified by the credential can | |
3421 | make the socket() call. | |
3422 | ||
3423 | @return Return 0 if access if granted, otherwise an appropriate | |
3424 | value for errno should be returned. | |
3425 | */ | |
3426 | typedef int mpo_socket_check_create_t( | |
3427 | kauth_cred_t cred, | |
3428 | int domain, | |
3429 | int type, | |
3430 | int protocol | |
3431 | ); | |
3432 | /** | |
3433 | @brief Access control check for delivering data to a user's receieve queue | |
3434 | @param so The socket data is being delivered to | |
3435 | @param so_label The label of so | |
3436 | @param m The mbuf whose data will be deposited into the receive queue | |
3437 | @param m_label The label of the sender of the data. | |
3438 | ||
3439 | A socket has a queue for receiving incoming data. When a packet arrives | |
3440 | on the wire, it eventually gets deposited into this queue, which the | |
3441 | owner of the socket drains when they read from the socket's file descriptor. | |
3442 | ||
3443 | This function determines whether the socket can receive data from | |
3444 | the sender specified by m_label. | |
3445 | ||
3446 | @warning There is an outstanding design issue surrounding the placement | |
3447 | of this function. The check must be placed either before or after the | |
3448 | TCP sequence and ACK counters are updated. Placing the check before | |
3449 | the counters are updated causes the incoming packet to be resent by | |
3450 | the remote if the check rejects it. Placing the check after the counters | |
3451 | are updated results in a completely silent drop. As far as each TCP stack | |
3452 | is concerned the packet was received, however, the data will not be in the | |
3453 | socket's receive queue. Another consideration is that the current design | |
3454 | requires using the "failed label" occasionally. In that case, on rejection, | |
3455 | we want the remote TCP to resend the data. Because of this, we chose to | |
3456 | place this check before the counters are updated, so rejected packets will be | |
3457 | resent by the remote host. | |
3458 | ||
3459 | If a policy keeps rejecting the same packet, eventually the connection will | |
3460 | be dropped. Policies have several options if this design causes problems. | |
3461 | For example, one options is to sanitize the mbuf such that it is acceptable, | |
3462 | then accept it. That may require negotiation between policies as the | |
3463 | Framework will not know to re-check the packet. | |
3464 | ||
3465 | The policy must handle NULL MBUF labels. This will likely be the case | |
3466 | for non-local TCP sockets for example. | |
3467 | ||
3468 | @return Return 0 if access if granted, otherwise an appropriate | |
3469 | value for errno should be returned. | |
3470 | */ | |
3471 | typedef int mpo_socket_check_deliver_t( | |
3472 | socket_t so, | |
3473 | struct label *so_label, | |
3474 | struct mbuf *m, | |
3475 | struct label *m_label | |
3476 | ); | |
3477 | /** | |
3478 | @brief Access control check for socket kqfilter | |
3479 | @param cred Subject credential | |
3480 | @param kn Object knote | |
3481 | @param so Object socket | |
3482 | @param socklabel Policy label for socket | |
3483 | ||
3484 | Determine whether the subject identified by the credential can | |
3485 | receive the knote on the passed socket. | |
3486 | ||
3487 | @return Return 0 if access if granted, otherwise an appropriate | |
3488 | value for errno should be returned. | |
3489 | */ | |
3490 | typedef int mpo_socket_check_kqfilter_t( | |
3491 | kauth_cred_t cred, | |
3492 | struct knote *kn, | |
3493 | socket_t so, | |
3494 | struct label *socklabel | |
3495 | ); | |
3496 | /** | |
3497 | @brief Access control check for socket relabel | |
3498 | @param cred Subject credential | |
3499 | @param so Object socket | |
3500 | @param so_label The current label of so | |
3501 | @param newlabel The label to be assigned to so | |
3502 | ||
3503 | Determine whether the subject identified by the credential can | |
3504 | change the label on the socket. | |
3505 | ||
3506 | @return Return 0 if access if granted, otherwise an appropriate | |
3507 | value for errno should be returned. | |
3508 | */ | |
3509 | typedef int mpo_socket_check_label_update_t( | |
3510 | kauth_cred_t cred, | |
3511 | socket_t so, | |
3512 | struct label *so_label, | |
3513 | struct label *newlabel | |
3514 | ); | |
3515 | /** | |
3516 | @brief Access control check for socket listen | |
3517 | @param cred Subject credential | |
3518 | @param so Object socket | |
3519 | @param socklabel Policy label for socket | |
3520 | ||
3521 | Determine whether the subject identified by the credential can | |
3522 | listen() on the passed socket. | |
3523 | ||
3524 | @return Return 0 if access if granted, otherwise an appropriate | |
3525 | value for errno should be returned. | |
3526 | */ | |
3527 | typedef int mpo_socket_check_listen_t( | |
3528 | kauth_cred_t cred, | |
3529 | socket_t so, | |
3530 | struct label *socklabel | |
3531 | ); | |
3532 | /** | |
3533 | @brief Access control check for socket receive | |
3534 | @param cred Subject credential | |
3535 | @param so Object socket | |
3536 | @param socklabel Policy label for socket | |
3537 | ||
3538 | Determine whether the subject identified by the credential can | |
3539 | receive data from the socket. | |
3540 | ||
3541 | @return Return 0 if access if granted, otherwise an appropriate | |
3542 | value for errno should be returned. | |
3543 | */ | |
3544 | typedef int mpo_socket_check_receive_t( | |
3545 | kauth_cred_t cred, | |
3546 | socket_t so, | |
3547 | struct label *socklabel | |
3548 | ); | |
3549 | ||
3550 | /** | |
3551 | @brief Access control check for socket receive | |
3552 | @param cred Subject credential | |
3553 | @param socket Object socket | |
3554 | @param socklabel Policy label for socket | |
3555 | @param addr Name of the remote socket | |
3556 | ||
3557 | Determine whether the subject identified by the credential can | |
3558 | receive data from the remote host specified by addr. | |
3559 | ||
3560 | @return Return 0 if access if granted, otherwise an appropriate | |
3561 | value for errno should be returned. | |
3562 | */ | |
3563 | typedef int mpo_socket_check_received_t( | |
3564 | kauth_cred_t cred, | |
3565 | struct socket *sock, | |
3566 | struct label *socklabel, | |
3567 | struct sockaddr *saddr | |
3568 | ); | |
3569 | ||
3570 | ||
3571 | /** | |
3572 | @brief Access control check for socket select | |
3573 | @param cred Subject credential | |
3574 | @param so Object socket | |
3575 | @param socklabel Policy label for socket | |
3576 | @param which The operation selected on: FREAD or FWRITE | |
3577 | ||
3578 | Determine whether the subject identified by the credential can use the | |
3579 | socket in a call to select(). | |
3580 | ||
3581 | @return Return 0 if access if granted, otherwise an appropriate | |
3582 | value for errno should be returned. | |
3583 | */ | |
3584 | typedef int mpo_socket_check_select_t( | |
3585 | kauth_cred_t cred, | |
3586 | socket_t so, | |
3587 | struct label *socklabel, | |
3588 | int which | |
3589 | ); | |
3590 | /** | |
3591 | @brief Access control check for socket send | |
3592 | @param cred Subject credential | |
3593 | @param so Object socket | |
3594 | @param socklabel Policy label for socket | |
3595 | @param addr Address being sent to | |
3596 | ||
3597 | Determine whether the subject identified by the credential can send | |
3598 | data to the socket. | |
3599 | ||
3600 | @return Return 0 if access if granted, otherwise an appropriate | |
3601 | value for errno should be returned. | |
3602 | */ | |
3603 | typedef int mpo_socket_check_send_t( | |
3604 | kauth_cred_t cred, | |
3605 | socket_t so, | |
3606 | struct label *socklabel, | |
3607 | struct sockaddr *addr | |
3608 | ); | |
3609 | /** | |
3610 | @brief Access control check for retrieving socket status | |
3611 | @param cred Subject credential | |
3612 | @param so Object socket | |
3613 | @param socklabel Policy label for so | |
3614 | ||
3615 | Determine whether the subject identified by the credential can | |
3616 | execute the stat() system call on the given socket. | |
3617 | ||
3618 | @return Return 0 if access if granted, otherwise an appropriate | |
3619 | value for errno should be returned. | |
3620 | */ | |
3621 | typedef int mpo_socket_check_stat_t( | |
3622 | kauth_cred_t cred, | |
3623 | socket_t so, | |
3624 | struct label *socklabel | |
3625 | ); | |
3626 | /** | |
3627 | @brief Access control check for setting socket options | |
3628 | @param cred Subject credential | |
3629 | @param so Object socket | |
3630 | @param socklabel Policy label for so | |
3631 | @param sopt The options being set | |
3632 | ||
3633 | Determine whether the subject identified by the credential can | |
3634 | execute the setsockopt system call on the given socket. | |
3635 | ||
3636 | @return Return 0 if access if granted, otherwise an appropriate | |
3637 | value for errno should be returned. | |
3638 | */ | |
3639 | typedef int mpo_socket_check_setsockopt_t( | |
3640 | kauth_cred_t cred, | |
3641 | socket_t so, | |
3642 | struct label *socklabel, | |
3643 | struct sockopt *sopt | |
3644 | ); | |
3645 | /** | |
3646 | @brief Access control check for getting socket options | |
3647 | @param cred Subject credential | |
3648 | @param so Object socket | |
3649 | @param socklabel Policy label for so | |
3650 | @param sopt The options to get | |
3651 | ||
3652 | Determine whether the subject identified by the credential can | |
3653 | execute the getsockopt system call on the given socket. | |
3654 | ||
3655 | @return Return 0 if access if granted, otherwise an appropriate | |
3656 | value for errno should be returned. | |
3657 | */ | |
3658 | typedef int mpo_socket_check_getsockopt_t( | |
3659 | kauth_cred_t cred, | |
3660 | socket_t so, | |
3661 | struct label *socklabel, | |
3662 | struct sockopt *sopt | |
3663 | ); | |
3664 | /** | |
3665 | @brief Label a socket | |
3666 | @param oldsock Listening socket | |
3667 | @param oldlabel Policy label associated with oldsock | |
3668 | @param newsock New socket | |
3669 | @param newlabel Policy label associated with newsock | |
3670 | ||
3671 | A new socket is created when a connection is accept(2)ed. This | |
3672 | function labels the new socket based on the existing listen(2)ing | |
3673 | socket. | |
3674 | */ | |
3675 | typedef void mpo_socket_label_associate_accept_t( | |
3676 | socket_t oldsock, | |
3677 | struct label *oldlabel, | |
3678 | socket_t newsock, | |
3679 | struct label *newlabel | |
3680 | ); | |
3681 | /** | |
3682 | @brief Assign a label to a new socket | |
3683 | @param cred Credential of the owning process | |
3684 | @param so The socket being labeled | |
3685 | @param solabel The label | |
3686 | @warning cred can be NULL | |
3687 | ||
3688 | Set the label on a newly created socket from the passed subject | |
3689 | credential. This call is made when a socket is created. The | |
3690 | credentials may be null if the socket is being created by the | |
3691 | kernel. | |
3692 | */ | |
3693 | typedef void mpo_socket_label_associate_t( | |
3694 | kauth_cred_t cred, | |
3695 | socket_t so, | |
3696 | struct label *solabel | |
3697 | ); | |
3698 | /** | |
3699 | @brief Copy a socket label | |
3700 | @param src Source label | |
3701 | @param dest Destination label | |
3702 | ||
3703 | Copy the socket label information in src into dest. | |
3704 | */ | |
3705 | typedef void mpo_socket_label_copy_t( | |
3706 | struct label *src, | |
3707 | struct label *dest | |
3708 | ); | |
3709 | /** | |
3710 | @brief Destroy socket label | |
3711 | @param label The label to be destroyed | |
3712 | ||
3713 | Destroy a socket label. Since the object is going out of | |
3714 | scope, policy modules should free any internal storage associated | |
3715 | with the label so that it may be destroyed. | |
3716 | */ | |
3717 | typedef void mpo_socket_label_destroy_t( | |
3718 | struct label *label | |
3719 | ); | |
3720 | /** | |
3721 | @brief Externalize a socket label | |
3722 | @param label Label to be externalized | |
3723 | @param element_name Name of the label namespace for which labels should be | |
3724 | externalized | |
3725 | @param sb String buffer to be filled with a text representation of label | |
3726 | ||
3727 | Produce an externalized socket label based on the label structure passed. | |
3728 | An externalized label consists of a text representation of the label | |
3729 | contents that can be used with userland applications and read by the | |
3730 | user. If element_name does not match a namespace managed by the policy, | |
3731 | simply return 0. Only return nonzero if an error occurs while externalizing | |
3732 | the label data. | |
3733 | ||
3734 | @return In the event of an error, an appropriate value for errno | |
3735 | should be returned, otherwise return 0 upon success. | |
3736 | */ | |
3737 | typedef int mpo_socket_label_externalize_t( | |
3738 | struct label *label, | |
3739 | char *element_name, | |
3740 | struct sbuf *sb | |
3741 | ); | |
3742 | /** | |
3743 | @brief Initialize socket label | |
3744 | @param label New label to initialize | |
3745 | @param waitok Malloc flags | |
3746 | ||
3747 | Initialize the label of a newly instantiated socket. The waitok | |
3748 | field may be one of M_WAITOK and M_NOWAIT, and should be employed to | |
3749 | avoid performing a sleeping malloc(9) during this initialization | |
3750 | call. It it not always safe to sleep during this entry point. | |
3751 | ||
3752 | @warning Since it is possible for the waitok flags to be set to | |
3753 | M_NOWAIT, the malloc operation may fail. | |
3754 | ||
3755 | @return In the event of an error, an appropriate value for errno | |
3756 | should be returned, otherwise return 0 upon success. | |
3757 | */ | |
3758 | typedef int mpo_socket_label_init_t( | |
3759 | struct label *label, | |
3760 | int waitok | |
3761 | ); | |
3762 | /** | |
3763 | @brief Internalize a socket label | |
3764 | @param label Label to be filled in | |
3765 | @param element_name Name of the label namespace for which the label should | |
3766 | be internalized | |
3767 | @param element_data Text data to be internalized | |
3768 | ||
3769 | Produce an internal socket label structure based on externalized label | |
3770 | data in text format. | |
3771 | ||
3772 | The policy's internalize entry points will be called only if the | |
3773 | policy has registered interest in the label namespace. | |
3774 | ||
3775 | @return In the event of an error, an appropriate value for errno | |
3776 | should be returned, otherwise return 0 upon success. | |
3777 | */ | |
3778 | typedef int mpo_socket_label_internalize_t( | |
3779 | struct label *label, | |
3780 | char *element_name, | |
3781 | char *element_data | |
3782 | ); | |
3783 | /** | |
3784 | @brief Relabel socket | |
3785 | @param cred Subject credential | |
3786 | @param so Object; socket | |
3787 | @param so_label Current label of the socket | |
3788 | @param newlabel The label to be assigned to so | |
3789 | ||
3790 | The subject identified by the credential has previously requested | |
3791 | and was authorized to relabel the socket; this entry point allows | |
3792 | policies to perform the actual label update operation. | |
3793 | ||
3794 | @warning XXX This entry point will likely change in future versions. | |
3795 | */ | |
3796 | typedef void mpo_socket_label_update_t( | |
3797 | kauth_cred_t cred, | |
3798 | socket_t so, | |
3799 | struct label *so_label, | |
3800 | struct label *newlabel | |
3801 | ); | |
3802 | /** | |
3803 | @brief Set the peer label on a socket from mbuf | |
3804 | @param m Mbuf chain received on socket so | |
3805 | @param m_label Label for m | |
3806 | @param so Current label for the socket | |
3807 | @param so_label Policy label to be filled out for the socket | |
3808 | ||
3809 | Set the peer label of a socket based on the label of the sender of the | |
3810 | mbuf. | |
3811 | ||
3812 | This is called for every TCP/IP packet received. The first call for a given | |
3813 | socket operates on a newly initialized label, and subsequent calls operate | |
3814 | on existing label data. | |
3815 | ||
3816 | @warning Because this can affect performance significantly, it has | |
3817 | different sematics than other 'set' operations. Typically, 'set' operations | |
3818 | operate on newly initialzed labels and policies do not need to worry about | |
3819 | clobbering existing values. In this case, it is too inefficient to | |
3820 | initialize and destroy a label every time data is received for the socket. | |
3821 | Instead, it is up to the policies to determine how to replace the label data. | |
3822 | Most policies should be able to replace the data inline. | |
3823 | */ | |
3824 | typedef void mpo_socketpeer_label_associate_mbuf_t( | |
3825 | struct mbuf *m, | |
3826 | struct label *m_label, | |
3827 | socket_t so, | |
3828 | struct label *so_label | |
3829 | ); | |
3830 | /** | |
3831 | @brief Set the peer label on a socket from socket | |
3832 | @param source Local socket | |
3833 | @param sourcelabel Policy label for source | |
3834 | @param target Peer socket | |
3835 | @param targetlabel Policy label to fill in for target | |
3836 | ||
3837 | Set the peer label on a stream UNIX domain socket from the passed | |
3838 | remote socket endpoint. This call will be made when the socket pair | |
3839 | is connected, and will be made for both endpoints. | |
3840 | ||
3841 | Note that this call is only made on connection; it is currently not updated | |
3842 | during communication. | |
3843 | */ | |
3844 | typedef void mpo_socketpeer_label_associate_socket_t( | |
3845 | socket_t source, | |
3846 | struct label *sourcelabel, | |
3847 | socket_t target, | |
3848 | struct label *targetlabel | |
3849 | ); | |
3850 | /** | |
3851 | @brief Destroy socket peer label | |
3852 | @param label The peer label to be destroyed | |
3853 | ||
3854 | Destroy a socket peer label. Since the object is going out of | |
3855 | scope, policy modules should free any internal storage associated | |
3856 | with the label so that it may be destroyed. | |
3857 | */ | |
3858 | typedef void mpo_socketpeer_label_destroy_t( | |
3859 | struct label *label | |
3860 | ); | |
3861 | /** | |
3862 | @brief Externalize a socket peer label | |
3863 | @param label Label to be externalized | |
3864 | @param element_name Name of the label namespace for which labels should be | |
3865 | externalized | |
3866 | @param sb String buffer to be filled with a text representation of label | |
3867 | ||
3868 | Produce an externalized socket peer label based on the label structure | |
3869 | passed. An externalized label consists of a text representation of the | |
3870 | label contents that can be used with userland applications and read by the | |
3871 | user. If element_name does not match a namespace managed by the policy, | |
3872 | simply return 0. Only return nonzero if an error occurs while externalizing | |
3873 | the label data. | |
3874 | ||
3875 | @return In the event of an error, an appropriate value for errno | |
3876 | should be returned, otherwise return 0 upon success. | |
3877 | */ | |
3878 | typedef int mpo_socketpeer_label_externalize_t( | |
3879 | struct label *label, | |
3880 | char *element_name, | |
3881 | struct sbuf *sb | |
3882 | ); | |
3883 | /** | |
3884 | @brief Initialize socket peer label | |
3885 | @param label New label to initialize | |
3886 | @param waitok Malloc flags | |
3887 | ||
3888 | Initialize the peer label of a newly instantiated socket. The | |
3889 | waitok field may be one of M_WAITOK and M_NOWAIT, and should be | |
3890 | employed to avoid performing a sleeping malloc(9) during this | |
3891 | initialization call. It it not always safe to sleep during this | |
3892 | entry point. | |
3893 | ||
3894 | @warning Since it is possible for the waitok flags to be set to | |
3895 | M_NOWAIT, the malloc operation may fail. | |
3896 | ||
3897 | @return In the event of an error, an appropriate value for errno | |
3898 | should be returned, otherwise return 0 upon success. | |
3899 | */ | |
3900 | typedef int mpo_socketpeer_label_init_t( | |
3901 | struct label *label, | |
3902 | int waitok | |
3903 | ); | |
3904 | /** | |
3905 | @brief Access control check for enabling accounting | |
3906 | @param cred Subject credential | |
3907 | @param vp Accounting file | |
3908 | @param vlabel Label associated with vp | |
3909 | ||
3910 | Determine whether the subject should be allowed to enable accounting, | |
3911 | based on its label and the label of the accounting log file. See | |
3912 | acct(5) for more information. | |
3913 | ||
3914 | As accounting is disabled by passing NULL to the acct(2) system call, | |
3915 | the policy should be prepared for both 'vp' and 'vlabel' to be NULL. | |
3916 | ||
3917 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3918 | errno should be returned. | |
3919 | */ | |
3920 | typedef int mpo_system_check_acct_t( | |
3921 | kauth_cred_t cred, | |
3922 | struct vnode *vp, | |
3923 | struct label *vlabel | |
3924 | ); | |
3925 | /** | |
3926 | @brief Access control check for audit | |
3927 | @param cred Subject credential | |
3928 | @param record Audit record | |
3929 | @param length Audit record length | |
3930 | ||
3931 | Determine whether the subject identified by the credential can submit | |
3932 | an audit record for inclusion in the audit log via the audit() system call. | |
3933 | ||
3934 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3935 | errno should be returned. | |
3936 | */ | |
3937 | typedef int mpo_system_check_audit_t( | |
3938 | kauth_cred_t cred, | |
3939 | void *record, | |
3940 | int length | |
3941 | ); | |
3942 | /** | |
3943 | @brief Access control check for controlling audit | |
3944 | @param cred Subject credential | |
3945 | @param vp Audit file | |
3946 | @param vl Label associated with vp | |
3947 | ||
3948 | Determine whether the subject should be allowed to enable auditing using | |
3949 | the auditctl() system call, based on its label and the label of the proposed | |
3950 | audit file. | |
3951 | ||
3952 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3953 | errno should be returned. | |
3954 | */ | |
3955 | typedef int mpo_system_check_auditctl_t( | |
3956 | kauth_cred_t cred, | |
3957 | struct vnode *vp, | |
3958 | struct label *vl | |
3959 | ); | |
3960 | /** | |
3961 | @brief Access control check for manipulating auditing | |
3962 | @param cred Subject credential | |
3963 | @param cmd Audit control command | |
3964 | ||
3965 | Determine whether the subject identified by the credential can perform | |
3966 | the audit subsystem control operation cmd via the auditon() system call. | |
3967 | ||
3968 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3969 | errno should be returned. | |
3970 | */ | |
3971 | typedef int mpo_system_check_auditon_t( | |
3972 | kauth_cred_t cred, | |
3973 | int cmd | |
3974 | ); | |
3975 | /** | |
3976 | @brief Access control check for using CHUD facilities | |
3977 | @param cred Subject credential | |
3978 | ||
3979 | Determine whether the subject identified by the credential can perform | |
3980 | performance-related tasks using the CHUD system call. | |
3981 | ||
3982 | @return Return 0 if access is granted, otherwise an appropriate value for | |
3983 | errno should be returned. | |
3984 | */ | |
3985 | typedef int mpo_system_check_chud_t( | |
3986 | kauth_cred_t cred | |
3987 | ); | |
3988 | /** | |
3989 | @brief Access control check for obtaining the host control port | |
3990 | @param cred Subject credential | |
3991 | ||
3992 | Determine whether the subject identified by the credential can | |
3993 | obtain the host control port. | |
3994 | ||
3995 | @return Return 0 if access is granted, or non-zero otherwise. | |
3996 | */ | |
3997 | typedef int mpo_system_check_host_priv_t( | |
3998 | kauth_cred_t cred | |
3999 | ); | |
4000 | /** | |
4001 | @brief Access control check for calling NFS services | |
4002 | @param cred Subject credential | |
4003 | ||
4004 | Determine whether the subject identified by the credential should be | |
4005 | allowed to call nfssrv(2). | |
4006 | ||
4007 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4008 | errno should be returned. | |
4009 | */ | |
4010 | typedef int mpo_system_check_nfsd_t( | |
4011 | kauth_cred_t cred | |
4012 | ); | |
4013 | /** | |
4014 | @brief Access control check for reboot | |
4015 | @param cred Subject credential | |
4016 | @param howto howto parameter from reboot(2) | |
4017 | ||
4018 | Determine whether the subject identified by the credential should be | |
4019 | allowed to reboot the system in the specified manner. | |
4020 | ||
4021 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4022 | errno should be returned. | |
4023 | */ | |
4024 | typedef int mpo_system_check_reboot_t( | |
4025 | kauth_cred_t cred, | |
4026 | int howto | |
4027 | ); | |
4028 | /** | |
4029 | @brief Access control check for setting system clock | |
4030 | @param cred Subject credential | |
4031 | ||
4032 | Determine whether the subject identified by the credential should be | |
4033 | allowed to set the system clock. | |
4034 | ||
4035 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4036 | errno should be returned. | |
4037 | */ | |
4038 | typedef int mpo_system_check_settime_t( | |
4039 | kauth_cred_t cred | |
4040 | ); | |
4041 | /** | |
4042 | @brief Access control check for removing swap devices | |
4043 | @param cred Subject credential | |
4044 | @param vp Swap device | |
4045 | @param label Label associated with vp | |
4046 | ||
4047 | Determine whether the subject identified by the credential should be | |
4048 | allowed to remove vp as a swap device. | |
4049 | ||
4050 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4051 | errno should be returned. | |
4052 | */ | |
4053 | typedef int mpo_system_check_swapoff_t( | |
4054 | kauth_cred_t cred, | |
4055 | struct vnode *vp, | |
4056 | struct label *label | |
4057 | ); | |
4058 | /** | |
4059 | @brief Access control check for adding swap devices | |
4060 | @param cred Subject credential | |
4061 | @param vp Swap device | |
4062 | @param label Label associated with vp | |
4063 | ||
4064 | Determine whether the subject identified by the credential should be | |
4065 | allowed to add vp as a swap device. | |
4066 | ||
4067 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4068 | errno should be returned. | |
4069 | */ | |
4070 | typedef int mpo_system_check_swapon_t( | |
4071 | kauth_cred_t cred, | |
4072 | struct vnode *vp, | |
4073 | struct label *label | |
4074 | ); | |
4075 | /** | |
4076 | @brief Access control check for sysctl | |
4077 | @param cred Subject credential | |
4078 | @param name Integer name; see sysctl(3) | |
4079 | @param namelen Length of name array of integers; see sysctl(3) | |
4080 | @param old 0 or address where to store old value; see sysctl(3) | |
4081 | @param oldlenp Pointer to length of old buffer; see sysctl(3) | |
4082 | @param inkernel Boolean; 1 if called from kernel | |
4083 | @param newvalue 0 or address of new value; see sysctl(3) | |
4084 | @param newlen Length of new buffer; see sysctl(3) | |
4085 | ||
4086 | Determine whether the subject identified by the credential should be | |
4087 | allowed to make the specified sysctl(3) transaction. | |
4088 | ||
4089 | The sysctl(3) call specifies that if the old value is not desired, | |
4090 | oldp and oldlenp should be set to NULL. Likewise, if a new value is | |
4091 | not to be set, newp should be set to NULL and newlen set to 0. | |
4092 | ||
4093 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4094 | errno should be returned. | |
4095 | */ | |
4096 | typedef int mpo_system_check_sysctl_t( | |
4097 | kauth_cred_t cred, | |
4098 | int *name, | |
4099 | u_int namelen, | |
4100 | user_addr_t old, /* NULLOK */ | |
4101 | user_addr_t oldlenp, /* NULLOK */ | |
4102 | int inkernel, | |
4103 | user_addr_t newvalue, /* NULLOK */ | |
4104 | size_t newlen | |
4105 | ); | |
4106 | /** | |
4107 | @brief Access control check for kas_info | |
4108 | @param cred Subject credential | |
4109 | @param selector Category of information to return. See kas_info.h | |
4110 | ||
4111 | Determine whether the subject identified by the credential can perform | |
4112 | introspection of the kernel address space layout for | |
4113 | debugging/performance analysis. | |
4114 | ||
4115 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4116 | errno should be returned. | |
4117 | */ | |
4118 | typedef int mpo_system_check_kas_info_t( | |
4119 | kauth_cred_t cred, | |
4120 | int selector | |
4121 | ); | |
4122 | /** | |
4123 | @brief Create a System V message label | |
4124 | @param cred Subject credential | |
4125 | @param msqkptr The message queue the message will be placed in | |
4126 | @param msqlabel The label of the message queue | |
4127 | @param msgptr The message | |
4128 | @param msglabel The label of the message | |
4129 | ||
4130 | Label the message as its placed in the message queue. | |
4131 | */ | |
4132 | typedef void mpo_sysvmsg_label_associate_t( | |
4133 | kauth_cred_t cred, | |
4134 | struct msqid_kernel *msqptr, | |
4135 | struct label *msqlabel, | |
4136 | struct msg *msgptr, | |
4137 | struct label *msglabel | |
4138 | ); | |
4139 | /** | |
4140 | @brief Destroy System V message label | |
4141 | @param label The label to be destroyed | |
4142 | ||
4143 | Destroy a System V message label. Since the object is | |
4144 | going out of scope, policy modules should free any internal storage | |
4145 | associated with the label so that it may be destroyed. | |
4146 | */ | |
4147 | typedef void mpo_sysvmsg_label_destroy_t( | |
4148 | struct label *label | |
4149 | ); | |
4150 | /** | |
4151 | @brief Initialize System V message label | |
4152 | @param label New label to initialize | |
4153 | ||
4154 | Initialize the label for a newly instantiated System V message. | |
4155 | */ | |
4156 | typedef void mpo_sysvmsg_label_init_t( | |
4157 | struct label *label | |
4158 | ); | |
4159 | /** | |
4160 | @brief Clean up a System V message label | |
4161 | @param label The label to be destroyed | |
4162 | ||
4163 | Clean up a System V message label. Darwin pre-allocates | |
4164 | messages at system boot time and re-uses them rather than | |
4165 | allocating new ones. Before messages are returned to the "free | |
4166 | pool", policies can cleanup or overwrite any information present in | |
4167 | the label. | |
4168 | */ | |
4169 | typedef void mpo_sysvmsg_label_recycle_t( | |
4170 | struct label *label | |
4171 | ); | |
4172 | /** | |
4173 | @brief Access control check for System V message enqueuing | |
4174 | @param cred Subject credential | |
4175 | @param msgptr The message | |
4176 | @param msglabel The message's label | |
4177 | @param msqkptr The message queue | |
4178 | @param msqlabel The message queue's label | |
4179 | ||
4180 | Determine whether the subject identified by the credential can add the | |
4181 | given message to the given message queue. | |
4182 | ||
4183 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4184 | errno should be returned. | |
4185 | */ | |
4186 | typedef int mpo_sysvmsq_check_enqueue_t( | |
4187 | kauth_cred_t cred, | |
4188 | struct msg *msgptr, | |
4189 | struct label *msglabel, | |
4190 | struct msqid_kernel *msqptr, | |
4191 | struct label *msqlabel | |
4192 | ); | |
4193 | /** | |
4194 | @brief Access control check for System V message reception | |
4195 | @param cred The credential of the intended recipient | |
4196 | @param msgptr The message | |
4197 | @param msglabel The message's label | |
4198 | ||
4199 | Determine whether the subject identified by the credential can receive | |
4200 | the given message. | |
4201 | ||
4202 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4203 | errno should be returned. | |
4204 | */ | |
4205 | typedef int mpo_sysvmsq_check_msgrcv_t( | |
4206 | kauth_cred_t cred, | |
4207 | struct msg *msgptr, | |
4208 | struct label *msglabel | |
4209 | ); | |
4210 | /** | |
4211 | @brief Access control check for System V message queue removal | |
4212 | @param cred The credential of the caller | |
4213 | @param msgptr The message | |
4214 | @param msglabel The message's label | |
4215 | ||
4216 | System V message queues are removed using the msgctl() system call. | |
4217 | The system will iterate over each messsage in the queue, calling this | |
4218 | function for each, to determine whether the caller has the appropriate | |
4219 | credentials. | |
4220 | ||
4221 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4222 | errno should be returned. | |
4223 | */ | |
4224 | typedef int mpo_sysvmsq_check_msgrmid_t( | |
4225 | kauth_cred_t cred, | |
4226 | struct msg *msgptr, | |
4227 | struct label *msglabel | |
4228 | ); | |
4229 | /** | |
4230 | @brief Access control check for msgctl() | |
4231 | @param cred The credential of the caller | |
4232 | @param msqptr The message queue | |
4233 | @param msqlabel The message queue's label | |
4234 | ||
4235 | This access check is performed to validate calls to msgctl(). | |
4236 | ||
4237 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4238 | errno should be returned. | |
4239 | */ | |
4240 | typedef int mpo_sysvmsq_check_msqctl_t( | |
4241 | kauth_cred_t cred, | |
4242 | struct msqid_kernel *msqptr, | |
4243 | struct label *msqlabel, | |
4244 | int cmd | |
4245 | ); | |
4246 | /** | |
4247 | @brief Access control check to get a System V message queue | |
4248 | @param cred The credential of the caller | |
4249 | @param msqptr The message queue requested | |
4250 | @param msqlabel The message queue's label | |
4251 | ||
4252 | On a call to msgget(), if the queue requested already exists, | |
4253 | and it is a public queue, this check will be performed before the | |
4254 | queue's ID is returned to the user. | |
4255 | ||
4256 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4257 | errno should be returned. | |
4258 | */ | |
4259 | typedef int mpo_sysvmsq_check_msqget_t( | |
4260 | kauth_cred_t cred, | |
4261 | struct msqid_kernel *msqptr, | |
4262 | struct label *msqlabel | |
4263 | ); | |
4264 | /** | |
4265 | @brief Access control check to receive a System V message from the given queue | |
4266 | @param cred The credential of the caller | |
4267 | @param msqptr The message queue to receive from | |
4268 | @param msqlabel The message queue's label | |
4269 | ||
4270 | On a call to msgrcv(), this check is performed to determine whether the | |
4271 | caller has receive rights on the given queue. | |
4272 | ||
4273 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4274 | errno should be returned. | |
4275 | */ | |
4276 | typedef int mpo_sysvmsq_check_msqrcv_t( | |
4277 | kauth_cred_t cred, | |
4278 | struct msqid_kernel *msqptr, | |
4279 | struct label *msqlabel | |
4280 | ); | |
4281 | /** | |
4282 | @brief Access control check to send a System V message to the given queue | |
4283 | @param cred The credential of the caller | |
4284 | @param msqptr The message queue to send to | |
4285 | @param msqlabel The message queue's label | |
4286 | ||
4287 | On a call to msgsnd(), this check is performed to determine whether the | |
4288 | caller has send rights on the given queue. | |
4289 | ||
4290 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4291 | errno should be returned. | |
4292 | */ | |
4293 | typedef int mpo_sysvmsq_check_msqsnd_t( | |
4294 | kauth_cred_t cred, | |
4295 | struct msqid_kernel *msqptr, | |
4296 | struct label *msqlabel | |
4297 | ); | |
4298 | /** | |
4299 | @brief Create a System V message queue label | |
4300 | @param cred Subject credential | |
4301 | @param msqkptr The message queue | |
4302 | @param msqlabel The label of the message queue | |
4303 | ||
4304 | */ | |
4305 | typedef void mpo_sysvmsq_label_associate_t( | |
4306 | kauth_cred_t cred, | |
4307 | struct msqid_kernel *msqptr, | |
4308 | struct label *msqlabel | |
4309 | ); | |
4310 | /** | |
4311 | @brief Destroy System V message queue label | |
4312 | @param label The label to be destroyed | |
4313 | ||
4314 | Destroy a System V message queue label. Since the object is | |
4315 | going out of scope, policy modules should free any internal storage | |
4316 | associated with the label so that it may be destroyed. | |
4317 | */ | |
4318 | typedef void mpo_sysvmsq_label_destroy_t( | |
4319 | struct label *label | |
4320 | ); | |
4321 | /** | |
4322 | @brief Initialize System V message queue label | |
4323 | @param label New label to initialize | |
4324 | ||
4325 | Initialize the label for a newly instantiated System V message queue. | |
4326 | */ | |
4327 | typedef void mpo_sysvmsq_label_init_t( | |
4328 | struct label *label | |
4329 | ); | |
4330 | /** | |
4331 | @brief Clean up a System V message queue label | |
4332 | @param label The label to be destroyed | |
4333 | ||
4334 | Clean up a System V message queue label. Darwin pre-allocates | |
4335 | message queues at system boot time and re-uses them rather than | |
4336 | allocating new ones. Before message queues are returned to the "free | |
4337 | pool", policies can cleanup or overwrite any information present in | |
4338 | the label. | |
4339 | */ | |
4340 | typedef void mpo_sysvmsq_label_recycle_t( | |
4341 | struct label *label | |
4342 | ); | |
4343 | /** | |
4344 | @brief Access control check for System V semaphore control operation | |
4345 | @param cred Subject credential | |
4346 | @param semakptr Pointer to semaphore identifier | |
4347 | @param semaklabel Label associated with semaphore | |
4348 | @param cmd Control operation to be performed; see semctl(2) | |
4349 | ||
4350 | Determine whether the subject identified by the credential can perform | |
4351 | the operation indicated by cmd on the System V semaphore semakptr. | |
4352 | ||
4353 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4354 | errno should be returned. | |
4355 | */ | |
4356 | typedef int mpo_sysvsem_check_semctl_t( | |
4357 | kauth_cred_t cred, | |
4358 | struct semid_kernel *semakptr, | |
4359 | struct label *semaklabel, | |
4360 | int cmd | |
4361 | ); | |
4362 | /** | |
4363 | @brief Access control check for obtaining a System V semaphore | |
4364 | @param cred Subject credential | |
4365 | @param semakptr Pointer to semaphore identifier | |
4366 | @param semaklabel Label to associate with the semaphore | |
4367 | ||
4368 | Determine whether the subject identified by the credential can | |
4369 | obtain a System V semaphore. | |
4370 | ||
4371 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4372 | errno should be returned. | |
4373 | */ | |
4374 | typedef int mpo_sysvsem_check_semget_t( | |
4375 | kauth_cred_t cred, | |
4376 | struct semid_kernel *semakptr, | |
4377 | struct label *semaklabel | |
4378 | ); | |
4379 | /** | |
4380 | @brief Access control check for System V semaphore operations | |
4381 | @param cred Subject credential | |
4382 | @param semakptr Pointer to semaphore identifier | |
4383 | @param semaklabel Label associated with the semaphore | |
4384 | @param accesstype Flags to indicate access (read and/or write) | |
4385 | ||
4386 | Determine whether the subject identified by the credential can | |
4387 | perform the operations on the System V semaphore indicated by | |
4388 | semakptr. The accesstype flags hold the maximum set of permissions | |
4389 | from the sem_op array passed to the semop system call. It may | |
4390 | contain SEM_R for read-only operations or SEM_A for read/write | |
4391 | operations. | |
4392 | ||
4393 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4394 | errno should be returned. | |
4395 | */ | |
4396 | typedef int mpo_sysvsem_check_semop_t( | |
4397 | kauth_cred_t cred, | |
4398 | struct semid_kernel *semakptr, | |
4399 | struct label *semaklabel, | |
4400 | size_t accesstype | |
4401 | ); | |
4402 | /** | |
4403 | @brief Create a System V semaphore label | |
4404 | @param cred Subject credential | |
4405 | @param semakptr The semaphore being created | |
4406 | @param semalabel Label to associate with the new semaphore | |
4407 | ||
4408 | Label a new System V semaphore. The label was previously | |
4409 | initialized and associated with the semaphore. At this time, an | |
4410 | appropriate initial label value should be assigned to the object and | |
4411 | stored in semalabel. | |
4412 | */ | |
4413 | typedef void mpo_sysvsem_label_associate_t( | |
4414 | kauth_cred_t cred, | |
4415 | struct semid_kernel *semakptr, | |
4416 | struct label *semalabel | |
4417 | ); | |
4418 | /** | |
4419 | @brief Destroy System V semaphore label | |
4420 | @param label The label to be destroyed | |
4421 | ||
4422 | Destroy a System V semaphore label. Since the object is | |
4423 | going out of scope, policy modules should free any internal storage | |
4424 | associated with the label so that it may be destroyed. | |
4425 | */ | |
4426 | typedef void mpo_sysvsem_label_destroy_t( | |
4427 | struct label *label | |
4428 | ); | |
4429 | /** | |
4430 | @brief Initialize System V semaphore label | |
4431 | @param label New label to initialize | |
4432 | ||
4433 | Initialize the label for a newly instantiated System V semaphore. Sleeping | |
4434 | is permitted. | |
4435 | */ | |
4436 | typedef void mpo_sysvsem_label_init_t( | |
4437 | struct label *label | |
4438 | ); | |
4439 | /** | |
4440 | @brief Clean up a System V semaphore label | |
4441 | @param label The label to be cleaned | |
4442 | ||
4443 | Clean up a System V semaphore label. Darwin pre-allocates | |
4444 | semaphores at system boot time and re-uses them rather than | |
4445 | allocating new ones. Before semaphores are returned to the "free | |
4446 | pool", policies can cleanup or overwrite any information present in | |
4447 | the label. | |
4448 | */ | |
4449 | typedef void mpo_sysvsem_label_recycle_t( | |
4450 | struct label *label | |
4451 | ); | |
4452 | /** | |
4453 | @brief Access control check for mapping System V shared memory | |
4454 | @param cred Subject credential | |
4455 | @param shmsegptr Pointer to shared memory segment identifier | |
4456 | @param shmseglabel Label associated with the shared memory segment | |
4457 | @param shmflg shmat flags; see shmat(2) | |
4458 | ||
4459 | Determine whether the subject identified by the credential can map | |
4460 | the System V shared memory segment associated with shmsegptr. | |
4461 | ||
4462 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4463 | errno should be returned. | |
4464 | */ | |
4465 | typedef int mpo_sysvshm_check_shmat_t( | |
4466 | kauth_cred_t cred, | |
4467 | struct shmid_kernel *shmsegptr, | |
4468 | struct label *shmseglabel, | |
4469 | int shmflg | |
4470 | ); | |
4471 | /** | |
4472 | @brief Access control check for System V shared memory control operation | |
4473 | @param cred Subject credential | |
4474 | @param shmsegptr Pointer to shared memory segment identifier | |
4475 | @param shmseglabel Label associated with the shared memory segment | |
4476 | @param cmd Control operation to be performed; see shmctl(2) | |
4477 | ||
4478 | Determine whether the subject identified by the credential can perform | |
4479 | the operation indicated by cmd on the System V shared memory segment | |
4480 | shmsegptr. | |
4481 | ||
4482 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4483 | errno should be returned. | |
4484 | */ | |
4485 | typedef int mpo_sysvshm_check_shmctl_t( | |
4486 | kauth_cred_t cred, | |
4487 | struct shmid_kernel *shmsegptr, | |
4488 | struct label *shmseglabel, | |
4489 | int cmd | |
4490 | ); | |
4491 | /** | |
4492 | @brief Access control check for unmapping System V shared memory | |
4493 | @param cred Subject credential | |
4494 | @param shmsegptr Pointer to shared memory segment identifier | |
4495 | @param shmseglabel Label associated with the shared memory segment | |
4496 | ||
4497 | Determine whether the subject identified by the credential can unmap | |
4498 | the System V shared memory segment associated with shmsegptr. | |
4499 | ||
4500 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4501 | errno should be returned. | |
4502 | */ | |
4503 | typedef int mpo_sysvshm_check_shmdt_t( | |
4504 | kauth_cred_t cred, | |
4505 | struct shmid_kernel *shmsegptr, | |
4506 | struct label *shmseglabel | |
4507 | ); | |
4508 | /** | |
4509 | @brief Access control check obtaining System V shared memory identifier | |
4510 | @param cred Subject credential | |
4511 | @param shmsegptr Pointer to shared memory segment identifier | |
4512 | @param shmseglabel Label associated with the shared memory segment | |
4513 | @param shmflg shmget flags; see shmget(2) | |
4514 | ||
4515 | Determine whether the subject identified by the credential can get | |
4516 | the System V shared memory segment address. | |
4517 | ||
4518 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4519 | errno should be returned. | |
4520 | */ | |
4521 | typedef int mpo_sysvshm_check_shmget_t( | |
4522 | kauth_cred_t cred, | |
4523 | struct shmid_kernel *shmsegptr, | |
4524 | struct label *shmseglabel, | |
4525 | int shmflg | |
4526 | ); | |
4527 | /** | |
4528 | @brief Create a System V shared memory region label | |
4529 | @param cred Subject credential | |
4530 | @param shmsegptr The shared memory region being created | |
4531 | @param shmlabel Label to associate with the new shared memory region | |
4532 | ||
4533 | Label a new System V shared memory region. The label was previously | |
4534 | initialized and associated with the shared memory region. At this | |
4535 | time, an appropriate initial label value should be assigned to the | |
4536 | object and stored in shmlabel. | |
4537 | */ | |
4538 | typedef void mpo_sysvshm_label_associate_t( | |
4539 | kauth_cred_t cred, | |
4540 | struct shmid_kernel *shmsegptr, | |
4541 | struct label *shmlabel | |
4542 | ); | |
4543 | /** | |
4544 | @brief Destroy System V shared memory label | |
4545 | @param label The label to be destroyed | |
4546 | ||
4547 | Destroy a System V shared memory region label. Since the | |
4548 | object is going out of scope, policy modules should free any | |
4549 | internal storage associated with the label so that it may be | |
4550 | destroyed. | |
4551 | */ | |
4552 | typedef void mpo_sysvshm_label_destroy_t( | |
4553 | struct label *label | |
4554 | ); | |
4555 | /** | |
4556 | @brief Initialize System V Shared Memory region label | |
4557 | @param label New label to initialize | |
4558 | ||
4559 | Initialize the label for a newly instantiated System V Shared Memory | |
4560 | region. Sleeping is permitted. | |
4561 | */ | |
4562 | typedef void mpo_sysvshm_label_init_t( | |
4563 | struct label *label | |
4564 | ); | |
4565 | /** | |
4566 | @brief Clean up a System V Share Memory Region label | |
4567 | @param shmlabel The label to be cleaned | |
4568 | ||
4569 | Clean up a System V Shared Memory Region label. Darwin | |
4570 | pre-allocates these objects at system boot time and re-uses them | |
4571 | rather than allocating new ones. Before the memory regions are | |
4572 | returned to the "free pool", policies can cleanup or overwrite any | |
4573 | information present in the label. | |
4574 | */ | |
4575 | typedef void mpo_sysvshm_label_recycle_t( | |
4576 | struct label *shmlabel | |
4577 | ); | |
4578 | /** | |
4579 | @brief Access control check for getting a process's task name | |
4580 | @param cred Subject credential | |
4581 | @param proc Object process | |
4582 | ||
4583 | Determine whether the subject identified by the credential can get | |
4584 | the passed process's task name port. | |
4585 | This call is used by the task_name_for_pid(2) API. | |
4586 | ||
4587 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4588 | errno should be returned. Suggested failure: EACCES for label mismatch, | |
4589 | EPERM for lack of privilege, or ESRCH to hide visibility of the target. | |
4590 | */ | |
4591 | typedef int mpo_proc_check_get_task_name_t( | |
4592 | kauth_cred_t cred, | |
4593 | struct proc *p | |
4594 | ); | |
4595 | /** | |
4596 | @brief Access control check for getting a process's task port | |
4597 | @param cred Subject credential | |
4598 | @param proc Object process | |
4599 | ||
4600 | Determine whether the subject identified by the credential can get | |
4601 | the passed process's task control port. | |
4602 | This call is used by the task_for_pid(2) API. | |
4603 | ||
4604 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4605 | errno should be returned. Suggested failure: EACCES for label mismatch, | |
4606 | EPERM for lack of privilege, or ESRCH to hide visibility of the target. | |
4607 | */ | |
4608 | typedef int mpo_proc_check_get_task_t( | |
4609 | kauth_cred_t cred, | |
4610 | struct proc *p | |
4611 | ); | |
4612 | /** | |
4613 | @brief Privilege check for a process to run invalid | |
4614 | @param proc Object process | |
4615 | ||
4616 | Determine whether the process may execute even though the system determined | |
4617 | that it is untrusted (eg unidentified / modified code). | |
4618 | ||
4619 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4620 | errno should be returned. | |
4621 | */ | |
4622 | typedef int mac_proc_check_run_cs_invalid_t( | |
4623 | struct proc *p | |
4624 | ); | |
4625 | ||
4626 | ||
4627 | /** | |
4628 | @brief Assign a label to a new kernelspace Mach task | |
4629 | @param kproc New task | |
4630 | @param tasklabel Label for new task | |
4631 | @param portlabel Label for new task port | |
4632 | @see mpo_cred_label_associate_kernel_t | |
4633 | ||
4634 | Assign labels to a new kernel task and its task port. Both the task and | |
4635 | task port labels should be specified. Both new labels are initialized. | |
4636 | If there is an associated BSD process structure, it will be labelled | |
4637 | with calls to mpo_cred_label_associate_kernel. | |
4638 | */ | |
4639 | typedef void mpo_task_label_associate_kernel_t( | |
4640 | struct task *kproc, | |
4641 | struct label *tasklabel, | |
4642 | struct label *portlabel | |
4643 | ); | |
4644 | /** | |
4645 | @brief Assign a label to a new (userspace) Mach task | |
4646 | @param parent Parent task | |
4647 | @param child New (child) task | |
4648 | @param parentlabel Label of parent task | |
4649 | @param childlabel Label for new task | |
4650 | @param childportlabel Label for new task's task port | |
4651 | ||
4652 | Assign labels to a new task and its task port. Both the task and task port | |
4653 | labels should be specified. Both new labels are initialized. If the task | |
4654 | will have an associated BSD process, that information will be made available | |
4655 | by the task_label_update and port_label_update_cred entry points. | |
4656 | */ | |
4657 | typedef void mpo_task_label_associate_t( | |
4658 | struct task *parent, | |
4659 | struct task *child, | |
4660 | struct label *parentlabel, | |
4661 | struct label *childlabel, | |
4662 | struct label *childportlabel | |
4663 | ); | |
4664 | /** | |
4665 | @brief Copy a Mach task label | |
4666 | @param src Source task label | |
4667 | @param dest Destination task label | |
4668 | ||
4669 | Copy the Mach task label information from src to dest. This is used | |
4670 | when duplicating label handles to implement copy-on-write semantics. | |
4671 | */ | |
4672 | typedef void mpo_task_label_copy_t( | |
4673 | struct label *src, | |
4674 | struct label *dest | |
4675 | ); | |
4676 | /** | |
4677 | @brief Destroy Mach task label | |
4678 | @param label The label to be destroyed | |
4679 | ||
4680 | Destroy a Mach task label. Since the object is going out of | |
4681 | scope, policy modules should free any internal storage associated | |
4682 | with the label so that it may be destroyed. | |
4683 | */ | |
4684 | typedef void mpo_task_label_destroy_t( | |
4685 | struct label *label | |
4686 | ); | |
4687 | /** | |
4688 | @brief Externalize a task label | |
4689 | @param label Label to be externalized | |
4690 | @param element_name Name of the label namespace for which labels should be | |
4691 | externalized | |
4692 | @param sb String buffer to be filled with a text representation of the label | |
4693 | ||
4694 | Produce an external representation of the label on a task. An | |
4695 | externalized label consists of a text representation of the label | |
4696 | contents that can be used with user applications. Policy-agnostic | |
4697 | user space tools will display this externalized version. | |
4698 | ||
4699 | @return 0 on success, return non-zero if an error occurs while | |
4700 | externalizing the label data. | |
4701 | ||
4702 | */ | |
4703 | typedef int mpo_task_label_externalize_t( | |
4704 | struct label *label, | |
4705 | char *element_name, | |
4706 | struct sbuf *sb | |
4707 | ); | |
4708 | /** | |
4709 | @brief Initialize Mach task label | |
4710 | @param label New label to initialize | |
4711 | ||
4712 | Initialize the label for a newly instantiated Mach task. Sleeping | |
4713 | is permitted. | |
4714 | */ | |
4715 | typedef void mpo_task_label_init_t( | |
4716 | struct label *label | |
4717 | ); | |
4718 | /** | |
4719 | @brief Internalize a task label | |
4720 | @param label Label to be internalized | |
4721 | @param element_name Name of the label namespace for which the label should | |
4722 | be internalized | |
4723 | @param element_data Text data to be internalized | |
4724 | ||
4725 | Produce a task label from an external representation. An | |
4726 | externalized label consists of a text representation of the label | |
4727 | contents that can be used with user applications. Policy-agnostic | |
4728 | user space tools will forward text version to the kernel for | |
4729 | processing by individual policy modules. | |
4730 | ||
4731 | The policy's internalize entry points will be called only if the | |
4732 | policy has registered interest in the label namespace. | |
4733 | ||
4734 | @return 0 on success, Otherwise, return non-zero if an error occurs | |
4735 | while internalizing the label data. | |
4736 | ||
4737 | */ | |
4738 | typedef int mpo_task_label_internalize_t( | |
4739 | struct label *label, | |
4740 | char *element_name, | |
4741 | char *element_data | |
4742 | ); | |
4743 | /** | |
4744 | @brief Update a Mach task label | |
4745 | @param cred User credential label to be used as the source | |
4746 | @param task Mach task label to be used as the destination | |
4747 | @see mpo_cred_label_update_t | |
4748 | @see mpo_cred_label_update_execve_t | |
4749 | ||
4750 | Update the label on a Mach task, using the supplied user credential | |
4751 | label. When a mac_cred_label_update_execve or a mac_cred_label_update operation | |
4752 | causes the label on a user credential to change, the Mach task label | |
4753 | also needs to be updated to reflect the change. Both labels are | |
4754 | already valid (initialized and created). | |
4755 | ||
4756 | @warning XXX We may change the name of this entry point in a future | |
4757 | version of the MAC framework. | |
4758 | */ | |
4759 | typedef void mpo_task_label_update_t( | |
4760 | struct label *cred, | |
4761 | struct label *task | |
4762 | ); | |
4763 | /** | |
4764 | @brief Perform MAC-related events when a thread returns to user space | |
4765 | @param thread Mach (not BSD) thread that is returning | |
4766 | ||
4767 | This entry point permits policy modules to perform MAC-related | |
4768 | events when a thread returns to user space, via a system call | |
4769 | return or trap return. | |
4770 | */ | |
4771 | typedef void mpo_thread_userret_t( | |
4772 | struct thread *thread | |
4773 | ); | |
4774 | /** | |
4775 | @brief Initialize per thread label | |
4776 | @param label New label to initialize | |
4777 | ||
4778 | Initialize the label for a newly instantiated thread. | |
4779 | Sleeping is permitted. | |
4780 | */ | |
4781 | typedef void mpo_thread_label_init_t( | |
4782 | struct label *label | |
4783 | ); | |
4784 | /** | |
4785 | @brief Destroy thread label | |
4786 | @param label The label to be destroyed | |
4787 | ||
4788 | Destroy a user thread label. Since the user thread | |
4789 | is going out of scope, policy modules should free any internal | |
4790 | storage associated with the label so that it may be destroyed. | |
4791 | */ | |
4792 | typedef void mpo_thread_label_destroy_t( | |
4793 | struct label *label | |
4794 | ); | |
4795 | /** | |
4796 | @brief Check vnode access | |
4797 | @param cred Subject credential | |
4798 | @param vp Object vnode | |
4799 | @param label Label for vp | |
4800 | @param acc_mode access(2) flags | |
4801 | ||
4802 | Determine how invocations of access(2) and related calls by the | |
4803 | subject identified by the credential should return when performed | |
4804 | on the passed vnode using the passed access flags. This should | |
4805 | generally be implemented using the same semantics used in | |
4806 | mpo_vnode_check_open. | |
4807 | ||
4808 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4809 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4810 | EPERM for lack of privilege. | |
4811 | */ | |
4812 | typedef int mpo_vnode_check_access_t( | |
4813 | kauth_cred_t cred, | |
4814 | struct vnode *vp, | |
4815 | struct label *label, | |
4816 | int acc_mode | |
4817 | ); | |
4818 | /** | |
4819 | @brief Access control check for changing working directory | |
4820 | @param cred Subject credential | |
4821 | @param dvp Object; vnode to chdir(2) into | |
4822 | @param dlabel Policy label for dvp | |
4823 | ||
4824 | Determine whether the subject identified by the credential can change | |
4825 | the process working directory to the passed vnode. | |
4826 | ||
4827 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4828 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4829 | EPERM for lack of privilege. | |
4830 | */ | |
4831 | typedef int mpo_vnode_check_chdir_t( | |
4832 | kauth_cred_t cred, | |
4833 | struct vnode *dvp, | |
4834 | struct label *dlabel | |
4835 | ); | |
4836 | /** | |
4837 | @brief Access control check for changing root directory | |
4838 | @param cred Subject credential | |
4839 | @param dvp Directory vnode | |
4840 | @param dlabel Policy label associated with dvp | |
4841 | @param cnp Component name for dvp | |
4842 | ||
4843 | Determine whether the subject identified by the credential should be | |
4844 | allowed to chroot(2) into the specified directory (dvp). | |
4845 | ||
4846 | @return In the event of an error, an appropriate value for errno | |
4847 | should be returned, otherwise return 0 upon success. | |
4848 | */ | |
4849 | typedef int mpo_vnode_check_chroot_t( | |
4850 | kauth_cred_t cred, | |
4851 | struct vnode *dvp, | |
4852 | struct label *dlabel, | |
4853 | struct componentname *cnp | |
4854 | ); | |
4855 | /** | |
4856 | @brief Access control check for creating vnode | |
4857 | @param cred Subject credential | |
4858 | @param dvp Directory vnode | |
4859 | @param dlabel Policy label for dvp | |
4860 | @param cnp Component name for dvp | |
4861 | @param vap vnode attributes for vap | |
4862 | ||
4863 | Determine whether the subject identified by the credential can create | |
4864 | a vnode with the passed parent directory, passed name information, | |
4865 | and passed attribute information. This call may be made in a number of | |
4866 | situations, including as a result of calls to open(2) with O_CREAT, | |
4867 | mknod(2), mkfifo(2), and others. | |
4868 | ||
4869 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4870 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4871 | EPERM for lack of privilege. | |
4872 | */ | |
4873 | typedef int mpo_vnode_check_create_t( | |
4874 | kauth_cred_t cred, | |
4875 | struct vnode *dvp, | |
4876 | struct label *dlabel, | |
4877 | struct componentname *cnp, | |
4878 | struct vnode_attr *vap | |
4879 | ); | |
4880 | /** | |
4881 | @brief Access control check for deleting extended attribute | |
4882 | @param cred Subject credential | |
4883 | @param vp Object vnode | |
4884 | @param vlabel Label associated with vp | |
4885 | @param name Extended attribute name | |
4886 | ||
4887 | Determine whether the subject identified by the credential can delete | |
4888 | the extended attribute from the passed vnode. | |
4889 | ||
4890 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4891 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4892 | EPERM for lack of privilege. | |
4893 | */ | |
4894 | typedef int mpo_vnode_check_deleteextattr_t( | |
4895 | kauth_cred_t cred, | |
4896 | struct vnode *vp, | |
4897 | struct label *vlabel, | |
4898 | const char *name | |
4899 | ); | |
4900 | /** | |
4901 | @brief Access control check for exchanging file data | |
4902 | @param cred Subject credential | |
4903 | @param v1 vnode 1 to swap | |
4904 | @param vl1 Policy label for v1 | |
4905 | @param v2 vnode 2 to swap | |
4906 | @param vl2 Policy label for v2 | |
4907 | ||
4908 | Determine whether the subject identified by the credential can swap the data | |
4909 | in the two supplied vnodes. | |
4910 | ||
4911 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4912 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4913 | EPERM for lack of privilege. | |
4914 | */ | |
4915 | typedef int mpo_vnode_check_exchangedata_t( | |
4916 | kauth_cred_t cred, | |
4917 | struct vnode *v1, | |
4918 | struct label *vl1, | |
4919 | struct vnode *v2, | |
4920 | struct label *vl2 | |
4921 | ); | |
4922 | /** | |
4923 | @brief Access control check for executing the vnode | |
4924 | @param cred Subject credential | |
4925 | @param vp Object vnode to execute | |
4926 | @param label Policy label for vp | |
4927 | @param execlabel Userspace provided execution label | |
4928 | @param cnp Component name for file being executed | |
4929 | ||
4930 | Determine whether the subject identified by the credential can execute | |
4931 | the passed vnode. Determination of execute privilege is made separately | |
4932 | from decisions about any process label transitioning event. | |
4933 | ||
4934 | The final label, execlabel, corresponds to a label supplied by a | |
4935 | user space application through the use of the mac_execve system call. | |
4936 | This label will be NULL if the user application uses the the vendor | |
4937 | execve(2) call instead of the MAC Framework mac_execve() call. | |
4938 | ||
4939 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4940 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4941 | EPERM for lack of privilege. | |
4942 | */ | |
4943 | typedef int mpo_vnode_check_exec_t( | |
4944 | kauth_cred_t cred, | |
4945 | struct vnode *vp, | |
4946 | struct label *label, | |
4947 | struct label *execlabel, /* NULLOK */ | |
4948 | struct componentname *cnp, | |
4949 | u_int *csflags | |
4950 | ); | |
4951 | /** | |
4952 | @brief Access control check for fsgetpath | |
4953 | @param cred Subject credential | |
4954 | @param vp Vnode for which a path will be returned | |
4955 | @param label Label associated with the vnode | |
4956 | ||
4957 | Determine whether the subject identified by the credential can get the path | |
4958 | of the given vnode with fsgetpath. | |
4959 | ||
4960 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4961 | errno should be returned. | |
4962 | */ | |
4963 | typedef int mpo_vnode_check_fsgetpath_t( | |
4964 | kauth_cred_t cred, | |
4965 | struct vnode *vp, | |
4966 | struct label *label | |
4967 | ); | |
4968 | /** | |
4969 | @brief Access control check after determining the code directory hash | |
4970 | */ | |
4971 | typedef int mpo_vnode_check_signature_t(struct vnode *vp, struct label *label, | |
4972 | unsigned char *sha1, void *signature, | |
4973 | int size); | |
4974 | ||
4975 | /** | |
4976 | @brief Access control check for retrieving file attributes | |
4977 | @param cred Subject credential | |
4978 | @param vp Object vnode | |
4979 | @param vlabel Policy label for vp | |
4980 | @param alist List of attributes to retrieve | |
4981 | ||
4982 | Determine whether the subject identified by the credential can read | |
4983 | various attributes of the specified vnode, or the filesystem or volume on | |
4984 | which that vnode resides. See <sys/attr.h> for definitions of the | |
4985 | attributes. | |
4986 | ||
4987 | @return Return 0 if access is granted, otherwise an appropriate value for | |
4988 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
4989 | EPERM for lack of privilege. Access control covers all attributes requested | |
4990 | with this call; the security policy is not permitted to change the set of | |
4991 | attributes requested. | |
4992 | */ | |
4993 | typedef int mpo_vnode_check_getattrlist_t( | |
4994 | kauth_cred_t cred, | |
4995 | struct vnode *vp, | |
4996 | struct label *vlabel, | |
4997 | struct attrlist *alist | |
4998 | ); | |
4999 | /** | |
5000 | @brief Access control check for retrieving an extended attribute | |
5001 | @param cred Subject credential | |
5002 | @param vp Object vnode | |
5003 | @param label Policy label for vp | |
5004 | @param name Extended attribute name | |
5005 | @param uio I/O structure pointer | |
5006 | ||
5007 | Determine whether the subject identified by the credential can retrieve | |
5008 | the extended attribute from the passed vnode. The uio parameter | |
5009 | will be NULL when the getxattr(2) call has been made with a NULL data | |
5010 | value; this is done to request the size of the data only. | |
5011 | ||
5012 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5013 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5014 | EPERM for lack of privilege. | |
5015 | */ | |
5016 | typedef int mpo_vnode_check_getextattr_t( | |
5017 | kauth_cred_t cred, | |
5018 | struct vnode *vp, | |
5019 | struct label *label, /* NULLOK */ | |
5020 | const char *name, | |
5021 | struct uio *uio /* NULLOK */ | |
5022 | ); | |
5023 | /** | |
5024 | @brief Access control check for ioctl | |
5025 | @param cred Subject credential | |
5026 | @param vp Object vnode | |
5027 | @param label Policy label for vp | |
5028 | @param com Device-dependent request code; see ioctl(2) | |
5029 | ||
5030 | Determine whether the subject identified by the credential can perform | |
5031 | the ioctl operation indicated by com. | |
5032 | ||
5033 | @warning Since ioctl data is opaque from the standpoint of the MAC | |
5034 | framework, and since ioctls can affect many aspects of system | |
5035 | operation, policies must exercise extreme care when implementing | |
5036 | access control checks. | |
5037 | ||
5038 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5039 | errno should be returned. | |
5040 | */ | |
5041 | typedef int mpo_vnode_check_ioctl_t( | |
5042 | kauth_cred_t cred, | |
5043 | struct vnode *vp, | |
5044 | struct label *label, | |
5045 | unsigned int cmd | |
5046 | ); | |
5047 | /** | |
5048 | @brief Access control check for vnode kqfilter | |
5049 | @param cred Subject credential | |
5050 | @param kn Object knote | |
5051 | @param vp Object vnode | |
5052 | @param label Policy label for vp | |
5053 | ||
5054 | Determine whether the subject identified by the credential can | |
5055 | receive the knote on the passed vnode. | |
5056 | ||
5057 | @return Return 0 if access if granted, otherwise an appropriate | |
5058 | value for errno should be returned. | |
5059 | */ | |
5060 | typedef int mpo_vnode_check_kqfilter_t( | |
5061 | kauth_cred_t active_cred, | |
5062 | kauth_cred_t file_cred, /* NULLOK */ | |
5063 | struct knote *kn, | |
5064 | struct vnode *vp, | |
5065 | struct label *label | |
5066 | ); | |
5067 | /** | |
5068 | @brief Access control check for relabel | |
5069 | @param cred Subject credential | |
5070 | @param vp Object vnode | |
5071 | @param vnodelabel Existing policy label for vp | |
5072 | @param newlabel Policy label update to later be applied to vp | |
5073 | @see mpo_relable_vnode_t | |
5074 | ||
5075 | Determine whether the subject identified by the credential can relabel | |
5076 | the passed vnode to the passed label update. If all policies permit | |
5077 | the label change, the actual relabel entry point (mpo_vnode_label_update) | |
5078 | will follow. | |
5079 | ||
5080 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5081 | errno should be returned. | |
5082 | */ | |
5083 | typedef int mpo_vnode_check_label_update_t( | |
5084 | struct ucred *cred, | |
5085 | struct vnode *vp, | |
5086 | struct label *vnodelabel, | |
5087 | struct label *newlabel | |
5088 | ); | |
5089 | /** | |
5090 | @brief Access control check for creating link | |
5091 | @param cred Subject credential | |
5092 | @param dvp Directory vnode | |
5093 | @param dlabel Policy label associated with dvp | |
5094 | @param vp Link destination vnode | |
5095 | @param label Policy label associated with vp | |
5096 | @param cnp Component name for the link being created | |
5097 | ||
5098 | Determine whether the subject identified by the credential should be | |
5099 | allowed to create a link to the vnode vp with the name specified by cnp. | |
5100 | ||
5101 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5102 | errno should be returned. | |
5103 | */ | |
5104 | typedef int mpo_vnode_check_link_t( | |
5105 | kauth_cred_t cred, | |
5106 | struct vnode *dvp, | |
5107 | struct label *dlabel, | |
5108 | struct vnode *vp, | |
5109 | struct label *label, | |
5110 | struct componentname *cnp | |
5111 | ); | |
5112 | /** | |
5113 | @brief Access control check for listing extended attributes | |
5114 | @param cred Subject credential | |
5115 | @param vp Object vnode | |
5116 | @param vlabel Policy label associated with vp | |
5117 | ||
5118 | Determine whether the subject identified by the credential can retrieve | |
5119 | a list of named extended attributes from a vnode. | |
5120 | ||
5121 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5122 | errno should be returned. | |
5123 | */ | |
5124 | typedef int mpo_vnode_check_listextattr_t( | |
5125 | kauth_cred_t cred, | |
5126 | struct vnode *vp, | |
5127 | struct label *vlabel | |
5128 | ); | |
5129 | /** | |
5130 | @brief Access control check for lookup | |
5131 | @param cred Subject credential | |
5132 | @param dvp Object vnode | |
5133 | @param dlabel Policy label for dvp | |
5134 | @param cnp Component name being looked up | |
5135 | ||
5136 | Determine whether the subject identified by the credential can perform | |
5137 | a lookup in the passed directory vnode for the passed name (cnp). | |
5138 | ||
5139 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5140 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5141 | EPERM for lack of privilege. | |
5142 | */ | |
5143 | typedef int mpo_vnode_check_lookup_t( | |
5144 | kauth_cred_t cred, | |
5145 | struct vnode *dvp, | |
5146 | struct label *dlabel, | |
5147 | struct componentname *cnp | |
5148 | ); | |
5149 | /** | |
5150 | @brief Access control check for open | |
5151 | @param cred Subject credential | |
5152 | @param vp Object vnode | |
5153 | @param label Policy label associated with vp | |
5154 | @param acc_mode open(2) access mode | |
5155 | ||
5156 | Determine whether the subject identified by the credential can perform | |
5157 | an open operation on the passed vnode with the passed access mode. | |
5158 | ||
5159 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5160 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5161 | EPERM for lack of privilege. | |
5162 | */ | |
5163 | typedef int mpo_vnode_check_open_t( | |
5164 | kauth_cred_t cred, | |
5165 | struct vnode *vp, | |
5166 | struct label *label, | |
5167 | int acc_mode | |
5168 | ); | |
5169 | /** | |
5170 | @brief Access control check for read | |
5171 | @param active_cred Subject credential | |
5172 | @param file_cred Credential associated with the struct fileproc | |
5173 | @param vp Object vnode | |
5174 | @param label Policy label for vp | |
5175 | ||
5176 | Determine whether the subject identified by the credential can perform | |
5177 | a read operation on the passed vnode. The active_cred hold the credentials | |
5178 | of the subject performing the operation, and file_cred holds the | |
5179 | credentials of the subject that originally opened the file. | |
5180 | ||
5181 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5182 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5183 | EPERM for lack of privilege. | |
5184 | */ | |
5185 | typedef int mpo_vnode_check_read_t( | |
5186 | kauth_cred_t active_cred, /* SUBJECT */ | |
5187 | kauth_cred_t file_cred, /* NULLOK */ | |
5188 | struct vnode *vp, /* OBJECT */ | |
5189 | struct label *label /* LABEL */ | |
5190 | ); | |
5191 | /** | |
5192 | @brief Access control check for read directory | |
5193 | @param cred Subject credential | |
5194 | @param dvp Object directory vnode | |
5195 | @param dlabel Policy label for dvp | |
5196 | ||
5197 | Determine whether the subject identified by the credential can | |
5198 | perform a readdir operation on the passed directory vnode. | |
5199 | ||
5200 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5201 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5202 | EPERM for lack of privilege. | |
5203 | */ | |
5204 | typedef int mpo_vnode_check_readdir_t( | |
5205 | kauth_cred_t cred, /* SUBJECT */ | |
5206 | struct vnode *dvp, /* OBJECT */ | |
5207 | struct label *dlabel /* LABEL */ | |
5208 | ); | |
5209 | /** | |
5210 | @brief Access control check for read link | |
5211 | @param cred Subject credential | |
5212 | @param vp Object vnode | |
5213 | @param label Policy label for vp | |
5214 | ||
5215 | Determine whether the subject identified by the credential can perform | |
5216 | a readlink operation on the passed symlink vnode. This call can be made | |
5217 | in a number of situations, including an explicit readlink call by the | |
5218 | user process, or as a result of an implicit readlink during a name | |
5219 | lookup by the process. | |
5220 | ||
5221 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5222 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5223 | EPERM for lack of privilege. | |
5224 | */ | |
5225 | typedef int mpo_vnode_check_readlink_t( | |
5226 | kauth_cred_t cred, | |
5227 | struct vnode *vp, | |
5228 | struct label *label | |
5229 | ); | |
5230 | /** | |
5231 | @brief Access control check for rename from | |
5232 | @param cred Subject credential | |
5233 | @param dvp Directory vnode | |
5234 | @param dlabel Policy label associated with dvp | |
5235 | @param vp vnode to be renamed | |
5236 | @param label Policy label associated with vp | |
5237 | @param cnp Component name for vp | |
5238 | @see mpo_vnode_check_rename_to_t | |
5239 | ||
5240 | Determine whether the subject identified by the credential should be | |
5241 | allowed to rename the vnode vp to something else. | |
5242 | ||
5243 | Due to VFS locking constraints (to make sure proper vnode locks are | |
5244 | held during this entry point), the vnode relabel checks had to be | |
5245 | split into two parts: relabel_from and relabel to. | |
5246 | ||
5247 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5248 | errno should be returned. | |
5249 | */ | |
5250 | typedef int mpo_vnode_check_rename_from_t( | |
5251 | kauth_cred_t cred, | |
5252 | struct vnode *dvp, | |
5253 | struct label *dlabel, | |
5254 | struct vnode *vp, | |
5255 | struct label *label, | |
5256 | struct componentname *cnp | |
5257 | ); | |
5258 | /** | |
5259 | @brief Access control check for rename to | |
5260 | @param cred Subject credential | |
5261 | @param dvp Directory vnode | |
5262 | @param dlabel Policy label associated with dvp | |
5263 | @param vp Overwritten vnode | |
5264 | @param label Policy label associated with vp | |
5265 | @param samedir Boolean; 1 if the source and destination directories are the same | |
5266 | @param cnp Destination component name | |
5267 | @see mpo_vnode_check_rename_from_t | |
5268 | ||
5269 | Determine whether the subject identified by the credential should be | |
5270 | allowed to rename to the vnode vp, into the directory dvp, or to the | |
5271 | name represented by cnp. If there is no existing file to overwrite, | |
5272 | vp and label will be NULL. | |
5273 | ||
5274 | Due to VFS locking constraints (to make sure proper vnode locks are | |
5275 | held during this entry point), the vnode relabel checks had to be | |
5276 | split into two parts: relabel_from and relabel to. | |
5277 | ||
5278 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5279 | errno should be returned. | |
5280 | */ | |
5281 | typedef int mpo_vnode_check_rename_to_t( | |
5282 | kauth_cred_t cred, | |
5283 | struct vnode *dvp, | |
5284 | struct label *dlabel, | |
5285 | struct vnode *vp, /* NULLOK */ | |
5286 | struct label *label, /* NULLOK */ | |
5287 | int samedir, | |
5288 | struct componentname *cnp | |
5289 | ); | |
5290 | /** | |
5291 | @brief Access control check for revoke | |
5292 | @param cred Subject credential | |
5293 | @param vp Object vnode | |
5294 | @param label Policy label for vp | |
5295 | ||
5296 | Determine whether the subject identified by the credential can revoke | |
5297 | access to the passed vnode. | |
5298 | ||
5299 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5300 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5301 | EPERM for lack of privilege. | |
5302 | */ | |
5303 | typedef int mpo_vnode_check_revoke_t( | |
5304 | kauth_cred_t cred, | |
5305 | struct vnode *vp, | |
5306 | struct label *label | |
5307 | ); | |
5308 | /** | |
5309 | @brief Access control check for searchfs | |
5310 | @param cred Subject credential | |
5311 | @param vp Object vnode | |
5312 | @param vlabel Policy label for vp | |
5313 | @param alist List of attributes used as search criteria | |
5314 | ||
5315 | Determine whether the subject identified by the credential can search the | |
5316 | vnode using the searchfs system call. | |
5317 | ||
5318 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5319 | errno should be returned. | |
5320 | */ | |
5321 | typedef int mpo_vnode_check_searchfs_t( | |
5322 | kauth_cred_t cred, | |
5323 | struct vnode *vp, | |
5324 | struct label *vlabel, | |
5325 | struct attrlist *alist | |
5326 | ); | |
5327 | /** | |
5328 | @brief Access control check for select | |
5329 | @param cred Subject credential | |
5330 | @param vp Object vnode | |
5331 | @param label Policy label for vp | |
5332 | @param which The operation selected on: FREAD or FWRITE | |
5333 | ||
5334 | Determine whether the subject identified by the credential can select | |
5335 | the vnode. | |
5336 | ||
5337 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5338 | errno should be returned. | |
5339 | */ | |
5340 | typedef int mpo_vnode_check_select_t( | |
5341 | kauth_cred_t cred, | |
5342 | struct vnode *vp, | |
5343 | struct label *label, | |
5344 | int which | |
5345 | ); | |
5346 | /** | |
5347 | @brief Access control check for setting file attributes | |
5348 | @param cred Subject credential | |
5349 | @param vp Object vnode | |
5350 | @param vlabel Policy label for vp | |
5351 | @param alist List of attributes to set | |
5352 | ||
5353 | Determine whether the subject identified by the credential can set | |
5354 | various attributes of the specified vnode, or the filesystem or volume on | |
5355 | which that vnode resides. See <sys/attr.h> for definitions of the | |
5356 | attributes. | |
5357 | ||
5358 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5359 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5360 | EPERM for lack of privilege. Access control covers all attributes requested | |
5361 | with this call. | |
5362 | */ | |
5363 | typedef int mpo_vnode_check_setattrlist_t( | |
5364 | kauth_cred_t cred, | |
5365 | struct vnode *vp, | |
5366 | struct label *vlabel, | |
5367 | struct attrlist *alist | |
5368 | ); | |
5369 | /** | |
5370 | @brief Access control check for setting extended attribute | |
5371 | @param cred Subject credential | |
5372 | @param vp Object vnode | |
5373 | @param label Policy label for vp | |
5374 | @param name Extended attribute name | |
5375 | @param uio I/O structure pointer | |
5376 | ||
5377 | Determine whether the subject identified by the credential can set the | |
5378 | extended attribute of passed name and passed namespace on the passed | |
5379 | vnode. Policies implementing security labels backed into extended | |
5380 | attributes may want to provide additional protections for those | |
5381 | attributes. Additionally, policies should avoid making decisions based | |
5382 | on the data referenced from uio, as there is a potential race condition | |
5383 | between this check and the actual operation. The uio may also be NULL | |
5384 | if a delete operation is being performed. | |
5385 | ||
5386 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5387 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5388 | EPERM for lack of privilege. | |
5389 | */ | |
5390 | typedef int mpo_vnode_check_setextattr_t( | |
5391 | kauth_cred_t cred, | |
5392 | struct vnode *vp, | |
5393 | struct label *label, | |
5394 | const char *name, | |
5395 | struct uio *uio | |
5396 | ); | |
5397 | /** | |
5398 | @brief Access control check for setting flags | |
5399 | @param cred Subject credential | |
5400 | @param vp Object vnode | |
5401 | @param label Policy label for vp | |
5402 | @param flags File flags; see chflags(2) | |
5403 | ||
5404 | Determine whether the subject identified by the credential can set | |
5405 | the passed flags on the passed vnode. | |
5406 | ||
5407 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5408 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5409 | EPERM for lack of privilege. | |
5410 | */ | |
5411 | typedef int mpo_vnode_check_setflags_t( | |
5412 | kauth_cred_t cred, | |
5413 | struct vnode *vp, | |
5414 | struct label *label, | |
5415 | u_long flags | |
5416 | ); | |
5417 | /** | |
5418 | @brief Access control check for setting mode | |
5419 | @param cred Subject credential | |
5420 | @param vp Object vnode | |
5421 | @param label Policy label for vp | |
5422 | @param mode File mode; see chmod(2) | |
5423 | ||
5424 | Determine whether the subject identified by the credential can set | |
5425 | the passed mode on the passed vnode. | |
5426 | ||
5427 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5428 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5429 | EPERM for lack of privilege. | |
5430 | */ | |
5431 | typedef int mpo_vnode_check_setmode_t( | |
5432 | kauth_cred_t cred, | |
5433 | struct vnode *vp, | |
5434 | struct label *label, | |
5435 | mode_t mode | |
5436 | ); | |
5437 | /** | |
5438 | @brief Access control check for setting uid and gid | |
5439 | @param cred Subject credential | |
5440 | @param vp Object vnode | |
5441 | @param label Policy label for vp | |
5442 | @param uid User ID | |
5443 | @param gid Group ID | |
5444 | ||
5445 | Determine whether the subject identified by the credential can set | |
5446 | the passed uid and passed gid as file uid and file gid on the passed | |
5447 | vnode. The IDs may be set to (-1) to request no update. | |
5448 | ||
5449 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5450 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5451 | EPERM for lack of privilege. | |
5452 | */ | |
5453 | typedef int mpo_vnode_check_setowner_t( | |
5454 | kauth_cred_t cred, | |
5455 | struct vnode *vp, | |
5456 | struct label *label, | |
5457 | uid_t uid, | |
5458 | gid_t gid | |
5459 | ); | |
5460 | /** | |
5461 | @brief Access control check for setting timestamps | |
5462 | @param cred Subject credential | |
5463 | @param vp Object vnode | |
5464 | @param label Policy label for vp | |
5465 | @param atime Access time; see utimes(2) | |
5466 | @param mtime Modification time; see utimes(2) | |
5467 | ||
5468 | Determine whether the subject identified by the credential can set | |
5469 | the passed access timestamps on the passed vnode. | |
5470 | ||
5471 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5472 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5473 | EPERM for lack of privilege. | |
5474 | */ | |
5475 | typedef int mpo_vnode_check_setutimes_t( | |
5476 | kauth_cred_t cred, | |
5477 | struct vnode *vp, | |
5478 | struct label *label, | |
5479 | struct timespec atime, | |
5480 | struct timespec mtime | |
5481 | ); | |
5482 | /** | |
5483 | @brief Access control check for stat | |
5484 | @param active_cred Subject credential | |
5485 | @param file_cred Credential associated with the struct fileproc | |
5486 | @param vp Object vnode | |
5487 | @param label Policy label for vp | |
5488 | ||
5489 | Determine whether the subject identified by the credential can stat | |
5490 | the passed vnode. See stat(2) for more information. The active_cred | |
5491 | hold the credentials of the subject performing the operation, and | |
5492 | file_cred holds the credentials of the subject that originally | |
5493 | opened the file. | |
5494 | ||
5495 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5496 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5497 | EPERM for lack of privilege. | |
5498 | */ | |
5499 | typedef int mpo_vnode_check_stat_t( | |
5500 | struct ucred *active_cred, | |
5501 | struct ucred *file_cred, /* NULLOK */ | |
5502 | struct vnode *vp, | |
5503 | struct label *label | |
5504 | ); | |
5505 | /** | |
5506 | @brief Access control check for truncate/ftruncate | |
5507 | @param active_cred Subject credential | |
5508 | @param file_cred Credential associated with the struct fileproc | |
5509 | @param vp Object vnode | |
5510 | @param label Policy label for vp | |
5511 | ||
5512 | Determine whether the subject identified by the credential can | |
5513 | perform a truncate operation on the passed vnode. The active_cred hold | |
5514 | the credentials of the subject performing the operation, and | |
5515 | file_cred holds the credentials of the subject that originally | |
5516 | opened the file. | |
5517 | ||
5518 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5519 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5520 | EPERM for lack of privilege. | |
5521 | */ | |
5522 | typedef int mpo_vnode_check_truncate_t( | |
5523 | kauth_cred_t active_cred, | |
5524 | kauth_cred_t file_cred, /* NULLOK */ | |
5525 | struct vnode *vp, | |
5526 | struct label *label | |
5527 | ); | |
5528 | /** | |
5529 | @brief Access control check for binding UNIX domain socket | |
5530 | @param cred Subject credential | |
5531 | @param dvp Directory vnode | |
5532 | @param dlabel Policy label for dvp | |
5533 | @param cnp Component name for dvp | |
5534 | @param vap vnode attributes for vap | |
5535 | ||
5536 | Determine whether the subject identified by the credential can perform a | |
5537 | bind operation on a UNIX domain socket with the passed parent directory, | |
5538 | passed name information, and passed attribute information. | |
5539 | ||
5540 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5541 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5542 | EPERM for lack of privilege. | |
5543 | */ | |
5544 | typedef int mpo_vnode_check_uipc_bind_t( | |
5545 | kauth_cred_t cred, | |
5546 | struct vnode *dvp, | |
5547 | struct label *dlabel, | |
5548 | struct componentname *cnp, | |
5549 | struct vnode_attr *vap | |
5550 | ); | |
5551 | /** | |
5552 | @brief Access control check for connecting UNIX domain socket | |
5553 | @param cred Subject credential | |
5554 | @param vp Object vnode | |
5555 | @param label Policy label associated with vp | |
5556 | ||
5557 | Determine whether the subject identified by the credential can perform a | |
5558 | connect operation on the passed UNIX domain socket vnode. | |
5559 | ||
5560 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5561 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5562 | EPERM for lack of privilege. | |
5563 | */ | |
5564 | typedef int mpo_vnode_check_uipc_connect_t( | |
5565 | kauth_cred_t cred, | |
5566 | struct vnode *vp, | |
5567 | struct label *label | |
5568 | ); | |
5569 | /** | |
5570 | @brief Access control check for deleting vnode | |
5571 | @param cred Subject credential | |
5572 | @param dvp Parent directory vnode | |
5573 | @param dlabel Policy label for dvp | |
5574 | @param vp Object vnode to delete | |
5575 | @param label Policy label for vp | |
5576 | @param cnp Component name for vp | |
5577 | @see mpo_check_rename_to_t | |
5578 | ||
5579 | Determine whether the subject identified by the credential can delete | |
5580 | a vnode from the passed parent directory and passed name information. | |
5581 | This call may be made in a number of situations, including as a | |
5582 | results of calls to unlink(2) and rmdir(2). Policies implementing | |
5583 | this entry point should also implement mpo_check_rename_to to | |
5584 | authorize deletion of objects as a result of being the target of a rename. | |
5585 | ||
5586 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5587 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5588 | EPERM for lack of privilege. | |
5589 | */ | |
5590 | typedef int mpo_vnode_check_unlink_t( | |
5591 | kauth_cred_t cred, | |
5592 | struct vnode *dvp, | |
5593 | struct label *dlabel, | |
5594 | struct vnode *vp, | |
5595 | struct label *label, | |
5596 | struct componentname *cnp | |
5597 | ); | |
5598 | /** | |
5599 | @brief Access control check for write | |
5600 | @param active_cred Subject credential | |
5601 | @param file_cred Credential associated with the struct fileproc | |
5602 | @param vp Object vnode | |
5603 | @param label Policy label for vp | |
5604 | ||
5605 | Determine whether the subject identified by the credential can | |
5606 | perform a write operation on the passed vnode. The active_cred hold | |
5607 | the credentials of the subject performing the operation, and | |
5608 | file_cred holds the credentials of the subject that originally | |
5609 | opened the file. | |
5610 | ||
5611 | @return Return 0 if access is granted, otherwise an appropriate value for | |
5612 | errno should be returned. Suggested failure: EACCES for label mismatch or | |
5613 | EPERM for lack of privilege. | |
5614 | */ | |
5615 | typedef int mpo_vnode_check_write_t( | |
5616 | kauth_cred_t active_cred, | |
5617 | kauth_cred_t file_cred, /* NULLOK */ | |
5618 | struct vnode *vp, | |
5619 | struct label *label | |
5620 | ); | |
5621 | /** | |
5622 | @brief Associate a vnode with a devfs entry | |
5623 | @param mp Devfs mount point | |
5624 | @param mntlabel Devfs mount point label | |
5625 | @param de Devfs directory entry | |
5626 | @param delabel Label associated with de | |
5627 | @param vp vnode associated with de | |
5628 | @param vlabel Label associated with vp | |
5629 | ||
5630 | Fill in the label (vlabel) for a newly created devfs vnode. The | |
5631 | label is typically derived from the label on the devfs directory | |
5632 | entry or the label on the filesystem, supplied as parameters. | |
5633 | */ | |
5634 | typedef void mpo_vnode_label_associate_devfs_t( | |
5635 | struct mount *mp, | |
5636 | struct label *mntlabel, | |
5637 | struct devnode *de, | |
5638 | struct label *delabel, | |
5639 | struct vnode *vp, | |
5640 | struct label *vlabel | |
5641 | ); | |
5642 | /** | |
5643 | @brief Associate a label with a vnode | |
5644 | @param mp File system mount point | |
5645 | @param mntlabel File system mount point label | |
5646 | @param vp Vnode to label | |
5647 | @param vlabel Label associated with vp | |
5648 | ||
5649 | Attempt to retrieve label information for the vnode, vp, from the | |
5650 | file system extended attribute store. The label should be stored in | |
5651 | the supplied vlabel parameter. If a policy cannot retrieve an | |
5652 | extended attribute, sometimes it is acceptible to fallback to using | |
5653 | the mntlabel. | |
5654 | ||
5655 | If the policy requires vnodes to have a valid label elsewhere it | |
5656 | MUST NOT return other than temporary errors, and must always provide | |
5657 | a valid label of some sort. Returning an error will cause vnode | |
5658 | labeling to be retried at a later access. Failure to handle policy | |
5659 | centric errors internally (corrupt labels etc.) will result in | |
5660 | inaccessible files. | |
5661 | ||
5662 | @return In the event of an error, an appropriate value for errno | |
5663 | should be returned, otherwise return 0 upon success. | |
5664 | */ | |
5665 | typedef int mpo_vnode_label_associate_extattr_t( | |
5666 | struct mount *mp, | |
5667 | struct label *mntlabel, | |
5668 | struct vnode *vp, | |
5669 | struct label *vlabel | |
5670 | ); | |
5671 | /** | |
5672 | @brief Associate a file label with a vnode | |
5673 | @param cred User credential | |
5674 | @param mp Fdesc mount point | |
5675 | @param mntlabel Fdesc mount point label | |
5676 | @param fg Fileglob structure | |
5677 | @param label Policy label for fg | |
5678 | @param vp Vnode to label | |
5679 | @param vlabel Label associated with vp | |
5680 | ||
5681 | Associate label information for the vnode, vp, with the label of | |
5682 | the open file descriptor described by fg. | |
5683 | The label should be stored in the supplied vlabel parameter. | |
5684 | */ | |
5685 | typedef void mpo_vnode_label_associate_file_t( | |
5686 | struct ucred *cred, | |
5687 | struct mount *mp, | |
5688 | struct label *mntlabel, | |
5689 | struct fileglob *fg, | |
5690 | struct label *label, | |
5691 | struct vnode *vp, | |
5692 | struct label *vlabel | |
5693 | ); | |
5694 | /** | |
5695 | @brief Associate a pipe label with a vnode | |
5696 | @param cred User credential for the process that opened the pipe | |
5697 | @param cpipe Pipe structure | |
5698 | @param pipelabel Label associated with pipe | |
5699 | @param vp Vnode to label | |
5700 | @param vlabel Label associated with vp | |
5701 | ||
5702 | Associate label information for the vnode, vp, with the label of | |
5703 | the pipe described by the pipe structure cpipe. | |
5704 | The label should be stored in the supplied vlabel parameter. | |
5705 | */ | |
5706 | typedef void mpo_vnode_label_associate_pipe_t( | |
5707 | struct ucred *cred, | |
5708 | struct pipe *cpipe, | |
5709 | struct label *pipelabel, | |
5710 | struct vnode *vp, | |
5711 | struct label *vlabel | |
5712 | ); | |
5713 | /** | |
5714 | @brief Associate a POSIX semaphore label with a vnode | |
5715 | @param cred User credential for the process that create psem | |
5716 | @param psem POSIX semaphore structure | |
5717 | @param psemlabel Label associated with psem | |
5718 | @param vp Vnode to label | |
5719 | @param vlabel Label associated with vp | |
5720 | ||
5721 | Associate label information for the vnode, vp, with the label of | |
5722 | the POSIX semaphore described by psem. | |
5723 | The label should be stored in the supplied vlabel parameter. | |
5724 | */ | |
5725 | typedef void mpo_vnode_label_associate_posixsem_t( | |
5726 | struct ucred *cred, | |
5727 | struct pseminfo *psem, | |
5728 | struct label *psemlabel, | |
5729 | struct vnode *vp, | |
5730 | struct label *vlabel | |
5731 | ); | |
5732 | /** | |
5733 | @brief Associate a POSIX shared memory label with a vnode | |
5734 | @param cred User credential for the process that created pshm | |
5735 | @param pshm POSIX shared memory structure | |
5736 | @param pshmlabel Label associated with pshm | |
5737 | @param vp Vnode to label | |
5738 | @param vlabel Label associated with vp | |
5739 | ||
5740 | Associate label information for the vnode, vp, with the label of | |
5741 | the POSIX shared memory region described by pshm. | |
5742 | The label should be stored in the supplied vlabel parameter. | |
5743 | */ | |
5744 | typedef void mpo_vnode_label_associate_posixshm_t( | |
5745 | struct ucred *cred, | |
5746 | struct pshminfo *pshm, | |
5747 | struct label *pshmlabel, | |
5748 | struct vnode *vp, | |
5749 | struct label *vlabel | |
5750 | ); | |
5751 | /** | |
5752 | @brief Associate a label with a vnode | |
5753 | @param mp File system mount point | |
5754 | @param mntlabel File system mount point label | |
5755 | @param vp Vnode to label | |
5756 | @param vlabel Label associated with vp | |
5757 | ||
5758 | On non-multilabel file systems, set the label for a vnode. The | |
5759 | label will most likely be based on the file system label. | |
5760 | */ | |
5761 | typedef void mpo_vnode_label_associate_singlelabel_t( | |
5762 | struct mount *mp, | |
5763 | struct label *mntlabel, | |
5764 | struct vnode *vp, | |
5765 | struct label *vlabel | |
5766 | ); | |
5767 | /** | |
5768 | @brief Associate a socket label with a vnode | |
5769 | @param cred User credential for the process that opened the socket | |
5770 | @param so Socket structure | |
5771 | @param solabel Label associated with so | |
5772 | @param vp Vnode to label | |
5773 | @param vlabel Label associated with vp | |
5774 | ||
5775 | Associate label information for the vnode, vp, with the label of | |
5776 | the open socket described by the socket structure so. | |
5777 | The label should be stored in the supplied vlabel parameter. | |
5778 | */ | |
5779 | typedef void mpo_vnode_label_associate_socket_t( | |
5780 | kauth_cred_t cred, | |
5781 | socket_t so, | |
5782 | struct label *solabel, | |
5783 | struct vnode *vp, | |
5784 | struct label *vlabel | |
5785 | ); | |
5786 | /** | |
5787 | @brief Copy a vnode label | |
5788 | @param src Source vnode label | |
5789 | @param dest Destination vnode label | |
5790 | ||
5791 | Copy the vnode label information from src to dest. On Darwin, this | |
5792 | is currently only necessary when executing interpreted scripts, but | |
5793 | will later be used if vnode label externalization cannot be an | |
5794 | atomic operation. | |
5795 | */ | |
5796 | typedef void mpo_vnode_label_copy_t( | |
5797 | struct label *src, | |
5798 | struct label *dest | |
5799 | ); | |
5800 | /** | |
5801 | @brief Destroy vnode label | |
5802 | @param label The label to be destroyed | |
5803 | ||
5804 | Destroy a vnode label. Since the object is going out of scope, | |
5805 | policy modules should free any internal storage associated with the | |
5806 | label so that it may be destroyed. | |
5807 | */ | |
5808 | typedef void mpo_vnode_label_destroy_t( | |
5809 | struct label *label | |
5810 | ); | |
5811 | /** | |
5812 | @brief Externalize a vnode label for auditing | |
5813 | @param label Label to be externalized | |
5814 | @param element_name Name of the label namespace for which labels should be | |
5815 | externalized | |
5816 | @param sb String buffer to be filled with a text representation of the label | |
5817 | ||
5818 | Produce an external representation of the label on a vnode suitable for | |
5819 | inclusion in an audit record. An externalized label consists of a text | |
5820 | representation of the label contents that will be added to the audit record | |
5821 | as part of a text token. Policy-agnostic user space tools will display | |
5822 | this externalized version. | |
5823 | ||
5824 | @return 0 on success, return non-zero if an error occurs while | |
5825 | externalizing the label data. | |
5826 | ||
5827 | */ | |
5828 | typedef int mpo_vnode_label_externalize_audit_t( | |
5829 | struct label *label, | |
5830 | char *element_name, | |
5831 | struct sbuf *sb | |
5832 | ); | |
5833 | /** | |
5834 | @brief Externalize a vnode label | |
5835 | @param label Label to be externalized | |
5836 | @param element_name Name of the label namespace for which labels should be | |
5837 | externalized | |
5838 | @param sb String buffer to be filled with a text representation of the label | |
5839 | ||
5840 | Produce an external representation of the label on a vnode. An | |
5841 | externalized label consists of a text representation of the label | |
5842 | contents that can be used with user applications. Policy-agnostic | |
5843 | user space tools will display this externalized version. | |
5844 | ||
5845 | @return 0 on success, return non-zero if an error occurs while | |
5846 | externalizing the label data. | |
5847 | ||
5848 | */ | |
5849 | typedef int mpo_vnode_label_externalize_t( | |
5850 | struct label *label, | |
5851 | char *element_name, | |
5852 | struct sbuf *sb | |
5853 | ); | |
5854 | /** | |
5855 | @brief Initialize vnode label | |
5856 | @param label New label to initialize | |
5857 | ||
5858 | Initialize label storage for use with a newly instantiated vnode, or | |
5859 | for temporary storage associated with the copying in or out of a | |
5860 | vnode label. While it is necessary to allocate space for a | |
5861 | kernel-resident vnode label, it is not yet necessary to link this vnode | |
5862 | with persistent label storage facilities, such as extended attributes. | |
5863 | Sleeping is permitted. | |
5864 | */ | |
5865 | typedef void mpo_vnode_label_init_t( | |
5866 | struct label *label | |
5867 | ); | |
5868 | /** | |
5869 | @brief Internalize a vnode label | |
5870 | @param label Label to be internalized | |
5871 | @param element_name Name of the label namespace for which the label should | |
5872 | be internalized | |
5873 | @param element_data Text data to be internalized | |
5874 | ||
5875 | Produce a vnode label from an external representation. An | |
5876 | externalized label consists of a text representation of the label | |
5877 | contents that can be used with user applications. Policy-agnostic | |
5878 | user space tools will forward text version to the kernel for | |
5879 | processing by individual policy modules. | |
5880 | ||
5881 | The policy's internalize entry points will be called only if the | |
5882 | policy has registered interest in the label namespace. | |
5883 | ||
5884 | @return 0 on success, Otherwise, return non-zero if an error occurs | |
5885 | while internalizing the label data. | |
5886 | */ | |
5887 | typedef int mpo_vnode_label_internalize_t( | |
5888 | struct label *label, | |
5889 | char *element_name, | |
5890 | char *element_data | |
5891 | ); | |
5892 | /** | |
5893 | @brief Clean up a vnode label | |
5894 | @param label The label to be cleaned for re-use | |
5895 | ||
5896 | Clean up a vnode label. Darwin (Tiger, 8.x) allocates vnodes on demand, but | |
5897 | typically never frees them. Before vnodes are placed back on free lists for | |
5898 | re-use, policies can cleanup or overwrite any information present in the label. | |
5899 | */ | |
5900 | typedef void mpo_vnode_label_recycle_t( | |
5901 | struct label *label | |
5902 | ); | |
5903 | /** | |
5904 | @brief Write a label to a extended attribute | |
5905 | @param cred Subject credential | |
5906 | @param vp The vnode for which the label is being stored | |
5907 | @param vlabel Label associated with vp | |
5908 | @param intlabel The new label to store | |
5909 | ||
5910 | Store a new label in the extended attribute corresponding to the | |
5911 | supplied vnode. The policy has already authorized the operation; | |
5912 | this call must be implemented in order to perform the actual | |
5913 | operation. | |
5914 | ||
5915 | @return In the event of an error, an appropriate value for errno | |
5916 | should be returned, otherwise return 0 upon success. | |
5917 | ||
5918 | @warning XXX After examining the extended attribute implementation on | |
5919 | Apple's future release, this entry point may be changed. | |
5920 | */ | |
5921 | typedef int mpo_vnode_label_store_t( | |
5922 | kauth_cred_t cred, | |
5923 | struct vnode *vp, | |
5924 | struct label *vlabel, | |
5925 | struct label *intlabel | |
5926 | ); | |
5927 | /** | |
5928 | @brief Update vnode label from extended attributes | |
5929 | @param mp File system mount point | |
5930 | @param mntlabel Mount point label | |
5931 | @param vp Vnode to label | |
5932 | @param vlabel Label associated with vp | |
5933 | @param name Name of the xattr | |
5934 | @see mpo_vnode_check_setextattr_t | |
5935 | ||
5936 | When an extended attribute is updated via the Vendor attribute management | |
5937 | functions, the MAC vnode label might also require an update. | |
5938 | Policies should first determine if 'name' matches their xattr label | |
5939 | name. If it does, the kernel is has either replaced or removed the | |
5940 | named extended attribute that was previously associated with the | |
5941 | vnode. Normally labels should only be modified via MAC Framework label | |
5942 | management calls, but sometimes the user space components will directly | |
5943 | modify extended attributes. For example, 'cp', 'tar', etc. manage | |
5944 | extended attributes in userspace, not the kernel. | |
5945 | ||
5946 | This entry point is called after the label update has occurred, so | |
5947 | it cannot return a failure. However, the operation is preceded by | |
5948 | the mpo_vnode_check_setextattr() access control check. | |
5949 | ||
5950 | If the vnode label needs to be updated the policy should return | |
5951 | a non-zero value. The vnode label will be marked for re-association | |
5952 | by the framework. | |
5953 | */ | |
5954 | typedef int mpo_vnode_label_update_extattr_t( | |
5955 | struct mount *mp, | |
5956 | struct label *mntlabel, | |
5957 | struct vnode *vp, | |
5958 | struct label *vlabel, | |
5959 | const char *name | |
5960 | ); | |
5961 | /** | |
5962 | @brief Update a vnode label | |
5963 | @param cred Subject credential | |
5964 | @param vp The vnode to relabel | |
5965 | @param vnodelabel Existing vnode label | |
5966 | @param label New label to replace existing label | |
5967 | @see mpo_vnode_check_label_update_t | |
5968 | ||
5969 | The subject identified by the credential has previously requested | |
5970 | and was authorized to relabel the vnode; this entry point allows | |
5971 | policies to perform the actual relabel operation. Policies should | |
5972 | update vnodelabel using the label stored in the label parameter. | |
5973 | */ | |
5974 | typedef void mpo_vnode_label_update_t( | |
5975 | kauth_cred_t cred, | |
5976 | struct vnode *vp, | |
5977 | struct label *vnodelabel, | |
5978 | struct label *label | |
5979 | ); | |
5980 | /** | |
5981 | @brief Create a new vnode, backed by extended attributes | |
5982 | @param cred User credential for the creating process | |
5983 | @param mp File system mount point | |
5984 | @param mntlabel File system mount point label | |
5985 | @param dvp Parent directory vnode | |
5986 | @param dlabel Parent directory vnode label | |
5987 | @param vp Newly created vnode | |
5988 | @param vlabel Label to associate with the new vnode | |
5989 | @param cnp Component name for vp | |
5990 | ||
5991 | Write out the label for the newly created vnode, most likely storing | |
5992 | the results in a file system extended attribute. Most policies will | |
5993 | derive the new vnode label using information from a combination | |
5994 | of the subject (user) credential, the file system label, the parent | |
5995 | directory label, and potentially the path name component. | |
5996 | ||
5997 | @return If the operation succeeds, store the new label in vlabel and | |
5998 | return 0. Otherwise, return an appropriate errno value. | |
5999 | */ | |
6000 | typedef int mpo_vnode_notify_create_t( | |
6001 | kauth_cred_t cred, | |
6002 | struct mount *mp, | |
6003 | struct label *mntlabel, | |
6004 | struct vnode *dvp, | |
6005 | struct label *dlabel, | |
6006 | struct vnode *vp, | |
6007 | struct label *vlabel, | |
6008 | struct componentname *cnp | |
6009 | ); | |
6010 | ||
6011 | /** | |
6012 | @brief Inform MAC policies that a vnode has been renamed | |
6013 | @param cred User credential for the renaming process | |
6014 | @param vp Vnode that's being renamed | |
6015 | @param label Policy label for vp | |
6016 | @param dvp Parent directory for the destination | |
6017 | @param dlabel Policy label for dvp | |
6018 | @param cnp Component name for the destination | |
6019 | ||
6020 | Inform MAC policies that a vnode has been renamed. | |
6021 | */ | |
6022 | typedef void mpo_vnode_notify_rename_t( | |
6023 | kauth_cred_t cred, | |
6024 | struct vnode *vp, | |
6025 | struct label *label, | |
6026 | struct vnode *dvp, | |
6027 | struct label *dlabel, | |
6028 | struct componentname *cnp | |
6029 | ); | |
6030 | ||
6031 | /* | |
6032 | * Placeholder for future events that may need mac hooks. | |
6033 | */ | |
6034 | typedef void mpo_reserved_hook_t(void); | |
6035 | ||
6036 | /*! | |
6037 | \struct mac_policy_ops | |
6038 | */ | |
6039 | #define MAC_POLICY_OPS_VERSION 13 /* inc when new reserved slots are taken */ | |
6040 | struct mac_policy_ops { | |
6041 | mpo_audit_check_postselect_t *mpo_audit_check_postselect; | |
6042 | mpo_audit_check_preselect_t *mpo_audit_check_preselect; | |
6043 | mpo_bpfdesc_label_associate_t *mpo_bpfdesc_label_associate; | |
6044 | mpo_bpfdesc_label_destroy_t *mpo_bpfdesc_label_destroy; | |
6045 | mpo_bpfdesc_label_init_t *mpo_bpfdesc_label_init; | |
6046 | mpo_bpfdesc_check_receive_t *mpo_bpfdesc_check_receive; | |
6047 | mpo_cred_check_label_update_execve_t *mpo_cred_check_label_update_execve; | |
6048 | mpo_cred_check_label_update_t *mpo_cred_check_label_update; | |
6049 | mpo_cred_check_visible_t *mpo_cred_check_visible; | |
6050 | mpo_cred_label_associate_fork_t *mpo_cred_label_associate_fork; | |
6051 | mpo_cred_label_associate_kernel_t *mpo_cred_label_associate_kernel; | |
6052 | mpo_cred_label_associate_t *mpo_cred_label_associate; | |
6053 | mpo_cred_label_associate_user_t *mpo_cred_label_associate_user; | |
6054 | mpo_cred_label_destroy_t *mpo_cred_label_destroy; | |
6055 | mpo_cred_label_externalize_audit_t *mpo_cred_label_externalize_audit; | |
6056 | mpo_cred_label_externalize_t *mpo_cred_label_externalize; | |
6057 | mpo_cred_label_init_t *mpo_cred_label_init; | |
6058 | mpo_cred_label_internalize_t *mpo_cred_label_internalize; | |
6059 | mpo_cred_label_update_execve_t *mpo_cred_label_update_execve; | |
6060 | mpo_cred_label_update_t *mpo_cred_label_update; | |
6061 | mpo_devfs_label_associate_device_t *mpo_devfs_label_associate_device; | |
6062 | mpo_devfs_label_associate_directory_t *mpo_devfs_label_associate_directory; | |
6063 | mpo_devfs_label_copy_t *mpo_devfs_label_copy; | |
6064 | mpo_devfs_label_destroy_t *mpo_devfs_label_destroy; | |
6065 | mpo_devfs_label_init_t *mpo_devfs_label_init; | |
6066 | mpo_devfs_label_update_t *mpo_devfs_label_update; | |
6067 | mpo_file_check_change_offset_t *mpo_file_check_change_offset; | |
6068 | mpo_file_check_create_t *mpo_file_check_create; | |
6069 | mpo_file_check_dup_t *mpo_file_check_dup; | |
6070 | mpo_file_check_fcntl_t *mpo_file_check_fcntl; | |
6071 | mpo_file_check_get_offset_t *mpo_file_check_get_offset; | |
6072 | mpo_file_check_get_t *mpo_file_check_get; | |
6073 | mpo_file_check_inherit_t *mpo_file_check_inherit; | |
6074 | mpo_file_check_ioctl_t *mpo_file_check_ioctl; | |
6075 | mpo_file_check_lock_t *mpo_file_check_lock; | |
6076 | mpo_file_check_mmap_downgrade_t *mpo_file_check_mmap_downgrade; | |
6077 | mpo_file_check_mmap_t *mpo_file_check_mmap; | |
6078 | mpo_file_check_receive_t *mpo_file_check_receive; | |
6079 | mpo_file_check_set_t *mpo_file_check_set; | |
6080 | mpo_file_label_init_t *mpo_file_label_init; | |
6081 | mpo_file_label_destroy_t *mpo_file_label_destroy; | |
6082 | mpo_file_label_associate_t *mpo_file_label_associate; | |
6083 | mpo_ifnet_check_label_update_t *mpo_ifnet_check_label_update; | |
6084 | mpo_ifnet_check_transmit_t *mpo_ifnet_check_transmit; | |
6085 | mpo_ifnet_label_associate_t *mpo_ifnet_label_associate; | |
6086 | mpo_ifnet_label_copy_t *mpo_ifnet_label_copy; | |
6087 | mpo_ifnet_label_destroy_t *mpo_ifnet_label_destroy; | |
6088 | mpo_ifnet_label_externalize_t *mpo_ifnet_label_externalize; | |
6089 | mpo_ifnet_label_init_t *mpo_ifnet_label_init; | |
6090 | mpo_ifnet_label_internalize_t *mpo_ifnet_label_internalize; | |
6091 | mpo_ifnet_label_update_t *mpo_ifnet_label_update; | |
6092 | mpo_ifnet_label_recycle_t *mpo_ifnet_label_recycle; | |
6093 | mpo_inpcb_check_deliver_t *mpo_inpcb_check_deliver; | |
6094 | mpo_inpcb_label_associate_t *mpo_inpcb_label_associate; | |
6095 | mpo_inpcb_label_destroy_t *mpo_inpcb_label_destroy; | |
6096 | mpo_inpcb_label_init_t *mpo_inpcb_label_init; | |
6097 | mpo_inpcb_label_recycle_t *mpo_inpcb_label_recycle; | |
6098 | mpo_inpcb_label_update_t *mpo_inpcb_label_update; | |
6099 | mpo_iokit_check_device_t *mpo_iokit_check_device; | |
6100 | mpo_ipq_label_associate_t *mpo_ipq_label_associate; | |
6101 | mpo_ipq_label_compare_t *mpo_ipq_label_compare; | |
6102 | mpo_ipq_label_destroy_t *mpo_ipq_label_destroy; | |
6103 | mpo_ipq_label_init_t *mpo_ipq_label_init; | |
6104 | mpo_ipq_label_update_t *mpo_ipq_label_update; | |
6105 | mpo_lctx_check_label_update_t *mpo_lctx_check_label_update; | |
6106 | mpo_lctx_label_destroy_t *mpo_lctx_label_destroy; | |
6107 | mpo_lctx_label_externalize_t *mpo_lctx_label_externalize; | |
6108 | mpo_lctx_label_init_t *mpo_lctx_label_init; | |
6109 | mpo_lctx_label_internalize_t *mpo_lctx_label_internalize; | |
6110 | mpo_lctx_label_update_t *mpo_lctx_label_update; | |
6111 | mpo_lctx_notify_create_t *mpo_lctx_notify_create; | |
6112 | mpo_lctx_notify_join_t *mpo_lctx_notify_join; | |
6113 | mpo_lctx_notify_leave_t *mpo_lctx_notify_leave; | |
6114 | mpo_mbuf_label_associate_bpfdesc_t *mpo_mbuf_label_associate_bpfdesc; | |
6115 | mpo_mbuf_label_associate_ifnet_t *mpo_mbuf_label_associate_ifnet; | |
6116 | mpo_mbuf_label_associate_inpcb_t *mpo_mbuf_label_associate_inpcb; | |
6117 | mpo_mbuf_label_associate_ipq_t *mpo_mbuf_label_associate_ipq; | |
6118 | mpo_mbuf_label_associate_linklayer_t *mpo_mbuf_label_associate_linklayer; | |
6119 | mpo_mbuf_label_associate_multicast_encap_t *mpo_mbuf_label_associate_multicast_encap; | |
6120 | mpo_mbuf_label_associate_netlayer_t *mpo_mbuf_label_associate_netlayer; | |
6121 | mpo_mbuf_label_associate_socket_t *mpo_mbuf_label_associate_socket; | |
6122 | mpo_mbuf_label_copy_t *mpo_mbuf_label_copy; | |
6123 | mpo_mbuf_label_destroy_t *mpo_mbuf_label_destroy; | |
6124 | mpo_mbuf_label_init_t *mpo_mbuf_label_init; | |
6125 | mpo_mount_check_fsctl_t *mpo_mount_check_fsctl; | |
6126 | mpo_mount_check_getattr_t *mpo_mount_check_getattr; | |
6127 | mpo_mount_check_label_update_t *mpo_mount_check_label_update; | |
6128 | mpo_mount_check_mount_t *mpo_mount_check_mount; | |
6129 | mpo_mount_check_remount_t *mpo_mount_check_remount; | |
6130 | mpo_mount_check_setattr_t *mpo_mount_check_setattr; | |
6131 | mpo_mount_check_stat_t *mpo_mount_check_stat; | |
6132 | mpo_mount_check_umount_t *mpo_mount_check_umount; | |
6133 | mpo_mount_label_associate_t *mpo_mount_label_associate; | |
6134 | mpo_mount_label_destroy_t *mpo_mount_label_destroy; | |
6135 | mpo_mount_label_externalize_t *mpo_mount_label_externalize; | |
6136 | mpo_mount_label_init_t *mpo_mount_label_init; | |
6137 | mpo_mount_label_internalize_t *mpo_mount_label_internalize; | |
6138 | mpo_netinet_fragment_t *mpo_netinet_fragment; | |
6139 | mpo_netinet_icmp_reply_t *mpo_netinet_icmp_reply; | |
6140 | mpo_netinet_tcp_reply_t *mpo_netinet_tcp_reply; | |
6141 | mpo_pipe_check_ioctl_t *mpo_pipe_check_ioctl; | |
6142 | mpo_pipe_check_kqfilter_t *mpo_pipe_check_kqfilter; | |
6143 | mpo_pipe_check_label_update_t *mpo_pipe_check_label_update; | |
6144 | mpo_pipe_check_read_t *mpo_pipe_check_read; | |
6145 | mpo_pipe_check_select_t *mpo_pipe_check_select; | |
6146 | mpo_pipe_check_stat_t *mpo_pipe_check_stat; | |
6147 | mpo_pipe_check_write_t *mpo_pipe_check_write; | |
6148 | mpo_pipe_label_associate_t *mpo_pipe_label_associate; | |
6149 | mpo_pipe_label_copy_t *mpo_pipe_label_copy; | |
6150 | mpo_pipe_label_destroy_t *mpo_pipe_label_destroy; | |
6151 | mpo_pipe_label_externalize_t *mpo_pipe_label_externalize; | |
6152 | mpo_pipe_label_init_t *mpo_pipe_label_init; | |
6153 | mpo_pipe_label_internalize_t *mpo_pipe_label_internalize; | |
6154 | mpo_pipe_label_update_t *mpo_pipe_label_update; | |
6155 | mpo_policy_destroy_t *mpo_policy_destroy; | |
6156 | mpo_policy_init_t *mpo_policy_init; | |
6157 | mpo_policy_initbsd_t *mpo_policy_initbsd; | |
6158 | mpo_policy_syscall_t *mpo_policy_syscall; | |
6159 | mpo_port_check_copy_send_t *mpo_port_check_copy_send; | |
6160 | mpo_port_check_hold_receive_t *mpo_port_check_hold_receive; | |
6161 | mpo_port_check_hold_send_once_t *mpo_port_check_hold_send_once; | |
6162 | mpo_port_check_hold_send_t *mpo_port_check_hold_send; | |
6163 | mpo_port_check_label_update_t *mpo_port_check_label_update; | |
6164 | mpo_port_check_make_send_once_t *mpo_port_check_make_send_once; | |
6165 | mpo_port_check_make_send_t *mpo_port_check_make_send; | |
6166 | mpo_port_check_method_t *mpo_port_check_method; | |
6167 | mpo_port_check_move_receive_t *mpo_port_check_move_receive; | |
6168 | mpo_port_check_move_send_once_t *mpo_port_check_move_send_once; | |
6169 | mpo_port_check_move_send_t *mpo_port_check_move_send; | |
6170 | mpo_port_check_receive_t *mpo_port_check_receive; | |
6171 | mpo_port_check_send_t *mpo_port_check_send; | |
6172 | mpo_port_check_service_t *mpo_port_check_service; | |
6173 | mpo_port_label_associate_kernel_t *mpo_port_label_associate_kernel; | |
6174 | mpo_port_label_associate_t *mpo_port_label_associate; | |
6175 | mpo_port_label_compute_t *mpo_port_label_compute; | |
6176 | mpo_port_label_copy_t *mpo_port_label_copy; | |
6177 | mpo_port_label_destroy_t *mpo_port_label_destroy; | |
6178 | mpo_port_label_init_t *mpo_port_label_init; | |
6179 | mpo_port_label_update_cred_t *mpo_port_label_update_cred; | |
6180 | mpo_port_label_update_kobject_t *mpo_port_label_update_kobject; | |
6181 | mpo_posixsem_check_create_t *mpo_posixsem_check_create; | |
6182 | mpo_posixsem_check_open_t *mpo_posixsem_check_open; | |
6183 | mpo_posixsem_check_post_t *mpo_posixsem_check_post; | |
6184 | mpo_posixsem_check_unlink_t *mpo_posixsem_check_unlink; | |
6185 | mpo_posixsem_check_wait_t *mpo_posixsem_check_wait; | |
6186 | mpo_posixsem_label_associate_t *mpo_posixsem_label_associate; | |
6187 | mpo_posixsem_label_destroy_t *mpo_posixsem_label_destroy; | |
6188 | mpo_posixsem_label_init_t *mpo_posixsem_label_init; | |
6189 | mpo_posixshm_check_create_t *mpo_posixshm_check_create; | |
6190 | mpo_posixshm_check_mmap_t *mpo_posixshm_check_mmap; | |
6191 | mpo_posixshm_check_open_t *mpo_posixshm_check_open; | |
6192 | mpo_posixshm_check_stat_t *mpo_posixshm_check_stat; | |
6193 | mpo_posixshm_check_truncate_t *mpo_posixshm_check_truncate; | |
6194 | mpo_posixshm_check_unlink_t *mpo_posixshm_check_unlink; | |
6195 | mpo_posixshm_label_associate_t *mpo_posixshm_label_associate; | |
6196 | mpo_posixshm_label_destroy_t *mpo_posixshm_label_destroy; | |
6197 | mpo_posixshm_label_init_t *mpo_posixshm_label_init; | |
6198 | mpo_proc_check_debug_t *mpo_proc_check_debug; | |
6199 | mpo_proc_check_fork_t *mpo_proc_check_fork; | |
6200 | mpo_proc_check_get_task_name_t *mpo_proc_check_get_task_name; | |
6201 | mpo_proc_check_get_task_t *mpo_proc_check_get_task; | |
6202 | mpo_proc_check_getaudit_t *mpo_proc_check_getaudit; | |
6203 | mpo_proc_check_getauid_t *mpo_proc_check_getauid; | |
6204 | mpo_proc_check_getlcid_t *mpo_proc_check_getlcid; | |
6205 | mpo_proc_check_mprotect_t *mpo_proc_check_mprotect; | |
6206 | mpo_proc_check_sched_t *mpo_proc_check_sched; | |
6207 | mpo_proc_check_setaudit_t *mpo_proc_check_setaudit; | |
6208 | mpo_proc_check_setauid_t *mpo_proc_check_setauid; | |
6209 | mpo_proc_check_setlcid_t *mpo_proc_check_setlcid; | |
6210 | mpo_proc_check_signal_t *mpo_proc_check_signal; | |
6211 | mpo_proc_check_wait_t *mpo_proc_check_wait; | |
6212 | mpo_proc_label_destroy_t *mpo_proc_label_destroy; | |
6213 | mpo_proc_label_init_t *mpo_proc_label_init; | |
6214 | mpo_socket_check_accept_t *mpo_socket_check_accept; | |
6215 | mpo_socket_check_accepted_t *mpo_socket_check_accepted; | |
6216 | mpo_socket_check_bind_t *mpo_socket_check_bind; | |
6217 | mpo_socket_check_connect_t *mpo_socket_check_connect; | |
6218 | mpo_socket_check_create_t *mpo_socket_check_create; | |
6219 | mpo_socket_check_deliver_t *mpo_socket_check_deliver; | |
6220 | mpo_socket_check_kqfilter_t *mpo_socket_check_kqfilter; | |
6221 | mpo_socket_check_label_update_t *mpo_socket_check_label_update; | |
6222 | mpo_socket_check_listen_t *mpo_socket_check_listen; | |
6223 | mpo_socket_check_receive_t *mpo_socket_check_receive; | |
6224 | mpo_socket_check_received_t *mpo_socket_check_received; | |
6225 | mpo_socket_check_select_t *mpo_socket_check_select; | |
6226 | mpo_socket_check_send_t *mpo_socket_check_send; | |
6227 | mpo_socket_check_stat_t *mpo_socket_check_stat; | |
6228 | mpo_socket_check_setsockopt_t *mpo_socket_check_setsockopt; | |
6229 | mpo_socket_check_getsockopt_t *mpo_socket_check_getsockopt; | |
6230 | mpo_socket_label_associate_accept_t *mpo_socket_label_associate_accept; | |
6231 | mpo_socket_label_associate_t *mpo_socket_label_associate; | |
6232 | mpo_socket_label_copy_t *mpo_socket_label_copy; | |
6233 | mpo_socket_label_destroy_t *mpo_socket_label_destroy; | |
6234 | mpo_socket_label_externalize_t *mpo_socket_label_externalize; | |
6235 | mpo_socket_label_init_t *mpo_socket_label_init; | |
6236 | mpo_socket_label_internalize_t *mpo_socket_label_internalize; | |
6237 | mpo_socket_label_update_t *mpo_socket_label_update; | |
6238 | mpo_socketpeer_label_associate_mbuf_t *mpo_socketpeer_label_associate_mbuf; | |
6239 | mpo_socketpeer_label_associate_socket_t *mpo_socketpeer_label_associate_socket; | |
6240 | mpo_socketpeer_label_destroy_t *mpo_socketpeer_label_destroy; | |
6241 | mpo_socketpeer_label_externalize_t *mpo_socketpeer_label_externalize; | |
6242 | mpo_socketpeer_label_init_t *mpo_socketpeer_label_init; | |
6243 | mpo_system_check_acct_t *mpo_system_check_acct; | |
6244 | mpo_system_check_audit_t *mpo_system_check_audit; | |
6245 | mpo_system_check_auditctl_t *mpo_system_check_auditctl; | |
6246 | mpo_system_check_auditon_t *mpo_system_check_auditon; | |
6247 | mpo_system_check_host_priv_t *mpo_system_check_host_priv; | |
6248 | mpo_system_check_nfsd_t *mpo_system_check_nfsd; | |
6249 | mpo_system_check_reboot_t *mpo_system_check_reboot; | |
6250 | mpo_system_check_settime_t *mpo_system_check_settime; | |
6251 | mpo_system_check_swapoff_t *mpo_system_check_swapoff; | |
6252 | mpo_system_check_swapon_t *mpo_system_check_swapon; | |
6253 | mpo_system_check_sysctl_t *mpo_system_check_sysctl; | |
6254 | mpo_sysvmsg_label_associate_t *mpo_sysvmsg_label_associate; | |
6255 | mpo_sysvmsg_label_destroy_t *mpo_sysvmsg_label_destroy; | |
6256 | mpo_sysvmsg_label_init_t *mpo_sysvmsg_label_init; | |
6257 | mpo_sysvmsg_label_recycle_t *mpo_sysvmsg_label_recycle; | |
6258 | mpo_sysvmsq_check_enqueue_t *mpo_sysvmsq_check_enqueue; | |
6259 | mpo_sysvmsq_check_msgrcv_t *mpo_sysvmsq_check_msgrcv; | |
6260 | mpo_sysvmsq_check_msgrmid_t *mpo_sysvmsq_check_msgrmid; | |
6261 | mpo_sysvmsq_check_msqctl_t *mpo_sysvmsq_check_msqctl; | |
6262 | mpo_sysvmsq_check_msqget_t *mpo_sysvmsq_check_msqget; | |
6263 | mpo_sysvmsq_check_msqrcv_t *mpo_sysvmsq_check_msqrcv; | |
6264 | mpo_sysvmsq_check_msqsnd_t *mpo_sysvmsq_check_msqsnd; | |
6265 | mpo_sysvmsq_label_associate_t *mpo_sysvmsq_label_associate; | |
6266 | mpo_sysvmsq_label_destroy_t *mpo_sysvmsq_label_destroy; | |
6267 | mpo_sysvmsq_label_init_t *mpo_sysvmsq_label_init; | |
6268 | mpo_sysvmsq_label_recycle_t *mpo_sysvmsq_label_recycle; | |
6269 | mpo_sysvsem_check_semctl_t *mpo_sysvsem_check_semctl; | |
6270 | mpo_sysvsem_check_semget_t *mpo_sysvsem_check_semget; | |
6271 | mpo_sysvsem_check_semop_t *mpo_sysvsem_check_semop; | |
6272 | mpo_sysvsem_label_associate_t *mpo_sysvsem_label_associate; | |
6273 | mpo_sysvsem_label_destroy_t *mpo_sysvsem_label_destroy; | |
6274 | mpo_sysvsem_label_init_t *mpo_sysvsem_label_init; | |
6275 | mpo_sysvsem_label_recycle_t *mpo_sysvsem_label_recycle; | |
6276 | mpo_sysvshm_check_shmat_t *mpo_sysvshm_check_shmat; | |
6277 | mpo_sysvshm_check_shmctl_t *mpo_sysvshm_check_shmctl; | |
6278 | mpo_sysvshm_check_shmdt_t *mpo_sysvshm_check_shmdt; | |
6279 | mpo_sysvshm_check_shmget_t *mpo_sysvshm_check_shmget; | |
6280 | mpo_sysvshm_label_associate_t *mpo_sysvshm_label_associate; | |
6281 | mpo_sysvshm_label_destroy_t *mpo_sysvshm_label_destroy; | |
6282 | mpo_sysvshm_label_init_t *mpo_sysvshm_label_init; | |
6283 | mpo_sysvshm_label_recycle_t *mpo_sysvshm_label_recycle; | |
6284 | mpo_task_label_associate_kernel_t *mpo_task_label_associate_kernel; | |
6285 | mpo_task_label_associate_t *mpo_task_label_associate; | |
6286 | mpo_task_label_copy_t *mpo_task_label_copy; | |
6287 | mpo_task_label_destroy_t *mpo_task_label_destroy; | |
6288 | mpo_task_label_externalize_t *mpo_task_label_externalize; | |
6289 | mpo_task_label_init_t *mpo_task_label_init; | |
6290 | mpo_task_label_internalize_t *mpo_task_label_internalize; | |
6291 | mpo_task_label_update_t *mpo_task_label_update; | |
6292 | mpo_iokit_check_hid_control_t *mpo_iokit_check_hid_control; | |
6293 | mpo_vnode_check_access_t *mpo_vnode_check_access; | |
6294 | mpo_vnode_check_chdir_t *mpo_vnode_check_chdir; | |
6295 | mpo_vnode_check_chroot_t *mpo_vnode_check_chroot; | |
6296 | mpo_vnode_check_create_t *mpo_vnode_check_create; | |
6297 | mpo_vnode_check_deleteextattr_t *mpo_vnode_check_deleteextattr; | |
6298 | mpo_vnode_check_exchangedata_t *mpo_vnode_check_exchangedata; | |
6299 | mpo_vnode_check_exec_t *mpo_vnode_check_exec; | |
6300 | mpo_vnode_check_getattrlist_t *mpo_vnode_check_getattrlist; | |
6301 | mpo_vnode_check_getextattr_t *mpo_vnode_check_getextattr; | |
6302 | mpo_vnode_check_ioctl_t *mpo_vnode_check_ioctl; | |
6303 | mpo_vnode_check_kqfilter_t *mpo_vnode_check_kqfilter; | |
6304 | mpo_vnode_check_label_update_t *mpo_vnode_check_label_update; | |
6305 | mpo_vnode_check_link_t *mpo_vnode_check_link; | |
6306 | mpo_vnode_check_listextattr_t *mpo_vnode_check_listextattr; | |
6307 | mpo_vnode_check_lookup_t *mpo_vnode_check_lookup; | |
6308 | mpo_vnode_check_open_t *mpo_vnode_check_open; | |
6309 | mpo_vnode_check_read_t *mpo_vnode_check_read; | |
6310 | mpo_vnode_check_readdir_t *mpo_vnode_check_readdir; | |
6311 | mpo_vnode_check_readlink_t *mpo_vnode_check_readlink; | |
6312 | mpo_vnode_check_rename_from_t *mpo_vnode_check_rename_from; | |
6313 | mpo_vnode_check_rename_to_t *mpo_vnode_check_rename_to; | |
6314 | mpo_vnode_check_revoke_t *mpo_vnode_check_revoke; | |
6315 | mpo_vnode_check_select_t *mpo_vnode_check_select; | |
6316 | mpo_vnode_check_setattrlist_t *mpo_vnode_check_setattrlist; | |
6317 | mpo_vnode_check_setextattr_t *mpo_vnode_check_setextattr; | |
6318 | mpo_vnode_check_setflags_t *mpo_vnode_check_setflags; | |
6319 | mpo_vnode_check_setmode_t *mpo_vnode_check_setmode; | |
6320 | mpo_vnode_check_setowner_t *mpo_vnode_check_setowner; | |
6321 | mpo_vnode_check_setutimes_t *mpo_vnode_check_setutimes; | |
6322 | mpo_vnode_check_stat_t *mpo_vnode_check_stat; | |
6323 | mpo_vnode_check_truncate_t *mpo_vnode_check_truncate; | |
6324 | mpo_vnode_check_unlink_t *mpo_vnode_check_unlink; | |
6325 | mpo_vnode_check_write_t *mpo_vnode_check_write; | |
6326 | mpo_vnode_label_associate_devfs_t *mpo_vnode_label_associate_devfs; | |
6327 | mpo_vnode_label_associate_extattr_t *mpo_vnode_label_associate_extattr; | |
6328 | mpo_vnode_label_associate_file_t *mpo_vnode_label_associate_file; | |
6329 | mpo_vnode_label_associate_pipe_t *mpo_vnode_label_associate_pipe; | |
6330 | mpo_vnode_label_associate_posixsem_t *mpo_vnode_label_associate_posixsem; | |
6331 | mpo_vnode_label_associate_posixshm_t *mpo_vnode_label_associate_posixshm; | |
6332 | mpo_vnode_label_associate_singlelabel_t *mpo_vnode_label_associate_singlelabel; | |
6333 | mpo_vnode_label_associate_socket_t *mpo_vnode_label_associate_socket; | |
6334 | mpo_vnode_label_copy_t *mpo_vnode_label_copy; | |
6335 | mpo_vnode_label_destroy_t *mpo_vnode_label_destroy; | |
6336 | mpo_vnode_label_externalize_audit_t *mpo_vnode_label_externalize_audit; | |
6337 | mpo_vnode_label_externalize_t *mpo_vnode_label_externalize; | |
6338 | mpo_vnode_label_init_t *mpo_vnode_label_init; | |
6339 | mpo_vnode_label_internalize_t *mpo_vnode_label_internalize; | |
6340 | mpo_vnode_label_recycle_t *mpo_vnode_label_recycle; | |
6341 | mpo_vnode_label_store_t *mpo_vnode_label_store; | |
6342 | mpo_vnode_label_update_extattr_t *mpo_vnode_label_update_extattr; | |
6343 | mpo_vnode_label_update_t *mpo_vnode_label_update; | |
6344 | mpo_vnode_notify_create_t *mpo_vnode_notify_create; | |
6345 | mpo_vnode_check_signature_t *mpo_vnode_check_signature; | |
6346 | mpo_vnode_check_uipc_bind_t *mpo_vnode_check_uipc_bind; | |
6347 | mpo_vnode_check_uipc_connect_t *mpo_vnode_check_uipc_connect; | |
6348 | mac_proc_check_run_cs_invalid_t *mpo_proc_check_run_cs_invalid; | |
6349 | mpo_proc_check_suspend_resume_t *mpo_proc_check_suspend_resume; | |
6350 | mpo_thread_userret_t *mpo_thread_userret; | |
6351 | mpo_iokit_check_set_properties_t *mpo_iokit_check_set_properties; | |
6352 | mpo_system_check_chud_t *mpo_system_check_chud; | |
6353 | mpo_vnode_check_searchfs_t *mpo_vnode_check_searchfs; | |
6354 | mpo_priv_check_t *mpo_priv_check; | |
6355 | mpo_priv_grant_t *mpo_priv_grant; | |
6356 | mpo_proc_check_map_anon_t *mpo_proc_check_map_anon; | |
6357 | mpo_vnode_check_fsgetpath_t *mpo_vnode_check_fsgetpath; | |
6358 | mpo_iokit_check_open_t *mpo_iokit_check_open; | |
6359 | mpo_proc_check_ledger_t *mpo_proc_check_ledger; | |
6360 | mpo_vnode_notify_rename_t *mpo_vnode_notify_rename; | |
6361 | mpo_thread_label_init_t *mpo_thread_label_init; | |
6362 | mpo_thread_label_destroy_t *mpo_thread_label_destroy; | |
6363 | mpo_system_check_kas_info_t *mpo_system_check_kas_info; | |
6364 | mpo_reserved_hook_t *mpo_reserved18; | |
6365 | mpo_reserved_hook_t *mpo_reserved19; | |
6366 | mpo_reserved_hook_t *mpo_reserved20; | |
6367 | mpo_reserved_hook_t *mpo_reserved21; | |
6368 | mpo_reserved_hook_t *mpo_reserved22; | |
6369 | mpo_reserved_hook_t *mpo_reserved23; | |
6370 | mpo_reserved_hook_t *mpo_reserved24; | |
6371 | mpo_reserved_hook_t *mpo_reserved25; | |
6372 | mpo_reserved_hook_t *mpo_reserved26; | |
6373 | mpo_reserved_hook_t *mpo_reserved27; | |
6374 | mpo_reserved_hook_t *mpo_reserved28; | |
6375 | mpo_reserved_hook_t *mpo_reserved29; | |
6376 | }; | |
6377 | ||
6378 | /** | |
6379 | @brief MAC policy handle type | |
6380 | ||
6381 | The MAC handle is used to uniquely identify a loaded policy within | |
6382 | the MAC Framework. | |
6383 | ||
6384 | A variable of this type is set by mac_policy_register(). | |
6385 | */ | |
6386 | typedef unsigned int mac_policy_handle_t; | |
6387 | ||
6388 | #define mpc_t struct mac_policy_conf * | |
6389 | ||
6390 | /** | |
6391 | @brief Mac policy configuration | |
6392 | ||
6393 | This structure specifies the configuration information for a | |
6394 | MAC policy module. A policy module developer must supply | |
6395 | a short unique policy name, a more descriptive full name, a list of label | |
6396 | namespaces and count, a pointer to the registered enty point operations, | |
6397 | any load time flags, and optionally, a pointer to a label slot identifier. | |
6398 | ||
6399 | The Framework will update the runtime flags (mpc_runtime_flags) to | |
6400 | indicate that the module has been registered. | |
6401 | ||
6402 | If the label slot identifier (mpc_field_off) is NULL, the Framework | |
6403 | will not provide label storage for the policy. Otherwise, the | |
6404 | Framework will store the label location (slot) in this field. | |
6405 | ||
6406 | The mpc_list field is used by the Framework and should not be | |
6407 | modified by policies. | |
6408 | */ | |
6409 | /* XXX - reorder these for better aligment on 64bit platforms */ | |
6410 | struct mac_policy_conf { | |
6411 | const char *mpc_name; /** policy name */ | |
6412 | const char *mpc_fullname; /** full name */ | |
6413 | const char **mpc_labelnames; /** managed label namespaces */ | |
6414 | unsigned int mpc_labelname_count; /** number of managed label namespaces */ | |
6415 | struct mac_policy_ops *mpc_ops; /** operation vector */ | |
6416 | int mpc_loadtime_flags; /** load time flags */ | |
6417 | int *mpc_field_off; /** label slot */ | |
6418 | int mpc_runtime_flags; /** run time flags */ | |
6419 | mpc_t mpc_list; /** List reference */ | |
6420 | void *mpc_data; /** module data */ | |
6421 | }; | |
6422 | ||
6423 | /** | |
6424 | @brief MAC policy module registration routine | |
6425 | ||
6426 | This function is called to register a policy with the | |
6427 | MAC framework. A policy module will typically call this from the | |
6428 | Darwin KEXT registration routine. | |
6429 | */ | |
6430 | int mac_policy_register(struct mac_policy_conf *mpc, | |
6431 | mac_policy_handle_t *handlep, void *xd); | |
6432 | ||
6433 | /** | |
6434 | @brief MAC policy module de-registration routine | |
6435 | ||
6436 | This function is called to de-register a policy with theD | |
6437 | MAC framework. A policy module will typically call this from the | |
6438 | Darwin KEXT de-registration routine. | |
6439 | */ | |
6440 | int mac_policy_unregister(mac_policy_handle_t handle); | |
6441 | ||
6442 | /* | |
6443 | * Framework entry points for the policies to add audit data. | |
6444 | */ | |
6445 | int mac_audit_text(char *text, mac_policy_handle_t handle); | |
6446 | ||
6447 | /* | |
6448 | * Calls to assist with use of Apple XATTRs within policy modules. | |
6449 | */ | |
6450 | int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t); | |
6451 | int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t, | |
6452 | size_t *); | |
6453 | int mac_vnop_removexattr(struct vnode *, const char *); | |
6454 | ||
6455 | /* | |
6456 | * Arbitrary limit on how much data will be logged by the audit | |
6457 | * entry points above. | |
6458 | */ | |
6459 | #define MAC_AUDIT_DATA_LIMIT 1024 | |
6460 | ||
6461 | /* | |
6462 | * Values returned by mac_audit_{pre,post}select. To combine the responses | |
6463 | * of the security policies into a single decision, | |
6464 | * mac_audit_{pre,post}select() choose the greatest value returned. | |
6465 | */ | |
6466 | #define MAC_AUDIT_DEFAULT 0 /* use system behavior */ | |
6467 | #define MAC_AUDIT_NO 1 /* force not auditing this event */ | |
6468 | #define MAC_AUDIT_YES 2 /* force auditing this event */ | |
6469 | ||
6470 | // \defgroup mpc_loadtime_flags Flags for the mpc_loadtime_flags field | |
6471 | ||
6472 | /** | |
6473 | @name Flags for the mpc_loadtime_flags field | |
6474 | @see mac_policy_conf | |
6475 | ||
6476 | This is the complete list of flags that are supported by the | |
6477 | mpc_loadtime_flags field of the mac_policy_conf structure. These | |
6478 | flags specify the load time behavior of MAC Framework policy | |
6479 | modules. | |
6480 | */ | |
6481 | ||
6482 | /*@{*/ | |
6483 | ||
6484 | /** | |
6485 | @brief Flag to indicate registration preference | |
6486 | ||
6487 | This flag indicates that the policy module must be loaded and | |
6488 | initialized early in the boot process. If the flag is specified, | |
6489 | attempts to register the module following boot will be rejected. The | |
6490 | flag may be used by policies that require pervasive labeling of all | |
6491 | system objects, and cannot handle objects that have not been | |
6492 | properly initialized by the policy. | |
6493 | */ | |
6494 | #define MPC_LOADTIME_FLAG_NOTLATE 0x00000001 | |
6495 | ||
6496 | /** | |
6497 | @brief Flag to indicate unload preference | |
6498 | ||
6499 | This flag indicates that the policy module may be unloaded. If this | |
6500 | flag is not set, then the policy framework will reject requests to | |
6501 | unload the module. This flag might be used by modules that allocate | |
6502 | label state and are unable to free that state at runtime, or for | |
6503 | modules that simply do not want to permit unload operations. | |
6504 | */ | |
6505 | #define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002 | |
6506 | ||
6507 | /** | |
6508 | @brief Unsupported | |
6509 | ||
6510 | XXX This flag is not yet supported. | |
6511 | */ | |
6512 | #define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004 | |
6513 | ||
6514 | /** | |
6515 | @brief Flag to indicate a base policy | |
6516 | ||
6517 | This flag indicates that the policy module is a base policy. Only | |
6518 | one module can declare itself as base, otherwise the boot process | |
6519 | will be halted. | |
6520 | */ | |
6521 | #define MPC_LOADTIME_BASE_POLICY 0x00000008 | |
6522 | ||
6523 | /*@}*/ | |
6524 | ||
6525 | /** | |
6526 | @brief Policy registration flag | |
6527 | @see mac_policy_conf | |
6528 | ||
6529 | This flag indicates that the policy module has been successfully | |
6530 | registered with the TrustedBSD MAC Framework. The Framework will | |
6531 | set this flag in the mpc_runtime_flags field of the policy's | |
6532 | mac_policy_conf structure after registering the policy. | |
6533 | */ | |
6534 | #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001 | |
6535 | ||
6536 | /* | |
6537 | * Depends on POLICY_VER | |
6538 | */ | |
6539 | ||
6540 | #ifndef POLICY_VER | |
6541 | #define POLICY_VER 1.0 | |
6542 | #endif | |
6543 | ||
6544 | #define MAC_POLICY_SET(handle, mpops, mpname, mpfullname, lnames, lcount, slot, lflags, rflags) \ | |
6545 | static struct mac_policy_conf mpname##_mac_policy_conf = { \ | |
6546 | .mpc_name = #mpname, \ | |
6547 | .mpc_fullname = mpfullname, \ | |
6548 | .mpc_labelnames = lnames, \ | |
6549 | .mpc_labelname_count = lcount, \ | |
6550 | .mpc_ops = mpops, \ | |
6551 | .mpc_loadtime_flags = lflags, \ | |
6552 | .mpc_field_off = slot, \ | |
6553 | .mpc_runtime_flags = rflags \ | |
6554 | }; \ | |
6555 | \ | |
6556 | static kern_return_t \ | |
6557 | kmod_start(kmod_info_t *ki, void *xd) \ | |
6558 | { \ | |
6559 | return mac_policy_register(&mpname##_mac_policy_conf, \ | |
6560 | &handle, xd); \ | |
6561 | } \ | |
6562 | \ | |
6563 | static kern_return_t \ | |
6564 | kmod_stop(kmod_info_t *ki, void *xd) \ | |
6565 | { \ | |
6566 | return mac_policy_unregister(handle); \ | |
6567 | } \ | |
6568 | \ | |
6569 | extern kern_return_t _start(kmod_info_t *ki, void *data); \ | |
6570 | extern kern_return_t _stop(kmod_info_t *ki, void *data); \ | |
6571 | \ | |
6572 | KMOD_EXPLICIT_DECL(security.mpname, POLICY_VER, _start, _stop) \ | |
6573 | kmod_start_func_t *_realmain = kmod_start; \ | |
6574 | kmod_stop_func_t *_antimain = kmod_stop; \ | |
6575 | int _kext_apple_cc = __APPLE_CC__ | |
6576 | ||
6577 | ||
6578 | #define LABEL_TO_SLOT(l, s) (l)->l_perpolicy[s] | |
6579 | ||
6580 | /* | |
6581 | * Policy interface to map a struct label pointer to per-policy data. | |
6582 | * Typically, policies wrap this in their own accessor macro that casts an | |
6583 | * intptr_t to a policy-specific data type. | |
6584 | */ | |
6585 | intptr_t mac_label_get(struct label *l, int slot); | |
6586 | void mac_label_set(struct label *l, int slot, intptr_t v); | |
6587 | ||
6588 | #define mac_get_mpc(h) (mac_policy_list.entries[h].mpc) | |
6589 | ||
6590 | /** | |
6591 | @name Flags for MAC allocator interfaces | |
6592 | ||
6593 | These flags are passed to the Darwin kernel allocator routines to | |
6594 | indicate whether the allocation is permitted to block or not. | |
6595 | Caution should be taken; some operations are not permitted to sleep, | |
6596 | and some types of locks cannot be held when sleeping. | |
6597 | */ | |
6598 | ||
6599 | /*@{*/ | |
6600 | ||
6601 | /** | |
6602 | @brief Allocation operations may block | |
6603 | ||
6604 | If memory is not immediately available, the allocation routine | |
6605 | will block (typically sleeping) until memory is available. | |
6606 | ||
6607 | @warning Inappropriate use of this flag may cause kernel panics. | |
6608 | */ | |
6609 | #define MAC_WAITOK 0 | |
6610 | ||
6611 | /** | |
6612 | @brief Allocation operations may not block | |
6613 | ||
6614 | Rather than blocking, the allocator may return an error if memory | |
6615 | is not immediately available. This type of allocation will not | |
6616 | sleep, preserving locking semantics. | |
6617 | */ | |
6618 | #define MAC_NOWAIT 1 | |
6619 | ||
6620 | /*@}*/ | |
6621 | ||
6622 | #endif /* !_SECURITY_MAC_POLICY_H_ */ |